6. Recon Implementation

# Design - Setup Wazuh on the insecure network - TODO (couldn't get working yet) - Port scan it and see the scanning activity # Wazuh Setup ## Docker Installation & Deployment [Docker installation - Deployment on Docker · Wazuh documentation](https://documentation.wazuh.com/current/deployment-options/docker/docker-installation.html) ### Set up Docker Compose 1. Increase max_map_count on your host (Linux) 2. 1. Increase `max_map_count` on your Docker host: 1. `sysctl -w vm.max_map_count=262144` 2. Update the `vm.max_map_count` setting in `/etc/sysctl.conf` to set this value permanently. To verify after rebooting, run “`sysctl vm.max_map_count`”. 2. Make sure Docker is installed 3. Download Docker Compose binary ```bash sudo curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose ``` 4. Grant execution permissions ```bash chmod +x /usr/local/bin/docker-compose ``` 5. Test installation ```bash docker-compose --version ``` ### Wazuh Docker Install & Deployment 1. Clone the Wazuh repository to your system: ```bash git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0 ``` - Then enter into the `single-node` directory to execute all the commands described below within this directory. 2. Provide a group of certificates for each node in the stack to secure communication between the nodes. You have two alternatives to provide these certificates: 1. Generate self-signed certificates for each cluster node. 2. We have created a Docker image to automate certificate generation using the Wazuh certs gen tool. 3. If your system uses a proxy, add the following to the `generate-indexer-certs.yml` file. If not, skip this particular step: ``` environment: - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS ``` A completed example looks like: ``` # Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) version: '3' services: generator: image: wazuh/wazuh-certs-generator:0.0.1 hostname: wazuh-certs-generator volumes: - ./config/wazuh_indexer_ssl_certs/:/certificates/ - ./config/certs.yml:/config/certs.yml environment: - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS ``` Execute the following command to get the desired certificates: ```bash docker-compose -f generate-indexer-certs.yml run --rm generator ``` - This saves the certificates into the `config/wazuh_indexer_ssl_certs` directory. 3. Start the Wazuh single-node deployment using docker-compose: Foreground: ```bash docker-compose up ``` Background: ```bash docker-compose up -d ``` This failed, so I gave up on trying that for now. # NMAP Port Scanning ## Insecure Exposition Used a very basic high intensity OS and service discovery scan: ``` nmap -T4 -A -v 192.168.1.88 ``` ![](../../__attachments/Secure%20Database%20Exposition/Project%20Workspace/IMG-20231203233857992.png) ![](../../__attachments/Secure%20Database%20Exposition/Project%20Workspace/IMG-20231203234202527.png) ``` Scanning 192.168.1.88 [1000 ports] Discovered open port 22/tcp on 192.168.1.88 Discovered open port 5050/tcp on 192.168.1.88 Discovered open port 5432/tcp on 192.168.1.88 Discovered open port 9000/tcp on 192.168.1.88 Completed SYN Stealth Scan at 22:17, 0.39s elapsed (1000 total ports) 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 63:33:43:43:a4:f1:b6:19:83:cd:7e:ec:04:b4:13:90 (ECDSA) |_ 256 f3:69:0d:a9:a1:5c:31:99:dd:71:72:e3:4a:4b:70:4d (ED25519) 5050/tcp open mmcc? | fingerprint-strings: | GenericLines: | HTTP/1.1 400 Bad Request | Connection: close | Content-Type: text/html | Content-Length: 193 | <html> | <head> | <title>Bad Request</title> | </head> | <body> | <h1><p>Bad Request</p></h1> | Invalid Request Line 'Invalid HTTP request line: ''' | </body> | </html> | GetRequest: | HTTP/1.0 500 INTERNAL SERVER ERROR | Server: gunicorn | Date: Mon, 04 Dec 2023 03:17:08 GMT | Connection: close | Cache-Control: no-cache, no-store, must-revalidate | Pragma: no-cache | Expires: 0 | Content-Type: application/json | Content-Length: 109 | Vary: Accept-Encoding | X-Frame-Options: SAMEORIGIN | Content-Security-Policy: default-src ws: http: data: blob: 'unsafe-inline' 'unsafe-eval'; | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Set-Cookie: pga4_session=a95f9866-5baf-4cb1-ab5e-98a40d8d17c2!E14g/myGyYBxPtZ88WF/1ZbbuVg6xsWTmuf8dZZ66Ko=; Expires=Tue, 05 Dec 2023 03:17:08 GMT; HttpOnly; Path=/; SameSite=Lax | {"success":0,"errormsg":"Port could not be cast to integer value as ':'","info":"","result":null,"data":null} | HTTPOptions: | HTTP/1.0 200 OK | Server: gunicorn | Date: Mon, 04 Dec 2023 03:17:08 GMT | Connection: close | Content-Type: text/html; charset=utf-8 | Allow: HEAD, OPTIONS, GET | Vary: Accept-Encoding | X-Frame-Options: SAMEORIGIN | Content-Security-Policy: default-src ws: http: data: blob: 'unsafe-inline' 'unsafe-eval'; | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Set-Cookie: pga4_session=b2592446-b117-4970-be64-83babf84f6c5!VSvE+D7pJZM0f1XipO5yhExDs7aQ+vTWQZRXm9NlOlY=; Expires=Tue, 05 Dec 2023 03:17:08 GMT; HttpOnly; Path=/; SameSite=Lax |_ Content-Length: 0 5432/tcp open postgresql PostgreSQL DB 9.6.0 or later | fingerprint-strings: | SMBProgNeg: | SFATAL | VFATAL | C0A000 | Munsupported frontend protocol 65363.19778: server supports 3.0 to 3.0 | Fpostmaster.c | L2145 |_ RProcessStartupPacket 9000/tcp open cslistener? | fingerprint-strings: | GenericLines: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest, HTTPOptions: | HTTP/1.0 200 OK | Accept-Ranges: bytes | Cache-Control: max-age=31536000 | Content-Length: 19130 | Content-Type: text/html; charset=utf-8 | Last-Modified: Tue, 21 Nov 2023 20:14:20 GMT | Vary: Accept-Encoding | X-Content-Type-Options: nosniff | X-Xss-Protection: 1; mode=block | Date: Mon, 04 Dec 2023 03:17:08 GMT | <!doctype html><html lang="en" ng-app="portainer" ng-strict-di data-edition="CE"><head><meta charset="utf-8"/><title>Portainer</title><meta name="description" content=""/><meta name="author" content="Portainer.io"/><meta http-equiv="cache-control" content="no-cache"/><meta http-equiv="expires" content="0"/><meta http-equiv="pragma" content="no-cache"/><base id="base"/><script>if (window.origin == 'file://') { | loading the app from a local file as in docker extension | document.getElementById('base').href = 'http://localhost:49000/'; |_ window.ddExtension = 3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port5050-TCP:V=7.94%I=7%D=12/3%Time=656D44B3%P=i686-pc-windows-windows% SF:r(GenericLines,11E,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x SF:20close\r\nContent-Type:\x20text/html\r\nContent-Length:\x20193\r\n\r\n SF:<html>\n\x20\x20<head>\n\x20\x20\x20\x20<title>Bad\x20Request</title>\n SF:\x20\x20</head>\n\x20\x20<body>\n\x20\x20\x20\x20<h1><p>Bad\x20Request< SF:/p></h1>\n\x20\x20\x20\x20Invalid\x20Request\x20Line\x20'Invalid\x SF:20HTTP\x20request\x20line:\x20'''\n\x20\x20</body>\n</ht SF:ml>\n")%r(GetRequest,2E8,"HTTP/1\.0\x20500\x20INTERNAL\x20SERVER\x20ERR SF:OR\r\nServer:\x20gunicorn\r\nDate:\x20Mon,\x2004\x20Dec\x202023\x2003:1 SF:7:08\x20GMT\r\nConnection:\x20close\r\nCache-Control:\x20no-cache,\x20n SF:o-store,\x20must-revalidate\r\nPragma:\x20no-cache\r\nExpires:\x200\r\n SF:Content-Type:\x20application/json\r\nContent-Length:\x20109\r\nVary:\x2 SF:0Accept-Encoding\r\nX-Frame-Options:\x20SAMEORIGIN\r\nContent-Security- SF:Policy:\x20default-src\x20ws:\x20http:\x20data:\x20blob:\x20'unsafe-inl SF:ine'\x20'unsafe-eval';\r\nX-Content-Type-Options:\x20nosniff\r\nX-XSS-P SF:rotection:\x201;\x20mode=block\r\nSet-Cookie:\x20pga4_session=a95f9866- SF:5baf-4cb1-ab5e-98a40d8d17c2!E14g/myGyYBxPtZ88WF/1ZbbuVg6xsWTmuf8dZZ66Ko SF:=;\x20Expires=Tue,\x2005\x20Dec\x202023\x2003:17:08\x20GMT;\x20HttpOnly SF:;\x20Path=/;\x20SameSite=Lax\r\n\r\n{\"success\":0,\"errormsg\":\"Port\ SF:x20could\x20not\x20be\x20cast\x20to\x20integer\x20value\x20as\x20':'\", SF:\"info\":\"\",\"result\":null,\"data\":null}")%r(HTTPOptions,237,"HTTP/ SF:1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Mon,\x2004\x20Dec\ SF:x202023\x2003:17:08\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20 SF:text/html;\x20charset=utf-8\r\nAllow:\x20HEAD,\x20OPTIONS,\x20GET\r\nVa SF:ry:\x20Accept-Encoding\r\nX-Frame-Options:\x20SAMEORIGIN\r\nContent-Sec SF:urity-Policy:\x20default-src\x20ws:\x20http:\x20data:\x20blob:\x20'unsa SF:fe-inline'\x20'unsafe-eval';\r\nX-Content-Type-Options:\x20nosniff\r\nX SF:-XSS-Protection:\x201;\x20mode=block\r\nSet-Cookie:\x20pga4_session=b25 SF:92446-b117-4970-be64-83babf84f6c5!VSvE\+D7pJZM0f1XipO5yhExDs7aQ\+vTWQZR SF:Xm9NlOlY=;\x20Expires=Tue,\x2005\x20Dec\x202023\x2003:17:08\x20GMT;\x20 SF:HttpOnly;\x20Path=/;\x20SameSite=Lax\r\nContent-Length:\x200\r\n\r\n"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port5432-TCP:V=7.94%I=7%D=12/3%Time=656D44B3%P=i686-pc-windows-windows% SF:r(SMBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fro SF:ntend\x20protocol\x2065363\.19778:\x20server\x20supports\x203\.0\x20to\ SF:x203\.0\0Fpostmaster\.c\0L2145\0RProcessStartupPacket\0\0"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port9000-TCP:V=7.94%I=7%D=12/3%Time=656D44B3%P=i686-pc-windows-windows% SF:r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\ SF:x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20B SF:ad\x20Request")%r(GetRequest,4BEF,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ran SF:ges:\x20bytes\r\nCache-Control:\x20max-age=31536000\r\nContent-Length:\ SF:x2019130\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modifi SF:ed:\x20Tue,\x2021\x20Nov\x202023\x2020:14:20\x20GMT\r\nVary:\x20Accept- SF:Encoding\r\nX-Content-Type-Options:\x20nosniff\r\nX-Xss-Protection:\x20 SF:1;\x20mode=block\r\nDate:\x20Mon,\x2004\x20Dec\x202023\x2003:17:08\x20G SF:MT\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"\x20ng-app=\"portainer\ SF:"\x20ng-strict-di\x20data-edition=\"CE\"><head><meta\x20charset=\"utf-8 SF:\"/><title>Portainer</title><meta\x20name=\"description\"\x20content=\" SF:\"/><meta\x20name=\"author\"\x20content=\"Portainer\.io\"/><meta\x20htt SF:p-equiv=\"cache-control\"\x20content=\"no-cache\"/><meta\x20http-equiv= SF:\"expires\"\x20content=\"0\"/><meta\x20http-equiv=\"pragma\"\x20content SF:=\"no-cache\"/><base\x20id=\"base\"/><script>if\x20$window\.origin\x20 SF:==\x20'file://'$\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20//\x20we\x20are SF:\x20loading\x20the\x20app\x20from\x20a\x20local\x20file\x20as\x20in\x20 SF:docker\x20extension\n\x20\x20\x20\x20\x20\x20\x20\x20document\.getEleme SF:ntById$'base'$\.href\x20=\x20'http://localhost:49000/';\n\n\x20\x20\x SF:20\x20\x20\x20\x20\x20window\.ddExtension\x20=")%r(HTTPOptions,4BEF,"HT SF:TP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nCache-Control:\x20ma SF:x-age=31536000\r\nContent-Length:\x2019130\r\nContent-Type:\x20text/htm SF:l;\x20charset=utf-8\r\nLast-Modified:\x20Tue,\x2021\x20Nov\x202023\x202 SF:0:14:20\x20GMT\r\nVary:\x20Accept-Encoding\r\nX-Content-Type-Options:\x SF:20nosniff\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Mon,\x20 SF:04\x20Dec\x202023\x2003:17:08\x20GMT\r\n\r\n<!doctype\x20html><html\x20 SF:lang=\"en\"\x20ng-app=\"portainer\"\x20ng-strict-di\x20data-edition=\"C SF:E\"><head><meta\x20charset=\"utf-8\"/><title>Portainer</title><meta\x20 SF:name=\"description\"\x20content=\"\"/><meta\x20name=\"author\"\x20conte SF:nt=\"Portainer\.io\"/><meta\x20http-equiv=\"cache-control\"\x20content= SF:\"no-cache\"/><meta\x20http-equiv=\"expires\"\x20content=\"0\"/><meta\x SF:20http-equiv=\"pragma\"\x20content=\"no-cache\"/><base\x20id=\"base\"/> SF:<script>if\x20$window\.origin\x20==\x20'file://'$\x20{\n\x20\x20\x20\ SF:x20\x20\x20\x20\x20//\x20we\x20are\x20loading\x20the\x20app\x20from\x20 SF:a\x20local\x20file\x20as\x20in\x20docker\x20extension\n\x20\x20\x20\x20 SF:\x20\x20\x20\x20document\.getElementById$'base'$\.href\x20=\x20'http: SF://localhost:49000/';\n\n\x20\x20\x20\x20\x20\x20\x20\x20window\.ddExten SF:sion\x20="); MAC Address: 00:0C:29:1B:D2:CF (VMware) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Uptime guess: 18.341 days (since Wed Nov 15 14:07:41 2023) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 1.38 ms 192.168.1.88 NSE: Script Post-scanning. Initiating NSE at 22:19 Completed NSE at 22:19, 0.00s elapsed Initiating NSE at 22:19 Completed NSE at 22:19, 0.00s elapsed Initiating NSE at 22:19 Completed NSE at 22:19, 0.00s elapsed Read data files from: C:\Program Files (x86)\Nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 130.15 seconds Raw packets sent: 1023 (45.806KB) | Rcvd: 2034 (82.880KB) ``` ## Secure Exposition - You'll get a cloudflare access screen when trying to go to the postgres subdomain ![](../../__attachments/Secure%20Database%20Exposition/Project%20Workspace/IMG-20231204143114556.png) - oops did that wrong nmap can't resolve domains - ![](../../__attachments/Secure%20Database%20Exposition/Project%20Workspace/IMG-20231204180204398.png) - You can implement MFA really fast and easily add people to the list or have custom authentication conditions ![](../../__attachments/Secure%20Database%20Exposition/Project%20Workspace/IMG-20231204143246022.png)