ts
gh
Shell Scripting for Reconnaissance and Intrusion Detection 2
8
Ri
ll
Hostname: Athena
Fu
User: mgray
ns
1.14. Packages Removed from System
Aisleriot Solitaire
ai
Amazon
et
Cheese
rR
GNOME majo
GNOME Mines
ho
GNOME Sudoku
Rhythmbox
ut
Shotwell
,A
Simple Scan
Videos
te
itu
1.15. Additional packages installed on System
st
Most recent Ubuntu updates
In
VMWare Tools
NS
preload
curl
SA
gnome-tweak-tool
nmap
vim
e
Th
sublime-text
git
19
wireshark
tshark
20
©
8. Appendix B – User Report Script
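#!/usr/bin/env bash
# User Report Script (Appendix B): writes host identity, logged-in and recent
# logins, failed logins, local accounts/groups and root's shell history into a
# dated report file in the current directory. Requires root (see root_check).
#
# Shebang uses /usr/bin/env, the conventional location of env; /bin/env is not
# present on every system.

## commands (absolute paths; locations are Debian/Ubuntu-style) ##
LSPCI=/usr/bin/lspci
LSB=/usr/bin/lsb_release
W=/usr/bin/w
LASTLOG=/usr/bin/lastlog
CAT=/bin/cat
EGREP=/bin/egrep
LSOF=/usr/bin/lsof
DATE=/bin/date
HOSTNAME=/bin/hostname
UNAME=/bin/uname
FAILLOG=/usr/bin/faillog
# NOTE(review): LSPCI, EGREP, LSOF, DATE, HOSTNAME and UNAME are defined but not
# referenced by user_info, which calls hostname/date/uname directly.

## files ##
PASSWD="/etc/passwd"
SUDOERS="/etc/sudoers"   # defined but not read by user_info
SHADOW="/etc/shadow"
GROUP="/etc/group"
ROOTHIST="/root/.bash_history"

## Output file ##
# Report name carries the run date (mm-dd-yy); a second run on the same day
# overwrites it. The report contains /etc/shadow, so it is sensitive.
OUTPUT="user.$(date +'%m-%d-%y').info.txt"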
e
Th
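#######################################
# Abort unless the effective uid is 0.
# Outputs:   error message on stderr when not running as root
# Returns:   0 when root; otherwise exits the script with status 1
#######################################
root_check(){
  local meid
  meid=$(id -u)
  # String comparison so an empty or unexpected id also refuses (fails closed);
  # `[ "" -ne 0 ]` would error out and fall through to the privileged code.
  if [ "$meid" != "0" ]; then
    printf '%s\n' "You must run this tool as root or sudo." >&2
    exit 1
  fi
}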
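#######################################
# Append a framed section heading to the report.
# Globals:   OUTPUT (read) - report file path
# Arguments: $* - heading text, printed on one line separated by spaces
# Outputs:   three lines appended to $OUTPUT (rule, heading, rule)
#######################################
header_split(){
  local rule='---------------------------------------------------'
  # One redirection for the group; the original split `>>` and its target
  # across two lines, which bash rejects as a syntax error.
  {
    printf '%s\n' "$rule"
    echo "$@"
    printf '%s\n' "$rule"
  } >> "$OUTPUT"
}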
Mark D. Gray, markdaltongray@gmail.com
© 2019 The SANS Institute Author retains full rights.
ts
gh
Shell Scripting for Reconnaissance and Intrusion Detection 3
0
Ri
ll
Fu
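#######################################
# Write the user report: host/kernel identity, logged-in users, each account's
# last login, failed logins, /etc/passwd, /etc/shadow, /etc/group and root's
# bash history.
# Globals:   OUTPUT, LSB, W, LASTLOG, FAILLOG, CAT, PASSWD, SHADOW, GROUP,
#            ROOTHIST (read)
# Outputs:   report to $OUTPUT; completion message on stdout
#######################################
user_info(){
  # The report copies /etc/shadow (password hashes) and root's history, so
  # create it owner-readable only instead of with the default umask. This
  # affects files created from here on; an already existing report keeps its mode.
  umask 077

  # First write truncates any report left from an earlier run today.
  echo "* Hostname: $(hostname)" > "$OUTPUT"
  echo "* Run date and time: $(date)" >> "$OUTPUT"

  header_split "Linux Distro"
  echo "Linux kernel: $(uname -mrs)" >> "$OUTPUT"
  "$LSB" -a >> "$OUTPUT"

  header_split "Logged in Users"
  "$W" >> "$OUTPUT"

  header_split "Remote User Logins"
  "$LASTLOG" >> "$OUTPUT"

  header_split "Failed Logins"
  "$FAILLOG" -a >> "$OUTPUT"

  header_split "Local User Accounts"
  "$CAT" "$PASSWD" >> "$OUTPUT"
  "$CAT" "$SHADOW" >> "$OUTPUT"

  header_split "Local Groups"
  "$CAT" "$GROUP" >> "$OUTPUT"

  header_split "Root Bash History"
  "$CAT" "$ROOTHIST" >> "$OUTPUT"

  echo "The User Report Info Written To $OUTPUT."
}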
# Entry point: refuse to run unprivileged (root_check exits otherwise), then
# generate the report.
root_check && user_info
Mark D. Gray, markdaltongray@gmail.com
© 2019 The SANS Institute Author retains full rights.
ts
gh
Shell Scripting for Reconnaissance and Intrusion Detection 3
1
Ri
ll
9. Appendix C – Operating System Report Script
Fu
ns
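#!/usr/bin/env bash
# Operating System Report Script (Appendix C): writes distro/kernel identity,
# PCI devices, disk and home usage, uptime, CPU/memory info, mounts, fstab and
# the dpkg package list into a dated report file. Requires root (see root_check).
#
# Shebang uses /usr/bin/env, the conventional location of env; /bin/env is not
# present on every system.

## commands (absolute paths; locations are Debian/Ubuntu-style) ##
LSPCI=/usr/bin/lspci
LSB=/usr/bin/lsb_release
UPTIME=/usr/bin/uptime
DISK_USAGE=/bin/df
HOME_SPACE=/usr/bin/du

## files ##
CPU="/proc/cpuinfo"
MEMORY="/proc/meminfo"
MOUNTS="/proc/mounts"
FSTAB="/etc/fstab"

## Output file ##
# Report name carries the run date (mm-dd-yy); a second run on the same day
# overwrites it.
OUTPUT="system.$(date +'%m-%d-%y').info.txt"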
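#######################################
# Abort unless the effective uid is 0.
# Outputs:   error message on stderr when not running as root
# Returns:   0 when root; otherwise exits the script with status 1
#######################################
root_check(){
  local meid
  meid=$(id -u)
  # String comparison so an empty or unexpected id also refuses (fails closed);
  # `[ "" -ne 0 ]` would error out and fall through to the privileged code.
  if [ "$meid" != "0" ]; then
    printf '%s\n' "You must run this tool as root or sudo." >&2
    exit 1
  fi
}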
©
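#######################################
# Append a framed section heading to the report.
# Globals:   OUTPUT (read) - report file path
# Arguments: $* - heading text, printed on one line separated by spaces
# Outputs:   three lines appended to $OUTPUT (rule, heading, rule)
#######################################
header_split(){
  local rule='---------------------------------------------------'
  # One redirection for the group; the original split `>>` and its target
  # across two lines, which bash rejects as a syntax error.
  {
    printf '%s\n' "$rule"
    echo "$@"
    printf '%s\n' "$rule"
  } >> "$OUTPUT"
}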
#######################################
# Write the system report: identity, PCI devices, disk and /home usage,
# uptime, CPU/memory info, mounts, fstab and the installed dpkg packages.
# Globals:   OUTPUT, LSB, LSPCI, DISK_USAGE, HOME_SPACE, UPTIME, CPU, MEMORY,
#            MOUNTS, FSTAB (read)
# Outputs:   report to $OUTPUT; completion message on stdout
#######################################
system_info(){
  local report="$OUTPUT"

  # First write truncates any report left from an earlier run today.
  echo "* Hostname: $(hostname)" > "$report"
  echo "* Run date and time: $(date)" >> "$report"

  header_split "Linux Distro"
  echo "Linux kernel: $(uname -mrs)" >> "$report"
  "$LSB" -a >> "$report"

  header_split "PCI Devices"
  "$LSPCI" -v >> "$report"

  header_split "Disk Space Output"
  "$DISK_USAGE" -h >> "$report"

  header_split "Home Space Output"
  "$HOME_SPACE" -sh /home/* >> "$report"

  header_split "Host Uptime"
  "$UPTIME" >> "$report"

  header_split "CPU Info"
  cat "$CPU" >> "$report"

  header_split "Memory Info"
  cat "$MEMORY" >> "$report"

  header_split "Mounts"
  cat "$MOUNTS" >> "$report"

  header_split "FSTAB"
  cat "$FSTAB" >> "$report"

  # Debian/Ubuntu specific; unlike the other tools it is not routed through a
  # path variable.
  header_split "Installed Packages"
  dpkg -l >> "$report"

  echo "The System Report Info Written To $report."
}
Mark D. Gray, markdaltongray@gmail.com
© 2019 The SANS Institute Author retains full rights.
ts
gh
Shell Scripting for Reconnaissance and Intrusion Detection 3
3
Ri
ll
# Entry point: refuse to run unprivileged (root_check exits otherwise), then
# generate the report.
root_check && system_info
ns
ai
10. Appendix D – Network Activity Report Script
et
rR
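#!/usr/bin/env bash
# Network Activity Report Script (Appendix D): writes interface, routing,
# resolver, firewall, protocol-statistics, ARP and sysctl information into a
# dated report file. Requires root (see root_check).
#
# Shebang uses /usr/bin/env, the conventional location of env; /bin/env is not
# present on every system.

## commands (absolute paths) ##
IP4FW=/sbin/iptables
IP6FW=/sbin/ip6tables
LSPCI=/usr/bin/lspci
ROUTE=/sbin/route
NETSTAT=/bin/netstat
LSB=/usr/bin/lsb_release
IFCFG=/sbin/ifconfig
ARP=/usr/sbin/arp

## files ##
DNSCLIENT="/etc/resolv.conf"
DRVCONF="/etc/modprobe.conf"
# The three network-scripts paths contain `?` glob characters; they are quoted
# so the literal pattern is stored.
NETALIASCFC="/etc/sysconfig/network-scripts/ifcfg-eth?-range?"
NETCFC="/etc/sysconfig/network-scripts/ifcfg-eth?"
NETSTATICROUTECFC="/etc/sysconfig/network-scripts/route-eth?"
SYSCTL="/etc/sysctl.conf"
# NOTE(review): LSPCI, DRVCONF, NETALIASCFC, NETCFC and NETSTATICROUTECFC are
# defined but not referenced by network_info.

## Output file ##
# Report name carries the run date (mm-dd-yy); a second run on the same day
# overwrites it.
OUTPUT="network.$(date +'%m-%d-%y').info.txt"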
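#######################################
# Abort unless the effective uid is 0.
# Outputs:   error message on stderr when not running as root
# Returns:   0 when root; otherwise exits the script with status 1
#######################################
root_check(){
  local meid
  meid=$(id -u)
  # String comparison so an empty or unexpected id also refuses (fails closed);
  # `[ "" -ne 0 ]` would error out and fall through to the privileged code.
  if [ "$meid" != "0" ]; then
    printf '%s\n' "You must be root user to run this tool" >&2
    exit 1
  fi
}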
Fu
ns
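#######################################
# Append a framed section heading to the report.
# Globals:   OUTPUT (read) - report file path
# Arguments: $* - heading text, printed on one line separated by spaces
# Outputs:   three lines appended to $OUTPUT (rule, heading, rule)
#######################################
header_split(){
  local rule='---------------------------------------------------'
  # One redirection for the group; the original split `>>` and its target
  # across two lines, which bash rejects as a syntax error.
  {
    printf '%s\n' "$rule"
    echo "$@"
    printf '%s\n' "$rule"
  } >> "$OUTPUT"
}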
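#######################################
# Write the network report: identity, interfaces, kernel routes, resolver
# config, IPv4/IPv6 firewall rules, protocol statistics, ARP cache and
# /etc/sysctl.conf.
# Globals:   OUTPUT, LSB, IFCFG, ROUTE, DNSCLIENT, IP4FW, IP6FW, NETSTAT, ARP,
#            SYSCTL (read)
# Outputs:   report to $OUTPUT; completion message on stdout
#######################################
network_info(){
  # First write truncates any report left from an earlier run today.
  echo "* Hostname: $(hostname)" > "$OUTPUT"
  echo "* Run date and time: $(date)" >> "$OUTPUT"

  header_split "Linux Distro"
  echo "Linux kernel: $(uname -mrs)" >> "$OUTPUT"
  "$LSB" -a >> "$OUTPUT"

  # ifconfig, route, netstat and arp come from net-tools, which recent
  # distributions may not install by default (iproute2's ip/ss replace them);
  # a missing tool leaves its section empty and reports the error on the terminal.
  header_split "IFCONFIG Output"
  "$IFCFG" -a >> "$OUTPUT"

  header_split "Kernel Routing Table"
  "$ROUTE" -n >> "$OUTPUT"

  header_split "DNS Client $DNSCLIENT Configuration"
  # if/else instead of `test && cat || echo`: with the latter a failing cat
  # on an existing file would also print the "not found" message.
  if [ -f "$DNSCLIENT" ]; then
    cat "$DNSCLIENT" >> "$OUTPUT"
  else
    echo "Error $DNSCLIENT file not found." >> "$OUTPUT"
  fi

  header_split "IP4 Firewall Configuration"
  "$IP4FW" -L -n >> "$OUTPUT"

  header_split "IP6 Firewall Configuration"
  "$IP6FW" -L -n >> "$OUTPUT"

  header_split "Network Stats"
  "$NETSTAT" -s >> "$OUTPUT"

  header_split "ARP Cache"
  "$ARP" -a >> "$OUTPUT"

  header_split "Network Tweaks via $SYSCTL"
  if [ -f "$SYSCTL" ]; then
    cat "$SYSCTL" >> "$OUTPUT"
  else
    echo "Error $SYSCTL not found." >> "$OUTPUT"
  fi

  echo "The Network Configuration Info Written To $OUTPUT."
}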
itu
st
# Entry point: refuse to run unprivileged (root_check exits otherwise), then
# generate the report.
root_check && network_info
NS
SA
e
Th
19
20
©
Mark D. Gray, markdaltongray@gmail.com
© 2019 The SANS Institute Author retains full rights.
ts
gh
Shell Scripting for Reconnaissance and Intrusion Detection 3
6
Ri
ll
Fu
ns
ai
et
11. Appendix E - DNS Scripts
rR
NMAP Reverse DNS lookup
ho
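#!/usr/bin/env bash
# NMAP reverse DNS lookup: list scan (-sL, no probes sent) of the target range
# with reverse resolution (-R) against the given DNS server, keeping each
# "Nmap scan report for <name> (<addr>)" line as "<name> <addr>" in
# nmap_rdns.txt. Hosts without a PTR record yield "<addr> " (empty name slot).
# DNS server and target range default to the original values and can be
# overridden as the first and second argument.
dns_server=${1:-172.21.0.82}
target=${2:-172.21.0.0/24}

# The original pipeline was broken across lines at the awk program and at a
# leading `|`, which bash cannot parse; `tr -d '()'` replaces the two seds.
nmap -R -sL -Pn -dns-servers "$dns_server" "$target" \
  | awk '$1 == "Nmap" && $2 == "scan" && $3 == "report" { print $5 " " $6 }' \
  | tr -d '()' > nmap_rdns.txt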
st
Bash domain name resolution
In
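#!/usr/bin/env bash
# Bash domain name resolution: reverse-resolve .1-.254 of the entered /24 with
# host(1) and print the PTR names (5th field of "... domain name pointer X").
echo "Enter class C Range: 172.21.0"
read -r range   # -r: backslashes in the input are kept literally
# Without a range the loop would look up ".1" ... ".254"; stop instead.
if [ -z "$range" ]; then
  printf '%s\n' "No range entered." >&2
  exit 1
fi
for ip in {1..254}; do
  host "$range.$ip" | grep "name pointer" | cut -d" " -f5
done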
19
DNS Reverse Lookup
20
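#!/usr/bin/env bash
# DNS Reverse Lookup: resolve PTR records for .1-.254 of a /24 and append
# "<addr> <name>" lines to dns.txt. The prefix defaults to the original
# 172.21.0 and can be overridden as the first argument.
prefix=${1:-172.21.0}
for ip in {1..254}; do
  addr="$prefix.$ip"
  # +short prints only the answer; the original `grep $ip` matched the bare
  # last octet anywhere in dig's full output (TTLs, query ids, header lines).
  name=$(dig +short -x "$addr")
  if [ -n "$name" ]; then
    printf '%s %s\n' "$addr" "$name" >> dns.txt
  fi
done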
Bulk DNS lookup
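#!/usr/bin/env bash
# Bulk DNS lookup: print the A records of each listed domain, queried against
# the resolver 8.8.8.8 (as in the original).
#
# An array instead of a newline-separated string avoids relying on unquoted
# word splitting for the list itself.
domains=(
  microsoft.com
  sans.org
  google.com
  gmail.com
  bing.com
  facebook.com
  hotmail.com
)

for domain in "${domains[@]}"; do
  ipv4=$(dig +short -t a @8.8.8.8 "$domain")
  # shellcheck disable=SC2086 -- $ipv4 is deliberately unquoted so several
  # A records print space-separated on one line, as the original did.
  echo "$domain" has ip = $ipv4
done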
ho
12. Appendix F – Network Analysis Scripts
ut
,A
Find live hosts with NMAP
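#!/usr/bin/env bash
# Find live hosts with NMAP: ping scan (-sP, no port scan) without DNS
# resolution (-n), keeping the address (5th field) of each
# "Nmap scan report for <addr>" line in live_hosts. The two `grep -v` patterns
# drop the banner line (contains https://nmap.org) and the
# "Nmap done: N IP addresses ..." summary.
#
# The original also wrote -oX out.xml and deleted it right after a successful
# scan (leaving it behind on failure); the pipeline only ever read nmap's
# normal stdout, so the XML file is no longer produced.
# Target range defaults to the original and can be overridden as $1.
target=${1:-172.21.0.0/24}

nmap -sP -n "$target" \
  | grep "Nmap" \
  | grep -v -e "https" -e "addresses" \
  | cut -d" " -f5 > live_hosts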
In
NS
Ping sweep with bash
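#!/usr/bin/env bash
# Ping sweep with bash: prompt for the first three octets of a /24, then probe
# .1-.254 (alive_ping / loop below) and collect answering hosts in live_hosts.
# -r keeps backslashes literal; the original prompt line was wrapped across
# two lines by the PDF and is rejoined here.
read -r -p "Enter the first 24bits of the IP range e.g. 172.21.0 : " subnet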
Th
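#######################################
# Probe one host with a single ICMP echo request and report it if it answers.
# Arguments: $1 - IP address to probe
# Outputs:   "Host with IP: <addr> is up." on stdout when the host replies;
#            ping's own stdout is discarded, its stderr is left visible
# Returns:   status of the last command (the echo, or the failed ping)
#######################################
alive_ping() {
  # Report $1 rather than the caller's loop variable $i, so the function does
  # not depend on a global set by whoever calls it.
  if ping -c 1 "$1" > /dev/null; then
    echo "Host with IP: $1 is up."
  fi
}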
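# Probe .1-.254 concurrently; each answering host is appended to live_hosts.
# Brace expansion runs before parameter expansion, so "$subnet".{1..254}
# yields the 254 quoted addresses. `wait` replaces the original `& disown`:
# with disown the script returned before the probes had finished, so
# live_hosts was still being written after the prompt came back.
for i in "$subnet".{1..254}; do
  alive_ping "$i" >> live_hosts &
done
wait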
Identify top talkers after set number of packets.
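#!/usr/bin/env bash
# Identify top talkers: capture a fixed number of packets and count packets
# per source IPv4 address, most active first, into talker_out. The packet
# count defaults to the original 350 and can be overridden as $1.
count=${1:-350}

# Field 3 of tcpdump's -nn one-line output is the source endpoint
# "a.b.c.d.port" for IPv4 TCP/UDP lines; cut keeps the address and drops the
# port. The original pipeline was broken across lines at a leading `|`, which
# bash cannot parse.
sudo tcpdump -nn -c "$count" \
  | awk '{print $3}' \
  | cut -d. -f1-4 \
  | sort -n \
  | uniq -c \
  | sort -nr > talker_out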
ns
ai
et
rR
ho
ut
,A
te
itu
st
In
NS
SA
e
Th
19
20
©
Mark D. Gray, markdaltongray@gmail.com
© 2019 The SANS Institute Author retains full rights.