Monthly Archives: May 2015

Using winexe on CentOS 7 to execute commands on remote Windows 7 machines

winexe is an application for Linux that you can use to execute commands remotely on Windows machines, similar to how meterpreter works or how you use psexec on Windows.
The reason for using it could be that you want to script certain actions on remote machines, such as executing powershell scripts and gathering information for forensic purposes. I was interested in it because of the last example.

In this guide I will show you how to do that, build a scenario, and show how one could use it to collect information remotely from your endpoints. As usual I use CentOS 7 with the latest updates as per the date of this post.

1.
Download winexe from here. If you download the current source (as per this date) it is called “winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab.zip” with sha1sum cbbebd80c935a8408448f3a92c04b85ea19a8b64

Or, clone it using git:

2.
Make sure you have all the packages installed. You will need the epel repo for some packages as well.

3. Unzip the package downloaded in step 1 (I downloaded it to /root/) and navigate into the source folder. Or, if you used git, simply go into the cloned folder and then into the source folder.

4. Build it

5. If everything works you will get this output

6.
Time for the fun stuff. Now you will have your winexe binary in the build directory. Navigate into the build folder

7.
Now, before we continue, you need to set up the Windows machine. There are some issues with Windows 7 and later as described here. I had to add this key to my machine to make it work:

Start cmd as administrator and paste it in. That should be everything.

8.
I have already uploaded a powershell script to my machine. It will run some commands and write the output to a text file locally on the system. The local user I have created is called “bob” with the password “secretpassword”. The system I am targeting is called windows.domain.local. Note that it is not joined to an Active Directory domain, it is just a domain I use for testing. You could do it with Kerberos and an Active Directory account as well. The command line for executing the powershell script is:

The --uninstall parameter removes the service that winexe installs once the command is done.
You can read about the other parameters here

To just run a simple ipconfig you can do it like this

Or maybe drop yourself into a shell:

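The collection scenario from the introduction as a script, added here as an example and not code from the original post: it runs the uploaded powershell script on every host in a list, with --uninstall as above, and keeps one output file per host. It assumes winexe is in PATH and that its -A option (a Samba-style credentials file, mode 0600) is used instead of putting the password on the command line; the remote script path is a placeholder.

```bash
#!/bin/bash
# Added example, not code from the original post: run one PowerShell collection
# script on a list of Windows hosts with winexe, one output file per host.
# Assumptions: winexe is in PATH (override with WINEXE=...); credentials come
# from a Samba-style file passed with winexe's -A option (lines "username = bob",
# "password = ...", "domain = ...") instead of -U user%password, so the password
# is not visible in `ps` on the Linux side; REMOTE_CMD is a placeholder.
set -u

WINEXE=${WINEXE:-winexe}
OUTDIR=${OUTDIR:-/root/winexe-collect}
REMOTE_CMD=${REMOTE_CMD:-'powershell -File C:\path\to\collect.ps1'}

# Refuse an authentication file other users can read: it holds a password.
check_authfile() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Argument list for one host, one argument per line. --uninstall removes the
# winexesvc service that winexe installs on the target once the command ends.
winexe_args() {
    printf '%s\n' -A "$2" --uninstall "//$1" "$3"
}

# Run the command on one host, capture stdout+stderr, report the result.
collect_host() {
    local host=$1 authfile=$2 rc out args
    out="$OUTDIR/$host.txt"
    mapfile -t args < <(winexe_args "$host" "$authfile" "$REMOTE_CMD")
    timeout 120 "$WINEXE" "${args[@]}" >"$out" 2>&1 && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$host OK ($(wc -l <"$out") lines)"
    else
        echo "$host FAILED rc=$rc, see $out"
    fi
    return "$rc"
}

main() {
    local authfile=$1 hostlist=$2 host
    check_authfile "$authfile" || { echo "$authfile must exist with mode 0600" >&2; return 1; }
    mkdir -p "$OUTDIR" && chmod 700 "$OUTDIR"
    while read -r host; do
        [ -n "$host" ] && collect_host "$host" "$authfile"
    done <"$hostlist"
}

# Usage: ./collect.sh --run /root/winexe.auth hosts.txt   (one hostname per line)
if [ "${1:-}" = "--run" ]; then main "$2" "$3"; fi
```
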
References
http://www.aldeid.com/wiki/Winexe#Common_options
http://sourceforge.net/p/winexe/winexe-waf/ci/master/tree/#
http://ss64.com/nt/cmd.html

Guide for setting up yubikey OTP ssh access with CentOS 7

Hi!

Today I will show you how to use the yubikey and set up authentication on CentOS 7 from scratch.
I have bought a yubikey 2 standard and will configure it to be used as an OTP device when logging on via SSH. This is a very cheap solution that offers a high level of security for home users.

The system I am using has just been installed and is a standard CentOS 7 with just the default selections when installing. The system is also updated and current as of today.

Let’s start!

1.
Begin by installing some packages

2.
Clone the yubico-c library and install it.

If you get the error message

you need to install asciidoc

3.
Clone the yubikey-personalization library and install it

3.
Clone the yubico-c-client and install it

4.
Clone the yubico-pam module and install it

5.
Fix the symlink for the pam module

NOTE! Before you continue, this is where you can lock yourself out and create a box that is not accessible. You should be logged on with root on another terminal so that you can revert back if it does not work. Console access will still work, so if you use KVM or something similar, you should be able to access it through that.

Start by making sure your yubikey is configured as shown in this guide:
YubiKey YubiCloud Configuration

You should also make sure that the OTP function is working by going here after you have configured it:
https://demo.yubico.com/

Your server will need to be able to contact the yubikey API service to validate the authentication, so make sure the box has an internet connection as well.
When it is working, move on!

6.
Change SELinux to run in permissive mode. People have been reporting issues with SELinux and yubikey, so I recommend that you put it in permissive mode unless you want to spend a couple of hours troubleshooting.

Edit the file /etc/sysconfig/selinux and set the parameter SELINUX to permissive as shown below.

This takes effect at the next boot. Now run the command to change the mode to permissive in the current session

Check the status. The row “Current mode” should say “permissive”

7.
Create a user; I have picked the name ‘test’. Make sure you set a password as well.

8.
Edit the file /etc/pam.d/sshd

Make sure it contains the row:

as seen below in the file:

9.
Create the authfile mentioned above.

Add your user and yubikey id separated by ‘:’. This is what my /etc/yubipasswd file looks like:

Open a new terminal and log in as test

ssh test@your-yubikey-configured-system

When you are prompted for the password, type your password and then press your yubikey so that it becomes one long string. Imagine:

[root@localhost test]# ssh test@localhost
test@localhost’s password: password + yubikey OTP token

The yubikey sends Enter by default, and this should log you on! Voila!

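Before closing the spare root terminal from the NOTE above, it is worth checking the pieces the login depends on. The script below is an added example, not part of the original guide: it checks that pam_yubico.so is where the symlink in step 5 should have put it, that /etc/pam.d/sshd references it, that the user has a well-formed yubikey id in the authfile, and it can test whether an OTP pressed from your key actually maps to that user. It assumes the authfile is /etc/yubipasswd with “user:id1:id2:...” lines as above.

```bash
#!/bin/bash
# Added example, not part of the original guide: checks to run from the spare
# root terminal before you rely on YubiKey logins, plus a test that an OTP from
# your key belongs to the user's line in the authfile. Assumptions: the
# authfile is /etc/yubipasswd with "user:id1:id2:..." lines as in the guide,
# and pam_yubico.so was symlinked into /lib64/security in step 5.
set -u

AUTHFILE=${AUTHFILE:-/etc/yubipasswd}

# A YubiKey public ID is 12 modhex characters (alphabet cbdefghijklnrtuv).
yubi_id_ok() {
    [[ $1 =~ ^[cbdefghijklnrtuv]{12}$ ]]
}

# IDs mapped to user $1 in authfile $2, one per line (nothing if unmapped).
authfile_ids() {
    awk -F: -v u="$1" '$1 == u { for (i = 2; i <= NF; i++) if ($i != "") print $i }' "$2" 2>/dev/null
}

# An OTP is 44 modhex characters; the first 12 are the key's public ID, the
# rest changes on every press. Returns 0 when that ID is mapped to the user.
otp_matches_user() {
    local otp=$1 user=$2 file=$3
    [ "${#otp}" -eq 44 ] && yubi_id_ok "${otp:0:12}" &&
        authfile_ids "$user" "$file" | grep -qx "${otp:0:12}"
}

# Lockout checks: module present, sshd PAM stack references it, authfile sane.
preflight() {
    local user=$1 id rc=0
    [ -e /lib64/security/pam_yubico.so ] || { echo "missing /lib64/security/pam_yubico.so"; rc=1; }
    grep -q pam_yubico /etc/pam.d/sshd 2>/dev/null || { echo "pam_yubico.so not in /etc/pam.d/sshd"; rc=1; }
    [ -n "$(authfile_ids "$user" "$AUTHFILE")" ] || { echo "no YubiKey ID for $user in $AUTHFILE"; rc=1; }
    while read -r id; do
        yubi_id_ok "$id" || { echo "malformed ID '$id' for $user"; rc=1; }
    done < <(authfile_ids "$user" "$AUTHFILE")
    [ "$(getenforce 2>/dev/null)" != "Enforcing" ] || echo "note: SELinux is enforcing, the guide runs permissive"
    return $rc
}

# Usage from the spare terminal (press the key at the end of the --otp line):
#   ./preflight.sh --check test
#   ./preflight.sh --otp test <44-char OTP>
case ${1:-} in
    --check) preflight "$2" ;;
    --otp)   otp_matches_user "$3" "$2" "$AUTHFILE" && echo "OTP maps to user $2" ;;
esac
```
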
Other information
If you have multiple configurations on your yubikey, i.e. Configuration Slot 1 and Slot 2, you may have used the wrong slot. Slot 1 is triggered by a short press (about 1 second) and Slot 2 by a longer press (over 2 seconds), or something like that. I use Configuration Slot 1 because then you don't have to hold the button for as long.

If you have installed a default CentOS 7 you probably do not need to change other SSH configuration files such as /etc/ssh/sshd_config

or /etc/pam.d/system-auth (adding “try_first_pass” to the row)

You can also try installing the packages via the epel repo. The packages are called:

I think you will have to install the pam module manually, as shown previously.

Links related to this guide
https://demo.yubico.com/
http://www.yubico.com/wp-content/uploads/2013/07/YubiKey_YubiCloud_Configuration.pdf
https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html
https://developers.yubico.com/yubikey-personalization/
https://github.com/Yubico/yubico-pam#readme

Good luck!

Putting together a small systemd service script and controlling python

Hello!

This time I will demonstrate how to create a simple systemd service file so that you can control your applications with systemctl in CentOS 7. As you know, systemd (controlled with systemctl) is replacing init, so it is time to see what you can do with it.

Imagine the following sample script called hello.py. It will not do anything but print hello world and then sleep for one second.

Make sure you set the permissions so that it is executable. I will be placing this script in the folder /usr/local/bin/hello/

The next step is to create a small bash script that will execute the python script. In this script you can do more stuff if needed. I will call it run.sh

Make sure it is also located in /usr/local/bin/hello/

Now you want to be able to control that by running a service command, i.e. “service hello start” or “systemctl start hello.service”.

Start by navigating to the systemd folder and creating the hello.service file. This is where we tell systemd what should happen.

Edit the hello.service file and make sure you point ExecStart to the bash script called run.sh

Now, there are a few things you need to know. The parameter “ExecStart” is what is going to happen when you tell systemctl to “start”. There are also “ExecStop” and “ExecReload”. What are those used for? You guessed it: when the service is stopped and reloaded. There is also nice stuff such as “ExecStartPre” and “ExecStartPost” to execute commands before and after the main app has started.

More info can be found at Red Hat

However, in our service file above we only need the settings I have provided.
So now it is time to execute it:

As you can see I am using the old service command, but CentOS 7 redirects it to systemctl, which is fine. Both will work. The status command also shows that it is running.

We can also confirm by checking what is running

If you change any of the contents of the hello.service file you will be given the following message:

That is fine, just execute “systemctl daemon-reload”

To enable it at startup you can just do the classic “chkconfig hello on” and systemctl will take over:

If you have a python application that depends on mongodb or some other service like mysql, you can edit your service file to look like this

This means that syslog, the network and the mongodb service are required to start before your app does.

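A fuller hello.service, added here as an example and not the unit file from the original post: it carries the dependencies just described and runs hello.py as a dedicated unprivileged user instead of root, with a restart on failure. It assumes a system user created with “useradd -r hello” that can read /usr/local/bin/hello, and that the MongoDB unit on your CentOS 7 is called mongod.service.

```ini
[Unit]
Description=hello.py sample service
; assumption: the MongoDB package installs mongod.service
After=network.target syslog.target mongod.service
Requires=mongod.service

[Service]
Type=simple
; run as a dedicated system user (useradd -r hello), not as root
User=hello
Group=hello
WorkingDirectory=/usr/local/bin/hello
ExecStart=/usr/local/bin/hello/run.sh
Restart=on-failure
RestartSec=5
; the process cannot gain privileges and gets its own /tmp
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

After editing the file, run “systemctl daemon-reload” as described above, then “systemctl start hello.service”.
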
Have fun!

Set up an OpenVPN server on FreeBSD 10.1

Hey,

I just wanted to recommend this guide if you are interested in setting up a VPN server at home or in the cloud.

https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1

I recommend using at least a 4096-bit key size and AES-256. If you go any higher it will take a lot of time to generate the keys, and you will get bad performance and timeouts (even with only one client) on the standard $5 per month server at DigitalOcean. More CPU cores will enable you to run stronger crypto!

Good luck!

Converting ova images to qcow2

The ova format is an open format for virtual machines. In this small guide I will explain how you can convert it to qcow2 format and run it in KVM.

In my example I am using LogPoint which is a SIEM product that you can download a trial of here

The file you download will be called logpoint.ova. Once you have it you can check out the file format using the file command:

You can also have a look at the contents of the tar archive

The next step is to extract the files. Just run

Time for some conversion!

The next step is to log on to your KVM server with ssh, start virt-manager and import the image.

In virt-manager choose New and then import an existing image. If you get a black screen on the console, try changing the video to QXL and restarting it. As LogPoint is based on Ubuntu you can change that while in the guide.

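The extract-and-convert steps above as one script, added here as an example and not code from the original post. Besides running tar and qemu-img it verifies every file against the checksums in the OVA's manifest (.mf) before converting, so a corrupted or tampered download is caught before it is ever booted. It assumes an OVF 1.x package with “SHA1(file)= hex” or “SHA256(file)= hex” manifest lines and qemu-img on the KVM host.

```bash
#!/bin/bash
# Added example, not code from the original post: unpack an .ova, verify each
# file against the checksums in its OVF manifest (.mf) before trusting it,
# then convert every VMDK disk to qcow2 with qemu-img. Assumptions: the OVA is
# an OVF 1.x package whose manifest lines read "SHA1(file)= hex" or
# "SHA256(file)= hex", and qemu-img is installed on the KVM host.
set -u

# Verify the manifest in directory $1. Prints one line per listed file and
# returns 1 on any mismatch or missing file. Handles CRLF manifests.
verify_manifest() {
    local dir=$1 mf line algo name want got rc=0
    local re='^(SHA1|SHA256)\(([^)]+)\)=[[:space:]]*([0-9A-Fa-f]+)$'
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || { echo "no manifest (.mf) in $dir"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%$'\r'}
        [[ $line =~ $re ]] || continue
        algo=${BASH_REMATCH[1]} name=${BASH_REMATCH[2]} want=${BASH_REMATCH[3]}
        case $algo in
            SHA1)   got=$(sha1sum "$dir/$name" 2>/dev/null | cut -d' ' -f1) ;;
            SHA256) got=$(sha256sum "$dir/$name" 2>/dev/null | cut -d' ' -f1) ;;
        esac
        if [ -n "$got" ] && [ "$got" = "$(echo "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK   $name"
        else
            echo "FAIL $name"; rc=1
        fi
    done <"$mf"
    return $rc
}

# Extract the OVA (a plain tar archive) into $2, verify it, then convert every
# .vmdk next to the .ovf into a qcow2 image with the same base name.
convert_ova() {
    local ova=$1 dir=$2 disk
    mkdir -p "$dir"
    tar -xf "$ova" -C "$dir"
    verify_manifest "$dir" || { echo "manifest check failed, not converting" >&2; return 1; }
    for disk in "$dir"/*.vmdk; do
        qemu-img convert -p -O qcow2 "$disk" "${disk%.vmdk}.qcow2"
    done
}

# Usage: ./ova2qcow2.sh --run logpoint.ova /var/lib/libvirt/images/logpoint
if [ "${1:-}" = "--run" ]; then convert_ova "$2" "$3"; fi
```
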
Good luck!

Monitor for new wine releases using Systembolaget API

Howdy,

For everyone who lives in Sweden, this is a post about how to get an alert when new stuff is added to Systembolaget's range of products. I will show you how to use a small python script and some bash code to automatically send you an e-mail when new products are discovered. Currently the XML file hosted at Systembolaget is updated every morning at 07:00 AM CET, so make sure you schedule it to run just after that.

1. Step one is to set up your server to send e-mail, see my previous post for an example of that on CentOS 7.

2. Head over to Systembolaget and their API page here, and get the link to their XML product file, which is called “Sortimentsfilen”. This is what we are fetching, and it is already included in the bash script, but it is good to know where you find it.

3. Create the folder “systembolaget” in your root directory. Or whatever directory you will be running the script from. On my test server I just used the root user. Place the python and bash script there.

4. Now time for some python. This is the code:

What it does is read the file called “/root/systembolaget/sortiment.xml” and look for the keywords defined in the variable “names”. When something is found it checks whether it is already something I know of and, if not, prints it to screen. That is it. In my example I monitor for Dal Forno and Roccolo Grassi wines.

5. Now it is time for the bash script that actually does the work:

This is the script you can put in crontab. Make sure you change the row where it says “your.email@domain.com” so that it is sent to a proper e-mail address. You can also change “WINE DISCOVERED!” to whatever you want; that will be the subject of the e-mail.
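
The whole monitor as one shell script, added here as an example and not the python or bash code from the original post: it fetches the product file, extracts the product names, keeps the ones on the watch list (Dal Forno and Roccolo Grassi as above), compares them with a file of names already seen, and mails only the new ones. It assumes the product name lives in a <Namn> element of sortiment.xml; SORTIMENT_URL and RECIPIENT are placeholders for the “Sortimentsfilen” link and your address.

```bash
#!/bin/bash
# Added example, not code from the original post: the cron side of the monitor
# in shell only. It fetches the product file, pulls every <Namn> element, keeps
# the names on the watch list, and mails only the ones not already recorded in
# a "seen" file. Assumptions: the product name is in a <Namn> element (as in
# the sortiment.xml of the time), SORTIMENT_URL is the "Sortimentsfilen" link
# from the API page (placeholder here), and RECIPIENT is a placeholder.
set -u

WORKDIR=${WORKDIR:-/root/systembolaget}
XML=$WORKDIR/sortiment.xml
SEEN=$WORKDIR/seen.txt
RECIPIENT=${RECIPIENT:-your.email@domain.com}
SUBJECT=${SUBJECT:-WINE DISCOVERED!}
WATCH=${WATCH:-"Dal Forno|Roccolo Grassi"}      # extended regex, case-insensitive
SORTIMENT_URL=${SORTIMENT_URL:-https://example.invalid/sortiment.xml}   # placeholder

# Product names in XML file $1 that match the watch list, one per line, unique.
# grep -o finds every <Namn> even when the whole file is on one line.
matching_names() {
    grep -o '<Namn>[^<]*</Namn>' "$1" | sed -e 's/<Namn>//' -e 's/<\/Namn>//' |
        grep -iE "$WATCH" | sort -u
}

# Names in file $1 that are not yet in seen file $2 (one name per line each).
new_names() {
    comm -23 <(sort -u "$1") <(sort -u "$2" 2>/dev/null)
}

run() {
    mkdir -p "$WORKDIR" && touch "$SEEN"
    # Download to a temp file so a failed fetch never clobbers the last good copy.
    if ! curl -fsS -o "$XML.tmp" "$SORTIMENT_URL"; then
        echo "download failed" >&2; return 1
    fi
    mv "$XML.tmp" "$XML"
    matching_names "$XML" > "$WORKDIR/matches.txt"
    new_names "$WORKDIR/matches.txt" "$SEEN" > "$WORKDIR/new.txt"
    if [ -s "$WORKDIR/new.txt" ]; then
        mail -s "$SUBJECT" "$RECIPIENT" < "$WORKDIR/new.txt"
        cat "$WORKDIR/new.txt" >> "$SEEN"       # remember them so each is mailed once
    fi
}

# crontab entry, just after the 07:00 CET update:  5 7 * * * /root/systembolaget/monitor.sh --run
if [ "${1:-}" = "--run" ]; then run; fi
```
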