Cyber Security Tools
Autopsy is an open-source, digital forensic platform, that is capable of analysing all types of mobile devices and digital media, and is produced by an organisation called Basis Tech. It provides a plug-in architecture that allows you to find add-on modules or develop custom modules in Java or Python.
CyberChef is said to be the cyber Swiss army knife. It is a browser-based web application for carry out cyber related tasks including, simple encoding, complex encryption, creating binary and hexdumps, compression, and decompression of data, calculating hashes and checksums, IPv6 and X.509 certificate parsing, changing character encodings, and much more.
CyberChef provides many different operations that can be combined together to perform a larger task, referred to as a recipe, which can be saved for later use.
Nessus, developed by an organisation called Tenable, Inc, is an open-source vulnerability scanner. It is a tool that checks computers to find vulnerabilities that could be exploited. It can be used to check for vulnerabilities that allow unauthorised control or access to sensitive data, misconfigurations, as well as denial of service vulnerabilities and more.
Nessus uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. It works by testing each port on a computer, determining what service it is running, and then testing this service to make sure there are no vulnerabilities in it that could be used by a hacker to carry out a malicious attack.
Scanning and enumeration are two common methods for compiling information about hosts and services on a network. Scanning refers to the use of various tools and techniques to survey a network for active hosts, open ports, and the types of services running on those ports. Enumeration refers to compiling detailed information about the discoveries made using scanning techniques, such as the operating system running on those hosts, the version of software running on its open ports, and even vulnerabilities associated with those versions.
Nmap, short for Network Mapper, is the most popular tool in this area. It is an open-source tool for exploring networks and auditing their security. It can be used to determine what hosts are available on a network, what services the hosts are running, what operating systems they are using, the type of packet filters and firewalls in use, and much more. As well as security auditing, it can also be useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Below is a sample of Nmap commands.
List all the options available with Nmap.
Scan a single IP address.
Scan two IP addresses at the same time.
nmap 192.168.1.1 192.168.2.1
Scan a range of IP addresses.
Scan a web address.
Exclude an IP address from a scan.
nmap -exclude 192.168.1.1
List target IP addresses without completing a scan.
nmap 192.168.1.1-3 -sL
Scan selected TCP ports for a specified IP address.
nmap 192.168.1.1 -p T:21-25,80
Scan selected protocol for a specified IP address.
nmap 192.168.1.1 -p https
OpenSSL is a cryptographic library that contains an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. It is available on numerous platforms including Microsoft Windows, Linux and macOS. It provides functions to generate private keys, along with their associated public keys, manage certificates, and equip client application with encryption and decryption capabilities, allowing for secure communications over computer networks, such as the Internet.
It is possible to check the version of OpenSSL installed on a system at a command prompt as follows.
openssl version –a
The below example uses the RSA asymmetric encryption algorithm to generate a private key, which is placed in a file called 'private.key'.
openssl genpkey -algorithm rsa -out private.key
The public key, corresponding to the private key just created, can then be derived.
openssl rsa -pubout -in private.key -out public.key
Someone else's public key can be used to encrypt a message to them. Here, their public key is contained in 'another-public.key', with the message to be encrypted contained in 'message.txt'. The encrypted message is output to the file 'message.enc'.
openssl pkeyutl -encrypt -inkey another-public.key -pubin -in message.txt -out message.enc
If a message is encrypted with your public key, it can be decrypted with your corresponding private key.
openssl pkeyutil -decrypt -inkey private.key -in message.enc -out message.txt
Here, the private key to decrypt the message is contained in 'private.key', with the encrypted message in 'message.enc'. The file 'message.txt' will contain the decrypted version of the message.
Snort is an open-source, network-based intrusion detection system (IDS) and intrusion prevention system (IPS). It can provide real-time network traffic analysis, enabling the monitoring of suspicious activity, such as attempts to take advantage of software flaws or unauthorised access, as well as analyse packet capture files, for the same types of activity.
A wide range of network-based attacks, such as malware infections, efforts at network reconnaissance, and denial-of-service attacks, to name a few, can be found with Snort. It uses a pre-established set of rules to do this.
Snort can be installed onto a stand-alone Linux based system and is also integrated into popular firewalls such as pfSense, Smoothwall, and OPNsense.
At its simplest, Snort can be started from the command line as follows.
If Snort is launched like this, with no further options specified, it is started in sniffer mode, where it captures network packets and displays the results out to the terminal.
To run Snort in intrusion detection mode, where it analyses network traffic to look for suspicious activity, a configuration file must be specified at start-up.
sudo snort -c /etc/snort/snort.conf
Any issues found will be displayed in the terminal by default. If it is necessary to validate the configuration file, this can be achieved by using the 'T' option.
sudo snort -T -c /etc/snort/snort.conf
Rather than having the results displayed in the terminal, if a directory is specified at start-up, any issues can be output to log files instead by using the 'l' option.
sudo snort -c /etc/snort/snort.conf -l /home/demo/Desktop
This will produce three log files, 'snort.alert.fast', 'snort.log', and 'snort.alert'. The log file 'snort.alert.fast' can be viewed via a normal text editor, such as Nano, Vi, or Mousepad, however, the remaining two files require the use of a package such as 'u2spewfoo' to be read, or any other software that supports the 'unified2' format.
sudo u2spewfoo snort.log
If Snort is required to analyse an existing packet capture file, rather than live traffic, this can be achieved using the 'r' option.
sudo snort -c /etc/snort/snort.conf -r demo.pcap -l /home/demo/Desktop
Wazuh is an open-source Security Incident and Event Management (SIEM) system based on OSSEC and Elastic Stack XDR (eXtended Detection and Response). Systems feed their logs into a SIEM, either directly, or indirectly via a log aggregator, which is sometimes used to reformat the logs into a suitable format. Wazuh then uses this combined log information to find likely security events by searching for Indicators of Compromise (IOC). A web-based dashboard is included to allow security professionals to visually see what is occurring. Information can be filtered as needed for specific purposes.
Wazuh agents installed on endpoints are used to feed information to a central server, providing security information on intrusion detection, file integrity monitoring, compliance checks, vulnerability detection, configuration assessments, and more. For agentless devices, such as firewalls, routers, and switches, log files can be ingested via Syslog, SSH and APIs.
Wireshark is a tool that allows for the inspection of computer networks. It is commonly referred to as a traffic, protocol, or packet analyser. Packet analysis involves the interception of network data, or packets as they are known, for the purposes of deducing their contents, together with the parties involved in the exchange. It is said to be the world’s foremost and widely used network protocol analyser, which is used in both commercial and non-profit organisations, as well as government agencies and educational establishments.
Wireshark is free, open-source software, that runs on a number of different platforms including, Microsoft Windows, Linux and macOS. Some of its features include, live capture of network data, the ability to inspect hundreds of protocols, view and analyse network data through a graphical user interface, as well as decryption support for many protocols and much more.
Wireshark can be used in several different roles. Firstly, network engineers can use it to troubleshoot performance issues with the network. Security analysts can use it to investigate intrusion attempts, or to validate existing security controls. Forensic analysts can utilise Wireshark to gain an insight into security breaches, whilst penetration testers can search for sensitive information to find a way into a target network. These are just a small number of its uses.
Zed Attack Proxy, or ZAP for short, is a penetration testing tool for finding vulnerabilities in web applications. Due to its ease of use, it can be used by security professionals, as well as developers and those involved in functional testing.
ZAP was initially started as a small project by the Open Web Application Security Project (OWASP), however, today it is maintained by a community of individuals from all over the world.
ZAP provides automated vulnerability scans, as well as a set of tools that allow for the discovery of security vulnerabilities manually.