-
Notifications
You must be signed in to change notification settings - Fork 85
Installation
Kvasir is built upon web2py and can generally be used with any supported database.
Kvasir is primarily supported on Ubuntu Linux with limited support for Apple Mac OS X. The following libraries and applications are required:
- PIP
- git
- lxml
- BeautifulSoup
- msgpack (for Metasploit integration)
To install all required libraries on a Debian/Ubuntu installation:
apt-get install python-pip git-core python-lxml python-tornado python-beautifulsoup python-dev
pip install msgpack-python
Additionally a database and python library will be required. We recommend and utilize PostgreSQL with the psycopg2 library. web2py comes with pg8000 which has shown to be unstable:
apt-get install postgresql python-psycopg2
You can install web2py anywhere you want and there are a number of deployment recipes available. This chapter will step you through a basic SSL-enabled installation in the /opt/Kvasir directory.
Download latest web2py code from github:
$ cd /opt
$ git clone https://github.com/web2py/web2py.git web2py
Verify postgres configuration to permit 'md5' login for localhost:
$ sudo -u postgres vi /etc/postgresql/<version>/main/pg_hba.conf
Ensure METHOD for IPv4 and IPv6 are set to "md5":
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
OPTIONAL: Modify main postgres config to listen on a different port and restart the database
$ sudo vi /etc/postgresql/<version>/main/postgresql.conf
[...]
port = 6543
[...]
$ sudo service postgresql-<version> restart
Create kvasir postgres account. Use a password you can remember.
sudo -u postgres createuser -SleEPRD kvasir
Enter password for new role:
Enter it again:
CREATE ROLE kvasir PASSWORD 'md5<hash>' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;
Create the Kvasir postgres database
sudo -u postgres createdb kvasir -O kvasir
Create a self-signed SSL Certificate to be used for web2py and postgres
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt
OPTIONAL: Verify that postgres can access the SSL certificates you expect it will use - Ubuntu defaults to the snakeoil certs
$ ls -al /etc/ssl/private/server.key
-rw-r----- 1 root ssl-cert ...
$ ls -al /etc/ssl/certs/server.crt
-rw-r--r-- 1 root root ...
$ grep 'postgres' /etc/group
ssl-cert:x:105:postgres,alice
postgres:x:126:
OPTIONAL: symlink the server.key and server.crt into postgres's run-time data directory
$ grep 'data_directory' /etc/postgresql/<version>/main/postgresql.conf
data_directory = '/var/lib/postgresql/<version>/main'
$ ln -s /etc/ssl/private/server.key /var/lib/postgresql/<version>/main/server.key
$ ln -s /etc/ssl/certs/server.crt /var/lib/postgresql/<version>/main/server.crt
Start web2py
cd /opt/web2py
python web2py.py -c server.crt -k server.key -p 8443 -i 127.0.0.1 --minthreads=40 -a <recycle>
Browse to https://localhost:8443/admin/ and enter your web2py administration password.
NOTE: If listening to an external interface (-i 0.0.0.0) then ensure iptables is configured correctly and be sure to use a strong password! The /admin/ console is enabled to external interfaces when using SSL.
This procedure will install the latest Kvasir code in /opt/Kvasir using the latest version from Github:
$ cd /opt
$ git clone https://github.com/KvasirSecurity/Kvasir.git Kvasir
Kvasir's design is lightweight allowing installation as unique applications in web2py.
Using sym-links will ensure that your web2py/Kvasir codebase is always up-to-date with your main Kvasir codebase.
$ cd /opt/web2py/applications
$ ln -s /opt/Kvasir kvasir</pre>
Cloning makes a separate git installation of the Kvasir code allowing for updates / branchs / merging.
$ cd /opt/web2py/applications
$ git clone --depth=1 file:///opt/Kvasir kvasir</pre>
Alternatively you can git clone directly from Github:
$ cd /opt/web2py/applications
$ git clone https://github.com/KvasirSecurity/Kvasir.git kvasir
Kvasir ships intentionally broken. You must configure it first! To do this copy the file 'kvasir.yaml.sample' to 'kvasir.yaml'
The database uri option configures where your database is located and follows a standard URI structure. Web2py supports multiple databases via connection strings. As of now only postgresql, sqlite and mysql have been validated to work with Kvasir. Oracle and MicrosoftSQL should work but have not been tested.
The URI is set in db -> kvasir -> uri
Web2py maintains table sanity through the migrate settings. If you are a single user or multiple users are using the same web interface this setting can remain "True". If you have multiple users with their own Kvasir/web2py instance working on the same database then only ONE user should set this to "True". All others must use "False".
Fake_migrate should be set to "False" unless something goes wrong with your database synchronization files.
The security_key setting is used to define the encryption method and salt value for passwords and other sensitive data in web2py. You should change this value!
Web2py requires the databases directory exist. It doesn't automatically create this. From the main Kvasir application directory:
$ mkdir databases
- Open your browser to https://localhost:8443/kvasir/
- If you see database errors while trying to access the site at this point, you may need to clean up Kvasir/database/* files that web2py creates
No user accounts are created by default. Accounts must be created manually @ https://localhost:8443/kvasir/appadmin/insert/db/auth_user. If viewing Kvasir from localhost a link will be shown on the login screen to add a user.
NOTE If adding users through the web2py ui the "Registration ID" field is required. It must be unique for each user and can be anything like "1" or "fubar" or "d34db33f"
Users may also be added from a console:
$ cd /opt/web2py $ ./web2py.py -R applications/Kvasir/private/user.py -S Kvasir -M -A -u username -p password
CPE data is used to accurately identify Operating Systems during scan imports. This data can be downloaded from NIST by Kvasir or supplied by you.
A Task Scheduler Agent is required to run on your system to perform some of the longer running activities such as XML processing, terminal launching, etc. This can be run as an indiviual process:
$ cd /opt/web2py
$ python web2py.py -K kvasir,kvasir,kvasir
Or you can start both the web server and the scheduler:
$ cd /opt/web2py
$ python web2py.py -c server.crt -k server.key -p 8443 -i 127.0.0.1 --minthreads=40 -a <recycle> -X -K appname,appname,appname