2017
06.16

So i was just monitoring a deep update and figured i should just post what it looks like.


Top left : sudo emerge -uDNvt @world --with-bdeps=y --changed-deps --keep-going --verbose-conflicts
Bottom left : ttyload
Top center : htop
Top right : atop
Middle {center, right} && Bottom {center, right} : ttysys

2017
05.26

So before we begin, this article assumes a wiped drive: not using parallels or virtualization, but a full install with no dual booting.

This article is not going to go through installation. There are plenty of posts across the internet explaining that.


-= Kernel .config =-
At time of writing i was using gentoo-sources-4.11.3 but the config file was originally from 4.9.X.
Here is the .config for gentoo-sources-4.11.3 that i created.


-= Booting =-
So i decided to go with grub2. First thing i did was use efibootmgr to remove all other entries that were not gentoo, so that it looked like this when done :
sudo efibootmgr
BootCurrent: 0000
Timeout: 5 seconds
BootOrder: 0000
Boot0000* gentoo

I also had a weird issue where, after grub called the kernel, my disk location (/dev/sdX) would randomly change between /dev/sd{a,b}. Easiest fix was adding the below to /etc/default/grub:
GRUB_DEVICE="PARTUUID=a852b30c-4543-49d6-969c-4e49ee029b14"
GRUB_DEVICE_UUID="8f2de9ac-7e52-44ec-af63-488be87e8908"

which can be grabbed by running “sudo blkid”.
Mine shows this:
/dev/sdb1: UUID="B572-A82B" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="90780068-fc39-4371-9cc9-deaf333d4d99"
/dev/sdb2: UUID="e795a3d1-590d-4c72-86be-fffe93fcb9e8" TYPE="swap" PARTLABEL="swap" PARTUUID="9dc0699e-6830-4279-93fa-70686f94de10"
/dev/sdb3: UUID="8f2de9ac-7e52-44ec-af63-488be87e8908" TYPE="ext4" PARTLABEL="root" PARTUUID="a852b30c-4543-49d6-969c-4e49ee029b14"

Once the UUID & PARTUUID were set, no more issues since old style locations did not matter any longer.


-= keyboard lights =-
I followed this link from wiki.gentoo.org to set keyboard lighting except in the script provided i changed the step to “2” instead of “25” so that there is a more fine tuned stepping.


-= screen back lighting =-
Again, i followed this link from wiki.gentoo.org to set screen back light levels but again, in the script i changed the steps from “25” to “5” so that the screen would change gradually.


-= keyboard iso layout =-
I had an issue where the tilde key was showing left and right carets. To correct this i put this line in “/etc/local.d/02-kbd–iso.start”:
#!/bin/bash
echo 0 > /sys/module/hid_apple/parameters/iso_layout

since it's a local.d script it will start up on boot.


-= lid closing and backlight =-
So the link posted above caused weird issues so i installed “sys-power/pm-utils” and changed the acpi scripts a bit like so :

/etc/acpi/events/lm_lid :
event=button/lid.*
action=/etc/acpi/actions/lid.sh

/etc/acpi/actions/lid.sh :
#!/usr/bin/env bash
# lock the X session, then suspend, when the lid reports "closed"
_DBL="/proc/acpi/button/lid/LID0/state"
if [ "$(awk '{print $2}' "${_DBL}")" = "closed" ]
then
    xscreensaver-command -lock
    pm-suspend
fi

2017
05.25

Sup all,

Sorry for the delay in posting any new articles but life caught up with me.

This article involves the inverse path usb armory and how to not only ssh into it, but be able to reach the outside world from it while connected to my gentoo machine.

As of the time of writing:
- the image used on the armory was debian base 20170518
- Gentoo Base System release 2.3
- Gentoo sources 4.11.2-r1

There were some kernel changes that had to be made due to the usb CDC networking:

Device Drivers --->
    [*] Network Device Support --->
        <*> USB Network Adapters --->
            <*>   Multi-purpose USB Networking Framework
                -*-     CDC Ethernet support (smart devices such as cable modems)
                <*>     CDC EEM support
                -*-     CDC NCM support
                <*>     CDC MBIM support
                <*>     Host for RNDIS and ActiveSync devices
            <*>   Simple USB Network Links (CDC Ethernet subset)
                [*]     Embedded ARM Linux links (iPaq, ...)

These settings will create an eth interface called enp0s20u1 when the usb armory is plugged in.

Once the image is loaded onto the microsd card and the usb armory plugged in, dmesg should give you something similar to this (ignore the first column since it's dmesg timing):

[ 1199.466184] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 1199.637025] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a2
[ 1199.637032] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1199.637035] usb 1-1: Product: RNDIS/Ethernet Gadget
[ 1199.637037] usb 1-1: Manufacturer: Linux 4.9.28 with 53f80000.usb
[ 1199.645848] cdc_ether 1-1:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 1a:55:89:a2:69:42
[ 1199.651675] cdc_ether 1-1:1.0 enp0s20u1: renamed from usb0
[ 1199.659833] IPv6: ADDRCONF(NETDEV_UP): enp0s20u1: link is not ready

Once plugged in, you are going to want to ssh into your usb armory and grant it internet access. The best thing to do is something along the lines of the next couple of commands. i placed them all in a script for ease but i will just paste the raw commands below (YMMV):

sudo ifconfig enp0s20u1 10.0.0.2 netmask 255.255.255.0
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o wlp3s0 -j MASQUERADE
sudo /etc/init.d/iptables save
sudo /etc/init.d/iptables stop
sudo /etc/init.d/iptables start
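
The commands above masquerade everything leaving wlp3s0. As an added example (not the author's script), this variant NATs only the armory's 10.0.0.0/24 subnet and adds explicit FORWARD rules for that one path, so it keeps working under a default-drop FORWARD policy. Interface names and addresses are from the post; the function names and the DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's script: forwarding scoped to the armory link.
# Interface names and addresses come from the post; armory_nat, run, add_rule
# and DRY_RUN are hypothetical names. DRY_RUN=1 (the default) only prints.
ARMORY_IF="${ARMORY_IF:-enp0s20u1}"     # CDC ethernet interface to the armory
UPLINK_IF="${UPLINK_IF:-wlp3s0}"        # interface facing the internet
HOST_IP="${HOST_IP:-10.0.0.2}"          # laptop side of the link
ARMORY_NET="${ARMORY_NET:-10.0.0.0/24}" # subnet shared with 10.0.0.1
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "${DRY_RUN}" = "1" ]; then printf '%s\n' "$*"; else sudo "$@"; fi
}

# add_rule TABLE CHAIN RULE...: append only if the rule is not already loaded
add_rule() {
    t="$1"; c="$2"; shift 2
    if [ "${DRY_RUN}" = "1" ]; then
        printf 'iptables -t %s -A %s %s\n' "$t" "$c" "$*"
    else
        sudo iptables -t "$t" -C "$c" "$@" 2>/dev/null ||
            sudo iptables -t "$t" -A "$c" "$@"
    fi
}

armory_nat() {
    run ip addr replace "${HOST_IP}/24" dev "${ARMORY_IF}"
    run ip link set "${ARMORY_IF}" up
    run sysctl -w net.ipv4.ip_forward=1
    # NAT only packets sourced from the armory subnet
    add_rule nat POSTROUTING -s "${ARMORY_NET}" -o "${UPLINK_IF}" -j MASQUERADE
    # let the armory open connections outward, and only replies back in
    add_rule filter FORWARD -i "${ARMORY_IF}" -o "${UPLINK_IF}" \
        -s "${ARMORY_NET}" -j ACCEPT
    add_rule filter FORWARD -i "${UPLINK_IF}" -o "${ARMORY_IF}" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

armory_nat
```

Run it with DRY_RUN=0 to apply the rules, then persist them with the same /etc/init.d/iptables save step as above.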

Now to test it but just remember that both user and password are “usbarmory”:

ssh usbarmory@10.0.0.1
usbarmory@10.0.0.1's password: 
Warning: untrusted X11 forwarding setup failed: xauth key data not generated

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 25 23:53:59 2017 from 10.0.0.2
-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
usbarmory@usbarmory:~$ 

and Voila!!!

now you are in the usb armory and you can update it.

2017
01.18

irc bashbot

sup all,

happy holidays and all that good stuff.

so lately i have been working on an irc bot written only in bash.

i know, sounds like a fucking nightmare and it would have been easier in python but this is fun and it works.

you can grab it here

i will write an article in the up and coming days/weeks explaining all the moving parts and all that fun stuff.

stay tuned

2016
09.29

sup

i decided to write this command line bar graph (with portions taken from here) that shows graphs based on the amount of files and extensions in a dir (recursive or non-recursive).

need came about due to not wanting to grep, sort and uniq certain folders at the time for what i was doing.

here is a link to the script.


here is the usage:

NAME
    bargraph.sh - show bar graphs of dir file types

SYNOPSIS
    bargraph.sh [OPTION]...

DESCRIPTION
    This script shows a bar graph with the total count
    of files in a dir according to extension.

    -b [character]
            This is to specify what character you want to use to
            draw your bar graphs. If this option is used, place
            the character in quotes (ex: "#").
            Default is "#"

    -d [path]
            This is to specify the path to be used. Need to input
            this for the script to work.

    -e [ext{,ext,ext}]
            This option is to select a single or list of extensions
            to show in the bargraph.
            Usage is either { -e "foo" } for single extension or
            { -e "foo,bar,baz" } for multiple. Always comma separated.

    -h      Show this file (usage).

    -r      Recursive.

    -s      This sorts output according to most files.
            Default is sorted by name.

    -v      Show version.

2016
09.28

Sup all

so i finally decided to have a command run every time my terminal goes idle. after some searching, here is what i have come up with:
lock-after-time && lock-command

from the man pages:

lock-after-time number
        Lock the session (like the lock-session command) after number seconds of inactivity.  The default is not to lock (set to 0).
lock-command shell-command
        Command to run when locking each client.  The default is to run lock(1) with -np.

so in my .tmux.rc :

set -g lock-after-time 360
set -g lock-command "/usr/bin/asciiquarium"

asciiquarium is set to start after 6 minutes.

2016
09.08

now that i am back in i have decided to post an updated screenshot of the status page for no real reason.


2016
09.08

sup all

so i’ve been working with a fortiswitch 224d-poe at home for a while when the thing went bat shit on me. When i tried to access the admin console i realized that i had forgotten the password. Below are the steps i used for wiping the switch back to factory default with the latest (as of time of writing) firmware.

first things first, make sure that you have a properly pinned console cable :

then set up a tftp server. i used tftp-hpa in a non-daemonized mode since i only needed it for one time usage.

next restart the switch with console. i did this below:
sorry for the awful pics but it was 0400 in the morning when i did this

since the default and data2 partitions were formatted and saved as default, this caused the factory default settings to be enabled.

once this was done:

and voila. back to defaults and regained access to the switch.

2016
08.12

hello all

just returned from hacker summer camp and have acquired a couple of new yubikeys specifically the four and the four nano and have been configuring them in my gentoo install just for login.

below are the steps to set this up in gentoo and pam for required authentication. this article assumes that you have already configured your yubikeys so i will not go through how to config them.

the first bunch of packages that we have to install :

[I] sys-auth/pam_u2f
     Available versions:  (~)1.0.4 {debug}
     Installed versions:  1.0.4(03:25:01 PM 08/10/2016)(-debug)
     Homepage:            https://github.com/Yubico/pam-u2f
     Description:         Library for authenticating against PAM with a Yubikey

[I] sys-auth/pam_yubico
     Available versions:  (~)2.17-r1 (~)2.19-r1 {ldap test}
     Installed versions:  2.19-r1(02:36:23 PM 08/10/2016)(-ldap -test)
     Homepage:            https://github.com/Yubico/yubico-pam
     Description:         Library for authenticating against PAM with a Yubikey

so the emerge line would be sudo emerge -av pam_u2f pam_yubico

once that is installed we are going to create /etc/pam.d/yubico with the contents of :
auth required pam_u2f.so cue interactive

and now we need to create the u2f_keys file under ${HOME}/.config/Yubico using the pamu2fcfg utility:
sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys

double check this file if you are putting in more than one entry to ensure that each line is separate.

once this is done, we are going to edit both /etc/pam.d/login and /etc/pam.d/passwd and add to both the line:
auth include yubico

once everything is saved, let's test it by pressing alt + ctrl + f2; this will open a new session without logging you out.

and bam. fully set up.

2016
07.05

Sup all

I have been working on an easy way to enable my local laptop to have 2FA using the google authenticator and it turned out to be easier.

All these steps were done on Gentoo installs, but should translate easily to non-gentoo distros.

This is the google-authenticator module that we are installing:

% eix google-authenticator
[I] sys-auth/google-authenticator
     Available versions:  (~)1.01_pre20160307231538 **9999
     Installed versions:  1.01_pre20160307231538(02:41:56 PM 07/05/2016)
     Homepage:            https://github.com/google/google-authenticator
     Description:         PAM Module for two step verification via mobile platform

which we will install like so:
sudo emerge -av google-authenticator
this is the same as sudo apt-get install or sudo yum install

then we will run: google-authenticator as the regular user which should give you a screen similar to this:

Now, either copy that url into a browser to generate a qr code that will scan in the google authenticator app, or use the secret key and input that into your authenticator app. Don’t forget to save the temp codes that it gave you to somewhere safe in case you lose your authenticator device.

Once that is done, we are going to add the line: auth required pam_google_authenticator.so to /etc/pam.d/passwd, /etc/pam.d/login, and /etc/pam.d/sshd

[cbodden:/etc/pam.d] % egrep google *
login:auth         required     pam_google_authenticator.so
passwd:auth        required     pam_google_authenticator.so
sshd:auth       required     pam_google_authenticator.so


Depending on what order you place this new line in these files, you can ask for the verification code before or after your actual password.

Since i do not use a login manager, i would assume that you would also have to add that line to any files associated with your login manager under /etc/pam.d.

For ssh usage, we have to set ChallengeResponseAuthentication to yes and make sure the line is uncommented in /etc/ssh/sshd_config, then restart sshd (/etc/init.d/sshd restart).

Now let's test. Press Alt+Ctrl+F2 (assuming you are using tty7 for your xwindows system), this should give you a login prompt. Test a login.

Good to go.
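
To check which order each file ended up with, and whether sshd will prompt for the code at all, this added example (not from the original post) audits the PAM files and sshd_config. It runs against constructed sample files; the function names are hypothetical, and treating an include/substack or pam_unix.so line as the password step is an assumption.

```shell
#!/bin/sh
# Added example: report where pam_google_authenticator.so sits in each auth
# stack and what sshd_config says. totp_order and sshd_challenge are
# hypothetical names; the files below are constructed samples.

# Print "missing", "code-first" or "password-first" for one pam.d file.
# Assumption: the password step is an include/substack or pam_unix.so line.
totp_order() {
    awk '
        $1 != "auth" { next }                 # skips comments and other stacks
        /pam_google_authenticator\.so/ { if (!t) t = NR; next }
        $2 ~ /^(include|substack)$/ || /pam_unix\.so/ { if (!p) p = NR }
        END {
            if (!t) print "missing"
            else if (!p || t < p) print "code-first"
            else print "password-first"
        }' "$1"
}

# Print the first uncommented ChallengeResponseAuthentication value, or
# "unset" (sshd uses the first value it reads for a keyword).
sshd_challenge() {
    awk 'tolower($1) == "challengeresponseauthentication" {
             print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Constructed stand-ins for /etc/pam.d/* and /etc/ssh/sshd_config.
demo="$(mktemp -d)"
trap 'rm -rf "${demo}"' EXIT
printf '%s\n' 'auth required pam_securetty.so' \
    'auth include system-local-login' \
    'auth required pam_google_authenticator.so' > "${demo}/login"
printf '%s\n' 'auth required pam_google_authenticator.so' \
    'auth include system-remote-login' > "${demo}/sshd"
printf '%s\n' 'password include system-auth' > "${demo}/passwd"
printf '%s\n' '#ChallengeResponseAuthentication yes' \
    'ChallengeResponseAuthentication no' > "${demo}/sshd_config"

for f in login passwd sshd; do
    printf '%-8s %s\n' "$f" "$(totp_order "${demo}/${f}")"
done
printf 'sshd_config: %s\n' "$(sshd_challenge "${demo}/sshd_config")"
```

On a real system, point the two functions at the files under /etc/pam.d and at /etc/ssh/sshd_config instead of the sample directory.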