Friday, May 24, 2019

Use TorGuard OpenVPN servers in OPNsense firewall

This is how to use multiple TorGuard OpenVPN servers on an OPNsense firewall. Adapted from pfSense instructions here.

DNS

System > General > DNS Servers
Add the following:
104.223.91.194
104.223.91.210

Create trust certificate

System > Trust > Certificates > Add
Select "Import an existing Certificate Authority"
Descriptive name: TG-CA
Certificate data: (get the latest key from here, copy the entire file)
Private key data: <leave blank>

Certificate authority

System > Trust > Authorities > Add
Descriptive Name: TG-internal-CA
Method: Create an internal Certificate Authority
Key length: 2048
Digest Algorithm: SHA1
Lifetime: 3650
Country Code: <put anything>
State or Province: <put anything>
City: <put anything>
Organization: <put anything>
Email Address: <put anything>
Common Name: internal-ca

Certificate manager

System > Trust > Certificates > Add
Descriptive Name: TG-Certificate
Method: Create an internal Certificate Authority
Key length: 2048
Digest Algorithm: SHA1
Lifetime: 3650
Country Code: <put anything>
State or Province: <put anything>
City: <put anything>
Organization: <put anything>
Email Address: <put anything>
Common Name: TG-Certificate

OpenVPN Client settings

VPN > OpenVPN > Clients > Add

Description: TG OpenVPN
Server Mode: Peer To Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local Port: <leave blank>

Remote server(s):
atl.east.usa.torguardvpnaccess.com
chi.central.usa.torguardvpnaccess.com
dal.central.usa.torguardvpnaccess.com
fl.east.usa.torguardvpnaccess.com
la.west.usa.torguardvpnaccess.com
lv.west.usa.torguardvpnaccess.com
nj.east.usa.torguardvpnaccess.com
ny.east.usa.torguardvpnaccess.com
sa.west.usa.torguardvpnaccess.com
sf.west.usa.torguardvpnaccess.com

Server Port(s): 443

Select server at random: Checked
Infinitely resolve server: Checked

Username: YOURTGUSERNAME
Password: YOURTGPASSWORD

Peer Certificate Authority: TG-CA
Client Certificate: Web GUI SSL certificate
Encryption algorithm: BF-CBC (128-bit, 64 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Compression: Enabled with Adaptive Compression
Disable IPv6: Checked
Verbosity level: 1 (default)
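
An added example, not part of the original post and not OPNsense or TorGuard code: the client settings above select a 64-bit block cipher, SHA1 and adaptive compression, and this script flags those choices when they appear as OpenVPN directives. The directive names are OpenVPN's own; both config texts are constructed samples, and whether the provider's servers accept the stronger values is an assumption.

```python
# Added example: audit OpenVPN client directives for legacy crypto settings.

# Constructed sample: the GUI choices above written as OpenVPN directives.
LEGACY_CONF = """\
client
dev tun
proto udp
remote atl.east.usa.torguardvpnaccess.com 443
remote-random
resolv-retry infinite
auth-user-pass
cipher BF-CBC
auth SHA1
comp-lzo adaptive
verb 1
"""

# Constructed counterpart; whether the provider accepts it is an assumption.
HARDENED_CONF = LEGACY_CONF.replace("BF-CBC", "AES-256-GCM") \
    .replace("SHA1", "SHA256").replace("comp-lzo adaptive\n", "")

SMALL_BLOCK = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")  # 64-bit block ciphers


def compresses(key, arg):
    """True when the directive turns payload compression on."""
    if key == "comp-lzo":
        return arg != "no"              # bare "comp-lzo" means adaptive
    return key == "compress" and arg in ("lzo", "lz4", "lz4-v2")


def audit(conf_text):
    """Return (line_no, directive, finding) tuples for risky directives."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # drop inline comments
        if not parts or parts[0].startswith(";"):
            continue
        key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "cipher" and arg.upper().startswith(SMALL_BLOCK):
            findings.append((no, " ".join(parts), "64-bit block cipher (birthday-bound collisions)"))
        elif key == "auth" and arg.upper() in ("MD5", "SHA1"):
            findings.append((no, " ".join(parts), "legacy HMAC digest; prefer SHA256 or stronger"))
        elif compresses(key, arg.lower()):
            findings.append((no, " ".join(parts), "compression can leak plaintext via ciphertext length"))
    return findings


if __name__ == "__main__":
    for finding in audit(LEGACY_CONF):
        print(finding)
    print("hardened findings:", audit(HARDENED_CONF))
```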

Create OpenVPN interface

Interfaces > Assignments > Click add to the right of TG OpenVPN
You should now see OPT1 on the left. Click OPT1.

Enable interface
Description: TGInterface

(leave everything else blank)

You should have a new interface called TGInterface

Firewall / NAT settings

Firewall > NAT > Outbound

Select: Manual outbound NAT rule generation (no automatic rules are being generated)
Click Save

Change every rule (if you have more than one) to the interface TGInterface. No other settings should change in each rule.

Check VPN status

VPN > OpenVPN > Connection Status

The status should say up.

Visit https://ipleak.net/ to confirm your traffic is leaving through the VPN.


Install BlackArch from scratch on fresh Arch with Gnome GUI

(Using release: 2019.05.02 on Virtualbox 6.0)

Download Arch (or use a mirror)

BlackArch is a great pentest tool, comparable to Kali Linux, but with a steeper learning curve. The biggest issue for most new users is the lack of out-of-the-box Gnome support.

I put together a combo of guides to get this working to make a comparable look and feel to Kali, but with Arch.

Specs

8GB RAM
128MB VGA
100GB thin provisioned HD
Network: bridged



Load the ISO and boot the machine. Once it comes up, verify network connectivity.

Disk creation

Type fdisk -l and you should see the 100GB drive.

The first partition we will create is the boot partition.

fdisk /dev/sda

n for new

p for the primary partition

1 for the first partition (sda1)

2048 (or enter for the default)

+500M for the space


Now we will create a swap partition.

n to create a new partition

p for primary

2 for the 2nd partition (sda2)

enter for the default sector

+8G for the swap file size

t to select the type

2 for the second, swap, partition

82 to make it a swap partition


Creating the 3rd partition

n to create the final partition using the rest of the space

p for primary

3 for the 3rd partition

enter to select the default drive sector start position

enter to select the last sector

w to write the changes

Finalize the filesystem

mkfs.ext2 /dev/sda1
mkswap /dev/sda2
mkfs.ext4 /dev/sda3


Mount the filesystem

mount /dev/sda3 /mnt
swapon /dev/sda2

Install the base and base-devel package groups

pacstrap /mnt/ base base-devel

Generate the fstab and write it to the new system

genfstab /mnt >> /mnt/etc/fstab

Change root into the new system

arch-chroot /mnt

Set System Language

echo "LANG=en_US.UTF-8" > /etc/locale.conf
sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen

Or open the file in a text editor of your choice and uncomment the line for your language.

vi /etc/locale.gen
en_US.UTF-8 UTF-8

Then run
locale-gen

Set the timezone

ln -sf /usr/share/zoneinfo/US/Central /etc/localtime
hwclock --systohc --utc

Create unique hostname

echo "systemname.host.local" > /etc/hostname

Change Root Password

passwd

Set up GRUB Bootloader

pacman -S grub
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

Update repositories

pacman -Syu

Enable dhcpcd service

systemctl enable dhcpcd

Create superuser account

useradd -m -G wheel yourname
passwd yourname

Enable sudo for the “wheel” group

sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/g' /etc/sudoers

Or edit the file manually
vi /etc/sudoers
Uncomment the following line
%wheel ALL=(ALL) ALL

Eject the ISO and reboot

Once the system comes back up, now would be a good time to shut down the system and create a snapshot.

Adding Gnome and lxdm

Using your superuser account, update the system
sudo pacman -Syu

Install the pre-requisites
sudo pacman -S xorg

Install Gnome and extras
sudo pacman -S gnome gnome-extra

Once that's complete, you need to install a display manager.
sudo pacman -S lxdm

Enable the service to start on boot
sudo systemctl enable lxdm.service

Once you restart, lxdm will allow you to choose to log in with Gnome.

Once you've verified everything works, turn the system off, remove the snapshot and create a new one.



Adding BlackArch software

curl -O https://blackarch.org/strap.sh
chmod +x strap.sh
sudo ./strap.sh

Download the master package list and synchronize
sudo pacman -Syyu

To install all of the tools (very large download), run
sudo pacman -S blackarch

To see the BlackArch categories, run
pacman -Sg | grep blackarch

You should now have BlackArch Linux apps installed on a fresh install of Arch using Gnome.





Thursday, June 28, 2018

Fix malformed SQLite DB in Tautulli (PlexPy) server in Windows


For those running Tautulli to monitor their Plex servers, sometimes DB issues happen. After upgrading from PlexPy to Tautulli I never had a solid footing on strange issues until I found a DB error and fixed it.

I kept seeing the following error in the logs:

Can't connect to the database: database disk image is malformed

To fix this, it's pretty simple. First you will need DB Browser for SQLite. The portable app works just fine if you don't want to install anything.

(If you need a more graphical guide, look at http://wordpress.semnaitik.com/repair-sqlite-database/ where I got most of this info from.)

Copy the tautulli.db file out of your plexpy/tautulli directory to work on.

In DB Browser for SQLite, click Open Database.

Go to the Execute SQL tab.

Run the following: PRAGMA integrity_check

Then click the Play button.

You will see errors if there are DB issues (if the integrity check passes, it's not DB related).

Export the DB to SQL format and leave all the default options checked.

Once the database export is complete, import the database. This will essentially "clean" it. It will take some time to import.

When importing, select a new file name/location to store the database. Replace your main Tautulli database with this new database and relaunch the app.
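
The same check and export/import cycle scripted with Python's built-in sqlite3 module, as an added example that is not part of the original post. The table name and rows are constructed sample data; going beyond the GUI steps, rebuild() also keeps whatever was exported before a read error and reports that the copy is incomplete.

```python
import os
import sqlite3
import tempfile


def integrity_errors(db_path):
    """Run PRAGMA integrity_check; return [] when SQLite answers 'ok'."""
    con = sqlite3.connect(db_path)
    try:
        rows = [r[0] for r in con.execute("PRAGMA integrity_check")]
    except sqlite3.DatabaseError as exc:  # e.g. "database disk image is malformed"
        rows = [str(exc)]
    finally:
        con.close()
    return [] if rows == ["ok"] else rows


def rebuild(src_path, dst_path):
    """Export src as SQL and replay it into a new file (dst_path must not exist).

    Returns (statements_replayed, complete); complete is False when the
    source became unreadable part-way through the export.
    """
    src = sqlite3.connect(src_path)
    # isolation_level=None: the dump's own BEGIN/COMMIT control the transaction.
    dst = sqlite3.connect(dst_path, isolation_level=None)
    replayed, complete = 0, True
    try:
        for stmt in src.iterdump():
            dst.execute(stmt)
            replayed += 1
    except sqlite3.DatabaseError:
        complete = False
        if dst.in_transaction:
            dst.execute("COMMIT")  # keep the rows exported before the error
    finally:
        src.close()
        dst.close()
    return replayed, complete


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    copy, fresh = os.path.join(work, "copy.db"), os.path.join(work, "rebuilt.db")
    con = sqlite3.connect(copy)  # constructed stand-in for the copied database
    con.execute("CREATE TABLE plays (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO plays (title) VALUES (?)",
                    [("episode %d" % i,) for i in range(500)])
    con.commit()
    con.close()
    print(integrity_errors(copy), rebuild(copy, fresh), integrity_errors(fresh))
```

Run it against the copy of the database, never the live file, and compare row counts before swapping the rebuilt file in when rebuild() reports an incomplete export.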


Saturday, May 19, 2018

Installing OpenIPC on WyzeCam v2 and adding to BlueIris


Wyze Cam is a fully functional $20 security camera. Out of the box, it works great.

The only problem is that there currently isn't a website where you can manage the camera or view footage. It's only available via a smartphone app.

While the app works great pushing files to the cloud and local storage, the camera doesn't utilize open standards like RTSP, so it's not compatible with Blue Iris.

That's where OpenIPC steps in. This is very new firmware, so expect these steps to change quite a bit. I'll try to keep it updated. There is a subreddit dedicated to OpenIPC as well.

This firmware will not erase or modify the built-in firmware, so no worries about bricking your device. If you remove the SD card and reboot the device, it will go back to the standard config.

While this can be annoying to some, the firmware is only in Alpha with non-open source code. There could be serious security risks, so this should only be used for testing and not production!

To install

Download Win32DiskImager

Try to use a 4GB or smaller MicroSD card for the install, if possible.

Download the latest IMG release file from here. (For instance openipc_v2-0.2.5.img or whichever release is newer). This will only work with the WyzeCam V2, not the V1.

Open Win32DiskImager and select the IMG file and the target MicroSD drive.

To set the Wifi password, edit the file <drive letter>:\config\wpa_supplicant.conf and change

ssid="SSID"

to whatever your network name is. Also, change the password field:

psk="PW"

Save the file and remove the card. Unplug the Wyze Camera and insert the MicroSD card.

To write the firmware, press and hold the bottom setup button while plugging the camera back in.

In about 6 seconds, when the light turns blue, release the button. Wait a few minutes to see it on your network.

You can scan your network with a smartphone app like Fing or a Windows app like Angry IP Scanner to locate the camera. It will show the following open ports:

21 ftp
22 ssh
23 telnet
80 http

If you browse to the IP from a browser, the login prompt will ask for a password. The defaults are:
dafang
ismart12

Blue Iris Setup

Adding the Wyze cam to Blue Iris is pretty straightforward. When you go to the config page it will provide you with the RTSP url. Just import this and that's it.


Just bear in mind: this should not be used for anything other than testing. You cannot change the password (easily) and even then, the firmware changes are not permanent.

An ideal solution would be to wait for the firmware to have a release candidate that allows you to add extra storage space that is instead being used for the OS.