Sunday, 19 November 2017

Windows 10 setup steps

Remove OneDrive:

C:\Windows\SysWOW64\OneDriveSetup.exe -uninstall
Set HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree and HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree to 0.
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
"System.IsPinnedToNameSpaceTree"=dword:00000000

[HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
"System.IsPinnedToNameSpaceTree"=dword:00000000

Run Protec'tor.

Thursday, 16 November 2017

Ad filtering setup for DD-WRT

In order to set up ad filtering by host blocking on DD-WRT, you can create a cron(1) script to download a hosts file and point dnsmasq(1) to it.

The first step is accomplished by a crontab entry in Administration, Cron like the following (line broken for readability). Note that this file is in cron.d format, i.e. the sixth field is the user name and the command is the seventh field.

0 0 * * * root mkdir -p /tmp/adhosts;
    i=0;
    for url in "http://hosts-file.net/download/hosts.txt";
    do
        /usr/bin/curl -s "$url" > /tmp/adhosts/$i;
        i=$((1 + i));
    done;
    kill -hup $(cat /var/run/dnsmasq.pid)

You can add any number of files to download, but since cron(1) does not support line continuation you will have to write the entire script in one line (or store it somewhere in the filesystem).

In order for dnsmasq to pick up the list, the following setting is needed in Services, DNSMasq:

addn-hosts=/tmp/adhosts
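As an added example (not part of the original post), here is the same job written as a script to keep on the filesystem and call from cron, which allows line breaks and more than one list. It also filters each downloaded list down to entries that map a name to a blackhole address, since a file fetched over plain HTTP is otherwise trusted to point any name anywhere. URLs, paths and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: download ad-host lists, keep only
# blackhole entries, and then tell dnsmasq to re-read them. Paths and the URL
# list are assumptions matching the crontab entry above.
ADHOSTS_DIR=/tmp/adhosts
DNSMASQ_PID=/var/run/dnsmasq.pid
URLS="http://hosts-file.net/download/hosts.txt"

# Keep only well-formed lines that map a hostname to 0.0.0.0 or 127.0.0.1 and
# drop everything else (comments, CRs, extra aliases, any other address), so a
# list fetched over plain HTTP cannot redirect names to an address of its choosing.
sanitize_hosts() {
    tr -d '\r' | awk '
        /^[[:space:]]*#/ { next }
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") &&
        $2 ~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/ {
            print $1, $2
        }'
}

# Number of entries stdin yields after filtering; useful before trusting a list.
count_entries() { sanitize_hosts | wc -l | tr -d ' '; }

# Download every list, filter it, and only replace the previous file when the
# result is non-empty (a failed download keeps the old list); then HUP dnsmasq.
update_adhosts() {
    mkdir -p "$ADHOSTS_DIR"
    i=0
    for url in $URLS; do
        tmp="$ADHOSTS_DIR.$i.tmp"   # outside the directory dnsmasq reads
        if /usr/bin/curl -sf "$url" | sanitize_hosts > "$tmp" && [ -s "$tmp" ]; then
            mv "$tmp" "$ADHOSTS_DIR/$i"
        else
            rm -f "$tmp"
        fi
        i=$((i + 1))
    done
    [ -f "$DNSMASQ_PID" ] && kill -HUP "$(cat "$DNSMASQ_PID")"
}
```

Call update_adhosts from the crontab entry in place of the inline loop; the addn-hosts setting stays the same.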

Monday, 30 October 2017

PHP and MariaDB on OpenBSD

First, create a /etc/httpd.conf configuration file.

server "default" {
        directory index "index.php"
        listen on * port 80
        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
}

Next, enable and start httpd.

# rcctl enable httpd
# rcctl start httpd

Then install PHP.

# pkg_add php

In order for httpd to be able to run PHP scripts, the PHP FastCGI server must be enabled and started.

# rcctl enable php70_fpm
# rcctl start php70_fpm

As a test, accessing your server from a browser should work after creating a file /var/www/htdocs/index.php with the following contents:

<?php
phpinfo();

Don't forget to delete this again after testing.

# rm /var/www/htdocs/index.php

Next, install and configure MariaDB.

# pkg_add mariadb-server php-pdo_mysql

MariaDB requires some initial configuration.

# rcctl enable mysqld
# rcctl start mysqld
# mysql_install_db --user=_mysql
# mysql_secure_installation

This must be done before changing the MariaDB socket (below).

Edit the file /etc/my.cnf and change the socket variable to /var/www/run/mysql/mysql.sock in both the [client] and [server] sections in order to make it accessible to processes running with chroot inside /var/www. While you're here, you might want to enable skip-networking if you don't intend to access your database remotely.

# rcctl restart mysqld

Activate the PDO database driver.

# ln -s ../php-7.0.sample/pdo_mysql.ini /etc/php-7.0/

Configure the PDO database driver to connect to the database at the correct socket. Note that the /var/www prefix is omitted because php70_fpm runs inside that chroot!

# echo "pdo_mysql.default_socket=/run/mysql/mysql.sock" >> /etc/php-7.0/pdo_mysql.ini
# rcctl restart php70_fpm

Changes to the PHP configuration may require restarting the FastCGI server.

As pointed out in the PHP manual, if your web app needs to do DNS lookups it's going to need a copy of your /etc/resolv.conf and /etc/services.

# mkdir /var/www/etc
# cp /etc/resolv.conf /etc/services /var/www/etc

And likewise, in order to enable SSL connections:

# cp -R /etc/ssl /var/www/etc/

Then install any additional PHP modules your apps require.

# pkg_add php-curl php-zip
# rcctl restart php70_fpm
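The chroot steps above are easy to get half right (a socket path with the /var/www prefix, a forgotten resolv.conf), so here is an added check script, not from the original post or from OpenBSD, that verifies them. The chroot root and the ini path are parameters so it can be run against a test directory; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: verify that what PHP needs inside
# httpd's chroot is in place. Defaults are the paths used in the post above.

# check_php_chroot [chroot_root] [pdo_mysql.ini]
# Prints one line per problem and returns the number of problems found.
check_php_chroot() {
    root=${1:-/var/www}
    ini=${2:-/etc/php-7.0/pdo_mysql.ini}
    problems=0
    # Files the PHP manual says a chrooted php-fpm needs for DNS lookups and TLS.
    for f in etc/resolv.conf etc/services etc/ssl/cert.pem; do
        if [ ! -f "$root/$f" ]; then
            echo "missing $root/$f"
            problems=$((problems + 1))
        fi
    done
    # The MariaDB socket must live below the chroot; -e rather than -S so the
    # check also works against a plain file in a test directory.
    if [ ! -e "$root/run/mysql/mysql.sock" ]; then
        echo "missing $root/run/mysql/mysql.sock (check socket= in /etc/my.cnf)"
        problems=$((problems + 1))
    fi
    # PDO must use the path as seen from inside the chroot, i.e. without $root.
    sock=$(sed -n 's/^pdo_mysql.default_socket=//p' "$ini" 2>/dev/null | tail -n 1)
    case "$sock" in
        /run/mysql/mysql.sock) ;;
        "$root"/*) echo "$ini: socket path must not start with $root"
                   problems=$((problems + 1)) ;;
        *) echo "$ini: pdo_mysql.default_socket is not /run/mysql/mysql.sock"
           problems=$((problems + 1)) ;;
    esac
    return $problems
}
```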

OpenBSD on Hyper-V

Installing OpenBSD on Hyper-V shouldn't really be an issue since the OS even contains specific drivers for virtualised drives (hvs(4)) and network cards (hvn(4)).

However, I did not succeed in installing OpenBSD 6.2 on Hyper-V because it hung while attaching the disk driver at the line

hvs0 at hyperv0 controller 1: ide

This occurred both when attaching the disk through an IDE controller and through a SCSI controller. After disabling hvs in the user kernel configurator the kernel boots.

OpenBSD 6.1 recognises the attached disk as a standard IDE drive as opposed to a virtualised hvs drive and works.

The standard network adaptor is not recognised by OpenBSD 6.1, so it is necessary to use the compatibility network adaptor.

Note that according to a remark in Microsoft's instructions for creating an OpenBSD disk for Azure, only »fixed« disk images are supported. Since the »Create VM« wizard of the Hyper-V manager creates dynamic disk images by default, it makes more sense to choose the option to »create and attach a disk image later« and then creating a fixed disk manually.

Friday, 21 July 2017

Installing and removing python packages on macOS

Since python on macOS comes without the pip package manager, I was wondering how to install and remove packages.

As it turns out, there's an older »package manager« called easy_install that can be used to install, but not remove, packages.

If you're happy installing packages system-wide, i.e. inside /Library/Python on macOS, you can run

# easy_install pyyaml

Installing into the user's package directory in $HOME/Library/Python can be done by

$ easy_install --user pyyaml

Removing packages isn't quite as straightforward, as easy_install doesn't offer a command to do so. The manual (linked above) suggests running

# easy_install -mxN pyyaml

prior to deleting a package, but I have not looked into what that entails.

Essentially, all that seems to be necessary is to delete the corresponding line from the package database, located at /Library/Python/2.7/site-packages/easy-install.pth, for example, and then delete the .egg file (a ZIP).
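The manual removal just described, as an added example that is not from the original post: drop the package's line from easy-install.pth and delete its egg. The site-packages directory is a parameter so the function can be pointed at a copy; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: remove an easy_install package by
# editing easy-install.pth and deleting the .egg (a ZIP file or a directory).

# remove_egg <site-packages dir> <distribution name>
#   e.g. remove_egg /Library/Python/2.7/site-packages PyYAML
remove_egg() {
    site=$1; name=$2
    pth="$site/easy-install.pth"
    # easy-install.pth lists eggs as ./<Name>-<version>-py<X.Y>[-<platform>].egg;
    # match the name case-insensitively and require a version right after it so
    # "six" does not also match "sixpack".
    egg=$(grep -i "^\./$name-[0-9][^/]*\.egg\$" "$pth" 2>/dev/null | head -n 1)
    if [ -z "$egg" ]; then
        echo "$name: not listed in $pth" >&2
        return 1
    fi
    # Remove exactly that line and keep the rest of the file (sys.path bookkeeping
    # lines included) intact.
    grep -vxF "$egg" "$pth" > "$pth.tmp" || :
    mv "$pth.tmp" "$pth"
    rm -rf "$site/${egg#./}"
    echo "removed $egg"
}
```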

Monday, 5 December 2016

IPSec on Netgear R6300 using DD-WRT or OpenWRT

This is still WIP, so the following just represents a brain dump so I know where to pick up when I come back to this again.

It seems that the current state of Linux is that the KAME patches are integrated into the kernel. All that is required to run IPSec is to configure it correctly, which apparently can be done in one of two ways: using strongSwan or KAME's original racoon.

I'm unsure whether the kernel in DD-WRT v3.0-r29396 giga (04/04/16) contains everything needed to run strongSwan or racoon. Packages for strongSwan and ipsec-tools appear to be available via ipkg from OpenWrt once I enable jffs2 in the GUI under »Administration«.

Once either of them is running, the OpenWrt wiki has instructions for road-warriors to set up strongSwan or racoon.

The problem with running OpenWRT directly is that (as of 2016-02-08) there are no open-source drivers for the 5GHz module. Also note that DD-WRT for Netgear's R6300v1 is based on the brcm47xx branch of OpenWrt (as indicated for example by cat /etc/ipkg.conf) unlike R6300v2 which relies on bcm53xx. This is in spite of the CPU model of the former being reported as »Broadcom BCM5300 chip rev 1«.

Thursday, 3 November 2016

Logging https traffic using Raspbian

In order to intercept https traffic, it is necessary to run software on a router or access point that provides its own certificates to clients. Using Mirko Dölle's beautiful instructions, today I set up mitmproxy on a Raspberry Pi 2 running Raspbian based on Debian Jessie. I have an RT5572 based dual band wifi dongle that works very well with Raspbian which I am going to use for clients to connect while the Raspberry Pi 2 itself is connected to the internet via ethernet.

First, I set up Raspbian in the usual way. Then I modified the dhcpcd configuration to assign a static IP address to the wifi adaptor which is going to be my access point. I added the following lines to the end of /etc/dhcpcd.conf.

interface wlan0
static ip_address=192.168.6.1/24

Next, I added the hostapd package and created a configuration file for it:

# apt-get install hostapd
# cat >/etc/hostapd/hostapd.conf <<EOF
interface=wlan0
driver=nl80211
country_code=GB
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

ssid=rpi-mitm

# 802.11g on #8
hw_mode=g
channel=8

# encryption
wpa=2
wpa_passphrase=pleasehackme
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

# gobbledigook
beacon_int=100
auth_algs=1
wmm_enabled=1
EOF

Before activating, one line in /etc/default/hostapd has to be adjusted:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

In order to assign IP addresses to clients and handle DNS forwarding, I then installed dnsmasq, again creating a configuration for it.

# apt-get install dnsmasq
# cat >>/etc/dnsmasq.conf <<EOF
interface=wlan0
dhcp-range=192.168.6.50,192.168.6.100,12h
EOF

Next, I activated packet forwarding by uncommenting the following lines in /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

I then set up network address translation by adding a POSTROUTING rule for my WAN interface to the iptables NAT table. This setting needs to be persisted by installing the iptables-persistent package.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# apt-get install iptables-persistent

Then I restart all the services involved. I disable legacy Debian networking because it brings the wlan0 interface up, which prevents hostapd from starting. This completes the setup of the access point.

# systemctl disable networking
# systemctl start hostapd
# systemctl start dnsmasq
# systemctl restart procps

In order to inspect client traffic through the access point, I installed mitmproxy. The version 0.10.1-2 installed by apt-get (on Jessie) is too old, so I install the current version 0.18.2 manually. Since Jessie only provides Python 3.4, I went with Python 2.7.

# apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev g++
# pip install mitmproxy

To run it, I add a couple of redirections to the inbound interface.

# iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# mitmproxy -T --host

Install mitmproxy's certificate on the device by browsing to http://mitm.it/.

To deactivate the capture, it suffices to remove the iptables rules.

# iptables -t nat -F PREROUTING