### Start Splunk Service
Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration
This snippet shows how to start the Splunk service. It involves navigating to the Splunk installation directory and executing the start script with superuser privileges. You will be prompted to accept the license agreement.
```shell
cd /opt/splunk
sudo ./splunk start
```
--------------------------------
### Download and Start Cribl
Source: https://www.iblue.team/data-collection-processing-and-integration/cribl/setup-and-configuration
This snippet demonstrates how to download the latest Cribl version using curl, extract the archive, navigate to the installation directory, and start the Cribl service. It also shows the deprecation messages for older start scripts and the output indicating successful Cribl startup, including its address, mode, status, version, and initial login credentials.
```bash
$ curl -Lso - $(curl https://cdn.cribl.io/dl/latest-x64) | tar zxv
cd /cribl/bin
./start.sh
```
--------------------------------
### Accept Splunk License Agreement
Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration
When starting Splunk for the first time, you will be prompted to accept the general terms and conditions. Type 'y' and press Enter to agree.
```shell
Do you agree with this license? [y/n]: y
```
--------------------------------
### Install Git
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins
Installs Git, a version control system required to clone the Volatility GitHub repository. This command is for Debian-based Linux distributions.
```bash
$ sudo apt install git-all
```
--------------------------------
### Install ZeroTier Client (Direct)
Source: https://www.iblue.team/general-notes-1/install-and-configure-zerotier-client
Installs the ZeroTier client directly from the official source using a single curl command piped to bash. This is a quick installation method.
```bash
curl -s https://install.zerotier.com | sudo bash
```
--------------------------------
### Install ZeroTier Client (Download and Execute)
Source: https://www.iblue.team/general-notes-1/install-and-configure-zerotier-client
Downloads the ZeroTier install script, makes it executable, and then runs it after manual review. This method allows for script validation before execution.
```bash
curl -s https://install.zerotier.com -o zerotier.sh; chmod +x zerotier.sh
./zerotier.sh
```
--------------------------------
### Install NGINX and Set Up Basic Site
Source: https://www.iblue.team/general-notes-1/azure-blob-storage-with-nginx-proxy
Installs NGINX and creates a basic HTML file for a new subdomain. It also configures the NGINX server block for the subdomain and enables the site configuration. Finally, it tests the NGINX configuration and restarts the service.
```bash
$ apt update -y; apt install nginx -y
$ sudo mkdir -p /var/www/blob/html
$ sudo chown -R $USER:$USER /var/www/blob/html
$ sudo chmod -R 755 /var/www/blob
$ echo "blob.iblue.team" > /var/www/blob/html/index.html
$ nano /etc/nginx/sites-available/blob
server {
listen 80;
root /var/www/blob/html;
index index.html index.htm index.nginx-debian.html;
server_name blob.iblue.team;
location / {
try_files $uri $uri/ =404;
}
}
$ sudo ln -s /etc/nginx/sites-available/blob /etc/nginx/sites-enabled/
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
$ systemctl restart nginx
```
--------------------------------
### Install Development Tools
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins
Installs 'python2.7-dev' and 'build-essential' packages. These are required if compilation errors occur during the installation of Python packages, such as 'gcc' not being found or 'egg_info' command failures.
```bash
$ sudo apt install -y python2.7-dev build-essential
```
--------------------------------
### Test Volatility with Memory Image
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins
Tests the Volatility installation by analyzing a memory dump file. It demonstrates the usage of the 'imageinfo' and 'kdbgscan' plugins to gather information about the memory image and identify its profile.
```bash
$ python vol.py -f /path/to/memdump.mem imageinfo
or
$ python vol.py -f /path/to/memdump.mem kdbgscan
```
--------------------------------
### Install VMFS6-tools and Explore Disk Partitions (Linux)
Source: https://www.iblue.team/esxi-forensics/esxi-vmfs-exploration
These commands install necessary tools for interacting with VMFS file systems on a Linux host. It includes installing 'vmfs6-tools' and 'libguestfs-tools', followed by listing disk partitions to identify the VMFS volume.
```bash
sudo apt-get install vmfs6-tools
fdisk -l
sudo mkdir /mnt/sdb && sudo mkdir /mnt/vmdk
```
--------------------------------
### Setup MinIO Server with TLS (Linux Binary)
Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage
This snippet outlines the steps to set up MinIO with TLS for secure communication. It involves installing Certbot, obtaining a certificate for a custom domain, copying the certificate and private key to the MinIO configuration directory, and then running the MinIO server with specified addresses for API and console, enabling HTTPS.
```bash
sudo apt install certbot
sudo mkdir /path/to/minio-datastore
sudo certbot certonly --manual --preferred-challenges dns --debug-challenges -d minio.yourdomain.com.au
sudo cp /etc/letsencrypt/live/minio.yourdomain.com.au/fullchain.pem public.crt
sudo cp /etc/letsencrypt/live/minio.yourdomain.com.au/privkey.pem private.key
./minio server /path/to/minio-datastore --console-address "minio.yourdomain.com.au:9001" --address "minio.yourdomain.com.au:9000"
```
--------------------------------
### Run mitmproxy (Web Mode)
Source: https://www.iblue.team/general-notes-1/mitm-proxy
Starts the mitmproxy in web interface mode, accessible via a browser. This command requires root privileges.
```bash
sudo mitmweb
```
--------------------------------
### Clone Volatility Repository
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins
Clones the Volatility framework from its official GitHub repository. This step downloads the source code and core files for Volatility.
```bash
$ git clone https://github.com/volatilityfoundation/volatility.git
```
--------------------------------
### Install and Configure tgt iSCSI Target on Ubuntu
Source: https://www.iblue.team/esxi-forensics/identification-acquisition-and-examination-of-iscsi-luns-and-vmfs-datastores
Installs the tgt package, checks its status, and configures a block device as an iSCSI LUN. This setup is for testing and does not include security configurations. It requires root privileges and assumes the existence of a block device like /dev/sdb.
```shell
sudo apt update; sudo upgrade
sudo apt install tgt
sudo systemctl status tgt
```
```shell
sudo nano /etc/iscsi/iscsi.conf
```
```shell
direct-store /dev/sdb
```
```shell
systemctl restart tgt
sudo tgtadm --mode target --op show
```
--------------------------------
### Setup MinIO Client (mc) for Administration
Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage
This snippet downloads the MinIO client binary (mc) for Linux, makes it executable, and then configures an alias to connect to a MinIO server. This client is used to administer buckets, users, permissions, and generate pre-signed URLs from a workstation.
```bash
$ wget https://dl.min.io/client/mc/release/linux-amd64/mc
$ chmod +x mc
$ mc alias set myminio/ http://MINIO-SERVER admin password
```
--------------------------------
### Reinstall Distorm3 (if needed)
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins
Uninstalls and then reinstalls a specific version of 'distorm3' (3.4.4). This step is a troubleshooting measure for potential conflicts or issues with the 'distorm3' installation.
```bash
pip uninstall distorm3
pip install distorm3==3.4.4
```
--------------------------------
### Manage ZeroTier Network Connections
Source: https://www.iblue.team/general-notes-1/install-and-configure-zerotier-client
Provides essential ZeroTier CLI commands for interacting with ZeroTier networks. These commands allow users to check status, join/leave networks, and list network configurations.
```bash
zerotier-cli status
```
```bash
zerotier-cli join xxxxxxx
```
```bash
zerotier-cli leave xxxxxxx
```
```bash
zerotier-cli listnetworks
```
--------------------------------
### Install Volatility Dependencies
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins
Installs the 'pycrypto' and 'distorm3' Python packages, which are essential dependencies for Volatility. 'pycrypto' addresses 'Crypto.Hash' import errors, and 'distorm3' is required for malware analysis plugins. Version 3.4.4 of distorm3 is specified to avoid potential issues.
```bash
$ python2.7 -m pip install pycrypto distorm3==3.4.4
```
--------------------------------
### Run mitmproxy (Console Mode)
Source: https://www.iblue.team/general-notes-1/mitm-proxy
Starts the mitmproxy in console mode, listening on all network interfaces on port 8080. This command requires root privileges.
```bash
sudo mitmproxy
```
--------------------------------
### Download and Run MinIO Server (Linux Binary)
Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage
This snippet downloads the MinIO server binary for Linux, makes it executable, and then runs it with specified credentials and data directory. It configures the server to use port 9000 for the API and 9001 for the web console.
```bash
wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=password ./minio server /mnt/data --console-address ":9001"
```
--------------------------------
### Install mitmproxy
Source: https://www.iblue.team/general-notes-1/mitm-proxy
Installs the mitmproxy tool using the apt package manager. This command requires root privileges.
```bash
sudo apt install mitmproxy
```
--------------------------------
### Download Splunk Package using Wget
Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration
This snippet shows how to download the Splunk .deb package from a provided URL using the `wget` command. Ensure you have a stable internet connection and the correct URL for the package.
```shell
$ wget -O splunk-10.0.2-e2d18b4767e9-linux-amd64.deb "https://download.splunk.com/products/splunk/releases/10.0.2/linux/splunk-10.0.2-e2d18b4767e9-linux-amd64.deb"
```
--------------------------------
### Install and Use dwarfdump for Volatility Profile
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility
Installs the dwarfdump utility and uses it to extract dwarf information from a compiled module. This information is then zipped with the System.map file to create a Volatility profile.
```bash
sudo apt install dwarfdump
dwarfdump -di ./module.o > module.dwarf
sudo zip Ubuntu64-4.15.0.106.zip module.dwarf /boot/System.map-4.15.0-106-generic
```
--------------------------------
### Install Linux Kernel on Ubuntu
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility
Installs a specific Linux kernel version on an Ubuntu system, which will serve as the base for building the Volatility profile. Ensure the kernel version matches the one identified from the memory dump.
```bash
sudo apt update; sudo apt install linux-image-6.2.0-36-generic
```
--------------------------------
### Build DumpIt on Linux
Source: https://www.iblue.team/memory-forensics-1/acquisition/dumpit
Instructions to build the Linux variant of DumpIt using Cargo, Rust's package manager. Requires build essentials and Rust toolchain installation.
```shell
sudo apt install build-essential liblzma-dev
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
git clone https://github.com/MagnetForensics/dumpit-linux.git
cd dumpit-linux
cargo build --release
cd target/release
```
--------------------------------
### Configure and Install Linux Kernel Debug Symbols on Ubuntu
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility
Sets up the necessary repository and installs the debug symbols for a specific Linux kernel version on Ubuntu. This requires editing the sources list and using apt commands. Replace 'xxxxx' with your Ubuntu release name.
```bash
sudo nano /etc/apt/sources.list.d/ddebs.list
deb http://ddebs.ubuntu.com xxxxx main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-proposed main restricted universe multiverse
(replace xxxxx with your release name from 'lsb_release -cs', ie focal, trusty, etc.
wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -
$ sudo apt update
$ sudo apt install linux-image-6.2.0-36-generic-dbgsym
$ sudo shutdown -r now
```
--------------------------------
### Mounting EWF Image with guestfish
Source: https://www.iblue.team/general-notes-1/mount-e01-containing-vmdk-xfs-from-rhel-system
This snippet shows how to use `guestfish` to mount and access files within an EWF image. It involves starting `guestfish` in read-only mode, identifying filesystems, mounting the root filesystem, and then mounting it locally for access.
```bash
guestfish --ro -a /mnt/RHEL/ewf1
```
```bash
> run
> list-filesystems
> mount /dev/rhel/root /
> mount-local /mnt/rhel-mount readonly:true
> mount-local-run
```
```bash
cat /mnt/rhel-mount/home/username/Desktop/files.txt
```
--------------------------------
### Install Splunk Package using Dpkg
Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration
This command installs the downloaded Splunk .deb package using `dpkg`. This requires superuser privileges. After installation, you can check the package status.
```shell
$ sudo dpkg -i splunk-10.0.2-e2d18b4767e9-linux-amd64.deb
```
--------------------------------
### Check Splunk Installation Status
Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration
This command verifies if the Splunk package is installed correctly on the system. It displays the package name, status, maintainer, architecture, version, and a brief description.
```shell
$ dpkg --status splunk
```
--------------------------------
### Create Dummy Data Files with 'yes' and 'head'
Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-with-lvm-and-raid5-3-disks
This command sequence generates large text files by repeatedly outputting a string and truncating it to a specified size. It's used here to create sample data for testing storage configurations. The 'yes' command provides the string, 'head -c' limits the size in bytes, and '>' redirects the output to a file.
```bash
$ yes APPLE | head -c 1073741824 > apple.txt
```
--------------------------------
### Install Python 2.7 Pip
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins
Installs pip for Python 2.7, which is necessary for managing Python packages required by Volatility. This involves downloading the get-pip.py script and executing it with Python 2.7.
```bash
$ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
$ python 2.7 get-pip.py
```
--------------------------------
### Format 2GB Volume with BTRFS on Linux
Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ufs-ffs-btrfs-xfs
Demonstrates the process of formatting a 2GB block device (/dev/sdb) with the BTRFS filesystem on a Linux Mint system. It includes output from the `mkfs.btrfs` command, showing filesystem details, and subsequent commands for mounting the filesystem, writing a file, and unmounting it.
```bash
$ md5sum /dev/sdb
a981130cf2b7e09f4686dc273cf7187e /dev/sdb
$ mkfs.btrfs /dev/sdb
btrfs-progs v5.16.2
See http://btrfs.wiki.kernel.org for more information.
NOTE: several default settings have changed in version 5.15, please make sure
this does not affect your deployments:
- DUP for metadata (-m dup)
- enabled no-holes (-O no-holes)
- enabled free-space-tree (-R free-space-tree)
Label: (null)
UUID: a8201ae2-3eaf-446d-b004-fee6a011dfaa
Node size: 16384
Sector size: 4096
Filesystem size: 2.00GiB
Block group profiles:
Data: single 8.00MiB
Metadata: DUP 102.38MiB
System: DUP 8.00MiB
SSD detected: no
Zoned device: no
Incompat features: extref, skinny-metadata, no-holes
Runtime features: free-space-tree
Checksum: crc32c
Number of devices: 1
Devices:
ID SIZE PATH
1 2.00GiB /dev/sdb
$ date
Thu 24 Aug 2023 17:47:55 ACST
$ echo "https://iblue.team" > /mnt/btrfs/notes.txt
$ cat /mnt/btrfs/notes.txt
https://iblue.team
root@mint:~# umount /mnt/btrfs
```
--------------------------------
### Splunk Service Initialization and Availability
Source: https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration
This output indicates that Splunk is starting up, generating self-signed certificates, and waiting for its web server to become available on port 8000. It provides a link to the Splunk documentation for help.
```shell
Warning: ignoring -extensions option without -extfile
Certificate request self-signature ok
subject=CN = splunk, O = SplunkUser
Done
Waiting for web server at http://127.0.0.1:8000 to be available........................................ Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://splunk:8000
```
--------------------------------
### List Objects in a Bucket using MinIO Client (mc)
Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage
This command uses the MinIO client (mc) to list the objects within a specific bucket on a MinIO server. It shows the object's creation timestamp, size, storage class, and name, verifying that uploaded files are accessible.
```bash
user@host:/home/user# mc ls minio/my-bucket
[2022-04-25 11:35:22 AEST] 234MiB STANDARD my-object
```
--------------------------------
### List Buckets using MinIO Client (mc)
Source: https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage
This command uses the MinIO client (mc) to list the available buckets on a configured MinIO server. It assumes an alias named 'minio' has been set up, and it displays the bucket name along with its size and creation timestamp.
```bash
user@host:/home/user# mc ls minio
[2022-04-25 10:56:00 AEST] 0B my-bucket/
```
--------------------------------
### Pull and Verify log2timeline/plaso Docker Image
Source: https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation/plaso
This snippet demonstrates how to pull the latest log2timeline/plaso Docker image and then run a simple command to verify the installation and check the version of log2timeline. It requires Docker to be installed and configured.
```shell
docker pull log2timeline/plaso
user@df:~/cases/26038642$ docker run log2timeline/plaso log2timeline.py --version
```
--------------------------------
### Create and Mount ext4 Filesystem
Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2
Demonstrates the process of creating and mounting an ext4 filesystem on a Linux host. It includes commands for disk partitioning, formatting with ext4, and mounting the filesystem. The output shows the creation of a filesystem with specific block and inode counts, and its UUID.
```shell
$ fdisk -l
Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk model: VMware Virtual
$ md5sum /dev/sdb
cd573cfaace07e7949bc0c46028904ff /dev/sdb
$ mkfs.ext4 /dev/sdb
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 262144 4k blocks and 65536 inodes
Filesystem UUID: 3f13c5a2-1e5b-4771-b5c3-430e4d0a1053
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
root@mint:~# date
Tue 22 Aug 2023 22:36:58 ACST
$ mount /dev/sdb /mnt/ext4
> nano /mnt/ext4/notes.txt > https://iblue.team
$ md5sum /dev/sdb
40575d67d4651c200d9f3234701bf05e /dev/sdb
```
--------------------------------
### Format 2GB Volume with XFS on Linux
Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ufs-ffs-btrfs-xfs
Details the process of formatting a 2GB block device (/dev/sdb) with the XFS filesystem on a Linux Mint host. This includes zeroing the device, calculating its MD5 checksum, formatting it with `mkfs.xfs`, mounting the filesystem, writing a file, and unmounting.
```bash
Previously attached /dev/sdb (MD5 a981130cf2b7e09f4686dc273cf7187e)
$ dd if=/dev/zero of=/dev/sdb
$ md5sum /dev/sdb
a981130cf2b7e09f4686dc273cf7187e /dev/sdb
$ mkfs.xfs /dev/sdb
meta-data=/dev/sdb isize=512 agcount=4, agsize=131072 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=1 bigtime=0 inobtcount=0
data = bsize=4096 blocks=524288, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=2560, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
$ mkdir /mnt/xfs
$ mount /dev/sdb /mnt/xfs
$ echo "https://iblue.team" > /mnt/xfs/notes.txt
$ cat /mnt/xfs/notes.txt
https://iblue.team
$ umount /mnt/xfs
```
--------------------------------
### Configure ext4 with LVM
Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2
This snippet details the steps for setting up an ext4 filesystem using LVM (Logical Volume Management). It covers creating a physical volume, a volume group, and a logical volume, followed by formatting the logical volume with ext4. The output shows LVM version information, disk scanning results, and detailed volume group and logical volume configurations.
```shell
$ md5sum /dev/sdb
cd573cfaace07e7949bc0c46028904ff /dev/sdb
lvm version
LVM version: 2.03.11(2) (2021-01-08)
Library version: 1.02.175 (2021-01-08)
Driver version: 4.45.0
root@mint:~# lvmdiskscan
/dev/sda2 [ 513.00 MiB]
/dev/sda3 [ <79.50 GiB]
/dev/sdb [ 1.00 GiB]
1 disk
2 partitions
0 LVM physical volume whole disks
0 LVM physical volumes
$ pvcreate /dev/sdb
Physical volume "/dev/sdb" successfully created
$ vgcreate vg01 /dev/sdb
Volume group "vg01" successfully created
root@mint:~# vgdisplay
--- Volume group ---
VG Name vg01
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 1
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 0
Open LV 0
Max PV 0
Cur PV 1
Act PV 1
VG Size 1020.00 MiB
PE Size 4.00 MiB
Total PE 255
Alloc PE / Size 0 / 0
Free PE / Size 255 / 1020.00 MiB
VG UUID SuDIRA-DfeR-N3Gh-r41v-fZJL-2duf-XEuwWf
$ lvcreate -L 1020M -n lv01 vg01
Logical volume "lv01" created.
root@mint:~# lvdisplay
--- Logical volume ---
LV Path /dev/vg01/lv01
LV Name lv01
VG Name vg01
LV UUID YH1P8v-cDBJ-1emn-0ApX-Qq7j-S6Pr-3IsWkV
LV Write Access read/write
LV Creation host, time mint, 2023-08-22 22:04:23 +0930
LV Status available
# open 0
LV Size 1020.00 MiB
Current LE 255
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:0
$ mkfs.ext4 /dev/vg01/lv01
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 261120 4k blocks and 65280 inodes
Filesystem UUID: 6423a1eb-f631-45e1-9f9a-94a49b6c90c6
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
$ stat /mnt/ext4/note.txt
File: /mnt/ext4/note.txt
Size: 19 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 13 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-08-22 22:05:46.435740476 +0930
Modify: 2023-08-22 22:05:46.435740476 +0930
Change: 2023-08-22 22:05:46.435740476 +0930
Birth: 2023-08-22 22:05:46.435740476 +0930
```
--------------------------------
### Get Partition Table for NVMe Disk on ESXi
Source: https://www.iblue.team/esxi-forensics/understanding-esxi/partitions-volumes
This command displays the partition table information for a specified NVMe disk device on an ESXi host. It uses `partedUtil` to show the partition type (GPT), disk geometry, and details of each partition including type GUID and name.
```shell
[root@localhost:~] partedUtil getptbl "/vmfs/devices/disks/t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600"
gpt
30401 255 63 488397168
1 64 204863 C12A7328F81F11D2BA4B00A0C93EC93B systemPartition 128
5 208896 8595455 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0
6 8597504 16984063 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0
7 16986112 268435455 4EB2EA3978554790A79EFAE495E21F8D vmfsl 0
8 268437504 488397134 AA31E02A400F11DB9590000C2911D1B8 vmfs 0
```
--------------------------------
### Basic Volatility Commands
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility
Demonstrates basic commands for interacting with Volatility, including checking if a new profile is registered, and retrieving banner and process list information from a memory image.
```bash
python3 vol.py isfinfo
python3 vol.py -f ec2mem.mem banners
python3 vol.py -f ec2mem.mem linux.pslist
```
--------------------------------
### Verify Installed Linux Kernel
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility
Confirms that the correct Linux kernel version has been successfully installed and is currently running on the Ubuntu system. This step is essential before proceeding to install debug symbols.
```bash
user@ubuntu:~$ uname -a
```
--------------------------------
### Interact with VMDK using guestfish
Source: https://www.iblue.team/incident-response-1/mounting-ufs-vmdk-from-netscaler-citrix-adc
This snippet demonstrates initiating a guestfish session with a VMDK file and running initial commands like 'run' to prepare for filesystem operations. Guestfish allows for direct manipulation of virtual disk images.
```bash
$ guestfish -a NSVPX-ESX-13.0-90.12_nc_64-disk1.vmdk
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
Type: ‘help’ for help on commands
‘man’ to read the manual
‘quit’ to quit the shell
> run
100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
>
```
--------------------------------
### Install Certbot and Obtain SSL Certificate
Source: https://www.iblue.team/general-notes-1/azure-blob-storage-with-nginx-proxy
Installs Certbot and its NGINX plugin to obtain and manage Let's Encrypt SSL certificates for the specified domain. This enables HTTPS for the subdomain.
```bash
$ apt install certbot python3-certbot-nginx
$ certbot --nginx -d blob.iblue.team
(accept prompts)
```
--------------------------------
### List Filesystems and Partitions in VMDK with guestfish
Source: https://www.iblue.team/incident-response-1/mounting-ufs-vmdk-from-netscaler-citrix-adc
This snippet shows commands to list filesystems and partitions within a VMDK using guestfish. It highlights potential issues with UFS identification and the output of partition tables.
```bash
> list-filesystems
libguestfs: error: list_filesystems: sfdisk exited with status 1: sfdisk: /dev/sda: partition 5: partition table contains only 4 partitions
> list-partitions
/dev/sda1
/dev/sda5
/dev/sda6
/dev/sda7
/dev/sda8
```
--------------------------------
### Convert Disk to LUKS2 Format
Source: https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2
This snippet demonstrates how to convert an existing logical volume to LUKS2 encryption using the cryptsetup command. It requires specifying the target device and confirming the irreversible conversion with 'YES'. The output shows the successful conversion and provides details about the LUKS2 header, keyslots, and data segments.
```bash
$ cryptsetup convert --type luks2 /dev/mapper/vg01-lv01
WARNING!
========
This operation will convert /dev/mapper/vg01-lv01 to LUKS2 format.
Are you sure? (Type 'yes' in capital letters): YES
$ cryptsetup luksDump /dev/mapper/vg01-lv01
LUKS header information
Version: 2
Epoch: 2
Metadata area: 16384 [bytes]
Keyslots area: 2064384 [bytes]
UUID: 0689d6a7-33a1-47fd-a971-c6ac38b24d47
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 2097152 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 1956298
Salt: bc 58 47 d6 4c fb bb 77 c7 e7 91 f7 22 ef 81 0c
3f b5 5d ad b1 3e 08 32 51 47 94 c2 c0 4a 20 ed
AF stripes: 4000
AF hash: sha256
Area offset: 32768 [bytes]
Area length: 258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 1836384
Salt: 60 95 5c d5 36 77 bb f7 78 a9 11 98 d7 66 79 38
c6 5e 14 98 da aa 2a 3d 62 bf e4 31 2a 73 8d 57
AF stripes: 4000
AF hash: sha256
Area offset: 290816 [bytes]
Area length: 258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 110890
Salt: a6 3c c4 96 52 33 c6 6f 5e 0f a6 38 34 2e 7a 3c
a5 4b 62 4f 6d 5a f1 07 5a c8 ff 52 ad 4b b8 78
Digest: 01 eb 16 1a 86 1c db 04 5a 86 0a 6c c3 8e d9 44
1a 72 04 c4
```
--------------------------------
### Install SQLite Command Line Tools
Source: https://www.iblue.team/general-notes-1/exporting-sqlite-blob-data-from-standalone-sqlite-database-using-command-line-tools
Installs the necessary sqlite3 command-line tools on Debian-based systems (like Ubuntu or WSL). This is a prerequisite for executing the export commands.
```bash
sudo apt install sqlite3
```
--------------------------------
### Password Cracking with Hashcat (Hashcat)
Source: https://www.iblue.team/ctf-challenges/13cubed-linux-memory-forensics
This example shows how to use the hashcat tool to crack password hashes found in a memory dump, likely extracted from the /etc/shadow file. It utilizes a specific hash mode (-m 1800) and specifies wordlists for the cracking process. The command requires the hash file and one or more wordlist files as input.
```hashcat
hashcat.exe -m 1800 -a 0 13cubed.hash C:\wordlist1.txt C:\wordlist2.txt
```
--------------------------------
### Open and Format LUKS Device with Filesystem
Source: https://www.iblue.team/linux-forensics/luks-hashcat-and-hidden-volumes
Commands to open a LUKS device, create an ext4 filesystem on the mapped device, and then close the LUKS device. This process populates the LUKS container with data, which is necessary for successful hashcat validation.
```bash
$ lsblk -lf
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sdc crypto_LUKS 2 f4bd2ee4-969d-4022-b61e-23524e83f592
$ cryptsetup luksOpen /dev/sdc sdc
Enter passphrase for /dev/sdc:
$ mkfs.ext4 /dev/mapper/sdc
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 520192 4k blocks and 130048 inodes
Filesystem UUID: 20bb32f6-e8cc-4ea8-a483-136ea7d5fed8
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
$ cryptsetup luksClose sdc
$ lsblk -lf
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sdc crypto_LUKS 2 f4bd2ee4-969d-4022-b61e-23524e83f592
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sdc 8:32 0 2G 0 disk
$ python3 luks2hashcat.py /dev/sdc > sdc.ext4.hash
```
--------------------------------
### Install Linux Kernel Debug Info on Amazon Linux
Source: https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility
Installs the debug information package for the currently running kernel on an Amazon Linux EC2 instance. This is a prerequisite for building kernel profiles on Amazon Linux systems.
```bash
sudo su
sudo yum update -y
sudo yum --enablerepo='*debuginfo' install kernel-debuginfo-$(uname -r)
```
--------------------------------
### Install Checkra1n on Debian-based Linux
Source: https://www.iblue.team/ios-forensics/checkm8-checkra1n-acquisitions-extractions
This code snippet adds the Checkra1n repository to the system's sources list, fetches the GPG key for authentication, updates the package list, and installs the checkra1n package. It requires root privileges.
```bash
echo "deb https://assets.checkra.in/debian /" | sudo tee -a /etc/apt/sources.list
sudo apt-key adv --fetch-keys https://assets.checkra.in/debian/archive.key
sudo apt update
sudo apt-get install checkra1n
```
--------------------------------
### Open LUKS Encrypted Volumes using cryptsetup
Source: https://www.iblue.team/incident-response-1/ivanti-connect-secure-auth-bypass-and-remote-code-authentication-cve-2024-21887
Decrypts and opens LUKS-encrypted logical volumes using the previously created keyfile. Each logical volume is mapped to a new device name for mounting.
```bash
$ cryptsetup luksOpen -d lvmkey /dev/groupA/home ivanti1
```
```bash
$ cryptsetup luksOpen -d lvmkey /dev/groupA/runtime ivanti2
```
```bash
$ cryptsetup luksOpen -d lvmkey /dev/groupS/swap ivanti3
```
```bash
$ cryptsetup luksOpen -d lvmkey /dev/groupZ/home ivanti4
```