Assessing a cyber security candidate

I typically assess a senior cyber security candidate across 7 basic domains in a technical interview before I actually jump into security. Sometimes a candidate is so good in these domains that asking questions about security becomes an afterthought. A quick dipstick check of fundamentals helps me understand where the candidate is coming from and whether he can actually leverage his technical skills in real security engagements. Since these domains are broad, the depth of the fundamentals assessment depends on the candidate's previous experience. For instance, I would not expect a college grad to know the complete ins and outs of Active Directory, but I would expect him to know programming, scripting, Linux, VMs and algorithms. A SOC guy should know network security, pcap analysis, protocols, BPF/ filters and elementary scripting. An experienced pentester is supposed to know almost all of the mentioned domains. At the end of the day, YMMV.

Tools are not going to make you a hacker; always remember what Gray Fox said:
"Only a fool trusts his life to a weapon"
These domains form the bread-and-butter basics of any good computer security candidate and enable him to understand the cross-functional world from the point of view of an architect, an operations analyst, an incident responder, a developer, a packet mangler or simply an adviser.

Depending upon the feedback of this article, I may share some good to have domains as well.

Nevertheless, here are the domains:
  1. OS Fundamentals / Software - This is a big one; without these, your attack vectors typically fall flat. Windows and Linux are mandatory. Can you set up a working environment for your own security setup from scratch? Comfortable with VMs? Docker? Jailed environments?
  2. Network/ Network Security - Routers, switches, load balancers et al, be it software or hardware. Are the concepts clear? Considering that a lot of the hardware is now virtualized/ customized and offered as a service by big providers, and that every now and then an attack/ exploit emerges that leverages misconfigurations in these systems/ services, these things are important. Can you understand a pcap? Do you understand routing? If there is one thing studying Phenoelit early on taught me, it was to understand networks and routing properly.
  3. Active Directory/ LDAP - I simply can't overstate the importance of AD/ LDAP when it comes to security. Considering how they function as the backbone of the enterprise, you are bound to encounter these. Having good fundamentals around these gives you a good head start when you actually pentest these environments.
  4. Servers/ Web services/ APIs - Server and web application basics: how they work, how they are deployed, and do you know how to secure them? Fundamentals are important here. You may be able to find a bug in an application, but in case you can't fix the application per se, can you secure or advise correctly about securing the environment itself? How are application headers used? Do you know how to interact with an API? Can you create your own? Do you operate any website/ web service? How do you scale it?
  5. Programming/ Scripting - Any one programming or scripting language you are comfortable with - Python/ Ruby/ Bash/ PowerShell et al. It doesn't matter which. Can you read code? Can you comprehend patterns? Can you write pseudocode? Do you have a fundamental understanding of algorithms?
  6. Hardware - Knowledge of hardware basics is good to have; you should be comfortable with at least setting up platforms like Raspberry Pi, BeagleBone et al. Can you identify pinouts on an unknown board? Can you read technical manuals? What is your portable platform of choice? Can you set up your own VPN environment on a Raspberry Pi and hook it up with your test laptop?
  7. Architecture/ Tooling - A typical question starts like this: create a full-fledged network for 100 people with everything included - LAN, WAN, web services, email et al. Now design it for 1000 people. Now for 10K people. Now let's break it systematically: how will you break it? What attack vectors? What if Burp Suite is not available? Can you leverage curl? How can we improve it?

These domains are absolute essentials: platforms and tools may make you a bug hunter, but knowledge of these will make you a better one.
There you go. If you know these, you already have a healthy background in computer security basics, and I wish you the best of luck.

This was crossposted at Fruxlabs Team blog.

The Rescure Cyber Threat Intelligence Project - Sensor Update

We have massively upgraded our sensor detection, logging and monitoring capabilities at rescure.fruxlabs.com: we detected around 350K attacks in the last 24 hours, which are then funneled and curated into feeds by our correlation system. The upgrade included removing code cruft, updating data pipelines and a new ELK stack that can monitor multiple sensors at once. Feeds have been optimized as well, and the stack has been migrated to new high-performance servers.

Countless hours and personal funds have gone into maintaining this; special thanks to the Fruxlabs Crack Team for being there. w00t!



In case you wish to collaborate in terms of sensors/ feeds/ research, please reach out to us at hello@theprohack.com.

The Rescure Cyber Threat Intelligence Project - Domain Blacklist Update

We are now publishing a consumable list of malicious domains at rescure.fruxlabs.com as part of our independent cyber threat intelligence project.

Each node in the snapshot below is an event with its own attributes (around 2 million events in total), correlated in real time to ensure that only offending, malicious domains are listed at the portal. The current domain list size is around 18 thousand (! and growing) and is updated every 4 hours at
https://rescure.fruxlabs.com/rescure_domain_blacklist.txt
(Figure: Rescure Cyber Threat Intel domain list simulation)
As always, feedback is appreciated at hello@theprohack.com

REScure Cyber Threat Intelligence Feed

We are now generating a daily blacklist of malicious IPs via our own threat intel solution. The feed is generated every 6 hours and is now available at
https://rescure.fruxlabs.com/
The snapshot below is the end result of the penultimate stage of correlating millions of data points, which are finally grouped into attack groups before they are published at rescure.fruxlabs.com.
(Figure: correlation snapshot at the REScure feed)
You are encouraged to try it and consume it into your security solutions. Since this is in beta, we are limiting it to IPs only.
(Figure: REScure feed as it may look in your SIEM)
We are alpha testing API access, detailed Indicators of Compromise access, STIX/TAXII/OpenIOC exports, realtime refresh rates and a lot more. This is an independent project we undertook to enhance our understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to efficiently collect, store, consume and distribute it.
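As an added example of consuming the domain and IP lists (my code, not the project's), here is a small matcher that loads both feeds and runs resolver log lines against them. The feed layout is my assumption, one indicator per line with '#' comments, since the posts do not show the file format; the feed text and log lines are constructed samples. It matches domains on label boundaries so a listed domain does not fire on every name that merely contains it as a substring.

```python
import ipaddress
import re

# Constructed sample feeds (not real Rescure data); assumed format: one indicator per line, '#' comments.
DOMAIN_FEED = "# constructed\nbad-updates.example\nTracker.Evil.example.\n\n"
IP_FEED = "# constructed\n203.0.113.77\n198.51.100.0/24\nnot-an-ip\n"
# Constructed resolver log: client, queried name, answer (tab-separated).
DNS_LOG = [
    "10.0.0.12\tcdn.bad-updates.example\t203.0.113.77",
    "10.0.0.13\twww.example.org\t192.0.2.10",
    "10.0.0.14\tnotbad-updates.example\t192.0.2.11",  # substring only: no hit
    "10.0.0.15\tmail.example.net\t198.51.100.5",      # answer inside listed /24
]

def parse_feed(text):
    """Return (domains, networks); lines that are neither are dropped, not guessed."""
    domains, nets = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", line):
                domains.add(line)
    return domains, nets

def domain_hit(name, domains):
    """Match on label boundaries: 'cdn.bad-updates.example' hits a listed
    'bad-updates.example', 'notbad-updates.example' does not; bare TLDs are skipped."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in domains:
            return cand
    return None

def match_dns_log(lines, domain_feed=DOMAIN_FEED, ip_feed=IP_FEED):
    """Return (client, qname, indicator) for each log line hitting either feed."""
    domains, nets = parse_feed(domain_feed + "\n" + ip_feed)
    hits = []
    for line in lines:
        client, qname, answer = line.split("\t")
        ip = ipaddress.ip_address(answer)
        why = domain_hit(qname, domains) or next((str(n) for n in nets if ip in n), None)
        if why:
            hits.append((client, qname, why))
    return hits
```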

The project is being jointly developed with Sreyash and Eshan.

Your feedback is appreciated, please share it at hello@theprohack.com.

How I turned my phone into a hacking machine

There are probably hundreds (if not thousands) of tutorials on this, but since I wanted a portable, non-rooted, disposable hacking device that can also take calls (a.k.a. a cellphone/smartphone), I decided to mod an Android based device. I have done this earlier (probably 5 years back) by installing Arch Linux on my Android phone on a separate partition and booting it. This can be done today as well, but since I do not want to root my cellphone and do not want to use proot/LibSDL, I decided to see what can be done in a non-rooted environment.

Intended audience for this piece: anyone with a bit of hands-on experience on Linux. Consider this my personal cliff notes in case I have to do it again. Let me even include an age-old disclaimer (taken from XDA aeons ago):
I am not responsible for bricked devices, dead SD cards, thermonuclear war, or you getting fired because the alarm app failed. Please do some research before running commands. YOU are choosing to make these modifications, and if you point your finger at me for messing up your device, I will laugh at you.
My iPhone recently went kaput during a fated trip to Jubail, KSA, and I zeroed in on an inexpensive, capable device (Motorola G4 Play for around 120 USD) that I won't feel bad about in case it gets lost or breaks into a million pieces.

Well, the device specs are average, the phone feels rugged and the battery can be taken out by simply removing the cover (which is EXTREMELY important to me). It comes with Android 6.0 and will probably never get updated to Android 7.0 (owing to Lenovo's shitty firmware update cadence), but once I disabled a lot of applications, the phone feels quick and is a joy to use.

First things first -
Disabled: Chrome, Cloud Print, Device Help, Drive, File Manager, FM Radio, Google Japanese/Korean/Pinyin/Zhuyin Input, Google Play Movies, Google Play Music, Google Hangouts, Messenger, Photos and other Motorola bloatware.

Double-check device administrators. I would have removed a lot more software, but then I will also be using this phone for making calls and for light personal use.

Installed: Firefox (with uBlock), ES File Explorer, Termux, Hacker's Keyboard, Textra (for SMS), QuickPic, OpenVPN, SMS Backup+, FastHub (or GitHub), Fing (quick GUI based network discovery), Flud (torrents), Google Authenticator, AndFTP, drozer agent, Packet Capture (application specific packet capture), Tor and Phonograph (lightweight music application).

Once the device's innards were replaced with a bit more capable/lightweight software, I launched Termux, which is probably the most important terminal emulator written for Android. From its website:
"Termux is an Android terminal emulator and Linux environment app that works directly with no rooting or setup required. A minimal base system is installed automatically; Additional packages are available using the APT package manager. "
Onwards we go.
  • I started by updating Termux and its inherent environment: apt update && apt upgrade
  • Installed python2, python3, nmap, openssh, git, python-pip and htop through the relevant apt commands.
  • Installed Metasploit through https://github.com/Auxilus/Auxilus.github.io/blob/master/metasploit.sh (turns out this script has been stolen by a lot of folks, like this guy over here, and this one for YouTube likes).
  • Installed scapy.
  • Generated OpenSSH keys and configured OpenSSH to run in server mode so that I can log in to my cellphone if required. Make sure you check the username with whoami before generating keys. PuTTY aficionados may want to convert id_rsa keys using puttygen before loading them.
  • Configured the OpenVPN application to connect to my remote server. Added Tor support.
  • Authenticated the FastHub application with my GitHub account through a personal access token.
  • Tested everything.
  • Generated a list of packages for later use by running the following command: "dpkg --get-selections | cut -f1 > bkup_pack.txt".
  • Took a tar backup of the current Termux installation for later use. I admit it is a quick and dirty hack, but it works. Yes, I tested it.
cd /data/data/com.termux/files
tar -cvzf /sdcard/Download/termux.tgz --owner=0 --group=0 home usr
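A Python take on the two backup steps above (the dpkg package list and the tar of home and usr), added here and not part of the post's own commands; it keeps the --owner=0 --group=0 semantics and records a SHA-256 so a later restore can check the archive is intact. Two assumptions of mine: ~/.ssh is skipped because /sdcard is readable by any app holding the storage permission, and make_sample_tree builds a constructed stand-in for the Termux directory so the code can be tried off-device.

```python
import hashlib
import os
import subprocess
import tarfile
import tempfile

# Path from the post: Termux keeps its 'home' and 'usr' trees here.
TERMUX_FILES = "/data/data/com.termux/files"
# Skipped by default (my choice, not the post's): /sdcard is readable by every
# app with storage permission, so SSH keys should not ride along in the archive.
EXCLUDE = (".ssh",)

def package_selections():
    """Same names as `dpkg --get-selections | cut -f1`; empty if dpkg is absent."""
    try:
        proc = subprocess.run(["dpkg", "--get-selections"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return [ln.split()[0] for ln in proc.stdout.splitlines() if ln.strip()]

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def backup_termux(files_dir, out_path, dirs=("home", "usr"), exclude=EXCLUDE):
    """Archive dirs under files_dir as gzip tar; return (sorted member names, sha256)."""
    def as_root(info):                        # mirrors tar --owner=0 --group=0
        if any(part in exclude for part in info.name.split("/")):
            return None                       # None drops the member (and its subtree)
        info.uid = info.gid = 0
        info.uname = info.gname = "root"
        return info
    with tarfile.open(out_path, "w:gz") as tar:
        for d in dirs:
            tar.add(os.path.join(files_dir, d), arcname=d, filter=as_root)
    with tarfile.open(out_path) as tar:
        names = sorted(m.name for m in tar.getmembers())
    return names, sha256_file(out_path)

def make_sample_tree():
    """Constructed stand-in for TERMUX_FILES so the backup can be tried off-device."""
    base = tempfile.mkdtemp()
    for rel in ("home/.bashrc", "home/.ssh/id_rsa", "usr/bin/nmap"):
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample\n")
    return base
```

On the phone, call backup_termux(TERMUX_FILES, "/sdcard/Download/termux.tgz") and keep the returned digest with the package list.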
For more adventurous souls, you can go ahead with a rootfs option: https://github.com/xeffyr/Termux-RootFS. A simple tutorial for this would be here; however, during my experiments I found it to be buggy and some applications do not work properly. Since I value stability and security over everything, I promptly reverted to my old fs.

Does everything work? Hell yeah.

(Screenshots: device statistics; Metasploit and Python HTTP server running; scapy running; GitHub access)

To do:
  1. Something about PostgreSQL stability, the sucker generally has connection issues.
  2. Improve documentation
  3. Harden device (CIS/STIG)