Maverick Kaung

Automatic backup with restic and systemd service

Mon, 07 Nov 2022 17:24:26 +0200

Ever since I read the Automate backups with restic and systemd on Fedora Magazine, I have been meaning to practice the 3-2-1 backup strategy.

For a while, that did not come to fruition. Ultimately, that was down to laziness first of all; secondly, figuring out how and where the backups should be was also another struggle.

However, I finally sat down one weekend and figured out the works.

What is the `3-2-1` backup strategy?

The 3-2-1 strategy boils down to¹:

3 copies of data
2 different media
1 copy being off-site

The tutorial in the Fedora Magazine showcased how one can use restic² and trigger the backup periodically via a systemd service unit file, instead of using cron. This also gave me the opportunity to learn a bit more about creating systemd service and timer units, so I decided to follow this.

However, the tutorial made use of an offsite backup solution provided by BackBlaze B2 Cloud storage. That solution was not one I was comfortable using just yet.

Mainly due to not wanting to use a service that did not provide Unix/Linux native tools, such as ssh, rsync and or sftp capabilities.

Therefore, I came up with these requirements:

1 x local LAN server backup
1 x local external drive backup
1 x Unix/Linux native tool capable offsite backup

LAN server backup

This one was pretty easy, I already had a desktop computer which I use as a Virtual Machine host, that was connected via tailscale and had a lot of disk space using traditional hard disks.

So all I had to do was initialise a folder on this host via restic using SFTP as described in: https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#sftp

Problem #1 solved!

Local drive backup

My laptop is connected to a dock and has a couple of USB-C. I also had a couple of external storage drives, especially the Samsung Portable SSD T7 - 1TB drive.

So all I had to do was make sure that the backup service runs if and only if this drive was mounted.

Problem #2 solved!

In fact, this already in some way, satisfies #1 + #2 of the 3-2-1 strategy.

However, I still needed to make the similar copy backed up offsite. As per my requirements #3, BackBlaze B2 was off the list, sadly. 🤕

A while back, I read an article titled Interview with John Kozubkik - John is the CEO of rsync.net which is a cloud storage in the form of a UNIX filesytem available over SSH. Ever since then I have been meaning to use this service somehow.

So for my #3 requirement, I researched using rsync.net and luckily enough, they have a special pricing for restic - https://rsync.net/products/restic.html

Not only that what makes rsync.net interesting is that:

there is no app or API - it simply gives you an empty UNIX filesystem accessible with any SSH tool.

P-e-r-f-e-c-t!

So let’s piece the things together.

Systemd service and timer units

Systemd services (ends in .service) can be triggered periodically by Systemd timer units (ends in .timer). This separates the actual command / script that does the work with the timer configuration. I consider this to be neat!

Furthermore, as pointed out by the great ArchLinux wiki³, the benefits are:

Jobs can be easily started independently of their timers. This simplifies debugging.
Each job can be configured to run in a specific environment (see systemd.exec(5)).
Jobs can be attached to cgroups.
Jobs can be set up to depend on other systemd units.
Jobs are logged in the systemd journal for easy debugging.

So how would this look like in practice?

Let’s say that your backup command is as follows:

restic backup /home/user/secret-stuff \
    --repo=sftp:backup1-host.rsync.net:backups \
    --verbose \
    --one-file-system \
    --exclude=/home/user/blah

The systemd service file, let’s call it, offsite-backup.service would be:

[Unit]
Description=Offsite backup with restic

[Service]
Type=simple
Restart=on-failure
RestartSec=30
ExecStartPre=restic unlock
ExecStart=restic backup /home/user/secret-stuff \
    --repo=sftp:backup1-host.rsync.net:backups \
    --verbose \
    --one-file-system \
    --exclude=/home/user/blah
ExecStopPost=restic unlock

The offsite-backup.timer would be:

[Unit]
Description=Offsite backup with restic

[Timer]
OnCalendar=daily UTC
Persistent=true
RandomizedDelaySec=300

[Install]
WantedBy=timers.target

Repeat the above steps similarly for different configurations for different backup medium. For example, to backup locally to an external drive if and only if it is mounted, I have a service like so:

[Unit]
Description=Local Restic backup service
ConditionPathIsMountPoint=/run/media/user/BackupDriveName/

[Service]
Type=simple
Restart=on-failure
RestartSec=30
ExecStart=restic backup /home/user/secret-stuff \
    --repo=sftp:backup1-host.rsync.net:backups \
    --verbose \
    --one-file-system \
    --exclude=/home/user/blah

If you are running the services for yourself under your own user, you can put them in ~/.config/systemd/user/ folder, otherwise it will have to go into /etc/systemd/system/ or system-wide user units in /etc/systemd/user/.

After that first reload the systemd daemon so that it knows there are new services available. Note: For user services include the --user argument after systemctl.

systemctl daemon-reload

Enable the timer unit:

systemctl enable --now offsite-backup.timer

To check when is the next scheduled run of your service:

systemctl list-timers

💯 🔥 Now you have an automatic backup job that runs according to the schedule you have setup, meaning you can sleep soundly while it does its job. 😄 🎉

Blog setup with Hugo, Github and Netlify

Mon, 31 Oct 2022 20:29:34 +0100

I have had this website / blog (going forward it shall be, the blog) on this current setup since about 2016, it has not always been a smooth ride. Always tinkering, always messing around with it when I do feel like it. However, I have enjoyed writing them.

The oldest post¹ was first written back in 2011 on blogspot.com (called: FLOSS Bytes) , right around the time I got into Linux² and open source communities. However, I wanted to move away from the clunky user interface of blogspot, which also included, as far as I remember, very difficult in theming. I was also very sold on the idea of a static site generator and hosting my own website, back then.

Finally, the popularity of Jeklly based Github pages and other static site generator tools like Hugo pushed me to pursue that route. The only requirement back then was for the setup to use a static site generator and not a content management system (CMS)³.

Overview of setup

I write my blog posts in Markdown using a text editor. This allows me to just concentrate on my writing and not get distracted by the view of the contents being rendered.

The Computer & File System on the far left represents the computer where I write my posts on, be that my laptop or desktop, or even on Github itself. I write the content and make sure any other contents like pictures are then stored in the right folders.

Once I am somewhat satisfied with my work, I push out the contents to my Git repository which is hosted on [Github][https://github.com/]. This allows me to revert/rollback my changes if I ever need to, create different branches for the contents or theme changes in its own branches in order for the main blog on mavjs.org to not be effected. You could call this modern day DevOps style blogging. 😄

When the contents get into git, pretty much instantly, Netlify app gets notified to build the site, and then makes the resulting built contents available on mavjs.org using its content delivery network. Netlify internally uses a Ubuntu Linux container with hugo in the background to create the build.

One of the advantages of using Git and its branching model, coupled with a platform like Netlify is that, because this blog was written in a different working branch once the work in progress contents are pushed to it, Netlify will create a preview of the content in its own URL. This way, you can use multi-branch model of Git to create multiple parallel experiments or writing content, while checking how the visuals would look in its final form.

Once you click on the Open deploy preview button, it takes you to a URL in a following format: https://deploy-preview-<pull request number>--<project-name>.netlify.app/ and you can browse the contents as you would on the main live website. 😊

What is even better about this setup? It costs nothing, literally 0 EUR were spent on this setup, other than making accounts and using the free tier of each service. 😆 👍 👌

https://mavjs.blogspot.com/2011/12/hello-world_4159.html ↩︎
Of course, that also invovled lots of Linux distribution (or as the cool kids say: distro) hopping from Ubuntu to Arch Linux, back to Ubuntu and then finally landing on Fedora since then. 😆 ↩︎
https://www.cloudflare.com/en-gb/learning/performance/static-site-generator/ ↩︎

pushnotifier

Sat, 08 Oct 2022 15:10:54 +0200

Using Podman pods Instead of docker-compose

Mon, 03 Oct 2022 17:18:46 +0200

Nowadays, it is common for developers to provide their (web) application in container for ease of setup. These applications usually consists of multiple inter-connecting parts. For example, the main application interacting with a database to store, read and write data.

To make the experience of setting up databases, developers also provide ways to bring them up automatically. One of the most used and well-known ways of doing this is to provide a Docker compose configuration for the application and its required services.

What is Docker Compose?

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration.¹

How does a Docker Compose configuration look like?

version: "3.9"  # optional since v1.27.0
services:
  web:
    build: .
    ports:
      - "8000:5000"
    volumes:
      - .:/code
      - logvolume01:/var/log
    depends_on:
      - redis
  redis:
    image: redis
volumes:
  logvolume01: {}

While in the same directory as this configuration file (named: docker-compose.yaml), you can bring up these applications by executing:

$ docker-compose up -d

When podman came out, there was a tool created later on called podman-compose to help ease transition from docker & docker-compose.

What is Podman?

Podman is a daemonless, open source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) Containers and Container Images. Podman provides a command line interface (CLI) familiar to anyone who has used the Docker Container Engine. Most users can simply alias Docker to Podman (alias docker=podman) without any problems.²

As mentioned above, podman was easily usable for people already familiar with docker without having to re-learn all the command arguments.

I have used podman-compose before, however, while looking at an application recently, I wanted to learn to use the more native solution with podman. Thus, learning about how I could make use of podman pod.

What is a Pod?

A Pod (as in a pod of whales or pea pod) is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers. A Pod’s contents are always co-located and co-scheduled, and run in a shared context. A Pod models an application-specific “logical host”: it contains one or more application containers which are relatively tightly coupled. In non-cloud contexts, applications executed on the same physical or virtual machine are analogous to cloud applications executed on the same logical host.

A Pod is similar to a set of containers with shared namespaces and shared filesystem volumes.³

Looking again at the example Compose configuration, you will notice that the port from the container 5000 is forwarded to the host’s port, i.e., 8000, meaning ports in Docker are mapped from containers. This is also true for normal containers in Podman as well. However, things work differently in a pod, as stated above about a Pod.

Therefore, for a pod the port is mapped from it, rather than from a container directly. Thus, when you create a pod you also declare the port(s) you want to map to your host.

To understand this better, let’s look at the application I used: miniflux - a minimalist and opinionated feed reader, to convert their provided docker installation method in docker-compose to using Podman pods.

The Docker compose configuration for miniflux could look like below:

version: '3.4'
services:
  miniflux:
    image: miniflux/miniflux:latest
    ports:
      - "80:8080"
    depends_on:
      - db
    environment:
      - DATABASE_URL=postgres://miniflux:secret@db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=admin
      - ADMIN_PASSWORD=test123
    healthcheck:
      test: ["CMD", "/usr/bin/miniflux", "-healthcheck", "auto"]
  db:
    image: postgres:latest
    environment:
      - POSTGRES_USER=miniflux
      - POSTGRES_PASSWORD=secret
    volumes:
      - miniflux-db:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "miniflux"]
      interval: 10s
      start_period: 30s
volumes:
  miniflux-db:

Breaking it down, you will notice that there are 2 containers:

the application: miniflux/miniflux
the postgres database: postgres

This means we will have to pull the 2 images to our local registry:

$ podman pull ghcr.io/miniflux/miniflux:latest

$ podman pull docker.io/library/postgres:latest

The only port mapped is 8080 from the miniflux container to port 80 on the host. Therefore, creating a pod would be:

$ podman pod create --name minifluxapp -p 80:8080

You will also notice that the postgres container uses a named volume, we will replicate that in podman by:

$ podman volume create miniflux-db

Since the miniflux container depends on db, we will first create the db container inside the pod as follows:

$ podman run --name=db -d --restart always --pod=minifluxapp \
--volume=miniflux-db:/var/lib/postgresql/data \
-e POSTGRES_USER=<miniflux-db-admin> \
-e POSTGRES_PASSWORD=<miniflux-db-password> \
--health-start-period=30s \
--health-interval=10s \
--health-cmd="CMD-SHELL pg_isready -U miniflux" docker.io/library/postgres:latest

Now, the miniflux container itself:

$ podman run --name=miniflux -d --restart=always --pod=minifluxapp \
-e DATABASE_URL=postgres://<db-user>:<db-pass>@localhost/miniflux?sslmode=disable \
-e RUN_MIGRATIONS=1 \
-e CREATE_ADMIN=1 \
-e ADMIN_USERNAME=<admin-user> \
-e ADMIN_PASSWORD=<admin-pass> \
--health-cmd="CMD-SHELL /usr/bin/miniflux -healthcheck auto" ghcr.io/miniflux/miniflux:latest

If all goes well, your containers should come up inside the pod, and the application is accessible via: http://127.0.0.1 or http://localhost.

From here, you could either generate a kubernetes pod definition⁴ to make it more reusable or systemd unit⁵ files to go together with your system administration.

pod definition

$ podman generate kube minifluxapp >> minifluxapp.yaml

systemd units

$ podman generate systemd \
--container-prefix minifluxapp \
--pod-prefix minifluxpod \
--name minifluxapp

First time experience with Atomic Red Team

Fri, 29 Oct 2021 19:08:24 +0200

What is Atomic Red Team?

Atomic Red Team™ is a library of simple tests mapped to the MITRE ATT&CK® framework that every security team can execute to test their defenses. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.¹ - RedCanaryCo

Atomic Red Team is the main testing repository in the Atomic Family, created by the esteemed folks from Red Canary.² The Atomic Family also provides a couple of utility tools to help execute the tests, namely:

Invoke-AtomicRedTeam - A PowerShell-based framework for developing and executing atomic tests.³
AtomicTestHarnesses - A PowerShell module for executing many variations of an attack technique at once.⁴
Chain Reactor - A tool for testing detection and response coverage on Linux machines.⁵

In this post it will only be about Atomic Red Team - the library of tests & Invoke-AtomicRedTeam - the powershell framework to run the tests.

Security Monitoring and role of testing defenses

Security monitoring involves collection and analysis of information to detect suspicious behaviour and or unauthorised system changes on an organization’s network. This includes defining what types of behaviour and changes should trigger (an) alert(s), and what actions are to be taken.

Think of it this way, just because an organization has put up gates around the building and also have guards, does not mean other essential entrances are without locks. There would still be regular maintenance on the physical structures of the gates, door locks, reviewing of policies and background checks of guards, etc.

Similarly here, just because there are network and host security monitoring setup with triggers and actions for alerts defined, the work does not stop here. The organization will have to stay up to date with new vulnerabilities, techniques and regularly reassess whether those triggers and or actions are enough.

This is where a test framework like Atomic Red Team comes in, especially, for organizations that cannot spend a lot of resources around research on vulnerabilities and techniques, can make use of such a test framework to help in developing more security monitoring alert triggers, use cases or to create tests for already deployed triggers to make sure those work as intended regularly.

Lab Overview

pfSense acts as the router and the firewall - rules are set to disallow communication with the Internet, unless explicitly allowed.
Windows Server Domain Controller provides DHCP and DNS for internal domain.
RHEL 8 server running Splunk 8 - for centralised logging.
Fedora 34 client as administrator workstation - allowed to connect to the Internet. Main test execution management platform.
Windows 10 client - main test execution host.

For this test, an existing lab was reused, which is closed off of from the Internet. This may not have been the most convenient setup as Atomic Red Team downloads certain scripts from the repo for execution, thus not all tests might run properly.

Setting up pre-requisites

To execute tests remotely from a Linux machine (which was done here), it requires PowerShell core to be installed.⁶

Setting up openssh remoting

OpenSSH⁷ remoting feature now built-in to Windows can also be used here. This feature is available in:

Windows 10
Windows Server 2019
Windows Server 2022

Steps to enable:

Right-click Windows Icon
Click Settings
Select Apps > Apps & Features > Optional Features
Find OpenSSH Server
Click Install

To connect to the machine, execute:

$ ssh username@machine-ip

From observation, a machine that is joined to a domain (other than WORKGROUP), the way to connect is slightly different. Like so:

$ ssh domain\\username@machine-ip

PSWSMan module for WinRM PSRemoting on Linux

In this test, WinRM remoting was used as the author encountered a problem with using the SSH remoting feature. It may have something to do with passing in the domain with the username and New-PSSession not being happy about it. Although, it works if using plain old ssh command as seen above.

To use WinRM remoting feature on Linux, PSWSMan module needs to be installed.⁸

To do so:

$ sudo pwsh -Command "Install-Module -Name PSWSMan"
$ sudo pwsh -Command "Install-WSMan"

Once this is out of the way, a session variable in a PowerShell instance that points to the test execution machine can be created, and start the Atomic Red Team tests.

  # Setting a session in PowerShell
  PS> $sess = New-PSSession -ComputerName testexecutionmachine -Credentials domain\username

If SSH remoting worked, a session can be created as follows:

  PS> $sess = New-PSSession -HostName testexecutionmachine -UserName username

Test Execution - the real deal

First install the Execution Framework (Invoke-AtomicTest) and Atomics folder on the test execution management platform:

  IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
  Install-AtomicRedTeam -getAtomics

The imported Invoke-AtomicTest module will live as long as the current PowerShell session is alive. Tp load the module on startup, it needs to be set in the PowerShell profile.

Once installed, it is time to rock-n-roll.

The screenshots below are made on a Windows machine, as PowerShell does not seem to display all info when calling via -ShowDetails argument on a Linux machine.

However, here are a few commands to check out the library contents:

PS> Invoke-AtomicTest All -ShowDetailsBrief

To know the full details of all the tests related to T1003 - OS Credential Dumping⁹:

PS> Invoke-AtomicTest T1003 -ShowDetails

From the details above, it shows that there are multiple test cases associated with T1003, and it also notes the dependencies for running the test. So let’s get the dependency for test number #2 - Credential Dumping with NPPSpy.

PS> Invoke-AtomicTest T1003 -TestNumbers 2 -GetPrereqs

In the above figure, the downloading of the prerequisite dependecy failed, as the machine is not allowed to connect to the Internet.

After transferring over the dependecy file into C:\Users\<username>\AppData\Local\Temp, it is finally good to run the test again.

# Executing it remotely now
PS> Invoke-AtomicTest T1003 -Session $sess -TestNumbers 2

It will do it’s magic in the background, and let the user know what needs to be done next:

As recommended, log out and log back in, and voilà! Credentials were dumped:

Once the tests are done, it is time to clean it up. There is also an argument to do so:

PS> Invoke-AtomicTest T1003 -Session $sess -TestNumbers 2 -Cleanp

Once the clean-up command runs, it will delete the file with credentials at C:\NPPSpy.txt and the dll which was copied to C:\Windows\System32\NPPSpy.dll:

Summary

If it were not for a roundabout way of doing things and just running it on a single VM setup with Internet access allowed, it should have been a bit more smooth sailing. However, all in all, the easy of use combined with the curated list of dependencies needed to accomplish a test is a huge win.

There are not a lot of technologies involved in setting it up either, just copy and paste the commands in the wiki and it’s ready to go.

Next post(s) will go through a few attack scenarios that require running multiple steps of tests based on Threat Intel report(s), run the tests that correponds to them and understand what the logs tell us.

hic sunt dracones (Here be dragons!) 🐉

YAML linting and schema validation

Tue, 14 Sep 2021 19:50:19 +0200

Background

Recently, we considered an approach, where in a single file document analysts are able to share SIEM (idea) queries, and some form of documentation and or notes. We also needed to make them machine parseable and transformable, in order for us to automate the parts of the queries to feed into a SIEM system. This sort of idea is not new or ground breaking in anyway. In fact, it is pretty popular in the information security industry to share ideas for threat detection & hunting in YAML, TOML or markdown with code blocks.

YAML and TOML file formats are used a lot in threat detection & hunting rule sharing communities, ever since Sigma - generic signature format for SIEM systems¹, came out, I believe. Threat detection & hunting enthusiasts sharing ideas are also making use of YAML file format². In fact, vendors like Elastic³ share their detection contents on GitHub as TOML files⁴.

This allows some form of uniformity in how the contents should be structured and also defines how the machine or automations should extract the information.

If you have the team, time, development and engineering resources, it might be worth looking into just using Sigma and to get contents for different security systems ingesting them automatically. However, our approach was that, we wanted something to mix SIEM specific queries and some documentations together, while only spending some time into writing a script that can just strip out the query so that it can then be fed into a SIEM system, so we went with our own YAML format.

The downsides of coming up with your own format is that, you need to first define the structure, what field and values are mandatory, what are optional and then make a decision. This downside, however, can be overcome relatively easy in some cases. This was the case for us.

NOTE: Just want the sauce?

The Details

This is how a signature format in YAML looks like:

It has a title, id, description about the rule, the author, references, logsource, detection rules.

Let’s say, for your community or organization, you decided a YAML format inspired by Sigma, however, it is not an extension, and that you do not use a single syntax high-level abstraction for your queries. It looks like:

---
id: 6068c062-627f-4d7c-9250-5059f5417726 # UUIDv4
title: some title for your detection rule
description: a short sentence about the detection rule
references:
  - reference URL 1
  - reference URL 2
analyst_notes: >
  When you see X, you need to check if occurances of A, B, C, D are also there?
  If not, it might indicate a false-positive or a scenario 1 like in Alpha.
  If you see at most 3 out of 4, it is surely suspicious and therefore you should
  look for to find: K, L, M, N.  
query: >
  SELECT * FROM registry WHERE \
  key LIKE 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' \
  and name='Debugger';",  
mitre:
  - T1112
jira: PJ-1337

Now you get to a point where these files are stored in Git for version control and some form of automation is in-place, you will need to make sure that the file is properly formatted as YAML and also compliant to your custom schema. The former can be achieved by using a linting tool like yamllint⁵. The latter with a library like Yamale⁶, which is what we went with.

YAML Linting

yamllint is a command line tool and a library you can use in your own tooling. If we run the tool on the YAML file above:

$ yamllint detection_rule.yml
detection_rule.yml
  2:42      warning  too few spaces before comment  (comments)
  11:81     error    line too long (81 > 80 characters)  (line-length)
  15:81     error    line too long (102 > 80 characters)  (line-length)

However, if you would like to combine such a linting process together with other checks your scripts are doing, you can import the library⁷. Here is an example:

import yamllint
from yamllint.config import YamlLintConfig

raw_yaml = open('detection_rule.yml', 'r').read()

yaml_config = YamlLintConfig("extends: default")

for p in yamllint.linter.run(raw_yaml, yaml_config):
    print(p.desc, p.line, p.rule)

Yamale - schema validation

Yamale is also a command line tool and a library. It comes with a few default validator⁸ functions, and is also very easily extendable. Here we will see how we could extend it for our schema.

First, we need to come up with a schema dictionary that Yamale can understand to use to validator your YAML files. Let’s consider the following as an initial schema dictionary:

id: str()
title: str()
description: str()
references: list(str())
analyst_notes: str()
query: str()
mitre: list(str())
jira: str()

Running yamale and providing the above schema as follows, yields a validation success.

$ yamale -s schema.yaml detection_rule.yml
Validating /home/user/project-x/detection_rule.yml...
Validation success! 👍

If you kept a close eye, you will have noticed that we initially told yamale that id is a string, however, that is not entirely true. The validation will also pass if you wrote in a bogus string that is not a UUID. So we will need to extend yamale and write our own validator.

Looking at an example custom validator⁹ in their example, we can try a proof of concept UUID validator and also include the validation routines as well:

import yamale
import uuid
from yamale.validators import DefaultValidators, Validator

class UUID(Validator):
    """ Custom UUID validator """
    tag = 'uuid'

    def _is_valid(self, value):
        try:
            luuid = uuid.UUID(str(value))
        except ValueError:
            return False
        return True

validators = DefaultValidators.copy()  # This is a dictionary
validators[UUID.tag] = UUID
schema = yamale.make_schema('./schema.yaml', validators=validators)

data = yamale.make_data('./detection_rule.yml')

try:
    yamale.validate(schema, data)
    print('Validation success! 👍')
except ValueError as e:
    print('Validation failed!\n%s' % str(e))
    exit(1)

Edit the validator for id in schema.yaml to uuid(), run the script above and it should output:

$ python schema-validate.py
Validation success! 👍

Say, for another custom validator, you want to check and make sure that jira values do confirm to the documented JIRA project key format¹⁰, since these are manually entered by analysts. Here we will reuse/sub-class from the built-in Regex validator.

import re
from yamale.validators import Regex

class JIRA(Regex):
    """ Custom JIRA Project ID validator. """
    tag = 'jira'

    def __init__(self, *args, **kwargs):
        self._project_key = str(kwargs.pop('project_key', ''))
        super(JIRA, self).__init__(*args, **kwargs)

        if len(self._project_key) > 0:
            self.regexes = [
                re.compile("^%s-\d+$" % (self._project_key))
            ]
        else:
            self.regexes = [
                re.compile("^([A-Z]{2}[0-9]{2})-\d+$"),
                re.compile("^([A-Z][A-Z_0-9]+)-\d+$"),
            ]

Adjust jira field’s value in schema.yaml as jira(project_key='JP') and on running the script, it should error out:

Validation failed!
Error validating data './detection_rule.yml' with schema './schema.yaml'
	jira: 'PJ-1337' is not a jira match.

Challenge

Let us try writing a schema validator for the Sigma rule we mentioned at the beginning.

---
title: str(min=1, max=256)
id: str()
status: enum('stable', 'testing', 'experimental', required=False)
description: str(required=False)
author: str(required=False)
date: str()
modified: str()
references: list(str(), required=False)
tags: list(str())
logsource: include('logsource')
detection: include('detection')
falsepositives: any(str(), list(), required=False)
level: enum('low', 'medium', 'high', 'critical', required=False)
---
logsource:
  product: str(required=False)
  category: str(required=False)
  service: str(required=False)
  definition: str(required=False)
---
detection:
  selection: any(str(), list(), map(key=str()))
  condition: str()
  timeframe: str(required=False)

Note: At times if you compare Yamale with something like Rx¹¹, the former seems somewhat limiting for the way Sigma was designed. However, I would start with something like Yamale first and then think about Rx later on.

Full Example Files

`detection_rule.yml`

---
id: 6068c062-627f-4d7c-9250-5059f5417726
title: some title for your detection rule
description: a short sentence about the detection rule
references:
  - reference URL 1
  - reference URL 2
analyst_notes: >
  When you see X, you need to check if occurances of A, B, C, D are also there?
  If not, it might indicate a false-positive or a scenario 1 like in Alpha.
  If you see at most 3 out of 4, it is surely suspicious and therefore you should
  look for to find: K, L, M, N.  
query:
  SELECT * FROM registry WHERE \
  key LIKE 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' \
  and name='Debugger';",
mitre:
  - T1112
jira: PJ-1337

`schema.yaml`

id: uuid()
title: str()
description: str()
references: list(str())
analyst_notes: str()
query: str()
mitre: list(str())
jira: jira()

`validator.py`

import yamale
import uuid
import re
from yamale.validators import DefaultValidators, Validator, Regex

class UUID(Validator):
    """ Custom UUID validator """
    tag = 'uuid'

    def __init__(self, *args, **kwargs):
        super(UUID, self).__init__(*args, **kwargs)
        self._version = int(kwargs.pop('version', 4))

    def _is_valid(self, value):
        try:
            luuid = uuid.UUID(str(value), version=self._version)
        except ValueError:
            return False
        return True

class JIRA(Regex):
    """ Custom JIRA Project ID validator. """
    tag = 'jira'

    def __init__(self, *args, **kwargs):
        self._project_key = str(kwargs.pop('project_key', ''))
        super(JIRA, self).__init__(*args, **kwargs)

        if len(self._project_key) > 0:
            self.regexes = [
                re.compile("^%s-\d+$" % (self._project_key))
            ]
        else:
            self.regexes = [
                re.compile("^([A-Z]{2}[0-9]{2})-\d+$"),
                re.compile("^([A-Z][A-Z_0-9]+)-\d+$"),
            ]

validators = DefaultValidators.copy()  # This is a dictionary
validators[UUID.tag] = UUID
validators[JIRA.tag] = JIRA
schema = yamale.make_schema('./schema.yaml', validators=validators)

data = yamale.make_data('./detection_rule.yml')

try:
    yamale.validate(schema, data)
    print('Validation success! 👍')
except ValueError as e:
    print('Validation failed!\n%s' % str(e))
    exit(1)

Contributing to Kali Linux using toolbox on Fedora

Sat, 14 Nov 2020 22:24:11 +0100

Background

While working on Penetration Testing with Kali Linux (PWK) training offered by Offensive Security, I came across a tool called smtp-user-enum. It is a perl script to enumerate OS-level user accounts on Solaris via the SMTP service (sendmail).

In its usage documentation, it mentions an option to pass a list of hostnames running the SMTP service via a file, to use for enumeration. When trying out that option, I noticed that it didn’t work. Upon taking a close look at the script, I noticed that although it looks for the option -T in the arguments list¹, it was never part of the getopts evaluation², thus erroring out.

As it stands, I do not like having SSH keys tied to GitHub/Gitlab accounts on my Kali Linux virtual machine, so instead, I found a way to use a Debian container via toolbox on my regular workstation using Fedora, to create the necessary patches to conform to Debian packaging standards and submitting a pull request on Kali Linux’s stmp-user-enum package repo.

This post recounts of the steps I used, in case someone finds it useful or for my own reference in the future.

Note: I chose to use a Debian image here as I plan to work on other things via the same toolbox. We could have chosen to use Kali Linux docker image instead as well.

The Details

How `toolbox` works

We can create the first “toolbox” by invoking toolbox enter on Fedora. This will use the same Fedora version as our running host. That is, if the running host is Fedora 33, it will download the same container image via https://registry.fedoraproject.org.

However, we will see that the registry does not have a Debian image from which we can work from.

Using Debian Docker image

Toolbox uses podman³ in the background instead of docker. However, we can still pull a Debian docker image from Docker Hub.

First create a Debian “toolbox” named “debtest” as follows:

toolbox create -c debtest --image docker.io/debian:testing

Once it has finished downloading the docker image, we can enter the toolbox as:

toolbox enter debtest

We notice that we have entered our toolbox via the change in shell prompt:

⬢[user@toolbox ~]$

Creating the patch

Here we will use the Debian git-buildpackage (gbp) (Found a nice guide on gbp⁴ mentioned in another pull request⁵) to create and apply our changes according to Debian packaging standards. So install the package:

sudo apt install git-buildpackage -y

Fork the smtp-user-enum package on Gitlab. Clone the forked repository and enter the directory:

git clone git@gitlab.com:<your-username>/smtp-user-enum.git && cd smtp-user-enum

Create our feature branch:

git checkout -b getopts-Targets-file

Apply the previous patches by executing:

gbp pq import

This will move us to a patch queue branch called patch-queue/getopts-Targets-file. We can check this by running:

git branch

Now we can create our changes and commit them. Afterwards, we regenerate the patches in debian/patches/ by running:

gbp pq export

This will drop us back into our original branch getopts-Targets-file. Now we add debian/patches to git and commit them:

git add debian/patches
git commit

Then push those changes to your repository:

git push -u origin getopts-Targets-file

And then we create a pull request at the original repository, wait for the Gitlab CI jobs to run and turn green, and hope that one of the Kali Linux developers merges it. 😄

2018 FLARE-On Challenges Writeup

Mon, 08 Oct 2018 19:42:33 +0200

I decided to participate in this year’s edition of FLARE-On challenge. It is made by the fine folks from FireEye Labs Advanced Reverse Engineering (FLARE) team.

I wanted to see how far I could go. I did not set any goals nor did I took it as seriously as I would have liked.

The challenge is now over and I only managed to make it to the 2 challenge, as expected (you can see the reason why above 😆 ). Let’s get on with the challenges.

Minesweeper Championship Registration

Simple challenge. Once you open the zipped file, you’ll get a jar file.

These days I mostly use Bytecode Viewer when it comes to APK or jar files. Once you open the challenge jar file with it and navigate to the only class file in there you’ll see the following code:

Rest is history! 😉

Ultimate Minesweeper

Boy, was I in for a challenge with this one. 😅

Figured out it was a .NET binary and remembered a friend of mine talking about their experience decompiling them a few months back, I took this opportunity to try it out. There might have been an easier way than what I will be describing below:

Opened up the binary using Jetbrains’s dotPeek.
Exported it to a Visual Studio project.

Opened up the solution/project with Visual Studio.
Started looking into the main class.
Found a function SquareRevealedCallback that is used as a callback after each click on the minefield tiles.

Got to another function BombRevealed that checks if any minefields were revealed, which returns true or false to the callback function above.

Modified the if statement in BombRevealed as below and rest is some clicking. 😆

if (!this.MinesPresent[index2, index1])
{
    System.Console.WriteLine(index1 + 1);
    System.Console.WriteLine(index2 + 1);
}

Definitely going to hone my skills before next year’s FLARE-on challenge! 💪 😎

Also check out a more in-depth thorough writeup of the challenges from the authors: https://www.fireeye.com/blog/threat-research/2018/10/2018-flare-on-challenge-solutions.html

Swap Control and Caps Lock on Windows

Sat, 11 Aug 2018 19:12:00 +0000

Whenever I finish installing a fresh operating system, be it Windows or a Linux distribution, I always remap ctrl and caps lock on my keyboard. As I use the Control key a lot more than Caps Lock, I like having the former on the same line as my home row keys. So, this is what I normally do on Windows.

Disclaimer: I have only tested this on Windows 10.

Manually editing the registry key

Open up the Windows Run prompt via pressing the Windows and r on the keyboard.
Type regedit to bring up the Registry Editor.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout
Either edit Scancode Map or create it by pressing Edit->New->Binary Value
Enter these values in Scancode Map:

00 00 00 00
00 00 00 00
03 00 00 00
1d 00 3a 00
3a 00 1d 00
00 00 00 00

Explanation for the values

The header version, which is always 0.
The header flag, which is always 0.
The sum of number of key entries to change and the extra NULL terminator line. In this case 2 key entries changed, therefore, 3.
Sends LEFT CTRL key code (0x001d) when pressing CAPS LOCK (0x003a)
Reverse of step 4, as we are swapping them around and not entirely disabling the use of caps lock.
NULL terminator line

This can also be put into a powershell script instead of manually editing the registry key as above. See the code below:

$hexified = "00,00,00,00,00,00,00,00,03,00,00,00,1d,00,3a,00,3a,00,1d,00,00,00,00,00".Split(",") | % { "0x$_"};

$kbLayout = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout';

New-ItemProperty -Path $kbLayout -Name "Scancode Map" -PropertyType Binary -Value ([byte[]]$hexified)

References

Kudos to these answers on Stackoverflow.

Updates

added t in .Spli(",") and removed the space inbetween - Value (Kudos to @syk0saje for spotting the typos.)

goPwned

Fri, 12 Aug 2016 17:21:51 +0200

Running GUI apps from Fedora Docker containers

Sun, 10 May 2015 15:50:00 +0000

After reading Jessie Frazelle’s Docker Containers on the Desktop post I was quite interested in making some Fedora image based docker containers for some apps I want to use.

Ones, I wouldn’t normally install on my main machines, like Google Chrome with the Google Talk plugins and flash. So, I did make one with chrome and the talk plugin and followed the guide on Jessie’s blog to run the GUI app, it worked, but there was no sound.

But of course, I forgot Fedora use PulseAudio, so I looked for a solution on the internet as usual and stumbled upon a stackoverflow question: qt - run apps using audio in a docker container and now has a working Fedora docker container which runs Google Chrome with the Google Talk plugin.

Dockerfile:

FROM fedora:latest
MAINTAINER "Ye Myat Kaung (Maverick)" <mavjs@mavjs.org>

RUN yum install https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm -y && \
yum install https://dl.google.com/linux/direct/google-talkplugin_current_x86_64.rpm -y

ENTRYPOINT [ "/usr/bin/google-chrome" ]
CMD [ "--user-data-dir=/data"]

Docker command to run container:

sudo docker run -it --rm\
    --net host \
    --cpuset 0 \
    --memory 512mb \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -e DISPLAY=unix$DISPLAY \
    -v /dev/snd:/dev/snd --privileged \
    -v /dev/shm:/dev/shm \
    -v /etc/machine-id:/etc/machine-id \
    -v /var/lib/dbus:/var/lib/dbus \
    -v /run/user/`id -u`/pulse/native:/run/user/`id -u`/pulse/native \
    -v ~/.pulse:/home/$dockerUsername/.pulse \
    --name chrome \
    mavjs/chrome

My Fedora Dockerfiles can be found on my github & docker images on docker registery: fedora-dockerfiles & docker hub.

Fedora 21 Workstation HiDPI on retina macbook pro

Mon, 06 Apr 2015 02:10:00 +0000

I’ve been happily using F21 since it’s release announcement on Fedora Magazine,especially with the support for high resolution displays (HiDPI) since I’ve been converted back to using Fedora full time on my retina macbook pro. Although most of the GNOME apps work on my retina display, browsers and third-party apps are still lacking. Web pages’ fonts seems too tiny and I’ve to zoom in on them to see them better all the time.

But recently I came across a nice resource - https://wiki.archlinux.org/index.php/HiDPI about enabling HiDPI support on various apps. Mostly my main used apps daily are Firefox, Chromium and I’ve been trying to use pycharm (& various JetBrains apps) but with HiDPI everything seems so small, so as suggested in the wiki, I changed my settings as follows:

On Firefox (play around with the value):

about:config -> layout.css.devPixelsPerPx -> 1.5

Thunderbird (same as Firefox):

Edit -> Preferences -> Advanced -> Config Editor -> layout.css.devPixelsPerPx -> 1.5

PyCharm and any JetBrains products (the file should be in bin sub directory in the folder you extracted the app):

<appname|appname64>.vmoptions -> -Dhidpi=true

CLion before HiDPI tweak

CLion after HiDPI tweak

World of Warcraft on Fedora 20 via wine

Fri, 14 Nov 2014 14:26:00 +0000

Install wine:

    # sudo yum install wine

Download World of Warcraft Setup Installer from https://us.battle.net/account/download/?show=wow.

Run the installer with wine:

    # cd ~/Downloads/
    # wine World-of-Warcraft-Setup-enGB.exe

After the installation completes, it will ask you to login to your Battlenet Account. Instead, quit the application. Then tell it to use software rendered OpenGL by executing (it has a bug where the interface is just black canvas on some intel cards):

    % export LIBGL_ALWAYS_SOFTWARE=1
    % wine ~/.wine/drive_c/Program\ Files\ (x86)/Battle.net/Battle.net\ Launcher.exe

Battlenet actually allows you to play even though it hasn’t finished downloading if it has reached a certain downloaded size. Either wait to finish or open the game. When you run it the first time it will take a while and FPS is not that great. Quit the game. Modify SET gxApi “D3D9” to SET gxApi “Opengl” in the following file:

    $ ~/.wine/drive_c/Program\ Files\ (x86)/World\ of\ Warcraft/WTF/Config.wtf

After that your game should work in decent FPS.

Disclaimer:

Have not tried the gameplay yet, since my subscription expired. :-(
Fedora 20 running on a 13", 2.8Ghz retina macbookpro, 2013 edition.

Sources

Compiling Voxelands on Mac OSX

Fri, 26 Sep 2014 22:25:00 +0000

What is Voxelands?

Voxelands - the Fun-Focused Free Software Voxel World Game. Voxelands is a sandbox construction game based on Minetest, which was inspired by earlier “voxel world” games such as Infiniminer.

We already have the precompiled mac app for the latest stable release that you can install at: http://voxelands.com/downloads/voxelands-1408.00-osx.dmg

Disclaimer: The above voxelands-1408.00-os.dmg would still need the mentions dependencies installed from brew below, with the exception of git, cmake, Xcode, Xcode Command Line Tools. This post is mostly meant for people that want the latest new features in the development branch. I’m working on a proper mac app that wouldn’t need to install dependencies, in the next release.

To start off with getting a voxelands-1408.00:next-os.dmg (which is the branch for the next release, where most fixes that didn’t make it to the latest stable release gets committed to), you’d need a few more softwares to help. First off, you need `Homebrew - The missing package manager for OSX http://brew.sh, to install it

    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

After installing brew, you need to install these dependencies (that are in the brew repositories):

libpng
libvorbis
libogg
jpeg-turbo
gettext
irrlicht
git
cmake

Issue brew install on all of them

    brew install libpng libvorbis libogg jpeg-turbo gettext irrlicht git cmake

That will install the most needed dependencies for Voxelands on Mac OSX. But you will also need the XQuartz - A version of the X.Org X Window System that runs on Mac OSX, `Xcode, Command Line Tools for Xcode and you can start compiling.

Get the voxelands source from git first (voxelands’ former name was minetest-classic)

    git clone https://gitorious.org/minetest-classic/minetest-classic.git
    cd minetest-classic
    git checkout next

Let’s start off with telling cmake - which is the cross-platform, open-source build system that Voxelands uses, about the extra dependencies that we installed via brew (do make sure you supply the correct paths with the versions).

    cmake -DIRRLICHT_INCLUDE_DIR=/usr/local/Cellar/irrlicht/1.8.1/include/irrlicht/ \
    -DIRRLICHT_LIBRARY=/usr/local/Cellar/irrlicht/1.8.1/lib/libIrrlicht.a \
    -DJPEG_INCLUDE_DIR=/usr/local/Cellar/jpeg-turbo/1.3.1/include \
    -DJPEG_LIBRARY=/usr/local/Cellar/jpeg-turbo/1.3.1/lib/libturbojpeg.a \
    -DBUILD_SERVER=0 -DRUN_IN_PLACE=0 \
    -DCUSTOM_GETTEXT_PATH=/usr/local/Cellar/gettext/0.19.2/ \
    -DCMAKE_OSX_ARCHITECTURES=x86_64 \-G Xcode .

It will make a voxelands.xcodeproj inside the git cloned project directory. Then we can build using Xcode commandline tools.

    xcodebuild -verbose -project voxelands.xcodeproj -target package

It tells xcodebuild command to build the project with target of package, which makes the .dmg file that we will get in the end, if it successfully compiles.

If you need help or just want to hang out, come onto our IRC channel #voxelands at chat.freenode.net

UPDATED: forgot to add jpeg-turbo as one of the dependencies

Setting up searx with gunicorn and supervisor

Fri, 19 Sep 2014 21:09:00 +0000

What is searx?

searx is a privacy-respecting, hackable metasearch engine

I have been using my own instance of searx at https://searx.gliderswirley.org/ mostly because I can. :)

For some reason, my instance seems to go down at some random time, and I assumed it was uwsgi. :P And also because I wanted to try gunicorn and supervisor.

Most of the setup steps are already documented on the wiki at https://github.com/asciimoo/searx/wiki/Installation, but I’ll recount the steps here anyways.

Install packages (extra package: supervisor):

    sudo apt-get install git build-essential libxslt-dev python-dev python-virtualenv python-pybabel zlib1g-dev supervisor

Install searx:

    cd /usr/localsudo 
    git clone https://github.com/asciimoo/searx.git
    sudo useradd searx -d /usr/local/searx
    sudo chown searx:searx -R /usr/local/searx

Install dependencies in a virtualenv (extra package: gunicorn):

    sudo -u searx -icd /usr/local/searx
    virtualenv searx-ve. 
    ./searx-ve/bin/activate
    pip install -r requirements.txt
    pip install gunicorn
    python setup.py install

Configure secretkey:

    sed -i -e "s/ultrasecretkey/`openssl rand -hex 16`/g" searx/settings.yml

Make a configuration file:

    sudo touch /etc/supervisor/conf.d/searx.conf

Edit the above conf to include:

    [program:searx]
    command=/usr/local/searx/searx-ve/bin/gunicorn searx.webapp:app
    directory=/usr/local/searx/
    user=searx
    group=searx
    autostart=true
    autorestart=true
    stdout_logfile=/var/log/supervisor/%(program_name)s-access.log
    stderr_logfile=/var/log/supervisor/%(program_name)s-error.log

Then start the supervisor service:

    sudo service supervisor start

Community-ness in Malaysia at its last breath?

Wed, 30 Apr 2014 12:47:00 +0000

It has been almost close to 5 years that I have set my foot on the Malaysian soil. Came over to Malaysia in July, 2009 with the aim of studying a bachelor, and now that I have completed, the journey in Malaysia is almost coming to an end in 2 months.

I have moved around quite a bit, so, it’s pretty easy to not give much thoughts when leaving. But Malaysia is one which I spent the better half of my teenage years, and the one where I got into free & open source software (more of the ideology and appreciation, than contributing) and volunteering at events.

I have worked/volunteer for/with notable communities in Malaysia in the span of the last 3 or so years. I even helped grow a community with Beard-0, the notable Cyber Security & Forensics Club of A.P.U. I helped make Fedora Users’ and Developers Conference APAC happen in Malaysia, along with Izhar, as the main event owner and many other volunteers. And I helped organise a few Fedora events in Kuala Lumpur and at my previous university. Also, me, Beard-0, naavinm and KE started a Capture The Flag (CTF) team called, (GliderSwirley)[http://www.gliderswirley.org]. We still try to play most CTF(s) that we could (please pardon the 0xn00bness, if you see us on CTFTime :P ). I also volunteer at Hack In The Box Security Conference and manage most of HackWEEKDAY (Hopefully, the sponsors and participants were happy about it).

Being a part of these communities have been the best extracurricular activities I could ask for. I know there are others like music, martial arts and whatever clubs in the university, but they don’t align with my real interests. :P

The problem(s) I find in the way communities are running (not in any particular order);

the community leaders are >mid 20s-30s, they have full time jobs,
needs to be backed by a larger corp
not much passion for knowledge sharing (they just want to suck us dry :P )

When you look at communities like Python Malaysia, Fedora Malaysia and others, the real notable faces of the community have full time jobs. Although, they are pretty active at different events and theirs, there is no other person, especially from college/university students, to take over the leadership or just helping out at organizing events. I try to help most free and open source software (FOSS) communities because look at almost all the software(s) that we use, it’s somehow based on FOSS, one way or another.

I find that college/university students like being a part of communities that are backed by larger corps (I will not name them here, don’t want to offend anyone). I can’t blame them though, they get good SWAG(s)!! like all the time. I’m not exactly sure if every other communities need to start distributing swag(s) just to attract more members? It’s something I have not figure out yet. Or is it that there is no monetary rewards involved and students are not motivated because of that? :(

I have done quite a bit of workshops at CSFC, especially python. Because I find that the programming classes in the uni isn’t on par with making students actually want to program and I find that python is easier to teach to/learn for beginners. Also, since a lot of security software(s)/scripts are based on python, I hopped that would kill 2 birds with 1 stone, by helping students learn a (new) programming language as well as be able to extend the security software(s), if they find lacking in features. Obviously, I did not have a full-on course figured out like how most classes are, the workshop(s) are aimed more towards motivating the members to start learning programming language(s) and understand how software(s) work, and are mostly 1session/week. I have only recently found out you could get funding from the Python Software Foundation, but now I have other adventures away from Malaysia. :(

It so happens that students just want to learn the stuff they learn at workshop, go back home and come back the next time without much thoughts about it. Although, some are really talented/works hard and comes up with questions/errors that I have not come across. Whenever a discussion takes place on a particular problem, not many wants to chime in with their ideas, they like to just keep quiet or agree to it. Not sure if the agreeing part is for the sake of agreeing or they’re just afraid to voice out their opinions?

Also, I guess most students visioned that coming to CSFC means we will teach them which buttons to click on vulnerability/exploit finding software(s) and they can start being 1337 H4x0rs. But the sad reality of life is that being good at something doesn’t just come from learning to click buttons and knowing how to use a mouse. I, myself, is not a security professional, there are a ton of knowledge I need to gather too, but I am pretty sure it doesn’t always just involve clicking buttons and moving your mouse here and there.

So, after being a part of various communities in Malaysia for awhile, I have come to believe and decided (after thinking hard about it for the past ~4months, having discussed various times with Beard-0 and having talked to a few folks) that the community-ness in Malaysia is certainly at its last breath, don’t want to call it dead though. Maybe some still believes it is still growing strong. But to me, it’s at its last breath. I’d be lucky to attend/help out a few more community events in June (I know there is one in planning for Fedora Malaysia, if you’re interested, please have a look at the agenda, we’re still getting the date/venue sorted)

Although, my inner voice do hope that someone from the “younger/college/university” group in the community step-up and rekindle that community-ness fire in Malaysia. But I know that if I ever need to take a vacation in Malaysia and wants to meet the community folks, I can always find the Fedora/Python/Mozilla Malaysia, Code Equality (they’re AWESOME!) and some of the HITB folks. :)

So long and thanks for all the fish!

[Nullcon HackIM 2014] Forensics 2 Writeup

Fri, 31 Jan 2014 09:27:00 +0000

Points: 200

Description: There was a zip file on the desktop. I can’t remember the password for it.

We saw a zip file named: “null password.zip” on the desktop. When opened, there are 2 files which are encrypted. So it was clear that we needed to crack the zip.

First we looked at some hints from the challenge creator ;)

#Hint for FOR2 "User was too dumb to store the password in the protected zip file itself" #HackIM #ForensicChallenge @nullcon @null0x00
— Prince Komal Boonlia (@boonlia) January 25, 2014

#Hint for FOR2 "Why would someone put two files if it could have been done with one file" #HackIM #ForensicChallenge @nullcon @null0x00
— Prince Komal Boonlia (@boonlia) January 25, 2014

So, Beard-0 looked at a freshly booted VM of the image (since I was lazy + forgot to save the initial snapshot and was already working on another Forensic challenge) and looked at the Temp folder in AppData/Local, there he found a folder name Rar$DI99.160 inside which had one of the file “Null final1.pdf”. From this we looked at known attacks on zip files and found https://en.wikipedia.org/wiki/Known-plaintext_attack

We zipped the “Null final1.pdf” into a zip. Installed the evaluation edition of Ultimate Zip Cracker - http://download.cnet.com/Ultimate-ZIP-Cracker/3000-2092_4-10040839.html

Selected the “Plaintext attack” recovery method.

Chose the “Null final1.pdf” zip file as plaintext file.

And finally we had the unzip’d archive.

[Nullcon HackIM 2014] Forensics 5 Writeup

Mon, 27 Jan 2014 15:24:00 +0000

I play security competitions called Capture The Flag (CTF) with a group called Glider Swirley

Points: 500 Description: The client says that the system was compromise. There was no evidence found for the same. The client claims that some anti-forensics tool was used to remove the evidences. Our investigator agrees to it. Can you find out what was the command that was executed and at what time it was done?

There was a hint for it by one of the organizers.

#Hint for FOR5 "it crashed when it was being cleaned up" #HackIM #ForensicChallenge @nullcon @null0x00
— Prince Komal Boonlia (@boonlia) January 25, 2014

Since all the forensics challenges were based on 1 VM image, it was already known that the image is Windows 7 SP1 x86, thus the profile to use for volatility - https://code.google.com/p/volatility/ was Win7SP1x86. So I acquired the memory dump of the system (MEMORY.DMP)

As this was the first time we (me & Beard-0) had to use volatility, I tried to get familiar with it by looking at the process list. Issued with

    [nullcon-2014] >>> % vol.py -f MEMORY.DMP --profile=Win7SP1x86 pslist

Showed a few processes. But clearly by that I knew it wasn’t show me anything about a command being executed or a process crashing. Beard-0 looked through a few usage of volatility and found cmdscan. So I tried it out.

    [nullcon-2014] >>> % vol.py -f MEMORY.DMP --profile=Win7SP1x86 cmdscan 
    Volatility Foundation Volatility Framework 2.3.1
    **************************************************
    CommandProcess: conhost.exe Pid: 2200
    CommandHistory: 0x292a70 Application: TPAutoConnect.exe Flags: Allocated
    CommandCount: 0 LastAdded: -1 LastDisplayed: -1
    FirstCommand: 0 CommandCountMax: 50
    ProcessHandle: 0x58
    **************************************************
    CommandProcess: conhost.exe Pid: 2996
    CommandHistory: 0x5f04f8 Application: cmd.exe Flags: Allocated, Reset
    CommandCount: 2 LastAdded: 1 LastDisplayed: 1
    FirstCommand: 0 CommandCountMax: 50
    ProcessHandle: 0x58
    Cmd #0 @ 0x5ed400: cd desktop
    Cmd #1 @ 0x5f4730: sdelete -c -z c:
    Cmd #36 @ 0x5c00c4: ^?_?\???\
    Cmd #37 @ 0x5ed108: _?\????
    **************************************************
    CommandProcess: conhost.exe Pid: 2996
    CommandHistory: 0x5f0698 Application: sdelete.exe Flags: Allocated
    CommandCount: 0 LastAdded: -1 LastDisplayed: -1
    FirstCommand: 0 CommandCountMax: 50
    ProcessHandle: 0x50

So it seems the process we want is sdelete -c -z c:, but the flag format requires, the command and the time. So definitely it seems, we need a screenshot of when the process crashed. Now does volatility have a screenshot feature? Well, since it’s so awesome it does.

    [nullcon-2014] >>> % vol.py -f MEMORY.DMP --profile=Win7SP1x86 screenshot --dump-dir shots/

It just needs a directory to dump the screenshots and voila, one of the screenshots shows up:

Zeromutarts CTF Crypto Challenges

Mon, 27 Jan 2014 15:08:00 +0000

The magic of rsa (100)

You were able to hear some whispering on the last crypto party!
*whisper* $d$ is 35181901. Keep it secret or we are doomed!

We were given 2 files for the challenge.

1) rsa.py

    #!/usr/bin/env python
    import sys
    n= 65354147
    e = 13
    d = ??

    f = open( sys.argv[1] , "r" )
        for line in f: 
        line = int(line.strip())
        # you'll have to insert the decrypt function for each line(number) here!
        #dec = ...
        print chr(dec)

2) rsa.txt

If you read up about RSA decryption on Wikipedia, it’s pretty simple and straightforward to solve this challenge. You need $C$ = ciphertext (we got loads of it there in rsa.txt, just need to use one by one), $d$ = private key exponent (we got that as well), $n$ = modulus for both private and public keys. Thus, $M \equiv C^{d} \bmod n$

Here, I used sagemath cloud application to solve it as follows. You could actually save the following into a python script and run it.

    n = 65354147
    d = 35181901
    ctuple = [32588732,56947340,16730166,16529146,17037091,9958499,18895626,49410873,
    58063242,16529146,18895626,30273022,58063242,30273022,60194095,9956852,58063242,
    44337129,16730166,5059543,40999214,39158796,5059543,58063242,54302449,9958499,5806
    3242,8646641,16730166,51307370,16730166,57845836,16730166,34996934,32762958]
    result = ""

    for i in ctuple:
        lol = pow(i, d, n)
        result += chr(lol)
    print "Result for http://zeromutarts.de/task/rsa_magic : " + result

rivest-shamir-adleman (250)

*This one is important, we have no clue how to decrypt the secret message! Can you help us?*

We were given 2 files for this challenge as well.

1) rivest.py

    #!/usr/bin/env python
    import sys
    n= 80646413
    e = 5

    # You'll have to find the d yourself..
    d = unknown

    f = open( sys.argv[1] , "r" )
    for line in f: 
        line = int(line.strip())
        # you'll have to insert the decrypt function for each line(number) here!
        #dec = ...
        print chr(dec)

    # might come handy
    def xgcd(a,b):
        """Extended GCD:
        Returns (gcd, x, y) where gcd is the greatest common divisor of a and b
        with the sign of b if b is nonzero, and with the sign of a if b is 0.
        The numbers x,y are such that gcd = ax+by."""
        prevx, x = 1, 0;  prevy, y = 0, 1
        while b:
            q, r = divmod(a,b)
            x, prevx = prevx - q*x, x
            y, prevy = prevy - q*y, y
            a, b = b, r
        return a, prevx, prevy

    def modinv(a, m):
        """Modular multiplicative inverse, i.e. a^-1 = 1 (mod m)"""
        a, u, v = xgcd(a, m)
        if a <> 1:
            raise Exception('No inverse: %d (mod %d)' % (a, m))
        return u

2) rivest.txt

This time we seriously need sagemath to solve it. :) Since we don’t know the $d$ to decrypt the messages for this challenge, we first need to find the $p$ & $q$ to get $d$. The most straightforward way to get that is to use Fermat’s Factorization method.

I used the formula from here: http://facthacks.cr.yp.to/fermat.html to get $p$ & $q$.

    n = 80646413
    e = 5
    ctuple = [72895864,15633602,38820479,60303684,7458706,60299530,20682371,54642689,
    26066811,32615038,35349196,76400140,38820479,56463813,80491201,76400140,35349196,
    69567074,26066811,76400140,74270178,76127647,76127647,15633602,76400140,60303684,
    38820479,56463813,60303684,76400140,72844764,76127647,69302434,15633602,80491201,
    76400140,6809712,26066811,76400140,42498798,60299530,76127647,69302434,80491201,
    33234011]
    def fermatfactor(N):
       if N <= 0: return [N]
       if is_even(N): return [2,N/2]
       a = ceil(sqrt(N))
       while not is_square(a^2-N):
         a = a + 1
       b = sqrt(a^2-N)
       return [a - b,a + b]
    p, q = fermatfactor(n)

    phi=(p-1)*(q-1)
    d=pow(e,-1,phi)

    result = ""
    for i in ctuple:
        lol=pow(i,d,n)
        result+=chr(lol)
    print "Result for result http://zeromutarts.de/task/rivest-shamir-adleman : " + result

[Nullcon HackIM 2014] Misc 1 Writeup

Mon, 27 Jan 2014 20:02:01 +0800

Disclaimer: This post was orginally posted on apucsfc.org¹, which was a university security club where the author was a part of the CTF team and wrote this post back in 2014.

Points: 100

Description: Sam has parked his car in front of a store. Find the name of the store.

File: Level 1.pcap

As the usual, opened up the pcap file with wireshark. Looked around for some packet data that were interesting. Found an HTTP packet that had an image data in it. Exported the data by clicking File->Export Objects->HTTP, select the packet and save it as .png. And we get this image.

First tried looking at hex and fiddling with the colours. Then, read the description again and thought of GPS, so we looked into the metadata of the image using ImageMagick’s identify tool.

$ identify -verbose blah2.png

Got the stuff below (snipped).

Properties:
date:create: 2014-01-27T19:46:46+08:00
date:modify: 2014-01-27T19:46:46+08:00
exif:GPSAltitude: 100000/100
exif:GPSAltitudeRef: 0
exif:GPSInfo: 46
exif:GPSLatitude: 38/1, 51598/1000, 0/1
exif:GPSLatitudeRef: N
exif:GPSLongitude: 77/1, 3371/1000, 0/1
exif:GPSLongitudeRef: W
exif:GPSMapDatum: WGS-84
exif:GPSVersionID: 2, 2, 0, 0

Converted the 2 GPS coordinates to proper ones that map applications could use. 38.859967,-77.056183. Put that into Google Maps and got the following;

The domain has ceased to exist for a while, possibly until about 2017. You can find the archive of it here: https://web.archive.org/web/20161026194658/http://www.apucsfc.org/nullcon-hackim-2014-misc-1-writeup/ ↩︎

Analysis of iWebSpace Android Application

Thu, 26 Sep 2013 07:41:00 +0000

If you follow me enough on twitter (@mavjs), read my home page or follows my Fedora Ambassador wiki page, you’ll probably know that I study at the Asia Pacific University of Technology and Innovation, Malaysia. This is my account of the n00b analysis done in my free time on the university’s android application.

iWebSpace android application is, as quoted from its non-working Google Play page, “The Asia Pacific University APP provides convenient access to important information and to most of our services in your hand” - pretty cool and convenient for most students.

The only thing in my mind was to do an analysis before actually using it and mostly because this is the first time the university’s Center of Technology and Innovation (CTI) - a R&D department, produced a mobile application. They have both an iPhone version and an android version. Since I don’t own a Macbook, I couldn’t do any analysis on the former version. And android was easier to read as I’m more familiar with Java. That being said about the app, let’s see my n00b findings.

I acquired the .apk from a friend. (I think it’s verion 1.0 and also I don’t own an android)
Used dex2jar to convert .apk to .jar.
Used JD-GUI to open and read the .jar file.

First thing on my mind after opening the .jar file with JD-GUI was to see how the application was authentication the students. So, I scrolled through the code and found a Login class. Inside that Login class, it has a doLogin() method that logs you into the system, once you’ve your student ID and password supplied. I took a closer look at it and guess what I found?

Yup, HTTP. Awesome. No comments there. Let’s move along. Assuming, the majority of the students don’t care about their student ID and password, this is pretty much fine, I guess. :P

The app has functions to show the students, their pending/paid fees, attendance, timetable and exam timetables. Pretty cool and convenient, definitely. So, I did further look at those functions. Firstly, let’s look at Fee function. The Fee class has an onCreate() function, that sets up the view. Further look at it suggests that, it uses a md5 string + student ID to query the Fee status of a particular student. Have a look.

So, I took a closer look at the md5 string. The developers from CTI loves to keep their variable naming short (i, j, k, m, str1, str2). What does str1 actually md5-ing?

int i is getting the YEAR
int j is getting the MONTH
int k is getting the DATE , which is day of the month
int m is getting the HOUR_OF_DAY

From the above, if you reconstruct the md5 string with the current datetime on my system (26-09-2013 15:00:00), you get the following:

    md5(26 + 9 + 'Student ID' + 2013 + 15) = "1640a3e25cc45123c5e234606aefbeb2"

This is the same for the attendance function. The timetable and exam schedule functions aren’t that interesting, so I’ll not write about it here. When reported about the above, the only reply was that they will secure the web services. Does that mean they will keep sending the student ID and password over plain HTTP? I’ve no idea. :D I looked at the Google Play store page for the app and found that it couldn’t be found. What’s up?

But the most interesting part about the whole app is the ActiveWebspace class. It seems to register the device using the application to the server so that they can see what’s the count of devices using the app and to send push notifications to them. The server is registered with some unique regId, name and email to a web application residing at the following:

Once I found that URL, the only logical thing for me to do was to go one directory up, and see if I could find anything. And I did. This is what I found;

There was no authentication or whatsoever needed to access that, although they’ve 403’d the service after some hour that I reported about it. The reply they sent me was accordingly;

Cool story - “illustration purpose”. But it seems the message box can be used to send push notification from the look of the JavaScript function they were using:

Hey, at least this isn’t as bad as the iMessage Chat for android where it could possibly download malicious stuff, right? :P I think I’ll probably only use those services via web. Maybe some other day when I’m free, I’ll try looking at the iPhone version and see what kind of stuff they coded in. XD On another note, this was all done on a Fedora 19 laptop. Ciao!

Steam fail to start

Sat, 14 Sep 2013 04:43:00 +0000

Last night I was playing some games on Steam and closed it after I finished playing. Then I browsed around the Humble Bundle and bought the Humble Indie Bundle 9 since I wanted Mark of the Ninja, so to redeem it I switched on Steam. But it wasn’t starting up. So, opened it from terminal and got some errors, but those were there since ages and doesn’t actually affected the start up last time.

So, this morning, I was talking to a friend on IRC about it and he mentioned that you could just do

    /usr/bin/steam --reset

to reinstall and start again..and voilà it was indeed working again. :)

[Note]: Another friend suggested to restart the router, not sure how effective that would have been though. :P

Zsh Autocomplete Function to change and auto complete directories' name

Sat, 27 Oct 2012 05:01:00 +0000

About some weeks ago, I was trying to find a way to alias my favourite directory (~/Programming/Pythons) in zsh, and it should show me the directories contained inside it. But aliasing doesn’t work, except to cd me to that directory. Or a function can help me get into the directories inside ~/Programming/Pythons but I’d have to type out the directories’ name manually. That wasn’t an option either.

So I turned to “Uncle Google” :P for it. Also what I remembered from Zsh is that it’s auto completion is really awesome. So I searched for “zsh autocomplete function” and read some stackoverflow examples and stuff. But I had some errors if I was using oh-my-zsh‘s functions.zsh to store/write my zsh auto complete function in it.

What I did was, instead of writing that auto complete function inside oh-my-zsh’s functions.zsh, I wrote it directly inside .zshrc, like this:

    function prog() { 
        cd ~/Programming/Pythons/$1;
        }

    _prog() {
        _files -W ~/Programming/Pythons;
        }

    compdef _prog prog

What this code actually does is that when you type prog after sourcing your .zshrc file, it expands the defined directory, in here; ‘~/Programming/Pythons/’ and the argument $1 is based on whatever directory you selected from the expansion of the directory from the function _prog(), like this;

This exactly did what I needed. If you got awesome auto complete functions written, do share it at the comments. :)

Resources

Introduction to Grok web application framework @ UCTI

Sun, 09 Sep 2012 06:34:00 +0000

Hey folks, we, the Fedora Malaysia community in conjunction with UCTI Free & Open Source Software SIG, have planned for an introductory workshop on Grok, a web application framework. It uses the Zope Toolkit (ZTK).

This session is aimed towards finding more python as well as zope/plone/FOSS developers in Malaysia. The session is mentored by our very own Fedora Ambassador, Izhar a.k.a KageSenshi, who works at a local Plone support and service company called Inigo Consulting.

Following are the details of the session:

Date: Sun 15th July, 2012

Time: 11:00-18:00

Venue: Level-2 Room-5 (L2-5), UCTI (Google Maps: http://goo.gl/maps/dI7h)

Fee: Free Of Charge ;)

Folks coming to the session, (that’s you!), should bring along their own laptops (obviously!) and do not necessarily need to know Python, but need to have programming knowledge. Learning/knowing Python can be enhanced later on. Also need to know basic/intermediate HTML/CSS/JS.

Although, we prefer Unix/Linux systems like Fedora, users are welcome to use any platform that they wish, provided that they know how to install Grok or any other software packages and troubleshoot problems if they arise.

We might be passing around some Fedora 17 if we happen to not finish them off at Malaysia OpenSource Conference. :P So, if you happen to know how to use *nix system and just need to boot it up to it, you can use a virtual machine to boot into a *nix system using the CDs/DVDs passed around or you can also ask me, for an ISO image before the session, if you need one. :)

See you all there!

Links:

Zope/Plone User Group Malaysia G+: http://goo.gl/HcM7n

Zope/Plone User Group Malaysia Maliling List: http://groups.google.com/group/zplug-my

Getting Python Libraries Installed The Normal Way on Windows

Thu, 10 May 2012 00:38:00 +0000

I’ve been using GNU/Linux distributions for almost 2 years and with Fedora for about ~7-8 months.

Every single day I do some experiments with python, and every single time it makes me feel comfortable using Fedora to write scripts. It removes headaches from happening because I don’t have to figure out ways to install python libraries you need. I can just go forward with concentrating on coding.

There’s a little script I wrote called; ucti-timetable. It’s used to download timetables from my university and store them locally. But since a large user base from my university are windows users, I had to make it work on windows as well. Well, to be honest it works, but only one thing:

PAIN!!

It’s so painful to install a python library on windows. It fails most of the time…why is that?, you ask me..

Well, it’s because the python executable path is not in your $PATH. dafuq, right? So, yeah, this is how you do it (based on Windows 7):

Right click -> My Computer -> Properties -> Advanced System Settings -> Advanced tab ->Environment Variables -> System Variables

after that find PATH and append this or equivalent (depending on where your python gets installed): C:\Python27\

Only after you do this you could install BeautifulSoup the “normal” way

python setup.py install

Insane, right?

Spreading Fedora Love - One At A Time

Mon, 30 Apr 2012 03:32:00 +0000

Disclaimer: This post is actually abit overdue. Was supposed to be up by Tuesday, but some stuff caught up.

Event Details

Time: 10:00 - 16:00
Date: 23rd April, 2012
Venue: UCTI
Aim: Sharing knowledge/Teaching about GNU/Linux operating system(s).

This event was organized by rebelk0de and I, Maverick. I have been contributing to Fedora Malaysia for about ~5-7months now, while rebelk0de has long since contributed/helped Fedora MY.

It was aimed at sparkling the GNU/Linux and FOSS enthusiasm in UCTI, the event venue for FUDCon KL. Since UCTI had thousands of students, we had to start off with something smaller. So, we look for a small group of technical folks among the students, and we found the UCTI Technical Assistants (TAs). TAs work in the UCTI computer labs to maintain approimately 300 computers running Windows operating system, daily.

And as recently, I, together with rebelk0de (as advisor) and a small group of 4 people, have been working hard to get UCTI Free & Open Source Software Special Interest Group (FOSS SIG) back into shape and in official status. Therefore, as a recruitment drive, to share knowledge about FOSS & GNU/Linux and to promote & expand the “Fedora Love” to the folks here in UCTI, I was there at the date of the event.

The event’s objective was to get Fedora and Ubuntu running with little or no headaches involved for beginners. And to understand abit about getting the installed operating system up and running with things the users needed getting installed on a as needed basis, so, mainly it was about teaching them how to make use of the “yum” and “apt-get” package management utilities.

The event started around 11:00 and was headed by rebelk0de. I was the assistant ;), mainly to help out when folks couldn’t catch up or something went wrong with their Fedora installs. I mainly shared my knowledge about “things to watch out for when installing Fedora”, especially, the different types of installation processes and some tips & tricks for beginners. I also distributed some leftover Fedora 16 CDs that I had from this year’s FAD, almost all of the folks that showed up got it.

We took off the event by installing “Fedora” on the virtualboxes which took approximately 30mins. The installation environments were inside virtualbox on Windows hosts. The reason to take this approach was that we would have needed a lot of extra precious hard disks for this one event, the machines retains their changes after reboot (so it was easier to use virtualboxes) and most of the folks who showed up have never installed/used either Fedora or Ubunt and GNU/Linux in general. Most of the time was taken on explanining the installation process and post installation configurations such as “adding their users to the sudoers if they forgot to add it” and about using the vi text editor.

Most of the tutorial/hands-on were done on Fedora. Ubuntu was just used to show how to use the package management utilities. We all had a lunch break around 14:00-15:00. And we wrapped up the event by 16:00.

rebelk0de and I have promised the folks to have more continuous classes for them in the future, and they have agreed. So, on with more classes/events then! :D

P.S. Will share the event photos after getting uploaded to Fedora My’s Albums. ;)

Edit: Here is the photos from the event: GNU/Linux Intro Class at UCTI

Blogger CLI Posting Tip

Sat, 21 Apr 2012 15:01:00 +0000

What do you do when you’re a geek who uses Fedora, needs to write blog posts on blogspot.com and like only command line based clients?

Well, you do a ‘yum search’, of course. And then there you will find something called ‘googlecl’. So you do

    # yum install googlecl

Now, you could just write a blog post within a text file and post to the blog by doing;

    % blogger post --tags "GoogleCl, Fedora" --src /path/to/post/file --title "your post title"

That’s it! :)

posted from googlecl on fedora 16 :)

Hello World!

Fri, 13 Apr 2012 19:22:00 +0000

Welp, this is the first post on this blog. :)

Watch this blog for some #GNU/Linux, #FLOSS, #InfoSec & #Coding tips ’n tricks!

//posted from googlecl on fedora ;)

Maverick Kaung

Automatic backup with restic and systemd service

What is the 3-2-1 backup strategy?

LAN server backup

Local drive backup

Systemd service and timer units

Blog setup with Hugo, Github and Netlify

Overview of setup

pushnotifier

Using Podman pods Instead of docker-compose

What is Docker Compose?

How does a Docker Compose configuration look like?

What is Podman?

What is a Pod?

pod definition

systemd units

First time experience with Atomic Red Team

What is Atomic Red Team?

Security Monitoring and role of testing defenses

Lab Overview

Setting up pre-requisites

Setting up openssh remoting

PSWSMan module for WinRM PSRemoting on Linux

Test Execution - the real deal

Summary

YAML linting and schema validation

Background

The Details

YAML Linting

Yamale - schema validation

Challenge

Full Example Files

detection_rule.yml

schema.yaml

validator.py

Contributing to Kali Linux using toolbox on Fedora

Background

The Details

How toolbox works

Using Debian Docker image

Creating the patch

2018 FLARE-On Challenges Writeup

Minesweeper Championship Registration

Ultimate Minesweeper

Swap Control and Caps Lock on Windows

Manually editing the registry key

Explanation for the values

References

Updates

goPwned

Running GUI apps from Fedora Docker containers

Fedora 21 Workstation HiDPI on retina macbook pro

World of Warcraft on Fedora 20 via wine

Compiling Voxelands on Mac OSX

What is Voxelands?

Setting up searx with gunicorn and supervisor

What is searx?

Community-ness in Malaysia at its last breath?

[Nullcon HackIM 2014] Forensics 2 Writeup

[Nullcon HackIM 2014] Forensics 5 Writeup

Zeromutarts CTF Crypto Challenges

The magic of rsa (100)

1) rsa.py

2) rsa.txt

rivest-shamir-adleman (250)

1) rivest.py

2) rivest.txt

[Nullcon HackIM 2014] Misc 1 Writeup

Analysis of iWebSpace Android Application

Steam fail to start

Zsh Autocomplete Function to change and auto complete directories' name

Resources

Introduction to Grok web application framework @ UCTI

Getting Python Libraries Installed The Normal Way on Windows

Spreading Fedora Love - One At A Time

Blogger CLI Posting Tip

Hello World!

What is the `3-2-1` backup strategy?

`detection_rule.yml`

`schema.yaml`

`validator.py`

How `toolbox` works