This weekend I had the privilege to present at on the subject of Social Engineering techniques for use in driving positive security outcomes.  At the end of the presentation there were several great questions and a slide of reference materials I’ve studied related to the concepts I was presenting in the class.  Though I’m still settling back down after the conference, I did want to post the final slide from my deck (and my comments on the references) for others to follow up on if interested.  A little later this week I’ll post up some of the questions I was asked at the end as best I can recall them, and my answers to those questions.  They were great questions which I think really helped add to the topic.

So here is the slide and my comments on the references (links to PDF version):

For the first two book references I called out particular chapters I thought were especially relevant to “Blue Team” security influencing.  But, both books are a great read in whole.

  • The Art of Deception
    • This is a great collection-of-stories style book on Social Engineering.  It is a relatively easy, less technical read that provides real-world examples and then walks through the techniques and tricks used.
  • Social Engineering: The Art of Human Hacking
    • I would consider this the much more technical book; it covers many of the same psychology principles I discussed, in great detail.  It additionally covers some very advanced techniques like recognizing micro-expressions that could also be helpful to a Blue Team trying to read their audience.
    • I would also go take a look at some of Chris Hadnagy’s Defcon talks on Social Engineering
    • There is a newer edition, “Social Engineering: The Science of Human Hacking”, but I have not read that edition yet.
  • Quiet: The Power of Introverts in a World That Can’t Stop Talking
    • I originally read this primarily because of my interest in better understanding my own introverted ways.  I actually found the discussion around the different ways introverts and extroverts process information, the ways they interact with individuals, and how they engage very helpful in understanding my own interactions with other introverts and extroverts.
  • Communication Theory – CMC in ODR
    • Bill Warters (from whom I borrowed the great diagram of Communication Modeling) has a great breakdown of the communication modeling process with examples.  This is a free online learning module of his.
  • Jek Hyde @HydeNS33K
    • Jek does a lot of great walk-throughs of her on-site pen-testing (Social Engineering engagements).  Well worth following her to see many of these techniques in practice.
  • Social Engineering for the Blue Team
    • Timothy De Block does a different talk on the same subject.  Great discussion on presentation and perceptions.

I have two speaking engagements lined up over the next two months that I’m very excited about (with a drop of stage fright).  Both are on topics I am passionate about and feel need a lot more thought in the information security world: Human Interaction with Technology, and Psychological and Sociological aspects of Information Security.

The first talk I’m giving Sept. 28th is at a new technology conference in Harrisonburg, VA called Valley TechCon.  My talk is titled “Driving Security Through Technology”, but as a small hint, I focus a lot on the human element of technology.

The second talk I’m giving is Oct 26th at BSidesDC Security Conference in Washington, DC.  This is a great local security con focused on providing information security knowledge to all that want to learn.  It’s also one of the largest of the BSides Security conferences in the world.  My talk is titled “Blue Teams next tool: Social Engineering (Psychology and Sociology at Work)”.  Again, it’s a talk that focuses a lot on the human interaction side of information security.

I’ve always had a great interest in how we, as individuals and societies, interact with technology.  Now I’m hoping to fan the flames of others’ interest in looking beyond just the technological answers to cyber security.

With all the hardware working from Part 1, it’s time to move on to getting all the software in place.  There were plenty of references to work from, and based on the recommendation of Wireless Village to bring Pentoo Linux for the WCTF, that’s where I started.  Here are some lists that I worked from:

This is where I started: going through the list of packages and trying a dnf install of each.  Many of these are standard Linux packages installed by default, and a lot of them are also included as part of the base Fedora distribution.  But there are several that need supplemental repos added to the dnf package system to make installation (and upgrades/maintenance later) easier.  I didn’t install everything, but I tried to make sure I covered many of the big ones, as well as some others I had seen in tutorials.  As I get more time with the laptop, and other CTF/WCTF events, I’ll be able to fine tune the install.

Supplemental Software Repositories

The following is the collection of external repos I’ve added to the base distribution to support the additional tools needed.

Fedora 27 openh264 (From Cisco)

This is really just about enabling a repo which is installed by default but disabled.  Some CTFs have audio encoding/decoding requirements and this adds to your options.

sudo dnf config-manager --set-enabled fedora-cisco-openh264

RPM Fusion for Fedora 27 – Free

RPM Fusion provides a large collection of additional packages from several sources that the core Fedora team does not wish to provide in core Fedora.  It will also provide a lot of dependencies for packages from other repos.  Updates are not as guaranteed as in the core Fedora repo, but most packagers are pretty good at keeping them up to date.

The Free repo covers fully open-sourced packages that Fedora was unable to make part of the base distro for various reasons.

sudo dnf install$(rpm -E %fedora).noarch.rpm

RPM Fusion for Fedora 27 – Nonfree

These are packages under restrictive open-source or not-for-commercial-use licenses.  If this is for personal use you should be fine, but if you mix work with pleasure, be warned: check the individual packages’ licenses before use.

sudo dnf install$(rpm -E %fedora).noarch.rpm

CERT Forensics Tools Repository

Linux Forensics Tools Repository – LiFTeR is a gold mine for CTF based tools for forensics and similar operations.  You will want rpmfusion installed to help support some of these packages.

First I suggest importing the CERT GPG key into the rpm keyring so dnf can verify the packages:

sudo rpm --import

Then you can install the repo rpm.

sudo dnf install

Atomic Corp Repo

Atomic Corp are the backers of the OSSEC open-source HIDS solution, but they also have a collection of security tools that supplements the above repos, e.g. dirb.

sudo rpm -ivh


It goes without saying you’ll want to have Metasploit at your disposal; it’s a foundation tool that will help in your early offensive operations.  There are two versions that Rapid7 provides: the free open-source Metasploit Framework and the paid, commercially supported Metasploit Pro.  The following instructions are for the free open-source version; it will suffice to get you started, and provides opportunities to learn.

Unfortunately the install process is not a clean dnf-focused procedure.  They supply an install script that hides some of the complexity, but I chose to figure out how to get it working without their install script and just add it to my dnf repo collection.  Again, rpmfusion above will help with dependencies.

First we need to get the Rapid7 GPG key.  It can be found at the top of their installer script here.

curl 2>/dev/null | sed -e '1,/EOF/d' -e '/EOF/,$d' > metasploit.asc

We then need to add it to our rpm key signing store:

rpm --import metasploit.asc

Now we can manually add the Metasploit nightly rpm repo to dnf, and rpm install signatures should be verified against that key going forward.

sudo dnf config-manager --add-repo

You can run the following command to confirm the repos are installed and ready to go (you may be asked to accept several Fedora GPG keys being imported from the local installs):

dnf repolist

You should see something like this:

Packages Installed

With all the above in place there are two obvious installs you’ll want to do: the full LiFTeR suite of tools and Metasploit (warning: this is about 3GB of software about to be installed, it’s a LOT of tools):

sudo dnf install CERT-Forensics-Tools metasploit-framework

Besides Metasploit (exploitation/pen-testing tool) you’re going to get Autopsy/SleuthKit (forensics toolkit), Volatility (memory forensics), SiLK (packet analysis suite), Snort (IPS and packet analysis), nmap (network mapping and recon), Wireshark (packet analysis), and a huge host of other tools and supporting libraries.

Next up is a collection of individual tools that are also included in Pentoo, but that the above did not install.

First is an assortment of tools provided by Fedora that deal with a range of WCTF/CTF exercises including password cracking, binary/code analysis, network analysis, network recon, exploit development, and more.

sudo dnf install aircrack-ng scapy masscan zmap kismet kismet-plugins kismon gdb strace nacl-binutils nacl-arm-binutils examiner upx pcsc-lite-ccid chntpw libykneomgr libu2f-host mhash ophcrack john xorsearch crack sucrack ncrack pdfcrack cowpatty hydra medusa airsnort weplab tor flawfinder sage reaver urh hackrf hackrf-static cracklib-python perl-Crypt-Cracklib nikto dirb unicornscan net-snmp net-snmp-utils net-snmp-python net-snmp-perl net-snmp-gui skipfish

The following are more standard Linux tools, but very helpful in WCTF/CTF for audio/video analysis/manipulation, picture analysis/manipulation, coding, and quick network controls.

sudo dnf install vim-enhanced gstreamer1-plugin-openh264 mozilla-openh264 vlc python-vlc npapi-vlc dkms audacity ffmpeg firewall-applet system-config-firewall gimp nasm

Software Manually Installed

There were three packages I wanted to work with, but could not find good pre-built rpms for: hashcat, SANS SIFT

SANS SIFT

SIFT can be obtained as a VM, an ISO, or a local install.  In truth, it duplicates a lot of the tools already installed above.  I started down this route, then realized I would probably want to stick to the previous rpm route.  You can find the different install instructions here.

hashcat

This is a classic password cracker that supports a world of different CPU/GPU acceleration options.  I’m somewhat limited given I’m running this on a laptop, but it is still an important tool to have at hand.  Need to link it into some cloud based compute resources…

For install, it’s the classic download, verify, copy.

First let’s make an area to hold non-packaged apps (feel free to change this to your liking).

cd ~; mkdir Apps; cd Apps

Then retrieve the hashcat public key

gpg --keyserver --recv 8A16544F

Next download the detached PGP signature for the release archive

curl --output hashcat-

Then download the release archive itself

curl --output hashcat-

Then verify the signature.  Only proceed on a “Good signature” result whose key fingerprint matches the one hashcat publishes; a key pulled from a keyserver by short key ID alone proves nothing, since short IDs are trivially collidable.

gpg --verify hashcat- hashcat-

Then we can expand it and install it.

7za x hashcat-
cd hashcat-4.0.1/
sudo cp hashcat64.bin /usr/local/bin/hashcat

And now it’s ready and in our path.  The downside is that we have to remember to manually check for updates occasionally.


Now onto WEP/WPA2 Cracking!

In part 3 of course.  Yeah, I know, it’s a tease, but I want to get this software install bit out there while I write up what I learned about WEP/WPA2 hacking.  I’ll cover basics like packet captures, packet injection (to force handshakes), and brute force pass-phrase recovery.

Last month at Shmoocon I decided I wanted to expand my skills a bit and take a shot at something I hadn’t really done much of in my InfoSec career lately, not since way back in the WEP and Linux Zaurus years: wireless hacking, i.e. a Wireless Capture The Flag event.

I’ve done some appsec testing, network pen testing, and similar in the past, but more side-of-desk to my core roles.  I haven’t played much in the wireless world, even after getting my Technician class radio license last year (also at Shmoocon, baby steps I guess), so I made the choice to learn as much as I could in my few days at the conference from their WCTF event put on by the good folks at Wireless Village.

These pages will describe what I’ve learned.  Order is hardware discussion then software discussion.  There will be references to some of the software tools in the hardware section, but don’t fear, all will be made clear in the end if you were like me and new to the subject.  Any software/terms mentioned early on aren’t critical, just for future reference as you manage to read through this page.

My Fedora WCTF Laptop

The WCTF Laptop hardware

The laptop: Dell Latitude 7370 with Fedora 27

To start I needed a laptop.  I have my personal Macbook Pro 13″ and an old Dell Vostro, but I didn’t want to deal with the silliness that MacOS presents to non-Mac’y things, and the Vostro is an ancient heavy 15″ stuck in the 32bit world.  I wanted something reasonably small, with good battery life, a great high-res screen and both USB-C and USB 3.0 ports to support a wide range of addons (like the wireless card I’ll talk about later).  I was targeting something that could handle four threads with no problem and had at least 16GB of RAM and 256GB of SSD storage.  It also needed to fully support Linux, and for well under $1K since I already had a perfectly fine daily laptop in the Macbook Pro.

The above quickly relegated me to the refurbished or used world.  Doing some searches I eventually found the Dell Latitude 7370 series.  This met all my requirements: ~2.5lbs weight, Intel M7 CPU, 16GB Ram, 256GB of Storage, QHD+ 3200×1800 13.3″ Touch Screen, WiFi AC, BT, USB-C and USB 3.0 ports.  And reports from the web said Linux installed fine on it.  Final key point, you can find these laptops (depending on exact spec) ranging from $500-800 refurbished, and often with a 3 year Dell hardware warranty included.  I managed to get mine on-sale at for a hair over $700 fully loaded about a week before Shmoocon.

Though the laptop came with Windows 10 Pro installed, I shrank the partition down and installed a dual boot with Fedora 27 (here is a straightforward write up).  I did a UEFI install of Fedora so that I could leave EFI Secure Boot enabled.  That caused some headaches (I mean learning opportunities) later when I was dealing with kernel modules for my new USB wireless card, but my goal was not to compromise host OS security if at all possible.  I have kept the dnf security update process intact, and I run SELinux enforcing, Secure Boot enforcing, encrypted partitions, and the firewall at all times.  Though there is always some level of “trust” that must be placed in open source software providers, I also make sure my dnf system has current keys and verifies software signatures regardless of provider.  So far there are only three software components that aren’t handled via dnf, which I’ll go into later.  I also made sure to create a new user and make them an “Administrator”, which is separate from the all-powerful root user.

Hardware wise, almost everything works, and everything I needed did.  The only items I have not gotten to work in Linux are the fingerprint scanner, the WWAN, and the ID card reader.  And really, I just haven’t tried, maybe in Part 3?  There were only two key changes I made to the standard Fedora install to make the hardware more effective.

First, was to add more scaling options to the monitor framebuffer.  Under “Settings -> Devices -> Display” by default you only have a couple of choices for scaling.  100% and 200% just weren’t right for me, needed something in between that didn’t punish my eyes but still took advantage of that lovely high resolution.  With the following command at the command line:

gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"

I was able to add additional choices, and found that 175% was the perfect scale for my vision.

Second was to add a gnome shell extension called “Block Caribou”.  This shell extension stops the virtual keyboard from popping up on the screen if you happen to use the touch screen.  Between accidentally tapping the screen, and just trying it out, I don’t need another keyboard popping up and getting in the way of doing work.  Easier to keep it off using the shell extension.  You should be able to find it in the Fedora software shop under “add-ons -> shell extension”.  Ctrl-F to search for Caribou.

The WiFi: ALFA AWUS036AC 802.11AC 2.4/5Ghz

Though the Dell came with a perfectly good Intel 8260 802.11AC wireless network card, I wanted to have one that I believed had better support in the aircrack-ng community of tools and with solid monitor-mode capability.  I would also like to stay on-net while learning my WCTF skills (access to online documentation and all).  I did some research and decided Alfa seemed to be making a large range of well supported USB adapters and that the AWUS036AC had driver support covering both 2.4 and 5GHz networks up to 802.11ac.  What I didn’t learn until after my purchase and one day before Shmoocon is that the support was “experimental” and limited.  But, in the end I was able to get it to work effectively for at least the basic skills I mastered.  Here is how:

Driver install:

This is the part I learned before Shmoocon.  There was no built-in driver for my Alfa card.  This I expected, so I had already found the supported source code for the 8812au driver needed for this wireless card’s chip and aircrack-ng.  Install could be handled in two ways: “dkms” or manual “make” commands.  I originally went with dkms thinking it would make kernel upgrades easier; I was wrong.  It never cleanly integrated with Fedora kernel upgrades, and with the need to sign drivers (details in a bit) I was stuck doing a lot of manual clean up and re-install work for the driver on each kernel update.  Stick with “make”, it’s easier.  Also, stick with the 5.1.5 branch for now; the 5.2.9 branch has issues.  This is what I did:

  1. Download the driver, you can either download a zip archive or use git to pull a copy from the repo (I’m showing the .zip method below)
  2. Make sure your user is set up as an administrator with access to sudo and wheel
    Hopefully you chose your primary Fedora user as an administrator when setting up, if not you may want to read up on User/Group Management in Fedora
  3. Make sure you have the latest source/headers for your kernel and build tools so you can build your kernel module against it.
    sudo dnf install kernel-devel kernel-headers dkms make gcc gcc-gdb-plugin libgcc glibc-headers glibc-devel
  4. Create a new directory using root/sudo in /usr/src called /usr/src/rtl8812au-5.1.5
    sudo mkdir /usr/src/rtl8812au-5.1.5
  5. Change permissions on it so that your regular user can handle the compiling part (save root permissions for when you really need them)
    sudo chown root:wheel /usr/src/rtl8812au-5.1.5
    sudo chmod g+w /usr/src/rtl8812au-5.1.5
  6. Copy the downloaded source code and tree into the directory as your normal user
    sudo cp /usr/src/.
    cd /usr/src/
  7. Build the source tree with make
    cd rtl8812au-5.1.5
    make
  8. Install the source tree with make (need root again)
    sudo make install

Now if you aren’t using secure boot, you are good to go with the driver working.  If you are using secure boot then you have to sign these drivers with an EFI-recognized certificate or the kernel will refuse to load them.  That’s a good thing: it throws more hoops that malware would need to jump through to gain persistent access on your system.  But it means a little upfront work on your part, and one additional command line step each time you install/update the driver in the future.  I think it’s well worth the effort and learning experience; the following is based on:

  1. First you need to create a certificate pair for signing (keep these certs protected, and replace “mycert” with something relevant to you)
    sudo dnf install mokutil
    mkdir .mokcerts
    chmod o-rwx .mokcerts
    cd .mokcerts
    openssl req -new -x509 -newkey rsa:2048 -keyout MOKmycert.priv -outform DER -out MOKmycert.der -nodes -days 36500 -subj "/CN=mycert/"
  2. Then you need to sign your new driver
    sudo /usr/src/kernels/4.14.16-300.fc27.x86_64/scripts/sign-file sha256 ./MOKmycert.priv ./MOKmycert.der /lib/modules/4.14.16-300.fc27.x86_64/kernel/drivers/net/wireless/8812au.ko
  3. Now you’ll need to request adding your cert as a trusted cert in EFI
    sudo mokutil --import MOKmycert.der
    (remember the password you set, you will need it later!)
  4. Still not done, now you need to reboot and install and confirm your cert to EFI
    On reboot the system should automatically detect the key addition request above and boot into the MOK key management system.  Here you will be requested to provide passwords and accept the addition of your key.  Unfortunately this may vary some depending on bios version and hardware so I can’t provide a lot of guidance here, just read carefully and follow the prompts.  Also, REMEMBER YOUR PASSWORDS!
  5. Now when you finish rebooting your signed kernel driver for your Alfa should load fine.

Unfortunately on every new kernel you will need to rebuild the module, install it, and sign it.  That consists of the following commands (and making sure you are in the correct directories you used in the above steps):

  1. In the /usr/src/rtl8812au-5.1.5 directory:
    make clean
    sudo make install
  2. In your .mokcerts directory (making sure you are referencing the new kernel directory):
    sudo /usr/src/kernels/`uname -r`/scripts/sign-file sha256 ./MOKmycert.priv ./MOKmycert.der /lib/modules/`uname -r`/kernel/drivers/net/wireless/8812au.ko

The uname -r will insert the current kernel into the command, if you updated your kernel but hadn’t rebooted yet, it will be the wrong kernel version as you are still running the old kernel. You’ll need to manually figure out the kernel path.

You could script all the above into one command to make it easier to do on each new kernel upgrade.
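The per-kernel rebuild, install and sign steps above as one script, as an added example that is not part of the original post.  The one thing it does differently from the manual steps is how it picks the kernel: it takes the newest kernel present under /lib/modules instead of `uname -r`, so it is correct when run right after a dnf update and before the reboot, which is exactly the case the caveat above warns about.  Paths follow the post (/usr/src/rtl8812au-5.1.5 for the source tree, ~/.mokcerts/MOKmycert.priv and .der for the MOK pair); KVER as the Makefile variable that selects the target kernel is an assumption about the rtl8812au tree, so adjust it if your copy differs.

```sh
#!/bin/sh
# Added example, not from the original post: rebuild, install and sign the
# out-of-tree rtl8812au module for the NEWEST installed kernel rather than
# the running one. Paths match the post; KVER is assumed to be the variable
# the rtl8812au Makefile uses to choose the target kernel.
set -eu

SRC_DIR="${SRC_DIR:-/usr/src/rtl8812au-5.1.5}"
MOK_DIR="${MOK_DIR:-${HOME:-/root}/.mokcerts}"
MOK_NAME="${MOK_NAME:-MOKmycert}"
MODULE_REL="kernel/drivers/net/wireless/8812au.ko"

# Highest kernel version directory under a modules root (default /lib/modules).
# sort -V orders 4.14.18-300 after 4.14.16-300 and 4.14.x after 4.9.x, which a
# plain lexical sort (or `uname -r` on a not-yet-rebooted box) gets wrong.
newest_kernel() {
    local root="${1:-/lib/modules}"
    ls -1 "$root" | grep -E '^[0-9]+\.[0-9]+' | sort -V | tail -n 1
}

# Clean build against the chosen kernel, then install (root needed for that).
build_module() {
    local kver="$1"
    make -C "$SRC_DIR" clean
    make -C "$SRC_DIR" KVER="$kver"
    sudo make -C "$SRC_DIR" KVER="$kver" install
}

# Sign with that kernel's own sign-file helper, then prove it took: modinfo
# prints a "sig_key:" line only for a signed module. An unsigned .ko under
# Secure Boot is refused at modprobe time ("Required key not available"),
# which is a worse place to find out than here.
sign_module() {
    local kver="$1" ko
    ko="/lib/modules/$kver/$MODULE_REL"
    sudo "/usr/src/kernels/$kver/scripts/sign-file" sha256 \
        "$MOK_DIR/$MOK_NAME.priv" "$MOK_DIR/$MOK_NAME.der" "$ko"
    modinfo "$ko" | grep -q '^sig_key' || { echo "ERROR: $ko is not signed" >&2; return 1; }
}

main() {
    local kver
    kver="$(newest_kernel)"
    if [ ! -d "/usr/src/kernels/$kver" ]; then
        echo "no kernel-devel tree for $kver (dnf install kernel-devel)" >&2
        return 1
    fi
    echo "building and signing 8812au for $kver (running kernel: $(uname -r))"
    build_module "$kver"
    sign_module "$kver"
    sudo depmod -a "$kver"   # refresh modules.dep for the target kernel
}

# Run the full procedure only where the source tree exists, so the functions
# can also be sourced on another box without side effects.
if [ -d "$SRC_DIR" ]; then
    main "$@"
else
    echo "source tree $SRC_DIR not found; nothing to build" >&2
fi
```

Run it once after each kernel update and before rebooting; if `modinfo` shows no `sig_key` line the module was not signed and the new kernel will refuse it.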

Stopping NetworkManager from messing your aircrack-ng up:

This part I fully figured out on the last day of Shmoocon; unfortunately it really messed up my WPA hacking and I didn’t realize it until it was too late to fully recover before the end of the WCTF.  If you don’t do this you will be able to slowly crack WEP, and you’ll see things on WPA, but none of the techniques will work.  It will look like it’s working, but it really isn’t.  NetworkManager (which manages all your network connections) will constantly mess around with your monitor mode and packet injections even when it looks like it’s not.  It took some digging and testing, but I finally found a nice way to get NetworkManager out of the way.

  1. First plug in your new network adapter and find out what interface name and MAC address get assigned.  I would suggest running the command once before you plug it in and once after so you know which one is the new interface
    with output like:
    inet netmask broadcast
    inet6 fe80::c200:dca9:632:dbba prefixlen 64 scopeid 0x20
    ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
    RX packets 226897 bytes 315230079 (300.6 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 33918 bytes 4726882 (4.5 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    ip link
    with output like:
    2: NNNNNNNN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
  2. Next you will need to open the following file to edit:
    sudo vi /etc/NetworkManager/NetworkManager.conf
  3. You need a section with the following:
  4. Then after that add a section with the following:
  5. Finally have a section with the following where the XXXXs are replaced with the MAC address and NNNNNNN is the interface name found above
  6. Now save the file and restart network manager
    systemctl restart NetworkManager
  7. That should now cover you.  You can check by running the following command and confirming it says unmanaged:
    nmcli dev status
    with output like this:
    wlp108s0    wifi     connected   wifinet
    lo          loopback unmanaged   --
    NNNNNNNN    wifi     unmanaged   --

Now NetworkManager should stay out of the way and allow you to have fun.
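The same result as the NetworkManager.conf stanzas above, done as a drop-in file instead, as an added example that is not the post’s own configuration.  NetworkManager reads /etc/NetworkManager/conf.d/*.conf in addition to NetworkManager.conf, and the `[keyfile]` `unmanaged-devices=` syntax used here is the documented one; the MAC address and interface name in the usage line are placeholders to replace with the values from `ip link`.  The last step is the same `nmcli` check the post uses, just made a pass/fail test.

```sh
#!/bin/sh
# Added example, not the post's own NetworkManager.conf: mark the Alfa adapter
# unmanaged via a conf.d drop-in so airodump-ng/aireplay-ng keep monitor mode
# and injection, while the built-in card stays managed and on-net.
set -eu

# Render the drop-in. Listing both selectors keeps the device unmanaged even if
# udev renames it on a later boot or a different USB port.
nm_unmanaged_conf() {
    local mac="$1" ifname="$2"
    printf '[keyfile]\nunmanaged-devices=mac:%s;interface-name:%s\n' "$mac" "$ifname"
}

# Refuse obviously wrong input before touching /etc: six colon-separated hex octets.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Write the drop-in, restart NetworkManager (as the post does) and confirm the
# adapter reports "unmanaged"; any other state means NM still owns it and
# injection results cannot be trusted.
install_unmanaged() {
    local mac="$1" ifname="$2"
    local dest="${3:-/etc/NetworkManager/conf.d/99-wctf-unmanaged.conf}"
    valid_mac "$mac" || { echo "not a MAC address: $mac" >&2; return 1; }
    nm_unmanaged_conf "$mac" "$ifname" | sudo tee "$dest" >/dev/null
    sudo systemctl restart NetworkManager
    nmcli -t -f DEVICE,STATE dev status | grep -q "^$ifname:unmanaged\$"
}

# Usage (placeholder values): install_unmanaged 00:c0:ca:aa:bb:cc wlp0s20f0u1
```

Note that `airmon-ng check kill` reaches the same goal by stopping NetworkManager outright, which also takes down the uplink on the built-in card; the drop-in only removes the one adapter from NetworkManager’s control.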

Next: Installing our pen-testing tools

I based the software I installed on the Pentoo Linux security focused distribution.  You could go the route of just installing Pentoo or Kali, and that’s fine, but I wanted a more general purpose setup.  I also wanted to make sure I was familiar with the small details that go into installing, using, and maintaining the software stack.

And those details will be for part 2….but here is a taste

From the base Fedora repo you can install an important tool aircrack-ng to get started.  From the command line run:

sudo dnf install aircrack-ng

When that finishes up you can insert your wireless card and run the following command to start listening to what’s broadcasting around you (with NNNNNNNN replaced by the actual wireless interface you worked on above):

sudo airodump-ng NNNNNNNN

Till next time…

In the process of building out my network intelligence system I need to have a central location to collect system and event logs on my network.  Since my ReadyNAS has Linux under the hood I figured what better place (since it has plenty of space to store LOTS of logs).  Here is what I did.

First, you need to have a ReadyNAS with OS6 on it.  In my case I have one of the older ReadyNAS Pro 6 boxes which only officially support the older 4.x OS.  But, there is a very easy way to upgrade to OS6 and it has been very reliable for me.  The downside is that it will require wiping out all data on your NAS and reformatting (Backup, Backup, BACKUP!).  I believe it’s well worth the hassle of backing up and restoring data to get this upgrade.  It will void your warranty (or make it much more difficult to get through tech support), but it appears that Netgear has been reasonably responsive in adding fixes for the unsupported legacy hardware.  Once my NAS was converted updates have been easy and automatic.  Anyways, here is the info I followed to convert:  ReadyNAS Forums

Now to setup syslog (rsyslog) to receive incoming logs on your network do the following:

  1. Log into your NAS and enable SSH
    • Go to System -> Settings -> Service -> SSH
  2. Create a new folder to store/share your logs
    • Go to Shares -> Choose a Volume (or create one)
    • Create a new Folder (call it logs?) and set permissions as you like
  3. Create a new group
    • Go to Accounts -> Groups -> New Group
    • Create a new Group (call it logs?) and set permissions as you like
  4. Go back to your new “logs” share folder and set permissions such that the “logs” group has read/write perms
    (These are very liberal permissions and basic groups/users, you can go much more restrictive, which I would recommend once you’ve got the basics working)
  5. Now ssh to your ReadyNAS as root using the same password as your web based admin account
  6. Install rsyslog
    • apt-get install rsyslog
  7. Configure rsyslog
    • vim.tiny /etc/rsyslog.conf
      If you don’t know vim go read-up first, you need to know how to insert, delete, and save
    • Change the following lines:
      Remove the # signs in front of these lines at the top:

      $ModLoad imudp
      $UDPServerRun 514
      $ModLoad imtcp
      $InputTCPServerRun 514

      Add the # sign to these lines:

      #*.*;auth,authpriv.none -/var/log/syslog
      #cron.* /var/log/cron.log
      #daemon.* -/var/log/daemon.log
      #kern.* -/var/log/kern.log
      #lpr.* -/var/log/lpr.log
      #mail.* -/var/log/mail.log
      #user.* -/var/log/user.log
      #mail.info -/var/log/mail.info
      #mail.warn -/var/log/mail.warn
      #mail.err /var/log/mail.err
      #news.crit /var/log/news/news.crit
      #news.err /var/log/news/news.err
      #news.notice -/var/log/news/news.notice
      #            auth,authpriv.none;\
      #            news.none;mail.none -/var/log/debug
      #             auth,authpriv.none;\
      #             cron,daemon.none;\
      #             mail,news.none -/var/log/messages

      And add these lines to the bottom:

      $template RemoteLog,"/data/logs/%$YEAR%/%$MONTH%/%fromhost-ip%/syslog.log"
      *.* ?RemoteLog
    • Be sure to change the /data/logs part to match with your volume and folder you created in steps 2 above
  8. Now enable and restart rsyslog
    • systemctl restart rsyslog.service
    • systemctl enable rsyslog.service
  9. Check to make sure rsyslog started happily
    • systemctl status rsyslog.service
    • tailf /data/logs/2015/03/
      • You should see something like this: rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="24127" x-info=""] start
  10. Log out of SSH and disable it if you don’t need it anymore.

That should cover the basics.  By default the ReadyNAS will log as from an IP of, all other hosts will log from their IPs on your network.  There is of course a lot more custom configuration you can do.  This is just the basics.  You will also be able to view your logs from the shared volume you created.

I commented out a lot of lines above to avoid duplicate logging in the /var/log directory as that’s only about 4GB in size.  You can always re-enable them and change their path if you choose.
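A hardened variant of the receiver configured in step 7, as an added example that is not from the original post.  As configured above, any host that can reach UDP or TCP 514 on the NAS can write into the share, so a box on the network can fill the volume or plant misleading lines; this version keeps the same per-year/month/sender-IP layout but allow-lists the LAN with `$AllowedSender`, binds the UDP listener to the NAS address and tightens the created file modes.  It is written as a drop-in under /etc/rsyslog.d/, which the Debian-style rsyslog.conf includes, and in legacy directive syntax because the NAS runs rsyslog 5.8.  One caveat: `$AllowedSender` only governs listeners started after it, so when using this file leave the `$ModLoad`/`$UDPServerRun`/`$InputTCPServerRun` lines in /etc/rsyslog.conf commented out rather than uncommenting them as in step 7.  The group name `logs` is the one suggested in step 3, and 192.0.2.0/24 is a documentation range standing in for your LAN.

```sh
#!/bin/sh
# Added example, not from the original post: remote syslog receiver for the
# ReadyNAS as an rsyslog.d drop-in with a sender allow-list, plus a client-side
# test message. Legacy ($-directive) syntax for rsyslog 5.8.
set -eu

# Emit the receiver config.
#   $1 = log root on the share (e.g. /data/logs)
#   $2 = CIDR allowed to send   (e.g. 192.0.2.0/24)
#   $3 = NAS address to bind the UDP listener to
#   $4 = group that may read the logs (default: logs, as created in step 3)
receiver_conf() {
    local root="$1" lan="$2" bind="$3" group="${4:-logs}"
    cat <<EOF
# --- remote syslog receiver (generated) ---
\$ModLoad imudp
\$ModLoad imtcp
# Senders outside the LAN are dropped before anything is written to disk.
\$AllowedSender UDP, $lan
\$AllowedSender TCP, $lan
\$UDPServerAddress $bind
\$UDPServerRun 514
\$InputTCPServerRun 514
# Files root:$group, dirs 0750 and files 0640 instead of world-readable 0644.
\$DirOwner root
\$DirGroup $group
\$FileOwner root
\$FileGroup $group
\$DirCreateMode 0750
\$FileCreateMode 0640
\$template RemoteLog,"$root/%\$YEAR%/%\$MONTH%/%fromhost-ip%/syslog.log"
*.* ?RemoteLog
EOF
}

# On the NAS as root: write the drop-in, parse-check the whole config (a typo
# would otherwise stop logging entirely), then restart.
install_receiver() {
    local root="$1" lan="$2" bind="$3"
    local dest="${4:-/etc/rsyslog.d/10-remote-receiver.conf}"
    receiver_conf "$root" "$lan" "$bind" > "$dest"
    rsyslogd -N1 -f /etc/rsyslog.conf
    systemctl restart rsyslog.service
}

# From a Linux client: one line over UDP and one over TCP (-T), tagged so they
# are easy to find in today's file for that client under the share.
send_test_line() {
    local nas="$1"
    logger -n "$nas" -P 514 -t wctf-test "udp syslog test from $(hostname)"
    logger -n "$nas" -P 514 -T -t wctf-test "tcp syslog test from $(hostname)"
}
```

Usage: on the NAS, `install_receiver /data/logs 192.168.1.0/24 <nas-ip>`; from a client, `send_test_line <nas-ip>` and then `tail -f /data/logs/$(date +%Y)/$(date +%m)/<client-ip>/syslog.log` on the NAS should show both tagged lines.  A sender outside the allowed range produces nothing on disk, which is the point.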


I’ve been very busy updating my home network infrastructure lately.  I wanted to improve the zone separation, while at the same time providing a reasonably secure connection between my resources at home and my resources on the net.

Some of these changes include:

  • Replacing my SSG-140-SH Firewall with a new SRX220H2 w/POE Firewall.
  • Replacing my DELL 5448 Switch with a new Netgear GS724T Switch.
  • Removing an old 4 port POE switch.
  • Replacing my old VLAN setup (Main, Media, Utils) with my new VLAN setup (Main, Wireless, Media, Utils, LAB, VPN, Tunnel).
  • Upgrading my old Dell 860 (250GB Raid1 and 8GB RAM) co-located server with a new SuperMicro based server that has 12TB of storage and 32GB of ram.  This is split into virtualization images, so I’ll be able to work with Docker/CoreOS/KVM based technologies in my personal cloud.  This is tied into my home network via an OpenSwan -> SRX IPSec tunnel.  Additionally, the SRX will be able to provide dynamic SSL VPN capability for when I’m on the road.

All of the above gets added to my existing 12TB NAS, multiple POE wireless access points, and virtualization server.

I have a few more tweaks left to handle multicasting and cross-LAN traffic on the network, finishing up my log aggregation and analysis tools, as well as CoreOS and Docker work for PaaS deployments.  This should provide some nice resources for my security research.

For years now I’ve used telnet as a quick and easy way to check to see if the most basic network functionality of a service like http is working.  I.e. I telnet to port 80 and see the raw server communication.  Very helpful in debugging network services.  Where it fails is when you get into SSL services.  Telnet to port 443 and sure, you’ll see you connect, but you’re not going to be doing an SSL handshake.

So I finally did a little googling and ran across this gem:

openssl s_client -connect

And now I have SSL handshake and my raw plaintext interface that telnet provided.

Works great for all my ssl service troubleshooting (imap/pop/https/etc..).
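The s_client trick wrapped into a reusable check, as an added example that is not from the original post.  It adds the three things a plain `-connect` misses: `-servername` so a virtual-hosted site presents the right certificate, `-starttls` for the protocols that start in plaintext (smtp, imap, pop3), and a parse of the `Verify return code` line so the result is usable from a script rather than by eye.  Option names are those of openssl(1); the host names in the usage line are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: scriptable TLS handshake check
# built on openssl s_client (-connect, -servername, -starttls).
set -eu

# $1 = s_client output; succeed only when chain verification came back 0.
# A handshake that completes with a bad chain still prints a session, which
# is exactly what eyeballing the output (or telnet) misses.
verify_ok() {
    printf '%s\n' "$1" | grep -q '^ *Verify return code: 0 (ok)$'
}

# $1 = host, $2 = port, $3 = optional STARTTLS protocol (smtp, imap, pop3, ...).
# Prints the leaf subject/issuer; returns 0 only on a verified handshake.
tls_check() {
    local host="$1" port="$2" proto="${3:-}" out
    if [ -n "$proto" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$host" -starttls "$proto" </dev/null 2>&1) || true
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1) || true
    fi
    printf '%s\n' "$out" | grep -E '^(subject|issuer)=' || true
    if verify_ok "$out"; then
        echo "$host:$port verified"
    else
        printf '%s\n' "$out" | grep 'Verify return code' >&2 || echo "$host:$port: no handshake" >&2
        return 1
    fi
}

# Usage (placeholder hosts):
#   tls_check www.example.com 443
#   tls_check mail.example.com 143 imap
```

Drop the `</dev/null` from the s_client line when you want the interactive plaintext session the post describes; the verification line still appears at the top of the output before you start typing.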

Found the info at this site:

Ok this has been bothering me for a while, I upgraded my desktop to CentOS 6 to have a nice stable platform going forward from my previous Fedora 14 install and all was good.  Except Enigmail gpg passphrase caching broke.  Every time I hit an encrypted email I had to enter in the passphrase at least twice it seemed, and pity me if I clicked on a threaded email conversation.

So after digging around I found the following fix:

Edit .bash_profile and add:

gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"

if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO SSH_AUTH_SOCK
fi

Edit .bashrc and add:

GPG_TTY=$(tty)
export GPG_TTY

And now all is happy.  Some of this was found on this page:

Some of it was trial and error, plus a healthy amount of googling.
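The .bash_profile lines above fork a brand new gpg-agent on every login, which leaves stale agents behind and loses the passphrase cache each time. Here is an added shell example (not the post’s own snippet) that reuses a running agent when the pid recorded in ~/.gpg-agent-info is still alive; it assumes the gpg 2.0-era agent the post used on CentOS 6, whose --write-env-file output has the form shown in the comments (gpg 2.1 and later manage their own socket and no longer accept these options).

```shell
# Added example (not the post's own snippet): reuse an already-running
# gpg-agent instead of forking a new one on every login.  Assumes the
# gpg 2.0-era agent, whose --write-env-file output looks like:
#   GPG_AGENT_INFO=/tmp/gpg-XXXXXX/S.gpg-agent:<pid>:1
#   SSH_AUTH_SOCK=/tmp/gpg-XXXXXX/S.gpg-agent.ssh

# Print the agent pid recorded in an env file; fail if the file is missing.
gpg_agent_pid() {
    [ -f "$1" ] || return 1
    sed -n 's/^GPG_AGENT_INFO=[^:]*:\([0-9][0-9]*\):.*$/\1/p' "$1"
}

# Succeed only if the env file names a pid that is still alive.
gpg_agent_alive() {
    agent_pid=$(gpg_agent_pid "$1") || return 1
    [ -n "$agent_pid" ] && kill -0 "$agent_pid" 2>/dev/null
}

# Drop-in replacement for the .bash_profile / .bashrc lines in the post:
# start an agent only when none is reachable, then export its environment.
start_or_reuse_gpg_agent() {
    info_file="${1:-$HOME/.gpg-agent-info}"
    if ! gpg_agent_alive "$info_file"; then
        gpg-agent --daemon --enable-ssh-support --write-env-file "$info_file" >/dev/null
    fi
    . "$info_file"
    export GPG_AGENT_INFO SSH_AUTH_SOCK
    GPG_TTY=$(tty)
    export GPG_TTY
}
```

Call `start_or_reuse_gpg_agent` from .bash_profile in place of the unconditional `gpg-agent --daemon` line.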

So it’s been over two years since my last post.  Been very busy in my life and haven’t had time to do as much tinkering and computer stuff at home as I usually would.  That’s not to say I haven’t done anything, just haven’t documented it.  Here are a few things that happened in the last two years:

  1. I changed jobs, I now work in computer, network, and systems security full time.  I’m loving it!  Finally getting to really practice what I preach in the security field.  Georgetown was fun and a great time to grow my general systems experience, but I’m enjoying the focus on computer and network security.

  2. Got a new car. This actually happened about three years ago, but I never posted about it.  The Chevy Blazer was taken out by its imploding supercharger and deemed not worth my time, effort, and money to repair.  Given it was early 2009 and car dealers were giving away cars, I got a great deal on a new 2009 VW Tiguan SE with AWD.  Still love the car and am making small upgrades to it as the years go on to make it more mine.  I did actually stand up a page for that work here: My SUV Project (Tiguan).

  3. I made some network and computer upgrades at home as well.  I replaced my original first generation MacBook Pro 15″ (Intel Core Duo 2Ghz) with a late 2010 model MacBook Pro 15″ (Intel i7 Dual Core) with HD display and 8GB of RAM.  It’s currently triple booting MacOS X 10.6, Fedora 16, and Windows 7 Enterprise.  I have a post on how to set up triple boot in the works.  I also upgraded my old Promise NS4300N 2TB NAS box to a new NetGear ReadyNAS Pro 6 12TB.  Much faster and a lot more storage, plus so many options.  I’ve kept the network up with technology and run full WiFi a/b/g 300mbps+ and GigE wired via a NetGear WNDR4000 and assorted GigE switches, paired with FiOS internet.  Finally, I upgraded my workstation piece by piece to get it up to a Sandybridge i7 and 16GB of RAM so that I can build out a new HD+CableCard MythTV network using VMs, the NAS box, and the new Silicon Dust HD Prime.  I’ll have a post later documenting my general network gear, as well as posts on how I set up MythTV.

  4. I’ve got a Barnes and Noble Nook Color as well.  It’s a great little device and hoping to take better advantage of it this coming year.  And yes, it’s rooted.  Running stock Nook Software but with the added benefit of sideloaded and standard android market apps too.

  5. And last but not least, still being a dad and husband working away enjoying watching the kids learn and grow (as I learn and grow).


Ok, so I’ve had my new Eee PC 1000 for several days and am loving it.  But I did find a few really glaring security issues.  So, with a lot of research, I’ve come up with a basic list of must-dos for any new Eee PC owner.

  1. Shut down Samba and Portmap – These services are on by default and there are known security issues with the version of Samba that comes with the EeePC.  Here is how to make sure they are stopped and don’t come back on.  Be warned, if you do this you will not be able to share files with others from your computer, though you can still access files on other computers:
    • First start up a terminal window by pressing Ctrl + Alt + T
    • Next issue the following commands:
    • sudo invoke-rc.d samba stop
    • sudo update-rc.d -f samba remove
    • sudo update-rc.d samba stop 20 0 1 2 3 4 5 6 .
    • sudo invoke-rc.d portmap stop
    • sudo update-rc.d -f portmap remove
    • sudo update-rc.d portmap stop 20 0 1 2 3 4 5 6 .
    • Next edit the services file using the following commands:
    • sudo vim /usr/sbin/
    • Press the “i” key to begin edit mode
    • find the line:
      start-stop-daemon --start --quiet --oknodo --exec /sbin/portmap
      and comment it out like:
      #start-stop-daemon --start --quiet --oknodo --exec /sbin/portmap
    • find the line:
      /usr/sbin/invoke-rc.d samba start
      and comment it out like:
      #/usr/sbin/invoke-rc.d samba start
    • Press the “ESC” key, then press the “:” key, then type “wq” followed by pressing the enter key
  2. There is a webserver that runs on the EeePC any time you launch the anti-virus icon under settings.  By default it hides its content from the internet, but the webserver is still listening on the internet-facing port.  To force the webserver to ONLY listen on your local machine (and not advertise to the rest of the world) do the following.
    • You need to edit the following file using the commands:
    • sudo vim /usr/lib/esets/webi/nginx/conf/nginx.conf
    • find the http {} section, then the server {} section, and
    • Press the “i” key to begin edit mode
    • change “listen 20032;” to “listen localhost:20032;”
    • Press the “ESC” key, then press the “:” key, then type “wq” followed by pressing the enter key
    • Reboot the computer as there is no clean way to stop the service.
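Rather than trusting a hand edit, a quick audit of the config tells you whether any listen directive is still bound to every interface. This is an added shell example, not from the original post; the config fragment it runs on is constructed to mirror the Eee PC default next to the fix above, and the file path is whatever you pass in (e.g. the nginx.conf under /usr/lib/esets/webi/ named earlier).

```shell
#!/bin/sh
# Added example (not from the original post): audit an nginx.conf for
# "listen" directives that bind every interface instead of loopback only.
# Prints each exposed address and returns 1 if any is found, 0 otherwise.
audit_nginx_listen() {
    conf_file="$1"
    # Drop comments, then inspect every "listen" directive's address part.
    # A bare port ("listen 20032;") or a wildcard host ("0.0.0.0:", "*:",
    # "[::]:") means nginx accepts connections from the network.
    exposed=$(sed 's/#.*//' "$conf_file" | awk '
        $1 == "listen" {
            addr = $2
            sub(/;.*/, "", addr)
            if (addr ~ /^[0-9]+$/ || addr ~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/)
                print addr
        }')
    if [ -n "$exposed" ]; then
        printf 'exposed listen directive(s) in %s:\n%s\n' "$conf_file" "$exposed"
        return 1
    fi
    return 0
}

# Demo on a constructed config: the Eee PC default beside the post's fix.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
http {
    server {
        listen 20032;             # Eee PC default: reachable from the network
    }
    server {
        listen localhost:20032;   # the fix: loopback only
    }
}
EOF
if audit_nginx_listen "$demo_conf"; then
    echo "no exposed listeners in $demo_conf"
fi
rm -f "$demo_conf"
```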

Ok, so now the why part.

The EeePC (including my brand new one) ships with an old version of Samba, enabled to start on boot by default, that has a known remote attack that can grant root privileges.  That is VERY bad.

Also, the webserver that runs when you start up the anti-virus program on the EeePC is on the legacy stable branch (one entire version behind current stable), and several revisions behind the current legacy stable revision at that:

The EeePC runs version 0.5.33 from November of 2007.  You’ll notice in the change log several fixed segfaults and other bugs, some of which could lead to security issues.  It’s best not to take chances and make sure it doesn’t respond to non-localhost requests.


Copyright © 2015 · All Rights Reserved · Cafaro's Ramblings