Latest articles in ‘Cookbook’

  1. How to install GNS3 and VMware Player on Linux (Debian)

    Published: Sat 12 August 2017 in Cookbook.
    Updated: Sat 19 August 2017
    Step-by-step guides to install GNS3 and/or VMware player on Linux.

    While installing GNS3 and VMware should be easy, it is in fact very easy to lose a lot of time on silly issues.

    • If you are interested only in installing VMware Player, feel free to go directly to the corresponding part.

    • If you are interested in installing GNS3, I also recommend installing VMware Player, as some appliances may require it.

    RouterGods also shared a few tips on how to set up a more comfortable GNS3 lab. Take a few minutes to check it once you have finished the installation!

    Installing GNS3

    GNS3 relies on Linux kernel features. If you are not a Linux user, the recommended way to use GNS3 is to use the GNS3 official virtual machine. This virtual machine may also be a good solution if you are a Linux user but you just want to quickly test GNS3 or do not want to modify your host environment.

    For a regular …

  2. How to build a virtual pentest lab

    Published: Fri 11 August 2017 in Cookbook.
    Updated: Sat 19 August 2017
    A guide to choosing the best hardware and software to match your needs at the lowest cost and effort.

    Standalone virtual machines are both a cheaper and a more practical solution for testing systems, as they do not need dedicated hardware and are easier to handle than physical installations (actions such as cloning, taking a snapshot or rolling back become trivial).

    Network virtualization goes a step further and applies the same principle to a whole network, including workstations, servers, and all networking devices such as switches, routers and firewalls. A virtual network can be of any size and topology, and can mimic any real-life situation such as Active Directory domains, remote-access or site-to-site VPNs, or test protocols of every network plane.

    Such a virtual network can be either fully isolated or have one or several links to physical devices and networks; it is all up to you to decide.

    The goal of a virtual lab is to be able to quickly set up the environment which will allow you to …

  3. Isolate your services using jails and containers

    Published: Thu 10 August 2017 in Cookbook.
    Use FreeBSD jails and Linux LXC efficiently to make your server both more secure and easier to manage.

    Containers and jails allow you to make your system more secure, more reliable, more flexible and, at the end of the day, easier to manage. Once you get used to them, it becomes difficult to conceive of setting up a server without such features.

    But what are they exactly?

    Containers and jails

    Containers and jails designate different implementations of operating-system-level virtualization. Like a lot of low-level security features we encounter in today’s world, this functionality can be traced back to the old mainframes, where reliability and parallelism are at the core of the system, and which allowed a host system to be partitioned into smaller isolated systems.

    This feature then went through commercial Unixes to finally reach open-source operating systems. The first open-source OS to really implement this feature was FreeBSD, which has offered its jail functionality since 2000 (FreeBSD 4.0). In the meantime there were several more-or-less successful attempts …

  4. FreeBSD jail SHM hole (CVE-2017-1087)

    Published: Wed 02 August 2017 in Cookbook.
    Updated: Thu 16 November 2017 (CVE assigned to this issue (finally, thanks Remko!))
    FreeBSD <=10.3 jails are not air-tight: vulnerability explanation and POC.

    In FreeBSD’s early days, shared memory (SHM) objects were associated with an actual file system object. Each jail having its own filesystem root, SHM objects were therefore not reachable by other jails.

    FreeBSD 7.0 switched to a purely abstract representation of SHM objects. They are now just names, with no relation to the underlying filesystem.

    Due to this, any jail gained read-write access to any SHM object system-wide, with no available workaround to prevent or limit this (this is not to be confused with IPCs, which can be disabled on a per-jail basis; here there is strictly no way to prevent the issue).

    This issue has been published in the FreeBSD Security Advisory FreeBSD-SA-17:09 and CVE-2017-1087.

    fbsd-shm-hole.c is a small POC allowing you to quickly test and demonstrate the issue.


    1. Compile and copy this tool in two different jails …

  5. How to examine Android SELinux policy

    Published: Mon 15 August 2016 in Cookbook.
    A step-by-step guide from building your environment to a concrete example showing the tools in action.

    Examining SELinux policy should be a trivial thing, but Android turns this into some kind of nightmare. In fact, Google has designed Android mainly from a consumer perspective, and not for power users. The result is that, as soon as you want to do something outside of using the latest Facebook app or playing Candy Crush, you very quickly find yourself back in the realm of early-2000 Linux, when developer-like knowledge was required to change what should be simple settings. I believe that the situation will evolve quickly as the Android system gets more mature, but for now we have to make do with what we have got…

    As you said, there are two reasons why it is necessary to compile your own SELinux toolset:

    • The system provided toolset is usually a version behind. While Android’s SELinux relies on policy DB version 30, current Linux boxes usually handle only version up …

  6. How to unpack and edit Android boot img?

    Published: Thu 11 August 2016 in Cookbook.
    A step-by-step guide from fetching and editing to reflashing an Android boot image.

    Tools selection

    The method I present here relies on CyanogenMod’s Android source code.

    While Google’s AOSP only provides the tool to build the boot.img file, CyanogenMod also adds the unpackbootimg tool allowing you to unpack it. This tool does not seem specifically designed for CyanogenMod in any way, so chances are that it will work for other ROMs as well.

    There are however a relatively large number of alternatives to unpack the boot.img file which all work more-or-less the same.

    Basically, such an unpack tool will extract the content of the boot.img file and display a set of parameters you will have to pass to Google’s mkbootimg tool to build a file whose configuration (mainly kernel parameters and memory addresses) will match the original one.

    Here are a few examples; I did not test them personally, so I cannot recommend any, and I present …

  7. How to block laptops and cellphones microphones from spying on you?

    Published: Mon 18 July 2016 in Cookbook.
    Various ways to prevent your mobile devices’ microphones from being used as roving bugs.

    In State of Surveillance, Edward Snowden explains the real danger behind cellphone spying, notably the fact that such a form of spying provides access to information you cautiously never stored in any electronic device.

    It also demonstrates how to take apart a cellphone and remove the camera and the microphone. Is going this far really necessary? Are there any reversible or more convenient ways?

    While IMHO using some black electrical duct tape should be enough to blind a camera in most situations, things get more complicated with the microphone, but we still have several possibilities.

    Physical destruction / removal

    The most well-known and most effective solution is to physically destroy (drill) or remove (desolder) the microphone: with no microphone left, there is no malicious way to use it. An external microphone can then be plugged in whenever required (earphones, for instance, in the case of cellphones).

    Be aware however that certain devices (in particular cellphones and …

  8. How to run a CAM table overflow attack in GNS3

    Published: Sun 26 June 2016 in Cookbook.
    Updated: Sat 19 August 2017
    Background information on CAM table overflow attacks and concrete steps to reproduce them in a GNS3 lab.

    Knowing where the difference with real gear lies

    For performance reasons, a lot of switching functions are actually not part of the IOS code but are implemented in hardware. This includes the ARL, or Address Resolution Logic, which provides all the methods to add, remove and look up entries in the MAC address table.

    Therefore, for the NM-16ESW module to work in GNS3, Dynamips had to reimplement all these normally hardware-provided services, or at least push this far enough to allow an unmodified IOS to run on it correctly.

    The sad thing is that this is indeed unfinished work, as stated in this module’s source code header:

     * Cisco router simulation platform.
     * Copyright (c) 2006 Christophe Fillot (
     * NM-16ESW ethernet switch module (experimental!)
     * It's an attempt of proof of concept, so not optimized at all at this …

  9. Prevention measures against laptop seizure by the customs.

    Published: Mon 11 May 2015 in Cookbook.
    Steps to mitigate the risk of data theft and backdoor installation upon device seizure.

    The ANSSI, the French government service in charge of IT security, has published a document (in French) providing brief advice to people having to travel abroad.

    The ANSSI advice concerning preparation before travel is as follows:

    1. Review the applicable company policy,
    2. Review destination country applicable laws,
    3. Prefer to use devices dedicated to travel (computers, smartphones, external storage etc.) and not containing any data not strictly needed for the mission,
    4. Backup all of your data before leaving and keep the backup in a safe place,
    5. Avoid taking any sensitive data at all, prefer to use a VPN (or a specially set up secured mailbox where all data will be deleted after retrieval) to retrieve the data securely (this is one of the most on-topic pieces of advice, since this one prevents any sensitive data from being present on the computer when crossing the border),
    6. Use a screen filter to avoid shoulder surfing …
