Shell Scripting For Reconnaissance and Incident Response
Shell Scripting For Reconnaissance and Incident Response
gh
Shell Scripting for Reconnaissance and Intrusion Detection 2
8
Ri
ll
Hostname: Athena
Fu
User: mgray
ns
1.14. Packages Removed from System
Aisleriot Solitaire
ai
Amazon
et
Cheese
rR
GNOME majo
GNOME Mines
ho
GNOME Sudoku
Rhythmbox
ut
Shotwell
,A
Simple Scan
Videos
te
itu
VMWare Tools
NS
preload
curl
SA
gnome-tweak-tool
nmap
vim
e
Th
sublime-text
git
19
wireshark
tshark
20
©
Ri
ll
## tools ##
# Absolute paths so the report does not depend on the caller's PATH.
LSB="/usr/bin/lsb_release"
W="/usr/bin/w"
LASTLOG="/usr/bin/lastlog"
CAT="/bin/cat"
EGREP="/bin/egrep"
LSOF="/usr/bin/lsof"
DATE="/bin/date"
# NOTE: this assignment shadows bash's own HOSTNAME variable for the rest of the script.
HOSTNAME="/bin/hostname"
UNAME="/bin/uname"
FAILLOG="/usr/bin/faillog"
## files ##
# Account and privilege sources the report reads; SHADOW and ROOTHIST are
# readable only by root, hence the script's root_check.
PASSWD="/etc/passwd"
SUDOERS="/etc/sudoers"
SHADOW="/etc/shadow"
GROUP="/etc/group"
ROOTHIST="/root/.bash_history"
## Output file ##
# Dated report name in the current directory, e.g. user.03-14-20.info.txt (month-day-year).
OUTPUT="user.$(date +'%m-%d-%y').info.txt"
e
Th
root_check(){
local meid=$(id -u)
19
exit 1
fi
}
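#######################################
# Append a section banner to the report file.
# Globals:   OUTPUT (appended to)
# Arguments: section title; all arguments are joined with a space
# Outputs:   three lines (rule, title, rule) appended to $OUTPUT
#######################################
header_split(){
  local rule='---------------------------------------------------'
  # One printf instead of three echos; OUTPUT is quoted so a path with
  # spaces or glob characters cannot redirect elsewhere.
  printf '%s\n' "$rule" "$*" "$rule" >> "$OUTPUT"
}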
Ri
ll
Fu
user_info(){
ns
echo "* Hostname: $(hostname)" >$OUTPUT
echo "* Run date and time: $(date)" >>$OUTPUT
ai
et
rR
header_split "Linux Distro"
echo "Linux kernel: $(uname -mrs)" >>$OUTPUT
ho
$LSB -a >> $OUTPUT
ut
,A
header_split "Logged in Users"
$W >> $OUTPUT
te
itu
Ri
ll
9. Appendix C – Operating System Report Script
Fu
ns
#!/bin/env bash
# NOTE(review): env normally lives at /usr/bin/env; /bin/env only exists on
# merged-/usr systems — confirm on the target hosts.
## tools ##
# Absolute paths so the report does not depend on the caller's PATH.
LSPCI="/usr/bin/lspci"
LSB="/usr/bin/lsb_release"
UPTIME="/usr/bin/uptime"
DISK_USAGE="/bin/df"
HOME_SPACE="/usr/bin/du"
## files ##
# Kernel-exported and configuration files the report copies verbatim.
CPU="/proc/cpuinfo"
MEMORY="/proc/meminfo"
MOUNTS="/proc/mounts"
FSTAB="/etc/fstab"
## Output file ##
# Dated report name in the current directory, e.g. system.03-14-20.info.txt (month-day-year).
OUTPUT="system.$(date +'%m-%d-%y').info.txt"
root_check(){
SA
fi
20
}
©
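#######################################
# Append a section banner to the report file.
# Globals:   OUTPUT (appended to)
# Arguments: section title; all arguments are joined with a space
# Outputs:   three lines (rule, title, rule) appended to $OUTPUT
#######################################
header_split(){
  local rule='---------------------------------------------------'
  # One printf instead of three echos; OUTPUT is quoted so a path with
  # spaces or glob characters cannot redirect elsewhere.
  printf '%s\n' "$rule" "$*" "$rule" >> "$OUTPUT"
}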
system_info(){
echo "* Hostname: $(hostname)" >$OUTPUT
Mark D. Gray, [email protected]
Ri
ll
echo "* Run date and time: $(date)" >>$OUTPUT
Fu
ns
header_split "Linux Distro"
echo "Linux kernel: $(uname -mrs)" >>$OUTPUT
ai
$LSB -a >> $OUTPUT
et
rR
header_split "PCI Devices"
ho
${LSPCI} -v >> $OUTPUT
ut
,A
header_split "Disk Space Output"
${DISK_USAGE} -h >> $OUTPUT
te
itu
header_split "Mounts"
cat $MOUNTS >> $OUTPUT
header_split "FSTAB"
cat $FSTAB >> $OUTPUT
Ri
ll
root_check
Fu
system_info
ns
ai
10. Appendix D – Network Activity Report Script
et
rR
#!/bin/env bash
# NOTE(review): env normally lives at /usr/bin/env; /bin/env only exists on
# merged-/usr systems — confirm on the target hosts.
## tools ##
# Absolute paths so the report does not depend on the caller's PATH.
IP4FW="/sbin/iptables"
IP6FW="/sbin/ip6tables"
LSPCI="/usr/bin/lspci"
ROUTE="/sbin/route"
NETSTAT="/bin/netstat"
LSB="/usr/bin/lsb_release"
IFCFG="/sbin/ifconfig"
ARP="/usr/sbin/arp"
## files ##
DNSCLIENT="/etc/resolv.conf"
DRVCONF="/etc/modprobe.conf"
# The '?' characters are shell globs: they stay literal here (quoted
# assignment) and only expand when the variable is later used unquoted.
NETALIASCFC="/etc/sysconfig/network-scripts/ifcfg-eth?-range?"
NETCFC="/etc/sysconfig/network-scripts/ifcfg-eth?"
NETSTATICROUTECFC="/etc/sysconfig/network-scripts/route-eth?"
SYSCTL="/etc/sysctl.conf"
## Output file ##
# Dated report name in the current directory, e.g. network.03-14-20.info.txt (month-day-year).
OUTPUT="network.$(date +'%m-%d-%y').info.txt"
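#######################################
# Abort unless the script runs as uid 0.
# Globals:   none
# Arguments: none
# Outputs:   diagnostic on stderr when not root
# Returns:   0 when root; exits 1 otherwise (also when id itself fails,
#            since the privilege level is then unknown)
#######################################
root_check(){
  local meid
  # Declaration and assignment are split so a failing `id` is not masked
  # by `local` returning 0; an empty meid then fails the check below.
  meid=$(id -u 2>/dev/null) || meid=''
  if [ "$meid" != 0 ]; then
    echo "You must be root user to run this tool" >&2
    exit 1
  fi
}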
Fu
ns
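#######################################
# Append a section banner to the report file.
# Globals:   OUTPUT (appended to)
# Arguments: section title; all arguments are joined with a space
# Outputs:   three lines (rule, title, rule) appended to $OUTPUT
#######################################
header_split(){
  local rule='---------------------------------------------------'
  # One printf instead of three echos; OUTPUT is quoted so a path with
  # spaces or glob characters cannot redirect elsewhere.
  printf '%s\n' "$rule" "$*" "$rule" >> "$OUTPUT"
}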
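#######################################
# Write the network report: hostname, netstat statistics, ARP cache and the
# sysctl configuration file, each under a banner from header_split.
# Globals:   OUTPUT (truncated, then appended to), NETSTAT, ARP, SYSCTL (read)
# Arguments: none
# Outputs:   report in $OUTPUT; one completion line on stdout
# NOTE(review): IP4FW, IP6FW, ROUTE, IFCFG and the /etc path variables defined
# at the top of this script are not used here; sections for them may have
# been lost in this copy of the script — verify against the original.
#######################################
network_info(){
  # '>' on the first line starts a fresh report; everything after appends.
  echo "* Hostname: $(hostname)" > "$OUTPUT"
  header_split "Network Stats"
  "$NETSTAT" -s >> "$OUTPUT"
  header_split "ARP Cache"
  "$ARP" -a >> "$OUTPUT"
  header_split "Network Tweaks via $SYSCTL"
  # An if/else instead of `[ -f ] && cat || echo`: with the && || form a
  # failing cat (e.g. unreadable file) would also print "not found".
  if [ -f "$SYSCTL" ]; then
    cat -- "$SYSCTL" >> "$OUTPUT"
  else
    echo "Error $SYSCTL not found." >> "$OUTPUT"
  fi
  echo "The Network Configuration Info Written To $OUTPUT."
}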
itu
st
root_check
In
network_info
NS
SA
e
Th
19
20
©
Ri
ll
Fu
ns
ai
et
11. Appendix E - DNS Scripts
rR
NMAP Reverse DNS lookup
ho
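#!/bin/env bash
# NMAP reverse DNS lookup: a list scan (-sL sends no probes) with forced
# reverse resolution (-R) against a chosen resolver, printing the
# "name (address)" fields of each "Nmap scan report for" line.
# Usage: script [dns_server] [range]; with no arguments the original
# hard-coded resolver and /24 are used.
dns_server=${1:-172.21.0.82}
range=${2:-172.21.0.0/24}
# Long option spelled in its documented form (--dns-servers).
nmap -R -sL -Pn --dns-servers "$dns_server" "$range" \
  | awk '($1 " " $2 " " $3) == "Nmap scan report" { print $5 " " $6 }'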
itu
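#!/bin/env bash
# Reverse-resolve every host of a /24 with `host` and print the PTR target.
# $range holds the first three octets (e.g. 172.21.0); its assignment is not
# present in this copy of the script, so refuse to run when it is unset
# instead of silently querying ".1" through ".254".
: "${range:?set range to the first three octets of the /24, e.g. 172.21.0}"
for ip in {1..254}; do
  host "$range.$ip" | grep "name pointer" | cut -d" " -f5
done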
19
#!/bin/env bash
©
Ri
ll
hotmail.com"
Fu
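# Resolve each name in $domains (a space-separated list assigned above this
# loop) to its A records via the public 8.8.8.8 resolver and print one line
# per name. Word-splitting of $domains is intentional, so it stays unquoted.
for domain in $domains; do
  ipv4=$(dig +short -t a @8.8.8.8 "$domain")
  # The original unquoted echo folded multi-record answers onto one line;
  # keep that layout while avoiding echo's option parsing on odd names.
  printf '%s has ip = %s\n' "$domain" "${ipv4//$'\n'/ }"
done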
ho
12. Appendix F – Network Analysis Scripts
ut
,A
Find live hosts with NMAP
#!/bin/env bash
itu
read -p "Enter the first 24bits of the IP range e.g. 172.21.0 : "
e
subnet
Th
alive_ping()
19
{
20
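#!/bin/env bash
# Top talkers: capture a fixed number of packets, take field 3 of tcpdump's
# default line (address.port in the IP lines), drop the port with cut, and
# count occurrences, most frequent first.
# Usage: script [packet_count] [output_file]; defaults are the original values.
# tcpdump needs capture privileges, hence sudo; -nn keeps output numeric.
count=${1:-350}
out=${2:-talker_out}
sudo tcpdump -nn -c "$count" \
  | awk '{print $3}' \
  | cut -d. -f1-4 \
  | sort -n \
  | uniq -c \
  | sort -nr > "$out"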
ns
ai
et
rR
ho
ut
,A
te
itu
st
In
NS
SA
e
Th
19
20
©
SANS Virginia Beach 2020 Virginia Beach, VAUS Aug 30, 2020 - Sep 04, 2020 Live Event
SANS London September 2020 London, GB Sep 07, 2020 - Sep 12, 2020 Live Event
SANS Baltimore Fall 2020 Baltimore, MDUS Sep 08, 2020 - Sep 13, 2020 Live Event
SANS Munich September 2020 Munich, DE Sep 14, 2020 - Sep 19, 2020 Live Event
SANS Australia Spring 2020 , AU Sep 21, 2020 - Oct 03, 2020 Live Event
SANS San Antonio Fall 2020 San Antonio, TXUS Sep 28, 2020 - Oct 03, 2020 Live Event
SANS Northern VA - Reston Fall 2020 Reston, VAUS Sep 28, 2020 - Oct 03, 2020 Live Event
SANS Brussels October 2020 Brussels, BE Oct 05, 2020 - Oct 10, 2020 Live Event
SANS Amsterdam October 2020 Amsterdam, NL Oct 05, 2020 - Oct 10, 2020 Live Event
SANS FOR500 Milan 2020 (In Italian) Milan, IT Oct 05, 2020 - Oct 10, 2020 Live Event
SANS October Singapore 2020 Singapore, SG Oct 12, 2020 - Oct 24, 2020 Live Event
SANS Prague October 2020 Prague, CZ Oct 12, 2020 - Oct 17, 2020 Live Event
SANS Orlando 2020 Orlando, FLUS Oct 12, 2020 - Oct 17, 2020 Live Event
SANS London October 2020 London, GB Oct 12, 2020 - Oct 17, 2020 Live Event
SANS Doha October 2020 Doha, QA Oct 17, 2020 - Oct 22, 2020 Live Event
SANS Riyadh October 2020 Riyadh, SA Oct 17, 2020 - Oct 22, 2020 Live Event
SANS SEC504 Rennes 2020 (In French) Rennes, FR Oct 19, 2020 - Oct 24, 2020 Live Event
SANS Stockholm October 2020 Stockholm, SE Oct 19, 2020 - Oct 24, 2020 Live Event
SANS Dallas Fall 2020 Dallas, TXUS Oct 19, 2020 - Oct 24, 2020 Live Event
SANS Rome October 2020 Rome, IT Oct 19, 2020 - Oct 24, 2020 Live Event
SANS San Francisco Fall 2020 San Francisco, CAUS Oct 26, 2020 - Oct 31, 2020 Live Event
SANS SEC560 Lille 2020 (In French) Lille, FR Oct 26, 2020 - Oct 31, 2020 Live Event
SANS Geneva October 2020 Geneva, CH Oct 26, 2020 - Oct 31, 2020 Live Event
SANS Cologne October 2020 Cologne, DE Oct 26, 2020 - Oct 31, 2020 Live Event
SANS Tel Aviv November 2020 Tel Aviv, IL Nov 01, 2020 - Nov 05, 2020 Live Event
SANS Krakow November 2020 Krakow, PL Nov 02, 2020 - Nov 07, 2020 Live Event
SANS Rocky Mountain Fall 2020 Denver, COUS Nov 02, 2020 - Nov 07, 2020 Live Event
SANS London November 2020 London, GB Nov 02, 2020 - Nov 07, 2020 Live Event
SANS DFIRCON 2020 Miami, FLUS Nov 02, 2020 - Nov 07, 2020 Live Event
SANS Paris November 2020 Paris, FR Nov 02, 2020 - Nov 07, 2020 Live Event
SANS Sydney 2020 Sydney, AU Nov 02, 2020 - Nov 14, 2020 Live Event
SANS Gulf Region 2020 Dubai, AE Nov 07, 2020 - Nov 19, 2020 Live Event