Last spring, after discussing the tools and tech used by our team, Wordfence published a list of 51 Tools for Security Analysts. The article was well-received, and the comments offered some great suggestions to top it all off.

In the spirit of that list we'd like to offer our updated 2018 edition, featuring the Defiant team's top three picks for useful tools across five categories: **Information Gathering & Analysis**, **Penetration Testing**, **Forensics & Log Analysis**, **Malware Analysis** and the illustrious **Other** category.

Given how multifaceted the information security sphere is, you'll probably notice a bit of bias from our roots in web application security. A researcher who spends their time reverse-engineering Windows malware binaries will surely have a different opinion on the best tools for malware analysis. What are your picks? We'd love to hear them in the comments.

*Note: While each category contains our top three picks, the selections themselves are presented in no particular order.*

# Information Gathering & Analysis

### Google

Since Google is effectively the source of all knowledge, it should be no surprise that we consider it one of the most valuable resources for finding information on the internet. In the scope of security analysis, however, Google's star shines brightest when it's used to find things that aren't intended to be found.

Google Dorking (using advanced search operators to identify sensitive information or vulnerable hosts) can be a powerful technique for those of both good and ill intent. Researchers can leverage Google and other search engines to dig up web-accessible backup files, indicators of insecure web applications, and more. For more specific examples, a popular database of useful dork strings can be found in Exploit-DB's Google Hacking Database.

### Shodan

Where Google crawls the internet to make an index of websites, Shodan's mission is to index internet-connected devices themselves. Shodan sells itself as "The Search Engine for the Internet of Things", and it delivers on that promise in some interesting ways.

If you're not familiar, consider the stories emerging over the past few years of malicious manipulation of gas pumps worldwide. Nearly all of these stories make reference to the attackers' use of Shodan in target identification, including an exhaustive whitepaper on the subject by TrendMicro.

### Maltego

Maltego is an exceptional resource for investigations and general open-source intelligence (OSINT) alike. It provides a platform upon which to aggregate and organize data in order to analyze associations between all sorts of entities like email addresses, social media accounts and web sites.

*"Maltego helps us explore the web of malware, attacking hosts, command & control servers, related emails and everything else that goes into our research. It's a great tool to collaborate on investigating malicious activity, while making sure we don't leave any loose ends."* – Brad Haas, Senior Security Analyst at Defiant

# Penetration Testing

### Burp Suite and ZAP

When it comes to full-featured web application penetration testing platforms, the two biggest names are PortSwigger's Burp Suite and OWASP's Zed Attack Proxy (ZAP). Most users will find these to be roughly interchangeable, with both tools offering a powerful assortment of features like an intercepting proxy, web spider, and fuzzer. ZAP is completely free and open source, while Burp is a commercial product with a free, slightly limited community edition.

Intercepting and manipulating the requests being sent to a target from your browser is a great first step for any penetration testing exercise, and quality-of-life tools like the Burp Repeater and ZAP's Manual Request Editor allow you to tweak payloads on the fly without interrupting your workflow to make script changes. Overall, it doesn't hurt to keep both of them handy.

### sqlmap

SQL injection vulnerabilities can be devastating if exploited, and for better or worse, sqlmap is really good at finding them. It features a bevy of tests against a variety of DBMS backends from MySQL to Oracle, and can be used to automate much of the process of identifying and attacking injectable points on a site.

Given a list of domains, sqlmap can crawl the sites and automatically perform a series of heuristic tests against any input methods it can identify. Once an injection point is identified, sqlmap remembers it and can then be used to launch a number of attacks. Depending on the security measures in place on the host, sqlmap can perform tasks from dumping the vulnerable database to opening a meterpreter shell to be used as a backdoor.

### WPScan

With WordPress pulling in a respectable 59.9% of the CMS market share, it was inevitable that a highly specialized vulnerability scanner like WPScan would be developed for it. Launching WPScan is a common first step in black box audits of WordPress sites, due to its ability to divulge a great deal of information about a typical installation.

WordPress core versions, as well as lists of installed plugins and themes along with their versions, can be quickly enumerated with WPScan, and with some additional flags it can reliably enumerate a list of usernames present on the site. WPScan then rounds out the suite with a number of features to evade detection, including User-Agent randomization and a simple proxy implementation that gets along well with Tor routing.

# Forensics & Log Analysis

### Highlighter

FireEye's Highlighter is a graphically-focused log analysis utility which can be of great use to administrators and incident response personnel in the wake of an attack.

Viewing a histogram of log activity over time can provide a unique perspective on the timeline of a breach, and the ability to pinpoint keywords and whitelist known-good items from your dataset can streamline the analysis process. Unfortunately, Highlighter hasn't seen a new release since 2011 and thus only officially supports Windows 7 and below, but it certainly holds the loyalty of those who started using it a few years ago.

### lnav

For the Linux and Mac log reviewers, you can't beat lnav. It presents itself as a small-scale log viewer, more suitable for quick review of specific data on a single host than tools like Splunk, which are firmly enterprise-scale and often require their own infrastructure.

Cool features like built-in SQL queries over log data and easy-to-read syntax highlighting make lnav a no-brainer to implement in log review processes, especially in cases where you're performing a postmortem review for a third party and no formal log aggregation was in place before you got involved.

### The Command Line

This one might be a bit of a cheat, but we couldn't pass it up with all the write-ins for grep, awk, and the like on our team survey. Regardless of your workflow or your technology stack, it's crucial to know your way around the utilities commonly built into the systems with which you interact.

In most cases, it's also important to leave your comfort zone and familiarize yourself with operating systems you encounter less frequently. For instance, Linux-using researchers may find themselves wishing they knew more PowerShell when encountering a Windows system in an engagement. To help you brush up, the SANS Institute has published a number of easily digestible reference materials, including the Linux Shell Survival Guide and the PowerShell Cheat Sheet.

# Malware Analysis

### UnPHP

Web-based malware is commonly masked by one or more layers of obfuscation, where the code is deliberately made difficult or impossible for humans to read. UnPHP is a solid first-run choice for analysts who encounter obfuscated PHP scripts without the time or experience to deobfuscate them manually.

UnPHP isn't a panacea, and there are a number of evasions used in malware obfuscation which it can't quite crunch at this time, but it handles many common techniques with ease. Of particular note is its recursive deobfuscation: UnPHP can identify when a decoded output is itself obfuscated and automatically process the new layer. Even though it may not solve everything you throw at it, it's still a valuable time-saver for anyone who comes across obfuscated PHP.

### CyberChef

Where clean interface design and an "automate the boring stuff" mindset collide, we get CyberChef. CyberChef is an easy-to-use web application built to accommodate a number of data manipulation tasks, from simple encoding and decoding to encryption and compression, in a repeatable format.

To this end, CyberChef allows the user to create and save "recipes" out of a series of operations. Instruction sets like *"Gunzip, then ROT13, then Base64 decode, then ROT13 again"* can be stored and reloaded to "bake" new inputs repeatedly. These operations can scale up to complete a number of tasks, especially with built-in functions to extract useful strings like IP addresses and emails from the decoded input.

### JS Beautifier

JavaScript minification is a standard process for just about every front-end web developer in the market, and malware developers are no strangers to it. JS Beautifier is a simple online tool used to automate the formatting of minified and obfuscated JavaScript into a human-readable document.

For the purposes of malware deobfuscation in particular, JS Beautifier can detect and reverse common obfuscation methods (notably packer, by Dean Edwards) as well as handling various character encodings like hexadecimal. Like UnPHP above, JS Beautifier isn't a silver bullet that will take all of the work out of JS malware analysis, but it's an excellent first step in almost every case.

# Other

### Regex101

Whether writing a regular expression is a daily task or an occasional solution to a problem, Regex101 is sure to be of use. Users inexperienced with regex will quickly appreciate the availability of quick reference materials and a powerful Explanation view, which provides you with a breakdown of why your expression behaves the way it does.

Experienced users can make great use of Regex101 as well. The built-in debugger allows developers to observe their regex as it runs step-by-step, which helps to identify performance improvements. Even simply watching Regex101 follow along as you write an expression, highlighting matching content in your test string as you go, can be of great assistance in preventing simple issues in complex regular expressions that would have been considerably more difficult to debug if written unassisted.

### Have I Been Pwned?

Troy Hunt's massive breach data aggregation project Have I Been Pwned? is a staple in information security awareness efforts. HIBP gives anyone on the internet the chance to know whether their personal data was associated with a publicly-known security breach. It provides a user-friendly breakdown of what particular data may have been stolen, as well as the source of each breach, if known. There's also a separate API to check whether a given password has appeared in a breach, which we've built into Wordfence in an effort to prevent WordPress users from using compromised passwords.

While HIBP is of some use as a research tool, it excels at helping the layperson grasp the importance of security best practices. After all, there's really no better way to convince your relatives that password reuse is dangerous than by showing them their data has probably already been breached.

### NoScript / uMatrix

Spending any amount of time interacting with infected websites has the potential to be unsafe, or at the very least annoying. Malicious scripts on the sites in question will be attempting a number of behaviors, like browser redirects and cryptomining, so having a readily-configurable browser extension to protect yourself from these scripts is important.

NoScript has been the giant in this market since the mid-2000s, providing users with the ability to automatically block all scripts from executing until whitelisted by domain or on a per-script basis. However, it's currently only compatible with Firefox and other Mozilla software, which can be a limiting factor for many users.

The browser gap is largely filled by uMatrix, a browser firewall developed by the creator of the popular ad blocker uBlock Origin. uMatrix is compatible with Firefox, Chrome, and Opera, and offers similar functionality to NoScript in terms of unwanted script filtering. While it offers a bit more to the power-user, uMatrix is definitely less user-friendly than NoScript, and you'll find "For Advanced Users" warnings across its entries in browser addon repositories and its GitHub project alike.

# Conclusion

To reiterate, this list is far from exhaustive. There are tools built to solve all sorts of problems, from the generic to the specific, across every niche security specialty imaginable. This post simply serves as a handy reference for the utilities that we find ourselves using most commonly.

Lastly, it should go without saying that a number of these tools have the potential to be dangerous if used unethically. **Never launch a penetration test against a system you don't have explicit authority to be testing.** These powers should only be used for good.
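The histogram-over-time plus keyword-and-whitelist workflow described under Highlighter and lnav, as an added example that is not part of the original post. It parses a handful of constructed Apache combined-format lines, buckets hits per hour, and keeps only lines touching sensitive paths after removing a known-good administrator IP; the log lines, keywords and IPs are all made up for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: combined-format access log lines from a small WordPress site
# during a login brute-force followed by a plugin upload (not real data).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2018:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2018:09:15:31 +0000] "GET /wp-login.php HTTP/1.1" 200 1400 "-" "curl/7.58.0"
203.0.113.9 - - [12/Mar/2018:09:15:32 +0000] "POST /wp-login.php HTTP/1.1" 200 1400 "-" "curl/7.58.0"
203.0.113.9 - - [12/Mar/2018:09:15:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.58.0"
10.0.0.5 - - [12/Mar/2018:09:20:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2018:10:02:10 +0000] "POST /wp-admin/plugin-install.php HTTP/1.1" 200 300 "-" "curl/7.58.0"
203.0.113.9 - - [12/Mar/2018:10:02:45 +0000] "GET /wp-content/uploads/sh.php HTTP/1.1" 200 120 "-" "curl/7.58.0"
198.51.100.7 - - [12/Mar/2018:11:30:00 +0000] "GET /about/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def hourly_histogram(records):
    """Hits per hour: the timeline view Highlighter draws as a bar chart."""
    return Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in records)

def suspicious(records, keywords, whitelist_ips):
    """Keep lines whose path contains a keyword, after dropping known-good source IPs."""
    return [r for r in records
            if r["ip"] not in whitelist_ips
            and any(k in r["path"] for k in keywords)]
if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hour, n in sorted(hourly_histogram(recs).items()):
        print(f"{hour}  {'#' * n}")
    for r in suspicious(recs, ["wp-login.php", "wp-admin", "uploads"], {"10.0.0.5"}):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```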
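The recursive layer-peeling described under UnPHP, as an added Python example that is not UnPHP's own code. It recognises the common `eval(f(g('...')))` wrapper for three PHP primitives (`base64_decode`, `gzinflate`, `str_rot13`), decodes innermost-first as PHP would, and keeps going while the output is itself another wrapper; the three-layer sample is constructed in the block, and the primitive set is an assumption of this example, not a statement of what UnPHP supports.

```python
import base64, codecs, re, zlib

# PHP wrapper functions this example understands (bytes in, bytes out).
DECODERS = {"base64_decode": base64.b64decode,
            "gzinflate": lambda b: zlib.decompress(b, -15),            # raw DEFLATE
            "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")}
# Inverses, used only to build the constructed sample below.
ENCODERS = {"base64_decode": base64.b64encode,
            "gzinflate": lambda b: zlib.compress(b)[2:-4],             # strip zlib header/trailer
            "str_rot13": DECODERS["str_rot13"]}

# Matches eval(f(g('DATA'))); with any depth of nested single-argument calls.
WRAPPER_RE = re.compile(
    r"^\s*(?:<\?php\s*)?eval\s*\(((?:\w+\s*\()+)\s*['\"]([^'\"]*)['\"]\s*\)+\s*;?\s*(?:\?>)?\s*$")

def peel_once(code):
    """Strip one eval(...) wrapper; return None if code is not one we can decode."""
    m = WRAPPER_RE.match(code)
    if not m:
        return None
    funcs = re.findall(r"\w+", m.group(1))
    data = m.group(2).encode("ascii")
    for name in reversed(funcs):            # innermost call runs first, as in PHP
        if name not in DECODERS:
            return None                     # unknown primitive: stop and show what we have
        data = DECODERS[name](data)
    return data.decode("latin-1")

def deobfuscate(code, max_layers=16):
    """Peel layers recursively, as UnPHP does when decoded output is itself obfuscated."""
    layers = 0
    while layers < max_layers:
        inner = peel_once(code)
        if inner is None:
            break
        code, layers = inner, layers + 1
    return code, layers

def wrap(code, funcs):
    """Build eval(f1(f2('DATA'))); such that f1(f2(DATA)) == code (funcs outermost first)."""
    data = code.encode("latin-1")
    for name in funcs:
        data = ENCODERS[name](data)
    return "eval(" + "(".join(funcs) + "('" + data.decode("ascii") + "'" + ")" * len(funcs) + ");"

# Constructed three-layer sample, nested the way a dropper would nest it.
INNER = 'echo "layer 0: clean code";'
SAMPLE = wrap(wrap(wrap(INNER, ["gzinflate", "base64_decode"]),
                   ["str_rot13", "base64_decode"]), ["base64_decode"])

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```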
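The saved-recipe idea from the CyberChef section, as an added example that is not CyberChef's code: a recipe is an ordered list of operation names, `bake` runs it over an input, and the exact recipe quoted in the text ("Gunzip, then ROT13, then Base64 decode, then ROT13 again") is run over a constructed blob, after which the indicator extraction step pulls IPv4 addresses and e-mail addresses out of the result. Operation names and the sample configuration string are assumptions of this example.

```python
import base64
import codecs
import gzip
import re

def rot13(b):
    return codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")

# Operations: each takes bytes and returns bytes, like one CyberChef step.
OPERATIONS = {
    "Gunzip": gzip.decompress,
    "Gzip": gzip.compress,
    "ROT13": rot13,
    "From Base64": base64.b64decode,
    "To Base64": base64.b64encode,
}

def bake(recipe, data):
    """Run a saved recipe (ordered list of operation names) over one input."""
    for step in recipe:
        data = OPERATIONS[step](data)
    return data

IPV4_RE = re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def extract_indicators(data):
    """Pull IPv4 and e-mail addresses out of decoded bytes, deduplicated, in order of appearance."""
    return {
        "ips": list(dict.fromkeys(m.decode("ascii") for m in IPV4_RE.findall(data))),
        "emails": list(dict.fromkeys(m.decode("ascii") for m in EMAIL_RE.findall(data))),
    }

# Constructed sample: a beacon config, obfuscated in the reverse order of the
# recipe from the text (ROT13 -> Base64 -> ROT13 -> Gzip). Addresses are documentation ranges.
PLAINTEXT = b"c2=203.0.113.7 backup=198.51.100.23 report=ops@example.net"
OBFUSCATED = bake(["ROT13", "To Base64", "ROT13", "Gzip"], PLAINTEXT)

RECIPE = ["Gunzip", "ROT13", "From Base64", "ROT13"]   # the saved recipe quoted in the text

def run_recipe_on_sample():
    """Bake the saved recipe over the blob and extract indicators from the output."""
    decoded = bake(RECIPE, OBFUSCATED)
    return decoded, extract_indicators(decoded)

if __name__ == "__main__":
    decoded, indicators = run_recipe_on_sample()
    print(decoded.decode(), indicators)
```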
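The breached-password check mentioned in the Have I Been Pwned? section, as an added example that is not Wordfence's implementation. The Pwned Passwords range API is queried with only the first five hex characters of the password's SHA-1 and returns the matching suffixes with their counts, so the full hash never leaves the client; the example implements that client-side logic and runs it against a constructed stand-in for the HTTP response (no network call is made, and the suffixes and counts in the fake bucket are made up).

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint; not called in this example

def sha1_split(password):
    """Return (prefix, suffix): the 5 hex chars sent to the API and the 35 kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' response lines into a {suffix: count} dict."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        result[suffix.upper()] = int(count)
    return result

def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text. Only the 5-char prefix ever leaves the client."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the API: one bucket in which "password" appears.
_BREACHED_PREFIX, _BREACHED_SUFFIX = sha1_split("password")
FAKE_RESPONSES = {
    _BREACHED_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",      # constructed filler suffix
        f"{_BREACHED_SUFFIX}:3730471",                  # constructed count
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",      # constructed filler suffix
    ])
}

def fake_fetch_range(prefix):
    # Stand-in for an HTTPS GET of RANGE_URL + prefix; unknown prefixes get an empty bucket.
    return FAKE_RESPONSES.get(prefix, "")

def password_allowed(password, fetch_range=fake_fetch_range):
    """Policy check of the kind described for Wordfence: reject any password seen in a breach."""
    return breach_count(password, fetch_range) == 0

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 9f2k"):
        print(pw, "->", "rejected" if not password_allowed(pw) else "allowed")
```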