strandjs / introlabs
These are the labs for my Intro class. Yes, this is public. Yes, this is intentional.
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/deepbluecli/DeepBlueCLI.md
DeepBlueCLI is a free tool by Eric Conrand
-> Conrad
Please enable the Virtual Machine Platform Windows feature and ensure virtualization is enabled in the BIOS.
For information please visit https://aka.ms/wsl2-install
[process exited with code 4294967295]
Hi!
Can you please add a notice to use mouseover on the axes and data in https://github.com/strandjs/IntroLabs/edit/master/IntroClassFiles/Tools/IntroClass/RITA/RITA.md
That would've helped me a lot answering the first question and also I would not have to guess what it shows! :)
Thanks.
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/Wireshark/Wireshark.md
tcpdump, lets take
-> let's
having some visulizations is very
-> visualizations
Wireshark. Basicly, it is key
-> Basically
Lets get started.
-> Let's
The second windows shows a
-> window
If it is.... You must
-> you
highlights the corasponding
-> corresponding
This means wirreshark can decode
-> wireshark
fly and automaticly highlight
-> automatically
the relevent data
-> relevant
Ok, now, lets play with some statistics.
-> let's
Please select Staticstics >
-> Statistics
If you looks closely, there is a lot
-> look
Now, lets look at Statisctics >
-> let's
-> Statistics
This gives us a breakdown of who was chatting with what systems the most.
-> system
the opisite direction
-> opposite
Now, lets play with some basic
-> let's
with possible compleation options
-> completion
quickly drill in on any spcific protocls you
-> specific
-> protocols
for that spcific string:
-> specific
Burnerap.com should be Burnerapp.com
200-user-gen.bat line 52 is missing a space between the password and /add.
net user David correcthorse/add
There is a typo at dnscat2-ja3-strobe-gaten when it should be dnscat2-ja3-strobe-agent
It is possible to use login hour restrictions in the honey users lab.
Add net user Frank /time:
to the user creation script which will set Frank's login hours to None
You may also want to modify Frank's password to be an otherwise-successful hit (Winter2020)
Now the event log that is generated if you password spray Frank's password is Account logon time restriction violation.
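The honey-user trick above only pays off if someone is watching for it. The following is an added example, not code from the IntroLabs repository: it runs over a few constructed Security-log style events and flags the honey account 'Frank' when his logon fails with the logon-hours sub-status (0xC000006F, the code behind the "Account logon time restriction violation" text), and separately lists any source that failed against several accounts, the shape of a spray. Field names, IPs and thresholds are assumptions.

```python
"""Flag honey-user hits and password-spray sources in 4625-style logon failures.

Added example (not from the IntroLabs repo). Assumes the honey account is
'Frank', as in the issue above, and that a logon outside permitted hours is
recorded with sub-status 0xC000006F (STATUS_INVALID_LOGON_HOURS), the code
shown alongside "Account logon time restriction violation".
"""
from collections import defaultdict

HONEY_USERS = {"frank"}
LOGON_HOURS_STATUS = "0xc000006f"  # STATUS_INVALID_LOGON_HOURS

# Constructed sample events in the style of Security log 4625/4624 fields.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "David", "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TargetUserName": "Frank", "IpAddress": "10.0.0.50", "SubStatus": "0xC000006F"},
    {"EventID": 4625, "TargetUserName": "Alice", "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
    {"EventID": 4624, "TargetUserName": "Alice", "IpAddress": "10.0.0.7", "SubStatus": "0x0"},
    {"EventID": 4625, "TargetUserName": "Bob", "IpAddress": "10.0.0.7", "SubStatus": "0xC000006A"},
]


def honey_hits(events):
    """Return (user, source_ip) pairs where a honey account tripped its hour restriction."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4625:
            continue
        if ev["TargetUserName"].lower() in HONEY_USERS and ev["SubStatus"].lower() == LOGON_HOURS_STATUS:
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


def spray_sources(events, min_accounts=3):
    """Return source IPs that failed logons against at least min_accounts distinct users."""
    targets = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4625:
            targets[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    return {ip: sorted(users) for ip, users in targets.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    for user, ip in honey_hits(SAMPLE_EVENTS):
        print(f"honey user {user} touched from {ip}")
    for ip, users in spray_sources(SAMPLE_EVENTS).items():
        print(f"{ip} failed against {len(users)} accounts: {users}")
```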
Sort LAB page link order to reflect 'Intro to SOC' first and 'Intro to Sec' as second
WINADHD VM > Desktop Labs link > Cyber Deception > "Comming Soon!!!"
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/TCPDump/TCPDump.md
and security analyest
-> analyst
Well, it is showing each packets Timestamp:
-> packet's
-> timestamp
can create filters for litteraly every
-> literally
Lets add port number.
-> Let's
either sent or recived to port
-> received
-> by
Lets dig into the packet
-> Let's
We can also see the raw Hex, if that is your sort of thing with the -X flag:
-> thing, with
This is very usefull when
-> useful
Here is a great resoruce to try
-> resource
In the above screenshot we are seeing the CLsoe and SYN_Sent becasue of the beaconing nature of the connection
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/WebLogReview/WebLogReview.md
Now, lets instert your IP address
-> let's
-> insert
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/LinuxCLI/LinuxCLI.md
The fist will be where we run the backdoor.
-> first
On your Linux terminal
-> you switch between capitalizing Linux (as in Linux terminal here, Linux backdoor later) and lowercase (linux system later)
We will next need to create a fifo backpipe:
/#mknod backpipe p
-> Repetition
Next, lets start the backdoor:
-> let's
back into the netcat listiner.
-> listener
Basicly, this will create a backdoor listnening
-> listening
Now, lets connect:
-> let's
Now, lets type some
-> let's
Also notice there was not message saying
-> no
It just drops our curser back to the left side of the screen.
-> cursor
Now, lets open
-> let's
We want to be root becasue doing looking at network
-> because
-> remove the doing
Basicly, it is very had to do your job as a SOC
-> Basically
-> hard
Lets start by
-> Let's
ports that are being used.just
-> used. Just
Now lets
-> let's
Lets look at the full processes
-> Let's
This is a for all processes. U for sorted by user and x to indlude the processes using a teletype terminal.
-> I know it's cause it's the start of the sentence, but a capital U is actually a different switch
-> include
It allows us to see data associated with the various proccess directly.
-> processes
This is very, very usefull as
-> useful
what, exacly a program is doing.
-> remove the comma
Line 22: truning -> turning
dnscat2-ja3-strobe-gaten
should be dnscat2-ja3-strobe-agent
For the dnscat2-ja3-strobe-gaten dataset --> For the dnscat2-ja3-strobe-agent dataset
One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a ### compromised target and. Secondly, because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.
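The regular 30-second check-in described above is exactly what beacon analysis looks for. As an added example, not part of the lab text, the block below builds a constructed connection series (one pair checking in every ~30 s with slight jitter, one pair with bursty browsing gaps) and scores each source/destination pair by how tightly its intervals cluster around the median; the hosts, jitter and thresholds are assumptions.

```python
"""Score a connection series for beacon-like interval regularity.

Added example, not part of the IntroLabs text. Models the "every 30 seconds"
backdoor described above; timestamps, hosts and thresholds are constructed.
"""
import statistics


def build_sample_connections():
    """Constructed sample: one pair beaconing every ~30 s with small jitter,
    one pair with irregular human browsing intervals."""
    conns = []
    t = 0.0
    for i in range(40):                      # backdoor: 40 connections ~30 s apart
        conns.append(("10.0.0.12", "198.51.100.9", t))
        t += 30.0 + (i % 3) * 0.5            # jitter of 0 / 0.5 / 1.0 s
    t = 0.0
    for gap in (3, 120, 7, 400, 2, 45, 900, 15, 60, 5):   # browsing: bursty gaps
        conns.append(("10.0.0.12", "203.0.113.4", t))
        t += gap
    return conns


def interval_stats(conns):
    """Group by (src, dst); compute count, median interval and median absolute
    deviation (MAD) of the intervals for each pair."""
    by_pair = {}
    for src, dst, ts in conns:
        by_pair.setdefault((src, dst), []).append(ts)
    result = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        med = statistics.median(gaps)
        mad = statistics.median([abs(g - med) for g in gaps])
        result[pair] = {"count": len(times), "median": med, "mad": mad}
    return result


def beacon_candidates(conns, min_count=10, max_rel_mad=0.1):
    """Flag pairs with many connections whose interval dispersion is tiny
    relative to the median: the signature of a timed check-in."""
    flagged = []
    for pair, s in interval_stats(conns).items():
        if s["count"] >= min_count and s["median"] > 0 and s["mad"] / s["median"] <= max_rel_mad:
            flagged.append(pair)
    return flagged
```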
Dear John,
I've set up and tested the steps below to disable Windows updates on the Lab-VM with working results.
Disable the Windows service directly under services: Windows Update service ==> General Tab ==> Startup Type ==> Disabled, and click Stop.
Edit the registry to 1st disable the Windows medic service by changing the config value to (4): HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>WaaSMedicSvc ==> Modify the Start key and set its value to (4).
Update the System Windows Update Group Policy. (This is the real winner)
At this stage you can reboot the VM and test the updates by bringing up the Windows Updates menu.
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/RITA/RITA.md
For VSAgent we will be focusing on Beacons
-> focussing
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/Memory/MemoryAnalysis.md
Sprcificly in the area of network
-> Specifically
applied to any comercial tools
-> commercial
navigate to the the memory
-> remove one the
Lets open a command
-> Let's
look at it with Volaitlity!
-> Volatility
Now, we will need to navigate to the cd \tools\volatility_2.6_win64_standalone directory
-> "cd to the \tools" or "navigate to the c:\tools"; you mixed both
established and have SYS_Sent and closed:
-> SYN_SENT
we are seeing the CLsoe and
-> CLOSED
The above screenshot is... Concerning.
-> concerning
look further into this becasue
-> because
it is compromised (becasue it
-> because
anytime a "suspect" computer has another open connection to an internal system is, without question, a cause for concern.
-> any time
Now, lets look
-> let's
Generaly, users and day to day usage of a system does not
-> Generally
-> do
We may see it brefily as part
-> briefly
was invoked by the user on the system as Explorer.exe is the GUI
-> on the system, as
Lets now dive
-> Let's
IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/LinuxCLI/LinuxCLI.md
4th line: "The fist will be where we run the backdoor."
The first...
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/DomainLogReview/DomainLogReview.md
We will start by using DeepBlueCLI, then moving into looking directly at the event logs themselves.
-> move
We have 240 logon failures. That... Is a lot for this small org.
-> is
event IDs of 4476:
-> 4776
Issue: Typo
Location: First line from the top of FirewallLog.md
-> "In this lab, we will be looing at a log from an ASA firewall from Cisco."
Hi John,
The top of the Portspoof lab lists http://portspoof.org/ as the website for Portspoof. This leads to a defunct Wordpress site.
http://drk1wi.github.io/portspoof/ is the correct website. Alternatively, you could link to the Github page for Portspoof: https://github.com/drk1wi/portspoof
In the Example 2: Spoofing Service Signatures section the nmap from Windows command contains what I assume is the instructor's IP instead of the expected
Line 2: "lense" should be "lens"
Line 18: "basicly" should be "basically"
Line 38: "curser" should be "cursor"
Line 38: "succesfully" should be "successfully"
Line 40: "Basicly" should be "Basically"
Line 54: "usesfull" should be "useful"
Line 62: "direcly" should be "directly"
File: Canarytokens.md
"Then, select Coned Website from the dropdown:" <- Cloned
file:///C:/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/DomainLogReview/DomainLogReview.md
Now, please click on the header column called Event ID. This will sort the logs by ID number we are doing this because we want to quickly get to the event IDs of 4476:
should be event 4776
In navigation.md the Applocker link does not go to the correct resource. Line 22
Expected: http://localhost:8888/#!Tools/IntroClass/AppLocker/AppLocker.md
Current: https://github.com/strandjs/IntroLabs/blob/master/IntroClassFiles/Tools/IntroClass/AppLocker/AppLocker.md
In this lab we will be looing at a log from an ASA firewall from Cisco.
Update to looking
"Basicly" should be "Basically"
file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/WindowsCLI/WindowsCLI.md
ways to learn, well... Anything,
-> anything
is to actualy
-> actually
Lets get started.
-> "Let's" - but you could also just scratch the sentence since the next one is "let's get started" again.
Please note that my adaptor
-> adapter
msf5 exploit(multi/handler) > set LHOST 172.26.19.133
Remember, your IP will be different!
msf5 exploit(multi/handler) > exploit
-> I think this is missing the set LPORT 4444 step. The default seems to be 8443
open an edge browser
-> Edge
Now, lets look
-> Let's
Please, remember, your IP addresses will
-> address
Now, lets open another
-> let's
Once we are in, lets start
-> let's
connections yet. Lets try
-> Let's
Now, lets drill down
-> let's
Now, lets dive in!
-> let's
Lets keep digging with wmic:
-> Let's
see above, it was launced by
-> launched
Line 11: "overal" should be "overall"