Monthly Jack2

[Tools] linux-explorer - Easy-to-use live forensics toolbox for Linux endpoints

Published by Jack2 on March 12th, 2018

[References]
  1. https://github.com/intezer/linux-explorer


0) 개요
  • Python & Flask 기반의 리눅스 엔트포인트 라이브 포렌식 도구

1) 기능
  • ps
    • 전체 프로세스 목록 확인
    • 프로레스 메모리 맵 확인 및 메모리 문자열을 쉽게 가져오기
    • 원클릭 메모리 덤프
    • 자동으로 공개된 서비스에 해시 검색
      • VirusTotal / AlienVault OTX / MalShare
  • users
    • 사용자 목록
  • find
    • 이름 및 정규식에 의한 의심스러운 파일 검색
  • netstat
    • Whois
  • logs
    • syslog
    • auth.log(사용자 인증 로그)
    • ufw.log(방화벽 로그)
    • bash history
  • anti-rootkit
    • chkrootkit
  • yara
    • YARA signatures( by @Neo23x0)를 이용한 파일 및 디렉토리 스캔
    • 메모리 주소 공간에서 동작하는 프로세스 스캔
    • 자신의 YARA 시그니쳐 업로드 가능

2) 사전 설치되어야 하는 것들
  • yara
    • sudo apt-get install yara
  • chkrootkit
    • sudo apt-get install chkrootkit

3) 설치 과정
  • git clone
malware@CEAT:~$ cd Tools/
malware@CEAT:~/Tools$ git clone https://github.com/intezer/linux_expl0rer
Cloning into 'linux_expl0rer'...
remote: Counting objects: 392, done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 392 (delta 4), reused 13 (delta 4), pack-reused 375
Receiving objects: 100% (392/392), 1.72 MiB | 610.00 KiB/s, done.
Resolving deltas: 100% (39/39), done.
Checking connectivity… done

  • 필요한 파이썬 라이브러리 확인 및 설치
malware@CEAT:~/Tools$ cd linux_expl0rer/
malware@CEAT:~/Tools/linux_expl0rer$ cat requirements.txt
certifi==2017.11.5
chardet==3.0.4
click==6.7
Flask==0.12.2
idna==2.6
itsdangerous==0.24
Jinja2==2.10
MarkupSafe==1.0
OTXv2==1.2
psutil==5.4.1
requests==2.18.4
simplejson==3.12.0
urllib3==1.22

malware@CEAT:~/Tools/linux_expl0rer$ sudo pip install -r requirements.txt

  • 해시값 확인을 위한 서비스들의 API 정보 설정 (옵션)
malware@CEAT:~/Tools/linux_expl0rer$ cat config.py
VT_APIKEY = ''
OTX_APIKEY = ''
MALSHARE_APIKEY = ‘'


  • 실행 권한을 준 뒤에 실행
malware@CEAT:~/Tools/linux_expl0rer$chmod +x start_server.sh
malware@CEAT:~/Tools/linux_expl0rer$./start_server.sh


4) 설치 과정 중 발생한 오류
  • yara가 설치되어 있지 않다는 오류 메시지 확인
malware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of master.zip or
master.zip.zip, and cannot find master.zip.ZIP, period.
[*] starting Linux Expl0rer...
Traceback (most recent call last):
File "linux_explorer.py", line 21, in
toolbox = dict({'yara': tools.YARA(),
File "/home/malware/Tools/linux_expl0rer/tools.py", line 16, in __init__
raise Exception('error: %s not installed' % self.__class__.__name__)
Exception: error: YARA not installed
    • linux_explorer.py, line 21
    • linux_expl0rer/tools.py, line 16

  • 현재 환경에는 다음과 같이 yara 가 정상적으로 동작
malware@CEAT:~/Tools/linux_expl0rer$ yara
yara: wrong number of arguments
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID

Try `--help` for more options

  • yara가 설치된 경로 확인
malware@CEAT:~/Tools/linux_expl0rer$ find / -name yara 2> /dev/null
/usr/local/bin/yara
/usr/local/lib/python2.7/dist-packages/cuckoo/data/yara
/usr/local/include/yara
/home/malware/cuckoo-modified/data/yara
/home/malware/.cuckoo/yara
/home/malware/Tools/yara-3.4.0/yara
/home/malware/Tools/yara-3.4.0/windows/yara
/home/malware/Tools/yara-3.4.0/libyara/include/yara
    • 이전에 확인한 tools.py에 명시된 경로와 차이로 현재 설치된 경로로 변경


  • 정상 동작 확인
malware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of master.zip or
master.zip.zip, and cannot find master.zip.ZIP, period.
[*] starting Linux Expl0rer...
* Running on http://127.0.0.1:8080/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 251-971-847
    • IP 및 포트번호 변경이 필요한 경우



5) 실행
  • IP 변경 후 재실행해도 정상동작 확인
malware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of master.zip or
master.zip.zip, and cannot find master.zip.ZIP, period.
[*] starting Linux Expl0rer...
* Running on http://127.0.0.1:8080/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 251-971-847
^Cmalware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
125a22041186964c6ced8707da2a320cc667f6cf
inflating: yara_rules/apt_agent_btz.yar
inflating: yara_rules/apt_alienspy_rat.yar
inflating: yara_rules/apt_apt10.yar
inflating: yara_rules/thor_inverse_matches.yar
inflating: yara_rules/threat_lenovo_superfish.yar
[*] starting Linux Expl0rer...
* Running on http://192.168.200.111:8080/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 251-971-847

  • 접속 화면



6) 한계점
  • 로컬 환경에서 빠르게 라이브 포렌식을 할 때는 용이하게 사용 할 수 있는 점이 있지만 grr 프레임워크가 보다 더 강력한 기능을 제공
    • 구글에서 공개한 도구 - https://github.com/google/grr
      • 파이썬 기반
      • 원격 라이브 포렌식 프레임워크
      • GRR is a python client (agent) that is installed on target systems, and python server infrastructure that can manage and talk to clients.

JAEKI KIM Posted on March 12th, 2018

comments powered by Disqus