Web applications regularly receive suspicious traffic for all sorts of reasons: a kid pointing an automated vulnerability scanner at a website, someone fuzzing a parameter for SQL Injection, and so on. In most of these cases the web server logs have to be analyzed to work out what is going on, and a serious case may turn into a forensic investigation.
There are other scenarios as well:
For an administrator, it is important to know how to read logs from a security standpoint, not just for troubleshooting.
People who are just getting started with hacking or penetration testing should understand that every request they send is recorded, which is one reason never to test or scan a website without prior permission.
This article covers the basic concepts of log analysis needed for the scenarios above.
Setup
For demo purposes, I have the following setup.
Apache server
Pre-installed in Kali Linux. It can be started with the following command:
service apache2 start
MySQL
Pre-installed in Kali Linux. It can be started with the following command:
service mysql start
A vulnerable web application built with PHP and MySQL
I have developed a deliberately vulnerable web application in PHP and hosted it on the Apache and MySQL instances above.
With this setup in place, I scanned the URL of the vulnerable application with a few of the automated tools shipped with Kali Linux (ZAP, w3af) to populate the logs. Now let us look at various cases in analyzing them.
Logging in the Apache server
A web server should always keep access logs: they are often the only record of exactly what was sent to the application, and without them neither detection nor a later forensic investigation is possible.
On Debian-based systems (including Kali) the default location of the Apache access log is
/var/log/apache2/access.log
with errors going to /var/log/apache2/error.log in the same directory. Each access log line in the default combined format records the client IP, the timestamp, the request line (method, URL and protocol), the response status code, the response size, the Referer and the User-Agent.
Logging on its own only stores the requests; to get any value out of it, the logs have to be analyzed. In the next section we look at how the Apache access log can be read to determine whether attacks are being attempted against the website.
Analyzing the logs
Manual inspection
When the log is small, or when we are looking for a specific keyword, we can inspect it by hand with tools such as grep.
In the following figure, we search for all requests whose URL contains the keyword "union".
The figure shows the query "union select 1,2,3,4,5" in the URL, so someone at the IP address 192.168.56.105 has attempted SQL Injection (a UNION-based probe, which only succeeds once the attacker has guessed the number of columns in the original query).
In the same way we can search for any other request, as long as we know what keyword to look for.
In the following figure, we search for requests that try to read "/etc/passwd", the classic probe for Local File Inclusion and path traversal.
The screenshot shows many such LFI attempts, all sent from the IP address 127.0.0.1, so they came from an automated tool run on the server itself.
It is usually easy to tell when log entries come from an automated scanner: scanners are noisy (many requests against the same URL within seconds) and they use vendor-specific payloads when testing an application.
For example, IBM AppScan uses the word "appscan" in many of its payloads, so spotting such requests in the logs tells us what is going on. Keep in mind that the URL in the log is stored as received, so the keyword may be URL-encoded (for example %27 for a single quote or %2e%2e%2f for ../) and a plain grep for the decoded form will miss it.
Microsoft Excel is also a handy way to open and filter a log file when no log-parsing tool is available: import it with "space" as the delimiter. Note that the quoted fields (the request line, the Referer and the User-Agent) contain spaces of their own, so set the double quote as the text qualifier in the import wizard or those fields will be split across columns.
Beyond keyword searches, it is important to understand HTTP status codes during an analysis, because the code tells us how the server reacted to a suspicious request.
The table below summarizes the status code classes:
1xx | Informational |
2xx | Successful |
3xx | Redirection |
4xx | Client Error |
5xx | Server Error |
A burst of 404s from a single IP usually means a scanner guessing file names, a 500 in response to an injected quote suggests the input reached the database and broke the query, and a 200 in response to a payload deserves the closest look because the request was processed normally.
Web shells
Web shells are another problem for websites and servers. A web shell is a script (typically PHP on a LAMP server) that an attacker uploads and then calls over HTTP to execute commands with the privileges of the web server process. On a shared host, that can mean access to every other site running under the same account or server.
The following screenshot shows the same access.log file opened in Microsoft Excel, with a filter applied on the column holding the file requested by the client.
Looking closely, there is a file named "b374k.php" being accessed. "b374k" is a well-known PHP web shell, so this file is highly suspicious. Together with the response code "200", this line indicates that someone has uploaded a web shell and is successfully interacting with it through the web server.
The uploaded web shell does not always keep its original name; attackers frequently rename it to avoid suspicion. This is where we have to think like the attacker and check whether the files being requested are regular files of the application or something unusual: a PHP file in an upload or image directory, a file that was never part of a deployment, or a script that only ever receives POST requests with no Referer. File types and timestamps on disk (owner, creation time, a modification time that does not match the last deployment) are the next things to check if anything looks off.
One single quote for the win
SQL Injection is one of the most common vulnerabilities in web applications, and most people who get started with web application security begin with it. Identifying a traditional SQL Injection is as easy as appending a single quote to a URL parameter and seeing whether the query breaks.
Anything we pass in the URL is logged by the server, so it can be traced back.
The following screenshot shows the access log entry where a single quote is passed to check for SQL Injection in the parameter "user".
%27 is the URL-encoded form of a single quote; Apache stores the request line as it was received, so this is the form to search for.
For administration purposes, we can also monitor which queries are executed on the database.
The figure above shows the query executed as a result of the request in the previous figure, where the single quote passed through the parameter "user" lands unescaped inside the SQL statement.
We will discuss logging in databases in more detail later in this article.
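The grep searches, the Excel filter on the requested file, the status code table and the %27 check above all come down to the same two steps: parse each access log line into its fields, then test the URL-decoded request against a handful of indicators. The following Python script is an added example that does both in one pass; it is not code from the original article. The access log lines it parses are constructed for the example, and the indicator patterns (keywords for SQL Injection, LFI, scanner signatures and known web shell names) are illustrative assumptions to be tuned for a real site.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache "combined" LogFormat (the Debian default):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative indicators (assumptions, not a complete rule set). They are
# applied to the URL-decoded request so that %27 or %2e%2e%2f cannot hide.
INDICATORS = {
    "sqli":     re.compile(r"union\s+select|'|\bor\b\s+\d+\s*=\s*\d+", re.I),
    "lfi":      re.compile(r"/etc/passwd|\.\./", re.I),
    "scanner":  re.compile(r"appscan|w3af|nikto|sqlmap", re.I),   # vendor strings in path or UA
    "webshell": re.compile(r"/(b374k|c99|r57|wso)[\w.-]*\.php", re.I),
}

# Constructed sample log (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
192.168.56.105 - - [10/Apr/2018:10:01:12 +0000] "GET /index.php?id=1%20union%20select%201,2,3,4,5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Apr/2018:10:01:13 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 500 221 "-" "w3af.org"
127.0.0.1 - - [10/Apr/2018:10:01:14 +0000] "GET /index.php?page=%2Fetc%2Fpasswd%00 HTTP/1.1" 404 221 "-" "w3af.org"
192.168.56.105 - - [10/Apr/2018:10:02:01 +0000] "GET /login.php?user=admin%27 HTTP/1.1" 200 330 "-" "Mozilla/5.0"
192.168.56.105 - - [10/Apr/2018:10:05:44 +0000] "GET /uploads/b374k.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Apr/2018:10:06:00 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not an access log entry
"""

def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the names of the indicators that match this entry, in INDICATORS order."""
    decoded = unquote_plus(entry["path"])
    hits = []
    for name, rx in INDICATORS.items():
        # scanner signatures also show up in the User-Agent; the others only in the request
        haystack = decoded + " " + entry["ua"] if name == "scanner" else decoded
        if rx.search(haystack):
            hits.append(name)
    return hits

def analyze(lines):
    """One pass over the log: flagged requests plus a status code histogram per client IP."""
    findings = []                      # (ip, status, tags, decoded path)
    status_per_ip = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1              # count rather than drop silently: a skipped line is a gap
            continue
        status_per_ip[entry["ip"]][entry["status"]] += 1
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["status"], tags, unquote_plus(entry["path"])))
    return {"findings": findings, "status_per_ip": status_per_ip, "unparsed": unparsed}

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, status, tags, path in result["findings"]:
        print(f"{ip:15} {status} {','.join(tags):13} {path}")
    for ip, counts in result["status_per_ip"].items():
        print(f"{ip:15} {dict(counts)}")
    print(f"unparsed lines: {result['unparsed']}")
```

Run it against a real file with analyze(open("/var/log/apache2/access.log").readlines()). The single-quote test in the sqli pattern is deliberately crude and will flag legitimate content containing apostrophes; the per-IP status histogram is what separates a scanner (hundreds of 404s and 500s from one address) from a stray hit.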
Analysis with automated tools
When there is a huge amount of log data, manual inspection does not scale. In such scenarios we can use automated tools, combined with manual inspection of what they flag.
Though there are many effective commercial tools, I am introducing a free one known as Scalp.
According to its official page, "Scalp is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET."
Scalp can be downloaded from the following link.
It is a Python script, so Python must be installed on our machine.
The following figure shows the usage help of the tool.
As the figure shows, we feed it the log file to be analyzed with the flag "-l".
We also need to provide a filter file with the flag "-f"; this is the rule set Scalp uses to identify possible attacks in access.log.
We can use the filter from the PHPIDS project, which covers SQL Injection, XSS, file inclusion, directory traversal and other common attack classes.
This file is named default_filter.xml and can be downloaded from the link below.
The following piece of code is an excerpt of that file.
It uses rule sets defined in XML tags to detect various attacks: each filter carries a regular expression, a description, a list of tags naming the attack class and an impact score. The snippet above is the rule that detects a file inclusion attempt; the other filters in the file work the same way for the other attack types.
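To make the filter layout concrete, here is an added example, written for this article rather than taken from Scalp or from the PHPIDS file: it loads filters in the PHPIDS XML layout (the rule, tags and impact elements described above) and applies them to request targets in the way the -f option drives Scalp. The two filters and the four requests are constructed for the example; the real default_filter.xml contains far more rules, and whether the regexes here match PHPIDS's own wording is not claimed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Two filters constructed for this example in the PHPIDS default_filter.xml
# layout: a regex in <rule>, attack-class <tags>, and an <impact> score.
FILTER_XML = r"""<filters>
  <filter>
    <id>1</id>
    <rule><![CDATA[(?:\.\./|/etc/passwd|php://)]]></rule>
    <description>Detects basic directory traversal and file inclusion</description>
    <tags><tag>dt</tag><tag>lfi</tag></tags>
    <impact>5</impact>
  </filter>
  <filter>
    <id>2</id>
    <rule><![CDATA[(?:union\s+(?:all\s+)?select|'\s*(?:or|and)\s*'?\d)]]></rule>
    <description>Detects classic SQL injection probes</description>
    <tags><tag>sqli</tag></tags>
    <impact>6</impact>
  </filter>
</filters>
"""

# Request targets constructed for the example, URL-encoded as they appear in access.log.
REQUESTS = [
    "/index.php?page=..%2F..%2Fetc%2Fpasswd",
    "/products.php?id=1+union+select+1,2,3",
    "/login.php?user=admin%27+or+%271%27%3D%271",
    "/index.php?page=home",
]

def load_filters(xml_text):
    """Parse PHPIDS-style filters into compiled regexes with their tags and impact."""
    root = ET.fromstring(xml_text)
    filters = []
    for f in root.findall("filter"):
        filters.append({
            "id": int(f.findtext("id")),
            "regex": re.compile(f.findtext("rule"), re.I),
            "tags": [t.text for t in f.find("tags").findall("tag")],
            "impact": int(f.findtext("impact")),
        })
    return filters

def scan_request(path, filters):
    """Decode the request target first (an encoded payload must not slip past the
    rules), then return the matching rule ids, the union of their tags and the
    summed impact, which is what a report would sort on."""
    decoded = unquote_plus(path)
    hits = [f for f in filters if f["regex"].search(decoded)]
    return {
        "path": decoded,
        "ids": [f["id"] for f in hits],
        "tags": sorted({t for f in hits for t in f["tags"]}),
        "impact": sum(f["impact"] for f in hits),
    }

def scan_many(paths, filters, min_impact=1):
    """Scan a list of request targets and keep only those at or above min_impact."""
    results = (scan_request(p, filters) for p in paths)
    return [r for r in results if r["impact"] >= min_impact]

if __name__ == "__main__":
    rules = load_filters(FILTER_XML)
    for r in scan_many(REQUESTS, rules):
        print(f"impact={r['impact']} rules={r['ids']} tags={r['tags']} {r['path']}")
```

Feeding it the real default_filter.xml works as long as each filter keeps the id, rule, tags and impact elements; raising min_impact is the quickest way to cut noise from low-scoring rules when a scanner has generated thousands of hits.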
After downloading this file, place it in the same folder as Scalp.
Run the following command to analyze the logs with Scalp (the downloaded default_filter.xml has been renamed filter.xml here):
python scalp-0.4.py -l /var/log/apache2/access.log -f filter.xml -o output --html
Note: in the screenshot the log file is named access.log.1 because I renamed it on my system; you can ignore that.
'output' is the directory where the report will be saved. Scalp creates it automatically if it does not exist.
--html generates the report in HTML format.
As we can see in the figure, Scalp reports that it analyzed 4001 of 4024 lines and found 296 attack patterns. Lines that are not analyzed are typically ones that did not match the log format Scalp expects.
We can save the lines that were skipped, for separate inspection, using the "--except" flag.
The report is generated in the output directory after the command completes, and we can open it in a browser to look at the results.
The following screenshot shows a small part of the output, listing directory traversal attempts.
Logging in MySQL
This section deals with the analysis of attacks on the database and possible ways to monitor them.
The first step is to see which server variables are set. We can do this from the MySQL client with "show variables;" as shown below.
The following figure shows the output of the command.
As we can see, logging is turned on. By default this value is OFF, because the general log records every statement and costs performance.
Another important entry is "log_output", which says that the logs are written to a FILE. Alternatively, they can be written to a table (mysql.general_log) and queried with SQL.
We can also see that "log_slow_queries" is ON. Again, the default is OFF. (The figure shows the MySQL 5.0/5.1 variable names; they were removed in MySQL 5.6, where the general log is controlled by general_log and general_log_file and the slow log by slow_query_log and slow_query_log_file.)
All these options are explained in detail in the MySQL documentation:
http://dev.mysql.com/doc/refman/5.0/en/server-logs.html
Query monitoring in MySQL
The general query log records established client connections and every statement received from clients. As mentioned earlier, it is disabled by default because of the performance cost. We can enable it from the MySQL terminal (the setting then lasts until the server restarts) or make it permanent by editing the MySQL configuration file, as shown below.
I am using the vim editor to open the "my.cnf" file located under the "/etc/mysql/" directory.
Scrolling down, we find a Logging and Replication section where logging can be enabled. The general log is written to a file called mysql.log.
The comment in the file also warns that this log type is a performance killer.
Administrators usually enable it only temporarily, for troubleshooting or during an investigation.
We can also see the "log_slow_queries" entry, which logs queries that take a long time to run.
With this in place, if someone hits the database with a malicious query we can observe it in these logs, as shown below.
The figure shows a query hitting the database named "webservice" that attempts an authentication bypass using SQL Injection. Because the general log also records the connection that issued each statement (user, host and connection id), the query can be tied back to the web application's database account and correlated by time with the access log entry that triggered it.
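The correlation just described can be scripted. The following Python is an added example, not code from the original article: it reads a MySQL general query log in the MySQL 5.7 file layout (timestamp, connection id, command, argument), remembers which user, host and database sit behind each connection id, and flags statements whose shape suggests injected input reached the database. The log lines are constructed for the example and the suspicious-statement patterns are illustrative assumptions; it assumes general_log is ON with log_output=FILE.

```python
import re

# One general log line (MySQL 5.7 layout): ISO timestamp, connection id,
# command type, then the argument (the SQL text for "Query").
LINE_RE = re.compile(
    r"^(?P<time>\S+)?\s*(?P<id>\d+)\s+(?P<cmd>Connect|Init DB|Query|Quit)\s*(?P<arg>.*)$"
)
# Argument of a Connect line: "user@host on dbname using TCP/IP"
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\s+(?P<db>\S*)")

# Illustrative patterns (assumptions): the statement shapes that injected
# input tends to leave behind once it reaches the database.
SUSPICIOUS = {
    "tautology": re.compile(r"\bor\s+('?)(\w+)\1\s*=\s*\1\2\1", re.I),  # OR '1'='1', OR 1=1
    "comment":   re.compile(r"--\s|#|/\*"),                              # rest of query cut off
    "union":     re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time":      re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),        # blind, time-based
    "stacked":   re.compile(r";\s*(?:drop|insert|update|delete|create)\b", re.I),
}

# Constructed general log; connection 5 is a normal login, connection 6 is the attacker.
SAMPLE_LOG = """\
2018-04-10T10:00:01.000000Z\t    5 Connect\twebapp@localhost on webservice using TCP/IP
2018-04-10T10:00:01.100000Z\t    5 Query\tSELECT * FROM users WHERE user='admin' AND pass='s3cret'
2018-04-10T10:00:02.000000Z\t    6 Connect\twebapp@localhost on webservice using TCP/IP
2018-04-10T10:00:02.100000Z\t    6 Query\tSELECT * FROM users WHERE user='admin' OR '1'='1' -- ' AND pass=''
2018-04-10T10:00:02.200000Z\t    6 Query\tSELECT * FROM products WHERE id=1 UNION SELECT 1,2,3,4,5
2018-04-10T10:00:03.000000Z\t    6 Quit\t
2018-04-10T10:00:04.000000Z\t    5 Quit\t
"""

UNKNOWN = {"user": "?", "host": "?", "db": "?"}

def parse_general_log(lines):
    """Walk the log once, remembering who is behind each connection id so that a
    flagged Query can be attributed to a user, host and database."""
    sessions = {}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                   # header lines and server banners do not match
        cid, cmd, arg = m["id"], m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            sessions[cid] = c.groupdict() if c else dict(UNKNOWN)
        elif cmd == "Init DB":
            sessions.setdefault(cid, dict(UNKNOWN))["db"] = arg
        elif cmd == "Query":
            tags = [name for name, rx in SUSPICIOUS.items() if rx.search(arg)]
            if tags:
                who = sessions.get(cid, UNKNOWN)
                findings.append({"conn": cid, "time": m["time"], "tags": tags,
                                 "query": arg, **who})
    return findings

if __name__ == "__main__":
    for f in parse_general_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} conn={f['conn']} {f['user']}@{f['host']}/{f['db']} "
              f"[{','.join(f['tags'])}] {f['query']}")
```

Because the web application connects with a single database account, the user column will not identify the attacker; the value of the timestamp is that it lines up with the access.log entry from the previous section, which does carry the client IP.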
More logging
By default, Apache's access log records the request line of every request, whatever the method, but not the request body, so the parameters of a POST request (where most form-based injection happens) never appear in access.log. To capture POST data we can use the Apache module "mod_dumpio", which writes the raw request and response bodies to the error log at debug log level; it is verbose and should be enabled only while investigating.
For the implementation details, refer to the link below.
Alternatively, ModSecurity can be used to achieve the same result: its audit log records full request bodies for requests that match a rule (or, if configured, for all requests), which is both more selective and easier to search.
Content Written By Henry Dalziel, 2020
Traffic Monitoring Tools To Use In 2020
Understanding what goes in and out of your network is vital. If you are unfamiliar with the concept, read up on ingress and egress traffic first.
The first step is to understand what should and should not be on your network. We hope the tools listed on this page help with that.
We have used many of them, and while there is no perfect solution, they are all worth learning if you want to become a penetration tester, network engineer or system administrator.
Wireshark
Wireshark is a network packet analyzer: it captures network packets and decodes them for analysis, network troubleshooting, education, and software and protocol development.
We’ve covered Wireshark a lot – the best summary, if you are new to it, would be here.
Argus
Argus can be used to support network security management and network forensics; it works on the same packet captures as Wireshark and complements active tools such as Nmap.
With the right strategies, Argus flow data can be mined to determine whether you were compromised or attacked in the past, once an attack has been announced and indicators of compromise (IOCs) are available.
Is Argus Free?
Yes, Argus is free of charge.
Does Argus Work on all Operating Systems?
Argus works on Linux, Mac OS X and Windows.
What are the Typical Uses for Argus?
Argus can easily be adapted into a network activity monitoring system, answering a variety of activity questions (such as bandwidth utilization). It can also be used to track network performance through the stack and to capture higher-level protocol data. With additional mining techniques (such as moving averages), Argus data can be used for "spike tracking" of many fields.
Etherape
EtherApe is a graphical network monitor modeled after etherman. It has IP, TCP and link-layer modes that display network activity graphically.
Links and hosts grow and shrink with traffic, and protocols are colour-coded. It supports FDDI, Ethernet, ISDN, Token Ring, SLIP, PPP and WLAN devices plus many encapsulation formats. EtherApe can filter the traffic shown and can read packets from a capture file as well as live from the network. Node statistics can also be exported.
Is EtherApe Free?
Yes, EtherApe is free to use.
Does EtherApe Work on all Operating Systems?
EtherApe works on Linux and Mac OS X.
What are the Typical Uses for EtherApe?
EtherApe is mainly used to visualize which hosts are talking to each other and over which protocols, which makes unexpected flows (a workstation suddenly talking to many hosts, or an unfamiliar protocol) stand out.
Ettercap
Ettercap is an open-source network security tool built for man-in-the-middle attacks on local area networks.
It works by ARP poisoning the target hosts so that their traffic flows through the attacker's machine, with the network interface in promiscuous mode, and can then run a number of attacks against the victims. It also has plugin support, so features can be extended with new plugins.
Is Ettercap Free?
Ettercap is free and can be downloaded from its website.
Does Ettercap Work on all Operating Systems?
It works on several operating systems, including Windows, Mac OS X and Linux.
What are the Typical Uses for Ettercap?
Ettercap is used for content filtering on the fly, sniffing live connections and much more. It is also used for security auditing and network protocol analysis. It can intercept traffic on a network segment, conduct active eavesdropping against common protocols and capture passwords.
How Do You Install Ettercap?
On a Debian-based system, run these commands one at a time (the first two only matter if you build from source; the package manager pulls in what the binary package needs):
sudo apt-get install zlib1g zlib1g-dev
sudo apt-get install build-essential
sudo apt-get install ettercap
Nagios
Nagios is a network and system monitoring application. It monitors the hosts and services you specify and alerts you when things go bad and again when they recover.
Features include monitoring of the whole IT infrastructure, immediate notification when problems arise, spotting problems before they become outages, detecting some security events (a service that stops responding or a host that disappears), sharing availability data with stakeholders, planning and budgeting for upgrades, and reducing downtime and business losses.
Is Nagios Free?
Nagios Core is free to use.
Does Nagios Work on all Operating Systems?
Nagios is available for Linux.
What are the Typical Uses for Nagios?
Nagios is used to monitor network services such as SMTP, POP, HTTP, ICMP and NNTP, to monitor host resources, and to notify contacts when a host or service problem occurs and again when it is resolved.
Ngrep
This tool has been mentioned a few other times in our directory; it complements the other tools in this category.
Ngrep is similar to tcpdump, but it also matches a regular expression against the payload of each packet and shows the matching packets on the console. The result is that the user (typically a penetration tester or network security engineer) sees all unencrypted traffic passing over the network that matches the pattern. The interface has to be in promiscuous mode for this to work (ngrep, like tcpdump, sets that itself).
Is Ngrep Free?
Downloading and using Ngrep is free.
Does Ngrep Work on all Operating Systems?
It works on Linux, Windows and Mac OS X.
What are the Typical Uses for Ngrep?
Ngrep is used to grep traffic on the wire, to save it to pcap dump files, and to read capture files generated by tools like tcpdump or Wireshark.
Ntop
Ntop is a network probe used by security professionals to show network usage. In interactive mode ntop displays the network status on the user's terminal.
In web mode it behaves like a web server and renders the network status as HTML. It supports a NetFlow emitter and collector, an HTTP-based client interface for building ntop-centric monitoring applications, and RRD for storing traffic statistics persistently.
Is Ntop Free?
Yes, Ntop is free to use.
Does Ntop Work on all Operating Systems?
Ntop works on Linux, Microsoft Windows and Mac OS X.
What are the Typical Uses for Ntop?
Ntop is used to show network usage in real time. Its web interface can be opened in any browser, such as Google Chrome or Mozilla Firefox, to navigate through the traffic information and understand the network status. It monitors and supports protocols including DECnet, DLC, AppleTalk, TCP/UDP/ICMP, (R)ARP, NetBIOS and IPX.
POF
p0f is a very effective and well-known passive OS fingerprinting tool that comes highly recommended. Because it never sends a packet of its own, it can identify the machines you connect to, the machines that connect to your box, and any machine whose traffic your box can observe, even when that device sits behind a packet-filtering firewall.
Is P0f Free?
The use of this tool is free.
Does P0f Work on all Operating Systems?
P0f works on Linux, Windows and Mac OS X.
What are the Typical Uses for P0f?
P0f identifies a remote host's operating system purely by examining the packets it sends, even when the host is behind a packet-filtering firewall. It can also tell what kind of link the remote system is on and estimate how far away it is (in network hops). The latest beta can also detect unauthorized network hook-ups such as connection sharing. P0f can recognize types of NAT setups and packet filters, and can sometimes determine the other side's ISP.
Solarwinds
SolarWinds Firewall Security Manager (FSM) is a solution for organizations that need reporting and expert management of their most critical security devices.
Set-up and configuration are straightforward, and multiple clients can be deployed so that several administrators can access the system.
Is SolarWinds Free?
No. SolarWinds FSM is a paid product from a well-established vendor.
Does SolarWinds Work on all Operating Systems?
SolarWinds products run on Windows.
What are the Typical Uses for SolarWinds?
Uses of the SolarWinds tool set include network discovery scanning, router password decryption, SNMP community-string brute forcing, and a TCP connection reset program.
Splunk
Splunk captures, indexes and correlates data in a searchable repository from which it generates reports, graphs, alerts, visualizations and dashboards. It is widely regarded as one of the strongest log platforms for security work: it scales horizontally and can be clustered for high availability.
Is Splunk Free?
Splunk is a commercial product; a free edition with a daily indexing limit has also been offered.
Does Splunk Work on all Operating Systems?
Splunk Enterprise runs natively on Linux, Windows and Mac OS X.
What are the Typical Uses for Splunk?
Splunk is used to search, monitor, report on and analyze real-time streaming and historical IT data. It collects logs from many different sources and makes them searchable through a unified interface; the Apache and MySQL logs discussed earlier are typical inputs.
FAQ
If My Internet Is Slow Does It Mean The Network Is Hacked?
There are many possible reasons your Internet connection might seem to be slow. Potential problems include issues with your modem or router, Wi-Fi signal, signal strength on your cable line, the number of devices on your network saturating your bandwidth, or even a slow DNS server. It does NOT necessarily mean that someone has installed some sort of hacking network device, software or tool on your network.
Can Wireshark Be Detected On A Network?
A purely passive sniffer such as Wireshark sends nothing of its own; it only listens, so nothing on the wire directly reveals it and, from the captured traffic alone, it cannot be detected. In practice, the host running it is still on the network with a normal TCP/IP stack that keeps talking, and there are heuristics for spotting interfaces in promiscuous mode (for example, sending ARP requests to a bogus destination MAC address, which only a host in promiscuous mode will answer). "Almost impossible to detect" is therefore accurate for the capture itself, not necessarily for the machine doing it.