
How to do Authentication(Either with Credentials/Session Cookie) using rekono #48

Closed
srikr opened this issue Sep 21, 2022 · 12 comments
Labels
help wanted Extra attention is needed question Further information is requested

Comments

@srikr

srikr commented Sep 21, 2022

What do you need?
Is there a way we can use credentials or session cookies to log in and run all the tools in Rekono to test the Device Under Test?

Below are some errors seen due to lack of authentication:
Tool: Log4j Scanner

Traceback (most recent call last):
  File "/opt/log4j-scanner/log4-scanner/log4j-scan.py", line 395, in <module>
    main()
  File "/opt/log4j-scanner/log4-scanner/log4j-scan.py", line 367, in main
    dns_callback = Interactsh()
  File "/opt/log4j-scanner/log4-scanner/log4j-scan.py", line 224, in __init__
    self.register()
  File "/opt/log4j-scanner/log4-scanner/log4j-scan.py", line 232, in register
    res = self.session.post(
  File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 590, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/requests/adapters.py", line 504, in send
    raise ConnectTimeout(e, request=request)
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='interact.sh', port=443): Max retries exceeded with url: /register (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f89bce376a0>, 'Connection to interact.sh timed out. (connect timeout=30)'))

Tool: ZAP

Found Java version 11.0.16
Available memory: 7954 MB
Using JVM args: -Xmx1988m
809 [main] INFO  org.parosproxy.paros.Constant - Copying default configuration to /home/rekono/.ZAP/config.xml
977 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/rekono/.ZAP/session
977 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/rekono/.ZAP/dirbuster
978 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/rekono/.ZAP/fuzzers
978 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/rekono/.ZAP/plugin
Accessing URL
Failed to attack the URL: received a 404 response code, expected 200.
Writing results to /rekono/reports/16aff3d3-9d45-4898-9a66-f1367ed8d402.xml

Tool: CMSeek

TERM environment variable not set.
Traceback (most recent call last):
  File "/usr/share/cmseek/cmseek.py", line 116, in <module>
    core.main_proc(target,cua)
  File "/usr/share/cmseek/cmseekdb/core.py", line 52, in main_proc
    follow_redir = input('[#] Set ' + cmseek.bold + cmseek.fgreen + init_source[3] + cmseek.cln + ' as target? (y/n): ')
EOFError: EOF when reading a line

Tool: SearchSploit

{
	"SEARCH": "TLS 1.2 > /rekono/reports/1d4712d1-a6c8-4073-8388-36c8fa55dcce.json",
	"DB_PATH_EXPLOIT": "/usr/share/exploitdb",
	"RESULTS_EXPLOIT": [	],
	"DB_PATH_SHELLCODE": "/usr/share/exploitdb",
	"RESULTS_SHELLCODE": [	]
}
@srikr srikr added help wanted Extra attention is needed question Further information is requested labels Sep 21, 2022
@pablosnt
Owner

I'm not sure if I'm understanding you regarding credentials or session cookies. For authentication in Rekono, you can use the session in the frontend or your API token to make requests directly to the REST API. You can get your API key in your profile after entering your password. Moreover, to use the REST API, you can also use the rekono-cli project.

About the tool errors, they aren't due to a lack of authentication. The reasons for these errors are very different:

  • Log4j-scanner: it's a known error in the log4j-scanner tool that I have reported in the following issues: Connection timeout during standard execution cisagov/log4j-scanner#55 and interact.sh server unavailable fullhunt/log4j-scan#131

  • OWASP ZAP: it isn't an error; it seems that the URL attacked by ZAP isn't available (it returns an HTTP 404), so the ZAP execution fails. To check whether it is a Rekono error or not, can you check the exact command that Rekono executes in the executions-workers log? Is the target URL correct?

  • CMSeeK: very similar to the other errors. Personally, I have never seen it before, so can you check in the logs if the target URL is correct? If the URL is correct, it may be a CMSeeK error.

  • SearchSploit: I don't see any error in your output. The output of SearchSploit is in JSON format; the empty lists mean that no exploits were found for the TLS 1.2 technology.

I don't know if I can help you with anything else, but in general, these errors seem to belong to the external hacking tools or to be due to the specific target that you are scanning.

@pablosnt
Owner

Sorry, I finally understand this issue after reading your description again. No, at the moment it is not possible to execute hacking tools using authentication against the target services. I know that it's a very interesting and needed feature, and I had already included it in the backlog, even before making Rekono public. I will keep this issue open to keep it in mind :)

@srikr
Author

srikr commented Sep 22, 2022

@pablosnt OK, I mainly wanted this because my server is configured with authentication. In order for these tools to log in to my server and run a scan/attack, somewhere there should be a way to configure either authentication (basic/form post/ntlm) or cookie-based session IDs.
Do we have any tweaks I can make in the code to get this working, or any other workaround, or do I have to wait till you have the fix for it?

@pablosnt
Owner

Yes, of course, it's a feature that Rekono should include, but it can't be implemented yet. This development may need some time, because it can be complex: it includes frontend and backend development, and a lot of authentication methods should be considered.

As a fast and very bad workaround, you can manually configure your tools in your database to use these authentication tokens or credentials, or you can create specific tool configurations that use this authentication. Of course, this workaround would apply the authentication configuration to all your targets and projects. I'm referring to this: https://github.com/pablosnt/rekono/blob/main/rekono/tools/fixtures/3_configurations.json#L248. As I said, it's a very bad workaround, but it could work for you while the feature is not released.

@srikr
Author

srikr commented Sep 23, 2022

@pablosnt I am fine with a bad workaround; all I need is to use that subset of tools in your main tool. Based on the code you referred to above, are you saying to change the 3_configurations.json file in my local code outside the docker container as below (in this case considering the ZAP tool for now):

{
    "model": "tools.configuration",
    "pk": 25,
    "fields": {
        "tool": 8,
        "name": "Active scan",
        "arguments": "-cmd {url} -quickprogress -quickout {output} -cookie \"csrftoken=csrftoken123; toolsessionid=toolsessionid123; sessionid=sessionid123\"",
        "default": true
    }
}

Once the above change is added, I have to rebuild with no cache and bring up the containers again for it to be reflected in the container.
Is my understanding correct?
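The fixture edit discussed in this thread, as an added example that is not part of the issue or of the rekono project: it appends a quoted argument to one configuration entry of a 3_configurations.json-style Django fixture and lets json.dumps do the quoting, so the inner double quotes are escaped and the file stays valid JSON. The flag name (-cookie) mirrors the comment above and is not verified against ZAP's CLI; the fixture content and cookie values are constructed.

```python
import json
import shlex

# Constructed sample in the shape of rekono's 3_configurations.json Django
# fixture (model / pk / fields). The values are illustrative, not the project's.
SAMPLE_FIXTURE = json.dumps([
    {"model": "tools.configuration", "pk": 25,
     "fields": {"tool": 8, "name": "Active scan",
                "arguments": "-cmd {url} -quickprogress -quickout {output}",
                "default": True}},
    {"model": "tools.configuration", "pk": 26,
     "fields": {"tool": 8, "name": "Passive scan",
                "arguments": "-cmd {url} -quickprogress -quickout {output}",
                "default": False}},
])

REQUIRED_PLACEHOLDERS = ("{url}", "{output}")  # rekono substitutes these at run time


def add_argument(fixture_text, pk, flag, value):
    """Append `flag "value"` to the argument template of configuration `pk`.

    json.dumps does the quoting, so the double quotes around the value are
    written as backslash-quote and the fixture stays valid JSON (hand-editing
    tends to leave them unescaped, which breaks the fixture load).
    """
    if any(c in value for c in '"\n\r'):
        raise ValueError("value must not contain double quotes or newlines")
    entries = json.loads(fixture_text)
    hits = [e for e in entries if e["model"] == "tools.configuration" and e["pk"] == pk]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one configuration with pk={pk}")
    fields = hits[0]["fields"]
    if flag in shlex.split(fields["arguments"]):
        raise ValueError(f"configuration {pk} already carries {flag}")
    fields["arguments"] = f'{fields["arguments"]} {flag} "{value}"'
    missing = [p for p in REQUIRED_PLACEHOLDERS if p not in fields["arguments"]]
    if missing:
        raise ValueError(f"placeholders lost from template: {missing}")
    return json.dumps(entries, indent=4)


def arguments_of(fixture_text, pk):
    """Return the argument template of configuration `pk`, or raise LookupError."""
    for e in json.loads(fixture_text):
        if e["model"] == "tools.configuration" and e["pk"] == pk:
            return e["fields"]["arguments"]
    raise LookupError(pk)


def tokens_of(arguments):
    """Split a template the way a shell would: the quoted value stays one token."""
    return shlex.split(arguments)
```

As the thread notes, anything stored this way is applied to every target and project that uses the configuration, so the session value should be one issued for the device under test only.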

@pablosnt
Owner

Yes, this file is the default data in the Rekono database. So, if you have a Rekono instance up, you can also change this value directly in the Configuration table of the Rekono database. If you change the value in the file, you need to re-deploy the full environment, because the database needs to be initialized again.

@srikr
Author

srikr commented Sep 23, 2022

OK, I see. Also, do I need to figure out which arguments I have to give as per the CLI of the tool, or can I simply give it like this:
-cmd {url} -quickprogress -quickout {output} -cookie "csrftoken=csrftoken123; toolsessionid=toolsessionid123; sessionid=sessionid123"

@srikr
Author

srikr commented Sep 23, 2022

I did a quick search on the ZAP command line and found the two links below:

https://www.zaproxy.org/docs/desktop/cmdline/
https://www.zaproxy.org/docs/desktop/addons/quick-start/cmdline/

I need to research the -config option to pass the cookie... It seems that for every tool I have to find the command line option and add it to the 3_configurations.json file under "arguments".
Will try to add it and see how it goes.

Thanks

@srikr
Author

srikr commented Sep 23, 2022

I see the following containers. In which container (the name of the container would be helpful) can I directly change the file so that I need not rebuild the code?

└─$ docker ps
CONTAINER ID   IMAGE                                                 COMMAND                  CREATED        STATUS                  PORTS                                                                      NAMES
040156d03b6b   rekono-nginx:latest                                   "/docker-entrypoint.…"   47 hours ago   Up 47 hours             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx
691860d47957   rekono-kali:latest                                    "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-executions-worker-4
6abc5b916c4f   rekono-kali:latest                                    "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-executions-worker-2
2836be29f56d   rekono-backend:latest                                 "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-tasks-worker-1
bf30b8b18cd8   rekono-backend:latest                                 "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-findings-worker-1
88021a0e9bc1   rekono-backend:latest                                 "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-emails-worker-1
9d45ba201de5   rekono-kali:latest                                    "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-executions-worker-3
d3a070846685   rekono-kali:latest                                    "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-executions-worker-5
4c8f34537d20   rekono-backend:latest                                 "python manage.py ru…"   47 hours ago   Up 47 hours (healthy)   8000/tcp                                                                   backend
c832f2b8f23d   rekono-kali:latest                                    "python manage.py rq…"   47 hours ago   Up 47 hours                                                                                        rekono-executions-worker-1
b05591d663d4   rekono-frontend:latest                                "docker-entrypoint.s…"   47 hours ago   Up 47 hours (healthy)                                                                              frontend
bc0447c16b8f   postgres:14.2-alpine                                  "docker-entrypoint.s…"   47 hours ago   Up 47 hours                                                                                        postgres
04bcf7f4fe49   catatnight/postfix:latest                             "/bin/sh -c '/opt/in…"   47 hours ago   Up 47 hours             25/tcp                                                                     postfix
6ba59f2bfcb5   redis:6.2.6-alpine                                    "docker-entrypoint.s…"   47 hours ago   Up 47 hours                                                                                        redis

@pablosnt
Owner

No, I think that I didn't explain myself well. You have two options: edit the file in your system and build the environment again, or edit the Rekono database directly. The Rekono database is the postgres container, where you can access the Configuration table in the "rekono" database using the credentials "postgres:postgres" (if you didn't change them).

@srikr
Author

srikr commented Sep 24, 2022

Sure @pablosnt, the table name in postgres would be tools_configuration, and below are the postgres commands that need to be run:

rekono=# update tools_configuration
set arguments = '-cmd {url} -config "csrftoken=abc" -quickprogress -quickout {output}'
where id = 25;

I will use this as a workaround.

Thanks

@pablosnt
Owner

Released in the latest release 1.4.0
