### Start Splunk Service Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration This snippet shows how to start the Splunk service. It involves navigating to the Splunk installation directory and executing the start script with superuser privileges. You will be prompted to accept the license agreement. ```shell cd /opt/splunk sudo ./splunk start ``` -------------------------------- ### Download and Start Cribl Source: https://www.iblue.team/data-collection-processing-and-integration/cribl/setup-and-configuration This snippet demonstrates how to download the latest Cribl version using curl, extract the archive, navigate to the installation directory, and start the Cribl service. It also shows the deprecation messages for older start scripts and the output indicating successful Cribl startup, including its address, mode, status, version, and initial login credentials. ```bash $ curl -Lso - $(curl https://cdn.cribl.io/dl/latest-x64) | tar zxv cd /cribl/bin ./start.sh ``` -------------------------------- ### Accept Splunk License Agreement Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration When starting Splunk for the first time, you will be prompted to accept the general terms and conditions. Type 'y' and press Enter to agree. ```shell Do you agree with this license? [y/n]: y ``` -------------------------------- ### Install Git Source: https://www.iblue.team/memory-forensics-1/volatility-plugins Installs Git, a version control system required to clone the Volatility GitHub repository. This command is for Debian-based Linux distributions. ```bash $ sudo apt install git-all ``` -------------------------------- ### Install ZeroTier Client (Direct) Source: https://www.iblue.team/general-notes-1/install-and-configure-zerotier-client Installs the ZeroTier client directly from the official source using a single curl command piped to bash. This is a quick installation method. ```bash curl -s https://install.zerotier.com | sudo bash ``` -------------------------------- ### Install ZeroTier Client (Download and Execute) Source: https://www.iblue.team/general-notes-1/install-and-configure-zerotier-client Downloads the ZeroTier install script, makes it executable, and then runs it after manual review. This method allows for script validation before execution. ```bash curl -s https://install.zerotier.com -o zerotier.sh; chmod +x zerotier.sh ./zerotier.sh ``` -------------------------------- ### Install NGINX and Set Up Basic Site Source: https://www.iblue.team/general-notes-1/azure-blob-storage-with-nginx-proxy Installs NGINX and creates a basic HTML file for a new subdomain. It also configures the NGINX server block for the subdomain and enables the site configuration. Finally, it tests the NGINX configuration and restarts the service. ```bash $ apt update -y; apt install nginx -y $ sudo mkdir -p /var/www/blob/html $ sudo chown -R $USER:$USER /var/www/blob/html $ sudo chmod -R 755 /var/www/blob $ echo "blob.iblue.team" > /var/www/blob/html/index.html $ nano /etc/nginx/sites-available/blob server { listen 80; root /var/www/blob/html; index index.html index.htm index.nginx-debian.html; server_name blob.iblue.team; location / { try_files $uri $uri/ =404; } } $ sudo ln -s /etc/nginx/sites-available/blob /etc/nginx/sites-enabled/ $ nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful $ systemctl restart nginx ``` -------------------------------- ### Install Development Tools Source: https://www.iblue.team/memory-forensics-1/volatility-plugins Installs 'python2.7-dev' and 'build-essential' packages. These are required if compilation errors occur during the installation of Python packages, such as 'gcc' not being found or 'egg_info' command failures. ```bash $ sudo apt install -y python2.7-dev build-essential ``` -------------------------------- ### Test Volatility with Memory Image Source: https://www.iblue.team/memory-forensics-1/volatility-plugins Tests the Volatility installation by analyzing a memory dump file. It demonstrates the usage of the 'imageinfo' and 'kdbgscan' plugins to gather information about the memory image and identify its profile. ```bash $ python vol.py -f /path/to/memdump.mem imageinfo or $ python vol.py -f /path/to/memdump.mem kdbgscan ``` -------------------------------- ### Install VMFS6-tools and Explore Disk Partitions (Linux) Source: https://www.iblue.team/esxi-forensics/esxi-vmfs-exploration These commands install necessary tools for interacting with VMFS file systems on a Linux host. It includes installing 'vmfs6-tools' and 'libguestfs-tools', followed by listing disk partitions to identify the VMFS volume. ```bash sudo apt-get install vmfs6-tools fdisk -l sudo mkdir /mnt/sdb && sudo mkdir /mnt/vmdk ``` -------------------------------- ### Setup MinIO Server with TLS (Linux Binary) Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage This snippet outlines the steps to set up MinIO with TLS for secure communication. It involves installing Certbot, obtaining a certificate for a custom domain, copying the certificate and private key to the MinIO configuration directory, and then running the MinIO server with specified addresses for API and console, enabling HTTPS. ```bash sudo apt install certbot sudo mkdir /path/to/minio-datastore sudo certbot certonly --manual --preferred-challenges dns --debug-challenges -d minio.yourdomain.com.au sudo cp /etc/letsencrypt/live/minio.yourdomain.com.au/fullchain.pem public.crt sudo cp /etc/letsencrypt/live/minio.yourdomain.com.au/privkey.pem private.key ./minio server /path/to/minio-datastore --console-address "minio.yourdomain.com.au:9001" --address "minio.yourdomain.com.au:9000" ``` -------------------------------- ### Run mitmproxy (Web Mode) Source: https://www.iblue.team/general-notes-1/mitm-proxy Starts the mitmproxy in web interface mode, accessible via a browser. This command requires root privileges. ```bash sudo mitmweb ``` -------------------------------- ### Clone Volatility Repository Source: https://www.iblue.team/memory-forensics-1/volatility-plugins Clones the Volatility framework from its official GitHub repository. This step downloads the source code and core files for Volatility. ```bash $ git clone https://github.com/volatilityfoundation/volatility.git ``` -------------------------------- ### Install and Configure tgt iSCSI Target on Ubuntu Source: https://www.iblue.team/esxi-forensics/identification-acquisition-and-examination-of-iscsi-luns-and-vmfs-datastores Installs the tgt package, checks its status, and configures a block device as an iSCSI LUN. This setup is for testing and does not include security configurations. It requires root privileges and assumes the existence of a block device like /dev/sdb. ```shell sudo apt update; sudo upgrade sudo apt install tgt sudo systemctl status tgt ``` ```shell sudo nano /etc/iscsi/iscsi.conf ``` ```shell direct-store /dev/sdb ``` ```shell systemctl restart tgt sudo tgtadm --mode target --op show ``` -------------------------------- ### Setup MinIO Client (mc) for Administration Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage This snippet downloads the MinIO client binary (mc) for Linux, makes it executable, and then configures an alias to connect to a MinIO server. This client is used to administer buckets, users, permissions, and generate pre-signed URLs from a workstation. ```bash $ wget https://dl.min.io/client/mc/release/linux-amd64/mc $ chmod +x mc $ mc alias set myminio/ http://MINIO-SERVER admin password ``` -------------------------------- ### Reinstall Distorm3 (if needed) Source: https://www.iblue.team/memory-forensics-1/volatility-plugins Uninstalls and then reinstalls a specific version of 'distorm3' (3.4.4). This step is a troubleshooting measure for potential conflicts or issues with the 'distorm3' installation. ```bash pip uninstall distorm3 pip install distorm3==3.4.4 ``` -------------------------------- ### Manage ZeroTier Network Connections Source: https://www.iblue.team/general-notes-1/install-and-configure-zerotier-client Provides essential ZeroTier CLI commands for interacting with ZeroTier networks. These commands allow users to check status, join/leave networks, and list network configurations. ```bash zerotier-cli status ``` ```bash zerotier-cli join xxxxxxx ``` ```bash zerotier-cli leave xxxxxxx ``` ```bash zerotier-cli listnetworks ``` -------------------------------- ### Install Volatility Dependencies Source: https://www.iblue.team/memory-forensics-1/volatility-plugins Installs the 'pycrypto' and 'distorm3' Python packages, which are essential dependencies for Volatility. 'pycrypto' addresses 'Crypto.Hash' import errors, and 'distorm3' is required for malware analysis plugins. Version 3.4.4 of distorm3 is specified to avoid potential issues. ```bash $ python2.7 -m pip install pycrypto distorm3==3.4.4 ``` -------------------------------- ### Run mitmproxy (Console Mode) Source: https://www.iblue.team/general-notes-1/mitm-proxy Starts the mitmproxy in console mode, listening on all network interfaces on port 8080. This command requires root privileges. ```bash sudo mitmproxy ``` -------------------------------- ### Download and Run MinIO Server (Linux Binary) Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage This snippet downloads the MinIO server binary for Linux, makes it executable, and then runs it with specified credentials and data directory. It configures the server to use port 9000 for the API and 9001 for the web console. ```bash wget https://dl.min.io/server/minio/release/linux-amd64/minio chmod +x minio MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=password ./minio server /mnt/data --console-address ":9001" ``` -------------------------------- ### Install mitmproxy Source: https://www.iblue.team/general-notes-1/mitm-proxy Installs the mitmproxy tool using the apt package manager. This command requires root privileges. ```bash sudo apt install mitmproxy ``` -------------------------------- ### Download Splunk Package using Wget Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration This snippet shows how to download the Splunk .deb package from a provided URL using the `wget` command. Ensure you have a stable internet connection and the correct URL for the package. ```shell $ wget -O splunk-10.0.2-e2d18b4767e9-linux-amd64.deb "https://download.splunk.com/products/splunk/releases/10.0.2/linux/splunk-10.0.2-e2d18b4767e9-linux-amd64.deb" ``` -------------------------------- ### Install and Use dwarfdump for Volatility Profile Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility Installs the dwarfdump utility and uses it to extract dwarf information from a compiled module. This information is then zipped with the System.map file to create a Volatility profile. ```bash sudo apt install dwarfdump dwarfdump -di ./module.o > module.dwarf sudo zip Ubuntu64-4.15.0.106.zip module.dwarf /boot/System.map-4.15.0-106-generic ``` -------------------------------- ### Install Linux Kernel on Ubuntu Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility Installs a specific Linux kernel version on an Ubuntu system, which will serve as the base for building the Volatility profile. Ensure the kernel version matches the one identified from the memory dump. ```bash sudo apt update; sudo apt install linux-image-6.2.0-36-generic ``` -------------------------------- ### Build DumpIt on Linux Source: https://www.iblue.team/memory-forensics-1/acquisition/dumpit Instructions to build the Linux variant of DumpIt using Cargo, Rust's package manager. Requires build essentials and Rust toolchain installation. ```shell sudo apt install build-essential liblzma-dev curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh git clone https://github.com/MagnetForensics/dumpit-linux.git cd dumpit-linux cargo build --release cd target/release ``` -------------------------------- ### Configure and Install Linux Kernel Debug Symbols on Ubuntu Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility Sets up the necessary repository and installs the debug symbols for a specific Linux kernel version on Ubuntu. This requires editing the sources list and using apt commands. Replace 'xxxxx' with your Ubuntu release name. ```bash sudo nano /etc/apt/sources.list.d/ddebs.list deb http://ddebs.ubuntu.com xxxxx main restricted universe multiverse deb http://ddebs.ubuntu.com xxxxx-updates main restricted universe multiverse deb http://ddebs.ubuntu.com xxxxx-proposed main restricted universe multiverse (replace xxxxx with your release name from 'lsb_release -cs', ie focal, trusty, etc. wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add - $ sudo apt update $ sudo apt install linux-image-6.2.0-36-generic-dbgsym $ sudo shutdown -r now ``` -------------------------------- ### Mounting EWF Image with guestfish Source: https://www.iblue.team/general-notes-1/mount-e01-containing-vmdk-xfs-from-rhel-system This snippet shows how to use `guestfish` to mount and access files within an EWF image. It involves starting `guestfish` in read-only mode, identifying filesystems, mounting the root filesystem, and then mounting it locally for access. ```bash guestfish --ro -a /mnt/RHEL/ewf1 ``` ```bash > run > list-filesystems > mount /dev/rhel/root / > mount-local /mnt/rhel-mount readonly:true > mount-local-run ``` ```bash cat /mnt/rhel-mount/home/username/Desktop/files.txt ``` -------------------------------- ### Install Splunk Package using Dpkg Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration This command installs the downloaded Splunk .deb package using `dpkg`. This requires superuser privileges. After installation, you can check the package status. ```shell $ sudo dpkg -i splunk-10.0.2-e2d18b4767e9-linux-amd64.deb ``` -------------------------------- ### Check Splunk Installation Status Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration This command verifies if the Splunk package is installed correctly on the system. It displays the package name, status, maintainer, architecture, version, and a brief description. ```shell $ dpkg --status splunk ``` -------------------------------- ### Create Dummy Data Files with 'yes' and 'head' Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-with-lvm-and-raid5-3-disks This command sequence generates large text files by repeatedly outputting a string and truncating it to a specified size. It's used here to create sample data for testing storage configurations. The 'yes' command provides the string, 'head -c' limits the size in bytes, and '>' redirects the output to a file. ```bash $ yes APPLE | head -c 1073741824 > apple.txt ``` -------------------------------- ### Install Python 2.7 Pip Source: https://www.iblue.team/memory-forensics-1/volatility-plugins Installs pip for Python 2.7, which is necessary for managing Python packages required by Volatility. This involves downloading the get-pip.py script and executing it with Python 2.7. ```bash $ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py $ python 2.7 get-pip.py ``` -------------------------------- ### Format 2GB Volume with BTRFS on Linux Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ufs-ffs-btrfs-xfs Demonstrates the process of formatting a 2GB block device (/dev/sdb) with the BTRFS filesystem on a Linux Mint system. It includes output from the `mkfs.btrfs` command, showing filesystem details, and subsequent commands for mounting the filesystem, writing a file, and unmounting it. ```bash $ md5sum /dev/sdb a981130cf2b7e09f4686dc273cf7187e /dev/sdb $ mkfs.btrfs /dev/sdb btrfs-progs v5.16.2 See http://btrfs.wiki.kernel.org for more information. NOTE: several default settings have changed in version 5.15, please make sure this does not affect your deployments: - DUP for metadata (-m dup) - enabled no-holes (-O no-holes) - enabled free-space-tree (-R free-space-tree) Label: (null) UUID: a8201ae2-3eaf-446d-b004-fee6a011dfaa Node size: 16384 Sector size: 4096 Filesystem size: 2.00GiB Block group profiles: Data: single 8.00MiB Metadata: DUP 102.38MiB System: DUP 8.00MiB SSD detected: no Zoned device: no Incompat features: extref, skinny-metadata, no-holes Runtime features: free-space-tree Checksum: crc32c Number of devices: 1 Devices: ID SIZE PATH 1 2.00GiB /dev/sdb $ date Thu 24 Aug 2023 17:47:55 ACST $ echo "https://iblue.team" > /mnt/btrfs/notes.txt $ cat /mnt/btrfs/notes.txt https://iblue.team root@mint:~# umount /mnt/btrfs ``` -------------------------------- ### Splunk Service Initialization and Availability Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration This output indicates that Splunk is starting up, generating self-signed certificates, and waiting for its web server to become available on port 8000. It provides a link to the Splunk documentation for help. ```shell Warning: ignoring -extensions option without -extfile Certificate request self-signature ok subject=CN = splunk, O = SplunkUser Done Waiting for web server at http://127.0.0.1:8000 to be available........................................ Done If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com The Splunk web interface is at http://splunk:8000 ``` -------------------------------- ### List Objects in a Bucket using MinIO Client (mc) Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage This command uses the MinIO client (mc) to list the objects within a specific bucket on a MinIO server. It shows the object's creation timestamp, size, storage class, and name, verifying that uploaded files are accessible. ```bash user@host:/home/user# mc ls minio/my-bucket [2022-04-25 11:35:22 AEST] 234MiB STANDARD my-object ``` -------------------------------- ### List Buckets using MinIO Client (mc) Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage This command uses the MinIO client (mc) to list the available buckets on a configured MinIO server. It assumes an alias named 'minio' has been set up, and it displays the bucket name along with its size and creation timestamp. ```bash user@host:/home/user# mc ls minio [2022-04-25 10:56:00 AEST] 0B my-bucket/ ``` -------------------------------- ### Pull and Verify log2timeline/plaso Docker Image Source: https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation/plaso This snippet demonstrates how to pull the latest log2timeline/plaso Docker image and then run a simple command to verify the installation and check the version of log2timeline. It requires Docker to be installed and configured. ```shell docker pull log2timeline/plaso user@df:~/cases/26038642$ docker run log2timeline/plaso log2timeline.py --version ``` -------------------------------- ### Create and Mount ext4 Filesystem Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2 Demonstrates the process of creating and mounting an ext4 filesystem on a Linux host. It includes commands for disk partitioning, formatting with ext4, and mounting the filesystem. The output shows the creation of a filesystem with specific block and inode counts, and its UUID. ```shell $ fdisk -l Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors Disk model: VMware Virtual $ md5sum /dev/sdb cd573cfaace07e7949bc0c46028904ff /dev/sdb $ mkfs.ext4 /dev/sdb mke2fs 1.46.5 (30-Dec-2021) Creating filesystem with 262144 4k blocks and 65536 inodes Filesystem UUID: 3f13c5a2-1e5b-4771-b5c3-430e4d0a1053 Superblock backups stored on blocks: 32768, 98304, 163840, 229376 Allocating group tables: done Writing inode tables: done Creating journal (8192 blocks): done Writing superblocks and filesystem accounting information: done root@mint:~# date Tue 22 Aug 2023 22:36:58 ACST $ mount /dev/sdb /mnt/ext4 > nano /mnt/ext4/notes.txt > https://iblue.team $ md5sum /dev/sdb 40575d67d4651c200d9f3234701bf05e /dev/sdb ``` -------------------------------- ### Format 2GB Volume with XFS on Linux Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ufs-ffs-btrfs-xfs Details the process of formatting a 2GB block device (/dev/sdb) with the XFS filesystem on a Linux Mint host. This includes zeroing the device, calculating its MD5 checksum, formatting it with `mkfs.xfs`, mounting the filesystem, writing a file, and unmounting. ```bash Previously attached /dev/sdb (MD5 a981130cf2b7e09f4686dc273cf7187e) $ dd if=/dev/zero of=/dev/sdb $ md5sum /dev/sdb a981130cf2b7e09f4686dc273cf7187e /dev/sdb $ mkfs.xfs /dev/sdb meta-data=/dev/sdb isize=512 agcount=4, agsize=131072 blks = sectsz=512 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=0 = reflink=1 bigtime=0 inobtcount=0 data = bsize=4096 blocks=524288, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1 log =internal log bsize=4096 blocks=2560, version=2 = sectsz=512 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 $ mkdir /mnt/xfs $ mount /dev/sdb /mnt/xfs $ echo "https://iblue.team" > /mnt/xfs/notes.txt $ cat /mnt/xfs/notes.txt https://iblue.team $ umount /mnt/xfs ``` -------------------------------- ### Configure ext4 with LVM Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2 This snippet details the steps for setting up an ext4 filesystem using LVM (Logical Volume Management). It covers creating a physical volume, a volume group, and a logical volume, followed by formatting the logical volume with ext4. The output shows LVM version information, disk scanning results, and detailed volume group and logical volume configurations. ```shell $ md5sum /dev/sdb cd573cfaace07e7949bc0c46028904ff /dev/sdb lvm version LVM version: 2.03.11(2) (2021-01-08) Library version: 1.02.175 (2021-01-08) Driver version: 4.45.0 root@mint:~# lvmdiskscan /dev/sda2 [ 513.00 MiB] /dev/sda3 [ <79.50 GiB] /dev/sdb [ 1.00 GiB] 1 disk 2 partitions 0 LVM physical volume whole disks 0 LVM physical volumes $ pvcreate /dev/sdb Physical volume "/dev/sdb" successfully created $ vgcreate vg01 /dev/sdb Volume group "vg01" successfully created root@mint:~# vgdisplay --- Volume group --- VG Name vg01 System ID Format lvm2 Metadata Areas 1 Metadata Sequence No 1 VG Access read/write VG Status resizable MAX LV 0 Cur LV 0 Open LV 0 Max PV 0 Cur PV 1 Act PV 1 VG Size 1020.00 MiB PE Size 4.00 MiB Total PE 255 Alloc PE / Size 0 / 0 Free PE / Size 255 / 1020.00 MiB VG UUID SuDIRA-DfeR-N3Gh-r41v-fZJL-2duf-XEuwWf $ lvcreate -L 1020M -n lv01 vg01 Logical volume "lv01" created. root@mint:~# lvdisplay --- Logical volume --- LV Path /dev/vg01/lv01 LV Name lv01 VG Name vg01 LV UUID YH1P8v-cDBJ-1emn-0ApX-Qq7j-S6Pr-3IsWkV LV Write Access read/write LV Creation host, time mint, 2023-08-22 22:04:23 +0930 LV Status available # open 0 LV Size 1020.00 MiB Current LE 255 Segments 1 Allocation inherit Read ahead sectors auto - currently set to 256 Block device 253:0 $ mkfs.ext4 /dev/vg01/lv01 mke2fs 1.46.5 (30-Dec-2021) Creating filesystem with 261120 4k blocks and 65280 inodes Filesystem UUID: 6423a1eb-f631-45e1-9f9a-94a49b6c90c6 Superblock backups stored on blocks: 32768, 98304, 163840, 229376 Allocating group tables: done Writing inode tables: done Creating journal (4096 blocks): done Writing superblocks and filesystem accounting information: done $ stat /mnt/ext4/note.txt File: /mnt/ext4/note.txt Size: 19 Blocks: 8 IO Block: 4096 regular file Device: fd00h/64768d Inode: 13 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2023-08-22 22:05:46.435740476 +0930 Modify: 2023-08-22 22:05:46.435740476 +0930 Change: 2023-08-22 22:05:46.435740476 +0930 Birth: 2023-08-22 22:05:46.435740476 +0930 ``` -------------------------------- ### Get Partition Table for NVMe Disk on ESXi Source: https://www.iblue.team/esxi-forensics/understanding-esxi/partitions-volumes This command displays the partition table information for a specified NVMe disk device on an ESXi host. It uses `partedUtil` to show the partition type (GPT), disk geometry, and details of each partition including type GUID and name. ```shell [root@localhost:~] partedUtil getptbl "/vmfs/devices/disks/t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600" gpt 30401 255 63 488397168 1 64 204863 C12A7328F81F11D2BA4B00A0C93EC93B systemPartition 128 5 208896 8595455 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 6 8597504 16984063 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 7 16986112 268435455 4EB2EA3978554790A79EFAE495E21F8D vmfsl 0 8 268437504 488397134 AA31E02A400F11DB9590000C2911D1B8 vmfs 0 ``` -------------------------------- ### Basic Volatility Commands Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility Demonstrates basic commands for interacting with Volatility, including checking if a new profile is registered, and retrieving banner and process list information from a memory image. ```bash python3 vol.py isfinfo python3 vol.py -f ec2mem.mem banners python3 vol.py -f ec2mem.mem linux.pslist ``` -------------------------------- ### Verify Installed Linux Kernel Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility Confirms that the correct Linux kernel version has been successfully installed and is currently running on the Ubuntu system. This step is essential before proceeding to install debug symbols. ```bash user@ubuntu:~$ uname -a ``` -------------------------------- ### Interact with VMDK using guestfish Source: https://www.iblue.team/incident-response-1/mounting-ufs-vmdk-from-netscaler-citrix-adc This snippet demonstrates initiating a guestfish session with a VMDK file and running initial commands like 'run' to prepare for filesystem operations. Guestfish allows for direct manipulation of virtual disk images. ```bash $ guestfish -a NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk Welcome to guestfish, the guest filesystem shell for editing virtual machine filesystems and disk images. Type: ‘help’ for help on commands ‘man’ to read the manual ‘quit’ to quit the shell > run 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00 > ``` -------------------------------- ### Install Certbot and Obtain SSL Certificate Source: https://www.iblue.team/general-notes-1/azure-blob-storage-with-nginx-proxy Installs Certbot and its NGINX plugin to obtain and manage Let's Encrypt SSL certificates for the specified domain. This enables HTTPS for the subdomain. ```bash $ apt install certbot python3-certbot-nginx $ certbot --nginx -d blob.iblue.team (accept prompts) ``` -------------------------------- ### List Filesystems and Partitions in VMDK with guestfish Source: https://www.iblue.team/incident-response-1/mounting-ufs-vmdk-from-netscaler-citrix-adc This snippet shows commands to list filesystems and partitions within a VMDK using guestfish. It highlights potential issues with UFS identification and the output of partition tables. ```bash > list-filesystems libguestfs: error: list_filesystems: sfdisk exited with status 1: sfdisk: /dev/sda: partition 5: partition table contains only 4 partitions > list-partitions /dev/sda1 /dev/sda5 /dev/sda6 /dev/sda7 /dev/sda8 ``` -------------------------------- ### Convert Disk to LUKS2 Format Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2 This snippet demonstrates how to convert an existing logical volume to LUKS2 encryption using the cryptsetup command. It requires specifying the target device and confirming the irreversible conversion with 'YES'. The output shows the successful conversion and provides details about the LUKS2 header, keyslots, and data segments. ```bash $ cryptsetup convert --type luks2 /dev/mapper/vg01-lv01 WARNING! ======== This operation will convert /dev/mapper/vg01-lv01 to LUKS2 format. Are you sure? (Type 'yes' in capital letters): YES $ cryptsetup luksDump /dev/mapper/vg01-lv01 LUKS header information Version: 2 Epoch: 2 Metadata area: 16384 [bytes] Keyslots area: 2064384 [bytes] UUID: 0689d6a7-33a1-47fd-a971-c6ac38b24d47 Label: (no label) Subsystem: (no subsystem) Flags: (no flags) Data segments: 0: crypt offset: 2097152 [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 512 [bytes] Keyslots: 0: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: pbkdf2 Hash: sha256 Iterations: 1956298 Salt: bc 58 47 d6 4c fb bb 77 c7 e7 91 f7 22 ef 81 0c 3f b5 5d ad b1 3e 08 32 51 47 94 c2 c0 4a 20 ed AF stripes: 4000 AF hash: sha256 Area offset: 32768 [bytes] Area length: 258048 [bytes] Digest ID: 0 1: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: pbkdf2 Hash: sha256 Iterations: 1836384 Salt: 60 95 5c d5 36 77 bb f7 78 a9 11 98 d7 66 79 38 c6 5e 14 98 da aa 2a 3d 62 bf e4 31 2a 73 8d 57 AF stripes: 4000 AF hash: sha256 Area offset: 290816 [bytes] Area length: 258048 [bytes] Digest ID: 0 Tokens: Digests: 0: pbkdf2 Hash: sha256 Iterations: 110890 Salt: a6 3c c4 96 52 33 c6 6f 5e 0f a6 38 34 2e 7a 3c a5 4b 62 4f 6d 5a f1 07 5a c8 ff 52 ad 4b b8 78 Digest: 01 eb 16 1a 86 1c db 04 5a 86 0a 6c c3 8e d9 44 1a 72 04 c4 ``` -------------------------------- ### Install SQLite Command Line Tools Source: https://www.iblue.team/general-notes-1/exporting-sqlite-blob-data-from-standalone-sqlite-database-using-command-line-tools Installs the necessary sqlite3 command-line tools on Debian-based systems (like Ubuntu or WSL). This is a prerequisite for executing the export commands. ```bash sudo apt install sqlite3 ``` -------------------------------- ### Password Cracking with Hashcat (Hashcat) Source: https://www.iblue.team/ctf-challenges/13cubed-linux-memory-forensics This example shows how to use the hashcat tool to crack password hashes found in a memory dump, likely extracted from the /etc/shadow file. It utilizes a specific hash mode (-m 1800) and specifies wordlists for the cracking process. The command requires the hash file and one or more wordlist files as input. ```hashcat hashcat.exe -m 1800 -a 0 13cubed.hash C:\wordlist1.txt C:\wordlist2.txt ``` -------------------------------- ### Open and Format LUKS Device with Filesystem Source: https://www.iblue.team/linux-forensics/luks-hashcat-and-hidden-volumes Commands to open a LUKS device, create an ext4 filesystem on the mapped device, and then close the LUKS device. This process populates the LUKS container with data, which is necessary for successful hashcat validation. ```bash $ lsblk -lf NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS sdc crypto_LUKS 2 f4bd2ee4-969d-4022-b61e-23524e83f592 $ cryptsetup luksOpen /dev/sdc sdc Enter passphrase for /dev/sdc: $ mkfs.ext4 /dev/mapper/sdc mke2fs 1.46.5 (30-Dec-2021) Creating filesystem with 520192 4k blocks and 130048 inodes Filesystem UUID: 20bb32f6-e8cc-4ea8-a483-136ea7d5fed8 Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912 Allocating group tables: done Writing inode tables: done Creating journal (8192 blocks): done Writing superblocks and filesystem accounting information: done $ cryptsetup luksClose sdc $ lsblk -lf NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS sdc crypto_LUKS 2 f4bd2ee4-969d-4022-b61e-23524e83f592 $ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS sdc 8:32 0 2G 0 disk $ python3 luks2hashcat.py /dev/sdc > sdc.ext4.hash ``` -------------------------------- ### Install Linux Kernel Debug Info on Amazon Linux Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility Installs the debug information package for the currently running kernel on an Amazon Linux EC2 instance. This is a prerequisite for building kernel profiles on Amazon Linux systems. ```bash sudo su sudo yum update -y sudo yum --enablerepo='*debuginfo' install kernel-debuginfo-$(uname -r) ``` -------------------------------- ### Install Checkra1n on Debian-based Linux Source: https://www.iblue.team/ios-forensics/checkm8-checkra1n-acquisitions-extractions This code snippet adds the Checkra1n repository to the system's sources list, fetches the GPG key for authentication, updates the package list, and installs the checkra1n package. It requires root privileges. ```bash echo "deb https://assets.checkra.in/debian /" | sudo tee -a /etc/apt/sources.list sudo apt-key adv --fetch-keys https://assets.checkra.in/debian/archive.key sudo apt update sudo apt-get install checkra1n ``` -------------------------------- ### Open LUKS Encrypted Volumes using cryptsetup Source: https://www.iblue.team/incident-response-1/ivanti-connect-secure-auth-bypass-and-remote-code-authentication-cve-2024-21887 Decrypts and opens LUKS-encrypted logical volumes using the previously created keyfile. Each logical volume is mapped to a new device name for mounting. ```bash $ cryptsetup luksOpen -d lvmkey /dev/groupA/home ivanti1 ``` ```bash $ cryptsetup luksOpen -d lvmkey /dev/groupA/runtime ivanti2 ``` ```bash $ cryptsetup luksOpen -d lvmkey /dev/groupS/swap ivanti3 ``` ```bash $ cryptsetup luksOpen -d lvmkey /dev/groupZ/home ivanti4 ```