DDWRT Stupid USB Tethering

DDWRT V3
WAN Set as auto

cd /lib/modules/4.4.89 
insmod usbnet.ko 
insmod cdc_ether.ko 
insmod rndis_host.ko 
ifconfig usb0 up 
udhcpc -i usb0

It should auto up and just need the following iptables
iptables --table nat --append POSTROUTING --out-interface usb0 -j MASQUERADE 

iptables --append FORWARD --in-interface br0 -j ACCEPT 

Updating old esx servers to ESXi 6.7

A few of the old ESXi servers are lying around and needs to be upgraded.

Power all VM.
Turn on maintenance mode.
Enable SSH
SSH into the server

esxcli network firewall ruleset set -e false -r httpClient
esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep 6.7
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.7.0-8169922-standard
Might wanna open another SSH
tail -f /var/log/esxupdate.log
esxcli network firewall ruleset set -e false -r httpClient
reboot

6.7.0 (Build 8169922) -> :)

Copied from: https://tinkertry.com/easy-update-to-esxi-67

Using OSX High Sierra on a VMWARE ESXi

Steps to convert the stupid installer into an iso for other uses...

hdiutil create -o /tmp/HighSierra.cdr -size 5200m -layout SPUD -fs HFS+J
hdiutil attach /tmp/HighSierra.cdr.dmg -noverify -mountpoint /Volumes/install_build
sudo /Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/createinstallmedia --volume /Volumes/install_build
mv /tmp/HighSierra.cdr.dmg ~/Desktop/InstallSystem.dmg
hdiutil detach /Volumes/Install\ macOS\ High\ Sierra
hdiutil convert ~/Desktop/InstallSystem.dmg -format UDTO -o ~/Desktop/HighSierra.iso

Kali Linux - Creating your own distro

A colic of mine was trying to act cute and said he wanted his own custom version of kali linux.
As remaster-sys might not work, ( i think ), went on to figure if it's really possible.
As he sucks in googling, here are the steps for my own reference.

Install Kali to a VM.
apt update && apt install curl git live-build
git clone git://git.kali.org/live-build-config.git
cd live-build-config
Inside the kali-config folder, there are various "environments" available.
I choose the LIGHT version as though it's a variant of the XFCE env, it's really light.
With this in mind, lets add some "special" packages that my colic wants.
Edit the config in kali-config/variant-light/package-lists/kali.list.chroot
Add your packages etc.
As he wanted to add custom "code and scripts" as well, add them to kali-config/common/includes.chroot/ folder. EG: root/Desktop/aaa.txt will make the aaa.txt appear on the root desktop.
To enable SSH on startup, 
echo ‘update-rc.d -f ssh enable’ >> kali-config/common/hooks/01-start-ssh.chroot
chmod 755 kali-config/common/hooks/01-start-ssh.chroot
Once done, build the image.
./build.sh --variant light --verbose
Drink coffee and the build ISO will be at: images/xxx.iso

REF: https://www.cybrary.it/0p3n/create-kali-linux-iso/
REF: https://kali.training/chapter-9/building-custom-kali-live-iso-images/

VM Fusion Persistant Disk

Add a new hard disk to your VM Fusion.
Open up the VMX File in your editor.
Search for your workdisk
scsi0:1.fileName = "YOUROWKDISK-000001.vmdk"

Add in the following lines
scsi0:1.mode = "independent-persistent"
snapshot.disabled = "TRUE"
snapshot.action = "keep"

To take snapshot. Shut down the VM. 
Then take the snapshot

Blank screen after some dist-upgrade

So my kali was doing some dist-upgrade.
Took wayyyyy too long and i just killed it.
However, next reboot, everything was black. =_+''

After booting, press Ctrl+Alt+F1~F12.
This should get you a terminal.
Login as root
dpkg --configure -a
WAIT PATIENTLY ( which i failed )
Once done, reboot, volia.

Auto Backup MYSQL DB table structure

Usually during coding, one would often forgot about the MySQL databases structure.
I would usually check in my code but not my DB design.

Below is a sh file that backup the MySQL table structure.
Not the best script. But it does the job.

#!/bin/bash

Host=localhost
BDir=/root/SQLStructureBackup/

Dump="/usr/bin/mysqldump -d -h $Host -u BACKUPUSER -pSOMEPASSWORDHERE "
MySQL=/usr/bin/mysql

Today=$(date +%Y-%b-%d)

# Get a list of all databases
Databases=$(echo "SHOW DATABASES" | $MySQL -u BACKUPUSER -pSOMEPASSWORDHERE)

for db in $Databases; do
        date=`date`
        file="$BDir/$Today-$db.sql.gz"
        echo "Backing up '$db' from '$Host' on '$date' to: "
        echo "   $file"
        $Dump $db | gzip > $file
done

Getting SAMBA to work

One of my colics have trouble setting up samba for his linux server.
apt-get install samba smbfs
Edit the samba config file at /etc/samba/smb.conf
# Global parameters
[global]
       workgroup = HOME
       netbios name = SAMBA
       server string = Samba Server %v
       map to guest = Bad User
       log file = /var/log/samba/log.%m
       max log size = 50
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       preferred master = No
       local master = No
       dns proxy = No
       security = User
        hosts allow = 127. XXX.XXX
        interfaces = 127.0.0.1/8 XXX.XXX.XXX.XXX/16
        bind interfaces only = yes
        guest account = nobody
        null passwords = no
        username level = 6
        #password level = 6
        encrypt passwords = true
        unix password sync = yes
        domain master = no
        preserve case = yes
        short preserve case = yes
# Share
[files]
       path = /files/
       valid users = SOMEUSERHERE
       read only = No
       create mask = 0777
       directory mask = 0777

useradd -c "NAME HERE" SOMEUSERHERE
smbpasswd -a SOMEUSERHERE

*Note that usually samba will not start if your config is wrong..

Single boot kali into MAC

Friend has an old imac around.

Decided to install it with kali.

Pop in kali usb and press OPTION to boot menu.

Should see a WINDOWS and EFI BOOT partition.

Choose windows and install normally.

After installation, boot back to LIVE MODE.

root@kali:~# gdisk /dev/sda
zsh: correct 'gdisk' to 'fdisk' [nyae]? n
GPT fdisk (gdisk) version 0.8.5

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.


Command (? for help): p
Disk /dev/sda: 976773168 sectors, 465.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): B6A4398E-3590-4BB7-AA57-D64EF74860D0
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 976773134
Partitions will be aligned on 2048-sector boundaries
Total free space is 4077 sectors (2.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1      2048      4095   1024.0 KiB  EF02
   2      4096       943585279   449.9 GiB   0700
   3       943585280       976771071   15.8 GiB    8200

Command (? for help): r

Recovery/transformation command (? for help): h

WARNING! Hybrid MBRs are flaky and dangerous! If you decide not to use one,
just hit the Enter key at the below prompt and your MBR partition table will
be untouched.

Type from one to three GPT partition numbers, separated by spaces, to be
added to the hybrid MBR, in sequence: 2
Place EFI GPT (0xEE) partition first in MBR (good for GRUB)? (Y/N): y

Creating entry for GPT partition #2 (MBR partition #2)
Enter an MBR hex code (default 07): 83
Set the bootable flag? (Y/N): y

Unused partition space(s) found. Use one to protect more partitions? (Y/N): n

Recovery/transformation command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): y
OK; writing new GUID partition table (GPT) to /dev/sda.
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot.
The operation has completed successfully.
root@kali:~#

Syncing Apple Wireless Mouse and keyboard to kali

And so i have an old apple mouse and keyboard and decided to sync it to kali via bluetooth instead!

Holding on the keyboard power button throughout the syncing not sure if it works.

Bluetooth setup was a hassle.

So...

apt-get install blueman

Then run blueman-manager
:P

Setting up mod-security for apache.

And so we were looking into WAF for our sites....
Lets go...

apt-get install libapache2-modsecurity

Verify that all is well. If there is a shared, all is well.
apachectl -M | grep --color security

Rename the config file..
mv /etc/modsecurity/modsecurity.conf{-recommended,}

Restart apache
/etc/init.d/apache2 restart

Logs should be in /var/log/apache2/modsec_audit.log

Let's enable modsecurity
nano /etc/modsecurity/modsecurity.conf
SecRuleEngine DetectionOnly becomes SecRuleEngine On
SecResponseBodyAccess On becomes SecResponseBodyAccess Off
Restart apache

Test SQL injection
Create a php

<html> <body> <?php if(isset($_POST['login'])) { $username = $_POST['username']; $password = $_POST['password']; $con = mysqli_connect('localhost','root','password','sample'); $result = mysqli_query($con, "SELECT * FROM `users` WHERE username='$username' AND password='$password'"); if(mysqli_num_rows($result) == 0) echo 'Invalid username or password'; else echo '<h1> Logged in</h1> <p> A Secret for you....</p> '; } else { ?> <form action="" method="post"> Username: <input type="text" name="username"/><br /> Password: <input type="password" name="password"/><br /> <input type="submit" name="login" value="Login"/> </form> <?php } ?> </body> </html>
Change password to suit your database.

Login to MYSQL.
mysql -u root -p
create database sample;
connect sample;
create table users(username VARCHAR(100),password VARCHAR(100));
insert into users values('jesin','pwd');
insert into users values('alice','secret');
quit;

Test your page to see if can login.
Then under username, use this: ' or true -- 
Note the space behind --
You should be able to login. FUCK!!!!

Lets get the ruleset.
wget "https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/v2.2.5"
tar -zxf 

Lets move the ruleset
rm -rf /usr/share/modsecurity-crs/*
mkdir /usr/share/modsecurity-crs
mv SpiderLabs-owasp-modsecurity-crs-5c28b52/* /usr/share/modsecurity-crs/
cd /usr/share/modsecurity-crs/
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
cd /usr/share/modsecurity-crs/activated_rules/
ln -s ../modsecurity_crs_10_setup.conf .
for f in `ls /usr/share/modsecurity-crs/base_rules/` ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done
for f in `ls /usr/share/modsecurity-crs/optional_rules/` ; do sudo ln -s /usr/share/modsecurity-crs/optional_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done

nano /etc/apache2/mods-available/mod-security.conf
Add in the following 2 lines
        Include "/usr/share/modsecurity-crs/*.conf"

        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"

Make sure that mod-security.conf is something like that...


        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        Include "/etc/modsecurity/*.conf"
        Include "/usr/share/modsecurity-crs/*.conf"
        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"

Make sure that mod-security.load is something like that...

LoadFile libxml2.so.2

LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

Make sure that mod-security is loaded via a2enmod. It should be done by default.

Restart your apache.

You might need to a2enmod headers or apt-get install libapache2-mod-proxy-html
Remove relevant rules if needed.
Also check that the mod-security.conf does not load duplicate conf
Test your injection, it should fail.

The site: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project requires modsecurity >= 2.7.

PFSense with snort

And so i was tasked to settle the pfsense for a small network.
Decided to install snort.

Go to System > Packages > Available Packages > find Snort
Install it.
Get oinkcode from snort website.
Go back to services > snort
Go to global settings
Tick Install Snort VRT Rules
Paste oinkcode
Check Install Snort Community
Check ETOpen
Set auto update to 1 day.
Save.

Go to updates tab.
Update the rules.

Go back to Snort Interfaces tab.
Add a new interface
Set interface to WAN.
Save

Edit the WAN interface.
Check the snort Snort GPLv2 Community Rules (VRT CERTIFED) to enable the snort rules.

and remember to save!

Reference: https://techknight.eu/2015/03/14/pfsense-snort-idsips-basic-setup-and-configuration/

Connect WPA2 on linux

And so i have a linux that is far from the router.
And i need to connect it via wifi.

apt-get install 

Know your interface first...
nano /etc/network/interfaces

auto wlan0

iface lo inet loopback

iface eth0 inet dhcp

allow-hotplug wlan0

iface wlan0 inet static ( Else use iface wlan0 inet dhcp )

address 192.168.1.155

netmask 255.255.255.0

gateway 192.168.1.1

wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

iface default inet dhcp

nano /etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

update_config=1

network={

ssid="NYO_WWWP"

psk="topsecret"

proto=RSN

key_mgmt=WPA-PSK

pairwise=CCMP

auth_alg=OPEN

}

Install .Net Framework 3.5 on windows 10

DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs

VMWare Workstation 12 - Kali Rolling - No internet too...

And so i decided to install Kali on my office laptop.
Which unfortunately, LAN and WIFI is spoilt...
Being a poor guy as usual, did not have money to buy a USB wireless adapter....
So.... 
Lets do it the HARD CORE USB THUMBDRIVE WAY!

Install VMWare.
Get the installer from the website. It's a bundle file.
chmod +x {bundle name}
./{bundle name}
VMWare installation will start.
Next all the way, for CDKEY, google youtube. There's a key out there that works...

After installation, while trying to run vmware
Should get an error saying that some headers are not found.

FUGGGGGG!
No internet, how to update?????

On another internet PC somewhere far far away...
On kali-rolling, the headers are unfortunately linux-headers-4.0.0 ( uname -r )
In the kali-rolling repo, the headers are 4.4.0 ( apt-cache search linux-headers )
HOW HOW HOW!

Let's revert the apt/sources.list and change it to SANA repo.
nano /etc/apt/sources.list
deb http://http.kali.org/kali sana main non-free contrib deb http://security.kali.org/kali-security sana/updates main contrib non-free deb-src http://http.kali.org/kali sana main non-free contrib deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

apt-get flush && apt-get autoremove
apt-get update
apt-cache search linux-headers
You should see that there is a linux-headers-4.0.0

Lets download this and move it to the lousy office laptop.
This command will list the packages (deb) files needed and output to a urls.txt
apt-get -qq --print-uris install build-essential linux-headers-$(uname -r) | cut -d\' -f2 > urls.txt

Lets download the deb files...
mkdir temp
mv urls.txt temp/
cd temp
wget -i urls.txt

Once done, move everything over to the no internet laptop.
dpkg -i *.deb

Kali Rolling - Lets update

Well, Kali linux just got an upgrade ( Quite some time back ).
Feeling bored with Natasha, decided that i should do an upgrade for my VM.

Edit your /etc/apt/sources.list.
Change it to:
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb-src http://http.kali.org/kali kali-rolling main contrib non-free

If you are still on SANA,which you should not be...
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
# For source package access, uncomment the following line
# deb-src http://http.kali.org/kali sana main non-free contrib
# deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

Note that sometimes, you might get a package error.
I find that using the mirror could be a better choice. ( http://http.kali.org/README.mirrorlist )
I'm using archive-3.kali.org mirror.
So my sources.list look something like this..
deb http://archive-3.kali.org/kali kali-rolling main contrib non-free
deb-src http://archive-3.kali.org/kali kali-rolling main contrib non-free

Finally, do a apt-get update && apt-get dist-upgrade
It's GOING to take some time... Took about 1GB of network data...

Google Fonts Downloader

I've been trying to download templates and stuff for my clients.
However, usually they would want those in their "internal" network that means NO INTERNET!

What about those fonts that most templates use now?
How can i make those google fonts offline?

-> https://google-webfonts-helper.herokuapp.com/fonts
:P

Ubuntu for VMWARE splitting into 2 screens!

And so i was testing a ubuntu installation on a VMware.

However, was given 2 screens.
Mirroring each other...
How How How...

Disable vmwgfx fbdev in ubuntu.
Edit the VM file /etc/modprobe.d/vmwgfx-fbdev.conf to say
options vmwgfx enable_fbdev=0

sudo update-initramfs -u && reboot

Heng ah!

Installing Google Chrome on Kali Linux

Lets get Google GNU GPG Keys.

wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

Lets create a new Chrome Repository

echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list

apt-get update

apt-get install google-chrome-stable

To run.

Create a non-root user

useradd -m chromeuser

Create a shortcut to run google chrome

gksu -u chromeuser google-chrome

Learning Git & Installing Gitlist

The company that i've worked for has tons of codes EVERYWHERE.

And using a file directory system guess it's not gonna work for them.

Introducing GIT....
Which i hope will be able to solve the problem... hahaha!

Install Debian

apt-get update

apt-get install php5 apache2 git

Now I will assume the following:

Path to my git is at : /home/code/

mkdir /home/code/

chmod -R 744 /home/code/

chown -R www-data:www-data /home/code/

Install gitlist ( Web for git )

http://gitlist.org/ or cd /var/www/ && wget "https://s3.amazonaws.com/gitlist/gitlist-0.5.0.tar.gz"

tar -zxf gitlist-0.5.0.tar.gz

cd /var/www/gitlist/

rm config.ini-example ( Or you can rename it to config.ini with the following contents )

nano config.ini

[git]
client = '/usr/bin/git' ; Your git executable path
default_branch = 'master' ; Default branch when HEAD is detached
repositories[] = '/home/code/' ; Path to your repositories
                                           ; If you wish to add more repositories, just add a new line

; WINDOWS USERS
;client = '"C:\Program Files (x86)\Git\bin\git.exe"' ; Your git executable path
;repositories[] = 'C:\Path\to\Repos\' ; Path to your repositories

; You can hide repositories from GitList, just copy this for each repository you want to hide
; hidden[] = '/home/git/repositories/BetaTest'

[app]
debug = false
cache = true
theme = "default"
title = ""
baseurl = 'http://localhost/gitlist';

; If you need to specify custom filetypes for certain extensions, do this here
[filetypes]
; extension = type
; dist = xml

; If you need to set file types as binary or not, do this here
[binary_filetypes]
; extension = true
; svh = false
; map = true

; set the timezone
[date]
; timezone = UTC
; format = 'd/m/Y H:i:s'

Lets enable mod-rewrite

a2enmod rewrite

For the .htaccess in /var/www/gitlist/, make sure the rewrite rule becomes /gitlist/index.php instead of the original index.php

root@gitlist:/var/www/gitlist# cat .htaccess

    Options -MultiViews +SymLinksIfOwnerMatch

    RewriteEngine On

    #RewriteBase /var/www/gitlist/

    RewriteCond %{REQUEST_FILENAME} !-f

    RewriteRule ^(.*)$ /gitlist/index.php/$1 [L,NC]

    order allow,deny

    deny from all

Make a directory called cache and chmod 777 to it

mkdir cache

chmod 777 /var/www/gitlist/cache/

chown -R www-data:www-data /var/www/gitlist/

/etc/init.d/apache2 restart

Lets init an empty git.

cd /home/code/

git init --bare my-project.git

Creating a HTTPS client authentication based web server with CRL.

Ok.

I am in need of a web server that uses HTTPS client certificate authentication.
I think this should keep those without the client cert off my https! :P

Lets start

Lets create a directory to store every thing

Lets echo a number for our CRLNumber file ( CRL number is for the next number for the next cert )
echo 1000 > crlnumber

Lets touch an index. ( A database of all the certs in there )
touch index.txt

Lets create an openssl.cnf file. This will be the config file passed in to all the commands.
===== Start ===== 
dir = /xxx

[ ca ]
default_ca      = CA_default

[ CA_default ]
serial = $dir/crlnumber
new_certs_dir = $dir/certs
database = $dir/index.txt
policy = policy_match
default_days = 365
default_md = md5
default_crl_days = 1

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign

[ req ]
distinguished_name      = req_distinguished_name
string_mask = utf8only


[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = SG
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Singapore

localityName                    = Locality Name (eg, city)
localityName_default            = Singapore

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = XXX

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

===== Start ===== 

Lets create a CA ( Remember the password )
openssl genrsa -aes256 -out ca.key.pem 4096

Lets create the cert out of the key!
openssl req -new -x509 -days 3650 -key ca.key.pem -sha256 -extensions v3_ca -out ca.cert.pem

Ok, the CA seems to be fixed now.

Lets create our apache web server key and cert
openssl genrsa -out server.key.pem 4096

Create a CSR out of it
openssl req -sha256 -new -key server.key.pem -out server.csr.pem

Lets sign it
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -extensions usr_cert -notext -md sha256 -in server.csr.pem -out server.cert.pem -config openssl.cnf

Lets fix Apache
SSLEngine on
SSLCertificateFile    /xxx/server.cert.pem
SSLCertificateKeyFile /xxx/server.key.pem
SSLCACertificateFile /xxx/ca.cert.pem

Now your apache should be HTTPS enabled.
Though you should get a cert not trusted sign.

Lets move on to allow our clients to login...
SSLCARevocationFile /xxx/crl.pem
SSLVerifyClient require
SSLVerifyDepth  1

==== Create user script
#!/bin/bash

echo "Creating Private Key for $1"
openssl genrsa -out $1.key.pem 4096

echo "Creating CSR for $1"
openssl req -new -key $1.key.pem -out $1.csr.pem -config openssl.cnf

echo "Signing CSR from CA Key"
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -extensions usr_cert -notext -md sha1 -in $1.csr.pem -out $1.cert.pem -config openssl.cnf

echo "Creating P12 keys"
openssl pkcs12 -export -clcerts -in $1.cert.pem -inkey $1.key.pem -out $1.p12
==== Create user script

==== revokeUser.sh
#!/bin/bash

echo "Revoke user: $1"
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -revoke $1.cert.pem -config openssl.cnf
clear
echo "Generating new CRL"
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -gencrl -out crl.pem -config openssl.cnf

/etc/init.d/apache2 restart

==== revokeUser.sh

To create the user ./createUser.sh nameofuser
To revoke ./revokeUser.sh nameofuser

Creating an Encrypted Disk ( Persistence ) boot for Kali Linux on thumbdrive.

Get Kali Linux first.
https://www.kali.org/downloads/

Then lets DD to our thumbdrive. ( Replace iso image and sdb for your device )
dd if=kali-linux-1.0.8-amd64.iso of=/dev/sdb bs=1M

Or you can use those windows GUI such as Win32DiskImager for the job.

To enable persistence so your work is saved between reboots ( Linux image with gparted best )
Insert bootable disk.
Run gparted.
For the thumbdrive partition, you should see /dev/sdb1 and /dev/sdb2 with an unallocated area.
Right click unallocated area and make it as a ext4 file system with label: persistence.
Add and apply.

Run the following commands:

For unencrypted partition.

mkdir -p /mnt/my_usb
mount /dev/sdb3 /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/sdb3

For an encrypted partition

cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3
cryptsetup luksOpen /dev/sdb3 my_usb
mkfs.ext4 -L persistence /dev/mapper/my_usb
e2label /dev/mapper/my_usb persistence
mkdir -p /mnt/my_usb
mount /dev/mapper/my_usb /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/mapper/my_usb
cryptsetup luksClose /dev/mapper/my_usb

Copied from: https://forums.kali.org/showthread.php?22166-Making-a-Persistent-usb-flash-drive-with-kali-linux-1-08

Tun missing! Find them!

And so I had this problem when my TUN disappeared.

It all started when my OPENVPN suddenly did not want to work.

When i manually tried to openvpn the server.conf file. All i got was this.
Wed Feb 4 10:05:18 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Wed Feb 4 10:05:18 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb 4 10:05:18 2015 Diffie-Hellman initialized with 1024 bit key
Wed Feb 4 10:05:18 2015 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 4 10:05:18 2015 Socket Buffers: R=[133120->131072] S=[133120->131072]
Wed Feb 4 10:05:18 2015 ROUTE: default_gateway=UNDEF
Wed Feb 4 10:05:18 2015 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Wed Feb 4 10:05:18 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Feb 4 10:05:18 2015 /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
SIOCSIFADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFDSTADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFMTU: No such device
Wed Feb 4 10:05:18 2015 Linux ifconfig failed: external program exited with error status: 1
Wed Feb 4 10:05:18 2015 Exiting

As you can see, there was an error opening the TUN interface with error number 2.
I then checked with my VPS provider and apparently the fault was on their end. 
They then make TUN appear.

To show that TUN was there:
root@xxx:/# cat /dev/net/tun 
cat: /dev/net/tun: File descriptor in bad state
root@xxx:/# 

However, running the openvpn server.conf now produces a different kind of error.
root@xxx:/etc/openvpn# openvpn server.conf
Thu Feb 5 15:33:14 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Thu Feb 5 15:33:14 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Feb 5 15:33:14 2015 Diffie-Hellman initialized with 1024 bit key
Thu Feb 5 15:33:14 2015 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Feb 5 15:33:14 2015 Socket Buffers: R=[133120->131072] S=[133120->131072]
Thu Feb 5 15:33:14 2015 ROUTE: default_gateway=UNDEF
Thu Feb 5 15:33:14 2015 Note: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Thu Feb 5 15:33:14 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Feb 5 15:33:14 2015 /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
SIOCSIFADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFDSTADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFMTU: No such device
Thu Feb 5 15:33:14 2015 Linux ifconfig failed: external program exited with error status: 1
Thu Feb 5 15:33:14 2015 Exiting
root@xxx:/etc/openvpn#

It now shows that errno is 1.
I then ding dong with the VPS but they could not help me out as my SLA did not cover 3rd party.
Thus, i am left with the harsh choice of reinstalling my VPS.
However, after reinstalling, the problem exist.
Out of the blue, i just issue the ultimate command.
rm /dev/net/tun && reboot

SUDDENLY, all was fine....
So if next time you have such an error, just remove the god dam tun....

Setting up the openvpn server ( again )

Lets install OpenVPN
apt-get install openvpn

Lets create the easy-rsa and copy some sample files over
cd /etc/openvpn
mkdir easy-rsa
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa/

Lets clean the easy rsa folder first
cd easy-rsa
source ./vars
./clean-all

Lets build the CA
./build-ca

Lets build the server
./build-key-server server

Lets build the DH parameters
./build-dh

For each client
./build-key clientname

Lets make sure that ipv4_forward and iptables can jump here and there.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -j SNAT --to-source

Lets save the IPtables
iptables-save > /etc/iptables.up.rules

Lets create the openvpn server config
nano /etc/openvpn/server.conf

port 1194
proto udp
dev tun

ca      /etc/openvpn/easy-rsa/keys/ca.crt    # generated keys
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key  # keep secret
dh      /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.9.8.0 255.255.255.0  # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo         # Compression - must be turned on at both end
persist-key
persist-tun

status log/openvpn-status.log

verb 3  # verbose mode
client-to-client

cd /etc/openvpn
mkdir -p log/
touch log/openvpn-status.log

#This is needed if you want to route all traffic through the VPN
push "redirect-gateway def1 bypass-dhcp"

#Push down DNS just in case
push "dhcp-option DNS 8.8.8.8"

Restart the openvpn service and it should be up and running!

For the client config:

client

dev tun

port 1194

proto udp

remote VPNSERVER_IP 1194             # VPN server IP : PORT

nobind

ca ca.crt

cert clientname.crt

key clientname.key

comp-lzo

persist-key

persist-tun

verb 3

Copied from : https://wiki.debian.org/OpenVPN