Dave's Info-Tech Blog

First while logged into raspberry pi you will always, want to update using:

sudo apt-get update -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y

I also recommend using PuTTY to ssh into your Kali Linux. Its a great tool used by all the pros I know. You can download here: 

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Then once you are setup you will want to install ssh by running:

apt-get install ssh

then you will want to configure ssh to open using:

systemctl enable ssh

systemctl start ssh

Now that we have enabled ssh, we want to install a way for us to remote desktop into our Kali Linux from a windows machine. So we will install xrdp for kali linux. Start with the following command: Apt-get install xrdp

After xrdp is installed you can start the server with the following command:

Service xrdp start Service xrdp-sesman start

Finally if you want xrdp to automatically run after startup, run the following: update-rc.d xrdp enable

Now you should be able to run Remote Desktop on Windows machine and use the Kali linux IP address to Remote into it.

It will look like the following:

You will just login with your user account or root user. 

and you’re in!

If you run into issues this page updates regularly:

Today I was able to successfully setup OpenVAS Greenbone in Kali Linux on a Raspberry Pi 4 (4 GB RAM). I have read that many people had issues doing this but, I was able to get it working without getting the Raspberry Pi to overheat. I think the only way to do this is on the latest (as of 2019) Raspberry Pi 4 (4GB RAM).

If you don’t know what Greenbone is, you are missing out. Greenbone is a vulnerability management solution for enterprise IT which includes reporting and security change management. It is the equivalent of Nessus... except Greenbone is free!

Lets go ahead and get started. I had some issues installing this. There are very little screenshots but I will do my best to make the text as clear as possible. I started out by running the standard:

sudo apt-get update -y && sudo apt-get upgrade -y && sudo apt-get autoremove

Then went right into installing:

sudo apt-get install openvas

Once this completed I ran:

sudo openvas-setup

Once this completes, you will get issues. However these issues can be easy to solve.  You can find the issues by typing:

openvas-check-setup

It will go in Steps and show you what they recommend to do to sold issues. An example: 

You should see several step:

You will see the ERROR: Your OpenVAS-9 is not complete! 

Once you see that scroll up and look at the ERROR: in the last steps. It will also show you a FIX: that you can run. 

In my example I had to run gsad

then I ran the openvas-check-setup again to check for other errors. Then I would repeat the openvas-check-setup and run those fixes until it said “It seems like you OpenVAS-9 installation is OK.”

Once that is done you will need to make some adjustments to Greenbone. 

First it will always start out with 127.0.0.1 on Kali Linux. Not sure why, but the fix for that is to run the following and change IP addresses from 127.0.0.1:9001 to your device’s IP Address:Port Number. So first go to:

sudo nano /etc/default/greenbone-security-assistant

There you will press the down arrow untill you see the IP Address that needs to be changed. Then go to:

sudo nano /lib/systemd/system/greenbone-security-assistant.service

then change the IP Address and port number there too. 

Finally you will need to restart the services for all the changes to go into effect. Type:

systemctl daemon-reload && systemctl restart greenbone-security-assistant.service

Once that goes into effect, you should be able to go to your local https://IPAddress:PortNumber

Remember it has to be https!

That is it for today. Hopefully you enjoy my Raspberry Pi hacks and tools setup. 

If you haven’t used, Kali Linux is an excellent tool for penetration testing. It’s widely used by Information Security experts and can help determine vulnerabilities in your environment. You do need to know how to use all the tools that come pre-installed in order for you to test the environment, but I will definitely post about some of these at another time. Today, I am just looking at installing Kali Linux Distro on a Raspberry Pi.

I know what some of you are thinking, why would you install this on a Raspberry Pi, why not install it on a desktop or laptop? I’m glad you asked. Having Kali Linux on a Raspberry Pi can make it ultra portable, a very lightweight operating system, a great tool in the bag of tricks, and very interchangeable. Having the Raspberry Pi is so convenient, you can take it to any location and plug in and start using. Because Kali Linux  distro is smaller and doesn’t include all the bells and whistles that normal operating systems use, it runs incredibly well on a Raspberry Pi, and it’s very widely supported. It is also nice to have as an extra tool in the bag when testing environments. finally its interchangeable, as in you can switch the Micro SD card with some other install of Linux or a different OS (Raspbian or Ubuntu or even IoT Windows).

Before we begin, I want to recommend that you do not do this on a work network, as most organizations that have any type of information security network, will automatically become suspicious of you downloading Kali Linux. Remember, technically, this operating system is used for hacking, finding vulnerabilities, and exploiting weaknesses in an organizational environment. You will want to do this at home or in a allowed classroom setting (in other words: get permission if you are not sure). Disclaimer: I am not responsible for what anyone does with the information I am providing, nor do I take responsibility if your organization takes action upon you for using, installing, executing on your work, home or any other environment. Please use responsibly.

First, you want to start out you want to download the .img file from the kali linux arm image from https://www.offensive-security.com/kali-linux-arm-images/

Depending on what version of raspberry pi you have, will dictate which Kali Linux distro to install. It will start out downloading .torrent file. This will take moments to download. While that is going I would recommend downloading bittorrent or some other torrent downloader to get the image file. 

Once the download is finished it will still not be an image (.img) file just yet. It will be a .xyz file. You will want to download 7-zip (https://www.7-zip.org/) to convert the .xyz file to a .img file. 

Once you convert this file, then you are ready to install on the Micro SD card. Make sure you have belenaEtcher (https://www.balena.io/etcher/) on your PC and plug in your Micro SD card. Verify that the correct image is selected and that the correct disk is selected. 

Then select Flash! It will immediately start reimaging the Micro SD card with Kali Linux. Once this is completed, you will remove the Micro SD card and plug it into your Raspberry Pi. You should see the following screen:

If you don’t see that, you may need to restart from the beginning, and re-try to install on the SD card. 

Once inside Kali Linux it will look like this:

I hope you enjoy learning about Kali Linux as I have. It really can be a great tool for any Information Security Engineer looking to find vulnerabilities and learn about Digital Forensics. 

Fixing Kali Linux Raspberry Pi clock issue:

Install ntpdate: sudo apt-get install ntpdate

know your local ntp server: ntpdate 0.north-america.pool.ntp.org

create a folder in root and call it scripts

type: cd scripts type: nano start.sh

add the following command: sudo ntpdate 0.north-america.pool.ntp.org

ctrl c to exit, select y for yes,  and press enter to keep name as is.

type: cd ~

cd /etc/

nano crontab

on the last line type: @reboot /root/scripts/start.sh

(Whatever you do DON’T add a script for trying to automate apt-get updates/upgrades/autoremove. It will cause issues in Raspberry pi and will prevent you from logging in remotely or through ssh. If you try this you will have to log in manually and remove the script for this... you have been warned.)

ctrl c to exit, select y for yes,  and press enter to keep name as is.

verify that it works by reboot now command.

Display Settings and Ethernet port issue:

When I installed on Raspberry Pi 4 I noticed there was an issue with my network Ethernet cable connection. It was receiving IPv6 but not IPv4. I checked the Ethernet Network and it showed device not managed. I ran the following:

sudo nano /etc/NetworkManager/NetworkManager.conf

and changed the False to true as shown below:

Note: Usually, you will want to run  sudo service network-manager restart and reboot the Raspberry Pi but since we are configuring the display, we will wait until the end.

Lastly, to fix the screen, I had to go into the following:

sudo nano /boot/config.txt

Then removed the # from in front of the

disable_overscan=1;

While I did all that I ran:

sudo apt-get update

and 

sudo apt-get upgrade

Waiting for updates... Taking sooo long on slow network...

Finally rebooting with:

sudo service network-manager restart

reboot

Needs on for the Computer and Raspberry Pi

-Belena Etcher - https://www.balena.io/etcher/

-Raspbian Buster Lite - https://downloads.raspberrypi.org/raspbian_lite_latest

-Micro SD Card reader/writer

-Wired keyboard

Installing OS on Micro SD card

After downloading Raspbian Lite and Belena Etcher on your Windows machine, Select the Raspbian Lite img file. If it is still in the original zip file, please make sure you unzip or extract all the files so that Etcher can access the image file.

Select the Micro SD card, and Flash the Micro SD card.

Once the flash is complete, then you will plug in the Micro SD card to the Raspberry Pi and let it boot. You should see the following screen.

You should see the default Raspberry Login: 

Username: pi

Password: raspberry

Configuring the Raspberry Pi

Change the default username and password for the raspberry pi:

Type: Sudo raspi-config

Select option 2 and follow the instructions to change the password to something else for security.

Select the language/region option specifically for the keyboard. You will have to change to keyboard to be an English - US keyboard NOT English – GB (Great Britain) keyboard. If you do not set this up correctly, you will not be able to type commands properly.

We will also need updates

sudo apt-get update

sudo apt-get upgrade (This may take a while)

sudo apt-get install unattended-upgrade

Reboot the device by typing:

sudo reboot

Login to pi

Now we will plug our raspberry pi into the network and configure our localized options with:

sudo raspi-config

Go to the main screen and go to option 3 and select option 1 and select B2.

Now we will install the kiosk software:

sudo apt-get install –no-install-recommends xserver-xorg x11-xserver-utils xinit openbox

This will take 5 minutes. After it installs, then we will be using chromium browser in incognito mode to configure the webpage.

Set this for Kiosk mode:

Sudo apt-get install –no-install-recommends chromium-browser

Type y

This will take 10 minutes to install.

Now we will setup autostart.

sudo nano /etc/xdg/openbox/autostart

You will see the following:

Note: If you do not see the screen above, you may have to troubleshoot. Troubleshooting steps: run the following:

sudo apt-get clean

sudo apt-get autoremove

sudo apt-get remove --auto-remove --purge 'libx11-.*'

sudo apt-get autoremove --purge

Now, go back and re-install the kiosk software and the chromium browser.

Once, get the screen above, leave everything as is. Move to the bottom of the screen where there is no text. Type:

xset s off

xset s noblank

xset –dpms

chromium-browser --disable-infobars --kiosk --incognito ‘http://www.DavidAlanGarza.com’

Once you have that set, type Cntl-X type y Click Enter

Now to disable the mouse cursor:

Type: startx -- -nocursor -incognito

This will display the webpage or should. If it did not, you will need to see what needs correcting on the code above.

Now we will go back into

Nano .bash_profile

Now type the following very very carefully:

[[ -z $DSIPLAY && $XDG_VTNR –eq 1 ]] && startx -- -nocursor

Type CNTL-X to save and type y

Improve Security:

We will deny sshd by typing

sudo nano /etc/ssh/sshd_config

allowUsers pi

Now we will install a firewall by typing the following:

sudo apt install ufw

sudo ufw enable

Now we will install an fail2ban which scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc). Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

Type: sudo apt install fail2ban

Installing Automatic Updates:

By default your Pi won’t be rebooted if required, so if you want it to (and want to set the time) you can do that like this:

First install Unattended-upgrade

sudo apt-get install unattended-upgrade 

sudo sed -i 's/^\/\/Unattended-Upgrade::Automatic-Reboot "false";/Unattended-Upgrade::Automatic-Reboot "true";/g' /etc/apt/apt.conf.d/50unattended-upgrades

 sudo sed -i 's/^\/\/Unattended-Upgrade::Automatic-Reboot-Time "02:00";/Unattended-Upgrade::Automatic-Reboot-Time "02:00";/g' /etc/apt/apt.conf.d/50unattended-upgrades

 And if you want unused packages to be removed (like when you run apt-get autoremove):

 sudo sed -i 's/^\/\/Unattended-Upgrade::Remove-Unused-Dependencies "false";/Unattended-Upgrade::Remove-Unused-Dependencies "true";/g' /etc/apt/apt.conf.d/50unattended-upgrades

 Next we must create the /etc/apt/apt.conf.d/20auto-upgrades file to instruct the updater what to do:

 sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null <<EOF

APT::Periodic::Update-Package-Lists "1";

APT::Periodic::Unattended-Upgrade "1";

EOF

 And that’s all there is to it! Every day your Pi will now check for updates

Cloning Micro SD

Download Win32 Disk Imager onto your computer. https://sourceforge.net/projects/win32diskimager/

If you have a micro sd card you want to image, plug it into the computer.

You will see the following window:

In the image file type in where you want to save an img file. You can create an empty text file and rename it to be a .img file and write over it if you want to create an image.

Select Write to write over the image file. Select Read to erase and image the Micro SD card with whatever is on the .img file.

Last Note:

If you are noticing that something is not working right while you are building this kiosk. You may want to completely restart from scratch and re-install the OS. On of the main things about this Raspbian and these Raspberry Pi’s is that if one thing gets slightly corrupt, then the whole system can be corrupted. So with this project, be patient, and take your time. The majority of the code is Case Sensitive. It can be tedious, but I know you can do it! I hope you have fun setting up the kiosk.

Hidden Wifi:

I found out these would not connect to the hidden Wireless. It would even attempt to access. 

You must open text editor to:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

and change the following:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev update_config=1 country=US

network={        ssid="Your Hidden SSID"        scan_ssid=1         key_mgmt=WPA-PSK         psk="Your SSID's Password"

Setting up clusters in Windows Server 2016 has become so easy. However; When integrating it with other environments, like VMWare, and AO SQL Clustering. It can get quite Tricky. First we want to setup our environment in VSphere. Next we will setup Windows Server 2016 with Failover Clustering. Then we’ll make sure to make some adjustments to DNS. Finally, We will setup AlwaysOn SQL Clustering. 

Please make sure you have .NET Framework 3.5.1 or greater on the servers. Then We will need to create 2 VMs with 3 drives each. Then we will need to make sure that the drives are online, and available from other locations. However one main aspect that I had overlooked was that the Virtual Disks have to be created Eager Zero Thick not Lazy Zero Thick. I made the heinous mistake of using Lazy Zero Thick, and then could not understand why I was having so many problems. 

Note: When creating virtual disks with Eager Zero Thick, it does take longer than using the faster Lazy Zero Thick option. Eager Zero Thick Disks allocates the space for the virtual disk, then zeros it all out unlike the Lazy Zero Thick which only allocates the space. 

You also generally wouldn’t use Eager Zero Thick except for Microsoft clustering and Oracle programs. Once the disks are created we are reading to install Windows Server 2016.

Install either Datacenter edition or Standard edition. For this example we’ll use the standard edition. Install all the Microsoft Windows feature updates and verify that you have already allocated all the resources needed. Check that the additional Virtual Disks are available, and make sure you install the Failover Cluster feature. You may want to reboot after the feature is installed, if you have not done so. Once you installed the feature go to the Failover Cluster Manager and prepare to create the cluster. If this is a two node cluster be sure to add a Witness Server or Desktop. Once this is created and validated, go to your computer manager and verify that the virtual disks are online and initialized. Next, you will want to configure the cluster quorum settings. I created a separate server for this quorum and configured a File share witness. 

Now, make sure you can access these from another computer on the secured network. You will have to setup a Host A record round robin DNS situation, where you give a specified name the 2 failover cluster nodes IP adresses in the Host address. Example: if the nodes had up address of 192.168.1.43 and 192.168.1.44. Then the two Host records you would need to create are AOSqlServer -> 192.168.1.43 and AOSqlServer -> 192.169.1.44

Finally, We will enable AlwaysOn Availability Groups on SQL Server 2016. 

After Installing SQL Server 2012 or 2014 Enterprise edition on all the replicas. Please install it on as a stand-alone instance, and then we will configure SQL Server. Once you expand SQL Server Network Configuration node, and click on Protocols for MSSQLServer, you will see the TCP/IP dialog box on the right panel. Right click on the TCP/IP entry and select Enable. 

In SQL Server Configuration Manager, right click on SQL Server Services to open the Properties dialog box. Navigate to the AlwaysOn High Availability tab to select the “Enable AlwaysOn Availability Groups.

Now we must configure the login accounts and the replicas that will need read write privileges. 

First verify that your SQL Service Account is there and is a domain account, not a local machine account. Now login through SQL Management Studio (SSMS). Add you SQL Service account to the Administrators group on each replica (via computer management). Then allow connect permissions to the SQL Service account through SSMS: Right click on the SQL Service login to open the Properties dialog box. On each replica navigate to the Securables page and make sure Connect SQL Grant box is checked and allow remote connections. You can do this by using SSMS in the instance properties or by using sp_configure.

EXEC sp_configure ‘remote access’, 1;

GO

RECONFIGURE;

GO

Now we will create the file share through the Server Manager that the SQL Service account, and the replicas can access. The File is for the initial backup/restore process that happens to the databases when you join the AlwaysOn group during setup.

Last thing is to install the AlwaysOn Availability group. Once you’s ensured that full backups have been created, and all databases are in Full recovery mode, you will have to remove these databases from the tlog backup maintenece during the installation of Always on (you can always add them back). It could cause errors with both tlogs backing up while AlwaysOn is being created.

On you primary, open SSMS and expand the AlwaysOn High Availablity folder. Right click on the Availability Groups and select New Availability Group Wizard.

Select only the databases you want to include in the AlwaysOn group.

Next to the databases you will see the status with a blue link. If you see "Meets Prerequisites” it will signify that these databases are included in your group. If it does not say "Meets Prerequisites”, then click on the link to see more details on what needs to be corrected.

Now, you will specify and Add the Replicas. You will need to specify if you want Automatic or Manual Failover, Synchronous or Asynchronous Data Replication, and the type of Connections you are allowing to the end users.

Be sure to view the troubleshooting page if you have any issues:

http://blogs.msdn.com/b/alwaysonpro/archive/2013/12/09/trouble-shoot-error.aspx

The backup preferences tab will assist in choosing the type of backup and to prioritize the replica backups.

In the Listener tab, you will create an availability group listener button, Enter the string DNS name, enter port 1433 and enter the IP address for your listener, which should be an unused IP address on the network. 

Next, you will Select Initial Data Synchronization page, join the databases to the Always on group, then verify the Full option is selected for using File Shares. For large databases select Join or Skip to restore the databases to the secondary replica. We will use Full for now. Last thing to do here is remember the SQL Service accounts and set that all replicas have read/write permissions to the file Share or it will not work. 

Run the Validation checks, and make sure it the results are successful.