Thanks to Webmaster Tips for the reminder about using lynx to pull the content of a web page without saving it to a file.
Using their method, we can quickly check the "Total Threat count" on Norton's Safe Web site for a domain using:
lynx -source "http://safeweb.norton.com/report/show?name=domain.com" | grep -i "Total threats found:" | awk -F '>' '{print $2}' | awk -F '<' '{print $1}'
Not all that pretty, but effective nonetheless. Looking to add 2-3 more command line based checks, including Google's Safe Browsing API.
Wednesday, September 9, 2009
Sunday, August 23, 2009
Dump all IPs from pcap with tshark
Simple command to dump all IPs from a PCAP using tshark (custom fields are RED):
tshark -nr sample.pcap ip awk '{print $3 ; $ 5 }' sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 uniq > output_file
By section:
- Summarize all IP traffic in the PCAP without resolving names or ports
- Print the source and destination IPs on separate lines (the ;)
- Sort the results appropriately for IP addresses (thanks to networking.ringofsaturn.com)
- Remove duplicates
- Redirect the output to a file
tshark -nr sample.pcap ip awk '{print $3 ; $ 5 }' sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 uniq > output_file
By section:
- Summarize all IP traffic in the PCAP without resolving names or ports
- Print the source and destination IPs on separate lines (the ;)
- Sort the results appropriately for IP addresses (thanks to networking.ringofsaturn.com)
- Remove duplicates
- Redirect the output to a file
Wednesday, August 19, 2009
Automated Malware Analysis - Lab or Live
The internal debate:
A. Lab only (with a minor exception for legit DNS lookups) with all traffic hitting mock services on a mock Internet
OR
B. Uber-throttled, hardened, and ham strung Internet connection to improve scope and accuracy of analysis
The obvious knock on B is that "You put others on the Internet at risk". Really? If the outbound ports are severely limited, connections throttled, and duration capped, isn't that risk wildly overstated? At that point, what is the difference between approach B and manually wget'ing links on a live system, only to move those files into the lab, rinse, and repeat?
A. Lab only (with a minor exception for legit DNS lookups) with all traffic hitting mock services on a mock Internet
OR
B. Uber-throttled, hardened, and ham strung Internet connection to improve scope and accuracy of analysis
The obvious knock on B is that "You put others on the Internet at risk". Really? If the outbound ports are severely limited, connections throttled, and duration capped, isn't that risk wildly overstated? At that point, what is the difference between approach B and manually wget'ing links on a live system, only to move those files into the lab, rinse, and repeat?
Saturday, August 15, 2009
Reverse Engineering Cheat Sheet
Ran across this cheat sheet from Microsoft on X86/Win32 for Reverse Engineers. Also found this one by Lenny Zeltser that is more how-to centric. Both are handy one-pagers to keep with an IDA book.
Lenny also has a number of other InfoSec cheat sheets on his site covering everything from Internet Application Security to DDoS Incident Reponse, as well as links to InfoSec cheat sheets by others.
Lenny also has a number of other InfoSec cheat sheets on his site covering everything from Internet Application Security to DDoS Incident Reponse, as well as links to InfoSec cheat sheets by others.
Friday, August 14, 2009
Thursday, August 13, 2009
Lock down single user sign-on
Add the following to /etc/inittab
su:S:wait:/sbin/sulogin
source: http://thedaneshproject.com/posts/password-protect-single-user-mode/
su:S:wait:/sbin/sulogin
source: http://thedaneshproject.com/posts/password-protect-single-user-mode/
Updated Cheatsheets Available
SANS post on updated cheatsheets details the following:
- Jeremy Stretch's work at PacketLife.net: http://packetlife.net/cheatsheets/
- Forensic cheatsheets for XP and Vista/Win7.
- Jeremy Stretch's work at PacketLife.net: http://packetlife.net/cheatsheets/
- Forensic cheatsheets for XP and Vista/Win7.
Tuesday, July 28, 2009
Quick CentOS Inventory Script
Had a need to quickly grab inventory (sys config) information from a bunch of hosts on our network. Unfortunately, identifying the number of CPUs/cores and specific drive information isn't always clear cut. This script grabs the key information, which can be used to discern the basic system configuration.
A couple of notes:
1. This is CentOS or RedHat specific. Your mileage will vary with other flavors.
2. At the time of this post, all of our systems are using SCSI drives and the script only grabs SCSI disk info from dmesg.
#!/bin/bash
clear
echo "##################### SYSTEM INVENTORY ########################"
grep HOSTNAME /etc/sysconfig/network
cat /etc/redhat-release | awk -F "&&&" '{print "OS VERSION: " $1}'
echo
echo "NETWORK INFO:"
echo "#################################################################"
/sbin/ifconfig | grep -A1 eth0 |grep "inet addr" | awk '{print $2}' |awk -F ":" '{print "ETH0 IP ADDRESS: " $2}'
/sbin/ifconfig | grep -A1 eth1 |grep "inet addr" | awk '{print $2}' |awk -F ":" '{print "ETH1 IP ADDRESS: " $2}'
echo "#################################################################"
echo
echo "CPU INFO:"
echo "#################################################################"
cat /proc/cpuinfo |egrep "processor|model name|cpu MHz|physical id"
echo "#################################################################"
echo
cat /proc/meminfo | grep MemTotal | awk '{print "SYSTEM MEMORY: "$2"KB"}'
echo
echo "HARD DISK INFO:"
echo "#################################################################"
dmesg | grep SCSI | grep MB
echo
df -lTh
echo
echo "##################### END OF INVENTORY ########################"
exit 0
A couple of notes:
1. This is CentOS or RedHat specific. Your mileage will vary with other flavors.
2. At the time of this post, all of our systems are using SCSI drives and the script only grabs SCSI disk info from dmesg.
#!/bin/bash
clear
echo "##################### SYSTEM INVENTORY ########################"
grep HOSTNAME /etc/sysconfig/network
cat /etc/redhat-release | awk -F "&&&" '{print "OS VERSION: " $1}'
echo
echo "NETWORK INFO:"
echo "#################################################################"
/sbin/ifconfig | grep -A1 eth0 |grep "inet addr" | awk '{print $2}' |awk -F ":" '{print "ETH0 IP ADDRESS: " $2}'
/sbin/ifconfig | grep -A1 eth1 |grep "inet addr" | awk '{print $2}' |awk -F ":" '{print "ETH1 IP ADDRESS: " $2}'
echo "#################################################################"
echo
echo "CPU INFO:"
echo "#################################################################"
cat /proc/cpuinfo |egrep "processor|model name|cpu MHz|physical id"
echo "#################################################################"
echo
cat /proc/meminfo | grep MemTotal | awk '{print "SYSTEM MEMORY: "$2"KB"}'
echo
echo "HARD DISK INFO:"
echo "#################################################################"
dmesg | grep SCSI | grep MB
echo
df -lTh
echo
echo "##################### END OF INVENTORY ########################"
exit 0
Monday, July 27, 2009
Finding all large files on a linux host
I ran across the common problem of one of our file systems running short on space and needed to figure out what was all of a sudden occupying most of the space. Google pointed me to a DZone Snippets post on the subject.
The command worked as written, but if the results list was long, it was fairly difficult to identify the worst offenders. Reordering the awk output fixed that and a quick sort puts the biggest files at the bottom of the results. The only other changes were to use the "M" option to specify megabytes vs. kilobytes and to remove the human readable switch from the ls command. This allows the results to be accurately sorted. Otherwise, files with sizes in the gigabytes would appear at the top of the results.
This is what I ended up using:
find / -type f -size +50M -exec ls -l {} \; | awk '{ print $5 " -- " $9 }' | sort -n
Update (8-11-09):
So the original command above works, but does not take into account directory and filenames with spaces in them. The following awk command resolves that problem, but does have one known issue. If the filename is the same as another value on the line (e.g. user/group is root and filename is root), it will spit out everything from the user/group field on. I have not seen this behavior using the full command.
find / -type f -size +50M -exec ls -l {} \; | awk '{ print $5 " -- " substr($0,index($0,$9))}' | sort -n
The command worked as written, but if the results list was long, it was fairly difficult to identify the worst offenders. Reordering the awk output fixed that and a quick sort puts the biggest files at the bottom of the results. The only other changes were to use the "M" option to specify megabytes vs. kilobytes and to remove the human readable switch from the ls command. This allows the results to be accurately sorted. Otherwise, files with sizes in the gigabytes would appear at the top of the results.
This is what I ended up using:
find / -type f -size +50M -exec ls -l {} \; | awk '{ print $5 " -- " $9 }' | sort -n
Update (8-11-09):
So the original command above works, but does not take into account directory and filenames with spaces in them. The following awk command resolves that problem, but does have one known issue. If the filename is the same as another value on the line (e.g. user/group is root and filename is root), it will spit out everything from the user/group field on. I have not seen this behavior using the full command.
find / -type f -size +50M -exec ls -l {} \; | awk '{ print $5 " -- " substr($0,index($0,$9))}' | sort -n
Thursday, July 23, 2009
SATA hardware write blocker, anyone?
In the course of our automated malware analysis, we have made use of CorePROTECT's CoreRESTORE IDE hardware write blocker. Unfortunately, I bought the last four available and without a significant (i.e. 500+) order, they do not plan on doing another production run.
It is becoming increasingly difficult to buy modern systems with IDE drives. Enter the problem. No one seemingly makes hardware write blockers for SATA drives.
There are plenty of software options out there, such as Microsoft's SteadyState, DeepFreeze, Returnil, and CornerStone (see: SANS discussion of multiple products). All of these work with varying degrees of success and detectability. CoreRESTORE blockers work extremely well, but aren't foolproof when it comes to detection. Fortunately, we have not run across any malware that specifically looks for this hardware.
Why don't we use virtual systems, snapshots, etc...? We do. But we always have physical systems ready, in case the malware is VM aware.
If you are aware of anyone else manufacturing hardware write blockers, especially for modern drives, please reply.
It is becoming increasingly difficult to buy modern systems with IDE drives. Enter the problem. No one seemingly makes hardware write blockers for SATA drives.
There are plenty of software options out there, such as Microsoft's SteadyState, DeepFreeze, Returnil, and CornerStone (see: SANS discussion of multiple products). All of these work with varying degrees of success and detectability. CoreRESTORE blockers work extremely well, but aren't foolproof when it comes to detection. Fortunately, we have not run across any malware that specifically looks for this hardware.
Why don't we use virtual systems, snapshots, etc...? We do. But we always have physical systems ready, in case the malware is VM aware.
If you are aware of anyone else manufacturing hardware write blockers, especially for modern drives, please reply.
Friday, July 17, 2009
Mounting cdrom in %post on RHEL/CentOS 5.x
Problem: The anaconda tarball contains(ed) a change that causes RHEL/CentOS 5.x installs to prematurely eject the cdrom/dvd before %post is executed in custom installs. There is discussion of what is affected here. In addition to the eject issue, /dev/cdrom no longer exists during the 5.x install process.
Solution Part 1: To resolve the cdrom eject issue, you need to modify the /usr/lib/anaconda/dispatch.py script in the stage2.img file from your custom install media. In order to mount and edit the stage2.img file, I did the following (based upon Ansari Imtiyaz's post here):
Copy the existing stage2.img file to the /tmp directory
# cp/images/stage2.img /tmp/old_stage2.img
# mkdir /mnt/old_stage2
Mount the old image
# mount -o loop /tmp/old_stage2.img /mnt/old_stage2
The old image is non-writable at this point, so we tar the files to move them to a writable folder
# cd /mnt/old_stage2
# tar -cvf /tmp/temp_stage2.tar .
# mkdir /tmp/new_stage2
# cd /tmp/new_stage2
# tar -xvf /tmp/stage2.tar
Once the tar file has been expanded, edit the /tmp/new_stage2/usr/lib/anaconda/dispatch.py file by flip-flopping the "methodcomplete" and "dopostaction" lines, as described here. Once editted, the "methodcomplete" line should follow the "dopostaction" line.
Create the new image file
# cd /tmp
# mkfs.cramfs stage2/ stage2.img.new
Copy the new image file into place
# mv/images/stage2.img /images/stage2.img.old
# cp /tmp/stage2.img.new/images/stage2.img
Solution Part 2: To resolve the issue with /dev/cdrom not existing during the install process, follow the instructions provided here (comment #3). I had to adjust Micah's sed command to properly provide the drive alias and to mount in a location that matches what is already in my kickstart:
### Insert into kickstart ks.cfg file after %post
cdrom=`cat /proc/sys/dev/cdrom/info | grep "drive name:" | sed 's/^drive name:\W*//'`
echo "CD ROM device is $cdrom; making dev link..."
ln -s /dev/$cdrom /tmp/cdrom
mount -t iso9660 -o ro /tmp/cdrom /mnt/cdrom
Solution Part 1: To resolve the cdrom eject issue, you need to modify the /usr/lib/anaconda/dispatch.py script in the stage2.img file from your custom install media. In order to mount and edit the stage2.img file, I did the following (based upon Ansari Imtiyaz's post here):
Copy the existing stage2.img file to the /tmp directory
# cp
# mkdir /mnt/old_stage2
Mount the old image
# mount -o loop /tmp/old_stage2.img /mnt/old_stage2
The old image is non-writable at this point, so we tar the files to move them to a writable folder
# cd /mnt/old_stage2
# tar -cvf /tmp/temp_stage2.tar .
# mkdir /tmp/new_stage2
# cd /tmp/new_stage2
# tar -xvf /tmp/stage2.tar
Once the tar file has been expanded, edit the /tmp/new_stage2/usr/lib/anaconda/dispatch.py file by flip-flopping the "methodcomplete" and "dopostaction" lines, as described here. Once editted, the "methodcomplete" line should follow the "dopostaction" line.
Create the new image file
# cd /tmp
# mkfs.cramfs stage2/ stage2.img.new
Copy the new image file into place
# mv
# cp /tmp/stage2.img.new
Solution Part 2: To resolve the issue with /dev/cdrom not existing during the install process, follow the instructions provided here (comment #3). I had to adjust Micah's sed command to properly provide the drive alias and to mount in a location that matches what is already in my kickstart:
### Insert into kickstart ks.cfg file after %post
cdrom=`cat /proc/sys/dev/cdrom/info | grep "drive name:" | sed 's/^drive name:\W*//'`
echo "CD ROM device is $cdrom; making dev link..."
ln -s /dev/$cdrom /tmp/cdrom
mount -t iso9660 -o ro /tmp/cdrom /mnt/cdrom
Subscribe to:
Posts (Atom)