Network Issue with Kioptrix: Level 1 VM

Playing with the Kioptrix: Level 1 vulnerable Linux VM I kept having an issue where even though I set the Network Adapter to use my custom LAN segment it would change back to Bridged during boot up.

Before:

After:

What I ended up doing to fix the issue is the following:

1. Power off the VM & remove the Network Adapter.
2. Remove the VM from VMware workstation.
3. Browse to the location of the VM’s VMX file & open it in your favorite text editor.
4. Remove all entries that start with “ethernet0” & save your changes.

Note – In my case I still had quite a few even though I had removed the NIC from within VMware workstation. Here are the settings I removed. Also note that they may not all be right next to each other in the VMX file.

ethernet0.allowGuestConnectionControl = “FALSE”

ethernet0.features = “1”

ethernet0.wakeOnPcktRcv = “FALSE”

ethernet0.networkName = “Bridged”

ethernet0.addressType = “generated”

ethernet0.pciSlotNumber = “32”

ethernet0.generatedAddressOffset = “0”

ethernet0.connectionType = “bridged”

ethernet0.pvnID = “52 2d e6 a1 6b d2 75 7c-36 41 8a 52 fc c8 48 5c”

5. After saving the file, import the VM back into VMware workstation & power it on.

Replace Tenable Nessus Essentials Self-Signed Certificate

After installing Tenable Nessus Essentials & browsing to the web interface, you get warning about the certificate. The message can vary depending on the name used in the browser to connect (localhost, hostname, etc.)

This is due to it using the built-in self-signed certificate that is generated when Tenable Nessus Essentials is installed.

Once logged into the web interface, there isn’t anywhere to replace the certificate being used. I found the link below on how to use a certificate from a certificate authority, but the details are…lacking.
https://docs.tenable.com/nessus/Content/CustomSSLCertificates.htm

So below is what I did to replace the self-signed certificate with one from an internal certificate authority. It’s no one-stop script or function to run but it does the trick. Form follow function people. All the code can be found on my GitHub page. Some code is based off other sources & is credited on the GitHub page.
https://github.com/ThePatrickHoban/Scripts/blob/master/PowerShell/Certificates/GenerateNessusCertificate.ps1

All the standard disclaimers apply, if you break something that’s on you. Use at your own risk.

1. 1. Create a DNS entry as needed for the FQDN you are going to use. In my case, I use nessus.laptoplab.net.
   2. Some environment specific variables you will need to change. $CN is the FQDN that will be used to access the web interface. $TemplateName is the name of the template in your CA. $Password is a temporary password used for exporting the certificates.

# Variables to update as needed
[string]$CN = "nessus.laptoplab.net"
[string]$TemplateName = "LabSSLWebCertificateCustom"
[string]$Password = "P@ssw0rd"




Set some more variables. These you can modify if needed.



# Other Variables
[string[]]$SAN = "DNS=$CN"
[string]$Date = Get-Date -Format yyyyMMddhhmmss
[string]$FriendlyName = """Nessus $Date"""
[int]$keyLength = 2048
[string]$NessusCAPath = "C:\ProgramData\Tenable\Nessus\nessus\CA"
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force

# CA
$rootDSE = [System.DirectoryServices.DirectoryEntry]'LDAP://RootDSE'
$searchBase = [System.DirectoryServices.DirectoryEntry]"LDAP://$($rootDSE.configurationNamingContext)"
$CAs = [System.DirectoryServices.DirectorySearcher]::new($searchBase,'objectClass=pKIEnrollmentService').FindAll()
If ($CAs.Count -eq 1){
$CAName = "$($CAs[0].Properties.dnshostname)\$($CAs[0].Properties.cn)"
} Else {
$CAName = ""
}
If (!$CAName -eq "") {
$CAName = "$CAName"
}




Stop the Tenable Nessus service



Stop-Service -Name 'Tenable'




Create a variable of the contents for the INF file to be used by certutil.



# INF Template
$file = @"
[NewRequest]
FriendlyName = $FriendlyName
Subject = "CN=$CN,c=$Country,s=$State,l=$City,o=$Organisation,ou=$Department"
MachineKeySet = TRUE
KeyLength = $KeyLength
KeySpec=1
Exportable = TRUE
RequestType = PKCS10
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
[RequestAttributes]
CertificateTemplate = "$TemplateName"
"@

# SAN Certificate
If (($SAN).count -eq 1) {
$SAN = @($SAN -split ',')
}
$file +=
@'

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"

'@
ForEach ($an in $SAN) {
$file += "_continue_ = `"$($an)&`"`n"
}




Prepare a few files.



$inf = Join-Path -Path $env:TEMP -ChildPath "$CN.inf"
$req = Join-Path -Path $env:TEMP -ChildPath "$CN.req"
$cer = Join-Path -Path $env:TEMP -ChildPath "$CN.cer"




Populate the INF file.



Set-Content -Path $inf -Value $file




Create a CSR.



Invoke-Expression -Command "certreq -new `"$inf`" `"$req`""




Get the private key info for the CSR.



# Private Key
$CertificateRequest = Get-ChildItem -Path Cert:\LocalMachine\REQUEST | Where-Object {$_.Subject -like "CN=$CN*"} | sort NotBefore | Select-Object -Last 1
Export-PfxCertificate -Cert $CertificateRequest -Password $SecurePassword -FilePath "$env:TEMP\$CN.pfx"

# Convert PFX to PEM
Set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
Set-Location -Path 'C:\Program Files\OpenSSL-Win64\bin'
Invoke-Expression -Command ".\openssl.exe pkcs12 -in $env:TEMP\$CN.pfx -nocerts -out $env:TEMP\$CN.pem -passin pass:$Password -passout pass:$Password"
Invoke-Expression -Command ".\openssl.exe rsa -in $env:TEMP\$CN.pem -out $env:TEMP\$CN.key -passin pass:$Password -passout pass:$Password" 2>&1
Set-Location -Path C:\Temp




Submit the CSR to the CA.



Invoke-Expression -Command "certreq -submit -config `"$CAName`" `"$req`" `"$cer`""




Retrieve the certificate.



Invoke-Expression -Command "certreq -accept `"$cer`""




Export the certificate.



# Export certificate
$IssuedCertificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "CN=$CN*"} | sort NotBefore | Select-Object -Last 1
Export-Certificate -Cert $IssuedCertificate -FilePath "$env:TEMP\$CN`_Issued.cer"
# Convert to Base64
certutil -encode "$env:TEMP\$CN`_Issued.cer" "$env:TEMP\$CN`_Issued_Base64.cer"




Get the CA’s certificate. This step can vary depending on the PKI infrastructure.



# Get CA Certificate
# https://www.powershellgallery.com/packages/CertificatePS/1.2/Content/Copy-CertificateToRemote.ps1
[int]$iteration = 1
$Chain.Build($IssuedCertificate) | Out-Null
$ChainElements = $Chain.ChainElements | Select-Object -ExpandProperty Certificate -Skip 1
ForEach ($ChainElement in $ChainElements) {
$Iteration++
$CertificatePath = Join-Path $env:TEMP "$("{0:00}" -f $Iteration).$($ChainElement.Thumbprint).cer"
$ChainElement | Export-Certificate -FilePath $CertificatePath | Out-Null
# Convert to Base64
$Output = certutil -encode "$CertificatePath" "$env:TEMP\$("{0:00}" -f $Iteration).$($ChainElement.Thumbprint)`_Base64.cer"
}




Copy some of the certificate files to the Nessus Tenable directory. This one can vary as well to get the CA cert copied over. But if you’re reading this, you’re probably able to deduce how to get it copied & named correctly based on this example.



# Update Nessus certificate files
$Date = Get-Date -Format yyyyMMddhhmmss
Rename-Item -Path $NessusCAPath\cacert.pem -NewName $NessusCAPath\cacert`_$Date.pem
Copy-Item -Path $CertificatePath.Replace('.cer','_Base64.cer') -Destination $NessusCAPath\cacert.pem
Rename-Item -Path $NessusCAPath\servercert.pem -NewName $NessusCAPath\servercert`_$Date.pem
Copy-Item -Path $env:TEMP\$CN`_Issued_Base64.cer -Destination $NessusCAPath\servercert.pem -Force
Rename-Item -Path $NessusCAPath\serverkey.pem -NewName $NessusCAPath\serverkey`_$Date.pem
Copy-Item -Path $env:TEMP\$CN`.key -Destination $NessusCAPath\serverkey.pem -Force




Start the Tenable Nessus service.



Start-Service -Name 'Tenable Nessus'




Do a little cleanup. You can of course skip this step if you like & just move all the files generated to a secure location for backup.



$Cleanup = Get-ChildItem -Path $env:TEMP | Where-Object {$_.Name -like "$CN*"}
Remove-Item -Path $Cleanup.FullName

Now the moment of truth. Browse to the FQDN you configured for the Nessus Tenable web interface. You should not get any certificate warning.


		
	
								

			

Reset a Linux password from a live CD

Usually any Linux live CD will work. In my case since the installed version of Linux is Mint, I’m just booting to the Mint installation DVD which will by default launch a live session.

1. Boot to live CD.
2. Open terminal.
3. Find the drive with OS installed. (It’s usually /dev/sda1)

sudo fdisk –l

4. Create a temporary directory. It’s only virtual since the live CD runs in memory.

sudo mkdir /mnt/sda1

5. Mount the OS drive to the virtual directory.

sudo mount /dev/sda1 /mnt/sda1

6. Change the terminal root to the mounted drive.

sudo chroot /mnt/sda1

7. Change the password.

passwd john

8. Type the new password twice.
9. Exit chroot.

exit

9. Unmount the drive.

sudo umount /mnt/sda1

10. Remove Live CD & reboot.

Encoding & Decoding Base64 using PowerShell

Update: I updated this on 1/23/2020 to include UTF-8 as well. Originally I just showed Unicode. I have found that “things” are more often encoded in UTF-8.

# Encode string using Base64
$Text = "This was encoded using Base64"
$EncodedUnicode = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Text))
$EncodedUTF8 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
$EncodedUnicode
VABoAGkAcwAgAHcAYQBzACAAZQBuAGMAbwBkAGUAZAAgAHUAcwBpAG4AZwAgAEIAYQBzAGUANgA0AA==
$EncodedUTF8
VGhpcyB3YXMgZW5jb2RlZCB1c2luZyBCYXNlNjQ=
 
# Decode Base64 to string
$Base64Unicode = "VABoAGkAcwAgAHcAYQBzACAAZQBuAGMAbwBkAGUAZAAgAHUAcwBpAG4AZwAgAEIAYQBzAGUANgA0AA=="
$Base64UTF8 = "VGhpcyB3YXMgZW5jb2RlZCB1c2luZyBCYXNlNjQ="
$DecodedUnicode = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Base64Unicode))
$DecodedUTF8 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64UTF8))
$DecodedUnicode
This was encoded using Base64
$DecodedUTF8
This was encoded using Base64

Splunk Certified User

A guy from one of the Facebook groups I’m in challenged everyone to take the free Splunk Fundamentals 1 course & take the certification test. Accepted & done! I must say, for a free course it was pretty good. Picked up a lot of good information. However, it looks like they are ending this course but a new track will be starting soon.

Cisco Certified Network Associate Cyber Ops (CCNA Cyber Ops)

I’ve been working on the Cisco CCNA Cyber Ops certification since December 2017. I was very fortunate to have been invited & accepted into the “Cisco Global Cyber Ops Scholarship Program“. Cisco invested $10 million in this program to increase the pool of talent in the cyber-security field; one that we as Americans really need to focus on. It was fast paced & exciting. Now on to the next one…