Kali Linux – Raspberry PI 3 post install

# apt-get update
# apt-get dist-upgrade
# apt-get install x11vnc tor privoxy proxychains
# x11vnc -storepasswd ULTRASECRETPASS /etc/lightdm/x11passwd
# apt autoremove
# update-rc.d  tor enable
# vi /etc/rc.local

/usr/bin/x11vnc -xkb -auth /var/run/lightdm/root/:0 -noxrecord -noxfixes -noxdamage -rfbauth /etc/lightdm/x11passwd -forever -bg -rfbport 5900 -listen -scale 1280x800 -o /var/log/x11vnc.log > /dev/null 2>&1
# reboot

From your host:
# ssh -L localhost:5900:localhost:5900 root@raspberry


Building Ikev2 road warrior VPN for IOS9 with OpenBSD and DNSCRYPT

Howdy,

In this tutorial I hope to help you configure an IKEv2 VPN between iOS 9 ( iPhone ) and OpenBSD.


# cat /etc/iked.conf

ikev2 "ios9" passive esp from to \
 local peer any \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 psk "YOURPSK" config address \
 config name-server config access-server
# chmod 700 /etc/iked.conf
# rcctl enable iked
# echo 'inet' > /etc/hostname.vether0
# sh /etc/netstart vether0
  • is an external ip_address

Let's configure unbound as a caching DNS resolver that forwards requests to dnscrypt-proxy.

# rcctl enable unbound
# vi /var/unbound/etc/unbound.conf

Something like this should work for most setups:

	access-control: allow
	do-not-query-localhost: no
	hide-identity: yes
	hide-version: yes

        name: "."
# export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/5.9/packages/amd64
# pkg_add dnscrypt-proxy
# rcctl enable dnscrypt_proxy
# rcctl set dnscrypt_proxy flags -E -m 1 -R cisco -a
  • Replace cisco with an upstream resolver of your choice. The package includes a list of servers in the /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv file.

Solving round robin DNS name with SSH Server hosts


Recently I had a little issue with a DNS round-robin name pointing to different SSH servers ( different host key fingerprints ), which conflicts with the known_hosts file.

Below is a little script I wrote to try out expect.

Here is the example (;


#!/usr/bin/expect --

puts "Which server do you want to connect to?"
expect_user -re "(.*)\n"
send_user "\n"
set server $expect_out(1,string)

# Resolve the name with host(1); the first IPv4 address in the answer is used
spawn -noecho host $server
expect -re {([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})}
set m1 $expect_out(1,string)
set m2 $expect_out(2,string)
set m3 $expect_out(3,string)
set m4 $expect_out(4,string)

puts "Which is your username?"
expect_user -re "(.*)\n"
send_user "\n"
set username $expect_out(1,string)

stty -echo
# Connect to the address, not the round-robin name, so known_hosts keeps one entry per backend
spawn -noecho ssh $username@$m1.$m2.$m3.$m4
# Answer the new-host-key prompt with "yes" (as in the original), then wait for the password prompt
expect {
    "continue connecting" { send "yes\r"; exp_continue }
    "assword:" {}
    timeout {}
}
# Hand the session over to the user; without this the script exits and the ssh child is killed
interact


Simple bash:
 echo "Type Hostname" ; ssh $(read g; host "$g" | awk -F'address ' '/address/ {print $2; exit}')
Feel free to improve!
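The same idea in plain shell, as an added example (not code from the original post): parse all the A records that host(1) returns for the round-robin name, let the caller choose which backend to use, and hand ssh the address rather than the name so each backend's host key lands in known_hosts under its own address instead of fighting over one name. The hostname shell.example.com and the sample host(1) output are constructed; only pick_address and count_addresses need the network-free text, ssh_rr needs host(1) and ssh.

```shell
#!/bin/sh
# Added example: connect to one backend of a DNS round-robin name by address.

# Constructed sample of `host` output for a name with three A records.
SAMPLE_HOST_OUTPUT='shell.example.com has address 192.0.2.10
shell.example.com has address 192.0.2.11
shell.example.com has address 192.0.2.12'

# Print the n-th IPv4 address found in host(1) output given as text.
# IPv6 lines read "has IPv6 address" and are deliberately not matched.
# Usage: pick_address "<host output>" <n>
pick_address() {
    printf '%s\n' "$1" | awk -v n="$2" '
        / has address /           { c++ }
        / has address / && c == n { print $NF; exit }'
}

# Number of A records in host(1) output, so an index can be validated.
count_addresses() {
    printf '%s\n' "$1" | grep -c ' has address '
}

# ssh to backend number $2 (default 1) of round-robin name $1.
# Usage: ssh_rr shell.example.com 2
ssh_rr() {
    name=$1
    n=${2:-1}
    out=$(host "$name") || { echo "cannot resolve $name" >&2; return 1; }
    total=$(count_addresses "$out")
    if [ "$n" -lt 1 ] || [ "$n" -gt "$total" ]; then
        echo "$name has $total address(es); index $n is out of range" >&2
        return 1
    fi
    addr=$(pick_address "$out" "$n")
    echo "connecting to $name backend $n/$total at $addr" >&2
    # Connecting by address means the known_hosts entry is keyed by that
    # address, so each backend's key is checked on its own on later logins.
    ssh "$addr"
}
```

Because the lookup is done once per connection, a later login to the same backend still gets the normal host-key check against the entry stored for that address; only a genuinely changed key on that backend produces the mismatch warning.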

OpenBSD+Squid+Dansguardian+ldap+Active Directory

This setup was tested with OpenBSD 5.1, squid-2.7-ldap, dansguardian- and Windows 2008 Server

I will show how to authenticate Squid Proxy in Active Directory using squid_ldap_auth and squid_ldap_group.

The basics are:

In squid.conf put:

auth_param basic program /usr/local/libexec/squid_ldap_auth -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f sAMAccountName=%s

external_acl_type proxygroup %LOGIN /usr/local/libexec/squid_ldap_group -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f (&(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,ou=Groups,ou=Organization,ou="Users and Groups",dc=yourdomain,dc=com))

acl ad_auth proxy_auth REQUIRED
acl netaccess external proxygroup url_regex "/etc/squid/group"


http_access deny !ad_auth
http_access allow netaccess

Quick explanation:

cn="Squid Authenticator" = display name of the user account in Active Directory

ou=...., ou... = the search walks recursively up to the top of the domain

/etc/squid/passfile = contains the password of the Squid Authenticator account

= IP address of Active Directory

url_regex "/etc/squid/group" = if the group name contains spaces, for example: Internet Access, put it into a file called group; if not, use:

acl netaccess external proxygroup InternetAccess
where InternetAccess is the name of the group

squid_ldap_group = used to authenticate users that belong to a specific group



In dansguardian.conf:

authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'

Tips: test the LDAP authenticators with the -d parameter; it is useful for debugging, and test them directly from the command line.
For squid_ldap_auth the input syntax is: username password
For squid_ldap_group the input syntax is: username group
To test a group with spaces from the shell, use: Internet%20Access

That's it


Remote Packet sniff using SSH and Wireshark to analysis

Hello there !

In this brief tutorial I will show how to capture remote traffic through ssh and analyze it with wireshark.

The basics are:

$ mkfifo /tmp/remoteif
$ ssh root@yourserver "tcpdump -ni pflog0 -w - host" > /tmp/remoteif
$ wireshark -k -i /tmp/remoteif

* Tips: configure your remote user to run tcpdump through sudo. Configure passwordless root login using keys
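The fifo + ssh + tcpdump pattern above wrapped in two small shell functions, as an added example (not code from the original post). It assumes the two tips: key-based login to the remote host and a remote user allowed to run tcpdump through sudo without a password prompt. The fifo is created with mode 0600 inside a fresh temporary directory, so other local users cannot read the raw capture as it streams through, and it is removed again when the session ends.

```shell
#!/bin/sh
# Added example: private fifo for a remote tcpdump -> local wireshark pipeline.

# Create a fifo that only the current user can open. Prints its path.
make_capture_fifo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/remotecap.XXXXXX") || return 1
    fifo="$dir/remoteif"
    mkfifo -m 600 "$fifo" || return 1
    printf '%s\n' "$fifo"
}

# Stream a capture from $1 (user@host) on interface $2, with the remaining
# arguments used as the tcpdump filter, into a local wireshark.
#   -U      flush every packet so the live view in wireshark updates at once
#   -s 0    keep whole packets instead of truncating them
#   BatchMode=yes makes ssh fail instead of hanging on a password prompt,
#   which matters because its stdin is not a terminal here.
# Usage: remote_capture root@yourserver pflog0 host 192.0.2.1
remote_capture() {
    target=$1
    iface=$2
    shift 2
    fifo=$(make_capture_fifo) || return 1
    # Remove the fifo and its directory however the function exits.
    trap 'rm -rf "$(dirname "$fifo")"' EXIT INT TERM
    ssh -o BatchMode=yes "$target" "sudo tcpdump -U -s 0 -n -i $iface -w - $*" > "$fifo" &
    sshpid=$!
    wireshark -k -i "$fifo"
    # Wireshark was closed: stop the remote capture too.
    kill "$sshpid" 2>/dev/null
}
```

Using sudo on the remote side with a rule limited to tcpdump (rather than logging in as root) keeps the capture account from doing anything else if its key is ever exposed.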

An especial thanks to my friend mentesan -> Muito Sapeca !



Possible Bug at OpenBSD

Hello there,

My apologies, I'm working a lot and time is scarce. Soon I will get back to posting regularly.

For now, I will post a video with a possible bug that I discovered in OpenBSD

Here is the video:



I found another possible bug, a route issue, but that was on 5.0. I will test with 5.1 and, if it holds up, send it to bug at openbsd dot org too


Regards to my friend Mauricio Gimenez, Cleiton ( Clandestine ) and Fabiano Matias (Bhior)

Hacking Life 😀



simple statefull firewall with iptables

Today I was very, very nervous! Believe me! So I decided to paste this simple script that I wrote a long time ago, but BELIEVE me, it WORKS and is EFFECTIVE!

A brief summary of why I'm posting this script:
frw~ # iptables -nvL

Chain INPUT (policy ACCEPT 215K packets, 38M bytes)
Chain FORWARD (policy ACCEPT 4848K packets, 3768M bytes)
Chain OUTPUT (policy ACCEPT 78397 packets, 11M bytes)

This is what really matters at this moment! I will not show the rules of the INPUT and FORWARD chains, because the target of the rules is ACCEPT and the POLICY of the chain IS ACCEPT too, so WHY RULES WITH ACCEPT!???? It makes no sense!

Alright, a simple script ...

# cat firewall.sh

#!/bin/sh
# Simple firewall
# Guilherme Hakme
# http://stuffresearch.tor.hu

ipt=$(which iptables)
# Set your interface here
iface="eth0"

# Clear all rules in the FILTER and NAT tables ( -F ), delete user-defined chains ( -X ) and set the POLICY to ACCEPT
defaccept() {
    $ipt -F
    $ipt -X
    $ipt -t nat -F
    $ipt -t nat -X
    $ipt -P INPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT
}

# Default Policy DROP 😉 ( the firewall begins here 😉 )
defdrop() {
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # Allow local traffic on the loopback interface ( and make it statefullllllll )
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    $ipt -A INPUT -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A OUTPUT -o $iface -p tcp --dport 53 -j ACCEPT
    $ipt -A OUTPUT -o $iface -p udp --dport 53 -j ACCEPT
    $ipt -A OUTPUT -o $iface -p tcp --syn -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -o $iface -p icmp --icmp-type echo-request -j ACCEPT
    $ipt -A OUTPUT -o $iface -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Allow the necessary services ( here ssh and asterisk )
dispserv() {
    $ipt -A INPUT -i $iface -p tcp -m multiport --dport 22 -j ACCEPT
    $ipt -A INPUT -i $iface -p udp -m multiport --dport 5000,8000:9000 -j ACCEPT
}

case $1 in
    start) defdrop && dispserv ;;
    stop) defaccept ;;
    reload) defaccept && defdrop && dispserv ;;
    statefull) defaccept && defdrop ;;
    test) defdrop && dispserv && sleep 40 && defaccept ;;
    *) echo "Usage: $0 start, stop, reload, statefull, test" ;;
esac

This firewall is very, very simple, and is designed to allow only the services that are running, in this example asterisk and ssh.
It permits DNS lookups and ping ( echo request ).
"statefull" mode accepts only connections generated by the firewall itself.

Adjust it to your purposes and execute it

# chmod +x firewall.sh
# ./firewall.sh start

# iptables -nvL

See the difference for yourself.






Things to do with SSH

From Wikipedia:

Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.

Now that we know what SSH is, let me show you a few things.

Imagine the following situation:

You are on a promiscuous network and you need to get your mail. The communication with the server is not encrypted, so someone sniffing the network traffic can get your username/password!

But you have an SSH service running somewhere ( your home, a free shell, etc 😉 )

Normally you provide a user/password. Of course you can use KEYS too!

# ssh user@server.com

Note: On a Windows machine you can use PuTTY/plink. Google for it .....

We will encrypt the communication on the local network!

# ssh -L 2525:mailserver.com:25 user@server.com

Note: A shell will open on server.com; try passing -Nnf together with -L, and the session will run in the background. Remember: # man ssh


A local tunnel ( Local Forward, parameter "-L" ) was created on your local computer at port 2525; server.com forwards the packets to mailserver.com at port 25

Note: You need to be root to bind to TCP ports <1024. In the example I used 2525.

On your computer, configure your mail client to fetch mail from your own machine on port 2525

Hmmm, can I do this the other way round? I'm asking because I can only read my mail from my job ....

Of course you can!!!! Try changing -L to -R

# ssh -R 2525:mailserver.com:25 user@server.com


A remote tunnel ( Remote Forward, parameter "-R" ) was created on the remote computer at port 2525; YOUR HOST forwards the packets to mailserver.com at port 25

To finish, SSH as a SOCKS proxy

From Wikipedia:

Practically, a SOCKS server will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded.

For this:

# ssh -nNf -D 1080 user@server.com


A dynamic tunnel ( Dynamic Forward, parameter "-D" ) was created locally at port 1080. All traffic, including the UDP protocol, will be forwarded to server.com

Configure your favorite browser to use a proxy: put your own computer's address and port 1080, select SOCKS type 5, and then open a website such as http://www.whatismyip.org and see the IP of your SSH server!
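The three forwards above, written as ssh_config Host entries so they can be started by alias. This is an added example, not from the original post; server.com, mailserver.com and the user name are the post's placeholders and the Host aliases are made up. Each listener is bound to 127.0.0.1 explicitly, so nobody else on the untrusted network can reach the tunnel, and ExitOnForwardFailure makes ssh fail loudly instead of leaving you with a shell and no tunnel.

```text
# ~/.ssh/config (added example, not from the original post)

# Local forward: mail client talks to 127.0.0.1:2525, server.com delivers to mailserver.com:25
Host mailtunnel
    HostName server.com
    User user
    LocalForward 127.0.0.1:2525 mailserver.com:25
    ExitOnForwardFailure yes

# Remote forward: server.com's own 127.0.0.1:2525 is delivered through this client to mailserver.com:25
Host mailreverse
    HostName server.com
    User user
    RemoteForward 127.0.0.1:2525 mailserver.com:25
    ExitOnForwardFailure yes

# Dynamic forward: SOCKS proxy on 127.0.0.1:1080, all connections exit from server.com
Host socks
    HostName server.com
    User user
    DynamicForward 127.0.0.1:1080
    ExitOnForwardFailure yes
```

Start any of them with ssh -N -f mailtunnel (the same effect as -Nnf on the command line) and point the mail client or browser at 127.0.0.1. One caveat worth knowing: OpenSSH's -D proxy speaks SOCKS for TCP connections only, so UDP traffic is not carried through it.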

Tips: Combine the knowledge acquired here with the article published here: "Stay anonymous and SSH honeypot"

Bypass firewalls, etc.

If you have a tip, please comment and we will add it here. Contribute! Share your knowledge!  🙂

All traffic between the SSH SERVER and the SSH CLIENT is ENCRYPTED!

Happy hacking !



Howto recovery mysql root password

Five steps to recover the root password of a MySQL server

1. Stop mysql server

# /etc/init.d/mysql stop

2. Start mysql server without password

# mysqld_safe --skip-grant-tables &

3. Connect to mysql server using mysql client

# mysql -u root

the output will be something like this:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


4. Configure new password for root user

mysql> use mysql;
mysql> update user set password=PASSWORD("YOUR_PASSWORD_HERE") where User='root';
mysql> flush privileges;
mysql> quit;

5. Stop mysql services.

# ps ax | grep mysql

* tip: kill mysqld_safe first, otherwise it restarts mysqld when you kill that

Example :

# kill -9 4456
# kill -9 4567

and then

# /etc/init.d/mysql start




Hello there,
Last week I bought an Atrix 4G and wanted to run BT5 ARM on it.
Now I'm here, writing a little tutorial on how to do it. Basically it is easy, but it needs some tricks.
Let's go ...

First, if you are a beginner in the droid world, read a little. ( On my first day with my droid, on powering up the phone I got: -> BOOT FAILED ) LoL .
A good place is XDA DEVELOPERS 

In this link -> http://forum.xda-developers.com/show….php?t=1154600

Step 1 -> Download BT5 ARM from www.backtrack-linux.org/downloads
Step 2 -> You need ROOT your DROID, -> http://forum.xda-developers.com/show….php?t=1255548
Step 3 -> Unpack your BT ARM IMAGE and enter into directory.


# ls 
README  bootbt   bt5.img.gz  busybox  fsrw  installbusybox.sh  mountonly  unionfs

-> Unpack bt5.img.gz

# gunzip bt5.img.gz

By default the internal memory is a VFAT filesystem, and so is the SD card if you let the droid format it, so we need to resize the image ( bt5.img ) to fit on VFAT, because a file cannot be bigger than 4GB ( the vfat filesystem does not permit this )

-> Create another “disk” less than 4GB

# dd if=/dev/zero of=bt5-new.img bs=1M count=3600

-> Create 2 directories

# mkdir OLD && mkdir NEW

-> Mount the original image

# mount -o loop bt5.img OLD
# df -i 
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/loop0            320000  266729   53271   84% /home/chaos/BT5-GNOME-ARM/OLD

-> Now format the new “disk”

# mke2fs -N 320000 bt5-new.img

-> Note that I used the same number of INODES as THE ORIGINAL IMAGE *

-> Mount the new "disk" and copy the content of the ORIGINAL IMAGE TO THE NEW IMAGE, unmount both images, delete the original image, rename the new image, gzip it and delete the bootbt script

# mount -o loop bt5-new.img NEW
# cp -R -f OLD/* NEW/
# umount OLD
# umount NEW
# rm bt5.img
# mv bt5-new.img bt5.img
# gzip bt5.img
# rm bootbt
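The dd / mke2fs -N / cp sequence above as one script, added here as an example (not code from the original post or from the BackTrack project). The inode count is read from df -i instead of being typed in by hand, the requested size is checked against the VFAT limit before anything is written, and the copy uses cp -a OLD/. so dotfiles and permissions survive. The OLD and NEW directory names are the post's; the sample df -i output is constructed; rebuild_image needs root for the loop mounts, the two parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example: rebuild an ext2 image below the VFAT file-size limit,
# keeping the original image's inode count.

# VFAT cannot hold a single file of 4 GiB or more, so stay at or below 4095 MiB.
VFAT_MAX_MB=4095

# Constructed sample of `df -i` output, in the shape the post shows.
SAMPLE_DF_I='Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/loop0            320000  266729   53271   84% /mnt/OLD'

# Print the Inodes column for the given mount point out of `df -i` output.
# Usage: inodes_from_df "<df -i output>" /absolute/mount/point
inodes_from_df() {
    printf '%s\n' "$1" | awk -v mnt="$2" '$NF == mnt { print $2; exit }'
}

# Succeed only if a size in MiB fits as one file on a VFAT volume.
fits_on_vfat() {
    [ "$1" -le "$VFAT_MAX_MB" ]
}

# Rebuild image $1 into $2 with a size of $3 MiB.
# Usage: rebuild_image bt5.img bt5-new.img 3600
rebuild_image() {
    old=$1
    new=$2
    size_mb=$3
    fits_on_vfat "$size_mb" || { echo "$size_mb MiB will not fit on VFAT" >&2; return 1; }
    mkdir -p OLD NEW
    mount -o loop "$old" OLD || return 1
    # Same inode count as the original, so the copy cannot run out of inodes.
    inodes=$(inodes_from_df "$(df -i OLD)" "$(cd OLD && pwd)")
    [ -n "$inodes" ] || { echo "could not read inode count" >&2; umount OLD; return 1; }
    dd if=/dev/zero of="$new" bs=1M count="$size_mb" || { umount OLD; return 1; }
    mke2fs -q -N "$inodes" "$new" || { umount OLD; return 1; }
    mount -o loop "$new" NEW || { umount OLD; return 1; }
    # OLD/. (not OLD/*) also copies dotfiles; -a keeps modes, owners and links.
    cp -a OLD/. NEW/
    umount NEW
    umount OLD
    echo "$new: $size_mb MiB, $inodes inodes"
}
```

The 3600 MiB the post uses passes the size check; asking for 4096 MiB is refused before dd runs, which is the failure you would otherwise only discover when the copy to the SD card stops short.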

-> Create a new bootbt file with this content:

perm=$(id|cut -b 5)

if [ "$perm" != "0" ];then echo "This Script Needs Root! Type : su";exit;fi

busybox sysctl -w net.ipv4.ip_forward=1
export kit=/sdcard/BT5
export bin=/system/bin
export mnt=/data/local/mnt
export PATH=$bin:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/local/sbin:/usr/games:$PATH
export TERM=linux
export HOME=/root
losetup /dev/block/loop2 $kit/bt5.img
mount -o noatime -t ext2 /dev/block/loop2 $mnt
mount -t devpts devpts $mnt/dev/pts
mount -t proc proc $mnt/proc
mount -t sysfs sysfs $mnt/sys
echo "nameserver" > $mnt/etc/resolv.conf
echo " localhost bt5" > $mnt/etc/hosts
busybox chroot $mnt /bin/bash

echo "Stopping Backtrack on Atrix"
umount $mnt/dev/pts
umount $mnt/proc 
umount $mnt/sys
umount $mnt/root/.gvfs
sleep 2
umount $mnt
losetup -d /dev/block/loop2
# chmod +x bootbt

-> From README FILE <-

-> Go to your platform-tools directory and proceed to make a directory on the device to store BT5:

# ./adb shell
# mkdir /sdcard/BT5
# exit

-> If you ROOTED your droid with ONE CLICK, You ALREADY HAVE BUSYBOX

-> Transfer the required BT5 files to the device:

# ./adb push fsrw /sdcard/BT5/
# ./adb push mountonly /sdcard/BT5/
# ./adb push bootbt /sdcard/BT5/
# ./adb push bt5.img.gz /sdcard/BT5/
# ./adb push unionfs /sdcard/BT5/

-> Uncompress the image and start BT5:

# ./adb shell
# su
# cd /sdcard/BT5
# gunzip bt5.img.gz
# sh bootbt

-> If all goes well, you’ll be in the BT5 chroot:

root@localhost:/# ls /pentest/
backdoors database exploits passwords scanners stressing voip
cisco enumeration forensics python sniffers tunneling web

root@localhost:/# passwd

-> change your root password

-> change startvnc script

root@localhost:/# vi /usr/bin/startvnc

-> THE CONTENT must be

rm -rf /tmp/.X1*
export USER=root 
vncserver -geometry 960x540

-> change stopvnc script

root@localhost:/# vi /usr/bin/stopvnc

-> the content MUST be

export USER=root
vncserver -kill :1


root@localhost:/# vncpasswd

-> Start your GUI and connect it

root@localhost:/# startvnc

-> USE ANDROID VNC FROM MARKET and connect to localhost and port 5901

