devices.sh

1
2

curl -s 'http://<your router>/api/devices' ' -H 'Cookie: test; Session=<use yours>; XSRF-TOKEN=<get one>' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36' -H 'Accept: application/json, text/plain, */*' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Connection: keep-alive' --compressed \
| sed -e '{ s/\[//g; s/{/\n/g; s/^.+//g; s/ipv6Address.+(?="mac)/\t/g};' | grep -v "rssi\":0" 

peekaboo.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

#!/bin/bash
while true
do 
    ./devices.sh | cut -d, -f 6-7,12,14,16 | egrep -i -e '<MAC or Vendor-Prefixes to look for>'
    if [ $? -eq 0 ]
    then
        echo -e "\a\n\n\nret[$?] -- DEVICES FOUND !!\n\n\n" && \
            /usr/bin/mpg123 -q $HOME/.sounds/peanutbutter-jelly-time.mp3
        break
    else
        echo "ret[$?] -- $(date +%H:%M:%S) - Devices not found.."
        sleep 3
        clear
    fi
done

I'll elaborate in the near future. Have fun!

The other night I decided to do the long-overdue update of my Gentoo install on my netbook which serves as my XBMC machine. As expected, something along the way broke and XBMC's dependency, ffmpeg, failed to build. After a long struggle, I gave up on the XBMC ebuild and went with XBMC's successor, Kodi. Making haste, I neglected to enable any of Kodi's optional USE-flags. The result: everything perfect Kodi-side (faster actually), but my various remote-control browser-addons, mobile apps, and scripts were made useless.

Meet Kodi's fwiend, JSON-RPC

For months now I've been using a script called xbmc-play. It was simple to use, and lightweight. Problem is that, like most XBMC/Kodi remotes, the underlying mechanics that handle the communication required the webserver feature on the Kodi machine. Since I know a fair amount about scripting and very little of building extensions for browsers and Android apps, scripting became the first part of this journey to regain remoting ability.

In first discovering the lack of a webserver, running netstat -tuanp confirmed no process was listening on the defaut port 8080. The listing did reveal that after enabling "Allow programs on other systems to control Kodi" it listens on port 9090. And a quick google of Kodi's relation to this port will tell you that the JSON-RPC protocol is what's understood on Kodi's end.

First Impression

Looking over the JSON-RPC API articles at the Kodi Wiki and it's official documentation you can get ideas about the syntax of these 'requests' the commands have to make and go from there.

Prior experience manually interacting over TCP/IP came in handy. I was quickly able to test some prototype requests with Kodi using the wiki-suggested telnet tool. Ultimately, I chose to work with netcat as it seemed more fitting for use in the resulting script that follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

#!/bin/bash

## YouTube Kodi Script [http://github.com/pnd4/kodi-play] 
#by pnd4 
#
# - Portions from "YouTube XBMC Script" by Tom Laermans [tomlaermans.net]. 
#   This script is (also) released into the public domain.
# - Description: Uses Kodi's native JSON-RPC to play YouTube content remotely
#   without need for the webserver.
# - Requires: netcat (tested with GNU Netcat)
# - Usage: kodi-play < URL | YouTube-ID >
# -    ex: kodi-play hABj_mrP-no

## Configure Kodi's RPC details here
KODI_HOST=gen2
KODI_PORT=9090

## Don't touch anything under here

REGEX="^.*((youtu.be\/)|(v\/)|(\/u\/\w\/)|(embed\/)|(watch\?))\??v?=?([^#\&\?]*).*"

ID=$1

if [ "$ID" == "" ];
then
  echo "Syntax $0 <id|url>"
  exit
fi

if [[ $ID =~ $REGEX ]]; then
  ID=${BASH_REMATCH[7]}
fi

# Sends our JSON-RPC request to Kodi, and closes the connection.
function jrpc_req {
    echo -n "$1" EOF | nc -c $KODI_HOST $KODI_PORT;
}

echo -n "Opening video id $ID on $KODI_HOST ... "


jrpc_req '{"jsonrpc": "2.0", 
           "method": "Playlist.Clear", 
           "params":{"playlistid":1}, 
           "id": 0}';

jrpc_req '{"jsonrpc": "2.0", 
           "method": 
           "Playlist.Add", 
           "params":{"playlistid":1, 
           "item" :{ "file" : "plugin://plugin.video.youtube/?action=play_video&videoid='$ID'"}}, 
           "id": 0}';

jrpc_req '{"jsonrpc": "2.0", 
           "method": 
           "Player.Open", 
           "params":{"item":{"playlistid":1, "position" : 0}}, 
           "id": 0}';

echo "Done."

What's Next

Having got to dabble into communicating with Kodi over JSON-RPC and being with met less trouble than success. I'm thinking about pursuing a desktop application or at least framework for controlling Kodi/XBMC. It would certainly fulfull my need, and maybe help someone else looking for remote-control without the need for a excess bloat services like a webserver or unnecessary consumption of resources client-side from yet another browser-addon.

With the advent of compact low-powered embedded systems, people seem forget to leverage the power of older systems largely in part due to resource limitations. My netbook, for instance, at most can have 2GB of RAM. Modern machines come with at least 4GB these days, but modern applications like Chrome are quick to claim it. If we choose to design our systems and their appilcations intelligently life won't necessarily be over for such devices like my netbook and won't be for some time as long as we remain resourceful as users and continue to keep modularity in mind as developers.

Using 2.07-2 as a base

Copied PKGBUILD for lzo2-2.07-2 from ABS.
Changed 'arch' to suit ALARM.
Deleted the stuff regarding 2.07 (patch: src, checksums).
Changed pkg version and release values from '2.07-2' to make '2.08-1' respectively.

Making it work

Seems like adding CFLAGS="-DLZO_DEBUG" before ./configure .. made the difference whether it built or not.

Maintaining Security?

However setting the CFLAGS environment variable showed a warning that if not using at least "-O" ("-O2" being the default makepkg.conf optimization CFLAG) then it would not use "-DFORTIFYSOURCE=2" which sounds important from a security-minded perspective.

After some light reading about GCC's flags:
Security Related Flags
-O option flag
Relationship: FORTIFY_SOURCE & O-Flag

Looks like the best option would be to disable 'FORTIFYSOURCE' but still maintain the highest level of security otherwise and retain the ability to protect from stack-smashing attacks by setting 'stack-protector-all'. It seems with 2.08 we have only two choices: "-O0" or no optimizations at all. Personally, I'd gladly sacrifice runtime-speed optimizations for security, when having both is not an option and since ARM devices don't have much memory, why not use "-O0" if we can.

This equates to CFLAGS="-Wall -O0 -U_FORTIFY_SOURCE -fstack-protector-all"
(seen on line #21)

Full PKGBUILD

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

#### PND4 - 07/02/14 07:30
# http://pnd4.github.io/downloads/code/lzo-2.08-1-arm/PKGBUILD

pkgname=lzo2
pkgver=2.08
pkgrel=1
pkgdesc="Portable lossless data compression library"
arch=('arm')
url="http://www.oberhumer.com/opensource/lzo"
license=('GPL')
depends=('glibc')
source=(http://www.oberhumer.com/opensource/lzo/download/lzo-${pkgver}.tar.gz)
md5sums=('fcec64c26a0f4f4901468f360029678f')

prepare() {
  cd "${srcdir}/lzo-${pkgver}"
}

build() {
  cd "${srcdir}/lzo-${pkgver}"
  CFLAGS="-Wall -O0 -U_FORTIFY_SOURCE -fstack-protector-all" ./configure --prefix=/usr --enable-shared

  make

  # build minilzo
  gcc $CFLAGS -fpic -Iinclude/lzo -o minilzo/minilzo.o -c minilzo/minilzo.c
  gcc $LDFLAGS -shared -o libminilzo.so.0 -Wl,-soname,libminilzo.so.0 minilzo/minilzo.o

}

check() {
  cd "${srcdir}/lzo-${pkgver}"
  make test # Larger test
  make check
}

package() {
  cd "${srcdir}/lzo-${pkgver}"
  make DESTDIR=${pkgdir} install

  # install minilzo
  install -m 755 libminilzo.so.0 ${pkgdir}/usr/lib
  install -p -m 644 minilzo/minilzo.h ${pkgdir}/usr/include/lzo
  cd ${pkgdir}/usr/lib
  ln -s libminilzo.so.0 libminilzo.so
}

TO-DO

• Have someone proof/verify the PKGBUILD.

In any case, doing the deed myself was surprising easy. Though I'd imagine someone without any prior knowledge of codecs, aspect ratio, and bitrate may run into trouble. I'd suggest they give my commands a shot.

Lets start off by making sure we have ffmpeg installed on the buffest rig you've got. This can be preety heavy lifting and can take quite sometime on older machines.

Now assuming we have our original file EP1_HD_1080p.mov in our current directory, running the following command will get us going.

1

ffmpeg -i EP1_HD_1080p.mov -ac 2 -qscale 5 -f mp4 -s 854x480 ep1_sd_480p.mp4

To break it down, here's the same command with placeholders.

1
2
3
4
5
6
7

ffmpeg \
    -i [input-filename] \
    -ac [# of audio-channels] \
    -qscale [quality-scale: 1-31 (1 = highest quality)] \
    -f [format: mp4, avi, mkv, ..] \
    -s [Resolution: (Width)x(Height)] \
    [output-filename]

Now you may have checked out some examples before mine and noticed others' had a lot more options. It just goes to show that ffmpeg is the go-to utility. Whether small job like mine or the demands of a release-group like "YIFY", you can't go wrong.

As always, good luck!

After 'inspecting' the source of a live webcast and the data that gets thrown around once the plugin is launched, I managed to get a 10$ webcast for free. To be honest, I feel like I just got lucky with this one.. While media is still woven into websites with embed tags as it was back when Geocities was booming, where besides the scrolling marquee we all insisted on looping our favorite song in the background, but this time theres all sorts of new protocols, plugins, and codecs at work. We can't just 'view-source' and expect to see 10-dollars-worth-of.mp4. There's nothing to worry about though, we only have to dig a little harder. Probably real hard if you're like me and have never had much experience with media plugins.. So lets get to it.

First, you're going to want to check out the source of the page where the plugin and stream play. Your browser's developer tools come in real handy and should have everything you need for sleuthing around.

Right now we just need to take note of the vendorID and mediaID parameters. Both were mentioned at least a few times thoughout the page I was working with.

Next we want to examine the SMIL file which will tell us exactly where we can find our stream. I found mine by using Firefox's network console and paying attention to the back-and-forth dialog going on between the browser's plugin and the webcast host. I suspect if you did the same you'd come up with similar, so here's mine to save you the trouble.

1

curl hxxp:||cdn.m0b1ler1der.c0m/m0b1ler1der/mobilestorefront/<vendorID>/media/file/<mediaID>/streams.smil

In the output of the previous command here should be a couple key-value pairs like content="http://yadayada.yup" and src="/theStreamsUWereLookinFor@rightHurr" to help you put together a URI to pass to your chosen media player.

This URI is direct access to the stream, but if it returns an error or otherwise you're going to need to invesigate further. My hope is that I've at least set you on the right foot toward success. As a final clue, here's what my result would've looked like using the example values I've used thus far.

1

http://yadayada.yup/i/theStreamsUWereLookinFor@rightHurr/master.m3u8

If you're wondering the origin of the parts of the URI not supplied explicitly in the SMIL, they were taken from a previous URI from the same site, before they started asking for money.

Flash-Drive I/O

Flash memory is cheap and small. Most even have enough storage space that you can house your ROOTFS pretty comfortably. The downside is pretty sluggish reads/writes. Fortunately the pogoplug has 256MB's of RAM; By allocating some commonly written directories in RAM we gain speed plus the benefit of less write-cycles overall to our flash-memory. If you don't already know, flash memory has a limited number of writes, so this effectively prolongs the life of your drive/system.

Simply add/replace the appropriate lines to fstab ..

1
2
3
4
5

tmpfs /tmp         tmpfs nodev,nosuid,noatime           0 0
tmpfs /var/tmp     tmpfs nodev,nosuid,noatime           0 0
tmpfs /var/log     tmpfs nodev,nosuid,noatime,size=20M  0 0
tmpfs /var/run     tmpfs defaults,noatime,size=1M       0 0
tmpfs /var/lock    tmpfs defaults,noatime,size=1M       0 0

I/O Governor

The logic that is behind your drive/disk access can be tweaked reducing lag by appending the following line to /etc/rc.local

1

echo deadline > /sys/block/sda/queue/scheduler

Note That I don’t use the noop scheduler because deadline can be better as it group small accesses, which improve latency. The default, cfq is better suited for disk-drives.

xrandr

Using xrandr[^1] we are able to dynamically modify our desktop's properties.

OFF

1

xrandr --output DVI-0 --off

ON

1

xrandr --output DVI-0 --left-of VGA-0 --auto

[^1]: Xrandr's Man Page

Commands

Redirect rtmp port using iptables.

sudo iptables -t nat -A OUTPUT -p tcp --dport 1935 -j REDIRECT

Sniffing for stream parameters.

rtmpsrv

Once you've captured a stream, you can undo the redirection.

sudo iptables -t nat -D OUTPUT -p tcp --dport 1935 -j REDIRECT

Use rtmpdump like so, piping the output to mplayer/vlc

rtmpdump -q -r "rtmpe://origin.hdcast.org:1935/redirect/" -a "redirect/" -f "LNX 11,9,900,152" -W "http://www.udemy.com/static/flash/player5.9.swf" -p "http://www.hdcast.org/embedlive2.php?u=ban5&vw=640&vh=460&domain=www.btsportshd.com" -y "ban5" -b "10000" -v | mplayer -really-quiet -framedrop -

Important options

rtmpdump

• -r [tcURL ex. "rtmp://stream.url/"]
• -a [app ex. "redirect/"
• -y [playpath ex. "freetv4"]
• -v [live]
• -b [buffersize ex. "10000"]
• -W [swfURL ex. "http://stream.url/flash/player5.9.swf"]

mplayer

• -really-quiet [Suppresses output.]
• -framedrop [Helps with streams.]
• - [Plays from stdout.]

Port redirect helper script

I wrote a bash script that takes the hard part, remembering, out of the iptables step.

#!/bin/bash

## PND4
## o1.27.13

success() {
  echo ".. success :)"
}

failure() {
  echo "-- FAILURE :("
}

add-rule() {
  sudo iptables -t nat -A OUTPUT -p tcp --dport 1935 -j REDIRECT
}

del-rule() {
  sudo iptables -t nat -D OUTPUT -p tcp --dport 1935 -j REDIRECT
}

case "$1" in
  start)
    echo "Starting.."
    # also delete rule if it exists for some reason to avoid dupes.
    # always errors out so we ignore it
    del-rule 2>/dev/null
    add-rule
    [ $? -eq 0 ] && success || failure
    ;;
  stop)
    echo "Stopping.."
    del-rule
    [ $? -eq 0 ] && success || failure
    ;;
  *)
    echo "Usage: $0 <start|stop>"
    ;;
esac

Useful Links and References

1. rtmpsrv tutorial
2. XBMC: hint on buffer option

[as of 11.11.2013]

• 20-23 HD-3000
• 15-20 Rocketfish 720p RF-HDWEB
• 17 M$ HD-2300

RasPi Notes

RasPi community has good info on the subject. Should be valid for Pogoplugs too.

A few recommendations I have for streaming USB webcams with linux:

1. Unless you need the capabilities of motion (that is, you are using the motion detection built in to motion) use mjpgstreamer instead of motion. Motion processes each image to see if pixels have changed, and by default runs a lot of binary morphology on the images (erode, dilate, etc), where mjpgstreamer just streams. On my Pogoplus with four cameras this means the difference between 60%+ cpu utilization versus single digits (and to get down to 60% I had to drop the framerate to 2Hz and go through a bunch of options to turn off as much processing as possible). I have another machine running zoneminder which processes my streams which is why I don't mind forgoing motion detection.

2. Use MJPEG instead of YUV If you want multiple webcams on a single USB bus this is basically a necessity. Even if you don't it means a lot less data to process. This is the default in mjpgstreamer, in motion set: "v4l2palette 2" in motion.conf

3. Get a webcam with known support Some webcams have a problem where the request a lot more bandwidth than they need and this means you can't use two at the same time. There is a hack to get around this in YUV mode, but not MJPEG which isn't much of a help. If you are up for hacking the driver yourself it should be possible to skip the BW check and make these work anyway, but that is quite a bit of work.

Cameras that work simultaneously (no bandwidth bug): -Logitech C120 -Logitech C160 -Logitech B500 -Logitech Quickcam E 3500 -Logitech Quickcam Messenger -Microsoft HD-3000 -Microsoft HD-5000 -Rocketfish HD Webcam Pro

Cameras that do not work in multiples (bandwidth bug?): -Logitech C110 -Logitech C310 -Creative Live! Cam Video IM Ultra -HP 2-Megapixel Webcam (RZ406AA)

My current recommendation is probably the HD-3000. It is 720p and can be found for about $20. It does NOT have autofocus which I think is good for a webcam you leave running 24/7. I tried the HD-5000 and it spends a lot of time refocusing. I'm afraid it would break after a few weeks. The C160 is currently the cheapest, about $8 shipped on ebay. Meritline sometimes sells it for $6. The irritating thing about the c120/c160 is that they have a focusing ring you have to adjust. For a security camera I would prefer fixed focus. I buy any webcam I can get at a firesale so I'll keep trying more - I would appreciate results from anyone else as well.

EDIT: Added a few more cameras]

It turns out you can disable autofocus on UVC supported webcams like this:

v4l2-ctl –verbose –set-ctrl=focus_auto=0

At least it works for me on all the AF cameras I have to test (Microsoft & Rocketfish).

Not only is this a good idea for camera longevity (I would think so at least) it helps prevents false motion alarms.

Useful Links and References

1. eLinux: RasPi Webcam compatibility list

Make sure Gentoo is matched up with your target kernel version

1
2

eselect kernel list
eselect kernel set #

Build it

1
2
3
4
5
6
7

zcat /proc/config.gz > /usr/src/linux
cd /usr/src/linux
make oldconfig
make modules_prepare
emerge --ask @module-rebuild
make
make modules_install

Install it

1

genkernel --no-menuconfig --no-clean --install all

Update bootloader

1

vim /boot/extlinux/extlinux.conf

Reboot and cross your fingers.

Clean-up/delete old files in /boot and corresponding bootloader entries.

Useful Links and References

1. Gentoo Wiki: Kernel/Upgrade

• first make sure the VPN is up and operational
• correct transmission's config if the address isn't current.. [stop, edit, start]
• definitely end with transmission running

Quote

Enforcing an application, for example a torrent client like Transmission, to always use the VPN interface or any particular network interface for that matter, is trivially simple using iptables on Debian, Ubuntu or any other GNU/Linux distro. Personally, I am running Debian Sid on the Raspberry Pi. Occasionally I use it for downloading files ( legal stuff, seriously, believe me :D ) using Transmission Bittorrent client over a VPN connection. Sometimes it happens that the VPN connection fails and doesn't reconnect for whatever reason and Transmission continues pulling stuff directly over my internet connection, which I would like to avoid. Fortunately it is very straightforward to enforce rules based on application owner UID. Transmission runs under the owner debian-transmission in Debian (use htop to check this) and the following two lines of iptables ensures that any process with owner having UID, debian-transmission, will not use any other network interface apart from the OpenVPN tunnel interface tun0

iptables -A OUTPUT -m owner --uid-owner debian-transmission -d 192.168.0.100 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT

The first line ensures that, my Mac-mini having IP address 192.168.0.100 on the lan, can always access the web interface of transmission. The second line makes sure, no outgoing traffic can leave via anything other that tun0. Peace of mind restored, thanks to iptables.

Code

transmission-vpn-only.sh

Ver. ArchLinuxARM-110413

#!/bin/sh

iface="tun0"
service="transmission.service"
config="/var/lib/transmission/.config/transmission-daemon/settings.json"

# test if service is currently running
systemctl --quiet is-active $service
if [ $? -eq 0 ]; then
    # get the ip from the current config
    savedIP=$(cat $config | egrep -o '\"bind-address-ipv4\": \"[^ ]*' | cut -d'"' -f4)
    # test if ip has changed and is no longer available
    ping -i1 -w2 -c1 $savedIP >/dev/null
    if [[ $? -ne 0 || "x$savedIP" == "x0.0.0.0" ]]; then
        echo IP unavailable, stop and reconfigure transmission..
        systemctl stop $service
        # test if VPN went down completely
        ifconfig $iface >/dev/null
        if [ $? -ne 0 ]; then
            echo Oops.. $iface not available, exiting without restarting transmission..
            exit 1
        fi
        # reconfigure transmission with new ip address
        sed -i "s/\"bind-address-ipv4\":.*\$/\"bind-address-ipv4\": \"$(ip a show dev $iface | egrep -o 'inet [^ ]* ' | cut -d' ' -f2 | sed 's/ //')\",/" $config
        systemctl start $service
        echo Transmission started.
    fi
else
    echo "Transmission isn't running.."
    exit 1
fi

To-Do

• Figure out how to 'BindInterface', if possible.
• Revise transmission-vpn-only script.
• Figure out why openvpn config leaves routes behind.

Useful Links and References

1. BotCyborg

CPU     Intel or AMD with SSE2 support. 64-bit OS recommended.
RAM     2GB+
HDD     5GB+
Video   Quadro/QuadroFX/FireGL/FirePro

Notes regarding HW selection

• FirePro v3900 was best bang for buck. Good Solidworks reviews.
• 4GB of RAM will work, can always upgrade.
• 3.5Ghz Dual core + Hyper-Threading (i3-3220/3240) should be plenty.

Capinc Solidworks HW Tips

• Video Card: VERY important
• Proc: Solidworks is optimized for multiple cores
• RAM: Solidworks grabs 340mb on launch. 4gb+ is only necessary for very large assemblies (over 10,000 parts)
• HD: Generally, does not affect Solidworks performance

Newegg specials for Oct.

"i5" Combo + FirePro V3900 ~$630

Someone mentioned i5 & i7's have decent enough graphics to run Solidworks.. maybe just get FirePro later, if needed?

• Trustworthy PSU
• i5 is Quad Core, 8MB-L2, HD4000 'integrated' gfx
• 8GB RAM
• 1TB HDD, SSD would've been nicer.
• USB 3.0

• No case.

  Combo: 1291151

"i3" Combo + FirePro V3900 ~$ 430

• Decent PSU. But low wattage.
• 500GB HDD
• USB 3.0

• Plain Case.

  Combo: 1271103

"Budget Gaming" Combo $ 370

• nVidia GT 640 2GB, instead of FirePro ?
  .. donno if that's such a good idea.
• Good PSU
• 500GB HDD
• USB 3.0

• Decent looking case.

  Combo: 1461943

Karma a version of hostapd for creating rogue access points.

NAT or Bridge

IP's must be handed out to the connecting clients so one or the other must be configured

• NAT - creates a new subnet ".. with IP forwarding/masquerading and DHCP service (wireless clients will use a dedicated subnet, data from/to that subnet is NAT-ted – similar to a normal WiFi router that's connected to your DSL or cable modem)" – Archwiki > see the Firewalls article
• Bridge - ".. Simple, but it requires that any service that's needed by your wireless clients (like, DHCP) is available on your computers external interface. That means it will not work if you have a dialup connection (e.g., via PPPoE or a 3G modem) or if you're using a cable modem that will supply exactly one IP address to you via DHCP." –ArchWiki > You need to create a network bridge and add your network interface (e.g. eth0) to it. You should not add the wireless device (e.g. wlan0) to the bridge; hostapd will add it on its own. > >If you use netctl, see Bridge with netctl for details (just do not add tap0 used in that example).

Configuration

System configuration is stored in /etc/hostapd/hostapd.conf.

To override at runtime: sudo hostapd /path/to/hostapd.conf

General use, non-Karma, WPA/WPA2 config
From nims.wordpress.com

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

#sets the wifi interface to use, is wlan0 in most cases
interface=wlan0
#driver to use, nl80211 works in most cases
driver=nl80211
#sets the ssid of the virtual wifi access point
ssid=dontMessWithVincentValentine
#sets the mode of wifi, depends upon the devices you will be using. It can be a,b,g,n. Setting to g ensures backward compatiblity.
hwmode=g
#sets the channel for your wifi
channel=6
#macaddracl sets options for mac address filtering. 0 means "accept unless in deny list"
macaddracl=0
#setting ignorebroadcastssid to 1 will disable the broadcasting of ssid
ignorebroadcastssid=0
#Sets authentication algorithm
#1 - only open system authentication
#2 - both open system authentication and shared key authentication
authalgs=1
 
#####Sets WPA and WPA2 authentication#####
#wpa option sets which wpa implementation to use
#1 - wpa only
#2 - wpa2 only
#3 - both
 wpa=3
#sets wpa passphrase required by the clients to authenticate themselves on the network
 wpapassphrase=KeePGuessinG
#sets wpa key management
 wpakeymgmt=WPA-PSK
#sets encryption used by WPA
 wpapairwise=TKIP
#sets encryption used by WPA2
 rsnpairwise=CCMP


#################################


#####Sets WEP authentication#####
#WEP is not recommended as it can be easily broken into
   wepdefaultkey=0
   wepkey0=qwert    #5,13, or 16 characters
#optionally you may also define wepkey2, wepkey3, and wep_key4


#################################
#For No encryption, you don't need to set any options

non-Karma w/ WPA2

1
2
3
4
5
6
7
8
9
10
11
12

interface=tpl0
driver=nl80211
ssid=2WIRE022
hwmode=g
channel=10
macaddracl=0
authalgs=1
ignorebroadcastssid=0
wpa=2
wpapassphrase=SecretPassword1234
wpakeymgmt=WPA-PSK
rsn_pairwise=CCMP

Karma w/ WEP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

# config file to use with the Karma'd version of hostapd
# created by Robin Wood - robin@digininja.org - www.digininja.org

interface=tpl0
driver=nl80211
countrycode=US

ssid=AndroidAP
channel=3

wepdefaultkey=0
wepkey0=SecretPassword1234

# Both open and shared auth
authalgs=3

# no SSID cloaking
ignorebroadcastssid=0

# -1 = log all messages
loggersyslog=-1
loggerstdout=-1

# 2 = informational messages
loggersysloglevel=2
loggerstdoutlevel=2

# Dump file for state information (on SIGUSR1)
# example: kill -USR1 <pid>
dumpfile=/tmp/hostapd.dump
ctrlinterface=/var/run/hostapd
ctrlinterfacegroup=adm

# 0 = accept unless in deny list
macaddracl=0

# only used if you want to do filter by MAC address
acceptmacfile=/etc/hostapd/hostapd.accept
denymacfile=/etc/hostapd/hostapd.deny

# Finally, enable Karma
enablekarma=0

# Black and white listing
# 0 = white
# 1 = black
karmablack_white=1

Useful links and references

ArchWiki: Software Access Point

Installation

First install ruby. Then clone repo

git clone git://github.com/imathis/octopress.git octopress
cd octopress

Install dependencies

sudo gem install bundler
bundle install # make sure to run this one in the 'octopress' directory

Install default theme

rake install

Useful Links and References

Octopress.org

Jekyll Docs

BigdinosaurBlog: Changing Octopress' Header

create project directory

mkdir -p <folder>
cd <folder>

create files or copy them from existing project.

touch README.md

initialize barebone git files

git init

prepare commit with annotations and files

git add README.md
git commit -m "<message>"

new project, so create remote origin, and master branch

git remote add origin <url | git@github.com:pnd4/<project>.git"

publish files to the new git-repository

git push -u origin master

Tips from the IRC guys

Excerpt from: freenode#crunchbang-offtopic20130929.log

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

[00:04:25] <Ferus> also thats why you git pull
[00:04:28] <Ferus> all the time
[00:04:29] <Ferus> lel
[00:04:33] <orik> xD
[00:04:57] * Ferus passes pnd4 an american spirit black
[00:04:59] <pnd4> hmm whats the diff between git pull and clone?
[00:05:00] <orik> well phoronix even has good things to say about mpv
[00:05:10] <orik> a pull just checks for changes and
[00:05:19] <Ferus> clone clones a new repo, pull pulls the new changes from master
[00:05:26] <orik> ^^
[00:05:27] <pnd4> oh ok.. thanks
[00:05:50] <orik> man I've been using git at work for the past three months and I swear I still don't fully understand it
[00:05:56] <Ferus> tl;dr if the repo doesnt exist locally, you clone from master, if it does exist locally, you pull from master
[00:06:19] <Ferus> orik: i've been using git for two years, i broke my repo 5 months ago and havent fixed it
[00:06:34] <Ferus> (i dont know how ;_;)
[00:07:41] <pnd4> ok so Ive cloned dwmstatus earlier, made changes. if I do a pull, does it undo my changes to match the current master?
[00:07:52] *** Joins: salam4ik (~salam4ik@89.106.233.158)
[00:08:10] * pnd4 copies directory and just tries it.. 'banzai!'
[00:08:21] <Ferus> no, it'll complain that you have un-stashed changed
[00:08:23] <Ferus> changes*
[00:08:39] <Ferus> so you want to do git stash; git pull; git stash pop
[00:09:05] <pnd4> stash, thats a new one too.. did I mention I'm quite new to git ? haha.
[00:09:17] <Ferus> (this is all i know how to do)
[00:09:27] <Ferus> besides add and rm, but thats kinda obvious
[00:09:44] <pnd4> thanks. I'll try and remember that if/when suckless puts out a new version
[00:10:49] <pnd4> I think having familiarity with git should help in the job search.. I mean, who wouldn't want a guy that's familiar with widely used version control systems?
[00:10:49] <Ferus> you can always google it
[00:11:46] <pnd4> that is true, but the tl;dr versions are always nice
[00:12:52] <pnd4> Halts: ebay has the hat I want for 25 (down from 35$) .. they're out of my size.. I share your pain.
[00:14:05] <pnd4> its like that scene in 'The Last Samurai' where they cut his hair
[00:15:40] <Halts> at least you can buy your hat.
[00:16:01] <pnd4> would you buy your jersey still if it was 120 ?
[00:16:59] <Ferus> > IP Location: Kingston / New York / United States
[00:17:08] <Ferus> bahaha this site is horrible, cant even geolocate
[00:18:22] <Halts> haha, not right now.
[00:18:28] <Halts> but I eventually would, yes.
[00:18:40] <Halts> I'd like to get it for
[00:18:50] <Halts> but, a bunch of cunts ruined that
[00:19:57] *** Quits: orik (~orik@50-46-134-47.evrt.wa.frontiernet.net) (Remote host closed the connection)
[00:20:51] <n2o4> pnd4: Just checkout your features into it's own branch, for example git clone foobar, git checkout -b my-super-branch, make edits and commit, issue git checkout master to check into the master branch again.

Useful Links and References

1. GitHub

Images

1

<img class="center" src="http://www.pnd4.net/images/that-image.jpg">

Quote

More.
Notes.

Code

example.sh

#!/bin/bash
    test 1 -eq 1 && echo true || echo false

You can also insert preformatted text using backtick's.

Also see Octopress's Documentation[^1]

List

• item 1
• item 2
• item 3

References

See Wordpress's Cheatsheet[^2] for more examples of Markdown.

Useful Links

Octopress.Org

[^1]: Octopress Documentation [^2]: Wordpress Markdown Reference

Installing

Instead of using rvm or rbenv, stick to installing Ruby system-wide with pacman.

1

pacman -S ruby

Paths

Caution editing your .bashrc or .zshrc.. root does not need to have a GEM_HOME or ~/.gem/ruby/2.0.0 added to its PATH

~/.gemrc

For root, create .gemrc so that when gems are installed as root, it uses the system-wide directory.

1

gem: --no-user-install

Optionally, create user's .gemrc as well, although it'd be the same as in /etc/gemrc, which is automatically made by the ArchPkg

1

gem: --user-install

Updating Gems

Update system: sudo gem update –system Update user: gem update

Useful Links and References

Archwiki: Ruby

Note from ArchDev about .gemrc

Specs

1
2

AR9331 and RTL8187
16mb ROM / 64mb DDR2 RAM

Software

Available Pentest Packages include aircrack-ng, dsniff, easy-creds, ettercap, hping3, httptunnel, karma, kismet, macchanger, mdk3, ngrep, nmap, nodogsplash captive portal, privoxy, ptunnel, snort, sslsniff, sslstrip, ssltunnel, stunnel, tcpdump, tor, and reaver

–HakShop

Useful Links and References

HakShop: Wifi Pinapple Mark 5

wifipinapple.com

Where the rules files go

In Arch, the usual /etc/iptables/iptables.rules In Gentoo, the rules are restored from /var/lib/iptables/rules-save In Debian, wiki says to create /etc/network/if-pre-up.d/iptables (chmod +x)

Rules Basic Template

Based on: https://wiki.archlinux.org/index.php/SimpleStatefulFirewall

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
## === BEGIN: First Rule ======================================
# Keep before ping limiting rules to limit pings per connection
-I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## === END: First Rule ========================================
## === BEGIN: Ping limiting ===================================
# Keep after 'RELATED, ESTABLISHED' to limit pings per connection
-A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set
-A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 10 -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
## === END: Ping limiting =====================================
## === BEGIN: General Rules ===================================
# Extra protection against spoofing attacks (see: sysctl regarding rp_filter)
-I INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Accept all traffic coming from localhost
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
## === END: General Rules =====================================
## === BEGIN: Services ========================================
## NTP
#-A UDP -p tcp -i eth0 -s 192.168.12.0/24 --dport 123 -j ACCEPT
## SSH
#-A TCP -p tcp -i eth0 -s 192.168.12.0/24 --dport 22 -j ACCEPT
## TRANSMISSION
#Allow transmission to talk to users
-A OUTPUT -m owner --uid-owner transmission -d 192.168.12.18 -j ACCEPT
#Restrict transmission from using other ports.
-A OUTPUT -m owner --uid-owner transmission ! -o tun+ -j REJECT
#Allow users to talk to transmission
-A TCP -p tcp -s 192.168.12.18 --dport 9091 -j ACCEPT
## === END: Services ==========================================
## === BEGIN: Trick Port Scanning =============================
-I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
-I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
## === END: Trick Port Scanning ===============================
## === BEGIN: Last Rule =======================================
# This rule must be kept at the end, regardless if port-scan or ping limit is used.
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
## === END: Last Rule =========================================
COMMIT

Internet Connection Sharing

Involves adding additional rules

For the template below: | | wan | lan |
|———:|—————–:|—————–:|
| iface | wan0 | lan0 |
| subnet | 192.168.12.0 | 172.168.42.0 |

Example Template

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.42.0/24 -o wan0 -j MASQUERADE
COMMIT
filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i lan0 -j ACCEPT
COMMIT

References

Archwiki
Debwiki

You should see a text box, there you can add individual iptables rules as if you were using the command line. Just save the command with the appropriate button labeled [Save Firewall]

I found this particularly useful for allowing a machine with a static IP ping a machine that drops ping requests. Here is the rule I added as an example

1

iptables -A INPUT -s <ip.allowed.pings> -p icmp -j ACCEPT