Oct 31, 2022

How fun is Windows?

Received new laptop that runs Windows 11 over the weekend.


Spent some time customizing a few things:
  1. Install Google Pinyin
  2. Set up input method switching on the (left) Ctrl-Shift hotkey.
  3. Install WSL/WSL2
  4. Install Windows Terminal
  5. Install Multipass (VM orchestrator)
  6. Set up ssh-keygen
  7. Create a sample Multipass VM with cloud-init
  8. Install python3 (in Windows 11)

Between WSL and Multipass, I need to set up routing so that the two can communicate. Forwarding is enabled on both Hyper-V virtual switches:

PS> Set-NetIPInterface -ifAlias "vEthernet (WSL)" -Forwarding Enabled
PS> Set-NetIPInterface -ifAlias "vEthernet (Default Switch)" -Forwarding Enabled

And to confirm the forwarding state of every interface afterwards:
PS> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding | Sort-Object -Property IfIndex | Format-Table

Once routing is configured, I proceed with ssh-keygen and set up public key authentication between WSL and Multipass.

~$ cd .ssh
~/.ssh$ ssh-keygen -t ed25519 -C "xx@wsl2"
~/.ssh$ ssh-keygen -l -f id_ed25519.pub
~/.ssh$ ssh-copy-id -i id_ed25519.pub xx@remote_server


Next, I need to set up the Multipass VM with cloud-init.

Create a cloud-init.yaml file for multipass:
-------------------------------
users:
  - default
  - name: xx
    groups: sudo
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - ssh-ed25519 <public key from id_ed25519.pub, in one line>
package_update: true
package_upgrade: true
packages:
  - nodejs
  - python3
-------------------------------


PS> multipass launch -c 2 -m 2G -d 20G -n ubuntu-vm --cloud-init cloud-init.yaml
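The cloud-init file above only works if the ssh_authorized_keys line is a well-formed public key of the type it claims to be; a stray ssh-rsa prefix in front of an ed25519 blob will silently lock you out of the VM. As an added example (my code, not part of the original post or of Multipass/cloud-init), this Python script checks an authorized_keys entry the way sshd would parse it and prints the same SHA256 fingerprint that `ssh-keygen -l -f id_ed25519.pub` shows. The sample key is a constructed dummy blob, not a real key; the name SAMPLE_AUTHORIZED_KEY and the helper names are mine.

```python
import base64
import hashlib
import struct

# Constructed sample: a 32-byte dummy ed25519 public key, wire-encoded the way
# OpenSSH does it (length-prefixed type string, then length-prefixed key bytes).
# This is NOT a real key; it exists only so the example runs offline.
_DUMMY_KEY_BYTES = bytes(range(32))
_DUMMY_BLOB = (
    struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
    + struct.pack(">I", len(_DUMMY_KEY_BYTES)) + _DUMMY_KEY_BYTES
)
SAMPLE_AUTHORIZED_KEY = "ssh-ed25519 " + base64.b64encode(_DUMMY_BLOB).decode() + " xx@wsl2"


def _read_string(blob, offset):
    """Read one SSH wire 'string' (4-byte big-endian length + data)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_authorized_key(line):
    """Validate one authorized_keys / ssh_authorized_keys entry.

    Returns (key_type, key_length_bytes, comment). Raises ValueError when the
    declared type and the type embedded in the base64 blob disagree, when the
    blob is not valid base64, or when an ed25519 key is not 32 bytes long.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    embedded, offset = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError(f"type mismatch: line says {declared!r}, blob says {embedded!r}")
    key_bytes, _ = _read_string(blob, offset)
    if declared == "ssh-ed25519" and len(key_bytes) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return declared, len(key_bytes), comment


def is_valid_authorized_key(line):
    """Boolean wrapper for use in a pre-launch check of the cloud-init file."""
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False


def fingerprint_sha256(line):
    """SHA256 fingerprint as printed by `ssh-keygen -l`: base64 of the SHA-256
    digest of the raw blob, with the trailing '=' padding stripped."""
    b64 = line.strip().split(None, 2)[1]
    digest = hashlib.sha256(base64.b64decode(b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    print(parse_authorized_key(SAMPLE_AUTHORIZED_KEY))
    print(fingerprint_sha256(SAMPLE_AUTHORIZED_KEY))
    # The same blob with the wrong declared type is rejected:
    bad = SAMPLE_AUTHORIZED_KEY.replace("ssh-ed25519 ", "ssh-rsa ", 1)
    print("valid:", is_valid_authorized_key(bad))
```

Run it before `multipass launch` against the line you pasted into cloud-init.yaml; if the fingerprint it prints does not match `ssh-keygen -l -f id_ed25519.pub`, the key in the file is not the one you generated.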


Learnt some tricks on the Windows command line: install Python from the command line and locate python.exe. (Use where.exe rather than where: in PowerShell, where is an alias of Where-Object.)

PS> winget install python --source msstore
PS> where.exe python

Oct 30, 2022

wtfis

Found an interesting tool called wtfis.

wtfis is a commandline tool that gathers information about a domain, FQDN or IP address using various OSINT services. 

This tool assumes that you are using free tier / community level accounts, and so makes as few API calls as possible to minimize hitting quotas and rate limits.

Setup

wtfis uses these environment variables:

  • VT_API_KEY (required) - Virustotal API key
  • PT_API_KEY (optional) - Passivetotal API key
  • PT_API_USER (optional) - Passivetotal API user
  • SHODAN_API_KEY (optional) - Shodan API key

Installation

$ pip install wtfis

Usage:

$ wtfis -h
usage: wtfis [-h] [-m N] [-s] [-n] [-1] [-V] entity

positional arguments:
  entity                Hostname, domain or IP

options:
  -h, --help            show this help message and exit
  -m N, --max-resolutions N
                        Maximum number of resolutions to show (default: 3)
  -s, --use-shodan      Use Shodan to enrich IPs
  -n, --no-color        Show output without colors
  -1, --one-column      Display results in one column
  -V, --version         Print version number


Links:

Oct 29, 2022

DevOps Exercises

Found an interesting repo that shares resources about DevOps exercises and questions. It can be used for preparing for an interview. 

It is suitable for anyone interested in pursuing a career as a DevOps engineer or in learning the concepts.


Links:

Oct 28, 2022

Steps to a successful GitSecOps approach

GitOps is an approach to performing cloud operations (the DevOps way) by centralizing the desired state of the system in code and enforcing change through automation via a version control system (such as Git).

Git acts as a common place where workflows, automation, checks and balances can be applied before entering a production environment, enabling organizations with a crucial foothold to secure by design further than ever before.

Adopting GitOps means committing to interact only with Git and leaving the integration and deployment jobs to automation.

By ensuring that everything is code driven and declared, the risk from non-automated agents (a.k.a. humans) can be drastically reduced.

For example, using the automation workflows, you can embed compliance scans to enforce best-practices and regulatory mandates to prevent mis-configurations. With detection of configuration drift, it becomes easier and quicker to isolate vulnerable/compromised resources for investigation.

GitOps can leverage DevSecOps tools such as IaC scanning, security testing, IAM and secret management. By bringing in security-as-code, and adding compliance requirements and security policies to coded artifacts, organizations can embrace GitSecOps to shift security left effectively.


Seven steps to a successful GitSecOps approach:

  1. Applying identity and access controls
  2. Enforcing change control and peer review workflows
  3. Observing end-to-end
  4. Keep secrets safe (vault or external key managers)
  5. Protecting audit logs
  6. Catching the drift
  7. Monitoring anomalous behavior

Just like DevSecOps, GitSecOps also requires the adoption of a new mindset and culture to get things done in a cloud native way.

Sharing common tools, processes and goals — focused on a successful shared outcome rather than an isolated deliverable — ensures that the DevSecOps and GitSecOps goals are aligned to support each other and the organization’s digital transformation vision.


Links:

Oct 27, 2022

Modern Binary/Patch Diffing

 

In this webinar, Stephen will demonstrate the process of downloading Microsoft cumulative updates to extract the patches and prep them for diffing. 

It's a very useful way to identify patched vulnerabilities that can potentially be weaponized for exploitation of un-patched systems, as well as learning how vulnerabilities are patched to aid in bug hunting. 

My notes:

  • Time consuming to find the diff. (use bindiff or diaphora)
  • 2022-10 x64 "Windows 10" 22H2  Vs "Cumulative windows 10"
  • 2 purposes:
    • weaponize patched vuln (n-day exploit)
    • find new 0-day vuln
  • MS doesn't obfuscate the patch management process. 😅
  • expand.exe -F:* .\xxxx.msu .\extract
  • expand.exe -F:* .\extract\xxxx.cab .\patch
  • expand.exe -F:* .\patch\yyyy.cab .\patch
  • expand.exe -F:* .\patch\zzzz.cab .\patch [20min++]
  • gci -Recurse c:\windows\WinSxS\ -Filter ntdll.dll
  • .\delta_patch.py -i .\NTDLL\ntdll.dll -o ntdll.2020-10.dll .\NTDLL\r\ntdll.dll .\2020-10\x64\ntdll.dll_10.0.18362.1139\f\ntdll.dll
  • .\delta_patch.py -i .\NTDLL\ntdll.dll -o ntdll.2020-11.dll .\NTDLL\r\ntdll.dll .\2020-11\x64\ntdll.dll_10.0.18362.1171\f\ntdll.dll


Links:

Oct 26, 2022

Moving from Operations to GitOps

After the article Operation Hates Agile, here comes the next one: how to move from Operations to GitOps.

IaC is the replacement for traditional operations. It allows enterprises to control changes and manage configuration settings in cloud environments more efficiently.

First, we need to know what is contained in "Infrastructure as Code" (IaC). There are 3 characteristics of IaC:

  1. Imperative and Declarative
  2. Mutable and Immutable
  3. DevOps

Imperative Vs. Declarative

Most IaC is declarative in nature. However, we can always make changes to the cloud environment with either imperative or declarative automation.

To make imperative automation changes to cloud infra, we use a command-line interface (CLI). Changes are directed to the cloud through a script, first within a container, then a virtual machine (VM), and then a virtual private cloud. This is a detailed checklist, but if the configuration needs to change after it has been pushed to multiple machines, the steps and the script have to be repeated.

A declarative automation approach requires goal creation. For example, rather than using the CLI and listing the exact step-by-step configuration for a VM, you’d simply state that you want a VM with, say, a domain attached, and then let the automation take over. The declarative approach (most of the time in YAML) enables you to more easily state what needs to be accomplished by the automation tools.

Mutable Vs. Immutable

Mutable means that it is prone to change. A virtual machine is an example of mutable infrastructure.

Immutable infrastructure cannot be changed once deployed; a container/Docker image is an example. Changes still occur, but they are made to the original declarative statements, and once the changes are ready, all like devices or configurations are changed consistently.

Most of the time, we use both imperative and declarative automation methods interchangeably to manage IaC. This can lead to an issue called configuration drift: the running system no longer matches what the code declares.
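Configuration drift is the failure mode both this post and step 6 of the GitSecOps list ("Catching the drift") warn about: an imperative change made by hand is invisible to the declarative source of truth until something compares the two. As an added example (my code, not from the original posts or any IaC tool), this Python script diffs a declared state against an observed state and separates the security-relevant drift, which deserves an investigation, from routine items that a reconciler can simply re-apply. DESIRED, OBSERVED and the SECURITY_SENSITIVE prefixes are constructed sample data; in practice the observed side would come from an inventory agent or cloud API.

```python
# Constructed sample: the declared (desired) state of an instance as an IaC
# file would express it, and the state observed on the running system after
# a few "quick" imperative changes were made by hand.
DESIRED = {
    "packages": {"nginx": "1.18.0", "python3": "3.10"},
    "users": {"xx": {"groups": ["sudo"], "shell": "/bin/bash"}},
    "listen_ports": [22, 80],
    "ssh_password_auth": False,
}
OBSERVED = {
    "packages": {"nginx": "1.18.0", "python3": "3.10", "netcat": "1.218"},  # manual apt install
    "users": {"xx": {"groups": ["sudo", "docker"], "shell": "/bin/bash"}},  # manual usermod
    "listen_ports": [22, 80, 8080],                                         # extra listener
    "ssh_password_auth": True,                                              # sshd_config edited by hand
}

# Drift under these path prefixes is an access or exposure change, not a
# cosmetic one, so it is triaged separately (constructed policy for the example).
SECURITY_SENSITIVE = ("ssh_password_auth", "users.", "listen_ports")


def diff_state(desired, observed, path=""):
    """Recursively compare desired vs observed state.

    Returns a sorted list of drift records (path, kind, desired, observed) where
    kind is 'changed' (both present, values differ), 'missing' (declared but
    absent on the system) or 'unmanaged' (present on the system, not declared).
    Lists of scalars (ports, group names) are compared as sets, order-insensitively.
    """
    drift = []
    if isinstance(desired, dict) and isinstance(observed, dict):
        for key in sorted(desired.keys() | observed.keys()):
            sub = f"{path}.{key}" if path else str(key)
            if key not in observed:
                drift.append((sub, "missing", desired[key], None))
            elif key not in desired:
                drift.append((sub, "unmanaged", None, observed[key]))
            else:
                drift.extend(diff_state(desired[key], observed[key], sub))
    elif isinstance(desired, list) and isinstance(observed, list):
        for item in sorted(set(desired) - set(observed), key=str):
            drift.append((path, "missing", item, None))
        for item in sorted(set(observed) - set(desired), key=str):
            drift.append((path, "unmanaged", None, item))
    elif desired != observed:
        drift.append((path, "changed", desired, observed))
    return sorted(drift, key=lambda d: (d[0], d[1], str(d[2]), str(d[3])))


def triage(drift):
    """Split drift into items that warrant investigation (security-sensitive
    paths) and items the reconciler can re-apply from code without a ticket."""
    urgent = [d for d in drift if d[0].startswith(SECURITY_SENSITIVE)]
    routine = [d for d in drift if d not in urgent]
    return urgent, routine


if __name__ == "__main__":
    urgent, routine = triage(diff_state(DESIRED, OBSERVED))
    print("INVESTIGATE:")
    for path, kind, want, have in urgent:
        print(f"  {path}: {kind} (declared={want!r}, observed={have!r})")
    print("RECONCILE:")
    for path, kind, want, have in routine:
        print(f"  {path}: {kind} (declared={want!r}, observed={have!r})")
```

The point of the split is that re-applying code silently would erase the evidence: a password-auth flip or a new listener is exactly the kind of drift that the "isolate compromised resources for investigation" step in the GitSecOps post needs to see before the reconciler puts the system back.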

Oct 25, 2022

MHDDoS - DDoS Attack Script

MHDDoS is a DDoS Attack Script written in Python3. It includes 56 attack methods (DoS/DDoS). 


Installation (1st way)

$ git clone https://github.com/MHProDev/MHDDoS.git
$ cd MHDDoS
$ pip install -r requirements.txt

Installation (2nd way)

$ docker pull ghcr.io/mhprodev/mhddos:latest


Links:

Oct 24, 2022

Multipass Private SSH Key is Exposed to Everyone

It is so convenient to use the command 'multipass shell jimny' whenever we need to access the VM we created.

But, how can we login without password? Where is the SSH private key?

Actually it uses SSH public key authentication to log in to the VM.

Oct 23, 2022

Windows Event Log Analysis

Configuring logging on Windows systems, and aggregating those logs into a SIEM, is a critical step toward ensuring that your environment can support effective incident response with incident response tools.

Events can be logged in the Security, System and Application event logs. 

Field: Description
Log Name: The event log where the event is stored. Useful when processing numerous logs pulled from the same system.
Source: The service, Microsoft component or application that generated the event.
Event ID: A code assigned to each type of audited activity.
Level: The severity assigned to the event in question.
User: The user account involved in triggering the activity, or the user context that the source was running as when it logged the event.
OpCode: Assigned by the source generating the log.
Logged: The local system date and time when the event was logged.
Task Category: Assigned by the source generating the log.
Keywords: Assigned by the source and used to group or sort events.
Computer: The computer on which the event was logged. This is useful when examining logs collected from multiple systems, but should not be taken to be the device that caused the event (e.g. a remote workstation).
Description: A text block where additional information specific to the event being logged is recorded.

 

Types of Windows Event Log Analysis – Guide

  • Account Management Events
  • Account Logon and Logon Events
  • Common Event ID 4768 result codes
  • Logon event type code descriptions
  • Common logon failure status codes
  • Access to Shared Objects
  • Scheduled Task Logging
  • Object Access Auditing
  • Audit Policy Changes
  • Auditing Windows Services
  • Wireless LAN Auditing
  • Process Tracking
  • Additional Program Execution Logging
  • Auditing PowerShell Use


Go through the complete incident response guide at the link below.


Links:

Oct 22, 2022

Couldn't open a raw socket. Error: Permission denied (13)

With Multipass, do I still need VMware Player to run Linux with full privileges under Windows?

WSL is the more common choice for running a virtual machine nowadays compared to VMware Player.

With Multipass, everything seems easier and faster now. 😇

Here's my story today, on how I needed to run an nmap port scan against a router. The first attempt fails because the nmap snap is not connected to the network-control interface it needs for raw sockets; connecting it fixes that.

PS> multipass launch -n scanner

PS> multipass shell scanner

ubuntu@scanner:~$ sudo snap install nmap

ubuntu@scanner:~$ sudo nmap -sU -p 53 192.168.31.1
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-21 23:17 +08
Couldn't open a raw socket. Error: Permission denied (13)

ubuntu@scanner:~$ sudo snap connect nmap:network-control

ubuntu@suzuki:~$ sudo nmap -sU -p 53 192.168.31.1
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-21 23:18 +08
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.0027s latency).

PORT   STATE SERVICE
53/udp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

ubuntu@scanner:~$ sudo nmap -n -sS -p 1-1024 192.168.31.1
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-21 23:35 +08
Nmap scan report for 192.168.31.1
Host is up (0.0075s latency).
Not shown: 1020 closed tcp ports (reset)
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
784/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
ubuntu@scanner:~$

With this, I have more confidence with Multipass now. 😉

Oct 20, 2022

Start MicroK8s with Multipass

This post is for me to learn how to create a highly available Kubernetes cluster using MicroK8s and Multipass.

Kubernetes clusters host containerised applications in a reliable and scalable way. Having DevOps in mind, Kubernetes makes maintenance tasks such as upgrades and security patching simple.

MicroK8s is a zero-ops, CNCF certified lightweight Kubernetes distribution for workstations, clusters, edge and IoT devices.

Again, the prerequisite is a working copy of Multipass, and I'm using WSL. 😎

Here is the setup configuration:

$ multipass launch --name kmaster -m 4G

$ multipass shell kmaster

ubuntu@kmaster:~$ sudo snap install microk8s --classic

ubuntu@kmaster:~$ sudo usermod -a -G microk8s ubuntu
ubuntu@kmaster:~$ sudo chown -f -R ubuntu ~/.kube

ubuntu@kmaster:~$ exit

$ multipass shell kmaster  

ubuntu@kmaster:~$ microk8s status --wait-ready

Next, let's set up a second node:

$ multipass launch --name kworker1 -m 4G

$ multipass shell kworker1

ubuntu@kworker1:~$ sudo snap install microk8s --classic

ubuntu@kworker1:~$ sudo usermod -a -G microk8s ubuntu
ubuntu@kworker1:~$ sudo chown -f -R ubuntu ~/.kube

ubuntu@kworker1:~$ exit

$ multipass shell kworker1

ubuntu@kworker1:~$ microk8s status --wait-ready

Both nodes are ready, let's join them:

$ multipass exec kmaster -- microk8s add-node

From the node you wish to join to this cluster, run the following:
microk8s join 172.22.71.179:25000/daaad28e6febfbdaa5e228479e5f3f7c/8ee2423760f2

Use the '--worker' flag to join a node as a worker not running the control plane, eg:
microk8s join 172.22.71.179:25000/daaad28e6febfbdaa5e228479e5f3f7c/8ee2423760f2 --worker

If the node you are adding is not reachable through the default interface you can use one of the following:
microk8s join 172.22.71.179:25000/daaad28e6febfbdaa5e228479e5f3f7c/8ee2423760f2

Copy the join line (highlighted in the original output) and paste it into the second node (kworker1), then wait a few minutes.

Oct 19, 2022

Operation Hates Agile

Operation hates Agile. Why?

Simply because Agile is supposed to move fast and keep breaking things (for improvement). With the fast pace of change (in DevOps), it is impossible to get stable and predictable metrics for operations teams.

Audit is another entity, similar to operations, that hates Agile. 😜 By the time the audit team finishes the report, DevOps has already made 38 changes. 😅

Conclusion: Agile is supposed to replace traditional operations, change management, and even audit.

The question is, does top management have the courage to replace traditional operations (change management, audit) with Agile?

So if you want a successful Agile in your company:

Oct 18, 2022

Load-Balance with Nginx

Inspired by the article How to Setup Nginx Reverse Proxy, I would like to try this with Multipass + cloud-init to load balance 3 backend servers.

In summary, we will create 4 server instances: 1 in the reverse-proxy and load-balancer role, and 3 as backend web servers.

PS> multipass launch -n backend1 --cloud-init ci_backend1.yaml

PS> multipass launch -n backend2 --cloud-init ci_backend2.yaml

PS> multipass launch -n backend3 --cloud-init ci_backend3.yaml

PS> multipass launch -n lbr --cloud-init ci_lbr.yaml

Then point your browser (on the host) to http://lbr.mshome.net/ and keep refreshing. 😊

It took less than 8 minutes to start all 4 server instances. All the necessary (4) files are stored at the GitHub link below. Below are the screenshots.

16 Basic PowerShell Cmdlets

Get to know Windows PowerShell better with these 16 Best PowerShell Commands (Cmdlets) You Must Know.

Oct 16, 2022

Manually Install and configure Nginx with Multipass

Found a great tutorial site at Ubuntu.

Let me follow the tutorial to set up an Nginx web server with Multipass.

$ multipass launch --name nginxweb -c 2 -m 2G

$ multipass shell nginxweb

ubuntu@nginxweb:~$ sudo apt update
ubuntu@nginxweb:~$ sudo apt install nginx 

ubuntu@nginxweb:~$ cd /var/www
ubuntu@nginxweb:~$ sudo mkdir tutorial
ubuntu@nginxweb:~$ cd tutorial
ubuntu@nginxweb:~$ sudo "${EDITOR:-vi}" index.html

Insert the following content and save index.html:

<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>Hello, Nginx!</title>
</head>
<body>
    <h1>Hello, Nginx!</h1>
    <p>We have just configured our Nginx web server on Ubuntu Server!</p>
</body>
</html>

Next, configure Nginx to serve a new site on port 81.

ubuntu@nginxweb:~$ cd /etc/nginx/sites-enabled
ubuntu@nginxweb:~$ sudo "${EDITOR:-vi}" tutorial

Again, insert the following content and save the tutorial file:

server {
       listen 81;
       listen [::]:81;

       server_name example.ubuntu.com;

       root /var/www/tutorial;
       index index.html;

       location / {
               try_files $uri $uri/ =404;
       }
}

Finally, restart Nginx, capture the IP address and make sure everything is working.

ubuntu@nginxweb:~$ sudo service nginx restart

ubuntu@nginxweb:~$ ip a 

Open the browser (on the host) and point it to http://<ip>:81/ and http://<ip>/

(All the work completed within 4 min on my laptop)


Link:

Oct 14, 2022

Cloud Security and DevSecOps Automation

Completed my training on SEC540 today. 

SEC540 provided me with a methodology to secure modern cloud and DevOps environments. By embracing the DevOps culture, I walk away able to build security controls within a DevSecOps security program.

It is important to understand the DevOps toolchain and how to introduce security controls in their automated pipelines responsible for delivering changes to cloud-based systems. Without effective pipeline security controls, security teams lose visibility into the changes released into production environments.

Oct 13, 2022

Velociraptor for DFIR

Velociraptor - Endpoint visibility and collection tool

Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries. It is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.

Today I saw the demo from Carlos Cajigas on Rapid DFIR Tooling at the SANS community night event. It is amazing!!

There is a blog post at FIRST.org showing Velociraptor vs. PrintNightmare (2021).


Links:

Oct 12, 2022

Amplification Research

AMP-Research is research on exotic UDP/TCP amplification vectors, payloads and mitigations.

Amplification is where a simple malformed socket or packet request elicits a response larger than the input data. This can be abused to "amplify" a request, by means of Distributed Reflected Denial of Service (DRDoS) or DDoS attacks.

The best way to show what this means is to use the MSSQL protocol on UDP port 1434 (23x amplification factor) as an example.

$ echo -ne '\x02' | nc -u -q 2 190.xx.xx.xx 1434|xxd -p|wc -c
629 bytes

Another example on ARD (Apple Remote Desktop) listener:

$ echo -ne '\x00\x14\x00\x01\x03' |nc -u 89.xx.xx.xx 3283|hexdump
0000000 0100 ea03 3100 0000 0000 0000 0000 0000
0000010 0000 0000 0000 0000 0000 0000 0000 0000
0000020 0000 0000 0000 0000 0100 0000 0000 0000
0000030 0000 0000 0000 0000 0000 0000 0000 0000
*
0000050 0000 1200 0000 0000 0000 0000 0000 0000
0000060 0000 0000 0000 0000 0000 0000 0000 0000
0000070 0000 0000 0000 0000 0000 0000 0000 640a
0000080 7461 6861 6565 6472 0034 0000 0000 0000
0000090 0000 0000 0000 0000 0000 0000 0000 0000
*
00000c0 0000 0001 0000 0000 0000 0000 0000 0000
00000d0 0000 0000 0000 9803 0000 0100 18f0 ed98
00000e0 9288 0000 0000 0a00 6400 6100 7400 6100
00000f0 6800 6500 6500 7200 6400 3400 0000 0000
0000100 0000 0000 0000 0000 0000 0000 0000 0000
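Two things are worth measuring on the defender's side of this: how big the amplification actually is for a service you expose, and which of your own UDP listeners answer tiny requests with large replies. Note that `xxd -p | wc -c` counts hex characters and newlines, not payload bytes, so the 629 above is not a byte count. As an added example (my code, not from AMP-Research), this Python script converts that character count back to bytes, computes the bandwidth amplification factor, and flags amplifying services from a few constructed flow records such as an edge device or NetFlow collector would summarise. The flow tuples, addresses and byte counts are constructed for the example.

```python
def xxd_plain_chars_to_bytes(char_count, width=30):
    """Convert the output of `xxd -p | wc -c` back to a payload byte count.

    `xxd -p` writes `width` bytes (2*width hex chars) per line, each line ending
    in '\n', so a full line is 2*width+1 characters; the last line may be short.
    """
    line_len = 2 * width + 1
    full, rem = divmod(char_count, line_len)
    tail_hex = max(rem - 1, 0)          # strip the newline of the partial last line
    return full * width + tail_hex // 2


def bandwidth_amplification_factor(request_bytes, response_bytes):
    """BAF = response size / request size (payload bytes)."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


# Constructed flow records, NOT captured traffic: UDP flows summarised as
# (client, client_port, server, server_port, bytes_to_server, bytes_from_server).
SAMPLE_FLOWS = [
    ("203.0.113.9",  40000, "198.51.100.10", 1434, 1,  309),   # MS SQL browser probe/reply
    ("203.0.113.9",  40001, "198.51.100.11", 3283, 5,  1024),  # ARD probe/reply
    ("203.0.113.20", 53211, "198.51.100.12", 53,   60, 120),   # ordinary DNS lookup
    ("203.0.113.21", 55555, "198.51.100.13", 123,  48, 48),    # NTP client/server, 1:1
]


def flag_amplifying_services(flows, min_factor=10.0):
    """Return (server, port, factor) for listeners whose reply exceeds the
    request by min_factor; these are the services to firewall from the
    Internet, rate-limit, or move behind a stateful proxy."""
    flagged = []
    for _client, _cport, server, port, b_in, b_out in flows:
        factor = bandwidth_amplification_factor(b_in, b_out)
        if factor >= min_factor:
            flagged.append((server, port, round(factor, 1)))
    return flagged


if __name__ == "__main__":
    print("629 hex-dump chars ->", xxd_plain_chars_to_bytes(629), "payload bytes")
    for server, port, factor in flag_amplifying_services(SAMPLE_FLOWS):
        print(f"{server}:{port}/udp replies {factor}x larger than the request")
```

The same ratio test, run continuously over real flow summaries rather than this constructed list, is the cheapest way to discover that a test VM or appliance has quietly started answering the Internet on one of these ports.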


Links:

Oct 11, 2022

ZMAP

ZMap is a fast single-packet network scanner optimized for Internet-wide network surveys. 

On a computer with a gigabit connection, ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes. With a 10gigE connection and PF_RING, ZMap can scan the IPv4 address space in 5 minutes.

Installation (Ubuntu)

$ sudo apt install zmap

$ sudo zmap 192.168.31.0/24

Installation (manual)

$ cmake -DWITH_REDIS=ON -DWITH_JSON=ON -DCMAKE_INSTALL_PREFIX=/usr/local/bin .
$ make -j4
$ make install

Sample Usage

┌──(xx㉿wsl2)-[~]
└─$ sudo zmap --probe-module=icmp_echoscan 192.168.31.1/24 --quiet
Oct 24 19:07:15.790 [INFO] zmap: output module: csv
Oct 24 19:07:15.790 [INFO] csv: no output file selected, will use stdout
192.168.31.227
192.168.31.1
192.168.31.210
192.168.31.214
192.168.31.239
192.168.31.209
192.168.31.202
192.168.31.224
192.168.31.208
192.168.31.236
192.168.31.216
192.168.31.205
192.168.31.213
Oct 24 19:07:23.939 [INFO] zmap: completed


Links:

Oct 10, 2022

Docker and VM

There are many comparisons between Docker and virtual machines in terms of architecture.

Here is a summary of the operational differences between Docker and virtual machines, based on my own understanding.


                 VM    Docker
Compatibility    👍    👌
Virtualization   👍    👌
Security         👍    👌
Size             👌    👍
Performance      👌    👍
Scalability      👌    👍

 

Oct 9, 2022

Telegram MTProto API Framework

Pyrogram - Telegram MTProto API Framework for Python.

Pyrogram is a modern, elegant and asynchronous MTProto API framework. It enables you to easily interact with the main Telegram API through a user account (custom client) or a bot identity (bot API alternative) using Python. 

QuickStart

  1. Install Pyrogram with pip3 install -U pyrogram.
  2. Get your own Telegram API key from https://my.telegram.org/apps.
  3. Open the text editor of your choice and paste the following:

        import asyncio
        from pyrogram import Client

        api_id = 12345
        api_hash = "0123456789abcdef0123456789abcdef"

        async def main():
            async with Client("my_account", api_id, api_hash) as app:
                await app.send_message("me", "Greetings from **Pyrogram**!")

        asyncio.run(main())

  4. Replace api_id and api_hash values with your own.
  5. Save the file as hello.py.
  6. Run the script with python3 hello.py
  7. Follow the instructions on your terminal to login.
  8. Watch Pyrogram send a message to yourself. 


Links:

Oct 6, 2022

Upgrade Ubuntu to 22.04 LTS Jammy Jellyfish

I have Ubuntu 20.04 installed under Windows Subsystem for Linux (WSL).

Below are the steps to upgrade Ubuntu to 22.04 Jammy Jellyfish (so that I can enjoy my Python 3.10).

$ sudo apt update
$ sudo apt upgrade
$ sudo apt dist-upgrade

$ sudo apt autoremove

$ sudo apt install update-manager-core

$ sudo do-release-upgrade 

Followed by a couple of 'y' confirmations.

The whole process took around 2 hours to finish.

Links:

Oct 5, 2022

Upgrade to Python 3.10 on Ubuntu 20.04 LTS

My Ubuntu 20.04 comes with Python 3.8.10, and I need to upgrade it to 3.10 for a workshop.

Here are the steps:

$ sudo add-apt-repository ppa:deadsnakes/ppa
$ sudo apt-get update

$ apt list | grep python3.10

$ sudo apt-get install python3.10

$ sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.8 1
$ sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.10 2

$ sudo update-alternatives --config python3

$ python3 -V

Oct 4, 2022

Running Nuclei on Docker with Multipass

Here's the easiest way to run nuclei with Multipass: launch the docker image, pull the nuclei container, update its templates, and feed it a list of URLs.


PS> multipass launch docker -n tiger

PS> multipass shell tiger

ubuntu@tiger:~$ docker pull projectdiscovery/nuclei:latest

ubuntu@tiger:~$ docker images

ubuntu@tiger:~$ docker run -i -t bb2be5c37d25 --version

ubuntu@tiger:~$ docker run -i -t bb2be5c37d25 -update

ubuntu@tiger:~$ docker run -i -t bb2be5c37d25 -ut 

ubuntu@tiger:~$ echo  http://172.22.64.197 > urls.txt

ubuntu@tiger:~$ echo  http://172.22.64.197:8080 >> urls.txt

ubuntu@tiger:~$ git clone https://github.com/projectdiscovery/nuclei-templates

ubuntu@tiger:~$ cat urls.txt | docker run -v /home/ubuntu/nuclei-templates:/go/src/app/ -i projectdiscovery/nuclei  -t ./technologies/nginx/nginx-version.yaml  -t ./technologies/apache/apache-detect.yaml   > results.txt

ubuntu@tiger:~$ more results.txt
+-------+-------+---------+
| TOTAL | ADDED | REMOVED |
+-------+-------+---------+
|  4306 |    40 |       0 |
+-------+-------+---------+
[2022-10-04 10:16:00] [apache-detect] [http] [info] http://172.22.64.197:8080 [Apache/2.4.52 (Ubuntu)]
[2022-10-04 10:16:00] [nginx-version] [http] [info] http://172.22.64.197 [nginx/1.18.0] 

ubuntu@tiger:~$ cat urls.txt | docker run -v /home/ubuntu/nuclei-templates:/go/src/app/ -i projectdiscovery/nuclei  > result2.txt

ubuntu@tiger:~$ more result2.txt
[2022-10-04 10:28:00] [default-apache2-ubuntu-page] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:00] [apache-detect] [http] [info] http://172.22.64.197:8080 [Apache/2.4.52 (Ubuntu)]
[2022-10-04 10:28:00] [default-apache-test-all] [http] [info] http://172.22.64.197:8080 [Apache/2.4.52 (Ubuntu)]
[2022-10-04 10:28:00] [nginx-version] [http] [info] http://172.22.64.197 [nginx/1.18.0]
[2022-10-04 10:28:00] [default-nginx-page] [http] [info] http://172.22.64.197
[2022-10-04 10:28:02] [tech-detect:nginx] [http] [info] http://172.22.64.197
[2022-10-04 10:28:29] [openssh-detect] [network] [info] 172.22.64.197:22 [SSH-2.0-OpenSSH_8.9p1 Ubuntu-3]
[2022-10-04 10:28:30] [http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-origin] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-expose-headers] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:strict-transport-security] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:permissions-policy] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:x-frame-options] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:x-content-type-options] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:referrer-policy] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-max-age] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-headers] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:clear-site-data] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:content-security-policy] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-credentials] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-methods] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:strict-transport-security] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:x-frame-options] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:x-content-type-options] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:referrer-policy] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-origin] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-methods] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-max-age] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-expose-headers] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-headers] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:content-security-policy] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:permissions-policy] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:clear-site-data] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://172.22.64.197
[2022-10-04 10:28:30] [http-missing-security-headers:access-control-allow-credentials] [http] [info] http://172.22.64.197
[2022-10-04 10:28:34] [options-method] [http] [info] http://172.22.64.197:8080 [HEAD,GET,POST,OPTIONS]
[2022-10-04 10:28:34] [openssh-detect] [network] [info] 172.22.64.197:22 [SSH-2.0-OpenSSH_8.9p1 Ubuntu-3]
[2022-10-04 10:28:41] [waf-detect:nginxgeneric] [http] [info] http://172.22.64.197/
[2022-10-04 10:28:41] [waf-detect:apachegeneric] [http] [info] http://172.22.64.197:8080/
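The full template run produces dozens of one-line findings per host, most of them the same missing-security-headers template repeated once per header, which makes a raw result2.txt hard to act on. As an added example (my code, not part of nuclei or the original post), this Python script parses nuclei's default output format and folds it into a per-target report: missing headers collected into one list, version and technology detections kept with their extracted value, and a severity tally. SAMPLE_OUTPUT is a handful of lines taken from the output above plus the template-update table that precedes it; the regex and the report shape are mine.

```python
import re
from collections import Counter

# Lines copied from the nuclei output above (including the template-update
# table, which the parser must skip), used here as sample input.
SAMPLE_OUTPUT = """\
+-------+-------+---------+
| TOTAL | ADDED | REMOVED |
+-------+-------+---------+
|  4306 |    40 |       0 |
+-------+-------+---------+
[2022-10-04 10:28:00] [apache-detect] [http] [info] http://172.22.64.197:8080 [Apache/2.4.52 (Ubuntu)]
[2022-10-04 10:28:00] [nginx-version] [http] [info] http://172.22.64.197 [nginx/1.18.0]
[2022-10-04 10:28:29] [openssh-detect] [network] [info] 172.22.64.197:22 [SSH-2.0-OpenSSH_8.9p1 Ubuntu-3]
[2022-10-04 10:28:30] [http-missing-security-headers:strict-transport-security] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:x-frame-options] [http] [info] http://172.22.64.197:8080
[2022-10-04 10:28:30] [http-missing-security-headers:content-security-policy] [http] [info] http://172.22.64.197
[2022-10-04 10:28:34] [options-method] [http] [info] http://172.22.64.197:8080 [HEAD,GET,POST,OPTIONS]
"""

# nuclei's default line: [timestamp] [template-id] [protocol] [severity] target [extracted value]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<template>[^\]]+)\] \[(?P<proto>[^\]]+)\] "
    r"\[(?P<sev>[^\]]+)\] (?P<target>\S+)(?: \[(?P<extra>[^\]]*)\])?\s*$"
)


def parse_line(line):
    """Return a dict for a finding line, or None for anything else (tables, noise)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(text):
    """Fold findings into {target: {'missing_headers': [...], 'findings': [(template, extra), ...]}}."""
    report = {}
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = report.setdefault(f["target"], {"missing_headers": [], "findings": []})
        template = f["template"]
        if template.startswith("http-missing-security-headers:"):
            entry["missing_headers"].append(template.split(":", 1)[1])
        else:
            entry["findings"].append((template, f["extra"]))
    return report


def severity_counts(text):
    """Tally findings by the severity column, for a one-line dashboard number."""
    return Counter(f["sev"] for f in map(parse_line, text.splitlines()) if f)


if __name__ == "__main__":
    for target, entry in summarize(SAMPLE_OUTPUT).items():
        print(target)
        for template, extra in entry["findings"]:
            print(f"  {template}: {extra or ''}")
        if entry["missing_headers"]:
            print("  missing headers:", ", ".join(entry["missing_headers"]))
    print(dict(severity_counts(SAMPLE_OUTPUT)))
```

Pointing summarize() at the whole result2.txt gives one block per target, which is the shape you want when turning the nginx and Apache header gaps into a single hardening ticket per server rather than thirty separate lines.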

 

Links:



Oct 3, 2022

Start K3s with Multipass

Prerequisite: You need to have a working multipass, and preferably a Linux-based host. (I'm using WSL 😎 )

Then follow the steps to create the virtual machines, followed by creating the K3s cluster. K3s promises to be a lightweight K8s.

Here are the tools used and their descriptions.

Tool       Description
Multipass  A system that orchestrates the creation, management and maintenance of virtual machines and associated Ubuntu images to simplify development.
K3s        A certified Kubernetes distribution designed for production workloads in unattended, resource-constrained, remote locations or inside IoT appliances.

First, we need 1 master node (kmaster) and 2 worker nodes (kworker1 and kworker2).

$ multipass launch --name kmaster
$ multipass launch --name kworker1
$ multipass launch --name kworker2

Second, we need to create the K3s cluster. 

$ multipass exec kmaster -- /bin/bash -c "curl -sfL https://get.k3s.io | sh -"

$ K3S_NODEIP_MASTER="https://kmaster.mshome.net:6443"

$ K3S_TOKEN="$(multipass exec kmaster -- /bin/bash -c "sudo cat /var/lib/rancher/k3s/server/node-token")"

$ multipass exec kworker1 -- /bin/bash -c "curl -sfL https://get.k3s.io | K3S_TOKEN=${K3S_TOKEN} K3S_URL=${K3S_NODEIP_MASTER} sh -"

$ multipass exec kworker2 -- /bin/bash -c "curl -sfL https://get.k3s.io | K3S_TOKEN=${K3S_TOKEN} K3S_URL=${K3S_NODEIP_MASTER} sh -"

Oct 2, 2022

Start Docker with Multipass

Multipass is a great tool for working with containers. 

The Minikube workflow is another great example of a built-in tool for container development. And MicroK8s, which runs on top of Multipass cross-platform, is for pocket-sized Kubernetes.

Docker Workflow in Multipass

An extra tool in the Docker workflow is Portainer. In fact, each VM instance created with the Docker workflow comes with a Portainer container already running in Docker. Once that instance is launched, you're already up and running with a convenient GUI (on port 9000) for launching and managing your containers.

multipass launch docker -n <instance-name>

multipass launch docker -n dk

multipass info dk

To access the docker command interface:

multipass exec dk docker

To create alias for docker:

multipass alias <instance>:<command> <alias-cmd>

multipass alias dk:docker dkr 

To run the hello-world container (the bare dkr form works once the Multipass alias script directory is on your PATH; otherwise prefix it with multipass):

dkr run hello-world 

multipass dkr run hello-world

multipass dkr version

To access Portainer from a browser, open http://<dk_ip_addr>:9000, where dk_ip_addr is the instance address shown by multipass info dk.

Oct 1, 2022

Multipass Images

C:\>multipass find --format json
{
    "errors": [
    ],
    "images": {
        "18.04": {
            "aliases": [
                "bionic"
            ],
            "os": "Ubuntu",
            "release": "18.04 LTS",
            "remote": "",
            "version": "20220921"
        },
        "20.04": {
            "aliases": [
                "focal"
            ],
            "os": "Ubuntu",
            "release": "20.04 LTS",
            "remote": "",
            "version": "20220920"
        },
        "22.04": {
            "aliases": [
                "jammy",
                "lts"
            ],
            "os": "Ubuntu",
            "release": "22.04 LTS",
            "remote": "",
            "version": "20220923"
        },
        "anbox-cloud-appliance": {
            "aliases": [
            ],
            "os": "",
            "release": "Anbox Cloud Appliance",
            "remote": "",
            "version": "latest"
        },
        "appliance:adguard-home": {
            "aliases": [
            ],
            "os": "Ubuntu",
            "release": "AdGuard Home Appliance",
            "remote": "appliance",
            "version": "20200812"
        },
        "appliance:mosquitto": {
            "aliases": [
            ],
            "os": "Ubuntu",
            "release": "Mosquitto Appliance",
            "remote": "appliance",
            "version": "20200812"
        },
        "appliance:nextcloud": {
            "aliases": [
            ],
            "os": "Ubuntu",
            "release": "Nextcloud Appliance",
            "remote": "appliance",
            "version": "20200812"
        },
        "appliance:openhab": {
            "aliases": [
            ],
            "os": "Ubuntu",
            "release": "openHAB Home Appliance",
            "remote": "appliance",
            "version": "20200812"
        },
        "appliance:plexmediaserver": {
            "aliases": [
            ],
            "os": "Ubuntu",
            "release": "Plex Media Server Appliance",
            "remote": "appliance",
            "version": "20200812"
        },
        "charm-dev": {
            "aliases": [
            ],
            "os": "",
            "release": "A development and testing environment for charmers",
            "remote": "",
            "version": "latest"
        },
        "core": {
            "aliases": [
                "core16"
            ],
            "os": "Ubuntu",
            "release": "Core 16",
            "remote": "",
            "version": "20200818"
        },
        "core18": {
            "aliases": [
            ],
            "os": "Ubuntu",
            "release": "Core 18",
            "remote": "",
            "version": "20211124"
        },
        "docker": {
            "aliases": [
            ],
            "os": "",
            "release": "A Docker environment with Portainer and related tools",
            "remote": "",
            "version": "latest"
        },
        "jellyfin": {
            "aliases": [
            ],
            "os": "",
            "release": "Jellyfin is a Free Software Media System that puts you in control of managing and streaming your media.",
            "remote": "",
            "version": "latest"
        },
        "minikube": {
            "aliases": [
            ],
            "os": "",
            "release": "minikube is local Kubernetes",
            "remote": "",
            "version": "latest"
        },
        "snapcraft:core18": {
            "aliases": [
                "18.04"
            ],
            "os": "",
            "release": "Snapcraft builder for Core 18",
            "remote": "snapcraft",
            "version": "20201111"
        },
        "snapcraft:core20": {
            "aliases": [
                "20.04"
            ],
            "os": "",
            "release": "Snapcraft builder for Core 20",
            "remote": "snapcraft",
            "version": "20210921"
        },
        "snapcraft:core22": {
            "aliases": [
                "22.04"
            ],
            "os": "",
            "release": "Snapcraft builder for Core 22",
            "remote": "snapcraft",
            "version": "20220426"
        }
    }
}

C:\>multipass version --format json
{
    "multipass": "1.10.1+win",
    "multipassd": "1.10.1+win"
}

C:\>multipass find --format -h
Usage: multipass find [options] [<remote:>][<string>]
Lists available images matching <string> for creating instances from.
With no search string, lists all aliases for supported Ubuntu releases.

Options:
  -?, -h, --help      Displays help on commandline options
  -v, --verbose       Increase logging verbosity. Repeat the 'v' in the short
                      option for more detail. Maximum verbosity is obtained with
                      4 (or more) v's, i.e. -vvvv.
  --show-unsupported  Show unsupported cloud images as well
  --format <format>   Output list in the requested format.
                      Valid formats are: table (default), json, csv and yaml

Arguments:
  string              An optional value to search for in [<remote:>]<string>
                      format, where <remote> can be either ‘release’ or ‘daily’.
                      If <remote> is omitted, it will search ‘release‘ first,
                      and if no matches are found, it will then search ‘daily‘.
                      <string> can be a partial image hash or an Ubuntu release
                      version, codename or alias.

multipass find --format table