For the shell programming background, see the post below:
2020/07/27 - [[혁신성장 청년인재] 인공지능을 활용한 보안전문가 양성과정] - Day13: Linux administration | FTP | NFS | shell programming
1. Analysing the lastb log recorded on the system (lastb file attached)
Preview of the lastb file:
user ssh:notty 192.168.110.200 Mon Oct 5 17:25 - 17:25 (00:00)
user ssh:notty 192.168.110.200 Mon Oct 5 17:13 - 17:13 (00:00)
user ssh:notty 192.168.110.200 Mon Oct 5 17:13 - 17:13 (00:00)
user ssh:notty 192.168.110.200 Mon Oct 5 17:13 - 17:13 (00:00)
user ssh:notty 192.168.110.200 Mon Oct 5 17:09 - 17:09 (00:00)
user ssh:notty 192.168.110.136 Mon Oct 5 17:08 - 17:08 (00:00)
user ssh:notty 192.168.110.136 Mon Oct 5 17:07 - 17:07 (00:00)
userhat ssh:notty 192.168.110.136 Mon Oct 5 16:27 - 16:27 (00:00)
userhat ssh:notty 192.168.110.136 Mon Oct 5 16:27 - 16:27 (00:00)
userhat ssh:notty 192.168.110.100 Mon Oct 5 16:27 - 16:27 (00:00)
userhat ssh:notty 192.168.110.100 Mon Oct 5 16:26 - 16:26 (00:00)
userhat ssh:notty 192.168.110.100 Mon Oct 5 16:26 - 16:26 (00:00)
user ssh:notty 192.168.110.110 Mon Oct 5 17:13 - 17:13 (00:00)
user ssh:notty 192.168.110.110 Mon Oct 5 17:09 - 17:09 (00:00)
user ssh:notty 192.168.110.110 Mon Oct 5 17:08 - 17:08 (00:00)
user ssh:notty 192.168.110.110 Mon Oct 5 17:07 - 17:07 (00:00)
userman ssh:notty 192.168.110.110 Mon Oct 5 16:26 - 16:26 (00:00)
userman ssh:notty 192.168.110.110 Mon Oct 5 16:25 - 16:25 (00:00)
userman ssh:notty 192.168.110.110 Mon Oct 5 16:25 - 16:25 (00:00)
test ssh:notty localhost Mon Oct 5 16:23 - 16:23 (00:00)
test ssh:notty localhost Mon Oct 5 16:23 - 16:23 (00:00)
userman ssh:notty 192.168.110.136 Mon Oct 5 16:25 - 16:25 (00:00)
userman ssh:notty 192.168.110.136 Mon Oct 5 16:25 - 16:25 (00:00)
userman ssh:notty 192.168.110.136 Mon Oct 5 16:25 - 16:25 (00:00)
userman ssh:notty 192.168.110.136 Mon Oct 5 16:25 - 16:25 (00:00)
userman ssh:notty 192.168.110.136 Mon Oct 5 16:24 - 16:24 (00:00)
test ssh:notty localhost Mon Oct 5 16:23 - 16:23 (00:00)
test ssh:notty localhost Mon Oct 5 16:23 - 16:23 (00:00)
test ssh:notty localhost Mon Oct 5 16:23 - 16:23 (00:00)
userhat ssh:notty 192.168.110.136 Mon Oct 5 16:26 - 16:26 (00:00)
userhat ssh:notty 192.168.110.136 Mon Oct 5 16:26 - 16:26 (00:00)
test ssh:notty localhost Mon Oct 5 16:23 - 16:23 (00:00)
root :0 :0 Mon Oct 5 11:02 - 11:02 (00:00)
btmp begins Mon Oct 5 11:02:02 2020
- Count how many attempts each user made (lastb records failed logins)
[admin@localhost Desktop]$ awk '{print $1}' lastb.txt | grep '^[a-z]' | sort | uniq -c
1 btmp
1 root
6 test
11 user
7 userhat
8 userman
- Count how many attempts came from each IP
[admin@localhost Desktop]$ awk '{print $3}' lastb.txt | grep '^[0-9]' | sort | uniq -c
3 192.168.110.100
7 192.168.110.110
11 192.168.110.136
5 192.168.110.200
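The same two counts as a small reusable script, added here as an example (not part of the original post). It drops the trailing "btmp begins" footer that the one-liner above counts as a user named "btmp", and adds the check a defender actually wants from lastb: which sources exceed a failure threshold. The lastb lines inside the script are constructed to mirror the excerpt above.

```shell
#!/bin/sh
# Added example: summarise failed logins from `lastb` output.
# LASTB_SAMPLE is constructed data shaped like the excerpt above; in real use,
# replace the printf in lastb_records with `lastb` or `cat lastb.txt`.
LASTB_SAMPLE='user     ssh:notty    192.168.110.200  Mon Oct  5 17:25 - 17:25  (00:00)
user     ssh:notty    192.168.110.200  Mon Oct  5 17:13 - 17:13  (00:00)
userhat  ssh:notty    192.168.110.136  Mon Oct  5 16:27 - 16:27  (00:00)
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)
root     :0           :0               Mon Oct  5 11:02 - 11:02  (00:00)

btmp begins Mon Oct  5 11:02:02 2020'

# Keep only real records: drop the blank line and the "btmp begins" footer,
# which the original one-liner mistakenly counted as a user called "btmp".
lastb_records() {
    printf '%s\n' "$LASTB_SAMPLE" | awk 'NF >= 3 && $1 != "btmp"'
}

# Failed attempts per user, as "count user" lines, busiest first.
failures_per_user() {
    lastb_records | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Failed attempts per source. Field 3 is the remote host: an IP, a hostname,
# or ":0" for a failure on the local graphical display.
failures_per_source() {
    lastb_records | awk '{print $3}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sources with at least $1 failures: a simple brute-force indicator worth alerting on.
noisy_sources() {
    failures_per_source | awk -v min="$1" '$1 >= min {print $2}'
}

# Number of failures recorded for one user (empty if the user never appears).
count_for_user() {
    failures_per_user | awk -v u="$1" '$2 == u {print $1}'
}

failures_per_user
failures_per_source
noisy_sources 2
```

With the constructed data, `noisy_sources 2` reports 192.168.110.200 only; on a real host, tune the threshold to the time window you feed in (for example `lastb -s yesterday`) rather than the whole btmp file.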
2. Web service (Apache) log analysis
I was going to generate a log myself, but just googled one and found this instead:
gist.github.com/rm-hull/bd60aed44024e9986e3c
1. Print only the IPs of successful (200) requests
$ awk '$9 == 200 {print $1}' access.log | grep '^[0-9]' | sort -n | uniq -c
10 2.134.205.87
2 2.60.195.241
1 2.86.149.141
2 2.92.107.146
2 2.92.97.180
4 2.93.102.73
2 2.93.147.171
2 2.93.161.253
2 2.93.199.113
2 2.93.207.131
4 2.93.207.163
2 2.93.207.249
2 2.93.207.51
2 2.93.207.76
2 2.93.207.80
26 2.93.22.237
2. Print only GET requests
$ head -10 access.log | sed 's/"/ /g' | awk '$6 == "GET" {print $1, $6, $7}' | sort -n | uniq -c
1 46.72.177.4 GET /administrator/
1 46.72.177.4 GET /administrator/index.php
1 83.167.113.100 GET /administrator/
1 83.167.113.100 GET /administrator/index.php
1 95.29.198.15 GET /administrator/
1 95.29.198.15 GET /administrator/index.php
1 109.169.248.247 GET /administrator/
1 109.169.248.247 GET /administrator/index.php
1 109.184.11.34 GET /administrator/
3. Print the request parameters
$ awk -F'"' '{print $2}' access.log
GET / HTTP/1.1
GET /templates/_system/css/general.css HTTP/1.1
GET /templates/jp_hotel/images/logo.jpg HTTP/1.1
GET /images/stories/raith/almhuette_raith.jpg HTTP/1.1
GET /images/stories/raith/almenland_logo.jpg HTTP/1.1
GET /images/stories/raith/wohnraum.jpg HTTP/1.1
GET /index.php?option=com_content&view=article&id=49&Itemid=55 HTTP/1.1
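The three filters above, rewritten as an added example (not from the original post). The original one-liners used `=` (assignment) where `==` (comparison) was meant, so every line passed the filter and `$6` was overwritten with "GET" on the way out. This version also reads the request from the quoted field (`$2` with `-F'"'`) instead of counting whitespace-separated fields, so a request line containing a space does not shift the status code out of `$9`. The log lines inside the script are constructed for this demonstration.

```shell
#!/bin/sh
# Added example: status and method filters over Apache combined-format log lines.
# ACCESS_SAMPLE is constructed; the last line deliberately has a space in the path,
# which breaks any approach that relies on `$9` being the status code.
ACCESS_SAMPLE='109.169.248.247 - - [12/Dec/2015:18:25:11 +0100] "GET /administrator/ HTTP/1.1" 200 4263 "-" "Mozilla/5.0"
109.169.248.247 - - [12/Dec/2015:18:25:11 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "-" "Mozilla/5.0"
46.72.177.4 - - [12/Dec/2015:18:31:08 +0100] "GET /administrator/ HTTP/1.1" 200 4263 "-" "Mozilla/5.0"
46.72.177.4 - - [12/Dec/2015:18:31:08 +0100] "POST /administrator/index.php HTTP/1.1" 404 4494 "-" "Mozilla/5.0"
83.167.113.100 - - [12/Dec/2015:18:31:25 +0100] "GET /index.php?q=a b HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Split on double quotes: $1 = "ip ident user [date tz] ", $2 = request line,
# $3 = " status bytes ". The client IP is the first token of $1, the status the first of $3.
ok_per_ip() {
    printf '%s\n' "$ACCESS_SAMPLE" \
        | awk -F'"' '{ split($3, st, " "); if (st[1] == "200") { split($1, h, " "); print h[1] } }' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Requests that used the method given as $1 (GET, POST, ...), printed as "ip method path".
# r[2] is the path up to its first space; use the whole $2 when the exact request matters.
by_method() {
    printf '%s\n' "$ACCESS_SAMPLE" \
        | awk -F'"' -v m="$1" '{ split($1, h, " "); split($2, r, " "); if (r[1] == m) print h[1], r[1], r[2] }'
}

# The bare request lines ("METHOD path protocol"), the simplest view for reviewing parameters.
request_lines() {
    printf '%s\n' "$ACCESS_SAMPLE" | awk -F'"' '{print $2}'
}

ok_per_ip
by_method GET
request_lines
```

Note that the fifth sample line is still counted as a 200 here, whereas `awk '$9 == 200'` would have compared the string `HTTP/1.1"` with 200 and dropped it.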
4. Checking for OS command injection (../../ traversal sequences)
$ awk -F'"' '{print $2}' web_scanner_access.log | grep -F '../'
GET /index.php/component/search/?ordering=../../../../../../../../../../etc/passwd%00.jpg&searchphrase=any&searchword= HTTP/1.1
GET /index.php/component/search/?ordering=alpha&searchphrase=../../../../../../../../../../etc/passwd&searchword= HTTP/1.1
GET /index.php/component/../../../../../../../../../../etc/passwd/ HTTP/1.1
GET /index.php?option=../../../../../../../../../../etc/passwd%00.jpg HTTP/1.1
GET /index.php/component/search/?ordering=../../../../../../../../../../../../../../../proc/version&searchphrase=all&searchword= HTTP/1.1
GET /index.php/component/search/?ordering=oldest&searchphrase=all&searchword=/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd HTTP/1.1
GET /DVWA/vulnerabilities/fi?page=/.././.././.././.././.././.././.././../etc/./passwd%2500 HTTP/1.1
GET /index.php/component/search/?ordering=oldest&searchphrase=any&searchword=../../../../../../../../../../etc/passwd HTTP/1.1
5. Checking for SQL injection
$ grep -Ei 'union|select|char' web_scanner_access.log | awk -F'"' '{print $2}'
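A literal `grep -F '../'` only sees traversal attempts written in the clear. Several of the scanner requests shown in section 4 already use `%5c` for a backslash and `%2500` for a double-encoded NUL, and `%2e%2e/` is the usual way to slip past a naive filter. The added example below (not from the original post) covers sections 4 and 5 together: it URL-decodes each request, repeating the decode to unwrap double encoding, and then tags it as TRAVERSAL, SQLI or OK. The sample log lines are constructed; the SQL pattern is the same loose `union|select|char` list the post uses, so treat hits as review candidates, not verdicts.

```shell
#!/bin/sh
# Added example: tag access-log requests with traversal / SQL-injection indicators
# after URL-decoding them. SCANNER_SAMPLE is constructed for this demonstration.
SCANNER_SAMPLE='10.0.0.5 - - [05/Oct/2020:16:20:01 +0900] "GET /index.php?option=../../../../etc/passwd%00.jpg HTTP/1.1" 200 12 "-" "scanner"
10.0.0.5 - - [05/Oct/2020:16:20:02 +0900] "GET /index.php?ordering=%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 12 "-" "scanner"
10.0.0.5 - - [05/Oct/2020:16:20:03 +0900] "GET /search/?searchword=/%5c../%5c../etc/passwd HTTP/1.1" 200 12 "-" "scanner"
10.0.0.5 - - [05/Oct/2020:16:20:04 +0900] "GET /fi?page=/.././../etc/./passwd%2500 HTTP/1.1" 200 12 "-" "scanner"
10.0.0.6 - - [05/Oct/2020:16:21:00 +0900] "GET /index.php?id=1+UNION+SELECT+1,2,3-- HTTP/1.1" 200 12 "-" "scanner"
10.0.0.6 - - [05/Oct/2020:16:21:01 +0900] "GET /index.php?id=1%27%20or%20char(65)=%27A HTTP/1.1" 500 12 "-" "scanner"
192.0.2.10 - - [05/Oct/2020:16:22:00 +0900] "GET /templates/_system/css/general.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Prints one line per request: "TAG ip method decoded-path".
scan_requests() {
    printf '%s\n' "$SCANNER_SAMPLE" | awk -F'"' '
    # Decode %XX escapes and "+" once. A decoded NUL is rendered as <NUL> so the
    # output stays printable and the byte is still visible to the reviewer.
    function urldecode(s,    out, c, h, n, hex) {
        hex = "0123456789ABCDEF"; out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                h = toupper(substr(s, 2, 2))
                n = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
                out = out (n == 0 ? "<NUL>" : sprintf("%c", n))
                s = substr(s, 4)
            } else if (c == "+") { out = out " "; s = substr(s, 2) }
            else { out = out c; s = substr(s, 2) }
        }
        return out
    }
    {
        split($1, h, " ")           # client IP is the first token before the quoted request
        split($2, r, " ")           # request line: METHOD path protocol
        d = r[2]
        for (i = 0; i < 3; i++) {   # decode repeatedly to unwrap double encoding (%2500 -> %00)
            nd = urldecode(d); if (nd == d) break; d = nd
        }
        tag = "OK"
        if (index(d, "../") || index(d, "..\\")) tag = "TRAVERSAL"
        else if (tolower(d) ~ /union|select|char\(/) tag = "SQLI"
        print tag, h[1], r[1], d
    }'
}

# Number of requests carrying the tag given as $1.
count_tag() {
    scan_requests | awk -v t="$1" '$1 == t' | wc -l | tr -d ' '
}

scan_requests
```

On the constructed data the three `%`-encoded traversal lines that `grep -F '../'` would miss are all tagged TRAVERSAL after decoding, while the plain CSS request stays OK.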
6. Saving as a JSON file
$ sed 's/"//g' access.log | grep '^[0-9]' |
awk 'BEGIN{print "{"} {printf "%s\"%d\":{\"IP\":\"%s\", \"METHOD\":\"%s\"}", (NR>1 ? ",\n" : ""), NR, $1, $6} END{print "\n}"}' > json_access.log
$ head json_access.log
{
"1":{"IP":"109.169.248.247", "METHOD":"GET"},
"2":{"IP":"109.169.248.247", "METHOD":"POST"},
"3":{"IP":"46.72.177.4", "METHOD":"GET"},
"4":{"IP":"46.72.177.4", "METHOD":"POST"},
"5":{"IP":"83.167.113.100", "METHOD":"GET"},
$ tail json_access.log
"10948":{"IP":"212.95.7.66", "METHOD":"GET"},
"10949":{"IP":"212.95.7.66", "METHOD":"GET"},
"10950":{"IP":"212.95.7.66", "METHOD":"GET"},
"10951":{"IP":"212.95.7.66", "METHOD":"GET"},
"10952":{"IP":"212.95.7.66", "METHOD":"GET"},
"10953":{"IP":"212.95.7.66", "METHOD":"GET"},
"10954":{"IP":"212.95.7.66", "METHOD":"GET"},
"10955":{"IP":"212.95.7.66", "METHOD":"GET"},
"10956":{"IP":"212.95.7.66", "METHOD":"GET"}
}
$ python -m json.tool json_access.log
{
    "1": {
        "IP": "109.169.248.247",
        "METHOD": "GET"
    },
    "10": {
        "IP": "109.184.11.34",
        "METHOD": "POST"
    },
    "100": {
        "IP": "83.167.113.100",
        "METHOD": "GET"
    },
    "1000": {
        "IP": "93.185.22.218",
        "METHOD": "POST"
    },
    "10000": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "10001": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "10002": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    ...
    "9995": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9996": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9997": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9998": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9999": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    }
}
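Two things make hand-built JSON fail validation: a trailing comma after the last record, and log content that contains a backslash or quote (Apache writes unprintable request bytes as `\xNN`, so backslashes are common in scanner traffic). The added example below (not from the original post) handles both: the comma is printed before every record except the first, and string values pass through a JSON escaper before being emitted. It also keeps the path and status, which the post's IP/METHOD-only version drops. The log lines inside the script are constructed.

```shell
#!/bin/sh
# Added example: convert Apache combined-format log lines to valid JSON in one awk pass.
# LOG_SAMPLE is constructed; the second line carries a backslash the way Apache logs
# escaped bytes (\x22), which must itself be escaped in the JSON output.
LOG_SAMPLE='109.169.248.247 - - [12/Dec/2015:18:25:11 +0100] "GET /administrator/ HTTP/1.1" 200 4263 "-" "Mozilla/5.0"
46.72.177.4 - - [12/Dec/2015:18:31:08 +0100] "GET /index.php?q=\x22test\x22 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
83.167.113.100 - - [12/Dec/2015:18:31:25 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "-" "Mozilla/5.0"'

# Prints one JSON object keyed by record number, as `python -m json.tool` expects.
log_to_json() {
    printf '%s\n' "$LOG_SAMPLE" | awk -F'"' '
    # Escape what JSON forbids inside a string: backslash and double quote.
    # "\\\\&" reaches gsub as \\& which it emits as a backslash followed by the match.
    function jesc(s) {
        gsub("\\\\", "\\\\&", s)
        gsub("\"", "\\\\&", s)
        return s
    }
    BEGIN { print "{" }
    {
        split($1, h, " ")     # h[1] = client IP
        split($2, r, " ")     # r[1] = method, r[2] = path
        split($3, st, " ")    # st[1] = status code
        rec = sprintf("\"%d\":{\"IP\":\"%s\",\"METHOD\":\"%s\",\"PATH\":\"%s\",\"STATUS\":%d}",
                      NR, jesc(h[1]), jesc(r[1]), jesc(r[2]), st[1])
        # Print the separator before every record except the first, so the last one
        # never ends with a comma.
        printf "%s%s", (NR > 1 ? ",\n" : ""), rec
    }
    END { print "\n}" }'
}

log_to_json
```

Piping `log_to_json` into `python -m json.tool` is the quickest check that the output parses; the record for the second sample line comes out with `"PATH":"/index.php?q=\\x22test\\x22"`, which decodes back to the original log text.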