johnosbb/CyberTools


Cyber Security and Cyber Security Tools and Strategies

A list of Internet Cyber Tools and Resources

Automation

Reference Sites

Routers and Firewalls

Reporting Spam and Phishing Emails


Identity Theft

Resources

Tools

Port Scanning Tools

  • zenmap - Cross platform Port Scanner

Network Tools

Arp Spoofing

Network Monitoring Tools

wireshark


T-Shark

TCP-Dump

  • TCP Dump
  • Capturing pcap files over SSH - ssh root@192.168.1.10 -- "tcpdump -w - -s 65535 'not port 22'" > capture.pcap
  • Capturing pcap traffic live over SSH - ssh root@192.168.1.10 -- "tcpdump -U -s 65535 -w - 'not port 22'" | wireshark -k -i -

Ideally we would run Wireshark on the router itself. That is rarely possible, but tcpdump is available on a lot of routers, so capture there and analyse on the workstation.

  • tcpdump -U -- packet-buffered output: each packet is written as soon as it is captured rather than held in a buffer (needed when piping to Wireshark live)
  • tcpdump -D -- show available interfaces
  • tcpdump -i eth0 -- snoop on eth0
  • tcpdump -i any -- snoop on all interfaces
  • tcpdump -n -i any dst port 80 -- snoop on traffic to port 80; -n prints IP addresses and port numbers instead of resolving them to names
  • tcpdump -n -i any port 554 -- snoop on port 554 for DNS traffic
  • tcpdump -n -i any host 192.168.1.254 and not src net 192.168.1.0/24 -- find traffic to or from 192.168.1.254 whose source is outside the local 192.168.1.0/24 range
  • tcpdump -n -i any -s 65535 -w mycapture.cap -- capture full frames (snaplen 65535 bytes, no truncation) to a file called mycapture.cap

Other Tools

Burp Suite
Browser Integrity Checking
Browser Hardening
Cleaners

Anti Malware Tools and Encryption

Privacy

Meta Search Engines

Cookies must be disabled for these to offer anonymity

Google Activity

Secure Browsers

Ad Blockers and Anti Tracking

Fingerprinting

Certificate Management and Integrity

Isolation Strategies

Portable Applications

Isolation Silos

Firewalls

  • Simpler firewalls work at layer 3 or 4 and accept or reject traffic based on port, protocol and address.
  • More complex firewalls work at the application layer and do DPI (Deep Packet Inspection): they can determine whether the traffic actually conforms to the protocol expected on a particular port.
  • Host based firewalls like Windows Firewall or Linux iptables run on the endpoint itself.
  • Egress filtering: blocking outgoing traffic. This can stop malware that has already got in from communicating back out to its command centre.
  • User Friendly Front End for Windows Firewall Control
  • GUFW - GUI for UFW and iptables
  • Shorewall - GUI for UFW and iptables

Network Isolation

Wireless Security

  • The preferred configuration for home networks is WPA2 Personal with AES (CCMP) and a 256 bit pre-shared key.
  • WPA2 Enterprise uses a RADIUS server, which avoids having one fixed key shared by everyone. WPA2 Personal with a fixed key is open to brute force attacks: the key derivation is seeded with the SSID of the network, so rainbow tables are precomputed for common SSIDs. Using an uncommon SSID and a long passphrase defeats the precomputed tables.
  • WPA2 attacks - coWPAtty - available in Kali
  • WEP Vulnerability
  • Evil Twin
  • WiFi Pineapple

Wifi Injection Tools

A USB adapter is required with one of the following chipsets:

  • Atheros AR9271
  • Ralink RT3070
  • Ralink RT3522
  • Realtek 8187L

The best adapters can be found on Cyberprogrammers

Tools

Bluetooth Security

Sandboxes

Windows

Linux

Virtualization (free and open source)

Type 2

Type 1

Hybrid

Linux

Virtualization Risks

Virtual Machine Hardening

  • Use a USB based network adapter for the VM to isolate it from the host adapter.
  • Use whole disk encryption on the host operating system so that logs, caches etc. on the host cannot be used as an attack point against the VM.
  • Clear down swap space and caches after use.
  • Use hypervisor encryption for the VM disk images.
  • Disable all unnecessary functions, such as:
    • 3D acceleration, serial ports, video acceleration, drag and drop/clipboard sharing.
    • If possible do not install VMware Tools or VirtualBox Guest Additions.
    • Do not redirect USB devices and disable the USB controller (use a PS/2 mouse in the VM).
    • Enable PAE/NX.
    • Consider live operating systems and, if possible, do not use persistent storage.
    • Use snapshots so that each new activity starts from a clean machine.
    • Avoid hibernating or sleeping VMs: the keys in memory get written to the hard disk.

Other Isolation Technologies

  • Device Guard - Windows 10

Operating Systems for Security and Privacy

Whonix

Strengths

  • Whonix: a Whonix workstation connects only through a Tor-based gateway and is isolated from the local LAN.
    • Anonymising Relay Monitor (ARM) - similar to top on Unix, but for Tor. A command line application for monitoring Tor relays, providing real time status information such as the current configuration, bandwidth usage, message log, connections, etc.
    • sdwdate - an anonymous time service used by Whonix, and also used by Tor; unlike NTP it preserves anonymity.
    • The Whonix gateway can also be used by other VMs and non-Whonix workstations to provide Tor-only access.

Weaknesses

  • It is easy to identify that someone is using Whonix.
  • Whonix does not encrypt its disk by default.
  • It does not protect against rootkits etc.
  • It does not protect against hardware compromise.
  • It can be difficult to set up, requiring virtual machines or additional hardware.
  • Unlike Tails (and other amnesic operating systems), Whonix can leave traces on the hardware.

Qubes

Strengths

  • Desktop OS based on the Xen hypervisor; it uses virtualisation for isolation between security domains.
  • Qubes templates allow the desktop to be configured like popular operating systems.
  • Unlike monolithic architectures, where a large Trusted Computing Base runs with elevated privileges, Xen is a type 1 hypervisor and Qubes runs a small kernel on top of it. This reduces the attack surface considerably.
  • Dom0 controls the screen and desktop, but has no network access.
  • Applications run in different VMs, but Dom0 presents them as a single desktop.
  • There is a Net VM which takes care of all network activity. Even if the network VM is compromised, the malicious code still cannot escalate privilege to reach the other isolated components.
  • USB can also be isolated in its own VM.
  • Each application can run in a separate VM, so we could have one browser for banking and another for hacking, for example.
  • Qubes has built in integration with Tor.

Weaknesses

Security Domains and Isolation

  • Consider isolating your activities into different domains: use a virtualised or sandboxed browser to surf the web so that routine activities are isolated from attack.

Router Security

  • Shodan is the world's first search engine for Internet-connected devices. Shodan Web Site
    • We can use Shodan to search for vulnerabilities; for example, searching for 'Default Password' shows devices still using the default username and password.
    • It features an exploits database: https://exploits.shodan.io/welcome
    • We can look up an IP address using https://www.shodan.io/host/ followed by the IP address (useful for checking what your own router exposes).

Security Frameworks

Disk and File Encryption

File Encryption

SSH

  • For PuTTY - ssh-keygen - generate public keys in a folder of your choosing
  • Linux: ssh-copy-id -i /home/${USER}/.ssh/id_rsa.pub <remote_user_name>@<remote_ip_address>
  • Generating SSH key-pairs on Windows
  • Copying SSH keys from Windows to target device
  • OpenSSH: use ssh-keygen to create a public key called id_rsa.pub, then run the script below to install the key on the target: ssh-copy-id.cmd username@192.168.1.10 password id_rsa.pub

Windows Example

Create a script called ssh-copy-id.cmd with the following content

::usage: ssh-copy-id.cmd user@example.com password [id_rsa.pub]
::requires plink.exe (from the PuTTY suite) on the PATH
@echo off

:: read the public key (a single line) from the file given as %3, or id_rsa.pub
IF "%~3"=="" GOTO setdefault
set /p id=<"%~3"
GOTO checkparams
:setdefault
set /p id=<id_rsa.pub

:checkparams
:: copy the parameters into variables so the same exec block serves both paths
set "user=%~1"
set "pw=%~2"
IF "%user%"=="" GOTO promptp
IF "%pw%"=="" GOTO promptp2
GOTO exec

:promptp
set /p user=Enter username@remotehost.com: 
:promptp2
set /p pw=Enter password: 

:exec
:: accept the host key the first time (plink asks y/n for an unknown host)
echo y | plink.exe %user% -pw %pw% "exit"
:: now actually copy the key; umask 077 keeps .ssh and authorized_keys private
:: note: -pw puts the password on the command line, where other local users can see it
echo %id% | plink.exe %user% -pw %pw% "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"
:end
pause

Example usage

SSH Configuration on Windows instance of VSCode connecting to Linux Target

Copy the keys from windows to linux

ssh-copy-id.cmd <linux_username>@192.168.1.xx <linux_user_password> id_rsa.pub

This will put the relevant key in ~/.ssh/authorized_keys on the Linux target

Windows connecting to Windows target

ssh-copy-id.cmd <target-username>@192.168.1.xxx <password> c:\Users\<windows-username>\.ssh\id_rsa.pub

SSH Configuration on Ubuntu

  • chmod go-w /home/user
  • chmod 700 /home/user/.ssh
  • chmod 600 /home/user/.ssh/authorized_keys
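The remote side of the ssh-copy-id.cmd script above ("umask 077; mkdir .ssh; cat >> .ssh/authorized_keys") and the three chmod rules just listed are the same two concerns: put the key in place, and make sure sshd's StrictModes will accept the permissions. The following Go program is an added example (not part of this repository) that does both locally: it installs a key into authorized_keys idempotently, creating .ssh as 0700 and the file as 0600, and then audits the home directory against the chmod rules. The key string is constructed for the demo and is not a real key; the function names are my own.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// InstallAuthorizedKey appends pubKey to home/.ssh/authorized_keys the way the
// ssh-copy-id.cmd script does remotely, but idempotently: an identical key line
// is not added twice, and .ssh / authorized_keys are created 0700 / 0600.
// Returns true when a line was actually appended.
func InstallAuthorizedKey(home, pubKey string) (bool, error) {
	pubKey = strings.TrimSpace(pubKey)
	if pubKey == "" || strings.ContainsAny(pubKey, "\r\n") {
		return false, fmt.Errorf("public key must be a single non-empty line")
	}
	sshDir := filepath.Join(home, ".ssh")
	if err := os.MkdirAll(sshDir, 0o700); err != nil { // equivalent of umask 077 + mkdir
		return false, err
	}
	authPath := filepath.Join(sshDir, "authorized_keys")
	existing, err := os.ReadFile(authPath)
	if err != nil && !os.IsNotExist(err) {
		return false, err
	}
	for _, line := range strings.Split(string(existing), "\n") {
		if strings.TrimSpace(line) == pubKey {
			return false, nil // already installed, nothing to do
		}
	}
	f, err := os.OpenFile(authPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return false, err
	}
	defer f.Close()
	prefix := "" // make sure the new key starts on its own line
	if len(existing) > 0 && !bytes.HasSuffix(existing, []byte("\n")) {
		prefix = "\n"
	}
	if _, err := f.WriteString(prefix + pubKey + "\n"); err != nil {
		return false, err
	}
	return true, nil
}

// AuditSSHPerms checks the three chmod rules (go-w on home, 700 on .ssh,
// 600 on authorized_keys) and returns one message per path that violates them.
// An empty result means sshd with StrictModes will accept the key file.
func AuditSSHPerms(home string) []string {
	var problems []string
	check := func(path string, forbidden os.FileMode, want string) {
		info, err := os.Stat(path)
		if err != nil {
			problems = append(problems, path+": "+err.Error())
			return
		}
		if perm := info.Mode().Perm(); perm&forbidden != 0 {
			problems = append(problems, fmt.Sprintf("%s is %04o, %s", path, perm, want))
		}
	}
	check(home, 0o022, "must not be group/world writable (chmod go-w)")
	check(filepath.Join(home, ".ssh"), 0o077, "must be 0700")
	check(filepath.Join(home, ".ssh", "authorized_keys"), 0o177, "must be 0600")
	return problems
}

func main() {
	home, err := os.MkdirTemp("", "sshdemo") // stand-in for a user's home directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(home)
	// constructed placeholder, not a real key
	key := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal demo@example"
	added, err := InstallAuthorizedKey(home, key)
	fmt.Println("added:", added, "err:", err)
	added, _ = InstallAuthorizedKey(home, key) // second call is a no-op
	fmt.Println("added again:", added)
	fmt.Println("permission problems:", AuditSSHPerms(home))
}
```

Run the audit against a real home directory when a key-based login unexpectedly falls back to a password prompt; a loose mode on any of the three paths is the usual cause, and sshd only reports it in its own log, not to the client.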

Connecting with VSCode

Host LinuxBox_191
    HostName 192.168.1.121
    User yourusername


Host RaspberryPI
    HostName 192.168.1.131
    User yourusername

OAuth 2.0

Two Factor Authentication

OTP - Soft Tokens

Hard Tokens

Windows Package Managers

Password Management

Password Managers

Hashing

A useful strategy for creating a password hash that is resistant to brute force attacks is to use a salt, then use a key derivation function to stretch the result, and finally encrypt the stretched hash with AES under a master password. A further extension of this method is to store the master password in a hardware security module (HSM).

It is also possible to additionally embed a key in the hash before encrypting.

Password Cracking

Password Evaluation

End Point Protection - Anti Virus

  • FUD: fully undetectable malware that has been obfuscated and encrypted so that its bytes match no known signature.
  • A lot of cheap or free anti virus products use basic signature analysis, which cannot detect FUD malware.
  • Heuristic detection analyses code for suspicious patterns and structures. Heuristic techniques are used in mid-range products.
  • More advanced products run suspicious files in sandboxes in addition to heuristics.
  • Behaviour based blocking: the AV observes the software in action and blocks on what it does rather than what it looks like.
  • Cloud based analysis uses the software's integrity rating, built from cloud-assisted analysis across a large number of users.
  • Kaspersky White Papers

Software Restriction Policies

Anti Exploit Toolkits

Virtualization Based Containment

Device Guard Windows 10

Security Models and Access Control Models

Secure Kernel Implementations

Cyber Security Training

Deception Strategies

Detection is key to Cyber Security

Honeypots

Intrusion Detection Systems

NIDS and HIDS: network-based and host-based intrusion detection. These generally require a lot of setup, configuration and maintenance.

Intrusion Prevention Systems

  • WIPS - Wireless Intrusion Prevention Systems
  • NBAS - Network Behaviour Analysis Systems

Network Threat Analysis Systems - These facilitate the practice of Network Security Monitoring, event driven analysis and forensic analysis.

Proxy Based Analysis

File Integrity Monitors

Process Monitoring Tools

Windows

Linux

Network Monitor Tools

SIEM - Security information and event management

Malware and Virus Removal Tools

Live CDs

Sysadmin CDs

Tool Kits for Malware Analysis

Sys Internals

  • Sysinternals

  • Process Explorer

    • Run it as administrator; you can replace Task Manager with Process Explorer.
    • Does the process have a verified signature?
    • What is its VirusTotal score?
    • Does it have an icon?
    • Has the file been packed or encrypted?
  • Process Monitor

    • Run as administrator
    • Logs all process activity
    • It has five different types of monitor: Reg Mon for registry events, File Mon for file related events, Net Mon for networking related events, Process Mon for process and thread creation and deletion, and Profile Mon for thread stack snapshots.
    • It supports extensive filtering options; filters can be saved and reloaded.
    • We can drag the target symbol onto a particular window to inspect that process.
  • Autoruns

    • Shows you which programs are configured to run during system boot or login, and when you start various built-in Windows applications.
  • TCPView from Sysinternals, similar to netview but with a GUI

Other Tools

Pentesting

Linux Utilities and Commands

  • Identify machine type: hostnamectl

  • Debsums

    debsums is intended primarily as a way of determining what installed files have been locally modified by the administrator or damaged by media errors and is of limited use as a security tool.

    If you are looking for an integrity checker that can run from safe media, do integrity checks on checksum databases and can be easily configured to run periodically to warn the admin of changes see other tools such as: aide, integrit, samhain, or tripwire.

  • Unhide

Unhide is a forensic tool to find hidden processes

Root Kits

Root Kit Analysis For Linux

Cross Platform System Analysis Tools

OSQuery

System Recovery

Rollback and Cloning

Backup

  • Owncloud
  • Turnkey Linux
  • Digital Ocean

  • Sparkle Share - "SparkleShare creates a special folder on your computer. You can add remotely hosted folders (or "projects") to this folder. These projects will be automatically kept in sync with both the host and all of your peers when someone adds, removes or edits a file."

Hardening

Anti Forensics

Traditional Mechanical Drives

Solid State Drives

Whether deleted data survives on an SSD depends on whether the TRIM command is used in the interface to the drive when erasing. Wear levelling also means some blocks are not erased and data is constantly moved: the controller may leave a block in place and simply mark it as invalid. SSDs also have hidden spare capacity (possibly 10%). This spare area may hold user data that is not visible to the operating system. Use full disk encryption from the start to be certain on SSDs, since wiping after the fact cannot reach these areas.

Avoiding Data Trails

  • Use live operating systems
  • Use portable media for storage
  • Avoid rather than try to destroy afterwards
  • Use encryption

Evidence Elimination Tools

  • bleachbit - includes drive wiping
  • WinApp2 - adds signatures to other tools

Disk Wiping Tools

  • dban
  • Parted Tools

Removing EXIF and Metadata

Many types of files contain metadata: authors, GPS co-ordinates, revision history, comments etc. You can view this metadata under Properties, Details in Windows. EXIF is the metadata found in images and video files.

Meta Data Removal

Camera Noise Identification and Camera Finger Printing

  • Obscuracam

Email Security

Anonymity

Live CDs

VPNS

The Invisible Internet

Deep Fakes

AI libraries for Deep Fake Images and Video

Open Source

Commercial

For Audio

Audio and Video

AI generation

Fact Checking Organisations

  • AFP Fact Check—factcheck.afp.com
  • AP Fact—apnews.com/APFactCheck
  • BBC Reality Check—bbc.co.uk/news/reality_check
  • FullFact—fullfact.org
  • PolitiFact—politifact.com
  • Snopes—snopes.com

Media provenance

  • Content Authenticity Initiative (Adobe)—contentauthenticity.org
  • Digimac—digimap.edina.ac.uk
  • News Provenance Project—newsprovenanceproject.com
  • Pressland—pressland.com

Disinformation detection and protection

  • Amped—ampedsoftware.com
  • AI Foundation—aifoundation.com
  • Bellingcat—bellingcat.com
  • DARPA—darpa.mil
  • EUvsDisinfo—euvsdisinfo.eu
  • The Citizen Lab at the University of Toronto—citizenlab.ca
  • DeepTrace—deeptracelabs.com
  • Jigsaw—jigsaw.google.com
  • NewsGuard—newsguardtech.com
  • Truepic—truepic.com

Social-media analysis

  • Botswatch—botswatch.io
  • Dataminr—dataminr.com
  • Graphika—graphika.com
  • Storyful—storyful.com

Best practice (media)

  • Duke Reporters’ Lab—reporterslab.org
  • Credibility Coalition—credibilitycoalition.org
  • First Draft News—firstdraftnews.org
  • News Literacy Project—newslit.org
  • News Integrity Initiative, Newmark School of Journalism, The City University of New York—journalism.cuny.edu/centers/tow-knight-center-entrepreneurial-journalism/news-integrity-initiative/
  • Nieman Lab, Harvard University—niemanlab.org
  • Partnership on AI—partnershiponai.org
  • Reuters Institute—reutersinstitute.politics.ox.ac.uk

Policy/society

  • Access Now—accessnow.org
  • Alliance for Securing Democracy—securingdemocracy.gmfus.org
  • Anti-Defamation League—adl.org
  • Center for Humane Technology—humanetech.com/problem/
  • Center for Media Engagement, Moody College of Communication, University of Texas at Austin—mediaengagement.org/
  • Cyber Policy Center, Stanford University—cyber.fsi.stanford.edu
  • Data and Society, Disinformation Action Lab—datasociety.net/research/disinformation-action-lab/
  • DeepTrust Alliance—deeptrustalliance.org
  • Digital Forensics Research Lab and DisinfoPortal, Atlantic Council—atlanticcouncil.org/programs/digital-forensic-research-lab/
  • Electronic Frontier Foundation—eff.org
  • Information Disorder Lab, Shorenstein Centre, Harvard University—shorensteincenter.org/about-us/areas-of-focus/misinformation/
  • Internet Observatory, Stanford University—cyber.fsi.stanford.edu/io/content/io-landing-page-2
  • OpenAI—openai.com
  • PEN America—pen.org
  • Partnership on AI—partnershiponai.org
  • The Truthiness Collaboration, Annenberg Innovation Lab, University of Southern California—annenberglab.com
  • Wikimedia—wikimedia.org
  • WITNESS—witness.org
