Month: April 2017

Lunar – a UNIX security auditing tool

LUNAR is a open source UNIX security auditing tool written in Shell script. It offers the audit for various operating systems like Linux (RHEL, CentOS, Debian, Ubuntu), Solaris and Mac OS with less requirements. Services like Docker and AWS are also supported.

Download

Clone repository

# git clone
$ git clone https://github.com/lateralblast/lunar.git

Download via curl

# download via curl
$ curl -L -C - -o lunar.zip https://github.com/lateralblast/lunar/archive/master.zip

# extract archive
$ unzip lunar.zip

Usage

The use is very easy… but the outcome brings much values.

# show help
$ sh lunar.sh -h

# list functions
$ sh lunar.sh -S

# run ssh audit
$ sh lunar.sh -s audit_ssh_config

# run selinux audit in verbose mode
$ sh lunar.sh -s audit_selinux -v

# run all audits
$ sh lunar.sh -a

Curl via Socks5 proxy on macOS

SSH tunnel in Browsers are easy! What about curl via SSH tunnels? Yeah – it`s easy, too!

Preparation

Check minimal firewall rules and SSH configuration on target host.

# ensure ssh service is enabled
$ firewall-cmd --list-services
...
ssh

# ensure AllowTcpForwarding is allowed
$ sshd -T | grep -i AllowTcpForwarding
...
allowtcpforwarding yes

Create SSH tunnel

Some basics about SSH tunnel…

# create ssh tunnel (foreground process)
$ ssh -ND localhost:9000 <user>@<host>
$ ssh -C4ND localhost:9000 <user>@<host>
$ ssh -C4ND localhost:9000 <user>@<host> -v
$ ssh -C4ND localhost:9000 <user>@<host> -p 22 -v

# create ssh tunnel (background process)
$ ssh -C4ND localhost:9000 <user>@<host> -f
  • C: use compression (level can be set in configuration file)
  • 4: forces ssh to use IPv4 only
  • N: do not execute a remote command
  • D: specifies dynamic application-level port forwarding
  • v: verbose mode
  • f: go to background before command execution
  • p: port to connect to on the remote host

Check SSH tunnel

The following examples will help you to monitor the connection to the target server.

# check ssh tunnel (local)
$ ps aux | grep ssh

# check ssh tunnel via lsof (target)
$ lsof -nPi | grep ssh

# check ssh tunnel via ss (target)
$ ss -4t

Use SSH tunnel

Now we use the tunnel via curl. With the service ipinfo.io we can verify.

# curl for external ip (without tunnel)
$ curl https://ipinfo.io/ip

# curl for external ip
$ curl --socks5 localhost:9000 https://ipinfo.io/ip

# curl for external ip (since curl v7.21.7)
$ curl -x socks5://localhost:9000 https://ipinfo.io/ip

Note: There are two protocol prefixes socks5:// and socks5h://. The 2nd will let the SOCKS server handle DNS-queries.

Kill SSH tunnel

The simplest and hardest way to kill SSH tunnels (on background) is following example. But be careful it kills all ssh connections!

# kill all ssh tunnel
$ sudo killall ssh