Blog

DNSmasq

Dnsmasq: the unsung hero of network management, where DNS meets DHCP with a side of TFTP, just to keep things spicy. (Speaking of spicy, how do you like the novelty glasses?) DNSmasq is a lightweight, yet robust service that doesn't just juggle network requests—it makes local network life easier. Ideal for smaller networks like your home or that tiny, yet over-ambitious office, Dnsmasq helps devices play nice with each other by resolving hostnames and dishing out IP addresses. So why bother? Because manually handling network configurations is about as enjoyable as stepping on LEGOs. Read on for the more boring installation and config instructions/considerations.

Installation Walkthrough for a Local DNS Server.

To set up dnsmasq on an Ubuntu server for local DNS queries, with forwarding to Cloudflare's nameservers for internet queries, follow these detailed step-by-step instructions:

Install dnsmasq

  1. Update your package list to ensure you get the latest version available:

    sudo apt update
    

  2. Install dnsmasq:

    sudo apt install dnsmasq
    

Configure dnsmasq

  1. Backup the original configuration file for safety:

    sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
    

  2. Edit the configuration file:

    sudo nano /etc/dnsmasq.conf

Add/update the following settings to tailor dnsmasq for your needs:

  3. Set the listening interface, if you want dnsmasq to listen only on specific network interfaces (e.g., eth0 for Ethernet):

    interface=eth0
    listen-address=127.0.0.1  # Listen on localhost
    bind-interfaces           # Bind to the interface specified
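
The walkthrough's goal is a resolver that answers local names itself and forwards everything else to Cloudflare. The script below is an added example, not part of the original post or of dnsmasq itself: it renders the listening settings shown above together with the forwarding options, and checks the result with `dnsmasq --test` before restarting. The interface name `eth0`, the local domain `home.lan` and the drop-in path under `/etc/dnsmasq.d/` are assumptions to adjust for your network.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render the dnsmasq settings from
# the walkthrough plus Cloudflare forwarding, then validate before restarting.
# Assumptions: interface name, local domain and the /etc/dnsmasq.d drop-in path
# are placeholders for your own network.
set -euo pipefail

# Print a dnsmasq configuration for a local resolver.
#   $1 = LAN interface, $2 = local domain, remaining args = upstream servers
render_dnsmasq_conf() {
  local iface="$1" domain="$2"
  shift 2
  cat <<EOF
# Only answer on the LAN interface and loopback
interface=${iface}
listen-address=127.0.0.1
bind-interfaces
# Never forward bare hostnames or private-range reverse lookups upstream
domain-needed
bogus-priv
# Ignore /etc/resolv.conf; use only the server= lines below
no-resolv
# Resolve *.${domain} locally from /etc/hosts, never upstream
local=/${domain}/
domain=${domain}
expand-hosts
EOF
  local s
  for s in "$@"; do
    printf 'server=%s\n' "$s"
  done
}

# Count the upstream servers a rendered config forwards to.
count_upstreams() {
  grep -c '^server=' "$1" || true
}

# Write the config as a drop-in, check it parses, then restart the service.
install_dnsmasq_conf() {
  local target="${1:-/etc/dnsmasq.d/local-resolver.conf}"   # assumed path
  render_dnsmasq_conf eth0 home.lan 1.1.1.1 1.0.0.1 | sudo tee "$target" >/dev/null
  sudo dnsmasq --test          # exits non-zero on a syntax error; nothing restarts
  sudo systemctl restart dnsmasq
}

if [ "${1:-}" = "install" ]; then
  install_dnsmasq_conf
fi
```

Run `bash script.sh install` to apply; `dnsmasq --test` guarantees a typo in the file never takes the resolver down, and `no-resolv` keeps dnsmasq from silently picking up whatever upstream `/etc/resolv.conf` currently lists.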
    

MySQL

Install

sudo apt install mysql-server -y

Run the mysql Secure Installation Program

sudo mysql_secure_installation

  • Establish a password validation policy.
  • You can use more secure authentication means like keys rather than passwords.
  • MySQL has an anonymous user capability for testing, but it should be removed for security.
  • The root user should only be allowed to connect from localhost.
  • Remove the test database.
  • Reload the privileges table.

Enable the Firewall

sudo ufw enable
sudo ufw allow mysql

Check to ensure it's listening:

netstat -ant

You should see 127.0.0.1:3306 (3306 is the default MySQL port). The database server will eventually need to talk to other systems on the network.

Set Up

Configuration

cd /etc/mysql/mysql.conf.d && ll
  • mysql.cnf configures the mysql command-line client's behavior
  • mysqld.cnf configures the server's behavior

vi mysqld.cnf
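
Before opening the firewall for other systems, it helps to know what `mysqld.cnf` will actually bind to. The following is an added example, not from the original post: it reads the `bind-address` value from the `[mysqld]` section and classifies the server as local-only or network-exposed. The sample config is constructed for the demonstration; point `mysqld_bind_address` at `/etc/mysql/mysql.conf.d/mysqld.cnf` for a real audit.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report the effective bind-address
# of a mysqld config so you know whether the server listens beyond localhost
# before `ufw allow mysql` lets traffic through. The sample file is constructed.
set -euo pipefail

# Print the bind-address from the [mysqld] section of a config file.
# MySQL 8 defaults to "*" (all addresses) when the option is absent.
mysqld_bind_address() {
  awk -F'=' '
    /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
    in_mysqld && $1 ~ /^[ \t]*bind-address[ \t]*$/ {
      gsub(/[ \t]/, "", $2); val = $2
    }
    END { print (val == "" ? "*" : val) }
  ' "$1"
}

# Classify the config: "local-only" or "exposed".
mysqld_exposure() {
  case "$(mysqld_bind_address "$1")" in
    127.0.0.1|localhost|::1) echo "local-only" ;;
    *)                       echo "exposed" ;;
  esac
}

# Cross-check against what the kernel is actually listening on.
mysqld_listening_sockets() {
  ss -tln | grep ':3306' || echo "nothing on 3306"
}

# Constructed sample resembling the Ubuntu mysqld.cnf layout
SAMPLE_CNF="$(mktemp)"
cat > "$SAMPLE_CNF" <<'EOF'
[mysqld]
user            = mysql
bind-address    = 127.0.0.1
mysqlx-bind-address = 127.0.0.1
port            = 3306
EOF

if [ "${1:-}" = "audit" ]; then
  printf 'config: %s (%s)\n' "$(mysqld_bind_address "${2:-$SAMPLE_CNF}")" \
    "$(mysqld_exposure "${2:-$SAMPLE_CNF}")"
  mysqld_listening_sockets
fi
```

Note the default: if you later delete the `bind-address` line to let the garden database talk to other hosts, MySQL 8 binds to every interface, so prefer setting it to the one LAN address you intend to serve.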

Setting Up a Pihole Docker

For some easy-listening learning, I often turn to NetworkChuck's YouTube channel. Recently, I decided to set up Pi-hole, a network-wide ad and tracker blocking application that acts as a DNS sinkhole and optionally as a DHCP server. However, Chuck's video used a Pi-hole image that wasn't ARM architecture compatible. I modified it, pulled the regular pihole/pihole:latest image, and then watched Brandon Lee's VirtualizationHowTo channel for additional insights. Here are my notes from this process:

Option 1: Create the Pihole Container

docker run -dit -p 53:53/tcp -p 53:53/udp -p 80:80 -p 443:443 \
  -v "$(pwd)/etc-pihole:/etc/pihole:z" \
  -v "$(pwd)/etc-dnsmasq.d:/etc/dnsmasq.d:z" \
  --name chacho_pihole pihole/pihole:latest

Explanation:
1. We are running the container with the latest version of Pi-hole, naming it chacho_pihole.
2. Port forwarding is set up so the host forwards traffic to the Pi-hole container. Note: On macOS, mDNSResponder may use port 53 (and possibly 5353). In that case, use an alternative port like 5399 for the host while keeping port 53 for the container.
3. We are mounting two volumes from the current working directory to the container's directories.

Once this container is spun up and in a healthy status (run docker ps to check this), we're ready to visit the Pi-hole interface. Open up a browser and use your docker host IP address like so:

http://10.2.3.4/admin
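
The two details above worth scripting are the host-side port choice (53 on Linux, an alternative such as 5399 on macOS where mDNSResponder holds 53) and the wait for a healthy status. This is an added example, not code from the post or from the Pi-hole project: it builds the same `docker run` command with the host DNS port as a parameter and polls Docker's health status instead of eyeballing `docker ps`. The container name, volume paths and port 5399 are the post's values; the 120-second timeout is a constructed choice.

```shell
#!/usr/bin/env bash
# Added example (not from the post or Pi-hole): build the post's docker run
# command with a variable host DNS port and wait for the container healthcheck.
set -euo pipefail

# Print the docker run command. $1 = host DNS port (53 on Linux, 5399 on macOS)
pihole_run_cmd() {
  local host_dns_port="${1:-53}"
  printf 'docker run -dit -p %s:53/tcp -p %s:53/udp -p 80:80 -p 443:443 -v "%s/etc-pihole:/etc/pihole:z" -v "%s/etc-dnsmasq.d:/etc/dnsmasq.d:z" --name chacho_pihole pihole/pihole:latest' \
    "$host_dns_port" "$host_dns_port" "$(pwd)" "$(pwd)"
}

# macOS usually has mDNSResponder on 53, so pick the alternative port there.
host_port_for_os() {
  case "$(uname -s)" in
    Darwin) echo 5399 ;;
    *)      echo 53 ;;
  esac
}

# Return 0 once the container healthcheck reports "healthy", 1 on timeout.
wait_healthy() {
  local name="$1" remaining="${2:-120}" status
  while [ "$remaining" -gt 0 ]; do
    status="$(docker inspect --format '{{.State.Health.Status}}' "$name" 2>/dev/null || echo missing)"
    [ "$status" = healthy ] && return 0
    sleep 5
    remaining=$((remaining - 5))
  done
  return 1
}

if [ "${1:-}" = "up" ]; then
  eval "$(pihole_run_cmd "$(host_port_for_os)")"
  wait_healthy chacho_pihole 120 && echo "Pi-hole is healthy; open http://<docker-host>/admin"
fi
```

With a host port other than 53, clients must be pointed at that port explicitly (or a port forward added), since DNS resolvers assume 53; the container side stays on 53 regardless.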

Pentesting a Linux Server

The first, most logical thing to find out is what purpose the server serves. This, along with other basic information, guides the rest of the test.

1. Recon

dig example.com
whois example.com

OSINT

git clone https://github.com/laramies/theHarvester.git

2. Scanning & Enum

If scanning a whole network, find out who is up first:

nmap -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}' > active_hosts.txt

Then scan only those hosts to learn which services are running and which common ports are open.

nmap -sV -iL active_hosts.txt

Targeted scanning may also call for running the default scripts (-sC) and, if the host is a web server, the http-enum script as well:

nmap -sC --script http-enum 192.168.1.10

First Capture-the-Flag

A couple of months ago, I was invited to join a team to compete in a capture-the-flag event. Having only joined the cybersecurity community a year and a half ago, the invitation was both appreciated and a bit intimidating. Would I be able to contribute something of value? What if I didn't know how to do anything? What if it showed everyone how much I didn't understand?

* screech the brakes *
Curiosity is the antidote to imposter syndrome. When you care more about learning what you need to know than what people think about you, it's a game-changer. So armed with my tenacity for learning and the goal of finding out where my strengths might lie in such an event, I accepted the invite.

Flag Swapping for CTF

This was for an exercise I participated in where we thought we would need a way to defend our servers against flags from other teams. I created a couple of scripts and then combined them into an iterative script to make it easier to execute once on the box so I wouldn't forget to change specific variables.

Fail2Ban Primer

Fail2Ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your server, and it bans offending IPs automatically by updating firewall rules to prevent further breaches. Fail2Ban is configured through jail files located in /etc/fail2ban. It comes with a default configuration file (jail.conf) which should not be edited directly, as it may be overwritten by package upgrades. Instead, create a local copy to override the defaults.

1. Configure Fail2Ban

a. Create a Local Configuration File:

sudo cp /etc/fail2ban/jail.{conf,local}

b. Edit the Local Configuration File:

sudo nano /etc/fail2ban/jail.local
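
The excerpt stops at opening jail.local, so here is an added example of what typically goes into it; it is not from the original post or the Fail2Ban project. It renders a jail.local that enables the sshd jail with explicit ban thresholds, applies it, and confirms the jail is live with `fail2ban-client`. The thresholds and the 192.0.2.0/24 `ignoreip` range are constructed values; the packaged jail.conf is relied on for the sshd filter and log path.

```shell
#!/usr/bin/env bash
# Added example (not from the post or Fail2Ban): write a minimal jail.local
# that enables the sshd jail, then verify it loaded. Thresholds and the
# ignoreip management range are constructed placeholders.
set -euo pipefail

# Print jail.local content. $1 = bantime, $2 = findtime, $3 = maxretry
render_jail_local() {
  local bantime="${1:-1h}" findtime="${2:-10m}" maxretry="${3:-5}"
  cat <<EOF
[DEFAULT]
# Never ban loopback or the management network (constructed example range)
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24
# Ban for ${bantime} after ${maxretry} failures within ${findtime}
bantime  = ${bantime}
findtime = ${findtime}
maxretry = ${maxretry}

[sshd]
enabled = true
EOF
}

# Read maxretry back from a rendered file (sanity check before applying).
jail_maxretry() {
  awk -F'=' '$1 ~ /^maxretry[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# List the jails a rendered file enables.
enabled_jails() {
  awk '/^\[/ { name = substr($0, 2, length($0) - 2) }
       /^enabled[ \t]*=[ \t]*true/ && name != "DEFAULT" { print name }' "$1"
}

# Apply: write the file, restart Fail2Ban, and show the sshd jail status.
apply_jail_local() {
  render_jail_local 1h 10m 5 | sudo tee /etc/fail2ban/jail.local >/dev/null
  sudo systemctl restart fail2ban
  sudo fail2ban-client status sshd      # lists currently banned IPs
}

if [ "${1:-}" = "apply" ]; then
  apply_jail_local
fi
```

Keep the `ignoreip` entry honest: a bastion or monitoring host that retries SSH will otherwise ban itself, and a ban you cannot lift from the console is the usual way Fail2Ban locks an admin out.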

Hardening a Linux Server

1. Recon First

For a CTF, Grab n Crack

Grab the Hashes for Cracking (swap out the IP)

scp root@server_ip:/etc/passwd ./passwd
scp root@server_ip:/etc/shadow ./shadow

Unshadow

unshadow passwd shadow > combined.txt

Run John

john combined.txt

Review and Note

john --show combined.txt

SSH in and Change Passwords

ssh root@server_ip
passwd username

Document Normal Running Processes

ps aux > processes.txt

OS Info

cat /etc/os-release

2. Least Privilege

Review Current Permissions

Audit the current user accounts, groups, and their permissions on each server.

cat /etc/passwd

or

getent passwd

Checking SUID/SGID files

find / -perm -4000 -type f 2>/dev/null
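
A one-off `find` tells you what is set-id today; what matters during a hardening exercise is noticing a set-id file that was not there at recon time. The script below is an added example, not from the original post: it extends the page's `find` to cover both SUID (4000) and SGID (2000) bits, stores a sorted baseline, and prints only files that appeared since. The temporary tree in the self-test is constructed and needs no root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): snapshot set-id binaries at recon
# time and diff later runs against that baseline. Root path and baseline file
# are parameters; the self-test tree is constructed.
set -eu

# List regular files with the SUID (4000) or SGID (2000) bit under $1, sorted
# so the output is stable enough to diff and to feed comm(1).
list_setid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print set-id files present now under $1 that are absent from baseline $2.
new_setid_files() {
  local current
  current="$(mktemp)"
  list_setid_files "$1" > "$current"
  comm -13 "$2" "$current"     # lines only in the current listing
  rm -f "$current"
}

# Self-test on a constructed tree: one SUID file in the baseline, one added later.
demo() {
  local tree
  tree="$(mktemp -d)"
  touch "$tree/normal" "$tree/setuid_bin"
  chmod 4755 "$tree/setuid_bin"
  list_setid_files "$tree" > "$tree/baseline.txt"
  touch "$tree/late_arrival"
  chmod 4755 "$tree/late_arrival"
  new_setid_files "$tree" "$tree/baseline.txt"     # prints only .../late_arrival
  rm -rf "$tree"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

For a real server, run `list_setid_files / > /root/setid-baseline.txt` right after the recon step, keep that file off the box as well, and schedule `new_setid_files / /root/setid-baseline.txt` so any new entry gets a second look.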

Hardening a Windows Server

1. Least Privilege

Review Current Permissions

Audit the current user accounts, groups, and their permissions on each server.

Get-LocalUser

Adjust Permissions

Adjust the permissions so that users and services have only the necessary rights to perform their duties. In Windows, you can manage user permissions through the Local Users and Groups Manager or PowerShell.

Remove or Disable Unnecessary Accounts

Identify accounts that are no longer in use or unnecessary.

Remove User

Remove-LocalUser -Name "ExampleUser"

Disable User

Disable-LocalUser -Name "ExampleUser"

Harnessing Wireshark

Background

The ability to effectively analyze network traffic is critical for maintaining security, troubleshooting issues, and optimizing performance. Crafting a tailored Wireshark setup that aligns with specific analysis goals and preferences can significantly enhance efficiency and effectiveness in packet capture analysis. In this post, I'll review some of the basic customization options including display filters, protocol dissectors, and advanced display configurations. These allow users to streamline workflows, focus on pertinent information, and uncover insights that may otherwise remain obscured. In the following walkthrough, we will explore how to set up Wireshark to suit distinct analysis needs.

Downloading Wireshark

Linux

Debian/Ubuntu:

sudo apt install wireshark

Fedora:

sudo dnf install wireshark

Arch Linux:

sudo pacman -S wireshark

GUI install option: Wireshark

Windows

Wireshark

macOS

If you don't have Homebrew installed:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Once you've successfully installed Homebrew:

brew install wireshark

GUI install option: Wireshark