Thursday, October 30, 2014

script for centos 7 & openvas 7 install

centos 7 minimal. as in minimal. as in not even has netstat.

yum update
yum install wget
yum install isomd5sum
wget -q -O - http://www.atomicorp.com/installers/atomic |sh
yum -y install openvas
openvas-setup
systemctl stop firewalld
systemctl disable firewalld
openvas-mkcert-client -n om -i
openvasmd --rebuild
openvasmd

restart all daemons.

tell me sweet lies about arachni, will you?

wget http://downloads.arachni-scanner.com/arachni-0.4.6-0.4.3-linux-x86_64.tar.gz
tar xzvf arachni-0.4.6-0.4.3-linux-x86_64.tar.gz
mv arachni-0.4.6-0.4.3 /usr/local/.
ln -s /usr/local/arachni-0.4.6-0.4.3 /usr/local/arachni
ln -s /usr/local/arachni/bin/arachni* /usr/bin/
ln -s /usr/local/arachni/bin/readlink_f.sh /usr/bin/

Thursday, October 23, 2014

will grep for food

although zless does the job, too.

so. my mx host changed. and you know a whole lot of my boxes simply do not use a smarthost for mail relay. that's okay. or is it?

not really. because all those hosts need to have their zillion hosts files and bizarro mail conf files updated. and of course i'm not using chef or puppet or anything sane. who would do that? not me, of course.

but! i do backup etc directories in a central, safe place. i can totally grep them, right? no. they're all compressed.

zless to the rescue!

 #!/bin/bash  
 # look inside every compressed etc backup for the old mx hostname  
 # and note which archive it turned up in  
 cd /safe/archive || exit 1  
 for i in *.tgz; do  
     echo "$i" >> busted  
     zless "$i" | grep oldmailhost >> busted  
 done  

and then, knowing which tgz it is, i can rgrep the snot out of it and find where that string resides. go to said server and grep -r away.

Wednesday, October 15, 2014

i get tired of paths

i do.

 cd /usr/local && tar --strip-components 1 -xzf \  
     /path/to/crap-<version>-<platform>-<arch>.tar.gz  

plops in local. libs, binaries and all.

openvas & nasl

 openvas-nasl -d -t mysystem.oh.no -X -T out /var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl  
 openvas-nasl -d -t 192.168.6.0/24 -X -T out /var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl set key www/80/keepalive -> yes  

esx 5 pubkeys

 To allow SSH access to ESXi/ESX hosts with public/private key authentication:  
 Generate public/private keys.  
 Notes  
 These instructions generate two files in ~/.ssh: id_rsa and id_rsa.pub.  
 In ESXi 5.x, the ssh-keygen command is located at /usr/lib/vmware/openssh/bin.  

 On the remote host, store the public key content, id_rsa.pub, in ~/.ssh/authorized_keys.  
 Notes  
 For ESXi 5.0, the location of authorized_keys is: /etc/ssh/keys-<username>/authorized_keys  
 More than one key can be stored in this file.  
 To allow root access, change PermitRootLogin no to PermitRootLogin yes in the /etc/ssh/sshd_config file.  
 To disable password login, ensure that ChallengeResponseAuthentication and PasswordAuthentication are set to no.  
 Reload the service:  
 For ESXi, run the command:  
 /etc/init.d/SSH restart  
 For ESX, run the command:  
 service sshd reload  

Monday, October 13, 2014

the shocker

sure... we have centralized everything. what we sysadmins do have are pubkeys all over the place. so how do we figure out how much of a pain patching the many shellshock and aftershock systems on our networks is going to be? well crap. first is enumerate. yank the dns zone files, clean them up and feed them into:
shocking.sh
 #!/bin/bash  
 # for every host in the stripped zone file that answers a ping: copy theshocker.sh over,  
 # run it over ssh (keys only, no password prompts) and append everything to "output"  
 datestamp=$(date +"%m-%d-%Y")  
 while read -r ip_addr; do  
     ping -q -c 1 "$ip_addr" > /dev/null 2>&1 || continue  
     echo " *** $ip_addr *** " >> output  
     scp -B theshocker.sh "root@$ip_addr:/root/" >> output  
     ssh -o ConnectTimeout=1 -o BatchMode=yes -o ConnectionAttempts=1 \  
         -o PasswordAuthentication=no "root@$ip_addr" \  
         /bin/bash /root/theshocker.sh >> output  
     echo "done"  
 done < strippedzonefile  
 mail -s "shellshock and aftershock report $datestamp" you@somewhere < output  
which scp's and executes theshocker.sh
 #!/bin/sh  
 # cve-2014-6271: a vulnerable bash runs the code after the function body, so "true" comes back  
 SHELLSHOCK=`env x='() { :;}; echo true' /bin/bash -c "" 2>/dev/null`  
 # cve-2014-7169: parser-state test; anything that lands on stdout counts as vulnerable  
 AFTERSHOCK=`env var='() {(a)=>\' /bin/bash -c "echo date | grep -v date" 2>/dev/null`  
 if [ -n "$SHELLSHOCK" ]  
 then  
     echo "cve-2014-6271 vulnerability detected - shellshock"  
 else  
     echo "cve-2014-6271 not detected - shellshock"  
 fi  
 if [ -n "$AFTERSHOCK" ]  
 then  
     echo "cve-2014-7169 vulnerability detected - aftershock"  
 else  
     echo "cve-2014-7169 not detected - aftershock"  
 fi  
which outputs to output:
 *** 192.168.6.199 ***
 cve-2014-6271 vulnerability detected - shellshock
 cve-2014-7169 vulnerability detected - aftershock
 *** 192.168.6.20 ***
 *** 192.168.6.21 ***
you get the picture.
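the output file is easy to eyeball and annoying to count. here's a summarizer, added as an example and not part of the original post, that turns that file into one line per host plus totals, and flags hosts whose header has nothing under it (ping answered, but scp or ssh never came back, so those still need a look). the sample output inside it is constructed, not real scan data.

```shell
#!/bin/sh
# constructed sample of shocking.sh's "output" file (made up for this example, not real scan data):
# a vulnerable host, one that never reported back, a patched host, and a half-patched one
SAMPLE_OUTPUT=' *** 192.168.6.199 *** 
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
 *** 192.168.6.20 *** 
 *** 192.168.6.21 *** 
cve-2014-6271 not detected - shellshock
cve-2014-7169 not detected - aftershock
 *** 192.168.6.42 *** 
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 not detected - aftershock'

# summarize_shock: read the output file on stdin and print one line per host,
#   <ip> <cve-2014-6271 status> <cve-2014-7169 status>
# where status is VULN, ok, or NORESULT (a header line with nothing after it:
# the ping answered but scp/ssh never came back, so the host still needs a look)
summarize_shock() {
    awk '
    /^ *\*\*\* .* \*\*\* *$/ {
        host = $2; order[++n] = host
        s6271[host] = "NORESULT"; s7169[host] = "NORESULT"
        next
    }
    /^cve-2014-6271 / { s6271[host] = ($2 == "vulnerability") ? "VULN" : "ok" }
    /^cve-2014-7169 / { s7169[host] = ($2 == "vulnerability") ? "VULN" : "ok" }
    END { for (i = 1; i <= n; i++) printf "%s %s %s\n", order[i], s6271[order[i]], s7169[order[i]] }'
}

# count_status: number of summary lines (hosts) carrying the given status in either cve column
count_status() {
    awk -v want="$1" '$2 == want || $3 == want { c++ } END { print c + 0 }'
}

main() {
    summary=$(printf '%s\n' "$SAMPLE_OUTPUT" | summarize_shock)
    printf '%s\n' "$summary"
    printf 'hosts vulnerable to at least one cve: %s\n' "$(printf '%s\n' "$summary" | count_status VULN)"
    printf 'hosts that never reported back:      %s\n' "$(printf '%s\n' "$summary" | count_status NORESULT)"
}

main "$@"
```

swap the sample for `summarize_shock < output` and pipe the summary into the mail instead of the raw file.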

zone file to happy ips

grep -E "192\.168\.(13[6-9]|14[0-2])\.[0-9]{1,3}" db.aname.zone | sort | uniq > finessed