Monday, April 19, 2010

Command Line Goodness Part 1

OK...so if you don't know how to use the command line effectively in your investigations, you are REALLY limiting yourself. Sure, there are plenty of tools that will do what I am going to cover in the next few posts, but I would argue that using the command line is MUCH faster, more efficient, and if done properly, can help you perform data reduction with more accuracy...not to mention that these methods and tools are FREE.

First of all, you will need to download UnxUtils. This is a suite of Windows ports of the most popular Unix command line utilities. After you unzip the file, you can either drop them into the system32 directory or add their path to your profile. You will also want to grab grep v2.5.4, MD5deep and ssdeep, as well as Perl and Python v2.6.5. Once you have these command line utilities installed and on your path, you should be able to use them from any location...which is WAY better than having to navigate to each respective directory just to issue a command.

So...not to rush, but I am getting on a plane shortly, so I am going to provide you with my list of regexes and a few commands. We will use these throughout this blog series, so if you are going to follow along, get your box set up, and we will begin analysis in part two!

All credit cards (one recursive egrep pass over the current directory; egrep's ERE does not accept the (?:...) groups or \d used in the patterns further down, so they are spelled out as plain groups and [0-9] here):
egrep -r "(4[0-9. -]{12}([0-9]{3})?|5[1-5][0-9]{14}|6(011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(0[0-5]|[68][0-9])[0-9]{11}|(2131|1800|35[0-9]{3})[0-9]{11})" * > :\outfile.txt


Generic CC Numbers :
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

CC Numbers by brand (anchored, whole-string patterns):
Visa - ^4[0-9]{12}(?:[0-9]{3})?$
MC - ^5[1-5][0-9]{14}$
AMEX - ^3[47][0-9]{13}$
Discover - ^6(?:011|5[0-9]{2})[0-9]{12}$
JCB - ^(?:2131|1800|35\d{3})\d{11}$

CC Numbers by brand (bounded by a non-digit on each side, with up to three spaces or dashes allowed between digit groups; \x20 is a space, so these are Perl/Python style):
Diners - [^0-9](30[0-5][0-9]{11}|3[68][0-9]{12})[^0-9]
JCB - [^0-9]35[2-8][0-9][\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4}[^0-9]
MasterCard - [^0-9](36[0-9]{12}|5[1-5][0-9]{2}[\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4})[^0-9]
Visa-13 - [^0-9]4[0-9]{12}[^0-9]
Visa-16 - [^0-9]4[0-9]{3}[\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4}[^0-9]
AMEX - [^0-9]3[47][0-9]{2}[\x20\-]{0,3}[0-9]{6}[\x20\-]{0,3}[0-9]{5}[^0-9]
Discover - [^0-9](6011|6[245][0-9]{2})[\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4}[\x20\-]{0,3}[0-9]{4}[^0-9]
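
As an added example (my code, not part of the original post), the separator-tolerant brand patterns above in a Python script that also applies the Luhn mod-10 check, so regex hits that cannot be real card numbers are dropped before anyone has to eyeball them. The [^0-9] guards are replaced by lookarounds so a hit at the very start or end of a line still counts, reported numbers are masked to first six/last four, and the sample text and every number in it are constructed.

```python
import re
# Brand patterns adapted from the post (up to three spaces or dashes allowed
# between digit groups); lookarounds replace the post's [^0-9] guards.
SEP = r"[ \-]{0,3}"
BRANDS = {
    "Visa":       r"4[0-9]{3}" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}",
    "MasterCard": r"5[1-5][0-9]{2}" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}",
    "AMEX":       r"3[47][0-9]{2}" + SEP + r"[0-9]{6}" + SEP + r"[0-9]{5}",
    "Discover":   r"6(?:011|5[0-9]{2})" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}" + SEP + r"[0-9]{4}",
}
PAN_RE = re.compile(r"(?<![0-9])(?:" + "|".join(
    "(?P<%s>%s)" % (brand, pat) for brand, pat in BRANDS.items()) + r")(?![0-9])")

def luhn_ok(digits):
    """Mod-10 check: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits; never write full PANs to a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (line_no, brand, masked_pan) for regex hits that also pass Luhn."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ \-]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((line_no, m.lastgroup, mask(digits)))
    return hits

# Constructed sample: line 2 fails Luhn, line 5 has no known prefix; neither is reported.
SAMPLE = """\
order 1 card=4111 1111 1111 1111 exp=12/12
order 2 card=4111-1111-1111-1112 exp=01/13
ticket 378282246310005 amex
serial 5500000000000004 unit 6011000000000004
ref 1234567890123456
"""

if __name__ == "__main__":
    for line_no, brand, pan in find_pans(SAMPLE):
        print("line %d: %s %s" % (line_no, brand, pan))
```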

Track 1:
\%?B[0-9 ]{12,19}\^[^\^]+\/[^\^]+\^[0-9]{7}[^\?]+\.?

Track 2:
\;?[0-9]{12,19}[\=][0-9]{12,32}\.?

IP address (loose, any four dotted groups of 1-3 digits): '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
Strict version (each octet limited to 0-255; -o prints only the matched address, not the whole line):
egrep -o "\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"

Emails (written in upper case, so run it case-insensitively with egrep -i):
^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.(?:[A-Z]{2}|com|org|net|gov|mil|biz|info|mobi|name|aero|jobs|museum)$

URLs (the first matches a bare host name with a common TLD, the second a full http/https/ftp URL):
^[a-zA-Z0-9\-\.]+\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU)$
(http|ftp|https):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-\.,@?^=%&:/~\+#]*[\w\-\@?^=%&/~\+#])?


awk '{sub(/^/, "", $1); print }' <-- substitutes nothing at the start of field 1, but touching a field makes awk rebuild the line from its fields, so runs of whitespace collapse to single spaces

awk '{sub(/=(.)*/, "", $1) ; print }' <-- strips the "=" and everything after it from the first field (e.g. card=4111... becomes card)

cut -d':' -f2 <-- prints the second ':'-delimited field, i.e. everything after the first ":" up to the next one

See you soon!
