CounterMeasures - Security, Privacy & Trust. CounterMeasures - A Security Blog | Trend Micro’s Rik Ferguson blogs about current security issues.

Detect. Respond. Contain. Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile. With Redline, users can:
Thoroughly audit and collect all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history.
Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
Perform Indicator of Compromise (IOC) analysis.
Want more information about Redline? Check out our M-Unition Blog and User Forums. Current Version: Redline 1.11.1. Release Date: March 11, 2014.

Sandboxie - Sandbox software for application isolation and secure Web browsing.

Word Password Remover - Remove the password from a Word 97/2000/XP/2003 document in a few minutes.

Bulk extractor. Overview: bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, since features that occur more often tend to be more important. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications. bulk_extractor is distinguished from other forensic tools by its speed and thoroughness. Another advantage of ignoring file systems is that bulk_extractor can be used to process any digital media.

Output Feature Files. bulk_extractor now creates an output directory that includes:
ccn.txt -- Credit card numbers
ccn_track2.txt -- Credit card "track 2" information
domain.txt -- Internet domains found on the drive, including dotted-quad addresses found in text.
Report.xml. Post-Processing.

Binwalk - Firmware Analysis Tool. As of 2013-11-15, binwalk is no longer maintained on GoogleCode. The code repository has moved, and all future releases and updates will be posted at binwalk.org. The GoogleCode repository remains for historical purposes only. Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs. It is simple to use, fully scriptable, and can be easily extended via custom signatures, extraction rules, and plugin modules.
Binwalk supports various types of analysis useful for inspecting and reverse engineering firmware, including:
Embedded file identification and extraction
Executable code identification
Type casting
Entropy analysis and graphing
Heuristic data analysis
"Smart" strings analysis
See the screenshots page for sample usage and output. Important bugfix release - Version 1.2.2-1 fixes bugs which, in some scenarios, would cause binwalk to miss file signatures.

Archives. The OpenIOC Framework.

Third Party GeoIP Resources. This page lists some of the 3rd party resources available to help you integrate GeoIP Legacy databases and web services with your applications. MaxMind does not endorse any of these pages and the use of the code in them is at your own risk.
Implementation Basics
Mapping: Set up MaxMind GeoIP C API to work with Google Maps; Usando GeoIP e Google Maps
Geotargeting: Visitor Redirection by Country (PHP - uses 301 redirect)
Modules and Plugins: General; WordPress; TWiki
Spam Filter: Installing Milter-Greylist with GeoIP to control spam - "The Milter-Greylist is a milter to sendmail written in C that implements the greylist filtering system, as proposed by Evan Harris."
Web Services
GSLB (Global Server Load Balancing): BIND GeoIP - A new patch for BIND which extends support to additional MaxMind databases, including GeoIP City and IPv6 GeoIP Country.
Blake's CentOS LAMP Server Guide - sections on AWStats and mod_geoip2
Flash
Google Earth API Resources
CakePHP
Pure Perl
Ruby
mod-geoip
Python
Java (GeoIP Java mailing list)
Erlang
APIs: GeoLite Free Downloadable Databases. New Database Format Available: This page is for our legacy databases. For our latest database format, please see our GeoLite2 Databases.

Databases. IP Geolocation: The GeoLite databases are our free IP geolocation databases. They are updated on the first Tuesday of each month. IP geolocation is inherently imprecise. We publish accuracy statistics for GeoLite City.

Autonomous System Numbers: We offer free databases that map IPv4 and IPv6 addresses to Autonomous System Numbers (ASN), including the names of each Autonomous System.

Support: MaxMind does not provide customer support for free GeoLite databases.

License: The GeoLite databases are distributed under the Creative Commons Attribution-ShareAlike 4.0 International License. We also offer commercial redistribution licensing. Downloads.

Bill Cheswick's Blog Archives. Qube.cc - Website - McAfee Labs Threat Center.
Free Online Virus, Malware and URL Scanner. Is worldaftermidnight.com a safe site? Jsunpack - a generic JavaScript unpacker. Ib-ibi.com | McAfee SiteAdvisor Software. Whois Lookup & Domain Availability Search | DomainTools. Sam Spade tools. ENISA.

Blog. Seasoned malware analysts/reversers/crackers, move along – you already know this stuff. Analyzing malware is always challenging, as there are a few dozen, if not hundreds, of different ways to detect the virtual environment plus the other tools used by reversers during dynamic or in-depth analysis – most of these can be easily picked up by malware looking for process names, registry keys, or using one of the undocumented or semi-documented bugs/features of VMs (usually snippets of code producing different results when executed on a real CPU vs. on a virtual CPU).
This short post describes a few ways to hide a VM (main focus on VMware) and tools – by hiding their files, processes, services and the registry keys/values associated with them.

Changing VM settings. It has been described quite well here.

Hiding Processes only. If you need to hide the process only, you can use HideToolz, available for download from Fyyre’s web site. This is what HideToolz sees (processes marked with an asterisk are hidden).

Fingerprinting: The Complete Documentation. PwnedList. Jeffrey's Exif viewer. FotoForensics. McAfee SiteAdvisor Software – Website Safety Ratings and Secure Search. SiteCheck - Free Website Malware Scanner.

XSS Filter Evasion Cheat Sheet. Last revision (mm/dd/yy): 07/4/2018. This cheat sheet lists a series of XSS attacks that can be used to bypass certain XSS defensive filters.
Please note that input filtering is an incomplete defense for XSS, which these tests can be used to illustrate.

Basic XSS Test Without Filter Evasion. This is a normal XSS JavaScript injection, and most likely to get caught, but I suggest trying it first (the quotes are not required in any modern browser, so they are omitted here):

XSS Locator (Polyglot). The following is a "polyglot test XSS payload":
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Image XSS using the JavaScript directive. (IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principles that would work in other tags as well.)
No quotes and no semicolon.
Case insensitive XSS attack vector.
HTML entities.
Malformed A tags.

CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc. Your PasswordCard - 84,321 printed so far! Archives.

Approximately 1 year ago today, Tim Tomes and I did a presentation on Volume Shadow Copies (VSC) at Hack3rCon II. Hack3rCon^3 just wrapped up, and I’ve officially been shamed into finally publishing the details of the research.
Many of the faithful PDC readers will know most of these details, as some of them were included as pieces of posts on other topics, but I will try to provide a little something new.

Volume Shadow Copies. The Volume Shadow Copy Service (VSS) maintains copies of every 16k block that is changed on an NTFS disk. Then at certain times it packages up all those 16k blocks and puts them into a Volume Shadow Copy (VSC). The times aren’t strictly predictable, but by default it will create a VSC automatically with the installation of new software and patches. Also, a VSC will be created every couple of days on Vista and every couple of weeks on Windows 7.
The date in box 1 is the date on which the VSC was created. Copy \\? Wmic process call create \\. Have fun.

Maltego Part I - Intro and Personal Recon. By Chris Gates, CISSP, GCIH, C|EH, CPTS. According to their web site, “Paterva invents and sells unique data manipulation software. Paterva is headed by Roelof Temmingh who is leading a light and lethal team of talented software developers.”
On May 6, 2008, they released a new version of a very kewl tool named Maltego. “Maltego is an open source intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego allows you to identify key relationships between information and identify previously unknown relationships between them.
It is a must-have tool in the forensics, security and intelligence fields!” Chris Gates’ talk at ChicagoCon 2008, entitled “New School Information Gathering”, touched on many tools and techniques.

The Facts. Where to get it? There is a Free Version and a Commercial Version. Who made it? What is Maltego? Maltego also allows you to:

Security Reference Guide | Maltego: Exploiting the Internet. Last updated May 23, 2003. It has been said that you can learn a lot about a person by the friends he keeps. While a true statement, this idea is stuck in the physical realm. Thanks to the Internet, the concept of learning about a person through peripheral means has grown into a massively valuable and somewhat scary idea.
In this week's update, we are going to look at a program called Maltego and discover how this one application can take a name and, through a series of cascading steps, create a very detailed profile about that person. Maltego represents the latest in how the computer security industry is viewing the value of the mass amounts of data that make up the Internet. In addition to this, Maltego incorporates a weighting system into its application that can help a data analyst recognize when a particular entity has more value than the others — the higher the number, the more likely it is that the piece of information matters. Infrastructure. Personal. Step One — Expanding the Name.

Keyboard Ninja: Concatenate Multiple Text Files in Windows. You have a directory full of log files that you want to import into Excel or a database so you can do some processing on them… but there are hundreds of files… how do you make them into a single file?
Answer: Pull out your DOS hat, open a command prompt, and then use the “for” command. The syntax works something like this:
for <variablename> in (<directorylisting>) do <command> <variablename>
So if you wanted to append all of the *.log files in a directory, you’d use the “type” command and then redirect its output into a single file using the >> operator. The difference between >> and > is that the former appends data to the end of the file, and the latter will completely replace the file, which would be pointless for what we want to do.
So here’s the command you’d run, assuming you are in the directory containing the log files:
for %f in (*.log) do type "%f" >> aggregate.txt
And yes, I actually just used this command for a project at work, which is why I’m writing up this article. =)

History File/Log for Windows Update. Certificate and Client Directory Search | BSI UK. The VERIS RISK FISH | SIRA.
So I've been working on something for a while, with the intent to have it be a SIRA work of art - available to the community via SIRA for IRAs to use and abuse. The idea is relatively simple - take a "Fish" or Ishikawa Diagram (for root cause analysis) and apply it to information risk. So instead of production/manufacturing's categories of People, Methods, Machines, Materials and so forth, all I did was apply VERIS categories of incident classification - and added a "Controls" tree.

I've attached a .pdf file. I've been using it personally for a while, and while it's not really earth-shattering, perspective-changing, risk model-arama - I have found that it can be really useful, almost a risk analyst's swiss army knife. Please let me know what you think. With this email I give it to you, the Society. With that - it's very 1.0.

Reverse IP Lookup - Find Other Web Sites Hosted on a Web Server.
Find other sites hosted on a web server by entering a domain or IP address above. Note: For those of you interested, as of May 2014, my database has grown to over 100 million domain names. I am now offering this domain list for purchase. A reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on that same web server. Data is gathered from search engine results, which are not guaranteed to be complete. IP-Address.org provides an interesting visual reverse IP lookup tool.
Knowing the other web sites hosted on a web server is important from both an SEO and web filtering perspective, particularly for those on shared web hosting plans.

Background. All web sites are hosted on web servers, which are computers running specialized software that distribute web content as requested. While IP sharing is typically transparent to ordinary users, it may cause complications for both search engine optimization and web site filtering.