SlideShare uma empresa Scribd logo

Headless Host Scanning Techniques

Jan Schaumann
Jan Schaumann

A talk I gave at Twitter in April 2011 about scanmaster and sigsh and how to scan hundreds of thousands of hosts in minutes.

Tecnologia
1 de 67
Baixar para ler offline
Headless Host Scanning Jan Schaumann <jschauma@netmeister.org> 99CE 1DC7 770A C5A8 09A6 0DCD 66CE 4FE9 6F6B D3D7 @jschauma
Headless Host Scanning -- @jschauma 2 11/19/12
Life Lessons: Pen testing can't solve everything. Headless Host Scanning -- @jschauma 3 11/19/12
Inside-Out Headless Host Scanning -- @jschauma 4 11/19/12
Distance to Yahoo! ad in feet: 404 Construction cost: $357 million Capacity: 41,915 Headless Host Scanning -- @jschauma 5 11/19/12
Ballpark numbers Distance to Yahoo! ad in feet: 30927 Construction cost: $1.5 billion Capacity: 52,325 Headless Host Scanning -- @jschauma 6 11/19/12
Life Lessons: Size matters Headless Host Scanning -- @jschauma 7 11/19/12
It all began some time in January of 2007... Yahoo! Presentation; Confidential 11/19/12
Initial Problem Statement “Hey, we need to know which hosts can’t deal with the new Daylight Saving Time.” Headless Host Scanning -- @jschauma 9 11/19/12
A Systems Administrator's Toolbox Headless Host Scanning -- @jschauma 10 11/19/12
A simple tool perl python /bin/sh Headless Host Scanning -- @jschauma 11 11/19/12
Initial "Solution" #!/bin/sh while read host; do ssh $host "env TZ=PST8PDT perl -e ’@t=localtime 1173682800; exit 1 - pop @t’" done Headless Host Scanning -- @jschauma 12 11/19/12
Problem Statement “Please run this script on these hosts.” Headless Host Scanning -- @jschauma 13 11/19/12
2nd Pass #!/bin/sh while read host; do scp script.sh $host:/tmp/ ssh $host "/tmp/script.sh" done Headless Host Scanning -- @jschauma 14 11/19/12
Mensch, nutz' doch ein Konfigurationsmanagementtool! Headless Host Scanning -- @jschauma 15 11/19/12
Configuration Management Headless Host Scanning -- @jschauma 16 11/19/12
Configuration Management Good at: §  keeping state §  ensuring flat text file properties Not so good at: §  deploying applications §  executing (one-time) scripts Terrible at: §  reporting output of individual commands or scripts Headless Host Scanning -- @jschauma 17 11/19/12
Life Lessons: Sturgeon's Law (1st adage) "Nothing is always absolutely so." Headless Host Scanning -- @jschauma 18 11/19/12
Mensch, nutz' doch Deine Logaggregationsinfrastruktur! Headless Host Scanning -- @jschauma 19 11/19/12
Log Aggregation §  makes assumptions about message format §  frequently unreliable and/or asynchronous §  adds additional complexity Headless Host Scanning -- @jschauma 20 11/19/12
3rd Pass #!/bin/sh while read host; do cat script.sh | ssh $host "bash –s" done Headless Host Scanning -- @jschauma 21 11/19/12
3rd Pass #!/bin/sh while read host; do ssh $host "bash –s" < script.sh done Headless Host Scanning -- @jschauma 22 11/19/12
Problem Refinement “Run this set of arbitrary commands on our hosts. Yes, on all of them.” Headless Host Scanning -- @jschauma 23 11/19/12
Wait a second – all hosts? $ wtf host wtf: I don't know what host means! $ §  a computer connected to a network §  a virtual machine §  a container §  jails, zones, ... §  chroot Headless Host Scanning -- @jschauma 24 11/19/12
Sturgeon's Law (1st adage) "Hosts" on the network "Hosts" in asset database "Hosts" in DNS Yahoo! Presentation; Confidential 11/19/12
3rd Pass #!/bin/sh while read host; do ssh $host "bash –s" < script.sh done Headless Host Scanning -- @jschauma 26 11/19/12
4th Pass Headless Host Scanning -- @jschauma 27 11/19/12
Headless Host Scanning -- @jschauma 28 11/19/12
Life Lessons: Causality (Duh!) $ w 10:45AM up 51 days, 22:19, 11 users, load averages: 976.23, 618.17, 1020.25 $ time ls 13.354 real 0.001 user 0.002 sys $ Headless Host Scanning -- @jschauma 29 11/19/12
Horizontal Scalability Scanmaster Scanslaves Scanslaves Targethosts Headless Host Scanning -- @jschauma 30 11/19/12
SSH Complications: assword prompts Interactive connections? Password: $USER@hostname's password: Headless Host Scanning -- @jschauma 31 11/19/12
SSH Complications: assword prompts Interactive connections begat password injectors. Headless Host Scanning -- @jschauma 32 11/19/12
SSH Complications: assword prompts proc respond { pw } { global pws if {![info exists pws($pw)]} { send_user " (autopw) " stty -echo expect_user -re "(.+)n" stty echo set pws($pw) [exec perl -ne "print pack(q{u}, $_)" << $expect_out(1,string)] } else { send_user " (autopw'ed)" } log_user 0 send -- "[exec perl -ne "print unpack(q{u}, $_)" << $pws($pw)]n"; log_user 1 } eval spawn -noecho $argv expect { "assword:" { respond system exp_continue } Yahoo! Presentation; Confidential 11/19/12
SSH Complications: assword prompts Key Authentication to the rescue! Yahoo! Presentation; Confidential 11/19/12
Horizontal Scalability Scanmaster Scanslaves Scanslaves Targethosts Yahoo! Presentation; Confidential 11/19/12
SSH Complications: assword prompts Key Authentication to the rescue? §  private keys need to be present on all hosts connecting to targets §  you need to provide passphrase for private keys at scan start Enter passphrase for /home/${USER}/.ssh/id_rsa: Enter passphrase for /home/${USER}/.ssh/id_dsa: Enter passphrase for /home/${USER}/.ssh/scankey: Yahoo! Presentation; Confidential 11/19/12
SSH Complications: assword prompts Key Authentication also uses password injectors. Headless Host Scanning -- @jschauma 37 11/19/12
SSH Complications: assword prompts SSH Agent Forwarding to the rescue! §  private keys stored in agent on single "safe" machine §  agent forwarding enabled to scan slaves §  everything's peachy! Headless Host Scanning -- @jschauma 38 11/19/12
SSH Agent Forwarding proxy agent Slave Targethosts Master Headless Host Scanning -- @jschauma 39 11/19/12
SSH Agent Forwarding proxy agent Slave Targethosts Master Headless Host Scanning -- @jschauma 40 11/19/12
SSH Agent Forwarding Master Headless Host Scanning -- @jschauma 41 11/19/12
SSH Agent Forwarding Headless Host Scanning -- @jschauma 42 11/19/12
Scalability issues Scanmaster Scanslaves Scanslaves Targethosts Headless Host Scanning -- @jschauma 43 11/19/12
Miscellaneous Scalability Issues §  doing hostname lookups for each connection is expensive §  use IP addresses §  parsing known_hosts with several 100K entries is expensive §  use UserKnownHostsFile=/dev/null §  use GlobalKnownHostsFile=/dev/null §  hosts change ssh keys "frequently" §  we need StrictHostKeyChecking=no :-( §  collecting even only a few lines from every single host can fill up your disk quickly §  ssh connections can hang "indefinitely" (=> tkill(1) cron scheduled killing of processes) Headless Host Scanning -- @jschauma 44 11/19/12
Yay, Open Source! Headless Host Scanning -- @jschauma 45 11/19/12
Scanmaster Scripts §  checkhosts(1) §  run given script on all hosts in input via ssh(1) (in background) §  scanhosts(1) §  invoke checkhosts(1) against split input (again in background) §  defaults to 150 invocations of checkhosts(1) in parallel §  scanslave(1) §  starts ssh-agent(1) and adds keys §  adds tkill(1) crontab §  invoke scanhosts(1) against split input §  scanmaster(1) §  splits input into number of scanslaves chunks §  ssh to each scanslave and kicks off scanslave(1) in screen session §  aggregates and post-processes results Headless Host Scanning -- @jschauma 46 11/19/12
Scanmaster Scripts $ wc -l * 330 checkhosts 259 scanhosts 325 scanmaster 179 scanslave 1093 total $ file * checkhosts: Bourne shell script text executable scanhosts: Bourne shell script text executable scanmaster: Bourne shell script text executable scanslave: Bourne shell script text executable $ Headless Host Scanning -- @jschauma 47 11/19/12
"Every item on the menu at Taco Bell is just a different configuration of roughly eight ingredients. With this simple periodic table of meat and produce, the company pulled down $1.9 billion last year." http://teddziuba.com/2010/10/taco-bell-programming.html Headless Host Scanning -- @jschauma 48 11/19/12
Miscellaneous Security Issues §  ssh-agent exposes our keys to target hosts §  use ForwardAgent=no, ClearAllForwardings=yes §  ssh-agent on scanslaves exposes our privkeys to anybody with super-user privileges on the scanslaves §  use a scan-only key with from= and various no- restrictions §  password injector will respond to anything asking for your assword §  uhm... don't use password auth? §  use of a "real" user is stupid Headless Host Scanning -- @jschauma 49 11/19/12
Going topless. T.O.P.L.E.S.S. Headless User Requirement #1: §  selective access (via ssh keys) Headless User Requirement #2: §  a restricted shell Headless User Requirement #3: §  an un-restricted shell Headless User Requirement #2 and #3: §  allow arbitrary commands, provided they were sanctioned by somebody we trust Headless Host Scanning -- @jschauma 50 11/19/12
Windows PowerShell Headless Host Scanning -- @jschauma 51 11/19/12
Windows PowerShell ExecutionPolicy §  Restricted §  No scripts can be run. Windows PowerShell can be used only in interactive mode. §  Unrestricted §  No restrictions; all Windows PowerShell scripts can be run. §  RemoteSigned §  Downloaded scripts must be signed by a trusted publisher before they can be run. §  AllSigned §  Only scripts signed by a trusted publisher can be run. Headless Host Scanning -- @jschauma 52 11/19/12
The (TacoBell) Sigsh NAME sigsh -- a signature verifying shell SYNOPSIS sigsh [-c certs] [-x] [-p prog] DESCRIPTION sigsh is a non-interactive, signature requiring and verifying command interpreter. More accurately, it is a signature verification wrapper around a given shell. It reads input in PKCS#7 format from standard in, verifies the signature and, if the signature matches, pipes the decoded input into the command interpreter. Headless Host Scanning -- @jschauma 53 11/19/12
Yay, Open Source! Headless Host Scanning -- @jschauma 54 11/19/12
The (TacoBell) Sigsh $ find . ( -type f -a ! -path '*.svn/*' ) | xargs wc -l 50 ./test/sigsh.test.pl 36 ./certs/Makefile 5 ./certs/README 121 ./doc/sigsh.1 17 ./doc/Makefile 176 ./src/sigsh.sh 12 ./README 29 ./LICENSE 446 total $ Headless Host Scanning -- @jschauma 55 11/19/12
Yay, Open Source! Headless Host Scanning -- @jschauma 56 11/19/12
The (TacoBell) Sigsh $ egrep -v "^[ ]*#" sigsh.sh | wc -l 93 $ Headless Host Scanning -- @jschauma 57 11/19/12
The (TacoBell) Sigsh EXAMPLES The following examples illustrate possible usage of this tool. To execute the commands in the file 'script.bash': openssl smime -sign -nodetach -signer mycert.pem -inkey mykey.pem -in script.bash -outform pem | sigsh To execute the perl code contained in the signed PKCS#7 file 'code.pem': sigsh -p /usr/bin/perl <code.pem Headless Host Scanning -- @jschauma 58 11/19/12
The Good, the Bad and the Ugly
The Good §  private cert need not be present on scanslave hosts §  signing party need not be executing party §  if you grant passwordless sudo to the headless user, you can do * §  certs can expire => we have builtin time-bomb powers! §  multiple people can have signing-power independent of each other §  we can scan over XXXK "hosts" in approximately 15 minutes §  we have the flexibility to collect all sorts of interesting data Headless Host Scanning -- @jschauma 60 11/19/12
Scanning over 400 hosts/second [...] 16:09:14: 0 / 30 done - waiting... 16:10:16: 0 / 30 done - waiting... 16:11:18: 1 / 30 done - waiting... 16:12:20: 6 / 30 done - waiting... 16:13:22: 20 / 30 done - waiting... 16:14:24: 27 / 30 done - waiting... 16:15:25: 29 / 30 done - waiting... 16:16:27: 29 / 30 done - waiting... 16:17:30: 30 / 30 done 16:17:30: Scanned XXXXXX hosts in XX minutes and 32 seconds. Aggregating data... Yahoo! Presentation; Confidential 11/19/12
The Bad §  this is still a TacoBell sigsh, not a powershell §  we have not solved the ssh-key access problem (though a leaked ssh-key cannot allow arbitrary command execution, only execution of previously approved commands) §  multiple people can have signing-power independent of each other Headless Host Scanning -- @jschauma 62 11/19/12
Life Lessons: Pareto's Principle The "trivial many" The "vital few" Headless Host Scanning -- @jschauma 63 11/19/12
Life Lessons: Milton Friedman was right. There's nothing so permanent as a temporary government program solution. Yahoo! Presentation; Confidential 11/19/12
The Ugly §  Only ~80% of our hosts have sigsh => we need to combine headless with "headful" scans. Thus, we currently: §  scan headlessly (80%, in <15 minutes) §  scan with regular user and dedicated scankey (11%) §  scan with regular user and password, twice (7%) §  scan with regular user and old password §  scan with regular user and older password §  scan with regular user and even older password §  We still (have to) trust the binaries on the remote host. §  no veriexec, TPE, ... Headless Host Scanning -- @jschauma 65 11/19/12
Life Lessons §  Pen testing can't solve everything. §  Size matters. §  "Nothing is always absolutely so." (Sturgeon's Law) ›  "90% of everything is crud." (2nd adage; freebie) §  Causality (Duh!) §  Mmm, mmm TacoBell! §  80% of the effects come from 20% of the causes. (Pareto Principle) §  There's nothing so permanent as a temporary solution. §  The worst form of on-demand data collection except all the others that have been tried. Headless Host Scanning -- @jschauma 66 11/19/12
Information §  http://www.netmeister.org/apps/scanmaster/ §  http://www.netmeister.org/apps/sigsh/ §  jschauma@netmeister.org §  @jschauma This talk in 140 chars or less: Scanning 100s of K hosts headlessly using a signature verifying shell is awful. Still better than most alternatives. That is all. Headless Host Scanning -- @jschauma 67 11/19/12

Recomendados

FreeBSD: Dev to Prod
FreeBSD: Dev to ProdFreeBSD: Dev to Prod
FreeBSD: Dev to ProdSean Chittenden
 
What we Learned Implementing Puppet at Backstop
What we Learned Implementing Puppet at BackstopWhat we Learned Implementing Puppet at Backstop
What we Learned Implementing Puppet at BackstopPuppet
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Jun Hong Kim
 
Distributed Developer Workflows using Git
Distributed Developer Workflows using GitDistributed Developer Workflows using Git
Distributed Developer Workflows using GitSusan Potter
 
Lights, Camera, Docker: Streaming Video at DramaFever
Lights, Camera, Docker: Streaming Video at DramaFeverLights, Camera, Docker: Streaming Video at DramaFever
Lights, Camera, Docker: Streaming Video at DramaFeverbridgetkromhout
 
Puppet getting started by Dirk Götz
Puppet getting started by Dirk GötzPuppet getting started by Dirk Götz
Puppet getting started by Dirk GötzNETWAYS
 
How we use and deploy Varnish at Opera
How we use and deploy Varnish at OperaHow we use and deploy Varnish at Opera
How we use and deploy Varnish at OperaCosimo Streppone
 
VUG5: Varnish at Opera Software
VUG5: Varnish at Opera SoftwareVUG5: Varnish at Opera Software
VUG5: Varnish at Opera SoftwareCosimo Streppone
 

Recomendados

FreeBSD: Dev to Prod
FreeBSD: Dev to ProdFreeBSD: Dev to Prod
FreeBSD: Dev to ProdSean Chittenden
 
What we Learned Implementing Puppet at Backstop
What we Learned Implementing Puppet at BackstopWhat we Learned Implementing Puppet at Backstop
What we Learned Implementing Puppet at BackstopPuppet
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Jun Hong Kim
 
Distributed Developer Workflows using Git
Distributed Developer Workflows using GitDistributed Developer Workflows using Git
Distributed Developer Workflows using GitSusan Potter
 
Lights, Camera, Docker: Streaming Video at DramaFever
Lights, Camera, Docker: Streaming Video at DramaFeverLights, Camera, Docker: Streaming Video at DramaFever
Lights, Camera, Docker: Streaming Video at DramaFeverbridgetkromhout
 
Puppet getting started by Dirk Götz
Puppet getting started by Dirk GötzPuppet getting started by Dirk Götz
Puppet getting started by Dirk GötzNETWAYS
 
How we use and deploy Varnish at Opera
How we use and deploy Varnish at OperaHow we use and deploy Varnish at Opera
How we use and deploy Varnish at OperaCosimo Streppone
 
VUG5: Varnish at Opera Software
VUG5: Varnish at Opera SoftwareVUG5: Varnish at Opera Software
VUG5: Varnish at Opera SoftwareCosimo Streppone
 
Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點William Yeh
 
Version Control for Mere Mortals
Version Control for Mere MortalsVersion Control for Mere Mortals
Version Control for Mere MortalsEmma Jane Hogbin Westby
 
Manage and Deploy your sites with Drush
Manage and Deploy your sites with DrushManage and Deploy your sites with Drush
Manage and Deploy your sites with DrushAmazee Labs
 
Mining Ruby Gem vulnerabilities for Fun and No Profit.
Mining Ruby Gem vulnerabilities for Fun and No Profit.Mining Ruby Gem vulnerabilities for Fun and No Profit.
Mining Ruby Gem vulnerabilities for Fun and No Profit.Larry Cashdollar
 
Sprockets
SprocketsSprockets
SprocketsChristophe Porteneuve
 
Docker, c'est bonheur !
Docker, c'est bonheur !Docker, c'est bonheur !
Docker, c'est bonheur !Alexandre Salomé
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and newLarry Cashdollar
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Как мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияКак мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияPositive Hack Days
 
Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansibleGeorge Shuklin
 
Efficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesEfficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesSeth Miller
 
Embedded software development using BDD
Embedded software development using BDDEmbedded software development using BDD
Embedded software development using BDDItamar Hassin
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking KubernetesVincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking Kuberneteshacktivity
 
Puppet Conf 2012 - Managing Network Devices with Puppet
Puppet Conf 2012 - Managing Network Devices with PuppetPuppet Conf 2012 - Managing Network Devices with Puppet
Puppet Conf 2012 - Managing Network Devices with PuppetNan Liu
 
Ansible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartAnsible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartHenry Stamerjohann
 
Testing your infrastructure with litmus
Testing your infrastructure with litmusTesting your infrastructure with litmus
Testing your infrastructure with litmusBram Vogelaar
 
Rush, a shell that will yield to you
Rush, a shell that will yield to youRush, a shell that will yield to you
Rush, a shell that will yield to youguestdd9d06
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
Automation and Ansible
Automation and AnsibleAutomation and Ansible
Automation and Ansiblejtyr
 
Ansible - Crash course
Ansible - Crash courseAnsible - Crash course
Ansible - Crash courseSimone Soldateschi
 
Building better tools
Building better toolsBuilding better tools
Building better toolsJan Schaumann
 
Protecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsJan Schaumann
 

Mais conteúdo relacionado

Mais procurados

Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點William Yeh
 
Manage and Deploy your sites with Drush
Manage and Deploy your sites with DrushManage and Deploy your sites with Drush
Manage and Deploy your sites with DrushAmazee Labs
 
Mining Ruby Gem vulnerabilities for Fun and No Profit.
Mining Ruby Gem vulnerabilities for Fun and No Profit.Mining Ruby Gem vulnerabilities for Fun and No Profit.
Mining Ruby Gem vulnerabilities for Fun and No Profit.Larry Cashdollar
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and newLarry Cashdollar
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Как мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияКак мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияPositive Hack Days
 
Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansibleGeorge Shuklin
 
Efficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesEfficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesSeth Miller
 
Embedded software development using BDD
Embedded software development using BDDEmbedded software development using BDD
Embedded software development using BDDItamar Hassin
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking KubernetesVincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking Kuberneteshacktivity
 
Puppet Conf 2012 - Managing Network Devices with Puppet
Puppet Conf 2012 - Managing Network Devices with PuppetPuppet Conf 2012 - Managing Network Devices with Puppet
Puppet Conf 2012 - Managing Network Devices with PuppetNan Liu
 
Ansible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartAnsible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartHenry Stamerjohann
 
Testing your infrastructure with litmus
Testing your infrastructure with litmusTesting your infrastructure with litmus
Testing your infrastructure with litmusBram Vogelaar
 
Rush, a shell that will yield to you
Rush, a shell that will yield to youRush, a shell that will yield to you
Rush, a shell that will yield to youguestdd9d06
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with AnsibleIvan Serdyuk
 
Automation and Ansible
Automation and AnsibleAutomation and Ansible
Automation and Ansiblejtyr
 

Mais procurados (20)

Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點Ansible 實戰:top down 觀點
Ansible 實戰:top down 觀點
 
Version Control for Mere Mortals
Version Control for Mere MortalsVersion Control for Mere Mortals
Version Control for Mere Mortals
 
Manage and Deploy your sites with Drush
Manage and Deploy your sites with DrushManage and Deploy your sites with Drush
Manage and Deploy your sites with Drush
 
Mining Ruby Gem vulnerabilities for Fun and No Profit.
Mining Ruby Gem vulnerabilities for Fun and No Profit.Mining Ruby Gem vulnerabilities for Fun and No Profit.
Mining Ruby Gem vulnerabilities for Fun and No Profit.
 
Sprockets
SprocketsSprockets
Sprockets
 
Docker, c'est bonheur !
Docker, c'est bonheur !Docker, c'est bonheur !
Docker, c'est bonheur !
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and new
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Как мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управленияКак мы взломали распределенные системы конфигурационного управления
Как мы взломали распределенные системы конфигурационного управления
 
Best practices for ansible
Best practices for ansibleBest practices for ansible
Best practices for ansible
 
Efficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesEfficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line Keystrokes
 
Embedded software development using BDD
Embedded software development using BDDEmbedded software development using BDD
Embedded software development using BDD
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking KubernetesVincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking Kubernetes
 
Puppet Conf 2012 - Managing Network Devices with Puppet
Puppet Conf 2012 - Managing Network Devices with PuppetPuppet Conf 2012 - Managing Network Devices with Puppet
Puppet Conf 2012 - Managing Network Devices with Puppet
 
Ansible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartAnsible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / Quickstart
 
Testing your infrastructure with litmus
Testing your infrastructure with litmusTesting your infrastructure with litmus
Testing your infrastructure with litmus
 
Rush, a shell that will yield to you
Rush, a shell that will yield to youRush, a shell that will yield to you
Rush, a shell that will yield to you
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
 
Automation and Ansible
Automation and AnsibleAutomation and Ansible
Automation and Ansible
 
Ansible - Crash course
Ansible - Crash courseAnsible - Crash course
Ansible - Crash course
 

Destaque

Building better tools
Building better toolsBuilding better tools
Building better toolsJan Schaumann
 
Protecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsJan Schaumann
 
Safely Drinking from the Data Waterhose
Safely Drinking from the Data WaterhoseSafely Drinking from the Data Waterhose
Safely Drinking from the Data WaterhoseJan Schaumann
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Jan Schaumann
 
Know Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingKnow Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingJan Schaumann
 
Python Pants Build System for Large Codebases
Python Pants Build System for Large CodebasesPython Pants Build System for Large Codebases
Python Pants Build System for Large CodebasesAngad Singh
 
Semper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolJan Schaumann
 
A Guide to Hiring for your Startup
A Guide to Hiring for your StartupA Guide to Hiring for your Startup
A Guide to Hiring for your StartupYevgeniy Brikman
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSYevgeniy Brikman
 
Startup DNA: the formula behind successful startups in Silicon Valley (update...
Startup DNA: the formula behind successful startups in Silicon Valley (update...Startup DNA: the formula behind successful startups in Silicon Valley (update...
Startup DNA: the formula behind successful startups in Silicon Valley (update...Yevgeniy Brikman
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Yevgeniy Brikman
 
Startup Ideas and Validation
Startup Ideas and ValidationStartup Ideas and Validation
Startup Ideas and ValidationYevgeniy Brikman
 

Destaque (18)

Building better tools
Building better toolsBuilding better tools
Building better tools
 
Protecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted Locations
 
Defense at Scale
Defense at ScaleDefense at Scale
Defense at Scale
 
Fancy pants
Fancy pantsFancy pants
Fancy pants
 
Safely Drinking from the Data Waterhose
Safely Drinking from the Data WaterhoseSafely Drinking from the Data Waterhose
Safely Drinking from the Data Waterhose
 
OpSec101
OpSec101OpSec101
OpSec101
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)
 
Know Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingKnow Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat Modeling
 
Python Pants Build System for Large Codebases
Python Pants Build System for Large CodebasesPython Pants Build System for Large Codebases
Python Pants Build System for Large Codebases
 
Startup DNA: Speed Wins
Startup DNA: Speed WinsStartup DNA: Speed Wins
Startup DNA: Speed Wins
 
Semper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In School
 
A Guide to Hiring for your Startup
A Guide to Hiring for your StartupA Guide to Hiring for your Startup
A Guide to Hiring for your Startup
 
Agility Requires Safety
Agility Requires SafetyAgility Requires Safety
Agility Requires Safety
 
Node.js vs Play Framework
Node.js vs Play FrameworkNode.js vs Play Framework
Node.js vs Play Framework
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECS
 
Startup DNA: the formula behind successful startups in Silicon Valley (update...
Startup DNA: the formula behind successful startups in Silicon Valley (update...Startup DNA: the formula behind successful startups in Silicon Valley (update...
Startup DNA: the formula behind successful startups in Silicon Valley (update...
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
 
Startup Ideas and Validation
Startup Ideas and ValidationStartup Ideas and Validation
Startup Ideas and Validation
 

Semelhante a Headless Host Scanning Techniques

Webinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and moreWebinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and morepanagenda
 
nginxをソースからインストールしてみたよ
nginxをソースからインストールしてみたよnginxをソースからインストールしてみたよ
nginxをソースからインストールしてみたよmamoru tateoka
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat KorchaginNETWAYS
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin Davide Cioccia
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network IssuesApcera
 
Love The Terminal
Love The TerminalLove The Terminal
Love The TerminalMike West
 
Copying files between linux machines using scp and ssh without linux user pas...
Copying files between linux machines using scp and ssh without linux user pas...Copying files between linux machines using scp and ssh without linux user pas...
Copying files between linux machines using scp and ssh without linux user pas...Ravi Kumar Lanke
 
Approach to find critical vulnerabilities
Approach to find critical vulnerabilitiesApproach to find critical vulnerabilities
Approach to find critical vulnerabilitiesAshish Kunwar
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsMarian Marinov
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commandsMichael J Geiser
 
Fast & Furious: Speed in the Opera browser
Fast & Furious: Speed in the Opera browserFast & Furious: Speed in the Opera browser
Fast & Furious: Speed in the Opera browserAndreas Bovens
 
Building a Docker v1.12 Swarm cluster on ARM
Building a Docker v1.12 Swarm cluster on ARMBuilding a Docker v1.12 Swarm cluster on ARM
Building a Docker v1.12 Swarm cluster on ARMTeam Hypriot
 

Semelhante a Headless Host Scanning Techniques (16)

Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
 
Webinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and moreWebinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and more
 
nginxをソースからインストールしてみたよ
nginxをソースからインストールしてみたよnginxをソースからインストールしてみたよ
nginxをソースからインストールしてみたよ
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network Issues
 
Love The Terminal
Love The TerminalLove The Terminal
Love The Terminal
 
Copying files between linux machines using scp and ssh without linux user pas...
Copying files between linux machines using scp and ssh without linux user pas...Copying files between linux machines using scp and ssh without linux user pas...
Copying files between linux machines using scp and ssh without linux user pas...
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
Approach to find critical vulnerabilities
Approach to find critical vulnerabilitiesApproach to find critical vulnerabilities
Approach to find critical vulnerabilities
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commands
 
Fast & Furious: Speed in the Opera browser
Fast & Furious: Speed in the Opera browserFast & Furious: Speed in the Opera browser
Fast & Furious: Speed in the Opera browser
 
Building a Docker v1.12 Swarm cluster on ARM
Building a Docker v1.12 Swarm cluster on ARMBuilding a Docker v1.12 Swarm cluster on ARM
Building a Docker v1.12 Swarm cluster on ARM
 

Mais de Jan Schaumann

The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageJan Schaumann
 
Crazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkCrazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkJan Schaumann
 
It's the people, stupid.
It's the people, stupid.It's the people, stupid.
It's the people, stupid.Jan Schaumann
 
Primum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsJan Schaumann
 
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load BalancingL3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load BalancingJan Schaumann
 

Mais de Jan Schaumann (9)

The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS Baggage
 
Crazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkCrazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might Work
 
It's the people, stupid.
It's the people, stupid.It's the people, stupid.
It's the people, stupid.
 
Primum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet Operations
 
PGP for Smarties
PGP for SmartiesPGP for Smarties
PGP for Smarties
 
Ipv6 basics
Ipv6 basicsIpv6 basics
Ipv6 basics
 
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load BalancingL3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
 
Useless use of *
Useless use of *Useless use of *
Useless use of *
 
DST @ Yahoo!
DST @ Yahoo!DST @ Yahoo!
DST @ Yahoo!
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Headless Host Scanning Techniques

  • 1. Headless Host Scanning Jan Schaumann <jschauma@netmeister.org> 99CE 1DC7 770A C5A8 09A6 0DCD 66CE 4FE9 6F6B D3D7 @jschauma
  • 2. Headless Host Scanning -- @jschauma 2 11/19/12
  • 3. Life Lessons: Pen testing can't solve everything. Headless Host Scanning -- @jschauma 3 11/19/12
  • 4. Inside-Out Headless Host Scanning -- @jschauma 4 11/19/12
  • 5. Distance to Yahoo! ad in feet: 404 Construction cost: $357 million Capacity: 41,915 Headless Host Scanning -- @jschauma 5 11/19/12
  • 6. Ballpark numbers Distance to Yahoo! ad in feet: 30927 Construction cost: $1.5 billion Capacity: 52,325 Headless Host Scanning -- @jschauma 6 11/19/12
  • 7. Life Lessons: Size matters Headless Host Scanning -- @jschauma 7 11/19/12
  • 8. It all began some time in January of 2007... Yahoo! Presentation; Confidential 11/19/12
  • 9. Initial Problem Statement “Hey, we need to know which hosts can’t deal with the new Daylight Saving Time.” Headless Host Scanning -- @jschauma 9 11/19/12
  • 10. A Systems Administrator's Toolbox Headless Host Scanning -- @jschauma 10 11/19/12
  • 11. A simple tool perl python /bin/sh Headless Host Scanning -- @jschauma 11 11/19/12
  • 12. Initial "Solution" #!/bin/sh while read host; do ssh $host "env TZ=PST8PDT perl -e ’@t=localtime 1173682800; exit 1 - pop @t’" done Headless Host Scanning -- @jschauma 12 11/19/12
  • 13. Problem Statement “Please run this script on these hosts.” Headless Host Scanning -- @jschauma 13 11/19/12
  • 14. 2nd Pass #!/bin/sh while read host; do scp script.sh $host:/tmp/ ssh $host "/tmp/script.sh" done Headless Host Scanning -- @jschauma 14 11/19/12
  • 15. Mensch, nutz' doch ein Konfigurationsmanagementtool! Headless Host Scanning -- @jschauma 15 11/19/12
  • 16. Configuration Management Headless Host Scanning -- @jschauma 16 11/19/12
  • 17. Configuration Management Good at: §  keeping state §  ensuring flat text file properties Not so good at: §  deploying applications §  executing (one-time) scripts Terrible at: §  reporting output of individual commands or scripts Headless Host Scanning -- @jschauma 17 11/19/12
  • 18. Life Lessons: Sturgeon's Law (1st adage) "Nothing is always absolutely so." Headless Host Scanning -- @jschauma 18 11/19/12
  • 19. Mensch, nutz' doch Deine Logaggregationsinfrastruktur! Headless Host Scanning -- @jschauma 19 11/19/12
  • 20. Log Aggregation §  makes assumptions about message format §  frequently unreliable and/or asynchronous §  adds additional complexity Headless Host Scanning -- @jschauma 20 11/19/12
  • 21. 3rd Pass #!/bin/sh while read host; do cat script.sh | ssh $host "bash –s" done Headless Host Scanning -- @jschauma 21 11/19/12
  • 22. 3rd Pass #!/bin/sh while read host; do ssh $host "bash –s" < script.sh done Headless Host Scanning -- @jschauma 22 11/19/12
  • 23. Problem Refinement “Run this set of arbitrary commands on our hosts. Yes, on all of them.” Headless Host Scanning -- @jschauma 23 11/19/12
  • 24. Wait a second – all hosts? $ wtf host wtf: I don't know what host means! $ §  a computer connected to a network §  a virtual machine §  a container §  jails, zones, ... §  chroot Headless Host Scanning -- @jschauma 24 11/19/12
  • 25. Sturgeon's Law (1st adage) "Hosts" on the network "Hosts" in asset database "Hosts" in DNS Yahoo! Presentation; Confidential 11/19/12
  • 26. 3rd Pass #!/bin/sh while read host; do ssh $host "bash –s" < script.sh done Headless Host Scanning -- @jschauma 26 11/19/12
  • 27. 4th Pass Headless Host Scanning -- @jschauma 27 11/19/12
  • 28. Headless Host Scanning -- @jschauma 28 11/19/12
  • 29. Life Lessons: Causality (Duh!) $ w 10:45AM up 51 days, 22:19, 11 users, load averages: 976.23, 618.17, 1020.25 $ time ls 13.354 real 0.001 user 0.002 sys $ Headless Host Scanning -- @jschauma 29 11/19/12
  • 30. Horizontal Scalability Scanmaster Scanslaves Scanslaves Targethosts Headless Host Scanning -- @jschauma 30 11/19/12
  • 31. SSH Complications: assword prompts Interactive connections? Password: $USER@hostname's password: Headless Host Scanning -- @jschauma 31 11/19/12
  • 32. SSH Complications: assword prompts Interactive connections begat password injectors. Headless Host Scanning -- @jschauma 32 11/19/12
  • 33. SSH Complications: assword prompts proc respond { pw } { global pws if {![info exists pws($pw)]} { send_user " (autopw) " stty -echo expect_user -re "(.+)n" stty echo set pws($pw) [exec perl -ne "print pack(q{u}, $_)" << $expect_out(1,string)] } else { send_user " (autopw'ed)" } log_user 0 send -- "[exec perl -ne "print unpack(q{u}, $_)" << $pws($pw)]n"; log_user 1 } eval spawn -noecho $argv expect { "assword:" { respond system exp_continue } Yahoo! Presentation; Confidential 11/19/12
  • 34. SSH Complications: assword prompts Key Authentication to the rescue! Yahoo! Presentation; Confidential 11/19/12
  • 35. Horizontal Scalability Scanmaster Scanslaves Scanslaves Targethosts Yahoo! Presentation; Confidential 11/19/12
  • 36. SSH Complications: assword prompts Key Authentication to the rescue? §  private keys need to be present on all hosts connecting to targets §  you need to provide passphrase for private keys at scan start Enter passphrase for /home/${USER}/.ssh/id_rsa: Enter passphrase for /home/${USER}/.ssh/id_dsa: Enter passphrase for /home/${USER}/.ssh/scankey: Yahoo! Presentation; Confidential 11/19/12
  • 37. SSH Complications: assword prompts Key Authentication also uses password injectors. Headless Host Scanning -- @jschauma 37 11/19/12
  • 38. SSH Complications: assword prompts SSH Agent Forwarding to the rescue! §  private keys stored in agent on single "safe" machine §  agent forwarding enabled to scan slaves §  everything's peachy! Headless Host Scanning -- @jschauma 38 11/19/12
  • 39. SSH Agent Forwarding proxy agent Slave Targethosts Master Headless Host Scanning -- @jschauma 39 11/19/12
  • 40. SSH Agent Forwarding proxy agent Slave Targethosts Master Headless Host Scanning -- @jschauma 40 11/19/12
  • 41. SSH Agent Forwarding Master Headless Host Scanning -- @jschauma 41 11/19/12
  • 42. SSH Agent Forwarding Headless Host Scanning -- @jschauma 42 11/19/12
  • 43. Scalability issues Scanmaster Scanslaves Scanslaves Targethosts Headless Host Scanning -- @jschauma 43 11/19/12
  • 44. Miscellaneous Scalability Issues §  doing hostname lookups for each connection is expensive §  use IP addresses §  parsing known_hosts with several 100K entries is expensive §  use UserKnownHostsFile=/dev/null §  use GlobalKnownHostsFile=/dev/null §  hosts change ssh keys "frequently" §  we need StrictHostKeyChecking=no :-( §  collecting even only a few lines from every single host can fill up your disk quickly §  ssh connections can hang "indefinitely" (=> tkill(1) cron scheduled killing of processes) Headless Host Scanning -- @jschauma 44 11/19/12
  • 45. Yay, Open Source! Headless Host Scanning -- @jschauma 45 11/19/12
  • 46. Scanmaster Scripts §  checkhosts(1) §  run given script on all hosts in input via ssh(1) (in background) §  scanhosts(1) §  invoke checkhosts(1) against split input (again in background) §  defaults to 150 invocations of checkhosts(1) in parallel §  scanslave(1) §  starts ssh-agent(1) and adds keys §  adds tkill(1) crontab §  invoke scanhosts(1) against split input §  scanmaster(1) §  splits input into number of scanslaves chunks §  ssh to each scanslave and kicks off scanslave(1) in screen session §  aggregates and post-processes results Headless Host Scanning -- @jschauma 46 11/19/12
  • 47. Scanmaster Scripts $ wc -l * 330 checkhosts 259 scanhosts 325 scanmaster 179 scanslave 1093 total $ file * checkhosts: Bourne shell script text executable scanhosts: Bourne shell script text executable scanmaster: Bourne shell script text executable scanslave: Bourne shell script text executable $ Headless Host Scanning -- @jschauma 47 11/19/12
  • 48. "Every item on the menu at Taco Bell is just a different configuration of roughly eight ingredients. With this simple periodic table of meat and produce, the company pulled down $1.9 billion last year." http://teddziuba.com/2010/10/taco-bell-programming.html Headless Host Scanning -- @jschauma 48 11/19/12
  • 49. Miscellaneous Security Issues §  ssh-agent exposes our keys to target hosts §  use ForwardAgent=no, ClearAllForwardings=yes §  ssh-agent on scanslaves exposes our privkeys to anybody with super-user privileges on the scanslaves §  use a scan-only key with from= and various no- restrictions §  password injector will respond to anything asking for your assword §  uhm... don't use password auth? §  use of a "real" user is stupid Headless Host Scanning -- @jschauma 49 11/19/12
  • 50. Going topless. T.O.P.L.E.S.S. Headless User Requirement #1: §  selective access (via ssh keys) Headless User Requirement #2: §  a restricted shell Headless User Requirement #3: §  an un-restricted shell Headless User Requirement #2 and #3: §  allow arbitrary commands, provided they were sanctioned by somebody we trust Headless Host Scanning -- @jschauma 50 11/19/12
  • 51. Windows PowerShell Headless Host Scanning -- @jschauma 51 11/19/12
  • 52. Windows PowerShell ExecutionPolicy §  Restricted §  No scripts can be run. Windows PowerShell can be used only in interactive mode. §  Unrestricted §  No restrictions; all Windows PowerShell scripts can be run. §  RemoteSigned §  Downloaded scripts must be signed by a trusted publisher before they can be run. §  AllSigned §  Only scripts signed by a trusted publisher can be run. Headless Host Scanning -- @jschauma 52 11/19/12
  • 53. The (TacoBell) Sigsh NAME sigsh -- a signature verifying shell SYNOPSIS sigsh [-c certs] [-x] [-p prog] DESCRIPTION sigsh is a non-interactive, signature requiring and verifying command interpreter. More accurately, it is a signature verification wrapper around a given shell. It reads input in PKCS#7 format from standard in, verifies the signature and, if the signature matches, pipes the decoded input into the command interpreter. Headless Host Scanning -- @jschauma 53 11/19/12
  • 54. Yay, Open Source! Headless Host Scanning -- @jschauma 54 11/19/12
  • 55. The (TacoBell) Sigsh $ find . ( -type f -a ! -path '*.svn/*' ) | xargs wc -l 50 ./test/sigsh.test.pl 36 ./certs/Makefile 5 ./certs/README 121 ./doc/sigsh.1 17 ./doc/Makefile 176 ./src/sigsh.sh 12 ./README 29 ./LICENSE 446 total $ Headless Host Scanning -- @jschauma 55 11/19/12
  • 56. Yay, Open Source! Headless Host Scanning -- @jschauma 56 11/19/12
  • 57. The (TacoBell) Sigsh $ egrep -v "^[ ]*#" sigsh.sh | wc -l 93 $ Headless Host Scanning -- @jschauma 57 11/19/12
  • 58. The (TacoBell) Sigsh EXAMPLES The following examples illustrate possible usage of this tool. To execute the commands in the file 'script.bash': openssl smime -sign -nodetach -signer mycert.pem -inkey mykey.pem -in script.bash -outform pem | sigsh To execute the perl code contained in the signed PKCS#7 file 'code.pem': sigsh -p /usr/bin/perl <code.pem Headless Host Scanning -- @jschauma 58 11/19/12
  • 59. The Good, the Bad and the Ugly
  • 60. The Good §  private cert need not be present on scanslave hosts §  signing party need not be executing party §  if you grant passwordless sudo to the headless user, you can do * §  certs can expire => we have builtin time-bomb powers! §  multiple people can have signing-power independent of each other §  we can scan over XXXK "hosts" in approximately 15 minutes §  we have the flexibility to collect all sorts of interesting data Headless Host Scanning -- @jschauma 60 11/19/12
  • 61. Scanning over 400 hosts/second [...] 16:09:14: 0 / 30 done - waiting... 16:10:16: 0 / 30 done - waiting... 16:11:18: 1 / 30 done - waiting... 16:12:20: 6 / 30 done - waiting... 16:13:22: 20 / 30 done - waiting... 16:14:24: 27 / 30 done - waiting... 16:15:25: 29 / 30 done - waiting... 16:16:27: 29 / 30 done - waiting... 16:17:30: 30 / 30 done 16:17:30: Scanned XXXXXX hosts in XX minutes and 32 seconds. Aggregating data... Yahoo! Presentation; Confidential 11/19/12
  • 62. The Bad §  this is still a TacoBell sigsh, not a powershell §  we have not solved the ssh-key access problem (though a leaked ssh-key cannot allow arbitrary command execution, only execution of previously approved commands) §  multiple people can have signing-power independent of each other Headless Host Scanning -- @jschauma 62 11/19/12
  • 63. Life Lessons: Pareto's Principle The "trivial many" The "vital few" Headless Host Scanning -- @jschauma 63 11/19/12
  • 64. Life Lessons: Milton Friedman was right. There's nothing so permanent as a temporary government program solution. Yahoo! Presentation; Confidential 11/19/12
  • 65. The Ugly §  Only ~80% of our hosts have sigsh => we need to combine headless with "headful" scans. Thus, we currently: §  scan headlessly (80%, in <15 minutes) §  scan with regular user and dedicated scankey (11%) §  scan with regular user and password, twice (7%) §  scan with regular user and old password §  scan with regular user and older password §  scan with regular user and even older password §  We still (have to) trust the binaries on the remote host. §  no veriexec, TPE, ... Headless Host Scanning -- @jschauma 65 11/19/12
  • 66. Life Lessons §  Pen testing can't solve everything. §  Size matters. §  "Nothing is always absolutely so." (Sturgeon's Law) ›  "90% of everything is crud." (2nd adage; freebie) §  Causality (Duh!) §  Mmm, mmm TacoBell! §  80% of the effects come from 20% of the causes. (Pareto Principle) §  There's nothing so permanent as a temporary solution. §  The worst form of on-demand data collection except all the others that have been tried. Headless Host Scanning -- @jschauma 66 11/19/12
  • 67. Information §  http://www.netmeister.org/apps/scanmaster/ §  http://www.netmeister.org/apps/sigsh/ §  jschauma@netmeister.org §  @jschauma This talk in 140 chars or less: Scanning 100s of K hosts headlessly using a signature verifying shell is awful. Still better than most alternatives. That is all. Headless Host Scanning -- @jschauma 67 11/19/12