Setting up Kali 1.1.0 on the new Raspberry Pi 2

My new Raspberry Pi 2 arrived, and I wanted to install Kali on it. I was preparing to follow the steps of Richard Brain,  but before I started, the folks at Kali tweeted that there was now a download available. 

I downloaded the image, checked the hash, and burned it onto a 32GB SD card using

sudo dd if=kali-1.1.0-rpi2.img of=/dev/mmcblk0  bs=4M

I placed the SD card into my RPi2 and booted it up. Of course I generated new ssh keys

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart

I changed the root password


I updated the software

apt-get update
apt-get upgrade

Extending the root partition on Kali Raspberry Pi 2

Normally one you execute raspi-config to extend the root file system. However, Kali didn’t have it. Following the lead from rageweb, I use the following commands to install the necessary files

dpkg -i triggerhappy_0.3.4-2_armhf.deb
dpkg -i lua5.1_5.1.5-7.1_armhf.deb
dpkg -i raspi-config_20150131-1_all.deb

The information from the above link was out of date. So if these files don’t exist, go to the parent directory  and search for the appropriate file with the correct revision number. Also note that with a RPi 2, you need the armhf instead of the armel files.

Once I started raspi-config,  I selected the resize root partition option, and rebooted, and that problem was solved.

Improving the security of remote access on Kali

The next steps are obvious to experts, but I can’t tell how experienced the readers are. So feel free to skip this part if you are experienced. Advanced users should look into this post on setting up an encrypted filesystem (LUKS) on a Raspberry Pi.

I wanted to make sure that password-based root access was not allowed. Instead, to gain access, the user has to access the device physically (an attached monitor and keyboard, a serial interface, etc.) or else the user has to place public key into the account.

I copied my account’s public key onto the device

cd ~/.ssh
scp root@rpi2kali:/tmp

I had to type the password of course. Then I logged onto the machine

ssh -l root rpi2kali
Password: XXXXXXXX

Setting up a non-root account on Kali

It’s generally a bad idea to allow someone to get root access directly. I recommend that you create a new user, (I used the user ID of ‘kali’), grant them sudo access, and set their password:

useradd -m -s /bin/bash -d /home/kali kali
adduser kali sudo
passwd kali

Now we have to set up this account to allow ssh key-based remote access, using the public key that was copied to this device previously. (I prefer this, because copying and pasting text can modify the string).

su - kali
mkdir ~/.ssh
chmod 700 ~/.ssh
cp /tmp/ ~/.ssh/authorized_keys

Now test all this out. Make sure you can remotely log into the system, and execute the sudo command. It’s a good idea to have several remote windows open, so you can correct errors in one window, and test things out in the other.

Disabling remote root access and preventing password-based remote access on Kali

Once this is done, you can disable remote root access by changing yes to no in the line in /etc/ssh/sshd_config. You can also disable remote access that uses passwords.

Change the lines to be the following

#PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no

Then restart ssh

service ssh restart

Then make sure this all works. Try to log onto the root account remotely and you should see something like

ssh -l root rpi2kali 
Permission denied (publickey).

Then make sure that password-based remote access to the kali account is not allowed. You should get a similar error when trying to log onto the kali account from an account that isn’t in the authorized_keys file

Just remember to keep a window logged onto the machine while you test this, and to experiment by renaming the authorized_keys file. Also – you can use the ssh -vvv option to debug your remote ssh connection.

There’s a lot more you can do, like

  • Move the ssh service to a different port
  • add the ufw firewall package
  • Limit the remote access to specific IP ranges
  • Limit access to the built-in Ethernet port only, and prevent WiFI access
  • etc.

I’ll fill in more later.  But that’s enough to get you started.


Posted in Hacking, Linux, Security, System Administration | Tagged , , | 1 Comment

Extracting shell commands from Kali’s application menu

I use the Linux command line whenever I can.  Using the mouse to execute something when my fingers are on the keyboard irritates me.

I was using the Kali linux distribution to do some pentesting. And I was getting frustrated.

  • Some menu commands I wanted to execute on every reboot
  • Some menu commands had to be navigated down 4 or 5 menus to select
  • Some menu commands had to be executed multiple times in a row (like openvas check setup)
  • Some menu commands had a description that didn’t match the command line at all
  • I wanted the list of tools that were available, and paste this into a report. But there was no easy way to copy and paste the text from the menu into a file.

In general, I wanted to find out what exactly was executed when I used the menu to select an option from the Kali software.

So I wrote a script.

I wanted the script to generate this information for me. It didn’t take long, and it’s not very elegant, and this blog post takes much longer that it took me to write the script.

Yes, I could write a single program that does this by reading the file once, and generating the information in whatever format I wanted. But I just wanted I thought others may like this simple script.


# parsemenu - Bruce Barnett 2015
# this script will parse the kali gnome menu and get the 
# name of the tools that are in the menu

# First find all of the menu names
menus=`cat  $TOP/*desktop  | sed -n 's/Categories=//p' | \
tr ';' '\n' | sort -n | uniq`
cd $TOP
for m in $menus
    echo $m
    # Which apps are in this menu?
    files=`grep -l $m *.desktop` 
    for file in $files
        # get the name of the menu entry
        name=`sed -n 's/Name=//p' <$file`
        # get the shell command that is executed
        exec=`sed -n 's/Exec=//p' <$file | sed 's/^sh -c "\(.*\)"/\1/'`
        # Print it out
        echo "\t$name : $exec"

Kali Programs Available in from the menu

And here is the output:

    aircrack-ng : aircrack-ng --help;${SHELL:-bash}
    burpsuite : java -jar /usr/bin/burpsuite
    hydra : hydra -h;${SHELL:-bash}
    john : john;${SHELL:-bash}
    maltego : maltego
    metasploit framework : msfconsole;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    sqlmap : sqlmap -h;${SHELL:-bash}
    wireshark : wireshark
    owasp-zap : zap
    dnsdict6 : dnsdict6;${SHELL:-bash}
    dnsenum : dnsenum -h;${SHELL:-bash}
    dnsmap : dnsmap;${SHELL:-bash}
    dnsrecon : dnsrecon -h;${SHELL:-bash}
    dnsrevenum6 : dnsrevenum6;${SHELL:-bash}
    dnstracer : dnstracer;${SHELL:-bash}
    dnswalk : dnswalk --help;${SHELL:-bash}
    fierce : fierce -h;${SHELL:-bash}
    maltego : maltego
    nmap : nmap;${SHELL:-bash}
    urlcrazy : urlcrazy -h;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    alive6 : alive6;${SHELL:-bash}
    arping : arping;${SHELL:-bash}
    cdpsnarf : cdpsnarf -h;${SHELL:-bash}
    detect-new-ip6 : detect-new-ip6;${SHELL:-bash}
    detect_sniffer6 : detect_sniffer6;${SHELL:-bash}
    dmitry : dmitry;${SHELL:-bash}
    dnmap-client : dnmap_client;${SHELL:-bash}
    dnmap-server : dnmap_server;${SHELL:-bash}
    firewalk : firewalk;${SHELL:-bash}
    fping : fping -h;${SHELL:-bash}
    hping3 : hping3 -h;${SHELL:-bash}
    inverse_lookup6 : inverse_lookup6;${SHELL:-bash}
    masscan : masscan --help;${SHELL:-bash}
    miranda : miranda -h;${SHELL:-bash}
    ncat : ncat -h;${SHELL:-bash}
    netdiscover : netdiscover -h;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    passive_discovery6 : passive_discovery6;${SHELL:-bash}
    thcping6 : thcping6;${SHELL:-bash}
    unicornscan : us -h;${SHELL:-bash}
    wol-e : wol-e -h;${SHELL:-bash}
    xprobe2 : xprobe2 -h;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    firewalk : firewalk;${SHELL:-bash}
    fragroute : fragroute -h;${SHELL:-bash}
    fragrouter : fragrouter -h;${SHELL:-bash}
    ftest : ftest;${SHELL:-bash}
    lbd : lbd;${SHELL:-bash}
    wafw00f : wafw00f -h;${SHELL:-bash}
    dmitry : dmitry;${SHELL:-bash}
    dnmap-client : dnmap_client;${SHELL:-bash}
    dnmap-server : dnmap_server;${SHELL:-bash}
    masscan : masscan --help;${SHELL:-bash}
    netdiscover : netdiscover -h;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    unicornscan : us -h;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    0trace :;${SHELL:-bash}
    cdpsnarf : cdpsnarf -h;${SHELL:-bash}
    ftest : ftest;${SHELL:-bash}
    intrace : intrace;${SHELL:-bash}
    irpas-ass : ass -h;${SHELL:-bash}
    irpass-cdp : cdp;${SHELL:-bash}
    p0f : p0f -h;${SHELL:-bash}
    tcpflow : tcpflow -h;${SHELL:-bash}
    wireshark : wireshark
    xplico start : service xplico start;${SHELL:-bash}
    xplico stop : service xplico stop;${SHELL:-bash}
    xplico : xdg-open http://localhost:9876
    dnmap-client : dnmap_client;${SHELL:-bash}
    dnmap-server : dnmap_server;${SHELL:-bash}
    masscan : masscan --help;${SHELL:-bash}
    miranda : miranda -h;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    unicornscan : us -h;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    casefile : casefile
    creepy : creepy
    dmitry : dmitry;${SHELL:-bash}
    jigsaw : jigsaw -h;${SHELL:-bash}
    maltego : maltego
    metagoofil : metagoofil;${SHELL:-bash}
    recon-ng : recon-ng
    theharvester : theharvester;${SHELL:-bash}
    twofi : twofi -h;${SHELL:-bash}
    urlcrazy : urlcrazy -h;${SHELL:-bash}
    0trace :;${SHELL:-bash}
    dnmap-client : dnmap_client;${SHELL:-bash}
    dnmap-server : dnmap_server;${SHELL:-bash}
    intrace : intrace;${SHELL:-bash}
    netmask : netmask -h;${SHELL:-bash}
    trace6 : trace6;${SHELL:-bash}
    dnmap-client : dnmap_client;${SHELL:-bash}
    dnmap-server : dnmap_server;${SHELL:-bash}
    implementation6 : implementation6;${SHELL:-bash}
    implementation6d : implementation6d;${SHELL:-bash}
    ncat : ncat -h;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    sslscan : sslscan;${SHELL:-bash}
    sslyze : sslyze -h;${SHELL:-bash}
    tlssled : tlssled;${SHELL:-bash}
    unicornscan : us -h;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    acccheck : acccheck;${SHELL:-bash}
    nbtscan : nbtscan -h;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    smtp-user-enum : smtp-user-enum -h;${SHELL:-bash}
    swaks : swaks --help;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    braa : braa -h;${SHELL:-bash}
    cisco-auditing-tool : CAT;${SHELL:-bash}
    cisco-torch : cisco-torch;${SHELL:-bash}
    copy-router-config :;${SHELL:-bash}
    merge-router-config :;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    onesixtyone : onesixtyone;${SHELL:-bash}
    snmpcheck : snmpcheck -h;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    sslcaudit : sslcaudit -h;${SHELL:-bash}
    ssldump : ssldump -h;${SHELL:-bash}
    sslh : sslh -h;${SHELL:-bash}
    sslscan : sslscan;${SHELL:-bash}
    sslsniff : sslsniff;${SHELL:-bash}
    sslsplit : sslsplit -h;${SHELL:-bash}
    sslstrip : sslstrip -h;${SHELL:-bash}
    sslyze : sslyze -h;${SHELL:-bash}
    stunnel4 : stunnel4 -h;${SHELL:-bash}
    tlssled : tlssled;${SHELL:-bash}
    ace : ace;${SHELL:-bash}
    ace : ace;${SHELL:-bash}
    enumiax : enumiax -h;${SHELL:-bash}
    ike-scan : ike-scan -h;${SHELL:-bash}
    0trace :;${SHELL:-bash}
    dnmap-client : dnmap_client;${SHELL:-bash}
    dnmap-server : dnmap_server;${SHELL:-bash}
    intrace : intrace;${SHELL:-bash}
    netdiscover : netdiscover -h;${SHELL:-bash}
    netmask : netmask -h;${SHELL:-bash}
    trace6 : trace6;${SHELL:-bash}
    cisco-auditing-tool : CAT;${SHELL:-bash}
    cisco-global-exploiter :;${SHELL:-bash}
    cisco-ocs : cisco-ocs;${SHELL:-bash}
    cisco-torch : cisco-torch;${SHELL:-bash}
    copy-router-config :;${SHELL:-bash}
    merge-router-config :;${SHELL:-bash}
    yersinia : yersinia --help;${SHELL:-bash}
    copy-router-config :;${SHELL:-bash}
    merge-router-config :;${SHELL:-bash}
    bed : bed;${SHELL:-bash}
    fuzz_ip6 : fuzz_ip6;${SHELL:-bash}
    ohrwurm : ohrwurm;${SHELL:-bash}
    powerfuzzer : powerfuzzer;${SHELL:-bash}
    sfuzz : sfuzz -h;${SHELL:-bash}
    siparmyknife : siparmyknife;${SHELL:-bash}
    spike-generic_chunked : generic_chunked;${SHELL:-bash}
    spike-generic_listen_tcp : generic_listen_tcp;${SHELL:-bash}
    spike-generic_send_tcp : generic_send_tcp;${SHELL:-bash}
    spike-generic_send_udp : generic_send_udp;${SHELL:-bash}
    clusterd : clusterd -h;${SHELL:-bash}
    golismero : golismero -h;${SHELL:-bash}
    lynis : lynis -h;${SHELL:-bash}
    nikto : nikto -h;${SHELL:-bash}
    nmap : nmap;${SHELL:-bash}
    unix-privesc-check : unix-privesc-check;${SHELL:-bash}
    zenmap : zenmap;${SHELL:-bash}
    casefile : casefile
    maltego : maltego
    recon-ng : recon-ng
    bbqsql : bbqsql;${SHELL:-bash}
    dbpwaudit : dbpwaudit;${SHELL:-bash}
    hexorbase : hexorbase
    jsql : jsql
    mdb-export : mdb-export;${SHELL:-bash}
    mdb-hexdump : mdb-hexdump;${SHELL:-bash}
    mdb-parsecsv : mdb-parsecsv;${SHELL:-bash}
    mdb-sql : mdb-sql -h;${SHELL:-bash}
    mdb-tables : mdb-tables;${SHELL:-bash}
    oscanner : oscanner;${SHELL:-bash}
    sidguesser : sidguess;${SHELL:-bash}
    sqldict : sqldict
    sqlmap : sqlmap -h;${SHELL:-bash}
    sqlninja : sqlninja;${SHELL:-bash}
    sqlsus : sqlsus -h;${SHELL:-bash}
    tnscmd10g : tnscmd10g;${SHELL:-bash}
    openvas check setup : openvas-check-setup;${SHELL:-bash}
    openvas feed update : openvas-feed-update;${SHELL:-bash}
    openvas initial setup : openvas-setup;${SHELL:-bash}
    openvas start : openvas-start;${SHELL:-bash}
    openvas stop : openvas-stop;${SHELL:-bash}
    openvas-gsd : gsd
    blindelephant : -h;${SHELL:-bash}
    plecost : plecost -h;${SHELL:-bash}
    wpscan : wpscan --help;${SHELL:-bash}
    ua-tester : ua-tester;${SHELL:-bash}
    apache-users : apache-users;${SHELL:-bash}
    burpsuite : java -jar /usr/bin/burpsuite
    cutycapt : cutycapt --help;${SHELL:-bash}
    dirb : dirb;${SHELL:-bash}
    dirbuster : dirbuster;${SHELL:-bash}
    owasp-mantra-ff : owasp-mantra-ff
    vega : vega
    webscarab : webscarab
    webslayer : webslayer;${SHELL:-bash}
    owasp-zap : zap
    arachni_web : arachni_web;${SHELL:-bash}
    burpsuite : java -jar /usr/bin/burpsuite
    cadaver : cadaver;${SHELL:-bash}
    clusterd : clusterd -h;${SHELL:-bash}
    davtest : davtest;${SHELL:-bash}
    deblaze : -h;${SHELL:-bash}
    fimap : fimap -h;${SHELL:-bash}
    golismero : golismero -h;${SHELL:-bash}
    grabber : grabber -h;${SHELL:-bash}
    joomscan : joomscan;${SHELL:-bash}
    jsql : jsql
    nikto : nikto -h;${SHELL:-bash}
    owasp-mantra-ff : owasp-mantra-ff
    padbuster : padbuster;${SHELL:-bash}
    proxystrike : proxystrike
    skipfish : skipfish -h;${SHELL:-bash}
    sqlmap : sqlmap -h;${SHELL:-bash}
    uniscan-gui : uniscan-gui
    vega : vega
    wapiti : wapiti -h;${SHELL:-bash}
    webscarab : webscarab
    webshag-gui : webshag-gui;${SHELL:-bash}
    websploit : websploit;${SHELL:-bash}
    whatweb : whatweb -h;${SHELL:-bash}
    wpscan : wpscan --help;${SHELL:-bash}
    xsser : xsser -h;${SHELL:-bash}
    owasp-zap : zap
    w3af : w3af
    burpsuite : java -jar /usr/bin/burpsuite
    owasp-mantra-ff : owasp-mantra-ff
    paros : paros
    proxystrike : proxystrike
    vega : vega
    webscarab : webscarab
    owasp-zap : zap
    burpsuite : java -jar /usr/bin/burpsuite
    owasp-mantra-ff : owasp-mantra-ff
    powerfuzzer : powerfuzzer;${SHELL:-bash}
    webscarab : webscarab
    webslayer : webslayer;${SHELL:-bash}
    websploit : websploit;${SHELL:-bash}
    wfuzz : wfuzz;${SHELL:-bash}
    xsser : xsser -h;${SHELL:-bash}
    owasp-zap : zap
    bbqsql : bbqsql;${SHELL:-bash}
    sqlninja : sqlninja;${SHELL:-bash}
    sqlsus : sqlsus -h;${SHELL:-bash}
    hydra-gtk : xhydra
    acccheck : acccheck;${SHELL:-bash}
    burpsuite : java -jar /usr/bin/burpsuite
    cewl : cewl --help;${SHELL:-bash}
    cisco-auditing-tool : CAT;${SHELL:-bash}
    dbpwaudit : dbpwaudit;${SHELL:-bash}
    findmyhash : findmyhash;${SHELL:-bash}
    hydra : hydra -h;${SHELL:-bash}
    keimpx : keimpx -h;${SHELL:-bash}
    medusa : medusa -h;${SHELL:-bash}
    ncrack : ncrack -h;${SHELL:-bash}
    onesixtyone : onesixtyone;${SHELL:-bash}
    owasp-mantra-ff : owasp-mantra-ff
    patator : patator -h;${SHELL:-bash}
    phrasendrescher : pd -h;${SHELL:-bash}
    thc-pptp-bruter : thc-pptp-bruter;${SHELL:-bash}
    webscarab : webscarab
    owasp-zap : zap
    cachedump : cachedump -h;${SHELL:-bash}
    chntpw : chntpw -h;${SHELL:-bash}
    cmospwd : cmospwd;${SHELL:-bash}
    crackle : crackle;${SHELL:-bash}
    crunch : crunch;${SHELL:-bash}
    dictstat : dictstat -h;${SHELL:-bash}
    fcrackzip : fcrackzip --help;${SHELL:-bash}
    hash-identifier : hash-identifier;${SHELL:-bash}
    hashcat : hashcat --help;${SHELL:-bash}
    hashid : hashid -h;${SHELL:-bash}
    john : john;${SHELL:-bash}
    johnny : johnny;${SHELL:-bash}
    lsadump : lsadump -h;${SHELL:-bash}
    maskgen : maskgen -h;${SHELL:-bash}
    multiforcer : multiforcer --help;${SHELL:-bash}
    oclhashcat : oclhashcat;${SHELL:-bash}
    ophcrack-cli : ophcrack-cli;${SHELL:-bash}
    ophcrack : ophcrack
    policygen : policygen -h;${SHELL:-bash}
    pwdump : pwdump -h;${SHELL:-bash}
    pyrit : pyrit -h;${SHELL:-bash}
    rainbowcrack : rcrack;${SHELL:-bash}
    rcracki_mt : rcracki_mt;${SHELL:-bash}
    rsmangler : rsmangler -h;${SHELL:-bash}
    samdump2 : samdump2 -h;${SHELL:-bash}
    sipcrack : sipcrack -h;${SHELL:-bash}
    sucrack : man sucrack;${SHELL:-bash}
    truecrack : truecrack -h;${SHELL:-bash}
    oclhashcat : oclhashcat;${SHELL:-bash}
    pyrit : pyrit -h;${SHELL:-bash}
    pth-curl : pth-curl -h;${SHELL:-bash}
    pth-net : pth-net help;${SHELL:-bash}
    pth-openchangeclient : pth-openchangeclient --help;${SHELL:-bash}
    pth-rpcclient : pth-rpcclient -h;${SHELL:-bash}
    pth-smbclient : pth-smbclient -h;${SHELL:-bash}
    pth-smbget : pth-smbget --help;${SHELL:-bash}
    pth-sqsh : pth-sqsh --help;${SHELL:-bash}
    pth-winexe : pth-winexe -h;${SHELL:-bash}
    pth-wmic : pth-wmic -h;${SHELL:-bash}
    pth-wmis : pth-wmis -h;${SHELL:-bash}
    pth-xfreerdp : xfreerdp;${SHELL:-bash}
    aircrack-ng : aircrack-ng --help;${SHELL:-bash}
    asleap : asleap -h;${SHELL:-bash}
    bully : bully;${SHELL:-bash}
    cowpatty : cowpatty;${SHELL:-bash}
    eapmd5pass : eapmd5pass -h;${SHELL:-bash}
    fern-wifi-cracker : fern-wifi-cracker
    freeradius-wpe : freeradius -h;${SHELL:-bash}
    genkeys : genkeys;${SHELL:-bash}
    genpmk : genpmk;${SHELL:-bash}
    giskismet : giskismet -h;${SHELL:-bash}
    kismet : kismet -h;${SHELL:-bash}
    mdk3 : mdk3 --help;${SHELL:-bash}
    wash : wash -h;${SHELL:-bash}
    wifi-honey : wifi-honey -h;${SHELL:-bash}
    wifiarp : wifiarp -h;${SHELL:-bash}
    wifidns : wifidns -h;${SHELL:-bash}
    wifiping : wifiping -h;${SHELL:-bash}
    wifitap : wifitap -h;${SHELL:-bash}
    wifite : wifite --help;${SHELL:-bash}
    bluelog : bluelog -h;${SHELL:-bash}
    bluemaho :;${SHELL:-bash}
    blueranger :;${SHELL:-bash}
    bluesnarfer : bluesnarfer;${SHELL:-bash}
    btscanner : btscanner -h;${SHELL:-bash}
    crackle : crackle;${SHELL:-bash}
    redfang : fang -h;${SHELL:-bash}
    spooftooph : spooftooph -h;${SHELL:-bash}
    mfcuk : mfcuk -h;${SHELL:-bash}
    mfoc : mfoc -h;${SHELL:-bash}
    mfterm : mfterm -h;${SHELL:-bash}
    mifare-classic-format : mifare-classic-format -h;${SHELL:-bash}
    nfc-list : nfc-list -h;${SHELL:-bash}
    nfc-mfclassic : nfc-mfclassic -h;${SHELL:-bash}
    select tag : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    continuous select tag : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    chip & pin info :;${SHELL:-bash}
    jcop mifare read/write : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    jcop info : -R RFIDIOt.rfidiot.READER_PCSC INFO;${SHELL:-bash}
    jcop set atr historical bytes : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    bruteforce mifare : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    calculate jcop mifare keys : ;${SHELL:-bash}
    epassport read/write/clone : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    read mifare : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    read tag : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    identify hf tag type : -R RFIDIOt.rfidiot.READER_PCSC;${SHELL:-bash}
    test acg lahf :;${SHELL:-bash}
    select tag : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    continuous select tag : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    copy iso15693 tag : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    read acg reader eeprom : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    set fdx-b id : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    format mifare 1k value blocks : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    brute force hitag2 : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    jcop mifare read write : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    jcop info : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600 INFO;${SHELL:-bash}
    jcop set atr historical bytes : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    identify lf tag type : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    bruteforce mifare : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    calculate jcop mifare keys : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    epassport read write clone : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    reset q5 tag : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600 CONTROL ID;${SHELL:-bash}
    read lf tag : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    read mifare : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    read tag : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    read write clone unique (em4x02) : -R RFIDIOt.rfidiot.READER_ACG -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    identify hf tag type : -R RFIDIOt.rfidiot.READER_ACG -s 9600 -l /dev/ttyUSB0; ${SHELL:-bash}
    test frosch reader
test frosch reader : -R RFIDIOt.rfidiot.READER_FROSCH -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    set fdx-b id : -R RFIDIOt.rfidiot.READER_FROSCH -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    read write clone unique (em4x02) : -R RFIDIOt.rfidiot.READER_FROSCH -l /dev/ttyUSB0 -s 9600;${SHELL:-bash}
    reset hitag2 tag : -R RFIDIOt.rfidiot.READER_FROSCH -l /dev/ttyUSB0 -s 9600 CONTROL;${SHELL:-bash}
    ubertooth util : ubertooth-util -h;${SHELL:-bash}
    zbassocflood : zbassocflood -h;${SHELL:-bash}
    zbdsniff : zbdsniff;${SHELL:-bash}
    zbdump : zbdump -h;${SHELL:-bash}
    zbfind : zbfind
    zbgoodfind : zbgoodfind -h;${SHELL:-bash}
    zbreplay : zbreplay -h;${SHELL:-bash}
    zbstumbler : zbstumbler -h;${SHELL:-bash}
    gnuradio-companion : gnuradio-companion
    gqrx : gqrx
    gr-scan : gr-scan --help;${SHELL:-bash}
    modes_gui : modes_gui
    rfcat : rfcat -h;${SHELL:-bash}
    rtl_adsb : rtl_adsb -h;${SHELL:-bash}
    rtl_fm : rtl_fm -h;${SHELL:-bash}
    rtl_sdr : rtl_sdr;${SHELL:-bash}
    rtl_tcp : rtl_tcp -h;${SHELL:-bash}
    rtl_test : rtl_test -h;${SHELL:-bash}
    rtlsdr-scanner : rtlsdr-scanner
    copy-router-config :;${SHELL:-bash}
    merge-router-config :;${SHELL:-bash}
    cisco-auditing-tool : CAT;${SHELL:-bash}
    cisco-global-exploiter :;${SHELL:-bash}
    cisco-ocs : cisco-ocs;${SHELL:-bash}
    cisco-torch : cisco-torch;${SHELL:-bash}
    yersinia : yersinia --help;${SHELL:-bash}
    metasploit framework : msfconsole;${SHELL:-bash}
    metasploit diagnostic logs  : /opt/metasploit/;${SHELL:-bash}
    metasploit diagnostic shell : /opt/metasploit/diagnostic_shell;${SHELL:-bash}
    metasploit community / pro : /opt/metasploit/scripts/
    update metasploit : msfupdate;${SHELL:-bash}
    creepy : creepy
    armitage : armitage;${SHELL:-bash}
    exploit6 : exploit6;${SHELL:-bash}
    ikat : ikat;${SHELL:-bash}
    jboss-autopwn-linux : jboss-linux;${SHELL:-bash}
    jboss-autopwn-win : jboss-win;${SHELL:-bash}
    termineter : termineter -h;${SHELL:-bash}
    beef : beef-xss;${SHELL:-bash}
    setoolkit : setoolkit;${SHELL:-bash}
    sandi-gui : sandi-gui
    searchsploit : searchsploit;${SHELL:-bash}
    ginguma : ginguma
    inguma : inguma;${SHELL:-bash}
    edb-debugger : edb;${SHELL:-bash}
    NASM shell : cd /usr/share/metasploit-framework/tools && ./nasm_shell.rb;${SHELL:-bash}
    ollydbg : ollydbg
    pattern create : cd /usr/share/metasploit-framework/tools && ./pattern_create.rb;${SHELL:-bash}
    pattern offset : cd /usr/share/metasploit-framework/tools && ./pattern_offset.rb;${SHELL:-bash}
    shellnoob : shellnoob;${SHELL:-bash}
    ace : ace;${SHELL:-bash}
    msgsnarf : msgsnarf -h;${SHELL:-bash}
    iaxflood : iaxflood;${SHELL:-bash}
    inviteflood : inviteflood -h;${SHELL:-bash}
    ohrwurm : ohrwurm;${SHELL:-bash}
    protos-sip : protos-sip -help;${SHELL:-bash}
    rtpbreak : rtpbreak -h;${SHELL:-bash}
    rtpflood : rtpflood;${SHELL:-bash}
    rtpinsertsound : rtpinsertsound -h;${SHELL:-bash}
    rtpmixsound : rtpmixsound -h;${SHELL:-bash}
    sctpscan : sctpscan;${SHELL:-bash}
    siparmyknife : siparmyknife;${SHELL:-bash}
    sipp : sipp -h;${SHELL:-bash}
    sipsak : sipsak -h;${SHELL:-bash}
    svcrack : svcrack -h;${SHELL:-bash}
    svcrash : svcrash -h;${SHELL:-bash}
    svmap : svmap -h;${SHELL:-bash}
    svreport : svreport -h;${SHELL:-bash}
    svwar : svwar -h;${SHELL:-bash}
    voiphopper : voiphopper;${SHELL:-bash}
    darkstat : darkstat;${SHELL:-bash}
    dnschef : dnschef -h;${SHELL:-bash}
    dnsspoof : dnsspoof -h;${SHELL:-bash}
    dsniff : dsniff -h;${SHELL:-bash}
    ettercap-graphical : ettercap -G
    ettercap-text : ettercap -h
    hexinject : hexinject -h;${SHELL:-bash}
    mailsnarf : mailsnarf -h;${SHELL:-bash}
    msgsnarf : msgsnarf -h;${SHELL:-bash}
    netsniff-ng : netsniff-ng -h;${SHELL:-bash}
    passive_discovery6 : passive_discovery6;${SHELL:-bash}
    responder : responder -h;${SHELL:-bash}
    sslsniff : sslsniff;${SHELL:-bash}
    tcpflow : tcpflow -h;${SHELL:-bash}
    urlsnarf : urlsnarf -h;${SHELL:-bash}
    webmitm : webmitm -h;${SHELL:-bash}
    webspy : webspy -h;${SHELL:-bash}
    wireshark : wireshark
    dnschef : dnschef -h;${SHELL:-bash}
    ettercap-graphical : ettercap -G
    ettercap-text : ettercap -h
    fake_advertise6 : fake_advertise6;${SHELL:-bash}
    fake_dhcps6 : fake_dhcps6;${SHELL:-bash}
    fake_dns6d : fake_dns6d;${SHELL:-bash}
    fake_dnsupdate6 : fake_dnsupdate6;${SHELL:-bash}
    fake_mipv6 : fake_mipv6;${SHELL:-bash}
    fake_mld26 : fake_mld26;${SHELL:-bash}
    fake_mld6 : fake_mld6;${SHELL:-bash}
    fake_mldrouter6 : fake_mldrouter6;${SHELL:-bash}
    fake_router26 : fake_router26;${SHELL:-bash}
    fake_router6 : fake_router6;${SHELL:-bash}
    fake_solicitate6 : fake_solicitate6;${SHELL:-bash}
    fiked : fiked -h;${SHELL:-bash}
    evilgrade : evilgrade;${SHELL:-bash}
    macchanger : macchanger -h;${SHELL:-bash}
    parasite6 : parasite6;${SHELL:-bash}
    randicmp6 : randicmp6;${SHELL:-bash}
    rebind : rebind;${SHELL:-bash}
    redir6 : redir6;${SHELL:-bash}
    responder : responder -h;${SHELL:-bash}
    sniffjoke : sniffjoke --help;${SHELL:-bash}
    sslsplit : sslsplit -h;${SHELL:-bash}
    sslstrip : sslstrip -h;${SHELL:-bash}
    tcpreplay : tcpreplay -h;${SHELL:-bash}
    wifi-honey : wifi-honey -h;${SHELL:-bash}
    yersinia : yersinia --help;${SHELL:-bash}
    driftnet : driftnet -h;${SHELL:-bash}
    burpsuite : java -jar /usr/bin/burpsuite
    dnsspoof : dnsspoof -h;${SHELL:-bash}
    ferret : ferret;${SHELL:-bash}
    hamster : hamster;${SHELL:-bash}
    mitmproxy : mitmproxy -h;${SHELL:-bash}
    owasp-mantra-ff : owasp-mantra-ff
    urlsnarf : urlsnarf -h;${SHELL:-bash}
    webmitm : webmitm -h;${SHELL:-bash}
    webscarab : webscarab
    webspy : webspy -h;${SHELL:-bash}
    owasp-zap : zap
    cymothoa : cymothoa -h;${SHELL:-bash}
    dbd : dbd -h;${SHELL:-bash}
    intersect : intersect;${SHELL:-bash}
    powersploit : cd /usr/share/powersploit/ && ls;${SHELL:-bash}
    sbd : sbd -h;${SHELL:-bash}
    u3-pwn : u3-pwn;${SHELL:-bash}
    cryptcat : cryptcat -h;${SHELL:-bash}
    dbd : dbd -h;${SHELL:-bash}
    dns2tcpc : dns2tcpc;${SHELL:-bash}
    dns2tcpd : dns2tcpd;${SHELL:-bash}
    iodine : iodine-client-start -h;${SHELL:-bash}
    miredo : miredo -h;${SHELL:-bash}
    ncat : ncat -h;${SHELL:-bash}
    proxychains : proxychains;${SHELL:-bash}
    proxytunnel : proxytunnel -h;${SHELL:-bash}
    ptunnel : ptunnel -h;${SHELL:-bash}
    pwnat : pwnat -h;${SHELL:-bash}
    sbd : sbd -h;${SHELL:-bash}
    socat : socat -h;${SHELL:-bash}
    sslh : sslh -h;${SHELL:-bash}
    stunnel4 : stunnel4 -h;${SHELL:-bash}
    udptunnel : udptunnel -h;${SHELL:-bash}
    webacoo : webacoo -h;${SHELL:-bash}
    weevely : weevely;${SHELL:-bash}
    edb-debugger : edb;${SHELL:-bash}
    ollydbg : ollydbg
    jad : jad;${SHELL:-bash}
    jd-gui : jd-gui
    rabin2 : rabin2 -h;${SHELL:-bash}
    radiff2 : radiff2;${SHELL:-bash}
    rasm2 : rasm2;${SHELL:-bash}
    recstudio-cli : recstudio-cli;${SHELL:-bash}
    recstudio : recstudio
    apktool : apktool;${SHELL:-bash}
    clang++ : clang++ --help;${SHELL:-bash}
    clang : clang --help;${SHELL:-bash}
    dex2jar : d2j-dex2jar -h;${SHELL:-bash}
    flasm : flasm;${SHELL:-bash}
    javasnoop : javasnoop
    radare2 : radare2 -h;${SHELL:-bash}
    rafind2 : rafind2 -h;${SHELL:-bash}
    ragg2-cc : ragg2-cc;${SHELL:-bash}
    ragg2 : ragg2 -h;${SHELL:-bash}
    rahash2 : rahash2 -h;${SHELL:-bash}
    rarun2 : rarun2;${SHELL:-bash}
    rax2 : rax2 -h;${SHELL:-bash}
    denial6 : denial6;${SHELL:-bash}
    dhcpig : -h;${SHELL:-bash}
    dos-new-ip6 : dos-new-ip6;${SHELL:-bash}
    flood_advertise6 : flood_advertise6;${SHELL:-bash}
    flood_dhcpc6 : flood_dhcpc6;${SHELL:-bash}
    flood_mld26 : flood_mld26;${SHELL:-bash}
    flood_mld6 : flood_mld6;${SHELL:-bash}
    flood_mldrouter6 : flood_mldrouter6;${SHELL:-bash}
    flood_router26 : flood_router26;${SHELL:-bash}
    flood_router6 : flood_router6;${SHELL:-bash}
    flood_solicitate6 : flood_solicitate6;${SHELL:-bash}
    fragmentation6 : fragmentation6;${SHELL:-bash}
    inundator : inundator;${SHELL:-bash}
    kill_router6 : kill_router6;${SHELL:-bash}
    macof : macof -h;${SHELL:-bash}
    rsmurf6 : rsmurf6;${SHELL:-bash}
    siege : siege -h;${SHELL:-bash}
    smurf6 : smurf6;${SHELL:-bash}
    t50 : t50 --help;${SHELL:-bash}
    mdk3 : mdk3 --help;${SHELL:-bash}
    reaver : reaver -h;${SHELL:-bash}
    iaxflood : iaxflood;${SHELL:-bash}
    inviteflood : inviteflood -h;${SHELL:-bash}
    slowhttptest : slowhttptest -h;${SHELL:-bash}
    thc-ssl-dos : thc-ssl-dos -h;${SHELL:-bash}
    android-sdk : android;${SHELL:-bash}
    apktool : apktool;${SHELL:-bash}
    baksmali : baksmali --help;${SHELL:-bash}
    dex2jar : d2j-dex2jar -h;${SHELL:-bash}
    smali : smali --help;${SHELL:-bash}
    arduino : arduino
    fcrackzip : fcrackzip --help;${SHELL:-bash}
    chkrootkit : chkrootkit -h;${SHELL:-bash}
    rkhunter : rkhunter -h;${SHELL:-bash}
    chkrootkit : chkrootkit -h;${SHELL:-bash}
    autopsy : autopsy;${SHELL:-bash}
    binwalk : binwalk -h;${SHELL:-bash}
    bulk_extractor : bulk_extractor -h;${SHELL:-bash}
    chkrootkit : chkrootkit -h;${SHELL:-bash}
    dc3dd : dc3dd --help;${SHELL:-bash}
    dcfldd : dcfldd --help;${SHELL:-bash}
    extundelete : extundelete --help;${SHELL:-bash}
    foremost : foremost -h;${SHELL:-bash}
    fsstat : fsstat;${SHELL:-bash}
    galleta : galleta;${SHELL:-bash}
    tsk_comparedir : tsk_comparedir;${SHELL:-bash}
    tsk_loaddb : tsk_loaddb;${SHELL:-bash}
    affcompare : affcompare -h;${SHELL:-bash}
    affcopy : affcopy -h;${SHELL:-bash}
    affcrypto : affcrypto -h;${SHELL:-bash}
    affdiskprint : affdiskprint -h;${SHELL:-bash}
    affinfo : affinfo -h;${SHELL:-bash}
    affsign : affsign -h;${SHELL:-bash}
    affstats : affstats -h;${SHELL:-bash}
    affuse : affuse -h;${SHELL:-bash}
    affverify : affverify -h;${SHELL:-bash}
    affxml : affxml -h;${SHELL:-bash}
    autopsy : autopsy;${SHELL:-bash}
    binwalk : binwalk -h;${SHELL:-bash}
    blkcalc : blkcalc;${SHELL:-bash}
    blkcat : blkcat;${SHELL:-bash}
    blkstat : blkstat;${SHELL:-bash}
    bulk_extractor : bulk_extractor -h;${SHELL:-bash}
    ffind : ffind;${SHELL:-bash}
    fls : fls;${SHELL:-bash}
    foremost : foremost -h;${SHELL:-bash}
    galleta : galleta;${SHELL:-bash}
    hfind : hfind;${SHELL:-bash}
    icat-sleuthkit : icat-sleuthkit;${SHELL:-bash}
    ifind : ifind;${SHELL:-bash}
    ils-sleuthkit : ils-sleuthkit;${SHELL:-bash}
    istat : istat;${SHELL:-bash}
    jcat : jcat;${SHELL:-bash}
    mactime-sleuthkit : mactime-sleuthkit;${SHELL:-bash}
    missidentify : missidentify -h;${SHELL:-bash}
    mmcat : mmcat;${SHELL:-bash}
    pdfbook : pd-fbook -h;${SHELL:-bash}
    pdgmail : pdgmail -h;${SHELL:-bash}
    readpst : readpst -h;${SHELL:-bash}
    reglookup : reglookup;${SHELL:-bash}
    regripper : regripper
    sigfind : sigfind;${SHELL:-bash}
    sorter : sorter;${SHELL:-bash}
    srch_strings : srch_strings -h;${SHELL:-bash}
    tsk_recover : tsk_recover;${SHELL:-bash}
    vinetto : vinetto -h;${SHELL:-bash}
    binwalk : binwalk -h;${SHELL:-bash}
    bulk_extractor : bulk_extractor -h;${SHELL:-bash}
    foremost : foremost -h;${SHELL:-bash}
    jls : jls;${SHELL:-bash}
    magicrescue : magicrescue;${SHELL:-bash}
    pasco : pasco;${SHELL:-bash}
    pev : pev -h;${SHELL:-bash}
    recoverjpeg : recoverjpeg -h;${SHELL:-bash}
    rifiuti : rifiuti;${SHELL:-bash}
    rifiuti2 : rifiuti2 -h;${SHELL:-bash}
    safecopy : safecopy -h;${SHELL:-bash}
    scalpel : scalpel -h;${SHELL:-bash}
    scrounge-ntfs : scrounge-ntfs -h;${SHELL:-bash}
    md5deep : md5deep -h;${SHELL:-bash}
    rahash2 : rahash2 -h;${SHELL:-bash}
    affcat : affcat -h;${SHELL:-bash}
    affconvert : affconvert -h;${SHELL:-bash}
    blkls : blkls;${SHELL:-bash}
    dc3dd : dc3dd --help;${SHELL:-bash}
    dcfldd : dcfldd --help;${SHELL:-bash}
    ddrescue : dd_rescue -h;${SHELL:-bash}
    ewfacquire : ewfacquire -h;${SHELL:-bash}
    ewfacquirestream : ewfacquirestream -h;${SHELL:-bash}
    ewfexport : ewfexport -h;${SHELL:-bash}
    ewfinfo : ewfinfo -h;${SHELL:-bash}
    ewfverify : ewfverify -h;${SHELL:-bash}
    fsstat : fsstat;${SHELL:-bash}
    guymager : guymager
    img_cat : img_cat;${SHELL:-bash}
    img_stat : img_stat;${SHELL:-bash}
    mmls : mmls;${SHELL:-bash}
    mmstat : mmstat;${SHELL:-bash}
    tsk_gettimes : tsk_gettimes -h;${SHELL:-bash}
    autopsy : autopsy;${SHELL:-bash}
    dff gui : dff -g;${SHELL:-bash}
    dff : dff;${SHELL:-bash}
    p0f : p0f -h;${SHELL:-bash}
    xplico start : service xplico start;${SHELL:-bash}
    xplico stop : service xplico stop;${SHELL:-bash}
    xplico : xdg-open http://localhost:9876
    chntpw : chntpw -h;${SHELL:-bash}
    pdf-parser : pdf-parser -h;${SHELL:-bash}
    peepdf : peepdf -h;${SHELL:-bash}
    volafox : volafox;${SHELL:-bash}
    volatility : vol -h;${SHELL:-bash}
    casefile : casefile
    magictree : magictree
    maltego : maltego
    metagoofil : metagoofil;${SHELL:-bash}
    pipal : pipal -h;${SHELL:-bash}
    truecrypt : truecrypt -h;${SHELL:-bash}
    cutycapt : cutycapt --help;${SHELL:-bash}
    recordmydesktop : recordmydesktop -h;${SHELL:-bash}
    dradis : service dradis start; xdg-open
    keepnote : keepnote
    apache2 restart : service apache2 restart;${SHELL:-bash}
    apache2 start : service apache2 start;${SHELL:-bash}
    apache2 stop : service apache2 stop;${SHELL:-bash}
    mysql restart : service mysql restart;${SHELL:-bash}
    mysql start : service mysql start;${SHELL:-bash}
    mysql stop : service mysql stop;${SHELL:-bash}
    sshd restart : service ssh restart;${SHELL:-bash}
    sshd start : service ssh start;${SHELL:-bash}
    sshd stop : service ssh stop;${SHELL:-bash}
    beef start : service beef-xss start;${SHELL:-bash}
    beef stop : service beef-xss stop;${SHELL:-bash}
    community / pro start : /opt/metasploit/scripts/;${SHELL:-bash}
    community / pro stop : /opt/metasploit/scripts/;${SHELL:-bash}
    dradis start : service dradis start;${SHELL:-bash}
    dradis stop : service dradis stop;${SHELL:-bash}
    openvas check setup : openvas-check-setup;${SHELL:-bash}
    openvas feed update : openvas-feed-update;${SHELL:-bash}
    openvas initial setup : openvas-setup;${SHELL:-bash}
    openvas start : openvas-start;${SHELL:-bash}
    openvas stop : openvas-stop;${SHELL:-bash}
    xplico start : service xplico start;${SHELL:-bash}
    xplico stop : service xplico stop;${SHELL:-bash}
Posted in Linux, Security, Shell Scripting | Tagged , , , | Leave a comment

CBC Padding Oracle Attacks Simplified – Key concepts and pitfalls

There are hundreds of web sites that describe the Padding Oracle attack, but many people find the concept confusing. I am going to try to explain everything you need to know. I am not going to write a bunch of equations to explain it. I’m not going to throw a big complicated diagram in front of you. You don’t have to understand encryption. I’ll just teach it to you one step at a time.  It won’t make your head hurt. I promise.

This will help you write your own tool, or use an existing tool, and I’ll make it as simple as possible, while pointing out all of the tricky bits…

If you remember that A-B == C and you can add B to both side of the equation to get A== B+C, and if you understand HEX values and the Exclusive Or (XOR) function, you have all of the deep knowledge needed to understand the attack.

Why are Padding Oracle Attacks important?

This type of attack is well known, and a lot of sites are vulnerable to this attack. It’s a common error. And it’s devastating because it works so fast. To understand the attack, you have to understand a a few simple things about cryptography.

What is Cryptographic Padding?

There are two types of encryption  – stream based and block based.  A stream based encryption system can be used to encrypt any number of bytes. A block-based encryption algorithm encrypts text in blocks. AES-128 uses 16-byte (i.e. 16*8 or 128-bit)  blocks. If you want to encrypt a single character with AES, you get 16 characters out. 17 Characters takes 2 blocks, or 32 characters total.

What happens if your cleartext is shorter than a block? It’s padded with extra characters to fill up the block before it’s encrypted because you have to encrypt a block.  These could be null characters, or random characters, but how do you tell the difference between important characters and extra characters?

There are several ways to do this. PKCS#7 is a typical example. If you have 15 bytes and need to add one more byte to fill up the block, you append hex (01). If you need to add 2 bytes, you append  hex(02 02).  3 Bytes requires you add the 3-byte pad of hex(03 03 03). Note that this allows a form of error checking, because there is some  redundancy when more that a single byte is added. If the last byte has the hex value of 04, then the previous 3 bytes have the same value. If not, then that is a padding error.

If the text fills up the 16-byte-block exactly, you add another block that contains 16 bytes hex(10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10).  Each of these values have the binary value of 16.

The important point is that you always have padding, from 1 to 16 characters., to the last block.

Here is a table that shows how cleartext (in blue) is padded (in black) before the block of 16 bytes is encrypted, just in case this isn’t clear.


Table 1 – PKCS#7 padding on a 16-byte block

What is an Padding Oracle?

An Oracle is a system that reveals information. Normally, a system that uses encryption either works or doesn’t. However, if the system reveals extra information – like if padding was valid, then this is called a Padding Oracle.

Hey Oracle! Does this block have proper padding? Tell me!

While the technical term is Padding Oracle, think of it as a blabbermouth.

What is Cipher Block Chaining (CBC)?

Classic block encryption, such as AES, has a problem. AES can be used several ways, but the simplest is called ECB or Electronic Codebook Mode. In this mode, a block of data is transformed.  There is no information used from a previous block of data that affects the transformation. When you encrypt the same data, the output or ciphertext is identical. If I encrypt 16 “A” characters, the output will be the same.

Or to put it another way, every time I encrypt my “Beans and Franks” recipe, the result is identical. If I send it to Alice, and I send to Bob, someone can see that I sent the same recipe to both people. It’s a cookbook. The recipes don’t change as long as we keep the same book.

One way to fix this problem is to combine or “chain” the results of the previous encryption block with the next block, so if the input is repeated, the results is different. One of these methods is called Cipher Block Chaining or CBC.

How does Cipher Block Chaining (CBC) work?

A better explanation of CBC is found on Wikipedia, but the most important point to understand is that when decoding block N, Block N is first decrypted, then XOR’ed with the previous block N-1.

The cleartext of Block N-1 does not matter when decoding Block N.

This detail is critical. Let me elaborate with an example. When CBC-mode is used, you need an Initialization Vector (IV) before you decrypt the encrypted block. In simple terms, this is a block of data that is usually sent as the first block of the data.

  • Block 1 is used as the IV for Block 2.
  • Block 2 is used as the IV for Block 3, etc.

Let’s say a system transmits the encrypted block LCB0byB0aGUgcG9p with the IV of all zeros.  The IV should be random, but for the sake of this explanation, let’s assume it’s all zeros. So the decryption system is sent the following 32 hex bytes (2 blocks)

 0000000000000000 LCB0byB0aGUgcG9p

Now let’s suppose the cleartext decodes the second 16-byte block to “AAAAAAA Pay $100″ or hex(41 41 41 41 41 41 41 20 50 61 79 20 24 31 30 30)

The ASCII character for “1” is hex(31), shown in bold above. Suppose I want to change the $100 to $500.   The ASCII value for “5” is just one bit different, or hex(35) instead of hex(31). In other words, suppose I wanted to modify the encrypted message and change 100 to 500, i.e.:

“AAAAAAA Pay $500″ is hex(41 41 41 41 41 41 41 20 50 61 79 20 24 35 30 30)

All I have to do to change the cleartext from $100 to $500 is to flip the matching bit in the Initialization Vector and send:

0000000000040000 LCB0byB0aGUgcG9p

In other words:

When I invert a single bit in the previous block,  the matching bit in the decrypted cleartext will be inverted.

It may seem unbelievable, but that’s all it takes. I don’t have to know the secret key used to encrypt the message to modify it. All I have to do is change the previous block, and this changes the decrypted value of the message. CBC-mode does nothing to check the integrity of the message. It’s vulnerable to this sort of attack. Scary, huh? If I know the cleartext of one block, I can modify it to be anything I want  by manipulating the previous block, without knowing anything about the encryption.

What’s required to perform a Padding Oracle Attack

There are two things you need to attack a Padding Oracle:

  • You need a Padding Oracle.
  • You need a way to capture and replay an encrypted message to that oracle.  In other words, you need to be able to send and modify the message to the Oracle.

Once you have that, you can decode the decrypted message.

What is a Padding Oracle Attack?

In the previous attack, I just modified a single bit. But I could modify any bit I want to, trying any of the 256 different values.

Normally modifying the message does not provide a way to guess the contents,  because it’s encrypted and I don’t know what the decrypted message is. However, if we can sent the message to the Padding Oracle, and it returns “Good Padding” or “Bad Padding” – then we can defeat the system.

The value hex(01) is valid padding when we have to add a single byte pad,  so if we try all 256 combinations of the last byte, and one of these returns “Valid Padding”, then we know now what the cleartext of that byte is, thanks to the blabbermouth oracle.

How do you crack the byte once you found it has valid padding?

Let’s assume the byte we are modifying has the value  Q (for Question Mark). And we are trying all 256 values of R (for Random) , so that the result is Valid Padding, i.e.

Q XOR R == hex(01)

and if you want the mathematical form, that would be

Q ⊕ R == hex(01)

Now’s it’s time for a little bit of Math. Not too much,  though. We can XOR the same value to both sides of the equation and the equation will still be true. If we XOR the same number to itself, it becomes all zeros, and Q ⊕ hex(00) == Q. Therefore we now know the following:

Q ==  R  ⊕ hex(01)

Or in other words, when we XOR the expected padding to the random guess, we get  the cleartext value of the corresponding byte.

Okay – we are done with the math. You can relax now. The rest is easy.

Once you crack the last byte, how do you crack the previous byte?

Once we know the value for the last byte (Byte 16) of the block N, we XOR the desired padding for a 2-byte pad into block N-1. The 2-byte padding is hex(02 02). In reality, we need to XOR three values together:

  • The original 16-byte block that precedes the block we are attacking
  • The padding (the number of bytes depends on which pad we are using)
  • The guessed cleartext (initially all nulls)

If, for example, we learn that byte 16 is ‘A’ hex(41), then to guess byte 15, we modify the previous block by XORing the bytes

OriginalBlock XOR hex(02 02) XOR hex (00 41)

But I should make it clear that we are working with 16-byte blocks

  • OriginalBlock
  • hex(00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 02)
  • hex (00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41)

and we XOR all possible 256 values into the  byte we are randomly guessing, which is byte 15 in this case:

  • hex (00 00 00 00 00 00 00 00 00 00 00 00 00 00 XX 00 )

When one of the values returns valid padding, we know that the cleartext for the 15th byte is R ⊕ hex(02)

And for Byte 14, we XOR the newly learned value for byte 15 into the guessed cleartext, use hex(03 03 03) as the padding we XOR, and then we try all values for byte 14. That is, we shift one byte to the left, and change the padding string  to be the proper length and replicated value, shown in Table 1 above.

If we continue this, we can guess all 16 bytes of the last block.

Padding Oracle Attacks do not use encryption

Note that I just use the XOR function. It doesn’t matter what the encryption is. We never need to perform any encryption functions to do the attack. This attack does not require a powerful CPU or crypto accelerator. We just toggle bits, one byte at a time.

Padding Oracle Attacks decodes the cleartext without knowing the key

Also – this attack does not use or reveal the encryption key. I can’t determine the key, and can’t use it to decode other messages. I can only attack a message I have captured and can replay.

Padding Oracle Attacks only  decode the last block sent

Since we are trying to fake the padding, this only works on the last block of the chain. If more blocks are sent, the oracle only checks the last block for proper padding.

You don’t have to send every block to the Oracle.

The attack works on the last block I sent the oracle, but I don’t have to send all of the blocks. If  I have captured 10 blocks, I can break the 10th  block. But after I learn what the cleartext of block 10 is, I could just send 9 blocks. Or 8. Or 7.  In other words, once I have cracked the last block, I can simply truncate that block from my test, making the previous block (e.g. 9) be the the new last block.

Because of the way CBC-mode works, all I need to do is send 2 blocks. If I wanted to attack block 7, there is only one requirement – it’s the last block I send. I can send blocks 1 through 7. Or I can just send blocks 6 and 7.

I only need to send 2 blocks;  any 2 consecutive blocks.

In other words, I can crack the blocks in any order I want to. I can just send the IV and the first block and decode block 1. Then I can send blocks 1 and 2 to crack 2.

Padding Oracle Attacks can be completed in less than 256 * Number of Encrypted Bytes attempts

This is one of the reasons the attack is so dangerous. If each test takes a 1ms, then to crack 16000 characters takes 256*1600*1 milliseconds,  which is 4096 seconds., or a little more than an hour.

Instead of trying all 256 values, we can stop once we find a valid pad. Therefore the average number of guesses would be 128, so a more realistic estimate would be the above number divided by 2, which is 30 minutes.

There is a special case when guessing the last padded block

If you implement your own version of this attack, you may want to check to see how many times you get a valid pad for each byte. You should get exactly one correct answer. If you get  zero, or more than 1, you have a bug.

There is a special case you should be aware of.

Let’s say the block you are guessing is the last block, that is, the block with proper padding. Let’s assume the block has, for example, 7 bytes of padding, ending in

hex(07 07 07 07 07 07 07)

If we try every combination, one of the combinations will modify the last 7 bytes to be

hex(07 07 07 07 07 07 01)

In other words, there are two “values” for byte 16  where you have valid padding. One way to check for this is to see if the block has valid padding before you start. You can also check if the padding is hex(01) and the guess is hex(01) is the same, and if you get a valid padding when these are the same. If so, then ignore it.

Congratulations – you are now an expert in Padding Oracle Attacks

Posted in Hacking, Security | Tagged , , , , , , , | 4 Comments

Cataloging SDHC Cards on Ubuntu using a bash script

I have a lot of SD memory cards. I use them for my Camera, my Raspberry Pi, and for my laptop. They are cheap enough, I get several spares. And it makes it easy to convert my Raspberry Pi into different types of systems, allowing me to switch between different projects by just swapping the cards.

But when I grab one, I have to figure out what I last used that card for, and if there is anything worth saving on the card, and how much room I have left on the card. Did I use it for a camera? For transferring files? For a RPi system? I could keep a piece of paper with each card, label them, or store then in different places, but like all Unix script writers, I am lazy. I’d rather spend hours debugging a shell script than spend an extra minute every time I remove an SD card.

So I wrote a Bash shell script. To use it, I simply put the SD card into my laptop, and execute


I might prefer to add a note to indicate something about the card, such as the manufacturer, This is an additional argument that is added to my “catalog.”

SDCatalog SanDisk

And when I am done, I eject the card, put in  a new one, and repeat. The “data collection” is simple – My script just uses find to list the file names and store the results into a file – one file for each SD card. All of the files are stored in a single directory. I use the directory  ~/SD to store the files. So what do I collect besides the filenames? I collect (a) the card capacity, (b) the size of the individual partition, (c) how much of the partition is used,  and (d) the unique ID of the card. I store this information in the name of the file. And because I have the files stored on the card, I can use grep to figure out which card contains which file. For instance, if I am looking cards formatted for the Raspberry Pi, I can search for the  /home/pi in the “catalog” using grep:

grep '/home/pi$' ~/SD/*

and the output I get is:


I used the “_” character as a field separator in the filename.   Looking at the first line above, the identifier is “SD04G_p2_4_45_b7b5ddff-ddb4-48dd-84d2-dd47bf00694a”. There are 5 “fields” separated by “_” which in my script is decoded as follows:

SD04G - The string seen when the card is mounted - see dmesg(1)
p2 - which partition
4 - 4GB partition
45 - 45 % used of the 4GB partition
b7b5ddff-ddb4-48dd-84d2-dd47bf00694a - Device ID

The “:” and “./home/pi” are added by grep.

It would be trivial to use a script like AWK to parse this and pretty print the results. I’ll print my awk script at the end of this. post. But let me explain part of this script.

When I  mounded a SDHC card, and typed df, the following was the output:

Filesystem     1K-blocks      Used Available Use% Mounted on
/dev/sda6       47930932  22572060  22917420  50% /
none                   4         0         4   0% /sys/fs/cgroup
udev             3076304         4   3076300   1% /dev
tmpfs             617180      1420    615760   1% /run
none                5120         4      5116   1% /run/lock
none             3085884       240   3085644   1% /run/shm
none              102400        32    102368   1% /run/user
/dev/sda8      252922196 229762840  10304948  96% /home
/dev/mmcblk0p1  31689728   9316640  22373088  30% /media/bruce/9016-4EF8

To catalog this information, we have to parse the last line. The two critical parts are the strings “mmcblk0” and “media” – these may have to be tweaked depending on your operating system. So I made them easy to change with the lines:


I also store the results in a directory called ~/SD – but someone may wish to store them in a different location. So my script defines the location of the log with


If the environment variable SDLOG is defined, use that value, otherwise use the default.

Sometimes it’s easier to describe a card using an optional comment, such as the color, manufacturer, or device where you got the card from. So I define the value of EXTRA with an optional command line argument.


The script then checks if the directory for the log exists, and if not, it creates it.

The script tries to get a manufacturer’s ID for the device using dmesg(1). It does some checking to make sure the card is mounted, that the output file is writable, etc. It also looks for all of the partitions on the card.

But before I show you the script, let me show you a simple awk script called SDCParse that pretty-prints the names of the files used to store the catalog. For instance, the command

ls ~/SD | SDCparse

prints the following on my system – one line for each partition of each card:

      Note   Man.  Partition  Size   Usage ID                            
            00000         p1     2       1 E0FD-1813                     
   SanDisk  SL08G         p1     8       1 6463-3162                     
            SD04G         p1     0      30 3312-932F                     
            SD04G         p1     4      67 957ef3e9-c7cc-4b32-9c77-9ab1cea45a34
            SD04G         p2     4      45 b7b5ddff-ddb4-48dd-84d2-dd47bf00564a
            SD08G         p1     0      18 boot                          
            SD08G         p1     8       1 ecaf3faa-ecb7-41e1-8433-9c7a5d7098cd
            SD08G         p2     3      80 3d81d9e2-7d1b-4015-8c2c-29ec0875f762
              SDC         p1     0      34 boot                          
              SDC         p1    32      30 9016-4EF8                     
              SDC         p2    30      20 af599925-1134-4b6e-8883-fb6a99cd58f1
            SL08G         p1     8       1 6463-3162 

So this lets you see at a glance a lot of information about each SD card. I can easily see that I have 3 8GB cards whose p1 partition only uses 1% of the space. The awk script SDCParse is

awk -F_ '
    ST="%10s %6s %10s %5s %7s %-30s\n"
    printf(ST,"Note", "Man.", "Partition", "Size", "Usage", "ID")
    if (NF == 5) {
        printf(ST,"", $1, $2, $3, $4, $5)
    } else if ( NF == 6 ) {
        printf(ST,$1, $2, $3, $4, $5, $6)
    } else {
#        print ("Strange - line has ", NF, "fields: ", $0)

I should mention something I use often. The formatting of both the table headers, and the data, uses the same formatting string “ST”. If I want to change the spacing of the table, I only need to change it in the one line.

The SDCatalog script, which generates the catalog, is not quite so simple, but it seems to be robust.


# Bruce Barnett Tue Oct  7 09:19:41 EDT 2014

# This program examples an SD card, and 
# created a "log" of the files on the card
# The log file is created in the directory ~/SD 
#    (unless the envirnment valiable SDLOG is defined
# Usage
#    SDCatalog [text] 
#          where text is an optional field
# Example:
#    SDCatalog
#    SDCatalog SanDisk

# Configuration options
# These may have to be tweaked. They work for Ubuntu 14
# The output of df on Ubuntu looks like this
#/dev/mmcblk0p1   7525000 4179840   2956248  59% /media/barnett/cd3fe458-fc22-48e4-8
#     ^^^^^^^                                     ^^^^^      
#     SD                                          MEDIA
# therefore the parameters I search for are

# Command line arguments
EXTRA=$1 # is there any extra field/comment to be added as part of the filename

# Environment variables

# Note that '~/SD' will NOT work because the shell won't expand '~'. 
#  "~/SD" will work, but "$HOME/SD" will always work
LOG=${SDLOG-"$HOME/SD"} # use the $SDLOG envinrment variable, if defined, else use ~/SD

# Make sure the initial conditions are correct - we have a directory?
if [ -d "$LOG" ] # If I have a directory 
    : okay we are all set
    if [ -e "$LOG"  ]
        echo "$0: I want to use the directory $LOG, 
but another file exists with that name - ABORT!" 
        exit 1
    echo "mkdir $LOG"
    mkdir "$LOG" # the directory does not exist

# Now I will execute df and parse the results
# sample results may look like this
#/dev/mmcblk0p1   752000 417940   295248  59% /media/barnett/cd3fe458-fc22-48e4-8

# For efficiency, let's just execute df once and save it
# create a temporary filename based on script name, i.e. 
#       Example temporary name
#            SDCatalog..tmp
trap "/bin/rm $DFOUT" 0 1 15 # delete this temp file on exit


# is there anything mounted?
grep -q "$SD"  <$DFOUT || ( echo no SD card mounted ; exit 1)
# get the manufacturer of the card
# dmesg will report something like
#      [ 8762.029937] mmcblk0: mmc0:b368 SDC   30.2 GiB 
# and we want to get this part           ^^^^
# New version that uses the $SD variable
MANID=$(dmesg | sed -n 's/^.*'"$SD"':.mmc0:\(....\) \([a-zA-Z0-9]*\) .*$/\2/p' | tail -1)
# Get the current working directory
CWD=$(pwd) # Remember the current location so we can return to it

for p in p1 p2 p3 p4 p5 p6 p7 p8

    # get the mount point(s) of the card
    MOUNT=$(awk "/$SD$p"'/ {print $6}' <$DFOUT )
    # get the ID of the card
    if [ -n "$MOUNT" ]
        # Get the size of the disk
        SIZE=$(awk "/$SD$p"'/ {printf("%1.0f\n",$2/1000000)}' < $DFOUT)
        # Get the usage of the partition
        USE=$(awk "/$SD$p"'/ {print $5}' < $DFOUT | tr -d '%') #        ID=$(echo $MOUNT| sed 's:^.*/::')         ID=$(echo $MOUNT| sed 's:/'"$MEDIA"'/[a-z0-9]*/::')         # I am going to store the results in this file         if [ -z "$EXTRA" ]         then             X=         else             X="${EXTRA}_"         fi         OFILE="$LOG/$X${MANID}_${p}_${SIZE}_${USE}_${ID}"         echo Log file name is $OFILE         cd "$MOUNT"         touch $OFILE  || (echo cannot write to $OFILE - ABORT)         echo "sudo find .  >$OFILE"
        sudo find .  >$OFILE
        cd "$CWD"

I hope you find this useful.

Posted in Linux, Shell Scripting | Tagged , , , , , , , | 1 Comment

Setting up your Linux environment to support multiple versions of Java

Four ways to change your version of Java

Most people just define their JAVA_HOME variable, and rarely change it. If you do want to change it, or perhaps switch between different versions, you have some choices:

  1.  Use update-alternatives (Debian systems)
  2. Define/change your preferred version of Java in your ~/.bash_profile and log out, and re-login to make the change.
  3. Define/change your preferred version of Java in your ~/.bashrc file, and open a new terminal window to make the change.
  4. Define your preferred version of Java on the command line, and switch back and forth with simple commands.

When I use java, I often have to switch between different versions. I may need to do this for compatibility reasons, testing reasons, etc. I may want to switch between OpenJDK, and Oracle Java. Perhaps I have some programs that only work with particular versions of Java.  I prefer doing this using method #3 – on the command line.But by using the scripts below, you can use any of the three methods and control your Java version explicitly.

As I mention in example 1, You could, with some versions of Linux, use the command

sudo update-alternatives --config java

Debian systems use the update-alternatives to change the file system and relink some symbolic links to change what command “java” executes.  I’ll show you a way to get full control using the command line which makes no changes to the file system, allowing you to simultaneously run different versions of Java using just the command line.

Downloading multiple versions of Java

Let’s assume I’ve just downloaded Oracle jdk7u71  for a 64-bit machine into  tar file.  Assume I’ve already created the directory /opt/java. I unpack it using

md5sum ~/Downloads/jdk-7u71-linux-x64.tar.gz 
# Now verify the file integrity by eyeball
cd /opt/java
tar xfz ~/Downloads/jdk-7u71-linux-x64.tar.gz

So now I have the directory /opt/java/jdk1.7.0_71

Let me also download JDK8u25 as well, and store it in /opt/java/jdk1.8.0_25

To make things easier, I’m going to create the symbolic link latest – which will be my “favorite” or preferred version of java in the /opt/java directory.

cd /opt/java
ln -s jdk1.7.0_71 latest

Creating the Java Setup script

Now I am going to create a file called ~/bin/SetupJava which contains the following

#!/bin/echo sourceThisFile
# Bruce Barnett - Thu Nov 20 09:37:45 EST 2014
# This script sets up the java environment for Unix/Linux systems
# Usage (Bash):
# . ~/bin/SetupJava
# Results:
# Modified environment variables JAVA_HOME, PATH, and MANPATH
# If this file is saved as ~/bin/SetupJava, 
# then add this line to ~/.bashrc or ~/.bash_profile
# . ~/bin/SetupJava

# In case VERSION is a full path name, I delete everything 
# up to the '//'
JHOME=$(echo $JHOME | sed 's:^.*//:/:' )

# This next line is optional - 
it will abort if JAVA_HOME already exists
[ "$JAVA_HOME" ] && { echo JAVA_HOME defined - Abort ; exit 1; }

# Place the new directories first in the searchpath 
#  - in case they already exist
# also in case the above line is commented out

There is a lot of things going on here, but first – let’s explain the simplest way to use it: Simply add the following line to your ~/.bashrc  or ~/.bash_profile file:

. ~/bin/SetupJava

And you are done.

BUT we can do much more. First of all, note that this sets up your environment to use the “latest” version of Java, which is defined to be /opt/java/latest. But what if you don’t want to use that version? Note that I use the shell feature:


If the variable VERSION is not defined, the shell script uses the value “latest“. If you want to use a particular version of java, add a new line before you source the file:

. ~/bin/SetupJava

If you rather use version 8, then this could be changed to

. ~/bin/SetupJava

Note that you can have several different versions in your ~/.bashrc file, and have all but one commented out. Then, you can open a new terminal window and this window will use a different version of java. But what if you don’t want to exit the existing  window?

Switching between java versions on the command line.

But there is another approach that I like to use. I have created several different shell files. Here’s one called JAVA

. ~/bin/SetupJava
exec "${@:-bash}"

Here is another shell script called JAVA7u71 which explicitly executes Java version 7u71

. ~/bin/SetupJava
exec "${@:-bash}"

Here is one called JAVA8u25

. ~/bin/SetupJava
exec "${@:-bash}"

Here is one that executes the OpenJDK version of Java

. ~/bin/SetupJava
exec "${@:-bash}"

Note that I specified a version of java that was not in /opt/java – This is why I used the sed command

sed 's:^.*//:/:'

This deletes everything from the beginning of the line to the double ‘//’ changing /opt/java//usr/local/java/jdk1.7.0_67 to /usr/local/java/jdk1.7.0_67

Using the above commands to dynamically switch Java versions

You are probably wondering why I created these scripts, and what exactly does the following line do?

exec "${@:-bash}"

Please note the script,  by default, executes the command “exec bash” at the end.  That is, the script executes an interactive shell instead of terminating. So my shell prompt is really a continuation of the  script, which is still running. I also places double quotation marks around the variable in case the argument contains spaces, etc.

There are two ways to use these scripts. The first way simply temporarily changes your environment to use a specific version of Java. In the dialog below I execute OpenJDK, Oracle Java 7, and Oracle Java 8,  in that order and type “java -version” each time to verify that all is working properly. I then press Control-D (end-of-file) to terminate the JAVA script, and to return to my normal environment.  The shell prints “exit” when I press Control-D.  So I execute three different shell sessions, type the same command in each one, and then terminate the script: (the $ is the shell prompt)

$ java -version
java version "1.7.0_67"
Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
Java HotSpot(TM) Server VM (build 24.65-b04, mixed mode)
$ exit
$ JAVA7u71
$ java -version
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) Server VM (build 24.71-b01, mixed mode)
$ exit
$ JAVA8u25
$ java -version
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) Server VM (build 25.25-b02, mixed mode)
$ exit

In other words, when I execute  OPENJDK, JAVA7u71, JAVA8u25 – I temporarily change my environment to use that particular version of Java. This change remains as long as that current session is running.  Since the script only really changes your environment variables, these changes are inherited for all new shell processes. Any time and child process executes a Java program, it will use the specific version of Java I specified.

If I want to, I can start up a specific version of Java and then launch several terminals and sessions in that environment

$ JAVA7u71
$ emacs &
$ gnome-terminal &
$ gnome-terminal &
$ ^D

However, there is one more useful tip. My script has the command

exec "${@:-bash}"

This by default executes bash. If, however, I wanted to execute just one program instead of bash, I could. I just preface the command with the version of Java I want to run:

$ OPENJAVA java -version
$ JAVA7u71 java -version 
$ JAVA8u25 java -version

I can execute specific java programs and testing them with different versions of Java this way.  I can also use this in shell scripts.

JAVA java program1
OPENJDK program2

And if program2 is a shell script that executes some java programs, they will use the OpenJDK version.

Using bash tab completion to select which Java version

Also note that you can use tab completion, and if you have 5 different versions of Java 7, in scripts called JAVA7u71, JAVA7u67, JAVA7u72, etc. you could type

$ JAVA7<tab>

Press <tab> twice and the shell would show you which versions of Java 7 are available (assuming you created the matching script.

The one thing that dynamic switching does not let you do is to save “transient” information like shell history, shell variables, etc. You need another approach to handle that.

Hope you find this useful!

Posted in Linux, Shell Scripting, System Administration | Tagged , , , , , , , | 5 Comments

Remote Input shell scripts for your Android Device, or my screen is cracked

My Android has a cracked screen. Help! I, too, had this happen to me. I had TitaniumBackup Pro on my device, but when the new version of KitKat came out, I lost root access because of the update.  I never … Continue reading

Gallery | Tagged , , , , , , , | 4 Comments

Setting up the 900 Mhz Freakduino board on Kali Linux

The Freakduino LR is an Arduino board with a built-in 900Mhz radio designed for long range (1 mile). The primary components include

  • CPU: ATMEGA328-QFP32
  • Atmel AT86RF212 900
  • TI CC1190 900 Mhz RF Front end

This board belongs in the suite of tools you can use to test systems which utilize the 900 Mhz RF band. The AT86RF212 radio supports offset quadrature phase-shift keying (O-QPSK) with a fixed chip rate of either 400 kchip/s or 1000 kchip/s. I ordered the Freakduino 900 MHZ radio version 2.1a.  There are a few steps missing from the installation/Usage guide (PDF). Here is how I installed the software on my Kali Linux system. In the process, I also had to install Oracle/Sun’s Java, and Apache Ant, and the beta version of the Arduino IDE, without using the various package managers, (i.e. from scratch).

Installing Oracle/Sun’s Java on KALI LINUX

I wanted to use the latest version of the Arduino software, which has support for the ARM chip sets (such as Arduino Due and the upcoming Flutter board). I didn’t actually need it for the Freakduino, but if I can use one version of the Arduino IDE for all of the Arduino boards, that’s preferable. In addition, having the latest is always useful. 🙂 My first attempt had some minor problems. The IDE menu bar listing the menu choices “File Edit Sketch Tools Help” was missing! This was caused by using the openjdk version of Java. Apparently there is an incompatibility with giflib 5.1.  The link has a work-around I did not try. I decided to install Sun/Oracle’s Java. There are a few things that had to be done to get this correctly installed.

Installing Oracle/Sun’s Java JDK on Kali Linux

One way to work around the problem is to remove all versions of java. However, there are some disadvantages to this. Another way is to install alternate versions of java, and switch from one to the other as needed. Download the version of java from the Oracle/Sun Java download page. Then install it into /opt/java

tar xfz jdk-7u65-linux-i586.tar.gz
# Decide where to put Sun's java
sudo mkdir /usr/lib/jvm/java-7-sun-i386
sudo mv jdk1.7.0_65/ /usr/lib/jvm/java-7-sun-i386
sudo chown -R root /usr/lib/jvm/java-7-sun-i386 
# you then want to find the current alternatives
sudo update-alternatives --config java

My results said: There are 2 choices for the alternative java (providing /usr/bin/java).


Selection    Path                                           Priority   Status ————————————————————

*0          /usr/lib/jvm/java-6-openjdk-i386/jre/bin/java   1061      auto mode 1            /usr/lib/jvm/java-6-openjdk-i386/jre/bin/java   1061      manual mode 2            /usr/lib/jvm/java-7-openjdk-i386/jre/bin/java   1051      manual mode


Therefore I wanted to use the next higher number – i.e. 3

sudo update-alternatives --install /usr/bin/java java \
   /usr/lib/jvm/java-7-sun-i386/jdk1.7.0_65/bin/java 3

I typed the update-alternatives command again, and selected version #3. Now when I executed

java -version

I get the right answer!

java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b17)
Java HotSpot(TM) Server VM (build 24.65-b04, mixed mode)

We have to repeat this for javac

sudo update-alternatives --config java # find the next free number
# My system had the highest number of 2, so I used 3
sudo update-alternatives --install /usr/bin/javac javac \
   /usr/lib/jvm/java-7-sun-i386/jdk1.7.0_65/bin/javac 3 
sudo update-alternatives --config java # set it to #3

And to test it, I typed

javac -version

And I got as a result:

javac 1.7.0_65

Installing Apache ant on Kali Linux

Now that I have Sun’s Java installed, I wanted to install ant. I didn’t see a package in Kali that had ant, so I downloaded the binary from the ant web site I then did the following to verify and install the ant binary

gpg --import KEYS
gpg --verify apache-ant-1.9.4-bin.tar.gz.asc

I then decided to install ant in the /opt directory

# Unpack and install anttar xvfz apache-ant-1.9.4-bin.tar.gz
sudo mv apache-ant-1.9.4 /opt/ant
sudo chown -R root /opt/ant

To run ant, I needed to modify a new environment variables. You can put these in your shell startup files, or store them in a file, and source them into your shell when you need to run/recompile the Arduino program

# Prepare to run ant

I called this program ./ by the way. And to verify that it was installed properly, type:

 ant -diagnostics

Now that we have Java and ant installed, we can now compile the Arduino code from the git source distribution.

Installing the Arduino 1.5 (Beta) software on Kali Linux

# where do you want to built the arduino source?
cd Src
# get the git repository
git clone git:// # takes a while
cd ./Arduino
# switch over the the beta version
git checkout -t origin/ide-1.5.x 
git pull # just in case
cd build
# You may want to clean the build if you changed anything
ant clean
# and now compile the Arduino code
# to run the code, type
and run

If the Arduino IDE shows up, you are in good shape for the next step!

Installing the Chibi/Freakduino libraries

I followed the Freakduino Installation Guide. I downloaded the v1.04 version (ZIP). Assuming the Arduino source is in ~/Src/Arduino, you can type the following:

cd ~/Src/Arduino/libraries
mkdir Chibi
cd Chibi

When you start up the Arduino IDE, use the following command:

cd ~/Src/Arduino/build
ant run

If successful, you should see in the examples a “Chibi” library.You can select one of them and compile it. But you can’t run it yet because there are a few more things to do. You have to (a) select the proper port,  (b) select the proper board and (c) select the proper bootloader. The port is easy. Go to Tools->Port and select “/dev/ttyUSB0” The board is another issue. The Freakduino board isn’t listed. We have to install the hardware support libraries. Download them using the following steps. This is different from the installation guide.

cd /tmp
cp freakduino freakduino-lr ~/Src/Arduino/hardware/arduino/avr/variants

The issue is that the instalation guide is written for Arduino 1.0, not 1.5. Instead of hardware/arduino/variants the new version supports different types of CPUs, so there is a hardware/arduino/avr/variants and hardware/arduino/sam/variants. Also the installation guide says to backup ~/Src/Arduino/hardware/arduino/avr/boards.txt and replace it with the version they provide. DO NOT DO THIS. A “diff” of the two files gives me more than 900 differences. I manually patched the file, adding their changes, and when I ran the program, I got a few errors, including

    Error while uploading: missing 'upload.tool' configuration parameter


     [exec] Board arduino:avr:freakduino doesn't define a 'build.board' preference. Auto-set to: AVR_FREAKDUINO
     [exec] Board arduino:avr:freakduino-lr doesn't define a 'build.board' preference. Auto-set to: AVR_FREAKDUINO-LR

To prevent these errors, do not follow their advice for the installation. Instead, edit the file ~/Src/Arduino/hardware/arduino/avr/boards.txt and add the following lines manually. In particular, note the last three lines of each group. These are the lines I added to eliminate the two errors above

############################################################## = Freakduino Standard, 5.0V, 8MHz, w/ATMega328P
# Bruce Barnett added these lines

############################################################## = Freakduino Long Range, 5.0V, 8MHz, w/ATMega328P
# Bruce Barnett added these lines

Now start up the Arduino IDE, select the Tools=>Board=>Freakduino Long Range, 5.0V, 8MHz, w/ATMega328P and load the Files=>Example=>Chibi=>chibi_ex01_hello_world1 example. Select verify and upload. You might get the error:

     [exec] Sketch uses 4,084 bytes (14%) of program storage space. Maximum is 28,672 bytes.
     [exec] Global variables use 482 bytes of dynamic memory.
     [exec] avrdude: ser_open(): can't open device "/dev/ttyUSB0": Permission denied
     [exec] ioctl("TIOCMGET"): Inappropriate ioctl for device

This is a permissions problem, which happens the first time you run the software. To fix this, create a file (as superuser) called /etc/udev/rules.d/52-arduino.rules which contains:

SUBSYSTEMS=="usb", KERNEL=="ttyUSB[0-9]*", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", SYMLINK+="sensors/ftdi_%s{serial}"

You may have to add yourself to the dialout group:

sudo adduser `whoami` dialout

Unplug the device, plug it back in, and you should be good to go!

See if you want more info

A sample Freakduino program that transmits on all of the channels

Here is a simple program that just transmits on all of the US channels. I ran “rfcat -s” to watch the spectrum analyzer show me the incoming traffic. You will have to change the baud rate on the serial monitor to match the rate in your program (e.g. 57600). This program prints out the channels, but you can comment out these lines to make it run faster.

I added some sample code to make the program more of a complete program, especially for US users.

#include <chibi.h>
#include <src/chb_drvr.h> // needed for OQPSK_SIN
#include <chibiUsrCfg.h>
#define DEST_ADDR 5 // this will be address of our receiver
byte channel;

void setup() {
    byte b;
// chibiCmdInit(57600);
   Serial.begin(57600);   // Print the starting channel   
// b=chibiGetChannel();     
   chibiSetMode(OQPSK_SIN); // Select the mode for US    
   chibiSetDataRate(0) ; // 250 kb/s    
// chibiSetDataRate(1) ; // 500 kb/s    
// chibiSetDataRate(2) ; // 1000 kb/s      
// chibiSetShortAddr(0xAAAA);    
   channel = 1;    
// chibiSetChannel(15);    
   pinMode(13, OUTPUT); 
void loop() {   
// put your main code here, to run repeatedly:     
// turn on LED   
   digitalWrite(13, HIGH);   
   Serial.println("TX on channel");   
   byte dataBuf[100];   
   strcpy((char *)dataBuf, "ABCDEFGHIJKLMNOPQRSTUVWXYZ");   
   chibiTx(0xBBBB, dataBuf, strlen((char *)dataBuf)+1);   
// r = chb_get_rand();   
// Serial.println(r);   
   digitalWrite(13, LOW);    // turn the LED off by making the voltage LOW  
// delay(100);              // wait for a second   
   if (channel > 10) {     
      channel = 1;   

Posted in Hacking, Linux, Security | Tagged , , , , , , , , | Leave a comment