Using ELK and watcher to set up alerts

Hi there,

Setting up ELK (Elasticsearch, Logstash and Kibana) is real easy (Follow the guide here https://www.elastic.co/start). It is also perfect to use at home to collect logs and to get visibility of your home network. If you also install xpack you will get a function called “watcher”. This is to be able to alert on certain events. When I set this up in a lab recently I found out that it was not that easy to get started so I decided I should share what I found out.

First of all, in the lab I had a Palo Alto producing logs. What I wanted to do was to alert if someone tried to log on to it and produced a failed login. In Palo Alto this is reported under the “VirtualSystem” and the category “auth-fail”. More information about the fields can be found here:
. So basically I had to put up a watcher to alert if auth-fail was sent from the Palo Alto device.

After you have parsed out the information from the Palo Alto logs using logstash and put them in elasticsearch this is what the field would look like in Kibana:

So to simply match on this using a watcher, this is what you can do using the development tools in the Kibana GUI (If you are using xpack). If not, then you can use the local API over command line:

PUT _watcher/watch/palo-failed-login
{
  "trigger": {
    "schedule": {
      "interval" : "1m"
    }
  },
  "input" : { 
    "search" : {
      "request" : {
        "indices" : "<logstash-paloalto-systemlog-{now/d}>",
        "body" : {
          "query": {
            "bool" : {
              "must" : {
                "match_phrase" : { "VirtualSystem" : "auth-fail" }
              },
              "filter": {
                "range": 
                  {
                    "@timestamp": 
                      {
                        "from": "now-1m",
                        "to" : "now"
                      }
                  }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.hits.total" : {
        "gt" : 0
      }
    }
  },
  "actions" : {
    "log" : {
      "logging" :  {
        "text" : "WARNING PALO ALTO LOGIN ATTEMPT"
      }
    }
  }
  
}

PUT _watcher/watch/palo-failed-login

{

"trigger": {

"schedule": {

"interval" : "1m"

}

"input" : {

"search" : {

"request" : {

"indices" : "<logstash-paloalto-systemlog-{now/d}>",

"body" : {

"query": {

"bool" : {

"must" : {

"match_phrase" : { "VirtualSystem" : "auth-fail" }

"filter": {

"range":

{

"@timestamp":

{

"from": "now-1m",

"to" : "now"

}

"condition" : {

"compare" : {

"ctx.payload.hits.total" : {

"gt" : 0

}

"actions" : {

"log" : {

"logging" : {

"text" : "WARNING PALO ALTO LOGIN ATTEMPT"

}

Once this triggers, you will have an entry with the logging text “WARNING PALO ALTO LOGIN ATTEMPT” in the log for elasticsearch located at /var/log/elasticsearch/elasticsearch.log on CentOS 7.

NOTE! Make sure that you point it to the correct index. By default if you do not change it your index will be logstash-, but as I have created an index for the palo alto logs specifically, the row below could be different for you depending on where you put your data.

"indices" : "<logstash-paloalto-systemlog-{now/d}>",

1	"indices" : "<logstash-paloalto-systemlog-{now/d}>",

More information can be found here:
watcher reference at elastico
The official forum is also a good way to start if you run into issues:
elastico forum

LAMP with https causes issues with slow requests

Leave a reply

Hey,

So I ran into a really interesting issue the other day.

I was developing an app in PHP and was preparing it for https. In this project I use sessions and cookies with the secure flag set and when I enabled https I noticed that all requests to the server took a very long time. One request took about 8-10 seconds and I could not figure out why.

I was using these versions on CentOS 7 running on the main machine.

yum list installed|grep -E '(httpd|php)'
httpd.x86_64                           2.4.6-40.el7.centos.4          @updates  
httpd-tools.x86_64                     2.4.6-40.el7.centos.4          @updates  
php.x86_64                             5.4.16-36.3.el7_2              @updates  
php-cli.x86_64                         5.4.16-36.3.el7_2              @updates  
php-common.x86_64                      5.4.16-36.3.el7_2              @updates  
php-mysql.x86_64                       5.4.16-36.3.el7_2              @updates  
php-pdo.x86_64                         5.4.16-36.3.el7_2              @updates

yum list installed|grep -E '(httpd|php)'

httpd.x86_64 2.4.6-40.el7.centos.4 @updates

httpd-tools.x86_64 2.4.6-40.el7.centos.4 @updates

php.x86_64 5.4.16-36.3.el7_2 @updates

php-cli.x86_64 5.4.16-36.3.el7_2 @updates

php-common.x86_64 5.4.16-36.3.el7_2 @updates

php-mysql.x86_64 5.4.16-36.3.el7_2 @updates

php-pdo.x86_64 5.4.16-36.3.el7_2 @updates

This project is a little special because I am running the mysql-server on Remnux in a virtual machine in KVM on the main machine. Remnux is running this version of mysql-server:

remnux@remnux:~$ dpkg -l|grep mysql-server
ii  mysql-server                           5.5.46-0ubuntu0.14.04.2                 all          MySQL database server (metapackage depending on the latest version)
ii  mysql-server-5.5                       5.5.46-0ubuntu0.14.04.2                 amd64        MySQL database server binaries and system database setup
ii  mysql-server-core-5.5                  5.5.46-0ubuntu0.14.04.2                 amd64        MySQL database server binaries

remnux@remnux:~$ dpkg -l|grep mysql-server

ii mysql-server 5.5.46-0ubuntu0.14.04.2 all MySQL database server (metapackage depending on the latest version)

ii mysql-server-5.5 5.5.46-0ubuntu0.14.04.2 amd64 MySQL database server binaries and system database setup

ii mysql-server-core-5.5 5.5.46-0ubuntu0.14.04.2 amd64 MySQL database server binaries

I doubt you would have the issue if the mysql server ran on the same machine, I.e localhost. On this scenario the machine used 10.1.1.2 and the Remnux instance where the database is running is using 192.168.10.250.

So, as you may understand I am using 192.168.10.250 as the database in my php code.

I started to debug with strace by attaching to the httpd process:

ps auxw | grep -E 'sbin/httpd' | awk '{print"-p " $2}' | xargs strace -F

1	ps auxw \| grep -E 'sbin/httpd' \| awk '{print"-p " $2}' \| xargs strace -F

This will print a lot of nice stuff when you suspect something is really strange. For instance, below you see the web server reading a file called dbfunctions.php.

[pid 11222] open("/var/www/html/functions/dbfunctions.php", O_RDONLY) = 16
[pid 11222] fstat(16, {st_mode=S_IFREG|0644, st_size=13579, ...}) = 0
[pid 11222] fstat(16, {st_mode=S_IFREG|0644, st_size=13579, ...}) = 0
[pid 11222] fstat(16, {st_mode=S_IFREG|0644, st_size=13579, ...}) = 0
[pid 11222] mmap(NULL, 13579, PROT_READ, MAP_SHARED, 16, 0) = 0x7f5a31b10000
[pid 11222] munmap(0x7f5a31b10000, 13579) = 0
[pid 11222] close(16)

[pid 11222] open("/var/www/html/functions/dbfunctions.php", O_RDONLY) = 16

[pid 11222] fstat(16, {st_mode=S_IFREG|0644, st_size=13579, ...}) = 0

[pid 11222] mmap(NULL, 13579, PROT_READ, MAP_SHARED, 16, 0) = 0x7f5a31b10000

[pid 11222] munmap(0x7f5a31b10000, 13579) = 0

[pid 11222] close(16)

This is how a connection to the mysql server looks like. You can see the connect() and setsocketopt() functions being called to establish a connection. It was also here I noticed a delay.

[pid 11222] connect(16, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("192.168.10.250")}, 16) = 0
[pid 11222] setsockopt(16, SOL_SOCKET, SO_RCVTIMEO, "\2003\341\1\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
[pid 11222] setsockopt(16, SOL_SOCKET, SO_SNDTIMEO, "\2003\341\1\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
[pid 11222] setsockopt(16, SOL_IP, IP_TOS, [8], 4) = 0
[pid 11222] setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
[pid 11222] setsockopt(16, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
[pid 11222] read(16, "_\0\0\0\n5.5.46-0ubuntu0.14.04.2-log"..., 16384) = 99

[pid 11222] connect(16, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("192.168.10.250")}, 16) = 0

[pid 11222] setsockopt(16, SOL_SOCKET, SO_RCVTIMEO, "\2003\341\1\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0

[pid 11222] setsockopt(16, SOL_SOCKET, SO_SNDTIMEO, "\2003\341\1\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0

[pid 11222] setsockopt(16, SOL_IP, IP_TOS, [8], 4) = 0

[pid 11222] setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0

[pid 11222] setsockopt(16, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0

[pid 11222] read(16, "_\0\0\0\n5.5.46-0ubuntu0.14.04.2-log"..., 16384) = 99

It can be useful to troubleshoot delays.

I also found a thread on stack overflow which suggested that the cause was DNS recursive requests. So I fired up tcpdump with this command

tcpdump -pi eno1 port 53

1	tcpdump -pi eno1 port 53

And I saw that the machine was trying to do reverse lookups of 192.168.x.x which took forever (Going out to google)

I had a discussion with a friend and after trying nginx I realised that the problem was not apache or nginx. He suggested I try this setting in the mysql-server on Remnux.

http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-name-resolve

I edited the file /etc/mysql/my.cnf and added the setting “skip-name-resolve”. Here is a snippet from my configuration file on Remnux:

[mysqld]
#
# * Basic Settings
#
user		= mysql
pid-file	= /var/run/mysqld/mysqld.pid
socket		= /var/run/mysqld/mysqld.sock
port		= 3306
basedir		= /usr
datadir		= /var/lib/mysql
tmpdir		= /tmp
lc-messages-dir	= /usr/share/mysql
skip-external-locking
skip-name-resolv

[mysqld]

# * Basic Settings

user = mysql

pid-file = /var/run/mysqld/mysqld.pid

socket = /var/run/mysqld/mysqld.sock

port = 3306

basedir = /usr

datadir = /var/lib/mysql

tmpdir = /tmp

lc-messages-dir = /usr/share/mysql

skip-external-locking

skip-name-resolv

After a restart of everything the issue was gone.

I hope I can help someone else by making this documented and the steps to troubleshoot public. This was really a very strange issue and took some time to troubleshoot.

Good luck!

Various code snippets in C++ (Mostly WINAPI)

Leave a reply

Hey,

I thought I would share some code snippets used in various projects of mine. The code I will be sharing can be compiled with Visual Studio 2015 or later (probably).

The first one is a piece of code to get any of the KNOWNFOLDERID‘s in Windows.

#include "stdafx.h"
#include <Windows.h>
#include <string>
#include <Shlobj.h> 
#include <comutil.h> //for _bstr_t (used in the string conversion below)

#pragma comment(lib, "Advapi32.lib") //To get the FOLDERID_vars
#pragma comment(lib, "comsuppw") //For the _bstr_t conversion
using namespace std;

string GetAppDataPath() {

	//Get the folder C:\Users\<user>\AppData\Local which is given by FOLDERID_LocalAppData
	LPWSTR wszPath = NULL;
	SHGetKnownFolderPath(FOLDERID_LocalAppData, 0, NULL, &wszPath);

	//Convert the unicode char to string.
	_bstr_t bstrPath(wszPath);
	std::string strPath((char*)bstrPath);

	return strPath;
}
int main()
{
	
	string tmp = GetAppDataPath();
	//Will give you a messagebox showing the path.
	MessageBoxA(0, tmp.c_str(), "Demo", 0);
	return 0;
}

#include "stdafx.h"

#include <Windows.h>

#include <string>

#include <Shlobj.h>

#include <comutil.h> //for _bstr_t (used in the string conversion below)

#pragma comment(lib, "Advapi32.lib") //To get the FOLDERID_vars

#pragma comment(lib, "comsuppw") //For the _bstr_t conversion

using namespace std;

string GetAppDataPath() {

//Get the folder C:\Users\<user>\AppData\Local which is given by FOLDERID_LocalAppData

LPWSTR wszPath = NULL;

SHGetKnownFolderPath(FOLDERID_LocalAppData, 0, NULL, &wszPath);

//Convert the unicode char to string.

_bstr_t bstrPath(wszPath);

std::string strPath((char*)bstrPath);

return strPath;

}

int main()

{

string tmp = GetAppDataPath();

//Will give you a messagebox showing the path.

MessageBoxA(0, tmp.c_str(), "Demo", 0);

return 0;

}

If you are using shellcode from meterpreter and you are going to bundle this into another executable, you can execute the shellcode by using this code.

void executeShellcode() {
//My NOP-sled
unsigned char buf[] =
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

	//Executing the NOP-sled
	void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(exec, buf, sizeof buf);
	((void(*)())exec)();
}

void executeShellcode() {

//My NOP-sled

unsigned char buf[] =

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

//Executing the NOP-sled

void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

memcpy(exec, buf, sizeof buf);

((void(*)())exec)();

}

The last snippet is code that can be used to convert a string in hex to the char values.

#include "stdafx.h"
#include <Windows.h>
#include <string>
#include <sstream>
using namespace std;
int main()
{
	
	string hex = "414243"; //ABC in hex, 41=A, 42=B, 43=C
	int len = hex.length();
	stringstream ss;
	for (int i = 0; i< len; i += 2)
	{
		string byte = hex.substr(i, 2);
		char chr = (char)(int)strtol(byte.c_str(), NULL, 16);
		ss << chr;
	}

	MessageBoxA(0, ss.str().c_str(), "Decoded", 0);
	
    return 0;
}

#include "stdafx.h"

#include <Windows.h>

#include <string>

#include <sstream>

using namespace std;

int main()

{

string hex = "414243"; //ABC in hex, 41=A, 42=B, 43=C

int len = hex.length();

stringstream ss;

for (int i = 0; i< len; i += 2)

{

string byte = hex.substr(i, 2);

char chr = (char)(int)strtol(byte.c_str(), NULL, 16);

ss << chr;

}

MessageBoxA(0, ss.str().c_str(), "Decoded", 0);

return 0;

}

Good luck!

Raspberry Pi as tor2web service running apache

Leave a reply

Hey,

In this article I will describe how to set up a Raspberry Pi, install tor and access it using tor2web.

Start by installing RASPBIAN JESSIE LITE (Minimal image based on Debian Jessie) from the raspberry pi web . I will be using this version:

Version:November 2015
Release date:2015-11-21
Kernel version:4.1

I will walk you through everything until you have a raspberry pi online with a hidden tor2web url that you can access from anywhere.

1 – Change root password
The default password is “raspberry” and user is “pi”. Make sure you change this.

2 – Updating the Pi
Once you have connected the Pi to the network make sure you update it.
apt-get update -y; apt-get upgrade -y

3 – Installing apache2

I will refer to Raspberry Pi documentation for how to install apache.
We will also configure it to only listen on localhost, as we do not need it to listen on the public interface, we will only have ssh there. This is also they way tor hidden services work, but more on that later!

This is optional. Install php, mysql and php-pdo

sudo apt-get install php5 php5-mysql
sudo apt-get install mysql-server
sudo mysql_secure_installation

sudo apt-get install php5 php5-mysql

sudo apt-get install mysql-server

sudo mysql_secure_installation

4 – Configure apache
We only want it to listen on localhost because we want to use it on tor. So let’s change that. Modify the file /etc/apache2/ports.conf so that it looks like this. Make sure the line is changed from “Listen 80” to “Listen 127.0.0.1:8080”.

Listen 127.0.0.1:8080

1	Listen 127.0.0.1:8080

5 – Installing tor

sudo apt-get install tor

1	sudo apt-get install tor

6 – Configure tor
We will now create the directories and configure the hidden service. If you want to read more check the reference documentation here

Edit the file /etc/tor/torrc

HiddenServiceDir /etc/tor/http-server/
HiddenServicePort 80 127.0.0.1:8080

1 2	HiddenServiceDir /etc/tor/http-server/ HiddenServicePort 80 127.0.0.1:8080

Time to start, “service tor start”

Your hostname will now be visible in this file:

/var/lib/tor/http-service/hostname

1	/var/lib/tor/http-service/hostname

Your website will now be available by accessing a url such as

https://xxxxxxxxxxxxxxx.onion.to/

Replace the x’s with your hostname found in the hostname file. This works because of the “.to” that is added to the onion domain. More information here https://tor2web.org/

To make tor start on boot, enter the following command

sudo update-rc.d tor enable

1	sudo update-rc.d tor enable

References and additional reading

http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

https://www.torproject.org/docs/tor-hidden-service.html.en

https://www.torproject.org/docs/debian.html.en

https://tor2web.org/

Compiling QEMU and libvirtd from source to be more sneaky when doing malware analysis

3 Replies

Hello,

This is another post related to malware analysis and QEMU/KVM. I did a bit more research and found different older articles describing how to make pafish happy and how to evade malware that are aware of virtual machines.

Below is a screenshot from the output of pafish on Windows 7.

The Windows 7 system is running on a KVM host with the following kernel:

[root@virre ~]# uname -a
Linux host.local 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

1 2	[root@virre ~]# uname -a Linux host.local 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

As you can see, it looks pretty good and we may be able to win over most malware, but there are still stuff that we want to remove. For instance, check out the device manager

As you can see there are devices called QEMU which indicates that this is not a laptop. Note that pafish did not detect this, but still, we should fix it. Our goal today is to make it say something else. Before we continue there are a lot of posts that I have used for reference (Check the end of this guide), but I wanted to start fresh and make a guide for everyone trying to do this on.. You guessed it, CentOS 7.

Before we start let me just explain a little. When you install qemu/kvm on CentOS 7 using yum it will be called qemu-kvm, but when you compile it will be called qemu-system-x86_64. This is important to understand. It is still the same, but it is called different depending on if it is compiled or not. Read more here
Also, make sure that you have the kvm module loaded. My laptop for this guide is an old laptop running a AMD CPU. Check with lsmod if the proper modules are loaded. For intel it should say kvm_intel.

[root@localhost qemu]# lsmod |grep kvm
kvm_amd                60314  3 
kvm                   461126  1 kvm_amd

[root@localhost qemu]# lsmod |grep kvm

kvm_amd 60314 3

kvm 461126 1 kvm_amd

1. Install a fresh CentOS 7 minimal.
I installed it with Gnome Desktop as I am using an old laptop. And update it:

yum update -y; yum upgrade -y

1	yum update -y; yum upgrade -y

After we finish it will look something like this (2015-06-25)

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

1 2	[root@localhost ~]# uname -a Linux localhost.localdomain 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

2. Install some more packages and development tools
Grab a coffee while you wait.

yum install python-devel perl-XML-XPath supermin python-ipaddr libvirt-python
yum groupinstall "Development Tools"

1 2	yum install python-devel perl-XML-XPath supermin python-ipaddr libvirt-python yum groupinstall "Development Tools"

Before we continue we can do some tweaking to compile a little bit faster. Depending on how many cores your system has, you can change the jobs parameter for make. Execute the following command:

[root@localhost ~]# cat /proc/cpuinfo | grep processor | wc -l
2

1 2	[root@localhost ~]# cat /proc/cpuinfo \| grep processor \| wc -l 2

This would give me the value of “make -j2”. Yea, this is an old laptop..

3. Cloning QEMU

#!/bin/bash
yum-builddep qemu-kvm
git clone git://git.qemu.org/qemu.git
cd qemu

#!/bin/bash

yum-builddep qemu-kvm

git clone git://git.qemu.org/qemu.git

cd qemu

4. Edit drivers and compiling
Now the fun stuff starts. We are going to rename the device from QEMU HARDDISK to something else. Make sure you are in the cloned qemu folder that we just cloned from the git repo (step 4)

[root@localhost qemu]# pwd
/root/qemu-source/qemu

1 2	[root@localhost qemu]# pwd /root/qemu-source/qemu

Find the driver name (As seen in the device manager)

[root@localhost qemu]# grep -nr "HARDDISK" hw/*
hw/ide/core.c:2284:            strcpy(s->drive_model_str, "QEMU HARDDISK");
hw/scsi/scsi-disk.c:2303:        s->product = g_strdup("QEMU HARDDISK");

[root@localhost qemu]# grep -nr "HARDDISK" hw/*

hw/ide/core.c:2284: strcpy(s->drive_model_str, "QEMU HARDDISK");

hw/scsi/scsi-disk.c:2303: s->product = g_strdup("QEMU HARDDISK");

These are the files that you need to edit. I will replace it with “WDC WD20EARS” that should simulate a 2TB disk from Western Digital (according to a Google search).

[root@localhost qemu]# sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' hw/ide/core.c
[root@localhost qemu]# sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' hw/scsi/scsi-disk.c
[root@localhost qemu]# grep -nr "WDC" hw/*
hw/ide/core.c:2284:            strcpy(s->drive_model_str, "WDC WD20EARS");
hw/scsi/scsi-disk.c:2303:        s->product = g_strdup("WDC WD20EARS");

[root@localhost qemu]# sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' hw/ide/core.c

[root@localhost qemu]# sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' hw/scsi/scsi-disk.c

[root@localhost qemu]# grep -nr "WDC" hw/*

hw/ide/core.c:2284: strcpy(s->drive_model_str, "WDC WD20EARS");

hw/scsi/scsi-disk.c:2303: s->product = g_strdup("WDC WD20EARS");

Also, let us not forget the DVD drive. Let us call it Toshiba DVD-ROM (because it was the only thing that popped up in my head)

[root@localhost qemu]# grep -nr "QEMU DVD" hw/*
hw/ide/atapi.c:732:        padstr8(buf + 16, 16, "QEMU DVD-ROM");
hw/ide/core.c:2278:            strcpy(s->drive_model_str, "QEMU DVD-ROM");

[root@localhost qemu]# grep -nr "QEMU DVD" hw/*

hw/ide/atapi.c:732: padstr8(buf + 16, 16, "QEMU DVD-ROM");

hw/ide/core.c:2278: strcpy(s->drive_model_str, "QEMU DVD-ROM");

And there are some more places that we need to edit:

[root@localhost qemu]# sed -i 's/QEMU DVD-ROM/DVD-ROM/g' hw/ide/core.c
[root@localhost qemu]# sed -i 's/QEMU DVD-ROM/DVD-ROM/g' hw/ide/atapi.c 
[root@localhost qemu]# sed -i 's/s->vendor = g_strdup("QEMU");/s->vendor = g_strdup("Toshiba");/g' hw/scsi/scsi-disk.c
[root@localhost qemu]# sed -i 's/QEMU CD-ROM/CD-ROM/g' hw/scsi/scsi-disk.c
[root@localhost qemu]# sed -i 's/padstr8(buf + 8, 8, "QEMU");/padstr8(buf + 8, 8, "Toshiba");/g' hw/ide/atapi.c

[root@localhost qemu]# sed -i 's/QEMU DVD-ROM/DVD-ROM/g' hw/ide/core.c

[root@localhost qemu]# sed -i 's/QEMU DVD-ROM/DVD-ROM/g' hw/ide/atapi.c

[root@localhost qemu]# sed -i 's/s->vendor = g_strdup("QEMU");/s->vendor = g_strdup("Toshiba");/g' hw/scsi/scsi-disk.c

[root@localhost qemu]# sed -i 's/QEMU CD-ROM/CD-ROM/g' hw/scsi/scsi-disk.c

[root@localhost qemu]# sed -i 's/padstr8(buf + 8, 8, "QEMU");/padstr8(buf + 8, 8, "Toshiba");/g' hw/ide/atapi.c

Time to build! Make sure you are root so you can install it.

#!/bin/bash
./configure --prefix=/usr --sysconfdir=/etc --docdir=/usr/share/doc/qemu --target-list=x86_64-softmmu
make -j2
make install

#!/bin/bash

./configure --prefix=/usr --sysconfdir=/etc --docdir=/usr/share/doc/qemu --target-list=x86_64-softmmu

make -j2

make install

Fix a sympbolic link to make virt-manager happy.

ln -s /usr/bin/qemu-system-x86_64 /usr/libexec/qemu-kvm

1	ln -s /usr/bin/qemu-system-x86_64 /usr/libexec/qemu-kvm

5. Time to compile libvirt

If you want to know more about compiling libvirt, and the arguments I am using with autogen you can read more here before you continue:
https://libvirt.org/compiling.html

#!/bin/bash
yum-builddep libvirt
git clone git://libvirt.org/libvirt.git
cd libvirt
./autogen.sh --system --prefix=/usr --sysconfdir=/etc 
make -j2
make check
make install

#!/bin/bash

yum-builddep libvirt

git clone git://libvirt.org/libvirt.git

cd libvirt

./autogen.sh --system --prefix=/usr --sysconfdir=/etc

make -j2

make check

make install

Go ahead and start!

systemctl start libvirtd

1	systemctl start libvirtd

You should see something like this in /var/log/messages

Jun 26 08:32:06 localhost systemd: Starting Virtualization daemon...
Jun 26 08:32:07 localhost systemd: Started Virtualization daemon.
Jun 26 08:32:08 localhost journal: libvirt version: 1.3.0

Jun 26 08:32:06 localhost systemd: Starting Virtualization daemon...

Jun 26 08:32:07 localhost systemd: Started Virtualization daemon.

Jun 26 08:32:08 localhost journal: libvirt version: 1.3.0

6. Install virt-manager

git clone git://git.fedorahosted.org/virt-manager.git
cd virt-manager
python setup.py install

git clone git://git.fedorahosted.org/virt-manager.git

cd virt-manager

python setup.py install

You can now start virt-manager by executing ./virt-manager in the same directory. Or, if you do not want to use virt-manager and create the virtual machine, you can just continue to step 7.

7. Install the first virtual machine
Let us install a Windows XP SP0 and see whats what. I am using an old iso image which I placed in /root/

mkdir /vm/
#Create the disk
/usr/bin/qemu-img create -f qcow2 /vm/winxp.qcow2 80G
#Either create a machine through virt-manager or do it command line style
/usr/libexec/qemu-kvm -enable-kvm -m 1024 -hda /vm/winxp.qcow2 -cdrom /root/en_winxp_pro_x86_build2600_iso.img -boot d

mkdir /vm/

#Create the disk

/usr/bin/qemu-img create -f qcow2 /vm/winxp.qcow2 80G

#Either create a machine through virt-manager or do it command line style

/usr/libexec/qemu-kvm -enable-kvm -m 1024 -hda /vm/winxp.qcow2 -cdrom /root/en_winxp_pro_x86_build2600_iso.img -boot d

When the installation is complete, go into the device manager and voilá:

Device Manager after QEMO modifications

Each time you want to modify something in the qemu code you can just rerun the make and make install steps and you will update the binary and drivers will be changed accordingly.

8. Changing The BIOS
This is the last step if you really would like to be sneaky. When you execute dmidecode it will also tell you that this is QEMU and not something else.

Notice QEMU after Manufacturer on the devices

QEMU uses seabios so we will start by performing a clone of the latest source and compile it.

git clone git://git.seabios.org/seabios.git
cd seabios
make

git clone git://git.seabios.org/seabios.git

cd seabios

make

The completed bios file will be located in the folder out and is called “bios.bin”. The next step is to execute it with some parameters set (“-k en” means english keyboard)

/usr/libexec/qemu-kvm -enable-kvm -m 1024 -drive file=/vm/winxp.qcow2,if=none,id=drive-ide0-0-0,format=qcow2 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -k en -boot n -bios /root/bios/seabios/out/bios.bin -smbios type=1,manufacturer="Dell" -smbios type=0,vendor="Dell" -smbios type=4,manufacturer="Dell" -smbios type=17,manufacturer="Dell" -smbios type=3,manufacturer="Dell"

/usr/libexec/qemu-kvm -enable-kvm -m 1024 -drive file=/vm/winxp.qcow2,if=none,id=drive-ide0-0-0,format=qcow2 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -k en -boot n -bios /root/bios/seabios/out/bios.bin -smbios type=1,manufacturer="Dell" -smbios type=0,vendor="Dell" -smbios type=4,manufacturer="Dell" -smbios type=17,manufacturer="Dell" -smbios type=3,manufacturer="Dell"

Notice the parameter

-bios /root/bios/seabios/out/bios.bin

1	-bios /root/bios/seabios/out/bios.bin

This is where I specify the bios file we compiled.

The other parameters:

-smbios type=1,manufacturer="Dell" 
-smbios type=0,vendor="Dell" 
-smbios type=4,manufacturer="Dell" 
-smbios type=17,manufacturer="Dell" 
-smbios type=3,manufacturer="Dell"

-smbios type=1,manufacturer="Dell"

-smbios type=0,vendor="Dell"

-smbios type=4,manufacturer="Dell"

-smbios type=17,manufacturer="Dell"

-smbios type=3,manufacturer="Dell"

Is where I tell it to set Dell as a manufacturer and not QEMU. And your final product after running dmidecode should be something like this:

dmidecode after the parameter changes

You can also add the bios file using virsh edit and set the following.

  <os>
    <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
    <loader type='rom'>/root/bios/seabios/out/bios.bin</loader>
    <boot dev='hd'/>
  </os>

<os>

<loader type='rom'>/root/bios/seabios/out/bios.bin</loader>

</os>

However, you still require the smbios arguments. You could also add the “-smbios type” parameters in the domain xml for the vm.

That was all!

References and links

Using KVM and guestfish for dynamic malware analysis on Windows

Leave a reply

Hey,

After the news that FireEye was affected by the VENOM vulnerability it got me thinking that how hard can it be to do this in KVM. This article will give you a start on how to do sort of dynamic analysis, or at least get you going. I will probably update it later on when I do more.

Prerequisites

This guide requires that you have already installed a CentOS 7.1 system with KVM support and a Windows XP machine installed. This machine is named “winxp” and will be used further down in the guide. The system has to be configured with IDE drives and qcow2 format. Make sure you have two disks, one disk called “windows_xp.qcow2” mounted at C: and one called “windows_xp_data.qcow2” mounted at E: on the machine. The size of the disks should be at least 80GB or so per disk. Other things like memory should be fine at 2GB.

Let’s kick off! Make sure you have a snapshot on the vm called “ready”. We will use this as default state before starting the machine. So to sum up.

1. Install a VM Windows XP guest with 2gb of ram and qcow2 disks so that we can use snapshots
2. Make sure it has two disks, one at C: at 80GB and one at E: at 80GB. These qcow2 images are saved in the folder /vm/
3. Create a snapshot called “ready” when you have installed it.
4. Done!

Let’s start!

Everything we configure from now on will be done on the KVM host. That is the mother machine running the guest machines (the Windows XP system is a guest)

1. Install the epel repo. You will need this for the packages.

yum install epel-release

1	yum install epel-release

2. Install some packages from epel. They are required to mount the NTFS volume offline

yum install libguestfs-tools

1	yum install libguestfs-tools

3. The is an issue on current (2015-06-08) CentOS 7.1 with winsupport. You have to manually download the rpm and install it using yum localinstall. This is used to be able to mount NTFS drives.
Read more here:
https://www.centos.org/forums/viewtopic.php?f=48&t=52437
Download here
http://people.redhat.com/~rjones/libguestfs-winsupport/7/7.1/x86_64/

4. Create the folder /root/files/

5. That should be it. Test it with the script in the next step.

Before you run it you have to know what it does. As you cannot insert files on a live system without (potentially) damaging the filesystem we will make sure the guest is shut down first. We will use destroy since we do not want to wait for a graceful shutdown. After the machine is shut down, we mount the disk called “windows_xp_data.qcow2” which is our E: on the winxp system and then upload all files in the folder “/root/files” to E:\files\ on the Windows XP system.

6. The startup script on the vm host.

#!/bin/bash

state=$(virsh domstate winxp)
if [[ $state == "shut off" ]]
        then echo "Machine is powered off. Proceeding."
else
    	echo "Machine is on. Shutting down"
        virsh destroy winxp
        echo "Machine have been shut off"
fi

echo "Restoring machine to default state"
virsh snapshot-revert winxp ready

echo "Preparing to insert file into filesystem"

guestfish <<_EOF_
add /vm/windows_xp_data.qcow2
run
mount-vfs -o ntfs /dev/sda1 /
copy-in /root/files/ /
_EOF_

echo "File has been inserted. Booting machine"
virsh start winxp
echo "Machine is booted, sit down and enjoy!"

#!/bin/bash

state=$(virsh domstate winxp)

if [[ $state == "shut off" ]]

then echo "Machine is powered off. Proceeding."

else

echo "Machine is on. Shutting down"

virsh destroy winxp

echo "Machine have been shut off"

echo "Restoring machine to default state"

virsh snapshot-revert winxp ready

echo "Preparing to insert file into filesystem"

guestfish <<_EOF_

add /vm/windows_xp_data.qcow2

run

mount-vfs -o ntfs /dev/sda1 /

copy-in /root/files/ /

_EOF_

echo "File has been inserted. Booting machine"

virsh start winxp

echo "Machine is booted, sit down and enjoy!"

7. When the machine now has booted you should find the files on E:\files. What you can do now is to implement a python application running at startup on the Windows XP machine that looks in the folder and then uses something like a custom cfg file to perhaps first install a older version of adobe and then launch your pdf file in files. As you can manipulate the filesystem before you boot the machine you may be able remove some or all traces of QEMU or KVM to perhaps “dodge” the vm awareness in some malware.

Good luck!

Using winexe on CentOS 7 to execute commands on remote Windows 7 machines

1 Reply

winexe is an application for Linux that you can use to execute remote commands on Windows machines. Similar to how a meterpreter would work or how you use psexec on Windows.
The reason for using it could be that you want to script certain actions on remote machines, such as executing powershell scripts and gather information for forensic purposes etc. I was interested in it because of the last example.

In this guide I will show you how to do that and build a scenario for you and show you how one could use it to collect remote information on your endpoints. As usual I use CentOS 7 with the latest updates as per the date of this post.

[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.1.1503 (Core) 
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost ~]# cat /etc/redhat-release

CentOS Linux release 7.1.1503 (Core)

[root@localhost ~]# uname -a

Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

1.
Download winexe from here. If you download the current source (as per this date) it is called “winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab.zip” with sha1sum cbbebd80c935a8408448f3a92c04b85ea19a8b64

Or, clone it using git:

git clone http://git.code.sf.net/p/winexe/winexe-waf winexe

1	git clone http://git.code.sf.net/p/winexe/winexe-waf winexe

2.
Make sure you have all the packages installed. You will need the epel repo for some packages as well.

yum install epel-release
yum update -y
yum install samba-client \
gcc \
perl \
mingw-binutils-generic \
mingw-filesystem-base \
mingw32-binutils \
mingw32-cpp \
mingw32-crt \
mingw32-filesystem \
mingw32-gcc \
mingw32-headers \
mingw64-binutils \
mingw64-cpp \
mingw64-crt \
mingw64-filesystem \
mingw64-gcc \
mingw64-headers \
libcom_err-devel \
popt-devel \
zlib-devel \
zlib-static \
glibc-devel \
glibc-static \
python-devel \
gnutls-devel \
libacl-devel \
openldap-devel \
samba-devel \

yum install epel-release

yum update -y

yum install samba-client \

gcc \

perl \

mingw-binutils-generic \

mingw-filesystem-base \

mingw32-binutils \

mingw32-cpp \

mingw32-crt \

mingw32-filesystem \

mingw32-gcc \

mingw32-headers \

mingw64-binutils \

mingw64-cpp \

mingw64-crt \

mingw64-filesystem \

mingw64-gcc \

mingw64-headers \

libcom_err-devel \

popt-devel \

zlib-devel \

zlib-static \

glibc-devel \

glibc-static \

python-devel \

gnutls-devel \

libacl-devel \

openldap-devel \

samba-devel \

3. Unzip the package downloaded in step 1 (I downloaded it to /root/) and navigate into the source folder. Or if you used git simple go into the folder and then in the source folder.

[root@localhost source]# pwd
/root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source

1 2	[root@localhost source]# pwd /root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source

4. Build it

[root@localhost source]# ./waf configure build

1	[root@localhost source]# ./waf configure build

5. If everything works good you will get the output

Waf: Leaving directory `/root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build'
'build' finished successfully (1.819s)

1 2	Waf: Leaving directory `/root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build' 'build' finished successfully (1.819s)

6.
Time for the fun stuff. Now you will have your winexe binary in the build directory. Navigate into the folder build

[root@localhost build]# pwd
/root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build
[root@localhost build]# ./winexe
winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
Usage: winexe [OPTION]... //HOST COMMAND
Options:
  -h, --help                                  Display help message
  -V, --version                               Display version number
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]     Set the network username
  -A, --authentication-file=FILE              Get the credentials from a file
  -N, --no-pass                               Do not ask for a password
  -k, --kerberos=STRING                       Use Kerberos, -k [yes|no]
  -d, --debuglevel=DEBUGLEVEL                 Set debug level
  --uninstall                                 Uninstall winexe service after remote execution
  --reinstall                                 Reinstall winexe service before remote execution
  --system                                    Use SYSTEM account
  --profile                                   Load user profile
  --convert                                   Try to convert characters between local and remote code-pages
  --runas=[DOMAIN\]USERNAME%PASSWORD          Run as the given user (BEWARE: this password is sent in cleartext over the network!)
  --runas-file=FILE                           Run as user options defined in a file
  --interactive=0|1                           Desktop interaction: 0 - disallow, 1 - allow. If allow, also use the --system switch (Windows requirement). Vista does not support this option.
  --ostype=0|1|2                              OS type: 0 - 32-bit, 1 - 64-bit, 2 - winexe will decide. Determines which version (32-bit or 64-bit) of service will be installed.
[root@localhost build]#

[root@localhost build]# pwd

/root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build

[root@localhost build]# ./winexe

winexe version 1.1

This program may be freely redistributed under the terms of the GNU GPLv3

Usage: winexe [OPTION]... //HOST COMMAND

Options:

-h, --help Display help message

-V, --version Display version number

-U, --user=[DOMAIN/]USERNAME[%PASSWORD] Set the network username

-A, --authentication-file=FILE Get the credentials from a file

-N, --no-pass Do not ask for a password

-k, --kerberos=STRING Use Kerberos, -k [yes|no]

-d, --debuglevel=DEBUGLEVEL Set debug level

--uninstall Uninstall winexe service after remote execution

--reinstall Reinstall winexe service before remote execution

--system Use SYSTEM account

--profile Load user profile

--convert Try to convert characters between local and remote code-pages

--runas=[DOMAIN\]USERNAME%PASSWORD Run as the given user (BEWARE: this password is sent in cleartext over the network!)

--runas-file=FILE Run as user options defined in a file

--interactive=0|1 Desktop interaction: 0 - disallow, 1 - allow. If allow, also use the --system switch (Windows requirement). Vista does not support this option.

--ostype=0|1|2 OS type: 0 - 32-bit, 1 - 64-bit, 2 - winexe will decide. Determines which version (32-bit or 64-bit) of service will be installed.

[root@localhost build]#

7.
Now. Before we continue you need to set up the Windows machine. There are some issues with Windows 7 and later as described here. I had to add this key to my machine to make it work:

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

1	reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Start cmd as administrator and paste it in. That should be everything.

8.
I have already uploaded a powershell script to my machine. It will run some commands and output this to a text file locally on the system. The local user I have created is called “bob” with the password of “secretpassword”. The system I am targeting is a system called windows.domain.local. Note that it is not joined to a active directory domain, it is just a domain I use for testing. You could do it with kerberos and an active directory account as well. The command line for executing the powershell script is:

./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "powershell.exe -executionPolicy bypass -File C:\gather.ps1" & EXIT'

1	./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "powershell.exe -executionPolicy bypass -File C:\gather.ps1" & EXIT'

The –uninstall parameter removes the service that winexe installs after it is done.
The other parameters you can read about here

To just run a simple ipconfig you can do like this

[root@localhost build]# ./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "ipconfig" & EXIT'

1	[root@localhost build]# ./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "ipconfig" & EXIT'

Or maybe drop yourself into a shell:

[root@localhost build]# ./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "cmd" & EXIT'
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

[root@localhost build]# ./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "cmd" & EXIT'

Microsoft Windows [Version 6.1.7601]

C:\Windows\system32>

References
http://www.aldeid.com/wiki/Winexe#Common_options
http://sourceforge.net/p/winexe/winexe-waf/ci/master/tree/#
http://ss64.com/nt/cmd.html

Guide for setting up yubikey OTP ssh access with CentOS 7

Leave a reply

Hi!

Today I will show you how to use the yubikey and set up authentication on CentOS 7 from scratch.
I have bought a yubikey 2 standard and will configure it to be used as OTP device when logging on via SSH. This is very cheap solution which offers a high level of security for home users.

The system I am using has just been installed and it is standard CentOS 7 with just default selections when installing. System is also updated and current to this day.

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.1.1503 (Core)

[root@localhost ~]# uname -a

Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost ~]# cat /etc/redhat-release

CentOS Linux release 7.1.1503 (Core)

Let’s start!

1.
Begin by installing some packages

yum group install "Development Tools" -y
yum install git -y
yum install epel-release -y
yum install perl-LDAP -y
yum install pam-devel -y
yum install libcurl-devel -y
yum install help2man -y
yum install ykpers -y
yum install ykpers-devel -y

yum group install "Development Tools" -y

yum install git -y

yum install epel-release -y

yum install perl-LDAP -y

yum install pam-devel -y

yum install libcurl-devel -y

yum install help2man -y

yum install ykpers -y

yum install ykpers-devel -y

2.
Clone the yubico-c library and install it.

git clone git://github.com/Yubico/yubico-c.git
cd yubico-c
autoreconf --install
./configure
make check
sudo make install

git clone git://github.com/Yubico/yubico-c.git

cd yubico-c

autoreconf --install

./configure

make check

sudo make install

If you get the error messsage

WARNING: 'a2x' is missing on your system.
         You might have modified some files without having the proper
         tools for further handling them.  Check the 'README' file, it
         often tells you about the needed prerequisites for installing
         this package.  You may also peek at any GNU archive site, in
         case some other package contains this missing 'a2x' program.

WARNING: 'a2x' is missing on your system.

You might have modified some files without having the proper

tools for further handling them. Check the 'README' file, it

often tells you about the needed prerequisites for installing

this package. You may also peek at any GNU archive site, in

case some other package contains this missing 'a2x' program.

You need to install asciidoc

yum install asciidoc

1	yum install asciidoc

3.
Clone the yubikey-personalization library and install it

 git clone git://github.com/Yubico/yubikey-personalization.git
 cd yubikey-personalization
 autoreconf --install
 ./configure
 make check install

git clone git://github.com/Yubico/yubikey-personalization.git

cd yubikey-personalization

autoreconf --install

./configure

make check install

3.
Clone the yubico-c-client and install it

git clone git://github.com/Yubico/yubico-c-client.git
cd yubico-c-client
autoreconf --install
./configure
make check
sudo make install

git clone git://github.com/Yubico/yubico-c-client.git

cd yubico-c-client

autoreconf --install

./configure

make check

sudo make install

4.
Clone the yubico-pam module and install it

git clone https://github.com/Yubico/yubico-pam.git
cd yubico-pam
autoreconf --install
./configure
make check install

git clone https://github.com/Yubico/yubico-pam.git

cd yubico-pam

autoreconf --install

./configure

make check install

5.
Fix the symlink for the pam module

ln -s /usr/local/lib/security/pam_yubico.so /usr/lib64/security/pam_yubico.so

1	ln -s /usr/local/lib/security/pam_yubico.so /usr/lib64/security/pam_yubico.so

NOTE! Before you continue, this is where you can lock yourself out and create a box that is not accessible. You should be logged on with root on another terminal so that you can revert back if it does not work. Console access will still work, so if you use KVM or something similar, you should be able to access it through that.

Start by making sure your yubikey is configured as shown in this guide:
YubiKey YubiCloud Configuration

You should also make sure that the OTP function is working by going here after you have configured it:
https://demo.yubico.com/

Your server will need to be able to contact the yubikey API service to validate the auth, so make sure you have internet connection to the box as well.
When it is working, move on!

6.
Change SELinux to run in permissive mode. People have been reporting issues with SELinux and yubikey so I recommend that you put it in permissive mode. If you don’t want to spend a couple of hours troubleshooting.

Edit the file /etc/sysconfig/selinux and set the parameter SELINUX to permissive as shown below.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=permissive

# SELINUXTYPE= can take one of three two values:

# targeted - Targeted processes are protected,

# minimum - Modification of targeted policy. Only selected processes are protected.

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

This will run at boot next time and change it to permissive. Now run the command to change mode to permissive in this session

setenforce 0

1	setenforce 0

Get the status. You can see the row “Current mode”, should say “permissive”

[root@localhost test]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

[root@localhost test]# sestatus

SELinux status: enabled

SELinuxfs mount: /sys/fs/selinux

SELinux root directory: /etc/selinux

Loaded policy name: targeted

Current mode: permissive

Mode from config file: permissive

Policy MLS status: enabled

Policy deny_unknown status: allowed

Max kernel policy version: 28

7.
Create a user, I have picked the name ‘test’. Make sure you change the password as well.

useradd test
passwd test

1 2	useradd test passwd test

8.
Edit the file /etc/pam.d/sshd

Make sure it contains the row:

auth 	required 	pam_yubico.so id=16 debug authfile=/etc/yubipasswd

1	auth required pam_yubico.so id=16 debug authfile=/etc/yubipasswd

as seen below in the file:

[root@localhost test]# cat /etc/pam.d/sshd
#%PAM-1.0
auth 	required 	pam_yubico.so id=16 debug authfile=/etc/yubipasswd
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

[root@localhost test]# cat /etc/pam.d/sshd

#%PAM-1.0

auth required pam_yubico.so id=16 debug authfile=/etc/yubipasswd

auth required pam_sepermit.so

auth substack password-auth

auth include postlogin

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session optional pam_keyinit.so force revoke

session include password-auth

session include postlogin

9.
Crete the authfile mentioned above.

touch /etc/yubipasswd

1	touch /etc/yubipasswd

Add your user and yubikey id separated with ‘:’. This is how my /etc/yubipasswd file looks like:

root:xxyyxxxyyyxx
test:xxyyxxxyyyxx

1 2	root:xxyyxxxyyyxx test:xxyyxxxyyyxx

Open a new terminal and login as test

ssh test@your-yubikey-configured-system

When you are promted for the password, write your password and press your yubikey so that it becomes one long string. Imagine:

[root@localhost test]# ssh test@localhost
test@localhost’s password: password + yubikey OTP token

The yubikey will press enter by default and this should log you on! Voila!

Other information
If you have multiple configurations on your yubikey, i.e Configuration Slot 1 and Slot 2 you may have used the wrong Slot. Slot 1 is pressed for 1 second and the other is above 2 seconds. (Or something like that). I use Configuration Slot 1 because then you dont have to press it for a longer period of time.

If you have installed a default CentOS 7 you probably do not need to change other SSH configuration files such as /etc/ssh/sshd_config

ChallengeResponseAuthentication no

1	ChallengeResponseAuthentication no

And /etc/pam.d/system-auth by adding “try_first_pass” to the row

auth        sufficient    pam_unix.so try_first_pass nullok

1	auth sufficient pam_unix.so try_first_pass nullok

You can also try installing the packages via epel repo. Packages are called:

libyubikey-devel.x86_64 : Development files for libyubikey
ykclient.x86_64 : Yubikey management library and client
ykpers.x86_64 : Yubikey personalization program

libyubikey-devel.x86_64 : Development files for libyubikey

ykclient.x86_64 : Yubikey management library and client

ykpers.x86_64 : Yubikey personalization program

The pam library I think you will have to install manually as previously shown.

Good luck!

Putting together a small systemd service script and controlling python

1 Reply

Hello!

This time I will demonstrate how to create a simple systemd service file so that you can control your applications with systemctl in CentOS 7. As you know systemctl will be replacing init so it is time to see what you can do with it.

Imagine the following sample script called hello.py. It will not do anything but print hello world and then sleep for one second.

#!/usr/bin/python
import time

while True:
	time.sleep(1)
    print 'hello world'

#!/usr/bin/python

import time

while True:

time.sleep(1)

print 'hello world'

Make sure you set the permissions so that it is executable. I will be placing this script in the folder /usr/local/bin/hello/

[root@demo hello]# ls -lah
totalt 4,0K
drwxr-xr-x. 2 root root 20 23 maj 10.20 .
drwxr-xr-x. 3 root root 36 23 maj 10.20 ..
-rwxr-xr-x. 1 root root 74 23 maj 10.20 main.py
[root@demo hello]# pwd
/usr/local/bin/hello

[root@demo hello]# ls -lah

totalt 4,0K

drwxr-xr-x. 2 root root 20 23 maj 10.20 .

drwxr-xr-x. 3 root root 36 23 maj 10.20 ..

-rwxr-xr-x. 1 root root 74 23 maj 10.20 main.py

[root@demo hello]# pwd

/usr/local/bin/hello

The next step is to create a small bash script that will execute the python script. In this script you can do more stuff if needed. I will call it run.sh

#!/bin/bash

/usr/local/bin/hello/main.py

#!/bin/bash

/usr/local/bin/hello/main.py

Make sure it is also located in /usr/local/bin/hello/

Now you want to be able to control that running a service command, i.e “service hello start” or
“systemctl start hello.service”

Start by navigating to the systemd folder and create the hello.service file. This is where we will tell systemctl what will happen.

[root@demo hello]# cd /etc/systemd/system
[root@demo system]# touch hello.service

1 2	[root@demo hello]# cd /etc/systemd/system [root@demo system]# touch hello.service

Edit the hello.service file and make sure you point ExecStart to the bash script called run.sh

[Unit]
Description=my Hello App

[Service]
Type=simple
ExecStart=/usr/local/bin/hello/run.sh
TimeoutSec=300

[Install]
WantedBy=multi-user.target

[Unit]

Description=my Hello App

[Service]

Type=simple

ExecStart=/usr/local/bin/hello/run.sh

TimeoutSec=300

[Install]

WantedBy=multi-user.target

Now, there are a few things you need to know. The parameter “ExecStart” is what going to happen when you tell systemctl to “start”. There are also “ExecStop” and “ExecReload”. Those will be used for? You guessed it, when stopped and reloaded. There are also nice stuff such as “ExecStartPre” and “ExecStartPost” to execute commands before and after the main app has started.

More info can be found at Red Hat

However, in our service file above we only need the settings I have provided.
So now it is time to execute it:

[root@demo hello]# service hello status
Redirecting to /bin/systemctl status  hello.service
hello.service - hello
   Loaded: loaded (/etc/systemd/system/hello.service; enabled)
   Active: active (running) since lör 2015-05-23 11:11:51 CEST; 2min 48s ago
 Main PID: 651 (run.sh)
   CGroup: /system.slice/hello.service
           ├─651 /bin/bash /usr/local/bin/hello/run.sh
           └─654 /usr/bin/python /usr/local/bin/hello/main.py

maj 23 11:11:51 tinyids.demo.local systemd[1]: Starting hello...
maj 23 11:11:51 tinyids.demo.local systemd[1]: Started hello.

[root@demo hello]# service hello status

Redirecting to /bin/systemctl status hello.service

hello.service - hello

Loaded: loaded (/etc/systemd/system/hello.service; enabled)

Active: active (running) since lör 2015-05-23 11:11:51 CEST; 2min 48s ago

Main PID: 651 (run.sh)

CGroup: /system.slice/hello.service

├─651 /bin/bash /usr/local/bin/hello/run.sh

└─654 /usr/bin/python /usr/local/bin/hello/main.py

maj 23 11:11:51 tinyids.demo.local systemd[1]: Starting hello...

maj 23 11:11:51 tinyids.demo.local systemd[1]: Started hello.

As you see I am using the old service command but CentOS 7 is redirecting to systemctl, that is fine. Both will work. The status command also shows that it is running.

We can also confirm by checking what is running

[root@demo hello]# ps aux|grep hello
root       651  0.0  0.0 115212  1444 ?        Ss   11:11   0:00 /bin/bash /usr/local/bin/hello/run.sh
root       654  0.0  0.1 127372  4576 ?        S    11:11   0:00 /usr/bin/python /usr/local/bin/hello/main.py

[root@demo hello]# ps aux|grep hello

root 651 0.0 0.0 115212 1444 ? Ss 11:11 0:00 /bin/bash /usr/local/bin/hello/run.sh

root 654 0.0 0.1 127372 4576 ? S 11:11 0:00 /usr/bin/python /usr/local/bin/hello/main.py

If you change any of the contents of the hello.service file you will be given the following message:

Warning: Unit file of hello.service changed on disk, 'systemctl daemon-reload' recommended.

1	Warning: Unit file of hello.service changed on disk, 'systemctl daemon-reload' recommended.

That is fine, just execute “systemctl daemon-reload”

To enable this on startup you can just do the classic chkconfig hello on and systemctl will take over:

[root@hello system]# chkconfig hello on
Note: Redirecting to ”systemctl enable hello.service”.
ln -s '/etc/systemd/system/hello.service' '/etc/systemd/system/multi-user.target.wants/hello.service'

[root@hello system]# chkconfig hello on

Note: Redirecting to ”systemctl enable hello.service”.

ln -s '/etc/systemd/system/hello.service' '/etc/systemd/system/multi-user.target.wants/hello.service'

If you have a python application that may involve mongodb or some other service like mysql you can edit your service file to look like this

[Unit]
Description=My Service
After=syslog.target network.target mongod.service

[Service]
Type=simple
ExecStart=/usr/local/bin/hello/run.sh
TimeoutSec=300

[Install]
WantedBy=multi-user.target

[Unit]

Description=My Service

After=syslog.target network.target mongod.service

[Service]

Type=simple

ExecStart=/usr/local/bin/hello/run.sh

TimeoutSec=300

[Install]

WantedBy=multi-user.target

This will mean that syslog, network and the mongodb service is required to start before your app is.

Have fun!

Setup a OpenVPN server on FreeBSD 10.1

Leave a reply

Hey,

I just wanted to recommend this guide if you are interested in setting up a VPN server at home or in the cloud.

https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1

I recommend you using at least 4096 key size and AES 256. If you go any higher it will take a lot of time to generate the keys, and you will get bad performance and timeouts (even with only one client) on the standard $5 per month server at DigitalOcean. More CPU cores will enable you to run stronger crypto!

Good luck!

kickass infosec

saving the world one byte at a time

Using ELK and watcher to set up alerts

LAMP with https causes issues with slow requests

Various code snippets in C++ (Mostly WINAPI)

Raspberry Pi as tor2web service running apache

Compiling QEMU and libvirtd from source to be more sneaky when doing malware analysis

Using KVM and guestfish for dynamic malware analysis on Windows

Using winexe on CentOS 7 to execute commands on remote Windows 7 machines

Guide for setting up yubikey OTP ssh access with CentOS 7

Putting together a small systemd service script and controlling python

Setup a OpenVPN server on FreeBSD 10.1