You weren't able to make it to Las Vegas this year? Check out these ten short reviews of useful tools for threat intelligence researchers and threat hunters presented at Black Hat USA 2018:
Xori: Automated Disassembly
Malware disassembly can be quite tedious, even with a bells-and-whistles IDA Pro license. If only there was a way to automate all of it. That’s where Xori comes in.
Amanda Rousseau and Rich Seymour created a new automated disassembly platform that’s not only free, but fast. Reverse engineers often come across dozens of sample variants from the same family of malware. Having the ability to dissect all the assembly code and tell the results apart, automated and at a fast pace is something need in their arsenal of tools.
There are two modes in Xori, light and full emulation. Light emulation enumerates all the paths in CPU registers, the stack, and you’ll see some instructions. Full emulation follows the code’s path (shows all the branches of assembly instruction/functions), which is quite beneficial, though costs performance depending on the size of the binary and other factors.
Another beneficial feature of this tool is that it can output all the results in JSON format. Xori has been in development for six months and fully supports i386 and x86-64 instructions. It comes with a browser UI, in case you’re not into using the command line interface. You can download your copy here.
EKTotal: Exploit Kit Detection
Ever heard of VirusTotal? Imagine the same approach, but applied strictly to exploit kit analysis.
EKTotal is a platform developed by Nao Sec that takes in traffic analysis logs (.pcap or .saz files) obtained from tools like Wireshark and warns you if it detects traffic patterns seen in exploit kits like RIG and GrandSoft. Threat intelligence researchers who want to know what exploit kit is being utilized within a malicious landing page will love this tool.
Another beneficial feature EKTotal has to offer is that it lists all the CVEs that a particular exploit kit tries to take advantage of. This feature helps in determining what browser components were responsible for causing the victim’s system to be breached by the landing page. You can download the EKTotal source code here.
RedHunt OS: Adversary Emulation and Threat Hunting
Wouldn’t it be great if we had a dedicated operating system made just for red teams, packed with analysis tools to emulate real scenarios imposed by advanced persistent threats? That’s precisely what Redhunt OS is designed to do.
Redhunt OS developed by Redhunt Labs shows you exactly what your system’s weak points are, by taking advantage of attack emulation tools like Caldera, Atomic Red Team, DumpsterFire, CrackMapExec, Metasploit, and much more. It also includes a variety of threat intelligence tools, among them Yeti and Harpoon.
Think of it like Kali, just not as much on the offensive side, much more on the analysis side. It’s got an impressive attack and defense arsenal of modern tools most threat hunters are already familiar with, all in one platform.
So if you need a tool to assess your company’s security internally, Redhunt OS is perfect. As of the time of this writing, it’s still in beta. Expect more tools to be integrated into the platform as it receives more updates. You can download your copy here
CHIRON: Home-Based Network Analytics & Machine Learning Threat Detection Framework
This framework is designed mostly for IoTs within an internal network. I’m not sure what the future holds, but I’m fairly certain it includes many more internet-connected devices with low or no security. Hardcoded default passwords, lousy firmware, bad gateways… - what about a dashboard that told us about our dangerous environment?
That’s what CHIRON delivers, a toolset developed by jzadeh. Most users whose devices are listed on a site like Shodan.io, which shows all the hidden backend servers and IoT devices around the globe, more than likely don’t know that their living room, WiFi video doorbell, or the kid’s bedroom is live streaming to the internet.
Some probably don’t care - big deal, so what if my fridge is open to everyone on the internet? Online home invaders can quickly pivot from that refrigerator to other devices within the internal network once the IoT “security” hurdle has been taken.
CHIRON aims at closing the knowledge gaps about your company or home network. It parses data from tools like Nmap, P0f, and BRO IDS to provide analytics charts and graphs about more details regarding your internal network. The tool accumulates and displays the data you need to figure out who’s externally connected to the exposed IoT device.
Amazon Echo devices on your network, your smartwatch and your smart light bulbs - they all show up on CHIRON’s panel. What are the users of your network trying to connect to? This tool provides the answer - not just for IoT, but also for servers, workstations and laptops.
CHIRON works with another platform called AKTAION, which is designed for threat detection. This combination provides not only insights into your internal network’s weak spots, but also threat monitoring for threats such as ransomware, exploits, or phishing.
CHIRON is open source and available to download here
MaliceIO: “VirusTotal Wanna Be - Now with 100% more Hipster."
Malice is a platform created by Blacktop LLC, designed to be just like VirusTotal but aimed to be completely open source. Its target audience is anyone from an independent researcher to a “Fortune 500 company”, according to the Github page. It has Docker support, you can install it with homebrew, and it comes with a web UI. Malice sports graphs and charts, a dashboard, and a broad selection of plugins for analysis.
The roadmap for this tool specifies that in future versions, there will be plugin creation documents, a plugin ecosystem (along the lines of how Visual Studio handles extensions), a results API, and much more. The best part about Malice is the fact that unlike VirusTotal, it enables you to run your own variant of it on either a local server or your website.
Malice features many of the capabilities that VirusTotal offers, such as obtaining hashes, detection rates for malware, malware composition, and much more. If you want your own analysis platform instead of VirusTotal, using Malice for more transparency would be a compelling alternative. Get your copy here:
BTA: Open Source Active Directory Security Audit Framework
Stories abound about admins misconfiguring AWS buckets, leaving data exposed to the public internet. We have written about the bigger picture behind those data breaches here.
Which directories are exposed to which user accounts? That admins don’t check frequently enough is one of the reasons behind such incidents. Admins also rarely check folder permissions, and many also never audit to see if specific directories are exposed from outside of the network. Why? It’s tedious.
BTA, a tool developed by the Airbus Group SecLab promises to make the leg work less painful and time-consuming through automation. BTA provides its users with the dirt about the system it’s implemented on. Which users can read which mailboxes? Which user accounts and computers have rights over a given file or object? Who has privileged rights on the system? Which changes have been made between two points in time?
One of BTA’s most valuable features is backdoor detection. If you suspect that your system contains undocumented network entries, it’s a good idea to run BTA and see exactly what you’ve lost track of, or someone else out there might know exactly how to take advantage of such an opportunity.
For BTA to detect changes, users must keep a record of what the system’s integrity seemed before any changes. It’s a simple compare-and-contrast feature but useful for reducing (dangerous) complexity and confusion. For more information and download visit here
DejaVu: An Open Source Deception Framework
What if you wanted to “emulate” a bunch of fake workstations/servers like FTP, SMB, SSH servers in hopes of perhaps catching a rogue bot or snooping agents inside your internal network? Now you can - with DejaVu.
The DejaVu platform, developed by Bhadresh Patel and Harish Ramadoss, lets you create a wide array of network decoy nodes in the form of multiple docker server images. It comes equipped with a convenient network monitoring feature that alerts you in case an adversary decides to interact with any of the decoys.
This handy tool could quickly become a favorite of malware analysts. Why for malware analysts in particular? “Self replicating” malware prefers specific protocols to spread itself from node to node. Some malware likes to engage with different devices and available services that are connected on the same network.
By setting up decoy network nodes, we can capture the malware’s behavior and login attempts when it decides to interact with the decoy nodes. This is ideal also for network admins who want to catch intruders. With DejaVu, you can monitor login attempts on each service and see where they came from for further assessment.
Think of it like a web of honey pots. Or maybe you’re part of your company’s internal network security team, and you want to catch a rogue employee trying to log into multiple OpenSSH servers - with DejaVu you can.
DejaVu comes with an intuitive web UI for management. Its developers recommend that this interface remains wholly isolated from the internal network where the testing/decoys take place. For accurate results, the developers recommend the interface designed for building the decoys to block all outbound connections. That way things outside the network cannot interfere with the decoys within the internal “deception” network. If you want to try out DejaVu for yourself, you can download it here.
Dradis Framework: Learn How to Cut Your Reporting Time in Half
If you’re an InfoSec researcher who’s daunted by the repetitive task of writing dense reports about specific bugs and/or vulnerabilities on your company systems, you’ll likely appreciate Dradis.
Dradis could be described as the Github for reporting bugs. It’s collaborative, you can customize how it presents all the information, it has a methodologies checklist for different projects, and the dashboard is relatively easy to use. What stands out about Dradis is how many existing suits are already integrated, including such popular tools as Metasploit, Nmap, Nikto, Burp Suite, w3af, and many more.
This integration enables the user to quickly combine all the selected tool outputs into a single report, which can speed up the completion of this dreaded task significantly. The community edition of the Dradis project is free; you can download it here.
Snake: The Malware Storage Zoo
Do you belong to the - hopefully shrinking - circle of malware researchers and analysts who irresponsibly store samples in Zip archives? Or not even in Zips - you store the bare executables in folders? Are you similarly disorganized with the rest of your analysis work? No labels, no proper filenames?
You don’t need me to tell you that you’re doing it all wrong. What you may need is a simple and secure storage solution like Snake. Snake integrates multiple APIs and plugins, such as VirusTotal, Hexdump and Cuckoo, to help threat hunters store, organize and analyze malware. It can show you the process, registry and file activity for executables. It also has the ability to dump interesting strings with the correct offsets.
Malware research requires you to be organized and thorough with your analysis, and Snake will help you do all of that. It’s straightforward to set up, and it has a very clean web UI. To download your copy visit here.
This project targets players who need to play “offense”. Warberry PI is ideally suited for red teams. The core objective of this project is to gain as much intelligence as possible in a short amount of time but also doing it quietly. So if you’re into very stealthy and quick hacking, Warberry PI is for you.
It’s important to note that this tool has been around for some time, in fact it was first presented at Black Hat Arsenal 2016 and now again in 2018. This tool does not require you to have a Raspberry PI to run it, but it was made for that purpose. What stands out about Warberry PI is its portability within the family of Raspberry PI hardware.
What makes the Warberry PI stealthy? The tool targets specific, common and easy to exploit services, which reduces the need for scanning for them. Without this tool, assessment scans not only can take too long (especially with a Raspberry PI) but also run the risk of creating too much “noise” = too many opportunities for detection.
The whole point of red teaming is to follow these objectives of speed and stealth. Warberry PI is in its entirety a powerful python script with several parameters. It’s got many attack methods for various protocols like HTTP, FTP, SNMP, SIP, etc. You can download your copy from here.
Five More Notable Tools Spotted in the Black Hat Arsenal 2018:
ASTRA: Automated Security Testing for REST API
POLAR: Accelerating the search for vulnerable functions
ChipWhisperer: Open source toolchain for side-channel power analysis and glitching attacks
Foxtrot C2: A Journey of Payload Delivery
TumbleRF: RF Fuzzing Made Easy
Check out our 2019 Black Hat tool reviews here: 10 Top Tools for Threat Hunters from Black Hat USA 2019
Amir Khashayar Mohammadi is a Computer Science and Engineering major who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors.