Exploring this week's events, some useful tools, and two tutorials - right to your inbox!

Brought to you by...

Connect. Configure. Control. See how Drata simplifies compliance management. [Drata]( automates evidence collection with 80+ integrations and monitors risk 24/7 for 14+ frameworks. Whether it's SOC 2, ISO 27001, GDPR, or HIPAA, you can stay compliant without the messy, manual work. Book a demo and see why companies like Notion and Lemonade choose Drata to streamline their compliance programs. Plus, [Packt]( readers get 10% off and waived implementation fees.

SecPro #101: Time for an Autopsy.

Hello!

First of all, it's been a busy week for security experts. Not only have we seen a massive data leak that has affected potentially millions of people, but it seems that new malware gangs are appearing. That means that now is a perfect time to start brushing up on diagnostic skills and learning to recognize the adversary. That's why Sai's guide on using Autopsy is featured this week!

Similarly, we're looking to lend a hand to blue teams. This week, we start our Top 10 on the MITRE D3FEND framework. If you're interested in defensive work at the minute, make sure to check it out and tell us what you think!

Finally, thank you to everyone who entered our giveaway last week! We will be sending out the free Packt eBooks to our winners over the next few days. Make sure to watch this space so you don't miss out on any other giveaways!

Cheers!
[Austin Miller](
Editor in Chief

[TAKE THIS WEEK'S SURVEY!](

This week's highlights:
- [Using Autopsy](
- [D3FEND Top 10 - #10](
- [Learn Ethical Hacking from Scratch](
- [This Week's Survey](

And with that - on with the show!

This Week's Editorial Articles

[Using Autopsy](
Autopsy is fast, easy to use, and capable of analyzing all types of mobile devices and digital media. Its plug-in architecture enables extensibility. Autopsy is used in every industry by every professional who seeks help in recovering data.

[D3FEND Top Ten - #10](
We're bringing you a new top ten - this time, the D3FEND framework! Brought to you by MITRE, this is the counterpart to ATT&CK and is perfect for blue teams.

What's Going on in the World of Security?

Since the world of security is always changing, keeping up with blogs, insights, and other updates is almost half the job. That's why we've collected some recent blog posts from our favorite cybersecurity "talking heads" to give you a helping hand.
- [Krebs on Security]( - [Russian Hacker "Wazawaka" Indicted for Ransomware]( Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive, and LockBit.
- [Bruce Schneier]( - [Microsoft Patching a Secure Boot Bug]( The problem with the patch is that it breaks backwards compatibility: "...once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes."
- [Troy Hunt]( - [Update 347]( Troy discusses the recent RentoMojo breach and AusCERT.
- [Brian Honan]( - [RSA Reflections: A Look Back on the 2023 Security Conference]( "One leaves RSA with an innate sense of awe at the sheer size and scale of this event. The orchestration and programme management for a conference serving over 40,000 people is breath-taking."

Cybersecurity Fundamentals

And we're back with another tutorial from [Learn Ethical Hacking from Scratch]( This time, we're looking at how you can capture handshakes, the starting point for more sophisticated attacks.

[LIKE WHAT YOU SEE? CLICK HERE TO READ MORE](

[Capturing the handshake](

To crack a WPA key, the first thing we need to do is capture the handshake. We capture it with airodump-ng, the same way we used it against WEP-encrypted networks; at the end of the day, we're only capturing packets with airodump-ng, and it does the same job. We run airodump-ng --bssid with the target AP, --channel with the target channel, --write with the name of the file we will store the packets in (here, test-handshake), and wlan0, our Wi-Fi card in monitor mode. The command is as follows:

airodump-ng --bssid 54:B8:0A:9E:54:2D --channel 11 --write test-handshake wlan0

Once we launch this command, we will see our network, a WPA-encrypted network, and a client connected to it. To capture the handshake, we can simply sit and wait for a device to connect to the network and capture the handshake when it does, or we can use something we learned in the previous chapter ([Chapter 5](, Pre-Connection Attacks): a deauthentication attack. In a deauthentication attack, we disassociate, or disconnect, any device within our Wi-Fi range from its network. If we do that for a very short period of time, the device is disconnected for only a second; it will automatically try to reconnect, and even the person using the device will not notice that it was disconnected and reconnected. We will then be able to capture the handshake packets because, as we said, the handshake is sent every time a device connects to the target network.

Now we're going to run a basic deauthentication attack using aireplay-ng. We studied it in [Chapter 4](, Network Penetration Testing, and in that section we sent a very large number of packets when disconnecting our target. This time we send only a small number: four deauthentication packets. Then we put -a, the MAC address of the target AP, and -c, the MAC address of the client we want to disconnect. Finally, we put the Wi-Fi card name, which is wlan0. So we use aireplay-ng --deauth, the name of the attack, and send 4 deauthentication packets to the AP to disconnect the device from it. The command is as follows:

aireplay-ng --deauth 4 -a 54:B8:0A:9E:54:2D -c B8:76:3F:F8:F5:CD wlan0

As you can see in the following screenshot, we captured the WPA handshake, and our target device didn't show any change, nor did it appear disconnected. We didn't get any messages about being disconnected because we were disconnected for a very short period of time; as a result, even the person using the device didn't notice, and we were able to capture the handshake. Now we can run a wordlist against the handshake to try to determine the WPA key.

That's all for this week! Next time, we will look at creating and using a wordlist!

Have You Tried..?

So many tools, so little time to try them. While you try out this week's tutorial for Autopsy, why not take a look at some similar things we've been trying out this week?
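First, though, a defender's footnote to the handshake tutorial above. The thing that makes the attack work, a burst of deauthentication frames at one client followed a moment later by a fresh 4-way handshake, is also the signature a wireless IDS can alert on. This is an added example, not code from the book or the newsletter: it runs that check over constructed frame summaries, where the tuple format, the thresholds and the lone third-client deauth are assumptions and the two MAC addresses are simply the ones used in the tutorial.

```python
from collections import defaultdict, deque

# Constructed sample of decoded 802.11 frame summaries, not a real capture:
# (timestamp_s, frame_kind, bssid, client). The two MACs are the ones used in
# the tutorial above; the timestamps and the final lone deauth are made up.
SAMPLE_FRAMES = [
    (0.00, "data",   "54:B8:0A:9E:54:2D", "B8:76:3F:F8:F5:CD"),
    (1.00, "deauth", "54:B8:0A:9E:54:2D", "B8:76:3F:F8:F5:CD"),
    (1.01, "deauth", "54:B8:0A:9E:54:2D", "B8:76:3F:F8:F5:CD"),
    (1.02, "deauth", "54:B8:0A:9E:54:2D", "B8:76:3F:F8:F5:CD"),
    (1.03, "deauth", "54:B8:0A:9E:54:2D", "B8:76:3F:F8:F5:CD"),
    (1.40, "eapol",  "54:B8:0A:9E:54:2D", "B8:76:3F:F8:F5:CD"),  # client re-joins: 4-way handshake
    (1.42, "eapol",  "54:B8:0A:9E:54:2D", "B8:76:3F:F8:F5:CD"),
    (30.0, "deauth", "54:B8:0A:9E:54:2D", "AA:BB:CC:00:11:22"),  # a single deauth is normal
]

DEAUTH_THRESHOLD = 3      # this many deauths to one client inside WINDOW_S is a burst
WINDOW_S = 2.0            # sliding window for counting deauths (assumed tuning values)
HANDSHAKE_FOLLOW_S = 5.0  # EAPOL this soon after a burst looks like a forced re-join


def detect_forced_reconnects(frames):
    """Return one alert (bssid, client, burst_start_s, handshake_followed) per
    (bssid, client) pair that saw a deauth burst; handshake_followed is True if
    EAPOL frames for that pair arrived within HANDSHAKE_FOLLOW_S of the burst."""
    recent = defaultdict(deque)  # (bssid, client) -> timestamps of recent deauths
    burst_at = {}                # (bssid, client) -> when its burst started
    alerts = {}
    for ts, kind, bssid, client in sorted(frames):
        key = (bssid, client)
        if kind == "deauth":
            window = recent[key]
            window.append(ts)
            while ts - window[0] > WINDOW_S:  # drop deauths older than the window
                window.popleft()
            if len(window) >= DEAUTH_THRESHOLD and key not in burst_at:
                burst_at[key] = window[0]
                alerts[key] = [bssid, client, window[0], False]
        elif kind == "eapol" and key in burst_at:
            if ts - burst_at[key] <= HANDSHAKE_FOLLOW_S:
                alerts[key][3] = True
    return [tuple(a) for a in alerts.values()]


if __name__ == "__main__":
    for bssid, client, start, followed in detect_forced_reconnects(SAMPLE_FRAMES):
        print(f"deauth burst on {bssid} -> {client} at t={start}s; handshake followed: {followed}")
```

On the prevention side, 802.11w Protected Management Frames (hostapd's ieee80211w=2) make the AP and client authenticate deauthentication frames, so forged ones are dropped instead of acted on.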
- [markmckinnon/Autopsy-Plugins]( - A whole range of Python-based plugins to change up Autopsy.
- [bannsec/autopsy_docker]( - Docker for Autopsy. What it says on the tin.
- [saraferreirascf/Photo-and-video-manipulations-detector]( - Plugins specifically designed for noticing photo and video shenanigans.
- [NoelV11/DFIR-Training]( - A comprehensive walkthrough on how to use Autopsy and get the most out of the toolkit.

Copyright © 2023 Packt Publishing, All rights reserved.
As a GDPR-compliant company, we want you to know why you're getting this email. The _secpro team, as a part of Packt Publishing, believes that you have a legitimate interest in our newsletter and the products associated with it. Our research shows that you opted-in for communication with Packt Publishing in the past and we think that your previous interest warrants our appropriate communication. If you do not feel that you should have received this or are no longer interested in _secpro, you can opt out of our emails using the unsubscribe link below.

Our mailing address is:
Packt Publishing, Livery Place, 35 Livery Street, Birmingham, West Midlands, B3 2PB
United Kingdom