Osquery
Osquery is an open-source tool created by Facebook. With Osquery, Security Analysts, Incident Responders, Threat Hunters, etc., can query an endpoint (or multiple endpoints) using SQL syntax. Osquery can be installed on multiple platforms: Windows, Linux, macOS, and FreeBSD.
Many well-known companies besides Facebook use Osquery, build it into their own tools, and/or look for people who know it.
Little Tricks To Achieve The Best Results In Osquery
Installation
If you wish to install Osquery on your local machine or local virtual machine, please refer to the installation instructions.
Install on Windows - CLICK HERE
Install on Linux - CLICK HERE
Install on macOS - CLICK HERE
Install on FreeBSD - CLICK HERE
For information on the Osquery daemon (osqueryd) and all of its command-line flags, refer to the documentation here.
For this walkthrough we will install on Linux. Let's start.
Osquery packages are not available in the default Ubuntu repository, so before installing we have to add the Osquery apt repository by running the following command in the terminal.
echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list 127 ⨯
deb [arch=amd64] https://pkg.osquery.io/deb deb main
Now we will import the signing key by running the following command in the terminal.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.4RXkY9hMi1/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
gpg: key 97A80C63C9D8B80B: public key "osquery (osquery) <osquery@fb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$
After importing the signing key, now update your system by running the following command in the terminal.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ sudo apt-get update
Now, install osquery by running this command
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ sudo apt-get install osquery 100 ⨯
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libbasicusageenvironment1 libdap25 libgarcon-gtk3-1-0 libgroupsock8 libgtop-2.0-11 libgtop2-common libjsoncpp1 liblivemedia77
liblttng-ust-ctl4 liblttng-ust0 libre2-8 librpm8 librpmbuild8 librpmio8 librpmsign8 libsane libusageenvironment3 libxdo3
libxfce4ui-utils libxpresent1 light-locker linux-headers-5.9.0-kali2-amd64 linux-headers-5.9.0-kali2-common
linux-image-5.9.0-kali2-amd64 python3-atomicwrites python3-pathtools tango-icon-theme x11-session-utils xdotool xfce4-appfinder
xfce4-helpers xfce4-panel xfce4-pulseaudio-plugin xfce4-session xfce4-settings xfdesktop4 xfdesktop4-data xfwm4 xiccd xinit xorg
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
osquery
0 upgraded, 1 newly installed, 0 to remove and 338 not upgraded.
Need to get 16.4 MB of archives.
After this operation, 92.2 MB of additional disk space will be used.
Get:1 https://pkg.osquery.io/deb deb/main amd64 osquery amd64 4.8.0-1.linux [16.4 MB]
Fetched 16.4 MB in 1min 52s (147 kB/s)
Selecting previously unselected package osquery.
(Reading database ... 407801 files and directories currently installed.)
Preparing to unpack .../osquery_4.8.0-1.linux_amd64.deb ...
Unpacking osquery (4.8.0-1.linux) ...
Setting up osquery (4.8.0-1.linux) ...
1468
Processing triggers for kali-menu (2021.2.0) ...
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$
After installing Osquery, now we have to check whether it has been installed correctly by running the following command
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ osqueryi --version
osqueryi version 4.8.0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$
Usage Time
We are now ready to use Osquery. Run the following command to enter the interactive shell prompt.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ osqueryi
Using a virtual database. Need help, type '.help'
osquery>
For Help Command:
.help
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.
.all [TABLE] Select all from a table
.bail ON|OFF Stop after hitting an error
.connect PATH Connect to an osquery extension socket
.disconnect Disconnect from a connected extension socket
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.features List osquery's features and their statuses
.headers ON|OFF Turn display of headers on or off
.help Show this message
.mode MODE Set output mode where MODE is one of:
csv Comma-separated values
column Left-aligned columns see .width
line One value per line
list Values delimited by .separator string
pretty Pretty printed SQL results (default)
.nullvalue STR Use STRING in place of NULL values
.print STR... Print literal STRING
.quit Exit this program
.schema [TABLE] Show the CREATE statements
.separator STR Change separator used by output mode
.socket Show the local osquery extensions socket path
.show Show the current values for various settings
.summary Alias for the show meta command
.tables [TABLE] List names of tables
.types [SQL] Show result of getQueryColumns for the given query
.width [NUM1]+ Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
osquery>
Getting All the Tables
Osquery exposes operating system data as a relational database, so everything is presented as tables. We can list all the tables by running this command.
.tables
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/osquery]
└─$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> .tables
=> acpi_tables
=> apparmor_events
=> apparmor_profiles
=> apt_sources
=> arp_cache
=> atom_packages
=> augeas
=> carbon_black_info
=> carves
=> user_events
=> user_groups
=> user_ssh_keys
=> users
=> yara
=> yara_events
=> ycloud_instance_metadata
=> yum_sources
osquery>
Now we can get data from these tables by running SQL-based queries.
Listing Information About all the Users
We can see all the information about users by running the following command in the interactive shell
SELECT * FROM users;
osquery> SELECT * FROM users;
+-------+-------+------------+------------+-------------------+--------------------------------------+-------------------------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+-------+-------+------------+------------+-------------------+--------------------------------------+-------------------------+-------------------+------+
| 0 | 0 | 0 | 0 | root | root | /root | /bin/zsh | |
| 1 | 1 | 1 | 1 | daemon | daemon | /usr/sbin | /usr/sbin/nologin | |
| 2 | 2 | 2 | 2 | bin | bin | /bin | /usr/sbin/nologin | |
| 9 | 9 | 9 | 9 | news | news | /var/spool/news | /usr/sbin/nologin | |
| 1003 | 1004 | 1003 | 1004 | hackingtruth.in | | /home/hackingtruth.in | /usr/bin/zsh | |
+-------+-------+------------+------------+-------------------+--------------------------------------+-------------------------+-------------------+------+
osquery>
We can also extract only the relevant data about users. For example, to see only the usernames and no other information about the users:
SELECT username FROM users;
osquery> SELECT username FROM users;
+-------------------+
| username |
+-------------------+
| root |
| daemon |
| bin |
| sys |
| sync |
| games |
| man |
| systemd-resolve |
| mysql |
| _dnscrypt-proxy |
| debian-tor |
| Debian-exim |
| redis |
| _gvm |
| ak |
| speech-dispatcher |
| hackingtruth.in |
+-------------------+
osquery>
Similarly, we can get the usernames along with each user's home directory by running this command.
SELECT username, directory FROM users;
osquery> SELECT username, directory FROM users;
+-------------------+-------------------------+
| username | directory |
+-------------------+-------------------------+
| root | /root |
| daemon | /usr/sbin |
| bin | /bin |
| sys | /dev |
| sync | /bin |
| games | /usr/games |
| man | /var/cache/man |
| lp | /var/spool/lpd |
| redis | /var/lib/redis |
| _gvm | /var/lib/openvas |
| ak | /home/ak |
| speech-dispatcher | /run/speech-dispatcher |
| hackingtruth.in | /home/hackingtruth.in |
+-------------------+-------------------------+
osquery>
We can also get all the data for a specific user. For example, to get all the information about the root user:
SELECT * FROM users WHERE username="root";
osquery> SELECT * FROM users WHERE username="root";
+-----+-----+------------+------------+----------+-------------+-----------+----------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+-----+-----+------------+------------+----------+-------------+-----------+----------+------+
| 0 | 0 | 0 | 0 | root | root | /root | /bin/zsh | |
+-----+-----+------------+------------+----------+-------------+-----------+----------+------+
osquery>
We can also get specific data from specific fields (columns).
For example:
SELECT username, gid FROM users WHERE username="root";
osquery> SELECT username, gid FROM users WHERE username="root";
+----------+-----+
| username | gid |
+----------+-----+
| root | 0 |
+----------+-----+
osquery>
Listing all The Processes
We can list the first five processes running on Linux with the following command.
SELECT * FROM processes LIMIT 5;
osquery> SELECT * FROM processes LIMIT 5;
+-------+--------------------+------+--------------------------+-------+-----+------+-----+-----+------+------+------+------+---------+------------+---------------+------------+-----------+-------------+-----------------+--------------------+------------+--------+--------+---------+------+
| pid | name | path | cmdline | state | cwd | root | uid | gid | euid | egid | suid | sgid | on_disk | wired_size | resident_size | total_size | user_time | system_time | disk_bytes_read | disk_bytes_written | start_time | parent | pgroup | threads | nice |
+-------+--------------------+------+--------------------------+-------+-----+------+-----+-----+------+------+------+------+---------+------------+---------------+------------+-----------+-------------+-----------------+--------------------+------------+--------+--------+---------+------+
| 1 | systemd | | /sbin/init splash | S | | | 0 | 0 | 0 | 0 | 0 | 0 | -1 | 0 | 10848000 | 165436000 | 1530 | 2780 | | | 1622207274 | 0 | 1 | 1 | 0 |
| 10 | rcu_tasks_rude_ | | | S | | | 0 | 0 | 0 | 0 | 0 | 0 | -1 | 0 | | | 0 | 490 | | | 1622208791 | 2 | 0 | 1 | 0 |
| 11 | rcu_tasks_trace | | | S | | | 0 | 0 | 0 | 0 | 0 | 0 | -1 | 0 | | | 0 | 0 | | | 1622207274 | 2 | 0 | 1 | 0 |
+-------+--------------------+------+--------------------------+-------+-----+------+-----+-----+------+------+------+------+---------+------------+---------------+------------+-----------+-------------+-----------------+--------------------+------------+--------+--------+---------+------+
osquery>
We can find the process ID of a specific process. For example, to find the process ID of zsh, run the following command in the interactive shell:
SELECT pid FROM processes WHERE name="zsh";
osquery> SELECT pid FROM processes WHERE name="zsh";
+-------+
| pid |
+-------+
| 14917 |
| 6291 |
+-------+
osquery>
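Added example (not part of the original post): the pid alone says little during an investigation, so this query joins processes to users and back to processes itself to show who owns each zsh process and which process started it. It uses only columns visible in the outputs above; the SQLite datetime() function converts the epoch start_time to readable UTC.

```sql
-- Added example: give a process name some context.
-- Resolves the owning account and the parent process for every 'zsh' process.
SELECT
  p.pid,
  p.name,
  u.username,                                  -- owner, resolved from p.uid
  p.cmdline,
  p.parent                            AS ppid,
  pp.name                             AS parent_name,
  datetime(p.start_time, 'unixepoch') AS started_utc
FROM processes AS p
LEFT JOIN users     AS u  ON u.uid  = p.uid    -- LEFT JOIN keeps processes whose uid has no local account
LEFT JOIN processes AS pp ON pp.pid = p.parent -- self-join to name the parent
WHERE p.name = 'zsh'
ORDER BY p.start_time;
```

A shell whose parent_name is not a terminal emulator, sshd or a login process is worth a closer look.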
report a snapshot of the current processing
Finding Version of
osquery> SELECT * FROM os_version;
+----------------+---------+-------+-------+-------+-------+----------+---------------+--------------+--------+
| name | version | major | minor | patch | build | platform | platform_like | codename | arch |
+----------------+---------+-------+-------+-------+-------+----------+---------------+--------------+--------+
| Kali GNU/Linux | 2021.1 | 2021 | 1 | 0 | | kali | debian | kali-rolling | x86_64 |
+----------------+---------+-------+-------+-------+-------+----------+---------------+--------------+--------+
osquery>
Checking Network Interfaces and IP Addresses
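We can check the IP address and subnet mask of the network interfaces. The query as run below has no comma between address and mask, so SQLite reads mask as an alias for the address column; that is why the output shows the addresses under a mask heading. With a comma between the two column names, both columns are returned. The filter NOT LIKE '%lo%' also excludes any interface whose name merely contains "lo" (for example wlo1), not just the loopback interface.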
osquery> SELECT interface, address mask FROM interface_addresses WHERE interface NOT LIKE '%lo%';
+-----------+----------------------------------------+
| interface | mask |
+-----------+----------------------------------------+
| usb0 | 192.168.42.15 |
| usb0 | 2409:4064:e8c:3aa6:6c61:8faa:7134:c8e8 |
| usb0 | 2409:4064:e8c:3aa6:d4a3:82ff:fee0:fd6e |
| usb0 | fe80::d4a3:82ff:fee0:fd6e%usb0 |
+-----------+----------------------------------------+
osquery>
Checking Logged in Users
We can also check logged in users on your system by querying data from the ‘logged_in_users’ table.
SELECT user,host,time FROM logged_in_users WHERE tty NOT LIKE '-';
osquery> SELECT user,host,time FROM logged_in_users WHERE tty NOT LIKE '-';
+-----------+--------------------+------------+
| user | host | time |
+-----------+--------------------+------------+
| reboot | 5.10.0-kali5-amd64 | 1622227081 |
| LOGIN | | 1622207319 |
| runlevel | 5.10.0-kali5-amd64 | 1622207352 |
| hackerboy | :0 | 1622207355 |
+-----------+--------------------+------------+
osquery>
Checking System Memory
We can also check total memory, free memory, cached memory, etc.
SELECT memory_total FROM memory_info;
osquery> SELECT memory_total FROM memory_info;
+--------------+
| memory_total |
+--------------+
| 3903123456 |
+--------------+
osquery>
To check free memory of your system run the following query.
SELECT memory_free FROM memory_info;
osquery> SELECT memory_free FROM memory_info;
+-------------+
| memory_free |
+-------------+
| 457252864 |
+-------------+
osquery>
We can also check the cached memory of the system using memory_info table by running this query
select cached from memory_info;
osquery> SELECT cached from memory_info;
+------------+
| cached |
+------------+
| 1626595328 |
+------------+
osquery>
Listing the Groups
We can find all the groups in your system by running the following query.
SELECT * FROM groups;
osquery> SELECT * FROM groups;
+-------+------------+------------------+
| gid | gid_signed | groupname |
+-------+------------+------------------+
| 0 | 0 | root |
| 1 | 1 | daemon |
| 2 | 2 | bin |
| 3 | 3 | sys |
| 4 | 4 | adm |
| 5 | 5 | tty |
| 6 | 6 | disk |
| 7 | 7 | lp |
| 142 | 142 | debian-tor |
| 143 | 143 | Debian-exim |
| 144 | 144 | redis |
| 145 | 145 | _gvm |
| 1002 | 1002 | atul |
| 1003 | 1003 | ak |
| 1004 | 1004 | hackingtruth.in |
+-------+------------+------------------+
osquery>
Displaying Listening Ports
We can display all the listening ports of our system by running the following command in the interactive shell.
SELECT * FROM listening_ports;
osquery> SELECT * FROM listening_ports;
+-------+------+----------+--------+-----------+----+--------+--------------------------------------------+---------------+
| pid | port | protocol | family | address | fd | socket | path | net_namespace |
+-------+------+----------+--------+-----------+----+--------+--------------------------------------------+---------------+
| -1 | 22 | 6 | 2 | 0.0.0.0 | -1 | 20567 | | 0 |
| -1 | 9050 | 6 | 2 | 127.0.0.1 | -1 | 19986 | | 0 |
| -1 | 22 | 6 | 10 | :: | -1 | 20569 | | 0 |
| -1 | 255 | 255 | 2 | 0.0.0.0 | -1 | 2902 | | 0 |
| -1 | 58 | 255 | 10 | :: | -1 | 31505 | | 0 |
| 11512 | 0 | 0 | 1 | | 7 | 0 | /home/hackerboy/.osquery/shell.em | 0 |
| 1513 | 0 | 0 | 1 | | 12 | 0 | @/tmp/.ICE-unix/1513 | 0 |
| -1 | 0 | 0 | 1 | | -1 | 0 | @/tmp/.X11-unix/X0 | 0 |
| 1468 | 0 | 0 | 1 | | 16 | 0 | /run/user/1000/systemd/notify | 0 |
| 1468 | 0 | 0 | 1 | | 19 | 0 | /run/user/1000/systemd/private | 0 |
| 1494 | 0 | 0 | 1 | | 3 | 0 | /run/user/1000/bus | 0 |
| 1468 | 0 | 0 | 1 | | 26 | 0 | /run/user/1000/gnupg/S.dirmngr | 0 |
| 1468 | 0 | 0 | 1 | | 27 | 0 | /run/user/1000/gnupg/S.gpg-agent.browser | 0 |
| 1468 | 0 | 0 | 1 | | 28 | 0 | /run/user/1000/gnupg/S.gpg-agent.extra | 0 |
| 1468 | 0 | 0 | 1 | | 29 | 0 | /run/user/1000/gnupg/S.gpg-agent.ssh | 0 |
+-------+------+----------+--------+-----------+----+--------+--------------------------------------------+---------------+
osquery>
We can also check whether a port is listening or not by running the following command.
SELECT port, address FROM listening_ports WHERE port=9050;
osquery> SELECT port, address FROM listening_ports WHERE port=9050;
+------+-----------+
| port | address |
+------+-----------+
| 9050 | 127.0.0.1 |
| 9050 | 127.0.0.1 |
+------+-----------+
osquery>
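Added example (not part of the original post): the raw listening_ports output above mixes UNIX domain sockets (family 1) with network listeners and shows pid -1 on the network rows, which is what osquery reports when it cannot attribute a socket to a process, typically because osqueryi was started as an unprivileged user. The query below keeps only IPv4/IPv6 listeners, decodes the numeric protocol and family values, marks loopback-only services, and joins to processes to name the owner.

```sql
-- Added example: map network listeners to the process that owns them.
-- Start osqueryi with sudo so that pid, name and path can be resolved.
SELECT DISTINCT
  lp.port,
  lp.address,
  CASE lp.protocol
    WHEN 6  THEN 'tcp'
    WHEN 17 THEN 'udp'
    ELSE CAST(lp.protocol AS TEXT)   -- e.g. 255 for the raw sockets seen above
  END AS proto,
  CASE lp.family
    WHEN 2  THEN 'ipv4'
    WHEN 10 THEN 'ipv6'
  END AS family,
  CASE
    WHEN lp.address LIKE '127.%' OR lp.address = '::1' THEN 'loopback only'
    ELSE 'reachable from network'
  END AS exposure,
  lp.pid,
  p.name,
  p.path,
  p.cmdline
FROM listening_ports AS lp
LEFT JOIN processes AS p ON p.pid = lp.pid  -- name/path stay NULL when pid is -1
WHERE lp.family IN (2, 10)                  -- drop family 1 (UNIX domain sockets)
  AND lp.port > 0
ORDER BY exposure DESC, lp.port;            -- network-reachable listeners first
```

On the host shown above, port 22 on 0.0.0.0 and :: would sort first as reachable from the network, while 9050 on 127.0.0.1 would be marked loopback only.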
- Hacking Truth by Kumar Atul Jaiswal