Bash script to loop through values in a file with space as a separator

Lets say we have a file with list of IPs that are space separated and you want to read each of the values to pass to a loop to perform an operation. Here is an example file with IP Addresses separated  by a space:

cat ips.txt
192.168.1.1 192.168.1.10

Now, lets say you want to loop through these IPs and run a ping command against each of them.

cat ping.sh
#!/bin/bash

# IFS is an internal bash variable. Here, we set its value as space.
IFS=$" "
# Read the file "ips.txt" and store the list of values to a variable "ips"
ips="$(cat ips.txt)"

# Run the following loop which will loop through each of the ips and run a ping test
for ip in $ips; do ping -c 1 $ip; done
# Unset the IFS variable so that it wont mess with the reset of the script
unset IFS

-Running this loop, will loop through the list of IP addresses and perform a ping.

./ping.sh
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.660 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.660/0.660/0.660/0.000 ms
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.108 ms

--- 192.168.1.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.108/0.108/0.108/0.000 ms

Hope this helps!

Happy scripting folks! 🙂

Source/References: Link

Monitor a Linux host with Telgraf InfluxDB and Chronograf using Docker

This is a guide on how to monitor a Linux device(s) using Telgraf, InfluxDB and Chronograph. To make things easier, we will be running all these components using Docker.

Requirements:

  • Docker should be installed  [Note: Docker version 19.03.08 was used in this tutorial]
  • Internet connectivity to pull the docker images
  • Custom docker network
  • Sufficient Disk space to store data in InfluxDB

1. Create a custom docker network:

-Lets create a custom docker bridge network. Below, I have created a custom docker network with the name “influxdb”.

docker network create influxdb

You can name it whatever you want. You just need to make sure that name is passed in the –net flag in other docker commands.

You can verify that the network is created using the following command:

docker network ls

-Below are the sample outputs:

[email protected]:~$ docker network ls
NETWORK ID NAME DRIVER SCOPE
0d72e4098315 bridge bridge local
e3808d2b4078 host host local
d2c5b3842508 influxdb bridge local
a25ec7e0c8a2 none null local

 

2. Run InfluxDB:

-InfluxDB is database where all the statistics of the host will be stored. To create an instance of InfluxDB, run the following command pass the network name as well as shown below:

docker run -d --name=influxdb --net=influxdb influxdb

3. Run Telegraf:

-Before you run Telegraf, you would need to create Telegraf config file. Run the below commands to generate a sample Telegraf configuration file.

mkdir telegraf
docker run --rm telegraf telegraf config > telegraf/telegraf.conf
ls telegraf/

-Modify the above telegraf.conf as per your requirement. For starters, you can un-comment the outputs.influx block and the urls section. So, the config file would have the following:

[[outputs.influxdb]]
   urls = ["http://influxdb:8086"]

-The above output block tells Telegraf where the Influxdb database is located.  Once this configuration file is passed to telegraph in the next section, then Telegraf will interact with InfluxDB (read and write data) via API.

-Now that we have the configuration file ready, we can run Telegraf and pass the configuration file.

-Below I am passing /sys /proc and /etc as readonly mounts inside the container. Optionally, I have passed the docker socket as well as a bind mount so that I can monitor the resource usage of docker and the running containers too.

docker run -d --restart=always --name telegraf \
--net=influxdb --hostname=telegraf \
-e "HOST_PROC=/rootfs/proc" \
-e "HOST_SYS=/rootfs/sys" \
-e "HOST_ETC=/rootfs/etc" \
-v $(pwd)/telegraf/telegraf.conf:/etc/telegraf/telegraf.conf:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /sys:/rootfs/sys:ro \
-v /proc:/rootfs/proc:ro \
-v /etc:/rootfs/etc:ro \
telegraf

You can add/modify the source as you wish to monitor more data. You just need to make sure that the the necessary mounts/variables are passed as well.

4. Run Chronograf:

-Chronograf is used to visualize the data using a browser. It can talk to InfluxDB and display the data in forms of graphs etc.

-To run Chronograf, you can run the following docker command:

docker run -d --name chronograf -p 8888:8888 --net=influxdb chronograf --influxdb-url=http://influxdb:8086

-Verify all containers are running using “docker ps -a

[email protected]:~$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                          NAMES
a9da408e41b0        chronograf          "/entrypoint.sh --in_"   39 seconds ago      Up 38 seconds       0.0.0.0:8888->8888/tcp         chronograf
326255e6d234        telegraf            "/entrypoint.sh tele_"   36 minutes ago      Up 36 minutes       8092/udp, 8125/udp, 8094/tcp   telegraf
51c95679a803        influxdb            "/entrypoint.sh infl_"   About an hour ago   Up About an hour    8086/tcp                       influxdb

The above output shows that all the three containers are up and running.

-Now, you can access the Chronograf Dashboard from your browser by visiting the following URL.

http://localhost:8888

Once you are in the Chronograf UI, you can   navigate to “Host Lists” and click on host to view the collected stats.

Below is a screenshot of Chronograf that is displays the host information:

chronograf graphs


Troubleshooting:

To troubleshoot API issues, you could create a sample container in same  “influxdb” network and install curl in it.

For example: You could create an alpine container attached to the influxdb network.

docker run --net=influxdb -it alpine sh

Then install curl using “apk add curl”. Below is the sample outputs:

/ # apk add curl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20191127-r1)
(2/4) Installing nghttp2-libs (1.40.0-r0)
(3/4) Installing libcurl (7.67.0-r0)
(4/4) Installing curl (7.67.0-r0)
Executing busybox-1.31.1-r9.trigger
Executing ca-certificates-20191127-r1.trigger
OK: 7 MiB in 18 packages

-Once curl is installed, Then try the following sample InfluxDB API calls pointing to the InfluxDB endpoint from within the Alpine container:

curl -i -XPOST http://influxdb:8086/query --data-urlencode "q=show databases"

-Below are sample outputs:

/ # curl -i -XPOST http://influxdb:8086/query --data-urlencode "q=show databases"
HTTP/1.1 200 OK
Content-Type: application/json
Request-Id: e58a61db-6fa6-11ea-85a3-0242ac120002
X-Influxdb-Build: OSS
X-Influxdb-Version: 1.7.10
X-Request-Id: e58a61db-6fa6-11ea-85a3-0242ac120002
Date: Thu, 26 Mar 2020 21:15:19 GMT
Transfer-Encoding: chunked

{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"],["telegraf"]]}]}]}

-Here is another example on how to to check if you are able to create a database:

curl -i -XPOST http://influxdb:8086/query --data-urlencode "q=CREATE DATABASE telegraf"

To troubleshoot issues related to Telegraf, you review the docker logs.

docker logs -f telegraf

To troubleshoot issues with InfluxDB, you can manually access InfluxDB’s shell/CLI and run commands (just like you would in other database servers such as MySQL.)

Below is an example on how to view the list of databases from InfluxDB shell.

docker exec -it influx sh
# influx
Connected to http://localhost:8086 version 1.7.10
InfluxDB shell version: 1.7.10
> show databases
name: databases
name
----
_internal
telegraf

I hope this helps. Do share, leave a like/comment below! Cheers!

 

Regards,

ΞXΤЯ3МΞ

 

Sources/References:

https://hub.docker.com/_/telegraf/
https://hub.docker.com/_/chronograf/
https://www.jacobtomlinson.co.uk/monitoring/2016/06/23/running-telegraf-inside-a-container/

Update CA certificate store in Fedora to trust a root CA certificate

Lets assume you have a CA certificate “ca.crt” that you want your system or utilities like curl to trust then you can do the following:

Copy the CA certificate to /etc/pki/ca-trust/source/anchors/

sudo cp ca.crt /etc/pki/ca-trust/source/anchors/

Then you can run the following command to update Fedora’s local CA store.

sudo update-ca-trust

Now you system and tools like curl will trust certificates signed by this CA.

Verify that SSL connection is trusted using curl :

Lets say you have a webserver server whose certificate was signed by the above root CA and the signed certificate is already uploaded to the webserver. You can verify that your Fedora client trusts the certificate using curl.

curl -vvv https://test-server-fqdn.com

In the above curl command, I am passing the verbose flag -vvv which is optional. It is handy for troubleshooting purposes SSL issues.

If the connection is trusted, the SSL connection should work and you would see a message such as below from the curl outputs:

* server certificate verification OK

Note: This was tested on Fedora 31.

Source/References:

https://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat
https://www.linux.org/docs/man8/update-ca-trust.html

Run bash script from a Perl script

To run a bash script (Example: bash-script.sh) from inside a perl script, you could use the following syntax:

system("sh", "bash-script.sh")

Note: Here, once the bash script completes execution it will continue with the execution of the perl script.

Example:

Perl Script: perl-script.pl
Bash Script: bash-script.sh

Below is a perl script  “perl-script.pl” which calls an external bash script “bash-script.sh”.

#!/usr/bin/perl
use strict;
use warnings;

print "Running parent perl script. \n";
print "Starting to call external bash script\n";

# Sample Argument to be passed to the bash script
my $my_arg = "ARG1";

# With arguments - pass them inside quotes seperated by commas 
system("sh", "bash-script.sh","$my_arg");

print "Back to parent perl script\n";

Below is the sample “bash-script.sh” which prints the variable.

#!/bin/bash
echo "---Start of Bash script---"

a=$1
echo "Argument from Perl script is" $a

To test, execute the perl script:

./perl-script.pl

 

Credits/References
https://stackoverflow.com/questions/3200801/how-can-i-call-a-shell-command-in-my-perl-script

How to fix print_req_error: I/O error, dev fd0, sector 0 error

After a fresh install of Ubuntu, my terminal was being flooded with “print_req_error: I/O error, dev fd0, sector 0” error.

dev fd0

This is because, your kernel thinks you have a floppy disk fd0, but cant find one. To fix this issue, you can run the following in your terminal:

sudo rmmod floppy
echo "blacklist floppy" | tee /etc/modprobe.d/blacklist-floppy.conf
sudo dpkg-reconfigure initramfs-tools

Misc: If you are deploying a new virtual machine, you can avoid this issue by deleting the Floppy Disk drive.

Source: StackOverflow

View progress when using dd command

While using “dd”, by default it does not show the progress nor status of the transfer. However, you could use the flag “status=progress” to show the status/progress of the transfer. Here is a screenshot:

This flag is available in the newer version of dd. Here are the CLI outputs for the text ninjas:

$ sudo dd if=archlinux-2019.06.01-x86_64.iso bs=4M of=/dev/sdd status=progress oflag=sync
641728512 bytes (642 MB, 612 MiB) copied, 16 s, 39.1 MB/s
153+1 records in
153+1 records out
643825664 bytes (644 MB, 614 MiB) copied, 16.4601 s, 39.1 MB/s

PS: Use dd (data duplicator) with caution. ‘ddis also known as disk destroyer  in an alternate universe.

Regards,
ΞXΤЯ3МΞ

Cyberpunk 2077 E3 Trailer! HYPE!!

Check out the brand new Cyberpunk 2077 E3 Trailer. This is literally the going to be the best game ever! Trust me, you are gonna love this one!

[PS: To avoid any spoiler, I used the video with the above thumbnail.]

To my fellow Gamers: After you watch this video after you watch the above, watch the presentation HERE. The crowd goes in-freaking-sane during the presentation. Check out the crowd reaction here.

This literally has been the best E3 so far. Holy smoke! I am Pumped!!!

Regards,
ΞXΤЯ3МΞ

 

Reverse Engineering Router Firmware TP-Link TD-W8970

This is a blog post on reverse engineering TP Link  TD-W8970v3 router firmware.

Requirements:

      • Router Firmware  [ TP-Link TD-W8970 v3 ]
      • Linux Tools – binwalk, unsquashfs, dd, strings
      • Optional: “John” a.k.a john the ripper (for Brute forcing passwords)

Disclaimer:

This is strictly for educational purposes ONLY and not be used for conducting any illegal activities. I hold no responsibility for misuse of this information.

Download the firmware:

First, we need to download the firmware that we need to reverse engineer. I am using the TP Link TD-W8970 v3 firmware.

To download the firmware, go to the below link. -Select “V3” as the version and click on “Firmware”.

https://www.tp-link.com/us/support/download/td-w8970/

TP Link TD-W8970 firmware download page

 

Download the firmware.

TP Link TD-W8970 select latest firmware

Time to dig around!!

Copy the firmware to a new location and extract it.

mkdir ~/firmware
cp ~/Downloads/TD-W8970_V3_150427.zip ~/firmware/
cd firmware/
unzip TD-W8970_V3_150427.zip
cd TD-W8970\(UN\)_V3_150427/

So, here we can see the firmware upgrade image itself with the “.bin” extension along with the firmware upgrade guide.

$ ls -l
total 8296
-rw-rw-r-- 1 extr3me extr3me  317017 Dec 25  2013 'How to upgrade TP-LINK ADSL Modem Router - Copy.pdf'
-rw-rw-r-- 1 extr3me extr3me 8174304 Apr 27  2015 'TD-W8970v3_0.9.1_1.2_up_boot(150427)_2015-04-27_17.48.51.bin'
[email protected] TD-W8970(UN)_V3_150427 $

For sanity purposes, I removed the firmware upgrade guide which I don’t need here.

$ rm How\ to\ upgrade\ TP-LINK\ ADSL\ Modem\ Router\ -\ Copy.pdf

Inspecting the binary with “file” command shows that it of type “data”.

$ file TD-W8970v3_0.9.1_1.2_up_boot\(150427\)_2015-04-27_17.48.51.bin
TD-W8970v3_0.9.1_1.2_up_boot(150427)_2015-04-27_17.48.51.bin: data

Below is a screenshot:

 

checking the binary using "file" command

I tried to run hexdump and filter out some data but did not get any useful info here yet.

$ hexdump -C TD-W8970v3_0.9.1_1.2_up_boot\(150427\)_2015-04-27_17.48.51.bin | head -10
00000000  03 00 00 00 76 65 72 2e  20 32 2e 30 00 ff ff ff  |....ver. 2.0....|
00000010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000030  ff ff ff ff 08 97 00 03  00 00 00 35 00 00 00 00  |...........5....|
00000040  9c e8 56 2f 7d cd f2 5a  80 92 27 b5 dd 23 66 ea  |..V/}..Z..'..#f.|
00000050  00 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000060  ff ff ff ff ff ff ff ff  80 01 00 00 80 2e 00 20  |............... |
00000070  00 7e 02 00 00 00 02 00  00 13 d6 d3 00 13 d6 e0  |.~..............|
00000080  00 67 e0 00 00 00 00 00  00 00 e3 90 55 aa 01 02  |.g..........U...|
00000090  a5 00 09 01 55 d1 51 bb  ff ff ff ff ff ff ff ff  |....U.Q.........|

Now, use the tools “strings” to print out all the human readable strings in the binary. Here, I filtered the 1st 10 lines.

-The output does show two strings that seemed interesting.

$ strings TD-W8970v3_0.9.1_1.2_up_boot\(150427\)_2015-04-27_17.48.51.bin | head -10
ver. 2.0
79!8
@ !<
6H!$
cfe-v
e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0
96361I2
  c
!P%@
!H$5)

A bit off topic. But out of curiosity, I searched online for “bcm963xx_fs_kernel” and came across a PDF document “Broadcom BCM963xx CFE Boot Loader and Flash Memory Structure Application Notes”‘ from Jan 2006.

search result

Here is a screenshot of the document itself:

broadcom CFE PDF document

So, it looks like the router firmware has “Broadcom” and we now know the bootloader and we can get more information from the PDF.

Here is a link to the document: Broadcom CFE Link

cfe-v
e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0

The strings output also shows “cfe-v” which looks to “Common Firmware Environment”.

It also has information on the CFE bootloader flash memory:

Broadcom bootloader flash memory architecture

In Page 5 of the Broadcom documentation, it does refer to the TFTP flashing method and could see some similarties from the output of the “strings” command.

minicom update via TFTP

T his is what I could come up so far, comparing the screenshot and the below line:

e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0“,

e=192.168.1.1:ffffff00     => "192.168.1.1" => Board IP. I assume "ffffff00" => subnet mask 255.255.255.0 or CIDR.
h=192.168.1.100            => "192.168.1.100" => Host IP
g=                         => "empty" => Gateway IP
r=f                        => "f" => Run from Flash
f=vmlinux                  => "vmlinux" | Default run hostfilename is "vmlinux"
i=bcm963xx_fs_kernel       => "bcm963xx_fs_kernel" | Default flash filename is "bcm963xx_fs_kernel"
d=1                        => "1" | Delay = 1
p=0                        => "0" | [I have no idea what this is.]

So, the e, h, g, r, f, i, d and p seems to be variables that would be used during the flashing procedure via minicom to emulate a serial device.

If you would like to dig deeper, you could read about CPE by clicking here.

Extracting Router Filesystem:

To check what is in the router firmware binary, I have used “binwalk“. Below is output of binwalk:

$ binwalk TD-W8970v3_0.9.1_1.2_up_boot\(150427\)_2015-04-27_17.48.51.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
13300         0x33F4          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 220576 bytes
66572         0x1040C         LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3876096 bytes
151315        0x24F13         MySQL MISAM index file Version 4
1366752       0x14DAE0        Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 6806057 bytes, 594 inodes, blocksize: 65536 bytes, created: 2015-04-27 09:45:54

The Ahaaa moment!

So, here we see this binary contains a squashfs filesystem starting at decimal “1366752”.

binwalk binary squashfs

We can extract the squashfs filesystem alone from the firmware binary using the “dd” command by skiping up to “1366752” using the “skip” flag.

$ dd if=TD-W8970v3_0.9.1_1.2_up_boot\(150427\)_2015-04-27_17.48.51.bin skip=1366752 bs=1 of=router-fs.squashfs
6807552+0 records in
6807552+0 records out
6807552 bytes (6.8 MB, 6.5 MiB) copied, 8.81061 s, 773 kB/s

Here, we are providing the input file as the router firmware, setting the block size to “1” and getting data from “1366752” to the end of the binary and storing it to a file “router-fs.squashfs”. Here, if we dont specify the “bs” the copy would most likely fail.

So, the squashfs file system is about ~6.5MB in size compressed.

$ ls -lh
total 15M
-rw-rw-r-- 1 extr3me extr3me 6.5M Jun 10 00:05  router-fs.squashfs
-rw-rw-r-- 1 extr3me extr3me 7.8M Apr 27  2015 'TD-W8970v3_0.9.1_1.2_up_boot(150427)_2015-04-27_17.48.51.bin'

Screenshot: dd to extract router filesystem

– Now, Checking the file shows as “data”.

$ file router-fs.squashfs
router-fs.squashfs: data
  • For verification, check the unpacked binary “router-fs.squashfs” and it does show as “squashfs filesystem”.
$ binwalk router-fs.squashfs

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 6806057 bytes, 594 inodes, blocksize: 65536 bytes, created: 2015-04-27 09:45:54

Now, we can extract the filesystem using “unsquashfs”.

$ unsquashfs router-fs.squashfs

-You may see some error such as below:

“create_inode: could not create character device squashfs-root/dev/bcmadsl0, because you’re not superuser!”

These logs can be safely ignored. Here is the output for reference:

$ unsquashfs router-fs.squashfs 
[130/91284]
Parallel unsquashfs: Using 8 processors
546 inodes (811 blocks) to write
create_inode: could not create character device squashfs-root/dev/bcmadsl0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/bcmarl, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/bcmfap, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/bcmvlan, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/bcmxtmcfg0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/bpm, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/brcmboard, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/caldata, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/console, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/dk0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/fcache, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/flash0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/gmac, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/gpio, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/gpio1, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ingqos, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/led, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/mtd, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/mtd0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/mtd1, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/mtd2, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/mtd3, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/mtd4, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/mtd5, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/mtdblock0, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/mtdblock1, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/mtdblock2, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/mtdblock3, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/mtdblock4, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/mtdblock5, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/net/tun, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/null, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/pmap, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ppp, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/pppox_iptables, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ptmx, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ptyp0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ptyp1, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ptyp2, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/pwrmngt, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/qostype, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/random, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/sda, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/sda1, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/sda2, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/sdb, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/sdb1, because you're not superuser!
create_inode: could not create block device squashfs-root/dev/sdb2, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/tty, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/tty0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM1, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM10, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM11, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM12, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM13, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM14, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM15, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM2, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM3, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM4, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM5, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM6, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM7, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM8, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyACM9, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyS0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB1, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB10, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB11, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB12, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB13, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB14, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB15, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB2, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB3, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB4, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB5, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB6, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB7, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB8, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyUSB9, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyp0, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyp1, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/ttyp2, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/urandom, because you're not superuser!
create_inode: could not create character device squashfs-root/dev/watchdog, because you're not superuser!

create_inode: could not create character device squashfs-root/dev/zero, because you're not superuser!
[====================================================================================================================================================================================================| ] 722/811 89%

created 370 files
created 48 directories
created 87 symlinks
created 0 devices
created 0 fifos

-Now, we should see a folder named “squashfs-root

$ ls -l
total 14636
-rw-rw-r--  1 extr3me extr3me 6807552 Jun 10 00:05  router-fs.squashfs
drwxrwxr-x 13 extr3me extr3me    4096 Apr 27  2015  squashfs-root
-rw-rw-r--  1 extr3me extr3me 8174304 Apr 27  2015 'TD-W8970v3_0.9.1_1.2_up_boot(150427)_2015-04-27_17.48.51.bin'

Now, change into the folder ”

$ cd squashfs-root/

-Listing the files shows that we have the router’s filesystem.

$ ls -a
.  ..  bin  dev  etc  lib  linuxrc  mnt  proc  sbin  sys  tmp  usr  var  web

-To value a view of the filesystem in a tree like format, I have used the command “tree” and piping it to less:

$ tree -C | less -R

Guessing the Linux Kernel version:

-Checking the files with “.ko” extension for keyword “vermagic” would be the best guess to the Linux kernel version.

$ strings ./lib/modules/NetUSB.ko | grep vermagic
vermagic=2.6.30 SMP preempt mod_unload MIPS32_R1 32BIT

Now, that I know the kernel version I could then check for exploits that affect this kernel version.

For example: Check for CVEs that affect this version. [Link]

Some random things worth checking:

-The list of libraries installed can be found under:

$ tree -C lib/ | less -R

– So, the chrooted environment were the user inputs commands seems to be via a binary “usr/bin/cli” or could be translating the user commands to the actual deamon.

$ strings ./usr/bin/cli | less

-Btw, I found a blooper while checking this binary. Searching this binary, I did find a few misspelled words. Example: “histroy” instead of “history” 😛

serial
wan2lan
start
exit
clear
clear screen
enter config mode
enable
enter privilege mode
leave to the privious mode
help
help info
history
show histroy commands

Guessing GCC Version:

$ strings ./usr/bin/cli | grep GCC
GCC: (GNU) 3.3.2
GCC: (Buildroot 2010.02-git) 4.4.2

 

Cracking password from the router’s filesystem:

-Looking at the filesystem, I could see a file “passswd.bak” under etc/ directory.

-Reading the file shows there are two users with has shell access.

$ cat etc/passwd.bak
admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh
nobody:*:0:0:nobody:/:/bin/sh

Here:

      Username indicated in green.
      Hashed password indicated in orange.
Assigned shell indicated in pink.

This looks to be the “shadow” file usually located under etc/shadow which my assumption is to be copied to etc/shadow during upgrade.

Here is something wierd. Why does user “nobody” has /bin/bash shell ? Manufacturer backdoor??Mmmmm….! We will come to that later.

Messing around  – Cracking passwords:

Before cracking the password, lets understand something about the hash+salt. Here, the “$” signs are special

passwd.bak file

admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh

The string that we require is the following:

$1$$iC.dUsGpxNNJGeOm1dFio/

The string is specificied in the following format:

$id$salt$encrypted

$1 => Indicates that  MD5 is used to create the hash the password. Below is a table of the list of possible values for the 1st section.

--------------------
| 1  | MD5         |
--------------------
| 2  | Blowfish    |
--------------------
| 2a | eksBlowfish |
--------------------
| 5  | SHA-256     |
--------------------
| 6  | SHA-512     |
--------------------

For testing purposes, I was able to crack the password with John the ripper.

If the passwords had complex salts + hashing methods, for ex SHA-512 it may take longer than expected. [Again, this is for educational purposes ONLY!]

$ john etc/passwd.bak
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
No password hashes left to crack (see FAQ)

– To view the cracked password, you could use the –show flag along with the input file etc/passwd.bak

$ john --show etc/passwd.bak
admin:1234:0:0:root:/:/bin/sh
1 password hash cracked, 0 left

 

cracked password using john the ripper

-So, the password “admin” user is “1234”.

The user “nobody”:

Coming back to the user “nobody”.

Ideally, for security purposes “nobody” user is used with a combination of a non existing directory along with a nologin shell. Below is a sample of an acceptable configuration to me:

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

However, in the router’s FS, it seems wierd that the user “nobody” seems to have “/” or the actual root as mount along with “/bin/bash”.

nobody:*:0:0:nobody:/:/bin/sh

Anyways, may be this is just my paranoia/spidey sense kicking in. 😛

 

If you read this far. Thanks a ton! Hope you learned something from this article. Do bookmark this page for future references. Cheers

 

Regards,
ΞXΤЯ3МΞ

References:

https://openwrt.org/docs/techref/bootloader/cfe
https://en.wikipedia.org/wiki/Common_Firmware_Environment
https://www.cvedetails.com/version/81666/Linux-Linux-Kernel-2.6.30.html
https://charlesreid1.com/wiki/John_the_Ripper/Shadow_File
https://www.openwall.com/john/doc/EXAMPLES.shtml

Click to access bcm963xx_bootloader_appnote.pdf


http://plastilinux.blogspot.com/2009/11/how-to-know-version-of-kernel-without.html
ase1590

Filter AWS EC2 instances using tags with AWS CLI + Screenshots

This is tutorial on how to filter/search for AWS EC2 instances using AWS CLI by filtering with their tag and values.

For instructions on how to install AWS CLI in your machine, you can refer to on my previous blog posts. [Link ].

Below is a screenshot of an EC2 instance that two tags and their corresponding values.

aws ec2 instance tags screenshot

To search for instances using their tags and the values , you can use the following syntax:

aws ec2 describe-instances --filters Name=tag:Owner,Values=TechAntidote

Here, “Owner” is the key and the Value is “TechAntidote”. Here is a screnshot of the output:

aws cli ec2 searching with tags screenshot

You can search for other tags as well by providing the respective Key/value pairs.  [Note: The strings are case-sensitive.]

aws ec2 describe-instances --filters Name=tag:Name,Values=DevB0x

aws cli tag search results

Hope this helps. Cheers! 🙂

Source/References: AWS CLI Command Reference

Install Docker on Ubuntu 18.04.1

This is a tutorial on how to install Docker on Ubuntu 18.04. [Works on Ubuntu 16.04 / 17.04 / 18.04.1 ]

Before we install docker, verify if you had installed any older versions of docker. If so, we need to remove them.

Run the following to remove any old versions of docker:

sudo apt-get remove docker docker-engine docker.io containerd runc -y

Install Prerequisites:

sudo apt-get install apt-transport-https ca-certificates curl software-properties-common -y

Install docker using convenience script

curl -fsSL get.docker.com -o get-docker.sh
sudo sh get-docker.sh

Add current user to docker group

sudo usermod -aG docker $USER

Enable Docker service on boot:

To enable docker service to run on boot, run the following:

sudo systemctl enable docker

Now, we need to exit out of the terminal and open a new terminal so that we can start using docker. Else, you may get a permission error. [You could either type “exit” and re-login to your ubuntu server or open a new terminal session].

After re-logging in, we can start using docker.

To start with, you can check the version of docker installed on your system.

docker version

Here is a screenshot of the outputs for reference:

docker version

When I got this, I’ll was like…

Now, lets run a  docker container, you can use the following:

docker run -it hello-world

You should ideally see docker downloads a docker image and provide you with a hello world message as shown below:

Just kidding, you should see something outputs as below:

Thats all for this tutorial. Do Leave a comment down below if you docker installed successfully.

Do bookmark my website/follow for future docker tutorials.

#PeaceOut

References/Sources:

Docker Install

Gify