Home Systems Linux
Category:

Linux

Linux is a Unix-like and POSIX-compliant computer operating system assembled under the model of free and open source software development and distribution. The defining component of Linux is the Linux kernel, an operating system kernel first released on 5 October 1991 by Linus Torvalds.

tor-rootkit - A Python 3 standalone Windows 10 and Linux Rootkit
How toLinuxSecurityWindows

tor-rootkit – A Python 3 standalone Windows 10 and Linux Rootkit

by blackMOREOps
written by blackMOREOps

tor-rootkit is A Python 3 standalone Windows 10 / Linux Rootkit. The networking communication get’s established over the tor network.

tor-rootkit - A Python 3 standalone Windows 10 and Linux Rootkit

Disclaimer

Use for educational purposes only.

How to use

  1. Clone the repo and change directory:
git clone https://github.com/emcruise/TorRootkit.git
cd ./tor-rootkit
  1. Build docker container:
docker build -t listener .
  1. Run docker container:
docker run -v $(pwd)/executables:/executables/ -it listener
  1. Deploy the executables: When the listener is up and running it generates a “executables” directory containing different payloads for different plattforms.
TorRootkit/
│    ...
└    executables/

Note: The client can take some time to connect because PyInstaller executables are a bit slower and it need’s to start tor.

Features

  • Standalone executables for Windows and Linux, including python interpreter and tor
  • the whole communication works over tor hidden services which guarantees some degree of anonymity
  • The Listener can handle multiple clients
  • The Listener generates payloads for different platforms on startup

Listener Shell Commands

Command Explanation
help Shows the help menu
^C or exit Exits the shell
list lists all connected clients with their according index
select <index> start shell with client

Client Shell Commands

Command Explanation
help Shows the help menu
^C or exit Exits the client shell and returns to listener shell
os <command> Executes a command in the clients shell and returns the output
background Keeps the connection to a client and returns to listener

Contribution

Any contributions are appreciated. Make a pull-requests and I’ll merge if it passes my automatic tests. More here

1 comment
0 FacebookTwitterPinterestThreadsBlueskyEmail
GitLab Watchman - Audit Gitlab For Sensitive Data & Creds
HackingLinuxSecurity

Search Gitlab For Sensitive Data and Credentials using GitLab Watchman

by blackMOREOps
written by blackMOREOps

GitLab Watchman is an application that uses the GitLab API to Search GitLab for sensitive data and credentials exposed internally – this includes code, commits, wiki pages and more.
GitLab Watchman - Audit Gitlab For Sensitive Data & Creds

Features

It searches GitLab for sensitive data and credentials for internally shared projects and looks at:

  • Code
  • Commits
  • Wiki pages
  • Issues
  • Merge requests
  • Milestones

For the following data:

  • GCP keys and service account files
  • AWS keys
  • Azure keys and service account files
  • Google API keys
  • Slack API tokens & webhooks
  • Private keys (SSH, PGP, any other misc private key)
  • Exposed tokens (Bearer tokens, access tokens, client_secret etc.)
  • S3 config files
  • Tokens for services such as Heroku, PayPal and more
  • Passwords in plaintext
  • and more

Time based searching

You can run GitLab Watchman to look for results going back as far as:

  • 24 hours
  • 7 days
  • 30 days
  • All time

This means after one deep scan, you can schedule GitLab Watchman to run regularly and only return results from your chosen timeframe.

Installation

Install via pip

pip install gitlab-watchman

Or via source

Rules

GitLab Watchman uses custom YAML rules to detect matches in GitLab.

---
filename:
enabled: #[true|false]
meta:
name:
author:
date:
description: #what the search should find#
severity: #rating out of 100#
scope: #what to search, any combination of the below#
- blobs
- commits
- milestones
- wiki_blobs
- issues
- merge_requests
test_cases:
match_cases:
- #test case that should match the regex#
fail_cases:
- #test case that should not match the regex#
strings:
- #search query to use in GitLab#
pattern: #Regex pattern to filter out false positives#

There are Python tests to ensure rules are formatted properly and that the Regex patterns work in the tests dir. More information about rules, and how you can add your own, is in the file docs/rules.md.

Search Gitlab For Sensitive Data

GitLab Watchman will be installed as a global command, use as follows:

usage: gitlab-watchman [-h] --timeframe {d,w,m,a} --output
{file,stdout,stream} [--version] [--all] [--blobs]
[--commits] [--wiki-blobs] [--issues] [--merge-requests]
[--milestones] [--comments]

Monitoring GitLab for sensitive data shared publicly

optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--all Find everything
--blobs Search code blobs
--commits Search commits
--wiki-blobs Search wiki blobs
--issues Search issues
--merge-requests Search merge requests
--milestones Search milestones
--comments Search comments

required arguments:
--timeframe {d,w,m,a}
How far back to search: d = 24 hours w = 7 days, m =
30 days, a = all time
--output {file,stdout,stream}
Where to send results

You can run GitLab Watchman to look for everything, and output to default Stdout:

gitlab-watchman –timeframe a –all

Or arguments can be grouped together to search more granularly. This will look for commits and milestones for the last 30 days, and output the results to a TCP stream:

gitlab-watchman –timeframe m –commits –milestones –output stream

Other Watchman apps

You may be interested in some of the other apps in the Watchman family:

1 comment
0 FacebookTwitterPinterestThreadsBlueskyEmail
Vulnerability Scanner For Container Images & Filesystems
How toLinuxSecurity

Vulnerability Scanner For Container Images & Filesystems

by blackMOREOps
written by blackMOREOps

Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based operating systems.

Grype is a vulnerability scanner for container images and filesystems

Features of Grype Vulnerability Scanner For Container Images & Filesystems

Scan the contents of a container image or filesystem to find known vulnerabilities and find vulnerabilities for major operating system packages in:

  • Alpine
  • BusyBox
  • CentOS / Red Hat
  • Debian
  • Ubuntu

Find vulnerabilities for language-specific packages:

  • Ruby (Bundler)
  • Java (JARs, etc)
  • JavaScript (NPM/Yarn)
  • Python (Egg/Wheel)
  • Python pip/requirements.txt/setup.py listings

Supports Docker and OCI image formats.

Installation

Recommended

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

…or, you can specify a release version and destination directory for the installation:

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b

Homebrew

brew tap anchore/grype
brew install grype

Note: Currently, Grype is built only for macOS and Linux.

A vulnerability scanner for container images and filesystems

Using Grype Vulnerability Scanner For Container Images & Filesystems

Install the binary, and make sure that grype is available in your path. To scan for vulnerabilities in an image:

grype

The above command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the vulnerability scan, regardless of its presence in the final image, provide –scope all-layers:

grype  --scope all-layers

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
grype path/to/image.tar

# scan a directory
grype dir:path/to/dir

Resources

You can download Grype or read more here.

0 comments
0 FacebookTwitterPinterestThreadsBlueskyEmail
Use any Linux applications through a proxy (apt-get, wget etc)
HackingHow toLinux

Use any Linux applications through a proxy (apt-get, wget etc)

by blackMOREOps
written by blackMOREOps

It’s pretty normal in many Organizations to use get servers to connect to Internet via a Proxy. In most cases it’s for updating apt-get or yum via  proxy. However, quite often you might need to download packages directly using wget or curl and setting up apt-get or apt via proxy, wget via proxy, curl via proxy is a pain. What if you could simply setup a  Proxy and just use any applications to use that using a simply command? I faced this many times and hence writing this guide. Note that if you’re only allowing apt-get via proxy then stick with configuring /etc/apt.conf or /etc/apt/conf.d/00proxy or something similar but if you need to allow different applications via a proxy then this method is best and simplest.

Use any Linux applications through a proxy (apt-get, wget etc)

This also helps when you’re trying to install apt packages from sources outside of restricted DMZ’s or State Nations especially from PPA. For example: if you try to update the c++ compiler to g++-6 or g++-7 through

sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y
sudo apt-get update
sudo apt-get install g++-7 -y

it might take you a very long time to finish downloading. But if you have a socks5 proxy or HTTP or HTTPS Proxy out there, this method will make things so much faster. The idea is to use apt-get or other applications using a HTTP or HTTPS or SOCKS5 proxy. So let’s get to it:

Install proxychains

sudo apt-get install proxychains

Setup proxychains

Setup is pretty straight forward. You simply edit the file in /etc/proxychains.conf and add proxy details. You can use socks5, http, https or any supported proxy with username and password if they have any.

Since my socks5 proxy server is running at 127.0.0.1 through port 1080, my setting is

socks5 127.0.0.1 1080

at the last line of /etc/proxychains.conf.

Run proxychains with apt-get

sudo proxychains apt-get update
sudo proxychains apt-get install g++-7 -y

Done in minutes!

Proxychains with wget and other applications

You can also use the proxychains for other software as below:

sudo proxychains synaptic
proxychains julia
proxychains wget https://www.google.com/

This surely beats the annoying settings for wget or curl with extra parameters or using /etc/wgetrc or similar configurations.

Hope it helps

0 comments
0 FacebookTwitterPinterestThreadsBlueskyEmail
Unattended Upgrade
Linux AdministrationHow toKali LinuxLinuxSecurityUbuntu

How to configure automatic updates in Ubuntu Server

by blackMOREOps
written by blackMOREOps

This guide explains how to configure automatic updates in Ubuntu Server 20.04. This tutorial is based on the following official Ubuntu Documentation article: Ubuntu Server Guide » Package Management » Automatic Updates. If you just want to do it, scroll down to the end and copy paste the two configuration file configs and you’re done. If you want to understand it and tweak, then keep reading.

Unattended Upgrade

Unattended Upgrade

The unattended-upgrades package can be used to automatically install updated packages and can be configured to update all packages or just install security updates. First, install the package by entering the following in a terminal:

sudo apt install unattended-upgrades

Configure unattended-upgrades

To configure unattended-upgrades, edit /etc/apt/apt.conf.d/50unattended-upgrades and adjust the following to fit your needs:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Certain packages can also be blacklisted and therefore will not be automatically updated. To blacklist a package, add it to the list:

Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

Note: The double “//” serve as comments, so whatever follows “//” will not be evaluated.

Enable automatic updates

To enable automatic updates, edit /etc/apt/apt.conf.d/20auto-upgrades and set the appropriate apt configuration options:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The above configuration updates the package list, downloads, and installs available upgrades every day. Those actions are triggered by timer units at a set time but with a random delay: apt-daily.timer and apt-daily-upgrades.timer. These timers activate the correspondent services that run /usr/lib/apt/apt.systemd.daily script.

However, it may happen that if the server is off at the time the timer unit elapses, the timer will be triggered immediately at the next startup. As a result, they will often run on system startup and thereby cause immediate activity and hold the apt-lock.

In many cases that is beneficial, but in some cases it might be counter-productive. Examples are administrators with many shut down machines or VM images that are only started for some quick action that then is delayed or even blocked by the unattended upgrades. To adapt this behaviour, we can change/override the configuration of both apt’s timer units [apt-daily-upgrade.timer, apt-daily.timer]. To do so use systemctl edit <timer_unit&gt; and override the Persistent attribute like Persistent=delay (example of such an override):

[Timer]
Persistent=delay

The local download archive is cleaned every week. On servers upgraded to newer versions of Ubuntu, depending on your responses, the file listed above may not be there. In this case, creating a new file of this name should also work.

Note : You can read more about apt Periodic configuration options in the apt.conf(5) manpage and in the /usr/lib/apt/apt.systemd.daily script header.

The results of unattended-upgrades will be logged to /var/log/unattended-upgrades.

Notifications

Configuring Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades will enable unattended-upgrades to email an administrator detailing any packages that need upgrading or have problems.

Another useful package is apticron. apticron will configure a cron job to email an administrator information about any packages on the system that have updates available, as well as a summary of changes in each package.

To install the apticron package, in a terminal enter:

sudo apt install apticron

Once the package is installed edit /etc/apticron/apticron.conf, to set the email address and other options:

EMAIL="[email protected]"

Verify configuration

You can see if the auto-upgrades work by launching a dry run:

sudo unattended-upgrades --dry-run --debug

Another way to check if automatic updates work is waiting a few days and checking the unattended upgrades logs:

cat /var/log/unattended-upgrades/unattended-upgrades.log

Now your Ubuntu Server 20.04 should now update automatically

Configuration dump

My configuration looks somewhat like this:

[toggle title=”50unattended-upgrades” state=”close”]

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
        "Artifactory:public"
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "false";

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
// Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
// Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
// Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "[email protected]"
// Unattended-Upgrade::Mail "";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value is used to chose between "only-on-error" and "on-change"
// Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
// Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if the file /var/run/reboot-required is found after the upgrade
// Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Automatic-Reboot-Time "06:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

[/toggle]

[toggle title=”20auto-upgrades” state=”close”]

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

[/toggle]

0 comments
0 FacebookTwitterPinterestThreadsBlueskyEmail
Newer Posts
Older Posts
@2021 - All Right Reserved. Designed and Developed by PenciDesign