GitBook: [master] 476 pages modified

This commit is contained in:
CPol 2021-05-28 17:53:46 +00:00 committed by gitbook-bot
parent bcbe8bc194
commit 6180340b7f
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
7 changed files with 85 additions and 63 deletions

View File

@ -424,7 +424,7 @@
* [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
* [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
* [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
* [File/Data Carving Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md)
* [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
* [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
* [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)
* [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
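Review bot: Both the old "File/Data Carving Tools" entry pointing at file-data-carving-tools.md and the new "File/Data Carving & Recovery Tools" entry pointing at file-data-carving-recovery-tools.md appear under the Partitions/File Systems/Carving node; once the rename lands, grep the book for any remaining reference to file-data-carving-tools.md, since the page-ref in the pcap-inspection README and the link in the Windows forensics page are updated in this commit but any reference outside these seven files would become a dead link.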

View File

@ -46,42 +46,7 @@ I want to do a special mention to the page:
## Pcap Inspection
When yo
**Linux/Unix**
En linux cualquier cosa es un archivo. Por ejemplo la RAM es un archivo llamado **/dev/mem**
**lsof** —> Open files belonging to any process
**lsof -i** 4 —> Todos los archivos relacionados con conexiones IPv4
**lsof -i 4 -a -p 1234** —> List all open IPV4 network files in use by the preocess 1234
**lsof /dev/hda3** lista todos los archivos abiertos en /dev/hda3
**lsof -t /u/ade/foo** encuentra el proceso que tiene /u/abe/foo abierto
**lsof +D /directory/path** Busca que procesos tienen abiertos dicho directorio y archivos de dicho directorio
**lsof -i :1-1024** Archivos que usan dichos puertos
**lsof -i udp** Archivos que usan UDP -uid 0
**lsof -p 3 - R** Muestra del proceso nº3 también su proceso padre
**date** —> Hora del ordenador actual
**uptime** —> Rebooted
**uname -a** —> System information
**ifconfig** —> Ver si esta en modo promiscuo
**ps -eaf** —> Procesos y servicios inusuales
**netstat -punta**
**lsof +L1** —> Muestra todos los archivos abiertos con un contador de link menor de 1. Esto es para los procesos que eliminan el archivo del que vienen pero siguen ejecutandose porque ya están en memoria. Es decir lista todos los procesos que tienen su archivo borrado.
**w who users** —> Info de usuarios
**find / -uid 0 -perm -4000 2>/dev/null** —> Sirve para encontrar todos los archivos que tienen de permiso la **s**
**find /directory -type f -mtime -1 -print** —> Encuentra todos los archivos dentro de ese directorio modificados hace menos de 1 día
**last** —> Último usuario loggeado
**df** —> Free space
**free** —> free y used physical y swap memory
Toda la info obtenida de la máquina infectada NO debe ser guardada en la máquina sino enviada a otra con **netcat**
{% page-ref page="pcap-inspection/" %}
## **Anti-Forensic Techniques**
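Review bot: The Spanish live-response cheat sheet being dropped here (lsof variants including `lsof +L1` for processes whose backing file was unlinked, `find / -uid 0 -perm -4000` for setuid files, `find -mtime -1` for recently modified files, `netstat -punta`, and the reminder to ship collected output to another host with netcat instead of writing it onto the compromised machine) is not relocated anywhere in this commit; consider moving it, translated, into a Linux forensics page rather than deleting it outright. The surviving context line "When yo" is a truncated sentence directly under "## Pcap Inspection" and should be completed or removed so the section does not open mid-word before the page-ref.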
@ -89,25 +54,3 @@ Keep in mind the possible use of anti-forensic techniques:
{% page-ref page="anti-forensic-techniques.md" %}
\*\*\*\*
\*\*\*\*
\*\*\*\*
Borrado de datos: [https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
recuperacion de datos: [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
##
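Review bot: The file still ends with an empty `##` heading after this hunk, which renders as a blank H2 in GitBook; remove it along with the escaped `\*\*\*\*` lines. The two deleted links are not lost: the data-sanitization list reappears under "Secure Deletion" in anti-forensic-techniques.md and the data-recovery list under "Carving & Recovery tools" in the new file-data-carving-recovery-tools.md page, so the removal here is safe.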

View File

@ -72,6 +72,10 @@ A way to discover this would be to inspect the running processes and **review ea
These distros are **executed inside the RAM** memory. The only way to detect them is **in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion.
## Secure Deletion
[https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
## Windows Configuration
It's possible to disable several windows logging methods to make the forensics investigation much harder.
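Review bot: The new "## Secure Deletion" section is a bare URL with no sentence telling the reader what the linked list covers or how it relates to the adjacent anti-forensic material; add one line of context, and since the carving README in this same commit also carries a "### Secure Deletion" heading, link the two with a `{% page-ref %}` as the rest of the book does instead of repeating the same link in both places.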

View File

@ -160,14 +160,14 @@ Note that this technique **doesn't work to retrieve fragmented files**. If a fil
There are several tools that you can use for file Carving indicating them the file-types you want search for
{% page-ref page="file-data-carving-tools.md" %}
{% page-ref page="file-data-carving-recovery-tools.md" %}
### Data Stream **C**arving
Data Stream Carving is similar to File Carving but i**nstead of looking for complete files, it looks for interesting fragments** of information.
For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
{% page-ref page="file-data-carving-tools.md" %}
{% page-ref page="file-data-carving-recovery-tools.md" %}
### Secure Deletion
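Review bot: The heading `### Data Stream **C**arving` has a stray bold around the single letter C, and in the line below it the bold span opens mid-word (`i**nstead of looking for complete files, it looks for interesting fragments**`); since this hunk already touches the surrounding lines, fix both to `### Data Stream Carving` and `**instead of looking for complete files, it looks for interesting fragments**`. The same pair of page-refs now appears verbatim under both "File Carving" and "Data Stream Carving"; that is acceptable if intentional, but one reference after the second section would read cleaner.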

View File

@ -0,0 +1,75 @@
# File/Data Carving & Recovery Tools
## Carving & Recovery tools
More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
### Autopsy
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files.
### Binwalk <a id="binwalk"></a>
**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.
It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.
**Useful commands**:
```bash
sudo apt install binwalk #Insllation
binwalk file #Displays the embedded data in the given file
binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file
```
### Foremost
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for it's default configured file types.
```bash
sudo apt-get install foremost
foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"
```
### **Scalpel**
**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file \(_/etc/scalpel/scalpel.conf_\) the file types you want it to extract.
```bash
sudo apt-get install scalpel
scalpel file.img -o output
```
### Bulk Extractor
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor)
This tool can scan an image and will **extract pcaps** inside it, **network information\(URLs, domains, IPs, MACs, mails\)** and more **files**. You only have to do:
```text
bulk_extractor memory.img -o out_folder
```
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
### PhotoRec
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download)
It comes with GUI and CLI version. You can select the **file-types** you want PhotoRec to search for.
![](../../../.gitbook/assets/image%20%28524%29.png)
## Specific Data Carving Tools
### FindAES
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
Download [here](https://sourceforge.net/projects/findaes/).
## Complementary tools
You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
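Review bot: Several typos in the new page should be fixed before merge: `#Insllation` should read `#Installation`, "it's default configured file types" should be "its default configured file types", "can be use to find" should be "can be used to find", "128. 192, and 256 bit keys" should be "128, 192, and 256 bit keys", and "see images form the terminal" should be "see images from the terminal". The bulk_extractor command block is fenced as `text` while every other command block on the page uses `bash`; use `bash` there too for consistent highlighting. Finally, the Autopsy paragraph says the tool accepts disk images "but not simple files" without saying what to do with a single file; a pointer to the binwalk/foremost/scalpel sections below would close that gap for the reader.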

View File

@ -79,7 +79,7 @@ ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.
Using common carving techniques can be useful to extract files and information from the pcap:
{% page-ref page="../partitions-file-systems-carving/file-data-carving-tools.md" %}
{% page-ref page="../partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
## Check Exploits/Malware

View File

@ -446,7 +446,7 @@ The Status and sub status information of the event s can indicate more details a
### Recovering Windows Events
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-tools.md#bulk-extractor) indicating the **evtx** extension.
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
## Identifying Common Attacks with Windows Events