Authentication exploitation: Difference between revisions

From Essential
Jump to navigation Jump to search
No edit summary
No edit summary
Line 42: Line 42:
<pre>
<pre>
#!/bin/bash
#!/bin/bash
#http://infocepo.com/wiki/index.php/Authentication_exploitation


#20161103 APA UPDATE
#20161103 APA UPDATE
Line 48: Line 49:
#Debug
#Debug


cd $(dirname $0)
# == settings ==
 
MyRemoteDir="/"
# == Policies settings ==
MyExpireLenght="90"
 
# == Other settings ==
MyInfra='<infra_name>'
MyInfra='<infra_name>'
MyCompany='<company>'
MyCompany='<company>'
Line 64: Line 61:
L equipe systeme"
L equipe systeme"


MyRemoteDir=~"/"
# === Policies settings ===
MyExpireLenght="90"
 
# == Init ==
cd $(dirname $0)


if [ ! -f .htpasswd ] ;then
  touch .htpasswd
  chmod 600 .htpasswd
fi
# == Processing ==
# == Processing ==
# Send mail for each group
# Send mail for each group
Line 73: Line 78:
   IFS=';' read MyGroup MyMail MyDate <<< $MyLine
   IFS=';' read MyGroup MyMail MyDate <<< $MyLine
   MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print "  "$1", "$2}' |sort -u)
   MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print "  "$1", "$2}' |sort -u)
  MyHtpasswdOld=$(grep "^${MyGroup}:" .htpasswd)


### Paramaters OK?
### Paramaters OK?
   if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then
   if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] || [ -z "${MyHtpasswdOld}" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then


##### Information mail
##### Information mail
Line 114: Line 120:


# === Store password hash ===
# === Store password hash ===
     grep "^${MyGroup}:" .htpasswd >>.htpasswd.history
     echo "${MyHtpasswdOld}" >>.htpasswd.history
     htpasswd -b .htpasswd $MyGroup $MyPasswd
     htpasswd -b .htpasswd $MyGroup $MyPasswd


Line 137: Line 143:
   MyServer="${MyFilter}"
   MyServer="${MyFilter}"


   ssh $MyServer ">/tmp/.$$ ;chmod 600 /tmp/.$$" </dev/null
   >/tmp/.$$ ;chmod 600 /tmp/.$$
   MyGroupList="$(echo $MyGroups |tr ',' ' ')"
   MyGroupList="$(echo $MyGroups |tr ',' ' ')"
   for MyGroup in $MyGroupList ;do
   for MyGroup in $MyGroupList ;do
     (grep "^$MyGroup:" .htpasswd |ssh $MyServer "cat - >>/tmp/.$$" )</dev/null
     grep "^$MyGroup:" .htpasswd >>/tmp/.$$
   done
   done


Line 149: Line 155:
   MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd"
   MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd"


   ssh $MyServer "sort -u /tmp/.$$ -o /tmp/.$$ ;diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null
   sort -u /tmp/.$$ -o /tmp/.$$
  scp -p /tmp/.$$ ${MyServer}:/tmp/.$$ &&\
  rm -f /tmp/.$$ &&\
  sleep 1 &&\
  ssh $MyServer "diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null &&\
  sleep 1
done
done


# End init
cd -
cd -
</pre>
</pre>

Revision as of 01:24, 12 December 2016

Guide rapide

Description

  • "authentication.mail.cfg" contient les mails de chaque groupe.
  • "authentication.cfg" contient les groupes pour chaque url.
  • "authentication-update" permet l envoi des mails et la mise à jour de l ensemble des serveurs.

Format des fichiers de configuration de l exploitation

authentication.mail.cfg

group;mail[,...][;expiredate]
  • group : nom du groupe
  • mail : mails du groupe séparés par des virgules

authentication.cfg

ApplicationID;URL;group[,...]
  • ApplicationID : nom de l application
  • URL : url complète avec au moins le dernier répertoire suivi d un "/"
  • group[,...] : noms des groupes séparés par des virgules

Pour information

  • ".htpasswd" sert au stockage des mots de passes cryptés. Ce fichier est alimenté en automatique.
  • "<Serveur_applicatif>:/etc/httpd/htpasswd/.<Répertoire uniquement alpha numérique de l appli>.htpasswd" sert au stockage des mots de passes pour chaque appli.

droits

drwx------	exploitation   ../<ScriptDir>/
-rw-------	exploitation   authentication.mail.cfg
-rw-------	exploitation   authentication.cfg
-rw-------	exploitation   .htpasswd
-r-x------	exploitation   authentication-update

cron

2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update

authentication-update

#!/bin/bash
#http://infocepo.com/wiki/index.php/Authentication_exploitation

#20161103 APA UPDATE
#20161202 APA ADD
#V2 optimization :date expire
#Debug

# == settings ==
MyRemoteDir="/"
MyInfra='<infra_name>'
MyCompany='<company>'
MyEmailSupport='<email_support>'

MyFoot="Ceci est un email automatique. Veuillez ne pas repondre, SVP.
Pour toutes questions relatives a cet email, merci de contacter le Centre De Service a ${MyEmailSupport}.

Cordialement,
L equipe systeme"

# === Policies settings ===
MyExpireLenght="90"

# == Init ==
cd $(dirname $0)

if [ ! -f .htpasswd ] ;then
  touch .htpasswd
  chmod 600 .htpasswd
fi
# == Processing ==
# Send mail for each group
grep -v ^"\ *#" authentication.mail.cfg |while read MyLine ;do

### Paramaters load
  IFS=';' read MyGroup MyMail MyDate <<< $MyLine
  MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print "  "$1", "$2}' |sort -u)
  MyHtpasswdOld=$(grep "^${MyGroup}:" .htpasswd)

### Paramaters OK?
  if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] || [ -z "${MyHtpasswdOld}" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then

##### Information mail
    if [ -z "$MyDate" ] ;then
      echo "Subject: [${MyInfra}] Information applications internes

Bonjour,

Voici les URLS des applications ${MyCompany} :

${MyAppUrlList}

${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')"
      sleep 1
    fi

##### Password mail

    MyLogin=$MyGroup
    MyPasswd=$(pwgen 14 1)
    MyAppList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print "  "$1}')

    echo "Subject: [${MyInfra}] Codes d acces applications internes

Bonjour,

Voici vos nouveaux codes d acces :

  login=${MyLogin}
  passwd=${MyPasswd}

Pour les applications ${MyCompany} suivantes :

${MyAppList}

${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')"
sleep 1

# === Store password hash ===
    echo "${MyHtpasswdOld}" >>.htpasswd.history
    htpasswd -b .htpasswd $MyGroup $MyPasswd

# === Date update for expiration password ===
    grep $MyGroup authentication.mail.cfg >>authentication.mail.cfg.history
    MyNewDate=$(date -d "+${MyExpireLenght} days" '+%Y%m%d')
    sed -i "s/^${MyGroup};${MyMail}.*/${MyGroup};${MyMail};${MyNewDate}/g" authentication.mail.cfg
  fi
done

sort -u .htpasswd -o .htpasswd

# == Remote update ==
grep -v ^"\ *#" authentication.cfg |while read MyLine ;do

### Read url and groups
  IFS=';' read MyApplicationID MyUrlFull MyGroups <<< $MyLine

  MyFilter=$(MyPatern='^https?://([^/]+).*$'
  echo $MyUrlFull |\
  sed -rn "s#$MyPatern#\1#p" |head -1)
  MyServer="${MyFilter}"

  >/tmp/.$$ ;chmod 600 /tmp/.$$
  MyGroupList="$(echo $MyGroups |tr ',' ' ')"
  for MyGroup in $MyGroupList ;do
    grep "^$MyGroup:" .htpasswd >>/tmp/.$$
  done

  MyFilter=$(MyPatern='^https?://[^/]+/+(.+)/+[^/]*$'
  echo $MyUrlFull |\
  sed -rn "s#$MyPatern#\1#p" |head -1)
  MyLocation="${MyFilter}"
  MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd"

  sort -u /tmp/.$$ -o /tmp/.$$
  scp -p /tmp/.$$ ${MyServer}:/tmp/.$$ &&\
  rm -f /tmp/.$$ &&\
  sleep 1 &&\
  ssh $MyServer "diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null &&\
  sleep 1
done

# End init
cd -
Retrieved from "https://infocepo.com/wiki/index.php?title=Authentication_exploitation&oldid=723"