I recently took the CSI course at John Bryce. In it I learned (or refreshed my knowledge of) various hacking techniques, different defensive and offensive tools, and so on. Now, while working on the course's final project, I tried to summarize, at least for myself, the list of tools we learned in the course (plus a few I learned on my own afterwards). Below is the full list (I hope) of all the tools, with a very short explanation and a link for each (I will try to keep expanding and updating this post to describe the tools, how to recognize their activity, and the best countermeasures I have found for them).
Attack:
Scanning:
– Nmap – http://nmap.org/
– DNSRecon (DNS Records enumeration – http://pentestlab.wordpress.com/2012/11/13/dns-reconnaissance-dnsrecon/)
– DirBuster (not taught in the course) – https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
– Responder – LLMNR/NBT-NS poisoner; can also serve a rogue WPAD proxy and capture usernames and password hashes from the clients it poisons (https://github.com/SpiderLabs/Responder)
Code
– .NET Reflector + Reflexil – .NET decompilation and MSIL patching (Reflexil is the Reflector add-in that edits the IL in place)
– Windows Enabler – Enables disabled buttons and controls in Windows dialogs by their window handle
Network:
– Yersinia (http://www.yersinia.net/)
Sql Injection
– sqlmap – http://sqlmap.org/
ARP related
– Ettercap
Cookie Hijacking
– firesheep
SSL stripping
– sslstrip.py – from a man-in-the-middle position, rewrites HTTPS links and redirects into plain HTTP so the victim's browser never negotiates TLS; it does not break the encryption itself, and HSTS defeats it
Web crawling/proxying/brute-forcing/dictionary attacking
– burp
– WPAD (by using Responder.py)
– arachni (http://www.arachni-scanner.com/)
DoS
– Smurf attack – ICMP echo requests whose source IP is spoofed to the victim's address are sent to a network's broadcast address; every host on that network replies to the victim, which is flooded by the amplified traffic
– LAND attack – a SYN packet whose source IP and port are spoofed to equal the victim's own destination IP and port, so a vulnerable stack keeps replying to itself and locks up
– pyloris (a Slowloris-style tool: holds many HTTP connections open with never-completed requests)
– SockStress (TCP state exhaustion, e.g. many connections kept open with a zero window so the server's resources stay pinned)
– R-U-Dead-Yet (RUDY) – slow HTTP POST: declares a large Content-Length and then sends the body one byte at a time
– Rogue DHCP / DHCP spoofing
– thc-ssl-dos-1.4 – SSL DoS (https://www.thc.org/thc-ssl-dos/)
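The Smurf and LAND descriptions above are easy to turn into detection rules. The following is an added example (not code from the post): a small classifier over constructed packet records standing in for decoded pcap data. The field names (`proto`, `src`, `dst`, `sport`, `dport`, `icmp_type`) are this example's own, not a library's.

```python
"""Classifier for Smurf and LAND packet patterns (added example, not from
the post). Packets are constructed dicts standing in for decoded pcap
records; the field names are this example's own, not any library's.
"""
import ipaddress


def is_land(pkt):
    """LAND: source and destination address and port are identical, so the
    victim's reply is addressed to itself."""
    return (pkt["src"] == pkt["dst"]
            and pkt.get("sport") is not None
            and pkt["sport"] == pkt.get("dport"))


def is_smurf_amplifier_request(pkt, local_net):
    """Smurf amplification stage: an ICMP echo request (type 8) addressed to
    the directed-broadcast address of a network we route, from a source
    outside it; every host that answers floods the (spoofed) source."""
    net = ipaddress.ip_network(local_net)
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return (pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8
            and dst == net.broadcast_address and src not in net)


def classify(packets, local_net):
    """Return [(label, claimed_source)] for every packet matching a pattern."""
    findings = []
    for pkt in packets:
        if is_land(pkt):
            findings.append(("LAND", pkt["src"]))
        elif is_smurf_amplifier_request(pkt, local_net):
            findings.append(("SMURF", pkt["src"]))
    return findings


# Constructed packets: one LAND, one Smurf request, two benign.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
     "sport": 139, "dport": 139, "flags": "S"},
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.255", "icmp_type": 8},
    {"proto": "icmp", "src": "192.0.2.20", "dst": "192.0.2.1", "icmp_type": 8},
    {"proto": "tcp", "src": "192.0.2.30", "dst": "192.0.2.40",
     "sport": 51000, "dport": 80, "flags": "S"},
]

if __name__ == "__main__":
    print(classify(SAMPLE_PACKETS, "192.0.2.0/24"))
```

The real fix for both is at the network edge rather than in a detector: drop directed broadcasts at the router (`no ip directed-broadcast` on Cisco IOS) and set `net.ipv4.icmp_echo_ignore_broadcasts=1` on Linux hosts so they cannot be used as Smurf amplifiers, and apply ingress filtering that discards packets arriving on the outside interface with an internal source address, which kills LAND and most other spoofing in one rule.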
XSS
– BeEF (Browser Exploitation Framework – hooks a victim's browser through an injected script and drives it from a control panel)
Password hacking:
– Hydra
– John the ripper
– Cain & Abel
– mimikatz
– pass the hash
– NTLM relay
– cewl.rb (builds a password/word list by crawling a target's web site)
– cupp.py (builds a password list interactively from facts about the target person)
Exploit management
– Metasploit
– Powersploit
– Dot Net Sploit (not taught in the course)
– Veil
All-In-One:
– Metasploit Pro
– Nexpose
Defense:
EMET (Enhanced Mitigation Experience Toolkit) – Microsoft's toolkit that forces exploit mitigations (DEP, ASLR, SEHOP, heap-spray pre-allocation, export-address-table filtering and others) onto chosen applications, so that exploits for memory-corruption bugs fail even before a patch exists; it is not a behaviour-based malware detector – http://support.microsoft.com/kb/2458544
PortKnocking – Technique that keeps a service closed to the outside until a client first sends a secret sequence of connection attempts to predefined (closed) ports; only then does the firewall open the real port for that source address
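To make the port-knocking idea concrete, here is an added example (not code from the post, and not any particular knock daemon) of the state machine such a daemon keeps per source address. It assumes a hypothetical secret sequence, knocks read as (timestamp, source, destination port) tuples from a firewall drop log, and a time window within which the whole sequence must arrive.

```python
"""Port-knock sequence tracker (added example, not code from the post).

Hypothetical assumptions: one secret sequence of closed ports, knocks are
read as (timestamp, source_ip, dst_port) from a firewall drop log, every
knock must hit exactly the next expected port, and the whole sequence must
complete within KNOCK_WINDOW seconds.
"""
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # hypothetical secret sequence
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the sequence


class PortKnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # per source: (index of the next expected knock, time of the first knock)
        self.progress = defaultdict(lambda: (0, None))
        self.opened = set()

    def observe(self, ts, src, port):
        """Feed one knock; return True when src has completed the sequence."""
        idx, start = self.progress[src]
        if start is not None and ts - start > self.window:
            idx, start = 0, None          # too slow: start over
        if port == self.sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
        else:
            # Any out-of-order port resets progress, so a sequential port
            # scan that happens to cross the sequence never opens the door.
            idx, start = 0, None
            if port == self.sequence[0]:
                idx, start = 1, ts
        if idx == len(self.sequence):
            self.opened.add(src)          # a real daemon inserts an allow rule here
            self.progress[src] = (0, None)
            return True
        self.progress[src] = (idx, start)
        return False


def opened_sources(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay a list of (ts, src, port) knocks and return the sources that got in."""
    tracker = PortKnockTracker(sequence, window)
    for ts, src, port in events:
        tracker.observe(ts, src, port)
    return sorted(tracker.opened)


# Constructed firewall-log events for three sources.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 7000), (1.0, "10.0.0.5", 8000), (2.0, "10.0.0.5", 9000),   # correct
    (0.0, "10.0.0.9", 7000), (0.5, "10.0.0.9", 7001),                             # scanner
    (1.0, "10.0.0.9", 8000), (1.5, "10.0.0.9", 9000),
    (0.0, "10.0.0.7", 7000), (20.0, "10.0.0.7", 8000), (21.0, "10.0.0.7", 9000),  # too slow
]

if __name__ == "__main__":
    print(opened_sources(SAMPLE_EVENTS))
```

Two caveats a practitioner should keep in mind: the knock sequence travels in the clear, so anyone sniffing the path can replay it (single-packet authorization schemes that sign each knock exist for exactly this reason), and the opened rule must itself expire, otherwise a source that knocked once stays whitelisted for good. Port knocking hides a service; it does not replace authentication on it.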
Logs Correlation:
– Splunk {+ Prelert Anomaly Detective App} (collects and correlates logs from many sources, e.g. F5, Cisco, VMware, Security Onion, Windows AD, Riverbed Steelhead – http://www.splunk.com/)
Netflow:
– Argus (flow data generation and analysis, a NetFlow-like view of sessions – http://qosient.com/argus/argusnetflow.shtml)
Firewalling:
– pfSense
– iptables + fwbuilder
Kerberos:
– Shorten the lifetime of TGTs and service tickets, so a stolen ticket (pass the ticket) is usable for a shorter time
Pass the hash:
– Restrict the "Access this computer from the network" user right (and deny network logon to local accounts) so that only administrators/help-desk users can log on remotely; a stolen local-account hash is then useless for lateral movement
IPS/IDS:
– Snort
– Ossec
– ModSecurity (web application firewall module for Apache)
Sniffing
– Bro (now Zeek) (session/flow data, extraction and analysis of files crossing the network, etc. – https://www.bro.org/)
Exploits detection
– Microsoft Enhanced Mitigation Experience Toolkit v3.0 (in-memory exploit mitigation per process: DEP/ASLR/SEHOP enforcement, export-address-table filtering, heap-spray pre-allocation; a blocked attempt is written to the event log, which is where the detection value comes from)
Application whitelisting
– Group Policy AppLocker (http://technet.microsoft.com/en-us/library/dd548340(v=ws.10).aspx)
DEP
– Blocks execution of machine code from memory pages marked as data (stack, heap), so injected shellcode faults instead of running
Sandboxing:
– Sandboxie
– Cuckoo Sandbox (the open-source engine behind Malwr)
– Malwr – https://malwr.com/submission/
– Virustotal
– Free web based malware analysis – http://zeltser.com/reverse-malware/automated-malware-analysis.html
Honeypots:
– honeyd (http://www.artifex.co.il/he/?attachment_id=1164)
Events Correlation:
– Access with local accounts to another client/server
– Working in exceptional hours
– DNS requests (many requests from one computer for the same hostname, when the answer should have been cached)
– Multiple logons
– WPAD Responses
– Greater bandwidth per client
– Greater signature hits
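Three of the correlations in the list above (local accounts used over the network, work in exceptional hours, multiple logons by one account) can be expressed over logon events. The following is an added example, not code from the post: it runs over constructed records shaped like the fields of a Windows 4624 event. The domain name, business hours and thresholds are hypothetical parameters.

```python
"""Three of the correlations listed above over constructed logon records
(added example, not from the post). Records mimic the fields of a Windows
4624 event: timestamp, logon type (3 = network, 2 = interactive), account,
account domain, target host. AD_DOMAIN and WORK_HOURS are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

AD_DOMAIN = "CORP"             # hypothetical domain name
WORK_HOURS = range(7, 20)      # 07:00-19:59 is "normal"; timestamps are local time

# Constructed records: (timestamp, logon_type, account, domain, target_host)
LOGONS = [
    ("2023-11-15T08:00:00", 3, "svc_backup", "CORP", "FILE01"),
    ("2023-11-15T09:10:00", 3, "Administrator", "WS-17", "FILE01"),  # local account over the network
    ("2023-11-15T02:30:00", 3, "jdoe", "CORP", "FILE01"),            # off hours
    ("2023-11-15T10:00:00", 3, "jdoe", "CORP", "WS-01"),             # five hosts in 80 seconds
    ("2023-11-15T10:00:20", 3, "jdoe", "CORP", "WS-02"),
    ("2023-11-15T10:00:40", 3, "jdoe", "CORP", "WS-03"),
    ("2023-11-15T10:01:00", 3, "jdoe", "CORP", "WS-04"),
    ("2023-11-15T10:01:20", 3, "jdoe", "CORP", "WS-05"),
    ("2023-11-15T12:00:00", 2, "alice", "CORP", "WS-09"),
]


def local_account_network_logons(records, ad_domain=AD_DOMAIN):
    """Network logons whose account domain is a machine name, not the AD
    domain: the footprint of a reused local administrator (pass the hash)."""
    return [r for r in records if r[1] == 3 and r[3].upper() != ad_domain.upper()]


def off_hours_logons(records, hours=WORK_HOURS):
    """Any logon whose hour of day falls outside the business-hours range."""
    return [r for r in records if datetime.fromisoformat(r[0]).hour not in hours]


def lateral_spread(records, max_hosts=5, window_s=300):
    """Accounts that reached >= max_hosts distinct hosts by network logon
    within any window_s-second span; returns {account: hosts_in_window}."""
    by_account = defaultdict(list)
    for r in sorted(records, key=lambda r: r[0]):
        if r[1] == 3:
            by_account[r[2]].append((datetime.fromisoformat(r[0]), r[4]))
    flagged = {}
    for acct, seq in by_account.items():
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if (t - t0).total_seconds() <= window_s}
            if len(hosts) >= max_hosts:
                flagged[acct] = max(flagged.get(acct, 0), len(hosts))
    return flagged


if __name__ == "__main__":
    print([r[2] for r in local_account_network_logons(LOGONS)])
    print([r[0] for r in off_hours_logons(LOGONS)])
    print(lateral_spread(LOGONS))
```

In a real deployment the same three rules run in the SIEM (Splunk or the ELK stack mentioned in the comments) against forwarded 4624/4625 events; the thresholds are the part to tune, since backup and monitoring service accounts legitimately touch many hosts in a short time and should be excluded by name rather than by raising the limit for everyone.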
Profiling:
– Odd man out
– Number of events
– Value (Bandwidth/Connections) vs time
Assets Detection/Inventory:
– PADS/PRADS + Sguil
Behavior Analysis:
Suspicious behaviors:
– The same client requests the same A record again and again, X times per second (beaconing malware must reach its C&C; a client honouring the record's TTL would ask once and cache the answer)
– Registry (specific keys)
– Services (Installing)
– Bandwidth/Connections vs time
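The repeated-A-record signal appears twice in this post (under Events Correlation and under Suspicious behaviors), so one added example serves both. It is not code from the post: a sliding-window counter over a constructed DNS query log in the form `<epoch> <client> <qtype> <qname>`, flagging (client, name) pairs that exceed a threshold within a short window.

```python
"""Detect clients that re-query the same A record far more often than a
cached answer would require (added example, not from the post). Log lines
are constructed: "<epoch> <client> <qtype> <qname>".
"""
from collections import defaultdict, deque

DNS_LOG = """\
1700000000.0 10.1.1.5 A update.example.com
1700000000.5 10.1.1.5 A update.example.com
1700000001.0 10.1.1.5 A update.example.com
1700000001.5 10.1.1.5 A update.example.com
1700000002.0 10.1.1.5 A update.example.com
1700000002.5 10.1.1.5 A update.example.com
1700000000.0 10.1.1.9 A www.example.org
1700000000.3 10.1.1.9 AAAA www.example.org
1700000030.0 10.1.1.9 A www.example.org
"""


def parse_dns_log(text):
    """Yield (ts, client, qtype, qname) tuples; qname normalised to lower case."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        yield float(ts), client, qtype.upper(), qname.lower().rstrip(".")


def repeated_a_queries(records, threshold=5, window_s=5.0):
    """Sliding-window count per (client, qname); return the pairs whose
    A-record query count within any window_s-second span reached threshold,
    mapped to the highest count seen."""
    recent = defaultdict(deque)
    hits = {}
    for ts, client, qtype, qname in sorted(records):
        if qtype != "A":
            continue
        key = (client, qname)
        dq = recent[key]
        dq.append(ts)
        while dq and ts - dq[0] > window_s:
            dq.popleft()          # drop queries that fell out of the window
        if len(dq) >= threshold:
            hits[key] = max(hits.get(key, 0), len(dq))
    return hits


if __name__ == "__main__":
    for (client, name), n in repeated_a_queries(parse_dns_log(DNS_LOG)).items():
        print(f"{client} asked for {name} {n} times within 5 s")
```

Set the threshold above what a stub resolver that honours the TTL could produce (a 60-second TTL means at most one query per minute per host from a well-behaved client). This only works if the query log is taken on the resolver every client is forced through: a client that talks straight to an external resolver never shows up here, so outbound port 53 should be allowed from the internal resolver only.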
Forensics:
– NetworkMiner – WinForms tool for 'mining' files and data from pcap files
– Xplico – Web based tool for 'mining' files and data from pcap files
– EtherApe – Charts connections over time from pcap file and on live traffic – http://etherape.sourceforge.net/
– Wireshark – Advanced sniffer and packet analyzer
– TcpDump – Basic sniffer that exists in most Linux distributions
– NITROBA Example – http://digitalcorpora.org/corpora/scenarios/nitroba-university-harassment-scenario, http://www.netresec.com/?page=Blog&month=2011-06&post=Solution-to-the-Nitroba-case
– tcpreplay – A tool to replay pcap file to the LAN
– tcpflow – A tool for analyzing the traffic flow – http://www.circlemud.org/jelson/software/tcpflow/
– foremost – Retrieve files from raw data (carving) – http://foremost.sourceforge.net/
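To show what "carving" means in the foremost entry above, here is an added example, not foremost's own code: a header/footer carver over a raw byte blob, using the real PNG and JPEG start and end markers. The blob is constructed inline and contains one complete PNG, one complete JPEG and one JPEG header with no footer (as happens when a file ran off the end of an image).

```python
"""Header/footer file carving over a raw byte blob, the technique foremost
automates (added example, not foremost's code). The signatures are the real
PNG and JPEG markers; the blob is constructed inline.
"""
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_FILE_SIZE = 10 * 1024 * 1024   # stop looking for a footer after this many bytes


def carve(blob, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Return [(kind, offset, data)] for every header whose footer is found
    within max_size bytes; a header without a footer is skipped (a real
    carver would instead emit a truncated file of max_size bytes)."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start == -1:
                break
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1              # no footer: try the next header
                continue
            end += len(footer)
            found.append((kind, start, blob[start:end]))
            pos = end                        # resume after the carved file
    return sorted(found, key=lambda f: f[1])


# Constructed "disk image": zero padding, a PNG, junk, a JPEG, then a JPEG
# whose footer never appears (the file was cut off at the end of the image).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"A" * 20 + b"IEND\xaeB`\x82"
FAKE_JPG = b"\xff\xd8\xff\xe0JFIF" + b"B" * 30 + b"\xff\xd9"
TRUNCATED_JPG = b"\xff\xd8\xff\xe1" + b"C" * 10
BLOB = b"\x00" * 64 + FAKE_PNG + b"junk" * 8 + FAKE_JPG + b"\x00" * 16 + TRUNCATED_JPG

if __name__ == "__main__":
    for kind, offset, data in carve(BLOB):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

The limits of this approach are the limits of foremost itself: it knows nothing about the file system, so a fragmented file comes out as garbage, and a footer that occurs inside the file (a JPEG's embedded thumbnail ends with its own `\xff\xd9`) cuts the carved file short. That is why carved output is validated by opening it, or by comparing hashes against known-good copies, before it is trusted as evidence.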
Tools:
– Ambush (host-based intrusion prevention system – http://www.ambuships.com/details.html)
VPN:
– Microsoft DirectAccess
Hi,
Where did you learn about Splunk and Prelert? In the course?
Hi,
I learned about Splunk in the course... and about its price in real life... it is extremely expensive.
Instead I set up an Elasticsearch, Logstash and Kibana system to get a similar result at no cost. If that interests you, let me know and I will try to go into more detail.
Thanks for the comment,
Yuval.