Andy Smith's Blog

cloud-config validate without cloudinit

A quick hack to let you validate your CoreOS cloud-config user_data file without having to install coreos-cloudinit (though you do need internet access):

curl 'https://validate.core-os.net/validate' -X PUT --data-binary '@user_data'

This makes use of CoreOS's online validator, but without having to copy/paste which can be a little fiddly when SSH'd somewhere.

Running manuka docker honeypot setup

I've just got dionaea and kippo running in docker images on to make a quick to set up honeypot. The project is called manuka.

Here's how to get manuka running on Ubuntu 14.04:

#install docker (skip if you have docker 1.3+ already)
[ -e /usr/lib/apt/methods/https ] || {
  sudo apt-get update
  sudo apt-get install apt-transport-https
}

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys \
    36A1D7869245C8950F966E92D8576A8BA88D21E9

sudo sh -c "echo deb https://get.docker.com/ubuntu docker main > \
    /etc/apt/sources.list.d/docker.list"

sudo apt-get update
sudo apt-get -y install lxc-docker

#install docker-compose
sudo apt-get install -y python-pip
sudo pip install docker-compose

#run manuka
curl -q https://raw.githubusercontent.com/andrewmichaelsmith/manuka/master/run.sh > run.sh
chmod +x run.sh
sudo ./run.sh

You have just setup dionaea and kippo.

Let's try out kippo:

ssh [email protected]
# > Password: <12345>
# > [email protected]:~#

And dionaea:

sudo nmap  -d -p 445 127.0.0.1 --script=smb-vuln-ms10-061
ls var/dionaea/bistreams
# > total 4.0K
# > drwxr-xr-x 2 nobody nogroup 4.0K Mar 16 23:21 2015-03-16

All logs and files will be saved under $PWD/var/.

Happy to hear any bug reports and feature requests on Github.

Docker volume and docker VOLUME

I've been fiddling with docker lately and it took me a while to come to this realisation. The docker volume command line argument and the docker VOLUME Dockerfile instruction are a bit different.

The docker volume command line argument:

docker run -v /var/logs:/var/logs ubuntu echo test

And the docker VOLUME Dockerfile instruction:

VOLUME /var/logs

The Dockerfile VOLUME instruction doesn't support host directories.

As discussed in this stackoverflow post it looks like this is intentional because it makes things less portable.

Quick and Easy SSH MITM

A quick intro to using mitmproxy to man-in-the-middle an SSH connection.

So you want to sniff an SSH connection (that you have access to) but wireshark is giving you junk? Luckily someone has written a tool for that. The mitmproxy by Maximilian Hils allows you to plop a fake server in between your SSH client and the SSH server you're connecting to.

(Confusingly this is not the same as the other, more well known mitmproxy which only does HTTPS and HTTP)

I wanted to have a nose at the data sent from git to github over SSH. This is what I did.

# Download mitmproxy
git clone https://github.com/mitmproxy/mitmproxy.git

#Generate mitm keys (these go to ~/.mitmkeys)
./mitmkeys

Now you want to install the SSH key you just generated to the server you want to mitm.

#Install SSH key
ssh-copy-id -i ~/.mitmkeys/id_rsa.pub user@victimserver

Then run the proxy, pointing it at the victimserver.

#Run proxy
./mitmproxy_ssh -H victimserver

This runs the proxy on localhost:2222

Now simply connect to the local proxy:

ssh localhost -p 2222

And ta-da! You should see the raw data sent between client and server in the window you ran mitmproxy_ssh.