Thursday, February 8, 2018

when crond is using /bin/sh

 crond uses sh by default. that last cron script i posted, well tee is broke in sh. do this:

0 12 * * * root script.sh 2>&1 | bash -c 'tee >(/usr/bin/logger -p local6.notice -t script_tag ) >(mail -s "script output" me@here) >/dev/null'   

Monday, February 5, 2018

debug rsyslogd

 why isn't rsyslogd sending anything out?  
   
 window 1 $ tcpdump -u dst port 514  
 window 2 $ logger -n 6.6.6.6 -P 514 "hello god"  
   
 <no answer>  
   
 hmm. let's debug rsyslogd  
   
 $ export RSYSLOG_DEBUGLOG="/tmp/debuglog"  
 $ export RSYSLOG_DEBUG="Debug"  
 $ service rsyslog stop  
 $ rsyslogd -d | head -10   
   
 7160.005597645:7fae096a3780: rsyslogd 7.2.6 startup, module path '', cwd:/root  
 7160.005872662:7fae096a3780: caller requested object 'net', not found (iRet -3003)  
 7160.005895004:7fae096a3780: Requested to load module 'lmnet'  
 7160.005906331:7fae096a3780: loading module '/lib64/rsyslog/lmnet.so'  
 7160.006023505:7fae096a3780: module lmnet of type 2 being loaded (keepType=0).  
 7160.006030872:7fae096a3780: entry point 'isCompatibleWithFeature' not present in module  
 7160.006033780:7fae096a3780: entry point 'setModCnf' not present in module  
 7160.006036209:7fae096a3780: entry point 'getModCnfName' not present in module  
 7160.006038359:7fae096a3780: entry point 'beginCnfLoad' not present in module  
   
 bad modules.  
   
 recompile.  
   

dump cron script output from stdin into remote syslog & mail

 dump cron script output from stdin into remote syslog & mail  
   
 because i feel important the more mail i delete (but really need to archive it on a syslog server because, well, you know).  
   
 0 12 * * * root script.sh | cat | tee >(/usr/bin/logger -p local6.notice -t script_tag ) >(mail -s "script output" me@here) 2>&1  
   
 rsyslog configuration directive:  
 local6.*;*.*    @6.6.6.6:514  
   
 (note: @@ is tcp listener)  

Thursday, February 1, 2018

svn logs to syslog

 make svn logs human readable and send off to a syslog server  
   
 in /etc/apache2/sites-enabled/000-svn  
   
 # set customlog variable  
 LogLevel warn  
 LogFormat "%{%Y-%m-%d %T}t %u@%h %>s repo:%{SVN-REPOS-NAME}e %{SVN-ACTION}e %B Bytes in %T Sec" svn_log  
   
 # customlog and send to syslog  
 CustomLog "|/usr/bin/tee -a /var/svn/logs/svn_logfile | /usr/bin/logger -thttpd -plocal6.notice" svn_log env=SVN-ACTION  
   
 in /etc/rsyslog.d/50-default.conf  
 local6.*    @remotesyslog  
   
 what remote syslog shows:  
 2018-02-01 16:34:45 buildbot@6.6.6.6 207 repo:repos get-dir /hell r160669 props 575 Bytes in 0 Sec  
   
 what standard apache access logs see:  
 6.6.6.6 - buildbot [01/Feb/2018:16:34:45 -0500] "PROPFIND /svn/repos/hell HTTP/1.1" 207 397 "-" "SVN/6.6.6 (r40053) neon/0.66.0"  

apache logs to syslog

 get those apache logs to a remote syslog server  
   
 syslog  
   
 in /etc/apache2/sites-enabled/000-site  
   
 ErrorLog "|/usr/bin/tee -a /var/log/apache2/error.log | /usr/bin/logger -thttpd -plocal6.err"  
 CustomLog "|/usr/bin/tee -a /var/log/apache2/access.log | /usr/bin/logger -thttpd -plocal6.notice" combined  
   
 in /etc/syslog.conf  
 local6.*   @remoteserver  
   
 rsyslog  
   
 $ModLoad imfile  
 $InputFilePollInterval 10   
 $PrivDropToGroup adm  
 $WorkDirectory /var/spool/rsyslog  
    
 # Apache access file:  
 $InputFileName /var/log/apache2/access.log  
 $InputFileTag apache-access:  
 $InputFileStateFile stat-apache-access  
 $InputFileSeverity info  
 $InputFilePersistStateInterval 20000  
 $InputRunFileMonitor  
    
 #Apache Error file:   
 $InputFileName /var/log/apache2/error.log  
 $InputFileTag apache-error:  
 $InputFileStateFile stat-apache-error  
 $InputFileSeverity error  
 $InputFilePersistStateInterval 20000  
 $InputRunFileMonitor  
   
   
 what syslog gets:  
 <181>Feb 1 15:33:44 gallup httpd: 6.6.6.6 - - [01/Feb/2018:15:33:44 -0500] "GET /url/index.php HTTP/1.1" 200 20025 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"  

autosploit... one more thing to worry about

 
 yay autosploit! for making things interesting.
 
 this is a nice addition to the tools i have on my kali instance.  
 the important thing to do is:  
   
 pip install shodan  
 pip install blessings  
 
 if you want to be  a script kiddie and hack IoT register with shodan.io and get your api key.
   
 msf modules are not automated, they're predefined here:  
 $autosploitpwd/modules.txt  
   
 as everyone knows, this application scans the shodan.io database of "Internet of Things" and creates a 
 random list of 6000 IPs to potentially exploit.  
   
 you can forego shodan.io's list and create your own targeted list of systems to hijack.  
 touch $autosploitpwd/hosts.txt  
   
 i set up a nc listener per the need for a listening local port  
 nc -l 123  
   
 then calling Multisploit, AutoSploit quickly checks the ports on the hosts on the list (yours or shodan.io's).  
 you are then presented with the option hijack the host using Metasploit's modules as defined above.  
   
 i decided to smash a system that's being retired...  
   
 [*] Added workspace: autosploit  
 LHOST => me  
 LPORT => 123  
 VERBOSE => true  
 THREADS => 100  
 RHOSTS => sadhost  
 [-] Exploit failed: The following options failed to validate: RHOST.  
 [*] Exploit completed, but no session was created.  
   
 no joy. but! i will find one...