Parallel cluster shell notes
- clustershell (clush)
- clusterssh (cssh)
- mussh
clush
apt-get install clustershell # or pip install --user ClusterShell
/etc/clustershell/groups
all: host1 host2
-a targets the "all" group
-B gathers output (STDOUT and STDERR together) and groups the nodes whose output is identical
clush -a -B
clush -w lame[1-4] -B
clush -w lame[1-6] --diff dmidecode -s bios-version
--- lame[1-4] (4)
+++ lame[5-6] (2)
@@ -1 +1 @@
-I36
+I15
Clush copy
sosreport example
Example
Generating the sosreport on the targets
clush -B -O ssh_options='-oStrictHostKeyChecking=no -oPort=2222' -l root --hostfile targets.lst sosreport -q --case-id 000000 --since 20230813000000 --batch
Retrieving the sosreports
mkdir sosreports
clush -B -O ssh_options='-oStrictHostKeyChecking=no -oPort=2222' -l root --hostfile targets.lst --rcopy '/var/tmp/sosreport-*.tar.xz' --dest sosreports/
clush -B -O ssh_options='-oStrictHostKeyChecking=no -oPort=2222' -l root --hostfile targets.lst --rcopy '/var/tmp/sosreport-*.tar.xz.sha256' --dest sosreports/
Renaming
cd sosreports/
# rename -nv '*' '' *   # dry run (-n) first
rename '*' '' *
rename '-' '' *
Cleanup
clush -B -O ssh_options='-oStrictHostKeyChecking=no -oPort=2222' -l root --hostfile targets.lst rm -f /var/tmp/sosrepor*
List
clush -B --hostfile=hosts.lst
clush -B -O ssh_options='-oStrictHostKeyChecking=no -oPort=2222' -l admin --hostfile hosts.lst
Groups
mkdir ~/.config/clustershell/
cp /etc/clustershell/groups.conf ~/.config/clustershell/
~/.config/clustershell/groups.d/plop.yaml
plop:
    www: 'www[1-4]'
    db: 'db-alpha,db-beta'
clush -B -g plop:www
clush -B -g plop:*
mussh
mussh -H list.txt -b -c 'uptime'
mussh -H list.txt -b -C script.sh
mussh -m 7 -H ~/dev/list.txt -b -c 'apt-get -s dist-upgrade | grep "^[[:digit:]]\+ upgraded"'
ClusterSSH cssh
sudo apt-get install clusterssh
cssh c2-bl1 c2-bl2 c2-bl3 c2-bl4 c2-bl5 c2-bl6
sshpass
read -s SSHPASS   # -s: do not echo the password on the terminal
export SSHPASS
# first pass: which hosts accept the login at all
for ip in $(cat ip_all.lst) ; do
    sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=10 $ip /bin/true && echo $ip >> ip_ok.lst || echo $ip >> ip_nok.lst
done
# second pass: which of those hosts point at the expected DNS server
for ip in $(cat ip_ok.lst) ; do
    sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=10 $ip grep 192.168.1.253 /etc/resolv.conf && echo $ip >> dns_ok.lst || echo $ip >> dns_nok.lst
done
Website scan
httrack - download all the .js files
httrack -* +mime:text/html +*.js
#httrack --mirror https://www.acme.fr -* +mime:text/html +*.js -r9999
pip install pyFreenet3 --use-pep517
./bin/copyweb --mirror http://www.acme.fr -d sites/
Online scan
WordPress scan
https://github.com/wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --url http://www.acme.fr --enumerate u
Drupal scan
#git clone https://github.com/immunIT/drupwn
#pip install --user -r requirements.txt
docker run --rm -it immunit/drupwn enum https://www.acme.fr
Drupwn> check CVE-2018-7600
[+] Application vulnerable
Malware example
stat m7hw6o0xhn.php
  File: 'm7hw6o0xhn.php'
  Size: 1797      	Blocks: 8          IO Block: 4096   regular file
Device: fc07h/64519d	Inode: 596         Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/sftp-acme)   Gid: ( 1000/sftp-acme)
Access: 2019-02-08 15:26:13.957265343 +0100
Modify: 2018-03-27 10:53:45.000000000 +0200
Change: 2018-05-22 18:02:27.736483258 +0200
 Birth: -
/var/www/acme.fr/www.acme.fr/m7hw6o0xhn.php
<?php eval("\n\$dgreusdi = intval(__LINE__) * 337;"); $a = "0123456789abcdef"; $a = str_replace($dgreusdi, "E", $a); eval (gzinflate(base64_decode($a)));
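As an added example (not part of these notes), a small POSIX sh scanner that flags PHP files chaining eval/gzinflate/base64_decode like the sample above and prints their mtime and ctime for triage, since a modification time much older than the change time is what the stat output above shows for a back-dated dropper. It assumes GNU stat/touch; the sample files and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: flag PHP files that use the
# eval()/gzinflate()/base64_decode() chain and show mtime/ctime for triage.
set -u

# scan_webroot DIR -> prints one "path|mtime_epoch|ctime_epoch" line per hit
scan_webroot() {
    dir=$1
    find "$dir" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        # all three functions must appear in the file
        if grep -q 'eval' "$f" && grep -q 'gzinflate' "$f" && grep -q 'base64_decode' "$f"; then
            # GNU stat: %Y = mtime epoch, %Z = ctime epoch (ctime cannot be
            # back-dated with touch, so mtime << ctime is a useful tell)
            printf '%s|%s|%s\n' "$f" "$(stat -c %Y "$f")" "$(stat -c %Z "$f")"
        fi
    done
}

# demo_scan -> returns 0 when only the constructed suspicious file is flagged
# and its mtime is older than its ctime
demo_scan() {
    tmp=$(mktemp -d)
    # constructed benign file
    printf '<?php echo "hello"; ?>\n' > "$tmp/index.php"
    # constructed sample using the same obfuscation chain (placeholder payload)
    printf '<?php $a="PLACEHOLDER"; eval(gzinflate(base64_decode($a)));\n' > "$tmp/x.php"
    # back-date mtime the way the sample above shows (GNU touch)
    touch -m -d '2018-03-27 10:53:45' "$tmp/x.php"
    out=$(scan_webroot "$tmp")
    rm -rf "$tmp"
    hits=$(printf '%s\n' "$out" | grep -c '|')
    mtime=${out#*|}; mtime=${mtime%%|*}; ctime=${out##*|}
    [ "$hits" -eq 1 ] && printf '%s\n' "$out" | grep -q 'x.php' && [ "$mtime" -lt "$ctime" ]
}
```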
Samba SMB CIFS client
See also
- CIFS Unix Extensions / Services for Unix (SFU)
See:
- rclone
- curl smb / smbs
Install
apt-get install cifs-utils smbclient
Example
auth.cfg
username=jean
password=P@ssw0rd
domain=D$
smbclient -A auth.cfg //192.168.1.12/D$/ -c ls
List the shares
Anonymously
smbclient -N -L 127.0.0.1
With an account
smbclient -U utilisateur%mdp -L 127.0.0.1
Or (debug)
smbtree -N -d3
Connect
smbclient
smbclient -U utilisateur%mdp '\\127.0.0.1\partage'
gvfs-mount
gvfs-mount smb://server/share
libpam-mount
apt-get install libpam-mount
/etc/security/pam_mount.conf.xml
<volume options="user=%(DOMAIN_USER),dom=%(DOMAIN_NAME),setuids" fstype="cifs" server="192.168.x.x" path="sharename" mountpoint="~/sharemount" />
Security / hardening / pentest
See nmap, smbmap, rpcclient, nbtscan, enum4linux
To test
nmap -A 127.0.0.1
nmap --script smb-os-discovery.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 127.0.0.1
nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 127.0.0.1
Disable less secure legacy dialects
/etc/modprobe.d/cifs.conf
options cifs disable_legacy_dialects=1
# Y or 1 stands for enabled, N or 0 stands for disabled
echo 1 > /sys/module/cifs/parameters/disable_legacy_dialects
Other clients
Display CIFS statistics in megabytes, once per second, 3 times (sysstat)
cifsiostat -m 1 3
Userland
Equivalent:
mount.cifs -o credentials=/home/share/.auth.cfg,uid=1000,forceuid,gid=1000,forcegid,file_mode=0777,dir_mode=0777,noperm,port=1446,vers=2.0 //127.0.0.1/share /mnt/share/
#sudo apt-get install fusesmb
sudo apt-get install smbnetfs
mkdir .smb
cp /etc/smbnetfs.conf ~/.smb/
chmod 600 ~/.smb/smbnetfs.conf
cp /etc/samba/smb.conf ~/.smb/
mkdir -p Network
smbnetfs Network
cd Network/127.0.0.1:1446/
cd Network/share:'domain\user1':'P@ssw0rd'@127.0.0.1:1446/Install
~/.smb/smbnetfs.conf
log_file "/tmp/smbnetfs.log"
show_$_shares "true"
show_hidden_hosts "true"
auth "guest" ""
include "smbnetfs.auth"
~/.smb/smbnetfs.auth
auth "smb-sh" "DOMAIN/user1" "P@ssw0rd"
auth "127.0.0.1" "DOMAIN/user1" "P@ssw0rd"
auth "127.0.0.1:1446" "DOMAIN/user1" "P@ssw0rd"
chmod 600 ~/.smb/smbnetfs.auth
Cache with cachefilesd / FS-Cache
Other
findmnt -n -s -t cifs
mkdir /mnt/nompartage
/etc/fstab
//ouindoze/nompartage /mnt/nompartage cifs credentials=/home/jean/.smbcredentials,rw,auto,user,nounix,noserverino,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0
//public/plop /mnt/espace_build_ovs/ cifs _netdev,rw,uid=15041,forceuid,gid=15141,forcegid,file_mode=0777,dir_mode=0777,noperm,credentials=/etc/.cifs_public_plop 0 0
mount -t cifs //mystorage/data2 -o username=user1,password=myPassword,rw,bg,vers=3,proto=tcp,hard,intr,rsize=32768,wsize=32768,forcedirectio,llock /data2
/etc/modprobe.d/cifs.conf
# Disable caching and the CIFS oplock for stable NTFS network shares
options cifs enable_oplocks=0
install cifs /sbin/modprobe --ignore-install cifs $CMDLINE_OPTS && echo 0 > /proc/fs/cifs/LinuxExtensionsEnabled && echo 0 > /proc/fs/cifs/LookupCacheEnabled
remove cifs /sbin/modprobe -r cifs
Files holding the credentials in clear text (so they do not have to go in the fstab)
/etc/.cifs_public_plop
#domain=domain
username=utilisateur
password=motdepasse
/home/jean/.smbcredentials
username=utilisateur
password=motdepasse
You can optionally add:
domain=MONDOMAINE
Or put it after the "username", like:
username=utilisateur@MONDOMAINE
or
username=MONDOMAINE\utilisateur
chmod 600 /home/jean/.smbcredentials /etc/.cifs_public_plop
Then
mount /mnt/nompartage
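Added example, not part of these notes: a POSIX sh function that audits the cifs entries of an fstab the way the credentials section above expects, checking that each credentials= file exists with mode 600 (or 400) and that no entry carries password= inline. It assumes GNU stat; the fstab and credentials files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: audit cifs credentials in fstab.
set -u

# check_cifs_creds FSTAB -> one OK/BAD/SKIP line per cifs entry; returns 1 if any BAD
check_cifs_creds() {
    fstab=$1; rc=0
    # fields: source mountpoint fstype options ...; comment lines are skipped
    while read -r src opts; do
        [ -n "$src" ] || continue
        case ",$opts," in
            *,password=*)
                printf 'BAD %s: password= inline in fstab options\n' "$src"; rc=1; continue ;;
            *,credentials=*)
                cred=${opts#*credentials=}; cred=${cred%%,*} ;;
            *)
                printf 'SKIP %s: no stored credentials\n' "$src"; continue ;;
        esac
        if [ ! -f "$cred" ]; then
            printf 'BAD %s: %s missing\n' "$src" "$cred"; rc=1; continue
        fi
        mode=$(stat -c %a "$cred")   # GNU stat: octal permission bits
        case $mode in
            600|400) printf 'OK %s: %s mode %s\n' "$src" "$cred" "$mode" ;;
            *) printf 'BAD %s: %s mode %s (want 600)\n' "$src" "$cred" "$mode"; rc=1 ;;
        esac
    done <<EOF
$(grep -v '^[[:space:]]*#' "$fstab" | awk '$3 == "cifs" {print $1, $4}')
EOF
    return $rc
}

# demo_check -> 0 when the constructed fstab yields 1 OK and 2 BAD entries
demo_check() {
    tmp=$(mktemp -d)
    printf 'username=u\npassword=p\n' > "$tmp/good.creds";  chmod 600 "$tmp/good.creds"
    printf 'username=u\npassword=p\n' > "$tmp/loose.creds"; chmod 644 "$tmp/loose.creds"
    cat > "$tmp/fstab" <<FSTAB
# constructed fstab
//srv/share1 /mnt/s1 cifs credentials=$tmp/good.creds,rw,vers=3.0 0 0
//srv/share2 /mnt/s2 cifs credentials=$tmp/loose.creds,rw 0 0
//srv/share3 /mnt/s3 cifs username=u,password=p,rw 0 0
/dev/sda1 / ext4 defaults 0 1
FSTAB
    out=$(check_cifs_creds "$tmp/fstab") && status=0 || status=$?
    rm -rf "$tmp"
    [ "$status" -eq 1 ] && [ "$(printf '%s\n' "$out" | grep -c '^OK')" -eq 1 ] \
        && [ "$(printf '%s\n' "$out" | grep -c '^BAD')" -eq 2 ]
}
```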
Problems
Unmount / release CIFS partitions that are in error (or not)
# mount |grep /mnt/shared
systemd-1 on /mnt/shared type autofs (rw,relatime,fd=28,pgrp=1,timeout=10,minproto=5,maxproto=5,direct,pipe_ino=38828)
sudo umount -a -t cifs -l
sudo umount -a -t autofs -l
NT_STATUS_LOGON_FAILURE error (with an auth file only)
See https://bugzilla.redhat.com/show_bug.cgi?id=78846
# smbclient -A /etc/.creds //server-smb/partage1/
session setup failed: NT_STATUS_LOGON_FAILURE
# rpcclient vmx-gspl -d 1 -A /etc/.creds -c "getdriverdir \"Windows NT x86\""
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
# smbclient -U jean -W DOMAIN //server-smb/partage1/
Enter jean's password:
Domain=[ACME] OS=[Unix] Server=[Samba 3.6.6]
smb: \>
NT_STATUS_CONNECTION_DISCONNECTED error
$ smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/E
WARNING: The "syslog" option is deprecated
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
Solution
Add the -m SMB3 option
smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/E -m SMB3
Problem: long connection time - NTLMSSP
plop@portable:~$ smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/D -m SMB3 -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
WARNING: The "syslog" option is deprecated
added interface wlan0 ip=2a01:cb04:bae:2600:9aea:4ae:b4b3:15a2 bcast= netmask=ffff:ffff:ffff:ffff::
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface wlan0 ip=192.168.1.12 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 4.5.16-Debian).
Connecting to 127.0.0.1 at port 1445
Doing spnego session setup (blob length=398)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[PLOP] OS=[] Server=[]
smb: \>
Where the output showed three blank lines, the client paused for several seconds.
In this case the domain controller is not reachable and we are using a local account.
Solution
Specify the domain "."
The dot indicates a local account (outside the domain)
You can use the -W option
smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/D -m SMB3 -W .
Solution
Update smbclient and its dependencies
# apt-get install smbclient
The following extra packages will be installed:
  libldb1 libsmbclient samba-common samba-libs
Problem: CIFS VFS: cifs_mount failed w/return code = -61 - NT_STATUS_PATH_NOT_COVERED
Error
# dmesg
[1231082.766925] CIFS VFS: cifs_mount failed w/return code = -61
Diagnosis
# smbclient -U jean -W ACME \\partages\images
smb: \> cd REP\
Connection to pc1111 failed (Error NT_STATUS_BAD_NETWORK_NAME)
Unable to follow dfs referral [\pc1111\REP$]
cd \REP\: NT_STATUS_PATH_NOT_COVERED
# ping pc1111
ping: unknown host pc1111
Solution
Edit /etc/hosts or /etc/resolv.conf so that pc1111 resolves
Problem: error(22): Invalid argument
# mount -t cifs -o rw,uid=1000,forceuid,gid=1000,forceuid,file_mode=0777,dir_mode=0777,noperm,credentials=/root/.fichier_mdp //server/partage /mnt/nompartage
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
# dmesg -T |tail
[Wed Dec 23 11:31:16 2020] CIFS: Attempting to mount //server/partage
[Wed Dec 23 11:31:16 2020] CIFS: VFS: cifs_mount failed w/return code = -22
Solution
Specify the desired protocol version
Example: vers=2.0
mount -t cifs -o rw,uid=1000,forceuid,gid=1000,forcegid,file_mode=0777,dir_mode=0777,noperm,vers=2.0,credentials=/root/.fichier_mdp //server/partage /mnt/nompartage
NT_STATUS_LOGON_FAILURE error
$ smbclient -U user1%'BasP@ssw0rd' '\\localhost\shared'
session setup failed: NT_STATUS_LOGON_FAILURE
$ smbclient -U user1%'P@ssw0rd' '\\localhost\shared'
Domain=[localhost] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Solution
The share pointed to a directory that did not exist.
Notes
Example mount options
on /data/users_homedirs type cifs (rw,relatime,sec=ntlm,unc=\\serveur\Home$,username=utilisateur,domain=ACME,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.1.20,file_mode=0755,dir_mode=0755,nounix,rsize=61440,wsize=65536,actimeo=1)
Samba Winbind - AD - example config
NTP config
/etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.1.1   pc1.plop.acme.local pc1
/etc/resolv.conf
#domain plop.acme.local
search acme.local plop.acme.local
options rotate timeout:1 retries:1
nameserver 192.168.20.153
nameserver 192.168.20.154
/etc/krb5.conf
[logging]
    default = FILE10000:/var/log/krb5lib.log

[libdefaults]
    default_realm = PLOP.ACME.LOCAL
    default_keytab_name = FILE:/etc/krb5.keytab

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4

[appdefaults]
    kinit = {
        forwardable = true
        proxiable = true
    }

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    PLOP.ACME.LOCAL = {
        kdc = cd1-plop:88
        kdc = GDC01:88
        admin_server = cd1-plop:749
        default_domain = plop.acme.local
    }

[domain_realm]
    PLOP = PLOP.ACME.LOCAL
    .plop.acme.local = PLOP.ACME.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false
/etc/samba/smb.conf
# Global parameters
[global]
    #obey pam restrictions = Yes
    realm = PLOP.ACME.LOCAL
    workgroup = PLOP
    security = ADS
    #template homedir = /staff/%U
    #template shell = /bin/bash
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind use default domain = Yes
    winbind refresh tickets = yes
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
    #password server = cd1-plop.plop.acme.local
    password server = *
    winbind separator = /
    # No printers
    printing = bsd
    printcap name = /dev/null
    load printers = No
    cups options = raw
    #
    # prevent the client from becoming master browser
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    #
[DATA]
    create mask = 0666
    directory mask = 0777
    path = /data/
    read only = No
    valid users = acme/user1, plop/admin
kinit admin@PLOP.ACME.LOCAL
yum install samba-winbind samba-winbind-clients
net ads join -U admin
authselect select winbind with-mkhomedir --force
getent passwd
getent passwd ACME/user1
Samba - DFS
Global config
host msdfs = yes
The shared directory must be treated as a DFS root
msdfs root = yes
Managing a DFS share is fairly easy. In the directory shared as the DFS root, you create Unix symlinks that Samba interprets as DFS links. If you want, you can also create normal directories there and, under those directories, other DFS links. You are therefore not limited to a flat structure.
The links you create can use any of the following notations:
ln -s msdfs:<server>\\<share> <DFS link name>
ln -s msdfs:<server1>\\<share>,<server2>\\<share> <DFS link name>
ln -s msdfs:<server>\\share\dir1\dir2(...) <DFS link name>
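Added example, not from these notes: POSIX sh helpers that create msdfs links with the notation above (targets passed as server/share, written out as msdfs:server\share, comma-separated for alternatives) and that list a DFS root, separating referral links from plain symlinks, which Samba does not treat as DFS referrals. The server, share and link names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: create and audit msdfs links.
set -u

# mkdfslink LINK server/share [server2/share ...] -> symlink LINK -> msdfs:...
mkdfslink() {
    link=$1; shift
    [ $# -ge 1 ] || { echo "mkdfslink: need at least one server/share" >&2; return 2; }
    target=""
    for t in "$@"; do
        srv=${t%%/*}; share=${t#*/}
        [ -n "$srv" ] && [ "$srv" != "$t" ] && [ -n "$share" ] \
            || { echo "mkdfslink: bad target '$t' (want server/share)" >&2; return 2; }
        # single backslash between server and share; comma separates replicas
        target="${target:+$target,}${srv}\\${share}"
    done
    ln -s "msdfs:$target" "$link"
}

# lsdfs ROOT -> one line per symlink: "name DFS tgt|tgt" or "name PLAIN dest"
lsdfs() {
    root=$1
    for l in "$root"/*; do
        [ -L "$l" ] || continue
        dest=$(readlink "$l")
        case $dest in
            msdfs:*) printf '%s DFS %s\n' "${l##*/}" "$(printf '%s' "${dest#msdfs:}" | tr ',' '|')" ;;
            *)       printf '%s PLAIN %s\n' "${l##*/}" "$dest" ;;
        esac
    done
}

# demo_dfs -> 0 when the constructed root lists as expected
demo_dfs() {
    root=$(mktemp -d)
    mkdfslink "$root/data" storage1/data storage2/data   # two replicas
    mkdfslink "$root/home" fileserver/home
    ln -s /etc "$root/escape"   # constructed plain symlink, not a referral
    out=$(lsdfs "$root"); rm -rf "$root"
    printf '%s\n' "$out" | grep -qx 'data DFS storage1\\data|storage2\\data' &&
    printf '%s\n' "$out" | grep -qx 'home DFS fileserver\\home' &&
    printf '%s\n' "$out" | grep -qx 'escape PLAIN /etc'
}
```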
