From 58677190958ce780ce060db3a5ae0858d608e09b Mon Sep 17 00:00:00 2001 From: 2smithereens Date: Sun, 14 Mar 2021 03:15:46 +0000 Subject: [PATCH 01/11] Update webhoneypot.md spelling correction. --- IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md b/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md index 5dce02db..1a0cf948 100644 --- a/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md +++ b/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md @@ -92,7 +92,7 @@ Then, navigate to the owa-honeypot directory. -Now, lets tail the dumppass log. +Now, lets tail the dumpass log. From d7786f34fc7b5df7e502aad9b85f72085a164ae8 Mon Sep 17 00:00:00 2001 From: John Strand Date: Sun, 14 Mar 2021 15:05:09 -0600 Subject: [PATCH 02/11] Update Portspoof.md --- IntroClassFiles/Tools/IntroClass/Portspoof.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/IntroClassFiles/Tools/IntroClass/Portspoof.md b/IntroClassFiles/Tools/IntroClass/Portspoof.md index ecbcb717..df3ec269 100644 --- a/IntroClassFiles/Tools/IntroClass/Portspoof.md +++ b/IntroClassFiles/Tools/IntroClass/Portspoof.md @@ -85,7 +85,7 @@ If you were to scan using Nmap from another machine now you would see something Note: You *must* run Nmap from a different machine. Scanning from the same machine will not reach Portspoof. -`~#` **`nmap -p 1-20 172.16.215.138`** +`~C:\>` **`nmap -p 1-10 `** Starting Nmap 6.47 ( http://nmap.org ) Nmap scan report for 172.16.215.138 
@@ -116,7 +116,7 @@ All ports are reported as open! When run this way, Nmap reports the service that To get more accurate results, an attacker might run an Nmap service scan, which would actively try to detect the services running. But performing an Nmap service detection scan shows that something is amiss because all ports are reported as running the same type of service. -`~#` **`nmap -p 1-20 -sV 172.16.215.138`** +`~C:\>` **`nmap -p 1-10 -sV `** Starting Nmap 6.47 ( http://nmap.org ) Nmap scan report for 172.16.215.138 @@ -154,7 +154,7 @@ This mode will generate and feed port scanners like Nmap bogus service signature Now running an Nmap service detection scan against the top 100 most common ports (a common hacker activity) will turn up some very interesting results. -`~#` **`nmap -F -sV 172.16.215.138`** +`~C:\>` **`nmap -p 1-10 -sV 172.16.215.138`** Starting Nmap 6.47 ( http://nmap.org ) Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan From c4dbe8f4756a1af6411025f8bb97a69c001470a6 Mon Sep 17 00:00:00 2001 From: John Strand Date: Sun, 14 Mar 2021 15:07:54 -0600 Subject: [PATCH 03/11] Update Portspoof.md --- IntroClassFiles/Tools/IntroClass/Portspoof.md | 138 +++--------------- 1 file changed, 17 insertions(+), 121 deletions(-) diff --git a/IntroClassFiles/Tools/IntroClass/Portspoof.md b/IntroClassFiles/Tools/IntroClass/Portspoof.md index df3ec269..d6f7cb2b 100644 --- a/IntroClassFiles/Tools/IntroClass/Portspoof.md +++ b/IntroClassFiles/Tools/IntroClass/Portspoof.md 
@@ -101,16 +101,7 @@ Note: You *must* run Nmap from a different machine. Scanning from the same machi 8/tcp open unknown 9/tcp open discard 10/tcp open unknown - 11/tcp open systat - 12/tcp open unknown - 13/tcp open daytime - 14/tcp open unknown - 15/tcp open netstat - 16/tcp open unknown - 17/tcp open qotd - 18/tcp open unknown - 19/tcp open chargen - 20/tcp open ftp-data + All ports are reported as open! When run this way, Nmap reports the service that typically runs on each port. @@ -132,16 +123,7 @@ To get more accurate results, an attacker might run an Nmap service scan, which 8/tcp open tcpwrapped 9/tcp open tcpwrapped 10/tcp open tcpwrapped - 11/tcp open tcpwrapped - 12/tcp open tcpwrapped - 13/tcp open tcpwrapped - 14/tcp open tcpwrapped - 15/tcp open tcpwrapped - 16/tcp open tcpwrapped - 17/tcp open tcpwrapped - 18/tcp open tcpwrapped - 19/tcp open tcpwrapped - 20/tcp open tcpwrapped + Example 2: Spoofing Service Signatures -------------------------------------- 
@@ -161,107 +143,21 @@ Now running an Nmap service detection scan against the top 100 most common ports Service scan Timing: About 90.00% done; ETC: 01:11 (0:00:05 remaining) Nmap scan report for 172.16.215.138 Host is up (0.21s latency). - PORT STATE SERVICE VERSION - 7/tcp open http Milestone XProtect video surveillance http interface (tu-ka) - 9/tcp open ntop-http Ntop web interface 1ey (Q) - 13/tcp open ftp VxWorks ftpd 6.a - 21/tcp open http Grandstream VoIP phone http config 6193206 - 22/tcp open http Cherokee httpd X - 23/tcp open ftp MacOS X Server ftpd (MacOS X Server 790751705) - 25/tcp open smtp? - 26/tcp open http ZNC IRC bouncer http config 0.097 or later - 37/tcp open finger NetBSD fingerd - 53/tcp open ftp Rumpus ftpd - 79/tcp open http Web e (Netscreen administrative web server) - 80/tcp open http BitTornado tracker dgpX - 81/tcp open hosts2-ns? - 88/tcp open http 3Com OfficeConnect Firewall http config - 106/tcp open pop3pw? - 110/tcp open ipp Virata-EmWeb nbF (HP Laserjet 4200 TN http config) - 111/tcp open imap Dovecot imapd - 113/tcp open smtp Xserve smtpd - 119/tcp open nntp? - 135/tcp open http netTALK Duo http config - 139/tcp open http Oversee Turing httpd kC (domain parking) - 143/tcp open crestron-control TiVo DVR Crestron control server - 144/tcp open http Ares Galaxy P2P httpd 7942927 - 179/tcp open http WMI ViH (3Com 5500G-EI switch http config) - 199/tcp open smux? - 389/tcp open http-proxy ziproxy http proxy - 427/tcp open vnc (protocol 3) - 443/tcp open https? - 444/tcp open snpp? - 445/tcp open http Pogoplug HBHTTP QpwKdZQ - 465/tcp open http Gordian httpd 322410 (IQinVision IQeye3 webcam rtspd) - 513/tcp open login? - 514/tcp open finger ffingerd - 515/tcp open pop3 Eudora Internet Mail Server X pop3d 4918451 - 543/tcp open ftp Dell Laser Printer z printer ftpd k - 544/tcp open ftp Solaris ftpd - 548/tcp open http Medusa httpd Elhmq (Sophos Anti-Virus Home http config) - 554/tcp open rtsp? 
- 587/tcp open http-proxy Pound http proxy - 631/tcp open efi-webtools EFI Fiery WebTools communication - 646/tcp open ldp? - 873/tcp open rsync? - 990/tcp open http OpenWrt uHTTPd - 993/tcp open ftp Konica Minolta bizhub printer ftpd - 995/tcp open pop3s? - 1025/tcp open sip-proxy Comdasys SIP Server D - 1026/tcp open LSA-or-nterm? - 1027/tcp open IIS? - 1028/tcp open rfidquery Mercury3 RFID Query protocol - 1029/tcp open smtp-proxy ESET NOD32 anti-virus smtp proxy - 1110/tcp open http qhttpd - 1433/tcp open http ControlByWeb WebRelay-Quad http admin - 1720/tcp open H.323/Q.931? - 1723/tcp open pptp? - 1755/tcp open http Siemens Simatic HMI MiniWeb httpd - 1900/tcp open tunnelvision Tunnel Vision VPN info 69853 - 2000/tcp open telnet Patton SmartNode 4638 VoIP adapter telnetd - 2001/tcp open dc? - 2049/tcp open nfs? - 2121/tcp open http Bosch Divar Security Systems http config - 2717/tcp open rtsp Darwin Streaming Server 104621400 - 3000/tcp open pop3 Solid pop3d - 3128/tcp open irc-proxy muh irc proxy - 3306/tcp open ident KVIrc fake identd - 3389/tcp open ms-wbt-server? - 3986/tcp open mapper-ws_ethd? - 4899/tcp open printer QMC DeskLaser printer (Status o) - 5000/tcp open http D-Link DSL-eTjM http config - 5009/tcp open airport-admin? - 5051/tcp open ssh (protocol 325257) - 5060/tcp open http apt-cache/apt-proxy httpd - 5101/tcp open ftp OKI BVdqeC-ykAA VoIP adapter ftpd kHttKI - 5190/tcp open http Conexant-EmWeb JqlM (Intertex IX68 WAP http config; SIPGT TyXT) - 5357/tcp open wsdapi? - 5432/tcp open postgresql? - 5631/tcp open irc ircu ircd - 5666/tcp open litecoin-jsonrpc Litecoin JSON-RPC f_ - 5800/tcp open smtp Lotus Domino smtpd rT Beta y - 5900/tcp open ftp - 6000/tcp open http httpd.js (Songbird WebRemote) - 6001/tcp open daap mt-daapd DAAP TGeiZA - 6646/tcp open unknown - 7070/tcp open athinfod Athena athinfod - 8000/tcp open amanda Amanda backup system index server (broken: libsunmath.so.1 not found) - 8008/tcp open http? - 8009/tcp open ajp13? 
- 8080/tcp open http D-Link DGL-4300 WAP http config - 8081/tcp open http fec ysp (Funkwerk bintec R232B router; .h.K...z) - 8443/tcp open smtp - 8888/tcp open smtp OpenVMS smtpd uwcDNI (OpenVMS RVqcGIr; Alpha) - 9100/tcp open jetdirect? - 9999/tcp open http Embedded HTTPD 3BOzejtHW (Netgear MRd WAP http config; j) - 10000/tcp open http MikroTik router http config (RouterOS 0982808) - 32768/tcp open filenet-tms? - 49152/tcp open unknown - 49153/tcp open http ASSP Anti-Spam Proxy httpd XLgR(?)? - 49154/tcp open http Samsung AllShare httpd - 49155/tcp open ftp Synology DiskStation NAS ftpd - 49156/tcp open aspi ASPI server 837305 - 49157/tcp open sip AVM FRITZ!Box | + PORT STATE SERVICE VERSION + 1/tcp open tcpmux? + 2/tcp open compressnet? + 3/tcp open compressnet? + 4/tcp open pioneers-meta Pioneers game meta server 9 + 5/tcp open rje? + 6/tcp open g15daemon g15daemon (Logitech G15 keyboard control) + 7/tcp open echo? + 8/tcp open unknown + 9/tcp open nagios-nsca Nagios NSCA + 10/tcp open unknown + 7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-b in/submit.cgi?new-service : + ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== + SF-Port1-TCP:V=7.91%I=7%D=3/14%Time=604E7AC1%P=i686-pc-windows-windows%r(N + SF:ULL,6D,"HTTP/1\.0\x20400\x20Invalid\x20Request\r\nContent-Type:\x20text Notice how all of the ports are still reported as open, but now Nmap reports a unique service on each port. This will either 1) lead an attacker down a rabbit hole investigating each port while wasting their time, or 2) the attacker may discard the results as false positives and ignore this machine altogether, leaving any legitimate service running untouched. From e77bd82d4c672c22e28aeb104704df0ce13dd1e0 Mon Sep 17 00:00:00 2001 
From: John Strand Date: Sun, 14 Mar 2021 15:18:26 -0600 Subject: [PATCH 04/11] Update honeyuser.md --- .../Tools/IntroClass/honeyuser/honeyuser.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md b/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md index f7d7b592..8b21a44f 100644 --- a/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md +++ b/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md @@ -117,16 +117,11 @@ When Create Custom View opens, please select XML:  Then, select Edit query Manually, Press Yes on the Alert Box and then replace the text in the query with the text below:  ~~~~~~  - -  - -    - -    * [EventData[Data[@Name='TargetUserName']='Frank']] + + ~~~~~~  From 52f5108be31684b4e435a51d52f280a746164e28 Mon Sep 17 00:00:00 2001 From: John Strand Date: Mon, 15 Mar 2021 02:21:37 -0600 Subject: [PATCH 05/11] Update webhoneypot.md --- IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md b/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md index 1a0cf948..9e99ab8f 100644 --- a/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md +++ b/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md @@ -44,7 +44,7 @@ Next, change directories to the /opt/owa-honeyport directory: -Now, lets start the honeypot: +Now, let's start the honeypot: @@ -92,7 +92,7 @@ Then, navigate to the owa-honeypot directory. -Now, lets tail the dumpass log. +Now, lets tail the dumppass log. @@ -156,7 +156,7 @@ It should look like this: -After a while, oyu should see some attack strings in your Logs. +After a while, you should see some attack strings in your Logs. From 2de1145c95ca20267cd0678ba9be7e386955d92a Mon Sep 17 00:00:00 2001 
From: John Strand Date: Mon, 15 Mar 2021 02:23:37 -0600 Subject: [PATCH 06/11] Update HoneyShare.md --- IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md b/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md index df023432..5f4ec497 100644 --- a/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md +++ b/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md @@ -84,7 +84,7 @@ It should look like this:     -Next, lets open a Windows Command Prompt:  +Next, let's open a Windows Command Prompt:     From 664fea011b4254cd09e77e013b53c5a101144bc4 Mon Sep 17 00:00:00 2001 From: John Strand Date: Mon, 15 Mar 2021 02:24:41 -0600 Subject: [PATCH 07/11] Update Canarytokens.md --- IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md b/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md index 56388190..939cc949 100644 --- a/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md +++ b/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md @@ -23,7 +23,7 @@ Then select Create Token.     -When you get the next screen, select Download your MS Word File  +When you get the next screen, select Download your MS Word File.      From 8ee39e17c2102c6ad72d3e31ab5aa8ec46cd34d3 Mon Sep 17 00:00:00 2001 From: John Strand Date: Mon, 15 Mar 2021 02:26:39 -0600 Subject: [PATCH 08/11] Update Canarytokens.md --- .../Tools/IntroClass/canarytokens/Canarytokens.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md b/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md index 939cc949..e645fad5 100644 --- a/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md 
+++ b/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md @@ -55,7 +55,7 @@ Now, let's play with the site cloner:     -Please select New Token in the upper right corner  +Please select New Token in the upper right corner.    @@ -83,7 +83,7 @@ Now, select Create my Canarytoken.     -Now we will need to copy the JavaScript and put it somewhere so it triggers:  +Now we will need to copy the JavaScript and put it somewhere so it triggers:    @@ -91,7 +91,7 @@ Now we will need to copy the JavaScript and put it somewhere so it triggers:     -Now, lest surf to https://scriptasylum.com/tutorials/encode-decode.html  +Now, let's surf to https://scriptasylum.com/tutorials/encode-decode.html     From 7b1437fc96150d2800ac79053fc7a94442b60a9a Mon Sep 17 00:00:00 2001 From: John Strand Date: Mon, 15 Mar 2021 02:27:32 -0600 Subject: [PATCH 09/11] Update AdvancedC2PCAPAnalysis.md --- .../Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md b/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md index 4578e050..50897e14 100644 --- a/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md +++ b/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md @@ -24,7 +24,7 @@ Next, open an Ubuntu Prompt by clicking the down carrot in the terminal and sele    -Next, let navigate to the directory where the pcap file is stored.  +Next, let's navigate to the directory where the pcap file is stored.     
@@ -76,8 +76,7 @@ Press `q` to close the tcpdump session.     -One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a compromised target and two is because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.   - +One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a compromised target and. Secondly, because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.    In the capture, the SYN packets are roughly 30 seconds apart for the beacon traffic.   From 252bb2a66ca6a7a2c933b7d07b84b236dcebce6f Mon Sep 17 00:00:00 2001 From: John Strand Date: Mon, 15 Mar 2021 02:27:42 -0600 Subject: [PATCH 10/11] Create AdvancedC2PCAPAnalysis.md From 302ed45afeadc658230ba4a8225adb462e3478fe Mon Sep 17 00:00:00 2001 
From: 2smithereens Date: Mon, 15 Mar 2021 11:35:17 -0400 Subject: [PATCH 11/11] Update HoneyBadger.md requirements.txt is in the /opt/honeybadger/server/ folder, the cd needs to be moved up before running the pip3 or it will fail. Adding quit command to exit the python interpreter. ***NOT INCLUDED IN PULL, BUT NEEDS CLARIFICATION*** `python3 honeybadger.py -ik -gk ` on line 55 references keys that aren't included. It may be that the instructions can include documentation on where to get the keys, or just removing the flags, since they aren't directly given for the course. --- IntroClassFiles/Tools/IntroClass/HoneyBadger.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/IntroClassFiles/Tools/IntroClass/HoneyBadger.md b/IntroClassFiles/Tools/IntroClass/HoneyBadger.md index 187cc1b0..1a99a805 100644 --- a/IntroClassFiles/Tools/IntroClass/HoneyBadger.md +++ b/IntroClassFiles/Tools/IntroClass/HoneyBadger.md @@ -35,12 +35,12 @@ Usage In order to use the latest version of HoneyBadger, Python 3 must be installed, as well as python3-pip. These should both be installed on the ADHD image. Install HoneyBadger's required packages with the following command: +`cd /opt/honeybadger/server` `pip3 install -r requirements.txt` NOTE: Only run the database initialization step if the database isn't already initialized. Next, initialize the database. To do so, navigate to the directory that contains the HoneyBadger files and run the Python interpreter: -`cd /opt/honeybadger/server` `python3` From the python interpreter, run the following: @@ -49,6 +49,7 @@ From the python interpreter, run the following: honeybadger.initdb('adhd', 'adhd') Quit the Python interpreter. +`quit()` Finally, from the same directory, run the HoneyBadger server: `python3 honeybadger.py -ik -gk `
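Review bot: The "spelling correction" in PATCH 01/11 (webhoneypot.md, hunk `@@ -92,7 +92,7 @@`) turns `dumppass` into `dumpass`, and the second hunk of PATCH 05/11 on the very same line turns it back into `dumppass`, so across the series the word is unchanged and the two authors disagree about the log file's name. Check the name of the log the honeypot actually writes under the owa-honeypot directory and keep only the patch that matches it; whichever spelling wins, the line would also benefit from `let's` instead of `lets`, as the first hunk of PATCH 05/11 already does a few lines above.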
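Review bot: The target address is dropped from the command in PATCH 02/11, first hunk (Portspoof.md, `@@ -85,7 +85,7 @@`): the new line reads `nmap -p 1-10 ` with a trailing space where `172.16.215.138` used to be, while the unchanged output line below it still says "Nmap scan report for 172.16.215.138". The new prompt `~C:\>` also mixes a Unix `~` with a Windows `C:\>`. Suggested line: `C:\>` **`nmap -p 1-10 172.16.215.138`**.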
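Review bot: Same omission in PATCH 02/11, second hunk (Portspoof.md, `@@ -116,7 +116,7 @@`): `nmap -p 1-10 -sV ` has no target, although the report line that follows still names `172.16.215.138`, and the prompt has the same `~C:\>` mix. Suggested line: `C:\>` **`nmap -p 1-10 -sV 172.16.215.138`**, matching the third hunk, which does keep the address.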
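Review bot: The prose and the command now disagree in PATCH 02/11, third hunk (Portspoof.md, `@@ -154,7 +154,7 @@`): the context sentence still says the scan is run "against the top 100 most common ports (a common hacker activity)", which is what the removed `-F` did, but the new command is `nmap -p 1-10 -sV 172.16.215.138`. Either keep `-F` or rewrite the sentence to say the scan covers ports 1 through 10, otherwise the reader will expect the long port list that PATCH 03/11 deletes.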
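Review bot: The pasted output in PATCH 03/11, third hunk (Portspoof.md, `@@ -161,107 +143,21 @@`) comes from a different run than its banner: the fingerprint line reports `SF-Port1-TCP:V=7.91` while the retained header above it says "Starting Nmap 6.47", and the fingerprint block stops mid-line after `Content-Type:\x20text` with the submit URL split as `cgi-b in/submit.cgi`. Cut the transcript after the "7 services unrecognized despite returning data" line (or paste the whole fingerprint), and re-capture the banner with the same Nmap version. The closing sentence "now Nmap reports a unique service on each port" also overstates the new output, in which five ports show only a `?` guess and two show `unknown`; "a different service guess on most ports" describes what is shown.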
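Review bot: The replacement query in PATCH 04/11 (honeyuser.md, `@@ -117,16 +117,11 @@`) is blank as rendered here: the `+` lines carry no text, and the only filter expression visible in the hunk is the removed `* [EventData[Data[@Name='TargetUserName']='Frank']]`. If the angle-bracketed XML was stripped when the patch was rendered, fine, but confirm that the committed query still selects on `TargetUserName` equal to `Frank`, because that predicate is what makes the custom view fire on the honey account and nothing else; without it the view matches every event in the log.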
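Review bot: The directory name in the context line of PATCH 05/11, first hunk (webhoneypot.md, `@@ -44,7 +44,7 @@`) reads "/opt/owa-honeyport directory", while the context of the second hunk says "navigate to the owa-honeypot directory"; `honeyport` looks like a typo for `honeypot` and is worth fixing in the same spelling pass, since a reader typing the path will get "No such file or directory".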
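Review bot: The whitespace-only change in PATCH 08/11, second hunk (Canarytokens.md, `@@ -83,7 +83,7 @@`) removes the trailing spaces from "Now we will need to copy the JavaScript and put it somewhere so it triggers:". In Markdown two trailing spaces are a hard line break, so this can change how the line renders against the image that follows; confirm that is intended, or leave the line untouched so the patch carries only the punctuation fixes its subject implies.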
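Review bot: The rewritten sentence in PATCH 09/11 (AdvancedC2PCAPAnalysis.md, `@@ -76,8 +76,7 @@`) introduces a grammar break: "...waiting for a command shell on a compromised target and. Secondly, because long-term established sessions...". Suggested wording: "One is that the attacker might not be at a system waiting for a command shell on a compromised target. The second is that long-term established sessions tend to attract attention." The context line above ("clicking the down carrot in the terminal") should also read "down caret".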
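Review bot: PATCH 10/11 ("Create AdvancedC2PCAPAnalysis.md") carries no diffstat and no hunk, and PATCH 09/11 already modifies a file at `IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md`, so this is either an empty commit or a patch whose body was lost on export. Drop it from the series or re-export it with its content.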
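Review bot: Moving `cd /opt/honeybadger/server` ahead of `pip3 install -r requirements.txt` in PATCH 11/11, first hunk (HoneyBadger.md, `@@ -35,12 +35,12 @@`) fixes the ordering the commit message describes, but the sentence that follows, "navigate to the directory that contains the HoneyBadger files and run the Python interpreter", now has no `cd` under it. Reword it to "From the same directory, run the Python interpreter:", matching the "Finally, from the same directory" phrasing already used later in the file.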
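Review bot: The added `quit()` in PATCH 11/11, second hunk (HoneyBadger.md, `@@ -49,6 +49,7 @@`) is a good fix, but the final context line `python3 honeybadger.py -ik -gk ` still has empty values for `-ik` and `-gk`, which the commit message itself flags as needing clarification. Either replace them with labelled placeholders such as `-ik <KEY> -gk <KEY>` plus a sentence on where course participants obtain the keys, or remove the flags if the course does not use them. The context line `honeybadger.initdb('adhd', 'adhd')` also hard-codes the lab credentials; a short note that these are ADHD image defaults to be changed anywhere outside the lab would be worth adding while this section is being touched.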