05 - Enumeration

cheat sheet -> https://github.com/corelight/zeek-cheatsheets/blob/master/Corelight-Zeek-Cheatsheets-3.0.4.pdf

Setting up zeek
...

docker pull zeek/zeek:latest       

docker run -v $(pwd):/mnt -i zeek/zeek sh

Enumeration
...

zeek -C -r Capture.pcap local

Pasted image 20231213132310.png

cat ssh.log | zeek-cut client | sort -u

Pasted image 20231213174443.png

cat ssh.log | zeek-cut id.orig_h | sort | uniq -c | sort -n | sort -u

Pasted image 20231213175212.png

Setting zeek-grep
...

alias zeek-grep='grep -e "^#" -e'^C

Pasted image 20231213175244.png

HTTP logs
...

less -S http.log  | zeek-cut user_agent | sort | uniq -c | sort -n

Pasted image 20231213180206.png

wget looks phisy.

cat http.log | zeek-grep Wget | zeek-cut id.orig_h id.resp_h uri user_agent

root@53ef41d5da39:/mnt# cat http.log | zeek-grep Wget | zeek-cut id.orig_h id.resp_h uri user_agent172.31.39.46    13.233.179.35   /PKCampaign/Targets/Forela/Ransomware2_server.zip       Wget/1.21.2

Setting up zeek...

Enumeration...

Setting zeek-grep...

HTTP logs...

Setting up zeek
...

Enumeration
...

Setting zeek-grep
...

HTTP logs
...