Whether you are a sysadmin, a threat intel analyst, a malware researcher, a forensics expert, or a software developer looking to build secure software, these 15 free tools hosted on GitHub or GitLab can fit into your day-to-day work and give you an edge.
Editor’s note: This article, originally published in April 2016, has been updated to include tools that are currently in popular use.
1. ELF Parser
Many virtualized malware analysis and sandboxing solutions exist for peeking into Windows malware, but analyzing suspicious Linux binaries is slightly more challenging, with fewer tools available to study the behavior of these native ELF executables. I experienced this challenge when ascertaining the behavior of a hard-to-detect macOS and Linux malware packed in an ELF executable. This is where ELF Parser, combined with traffic analysis tools like Wireshark and static analysis tools like hexdump, made the research a tad easier.
ELF Parser neatly breaks down the strings found inside an ELF executable into URLs, plain strings, IP addresses, function calls and network functions. The tool also highlights signs of suspicious activity such as information gathering and reconnaissance (e.g., retrieving environment variables), process manipulation and other such tasks performed by the binary. The more suspicious tasks or function calls a binary contains, the higher the “score” the tool calculates. Treat the score as a triage hint rather than a verdict: a packed or statically linked binary hides most of its strings, and a benign network daemon legitimately calls socket functions.
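To make the scoring idea concrete, here is an added example (not ELF Parser's own code) that decodes an ELF64 header, pulls printable strings the way strings(1) does, sorts them into URLs, IPv4 addresses and suspicious function names, and sums a score. The sample binary, the function categories and the weights are all constructed for this illustration; the host name and address use reserved example ranges.

```python
import re
import struct

# Constructed sample: a well-formed 64-byte ELF64 header followed by a fake
# string table. It is not a runnable executable; it only exercises the
# classifier below.
_ELF_HEADER = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # e_ident: ELF64, little-endian, v1
    + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1,              # e_type ET_EXEC, e_machine EM_X86_64, e_version
        0x401000, 64, 0, 0,    # e_entry, e_phoff, e_shoff, e_flags
        64, 56, 0, 64, 0, 0,   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    )
)
SAMPLE_BINARY = _ELF_HEADER + b"\x00" * 16 + b"\x00".join([
    b"/lib64/ld-linux-x86-64.so.2",
    b"getenv", b"ptrace", b"socket", b"connect", b"execve", b"fork",
    b"http://c2.example.invalid/update.bin",   # constructed, non-routable host
    b"198.51.100.23",                          # RFC 5737 documentation address
    b"HOME", b"Usage: %s [options]",
]) + b"\x00"

ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINES = {3: "i386", 40: "arm", 62: "x86-64", 183: "aarch64"}

# Function names grouped the way a triage report groups them. Each hit adds 1
# to the score; URLs and IP addresses add 2 because they are stronger IOCs.
SUSPICIOUS = {
    "information gathering": {"getenv", "gethostname", "getuid", "uname", "getpwnam"},
    "process manipulation": {"ptrace", "fork", "execve", "kill", "prctl"},
    "networking": {"socket", "connect", "bind", "listen", "send", "recv"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_elf_header(data):
    """Decode the fields a triage tool shows first; raise on non-ELF input."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only decodes ELF64 little-endian headers")
    e_type, e_machine, _, e_entry = struct.unpack("<HHIQ", data[16:32])
    return {
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
    }


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, as strings(1) reports them."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    report = {"header": parse_elf_header(data), "urls": [], "ips": [],
              "functions": {}, "score": 0}
    for s in extract_strings(data):
        report["urls"].extend(URL_RE.findall(s))
        report["ips"].extend(ip for ip in IPV4_RE.findall(s)
                             if all(int(octet) < 256 for octet in ip.split(".")))
        for category, names in SUSPICIOUS.items():
            if s in names:
                report["functions"].setdefault(category, []).append(s)
    report["score"] = (2 * (len(report["urls"]) + len(report["ips"]))
                       + sum(len(v) for v in report["functions"].values()))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```

Run it against a real sample by replacing SAMPLE_BINARY with the file's bytes; on a stripped, packed binary the string list will be short, which is itself a signal worth recording.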
2. YARA
Originally developed by Victor Alvarez of VirusTotal, YARA has become a must for malware researchers and SOC analysts alike. “With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a Boolean expression which determine its logic,” reads YARA’s official documentation.
Security researchers often post YARA rules on Twitter or in VirusTotal’s community section for malware samples. The purpose of these rules is to help IT professionals detect a particular malware strain or indicator of compromise (IOC) in their environment.
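To show what “a set of strings and a Boolean expression” means in practice, here is an added example: a rule written in real YARA syntax, followed by a small Python evaluator for the subset of the language the rule uses (text strings with the nocase modifier, hex strings with ?? wildcards, and conditions of the form N of them or flat and/or/not chains). The evaluator is illustration code, not YARA's engine, and the rule, its strings and the two sample blobs are constructed for this example; in production you would compile and match with the yara command-line tool or yara-python.

```python
import re

# Constructed rule in real YARA syntax. The strings and the condition are
# invented for this illustration and do not describe any actual malware family.
RULE = r'''
rule Example_Downloader
{
    meta:
        description = "Added illustration: two of three artifacts must be present"
    strings:
        $url = "http://c2.example.invalid/update.bin"
        $env = "GETENV" nocase
        $mz  = { 4D 5A ?? 00 }
    condition:
        2 of them
}
'''

# Constructed inputs: a Linux-style blob carrying two of the artifacts, and a
# PE-style blob carrying only the MZ stub.
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 12 + b"getenv\x00http://c2.example.invalid/update.bin\x00"
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode"

HEX_BODY = re.compile(r"\{([0-9A-Fa-f?\s]+)\}")


def parse_rule(text):
    """Compile the strings section of one rule and return its condition text."""
    strings_src, condition_src = text.split("strings:", 1)[1].split("condition:", 1)
    compiled = {}
    for line in strings_src.splitlines():
        line = line.strip()
        if not line.startswith("$"):
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        if value.startswith('"'):                       # text string, e.g. "abc" nocase
            end = value.rindex('"')
            modifiers = value[end + 1:].split()
            flags = re.IGNORECASE if "nocase" in modifiers else 0
            compiled[name] = re.compile(re.escape(value[1:end].encode()), flags)
        elif value.startswith("{"):                     # hex string, e.g. { 4D 5A ?? 00 }
            tokens = HEX_BODY.match(value).group(1).split()
            pattern = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                               for t in tokens)
            compiled[name] = re.compile(pattern, re.DOTALL)
    condition = condition_src.strip().rstrip("}").strip()
    return compiled, condition


def evaluate(rule_text, data):
    """Return (matched, offsets) for one rule against one byte blob."""
    compiled, condition = parse_rule(rule_text)
    offsets = {name: [m.start() for m in rx.finditer(data)] for name, rx in compiled.items()}
    hit = {name: bool(offs) for name, offs in offsets.items()}

    quantified = re.fullmatch(r"(all|any|\d+) of them", condition)
    if quantified:
        word = quantified.group(1)
        needed = len(hit) if word == "all" else 1 if word == "any" else int(word)
        matched = sum(hit.values()) >= needed
    else:
        # Flat boolean chain: `and` binds tighter than `or`, `not` prefixes a term.
        def term(token):
            negate = token.startswith("not ")
            value = hit.get(token[4:].strip() if negate else token, False)
            return value != negate
        matched = any(all(term(t.strip()) for t in clause.split(" and "))
                      for clause in condition.split(" or "))
    return matched, offsets


if __name__ == "__main__":
    for label, blob in (("elf-like", SAMPLE_ELF), ("pe-like", SAMPLE_PE)):
        print(label, evaluate(RULE, blob))
```

The same rule text pasted into a .yar file runs unchanged under the real tool; the point of the evaluator is to make the string-match-then-boolean-condition model visible, including the way hex wildcards and the nocase modifier widen a match.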
3. PageBuster
For dynamic analysis of a Linux binary, malicious or benign, PageBuster makes it easy to retrieve dumps of the executable pages of a packed Linux process. This is especially useful when pulling apart malware packed with specialized run-time packers that introduce obfuscation and hamper static analysis.
“Packers can be of growing complexity, and, in many cases, a precise moment in time when the entire original code is completely unpacked in memory doesn’t even exist,” explains security engineer Matteo Giordano in a blog post.
PageBuster also takes care to perform its page dumping without triggering any anti-virtual-machine or anti-sandboxing defences present in the analyzed binary (as found in evasive malware).
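The raw material for any page dumper on Linux is /proc/PID/maps, which lists each mapped region with its permissions. Here is an added example (not PageBuster's code) that parses a maps snapshot, picks out the executable regions, and singles out anonymous writable-and-executable regions, which is where run-time packers usually write the decoded code. The snapshot below is constructed for the example, with invented addresses; dump_region and snapshot_live read a live process and need ptrace access to it (same user with a permissive Yama ptrace_scope, or root), so they are not exercised by the sample.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed snapshot of a packed process: the on-disk image at 0x400000 and a
# private anonymous rwx region where a packer has written the unpacked code.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234  /tmp/packed
00401000-00405000 r-xp 00001000 08:01 1234  /tmp/packed
00405000-00406000 rw-p 00005000 08:01 1234  /tmp/packed
7f3a00000000-7f3a00021000 rwxp 00000000 00:00 0
7f3a00021000-7f3a00200000 ---p 00000000 00:00 0
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0  [stack]
"""


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self):
        return self.end - self.start

    @property
    def anonymous(self):
        # No backing file, or a pseudo-path such as [heap] or [stack]
        return self.path == "" or self.path.startswith("[")


def parse_maps(text):
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def executable_regions(regions):
    return [r for r in regions if "x" in r.perms]


def unpacking_candidates(regions):
    """Writable+executable anonymous regions: where packers usually drop code."""
    return [r for r in regions if "w" in r.perms and "x" in r.perms and r.anonymous]


def dump_region(pid, region):
    """Copy one region out of a live process (needs ptrace access to <pid>)."""
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(region.start)
        return mem.read(region.size)


def snapshot_live(pid):
    """Dump every executable region of a running process once.

    A packer can decode, run and re-encrypt code in stages, so one snapshot
    can miss part of it; capturing pages repeatedly as they become executable
    is what a dedicated tool such as PageBuster adds over this one-shot dump.
    """
    with open(f"/proc/{pid}/maps") as fh:
        regions = executable_regions(parse_maps(fh.read()))
    return {r: dump_region(pid, r) for r in regions}


if __name__ == "__main__":
    for r in unpacking_candidates(parse_maps(SAMPLE_MAPS)):
        print(f"candidate {r.start:#x}-{r.end:#x} ({r.size} bytes) {r.perms}")
```

A dumped region is raw bytes with no ELF header, so load it into a disassembler at the region's start address rather than as a file; that is also why the region list, not just the bytes, belongs in your notes.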
4. AuditJS
AuditJS checks the npm dependencies of a Node.js project against known vulnerabilities. “The great thing about AuditJS is that not only will it scan the packages in your package.json, but it will scan all the dependencies of your dependencies, all the way down. Being able to know if you have a security vulnerability even on transitive dependencies can come with some significant peace of mind,” said developer Dan Miller in a blog post.
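The part that matters in that quote is the transitive walk: a vulnerable version can be installed twice under different paths, and only the lock file tells you which copy each package actually loads. Here is an added example (not AuditJS's code) that reads a lockfileVersion 2 package-lock.json, resolves each dependency the way npm does (nearest node_modules directory walking up from the requester), and reports every chain that ends in a version below an advisory's fix. The lock file contents, package names, versions and the advisory entry are all constructed for the example and refer to no real package or vulnerability.

```python
import json

# Constructed package-lock.json (lockfileVersion 2 layout). Names, versions and
# the advisory below are invented and do not refer to real npm packages.
LOCKFILE = json.loads("""
{
  "name": "app",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"left-util": "^1.0.0", "web-client": "^2.0.0"}},
    "node_modules/left-util": {"version": "1.0.0", "dependencies": {"parse-thing": "^1.0.0"}},
    "node_modules/parse-thing": {"version": "1.2.0"},
    "node_modules/web-client": {"version": "2.1.0", "dependencies": {"parse-thing": "^0.9.0"}},
    "node_modules/web-client/node_modules/parse-thing": {"version": "0.9.1"}
  }
}
""")

# A vulnerability feed entry in the shape such tools consume; constructed.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "name": "parse-thing", "fixed_in": "1.0.0",
     "title": "constructed example issue, fixed in 1.0.0"},
]


def resolve(packages, requester, name):
    """npm's lookup: nearest node_modules/<name> walking up from the requester."""
    base = requester
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_edges(packages):
    """Every (chain, resolved path) edge reachable from the root, transitively."""
    edges, visited = [], set()

    def visit(path, chain):
        for name in packages[path].get("dependencies", {}):
            target = resolve(packages, path, name)
            if target is None:
                edges.append((chain + [f"{name}@<unresolved>"], None))
                continue
            new_chain = chain + [f"{name}@{packages[target]['version']}"]
            edges.append((new_chain, target))
            if target not in visited:          # cycles and diamonds: walk each copy once
                visited.add(target)
                visit(target, new_chain)

    visit("", ["app"])
    return edges


def version_key(v):
    # Good enough for x.y.z; a real tool uses a semver library for ranges.
    return tuple(int(part) for part in v.split("-")[0].split("."))


def audit(lock, advisories):
    findings = []
    for chain, target in dependency_edges(lock["packages"]):
        if target is None:
            continue
        name, version = chain[-1].rsplit("@", 1)
        for adv in advisories:
            if adv["name"] == name and version_key(version) < version_key(adv["fixed_in"]):
                findings.append({"advisory": adv["id"], "package": f"{name}@{version}",
                                 "path": " > ".join(chain)})
    return findings


if __name__ == "__main__":
    for finding in audit(LOCKFILE, ADVISORIES):
        print(f"{finding['advisory']}: {finding['path']}")
```

Note what the sample shows: the hoisted parse-thing at the top level is a safe 1.2.0, while web-client carries its own nested 0.9.1, so a scan of package.json alone, or of top-level node_modules alone, would report the project as clean.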
5. Mihari
When you combine the power of Shodan, Censys, VirusTotal, SecurityTrails and a dozen other open-source intelligence (OSINT) services, you get Mihari. Mihari describes itself as a framework for continuous OSINT-based threat hunting, and the plethora of services it integrates with opens up many possibilities for collecting and managing OSINT.
After it has searched those services for artifacts of interest (IP addresses, domains, URLs or hashes) and recorded them in its database, the tool can alert you on Slack or TheHive, or by creating a new MISP event.
6. Regexploit
Denial of service (DoS) does not always come from a network flood against your server or a payload that crashes an application. Flaws in your regular expressions (regex) can be exploited to degrade the performance of your application or to cause a DoS condition outright.
The underlying weakness, in which a vulnerable regex pattern causes the regex engine to freeze or lag, is called “catastrophic backtracking”: a backtracking engine tries an exponential number of ways to divide the input among ambiguous, nested quantifiers before it gives up. Regexploit lets security researchers, ethical hackers and developers find out whether their regex has any regular expression denial of service (ReDoS) flaws.
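To see the weakness and a first-pass check for it, here is an added example, not Regexploit's own analysis: a function that walks Python's regex parse tree and counts unbounded repeats nested inside other unbounded repeats (star height of two or more, the shape behind the textbook `(a+)+` case), beside a timing function that makes the exponential blow-up visible. The patterns are constructed for the example; the parse-tree access through re._parser (or sre_parse on older interpreters) is a CPython implementation detail, not a public API.

```python
import re
import time

try:                                     # Python 3.11+ keeps the parser here
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:                      # 3.8 - 3.10
    import sre_parse, sre_constants

REPEAT_OPS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)


def nested_unbounded_repeats(pattern):
    """Count unbounded repeats (* + {n,}) that sit inside another unbounded repeat.

    Star height >= 2 is the classic shape behind catastrophic backtracking:
    `(a+)+` lets the engine split a run of a's in 2^n ways before failing.
    This is a coarse over-approximation, see the note after the block.
    """
    count = 0

    def walk(sub, depth):
        nonlocal count
        for op, av in sub:
            if op in REPEAT_OPS:
                _lo, hi, body = av
                unbounded = hi == sre_constants.MAXREPEAT
                if unbounded and depth >= 1:
                    count += 1
                walk(body, depth + (1 if unbounded else 0))
            elif op == sre_constants.SUBPATTERN:        # (...) and (?:...)
                walk(av[-1], depth)
            elif op == sre_constants.BRANCH:            # a|b
                for alternative in av[1]:
                    walk(alternative, depth)
            elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
                walk(av[1], depth)

    walk(sre_parse.parse(pattern), 0)
    return count


def match_seconds(pattern, text):
    """Wall-clock time of one search; grows exponentially for a ReDoS pattern."""
    started = time.perf_counter()
    re.search(pattern, text)
    return time.perf_counter() - started


# Constructed patterns: a textbook vulnerable one next to its safe rewrite.
VULNERABLE = r"^(a+)+$"
SAFE = r"^a+$"            # accepts exactly the same strings, without ambiguity
WORDS = r"^(\w+\s?)*$"    # common "list of words" pattern with the same flaw

if __name__ == "__main__":
    for pat in (VULNERABLE, SAFE, WORDS):
        print(f"{pat:20} nested unbounded repeats: {nested_unbounded_repeats(pat)}")
    # The non-matching tail forces the engine to exhaust every split.
    for n in (12, 16, 20):
        attack = "a" * n + "!"
        print(f"n={n:2}  vulnerable {match_seconds(VULNERABLE, attack):.4f}s"
              f"  safe {match_seconds(SAFE, attack):.6f}s")
```

Two caveats a practitioner should keep in mind. The star-height check over-reports: `^(?:[a-z]+\.)+[a-z]+$` is flagged even though the literal dot leaves the engine no ambiguity about where one iteration ends. It also under-reports: `(a|aa)+$` has star height one but is still exponential because the alternatives overlap. Regexploit's value is precisely that it reasons about that ambiguity rather than nesting alone, and that it produces the attack string for you; the rewrite still has to be checked by hand to accept the same language as the original.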
7. Awesome Cobalt Strike Defence
Cobalt Strike is a popular commercial pentesting tool used to simulate real-world advanced threats. As such, it has also been abused by adversaries to carry out real attacks.
Awesome-CobaltStrike-Defence is not a single tool but rather a collection of tools and techniques on GitHub, compiled by security researchers Michael Koczwara and Wojciech Lesicki to help cybersecurity pros prepare defences against advanced attacks that use Cobalt Strike and similar pentesting tools.
8. Boomerang
For red-teaming, Boomerang provides a way to expose internal servers to the web or cloud over HTTP or TCP tunnels. This has many uses depending on the context and scope of a security assessment. Written in Go, the tool can aid penetration testing and the establishment of command-and-control (C2) connections that may slip right through corporate firewalls, since the tunnel is opened outbound from the internal host.
9. Zed Attack Proxy (ZAP)
The Zed Attack Proxy (ZAP) is a user-friendly pentesting tool that finds vulnerabilities in web apps. It provides automated scanners as well as a set of tools for those who want to find vulnerabilities manually. It is designed for practitioners with a wide range of security experience, and is ideal for functional testers who are new to pentesting and for developers. There is even an official ZAP plugin for the Jenkins continuous integration and delivery server.
10. Shadrak
Shadrak is another decompression bomb generator, based on the ZipBomb package. Decompression bombs, or “zip bombs,” are very large files of useless, highly repetitive data compressed down to a few kilobytes (KB). When decompressed, the original file would consume more resources (e.g., terabytes of disk space or memory) than are available, causing the system to freeze or crash altogether.
For malware researchers and ethical hackers, Shadrak is a useful tool to be aware of. It can generate decompression bombs in various formats including 7-Zip, exe, RAR, ZIP and TAR. The tool’s developers claim its decompression bombs can crash or hang antivirus products, forensic tools and antispam systems, and cause a DoS condition on just about anything that decompresses files.
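Knowing how the bombs are built is most useful when you are on the receiving end, so here is an added example (not Shadrak's code) of the defensive side for the ZIP case: a builder that produces a single-layer bomb in memory, a triage function that reads only the central directory and flags a high compression ratio, an oversized declared total, or nested archives, and a bounded extractor that enforces its limit on the bytes that actually come out. The archives and thresholds are constructed for the example.

```python
import io
import zipfile


def make_zip(members):
    """Build an in-memory ZIP archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples built at import time: a normal archive and a single-layer
# bomb (20 MiB of zeros, which DEFLATE shrinks to roughly 20 KB).
BENIGN_ZIP = make_zip({"readme.txt": b"hello, this is a small file\n" * 4})
BOMB_ZIP = make_zip({"huge.bin": b"\x00" * (20 * 1024 * 1024)})

ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar", ".gz", ".bz2", ".xz")


def inspect_zip(data, max_ratio=100.0, max_total=64 * 1024 * 1024):
    """Triage from the central directory, before a single byte is inflated."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    nested = [i.filename for i in infos if i.filename.lower().endswith(ARCHIVE_SUFFIXES)]
    return {
        "members": len(infos),
        "declared_bytes": declared,
        "compressed_bytes": compressed,
        "ratio": ratio,
        "nested_archives": nested,                # the recursive, archive-in-archive trick
        "suspicious": ratio > max_ratio or declared > max_total or bool(nested),
    }


def bounded_read(data, member, limit):
    """Inflate one member with a hard cap on the bytes that actually come out.

    The central-directory sizes are attacker-controlled, so the limit is
    enforced on the inflated stream, not on the declared file_size.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(member) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return bytes(out)
            if len(out) + len(chunk) > limit:
                raise ValueError(f"{member}: exceeded {limit} bytes while inflating")
            out += chunk


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("bomb", BOMB_ZIP)):
        print(label, inspect_zip(blob))
```

DEFLATE tops out near a 1032:1 ratio per layer, which is why multi-layer bombs nest archives inside archives; a service that unpacks recursively needs a depth limit and a cumulative byte budget across layers, not just the per-member cap shown here.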
11. Photon
Photon is a fast web crawler designed for gathering OSINT. It can be used to collect email addresses, social media accounts, Amazon S3 buckets and other information relating to a domain. Photon draws on public sources such as Google and the Internet Archive’s Wayback Machine. Written in Python, Photon supports plugins to export the collected data in a neat JSON format or to integrate DNSDumpster.
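The extraction step of such a crawler is simple enough to show in full. Here is an added example (not Photon's code) that takes one fetched page, collects every href and src, sorts links into in-scope, external and social-media sets, and pulls e-mail addresses and S3 bucket names (both virtual-hosted and path-style URLs) out of the raw HTML, ready for JSON export. The page, hosts, bucket names and addresses are constructed for the example; fetching and crawling the in-scope links is left out so the block runs offline.

```python
import json
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page standing in for a crawled response; every host, bucket and
# address below is invented for the example.
SAMPLE_HTML = """
<html><body>
  <a href="/about">About</a>
  <a href="https://twitter.com/example_corp">Twitter</a>
  <a href="https://www.linkedin.com/company/example-corp">LinkedIn</a>
  <a href="mailto:press@example.com">Press</a>
  <p>Report issues to security@example.com.</p>
  <img src="https://assets-example-corp.s3.us-east-1.amazonaws.com/logo.png">
  <script src="https://s3.amazonaws.com/example-corp-backups/app.js"></script>
  <a href="https://partner.example.net/login">Partner portal</a>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Virtual-hosted (bucket.s3[.region].amazonaws.com/...) and path-style
# (s3[.region].amazonaws.com/bucket/...) S3 URLs.
BUCKET_RES = (
    re.compile(r"https?://([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.I),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)", re.I),
)
SOCIAL_HOSTS = {"twitter.com", "x.com", "linkedin.com", "github.com",
                "facebook.com", "instagram.com", "youtube.com"}


class LinkCollector(HTMLParser):
    """Gather every href/src the page references."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("href", "src") and value:
                self.links.append(value)


def extract_osint(base_url, html):
    collector = LinkCollector()
    collector.feed(html)
    base_host = urlparse(base_url).netloc.lower()
    found = {"emails": set(), "social": set(), "buckets": set(),
             "internal": set(), "external": set()}

    found["emails"].update(e.lower() for e in EMAIL_RE.findall(html))
    for rx in BUCKET_RES:
        found["buckets"].update(m.group(1).lower() for m in rx.finditer(html))

    for link in collector.links:
        if link.startswith(("mailto:", "tel:", "#")):
            continue
        absolute = urljoin(base_url, link)
        host = urlparse(absolute).netloc.lower()
        bare = host[4:] if host.startswith("www.") else host
        if bare in SOCIAL_HOSTS:
            found["social"].add(absolute)
        elif host.endswith(".amazonaws.com"):
            continue                                   # already reported as a bucket
        elif host == base_host or host.endswith("." + base_host):
            found["internal"].add(absolute)            # candidates for further crawling
        else:
            found["external"].add(absolute)
    return {key: sorted(values) for key, values in found.items()}


def to_json(result):
    return json.dumps(result, indent=2)


if __name__ == "__main__":
    print(to_json(extract_osint("https://example.com/", SAMPLE_HTML)))
```

The internal list is the crawl frontier; the external list is where scope decisions get made, and a bucket name found in a script tag is worth checking for public listing before anything else.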
12. Mozilla Defense Platform (MozDef)
For incident response professionals, the Mozilla Defense Platform (MozDef) is an open-source platform for automatically handling, monitoring, responding to and managing security incidents as they occur. MozDef builds on Elasticsearch, Meteor and MongoDB to extend traditional SIEM capabilities with incident response workflows and visualizations.
13. Lynis
For thorough security audits of Unix-based systems such as Linux, macOS and the BSDs, look no further than Lynis. Its makers wanted to make it easy for defenders and blue teamers to assess the security measures they have in place and to get tips on how to harden their systems further. Sysadmins, security auditors and pentesters alike will find value in adding Lynis to their toolkit.
15. Autopsy / The Sleuth Kit
For digital forensics experts, Autopsy provides a graphical user interface (GUI) application built on The Sleuth Kit project to help analyze hard drives and smartphones. Although Autopsy is meant to be cross-platform (Windows, Linux, macOS), its makers primarily test it on Windows.
This story, “15 open source GitHub projects for security pros” was originally published by
Copyright © 2021 IDG Communications, Inc.