security tools – HackerTarget.com (Security Vulnerability Scanners and Assessments), feed dated Wed, 09 Jun 2021 01:13:44 +0000

20 Open Source Security Tools for Blue Teams
https://hackertarget.com/10-open-source-security-tools/
Wed, 27 Sep 2017 11:30:15 +0000

20 Essential tools for Blue Teams
 1. Nmap
 2. OpenVAS
 3. OSSEC
 4. Security Onion
 5. Metasploit Framework
 6. OpenSSH
 7. Wireshark
 8. Kali Linux
 9. Nikto
10. Yara
11. Arkime (formerly Moloch)
12. ZEEK (formerly Bro-IDS)
13. Snort
14. OSQuery
15. GRR - Google Rapid Response
16. ClamAV
17. Velociraptor
18. ELK Stack | […]

Highly capable open source security tools are allowing Blue Teams to confront threats head on. Start building your defensive capability with these powerful tools.

The following is an overview of 20 essential security tools that enable defenders to build resilient systems and networks. These open source security tools are effective, well supported, and can provide immediate value.

Nmap
Nmap - map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfigurations and security related information around network services. After you have Nmap installed be sure to look at the features of the included ncat - it's netcat on steroids.
Read More: NMAP Cheat Sheet

OpenVAS
OpenVAS - open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial. Manage all aspects of a security vulnerability management system from web based dashboards. For a fast and easy external scan with OpenVAS try our online OpenVAS scanner.
Read More: Install OpenVAS on Kali and OpenVAS Tutorial and tips

OSSEC
OSSEC - host based intrusion detection system, or HIDS, that is easy to set up and configure. OSSEC has far reaching benefits for both security and operations staff.
Read More: OSSEC Intro and Installation Guide

Security Onion
Security Onion - a network security monitoring distribution that can replace expensive commercial grey boxes with blinking lights. Security Onion is easy to set up and configure. With minimal effort you will start to detect security related events on your network. Detect everything from brute force scanning kids to those nasty APTs.

Metasploit Framework
Metasploit Framework - test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.

OpenSSH
OpenSSH - secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel. Includes scp, providing an easy way to copy files securely. Can be used as a poor man's VPN for open wireless access points (airports, coffee shops): tunnel back through your home computer and the traffic is then secured in transit. Access internal network services through SSH tunnels using only one point of access. From Windows you will probably want PuTTY as a client and WinSCP for copying files. Under Linux just use the command line ssh and scp.
Read More: SSH Examples Tips & Tunnels

Wireshark
Wireshark - view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems. Tcpdump and Tshark are command line alternatives. Wireshark runs on Windows, Linux, FreeBSD or OSX based systems.
Read More: Wireshark Tutorial and cheatsheet and tshark tutorial and filter examples.

Kali Linux
Kali Linux - was built from the foundation of BackTrack Linux. Kali is a security testing Linux distribution based on Debian. It comes prepackaged with hundreds of powerful security testing tools. From Airodump-ng with wireless injection drivers to Metasploit this bundle saves security testers a great deal of time configuring tools.

Nikto
Nikto - a web server testing tool that has been kicking around for over 10 years. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems. It won't find your XSS and SQL web application bugs, but it does find many things that other tools miss.
Read More: Nikto install and tutorial

Yara
Yara is a robust malware research and detection tool with multiple uses. It allows for the creation of custom rules for malware families, which can be text or binary. Useful for incident response and investigations. Yara scans files and directories and can examine running processes.

Arkime (formerly Moloch)
Arkime - packet capture analysis, ninja style. Powered by an Elasticsearch backend, this makes searching through pcaps fast. Has great support for protocol decoding and display of captured data. With a security focus, this is an essential tool for anyone interested in traffic analysis.

ZEEK (formerly Bro IDS)
ZEEK - touts itself as more than an Intrusion Detection System, and it is hard to argue with this statement. The IDS component is powerful, but rather than focusing on signatures as seen in traditional IDS systems, this tool decodes protocols and looks for anomalies within the traffic.
Read More: Bro-IDS install and tutorial

Snort
Snort - a real time traffic analysis and packet logging tool. It can be thought of as a traditional IDS, with detection performed by matching signatures. The project is now managed by Cisco, which uses the technology in its range of SourceFire appliances. An alternative project is the Suricata system, which is a fork of the original Snort source.
Read More: Suricata install and tutorial

OSQuery
OSQuery - monitors a host for changes and is built to be performant from the ground up. This project is cross platform and was started by the Facebook Security Team. It is a powerful agent that can be run on all your systems (Windows, Linux or OSX) providing detailed visibility into anomalies and security related events.

GRR - Google Rapid Response
GRR - Google Rapid Response - a tool developed by Google for security incident response. This Python agent / server combination allows incident response to be performed against a target system remotely.

ClamAV
Running ClamAV on gateway servers (SMTP / HTTP) is a popular solution for companies that lean into the open source world. With a team run out of Cisco Talos, it is no wonder that this software continues to kick goals for organisations of all sizes.
Read more: ClamAV install and tutorial

Velociraptor
Velociraptor - a DFIR framework used for endpoint monitoring, digital forensics, and incident response.
Supports custom detections, collections, and analysis capabilities to be written in queries instead of code. Queries can be shared, which allows security teams to hunt for new threats swiftly. Velociraptor was acquired by Rapid7 in April 2021. At the time of this article Rapid7 indicated there are no plans to make Velociraptor commercial, but it will be embedded into their Insight Platform.

ELK Stack | Elastic Stack
A collection of four open source products: Elasticsearch, Logstash, Beats and Kibana. Use data from any source or format, then search, analyze, and visualize it in real time. Commonly known as the ELK Stack, now known as the Elastic Stack. Alternative options include the open source Graylog or the very popular (commercial) Splunk.

Sigma | SIEM Signatures
Sigma is a standardised format for developing rules to be used in SIEM systems (such as ELK, Graylog, Splunk). It enables researchers and analysts to describe their detection methods and share them with others. Comprehensive rules are available for detection of known threats, and rule development is often closely aligned with MITRE ATT&CK®.

MISP | Threat Intelligence Sharing Platform
MISP is a platform for the collection, processing and distribution of open source threat intelligence feeds: a centralised database of threat intelligence data that you can run to enrich your SIEM and support your analysts. Started in 2011, this project comes out of the Computer Incident Response Center Luxembourg (CIRCL). It is used by security analysts, governments and corporations around the world.

Updated 2021. Open Source Blue Team Security Tools have matured and become increasingly effective and powerful over the past few years. It is a great time to be a defender. Stitch together a few of these tools and develop an advanced defensive capability for your organisation.

16 Offensive Security Tools for SysAdmins
https://hackertarget.com/11-offensive-security-tools/
Tue, 27 Sep 2016 11:44:32 +0000
Security Professionals use Offensive security tools for testing and demonstrating security weaknesses. Systems Administrators and other IT professionals will benefit from having an understanding of the capabilities of these tools. Benefits include preparing systems to defend against these types of attacks and being able to identify the attacks in the case of an incident.

This selection of tools, when utilized by a moderately skilled attacker has the potential to wreak havoc on an organization's network.

If you are interested in testing these tools they are all available to download and use for FREE. Most are open-source with a couple of exceptions. Do not use against systems that you do not have permission to attack. You could end up in jail.

The mitigations listed for each tool are high-level pointers to techniques that a systems administrator should consider for defending against these powerful tools. Further information can be found at the project sites for each of the tools.

While some of the recommendations may appear to be common sense, far too often the basics are overlooked.

Metasploit Framework
Metasploit Framework - an open source tool for exploit development and penetration testing. Metasploit is well known in the security community. Metasploit has exploits for both server and client based attacks, with feature packed communication modules (meterpreter) that make pwning systems fun! The framework now includes Armitage for point and click network exploitation. This is the go-to tool if you want to break into a network or computer system.

Defending against Metasploit:

  • Keep all software updated with the latest security patches.
  • Use strong passwords on all systems.
  • Deploy network services with secure configurations.

Ettercap
Ettercap - a suite of tools for man in the middle attacks (MITM). Once you have initiated a man in the middle attack with Ettercap, use the modules and scripting capabilities to manipulate or inject traffic on the fly. Sniffing data and passwords are just the beginning; inject to exploit FTW!

Defending against Ettercap:

  • Understand that ARP poisoning is not difficult in a typical switched network.
  • Lock down network ports.
  • Use secure switch configurations and NAC if risk is sufficient.

sslstrip
sslstrip - using HTTPS makes people feel warm, fuzzy, and secure. With sslstrip, this security can be attacked, reducing the connection to an unencrypted HTTP session whereby all the traffic is readable. Banking details, passwords, and emails from your boss, all in the clear. It even includes a nifty feature where the favicon on the unencrypted connection is replaced with a padlock, just to make the user keep that warm fuzzy feeling.

Defending against sslstrip:

  • Be aware of the possibility of MITM attacks (arp, proxies / gateway, wireless).
  • Look for sudden protocol changes in the browser address bar. Not really a technical mitigation!

Evilgrade
evilgrade - another man in the middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility fakes the upgrade and provides the user with a not so good update. Can exploit the upgrade functionality on around 63 pieces of software including Opera, Notepad++, VMware, VirtualBox, iTunes, QuickTime and Winamp! It really whips the llama's ass!

Defending against evilgrade:

  • Be aware of the possibility of MITM attacks (arp attacks, proxy / gateway, wireless).
  • Only perform updates to your system or applications on a trusted network.

Social Engineer Toolkit
Social Engineer Toolkit - makes creating a social engineered client side attack way too easy. Creates the spear phish, sends the email and serves the malicious exploit. SET is the open source client side attack weapon of choice.

Defending against SET:

  • User awareness training around spear phishing attacks.
  • Strong Email and Web filtering controls.

sqlmap
sqlmap - SQL injection is an attack vector that has been around for over 10 years, yet it is still the easiest way to get dumps of entire databases of information. sqlmap is not only a highly accurate tool for detecting SQL injection, but also has the capability to dump information from the database, and even to launch attacks that can result in operating system shell access on the vulnerable system.

Defending against sqlmap:

  • Filter all input on dynamic websites (secure the web applications).
  • Use mod_proxy or other web based filtering controls to help block malicious injection attacks (not ideal, as attackers are often able to bypass these web application firewalls (WAFs)).

Aircrack-ng
aircrack-ng - breaking holes in wireless networks for fun and profit. A suite of tools that enables all manner of wireless network attacks.

Defending against aircrack-ng:

  • Never use WEP.
  • When using WPA2 with pre-shared keys, ensure passwords are strong (10+ characters, non-dictionary based passwords).

oclHashcat
oclHashcat - need to get some passwords from the hashes you grabbed with sqlmap? Use this tool to bust them open. Over 48 different hashing algorithms are supported. It will use the GPU (if supported) on your graphics card to find those hashes many times faster than your clunky old CPU.

Defending against oclHashcat:

  • Passwords are the weakest link. Enforce password complexity.
  • Protect the hashed passwords.
  • Salt the hashes.

ncrack
ncrack - brute force network passwords with this tool from Fyodor, the creator of Nmap. Passwords are the weakest link, and ncrack makes it easy to brute force passwords for RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.

Defending against ncrack:

  • Use strong passwords everywhere.
  • Implement time based lockouts on network service password failures.

Cain and Abel
Cain and Abel - cracking passwords, sniffing VoIP and Man in the Middle (MITM) attacks against RDP are just a few examples of the many features of this Windows only tool.

Defending against Cain and Abel:

  • Be aware of the possibility of MITM attacks (arp attacks, untrusted proxy / gateway, wireless).
  • Use strong passwords everywhere.

Tor Network
Tor - push your traffic through this onion network that is designed to provide anonymity to the user. Note that your traffic from the exit node is not encrypted or secured. Make sure you understand what it does before using it; Tor provides anonymity, not encrypted communication.

Defending against Tor:

  • It is possible to implement blocking of Tor exit nodes on your firewall, if Tor traffic is linked to a threat to your environment.

Binwalk
Binwalk - a fast way to analyse firmware images. Using binwalk you are able to extract files, identify compression, extract compressed files, and search binaries for strings. For an attacker it helps in the search for hard coded passwords, API keys, and other key pieces of information in firmware images.

Defending against Binwalk:

  • Don't leave plain text hard coded passwords, API keys and other back doors in your firmware.

Cobalt Strike
Cobalt Strike (Commercial) - billed as software for adversary simulations and red team operations. It is essentially an exploitation tool such as Metasploit, but with a focus on lateral movement (tunnelling commands through multiple pivot points) and C2 (command and control). Check out the videos for interesting examples of Cobalt Strike in use.

Defending against Cobalt Strike:

  • Advanced attackers need to be discovered by advanced blue teams, with solid network analysis capabilities and well defended networks.

Canvas - Immunity
Canvas (Commercial) - another exploitation framework with advanced capabilities for pivoting and lateral movement. Can be used with another Immunity product, Innuendo, that is billed as a post compromise implant framework. With these tools an attacker can simulate an advanced adversary from initial compromise all the way to persistent network access and data exfiltration.

Defending against Canvas:

  • Similar to Cobalt Strike, you will need to have your house in order as a blue team to detect an attacker using these tools.

Mimikatz
Mimikatz - a well known tool to extract passwords and NTLM hashes from Windows memory. This tool will be used by an attacker once they are able to execute code on the system.

Defending against Mimikatz:

  • There are a number of tweaks that can be made to Windows Local Security Policy and Active Directory to limit the effectiveness of Mimikatz. Like many things in infosec, these techniques often come down to an arms race between the attacker and the defenders.

Zmap & Masscan
Zmap & masscan - when it comes to port scanners, the one at the top is no doubt Nmap; it is a utility that everyone should have available. For large scale scanning, Zmap and masscan are two newer tools that are crazy fast, capable of scanning the whole IPv4 Internet quickly.

Defending against Zmap & Masscan:

If you are interested in testing these offensive security tools, take a look at the Kali Linux distribution. It includes many of these and other tools pre-installed.

These tools are used by security professionals around the world to demonstrate security weakness.

Updated 11th December 2018. Now includes 16 offensive security tools.

Warning
Only experiment on your local network where you have permission. Do not do anything stupid. You could end up in jail.

Enable OSSEC Active Response
https://hackertarget.com/enable-ossec-active-response/
Tue, 06 Sep 2016 10:46:57 +0000
Many OSSEC users start with Active response disabled to ensure the OSSEC agent does not affect the server, especially when running in a live production environment. However, once you have an understanding of the number and types of alerts you are seeing, it is a good idea to enable Active response.

Blocking is the next step in defense

The advantages of running OSSEC on your servers are pretty obvious, especially when you start to get a few alerts, even if they are false positives. OSSEC is a quick and easy way to ensure any "interesting" changes or security events are noticed by sending an email to the configured email address. Blocking is the next step in defense. If services are being brute-forced, then you can block an IP address that is performing the brute force.

An important part of any monitoring system is to minimize the noise an admin or analyst is subjected to. Reducing the noise ensures legitimate alerts are noticed and followed up for analysis.

Setting up Active response

After configuring OSSEC in a default configuration with Active response disabled, you need to enable it by modifying two sets of configuration parameters in the /var/ossec/etc/ossec.conf file.

Add command block

Add a command block to /var/ossec/etc/ossec.conf. This gives a name to the executable that you are going to run (typically located in /var/ossec/active-response/).

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

Rules and alert levels

Enable Active response on specific rules or all rules above a certain alert level.

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <agent_id>001</agent_id>
    <location>local</location>
    <rules_id>31510</rules_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

Rather than naming a specific rule in the Active response block, omit rules_id and every rule that fires above level 8 with a source IP will be blocked by the firewall-drop script (using iptables) for 600 seconds (10 minutes). Note that the command block must appear earlier in ossec.conf than the active-response block.

Verify

To see how effective your Active response is, take a look at /var/ossec/logs/active-responses.log. Here is a snippet of one of my logs. All the noisy bots are being blocked. Alerts for this noise no longer appear in my inbox as they are quietly blocked.

Sun Aug 14 11:55:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 192.1xx.250.89 1471175704.407764 31510
Sun Aug 14 12:05:34 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.1xx.250.89 1471175704.407764 31510
Sun Aug 14 14:34:25 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 103.255.xx.69 1471185265.450999 31153
Sun Aug 14 14:44:55 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 103.2xx.15.69 1471185265.450999 31153
Mon Aug 15 23:16:49 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 82.166.1xx.x4 1471303009.783488 31510
Mon Aug 15 23:27:19 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 82.1xx.1x9.94 1471303009.783488 31510
Tue Aug 16 11:43:14 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 91.200.1x.x47 1471347794.946259 31510
Tue Aug 16 11:53:45 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 91.20x.xx2.47 1471347794.946259 31510
Tue Aug 16 11:53:47 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 91.20x.xx.47 1471348427.992693 31510
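Reading the log by eye works for a handful of lines, but a quick summary is more useful once blocks fire daily. The following POSIX shell helper is an added example, not part of the original post: it reads active-responses.log in the field layout shown above (date, script, action, user, srcip, alert timestamp, rule id) and reports how many blocks were applied, which source address was blocked most, and which adds have no matching delete (a block that has not expired, or a timeout that never ran). The sample log embedded in it is constructed for the example and uses RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the HackerTarget post or the OSSEC project):
# summarise an OSSEC active-responses.log to verify that Active response
# is firing and that blocks expire. Each log line has the shape
#   <day> <mon> <dd> <hh:mm:ss> <tz> <yyyy> <script> <action> <user> <srcip> <alert-ts> <rule-id>
# so awk fields 8, 10, 11 and 12 are action, srcip, alert timestamp and rule id.

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG='Sun Aug 14 11:55:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1471175704.407764 31510
Sun Aug 14 12:05:34 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1471175704.407764 31510
Sun Aug 14 14:34:25 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1471185265.450999 31153
Sun Aug 14 14:44:55 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.9 1471185265.450999 31153
Tue Aug 16 11:43:14 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1471347794.946259 31510
Tue Aug 16 11:53:45 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1471347794.946259 31510
Tue Aug 16 11:53:47 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1471348427.992693 31510'

# Every function reads the log from the file(s) given as arguments, or
# from stdin when called without arguments.

# count_blocks: number of "add" actions, i.e. blocks that were applied.
count_blocks() {
    awk '$8 == "add" { n++ } END { print n+0 }' "$@"
}

# blocks_by_rule: "<rule-id> <count>" per rule, most frequent first.
blocks_by_rule() {
    awk '$8 == "add" { c[$12]++ } END { for (r in c) print r, c[r] }' "$@" \
        | sort -k2,2nr
}

# top_blocked: the source IP with the most blocks, as "<ip> <count>".
top_blocked() {
    awk 'BEGIN { best = 0 }
         $8 == "add" { c[$10]++ }
         END { for (ip in c) if (c[ip] > best) { best = c[ip]; top = ip }
               print top, best }' "$@"
}

# still_blocked: IPs whose "add" has no matching "delete". OSSEC passes
# the same srcip and alert timestamp to both calls, so pair on that key.
still_blocked() {
    awk '$8 == "add"    { open[$10 " " $11] = $10 }
         $8 == "delete" { delete open[$10 " " $11] }
         END { for (k in open) print open[k] }' "$@" | sort -u
}

# Run against the constructed sample when executed directly.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_blocks
    printf '%s\n' "$SAMPLE_LOG" | blocks_by_rule
    printf '%s\n' "$SAMPLE_LOG" | top_blocked
    printf '%s\n' "$SAMPLE_LOG" | still_blocked
fi
```

On a real host, call the functions with the log path, for example `still_blocked /var/ossec/logs/active-responses.log`; an address that stays in that list long after the configured timeout is worth checking against the firewall rules, since it means the delete step did not run.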

Custom Active Response Rules

Over on the SANS ISC Blog there is an excellent example of using Active Response to launch tcpdump upon the triggering of a rule.

In that example, when an alert condition is met, tcpdump is launched to capture packets from the host that triggered the alert for 10 minutes. One use of this is to capture web attack payloads from bots and random hosts when you do not wish to capture all the web traffic. As web attacks are detected, tcpdump automatically starts collecting packets. Of course, you will miss the initial request that triggered the alert, but any subsequent traffic is collected.

It is possible to apply the same methodology to launch any command or script on your host. The possibilities are wide-ranging and only limited by your imagination.
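Whatever the script launches, it receives the alert's source IP as a command line argument, so the one thing every custom active-response script should do before building a command from it is check that the value is actually an address. The following skeleton is an added example, not the SANS ISC script or code from the OSSEC project: it accepts the argument order that the log above shows OSSEC using (action, user, srcip, alert timestamp, rule id), validates srcip, and only then decides whether to start or stop a capture. The capture command itself is left as a placeholder, and the log path it appends to is an assumption.

```shell
#!/bin/sh
# Added example (not from the HackerTarget post or the OSSEC project):
# skeleton for a custom active-response script. OSSEC invokes the
# executable named in a <command> block (with <expect>srcip</expect> and
# <timeout_allowed>yes</timeout_allowed>, as in the ossec.conf above) as
#   <script> add|delete <user> <srcip> <alert-timestamp> <rule-id>
# "add" runs when the rule fires, "delete" when the timeout expires.

# Assumption for this example: append our own lines to OSSEC's
# active-responses.log, overridable for testing via AR_LOG.
LOG_FILE="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# valid_ipv4 <string>: succeed only for a dotted quad with octets 0-255.
# srcip comes from whatever produced the alert, so never pass it to a
# command unchecked.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# plan_action <action> <srcip> <rule-id>: decide what to do without doing
# it. Prints "start <ip>", "stop <ip>" or "ignore <reason>" so the
# decision can be logged and tested separately from the side effect.
plan_action() {
    action=$1; srcip=$2; rule=$3
    if ! valid_ipv4 "$srcip"; then
        echo "ignore bad-srcip"
        return 0
    fi
    case $action in
        add)    echo "start $srcip" ;;
        delete) echo "stop $srcip" ;;
        *)      echo "ignore unknown-action" ;;
    esac
}

# Entry point used when OSSEC calls the script with its five arguments.
main() {
    plan=$(plan_action "$1" "$3" "$5")
    echo "$(date) $0 $*: $plan" >> "$LOG_FILE"
    case $plan in
        "start "*) : "placeholder: start a capture limited to host ${plan#start }" ;;
        "stop "*)  : "placeholder: stop the capture for host ${plan#stop }" ;;
    esac
}

# Only act when invoked by OSSEC (five arguments); sourcing the file for
# tests or a bare run does nothing.
if [ $# -ge 5 ]; then
    main "$@"
fi
```

Keeping the decision in `plan_action` and the side effect in `main` means the validation can be exercised on a workstation with no OSSEC installed, and the log line written for every invocation gives the same audit trail that firewall-drop.sh leaves in active-responses.log.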

Conclusion

That's it folks, I have written about OSSEC before and still find it to be very useful and an important part of any server build.

Do more with OSSEC

Detect WordPress attacks and monitor the application and web server logs.