diff --git a/IntroClassFiles/Tools/IntroClass/HoneyBadger.md b/IntroClassFiles/Tools/IntroClass/HoneyBadger.md index 187cc1b0..1a99a805 100644 --- a/IntroClassFiles/Tools/IntroClass/HoneyBadger.md +++ b/IntroClassFiles/Tools/IntroClass/HoneyBadger.md @@ -35,12 +35,12 @@ Usage In order to use the latest version of HoneyBadger, Python 3 must be installed, as well as python3-pip. These should both be installed on the ADHD image. Install HoneyBadger's required packages with the following command: +`cd /opt/honeybadger/server` `pip3 install -r requirements.txt` NOTE: Only run the database initialization step if the database isn't already initialized. Next, initialize the database. To do so, navigate to the directory that contains the HoneyBadger files and run the Python interpreter: -`cd /opt/honeybadger/server` `python3` From the python interpreter, run the following: @@ -49,6 +49,7 @@ From the python interpreter, run the following: honeybadger.initdb('adhd', 'adhd') Quit the Python interpreter. +`quit()` Finally, from the same directory, run the HoneyBadger server: `python3 honeybadger.py -ik -gk ` diff --git a/IntroClassFiles/Tools/IntroClass/Portspoof.md b/IntroClassFiles/Tools/IntroClass/Portspoof.md index ecbcb717..d6f7cb2b 100644 --- a/IntroClassFiles/Tools/IntroClass/Portspoof.md +++ b/IntroClassFiles/Tools/IntroClass/Portspoof.md @@ -85,7 +85,7 @@ If you were to scan using Nmap from another machine now you would see something Note: You *must* run Nmap from a different machine. Scanning from the same machine will not reach Portspoof. -`~#` **`nmap -p 1-20 172.16.215.138`** +`~C:\>` **`nmap -p 1-10 `** Starting Nmap 6.47 ( http://nmap.org ) Nmap scan report for 172.16.215.138 
@@ -101,22 +101,13 @@ Note: You *must* run Nmap from a different machine. Scanning from the same machi 8/tcp open unknown 9/tcp open discard 10/tcp open unknown - 11/tcp open systat - 12/tcp open unknown - 13/tcp open daytime - 14/tcp open unknown - 15/tcp open netstat - 16/tcp open unknown - 17/tcp open qotd - 18/tcp open unknown - 19/tcp open chargen - 20/tcp open ftp-data + All ports are reported as open! When run this way, Nmap reports the service that typically runs on each port. To get more accurate results, an attacker might run an Nmap service scan, which would actively try to detect the services running. But performing an Nmap service detection scan shows that something is amiss because all ports are reported as running the same type of service. -`~#` **`nmap -p 1-20 -sV 172.16.215.138`** +`~C:\>` **`nmap -p 1-10 -sV `** Starting Nmap 6.47 ( http://nmap.org ) Nmap scan report for 172.16.215.138 @@ -132,16 +123,7 @@ To get more accurate results, an attacker might run an Nmap service scan, which 8/tcp open tcpwrapped 9/tcp open tcpwrapped 10/tcp open tcpwrapped - 11/tcp open tcpwrapped - 12/tcp open tcpwrapped - 13/tcp open tcpwrapped - 14/tcp open tcpwrapped - 15/tcp open tcpwrapped - 16/tcp open tcpwrapped - 17/tcp open tcpwrapped - 18/tcp open tcpwrapped - 19/tcp open tcpwrapped - 20/tcp open tcpwrapped + Example 2: Spoofing Service Signatures -------------------------------------- 
@@ -154,114 +136,28 @@ This mode will generate and feed port scanners like Nmap bogus service signature Now running an Nmap service detection scan against the top 100 most common ports (a common hacker activity) will turn up some very interesting results. -`~#` **`nmap -F -sV 172.16.215.138`** +`~C:\>` **`nmap -p 1-10 -sV 172.16.215.138`** Starting Nmap 6.47 ( http://nmap.org ) Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 90.00% done; ETC: 01:11 (0:00:05 remaining) Nmap scan report for 172.16.215.138 Host is up (0.21s latency). - PORT STATE SERVICE VERSION - 7/tcp open http Milestone XProtect video surveillance http interface (tu-ka) - 9/tcp open ntop-http Ntop web interface 1ey (Q) - 13/tcp open ftp VxWorks ftpd 6.a - 21/tcp open http Grandstream VoIP phone http config 6193206 - 22/tcp open http Cherokee httpd X - 23/tcp open ftp MacOS X Server ftpd (MacOS X Server 790751705) - 25/tcp open smtp? - 26/tcp open http ZNC IRC bouncer http config 0.097 or later - 37/tcp open finger NetBSD fingerd - 53/tcp open ftp Rumpus ftpd - 79/tcp open http Web e (Netscreen administrative web server) - 80/tcp open http BitTornado tracker dgpX - 81/tcp open hosts2-ns? - 88/tcp open http 3Com OfficeConnect Firewall http config - 106/tcp open pop3pw? - 110/tcp open ipp Virata-EmWeb nbF (HP Laserjet 4200 TN http config) - 111/tcp open imap Dovecot imapd - 113/tcp open smtp Xserve smtpd - 119/tcp open nntp? - 135/tcp open http netTALK Duo http config - 139/tcp open http Oversee Turing httpd kC (domain parking) - 143/tcp open crestron-control TiVo DVR Crestron control server - 144/tcp open http Ares Galaxy P2P httpd 7942927 - 179/tcp open http WMI ViH (3Com 5500G-EI switch http config) - 199/tcp open smux? - 389/tcp open http-proxy ziproxy http proxy - 427/tcp open vnc (protocol 3) - 443/tcp open https? - 444/tcp open snpp? 
- 445/tcp open http Pogoplug HBHTTP QpwKdZQ - 465/tcp open http Gordian httpd 322410 (IQinVision IQeye3 webcam rtspd) - 513/tcp open login? - 514/tcp open finger ffingerd - 515/tcp open pop3 Eudora Internet Mail Server X pop3d 4918451 - 543/tcp open ftp Dell Laser Printer z printer ftpd k - 544/tcp open ftp Solaris ftpd - 548/tcp open http Medusa httpd Elhmq (Sophos Anti-Virus Home http config) - 554/tcp open rtsp? - 587/tcp open http-proxy Pound http proxy - 631/tcp open efi-webtools EFI Fiery WebTools communication - 646/tcp open ldp? - 873/tcp open rsync? - 990/tcp open http OpenWrt uHTTPd - 993/tcp open ftp Konica Minolta bizhub printer ftpd - 995/tcp open pop3s? - 1025/tcp open sip-proxy Comdasys SIP Server D - 1026/tcp open LSA-or-nterm? - 1027/tcp open IIS? - 1028/tcp open rfidquery Mercury3 RFID Query protocol - 1029/tcp open smtp-proxy ESET NOD32 anti-virus smtp proxy - 1110/tcp open http qhttpd - 1433/tcp open http ControlByWeb WebRelay-Quad http admin - 1720/tcp open H.323/Q.931? - 1723/tcp open pptp? - 1755/tcp open http Siemens Simatic HMI MiniWeb httpd - 1900/tcp open tunnelvision Tunnel Vision VPN info 69853 - 2000/tcp open telnet Patton SmartNode 4638 VoIP adapter telnetd - 2001/tcp open dc? - 2049/tcp open nfs? - 2121/tcp open http Bosch Divar Security Systems http config - 2717/tcp open rtsp Darwin Streaming Server 104621400 - 3000/tcp open pop3 Solid pop3d - 3128/tcp open irc-proxy muh irc proxy - 3306/tcp open ident KVIrc fake identd - 3389/tcp open ms-wbt-server? - 3986/tcp open mapper-ws_ethd? - 4899/tcp open printer QMC DeskLaser printer (Status o) - 5000/tcp open http D-Link DSL-eTjM http config - 5009/tcp open airport-admin? - 5051/tcp open ssh (protocol 325257) - 5060/tcp open http apt-cache/apt-proxy httpd - 5101/tcp open ftp OKI BVdqeC-ykAA VoIP adapter ftpd kHttKI - 5190/tcp open http Conexant-EmWeb JqlM (Intertex IX68 WAP http config; SIPGT TyXT) - 5357/tcp open wsdapi? - 5432/tcp open postgresql? 
- 5631/tcp open irc ircu ircd - 5666/tcp open litecoin-jsonrpc Litecoin JSON-RPC f_ - 5800/tcp open smtp Lotus Domino smtpd rT Beta y - 5900/tcp open ftp - 6000/tcp open http httpd.js (Songbird WebRemote) - 6001/tcp open daap mt-daapd DAAP TGeiZA - 6646/tcp open unknown - 7070/tcp open athinfod Athena athinfod - 8000/tcp open amanda Amanda backup system index server (broken: libsunmath.so.1 not found) - 8008/tcp open http? - 8009/tcp open ajp13? - 8080/tcp open http D-Link DGL-4300 WAP http config - 8081/tcp open http fec ysp (Funkwerk bintec R232B router; .h.K...z) - 8443/tcp open smtp - 8888/tcp open smtp OpenVMS smtpd uwcDNI (OpenVMS RVqcGIr; Alpha) - 9100/tcp open jetdirect? - 9999/tcp open http Embedded HTTPD 3BOzejtHW (Netgear MRd WAP http config; j) - 10000/tcp open http MikroTik router http config (RouterOS 0982808) - 32768/tcp open filenet-tms? - 49152/tcp open unknown - 49153/tcp open http ASSP Anti-Spam Proxy httpd XLgR(?)? - 49154/tcp open http Samsung AllShare httpd - 49155/tcp open ftp Synology DiskStation NAS ftpd - 49156/tcp open aspi ASPI server 837305 - 49157/tcp open sip AVM FRITZ!Box | + PORT STATE SERVICE VERSION + 1/tcp open tcpmux? + 2/tcp open compressnet? + 3/tcp open compressnet? + 4/tcp open pioneers-meta Pioneers game meta server 9 + 5/tcp open rje? + 6/tcp open g15daemon g15daemon (Logitech G15 keyboard control) + 7/tcp open echo? + 8/tcp open unknown + 9/tcp open nagios-nsca Nagios NSCA + 10/tcp open unknown + 7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-b in/submit.cgi?new-service : + ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== + SF-Port1-TCP:V=7.91%I=7%D=3/14%Time=604E7AC1%P=i686-pc-windows-windows%r(N + SF:ULL,6D,"HTTP/1\.0\x20400\x20Invalid\x20Request\r\nContent-Type:\x20text Notice how all of the ports are still reported as open, but now Nmap reports a unique service on each port. 
This will either 1) lead an attacker down a rabbit hole investigating each port while wasting their time, or 2) the attacker may discard the results as false positives and ignore this machine altogether, leaving any legitimate service running untouched. diff --git a/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md b/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md index 56388190..e645fad5 100644 --- a/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md +++ b/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md @@ -23,7 +23,7 @@ Then select Create Token.     -When you get the next screen, select Download your MS Word File  +When you get the next screen, select Download your MS Word File.      @@ -55,7 +55,7 @@ Now, let's play with the site cloner:     -Please select New Token in the upper right corner  +Please select New Token in the upper right corner.    @@ -83,7 +83,7 @@ Now, select Create my Canarytoken.     -Now we will need to copy the JavaScript and put it somewhere so it triggers:  +Now we will need to copy the JavaScript and put it somewhere so it triggers:    @@ -91,7 +91,7 @@ Now we will need to copy the JavaScript and put it somewhere so it triggers:     -Now, lest surf to https://scriptasylum.com/tutorials/encode-decode.html  +Now, let's surf to https://scriptasylum.com/tutorials/encode-decode.html     diff --git a/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md b/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md index df023432..5f4ec497 100644 --- a/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md +++ b/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md @@ -84,7 +84,7 @@ It should look like this:     -Next, lets open a Windows Command Prompt:  +Next, let's open a Windows Command Prompt:     diff --git a/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md b/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md index f7d7b592..8b21a44f 100644 
--- a/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md +++ b/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md @@ -117,16 +117,11 @@ When Create Custom View opens, please select XML:  Then, select Edit query Manually, Press Yes on the Alert Box and then replace the text in the query with the text below:  ~~~~~~  - -  - -    - -    * [EventData[Data[@Name='TargetUserName']='Frank']] + + ~~~~~~  diff --git a/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md b/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md index 4578e050..50897e14 100644 --- a/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md +++ b/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md @@ -24,7 +24,7 @@ Next, open an Ubuntu Prompt by clicking the down carrot in the terminal and sele    -Next, let navigate to the directory where the pcap file is stored.  +Next, let's navigate to the directory where the pcap file is stored.     
@@ -76,8 +76,7 @@ Press `q` to close the tcpdump session.     -One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a compromised target and two is because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.   - +One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a compromised target and. Secondly, because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.    In the capture, the SYN packets are roughly 30 seconds apart for the beacon traffic.   diff --git a/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md b/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md index 5dce02db..9e99ab8f 100644 --- a/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md +++ b/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md @@ -44,7 +44,7 @@ Next, change directories to the /opt/owa-honeyport directory: -Now, lets start the honeypot: +Now, let's start the honeypot: 
@@ -156,7 +156,7 @@ It should look like this: -After a while, oyu should see some attack strings in your Logs. +After a while, you should see some attack strings in your Logs.
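Review bot: In HoneyBadger.md, hunk `@@ -35,12 +35,12 @@`, moving `cd /opt/honeybadger/server` up to precede `pip3 install -r requirements.txt` is correct (the requirements file lives there), but the sentence left behind in the database step, "navigate to the directory that contains the HoneyBadger files and run the Python interpreter:", now has no `cd` under it and reads as if a command went missing. Either reword it to "From the same directory, run the Python interpreter:" (the wording the server step already uses) or keep a second `cd` so each step still works when a reader jumps straight to it. Separately, `pip3 install -r requirements.txt` as shown installs into the system site-packages; `pip3 install --user -r requirements.txt` or a virtualenv would avoid altering the distro's Python packages on the ADHD image.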
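Review bot: In HoneyBadger.md, hunk `@@ -49,6 +49,7 @@`, the added `quit()` closes a real gap, since `honeybadger.initdb('adhd', 'adhd')` otherwise leaves the reader inside the interpreter with no way out stated. One thing to check in the unchanged context just below: `python3 honeybadger.py -ik -gk ` shows nothing after `-ik` and `-gk`. If those were angle-bracket placeholders in the Markdown source they are being dropped as HTML tags when rendered; spell them out as something that survives rendering (for example `IPINFO_KEY` and `GOOGLE_KEY`) so the reader can see that both options take a value.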
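Review bot: In Portspoof.md, hunk `@@ -85,7 +85,7 @@`, the new command `nmap -p 1-10 ` has lost its target. The old line ended in `172.16.215.138`, and the unchanged output two lines down still says `Nmap scan report for 172.16.215.138`, so the command as written cannot have produced the output shown. If a placeholder such as a bracketed target address was intended, it has been stripped; write it as a literal that survives Markdown, e.g. `nmap -p 1-10 TARGET_IP`, or restore the address. The prompt `~C:\>` also mixes the old `~` shell prompt with a Windows `C:\>` prompt; pick one (`C:\>` if the scan is now run from a Windows host, which the `i686-pc-windows-windows` fingerprint later in the file suggests). The note directly above, "You *must* run Nmap from a different machine", still applies and should stay next to the new prompt.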
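Review bot: In Portspoof.md, hunk `@@ -101,22 +101,13 @@`, trimming ports 11-20 from the listing correctly matches the new `-p 1-10` range, but the ten removed rows are replaced by a bare `+` line carrying nothing; drop it unless a blank separator is wanted before "All ports are reported as open!". The second command in the same hunk, `nmap -p 1-10 -sV `, has the same missing target as the first hunk while the next context lines still report on `172.16.215.138`; apply the same fix to both so the command and its output agree.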
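Review bot: In Portspoof.md, hunk `@@ -132,16 +123,7 @@`, the removed `tcpwrapped` rows for ports 11-20 are again replaced by an empty `+` line, this time immediately before the "Example 2: Spoofing Service Signatures" setext heading. A setext heading needs only one blank line above it, so check the rendered page does not get a double gap there; otherwise this trim is consistent with the `-p 1-10` change above.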
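Review bot: In Portspoof.md, hunk `@@ -154,114 +136,28 @@`, the command changes from `nmap -F -sV 172.16.215.138` to `nmap -p 1-10 -sV 172.16.215.138`, but the unchanged sentence introducing it still says the scan is "against the top 100 most common ports (a common hacker activity)". `-F` is what selects the top 100 ports; `-p 1-10` scans exactly ten, so either update the prose to "ports 1-10" or keep the `-F` scan. The new output has three further inconsistencies. First, the kept header lines `Starting Nmap 6.47`, `Stats: 0:00:49 elapsed` and `Service scan Timing: About 90.00% done` come from the old run, while the pasted fingerprint says `V=7.91` and `P=i686-pc-windows-windows`, so the listing is stitched from two runs on two Nmap versions; paste one complete run. Second, the closing sentence "now Nmap reports a unique service on each port" no longer describes the output: only ports 4, 6 and 9 received a spoofed signature, ports 1, 2, 3, 5 and 7 show `?`, and 8 and 10 show `unknown`, so either capture a run where Portspoof's signature mode answered every port or reword to say that several ports now report different bogus services. Third, the fingerprint block is cut mid-line (`SF:ULL,6D,"HTTP/1\.0\x20400\x20Invalid\x20Request`) and the submit URL contains a space in `cgi-b in/submit.cgi`; either include the full `SF-Port1-TCP` block or stop the excerpt at the `7 services unrecognized` line, and fix the URL. It is also odd that this hunk keeps the literal `172.16.215.138` in the command while the two earlier Portspoof hunks removed it; the three examples should be consistent.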
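Review bot: In Canarytokens.md, hunk `@@ -83,7 +83,7 @@`, the `-`/`+` pair for "Now we will need to copy the JavaScript and put it somewhere so it triggers:" is identical apart from trailing whitespace, so unlike the other three Canarytokens hunks (which add a period or fix "lest" to "let's") this one changes nothing visible. If a punctuation fix was intended it was not applied; if it is whitespace cleanup, note that this file's line breaks rely on the two-space Markdown hard-break convention, so stripping trailing spaces here will join this line to the next in the rendered page.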
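Review bot: In honeyuser.md, hunk `@@ -117,16 +117,11 @@`, the removed block visibly contained the filter `* [EventData[Data[@Name='TargetUserName']='Frank']]`, but the two added lines render as empty here, most likely because the new query's XML elements were swallowed as HTML tags. Before merging, confirm that the replacement query still selects on `TargetUserName='Frank'` and that it sits inside the `~~~~~~` fenced block (the fence is what keeps the angle brackets literal in the rendered page); as the hunk reads now it deletes the only visible filter and adds nothing in its place, which would leave the custom view matching every event or nothing at all.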
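Review bot: In AdvancedC2PCAPAnalysis.md, hunk `@@ -76,8 +76,7 @@`, the rewrite introduces a grammatical error: "...waiting for a command shell on a compromised target and. Secondly, because long-term established sessions..." leaves a dangling "and." before the full stop. The original "One is because ... and two is because ..." was at least parallel; either restore it or finish the split cleanly, e.g. "First, the attacker might not be at a system waiting for a command shell on a compromised target. Second, long-term established sessions tend to attract attention." The hunk also deletes the blank line between this paragraph and "In the capture, the SYN packets are roughly 30 seconds apart", which will merge the two paragraphs in rendered Markdown unless the trailing-space hard break is present; keep the blank line.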