May 30 2023

The essence of OT security: A proactive guide to achieving CISA’s Cybersecurity Performance Goals

Category: CISA,OT/ICS,Security ToolsDISC @ 9:27 am

The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector.

These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes.

In response to these risks, the US government reinforced critical infrastructure security by introducing Cross-Sector Cybersecurity Performance Goals (CPGs) mandated by the US Cybersecurity Infrastructure & Security Agency (CISA).

Recently, CISA updated the CPGs to align with NIST’s standard cybersecurity framework, establishing each of the five goals as a prioritized subset of IT and OT cybersecurity practices.

In this article, we will look in more detail at CISA’s revamped CPGs and discuss the potential solutions available to help organizations achieve these critical goals.

CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment

CISA’s first CPG is “Identify”, which includes identifying the vulnerabilities in the IT and OT assets inventory, establishing supply chain incident reporting and vulnerability disclosure program, validating the effectiveness of third-party security controls across your IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Critical infrastructure organizations must address all these sub-categories exclusively to achieve the first CPG.

Addressing these responsibilities requires a dynamic effort. Firstly, organizations must strengthen their IT and OT relationship by fostering more effective collaboration between the security teams of both departments. But, most importantly, IT and OT teams must come together to understand the potential cyber threats and risks of each environment and how it affects the other. To achieve the first CPG, it is critical that these departments are not kept in isolation but rather collaborate and communicate frequently.

At the same time, organizations must establish OT leadership by clearly identifying a single leader who will be responsible and accountable for OT-specific cybersecurity. From there, organizations must create an asset inventory or glossary that clearly identifies and tracks all OT and IT assets across the entire ecosystem. These assets should be regularly audited based on their vulnerability management program. It’s also highly critical to have an open, public, and easily accessible communication channel where vendors, third parties, or employees can disclose any potential vulnerability in relation to the OT and IT assets.

CPG 2.0 Protect: Safeguarding privileged access to OT assets

CISA’s second CPG is “Protect”, which emphasizes the account security aspects of OT assets. To achieve this goal, critical infrastructure organizations are required to strengthen their password policies, change default credentials across OT remote access systems, apply network segmentation to segregate OT and IT networks, and separate general user and privileged accounts.

Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access. Such solutions can also support advanced credential policies to further reduce the risk of unauthorized access and denial of service attacks.

It’s also important that organizations only leverage SRA solutions that are based on zero trust policies. This will help organizations establish effective network segmentation that eliminates direct, unfettered remote connectivity to OT assets, and to continuously monitor personnel activity during all remote OT connections.

CPG 3.0 Detect: Awareness of critical threats and potential attack vectors across your OT environment

CISA’s third CPG emphasizes the detection of relevant threats and knowledge of potential attack vectors and TTPs (tactics, techniques, and procedures) that can compromise OT security and potentially disrupt critical services.

Detecting relevant threats and TTPs across OT assets and networks requires a proactive approach that combines advanced monitoring and analysis. Real-time monitoring solution should be complemented with comprehensive network visibility, allowing for the swift detection of anomalies and unusual patterns.

A critical aspect of threat detection in OT environments — and meeting the CPG mandate — is the sharing of information and collaboration between various stakeholders. Threat intelligence platforms play an essential role in gathering and disseminating information about current and emerging threats. By leveraging this valuable data, organizations can stay ahead of potential risks, fine-tune their defenses, and ensure the safety and security of their OT assets. Additionally, conducting regular security assessments, penetration testing, and vulnerability scanning will help uncover any weaknesses in the infrastructure, allowing for timely remediation and improved resilience against cyberattacks.

CPG 4.0 and 5.0: Respond and Recover

The final two CISA’s CPGs stress the importance of incident reporting and planning. Regardless of how robust your OT security practices are, cyber threats are almost inevitable in today’s interconnected and increasingly remote networking era. So, while proactive security solutions are necessary, attacks still are unavoidable, especially in a highly targeted sector like critical infrastructure.

Therefore, CISA stresses that organizations must have a comprehensive plan and process outlined for reporting security incidents and effectively recovering their affected systems or services upon a breach.

Advanced SRA solutions can help organizations to achieve these goals through automated recording of user activities and asset-related data, as well as creating automated backups of critical data. More specifically, they can log all user sessions, encrypt all user- and asset-related data, and retain logs of OT remote user activity. These measures help to ensure that critical information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.

Conclusion

Overall, the vulnerabilities of ageing OT assets and siloed OT and IT networks have created a significant threat to critical infrastructure entities, which has been further exacerbated by the prevalence of remote access.

CISA’s OT-specific goals and actions within the CPGs provide a much-needed set of guidelines for CNI organizations to strengthen their security posture and increase cyber resilience. By following CISA’s recommendations and employing innovative security technologies, organizations can minimize the risk of cyberattacks affecting the physical world and public safety.

InfoSec tools | InfoSec services | InfoSec books

Tags: CISA, Cybersecurity Performance Goals, ICS, Industrial Cybersecurity, OT


May 08 2023

RECONSHARK: NEW UNDETECTABLE RECONNAISSANCE TOOL USED BY CYBERCRIMINALS FOR HACKING

Category: Cybercrime,Security Toolsdisc7 @ 1:21 pm

Kimsuky is an advanced persistent threat (APT) organization that originates in North Korea and has a lengthy history of launching targeted attacks all around the globe. According to what is currently known about the organization, they have been mainly tasked with conducting information gathering and espionage activities in behalf of the North Korean government from at least the year 2012. Throughout the course of history, Kimsuky targets have been spread throughout several nations in North America, Asia, and Europe. In its most recent efforts, the organization has continued their strategy of worldwide targeting, which is centered on a variety of contemporary geopolitical concerns. The most recent Kimsuky ads, for instance, have been centered on nuclear agendas between China and North Korea; these agendas are pertinent to the continuing confrontation between Russia and Ukraine. In 2018, the gang was seen deploying a malware family known as BabyShark, and  most recent observations show that the group has developed the malware with an enhanced capacity for reconnaissance. Experts call to this component of BabyShark as ReconShark.

During a recent campaign, Kimsuky targeted the employees of the Korea Risk Group (KRG), which is an information and analysis organization that specializes in subjects that have both direct and indirect effects on the Democratic People’s Republic of Korea (DPRK). Kimsuky continues to employ phishing emails that have been carefully designed by himself for the purpose of deploying ReconShark. Notably, spear-phishing emails are created with a degree of design quality customized for certain persons, which increases the possibility that the target would open the email. This involves using correct formatting, language, and visual signals so that the content seems authentic to readers who are not paying attention. Notably, both the targeted emails, which include links to download harmful papers, as well as the malicious documents themselves, exploit the names of genuine people whose knowledge is relevant to the subject matter of the bait, such as Political Scientists.

Kimsuky’s nefarious emails include a link that, when clicked, will direct the recipient to a file that requires a password in order to access it. Most recently, they started hosting the infected document for download on Microsoft OneDrive, which is a cloud storage service.Exfiltrating information about the infected platform is the primary function of ReconShark. This includes information about current processes, information about the battery that is attached to the device, and information about endpoint threat detection measures that have been implemented.

In a manner similar to those of earlier iterations of BabyShark, ReconShark depends on Windows Management Instrumentation (WMI) to query information on processes and batteries. ReconShark does more than just steal information; it also distributes additional payloads in a multi-stage process. These payloads may be built as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. The types of detecting mechanism processes that are active on compromised computers are taken into consideration when ReconShark chooses which payloads to send out.

In order to avoid being detected by static analysis methods, some ReconShark sequences are encoded using a pretty simple encryption. Typically, the instructions or scripts that are included inside these strings are for downloading and/or running payloads. All of the infrastructure that has been spotted as part of this campaign is housed on a shared hosting server provided by NameCheap. LiteSpeed Web Server (LSWS) was often used by operators of the Kimsuky malware in order to manage the harmful functionality. The continual attacks by Kimsuky and their use of the innovative reconnaissance tool ReconShark provide insight on the ever-changing nature of the North Korean threat environment. Organizations and people need to be aware of the tactics, techniques, and procedures (TTPs) utilized by North Korea state-sponsored advanced persistent threats (APTs) and take the required steps to defend themselves against attacks of this kind.

Field Manual FM 3-98 Reconnaissance and Security Operations

  InfoSec tools | InfoSec services | InfoSec books

Tags: RECONSHARK


Apr 17 2023

Lynis – Open Source Security Auditing & Pentesting Tool – 2023

Category: Pen Test,Security ToolsDISC @ 8:50 am

Lynis is an open source security auditing tool. Its main goal is to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks. Examples include searching for installed software and determine possible configuration flaws.

Many tests are part of common security guidelines and standards, with on top additional security tests. After the scan, a report will be displayed with all discovered findings. To provide you with initial guidance, a link is shared with the related Lynis control.

Lynis is one of the most trusted automated auditing tool for software patch management, malware scanning and vulnerability detecting in Unix/Linux based systems. This tool is useful for auditorsnetwork and system administratorssecurity specialists and penetration testers.

Intended audience:

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

Security specialists, Penetration Testers, System auditors, System/network managers, Security Engineers.

Lynis is compatible with many Operating Systems, such as:

  • AIX
  • Arch Linux
  • BackTrack Linux
  • CentOS
  • Debian, DragonFlyBSD
  • Fedora Core, FreeBSD
  • Gentoo
  • HPUX
  • Kali, Knoppix
  • Linux Mint
  • MacOS X, Mageia, Mandriva
  • NetBSD
  • OpenBSD, OpenSolaris, openSUSE, Oracle Linux
  • PcBSD, PCLinuxOS
  • Red Hat Enterprise Linux (RHEL) and derivatives
  • Sabayon, Scientific Linux, Slackware, Solaris 10, SuSE
  • TrueOS
  • Ubuntu and derivatives

Lynis can also be auditing software such as :

  • Database servers: MySQL, Oracle, PostgreSQL
  • Time daemons: dntpd, ntpd, timed
  • Web servers: Apache, Nginx

Once lynis starts scanning your system, it will perform auditing in a number of categories:

  • System tools: system binaries
  • Boot and services: boot loaders, startup services
  • Kernel: run level, loaded modules, kernel configuration, core dumps
  • Memory and processes: zombie processes, IO waiting processes
  • Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask
  • Shells
  • File systems: mount points, /tmp files, root file system
  • Storage: usb-storage, firewire ohci
  • NFS
  • Software: name services: DNS search domain, BIND
  • Ports and packages: vulnerable/upgradable packages, security repository
  • Networking: nameservers, promiscuous interfaces, connections
  • Printers and spools: cups configuration
  • Software: e-mail and messaging
  • Software: firewalls: iptables, pf
  • Software: webserver: Apache, nginx
  • SSH support: SSH configuration
  • SNMP support
  • Databases: MySQL root password
  • LDAP services
  • Software: php: php options
  • Squid support
  • Logging and files: Syslog daemon, log directories
  • Insecure services: inetd
  • Banners and identification
  • Scheduled tasks: crontab/cronjob, atd
  • Accounting: sysstat data, auditd
  • Time and synchronization: ntp daemon
  • Cryptography: SSL certificate expiration
  • Virtualization
  • Security frameworks: AppArmor, SELinux, security status
  • Software: file integrity
  • Software: malware scanners
  • Home directories: shell history files

How Lynis works:

In this Kali Linux Tutorial , To run it for the first time, it is recommended to use -c paramater. -c parameter means doing all tests to check the systems. If you want to put the Auditor name, just add –auditor parameter there. Here’s some

Download and Install the Lynis from GitHub 

git clone https://github.com/CISOfy/lynis

$ cd lynis-2.7.3
# ./lynis

samples output :

Once Installed then Start with Auditor or Pentester name .

# lynis -c –auditor “BALAJI”

Figure 1. Initialize

Lynis – Open source security auditing tool

Figure 2. System Tools

Lynis – Open source security auditing tool

Figure 3. Boot & Services and Kernel

Lynis – Open source security auditing tool

Figure 4. Users and Group

Lynis – Open source security auditing tool

Figure 5. Shell and storage

Lynis – Open source security auditing tool

Figure 6. Software, Ports and Packages

6

Figure 7. Networking and Printer

7

Figure 8. Email, Firewalls and Web Server

8

Figure 9. SSH, SNMP and Databases

Lynis – Open source security auditing tool

Figure 10. PHP, Squid Proxy and Logging

10

Figure 11. Inetd, Banner and Cron

11

Figure 12. Accounting, NTP and Cryptography

12

Figure 13. Virtualization, Security Frameworks and File Integrity

13

Figure 14. Malware Scanners, System Tool and Home directory

14

Figure 15. Kernel Hardening

15

Figure 16. Hardening, Custom Tests and Result

lynis_16_hardening_customtests_result

Figure 17. Hardening Index

17

Run Lynis with Custom Tests

Your system may not need to run all the tests. If your server not running a web server, you don’t need to test it. For this purpose, we can use –tests parameter. The syntax is :

# lynis –tests “Test-IDs”

there are more than 100 tests that we can do. Here are some list of Lynis Tests-ID.

  • FILE-7502 (Check all system binaries)
  • BOOT-5121 (Check for GRUB boot loader presence).
  • BOOT-5139 (Check for LILO boot loader presence)
  • BOOT-5142 (Check SPARC Improved boot loader (SILO))
  • BOOT-5155 (Check for YABOOT boot loader configuration file)
  • BOOT-5159 (Check for OpenBSD i386 boot loader presence)
  • BOOT-5165 (Check for FreeBSD boot services)
  • BOOT-5177 (Check for Linux boot and running services)
  • BOOT-5180 (Check for Linux boot services (Debian style))
  • BOOT-5184 (Check permissions for boot files/scripts)
  • BOOT-5202 (Check uptime of system)
  • KRNL-5677 (Check CPU options and support)
  • KRNL-5695 (Determine Linux kernel version and release number)
  • KRNL-5723 (Determining if Linux kernel is monolithic)
  • KRNL-5726 (Checking Linux loaded kernel modules)
  • KRNL-5728 (Checking Linux kernel config)
  • KRNL-5745 (Checking FreeBSD loaded kernel modules)
  • [04:57:04] Reason to skip: Test not in list of tests to perform
  • KRNL-5770 (Checking active kernel modules)
  • KRNL-5788 (Checking availability new kernel)
  • KRNL-5820 (Checking core dumps configuration)

Below is a sample command to run Check uptime of system and Checking core dumps configuration tests. If you want to add more tests, just add more Test-ID separated by space.

# ./lynis –tests “BOOT-5202 KRNL-5820”

111111

To get more Tests-IDs, you can find it inside /var/log/lynis.log. Here’s a trick how to do it.

1. First, we need to run lynis with -c (check-all) parameter.

# ./lynis -c -Q

2. Then look at inside /var/log/lynis.log file. Use cat command and combine it with grep. Let say you want to search Test-ID which related to Kernel. Use keyword KRNL to find it.

# cat /var/log/lynis.log | grep KRNL

2222

Below is a complete keywords of Test-IDs that available in Lynis.

BOOT
KRNL (kernel)
PROC (processor)
AUTH (authentication)
SHLL (shell)
FILE
STRG (storage)
NAME (dns)
PKGS (packaging)
NETW (network)
PRNT (printer)
MAIL
FIRE (firewall)
HTTP (webserver)
SSH
SNMP
DBS (database)
PHP
LDAP
SQD (squid proxy)
LOGG (logging)
INSE (insecure services – inetd)
SCHD (scheduling – cron job)
ACCT (accounting)
TIME (time protocol – NTP)
CRYP (cryptography)
VIRT (virtualization)
MACF (AppArmor – SELINUX)
MALW (malware)
HOME
HRDN (hardening)

Run lynis with categories

If you feel that put a lot of Test-IDs is painful, you can use –test-category parameter. With this option, Lynis will run Test-IDs which are included inside a specific category. For example, you want to run Firewall and Kernel tests. Then you can do this :

# ./lynis –tests-category “firewalls kernel”

3333

Run Lynis as Cronjob

Since security needs consistency, you can automate Lynis to run periodically. Let’s say you want to run it every month to see if there is any improvement since the last Lynis run. To do this, we can run Lynis as a cronjob. Here’s a sample cronjob to run it every month.

#!/bin/sh

AUDITOR=”automated”
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR=”/var/log/lynis”
REPORT=”$LOG_DIR/report-${HOST}.${DATE}”
DATA=”$LOG_DIR/report-data-${HOST}.${DATE}.txt”

cd /usr/local/lynis
./lynis -c –auditor “${AUDITOR}” –cronjob > ${REPORT}

mv /var/log/lynis-report.dat ${DATA}

# End

Save the script into /etc/cron.monthly/lynis. Don’t forget to add related paths (/usr/local/lynis and /var/log/lynis), otherwise the script will not work properly.


InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Tags: Lynis, Open source security


Apr 09 2023

Red Teaming Toolkit

Category: Information Security,Security ToolsDISC @ 11:09 am

Red Teaming: How Your Business Can Conquer the Competition by Challenging Everything – Free with Kindle trial

Red Teaming: How Your Business Can Conquer the Competition by Challenging Everything

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Red teaming, Security Toolkit


Mar 11 2023

Linux 101 Hacks

Category: Hacking,Linux Security,Security ToolsDISC @ 12:09 pm

Looking to enhance your Linux skills? Practical examples to build a strong foundation in Linux – credit: Ramesh Nararajan
*******************************************

Mastering Linux Security and Hardening: A practical guide to protecting your Linux system from cyber attacks

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Hacking, Hacking tool, Linux, OSINT


Mar 03 2023

Blue Team Tools

Category: Blue team,Security ToolsDISC @ 4:21 pm

Blue Team Tools – Ethical Hackers Academy

Blue Team Field Manual (BTFM) (RTFM)

Previous posts on Blue Team

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Blue Team Field Manual, BTFM, Rtfm, security tools


Mar 03 2023

‘DECIDER’ AN OPEN-SOURCE TOOL THAT HELPS TO GENERATE MITRE ATT&CK MAPPING REPORTS

Category: Security ToolsDISC @ 11:50 am

Decider is a new, free tool that was launched today by CISA. It is designed to assist the cybersecurity community in mapping the behavior of threat actors to the MITRE ATT&CK framework. Through the use of guided questions, a powerful search and filter function, and a cart functionality that allows users to export results to commonly used formats, Decider helps make mapping both quick and accurate. It was developed in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and MITRE.

To get started with Decider, network defenders, analysts, and researchers may get started by viewing the video, information sheet, and blog posted by CISA. CISA strongly recommends that users of the community make use of the tool in tandem with the newly revised Best Practices for MITRE ATT&CK Mapping guidance. The MITRE ATT&CK framework is a lens that network defenders can use to analyze the behavior of adversaries, and it directly supports “robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks, and data,” as CISA Executive Assistant Director Eric Goldstein noted in his June 2021 blog post on the framework. Since it offers a standardized vocabulary for the evaluation of threat actors, the CISA strongly recommends that the cybersecurity community make use of the framework.

This revision of the best practices was made in collaboration with the Homeland Security Systems Engineering and Development InstituteTM (HSSEDI), which is a research and development facility owned by the Department of Homeland Security and run by MITRE. Since CISA first released the best practices in June 2021, the update addresses the modifications that the MITRE ATT&CK team has made to the framework as a result of those improvements. Moreover, frequent analytical biases, mapping problems, and particular ATT&CK mapping guidelines for industrial control systems are included in this version (ICS).

This tool leads users through a mapping process by asking them a series of guided questions concerning enemy behavior. The purpose of these questions is to assist users in determining the appropriate strategy, technique, or sub-technique. In addition to the application itself, users are given access to a data sheet and a short film that will acquaint them with the most important capabilities and features that Decider offers.

Previous posts on Security Tools

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Mitre Att&ck Mapping, Open-Source Tools


Mar 02 2023

10 Best Penetration Testing tools

Category: Pen Test,Security ToolsDISC @ 3:15 pm
Penetration Testing

Best Penetration Testing tools

Penetration testing, also known as pen testing, is a process of assessing the security of a computer system or network by simulating an attack from a malicious outsider or insider. The goal is to identify vulnerabilities and weaknesses that can be exploited by attackers to gain unauthorized access to the system.

There are many penetration testing tools available that can help security professionals and ethical hackers to perform effective tests. Here are some of the best penetration testing tools:

  1. Metasploit Framework: It is an open-source penetration testing framework that provides a range of exploits, payloads, and auxiliary modules. It is widely used by penetration testers and security professionals to identify vulnerabilities and exploit them.
  2. Nmap: It is a network exploration and security auditing tool that can be used to scan networks and identify hosts, ports, and services. It can also be used to detect operating systems and versions.
  3. Wireshark: It is a network protocol analyzer that allows you to capture and analyze network traffic. It can be used to detect and analyze network attacks and vulnerabilities.
  4. Burp Suite: It is an integrated platform for performing web application security testing. It includes a proxy server, a scanner, a spider, and other tools that can be used to identify vulnerabilities in web applications.
  5. Aircrack-ng: It is a suite of tools that can be used to crack wireless network passwords. It includes tools for capturing and analyzing network traffic, as well as tools for cracking encryption keys.
  6. John the Ripper: It is a password cracking tool that can be used to test the strength of passwords. It can be used to crack passwords for a range of operating systems and applications.
  7. SQLmap: It is an open-source penetration testing tool that can be used to test the security of SQL-based web applications. It can be used to detect and exploit SQL injection vulnerabilities.
  8. Hydra: It is a password cracking tool that can be used to test the strength of passwords for a range of protocols, including HTTP, FTP, and Telnet.
  9. Nessus: It is a vulnerability scanner that can be used to scan networks and identify vulnerabilities. It can also be used to generate reports and prioritize vulnerabilities based on their severity.
  10. OWASP Zap: The world’s most popular free web security tool, actively maintained by a dedicated international team of volunteers.
  11. Kali Linux: It is a Linux distribution that is specifically designed for penetration testing and ethical hacking. It includes a range of tools for network analysis, vulnerability testing, password cracking, and more.

Latest Pen Testing Titles

Cobalt’s Pentest as a Service (PtaaS) platform, coupled with an exclusive community of testers, delivers the real-time insights you need to remediate risk quickly and innovate securely.

Previous Pen Testing Posts

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Penetration Testing tools


Mar 01 2023

5 open source Burp Suite penetration testing extensions you should check out

Category: Security ToolsDISC @ 11:25 am

How does Burp Suite extensions help in Penetration Testing…

Burp Suite is a popular web application security testing tool that can be extended through the use of various plugins and extensions. These extensions provide additional functionality and capabilities that can assist in the penetration testing process. Here are some ways that Burp Suite extensions can help in penetration testing:

  1. Automated vulnerability scanning: Burp Suite extensions can automate the process of scanning for vulnerabilities in web applications. These extensions can identify common vulnerabilities such as SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities.
  2. Customized payloads: Some Burp Suite extensions allow for the creation of customized payloads that can be used in testing for specific vulnerabilities. These payloads can help identify vulnerabilities that may be missed by standard scanning tools.
  3. Integration with other tools: Burp Suite extensions can integrate with other tools used in the penetration testing process, such as vulnerability scanners and exploit frameworks. This integration can streamline the testing process and make it more efficient.
  4. Brute-force attacks: Burp Suite extensions can automate brute-force attacks against web applications. This can help identify weak passwords or authentication mechanisms that could be exploited by an attacker.
  5. Fuzz testing: Burp Suite extensions can perform fuzz testing to identify vulnerabilities caused by unexpected or invalid input. This can help identify vulnerabilities such as buffer overflows or other memory-related issues.

In summary, Burp Suite extensions can greatly enhance the functionality and capabilities of the tool for penetration testing. These extensions can automate tasks, provide customized payloads, integrate with other tools, and help identify vulnerabilities that may be missed by standard scanning tools.

When it comes to assessing the security of computer systems, penetration testing tools are critical for identifying vulnerabilities that attackers may exploit. Among these tools, Burp Suite stands out as one of the most popular and widely used options among security professionals and enthusiasts alike.

Here’s a collection of Burp Suite extensions to make it even better.

Burp Suite extensions

Auth Analyzer

The Auth Analyzer extension helps you find authorization bugs. Navigate through the web application as a privileged user and let the Auth Analyzer repeat your requests for any defined non-privileged user. With the possibility to define parameters, the extension is able to extract and replace parameter values automatically.

Burp Suite extensions

Autowasp

Autowasp is a Burp Suite extension that integrates Burp issues logging with the OWASP Web Security Testing Guide (WSTG) to provide a web security testing flow. This tool will guide new penetration testers to understand the best practices of web application security and automate OWASP WSTG checks.

Burp Suite extensions

Burp_bug_finder

Burp_bug_finder is a Burp Suite plugin (written in Python) that makes the discovery of web vulnerabilities accessible. This version focuses only on XSS, and error-based SQLi. There’s no need to send XSS payload either for reflected or stored payload manually. You need to browse the pages where you want to check XSS vulnerability or error-based SQL injection.

Burp Suite extensions

Nuclei

Nuclei is a simple extension that allows you to run Nuclei scanner directly from Burp Suite and transforms JSON results into the issues.

Burp Suite extensions

Pentest Mapper

Pentest Mapper is a Burp Suite extension that integrates the Burp Suite request logging with a custom application testing checklist. The extension provides a straightforward flow for application penetration testing. The extension includes functionalities allowing users to map the application flow for pentesting to analyze the application and its vulnerabilities better. The API calls from each flow can be connected with the function or flow name. The extension allows users to map or connect each flow or API to vulnerability with the custom checklist.

Burp Suite extensions

Our Previous posts on Security Tools

Burp Suite Cookbook: Practical recipes to help you master web penetration testing with Burp Suite

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: burp suite, Penetration Testing


Feb 24 2023

Hackers Use Open-Source Tools to Attack Shipping Companies & Medical Laboratories

Category: Hacking,Security ToolsDISC @ 2:35 pm

Hackers Use Open Source Tools to Attack Shipping Companies & Medical Laboratories

Unfortunately, it is not uncommon for hackers to use open source tools to attack organizations. Open source tools are freely available and can be used for both legitimate and malicious purposes.

In the case of shipping companies and medical laboratories, there are a number of open source tools that hackers could potentially use to launch attacks. For example, they may use network scanning tools such as Nmap or Wireshark to identify vulnerabilities in the organization’s network. They may also use tools such as Metasploit or Cobalt Strike to exploit these vulnerabilities and gain unauthorized access to systems and data.

Once they have access to a system, hackers may use open source tools like Mimikatz to steal passwords and other credentials. They may also use open source malware like DarkComet or Meterpreter to maintain access to compromised systems and exfiltrate sensitive data.

To protect against these types of attacks, it’s important for organizations to take a number of steps, including:

  1. Implementing strong access controls and authentication mechanisms to prevent unauthorized access to systems and data.
  2. Regularly patching and updating software and systems to address known vulnerabilities.
  3. Using security monitoring tools to detect and respond to potential security incidents.
  4. Providing regular security awareness training to employees to help them identify and respond to security threats.
  5. Conducting regular security assessments to identify and address vulnerabilities in the organization’s network and systems.
Hackers Use Open-Source Tools

There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.

It’s a never-before-seen threat group dubbed Hydrochasma, actively targeting the shipping and medical organizations that are engaged in research and treatment of the COVID-19 vaccine.

Symantec, a company under Broadcom, has been monitoring the activities of cybercriminals since October of last year. Their ultimate aim seems to be the acquisition of valuable information.

Modus Operandi of Attack

Hydrochasma’s modus operandi is unique in that they employ open-source tools and LotL techniques during their attacks. This enables them to carry out their malicious activities without leaving behind any traces that could potentially expose their identity. 

This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.

The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin. 

The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:- 

  • To evade attribution efforts
  • To enhance the stealthiness of their attacks

By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.

Attack Chain

Most likely, Hydrochasma infected its host with a phishing email in order to spread its infection. Initial signs of Hydrochasma’s presence on a targeted system are often indicated by the appearance of a lure document, with a file name that is crafted to appear as if it were an email attachment written in the native language of the victim organization. 

This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-

  • Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
  • University-Development Engineer[.]exe

Once the attacker gains access to a machine, they utilize this access to deploy a Fast Reverse Proxy (FRP), which has the potential to expose servers that are located behind a firewall to the public web.

Tools Used

Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-

  • Gogo scanning tool
  • Process Dumper (lsass.exe)
  • Cobalt Strike Beacon
  • AlliN scanning tool
  • Fscan
  • Dogz proxy tool
  • SoftEtherVPN
  • Procdump
  • BrowserGhost
  • Gost proxy
  • Ntlmrelay
  • Task Scheduler
  • Go-strip
  • HackBrowserData

It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used. 

There was no evidence that any data was taken from any of the targeted computers by Hydrochasma according to researchers from Symantec. Hydrochasma on the other hand utilizes certain tools that allow remote access to the system, which could result in data being extracted from the system.

This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Previous posts on Security Tool

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Open-Source Tools


Feb 16 2023

How to Find Web Server Vulnerabilities With Nikto Scanner

Category: Security Tools,Web SecurityDISC @ 10:55 am

Find Web Server Vulnerabilities with Nikto Scanner.

Nikto is an open source web server vulnerabilities scanner, written in Perl languages. It function is to scan your web server for vulnerabilities.

Nikto scan for over 6700 items to detect misconfiguration, risky files, etc. and some of the features include:

  • You can save report in HTML, XML, CSV
  • It supports SSL and Full HTTP Proxy
  • Scan multiple ports on the server
  • Find subdomain
  • Apache user enumeration
  • Checks for outdated components
  • Detect parking sites
  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs

Lets get started with the installation and how to use this tool

This can be installed on Kali Linux or other OS (Windows, Mac OSX, Redhat, Debian, Ubuntu, BackTrack, CentOS, etc.), which support Perl.

Also Read- Kali Linux Commands Cheatsheet

In this article, I will explain how to use Nikto on Kali Linux .

Firstly we will install the Nikto tool from Github or Using apt install command on terminal.

Using help manual of Nikto we can see various options or parameters on how we can use this tool very efficiently.

Firstly we will use the basic syntax to check the vulnerability of the website.

However, Nikto is capable of doing a scan that can go after SSL and port 443, the port that HTTPS websites use (HTTP uses port 80 by default). So we’re not just limited to scanning old sites, we can do vulnerability assessments on sites that use SSL, which is pretty much a requirement these days to be indexed in search results.

If we know it’s an SSL site that we’re targeting, we can specify it in Nikto to save some time on the scan by adding -ssl to the end of the command.

So by using this tool we can analyze the vulnerability of the website.

Previous posts on Security Tools

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Nikto Scanner


Feb 06 2023

75 Best Android Penetration Testing Tools – 2023

Category: Pen Test,Security ToolsDISC @ 10:56 am

Android penetration testing tools are more often used by security industries to test the vulnerabilities in Android applications.

Here you can find the Comprehensive mobile penetration testing tools and resource list that covers Performing Penetration testing Operations in Android Mobiles.

Android is the biggest organized base of any mobile platform and developing fast—every day. Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.

Android Security Penetration Testing Tools

Online Analyzers

Following are the online analyzers used to pentest the android applications.

ApprayDynamic Analysis Tools for Android and iOS Applications
NowsecureComplete Mobile Security Testing tool for Android & iOS Tools
AppKnoxEfficient Security Testing Tools for Mobile Apps

Static Analysis Tools

AndrowarnDetects and warn the user about potential malicious behaviors developed by an Android application
ApkAnalyserVirtual Analysis Tools for Android Applications
APKInspectorGUI-based Security Analysis
DroidLegacyPentesting Kit
FlowDroidStatic Analysis Tool
Android DecompilerProfessional Reverse Engineering Toolkit
PSCoutA tool that extracts the permission specification from the Android OS source code using static analysis
Amandroidstatic analysis framework
SmaliSCASmali Static Code Analysis
CFGScanDroidScans and compares CFG against CFG of malicious applications
Madrolyzerextracts actionable data like C&C, phone number etc.
SPARTAverifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroidPerforms a combination of symbolic + concrete execution of the app
DroidRAVirtual Analysis
RiskInDroidA tool for calculating the risk of Android apps based on their permissions, with an online demo available.
SUPERSecure, Unified, Powerful, and Extensible Rust Android Analyzer
ClassySharkStandalone binary inspection tool which can browse any Android executable and show important info.

Mobile App Vulnerability Scanner Tools

QARKQARK by LinkedIn is for app developers to scan app for security issues
AndroBugsAndroid vulnerability analysis system
NogotofailNetwork security testing tool
DevknoxAutocorrect Android Security issues as if it was spell check from your IDE
JAADASJoint intraprocedural and inter-procedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala

Dynamic Analysis Tools

Androl4bA Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit(Linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSFMobile Security Framework is an intelligent, all-in-one open-source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis, and web API testing.
AppUsecustom build for pentesting
Cobradroidcustom image for malware analysis
Xposedequivalent of doing Stub based code injection but without any modifications to the binary
InspeckageAndroid Package Inspector – dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
Android HookerDynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid Dynamic Java code instrumentation
Android Tamer Virtual / Live Platform for Android Security Professionals
DECAF Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid Android extension for Cuckoo sandbox
Mem Memory analysis of Android Security (root required)
AuditdAndroid Android port of auditd, not under active development anymore
AurasiumPractical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Appie Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one-stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
StaDynA A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
Vezir Project Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA Mobile Application Reverse engineering and Analysis Framework
Taintdroid Requires AOSP compilation

Reverse Engineering

Smali/Baksmali apk decompilation
Androguard powerful, integrates well with other tools
Apktool really useful for compilation/decompilation (uses smali)
Android OpenDebugmake any application on device debuggable (using cydia substrate)
Dare .dex to .class converter
Dex2Jar dex to jar converter
Enjarify dex to jar converter from Google
Frida Inject javascript to explore applications and a GUI tool for it
Indroidthread injection kit
Jad Java decompiler
JD-GUIJava decompiler
CFRJava decompiler
KrakatauJava decompiler
ProcyonJava decompiler
FernFlowerJava decompiler
Redexerapk manipulation

Fuzz Testing

IntentFuzzer
Radamsa Fuzzer
Honggfuzz
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
AndroFuzz

App Repackaging Detectors

FSquaDRAAndroid Security tool for detection of repackaged Android applications based on app resources hash comparison.

Market Crawlers

Google play crawler (Java) searching android applications on GooglePlay,
Google play crawler (Python) browse and download Android apps from Google Play
Google play crawler (Node) get app details and download apps from official Google Play Store
Aptoide downloader (Node) download apps from Aptoide third-party Android market
Appland downloader (Node)download apps from Appland third-party Android market

Misc Tools

smalihookDecompiler
APK-DownloaderDownloader
AXMLPrinter2to convert binary XML files to human-readable XML files
adb autocompleteRepo Downloader
Dalvik opcodesRegistry
Opcodes table for quick referenceRegistry
ExploitMe Android Labsfor practice
GoatDroid for practice
mitmproxyintercepting proxy 
dockerfile/androguardshell environment
Android Vulnerability Test Suite android-vts scans a device for set of vulnerabilities
AppMonAppMon is an automated framework for monitoring and tampering system API calls of native macOS, iOS and android apps. It is based on Frida.

ANDROID SECURITY BOOK: 10 Simple Ways Billionaires Secure Their Android Devices

Checkout our previous posts on “Security Tools”

Computer Forensics

Building a Cybersecurity Toolkit

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Android Penetration Testing Tools, Android security, Pen testing, Security professionals


Feb 03 2023

Most Important Computer Forensics Tools for 2023

Category: Security ToolsDISC @ 5:10 pm

Computer Forensics tools are more often used by security industries to test the vulnerabilities in networks and applications by collecting the evidence to find an indicator of compromise and take appropriate mitigation Steps.

Here you can find the Comprehensive Computer Forensics tools list that covers Performing Forensics analysis and responding to incidents in all Environments.

Digitial Forensics analysis includes preservation, collection, Validation, Identification, Analysis, Interpretation, Documentation, and Presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Collections of Computer Forensics Tools

Computer Forensics Tools

Free Digital Forensic Tools

Distributions – Open Source Forensic Tools

Frameworks

  • dff – Forensic framework
  • IntelMQ – IntelMQ collects and processes security feeds
  • Laika BOSS – Laika is an object scanner and intrusion detection system
  • PowerForensics – PowerForensics is a framework for live disk forensic analysis
  • The Sleuth Kit – Tools for low level forensic analysis
  • turbinia – Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms

Live Network Forensics Tools

  • grr – GRR Rapid Response: remote live forensics for incident response
  • Linux Expl0rer – Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
  • mig – Distributed & real time digital forensics at the speed of the cloud
  • osquery – SQL powered operating system analytics

Imaging

  • dc3dd – Improved version of dd
  • dcfldd – Different improved version of dd (this version has some bugs!, another version is on github adulau/dcfldd)
  • FTK Imager – Free imageing tool for windows
  • Guymager – Open source version for disk imageing on linux systems

Carving

  • bstrings – Improved strings utility
  • bulk_extractor – Extracts informations like email adresses, creditscard numbers and histrograms of disk images
  • floss – Static analysis tool to automatically deobfuscate strings from malware binaries
  • photorec – File carving tool

Memory Forensics Tools

  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • KeeFarce – Extract KeePass passwords from memory
  • Rekall – Memory Forensic Framework
  • volatility – The memory forensic framework
  • VolUtility – Web App for Volatility framework
  • BlackLight – Windows/MacOS Computer Forensics tools client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Network Forensics Tools

  • SiLK Tools – SiLK is a suite of network traffic collection and Computer Forensics tools analysis tools
  • Wireshark – The network traffic analysis tool
  • NetLytics – Analytics platform to process network data on Spark.

Windows Artifacts

OS X Forensics

Internet Artifacts

  • chrome-url-dumper – Dump all locally stored information collected by Chrome
  • hindsight – Internet history forensics for Google Chrome/Chromium

Timeline Analysis

  • DFTimewolf – Framework for orchestrating Computer Forensics tools collection, processing, and data export using GRR and Rekall
  • plaso – Extract timestamps from various files and aggregate them
  • timesketch – Collaborative forensic timeline analysis

Disk Image Handling

  • aff4 – AFF4 is an alternative, fast file format
  • imagemounter – Command line utility and Python package to ease the (un)mounting of forensic disk images
  • libewf – Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
  • xmount – Convert between different disk image formats

Decryption

Learn Forensics

Forensic CTFs Tools

There are many relatively new tools available that have been developed in order to recover and dissect the information.

Tags: Forensics Tools


Jan 26 2023

ENISA gives out toolbox for creating security awareness programs

Category: Security Awareness,Security ToolsDISC @ 9:33 am

The European Union Agency for Cybersecurity (ENISA) has made available Awareness Raising in a Box (AR-in-a-BOX), a “do it yourself” toolbox to help organizations in their quest to create and implement a custom security awareness raising program

security awareness toolbox

The package includes:

  • A guideline on how to build an internal cyber-awareness raising program tailored to employees’ needs
  • A guideline on creating an awareness campaign targeted at external stakeholders
  • A how-to guide on how to select the appropriate tools and channels to best reach the target audience and tips for effective communication in social media
  • Instructions on selecting the right metrics and developing key performance indicators (KPIs) to evaluate the effectiveness of a program or campaign
  • A guide for the development of a communication strategy
  • An awareness raising game, in different versions and styles, for a generic audience and for an audience in the energy sector. It also comes with a guide on how it should be played
  • An awareness raising quiz to test comprehension and retention of key information (e.g., how to create good passwords)

Why security awareness matters

People have become cyber-attackers’ primary attack vector, which means that programs for raising cyber awareness are crucial for an organization’s cybersecurity strategy. The goal of these programs is to promote good cybersecurity practices of employees, managers and executives and improve their cybersecurity behavior.

A lot of advice can be found online on how to upgrade your security awareness efforts and engage your employees with better cybersecurity training, but sometimes organizations don’t know where to start.

AR-in-a-BOX can help them wrap their head around the task and push them towards realization.

“AR-in-a-Box is offered by ENISA to public bodies, operators of essential services, large private companies as well as small and medium ones (SMEs). [It] is dynamic and will be regularly updated and enriched,” the agency noted.

ENISA has previously published helpful materials for cybersecurity awareness campaigns aimed at electricity operators and the healthcare sector.

Checkout our previous posts on Security Awareness

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: free cybersecurity tools, Security Awareness


Jan 07 2023

Best Malware Analysis Tools List For Security Researchers & Malware Analyst 2023

Category: Malware,Security ToolsDISC @ 1:24 pm

Malware analysis tools are highly essential for Security Professionals who always need to learn many tools, techniques, and concepts to analyze sophisticated Threats and current cyber attacks.

Most Important Security Tools and Resources For Security Researcher and Malware Analyst

Malware Analysis Tools & Courses

  • Malware Analysis Courses
  • Hex Editors
  • Disassemblers
  • Detection and Classification
  • Dynamic Binary Instrumentation
  • Dynamic Analysis
  • Deobfuscation
  • Debugging
  • Malware Analaysis Courses
  • Reverse Engineering
  • Binary Analysis
  • Decompiler
  • Bytecode Analysis
  • Reconstruction
  • Memory Forensics
  • Windows Artifacts
  • Storage and Workflow
  • Malware samples
  • Courses
  • Domain Analysis
  • Books

Malware Analysis Courses

Here we have listed the best courses list for malware analysis, reverse engineering, exploit development and more..

Hex Editors

A hex editor (or binary file editor or byteeditor) is a type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name ‘hex’ comes from ‘hexadecimal’: a standard numerical format for representing binary data.

Disassemblers 

disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler.

A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

Detection and Classification

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • Assemblyline – A scalable distributed file analysis framework.
  • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • ClamAV – Open source antivirus engine.
  • Detect-It-Easy – A program for determining types of files.
  • ExifTool – Read, write and edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives

Dynamic Binary Instrumentation

Dynamic Binary Instrumentation Tools

Mac Decrypt

Mac Decrypting Tools

Emulator

Emulator Tools

Document Analysis

Document Based Malware Analysis Tools.

Dynamic Analysis

This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.

The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding

Deobfuscation Malware Analysis Tools

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker – A generic hidden code extractor for Windows malware.
  • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Debugging

IN this List we could  see the tools for Disassemblers, debuggers, and other static and dynamic analysis tools.Cross-Platform Debugging Tools

Windows-Only Debugging Tools

Linux-Only Debugging Tools

Reverse Engineering 

  • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
  • bamfdetect – Identifies and extracts information from bots and other malware.
  • BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
  • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
  • Binary ninja – A reversing engineering platform that is an alternative to IDA.
  • Binwalk – Firmware analysis tool.
  • Bokken – GUI for Pyew and Radare. (mirror)
  • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro – Web based code browser using  clang to provide basic code analysis.
  • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
  • FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • Hopper – The macOS and Linux Disassembler.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
  • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio – Perform static analysis of Windows executables.
  • Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
  • plasma – Interactive disassembler for x86/ARM/MIPS.
  • PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • Process Explorer – Advanced task manager for Windows.
  • Process Hacker – Tool that monitors system resources.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • PSTools – Windows command-line tools that help manage and investigate live systems.
  • Pyew – Python tool for malware analysis.
  • PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
  • QKD – QEMU with embedded WinDbg server for stealth debugging.
  • Radare2 – Reverse engineering framework, with debugger support.
  • RegShot – Registry compare utility that compares snapshots.
  • RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
  • ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
  • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
  • strace – Dynamic analysis for Linux executables.
  • Triton – A dynamic binary analysis (DBA) framework.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
  • X64dbg – An open-source x64/x32 debugger for windows.

Binary Format and  Binary Analysis

The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.

Binary Analysis Resources

 

Decompiler 

A decompiler is a computer program that takes an executable file as input, and attempts to create a high level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.Generic Decompiler

Java Decompiler

.NET Decompiler

Delphi Decompiler

Python Decompiler

Bytecode Analysis

Bytecode Analysis Tools

Malware Analysis Tools for Reconstruction

Import Reconstruction Tools

  • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
  • AVCaesar – Malware.lu online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • detux – A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
  • DRAKVUF – Dynamic malware analysis system.
  • firmware.re – Unpacks, scans and analyzes almost any firmware package.
  • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Joe Sandbox – Deep malware analysis with Joe Sandbox.
  • Jotti – Free online multi-AV scanner.
  • Limon – Sandbox for Analyzing Linux Malware.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • malsub – A Python RESTful API framework for online malware and URL analysis services.
  • Malware config – Extract, decode and display online the configuration settings from common malwares.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metadefender.com – Scan a file, hash or IP address for malware (free).
  • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis tool kit.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • Sand droid – Automatic and complete Android application analysis system.
  • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
  • VirusTotal – Free online analysis of malware samples and URLs
  • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Document Analysis

Document Analysis Tools

Scripting

Scripting

Android

Android tools

Yara

Yara Resources

Memory Forensics Malware Analysis Tools 

Tools for dissecting malware in memory images or running systems.

  • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – Open Source Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse – Store, tag, and search malware.
  • Polichombr – A malware analysis platform designed to help analysts to reverse malwares collaboratively.
  • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper – A binary management and analysis framework for analysts and researchers.

Malware samples

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scrapped from malicious sites.
  • MalwareDB – Malware samples repository.
  • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities
  • theZoo – Live malware samples for analysts.
  • Tracker h3x – Agregator for malware corpus tracker and malicious download sites.
  • ViruSign – Malware database that detected by many anti malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Domain Malware Analysis Tools

Inspect domains and IP addresses.

  • badips.com – Community based IP blacklist service.
  • boomerang – A tool designed for consistent and safe capture of off network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me– One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker – Cross-language temporary email detection library.
  • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL Scanner.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • ZScalar Zulu – Zulu URL Risk Analyzer.

Books 

Most Important books Reverse Engineering Books

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • JS Deobfuscator – Deobfuscate simple Javascript that use eval or document.write to conceal its code.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

Practice Malware Analysis Tools 

Practice Reverse Engineering. Be careful with malware.

Open Source Threat Intelligence Tool

Harvest and analyze IOCs.

  • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor– A free editor for XML IOC files.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Credits

This list is Created with helping of following Awesome Peoples.

Infosec books | InfoSec tools | InfoSec services

Tags: malware analysis tools


Nov 30 2022

10 Best Vulnerability Scanning Tools For Penetration Testing

Category: Access Control,Security ToolsDISC @ 10:57 am

A Vulnerability Scanning Tool is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.

The Vulnerability scanning tools help in detecting security loopholes in the application, operating systems, hardware, and network systems.

Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.

What does a Vulnerability Scanner do?

Vulnerability scanners are one right way to do this, with their continuous and automated scanning procedures they can scan the network for potential loopholes.

It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.

Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.

In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.

What are the Three types of Vulnerability Scanners?

This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.

Following are the types of vulnerability scanners

  • Discovery Scanning
  • Full Scanning
  • Compliance Scanning

What is an example of a Vulnerability Scanner?

The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online

In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.

10 Best Vulnerability Scanner Tools

Vulnerability ScannerKey Features
OpenVAS Vulnerability ScannerCustom Scan Configuration
Targeted IP Address
Task Naming
Authorized (credentialed) Scans
Scheduling scans
Tripwire IP360Flexible Scanning
Full Network Discovery
Vulnerability Risk Scoring
Asset Discovery
Nessus vulnerability scannerTarget Profiling
Sensitive data discovery
Malware Detection
PCI DSS requirements
Vulnerability scanning
Comodo HackerProofDaily Vulnerability Scanning
Web-based Management Tool
PCI Scanning Tools
Nexpose communityReal Risk Score
Integration with Metasploit
Powerful Reporting
Adaptive Security
Vulnerability Manager PlusCustomization of Patches to Application
Detecting zero-day vulnerabilities
Audit end-of-life software
Security recommendations
NiktoSupport for Proxy with authentication
Cookies Support
Username Enumeration
Outdated component report
WiresharkLive capture and offline analysis
Deep inspection of protocols
VoIP analysis
Read/write Capture file
Coloring rules
Aircrack-ngAnalyzing WiFi networks for weaknesses
Capture and injection of WiFi cards
Sniff wireless packets
Recover lost keys
Retina network security scannerDiscover the Full network Environment
Identify Application Flaw
Analyze threats and gain security intelligence

10 Best Vulnerability Scanning Tools 2023

  1. OpenVAS Vulnerability Scanner
  2. Tripwire IP360
  3. Nessus vulnerability scanner
  4. Comodo HackerProof
  5. Nexpose community
  6. Vulnerability Manager Plus
  7. Nikto
  8. Wireshark
  9. Aircrack-ng
  10. Retina network security scanner

for more details on these vulnerability scanning tools

Vulnerability Scanning Tools

Checkout latest books on Vulnerability Scanning Tools

Tags: Vulnerability Scanning Tools


Nov 23 2022

5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA)

Category: Security ToolsDISC @ 10:55 am

The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security. CISA is in charge of enhancing cybersecurity and infrastructure protection at all levels of government, coordinating cybersecurity initiatives with American U.S. states, and enhancing defenses against cyberattacks.

To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services.

Cyber Hygiene Vulnerability Scanning

You can register for this service by emailing vulnerability@cisa.dhs.gov. Scanning will start within 3 days, and you’ll begin receiving reports within two weeks. Once initiated, this service is mostly automated and requires little direct interaction.

cisa cybersecurity

Cybersecurity Evaluation Tool (CSET)

This tool provides organizations with a structured and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

CSET

Checklist for implementing cybersecurity measures

This document outlines four goals for your organization:

  • Reducing the likelihood of a damaging cyber incident
  • Detecting malicious activity quickly
  • Responding effectively to confirmed incidents
  • Maximizing resilience.
cisa cybersecurity

Known Exploited Vulnerabilities (KEV) Catalog

The KEV Catalog enables you to identify known software security flaws. You can search for software used by your organization and, if it’s found, update it to the most recent version in accordance with the vendor’s instructions.

cisa cybersecurity

Malcolm network traffic analysis tool suite

Malcolm is comprised of several widely used open source tools, making it an attractive alternative to security solutions requiring paid licenses.

The tool accepts network traffic data in the form of full packet capture (PCAP) files and Zeek logs. Visibility into network communications is provided through two interfaces: OpenSearch Dashboards, a data visualization plugin with dozens of prebuilt dashboards providing an at-a-glance overview of network protocols; and Arkime, a tool for finding and identifying the network sessions comprising suspected security incidents. All communications with Malcolm, both from the user interface and from remote log forwarders, are secured with industry standard encryption protocols.

Malcolm operates as a cluster of Docker containers, isolated sandboxes which each serve a dedicated function of the system.

Malcolm

CISA free resources

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Tags: CISA, CISO, Cybersecurity and Infrastructure Security Agency (CISA), How-to, Open source, Open source intelligence


Nov 08 2022

Public URL scanning tools – when security leads to insecurity

Category: Security ToolsDISC @ 2:45 pm

Well-known cybersecurity researcher Fabian Bräunlein has featured not once but twice before on Naked Security for his work in researching the pros and cons of Apple’s AirTag products.

In 2021, he dug into the protocol devised by Apple for keeping tags on tags and found that the cryprography was good, making it hard for anyone to keep tabs on you via an AirTag that you owned.

Even though the system relies on other people calling home with the current location of AirTags in their vicinity, neither they nor Apple can tell whose AirTag they’ve reported on.

But Bräunlein figured out a way that you could, in theory at least, use this anonymous calling home feature as a sort-of free, very low-bandwidth, community-assisted data reporting service, using public keys for data signalling:

He also looked at AirTags from the opposite direction, namely how likely it is that you’d spot an AirTag that someone had deliberately hidden in your belongings, say in your rucksack, so that they could track you under cover of tracking themselves:

Indeed, the issue of “AirTag stalking” hit the news in June 2022 when an Indiana woman was arrested for running over and killing a man in whose car she later admitted to planting an AirTag in order to keep track of his comings and goings.

In that tragic case, which took place outside a bar, she could probably have guessed were he was anyway, but law enforcement staff were nevertheless obliged to bring the AirTag into their investigations.

When security scans reveal more than they should

Now, Bräunlein is back with another worthwhile warning, this time about the danger of cloud-based security lookup services that give you a free (or paid) opinion about cybersecurity data you may have collected.

Many Naked Security readers will be familiar with services such as Google’s Virus Total, where you can upload suspicious files to see what static virus scanning tools (including Sophos, as it happens) make of it.

Sadly, lots of people use Virus Total to gauge how good a security product might be at blocking a threat in real life when its primary purpose is to disambiguate threat naming, to provide a simple and reliable way for people to share suspicious files, and to assist with prompt and secure sample sharing across the industry. (You only have to upload the file once.)

This new report by Bräunlein looks at a similar sort of public service, this time urlscan.io, which aims to provide a public query-and-reporting tool for suspicious URLs.

The idea is simple… anyone who’s worried about a URL they just received, for example in what they think is a phishing email, can submit the domain name or URL, either manually via the website, or automatically via a web-based interface, and get back a bunch of data about it.

Like this, checking to see what the site (and the community at large) think of the URL http://example.com/whatalotoftextthisis:

You can probably see where Fabian Bräunlein went with this if you realise that you, or indeed anyone else with the time to keep an eye on things, may be able to retrieve the URL you just looked up.

Here, I went back in with a different browser via a different IP address, and was able to retrieve the recent searches against example.com. including the one with the full URL I submitted above:

Tags: scanning tools


Oct 27 2022

Wireshark 4.0.1 Released – What’s New!!

Category: Network security,Security ToolsDISC @ 1:33 pm

A new version of Wireshark has been released recently by the Wireshark Team, it’s Wireshark 4.0.1, which contains several enhancements, new updates, and bug fixes.

Wireshark is one of the most widely used open-source free software packet analyzers that are currently available on the market, and it is available in a variety of options for different platforms.

There are many people who use Wireshark packet analyzers for the analysis of packets, not just network administrators only. As security analysts also use Wireshark packet analyzers for packet analysis purposes.

Several organizations make use of this tool to manage and monitor all the activities of their business operations on a regular basis.

Wireshark recently released its Wireshark 4.0.0 and the current Wireshark 4.0.1 is a quick update from the previous one.

Platform Support

For all the major platforms or operating systems, the Wireshark 4.0.1 packet analyzer is available and here below we have mentioned them:-

  • Windows
  • Linux
  • macOS
  • BSD

What’s new in Wireshark 4.0.1?

There are several primary purposes for using Wireshark as a network protocol analyzer, including:-

  • Analysis
  • Troubleshooting
  • Education
  • Development

Wireshark 4.0 and later do not have any official 32-bit Windows packages that you can install on your computer. Qt 5.12.2 is now the standard version that ships with Windows installers. The previous version of these packages was Qt 6.2.3, which was shipped by default.

This release removes the experimental syntax for the display filter used in Wireshark 4.0.0 that allowed literals to be displayed just using angle brackets <…​>. You can use the colon prefix instead while dealing with byte arrays.

Wireshark 4.0.1 Released – What’s New!!


Oct 18 2022

RedEye – CISA Developed Open-source Red Team Tool Monitoring C&C Server Activities

Category: Security ToolsDISC @ 8:35 am

A new open-source analytical tool dubbed RedEye designed to make it easier for operators to visualize and report activities associated with C2 communication has been released by CISA.

Both the red and blue teams can benefit from RedEye, as it provides an easy way to gauge data, leading to specific decisions that can be made with confidence.

RedEye – CISA Developed Open-source Red Team Tool Monitoring C&C Server Activities

RedEye

A collaborative effort between CISA and DOE’s Pacific Northwest National Laboratory has given birth to this analytical tool. 

A graphically displayed log of all servers and hosts associated with each campaign can be retrieved by RedEye users by correlating historical records of each campaign log.

In order to view relevant information about a campaign, users can upload campaign data via RedEye to view information such as:-

  • Beacons 
  • Commands

During the process of parsing log files, such as those generated by Cobalt Strike, the tool presents the information in a format that can be easily understood.

As a result, users are able to tag activities displayed within the tool and comment on them. Operators can present findings and workflow to stakeholders using the presentation mode that is available on the RedEye application.

To discover the payload activity analysts can also analyze all the key events in a selected campaign. In addition to using RedEye to check the raw data received after an assessment, blue teams can also use it to understand it better.

This data can be used by them to see the attack path and the compromised hosts to take the appropriate action based on what they have learned.

RedEye offers a wide range of features and all its key features are presented in the below video made by CISA:-

Apart from RedEye, the CISA have also released several other open-source tools like:-

  • Malcom
  • ICS NPP
  • Sparrow

The following major platforms have been tested and proved to be compatible with RedEye:- 

  • Linux (Ubuntu 18 and above, Kali Linux 2020.1 or newer)
  • macOS (El Capitan and above)
  • Windows 7 or newer

Moreover, the CISA’s repository on GitHub hosts the tool, and it is available for download via the repository.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: C2 signal, Open-source Red Team Tool, RedEye


Next Page »