2smithereens · 2smithereens · Mar 15, 2021 · Mar 14, 2021 · Mar 14, 2021 · Mar 14, 2021
diff --git a/IntroClassFiles/Tools/IntroClass/HoneyBadger.md b/IntroClassFiles/Tools/IntroClass/HoneyBadger.md
@@ -35,12 +35,12 @@ Usage
 In order to use the latest version of HoneyBadger, Python 3 must be installed, as well as python3-pip. These should both be installed on the ADHD image.
 
 Install HoneyBadger's required packages with the following command:
+`cd /opt/honeybadger/server`
 `pip3 install -r requirements.txt`
 
 NOTE: Only run the database initialization step if the database isn't already initialized.
 
 Next, initialize the database. To do so, navigate to the directory that contains the HoneyBadger files and run the Python interpreter:
-`cd /opt/honeybadger/server`
 `python3`
 
 From the python interpreter, run the following:
@@ -49,6 +49,7 @@ From the python interpreter, run the following:
     honeybadger.initdb('adhd', 'adhd')
 
 Quit the Python interpreter.
+`quit()`
 
 Finally, from the same directory, run the HoneyBadger server:
 `python3 honeybadger.py -ik <IPSTACK_KEY> -gk <GOOGLE_KEY>`

diff --git a/IntroClassFiles/Tools/IntroClass/Portspoof.md b/IntroClassFiles/Tools/IntroClass/Portspoof.md
@@ -85,7 +85,7 @@ If you were to scan using Nmap from another machine now you would see something
 
 Note: You *must* run Nmap from a different machine. Scanning from the same machine will not reach Portspoof.
 
-`~#` **`nmap -p 1-20 172.16.215.138`**
+`~C:\>` **`nmap -p 1-10 <YOUR LINUX IP>`**
 
         Starting Nmap 6.47 ( http://nmap.org )
         Nmap scan report for 172.16.215.138
@@ -101,22 +101,13 @@ Note: You *must* run Nmap from a different machine. Scanning from the same machi
         8/tcp  open  unknown
         9/tcp  open  discard
         10/tcp open  unknown
-        11/tcp open  systat
-        12/tcp open  unknown
-        13/tcp open  daytime
-        14/tcp open  unknown
-        15/tcp open  netstat
-        16/tcp open  unknown
-        17/tcp open  qotd
-        18/tcp open  unknown
-        19/tcp open  chargen
-        20/tcp open  ftp-data
+
 
 All ports are reported as open! When run this way, Nmap reports the service that typically runs on each port.
 
 To get more accurate results, an attacker might run an Nmap service scan, which would actively try to detect the services running. But performing an Nmap service detection scan shows that something is amiss because all ports are reported as running the same type of service.
 
-`~#` **`nmap -p 1-20 -sV 172.16.215.138`**
+`~C:\>` **`nmap -p 1-10 -sV <YOUR LINUX IP>`**
 
         Starting Nmap 6.47 ( http://nmap.org )
         Nmap scan report for 172.16.215.138
@@ -132,16 +123,7 @@ To get more accurate results, an attacker might run an Nmap service scan, which
         8/tcp  open  tcpwrapped
         9/tcp  open  tcpwrapped
         10/tcp open  tcpwrapped
-        11/tcp open  tcpwrapped
-        12/tcp open  tcpwrapped
-        13/tcp open  tcpwrapped
-        14/tcp open  tcpwrapped
-        15/tcp open  tcpwrapped
-        16/tcp open  tcpwrapped
-        17/tcp open  tcpwrapped
-        18/tcp open  tcpwrapped
-        19/tcp open  tcpwrapped
-        20/tcp open  tcpwrapped
+
 
 Example 2: Spoofing Service Signatures
 --------------------------------------
@@ -154,114 +136,28 @@ This mode will generate and feed port scanners like Nmap bogus service signature
 
 Now running an Nmap service detection scan against the top 100 most common ports (a common hacker activity) will turn up some very interesting results.
 
-`~#` **`nmap -F -sV 172.16.215.138`**
+`~C:\>` **`nmap -p 1-10 -sV 172.16.215.138`**
 
         Starting Nmap 6.47 ( http://nmap.org )
         Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
         Service scan Timing: About 90.00% done; ETC: 01:11 (0:00:05 remaining)
         Nmap scan report for 172.16.215.138
         Host is up (0.21s latency).
-        PORT      STATE SERVICE          VERSION
-        7/tcp     open  http             Milestone XProtect video surveillance http interface (tu-ka)
-        9/tcp     open  ntop-http        Ntop web interface 1ey (Q)
-        13/tcp    open  ftp              VxWorks ftpd 6.a
-        21/tcp    open  http             Grandstream VoIP phone http config 6193206
-        22/tcp    open  http             Cherokee httpd X
-        23/tcp    open  ftp              MacOS X Server ftpd (MacOS X Server 790751705)
-        25/tcp    open  smtp?
-        26/tcp    open  http             ZNC IRC bouncer http config 0.097 or later
-        37/tcp    open  finger           NetBSD fingerd
-        53/tcp    open  ftp              Rumpus ftpd
-        79/tcp    open  http             Web e (Netscreen administrative web server)
-        80/tcp    open  http             BitTornado tracker dgpX
-        81/tcp    open  hosts2-ns?
-        88/tcp    open  http             3Com OfficeConnect Firewall http config
-        106/tcp   open  pop3pw?
-        110/tcp   open  ipp              Virata-EmWeb nbF (HP Laserjet 4200 TN http config)
-        111/tcp   open  imap             Dovecot imapd
-        113/tcp   open  smtp             Xserve smtpd
-        119/tcp   open  nntp?
-        135/tcp   open  http             netTALK Duo http config
-        139/tcp   open  http             Oversee Turing httpd kC (domain parking)
-        143/tcp   open  crestron-control TiVo DVR Crestron control server
-        144/tcp   open  http             Ares Galaxy P2P httpd 7942927
-        179/tcp   open  http             WMI ViH (3Com 5500G-EI switch http config)
-        199/tcp   open  smux?
-        389/tcp   open  http-proxy       ziproxy http proxy
-        427/tcp   open  vnc              (protocol 3)
-        443/tcp   open  https?
-        444/tcp   open  snpp?
-        445/tcp   open  http             Pogoplug HBHTTP QpwKdZQ
-        465/tcp   open  http             Gordian httpd 322410 (IQinVision IQeye3 webcam rtspd)
-        513/tcp   open  login?
-        514/tcp   open  finger           ffingerd
-        515/tcp   open  pop3             Eudora Internet Mail Server X pop3d 4918451
-        543/tcp   open  ftp              Dell Laser Printer z printer ftpd k
-        544/tcp   open  ftp              Solaris ftpd
-        548/tcp   open  http             Medusa httpd Elhmq (Sophos Anti-Virus Home http config)
-        554/tcp   open  rtsp?
-        587/tcp   open  http-proxy       Pound http proxy
-        631/tcp   open  efi-webtools     EFI Fiery WebTools communication
-        646/tcp   open  ldp?
-        873/tcp   open  rsync?
-        990/tcp   open  http             OpenWrt uHTTPd
-        993/tcp   open  ftp              Konica Minolta bizhub printer ftpd
-        995/tcp   open  pop3s?
-        1025/tcp  open  sip-proxy        Comdasys SIP Server D
-        1026/tcp  open  LSA-or-nterm?
-        1027/tcp  open  IIS?
-        1028/tcp  open  rfidquery        Mercury3 RFID Query protocol
-        1029/tcp  open  smtp-proxy       ESET NOD32 anti-virus smtp proxy
-        1110/tcp  open  http             qhttpd
-        1433/tcp  open  http             ControlByWeb WebRelay-Quad http admin
-        1720/tcp  open  H.323/Q.931?
-        1723/tcp  open  pptp?
-        1755/tcp  open  http             Siemens Simatic HMI MiniWeb httpd
-        1900/tcp  open  tunnelvision     Tunnel Vision VPN info 69853
-        2000/tcp  open  telnet           Patton SmartNode 4638 VoIP adapter telnetd
-        2001/tcp  open  dc?
-        2049/tcp  open  nfs?
-        2121/tcp  open  http             Bosch Divar Security Systems http config
-        2717/tcp  open  rtsp             Darwin Streaming Server 104621400
-        3000/tcp  open  pop3             Solid pop3d
-        3128/tcp  open  irc-proxy        muh irc proxy
-        3306/tcp  open  ident            KVIrc fake identd
-        3389/tcp  open  ms-wbt-server?
-        3986/tcp  open  mapper-ws_ethd?
-        4899/tcp  open  printer          QMC DeskLaser printer (Status o)
-        5000/tcp  open  http             D-Link DSL-eTjM http config
-        5009/tcp  open  airport-admin?
-        5051/tcp  open  ssh              (protocol 325257)
-        5060/tcp  open  http             apt-cache/apt-proxy httpd
-        5101/tcp  open  ftp              OKI BVdqeC-ykAA VoIP adapter ftpd kHttKI
-        5190/tcp  open  http             Conexant-EmWeb JqlM (Intertex IX68 WAP http config; SIPGT TyXT)
-        5357/tcp  open  wsdapi?
-        5432/tcp  open  postgresql?
-        5631/tcp  open  irc              ircu ircd
-        5666/tcp  open  litecoin-jsonrpc Litecoin JSON-RPC f_
-        5800/tcp  open  smtp             Lotus Domino smtpd rT Beta y
-        5900/tcp  open  ftp
-        6000/tcp  open  http             httpd.js (Songbird WebRemote)
-        6001/tcp  open  daap             mt-daapd DAAP TGeiZA
-        6646/tcp  open  unknown
-        7070/tcp  open  athinfod         Athena athinfod
-        8000/tcp  open  amanda           Amanda backup system index server (broken: libsunmath.so.1 not found)
-        8008/tcp  open  http?
-        8009/tcp  open  ajp13?
-        8080/tcp  open  http             D-Link DGL-4300 WAP http config
-        8081/tcp  open  http             fec ysp (Funkwerk bintec R232B router; .h.K...z)
-        8443/tcp  open  smtp
-        8888/tcp  open  smtp             OpenVMS smtpd uwcDNI (OpenVMS RVqcGIr; Alpha)
-        9100/tcp  open  jetdirect?
-        9999/tcp  open  http             Embedded HTTPD 3BOzejtHW (Netgear MRd WAP http config; j)
-        10000/tcp open  http             MikroTik router http config (RouterOS 0982808)
-        32768/tcp open  filenet-tms?
-        49152/tcp open  unknown
-        49153/tcp open  http             ASSP Anti-Spam Proxy httpd XLgR(?)?
-        49154/tcp open  http             Samsung AllShare httpd
-        49155/tcp open  ftp              Synology DiskStation NAS ftpd
-        49156/tcp open  aspi             ASPI server 837305
-        49157/tcp open  sip              AVM FRITZ!Box |
+     PORT   STATE SERVICE       VERSION
+        1/tcp  open  tcpmux?
+        2/tcp  open  compressnet?
+        3/tcp  open  compressnet?
+        4/tcp  open  pioneers-meta Pioneers game meta server 9
+        5/tcp  open  rje?
+        6/tcp  open  g15daemon     g15daemon (Logitech G15 keyboard control)
+        7/tcp  open  echo?
+        8/tcp  open  unknown
+        9/tcp  open  nagios-nsca   Nagios NSCA
+                10/tcp open  unknown
+        7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-b                     in/submit.cgi?new-service :
+        ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+        SF-Port1-TCP:V=7.91%I=7%D=3/14%Time=604E7AC1%P=i686-pc-windows-windows%r(N
+        SF:ULL,6D,"HTTP/1\.0\x20400\x20Invalid\x20Request\r\nContent-Type:\x20text
 
 Notice how all of the ports are still reported as open, but now Nmap reports a unique service on each port. This will either 1) lead an attacker down a rabbit hole investigating each port while wasting their time, or 2) the attacker may discard the results as false positives and ignore this machine altogether, leaving any legitimate service running untouched.
 

diff --git a/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md b/IntroClassFiles/Tools/IntroClass/canarytokens/Canarytokens.md
@@ -23,7 +23,7 @@ Then select Create Token.
 
 
 
-When you get the next screen, select Download your MS Word File 
+When you get the next screen, select Download your MS Word File.  
 
 
 
@@ -55,7 +55,7 @@ Now, let's play with the site cloner:
 
 
 
-Please select New Token in the upper right corner 
+Please select New Token in the upper right corner. 
 
 
 
@@ -83,15 +83,15 @@ Now, select Create my Canarytoken.
 
 
 
-Now we will need to copy the JavaScript and put it somewhere so it triggers: 
+Now we will need to copy the JavaScript and put it somewhere so it triggers: 
 
 
 
 ![](attachment\Clipboard_2021-03-12-10-11-06.png) 
 
 
 
-Now, lest surf to https://scriptasylum.com/tutorials/encode-decode.html 
+Now, let's surf to https://scriptasylum.com/tutorials/encode-decode.html 
 
 
 

diff --git a/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md b/IntroClassFiles/Tools/IntroClass/honeyshare/HoneyShare.md
@@ -84,7 +84,7 @@ It should look like this:
 
 
 
-Next, lets open a Windows Command Prompt: 
+Next, let's open a Windows Command Prompt: 
 
 
 

diff --git a/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md b/IntroClassFiles/Tools/IntroClass/honeyuser/honeyuser.md
@@ -117,16 +117,11 @@ When Create Custom View opens, please select XML:
 Then, select Edit query Manually, Press Yes on the Alert Box and then replace the text in the query with the text below: 
 
 ~~~~~~ 
-
-<QueryList> 
-
-  <Query Id="0" Path="Security"> 
-
-    <Select Path="Security">* [EventData[Data[@Name='TargetUserName']='Frank']]</>Select> 
-
-</Query> 
-
-</QueryList> 
+<QueryList>
+  <Query Id="0" Path="Security">
+    <Select Path="Security">* [EventData[Data[@Name='TargetUserName']='Frank']]</Select>
+  </Query>
+</QueryList>
 
 ~~~~~~ 
 

diff --git a/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md b/IntroClassFiles/Tools/IntroClass/pcap/AdvancedC2PCAPAnalysis.md
@@ -24,7 +24,7 @@ Next, open an Ubuntu Prompt by clicking the down carrot in the terminal and sele
 
 
 
-Next, let navigate to the directory where the pcap file is stored. 
+Next, let's navigate to the directory where the pcap file is stored. 
 
 
 
@@ -76,8 +76,7 @@ Press `q` to close the tcpdump session.
 
 
 
-One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a compromised target and two is because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.  
-
+One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a compromised target and. Secondly, because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.  
 
 
 In the capture, the SYN packets are roughly 30 seconds apart for the beacon traffic.  

diff --git a/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md b/IntroClassFiles/Tools/IntroClass/webhoneypot/webhoneypot.md
@@ -44,7 +44,7 @@ Next, change directories to the /opt/owa-honeyport directory:
 
 
 
-Now, lets start the honeypot: 
+Now, let's start the honeypot: 
 
 
 
@@ -156,7 +156,7 @@ It should look like this:
 
 
 
-After a while, oyu should see some attack strings in your Logs. 
+After a while, you should see some attack strings in your Logs.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -84,7 +84,7 @@ It should look like this:



		Next, lets open a Windows Command Prompt:
		Next, let's open a Windows Command Prompt:



Expand Down
-Original file line number
+Diff line change
@@ Expand Up / @@ -44,7 +44,7 @@ Next, change directories to the /opt/owa-honeyport directory: @@
-    Now, lets start the honeypot:
+    Now, let's start the honeypot:
@@ Expand Down Expand Up / @@ -156,7 +156,7 @@ It should look like this: @@
-    After a while, oyu should see some attack strings in your Logs.
+    After a while, you should see some attack strings in your Logs.
@@ Expand Down @@