May 02 2024

VNC Is The Hacker’s New Remote Desktop Tool For Cyber Attacks

Category: Hacking,Security Toolsdisc7 @ 7:26 am

While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.

The multitude of ports makes it difficult to monitor for malicious traffic. 

Weak credentials and software vulnerabilities are exploited to gain access to user systems.

Hackers may also use technical support scams to trick users into granting access.  

The Most Targeted Remote Desktop Tools In The Last 12 Months

Researchers identified VNC, a platform-independent remote desktop tool using RFB protocol, as the most targeted remote desktop application (98% of traffic).

The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass. 

Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.

The security of VNCs varies depending on the specific software, while some offer weak password limitations, others leverage SSH or VPN tunnelling for encryption.

VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions. 

Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China. 

Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC. 

Flaws Exploited

In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software,  and RDP vulnerabilities like CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda

Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks. 

In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.

North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques. 

TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication. 

Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions and may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams. 

Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities. 

AnyDesk, another RDP solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot


Apr 30 2024

Tracecat: Open-source SOAR

Category: Open Source,Security Toolsdisc7 @ 7:11 am

Tracecat is an open-source automation platform for security teams. The developers believe security automation should be accessible to everyone, especially understaffed small- to mid-sized teams. Core features, user interfaces, and day-to-day workflows are based on existing best practices from best-in-class security teams.

Use specialized AI models to label, summarize, and enrich alerts. Contextualize alerts with internal evidence and external threat intel:

  • Find cases using semantic search
  • MITRE ATT&CK labels
  • Whitelist / blacklist identities
  • Categorize related cases
  • MITRE D3FEND suggestions
  • Upload evidence and threat intel

Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. The developers aim to give technical teams a Tines-like experience but with a focus on open-source and AI features.

While Tracecat is designed for security, its workflow automation and case management system are also suitable for various alerting environments, such as site reliability engineering, DevOps, and physical systems monitoring.

Turn security alerts into solvable cases:

  • Click-and-drag workflow builder – Automate SecOps using pre-built actions (API calls, webhooks, data transforms, AI tasks, and more) combined into workflows. No code required.
  • Built-in case management system – Open cases direct from workflows. Track and manage security incidents all-in-one platform.

Tracecat is cloud-agnostic and deploys anywhere that supports Docker. It’s available for free on GitHub.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK(TM) Framework and open source tools

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Tracecat


Apr 20 2024

Most Important Python Security Tools for Ethical Hackers & Penetration Testers 2024

Category: Pen Test,Python,Security Toolsdisc7 @ 11:13 pm

There are a variety of Python security tools are using in the cybersecurity industries and python is one of the widely used programming languages to develop penetration testing tools.

For anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out mastering in Python For Hacking From Scratch.

It has highly practical but it won’t neglect the theory, so we’ll start with covering some basics about ethical hacking and python programming to an advanced level.

The listed tools are written in Python, others are just Python bindings for existing C libraries and some of the most powerful tools pentest frameworks, Bluetooth smashers, web application vulnerability scanners, war dialers, etc. Here you can also find 1000s of hacking tools.

Best Python Security Tools for Pentesters

Python Course & Papers

  • Hacking with Python – Learn to Create your own Hacking Tools
  • Mastering in Python Programming For Hacking From Scratch
  • SANS offers the course SEC573: Python for Penetration Testers.
  • The Python Arsenal for Reverse Engineering is a large collection of tools related to reverse engineering.
  • There is a SANS paper about Python libraries helpful for forensic analysis (PDF).
  • For more Python libaries, please have a look at PyPI, the Python Package Index.

Network

  • ScapyScapy3k: send, sniff and dissect and forge network packets. Usable interactively or as a library
  • pypcapPcapy and pylibpcap: several different Python bindings for libpcap
  • libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
  • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
  • Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
  • pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
  • Dirtbags py-pcap: read pcap files without libpcap
  • flowgrep: grep through packet payloads using regular expressions
  • Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist
  • SubBrute, fast subdomain enumeration tool
  • Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly
  • Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
  • Spoodle: A mass subdomain + poodle vulnerability scanner
  • SMBMap: enumerate Samba share drives across an entire domain
  • Habu: python network hacking toolkit

Debugging and Reverse Engineering

  • Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
  • Immunity Debugger: scriptable GUI and command line debugger
  • mona.py: PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
  • IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
  • PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
  • pefile: read and work with Portable Executable (aka PE) files
  • pydasm: Python interface to the libdasm x86 disassembling library
  • PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
  • uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
  • diStorm: disassembler library for AMD64, licensed under the BSD license
  • Frida: A dynamic instrumentation framework which can inject scripts into running processes
  • python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
  • vdb / vtrace: vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
  • Androguard: reverse engineering and analysis of Android applications
  • Capstone: lightweight multi-platform, multi-architecture disassembly framework with Python bindings
  • Keystone: lightweight multi-platform, multi-architecture assembler framework with Python bindings
  • PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library
  • CHIPSEC: framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.

Fuzzing

  • afl-python: enables American fuzzy lop fork server and instrumentation for pure-Python code
  • Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
  • Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
  • antiparser: fuzz testing and fault injection API
  • TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
  • untidy: general purpose XML fuzzer
  • Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
  • SMUDGE
  • Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
  • Fuzzbox: multi-codec media fuzzer
  • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
  • Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
  • WSBang: perform automated security testing of SOAP based web services
  • Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
  • fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano
  • Fusil: Python library used to write fuzzing programs

Web

  • Requests: elegant and simple HTTP library, built for human beings
  • lxml: easy-to-use library for processing XML and HTML; similar to Requests
  • HTTPie: human-friendly cURL-like command line HTTP client
  • ProxMon: processes proxy logs and reports discovered issues
  • WSMap: find web service endpoints and discovery files
  • Twill: browse the Web from a command-line interface. Supports automated Web testing
  • Ghost.py: webkit web client written in Python
  • Windmill: web testing tool designed to let you painlessly automate and debug your web application
  • FunkLoad: functional and load web tester
  • spynner: Programmatic web browsing module for Python with Javascript/AJAX support
  • python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions
  • mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
  • pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers
  • spidy: simple command-line web crawler with page downloading and word scraping

Forensics

  • Volatility: extract digital artifacts from volatile memory (RAM) samples
  • Rekall: memory analysis framework developed by Google
  • LibForensics: library for developing digital forensics applications
  • TrIDLib, identify file types from their binary signatures. Now includes Python binding
  • aft: Android forensic toolkit

Malware Analysis

  • pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
  • Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
  • pyClamAV: add virus detection capabilities to your Python software
  • jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities
  • yara-python: identify and classify malware samples
  • phoneyc: pure Python honeyclient implementation
  • CapTipper: analyse, explore and revive HTTP malicious traffic from PCAP file

PDF

  • peepdfPython security tools to analyse and explore PDF files to find out if they can be harmful
  • Didier Stevens’ PDF tools: analyze, identify and create PDF files (includes PDFiDpdf-parser and make-pdf and mPDF)
  • Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
  • Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
  • pyPDF2: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt…
  • PDFMiner: extract text from PDF files
  • python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support

Misc

  • InlineEgg: A Python security tools toolbox of classes for writing small assembly programs in Python
  • Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
  • RevHosts: enumerate virtual hosts for a given IP address
  • simplejson: JSON encoder/decoder, e.g. to use Google’s AJAX API
  • PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • Hachoir: view and edit a binary stream field by field
  • py-mangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • wmiexec.py: execute Powershell commands quickly and easily via WMI
  • Pentestly: Python and Powershell internal penetration testing framework
  • hacklib: Toolkit for hacking enthusiasts: word mangling, password guessing, reverse shell and other simple tools

Other Useful Libraries and Tools

  • IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
  • Beautiful Soup: HTML parser optimized for screen-scraping
  • matplotlib: make 2D plots of arrays
  • Mayavi: 3D scientific data visualization and plotting
  • RTGraph3D: create dynamic graphs in 3D
  • Twisted: event-driven networking engine
  • Suds: lightweight SOAP client for consuming Web Services
  • M2Crypto: most complete OpenSSL wrapper
  • NetworkX: graph library (edges, nodes)
  • Pandas: library providing high-performance, easy-to-use data structures and data analysis tools
  • pyparsing: general parsing module
  • lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
  • Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
  • Pexpect: control and automate other programs, similar to Don Libes `Expect` system
  • Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython
  • PyQt and PySide: Python bindings for the Qt application framework and GUI library

Python security tools Books

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Python Security Tools


Apr 15 2024

THE PATH TO A PENTESTING CAREER (A BLUEPRINT FOR ASPIRING WHITE HATS)

Category: Hacking,Pen Test,Security Toolsdisc7 @ 7:22 am

Security analysis of web applications is, first of all, a search and investigation of cases of incorrect functioning of program code and vulnerabilities. Those who choose a penetration tester’s profession should keep in mind that it requires continuous learning and the ability to use a library of resources for self-education. A common situation is that while you are studying vulnerabilities in one framework, a dozen new reports are published. To quickly understand the potential vulnerabilities associated with previously unknown technologies, you need to be well-versed in the sources of information. When working in a team on an actual pentest project, there is usually no time for a thoughtful search. So, if your skills are combined with a strong foundational education, you are looking at promising career opportunities.

Your initial understanding of the subject can be developed through cybersecurity analysis courses at the university. These courses can also help you decide if this career path is right for you. It is good to receive foundational training in software development and networking, including web applications, while you are at university. Afterward, you can gain hands-on experience by practicing infrastructure penetration testing.

Usually, your initial attempts to secure a job as a web penetration tester might reveal gaps in your knowledge. Seeking employment at companies like VentureDive, where the work could help fill these educational gaps and offer valuable experience, is a smart approach. For instance, you could start as a technical support specialist in information security at a large company. After about two to four months, you might go for your first interview for a security analyst position, during which you could identify any weak points you might still have. With a few more months of work under the guidance of a mentor and diving into training materials, you could successfully land a position as a penetration tester.

Choosing where to work in the future is not as straightforward as it may appear. In a large, well-known company, you will be surrounded by a high level of expertise and likely assigned a mentor. However, the opportunity to find truly interesting vulnerabilities in real projects might be limited. This is because such organizations often have costly services, and their clients are usually not willing to skimp on development and security. Consequently, you will be working with quality products that have undergone thorough security testing, reducing the likelihood of encountering situations that provide valuable experience.

In a small company, you should not expect to find a mentor, a high level of expertise, or an impressive salary. However, these companies often get orders to pentest applications with many vulnerabilities, providing invaluable experience for those new to the profession. With this experience under your belt, you could eventually transition to a larger company.

Mastering Interview Techniques

Given that we cannot cover everything, let’s go over the essential knowledge and skills you need to analyze vulnerabilities in web applications.

  • A pentester needs to understand how applications function on the network level, which includes knowing about TCP handshakes, domain names, IPs, proxies, etc. It is also important to grasp the basics of how HTTP and HTTPS protocols work. Being prepared to answer questions like “What is the difference between HTTP methods?” “When should PATCH be used as opposed to POST?” and “How do HTTP 0.9/1.1 differ from HTTP/2?” is a part of this foundational knowledge.
  • Vulnerabilities are not always tucked away in a web application’s code; sometimes, they are embedded in its architecture, like within the web server itself. Often, a pentester might not have a direct view of the application’s architecture but can infer how it functions. Therefore, having knowledge in this area is incredibly useful.
  • As vulnerabilities become more complex, it is important to grasp the basics. This foundational understanding allows you to tackle more complex issues as they arise.
  • Developing the ability to search for answers to your questions using open sources is vital, even if you have someone to ask. Always start by seeking out information and attempting to solve problems on your own before seeking help.
  • Being able to write and read code in various languages, including PHP, Python, JavaScript, Java, and C#, is essential. When it comes to analyzing web applications, you will encounter different approaches, such as white box, gray box, and black box testing. For example, if you are doing white box testing and have access to the application’s source code, having development experience is a big plus. Additionally, the ability to write automation scripts and tailor third-party tools to fit your needs is a valuable skill.
  • Pentest projects frequently require examining the application from the outside in. You need the ability to scan the network and identify vulnerable services to ensure no obvious security flaws are overlooked.
  • In your work, you will often need to theoretically explain the nature of a vulnerability. This requires understanding basic concepts, such as how databases operate, the properties of information, and what constitutes vulnerability and exploitation. Essential skills also include system administration for both Windows and Linux.

Simply studying a vast number of vulnerabilities will turn you into a top-tier professional because it does not cultivate the skill of discovering them. During actual pentest projects, the toughest part is often identifying vulnerabilities. It is advised to search for vulnerable applications and analyze them without peeking at the technology stack or hints about the vulnerabilities. This practice offers foundational experience and insights into how things operate in an actual project.

For those lacking a basic education in security analysis, paid penetration testing courses are an option to consider. Unfortunately, the better courses tend to be expensive, and it is difficult to recommend any budget-friendly options that are truly effective. It is crucial to realize that these courses will not turn you into an expert overnight, as some might claim, but they will provide you with a solid understanding of the profession.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ASPIRING WHITE HATS


Mar 12 2024

CloudGrappler: Open Source Tool That Detects Hacking Activity

Category: OSINT,Security Toolsdisc7 @ 12:49 pm

CloudGrappler is an innovative open-source tool designed to detect the presence of notorious threat actors in cloud environments.

This tool is a beacon of hope for security teams struggling to keep pace with the sophisticated tactics of groups like LUCR-3, also known as Scattered Spider.

CloudGrappler leverages the power of CloudGrep, a tool developed by Cado Security, to offer high-fidelity, single-event detections of activities associated with well-known threat actors in popular cloud platforms such as AWS and Azure.

It acts as a cyber detective, sifting through the vast amounts of data in cloud environments to identify suspicious and malicious activities that often go unnoticed.

Key Features Of CloudGrappler

  • Threat Actor Querying: CloudGrappler excels in identifying activities demonstrated by some of the most notorious cloud threat actors. It utilizes a subset of activities from Permiso’s extensive library of detections to help organizations pinpoint threats targeting their cloud infrastructure.
  • Single-Event Detections: The tool provides a granular view of potential security incidents, enabling security teams to quickly and easily identify specific anomalies within their AWS and Azure environments.
  • Integration with CloudGrep: By incorporating a set of Tactics, Techniques, and Procedures (TTPs) observed in the modern threat landscape, CloudGrappler enhances its threat detection capabilities.

How CloudGrappler Works

CloudGrappler includes several components designed to streamline the threat detection process:

  • Scope Selector: Users can define the scope of their scanning through an integrated data_sources.json file, choosing to scan specific resources or a broader range of cloud infrastructure services.
  • Query Selector: The tool comes with a queries.json file containing predefined TTPs commonly used by threat actors. Users can modify these queries or add custom ones to tailor the scanning process.
  • Report Generator: After scanning, CloudGrappler produces a comprehensive report in JSON format, offering detailed insights into the scan results and enabling security teams to address potential threats swiftly.

It is based on a subset of activity from Permiso’s library of hundreds of detections, and it helps organizations detect threats targeting their cloud infrastructure.

Users have the ability to scan specific resources within their environment
Users can scan specific resources within their environment

Practical Applications

CloudGrappler is not just about detecting suspicious activities. it also provides valuable threat intelligence to help security professionals understand the risks in their environment and develop targeted response strategies.

Threat Activity
Threat Activity

The tool’s output includes information on the threat actor involved, the severity of the detected activity, and a description of the potential implications.

For those interested in enhancing their cloud security posture, CloudGrappler is available on GitHub.

The repository includes detailed instructions on setting up and using the tool, making it accessible to security teams of all sizes.

As cloud environments become increasingly complex and threat actors’ activities more sophisticated, tools like CloudGrappler are essential for maintaining a robust security posture.

CloudGrappler represents a significant step forward in the fight against cybercrime by offering an open-source solution for detecting and analyzing threats in cloud environments.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Open Source Tool


Mar 03 2024

Tor Tools

Category: Dark Web,Security Tools,Web Securitydisc7 @ 8:37 am

🧅Tor Tools

🔹Nipe – Script to redirect all traffic from the machine to the Tor network.
🔗https://lnkd.in/grhEtqdr

🔹OnionScan – Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators.
🔗https://onionscan.org/

🔹Tails – Live operating system aiming to preserve your privacy and anonymity.
🔗https://tails.boum.org/

🔹Tor – Free software and onion routed overlay network that helps you defend against traffic analysis.
🔗https://lnkd.in/g8Uc8nB2

🔹dos-over-tor – Proof of concept denial of service over Tor stress test tool.
🔗https://lnkd.in/gAEQPvbd

🔹kalitorify – Transparent proxy through Tor for Kali Linux OS.
🔗https://lnkd.in/gruAzkkw

Tor: From the Dark Web to the Future of Privacy

Tor

Tor: From the Dark Web to the Future of Privacy

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Tor Project


Feb 15 2024

5 free digital forensics tools to boost your investigations

Category: Forensics,Security Toolsdisc7 @ 2:19 pm

Digital forensics plays a crucial role in analyzing and addressing cyberattacks, and it’s a key component of incident response. Additionally, digital forensics provides vital information for auditors, legal teams, and law enforcement agencies in the aftermath of an attack.

Many cutting-edge digital forensics tools are on the market, but for those who cannot afford them, here’s a list of great free solutions to get you started.

Autopsy

Autopsy is a digital forensics platform widely employed by law enforcement agencies, military personnel, and corporate investigators to examine and understand activities on a computer. Although Autopsy is designed to be cross-platform, the latest version is fully functional and tested only on Windows.

digital forensics tools

bulk_extractor

bulk_extractor is a high-speed tool for digital forensics analysis. It scans various inputs, including disk images, files, and directories, extracting organized information like email addresses, credit card numbers, JPEG images, and JSON fragments. This is achieved without the need to parse file systems or their structures. The extracted data is saved in text files, which can be examined, searched, or utilized as inputs for further forensic investigations.

NetworkMiner

NetworkMiner, an open-source network forensics tool, specializes in extracting artifacts like files, images, emails, and passwords from network traffic captured in PCAP files. Additionally, it can capture live network traffic by sniffing a network interface.

Velociraptor

Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities. At the press of a (few) buttons, perform targeted collection of digital forensic evidence simultaneously across your endpoints, with speed and precision.

digital forensics tools

WinHex

WinHex is a versatile hexadecimal editor, proving especially useful in the areas of computer forensics, data recovery, low-level data processing, and IT security. It allows users to inspect and modify various file types, as well as recover deleted files or retrieve lost data from hard drives with damaged file systems or digital camera cards.

SABRENT USB 3.0 to SATA External Hard Drive Lay-Flat Docking Station | for 2.5 or 3.5in HDD, SSD

Learn Computer Forensics: Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Forensics Tools


Feb 08 2024

H4X-Tools : Empowering OSINT Enthusiasts With A Comprehensive Toolkit

Category: OSINT,Security Toolsdisc7 @ 10:57 am

Discover the power of H4X-Tools, a versatile toolkit designed for scraping, OSINT (Open-Source Intelligence), and beyond.

From extracting information from social media accounts to conducting phone and IP lookups, H4X-Tools offers a wide array of functionalities to aid researchers, developers, and security enthusiasts alike.

Explore its features, installation process, and community-driven development in this article. Toolkit for scraping, OSINT and more.

Submit feature requests and bugs in the issues tab.

If you want to help with the development, follow the instructions in contributing and simply open a pull request. You can also donate to keep the project alive and me motivated!

Current Tools

Warning

Some tools might not work on Windows systems.

Tool NameDescription
Ig ScrapeScrapes information from IG accounts.
Web SearchSearches the internet for the given query.
Phone LookupLooks up a phone number and returns information about it.
Ip LookupLooks up an IP/domain address and returns information about it.
Port ScannerScans for open ports in a given IP/domain address.
Username SearchTries to find a given username from many different websites.
Email SearchEfficiently finds registered accounts from a given email. Thanks to holehe.
Webhook SpammerSpams messages to a discord webhook.
WhoIs LookupLooks up a domain and returns information about it.
SMS BomberSpams messages to a given mobile number.
Fake Info GeneratorGenerates fake information using Faker.
Web ScrapeScrapes links from a given url.
Wi-Fi FinderScans for nearby Wi-Fi networks.
Wi-Fi Password GetterScans for locally saved Wi-Fi passwords.
Dir BusterBruteforce directories on a website.
Local Accounts GetterScans for all local accounts and their information.
Caesar CipherEncrypts/decrypts/bruteforce a message using the Caesar cipher.
BaseXXEncodes/decodes a message using Base64/32/16.
AboutTells you about the tool.
DonateMy crypto addresses where to donate.
ExitExits the tool.

Note

-IG Scrape requires you to log in, in order to use it.

-SMS Bomber only works with US numbers.

-You might get rate limited after using some of the tools for too long.

Installation

I’ll upload already built executables to the releases tab, but I’d recommend installing the tool manually by following the instructions below. This way you also get the freshest version.

Setup

Important

Make sure you have Python and Git installed.

view the wiki page for more detailed tutorial.

Linux

  1. Clone the repo git clone https://github.com/vil/h4x-tools.git
  2. Change directory cd h4x-tools
  3. Run sh setup.sh in terminal to install the tool.

Windows

  1. Clone the repo git clone https://github.com/vil/h4x-tools.git
  2. Change directory cd h4x-tools
  3. Run the setup.bat file.

Setup files will automatically build the tool as an executable. You can also run the tool using python h4xtools.py in the terminal.

Also, dependencies can be installed manually using pip install -r requirements.txt.

OSINT Cracking Tools: Maltego, Shodan, Aircrack-Ng, Recon-Ng

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: H4X-Tools, OSINT Cracking Tools


Feb 08 2024

As-a-Service tools empower criminals with limited tech skills

Category: Cybercrime,Ransomware,Security Toolsdisc7 @ 9:45 am

As-a-service attacks continue to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up the majority of malicious tools in use by attackers, according to Darktrace.

Cybercriminals exploit as-a-Service tools

As-a-Service tools can provide attackers with everything from pre-made malware to templates for phishing emails, payment processing systems and even helplines to enable criminals to mount attacks with limited technical knowledge.

The most common as-a-Service tools Darktrace saw in use from July to December 2023 were:

  • Malware loaders (77% of investigated threats), which can deliver and execute other forms of malware and enable attackers to repeatedly target affected networks.
  • Cryptominers (52% of investigated threats), which use an infected device to mine for cryptocurrency.
  • Botnets (39% of investigated threats) enrol users in wider networks of infected devices, which attackers then leverage in larger-scale attacks on other targets.
  • Information-stealing malware (36% of investigated threats), malicious software like spyware or worms, designed to secretly access and collect sensitive data from a victim’s computer or network.
  • Proxy botnets (15% of investigated threats), more sophisticated botnets that use proxies to hide the true source of their activity.

Phishing threats escalate in business communications

Darktrace identified Hive ransomware as one of the major Ransomware-as-a-Service attacks at the beginning of 2023. With the dismantling of Hive by the US government in January 2023, Darktrace observed the rapid growth of a range of threats filling the void, including ScamClub, a malvertising actor notorious for spreading fake virus alerts to notable news sites, and AsyncRAT, responsible for attacking US infrastructure employees in recent months.

As businesses continue to rely on email and collaboration tools for communication, methods such as phishing continue to cause a headache for security teams. Darktrace detected 10.4 million phishing emails across its customer fleet between the 1st September and the 31st December 2023.

But the report also highlights how cybercriminals are embracing more sophisticated tools and tactics designed to evade traditional security parameters. One example is the rise of Microsoft Teams phishing in which attackers contact employees through Teams, posing as a co-worker and tricking them into clicking malicious links.

In one case in September 2023, Darktrace identified a suspected Teams phisher attempting to trick users into clicking a SharePoint link that would download the DarkGate malware and deploy further strains of malware across the network.

Multi-function malware on the rise

Another new trend identified is the growth of malware developed with multiple functions to inflict maximum damage. Often deployed by sophisticated groups like cyber cartels, these Swiss Army knife-style threats combine capabilities.

For example, the recent Black Basta ransomware also spreads the Qbot banking trojan for credential theft. Such multi-tasking malware lets attackers cast a wide net to monetise infections.

“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing attacker tactics and techniques resulting from innovation in the tech industry at large, including the rise in generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations has grown significantly,” comments Hanah Darley, Director of Threat Research, Darktrace. “Security teams face an up-hill battle to stay ahead of attackers, and need a security stack that keeps them ahead of novel attacks, not chasing yesterday’s threats.”

Future Crimes: Inside the Digital Underground and the Battle for Our Connected World

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: As-a-Service, darktrace, Malware


Feb 06 2024

20 free cybersecurity tools you should know about

Category: Information Security,Security Toolsdisc7 @ 10:36 am

https://www.techtarget.com/whatis/feature/17-free-cybersecurity-tools-you-should-know-about

Cybersecurity products can get pricy but there are many excellent open source tools to help secure your systems and data. Here’s a list of some of the most popular with cyber pros.

Cybersecurity tools aren’t just for the enterprise anymore; they’re essential for every type and size of organization.

Some tools specialize in antivirus, while others focus on spear phishing, network security or scripting. Even the best cybersecurity products can only do a few things very well, and there is no room for error.

Effective products, coupled with in-depth cybersecurity planning, are a must for all. Whether businesses have an in-house security team or outsource these services, every entity needs cybersecurity pros to discover and fix any points of weakness in computer systems. This reality can tax the bottom line, but luckily there are many free cybersecurity tools available.

Here is a rundown of some of the top free tools cybersecurity professionals use every day to identify vulnerabilities.

1. Aircrack-ng

Aircrack-ng is a must-have suite of wireless security tools that focus on different aspects of Wi-Fi security. Aircrack-ng focuses on monitoring, attack testing and cracking your Wi-Fi network. This package of tools can capture, analyze and export packet data, spoof access points or routers and crack complex Wi-Fi passwords. The Aircrack-ng suite of programs includes Airdecap-ng, which decrypts WEP or WPA-encrypted capture files; Airodump-ng, a packet sniffer; Airtun-ng, a virtual tunnel interface creator; and Packetforge-ng, which creates encrypted packets for injection. All of it is free and open source.

2. Burp Suite

Burp is a suite of tools specifically focused on debugging and testing web app security. Burp Suite includes a spider for crawling web app content, a randomness tool for testing session tokens and a sophisticated request repeater to resend manipulated requests. The real power of Burp Suite, however, is the intercepting proxy tool, which enables Burp to intercept, inspect, modify and send traffic from the browser to a target. This powerful feature makes it possible to creatively analyze a web app’s attack vectors from all angles — a key reason it’s often ranked as one of the best free cybersecurity tools. The community version of Burp Suite is free, but there is also a paid Enterprise Edition designed for enabling testing in DevSecOps.

3. Defendify

Defendify is an all-in-one product that provides multiple layers of protection and offers consulting services if needed. With Defendify, organizations can streamline cybersecurity assessments, testing, policies, training, detection and response in one consolidated cybersecurity tool.

Features include cybersecurity risk assessments, technology and data use policies, incident response plans, penetration testing, threat alerts, phishing simulations and cybersecurity awareness training.

4. Gophish

Many of the costliest data breaches and ransomware attacks in recent years can be traced back to simple phishing campaigns because many company workers fall for them. One of the best protections is to secretly test your staff to see who is gullible, and for that you can use the free program Gophish. Gophish is open source and provides a full-featured toolkit for security administrators to build their own phishing campaigns with relative ease. The overall goal is not to embarrass staff, but find out who needs greater phishing awareness and foster better security training within their organization.

5. Have I Been Pwned

Created by award-winning cybersecurity thought leader and teacher Troy Hunt, Have I Been Pwned is a website where you enter your email address to check if your address has been revealed in a data breach. Have I Been Pwned’s database is filled with billions of usernames, passwords, email addresses and other information that hackers have stolen and published online. Just enter your address in the search box.

6. Kali Linux

Kali Linux is a Debian Linux derivative specifically designed toward testing for security tasks, such as penetration testing, security auditing and digital forensics. Kali includes roughly 600 pre-installed programs, each included to help computer security experts carry out a specific attack, probe or exploit against a target. Aircrack-ng, Nmap, Wireshark and Metasploit are a few of the pre-installed tools that ship with the Kali Linux download.

7. Metasploit Framework

Similar to Kali Linux but at the application layer rather than OS, the Metasploit Framework can test computer system vulnerabilities or can be used to break into remote systems. It is, in other words, a network penetration “Swiss Army knife” used by both ethical hackers and criminal gangs to probe networks and applications for flaws and weaknesses. There is both a free and a commercial version — known as the Framework and Pro editions, respectively — which are available for trial. Both editions are de facto standard for penetration testing with more than 1,500 exploits. Metasploit comes pre-installed on Kali Linux.

8. Nmap

Nmap is a free network mapper used to discover network nodes and scan systems for vulnerability. This popular free cybersecurity tool provides methods to find open ports, detect host devices, see which network services are active, fingerprint operating systems and locate potential backdoors.

While Nmap provides users immense power and capability to explore networks, the program has a rather steep learning curve to get over before one becomes truly proficient in using it.

9. Nikto

Nikto is an ultra-powerful, command-line tool useful for uncovering vulnerabilities in web apps, services and web servers. Originally launched in the early 2000s, Nikto is still widely used by both blue and red teams that want to quickly scan web servers for unpatched software, misconfigurations and other security issues. The program also features built-in support for SSL proxies and intrusion detection system evasion. Nikto can run on any computer capable of supporting the Perl programming language.

10. Open Vulnerability Assessment Scanner

OpenVAS is an all-in-one vulnerability scanner that comprehensively tests for security holes, misconfigured systems and outdated software. The scanner gets the tests for detecting vulnerabilities from a feed with daily updates. Much of the program’s power stems from its built-in programming interface, which enables developers to create custom scans that fit niche needs.

Its capabilities include unauthenticated and authenticated testing, high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

11. OSSEC

OSSEC is a free program for cybersecurity professionals that’s been touted as one of the most popular systems for intrusion detection and prevention. Made up of multiple components — including a server, agent and router monitor — OSSEC is capable of rootkit detection, system integrity checking, threat alerts and response. One of OSSEC’s highlights is its comprehensive log analysis tool, empowering users to compare and contrast log events from many different sources.

OSSEC comes in three versions: standard; OSSEC+, which includes machine learning and real-time community update; and Atomic OSSEC, with more advanced functions.

12. Password managers

Using only strong passwords — and keeping them secure — is an essential step in the security of any system. But since a best practice is to use a unique password for every website, app and service, that can get tricky. A good password manager makes it possible to safely store all passwords together so a user only needs to remember one master key rather than dozens of unique passwords. This is especially true for cybersecurity professionals tasked with guarding passwords to mission-critical systems. Fortunately, there are free password management tools. Three good, free options for cybersecurity pros are KeePassBitwarden and Psono.

13. PfSense

The firewall/router software pfSense can be installed on either a physical computer or virtual machine to protect networks. PfSense is based on the FreeBSD OS, and has become one of the most popular open source firewall/router projects available. PfSense can also be configured for intrusion detection and prevention, traffic shaping, load balancing and content filtering. The pfSense site includes a tour, a community page, a link to both training and support and a download of the latest version of the community edition of the software.

14. P0f

Endpoint fingerprinting is analysis of web traffic to find patterns, responses and packets sent and received in a particular direction — even if they are encrypted. This works even with “dumb” devices that don’t interact with the network but can still enable unauthorized access to an organization’s systems.

P0f is a simple yet powerful network-level fingerprinting and forensics program. While other free cybersecurity programs do a similar job, p0f is unique in that it’s designed for stealth. Where most other programs rely on active scanning and packet injection, p0f can identify fingerprints and other vital information without network interference. Being passive rather than active means p0f is nearly impossible to detect and even harder to block, making it a favorite tool for ethical hackers and cybercriminals alike.

15. REMnux

Normally the dissection and examination of malware is left to the antimalware vendors. But if you would like to do the job yourself, there is REMnux, a free Linux toolkit for reverse-engineering and analyzing malware.

Included in every REMnux distribution are tools to analyze Windows executables, reverse-engineer binaries and inspect suspicious documents. It also includes a collection of free tools cybersecurity professionals can use to monitor networks, gather data and conduct memory forensics. 

16. Security Onion

Security Onion is an open source software collection based on the Linux kernel that helps cybersecurity professionals develop a comprehensive profile of their system’s security posture. Security Onion provides network monitoring using full packet capture, host-based and network-based intrusion detection systems, log indexing, search and data visualization features.

The operating system emphasizes ease of use and makes it possible to interweave data and analytics from multiple tools into a unified dashboard. The overarching goal of the project is to offer teams a foolproof security monitoring solution that reduces decision paralysis and false alerts.

17. Snort

Snort is an open source network intrusion prevention and intrusion detection system capable of real-time traffic analysis and logging. It uses a series of rules to identify malicious network activity, find the packets and generate alerts. This packet sniffer — managed by Cisco — actively searches and analyzes networks to detect probes, attacks and intrusions. Snort accomplishes this by fusing a sniffer, packet logger and intrusion detection engine into a single package.

Its developer recently released version 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, use of a shared configuration and attribute table, access to more than 200 plugins, rewritten TCP handling and new performance monitoring.

18. Sqlmap

Sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws of database servers, enabling a remote hacker to take control. It comes with a detection engine and many niche features for the ultimate penetration tester. It supports a variety of databases — including Oracle and open source — and a number of injection types.

19. Wireshark

Wireshark is considered by many to be an indispensable tool to locate, identify and examine network packets to diagnose critical issues and spot security weaknesses. The website for Wireshark outlines its broad set of features and provides a user’s guide and other resources for putting this free cybersecurity tool to best use.

20. Zed Attack Proxy (ZAP)

ZAP is an open source penetration testing tool designed specifically for testing web applications. It is known as a “man-in-the-middle proxy,” where it intercepts and inspects messages sent between browsers and web applications.

ZAP provides functionality for developers, testers new to security testing and security testing specialists. There are also versions for each major operating system and Docker. Additional functionality is available via add-ons in the ZAP Marketplace.

Every cybersecurity expert carries a different set of tools, depending on their mission and skill set. However, the free cybersecurity tools here serve as an entry point for those looking to increase their cybersecurity skills and knowledge. Cyberthreats are getting more lethal every year — and more efficient.

The Ultimate Kali Linux Book: Perform advanced penetration testing using Nmap, Metasploit, Aircrack-ng, and Empire

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: free cybersecurity tools


Feb 01 2024

7 hacking tools that look harmless but can do real damage

Category: Hacking,Security Toolsdisc7 @ 8:52 am

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/

One of the best ways to stay safe and secure when using your computers and other electronic devices is to be aware of the risks. For the past decade, that’s precisely what I’ve been doing.

Most risks are obvious: use strong passwords, don’t download and install software from untrustworthy websites, or hand your unlocked device to a third party.

However, there are less obvious — yet equally dangerous — risks that can result in device or network intrusion, or even device destruction.

Watch out: Some of the most effective and dangerous hacking tools are hard to tell apart from benign devices. They can even be cute.

1. Flipper Zero

2. O.MG cables

3. USBKill

4. USB Nugget

5. Wi-Fi Pineapple

6. USB Rubber Ducky

7. LAN Turtle

for more details:

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: hacking tools


Jan 19 2024

OSINVGPT – A Tool For Open-Source Investigations

Category: Security Toolsdisc7 @ 12:12 pm

OSINVGPT is an AI-based system that helps security analysts with open-source investigations and tool selection. While this tool was developed by “Very Simple Research.”

This tool can assist security analysts in gathering relevant information, sources, and tools for their investigations. It even helps researchers produce reports and summaries of their results. 

OSINVGPT is available on ChatGPT and is useful for security researchers as it saves both time and effort.

Key Aspects

Here below, we have mentioned all the key aspects that OSINVGPT can do:-

  • Data Analysis
  • Interpretation
  • Guidance on Methodology
  • Case Studies
  • Examples
  • Document Analysis
  • Fact-Checking
  • Verification
  • Recommendations Based on External Sources
  • Ethical Considerations

OSINVGPT’s data analysis and interpretation involve examining information from diverse open sources to form readable narratives and address specific queries. At the same time, guidance is offered on conducting transparent and accurate open-source investigations. 

Detailed insights and suggestions are provided using real-world examples within the knowledge base. Appropriate data is analyzed and extracted from the uploaded documents for open-source investigations. 

To ensure investigation accuracy, assistance is given in fact-checking using open-source data. Recommendations based on external sources are provided for queries beyond the direct knowledge base, with a focus on ethical considerations in open-source investigations for responsible conduct.

Moreover, if you want, you can access the OSINVGPT tool from here for open-source investigation.

Related articles on Security Tools

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Open source, OSINVGPT


Jan 04 2024

15 open-source cybersecurity tools you’ll wish you’d known earlier

Category: Open Network,Security Toolsdisc7 @ 4:33 pm

Open-source tools represent a dynamic force in the technological landscape, embodying innovation, collaboration, and accessibility. These tools, developed with transparency and community-driven principles, allow users to scrutinize, modify, and adapt solutions according to their unique needs.

In cybersecurity, open-source tools are invaluable assets, empowering organizations to fortify their defenses against evolving threats.

In this article, you will find a list of open-source cybersecurity tools that you should definitely check out.

Nemesis: Open-source offensive data enrichment and analytic pipeline

Nemesis is a centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data (i.e., data collected during penetration tests and red team engagements).​​

SessionProbe: Open-source multi-threaded pentesting tool

SessionProbe is a multi-threaded pentesting tool designed to evaluate user privileges in web applications.

Mosint: Open-source automated email OSINT tool

Mosint is an automated email OSINT tool written in Go designed to facilitate quick and efficient investigations of target emails. It integrates multiple services, providing security researchers with rapid access to a broad range of information.

Vigil: Open-source LLM security scanner

Vigil is an open-source security scanner that detects prompt injections, jailbreaks, and other potential threats to Large Language Models (LLMs).

AWS Kill Switch: Open-source incident response tool

AWS Kill Switch is an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.

PolarDNS: Open-source DNS server tailored for security evaluations

PolarDNS is a specialized authoritative DNS server that allows the operator to produce custom DNS responses suitable for DNS protocol testing purposes.

k0smotron: Open-source Kubernetes cluster management

Open-source solution k0smotron is enterprise-ready for production-grade Kubernetes cluster management with two support options.

Kubescape 3.0 elevates open-source Kubernetes security

Targeted at the DevSecOps practitioner or platform engineer, Kubescape, the open-source Kubernetes security platform has reached version 3.0.

Logging Made Easy: Free log management solution from CISA

CISA launched a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free.

GOAD: Vulnerable Active Directory environment for practicing attack techniques

Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.

Wazuh: Free and open-source XDR and SIEM

Wazuh is an open-source platform designed for threat detection, prevention, and response. It can safeguard workloads in on-premises, virtual, container, and cloud settings.

Yeti: Open, distributed, threat intelligence repository

Yeti serves as a unified platform to consolidate observables, indicators of compromise, TTPs, and threat-related knowledge. It enhances observables automatically, such as domain resolution and IP geolocation, saving you the effort.

BinDiff: Open-source comparison tool for binary files

BinDiff is a binary file comparison tool to find differences and similarities in disassembled code quickly.

LLM Guard: Open-source toolkit for securing Large Language Models

LLM Guard is a toolkit designed to fortify the security of Large Language Models (LLMs). It is designed for easy integration and deployment in production environments.

Velociraptor: Open-source digital forensics and incident response

Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities.

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Open Source Intelligence Methods and Tools, Open-Source Tools


Nov 28 2023

Stop panic buying your security products and start prioritizing

Category: Security Toolsdisc7 @ 2:12 pm

In the realm of cybersecurity, where a constant influx of new “essential” products occurs, it’s tempting to be influenced into investing in unnecessary tools that not only expand your vulnerability but also provide minimal, if any, value. Let’s delve into the intricacies of security expenditure and the advantages of optimization, especially in times of economic uncertainty as we plan for the 2024 budget.

The culture of panic buying is real

This is an industry that uses fear, uncertainty, and doubt (FUD) as a selling tactic, making security leaders feel like every product is make-or-break for the wellbeing of their organization. The promise of a fix-it-all solution (the mythical silver bullet) is particularly tempting in this environment, especially for smaller organizations that most likely don’t have the budgets to implement a multitude of security tools or hire cyber specialists in-house. Vendors play on that desperation to make profits, and a lot of them are very good at it.

The fear mongering may also lead to impulsive decisions to invest in products that won’t configure correctly with the buyer’s current technology stack, thus introducing even more risk. The name of the game in a lean operation is a solution that is customizable and adaptable, and that will grow with the changing needs of an organization’s security team.  

The consequences can cost millions

According to IBM’s 2023 Cost of a Data Breach Report, organizations are now paying $4.5 million to deal with breaches – a 15% increase over the last three years. Aside from spending cash to purchase the product, panic buying can result in a wider attack surface, costly auto-renews and misconfigurations.

There is no doubt that taking advantage of new technological solutions (with AI and machine learning being fan favorites right now), can be extremely beneficial from both a technological and reputational perspective. But without looking at the big picture and calculating the actual value of the product in question, it’s nearly impossible to make a well-informed investment decision.

To assess the value of a product, security leaders should examine whether it adds or minimizes organizational risk and whether their current cybersecurity personnel and tools will be able to interact with it effectively.

Calculating the value of a product doesn’t have to be a guessing game. Risk = likelihood x impact is a great equation to use to solve for the value of a product or service.

To calculate likelihood of an attack, examine the degree of difficulty to execute an attack and the exposure of your assets. Determine your organization’s acceptable risk and use that equation to work backwards to identify the monetary impact of an attack. If that impact is significantly higher than the price of the product or service, it may be worth looking elsewhere.

It’s easy to fall into the trap of impulse buying cybersecurity products that don’t improve security but instead leave you vulnerable to costly attacks. Organizations should aim to protect their most valuable assets and prioritize addressing threats to those critical puzzle pieces of their business.

The solution is possible, and relatively simple

Look inward and optimize. Companies need to understand what inside their networks and data is most attractive and most vulnerable to attackers. Get visibility into what you have, calculate the value of your tools, and use the information to move forward.

Understanding risk by gaining full visibility into what you already have can allow companies to communicate better with investors and the public in the case of an attack or breach. For example, they will be able to give clear information about the impact (or lack of impact) on the business when an attack occurs and lay out clear steps for remediation, not having to guess the next best course of action.

‘Tis the season to prioritize your security investments

It is important to remember that the goal is not to buy more tools to chase the growing number of vulnerabilities that experts find every day, but to protect the assets that are most relevant to overall vital business operations and limit the fallout of inevitable cyber incidents.

By attaching a dollar value to the cyber risks the organization is up against, you will be in a much better position to discuss your security plan and budgetary needs.

When budgets are tight, every purchase must be accounted for with a clear indication of its value to the business operation. This is especially true for security purchases, which tend to be costly line items.

In today’s economic climate, proving ROI for security spend is a big part of security leaders’ jobs. It is crucial that before purchasing a new cybersecurity tool, investing in a service, or hiring specialists, you understand their functionality and purpose.

Cyber Security Program and Policy Using NIST Cybersecurity Framework: NIST Cybersecurity Framework (CSF)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: security products


Oct 16 2023

GUARDIANS OF THE HACKERS GALAXY: UNLOCK THE TOOL OF TODDYCAT’S GROUP

Category: Cyber Espionage,Security Toolsdisc7 @ 9:36 am

COMPREHENSIVE ANALYSIS: TODDYCAT’S ADVANCED TOOLSET AND STEALTHY CYBER ESPIONAGE TACTICS

ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the article and other sources, aims to provide a detailed overview of ToddyCat’s toolset and operational tactics.

STEALTH AND SOPHISTICATION: TODDYCAT’S MODUS OPERANDI

ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.

EXPLOITATION TECHNIQUES AND MALWARE UTILIZATION

  • Disposable Malware: Utilized to enhance stealth and evasion capabilities.
  • Data Exfiltration: Malware designed to access and extract sensitive information.
  • Lateral Movement: Techniques employed to expand reach and access within compromised environments.

TOOLSET SUMMARY

  1. Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
  2. LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
  3. Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
  4. Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.

DETAILED INSIGHTS INTO THE TOOLSET

1. LOADERS

  • Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, each differing in aspects like the library loaded by, where the malicious code resides, the loaded file, and the next stage.
  • Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).

2. NINJA TROJAN

The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:

  • Managing running processes
  • File system management
  • Managing multiple reverse shell sessions
  • Injecting code into arbitrary processes
  • Loading additional modules during runtime
  • Proxy functionality to forward TCP packets between the C2 and a remote host

3. LOFISE

LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.

4. DROPBOX UPLOADER

This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to DropBox, accepting a DropBox user access token as an argument and uploading files with specific extensions.

5. PCEXTER

Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.

POTENTIAL IMPACT AND THREAT LANDSCAPE

The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.

MITIGATION AND DEFENSE STRATEGIES

  • Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
  • User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
  • Regular Patching: Keeping all systems regularly patched and updated.
  • Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.

ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.

Spy Secrets That Can Save Your Life: A Former CIA Officer Reveals Safety and Survival Techniques to Keep You and Your Family Protected

100 Deadly Skills: The SEAL Operative’s Guide to Eluding Pursuers, Evading Capture, and Surviving Any Dangerous Situation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ToddyCat’s Group


Oct 11 2023

UNMASKING CRACKED COBALT STRIKE 4.9: THE CYBERCRIMINAL’S TOOL OF CHOICE

Category: Cybercrime,Security Toolsdisc7 @ 8:58 am

Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.  

COBALT STRIKE 4.9 FEATURES

The latest release, version 4.9, introduces several significant features and improvements:

  • User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
  • Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
  • Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
  • Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
  • Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
  • WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
  • Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.

CRACKED VERSIONS IN THE WILD

Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.

THE CRACKDOWN

Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.

WHY COBALT STRIKE?

Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.

THE USERS

Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.

REMEDIATION EFFORTS

To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).

The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.

Cobalt Strike, a Defender’s Guide

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cobalt Strike


Oct 09 2023

Chalk: Open-source software security and infrastructure visibility tool

Category: Open Network,Security Toolsdisc7 @ 10:38 am

Chalk is a free, open-source tool that helps improve software security. You add a single line to your build script, and it will automatically collect and inject metadata into every build artifact: source code, binaries, and containers.

Gaining visibility

Chalk enables complete visibility across the development process, from the first time a developer creates the code to the entire lifetime a container hosting is running.

Chalk is a convenient tool for compliance by producing SBOMs, embedding code provenance details, and digitally signing them. You can then send these to your preferred location as a report. Additionally, without added effort, you can achieve SLSA level 2 compliance even before SLSA level 1 becomes a mandated standard.

Usage scenarios

“Interestingly, early design partners are constantly developing new use cases, but the classic ones are still unique because nothing else solves those today. The canonical one is knowing what code is in production and what is not. “Prod or not”. That basic use case means most users can shut off code scanning on the majority of their code repos, shutting down the noise and the busy work people have to do looking at it, but also saving massive amounts of money on wasted tools licenses,” Mark Curphey, Co-Founder of Crash Override, told Help Net Security.

“A great and topical one is automatically generating software security supply chain reports. Chalk will generate an SBOM, add build provenance data about where the code came from and who built it, something required by the US gov directives and where no other automated solution exists, and then to top it all, digitally signs it all in a report and sends it to a central report registry. That use case is huge, just huge,” he concluded.

The source code for Chalk is available on GitHub.

Tags: Open-source software security


Sep 20 2023

Nagios Monitoring Tool Vulnerabilities Let Attackers Perform SQL Injection

Category: Security Tools,Security vulnerabilitiesdisc7 @ 9:47 am

Nagios XI is a prominent and frequently used commercial monitoring system for IT infrastructure and network monitoring. 

Vulnerability Research Engineer Astrid Tedenbrant found four distinct vulnerabilities in Nagios XI (version 5.11.1 and below) while conducting routine research.

By making use of three of these flaws classified as (CVE-2023-40931CVE-2023-40933, and CVE-2023-40934), users with various levels of access rights can get access to the database field via SQL injection.

Additionally, the vulnerability (CVE-2023-40932) permits Cross-Site Scripting through the Custom Logo component, rendering on all pages, including the login page.

Details of the Vulnerabilities

SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)

“Announcement Banners” are a feature of Nagios XI that users may choose to recognize. This feature’s endpoint is susceptible to a SQL Injection attack.

When a user acknowledges a banner, a POST request is made to ‘/nagiosxi/admin/banner_message-ajaxhelper.php’ with the POST data ‘action=acknowledge banner message&id=3’.

“The ID parameter is assumed to be trusted but comes directly from the client without sanitization”, the researcher explains.

“This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the `xi_session` and `xi_users` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets”.

SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)

An authorized user with access to control host escalations can run any database query using Nagios XI’s Core Configuration Manager.

The same database access is possible through this vulnerability as through previous SQL Injection vulnerabilities, although it necessitates more privileges than CVE-2023-40931.

SQL Injection in Announcement Banner Settings (CVE-2023-40933)

In this case, while performing the `update_banner_message_settings` action on the affected endpoint, the `id` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query, the researcher said.

Compared to CVE-2023-40931, successful exploitation of this vulnerability needs more privileges but provides the same database access as the other two SQL Injection Vulnerabilities.

Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)

Reports say Nagios XI may be modified to include a unique corporate logo, which will be visible across the entire product. Included in this are the login page, various administration pages, and the landing page.

A cross-site scripting flaw in this functionality allows an attacker to inject arbitrary JavaScript, which any user’s browser will be able to execute.

“This can be used to read and modify page data, as well as perform actions on behalf of the affected user. Plain-text credentials can be stolen from users’ browsers as they enter them.,” reports said.

Fix Available

All of these vulnerabilities have been fixed, and users are encouraged to update to 5.11.2 or later.

The commercial version of the open-source Nagios Core monitoring platform, Nagios XI, offers more functionality that makes managing complicated IT settings easier.

Because of the access that Nagios XI requires, it is frequently used in highly privileged instances, making it an attractive target for attackers.

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks


InfoSec tools
 | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SQL injection


Sep 18 2023

Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromise

Category: Forensics,Mobile Security,Security Toolsdisc7 @ 8:53 am

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.

It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.

Mobile Verification Toolkit key features

MVT’s capabilities are continuously evolving, but some of its key features include:

  • Decrypt encrypted iOS backups.
  • Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
  • Extract installed applications from Android devices.
  • Extract diagnostic information from Android devices through the adb protocol.
  • Compare extracted records to a provided list of malicious indicators in STIX2 format.
  • Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
  • Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations of non-consenting individuals. To achieve this, MVT is released under its license.

Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Mobile Verification Toolkit


Sep 15 2023

Attackers hit software firm Retool to get to crypto companies and assets

Category: App Security,Crypto,Security Toolsdisc7 @ 3:18 pm

Retool, the company behind the popular development platform for building internal business software, has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.

According to a CoinDesk report, one the known victims is Fortress Trust, i.e., four of its customers who accessed their crypto funds via a portal built by Retool.

It all started with an SMS

The attack started with spear phishing text messages delivered to a number of Retool employees. According to the company, only one fell for the scheme.

The phishing text message. (Source: Retool)

Spoofed to look like it was coming from the company’s IT department, the goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call by the attacker.

“The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code,” Snir Kodesh, Retool’s head of engineering, shared on Wednesday.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite [i.e., Google Workspace] session on that device.”

And because the employee’s MFA codes were synched with their Google account, the attacker now had access to all MFA tokens held within that account.

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry),” Kodesh noted, and added that the attacker also poked around some of the Retool apps – but didn’t specify which ones.

“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.”

Who’s to blame?

“Social engineering can affect anyone,” Kodesh noted, and “even with perfect training and awareness of these attacks, mistakes will happen.” He also put some on the blame for the hack on Google.

The company recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud and made it easier to activate the feature than not to.

“Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this ‘feature’. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just a “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” he explained.

“Through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”

Of course, Google cannot be blamed for this breach entirely – Retool should have regularly reviewed the protections they’ve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.

If the company had used a FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed – as a similar attack against Cloudflare employees did a year ago.

The investigation is ongoing

Retool is working with law enforcement and a third party forensics firm to investigate the breach in depth.

So far, they found that 27 cloud customers have been affected (and they notified them all), but that on-premise Retool customers remain secure.

“Retool on-prem operates in a ‘zero trust’ environment, and doesn’t trust Retool cloud. It is fully self contained, and loads nothing from the cloud environment. This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,” Kodesh noted.

Fortress’ customers, on the other hand, apparently lost nearly $15 million.

UPDATE (September 15, 2023, 04:35 a.m. ET):

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies,” Google stated.

“Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”

Application Security Program Handbook: A guide for software engineers and team leaders

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Next Page »