Security

Cisco - SSH Key Auth

Intro

Do you want to log in to your Cisco switches with SSH and a public key? You can build the config easily and copy/paste it to your switch(es).

Set & Check Variables

pubkey: read from ~/.ssh/id_rsa.pub
username: root
password: will be generated, or set it by hand

    # get & convert public key (strip the key type, wrap to 72 chars for the IOS key-string)
    pubkey=$(cat ~/.ssh/id_rsa.pub |cut -d' ' -f 2 |fold -b -w 72)
    # Username Switch
    username=root
    # Password for User
    password=$(openssl rand -hex 12)
    # Full Line
    echo "username $username privilege 15 password $password"

SSH Pubkey Auth Config Snippet

    # Build Config
    cat << EOF
    ############################################
    # Copy/Paste to your Cisco Devices - START #
    ############################################
    conf t
    # Set Version
    ip ssh version 2
    no aaa new-model
    # Set User
    username $username privilege 15 password $password
    # Set Key
    ip ssh pubkey-chain
    username $username
    key-string
    $pubkey
    exit
    exit
    exit
    # vty Stuff
    line vty 0 15
    login local
    transport input ssh
    end
    write
    exit
    ############################################
    # Copy/Paste to your Cisco Devices - END   #
    ############################################
    EOF

You should test it in a lab environment before running it on productive switches ;)

RSA - Weak Keys

Intro

Did you ever try to generate a small RSA key? Today you should go with 3072 or 4096 bits, or use ECC. With current versions of OpenSSL, you can't generate keys smaller than 512 bits.

128 Bit Key

    import rsa
    pubkey, privkey = rsa.newkeys(128)
    print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
    print(privkey.save_pkcs1('PEM').decode('UTF-8'))

32 Bit Key

    import rsa
    pubkey, privkey = rsa.newkeys(32)
    print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
    print(privkey.save_pkcs1('PEM').decode('UTF-8'))

16 Bit Key

    import rsa
    pubkey, privkey = rsa.newkeys(16)
    print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
    print(privkey.save_pkcs1('PEM').decode('UTF-8'))

Sample with 16 bit RSA key

macos - hdiutil

Intro

hdiutil is a command-line utility on macOS that allows users to create, manipulate, and convert disk images. Disk images are virtual disk files that can contain an entire file system structure, including files, folders, and metadata. hdiutil provides a variety of functions related to disk images, and it's a powerful tool for managing disk-related tasks on a Mac.

Basic Usage

create

    echo -n "geheim" |hdiutil create -encryption -stdinpass -size 10m -volname encdata test.

Nginx - IP

Sometimes you want to restrict access to a web server based on IP addresses. Here is a little howto.

Update the nginx config for your vhost and redirect temporarily/permanently to a sorry host.

    --->8- snip -8<---
    location / {
        allow 192.0.2.0/24;
        allow 2001:db8::/32;
        deny all;
        error_page 403 =301 https://sorry.your.domain;
    }

Or move the IPs to a dedicated file and include it here ...

    --->8- snip -8<---
    location / {
        include incl/admin_ip.txt;
        deny all;
        error_page 403 =301 https://sorry.

Ciphey

Ciphey is a fully automated decryption/decoding/cracking tool using natural language processing and artificial intelligence, along with some common sense.

Source: https://github.com/Ciphey/Ciphey

Run in Docker

    encoding=$(echo -n "hello world" |base64); docker run -it --rm remnux/ciphey ${encoding}

Result

    Possible plaintext: 'hello world' (y/N): y
    ╭─────────────────────────────────╮
    │ Formats used:                   │
    │ base64                          │
    │ utf8Plaintext: "hello world"    │
    ╰─────────────────────────────────╯

Supported Ciphers

Ciphey currently supports 51 encryptions, encodings, compression methods, and hashes.
https://github.com/Ciphey/Ciphey/wiki/Supported-Ciphers

SSH Key Generator

If you need multiple SSH keys with passphrases for educational purposes, you can generate them as follows. The passphrase is set in the comment of the corresponding public key.

SSH Key Generator Script

    cat << 'EOF' > /tmp/ssh-key-generator.sh
    #!/usr/bin/env bash
    # File
    f=/tmp/id_ed25519
    # Cleanup
    test -f $f && rm $f $f.pub
    # Gen Key
    ssh-keygen -o -a 100 -t ed25519 -N "" -f ${f}
    # Extract Password (last 8 Char from PubKey)
    pw=$(cat ${f}.

Vault on OpenBSD

How to install and run HashiCorp Vault on OpenBSD. In addition to this blog entry (https://blog.stoege.net/categories/vault/), here are some instructions for OpenBSD.

Requirements

- VM with OpenBSD 7.2 (or older ...) and root/doas permission
- Domain, or at least a FQDN name pointing to your VM
- HTTP/HTTPS allowed from the Internet (for certificate generation)
- Nginx installed (pkg_add nginx)

Source

https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install Vault

All the steps must be run as root (or with doas).

    pkg_add vault

Vault Config

Backup the prev.

Yubikey - on OpenBSD

Running YubiKey on OpenBSD: buy a key and give it a try ...

Source

https://www.yubico.com/

Install Software

    pkg_add yubikey-manager-3.1.2p4

    quirks-6.42 signed on 2023-01-08T01:39:04Z
    yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
    yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
    yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
    yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
    yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
    yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
    yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
    yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
    yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
    yubikey-manager-3.1.2p4:json-c-0.16: ok
    yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
    yubikey-manager-3.1.2p4: ok
    The following new rcscripts were installed: /etc/rc.d/pcscd
    See rcctl(8) for details.
    ---
    +yubikey-manager-3.1.2p4
    -------------------
    NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
    Most of the "ykman fido xxx" commands (pin-setting and others) stall.

Flask JWT - Sample

Flask & JWT: getting your hands dirty with Flask and JWT.

Source

https://dev.to/grahammorby/jwt-auth-in-flask-python-18i4 with some modifications by myself ...

Environment

Tested under macOS & OpenBSD, Poetry installed and working.

Script

build virtual env

    export app="app100"
    export FLASK_APP="${app}/app"
    poetry new ${app}
    cd ${app}

set python 3.10

    poetry env use $(which python3.10)
    gsed -i "s/python = \"^3.*$/python = \"^3.10\"/" pyproject.toml
    poetry lock

add packages

    wget -4 -O requirements.txt https://raw.githubusercontent.com/GrahamMorbyDev/jwt-flask/master/requirements.txt
    echo "marshmallow-sqlalchemy" >> requirements.

Wireguard on Debian

Wireguard with Debian

Grab a fresh Debian which has public Internet access. The target is to build a WG tunnel and assign a public IP to the server.

Debian 11.6

    apt-get install -y wireguard wireguard-tools

Gen Key

    cd /etc/wireguard
    umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Set Vars

    myprivkey=$(cat privatekey)
    mypublicaddress="45.xx.xx.xx/28, 2a0e:xxxx:xxx::xxx/64"
    yourpubkey="3XK8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
    yourpubip="45.xxx.xxx.xxx"
    yourpubport="443"

Config

    cat << EOF > wg0.conf
    [Interface]
    PrivateKey = ${myprivkey}
    Address = PUBLIC_IP_V4/xx, PUBLIC_IP_V6/xx
    [Peer]
    PublicKey = ${yourpubkey}
    Endpoint = ${yourpubip}:${yourpubport}
    AllowedIPs = 0.