Questions about this topic? Sign up to ask in the talk tab.

Perl

From NetSec
Revision as of 14:20, 6 September 2011 by GeorgetFeeney (Talk | contribs)

Jump to: navigation, search

Practical Extraction and Report Language

Perl is the oldest interpreted language. More to come.

LESSON

Perl Regex - Hatter

1.0 - Introduction The shebang declares the location of the code's interpreter. I.e. if you're writing bash, you'll need to put:

  1. !/bin/bash

at the top of your file. In perl, it's typically:

  1. !/usr/bin/perl

This should be the first line in any perl you write. You can also use:

  1. !env perl

If you are unsure of the path and you have it in your environment variables. With perl in particular, its real easy to get it ugly as hell.

To counter this, your next two lines will be: use strict; use warnings; Strict perl forces you to maintain some semblence of syntax. Without the strict usage, you can basically run amok with code, perl does not care.

Our script so far should look like:

  1. !/usr/bin/perl

use strict; use warnings;

Now, thanks to mepholic, I've removed sensitive data from this log and made it available for everyone: http://blackhatacademy.org/sample_asterisk.log You will need to save this file.

WINDOWS USERS: You can do everything we're going over by installing CYGWIN with PERL. CYGWIN is available at http://www.cygwin.com/install.html

TODAY we'll be writing a regex to read asterisk logs to determine ip's with authentication failures.

Our perl script is going to do the following : 1) Analyze an asterisk log 2) Determine IP's with auth failures 3) Determine number of auth failures per IP 4) Block IP's going over a configurable threshhold

To participate in this lesson, please download and install perl and a text editor of your choice.

You've got a few different data types in perl and its different than other languages. You have scalars (ints or strings) prefixed with $ You have arrays/lists prefixed with @ You have hashes (similar to a struct/associative array) prefixed with % You have references prefixed with a \

You can declare a variable by saying: my [$%@]varname; So if its a scalar: my $scalar;

So : my $scalar = 0; my $scalar = "foo"; Either is acceptable or just: my $scalar;

Now, for our example, we'll want to analyze each line. So let's look at these failed lines: [Aug 27 07:34:43] NOTICE[2762] chan_sip.c: Registration from '"1561"<sip:[email protected]>' failed for '113.105.152.180:40586' - No matching peer found In this particular instance, we know the ip comes right before the last : in the string. So to match the ip itself and not the whole line, We'd do something like this: /\x27([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}):[^:]+$/ Where \x27 is a single quote. Obviously, this won't work for failed auths because it will match shit that isn't a failed auth. It'll also match successes or any line with an ip like that.

Here comes an in-depth explanation of that line: Single quote, any digit between one and 3 characters in length, a dot, so on and so forth (match an IP), until the last : in the string, and it has to be right before the last : in the string. The [^:]+ at the end makes it so if a : occurs after that, it will no longer match as [^:]+ matches everything until the end of the string.

Now we've got to make it match failures too, the only real important data we care about is the ip, the count of failed auths and whether or not they're already in iptables for block because if they are we don't want to add another rule. It means we've already blocked'em and these were previously analyzed logs

We'll use a hash to hold our ip's with failed auth and the value of each $hash{$ip} will contain the count of the failures. %hash is how it is declared and referred to but when you refer to a key of the hash, you want to put $ since its a scalar value you're accessing inside the hash.

You can directly modify the key inside of a hash by doing: $hash{'key'} = 'value';

Also, you can create an key=>value pair by doing: my %hash = ( 'key' => 'value', 'key2' => 'value2' );

You can copy the hash tree to another hash by doing: my %hash2 = %hash;

If you want to print out a tree of the hashes, you can use while(my($key,$value) = each(%hash)) { print "Key: $key, Value: $value\n"; };

Resulting Log: phobos public_html # perl test.pl 113.105.152.180:10001 220.134.238.64:2194 67.205.85.58:7789 80.254.76.242:4

So, http://blackhatacademy.org/test.pl.txt, will spit out your ip's and number of failures. This data is then used to blackhole IP's (preventing them from affecting the server)

That'll add a blackholed IP route if 1) They are over $threshhold failures (25) 2) They are not already blackholed