Posts

Contents Basic terminology Installation Java Distribution Package (yum or deb) tarball Configuration Core Memory Verify Firewall RHEL/Centos 7 The REST API Health Statistics List Indicies List Nodes Document Operations Create Index With Mappings Index Naming Conventions Populating an Index Auto Document Identifiers Retreiving Documents Existance Checking Updating Documents Deleting Documents Deleting an Index Reindexing an Index Aliasing an Index The Mapping API The Multi Get API The Bulk API Bulk Loading from JSON File Searching Background The TF/IDF Algorithm The Query DSL Query Context Filter Context Stateful vs Stateless Searching Multiple Indices Searching with Query String Params Search Multiple Indexes Searching using the Request Body Term Search Full Text Search Boolean Compound Queries Aggregations Metric Aggregations Cardinality Aggregation FieldData with The Mapping API Bucketing Aggregations Nested Aggregations Filter Aggregation X-Pack Security Kerberos with Active Directory krb5.conf Kerberos Principals (keytab fun) msktutil ktpass Elasticsearch Configuration X-Pack Setup Users Kibana Configuration Create Users Test it Troubleshooting gss context negotiation failure Defective token detected Kerberos clock skew Logon name already exists in the enterprise Creating Test Data Basic terminology Node is a single server within a cluster. Nodes perform the actual indexing and search work. Each node has a unique id and name. Cluster a collection of nodes that work together to achieve a shared goal. Is assigned a unique name, which by default is elasticsearch. This name is used to join nodes. Index is a collection of similar (not the same) documents, and is uniquely identified by name. By default every index is given 5 shards and 1 replica. Types represents an entity with a similar set of characteristics, and in essence are a way of partitioning documents up. For example book reviews and book comments could each be modelled as types. Document is the unit of information to be indexed. Represented as JSON. Every document must have a type and an index it belongs to. Shards are the division of an index across nodes. This enables the cluster to parallise the work of index store and retreival operations. Replicas clone shards across other nodes one or more times, providing high availability (in the event an individual shard node fails) and increasing search throughput. Installation Java Make sure an Oracle 8 or 10 JVM is available. Elastic 6.4.x interestingly JVM support matrix only supports four JVM’s. ...

A paper I prepared as part of the UNSW Master of Cyber Security. Alternately available as LaTeX and PDF. Abstract This paper discusses the motivations behind computer network exploitation, the general lifecycle of an attack operation, and the frictions and asymmetries that exist between both the attacker and the efender. One of the greatest challenges is fitting the ever-increasing and changing amount of information into a whole plan or framework to develop the right strategies to prevent such attacks. Armed with his knowledge seek out the creation of a structured general purpose framework for developing offensive strategies, the components described within it, its design philosophy, and how it can be used. It is eant to provide a concrete and structured approach to CNO strategy development. ...

Some fun I hacking on a boot to root challenge I did with a mate recently. Enumeration OS Fingerprint root@kali:~/boot2root# nmap -O 192.168.0.102 Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-26 22:44 EDT Nmap scan report for 192.168.0.102 Host is up (0.00022s latency). Not shown: 986 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server 8009/tcp open ajp13 8080/tcp open http-proxy 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown 49156/tcp open unknown 49157/tcp open unknown MAC Address: 00:50:56:A3:B7:92 (VMware) Device type: general purpose Running: Microsoft Windows 2008|Vista|7 OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_vista::sp1:home_premium cpe:/o:microsoft:windows_7 OS details: Microsoft Windows Server 2008 R2 SP1, Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008 Network Distance: 1 hop OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 66.26 seconds A Windows box, running a bunch of services like ftp, two http servers, smb and ajp. ...

Intro Containers, and specifically Docker are attracting a crazy amount of industry attention, particularly, I’m finding the software dev space. Slide 1 OK, just quickly what is Docker. Docker is a computer program that performs operating-system-level virtualization also known as containerization. Docker is used to run software packages called “containers”. “Build once, configure once, and run anywhere.” Slide 2 In a containerised world, the container becomes the standard unit of management and deployment. Containers provide a safe and consistent space for processes to run in. A container for example, could contain an Apache web server and all the dependencies it requires. Containers can in theory run all sorts of workloads…webapps, database servers, desktop processes. ...

Awesome tip #1: In metasploit console (msfconsole), once you have loaded up an exploit, take show payloads for a spin. This will show all payloads that are compatible with the given exploit. Awesome! Today we got the chance to work on Metasploitable 3, a Windows VM with a number of vunerability and flags (15ish of them). Its a great way to take this knowledge and apply it to an actual machine. I wont detail a full walkthrough, as there are already plenty, and I don’t want to ruin the learning experience. ...

Privilege Escalation. Basics On Windows, SYSTEM is the highest privilege possible. Local Administrators can effectively get SYSTEM privileges. On Linux, root (uid=0) is the highest privilege possible. Regular users can escalate to root privileges on demand (i.e. sudo). Techniques Kernel exploits - leverage a flaw in the OS. Vunerabilty is determined by researching kernel version, patch levels. Tend to be patched quickly. High privileged programs - get a program running at a higher privilege to execute your code. Often things are unnessarily run with high privileges for convenience sake. For example, JBoss running on TomCat, running as root. Deploy a WAR to JBoss with an embedded reverse shell. Credential theft - leverage techniques to compromise a user with higher privileges. The primary method of lateral movement within organisations. Dumping of hashes, such as responder, SCF files on writab shares, UNC requests (when a user attempts to \\server an auth request is sent and can be captured), network sniffing. Password reuse. SCF to steal credentials. Insecure configurations - abuse incorrectly services or programs. Service paths with whitespace is a great example e.g. C:\anti-virus\virus definition\bin\update.exe, Windows path probing will attempt to find and run C:\anti-virus\virus.exe. On Linux in the /etc/shadow file, the prefix e.g. $6 indicates the hash function and salt, for example, this entry: ...

Exploitation An exploit is some software which leverages a vunerability to perform an action. Important to differientiate the payload from the exploit. A payload is something executed via an exploit. Finding Exploits Exploit DB Google SearchSploit - a local mirror of exploit-db; useful for local cached copies. For example CVE-2008-4250, maybe assigned different vendor specific labels. In this case MSE08-067, by searching Google and heading to the Microsoft security bullitin: ...

Covers basics starting with enumeration. There is a process to exposing vunerabilities. Not a linear process. Imposter syndrome is huge in this field, due to the complexity of the field, and how many domains it covers. The anatomy of a hack (EEE); Enumeration, Exploitation, Escalation There are multiple ways to do one thing, for example to figure out if the sshd daemon is running you could: Check if port 22 is listening netstat -tlp Check if the sshd process is running Try to ssh connect to the daemon List the running services through systemd Tools Tools to grok: ...

Recently I’ve had the opportunity to dig into Apache Spark, thanks to some training from Brian Bloechle from Cloudera. What is spark? Fast, flexible, and developer friendly, Apache Spark is the leading platform for large scale SQL, batch processing, stream processing, and machine learning. Java, Scala, Python and R are first class citizens when its comes to consuming the various Spark API’s. I’ll cover PySpark in more detail. Spark is an agnostic processing engine, that can target a number of cluster managers including Spark Standalone, Hadoop’s YARN, Apache Mesos and Kubernetes. In the context of Spark, some useful surrounding ecosystem to be aware of: ...

Installation on Linux is well documented. wget https://www.scootersoftware.com/bcompare-4.2.4.22795.x86_64.rpm su rpm --import https://www.scootersoftware.com/RPM-GPG-KEY-scootersoftware yum install bcompare-4.2.4.22795.x86_64.rpm On my Fedora 27 box, I found the launcher bash /usr/bin/bcompare exits with a return code of 1, if the linker cannot resolve all dependencies. BC_LIB=/usr/lib64/beyondcompare export BC_LIB EXEC=$BC_LIB/BCompare #check to see if we have all of the shared libraries. CHECK=`ldd $EXEC | grep "not found" | wc -l` if [ "$CHECK" -ne "0" ]; then echo Some Shared Libraries were not found ldd $EXEC exit 1 fi Dumping out the shared libs BCompare depends on: ...