Show info: dpkg --info $package
Show all files of a deb: dpkg -L $package
Show all installed packages: dpkg -l
Search for a file or path: dpkg -S htpasswd
Show why a package was installed: aptitude why apache2-utils
About deb files
A deb file is an ar archive with this structure:
$ ar t example.deb
debian-binary
control.tar.xz (or .gz or…
Show system files which were changed after installation: dpkg --verify
Check various security related issues: checksecurity
Tools
Some notes: Build an own Kali ISO image
apt install curl git live-build
git clone https://gitlab.com/kalilinux/build-scripts/live-build-config.git
cd live-build-config
...
./build.sh --verbose
This will create a custom ISO.
Other
Memory analysis software to see physical memory as files in a virtual file system: GitHub — ufrisk/MemProcFS: MemProcFS
See also the memory dump article. Usual stuff: Specialized software: Things to look out for:
Note: See the many, many commands in the Linux privesc post. Analyze logs. On systems: browse through the /var/log files. On newer systems with systemd: Note: If you have an image, you can also analyze logs from a mounted image, e.g. journalctl --root /mnt/hdd23 -t ssh ... Analyze startup services. On SysVinit: browse through /etc/init.d/ On…
Windows Detecting PE/DLL injection:
See also the Binary analysis post. Windows uses the PE (Portable Executable) format for its executable files. This is a binary format; a graphical overview is linked on Imgur.
See the Analysis data / forensic article for general data analysis. Also, relevant articles: Static analysis. Notes beforehand:
Have a first look into the file: xxd file.exe | less
Have a look at the file segments: binwalk file.exe
Have a look at the strings: strings file.exe
floss file.exe
You can try to visualize the entropy to maybe…
Tools: Execution possibilities for a dynamic analysis, if deobfuscation is not soooo good: Tip: Overwrite sensitive methods, if the language allows it. For example, in JavaScript: eval = print Now, each eval statement is not executed, but just printed :-).
Goal: See on a system if some specific executable was executed.
See also Autostart (Persistence) | Hexacorn
Registry Windows Event Logging File system analysis See the NTFS article about logging.
Forensic tools
Dissect is a forensic tool for file system images,
Questions which should be answered easily: Tips for analyzing log files
Search a log and count the hosts: cat log | jq -c '.host' | sort | uniq -c | sort -n
To see more about the host “Apache”: cat log | grep "Apache" | jq
Search in gzipped logs: zgrep "Apache" log.gz
zcat log.gz | grep "Apache"
Convert…
Use cases Tools Standard unix tools like awk can also be used with a cat of a flow file. nfdump SiLK argus
JA4S is a system to hash the configuration of a TLS connection. More: ja4/technical_details/README.md at main · FoxIO-LLC/ja4 · GitHub Possible use cases:
Case: Ransomware
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';