---
title: scan
---

### Docker

1. docker start 9f7e7b4e46e2
2. docker exec -it 9f7e7b4e46e2 /bin/bash
3. apt-get update

#### install git if required

4. apt install git
5. git --version

#### install python if required

6. apt-get install python3.6
7. apt-get install python-pip python-dev build-essential

---

- encrypted295b

1. git clone https://github.com/sushmai/scan
   - Asks for login as the repository is private
2. cd scan
3. pip install -r requirements.txt
4. python s3scanner.py -l -d cmpe235sjsu (when you know the bucket name; if not, you can search using keywords such as "not closed us-west")
5. ls
6. you can see a folder with open bucket names
7. cd and ls - now you can see all files, as credentials are not set up properly

---

Renames applied to the flaskblog starter project:

```
flaskblog - app
run == run_app
post = alert
new_post = new_alert
```

#### UI: iterm

- navigate to the project folder

```
>>> from run_app import db
```

- (run_app.py)
- Gets the below response if no error is found
- (SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and)

```
>>> db.create_all()
```

- This creates a new file named "site.db"
- Right now it is empty, let's add data to it

#### add user

```
>>> from app import User, Post
>>> user_1 = User(username="sushma", email='sushmaviera@gmail.com', password='password')
```

- Add the above user to the database

```
>>> db.session.add(user_1)
```

- No errors means the user was added; it is only committed to the database with the command below

```
>>> db.session.commit()
```

- We can commit multiple users at the same time

```
>>> user_2 = User(username="Matan", email='matan@cba.com', password='password')
>>> user_3 = User(username="Khurram", email='Khurram@cba.com', password='password')
>>> db.session.add(user_2)
>>> db.session.add(user_3)
>>> db.session.commit()
```

- To see all the users

```
>>> User.query.all()
```

- To empty all the tables

```
>>> db.drop_all()
```

---

User authentication

- password hashing to decrypt - default Flask comes with an inbuilt module:

```
sudo pip install flask-bcrypt
```

- Encrypt:

```
XXX-Pro:CBA_UI aquaman$ python
Python 2.7.16 (default, Oct 16 2019, 00:34:56)
[GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.37.14)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from flask_bcrypt import Bcrypt
>>> bcrypt = Bcrypt()
>>> bcrypt.generate_password_hash('test')
'$2b$12$kLHteENeGZnO3SsN5fnrKOzT2hXemYIC8qFYyqAeJXb6JohMmeQOe'
```

- Now it encrypted a sample password - let's see how to decrypt. When someone tries to decrypt it, every time the output will be different, so it's not possible to decrypt it.
- Example:

```
>>> bcrypt.generate_password_hash('test').decode('utf-8')
u'$2b$12$e1Y7s/JZ4kXhmKPizTTW6edzgigFAZW3NI7CwpQVdLoX7NYiCq6HK'
>>> bcrypt.generate_password_hash('test').decode('utf-8')
u'$2b$12$8PzxVQH3nNhxn4WqH0fAf.1GxYReIYAQu3H9sj.2EytV2yQqjnN4W'
>>> bcrypt.generate_password_hash('test').decode('utf-8')
u'$2b$12$yPOwCdbQYl6zwACXhSjdP.ETKAwEe9h91sW2fczIF6Il5rESVKB8K'
>>> bcrypt.generate_password_hash('test').decode('utf-8')
u'$2b$12$Pu9SDFljcZyEbUhW9y/VZ.Q2TxssJcGp21vWgbPi6a3/9fYoPoyO2'
```

Every time the response is different, so one is unable to get hold of the password.

### how CBA will do authentication?

```
>>> hashed_pw = bcrypt.generate_password_hash('test').decode('utf-8')
```

Save the hash.

Testing:

```
>>> bcrypt.check_password_hash(hashed_pw, 'password')
False
>>> bcrypt.check_password_hash(hashed_pw, 'test')
True
```

This shows a rainbow table is still possible if a hacker gets hold of the hash value; we highly encourage users to have randomized passwords.
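The generate/check workflow above, as an added example that is not code from the scan project or from flask-bcrypt: it uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so it runs without flask-bcrypt installed, and the stored-record layout (`$pbkdf2-sha256$rounds$salt$digest`) is this example's own convention, not bcrypt's `$2b$12$...` format. It shows why two hashes of the same password differ (a fresh random salt each call) and why verification never "decrypts" anything: the candidate is hashed the same way and the digests are compared.

```python
"""Salted password hashing with verification, mirroring the flask-bcrypt
generate_password_hash / check_password_hash session in the notes above.

Added example, not code from the scan project. PBKDF2-HMAC-SHA256 from the
standard library stands in for bcrypt; the record layout
$pbkdf2-sha256$<rounds>$<salt>$<digest> is an assumption of this example.
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2-sha256"
ROUNDS = 200_000          # work factor, comparable in spirit to bcrypt cost 12
SALT_BYTES = 16


def generate_password_hash(password: str, rounds: int = ROUNDS) -> str:
    """Return a self-describing record: $pbkdf2-sha256$<rounds>$<salt>$<digest>.

    A fresh random salt is drawn on every call, which is why hashing the same
    password twice yields two different strings, as seen in the notes.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "${}${}${}${}".format(
        ALGORITHM,
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def check_password_hash(stored: str, candidate: str) -> bool:
    """Recompute the digest with the salt and rounds embedded in `stored`
    and compare in constant time. Nothing is decrypted: the only way to
    confirm a password is to hash the candidate the same way."""
    try:
        _, algorithm, rounds, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(rounds)
    except (ValueError, TypeError):
        return False   # malformed record: treat as a failed login, never crash
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Reproduce the notes' session: two hashes of 'test' differ, yet both verify."""
    h1 = generate_password_hash("test")
    h2 = generate_password_hash("test")
    return {
        "hashes_differ": h1 != h2,
        "wrong_password": check_password_hash(h1, "password"),
        "right_password_h1": check_password_hash(h1, "test"),
        "right_password_h2": check_password_hash(h2, "test"),
        "tampered_record": check_password_hash("garbage", "test"),
    }


if __name__ == "__main__":
    print(demo())
```

The per-record random salt is what defeats precomputed tables: an attacker holding a leaked record has to hash each guess with that record's own salt. What the salt does not prevent is guessing weak passwords one at a time against a single record, which is the reason behind the recommendation above to use strong, randomized passwords.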
# verify:

- create a user through registration
- and check the DB

```
>>> from app.models import User
>>> user = User.query.first()
>>> user
<User u'suma'>
>>> user.password
u'$2b$12$wmj9k57LMvFqWJTNHwIo7.vcYzWWgjMy/RtfILS0hh/cs23acZv9e'
>>>
```

---

The user can now send all scan requests, so let's see how we can see who sent us a request:

- from app.models import User, Post
- posts = Post.query.all()

---

- from itsdangerous import TimedJSONWebSignatureSerializer as Serializer

---

#### Pending

- [ ] Html image with button account.html
- [ ] email alert

---

Run app:

- python run_app.py

Go to database:

- python
- from app.models import User, Post

Add users:

test1@cba.org testing

---

Robot Framework login tests (the second test case is renamed so the two names do not clash, and the `id:`/`name:` locators carry no quotes so they match the real element ids):

```
*** Test Cases ***
Testcase1_passwordtest
    Open Browser    ${URL}    ${Browser}
    Input Text    id:email    Earth15@gmail.com
    Input Text    id:password    Abs23d
    Click Element    name:submit
    Close Browser

Testcase2_passwordtest
    Open Browser    ${URL}    ${Browser}
    Input Text    id:email    test1@cba.org
    Input Text    id:password    testing
    Click Element    name:submit
    Close Browser
```

---

##### AWS CLI

1. Install and verify for me
   - /Users/aquaman/bin/aws --version
2. set up credentials - try to see the bucket
   - aws s3 ls s3://bucket-name/path/to/file
   - From a public bucket:
     - /Users/aquaman/bin/aws s3 ls s3://cba1sjsu295b
   - From my own bucket list:
     - /usr/local/bin/aws s3 ls

#upload files:

- aws s3 cp ~/Downloads/file1.zip s3://bucket-name/path/to/destination --acl public-read
- sudo /Users/aquaman/bin/aws s3 cp ~/Downloads/encrypted s3://cba1sjsu295b --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers --recursive
- aws s3 cp <your directory path> s3://<your bucket name> --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers --recursive

http://cba1sjsu295b.s3-website-us-east-1.amazonaws.com/

---

Summary:

- Not doing any test on encrypted files.

---
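The `--acl public-read` and `--grants read=uri=.../AllUsers` uploads in the AWS CLI section are exactly what makes a bucket show up as "open" to a scanner like the one cloned at the top of these notes. The following is an added example, not code from the scan project, that audits an S3 ACL for such public grants. The ACL documents are constructed here to mirror the shape boto3 returns from `get_bucket_acl` / `get_object_acl` (`{'Owner': ..., 'Grants': [...]}`), so no AWS call is made and it runs offline; passing a real response dict to `audit_acl` works the same way.

```python
"""Audit an S3 ACL for grants to the AllUsers / AuthenticatedUsers groups.

Added example, not code from the scan project. The ACL dicts below are
constructed to match the boto3 get_bucket_acl / get_object_acl response
shape; no network access is needed.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# S3 ACL permissions, in ascending severity when handed to outsiders.
SEVERITY = {"READ_ACP": 1, "READ": 2, "WRITE": 3, "WRITE_ACP": 4, "FULL_CONTROL": 5}


def public_grants(acl: dict) -> list:
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                      # canonical users are not public
        uri = grantee.get("URI", "")
        if uri in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def audit_acl(name: str, acl: dict) -> dict:
    """Summarise exposure: is the resource public, and what is the worst grant?"""
    grants = public_grants(acl)
    worst = max((SEVERITY.get(p, 0) for _, p in grants), default=0)
    return {
        "name": name,
        "public": bool(grants),
        "grants": grants,
        "worst_permission": next((p for p, s in SEVERITY.items() if s == worst), None),
    }


def audit_all(acls: dict) -> list:
    """Audit several named ACLs and return only the reports that are public."""
    return [r for r in (audit_acl(n, a) for n, a in acls.items()) if r["public"]]


# Constructed sample ACLs (placeholder owner id, not real buckets).
PUBLIC_READ_ACL = {
    "Owner": {"ID": "ownerid-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid-placeholder"},
         "Permission": "FULL_CONTROL"},
        # This is the grant that `--grants read=uri=.../AllUsers` produces.
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

PRIVATE_ACL = {
    "Owner": {"ID": "ownerid-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid-placeholder"},
         "Permission": "FULL_CONTROL"},
        # A log-delivery group grant is a Group grantee but not public: not flagged.
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}


if __name__ == "__main__":
    for report in audit_all({"public-bucket": PUBLIC_READ_ACL,
                             "private-bucket": PRIVATE_ACL}):
        print(report)
```

Run against real ACLs, the `worst_permission` field separates buckets that are merely listable (READ) from those where anyone can change data or the ACL itself (WRITE, WRITE_ACP, FULL_CONTROL), which is the order in which they should be fixed.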