[SANS ISC] Sorting Things Out – Sorting Data by IP Address, (Fri, Oct 8th)

Sorting is one of the big wins in making sense of large volumes of data, which makes having good sorting tools and methods a big deal when you are working through the findings of a security assessment or pentest. Or, just as importantly, in day-to-day system administration.

I stumbled into a Twitter thread last week (as one does) about sorting by IP address, and it struck me that the lowly "sort" command has changed quite a bit since I last read the man page for it completely (back in the '80s, in the Bell Labs Unix books. And yes, they were printed on paper).

No matter if you are on the red team or the blue team, you're forever having to sort hostnames or IP addresses, sort findings / vulnerabilities by hostname or IP, or sort hostnames by vulnerabilities / findings.

So let's look at sorting by IP. For this we can use the "-V" (or "--version-sort") argument of GNU sort. This sorts things by "version", i.e. as strings of dot-separated numbers, comparing each run of digits by its numeric value rather than character by character. That matches what you want for IPv4 addresses, which are also four dot-separated numbers: a plain sort would put 192.168.122.101 ahead of 192.168.122.8, because the character "1" sorts before "8". Let's find the IPs in my lab that have SSH open, then reverse-sort them by IP address (nmap's grepable output lists each host twice, on a "Status:" line and on a "Ports:" line, which is what the uniq at the end is for):

# nmap -p22 --open 192.168.122.0/24 -oG ips.txt

# cat ips.txt | grep Host: | cut -d " " -f 2 | sort -Vr | uniq
192.168.122.186
192.168.122.176
192.168.122.113
192.168.122.101
192.168.122.51
192.168.122.8
192.168.122.7
192.168.122.6
192.168.122.5
192.168.122.1

 (thanks @flakpaket for this tidbit, this is an option that wasn’t in the paper Bell Labs Unix manuals back in the day!)

Or, what if you've got a list of files, for instance syslog files with IP addresses for filenames, that you want to sort? The ls option to sort by version is a lower-case "-v". Adding "-1" tells ls to give you the output as one entry per line (ls already does that on its own when its output goes to a pipe rather than a terminal). Run from the /syslog directory:

$ ls -v1
192.168.122.1.txt
192.168.122.82.txt
192.168.122.83.txt
192.168.122.84.txt
192.168.122.92.txt
192.168.122.93.txt
192.168.122.94.txt
192.168.122.100.txt
192.168.122.254.txt

 (also thanks to @flakpaket, this was also new to me!)

What if you're on an older version of Linux, or (as I am some days) on an older Windows host that has the GNU utilities installed instead of WSL, and your sort has no -V? In that case you can tell sort that the fields in each line are separated by "." (-t .), then tell it which fields to sort on and to compare them numerically (-k 1,1n for the first octet, -k 2,2n for the second, and so on). The "1,1" form matters: a key of plain "-k 1" would run from the first field to the end of the line. This is an oldie, and the one that's in my personal cheat-sheet from forever ago (but mentioned by @totalclaireity in this same thread):

$ ls /syslog | sort -r -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n

Or, since everything is in the same /24 subnet, we can just sort by the 4th octet:

$ ls /syslog | sort -r -t . -k 4,4n
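To see the three orderings (plain sort, sort -V, and the per-octet key sort) side by side, and to get the grepable-output pipeline from the start of this post into a reusable shape, here is an added shell example. It is mine, not code from the diary or from the Twitter thread. The nmap grepable output it parses is a constructed sample laid out the way nmap -oG writes it, with the two lines nmap emits per reported host, and the address list is made up to mix one-, two- and three-digit last octets.

```bash
#!/usr/bin/env bash
# Added example, not from the original diary: lexical sort vs GNU "sort -V"
# vs the portable per-octet key sort, plus IP extraction from nmap -oG output.

# Constructed sample of nmap grepable (-oG) output. nmap writes two lines per
# reported host, a "Status:" line and a "Ports:" line, hence the uniq below.
# (nmap separates the columns with tabs; the second space-separated field is
# the address either way, which is what "cut -d ' ' -f 2" relies on.)
NMAP_GREPABLE='# Nmap scan initiated as: nmap -p22 --open 192.168.122.0/24 -oG -
Host: 192.168.122.186 ()  Status: Up
Host: 192.168.122.186 ()  Ports: 22/open/tcp//ssh///
Host: 192.168.122.8 ()  Status: Up
Host: 192.168.122.8 ()  Ports: 22/open/tcp//ssh///
Host: 192.168.122.51 ()  Status: Up
Host: 192.168.122.51 ()  Ports: 22/open/tcp//ssh///
Host: 192.168.122.101 ()  Status: Up
Host: 192.168.122.101 ()  Ports: 22/open/tcp//ssh///
# Nmap done: 256 IP addresses (4 hosts up) scanned'

# Plain sort: byte order, so "1" < "5" < "8" no matter how many digits follow.
# LC_ALL=C pins the collation so the demonstration is identical in every locale.
sort_lexical() { LC_ALL=C sort; }

# GNU coreutils: compare each run of digits by its numeric value.
sort_version() { sort -V; }

# Portable fallback for a sort without -V: split on "." and sort the four
# octets numerically, most significant first. "-k 1,1n" means "field 1 only,
# numeric"; a bare "-k 1" would extend the key to the end of the line.
sort_octets() { sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n; }

# The diary's pipeline as a function: unique addresses, highest first.
# "sort -Vr | uniq" can be shortened to "sort -Vru".
ips_from_grepable() { grep '^Host: ' | cut -d ' ' -f 2 | sort -Vr | uniq; }

# Stand-alone demonstration of the three orderings on the same input.
demo() {
    sample="$(printf '%s\n' 192.168.122.186 192.168.122.8 192.168.122.51 192.168.122.101)"
    printf '== plain sort ==\n%s\n'     "$(printf '%s\n' "$sample" | sort_lexical)"
    printf '== sort -V ==\n%s\n'        "$(printf '%s\n' "$sample" | sort_version)"
    printf '== sort -t . -k n ==\n%s\n' "$(printf '%s\n' "$sample" | sort_octets)"
    printf '== from nmap -oG, descending ==\n%s\n' \
        "$(printf '%s\n' "$NMAP_GREPABLE" | ips_from_grepable)"
}

demo
```

The plain sort puts 192.168.122.101 first and 192.168.122.8 last; sort -V and the per-octet key sort agree with each other and with what a human expects. The key-based form is the one to reach for when the sort in front of you does not know -V.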

What about PowerShell? In that same thread, @mdjxkln shows us that PowerShell can sort on its [version] type as well. Here nmap's normal output is filtered for the "Nmap scan report for ..." lines and the fifth space-separated field, the address, is pulled out. This assumes nmap did not reverse-resolve the address to a name; run nmap with -n to make sure of that, otherwise the fifth field on a resolved host's line is the hostname, not the IP:

$ips = nmap -p22 --open 192.168.122.0/24 | grep report | cut -d " " -f 5

$ips | sort {[version] $_}
192.168.122.1
192.168.122.5
192.168.122.6
192.168.122.7
192.168.122.8
192.168.122.51
192.168.122.101
192.168.122.102
192.168.122.113
192.168.122.120
192.168.122.176
192.168.122.186
192.168.122.194

Or, in a slightly more readable form using the -as operator (which returns $null for anything that won't convert to a [version], instead of throwing an error):

$ips | sort {$_ -as [version]}
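The cut -d " " -f 5 step in both pipelines above has a catch: when nmap can reverse-resolve an address, the report line reads "Nmap scan report for name (address)", so field 5 is the name, which then fails the [version] cast (or, with -as, quietly becomes $null). Passing -n to nmap avoids the lookup; when all you have is saved output, take the last field and strip the parentheses instead. Here is an added shell example (mine, not from the diary) showing both behaviours on a constructed sample of nmap normal output; the hostname in it is made up.

```bash
#!/usr/bin/env bash
# Added example, not from the original diary: extracting the address from
# nmap's normal-output "Nmap scan report for" lines when some hosts have
# reverse-DNS names, then version-sorting the result.

# Constructed sample of nmap normal output (the hostname is made up). When
# reverse DNS resolves, nmap prints "name (address)" on the report line.
NMAP_NORMAL='Starting Nmap ( https://nmap.org )
Nmap scan report for 192.168.122.1
Host is up (0.00020s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for fileserver.lab.example (192.168.122.101)
Host is up (0.00031s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.122.51
Host is up (0.00028s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (3 hosts up) scanned'

# The diary's extraction step: field 5 of the report line. Correct for bare
# addresses, but it returns the hostname for a resolved host (left unsorted
# here so the file order is visible).
ips_field5() { grep 'report' | cut -d ' ' -f 5; }

# Robust version: the address is always the last field ($NF in awk); strip
# the parentheses nmap puts around it for resolved hosts, then version-sort.
ips_last_field() {
    awk '/^Nmap scan report for / { a = $NF; gsub(/[()]/, "", a); print a }' | sort -V
}

printf '== cut -f 5 ==\n%s\n' "$(printf '%s\n' "$NMAP_NORMAL" | ips_field5)"
printf '== last field, parentheses stripped ==\n%s\n' \
    "$(printf '%s\n' "$NMAP_NORMAL" | ips_last_field)"
```

The first listing contains "fileserver.lab.example" where an address should be; the second gives the three addresses in version order. The same last-field trick works in the PowerShell pipeline if you swap cut -f 5 for a split on spaces and take the final element.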

In another use case, let's pull all the computers in a domain from Active Directory (and yes, I did shorten this list), then sort them by IP. Get-ADComputer fills in IPv4Address by resolving DNSHostName, so hosts that don't resolve have none; those all convert to $null and land together at one end of the list:

PS C:\Users\robv> $pcs = Get-ADComputer -Filter * -Property Name,DNSHostName,OperatingSystem,OperatingSystemVersion,LastLogonDate,IPv4Address

PS C:\Users\robv> $pcs | Sort-Object { $_.IPv4Address -as [version] } | Select-Object Name,IPv4Address

SAMETIME           32.69.129.51
HIGHRIDGE          32.69.129.82
AMADA-SVR          32.69.129.84
RECEIVING-DTP      32.69.129.88
STEVE-LTP          32.69.129.91
CSIPRINT           32.69.129.95
AVAYAVMAIL         32.69.129.99
BARTENDER          32.69.129.109
UNIONOFFICE2-DTP   32.69.129.117
SHIPPING1-DTP      32.69.129.129
ALUM-DTP           32.69.129.137
PUNCHPRESS2-DTP    192.168.6.31
LOBBY-DTP          192.168.6.41
MARKETING-DTP      192.168.6.49
ENGLOANER2-LTP     192.168.253.25

How can you make sorting easier? Naming conventions are the traditional answer. Naming conventions are like belly buttons: everyone has one, and everyone's is different! The important thing when setting one up is to keep in mind that you'll be using tools like sort and grep (or their PowerShell / Python equivalents), find and findstr on Windows, or Excel once you start formatting your output, so design the convention to take advantage of those tools: fixed-position fields and a consistent delimiter give a sort key or a cut something to land on.

Have I missed any neat sort methods that you use daily? Or is there a more efficient syntax for what I've shown in this post? Very likely; please use our comment section to add to these methods!

References:

Thanks of course to @flakpaket (Jon Gorenflo), who started the Twitter thread:

https://twitter.com/flakpaket/status/1445419600624095236

$ man sort  (of course)

https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/sort-ipv4-addresses-correctly

And of course SANS SEC505: https://www.sans.org/cyber-security-courses/securing-windows-with-powershell/

===============
Rob VandenBrink
rob <at> coherentsecurity.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

