# apt-get update
# apt-get dist-upgrade
# apt-get install x11vnc tor privoxy proxychains
#x11vnc -storepasswd ULTRASECRETPASS /etc/lightdm/x11passwd
# apt autoremove
# update-rc.d tor enable
# vi /etc/rc.local
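# rc.local entry: export the lightdm X display (:0) over VNC.
# -listen 127.0.0.1 binds the RFB port to loopback only, so the desktop is
# reachable solely through the SSH port-forward shown below, never directly
# from the network; -rfbauth points at the password file created earlier with
# "x11vnc -storepasswd".  -scale uses a plain ASCII 'x' (the "×" on the page
# is a rendering artifact), and the log path is one token: /var/log/x11vnc.log.
/usr/bin/x11vnc -xkb -auth /var/run/lightdm/root/:0 \
  -noxrecord -noxfixes -noxdamage \
  -rfbauth /etc/lightdm/x11passwd \
  -forever -bg -rfbport 5900 -listen 127.0.0.1 \
  -scale 1280x800 -o /var/log/x11vnc.log >/dev/null 2>&1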
From your host:
# ssh -L localhost:5900:localhost:5900 root@raspberry
In this tutorial, I hope to help you configure an IKEv2 VPN between iOS 9 (iPhone) and OpenBSD.
# cat /etc/iked.conf
ikev2 "ios9" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \
  local 22.214.171.124 peer any \
  ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
  childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
  psk "YOURPSK" config address 192.168.1.0/24 \
  config name-server 192.168.1.1 config access-server 192.168.1.1
# chmod 700 /etc/iked.conf
# rcctl enable iked
# echo 'inet 192.168.1.1 255.255.255.0 192.168.1.255' > /etc/hostname.vether0
# sh /etc/netstart vether0
- 126.96.36.199 is an external ip_address
Let's configure unbound as a caching DNS resolver that forwards requests to dnscrypt-proxy.
# rcctl enable unbound
# vi /var/unbound/etc/unbound.conf
Something like this should work for most setups:
server:
	interface: 192.168.1.1
	interface: 127.0.0.1
	access-control: 192.168.1.0/24 allow
	do-not-query-localhost: no
	hide-identity: yes
	hide-version: yes
forward-zone:
	name: "."
	forward-addr: 127.0.0.1@40
# export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/5.9/packages/amd64
# pkg_add dnscrypt-proxy
# rcctl enable dnscrypt_proxy
# rcctl set dnscrypt_proxy flags -E -m 1 -R cisco -a 127.0.0.1:40
- Replace cisco with an upstream resolver of your choice. The package includes a list of servers in the /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv file.
Recently I had a small issue with DNS round robin pointing to different SSH servers (different host key fingerprints), which conflicts with the known_hosts file.
Below is a little script I wrote to test expect.
Follow the example (;
This setup was tested with OpenBSD 5.1, squid-2.7-ldap, dansguardian-188.8.131.52 and Windows 2008 Server
I will show how to authenticate Squid Proxy in Active Directory using squid_ldap_auth and squid_ldap_group.
The basic for this is:
At squid.conf put
auth_param basic program /usr/local/libexec/squid_ldap_auth -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f sAMAccountName=%s 10.20.30.1
external_acl_type proxygroup %LOGIN /usr/local/libexec/squid_ldap_group -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f (&(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,ou=Groups,ou=Organization,ou="Users and Groups",dc=yourdomain,dc=com)) 10.20.30.1
acl ad_auth proxy_auth REQUIRED
acl netaccess external proxygroup url_regex "/etc/squid/group"
http_access deny !ad_auth
http_access allow netaccess
cn="Squid Authenticator" = Display Name of the user account in Active Directory
ou=…., ou… = recursive search to top of domain
/etc/squid/passfile = Contains password of Squid Authenticator account
10.20.30.1 = Ip address of Active Directory
url_regex "/etc/squid/group" = If the group name contains spaces (example: Internet Access), put it into a file called group; if not, use:
acl netaccess external proxygroup InternetAccess
where InternetAccess is name of the group
squid_ldap_group = is used to authenticate users that belong to a specific group
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
Tips: Test the LDAP authenticators with the -d parameter; it is useful for debugging, and test them directly from the command line.
For squid_ldap_auth, the syntax is: username password
For squid_ldap_group, the syntax is: username group
To test a group with spaces from the shell, use: Internet%20Access
Hello there !
In this brief tutorial, I will show how to capture remote traffic through ssh and analyze it with wireshark.
The basics to do this are:
$ mkfifo /tmp/remoteif
$ ssh root@yourserver "tcpdump -ni pflog0 -w - host 10.20.30.40" > /tmp/remoteif
$ wireshark -k -i /tmp/remoteif
* Tips: configure your remote user to run tcpdump via sudo. Configure root login with keys instead of a password.
An especial thanks to my friend mentesan -> Muito Sapeca !
My apologies, I'm working a lot and time is scarce. Soon I will get back to posting regularly.
For now, I will post a video of a possible bug that I discovered in OpenBSD.
Follow the video:
I found another possible bug with a route issue, but that was on 5.0; I will run tests with 5.1, and if it holds, I will send it to bugs at openbsd dot org too.
Regards to my friend Mauricio Gimenez, Cleiton ( Clandestine ) and Fabiano Matias (Bhior)
Hacking Life 😀
Today, I was very very nervous ! Believe ! I’m ! So, I decided paste this simple script that I did a long time ago, but BELIEVE ! WORK and is EFFECTIVE !
Brief resume, of why I’m posting this script:
frw~ # iptables -nvL
Chain INPUT (policy ACCEPT 215K packets, 38M bytes)
Chain FORWARD (policy ACCEPT 4848K packets, 3768M bytes)
Chain OUTPUT (policy ACCEPT 78397 packets, 11M bytes)
This is what really matters at this moment! I will not show the rules of the INPUT and FORWARD chains, because the target of each rule is ACCEPT and the policy of the chain is ACCEPT too — so why have rules with ACCEPT at all!???? It makes no sense!
Alright, a simple script …
# cat firewall.sh
# Simple firewall
# Guilherme Hakme
# Set yours ifaces here
# Clear all rules in the FILTER and NAT tables (-F), delete user-defined chains (-X) and set the policy to ACCEPT
$ipt -t nat -F
$ipt -t nat -X
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
# Default Policy 😉 ( firewall begins here 😉 )
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT DROP
# Allowing local traffic at loopback interface ( 127.0.0.1) and doing statefullllllll
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A INPUT -i $iface -m state –state RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -o $iface -p tcp –dport 53 -j ACCEPT
$ipt -A OUTPUT -o $iface -p udp –dport 53 -j ACCEPT
$ipt -A OUTPUT -o $iface -p tcp –syn -m state –state NEW -j ACCEPT
$ipt -A OUTPUT -o $iface -p icmp –icmp-type echo-request -j ACCEPT
$ipt -A OUTPUT -o $iface -m state –state RELATED,ESTABLISHED -j ACCEPT
# Allowing necessary services
$ipt -A INPUT -i $iface -p tcp -m multiport –dport 22 -j ACCEPT
$ipt -A INPUT -i $iface -p udp -m multiport –dport 5000,8000:9000 -j ACCEPT
case $1 in
start) defdrop && dispserv ;;
stop) defaccept ;;
reload) defaccept && defdrop && dispserv ;;
statefull) defaccept && defdrop ;;
test) defdrop && dispserv && sleep 40 && defaccept ;;
*) echo “Uso: “$0″ start, stop, reload, statefull, test” ;;
This firewall is very, very simple, and is designed to allow only the running services — in this example, asterisk and ssh.
It permits DNS lookups and ping (echo request).
Statefull accepts only connections generated by the firewall host itself.
Adjust it to your purposes and execute it:
# chmod +x firewall.sh
# ./firewall.sh start
# iptables -nvL
See the difference for yourself.
Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively). The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.
Now that we know what SSH is, let me show you some things.
Imagine the following situation:
You are on a promiscuous network and you need to get your mail. The communication with the server is not encrypted, so someone sniffing the network traffic can get your username/password!
But you have a SSH service running on someplace ( your home, free shell, etc 😉 )
Normally, you provide user/password . Of course you can use KEYS too !
# ssh email@example.com
Note: On windows machine, you can use putty/plink. Google for it …..
We will encrypt the communication on local network!
# ssh -L 127.0.0.1:2525:mailserver.com:25 firstname.lastname@example.org
Note: A shell will open on server.com; try passing -LNnf, which runs the session in the background. Remember: # man ssh
A local tunnel (Local Forward, parameter "-L") was created on your local computer at port 2525, using server.com to forward packets to mailserver.com at port 25.
Note: You need to be root to bind to TCP port <1024. In example I used 2525.
In your computer, try configure your mail client to get emails from: 127.0.0.1 and port 2525
Hmmm, can I do this the other way around? I'm asking because I can only read my mail from my job….
Of course you can!!!! Try changing -L to -R
# ssh -R 127.0.0.1:2525:mailserver.com:25 email@example.com
A remote tunnel (Remote Forward, parameter "-R") was created on the remote computer at port 2525, using YOUR HOST to forward packets to mailserver.com at port 25.
To finalize SSH as SOCKS
Practically, a SOCKS server will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded.
# ssh -DnNf 127.0.0.1:1080 firstname.lastname@example.org
A Dynamic tunnel ( Dynamic Forward, parameter “-D” ) was created locally at port 1080. All traffic, including udp protocol, will be forwarded to server.com
Configure your favorite browser to use Proxy, put 127.0.0.1 and port 1080, select socks and type 5 , and then, open a website as http://www.whatismyip.org and see ip of your ssh server !
Tips: Combine the knowledge here acquired, with article published here. “Stay anonymous and SSH honeypot”
Bypass firewalls, etc.
If you have some tip, please comment, and we will add to here, contribute ! Share your knowledge ! 🙂
All traffic between SSH SERVER and SSH CLIENT is CRYPTO !
Happy hacking !
Five steps to recovery root password of mysql server
- Stop mysql server
# /etc/init.d/mysql stop
2. Start mysql server without password
# mysqld_safe --skip-grant-tables &
3. Connect to mysql server using mysql client
# mysql -u root
the output will be something like this:
Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1 to server version: 5 Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql>
4. Configure new password for root user
mysql> use mysql;
mysql> update user set password=PASSWORD("YOUR_PASSWORD_HERE") where User='root';
mysql> flush privileges;
5. Stop mysql services.
# ps ax | grep mysql
* tip: first stop -> mysqld_safe
# kill -9 4456
# kill -9 4567
# /etc/init.d/mysql start
Last week, I bought an Atrix 4G and I wanted to run BT5 ARM on it.
Now I'm here, writing a little tutorial on how to do it. Basically it is easy, but it needs some tricks.
Let’s go …
First, if you are a beginner in the droid world, read a little. (On my first day with my droid, on powering up the phone I got: -> BOOT FAILED) LoL.
A good place is XDA DEVELOPERS
In this link -> http://forum.xda-developers.com/show….php?t=1154600
Step 1 -> Download BT5 ARM from www.backtrack-linux.org/downloads
Step 2 -> You need ROOT your DROID, -> http://forum.xda-developers.com/show….php?t=1255548
Step 3 -> Unpack your BT ARM IMAGE and enter into directory.
# cd BT5-GNOME-ARM
# ls
README bootbt bt5.img.gz busybox fsrw installbusybox.sh mountonly unionfs
-> Unpack bt5.img.gz
# gunzip bt5.img.gz
By default the internal memory is a VFAT filesystem (and the SD card too, if you used the droid to format it), so we need to resize the image (bt5.img) to put it on VFAT, because the image cannot be bigger than 4GB (the VFAT filesystem does not permit this).
-> Create another “disk” less than 4GB
# dd if=/dev/zero of=bt5-new.img bs=1M count=3600
-> Create 2 directories
# mkdir OLD && mkdir NEW
-> Mount the original image
# mount -o loop bt5.img OLD
# df -i
Filesystem Inodes IUsed IFree IUse% Mounted on
..... ..... .....
/dev/loop0 320000 266729 53271 84% /home/chaos/BT5-GNOME-ARM/OLD
-> Now format the new “disk”
# mke2fs -N 320000 bt5-new.img
-> Note that I used the same number of INODES as THE ORIGINAL IMAGE *
-> Mount the "disk" and copy the content of the ORIGINAL IMAGE TO the NEW IMAGE, unmount both images, delete the original image, rename the new image, gzip it and delete the bootbt script
# mount -o loop bt5-new.img NEW
# cp -R -f OLD/* NEW/
# umount OLD
# umount NEW
# rm bt5.img
# mv bt5-new.img bt5.img
# gzip bt5.img
# rm bootbt
-> Create a new bootbt file with this content:
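# bootbt: loop-mount the BT5 ext2 image from /sdcard and drop into its chroot.
# Run as "sh bootbt" from an adb shell after "su": losetup, mount, chroot and
# sysctl all need root, so check the uid first.  "busybox id -u" replaces the
# original "id | cut -b 5", which only worked while the uid happened to be a
# single digit, and the failure now exits non-zero.
if [ "$(busybox id -u)" != "0" ]; then
  echo "This Script Needs Root! Type : su"
  exit 1
fi

# NOTE(review): enabling forwarding makes the phone route packets between its
# interfaces for as long as this is set; the chroot itself does not need it.
busybox sysctl -w net.ipv4.ip_forward=1

export kit=/sdcard/BT5
export bin=/system/bin
export mnt=/data/local/mnt
export PATH=$bin:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/local/sbin:/usr/games:$PATH
export TERM=linux
export HOME=/root

# Attach the image to loop2 and mount it.  Stop here on failure rather than
# chroot-ing into an empty $mnt and then "unmounting" things that never mounted.
losetup /dev/block/loop2 "$kit/bt5.img" || exit 1
mount -o noatime -t ext2 /dev/block/loop2 "$mnt" || { losetup -d /dev/block/loop2; exit 1; }
mount -t devpts devpts "$mnt/dev/pts"
mount -t proc proc "$mnt/proc"
mount -t sysfs sysfs "$mnt/sys"

# Resolver and hostname seen inside the chroot; point nameserver at a resolver you trust.
echo "nameserver 184.108.40.206" > "$mnt/etc/resolv.conf"
echo "127.0.0.1 localhost bt5" > "$mnt/etc/hosts"

busybox chroot "$mnt" /bin/bash

# Back from the chroot shell: tear down in reverse order, then detach the loop device.
echo "Stopping Backtrack on Atrix"
umount "$mnt/dev/pts"
umount "$mnt/proc"
umount "$mnt/sys"
umount "$mnt/root/.gvfs"
sleep 2
umount "$mnt"
losetup -d /dev/block/loop2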
# chmod +x bootbt
-> From README FILE <-
-> Go to your platform-tools directory and proceed to make a directory on the device to store BT5:
# ./adb shell
# mkdir /sdcard/BT5
# exit
-> If you ROOTED your droid with ONE CLICK, You ALREADY HAVE BUSYBOX
-> Transfer the required BT5 files to the device:
# ./adb push fsrw /sdcard/BT5/
# ./adb push mountonly /sdcard/BT5/
# ./adb push bootbt /sdcard/BT5/
# ./adb push bt5.img.gz /sdcard/BT5/
# ./adb push unionfs /sdcard/BT5/
-> Uncompress the image and start BT5:
# ./adb shell
# su
# cd /sdcard/BT5
# gunzip bt5.img.gz
# sh bootbt
-> If all goes well, you’ll be in the BT5 chroot:
root@localhost:/# ls /pentest/
backdoors database exploits passwords scanners stressing voip
cisco enumeration forensics python sniffers tunneling web
-> change your root password
-> change startvnc script
root@localhost:/# vi /usr/bin/startvnc
-> THE CONTENT must be
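#!/bin/bash
# startvnc: start a VNC server on display :1 (TCP 5901, see the note about
# the Android VNC client below) inside the BT5 chroot.
#
# Clear only the leftovers of display :1 before starting.  The original
# "rm -rf /tmp/.X1*" glob also matched the /tmp/.X11-unix socket directory and
# so wiped the sockets of every other X display, not just :1.
rm -f /tmp/.X1-lock /tmp/.X11-unix/X1
# vncserver derives its config/password directory from $USER, which the
# Android environment does not set.
export USER=root
vncserver -geometry 960x540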
-> change stopvnc script
root@localhost:/# vi /usr/bin/stopvnc
-> the content MUST be
#!/bin/bash
# stopvnc: shut down the VNC server that startvnc launched on display :1.
# $USER must match what startvnc used so vncserver finds the same session.
USER=root
export USER
exec vncserver -kill :1
-> CHANGE VNC PASSWORD
-> Start your GUI and connect it
-> USE ANDROID VNC FROM MARKET and connect to localhost and port 5901
ENJOY YOUR BACKTRACK-LINUX in your ATRIX