Open in app

Sign in

Write

Sign in

Splunk [Part-1]— Try Hack me Room

mohomed arfath
8 min readJan 15, 2021

--

What is Splunk?

Splunk is a software tool for searching, analyzing and visualizing machine-generated data obtained from the websites, apps, sensors, computers, etc. that make up the company and The infrastructure.

For an organization, Splunk provides plenty of opportunities. Any of the advantages of using Splunk are Offers improved GUI in a dashboard with real-time visibility By delivering quick results, it reduces troubleshooting and solving time. It is a technique that is ideally used for root cause analysis. You can create graphs, warnings, and dashboards with Splunk.

Using Splunk, you can quickly check and investigate particular findings. It helps you to troubleshoot any malfunction scenario for enhanced results. Helps you track and make an educated decision on some market indicators Splunk allows Artificial Intelligence to be integrated into the data plan. Enables you to obtain valuable Tactical Information from your computer data

Task 2 →Can you dig it?

Splunk queries always begin with this command implicitly unless otherwise specified. What command is this? When performing additional queries to refine received data this command must be added at the start. This is a prime example of a slight trick question.

search

When searching for values, it’s fairly typical within security to look for uncommon events. What command can we include within our search to find these?

rare

What about the inverse? What if we want the most common security event?

top

When we import data into splunk, what is it stored under?

index

We can create ‘views’ that allow us to consistently pull up the same search over and over again; what are these called?

dashboard

Importing data doesn’t always go as planned and we can sometimes end up with multiple copies of the same data, what command do we include in our search to remove these copies?

dedup

Splunk can be used for more than just a SIEM and it’s commonly used in marketing to track things such as how long a shopping trip on a website lasts from start to finish. What command can we include in our search to track how long these event pairs take?

transaction

In a manner similar to Linux, we can ‘pipe’ search results into further commands, what character do we use for this?

|

In performing data analytics with Splunk (ironically what the tool is at it’s core) it’s useful to track occurrences of events over time, what command do we include to plot this?

timechart

What about if we want to gather general statistical information about a search?

stats

Data imported into Splunk is categorized into columns called what?

fields

When we import data into Splunk we can view it’s point of origination, what is this called? I’m looking for the machine aspect of this here.

host

When we import data into Splunk we can view its point of origination from within a system, what is this called?

source

We can classify these points of origination and group them all together, viewing them as their specific type. What is this called? Use the syntax found within the search query rather than the proper name for this.

sourcetype

When performing functions on data we are searching through we use a specific command prior to the evaluation itself, what is this command?

eval

Love it or hate it regular expression is a massive component to Splunk, what command do we use to specific regex within a search?

rex

It’s fairly common to create subsets and specific views for less technical Splunk users, what are these called?

pivot table

What is the proper name of the time date field in Splunk

_time

How do I specifically include only the first few values found within my search?

head

More useful than you would otherwise imagine, how do I flip the order that results are returned in?

reverse

When viewing search results, it’s often useful to rename fields using user-provided tables of values. What command do we include within a search to do this?

lookup

We can collect events into specific time frames to be used in further processing. What command do we include within a search to do just that?

bucket

We can also define data into specific sections of time to be used within chart commands, what command do we use to set these lengths of time? This is different from the previous question as we are no longer collecting for further processing.

span

When producing statistics regarding a search it’s common to number the occurrences of an event, what command do we include to do this?

count

Last but not least, what is the website where you can find the Splunk apps at?

Splunkbase.splunk.com

We can also add new features into Splunk, what are these called?

Apps

What does SOC stand for?

Security operations center

What does SIEM stand for?

Security information and event management

How about BOTS?

Boss of the soc

And CIM?

Common information model

what is the website where you can find the Splunk forums at?

Answers.splunk.com

Task 5 →Advanced Persistent Threat

What IP is scanning our web server?

To get the IP first we need to go to the reconnaissance tab like image-1

Then click Finding the IP Scanning your web server(part1 , part 2)

Then it will lead to another tab with default search query “index=botsv1 imreallynotbatman.com” like this we need to build all the other query one top of this.

index=botsv1 imreallynotbatman.com 
| stats count by source
| sort -count 
| head 10

index=botsv1 imreallynotbatman.com
| stats count by source → (calculate the summary of source by counting )
| sort -count → (sort the source count in to a descending order )
| head 10 →(take the first 10 results )

Now in result you can see there is a source file call stream:http this is the place that all http requests are stored

Now lets find out what are the scr_ip’s that did http requests to our site.

index = botsv1 imreallynotbatman.com sourcetype = stream:http
|stats count by src_ip
|sort -count

answer is 40.80.148.42

What web scanner scanned the server?

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip=”40.80.148.42" 
|stats count by src_headers 
|sort -count
|head 5

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip=”40.80.148.42"
|stats count by src_headers →(src_headers are the header files of HTTP requests)
|sort -count
|head 5

Answer is Acunetix

What is the IP address of our web server?

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42" 
| stats count by dest_ip 
| sort -count

IP →192.168.250.70

What content management system is imreallynotbatman.com using?

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42"
| stats count by uri 
| sort -count 
| head 10

answer is Joomla

What address is performing the brute-forcing attack against our website?

Most of the brute force requests must be Get or Post methods so now lets count how many post and get request we got for this site

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42" 
| stats count by http_method 
| sort -count

So in here you can see Most of the requests are post requests there for attack also happened this way. We know for brute force attack we need to have username and password variables
now lets take one variable as username and search 1 request to get the other variables lets run this command

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42" http_method="POST" username 
| table dest_content 
| head 1

So now we can see password variable name is passwd

Now lets find out how many Login request we got in here
this is the command we gonna use

index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd* 
| stats count by src_ip

now you can see 2 IP address and 23.22.63.114 IP did the brute force attack against our site
so the answer is 23.22.63.114

What was the first password attempted in the attack?

This search command is little bit similar to the previous command

index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd* 
| rex field=form_data "username=(?<u>\w+)" 
| rex field=form_data "passwd=(?<p>\w+)" 
| table _time, u, p 
| sort by _time
| head 3

I will break down the command for you it is easy to understand..

Use the rex command to either extract fields using a standard expression called classes.

use ( *, +, ? ) to define how to match the groups to the literal pattern. For example, * matches 0 or more, + matches 1 or more, and ? matches 0 or 1.

rex field=form_data "username=(?<u>\w+)

Rex — extract , field=from_data username=(? <u>\w+) →select the username column and represent as U and Find one or more alphanumeric characters in username

table _time, u, p 
| sort by _time
| head 3

create table with 3 column name _time, u and p and sort by _time and print first 3 result

in here I took the first 3 results.

So the First password is 12345678

One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Which six character song is it?

In this question they saying something about Coldplay song for that we need to have the all the Coldplay song list. you can copy that from here and need to save it as a csv format.

Now in Splunk, go to Settings > Lookups > Lookup table files > New lookup Table File.

If you didn't get the answer run the command

To check whether your file is uploaded correctly

I am stopping from here this blog is kind of long with in this week I will try to upload the second part of the Splunk..

Till then see youu…!!! Stay safe , stay curious

Splunk
Splunk Walkthrough
Tryhackme
Splunk Room
Splunk Task 5

--

--

mohomed arfath
mohomed arfath

Written by mohomed arfath

274 Followers
8 Following

Security Engineer as profession rest is Classified

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams