Tuesday, 27 September 2022

Qualys Tool

Qualys is a cloud-based vulnerability management platform and a commercial product; it competes head-to-head with Nessus. Qualys is primarily agent-based: lightweight Cloud Agents are installed on hosts at various points in the network, and scanner appliances can cover devices that cannot run an agent. The agents upload the collected data to the Qualys cloud platform, where detection and analysis take place.

Qualys provides the following types of services:

  • Asset Management
  • IT Security
  • Compliance
  • Cloud Container Security
  • Web App Security
You can create a login and try some of the Qualys tools on a trial basis.

Qualys Asset Inventory



Asset Details



Endpoint Detection 



Qualys Agent 


Like any other vulnerability assessment tool, Qualys follows a vulnerability management life cycle; its model is Predict – Prevent – Detect – Respond – Learn.

*As per my last blog, in future posts we will discuss the Vulnerability Assessment (VA) tools one by one. If you have any questions, you can ask me in the comments section.



Monday, 19 September 2022

Trojan Horse

A Trojan horse is a malicious program that misleads the user about its true intent. The name comes from the Greek story of the wooden horse in which soldiers hid, waiting to be carried inside the city; once the horse was within the walls, the soldiers came out and attacked. Trojan software works the same way: it presents itself as something the user wants, then waits for the right moment to steal the user's information or give a threat actor unauthorized access. A Trojan can also spread to other devices connected to the same network.



Trojans are typically spread by social engineering. The most common purposes of Trojan programs are:

  • Stealing information
  • Infecting connected devices
  • Creating a backdoor
  • Gaining unauthorized access
  • Ransomware attacks
  • Using the victim for spamming
  • Using the victim as part of a botnet
  • Downloading other malicious software
  • Disabling firewalls

The following Trojans are associated with these default TCP ports. The numbers are historical defaults that an attacker can change at will, so a port match is a lead to investigate, not proof of infection:

  • TCP Port 20 Senna Spy
  • TCP Port 21 Invisible FTP
  • TCP Port 22 Shaft
  • TCP Port 80 Executor
  • TCP Port 421 TCP Wrappers Trojan
  • TCP Port 456 Hackers Paradise
  • TCP Port 1095/1098 RAT
  • TCP Port 12345 NetBus
  • TCP Port 53001 Remote Windows Shutdown

To defend against Trojans you must understand how they are built and delivered. The process divides into the following steps:
  1. Creating the Trojan with a Trojan construction kit
  2. Creating a dropper to deliver the Trojan
  3. Creating a wrapper to bind the Trojan to a legitimate-looking file
  4. Executing the dropper (Trojan file) on the target
The threat actor uses a Trojan construction kit to customize the Trojan; a customized Trojan does not match existing signatures and is therefore more dangerous for the target. The Trojan is then attached to a dropper (software designed to deliver a payload onto the target machine). The threat actor also binds the file to a harmless program with a wrapper, so that the combined file is not easily detected by defensive software.

Once the Trojan is installed on the target PC, it connects the attacker to the victim by providing unauthorized access, extracts secret information, or performs the specific action the Trojan was designed for.


Following are some Trojan types:
  • Command Shell Trojans (provide a remotely controlled command shell)
  • Defacement Trojans (modify the appearance and resources of Windows programs)
  • HTTP/HTTPS Trojans (tunnel command traffic over web ports to bypass firewall rules and execute on the target)
  • Botnet Trojans (enrol the victim for DDoS attacks)
  • Proxy Server Trojans (turn the host into a proxy server)
  • Remote Access Trojans (give GUI access to the target system)
 
By following some measures, you can protect your network from Trojans, for example:
  • Avoid clicking on suspicious email attachments
  • Monitor network traffic
  • Block unused ports
  • Deploy an IDS
  • Run antivirus software
  • Scan USB sticks and other removable media before use
  • Enable auditing
  • Use a host-based firewall
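Two of the measures above, monitoring network traffic and blocking unused ports, come down to knowing which listeners belong on a host. The following script is an added example for this post (not code from the original): it reads a listing in the column layout of `ss -tlnp` (the sample is constructed), compares each listening port with an assumed approved baseline of port-to-process pairs, and annotates anything unexplained that sits on one of the Trojan default ports listed earlier.

```python
"""Review listening sockets against an approved baseline and the Trojan default
ports listed in this post. Added example for this post; the listing below is
constructed in the column layout of `ss -tlnp`, not captured from a real host."""
import re

# Historical default ports of the Trojans named above. Attackers change these
# freely, so a match is a lead to investigate, not proof of infection.
TROJAN_DEFAULT_PORTS = {
    20: "Senna Spy", 21: "Invisible FTP", 22: "Shaft", 80: "Executor",
    421: "TCP Wrappers Trojan", 456: "Hackers Paradise", 1095: "RAT", 1098: "RAT",
    12345: "NetBus", 53001: "Remote Windows Shutdown",
}

# Constructed sample: the only real signal here is the unexpected 12345 listener.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
LISTEN 0      128    0.0.0.0:12345       0.0.0.0:*         users:(("update_helper",pid=2231,fd=5))
"""

# Assumed approved baseline for this host: port -> process expected to own it.
BASELINE = {22: "sshd", 443: "nginx", 631: "cupsd"}


def parse_ss(listing):
    """Return (local_address, port, process) for each LISTEN row."""
    sockets = []
    for line in listing.strip().splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # also splits [::]:22 correctly
        match = re.search(r'"([^"]+)"', fields[5]) if len(fields) > 5 else None
        sockets.append((addr, int(port), match.group(1) if match else "?"))
    return sockets


def review_listeners(listing, baseline):
    """Return (port, process, reason) for every listener the baseline does not explain."""
    findings = []
    for _addr, port, proc in parse_ss(listing):
        if baseline.get(port) == proc:
            continue  # e.g. sshd on 22 is expected even though 22 is on the Trojan list
        reason = "not in baseline"
        if port in TROJAN_DEFAULT_PORTS:
            reason += f"; matches {TROJAN_DEFAULT_PORTS[port]} default port"
        findings.append((port, proc, reason))
    return findings


if __name__ == "__main__":
    for port, proc, reason in review_listeners(SAMPLE_SS, BASELINE):
        print(f"port {port} ({proc}): {reason}")
```

A baseline match takes precedence: port 22 owned by sshd is expected even though 22 appears on the Trojan list, while the unexplained listener on 12345 is reported for investigation. In practice the baseline comes from a known-good build of the host, and the process name should be checked against its binary path as well, since the listener can name itself anything.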

Friday, 16 September 2022

Aircrack-ng Suite

 Aircrack-ng Suite Wireless Assessment

Aircrack-ng is the most popular open-source wireless network security tool. It is typically found on Kali Linux, although it has also been ported to Windows. It can be used to monitor wireless networks, intercept traffic, disrupt wireless communication between hosts, and crack wireless keys: WEP keys from collected traffic, and WPA/WPA2-PSK passphrases by a dictionary attack against a captured four-way handshake. WPA3 (SAE) is designed to resist this offline dictionary attack, so it is not a target for aircrack-ng in the same way.


Aircrack-ng is also used by attackers to crack Wi-Fi passwords. A common combination is CUPP (Common User Passwords Profiler), which generates a personalized wordlist from details known about the target, fed into aircrack-ng as the dictionary.

Aircrack-ng is a suite of separate tools, each with a specific purpose. The four used most are airmon-ng (puts the adapter into monitor mode), airodump-ng (captures frames and lists networks and clients), aireplay-ng (injects frames, for example a deauthentication that forces a client to re-associate and produce a handshake) and aircrack-ng itself (the key cracker). Following are some useful functions of the Aircrack-ng suite.

We used a Kali Linux environment for these commands.

Aircrack-ng options

For cracking a WPA/WPA2-PSK passphrase with a CUPP wordlist (this assumes the four-way handshake has already been captured into WPA.cap with airodump-ng):

aircrack-ng -a2 -b <BSSID of WLAN Router> -w /root/Desktop/cupp/Albert.txt /root/Desktop/WPA.cap

Here -a2 selects WPA-PSK mode, -b restricts the attack to the target BSSID and -w supplies the wordlist.



After processing, it gives the following key:
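airodump-ng writes the networks it sees to a CSV file alongside the capture (`-w <prefix>` produces `<prefix>-01.csv`). The following is an added example, not part of the Aircrack-ng suite: it parses a constructed CSV in that layout, keeps only the networks the -a2 dictionary attack applies to (WPA/WPA2 with PSK authentication; WEP needs the IV-based attack and WPA3/SAE is not vulnerable to offline dictionary cracking), and assembles the aircrack-ng argument vector shown above for each target. File names and BSSIDs are assumptions.

```python
"""Pick WPA/WPA2-PSK targets out of an airodump-ng CSV and assemble the matching
aircrack-ng command. Added example for this post; the CSV is constructed in the
layout airodump-ng writes with -w <prefix> (the <prefix>-01.csv file), not a real capture."""

SAMPLE_CSV = """BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2022-09-16 10:00:01, 2022-09-16 10:05:40,  6, 130, WPA2, CCMP, PSK, -45, 120, 0,   0.  0.  0.  0,  7, LabWifi, 
66:77:88:99:AA:BB, 2022-09-16 10:00:03, 2022-09-16 10:05:38, 11,  54, WEP, WEP,    , -70,  30, 1500,   0.  0.  0.  0,  5, OldAP, 
CC:DD:EE:FF:00:11, 2022-09-16 10:00:02, 2022-09-16 10:05:41,  1, 130, WPA3, CCMP, SAE, -60,  80, 0,   0.  0.  0.  0,  9, Modern-AP, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2022-09-16 10:01:12, 2022-09-16 10:05:39, -50, 210, 00:11:22:33:44:55, LabWifi
"""


def parse_access_points(csv_text):
    """Return one dict per access point (the section before the blank line)."""
    aps = []
    for line in csv_text.strip("\n").splitlines()[1:]:   # skip the header row
        if not line.strip():
            break                                        # blank line: station section starts
        f = [x.strip() for x in line.split(",")]
        aps.append({"bssid": f[0], "channel": int(f[3]), "privacy": f[5],
                    "cipher": f[6], "auth": f[7], "essid": f[13]})
    return aps


def psk_targets(csv_text):
    """Networks the -a2 attack applies to: WPA/WPA2 with pre-shared-key authentication.
    WEP is excluded (aircrack-ng -a1 works on collected IVs instead) and WPA3/SAE is
    excluded because it resists offline dictionary attacks."""
    return [(ap["essid"], ap["bssid"], ap["channel"])
            for ap in parse_access_points(csv_text)
            if ap["privacy"].startswith("WPA") and ap["auth"] == "PSK"]


def aircrack_command(bssid, capture, wordlist):
    """Argument vector for the command above: -a2 WPA-PSK mode, -b target BSSID, -w wordlist."""
    return ["aircrack-ng", "-a2", "-b", bssid, "-w", wordlist, capture]


if __name__ == "__main__":
    for essid, bssid, channel in psk_targets(SAMPLE_CSV):
        print(essid, "ch", channel, " ".join(aircrack_command(bssid, "WPA.cap", "Albert.txt")))
```

Only LabWifi survives the filter in the sample: the WEP network needs a different attack mode and the WPA3 network is not crackable this way, which is exactly why the -a2 command should be pointed at a specific BSSID rather than the whole capture.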
 



Wireless technologies such as Wi-Fi and Bluetooth are widely used nowadays. They can be secured with network monitoring and auditing tools, strict access control policies and good operational practice. Strong Wi-Fi encryption matters: moving from WEP to WPA2 (or WPA3 where the equipment supports it), using strong authentication with long, non-dictionary passphrases, and following best practices make a wireless network much harder to compromise.




Wednesday, 14 September 2022

Nessus Vulnerability Scanner Tool

Nessus is one of the most widely used network vulnerability scanners. It started as an open-source project and grew popular enough to become an enterprise-level, scalable commercial product from Tenable. Nessus also has a free edition, Nessus Essentials, for home users (limited to 16 IP addresses). It is available both as a cloud-based service and as an on-premises server installation. Nessus is highly configurable and uses a large library of plug-ins (scanning signatures keyed to a vulnerability or operating system). You can scan operating systems and applications, including all flavors of Windows, macOS and most Linux distributions, and it also works against unusual embedded-OS devices. You can create preconfigured scans, target lists and several other options when configuring a scan.




Plug-ins are written in the Nessus Attack Scripting Language (NASL). Nessus reports list missing patches and updates as well as configuration issues. Results can be exported in a variety of formats, including the native .nessus (XML) format, PDF and CSV. You can download the tool from Tenable's website, https://www.tenable.com.
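The native .nessus export is plain XML, which makes it easy to post-process outside the web UI. The following is an added example, not Tenable's code: it parses a constructed .nessus v2 fragment (placeholder plugin IDs, two hosts), counts findings per host by severity, and builds a remediation queue ordered by severity, the same view the Remediation tab gives you.

```python
"""Summarize a Nessus .nessus (XML) export by host and severity and build a
remediation queue. Added example for this post; the XML is constructed in the
.nessus v2 layout with placeholder plugin IDs, not a real export."""
import xml.etree.ElementTree as ET
from collections import Counter

# .nessus severity attribute: 0 = Info ... 4 = Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.168.0.80">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900001" pluginName="Nessus Scan Information">
        <solution>n/a</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="900002" pluginName="SSH Weak MAC Algorithms Enabled">
        <solution>Disable MD5 and 96-bit MAC algorithms.</solution>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="4"
                  pluginID="900003" pluginName="Outdated Web Server (constructed)">
        <solution>Upgrade to the vendor's supported release.</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.0.81">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900004" pluginName="SMB Signing Not Required">
        <solution>Enforce message signing in the host's configuration.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict carrying its host."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def severity_summary(findings):
    """host -> Counter of severity names, ignoring informational items."""
    summary = {}
    for f in findings:
        if f["severity"] == 0:
            continue
        summary.setdefault(f["host"], Counter())[SEVERITY_NAMES[f["severity"]]] += 1
    return summary


def remediation_queue(findings, min_severity=3):
    """(host, port/proto, plugin, solution) for High and Critical items, worst first."""
    picked = [f for f in findings if f["severity"] >= min_severity]
    picked.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return [(f["host"], f"{f['port']}/{f['protocol']}", f["plugin"], f["solution"]) for f in picked]


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    for host, counts in severity_summary(found).items():
        print(host, dict(counts))
    for row in remediation_queue(found):
        print(*row, sep=" | ")
```

Filtering on the numeric severity attribute rather than the risk_factor text keeps the logic stable across plugin families, and the queue is what you would hand to the owning team for the Remediate step of the life cycle.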

Following are some screenshots of Nessus; we used Nessus Essentials on Kali Linux for these screenshots.
  • Download and install Nessus.
  • Open a web browser.
  • Go to https://localhost:8834 (Nessus serves its web UI over HTTPS with a self-signed certificate, so expect a browser warning on the first visit) and you will see the login screen.

             
Nessus Login Screen 


After login you see the following screen, where you create policies and scan different assets.



Go to the Policies tab and click Create New Policy.


There you can choose the template that fits your requirement, such as Host Discovery, Basic Network Scan, Advanced Scan and many more.

The following screenshot shows the Advanced Scan:




Host Discovery Tab


Port Scanning Tab

Plugin Tab

You can create a scan and schedule it, as the following screen shows:


Upon completion, you can observe the results:


Click the Vulnerabilities tab to review the vulnerabilities detected. Also check the Remediation, Notes and History tabs for details on recommended remediation actions, scan issues and past runs.



Go to Report and select the required format.


 



Tuesday, 13 September 2022

Hping Network Scanning Tool

Hping is a command-line TCP/IP packet assembler and analyzer. It is an open-source tool that lets a pen tester craft arbitrary network packets, with spoofed source addresses where needed, to test how firewalls and IDS/IPS react. Hping can also handle fragmentation, arbitrary packet body and size, and file transfer. It supports TCP, UDP, ICMP and raw IP protocols.


We can perform the following with hping parameters:

  • Advanced port scanning
  • Testing network performance
  • Path MTU discovery
  • Transferring files even across very restrictive firewall rules
  • Traceroute-like probing under different protocols
  • Remote OS fingerprinting, and more
  • Testing firewall rules
The current version of hping is hping3. Following are some hping3 commands we used to perform network scans; we used a Kali Linux environment for these commands.

ICMP ping with hping3

Create ACK packet


TCP Stealth Scan Command


The following are some options used with the hping3 command:
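hping3 assembles the IP and TCP headers for you. The following added example (not part of hping3) builds the same 40 bytes in Python so you can see exactly which bits -S (SYN) and -A (ACK) set, how the IPv4 and TCP checksums are computed, and how a receiver verifies them. Addresses and ports are arbitrary assumptions; nothing is sent on the wire.

```python
"""Assemble the IPv4 and TCP headers that hping3 options such as -S (SYN) and -A
(ACK) produce, and verify the checksums. Added example for this post, not part
of hping3; it builds bytes only and sends nothing on the wire."""
import socket
import struct

# TCP flag bits; hping3 sets them with -F -S -R -P -A -U respectively.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def inet_checksum(data):
    """RFC 1071 one's-complement sum; re-summing a correct header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ttl=64, ident=0x1234):
    # version 4, IHL 5 (20 bytes, no options), DF/fragment offset 0, protocol TCP
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_header(src, dst, sport, dport, flags, seq=0, ack=0, window=512):
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    # data offset 5 (20-byte header), checksum and urgent pointer zero for now
    hdr = struct.pack("!HHLLBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)
    # the TCP checksum also covers a pseudo-header: addresses, protocol, TCP length
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0,
                         socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def craft_probe(src, dst, sport, dport, flags):
    """Bytes equivalent to `hping3 -S -p <dport> <dst>` (flags=["SYN"]) or `-A` (flags=["ACK"])."""
    tcp = build_tcp_header(src, dst, sport, dport, flags)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def decode_flags(packet):
    """Read the flag names back out of a packet built by craft_probe."""
    bits = packet[20 + 13]  # TCP flags byte sits at TCP offset 13
    return {name for name, bit in TCP_FLAGS.items() if bits & bit}


def checksums_valid(packet, src, dst):
    """A receiver's check: summing header plus checksum field must give 0 for both layers."""
    ip_ok = inet_checksum(packet[:20]) == 0
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0,
                         socket.IPPROTO_TCP, len(packet) - 20)
    return ip_ok and inet_checksum(pseudo + packet[20:]) == 0


if __name__ == "__main__":
    pkt = craft_probe("192.168.0.10", "192.168.0.80", 40000, 80, ["SYN"])
    print(len(pkt), "bytes", decode_flags(pkt), checksums_valid(pkt, "192.168.0.10", "192.168.0.80"))
```

The pseudo-header is why a spoofed source address (hping3 -a) still needs a correct checksum: the receiving stack recomputes it over the spoofed address, so a crafting tool must too. Sending these bytes would require a raw socket and root, which is also why hping3 and Nmap's SYN scan both need elevated privileges.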










Monday, 12 September 2022

Nmap (Network Mapper)

Nmap (Network Mapper) is the most popular network scanner and usually the first tool used in a vulnerability assessment (VA). It scans a network to discover which hosts are present and which services they are running. Nmap works by sending specially crafted network traffic to the target hosts and examining their responses. This tells us not only which hosts are active and which of their ports are listening, but can also help determine the operating system, hostname and, for some systems, even the patch level.

Nmap is basically a command-line interface (CLI) tool, but graphical front ends exist as well, such as Zenmap (Windows and cross-platform), NmapFE (Linux) and Xnmap (macOS). Successive runs of Nmap with identical parameters, together with a bit of scripting, let the user quickly identify changes in a target's configuration. Attackers are interested in new services because they are more likely to have exploitable configuration errors; defenders are interested in new services because they could indicate a compromised host. Some organizations also use Nmap to inventory the assets on a network by periodically doing full scans and comparing hosts and services against an existing baseline.
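The baseline comparison described above is easiest against Nmap's XML output (-oX). The following is an added example, not part of Nmap: it parses two constructed -oX documents, one baseline and one current scan of the same range, and reports services that appeared, disappeared or changed identity. Addresses and services in the samples are made up.

```python
"""Diff two nmap XML outputs (-oX) to spot new, closed or changed services.
Added example for this post; both XML documents are constructed in nmap's -oX
layout, not real scan output."""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 192.168.0.0/24">
  <host><status state="up"/>
    <address addr="192.168.0.80" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX current.xml 192.168.0.0/24">
  <host><status state="up"/>
    <address addr="192.168.0.80" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.81" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.0.82" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {(ipv4, protocol, port): service_name} for every open port on every live host."""
    services = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not part of the exposed surface
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            services[(addr, port.get("protocol"), int(port.get("portid")))] = name
    return services


def diff_scans(baseline_xml, current_xml):
    """Keys are (ipv4, protocol, port); 'changed' means the service name differs."""
    before, after = parse_nmap_xml(baseline_xml), parse_nmap_xml(current_xml)
    return {
        "new": sorted(k for k in after if k not in before),
        "closed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


if __name__ == "__main__":
    for kind, keys in diff_scans(BASELINE_XML, CURRENT_XML).items():
        print(kind, keys)
```

Run the two scans with identical arguments (the args attribute in the XML lets you confirm that) or the diff will report artefacts of the scan, not of the network. In the sample, the unexplained listener on 4444 and the new host on .81 are the items a defender would chase first.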


Following are some Nmap commands we used to perform network scans; we used a Kali Linux environment for these commands.

Basic Syntax

Host Discovery Scan


nmap -sS 192.168.0.80    (TCP SYN or "half-open" scan: the handshake is never completed; it needs raw sockets, so run it as root)


There are many scan types you can select with different Nmap switches; some of them are shown in the following figure.



WARNING: even though some scans are described as “stealthy”, a well-configured IDS/IPS can still detect Nmap scanning.

GUI front ends developed for Nmap, such as Zenmap and NmapFE, provide an easy-to-use interface, as the following figures show.





Saturday, 10 September 2022

Vulnerability Assessment Tools

Vulnerability Assessment (VA) tools are security applications that scan enterprise networks to identify weaknesses a threat actor may exploit. When a VA tool finds a weakness in the network, software or systems, it suggests or initiates a remediation action, thereby minimizing the potential for an attack.

Many Vulnerability Assessment (VA) tools are available; some are commercial and some are open source, and each has its own strengths and weaknesses. They can be grouped by function. Following are some well-known Vulnerability Assessment (VA) tools:

Web Application Tools

  • OWASP Zed Attack Proxy (ZAP) 
  • Burp Suite
  • Nikto
  • Arachni

Infrastructure and Network Tools

  • Nmap 
  • hping
  • Nessus
  • OpenVAS
  • Qualys

Wireless Assessment Tools

  • Aircrack-ng
  • Reaver
  • oclHashcat

Cloud Infrastructure Assessment Tools

  • Scout Suite
  • Prowler
  • Pacu

Like any other IT process, vulnerability assessment follows a Vulnerability Management Life Cycle. The model presented here follows the basic steps Discover – Prioritize Assets – Assess – Report – Remediate – Verify, and then starts again with Discover. This life cycle provides a good foundation for any security program.


The steps in the Vulnerability Management Life Cycle are described below.

  • Discover: Scan network-accessible systems with VA tools to inventory all assets across the network and develop a baseline for each, including operating system and open services.
  • Prioritize Assets: Categorize assets into groups on the basis of their criticality to business operations.
  • Assess: Scan the prioritized assets and rate each finding against a baseline risk profile, so that real threats are separated from noise and ranked.
  • Report: Compile the gathered data into a report that lists the vulnerabilities, prioritizes them and states how each will be addressed.
  • Remediate: Fix vulnerabilities in order of business risk. Establish controls and demonstrate progress.
  • Verify: After the vulnerabilities have been identified and resolved, follow-up scans and audits must confirm that the fixes hold and the issues do not recur. This is the verification stage.

In future blogs, we will discuss the Vulnerability Assessment (VA) tools one by one with examples.


Friday, 9 September 2022

Vulnerability identification

What is a cybersecurity vulnerability? Vulnerabilities are weaknesses in an information system's design, implementation, operation or management that a threat actor can exploit to compromise the confidentiality, integrity or availability of that system. After exploiting a vulnerability, a threat actor can run malicious code, install malware and even steal sensitive data.

Vulnerability identification is the process of scanning for and noting exploitable gaps in our systems, network operation and configuration. These scans help us focus on protecting the system and network by pointing out its weak parts. Countless vulnerabilities exist, so we start by defining a broad selection of vulnerability classes. Following are some examples of common potential vulnerabilities:

  • Hardware: Susceptibility to humidity, dust, moisture, electrostatic discharge (ESD), and inadequate physical protection
  • Software: Lack of testing and auditing, design flaws, missing patches, legacy code, and misconfiguration
  • Network: Unprotected cables, insecure network architecture, poor or missing encryption, poor segmentation, and poorly positioned network appliances
  • Personnel: Poor recruiting practices, lack of security policy adherence, and poor cybersecurity awareness
  • Physical site: Susceptibility to floods, fires, power outages, unauthorized entry, lack of surveillance, and lack of security guards
  • Organizational: Lack of business continuity plans (BCP) and disaster recovery plans (DRP)

Vulnerability identification is a big undertaking that involves consistent internal vulnerability assessments. Vulnerability management is the practice of identifying, classifying, prioritizing, remediating and mitigating vulnerabilities across systems and networks.









Vulnerability intelligence is also acquired from numerous vulnerability identification sources, such as those listed here:

  1.  CVE
  2.  Exploit Database
  3.  IT system audit reports
  4.  National Vulnerability Database (NVD)
  5.  Open Web Application Security Project (OWASP)
  6.  Previous risk assessments
  7.  SANS Internet Storm Center
  8.  Security advisories
  9.  Security requirements checklist
  10.  System security testing
  11.  US-CERT
  12.  Vendor advisories (Cisco, IBM, Google, Microsoft)
  13.  Vulnerability listings

Consider a simple example: a default or weak password is problematic whether it belongs to an administrator or to a normal user, but the compromise of an administrator's account has a far greater potential impact on the organization, which is why such a finding is prioritized higher.

Wednesday, 7 September 2022

Investigate Phishing Campaigns

How to investigate phishing campaigns

First, what is a phishing campaign? A phishing campaign is an email scam designed to steal personal information from victims. Threat actors use phishing to obtain sensitive information for fraud, such as credit card details and login credentials, by posing as a trusted organization or person in an email.

How bad is phishing? Social engineering attacks occur on a daily basis, and the threat actor's main aim is to steal your data, financial information and login credentials. According to a Cisco cybersecurity report, more than 90% of data breaches are the result of phishing.

In the case investigated here, the pattern of the websites hosted on the malicious IP address pointed to phishing, and some of them appeared to contain a malicious executable for stealing data. Here are some screenshots of the malicious sites:







Following are some basic techniques for investigating a phishing campaign.

Basic IP address reputation / website identification:
As an initial step, check whether the IP address has been associated with undesired or suspicious activity such as spam. MxToolbox is a great tool for checking IPs against known blocklists: enter the IP and it returns the reputation results. You can also use tools such as Symantec (Broadcom) Site Review, Cisco Talos Intelligence and VirusTotal to investigate an IP address's reputation.


Check for DNS variations:
Malicious actors commonly engage in domain typo-squatting, the deliberate registration of domain names spelled similarly to the target domain, in order to fool unsuspecting victims. DNS Twister is a useful tool for checking similar domain names, and it can alert you whenever such look-alike domains are newly registered.
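DNS Twister generates the look-alike names for you; the following added example (not DNS Twister's code) shows the kind of single-edit permutations involved (omission, doubled character, adjacent swap, homoglyph substitution and alternative TLDs) and checks a constructed list of newly observed domains against them.

```python
"""Generate typo-squatting candidates for a domain and check a list of observed
names against them, the same idea DNS Twister applies. Added example for this
post; the observed-domain list is constructed, not real registration data."""

# Look-alike substitutions commonly seen in phishing domains
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
              "m": ["rn"], "e": ["3"], "a": ["4"], "s": ["5"]}
ALT_TLDS = ["com", "net", "org", "co", "info", "biz"]


def typosquat_variants(domain):
    """Every single-edit variant of the registrable name, plus the name under other TLDs."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])            # character omitted
        names.add(name[:i] + ch + name[i:])           # character doubled
        for sub in HOMOGLYPHS.get(ch, []):
            names.add(name[:i] + sub + name[i + 1:])  # look-alike substitution
    for i in range(len(name) - 1):
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # adjacent swap
    names.discard(name)
    variants = {f"{n}.{tld}" for n in names if n and not n.startswith("-")}
    variants |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}
    return variants


def find_lookalikes(observed, domain):
    """Observed domains (e.g. from passive DNS or CT logs) that impersonate `domain`."""
    variants = typosquat_variants(domain)
    return sorted(d.lower() for d in observed if d.lower() in variants)


# Constructed sample of newly seen domains; only the last two are unrelated/legitimate
OBSERVED = ["examp1e.com", "exampel.com", "example.org", "unrelated.io",
            "exarnple.com", "example.com"]

if __name__ == "__main__":
    print(len(typosquat_variants("example.com")), "candidates")
    print(find_lookalikes(OBSERVED, "example.com"))
```

The alternative-TLD hits (example.org here) are not necessarily malicious, since the brand owner may hold them; the list is a set of candidates to resolve, check against WHOIS and certificate transparency, and watch, not a verdict.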

Calculate the web page's SHA256 hash:
Phishing websites are frequently simplistic copies of each other, without any bells and whistles, since the objective is only to steal user information. That makes investigating them and linking them to other malicious domains a little easier, if they really are carbon copies of one another.

To calculate a website's SHA256 value, you can use the following Kali Linux terminal command (-s suppresses curl's progress meter):

curl -s www.mydomain.com | sha256sum

The result is a hash value that can then be searched on urlscan.io, which should produce a multitude of results for pages with identical content. Note that the hash only matches byte-identical pages: a single changed character (a different brand name, a tracking parameter in the form action) gives a completely different hash, so a miss does not rule out a relationship.

Examine security certificates:
Many phishing websites do not bother with a TLS certificate and an HTTPS connection, but some do. Nowadays threat actors obtain free certificates for their fake websites to add another layer of purported legitimacy; after all, many people still erroneously believe that the padlock symbol in the browser means the website they are visiting is genuine and that the information they enter is fully secure. The padlock only means the connection is encrypted to whoever holds the certificate, so look at the issuer, the subject name and the issue date instead: a certificate issued days ago for a look-alike name is itself an indicator.


Friday, 2 September 2022

Threat Classification

 

Threat

A threat is a malicious act that seeks to damage data, steal data or disrupt digital life in general. Put simply, any attack such as a virus infection, a data breach or a Denial of Service (DoS) attack is called a threat.

We can categorize threats in several different ways, depending on several factors. These include the obvious distinctions, such as whether a threat is environmental or man-made, adversarial or non-adversarial. According to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, there are four different types of threat sources (also known as threat agents) that can cause or generate a threat event:

  • Adversarial   Includes malicious persons, groups, organizations, and nation-states
  • Accidental   Users or administrators
  • Structural   Equipment or software failure
  • Environmental   Natural or man-made disasters and outages

We can also classify threats according to the type of attack they represent, the avenue of attack (called a threat vector), and whether they are known or unknown threats.

On the known/unknown axis, threats fall into four categories:

  • Known Knowns
  • Known unknowns
  • Unknown Knowns
  • Unknown unknowns
Known Knowns: Threats that can be identified with basic signature or pattern matching; in other words, threats we are aware of and understand.

Known Unknowns: Threats that cannot be identified with basic signature or pattern matching; in other words, threats we are aware of but do not fully understand.

Unknown Knowns: Malware that uses obfuscation techniques to circumvent signature matching and detection; in other words, a class of threat we understand but are not aware of when it is present.

Unknown Unknowns: Malware that uses completely new attack vectors and exploits; in other words, threats we are neither aware of nor understand.

Now we discuss the different types of threats in more detail.

Zero-Day Threats: A zero-day vulnerability is a flaw in a piece of software that the vendor is unaware of and so has not issued a patch or advisory for. Code written to take advantage of this flaw is called a zero-day exploit. It can create serious problems well before anyone realizes something is wrong.

Obfuscated Malware Code: Malicious code whose behaviour the malware author has attempted to hide through techniques such as compression, encryption or encoding, to severely limit attempts to analyze the malware statically.

Recycled Threats: The practice of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning.

Malware: Any software intentionally designed to cause damage to a computer, server, client or computer network.

Documented Exploits: A piece of software, data or sequence of commands that takes advantage of a known vulnerability to cause unintended behaviour or to gain unauthorized access to sensitive data.




