WEBVTT 1 00:00:00.120 --> 00:00:03.399 Welcome back to the deep dive. We're your shortcut to 2 00:00:03.439 --> 00:00:07.839 getting well, incredibly well informed without feeling totally overwhelmed. 3 00:00:08.000 --> 00:00:09.519 Yeah, there's a lot out there. 4 00:00:09.400 --> 00:00:13.359 There really is. So today we're diving into something powerful, 5 00:00:13.400 --> 00:00:16.199 maybe a bit underestimated, a kind of secret weapon that's 6 00:00:16.199 --> 00:00:21.559 actually been part of computing for decades. Foundational really exactly, 7 00:00:21.920 --> 00:00:25.440 but it's becoming super critical now in cybersecurity. Okay, let's 8 00:00:25.519 --> 00:00:30.079 unpack this. We are talking about cybersecurity operations, but maybe 9 00:00:30.120 --> 00:00:32.719 not with the fancy, expensive tools you might think of. First, 10 00:00:32.759 --> 00:00:34.479 we're talking about the command line. 11 00:00:34.840 --> 00:00:38.960 Ah, yes, good old command line, specifically the Bash Shehell. 12 00:00:39.359 --> 00:00:42.320 Our guide for this is a really practical book, Cybersecurity 13 00:00:42.359 --> 00:00:46.359 Ops with Bash, Attack, Defend and Analyze from the command 14 00:00:46.359 --> 00:00:49.759 Line by Paul Truncone and Carl Alvin. Great resource, totally, 15 00:00:50.280 --> 00:00:52.359 and our mission today is to give you a shortcut 16 00:00:52.560 --> 00:00:54.600 a way to see how Bash isn't just you know, 17 00:00:54.640 --> 00:00:58.759 for developers coding away or cised men's managing servers. It's 18 00:00:58.799 --> 00:01:02.560 this incredibly flexible multi tool anyone interested in computer security, 19 00:01:02.759 --> 00:01:05.519 whether you're on the offense probing systems or on defense 20 00:01:05.560 --> 00:01:08.879 building walls, attack or defend. Yeah, and the cool thing 21 00:01:08.959 --> 00:01:12.159 is the techniques work, whether you're on Linux, mac Os, 22 00:01:12.560 --> 00:01:13.799 even Windows these days. 23 00:01:13.920 --> 00:01:16.799 And what's truly fascinating here, I think is just how 24 00:01:16.840 --> 00:01:19.799 fundamental the command line is. I mean, most of us, right, 25 00:01:19.959 --> 00:01:24.079 we spend our time clicking around in graphical interfaces. Guisappoint 26 00:01:24.159 --> 00:01:27.159 click and they're great, super easy to use, no doubt, 27 00:01:27.560 --> 00:01:32.439 but that ease it often costs you something speed, maybe flexibility, 28 00:01:32.879 --> 00:01:35.560 and you definitely get distanced from what the system is 29 00:01:35.599 --> 00:01:36.439 actually doing. 30 00:01:36.280 --> 00:01:38.480 Underneath, like a layer of abstraction exactly. 31 00:01:38.519 --> 00:01:41.400 GUIs are like that nice dashboard in your car. Looks good, 32 00:01:41.519 --> 00:01:44.200 tells you the basics, but the command line that's like 33 00:01:44.239 --> 00:01:46.000 lifting the hood. You're right there with the engine. 34 00:01:46.120 --> 00:01:48.040 Okay. I like that analogy, and this. 35 00:01:48.200 --> 00:01:51.319 Deep dive hopefully will kind of reconnect you to that 36 00:01:51.439 --> 00:01:55.120 raw power, show you that Bash is this direct, super 37 00:01:55.159 --> 00:01:58.560 efficient way to tap into everything your operating system can do. 38 00:01:58.760 --> 00:02:01.560 Getting under the hood. I like, yeah, So, okay, why 39 00:02:01.599 --> 00:02:07.640 Bash specifically for cybersecurity? It still feels a bit basic. 40 00:02:07.879 --> 00:02:11.599 Well, it's basic in the best sense, you know, it's foundational. 41 00:02:11.639 --> 00:02:14.919 It's universal. Bash started in the Unix and Linux world obviously, 42 00:02:15.199 --> 00:02:18.439 but it's just everywhere now. It's standard on macOS, and 43 00:02:18.520 --> 00:02:20.719 you can get it really easily on Windows is get 44 00:02:20.759 --> 00:02:26.599 Bash seguine or the Window subsystem for Linux WSL WSL. Yeah, 45 00:02:26.639 --> 00:02:29.360 which means the stuff we talk about today. These aren't 46 00:02:29.479 --> 00:02:33.319 niche skills. They are incredibly transferable. You learn the stuff once, 47 00:02:33.560 --> 00:02:35.759 you can probably use it almost any way you might 48 00:02:35.800 --> 00:02:37.840 need to secure a system or figure out what. 49 00:02:37.800 --> 00:02:40.280 Happened on one. Okay, So it's like the ultimate cross 50 00:02:40.280 --> 00:02:43.000 platform utility belt for security folks pretty much. But to 51 00:02:43.039 --> 00:02:46.639 really use that belt effectively, especially for tricky security tasks, 52 00:02:47.080 --> 00:02:49.400 we probably need to nail down some and core ideas first. 53 00:02:50.159 --> 00:02:53.039 What are the essential bits of Bash that make it 54 00:02:53.120 --> 00:02:53.719 so good for this? 55 00:02:54.360 --> 00:02:58.120 Yeah, definitely if we connect this to the bigger picture, 56 00:02:58.800 --> 00:03:02.039 the real power often comes from how Bash handles data, 57 00:03:02.520 --> 00:03:06.599 how it moves information around data streams exactly. Every program 58 00:03:06.639 --> 00:03:10.280 fundamentally has like three channels, one for input coming in stin, 59 00:03:10.719 --> 00:03:13.000 one for normal output going out strout, and one for 60 00:03:13.120 --> 00:03:14.280 error messages. 61 00:03:14.000 --> 00:03:16.400 Sure, okay, in out and oops. 62 00:03:16.599 --> 00:03:20.599 Yeah basically. But the magic and where Bash really shines 63 00:03:20.639 --> 00:03:22.919 for security work is redirection and piping. 64 00:03:23.319 --> 00:03:23.599 Right. 65 00:03:23.759 --> 00:03:26.400 This is what lets you chain simple commands together to 66 00:03:26.439 --> 00:03:30.520 build surprisingly powerful custom tools like right on the spot. 67 00:03:30.639 --> 00:03:32.680 So redirection is sending stuff places. 68 00:03:32.879 --> 00:03:35.039 Yep. You can send the normal output of a command 69 00:03:35.080 --> 00:03:38.400 straight into a file maybe command results dot out, or 70 00:03:38.400 --> 00:03:40.400 if you want to add to a file that's already there, 71 00:03:40.520 --> 00:03:43.719 you use up and it tended exactly and you can 72 00:03:43.759 --> 00:03:46.719 send just the error messages somewhere else. Maybe two aero 73 00:03:46.719 --> 00:03:50.240 loog dot txt, or combine both normal output and errors 74 00:03:50.240 --> 00:03:53.159 into one file with evan in handy, or just make 75 00:03:53.199 --> 00:03:55.520 output disappear entirely if you don't need it, send it 76 00:03:55.560 --> 00:03:58.479 to dubnel, kind of like a black hole for data. Okay, 77 00:03:58.759 --> 00:04:01.560 And one more really full one is t That command 78 00:04:01.719 --> 00:04:03.879 lets you see the output on your screen while it's 79 00:04:03.879 --> 00:04:06.759 also saving it to a file. Great for monitoring something 80 00:04:06.800 --> 00:04:08.360 live but also keeping a record. 81 00:04:08.560 --> 00:04:11.479 Right, see it and save it makes sense. And piping 82 00:04:11.639 --> 00:04:13.759 that's the connector right the symbol. That's the one. 83 00:04:14.000 --> 00:04:16.879 Piping takes the standard output from the command on the 84 00:04:16.959 --> 00:04:19.720 left and feeds it directly as the standard input to 85 00:04:19.720 --> 00:04:20.360 the command on the. 86 00:04:20.399 --> 00:04:22.759 Right, connecting the tools precisely. 87 00:04:22.879 --> 00:04:26.399 This is how you build those complex workflows from simple 88 00:04:26.399 --> 00:04:29.319 building blocks. It's like creating an assembly line for your 89 00:04:29.399 --> 00:04:32.959 data right there in the terminal okay, And one more thing. 90 00:04:33.720 --> 00:04:35.560 If you have a command that might take a while, 91 00:04:35.720 --> 00:04:38.600 like maybe pinging a machine constantly to see if it's up, 92 00:04:39.120 --> 00:04:41.560 you can run it in the background using the ampersand 93 00:04:41.680 --> 00:04:44.240 so like ping one two point one sixty eight point 94 00:04:44.240 --> 00:04:48.160 one point one and ping results do log. It just 95 00:04:48.279 --> 00:04:51.480 runs quietly, logs its output and gives you your prompt 96 00:04:51.519 --> 00:04:52.319 back immediately. 97 00:04:52.480 --> 00:04:53.279 Oh that's useful. 98 00:04:53.399 --> 00:04:55.480 Yeah, And you can check on those background tasks with 99 00:04:55.480 --> 00:04:58.079 the jobs command and bring one back to the foreground 100 00:04:58.120 --> 00:04:59.959 with FG if you need to interact with it. 101 00:05:00.079 --> 00:05:00.399 Got it. 102 00:05:00.600 --> 00:05:03.439 And beyond just moving data, remember Bash is a full 103 00:05:03.480 --> 00:05:06.240 on programming language too. You've got variables, you can read input, 104 00:05:06.279 --> 00:05:09.920 you have if statements, wild loops, functions, you can automate 105 00:05:09.959 --> 00:05:10.680 almost anything. 106 00:05:10.959 --> 00:05:14.199 That flexibility is huge. Okay, but here's something you mentioned 107 00:05:14.240 --> 00:05:17.279 in the book that seems to trip people up a lot. Honestly, 108 00:05:17.319 --> 00:05:18.519 it confused me at first too. 109 00:05:18.959 --> 00:05:23.600 Ah, let me guess shell patterns versus regular expressions. 110 00:05:23.920 --> 00:05:29.319 Bingo. It gets really interesting here. What's the fundamental difference 111 00:05:29.480 --> 00:05:32.160 and why is getting them mixed up such a potential 112 00:05:32.240 --> 00:05:33.360 problem in security? 113 00:05:33.600 --> 00:05:36.120 It's a great question, and yeah, it is critical for 114 00:05:36.199 --> 00:05:40.639 doing things accurately. So shell patterns think for match anything, 115 00:05:40.720 --> 00:05:43.079 for match any single character for a range like a 116 00:05:43.160 --> 00:05:46.560 ZA right the file globbing stuff exactly. They're primarily designed 117 00:05:46.600 --> 00:05:50.160 for matching filenames in the filesystem. When you type ls 118 00:05:50.199 --> 00:05:52.639 dot log, you're telling the shell itself to find all 119 00:05:52.720 --> 00:05:54.240 filenames ending in dot log. 120 00:05:54.319 --> 00:05:56.519 Okay, so it's about the names of files, correct. 121 00:05:56.600 --> 00:06:00.319 Now. Regular expressions or rejects are different beasts, which more 122 00:06:00.319 --> 00:06:04.000 powerful patterns designed for matching text content stuff inside files 123 00:06:04.399 --> 00:06:05.920 or within a stream of data. 124 00:06:05.680 --> 00:06:07.160 Like searching inside a log file. 125 00:06:07.279 --> 00:06:11.720 Precisely. Rejects has a much richer, sometimes more complex set 126 00:06:11.759 --> 00:06:14.639 of special characters and rules. And you use rejects with 127 00:06:14.720 --> 00:06:17.959 tools that process text like rep or AUC or said. 128 00:06:18.279 --> 00:06:21.240 So, different tools, different patterns, yeah. 129 00:06:20.759 --> 00:06:23.480 And confusing them. That can lead to you missing crucial 130 00:06:23.519 --> 00:06:26.319 evidence because you used a file name pattern to search 131 00:06:26.360 --> 00:06:29.160 file content, or maybe doing something unintended because your pattern 132 00:06:29.199 --> 00:06:30.519 match files you didn't expect. 133 00:06:30.759 --> 00:06:32.680 Can you give a quick example, sure. 134 00:06:32.600 --> 00:06:36.600 Find varlogdash name dot gz uses a show pattern dot 135 00:06:36.639 --> 00:06:38.920 gz to find filenames ending in GZ. 136 00:06:39.160 --> 00:06:40.360 Simple okay, But. 137 00:06:40.439 --> 00:06:44.839 Grep error zerosh nine plus farlow gap dot log uses 138 00:06:44.879 --> 00:06:48.360 a regular expression error zero zero nine plus to find 139 00:06:48.439 --> 00:06:50.920 lines inside the app dot log file that contain the 140 00:06:50.959 --> 00:06:53.680 word error followed by one or more digits. 141 00:06:53.800 --> 00:06:56.759 Ah, Okay, one looks at the label, the other looks 142 00:06:56.759 --> 00:06:57.519 inside the box. 143 00:06:57.560 --> 00:06:59.560 That's a great way to put it. Understanding that difference 144 00:06:59.600 --> 00:07:01.439 is vital for precise investigation. 145 00:07:01.639 --> 00:07:04.800 Definitely. Okay. Let's shift gears into our first deep dive 146 00:07:04.920 --> 00:07:09.000 area defensive security operations with Bash. Using Bash as the 147 00:07:09.040 --> 00:07:12.360 investigator's toolkit, how do we usually frame defensive thinking? 148 00:07:12.519 --> 00:07:15.360 Well, A really helpful framework is the five principles of 149 00:07:15.399 --> 00:07:21.639 cybersecurity Confidentiality, integrity, availability, non repudiation, and authentication, often called 150 00:07:21.720 --> 00:07:27.680 CIANA for short CIA. Briefly, confidentiality is about keeping secrets 151 00:07:27.839 --> 00:07:33.160 secret only authorized access. Integrity means making sure data hasn't 152 00:07:33.199 --> 00:07:37.240 been messed with it's trustworthy. Availability is ensuring systems and 153 00:07:37.319 --> 00:07:40.040 data are there when you need them right. Non Repudiation 154 00:07:40.240 --> 00:07:42.639 is about proof linking in action to a specific user 155 00:07:42.680 --> 00:07:46.000 so they can't deny it. And authentication is simply proving 156 00:07:46.480 --> 00:07:47.879 you are who you say you are. 157 00:07:48.120 --> 00:07:49.680 Okay, the core security goals. 158 00:07:49.519 --> 00:07:53.319 Exactly, So the important question for us becomes, how does Bash, 159 00:07:53.439 --> 00:07:56.759 this command line tool actually help us maintain these principles, 160 00:07:57.319 --> 00:07:59.959 or maybe more importantly, how does it help us investigate 161 00:08:00.120 --> 00:08:02.240 when we suspect one of them has been violated? 162 00:08:02.319 --> 00:08:04.439 That makes sense. It grounds what we're doing. So if 163 00:08:04.439 --> 00:08:07.639 we're thinking about actually doing defense or investigating an incident, 164 00:08:07.720 --> 00:08:11.480 say checking data integrity or figuring out the confidentiality impact 165 00:08:11.480 --> 00:08:14.920 of a breach, Bash becomes our hands on toolkit. Where 166 00:08:14.920 --> 00:08:17.319 do we start maybe data collection and analysis. 167 00:08:17.600 --> 00:08:20.759 Absolutely, when something happens you need to gather evidence quickly 168 00:08:20.800 --> 00:08:23.879 and thoroughly. Bash gives you these direct tools. You've got 169 00:08:23.920 --> 00:08:26.680 simple things like cut to pull out specific columns of 170 00:08:26.759 --> 00:08:29.000 data file to quickly tell you what kind of file 171 00:08:29.040 --> 00:08:31.399 you're looking at, header tail to peak at the starter 172 00:08:31.560 --> 00:08:35.320 end of logs. The basics, the powerful, basic, And what's 173 00:08:35.360 --> 00:08:37.879 really neat is this isn't just a Linux Mac thing. 174 00:08:37.960 --> 00:08:41.000 If you're using git Bash on a Windows machine, you 175 00:08:41.000 --> 00:08:44.720 can call native Windows command line tools directly, things like 176 00:08:44.919 --> 00:08:47.919 reg to query the Windows registry oh wow, or web 177 00:08:47.919 --> 00:08:51.240 toodle to work with Windows event logs. You can investigate 178 00:08:51.279 --> 00:08:54.679 Windows systems using the same Bash skills. That cross platform 179 00:08:54.679 --> 00:08:57.200 ability is a huge win for analysts. 180 00:08:56.720 --> 00:09:00.000 So you're not constantly switching mental gears between operating systems. 181 00:09:00.440 --> 00:09:03.639 What about grabbing log files, say for later analysis. 182 00:09:03.759 --> 00:09:06.480 Super efficient. On Linux, you can package up all the 183 00:09:06.519 --> 00:09:09.639 logs in varlog into one compressed file, like sealing an 184 00:09:09.639 --> 00:09:13.639 evidence bag, with a command like tarh ccf O scs 185 00:09:13.759 --> 00:09:16.720 ez name logs, dot tr dot gz varlog easy. 186 00:09:16.840 --> 00:09:17.240 Nice. 187 00:09:17.240 --> 00:09:19.799 On Windows, you can script webtoodle to export all the 188 00:09:19.799 --> 00:09:22.919 different event logs. And here's a really powerful technique for 189 00:09:22.960 --> 00:09:24.919 remote systems, dotsh. 190 00:09:24.639 --> 00:09:25.320 It cure shell. 191 00:09:25.440 --> 00:09:28.000 Yeah, you don't even need to log into the remote machine. 192 00:09:28.000 --> 00:09:31.639 Sometimes you can run a command remotely like swash user 193 00:09:31.679 --> 00:09:34.440 at remote server command and get the output back on 194 00:09:34.480 --> 00:09:37.320 your local machine, or even run a local script on 195 00:09:37.399 --> 00:09:40.600 the remote machine like swash user at remote server, Bash, 196 00:09:40.840 --> 00:09:45.919 dash s dot mylocalscript, dot sh The script itself never 197 00:09:45.960 --> 00:09:49.480 has to be copied over there. It's efficient and sometimes stealthier. 198 00:09:49.679 --> 00:09:52.279 Okay, that's very cool for quick data grabs. So once 199 00:09:52.320 --> 00:09:55.039 you have the data, maybe logs or files from a system, 200 00:09:55.279 --> 00:09:57.399 it can be a lot of data. How do you 201 00:09:57.480 --> 00:09:59.840 start searching through it effectively? With Bash? 202 00:10:00.320 --> 00:10:03.639 Yeah, finding the needle in the haystack. Bash's fine command 203 00:10:03.799 --> 00:10:06.039 is your go to for searching based on filenames and 204 00:10:06.080 --> 00:10:07.240 other file attributes. 205 00:10:07.399 --> 00:10:08.799 Like finding suspicious file. 206 00:10:08.720 --> 00:10:11.960 Names exactly find dash name password. Could search the whole 207 00:10:12.000 --> 00:10:14.600 system for files with password in the name, use in 208 00:10:14.720 --> 00:10:18.120 name for case insensitive, or find hitting files which often 209 00:10:18.159 --> 00:10:20.320 start with a dot on Linux or Mac fine home 210 00:10:20.399 --> 00:10:23.240 name maagine. Remember that dot is a shell pattern matching 211 00:10:23.279 --> 00:10:24.519 file names starting with a dot. 212 00:10:24.639 --> 00:10:28.320 Got it filenames? What about searching inside the files for 213 00:10:28.440 --> 00:10:29.759 keywords or indicators. 214 00:10:30.000 --> 00:10:35.320 That's where GRIP comes in. Grap ir some directory suspicious pattern. 215 00:10:35.679 --> 00:10:39.039 The I makes it case insensitive, R makes it recursive 216 00:10:39.080 --> 00:10:42.440 through directories, and E specifies the pattern, which would typically 217 00:10:42.519 --> 00:10:45.279 be a regular expression here that you're looking for within 218 00:10:45.320 --> 00:10:45.840 the files. 219 00:10:45.960 --> 00:10:49.440 Okay, find for names grap for content makes sense. What 220 00:10:49.519 --> 00:10:53.240 about checking if files have been tampered with that integrity piece? 221 00:10:53.399 --> 00:10:58.480 Ah? Yes, Message digests or hashes tools like chess on 222 00:10:58.519 --> 00:11:01.759 some or md fivesome creator a unique digital fingerprint for 223 00:11:01.799 --> 00:11:04.159 a file. I could check some sort of but much 224 00:11:04.159 --> 00:11:07.480 more cryptographically strong. The key property is that changing even 225 00:11:07.639 --> 00:11:10.399 one single bit in the file will produce a completely 226 00:11:10.399 --> 00:11:11.320 different hash value. 227 00:11:11.399 --> 00:11:11.639 Wow. 228 00:11:11.759 --> 00:11:13.879 Okay, So if you calculate the hash of a critical 229 00:11:13.919 --> 00:11:16.320 system file and compare it to a known good value, 230 00:11:16.480 --> 00:11:18.600 you can tell instantly if it's been modified. It's a 231 00:11:18.600 --> 00:11:21.919 fundamental integrity check. You can script Bash to check hashes 232 00:11:21.960 --> 00:11:23.279 of many files very quickly. 233 00:11:23.440 --> 00:11:26.840 Powerful stuff. Okay, moving on to data processing and analysis. 234 00:11:26.960 --> 00:11:30.039 You've collected logs, maybe found some interesting files. How does 235 00:11:30.120 --> 00:11:33.080 Bash help make sense of, say a massive web server log. 236 00:11:33.440 --> 00:11:36.799 This is where combining tools with pipes really shines. Think 237 00:11:36.840 --> 00:11:40.759 about an Apache Access dot log, huge file, lots of lines. Right, 238 00:11:40.879 --> 00:11:43.840 you can use cut to extract just the IP address 239 00:11:43.879 --> 00:11:46.399 a the first field, then pipe that into sort, then 240 00:11:46.440 --> 00:11:49.360 pipe that into unique miss to count occurrences, and finally 241 00:11:49.360 --> 00:11:51.840 pipe that into sort. Dice on to see which ips 242 00:11:51.919 --> 00:11:55.759 made the most requests. Four simple commands chained together give 243 00:11:55.799 --> 00:11:56.879 you a top talkers list. 244 00:11:56.919 --> 00:11:59.720 It's pretty neat turning raw logs into a summary exact. 245 00:12:00.480 --> 00:12:02.960 Or you could use ak, which is brilliant for field 246 00:12:03.039 --> 00:12:05.840 based processing. Maybe you want to find which ips are 247 00:12:05.840 --> 00:12:08.480 getting lots of four O four not found errors, AC 248 00:12:08.679 --> 00:12:11.919 nine dollars easials four O four print one dollar. Access 249 00:12:11.919 --> 00:12:15.639 dot log could print the IP address field one from 250 00:12:15.720 --> 00:12:18.559 lines where the status code field nine is four oh four. 251 00:12:18.720 --> 00:12:20.240 Pipe that through your sertunic chain again. 252 00:12:20.320 --> 00:12:21.799 Help spot reconnaissance scanning. 253 00:12:21.840 --> 00:12:24.000 Maybe could be or maybe you want to see who's 254 00:12:24.000 --> 00:12:26.679 transferring the most data, use cut or ok to get 255 00:12:26.679 --> 00:12:29.240 the IP address and the number of bytes transferred. Then 256 00:12:29.320 --> 00:12:32.120 use another script maybe like the summer chistish example from 257 00:12:32.159 --> 00:12:34.879 the book, to total the bytes per IP. Sort that 258 00:12:35.120 --> 00:12:37.759 and a huge spike for one IP that might warrant 259 00:12:37.799 --> 00:12:39.519 investigation for data exultration. 260 00:12:39.960 --> 00:12:43.559 Right, checking the confidentiality wasn't breached precisely, and you can 261 00:12:43.600 --> 00:12:45.840 even visualize this stuff simply in the terminal. 262 00:12:46.120 --> 00:12:48.679 The book has examples like histogram dot ash that can 263 00:12:48.720 --> 00:12:51.960 take counts or totals and draw basic bar charts right there. 264 00:12:52.039 --> 00:12:53.200 Quick visual checks. 265 00:12:53.360 --> 00:12:58.120 Very cool. Okay. One more defensive area real time log monitoring, 266 00:12:59.120 --> 00:13:00.600 watching things as they happen. 267 00:13:00.679 --> 00:13:03.679 Yeah, super important for catching things early. The classic command 268 00:13:03.759 --> 00:13:08.039 here is tail dash F PATHTOLG file follow the file right. 269 00:13:08.080 --> 00:13:10.159 It just sits there and prints new lines as they 270 00:13:10.159 --> 00:13:12.080 get added to the end of the file. But the 271 00:13:12.080 --> 00:13:15.240 real power comes when you pipe that live stream. 272 00:13:15.159 --> 00:13:17.519 Ah pipe tail dash f output. 273 00:13:17.720 --> 00:13:20.440 Yes, pipe it into rep or egrep using the line 274 00:13:20.440 --> 00:13:23.200 buffered options, so it processes each line immediately, and you 275 00:13:23.200 --> 00:13:25.759 can filter that live stream for keywords or patterns so 276 00:13:25.840 --> 00:13:26.200 you can. 277 00:13:26.080 --> 00:13:29.600 Watch for specific errors or maybe log in attempts exactly. 278 00:13:29.879 --> 00:13:32.960 You could even build a simple lightweight intrusion detection system 279 00:13:33.039 --> 00:13:36.919 and IDs have a file say ioc dot txt with 280 00:13:37.080 --> 00:13:40.879 known bad patterns indicators of compromise like attempts to access 281 00:13:40.879 --> 00:13:45.080 sensitive files et cetera, paswd, or run commands pinch. Then 282 00:13:45.159 --> 00:13:47.600 you tail dash f your weblog and pipe it into 283 00:13:47.840 --> 00:13:53.120 egrep lineh buffer dash fioc dot txt. It will only 284 00:13:53.120 --> 00:13:55.639 show you the lines that match your bad patterns, alerting 285 00:13:55.639 --> 00:13:56.440 you in real time. 286 00:13:56.600 --> 00:13:59.399 Wow. Okay, a homegrown IDs with just tail. 287 00:13:59.200 --> 00:14:01.320 And rep pretty much, and you can do similar things 288 00:14:01.320 --> 00:14:04.159 on Windows. The book has a windtail dot sh script 289 00:14:04.200 --> 00:14:06.519 that uses web toodle in a loop to simulate tail 290 00:14:06.600 --> 00:14:08.519 dash f for Windows event logs. 291 00:14:08.279 --> 00:14:10.440 Bringing that real time view to Windows logs too. 292 00:14:10.559 --> 00:14:12.679 And you can take it further. There are scripts like 293 00:14:12.720 --> 00:14:15.639 webdash dot sh that use terminal control commands to create 294 00:14:15.679 --> 00:14:19.399 simple dashboards. They repeatedly run several commands, maybe monitoring different 295 00:14:19.440 --> 00:14:22.399 logs or system stats, and repaint the screen, giving you 296 00:14:22.480 --> 00:14:24.559 multiple live views in one terminal window. 297 00:14:24.639 --> 00:14:27.759 Okay, so Bash is definitely a powerhouse for defense and investigation. 298 00:14:28.000 --> 00:14:30.960 Let's flip the coin now penetration testing with Bash. Thinking 299 00:14:31.200 --> 00:14:34.200 like an adversary. How does Bash fit into the attacker's toolkit? 300 00:14:34.279 --> 00:14:35.440 Is there a structure they follow? 301 00:14:35.679 --> 00:14:39.799 Often yes, especially for more organized attackers. It's rarely just 302 00:14:39.919 --> 00:14:43.320 random hacking. A useful model to understand the phases is 303 00:14:43.399 --> 00:14:46.799 Mandiance attack life cycle. It lays out typical steps. 304 00:14:46.879 --> 00:14:47.559 Okay, where are they? 305 00:14:47.639 --> 00:14:50.679 There are about eight phases in that model. Reconnaissance first, 306 00:14:51.000 --> 00:14:56.960 then initial exploitation, establish foothold, escalate, privileges internal reconnaissance, move 307 00:14:57.039 --> 00:15:01.039 laterally inside the network, maintain presence, and and finally complete 308 00:15:01.080 --> 00:15:02.279 the mission whatever. 309 00:15:02.000 --> 00:15:05.840 That might be. Recon exploit foothold, escalate, internal recon lateral movement, 310 00:15:05.960 --> 00:15:07.679 maintain complete. Got it? 311 00:15:08.039 --> 00:15:11.840 Understanding that flow helps you see where tools including bashcripts 312 00:15:11.919 --> 00:15:15.440 might be used. It gives context to offensive actions. Bash 313 00:15:15.480 --> 00:15:17.960 makes an attacker very agile within this cycle. 314 00:15:18.159 --> 00:15:21.200 That framework definitely helps visualize it. Given how quick and 315 00:15:22.399 --> 00:15:24.840 low profile Bash can be, where does it really shine 316 00:15:24.879 --> 00:15:27.639 in this attack cycle? Let's start at the beginning. Reconnaissance. 317 00:15:27.720 --> 00:15:30.759 Reconnaissance is all about gathering intel in the target. Bash 318 00:15:30.840 --> 00:15:33.200 is great here. You can use kerl for example, to 319 00:15:33.240 --> 00:15:36.440 download web pages, maybe follow redirects to l save the output. 320 00:15:36.919 --> 00:15:39.919 Basically crawl website looking for information or vulnerabilities. 321 00:15:40.039 --> 00:15:40.919 This is from the command line. 322 00:15:41.000 --> 00:15:44.720 Yeah, and another classic technique is banner grabbing. Lots of 323 00:15:44.759 --> 00:15:49.559 network services like web servers, HGTP file servers, FTP mail 324 00:15:49.639 --> 00:15:53.200 servers SMTP. They announce themselves with a banner when you. 325 00:15:53.159 --> 00:15:55.360 Connect, like a welcome message kind of. 326 00:15:55.799 --> 00:15:58.840 And that banner often reveals the software name and version, 327 00:15:59.159 --> 00:16:02.720 maybe even the operating system gold dust for an attacker 328 00:16:02.759 --> 00:16:04.159 looking for known exploits. 329 00:16:04.320 --> 00:16:07.120 And you can automate grabbing these banners with Bash absolutely. 330 00:16:07.159 --> 00:16:10.559 But here's where Bash gets really sneaky and powerful, something 331 00:16:10.600 --> 00:16:13.799 that surprises people. You don't always need a dedicated tool 332 00:16:13.879 --> 00:16:16.080 like telnet or nmap to connect to a port and 333 00:16:16.120 --> 00:16:19.759 see that banner. No, Bash itself has this built in capability. 334 00:16:20.039 --> 00:16:23.679 Using a special filepath deftcfos nameport. 335 00:16:23.320 --> 00:16:26.320 Wait, Bash can make TCP connections directly effectively. 336 00:16:26.360 --> 00:16:28.440 Yes, it's a fetcher of the show. So an attacker 337 00:16:28.480 --> 00:16:31.200 on a system where maybe tools like telnet are removed 338 00:16:31.279 --> 00:16:34.519 or blocked, they can still perform network reconnaissance using just 339 00:16:34.600 --> 00:16:38.120 built in Bash commands. The book shows an SMTP connect 340 00:16:38.120 --> 00:16:42.039 dotsh script that uses exec three DVTCP one twenty five 341 00:16:42.120 --> 00:16:44.639 dollars to open a connection to an SMTP server on 342 00:16:44.720 --> 00:16:48.039 port twenty five and read its banner. No external tools needed. 343 00:16:48.159 --> 00:16:51.240 WHOA Okay, that is sneaky, minimal. 344 00:16:50.840 --> 00:16:54.159 Footprint exactly, pure command line resourcefulness. 345 00:16:54.360 --> 00:16:59.519 Okay. So after recun the model had like establishing a foothold, 346 00:16:59.639 --> 00:17:01.039 getting persistence. 347 00:17:00.639 --> 00:17:02.799 Right right Once you're in, you want a way to 348 00:17:02.799 --> 00:17:06.799 stay in or get back in easily. NC or netcat 349 00:17:06.839 --> 00:17:09.400 is often called the Swiss Army knife for networking. You 350 00:17:09.440 --> 00:17:13.160 can use it to create simple listeners, nclap port or 351 00:17:13.400 --> 00:17:15.240 make outbound connections. 352 00:17:14.680 --> 00:17:16.319 For simple data transfer or shells. 353 00:17:16.519 --> 00:17:19.279 Yes, and one very common technique for footholds is a 354 00:17:19.319 --> 00:17:21.359 reverse shell, especially using. 355 00:17:21.240 --> 00:17:23.880 SSH versus SSH. How does that work? 356 00:17:24.160 --> 00:17:27.319 Instead of the attacker connecting into the target, which might 357 00:17:27.319 --> 00:17:30.079 be blocked by a firewall, the compromised target machine initiates 358 00:17:30.119 --> 00:17:33.079 an outbound SSH connection to the attacker's machine using the 359 00:17:33.160 --> 00:17:36.000 natch R option SSR one two three four five dot 360 00:17:36.000 --> 00:17:38.759 local host part two to two attacker at attacker. This 361 00:17:38.799 --> 00:17:41.200 punches a hole out through the firewall. The attacker then 362 00:17:41.200 --> 00:17:43.200 connects to port one two three four five on their 363 00:17:43.200 --> 00:17:45.759 own machine, and SSH tunnels that connection back to the 364 00:17:45.799 --> 00:17:50.359 SSH server on the compromise targetqwever bypasses inbound rules very common. 365 00:17:50.480 --> 00:17:53.759 You can also create simpler, though less secure back doors 366 00:17:54.160 --> 00:17:58.319 just with Bash redirection and that devtsap trick again, something 367 00:17:58.440 --> 00:18:00.839 like exec binbash zero one one in two, two in 368 00:18:00.920 --> 00:18:04.279 one combined with connecting input output to a network socket 369 00:18:04.599 --> 00:18:07.839 instant remote shell Wow. Big warning though that kind of 370 00:18:07.880 --> 00:18:12.519 simple Bash backdoor. It's usually plain text unencrypted. Anyone stuffing 371 00:18:12.519 --> 00:18:16.200 the network can see everything risky, very so attackers might 372 00:18:16.240 --> 00:18:19.319 develop more sophisticated custom tools, maybe like the local rat 373 00:18:19.359 --> 00:18:22.519 dot show listener and remote rat dot ish client examples 374 00:18:22.839 --> 00:18:25.839 which use Bash scripting to provide more robust command execution 375 00:18:25.960 --> 00:18:28.759 and even file transfer capabilities over their backdoor channel. 376 00:18:28.880 --> 00:18:31.759 Makes sense now. If attackers are using these tools, they 377 00:18:31.799 --> 00:18:34.759 probably don't want defenders easily figuring them out if they 378 00:18:34.759 --> 00:18:37.240 get caught. That brings us to script obfuscation. 379 00:18:37.559 --> 00:18:40.480 Exactly, if your penetration testing script or your back door 380 00:18:40.519 --> 00:18:43.559 gets found, you don't want the blue team immediately understanding 381 00:18:43.559 --> 00:18:46.720 exactly how it works and what it did. Obfuscation makes 382 00:18:46.720 --> 00:18:47.880 reverse engineering harder. 383 00:18:48.279 --> 00:18:50.359 How do you obfuscate a Bash script? 384 00:18:50.599 --> 00:18:54.119 Several ways? Syntax obfuscation is the simplest. Just make the 385 00:18:54.160 --> 00:18:56.519 code hard to read. Put the whole script on one 386 00:18:56.599 --> 00:19:01.039 giant line, separated by semicolons. Use really meaningless variable and 387 00:19:01.160 --> 00:19:03.799 function names like afrioco. 388 00:19:03.559 --> 00:19:06.079 Or funky one annoying to read. That's the point. 389 00:19:06.559 --> 00:19:09.599 Then there's logic offuscation. This is where you add tons 390 00:19:09.640 --> 00:19:13.319 of useless code, pointless variables, functions calling other functions that 391 00:19:13.359 --> 00:19:17.039 do nothing important, complex loops that calculate something trivial. Makes 392 00:19:17.039 --> 00:19:19.599 a simple script look incredibly. 393 00:19:19.000 --> 00:19:22.279 Complicated, like hiding a needle in a bigger messier astac. 394 00:19:21.960 --> 00:19:25.519 Pretty much, but the most effective method is usually encryption. Okay, 395 00:19:25.559 --> 00:19:28.400 The basic idea is you have your real script plaintext. 396 00:19:28.599 --> 00:19:32.039 You encrypt it using a key producing ciphertext. You can 397 00:19:32.160 --> 00:19:36.279 use standard tools like ohensolars two thousand, CBC sll inrelscript 398 00:19:36.319 --> 00:19:40.039 dot sa outencrypted dot dot dot a password. Then you 399 00:19:40.079 --> 00:19:43.279 create a small rapper script. This wrapper contains the encrypted 400 00:19:43.359 --> 00:19:46.119 data and the password or prompts for it. When run, 401 00:19:46.200 --> 00:19:49.240