First steps and more SOP

So today I had the first contact with the labs. Connection test done, VM image downloaded and fee paid.

A few small things I also did as an SOP.

1) I changed the passwords on the VM .. obvious.

2) I changed the background image on my host and on the VM. Might sound silly, but having a different color theme going on actually helps to differentiate the machines. While working I found it helpful to know which server my connection was on: machine Red, Blue etc.

3) I worked a little bit on the post exploitation phase. Might seem silly. But I have a forensic background. So normally I don’t work on exploits. But I think I can look through files 😉 And I don’t want to look like these stupid criminals.

https://youtu.be/BzA3v74y0cc

https://www.youtube.com/watch?v=gu43HG-kIWY

I mean there will be a situation where I will break into a server during this course. I mean that is the whole goal of the lab. So my list for after the fact is so far:

SOP: “GRAB AND RUN”

Of course I have to make this list for each OS I will encounter.

Assuming I have a root shell what should I do ?

1) Persistence

I want to stay .. so persistence is needed. Basically it is an admin task: adding a new user with root, maybe installing some new programs or services. Basic admin stuff. I need to look up some of the commands for OS X etc …

2) The grab phase. What do I want? Let's start with my normal forensic checklist.

-userlist and hashes

-a list of all running processes into a file

-a list of all open network connections

-all important config files, especially for all the running services

-look around for other interesting files, especially ssh keys or stuff left behind by an attacker

-timeline. Well, I will likely not need a timeline of my attack for a judge .. WELL I HOPE SO 😉

http://www.linuxtopia.org/online_books/introduction_to_linux/linux_The_most_important_configuration_files.html

http://www.dba-oracle.com/linux/important_files_directories.htm

So that seems a nice start. Okay, I will not upload a bunch of forensic tools to the “victim”, so I will have to think about how to exfiltrate the files. But the basic procedure is clear.

1) create a folder for each host

2) copy the files into their “normal folders”

3) Look through them, or just run a diff against the “normal” config files to find the interesting parts.
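The per-host folder plus diff step above, together with the grab checklist (users, processes, connections, config files), as an added shell example. This is not the blog author's script; it assumes a hypothetical layout where SRC_ROOT is the root of the collected host's filesystem ("/" on the host itself, or a mounted image), BASELINE_ROOT holds known-good copies of the same files in the same layout, and OUT_ROOT receives one folder per host. The sample tree in `demo` is constructed, not real host data.

```shell
#!/bin/sh
# Added example, not the blog's own script: one folder per host, the checklist
# files copied into mirrored paths, then each one diffed against a baseline.
# Assumptions (hypothetical layout): SRC_ROOT is the root of the collected
# host's filesystem, BASELINE_ROOT holds known-good copies in the same layout,
# OUT_ROOT gets one folder per host.

# Config files from the checklist, relative to the filesystem root.
CONFIG_FILES="etc/passwd etc/group etc/hosts etc/crontab etc/ssh/sshd_config"

# grab_volatile DEST: capture processes, connections and logged-in users into
# DEST. Each command runs only if it exists; a missing tool is not an error.
grab_volatile() {
  vdest=$1
  if command -v ps >/dev/null 2>&1; then ps -ef > "$vdest/processes.txt" 2>/dev/null || true; fi
  if command -v ss >/dev/null 2>&1; then
    ss -tunap > "$vdest/connections.txt" 2>/dev/null || true
  elif command -v netstat >/dev/null 2>&1; then
    netstat -tunap > "$vdest/connections.txt" 2>/dev/null || true
  fi
  if command -v who >/dev/null 2>&1; then who > "$vdest/logged_in.txt" 2>/dev/null || true; fi
  return 0
}

# collect_host NAME SRC_ROOT BASELINE_ROOT OUT_ROOT
# Copies each config file present under SRC_ROOT into OUT_ROOT/NAME/files/<path>
# and writes a unified diff against BASELINE_ROOT/<path> into OUT_ROOT/NAME/diffs/.
# Prints the number of files that differ from their baseline copy.
collect_host() {
  name=$1; src=$2; base=$3; out=$4
  dest="$out/$name"
  mkdir -p "$dest/files" "$dest/diffs"
  grab_volatile "$dest"
  # User list: field 1 of passwd is enough to see which accounts exist.
  if [ -r "$src/etc/passwd" ]; then cut -d: -f1 "$src/etc/passwd" > "$dest/users.txt"; fi
  changed=0
  for f in $CONFIG_FILES; do
    [ -f "$src/$f" ] || continue                 # file absent on this host
    mkdir -p "$dest/files/$(dirname "$f")"
    cp -p "$src/$f" "$dest/files/$f"             # keep timestamps for later review
    report="$dest/diffs/$(echo "$f" | tr / _).diff"
    if [ ! -f "$base/$f" ]; then
      echo "no baseline for $f" > "$report"      # nothing to compare against
      continue
    fi
    # diff exits 0 = identical, 1 = differs, 2 = error; only 1 counts as a change.
    if diff -u "$base/$f" "$dest/files/$f" > "$report"; then rc=0; else rc=$?; fi
    if [ "$rc" -eq 0 ]; then
      rm -f "$report"                             # identical: no report needed
    elif [ "$rc" -eq 1 ]; then
      changed=$((changed + 1))
    fi
  done
  echo "$changed"
}

# demo: constructed sample tree (not real host data) with one changed file.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/base/etc/ssh" "$tmp/host/etc/ssh"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/base/etc/passwd"
  printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/base/etc/ssh/sshd_config"
  cp "$tmp/base/etc/passwd" "$tmp/host/etc/passwd"          # unchanged on the host
  printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$tmp/host/etc/ssh/sshd_config"
  collect_host red "$tmp/host" "$tmp/base" "$tmp/out"       # prints 1
  rm -rf "$tmp"
}
```

Running `demo` prints `1`: passwd matched the baseline, so its empty report was dropped, while the loosened sshd_config left a unified diff under `out/red/diffs/etc_ssh_sshd_config.diff`. Using `-p` on the copy keeps the original modification times, which is what you want if a timeline of the changes turns out to matter after all.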

So far.

Ucki
