Closed acabey closed 7 years ago
Check in the file ~/.faraday/config/user.xml the value of couch_uri; it should point to your VM. If you already have that value pointing to the VM, does the GTK GUI print any error?
This is the output from console
2017-07-18 15:56:34,133 - faraday.launcher - INFO - Starting Faraday IDE.
2017-07-18 15:56:34,133 - faraday.launcher - INFO - Checking configuration.
2017-07-18 15:56:34,133 - faraday.launcher - INFO - Setting up plugins.
2017-07-18 15:56:34,134 - faraday.launcher - INFO - Removing old plugins folder.
2017-07-18 15:56:34,272 - faraday.launcher - INFO - Setting up ZSH integration.
2017-07-18 15:56:34,274 - faraday.launcher - INFO - Setting up user configuration.
2017-07-18 15:56:34,274 - faraday.launcher - INFO - Using custom user configuration.
2017-07-18 15:56:34,274 - faraday.launcher - INFO - Setting up icons for GTK interface.
2017-07-18 15:56:34,310 - faraday.launcher - INFO - Setting configuration.
2017-07-18 15:56:34,813 - faraday.launcher - INFO - No updates available, enjoy Faraday.
2017-07-18 15:56:35,032 - faraday.launcher - INFO - All done. Opening environment.
2017-07-18 15:56:35,482 - faraday.launcher - INFO - Main application ExceptHook enabled.
2017-07-18 15:56:35,483 - faraday.launcher - INFO - Starting main application.
* faraday ui is ready
Make sure you got couchdb up and running.
If couchdb is up, point your browser to:
[https://faraday.localdomain:443/_ui]
2017-07-18 15:56:35,484 - faraday - INFO - XMLRPC API server configured on ('localhost', 9877)
2017-07-18 15:56:35,505 - faraday - INFO - REST API server configured on ('localhost', 9977)
The GUI only shows a popup, "Could not connect to Faraday Server"
As Leo said, there must be something wrong in the configuration. Could you please send us the user.xml located in ~/.faraday/config/user.xml and also the server.ini file (located in the same directory)?
Here are the relevant parts. I've cut out the "Plugin Settings" portion for the sake of readability.
<faraday>
<api_con_info_host>localhost</api_con_info_host>
<api_con_info_port>9877</api_con_info_port>
<api_restful_con_info_port>9977</api_restful_con_info_port>
<appname>Faraday - Penetration Test IDE Community</appname>
<auth algorithm="OTR" encrypted="no">0</auth>
<auto_share_workspace>1</auto_share_workspace>
<config_path>/home/acabey/.faraday/</config_path>
<data_path>/home/acabey/.faraday/data</data_path>
<debug_status>0</debug_status>
<default_category>General</default_category>
<default_temp_path>/home/acabey/.faraday/temp/</default_temp_path>
<font>-Misc-Fixed-medium-r-normal-*-12-100-100-100-c-70-iso8859-1</font>
<home_path>/home/acabey/</home_path>
<host_tree_toggle />
<hstactions_path>/home/acabey/.faraday/hstactions.dat</hstactions_path>
<icons_path>/home/acabey/.faraday/images/icons/</icons_path>
<image_path>/home/acabey/.faraday/images/</image_path>
<log_console_toggle />
<network_location>LAN</network_location>
<persistence_path>/home/acabey/.faraday/persistence/</persistence_path>
<perspective_view>/home/acabey/.faraday/persistence/</perspective_view>
<repo_password />
<repo_url type="SVN" />
<repo_user>u</repo_user>
<report_path>/home/acabey/.faraday/report/</report_path>
<shell_maximized>0</shell_maximized>
<last_workspace>test</last_workspace>
<couch_uri>https://faraday.pentest.localdomain:443</couch_uri>
<couch_is_replicated>True</couch_is_replicated>
<couch_replics />
<version>2.5.0</version>
Also note that I made the workspace through the web interface.
Hi, I see something suspicious with this line:
<couch_uri>https://faraday.pentest.localdomain:443</couch_uri>
See that in the beginning you have:
* faraday ui is ready
Make sure you got couchdb up and running.
If couchdb is up, point your browser to:
[https://faraday.localdomain:443/_ui]
Faraday.pentester was an attempt to be a user and password on couchdb; this is the right way to set that up: [https://USER:PASSWORD@IP:port/_ui] or, if your couchdb is set on admin party, just [https://IP:port/_ui]. Here you have our official documentation: https://github.com/infobyte/faraday/wiki/configuration-server#authentication
The FQDN of the faraday server VM is faraday.pentest.localdomain. It was incorrect in my first post.
I have tried making a user acabey in couchdb with pass testpass. I can log into this account via faraday.pentest.localdomain/_utils/, but using https://acabey:testpass@faraday.pentest.localdomain:443 in the GTK UI fails.
After disabling the port 80 redirect and instead proxying on that as well, I have tried all of the same tests with the same result.
Does it matter that I am going through a reverse proxy? All seems to be working on the web UIs, and actions are only performed through a REST API, so I assume that shouldn't be a problem.
I could try bypassing the proxy, where can I find the configuration to make the server bind on 0.0.0.0?
If it helps, here is my (Apache) reverse proxy config
<VirtualHost *:80>
ServerName faraday.pentest.localdomain
# Redirect Permanent / https://faraday.pentest.localdomain
ProxyPass / http://localhost:5985/
ProxyPassReverse / http://localhost:5985/
ProxyPreserveHost on
</VirtualHost>
<VirtualHost *:443>
ServerName faraday.pentest.localdomain
SSLEngine on
<Location "/">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Ssl on
RequestHeader set X-Url-Scheme https
</Location>
SSLCertificateFile /etc/ssl/private/faraday-internal.crt
SSLCertificateKeyFile /etc/ssl/private/faraday-internal.key
ProxyPass / http://localhost:5985/
ProxyPassReverse / http://localhost:5985/
ProxyPreserveHost on
</VirtualHost>
Could you send the server.ini config file? I need to see if the bind_address is equal to 0.0.0.0 (like the wiki indicates https://github.com/infobyte/faraday/wiki/configuration-server#binding-faraday-to-0000 )
Server.ini
[faraday_server]
port=5985
bind_address=localhost
[ssl]
port=6985
certificate=
keyfile=
;keyfile_pwd=''
[couchdb]
host=localhost
port=5984
ssl_port=6984
user=
password=
protocol=http
I've just tried bypassing the reverse proxy and going directly to the server with combinations:
http://acabey:testpass@faraday.pentest.localdomain:5985
http://acabey:testpass@[VM_INTERNAL_IP]:5985
http://faraday.pentest.localdomain:5985
http://[VM_INTERNAL_IP]:5985
No dice. Web GUI is working still.
A few questions: 1) Are you trying to run the server and the GTK in the same VM? 2) Is the Web UI working? 3) Was the server already running? (the script faraday-server.py needs to be already running for the GTK or the Web UI to work)
I think you're missing a few configuration procedures. I wanna help you get everything working, but first I need to fully understand what you want to do.
Sorry for the delay.
Hey, Could you run curl -k -v https://YOUR_HOSTNAME/ and send us the output? Your faraday configuration needs the --cert parameter. Also we need you to check the output of this command: openssl x509 -noout -in nginx.crt -subject -issuer -dates
Where it says CN=HOSTNAME, it has to be the same as the couch_uri.
You can find more information about this in our official documentation: https://github.com/infobyte/faraday/wiki/SSL
Assuming you mean from my workstation?
From workstation:
* Trying 192.168.1.40...
* TCP_NODELAY set
* Connected to faraday.pentest.localdomain (192.168.1.40) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=MA; L=Boston; O=acabey; emailAddress=contact@acabey.xyz; CN=faraday.pentest.localdomain
* start date: Jul 18 16:02:51 2017 GMT
* expire date: Jul 16 16:02:51 2027 GMT
* issuer: C=US; ST=MA; L=Boston; O=acabey; emailAddress=contact@acabey.xyz; CN=homelab-internal-ca
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: faraday.pentest.localdomain
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 20 Jul 2017 20:13:20 GMT
< Server: CouchDB/1.6.0 (Erlang OTP/18)
< Content-Length: 127
< Cache-Control: must-revalidate
< Content-Type: text/plain; charset=utf-8
< Vary: Accept-Encoding
<
{"couchdb":"Welcome","uuid":"6b7b6f23344d2f7071d49d28aafefcc9","version":"1.6.0","vendor":{"version":"15.10","name":"Ubuntu"}}
* Curl_http_done: called premature == 0
* Connection #0 to host faraday.pentest.localdomain left intact
From server:
* Trying 192.168.1.40...
* Connected to faraday.pentest.localdomain (192.168.1.40) port 443 (#0)
* found 172 certificates in /etc/ssl/certs/ca-certificates.crt
* found 690 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: faraday.pentest.localdomain (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=MA,L=Boston,O=acabey,EMAIL=contact@acabey.xyz,CN=faraday.pentest.localdomain
* start date: Tue, 18 Jul 2017 16:02:51 GMT
* expire date: Fri, 16 Jul 2027 16:02:51 GMT
* issuer: C=US,ST=MA,L=Boston,O=acabey,EMAIL=contact@acabey.xyz,CN=homelab-internal-ca
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: faraday.pentest.localdomain
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 20 Jul 2017 20:15:45 GMT
< Server: CouchDB/1.6.0 (Erlang OTP/18)
< Content-Length: 127
< Cache-Control: must-revalidate
< Content-Type: text/plain; charset=utf-8
< Vary: Accept-Encoding
<
{"couchdb":"Welcome","uuid":"6b7b6f23344d2f7071d49d28aafefcc9","version":"1.6.0","vendor":{"version":"15.10","name":"Ubuntu"}}
* Connection #0 to host faraday.pentest.localdomain left intact
What do you mean by "the --cert parameter"? That is referring to the server's public certificate?
After exporting the certificate from Firefox, I ran the GTK as the wiki says and I still cannot connect.
Also note that I am terminating SSL from an apache reverse proxy hosted on the same server. Faraday should only be doing plaintext HTTP.
Output of openssl command
subject= /C=US/ST=MA/L=Boston/O=acabey/emailAddress=contact@acabey.xyz/CN=faraday.pentest.localdomain
issuer= /C=US/ST=MA/L=Boston/O=acabey/emailAddress=contact@acabey.xyz/CN=homelab-internal-ca
notBefore=Jul 18 16:02:51 2017 GMT
notAfter=Jul 16 16:02:51 2027 GMT
Common name is the same. I don't think it is an SSL issue, I suspect a bug in the Faraday client.
Also should debug mode -d cause the GUI to fork from the shell?
We tried to set up faraday on the same conditions as you and we could make it work just fine. We suspect you might be having a problem with the library versions. Please run: python faraday.py --debug --cert cert.crt and show us the output, and run: pip freeze > freeze_requirements.txt and send us the file please. Have a nice day.
Sorry for the delay, and thanks for looking into this in such detail. This seems to be getting somewhere. Does faraday try to verify the cert on its own (without using the system CA list)? I use an internal CA that is installed on the workstation. It works on all system applications (i.e. wget) and I have installed it in my browsers' CA list, so it works there as well.
2017-08-08 16:36:11,270 - faraday.launcher - INFO - Starting Faraday IDE.
2017-08-08 16:36:11,271 - faraday.launcher - INFO - Checking configuration.
2017-08-08 16:36:11,271 - faraday.launcher - INFO - Setting up plugins.
2017-08-08 16:36:11,271 - faraday.launcher - INFO - Removing old plugins folder.
2017-08-08 16:36:11,479 - faraday.launcher - INFO - Setting up ZSH integration.
2017-08-08 16:36:11,481 - faraday.launcher - INFO - Setting up user configuration.
2017-08-08 16:36:11,482 - faraday.launcher - INFO - Using custom user configuration.
2017-08-08 16:36:11,483 - faraday.launcher - INFO - Setting up icons for GTK interface.
2017-08-08 16:36:11,541 - faraday.launcher - INFO - Setting configuration.
SSL certificate validation failed.
You can use the --cert option in Faraday
to set the path of the cert
apturl==0.5.2
asciinema==1.3.0
beautifulsoup4==4.5.3
binwalk==2.1.1
Brlapi==0.6.5
chardet==2.3.0
chrome-gnome-shell==0.0.0
command-not-found==0.3
crcelk==1.1
cryptography==1.7.1
cycler==0.10.0
decorator==4.0.11
defer==1.0.6
distro-info===0.14build1
html5lib==0.999999999
httplib2==0.9.2
idna==2.2
ipdb==0.10.3
ipython==6.1.0
ipython-genutils==0.2.0
jedi==0.10.2
keyring==10.3.1
keyrings.alt==2.2
language-selector==0.1
launchpadlib==1.10.4
lazr.restfulclient==0.13.4
lazr.uri==1.0.3
louis==3.0.0
lxml==3.7.3
Mako==1.0.6
MarkupSafe==0.23
matplotlib==2.0.0
numpy==1.12.1
oauth==1.0.1
peewee==2.10.1
pexpect==4.2.1
pickleshare==0.7.4
Pillow==4.0.0
prompt-toolkit==1.0.15
psutil==5.0.1
psycopg2==2.6.2
ptyprocess==0.5.1
pyasn1==0.1.9
pycrypto==2.6.1
pycups==1.9.73
pycurl==7.43.0
Pygments==2.2.0
pygobject==3.22.0
PyMySQL==0.7.11
PyOpenGL==3.1.0
pyparsing==2.1.10
pyqtgraph==0.10.0
pyserial==3.2.1
python-apt==1.4.0b2
python-dateutil==2.5.3
python-debian==0.1.30
pytz==2016.7
pyxdg==0.25
PyYAML==3.12
reportlab==3.3.0
requests==2.10.0
scipy==0.18.1
screen-resolution-extra==0.0.0
SecretStorage==2.3.1
simplegeneric==0.8.1
simplejson==3.10.0
six==1.10.0
smoke-zephyr==1.0.2
ssh-import-id==5.6
system-service==0.3
systemd-python==233
termineter==0.2.6
traitlets==4.3.2
ubuntu-drivers-common==0.0.0
ufw==0.35
unattended-upgrades==0.1
urllib3==1.15.1
usb-creator==0.3.3
vboxapi==1.0
virtualenv==15.1.0
wadllib==1.3.2
wcwidth==0.1.7
webencodings==0.5
xdiagnose==3.8.5
xdot==0.7
xkit==0.0.0
youtube-dl==2017.3.26
zope.interface==4.3.2
Hi again!
Okay great! We are on our way to make faraday work.
Now the last thing you need to do is to run the --cert command, with the correct certificate.
Given that you shared your proxy configuration, I'm pretty sure the file you need is SSLCertificateKeyFile /etc/ssl/private/faraday-internal.key
Good luck!
Keep us updated on how it went!
Sadly there is no change. With that I am greeted with the same failure inside the GTK.
That is also the certificate's private key, not the certificate; the client should never need the private key
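The two checks raised in this thread (the certificate CN has to equal the host in couch_uri, and --cert must be given the certificate rather than the private key) can be run before launching the client. This is an added example, not part of the thread and not Faraday's own code; the function names and sample inputs are constructed, and it compares the CN only, ignoring subjectAltName and wildcard names.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs, modelled on the values quoted in this thread.
USER_XML = """<faraday>
  <couch_uri>https://faraday.pentest.localdomain:443</couch_uri>
</faraday>"""
OPENSSL_SUBJECT = ("subject= /C=US/ST=MA/L=Boston/O=acabey"
                   "/emailAddress=contact@acabey.xyz/CN=faraday.pentest.localdomain")
# PEM bodies are placeholders; only the armor labels matter for this check.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
CN_FIELD = re.compile(r"(?:^|[/,\s])CN\s*=\s*([^/,\s]+)")


def couch_endpoint(user_xml):
    """Return (scheme, hostname, port, has_credentials) from <couch_uri>."""
    uri = ET.fromstring(user_xml).findtext("couch_uri", default="").strip()
    parts = urlsplit(uri)
    return parts.scheme, parts.hostname, parts.port, parts.username is not None


def pem_kinds(pem_text):
    """List the PEM object types found in a file, e.g. ['CERTIFICATE']."""
    return PEM_LABEL.findall(pem_text)


def subject_cn(openssl_subject_line):
    """Extract the CN from `openssl x509 -noout -subject` output (either format)."""
    match = CN_FIELD.search(openssl_subject_line)
    return match.group(1) if match else None


def preflight(user_xml, pem_text, subject_line):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    scheme, host, _port, _has_creds = couch_endpoint(user_xml)
    kinds = pem_kinds(pem_text)
    if scheme != "https":
        problems.append("couch_uri is not https, so no certificate is checked")
    if any("PRIVATE KEY" in kind for kind in kinds):
        problems.append("file contains a private key; it belongs on the server only")
    if "CERTIFICATE" not in kinds:
        problems.append("file contains no certificate")
    cn = subject_cn(subject_line)
    if cn is None or host is None or cn.lower() != host.lower():
        problems.append("certificate CN %r does not match couch_uri host %r" % (cn, host))
    return problems


if __name__ == "__main__":
    for label, pem in (("faraday-internal.crt", CERT_PEM), ("faraday-internal.key", KEY_PEM)):
        print(label, preflight(USER_XML, pem, OPENSSL_SUBJECT) or "ok")
```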
Hi there!
Sorry! I copied the wrong line!
I meant the SSLCertificateFile: /etc/ssl/private/faraday-internal.crt
Try that and let me know.
That seems to have done something at least :)
loading@eve:~/Documents/sysadmin/FSF/office-audit$ /opt/faraday/faraday.py --cert faraday-internal.crt
2017-08-09 15:41:32,645 - faraday.launcher - INFO - Checking dependencies...
2017-08-09 15:41:32,646 - faraday.launcher - INFO - Dependencies met
_____ .___
_/ ____\_____ ____________ __| _/_____ ___.__.
\ __\ \__ \ \_ __ \__ \ / __ | \__ \ < | |
| | / __ \_| | \// __ \_/ /_/ | / __ \_\___ |
|__| (____ /|__| (____ /\____ | (____ // ____|
\/ \/ \/ \/ \/
[*[ Open Source Penetration Test IDE ]*]
Where pwnage goes multiplayer
2017-08-09 15:41:32,649 - faraday.launcher - INFO - Starting Faraday IDE.
2017-08-09 15:41:32,649 - faraday.launcher - INFO - Checking configuration.
2017-08-09 15:41:32,649 - faraday.launcher - INFO - Setting up plugins.
2017-08-09 15:41:32,649 - faraday.launcher - INFO - Removing old plugins folder.
2017-08-09 15:41:32,709 - faraday.launcher - INFO - Setting up ZSH integration.
2017-08-09 15:41:32,710 - faraday.launcher - INFO - Setting up user configuration.
2017-08-09 15:41:32,710 - faraday.launcher - INFO - Using custom user configuration.
2017-08-09 15:41:32,710 - faraday.launcher - INFO - Setting up icons for GTK interface.
2017-08-09 15:41:32,725 - faraday.launcher - INFO - Setting configuration.
2017-08-09 15:41:32,881 - faraday.launcher - ERROR - __str__ returned non-string (type Error)
2017-08-09 15:41:32,882 - faraday.launcher - INFO - No updates available, enjoy Faraday.
2017-08-09 15:41:33,007 - faraday.launcher - INFO - All done. Opening environment.
2017-08-09 15:41:33,381 - faraday.launcher - INFO - Main application ExceptHook enabled.
2017-08-09 15:41:33,382 - faraday.launcher - INFO - Starting main application.
* faraday ui is ready
Make sure you got couchdb up and running.
If couchdb is up, point your browser to:
[https://faraday.pentest.localdomain:443/_ui]
2017-08-09 15:41:33,382 - faraday - INFO - XMLRPC API server configured on ('localhost', 9876)
2017-08-09 15:41:33,402 - faraday - INFO - REST API server configured on ('localhost', 9977)
Error in sys.excepthook:
Traceback (most recent call last):
File "/opt/faraday/utils/error_report.py", line 83, in exception_handler
model.guiapi.postCustomEvent(event)
File "/opt/faraday/model/guiapi.py", line 38, in postCustomEvent
receiver = getMainWindow()
File "/opt/faraday/model/guiapi.py", line 34, in getMainWindow
return __the_mainapp.getMainWindow()
AttributeError: 'NoneType' object has no attribute 'getMainWindow'
Original exception was:
Traceback (most recent call last):
File "/opt/faraday/gui/gtk/application.py", line 635, in do_startup
CONF.getLastWorkspace())
File "/opt/faraday/gui/gtk/mainwidgets.py", line 515, in __init__
self.workspaces = self.serverIO.get_workspaces_names()
File "/opt/faraday/gui/gtk/decorators.py", line 17, in wrapper
res = func(*args, **kwargs)
File "/opt/faraday/gui/gtk/server.py", line 67, in get_workspaces_names
return models.get_workspaces_names()
File "/opt/faraday/persistence/server/models.py", line 647, in get_workspaces_names
return server.get_workspaces_names()['workspaces']
File "/opt/faraday/persistence/server/server.py", line 470, in get_workspaces_names
return _get("{0}/ws".format(_create_server_api_url()))
File "/opt/faraday/persistence/server/server.py", line 152, in _get
params=params))
File "/opt/faraday/persistence/server/server.py", line 118, in _unsafe_io_with_server
answer = server_io_function(server_url, **payload)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 71, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 57, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 403, in send
timeout=timeout
File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 578, in urlopen
chunked=chunked)
File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 354, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 324, in _raise_timeout
if 'timed out' in str(err) or 'did not complete (read)' in str(err): # Python 2.6
TypeError: __str__ returned non-string (type Error)
Error in sys.excepthook:
Traceback (most recent call last):
File "/opt/faraday/utils/error_report.py", line 83, in exception_handler
model.guiapi.postCustomEvent(event)
File "/opt/faraday/model/guiapi.py", line 38, in postCustomEvent
receiver = getMainWindow()
File "/opt/faraday/model/guiapi.py", line 34, in getMainWindow
return __the_mainapp.getMainWindow()
AttributeError: 'NoneType' object has no attribute 'getMainWindow'
Original exception was:
Traceback (most recent call last):
File "/opt/faraday/gui/gtk/application.py", line 718, in do_activate
self.window = AppWindow(self.sidebar,
AttributeError: 'GuiApp' object has no attribute 'sidebar'
2017-08-09 15:41:33,624 - faraday - INFO - Closing Faraday...
Hi there, could you solve this? Cheers!
I was never able to resolve this, and it is not something I will be pursuing any further. If this has not been reported / confirmed elsewhere, I will close the issue. Thank you for your time.
I've set up a Faraday server on one VM and I have configured a reverse proxy such that I can access both the Faraday web interface at https://faraday.localdomain/_ui/ and the couchDB web interface at https://faraday.localdomain/_util/. I have set port 80 to permanently redirect to port 443. While my SSL certificate is self-signed, I have imported the CA onto my workstation. The browser has no issues.
I am having trouble getting the GTK interface on my workstation to connect to this server. On the start I get a "Cannot Connect" error message.
Am I missing something in the configuration?