diff --git a/Chapter13/ch13_parse_httpx.sh b/Chapter13/ch13_parse_httpx.sh
index e0cea0f..ce33b8c 100755
--- a/Chapter13/ch13_parse_httpx.sh
+++ b/Chapter13/ch13_parse_httpx.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Function to parse a single JSON object
 parse_json() {
diff --git a/Chapter13/nmap_results.csv b/Chapter13/scan_results.csv
similarity index 78%
rename from Chapter13/nmap_results.csv
rename to Chapter13/scan_results.csv
index 16c057b..21d62c5 100644
--- a/Chapter13/nmap_results.csv
+++ b/Chapter13/scan_results.csv
@@ -2,4 +2,4 @@ IP,Hostname,Port,Service,Version
 192.168.1.1,gateway,80,http,Apache 2.4.41
 192.168.1.10,webserver,443,https,nginx 1.18.0
 192.168.1.20,database,3306,mysql,MySQL 5.7.32
-192.168.1.30,fileserver,22,ssh,OpenSSH 8.2p1
\ No newline at end of file
+192.168.1.30,fileserver,22,ssh,OpenSSH 8.2p1
diff --git a/Chapter14/ch14_auto_obfuscate_1.sh b/Chapter14/ch14_auto_obfuscate_1.sh
index e69de29..3173a3c 100644
--- a/Chapter14/ch14_auto_obfuscate_1.sh
+++ b/Chapter14/ch14_auto_obfuscate_1.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Function to encode a string using base64
+encode_base64() {
+ echo "$1" | base64
+}
+# Function to obfuscate variable names
+obfuscate_var_name() {
+ echo "var_$(openssl rand -hex 4)"
+}
+
+# Function to obfuscate a command using command substitution
+obfuscate_command() {
+ local cmd="$1"
+ echo "$(echo "$cmd" | od -A n -t x1 | tr -d ' \n')"
+}
+# Main function to generate an obfuscated script
+generate_obfuscated_script() {
+ local original_script="$1"
+ local obfuscated_script=""
+ while IFS= read -r line; do
+# Obfuscate variable assignments
+ if [[ "$line" =~ ^[[:space:]]*([a-zA-Z_][a-zA-Z0-9_]*)[[:space:]]*= ]]; then
+ var_name="${BASH_REMATCH[1]}"
+ new_var_name=$(obfuscate_var_name)
+ line="${line//$var_name/$new_var_name}"
+ fi
+# Obfuscate commands
+ if [[ "$line" =~ ^[[:space:]]*([-a-zA-Z0-9_]+) ]]; then
+ cmd="${BASH_REMATCH[1]}"
+ obfuscated_cmd=$(obfuscate_command "$cmd")
+ line="${line//$cmd/\$(echo -e \"\x$(echo "$obfuscated_cmd" | sed 's/../\\x&/g')\")}"
+ fi
+obfuscated_script+="$line"$'\n'
+ done < "$original_script"
+
+ echo "$obfuscated_script"
+}
+
+original_script="original_script.sh"
+obfuscated_script=$(generate_obfuscated_script "$original_script")
+echo "$obfuscated_script" > obfuscated_script.sh
diff --git a/Chapter14/ch14_gather_basic_info.sh b/Chapter14/ch14_gather_basic_info.sh
index dff05d0..fe40467 100644
--- a/Chapter14/ch14_gather_basic_info.sh
+++ b/Chapter14/ch14_gather_basic_info.sh
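Review bot: `generate_obfuscated_script` reads `original_script.sh` from the working directory with no existence or readability check, and because the script never enables `set -euo pipefail` a missing input only prints the shell's redirect error while the final line still writes an empty `obfuscated_script.sh`. A guard before the loop, `[[ -r "$original_script" ]] || { printf 'cannot read %s\n' "$original_script" >&2; exit 1; }`, prevents that silent empty output. Inside the loop, `var_name`, `new_var_name`, `cmd` and `obfuscated_cmd` are assigned without `local` and so leak out of the function, and `encode_base64` is defined but never called. The `# Obfuscate ...` comments and the `obfuscated_script+=` line sit at column 0 inside the loop body; indenting them to match the surrounding `if` blocks would make the loop structure readable.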
@@ -1,23 +1,23 @@
 #!/usr/bin/env bash
-echo "System Information:"
-echo "==================="
-echo "Hostname: $(hostname)"
-echo "Kernel version: $(uname -r)"
-echo "OS: $(cat /etc/os-release | grep PRETTY_NAME | cut -d'"' -f2)"
-echo "CPU: $(lscpu | grep 'Model name' | cut -d':' -f2 | xargs)"
-echo "Memory: $(free -h | awk '/^Mem:/ {print $2}')"
-echo -e "\nNetwork Information:"
-echo "==================="
-ip addr | awk '/inet / {print $2}'
-echo -e "\nInstalled Security Software:"
-echo "==========================="
-if command -v systemctl &> /dev/null; then
- systemctl list-units --type=service | grep -iE '(antivirus|security|protect|defend|guard)'
-else
- service --status-all | grep -iE '(antivirus|security|protect|defend|guard)'
-fi
+echo "Checking for AV/EDR presence..."
+# Process check
+echo "Processes:"
+ps aux | grep -E "(av|edr|protect|defend|guard)"
-echo -e "\nOpen Ports:"
-echo "==========="
-ss -tuln | grep LISTEN
+# File system check
+echo "Suspicious directories:"
+ls -l /opt /etc | grep -E "(av|antivirus|edr|protect)"
+# Network connections
+echo "Network connections:"
+ss -tuln | grep -E "(8080|443|22)"
+
+# Service check
+echo "Services:"
+systemctl list-units --type=service | grep -E "(av|antivirus|edr)"
+
+# Kernel modules
+echo "Kernel modules:"
+lsmod | grep -E "(av|edr|protect)"
+
+echo "Enumeration complete."
diff --git a/Chapter14/ch_14_sleep_1.sh b/Chapter14/ch14_sleep_1.sh
similarity index 100%
rename from Chapter14/ch_14_sleep_1.sh
rename to Chapter14/ch14_sleep_1.sh
diff --git a/Chapter14/ch_14_sleep_2.sh b/Chapter14/ch14_sleep_2.sh
similarity index 100%
rename from Chapter14/ch_14_sleep_2.sh
rename to Chapter14/ch14_sleep_2.sh
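Review bot: The `Services:` step calls `systemctl list-units` unconditionally, whereas the removed block guarded it with `command -v systemctl` and fell back to `service --status-all`; on a host without systemd the new line prints a `command not found` error in the middle of the report. Restoring the guard, `if command -v systemctl >/dev/null 2>&1; then systemctl list-units --type=service | grep -E "(av|antivirus|edr)"; fi`, keeps the output clean where the previous version worked. The `grep -E` filters are plain substring matches (`av` also hits names such as `avahi` or `java`, and `22` matches any port containing those digits) and `ps aux | grep` lists the grep process itself, so a header comment should state that the listed lines are candidates for manual review rather than confirmed matches. `ls -l /opt /etc | grep` parses `ls` output; a glob loop or `find /opt /etc -maxdepth 1` would be more robust against unusual names.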