Category Archives: Technology

Configure apache to log the real client IP instead of cloudflare IP in http access logs (WordPress)

If you are running a WordPress site and you have cloudflare setup, you may have noticed that the http access logs log the IP of cloudflare instead of the actual client IP. This is a guide to enable logging of the real client IP instead of the cloudflare IP in the apache2 logs. This was tested on a Ubuntu 20.04 machine + apache2 and traffic is proxied from cloudflare.

Install Prerequisites:

sudo apt-get install apache2-dev libtool git

Git clone the mod_clouflare repo from cloulflare:

cd ~/
git clone https://github.com/cloudflare/mod_cloudflare.git
cd mod_cloudflare

Use the Apache extension tool to convert the .c file into a module:

apxs -a -i -c mod_cloudflare.c

Restart Apache:

sudo apachectl restart

Verify that the module is active:

apache2ctl -M|grep cloudflare

The output should show “cloudflare_module (shared)

Now your apache logs should show the real client IP instead of the cloudflare IPs.

tail -f /var/log/apache2/access.log

-Below is screenshot of access log that shows the real client IP(right click and open image in new lab for high res image):

access.log screenshot

Sources/Credits/References:

Cloudflare
Noirth Security

DFIR – Analyze Windows Event Logs (evtx) from a Linux machine using sigma rules, chainsaw and evtx dump

At work, I had a task to perform a quick compromise assessment for a hacked Windows server and I got a bunch of etvx files from the suspected host for analysis. I run Linux Mint + i3-gaps and its much easier and productive performing forensics from a Linux machine than Windows in my honest opinion. This post is meant for Linux users who want to perform Digital Forensics to find IOCs from Windows artifacts such as event logs / evtx files. Here my setup for forensics analsys for windows from a Linux perspective and the tools that I use.

Here are some tools that will come handy:

apt update && apt install git vim tar jq libxml2-utils source-highlight -y

Sigma Rules:

Get the latest sigma rules:

cd ~/
git clone https://github.com/SigmaHQ/sigma
git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git

Chainsaw:

– Install chainsaw:

wget https://github.com/WithSecureLabs/chainsaw/releases/download/v2.9.1-2/chainsaw_x86_64-unknown-linux-gnu.tar.gz -O ~/chainsaw.tar.gz
tar zxvf ~/chainsaw.tar.gz
chmod +x ~/chainsaw/chainsaw

Example: Assume that you have a bunch of evtx files that you want to analyze and you have it in a directory "~/EVTX-ATTACK-SAMPLES/", you can run chainsaw against the directory where the evtx files are stored with the below command:

./chainsaw/chainsaw hunt ~/EVTX-ATTACK-SAMPLES/ -s ~/sigma/ --mapping ~/chainsaw/mappings/sigma-event-logs-all.yml -r ~/sigma/rules

– The above will output the findings in stdout.

Now, let say you want to output these in csv for reporting or further analysis, you can run the below:

./chainsaw/chainsaw hunt ~/EVTX-ATTACK-SAMPLES/ -s ~/sigma/ --mapping ~/chainsaw/mappings/sigma-event-logs-all.yml -r ~/sigma/rules/ --csv --output csv-outputs

Alternatively, chainsaw also has the option to output in json file. This comes handy if you want to injest into a SIEM tool like Wazuh/Opensearch/ES/Spunk.

/chainsaw/chainsaw hunt ~/EVTX-ATTACK-SAMPLES/ -s ~/sigma/ --mapping ~/chainsaw/mappings/sigma-event-logs-all.yml -r ~/sigma/rules/ --json --output json-output

Chainsaw filters and advanced searching:

– Chainsaw has options to search for specific event ids. For example, to search for Login Failures (Windows Event ID = 4625), you use the below command:

./chainsaw search -t 'Event.System.EventID: =4625' windows-log.evtx

– To search for specific strings such as to search for lssas dumps:

./chainsaw search -e "lsass" -i windows-log.evtx

– You can also search an entire directory of evtx files as well:

./chainsaw search -e "lsass" -i  ~/EVTX-ATTACK-SAMPLES/

– To search for events between two timeframes:

./chainsaw/chainsaw hunt ~/EVTX-ATTACK-SAMPLES/ -s ~/sigma/ --mapping ~/chainsaw/mappings/sigma-event-logs-all.yml -r ~/sigma/rules/ --from "2021-11-01T07:01:00" --to "2022-01-01T07:01:00"

– Below is screenshot for reference. (Right click image and open in new tab for better visual)

Evtx Dump:

If you like to dump all the events in a Windows event file for further analysis, there is an awesome opensource tool that allows you to just do that.

wget https://github.com/omerbenamram/evtx/releases/download/v0.8.2/evtx_dump-v0.8.2-x86_64-unknown-linux-gnu -O ~/evtx_dump
chmod +x ~/evtx_dump

–  To use the dump (Events will be separated with string “Event <count>” in the output file). This is handy when using vim/less by searching for “^Event ” and then using “n” to go the next event.

./evtx_dump-v0.8.2-x86_64-unknown-linux-gnu \
EVTX-ATTACK-SAMPLES/Discovery/4799_remote_local_groups_enumeration.evtx -f 4799_remote_local_groups_enumeration.parsed.xml


- Another method is to print to stdout and redirect to file:

./evtx_dump-v0.8.2-x86_64-unknown-linux-gnu \
EVTX-ATTACK-SAMPLES/Discovery/4799_remote_local_groups_enumeration.evtx > 4799_remote_local_groups_enumeration.parsed.xml
  • To generate the dump without the event separators in xml format:
./evtx_dump-v0.8.2-x86_64-unknown-linux-gnu \
--dont-show-record-number \
EVTX-ATTACK-SAMPLES/Discovery/4799_remote_local_groups_enumeration.evtx  -f 4799_remote_local_groups_enumeration.parsed.xml
– With this xml format, you can open this inside vim or use source-highlight to make it more readable.
cat 4799_remote_local_groups_enumeration.parsed.xml | xmllint --format - | source-highlight -s xml -f esc | less -R
  • To generate in json format:
./evtx_dump-v0.8.2-x86_64-unknown-linux-gnu \
EVTX-ATTACK-SAMPLES/Discovery/4799_remote_local_groups_enumeration.evtx -o json -f 4799_remote_local_groups_enumeration.parsed.json

./evtx_dump-v0.8.2-x86_64-unknown-linux-gnu \
--dont-show-record-number \
EVTX-ATTACK-SAMPLES/Discovery/4799_remote_local_groups_enumeration.evtx -o json -f 4799_remote_local_groups_enumeration.parsed.json

- For jsonl format, you the below:

./evtx_dump-v0.8.2-x86_64-unknown-linux-gnu \
EVTX-ATTACK-SAMPLES/Discovery/4799_remote_local_groups_enumeration.evtx -o jsonl -f 4799_remote_local_groups_enumeration.parsed.json
  • Here is CLI usage:
./evtx_dump-v0.8.2-x86_64-unknown-linux-gnu -h

Credits/References:

Chainsaw github
EVTX-ATTACK-SAMPLES
izzyboop

Hope this helps. Happy Hunting Defenders! 🙂

ΞXΤЯ3МΞ

Increase OS Disk Size of an Azure Linux VM

If you try to expand the disk without stopping/de-allocating the VM, depending on disk config it may not allow your to change the size and a banner with message “Changes to the disk size can be made only when the disk is unattached or the managing virtual machine(s) are deallocated.” would be displayed. To increase the disk size of a Linux VM, you can perform the following:

In my environment, the VM OS disk size was smaller than 4TB and could not be resized using the online method that could be done without downtime(it requires some special configuration which I didnt really get deep into). This method will involve shutting down the VM, de-allocating the VM, increasing the disk and then bringing the disk back online. So, there would be some downtime.
Another thing:

Note: Replace text in blue with your environment specific values.

1. Stop the VM:

az vm stop –resource-group Resource-Group-Name –name VM-NAME –subscription SUBSCRIPTION-ID

2. De-allocate the VM: (This may take a few minutes)

az vm deallocate –resource-group Resource-Group-Name –name VM-NAME –subscription SUBSCRIPTION-ID

3. Increase the Disk (from the UI):

-Navigate to the VM in Azure. Click on “Disks”

 

-Select the disk that you need to resize.

 

Click on “Size + performance” and select the disk size to which you want to increase to and then click on “Save”

4. Start the VM:

az vm start –resource-group Resource-Group-Name –name VM-NAME –subscription SUBSCRIPTION-ID

My Azure VM was based on Ubuntu 20.04.x and did not need additional changes in the OS. After the VM booted backup, it did automatically expand to the new allocated size.

Some of my thoughts on Azure Naming and resizing:
For some wierd reason, Azure does not make things easy for resizing disks. Ideally, you should be able to shutdown the VM and increase the disk, BUT Azure needs you to de-allocate the VM before you can make any changes to the disk. Another strange thing Azure decided to do is to label “de-allocate VM” instead of some sane label as at first it sound as if going to delete the VM and all its data when when in reality it does not.

Sources/References:
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/expand-disks?tabs=ubuntu

If you have any queries/feedback regarding this, feel free to leave a comment below and will get back to you as soon as I can.

Install MacOS Ventura on Proxmox 8.x

This is a guide on how to configure and install MacOS Ventura on Promox 8.x.x. (This was tested in my lab which runs Proxmox 8.0.3 and 8.0.4. It should work for other versions as well)

Requirements:

  1. Proxmox 8.x.x
  2. Opencore ISO [ Link: https://github.com/thenickdude/KVM-Opencore/releases . https://github.com/thenickdude/KVM-Opencore/releases/tag/v20]
  3. MacOS Ventura ISO (You can get this from archive.org)
  4. Root access to Proxmox to edit config

Steps to configure:

Download the OpenCore-v20.iso.gz  from KVM-Opencore and extract it. [Link: https://github.com/thenickdude/KVM-Opencore/releases/tag/v20 ].

Create a VM in Proxmox with the below settings:

  • Select ISO Image as Opencore iso
  • Set Guest OS type to “Other
  • Set Graphics card as “Vmware compatible”, Machine type “q35
  • Set BIOS to OMVF UEFI, add EFI Disk and select disk. Un-select Pre-enroll keys. Select SCSI Controller to “VirtIO SCSI
  • Set hard disk as “VirtIO Block” , size = 64GB, cache = Write back unsafe
  • CPU: Set 1 Socket, 4 Cores, Type as “Host”
  • 4GB Min RAM
  • Set NIC to Vmware vmxnet3
  • Then add second cd, select Bus/Device as defaults(IDE) and add MAC OS ISO.
  • Change boot order so that opencore is first and then second is macos

Minor Changes needed for it to work:

  • SSH into the Proxmox host and edit the VM config: (the VM ID = 100 for my newly created VM. It may be different in yours)

/vim /etc/pve/qemu-server/100.conf

  • If your Proxmox server is running on an Intel CPU, then below line in top of the file:


args: -device isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" -smbios type=2 -device usb-kbd,bus=ehci.0,port=2 -global nec-usb-xhci.msi=off -global ICH9-LPC.acpi-pci-hotplug-with-bridge-support=off -cpu host,vendor=GenuineIntel,+invtsc,+hypervisor,kvm=on,vmware-cpuid-freq=on

  • If your Proxmox host is running on an AMD CPU, use the below line instead:


args: -device isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" -smbios type=2 -device usb-kbd,bus=ehci.0,port=2 -global nec-usb-xhci.msi=off -global ICH9-LPC.acpi-pci-hotplug-with-bridge-support=off -cpu Haswell-noTSX,vendor=GenuineIntel,+invtsc,+hypervisor,kvm=on,vmware-cpuid-freq=on

Now, change the media=cdrom to cache=unsafe. Here is a sed command to do so:


sed -i 's/media=cdrom/cache=unsafe/g' /etc/pve/qemu-server/100.conf

Below is my config for reference (/etc/pve/qemu-server/100.conf):


args: -device isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" -smbios type=2 -device usb-kbd,bus=ehci.0,port=2 -global nec-usb-xhci.msi=off -global ICH9-LPC.acpi-pci-hotplug-with-bridge-support=off -cpu host,vendor=GenuineIntel,+invtsc,+hypervisor,kvm=on,vmware-cpuid-freq=on
balloon: 0
bios: ovmf
boot: order=ide2;ide0;virtio0;net0
cores: 4
cpu: host
efidisk0: local-lvm:vm-100-disk-0,efitype=4m,size=4M
ide0: local:iso/macOS Ventura 13.0.1.iso,cache=unsafe,size=13073658K
ide2: local:iso/OpenCore-v20.iso,cache=unsafe,size=150M
machine: q35
memory: 8096
meta: creation-qemu=8.0.2,ctime=1690969304
name: MAC-OS
net0: vmxnet3=D6:41:D1:8F:B5:49,bridge=vmbr0,firewall=1
numa: 0
ostype: other
scsihw: virtio-scsi-pci
smbios1: uuid=57a6ce4a-a710-483a-8577-28c1feae47d4
sockets: 1
vga: vmware
virtio0: local-lvm:vm-100-disk-1,cache=unsafe,iothread=1,size=64G
vmgenid: a9dee6c6-376d-48b9-bc20-3c586856ffb4

Here is a screenshot for reference of the settings page in Proxmox for the MacOS VM:

 

Proxmox MacOS Ventura Settings

– Here is a screenshot of the boot order settings:

– Now Boot the MacOS VM, and select UEFI boot when prompted.
– At boot prompt, run the below:


System\Library\CoreServices\Boot.efi

Installation:

– Open Disk Utility
– Click “View” => Show All Devices.
– Select the First option that shows 64GB disk and click on “Erase”. Once done, close disk utility and click option to start installer.
– Select the disk and continue the install on it

The rest of the installation is pretty straightforward. It did take a very long time for the install to complete along with a few restarts. But, at the end you should be able to boot into the Proxmox VM.

-Here is a screenshot of my VM post install.

MacOS VM login screen after installaton

 

Hope this helps! Cheers

Credits/References:
https://github.com/thenickdude/KVM-Opencore/releases/tag/v20
https://i12bretro.github.io/tutorials/0775.html

Enable promiscuous mode in VMware Workstation

Below are the steps to enable promiscuous mode for a VM in Vmware Workstation.

Shutdown the VM and edit the .vmx file. This is in the directory where your VM’s hard disks were configured to be sure.

vim /home/extr3me/vmware/pfsense/pfsense.vmx

Tip:
You can right click on the VM and select option “Open VM Directory” that will take you to the directory where the .vmx file is located.

Add the below line to the file:

ethernet0.noPromisc = "FALSE"

-If you have multiple interfaces, then add another line and replace the value 0 with 1 etc. Below is an example for two interfaces:

ethernet0.noPromisc = "FALSE"
ethernet1.noPromisc = "FALSE"

Source/Credits/Reference:

https://superuser.com/questions/1209497/how-do-you-enable-promiscuous-mode-in-vmware-workstation#1270695

Setup Wireguard VPN Server and Client in Ubuntu 20.04

This a guide on how to setup Wireguard VPN on Ubuntu and setting up a Wireguard client.

Requirements:

1. Ubuntu Server 20.04 used in my lab. (20.04 or higher is required for Policy routing)

2. Ubuntu Client (Ubuntu 20.04)

3. Root access to the server.

4. Network Access

Note: This should also work on Linux Mint 20.04

Setting up the Wireguard Server

Login to the In my lab, I have set up a EC2 instance and below is the current IP configuration before setting up Wireguard.

root@ip-172-31-20-229:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:ca:92:5f:0e:80 brd ff:ff:ff:ff:ff:ff
    inet 172.31.20.229/20 brd 172.31.31.255 scope global dynamic eth0
       valid_lft 2617sec preferred_lft 2617sec
    inet6 fe80::ca:92ff:fe5f:e80/64 scope link 
       valid_lft forever preferred_lft forever

From above, I have a single interface with IP 172.31.20.229 assigned to eth0.

sudo apt update && sudo apt upgrade -y
sudo apt install wireguard -y

-Switch to root and run the following:

sudo su –

Below are the default permissions on the wireguard dir:

root@ip-172-31-20-229:~# ls -l /etc/ | grep wireguard
drwx------ 2 root root       4096 Aug  4  2020 wireguard

-You could set permissions to the directory as follows:

chmod 0700 /etc/wireguard/
root@ip-172-31-20-229:~# ls -l /etc/ | grep wireguard
drwx------ 2 root root       4096 Aug  4  2020 wireguard

To check the version of Wireguard installed:

root@ip-172-31-20-229:/etc/wireguard# wg --version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/

-Generate public and private key pairs:

cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

This should generate the private and the public key:

root@ip-172-31-20-229:/etc/wireguard# ls -l
total 8
-rw------- 1 root root 45 Jun 30 20:23 privatekey
-rw------- 1 root root 45 Jun 30 20:23 publickey

-Take a note of the private key “privatekeycat privatekey . You will need to add this to the WG server’s conf file.

Setting up the Wireguard Server’s configuration file

vim /etc/wireguard/wg0.conf

Add below content. (Here, I chose the IP as 192.168.6.1 which is the new VPN private address that will be assigned to the interface)

[Interface]
## My VPN server private IP address ##
Address = 192.168.6.1
 
## My VPN server port ##
ListenPort = 41194
 
## VPN server's private key i.e. string from /etc/wireguard/privatekey ##
PrivateKey = ADD_PRIVATE_KEY_HERE

-Allow the port in the Server’s Firewall:

root@ip-172-31-20-229:~# sudo ufw allow 41194/udp
Rules updated
Rules updated (v6)

-To check the status:

sudo ufw status

– Enable wireguard service on boot on the server and start the service:

ubuntu@ip-172-31-20-229:~$ sudo systemctl enable wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] → /lib/systemd/system/[email protected].

ubuntu@ip-172-31-20-229:~$ sudo systemctl start wg-quick@wg0

To check the status of the wireguard service, use the following:

root@ip-172-31-20-229:~# sudo systemctl status wg-quick@wg0
[email protected] - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2022-06-30 21:29:01 UTC; 8min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 2230 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 2230 (code=exited, status=0/SUCCESS)

Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: [email protected]: Succeeded.
Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: Stopped WireGuard via wg-quick(8) for wg0.
Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] ip link add wg0 type wireguard
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] wg setconf wg0 /dev/fd/63
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] ip -4 address add 192.168.6.1/24 dev wg0
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] ip link set mtu 8921 up dev wg0
Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

Checking the ifconfig output, you would see a new interface wg0 is created automatically which is expected.

root@ip-172-31-20-229:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:ca:92:5f:0e:80 brd ff:ff:ff:ff:ff:ff
    inet 172.31.20.229/20 brd 172.31.31.255 scope global dynamic eth0
       valid_lft 2235sec preferred_lft 2235sec
    inet6 fe80::ca:92ff:fe5f:e80/64 scope link 
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8921 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.6.1/24 scope global wg0
       valid_lft forever preferred_lft forever

– You can check wireguard information/stats using the below command:

ubuntu@ip-172-31-20-229:~$ sudo wg
interface: wg0
  public key: pHrkGojLiNZy2GwshmdEXMaaOmowXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 41194

Configuring the VPN Client

  • Login to the client and install Wireguard.
sudo apt install wireguard -y

– Create the configuration file

root@wg-client:~# sudo sh -c 'umask 077; touch /etc/wireguard/wg0.conf'

root@wg-client:~# ls -l /etc/wireguard/wg0.conf 
-rw------- 1 root root 0 Jun 30 20:58 /etc/wireguard/wg0.conf
  • Create a key pair in the client

– In the client machine, create a key pair:

root@wg-client:~# cd /etc/wireguard/

root@wg-client:/etc/wireguard# umask 077; wg genkey | tee privatekey | wg pubkey > publickey

root@wg-client:/etc/wireguard# ls -l 
total 8
-rw------- 1 root root 45 Jun 30 21:01 privatekey
-rw------- 1 root root 45 Jun 30 21:01 publickey
-rw------- 1 root root  0 Jun 30 20:58 wg0.conf
root@wg-client:/etc/wireguard# 

– Take a note of the client’s public key. (This will be added in the server’s config later)

-Take a note of the private key from the client. This will be added in its own config file.

cat privatekey
  • Edit config

vim /etc/wireguard/wg0.conf

– On the client, create the wireguard config file as below:

[Interface]
## Add the client's private key which is from /etc/wireguard/publickey ##
PrivateKey = CLIENT_PRIVATE_KEY_HERE
 
## Client ip address that will be set by this Client ##
Address = 192.168.6.2/24
  
[Peer]
## Ubuntu 20.04 server public key ##
PublicKey = SERVER_PUBLIC_KEY_HERE
 
## set ACL ##
AllowedIPs = 192.168.2.0/24
  
## Your Ubuntu 20.04 LTS server's public IPv4/IPv6 address and port ##
Endpoint = PUBLIC_IP_OF_YOUR_WIREGUARD_SERVER:41194
   
##  Key connection alive ##
PersistentKeepalive = 15

-On the client, enable and start the Wireguard service:

root@wg-client:/etc/wireguard# sudo systemctl enable wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] -> /lib/systemd/system/[email protected].

root@wg-client:/etc/wireguard# sudo systemctl start wg-quick@wg0

– Check the status of the service in the client:

root@wg-client:~# sudo systemctl status wg-quick@wg0
* [email protected] - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2022-06-30 21:35:17 UTC; 5min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 123 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 123 (code=exited, status=0/SUCCESS)
        CPU: 28ms

Jun 30 21:35:17 wg-client systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Jun 30 21:35:17 wg-client wg-quick[123]: [#] ip link add wg0 type wireguard
Jun 30 21:35:17 wg-client wg-quick[123]: [#] wg setconf wg0 /dev/fd/63
Jun 30 21:35:17 wg-client wg-quick[123]: [#] ip -4 address add 192.168.6.2/24 dev wg0
Jun 30 21:35:17 wg-client wg-quick[123]: [#] ip link set mtu 1420 up dev wg0
Jun 30 21:35:17 wg-client systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

-From the above output, we can see that the wireguard service has created the interface wg0 and assigned the IP 192.168.6.2/24 to it. You could also verify this by checking by checking the device ip conf as below:

root@wg-client:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if114: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether aa:3c:37:57:21:8a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.143/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 86010sec preferred_lft 86010sec
    inet6 fe80::a83c:37ff:fe57:218a/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.6.2/24 scope global wg0
       valid_lft forever preferred_lft forever

So far, we can configured the client to talk to the server. But the Server does not know about the client. So, next we need to update the Server’s Wireguard configuration file with the details of the wireguard client.

-Login to the Wireguard Server and add the below block to the server’s wireguard conf:

[Peer]
## Desktop/client VPN public key ##
PublicKey = CLIENT_PUB_KEY_HERE

## client VPN IP address (note  the /32 subnet) ##
AllowedIPs = 192.168.6.2/32

-So, your Wireguard server’s configuration file will be as follows:

[Interface]
## My VPN server private IP address ##
Address = 192.168.6.1
 
## My VPN server port ##
ListenPort = 41194
 
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = ADD_PRIVATE_KEY_HERE

[Peer]
## Desktop/client VPN public key ##
PublicKey = CLIENT_PUB_KEY_HERE

## client VPN IP address (note  the /32 subnet) ##
AllowedIPs = 192.168.6.2/32

– Start the service again on the server:

sudo systemctl start wg-quick@wg0

Verify connectivity from the client => server:

– If the server is in the cloud, then update the security groups tallow the port.

– From the client, ping the server 192.168.6.1

root@wg-client:~# ping 192.168.6.1
PING 192.168.6.1 (192.168.6.1) 56(84) bytes of data.
64 bytes from 192.168.6.1: icmp_seq=1 ttl=64 time=81.9 ms
64 bytes from 192.168.6.1: icmp_seq=2 ttl=64 time=82.5 ms
^C
--- 192.168.6.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 81.886/82.172/82.458/0.286 ms

Checking active connections from Wireguard server:

– To see which clients are connected to the server and the statistics, you can run the below:

root@ip-172-31-20-229:~# sudo wg
interface: wg0
  public key: pHrkGojLiNZy2GwshmdEXMaaOmowXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 41194

peer: 8Zp7Cji5Aseew3L0P3c35sUzJNIPYYYYYYYYYYYYYYY=
  endpoint: 1.2.3.4:33395
  allowed ips: 192.168.6.2/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 3.94 KiB received, 1.47 KiB sent

Additional Information:

For debugging issue with wireguard, you could check the logs:

sudo journalctl -eu wg-quick@wg0

Here is a little cronjob to monitor the tunnel via ping and restart tunnel: (Credits to linuxbabe)

sudo crontab -e

-Add the below:

SHELL=/bin/bash
* * * * * for ((i=1; i<=6; i++)) do (ping -c9 192.168.6.1 > /dev/null || systemctl restart wg-quick@wg0) done

Hope this helps! Cheers!

Sources/References:

https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/

Set Up Your Own WireGuard VPN Server on Ubuntu 24.04/22.04

Hexadecimal basics using basic Linux utilities

This is short guide on how to convert strings and decimal values to hexadecimal and vice-versa using simple Linux utilities such as xxd and printf.

  1. To convert a string to hexadecimal, you can use xxd in Linux.

For example: To convert a string “kali” to hexadecimal, you can use the below format.

extr3me@op3n:~$ echo -n kali | xxd
00000000: 6b61 6c69 kali

To group and display the output a single character at a time, use -c  flag with argument 1.

extr3me@op3n:~$ echo -n kali | xxd -c1
00000000: 6b k
00000001: 61 a
00000002: 6c l
00000003: 69 i

This means the following:

00000000: 6b k <- k is a single character and its hexadecimal value is 6b
00000001: 61 a <- a is a single character and its hexadecimal value is 61
00000002: 6c l <- l is a single character and its hexadecimal value is 6c
00000003: 69 i <- i is a single character and its hexadecimal value is 69

2. Convert Hexadecimal value back to string:

extr3me@op3n:~$ echo -n "6b61 6c69" | xxd -r -p
kali

Dont worry about the spaces, it should still work.

extr3me@op3n:~$ echo -n "6b616c69" | xxd -r -p
kaliextr3me@op3n:~$

3. Convert decimal (number) to hexadecimal

-Lets say you want to convert number 12 to decimal value. To do so, you could use printf as shown below.

extr3me@op3n:~$ printf "%x\n" 12
c

From above output, the hexadecimal value for number 12 (aka decimal 12) is character c.

To find hexadecimal values for values from 1 to 255, you could run through it in a loop

for num in {1..255}; do printf "%x\n" $num ; done | less

Hope these help.

PS: Knowing hexadecimal does come in handy while learning/debugging different protocols.

How to fix “Error opening terminal: xterm-termite” when trying to SSH to a remote host

I am using “termite” on my ArchLinux machine but when I try to SSH to a remote linux machine(Ubuntu) to run some commands, it throws me an error “Error opening terminal: xterm-termite“. This a post on how to fix it.

Quick Fix:

If you are already SSH’ed into the remote machine and you see this issue, you could update the TERM variable on the remote system: (Run on remote system)

export TERM=xterm-256color

Permanent Fix:

The permanent fix is to edit your local ~/.bashrc file to include the following:

if [ "$TERM" = xterm ]; then
TERM=xterm-256color;
fi
export TERM=xterm-256color

In my case, I had to add it to my Arch Linux’s ~/.bashrc file. (i.e not on the remote Ubuntu machine that I am connecting to)

Here is a screenshot from my box: (Right click image and open in new team to view in full screen)

arch linux termite i3-gaps

To verify its fixed, open a new terminal (or source ~/.bashrc again) and SSH into the remote machine. Ideally this should be fixed.

Hope this helps!

Note: If you terminal does not support 256-color, then you may need to change the TERM variable to “xterm-color” instead of “xterm-256color”.

Credits/References:

Github

GDB basics with C

This is a beginner level tutorial on learning basics of debugging using GDB by debugging an executable. This post will cover writing a very simple C code, compiling it and then opening the generated executable in GDB for inspecting the working/debugging. The primary objective here is to get familiar with the basics of using GDB.

Requirements:

  1. Any Linux x64 OS. (Linux Mint 20 used in this tutorial)
  2. C compiler – gcc
  3. gdb – for debugging / reverse engineering.
  4. GDB Dashboard (Optional – Makes GDB easier to read)

[Disclaimer: This is blog post adapted from recurse’s original gdb tutorial.(All Credits/References added in the Credits section)]

Setting up the Environment:

  • Install the following tools to setup the basic environment:

sudo apt install vim gcc gdb git python3 python3-pip -y

GDB Dashboard:

  • To make GDB easier to understand and make it non-alien, use GDB Dashboard which is a really good python plugin  for GDB.  Its epic!
  • Run the following to get the gdbinit dotfile.
wget -P ~ https://git.io/.gdbinit

If you would like to check out the source, you can find it  @ https://github.com/cyrus-and/gdb-dashboard

For syntax highlighting, you would need the pygments module. If you are using Python2.x:

pip install pygments

If you are using Python3.x, then use pip3 to install it:

pip3 install pygments

To run gdb without providing any executable, run “gdb” and you should see the something like below:

extr3me@w4rl0ck:gdb$ gdb
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
>>> 

To exit out of gdb, type  “quit” .

-Below is a simple C program that initializes an integer value and then returns 0.

cat minimal.c
int main()
{
int i = 1337;
return 0;
}

-Compile the C code and make an executable, using the following flags:

gcc -g minimal.c -o minimal

-The directory should now have a executable with filename minimal.

extr3me@w4rl0ck:gdb$ file minimal
minimal: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c918c072d119be6a9d18991e812a5414ecae67e1, for GNU/Linux 3.2.0, with debug_info, not stripped

Debugging the binary using GDB:

-To examine an executable in GDB, use the following format:

gdb <executable_file>

-Here, I would run the following to open the executable for debugging:

gdb minimal

gdb minimal output

Lets check the functions in this program, to do run “info functions”. You should be able to see that this executable has function main().

>>> info functions
All defined functions:

File minimal.c:
1: int main();

Non-debugging symbols:
0x0000000000001000 _init
0x0000000000001030 __cxa_finalize@plt
0x0000000000001040 _start
0x0000000000001070 deregister_tm_clones
0x00000000000010a0 register_tm_clones
0x00000000000010e0 __do_global_dtors_aux
0x0000000000001120 frame_dummy
0x0000000000001140 __libc_csu_init
0x00000000000011b0 __libc_csu_fini
0x00000000000011b8 _fini
Here is a screenshot:

gdb info functions output screenshot

The output also shows that the line number at which main() function is present in the source minimal.c.

From the info functions output, we can also see that function main() is present at line number 1 in source minimal.c.

Breakpoints:

-Lets say we need to examine what a executable is going at a given point of time or to inspect the value of a variable, then we can set one or more breakpoints and run the code upto that breakpoint. You can then examine the the value of a variable upto that breakpoint or directly examine the memory etc.

Breakpoints example: Setting breakpoints using function name

From the previous section,we know that the executable has function main(). Lets start examining the binary using gdb to see the value of “i” at different stages of the execution. To start with,  set a breakpoint at function main using the syntax break <function_name>:

>>> break main
Breakpoint 1 at 0x1129: file minimal.c, line 2.
>>>

To get the list of breakpoints that were set, you can use “info breakpoints”.

>>> info breakpoints
Num Type Disp Enb Address What
1 breakpoint keep y 0x0000000000001129 in main at minimal.c:2

gdb info breakpoints

The above shows that there is one breakpoint which is set at function main() whose starting address in memory is “0x1129” or “0x0000000000001129“.

Note: You can have create multiple breakpoints and they are numbered.

So we have a breakpoint in place, we can run the binary upto the breakpoint that was set. To run the program, use “run” or “r“.

gdb screenshot

This is what it looks like now. (You could now see the GDB dashboard with an insane amount of matrix looking stuff. :P)

[Note:  Right click the image and click on “View Image” / “Open image in new tab” if the image for better visibility. ]

GDB Dashboard screenshot

For this tutorial, we are more interested in few sections of Dashboard as of now –   “Source” , “Threads”, “Variables” and “Assembly” sections.

-The “Source” section has a blip on the line number which shows where exactly in the code where gdb is looking into. So, here, it shows that its in line 2 of the source. After you ran the program, if you re-run “info breakpoints” you can see that the message “breakpoint already hit 1 time“.

>> info breakpoints
Num Type Disp Enb Address What
1 breakpoint keep y 0x0000555555555129 in main at minimal.c:2
breakpoint already hit 1 time

 

[Note:  Right click the image and click on “View Image” / “Open image in new tab” if the image for better visibility. ]

As of now, the debugger is in line 2 where the variable “i” is not yet yet initiated in the program. So, if you try to print the value of “i”, then it should show a value = 0.

To print value of a variable, use the format “print var” or “p var“.

>> p i
$1 = 0

 

print i output screenshot

To go to the next line of code and execute it, use command “next” or “n“.  [Note: If the next line of code was a function, it would execute the full function). In this example, once we ran “r“, the “Source” section now highlights line number 3.

gdb print i screenshot 2

At this point, if you print variable “i”, it still shows value as “0” as the initialization is not complete.

You can also check the “Assembly” section in the GDB Dashboard which shows the disassembled code. So, the highlighted section in green in the  “Assembly” shows the following:

0x0000555555555131 main+8 movl $0x539,-0x4(%rbp)

This is the disassembled code (in AT&T syntax) for “int i = 1337”. We will come back to reviewing the assembly code later.

Run command “n” again in gdb. Now, checking the “Source” section in GDB dashboard, should that we are now on line 4.

Now. check the value of  variable “i” using print.

>>> p i
$3 = 1337

This shows that the value variable “i” is 1337.

(gdb) print i
$2 = 1337

Here is the screenshot for reference.

GDB print i after initialized

To find the type of the variable and the starting memory address of that variable in memory:
>>> print &i
$4 = (int *) 0x7fffffffdb8c

GDB print directly using variable address output

-The above shows that “i” is of “int” type. Additionally, “i” is stored at memory location starting at address 0x7fffffffdb8c

-To check maximum size of int type in memory using the sizeof() function.

>>> p sizeof(int)
$5 = 4

The above output shows that int would occupy 4 bytes of space in memory.

To examine memory using gdb use “x“.

-From above outputs, we know that variable “i” is stored in memory with starting address as 0x7fffffffdb8c. We also do know that i is of type integer and integer type would occupy a maximum of 4 bytes in memory.

To examine a specific memory address, you could use the following format

(gdb) x/FMT <starting_memory_address> 

Here is information from “help x” section:

(gdb) help x
Examine memory: x/FMT ADDRESS.
ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal),
t(binary), f(float), a(address), i(instruction), c(char), s(string)
and z(hex, zero padded on the left).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
The specified number of objects of the specified size are printed
according to the format. If a negative number is specified, memory is
examined backward from the address.

Defaults for format and size letters are those previously used.
Default count is 1. Default address is following last thing printed
with this command or "print".
(gdb)

Here, is an example, to examine data from memory location 0x7fffffffdb8c upto the next bytes (or 4 bytes above 0x7fffffffdb8c) ,  use the following:

>>> x/4xb 0x7fffffffdb8c
0x7fffffffdb8c: 0x39 0x05 0x00 0x00

Alternatively, you can access provide the memory location directly by passing “&i” i.e.  “x/4xb &i”

GDB examine memory location screenshot

The above output shows raw byte by byte representation in memory. Here, 0x39 is one byte in memory and 0x05 is another byte etc.
We also know that int would occupy 4 bytes in memory. Here, this integer takes only 2 bytes out of 4 bytes in memory.

Important: This raw memory representation “0x39 0x05 0x00 0x00” is in “little-endian” format(the least significant bytes of a number come first in memory).
So, you would need to read the hex bytes  “0x39 0x05 0x00 0x00” in reverse order. Hence, the value reversed 0x00 0x00 0x05 0x39 is 00000539.
To get the actual value, we need to convert the hex value to decimal.

You could use trusty bash  to covert hex to decimal by using format “echo $(( 16#$hexNum ))“. Here is what it does look like:

extr3me@w4rl0ck:~$ echo $(( 16#00000539 ))
1337

So, “1337” is the decimal value stored in memory location 4 bytes starting from 0x7fffffffdb8c.

So, we now know the value of integer variable starting at memory location 0x7fffffffdb8c is 1337. (i.e. the decimal value of i stored in memory is 1337).

An alternative is to use a online hex to decimal converter such as https://www.binaryhexconverter.com/hex-to-decimal-converter to covert 00000539 to decimal.

-You can also print the raw data using the variable itself by using the following format:

(gdb) x/4xb &i

0x7fffffffdb5c: 0x39 0x05 0x00 0x00

Other formats in GDB:

-To print in decimal format, use x/1dw:

(gdb) x/1dw &i
0x7fffffffdb7c: 1337

-Alternatively, give the memory location as well.

(gdb) x/1dw 0x7fffffffdb7c
0x7fffffffdb7c: 1337

Misc Information:

To check the number of threads, run “info threads“.

>>> info threads
Id Target Id Frame 
* 1 process 6570 "minimal" main () at minimal.c:4
>>> 

This shows there is 1 thread with PID 6570.

Other Interesting Stuff:

Here is a screenshot of the dissembled code of “minimal” binary.

#gdb-assembly.png

The one that we are interested in for now is the instruction highlighted below:

0x0000555555555129 main+0 endbr64
0x000055555555512d main+4 push %rbp
0x000055555555512e main+5 mov %rsp,%rbp
0x0000555555555131 main+8 movl $0x539,-0x4(%rbp)
0x0000555555555138 main+15 mov $0x0,%eax
0x000055555555513d main+20 pop %rbp
0x000055555555513e main+21 retq

The instruction “movl $0x539,-0x4(%rbp)” means => move the value “0x539” to the memory location of register rbp -4.

Differences between AT&T and Intel Syntax:

By default, GDB defaults to displaying in AT&T syntax. Here is what main function dissembled looks like in AT&T syntax:

extr3me@w4rl0ck:gdb$ gdb minimal
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from minimal...
>>> disass /m main
Dump of assembler code for function main:
2 {
0x0000000000001129 <+0>: endbr64
0x000000000000112d <+4>: push %rbp
0x000000000000112e <+5>: mov %rsp,%rbp

3 int i = 1337;
0x0000000000001131 <+8>: movl $0x539,-0x4(%rbp)

4 return 0;
0x0000000000001138 <+15>: mov $0x0,%eax

5 }
0x000000000000113d <+20>: pop %rbp
0x000000000000113e <+21>: retq

End of assembler dump.
>>>

-If you don’t like this syntax, you can make GDB use Intel syntax using “set disassembly-flavor intel“.

Here, is an example of main function dissasembled in Intel syntax:

extr3me@w4rl0ck:gdb$ gdb minimal
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from minimal...
>>> set disassembly-flavor intel
>>> disass /m main
Dump of assembler code for function main:
2 {
0x0000000000001129 <+0>: endbr64
0x000000000000112d <+4>: push rbp
0x000000000000112e <+5>: mov rbp,rsp

3 int i = 1337;
0x0000000000001131 <+8>: mov DWORD PTR [rbp-0x4],0x539

4 return 0;
0x0000000000001138 <+15>: mov eax,0x0

5 }
0x000000000000113d <+20>: pop rbp
0x000000000000113e <+21>: ret

End of assembler dump.
>>>

Here, you should see subtle differences  such as the AT&T syntax displays “movl $0x539,-0x4(%rbp)” while the same in Intel syntax is “mov DWORD PTR [rbp-0x4],0x539“.

Thats it for now. I will add more tutorials on GDB in the near future.

Happy Debugging!

Sources/References/Credits:

Below are all the credits/references/sources that made writing this blog post possible.

https://www.recurse.com/blog/5-learning-c-with-gdb <- Credits to recurse. I used this as my primary resource to learn GDB and then post my understanding of GDB and C here. Do check them out.
https://github.com/cyrus-and/gdb-dashboard <- Creator of the Epic GDB dashboard
https://www.tutorialspoint.com/gnu_debugger/ <- Great place to start.
https://sourceware.org/gdb/current/onlinedocs/gdb/Set-Breaks.html#Set-Breaks
https://stackoverflow.com/questions/209534/how-to-highlight-and-color-gdb-output-during-interactive-debugging
https://bob.cs.sonoma.edu/IntroCompOrg-RPi/sec-gdb1.html
https://www.binaryhexconverter.com <- Simple online convertor
https://stackoverflow.com/questions/13280131/hexadecimal-to-decimal-in-shell-script
https://www.ibm.com/developerworks/library/l-ia/index.html
Credits to my m8 @bytesareana for decoding the stuff with the memory location.