Exploit Notes

Splunk Pentesting

Last modified: 2023-01-25

Splunk is a platform for monitoring and searching large volumes of machine data. Its default port is 8089.

Default Credentials

admin:changeme

Dorks

In Splunk, click Search & Reporting. You may need to set the “All time” preset on the right of the search form, otherwise older events are not returned.
The search cheat sheet is below:

# The "main" index stores all the processed data
index="main" earliest=0
# Identify all sourcetypes
index="main" earliest=0 | stats count by sourcetype | sort -count
# Specify the sourcetype
index="main" sourcetype="<SourceType>"
# Specify the EventCode
# EventCode 8: CreateRemoteThread in Sysmon
index="main" sourcetype="<SourceType>" EventCode=8
# EventCode 11: FileCreate in Sysmon
index="main" sourcetype="<SourceType>" EventCode=11
# Retrieve the MD5 hash of the target image (backslashes in the path are doubled inside SPL quotes)
index="main" sourcetype="<SourceType>" Image="c:\\Path\\to\\file.exe" md5
# Retrieve file locations and the number of files created
index="main" sourcetype="<SourceType>" EventCode=11 | stats count by TargetFilename
# Filter by command line
# e.g. "net user /add"
index="main" sourcetype="<SourceType>" CommandLine="*/add*"
# Client-server method "POST", then search by file extension
index="main" sourcetype="iis" cs_method="POST" | search *.php* OR *.asp* OR *.aspx* OR *.jsp*
# Specify the file
index=main example.aspx sourcetype="<SourceType>"
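As an added worked example (not part of the original notes), the searches above built from structured input in Python, with SPL string escaping so that a caller-supplied value such as a Windows path or a command-line pattern cannot break out of its quoted literal. The "sysmon" sourcetype and the paths are constructed placeholders.

```python
import re
from typing import Union

# Field names are plain identifiers; anything else is rejected rather than
# interpolated into the search string.
_SAFE_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def spl_quote(value: str) -> str:
    # Inside double quotes SPL uses backslash as the escape character, so a
    # literal backslash is doubled and a literal double quote becomes \".
    # This is why the cheat sheet writes c:\\Path\\to\\file.exe to match the
    # on-disk path c:\Path\to\file.exe.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def field_eq(field: str, value: Union[str, int]) -> str:
    """Build one field=value clause; integers stay bare (EventCode=11)."""
    if not _SAFE_FIELD.match(field):
        raise ValueError(f"unsafe field name: {field!r}")
    literal = str(value) if isinstance(value, int) else spl_quote(value)
    return f"{field}={literal}"


def base_search(sourcetype: str, index: str = "main",
                **filters: Union[str, int]) -> str:
    """index="main" sourcetype="..." followed by any extra field filters."""
    clauses = [field_eq("index", index), field_eq("sourcetype", sourcetype)]
    clauses += [field_eq(name, val) for name, val in filters.items()]
    return " ".join(clauses)


def file_create_counts(sourcetype: str) -> str:
    """Sysmon EventCode 11 (FileCreate) events counted per TargetFilename."""
    return base_search(sourcetype, EventCode=11) + " | stats count by TargetFilename"


def image_hash_search(sourcetype: str, image_path: str) -> str:
    """Events for one image path, keeping the bare 'md5' term from the sheet."""
    return base_search(sourcetype, Image=image_path) + " md5"


if __name__ == "__main__":
    # Constructed inputs: a Windows path, and a value that tries to close the
    # quote and append its own index="*" filter; it stays inside the literal.
    print(image_hash_search("sysmon", r"c:\Path\to\file.exe"))
    print(base_search("sysmon", CommandLine='*/add*" OR index="*'))
```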
