Ruben Dario Caravajal Herrera

Posts by Ruben Dario Caravajal Herrera

Simple Event Log Analysis

0 Comments
Blog, Members Only

Event logs provide information about applications and can be modified including parameters using cdmlets characteristics that help to dump these events into specific variables or simply to identify specific dates within system registers.

The Log file analysis is an important task that allows us to get critical information about a service, an application or system. When we need to examine or when we need to research a target, it is highly recommended to dig into the logs files because, all the configurations, events, error warnings notices from a given system is stored in this files.

Step 1: Dump the event logs

The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.

To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.

If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.

Get-EventLog -LogName application | Export-Clixml Applog.xml
type .\Applog.xml
$logs = "system","application","security"

The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console

$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }

Step 2: Import the event log of interest

To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.

Store the results in a variable.

Let’s take a look at the commandlets Where-Object, Group-Object, and Select-Object.

The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.

$seclog = Import-Clixml security.xml
$seclog | select -Last 5

A cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:

Get-EventLog Application -After (Get-Date).AddDays(-1)

You can use ‘-after’ and ‘-before’ to filter date ranges

One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.

By default, an ordinary user does not have permission to read the security log.

Step 3: Drill into a specific entry

To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.

$seclog | select -first 1 | fl *

The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.

($seclog | select -first 1).message
(($seclog | select -first 1).message).gettype()

In the *nix world, you often want a count of something (wc -l).

How often is the security privilege mentioned in the message property?

To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure

If you want to ensure that only event log entries return that contains SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid

Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.

Use the count property to determine the total number of entries in the event log.

$seclog.Count

SIMPLE LOGFILE ANALYSIS

The Select-String  cmdlet, is the most used command to search or filter files :

Description

The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows. You can type Select-String or its alias, sls.

Select-String is based on lines of text. By default, Select-String finds the first match in each line and, for each match, it displays the file name, line number, and all text in the line containing the match. However, you can direct it to detect multiple matches per line, display text before and after the match, or display only a Boolean value (True or False) that indicates whether a match is found.

Select-String uses regular expression matching, but it can also perform a simple match that searches the input for the text that you specify.

Select-String can display all of the text matches or stop after the first match in each input file. It can also display all text that does not match the specified pattern. You can also specify that Select-String should expect a particular character encoding, such as when you are searching files of Unicode text.

 

mkdir c:\ps
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=TV", "c:\ps\CiscoLogFileExamples.txt")

 

 

Select-String cmdlet:

Select where the String “192.168.208.63”:

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt

Select where the String “192.168.208.63” by-line, as we can see in this example we can pipe a result to another cmdlet:

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line

To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object

To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object

Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique

To determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.

This sorts the IP addresses in a descending pattern as well as count and delivers the output to the shell.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des

 

They are very interesting things that you can do with powershell I invite you to continue researching more about this.

Web vulnerability scanner

0 Comments
Members Only

w3af Definition

w3af is another lightweight escalated web vulnerability scanner developed by the well able OWASP web application security programmers. Reporting is restricted and not as good as in Arachni. Nonetheless, w3af gives a decent foundation to vulnerability reporting. The vast playing point, or downfall dependent on how a penetration tester is fascinated by the project, is that w3af has numerous adjustable vulnerability plugins that oblige redesigns from the Internet at the time the plugin is launched. During a penetration testing session, in the case that the analyzer doesn’t get access to the internet, w3af creates plenty of failures. When an Internet association is accessible, the plugins download scripts and vulnerability checks, verifying that the output is as forward as could be allowed.

w3af Installation

Be sure to have this software ready before commencing the installation process:

Git client: sudo apt-get install git
Python 2.7 that is installed by default in most systems
Pip version 1.1: sudo apt-get install python-pip

  • First, we download w3af's source code using git
  • Next, we try running the w3af_console command, that will most probably fail due to missing dependencies. This command generates a helper script at /tmp/w3af_dependency_install.shthat when run will install all the required dependencies.
  • Dependencies are installed by running /tmp/w3af_dependency_install.sh
git clone https://github.com/andresriancho/w3af.git
cd w3af/
./w3af_console
. /tmp/w3af_dependency_install.sh

Scanning with w3af

To start with w3af run  ./w3af _console and then to load the help menu w3af>>> help.

To navigate the profiles

w3af>>> profiles

and to list all the possible options

w3af/profiles>>> list

You require to choose the Profile as OWASP_TOP10

w3af/profiles>>> use OWASP_TOP10

Defining the target to scan

w3af/profiles>>>back

to revert back to the main menu and then

w3af>>> target

w3af/config:target>>> set target domain.com

w3af/config:target>>> save

w3af/config:target>>> back

All the configurations are saved.

Start the scan using w3af.

w3af >> start

Standard scanning takes approximately 20 minutes, depends upon the target it may vary.

Happy pen testing!!

 

Footprinting

0 Comments
Members Only

Just imagine this, you are a hunter or a fisherman, I mean a professional. And you are planning your excursion to find your prey. What do you need? You need to know the terrain you will enter to take your prize. You need to watch for prints or get the right bait, you must know the habits of your prey. This is exactly what this means in the virtual world, the Hacker will gather all there is to know about what he sees as his target, being a corporation or just an individual. He’ll begin by doing a reconnaissance excursion, and watch every move a victim or a corporation has, have and probably will make, to finally set the trap more likely to be infallible on their systems.

Footprinting is the process of capturing as much information about a particular organization as possible. The objective of footprinting is to obtain this information in such a way as to not notify the organization. This information is available publicly, either from third parties or from the organization itself. The primary items targeted when footprinting includes:

  • The size and scope of the particular organization’s Internet presence
  • The presence of partnerships and any indication of backend network connectivity
  • An analysis of the current security policy
  • The location of operations and other facilities
  • The names and e-mail addresses of current important employees
  • The ability of the organization to control critical information about itself

Tools, Installation, and ways of use

In the next part, we have a list of known tools to collect information. We can perform an additional investigation and find many more tools for this type of tests and depending on the company you can make use of them.

  • WHOIS
  • Nslookup
  • Web-Based Tools

WHOIS

WHOIS allows you to query the information an organization entered when they registered their domain. ICANN regulations require all domain holders to submit WHOIS information. This information is displayed in public ‘WHOIS’ database. The information available includes the Registrant, Administrative, Billing, and Technical contact information.

The way to make the query is very simple you enter the website and enter the domain name as shown in the following image.

Nslookup

Nslookup is employed to query domain name servers. A nslookup query can be used to resolve IP addresses to hostnames. Hackers will typically target the MX record as it contains the IP address of the mail server. Another well-used tactic is that of attempting a zone transfer. These attacks typically take the following form:

c:\ nslookup server <ipaddress> set type=any ls -d target.com

Zone transfers should be prevented by limiting the devices that can permit this information, and by blocking TCP port 53 (Domain Name System) at the firewall. Note that “nslookup” is deprecated on many newer UNIX systems so consider using “dig” instead.

This is the same as the previous one, we must also enter the website and put the domain name as shown in the following image. We invite you to carry out tests with domains of your interest and analyze the results.

Web-based Tools

Many web-based tools are available to help hidden domain information. These services provide whois information, DNS information, and network queries.

From the previous list, we recommend you use Betterwhois we assure you that you will be amazed by the information you will get. How are there many websites that will provide you with a lot of information in this part of the process? We recommend that you do lots of tests and choose the tool that you like the most.

Domain Location and Path Discovery

If you are unsure of a domain’s location, the best way to determine its position is by use of the traceroute command. Traceroute identifies a path to a domain by incrementing the TTL field of the IP header.

When the TTL falls to zero, an ICMP message is generated. These ICMP messages identify each particular hop on the path to the destination. An example traceroute is shown below:

C:\>tracert www.infosecaddicts.com
Tracing route to www.infosecaddicts.com [104.25.167.6]
over a maximum of 30 hops:
  1   <1 ms    <1 ms <1 ms  10.0.2.2
  2    8 ms   2 ms 2 ms  openrg.home [192.168.1.1]
  3   42 ms    31 ms 31 ms  10.7.85.46
  4   29 ms    29 ms 28 ms  10.7.85.45
  5   47 ms    46 ms 47 ms  telefonica2-nap.ccit.org.co [206.223.124.157]
  6    *   * 48 ms  internexa1-nap.ccit.org.co [206.223.124.154]
  7    *   * *     Request timed out.
  8   48 ms    50 ms 49 ms  179.1.92.19
  9   47 ms    47 ms 48 ms  104.25.167.6
Trace complete.
C:\>

We use the trial version of http://www.visualroute.com/download.html This shows us on the geo-map the location of the target website and much more information in an organized way we invite you to explore this tool and analyze The route of any site of interest as shown in the following image.

ARIN, RIPE, and Regional Databases RIR’s are discoverable by IP address. If just the domain name is available, you can verify the IP by pinging the domain name. RIR’s and their area of control include:

ARIN (American Registry for Internet Numbers) – Contains domain information for domains being hosted in the Americas

RIPE (Réseaux IP Européens Network Coordination Centre) – Contains domain information for sites being hosted in the European area

APNIC (Asia Pacific Network Information Centre) – Contains domain information for sites be- ing hosted in the Asian Pacific area

AFRINIC (proposed African Regional Internet Registry) – Contains domain information for sites being hosted in Africa

LACNIC (Latin American and Caribbean Network Information Centre) – Contains domain information for sites in Latin America, South America, and the Caribbean

Determining the Network Range: You can query the RIR to identify what network range that the particular organization owns. If you select the wrong RIR, you will receive an error message, pointing out to the correct record holder.

Google Groups

Google Groups, The Google Groups area has taken over the DejaNews archives. Google groups are a common place for people to post questions about security or network problems. Data from Google Groups postings are archived for many years, and this information can yield many interesting facts about the systems or procedures that the organization is using. Some organizations will even post router configurations and their passwords in Google Groups. This is something your organization should not do! I’ve posted my PIX configuration below. I have included my IP addresses and e-mail address. Can anyone see why my home users cannot access the internal server through the firewall from my <RET MOVED_IP>? I’m concerned that my users are not going to be able to telecommute.

E-mail Tips and Tricks

The Simple Mail Transfer Protocol (SMTP) is employed for sending an e-mail. Every single e-mail you receive has a header that contains vital information such as the IP address of the particular server sending the message, the corresponding names of any attachments provided with the e-mail, and the time and date of the e-mail that was sent and received.

Bouncing E-mail – One conventional technique is to send an e-mail to an invalid e-mail address. The sole purpose of this technique is to examine the SMTP header that will be returned, revealing the e-mail server’s IP address, application type, and version.

Other ways to track interesting e-mail is to use software that will permit you to verify from where the e-mail originated from and how the recipient handled it.

eMailTracking Pro – This tool will enable you to track e-mail back to the sender

MailTracking.com – This tool allows you to find out when your e-mail was opened, how long it was read, and whether or not it got forwarded to someone else.

Now you can start with your tests and start getting the information of interest

Suricata in Ubuntu

0 Comments
Members Only

Suricata is a free, open source, mature, fast and robust network threat detection engine. In this publication, we will show one of the many things you can do.

We will need our virtual machine of any operative system of which we are going to make a ping. On the other hand, we need our virtual Linux machine Ubuntu in which we will install and configure Suricata.

We update our Linux virtual machine with the following command.

$ sudo apt-get update

With the following command we will install Suricata

$ sudo apt-get install suricata -y

We will create an empty rules file with the following command.

$ sudo touch /etc/suricata/rules/local.rules

Now we will edit the file suricata.yaml with the following command, you can use vim or nano in our case we will use gedit.

$ sudo gedit /etc/suricata/suricata.yaml

We will comment on all the rules files available, in this way our rules file will have priority, the comment is made by adding the sign # at the beginning of the line.

local.rules was a file that we created in the past.

Now we will add our local network, which we have configured in our virtual machine, in this case we have the 192.168.100.0/24

The next step is to edit our local file.rules

$ sudo gedit /etc/suricata/rules/local.rules

This is what we have to write in our file local.rules

$ alert icmp any any -> 192.168.100.3 any (msg: "ICMP detected";  sid:100000001;)

If you do not have ethtool installed yet, you can do it with the following command.

$ sudo -s

# apt-get install ethtool

Now execute following command to make GRO (Generic receive offload) disable on specific interfaces with help of Ethtool.

$ sudo ethtool -K enp0s3 gro off

Then again turn On NIDS mode of surictata using given below command.

$ sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3

Now we ping from another virtual machine that is in the same network.

ping 192.168.100.3

And as a result, we have the record that made the virtual machine infosecaddicts@hacker to the machine that has meerkat installed infosecaddicts@infosecaddicts, to see that information in detail we will review the file fast.log with the following command.

$ sudo tall -f /var/log/suricata/fast.log

Suricata has other much better functionality we invite you to install and perform much more tests with this tool.