# MacOS 10.13 High Sierra Clean Install Gotchas

Posted: October 18th, 2017 | Filed under: Mac

MacOS High Sierra introduced the new file system APFS. I encountered some perplexing bugs.

When you are doing a clean setup on a machine equipped with an SSD, DO NOT be a smart alec and reformat your SSD to APFS!!! IT WILL NOT WORK! The setup will just try to install and reboot back to where you started. If you open the installer log you will notice the installer times out, complaining that the file system is not HFS+ and can’t be converted to APFS. So if you are going to clean install, format as HFS+ and let the installer convert it (counterintuitive, I know). Oh, and Disk Utility will unhelpfully NOT let you revert back to HFS+.

If you are reading this because you are stuck: open Terminal. Use diskutil list to figure out the identifier of your SSD. Use diskutil eraseDisk APFS <volume name> <identifier> to erase the drive, then try Disk Utility again.
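As an added example (not from the original post), the shell snippet below shows the two Terminal commands with their arguments and parses a constructed copy of diskutil list output to pick the disk identifier. It only emits the eraseDisk command when exactly one disk is reported as internal and physical, so the USB installer you are booted from is never a candidate. The sample output, the volume name Macintosh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of
# `diskutil list` output on a machine booted from a USB installer
# (assumption: the layout of a 2017-era MacBook, not captured from a real Mac).
SAMPLE_DISKUTIL_LIST='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.1 GB   disk0s2

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *16.0 GB    disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:                  Apple_HFS Install macOS           15.7 GB    disk2s2
'

# Print the identifiers of whole disks that diskutil reports as
# "internal, physical"; external media (the installer stick) never match.
internal_disks() {
    printf '%s\n' "$1" | sed -n 's#^/dev/\(disk[0-9][0-9]*\) (internal, physical):#\1#p'
}

# Build the erase command for the single internal disk. Refuse when there
# is not exactly one candidate: eraseDisk is irreversible, so never guess.
erase_command() {
    disks=$(internal_disks "$1")
    count=$(printf '%s\n' "$disks" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected exactly one internal disk, found $count" >&2
        return 1
    fi
    # diskutil eraseDisk <format> <new volume name> <whole-disk identifier>
    echo "diskutil eraseDisk APFS Macintosh $disks"
}
```

On a real machine you would feed it `"$(diskutil list)"` instead of the sample and run the printed command only after reading it back.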

Oh yeah, once you finish the install process LET FILEVAULT FINISH BEFORE YOU REBOOT!! If not (e.g. when applying the “Supplemental Update” etc.), you will have to reinstall the whole thing again!! You can check the encryption status under Preferences -> Security & Privacy -> FileVault; for my 500MB SSD drive it takes 12 hours. The first time around, I got the “Failed to open OS X Installer. The path /System/Installation Packages/OSInstall.mpkg appears to be missing or damaged.” message.

# Snort setup in pFsense details

Posted: November 10th, 2016 | Filed under: FreeBSD, pfSense, Snort

Snort is an open source intrusion detection system that is available as a package on pfSense. What this means is that a lot of aspects, from rules to system tuning, can be easily configured via the pfSense GUI.

What does Snort do? Once you have defined the networks (e.g. your local LAN, WAN), Snort scans the packets on those segments against the rules you have given it. When a packet matches a rule (e.g. I get “ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray” while using git), Snort writes an alert to the logs and (optionally) blocks the IP address from further compromise.

What doesn’t Snort do? It is not a firewall. The rules I mentioned here are separate from the firewall rules. Snort in this case works in conjunction with pfSense. You can separately install it on OpenWRT etc., or have Snort installed on another computer / bridge.

While the setup is straightforward via pfSense, there are a few gotchas I would like to point out so people can avoid them:

1. Make sure your Snort computer has enough horsepower. I know a lot of readers of this blog are from the OpenWRT world. I won’t recommend running Snort on anything slower than a second generation Core processor. I say this because I ran it via pfSense on a Thinkpad T410, which has a first generation Core, and it overheated and shut down at 85C. Memory doesn’t matter (4Gb should be more than enough) but CPU horsepower does. The second generation stabilizes around 47C under normal network load but has been cranked up to 60-70C when the whole family is online.
2. For the first little while, be prepared to check the Alerts and Blocked lists. The canned rules save you, but they will also give you false alarms, so you have to be prepared to spend time (at least initially) monitoring things. When sites you used to be able to access stop working, check the Alerts log; Snort might have blocked the site. E.g. Snort would block 213.230.210.230 and report “ET CNC Feodo Tracker Reported CnC Server TCP group 13”. It turns out that 213.230.210.230 is the site of one of the ad-list repositories. So some care must be spent monitoring the traffic, at least initially.
3. Pick only the rules you need, once you are sure. Under the Categories section for each interface, you can pick and choose which rules you want Snort to check each packet against. If you are using a Linux machine with Chrome only, you can disable the IE rules and so on.
4. Adding and/or suppressing IP addresses and rules takes a few seconds, so be patient.

# 0x8024800c error after Windows 7 restore for Lenovo machines

Posted: July 9th, 2016 | Filed under: Windows, Windows 10, Windows 7

I always find doing a clean restore of a computer is important when upgrading to a new OS. Since Windows 10’s free upgrade deadline is near, I thought I would document the workaround for the 0x8024800c error when restoring Windows 7. This usually happens with a clean install, and Windows Update (or installing a .msu) won’t work.

1. Use the Lenovo discs to restore Windows 7.
2. Do the initial setup.
3. Go to Administrative Tools -> Services.
4. Find the Windows Update service, right click -> Stop.
5. In Windows Explorer, find Windows\SoftwareDistribution and delete that directory (I empty the Recycle Bin too).
6. Go back to the Windows Update service and start it again.
7. I would restart the machine.

Now Windows Update etc will work fine.

# ByPass Lost EFI Password for Post 2010 MacBooks

Posted: June 26th, 2016 | Filed under: EFI, Mac

Recently one of my friends encountered a problem (albeit a self-inflicted one). My friend has a MacBook Air (late 2010) that was bought used. Unbeknownst to the purchaser, an EFI password had been set and wasn’t given at the time of purchase. The problem arises now that my friend wants to sell the MacBook Air after years of service to upgrade to something better. You can’t wipe and reinstall the OS with the EFI password set (it won’t boot from USB or the Recovery option without the password), and yes, swapping out the SSD or reinstalling MacOS on another machine won’t work either. The Apple Store would not reset the EFI password without a proof of purchase (which is reasonable). So I investigated what other solutions were possible.

EFI stores the password along with the system settings (e.g. the SSD id etc.) on a memory chip on the MacBook board. It is probably one of the most out-of-place chips on the whole board: it is rather big, with 8 thick pins, versus the other sleek low-profile BGA chips on the MacBook board.

If the MacBook had been purchased second hand with an EFI password set and the owner doesn’t have any Apple Store records, here are some sensible ways* to bypass it. I am describing the procedure in general, as each specific model has its own peculiarities and not all methods work for all models:
1. Buy an adaptor that allows you to reprogram the EFI chip via the SPI debug port. There are plenty of YouTube videos demonstrating that. The problem is that accessing the chip during the writing process might cook the whole board. I find this solution messy, as you sometimes have to flip over the board to proceed.
2. If you have access to an SMT rework tool, you can desolder the offending chip, dump its content, reprogram a new chip without the password and pop the new one in. It will leave chemical marks on the motherboard. In Canada, the service costs $120 and up. That’s the most physically invasive method.
3. Purchase a bypass tool (called a Matt Card by the manufacturer). It is basically a compatible chip that piggybacks off the original EFI chip via the SPI port. It copies the original EFI content when first plugged in, removes the password in that copy and sets the chip on the board to read-only (via a fuse). The downside is that the chip needs to be forever paired to the MacBook in order for the MacBook to boot. Not the most elegant solution, but installing it takes only 10 minutes, and most of that is unscrewing the pentalobe screws of the MacBook Air. It costs roughly $90 CAD.

I went with method 3, since it is not my MacBook; I don’t want to be the person explaining to my friend that the MacBook got toasted during repair. As you can see from the picture, the card is a tight fit, but it seems to work well.

Conclusion: the best solution is prevention. If budget allows, always purchase your MacOS devices directly from Apple so your account information is in their system. If your budget is limited and you have to purchase MacOS devices via non-authorized Apple channels (second hand etc.), make sure you check whether an EFI password is enabled by pressing the Option key during boot-up (or any of the combinations listed by Apple). If the screen looks like the first picture below, then an EFI password is enabled. I recommend not buying an item with the EFI password set.

Here are the pictures of the problem, chip pictures, installation and final results.

* Sensible as in not brute forcing the password, which I don’t think is worthwhile, especially for EFI passwords that are not iCloud PIN locked.

# pfSense & Snort

Posted: June 21st, 2016 | Filed under: FreeBSD, pfSense, Snort

pfSense has an option to install Snort via the package manager. Snort tells you what kind of attack is coming; it can be a bit of an information overload. However, pfSense’s Snort GUI is quite intuitive and you can pick and choose what kind of rules interest you.

When setting up Snort, I discovered that pfSense’s default sizes for the /tmp and /var directories are too small for Snort’s various rule sources. So what happens is that while you are downloading the Snort rules, the download fails (the Snort tar.gz can be over 32MB).

The fix is really simple:

Go to System -> Advanced -> Miscellaneous and change the /tmp and /var settings; I have set them to 64MB, the default is 32MB. Click “Save”; it will restart. Now try downloading the Snort rules again; it will work great!

Simple! 🙂

# Realtek RTL8111 ExpressCard works well with FreeBSD / pfSense

Posted: May 4th, 2016 | Filed under: Expresscard NIC, FreeBSD, pfSense, Realtek 8111

With the price of older Intel Core i-series laptops plummeting to the ~$100 level, I have decided to abandon OpenWRT and move to pfSense. I am not too comfortable with OpenWRT’s update mechanism, which requires a wholesale reflash for every major update, not to mention the weird tweaks you need to make for the inconsistencies between SoCs whenever a new model comes out. I think pfSense is more flexible on the software side (the built-in FreeRADIUS, certificate management and captive portal are handy for guest wifi); of course it requires more robust hardware. The downside is that the Thinkpad’s Centrino network adaptor does not support HostAP mode due to power requirements, so I guess the old router is still good for something 😉

The obvious problem with laptops is that most of them come with only a single Ethernet NIC. I am using a Thinkpad T420 as a test bed, so I found a Realtek RTL8111 ExpressCard to be the second NIC. It wasn’t listed on any FreeBSD compatibility list, but I would like to report that a generic one works just fine. I found the Thinkpad’s card slot did not seat the card properly; I had to slip the card in and out a few times to get it seated, but once that’s done it works great.

# Install FreeRadius2 on an OpenWRT router for EAP authentication

Posted: January 8th, 2015 | Filed under: freeRADIUS, OpenWRT

This tutorial requires an OpenWRT based router (obviously). It is based on my experience installing FreeRadius2 on a Netgear WNDR3800. At the end of this, you get a router with a built-in FreeRADIUS server, PEAP encryption over wifi and user storage. I have had good experience with routers based on the Atheros AR7161 chipset. They are plenty quick, have plenty of RAM (usually at least 64MB – 128MB) and have 8 – 16MB of flash memory.
Prerequisites: I recommend you do a few things first before you install FreeRADIUS2 and start configuring:

• Login to the web interface of OpenWRT, go under System -> Startup and disable telnet. It is just good practice.
• Unless you like editing files with vi on OpenWRT, install a text editor.
• Install openssh-sftp-server, so you can transfer the key certificates and related files easily via sftp.
• ssh into your router and install the OpenSSL utility by issuing:

```
opkg install openssl-util
```

• Stay in the shell and create the CA & server certificates you are going to use with freeRADIUS; skip this step if you already have an authenticated certificate. Just upload it to a directory you can remember on the router.
• Create the OpenSSL ca.cert and server.pem certificates:

1. Create the directory structure (if you store it in your /etc directory, it will get backed up by the stock backup utility):

```
mkdir ~/CA && chmod 700 ~/CA && cd ~/CA
mkdir certs
mkdir newcerts
mkdir private
mkdir crl
touch index.txt
echo "01" > serial
echo "00" > crlnumber
```

2. Copy openssl.cnf from /etc/ssl/openssl.cnf to the ~/CA directory above. Also edit it to your satisfaction (note the directory name). The directory variables should match the ones above.

3. Create a file called xpextensions with the following content and leave it in the directory where you put openssl.cnf:

```
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
```

4. Create the CA key and link it symbolically into the private dir (the link target must be the full path; a bare cakey.pem target would make the link point at itself):

```
openssl req -new -x509 -days 7300 -keyout cakey.pem -out cacert.pem -config openssl.cnf
ln -s ~/CA/cakey.pem ~/CA/private/cakey.pem
```

5. Create the certificates (make sure you keep track of all the passwords, especially the in/out passwords at the last step; you need that for freeRADIUS’s config):

```
openssl req -config openssl.cnf -newkey rsa:4096 -keyout serverkey.pem -out servercert.req
openssl ca -config openssl.cnf -out servercert.pem -extensions xpserver_ext -extfile xpextensions -keyfile cakey.pem -infiles servercert.req
openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -clcerts
openssl pkcs12 -in server.p12 -out server.pem
```

6. Create the Certificate Revocation List, DH parameters and random file:

```
openssl ca -config openssl.cnf -gencrl -out crl.pem
openssl dhparam -text -5 1024 -out dh
dd if=/dev/random of=random bs=1M count=2
```

• The default wpa driver (wpad-mini) doesn’t support 802.1X enterprise encryption, so we need to install the full version of wpad. The step below is specific to routers based on the Atheros chipset, so consult the OpenWRT hardware list to make sure. Uninstall wpad-mini and install the full wpad. Some older instructions will say to install hostapd, but that has been deprecated since OpenWRT 7.0.3 (see here):

```
opkg remove wpad-mini
opkg install wpad
```

• Optionally install SQLite3, in case you have quite a few users and want to do accounting etc.:

```
opkg install sqlite3-cli libsqlite3
```

Installation:
Copy and paste the following into the ssh shell:

```
opkg install freeradius2 freeradius2-common freeradius2-mod-chap freeradius2-mod-detail freeradius2-mod-eap freeradius2-mod-eap-md5 freeradius2-mod-eap-mschapv2 freeradius2-mod-eap-peap freeradius2-mod-eap-tls freeradius2-mod-eap-ttls freeradius2-mod-exec freeradius2-mod-files freeradius2-mod-logintime freeradius2-mod-mschap freeradius2-mod-pap freeradius2-mod-passwd freeradius2-mod-preprocess freeradius2-mod-radutmp freeradius2-utils
```

Also the following if you want to use SQLite (I recommend this for test purposes for now):

```
opkg install freeradius2-mod-sql freeradius2-mod-sql-sqlite freeradius2-mod-sqlcounter freeradius2-mod-sqllog
```

Small steps before configuration:

1. In LuCI go under System -> Startup and click the Enabled button to disable radiusd; if radiusd is running, click Stop.
2. ssh in and edit /etc/init.d/radiusd: replace or comment out

```
radiusd -i $IPADDR -p 1812,1813 $OPTIONS
```

and replace it with

```
radiusd $OPTIONS
```

The reasoning for step 1 is that you will want to run radiusd -XX (debug mode) while you are configuring and testing. We need step 2 because radiusd should also listen on localhost; we want to stop radiusd from listening only on our network IP address.
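The certificate steps in the prerequisites above are interactive: openssl prompts for every subject field and passphrase. As an added example that is not from the original post, the script below performs the same steps unattended on any machine with OpenSSL 1.1 or newer: it creates the CA layout, writes a minimal openssl.cnf whose directory variables match that layout (instead of copying /etc/ssl/openssl.cnf), signs the server certificate with the xpserver_ext extension, does the PKCS#12 round trip that yields server.pem, and generates the CRL. It ends with the check a practitioner would run before pointing eap.conf at the files. The CA directory, the subject names, the key sizes, the passwords passed as arguments and the function names are all assumptions; the CA key is written unencrypted so that the script can run unattended, which is why the directory is made mode 700.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: OpenSSL 1.1+,
# the CA directory is $1 (e.g. /root/CA on the router), subject names
# and passwords are placeholders.
set -e

# Steps 1-3: layout, bookkeeping files, xpextensions, and a minimal
# openssl.cnf matching the layout. crlnumber starts at 01 here, not 00.
make_ca_dirs() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private" "$ca/crl"
    chmod 700 "$ca" "$ca/private"
    : > "$ca/index.txt"
    echo "01" > "$ca/serial"
    echo "01" > "$ca/crlnumber"
    cat > "$ca/xpextensions" <<'EOF'
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $ca
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 4-6: CA key/cert, server key/CSR, signing with xpserver_ext, the
# PKCS#12 round trip that produces server.pem, and the CRL. $2 is the
# PKCS#12 ("in") password, $3 the server.pem key ("out") password that
# becomes private_key_password in eap.conf.
make_certs() (
    cd "$1"; p12_pass="$2"; key_pass="$3"
    openssl req -new -x509 -days 7300 -newkey rsa:2048 -nodes \
        -keyout private/cakey.pem -out cacert.pem \
        -subj "/CN=Home WiFi CA" -config openssl.cnf
    chmod 600 private/cakey.pem
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout serverkey.pem -out servercert.req \
        -subj "/CN=radius.lan" -config openssl.cnf
    openssl ca -batch -notext -config openssl.cnf \
        -extensions xpserver_ext -extfile xpextensions \
        -out servercert.pem -infiles servercert.req
    openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem \
        -out server.p12 -passout "pass:$p12_pass"
    openssl pkcs12 -in server.p12 -out server.pem \
        -passin "pass:$p12_pass" -passout "pass:$key_pass"
    openssl ca -config openssl.cnf -gencrl -out crl.pem
)

# DH parameters and random file from step 6; slow, so kept separate.
make_dh() (
    cd "$1"
    openssl dhparam -out dh 2048
    dd if=/dev/urandom of=random bs=1M count=2 2>/dev/null
)

# Sanity check: the server cert must chain to the CA and carry the
# serverAuth EKU that Windows supplicants require. Returns 0 if both hold.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/servercert.pem" >/dev/null &&
    openssl x509 -in "$1/servercert.pem" -noout -text |
        grep -q 'TLS Web Server Authentication'
}
```

Usage on the router would be `make_ca_dirs /root/CA && make_certs /root/CA p12pass pempass && verify_server_cert /root/CA`, then `make_dh /root/CA` while you go for coffee; eap.conf then gets certdir and cadir set to /root/CA and private_key_password set to pempass.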

Configuration:
Unlike in the FreeRADIUS documentation, our configuration files are stored in the /etc/freeradius2 directory instead of /etc/raddb or /etc/freeradius/.

Here is the list of files you will need to modify:

1. radiusd.conf
In this section you configure the listening ports and IP address:

```
listen {
    type = auth
    ipaddr = 127.0.0.1
    port = 0
    interface = br-lan
}
```

In the above example, type is required; ipaddr and interface are recommended. If they are not there, radiusd will try its best guess.

• type can be auth or acct, which stand for authentication and accounting.
• ipaddr is the IP address; since we are running a server locally, localhost is a must.
• port is the port to listen on; 0 tells radiusd to use the system default.
• interface is the name of the network interface you want radiusd to listen on; on OpenWRT, br-lan is the bridged LAN virtual interface.

If you want other APs on your network to authenticate using this server, make another listen instance that listens on this server’s network address.

2. eap.conf
Since we are going to use PEAP, you just have to go to the tls {} section and fill in the relevant information, i.e.:

• certdir: the directory where the server certificate lives (see above)
• cadir: the directory where the CA certificate lives
• private_key_password: the “out” password used in the last step of the server.pem generation
• private_key_file: the location of server.pem

Make sure the files referenced in the lines after the above make sense.

3. clients.conf
This file stores the information about other APs or devices that might use this server for authentication. For our purposes, we need localhost:

```
client localhost {
    secret                        = SomeSecretPhrase
    require_message_authenticator = no
    nastype                       = other
}
```

You will need to enter the secret in the WiFi security setup page.

You can add other APs by their particular IP addresses (for clients that reach the server over the network rather than localhost, set require_message_authenticator = yes so that requests without a valid Message-Authenticator are rejected).

4. users
This is the text file which stores users’ names and passwords in cleartext. The reply items after the first line must be indented:

```
"User name in quotes"       Cleartext-Password := "Password in quotes"
        Reply-Message = "Hello, %{User-Name}",
        Fall-Through = Yes
```

Enable the Fall-Through option if you have other users after this one.

5. sql.conf

The setup is quite simple:

```
sql {
    database = 'sqlite'
}
```

The default database always resides in /etc/freeradius2 and is called sqlite_radius_client_database.

I don’t think SQLite is production ready yet for version 2 of freeRADIUS. You can grab the schema and SQL files from the 3.0.x source tree, particularly under the freeradius-server/raddb/mods-config/sql directory.

Put the SQL files in a directory that you can access on OpenWRT. Use sqlite3’s .read command to read and execute the SQL files.

Configuring the Wifi interface:

Go under Network -> Wifi in LuCI.

1. Select the Wireless Security tab underneath Interface Configuration
2. Select WPA2-EAP
3. Enter radiusd’s IP address in the Radius-Authentication-Server field
4. Enter the secret (as you typed it in clients.conf) in the Radius-Authentication-Secret field
5. Click on Save and Apply

Test and Debug:
Open an ssh shell and type in radiusd -XX. If the configuration is correct, a whole bunch of text will fly by, ending with a line saying radiusd is listening; now you can try to get some of your wireless devices to connect using the new WPA2-EAP or WPA2-Enterprise settings.

When you are happy with the settings, go back to System -> Startup and enable radiusd.

Backup:
A note about the Backup function under System -> Backup/Flash: it only backs up the /etc directory. So keep that in mind, and do back up your certificate directory.

# Installing Parallel Tools 9 via CLI in Debian

Posted: September 16th, 2014 | Filed under: Debian

1. Make sure the CD-ROM is active and connected in the machine configuration (without this Parallels cannot mount the Parallels Tools ISO).
2. su