Attack and defense tools learned in the CSI course (and a few that weren't…)


I recently took part in the CSI course at John Bryce. In this course I learned (or refreshed my knowledge of) various hacking techniques, various defense and attack tools, and so on. Now, while working on the course's final project, I have tried to summarize, at least for myself, the list of tools we learned in the course (plus a few more that I learned on my own afterwards). Below is the full list (I hope) of all the tools, with a very short explanation and a link for each. (I will try to keep expanding and updating this post to give more detail on the various tools, how to detect their activity, and the best ways I have found to deal with them.)

Attack:

Scanning:

– Nmap – http://nmap.org/

– DNSRecon (DNS Records enumeration – http://pentestlab.wordpress.com/2012/11/13/dns-reconnaissance-dnsrecon/)

– DirBuster (not taught in the course) – https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

– Responder – Can also be used to start WPAD proxy or to get passwords/users (https://github.com/SpiderLabs/Responder)

 

Code

– Dot Net Reflector + Reflexil – Dot net reflection and MSIL patching

– Windows Enabler – Enables all disabled buttons in Windows by using the button's handle

 

Network:

– Yersinia (http://www.yersinia.net/)

 

SQL Injection

– sqlmap – http://sqlmap.org/

 

ARP related

– Ettercap

 

Cookie Hijacking

– firesheep

 

SSL Cracking

– sslstrip.py

 

Web crawling/proxying/brute-forcing/dictionary attacking

– burp

– WPAD (By using Responder.py)

– arachni (http://www.arachni-scanner.com/)

 

DoS

– Smurf attack – ICMP packets with the victim's IP as their spoofed source IP are sent to many computers, which in turn send replies back to the victim's computer.

– LAND attack – SYN packets with the victim's IP spoofed as their source cause the victim to reply to itself and lock up.

– pyloris (SlowLoris)

– SockStress

– AreYouDeadYet (R U D Y)

– Rogue DHCP / DHCP Spoofing

– thc-ssl-dos-1.4 – SSL DoS (https://www.thc.org/thc-ssl-dos/)

 

XSS

– BeEF

 

Password hacking:

– Hydra

– John the ripper

– Cain & Abel

– mimikatz

– pass the hash

– ntlm relay

– cewl.rb (Creates passwords list from internet information)

– cupp.py (Creates passwords list interactively)

 

Exploit management

– Metasploit

– Powersploit

– Dot Net Sploit (not taught in the course)

– Veil

 

All-In-One:

– Metasploit Pro

– Nexpose

 

Defense:

EMET (Enhanced Mitigation Experience Toolkit) – Microsoft's toolkit for automatically detecting malware activities based on behaviour analysis – http://support.microsoft.com/kb/2458544

PortKnocking – Technique to allow access from the outside by using a secret port access sequence

 

Logs Correlation:

Splunk {+ Prelert Anomaly Detective App} – Collects and correlates logs from many apps (e.g. F5, Cisco, VMWare, Security Onion, Windows AD, Riverbed Steelhead etc.) – http://www.splunk.com/

 

Netflow:

– Argus (http://qosient.com/argus/argusnetflow.shtml)

 

Firewalling:

– pfSense

– iptables + fwbuilder

 

Kerberos:

– Shorten the time period in which the ticket is valid

 

Pass the hash:

– Enable "Access this computer from the network" policy and block anyone but administrators/HD users

 

IPS/IDS:

– Snort

– Ossec

– Apache ModSecurity

 

Sniffing

– Bro (Session [flow] data, Files analysis on the network, etc. – https://www.bro.org/)

 

Exploits detection

– Microsoft Enhanced Mitigation Experience Toolkit v3.0 (Heuristics based in-memory protection/detection)

 

Application whitelisting

– Group Policy AppLocker (http://technet.microsoft.com/en-us/library/dd548340(v=ws.10).aspx)

 

DEP

– Block requests to execute machine code directly from sections of memory that were designated to contain data

 

Sandboxing:

– Sandboxie

– Cuckoo

– Malwr – https://malwr.com/submission/

– Virustotal

– Free web based malware analysis – http://zeltser.com/reverse-malware/automated-malware-analysis.html

 

Honeypots:

– honeyd (http://www.artifex.co.il/he/?attachment_id=1164)

 

Events Correlation:

– Access with local accounts to another client/server

– Working in exceptional hours

– DNS requests (multiple requests from one computer about the same hostname [Should've been cached])

– Multiple logons

– WPAD Responses

– Greater bandwidth per client

– Greater signature hits

 

Profiling:

– Odd man out

– Number of events

– Value (Bandwidth/Connections) vs time 

 

Assets Detection/Inventory:

– PADS/PRADS + Sguil

 

Behavior Analysis:

Suspicious behaviors:

– The same client requests the same A record again and again X times per second (exploit must communicate with its C&C)

– Registry (specific keys)

– Services (Installing)

– Bandwidth/Connections vs time 

 

Forensics:

– Network Miner – Winforms tool for 'mining' files and data from pcap files

– Xplico – Web based tool for 'mining' files and data from pcap files

– EtherApe – Charts connections over time from pcap file and on live traffic – http://etherape.sourceforge.net/

– Wireshark – Advanced sniffer and packet analyzer

– TcpDump – Basic sniffer that exists in most Linux distributions

– NITROBA Example – http://digitalcorpora.org/corpora/scenarios/nitroba-university-harassment-scenario and http://www.netresec.com/?page=Blog&month=2011-06&post=Solution-to-the-Nitroba-case

– tcpreplay – A tool to replay pcap file to the LAN

– tcpflow – A tool for analyzing the traffic flow – http://www.circlemud.org/jelson/software/tcpflow/

– foremost – Retrieve files from raw data (carving) –  http://foremost.sourceforge.net/

 

Tools:

– Ambush (http://www.ambuships.com/details.html)

 

 

VPN:

– Microsoft DirectAccess

2 comments

  1. Hi,

    I learned about Splunk in the course… and about its price I learned in real life… it is extremely expensive.

    Instead, I set up an Elasticsearch, Logstash and Kibana system to achieve a similar result at no cost. If this interests you, let me know and I will try to go into more detail.

     

    Thanks for the comment,

    Yuval.

    admin
