Cryptography Caesar Shift Cipher

To understand the concept of cryptography well, we will look at a simple and very famous example that you will solve with Python 3. I always put the emphasis on Python because it is a great language and easy to learn.

Cryptography is one of the most interesting branches of programming. Studying its algorithms usually begins with the simple method named after the famous Roman emperor Julius Caesar, who used it for communicating his military secrets (and perhaps for love letters to Cleopatra).

We will practice deciphering encrypted messages in this problem.

The idea of the algorithm is simple. Each letter of the original text is substituted by another, by the following rule:

  • find the letter (which should be encrypted) in the alphabet;
  • move K positions further (down the alphabet);
  • take the new letter from there;
  • if the “shift” runs past the end of the alphabet, continue from its start.

For example, if K=3 (the shift value used by Caesar himself), then A becomes D, B becomes E, W becomes Z and Z becomes C, and so on, according to the following table:

There are many ways to solve this problem; here is one of them. If you get a little more inventive with Python or Ruby, you can answer this with only three lines of code.

# First line: the number of encrypted lines and the shift K, e.g. "1 3".
# Splitting on whitespace also works when either value has more than one digit.
quantity = input('Write the number of words and the value of "K"\nfor example: 1 3: ').split()
count = int(quantity[0])
k = int(quantity[1])

# Read the encrypted lines one at a time.
ls = []
i = 0
while i < count:
    ls.append(input("Write the words separated by space and end with a point: "))
    i = i + 1

text = " ".join(ls)
lsl = ["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z"]
lsn = []

# Decrypt: move every letter K positions back up the alphabet.
# The modulo wraps A, B, C ... back around to the end of the alphabet.
for ch in text:
    if ch in lsl:
        lsn.append(lsl[(lsl.index(ch) - k) % 26])
    elif ch == " ":
        lsn.append(" ")
    elif ch == ".":
        lsn.append(". ")

lsn = "".join(lsn)
print("decrypted message: ")
print(lsn)
input("EXIT")

Let’s look at what this code does in Python.

Suppose we receive the following message and we are told that K = 3:

“LQIRVHFDGGLFWV LV WKH EHVW”

This is very simple, and the idea was to show how it works. Something a little more complex would be to work out the value of K when it is not given. Real encryption methods are much more complicated than everything above.
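As an added example (this is not the post's code), the same shift written with modular arithmetic, plus the harder case the paragraph above raises: recovering K when it is not given. Since there are only 26 possible shifts, every candidate plaintext is scored against an approximate English letter-frequency table (the percentages are an assumption built into the example) and the best-scoring shift is taken as K. The ciphertext in the demo is the one from the post.

```python
import string

ALPHABET = string.ascii_uppercase  # "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate relative frequency (percent) of each letter in English text.
# Assumed values for scoring; any reasonable table gives the same ranking here.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}


def caesar_shift(text: str, k: int) -> str:
    """Move every letter k positions down the alphabet, wrapping Z back to A.

    Non-letters (spaces, punctuation) pass through unchanged. k may be any
    integer: a negative k moves up the alphabet, so shifting by -k undoes
    a shift by k."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, k: int) -> str:
    return caesar_shift(plaintext, k)


def decrypt(ciphertext: str, k: int) -> str:
    return caesar_shift(ciphertext, -k)


def english_score(text: str) -> float:
    """Sum of letter frequencies: higher means the text looks more like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def recover_k(ciphertext: str) -> int:
    """Brute force: try all 26 shifts and keep the most English-looking one."""
    return max(range(26), key=lambda k: english_score(decrypt(ciphertext, k)))


if __name__ == "__main__":
    message = "LQIRVHFDGGLFWV LV WKH EHVW"  # ciphertext from the post, K = 3
    k = recover_k(message)
    print("recovered K:", k)
    print("decrypted message:", decrypt(message, k))
```

The frequency score is deliberately crude; it works because a single Caesar shift is the same substitution for every letter, so the one shift that maps the ciphertext back onto common English letters stands out clearly even on a short message.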

Many tools decipher in seconds, and some use artificial intelligence.

Resources:

http://www.codeabbey.com/

If you are interested in learning more, we invite you to review this course.

Python For InfoSec Professionals


Meterpreter Commands

What is meterpreter?

Meterpreter, or a Meterpreter session, is what we obtain after a successful exploitation, and it allows us to obtain information and do many things on the host. The name is short for meta-interpreter, and it runs entirely in memory. In this post we will show a list of commands that are very useful during an audit.

Meterpreter command list

It allows you to capture an image of the remote desktop.

meterpreter > screenshot

It allows you to view the information of all the network interfaces on the attacked machine.

meterpreter > ipconfig

It allows you to check which process the session is running in (getpid) and which user it is running as (getuid), and to list the mounted drives (show_mount).

meterpreter > getpid

meterpreter > getuid

meterpreter > show_mount

It allows you to view and modify the routing table.

meterpreter > route

It allows you to upload a file to a specific path on the attacked machine. As with the download command, you need to use a double backslash when writing a Windows path.

meterpreter > upload

It allows you to download a file from the attacked machine; again, use a double backslash in the path.

meterpreter > download

It allows you to obtain information about the remote system, such as:

1. Name of the machine.
2. Operating System.
3. Type of architecture.
4. Language of the operating system.

meterpreter > sysinfo

It allows you to check how long the user of the victim machine has been idle.

meterpreter > idletime

You are now ready to use these Meterpreter commands after you compromise the victim host.

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/

Resources:

https://www.nyxbone.com/metasploit/Meterpreter.html

https://en.wikipedia.org/wiki/Metasploit_Project


Simple Event Log Analysis

Event logs provide information about applications and the system, and with PowerShell cmdlets and their parameters you can dump these events into variables or simply pick out specific dates within the system's records.

Log file analysis is an important task that gives us critical information about a service, an application or a system. When we need to examine or research a target, it is highly recommended to dig into the log files, because the configurations, events, errors, warnings and notices of a given system are all stored in these files.

Step 1: Dump the event logs

The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.

To dump the event log, you can use the Get-EventLog and Export-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.

If you need to work with one of the trace logs, use the Get-WinEvent and Export-Clixml cmdlets.

Get-EventLog -LogName application | Export-Clixml Applog.xml
type .\Applog.xml
$logs = "system","application","security"

The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console.

$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }

Step 2: Import the event log of interest

To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.

Store the results in a variable.

Let’s take a look at the cmdlets Where-Object, Group-Object, and Select-Object.

The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.

$seclog = Import-Clixml security.xml
$seclog | select -Last 5

A cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:

Get-EventLog Application -After (Get-Date).AddDays(-1)

You can use -After and -Before to filter date ranges.

One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NTFS and share permissions that are assigned to the location where you store it.

By default, an ordinary user does not have permission to read the security log.

Step 3: Drill into a specific entry

To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.

$seclog | select -first 1 | fl *

The message property contains the SID, account name, user domain, and privileges that are assigned for the new logon.

($seclog | select -first 1).message
(($seclog | select -first 1).message).gettype()

In the *nix world, you often want a count of something (wc -l).

How often is the security privilege mentioned in the message property?

To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure

If you want to see which event IDs the entries containing SeSecurityPrivilege belong to, use Group-Object to gather the matches by the EventID property.

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid

Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.

Use the count property to determine the total number of entries in the event log.

$seclog.Count

SIMPLE LOGFILE ANALYSIS

The Select-String cmdlet is the most used command for searching or filtering files:

Description

The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows. You can type Select-String or its alias, sls.

Select-String is based on lines of text. By default, Select-String finds the first match in each line and, for each match, it displays the file name, line number, and all text in the line containing the match. However, you can direct it to detect multiple matches per line, display text before and after the match, or display only a Boolean value (True or False) that indicates whether a match is found.

Select-String uses regular expression matching, but it can also perform a simple match that searches the input for the text that you specify.

Select-String can display all of the text matches or stop after the first match in each input file. It can also display all text that does not match the specified pattern. You can also specify that Select-String should expect a particular character encoding, such as when you are searching files of Unicode text.


mkdir c:\ps
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=TV", "c:\ps\CiscoLogFileExamples.txt")


Select-String cmdlet:

Select the lines containing the string “192.168.208.63”:

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt

Select only the line text for matches of “192.168.208.63”; as this example shows, we can pipe the result to another cmdlet:

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line

To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object

To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object

Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique

To determine which IP addresses have the most communication, the last commands are removed so that the value of each match is kept. Then the group command is issued on the piped output to group all the IP addresses by value, and the groups are sorted using the alias for Sort-Object: sort count -des.

This sorts the IP addresses by count in descending order and delivers the output to the shell.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
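The same pipeline written as a standalone Python script, added here as an example (it is not part of the original post and does not use the downloaded file): a literal "grep" for one host, extraction of every IPv4-looking match with the post's own regular expression, the unique set, and the count-per-address ranking that `group value | sort count -des` produces. The log lines are constructed in Cisco ASA syslog style. One caveat the PowerShell one-liner silently has is also handled: `\d{1,3}` also matches dotted numbers such as a version string "9.12.4.999" that are not addresses, so each match is validated with the ipaddress module before it is counted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Cisco ASA syslog style (not the CiscoLogFileExamples.txt file).
LOG_LINES = [
    "Mar 10 09:15:01 fw01 %ASA-6-302013: Built inbound TCP connection 4101 for outside:192.168.208.63/51234 to inside:10.1.1.5/22",
    "Mar 10 09:15:02 fw01 %ASA-4-106023: Deny tcp src outside:172.16.4.9/4444 dst inside:10.1.1.5/445 by access-group outside_in",
    "Mar 10 09:15:03 fw01 %ASA-6-302014: Teardown TCP connection 4101 for outside:192.168.208.63/51234 to inside:10.1.1.5/22 duration 0:00:02",
    "Mar 10 09:15:04 fw01 %ASA-6-302013: Built inbound TCP connection 4102 for outside:192.168.208.63/51240 to inside:10.1.1.7/3389",
    "Mar 10 09:15:05 fw01 %ASA-4-106023: Deny udp src outside:172.16.4.9/53 dst inside:10.1.1.7/53 by access-group outside_in",
    "Mar 10 09:15:06 fw01 %ASA-5-111008: User 'admin' executed the 'show version' command, image 9.12.4.999",
]

# The same pattern the post passes to Select-String.
IP_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def grep(lines, needle):
    """Equivalent of `Select-String <needle> file | select line`: lines containing the literal text."""
    return [line for line in lines if needle in line]


def extract_ips(lines, validate=True):
    """Every IPv4-looking match across all lines, in order of appearance.

    The regex alone also accepts dotted numbers whose octets exceed 255 (the
    version string in the last sample line), so by default each match is
    checked with ipaddress before it is kept."""
    found = []
    for line in lines:
        for match in IP_PATTERN.findall(line):
            if validate:
                try:
                    ipaddress.IPv4Address(match)
                except ipaddress.AddressValueError:
                    continue  # not a real address; drop it
            found.append(match)
    return found


def unique_ips(lines):
    """Equivalent of `... | select -ExpandProperty value | Sort-Object -Unique`."""
    return sorted(set(extract_ips(lines)))


def top_talkers(lines):
    """Equivalent of `... | group value | sort count -des`: (ip, count) pairs, busiest first."""
    counts = Counter(extract_ips(lines))
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    host = "192.168.208.63"
    print(f"lines mentioning {host}: {len(grep(LOG_LINES, host))}")
    print(f"unique addresses: {len(unique_ips(LOG_LINES))}")
    for ip, count in top_talkers(LOG_LINES):
        print(f"{count:>3}  {ip}")
```

Replace LOG_LINES with `open(path).read().splitlines()` to run it over a real file; the validation step is the only behavioural difference from the PowerShell version, and you can pass `validate=False` to reproduce its raw counts exactly.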


There are very interesting things that you can do with PowerShell; I invite you to keep researching this.



Low level of interaction honeypots

Honeypots can be categorized according to their level of interaction with the attacker into three main categories: low interaction, medium interaction, and high interaction. I will discuss low interaction honeypots in this article.

When using this type of honeypot, it is not possible to collect a significant amount of data from the system; other honeypot types collect much more. The advantages of this type of honeypot are summarized in the following points:

  • They have very limited interaction with the attacker. This means no high risk can arise from an attacker dealing with this type of honeypot: there is no real operating system behind the emulated services for the attacker to interact with.
  • The main use of this type of honeypot is that any traffic coming into the network can be easily identified and captured. New viruses and worms can be identified by such honeypots as well.
  • Getting this type of honeypot configured and installed in the network is a simple task. Understanding and operating it from the organization’s perspective is equally easy.
  • The most used honeypot in this category is Honeyd, considered a vital tool among low interaction honeypots. The latest and most stable version is 1.5c, which was released back in 2007. I will talk about Honeyd in more detail, including how to use it in practice and modern approaches to it, in another article to be published soon. So stay tuned! 😊

In a nutshell, with this type of honeypot only one or more simple services are made available for the attacker to interact with. All communication attempts with a particular function such as a web or SSH server are logged and investigated afterwards. These honeypots are essentially simple daemons that let a network administrator monitor attack attempts on the system in a passive manner. The host operating system in this case is free of any vulnerabilities that could be exploited by an attacker through the honeypot, which makes this kind of honeypot safe from the organization's point of view. On the other hand, this type of honeypot cannot be used to simulate a complex environment where interaction is a must, such as a Simple Mail Transfer Protocol (SMTP) server.

Security risks of using the low level of interaction honeypots?


When dealing with low interaction honeypots like Honeyd, there are some security risks. These risks mainly lie in the fact that it is straightforward to find out that a Honeyd is a trap. A Honeyd is easy to detect even when we configure it with our own settings. The reason is that Honeyd drops connections once it can no longer handle them; even when the SYN packet is not well formed, the connection simply gets terminated.

This information can help an attacker find out that the targeted system is not a real one but a honeypot. When an attacker examines the system's connections, he will be able to discover that he fell into a trap rather than a real system. Dropped connections are easily detected by the monitoring tools an attacker uses, and these dropped connections give away the fakeness of such honeypot systems.

Low interaction honeypots have their services emulated rather than provided by a real operating system, so they are not real services. This fundamental fact is valuable to an attacker who wants to draw conclusions about whether a host is fake. Complicated functions cannot be handled by such low interaction honeypots either. Hence, telling the honeypot apart from a real system becomes easy: all an attacker needs to do is look for this kind of information across the network, because in the case of low interaction honeypots it is only the emulated network stack that he is dealing with.

Another major problem of low interaction honeypots is that they depend on the resources of the system they are deployed on. Taking those resources away produces a very noticeable symptom: latency. This can be checked with a ping test, where the response arrives much later than it did before the system's resources were removed; the system will hardly reply to our ping at all. This can indicate that the attacker is dealing with a Honeyd or Nepenthes. We can use these same approaches ourselves to check how detectable the honeypot we just deployed is.

Leaving the deployed low interaction honeypot open for several days in a row is also a good way to reach some important conclusions. The requests received by our honeypot should be handled carefully, so that the responses from our system are believable and make sense to the attacker; the responses should, as far as possible, convince the attacker that it is a real running system. Nevertheless, with low interaction honeypots the "SSH server" is up and listening while nothing is sent back when talking to port 22. This trivially indicates that the system is not a real one, because its responses are not appropriate, and a honeypot that is recognised that easily does not serve its purpose.
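To make the two points above concrete (a low interaction honeypot is a simple daemon that emulates one service and logs every contact, and it is given away when the emulated service answers nothing on its port), here is an added example of a minimal SSH-style listener. It is not Honeyd, Nepenthes, or code from this article: the listening port 2222, the banner string and the JSON-lines log format are assumptions of the example. The daemon sends a plausible identification string first, the way a real SSH server would, records whatever the client sends, and closes; it never parses or acts on the client's input, which is what keeps the interaction low-risk.

```python
import json
import socket
from datetime import datetime, timezone

# Assumed values for this example: a real deployment would pick its own.
BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"   # SSH identification string (RFC 4253 format)
LISTEN_PORT = 2222
LOG_PATH = "honeypot.jsonl"


def build_log_entry(peer, data, now=None):
    """Turn one connection into a log record.

    peer: (ip, port) tuple as returned by accept()
    data: bytes the client sent before we closed (may be empty)
    Every contact is logged, including silent scanners that send nothing."""
    when = now or datetime.now(timezone.utc)
    first_line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return {
        "time": when.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": "ssh-emulated",
        "bytes_received": len(data),
        "client_banner": first_line,
        # A real SSH client identifies itself with "SSH-" first; anything else
        # is a port scan, a mis-pointed tool or a probe of some other protocol.
        "client_speaks_ssh": data.startswith(b"SSH-"),
    }


def serve(host="127.0.0.1", port=LISTEN_PORT, log_path=LOG_PATH, max_connections=None):
    """Accept connections one at a time: send the banner, read at most one
    buffer from the client, write the log entry, close. max_connections
    limits the loop (handy for testing); None means run until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, open(log_path, "a") as log:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        served = 0
        while max_connections is None or served < max_connections:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(3.0)  # do not let a silent client hold the daemon
                data = b""
                try:
                    conn.sendall(BANNER)        # answer first, as a real server does
                    data = conn.recv(1024)      # capture the client's banner, if any
                except (socket.timeout, OSError):
                    pass                        # still log the contact below
                entry = build_log_entry(peer, data)
                log.write(json.dumps(entry) + "\n")
                log.flush()
            served += 1
        return served


if __name__ == "__main__":
    print(f"listening on 127.0.0.1:{LISTEN_PORT}, logging to {LOG_PATH}")
    serve()
```

Binding to 127.0.0.1 keeps the demo local; a deployment would bind the honeypot's own address and, if it wants to answer on port 22 itself, run with the privilege to bind that port or redirect it with a firewall rule. The log is one JSON object per line so it can be fed straight into the kind of grouping and counting shown in the log-analysis post above.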

Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf
