Thursday, February 8, 2018

when crond is using /bin/sh

 crond uses sh by default. that last cron script i posted, well, tee is broke in sh. do this:

0 12 * * * root 2>&1 | bash -c 'tee >(/usr/bin/logger -p local6.notice -t script_tag ) >(mail -s "script output" me@here) >/dev/null'   

Monday, February 5, 2018

debug rsyslogd

 why isn't rsyslogd sending anything out?  
 window 1 $ tcpdump -u dst port 514  
 window 2 $ logger -n -P 514 "hello god"  
 <no answer>  
 hmm. let's debug rsyslogd  
 $ export RSYSLOG_DEBUGLOG="/tmp/debuglog"  
 $ export RSYSLOG_DEBUG="Debug"  
 $ service rsyslog stop  
 $ rsyslogd -d | head -10   
 7160.005597645:7fae096a3780: rsyslogd 7.2.6 startup, module path '', cwd:/root  
 7160.005872662:7fae096a3780: caller requested object 'net', not found (iRet -3003)  
 7160.005895004:7fae096a3780: Requested to load module 'lmnet'  
 7160.005906331:7fae096a3780: loading module '/lib64/rsyslog/'  
 7160.006023505:7fae096a3780: module lmnet of type 2 being loaded (keepType=0).  
 7160.006030872:7fae096a3780: entry point 'isCompatibleWithFeature' not present in module  
 7160.006033780:7fae096a3780: entry point 'setModCnf' not present in module  
 7160.006036209:7fae096a3780: entry point 'getModCnfName' not present in module  
 7160.006038359:7fae096a3780: entry point 'beginCnfLoad' not present in module  
 bad modules.  

dump cron script output from stdin into remote syslog & mail

 because i feel important the more mail i delete (but really need to archive it on a syslog server because, well, you know).  
 0 12 * * * root | cat | tee >(/usr/bin/logger -p local6.notice -t script_tag ) >(mail -s "script output" me@here) 2>&1  
 rsyslog configuration directive:  
 local6.*;*.*    @  
 (note: @@ is tcp listener)  
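
 the cron lines in this post and in the Feb 8 follow-up lean on bash process substitution, `>( ... )`, which /bin/sh does not have; that is why crond's default sh chokes and the `bash -c` wrapper is needed. as an added example (not from the original posts), here is a portable fan-out built on two named pipes that does the same job under plain sh. the sinks are passed in as command strings; `logger` and `mail` are assumed to exist on the box, and the test below swaps them for plain files.

```shell
# Portable stand-in for:  tee >(sink_a) >(sink_b) >/dev/null
# POSIX sh (dash, busybox) has no >(...) process substitution, so two named
# pipes take its place. Sinks are shell command strings run with sh -c.
# usage: some_script 2>&1 | fanout 'logger -p local6.notice -t script_tag' 'mail -s "script output" me@here'
fanout() {
    sink_a=$1
    sink_b=$2
    tmp=$(mktemp -d) || return 1
    mkfifo "$tmp/a" "$tmp/b" || { rm -rf "$tmp"; return 1; }

    # start the consumers first; each blocks in open() until tee opens its fifo for writing
    sh -c "$sink_a" < "$tmp/a" &
    sh -c "$sink_b" < "$tmp/b" &

    # tee copies stdin to both fifos; nothing reaches stdout, so cron itself has nothing to mail
    # (caveat: a sink that exits without ever reading leaves tee stuck in open(); keep sinks simple)
    rc=0
    tee "$tmp/a" > "$tmp/b" || rc=$?
    wait                      # both sinks have finished before the fifos go away
    rm -rf "$tmp"
    return "$rc"
}

# the cron line on this page as a function: remote syslog via logger plus a mail copy
# (hypothetical helper; $1 is the logger tag, $2 the mail recipient)
cron_output_to_syslog_and_mail() {
    fanout "logger -p local6.notice -t $1" "mail -s 'script output' $2"
}
```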

Thursday, February 1, 2018

svn logs to syslog

 make svn logs human readable and send off to a syslog server  
 in /etc/apache2/sites-enabled/000-svn  
 # set customlog variable  
 LogLevel warn  
 LogFormat "%{%Y-%m-%d %T}t %u@%h %>s repo:%{SVN-REPOS-NAME}e %{SVN-ACTION}e %B Bytes in %T Sec" svn_log  
 # customlog and send to syslog  
 CustomLog "|/usr/bin/tee -a /var/svn/logs/svn_logfile | /usr/bin/logger -thttpd -plocal6.notice" svn_log env=SVN-ACTION  
 in /etc/rsyslog.d/50-default.conf  
 local6.*    @remotesyslog  
 what remote syslog shows:  
 2018-02-01 16:34:45 buildbot@ 207 repo:repos get-dir /hell r160669 props 575 Bytes in 0 Sec  
 what standard apache access logs see: - buildbot [01/Feb/2018:16:34:45 -0500] "PROPFIND /svn/repos/hell HTTP/1.1" 207 397 "-" "SVN/6.6.6 (r40053) neon/0.66.0"  

apache logs to syslog

 get those apache logs to a remote syslog server  
 in /etc/apache2/sites-enabled/000-site  
 ErrorLog "|/usr/bin/tee -a /var/log/apache2/error.log | /usr/bin/logger -thttpd -plocal6.err"  
 CustomLog "|/usr/bin/tee -a /var/log/apache2/access.log | /usr/bin/logger -thttpd -plocal6.notice" combined  
 in /etc/syslog.conf  
 local6.*   @remoteserver  
 $ModLoad imfile  
 $InputFilePollInterval 10   
 $PrivDropToGroup adm  
 $WorkDirectory /var/spool/rsyslog  
 # Apache access file:  
 $InputFileName /var/log/apache2/access.log  
 $InputFileTag apache-access:  
 $InputFileStateFile stat-apache-access  
 $InputFileSeverity info  
 $InputFilePersistStateInterval 20000  
 #Apache Error file:   
 $InputFileName /var/log/apache2/error.log  
 $InputFileTag apache-error:  
 $InputFileStateFile stat-apache-error  
 $InputFileSeverity error  
 $InputFilePersistStateInterval 20000  
 what syslog gets:  
 <181>Feb 1 15:33:44 gallup httpd: - - [01/Feb/2018:15:33:44 -0500] "GET /url/index.php HTTP/1.1" 200 20025 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"  
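
 the `<181>` at the front of what syslog received is the PRI, facility * 8 + severity: local6 is facility 22 and notice is severity 5, so 22 * 8 + 5 = 181, which is exactly what `-plocal6.notice` above asked for, and the ErrorLog line's local6.err would show up as `<179>`. as an added example (not part of the original post), the helpers below encode and decode PRI values and check that a batch of received lines all carry the facility you configured; the sample lines in the test are constructed, not real traffic.

```shell
# syslog PRI helpers (RFC 3164 / RFC 5424): the <N> prefix is facility*8 + severity.
# local6 is facility 22 and notice is severity 5, so -plocal6.notice arrives as <181>.
SYSLOG_FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SYSLOG_SEVERITIES="emerg alert crit err warning notice info debug"

# _word_index NAME LIST -> 0-based position of NAME in LIST, or failure
_word_index() { i=0; for w in $2; do [ "$w" = "$1" ] && { printf '%s\n' "$i"; return 0; }; i=$((i + 1)); done; return 1; }

# _word_at N LIST -> the N-th word (0-based) of LIST, or failure
_word_at() { i=0; for w in $2; do [ "$i" -eq "$1" ] && { printf '%s\n' "$w"; return 0; }; i=$((i + 1)); done; return 1; }

# syslog_pri_encode local6 notice -> 181
syslog_pri_encode() {
    f=$(_word_index "$1" "$SYSLOG_FACILITIES") || return 1
    s=$(_word_index "$2" "$SYSLOG_SEVERITIES") || return 1
    printf '%s\n' $((f * 8 + s))
}

# syslog_pri_decode 181 -> local6.notice (a valid PRI is 0..191)
syslog_pri_decode() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 191 ] || return 1
    printf '%s.%s\n' "$(_word_at $(($1 / 8)) "$SYSLOG_FACILITIES")" "$(_word_at $(($1 % 8)) "$SYSLOG_SEVERITIES")"
}

# syslog_check_facility FACILITY < lines
# reports every received line whose PRI is missing, malformed, or not from FACILITY; returns 1 if any
syslog_check_facility() {
    bad=0
    while IFS= read -r line; do
        case $line in
            "<"*">"*) p=${line#"<"}; p=${p%%">"*} ;;
            *) printf 'no PRI: %s\n' "$line"; bad=1; continue ;;
        esac
        fs=$(syslog_pri_decode "$p") || { printf 'bad PRI: %s\n' "$line"; bad=1; continue; }
        [ "${fs%.*}" = "$1" ] || { printf 'unexpected %s: %s\n' "$fs" "$line"; bad=1; }
    done
    return "$bad"
}
```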

autosploit... one more thing to worry about

 yay autosploit! for making things interesting.
 this is a nice addition to the tools i have on my kali instance.  
 the important thing to do is:  
 pip install shodan  
 pip install blessings  
 if you want to be a script kiddie and hack IoT register with and get your api key.
 msf modules are not automated, they're predefined here:  
 as everyone knows, this application scans the database of "Internet of Things" and creates a 
 random list of 6000 IPs to potentially exploit.  
 you can forego's list and create your own targeted list of systems to hijack.  
 touch $autosploitpwd/hosts.txt  
 i set up a nc listener per the need for a listening local port  
 nc -l 123  
 then calling Multisploit, AutoSploit quickly checks the ports on the hosts on the list (yours or's).  
 you are then presented with the option to hijack the host using Metasploit's modules as defined above.  
 i decided to smash a system that's being retired...  
 [*] Added workspace: autosploit  
 LHOST => me  
 LPORT => 123  
 VERBOSE => true  
 THREADS => 100  
 RHOSTS => sadhost  
 [-] Exploit failed: The following options failed to validate: RHOST.  
 [*] Exploit completed, but no session was created.  
 no joy. but! i will find one...  

Tuesday, January 30, 2018

import ldap db dump

 you have an ldap db dump called import.ldif. you need to replace  
 an existing ldap database with import.ldif. do this:  
 TIMESTAMP=$(date '+%Y%m%d%H%M')  
 /etc/init.d/slapd stop ;  
 mv /var/lib/ldap /var/lib/ldap-$TIMESTAMP ;  
 mkdir /var/lib/ldap ;  
 cp /etc/ldap/DB_CONFIG /var/lib/ldap ;  
 slapadd -c -l /tmp/import.ldif ;  
 chown -R openldap.openldap /var/lib/ldap ;  
 /etc/init.d/slapd start