Scripting the server
The scripts shown below will create a new directory for case files and start two listeners. The first listener is used to log commands executed on the subject (client) machine and the second is used to receive files. A script to clean up and shut down the listeners is also presented. Here is the main script, start-case.sh:
!/bin/bash
# start-case.sh
#
Simple script to start a new case on a forensics
workstation. Will create a new folder if needed
and start two listeners: one for log information
and the other to receive files. Intended to be # used as part of initial live response. # by Dr. Phil Polstra (@ppolstra) as developed for # PentesterAcademy.com. usage () { echo “usage: $0 ” echo “Simple script to create case folder and start listeners” exit 1
}
if [ $# -lt 1 ] ; then usage else echo “Starting case $1” fi #if the directory doesn’t exist create it if [ ! -d $1 ] ; then mkdir $1 fi # create the log listener nc -k -l 4444 >> $1/log.txt & echo “Started log listener for case $1 on $(date)” | nc localhost 4444 # start the file listener
./start-file-listener.sh $1 &
This script starts with the special comment “#!” also known as the she-bang which causes the bash shell to be executed. It is important to run a particular shell as users who are allowed to pick their own might select something incompatible with your script. A # anywhere on a line begins a comment which terminates at the end of the line. The first several lines are comments that describe the script.
After the comments a function called usage is defined. To define a function in a shell script simply type its name followed by a space, empty parentheses, another space, and then enclose whatever commands make up the function in curly brackets. Unlike compiled languages and some scripting languages, shell scripts require white space in the proper places or they will not function correctly. The $0 in the line echo “usage: $0
Note the use of double quotes in the echo commands. Anything enclosed in double quotes is expanded (interpreted) by the shell. If single quotes are used, no expansion is performed. It is considered a good programming practice to define a usage function that is displayed when a user supplies command line arguments that do not make sense.
The line if [ $# -lt 1 ] ; then begins an if block. The logical test is enclosed in square brackets. Note that there must be white space around the brackets and between parts of the logical test as shown. The variable $# is set to the number of command line arguments passed in to the script. In this script if that number is less than 1, the usage function is called, otherwise a message about starting a case is echoed to the screen. The variable $1 is the first command line parameter passed in (right after the name of the script) which is meant to be the case name. Observe that the if block is terminated with fi (if spelled backwards).
The conditional statement in the if block that starts with if [ ! -d $1 ] ; then checks to see if the case directory does not yet exist. The -d test checks to see that a directory with the name that follows exists. The ! negates (reverses) the test so that the code inside the if block is executed if the directory doesn’t exist. The code simply uses mkdir to create the directory.
Next the line nc -k -l 4444 >> $1/log.txt & starts a listener on port 4444 and sends everything received to a file in the case directory named log.txt. Note the command is enclosed in back ticks (backward single quotes). This tells the shell to please run the command. The & causes the command to be run in the background so that more things may be executed.
The next line simply echoes a banner which is piped to the listener in order to create a header for the log file. Finally, another script is also run in the background. This scripts starts the file listener process. This script is described next.
!/bin/bash
# start-file-listener.sh
#
Simple script to start a new file
listener. Intended to be # used as part of initial live response. # by Dr. Phil Polstra (@ppolstra) as developed for # PentesterAcademy.com. # When a filename is sent to port 5555 a transfer on 5556 # is expected to follow. usage () { echo “usage: $0 ” echo “Simple script to start a file listener” exit 1
} # did you specify a case name? if [ $# -lt 1 ] ; then usage fi while true do filename=$(nc -l 5555)
nc -l 5556 > $1/$(basename $filename) done
This script starts with the standard she-bang which causes the bash shell to be used. It also defines a usage function which is called if a case name is not passed in to the script. The real work in this script is in the while loop at the end. The line while true causes an infinite loop which is only exited when the user presses Control-C or the process is killed. Note that unlike the if block which is terminated with fi, the do block is terminated with done (not od).
The first line in the loop runs a netcat listener on port 5555 and sets the filename variable equal to whatever was received on this port. Recall that we have used this trick of running a command inside of $() to set a variable equal to the command results in the previous script. Once a filename has been received a new listener is started on port 5556 (nc -l 5556 on the next line) and the results directed to a file with the same name in a directory named after the case name (> $1/$(basename $filename) on the second half of the line). The first command line argument, which should be the case name, is stored in $1. The basename command is used to strip away any leading path for a file that is sent.
Once a file has been received, the infinite loop starts a new listener on port 5555 and the cycle repeats itself. The loop exits when the cleanup script, to be described next, is executed. The client side scripts that send log information and files will be discussed later in this chapter.
!/bin/bash
# close-case.sh
# Simple script to start shut down listeners.
Intended to be used as part of initial live response. # by Dr. Phil Polstra (@ppolstra) as developed for # PentesterAcademy.com. echo “Shutting down listeners at $(date) at user request” | nc localhost 4444 killall start-case.sh killall start-file-listener.sh killall nc
This is our simplest script yet. First we echo a quick message to our log listener on port 4444, then we use the killall utility to kill all instances of our two scripts and netcat. If you are wondering why we need to kill netcat since it is called by the scripts, recall that in some cases it is run in the background. Also, there could be a hung or in-process netcat listener or talker out there. For these reasons it is safest just to kill all the netcat processes.