Today I updated my dual-boot system and unfortunately my Debian OS wasn't booting anymore. The root cause was that Windows had decided to reclaim the EFI boot entry.
A friend of mine came back from vacation where he had taken a lot of pictures. When he got home, a large part of his micro SD card (exFAT partition) was no longer accessible, so he had lost a couple of weeks of photos and videos. His Windows operating system froze completely when it hit a rotten cluster during a file copy, so we had to find another way to get his files back.
The first thing I tried was to get the data off the SD card on Linux with ddrescue. With ddrescue you create a complete dump of the SD card (or of the sdb1 partition only), so you can do the data recovery on the image file (backup1.img) instead of on the already failing SD card.
But Linux also had trouble reading when it hit a bad cluster. The only thing I could do during the read issues was to physically disconnect the USB adapter, reconnect it and restart the ddrescue process. The reason was that a chain of SD card adapters was used:
Micro SD > SD > SD > USB
(spoiler alert: never use multiple adapters for data recovery!)
Because ddrescue keeps a mapfile, it resumes where it stopped the last time.
While debugging I wrote a simple loop that forces a "physical" disconnection of the USB adapter (a USB port reset), waits one second and reconnects the device without touching anything.
This works, but it is a very, very slow process. It would have taken months to recover the card this way, so I had to find another way.
#!/bin/bash
## Steps to prepare:
# - lsusb: find the card reader and change the /dev/bus/usb/BUS/DEV path below
# - start this script from the folder that contains the compiled usbreset tool
# - run as root (sudo)
# - mount the target disk (here under /media/thomas)
# ddrescue writes the image plus a mapfile; on every restart it resumes from the
# mapfile, so the loop can simply run it again after the USB reset (-d = direct
# disk access, bypassing the kernel cache). Stop the loop with Ctrl-C.
while true
do
    echo "Let's try again!"
    ddrescue -d /dev/sdb1 /media/thomas/4905eb31-1df4-49bb-bb75-ec4889641d20/backup1.img /media/thomas/4905eb31-1df4-49bb-bb75-ec4889641d20/backup1.mapfile
    sleep 1
    # reset the card reader as if it was unplugged and plugged back in
    ./usbreset /dev/bus/usb/001/004
    sleep 1
done
The funny thing is that it was Sinterklaas time and my daughter had just received a VTech kids' photo camera with a micro SD to USB adapter included.
So I tried the new adapter (Micro SD > USB), with success.
After almost 15 hours the result was a 99.98% rescue rate.
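The rescue percentage comes straight from the mapfile that ddrescue keeps, so you can check progress between two iterations of the reset loop without touching the card again. The script below is an added example (not from the original post): it parses the mapfile format documented for GNU ddrescue and sums the bytes per block status; the sample mapfile it writes is constructed, with invented sizes.

```bash
#!/bin/bash
# Added example, not part of the original post: read a GNU ddrescue mapfile and
# report how much of the image has really been rescued.
#
# Mapfile layout (ddrescue >= 1.22): lines starting with '#' are comments, the
# first data line is "current_pos current_status current_pass", and every line
# after it is "pos size status" with status one of
#   ?  non-tried   *  non-trimmed   /  non-scraped   -  bad sector   +  finished

# Print "<finished> <bad> <pending> <total>" in bytes for the mapfile in $1.
# "pending" groups the ?, * and / states: blocks ddrescue will still retry.
mapfile_stats() {
    file="$1"
    seen_current=0 finished=0 bad=0 pending=0 total=0
    while read -r pos size status _; do
        case "$pos" in ''|\#*) continue ;; esac          # comment or blank line
        if [ "$seen_current" -eq 0 ]; then                # current-position line
            seen_current=1
            continue
        fi
        size=$((size))                                    # 0x... hex literal -> bytes
        total=$((total + size))
        case "$status" in
            +) finished=$((finished + size)) ;;
            -) bad=$((bad + size)) ;;
            *) pending=$((pending + size)) ;;
        esac
    done < "$file"
    echo "$finished $bad $pending $total"
}

# Rescued percentage with two decimals, truncated (integer arithmetic only).
mapfile_pct() {
    set -- $(mapfile_stats "$1")
    [ "$4" -gt 0 ] || { echo "0.00"; return 1; }
    p=$(($1 * 10000 / $4))
    printf '%d.%02d\n' $((p / 100)) $((p % 100))
}

# Constructed sample mapfile: a 16 MiB partition with one 4 KiB bad sector and
# one 4 KiB block that was never tried (values invented for this example).
write_sample_mapfile() {
    cat > "$1" <<'EOF'
# Mapfile. Created by GNU ddrescue version 1.25
# Command line: ddrescue -d /dev/sdb1 backup1.img backup1.mapfile
# current_pos  current_status  current_pass
0x00FFF000     ?               1
#      pos        size  status
0x00000000  0x00800000  +
0x00800000  0x00001000  -
0x00801000  0x007FE000  +
0x00FFF000  0x00001000  ?
EOF
}

# Usage: ./mapfile_stats.sh [backup1.mapfile]; without an argument the sample is used.
report() {
    file="${1:-}"
    if [ -z "$file" ]; then
        file=$(mktemp) && write_sample_mapfile "$file"
    fi
    set -- $(mapfile_stats "$file")
    echo "rescued=$1 bad=$2 pending=$3 total=$4 rescued_pct=$(mapfile_pct "$file")%"
}
report "$@"
```

A non-zero "pending" count means another pass (or another adapter) can still improve the result; only the "bad" bytes are sectors ddrescue has given up on.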
During my search for a solution I found some interesting articles:
I was maintaining a simple website for a friend of mine. I pushed the website to GitHub so it was much easier to maintain the site.
But I thought it must be easier than transferring all the changes by hand with an FTP program every time. So I found git-ftp, and of course FTPS didn't work out of the box.
Windows
What you have to do to enable git-ftp (on Windows)
And the next time you make a change you only have to run
git ftp push
When you get errors like these:
zo 19 dec 2021 23:11:50 CET: Retrieving last commit from sftp://******:***@s*******/public/sites/*********/.
* Trying *********:22...
* Connected to ******* (********) port 22 (#0)
* Found host ******** in /home/******/.ssh/known_hosts
* Set "ecdsa-sha2-nistp256" as SSH hostkey type
* Closing connection 0
curl: (79) Error in the SSH layer
zo 19 dec 2021 23:11:50 CET: fatal: Could not get last commit. Use 'git ftp init' for the initial push. Can't access remote 'sftp://******:***@********'. Network down? Wrong URL? exiting..
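The log above also shows the credentials embedded in the remote URL (sftp://user:pass@host), which ends up in shell history, process listings and logs like this one. git-ftp reads its settings from git config (git-ftp.url, git-ftp.user, git-ftp.password), so the secret does not have to be part of the URL. The script below is an added example, not from the original post; the host, path and user name are invented.

```bash
#!/bin/bash
# Added example, not from the original post: configure git-ftp for a site repo
# without putting the password in the URL. Settings go into the repository's
# local config (.git/config), which is never committed.

# Store url and user; the password comes from $GIT_FTP_PASSWORD or a prompt.
gitftp_configure() {
    url="$1" user="$2"
    git config git-ftp.url "$url"
    git config git-ftp.user "$user"
    if [ -z "${GIT_FTP_PASSWORD:-}" ]; then
        printf 'git-ftp password for %s: ' "$user"
        read -rs GIT_FTP_PASSWORD; echo
    fi
    git config git-ftp.password "$GIT_FTP_PASSWORD"
}

# Show the effective settings with the password masked (what git-ftp will use).
gitftp_show() {
    printf 'url=%s user=%s password=%s\n' \
        "$(git config --get git-ftp.url)" \
        "$(git config --get git-ftp.user)" \
        "$(git config --get git-ftp.password | sed 's/./*/g')"
}

# First upload of a repo: "git ftp init"; every later change: "git ftp push".
gitftp_deploy() {
    if git config --get git-ftp.url >/dev/null; then
        git ftp push
    else
        echo "no git-ftp.url configured; run gitftp_configure first" >&2
        return 1
    fi
}
```

Run gitftp_configure once inside the repository (for example `gitftp_configure sftp://example.invalid/public/sites/site webuser`), then `git ftp init` for the first upload and `git ftp push` afterwards.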
Pfff, I've had a battery drain for weeks on my OnePlus device (you know the feeling: your phone battery drains faster than you would expect). But that drain was not visible in the Android battery overview.
I had already installed an app (BetterBatteryStats) that gives you more information about the drain. With BetterBatteryStats I found out that logd could be the issue, but logd is only the log daemon, so it should not be the root cause: something else must be keeping it busy.
So I found out that you can just start a task manager (top) through the Android debug tools (adb). What showed up: the YouTube Music app was draining my battery, even though I don't even use it. You can't uninstall that app either, so I force-stopped it and now everything is quiet.
Really, wtf; I am a tech guy and had to put in so much effort to figure this out. How many people have the same issue but just accept it?
How can you fix this?
First install ADB (the Android platform tools)
Enable developer mode and USB debugging on your phone
Start top
adb shell top -m 20 -d 2
Here you can see logd and com.google.and+ (top truncates the process name)
To figure out what PID 9036 is
adb shell ps | grep 9036
And voila, the root cause: YouTube Music
So I force-stopped the YouTube Music app and now everything looks fine!
Google, please don't hide your shitty services from the Android battery overview!
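Two details are worth automating: top truncates the process name, and `ps | grep 9036` matches any column that happens to contain 9036 (PPID, VSZ, RSS), not only the PID. The script below is an added example, not from the original post: it matches the PID column exactly and chains top and ps. It assumes adb is installed and USB debugging is enabled; the sample ps output is constructed, and the YouTube Music package name in it is an assumption used for illustration.

```bash
#!/bin/bash
# Added example, not from the original post: find the busiest processes on the
# phone and map their PIDs to full process names.

# Android's toybox ps prints: USER PID PPID VSZ RSS WCHAN ADDR S NAME.
# Read ps output on stdin and print the NAME of the process whose PID is $1
# (exact match on the PID column, unlike "grep 9036").
pid_to_name() {
    awk -v pid="$1" '$2 == pid { print $NF; exit }'
}

# Print "PID NAME" for the top N CPU consumers reported by the phone.
# top -b: batch (non-interactive), -n 1: one sample, -m N: N lines.
busiest() {
    n="${1:-20}"
    adb shell top -b -n 1 -m "$n" | awk '$1 ~ /^[0-9]+$/ { print $1 }' |
    while read -r pid; do
        printf '%s %s\n' "$pid" "$(adb shell ps -A | pid_to_name "$pid")"
    done
}

# Constructed sample of "adb shell ps -A" output. PID 9036 is the suspect; the
# line for PID 1203 contains "9036" inside its VSZ column to show the grep trap.
SAMPLE_PS='USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10756   2768 0                   0 S init
logd           567     1   10660   5160 0                   0 S logd
u0_a123       9036   832 5123456 189036 0                   0 S com.google.android.apps.youtube.music
u0_a54        1203   832 1290366  65432 0                   0 S com.android.chrome'

# Stand-alone demo on the sample: resolves 9036 to exactly one process.
printf '%s\n' "$SAMPLE_PS" | pid_to_name 9036
```

With a phone attached, `busiest 20` gives the same picture as the interactive top command, already resolved to package names.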
I had to check my DHCP configuration for a Dell Wyse thin client. But when you configure specific options like 161 and 162, you don't see those options in a Wireshark capture of a Windows DHCP request.
I like Wireshark. But I don't like to install software on a server for troubleshooting purposes, especially when it needs a capture driver like WinPcap/Npcap to sniff network data.
What you can do instead is capture the data with netsh, copy it to your workstation, convert it so you can read it with Wireshark, and do your thing.
Capture the data
Run this command to capture the data (elevated command prompt)
For me, this was a pain in the ass for a long time. When I connected to a Windows server through RDP/RDS, it sometimes took more than 2 minutes to connect. Today, after waiting, and waiting, and some more waiting, I did a deep dive with Wireshark to figure out why it was so slow.
My setup
Azure domain-joined Windows 10 device (laptop)
Connection over a Cisco AnyConnect VPN
Remote Desktop Manager (Devolutions)
Native RDP client
mRemoteNG
Remote vs local
I knew for sure the issue had to be in my setup: when I first connected to a jump host (RDP) and from there to other domain-joined servers, every connection came up almost immediately after I entered my credentials.
What to do (TL;DR)
There are four things to change to speed up the initial remote desktop connection:
Disable SSL / TLS 1.0
Disable NetBIOS on the VPN network adapter
Disable automatic proxy detection in Windows
Use domain.local\admin or admin@domain.local as the credential instead of domain\admin
Disable SSL / TLS 1.0
No, you don't have to negotiate which protocol to use to connect to a server. Use TLS 1.2 or I don't want to connect with you. So:
How to
Start > Run > regedit
Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
If the TLS 1.0 and Client keys don't exist, create them
Create a 32-bit DWORD value with the name Enabled
Value data: 0 (hex)
Restart the client
Enabled = 0
Keep in mind that this key is read by every Schannel client on the machine (WinHTTP, .NET, PowerShell, not only RDP), so anything that still depends on TLS 1.0 will stop working as well.
Disable NetBIOS on the VPN adapter
What I saw in my Wireshark capture was that RDP was trying to get information through NetBIOS broadcasts. You have a DNS server, so you don't need a legacy broadcast protocol! Unfortunately I don't have a screenshot of the capture, but you can always check yourself.
How to
Change the VPN adapter's IPv4 properties (Advanced > WINS > Disable NetBIOS over TCP/IP) and reboot the computer:
Disable NetBIOS
Disable the proxy
After connecting to a server with RDP and entering the credentials, Windows constantly tries to resolve WPAD.domain.local to autoconfigure a proxy. WPAD stands for Web Proxy Auto-Discovery, and I think you never want to autoconfigure a MITM, ehh, proxy device. You always want full control of your device. So disable this to speed up the connection and make your device more secure.
Wireshark capture: WPAD A record
How to
Go to Settings
Search for proxy
Switch "Automatically detect settings" to Off
Restart Windows
Turn WPAD off
Change the login name
I found this to be the most annoying and time-consuming one. I always use DOMAIN\User when I connect to a server. But this is what happens:
Domain.Domain.TLD
Kerberos does a DNS query for _kerberos._tcp.dc._msdcs.domain.domain.tld and of course it will never find that SRV record with the doubled domain. But if you change the logon name to domain.tld\admin or admin@domain.tld, Kerberos finds the SRV record for the KDC and connects immediately.
Top speed!
Kerberos
Even now it is possible to tune the Kerberos authentication further, starting with the KRB5KDC_ERR_PREAUTH_REQUIRED reply you can see in the screenshot. That one is expected rather than a failure: the KDC answers the first AS-REQ, which carries no pre-authentication data, with it, and the client retries with an encrypted timestamp, so it costs one extra round trip. Maybe next time, but for now I'm happy with the initial connection speed.
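The two DNS lookups that caused the delays above (the KDC SRV record for the realm and the WPAD host) can be checked from any machine before changing a client. The script below is an added example, not from the original post: it derives the realm from the three logon-name forms and builds the names Windows queries; the realm names are invented, and the lookup part needs dig. The NetBIOS-style DOMAIN\user form yields a realm without a dot, which is the form that produced the doubled domain.domain.tld query in the capture above.

```bash
#!/bin/bash
# Added example, not from the original post: derive the DNS names a Windows
# client queries for a given logon name, and optionally resolve them.

# Realm (DNS domain) from a logon name:
#   "user@corp.example"  -> corp.example
#   "corp.example\user"  -> corp.example
#   "CORP\user"          -> CORP   (NetBIOS name, not a DNS name: the slow case)
logon_realm() {
    bs='\'
    case "$1" in
        *@*)      echo "${1#*@}" ;;
        *"$bs"*)  echo "${1%%"$bs"*}" ;;
        *)        echo "" ;;
    esac
}

# True when the realm is a real DNS name (contains a dot), so the SRV lookup
# below can succeed without the client first guessing a DNS suffix.
realm_is_dns() {
    case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# The names the client looks up: the Kerberos KDC SRV record for the realm
# and the WPAD proxy-autodiscovery host in the same domain.
client_lookups() {
    realm="$1"
    printf 'SRV _kerberos._tcp.dc._msdcs.%s\n' "$realm"
    printf 'A wpad.%s\n' "$realm"
}

# Resolve each name with dig; prints the answer or "NXDOMAIN/empty".
resolve_lookups() {
    client_lookups "$1" | while read -r type name; do
        answer=$(dig +short "$type" "$name" 2>/dev/null | tr '\n' ' ')
        printf '%-4s %-45s %s\n' "$type" "$name" "${answer:-NXDOMAIN/empty}"
    done
}

# Usage: ./kerberos_lookups.sh 'corp.example\admin'
if [ -n "${1:-}" ]; then
    realm=$(logon_realm "$1")
    realm_is_dns "$realm" || echo "warning: '$realm' is a NetBIOS name, expect suffix guessing" >&2
    resolve_lookups "$realm"
fi
```

A missing SRV answer for _kerberos._tcp.dc._msdcs.<realm> means Kerberos cannot locate a KDC for that realm over the VPN; an A answer for wpad.<realm> means some host would be picked up as a proxy as long as auto-detection is on.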
It can be fun to reverse engineer Android applications. I think it's better to do this on your workstation instead of your phone because it's much more flexible and you don't ruin your phone when you break things.
In my case I use Debian 11, but of course you can do this on any OS.
Requirements
An app you want to debug
OWASP ZAP Proxy
Genymotion
NPM
APK Export (Android App)
OWASP ZAP Proxy
I use the snap package for ZAP because it's easy to install and you always have the latest version.
$ sudo snap install zaproxy --classic
Start ZAP and export the dynamic root certificate (Tools > Options > Dynamic SSL Certificates)
Dynamic SSL Certificate
Click on the Save button and place the file somewhere on your disk.
Follow the wizard, create a Genymotion account and create a new virtual device. In my example I used a Google Pixel 3 with Android 10.
Overview virtual devices
Now it's time to configure the proxy on the Android device!
Configure the proxy in Android
Start the Genymotion virtual device you created and copy the certificate file we exported earlier with a simple drag and drop.
Drag & drop the certificate file
Successful copy
Now we can configure the proxy in the Wi-Fi settings.
Go to Settings > search for "certificate" and install the certificate.
Settings > find > certificates
Import the certificate
Edit the Wi-Fi connection, add the proxy and restart the Wi-Fi.
Edit the Wi-Fi
Go to the advanced options
Set the proxy to Manual
The IP is always 10.0.3.2: that is the address at which the Genymotion virtual device reaches the host machine ("localhost" from the device's point of view)
Port 8080
Genymotion proxy settings
When you (re)connect to the Wi-Fi you have to accept the "sign in to network" warning (this is a good thing: it shows the connectivity check is going through the proxy).
Sign in to the Wi-Fi
Accept the warning
Now you will see all the traffic, but only for the apps that respect the Android proxy settings. Apps that pin their certificates, or that target Android 7 or newer and therefore do not trust user-installed CAs by default, will refuse the ZAP certificate as well. So this is what you can do when an app doesn't play along:
Rebuild the APK with apk-mitm
Now everything is in place. The last thing we need to do is rebuild the APK file so all its network traffic can be proxied. So:
Everything is in place now. The only thing you have to do is drag & drop the *-patched.apk file into Genymotion, install it and you are fully in control.
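The patch-and-install steps can be scripted from the workstation, which also replaces the drag and drop and the manual Wi-Fi proxy dialog. The script below is an added example, not from the original post: it uses apk-mitm's --certificate option to bake the ZAP root CA into the app's network security config, installs the result with adb, and sets the device's global HTTP proxy to the Genymotion host address from the post. The certificate file name and APK name are assumptions; apk-mitm and adb must be on the PATH (through npx and the Android platform tools).

```bash
#!/bin/bash
# Added example, not from the original post: patch an APK so it trusts the ZAP
# root CA, install it on the Genymotion device and point the device at ZAP.

ZAP_CERT="${ZAP_CERT:-$HOME/owasp_zap_root_ca.cer}"   # exported from ZAP (assumed file name)
PROXY="${PROXY:-10.0.3.2:8080}"                        # Genymotion's address for the host, ZAP on 8080

# apk-mitm writes <name>-patched.apk next to the input file.
patched_name() {
    echo "${1%.apk}-patched.apk"
}

# Rebuild the APK with the CA added to its network security config and common
# certificate-pinning code patched out, then re-sign it (apk-mitm does both).
patch_apk() {
    [ -f "$ZAP_CERT" ] || { echo "ZAP certificate not found: $ZAP_CERT" >&2; return 1; }
    npx apk-mitm --certificate "$ZAP_CERT" "$1"
    [ -f "$(patched_name "$1")" ]
}

# Install on the running virtual device and set the global proxy; this is the
# command-line equivalent of the manual Wi-Fi proxy step above.
install_patched() {
    adb install -r "$(patched_name "$1")"
    adb shell settings put global http_proxy "$PROXY"
}

# Usage: ./mitm_apk.sh app.apk
if [ -n "${1:-}" ]; then
    patch_apk "$1" && install_patched "$1"
fi
```

To undo the proxy on the device afterwards, run `adb shell settings put global http_proxy :0`.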