UncleNUC Wiki

Second chance for NUCs


This is an old revision of the document!



Ansible Playbook - FAH Removal

In our previous step we set up FAH on our Stack of NUCs.

Now we are going to disable the service and uninstall it. In the last step there was an optional step to “finish folding”. Bonus points for doing this.

Purpose:

  • Demonstrate stopping and removing an installed service workload

Step 1 - Connect to the Ansible Control Node

From NUC 1, log in to the Ansible control node, NUC 2.

Step 2 - Create the Playbook

Create the file /home/ansible/my-project/fah/removefah.yml

removefah.yml
---
- hosts: all
  become: true
  become_user: root
  tasks:
    - name: Stop and disable FAHClient.service
      ansible.builtin.service:
        name: FAHClient.service
        state: stopped
        enabled: false
    - name: Remove fahclient package
      apt:
        name: fahclient
        state: absent
        clean: true
        purge: true
    - name: Reboot
      reboot:

Step 3 - Test the Playbook

ansible-playbook removefah.yml
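
To confirm the removal took effect on every node after the reboot, a follow-up playbook can assert on the collected service and package facts. This is an added example, not part of the original page; the file name verifyfah.yml and the pass criteria are assumptions.

```yaml
---
# verifyfah.yml - added example; file name and assertions are assumptions
- hosts: all
  become: true
  tasks:
    - name: Collect service state
      ansible.builtin.service_facts:

    - name: Collect installed packages
      ansible.builtin.package_facts:
        manager: apt

    - name: Fail if FAHClient is still installed, running or enabled
      vars:
        # Empty dict when the unit no longer exists on the host
        fah: "{{ ansible_facts.services['FAHClient.service'] | default({}) }}"
      ansible.builtin.assert:
        that:
          - "'fahclient' not in ansible_facts.packages"
          - fah.state | default('absent') != 'running'
          - fah.status | default('absent') != 'enabled'
        fail_msg: "FAH remnants found on {{ inventory_hostname }}"
        success_msg: "FAH fully removed from {{ inventory_hostname }}"
```

Run it with ansible-playbook verifyfah.yml from the same directory as removefah.yml.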

Next Step

Now that we have removed the CPU-hungry FAH service, the next step is installing Kubernetes.

Optional

Cyber security students may want to deploy hashtopolis in the Lab. This deploys a distributed hashcat cluster for brute forcing password hashes.

Hashtopolis

References:

There are two pieces to set up:

  • server - the central server distributes the keyspace of a task, aggregates jobs, and collects results in a MySQL database
    • communicates over HTTPS with client machines
    • passes over files, binaries and task commands
  • agents - act on the commands, execute the hash cracking application, and report “founds” to the server

Start a Folder for hashtopolis

  1. Log in to the Ansible control node (NUC 2)
  2. Create directory /home/ansible/my-project/hashtopolis and change to it
    • mkdir hashtopolis
    • cd hashtopolis
  3. Create the inventory, putting one of the worker nodes in the [server] section and the rest in the [agents] section
    • /home/ansible/my-project/hashtopolis/inventory
    • inventory
      [all:vars]
      ansible_python_interpreter=/usr/bin/python3
      ansible_user='ansible'
      ansible_become=true
      ansible_become_method=sudo
      [server]
       
      [agents]
  4. Create the ansible.cfg file
    • /home/ansible/my-project/hashtopolis/ansible.cfg
    • ansible.cfg
      [defaults]
      inventory = inventory

Server Setup

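The server runs on a LAMP stack. Note that the playbook below serves the site over plain HTTP on port 80 (http_port), and the agent configuration later on this page points at an http:// URL, so agent vouchers cross the lab network unencrypted.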

testing-server-build.yml
---
- hosts: server
  become: true
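  vars:
    # Placeholder secrets: replace before running, and keep real values in an ansible-vault encrypted vars file
    mysql_root_password: "my_sql_root_password"
    app_user: "ansible"
    http_host: "hashtopolis"
    http_conf: "hashtopolis.conf"
    http_port: "80"
    disable_default: true
    hashtopolis_password: "my_hashtopolis_password"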
  tasks:
    - name: Install prerequisites
      apt:
        pkg:
          - aptitude
          - git
          - phpmyadmin
 
    # Apache Configuration
    - name: Install LAMP Packages
      apt:
        pkg:
          - apache2
          - mysql-server
          - python3-pymysql
          - php
          - php-pear
          - php-mysql
          - libapache2-mod-php
    - name: Create document root
      file:
        path: "/var/www/{{ http_host }}"
        state: directory
        owner: "{{ app_user }}"
        mode: '0755'
    - name: Set up Apache virtualhost
      template:
        src: "apache.conf.j2"
        dest: "/etc/apache2/sites-available/{{ http_conf }}"
      notify: Reload Apache
    - name: Enable new site
      shell: /usr/sbin/a2ensite {{ http_conf }}
      notify: Reload Apache
    - name: Disable default Apache site
      shell: /usr/sbin/a2dissite 000-default.conf
      when: disable_default
      notify: Reload Apache
 
    # MySQL Configuration
    - name: start and enable mysql service
      service:
        name: mysql
        state: started
        enabled: yes
    - name: manage MySQL root password
      become: true
      mysql_user:
        login_user: root
        login_password: "{{ mysql_root_password }}"
        name: root
        password: "{{ mysql_root_password }}"
        check_implicit_admin: true
    - name: Sets the hashtopolis password
      mysql_user:
        name: hashtopolis
        password: "{{ hashtopolis_password }}"
        # Scoped to the hashtopolis database instead of "*.*:ALL" (least privilege)
        priv: "hashtopolis.*:ALL"
        login_user: root
        login_password: "{{ mysql_root_password }}"
        state: present
    - name: Removes all anonymous user accounts
      mysql_user:
        name: ''
        host_all: true
        state: absent
        login_user: root
        login_password: "{{ mysql_root_password }}"
    - name: Removes the MySQL test database
      mysql_db:
        name: test
        state: absent
        login_user: root
        login_password: "{{ mysql_root_password }}"
    - name: Create new databases
      mysql_db:
        name:
          - hashtopolis
        state: present
        login_user: root
        login_password: "{{ mysql_root_password }}"
 
 
    # UFW Configuration
    - name: "UFW - Allow HTTP on port {{ http_port }}"
      ufw:
        rule: allow
        port: "{{ http_port }}"
        proto: tcp
 
    # PHP Info Page
    - name: Sets Up PHP Info Page
      template:
        src: "info.php.j2"
        dest: "/var/www/{{ http_host }}/info.php"

    - name: Clone a github repository
      git:
        repo: https://github.com/s3inlc/hashtopolis.git
        dest: /home/ansible/repos/
        clone: true
        update: true
    - name: copy hashtopolis/src/* to /var/www/hashtopolis
      copy:
        src: /home/ansible/repos/src/
        dest: "/var/www/{{ http_host }}/"
        remote_src: true
        owner: www-data
        group: www-data
    # - name: chown -R www-data:www-data /var/www/hashtopolis
    # - name: php.ini tweaking

  handlers:
    - name: Reload Apache
      service:
        name: apache2
        state: reloaded

    - name: Restart Apache
      service:
        name: apache2
        state: restarted

  1. Configure the server using the Web UI
    • open a web browser and point it to the server's IP address
    • complete the installation GUI to configure the server
      • server hostname: localhost
      • server port: 3306
      • mysql user: hashtopolis
      • mysql password: my_hashtopolis_password
      • database name: hashtopolis
    • create a login account when prompted
  2. After configuration is complete, remove the install directory.
    • remove-hashtopolis-installer.yml
      ---
      - hosts: server
        become: true
        vars:
          http_host: "hashtopolis"
        tasks:
          - name: Remove install directory
            file:
              path: "/var/www/{{ http_host }}/install"
              state: "absent"
  3. Log in and create enough vouchers for all your worker nodes
    • Click Agents > New
    • Under Vouchers, and next to the New voucher button, click Create
    • Repeat to generate vouchers for all your workers
    • Save these voucher codes to vouchers.txt
  4. Click Files, then the Wordlists Tab

Agent Setup

  1. Create a text file with the list of voucher codes: /home/ansible/my-project/hashtopolis/vouchers.txt. Replace the example voucher codes with your actual codes.
  2. Create a j2 template for the agent configuration file
    • config.json.j2
      {
        "files-path": "/home/ansible/files",
        "crackers-path": "/home/ansible/crackers",
        "hashlists-path": "/home/ansible/hashlists",
        "zaps-path": "/home/ansible",
        "preprocessors-path": "/home/ansible/preprocessors",
        "url": "http://{{ server_ip }}/api/server.php",
        "voucher": "{{ vouchers[play_hosts.index(inventory_hostname)]}}",
        "token": "",
        "uuid": ""
      }
  3. Create unit file for the new hashtopolis-agent service
    • hashtopolis-agent.service
      [Unit]
      Description=Hashtopolis Agent
      After=network.target
       
      [Service]
      Type=simple
      ExecStart=/usr/bin/python3 /home/ansible/hashtopolis.zip
      Restart=on-failure
      StandardOutput=syslog
      StandardError=syslog
      SyslogIdentifier=hashtopolis-client
      WorkingDirectory=/home/ansible
       
      [Install]
      WantedBy=multi-user.target
  4. Create playbook to install the agent
    • hashtopolis-agent.yml
      ---
      - hosts: server
      - hosts: agents
        become: true
        vars:
          server_ip: "{{groups['server'].0}}"
          vouchers: "{{ lookup('file', '/home/ansible/my-project/hashtopolis/vouchers.txt').splitlines() }}"
        tasks:
          - name: Install prerequisites
            apt:
              pkg:
                - zip
                - git
                - python3
                - python3-psutil
                - python3-requests
                - pciutils
                - curl
          - name: Pull agent
            get_url:
              url: "http://{{ server_ip }}/agents.php?download=1"
              dest: /home/ansible/
          - name: Create config file
            template:
              src: "/home/ansible/my-project/hashtopolis/config.json.j2"
              dest: "/home/ansible/config.json"
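          - name: Create systemd unit file
            copy:
              src: /home/ansible/my-project/hashtopolis/hashtopolis-agent.service
              dest: /etc/systemd/system
              owner: root
              # Quoted octal; a bare 644 is read as a decimal integer and sets the wrong permissions
              mode: '0644'
          - name: Reload systemd
            # The play already sets become: true; the old "sudo: yes" task keyword is no longer accepted
            command: systemctl daemon-reload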
          - name: Start hashtopolis-agent service
            systemd:
              name: hashtopolis-agent
              enabled: true
              state: started
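
The config.json.j2 template picks each agent's voucher by the host's position in the play, so a blank line, a duplicate or a short vouchers.txt silently gives an agent the wrong voucher or none at all. The pre-flight check below is an added example, not part of the original page; the file name check-vouchers.yml and the pass criteria are assumptions.

```yaml
---
# check-vouchers.yml - added example; run on the control node before hashtopolis-agent.yml
- hosts: localhost
  gather_facts: false
  vars:
    voucher_file: /home/ansible/my-project/hashtopolis/vouchers.txt
    # Same split the agent playbook uses, with surrounding whitespace trimmed
    vouchers: "{{ lookup('file', voucher_file).splitlines() | map('trim') | list }}"
    agent_hosts: "{{ groups['agents'] | default([]) }}"
  tasks:
    - name: Read voucher file permissions
      ansible.builtin.stat:
        path: "{{ voucher_file }}"
      register: voucher_stat

    - name: Validate vouchers before templating config.json
      ansible.builtin.assert:
        that:
          # At least one agent is defined in the inventory
          - agent_hosts | length > 0
          # No blank lines, which would shift every later index
          - vouchers | select | list | length == vouchers | length
          # No voucher listed twice
          - vouchers | unique | list | length == vouchers | length
          # One voucher per host in the [agents] group
          - vouchers | length >= agent_hosts | length
          # Vouchers are enrollment secrets: not world-readable
          - not voucher_stat.stat.roth
        fail_msg: >-
          vouchers.txt has {{ vouchers | length }} lines for
          {{ agent_hosts | length }} agents, or contains blank or duplicate
          lines, or is world-readable
        success_msg: "{{ vouchers | length }} vouchers cover {{ agent_hosts | length }} agents"
```

Because the index follows the play's host list, running hashtopolis-agent.yml with --limit changes which voucher each host receives.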

Confirm Agents are Up and Running

  1. Check the services using a playbook
    • check-agent-service.yml
      ---
      - hosts: agents
        tasks:
          - name: Get Service Status
            ansible.builtin.systemd:
              name: "hashtopolis-agent"
            register: hta_service_status
          - debug:
              var: hta_service_status.status.ActiveState
  2. Log in to the Hashtopolis dashboard and view the agents

Add Dictionary of Passwords to Try

  1. Click Files, then the Wordlists Tab

Create Sample md5 Password Hashes

md5sum

Create a Task to Crack the Hashes

to do

I chose a hash from /etc/shadow, type 1800. (https://hashcat.net/wiki/doku.php?id=example_hashes) Unix passwords.

lab/stack_of_nucs/ansible_playbook_-_fah_removal.1683137553.txt.gz · Last modified: 2023/05/03 18:12 by user