A discussion of Zeltser's "Malware Analysis Essentials for Incident Responders" video
Today, I brushed up on my malware analysis and found a fantastic resource for those wanting to learn about malware analysis. Like many things in information security, malware analysis is a culmination of many skillsets. Due to the requirement of all these skills, the topic seems a little unapproachable.
Luckily one of the excellent instructors over at SANs institute, Lenny Zeltser, gave a talk last year at RSA titled “Practical Malware Analysis Essentials for Incident Responders.”
This post will summarise the video content with a little input from my own experiences but, I encourage you to follow the link to the video for a fantastic primer on malware analysis by the always entertaining Lenny Zeltser.
Defcon 28 Videos are out
A little late to the game, but I wanted to encourage everyone to go check out the Defcon videos for this year. For those who don't know, the conference was held virtually this year due to the COVID pandemic but still offered talks and various activities. To get to the videos, just head over to the official Def Con YouTube Channel.
A couple of talks I found interesting or would be interesting to new people are:
DEF CON Safe Mode - Zhipeng Huo, Chuanda Ding - Hack Windows Machines with Printer Protocol
DEF CON Safe Mode - Bill Demirkapi - Demystifying Modern Windows Rootkits
DEF CON Safe Mode - Erik Hunstad - Domain Fronting is Dead, Long Live Domain Fronting Using TLS 1.3
This talk is absolutely incredible. If you have been saddened by the demise of Domain Fronting, weep not: there is a newer, badder version in town, at least until Cloudflare fixes it.
The Bug Hunter’s Methodology Jason Haddix @jhaddix
Jhaddix's update to his seminal Bug Hunter's Methodology. There are a few new tricks in there if you have been following along, and it is a great place to start if you are interested in bug bounty hunting.
Guerrilla Red Team: Decentralize the Adversary - Christopher Cottrell
Filled with great information on a training plan that Christopher used with one of his cohorts. I encourage you to jot down the plan and follow it if you are just starting out. HTB boxes, books and podcasts, oh my.
I haven't been through all of them but I watched ones that I thought would have interesting content based on the title.
My favorite talk was the last one on the list. Such a clever new take on the popular but now neutered Domain Fronting attack. Erik provides a great walkthrough of the previous attack and also a weaponized approach to Domain Hiding, the new version.
Enjoy the talks and let me know what your favorites were.
With the reimaging of The Cyber Union, I am including book reviews and regular blogs about things going on in my life. These articles will not solely focus on technical things, but instead, they will encompass a range of topics that are part of my journey to become better at cybersecurity, finding happiness, traveling, and reaching financial freedom. You know cool stuff like that.
Speaking of books, this blog will be a review on a book I recently bought that came highly recommended in the F.I.R.E circles, also known as Financial Independence Retire Early. One of my favorite bloggers, the infamous Mr.MoneyMustache, even included it in his reading list. The book is called Early Retirement Extreme by Jacob Lund Fisker. I will post a link to the book at the bottom of the blog with the “official” description for easy reference.
Note: This is just a reposting of a previous post. It was the fastest way I could think to move it to a new location.
Network Recon Summary
Nmap is a fundamental tool that most people will use to conduct network reconnaissance against targets. In addition to the networking capabilities, Nmap has a large library of scripts for attacks, enumeration, password attacks and more.
Breaking down the default scan (no options)
$ nmap 192.168.1.1
Note: We will break down the nmap scan one option at a time. After describing each option we will add it to the command and move on. The goal of this process is that you better understand your tools.
TCP SYN scan
An nmap scan with no options defaults to a TCP SYN scan, aka half-open scan, which is the -sS option (nmap -sS <ip>). The scan is said to be stealthier because a completed three-way handshake never occurs ( https://www.techopedia.com/definition/10339/three-way-handshake ). This is what the command would look like:
$ nmap -sS 192.168.1.1
Additional Default Options
In addition, according to the man page, “If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request… These defaults are equivalent to the -PE -PS443 -PA80 -PP options.” The interpreted command without options thus far would look like:
$ nmap -sS -PE -PS443 -PA80 -PP 192.168.1.1
Top 1,000 Ports
As far as port scanning goes, nmap will default to the top 1,000 ports, making the command now as follows:
$ nmap -sS -PE -PS443 -PA80 -PP --top-ports 1000 192.168.1.1
Networking can be summed up with two types of traffic: TCP (stateful) and UDP (stateless). To read about the differences, check out the following link http://www.diffen.com/difference/TCP_vs_UDP . One thing to remember when running UDP scans is that they take much longer to run than TCP scans, which means we don't want to scan all UDP ports. Feel free to scan all 65,535 TCP ports; in CTFs especially, admins like to run services on non-standard ports. Both can be scanned at the same time using the following syntax, where "T:" is for TCP ports and "U:" is for UDP ports:
$ nmap -p T:1-65535,U:161,162 192.168.1.1
Two additional options are needed for good initial reconnaissance: service and service version detection, and operating system detection. These bits of information will guide what other attacks and recon methods you choose to use. One thing to note is that OS detection will not always be accurate, but the information is great if you can get it.
$ nmap -sV -O 192.168.1.1
Starter Syntax
Below is a good start for your Nmap network scan command:
$ nmap -O -sV -p T:1-65535,U:161,162 192.168.1.1
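The "T:"/"U:" port syntax used in the starter command above is easy to get wrong (a stray space or a prefix in the wrong place silently changes what gets scanned). The following is an added example, not code from the original post or from the Nmap project, that expands an nmap-style -p specification into explicit TCP and UDP port sets so you can sanity-check a command before running it. It assumes nmap's rule that a T:/U: prefix applies to every following item until the next prefix, and that unprefixed items apply to both protocols.

```python
import re
from typing import Dict, Set

# Added example: expand an nmap -p port specification such as
# "T:1-65535,U:161,162" into explicit port sets per protocol.
# Assumed semantics (matching the nmap man page): a "T:" or "U:" prefix
# applies to every following item until another prefix appears; items
# with no prefix at all apply to both TCP and UDP.

ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {"tcp": set_of_ports, "udp": set_of_ports} for a -p argument."""
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    current = ("tcp", "udp")  # no prefix seen yet: both protocols
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            current = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
        if not item:
            raise ValueError("empty port item in specification")
        m = ITEM_RE.match(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports


def summarise(spec: str) -> str:
    """One-line summary of how many ports a -p spec will scan per protocol."""
    p = parse_port_spec(spec)
    return f"tcp={len(p['tcp'])} udp={len(p['udp'])}"


if __name__ == "__main__":
    # Constructed input: the -p argument from the starter command above.
    print(summarise("T:1-65535,U:161,162"))  # tcp=65535 udp=2
```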
Hopefully, this has helped you better understand Nmap and how powerful the tool is. Please visit https://nmap.org to learn more and really dig into the great documentation that Fyodor Vaskovich and his team have put together. After you have conquered the basics, don't forget to check out the NSE scripts.
The Cyber Union v2.0
Welcome to the new iteration of The Cyber Union, version 2.0. Sometimes it's simply great to start over, and that is what I have done here. I initially visualized the blog as a place where many people could get together and share information, aka conscript some of my friends to help; however, it has been pretty much a solo adventure except for a few guest blogs.
Since it is just me writing, I decided to turn The Cyber Union into a lifestyle blog to discuss all the facets of life in the infosec world. What this means for the site is that I am going to switch things up a bit. I will be moving away from a purely technical blog to talking about things that go on as part of ordinary life in infosec such as finance and travel in addition to the technical stuff.
My aim is to help people find a better quality of life by:
The idea came for this change over this great period of isolation caused by COVID. I started reflecting on how I can find more freedom to enjoy the world and not be chained to a desk every day. This led to me thinking about hiking the mystical Appalachian Trail (known as the AT) in the eastern United States. My mind is oriented to finding patterns and solving puzzles, so I started to think about how I could get to the point where I can just take six months off (this is how long it takes to hike the AT).
The next logical step in my thought process was money. If I am going to take off half a year, I need to be much better at finances. This was a tough one. Finance advice comes from a variety of sources, all of whom think they have the universal answer. From my research into all the techniques, I settled on the F.I.R.E. method, which seems like financial hacking. Perfect.
The last step was to increase my salary and gain the ability to travel while I work. No problem. I have my own business on top of a day job. By continuously improving my tradecraft and keeping an eye on the cybersecurity practitioner market, I should see a steady increase in wages.
To me, Information Security is a passion. I will never stop. Besides the ability to travel more, my sought-after independence will allow me to research and explore new areas on a whim. Imagine a life where you research and work on projects that you think are interesting, not your boss. Imagine going to all the conferences you can handle to hang out with peers and learn from the best in the industry. Imagine working from anywhere in the world with an internet connection. These are my new end goals, my new driving force.
To tie this new entry for The Cyber Union v2.0 together, I need to switch things up for me to do all this fun stuff. I need to get really good at what I make money at, manage my money better, and prep myself for the six-month journey in the mountains.
This will be a record of my path to freedom, where I will share my thoughts on life, discuss my failures, and share helpful tips along the way.
If you are passionate about the field of cybersecurity, are craving a way to escape the 9 to 5 life, and live to travel, my blog is written with you in mind. Stay tuned for a facelift of the site.