2024-07-21
K8S Security


2024-07-20
K8S Deny Intranet Access From All Containers

constrain pod resources:

https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/


to manually exceed the ephemeral storage limit run:

fallocate -l 10G /bigfile

the pod will be evicted and its volume and container will be purged, but the Pod record is not automatically removed.

to clean up the mess one may run a scheduled job like:

while true;
do
  microk8s kubectl delete pods --field-selector=status.phase=Failed
  microk8s kubectl delete pods --field-selector=status.phase=Unknown
  sleep 60
done

or set the kube-controller-manager startup argument terminated-pod-gc-threshold=1 (how the argument is passed depends on the distribution).

for k3s edit /etc/rancher/k3s/config.yaml like:

kube-controller-manager-arg:
- 'terminated-pod-gc-threshold=1'

for microk8s, edit /var/snap/microk8s/current/args/kube-controller-manager

references:

https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/

https://docs.k3s.io/security/hardening-guide

https://github.com/k3s-io/k3s/issues/10448


make sure you have a NetworkPolicy-capable CNI first. it is usually included, but be careful with minikube since that is a different story.

apply these configs with kubectl apply -f <config_path>

interact with kubectl exec <pod_name> -it -- /bin/sh

deployment config:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
  labels:
    app: hello-world
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: alpine-container
        image: alpine:3.7
        command: ["tail", "-f", "/dev/null"]
        resources:
          limits:
            ephemeral-storage: "4Gi"
      dnsPolicy: None
      dnsConfig:
        nameservers:
        - 8.8.8.8
      terminationGracePeriodSeconds: 0

network policy config:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-intranet-egress
spec:
  podSelector:
    matchLabels:
      app: hello-world
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: ::/0
        except:
        - fc00::/7
        - fe80::/10
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 0.0.0.0/8
        - 10.0.0.0/8
        - 100.64.0.0/10
        - 169.254.0.0/16
        - 172.16.0.0/12
        - 192.168.0.0/16
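To check what the policy above actually permits before applying it, here is an added Python example (not from the post) that reproduces the ipBlock/except matching rules of a Kubernetes NetworkPolicy against a few constructed destination addresses; the policy is transcribed into a Python list rather than parsed from the YAML.

```python
import ipaddress

# Transcription of the egress.to ipBlocks from the deny-intranet-egress policy above.
IP_BLOCKS = [
    {"cidr": "::/0", "except": ["fc00::/7", "fe80::/10"]},
    {"cidr": "0.0.0.0/0", "except": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
                                      "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]},
]


def egress_allowed(dst, blocks=IP_BLOCKS):
    """True if a policy with these ipBlock rules lets the selected pods reach dst.

    Kubernetes semantics: a destination matches an ipBlock when it lies inside
    `cidr` and inside none of the `except` ranges; the entries under `to` are
    OR-ed, and with policyTypes [Egress] anything matching no entry is denied.
    """
    ip = ipaddress.ip_address(dst)
    for block in blocks:
        cidr = ipaddress.ip_network(block["cidr"])
        if ip.version != cidr.version or ip not in cidr:
            continue
        if any(ip in ipaddress.ip_network(exc) for exc in block.get("except", [])):
            continue
        return True
    return False


def audit(destinations, blocks=IP_BLOCKS):
    """Map each destination to 'allow' or 'deny' so the policy can be reviewed before rollout."""
    return {dst: ("allow" if egress_allowed(dst, blocks) else "deny") for dst in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: a public resolver, RFC 1918 and CGNAT hosts,
    # the link-local cloud metadata address, and both sides of the 172.16.0.0/12 edge.
    samples = ["8.8.8.8", "10.0.0.5", "100.127.0.1", "169.254.169.254",
               "172.31.255.255", "172.32.0.1", "fe80::1", "2001:4860:4860::8888"]
    for dst, verdict in audit(samples).items():
        print(f"{dst:>22}  {verdict}")
```

On most clusters the service and pod ranges fall inside the denied private ranges, so cluster DNS is unreachable under this policy; that is why the deployment above sets dnsPolicy: None with an external resolver.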


2024-06-13
Frp Usage

the SSH port must be secured with pubkey-only authentication

search for "free frp" or "frp 免费" to find free frp providers

use masscan over these servers to find open ports and candidates

frpc config:

serverAddr = "frp.freefrp.net"
serverPort = 7000
auth.method = "token"
auth.token = "freefrp.net"
[[proxies]]
name = "ssh_service"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = <remote_port>
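Before exposing the SSH port through frp as configured above, verify that sshd really is pubkey-only. The following Python check is an added example, not part of the post or of frp; it resolves sshd_config the way sshd does (first value wins, everything after a Match line is conditional) and reports any keyword that still allows password or keyboard-interactive logins. The sample config it ships with is constructed.

```python
import re

# Constructed sample sshd_config (not from the post): sshd keeps the FIRST value it sees
# for a keyword, so the trailing "PasswordAuthentication no" does not undo the "yes".
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
"""

# Keyword -> (value required for pubkey-only logins, sshd default when absent).
REQUIRED = {
    "PasswordAuthentication": ("no", "yes"),
    "KbdInteractiveAuthentication": ("no", "yes"),
    "PubkeyAuthentication": ("yes", "yes"),
}
# Pre-8.7 OpenSSH spelling of KbdInteractiveAuthentication, still accepted as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_global_settings(text):
    """Resolve keywords the way sshd does: first value wins, and the global section
    ends at the first 'Match' line because everything after it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(ALIASES.get(key, key), value.strip().lower())
    return settings


def pubkey_only_violations(text):
    """List keywords whose effective global value would still allow non-key logins."""
    effective = effective_global_settings(text)
    problems = []
    for keyword, (want, default) in REQUIRED.items():
        got = effective.get(keyword.lower(), default)
        if got != want:
            problems.append(f"{keyword} is '{got}', expected '{want}'")
    return problems
```

Run pubkey_only_violations on the text of /etc/ssh/sshd_config; an empty list means the global section is pubkey-only (Include'd files and Match blocks still need a manual look).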


2024-05-29
Strange Behavior Within Docker Containers

The default working directory after starting the parrotsec container is the filesystem root, where msfconsole cannot run. Change to the home directory with cd and run Metasploit afterwards.

docker run --rm -it -w /root parrotsec/security

Symlinked files do not work properly from the start. Taking msfconsole as an example: when running a container from the parrotsec/security image, it gets stuck if we execute msfconsole immediately after logging in, but we can work around the problem by first changing into the directory where msfconsole really resides and then executing it from there.

docker run --rm -it parrotsec/security
# it will get stuck
msfconsole
# note the following will also get stuck
/usr/share/metasploit-framework/msfconsole
# instead, let's first change directory
cd /usr/share/metasploit-framework
# then invoke the binary
./msfconsole


2023-09-04
Understanding Captchas: Assessing Capabilities, Not Behaviors

CAPTCHA as a Turing test

CAPTCHAs are used as public automated Turing tests.

However, they are not behavior-based but rather capability/skill-based.


2022-12-07
Tools From Breachforums

  1. Invicti

Invicti is a web application security scanner hacking tool to find SQL Injection, XSS, and vulnerabilities in web applications or services automatically.

  2. Fortify WebInspect

It is used to identify security vulnerabilities by allowing it to test the dynamic behavior of running web applications.

  3. Cain & Abel

It is used to recover MS Access passwords.

  4. Nmap (Network Mapper)

Used in port scanning, one of the phases of ethical hacking; the finest hacking software ever.

  5. Nessus

Nessus is the world's most well-known vulnerability scanner, designed by Tenable Network Security. It is free and is chiefly recommended for non-enterprise usage.

  6. Nikto

Checks web servers and identifies over 6400 CGIs or files that are potentially dangerous.

  7. Kismet

Kismet is basically a sniffer and wireless-network detector that works with other wireless cards and supports raw-monitoring mode.

  8. NetStumbler

Identifies AP (Access Point) network configuration.

  9. Acunetix

Integration of scanner results into other platforms and tools.

  10. Netsparker

Uniquely verifies identified vulnerabilities, showing that they are genuine, not false positives.

  11. Intruder

Integrates with Slack, Jira, and major cloud providers.

  12. Nmap

Contains a data transfer, redirection, and debugging tool.

  13. Metasploit

Ideal for finding security vulnerabilities.

  14. Aircrack-Ng

It can crack WEP keys and WPA2-PSK, and check Wi-Fi cards.

  15. Wireshark

Applies coloring rules to packet lists to facilitate analysis.

  16. OpenVAS

OpenVAS has the capabilities of various high and low-level Internet and industrial protocols, backed up by a robust internal programming language.

  17. SQLMap

Supports executing arbitrary commands.

  18. Ettercap

Live connections sniffer.

  19. Maltego

Performs real-time information gathering and data mining.

  20. Burp Suite

Uses out-of-band techniques.

  21. John the Ripper

Tests different encrypted passwords.

  22. Angry IP Scanner

This is a free tool for scanning IP addresses and ports.

  23. SolarWinds Security Event Manager

Recognized as one of the best SIEM tools, helping you easily manage memory stick storage.

  24. Traceroute NG

Detects path changes and alerts you about them.

  25. LiveAction

Its packet intelligence provides deep analyses.

  26. QualysGuard

Responds to real-time threats.

  27. WebInspect

Tests dynamic behavior of web applications for the purpose of spotting security vulnerabilities.

  28. Hashcat

Supports distributed cracking networks.

  29. L0phtCrack

Fixes weak-password issues by forcing a password reset or locking out accounts.

  30. Rainbow Crack

  31. IKECrack

IKECrack is an authentication cracking tool with the bonus of being open source.

  32. Sboxr

Checks for over two dozen types of web vulnerabilities.

  33. Medusa

One of the best tools for thread-based parallel testing and brute-force testing.

  34. Cain and Abel

Uncovers password fields, sniffs networks, recovers MS Access passwords, and cracks encrypted passwords using brute-force, dictionary, and cryptanalysis attacks.

  35. Zenmap

Administrators can track new hosts or services that appear on their networks and track existing downed services.


2022-11-04
Adb Wifi Always On

adb over wifi always on

warning: this can be dangerous because adb remote connections appear to have no password; consider protecting the port behind some proxy.

turning on:

setprop service.adb.tcp.port 5555
stop adbd
start adbd

turning off:

setprop service.adb.tcp.port -1
stop adbd
start adbd

put scripts under /data/adb/services.d/ and make them executable

mount -o remount,rw /
# then you can modify /system/etc/init.d, but not /system/bin, because it is a copy of /data/system/bin; create the script there instead.

create this under /system/etc/init.d/

service adb_wifi_enable /system/bin/adb_wifi_enable.sh
    disabled
    oneshot
    seclabel u:r:magisk:s0

on property:sys.boot_completed=1
    start adb_wifi_enable
