hacktracking: December 2017

# sysdig: System-level exploration tool

Installing
# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Listing chisels
# sysdig -cl

Listing fields to filter
# sysdig -l

Using a chisel
# sysdig -c topprocs_cpu

Writing events to file
# sysdig -z -w tracefile.scap.gz

Reading events from file and use a chisel
# sysdig -z -r tracefile.scap.gz -c topprocs_cpu

Filtering events for a specific process
# sysdig proc.name=sshd

Filtering events for a specific file
# sysdig fd.name=/var/log/auth.log

Filtering events for files that contain /etc
# sysdig fd.name contains /etc
# sysdig evt.args contains /bin/ls
# sysdig fd.ip=1.2.3.4
# sysdig fd.l4proto=udp

Formating the output
# sysdig -p '%evt.arg.path' 'evt.type=chdir and user.name=root'

Information about all chisels
# sysdig -cl | grep -P '^\w' | awk '{print $1}' | grep -v -e Category -e Use | xargs -L 1 sysdig -i

Interesting chisels
# sysdig -c topprocs_cpu
# sysdig -c echo_fds -s 2000 -A proc.name=httpd
# sysdig -c echo_fds -s 2000 -A fd.port=80 and evt.buffer contains GET
# sysdig -c spy_file 'RW /var/log/syslog'
# sysdig -c spy_logs
# sysdig -c spy_syslog
# sysdig -c spy_ip 1.2.3.4
# sysdig -c spy_port 443
# sysdig -c topconns
# sysdig -c topprocs_net
# sysdig -c spy_users 0|1
# sysdig -c lsof
# sysdig -c netstat
# sysdig -c ps
# sysdig -c topfiles_bytes proc.name contains tar
# sysdig -c list_login_shells ncat
# sysdig -c spy_users proc.loginshellid=1234
# sysdig -c stdin -c stdout proc.name=cat

Reference

https://github.com/draios/sysdig/wiki

# SimpleHTTPSServer with letsencrypt certificate

# apt-get update
# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# mkdir webserver
# cd webserver
# apt-get install certbot
# mkdir www
# certbot certonly --webroot -w $PWD/www -d mydomain.org -d www.mydomain.org
# cp /etc/letsencrypt/live/mydomain.org/privkey.pem .
# cp /etc/letsencrypt/live/mydomain.org/fullchain.pem .
# cat privkey.pem fullchain.pem > cert.pem
# cat https-server.py
import BaseHTTPServer, SimpleHTTPServer
import os
import ssl
import sys

port = 443

iface = sys.argv[1]
ipv4 = os.popen('ip addr show ' + iface).read().split('inet ')[1].split('/')[0]

cwd = os.getcwd()
certfile = cwd + '/cert.pem'
wwwdir = cwd + '/www'

os.chdir(wwwdir)

httpd = BaseHTTPServer.HTTPServer((ipv4, port), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile = certfile, server_side = True)
httpd.serve_forever()
# python https-server.py eth0