Virsh script fun

I can’t remember how it came up the other day, but the sysadmin and I were talking about the virtual environment we have, and how I have moved a few things around and decommissioned a few machines. When he went looking for them, they weren’t in the spot that he had written down or remembered. It was so easy with just one person (him) in the past that it’s been a bit of a challenge to keep things on the same page.

Long story short, the idea came up that it would be awesome if we had something that could generate a list of what VM is on what machine, see what resources are in use, etc. This would be useful since we are spinning up a new environment in a little bit, and new things need to be added occasionally. I have been reviewing security controls and documentation a lot as of late, so I jumped on the idea to work on something different for a bit.

Here’s the script that I wrote:

#!/bin/bash
# List every domain (running or not) with its title
virsh list --all --title
# Get total CPUs on the host
virsh nodeinfo | grep "CPU(s)" | awk '{print "Total CPUs on server: " $2}'
# Get CPUs allocated to running VMs: take the numeric Id column of "virsh list" and sum the "CPU(s)" line of each dominfo
virsh list | awk '{print $1}' | grep -oE '^[0-9]+' | while read -r machine; do virsh dominfo "${machine}" | grep "CPU.s"; done | awk 'BEGIN {cpu=0;} {cpu=cpu+$2;} END {print "Total CPUs in use: " cpu;}'
# Get total memory in GB
free -g | grep Mem | awk '{print "Total system memory in GB: " $2}'
# Get memory allocated to running VMs in GB (dominfo reports KiB, hence the two divisions)
virsh list | awk '{print $1}' | grep -oE '^[0-9]+' | while read -r machine; do virsh dominfo "${machine}" | grep "Used memory"; done | awk 'BEGIN {mem=0;} {mem=mem+$3;} END {print "Total memory allocated to VMs: " mem/1024/1024;}'

It produces output like this:

 Id     Name                           State      Title
  2     machine1                       running
  4     machine2                       running
  10    machine3                       running    machine3
  21    machine4                       running
  25    machine5                       running    Service1
  26    machine6                       running    Service2
  27    machine7                       running    Service3
  -     machine8                       shut off   Decomissioned

Total CPUs on server: 48
Total CPUs in use: 36
Total system memory in GB: 125
Total memory allocated to VMs: 72

I’ve removed the system name and title since they aren’t needed to demonstrate its functionality. Overall I was pleased with it. I could have made the script more readable and friendly, but it was something quick and dirty. I used Ansible to upload it to all the VMs and then used the following command to execute it. Yeah, I know it could have been a .yaml file, but again, quick and dirty to get the job done. And yes, afterwards I added a page for it in our documentation.

ansible xen -i inventory.txt [other options ] -u [user] -m shell -a "/root/bin/virsh_info.sh" -f 1 

This was great because it went through each of the VM hosts and ran the script one at a time and generated the output. I sent it to him and it was exactly the sort of thing he was looking for. It made my day.

Separating development from CM

One of the things that has happened at work, since before I got here, was that there was an increasing line between development and configuration management. This was started with good intentions – the CM wouldn’t be around, so a developer was given access to do something, with the understanding only to do it when the CM wasn’t here. As you can imagine, over time this was taken advantage of. So it is being reeled in and the line is getting harder to cross.

This has been met with a little resistance, as you can expect, with people being used to having access to certain things, etc. One developer/Business Objects owner has had this sort of access. I’m not clear if it was recently taken away, but I was asked to provide this person with trace and log files. Off the bat this was not a big deal if it was once or twice, but it looks like this is ongoing. So I decided to automate it.

The easy way to do this (and the route I took) was to use Python as a web server with the following command:

python -m SimpleHTTPServer [port]

This serves the current directory as a listing on the port you specify. The problem is that it sorts by name and doesn’t include information like the date, etc. This was a problem because the user didn’t know which files were needed. OK, let’s fix that. I wrote the following bash script (I removed the declaration of the variables):

cd "$DIR"
ls -lt > "$FILE"                          # get directory listing
sed -i '1iOPENING_HTML_TAGS' "$FILE"      # beginning HTML tags (placeholder: the literal tags were stripped when the post was rendered)
echo "CLOSING_HTML_TAGS" >> "$FILE"       # ending HTML tags (placeholder, same reason)
sed -i 's/ /\t/g' "$FILE"                 # replace spaces with tabs
sed -i 's/$/LINE_BREAK_TAG/' "$FILE"      # force new lines (placeholder for the stripped tag appended to each line)

What this does is listed in the comments, but it also makes the file appear at the top of the list for the web server. A bit of a hack fix, but close enough. But what happens when the files change, as they are bound to do during the course of the day? Well, let’s just add something in crontab.

*/10 7-18 * * 1-5 $DIR/DirListingBobJ.sh >/tmp/dirbobj.out 2>&1

This will run it every 10 minutes, 7 am to 6 pm, M-F and output it to a file for debugging.
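As an added example (not the post’s script), here is the same job done inside the server itself in Python 3, where the module is http.server rather than SimpleHTTPServer: the handler replaces the name-sorted listing with one sorted newest-first that shows each file’s modification time, and it serves only files with allowlisted suffixes, so the developer sees the trace and log files and nothing else that happens to sit in that directory. The suffixes, the directory and the bind address are assumptions.

```python
# Added example, not the post's script: http.server handler with a newest-first
# listing that shows modification time, and serves only allowlisted suffixes.
import html, io, os, time
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import quote

ALLOWED = (".log", ".trc")  # assumed suffixes of the trace/log files to publish

def listing_rows(path, allowed=ALLOWED):
    """Return (name, mtime, size) for allowed regular files, newest first."""
    rows = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full) and name.lower().endswith(allowed):
            st = os.stat(full)
            rows.append((name, st.st_mtime, st.st_size))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def render_listing(path, allowed=ALLOWED):
    """Build the HTML page: one row per file with timestamp, size and link."""
    lines = ["<html><body><pre>", "Modified             Size      Name"]
    for name, mtime, size in listing_rows(path, allowed):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        lines.append(f'{stamp}  {size:>8}  <a href="{quote(name)}">{html.escape(name)}</a>')
    lines.append("</pre></body></html>")
    return "\n".join(lines)

class LogListingHandler(SimpleHTTPRequestHandler):
    def list_directory(self, path):
        # Replaces the stock name-sorted listing with the timestamped one above.
        body = render_listing(path).encode("utf-8", "surrogateescape")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        return io.BytesIO(body)

    def send_head(self):
        # Refuse direct requests for files outside the allowlist, not just hide them.
        local = self.translate_path(self.path)
        if os.path.isfile(local) and not local.lower().endswith(ALLOWED):
            return self.send_error(404)
        return super().send_head()

if __name__ == "__main__":
    os.chdir("/var/log/app")  # assumed directory holding the trace and log files
    ThreadingHTTPServer(("127.0.0.1", 8000), LogListingHandler).serve_forever()  # assumed bind address
```

Because the listing is built on each request, the cron job that regenerated the file every 10 minutes is no longer needed.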

Overall, this was a nice break from working security controls.

School update

I’ve been busy with school and work (and a little one!) so I haven’t updated as much as I’d like, and haven’t had as much time for pet projects.

The good news is that I’m halfway done with my coursework for this semester and I’m 5 weeks into it! Well, 4 if you discount the week I went to San Antonio for work because, I’ll be honest, I wasn’t as productive as I normally am. I think I should be able to wrap up the rest of my work by the end of this month. I feel good about this because the semesters are 6 months and I’ll be done in two. I’ll accelerate what I’m doing and then I want to look at doing the OSCP. That side of security has always been fascinating for me and I think it will complement what I’ve learned so far.

ITPro.tv CEH v10 course

My work has a partnership with Skillport which includes lots of different books, videos and other courses you can take for free. One of the things that I’ve been grinding is the CEHv10 course from ITPro.tv. I finished it last night. They structure their videos into a section or two of vocab and explaining and then a section with exercises, which is a good format to learn. I don’t know how many hours the course was, but I finished it in about 2 weeks, most of the time watching it at 1.25-2.0 times the speed.

I feel like I learned a lot of really cool things; I took more notes on the practical application side of the CEH exam, which to me was the most interesting. The last few hours were cryptography, and I feel like they beat that over and over again; a lot of it wasn’t new information. They just launched a CEH v10 AIO book, so that’ll probably be my next thing, but I do officially start school in 2 days so I might have to wait on that for a little bit.

Back to school

After a few conversations I’ve had over the last couple of weeks, I’ve decided that I’m going back to school to get a Master’s degree. I went to WGU for my Bachelor’s, so it was easy to go back to WGU. I’ve selected the Cybersecurity and Information Assurance degree and everything is set for me to start on May 1st.

I’ve had a call with my mentor who got to the point and filled me in on my next steps. I’ve been off and on about going back to school, but the thing that tipped me over the edge was a conversation I had with the Regional Leader of the ISC2 group. He is getting his MBA, and said something along the lines of ‘2 years will go by whether you get it or not’.

That made me think

If I had started 2 years ago, I could have had it – do I wish I would have done it?

Yes.

Ok then do it.

ssl certificates and burp suite

One of the requirements that I have for my work is to run vulnerability scans for our environment. For this specific requirement, I use Burp Suite to perform web scans. One issue that we’ve had since before I got here was that our SSL certificates were flagged as not valid (even though they were). This was very frustrating, but we were able to explain to the people viewing the scans that the certificates were actually valid, so we got them to sign off on the scans.

I don’t have a link to the article, but we originally referenced an issue with Burp Suite that said that there was a bug regarding the validation of SSL Certificates. We would reference this when saying that there was a problem with the certificate chain. Without getting into too much detail, it was the worst offender in our report and even though it had a pass, we’d have to explain it to a new auditor and hope that he was able to understand why it was actually valid.

In scanning one of the development sites, it was discovered that one site didn’t have the issue with the SSL certificate. So we compared it to the others, and it turns out that its chain was in the correct order. The root cert needed to be at the bottom (which I guess makes sense, but putting the root cert first also makes sense), and once we changed that in pre-prod the issue was gone. So we went into pre-prod and changed it to match the development environment, and it worked.

This had been an issue that persisted before I started here, and it was great to be a part of the solution.

picoCTF Recovering From the Snap

This one was fun. I hadn’t ever played around with recovering deleted files.

There used to be a bunch of animals here, what did Dr. Xernon do to them?

This level starts off with the file animals.dd.

A few things I checked on. It looks like this is a disk image. I mounted the image and there are 4 files, but nothing that would indicate a flag or anything.

initial cut at the file

I knew that .dd files were used in disk images, and a quick search led me to some software called ‘testdisk’.

Huh ok, let’s try ‘P’
This looks promising
arrowed down, then will press ‘c’

From here you select the directory you want to save the recovered file to.

This is the flag file

Pretty cool.

picoCTF “HEEEEEEERE’S Johnny!”

I’ve kinda been all over the place with CTF stuff lately; there is just so much to learn and at any given time I could go in 5 different directions. There have been a few that I’ve started on that end up being too difficult for me right now, so I’ve made a draft version of that solution with what I’ve learned along the way. One of them is how shellcode works, which has been eye opening – I knew it from a high level, but getting into the weeds is awesome. So for that one, I’ve documented what I’ve read, watched and learned in addition to the level, but I’m not ready to solve it, so I’ve moved on for a little while until the concepts have solidified.

The levels on picoctf aren’t really numbered or anything, so this one is by the tag line. The problem reads like this:

Okay, so we found some important looking files on a linux computer. Maybe they can be used to get a password to the process. Connect with nc 2018shell.picoctf.com 35225. Files can be found here: passwd shadow.

When you run nc to that port, you get a login similar to ssh.

Here’s the contents of the passwd file:

root:x:0:0:root:/root:/bin/bash

And here’s the shadow file:

root:$6$HRMJoyGA$26FIgg6CU0bGUOfqFB0Qo9AE2LRZxG8N3H.3BK8t49wGlYbkFbxVFtGOZqVIq3qQ6k0oetDbn2aVzdhuVQ6US.:17770:0:99999:7:::

I can’t remember when, but if I recall correctly, at one point passwords were hashed in /etc/passwd and were in the second column (where the ‘x’ is now). With the ‘x’ there, it points to the /etc/shadow file. There is a breakdown of the /etc/passwd file structure here.

So we have a username and an encrypted password. Wut do? I guess we can run it through a cracking program. The hint said something about ‘rockyou’ and that was a dead giveaway. See here.
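As an added example (not part of the write-up), a small parser for the shadow format described above: it splits the nine colon-separated fields, identifies the hash algorithm from the $id$ prefix, converts the days-since-epoch field to a calendar date, and reports the things an audit of password storage looks for (empty password field, weak algorithm, password that never expires). The algorithm table and the ‘never expires’ threshold are my assumptions; the sample line is the one quoted above.

```python
# Added example, not from the write-up: parse an /etc/shadow entry into its
# fields and report the facts an auditor checks (hash algorithm, password age).
from datetime import date, timedelta

# Hash-id prefix to algorithm name, as used by crypt(3) (assumed table)
ALGORITHMS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "SHA-256", "6": "SHA-512", "7": "scrypt", "y": "yescrypt"}
WEAK = {"MD5", "DES"}

# The shadow line from the challenge (quoted in the post above)
SAMPLE = ("root:$6$HRMJoyGA$26FIgg6CU0bGUOfqFB0Qo9AE2LRZxG8N3H.3BK8t49wGlYbkFbxVFt"
          "GOZqVIq3qQ6k0oetDbn2aVzdhuVQ6US.:17770:0:99999:7:::")

def parse_shadow_line(line):
    """Split one shadow entry; the nine fields are colon separated."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    name, pw, lastchg, minage, maxage, warn, inactive, expire, _ = fields
    entry = {"user": name, "lastchg": int(lastchg) if lastchg else None,
             "maxage": int(maxage) if maxage else None,
             "locked": pw.startswith(("!", "*")), "empty_password": pw == ""}
    if pw.startswith("$"):
        parts = pw.split("$")[1:]  # drop the empty element before the first '$'
        entry["algorithm"] = ALGORITHMS.get(parts[0], "unknown id " + parts[0])
        if parts[0] in ("5", "6") and len(parts) >= 3:  # SHA-crypt: id[$rounds=N]$salt$hash
            entry["salt"], entry["hash"] = parts[-2], parts[-1]
    elif pw and not entry["locked"]:
        entry["algorithm"] = "DES"  # traditional 13-character crypt has no '$' prefix
    return entry

def last_change_date(entry):
    """Field 3 counts days since 1970-01-01."""
    if entry["lastchg"] is None:
        return None
    return date(1970, 1, 1) + timedelta(days=entry["lastchg"])

def audit(entry):
    """Return human-readable findings for one entry."""
    findings = []
    if entry["empty_password"]:
        findings.append("empty password field: login without a password")
    if entry.get("algorithm") in WEAK:
        findings.append(f"weak hash algorithm {entry['algorithm']}")
    if entry["maxage"] is None or entry["maxage"] >= 99999:  # assumed threshold
        findings.append("password never expires")
    return findings
```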

I’ve messed around with cracking before, but not a lot and the first thing I thought of was hashcat. That didn’t seem to work well. I might have got it to work, but then I remembered “John the Ripper” and looked for that.

Using john was pretty easy.

hellokitty is the password for user root

With this information we can nc to where we connected previously, enter the information and get the flag.

Bingo

OTW Narnia0 -> Narnia1

From what I understand, it runs the echo command and then runs cat with the previous command as STDIN, since no arguments are given. Then that’s piped into the narnia0 executable. Pretty cool!

New set up

I’ve thought about a way to boot my main OS off a thumb drive or something like that so I’d be able to boot it off any PC or laptop (64 bit). It would make it so I could use any resource that I had at the time and pick up where I left off. After doing some digging, I got a solution.

I bought a 1TB M.2 SSD with an enclosure off Amazon. I was easily able to install Linux on it and thought about partitioning it so it’d have Windows and Linux and an NTFS partition for VMs and storage. I was really paranoid about installing over my main disk’s MBR, so I took it out while I was testing this just in case something went awry.

It turns out that, after a lot of tinkering, I wasn’t able to boot Windows or multiple partitions. So that was a bust. I wasn’t able to even install Windows onto the USB, so I tried installing it with the SSD installed. After I got it installed, I realized I wasn’t able to remove the internal SSD unless I disassembled more than I wanted to do so that was out.

It turns out that Windows 10 Enterprise has the ability to install on USB drives, so I gave that a shot and it worked exactly as I’d expect it to. I then downloaded a few ISOs and installed the various VMs that I use – for example, I’m still using Linux Mint as a daily driver, but this time it’s installed in a VM. Oh, and as a side note, I’m able to play GTA V on it (inside Windows) so that makes for an awesome bonus 🙂