From fc958ff0be4319b569fc50be9ee3f24d6e19dff5 Mon Sep 17 00:00:00 2001 From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 13:49:49 +0530 Subject: [PATCH 01/10] Update bastion_connect.sh --- .../bastion_connect.sh | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh index a9bf588..ee7d059 100644 --- a/projects/bash_networking_security/bastion_connect.sh +++ b/projects/bash_networking_security/bastion_connect.sh @@ -1 +1,39 @@ -#!/bin/bash +#!/bin/bash + +PUBLIC_IP=$1 + +PRIVATE_IP=$2 + +COMMAND=$3 + + +# if the keyexists - a. if public but not private exist connect to public b. if both exist then public->private. else exit ffor bad input + +if [[ -n "$KEY_PATH" ]]; then + + if [[ -n "$PUBLIC_IP" ]] && [[ ! "$PRIVATE_IP" ]]; then + + ssh -i "$KEY_PATH" "ubuntu@$PUBLIC_IP" + + fi + + + + if [[ -n "$PUBLIC_IP" ]] && [[ -n "$PRIVATE_IP" ]]; then + + ssh -ti "$KEY_PATH" "ubuntu@$PUBLIC_IP" "ssh -i "new_ssh_key" 'ubuntu@$PRIVATE_IP'" "$COMMAND" + + fi + +else + + echo "KEY_PATH env var is expected and must point to an existing file. try: export KEY_PATH='~/pampampam.pem' " + + exit 5 + +fi + + if [ $# -lt 1 ]; then + echo "Please provide bastion IP address" + exit 5 +fi From 2ec901d75534d68d6c9f6058a638eacf2e708b5b Mon Sep 17 00:00:00 2001 From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 13:52:58 +0530 Subject: [PATCH 02/10] Update tlsHandshake.sh --- .../bash_networking_security/tlsHandshake.sh | 53 ++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh index a9bf588..dc704c4 100644 --- a/projects/bash_networking_security/tlsHandshake.sh +++ b/projects/bash_networking_security/tlsHandshake.sh 
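Review bot: The `if [ $# -lt 1 ]` guard at the end of the new bastion_connect.sh runs only after both ssh branches have already been evaluated, so it is a late diagnostic rather than a precondition, and an empty first argument (`"" 10.0.0.5`) passes it while neither branch fires and the script exits 0 silently; move an argument check above the `KEY_PATH` block and test the value, `[[ -n "$PUBLIC_IP" ]] || { echo "Please provide bastion IP address" >&2; exit 5; }`. The KEY_PATH error text says the path "must point to an existing file", but the only test is `-n`; `if [[ -n "$KEY_PATH" && -r "$KEY_PATH" ]]; then` makes the check match the message. Both usage messages are written with plain `echo` to stdout; as diagnostics they belong on stderr. The nested-ssh line also relies on the inner `"new_ssh_key"` quotes closing and reopening the outer string, which happens to produce the intended words but is hard to read and easy to break.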
@@ -1 +1,52 @@ -#!/bin/bash +#!/bin/bash -x +# Step 1 - Client Hello (Client -> Server) +RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ + "version": "1.3", + "ciphersSuites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"], + "message": "Client Hello" +}' http://:8080/clienthello) + + +# Step 2 - Server Hello (Server -> Client) +SESSION_ID=$(jq -r '.sessionID' <<< "$RESPONSE") + +echo "$RESPONSE" | jq -r '.serverCert' > cert.pem + + +# Step 3 - Server Certificate Verification +wget https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem -O cert-ca-aws.pem + +VERIFICATION=$(openssl verify -CAfile cert-ca-aws.pem cert.pem) + +if [ "$VERIFICATION" != "cert.pem: OK" ]; then + echo "Server Certificate is invalid" + exit 5 +fi + + +# Step 4 - Client-Server master-key exchange +openssl rand -out masterKey.txt -base64 32 + +MASTER_KEY=$(openssl smime -encrypt -aes-256-cbc -in masterKey.txt -outform DER cert.pem | base64 -w 0) + + +# Step 5 - Server verification message +RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ + "sessionID": "'"$SESSION_ID"'", + "masterKey": "'"$MASTER_KEY"'", + "sampleMessage": "Hi server, please encrypt me and send to client!" +}' http://:8080/keyexchange) + + +# Step 6 - Client verification message +echo "$RESPONSE" | jq -r '.encryptedSampleMessage' > encSampleMsg.txt +cat encSampleMsg.txt | base64 -d > encSampleMsgReady.txt + +decrypted_sample_msg=$(openssl enc -d -aes-256-cbc -pbkdf2 -kfile masterKey.txt -in encSampleMsgReady.txt) + +if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then + echo "Server symmetric encryption using the exchanged master-key has failed." + exit 6 +else + echo "Client-Server TLS handshake has been completed successfully" +fi From f8ba5342273193866cbc980947a262093be52b29 Mon Sep 17 00:00:00 2001 
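Review bot: The master key is written in clear to `masterKey.txt` in the current directory (next to `cert.pem`, `cert-ca-aws.pem` and the `encSampleMsg*.txt` files) and never removed, so it outlives the handshake with whatever the default umask allows; create the working files under `mktemp -d` with `trap 'rm -rf -- "$tmpdir"' EXIT`, or at least `umask 077` before the `openssl rand` call. There is no `set -e` and `curl` runs without `--fail`, so an error response is still handed to `jq`; if it parses, `.sessionID` comes back as the string `null` and the script proceeds to the key exchange anyway — checking curl's exit status and the extracted fields (`[[ -n "$SESSION_ID" && "$SESSION_ID" != null ]]`) would stop that. `#!/bin/bash -x` prints every expanded command line, including the curl body with the session id and encrypted key, to stderr, and the flag is dropped when the script is run as `bash tlsHandshake.sh`; use `set -x` only while debugging. As committed the host in `http://:8080/...` is empty, so the first request cannot be sent.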
From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 14:07:32 +0530 Subject: [PATCH 03/10] Update vpc.sh --- projects/bash_networking_security/vpc.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh index 951abba..c13975d 100644 --- a/projects/bash_networking_security/vpc.sh +++ b/projects/bash_networking_security/vpc.sh @@ -1,4 +1,4 @@ -REGION="" -VPC_ID="" -PUBLIC_INSTANCE_ID="" -PRIVATE_INSTANCE_ID="" \ No newline at end of file +REGION="eu-north-1" +VPC_ID="vpc-0efa8b8281af85cbf" +PUBLIC_INSTANCE_ID="i-00f629cb350bfb435" +PRIVATE_INSTANCE_ID="i-095d9adca2021336a" From 3acb376486113aa724b6c72357894bb2f3cc4e1e Mon Sep 17 00:00:00 2001 From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:36:30 +0530 Subject: [PATCH 04/10] Update SOLUTION --- projects/bash_networking_security/SOLUTION | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION index 2edfbaf..0c11f9d 100644 --- a/projects/bash_networking_security/SOLUTION +++ b/projects/bash_networking_security/SOLUTION 
@@ -1,16 +1,25 @@ Local DNS Server IP ------------------- - - - +127.0.0.53 Default gateway IP ------------------- - - +10.0.0.1 DHCP IP allocation sys-logs ------------------- - +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0xec60204a) +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0xed569a5d) +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0x19be7604) +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPOFFER of 10.0.0.141 from 10.0.0.1 +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPOFFER of 10.0.0.141 from 10.0.0.1 +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPOFFER of 10.0.0.141 from 10.0.0.1 +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPREQUEST for 10.0.0.141 on ens5 to 255.255.255.255 port 67 (xid=0x4a2060ec) +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPREQUEST for 10.0.0.141 on ens5 to 255.255.255.255 port 67 (xid=0x5d9a56ed) +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPREQUEST for 10.0.0.141 on ens5 to 255.255.255.255 port 67 (xid=0x476be19) +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPACK of 10.0.0.141 from 10.0.0.1 (xid=0xec60204a) +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPACK of 10.0.0.141 from 10.0.0.1 (xid=0xed569a5d) +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPACK of 10.0.0.141 from 10.0.0.1 (xid=0x19be7604) + From 36c3f8a133c895ceac13497ee8139ff83fb1d586 Mon Sep 17 00:00:00 2001 From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 19:27:20 +0530 Subject: [PATCH 05/10] Update SOLUTION --- projects/bash_networking_security/SOLUTION | 1 + 1 file changed, 1 insertion(+) diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION index 0c11f9d..d806de4 100644 --- a/projects/bash_networking_security/SOLUTION 
+++ b/projects/bash_networking_security/SOLUTION @@ -1,3 +1,4 @@ +#Solution Local DNS Server IP ------------------- 127.0.0.53 From c45c77df0970ba406e41f10402ce743ca9094e37 Mon Sep 17 00:00:00 2001 From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 19:30:21 +0530 Subject: [PATCH 06/10] Update SOLUTION --- projects/bash_networking_security/SOLUTION | 1 - 1 file changed, 1 deletion(-) diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION index d806de4..0c11f9d 100644 --- a/projects/bash_networking_security/SOLUTION +++ b/projects/bash_networking_security/SOLUTION @@ -1,4 +1,3 @@ -#Solution Local DNS Server IP ------------------- 127.0.0.53 From fe57b2ca0688ff3305f691d2cbc576ee4903b770 Mon Sep 17 00:00:00 2001 From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 21:37:34 +0530 Subject: [PATCH 07/10] Update tlsHandshake.sh --- projects/bash_networking_security/tlsHandshake.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh index dc704c4..2074f79 100644 --- a/projects/bash_networking_security/tlsHandshake.sh +++ b/projects/bash_networking_security/tlsHandshake.sh @@ -7,7 +7,7 @@ RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ }' http://:8080/clienthello) -# Step 2 - Server Hello (Server -> Client) +# Step 2-Server Hello (Server -> Client) SESSION_ID=$(jq -r '.sessionID' <<< "$RESPONSE") echo "$RESPONSE" | jq -r '.serverCert' > cert.pem From 0af8433e69f2f544c098a052ecd5ffb734f9fe87 Mon Sep 17 00:00:00 2001 From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 21:40:14 +0530 Subject: [PATCH 08/10] Update tlsHandshake.sh --- .../bash_networking_security/tlsHandshake.sh | 70 ++++++++++--------- 1 file changed, 36 insertions(+), 34 deletions(-) 
diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh index 2074f79..72fb8f7 100644 --- a/projects/bash_networking_security/tlsHandshake.sh +++ b/projects/bash_networking_security/tlsHandshake.sh 
@@ -1,52 +1,54 @@ #!/bin/bash -x -# Step 1 - Client Hello (Client -> Server) -RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ - "version": "1.3", - "ciphersSuites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"], - "message": "Client Hello" -}' http://:8080/clienthello) - - -# Step 2-Server Hello (Server -> Client) -SESSION_ID=$(jq -r '.sessionID' <<< "$RESPONSE") -echo "$RESPONSE" | jq -r '.serverCert' > cert.pem +IPADDRESS=13.53.122.7 || $PUBLIC_EC2_IP || $1 +# Step 1: Client Hello +client_hello=$(curl -s -X POST -H "Content-Type: application/json" -d '{ + "version": "1.3", + "ciphersSuites": [ + "TLS_AES_128_GCM_SHA256", + "TLS_CHACHA20_POLY1305_SHA256" + ], + "message": "Client Hello" +}' http://$IPADDRESS:8080/clienthello) -# Step 3 - Server Certificate Verification -wget https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem -O cert-ca-aws.pem +# Step 2: Server Hello +version=$(echo "$client_hello" | jq -r '.version') +cipher_suite=$(echo "$client_hello" | jq -r '.cipherSuite') +session_id=$(echo "$client_hello" | jq -r '.sessionID') +server_cert=$(echo "$client_hello" | jq -r '.serverCert') -VERIFICATION=$(openssl verify -CAfile cert-ca-aws.pem cert.pem) +# Step 3: Server Certificate Verification +wget -q https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem +openssl verify -CAfile cert-ca-aws.pem <<< "$server_cert" +verification_result=$? -if [ "$VERIFICATION" != "cert.pem: OK" ]; then - echo "Server Certificate is invalid" +if [ $verification_result -ne 0 ]; then + echo "Server Certificate is invalid." 
exit 5 fi +# Step 4: Client-Server master-key exchange +master_key=$(openssl rand -base64 32) +encrypted_master_key=$(echo "$master_key" | openssl smime -encrypt -aes-256-cbc -binary -outform DER cert.pem | base64 -w 0) -# Step 4 - Client-Server master-key exchange -openssl rand -out masterKey.txt -base64 32 - -MASTER_KEY=$(openssl smime -encrypt -aes-256-cbc -in masterKey.txt -outform DER cert.pem | base64 -w 0) - - -# Step 5 - Server verification message -RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ - "sessionID": "'"$SESSION_ID"'", - "masterKey": "'"$MASTER_KEY"'", +# Step 5: Server verification message +server_verification_msg=$(curl -s -X POST -H "Content-Type: application/json" -d '{ + "sessionID": "'"$session_id"'", + "masterKey": "'"$encrypted_master_key"'", "sampleMessage": "Hi server, please encrypt me and send to client!" -}' http://:8080/keyexchange) - +}' http://$IPADDRESS:8080/keyexchange) -# Step 6 - Client verification message -echo "$RESPONSE" | jq -r '.encryptedSampleMessage' > encSampleMsg.txt -cat encSampleMsg.txt | base64 -d > encSampleMsgReady.txt +encrypted_sample_msg=$(echo "$server_verification_msg" | jq -r '.encryptedSampleMessage') -decrypted_sample_msg=$(openssl enc -d -aes-256-cbc -pbkdf2 -kfile masterKey.txt -in encSampleMsgReady.txt) +# Step 6: Client verification message +decrypted_sample_msg=$(echo "$encrypted_sample_msg" | base64 -d | openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:"$master_key" -md sha256) if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then echo "Server symmetric encryption using the exchanged master-key has failed." exit 6 -else - echo "Client-Server TLS handshake has been completed successfully" fi + +echo "Client-Server TLS handshake has been completed successfully" + + From 6af090c44a2dd3ff32857f9f369c65d1fe50cade Mon Sep 17 00:00:00 2001 
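Review bot: Step 4 still encrypts the master key to `cert.pem`, but this revision never writes that file — the server certificate now lives only in `$server_cert` and is fed to `openssl verify` through a here-string — so the key is wrapped with whatever stale `cert.pem` an earlier run left behind (or the command fails), and in any case not with the certificate that was just verified. Write the certificate once and use the same file in both steps: `printf '%s\n' "$server_cert" > cert.pem` before Step 3, then `openssl verify -CAfile cert-ca-aws.pem cert.pem`, keeping `cert.pem` in the `smime -encrypt` call. The first line `IPADDRESS=13.53.122.7 || $PUBLIC_EC2_IP || $1` never falls back, because an assignment always succeeds and the `||` branches are dead code; the intended precedence is `IPADDRESS=${1:-${PUBLIC_EC2_IP:-13.53.122.7}}`. With `-x` still in the shebang, the `echo "$master_key" | openssl smime …` and `-pass pass:"$master_key"` lines put the plaintext master key in the trace output, and `pass:` also exposes it in the process list; pass it over a descriptor instead, `-pass fd:3 3<<<"$master_key"`, and drop `-x`.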
From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 21:43:13 +0530 Subject: [PATCH 09/10] Update bastion_connect.sh --- .../bastion_connect.sh | 50 +++++++------------ 1 file changed, 18 insertions(+), 32 deletions(-) diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh index ee7d059..71cec8e 100644 --- a/projects/bash_networking_security/bastion_connect.sh +++ b/projects/bash_networking_security/bastion_connect.sh @@ -1,39 +1,25 @@ #!/bin/bash +if [[ -z "$KEY_PATH" ]]; then + echo "KEY_PATH environment variable is not set!" + exit 5 +fi -PUBLIC_IP=$1 - -PRIVATE_IP=$2 - -COMMAND=$3 - - -# if the keyexists - a. if public but not private exist connect to public b. if both exist then public->private. else exit ffor bad input - -if [[ -n "$KEY_PATH" ]]; then - - if [[ -n "$PUBLIC_IP" ]] && [[ ! "$PRIVATE_IP" ]]; then - - ssh -i "$KEY_PATH" "ubuntu@$PUBLIC_IP" - - fi - - - - if [[ -n "$PUBLIC_IP" ]] && [[ -n "$PRIVATE_IP" ]]; then - - ssh -ti "$KEY_PATH" "ubuntu@$PUBLIC_IP" "ssh -i "new_ssh_key" 'ubuntu@$PRIVATE_IP'" "$COMMAND" +if [[ $# -lt 1 ]]; then + echo "KEY_PATH env var is expected" + echo "Please provide Public Instance (Bastion) IP address" + exit 5 +fi - fi +public_ip=$1 +private_ip=$2 +command="${@:3}" +if [[ -n "$private_ip" ]]; then + ssh -t -i "$KEY_PATH" ubuntu@"$public_ip" ssh -i "new_ssh_key" ubuntu@"$private_ip" "$command" else + ssh -i "$KEY_PATH" ubuntu@"$public_ip" "$command" +fi - echo "KEY_PATH env var is expected and must point to an existing file. try: export KEY_PATH='~/pampampam.pem' " - - exit 5 + -fi - - if [ $# -lt 1 ]; then - echo "Please provide bastion IP address" - exit 5 -fi + From 01cfd5107129cbbd7fd44e6ff17e0cfe41b3ef2f Mon Sep 17 00:00:00 2001 
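Review bot: The `$# -lt 1` branch prints `KEY_PATH env var is expected` although KEY_PATH was validated just above; the value missing here is the bastion address, so that first echo is misleading and should go. `command="${@:3}"` flattens the remaining arguments into one string, and in the `else` branch `"$command"` is passed even when empty, so ssh receives an empty command argument instead of no command; using the positional slice directly, `ssh -i "$KEY_PATH" ubuntu@"$public_ip" "${@:3}"` (and `"${@:3}"` on the nested line), expands to nothing when no command was given. In the `private_ip` branch the inner `ssh -i new_ssh_key ubuntu@… "$command"` is a command line that the bastion's shell parses again, so a command containing spaces or quotes is re-split there before it reaches the private host; quoting it for the remote side, e.g. `"$(printf '%q ' ssh -i new_ssh_key ubuntu@"$private_ip" "$command")"`, keeps it intact. The usage messages should also go to stderr.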
From: aanchaltailwal <112718374+aanchaltailwal@users.noreply.github.com> Date: Fri, 16 Jun 2023 23:07:14 +0530 Subject: [PATCH 10/10] Update bastion_connect.sh --- .../bastion_connect.sh | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh index 71cec8e..3fff470 100644 --- a/projects/bash_networking_security/bastion_connect.sh +++ b/projects/bash_networking_security/bastion_connect.sh @@ -1,25 +1,25 @@ #!/bin/bash -if [[ -z "$KEY_PATH" ]]; then - echo "KEY_PATH environment variable is not set!" + +COMMAND=$3 +# Check if the KEY_PATH environment variable is set +if [ -z "$KEY_PATH" ]; then + echo "KEY_PATH env var is expected" exit 5 fi -if [[ $# -lt 1 ]]; then - echo "KEY_PATH env var is expected" - echo "Please provide Public Instance (Bastion) IP address" +# Check if the public instance IP is provided +if [ -z "$1" ]; then + echo "Please provide bastion IP address" exit 5 fi -public_ip=$1 -private_ip=$2 -command="${@:3}" +# If both public and private instance IPs are provided, connect to the private instance via the public instance +if [ -n "$2" ]; then + ssh -ti "$KEY_PATH" ubuntu@"$1" ssh -i "new_ssh_key" ubuntu@"$2" "$COMMAND" -if [[ -n "$private_ip" ]]; then - ssh -t -i "$KEY_PATH" ubuntu@"$public_ip" ssh -i "new_ssh_key" ubuntu@"$private_ip" "$command" +# Otherwise, connect to the public instance else - ssh -i "$KEY_PATH" ubuntu@"$public_ip" "$command" -fi - - + ssh -i "$KEY_PATH" ubuntu@"$1" +fi
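Review bot: `ubuntu@"$2"` and `"$COMMAND"` on the nested ssh line are quoted only for the local shell; both become part of the single command string the outer ssh hands to the bastion's shell, which word-splits and interprets them again, so a private address or command containing spaces or shell metacharacters does not arrive intact. Build the remote line with `printf '%q'`, e.g. `remote=$(printf '%q ' ssh -i new_ssh_key "ubuntu@$2" ${COMMAND:+"$COMMAND"})` followed by `ssh -ti "$KEY_PATH" ubuntu@"$1" "$remote"`, so the bastion sees exactly the tokens given here. `KEY_PATH` is still only tested for being non-empty; `if [ -z "$KEY_PATH" ] || [ ! -r "$KEY_PATH" ]; then` reports a wrong path before ssh does. Compared with the previous revision, the bastion-only branch no longer forwards `$COMMAND`; if that is intended it deserves a comment, otherwise `ssh -i "$KEY_PATH" ubuntu@"$1" ${COMMAND:+"$COMMAND"}` restores it.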