Feb 09 2023

How Application Mapping Can Boost Application Security

Category: App Security | DISC @ 10:35 am

Application security refers to the measures taken to protect the confidentiality, integrity, and availability of an application and its associated data. This involves designing, developing, and deploying applications in a secure manner and protecting them against threats such as hacking, malware, and data theft. It also involves the use of application security testing tools, as well as ongoing monitoring and management to detect and respond to security incidents. 

Application security aims to prevent unauthorized access to an application and its data, and to ensure the privacy and security of sensitive information processed by the application. This is essential for organizations to maintain the trust of their customers, partners, and stakeholders, and to comply with industry regulations and standards.

What Is Application Mapping?

Application mapping is the process of creating a visual representation of the components, relationships, and interactions of a software application. It helps to identify potential security vulnerabilities and areas of risk, and can be used to support security testing, incident response, and overall application security planning.

Application mapping can be performed manually or with the use of automated tools and typically includes a diagram that shows the various components of the application, such as the user interface, database, and server, and how they interact with each other. This information can be used to create a comprehensive understanding of the application architecture and to develop and implement effective security controls.

How Application Mapping Can Boost Application Security

Application mapping can boost application security by providing a comprehensive understanding of the application’s architecture, data flow, and interactions between components. This information can be used to identify potential security risks and vulnerabilities and to implement appropriate application security measures to mitigate these risks. Here are some specific ways that application mapping can boost application security:

  • Identification of sensitive data: By creating a visual representation of the flow of data within an application, application mapping can help to identify sensitive data and the components that handle this data. This information can be used to ensure that sensitive data is properly protected and that the appropriate security measures are in place to secure the data.
  • Improved threat modeling: Threat modeling is the process of identifying potential security risks and vulnerabilities within an application. Application mapping can provide a clear understanding of the application’s architecture, components, and data flow, making it easier to identify potential security risks and vulnerabilities.
  • Better access control: Application mapping can be used to identify the relationships between different components and to understand the flow of data within the application. This information can be used to implement better access controls, such as role-based access controls, to ensure that sensitive data is only accessible by authorized users.
  • Improved network segmentation: By creating a visual representation of the application’s architecture and data flow, application mapping can be used to identify the components that are communicating with each other and the flow of data between these components. This information can be used to improve network segmentation and to ensure that sensitive data is only accessible by authorized components.
  • Better incident response: In the event of a security incident, application mapping can provide a clear understanding of the application’s architecture and data flow, making it easier to respond to the incident and restore the application to a secure state.

Application Mapping Best Practices

Recognize All Types of Dependencies

Identifying all types of dependencies is a crucial step in the application mapping process. Dependencies between components can greatly impact the security of an application, so it is important to understand all of these relationships. There are three types of dependencies that should be recognized in application mapping:

  • Functional dependencies: These describe the relationships between components that perform specific functions. For example, a user interface component may depend on a database component to store and retrieve data. By recognizing functional dependencies, organizations can understand how changes to one component can impact the overall functionality of the application.
  • Data dependencies: These describe the relationships between components that exchange data. For example, an application component may receive data from an external source, such as a web service, and pass that data to another component for processing. By recognizing data dependencies, organizations can understand how sensitive data flows through the application and identify areas where data may be vulnerable to attack.
  • Security dependencies: These describe the relationships between security controls and the components they protect. For example, a firewall may protect an application server, or encryption may protect sensitive data in transit. By recognizing security dependencies, organizations can understand the overall security posture of the application and identify areas where security controls may be insufficient or missing.
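The bullets above (sensitive-data identification, access control, segmentation, incident response) and the three dependency types just listed can all be computed from the same map once it is written down as a graph. The following is an added illustration, not a tool from the article: a constructed, hypothetical three-tier application is encoded as components plus typed dependencies, and a few small queries derive the security-relevant facts the text describes. Component names, tiers and the "sensitive" flags are all assumptions made for the example.

```python
"""Application map as a typed dependency graph (added example, constructed data).

Edge kinds follow the article's three dependency types:
  functional: (A, B) means A needs B to do its job
  data:       (A, B) means data flows from A to B
  security:   (C, X) means control C protects component X
"""
from collections import deque

# Constructed sample map of a hypothetical three-tier application.
COMPONENTS = {
    "web_ui":      {"tier": "frontend", "sensitive": False},
    "api":         {"tier": "app",      "sensitive": False},
    "payments":    {"tier": "app",      "sensitive": True},   # handles card data
    "customer_db": {"tier": "data",     "sensitive": True},   # stores PII
    "reporting":   {"tier": "app",      "sensitive": False},
    "waf":         {"tier": "control",  "sensitive": False},
    "tls_gateway": {"tier": "control",  "sensitive": False},
}

DEPENDENCIES = [
    ("web_ui", "api", "functional"),
    ("api", "customer_db", "data"),
    ("customer_db", "api", "data"),
    ("api", "payments", "data"),
    ("customer_db", "reporting", "data"),
    ("waf", "web_ui", "security"),
    ("tls_gateway", "api", "security"),
]


def _adjacency(kind):
    """Forward adjacency restricted to one edge kind."""
    adj = {c: set() for c in COMPONENTS}
    for src, dst, k in DEPENDENCIES:
        if k == kind:
            adj[src].add(dst)
    return adj


def sensitive_data_handlers():
    """Components that store sensitive data or receive it, directly or
    transitively, over data dependencies (breadth-first over data edges)."""
    adj = _adjacency("data")
    seen = {c for c, meta in COMPONENTS.items() if meta["sensitive"]}
    queue = deque(seen)
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unprotected_handlers():
    """Sensitive-data handlers with no security dependency protecting them:
    the gaps a threat model should look at first."""
    protected = {dst for _, dst, k in DEPENDENCIES if k == "security"}
    return sorted(sensitive_data_handlers() - protected)


def segmentation_allowlist(component):
    """Peers that exchange data with `component`; a network policy for that
    component should permit only these and deny everything else."""
    peers = set()
    for src, dst, k in DEPENDENCIES:
        if k == "data":
            if src == component:
                peers.add(dst)
            elif dst == component:
                peers.add(src)
    return sorted(peers)


def impacted_by_change(component):
    """Blast radius of changing (or compromising) `component`: everything that
    functionally depends on it plus everything downstream of its data."""
    step = {c: set() for c in COMPONENTS}
    for src, dst, k in DEPENDENCIES:
        if k == "functional":
            step[dst].add(src)   # src depends on dst
        elif k == "data":
            step[src].add(dst)   # dst consumes src's data
    seen, queue = set(), deque([component])
    while queue:
        for nxt in step[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(component)
    return sorted(seen)


if __name__ == "__main__":
    print("handles sensitive data:", sorted(sensitive_data_handlers()))
    print("no security control:   ", unprotected_handlers())
    print("may talk to customer_db:", segmentation_allowlist("customer_db"))
    print("impacted by customer_db:", impacted_by_change("customer_db"))
```

The same four queries are what a practitioner re-runs after each update of the map: a new data edge into the database shows up immediately as a new allow-list entry and, if no control covers the new consumer, as a new unprotected handler.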

Actively Avoid Dependencies When Possible

By reducing the number of dependencies between components, organizations can minimize the attack surface and simplify security management. Here are a few ways that dependencies can be reduced:

  • Removing unnecessary components: Unnecessary components can increase the attack surface and the complexity of security management. By removing these components, organizations can reduce the number of dependencies and simplify the application architecture.
  • Limiting access to components: Limiting access to components, such as by restricting network access or implementing access controls, can reduce the number of dependencies and minimize the attack surface. For example, by limiting access to a database component to only the components that need to access it, organizations can reduce the number of potential attack vectors.
  • Simplifying interactions between components: Complex interactions between components can increase the risk of security vulnerabilities and make it more difficult to manage security. By simplifying these interactions, organizations can reduce the number of dependencies and improve the overall security of the application.

Strive To Test Everything

Testing all components and interactions represented in the application map is essential to identify security vulnerabilities and ensure that they are addressed. Here are a few reasons why comprehensive testing is important:

  • Prioritize testing efforts: Application mapping provides a roadmap for comprehensive security testing, which can be used to prioritize testing efforts and ensure that all areas of the application are tested. This can help organizations focus their testing efforts on the most critical components and interactions.
  • Identify vulnerabilities: By testing all components and interactions, organizations can identify security vulnerabilities that may otherwise be overlooked. This can include vulnerabilities in the functionality of individual components, the interactions between components, and the security controls that protect them.
  • Address vulnerabilities before exploitation: Comprehensive testing can help organizations identify and remediate security vulnerabilities before they can be exploited. This can reduce the risk of a successful attack and improve the overall security posture of the application.
  • Ensure the security of the entire application: Testing individual components may not be enough to ensure the security of the entire application. By testing everything, organizations can understand how all components and interactions work together and identify potential security vulnerabilities in the overall architecture.

Periodically Update Your Map

Periodically updating your application map is a best practice that helps ensure the security of an application. Regularly updating the map ensures that it remains accurate and up-to-date, which is essential for effective security management. Here are a few reasons why periodic updates are important:

  • Reflect changes in the application: Applications change over time, and regular updates to the map help ensure that these changes are accurately reflected. For example, new components may be added, existing components may be updated, or relationships between components may change. Keeping the map up-to-date helps organizations understand the impact of these changes on the security of the application.
  • Identify new dependencies: As the application evolves, new dependencies may be introduced that need to be recognized and managed. By regularly updating the map, organizations can identify these new dependencies and understand how they impact the security of the application.
  • Stay ahead of threats: Threats to the security of an application are constantly changing, and regular updates to the map help organizations stay ahead of these threats. By understanding how changes in the application and new threats may impact the security of the application, organizations can take proactive steps to mitigate risk.
  • Improve security management: Periodic updates to the application map can help organizations improve the efficiency and effectiveness of security management. By keeping the map up-to-date, organizations can ensure that security efforts are focused on the right areas and that the overall security posture of the application is strong.

Conclusion

In conclusion, application mapping is a powerful tool that can significantly boost the security of applications. By creating a detailed map of the components and interactions within an application, organizations can gain a better understanding of their security posture and identify potential vulnerabilities. 

By following the best practices in this article, organizations can proactively mitigate risk and improve the efficiency and effectiveness of their security management efforts. In today’s increasingly connected and complex technological landscape, the importance of application security cannot be overstated, and application mapping can play a critical role in ensuring the security and protection of sensitive information and data.

Application Security Program Handbook: A guide for software engineers and team leaders

Application Security for Developers

Check out our previous posts on App Security


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Application security


Feb 09 2023

What is Social Engineering? How Does it Work?

Category: social engineering | DISC @ 12:09 am

Social Engineering is a technique used by cybercriminals to exploit human weaknesses. It covers a range of techniques, all of which rely on manipulating human psychology.

Threat actors rely on Social Engineering because it is an easy way to obtain sensitive information from victims. A social engineering attack depends on building trust with the victim so that he or she never suspects anything when giving out personal information such as phone numbers, passwords, or social security numbers.

This technique has proved to be the most successful one when it comes to hacking into an organization’s network. Hackers can disguise themselves as an IT auditor or an external network administrator and easily gain access to a building without raising suspicion. Once they are inside an organization, they use other social engineering techniques to compromise its network.

One of the greatest weaknesses an organization can have is a lack of information security knowledge among its employees. This lack of cybersecurity awareness gives hackers a great advantage in carrying out attacks that cause data breaches in the organization.


Social Engineering Attack Types

Threat actors can use many kinds of social engineering attacks. Some of them are:

1. Phishing
2. Vishing
3. Spoofing
4. Tailgating
5. Quid pro quo
6. Baiting

1. Phishing

Phishing is the simplest and most effective attack a hacker can use to steal credentials such as usernames, passwords, social security numbers, organization secrets, or credit card details. Sometimes phishing is also used to spread malware inside a network. In general, phishing involves social engineering as well as spoofing.

2. Vishing

Vishing is similar to phishing but is carried out by calling the victim and posing as a legitimate caller. Once the victim believes the caller without suspicion, it is easy for the hacker to obtain sensitive information such as the network structure, employee details, or company account details.

3. Spoofing

Spoofing is a type of attack where “what we see looks like the real thing, but it is not”. In terms of cyber security, spoofing is disguising oneself as a legitimate source in order to obtain sensitive information or gain access to something. By spoofing, an attacker can trick us into believing that he is the original source.

4. Tailgating

Tailgating, or piggybacking, is a technique threat actors use to enter an organization’s building. During this attack, the threat actors wait for an employee or other person to enter a place where access for outsiders is restricted, and follow them inside once they have used their access card or key to open the door.

5. Quid pro quo

Quid pro quo is Latin for “a favor for a favor”. In this case, the hacker contacts an employee of a company and offers them a deal: money in exchange for information, or anything else the employee might wish for.

In most cases, money is the main motive. Hackers contact a current or former employee and ask them to hand over sensitive information, such as administrator privileges, an administrator password, the network structure, or any other data they require, in exchange for whatever the employee wants.

Hackers convince employees to give away the information by making a personal deal with them. This is considered one of the more serious threats to an organization because the information is given away intentionally by an employee.

6. Baiting

As the word suggests, hackers create baits such as USB flash drives, CD-ROMs, floppy disks or card readers.

They create folders on the devices with names such as “Projects” or “Revised Payrolls” of the organization and drop them in places (elevators, rest rooms, cafeterias or parking lots) where employees are likely to pick them up.

Once an employee picks up the device and plugs it into their computer, the script on the device runs and gives the hackers full control. This method of social engineering is called baiting.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Baiting, phishing, Quid pro quo, spoofing, tailgating, vishing


Feb 08 2023

Developers Created AI to Generate Police Sketches. Experts Are Horrified

Category: AI | DISC @ 11:56 pm

Police forensics is already plagued by human biases. Experts say AI will make it even worse.

Two developers have used OpenAI’s DALL-E 2 image generation model to create a forensic sketch program that can create “hyper-realistic” police sketches of a suspect based on user inputs. 

The program, called Forensic Sketch AI-rtist, was created by developers Artur Fortunato and Filipe Reynaud as part of a hackathon in December 2022. The developers wrote that the program’s purpose is to cut down the time it usually takes to draw a suspect of a crime, which is “around two to three hours,” according to a presentation uploaded to the internet.

“We haven’t released the product yet, so we don’t have any active users at the moment,” Fortunato and Reynaud told Motherboard in a joint email. “At this stage, we are still trying to validate if this project would be viable to use in a real world scenario or not. For this, we’re planning on reaching out to police departments in order to have input data that we can test this on.”

AI ethicists and researchers told Motherboard that the use of generative AI in police forensics is incredibly dangerous, with the potential to worsen existing racial and gender biases that appear in initial witness descriptions.     

“The problem with traditional forensic sketches is not that they take time to produce (which seems to be the only problem that this AI forensic sketch program is trying to solve). The problem is that any forensic sketch is already subject to human biases and the frailty of human memory,” Jennifer Lynch, the Surveillance Litigation Director of the Electronic Frontier Foundation, told Motherboard. “AI can’t fix those human problems, and this particular program will likely make them worse through its very design.”

The program asks users to provide information either through a template that asks for gender, skin color, eyebrows, nose, beard, age, hair, eyes, and jaw descriptions or through the open description feature, in which users can type any description they have of the suspect. Then, users can click “generate profile,” which sends the descriptions to DALL-E 2 and produces an AI-generated portrait. 

For more details: Developers Created AI to Generate Police Sketches. Experts Are Horrified

https://www.vice.com/en/article/qjk745/ai-police-sketches


Feb 08 2023

Researcher Hacked Toyota’s Global Supplier Portal

Category: Hacking, Vendor Assessment | DISC @ 12:43 pm

The Global Supplier Preparation Information Management System, or GSPIMS, of Toyota, was breached by a security researcher using a backdoor. After 90 days, the hacker dutifully alerted the company about the breach.

The firm’s web platform, known as GSPIMS, enables employees and suppliers to remotely log in and manage the company’s extensive supply chain. It is an Angular single-page application. Based on a license key embedded in the app for AG Grid, it was created by SHI International Corp – USA on behalf of Toyota.

“I discovered what was essentially a backdoor login mechanism in the Toyota GSPIMS website/application that allowed me to log in as any corporate Toyota user or supplier just by knowing their email”, said a security specialist who blogs under the pseudonym EatonWorks.

He eventually found the email address of the system administrator and was able to access their account. He says “I had full control over the entire global system”.

Also, he had complete access to all internal Toyota projects, data, and user accounts, including those of Toyota’s partners and suppliers from outside the company.

On November 3, 2022, Toyota was properly informed of the issues, and by November 23, 2022, the firm had verified they had been resolved.

Specifics of the Toyota Breach

The researcher made the decision to investigate any potential threats concealed behind the login screen.

He had to modify the JavaScript code to get past the login screen. In an Angular application, developers control who can reach particular pages with route guard functions that return true or false in the browser; such checks run on the client and can be patched there.

Patching the Angular functions

The researcher explains that patching the JavaScript alone would only have given full access if the API were improperly secured.

In GSPIMS’ case, no data would load from the API. All the endpoints would return HTTP status 401 – Unauthorized responses due to the missing login cookie.

“Toyota/SHI had seemingly secured their API correctly, and at this point, I was about to write this site off as “probably secure”. I don’t bother reporting single-page-application bypasses unless it also exposes a leaky/improperly secured API”, says the researcher.

Further, the analyst rapidly realized that the service was creating a JSON Web Token (JWT) based on the user’s email address for password-less login. Therefore, someone may create a valid JWT if they were able to guess a genuine email address of a Toyota employee.

“I had discovered a way to generate a valid JWT for any Toyota employee or supplier registered in GSPIMS, completely bypassing the various corporate login flows, which probably also enforce two-factor authentication options”, says the researcher.

Acquiring a valid JWT

Then the researcher was trying to locate a user who had the System Admin position and came across another API endpoint called findByEmail that only required a valid email to return data on a user’s account. Conveniently, this also identifies the managers of the user.

This gave him access to the User Administration section. He poked around more and found users with even higher access, such as Supplier Admin, Global Admin, and finally, System Admin.

A GSPIMS system administrator has access to private data, including 14,000 user profiles, project schedules, supplier rankings, and classified documents.

Internal Toyota documents

The researcher said Toyota prevented what could have been a disastrous leak of information about its partners’ and suppliers’ employees as well. Embarrassing internal remarks and supplier rankings could have been made public.

Because cyberattacks on Toyota and its suppliers have previously occurred, another one was quite likely.

Modern cars: A growing bundle of security vulnerabilities


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Hacked Toyota


Feb 08 2023

How to Use Cloud Access Security Brokers for Data Protection

Category: Cloud computing | DISC @ 11:07 am

A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed.


The cloud access security broker is analogous to a security guard in that it ensures compliance with the rules established by the administrators of the cloud service.

A cloud access security broker is a security solution that enables businesses to protect both their data and their users while they are working in the cloud. It functions as a middleman between an organization’s IT infrastructure and the company’s cloud services, monitoring and limiting access to ensure that security policies are adhered to.

Increasing companies’ utilization of cloud-based services is one of the primary factors contributing to the growing demand for cloud access security brokers. As more and more businesses move their data and applications to the cloud, which is very simple to use and manage, these businesses require a method to secure their assets and protect themselves against potential threats that may arise as a result of services being connected to one another without having a great deal of control over them. 

Cloud access security brokers offer a means to monitor and regulate access to cloud services, thereby guaranteeing that only authorized users can view sensitive data.

[Figure] Cloud Access Security Broker for Data Protection: How It Can Be Achieved (Source: Managed Methods)

Cloud access security brokers can also help enterprises comply with regulations and industry standards such as HIPAA, PCI-DSS, and SOC 2. Furthermore, they produce detailed reporting on data breaches, can encrypt data, and can manage access controls, so the business carries out these procedures in an effective manner. They can therefore be used for cloud data security in a number of ways.

Using Cloud Access Security Brokers for Data Loss Prevention

Once implemented, cloud access security brokers can monitor the resources that have been created or deployed. They can also enforce access restrictions on those resources, which guarantees that only people authorized to access sensitive data can reach it. This not only protects against unauthorized access but also prevents sensitive data from being accidentally deleted.

Performing Data Encryption

Cloud access security broker protects data in a variety of ways, including through the implementation of appropriate access restrictions. Cloud access security brokers have the ability to encrypt sensitive data while it is both at rest and in motion.

If the data is encrypted, then even if someone gains unauthorized access to it or the data itself is stolen, it cannot be read without the appropriate decryption keys. As a result, unauthorized access alone does not expose the data.

Managing proper compliance 

Because cloud access security brokers are responsible for the enforcement of a wide variety of policies, they can be of assistance in achieving various kinds of compliance. Cloud access security brokers are able to assist firms in meeting regulatory requirements and industry standards, such as HIPAA, PCI-DSS, and SOC 2, which may be applicable. 

Cloud access security brokers are essentially reporting and alerting systems that give organizations information about potential security breaches. This enables organizations to take action to secure their data swiftly.

The Four Pillars of a Cloud Access Security Broker

Cloud access security brokers are built on four distinct pillars, each of which not only assists an organization in meeting appropriate data encryption standards but also provides a means by which the users of that organization can be protected. Cloud access security brokers offer visibility into the utilization of cloud services across an entire organization. This visibility includes information about which services are being utilized, who is using them, and the kind of data that is being saved or accessed. This offers an organization a sufficient level of visibility of its resources.

By providing extensive reporting and notifications on potential security breaches, cloud access security brokers are able to assist organizations in meeting regulatory obligations and industry standards.

The prevention of data loss, encryption, access restriction, and activity monitoring are only some of the security measures that can be enforced by cloud access security brokers in order to secure data and users in the cloud. In addition to this, they offer governance capabilities for their customers, such as policy management, incident response, and risk management, to assist businesses in managing and securing their cloud environments.

Conclusion

Cloud access security brokers safeguard cloud data. They monitor and control access to data and applications to secure cloud services. By monitoring and controlling cloud usage, they help enterprises meet regulatory and industry standards.

Cloud access security brokers can identify and mitigate threats to prevent data breaches and other security problems. They also offer encryption, data loss prevention, and threat detection. These solutions benefit all businesses, especially cloud-dependent ones. They should be utilized with firewalls, intrusion detection systems, and antivirus software as part of a holistic security plan.

Cloud Access Security Brokers CASBs

AWS: Getting started with cloud security (Free Course)

Check out our previous posts on Cloud Computing

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: CASBI, CASBs, cloud security


Feb 08 2023

Why Browsers are Essential to the Internet and How Operating Systems are Holding Them Back

Category: Information Security | DISC @ 12:03 am

The Browser Hacker’s Handbook 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services


Feb 06 2023

What is an OSINT Tool – Best OSINT Tools 2023

Category: OSINT | DISC @ 5:30 pm

Open Source Intelligence (OSINT) tools are an invaluable resource for companies, organizations, cybersecurity researchers and students. In this article, we will explore the 15 best OSINT tools that you can use for your investigations and for educational purposes.

OSINT, or Open Source Intelligence, refers to the practice of gathering information from publicly available sources. In the information and digital age, there are countless tools and resources available for OSINT practitioners to use, making it easier than ever to collect and analyze information. Here are the 15 best OSINT tools that you can use for your investigations:

Maltego

Maltego is a powerful and sophisticated OSINT tool for gathering data from public sources. Developed by Paterva, Maltego OSINT allows users to quickly uncover relationships between large amounts of disparate data which can then be used to build intelligence profiles.

With Maltego OSINT, users are able to extract information from multiple online sources using simple graphic representations. This includes the ability to map out social networks, capture contact details and business data, track domain names and IP addresses, uncover digital evidence such as documents or images stored on websites, find related news articles and more.

Furthermore, by automating the process of gathering publicly available data in this way, Maltego OSINT enables users to quickly discover hidden connections that would otherwise remain undetected. Visit the official website of Maltego here.

Shodan

Shodan is a search engine for Internet of Things (IoT) devices and an OSINT tool used to uncover vulnerable and exposed devices connected to the Internet, otherwise known as smart devices.

Shodan was created by John Matherly in 2009 and is considered to be the world’s first computer search engine. Shodan can be used to detect security vulnerabilities on public websites, as well as provide detailed information about each web server it finds.

Shodan has become increasingly popular among cybersecurity and IT security professionals who use it for vulnerability assessment, penetration testing, and network mapping. Shodan also helps them identify insecure services such as misconfigured cloud databases, FTP servers, telnet servers, and SSH servers that are exposed on the internet without authentication or encryption.

Additionally, Shodan provides detailed technical information about each device it finds, including IP address, operating system type, open ports, running software and associated vulnerabilities. That is why Shodan is one of the best OSINT tools out there. Visit the official website of Shodan here.

TheHarvester

TheHarvester is a powerful OSINT tool used to find information related to domains and email addresses. It can be used by security professionals, IT administrators, and hackers alike to collect information from different sources on the internet.

TheHarvester was created as an alternative for doing research on public resources such as search engines, PGP key servers, and social networks. It allows users to quickly gather large amounts of data from sites like Google, Bing, Yahoo!, Dogpile, LinkedIn, Twitter and many more.

All of the gathered data can be exported into several formats such as HTML/XML or even saved as a text file. Additionally, it includes an API that allows users to customize their searches according to their specific needs. Visit the official TheHarvester page on Kali here.

Recon-ng

Recon-ng is an OSINT tool used for reconnaissance and data gathering. It is a full-featured web application that can be used to gather subsets of public information related to a target, such as usernames, names, email addresses, domain names and other relevant details.

Recon-ng has been designed to automate the process of gathering intelligence about a given target as quickly and efficiently as possible. The Recon-ng OSINT tool provides users with access to multiple resources such as Google, Bing, Twitter, Shodan and more.

Because every module is driven from the same console, the data-gathering process is far simpler than querying each source by hand, and results are stored in a local workspace database so that the output of one module can feed the next. Users can quickly collect comprehensive information on a target without manually searching multiple online sources or databases. Visit the official Recon-ng page on Kali here.

Spiderfoot

Spiderfoot is an excellent OSINT tool designed to automate the process of gathering information about a specific target. It gives users quick and easy access to a wide range of data sources.

It is capable of collecting information from over 200 sources, including DNS records, WHOIS information and public resources such as Shodan, VirusTotal, Google and others. Spiderfoot can be used for reconnaissance, investigative research and even threat hunting, allowing users to quickly identify potential threats or exposures in their environment.

The tool works by querying those sources based on the user's input, which can be a domain name, IP address, e-mail address, username or person's name, and by feeding each discovered item back in as a new query. The collected data can then be mapped out into an interactive graph with visual indicators that make the gathered information easier to interpret.

This makes it much easier for security professionals to recognise trends or anomalies in their own external footprint, which helps them detect malicious activity or exposures early on. Visit the official website of Spiderfoot here.

OSINT Framework

OSINT Framework is a website used by security professionals for investigative purposes. It is a curated, categorised directory of free and publicly available tools and sources that can be used to conduct online investigations; it does not collect data itself.

OSINT Framework is organised as a tree of categories such as usernames, email addresses, social networks, domain names, IP addresses, forums and blogs, so that an investigator can quickly find the right resource for each kind of data. Using this framework, security professionals can gather a wealth of information in order to identify potential threats or anomalies on the web.

It points users at specialised search engines and databases such as the Google Hacking Database (GHDB), as well as at other open-source intelligence tools such as Recon-ng, Maltego and Shodan. Visit the official website of OSINT Framework here.

Foca

FOCA (Fingerprinting Organizations with Collected Archives) is a metadata analysis tool used by cybersecurity professionals to fingerprint an organisation from the documents it publishes. It uses search engines such as Google, Bing and DuckDuckGo to locate files such as Microsoft Office documents, PDFs and images on the target's web presence, downloads them and extracts the metadata and hidden information they contain.

From that metadata FOCA builds a picture of the organisation: usernames and e-mail addresses of document authors, software versions, internal paths, printer and server names and internal IP addresses, which together reveal internal infrastructure that was never intentionally exposed.

Findings are grouped by users, folders, printers, software and e-mail addresses, and the results from one document can be correlated with those from others to map the organisation's network. Visit the official GitHub repository of FOCA here.

Metagoofil

Metagoofil is a powerful OSINT tool used for gathering publicly available information about a particular target. It is especially useful for penetration testers, security professionals and researchers who need to collect data from websites in order to perform reconnaissance on their targets.

Metagoofil was developed by Edge Security in 2006 as part of the framework for its security consulting services. The tool queries search engines for public documents (PDF, DOC, XLS, PPT, DOCX, PPTX, XLSX) hosted on the target domain, downloads them and extracts their metadata.

With its easy-to-use command line, Metagoofil quickly surfaces files whose metadata leaks sensitive information such as usernames, e-mail addresses, software versions, server names and internal paths, which can then be used in further attacks or research projects. Visit the official Metagoofil page on Kali here.
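The metadata extraction at the heart of both FOCA and Metagoofil, shown as an added example rather than either tool's own code. It builds two constructed documents in memory (a minimal PDF with an Info dictionary and a minimal .docx with its docProps parts), pulls out the author, last-modified-by, application and company fields, and aggregates the usernames and software versions across documents the way those tools do. The PDF parser handles only literal `(...)` strings, which is an assumption of this example; real PDFs also use hex and escaped strings.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample PDF (not a real file from any target): a single Info
# dictionary with literal-string entries.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Title (Q3 budget) /Author (jdoe) /Creator (Microsoft Word)"
    b" /Producer (Acrobat Distiller 9.0) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)


def build_sample_docx():
    """Constructed .docx: a zip with the two docProps parts Office writes."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
        ' xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:creator>asmith</dc:creator><cp:lastModifiedBy>CORP\\bjones</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>'
        '<Company>Example Corp</Company></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# PDF Info keys -> normalised names (Creator in PDF is the application, not a person)
PDF_FIELDS = {"Title": "title", "Author": "author", "Creator": "application", "Producer": "producer"}
# OOXML docProps elements -> normalised names (dc:creator IS a person)
OOXML_FIELDS = {"creator": "author", "lastModifiedBy": "last_modified_by",
                "Application": "application", "AppVersion": "app_version", "Company": "company"}


def pdf_metadata(data):
    """Toy Info-dictionary reader: literal (...) strings only (assumption)."""
    meta = {}
    for pdf_key, name in PDF_FIELDS.items():
        m = re.search(rb"/" + pdf_key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            meta[name] = m.group(1).decode("latin-1")
    return meta


def ooxml_metadata(data):
    """Read docProps/core.xml and docProps/app.xml from a .docx/.xlsx/.pptx."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)):
                tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
                if tag in OOXML_FIELDS and el.text:
                    meta[OOXML_FIELDS[tag]] = el.text
    return meta


def extract_metadata(data):
    """Dispatch on magic bytes: %PDF for PDF, PK\\x03\\x04 for OOXML zips."""
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    if data.startswith(b"PK\x03\x04"):
        return ooxml_metadata(data)
    return {}


def summarize(documents):
    """Aggregate what an attacker wants across many files: usernames
    (author, last modifier) and software/versions in use."""
    users, software = set(), set()
    for data in documents:
        meta = extract_metadata(data)
        users.update(meta[k] for k in ("author", "last_modified_by") if k in meta)
        software.update(meta[k] for k in ("application", "producer") if k in meta)
    return {"users": sorted(users), "software": sorted(software)}


if __name__ == "__main__":
    print(summarize([SAMPLE_PDF, build_sample_docx()]))
```

Note the `CORP\bjones` value: `lastModifiedBy` routinely leaks the Windows domain name as well as a username, which is exactly the kind of detail that seeds a password-spraying list.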

GHunt

GHunt is a newer OSINT tool that extracts information about a Google account from its Gmail address. The information GHunt can extract includes:

  • Google ID
  • Owner’s name
  • Public photos (P)
  • Phones models (P)
  • Phones firmware
  • Installed software
  • Google Maps reviews
  • Possible physical location
  • Possible YouTube channel
  • Possible other usernames
  • Events from Google Calendar
  • If the account is a Hangouts Bot
  • Last time the profile was edited
  • Activated Google services (YouTube, Photos, Maps, News360, Hangouts, etc.)

Visit GHunt’s GitHub repository here.

Yandex Images

The Russian counterpart to Google, Yandex is extremely popular in Russia and lets users search the internet for images, in addition to a reverse-image search that is remarkably similar to Google's.

A useful option is that images can be filtered by category, which makes searches more specific and accurate.

Tip: In my personal experience, Yandex image search results are far more accurate and in-depth than Google Images. Visit Yandex here.

N2YO.com

N2YO lets you track satellites from afar and is a great tool for space enthusiasts. It features a menu of the most commonly tracked satellites as well as a database where you can run custom queries on parameters such as the Space Command (NORAD) ID, launch date, satellite name and international designator.

You could also set up custom alerts to know about space station events along with a live stream of the International Space Station(ISS)! Visit the official website of N2YO here.

TinEye

TinEye is the original reverse image search engine: submit an image and it reports where that image came from and how it has been used.

Instead of keyword matching, it uses image matching, signature matching, watermark identification and a number of other techniques and databases to find matches for the image.

Visit the official website of TinEye here.

Have I Been Pwned

Have I Been Pwned is an online service that helps people determine whether their personal data has been compromised. Users enter an email address (or phone number) and the service reports which known data breaches it appears in, so they know whether their information has been leaked or stolen in a hack or other incident.

Have I Been Pwned was created in 2013 by Troy Hunt, a Microsoft Regional Director and security expert. The site provides users with detailed information about the source of any breach affecting their personal data, as well as the types of data that may have been leaked. This allows them to take appropriate steps to protect themselves from future attacks.

Have I Been Pwned, or HIBP, currently tracks more than 12 billion accounts across over 600 data breaches, making it one of the most comprehensive databases for checking whether your account details have been exposed online. Visit Have I Been Pwned here.
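HIBP also runs the Pwned Passwords service, whose range API is designed so a password never leaves your machine: only the first five hex characters of its SHA-1 hash are sent, the server returns every matching hash suffix, and the comparison happens locally (k-anonymity). The following is an added example of that client-side logic, not HIBP's own code. The HTTPS request is replaced by a constructed stand-in response so it runs offline; the hash for "password" is real, the counts and other suffixes are made up.

```python
import hashlib

# Constructed stand-in for the body returned by
# GET https://api.pwnedpasswords.com/range/5BAA6 (a few made-up lines; the
# real body lists every suffix seen, one "<35 hex chars>:<count>" per line).
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password")
        "2B9FCC6A74F9D9E7C1D5F0E6A4B8C7D3E2F:1",
    ]),
}


def split_hash(password):
    """SHA-1 the password; only the 5-char prefix is ever sent anywhere."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix):
    """Stand-in for the HTTPS call; swap in urllib/requests for real use."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password, fetch=fetch_range_offline):
    """How many times the password appears in known breaches (0 if unseen).
    The server only ever learns the prefix, so it cannot tell which of the
    hundreds of suffixes in the range the client actually cares about."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2023!"):
        print(pw, "->", pwned_count(pw))
```

A password-policy check that calls this on signup or reset gets breach screening without ever transmitting the password or its full hash, which is the property that makes the service safe to use from production systems.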

Conclusion

In conclusion, OSINT tools are an invaluable resource for anyone looking to stay ahead of the curve in the world of digital intelligence. The 15 Best OSINT tools outlined in this article provide an excellent overview for any user, from the novice to the professional, to get started. By using these tools and understanding their functions, users can empower themselves to become better researchers and find valuable data more quickly.

15 Best OSINT Tools 2023

Check out our previous posts on OSINT

OSINT Techniques: Resources for Uncovering Online Information

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: OSINT Tool


Feb 06 2023

75 Best Android Penetration Testing Tools – 2023

Category: Pen Test,Security ToolsDISC @ 10:56 am

Android penetration testing tools are used by security teams to find vulnerabilities in Android applications.

Here you can find a comprehensive list of mobile penetration testing tools and resources that covers performing penetration testing operations on Android devices.

Android has the largest installed base of any mobile platform and is growing fast every day. Besides, Android is becoming the most widely used operating system in this space for a number of reasons.

Android Security Penetration Testing Tools

Online Analyzers

Following are the online analyzers used to pentest Android applications.

Appray – Dynamic analysis tools for Android and iOS applications
Nowsecure – Complete mobile security testing tool for Android and iOS
AppKnox – Efficient security testing tools for mobile apps

Static Analysis Tools

Androwarn – Detects and warns the user about potential malicious behaviours in an Android application
ApkAnalyser – Virtual analysis tools for Android applications
APKInspector – GUI-based security analysis
DroidLegacy – Pentesting kit
FlowDroid – Static analysis tool
Android Decompiler – Professional reverse engineering toolkit
PSCout – A tool that extracts the permission specification from the Android OS source code using static analysis
Amandroid – Static analysis framework
SmaliSCA – Smali static code analysis
CFGScanDroid – Scans and compares an app's CFG against the CFGs of malicious applications
Madrolyzer – Extracts actionable data like C&C servers, phone numbers etc.
SPARTA – Verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroid – Performs a combination of symbolic and concrete execution of the app
DroidRA – Virtual analysis
RiskInDroid – A tool for calculating the risk of Android apps based on their permissions, with an online demo available
SUPER – Secure, Unified, Powerful and Extensible Rust Android Analyzer
ClassyShark – Standalone binary inspection tool which can browse any Android executable and show important info

Mobile App Vulnerability Scanner Tools

QARK – QARK by LinkedIn is for app developers to scan their apps for security issues
AndroBugs – Android vulnerability analysis system
Nogotofail – Network security testing tool
Devknox – Autocorrect Android security issues as if it were spell check in your IDE
JAADAS – Joint intraprocedural and interprocedural program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala

Dynamic Analysis Tools

Androl4b – A virtual machine for assessing Android applications, reverse engineering and malware analysis
Android Malware Analysis Toolkit – (Linux distro) Earlier it used to be an online analyzer
Mobile-Security-Framework (MobSF) – Mobile Security Framework is an intelligent, all-in-one open-source mobile application (Android/iOS) automated pen-testing framework capable of performing static analysis, dynamic analysis and web API testing
AppUse – Custom build for pentesting
Cobradroid – Custom image for malware analysis
Xposed – Equivalent of doing stub-based code injection but without any modifications to the binary
Inspeckage – Android Package Inspector: dynamic analysis with API hooks, start unexported activities and more (Xposed module)
Android Hooker – Dynamic Java code instrumentation (requires the Substrate framework)
ProbeDroid – Dynamic Java code instrumentation
Android Tamer – Virtual / live platform for Android security professionals
DECAF – Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid – Android extension for the Cuckoo sandbox
Mem – Memory analysis for Android security (root required)
AuditdAndroid – Android port of auditd, no longer under active development
Aurasium – Practical security policy enforcement for Android apps via bytecode rewriting and an in-place reference monitor
Appie – A software package pre-configured to function as an Android pentesting environment. It is completely portable and can be carried on a USB stick or smartphone. It is a one-stop answer for all the tools needed in Android application security assessment and an alternative to existing virtual machines
StaDynA – A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). It combines static and dynamic analysis of Android applications in order to reveal hidden/updated behaviour and extend static analysis results with this information
Vezir Project – Virtual machine for mobile application pentesting and mobile malware analysis
MARA – Mobile Application Reverse engineering and Analysis framework
Taintdroid – Requires AOSP compilation

Reverse Engineering

Smali/Baksmali – APK disassembly/assembly
Androguard – Powerful, integrates well with other tools
Apktool – Really useful for compilation/decompilation (uses smali)
Android OpenDebug – Make any application on the device debuggable (using Cydia Substrate)
Dare – .dex to .class converter
Dex2Jar – dex to jar converter
Enjarify – dex to jar converter from Google
Frida – Inject JavaScript to explore applications, plus a GUI tool for it
Indroid – Thread injection kit
Jad – Java decompiler
JD-GUI – Java decompiler
CFR – Java decompiler
Krakatau – Java decompiler
Procyon – Java decompiler
FernFlower – Java decompiler
Redexer – APK manipulation

Fuzz Testing

IntentFuzzer
Radamsa Fuzzer
Honggfuzz
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
AndroFuzz

App Repackaging Detectors

FSquaDRA – Android security tool for detection of repackaged Android applications based on app resource hash comparison

Market Crawlers

Google play crawler (Java) – Search Android applications on Google Play
Google play crawler (Python) – Browse and download Android apps from Google Play
Google play crawler (Node) – Get app details and download apps from the official Google Play Store
Aptoide downloader (Node) – Download apps from the Aptoide third-party Android market
Appland downloader (Node) – Download apps from the Appland third-party Android market

Misc Tools

smalihook – Decompiler
APK-Downloader – Downloader
AXMLPrinter2 – Converts binary XML files to human-readable XML files
adb autocomplete – Repo downloader
Dalvik opcodes – Registry
Opcodes table for quick reference – Registry
ExploitMe Android Labs – For practice
GoatDroid – For practice
mitmproxy – Intercepting proxy
dockerfile/androguard – Shell environment
Android Vulnerability Test Suite – android-vts scans a device for a set of vulnerabilities
AppMon – An automated framework for monitoring and tampering with system API calls of native macOS, iOS and Android apps. It is based on Frida

ANDROID SECURITY BOOK: 10 Simple Ways Billionaires Secure Their Android Devices

Check out our previous posts on “Security Tools”

Computer Forensics

Building a Cybersecurity Toolkit

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Android Penetration Testing Tools, Android security, Pen testing, Security professionals


Feb 03 2023

Most Important Computer Forensics Tools for 2023

Category: Security ToolsDISC @ 5:10 pm

Computer forensics tools are used by security teams to collect and examine evidence from networks, endpoints and applications, find indicators of compromise and take appropriate mitigation steps.

Here you can find a comprehensive list of computer forensics tools that covers performing forensic analysis and responding to incidents in all environments.

Digital forensics analysis includes the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Collections of Computer Forensics Tools

Computer Forensics Tools

Free Digital Forensic Tools

Distributions – Open Source Forensic Tools

Frameworks

  • dff – Forensic framework
  • IntelMQ – IntelMQ collects and processes security feeds
  • Laika BOSS – Laika is an object scanner and intrusion detection system
  • PowerForensics – PowerForensics is a framework for live disk forensic analysis
  • The Sleuth Kit – Tools for low level forensic analysis
  • turbinia – Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms

Live Network Forensics Tools

  • grr – GRR Rapid Response: remote live forensics for incident response
  • Linux Expl0rer – Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
  • mig – Distributed & real time digital forensics at the speed of the cloud
  • osquery – SQL powered operating system analytics

Imaging

  • dc3dd – Improved version of dd
  • dcfldd – Another improved version of dd (this version has some bugs; a maintained fork is on GitHub at adulau/dcfldd)
  • FTK Imager – Free imaging tool for Windows
  • Guymager – Open source disk imaging tool for Linux systems

Carving

  • bstrings – Improved strings utility
  • bulk_extractor – Extracts information such as e-mail addresses, credit card numbers and histograms from disk images
  • floss – Static analysis tool to automatically deobfuscate strings from malware binaries
  • photorec – File carving tool
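What photorec and bulk_extractor do at the byte level, shown as an added example (it is not either tool's code): scan a raw image for known file headers and footers, carve out the span between them, and separately pull e-mail addresses from anywhere in the image regardless of file boundaries. The "disk image" is constructed inline and includes a JPEG header whose footer has been overwritten, the truncated-file case a carver has to report rather than choke on. The signature table is small by design; a real carver validates structure too.

```python
import re

# (header, footer) byte signatures; real carvers add format-specific checks.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_sample_image():
    """Constructed stand-in for a raw image: padding, a tiny fake JPEG,
    a fake PDF that contains an e-mail address, and a JPEG header with
    no footer (overwritten/truncated file)."""
    return (
        b"\x00" * 16
        + b"\xff\xd8\xff\xe0JFIFfakepixels\xff\xd9"
        + b"\x00" * 8
        + b"%PDF-1.7 sample contents contact root@corp.example %%EOF"
        + b"\x00" * 4
        + b"\xff\xd8\xff\xe1truncated-no-footer"
        + b"\x00" * 8
    )


def carve(data, max_len=10 * 1024 * 1024):
    """Return (kind, start, end) for every header found, ordered by offset.
    end is None when no footer follows within max_len bytes."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            end = data.find(footer, start + len(header), start + max_len)
            if end == -1:
                found.append((kind, start, None))   # header only: truncated
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((kind, start, end))
            pos = end
    return sorted(found, key=lambda f: f[1])


def carved_bytes(data, entry):
    """Slice one carved object out of the image (whole file if footer found)."""
    kind, start, end = entry
    return data[start:end] if end is not None else data[start:]


def carve_emails(data):
    """bulk_extractor-style: e-mail addresses anywhere, file system ignored."""
    return sorted({m.decode("ascii", "replace") for m in EMAIL_RE.findall(data)})


if __name__ == "__main__":
    image = build_sample_image()
    for entry in carve(image):
        print(entry, len(carved_bytes(image, entry)), "bytes")
    print(carve_emails(image))
```

Carving works on deleted and unallocated data because it never consults the file system, which is also why every hit needs validation: a header-only result like the last JPEG above is a lead, not a recovered file.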

Memory Forensics Tools

  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • KeeFarce – Extract KeePass passwords from memory
  • Rekall – Memory analysis framework, forked from Volatility in 2013
  • volatility – Advanced memory forensics framework
  • VolUtility – Web interface for the Volatility memory analysis framework
  • BlackLight – Windows/MacOS Computer Forensics tools client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Network Forensics Tools

  • SiLK Tools – SiLK is a suite of network traffic collection and analysis tools
  • Wireshark – The network traffic analysis tool
  • NetLytics – Analytics platform to process network data on Spark.

Windows Artifacts

OS X Forensics

Internet Artifacts

  • chrome-url-dumper – Dump all locally stored information collected by Chrome
  • hindsight – Internet history forensics for Google Chrome/Chromium

Timeline Analysis

  • DFTimewolf – Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
  • plaso – Extract timestamps from various files and aggregate them
  • timesketch – Collaborative forensic timeline analysis

Disk Image Handling

  • aff4 – AFF4 is an alternative, fast file format
  • imagemounter – Command line utility and Python package to ease the (un)mounting of forensic disk images
  • libewf – Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
  • xmount – Convert between different disk image formats

Decryption

Learn Forensics

Forensic CTFs Tools

There are many relatively new tools available that have been developed in order to recover and dissect the information.

Tags: Forensics Tools


Feb 03 2023

MAJORITY OF THE RANSOMWARE GANGS USED THIS PACKER TO BYPASS ANTIVIRUS AND ENCRYPT DEVICES

Category: Malware,RansomwareDISC @ 11:02 am

Packers are becoming an increasingly important tool for cybercriminals. On hacker forums a packer is often sold as a “crypter” or advertised as “FUD” (fully undetectable). Its primary function is to wrap malicious code so that antivirus products cannot identify it, which lets malicious actors distribute their malware more widely and with fewer consequences. A commercial packer-as-a-service is payload-agnostic: the same service can wrap many different malicious samples, which opens up a lot of opportunities for cybercriminals. The packer is also transformational: because the wrapper is changed frequently, it keeps evading security products that have learned to detect the previous wrapper.
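A packer hides the payload by compressing or encrypting it and leaving only a small unpacking stub in the clear, which is why signatures for the payload stop matching. The flip side is that compressed or encrypted data is close to random, so byte entropy is one of the cheapest triage signals for "probably packed". The following is an added example, not Check Point's or any vendor's detection logic: it computes Shannon entropy over fixed windows and flags a file when most of it is high-entropy. The samples are constructed (a repetitive text blob standing in for normal code, and a stub followed by deterministic pseudo-random bytes standing in for an encrypted payload); the window size and thresholds are this example's assumptions and must be tuned against real binaries.

```python
import hashlib
import math


def shannon_entropy(data):
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform over all 256 values)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, window=1024, threshold=7.0):
    """(offset, entropy) for each window that looks compressed or encrypted."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def looks_packed(data, window=1024, threshold=7.0, min_fraction=0.5):
    """Heuristic: a large share of the file is high-entropy. Legitimate
    installers and media-heavy binaries will also trip this; treat it as a
    triage signal, not a verdict."""
    n_windows = max(1, len(data) // window)
    return len(high_entropy_regions(data, window, threshold)) / n_windows >= min_fraction


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


# Constructed samples (not real binaries).
STUB = (b"push ebp; mov ebp, esp; decrypt payload then jump to it. " * 40)[:1024]
PLAIN_SAMPLE = (b"This is ordinary program text and data, nothing compressed here. " * 80)[:4096]
PACKED_SAMPLE = STUB + pseudo_random_bytes(3072)   # small clear stub + opaque blob


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, looks_packed(sample), high_entropy_regions(sample))
```

On a real PE you would run this per section rather than over the whole file; a tiny `.text` next to a huge high-entropy data section with a writable, executable memory region is the classic unpacker layout.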

According to Check Point, TrickGate is a good illustration of a robust and resilient packer-as-a-service. It has stayed under the radar of security researchers for years and is continually being improved in a variety of ways.

Although a lot of good research has been done on the packer itself, TrickGate is a master of disguise and has been given a number of different names because of its many different characteristics, including “TrickGate,” “Emotet's packer,” “new loader,” “Loncom,” and “NSIS-based crypter.”

Check Point first observed TrickGate at the end of 2016, when it was being used to spread the Cerber ransomware. Since then the researchers have tracked it continuously and found it used to deliver many kinds of malicious tools, including ransomware, RATs, information stealers, banking trojans and miners. A significant number of APT groups and threat actors routinely use TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and widely distributed malware families have been wrapped by TrickGate, including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla and many more.

Tags: BYPASS ANTIVIRUS AND ENCRYPT DEVICES


Feb 02 2023

HACKERS GAINED ACCESS TO O365 EMAIL ACCOUNTS BY USING OAUTH APPLICATIONS “CERTIFIED” BY MICROSOFT

Category: Email Security,HackingDISC @ 10:57 am

Becoming verified on well-known platforms such as Instagram, Twitter or the Apple App Store has become the standard for determining one's standing in the current online social scene. As users, we trust verified accounts more than those that aren't. In the business sector the situation is exactly the same with third-party OAuth app publishers who have been verified by Microsoft. Unfortunately, threat actors have noticed the significance of verified status in the Microsoft environment as well.

Researchers from Proofpoint found a new malicious third-party OAuth app campaign that used Microsoft's “verified publisher” status, which satisfies some of Microsoft's requirements for distributing OAuth apps, to make users more likely to grant consent when a malicious third-party OAuth app (referred to from here on as an “OAuth app” or a “malicious app”) asks for access to data available through the user's account. The researchers found that the malicious applications had extensive delegated permissions, such as the ability to read emails, change mailbox settings and access files and other data associated with the user's account.

According to Microsoft, an app reaches “verified publisher” status when the “publisher of the app has verified their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration.” (To avoid any confusion, a “verified publisher” has nothing to do with the desktop program Microsoft Publisher, which ships with some Microsoft 365 tiers.)

Microsoft's documentation goes on to clarify that “after the publisher of an app has been verified, a blue verified badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and on other web pages.” Note that when Microsoft discusses third-party OAuth applications, it is referring to apps developed by companies other than the tenant's own; these businesses are called “publishers” in the Microsoft environment.

The researchers identified three malicious applications created by three distinct malicious publishers. The applications targeted the same organisations and are connected to the same malicious infrastructure. Multiple users were observed granting consent to the malicious applications, which put their organisation's environment at risk.

According to the findings of the investigation, the majority of the targets in this campaign appeared to be in the United Kingdom (UK). The compromised accounts belonged to individuals in finance and marketing departments as well as high-profile users such as managers and executives. Proofpoint first observed this particular variant of malicious third-party OAuth applications on December 6th, 2022. In every instance, the dedicated backend infrastructure supporting the applications had been set up only days or weeks before December 6th.

Once a user grants consent, the malicious applications' delegated permissions let the threat actors read and manipulate mailbox resources, calendar events and meeting invitations linked to the compromised account. No further action by the user is needed after that, because the permissions also include “offline access”: the refresh token issued with the grant typically has a long lifetime, in this case more than a year. That gave the threat actors continued access to the compromised account's data and the option of using the account in later BEC attempts or other attacks.
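The combination that made this campaign dangerous (sensitive delegated scopes plus `offline_access`, granted to an app registered only days earlier, with the verified badge doing the persuading) can be turned into a review rule. The following is an added example, not Proofpoint's or Microsoft's code: it scores constructed consent records in a simplified shape whose field names are this example's own (an export from Azure AD or Microsoft Graph would need mapping into it), and it deliberately ignores verified-publisher status as a mitigating factor.

```python
from datetime import date

# Delegated Microsoft Graph scopes that give an app mailbox or file access.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
}

# Constructed consent records (field names are this example's own, not the
# Graph API's); not real tenant data.
SAMPLE_GRANTS = [
    {"app": "Acme Mail Sync", "verified_publisher": True,
     "consent_type": "Principal", "principal": "cfo@example.com",
     "scope": "User.Read Mail.Read MailboxSettings.ReadWrite Files.Read.All offline_access",
     "app_created": "2022-11-30"},
    {"app": "Timesheets", "verified_publisher": True,
     "consent_type": "Principal", "principal": "bob@example.com",
     "scope": "User.Read", "app_created": "2019-03-02"},
    {"app": "Contoso CRM", "verified_publisher": False,
     "consent_type": "AllPrincipals", "principal": None,
     "scope": "User.Read Mail.ReadWrite offline_access", "app_created": "2022-12-01"},
]


def assess(grant, today=date(2023, 1, 15), new_app_days=60):
    """Return the reasons a consent grant deserves a human look (empty if none)."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & SENSITIVE_SCOPES)
    findings = []
    if risky and "offline_access" in scopes:
        # Refresh token means access survives the user closing the session.
        findings.append("persistent access: offline_access with " + ", ".join(risky))
    elif risky:
        findings.append("sensitive scopes: " + ", ".join(risky))
    if grant["consent_type"] == "AllPrincipals" and risky:
        findings.append("tenant-wide consent for sensitive scopes")
    age_days = (today - date.fromisoformat(grant["app_created"])).days
    if risky and age_days <= new_app_days:
        findings.append(f"app registered only {age_days} days ago")
    # verified_publisher is intentionally not consulted: this campaign used
    # verified publishers, so the badge must not lower the score.
    return findings


def triage(grants, **kwargs):
    """Map app name -> findings for every grant."""
    return {g["app"]: assess(g, **kwargs) for g in grants}


if __name__ == "__main__":
    for app, findings in triage(SAMPLE_GRANTS).items():
        print(app, "->", findings or "ok")
```

The practical follow-up for any flagged grant is to revoke the consent and the app's refresh tokens, then restrict user consent to verified apps with low-impact permissions only, with everything else routed through admin consent.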

In addition to the risk of user accounts being hijacked, organisations that are impersonated run the risk of brand abuse. It is very difficult for an organisation in this situation to find out that its name is being used in one of these attacks, because no interaction is required between the entity being impersonated and the malicious verified publisher.

Even when an OAuth third-party app carries Microsoft's verified badge, extreme care is still needed before granting it access. OAuth applications should not be trusted on the basis of verified publisher status alone. Given the sophistication of these attacks, end users are likely to fall for the social engineering involved, so the decision belongs with administrators.


Jan 31 2023

RANSOMWARE investigation OSINT Threathunting

Category: Information Security,OSINT,RansomwareDISC @ 11:43 am

by Joas A Santos

Ransomware Staff Awareness E-learning Course

The Ransomware Threat Landscape

Tags: OSINT, Threathunting


Jan 31 2023

Hackers Exploiting Unpatched Exchange Servers in The Wild

Category: Hacking,Security patchingDISC @ 10:38 am

Microsoft has been strongly encouraging its customers to keep updating their Exchange servers, in addition to taking steps to ensure that the environment remains secured with robust security implementations.

As long as unpatched servers remain unpatched, the number of attacks against them will not diminish. An unpatched on-premises Exchange environment gives threat actors too many opportunities to exfiltrate data and carry out other illegal activities.

Numerous security flaws in Exchange Server have been uncovered in the past two years, leading to widespread exploitation in some cases.

Updating Unpatched Exchange Servers

Microsoft stresses that its mitigations are temporary fixes that may not defend against all variations of an attack, so the security updates it provides must still be installed.

Recent years have seen Exchange Server become an advantageous target for attackers due to numerous security vulnerabilities that have been exploited as zero-day attacks to penetrate systems.

Ensure the protection of your Exchange servers from exploits targeting recognized vulnerabilities by installing the latest cumulative update and the most recent security update that is supported.

The cumulative updates are available for:-

  • CU12 for Exchange Server 2019
  • CU23 for Exchange Server 2016
  • CU23 for Exchange Server 2013

The available security update:-

  • January 2023 SU

Both the cumulative updates and the security updates are cumulative: only the latest CU, and then the latest SU released for that CU, need to be installed.

It’s crucial to run Health Checker post-update installation to identify any manual tasks required by the admin. Using Health Checker, you can access step-by-step guides and articles that provide you with all the information you need.

Recommendations

Here below we have mentioned all the recommendations offered by Microsoft:-

  • Always pay attention to the blog post announcements that Microsoft publishes, to keep informed of known issues and any manual actions Microsoft recommends or requires.
  • Make sure that you always review the FAQ before installing an update.
  • If you are looking for ways to inventory your servers and find out which of them need to be updated, then the Exchange Server Health Checker may help you.
  • Use the Exchange Update Wizard to upgrade your environment by selecting your current and target Cumulative Updates (CU) after determining the required updates.
  • The SetupAssist script can assist you in troubleshooting any errors that may occur during the update installation process.
  • Install any other updates your Exchange server(s) require in order to stay up to date.
  • Update the servers Exchange depends on, such as Active Directory and DNS servers, before installing the Exchange updates.

There is never an end to the amount of security work that needs to be done in order to keep your Exchange environment secure. However, the Exchange Server update process is constantly being reviewed by Microsoft in order to find ways to simplify it and make it more reliable.

Unpatched Exchange Servers

Mastering Windows Server 2019: The complete guide for system administrators to install, manage, and deploy new capabilities with Windows Server 2019

Tags: Unpatched Exchange Servers


Jan 31 2023

HACKER GROUP HACKS IN ISRAELI CHEMICAL FACTORIES

Category: HackingDISC @ 10:28 am

According to reports, a group of hackers has launched a massive cyberattack on Israeli chemical companies operating in the occupied territories. The hackers have warned the companies’ engineers and workers to resign their positions before they suffer severe repercussions as a result of the Tel Aviv regime‘s unrelenting violence against Palestinians.

“Our advice to scientists working in the chemical plants is to quit their job, hunt for a new one, and find sanctuary in a location where we are not present,” the message reads. “Leave their employment. Look for a new one. This is while we have a strong presence anyplace,” the statement sent by the Electronic Quds Force was reported by the Arabic-language television news network RT Arabic.

In addition, the statement said, “We confirm that your job in chemical factories presents a threat to your life; but, we will never hesitate to melt your bodies with chemicals the next time an act of violence is performed against Palestinians.”

Under the guise of apprehending Palestinians whom Tel Aviv considers to be “wanted,” Israeli soldiers conduct raids virtually daily in a variety of localities inside the territory of the West Bank that is now under Israeli occupation. The raids often result in violent clashes between law enforcement and locals.

Israel has significantly stepped up its assaults on Palestinian villages and cities throughout the whole of the territory it occupies during the last several months. As a direct consequence of these assaults, the lives of dozens of Palestinians have been taken, and many more have been taken into custody.

According to the United Nations, 2022 was the deadliest year for Palestinians living in the West Bank in the previous 16 years’ worth of data.

After a group of pro-Palestinian hackers from Bangladesh took the websites of two commercial Israeli ports offline several weeks earlier, the websites of four major ports in the Israeli-occupied territories were taken offline by a massive cyber attack carried out by a group of Iraqi hackers at the end of August of last year.

It was stated by Sabereen News, a Telegram news channel affiliated with the Iraqi Popular Mobilization Units (PMU) or Hashd al-Sha’abi, that a hacking gang calling itself “ALtahrea Team” knocked down the websites of the ports of Jaffa, Haifa, Acre, and Eilat on August 31.

Back on August 8, ALtahrea Team carried out a large cyber assault on hundreds of Israeli websites, one of which was the website of the municipality of the city of Sderot, which is located in the western part of the Negev.

Tags: CHEMICAL FACTORIES HACK


Jan 30 2023

HOW TO FIND ZERO-DAY VULNERABILITIES WITH FUZZ FASTER U FOOL (FFUF): DETAILED FREE FUZZING TOOL TUTORIAL

Category: Information SecurityDISC @ 10:00 am

Today, the specialists of the Cyber Security 360 course of the International Institute of Cyber Security (IICS) show in detail how to use Fuzz Faster U Fool (ffuf), a free and easy-to-use command-line fuzzing tool for web servers.

Created by Twitter user @joohoi, ffuf has been praised by cybersecurity professionals around the world for its advanced capabilities, versatility, and ease of use, making it one of the top choices in fuzzing.

Before going on, as usual, we remind you that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for any misuse of the information contained herein.

INSTALLATION

According to the experts of the Cyber Security 360 course, ffuf runs in a Linux terminal or a Windows command prompt. Installing from source is a single go get; the “-u” flag additionally upgrades an existing installation:

go get -u github.com/ffuf/ffuf

For this example Kali Linux was used, so you will find ffuf in the apt repositories, which allows you to install it with a single command:

apt install ffuf

After installing the program, use the “-h” option to show the help menu:

ffuf -h

ENTRY OPTIONS

These are parameters that help us provide the data needed for a web search of a URL using word lists.

NORMAL ATTACK

For a normal attack, use the parameters “-u” for the target URL and “-w” to load the word list; the keyword FUZZ in the URL marks the position where each word is inserted.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

After you run the command, look at the results:

  • By default ffuf sends HTTP requests using the GET method.
  • The response status code is shown for each hit; by default responses with codes 200, 204, 301, 302, 307, 401, 403 and 405 are reported, and a progress line tracks the attack as it runs.

USING MULTIPLE WORD LISTS

The experts of the Cyber Security 360 course mention that a single word list is not always enough to get the desired results. In these cases, you can apply multiple word lists at the same time, one of the most attractive functions of ffuf. In this example, the program is given two dictionaries (dict.txt:W1 and dns_dict.txt:W2), each bound to its own keyword, which the tool fuzzes at the same time:

ffuf -u https://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2

IGNORE A COMMENT IN A WORD LIST

The default word lists often contain comment lines that can affect the accuracy of the results. In this case, the “-ic” parameter ignores the comments. Also, to remove the tool’s banner, use the “-s” (silent) parameter:

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

With the command above, comment lines from the word list show up in the results. After adding the “-s” and “-ic” parameters, the comments and the banner are gone:

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt -ic -s

EXTENSIONS

It is also possible to search for files with a specific extension on a web server using the “-e” option. All you need to do is give the extension along with the parameter; ffuf appends it to each word from the list:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -e .php

DIFFERENT QUERIES AND MODES

Burp Suite is a professional platform for testing the security of web applications. Its Intruder “cluster bomb” attack type uses multiple payload sets, one per marked position, and tries every combination of them, as the experts of the Cyber Security 360 course explain.

ffuf has several parameters that make it easy to replay such a request. The “-request” parameter takes a raw request file to use in the attack, “-request-proto” sets the protocol (http or https) to send it over, and “-mode” selects the attack mode.

First, random credentials are submitted on the target login page while Burp Suite’s proxy, in interception mode, captures the request.

Now, on the Intercept tab, replace the submitted credentials with the keywords HFUZZ and WFUZZ: HFUZZ goes in the “uname” field and WFUZZ in the “pass” field. Then copy and paste this request into a text file named according to the project; in this case the file was named brute.txt.

Next comes the main attack: “-request” points to the brute.txt file, “-request-proto http” tells ffuf to send it over HTTP, and “-mode clusterbomb” selects the cluster bomb attack. The word lists in question (users.txt and pass.txt) consist of SQL injection payloads. The following command launches the attack:

ffuf -request brute.txt -request-proto http -mode clusterbomb -w users.txt:HFUZZ -w pass.txt:WFUZZ -mc 200

As the results of the attack show, SQL injection payloads were found to be effective against this login form.

MAPPING OPTIONS

If we want ffuf to show only the responses that matter for web fuzzing, we use the matcher parameters. They can match on HTTP status code, line count, word count, response size and regular expressions, mention the experts of the Cyber Security 360 course.

HTTP CODE

To understand this option, run a simple attack and note which HTTP codes appear in the results:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt

It is clear that HTTP 302 and HTTP 200 responses were received.

If you want to see only specific responses, such as HTTP code 200, use the “-mc” parameter with that code. To verify that the parameter works, run the following command:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mc 200

LINE

The “-ml” parameter matches responses with a given number of lines. Specify the line count you are interested in:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ml 15

WORDS

Similarly, you can match responses with a certain number of words. For this, use the “-mw” parameter along with the word count you want to see in the results:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mw 53

SIZE

It is also possible to use the “-ms” parameter with the specific response size (in bytes) you want to see in the results:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ms 2929

REGULAR EXPRESSIONS

This is the last of the matcher options available in ffuf. Here LFI fuzzing is performed by matching the response body against the pattern “root:x” for this dictionary.

A URL that takes a file parameter is used, and the “-mr” parameter defines the string “root:x” to match. This is what the special word list looks like.

Using this word list, we enter the following command, adding the “-mr” parameter to the attack:

ffuf -u http://testphp.vulnweb.com/showimage.php?file=FUZZ -w dict2.txt -mr "root:x"

We received an HTTP 200 response for /etc/passwd from this word list.

FILTERING OPTIONS

Filter options are the exact opposite of the matcher parameters. The experts of the Cyber Security 360 course recommend using them to remove unnecessary responses during web fuzzing. They likewise apply to HTTP code, lines, words, size, and regular expressions.

HTTP CODE

The “-fc” parameter takes the HTTP status code that the user wants to remove from the results:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fc 302

LINE

With the “-fl” parameter, responses with a given number of lines are removed from the results:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fl 26

SIZE

The “-fs” option filters out responses of the size specified by the user:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fs 2929

WORDS

The “-fw” option filters out responses with the given number of words:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fw 83

REGULAR EXPRESSIONS

The “-fr” option filters out responses matching a regular expression. In this case, we exclude the log files from the results:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fr "log"

GENERAL PARAMETERS

Below are the general parameters of this tool, which are completely related to the web fuzzing process.

AUTOMATIC CUSTOM CALIBRATION

Calibration is the process of giving a measuring instrument the information it needs to understand the context in which it will be used. When collecting data, calibrating the tool ensures that the process works accurately, mention the experts of the Cyber Security 360 course.

We can adjust this function to the needs of each case using the “-acc” parameter (custom auto-calibration), which cannot be used without the “-ac” (auto-calibration) parameter:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -acc -ac -fl 26 -ac -fs 2929 -ac -fw 54

COLOR

Sometimes color separation helps identify relevant details in the results. The “-c” parameter colorizes the output by category:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -c

MAXIMUM TASK EXECUTION TIME

If you want to fuzz for a limited period of time, use the “-maxtime” parameter with the chosen number of seconds:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime 5

MAXIMUM TURNAROUND TIME

With the “-maxtime-job” parameter, the user sets a time limit for a single job, limiting the time one task or query may take:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime-job 2

DELAY

With the “-p” parameter, the user adds a small delay between the requests of the attack. According to the experts of the Cyber Security 360 course, this makes the query more efficient and gives clearer results:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -p 1

QUERY SPEED

We can select the request rate needed for each attack using the “-rate” parameter, which takes the number of requests per second:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -rate 500

ERROR FUNCTIONS

Three parameters control error handling. The first, “-se”, stops the attack on spurious errors, i.e. responses indicating that a request was not served as a genuine one. The second, “-sf”, stops the attack when more than 95% of the requests count as errors. The third, “-sa”, is a combination of the two.

In the example shown below, we use the “-se” parameter:

ffuf -u http://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2 -se

VERBOSE MODE

Verbose mode is a feature found in many operating systems that prints additional information about what the computer is doing and which drivers and applications it loads at startup. In programming, this mode provides detailed output for debugging purposes, making it easier to debug the program itself. In ffuf, this mode is enabled with the “-v” parameter:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -v

EXECUTION THREADS

The “-t” parameter sets the number of concurrent threads and so speeds up or slows down the process. By default it is 40; to speed up the process, increase the value:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -t 1000

OUTPUT OPTIONS

We may save the results of an attack in order to keep records, improve readability and find possible links. Use the “-o” parameter to name the output file, and specify its format with the “-of” parameter. For example, to write an HTML report:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o file.html -of html

Once the attack is complete, check whether the output file corresponds to this format or not, mention the experts of the Cyber Security 360 course. As you can see, the file is HTML.

OUTPUT DATA IN CSV FORMAT

Similarly, we can create CSV (comma-separated values) files by giving csv to the “-of” parameter. For example:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o file.csv -of csv

When the attack is complete, check whether the output file corresponds to this format or not. As you can see, the file is a CSV.

DATA OUTPUT IN ALL AVAILABLE FORMATS

Similarly, if you want the output in every format at once, use “-of all”. The available formats are json, ejson, html, md, csv and ecsv:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o output/file -of all

Now, once the attack is complete, you need to check all the files. We can see that they were saved in various formats.

HTTP OPTIONS

Sometimes the fuzzing process requires details such as an HTTP request, cookies, and an HTTP header, mention the experts of the Cyber Security 360 course.

TIME-OUT

This option sets a deadline for each request to complete. The “-timeout” parameter enables it with the number of seconds:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -timeout 5

HOST HEADER

If you want to fuzz subdomains (virtual hosts), use the “-H” parameter to set a Host header whose FUZZ keyword is filled from a word list of candidate names:

ffuf -u https://google.com -w dns_dict.txt -mc 200 -H "Host: FUZZ.google.com"

RECURSION

According to the experts of the Cyber Security 360 course, recursion is a mechanism for reusing objects; when a program calls a function from within that same function, this is called a recursive call. With the “-recursion” parameter, ffuf applies the same idea to its attacks, fuzzing again inside each directory it discovers:

ffuf -u "http://testphp.vulnweb.com/FUZZ/" -w dict.txt -recursion

COOKIE ATTACK

There are times when fuzzing is not effective on a site where authentication is required. In these cases, the “-b” parameter sends the session cookie(s) with every request:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -b "PHPSESSID=7aaaa6d88edcf7cd2ea4e3853ebb8bde"

REPLAY-PROXY

The Intruder feature in the free version of Burp Suite (Community Edition) is rate-limited: the attack slows down a lot, and each new request slows it down even more.

In that case, ffuf does the work and the Burp Suite proxy is used to collect and evaluate the results. First, start the proxy listener on localhost, port 8080.

Now use “-replay-proxy”, which replays the matched requests through the local proxy set up in the previous step on port 8080:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -replay-proxy http://127.0.0.1:8080 -v -mc 200

This attack will show results on two platforms. The first platform is in the Kali Linux terminal and the second is in the “HTTP history” tab in Burp Suite. With the help of various methods, you will be able to better understand the target and analyze the results of the attack.

It is common to compare ffuf with other tools such as dirb or dirbuster. While ffuf can be used for deploying brute-force attacks, its real appeal lies in simplicity.
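On the defensive side, the fuzzing described in this tutorial leaves a distinctive trace in the web server's access log: one client sends a burst of requests to many distinct paths, most answered with 404, and the few 200/301 hits are exactly what the matcher keeps. The detector below is an added example (not part of the IICS tutorial or of ffuf); the log lines, client addresses and thresholds are constructed, and the User-Agent check assumes the tool's default string was not overridden with -H.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def densest_window(timestamps, window_seconds):
    """Largest number of requests (sorted timestamps) inside any window_seconds interval."""
    best, j = 0, 0
    for i, t in enumerate(timestamps):
        while (t - timestamps[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(lines, window_seconds=60, min_burst=20, not_found_ratio=0.7, min_distinct=15):
    """Return {ip: finding} for clients whose traffic looks like wordlist fuzzing.

    The thresholds are constructed starting points, not tuned values. A fuzzer sends a
    burst of many distinct paths, most of which answer 404; the handful of 200/301 hits
    are what the attacker's -mc matcher would have kept, so they are listed for triage.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        total = len(recs)
        burst = densest_window([r["ts"] for r in recs], window_seconds)
        not_found = sum(1 for r in recs if r["status"] == 404)
        distinct = len({r["path"] for r in recs})
        # ffuf's default User-Agent begins with the tool's name; it is trivially changed
        # with -H, so this is only a supporting indicator, never the sole trigger.
        tool_ua = any(r["ua"].startswith("Fuzz Faster U Fool") for r in recs)
        reasons = []
        if burst >= min_burst and distinct >= min_distinct and not_found / total >= not_found_ratio:
            reasons.append("burst of %d distinct paths, %.0f%% answered 404"
                           % (distinct, 100 * not_found / total))
        if tool_ua:
            reasons.append("default ffuf User-Agent")
        if reasons:
            findings[ip] = {
                "requests": total,
                "burst": burst,
                "distinct_paths": distinct,
                "not_found_ratio": round(not_found / total, 2),
                "hits": sorted(r["path"] for r in recs if r["status"] in (200, 301)),
                "reasons": reasons,
            }
    return findings


def sample_log():
    """Constructed access-log lines: one client fuzzing /FUZZ/ and one ordinary visitor."""
    words = ["admin", "backup", "cgi-bin", "config", "css", "data", "db", "dev", "files",
             "images", "includes", "js", "login", "logs", "old", "private", "scripts",
             "secret", "static", "test", "tmp", "upload", "uploads", "vendor"]
    found = {"images": (301, 233), "login": (200, 1532)}  # the only two real paths
    t0 = datetime(2023, 2, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, w in enumerate(words):
        status, size = found.get(w, (404, 275))
        ts = (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append('198.51.100.7 - - [%s] "GET /%s/ HTTP/1.1" %d %d "-" "Fuzz Faster U Fool v1.5.0"'
                     % (ts, w, status, size))
    for i, p in enumerate(["/", "/login/", "/css/site.css"]):
        ts = (t0 + timedelta(seconds=10 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append('203.0.113.5 - - [%s] "GET %s HTTP/1.1" 200 4096 "-" "Mozilla/5.0"' % (ts, p))
    return lines


if __name__ == "__main__":
    for ip, finding in analyze(sample_log()).items():
        print(ip, finding)
```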

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, information technologies, and to know more details about the Cyber Security 360 course

HOW TO DO PROFESSIONAL VULNERABILITY ASSESSMENT ON YOUR WEBSITE FOR FREE USING JUICE SHOP?


Jan 30 2023

HOW TO EASILY SPOOF MAC ADDRESS AUTOMATICALLY AND BE MORE ANONYMOUS

Category: Anonymous,Information Privacy,Information SecurityDISC @ 9:44 am

WHY CHANGE THE MAC ADDRESS?

The MAC address is (or should be) unique to each network interface. If a device has several network interfaces, each of them has its own MAC address. For example, laptops have at least two network interfaces, wired and Wi-Fi, and each has its own MAC address; desktop computers are usually the same. So when we talk about “changing the MAC address”, we need to understand that there are several such addresses. Likewise, each port has its own unique MAC address, and if the device supports wireless networks, each wireless interface (2.4 GHz and 5 GHz) also has its own MAC address.

So, since the MAC address must be unique, it uniquely identifies the network device. And since that network device is part of your computer, it uniquely identifies your computer. Moreover, the MAC address (also called the hardware or physical address) does not change when the operating system changes.

In short, replacing the MAC address is needed so that the device cannot be tracked and identified by its MAC address. But there is a more important reason (than paranoia) to learn about MAC addresses and about methods of spoofing them, or of preventing your system from changing them: user identification can be performed on the basis of MAC addresses when connecting through an Intercepting Portal (Captive Portal). A few words about it: this is a way to force the user to comply with certain conditions before Internet access is provided. You most often encounter Intercepting Portals in public places that provide Internet access via Wi-Fi to an indefinite circle of people but want to identify the user and/or allow access only to persons with credentials. For example, at the airport you may need to confirm your phone number via SMS to access the free Wi-Fi network; a hotel will give you a username and password for Wi-Fi Internet access, which ensures that only hotel customers can use the Wi-Fi service.

Because of how the Intercepting Portal works, user identification is based on MAC addresses. Starting with NetworkManager 1.4.0 (a popular program for managing network connections on Linux), automatic MAC address spoofing is present, and with incorrect settings you may have problems accessing the Internet through an Intercepting Portal. There are also problems with MAC-based filtering configured on the router.

Well, for pentesting experts, of course, there are reasons to change the MAC address: for example, to pretend to be another user and take advantage of their open access to the magical world of the Internet, or to increase anonymity.

Who can see my MAC address?

The MAC address is used to transfer data on the local network, so it is not transmitted when connecting to websites or otherwise accessing the global network. There are exceptions, though: some vulnerabilities let a person who is not on your local network find out your MAC address.

If you connect to the router via the local network, then the router knows your MAC address, but if you open the site on the Internet, the site owner cannot find out your MAC address. 

All devices on the local network can see each other’s MAC addresses (many scanners can collect this data; an example is a local network scan made with arp-scan). The situation is slightly different for wireless interfaces. If you are connected to an access point (router), all the rules of the local network apply: the router and other devices can find out your MAC address. But in addition, anyone within reach of your Wi-Fi signal (from a phone or laptop) can find out your MAC address.

SPOOFING MAC ADDRESSES IN NETWORKMANAGER

NetworkManager may reassign MAC installed by other programs

Starting with NetworkManager 1.4.0, this program supports MAC spoofing and has many different options.

To understand them, a few concepts are needed.

First, network adapters are either:

  • wired (ethernet);
  • wireless (wifi).

For each group, MAC rules are configured separately.

Secondly, a wireless adapter can be in two states:

  • scanning (searching, not connected to a network): controlled by the property wifi.scan-rand-mac-address, which defaults to yes, meaning that an arbitrary MAC address is set during scanning. The other acceptable value is no;
  • connected to a network: controlled by the property wifi.cloned-mac-address, whose default value is preserve.

For the wired interface (set by the property ethernet.cloned-mac-address) and the wireless interface in the connected state (set by the property wifi.cloned-mac-address), the following values (modes) are available:

  • an explicitly specified MAC address (i.e. you can write the desired value, which will be assigned to the network interface)
  • permanent: use the MAC address burned into the device
  • preserve: do not change the device’s MAC address after activation (for example, if the MAC has been changed by another program, the current address is kept)
  • random: generate a random address for each connection
  • stable: similar to random, i.e. a random address is generated for each connection, BUT when connecting to the same network, the same value is generated
  • NULL / not set: the default value, which falls back to the global settings. If no global settings are set, NetworkManager falls back to the value preserve.

If you are trying to change the MAC in other ways and failing, it is entirely possible that NetworkManager, which changes the MAC according to its own rules, is to blame. Since most Linux distributions with a graphical interface have NetworkManager installed and running by default, to solve your problem you must first understand how NetworkManager works and by what rules.

NETWORKMANAGER CONFIGURATION FILES

NetworkManager settings, including those related to MAC, can be made in the file /etc/NetworkManager/NetworkManager.conf or by adding an additional file with the extension .conf to the directory /etc/NetworkManager/conf.d

The second option is highly recommended, since an update of NetworkManager usually replaces the main .conf file, and if you made changes to /etc/NetworkManager/NetworkManager.conf, your settings will be overwritten.

HOW TO MAKE KALI LINUX REPLACE WITH EACH CONNECTION

If you want the MAC address to be replaced with each connection, but the same MAC to be used when connecting to the same network, then create the file /etc/NetworkManager/conf.d/mac.conf:

sudo gedit /etc/NetworkManager/conf.d/mac.conf

Add the lines:

[connection]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable

The lines with ethernet.cloned-mac-address and wifi.cloned-mac-address can be added individually or together.

Check the current values:

ip link

Restart the service:

sudo systemctl restart NetworkManager

Now connect to wired and wireless networks and check the MAC values again.

As you can see, the MAC is replaced for both the wired and wireless interfaces.

As already mentioned, the same addresses are generated for the same networks; if you want different MACs each time, even for the same networks, the lines should look like this:

[connection]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random

HOW TO CONFIGURE AUTOMATIC MAC SPOOFING IN UBUNTU AND LINUX MINT

Ubuntu and Linux Mint ship NetworkManager versions that support automatic MAC configuration. However, if you connect a Wi-Fi card in Ubuntu or Linux Mint, you will see the real MAC. This is because the file /etc/NetworkManager/NetworkManager.conf instructs it not to spoof.

To change this, open the file:

sudo gedit /etc/NetworkManager/NetworkManager.conf

And delete the lines:

[device]
wifi.scan-rand-mac-address=no

or comment them out:

#[device]
#wifi.scan-rand-mac-address=no

or change no to yes:

[device]
wifi.scan-rand-mac-address=yes

And restart NetworkManager:

sudo systemctl restart NetworkManager

Similarly, you can add lines to replace the MAC (these settings create a new address for each connection, but the same address is used when connecting to the same network):

[connection]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable

OTHER WAYS TO CHANGE THE MAC ADDRESS

CHANGE MAC USING IPROUTE2

We will use the program ip, which is included in the iproute2 package.

Let’s start by checking the current MAC address with the command:

ip link show interface_name

Where interface_name is the name of the particular network interface you want to see. If you do not know the name, or want to see all the interfaces, run the command like this:

ip link show

We are interested in the part that follows “link/ether” and represents a 6-byte number. It will look something like this:

link/ether 00:c0:ca:96:cf:cb

The first step in spoofing the MAC address is to bring the interface down. This is done with the command

sudo ip link set dev interface_name down

Where interface_name is replaced with the real name. In my case it is wlan0, so the real command looks like this:

sudo ip link set dev wlan0 down

Next, we proceed to the MAC spoofing itself. You can use any hexadecimal value, but some networks may be configured not to assign IP addresses to clients whose MAC address does not match any known vendor (manufacturer). In these cases, to connect to the network successfully, use the MAC prefix of a real vendor (the first three bytes) and arbitrary values for the remaining three bytes.

To change the MAC, run the command:

sudo ip link set dev interface_name address XX:XX:XX:XX:XX:XX

Where XX:XX:XX:XX:XX:XX is the desired new MAC.

For example, if I want to set the hardware address EC:9B:F3:68:68:28 for my adapter, the command looks like this:

sudo ip link set dev wlan0 address EC:9B:F3:68:68:28

In the last step, we bring the interface back up. This is done with a command of the form:

sudo ip link set dev interface_name up

For my system, the real command is:

sudo ip link set dev wlan0 up

To check that the MAC has really changed, just run the command again:

ip link show interface_name

The value after “link/ether” should be the one you set.

CHANGE MAC WITH MACCHANGER

Another method uses macchanger (also known as GNU MAC Changer). This program offers various functions, such as changing the address so that it matches a particular manufacturer, or randomizing it completely.

Install macchanger: it is usually present in the official repositories, and in Kali Linux it is installed by default.

At the time the MAC is changed, the device must not be in use (connected in any way, or in the up state). To bring the interface down:

sudo ip link set dev interface_name down

For spoofing, you need to specify the name of the interface; in each of the following commands, replace wlan0 with the name of the interface whose MAC you want to change.

To find out the MAC values, run the command with the -s option:

sudo macchanger -s wlan0

Something like this is shown:

Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)

The “Current MAC” line is the address at the moment, and “Permanent MAC” is the constant (real) address.

To spoof the MAC address with a completely arbitrary address (option -r):

sudo macchanger -r wlan0

Roughly the following will be displayed:

Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
New MAC:    be:f7:5a:e7:12:c2 (unknown)

The first two lines were already explained; the “New MAC” line is the new address.

To randomize only the bytes that identify the device, keeping the vendor part of the current MAC address (i.e. if someone checks the MAC address, it will still appear to come from the same vendor), run the command with option -e:

sudo macchanger -e wlan0

To set the MAC address to a specific value, run (option -m):

sudo macchanger -m XX:XX:XX:XX:XX:XX wlan0

Here XX:XX:XX:XX:XX:XX is the MAC you want to change to.

Finally, to return the MAC address to its original, permanent value burned into the hardware (option -p):

sudo macchanger -p wlan0
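The macchanger output shown above and the vendor-prefix rule from the iproute2 section can be checked programmatically from the network owner's side. The script below is an added example, not part of the original article or of macchanger: it parses macchanger -s / -r output, reports whether the active address differs from the permanent one, and inspects the locally-administered bit that NetworkManager's random/stable modes and macchanger -r set by default. The OUI table is a constructed stand-in holding only the vendor prefix shown on this page.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2})(?::[0-9a-f]{2}){5}$", re.I)

# Constructed mini OUI table: only the prefix shown on this page is "known" here.
# A real filter would consult the IEEE OUI registry.
KNOWN_OUI = {"00:c0:ca": "ALFA, INC."}


def parse_mac(mac):
    """Return the six bytes of a colon-separated MAC address, or raise ValueError."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return bytes(int(x, 16) for x in mac.split(":"))


def classify_mac(mac):
    """Inspect the two flag bits of the first octet (IEEE 802 rules).

    bit 1 (0x02): locally administered, i.e. not assigned by a vendor; set by
                  randomized addresses such as macchanger -r output
    bit 0 (0x01): group/multicast, never valid as a host's own unicast address
    """
    b = parse_mac(mac)
    return {
        "oui": mac[:8].lower(),
        "locally_administered": bool(b[0] & 0x02),
        "multicast": bool(b[0] & 0x01),
    }


def parse_macchanger(output):
    """Parse 'Current MAC:', 'Permanent MAC:' and 'New MAC:' lines into {label: mac}."""
    result = {}
    for line in output.splitlines():
        m = re.match(r"\s*(Current|Permanent|New) MAC:\s+(\S+)", line)
        if m:
            result[m.group(1).lower()] = m.group(2).lower()
    return result


def assess(output):
    """From macchanger output, say whether the interface is spoofed and how a
    vendor-prefix filter (as described in the iproute2 section) would treat it."""
    macs = parse_macchanger(output)
    if "permanent" not in macs:
        raise ValueError("no 'Permanent MAC' line in output")
    # after macchanger -r the 'New MAC' line is the one now active
    active = macs.get("new", macs.get("current"))
    info = classify_mac(active)
    return {
        "active": active,
        "spoofed": active != macs["permanent"],
        "locally_administered": info["locally_administered"],
        "vendor": KNOWN_OUI.get(info["oui"]),
        "passes_vendor_filter": info["oui"] in KNOWN_OUI,
    }


# Constructed samples reproducing the two outputs shown in the article.
SAMPLE_BEFORE = """Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)"""

SAMPLE_AFTER = """Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
New MAC:    be:f7:5a:e7:12:c2 (unknown)"""

if __name__ == "__main__":
    print("before:", assess(SAMPLE_BEFORE))
    print("after: ", assess(SAMPLE_AFTER))
```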

CONCLUSION

NetworkManager currently provides a wealth of MAC spoofing capabilities, including changing to a random address or to a specific one. A peculiarity of NetworkManager is the separation of “scanning” and “connected” modes, i.e. you may not see that the settings have taken effect until you connect to a network.

If after changing the MAC you have problems connecting (you cannot connect to wired or wireless networks), this means that connections from a MAC with an unknown vendor (manufacturer) are refused. In that case, use the first three octets (bytes) of any real vendor; the remaining three octets can be arbitrary, as pentesting experts note.

The Art of Mac Malware: The Guide to Analyzing Malicious Software

Tags: ANONYMOUS, Mac Malware, SPOOF MAC ADDRESS


Jan 28 2023

PlugX Malware Sneaks Onto Windows PCs Through USB Devices

Category: Malware,Windows SecurityDISC @ 9:29 am

PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups.

The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise since 95.6% of new malware or their variants in 2022 targeted Windows.

According to Unit 42 researchers, the new variant was detected during an incident response engagement following a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victims’ devices, including the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.

The backdoor was previously used in many high-profile cyberattacks, such as the 2015 U.S. Government Office of Personnel Management (OPM) breach.

The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.

Scope of Infection

The new variant stood out among other malware because it could infect any attached removable USB device, e.g., floppy, flash, thumb drives, and any system the removable device was plugged into later.

So far, no evidence connects the PlugX backdoor or Gootkit to the Black Basta ransomware group, and researchers believe another actor could have deployed them. Moreover, researchers noted that the malware copies all Adobe PDF and Microsoft Word documents from the host and places them in a hidden folder on the USB device, a folder the malware itself creates.


Malware Analysis

Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX is a wormable, second-stage implant. It infects USB devices and stays concealed from the Windows file system view, so the user would not suspect that their USB device is being used to exfiltrate data from their networks.

PlugX’s USB variant is different because it uses a specific Unicode character, the non-breaking space (U+00A0), to hide files on a USB device plugged into a workstation. Windows Explorer renders that character as blank, so the directory appears to have no name at all.

Furthermore, the malware can hide the actor’s files on a removable USB device through a novel technique that works even on the latest Windows OS.

The malware infects the host and copies its malicious code onto any removable device connected to it, hiding the code in a “recycle bin” folder on the drive. Since Windows does not show hidden files by default, the malicious files in that folder are not displayed; surprisingly, they remain invisible even with “show hidden files” enabled. They can be viewed or retrieved only from a Unix-like OS or by mounting the USB device in a forensic tool.
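As an added example (not Unit 42’s tooling), the Python script below does what the last sentence suggests: from a Unix-like host, where Explorer’s hiding does not apply, it walks a mounted USB root and flags directories whose names consist only of invisible characters such as U+00A0, then counts the PDF and Word documents inside them. The sample directory tree is constructed for the demo; the mount path is a placeholder.

```python
import os
import tempfile
import unicodedata
from pathlib import Path
from typing import Dict, List

# Added example, not from the Unit 42 report. The sample tree built in
# build_sample_tree() is constructed; point scan_usb_root() at a real mount
# (e.g. /media/usb, an assumed path) to use it on a suspect drive.

DOC_SUFFIXES = {".pdf", ".doc", ".docx"}


def is_invisible_name(name: str) -> bool:
    """True when every character is a separator (Zs/Zl/Zp) or a format/control
    character (Cf/Cc). U+00A0 is category Zs, so a folder named with it renders
    as a blank name in Explorer."""
    if not name:
        return False
    for ch in name:
        cat = unicodedata.category(ch)
        if not (cat.startswith("Z") or cat in ("Cf", "Cc")):
            return False
    return True


def scan_usb_root(root: str) -> List[Dict]:
    """Report every directory under `root` with an invisible name, the code
    points that make it up, and how many documents it holds."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if is_invisible_name(d):
                full = os.path.join(dirpath, d)
                docs = [p for p in Path(full).rglob("*")
                        if p.is_file() and p.suffix.lower() in DOC_SUFFIXES]
                findings.append({
                    "path": full,
                    "codepoints": [f"U+{ord(c):04X}" for c in d],
                    "documents": len(docs),
                })
    return findings


def build_sample_tree(base: str) -> str:
    """Constructed sample: one benign folder plus one folder named with a
    single U+00A0 holding a copied PDF and DOCX, as the post describes."""
    Path(base, "Photos").mkdir()
    Path(base, "Photos", "holiday.jpg").write_bytes(b"\xff\xd8")
    hidden = Path(base, "\u00a0")
    hidden.mkdir()
    Path(hidden, "report.pdf").write_bytes(b"%PDF-1.4")
    Path(hidden, "contract.docx").write_bytes(b"PK\x03\x04")
    return base


def demo() -> List[Dict]:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_usb_root(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The check is deliberately broader than U+00A0 alone: any name built purely from separator, format or control characters (zero-width spaces, for instance) would hide the same way, so it is flagged too.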

Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats

InfoSec books | InfoSec tools | InfoSec services

Tags: PlugX Malware


Jan 27 2023

New Python Malware Targeting Windows Devices

Category: Malware,PythonDISC @ 10:26 am

The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.

Threat analysis firm Securonix’s cybersecurity researchers have discovered a new malware dubbed PY#RATION allowing attackers to steal sensitive files and log keystrokes from impacted devices.

Malware Distribution Technique

The malware is distributed through a conventional phishing mechanism: the email carries a password-protected ZIP archive. When it is unpacked, two shortcut files posing as images appear, titled front.jpg.lnk and back.jpg.lnk. When launched, they display the front and back of a fake driver’s license.

[Image: Images used in the scam (Credit: Securonix)]

At the same time, the malicious code executes and downloads two further files from the internet, front.txt and back.txt, which are renamed to .bat files and run. The malware disguises itself as the Cortana virtual assistant to maintain persistence on the system.
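As an added example that is not part of the Securonix write-up, the Python triage script below lists a ZIP attachment’s central directory, which stays readable even when the archive is password-protected, and flags double-extension lures such as front.jpg.lnk before anyone opens them. The archive it scans is constructed for the demo.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Added example, not Securonix's code. The ZIP built by build_sample_zip() is
# constructed; real samples are password-protected, but entry names live in
# the unencrypted central directory and are still visible to zipfile.

EXEC_SUFFIXES = {".lnk", ".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1"}
DECOY_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if an entry name is executable on Windows,
    calling out the 'image.ext.lnk' double-extension trick specifically."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in EXEC_SUFFIXES:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_SUFFIXES:
        return f"double extension: looks like .{parts[-2]} but runs as {last}"
    return f"executable content: {last}"


def triage_zip(data: bytes) -> List[Dict]:
    """Scan a ZIP's central directory without extracting or decrypting."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            reason = classify_name(zi.filename)
            if reason:
                findings.append({
                    "name": zi.filename,
                    "encrypted": bool(zi.flag_bits & 0x1),  # general-purpose bit 0
                    "reason": reason,
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure mirroring the campaign: two .lnk files dressed as the
    front and back of an ID photo, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("front.jpg.lnk", b"L\x00\x00\x00")   # .lnk files start with 'L' + 3 NULs
        zf.writestr("back.jpg.lnk", b"L\x00\x00\x00")
        zf.writestr("readme.txt", b"see attached id")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

Because the check is done on names from the central directory, it works on the password-protected archive as delivered; the password only protects the file contents.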

What is PY#RATION

PY#RATION is a Python-based malware that displays a RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.

What sets it apart, however, is its use of WebSocket for both C2 communication and exfiltration, which helps it evade network security solutions and antivirus programs. Using the Socket.IO framework (the python-socketio package, not part of Python’s standard library) for client/server WebSocket communication, the malware receives commands and sends data over a single persistent TCP connection.

Moreover, according to a blog post published by Securonix, the attackers keep using the same C2 address, which the IPVoid reputation checker has yet to flag. Researchers believe the malware is still under active development, as they have seen multiple versions since August 2022. The malware receives instructions from its operators over WebSocket and sends back sensitive data the same way.

Potential Dangers

The Python RAT is packed into a Windows executable with automated packers such as ‘pyinstaller’ and ‘py2exe’, which bundle the interpreter and its libraries and therefore inflate the payload: the first detected version, 1.0, was 14 MB, while the latest, 1.6.0, is 32 MB and contains 1,000+ lines of additional code.

[Image: Infection chain of the PY#RATION Python malware (Credit: Securonix)]

Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.

The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Who’s behind this campaign, the distribution volume, and campaign objectives are still unclear.

Python for Cybersecurity: Using Python for Cyber Offense and Defense



Tags: Python Malware


Jan 26 2023

Cloud Pentesting Cheatsheet

Category: Cheat Sheet,Cloud computing,Pen TestDISC @ 12:09 pm

Cloud Pentesting for Noobs. An introduction to penetration testing… | by Jon Helmus | Medium

Check out our previous posts on Cheat Sheet


Tags: cheat sheet, Cloud Pentesting


Jan 26 2023

ENISA gives out toolbox for creating security awareness programs

Category: Security Awareness,Security ToolsDISC @ 9:33 am

The European Union Agency for Cybersecurity (ENISA) has made available Awareness Raising in a Box (AR-in-a-BOX), a “do it yourself” toolbox to help organizations create and implement a custom security awareness raising program.


The package includes:

  • A guideline on how to build an internal cyber-awareness raising program tailored to employees’ needs
  • A guideline on creating an awareness campaign targeted at external stakeholders
  • A how-to guide on how to select the appropriate tools and channels to best reach the target audience and tips for effective communication in social media
  • Instructions on selecting the right metrics and developing key performance indicators (KPIs) to evaluate the effectiveness of a program or campaign
  • A guide for the development of a communication strategy
  • An awareness raising game, in different versions and styles, for a generic audience and for an audience in the energy sector. It also comes with a guide on how it should be played
  • An awareness raising quiz to test comprehension and retention of key information (e.g., how to create good passwords)

Why security awareness matters

People have become cyber-attackers’ primary attack vector, which means that programs for raising cyber awareness are crucial for an organization’s cybersecurity strategy. The goal of these programs is to promote good cybersecurity practices of employees, managers and executives and improve their cybersecurity behavior.

A lot of advice can be found online on how to upgrade your security awareness efforts and engage your employees with better cybersecurity training, but sometimes organizations don’t know where to start.

AR-in-a-BOX can help them wrap their head around the task and push them towards realization.

“AR-in-a-Box is offered by ENISA to public bodies, operators of essential services, large private companies as well as small and medium ones (SMEs). [It] is dynamic and will be regularly updated and enriched,” the agency noted.

ENISA has previously published helpful materials for cybersecurity awareness campaigns aimed at electricity operators and the healthcare sector.

Check out our previous posts on Security Awareness

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: free cybersecurity tools, Security Awareness

