Showing posts with label archlinux. Show all posts
Showing posts with label archlinux. Show all posts

2015-12-20

Raspberry Pi Zero inside a Lapdock 100

A lot of folks have used the Motorola Lapdock as a portable complement to the Raspberry Pi. It usually ends up as a big mess of cables. My Lapdock was actually used a lot with my last phone, as it was intended to. Occasionally, people would ask me if I was using it for a Pi. My response was "If I can figure out how to fit it inside, I'll try." I always figured it would involve de-soldering all the GPIO headers, network and USB jacks to make it thin enough to fit, then a bunch of soldering to hard-wire everything together.

With the announcement of the Raspberry Pi Zero, I knew it was finally time.

I did a little bit of recon inside the Lapdock case. Plenty of room for a Raspberry Pi Zero and some cables.


Opening up the LapDock isn't too hard. Start by prying the keyboard loose from the top, with a small flat-blade screwdriver or a spudger. Underneath, you will find a single ribbon cable for the keyboard, and a number of screws. Remove the keyboard and all visible screws. The only thing left holding the case together after that are the four screws on the bottom case, one at each corner.

Once I saw the layout inside, my plan was to place some pigtail connectors inside the chamber that the dock connector rests in when not in use. The speaker on the left bottom corner is kind of in the way.

I ordered two cables from Amazon:
Micro HDMI Female to Mini-HDMI Male
USB On-The-Go Extension

I tested everything outside the lapdock first.

Miraculously, both cables worked great. I'd read many horror stories of HDMI cables and adapters that didn't work well with the Raspberry Pi. Not bad for 12 bucks.

Inside, I got to work. First things first, remove the speaker, held in by two screws. Remove the battery, too. It sits loose in the case and is easily unplugged.

At this point, it was obvious to me that I couldn't put the pigtails inside the case where I had planned. There's just not enough room under the speaker. I took the top case apart a little further by removing the screws marked below.
 

I cut away a little piece of plastic under the speaker to open up some space near where the dock cable rests.
Then, I pried apart the upper part of the dock on one side, giving me enough room to make a cross-shaped hole in the rubber dock membrane by making two slices with a knife.

I'll have to run the pigtails through this corner of the phone dock. I routed the cables through the maze of plastic and shoved them through this hole.

I had to make sure the plugs were oriented properly for a good fit with the dock connector.

To make room for the Pi, I took a knife blade to some of the plastic structures inside the case. A tab (not shown) on the lower case lid also needed to be trimmed.


The final part before reassembly was trying to find a good way to route the cables so that the Lapdock could be reassembled nicely. I held the Raspberry Pi Zero down with some double-sided foam mounting tape once I had everything in position. This tape also insulates Pi from the metallic coating on the inside of the Lapdock's case, so don't skimp on it.

Once everything was buttoned back up, I plugged the dock connector into the pigtails again and powered the dock up.

The end result is a nice, self-contained computer powered by the Raspberry Pi Zero, but the dock is still usable for other devices.



Update: 2015-01-24

Frequently, you have to use the reset button on the bottom of the lapdock to get it to boot proplerly, and I wanted to be able to reset the dock with my pinkie finger. Also, I wanted a way to easily swap out MicroSD cards. To fix these two issues, I used a stepped drill bit to enlarge the reset pinhole and to give me access to the Pi Zero's card slot.


2015-12-12

PiTether: Mobile phone to ethernet bridge

Introduction

If you saw me at DefCon this year, you probably saw me using my HP Jornada. There was also a pretty good chance that you saw me getting it online in strange ways...
HACK THE PLANET! (Or just dial up a BBS...)
Since there aren't payphones everywhere, though, I built something interesting back in May, preparing for DefCon. It's a very simple Raspberry Pi ethernet bridge. I did this mostly to avoid using the open WiFi at DefCon, understanding that 3G/4G shenanigans are happening, but with a higher barrier to entry than the 802.11a/b/g/n/ac mess.

Yes, that's a Raspberry Pi Model B inside a case made of LEGO bricks.

Setting up Arch Linux

Being no stranger to building embedded systems, I decided to go with a bare-bones Arch Linux ARM install on a 2GB SD card. You could likely run with an even smaller card if you wanted to. The installation instructions are pretty straight-forward if you're familiar with the command line.

Once you have Arch Linux up and running on the Pi, I recommend changing the default passwords (alarm/alarm, root/root) and then doing a system update to get the latest packages from base. Simply connect the Pi to the Internet through its ethernet port, then run "pacman -Syyu" as root.

Configuring the network

The 3 interfaces we worry about are eth0, usb0 and br0. The first two basically work right out of the box:

/etc/systemd/network/eth0.network exists from the default installation, so the ethernet port is already set up for us.

When you activate USB Tethering from Android while plugged in to most modern Linux distros, it shows up as a network device (in this case, usb0) without any extra configuration.

br0 (the bridge interface) needs to be configured. First, we establish a netctl profile for it. Put the following text into a file called /etc/netctl/br0


Description="PiTether USB/Ethernet connection"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0 usb0)
IP=dhcp
SkipForwardingDelay=yes

Next, create a service file for systemd that calls netctl for the br0 interface. Put these contents in /etc/systemd/system/netctl@br0.service
.include /usr/lib/systemd/system/netctl@.service

[Unit]
Description=PiTether USB/Ethernet connection
BindsTo=sys-subsystem-net-devices-eth0.device
BindsTo=sys-subsystem-net-devices-usb0.device
After=sys-subsystem-net-devices-eth0.device
After=sys-subsystem-net-devices-usb0.device
Run the following command as root to enable the interface during start-up:

netctl enable br0

Reboot the Pi to make sure everything works as planned. To test:

  1. Plug in your phone and activate USB Tethering.
  2. Plug a device into the ethernet port of the Raspberry Pi
  3. Request a DHCP Lease (happens automatically on most devices)
  4. Try to browse the web or connect to something over the Internet (ping, ssh, etc)
As a finishing touch, I decided to make the entire filesystem read-only. This makes it so that the device can be safely powered off by simply unplugging it without any risk of corrupting the filesystem. I did this so that I never needed to SSH to it or hook up a console to safely shut it down. Since this is really a single-use project, this works pretty well. For more elaborate embedded-system work, I usually opt for a RAM disk configuration, but that's not needed here.

You can probably do this by sliding the write-protect tab on the SD card (for Pi A and B only) however, I opted to mark both filesystems "ro" in /etc/fstab. Apparently, root (/) is optional in fstab, but I added it by copying the /boot line and slightly altering the device and mountpoint fields. My /etc/fstab looks like this:
#
# /etc/fstab: static file system information
#
# file system   dir     type    options         dump    pass
/dev/mmcblk0p0  /       ext4    defaults,ro     0       0
/dev/mmcblk0p1  /boot   vfat    defaults,ro     0       0
You can give it one more reboot and test after that if you want. If you ever want to change anything in the filesystem, you can temporarily remount it read-write again by using the command "mount -o remount,rw /" while logged in as root. You can use that to remove ",ro" from the fstab options or to occasionally update packages.

2014-01-28

OpenVAS on BlackArch Linux: Installation Notes

OpenVAS can be tricky to set up. Once OpenVAS packages are installed, there's a bunch of steps you need to perform, and in a pretty specific order, to turn it into a working vulnerability scanner. There are four parts to OpenVAS: The Scanner service, the Manager service, the Administrator service, and then some front-end client. In this case, I'm demonstrating Greenbone Security Assistant, which is yet another service, an SSL web UI that you can access locally, or from another computer, for managing OpenVAS.

I recommend using sudo instead of doing everything as root, but you're obviously not obliged to do it that way. These instructions presume you are using sudo, though. Sudo isn't in the Arch base distribution, but you can add it with:

[root@spx ~]# pacman -S sudo

First, install all the packages. gsa is the web UI, while gsd is a graphical client that runs under X11. You don't need to install both of them, but I usually do. A bunch of dependencies will be added with these packages. Stuff in bold is what I typed. Everything else is terminal output. Most of the really verbose output is truncated and noted with my own commentary in ellipses.


[axon@spx ~]$ sudo pacman -S openvas-administrator openvas-manager openvas-scanner gsa gsd
resolving dependencies...

Packages (75): alsa-lib-1.0.27.2-1  cmake-2.8.12.1-3  damageproto-1.2.1-2
   ...
   ...
               openvas-administrator-1.3.2-4  openvas-manager-4.0.4-3
               openvas-scanner-3.4.0-5

Total Download Size:    73.21 MiB
Total Installed Size:   338.56 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages ...


Next, download all the OpenVAS NVT scripts. These are updated frequently. By default, OpenVAS doesn't ship with any scripts, so you need to download them. If there are no NVTs, OpenVAS scanner service doesn't like to start.


[axon@spx ~]$ sudo openvas-nvt-sync
... lots of text while the NVT scripts download ...
zyxel_pwd.nasl.asc
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok


Next, make the SSL Cert for OpenVAS with this handy script:

[axon@spx ~]$ sudo openvas-mkcert
 
Answer each prompt if you want, but as this is a private-use certificate, I usually just hit enter at all the prompts to accept the defaults. We also need to make a Client Cert for OpenVAS-Manager (om) like this:  

[axon@spx ~]$ sudo openvas-mkcert-client -n om -i
...
Write out database with 1 new entries
Data Base Updated
User om added to OpenVAS.





Start the OpenVAS Scanner service. This can take a really long time, and consumes a lot of RAM.

[axon@spx ~]$ sudo openvassd
Loading the OpenVAS plugins...base gpgme-Message: Setting GnuPG homedir to '/etc/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '2.0.22'
Loading the plugins... 1887 (out of 33836)




The OpenVAS Manager service requires an SQLite database, but none is created during package installation. Use the following command to create the database. It will sit there for a few minutes and return to the command line without saying anything. This is normal. 
[axon@spx ~]$ sudo openvasmd --rebuild
 

Start the OpenVAS Manager service. This runs quickly. 
[axon@spx ~]$ sudo openvasmd





Add a user to OpenVAS. You'll log into OpenVAS with these credentials. Pick a strong password, not the one I use here.
[axon@spx ~]$ sudo openvasad -c 'add_user' -n adminusername -w adminpassword
ad   main:MESSAGE:4484:2014-01-28 14h31.41 CST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:4484:2014-01-28 14h31.41 CST: User adminusername has been successfully created.


Start the OpenVAS Administrator service.
[axon@spx ~]$ sudo openvasad




I'm usually paranoid, and at this step, I check the process list for "openvas" services. You should see openvassd, openvasad and openvasmd all running. If not, look at the logs in /var/log/openvas to give you some hints, or check to make sure you performed each step necessay. If that all checks out, start a client, such as Greenbone Security Assistant.


[axon@spx ~]$ sudo gsad

Now just browse to https://localhost (or your BlackArch's network IP). You'll need to accept the self-signed certificate. Generating a new SSL cert for GSA is beyond the scope of this article.

2014-01-27

Introducing: BlackArch Linux

I've always admired Arch Linux, the spartan and light-weight Linux distro with its rolling release and clever package management system. At the same time, a lot of the security tools I know and love are difficult to compile, and found in few package repositories outside of Kali Linux, the Debian-derived distro that comes packed with pretty much every open-source security and penetration-testing tool that's relevant to today's researchers... and that's part of the problem. It's fun to play with new tools on occasion, but I rarely want or need all that stuff installed at once. Also, while I've spent more than enough time on Debian-family Linux distros thanks to a job managing Ubuntu LTS servers and hand-holding various friends and family through Ubuntu on desktops, it never quite felt like home as much as Arch does.

Enter BlackArch Linux, a package repository for arming your Arch Linux box to the teeth with all our favorite tools. There's also a collection of Live images to play with if that's more your style, but this relatively young project offers an appealing choice to those who prefer Arch. Getting BlackArch up and running is pretty straightforward.

I prefer to start with a basic Arch Linux installation. For the command-line adept and those familiar with Arch, the Arch Installation Guide is a no-nonsense checklist of things you need to do, while the Beginners' Guide offers a bit more hand-holding. I used both when getting back into Arch Linux a while ago. You'll need to partition your drive, format the filesystems, pacstrap it, set up the network, add a user, and some other basic things that are outlined in the guides. Installation difficulty is on par with OpenBSD, but with a little less guidance from a dedicated install script. Don't forget to set up a boot loader!

You'll probably want to customize your Arch Linux install, which may include setting up X11, a Display Manager and a Window Manager or Desktop Environment (handy for using a graphical web browser or GUI-driven tools such as BurpSuite). That's all covered in the Beginners' guide as well. I'm pretty fond of OpenBox with Conky, so I ended up with a pretty minimalist desktop, shown here.


Once you have Arch installed and a comfortable userland configured, you'll want to make sure it's up to date by running "pacman -Syu" and then you should install wget before moving on to installing BlackArch, if you haven't already:

pacman -S wget 

From there, you can simply follow the instructions on the BlackArch Download page. This will just add the repositories to your Arch Linux installation, and doesn't actually install the packages. You can opt to install all the packages at once with:

pacman -S blackarch

But in my opinion, the fact that you can pick and choose which tools to install makes it quite nice for devices like netbooks or other machines that you really don't want bogged down with hundreds of tools you don't need. The BlackArch download page outlines how to peruse their repository for the stuff you want, or installing groups of similar packages, such as "blackarch-scanner" and "blackarch-networking"

In my next post, I'll explain how to configure OpenVAS, and get it up and running on BlackArch. I frequently set this up in my security lab when introducing interns to vulnerability scanning, and it's usually a bit tricky to get running for the first time.