Table Of Contents
- OS CHEATS
- WINDOWS
- LINUX
- DECODING
- HEX CONVERSION
- SNORT
- SNORT RULES
- DOS/DDOS
- FINGERPRINT DOS/DDOS
- TOOL SUITES
- PREBUILT ISO, VIRTUAL MACHINE AND DISTRIBUTIONS
OS CHEATS
WINDOWS
Pipe output to clipboard:
some_command.exe | clip
Output clip to file: (Requires PowerShell 5)
Get-Clipboard > clip.txt
Add time stamps into log file:
echo %DATE% %TIME% >> <TXT LOG>.txt
Add/Modify registry value remotely: (Requires the Remote Registry service on the target)
reg add \\<REMOTE COMPUTER NAME>\HKLM\Software\<REG KEY> /v <VALUE NAME> /t REG_SZ /d <DATA>
Get registry value remotely:
reg query \\<REMOTE COMPUTER NAME>\HKLM\Software\<REG KEY>
Test to see if Registry Path exists:
Test-Path "HKCU:\Software\Microsoft\<KEY>"
Copy files remotely:
robocopy C:\<SOURCE SHARED FOLDER> \\<DESTINATION COMPUTER>\<DESTINATION FOLDER> /E
Check to see if certain file extensions are in a directory:
Test-Path C:\Scripts\Archive\* -include *.ps1, *.vbs
Show contents of a file:
type <FILE NAME>
Combine contents of multiple files:
type <FILE NAME 1> <FILE NAME 2> <FILE NAME 3> > <NEW FILE NAME>
Desktops, allows multiple Desktop Screens:
Run live option:
"%ProgramFiles%\Internet Explorer\iexplore.exe" https://live.sysinternals.com/desktops.exe
Share a folder for remote mounting, Read-only and Read/Write: (Granted to Everyone; NTFS permissions on the folder still apply)
net share MyShare_R=c:\<READ ONLY FOLDER> /GRANT:EVERYONE,READ
net share MyShare_RW=c:\<READ/WRITE FOLDER> /GRANT:EVERYONE,FULL
Remote task execution using PSEXEC: (-c copies the local program to the target before running it. -p puts the password on the command line, where process-creation logging captures it; omit it to be prompted instead)
psexec.exe \\<TARGET IP ADDRESS> -u <USER NAME> -p <PASSWORD> -c C:\<PROGRAM>.exe
psexec @C:\<TARGET FILE LIST>.txt -u <ADMIN LEVEL USER NAME> -p <PASSWORD> C:\<PROGRAM>.exe >> C:\<OUTPUT FILE NAME>.txt
psexec.exe @C:\<TARGET FILE LIST>.csv -u <DOMAIN NAME>\<USER NAME> -p <PASSWORD> -c C:\<PROGRAM>.exe
Remote task execution and send output to share: (The created process holds a network-logon token on the remote host, so writing to a share on a third machine usually fails unless that share allows the write without those credentials or delegation is configured)
wmic /node:<COMPUTER NAME> process call create "cmd.exe /c netstat -an > \\<REMOTE SHARE>\<OUTPUT FILE NAME>.txt"
Compare two files for changes:
Compare-Object (Get-Content .\<LOG FILE NAME 1>.log) -DifferenceObject (Get-Content .\<LOG FILE NAME 2>.log)
Remote task execution using PowerShell: (Requires PowerShell Remoting / WinRM enabled on the target)
Invoke-Command -ComputerName <COMPUTER NAME> -ScriptBlock {<PS COMMAND>}
PowerShell Command Help:
Get-Help <PS COMMAND> -full
LINUX
Analyze traffic remotely over ssh: (tcpdump writes pcap to stdout; save it locally as below, or pipe it into wireshark -k -i - instead of a file)
ssh root@<REMOTE IP ADDRESS OF HOST TO SNIFF> tcpdump -i any -U -s 0 -w - 'not port 22' > <LOCAL FILE>.pcap
Manually add note/data to syslog: (logger writes to syslog, not to the kernel ring buffer dmesg shows)
logger "Something important to note in Log"
grep "<COMMENT>" /var/log/syslog
# On systemd hosts: journalctl | grep "<COMMENT>"
Simple read only mounting: (for evidence drives add noexec,noload so an ext3/ext4 journal is not replayed on mount)
mount -o ro /dev/<DEVICE OR PARTITION> /mnt
Mounting remotely over SSH: (the fuse group step is only needed on older distributions that restrict /dev/fuse)
apt-get install sshfs
adduser <USER NAME> fuse
# Log out and log back in.
mkdir ~/<WHERE TO MOUNT LOCALLY>
sshfs <REMOTE USER NAME>@<REMOTE HOST>:/<REMOTE PATH> ~/<WHERE TO MOUNT LOCALLY>
Creating a SMB share in Linux: (public = yes is a synonym for guest ok = yes and permits unauthenticated access; drop it if only <NEW USER> should connect. Validate the file with testparm before restarting)
useradd -m <NEW USER>
passwd <NEW USER>
smbpasswd -a <NEW USER>
echo "[Share]" >> /etc/samba/smb.conf
echo "path = /<PATH OF FOLDER TO SHARE>" >> /etc/samba/smb.conf
echo "available = yes" >> /etc/samba/smb.conf
echo "valid users = <NEW USER>" >> /etc/samba/smb.conf
echo "read only = no" >> /etc/samba/smb.conf
echo "browsable = yes" >> /etc/samba/smb.conf
echo "public = yes" >> /etc/samba/smb.conf
echo "writable = yes" >> /etc/samba/smb.conf
service smbd restart
Visit share from remote system:
\\<IP ADDRESS OF LINUX SMB SHARE>\Share
# From Windows Explorer; Linux file managers use smb://<IP ADDRESS OF LINUX SMB SHARE>/Share
Copy files to remote system:
scp <FILE NAME> <USER NAME>@<DESTINATION IP ADDRESS>:/<REMOTE FOLDER>
Mount a SMB share to remote system: (smbfs is obsolete; use the cifs kernel client)
mount -t cifs -o username=<USER NAME> //<SERVER NAME OR IP ADDRESS>/<SHARE NAME> /mnt/<MOUNT POINT>/
Monitor if a website or file is still accessible: (-I sends a HEAD request; the first line is the HTTP status)
while :; do curl -sSI http://<URL> | head -n 1; sleep 60; done
Use Screen to manage multiple shell sessions, list sessions, create a new shell and switch to other shells:
screen
screen -ls
# Hit Ctrl-a then c
# Hit Ctrl-a then n
Re-attach a screen: (-r re-attaches a detached session; -x attaches to a session that is still attached elsewhere)
screen -r
screen -x
Start a service that will keep running after logout and return back to prompt:
nohup ./<COMMAND> > <OUTPUT TO A FILE> &
Check list of nohup running jobs: (only jobs started from the current shell; from a new login find them with ps)
jobs -l
Kill a nohup job:
kill %<JOB NUMBER>
Check which command is being used and list all locations:
which <COMMAND NAME>
which -a <COMMAND NAME>
DECODING
HEX CONVERSION
Convert from hex to decimal in Windows (cmd; set /a uses 32-bit signed integer math):
set /a 0xff
:: 255
Convert from hex to decimal in Windows (PowerShell):
0xff
# 255
Other Basic Math in Windows (integer division truncates, so 9/4 is 2):
set /a 1+2
:: 3
set /a 3*(9/4)
:: 6
set /a (2*5)/2
:: 5
set /a "32>>3"
:: 4
Decode Base64 text in a file:
certutil -decode <BASE64 ENCODED FILE NAME> <DECODED FILE NAME>
Decode XOR and search for HTTP:
xorsearch.exe -i -s <INPUT FILE NAME> http
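What xorsearch does under the hood, as an added example (not XORSearch's code and not from the original page): every single-byte key is tried and the offsets where the decoded data contains the keyword are reported, after which the analyst decodes the whole file with the right key. The blob is constructed for the example, not a real sample.

```python
"""Added example, not XORSearch's code and not from the page: the brute force
behind 'xorsearch -i <FILE> http'. Every single-byte key is tried and the
offsets where the decoded data contains the keyword are reported, so the
analyst can then decode the whole file with the right key. The blob below is
constructed for the example, not a real sample."""
from typing import List, Tuple

# Constructed sample: a dropper-style config XORed with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"cfg=1;url=HTTP://203.0.113.9/gate.php;rc4key=deadbeef"
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAIN)


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, keyword: bytes, ignore_case: bool = False) -> List[Tuple[int, int]]:
    """Return (key, offset) pairs, ascending by key, where data XOR key contains
    keyword. ignore_case compares ASCII letters case-insensitively, like -i."""
    if not keyword:
        raise ValueError("keyword must not be empty")
    needle = keyword.lower() if ignore_case else keyword
    hits = []
    for key in range(256):
        hay = xor_decode(data, key)
        if ignore_case:
            hay = hay.lower()
        pos = hay.find(needle)
        while pos >= 0:
            hits.append((key, pos))
            pos = hay.find(needle, pos + 1)
    return hits


def context(data: bytes, key: int, offset: int, width: int = 24) -> str:
    """Decoded text around a hit, to tell a real key from a coincidental one."""
    chunk = xor_decode(data, key)[max(0, offset - 4): offset + width]
    return chunk.decode("ascii", errors="replace")


if __name__ == "__main__":
    # Searching case-insensitively also reports key 0x7A (= 0x5A ^ 0x20): XOR
    # with a key that differs only in bit 0x20 flips the case of ASCII
    # letters, so "HTTP" decodes as "http" under that key too. The context
    # check shows which key yields readable surroundings.
    for key, off in xor_search(SAMPLE_BLOB, b"http", ignore_case=True):
        print("key 0x%02x offset %d: %r" % (key, off, context(SAMPLE_BLOB, key, off)))
```

The case-insensitive search is deliberately noisy: a key that differs from the real one only in bit 0x20 also produces the keyword, so always confirm a hit by decoding the surrounding bytes before trusting the key.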
Convert from hex to decimal in Linux:
echo "0xff" | wcalc -d # 255
Convert from decimal to hex in Linux:
echo "255" | wcalc -h # 0xff
Decode URL-encoded and HTML-encoded strings (PowerShell):
[System.Uri]::UnescapeDataString("HTTP%3a%2f%2fHello%20World.com")
# HTTP://Hello World.com
Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlDecode("&lt;script&gt;")
# <script>
SNORT
SNORT RULES
Snort Rules to detect Meterpreter traffic: (Snort 2 syntax. They match Metasploit's default HTTP User-Agent strings, which an operator can change, so expect misses and treat hits as policy-level signals)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 6.1\; Windows NT)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 6.0)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 6.0\; Trident/4.0\; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}\; SLCC1\; .N|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; Metasploit RSPEC)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows\; U\; Windows NT 5.1\; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (compatible\; Googlebot/2.1\; +http://www.google.com/bot.html)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (compatible\; MSIE 10.0\; Windows NT 6.1\; Trident/6.0)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618007; rev:1;)
Snort Rules to detect PSEXEC traffic: (both match the default PSEXESVC service/pipe name, spelled p-s-e-x-e-s-v-c; psexec -r <SERVICE NAME> renames the service and evades them)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|p|00|s|00|e|00|x|00|e|00|s|00|v|00|c|00|"; nocase; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:24008; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281; rev:1;)
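How the content keywords in the Metasploit and PsExec rules above are actually evaluated, as an added example (not Snort code and not from the original page): a minimal model of Snort 2 content matching that decodes the |hex| and backslash escapes and applies offset, depth, distance, within and nocase to hand-built packets. The HTTP request and the SMB packets are constructed, and the SMB layouts assumed are a 4-byte NetBIOS length followed by the SMB1 (32-byte) or SMB2 (64-byte) header; the service name PSEXESVC is the one the rules match.

```python
"""Added example, not Snort's code and not from the page: a minimal model of
how Snort 2 evaluates the content keywords in the rules above, so the |hex|
escapes, the \\; escapes and offset/depth/distance/within/nocase can be tried
against hand-built packets. Every packet below is constructed, not captured."""
from typing import Dict, List, Optional, Tuple

Chain = List[Tuple[str, Dict[str, object]]]   # [(content string, modifiers)]


def snort_content_to_bytes(content: str) -> bytes:
    """'User-Agent|3a| X|0d 0a|' -> b'User-Agent: X\\r\\n'; '\\;' -> b';'."""
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "|":                                   # |hex bytes| run
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\":                                # escaped ; " or backslash
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def match_chain(payload: bytes, chain: Chain) -> Optional[List[int]]:
    """Evaluate the contents in order. offset/depth count from the start of
    the payload; distance/within count from the end of the previous match.
    Returns the match offsets, or None as soon as one content fails."""
    cursor, hits = 0, []
    for content, opts in chain:
        needle = snort_content_to_bytes(content)
        if "distance" in opts or "within" in opts:
            start = cursor + int(opts.get("distance", 0))
            end = start + int(opts["within"]) if "within" in opts else len(payload)
        else:
            start = int(opts.get("offset", 0))
            end = start + int(opts["depth"]) if "depth" in opts else len(payload)
        window, pat = payload[start:end], needle
        if opts.get("nocase"):
            window, pat = window.lower(), pat.lower()
        idx = window.find(pat)
        if idx < 0:
            return None
        hits.append(start + idx)
        cursor = start + idx + len(needle)
    return hits


# Content chains taken from the rules above (fast_pattern only affects speed)
MSF_UA_RULE: Chain = [
    ("User-Agent|3a| Mozilla/4.0 (compatible\\; MSIE 6.0\\; Windows NT 5.1)|0d 0a|", {}),
]
PSEXEC_SMB1_RULE: Chain = [
    ("|FF|SMB|A2|", {"offset": 4, "depth": 5}),        # NT_CREATE_ANDX after the 4-byte NetBIOS header
    ("|5C 00|p|00|s|00|e|00|x|00|e|00|s|00|v|00|c|00|", {"nocase": True}),  # "\psexesvc" in UTF-16LE
]
PSEXEC_SMB2_RULE: Chain = [
    ("|FE|SMB", {"depth": 8, "nocase": True}),
    ("|05 00|", {"distance": 8, "within": 2}),         # SMB2 Command field == CREATE (5)
    ("P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|", {}),
]

# Constructed packets (assumed layouts: 4-byte NetBIOS length, then the SMB header)
MSF_REQUEST = (b"GET /abcdEFG HTTP/1.1\r\nHost: 198.51.100.7\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
               b"Connection: Keep-Alive\r\n\r\n")
BROWSER_REQUEST = MSF_REQUEST.replace(b"Windows NT 5.1)", b"Windows NT 5.1; SV1)")


def smb1_ntcreate(pipe_name: str) -> bytes:
    """SMB1 NT_CREATE_ANDX opening pipe_name; header fields other than the
    magic and command are zero filler."""
    hdr = b"\xffSMB\xa2" + b"\x00" * 27                 # 32-byte SMB1 header
    body = b"\x18\xff\x00\x00\x00\x00" + pipe_name.encode("utf-16-le")
    return len(hdr + body).to_bytes(4, "big") + hdr + body


def smb2_create(name: str) -> bytes:
    """SMB2 CREATE for name; Command (0x0005) sits 12 bytes into the header."""
    hdr = b"\xfeSMB" + b"\x40\x00" + b"\x00\x00" + b"\x00" * 4 + b"\x05\x00" + b"\x00" * 50
    body = name.encode("utf-16-le")
    return len(hdr + body).to_bytes(4, "big") + hdr + body


if __name__ == "__main__":
    print("metasploit UA:", match_chain(MSF_REQUEST, MSF_UA_RULE))
    print("browser UA:   ", match_chain(BROWSER_REQUEST, MSF_UA_RULE))
    print("psexec SMB1:  ", match_chain(smb1_ntcreate("\\PSEXESVC"), PSEXEC_SMB1_RULE))
    print("psexec SMB2:  ", match_chain(smb2_create("PSEXESVC"), PSEXEC_SMB2_RULE))
    print("psexec -r:    ", match_chain(smb2_create("renamedsvc"), PSEXEC_SMB2_RULE))
```

Two things the model makes visible: the trailing |0d 0a| in the User-Agent contents is what turns a prefix match into an exact match (a browser string with an extra token such as "; SV1)" does not fire), and the distance:8/within:2 pair in the SMBv2 rule lands exactly on the Command field only because the previous match ended at the end of the 4-byte protocol ID. A renamed service (psexec -r) produces no hit at all.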
DOS/DDOS
FINGERPRINT DOS/DDOS
Fingerprinting the type of DoS/DDoS:
- Ref. https://www.trustwave.com/Resources/SpiderLabs-Blog/PCAP-Files-Are-Great-Arn-t-They--/
- Volumetric: Bandwidth consumption
- Example, sustained 1Gb/s of traffic sent at a 10Mb/s connection
- Ref. http://freecode.com/projects/iftop
iftop -n
- Protocol: Use of a specific protocol
- Example, SYN flood, ICMP flood, UDP flood
tshark -r <FILE NAME>.pcap -q -z io,phs
tshark -c 1000 -q -z io,phs
tcpdump -tnr <FILE NAME>.pcap | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
tcpdump -qnn "tcp[tcpflags] & (tcp-syn) != 0"
netstat -s
- Example, isolate one protocol and/or remove other protocols
tcpdump -nn not arp and not icmp and not udp
tcpdump -nn tcp
- Resource: State and connection exhaustion
- Example, Firewall can handle 10,000 simultaneous connections, and attacker sends 20,000
netstat -n | awk '{print $6}' | sort | uniq -c | sort -nr | head
- Application: Layer 7 attacks
- Example, HTTP GET flood, for a large image file.
tshark -c 10000 -T fields -e http.host | sort | uniq -c | sort -nr | head -n 10
tshark -r <FILE NAME>.pcap -T fields -e http.request.full_uri | sort | uniq -c | sort -nr | head -n 10
tcpdump -n 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | cut -f 7- -d ":"
# 0x47455420 is "GET "; the offset expression skips a TCP header of any length (tcp[32:4] only works for a 32-byte header)
- Example, look for excessive file requests, GIF, ZIP, JPEG, PDF, PNG.
tshark -Y 'http contains ff:d8 || http contains "GIF89a" || http contains 50:4b:03:04 || http contains "%PDF" || http contains 89:50:4e:47'
- Example, Look for web application 'user-agent' pattern of abuse.
tcpdump -c 1000 -Ann | grep -Ei 'user-agent' | sort | uniq -c | sort -nr | head -10
- Example, show HTTP Header of requested resources.
tcpdump -i <INTERFACE> -A -s 500 | grep -i refer
- Sniff HTTP Headers for signs of repeat abuse:
tcpdump -s 1024 -l -A dst <EXAMPLE.COM>
- Poison: Layer 2 attacks
- Example, ARP poison, race condition DNS, DHCP
tcpdump 'arp or icmp'
tcpdump -tnr <SAMPLE TRAFFIC FILE>.pcap arp | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
tshark -r <SAMPLE TRAFFIC FILE>.pcap -Y arp.duplicate-address-detected
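The triage the one-liners above perform by hand, as an added example (not from the original page): the same counters, protocol mix, SYN versus SYN/ACK, top sources and top URIs, computed from tshark field output and reduced to one of the buckets listed above. The input format is what the assumed invocation in the docstring prints; the three sample captures are generated in the code, not real traffic.

```python
"""Added example (not from the page): the triage logic behind the tshark and
tcpdump one-liners above, packaged so it runs offline over constructed input.
The input format is what this (assumed) tshark invocation prints:
  tshark -r <FILE NAME>.pcap -T fields -E separator=, -e ip.src -e ip.dst \
         -e ip.proto -e tcp.flags.syn -e tcp.flags.ack -e http.request.uri
The sample lines below are made up, not captured traffic."""
from collections import Counter
from typing import Dict, List

TRUE = {"1", "True", "true"}          # tshark prints booleans as 1/0 or True/False
IP_ICMP, IP_TCP, IP_UDP = "1", "6", "17"


def parse_fields(text: str) -> List[Dict[str, str]]:
    """One dict per packet; missing trailing fields become empty strings."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, syn, ack, uri = (line.split(",") + [""] * 6)[:6]
            rows.append({"src": src, "dst": dst, "proto": proto,
                         "syn": syn, "ack": ack, "uri": uri})
    return rows


def fingerprint(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Classify a capture into the volumetric/protocol/resource/application
    buckets used above, from the same counters the one-liners produce."""
    n = len(rows)
    protos = Counter(r["proto"] for r in rows)
    syn = sum(1 for r in rows if r["proto"] == IP_TCP
              and r["syn"] in TRUE and r["ack"] not in TRUE)
    synack = sum(1 for r in rows if r["proto"] == IP_TCP
                 and r["syn"] in TRUE and r["ack"] in TRUE)
    uris = Counter(r["uri"] for r in rows if r["uri"])
    uri_sources = {r["src"] for r in rows if r["uri"]}
    verdict = "inconclusive: check bandwidth (iftop) and connection states (netstat)"
    if n and protos[IP_ICMP] > n / 2:
        verdict = "protocol: ICMP flood"
    elif n and protos[IP_UDP] > n / 2:
        verdict = "protocol: UDP flood"
    elif syn >= 50 and syn > 10 * max(synack, 1):
        # many SYNs, almost no SYN/ACKs: spoofed sources never finish the handshake
        verdict = "protocol: SYN flood (%d SYN vs %d SYN/ACK)" % (syn, synack)
    elif uris and uris.most_common(1)[0][1] > sum(uris.values()) / 2 and len(uri_sources) > 10:
        # one resource dominates and many distinct clients ask for it
        verdict = "application: HTTP GET flood for %s" % uris.most_common(1)[0][0]
    return {"packets": n, "protocols": dict(protos), "syn": syn, "synack": synack,
            "top_sources": Counter(r["src"] for r in rows).most_common(5),
            "top_uris": uris.most_common(5), "verdict": verdict}


# Constructed samples (TEST-NET addresses, no real hosts)
def _lines(srcs, dst, proto, syn, ack, uri, repeat=1):
    return [",".join((s, dst, proto, syn, ack, uri)) for s in srcs for _ in range(repeat)]


_SPOOFED = ["203.0.113.%d" % i for i in range(1, 255)] + ["198.51.100.%d" % i for i in range(1, 47)]
SYN_FLOOD_SAMPLE = "\n".join(_lines(_SPOOFED, "10.0.0.5", IP_TCP, "1", "0", "")
                             + _lines(["10.0.0.5"] * 3, "203.0.113.1", IP_TCP, "1", "1", ""))
HTTP_FLOOD_SAMPLE = "\n".join(_lines(_SPOOFED[:40], "10.0.0.5", IP_TCP, "0", "1", "/images/banner-large.jpg", repeat=5)
                              + _lines(_SPOOFED[:5], "10.0.0.5", IP_TCP, "0", "1", "/index.html", repeat=4))
ICMP_FLOOD_SAMPLE = "\n".join(_lines(_SPOOFED[:100], "10.0.0.5", IP_ICMP, "", "", ""))

if __name__ == "__main__":
    for name, sample in (("syn", SYN_FLOOD_SAMPLE), ("http", HTTP_FLOOD_SAMPLE), ("icmp", ICMP_FLOOD_SAMPLE)):
        result = fingerprint(parse_fields(sample))
        print(name, result["verdict"], result["top_uris"][:1])
```

The thresholds (50 SYNs, a 10:1 SYN to SYN/ACK ratio, one URI above half of all requests from more than ten clients) are starting points for a constructed sample; tune them against a baseline capture of the same server before trusting the verdict on live traffic.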
TOOL SUITES
PREBUILT ISO, VIRTUAL MACHINE AND DISTRIBUTIONS
- KALI - Open Source Pentesting Distribution
- Ref. https://www.kali.org
- SIFT - SANS Investigative Forensics Toolkit
- REMNUX - A Linux Toolkit for Reverse-Engineering and Analyzing Malware
- Ref. https://remnux.org
- OPEN VAS - Open Source vulnerability scanner and manager
- MOLOCH - Large scale IPv4 packet capturing (PCAP), indexing and database system (renamed Arkime in 2020)
- SECURITY ONION - Linux distro for intrusion detection, network security monitoring, and log management
- NAGIOS - Network Monitoring, Alerting, Response, and Reporting Tool
- OSSEC - Scalable, multi-platform, open source Host-based Intrusion Detection System
- SAMURAI WTF - Pre-configured web pen-testing environment
- RTIR - Request Tracker for Incident Response
- HONEYDRIVE - Pre-configured honeypot software packages
- The Enhanced Mitigation Experience Toolkit (EMET) - helps prevent vulnerabilities in software from being successfully exploited (retired by Microsoft in July 2018; its mitigations live on as Exploit Protection in Windows Defender Exploit Guard)
- ATTACK SURFACE ANALYZER BY MICROSOFT - Baseline Tool
- WINDOWS TO GO - USB Portable Windows 8 (removed from Windows 10 as of version 2004)
- WINFE - Windows Forensic Environment on CD/USB
- DCEPT - Deploying and detecting use of Active Directory honeytokens
- TAILS - The Amnesic Incognito Live System
- GRR - Google Rapid Response framework focused on remote live forensics