CS Labs

Practical Tools from Our Team

CS Labs gives the cybersecurity experts at Critical Start an opportunity to generate useful ideas and tools to support our customers’ quest for greater security. Here are examples of the work we’ve done, available to the public.


Threat Analytics Chrome Plugin

Current Version 4.0 – Updated on 5/7/2015 to add support for a 3rd group and the ability to HTTP POST in addition to GET. Also updated search providers – go to Options and click the “Refresh Now” button to load the new providers.


Chrome permissions changed in this version, because we added the capability to redirect input from the Chrome extension to a web server of your choice via HTTP POST. Content is sent only to the URL you add as a search provider, using JavaScript. To see the actual code, press Ctrl-Shift-i to open Developer Tools in Chrome.

Most users will NOT need the POST function – just ignore it. The POST function is useful when you want to POST (versus GET) a search term to an application or API. You would copy the destination URL to the ‘Link’ field and add the raw POST data in the ‘Add POST value’ field. By default the HTTP POST comes directly from the Chrome extension, which some applications/APIs will not allow. In that case use a PROXY to send the POST. A simple proxy script can be found at https://www.criticalstart.com/?p=3430.

Note – Virus Total has changed its MD5 lookup URL – use this instead: https://www.virustotal.com/latest-report.html?resource=TESTSEARCH

Version 3.3 – Updated on 12/5/2013 to fix bug when using SSL with Security Analytics enabled. Added Carbon Black support (beta)

Version 3.0.7 – Updated on 10/9/2013 to fix bug when saving new NetWitness Pivot Query

Version 3 – added integration with RSA NetWitness (Windows client)

Version 2 – added integration with RSA Security Analytics web interface

The extension is available at the Chrome Web Store. You need at least Chrome version 6.0.472 to install and use this extension.

The screen shot below shows the intended usage – being able to search an IP address, a domain, or MD5 hash easily by opening multiple security websites at the same time.

The screenshot below is an example of the configuration options. By selecting the URL and clicking on “Domain Lookup”, the entire group will be opened in new tabs. This saves valuable time for security analysts involved in investigations of many different events. You can edit the group names (IP Lookup, Domain) just by clicking in the column header. Drag the arrows to rearrange search providers.

The initial configuration is downloaded from our website at https://www.criticalstart.com/cschromeplugin/criticalstart.txt. It looks like:

{"searchproviders":[
  ["-1","Virus Total Hash","https://www.virustotal.com/file/%s/analysis/",true,true,0],
  ["-1","Bit9 MD5 Hash","https://fileadvisor.bit9.com/services/extinfo.aspx?md5=%s",true,true,0],
  ["-1","Google","http://www.google.com/search?q=TESTSEARCH",true,true,3],
  ["-1","Google Safe Browsing","http://www.google.com/safebrowsing/diagnostic?site=%s",true,true,3],
  ["-1","Central Ops","http://centralops.net/co/DomainDossier.aspx?addr=%s&dom_dns=1&dom_whois=1&net_whois=1",true,true,3],
  ["-1","Malware DL","http://www.malwaredomainlist.com/mdl.php?search=%s&colsearch=All&quantity=50",true,true,3],
  ["-1","URL Void","http://urlvoid.com/scan/%s/",true,true,2],
  ["-1","URL Void IP","http://urlvoid.com/ip/%s",true,true,1],
  ["-1","Robtex IP","http://ip.robtex.com/%s.html",true,true,1]
 ],
 "groups":[["1","IP Lookup"],["2","Domain Lookup"]],
 "config":[["https://www.criticalstart.com/cschromeplugin/criticalstart.txt","true","false","",""]]}

You can make your own configuration file and host it yourself. Use the example supplied above as a guide. The first boolean value for each search provider (true/false) determines whether the search provider is enabled by default. The second boolean value shows whether the provider came from the remote configuration file or was added manually. The last item determines whether the search provider is a member of no groups (0), group 1 (1), group 2 (2), or both groups (3).
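To make the field meanings concrete, here is a small Python parser for this configuration layout. It is an added example written for this page, not the extension's own code: it loads the JSON, reports malformed provider entries instead of opening them, and builds the list of URLs one group click would open. Names such as `load_config` and `urls_for_group` are invented for the example, the sample configuration is constructed in the same shape as criticalstart.txt, and treating the group value as a bit mask (bit 1 = group 1, bit 2 = group 2) is an assumption that reproduces the four meanings listed above.

```python
"""Parse and validate a Threat Analytics Chrome Plugin configuration file.

Added example, not the extension's own code. Each search provider is
[id, name, url_template, enabled_by_default, from_remote_config, group]
where group is 0 (no group), 1 (group 1), 2 (group 2) or 3 (both), and the
search term replaces "%s" or "TESTSEARCH" in the template.
Assumption: group is interpreted as a bit mask, which yields those four values.
"""
import json
from dataclasses import dataclass
from urllib.parse import quote

PLACEHOLDERS = ("%s", "TESTSEARCH")

# Constructed sample in the same shape as criticalstart.txt; the last entry is
# deliberately malformed to show what validation rejects.
SAMPLE_CONFIG = json.dumps({
    "searchproviders": [
        ["-1", "Virus Total Hash", "https://www.virustotal.com/file/%s/analysis/", True, True, 0],
        ["-1", "Google", "http://www.google.com/search?q=TESTSEARCH", True, True, 3],
        ["-1", "URL Void", "http://urlvoid.com/scan/%s/", True, True, 2],
        ["-1", "URL Void IP", "http://urlvoid.com/ip/%s", False, True, 1],
        ["-1", "Robtex IP", "http://ip.robtex.com/%s.html", True, True, 1],
        ["-1", "No placeholder", "http://example.invalid/lookup", True, False, 3],
    ],
    "groups": [["1", "IP Lookup"], ["2", "Domain Lookup"]],
    "config": [["https://www.criticalstart.com/cschromeplugin/criticalstart.txt", "true", "false", "", ""]],
})


@dataclass
class Provider:
    name: str
    template: str
    enabled: bool   # first boolean: enabled by default
    remote: bool    # second boolean: came from the remote configuration file
    group: int      # 0, 1, 2 or 3

    def in_group(self, group_id):
        return bool(self.group & (1 << (group_id - 1)))

    def url_for(self, term):
        # Percent-encode the indicator so a crafted value cannot add extra
        # path segments or query parameters to the provider URL.
        safe = quote(term, safe="")
        for placeholder in PLACEHOLDERS:
            if placeholder in self.template:
                return self.template.replace(placeholder, safe, 1)
        raise ValueError(f"{self.name}: template has no placeholder")


def load_config(text):
    """Return (providers, groups, errors); malformed entries go to errors instead of raising."""
    data = json.loads(text)
    providers, errors = [], []
    for entry in data.get("searchproviders", []):
        if len(entry) != 6:
            errors.append((str(entry), "expected 6 fields"))
            continue
        _id, name, template, enabled, remote, group = entry
        if not template.startswith(("http://", "https://")):
            errors.append((name, "URL must be http(s)"))
        elif not any(p in template for p in PLACEHOLDERS):
            errors.append((name, "template has no %s or TESTSEARCH placeholder"))
        elif group not in (0, 1, 2, 3):
            errors.append((name, "group must be 0, 1, 2 or 3"))
        else:
            providers.append(Provider(name, template, bool(enabled), bool(remote), group))
    groups = {int(gid): gname for gid, gname in data.get("groups", [])}
    return providers, groups, errors


def urls_for_group(providers, group_id, term):
    """URLs the extension would open in new tabs for one group click."""
    return [p.url_for(term) for p in providers if p.enabled and p.in_group(group_id)]


if __name__ == "__main__":
    providers, groups, errors = load_config(SAMPLE_CONFIG)
    for gid, gname in groups.items():
        print(gname, urls_for_group(providers, gid, "8.8.8.8" if gid == 1 else "example.com"))
    print("rejected:", errors)
```

Percent-encoding the search term before substitution is the one check worth keeping even in a throwaway tool: the indicator an analyst pastes comes from untrusted data, and without encoding a value containing `/`, `?` or `&` would change which path or query parameters reach the search provider.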

If you have suggestions for search providers or improvements, please send an email to [email protected]. This will automatically open a case in our ticketing system.

Critical Start Password Generator Help (Beta)

This is the help text for the Critical Start Password Generator (both GUI and console version). See the license terms below.

Download a copy of the Password Generator.

One of the best free controls to mitigate initial compromise from malware and slow lateral movement is to use unique passwords for local administrator accounts on user PCs and internal servers. Many organizations use the same local administrator passwords for common operating system builds – easy to support but very dangerous long term.

How do you easily keep track of hundreds or thousands of pseudo-random passwords? Check out the Critical Start Password Generator. It’s not perfect, but it’s much better than every Windows machine having the same local administrator password!

The Critical Start Password Generator is a simple tool to take a known value that is unique to each PC (serial number, asset tag number, etc.) and combine it with a known passphrase to generate a pseudo-random password unique to each machine. Administrators can easily compute the local administrator password if needed. Attackers and individuals could not easily determine the password unless they have:

  • The salt value used to calculate the password
  • The hash algorithm length (SHA2 256 or 512)
  • The number of rounds of hashing (multiple rounds make precomputed rainbow tables more difficult)
  • The round used to salt (the salt value is applied only in that round)
  • The password length (from 8-16 characters)

You can also upload a text file with one value per row. Each value per row will be used as the unique value to generate a password, and the output stored to a CSV file.

The command line version works as follows. There are three valid modes, each with its associated options:

  • Use a manually supplied start password value:
    PasswordGenerator.exe -u <start password value> [-l <password length>] [-s <salt value>] [-r <rounds of hashing>] [-t <round to salt>] [-h <algorithm (256 or 512)>] [-a ]
  • Use the unique serial of your computer:
    PasswordGenerator.exe -g [-l <password length>] [-s <salt value>] [-r <rounds of hashing>] [-t <round to salt>] [-h <algorithm (256 or 512)>] [-a ]
  • Open a CSV file and create an output CSV file:
    PasswordGenerator.exe -c <csv file> [-l <password length>] [-s <salt value>] [-r <rounds of hashing>] [-t <round to salt>] [-h <algorithm (256 or 512)>] [-a ] [-o <output csv file>]
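The derivation scheme described above (unique machine value plus a secret salt, SHA2 256 or 512, several rounds, salt applied in one chosen round, 8-16 character output) and the CSV batch mode can be shown in a few lines of Python. This is an added example written for this page, not the Password Generator's own code, and its parameters mirror the -l/-s/-r/-t/-h options. Three details the help text does not specify are assumptions here and are marked as such in the code: each round hashes the previous round's raw digest, the salt is appended to the input of the salt round, and the final digest is rendered as base64 (with `+` and `/` swapped for `!` and `#`) and truncated to the requested length. The real tool's encoding may differ, so passwords from this script will not match its output.

```python
"""Per-machine local administrator password derivation.

Added example following the scheme in the Critical Start Password Generator
help text; not the tool's own code. Assumptions (not stated on the page):
round input = previous round's raw digest, salt appended in the salt round,
output = base64 of the final digest, truncated to the requested length.
"""
import base64
import csv
import hashlib
import io

HASHERS = {256: hashlib.sha256, 512: hashlib.sha512}


def derive_password(unique_value, salt, *, length=12, algorithm=256, rounds=1000, salt_round=1):
    """Return the password for one machine; every parameter must match to reproduce it."""
    if algorithm not in HASHERS:
        raise ValueError("algorithm must be 256 or 512")
    if not 8 <= length <= 16:
        raise ValueError("password length must be between 8 and 16")
    if rounds < 1 or not 1 <= salt_round <= rounds:
        raise ValueError("salt_round must be between 1 and rounds")
    hasher = HASHERS[algorithm]
    state = unique_value.encode("utf-8")
    salt_bytes = salt.encode("utf-8")
    for current_round in range(1, rounds + 1):
        # The salt is mixed in during exactly one round (assumption: appended to the input).
        block = state + salt_bytes if current_round == salt_round else state
        state = hasher(block).digest()
    # Each base64 symbol carries 6 bits of the digest, so truncating keeps the
    # output uniform over 64 symbols (no modulo bias). "+" and "/" become "!" and "#".
    encoded = base64.b64encode(state, altchars=b"!#").decode("ascii")
    return encoded[:length]


def generate_csv(unique_values, salt, **params):
    """Batch mode (-c / -o): one password per input row, returned as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["unique_value", "password"])
    for value in unique_values:
        value = value.strip()
        if not value:
            continue  # skip blank rows rather than deriving a password from ""
        writer.writerow([value, derive_password(value, salt, **params)])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: asset tags as they would arrive from the uploaded text file.
    sample_rows = ["SN-0001", "SN-0002", "", "ASSET-77"]
    print(generate_csv(sample_rows, "correct horse battery staple",
                       length=14, algorithm=512, rounds=5000, salt_round=3))
```

Everything except the salt (the passphrase) is either printed on the chassis or, in the case of the algorithm, round count and length, recoverable from a single known password, so the salt is the value to protect; store it with the same care as a domain administrator credential, and keep the parameter set recorded, because a mismatch in any one of them produces a different, unrecoverable password.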

Send feedback or comments to [email protected].
