Home JSON
Category:

JSON

How to fix permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: error
Docker

How to fix “Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock error

by blackMORE
written by blackMORE

Quickest way to fix How to fix “Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post “http://%2Fvar%2Frun%2Fdocker.sock/v1.24/auth”: dial unix /var/run/docker.sock: connect: permission denied” error.

How to fix permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: error

Error:

Received error during login to Docker from Ubuntu 20.04 running on WSL.

blackmoreops@wsl:/home$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: blackmoreops
Password:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/auth": dial unix /var/run/docker.sock: connect: permission denied

Short version:

Fix:

This is a quick way to fix it, just opened  a terminal and typed this command to fix permission error. (user already had sudo access)

sudo chmod 666 /var/run/docker.sock

Verify:

Always verify,

blackmoreops@wsl:/var/run$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: blackmoreops
Password:
WARNING! Your password will be stored unencrypted in /home/blackmoreops/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Long version:

According to the official Docker docs here:

You need to do the following:

To create the docker group and add your user:

Create the docker group

sudo groupadd docker

Add your user to the docker group

sudo usermod -aG docker ${USER}

Relogin

You would need to logout and log back in so that your group membership is re-evaluated or type the following command:

su -s ${USER}

Verify

Verify that you can run docker commands without sudo.

docker run hello-world
  • This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits.

Fixing WARNING: Error loading config file error

If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.

WARNING: Error loading config file: /home/user/.docker/config.json -stat /home/user/.docker/config.json: permission denied

To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

sudo chown "$USER":"$USER" /home/"$USER"/.docker -R
sudo chmod g+rwx "$HOME/.docker" -R

 

Your call which one is more suitable for you. I was running it on WSL for testing, so picked the quick and dirty one. If I was to do it in a serious environment, I’d probably go with the long version.

That’s it.

1 comment
0 FacebookTwitterPinterestEmail
Database

BloodHound – Hacking Active Directory Trust Relationships

by blackMORE
written by blackMORE

BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

BloodHound

Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use it to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

It is a single page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.

BloodHound Hacking Active Directory Options

Enumeration Options

  • CollectionMethod – The collection method to use. This parameter accepts a comma separated list of values. Has the following potential values (Default: Default):
    • Default – Performs group membership collection, domain trust collection, local admin collection, and session collection
    • Group – Performs group membership collection
    • LocalAdmin – Performs local admin collection
    • RDP – Performs Remote Desktop Users collection
    • DCOM – Performs Distributed COM Users collection
    • GPOLocalGroup – Performs local admin collection using Group Policy Objects
    • Session – Performs session collection
    • ComputerOnly – Performs local admin, RDP, DCOM and session collection
    • LoggedOn – Performs privileged session collection (requires admin rights on target systems)
    • Trusts – Performs domain trust enumeration
    • ACL – Performs collection of ACLs
    • Container – Performs collection of Containers
    • ObjectProps – Collects object properties such as LastLogon and DisplayName
    • DcOnly – Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup.
    • All – Performs all Collection Methods except GPOLocalGroup
  • SearchForest – Search all the domains in the forest instead of just your current one
  • Domain – Search a particular domain. Uses your current domain if null (Default: null)
  • Stealth – Performs stealth collection methods. All stealth options are single threaded.
  • SkipGCDeconfliction – Skip Global Catalog deconfliction during session enumeration. This can speed up enumeration, but will result in possible inaccuracies in data.
  • ExcludeDc – Excludes domain controllers from enumeration (avoids Microsoft ATA flags :) )
  • ComputerFile – Specify a file to load computer names/IPs from
  • OU – Specify which OU to enumerate

Connection Options

  • DomainController – Specify which Domain Controller to connect to (Default: null)
  • LdapPort – Specify what port LDAP lives on (Default: 0)
  • SecureLdap – Connect to AD using Secure LDAP instead of regular LDAP. Will connect to port 636 by default.
  • IgnoreLdapCert – Ignores LDAP SSL certificate. Use if there’s a self-signed certificate for example
  • LDAPUser – Username to connect to LDAP with. Requires the LDAPPass parameter as well (Default: null)
  • LDAPPass – Password for the user to connect to LDAP with. Requires the LDAPUser parameter as well (Default: null)
  • DisableKerbSigning – Disables LDAP encryption. Not recommended.

Performance Options

  • Threads – Specify the number of threads to use (Default: 10)
  • PingTimeout – Specifies the timeout for ping requests in milliseconds (Default: 250)
  • SkipPing – Instructs Sharphound to skip ping requests to see if systems are up
  • LoopDelay – The number of seconds in between session loops (Default: 300)
  • MaxLoopTime – The amount of time to continue session looping. Format is 0d0h0m0s. Null will loop for two hours. (Default: 2h)
  • Throttle – Adds a delay after each request to a computer. Value is in milliseconds (Default: 0)
  • Jitter – Adds a percentage jitter to throttle. (Default: 0)

Output Options

  • JSONFolder – Folder in which to store JSON files (Default: .)
  • JSONPrefix – Prefix to add to your JSON files (Default: “”)
  • NoZip – Don’t compress JSON files to the zip file. Leaves JSON files on disk. (Default: false)
  • EncryptZip – Add a randomly generated password to the zip file.
  • ZipFileName – Specify the name of the zip file
  • RandomFilenames – Randomize output file names
  • PrettyJson – Outputs JSON with indentation on multiple lines to improve readability. Tradeoff is increased file size.

Cache Options

  • CacheFile – Filename for the Sharphound cache. (Default: BloodHound.bin)
  • NoSaveCache – Don’t save the cache file to disk. Without this flag, BloodHound.bin will be dropped to disk
  • Invalidate – Invalidate the cache file and build a new cache

Misc Options

  • StatusInterval – Interval to display progress during enumeration in milliseconds (Default: 30000)
  • Verbose – Enables verbose output

You can download BloodHound here:

Linux x64 – BloodHound-linux-x64.zip
Windows x64 – BloodHound-win32-x64.zip
Source – BloodHound-2.1.0.zip

Or read more here and here.

0 comments
0 FacebookTwitterPinterestEmail
What is Password Reset Poisoning?
Hacking

Targeting websites with Password Reset Poisoning

by blackMORE
written by blackMORE

Most of web application security vulnerabilities, leverage user input in ways that were not initially intended by their developer(s). Password Reset Poisoning is one such vulnerability, that leverages commonly unthought of headers, such as the Host header seen in an HTTP request:

GET https://example.com/reset.php?email=foo@bar.com HTTP/1.1
Host: evilhost.com

Notice the difference where we specify the host in the URL (example.com) and a different, malicious host, in the Host header (evilhost.com).What is Password Reset Poisoning?

Example – Password Reset(s)

One common functionality in most web applications, is the ability to reset your password. Requesting to do so may sometimes involve sending an email to your inbox with a URL embedding in a special one-time token to click on. The one time token is there to allow the user to set a new password without having to specify the old (current) one.

Part of building that URL, is deciding what the domain should be, which in PHP may look something along the lines of:

$resetPasswordURL = “https://{$_SERVER[‘HTTP_HOST’]}/reset-password.php?token=12345678-1234-1234-1234-12345678901”;

This is then injected into an email template and sent to the user as expected. From the Developer’s perspective, he is always expecting $_SERVER[“HTTP_HOST”] to be example.com so would rarely perform any additional sanity checks on the input.

Targeted Attack

As a malicious actor, you want to take control of a particular individual’s account. By leveraging Password Reset Poisoning, you can:

    1. Obtain the target’s email address used on the site.
      This is sometimes done via:a) Social Engineering attacks (Phishing, Smishing etc.)
      b) OSINT (Open-source Intelligence)
      c) Mining old data breaches for the user’s information.
    2. Send a Password Reset request on behalf of the target scoped in step one, with the modified Host header like so: 
      POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: evilhost.com

{“email”: “target@company.com”}

      Which if we refer back to the previous code, will string interpolate the reset password URL to (for example):

      https://evilhost.com/reset-password.php?token=12345678-1234-1234-1234-12345678901

    3. Wait for the target to receive the manipulated email such as the following: These emails would look entirely secure to the user, especially if the link is hidden behind some button or image. Primarily due to the fact that the email is actually sent by the correct application and not the evil host.
    4. The victim’s password reset token is extracted once the link is clicked. At this point, the attack can go a step further by cloning the site to make it seem as though the user is accessing the correct one. This is generally done in one of two ways:
      a) The attacker clones part of the application (e.g. login page) and presents that to the user once they have clicked the link.
      b) The attacker’s site (evilhost.com) acts as a proxy to the real site whereby the behavior and the contents would be identical to the original site, making everything look seamless to the end-user. This is the most convincing method.

Remediation

From a development perspective, do not trust the Host header, or any input header for that matter. Instead, the application’s base URL should be determined by some configuration depending on the environment. A good example is a config.ini file such as:

[GLOBAL]
DB_URL=mysql://
DB_USER=root
DB_PASS=toor

[APPLICATION]
BASE_URL=example.com

This can then be string interpolated safely as a constant in the previous code. Assume there is some utility function get_config(section, entry):

$resetPasswordURL = “https://” . get_config(‘APPLICATION’, ‘BASE_URL’) . ”/reset-password.php?token=12345678-1234-1234-1234-12345678901”;

Additionally, as an application developer, you should support and highly incentivize Multi-Factor Authentication to avoid malicious actors hijacking accounts with password reset tokens alone. Ideally also avoiding 2FA methods such as SMS Authentication.

Conclusion

Password Reset Poisoning is one of those attacks that appear very trivial and are very much on the practical side rather than the theoretical, often used as low-hanging fruit in Bug Bounty Programs.

That said, they are very easy to secure against and easily illustrate why you should always be cautious of any possible form of user input. This is especially true when developers make use of web application security scanners to automatically detect such vulnerabilities. Acunetix will not only test the Host header for Password Reset poisoning, it will also test for a slew of other Host Header attacks to help you to fully secure your web application(s).

Source link

0 comments
0 FacebookTwitterPinterestEmail