Cybersecurity

OpenVAS

Installation

Docker
mkdir openvas-data
docker run -d -p 9392:9392 -e PASSWORD="Your admin password here" -v $(pwd)/openvas-data:/data --name openvas immauss/openvas


Kali Linux

HowTo

Update the feed



Nessus

Tutorials

Free license edition

Installation

Install on RedHat 8
  1. Request a free Nessus Essentials activation code from the official website.
  2. Download the Nessus installer Nessus-10.1.2-es8.x86_64.rpm from the official website.
  3. Update the operating system first: dnf update
  4. Install the RPM: rpm -ivh Nessus-10.1.2-es8.x86_64.rpm
  5. Log in to the web UI at https://server.ip:8834
  6. Enter the activation code and create the login account and password.
  7. Done.

Install with Docker

DockerHub: https://hub.docker.com/r/tenableofficial/nessus 

docker pull tenableofficial/nessus:<version>

docker run --name "nessus-pro" -d -p 8834:8834  -e ACTIVATION_CODE=<activation code> \
-e USERNAME=admin -e PASSWORD=admin tenableofficial/nessus:<version> 

Update the Nessus core application

Offline
  1. Download the latest Nessus: Download Nessus | Tenable®
    NOTE: If the old version was installed with RPM, the upgrade must also be done with RPM.
  2. Upload the update file to the Nessus host and perform the update.

Update via RPM

rpm -Uvh Nessus-10.4.1-es8.x86_64.rpm
systemctl stop nessusd
systemctl start nessusd

Online

/opt/nessus/sbin/nessuscli update

Check the current version

Nessus Admin > Settings > About

Update the plugins

Online

/opt/nessus/sbin/nessuscli update --plugins-only

Offline

For the free license

NOTE: An activation code that has already been registered cannot be used to obtain the plugin download link a second time. You must request a new activation code and then follow the procedure below to obtain the latest plugin download link.

  1. Request a new Activation Code (NOTE: only by using this link will you receive the email notification immediately)
  2. Obtain the Challenge Code from the existing Nessus host.
  3. Use the data above with the link below to download the latest plugin update file; go to: https://plugins.nessus.org/v2/offline.php (TIP: besides the plugin update file all-2.0.tar.gz, the page also provides license file information, which is not needed in this case)

Obtain the Challenge Code (NOTE: the Challenge Code is reset every time the system restarts)

/opt/nessus/sbin/nessuscli fetch --challenge

Upload the plugin update file to the host and apply it

/opt/nessus/sbin/nessuscli update all-2.0.tar.gz

Confirm the plugins have been updated

Nessus Admin > Settings > About 

Notes:

  1. After the update command completes, the system still needs several minutes to finish the update in the background; watch the CPU load to confirm it has finished.
  2. Existing scans will not pick up the new plugins; they must be deleted and recreated before the new plugins are applied.

Re-register the license

Re-register with the new license file

FAQ

Error when updating plugins

Error: failed to write decompressed tar archive * Failed to update from all-2.0.new.tar.gz.  Invalid manifest.

Solution: check that the /opt/nessus directory has enough free space.

Fixing plugin #51192 (SSL Certificate Cannot Be Trusted)

For websites or services that use self-signed certificates, you can use the Custom CA feature to import your own root certificate into Nessus.

TIP: The root certificate must be in PEM format (Base64 encoded): the text starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

Nessus Web > Settings > Custom CA

-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
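Two checks worth running before touching a production Nessus host: enough free space under /opt/nessus before applying a plugin archive (the "Invalid manifest" error in the FAQ above is what running out of space looks like), and the format of a root certificate before pasting it into Settings > Custom CA. This is an added example written for these notes, not Tenable's code; it uses only the Python standard library, the 2 GiB threshold is an assumed value, and SAMPLE_PEM is a constructed DER SEQUENCE wrapped in PEM markers, not a real CA.

```python
"""Pre-flight checks for an offline Nessus plugin update and a Custom CA import.
Added example, not part of Nessus; standard library only."""
import base64
import binascii
import re
import shutil

# Assumed threshold: the notes only say "enough free space"; 2 GiB is our own choice.
DEFAULT_REQUIRED_BYTES = 2 * 1024 ** 3

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def free_space_ok(path="/opt/nessus", required_bytes=DEFAULT_REQUIRED_BYTES):
    """Return (ok, free_bytes) for the filesystem that holds `path`."""
    free = shutil.disk_usage(path).free
    return free >= required_bytes, free


def _der_total_length(der):
    """Total length of a DER element from its tag/length header, or None if malformed."""
    if len(der) < 2:
        return None
    first = der[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_pem_certificates(text):
    """Return the DER bytes of each certificate block in `text`.

    Raises ValueError for the things Nessus will reject as a Custom CA:
    missing BEGIN/END markers, a body that is not valid Base64, or a body
    that does not decode to one DER SEQUENCE (tag 0x30) of the right length.
    """
    bodies = PEM_BLOCK_RE.findall(text)
    if not bodies:
        raise ValueError("no -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- block found")
    certs = []
    for index, body in enumerate(bodies, 1):
        compact = "".join(body.split())      # PEM wraps Base64 at 64 columns
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {index}: body is not valid Base64 ({exc})") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"block {index}: decoded data is not a DER SEQUENCE")
        if _der_total_length(der) != len(der):
            raise ValueError(f"block {index}: DER length does not match the decoded size")
        certs.append(der)
    return certs


# Constructed sample: a minimal DER SEQUENCE (30 03 02 01 01) in PEM markers, not a real CA.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    ok, free = free_space_ok("/", 1)
    print(f"free space check: {'ok' if ok else 'LOW'} ({free} bytes free)")
    print("sample PEM decodes to", len(extract_pem_certificates(SAMPLE_PEM)), "certificate(s)")
```

Run it on the host before the offline update, and pass the PEM file's contents to extract_pem_certificates before pasting them into the Custom CA field; the checks only validate encoding and DER framing, so a certificate that passes can still be the wrong CA for the scanned service.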



Learning

Government sites

Security sites

Site                Description
shodan.io           Search engine for internet-connected devices.
censys.io           Search platform for internet device and network asset information.
hunter.io           Tool for finding email addresses associated with a given domain.
fullhunt.io         Automated attack surface management and vulnerability discovery platform.
onyphe.io           Network asset search and cybersecurity information gathering engine.
socradar.io         Real-time cyber threat intelligence and digital risk protection service.
binaryedge.io       Internet-wide scanning and network risk assessment platform.
ivre.rocks          Open source network reconnaissance framework.
crt.sh              Database for searching and querying SSL/TLS certificates.
vulners.com         Comprehensive vulnerability database and security content repository.
publicwww.com       Source code search engine for finding specific snippets in web page source.
pulsedive.com       Threat intelligence and cybersecurity data aggregation platform.
intelx.io           Multi-source open source intelligence (OSINT) search and analysis tool.
wigle.net           Wireless network database and mapping service.
viz.greynoise.io    Platform for analyzing and visualizing internet noise and malicious activity.

Security Platform

Threat Intelligence

Detection & Analysis Tools

AI Cybersecurity

Security Jobs

Interview

Security Websites

CVE Database
Vendor
Government
Security Organization
Security Online Tools

NCHC (National Center for High-performance Computing)

Cyber Attacks

cyber_attacks.jpg

Suricata

Introduction

Suricata is a high performance, open source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets.

Suricata is far more than an IDS/IPS.

Suricata features

There are three main ways Suricata can be used:

Signatures (Rules)

Suricata uses signature analysis, a detection method used to find events of interest. Signatures consist of three components: the action, the header, and the rule options.

Here's an example of a Suricata signature:

Suricata-signature.png

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET on wire"; flow:established,to_server; content:"GET"; http_method; sid:12345; rev:3;)

Action

Note that the drop action also generates an alert, but it drops the traffic. A drop action only occurs when Suricata runs in IPS mode.

The pass action allows the traffic to pass through the network interface. The pass rule can be used to override other rules. An exception to a drop rule can be made with a pass rule. For example, the following rule has an identical signature to the previous example, except that it singles out a specific IP address to allow only traffic from that address to pass:

pass http 172.17.0.77 any -> $EXTERNAL_NET any (msg:"BAD USER-AGENT"; flow:established,to_server; content:!"Mozilla/5.0"; http_user_agent; sid:12365; rev:1;)

The reject action does not allow the traffic to pass. Instead, a TCP reset packet will be sent, and Suricata will drop the matching packet. A TCP reset packet tells computers to stop sending messages to each other.

Note: Rule order refers to the order in which rules are evaluated by Suricata. Rules are loaded in the order in which they are defined in the configuration file. However, Suricata processes rules in a different default order: pass, drop, reject, and alert. Rule order affects the final verdict of a packet.

Header

$HOME_NET is a Suricata variable defined in /etc/suricata/suricata.yaml that you can use in your rule definitions as a placeholder for your local or home network to identify traffic that connects to or from systems within your organization.
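The three components above (action, header, rule options) and the rule-order note can be checked mechanically. The following is an added example written for these notes, not code from the Suricata project: it splits a signature into its components, takes care that a semicolon inside a quoted content value does not end an option, and applies the default pass, drop, reject, alert order to decide which of several matching rules wins. The two rules from this page are used as sample input; the helper names (parse_rule, option, has_option, final_verdict) are this example's own.

```python
"""Split a Suricata signature into action / header / options and resolve the
default rule order (pass, drop, reject, alert). Added example, not Suricata code."""
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>pass|drop|reject|alert)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$",
    re.S,
)

# Suricata's default evaluation order: a matching pass rule beats drop, drop beats reject, ...
ACTION_ORDER = {"pass": 0, "drop": 1, "reject": 2, "alert": 3}


def _push(pairs, buf):
    """Turn one raw 'key:value' token into a (key, value) pair; bare keywords get None."""
    token = "".join(buf).strip()
    if not token:
        return
    key, sep, value = token.partition(":")
    if not sep:
        pairs.append((key.strip(), None))
        return
    value = value.strip()
    negate = value.startswith("!")           # content:!"..." means "does not contain"
    core = value[1:] if negate else value
    if len(core) >= 2 and core[0] == core[-1] == '"':
        core = core[1:-1]
    pairs.append((key.strip(), ("!" + core) if negate else core))


def split_options(option_text):
    """Split 'key:value; key; ...' on semicolons that are outside double quotes."""
    pairs, buf, in_quotes, escaped = [], [], False, False
    for ch in option_text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            _push(pairs, buf)
            buf = []
        else:
            buf.append(ch)
    _push(pairs, buf)
    return pairs


def parse_rule(text):
    """Return {'action', 'header': {...}, 'options': [(key, value), ...]}; ValueError if malformed."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a recognisable Suricata rule: " + text[:60])
    options = split_options(m.group("options"))
    if not any(k == "sid" for k, _ in options):
        raise ValueError("rule has no sid option")
    header_keys = ("proto", "src", "src_port", "direction", "dst", "dst_port")
    return {"action": m.group("action"),
            "header": {k: m.group(k) for k in header_keys},
            "options": options}


def option(rule, key):
    """First value of an option (options such as content may repeat); None if absent or bare."""
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def has_option(rule, key):
    return any(k == key for k, _ in rule["options"])


def final_verdict(matching_rules):
    """Given the parsed rules that all matched one packet, return the winning action.

    Rule order, not file order, decides: pass beats drop beats reject beats alert.
    """
    if not matching_rules:
        return None
    return min((r["action"] for r in matching_rules), key=ACTION_ORDER.__getitem__)


# The two signatures quoted on this page.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET on wire"; flow:established,to_server; '
    'content:"GET"; http_method; sid:12345; rev:3;)',
    'pass http 172.17.0.77 any -> $EXTERNAL_NET any (msg:"BAD USER-AGENT"; flow:established,to_server; '
    'content:!"Mozilla/5.0"; http_user_agent; sid:12365; rev:1;)',
]

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in SAMPLE_RULES]
    for rule in parsed:
        print(rule["action"], rule["header"], "sid", option(rule, "sid"))
    print("if both matched, verdict =", final_verdict(parsed))
```

Rule order is the point to keep in mind when writing exceptions: even if the alert rule is listed first in the file, a matching pass rule wins, which is why a too-broad pass rule can silently blind the sensor.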

Rule options

Configuration file

Configuration files let you customize exactly how you want your IDS to interact with the rest of your environment. 

Suricata's configuration file is suricata.yaml, which uses the YAML file format for syntax and structure.

Log files

There are two log files that Suricata generates when alerts are triggered: eve.json and fast.log.

The main difference between the eve.json file and the fast.log file is the level of detail that is recorded in each. The fast.log file records basic information, whereas the eve.json file contains additional verbose information.

Trigger a custom rule

With a packet capture file

sudo suricata -r sample.pcap -S custom.rules -k none

Check the logs

# For fast.log
cat /var/log/suricata/fast.log

# For eve.json, using the jq command to display the JSON format
jq . /var/log/suricata/eve.json | less
jq -c "[.timestamp,.flow_id,.alert.signature,.proto,.dest_ip]" /var/log/suricata/eve.json
jq "select(.flow_id==1200997752018164)" /var/log/suricata/eve.json
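The same three questions the jq commands above answer (dump the alerts, one compact line per alert, everything for one flow_id) can be done in Python when the result needs to be counted or correlated rather than just read. This is an added example for these notes, not Suricata code: SAMPLE_EVE is a constructed set of eve.json lines (one JSON object per line, the way Suricata writes them) using the two signatures from this page and the flow_id from the jq example, and fast_log_lines renders the alerts in a fast.log-like one-line form to show how much less detail that file carries.

```python
"""Read eve.json lines and answer the usual triage questions. Added example;
the log lines below are constructed, not captured from a real sensor."""
import json
from collections import Counter

# Constructed eve.json lines: two alerts on flow 1200997752018164's neighbours, one http record.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1200997752018164,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":12345,"rev":3,"signature":"GET on wire","severity":3}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","flow_id":1200997752018164,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":77,"event_type":"alert","src_ip":"10.0.0.6","src_port":51001,"dest_ip":"203.0.113.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":12345,"rev":3,"signature":"GET on wire","severity":3}}
{"timestamp":"2024-01-01T10:00:06.000000+0000","flow_id":78,"event_type":"alert","src_ip":"10.0.0.7","src_port":51002,"dest_ip":"203.0.113.12","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":12365,"rev":1,"signature":"BAD USER-AGENT","severity":3}}
"""


def load_eve(text):
    """Parse newline-delimited JSON; skip blank or truncated lines (common on a live log)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def alert_summary(events):
    """Equivalent of: jq -c "[.timestamp,.flow_id,.alert.signature,.proto,.dest_ip]" (alerts only)."""
    return [
        [e.get("timestamp"), e.get("flow_id"), e["alert"].get("signature"), e.get("proto"), e.get("dest_ip")]
        for e in events
        if e.get("event_type") == "alert"
    ]


def events_for_flow(events, flow_id):
    """Equivalent of: jq "select(.flow_id==<id>)"; returns every record of that flow, not just the alert."""
    return [e for e in events if e.get("flow_id") == flow_id]


def count_by_signature(events):
    """How many times each signature fired; a quick way to spot a noisy rule."""
    return dict(Counter(e["alert"]["signature"] for e in events if e.get("event_type") == "alert"))


def fast_log_lines(events):
    """Render alerts in a fast.log-like one-line form ([gid:sid:rev] signature {proto} src -> dst)."""
    lines = []
    for e in events:
        if e.get("event_type") != "alert":
            continue
        a = e["alert"]
        lines.append(
            f'{e["timestamp"]}  [**] [1:{a["signature_id"]}:{a["rev"]}] {a["signature"]} [**] '
            f'[Priority: {a["severity"]}] {{{e["proto"]}}} '
            f'{e["src_ip"]}:{e["src_port"]} -> {e["dest_ip"]}:{e["dest_port"]}'
        )
    return lines


if __name__ == "__main__":
    evs = load_eve(SAMPLE_EVE)
    for row in alert_summary(evs):
        print(row)
    print(count_by_signature(evs))
    for rec in events_for_flow(evs, 1200997752018164):
        print(rec["event_type"], rec.get("http", rec.get("alert")))
```

To run it against a real sensor, replace SAMPLE_EVE with open("/var/log/suricata/eve.json").read(); the flow_id lookup is the useful part, since it pulls the http (or dns, tls, fileinfo) record that eve.json logged for the same flow as the alert, which fast.log cannot give you.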

Resources

Snort

Introduction

Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.

VirusTotal

Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community.

URL: https://www.virustotal.com/ 

Analyze the report
  1. Detection: This tab provides a list of third-party security vendors and their detection verdicts on an artifact. Detection verdicts include: malicious, suspicious, unsafe, and others. Notice how many security vendors have reported this hash as malicious and how many have not.

  2. Details: This tab provides additional information extracted from a static analysis of the IoC. Notice the additional hashes associated with this malware like MD5, SHA-1, and more. 

  3. Relations: This tab contains information about the network connections this malware has made with URLs, domain names, and IP addresses. The Detections column indicates how many vendors have flagged the URL or IP address as malicious.

  4. Behavior: This tab contains information related to the observed activity and behaviors of an artifact after executing it in a controlled environment, such as a sandboxed environment. A sandboxed environment is an isolated environment that allows a file to be executed and observed by analysts and researchers. Information about the malware's behavioral patterns is provided through sandbox reports. Sandbox reports include information about the specific actions the file takes when it's executed in a sandboxed environment, such as registry and file system actions, processes, and more. Notice the different types of tactics and techniques used by this malware and the files it created.

Pro tip: Sandbox reports are useful in understanding the behavior of a file, but they might contain information that is not relevant to the analysis of the file. By default, VirusTotal shows all sandbox reports in the Behavior tab. You can select individual sandbox reports to view. This is helpful because you can view the similarities and differences between reports so that it's easier to identify which behaviors are likely to be associated with the file.

Determine whether the file is malicious

Review these three sections to determine if there is a consistent assessment of the file's potential maliciousness such as: a high vendors' ratio, a negative community score, and malware detections in the security vendors' analysis section.

Screenshots

virustotal-1.png

virustotal-2.png

virustotal-3.png

virustotal-4.png

virustotal-5.png

virustotal-6.png

Cheat Sheets

Cybersecurity Acronyms

cybersecurity_acronyms_p1.jpg

Common types of password attacks

common_types_of_password_attacks.jpg

Designing Secure Systems

designing_secure_systems.jpg


Pentesters

Search Engines

search_engines_for_pentesters.jpg

Cybersecurity Certificate

Google Cybersecurity Certificate (GCC)

Qualify for the following jobs:

You'll learn about:

Cybersecurity Tools

Websites

Tools

Wazuh

The Open Source Security Platform

Web Check

All-in-one OSINT tool for analysing any website

OWASP - Nettacker

Automated Penetration Testing Framework

WAF: Web Application Firewall
Pi-Alert: WiFi/LAN connected-device detection
WatchYourLAN
ntopng

Network traffic monitor

ImHex: Hex Editor

A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM

OSSIEM

Open Source SIEM Stack, Wazuh + Graylog + Velociraptor + Copilot

Scanner
Phishing Test
CISO Assistant

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management

VMs for Cybersecurity

VMs for Cybersecurity Professional