Perl
Practical Extraction and Report Language is the oldest of the interpreted languages, python being its 3 years younger sibling.
Perl
Contents
Development Environment
To develop in perl you will need only a perl interpreter and a text editor. For those of you who find un highlighted perl, there are a variety of windows & linux text editors with syntax highlighting support.
Windows:
- notepad++
- cygwin's vim implementation
Linux:
- vim
- nano
- emacs
- geany
- gedit
Linux & Unix
On most distributions, perl and cpan come bundled by default. In the case it is not, a simple apt-get, emerge, yum install, pacman, or any other package manager should install it quickly. You can determine if perl is installed by typing `which perl' at the bash command line. If a filename is returned, you're good to go.
Windows
You can do everything we're going over by installing cygwin with perl. CYGWIN is available at http://www.cygwin.com/install.html
- For compilation to .exe, we recommend "pp", you can install this by `typing cpan -i pp' from your cygwin shell.
There is also a perl written by activestate- searching for "activestate perl" in any search engine will find it |
CPAN
Your first program
Variables & Data Types
Scalars
Arrays
Hashes
References
Boolean Logic
Statements
- unless
- if
Helper Natives
- exists
- defined
Operators
Bitwise Manipulations
Loops
While
Until
For
Foreach
User Input
Command Line Arguments
STDIN (Standard Input)
HTTP Inputs
Regular Expressions
LESSON
Perl Regex - Hatter
1.0 - Introduction The shebang declares the location of the code's interpreter. I.e. if you're writing bash, you'll need to put:
<syntaxhighlight lang="bash">#!/bin/bash</syntaxhighlight>
at the top of your file. In perl, it's typically:
<syntaxhighlight lang="bash">#!/usr/bin/perl</syntaxhighlight>
This should be the first line in any perl you write. You can also use:
<syntaxhighlight lang="bash">#!env perl</syntaxhighlight>
If you are unsure of the path and you have it in your environment variables. With perl in particular, its real easy to get it ugly as hell.
To counter this, your next two lines will be:
<syntaxhighlight lang="perl"> use strict; use warnings; </syntaxhighlight>
Strict perl forces you to maintain some semblence of syntax. Without the strict usage, you can basically run amok with code, perl does not care.
Our script so far should look like:
<syntaxhighlight lang="perl">
- !/usr/bin/perl
use strict; use warnings; </syntaxhighlight>
Now, thanks to mepholic, I've removed sensitive data from this log and made it available for everyone:
http://blackhatacademy.org/sample_asterisk.log
You will need to save this file.
WINDOWS USERS:
TODAY we'll be writing a regex to read asterisk logs to determine ip's with authentication failures.
Our perl script is going to do the following :
1) Analyze an asterisk log 2) Determine IP's with auth failures 3) Determine number of auth failures per IP 4) Block IP's going over a configurable threshhold
To participate in this lesson, please download and install perl and a text editor of your choice.
You've got a few different data types in perl and its different than other languages. You have scalars (ints or strings) prefixed with $ You have arrays/lists prefixed with @ You have hashes (similar to a struct/associative array) prefixed with % You have references prefixed with a \
You can declare a variable by saying:
<syntaxhighlight lang="perl"> my [$%@]varname; </syntaxhighlight>
So if its a scalar:
<syntaxhighlight lang="perl"> my $scalar; </syntaxhighlight>
So :
<syntaxhighlight lang="perl"> my $scalar = 0; my $scalar = "foo"; </syntaxhighlight>
Either is acceptable or just:
<syntaxhighlight lang="perl"> my $scalar; </syntaxhighlight>
Now, for our example, we'll want to analyze each line. So let's look at these failed lines:
[Aug 27 07:34:43] NOTICE[2762] chan_sip.c: Registration from '"1561"<sip:[email protected]>' failed for '113.105.152.180:40586' - No matching peer found
In this particular instance, we know the ip comes right before the last : in the string. So to match the ip itself and not the whole line, We'd do something like this:
/\x27([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}):[^:]+$/
Where \x27 is a single quote. Obviously, this won't work for failed auths because it will match shit that isn't a failed auth. It'll also match successes or any line with an ip like that.
Here comes an in-depth explanation of that line:
Single quote, any digit between one and 3 characters in length, a dot, so on and so forth (match an IP), until the last : in the string, and it has to be right before the last : in the string. The [^:]+ at the end makes it so if a : occurs after that, it will no longer match as [^:]+ matches everything until the end of the string.
Now we've got to make it match failures too, the only real important data we care about is the ip, the count of failed auths and whether or not they're already in iptables for block because if they are we don't want to add another rule.
It means we've already blocked'em and these were previously analyzed logs
We'll use a hash to hold our ip's with failed auth and the value of each $hash{$ip} will contain the count of the failures. %hash is how it is declared and referred to but when you refer to a key of the hash, you want to put $ since its a scalar value you're accessing inside the hash.
You can directly modify the key inside of a hash by doing:
<syntaxhighlight lang="perl"> $hash{'key'} = 'value'; </syntaxhighlight>
Also, you can create an key=>value pair by doing:
<syntaxhighlight lang="perl"> my %hash = ( 'key' => 'value', 'key2' => 'value2' ); </syntaxhighlight>
You can copy the hash tree to another hash by doing:
<syntaxhighlight lang="perl"> my %hash2 = %hash; </syntaxhighlight>
If you want to print out a tree of the hashes, you can use:
<syntaxhighlight lang="perl"> while(my($key,$value) = each(%hash)) { print "Key: $key, Value: $value\n"; }; </syntaxhighlight>
Resulting Log:
phobos public_html # perl test.pl 113.105.152.180:10001 220.134.238.64:2194 67.205.85.58:7789 80.254.76.242:4
So, http://blackhatacademy.org/test.pl.txt, will spit out your ip's and number of failures. This data is then used to blackhole IP's (preventing them from affecting the server)
That'll add a blackholed IP route if
1) They are over $threshhold failures (25) 2) They are not already blackholed