Thursday, October 30, 2014
script for centos 7 & openvas 7 install
centos 7 minimal. as in minimal. as in it doesn't even have netstat.
yum update
yum install wget
yum install isomd5sum
wget -q -O - http://www.atomicorp.com/installers/atomic |sh
yum -y install openvas
openvas-setup
systemctl stop firewalld
systemctl disable firewalld
openvas-mkcert-client -n om -i
openvasmd --rebuild
openvasmd
restart all daemons.
(that wget|sh line runs whatever atomicorp serves over plain http, as root. if that bothers you, save the installer and read it before piping it anywhere.)
tell me sweet lies about arachni, will you?
wget http://downloads.arachni-scanner.com/arachni-0.4.6-0.4.3-linux-x86_64.tar.gz
tar xzvf arachni-0.4.6-0.4.3-linux-x86_64.tar.gz
mv arachni-0.4.6-0.4.3 /usr/local/.
ln -s /usr/local/arachni-0.4.6-0.4.3 /usr/local/arachni
ln -s /usr/local/arachni/bin/arachni* /usr/bin/
ln -s /usr/local/arachni/bin/readlink_f.sh /usr/bin/
Thursday, October 23, 2014
will grep for food
although zless does the job, too.
so. my mx host changed. and you know a whole lot of my boxes simply do not use a smarthost for mail relay. that's okay. or is it?
not really. because all those hosts need to have their zillion hosts files and bizarro mail conf files updated. and of course i'm not using chef or puppet or anything sane. who would do that? not me, of course.
but! i do back up etc directories in a central, safe place. i can totally grep them, right? no. they're all compressed.
zless to the rescue!
#!/bin/bash
# note every archived etc tarball that still mentions the old mx host
cd /safe/archive || exit 1
for i in *.tgz; do
    echo "$i" >> busted
    # zless decompresses to stdout when it is not writing to a terminal; grep -a
    # prints the matching lines out of the tar stream instead of "Binary file matches"
    zless "$i" | grep -a oldmailhost >> busted
done
and then, knowing the tgz i can rgrep the snot out of it and find where that string resides. go to said server and grep -r away.
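the same search, but answering the next question too: which file inside the tarball has the string, so the grep -r on the server is not needed. this is an added example, not the script above; the two etc tarballs it searches are built from constructed files so it runs offline, and the archive directory is a temp dir rather than /safe/archive:

```sh
#!/bin/sh
# Added example (not the page's script): report "archive:member" for every file
# inside each etc tarball that matches, instead of only naming the tarball.
# The archives below are constructed here so the script runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/box1/etc/mail" "$WORK/box2/etc" "$WORK/archive"
echo "192.0.2.10 oldmailhost" > "$WORK/box1/etc/hosts"
echo "DSoldmailhost" > "$WORK/box1/etc/mail/sendmail.cf"     # sendmail smarthost line
echo "127.0.0.1 localhost" > "$WORK/box2/etc/hosts"
echo "relayhost = newmailhost" > "$WORK/box2/etc/main.cf"
tar -czf "$WORK/archive/box1-etc.tgz" -C "$WORK/box1" etc
tar -czf "$WORK/archive/box2-etc.tgz" -C "$WORK/box2" etc

# tgz_grep <pattern> <archive>...: one "archive:member" line per matching member
tgz_grep() {
    pat=$1; shift
    for a in "$@"; do
        # walk the member list, stream each regular file out of the archive, grep it
        tar -tzf "$a" | while IFS= read -r m; do
            case "$m" in */) continue ;; esac          # skip directory entries
            if tar -xzOf "$a" "$m" 2>/dev/null | grep -aq -- "$pat"; then
                printf '%s:%s\n' "$a" "$m"
            fi
        done
    done
}

# the "busted" list for a whole archive directory: busted_hosts <pattern> <dir>
busted_hosts() { tgz_grep "$1" "$2"/*.tgz; }

busted_hosts oldmailhost "$WORK/archive"
```

tar -xzOf writes one member to stdout, so each file is tested on its own and nothing is unpacked to disk; the cost is one pass through the archive per member, which is fine for etc-sized tarballs.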
Wednesday, October 15, 2014
i get tired of paths
i do.
cd /usr/local && tar --strip-components 1 -xzf \
/path/to/crap-<version>-<platform>-<arch>.tar.gz
plops it into /usr/local. libs, binaries and all. (--strip-components 1 assumes the tarball has a single top-level directory to peel off, which is the usual layout.)
openvas & nasl
openvas-nasl -d -t mysystem.oh.no -X -T out /var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl
openvas-nasl -d -t 192.168.6.0/24 -X -T out /var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl
the trace lands in out, with lines like:
set key www/80/keepalive -> yes
esx 5 pubkeys
To allow SSH access to ESXi/ESX hosts with public/private key authentication:
1. Generate public/private keys.
   Notes:
   These instructions generate two files in ~/.ssh: id_rsa and id_rsa.pub.
   In ESXi 5.x, the ssh-keygen command is located at /usr/lib/vmware/openssh/bin.
2. On the remote host, store the public key content, id_rsa.pub, in ~/.ssh/authorized_keys.
   Notes:
   For ESXi 5.0, the location of authorized_keys is /etc/ssh/keys-<username>/authorized_keys.
   More than one key can be stored in this file.
3. To allow root access, change PermitRootLogin no to PermitRootLogin yes in the /etc/ssh/sshd_config file.
4. To disable password login, ensure that ChallengeResponseAuthentication and PasswordAuthentication are set to no.
5. Reload the service:
   For ESXi, run the command: /etc/init.d/SSH restart
   For ESX, run the command: service sshd reload
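steps 3 and 4 are where hand edits go wrong: sshd takes the first uncommented occurrence of a keyword, so appending "PasswordAuthentication no" under an existing "PasswordAuthentication yes" changes nothing and the host keeps taking passwords. a check that reads sshd_config the way sshd does, as an added example that is not part of the VMware steps above (the esx01 host and key path in the trailing comments are made up):

```sh
#!/bin/sh
# Added example, not from the KB text: evaluate an sshd_config the way sshd does
# (first uncommented occurrence of a keyword wins) and decide whether root can get
# in with a key and nothing else. The two configs are constructed; host name and key
# path in the comments at the end are assumptions.

# effective value of a keyword (empty when unset, i.e. the sshd default applies)
sshd_effective() { # sshd_effective <keyword> <file>
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$2"
}

# 0 when root may log in with a key only: PermitRootLogin allows key login and both
# password mechanisms are off. Prints the first problem it finds and returns 1.
sshd_key_only() { # sshd_key_only <file>
    f=$1
    prl=$(sshd_effective PermitRootLogin "$f")
    case "$prl" in
        yes|without-password|prohibit-password) ;;
        "") echo "$f: PermitRootLogin not set, set it explicitly"; return 1 ;;
        *)  echo "$f: PermitRootLogin is '$prl', root key login blocked"; return 1 ;;
    esac
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(sshd_effective "$kw" "$f")
        [ "$v" = "no" ] || { echo "$f: $kw is '${v:-unset}', must be no"; return 1; }
    done
    return 0
}

# constructed: "fixed" by appending lines at the bottom. looks hardened, is not.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
# Port 22
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
PasswordAuthentication no
EOF

# constructed: edited in place
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT

# against a real ESXi 5.0 host (esx01 and the key are assumptions) the flow is:
#   cat ~/.ssh/id_rsa.pub | ssh root@esx01 'cat >> /etc/ssh/keys-root/authorized_keys'
#   scp root@esx01:/etc/ssh/sshd_config /tmp/esx01.sshd_config
#   sshd_key_only /tmp/esx01.sshd_config
for cfg in "$BAD_CFG" "$GOOD_CFG"; do
    if sshd_key_only "$cfg"; then echo "$cfg: root key-only login"; fi
done
```

the bad config fails on PermitRootLogin before it ever gets to the password lines, which is exactly what sshd would do with it: the second PermitRootLogin and the second PasswordAuthentication are dead text.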
Monday, October 13, 2014
the shocker
sure... we have centralized everything. what we sysadmins do have are pubkeys all over the place. so how do we figure out how much of a pain patching all the shellshock and aftershock boxes on our networks is going to be?
well crap. first step is to enumerate. yank the dns zone files, clean them up and feed them into:
shocking.sh
#!/bin/bash
# ping each host, copy theshocker.sh over (pubkey already in place), run it,
# and collect everything into one report
datestamp=$(date +"%m-%d-%Y")
: > output   # start a fresh report each run
for ip_addr in $(cat strippedzonefile) ; do
    ping -q -c 1 "$ip_addr" >/dev/null 2>&1 || continue
    echo " *** $ip_addr *** " >> output
    scp -B -o ConnectTimeout=1 theshocker.sh "root@$ip_addr:/root/" >> output 2>&1 &&
    ssh -o ConnectTimeout=1 -o BatchMode=yes -o ConnectionAttempts=1 \
        -o PasswordAuthentication=no "root@$ip_addr" \
        /bin/sh /root/theshocker.sh >> output 2>&1   # scp does not keep the exec bit, so run it via sh
done
mail -s "shellshock and aftershock report $datestamp" you@somewhere < output
cat output | mail -s "shellshock and aftershock report $datestamp" you@somewhere
which scp's and executes theshocker.sh
#!/bin/sh
# CVE-2014-6271: commands trailing a function definition in an imported env var
# run when bash starts, so "true" comes back only from a vulnerable bash
SHELLSHOCK=$(env x='() { :;}; echo true' /bin/bash -c "" 2>/dev/null)
# CVE-2014-7169: a vulnerable bash leaves a dangling '>' from the broken definition
# and applies it to the command string, so what runs is not the plain "echo date"
# that grep -v would filter out on a patched bash
AFTERSHOCK=$(env var='() {(a)=>\' /bin/bash -c "echo date | grep -v date" 2>/dev/null)
if [ -n "$SHELLSHOCK" ]
then
    echo "cve-2014-6271 vulnerability detected - shellshock"
else
    echo "cve-2014-6271 not detected - shellshock"
fi
if [ -n "$AFTERSHOCK" ]
then
    echo "cve-2014-7169 vulnerability detected - aftershock"
else
    echo "cve-2014-7169 not detected - aftershock"
fi
which outputs to output:
 *** 192.168.6.199 *** 
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
 *** 192.168.6.20 *** 
 *** 192.168.6.21 *** 
you get the picture.
zone file to happy ips
grep -oE "192\.168\.(13[6-9]|14[0-2])\.[0-9]{1,3}" db.aname.zone | sort -u > finessed
(-o so only the address lands in the file, not the whole record line; sort -u does the uniq.)
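the enumerate-then-test job above, redone as an added example that is not the page's scripts: targets come from the zone file's A records (so an address inside a TXT record or a comment cannot sneak onto the list, and any range works, not just one regex), and the two bash checks return an exit status instead of relying on captured text. for cve-2014-7169 it uses the file-creation form of the test, which is the canonical one. the zone file is constructed:

```sh
#!/bin/sh
# Added example, not the page's own scripts: build the target list from a zone
# file's A records and express the shellshock/aftershock checks as exit statuses.
# The zone below is constructed so everything runs offline.

ZONE=$(mktemp)
trap 'rm -f "$ZONE"' EXIT
cat > "$ZONE" <<'EOF'
$ORIGIN example.internal.
$TTL 3600
@        IN SOA  ns1 hostmaster 2014101301 3600 900 604800 86400
         IN NS   ns1
ns1      IN A    192.168.136.2
mx1      IN A    192.168.140.25
web1 600 IN A    192.168.142.10
old      IN A    192.168.6.199        ; outside the ranges being scanned
www      IN CNAME web1                ; no address of its own
notes    IN TXT  "moved from 192.168.137.9"   ; names an address, is not a host
EOF

# dotted quad to integer so ranges compare numerically (printf avoids awk's
# exponent notation for values above 2^31 on some implementations)
ip2int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# unique A-record addresses in a zone file that fall inside [lo, hi]
zone_targets() { # zone_targets <zonefile> <lo-ip> <hi-ip>
    awk -v lo="$(ip2int "$2")" -v hi="$(ip2int "$3")" '
        { sub(/;.*/, "") }                  # drop comments
        NF >= 3 && $(NF-1) == "A" {          # "... IN A <address>"
            split($NF, o, ".")
            n = o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4]
            if (n >= lo && n <= hi) print $NF
        }' "$1" | sort -u
}

# CVE-2014-6271: trailing commands after an imported function definition run when
# bash starts. Returns 0 (vulnerable) only if the injected echo actually ran.
shellshock_6271() {
    [ "$(env x='() { :;}; echo vulnerable' bash -c : 2>/dev/null)" = "vulnerable" ]
}

# CVE-2014-7169: the broken definition leaves a dangling '>' that bash applies to
# the next command, turning "echo date" into "date > echo". So the check is whether
# a file named echo appeared in the working directory, not what reached stdout.
shellshock_7169() {
    d=$(mktemp -d) || return 1
    ( cd "$d" && env x='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    [ -f "$d/echo" ]; r=$?
    rm -rf "$d"
    return $r
}

# the per-host verdict (theshocker.sh's job) as one line
report_line() {
    if shellshock_6271; then s="vulnerable"; else s="not detected"; fi
    if shellshock_7169; then a="vulnerable"; else a="not detected"; fi
    printf 'cve-2014-6271 %s; cve-2014-7169 %s\n' "$s" "$a"
}

for t in $(zone_targets "$ZONE" 192.168.136.0 192.168.142.255); do
    echo "target: $t"        # shocking.sh would scp/ssh here
done
echo "this host: $(report_line)"
```

zone_targets keys on the record type column rather than on what the line looks like, which is the difference between "hosts that have an address in that range" and "lines that happen to contain one"; on a patched bash both checks come back not detected.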