Saturday, July 16, 2016

Security Resources

Updated November 5th, 2021
There are so many IT security resources on the Internet that it would be impossible to document them all. I curate this page roughly monthly with new things I have found. 

I hope you find something that you didn't know about!

Topics


IP Addresses for use in Documentation

Before I get started on resources, I want to talk about some little-known IP address blocks. Have you ever been watching a movie or TV show where they have a hacker banging away and they show IP addresses like 355.290.400.12?  It really turns me off on the show or movie when that happens. Think CSI-Cyber!

The IETF reserves three IPv4 blocks for documentation (RFC 5737), so a nonsense address isn't necessary. From the RFC: "The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation. Addresses within the TEST-NET-1, TEST-NET-2, and TEST-NET-3 blocks SHOULD NOT appear on the public Internet and are used without any coordination with IANA or an Internet registry [RFC2050]." Because nothing on the Internet should ever answer for these addresses, they are also safe to use in lab configs and in test cases for detection rules.

So, when you are writing a blog on some new nmap script you discovered use one of these blocks!
IPv4 Address Blocks Reserved for Documentation

If you are writing an IPv6 document, the /32 reserved for documentation (RFC 3849) is 2001:DB8::/32.
IPv6 Documentation prefix
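To put these ranges to use, here is an added PowerShell example (mine, not part of the original post) that scans a draft for IPv4 and IPv6 literals and reports any that are not inside the RFC 5737 / RFC 3849 documentation blocks, or that are not valid addresses at all (the Hollywood kind). The sample text at the bottom is constructed; replace it with Get-Content on your own file.

```powershell
# Added example, not part of the original post: lint a draft for IP addresses
# that are NOT in the RFC 5737 (IPv4) / RFC 3849 (IPv6) documentation ranges.
# The sample text below is constructed; point Find-NonDocIp at your own file.

$DocRanges = @(
    '192.0.2.0/24',      # TEST-NET-1
    '198.51.100.0/24',   # TEST-NET-2
    '203.0.113.0/24',    # TEST-NET-3
    '2001:db8::/32'      # IPv6 documentation prefix
)

function Test-InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ip   = [System.Net.IPAddress]::Parse($Address)
    $base = [System.Net.IPAddress]::Parse($net)
    if ($ip.AddressFamily -ne $base.AddressFamily) { return $false }
    $a = $ip.GetAddressBytes(); $b = $base.GetAddressBytes()
    $prefix = [int]$bits
    # Compare one byte at a time until the prefix length is used up
    for ($i = 0; $i -lt $a.Length -and $prefix -gt 0; $i++) {
        $take = [Math]::Min(8, $prefix)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($b[$i] -band $mask)) { return $false }
        $prefix -= $take
    }
    return $true
}

function Find-NonDocIp {
    param([string]$Text)
    # IPv4 dotted quads, plus anything that looks like an IPv6 literal (two or more colons)
    $pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b|(?<![\w:])[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}(?![\w:])'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $candidate = $m.Value
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$parsed)) {
            [pscustomobject]@{ Address = $candidate; Status = 'not a valid address' }
            continue
        }
        $ok = $false
        foreach ($r in $DocRanges) { if (Test-InCidr $candidate $r) { $ok = $true; break } }
        if (-not $ok) {
            [pscustomobject]@{ Address = $candidate; Status = 'outside documentation ranges' }
        }
    }
}

# Constructed sample: two good addresses, one Hollywood address, one real-looking one.
$sample = @"
nmap -sV 192.0.2.10
ssh admin@2001:db8::1
Hollywood: 355.290.400.12
Oops: 10.112.105.100
"@
Find-NonDocIp -Text $sample | Format-Table -AutoSize
```

On the sample this reports 355.290.400.12 as "not a valid address" and 10.112.105.100 as "outside documentation ranges"; the two documentation addresses are silent. Times and colon-separated MAC addresses in a draft also match the loose IPv6 pattern and show up as "not a valid address", which is easy to ignore.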

Twitter 

There are so many good security sources on Twitter it's hard to keep up with the tweets!

My feed is @rikosintie and it is about 95% IT security info. I promise, no more tweeting from Southern Caribbean bars!

@snowden - Edward Snowden
@johullrich - He runs the SANS Internet Storm podcast.
@mikko - This is Mikko Hyppönen from F-Secure
@dakami - This is Dan Kaminsky of DNS fame. Dan passed away in 2021.
@bgpstream - BGP outages. An eye-opening feed.
@schneierblog - The great cryptographer Bruce Schneier
@Routerpwn - A site dedicated to hacking consumer routers
@SCADAhacker - Industrial Control System (ICS) hacking
@langnergroup - Industrial Control System (ICS) hacking
@DarkReading - General security news
@nmap - Low volume tweets about nmap
@KevinMitnick - no introduction needed
@hdmoore - again, no introduction is needed
@briankrebs - a genius at infiltrating the dark net
@Unix-Ninja - Team Hashcat
@InfoSecHotSpot - Your Source For InfoSec News
@CiscoSecurity - Official Cisco Security feed.

Podcasts

I listen to these podcasts on a regular basis. Any podcast app should be able to find them. It is surprising how much you can learn for free by listening to podcasts.

Security Podcasts


  • Brakeing Down Security - Bryan Brake's podcast. Some really good guests appear on this podcast.
  • Brakeing Down Incident Response - Brian Boetcher from Brakeing Down Security discusses Incident Response.
  • Darknet Diaries - Jack Rhysider covers famous hacks and breaches
  • Dark Secret Place - Not an IT podcast but if you want the real story about the world melting down this is the podcast you want.
  • Defensive Security Podcast - A Cybersecurity podcast covering breaches and strategies for defense.
  • Down The Security Rabbithole– Sometimes XXX rated but worth the time.
  • SANS Internet Stormcast - 5-minute daily update. An absolute must!
  • SecurityNow - One of the oldest podcasts on the Internet. Focused more on general security topics than network security but very entertaining. SecurityNow did a series of episodes on Public Key Infrastructure (PKI) and cryptology. It was 10 years ago but the theory hasn't changed. Episodes 30-35 and 37 will get you up to speed on crypto. Episode 456 "Harvesting Entropy" is a must-listen. You can go to http://www.grc.com/securitynow.htm and download the podcast and the transcripts.
  • Paul's Security Weekly - Covers InfoSec news, techniques, technical How-tos, etc.
  • The Social-Engineer Podcast - They can be long-winded but there have been some great episodes. There is one called "Don't Scan me Bro" that is an hour-long interview with the great HD Moore. I can't recommend it enough.
  • Sound Security - Braxton Ehle and Osman Surkatty rant about the latest in information security news to help enterprises and mere mortals defend their information.
  • Standard Deviant Security – cyber security for the truth-seekers, mavericks and square pegs. Blog, and podcast by Tony Martin-Vegue.
  • The Complete Privacy & Security Podcast - This podcast, hosted by Michael Bazzell, will explain how to become digitally invisible.
  • Open Source Security Podcast - Short weekly podcast on open source security
  • Smashing Security - Graham Cluley and Carole Theriault laugh at the state of security
  • Security in Five - short 5-minute daily podcast
  • Unsupervised Learning - Daniel Miessler discusses the state of security  
  • Ubuntu Security Podcast - Canonical employees discuss current patches

General Sysadmin and Linux podcasts

  • 2.5 Admins - Allan Jude, Jim Salter, and Joe Ressington discuss sysadmin topics
  • Art of Charm - How to succeed by understanding human interaction
  • Ask Noah - Noah owns an MSP that converts customers to Linux
  • BSD Now on Jupiter Broadcasting – Allan Jude is a genius and has a great teaching podcast.
  • Destination Linux - weekly dose of Linux goodness. They have a whole network of podcasts now.
  • Command Line Heroes - a Red Hat sponsored podcast on how we got here
  • Home Assistant Podcast - Everything Home Assistant
  • Iron Sysadmin - three Red Hat employees discuss topics of the week
  • Late Night Linux - Joe, Félim and Graham discuss Linux. Can be XXX!
  • Linux Unplugged on Jupiter Broadcasting - a general show on Linux.
  • Linux Action News on Jupiter Broadcasting - a general show on Linux.
  • Linux in the Ham Shack - Ham radio focused podcast
  • Software Gone Wild - Dedicated to software-defined networking
  • TechSNAP on Jupiter Broadcasting - General IT technology podcast.
  • This week in Enterprise Tech - Hosted by Robert Ballecer, Curtis Franklin and Brian Chee.
  • IPv6 Buzz - Podcast on the current state of IPv6 deployments
  • The Network Break - weekly update on who bought who and new network announcements



Cisco specific

Cisco Best Practices to Harden Devices Against Cyber Attacks Targeting Network Infrastructure - Cisco is aware of the recent joint technical alert from US-CERT (TA18-106A) that details known issues that require customers to take steps to protect their networks against cyber-attacks.

Cisco Guide to Harden Cisco IOS Devices - The three functional planes of a network,  the management plane, control plane, and data plane, each provide different functionality that needs to be protected.

Cisco Guide to Harden Cisco IOS XR Devices - This document contains information that will help users secure Cisco IOS XR system devices to increase the overall security of a network.

Cisco TAC Security Show Podcasts
The Cisco Security TAC guys do an occasional podcast. All of them are worth listening to but these three are mandatory in my opinion!


Aruba Specific

I have started deploying a lot of Aruba gear. I am starting to get into the Aruba flow and really like Clearpass and their security products.

Aruba Network Security Fundamentals Webinar - This requires registration but is a 2-hour presentation.

I am also creating a "Cookbook" of Aruba configurations on my github at Aruba Cook Books

Microsoft specific

It's a Microsoft world in the enterprise and you will need to know how certain Windows technologies work to secure or attack Windows machines.

  1. Tracking Lateral Movement Part One - A must-read if you are responsible for AD Security.
  2. Monitoring what matters – Windows Event Forwarding for everyone
  3. Pass the Hash - If you don't know what that means you should read this blog.
  4. Active Directory Security - An outstanding site on AD attacks. 
  5. Domain Admin in Active Directory, Guy Franco - Paul's Security Weekly #520 - Guy shows us how to abuse service accounts to get yourself a golden ticket
  6. Domain Name System (DNS) Information - A site dedicated to Windows Server 2008 AD/DNS
  7. Domain Name System - Microsoft's official DNS documentation site
  8. 'Web Server' Certificate Template not an option on http://server/certsrv
  9. Troubleshooting autoenrollment - Certificate Services Troubleshooting
  10. Certificate Enrollment - The RPC Server is unavailable
  11. Event ID 91 — AD CS Active Directory Domain Services Connection
  12. Linux Essentials for Windows Admins – Basics
  13. Linux to the rescue! How Ubuntu can help a computer in distress
  14. How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
  15. How do you check what version of Server Message Block client a workstation is using on Windows?
  16. Weekend Scripter: Install PowerShell 4.0 in Windows 7
  17. Cheat Sheets to help you in configuring Windows Logging
  18. Avoiding Ransomware with built-in basic changes
  19. How to prevent your computer from becoming infected by CryptoLocker
  20. Attacking Active Directory - A gitlab.io blog on pen testing AD.
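Items 14 and 15 in the list are about SMB versions. As an added PowerShell example (mine, not from Microsoft's articles or from the original post), here is a small audit that shows whether SMBv1 is still enabled, lists the dialect negotiated on every live SMB session, and turns on Microsoft's SMB1 access auditing so you can see which old printers or NAS boxes still need it before you switch it off. It needs an elevated prompt on Windows 8 / Server 2012 or later; the SmbShare cmdlets do not exist on older builds.

```powershell
# Added example, not from the original post or Microsoft's articles: audit SMB
# dialect use on a Windows box before turning SMBv1 off. Run elevated on
# Windows 8 / Server 2012 or later.

function Get-SmbAudit {
    # Server-side protocol switches on this machine
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled      = $cfg.EnableSMB1Protocol
        Smb2Enabled      = $cfg.EnableSMB2Protocol
        Smb1AuditEnabled = $cfg.AuditSmb1Access   # logs SMB1 clients to Microsoft-Windows-SMBServer/Audit, event 3000
    }
}

function Get-SmbDialects {
    # Dialect negotiated on every live session: outbound (this box as the client)
    # and inbound (this box as the server). Anything below 2.x is SMB1.
    Get-SmbConnection | ForEach-Object {
        [pscustomobject]@{ Direction = 'outbound'; Peer = $_.ServerName; Detail = $_.ShareName; Dialect = $_.Dialect }
    }
    Get-SmbSession | ForEach-Object {
        [pscustomobject]@{ Direction = 'inbound'; Peer = $_.ClientComputerName; Detail = $_.ClientUserName; Dialect = $_.Dialect }
    }
}

function Find-Smb1Clients {
    # Clients that reached this server over SMB1 since auditing was switched on
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } }
}

# Step 1: switch auditing on and leave it running for a few weeks
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Step 2: see where you stand today
Get-SmbAudit
Get-SmbDialects | Format-Table -AutoSize
Find-Smb1Clients | Format-Table -AutoSize

# Step 3: when nothing old shows up any more, disable the protocol
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol   # client SKUs
```

The audit log is the part that saves you: disabling SMBv1 by itself breaks the one multifunction printer nobody remembered, while a few weeks of event 3000 entries tell you exactly which devices to fix first.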

Hacking iLo/iDrac/IMM


  1. Risks of Using the Intelligent Platform Management Interface (IPMI) - US-CERT warning
  2. IPMI: The most dangerous protocol you've never heard of
  3. Hacking IPMI Cipher 0 Using Kali Linux
  4. A Penetration Tester's Guide to IPMI and BMCs - HD Moore's guide to hacking IPMI
  5. IPMI++ Security Best Practices
  6. HewlettPackard/PowerShell-ProLiant-SDK
  7. Scripting Tools for Windows PowerShell User Guide iLO cmdlets v1.4
  8. PowerShell cmdlets for HPiLO boards V1.2.0.0
  9. About Execution Policies
  10. supermicro-ipmi-conf - NMAP script to pull Super Micro credentials
  11. Owning Dell DRAC for ONE AWESOME HACK!

Password Cracking

How I became a password cracker - A good Ars Technica article on using Hashcat.

Hashcat home page - Be sure to read as much of the wiki as possible. There is a wealth of information in the wiki.

Building a Password Cracking Rig for Hashcat
Building a Password Cracking Rig for Hashcat - Part II

Below is a great three-part blog series on cracking IKE on Cisco ASA. If you are responsible for securing a VPN (Cisco, SonicWall or other) you should read these posts.

August 3rd, 2016 Update: Cisco wins Pwnie at Blackhat
Pwnie for Best Server-Side Bug - Cisco's ASA (Ancient Security Architecture) firewalls had a vulnerability in their IKE fragment re-assembly that permitted remote unauthenticated heap memory corruption.

Make sure you know how to use this!

The RADIUS protocol 

Using RADIUS or TACACS+ for device authentication is a Cisco best practice. Keep in mind that classic RADIUS only obfuscates the User-Password attribute (an MD5 construction keyed with the shared secret); the rest of the packet travels in the clear over UDP, so use long random shared secrets and carry RADIUS over IPsec or RadSec (RADIUS over TLS) where you can. Here are two links that discuss the weaknesses in the RADIUS protocol:

And one on using an evil twin access point to capture 802.1X (MSCHAPv2) password hashes

Keepass

A Case Study in Attacking KeePass - A great blog on attacking KeePass with PowerShell and hashcat 3.0.
KeePass Cross-Platform Community Edition - KeePassXC, a fork of KeePassX, with support for YubiKey.
Powershell to find KDB files - I wrote a simple PowerShell script to find KeePass database files on all attached drives on a Windows machine.

Nmap

My first Python script was a wrapper for my most used nmap scripts. It saves me a lot of time when I'm scanning for specific information. It's free/Open Source and available here: Python Wrapper for nmap

I also recommend subscribing to the nmap mailing list. It is very active and you will get advanced notification of new scripts and ideas for nmap. Subscribe here: https://nmap.org/mailman/listinfo/dev

Linux Specific




Wireshark

WYSIWYG Network Packet Editor: WireEdit - A full-stack WYSIWYG network packet editor.
Sharkfest 2013 - Inside the TCP Handshake (Betty DuBois) - A great introduction to TCP

Powershell

Microsoft open-sourced its scripting language, PowerShell. For a security professional this is good news, as you can write a script once and run it on Windows, macOS, or Linux.

Installing Powershell
Windows
PowerShell is built in: tap the Windows key, type PowerShell, and select the PowerShell terminal or the PowerShell ISE.

Linux
On Ubuntu, I prefer to use snapd to install PowerShell. Simply open a terminal and run

sudo snap install powershell --classic

Microsoft has instructions for installing using APT at this link - Installing PowerShell on Linux

Running PowerShell
After you have Powershell installed, open a terminal and enter pwsh.


macOS
I have a blog on installing and using PowerShell on macOS here

Now that you have PowerShell installed you can use this one-liner from Black Hills Information Security on macOS, Linux, or Windows to check which outbound TCP ports your network lets out. It tries ports 1-1024 against allports.exposed, a BHIS host that listens on every TCP port, so any port that comes back "closed" is being blocked on the way out (or timed out).

You can read about it here

1..1024 | ForEach-Object {
    $client = New-Object System.Net.Sockets.TcpClient
    # allports.exposed answers on every TCP port, so "closed" means the egress filter (or the 250 ms timeout) stopped it
    $async  = $client.BeginConnect("allports.exposed", $_, $null, $null)
    $null   = $async.AsyncWaitHandle.WaitOne(250, $false)
    if ($client.Connected) { "$_ open" } else { "$_ closed" }
    $client.Close()
}


Running Powershell on macOS
Open a new tab in terminal and enter:
pwsh 

Here is a link to a simple PowerShell script I wrote to create DHCP reservations for printers. It ran perfectly on macOS:

A simple script to create DHCP reservations for a Windows Server.
Today I needed to create DHCP reservations for some Access Points. I had the script above but I wanted to read the data from a CSV file. Here is the script modified to read the data from a CSV file.

# dhcp-csv.ps1 - print one netsh reservation command per row of DHCP.csv
# (columns: IP, MAC, AP-Name). The commands are printed, not executed, so the
# script can run on macOS/Linux and the output pasted into a Windows shell.
param([string]$server = "server", [string]$scope = "scope")

$rows = Import-Csv DHCP.csv
foreach ($item in $rows) {
    $ip   = $item.IP
    # netsh takes the MAC as a bare hex string, so strip colons (and dashes) if present
    $mac  = $item.MAC -replace '[:-]'
    $name = $item."AP-Name"
    Write-Host "netsh dhcp server $server scope $scope add reservedip $ip $mac $name"
}


I created an Excel sheet with the columns IP, MAC and AP-Name and saved it as DHCP.csv:


Notice that the first MAC address doesn't have colons. When I get an asset sheet from my office the MAC addresses don't have colons. The script removes colons if they are there.


Here is the output:

PS /Users/mhubbard/GoogleDrive/Test/configs> ./dhcp-csv.ps1 -server 192.168.10.221 -scope 10.112.105.0
netsh dhcp server 192.168.10.221 scope 10.112.105.0 add reservedip 10.112.105.100 a44c1138fa5b AP1
netsh dhcp server 192.168.10.221 scope 10.112.105.0 add reservedip 10.112.105.101 04d5900e779b AP2
netsh dhcp server 192.168.10.221 scope 10.112.105.0 add reservedip 10.112.105.102 b0faebdde8a6 AP3
netsh dhcp server 192.168.10.221 scope 10.112.105.0 add reservedip 10.112.105.103 a44c1138fa59 AP4
netsh dhcp server 192.168.10.221 scope 10.112.105.0 add reservedip 10.112.105.104 5057a86e4b49 AP5

I know that you could do the same thing in Python. But most customers are on Windows and Python isn't installed by default but PowerShell is. If you use PowerShell you can give the script to any Windows user and they can run it.

Note: Guido van Rossum, the inventor of Python, now works at Microsoft! Maybe Python will be installed by default in the future.


Using Visual Studio Code to create PowerShell scripts
The PowerShell ISE isn't available on Linux/macOS but Microsoft has a plugin for Visual Studio Code. The link to how to install the plugin is in the references below.

This article gives some tips on writing PowerShell scripts that work on Windows/Mac/Linux


This blog was my motivation for learning some PowerShell

I extended Matt's script to look at all mounted drives - hard drives, USB flash drives, network shares. During testing, I mounted some old flash drives and laptop drives. I found 8 or 10 KeePass databases that I had thought were lost forever.
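The KeePass finder mentioned in the Keepass section and extended above is the author's own script and is not reproduced on this page. As an added example of the same idea (mine, not the author's code), here is a PowerShell function that walks every mounted filesystem drive for .kdb/.kdbx files and uses the KeePass file signatures to tell a real 1.x or 2.x database from a stray file with the right extension. It assumes read access; paths it cannot read are skipped rather than stopping the scan. The demo file at the end is constructed so the function can be tried without a real database.

```powershell
# Added example (mine, not the author's script): find KeePass databases on
# every mounted filesystem drive and report which KeePass format each one is.
# Assumptions: the file signatures below are the documented KeePass 1.x/2.x
# magic numbers; unreadable paths are skipped rather than aborting the scan.
function Find-KeePassDatabase {
    param(
        # Default: every PSDrive of the FileSystem provider (C:, D:, mapped shares on
        # Windows; '/' on macOS and Linux, which walks the whole tree and takes a while)
        [string[]]$Root = (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root)
    )
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.kdb', '.kdbx' } |
            ForEach-Object {
                $file = $_
                $buf  = New-Object byte[] 8
                try {
                    $fs = [System.IO.File]::OpenRead($file.FullName)
                    $null = $fs.Read($buf, 0, 8)
                    $fs.Dispose()
                } catch { }
                # First 8 bytes: 0x9AA2D903 then 0xB54BFB65 (1.x) or 0xB54BFB67 (2.x), little-endian
                $kind = switch ([BitConverter]::ToString($buf)) {
                    '03-D9-A2-9A-65-FB-4B-B5' { 'KeePass 1.x' }
                    '03-D9-A2-9A-67-FB-4B-B5' { 'KeePass 2.x' }
                    default                   { 'extension only, magic not matched' }
                }
                [pscustomobject]@{
                    Path      = $file.FullName
                    SizeKB    = [math]::Round($file.Length / 1KB, 1)
                    LastWrite = $file.LastWriteTime
                    Format    = $kind
                }
            }
    }
}

# Constructed sample so the function can be tried without a real database:
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'keepass-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$magic2x = [byte[]](0x03, 0xD9, 0xA2, 0x9A, 0x67, 0xFB, 0x4B, 0xB5, 0, 0, 0, 0)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'vault.kdbx'), $magic2x)
Find-KeePassDatabase -Root $demo | Format-Table -AutoSize

# Real scan of everything that is mounted:
# Find-KeePassDatabase | Export-Csv keepass-files.csv -NoTypeInformation
```

The signature check matters on a pentest as much as on your own laptop: a renamed .kdbx still passes, and a 2.x database is the one worth feeding to hashcat's KeePass mode.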



Reference


VMware PowerCLI

ESXi is the most popular hypervisor in the enterprise. VMware has a module for PowerShell called PowerCLI. It exposes almost everything that you can do in VMware. I have used it to slipstream a Realtek network driver into the installer so that I could use a NUC-like computer to run ESXi.



Pen Testing


Top Five Ways SpiderLabs Got Domain Admin on Your Internal Network
Scapy and Snort, Packet Peanut Butter and Jelly - Packet creation and SNORT sigs
So You Want to be a Hacker 2021 edition


SANS Articles
Egress Filtering? What - do we have a bird problem? - Why you should block outbound ports
Who inherits your IP address? - Along these same lines, when you decommission a server that had rules on the firewall, make sure you delete the firewall rules. I have seen an internal server exposed to the Internet by mistake this way.
Administrator's Password Bad Practice


Books

These are all Kindle books. I like a good thick paperback book as much as the next IT guy but with Kindle books, I can carry my complete library with me on my iPhone, iPad, or laptop.

  • The Hacker Playbook: Practical Guide To Penetration Testing Kindle Edition by Peter Kim  - This book is an absolute must-read if you want to understand how a Windows box gets hacked. I would go so far as to say it was an epiphany for me. The chapters on Social Engineering and Open Source Intelligence (OSINT) really opened my eyes. Peter has released The Hacker Playbook 2 and 3 now. I would still recommend the original if you are just starting out. It's available on Kindle for $15.
  • The Linux Command Line Beginner's Guide Kindle Edition - Jonathan Moeller - A good introduction to the Linux command line.
  • The Ubuntu Beginner's Guide - Seventh Edition Kindle Edition by Jonathan Moeller - A good introduction to Ubuntu.
  • Nmap 6 Cookbook: The Fat-Free Guide to Network Security Scanning by Nicholas Marsh - Nmap is the tool I use the most and this is a great reference to it. Nmap is up to version 7 but everything in this book is still useful.
  • CEH v9: Certified Ethical Hacker Version 9 Study Guide - Sean-Philip Oriyano. A really good read. I couldn't put it down and ended up buying the practice test book to go with it.
  • Python: Learn Python in One Day and Learn It Well by Jamie Chan - Learning Python is mandatory for a security specialist or even an outstanding network engineer. This book is an easy-to-follow introduction to Python.
  • Basic Security Testing with Kali Linux Third Edition - Daniel Dieterle. A really good introduction to Security Testing with Kali. 
  • Wireshark Network Analysis (Second Edition): The Official Wireshark Certified Network Analyst Study Guide - A deep dive for Wireshark.

  • Influence - Robert Cialdini. I have it on Audible. Great book on "compliance science". I know it sounds creepy but it will help your career for sure. The book was written as a textbook so it is a bit of work to follow.
  • Pre-Suasion - Robert Cialdini. I have it on Audible. The follow-up to Influence. This one is easier to follow than Influence.
  • Social Engineering: The Science of Human Hacking - The great Chris Hadnagy's update to his classic book on social engineering.
  • Learn MySQL in a Day - Jamie Chan. An easy-to-read book that will jump-start your MySQL learning.
  • Automate the Boring Stuff with Python - Practical Programming for Beginners - Al Sweigart. 
  • SSH Mastery - Michael Lucas. A great book that explains everything about SSH. There is a lot more to SSH than PuTTY!
  • Building a Pentesting Lab for Wireless Networks
  • Burp Suite Cookbook - Sunny Wear
  • Kali Linux Web Penetration Testing Cookbook - Gilberto Nájera-Gutiérrez

Google Dorking

In The Hacker Playbook Peter covers Google Dorking in depth. If you haven't bought it yet here are a couple sites that will get you up to speed. The Google Dorking skills will make your searches much more productive. Recently, I scanned a website with a 
Google Dork - A tech target intro to syntax
Google Hacking Database (GHDB) - Huge database of Google Dork commands
Advanced Google Search Tricks - A very good article on Dorking

For example, if I want to search for PDF files but only on flowserve.com  I can enter

site:flowserve.com filetype:pdf

The results will be any PDF file that is on flowserve.com.

You can use just the site: or just the filetype: keyword depending on what you are searching for.

Security Related Web Sites

LogRhythm has a great page with links to dozens of security resources - Top Cybersecurity Resources for Students and Professionals

  1. Security Now Episodes by category
  2. CVE Details - The ultimate security vulnerability data source
  3. Cryptography Engineering - Matthew Green's Blog
  4. Digital Shadows Blog
  5. Down The Security Rabbit Hole podcast home page
  6. Emergent Chaos - General IT security blog
  7. Erratasec - Advanced persistent cybersecurity
  8. Graham Cluley's blog - A Brit, but don't let that keep you away!
  9. Infospectives - Straight Forward Security
  10. The Irari Report - A Youtube Channel for Security
  11. Journey into IR - Digital forensics and incident response
  12. Kaspersky Lab Securelist
  13. Liquid Matrix Podcast homepage
  14. Malwarebytes Blog
  15. Naked Security - The Sophos Blog
  16. On the Wire podcast homepage
  17. Risky Business - It's a jungle out there
  18. SANS StormCast - InfoSec podcasts. Great 5-6 minute daily podcasts.
  19. SANS InfoSec Diary Blog Archive  - A great resource for vulnerabilities
  20. SSH Fingerprints Are Important - I got published here! See the last comment. You can see my username on my Mac - [mhubbard@1s1k-do .ssh]
  21. Security Ledger - IoT Focused Security
  22. The Southern Fried Security Podcast - A security podcast designed to fill the gap between the technical security podcasts and Security Now
  23. The Standard Deviant - Home of the SD podcast
  24. Symantec's Blog
  25. TechNet JE Payne - An MS focused security blog
  26. Trend Micro Security Intelligence blog
  27. Tripwire's Blog
  28. Troy Hunt's Home Page
  29. Uncommon Sense Security blog - Jack Daniel's blog
  30. Vectranetworks - Cyber security information center
  31. Veracode's AppSec Blog


Privacy

I made this a separate category because most of the IT security websites and blogs focus on penetration testing and vulnerabilities. The sites in this list are focused on making you invisible or less visible on the Internet and protecting your privacy.

intel techniques - This is Michael Bazzell's site. He has a podcast on privacy that is very good. Michael and the hosts/guests take it to a level that is way beyond what I need, but I almost always learn something useful from each episode.

Custom Linux builds for privacy - They did a podcast for privacy-focused Linux distros. They discuss Buscador along with other distros.

Your Ultimate Security Guide - Justin Carroll's website on privacy and security.

Troy Hunt's have I been pwned -  A site where you enter your email address and it checks to see if you are in any of the breaches that Troy tracks.

hacked emails - A site similar to Troy Hunt's "Have I been Pwned". It never hurts to have options when it comes to checking your email addresses for breaches.

Compromised Accounts for OSINT and Digital Security - One of Bazzell's blogs on email breaches.

GRC SSL Cert Fingerprints - More and more companies are using Man in the Middle (MiTM) appliances so that they can inspect TLS-encrypted traffic. This site displays the fingerprint of a site's certificate as seen from GRC; compare it with the fingerprint your own browser shows and, if they differ, something between you and the site is terminating TLS. One caveat: sites behind CDNs or with several certificates in rotation can legitimately show different fingerprints from different vantage points, so a mismatch is a reason to look at the issuer, not proof by itself.
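To do the comparison from the command line rather than the browser, here is an added PowerShell example (mine, not from the original post or from GRC) that opens a TLS connection to a host and prints the subject, issuer and SHA-1/SHA-256 fingerprints of the certificate your machine actually receives. It needs network access to the host you name; certificate validation is deliberately switched off so that an interception appliance's certificate is displayed instead of rejected.

```powershell
# Added example (mine, not from the original post or from GRC): fetch the
# certificate your machine actually receives from a TLS server and print its
# SHA-1 (what GRC shows) and SHA-256 fingerprints for comparison with GRC's page.
# Needs network access to the host you pass in. Validation is deliberately
# disabled so an interception appliance's certificate is shown rather than
# rejected; do not reuse that callback anywhere else.
function Get-ServerCertFingerprint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept any certificate: we only want to look at it, not trust it
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)    # sends SNI for $HostName
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer     # a corporate CA here means a MiTM appliance is terminating TLS
            NotAfter = $cert.NotAfter
            SHA1     = $cert.Thumbprint
            SHA256   = ([BitConverter]::ToString($sha256) -replace '-')
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

Get-ServerCertFingerprint -HostName grc.com
```

Run it from the network you suspect and from one you trust (a phone hotspot, for instance) and compare the Issuer and SHA1 columns; the Issuer is usually the quicker tell, because an inspection appliance signs with an internal CA that GRC will never see.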

sync.me - An app to detect spam calls. Also allows you to look up unknown numbers from calls and texts.

Private Internet Access - A VPN provider. You should NEVER use the free WiFi at coffee shops or airports without a VPN, and remember that a VPN only moves the trust from the coffee shop to the provider, which is why its logging policy matters. There are a lot of VPN providers now but many of them are new and untested. PIA has been around for a while and has a good reputation for NOT keeping logs and for accepting anonymous gift cards from Starbucks, Walmart, Best Buy and hundreds of others for payment.

sudoapp.com - From the home page "Have up to 9 Sudo avatars for free. Each includes a custom phone number, email address, private browser and SudoPay virtual cards."