Tuesday, July 21, 2015

Toolbox for Security Analyst | BlackHatTrick Blog



If you're just getting started in this field, know that half the battle is finding all the tools and understanding what they're best at. Here's my list of the sites I find myself using most and what they're good for:
Website Open Source Intelligence
  • CentralOps Domain Dossier - A nice simple DNS/WhoIs lookup tool.
  • Robtex - Horrible layout, but good information on historical and current DNS records, infrastructure, and finding all sites hosted on a given IP.
  • DNSDumpster - A newcomer, makes a nice graph of subdomains for a given domain.
  • PassiveTotal - Requires being accepted in, but another great source for passive DNS data.
  • URLQuery - Search for the site in question, will give you a picture and all sorts of other awesome data on the site.
  • Page2Images - Get a picture of what a site looks like without going there.
  • Internet Archive - Actual snapshots of many pages at various points in history. Unlike URLQuery, these snapshots are the archived page itself, so they can still be dangerous if captured while an infection was active.
Finding and Researching Malware Samples
  • Malwr - A standard in online dynamic and static analysis, uses the great Cuckoo Sandbox package. Great for submitting samples, even better for using their search terms for OSINT on related samples. Many samples are available for download.
  • Payload Security - A newcomer in online dynamic/static analysis, but so far I like the analysis of samples even better than malwr.com. Once they get more samples submitted this will likely be a contender for best. A unique feature is searching for samples by malware family.
  • VirusTotal - One of the best sources for historical DNS lookups and IP/FQDN/URL reputation. They do basic static analysis and dynamic analysis, HUGE collection of samples.
  • PassiveTotal - Mentioned above, but also great for researching malware domains.
  • URLQuery - Mentioned above, good for testing if a site is infected, much more useful for finding the history of infection on a given website. Snapshots of compromised sites from here can be invaluable to an investigation.
  • VirusShare - A private site that collects LOTS of samples for download, and also offers massive BitTorrent downloads of gigabytes of malware.
  • MalwareViz - A unique site that takes a sample and draws a graph of network and file interactions.
  • KernelMode Malware Forum - A great place to find discussion and samples of most of the malware families.
Software
  • IDA (Free Edition) - Unless you have tons of money, you'll be stuck with the free edition that doesn't support 64-bit code. That's ok, it's plenty good to get started.
  • Hopper Disassembler - The affordable disassembler. It's gotten dramatically more powerful in a short amount of time, and I think it's great for the price.
  • OllyDbg - The standard debugger for Windows programs. Tons of great plugins, use version 1 or 2 depending on the plugins you want to be able to use. There's also a GREAT tutorial series here, it's focused on binary cracking, but the skills involved in that are very similar to reverse engineering malware. It will teach you Olly very quickly.
  • REMnux - A great Linux distro that comes with 95% of the malware analysis tools you'll likely want to use ready to go. Lenny Zeltser, the creator of REMnux, also has an awesome tools catalog organized by task so you can find what you need. P.S. Lenny also runs the SANS Malware Reverse Engineering course, which is great for getting started in this field; I've taken it and can vouch that it's an awesome way to start.
Virtualization
  • Type 2 Hypervisors - What you want for running malware in a safe environment.
    • VMware Workstation/Fusion - The standard, works great, used by many, and can control ESXi if you have it. Windows / OS X
    • VirtualBox - The free virtualization solution, works pretty much just as well as VMware, but sometimes seems not as fast and may have a few fewer features. Windows / OS X / Linux
    • Hyper-V - Comes free with some versions of Windows 8+, can also be used to control a free Windows Hyper-V Server 2012 box. A great option if you want a headless server for VMs and have an extra, decently powerful computer laying around. Windows only.
    • KVM - Perhaps technically a Type 1 hypervisor, this typically runs alongside a host OS and can be run locally or headless, as with Proxmox. A great option if you use Linux as your main OS. There are lots of options for GUI management here depending on how you want to manage it.
  • Type 1 Hypervisors - For advanced setups with lots of VMs and multiple networks.
    • VMware ESXi - An industry standard. The free version is very limited in advanced features, but is ok for making and using basic VMs. It's good to know for professional development, but the downside is that their free management client is Windows only. It's also very picky with hardware: most server hardware will work, but if you try to put this on consumer hardware you might run into trouble. If you want this, try one of the next two options.
    • Proxmox - The free, web-managed ESXi alternative. I love Proxmox; I've written previously about how I currently use it for running Sophos UTM for my home router/firewall. It will work with mostly anything Linux works with. It's slightly less user-friendly than ESXi due to its somewhat lacking documentation, but most problems that aren't specifically solved in the wiki are a quick Google search away.
    • Microsoft Hyper-V Server - Honestly, if you're in an all-Windows environment, this is free and the management portion comes built into Windows, so you should probably try it before anything else. Runs on tons of different hardware since it's Windows. Don't confuse Windows Server with the Hyper-V role installed with the standalone Hyper-V Server: the former is not free, the latter is. Also know that Windows 7 can only control up to Hyper-V Server 2008 R2; you must have Windows 8+ to use Hyper-V Server 2012+.
