Categories
Cyber Security

USB Data Blockers (A.K.A. “USB Condoms”)

This post may contain affiliate links and I may earn a small commission if you make purchases using links on this page at no additional cost to you. I only endorse products that I love and/or use myself.

USB Data Blockers are a must if you regularly charge your phone using a public USB charging port.

USB charging stations can be modified to contain malicious hardware that can be used to hack into your phone when you plug into it. This type of attack is known as “Juice Jacking”. USB Data Blockers prevent any kind of data transfer from occurring while allowing the device to charge, preventing this kind of attack.

Here are some recommended USB data blockers that you can use to protect your device while away from home.

This 4-pack includes both regular USB-A and USB-A to USB-C data blockers. Made of aluminum, these should be more durable than plastic data blockers.

If you find yourself using USB-C charging ports, you’ll want to grab this version instead.

Here’s another solid option for a regular USB-A data blocker that has a high rating and great reviews.

Recommended Privacy VPNs


When away from home, it’s especially important to use a privacy VPN when connecting to WiFi. Most privacy VPN services only cost a few dollars a month, are easy to use on your laptop or smartphone, and provide a reasonable level of security when connecting to unknown WiFi networks. Here are a few VPN services that I recommend.

Recommended VPNs:

Keep reading for a description of each of these services.

NordVPN

NordVPN is one of the biggest names in the world of privacy VPNs. They’re a trustworthy company and have an easy-to-use app for both desktop and mobile devices. I’ve been using them for several years, and they are my VPN provider of choice. Their subscription is very affordable at just a few dollars a month. You can get a discounted rate using this link.

Surfshark

In addition to being extremely affordable, Surfshark also lets you use your account on an unlimited number of devices, whereas most providers limit you to 5-10 devices per account. They have multiple subscription lengths available, including monthly and annual options. You can use this link to get a discount.

Proton VPN

Proton VPN is run by Proton, the security-conscious company behind the Proton Mail email service, so they offer private email in addition to their privacy VPN. They are definitely a company that I would trust, and I recommend their services. You can check out their VPN options here.

ExpressVPN

ExpressVPN is another well-known privacy VPN provider. They consistently receive high customer satisfaction ratings and are a reputable option. You can check out their services here.

Additional VPN options

If for some reason you don’t like any of the above options, there are alternatives available. Here’s a list of some of the other options I’m aware of.


Recommended Password Managers

With the ever-increasing volume of data breaches, having unique, secure passwords is more important than ever. Here you’ll find my list of recommended password managers that you can use to securely store your passwords.

Recommended Password Managers:

  • KeePass (free, offline, no cloud sync)
  • LastPass (no longer recommended, too many data breaches)

Cyber Attack Maps (a.k.a. “Pew-Pew” maps)

Here’s a list of Pew-Pew maps for your enjoyment.

Arbor Networks: https://www.digitalattackmap.com

Bitdefender: https://threatmap.bitdefender.com

Checkpoint: https://threatmap.checkpoint.com

FireEye: https://www.fireeye.com/cyber-map/threat-map.html

Fortinet: https://threatmap.fortiguard.com

Imperva: https://www.imperva.com/cyber-threat-attack-map

Kaspersky: https://cybermap.kaspersky.com

Netscout: https://www.netscout.com/ddos-attack-map

Radware: https://livethreatmap.radware.com

Spamhaus: https://www.spamhaus.com/threat-map

Thales Group: https://cyberthreat.thalesgroup.com


List of NDR Tools

Vendor: Product
Arista Networks: Arista NDR
Cisco: Secure Network Analytics; Secure Cloud Analytics
Corelight: Corelight Open NDR Platform
Darktrace: Darktrace DETECT; Darktrace RESPOND
ExtraHop: Reveal(x)
Fidelis Cybersecurity: Fidelis Network
Gatewatcher: AionIQ
Gigamon: Gigamon ThreatINSIGHT
IronNet: IronNet Collective Defense Platform
Plixer: Plixer Security Intelligence Platform
Progress: Flowmon Anomaly Detection System
QI-ANXIN: SkyEye
Sangfor: Cyber Command
Stamus Networks: Stamus Security Platform
Tencent: T-Sec NDR
Trellix: Trellix Network Detection and Response
Trend Micro: Trend Micro Deep Discovery; Trend Micro TippingPoint; Trend Micro Vision One
Vectra: Vectra Threat Detection and Response Platform
VMware: NSX Network Detection and Response

Accedian
Allentis
aizoOn (Aramis)
Blue Hexagon (Acquired by Qualys Oct 2022)
BluVector
CloudCover
cPacket Networks
Cryptomage
CUSTOCY
CyGlass
Cynamics
Deep Instinct
Exeon
Fortinet
GREYCORTEX
Hillstone Networks
Huawei
LiveAction
LogRhythm
Lumu Technologies
MixMode
Muninn
NANO Corp
Netography
NetWitness
NextRay
Nominet
OpenText (Bricata)
Ordr
Quad Miners
Qihoo 360
Sesame IT
Stellar Cyber
TEHTRIS
ThreatBook
ThreatWarrior
Tophant
Vehere
Venustech
Verizon


How Secure Is My Smart Device?

When it comes to smart device security, generally speaking, a smart device will be slightly less secure than the cloud account and WiFi network that it is connected to.

Why “slightly less secure”?

There are two main ways that a smart device could be compromised: remotely, from anywhere in the world, through the connected cloud account; and locally, by someone who has broken into your WiFi network.

The connected cloud account is the most widely accessible attack vector as it can be accessed from anywhere in the world. A compromised cloud account will give an attacker access to your devices without having to actually “hack” the device itself.

Conversely, if you have a nefarious neighbor who is able to guess the password to your WiFi network, they will be able to access your device directly and attempt to log in locally or exploit security vulnerabilities on the device itself.

A cloud account with a strong, unique password and MFA enabled, combined with a strong WiFi password, are your first lines of defense and will considerably improve the security posture of your smart home devices. (Click here for a list of password managers that I recommend.)

However, each smart device may have its own “features” or security flaws that add risk even when the cloud account and WiFi network are secure – hence “slightly less secure.”

For example, some devices use a technology called UPnP, or “Universal Plug-n-Play” to expose themselves directly to the internet. UPnP is enabled by default on most home routers and makes setup easier for some devices. However, it introduces additional security risks as well. Disabling the UPnP feature on your router is a great way to further improve the security of your smart devices.
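One way to see what UPnP has already opened on your router, before and after you disable it, is to ask the router’s Internet Gateway Device service for its port-mapping table. The script below is an added example and not code from this post; it assumes you know your router’s UPnP description URL (DESCRIPTION_URL is a hypothetical placeholder, the real one is shown in most routers’ UPnP pages or by an SSDP scan), and SAMPLE_RESPONSE is a constructed reply used to show the parsing.

```python
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"
DESCRIPTION_URL = "http://192.168.1.1:5000/rootDesc.xml"   # hypothetical; see your router's UPnP page or an SSDP scan
SOAP_BODY = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
             's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
             '<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d</NewPortMappingIndex>'
             '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
SAMPLE_RESPONSE = (  # constructed: the shape a router returns for one entry of its mapping table
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>ipcam</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def control_url(description_url):
    """Read the IGD description and return the absolute control URL of its WANIPConnection service."""
    root = ET.fromstring(urllib.request.urlopen(description_url, timeout=5).read())
    for svc in root.iter(DEV_NS + "service"):
        if svc.findtext(DEV_NS + "serviceType") == WANIP:
            return urllib.parse.urljoin(description_url, svc.findtext(DEV_NS + "controlURL"))
    return None   # no WANIPConnection service: this router does not offer UPnP port mapping

def parse_mapping(soap_response):
    """Collect the New* fields of a GetGenericPortMappingEntry response into a dict."""
    return {el.tag: (el.text or "") for el in ET.fromstring(soap_response).iter() if el.tag.startswith("New")}

def summarize(m):
    return f"{m['NewProtocol']} {m['NewExternalPort']} -> {m['NewInternalClient']}:{m['NewInternalPort']} ({m['NewPortMappingDescription']})"

def list_port_mappings(ctrl, limit=1000):
    """Walk the table by index; the router answers HTTP 500 / UPnP error 713 past the last entry."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    mappings = []
    for index in range(limit):
        req = urllib.request.Request(ctrl, data=(SOAP_BODY % (WANIP, index)).encode(), headers=headers)
        try:
            mappings.append(parse_mapping(urllib.request.urlopen(req, timeout=5).read()))
        except urllib.error.HTTPError:   # SpecifiedArrayIndexInvalid: no more entries
            break
    return mappings

if __name__ == "__main__":
    ctrl = control_url(DESCRIPTION_URL)
    print("\n".join(summarize(m) for m in list_port_mappings(ctrl)) if ctrl else "no UPnP port-mapping service found")
```

Once UPnP is disabled on the router, the description URL should stop answering and the list should come back empty.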


Deciphering Windows Event Logs: 4733

4733: A member was removed from a security-enabled local group

This event can be interpreted as:

"<subjectUserName> removed <memberSid> from group <targetUserName>. This action was performed from <computer>."

Helpful Hints:

To get the username of an account by SID, you can use the following command (note: this works well for local accounts, there may be a better way to do this in AD):

wmic useraccount where sid="S-1-5-21-3696241878-1170446952-3831691710-1002" get name 
Name 
SuperHacker


Deciphering Windows Event Logs: 4732

4732: A member was added to a security-enabled local group

This event can be interpreted as:

"<subjectUserName> added <memberSid> to group <targetUserName>. This action was performed from <computer>."

Helpful Hints:

To get the username of an account by SID, you can use the following command (note: this works well for local accounts, there may be a better way to do this in AD):

wmic useraccount where sid="S-1-5-21-3696241878-1170446952-3831691710-1002" get name 
Name 
SuperHacker
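The following is an added example (not from either post) that covers both 4732 and 4733: it pulls the events from the Security log, resolves the member SID with .NET’s SecurityIdentifier.Translate(), which handles domain accounts as well as local ones and does not depend on wmic (deprecated on current Windows releases), and prints the one-line interpretation given above.

```powershell
# Added example: print the post's one-line reading of each 4732/4733 event with the member SID resolved.
# Run from an elevated PowerShell session; reading the Security log requires administrator rights.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # SecurityIdentifier.Translate() resolves local and domain SIDs alike, so it also covers the AD case.
    try {
        $member = ([System.Security.Principal.SecurityIdentifier]$d['MemberSid']).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $member = $d['MemberSid']   # account deleted since the event was logged: keep the raw SID
    }

    if ($e.Id -eq 4732) { $verb = 'added'; $prep = 'to' } else { $verb = 'removed'; $prep = 'from' }
    '{0:u} {1}\{2} {3} {4} {5} group {6}. This action was performed from {7}.' -f `
        $e.TimeCreated, $d['SubjectDomainName'], $d['SubjectUserName'], $verb, $member, $prep, $d['TargetUserName'], $xml.Event.System.Computer
}
```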

Decrypting WPA2 Encrypted Wi-Fi Traffic with Wireshark

TL;DR

sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up
sudo iw dev wlan1 set channel 6
sudo tcpdump -i wlan1 -w %Y-%m-%d_%H.%M.%S.pcap -G 3600
  1. Capture some handshakes
  2. Open .pcap file in Wireshark
  3. Edit > Preferences > Protocols > IEEE 802.11 > Decryption Keys > Edit > New (+)
  4. Select key type: wpa-pwd
  5. Enter the key in the following format: password:ssid
  6. Click OK, then OK again. Wireshark will refresh the display with decrypted traffic. Set the display filter to “ip” to filter out all of the wireless noise.

Intro

Analyzing WPA2 encrypted wireless traffic is more difficult than I thought it would be. After several hours of struggling, I was able to do it. Here’s a condensed version of what I learned.

There are several components that must all work together in order to be successful:

  1. You must have the WPA2 password and SSID
  2. You can only decrypt traffic for a device if you also captured that device’s four-way handshake, and only the traffic that occurred after the handshake took place
    1. Cool side note: This might even work across pcaps if the files are opened in the right order! For example, if you capture a handshake in cap1.pcap, and more traffic (but no handshake) in cap2.pcap, you can open cap1.pcap first, then File > Open cap2.pcap, and the handshake from cap1.pcap will be used to decrypt traffic in cap2.pcap.

Note: In theory, this should work with WPA and WEP encrypted traffic as well, with only slight modification for WEP.

1. Capturing Traffic in Linux

First, let’s capture some traffic (note, you may need to change “wlan1” to “wlan0” or whatever your adapter shows up as. To see a list of all wireless adapters, run “iwconfig”.) You’ll need to know which channel the desired AP is running on.

To discover this on 2.4 GHz networks, use

sudo airodump-ng wlan1

Or for 5 GHz networks, use

sudo airodump-ng -b a wlan1

(Note: not all traffic may be captured on 5 GHz with this method; I’m still working on this.)

(Note 2: If you’re doing this in Kali Linux, be sure to update your distro before proceeding or airodump-ng will likely fail:)

sudo apt update
sudo apt upgrade

Once you know which channel you need to use, run the following commands:

sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up
sudo iw dev wlan1 set channel 6 # (set the correct channel here)
sudo tcpdump -i wlan1 -w %Y-%m-%d_%H.%M.%S.pcap -G 3600

That last command will begin capturing traffic to a file with a filename of the current timestamp and will start a new .pcap file every 3600 seconds (1 hour). Capture as much traffic as you desire, and then press CTRL+C to stop the packet capture.

2. Capturing a Handshake

Be sure to capture a handshake for the device you wish to decrypt traffic for; the handshake will be required to decrypt the traffic for that device. If you can’t manually disconnect and reconnect a device, you can attempt to de-authenticate the device (or all devices) from the network in hopes that they will then reconnect.

To deauth a device, you’ll need to know the BSSID of your AP. To find the BSSID, run:

sudo airodump-ng wlan1

Once your AP has appeared, press CTRL+C to cancel.

Now, you can use the BSSID to deauth a device. To deauth a single device, run:

sudo aireplay-ng --deauth 2 -a [bssid] -c [mac address of device] wlan1

Or, to deauth ALL devices (you should probably be careful with this option), run:

sudo aireplay-ng -0 2 -a [bssid] wlan1

Now that you’ve caught some handshakes, we can start decrypting traffic. NOTE: Only traffic that was captured after the handshake can be decrypted.

3. Decrypting and Analyzing Traffic in Wireshark

To view the decrypted traffic in Wireshark:

  1. Open the pcap file in Wireshark
  2. Go to: Edit > Preferences > Protocols > IEEE 802.11 > Decryption Keys > Edit > New (+)
  3. Select key type: wpa-pwd
  4. Enter the key in the following format: password:ssid
  5. Click OK, then OK again. Wireshark will refresh the display with decrypted traffic. Set the display filter to “ip” to filter out all of the wireless noise.
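Because only traffic captured after a client’s four-way handshake can be decrypted, it helps to know before opening Wireshark which clients in a pcap actually have a complete handshake. The script below is an added example, not code from this post: it walks a classic pcap as written by the tcpdump command above (link type 127 radiotap or 105 raw 802.11, not pcapng), classifies EAPOL-Key frames as messages 1 to 4 from their Key Information flags, and lists the clients with all four. The capture it runs on is constructed inline; the MAC addresses are made up.

```python
import struct

LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"     # LLC/SNAP header, EtherType 0x888E (EAPOL)
KEY_INFO = {1: 0x008a, 2: 0x010a, 3: 0x13ca, 4: 0x030a}  # typical WPA2 Key Information value per message

def msg_number(key_info):
    """Key Information flags -> handshake message 1-4 (None for group-key or unrecognised frames)."""
    if not key_info & 0x08:                    # Key Type bit clear: GTK frame, not the 4-way handshake
        return None
    ack, mic, secure = key_info & 0x80, key_info & 0x100, key_info & 0x200
    if ack:
        return 3 if mic else 1
    return (4 if secure else 2) if mic else None

def handshake_messages(pcap):
    """{(client, ap): {msg numbers}} for every EAPOL-Key frame; link types 127 (radiotap) and 105 (802.11)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    seen, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame, off = pcap[off + 16: off + 16 + incl_len], off + 16 + incl_len
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:] if linktype == 127 else frame  # drop radiotap
        fc, flags = frame[0], frame[1]
        if (fc >> 2) & 3 != 2:                 # only data frames carry EAPOL
            continue
        hdr = 24 + (2 if fc & 0x80 else 0)     # QoS data subtypes add a 2-byte QoS control field
        if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL or frame[hdr + 9] != 3:  # EAPOL packet type 3 = Key
            continue
        num = msg_number(struct.unpack_from(">H", frame, hdr + 13)[0])
        addr1, addr2 = frame[4:10].hex(":"), frame[10:16].hex(":")
        client, ap = (addr2, addr1) if flags & 1 else (addr1, addr2)  # To-DS set: client -> AP
        if num:
            seen.setdefault((client, ap), set()).add(num)
    return seen

def complete_handshakes(seen):
    return sorted(client for (client, _), msgs in seen.items() if msgs == {1, 2, 3, 4})  # all of M1-M4 seen

def _eapol_frame(client, ap, msg):
    """Constructed pcap record: radiotap + 802.11 data header + LLC/SNAP + minimal EAPOL-Key."""
    to_ds = msg in (2, 4)                      # M2 and M4 travel client -> AP
    a1, a2 = (ap, client) if to_ds else (client, ap)
    hdr = bytes([0x08, 1 if to_ds else 2, 0, 0])
    hdr += b"".join(bytes.fromhex(m.replace(":", "")) for m in (a1, a2, ap)) + b"\x00\x00"
    eapol = b"\x02\x03\x00\x03\x02" + struct.pack(">H", KEY_INFO[msg])  # version 2, Key, length, descriptor 2
    body = b"\x00\x00\x08\x00\x00\x00\x00\x00" + hdr + LLC_SNAP_EAPOL + eapol
    return struct.pack("<IIII", 0, 0, len(body), len(body)) + body

def sample_pcap():
    """Constructed capture: full handshake for one client, only M3/M4 for a second one."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    ap, c1, c2 = "aa:bb:cc:dd:ee:01", "02:11:22:33:44:55", "02:66:77:88:99:00"
    frames = [_eapol_frame(c1, ap, m) for m in (1, 2, 3, 4)] + [_eapol_frame(c2, ap, m) for m in (3, 4)]
    return header + b"".join(frames)
```

For a real capture, call handshake_messages(open("capture.pcap", "rb").read()); a client missing from complete_handshakes() is one you still need to reconnect while capturing.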

Password Cracking 101

When you log in to your computer, you must enter two pieces of information: username and password. Together, these two pieces of information authenticate you. Your username tells the computer who you are, and your password proves to the computer who you are – because only you would know the password.

In order for the computer to know that you entered the correct password, it has to compare it to something – a stored copy of your password. However, simply storing your password on your hard drive or in memory would be a dangerous thing; any user or program could potentially read it and steal it. Therefore, passwords are usually not stored in plaintext; rather, a password is hashed and its hash is stored on a hard drive or in memory.

A hash is the output of a one-way cryptographic function: the same input (‘A’) always yields the same output (‘B’), but the output cannot be reversed to recover the input. When you enter a password, it is hashed and the newly generated hash is compared to the stored hash. If it matches, you can be authenticated.

Many types of hashing algorithms exist; some of the more common ones are MD5, SHA1, SHA256, and SHA512.

Here’s an example of a SHA1 hash and the corresponding password:
70ccd9007338d6d81dd3b6271621b9cf9a97ea00:Password1

All hashes of a given type are the same length. For example:

70ccd9007338d6d81dd3b6271621b9cf9a97ea00:Password1
77c3b049c875bf848328939583f2ad29cb5c01a4:wateva
31ad300bdae5e974505fe38472fe855853b79201:martin1
ef1a87d6fc7d9be2b651634de76ebcc46a74a8b8:kingston
fa4a9554600ca3da6732aa82e6fa0c9abe8a27ae:dustin1
f90ecb2cdd602cfe77ff30f39182a9fbebbd61b4:stefanie
ef65de1c7be0aa837fe7b25ba9a7739905af6a55:herbert
99ecb3e5e3396fdf87b5faa63880195b355e6cf5:felicity
fefe6ebb4ff26e9729b6363069f200ad17c2ca84:dracula
c9be014f81aeb389b4616f87ace64399a7381a3e:basket
a812ce795d364414bdede8f17e50cd33a7190f8c:sunset
515dd919689cf68643e573f27d47aef3897e66a3:hummer

Because a hash is generated from a one-way algorithm, it’s technically impossible to “unencrypt” it. You cannot derive a password simply by running its hash through the hashing algorithm in reverse. In order to determine what the password is of a given hash, you must hash something and see if the output is the same as the hash of the password that you are attempting to crack. Chances of any given input yielding the desired hash are incredibly small (and vary depending on the hashing algorithm).

Password Cracking Methods

Several methods of password cracking exist. These include:

  • Brute Force
  • Mask Attack
  • Dictionary Attack
  • Hybrid Attack
  • Rainbow Tables

Brute Force

A brute force attack is the surest way to crack any password. However, by the time it succeeds, the universe may have come to an end.

This attack starts with the specified length(s) of characters and iterates through every possible combination, i.e.,

aaa
aab
aac

zzx
zzy
zzz

Passwords up to 8 characters in length could be cracked in a day. Much longer than this, however, and the time to crack quickly grows from weeks to millions of years.

Mask Attack

A mask attack is a more targeted version of a brute force attack. With a mask attack, you can specify that you only want to try certain types of characters in certain positions. For example, the most common order in which characters appear in commonly used passwords is as follows: Uppercase, Lowercase, Digits, and Special Characters; i.e., “Password1!”. Using this knowledge of how humans create passwords, longer passwords can sometimes be cracked using this more targeted approach.

Dictionary Attack

A dictionary attack hashes each word in a pre-defined word list to see if the resulting hash matches the hash of the password to be cracked. While dictionary words are sometimes used as passwords, a “dictionary attack” is not limited to dictionary words. Often, lists of leaked passwords are used to crack an unknown password, thinking that if one person used a particular password, someone else probably thought of it as well. This type of attack is typically the fastest; a wordlist of several million words can be processed in seconds.

Hybrid Attack

A hybrid attack combines a traditional dictionary attack with a brute force or mask attack. Each word in the word list will have additional characters prepended or appended to it before it is hashed. For example, “baseball” may become “@baseball” or “baseball2”. This is advantageous because it simply modifies known patterns from a wordlist, thus increasing the odds of a successful crack over pure brute force or dictionary attacks. This type of attack is typically faster than brute force but slower than a dictionary attack, as multiple variations of each word must be attempted.

Rainbow Tables

Rainbow table attacks use databases of precomputed hashes to accelerate the cracking process. While this type of attack can be much faster than brute force, this comes at a cost of storage space. A rainbow table may be many gigabytes or even several terabytes in size.

Tools that perform rainbow table attacks include Ophcrack and Rainbow Crack.
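To make the dictionary and rainbow-table points concrete from the defender’s side, here is an added example (my own code, not from this post): it runs the hash-and-compare loop described above against an unsalted SHA1 hash, then shows the stored-password format a defender should use instead, a random per-user salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 at the 600,000 iterations OWASP recommends), where precomputed tables are useless and every guess costs the full KDF. WORDLIST is a constructed stand-in for a leaked-password list, and the salt$iterations$hash storage string is a convention invented for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the leaked-password lists the post describes.
WORDLIST = ["123456", "password", "qwerty", "baseball", "Password1", "dracula"]

def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()

def crack_unsalted(target_hex, wordlist, hash_hex=sha1_hex):
    """Dictionary attack as the post describes: hash each candidate and compare with the target.

    One pass over the list serves every leaked hash of this type, because equal passwords
    always give equal hashes; that same property is what makes rainbow tables possible.
    """
    return next((word for word in wordlist if hash_hex(word) == target_hex), None)

def hash_pbkdf2(password, salt=None, iterations=600_000):
    """Defender's side: random per-user salt plus a slow KDF. Storage format (constructed for this
    example) is 'salt$iterations$hash', so the verifier can recover both parameters later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_salted(stored, wordlist):
    """The same wordlist against a salted slow hash: each candidate costs a full KDF run, and a
    precomputed table is useless because the salt differs for every stored password."""
    return next((word for word in wordlist if verify_pbkdf2(word, stored)), None)
```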

Practice

If you want to practice password cracking, you’ll need two things: Tools and Hashes.

Tools:

Hashes: