So Who Needs a GUI in Cybersecurity?

Cybersecurity in a nutshell

If you are a technical specialist in cybersecurity, you probably have an aversion to GUIs (Graphical User Interfaces). Why? Because they are just too slow and cumbersome. For a specialist, the first thing to do on a computer is to find “Terminal” or “Cmd”, then locate PowerShell, Node.js or Python, and you are away. The File Explorer is replaced by a command line.

For IoT scanning, we just pop up a command line and use Python or the Shodan command-line tools [here]:

In Wireshark, we are often looking for a needle in a haystack, where the haystack is made up of billions of network packets. So you are either going to crash your system loading the capture into the GUI, or you get your filter out and run Wireshark from the command line (Tshark):

We can then capture our traces, and quickly run a filter to search for our needle:

"C:\Program Files\Wireshark\tshark.exe" -Y "http contains 89:50:4E:47" -r with_png.pcap

The following gives some examples of Wireshark display filters (the same filter syntax is what tshark takes with its -Y option):

  • PNG Filter: http contains “\x89\x50\x4E\x47”. Trace with a PNG and PNG filter: Test. Pcap
  • PDF Filter: http contains “%PDF”. Trace with a PDF and PDF filter: Test. Pcap
  • GIF Filter: http contains “GIF89a”. Trace with a GIF and GIF filter: Test. Pcap
  • ZIP Filter: http contains “\x50\x4B\x03\x04”. Trace with a ZIP and ZIP filter: Test. Pcap
  • JPEG Filter: http contains “\xff\xd8”. Trace with a JPEG and JPEG filter: Test. Pcap
  • MP3 Filter: http contains “\x49\x44\x33”. Trace with an MP3 and MP3 filter: Test. Pcap
  • RAR Filter: http contains “\x52\x61\x72\x21\x1A\x07\x00”. Trace with a RAR and RAR filter: Test. Pcap
  • AVI Filter: http contains “\x52\x49\x46\x46”. Trace with a AVI and AVI filter: Test. Pcap
  • SWF Filter: http contains “\x46\x57\x53”. Trace with a SWF and SWF filter: Test. Pcap
  • GZip Filter: http contains “\x1F\x8B\x08”. Trace with a GZIP and GZIP filter: Test. Pcap
  • Email address Filter: smtp matches “[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]”. Trace with an email and Email regex filter: Test. Pcap
  • IP address Filter: http matches “[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}”. Trace with HTTP traffic and IP address regex filter: Test. Pcap
  • Credit card details (Mastercard) Filter: smtp matches “5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}”. Trace with an email and Mastercard regex filter: Test. Pcap
  • Credit card details (Visa) Filter: smtp matches “4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}”. Trace with an email and Visa regex filter: Test. Pcap
  • Credit card details (Am Ex) Filter: smtp matches “3\\d{3}(\\s|-)?\\d{6}(\\s|-)?\\d{5}”. Trace with an email and Am Ex regex filter: Test. Pcap
  • Domain name Filter: http matches “[a-zA-Z0-9\\-\\.]+\\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU|UK)”. Trace with an email and domain name regex filter: Test. Pcap
  • FTP User/Password Crack Filter: ftp contains “530 User”. Trace with FTP Hydra and 530 filter: Test. Pcap
  • FTP Login Filter: tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==1. Trace with FTP Hydra and SYN/Port 21 filter: Test. Pcap
  • Telnet Login Filter: tcp.port==23 && tcp.flags.syn==1 && tcp.flags.ack==0. Trace with Telnet Hydra and SYN/Port 23 filter: Test. Pcap
  • Telnet Login Filter: telnet contains “login”: Test. Pcap
  • Telnet Login Filter: telnet contains “Failed”: Test. Pcap
  • Hping DoS Filter: tcp.flags.syn==1 && tcp.flags.ack==0. Trace with Hping and SYN flag filter: Test. Pcap
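The filters above are doing two things: matching file magic bytes with “contains”, and matching personal data with “matches” regexes. As an added example (this is not code from the original article), the same checks are reimplemented below in Python over constructed payloads, so the matching logic can be run and inspected offline. It adds two things a practitioner would want that the display filters alone do not give: a stricter “magic bytes at the start of the HTTP body” check beside the page's “contains anywhere” semantics (the two-byte JPEG signature and the shared RIFF header of AVI and WAV are noisy otherwise), and a Luhn checksum on card-number hits, since a bare sixteen-digit regex also fires on order numbers and timestamps. The sample messages and the Luhn check are assumptions made here, not something the article supplies.

```python
"""Added example: the article's Wireshark file-signature and PII filters,
reimplemented as plain Python matching over raw payload bytes.
Sample messages are constructed for this example, not from a capture."""
import re

# File signatures from the "http contains ..." filters. "contains" semantics
# match anywhere in the packet, which is cheap but noisy (see body_type()).
MAGIC = {
    "PNG": b"\x89PNG",
    "PDF": b"%PDF",
    "GIF": b"GIF89a",
    "ZIP": b"PK\x03\x04",
    "JPEG": b"\xff\xd8",
    "MP3": b"ID3",
    "RAR": b"Rar!\x1a\x07\x00",
    "AVI": b"RIFF",          # also WAV and other RIFF containers
    "SWF": b"FWS",
    "GZIP": b"\x1f\x8b\x08",
}

# Regexes from the "matches" filters (as bytes patterns). The email and IP
# patterns are anchored on word boundaries and extended to capture the whole
# token; the display filter only needs a yes/no hit, so it stops earlier.
PATTERNS = {
    "EMAIL": re.compile(rb"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]+"),
    "IPV4": re.compile(rb"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"),
    "VISA": re.compile(rb"\b4\d{3}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b"),
    "MASTERCARD": re.compile(rb"\b5\d{3}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b"),
    "AMEX": re.compile(rb"\b3\d{3}[\s-]?\d{6}[\s-]?\d{5}\b"),
}


def http_body(payload: bytes) -> bytes:
    """Body after the first blank line of an HTTP message (whole payload if none)."""
    idx = payload.find(b"\r\n\r\n")
    return payload[idx + 4:] if idx != -1 else payload


def file_types(payload: bytes) -> list:
    """'contains' semantics: every signature whose bytes occur anywhere."""
    return sorted(name for name, magic in MAGIC.items() if magic in payload)


def body_type(payload: bytes):
    """Stricter variant: the signature has to start the HTTP body."""
    body = http_body(payload)
    for name, magic in MAGIC.items():
        if body.startswith(magic):
            return name
    return None


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by Visa, Mastercard and Amex card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(payload: bytes) -> list:
    """(scheme, digits, luhn_valid) for every card-shaped number found."""
    hits = []
    for scheme in ("VISA", "MASTERCARD", "AMEX"):
        for m in PATTERNS[scheme].finditer(payload):
            digits = re.sub(rb"[\s-]", b"", m.group(0)).decode()
            hits.append((scheme, digits, luhn_ok(digits)))
    return hits


def find_emails(payload: bytes) -> list:
    return [m.decode() for m in PATTERNS["EMAIL"].findall(payload)]


def find_ips(payload: bytes) -> list:
    return [m.decode() for m in PATTERNS["IPV4"].findall(payload)]


# Constructed sample traffic (assumption: not taken from any real capture).
HTTP_PNG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
            b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
HTML_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<p>Files that start with GIF89a are GIFs</p>")
SMTP_MSG = (b"From: alice@example.com\r\nTo: bob@example.org\r\n\r\n"
            b"Visa 4111 1111 1111 1111, typo 4111-1111-1111-1112, "
            b"Amex 3782 822463 10005, server 10.0.0.12\r\n")

if __name__ == "__main__":
    for label, pkt in (("png", HTTP_PNG), ("html", HTML_PAGE)):
        print(label, "contains:", file_types(pkt), "body:", body_type(pkt))
    print("emails:", find_emails(SMTP_MSG), "ips:", find_ips(SMTP_MSG))
    for scheme, digits, ok in find_cards(SMTP_MSG):
        print(scheme, digits, "luhn-valid" if ok else "luhn-INVALID")
```

The HTML sample shows why the stricter check matters: the text merely mentions “GIF89a”, so the “contains” filter flags it as a GIF while the body check does not. The same PNG signature written for Snort is a content match on the hex bytes, content:"|89 50 4E 47|", which has the same “anywhere in the payload” semantics as the Wireshark filter.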

We can write more complex rules with Snort. With this we take our PCAP files and test them against rules; Snort does this as a stand-alone analyser using the “-r” option to read a capture file:

The following are the traces that can be used in Snort:

Conclusion

So, drop the GUI, and get into the command line.