So Who Needs a GUI in Cybersecurity?
So Who Needs a GUI in Cybersecurity?
Cybersecurity in a nutshell
If you are a technical specialist in cybersecurity you probably have an aversion to GUIs (Graphical User Interfaces). Why? Because they are just to slow and cumbersome. For a specialist, the first place to go on a computer is to find “Terminal” or “Cmd”, and then you locate PowerShell, Node.js or Python, and you are away. The File Explorer is replaced by a command line.
For IoT scanning, we just pop-up a command line, and it’s Python or Shodan command line tools [here]:
In Wireshark, we are often looking for a needle in a haystack, and where the haystack is made up of billions of network packets. So you are either going to crash your system in loading up a GUI, or you’ll get your filter out, and run Wireshark from the command line (Tshark):
We can then capture our traces, and quickly run a filter to search for our needle:
c:\Program Files\Wireshark\tshark -Y "http contains "89:50:4E:47" -r with_png.pcap
The following give some examples of Wireshark filters:
- PNG Filter: http contains “\x89\x50\x4E\x47”. Trace with a PNG and PNG filter: Test. Pcap
- PDF Filter: http contains “%PDF”. Trace with a PDF and PDF filter: Test. Pcap
- GIF Filter: http contains “GIF89a”. Trace with a GIF and GIF filter: Test. Pcap
- ZIP Filter: http contains “\x50\x4B\x03\x04”. Trace with a ZIP and ZIP filter: Test. Pcap
- JPEG Filter: http contains “\xff\xd8”. Trace with a JPEG and JPEG filter: Test. Pcap
- MP3 Filter: http contains “\x49\x44\x33”. Trace with an MP3 and MP3 filter: Test. Pcap
- RAR Filter: http contains “\x52\x61\x72\x21\x1A\x07\x00”. Trace with a RAR and RAR filter: Test. Pcap
- AVI Filter: http contains “\x52\x49\x46\x46”. Trace with a AVI and AVI filter: Test. Pcap
- SWF Filter: http contains “\x46\x57\x53”. Trace with a SWF and SWF filter: Test. Pcap
- GZip Filter: http contains “\x1F\x8B\x08”. Trace with a GZIP and GZIP filter: Test. Pcap
- Email address Filter: smtp matches “”[a-zA-Z0–9._%+-]+@[a-zA-Z0–9._%+-]””. Trace with an email and Email regex filter: Test. Pcap
- IP address Filter: http matches “”[0–9]{1,3}\.[0–9]{1,3}\.[0–9]{1,3}.[0–9]{1,3}””. Trace with HTTP traffic and IP address regex filter: Test. Pcap
- Credit card details (Mastercard) Filter: smtp matches “”5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}””. Trace with an email and Mastercard regex filter: Test. Pcap
- Credit card details (Visa) Filter: smtp matches “”4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}””. Trace with an email and Visa filter regex filter: Test. Pcap
- Credit card details (Am Ex) Filter: smtp matches “”3\\d{3}(\\s|-)?\\d{6}(\\s|-)?\\d{5}””. Trace with an email and Am Ex regex filter: Test. Pcap
- Domain name Filter: http matches “”[a-zA-Z0–9\-\.]+\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU|UK)””. Trace with an email and Email regex filter: Test. Pcap
- FTP User/Password Crack Filter: ftp contains \”530 User\”. Trace with FTP Hydra and 530 filter: Test. Pcap
- FTP Login Filter: tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==1. Trace with FTP Hydra and SYN/Port 21 filter: Test. Pcap
- Telnet Login Filter: tcp.port==23 && tcp.flags.syn==0 && tcp.flags.ack==0. Trace with Telnet Hydra and SYN/Port 23 filter: Test. Pcap
- Telnet Login Filter: telnet contains “login”: Test. Pcap
- Telnet Login Filter: telnet contains “Failed”: Test. Pcap
- Hping DoS Filter: tcp.flags.syn==1 && tcp.flags.ack==0. Trace with Hping and SYN flag filter: Test. Pcap
And we can write more complex rules with Snort. With this we take our PCAP files, and test then with rules. Snort does this with a stand-alone analyser using the “-r” option:
The following are the traces that can be used in Snort:
- Trace with Wanna Crypto (infecting): here Test.
- Trace with Wanna Crypto (Tor): here Test.
- Trace with Hydra FTP crack/Bad Login: here Test.
- Trace with Hydra Telnet crack: here Test.
- Trace with Port Scan: here Test.
- Trace with SYN Flood (DoS): here Test.
- Trace with FIN Flood (DoS): here Test.
- Trace with PDF file: here Test.
- Trace with GIF file: here Test.
- Trace with PNG file: here Test.
- Trace with ZIP file: here Test.
- Trace with JPEG file: here Test.
- Trace with MP3 file: here Test.
- Trace with RAR file: here Test.
- Trace with AVI file: here Test.
- Trace with SWF file: here Test.
- Trace with GZip file: here Test.
- Trace with email attachments (MIME): here Test.
- Trace with email addresses: here Test.
- Trace with IP address: here Test.
- Trace with credit card details: here Test.
- Trace with DNS: here Test.
- Trace with Ping sweep: here Test.
- Trace with SNMP: here Test.
- Trace with ARP Spoof: here Test.
- Trace with Heartbleed: here Test.
- Teardrop DoS: here Test.
Conclusion
So, drop the GUI, and get into the command line.