New tool: linux-pkgs.sh

Published: 2024-03-24. Last Updated: 2024-03-26 12:48:15 UTC
by Jim Clausing (Version: 1)
0 comment(s)

During a recent Linux forensic engagement, a colleague asked if there was anyway to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do? So after some research, I initially put together 2 scripts, one to pull info from /var/lib/dpkg/status on Debian/Ubuntu-family systems and another to look through /var/lib/yum/yumdb to try to pull that info from RHEL/CentOS boxes that use yum, but then I remembered that Fedora uses dnf instead of yum and when I found a Fedora image I realized that dnf doesn't use /var/lib/yum/yumdb. I finally combined my original 2 into a single script and playing around for a bit figured out that the dnf info is kept in a sqlite db in /var/lib/dnf. So, I'm putting another new tool out there. This one can handle all 3 of the above cases. If anyone wants to help out with figuring out where other distros (not based on these 3 families) hide this data, feel free to share and I'll update, but these 3 handle the vast majority of cases that I run across and probably the vast majority of clound Linux instances, so I figure it is a good place to start.

As usual, this one can be found in my scripts repo on github.

References:

[1] https://github.com/clausing/scripts

[2] https://github.com/clausing/scripts/blob/master/linux-pkgs.sh

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords:
0 comment(s)

Tool updates: le-hex-to-ip.py and sigs.py

Published: 2024-03-24. Last Updated: 2024-03-25 03:24:49 UTC
by Jim Clausing (Version: 1)
0 comment(s)

I am TA-ing for Taz for the new SANS FOR577 class again and I figured it was time to release some fixes to my le-hex-to-ip.py script that I wrote up last fall while doing the same. I still plan to make some additional updates to the script to be able to take the hex strings from stdin, but in the meantime, figured I should release this fix. I was already using Python3's inet_ntoa() function to convert the IPv4 address, so I simplified the script by using the inet_ntop() function since it can handle both the IPv4 and IPv6 addresses instead of my kludgy handling of the IPv6. As a side-effect it also quite nicely handles the IPv4-mapped IPv6 addresses (of the form ::ffff:192.168.1.75).

And, during class today, I noticed that somewhere along the line, I broke my sigs.py script when taking input from stdin. That has now been fixed, too.

Both scripts can be found in my scripts repo on github.

References:

[1] https://github.com/clausing/scripts

[2] https://github.com/clausing/scripts/blob/master/le-hex-to-ip.py

[3] https://github.com/clausing/scripts/blob/master/sigs.py

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords: tool
0 comment(s)

Comments


Diary Archives