Security

SSH - Legacy Devices

Intro

Sometimes you have to access old, legacy devices. They may not support the current ciphers and key algorithms, so we have to modify the “.ssh/config” file or provide some additional CLI arguments.

If you have to do this regularly, you may want to extend the current parameters with the legacy ones like this:

Backup old config

you never know ;)

mv /etc/ssh/ssh_config /etc/ssh/ssh_config-$(date "+%s")

Install Updated Version

you have to copy/paste as root

SSHChat

SSH Chat

how to run your own SSH Chat Server

Setup

# add go
pkg_add go

# add user 'sshchat'
adduser

# switch user
su - sshchat
ftp https://github.com/shazow/ssh-chat/archive/v1.10.tar.gz
tar zxf v1.10.tar.gz
cd ssh-chat-1.10/
make build

# back to root
exit
cp /home/sshchat/ssh-chat-1.10/ssh-chat /usr/local/bin/

sshchat - ipfile

manage whitelisted IPs in a dedicated file

# create folder
mkdir -p /etc/pf.d

# sample file
echo "127.0.0.1" > /etc/pf.d/sshchat

# set permission
chmod 600 /etc/pf.d/sshchat

pf.conf

update pf.conf appropriately

XZ

MacOS

Even if macOS does not seem to be badly affected, better safe than sorry!

# get Version
brew info xz

# Cleanup Cache
brew cleanup -v -s --prune=all

# Downgrade
brew reinstall xz

# Update
brew update

# Upgrade
brew upgrade

# reboot
reboot

# confirm, 5.4.6 should be fine
xz -V


Cisco - SSH Key Auth

Intro

Do you want to log in to your Cisco switches with SSH and a public key? You can build your config easily and copy/paste it to your switch(es).

Set & Check Variables

  • pubkey: read from ~/.ssh/id_rsa.pub
  • username: root
  • password: will be generated, or set it by hand

# get & convert public key
pubkey=$(cat ~/.ssh/id_rsa.pub |cut -d' ' -f 2 |fold -b -w 72)

# Username Switch
username=root

# Password for User
password=$(openssl rand -hex 12)

# Full Line
echo "username $username privilege 15 password $password"

SSH Pubkey Auth Config Snippet

# Build Config
cat  << EOF


############################################
# Copy/Paste to your Cisco Devices - START #
############################################

conf t

! Set Version
ip ssh version 2
no aaa new-model

! Set User
username $username privilege 15 password $password

! Set Key
ip ssh pubkey-chain
username $username
key-string
$pubkey
exit
exit
exit

! vty Stuff
line vty 0 15
 login local
 transport input ssh

end
write
exit

############################################
# Copy/Paste to your Cisco Devices - END   #
############################################


EOF

You should test it in a lab environment before running it on production switches ;)

RSA - Weak Keys

Intro

Did you ever try to generate a small RSA key? Today, you should go with 3072 or 4096 bits, or use ECC.

With current versions of OpenSSL, you can’t generate a key smaller than 512 bits.

128 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(128)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

32 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(32)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

16 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(16)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))
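
Why keys of this size protect nothing, as an added example that is not code from the original post: the public modulus of a constructed 32-bit key is factored and the private exponent rebuilt from the public key alone, next to the key-size check a policy would apply. The primes, the exponent and all function names are assumptions chosen for illustration; only the Python standard library is used.

```python
import math

MIN_RSA_BITS = 3072  # minimum size recommended in the text above

# Constructed sample key: two small primes give a 32-bit modulus.
P, Q, E = 65521, 65537, 17
N = P * Q


def meets_minimum(n: int, min_bits: int = MIN_RSA_BITS) -> bool:
    """Key-size policy check: is the modulus at least min_bits long?"""
    return n.bit_length() >= min_bits


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of a composite n (Pollard's rho)."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n      # tortoise: one step
            y = (y * y + c) % n      # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1                       # cycle closed without a factor: next polynomial


def private_exponent_from_public(n: int, e: int) -> int:
    """Rebuild d from the public key alone by factoring n."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    d = private_exponent_from_public(N, E)
    secret = 123456789
    # A value encrypted with the public key decrypts with the rebuilt d.
    assert pow(pow(secret, E, N), d, N) == secret
    print(f"{N.bit_length()}-bit modulus, meets policy: {meets_minimum(N)}, d = {d}")
```

The factoring step needs on the order of the square root of the smaller prime in iterations, which is why it finishes instantly here and why the recommended sizes are so much larger.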

sample with 16Bit RSA Key

OpenBSD - gpg

gpg stuff

generate key

gpg --generate-key

change Passphrase

gpg --change-passphrase user-id

import key

gpg --import 92FFBB90C18B59AEF311F9C5D2E39FFEAC507F67.pub.gpg

list key

gpg -k 

sample

root@host # gpg -k 
[keyboxd]
---------
pub   ed25519 2024-01-02 [SC] [expires: 2027-01-01]
      F7118E072D426449DD9E4DE29674836DB8FECEDA
uid           [ultimate] root <root@host>
sub   cv25519 2024-01-02 [E] [expires: 2027-01-01]

encrypt

-r recipient -e encrypt

date > date
gpg -r F7118E072D426449DD9E4DE29674836DB8FECEDA -e date

sample

root@host # gpg -r F7118E072D426449DD9E4DE29674836DB8FECEDA -e date
root@host# ll date*
-rw-r--r--  1 root  wheel   29 Jan  2 15:14 date
-rw-r--r--  1 root  wheel  200 Jan  2 15:15 date.gpg

root@host# file date*
date:     ASCII text
date.gpg: data

decrypt

-d decrypt

macos - hdiutil

Intro

hdiutil is a command-line utility on macOS that allows users to create, manipulate, and convert disk images. Disk images are virtual disk files that can contain the entire file system structure, including files, folders, and metadata. hdiutil provides a variety of functions related to disk images, and it’s a powerful tool for managing disk-related tasks on a Mac.

Basic Usage

create

echo -n "geheim" |hdiutil create -encryption -stdinpass -size 10m -volname encdata test.dmg -fs HFS+J

mount ro

echo -n "geheim" |hdiutil mount -stdinpass -readonly test.dmg

mount rw

echo -n "geheim" |hdiutil mount -stdinpass test.dmg

create, strong, mount

echo -n "geheim" |hdiutil create -encryption AES-256 -stdinpass -attach -volname encdata -size 10m test.dmg -fs HFS+J

unmount

hdiutil unmount /Volumes/encdata

or

Nginx - IP

Sometimes you want to restrict access to a web server based on IP addresses. Here is a little howto.

Update nginx Config for your vhost

and redirect temporarily/permanently to a sorry host.

--->8- snip -8<---

    location / {
      allow 192.0.2.0/24;
      allow 2001:db8::/32;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

or move the IPs to a dedicated file and include it here …

--->8- snip -8<---

    location / {
      include incl/admin_ip.txt;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

Admin IP’s

cat ../incl/admin_ip.txt

Debian behind TLS Proxy

Behind Corp Proxy

Let’s assume you’re behind a corporate proxy which enforces TLS inspection, you don’t have the proxy cert and you want to upgrade your boxes …

… and of course, you do this in the lab and for research only, not in your production environment!

TLS Inspection enabled

apt-get update
W: Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease  Certificate verification failed: The certificate is NOT trusted.
The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: xx.xx.xx.xx yyyy]

Disable TLS Check

touch /etc/apt/apt.conf.d/99verify-peer.conf
echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

Update

apt-get update
apt-get upgrade


Ciphey

Fully automated decryption/decoding/cracking tool using natural language processing & artificial intelligence, along with some common sense.

Source: https://github.com/Ciphey/Ciphey

Run in Docker

encoding=$(echo -n "hello world" |base64); docker run -it --rm remnux/ciphey ${encoding}

Result

Possible plaintext: 'hello world' (y/N): y
╭─────────────────────────────────╮
│ Formats used:                   │
│    base64                       │
│    utf8Plaintext: "hello world"
╰─────────────────────────────────╯

Supported Ciphers

Ciphey currently supports 51 encryptions, encodings, compression methods, and hashes.

https://github.com/Ciphey/Ciphey/wiki/Supported-Ciphers

