Nixploit

Installation

Nixos

Prepare your hosts by adding those line to your nixos configuration

Caution

A user inside the incus-admin group need to be considered like root

# enable incus
virtualisation.incus = {
enable = true;
};

# Make your user an incus admin
users.users.your-username.extraGroups = [ "incus-admin" ];

# Do not block the nixploit bridge
networking.firewall.interfaces."nixploit-net-b" = {
    allowedUDPPorts = [ 53 67 ];
    allowedTCPPorts = [ 53 ];
};

Debian

1. Make sure nix is installed. See related documentation or do this using the official debian packages:

sudo apt update
sudo apt install nix-setup-systemd
sudo usermod -a -G nix-users your-username

Then logout to be part of the nix-users group

2. Make sure incus is installed. See related documentation or do this using the official debian packages

sudo apt install incus

3. Your user needs to be in the incus-admin group

Caution

A user inside the incus-admin group need to be considered like root

sudo usermod -a -G incus-admin your-username

Then logout to be part of the incus-admin group

4. Install btrfst for the image storage

sudo apt install btrfs-progs

4. Your firewall must not block the nixploit-net-b bridge.

Using nftables:

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;

    iifname "nixploit-net-b" udp dport { 53, 67 } accept
    iifname "nixploit-net-b" tcp dport 53 accept
  }
}

Using iptables: TODO

Fedora

Usage

# Just launch the damn thing
nix run github:Macbucheron1/Nixploit -- --help

Developpement setup

# Clone the repository
git clone https://github.com/Macbucheron1/Nixploit.git

# Enter the repository
cd Nixploit

# if you use direnv 
# direnv allow
# Otherwise
nix develop

What & Why

Problem

TODO

Nix

TODO

Incus

TODO

Golang

TODO

TODO

Wrapper

• Fix multiple TODO in wrapper
  • Network
  • GUI
  • GPU
• Make it possible to update profile while container is running
• Generate ssh using ssh.go and copy it in the container. Be careful wheter the key already exist, still check if the key is in the container
• Launch xpra through the wrapper
• Make a connection test before XPRA for network troubleshooting
• Add automatic firewall rules
• print error made by sub command (like nix)
• clone using https instead of ssh
• On debian when a container already exists, nixploit start tries to create a new container instead of loging in

Image

• Add git
• Pull the image from the release

Docs

• Talk about storage option in the readme
• Talk about network options in the readme (allow firewall for the nixploit network to use dhcp port)

Other

• Make github pipeline to release the wrapper at each tag
• Test on other distribution with nix installed
  • Fedora
  • Debian

Security

• use a passphrase for the ssh key
• XPRA host key checking ? check how they do on mofos
• network put none by default
• use a different bridge for each because all nixploit container can communicate right now
• make sur ipv6 Router Advertisement is disabled on nixploit network
  • https://linuxcontainers.org/incus/docs/main/explanation/security/#bridged-nic-security
• Disallow BPF
  • https://linuxcontainers.org/incus/docs/main/explanation/bpf-tokens/
• valide profile strictly. If the profile already exist, nixploit does not check it to verify it's integrity. A modified profile can be used to make some local privilege escalation
  • storage
  • network