BKMs #1: Disabling SELinux

To temporarily disable SELinux on CentOS/RedHat EL run:

# echo 0 > /selinux/enforce

For permanent disabling, run:

# sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config

BKMs #0: Setting Up air gapped machine

Here's how I've setup and maintain Linux-based (Debian) air gapped computer.

Getting Debian

1) From trusted environment (I used computer and network at my work) I've downloaded debian.iso:

 $ wget http://cdimage.debian.org/debian-cd/7.2.0/i386/iso-dvd/debian\ 
-7.2.0-i386-DVD-1.iso

2) I've downloaded SHA1 sum and it's signature:

 $ wget http://cdimage.debian.org/debian-cd/7.2.0/i386/iso-dvd/SHA1SUMS.sign

3) To verify signature I needed Debian's cd/dvd signing key:

I googled exactly what I needed: "debian cd signing key", first match looked very promising: http://www.debian.org/CD/verify

I found (there was also second key with uid "Debian CD signing key" but with older date) what I was looking for:

pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
      uid                  Debian CD signing key 
sub   4096R/11CD9819 2011-01-05

To be sure that http://www.debian.org/CD/verify site wasn't compromised at a time I was viewing it - I visited Google Cache of this site and compared key of interest:

pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
      uid                  Debian CD signing key 
sub   4096R/11CD9819 2011-01-05

Good - exactly the same. One have to bear in mind that best practice is to check keyid/fingerprint of given cryptographic key from at least two sources (it's more difficult to compromise two sources at once). I used official Debian website as a first source and Google Cache of this site as second source. It's somewhat simpler approach (I don't need to look for second source which is sometimes tedious) but it's crucial to check date of generating cache by the Google. In this situtation older cache is better, for example if cache was generated ten days ago (and keys are identical on both current and cached versions) it means that site wasn't compromised OR it was compromised but nobody spotted it for 10 days (which is highly unlikely because many Debian developers see and use this site and would notice that keys listed there are forged).

4) Now that I identified valid key and verified that the source of it wasn't compromised, I could fetch key from public keyserver (using key id from above listings) and verify it's fingerpint:

 $ gpg --keyserver pgp.mit.edu --recv-keys 0x6294BE9B
 $ gpg --fingerprint 0x6294BE9B

Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

Good - it's the same as advertised by key owner.

5) Now I can validate (by validating the key I confirm that I trust the owner of the key):

 $ gpg --edit-key 0x6294BE9B (in prompt choose: trust,3,quit)

6) Finally with valid key I can verify signature of downloaded iso image:

 $ gpg --verify SHA1SUMS.sign

7) I burned downloaded iso to DVD disc.

Installation

1) I used my legacy PC machine that I haven't used anymore (even better is to use completely new computer). I used magnetic (as opposed to SSD) disk (it much more difficult to securely erase SSD disks).

2) First I wiped out all the data from the disk (to do that I had to download Debian's liveCD and burn it to CD disc - I've made it from my trusted computer. I followed steps above when downloading livecd), then I boot it on my computer and I run:

 # shred /dev/sda

3) I've double checked that computer isn't connected to network and that it doesn't have wifi card installed (from this point on it will never be connected to network again). Now I could start installing OS.

4) I used following guide to do whole-disk encryption (I skipped part with setting up recovery system). I used Blowfish as an encryption algorithm (I do not trust AES anymore). I used this advice for choosing strong password that I could remember.

Usage

1) I bought new pendirve for moving files on and off my air-gapped machine (by the way I called it vault :) and I shredded it and created FAT16 partition:

 # shred /dev/sdb
 # fdisk /dev/sdb (n,t,w)
 # mkdosfs -F 16 /dev/sdb1

2) I generated gpg key pair on the vault and copied public key to pendrive:

 $ gpg --gen-key
 $ gpg --armor --output vault-key.asc --export 

Assumption is that private key will never leave vault machine. I copied public part (vault-key.asc) to my pendirve and I will share it with persons I need to communicate securely (of course I will also need their public keys for secure 2-way communication).

3) Also pendrive's whole-disk encryption is worth considering but I wanted to be able to use this pendrive both on Linux and Windows machines so I skipped this step for now (when I will transfer something sensitive I can always encrypt it with vault's public key).

4) I have now reasonably secure, air gapped computer. It's by no mean perfect: the way how files are transfered back and forth vault is obviously it's weakest point. Trusted "converters" or "verifiers" as mentioned here would help, but someone would have to write it first which isn't trivial.

5) Some typical maintenance issues and the way I deal with it:
- In case I will need more software I can always repeat steps "Getting Debian" to download second (or third) Debian's DVD.
- Keeping software up to date can be achieved by downloading Debian's update iso images.
- One more thing that I leave for now is maintaining secure backups of vault's disk - but it's doable.

Setting Up a Metasploit Development Environment for CentOS/Fedora

Here are steps to quickly set up development environment for Metasploit Project on rpm-based (CentOS & Fedora Core) Linux distros. The following is shortened version of official Metasploit tutorial (which describes whole process for Debian/Ubuntu distros). Idea is to prepare basic environment to start development quickly.

Install required packages:

 # yum -y install postgresql-devel libpcap-devel git

Install Ruby environment:

 $ curl -L https://get.rvm.io | bash -s stable --autolibs=enabled \
     --ruby=1.9.3

I got complaints about checksum verification, so I had to run:

 $ ~/.rvm/bin/rvm get stable

and now rerun:

 $ curl -L https://get.rvm.io | bash -s stable --autolibs=enabled \
     --ruby=1.9.3

Source rvm environment for current Bash session (also remember to add it to your ~/.bashrc):

 $ source ~/.rvm/scripts/rvm

Set your default ruby and gemset:

 $ rvm use --create --default 1.9.3-p448@msf

On CentOS when I tried to run from my metasploit-framework checkout:

 $ gem install bundle && bundle install

I got following error message:

 ERROR:  While executing gem ... (Gem::FilePermissionError)
 You don't have write permissions into the
 ~/.rvm/gems/ruby-1.9.3-p448@msf/bin directory.

It turned out that ~/.rvm/gems/ruby-1.9.3-p448@msf/bin directory doesn't exist - creating it solved the problem:

 $ cd ~/.rvm/gems/ruby-1.9.3-p448@msf
 $ mkdir bin

Ater rerun:

 $ gem install bundle && bundle install

I got similar error message (on CentOS):

 ERROR:  While executing gem ... (Gem::FilePermissionError)
 You don't have write permissions into the
 ~/.rvm/gems/ruby-1.9.3-p448@metasploit-framework/bin directory.

As previously, creating bin/ directory solved the issue:

 $ cd ~/.rvm/gems/ruby-1.9.3-p448@metasploit-framework
 $ mkdir bin

From now on bundle installation went smoothly and soon I was able to start msfconsole from my metasploit-framework directory:

 $ ./msfconsole -L

It's all that is required to start hacking on Metasploit codebase. I've ommited some optional steps listed in official tutorial - most notably step with forking official Metasploit repo, but because it is only required to perform pull requests, one can postpone it for now and do it when his new feature/module will be initially implemented.

SSL essentials for system administrators

X.509 standard specifies format for public key certificates.

Structure of a public key certificate is expressed in a formal language: ASN.1.

Creating self-signed certificate:

1) create private key & public key (without passphrase)

$ openssl genrsa -out server.key 2048

2) only private key was generated, but public key can be always extracted from it:

$ openssl rsa -in server.key -pubout

3) create certificate-signing request (CSR). It will contain public key of the entity requesting the certificate and information about the entity.

$ openssl req -new -key server.key -out server.csr

4) sign your own certificate using CSR and your private key (for real certs it would be private key of Certificate Authority)

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5) examine the contents of your certificate

$ openssl x509 -text -in server.crt

Adding SSL support in Apache2:

<IfModule mod_ssl.c>
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/httpd/conf/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
</VirtualHost>
</IfModule>

SSL deployment best practices can be found here.

Example certificate in text format:

Certificate:
Data:
Version: 1 (0x0)
Serial Number:
    aa:c9:e7:2b:f7:fe:38:e2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=PL, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=www.mysecuresite.com/emailAddress=xxx
Validity
    Not Before: Feb  7 13:28:40 2013 GMT
    Not After : Feb  7 13:28:40 2014 GMT
Subject: C=PL, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=www.mysecuresite.com/emailAddress=xxx
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
	Public-Key: (2048 bit)
	Modulus:
	    00:df:02:92:d7:f4:0d:08:a0:78:14:f3:d4:a6:ff:
	    d7:36:ce:1d:75:90:92:af:c6:79:b1:e9:7a:60:2e:
	    b3:8a:77:94:79:c0:4f:a2:07:50:c0:9b:9e:38:9d:
	    a2:80:a9:c6:97:24:3d:80:da:13:15:63:f0:46:aa:
	    98:4d:3a:0b:37:94:4b:d9:bf:fd:8e:b6:7e:b7:46:
	    a1:58:05:20:9c:e0:6f:85:21:35:8a:14:04:7c:11:
	    0b:ed:1e:d5:24:98:0d:60:48:3f:40:51:38:17:05:
	    46:5a:2f:78:0d:64:f7:83:0a:e2:86:63:e0:23:18:
	    9a:ca:29:32:70:43:4e:41:ca:c9:57:5a:c8:9a:a7:
	    3d:50:63:96:b5:99:5a:c5:21:29:39:a5:6e:37:fb:
	    60:14:a4:a4:c7:4d:98:dc:1e:fa:c5:3e:b7:e1:ad:
	    2e:e5:c2:83:30:af:81:5d:0b:b2:19:26:6a:04:0b:
	    0b:e1:a6:70:75:ee:a2:fa:32:8d:b6:89:c8:ad:9f:
	    f0:25:66:29:27:e9:16:bf:1e:2f:ab:d4:29:af:33:
	    46:a1:c8:84:36:9a:f9:67:1a:e7:0e:e3:ac:bf:a4:
	    54:e6:e4:8d:dc:e2:1b:ad:3f:b9:3f:8c:af:7e:72:
	    27:ea:6b:6f:c7:cd:54:5a:4b:b0:e8:0a:2b:b4:dc:
	    aa:b1
	Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
57:96:60:2f:97:92:a7:b4:23:9d:0d:17:62:33:e2:bb:df:34:
c1:5c:43:df:63:c1:78:53:8c:a7:e5:ad:25:3a:5f:1d:f7:70:
2b:0b:28:33:61:f9:94:6f:4f:19:e0:2d:fc:fd:40:ad:8b:5c:
cc:b3:7d:0c:ed:85:05:ad:d5:ec:9f:61:61:d7:e4:89:12:5d:
f4:97:c4:a5:b2:37:4f:15:5b:da:f2:80:a0:5d:a7:91:5f:77:
1b:ee:2e:03:3f:10:3e:2c:bf:7e:f9:c0:5b:21:04:97:bb:42:
c9:f9:b6:30:99:8d:1a:35:7c:8e:6e:2a:91:c1:c0:2c:06:53:
eb:f5:72:a1:44:f5:b5:e0:b8:b8:3f:cd:34:2c:10:0b:69:ea:
11:a8:98:00:28:f8:36:64:18:53:73:fd:7f:35:81:cd:5a:7e:
a4:34:2f:8b:b9:54:46:94:6d:d4:13:13:e2:16:df:73:9b:0d:
fe:ce:1f:53:5c:ff:cd:91:d6:60:7d:bf:65:35:67:f6:57:a9:
8a:f8:ff:d3:23:4e:a0:83:41:5f:22:dc:4c:39:06:02:84:0f:
82:21:72:21:e7:d9:14:5d:9a:66:36:38:ba:15:af:97:45:06:
dc:da:9a:e3:6d:e4:61:36:42:ba:82:39:44:a4:35:cb:75:56:
2d:36:b0:9a

most important fields:
1) Issuer: #certificate authority, Verisign for example (Issuer == Subject in case of self-signed certificates)
2) Subject: CN: #common name, it's the part that must match the host being authenticated (it should be domain name of your server)

Certificates are commonly stored in two formats:
1) DER binary with extensions: .cer, .crt, .der
2) PEM (Privacy Enhanced Mail), base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" with extension .pem

Getting certificate in PEM format from remote server:

$ openssl s_client -connect <ip:port> < /dev/null 2> /dev/null | openssl x509

Showing remote certificate in text format:

$ openssl s_client -connect <ip:port> < /dev/null 2> /dev/null | \
    openssl x509 -noout -text

Creating fingerprints (sha1):

$ openssl s_client -connect <ip:port> < /dev/null 2> /dev/null | \
    openssl x509 -noout -fingerprint

Simple debugging technique:

$ openssl s_client -connect <ip:port> -state -debug

Google maintains database of SSL certificates that were found by it's web crawlers. To check whether given certificate is available in Google's database (Google Certificate Catalog) do this:
calculate sha1 fingerprint of chosen certificate:

$ openssl s_client -connect <ip:port> < /dev/null | \ 
    openssl x509 -outform DER | openssl sha1

look up a TXT record with calculated fingerprint as a name in the certs.googlednstest.com domain:

$ dig +short 405062e5befde4af97e9382af16cc87c8fb7c4e2.certs.googlednstest.com TXT

You will get three numbers: the first number is the day that Google's crawlers first saw that certificate, the second is the most recent day, and the third is the number of days we saw it in between.
Only Certificates that satisfy following criteria will appear in Google's catalog: it must by correctly signed (either by a CA or self-signed); it must have correct domain name, that is, one that matches the one we used to retrieve the certificate.

Useful looping constructs in Bash

Handy "looping" constructs which I frequently use in my Bash scripts & one-liners:

1) loop over files

for FILE in /etc/*; do echo "etc file: $FILE"; done

OR:

for FILE in `find / -type f -name conf`; do 
    echo "File with 'conf' in name: $FILE"; 
done

2) loop over lines in file

cat /etc/hosts | while read LINE; do echo $LINE; done

OR:

while read LINE; do echo $LINE; done < /etc/hosts

3) loop over words in a file

for WORD in `cat /etc/hosts`; do echo $WORD; done

4) loop over elements in array

A=(a b c)
for i in ${A[@]}; do
    echo $i
done

Some more advanced (but also useful) constructs:

1) looping over array of functions & executing each function

FUNC_LIST=(func1 func2)

function func1 {
    echo 'func1 here'
}

function func2 {
    echo 'func2 here'
}

for func in ${FUNC_LIST[@]}; do
    eval $func
done 

2) passing array to function

ARR=(el1 el2)

function func {
    declare -a argArray=("${!1}")
    echo "${argArray[@]}"
}

func ARR[@]