
Tools of the trade

  • Christian Popov
  • May 14, 2019
  • 3 min read

Updated: Feb 8, 2020

Hello dear reader,


Another day another post inspired by Twitter. (I really should spend less time on Twitter...)


This time the post comes from Florian Roth (@cyb3r0ps) on tools used to gather data on IPs, domains and more.

You can find his list of tools in the link below: https://www.slideshare.net/FlorianRoth2/security-analyst-workshop-20190314


Original tweet

So, I decided to share an extended list of the tools I use on my day-to-day investigations.


Dear reader, you don't have to use all of them; pick the ones you like and go with them.

Unless you want to go for the absolute overkill.


If that sounds like something you would go for, you have a friend in me. :)



Be aware there might be some overlap with Florian's tools/slides.


IP Look-up:

Base IP Information:

https://whatismyipaddress.com

https://www.robtex.com/ip-lookup/

https://www.ipvoid.com

Blacklists and Heuristics:

http://multirbl.valli.org

https://www.abuseat.org/lookup.cgi

https://www.malwares.com

https://viz.greynoise.io/table

https://www.threatminer.org

When investigating public IPs, the first thing I would go for is generic information.

IP address, host name, ASN, DNS records, organization, geo-location.


IPVoid and Robtex are good for that kind of stuff.




After I've established my base facts about the IP, I would move on to blacklists.

Multirbl is a great tool to search across many blacklists.


MultiRBL

Beyond blacklists, you can look up heuristic information on the IP,

meaning what kind of activity has been reported for said IP.


Bulk IP look-ups:

https://www.bulkblacklist.com

https://www.infobyip.com/ipbulklookup.php


Before moving to the other tools I want to mention the Bulk lookup tools.

Man do I love these two.


If you have to work with large sets of IPs, such as reports, these are your best friend.

Bulk IP resolve
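To show what the blacklist and bulk lookup tools above actually do under the hood, here is an added Python example (not part of the original post, and not code from any of the linked services). It pulls the unique public IPv4 addresses out of a pasted report, builds the reversed-octet DNSBL query names that services like MultiRBL issue behind the scenes, and reads an answer inside 127.0.0.0/8 as a listing, as RFC 5782 specifies. The report text, the `bl.example.com`/`rbl.example.net` zones and the offline `fake_resolver` are constructed placeholders; `socket_resolver` is the live alternative.

```python
import ipaddress
import re
import socket

# Constructed sample "report" text: the kind of export an analyst pastes into a bulk lookup tool.
SAMPLE_REPORT = """
Firewall alerts export (constructed sample, RFC 5737 documentation addresses)
src=198.51.100.23 dst=10.0.0.5 action=blocked
src=203.0.113.77 dst=10.0.0.5 action=allowed
src=198.51.100.23 dst=192.168.1.10 action=blocked
src=999.1.1.1 note=garbage that looks like an address
src=2001:db8::1 dst=10.0.0.5 action=blocked
"""

# Placeholder DNSBL zones (RFC 2606 example names): substitute the zones of the lists you actually use.
ZONES = ["bl.example.com", "rbl.example.net"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address space that is never worth an external lookup: "this" network, RFC 1918, loopback,
# link-local, multicast and reserved. The RFC 5737 documentation ranges are deliberately
# left out so the constructed sample above passes through.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def extract_public_ipv4(text):
    """Return the unique IPv4 addresses in text that are worth looking up, in first-seen order."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1: matches the regex but is not an address
        if ip in found or any(ip in net for net in NON_ROUTABLE):
            continue
        found.append(ip)
    return [str(ip) for ip in found]


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL expects: 198.51.100.23 -> 23.100.51.198.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbls(ip, zones, resolve):
    """Query each zone for ip. resolve(name) returns an A record as a string, or None for NXDOMAIN.

    Per RFC 5782 a listing is an answer inside 127.0.0.0/8; the last octet encodes a
    list-specific reason, so it is kept for the analyst to read against that list's documentation.
    """
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits[zone] = answer
    return hits


def socket_resolver(name):
    """Live resolver via the system stub resolver; NXDOMAIN (or any other failure) reads as 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


# Constructed offline resolver so the example runs without network access:
# 198.51.100.23 is "listed" in one placeholder zone, nothing else resolves.
FAKE_ANSWERS = {"23.100.51.198.bl.example.com": "127.0.0.2"}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name)


def triage_report(text, zones, resolve=fake_resolver):
    """Bulk workflow: pull the public IPv4s out of a report, then check each one against every zone."""
    return {ip: check_dnsbls(ip, zones, resolve) for ip in extract_public_ipv4(text)}


if __name__ == "__main__":
    # Pass resolve=socket_resolver (and real zones) to run this against live blacklists.
    for ip, hits in triage_report(SAMPLE_REPORT, ZONES).items():
        status = "listed in " + ", ".join(hits) if hits else "not listed"
        print(f"{ip}: {status}")
```

One practical check before trusting a "not listed" result from a live run: RFC 5782 requires every conformant IPv4 DNSBL to list the test address 127.0.0.2, so querying that address first tells you whether your resolver can reach the zone at all.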

All-in-one platforms:

https://exchange.xforce.ibmcloud.com

https://pulsedive.com

https://www.virustotal.com/#/home/upload

https://otx.alienvault.com/dashboard/new

https://community.riskiq.com/home

https://mxtoolbox.com/NetworkTools.aspx

https://app.threatconnect.com/auth/index.xhtml

https://talosintelligence.com

I'm calling this bunch of tools all-in-one platforms because they can do many things.

You can check IPs, URLs, hashes, hosts, etc.

You need to create an account to use some of these services.

My favorites would be IBM X-Force, VirusTotal, PulseDive and RISKIQ.


It's not DNS! *Morgan Freeman narrator voice*: It was indeed DNS.

In the list below you will find some of my favorite DNS tools.


DNS:


http://whois.domaintools.com

https://domainbigdata.com

https://dnsrecords.io

https://dnsdumpster.com

https://mxtoolbox.com/NetworkTools.aspx (DNS Tools)



Vulnerability search engines:


https://sploitus.com

https://vulmon.com


Dear reader, if you are looking for a specific vulnerability, try one of these.

If you're looking for the hot new critical vulnerability right now but can't seem to remember it, you can use the By Recent Activity option in Vulmon.

If you're feeling a bit red or purple-ish today, you can use Sploitus to find said vulnerability and download a PoC or two.



IoT Search Engines:

Search engines... you gotta love 'em. Other than Censys and Shodan I would like to add BinaryEdge, ThreatCrowd, Onyphe and PublicWWW to the list.


You could check out FOFA and ZoomEye, but I have no idea what's going on there.


The Internet is dark and full of terrors....



Below are 2 of my favorite URL scanners.

Check them out.


URLs:

https://zulu.zscaler.com

https://urlscan.io


Malware Samples/Detonation :

https://www.hybrid-analysis.com

https://app.any.run

https://beta.virusbay.io/sample/browse

https://analyze.intezer.com/#/


As I said mind the overlap...


Magic:

https://gchq.github.io/CyberChef/

https://mindedsecurity.github.io/jstillery/

https://www.tutorialspoint.com/compile_java_online.php

Data Breach:

https://haveibeenpwned.com


Vendors:

I would suggest going to the site of your security vendor first and checking what information they have on the link/IP/hash,

then cross-checking with the other vendors. That's how I would do it.

Sophos:

Virus Definitions:

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware.aspx


Symantec:

URL scanner (BlueCoat Proxy): https://sitereview.bluecoat.com/#/

Virus Definitions: https://www.symantec.com/security_response/definitions.jsp?inid=globalnav_scflyout_virusdef

https://www.symantec.com/security-center/risks


McAfee: URL Scanner:

https://trustedsource.org/sources/index.pl

Fortigate: IPS Encyclopedia:

https://fortiguard.com/encyclopedia

Web filter lookup:

https://fortiguard.com/webfilter

CheckPoint:

https://www.checkpoint.com/advisories

https://threatpoint.checkpoint.com/ThreatPortal/emulation

https://www.checkpoint.com/urlcat/main.htm

Trend Micro:

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/


F5 Networks: https://support.f5.com/csp/home

WAF Violations: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/33.html


Cisco: https://tools.cisco.com/security/center/home.x


I'm going to make a post on triaging an alert and the specifics of the different types of alerts you get through your SIEM.


A story for another time....


Let me know what you think.


Cheers.


©2019 by ChrispySec.