Questions about this topic? Sign up to ask in the talk tab.

Perl

From NetSec
Revision as of 18:54, 22 November 2011 by LashawnSeccombe (Talk | contribs)

Jump to: navigation, search

Practical Extraction and Report Language is the oldest of the interpreted languages, python being its 3 years younger sibling.

Perl is flexible and can be used to write web applications, command line applications, or services.

Development Environment

To develop in perl you will need only a perl interpreter and a text editor. For those of you who find un highlighted perl, there are a variety of windows & linux text editors with syntax highlighting support.

Windows:

  • notepad++
  • cygwin's vim implementation

Linux:

  • vim
  • nano
  • emacs
  • geany
  • gedit

Linux & Unix

On most distributions, perl and cpan come bundled by default. In the case it is not, a simple apt-get, emerge, yum install, pacman, or any other package manager should install it quickly. You can determine if perl is installed by typing `which perl' at the bash command line. If a filename is returned, you're good to go.

Windows

You can do everything we're going over by installing cygwin with perl. CYGWIN is available at http://www.cygwin.com/install.html

 For compilation to .exe, we recommend "pp", you can install this by `typing cpan -i pp' from your cygwin shell.
c3el4.png There is also a perl written by activestate- searching for "activestate perl" in any search engine will find it

CPAN

CPAN is the module and package installer for perl. It can be accessed on most distributions simply by typing `cpan'. On windows, you can access it by typing `cpan' in your CYGWIN shell.

Notice: If `cpan' does not work, try `perl -e 'shell' -mCPAN'. If this does not work, your installation may be broken.

Your first program

Variables & Data Types

Scalars

Arrays

Hashes

References

Boolean Logic

Statements

  • unless
  • if

Helper Natives

  • exists
  • defined

Operators

Bitwise Manipulations

Loops

While

Until

For

Foreach

User Input

Command Line Arguments

STDIN (Standard Input)

HTTP Inputs

Regular Expressions

LESSON

Perl Regex - Hatter

1.0 - Introduction The shebang declares the location of the code's interpreter. I.e. if you're writing bash, you'll need to put:

<syntaxhighlight lang="bash">#!/bin/bash</syntaxhighlight>

at the top of your file. In perl, it's typically:

<syntaxhighlight lang="bash">#!/usr/bin/perl</syntaxhighlight>

This should be the first line in any perl you write. You can also use:

<syntaxhighlight lang="bash">#!env perl</syntaxhighlight>

If you are unsure of the path and you have it in your environment variables. With perl in particular, its real easy to get it ugly as hell.

To counter this, your next two lines will be:

<syntaxhighlight lang="perl"> use strict; use warnings; </syntaxhighlight>

Strict perl forces you to maintain some semblence of syntax. Without the strict usage, you can basically run amok with code, perl does not care.

Our script so far should look like:

<syntaxhighlight lang="perl">

  1. !/usr/bin/perl

use strict; use warnings; </syntaxhighlight>

Now, thanks to mepholic, I've removed sensitive data from this log and made it available for everyone:

 http://blackhatacademy.org/sample_asterisk.log

You will need to save this file.

WINDOWS USERS:

TODAY we'll be writing a regex to read asterisk logs to determine ip's with authentication failures.

Our perl script is going to do the following :

1) Analyze an asterisk log 2) Determine IP's with auth failures 3) Determine number of auth failures per IP 4) Block IP's going over a configurable threshhold

To participate in this lesson, please download and install perl and a text editor of your choice.

You've got a few different data types in perl and its different than other languages. You have scalars (ints or strings) prefixed with $ You have arrays/lists prefixed with @ You have hashes (similar to a struct/associative array) prefixed with % You have references prefixed with a \

You can declare a variable by saying:

<syntaxhighlight lang="perl"> my [$%@]varname; </syntaxhighlight>

So if its a scalar:

<syntaxhighlight lang="perl"> my $scalar; </syntaxhighlight>

So :

<syntaxhighlight lang="perl"> my $scalar = 0; my $scalar = "foo"; </syntaxhighlight>

Either is acceptable or just:

<syntaxhighlight lang="perl"> my $scalar; </syntaxhighlight>

Now, for our example, we'll want to analyze each line. So let's look at these failed lines:

 [Aug 27 07:34:43] NOTICE[2762] chan_sip.c: Registration from '"1561"<sip:[email protected]>' failed for '113.105.152.180:40586' - No matching peer found

In this particular instance, we know the ip comes right before the last : in the string. So to match the ip itself and not the whole line, We'd do something like this:

 /\x27([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}):[^:]+$/

Where \x27 is a single quote. Obviously, this won't work for failed auths because it will match shit that isn't a failed auth. It'll also match successes or any line with an ip like that.

Here comes an in-depth explanation of that line:

Single quote, any digit between one and 3 characters in length, a dot, so on and so forth (match an IP), until the last : in the string, and it has to be right before the last : in the string. The [^:]+ at the end makes it so if a : occurs after that, it will no longer match as [^:]+ matches everything until the end of the string.

Now we've got to make it match failures too, the only real important data we care about is the ip, the count of failed auths and whether or not they're already in iptables for block because if they are we don't want to add another rule.

It means we've already blocked'em and these were previously analyzed logs

We'll use a hash to hold our ip's with failed auth and the value of each $hash{$ip} will contain the count of the failures. %hash is how it is declared and referred to but when you refer to a key of the hash, you want to put $ since its a scalar value you're accessing inside the hash.

You can directly modify the key inside of a hash by doing:

<syntaxhighlight lang="perl"> $hash{'key'} = 'value'; </syntaxhighlight>

Also, you can create an key=>value pair by doing:

<syntaxhighlight lang="perl"> my %hash = ( 'key' => 'value', 'key2' => 'value2' ); </syntaxhighlight>

You can copy the hash tree to another hash by doing:

<syntaxhighlight lang="perl"> my %hash2 = %hash; </syntaxhighlight>

If you want to print out a tree of the hashes, you can use:

<syntaxhighlight lang="perl"> while(my($key,$value) = each(%hash)) { print "Key: $key, Value: $value\n"; }; </syntaxhighlight>

Resulting Log:

 phobos public_html # perl test.pl
 113.105.152.180:10001
 220.134.238.64:2194
 67.205.85.58:7789
 80.254.76.242:4

So, http://blackhatacademy.org/test.pl.txt, will spit out your ip's and number of failures. This data is then used to blackhole IP's (preventing them from affecting the server)

That'll add a blackholed IP route if

1) They are over $threshhold failures (25) 2) They are not already blackholed