Shell Scripting For Reconnaissance and Incident Response

Shell Scripting for Reconnaissance and Intrusion Detection. This script collects system and user information from a target machine in 3 steps: 1) it checks that the script is run as root; 2) it collects system information like OS details, processes, packages etc.; 3) it collects user information like logged in users, passwords, groups etc.

Shell Scripting for Reconnaissance and Intrusion Detection 28

Hostname: Athena
User: mgray

1.14. Packages Removed from System
Aisleriot Solitaire
Amazon
Cheese
GNOME majo
GNOME Mines
GNOME Sudoku
Rhythmbox
Shotwell
Simple Scan
Videos

1.15. Additional packages installed on System
Most recent Ubuntu updates
VMWare Tools
preload
curl
gnome-tweak-tool
nmap
vim
sublime-text
git
wireshark
tshark

8. Appendix B – User Report Script

Mark D. Gray, [email protected]
© 2019 The SANS Institute. Author retains full rights.

#!/usr/bin/env bash
LSPCI=/usr/bin/lspci
LSB=/usr/bin/lsb_release
W=/usr/bin/w
LASTLOG=/usr/bin/lastlog
CAT=/bin/cat
EGREP=/bin/egrep
LSOF=/usr/bin/lsof
DATE=/bin/date
HOSTNAME=/bin/hostname
UNAME=/bin/uname
FAILLOG=/usr/bin/faillog
## files ##
PASSWD="/etc/passwd"
SUDOERS="/etc/sudoers"
SHADOW="/etc/shadow"
GROUP="/etc/group"
ROOTHIST="/root/.bash_history"
## Output file ##
OUTPUT="user.$(date +'%m-%d-%y').info.txt"

root_check(){
    local meid=$(id -u)
    if [ "$meid" -ne 0 ]; then
        echo "You must run this tool as root or sudo."
        exit 1
    fi
}

header_split(){
    echo "---------------------------------------------------" >> "$OUTPUT"
    echo "$@" >> "$OUTPUT"
    echo "---------------------------------------------------" >> "$OUTPUT"
}

user_info(){
    echo "* Hostname: $(hostname)" > "$OUTPUT"
    echo "* Run date and time: $(date)" >> "$OUTPUT"

    header_split "Linux Distro"
    echo "Linux kernel: $(uname -mrs)" >> "$OUTPUT"
    $LSB -a >> "$OUTPUT"

    header_split "Logged in Users"
    $W >> "$OUTPUT"

    header_split "Remote User Logins"
    $LASTLOG >> "$OUTPUT"

    header_split "Failed Logins"
    $FAILLOG -a >> "$OUTPUT"

    header_split "Local User Accounts"
    $CAT "$PASSWD" >> "$OUTPUT"
    $CAT "$SHADOW" >> "$OUTPUT"

    header_split "Local Groups"
    $CAT "$GROUP" >> "$OUTPUT"

    header_split "Root Bash History"
    $CAT "$ROOTHIST" >> "$OUTPUT"

    echo "The User Report Info Written To $OUTPUT."
}
root_check
user_info

9. Appendix C – Operating System Report Script

#!/usr/bin/env bash
LSPCI=/usr/bin/lspci
LSB=/usr/bin/lsb_release
UPTIME=/usr/bin/uptime
DISK_USAGE=/bin/df
HOME_SPACE=/usr/bin/du
## files ##
CPU="/proc/cpuinfo"
MEMORY="/proc/meminfo"
MOUNTS="/proc/mounts"
FSTAB="/etc/fstab"
## Output file ##
OUTPUT="system.$(date +'%m-%d-%y').info.txt"

root_check(){
    local meid=$(id -u)
    if [ "$meid" -ne 0 ]; then
        echo "You must run this tool as root or sudo."
        exit 1
    fi
}

header_split(){
    echo "---------------------------------------------------" >> "$OUTPUT"
    echo "$@" >> "$OUTPUT"
    echo "---------------------------------------------------" >> "$OUTPUT"
}

system_info(){
    echo "* Hostname: $(hostname)" > "$OUTPUT"
    echo "* Run date and time: $(date)" >> "$OUTPUT"

    header_split "Linux Distro"
    echo "Linux kernel: $(uname -mrs)" >> "$OUTPUT"
    $LSB -a >> "$OUTPUT"

    header_split "PCI Devices"
    ${LSPCI} -v >> "$OUTPUT"

    header_split "Disk Space Output"
    ${DISK_USAGE} -h >> "$OUTPUT"

    header_split "Home Space Output"
    ${HOME_SPACE} -sh /home/* >> "$OUTPUT"

    header_split "Host Uptime"
    $UPTIME >> "$OUTPUT"

    header_split "CPU Info"
    cat "$CPU" >> "$OUTPUT"

    header_split "Memory Info"
    cat "$MEMORY" >> "$OUTPUT"

    header_split "Mounts"
    cat "$MOUNTS" >> "$OUTPUT"

    header_split "FSTAB"
    cat "$FSTAB" >> "$OUTPUT"

    header_split "Installed Packages"
    dpkg -l >> "$OUTPUT"
    echo "The System Report Info Written To $OUTPUT."
}
root_check
system_info
10. Appendix D – Network Activity Report Script

#!/usr/bin/env bash
IP4FW=/sbin/iptables
IP6FW=/sbin/ip6tables
LSPCI=/usr/bin/lspci
ROUTE=/sbin/route
NETSTAT=/bin/netstat
LSB=/usr/bin/lsb_release
IFCFG=/sbin/ifconfig
ARP=/usr/sbin/arp
## files ##
DNSCLIENT="/etc/resolv.conf"
DRVCONF="/etc/modprobe.conf"
NETALIASCFC="/etc/sysconfig/network-scripts/ifcfg-eth?-range?"
NETCFC="/etc/sysconfig/network-scripts/ifcfg-eth?"
NETSTATICROUTECFC="/etc/sysconfig/network-scripts/route-eth?"
SYSCTL="/etc/sysctl.conf"
## Output file ##
OUTPUT="network.$(date +'%m-%d-%y').info.txt"

root_check(){
    local meid=$(id -u)
    if [ "$meid" -ne 0 ]; then
        echo "You must be root user to run this tool"
        exit 1
    fi
}

header_split(){
    echo "---------------------------------------------------" >> "$OUTPUT"
    echo "$@" >> "$OUTPUT"
    echo "---------------------------------------------------" >> "$OUTPUT"
}

network_info(){
    echo "* Hostname: $(hostname)" > "$OUTPUT"
    echo "* Run date and time: $(date)" >> "$OUTPUT"

    header_split "Linux Distro"
    echo "Linux kernel: $(uname -mrs)" >> "$OUTPUT"
    $LSB -a >> "$OUTPUT"

    header_split "IFCONFIG Output"
    ${IFCFG} -a >> "$OUTPUT"

    header_split "Kernel Routing Table"
    ${ROUTE} -n >> "$OUTPUT"

    header_split "DNS Client $DNSCLIENT Configuration"
    [ -f "$DNSCLIENT" ] && cat "$DNSCLIENT" >> "$OUTPUT" || echo "Error $DNSCLIENT file not found." >> "$OUTPUT"

    header_split "IP4 Firewall Configuration"
    $IP4FW -L -n >> "$OUTPUT"

    header_split "IP6 Firewall Configuration"
    $IP6FW -L -n >> "$OUTPUT"

    header_split "Network Stats"
    $NETSTAT -s >> "$OUTPUT"

    header_split "ARP Cache"
    $ARP -a >> "$OUTPUT"

    header_split "Network Tweaks via $SYSCTL"
    [ -f "$SYSCTL" ] && cat "$SYSCTL" >> "$OUTPUT" || echo "Error $SYSCTL not found." >> "$OUTPUT"

    echo "The Network Configuration Info Written To $OUTPUT."
}
root_check
network_info
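The three report scripts in Appendices B, C and D share the same root check and header_split helper, write the report into the current directory with whatever umask the caller has, and run each tool blind: a hard-coded path that does not exist (net-tools commands such as route, ifconfig and netstat are no longer installed by default on newer distributions) leaves a silently empty section, and nothing records whether a tool failed. Since the user report includes /etc/shadow and root's shell history, the output file also deserves owner-only permissions. The following is an added example, not code from the paper: a hardened version of the shared pieces. The names report_init, collect_section, report_digest and the REPORT variable are this example's own, and the --run block at the end simply mirrors a few sections of Appendices B and D.

```shell
#!/usr/bin/env bash
# Added example (not from the paper): hardened shared pieces for the
# Appendix B/C/D report scripts. Tools are looked up on PATH rather than
# hard-coded, missing tools and non-zero exits are recorded in the report,
# the report is owner-only, and a SHA-256 digest is produced for the case file.

# Report file; callers may set REPORT before running.
REPORT="${REPORT:-report.$(date +'%m-%d-%y').info.txt}"

# Create the report as a fresh, owner-only (0600) file. An existing file
# of the same name is not appended to, so stale content cannot be mistaken
# for this run's output.
report_init() {
    umask 077
    rm -f -- "$REPORT"
    : > "$REPORT"
    {
        echo "* Hostname: $(hostname 2>/dev/null || echo unknown)"
        echo "* Run date and time: $(date -u +'%Y-%m-%dT%H:%M:%SZ')"
    } >> "$REPORT"
}

header_split() {
    {
        echo "---------------------------------------------------"
        echo "$@"
        echo "---------------------------------------------------"
    } >> "$REPORT"
}

# collect_section TITLE COMMAND [ARGS...]
# Runs COMMAND with stdout and stderr captured into the report. A missing
# tool is recorded (status 2) instead of leaving the section empty, and a
# non-zero exit is recorded so an analyst can tell "no output" from "failed".
collect_section() {
    title=$1; shift
    header_split "$title"
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "ERROR: tool '$1' not found on this host." >> "$REPORT"
        return 2
    fi
    "$@" >> "$REPORT" 2>&1
    rc=$?
    [ "$rc" -ne 0 ] && echo "WARNING: '$*' exited with status $rc." >> "$REPORT"
    return "$rc"
}

# Print the SHA-256 of the report so the copy taken off the host can be
# checked against the value noted at collection time.
report_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$REPORT" | cut -d' ' -f1
    else
        shasum -a 256 "$REPORT" | cut -d' ' -f1
    fi
}

# Usage (as root): REPORT=user.info.txt ./report.sh --run
if [ "${1-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "You must run this tool as root or sudo." >&2; exit 1; }
    report_init
    collect_section "Logged in Users" w
    collect_section "Failed Logins" faillog -a
    collect_section "Local User Accounts" cat /etc/passwd
    collect_section "IP4 Firewall Configuration" iptables -L -n
    echo "Report written to $REPORT, sha256 $(report_digest)"
fi
```

Because every section goes through collect_section, the report itself documents which tools were unavailable on the host, which matters when the same script is later run on a different distribution than the Ubuntu test machine used in the paper.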
11. Appendix E - DNS Scripts

NMAP Reverse DNS lookup

#!/usr/bin/env bash
#NMAP reverse DNS lookup
nmap -R -sL -Pn --dns-servers 172.21.0.82 172.21.0.0/24 \
    | awk '{if(($1" "$2" "$3)=="Nmap scan report")print $5" "$6}' \
    | sed 's/(//g' | sed 's/)//g' > nmap_rdns.txt

Bash domain name resolution

#!/usr/bin/env bash
echo "Enter class C Range: 172.21.0"
read range
for ip in {1..254..1}; do
    host $range.$ip | grep "name pointer" | cut -d" " -f5
done

DNS Reverse Lookup

#!/usr/bin/env bash
for ip in {1..254..1}; do dig -x 172.21.0.$ip | grep $ip >> dns.txt; done

Bulk DNS lookup

#!/usr/bin/env bash
domains="microsoft.com
sans.org
google.com
gmail.com
bing.com
facebook.com
hotmail.com"
for domain in $domains
do
    ipv4=$(dig +short -t a @8.8.8.8 $domain)
    echo $domain has ip = $ipv4
done
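The awk and sed chain in the NMAP Reverse DNS lookup script prints fields 5 and 6 of every "Nmap scan report" line, which yields "name ip" for hosts with a PTR record but only "ip" for hosts without one, so the two cases cannot be told apart in nmap_rdns.txt. The following added example (not from the paper) parses the same list-scan output into a stable two-column table and lists the addresses that have no reverse record, which on an internal range is the short list an analyst checks first. The functions rdns_table and hosts_without_ptr and the sample nmap output are this example's own; the sample is constructed, not captured from a real scan.

```shell
#!/usr/bin/env bash
# Added example (not from the paper): parse `nmap -sL -R` output into
# "<ip><TAB><name>" rows, with "-" for hosts that have no PTR record.
# Assumes nmap's standard "Nmap scan report for ..." line format.

# rdns_table reads nmap list-scan output on stdin and prints one
# "<ip>\t<name>" line per host.
rdns_table() {
    awk '
        $1 == "Nmap" && $2 == "scan" && $3 == "report" {
            if ($6 ~ /^\(.*\)$/) {              # "for name (ip)"
                ip = substr($6, 2, length($6) - 2); name = $5
            } else {                             # "for ip" (no PTR)
                ip = $5; name = "-"
            }
            print ip "\t" name
        }'
}

# hosts_without_ptr prints only the addresses that lack a reverse record.
hosts_without_ptr() {
    rdns_table | awk 'BEGIN { FS = "\t" } $2 == "-" { print $1 }'
}

# Constructed sample of what the list scan in Appendix E prints.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.80 ( https://nmap.org ) at 2019-01-01 12:00 UTC
Nmap scan report for athena.lab.local (172.21.0.5)
Nmap scan report for 172.21.0.6
Nmap scan report for fileserver.lab.local (172.21.0.10)
Nmap done: 256 IP addresses (0 hosts up) scanned in 0.20 seconds'

# Usage with a real scan:
#   nmap -R -sL -Pn --dns-servers 172.21.0.82 172.21.0.0/24 | rdns_table > nmap_rdns.txt
# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | hosts_without_ptr
```

Keeping the parser as a function reading stdin means the same code serves a live scan and a saved nmap output file, and the tab-separated result loads directly into a spreadsheet or a join against the asset inventory.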

12. Appendix F – Network Analysis Scripts

Find live hosts with NMAP

#!/usr/bin/env bash
nmap -sP -n -oX out.xml 172.21.0.0/24 | grep "Nmap" | grep -v "https" \
    | grep -v "addresses" | cut -d" " -f5 > live_hosts && rm out.xml

Ping sweep with bash

#!/usr/bin/env bash
read -p "Enter the first 24bits of the IP range e.g. 172.21.0 : " subnet
alive_ping()
{
    ping -c 1 "$1" > /dev/null
    [ $? -eq 0 ] && echo "Host with IP: $1 is up."
}
for i in $subnet.{1..254..1}
do
    alive_ping $i >> live_hosts & disown
done

Identify top talkers after set number of packets.

#!/usr/bin/env bash
sudo tcpdump -nn -c 350 | awk '{print $3}' | cut -d. -f1-4 | sort -n \
    | uniq -c | sort -nr > talker_out
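The top-talkers one-liner takes field 3 of every tcpdump line as the source address and strips the port with cut -d. -f1-4. That works for IPv4 lines, but on a mixed capture ARP lines contribute tokens such as "Request" and IPv6 lines are mangled by the dot-based cut, so the counts in talker_out are polluted. The following added example (not from the paper) keeps the same idea but counts only IPv4 packets, removes the port by dropping the final dot-separated field, and adds a per-conversation tally, which is usually the next question after "who talks most". The functions top_talkers and top_pairs and the sample capture are this example's own; the capture lines are constructed in tcpdump -nn format, not from a real interface.

```shell
#!/usr/bin/env bash
# Added example (not from the paper): top talkers from `tcpdump -nn` text,
# restricted to IPv4 ("IP") lines so ARP and IPv6 records do not skew the tally.
# Assumes tcpdump's default line layout: "<time> IP <src>.<port> > <dst>.<port>: ...".

# top_talkers reads tcpdump output on stdin and prints "<count> <source-ip>",
# highest count first.
top_talkers() {
    awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); print src }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_pairs tallies (source -> destination) conversations instead. One host
# hammering a single peer and one host talking to everybody look identical
# in top_talkers but very different here.
top_pairs() {
    awk '$2 == "IP" {
            src = $3; sub(/\.[0-9]+$/, "", src)
            dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)
            print src " -> " dst
         }' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Constructed capture: a TCP handshake, an ARP request, an IPv6 DHCP
# solicit and a DNS query/response, in tcpdump -nn layout.
SAMPLE_CAPTURE='12:00:00.000001 IP 172.21.0.5.51234 > 172.21.0.10.443: Flags [S], seq 1, length 0
12:00:00.000002 IP 172.21.0.10.443 > 172.21.0.5.51234: Flags [S.], seq 1, ack 2, length 0
12:00:00.000003 IP 172.21.0.5.51234 > 172.21.0.10.443: Flags [.], ack 1, length 0
12:00:00.000004 ARP, Request who-has 172.21.0.7 tell 172.21.0.5, length 28
12:00:00.000005 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
12:00:00.000006 IP 172.21.0.5.51235 > 172.21.0.82.53: 1234+ A? example.com. (29)
12:00:00.000007 IP 172.21.0.82.53 > 172.21.0.5.51235: 1234 1/0/0 A 93.184.216.34 (45)'

# Usage on a live interface (as root), mirroring Appendix F:
#   tcpdump -nn -c 350 | top_talkers > talker_out
# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_CAPTURE" | top_pairs
```

Filtering on the "IP" protocol token rather than on the line position is what keeps the tally honest; an IPv6 variant would key on "IP6" and split the address from the port on the last dot in the same way, since tcpdump prints IPv6 addresses as "addr.port" too.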

Last Updated: August 19th, 2020
