Change the database port from default value of 5432 to 5431

[dennisarriola]

Hello,

I was wondering if I can change the database port in Rekono Desktop Application. I was thinking to connect Rekono to Defect Dojo but because they using the same default database port which 5432, I cannot run these two applications at the same time. I was thinking to change Rekono Desktop Application database port for them to run at the same time but I was not successful?

Could you please tell me if my plan is feasible. If so, can you teach me how to change the RKN_DB_PORT or database_port value?

Thank you very much

[pablosnt]

Hello @dennisarriola,

The database port change can't be changed on Rekono Desktop, because it's based on a Docker container that executes everything: frontend, backend, database, redis queues and workers. However, this database is running in this Docker container under the hood, and its port is not exposed, so the database is more or less isolated from your host machine. In other words, Defect-Dojo instance shouldn't be affected by Rekono database in the case of Rekono Desktop.

Anyway, did you try to execute both? What error did you get?

In other situations, if you are running Rekono from source, you would be able to configure everything using environment variables and the config file. However, Rekono Desktop is pre-configured and this kind of changes in the configuration file would break the application well-working.

I hope this to be useful. Let me know if I can help in something else

[dennisarriola]

Hello @pablosnt,

Thank you for your prompt response.

For some reason, I cannot run Defect-Dojo and Rekono Desktop at the same time. Please see the attached files for the errors: Rekono Error: Scenario: Defect-Dojo application was started first. Rekono Desktop has not yet opened/started. When I start/open Rekono Desktop, this error message is displayed(wrong credentials). I cannot login even if i am using the correct default credentials. I have not changed it. Screenshow below: I extracted the error log of rekono, kindly see: Rekono Error Log

Defect Dojo Error: Scenario: Rekono Desktop application was started first. Defect Dojop has not yet opened/started. I was able to login successfully in Rekono Desktop using the default credentials (I have not changed it yet). When I start/launch Defect Dojo, this error message is displayed. Screenshow below:

I was thinking maybe because they were using/connecting to the port. I really don't have an idea. Or maybe because both are using IP 127.0.0.1, rekono postgresql was using 127.0.0.1:5432 and defect-dojo web application was using 127.0.0.1:42003

Thank you

[pablosnt]

Thank you for the great information of the problem! I will try to reproduce the issue as soon as possible and, hopefully, find a solution. Thank you again!

[pablosnt]

One more question, how did you run Defect-Dojo? Using Docke compose, I guess? Thanks

[dennisarriola]

Hello @pablosnt,

Thank you for your support.

I am not sure if it was through docker compose or what. I remember, installing it following from the instruction from this link https://www.kali.org/tools/defectdojo/ And then, these two were added in the Kali Linux menu: "defectdojo start" and "defectdojo stop" Kindly see the screenshot below:

Thank you again for your help and support. I prefer using the desktop version of rekono since I read from your posts that it is more stable than the web version. Hopefully you can find a way to somewhat fix it as you always do in rekono related concerns. 💯

[pablosnt]

Okay, thank you for the clarification. To be honest, I released the Rekono Desktop before Defect-Dojo was available in Kali, so I did all the testing using the Docker compose version of Defect-Dojo. I will work on this soon to try to reproduce the problem and find an explanation and solution. Thank you again!

[pablosnt]

Hello @dennisarriola, thank you very much for reporting this, it was a bit hard, but I've finally found the problem.

Even though Rekono Desktop is executed on a container, its network configuration was established to host. This means that the Rekono container and your Kali Linux host share the network and all the Rekono internal services are exposed to the host. This was the root cause of the error.

I've created an issue to the Kali Linux team to update the rekono-kbx package, and replace that configuration to bridge, so services like the database won't be accessible from the host. The package is not released yet because Kali team will need some time to work on it. I will notice you when it's ready :)

I would like to share some important notes about how to configure the Rekono Desktop and Defect-Dojo integration when the second one has been installed using the Kali Linux package:

By default, Defect-Dojo only accepts requests from 127.0.0.1 or localhost, and it's not possible to reach Defect-Dojo running in the host from the Rekono container. To solve this, you need to export the environment variable DD_ALLOWED_HOSTS (I've added it to my $HOME/.zshrc file) before running defectdojo. You will need to configure the Defect-Dojo URL in Rekono using the host from the docker0 interface, so add this IP to the allowed hosts or simply execute echo "export DD_ALLOWED_HOSTS=*" >> $HOME/.zshrc to allow connections from any IP in Defect-Dojo. Finally, configure the Defect-Dojo integration in Rekono as usual, in my case the URL was http://172.17.0.1:42003. Replace my IP with the IP of your docker0 interface.

I hope this to be useful. Let me know if you need help with something else

[dennisarriola]

Hello @pablosnt

Happy New Year!

Apologies for replying very late. I was on vacation during the holiday season. Thank you very much for the very detailed explanation. We understand and we will just wait for the new release. 👍 If I may ask, do you have a rough schedule for it? Is it okay to ask if there is? 😄

RE: share some important notes about how to configure the Rekono Desktop and Defect-Dojo integration Is it applicable also to your upcoming rekono-kbx package release to fix this current issue?

Thank you again~

All the best, Dennis Arriola

[pablosnt]

Hello @dennisarriola

Happy New Year! :)

If I may ask, do you have a rough schedule for it? Is it okay to ask if there is? 😄

Of course, it's okay to ask! Actually, the new fixed package is already available on Kali. Upgrade it, and it should work

Is it applicable also to your upcoming rekono-kbx package release to fix this current issue?

Yes. In addition to what I said, in my latest tests I couldn't configure the Defect-Dojo ALLOWED_HOSTS using environment variables, so I had to do it directly in the file /etc/defectdojo/settings.dist.py. Make sure Defect-Dojo is reachable using any of your no-localhost IPs before configuring the integration in Rekono. Check out my screenshot:

Thank you very much for reporting this! I'm closing this issue, but feel free to reopen it if you need help

Best regards, Pablo

[dennisarriola]

Thank you very much @pablosnt!

I will try the new package and will inform you the result. Thank you very much again! 😸

[dennisarriola]

Hello @pablosnt

I was able to run Rekono and Defect Dojo at the same time already. Kindly see screenshot below: Thank you very much

However, I stopped at

export the environment variable DD_ALLOWED_HOSTS (I've added it to my $HOME/.zshrc file) before running defectdojo

I am not familiar with .zschrc files, I try creating via Konsole terminal in Kali Linux, following from this site https://www.baeldung.com/linux/zsh-configuration-files but I'm afraid I might break something if I don't do it right. Can you share with me your .zschrc file or maybe share a screenshot of the content of that file?

Sorry for any inconvenience that this additional request may cause. Thank you very much again.

All the best, Dennis Arriola

[pablosnt]

Great! Good to know that it works!

Okay, now the problem at that point is that Defect-Dojo filters the requests based on the source domain, and by default, it's limited to localhost and 127.0.0.1. It's something very common in Django applications, in fact, Rekono also has that filter but in this case is not a problem. For example, you can try to reach Defect-Dojo from your browser using the docker0 or your private IP in your local network (usually from the eth0 interface) and you will get a 400 Bad Request as a response.

As far as I know, there are two ways to customize the Defect-Dojo filter to allow requests from Rekono (remember that is running in a Docker container, so it can't reach Defect-Dojo at localhost or 127.0.0.1):

• Configuring the DD_ALLOWED_HOSTS environment variable: I think that Defect-Dojo is installed as a Linux service, so I'm not very sure about the best place to configure it for that kind of Defect-Dojo installation. The first time I tried, configuring it in the $HOME/.zshrc file worked for me, however, the last time I did it, it failed. In my opinion, it would be the best option because you are not editing the Defect-Dojo source code, and you would keep this configuration independent of the Defect-Dojo package updates. Anyway, maybe it's something that you can ask to Defect-Dojo team. Regarding the .zshrc, it's the same as the .bashrc for example in OS based on a bash terminal by default, it's just a script that is executed at the start of each terminal session, so the environment variables defined there will be available everywhere. If you want to try this, just execute echo 'export DD_ALLOWED_HOSTS=*' >> $HOME/.zshrc that will add the line that defines the environment variable (export DD_ALLOWED_HOSTS=*) at the end of that file. The usage of * configures Defect-Dojo to accept requests from every source. The rest of my .zshrc content is given by Kali Linux by default, I just added this line at the end.

• Editing the default localhost filter in Defect-Dojo settings: when the environment variable is not provided, Defect-Dojo uses the list ['localhost', '127.0.0.1'] by default, and it's defined in the file /etc/defectdojo/settings.dist.py. You can check it by executing sudo cat /etc/defectdojo/settings.dist.py | grep ALLOWED_HOSTS (check my screenshot in this comment). In my case, I've added my Docker gateway IP ('172.17.0.1') to the default list, you can also add the * value to allow everything or the IP you want Rekono to use to reach Defect-Dojo. It works for me, however, maybe (to be honest, I don't have any idea) the changes in this file might be overwritten by the default file when Defect-Dojo is updated.

I hope this to be useful, let me know if it works for you or if you need help with something else :)

[dennisarriola]

Hello @pablosnt,

Thank you for your prompt response!

I followed the 2nd bullet and were able to successfully integrate Rekono and DefectDojo. Thank you very much! Kindly see screenshot below:

I have last more inquiries:

1. How to export the previous test results in rekono to defect dojo?
2. Is it possible to export the old test results?
3. Only the new test results after integrating rekono and defectdojo successfully will be reflected in defect dojo?
4. Will the test result will be automatically exported to defect dojo after the test?

Thank you very much. 😺

[pablosnt]

Great! Good news :)

How to export the previous test results in rekono to defect dojo?

It's not possible.

Is it possible to export the old test results?

There are two alternatives in the current version (I'm working on more for the new one):

• Using the Rekono API to export the findings data. You can use the rekono-cli for that
• Rekono tries to work with the original reports of the hacking tools when they support any export format. These reports are available in the path $HOME/.local/share/rekono/reports at your local machine. You can review and import them in Defect-Dojo manually for those reports supported by Defect-Dojo. It might be hard if you already have many reports

Only the new test results after integrating rekono and defectdojo successfully will be reflected in defect dojo?

Will the test result will be automatically exported to defect dojo after the test?

Yes, but you also have to enable the synchronization per project (go to the main project page > expand the three dots at the top right > Defect-Dojo). A detailed guide with screenshots is available at the documentation. After enabling the synchronization, findings will be imported automatically into Defect-Dojo when each execution is completed.

You are welcome!

[dennisarriola]

Thank you very much @pablosnt for your continuous support. I will try your suggestions and will inform you the result.

Again, thank you very much. 🎆

[dennisarriola]

Hello @pablosnt,

I successfully integrated and synchronized rekono and defectdojo tools. Thank you for your help! Kindly see:

I would like to share my observations and some questions about rekono.

• I noticed that some tools were skipped due to tool configuration error e.g. requires domain/URL/host argument. My question is, where do I put these domain/URL/host argument? Is it during adding New Target?
• Some tools take a little longer to finish and sometimes stays on Running status forever 😆 e.g. ZAP Active Scan, Nikto Web Scan and Metasploit, may I know if this is expected or should I need to wait for it to finish before shutting down my PC.
• Do I need to have an internet connection for some tools e.g. ZAP Active Scan, Nikto Web Scan and Metasploit to function properly? I searched about it but I cannot find from their respective websites.

Hopefully this will be my last inquiries. Thank you very much again!

All the best, Dennis Arriola

[pablosnt]

Hello @dennisarriola

I noticed that some tools were skipped due to tool configuration error e.g. requires domain/URL/host argument. My question is, where do I put these domain/URL/host argument? Is it during adding New Target?

This happens when the first executions of a Rekono process don't find the type of findings needed for the next execution. For example, if Nmap is executed first but it doesn't find anything, the next planned Dirsearch execution doesn't have the required parameters to be executed, so the execution ends as skipped. You can configure target ports and input vulnerabilities and technologies in the targets tab. All this information will be used as tool input when the previous tools don't find the findings needed to execute the next ones. Using these forms, you can give more context to your targets, and retry the executions.

This might also happen if you execute Rekono from the source and the tool is not installed on the system, but in your case with Rekono Desktop, everything is installed.

Some tools take a little longer to finish and sometimes stays on Running status forever 😆 e.g. ZAP Active Scan, Nikto Web Scan and Metasploit, may I know if this is expected or should I need to wait for it to finish before shutting down my PC.

Rekono only executes those tools, and as you probably know, ZAP and Nikto need some time to complete their executions. In the case of Metasploit, it's usual in Rekono, but it shouldn't take as long time and it's something that I have to research and fix. Note that everything is running on your machine, if you shut down your PC all the executions will stop, but their status will be Running because they are updated when each execution ends or fails.

Do I need to have an internet connection for some tools e.g. ZAP Active Scan, Nikto Web Scan and Metasploit to function properly? I searched about it but I cannot find from their respective websites.

As far as I know (this question is for the maintainers of those tools), Metasploit doesn't need any connection, and ZAP and Nikto only need connection with the target.

[dennisarriola]

Hello @pablosnt,

I understand. Thank you for the very detailed answers to my questions. I don't have anymore concern, hopefully. 😸

All the best, Dennis Arriola

[pablosnt]

I'm happy to know this was useful. You are welcome! 😄