SpecterOps / Nemesis

An offensive data enrichment pipeline
https://specterops.github.io/Nemesis/

No module named 'msfastpbkdf2.fastpbkdf2' #24

Closed checkymander closed 9 months ago

checkymander commented 10 months ago

When going through the instructions, after installing all of the prerequisites, downloading the images with the script, and running skaffold run -m nemesis --port-forward=user, the process fails on the deployment/enrichment container.

[image]

When running kubectl logs enrichment-podnums the output is as follows:

[image]

Tested on the latest Ubuntu and the Debian version outlined in the setup docs.

leechristensen commented 10 months ago

Thanks for reporting this! I think the latest version of poetry (1.7.0, released Nov. 3) is the issue and seems to have broken the installation of this package in the container. Still looking into a fix.

checkymander commented 10 months ago

https://github.com/python-poetry/poetry/issues/6968#issuecomment-1303891299

It actually might not be poetry, but maybe an issue with the package?

sw-mreyes commented 10 months ago

This is odd; the package/import seems to work fine with python:3.11.2-bullseye (the base image of the enrichment container):

# docker run -it --rm python:3.11.2-bullseye /bin/bash
root@3ae0b5c9563c:/# pip3 install msfastpbkdf2
Collecting msfastpbkdf2
[...]
Building wheels for collected packages: msfastpbkdf2
  Building wheel for msfastpbkdf2 (setup.py) ... done
  Created wheel for msfastpbkdf2: filename=msfastpbkdf2-0.5-cp311-cp311-linux_x86_64.whl size=38073 sha256=390dee868a2ee95c5762aa7f7df7b0adb0e6a5e0a505cd64b565ed3f66ecbb66
  Stored in directory: /root/.cache/pip/wheels/63/2a/f7/7ac9b23d6cff154241d3a8ca24db5bc85955f9bbf5b9dd8d96
Successfully built msfastpbkdf2
Installing collected packages: six, pycparser, cffi, msfastpbkdf2
Successfully installed cffi-1.16.0 msfastpbkdf2-0.5 pycparser-2.21 six-1.16.0
[...]
root@3ae0b5c9563c:/# python3
Python 3.11.2 (main, Mar 23 2023, 17:12:29) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from msfastpbkdf2 import pbkdf2_hmac
>>>

You can get the cluster to run by catching the exception around the import; not sure how to fix it, though.

HarmJ0y commented 9 months ago

OK, I just pushed what I think is a fix to the main branch - tl;dr Poetry decided to be weird again and not compile the shared library that backs the package.

The reason we have this custom package (by us) is because all of the pbkdf implementations aren't built for speed and are pretty... bad. However, Microsoft does their pbkdf2 just differently enough that we had to customize the fastpbkdf2 package. Without using this package, decryption for DPAPI masterkeys slows down by a factor of at least 50x.

Apologies for the annoying bug - we know it wasn't ideal, but at least in this case we think this fix should be stable! If this works, let us know and we'll close it out; if it doesn't, let us know here as well and we'll keep digging.

Also, as a side note: we're planning on building "official" versions of all of these images with proper testing before publishing, so hopefully things like this ~shouldn't happen~ should be less common in the future :)
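The comment above says Microsoft's pbkdf2 differs "just enough" to need a custom package but does not spell out how. As an added illustration (not Nemesis or msfastpbkdf2 code), the pure-Python block below puts textbook RFC 2898 PBKDF2 next to the DPAPI-style variant as implemented in the open-source dpapick/impacket projects, where each iteration feeds the running XOR accumulator back into the HMAC instead of the previous HMAC output; that this is the exact quirk msfastpbkdf2 encodes is an assumption, and the key and salt are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs (not from the thread): a 20-byte pre-key and a 16-byte salt.
KEY = hashlib.sha1(b"constructed-prekey").digest()
SALT = bytes(range(16))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pbkdf2_rfc(password: bytes, salt: bytes, iterations: int, dklen: int, digest: str = "sha1") -> bytes:
    """Textbook RFC 2898: U_1 = PRF(salt||INT(i)), U_j = PRF(U_{j-1}), T_i = U_1 ^ ... ^ U_c."""
    out, block = b"", 1
    while len(out) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block), digest).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, digest).digest()  # chain on the previous U
            t = _xor(t, u)
        out += t
        block += 1
    return out[:dklen]

def pbkdf2_dpapi(password: bytes, salt: bytes, iterations: int, dklen: int, digest: str = "sha1") -> bytes:
    """DPAPI-style variant as implemented in dpapick/impacket (assumption: this is the quirk
    msfastpbkdf2 encodes): the PRF is fed the running accumulator T, not the previous U."""
    out, block = b"", 1
    while len(out) < dklen:
        t = hmac.new(password, salt + struct.pack(">I", block), digest).digest()
        for _ in range(iterations - 1):
            u = hmac.new(password, t, digest).digest()  # chain on the accumulator
            t = _xor(t, u)
        out += t
        block += 1
    return out[:dklen]

def compare(password: bytes, salt: bytes, iterations: int, dklen: int) -> dict:
    """Check both variants against the stdlib. They agree for 1 or 2 iterations and
    diverge from the third, because HMAC(U_2) != HMAC(U_1 ^ U_2)."""
    ref = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    return {
        "rfc_matches_stdlib": pbkdf2_rfc(password, salt, iterations, dklen) == ref,
        "dpapi_matches_stdlib": pbkdf2_dpapi(password, salt, iterations, dklen) == ref,
    }

if __name__ == "__main__":
    for n in (1, 2, 3, 4000):
        print(n, compare(KEY, SALT, n, 32))
```

Because the accumulator is re-hashed every round, the stdlib's C implementation cannot be reused for this variant, which is why a pure-Python loop over thousands of iterations is so much slower than a compiled one.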

checkymander commented 9 months ago

I confirmed on my end that you've fixed the issue. Thanks for giving it a look!

HarmJ0y commented 9 months ago

Awesome!