Security

Penetration testing report via Serpico

Penetration testing make fun but writing penetration testing reports is boring. When you start you will look for templates or software which supports you. Here comes Serpico into the game. Serpico is a collaboration and report generation tool. The best… it is open-source.

Usage via Docker

# search for Serpico (optional)
$ docker search serpico

# download official image
$ docker pull serpicoproject/serpico

# create and run container
$ docker run --name serpico -p 8888:443 -it serpicoproject/serpico /bin/bash -l

# run setup script (only 1st time)
$ ruby scripts/first_time.rb

# create new user
$ ruby scripts/create_user.rb admin test123 1

# start serpico
$ ruby serpico.rb

Now you can use Serpico in your favorite browser…

# macOS use Safari
$ open -a Safari https://localhost:8888

Login with created credentials (admin/test123) and create your reports. On Youtube is a good introduction. If you don’t have Microsoft Words installed, you can view your reports online.

Lunar – a UNIX security auditing tool

LUNAR is a open source UNIX security auditing tool written in Shell script. It offers the audit for various operating systems like Linux (RHEL, CentOS, Debian, Ubuntu), Solaris and Mac OS with less requirements. Services like Docker and AWS are also supported.

Download

Clone repository

# git clone
$ git clone https://github.com/lateralblast/lunar.git

Download via curl

# download via curl
$ curl -L -C - -o lunar.zip https://github.com/lateralblast/lunar/archive/master.zip

# extract archive
$ unzip lunar.zip

Usage

The use is very easy… but the outcome brings much values.

# show help
$ sh lunar.sh -h

# list functions
$ sh lunar.sh -S

# run ssh audit
$ sh lunar.sh -s audit_ssh_config

# run selinux audit in verbose mode
$ sh lunar.sh -s audit_selinux -v

# run all audits
$ sh lunar.sh -a

Firewalld Rich Rules basics

This tutorial will help you to get started with the firewalld configuration. Basics on zones and rich rules are presented.

What we do

The shell provisioner will ensure that on all hosts firewalld and curl are installed. For “host_protected” the provisioner will install nginx for demo purposes, too. Furthermore, the firewall will configured on “host_protected”.

Every host has two interfaces NAT (enp0s3) and host-only (enp0s8). The provisioner will not touch the NAT interface (zone: public) rules! Only the host-only interface (zone: home) rules will modified!

# show result configuration public (local)
$ vagrant ssh host_protected -c 'sudo firewall-cmd --list-all --zone=public'
...
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

# show result configuration home (local)
$ vagrant ssh host_protected -c 'sudo firewall-cmd --list-all --zone=home'
...
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.33.10" service name="http" accept
    rule family="ipv4" source address="192.168.33.20" service name="ssh" accept

Project

Here are all needed files…

---
- name: host_http_access
  ip: 192.168.33.10
  hostname: http.local
- name: host_ssh_access
  ip: 192.168.33.20
  hostname: ssh.local
- name: host_protected
  ip: 192.168.33.30
  hostname: protected.local

Please add your values for box name/url!

# -*- mode: ruby -*-
# vi: set ft=ruby :

require 'yaml'

Vagrant.require_version ">= 1.9.3"
machines = YAML.load_file('hosts.yml')

Vagrant.configure("2") do |config|

  machines.each do |machines|

    config.vm.define machines["name"] do |machine|

      # disable ssh key update
      machine.ssh.insert_key = false

      # vagrant box name
      machine.vm.box = ""

      # vagrant box url
      machine.vm.box_url = ""

      # disable box update
      machine.vm.box_check_update = false

      # set hostname
      machine.vm.hostname = machines["hostname"]

      # disable synced_folder
      machine.vm.synced_folder ".", "/vagrant", disabled: true

      # 2nd network interface (private)
      machine.vm.network "private_network", ip: machines["ip"]

      # virtualbox settings
      machine.vm.provider :virtualbox do |vb|
        vb.name = machines["name"]
        vb.cpus = 1
        vb.memory = '1024'
        vb.gui = false
      end

      # run shell provisioner
      if machines["name"] == 'host_protected'
        machine.vm.provision "shell", path: "provisioner.sh", :args => "protected"
      else
        machine.vm.provision "shell", path: "provisioner.sh"
      end

    end

  end

end

#! /usr/bin/env bash

# install firewalld and curl
sudo yum install -y firewalld curl

# enable firewalld
sudo systemctl enable firewalld

# start firewalld
sudo systemctl start firewalld

# configure firewalld rich rules
if [ "${1}" == "protected" ]; then
  # install epel-release
  sudo yum install -y epel-release

  # install nginx
  sudo yum install -y nginx

  # enable nginx
  sudo systemctl enable nginx

  # start nginx
  sudo systemctl start nginx

  # change enp0s8 to home zone
  sudo firewall-cmd --zone=home --change-interface=enp0s8 --permanent

  # restart firewalld service
  sudo systemctl restart firewalld

  # remove all services form zone home
  sudo firewall-cmd --zone=home --remove-service dhcpv6-client --permanent
  sudo firewall-cmd --zone=home --remove-service mdns --permanent
  sudo firewall-cmd --zone=home --remove-service samba-client --permanent
  sudo firewall-cmd --zone=home --remove-service ssh --permanent

  # add rich rules
  sudo firewall-cmd --zone=home --add-rich-rule='rule family="ipv4" service name="http" source address="192.168.33.10" accept' --permanent
  sudo firewall-cmd --zone=home --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.33.20" accept' --permanent

  # reload firewall
  sudo firewall-cmd --reload
fi

Usage

# start vagrant environment (local)
$ vagrant up

# show status (optional - local)
$ vagrant status
...
Current machine states:

host_http_access          running (virtualbox)
host_ssh_access           running (virtualbox)
host_protected            running (virtualbox)

# ssh into host_http_access (local)
$ vagrant ssh host_http_access

# try http via curl (host_http_access)
$ curl -I http://192.168.33.30

# try ssh (host_http_access)
$ ssh vagrant@192.168.33.30

# ssh into host_ssh_access (local)
$ vagrant ssh host_ssh_access

# try http via curl (host_ssh_access)
$ curl -I http://192.168.33.30

# try ssh (host_ssh_access)
$ ssh vagrant@192.168.33.30

# destroy vagrant environment
$ vagrant destroy -f

Note: before you destroy the vagrant environment, have a look on zones xml files for “host_protected”!

# ssh into host_protected (local)
$ vagrant ssh host_protected

# change to root (host_protected)
$ sudo su -

# change directory
$ cd /etc

# cat actual zone xml files
$ cat firewalld/zones/*.xml

TCP port scanner Brutescan

Brutescan is a fast and noisy TCP port scanner written in go.

Preparation

# install git and curl packages
$ sudo apt install -y curl git

# download go (do not install from Debian)
$ curl -O https://storage.googleapis.com/golang/go1.8.linux-amd64.tar.gz

# unzip archive
$ tar xvf go1.8.linux-amd64.tar.gz

# set owner and group (recursive)
$ sudo chown -R root:root go

# move all into target directory
$ sudo mv go /usr/local/

Configure go (for user)

# create hidden go directory
$ mkdir ~/.go

# configure needed paths (inside .bashrc)
$ echo "GOPATH=$HOME/.go" >> ~/.bashrc
$ echo "export GOPATH" >> ~/.bashrc
$ echo "PATH=\$PATH:/usr/local/go/bin:\$GOPATH/bin" >> ~/.bashrc

# reload
$ source ~/.bashrc

# check go version
$ go version
go version go1.8 linux/amd64

Install brutescan

# install packages from github
$ go get github.com/asciimoo/brutescan

# show bombardier help
$ brutescan --help

Usage/Examples

# scan all ports on localhost
$ brutescan localhost
...
Scanning localhost (127.0.0.1)
Port range: 1-65535 (65534 ports)
Concurrent connections: 65512

port 22    open
port 25    open
port 111   open
port 42619 open

Scan finished in 2.970551852s
...

# scan port range with specific concurrent pool size
$ brutescan -pmin 22 -pmax 2000 -pool 100 heise.de
...
Scanning heise.de (193.99.144.80)
Port range: 22-2000 (1978 ports)
Concurrent connections: 100

no open ports found

Scan finished in 1m0.087341111s ...

Tiny SSH audit

I wrote an bash script which makes the SSH server configuration audit a little bit easier. Here now an description for usage. The repository can found here.

Usage

# upload script to target host (tmp directory)
$ scp ssh_audit.sh <user>@<host>:/tmp

# login into target host
$ ssh <user>@<host>

# switch to root
$ su -

# change file permissions (optional)
$ chmod u+x /tmp/ssh_audit.sh

# run ssh audit
$ /tmp/ssh_audit.sh

The output is self-explanatory. If you need more details, just run following command.

# output the effective configuration to stdout (Extended test mode)
$ sshd -T

Install and configure Fail2Ban on CentOS 7

This tutorial presents the minimum SSH protection on CentOS 7 by Fail2Ban (without e-mail).

Preparation

# install epel-release
$ yum install -y epel-release && yum -y update

# install fail2ban packages
$ yum install -y fail2ban fail2ban-systemd

# update selinux-policies (if SELinux)
$ yum update -y selinux-policy*

Configuration

# change directory
$ cd /etc

# check content of 00-systemd.conf
$ cat fail2ban/jail.d/00-systemd.conf
...
[DEFAULT]
backend=systemd
...

# create custom default configuration
$ cp -p fail2ban/jail.conf fail2ban/jail.local

# edit custom default configuration
$ vim fail2ban/jail.local
...
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 3600
maxretry = 3
...

# create custom sshd configuration
$ vim fail2ban/jail.d/sshd.local
...
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
...

Ready for startup

# enable fail2ban
$ systemctl enable fail2ban

# start fail2ban
$ systemctl start fail2ban

Check status

# check status (optional)
$ systemctl status fail2ban

# tail fail2ban logfile (optional)
$ tail -f /var/log/fail2ban.log

# tail secure logfile (optional)
$ tail -f /var/log/secure

# check iptables
$ iptables -L -n

# check status of jails
$ fail2ban-client status

# check status of sshd jail
$ fail2ban-client status sshd

Example

$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	347
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	56
   `- Banned IP list:	185.110.132.202

$ whois 185.110.132.202
...
person:         Karamurzov Barasbi
abuse-mailbox:  abusemail@openstack.net.ua
address:        Belize, BE, Kolmo ave 11, apt 901
...

Install Pappy Proxy on CentOS7

Pappy Proxy (Proxy Attack Proxy ProxY) is an open source intercepting proxy for performing web application security tests. It is similar to BurpSuite, ZAP and so on. The benefit is the command line!

Installation

# update system
$ yum update -y

# install epel
$ yum -y install epel-release

# install needed packages
$ yum install -y git python-pip python-devel gcc libffi-devel libxml2 libxml2-devel libxslt libxslt-devel openssl-devel

# clone repository
$ git clone --recursive https://github.com/roglew/pappy-proxy.git

# change directory
$ cd pappy-proxy/

# install pappy-proxy
$ pip install .

# run help
$ pappy --help

# start up in lite mode
$ pappy -l

So pappy is started … we can configure and test it (via lite-mode).

# generate certificates
pappy> gencerts

# test proxy from other terminal
$ curl -x http://localhost:8000 -L http://google.com

# list requests
pappy> ls

# prints the full response to a request
pappy> vfs <id>

# exit pappy-proxy lite mode
pappy> quit

Prepare a project

# create project directory
$ mkdir myProject

# change directory
$ cd myProject

We need to start pappy shortly to create config.json file.

# start pappy-proxy
$ pappy

# exit pappy-proxy
pappy> quit

# show directory content
$ ls -la

# modify settings
$ vim config.json

# start up pappy-proxy
$ pappy
...

Note: By default the proxy is running on port 8000 – bound to localhost. You need to modify the config.json. For more information read the docs.

Install w3af on Debian (Jessie)

W3AF is a free is a Web Application Attack and Audit Framework. This tutorial shows how to install w3af on Debian 8.6 (not by Debian package w3af-console).

Preparation

# update system
$ apt-get update && apt-get upgrade

# install needed packages
$ apt-get install -y build-essential sudo git libssl-dev openssl libxml2-dev libxslt1-dev libssl-dev libffi-dev python-dev python-pip

# upgrade python pip
$ pip install --upgrade pip

Install and run w3af

# clone from git repository
$ git clone https://github.com/andresriancho/w3af.git

# change directory
$ cd w3af/

# run console (this step creates the install script)
$ ./w3af_console

# run installation script
$ . /tmp/w3af_dependency_install.sh

# start (accept the terms and conditions)
$ ./w3af_console

# show version
w3af>>> version

# show help
w3af>>> help

Note: read the user guide on http://docs.w3af.org