ST RCE Cry lm Tea OU Tem Tia cc) ar Licrele) Findithe gaps before an | = Tele Ces eee foe er as amen | Bia e s supports structured data Web apps in Python Lf simulations to reduce risk © Get the news from the EF _ sources you choose Be eels 2: network analysis tool that z can track processes GLITTERING FOSS GEMS! WWW.LINUX-MAGAZINE.COMLINUX-OPTIMIZED HARDWARE FROM LAPTOP TO HIGH-END PC TUXEDO develops and manufactures hardware a sleek ultrabook, or a high-end PC for demanding ifically optimized for Linux - from powerful workloads - we have the perfect device, precisely laptops and versatile desktops to workstations tailored to your unique needs and preferences. and mini PCs. Our wide range offers customized 100% Linux-compatible, individually configurable, solutions for beginners, professionals, and busi- with an optional personalized cover logo and nesses alike, Whether you're looking for a rugged compr sp jensive, dedicated support! S © # TOXepo @ & 9 Ux Pp Immediately Masein —GermanData—_ German compatle YearsCusranee readyforuse tuxedoflamag296 Geary Pracy Tech SupportWelcome SHE JUST ONE MORE YEAR ... Dear Reader, ‘So much of the big news these days is all about Al, Al ad- vances, Al politics, Al corporate maneuvering, Al power Usage ... | was feeling a bit downcast about the prospect of writing yet another Al column when, in fact, there isn’t that, much I can say in one page that isn't elther speculation or \well-trodden platitudes. Then | noticed a news item that, ‘swung the other way, into the deep, retro past: Picture the oldest PC-style home computer you can remember, maybe the first computer your father brought home? ‘The BBC website recently posted an article on contempo: rary uses for really ancient Windows computer systems [1], and I'm not just talking about people logging onto @ home PC to write a letter. | mean actual production sys- tems out in the real world. 've always had a low-tech, high-tech streak. | never liked it that | was supposed to throw out my computer and buy anew one because some hardware company (or software company) wanted to chalk up another sale. One of the things that attracted me to Linux was the idea that | wouldn't have to bow down to corporate timelines of planned obsolescence. But seriously, some of the examples in the article are a little mind blowing, Commuter trains in Germany that run on Windows 3.11 ATMs with Windows XP ... Software for veterans hospitals that still runs on Windows NT. According to the article, the ‘computer that starts the automatic train control system or the Muni Metro light rail system in San Francisco runs MS-DOS, and the system won't boot in the morning un- less someone sticks a floppy disk into the floppy drive. As the expression goes, “Ifit ain't broke, don't fix it ‘These systems are all doing what they were designed to do, so no one seems to mind that they exist in a weird time warp. One of the takeaways from all this is just the reminder of how much time and expense it takes to write complex infrastructure-managing software systems ~ and how risky itis to change something that is already functional. People on the subway train aren‘t going to say, “Wow, this subway is a much better experience since they Info [1 “Stil Booting ater All These Years: The People Stuck Using An: cient Windows Computers” by Thomas Germain, BBC Future: /teps/ivwbbe.com/Tuture/articie/20250516-the-people-tuck Using ancient windows-computers upgraded their software.” But if you start the upgrade and nothing works for a couple months while you smooth out the kinks, you'll hear about it from just about everybody. Also, itis worth noting, deferred maintenance Is a common strategy for governments (and even many companies) in difficult budget years. "It worked last, year; let's wait another year and fix it then?” Then you look up and 20 years have passed. Many of these systems run legacy software because they are tied to legacy hardware. If you're not ready to buy a new machine yet, and the old machine is tied to old soft ‘ware, you're stuck with making the old software work. | admire that, in a way, although | would like to believe someone sat down and thought through all the security implications, and I'm less than confident that that has ac- tually happened. A closed system, with no direct Internet ‘access for a cybercriminal to use for a break-in, is clearly safer than a system wired up to the Internet, but seriously, how secure is that room where you store the mystical 386 PC that is the brains of your operation? om Joe Casad, Editor in Chiefa JULY 2025

eognant, 2 sognente, 2 ne_pegnenks * aizect(#oegnents)); “and an even more common case is ‘Tm doing an owt-of-line call not be- cause the size is unknown, but because the size is big’ ‘So noted the size alignment of the size inthe function name, so that Fould have different versions for the most obvé- ous straightforward cases (notably the ‘just do word-at-a-time copie “Admittedly my main use case for that twas the big fixed size case in the stat code, which just does return copy_te_uter(stattut, 2 ‘erp, etzeof(t0p)) 7 -BPAULE + 03 “and shows up tike a sore thumb on some benchmarks, “But I've always hated the patch be- cause it turns out that the real fix is to ‘get rid of the temporary buffer on the stack, and just copy the fields one-by- one with ‘unsafe_put_user()’ and friends, but every time I do that ~ and ve done it several times ~ Tend up throwing the patch away because it ends up being problematic on non-x86 architectures. (Reason: INIT_STRUCT_STAT64_PAD- DINGO. Ugh).” ‘While that discussion was happening, ‘Mateusz mentioned that he'd reported the issue to the GCC people via their Bugzilla interface and followed up with the folks over there. He pointed out, “Even if the gee folk address this soon(tm), users wont be able to benefit from it for quite some time.” He posted a slightly revised patch ‘based on feedback from the GCC folks, saying, "Given the above, would you be ‘ok with allowing the patch into the tree as a temporary measure? It can be gated ‘on compiler version later on (if gee folk fix the problem) or straight up removed.” He added, “I make no claim this is the fastest thing out there for any uarch, ‘merely that regular stores beat what gee is emitting now.” However, the discussion ended incon- clusively. Which to me seems to indi- cate that Linus's most recent decision stands for now - that this should be fixed by GCC rather than in the kernel, ‘while he’s still open to specific related fixes going into the kernel itself. It seems as though this issue is taken seri- ‘ously by the various top dogs, so one ‘way or another an optimization will probably be adopted, Tracking Compiler Plugin Problems Mark Brown noticed some internal com: pilererors (ICs) when building the Linux kernel, ICEs generally indicate a tug inthe compile itself, rather than a bug in the kemel - normally the com- piler should be able to fail gracefully no rmatter what it eying to compile So when Annd Bergmann identified the kernel patch introducing the error, something dnt smell right. Mark said, “that commits fairly obviously not re ally at fault here, most likely this is an issue in the plugin. Given how NEWS Kernel News =NEWS MEE! Kernel News disruptive having key configs like this failing le’ disable the plugins for com- pile test builds until a fix is found.” ‘Compiler plugins, like plugins for other tools, add features not imple- mented by the main tool. In the case of GCC, these may do special types of code analysis, special optimization passes during compilation, code quality checks, and other things. For example, the stackleak plugin clears the kernel stack whenever the execution path re- tums from a system call. This helps reduce the chance of a malicious user ‘getting access to private data lingering in the stack Mark's suggestion of disabling com- piler plugins for test builds would mean that the kernel developers wouldn't hit these odd and potentially hard-to-debug compiler crashes so often, but any big distributions sill relying on plugins ‘would still benefit from them for build- ing their own kernels. Linus Torvalds replied, “I'm not against this, but [do want to bring up the ‘are the plugins worth having at all” discussion again. They've been a pain before. Afaik, the actual useful cases are now done by actual real compiler sup: port (and by clang, at that). Who actu- ally *uses* the gec plugins? They just, worry me in general, and this is not the first time they have caused ICE problems.” ‘This led to a bit of research. When Linus asked who used GCC plugins, he almost certainly meant, which of the big Linux distributions used them, as ‘opposed to which regular users. re- member awhile back it was determined that nearly al regular users relied on their distributions” pre-built kernel bi nary, and it was really only ever the kernel developers themselves who “rolled their own.” Mark noted that Talos Linux used the Jatent_entropy plugin to gather entropy from the kernel build process itsel in order to seed its random number gener- ator, Arnd added that Talos also used the stackl ak plugin previously described ‘Amd also remarked that nearly 60 dis- tributions he looked at used no plugins, ind most of those Kernels appear to be built with a compiler that doesn’t sup- port plugins.” Regarding Talos's use of the latent_, entropy plugin, Kees Cook remarked, “The early RNG (random number gen erator] for small machines remains pretty bad, so I can understand want- ing to keep that around. For bigger ma- chines it's not as much of a benefit, Kees also said, “stackleak has no via- ble alternative. [..] I'd be nice if there ‘were a way to do this with upstream compilers.” Meanwhile, regarding Mark's inital report of an ICE, Kees also reported, “Looks like this isa randstruct bug, ‘We'll need to disable that one for now (tather than all plugins).” The rand- struct plugin is a security plugin that randomizes the layout of kernel data structures in RAM, making it harder for attackers to pin down the location of data they want to sniff. Meanwhile Mark reminded folks, Note that the patch is only disabling for build coverage builds where the result- ing binaries generally aren't going to ac- tually be run.” To which Linus replied: ‘Well, here's a reason we do build coverage ~ we also want to test that the non-build coverage case builds, “And it’s not actually obvious that it does ~ it’s in fact rather likely that the ‘gcc plugin is broken in general, and it Just so happens that it's the build bots that find it, “Which is why Thonestly would prefer 1 just disable the plugins in general “Because the problem isthe plugin, not the build coverage.” ‘Though at that point Mark said 10 Linus, “Sadly it seems like the build bots didn’t find it, or at least if they found it they didn’t identity it well enough to end up with reporting the issue to someone who'd fix it. Iran into it because I do allmodcontig builds as part of applying things since both you and Stephen do them and that exploded in my face at -rc1.” Linus remarked, “I wouldn't be en- tirely surprised if a lot of the build bots end up running old distros.” He added, ‘So this is presumably only happening with certain compiler versions, and I expect the build bots have a fairly small set of compilers they end up testing.” Meanwhile, various kernel folks were tuying to identify the actual version of GCC that caused this particular plugin to break. As Kees put it, “'m stil trying to figure out what the matrix is, because I can reproduce the crash on Debian's GCC 12 but not Ubuntu’s GCC 13, ete. It feels like there are a few comer cases in- volved here. So it’s not just the regular “new compiler changes’ that usually break the plugins. Regardless, I'm still digging...” Mark added, “The other problem we hhave is that AFAIK unlike clang we don’t really have people actively working on GCC coverage specifically, everyone ‘mostly just assumes everyone else is doing it since GCC is the default (me being as guilty of that as everyone else here). The work Amd’s doing is the nearest thing I'm aware of but that’s ‘more intermittent and I gather his tool- chains don't have plugins enabled which wouldn't help here.” ‘Arnd explained, “I don’t think there is any sensible way to support plugins with my cross compilers, because that requires building the plugin on a devet oper's machine and link it against the ‘compiler I statically linked against a specific libstde+ + to avoid runtime compatibility problems.” ‘The discussion petered out with var ous folks helping try to nail down exactly which plugins needed to be disabled for exactly which compiler versions when, building the kernel. Apparently Linus’s attitude of “let's just outlaw all GCC plugins” was highly ‘motivating. Mark, Amd, Kees, and oth: cers worked to disable only the minimal number of plugins to keep the build process running cleanly. However, it does seem as though compiler plugins are more or less doomed eventually. Any features they implement will inevi tably be better and easier to maintain and debug if they stay in the main com: piler code. But for now, atleast, plugin support remains in the kernel build system,2025 AKADEMY BERLIN niversitat16 mann Tools for practice pen testing Sparring Partners Ifyou want to check your systems for security vulnerabilities, you need the right tools and a massive helping of experience. Prospective pen testers can get some practice by breaking into prefabricated training VMs. By Tim Schirmann hen you buy a new food processor, it will take you three glances at the mai ual, two creamy pea soups, and maybe a piece of your fin ‘get before you can correctly assess the danger of the blender blades at speed 6. Pen testing is not much different: Hacking tools are only efficient if you know what they were designed for, how to use them, and what limits they have. Before you launch a full-scale attack on your own web server via its open ports, you will want to first get to know the most important tools and attempt a couple of simpler break-ins. I's actually great fun Requirements ‘The starting point and basis for pen testing is your current technical skil set, Experience as an administrator is extremely useful To erack an NGINX web server, for example, you need to understand the internal workings of the software and at least be able to setup the instance you are running. Ideally, you will also have already hardened various sy tems against atacks. In other words, you know which veetors could be promising for intrusion attempts. Attacks usually start on the network and end up on the command line at some point, When you get there, you need to know what you axe doing. Many hacker tools are designed as command line- only programs. DIY shell and Python scripts can also auto- mate your attack attempts. Phishing can play a role in pen testing as wel (See the box entitled “Phishing for Neweom- ers}, It isa massive advantage to have basic network knowl- edge, familiarity with the command line, and scripting ski DIY Store Visi ‘The first step is to obtain a toolbox with a selection of fre- quently required security tools, You can find these tools in Linux distributions that are explicitly designed for pen tes- ters (see Table 1). Kali Linux (1] is particularly popular, as are Parrot (2], BackBox [3], BlackArch [4], and the Network Security Toolkit (NST) [5]. Kali Linux and Parrot run as Live systems, although you ‘can permanently install them, and they can also run as vir- tual machines (VMs). Both distributions have relatively large ‘communities and are well documented. The Kali Linux docu: mentation is especially helpful. In addition to numerous in- structions on the Internet, you will find several books on using Kali Linus. Phishing for Newcomers In principle, pen testing also includes phishing. A pen test phishing attack involves trying to persuade employees in your ‘wn organization to hand over their access credentials or other Useful information. The art of persuasion required for this can (unfortunately) be learned, Essentially, itis simply a matter of lying as woll and as convincingly as you can. Explaining the psychological techniques requited to do this goes well beyond this article {As phishing attacks always target people, they are sensitive from a human and legal point of view. Make sure you obtain the consent of the authorities within your organization before trying this out, observe the legal requirements, carefully plan Your appraach, and do nat steal from yaur fellow employees. You can use your phishing experience to sensitize your em- ployees to this kind of attack after the event.COVER STORY Discover Pen Testing NUM Pen testing neweomers are therefore ‘well advised to use Kali Linux (Figure 1), although many things work the same || 8 a way on Parrot (Figure 2) - surprisingly | © ae often, you can follow the same instruc- | a tions without any changes. you do | ¢ Sat not like Kali’ user interface, consider | — switching to Parrot The other distributions {listed are more for advanced pen testers due to : - the sparse documentation. BackBox (Figure 3) offers an extremely tidy user interface, but it is only available as an 180 image. BlackArch’s developers focus on quantity: At the time of going to press, their Arch Linux-based distr bution (Figure 4) came with north of 2,800 security tools. Although the vel-_ Figure 1: Kali Linux is one of the few pen testing distributions eran NST (Figure 5) has only seen slow alternative, light-colored desktop theme. development since 2003, it mainly relies (on an old-fashioned web interface. Setting Up a Workshop ven though Kali Linux and several of the ateratives will run as Live systms, you will till want to install themn on a computer or a VM. Installing the system makes it easier 1o use ll the tool; the entire distribution will aso run faster, and an installed system offers more stor age space fr, say, a password database But beware: Kali disables some secu the pen test tools, This means thatthe distributions themselves are not intra- sion proof. Keep this limitation in mind analyze programs. f you're just using Kali temporarily for practice and learn ing, you can disregard this point asa general rule When pen testing, you put yourself in the shoes ofan attacker who wants to break into a system. The skill set is similar to troubleshooting, where you sradually home in on the root cause For example, if you cannot break into the web server directly via port 80, you have to think ofa different way and possibly combine several tools fora Figure 2: Parrot is available as a Docker image, for WSL on Windows, and asa standard system for daily work. Life Is a Quiz The Internet is home to several prefabr- cated VMS containing systems that are intentionally poorly configured and rid led with security vulnerabilities, These systems are usefl for practicing pen testing, The Vuln#lub [6] portal has a Figure 3: Like most pen testing distributions, BackBox Linux uses the lightweight Xfce desktop environment.COVER STORY MEEEE Discover Pen Testing security tools. collection of these machines (Figure 6) and also tells you the intrusion severity level. In many cases, the vulnerable ma: chines are like those popular puzzle cubes or a reverse escape room where you have to solve several tasks that build on each, other to break in rather than out. You can tell when you have mastered a subtask either by the clues or the word Flag. In this game of Capture the Flag (CTF), the level of dificulty usually increases from flag to flag. Some of the VMs even tell a story and have names like The Wall and Necromancer. Despite their age, the Basic pen testing 1, Basic pen testing 2, and Metasploitable 2 VMs are recommended for getting started with pen testing, The Open Web Application Security Project (OWASP), which was founded in 2001, not only collects fre- quently occurring security vulnerabilities in web applications, but also provides a vulnerable online store in the form of the OWASP Juice Figure 4: The lean version of BlackArch includes only a few selected vulnerable machines without giving the ‘matter some thought. Third parties could exploit their security vulnerabil ties and use them (o penetrate your own network, To avoid this happening, start your choice of pen testing distribution ina VM and mount it, along with the vulnerable system, in its own isolated virtual network segment, In VirtualBox, you can do this with just a few mouse clicks in the network settings. One positive side effect ofthis operating ‘mode is that you will never inadvertently attack areal system. You can also use the virtualization solution to create snapshots of the systems. You can then use these snapshots to reset the systems later on and start your intrusion all over again, Before you attack the vulnerable VM, you need to familiarize yourself with ‘your pen testing distribution, Set up the desktop to suit your own preferences and find out which password you need 10 use tostart programs with root privileges. Finally, update the entire system, What you have now is your awn litle pen testing lab. 11s up to you to use it to investigate the vulnerable systems. Other articles in this issue explore the pen testing process at a deeper lever, but in a nutshell Frst gather information about the system you are attacking. On which ports is the server lis ening; does it offer a user interface and perhaps even a login option? Which versions of what software are running on the server? Armed with this knowledge, you can look for possible vulnerabilities and then try to actively exploit them. Meticulous Record Keeper Keep a detailed written record of your attacks, how you proceeded with your (training) intrusions, which vulnerabilities you Shop (7). The = —— Ce S| Juice Shop is suit: : > OB mpninasy POOH able for your first Orcrston Reni Creer OY attempts at pen testing, bu itis only available as source code and as a Docker con- tainer Ready-made solutions are aval able on the inte- net for al the VMs Timentioned, And ifyou get stuck at any point, you will quickly find help Locking Up the Systems Under no circum stances should you simply startup the dase rane eee ee reser ta Figure 5: NST’s web-based user interface makes it easier to target a server.= COVER Discover Pen Testing SHUM exploited, and which tools you used. In particular, record the view in the terminal, you can look up the details inthe stored out ‘commands you executed and their output. These records will put from the tools. These records also act as a log and as a basis serveas reminders later on when you find yourself pen testing __for talking o fellow employees or chatting on Internet forums. n a similar situation. [Fimportant information sips out of Once you have cracked several vulnerable VMs, you can ‘gradually expand your lab. Thanks to the virtualization solution, you can ‘quickly set up and simulate more com- plex networks, gradually adding fire- walls to your lab to match your growing capabilities. If you want to practice attacks via WiFi, you need a device that you can safely attack. A decommissioned lap- top or a collection of old Raspberry Pis are good options. But make absolutely sure that you are on your own network during your tests and that you are at- ig tacking the right target. Ideally, you ‘cern . ‘will want to lock all of devices away in their own isolated network segment. Hacking in Private Figure 6: The basic pen testing VMs on VulnHub are de: If you want to go beyond the practice starter intrusion attempts. ‘you get breaking into vulnerable Table 1: Important Pen Testing Tools at a Glance Cen Strings Finds character strings in binary files Neteat (Ne for short) ‘Sends characters toa port or network interface curt Calls URLs, downloads files, and sends requests to services Bases Decodes texts writen in Basob4 Erne Natdiseover Provides information about the network, including the IP addresses of accessible systems Nmap Provides information about servers and the network, Among other things, Nmap detects open ports Wireshark Records network traffic. You can use the log to retroactively analyze a web server's responses Etterca Sriffs the communication between two devices Serra? arts Legion ‘Somi-automates numerous security tests OWASP Zed Attack Proxy ZAP) _Finds out which remote stations a client or browser is talking to and tests the remote stations for security problems. ZAP acts as @ proxy through which you need to route the client's network traffic wintez Finds security problems on WiFi networks Ditb Searches for accessible directories on a web server by trying out typical URLs such as actin or finternal wescan Finds security vulnerabilities in WordPress installations. Nikto and Burp Suite Find known vulnerabilities in web applications Salmap ‘Scans web applications for SOL injection and similar vulnerabilities Openvas Discovers known vulnerabilities on the system (vulnerability scanner) Metasploit ‘Automates attacks and executes exploits for security vulnerabilities (Vulnerability Scanner and Exploit Framework) Finding and Cracking Passwords LaZagne Finds all access data and passwords stored on a system Airorack-ng acks WiFi passwords (WPA encryption) Hydra Cracks logins John the Ripper Cracks passwords using ahash Zip2john Extracts the password hash from an encrypted ZIP fle for John the Ripper INUX-MAGAZINE.COM Je yCOVER STORY HEBBEN Discover Pen Testing +26 08 (© Note: Keyword searching of CVE Recrds nom aaable nthe earch box above Keywords mayincadeaCVEID(eg. (2024230, er ane or more kewords separate by aspace(eg. suthazaten, SOL nection, cess scripting ec) Learn CVE® Program Mission Identity, define, and catalog publicly disclosed cybersecurity vulnerabilities Curtenty, there are 272,418 CVE Records accesible via Download of Keyword Search above ‘The CVE Program partners with community ‘members worldwide to grow CVE content And expand its usage. Click Below to learn ‘more about the role of CVE Numbering ‘Authorities (CNAs) and Roots. that deals with current security problems and tools. Knowledge You can only ex- plot the security tulnerabilties of an NGINK web server if you are aware of them. “The Common Vul- neablites and Exposures data- 0 ba! base (CVE) [8] © serintertor ot logs erica secu Corset rity vulnerai eae compte tes, Some tools a snake use ofthe stcon CVE (Figure 7) or Save Before reer tothe data- sais base. For this rea- Figure 7: CVE numbers uniquely identify security vulnerabilities worldwide. training VMs, you'll find various in-person or online courses, as well as regular pen testing workshops at conferences. If you want to delve deeper into pen testing on your own, there is nothing to compare with a good book, preferably in hard copy, You can put the book next to your computer and prac tice while you read. At the same time, you are forced to actu ally type out the commands from the book. And this type of, exercise is precisely what burns the commands into your ‘memory; you will not see the same benefits if you are just copying and pasting. Make sure that the publication date of the book you choose is not too far back. You'll need a book ‘OWASP Juice Shop ‘meen otro sen [pres] Figure 8: OWASP hosts the vulnerable Juice Shop and identifies the top 10 most important vulnerabilities in web applications. son alone, you will want to familiarize ‘yourself with the structure and contents of the CVE database, You will also want to discover more about the methods used by cybercriminals, Ifyou are thirsty for further knowledge: Jack Halon [9] has ‘compiled some resources for (prospective) pen testers and stored them in a very extensive list. MITRE ATT&CK [10] and the aforementioned OWASP (Figure 8), among others, have com piled suggestions for a methodical approach. OWASP also pro- ‘vides teaching materials and organizes pen testing conferences. Finally, for more experienced pen testers, taking part in com- petitions is a good idea, Capture the Flag events are particu- larly popular and instructive; the chal: lenge is to solve predefined tasks as quickly as possible. The CTFtime (11) ‘website has a calendar listing potentially Interesting events. You will even find some VMs on VulnHub that were used in previous CTF competitions (Figure 9). Conclusions ecemmess = | You wort find a single tol that will scomeweerers= |help you automatically perform a pen fais test nstead, you have to gradually fel your way forward using several fer. oes eee! ent tools. This process requires techni- Prsgenp ret cal knowledge, strategy, and, above all, ‘Author ‘Tim Schirmann isa freelance computer scientist and author. Besides books, Tim has published various articles in maga: zines and on websites.COVER STORY Discover Pen Testing experience. Pen testers simply cannot avoid a hands-on training VMs. Courses and literature can help you build up approach. your skill set. Before you attempt a break-in, always pay at- ‘The extensive steps of a pen test might sound like work, tention to the legal requirements ~ and make sure you are but itis actually great fun thanks to cleverly designed testing the right system, m Info (1) Kali Linux: hetpsi7unww kal org/ QI [B} BackBox: htpsy/iwwm:backbox.org/ a 6 Parrot: htsyvwwparrotsee.ora/ BlackArch: htps//blackarch.org/ Network Security Toolkit (NST tps:/mwmnetworksocuritytoolkit ‘orginstindex.htmn} 1 0 \ulniiub: hetpsyfwwwcvulnhub.com/ (OWASP Juice Shop: https:/owasp. org/w- project juice-shop/ [8] CVE: https:ywww.cve.ora/ To} "So You Want to Work in Cyber Secu: rity?": httpsy/naton.github io’ breaking-into-cyber-security/ [HOI MITRE ATTACK: ttps:/atackmitre.org/ [ICTFTime: https: fettime.org/ on ChatGPT Cents ing Now running & coptrePos80 30° = conty time Past events Figure 9: The CTFtime website lists upcoming CTF competitions world- wide and the results of previous challenges. AE Advanced Techniques from Linux Experts This new special edition brings you the best and most practical articles from the 2024 editions of Linux Magazine. Whether you're new to Linux or a seasoned veteran, you'll find something useful in the tips, tools, and technologies inside. Eisgel ORDER ONLINE: shop.linuxnewmedia.com/shopmn Practice your pen testing skills with the OWASP Juice Shop challenge Juicy The OWASP Juice Shop has over 100 tasks that will get you up to speed on pen testing. This article guides you through your first steps. ay Tim Schirmann Practicing Pen Testing ‘ou can quickly test whether door for attackers by breaking into your own system. All you need to do is... well, what actually? Isn’t there this Metasploit tool that you can simply fie against the server? But before you point massive unknown weapons at your own server, you might want to take some time to familiar- ize yourself with the available tools and their purposes. And the best way to get started isto break into atest system, ‘The Open Worldwide Application Security Project (OWASP) ‘makes its Juice Shop [1] available for starting pen testers. In addition to offering tasty fruit juices, the Juice Shop also delib- erately contains a number of vulnerabilities, providing new- comers with an ideal target for hands-on pen testing practice. You can quickly set up the Juice Shop in a Docker container, uur web server is an open Open for Business Because the Juice Shop has security vulnerabiities, you will not want to launeh ton your own stem Instead, install your favor ite distibution on a virtual machine (VM) or on an od laptop. Other services running n the background on your system will ot interfere withthe analysis, In principle, any distribution can serve as the underpinnings, butt should have the following tools ints repositories: Docker, Nmap, Dirb, and Base64. You can play it safe with Debian ogo forthe Kali Linx 2] pen testing distribution 2 sty 2025 SUE 2: mane ‘As soon as your distribution is running on the VM or on an ‘ld computer, use the package manager to integrate the tools | just mentioned. On Kali Linux, all you need to do is type sudo apt install docker. io All other tools are already in place. The two commands from Listing 1 will download the container with the Juice Shop and launeh it. ‘To monitor the status messages from the container, just leave the terminal window open. You can run the security tools against the Juice Shop in a second terminal. Finally, itis a good idea to temporarily interrupt the Intemet connection in order to ensure that you have a completely isolated test ‘environment Finding the Door When attacking computer system, you ist need to acces the actual target and then glean as much information as Listing 1: Download and Startup 4 sudo docker pull bkinminich/juice- shop § sudo dooker run --rm -p 2000:2000 brimintcn/juice-shopTumse) Sxarting tr 7-95 ( neos://mas.org ) a 2025-06-02 2650 cesT tap tebe roort for toernore G57 8.0.3) ‘ther scaresses for tocathost (oot scanned): = ew shan St cleo pores Cele) esp done: 1 0 adress (1 hot up) scanned Sn 0.26 seconde Gynec igure 1: Nmap checks all the possible ports; in this example, the only response was via TCP on port 3000. possible about the victim (scanning and enumeration phase). The Juice Shop is already running on your system, so you can't {get much closer for the time being. With an online store, the ‘main question is how you will communicate with it. You will have noticed some clues from the Docker command or the con tainer output. The web server running in the container listens ‘on port 3000, but perhaps there is also a backdoor to the online store? To find out, type nap 127.0.8.1 Nmap detects all the open ports on the specified IP address ~ in this case the local system, which is always 127.0.0.1. The tool only detects a single open port 3000 (Figure 1) ~ in other words, there is no backdoor. Never mind; just access the store in your browser by typing ftp://localhost:3000 in, the address bar. ‘The Juice Shop welcomes you with the message shown in Figure 2 and offers to help you directly If this is your frst time ‘working with the Juice Shop, you will definitely want to accept the offer by clicking Help getting started. The online store then reveals the first task that you need to solve, and you won't be able to solve it without prior knowledge: Find the hidden score board ~ whatever that is Before you start the search, a brief ‘warning: The following instructions are intended to make your first steps with the Juice Shop easier and are therefore inevitably going to be spol crs. Ifyou want to work things out for ‘yourself and do these steps on your ‘own, stop reading now and read the rest ofthis article when you're done, A Look Under the Hood ‘To get started, take a look around the store, You will notice that you need to register before you can order any products, but there is absolutely no reference to a score board. Ifyou get stuck in the interface, perhaps peek: ing behind the scenes and plumbing, the depths of the HTML code will help. One way to start poking around is to view the page source in your browser; if you have Firefox, just press Ctrl +U, COVER STORY Practicing Pen Testing SNH The splash page has surprisingly litle code, Once again, there is no trace ofa score board, On the other hand, the page ddoes integrate a number of JavaScript scripts. The scripts added in the upper patt of Cloudflare appear to be standard components, for example, the popular jQuery library. (You ‘would need to check whether all the components in this sec: tion are indeed standard.) But if you look at the scripts in the lower part they seem to be far more interesting. In fact, they Took as if they have been cobbled together explicitly for the Juice Shop. The name nain. js refers to the central script; it ‘might be worth taking a look there firs. Spruced Up Ifyou click on natn, js or open tin your browser, you wil see 2 fairly long and confusing string of characters The file has ob viously been stripped to remove spaces and line breaks ("min fled"), Fortunately, Firefox, Chrome and many other browsers can make the content himanly-readable In Firefox, cose the source code view and press F12 on the Juice Shop startpage to pen the developer console. Then switch to the Debugger tab. All the builtin scripts ae gathered there onthe left-hand side Click on mainjs and on the culy brackets ({}) atthe bottom, of the mide el. ‘As you slowly scroll through the code, you will discover humerous URLs. This is especially true from around line 3,750, where there are some interesting-sounding paths, such as /about or /login. I you append the URLS tothe web address ofthe store, you are taken to the matching sub pages. For example, localhost:2000/4/lgin takes you to the shop’s login page Sooner of later you wil stumble across a path labeled / scoreboard (as shown in Figure 3). That sounds pretty much like a bull's eye! By the way, instead of browsing the long Script, you could simply search for score using your browsers search function and check out the rests. Figure 2: When you first call up the Juice Shop, you'll see a message telling you about the security vulnerabilities and giving you an initial tip.COVER STORY MEEBE Practicing Pen Testing atthe store with the com: asa ; ‘mand from Listing 2 ‘The paths that Ditb will ry out are specified in the Damen onic big. txt file, which isin mal cluded with the tool and re- sides in the /usr/share/ dirb/woralists/ directory fon Debian and Kali Linus. Additional wordlists are also stored in this directory. =) Alternatively, you can add ™ £8) more paths to big. txt or Dirb logs every URL. that actually exists on the com from Figure S. As it ties out the URLs at a dizzying ‘ speed, the uice Shop will Figure 3: The main. js script’s source code contains a reference to the URL for the eventually crash due to score board you were told to look for. the excess load. To prevent this from happening, set Ifyou now enter the URL localhost:3000/#/score-board, you. the -z 1 parameter to enforce a short pause of 10ms after will arrive at the hidden subpage shown in Figure 4. The sub- each test page summarizes all the vulnerabilities the store has and lists Some meaningful tasks atthe same time. The number of ater. Side Effect isks indicates how dificult a solution isto find. The order in _Dirb presents several finds from the Juice Shop. For example, which you work through the asks is upto you, although it youl finda small video clip on htp/loealost:3000/ Video, would seem to make sense tostart with the easy prob- Listing 2: Dirb Attack lems with only one asterisk. I you get stuck with a task, you can temporarily switch to another or just stop working on the Juice Shop for a few days. find that [often think of differ ent approaches if I step back from the problem. If you still feel like you're at a dead end with no way out, you can always click on Hine inthe task box to view ‘one or more tips. 5 aro neep://ecaineat:2000/ /uer/shere/aie/worahiste/big.txt -2 20 Backdoors If the score board is accessi- ble via a hidden URL, maybe there are more hid: den URLs? Before you dive back into the source code of the page, you will want torun Dith. The tool tries out known vectors, such as fadmin or /login. Leave the score board open in the background and point Dirb Figure 4: The score board keeps track of your success. Some tasks can only be com- pleted if you have solved other tasks first.Teme a AO fas ecanast000/ fae/share/tehrmedistsnigtat 18 facanas:see/ ties (cota Sst 8730) cree Figure 5: Dirb searches for hidden URLs on web serv- ers. In the Juice Shop, the tool found what it was looking for several times. ‘The URLs Dirb discovers also include hetp://localhost:3000/ ‘metrics. This is where you will find numerous metrics from the Prometheus tool, which monitors the online store's per- formance in the background (Figure 6). This kind of critical internal data should never be made public, but in practice, quite a few web servers bandy these metrics about. By discovering hutp,//locathost:3000/metries, Dirb at the same time completed the Exposed Metres task on the score board. The score board helps you celebrate your success with a small shower of confetti. There was even a second celebration, because the soft ‘ware also dug up tp://locathost:3000/rest. Ifyou call it up, the online store delivers the wild message shown in Figure 7, which is not intended for the user's eyes. By calling up the URL, Dirb provoked the error in the © | Zomeeaep < Zonaiacesnp |loahoastonmens x) 4 V - @ x ‘web application and solved the Error Han- | «4 Gq 0 tna a - oe. tig task. Like with the metris, stack 3 fee ct ea ote of nat eno amet fe ‘races give attackers deep insights into the structure ofthe web application, Ser ia Easter Eggs Finally, hep locathos:3000/fp also looks interesting, and robots.txt also referencesit, The robots. xt text ile prohibits Google and other web craiers from accessing some paths or URLs this forbidden fruit could lad t lucrative targets for atackers, Inthe case of the Juice Shop, robots.txt asks search en ines to ignore ftp ~ a8 pen teste, this Js exactly where you would want to a point your browser. Ei http://locathost:3000/ftp gives users access toa directory on the server INUX-MAGAZINE.COM COVER STORY Practicing Pen Testing (Figure 8). Among other things, the directory contains the aquisitions.ag Markdown file, containing explosive informa- tion from the management about a planned takeover. The eastere. 9g file also catches the eye. However, the Juice shop refuses to download it, stating that only .xd and .pdf files can be downloaded. The question is how you can still grab the Easter egg. Hide and Seek You should be able to change the file name to eastere.gg.nd somehow. But changing the URL. will throw an error message. Fortunately, there is the null character, known as a null byte. Some programming languages interpret this special character as the end of a line. If you cleverly smuggle the null byte into the input, the program will cut off the rest of the line. Just insert a null byte in front of .nd. In a URL, the notation for the null byte is %00, which results in eastere.gg*@@.nd, The Juice Shop then allows the request to pass because the ending is still .xd. Under the hood, the system should truncate the string at the null byte, which means that the correct file eastere. ag is returned. ‘When I enter this URL, however, the result is sobering: Calling atp://localhost:3000/ ftp/eastere.gg %00.md again results in an error message. This problem is due to a nasty litle pitfall: The URL contains a percent sign that you also need to replace with the appropriate encoding: http://localhost:3000/ip/eastere.gg% 2500. ‘md. If you navigate to the adapted address in the browser, you will finally get the Easter egg, or at least half of it, Because you will only see a cryptic character string in the text file Humpty Dumpty ‘This encrypied message contains no umlauts or other special characters, You will see two equals signs atthe end, which is sus piciously reminiscent of BaseG4 coding [3]. A shell onetiner can find out whether the suspicion is confirmed: Use the command: echo "L241..." | baseés -d aca wren eae, Figure 6: Metrics can provide a treasure trove of information for attack- ers and pen testers.COVER STORY MBBBE Practicing Pen Testing | Zomsencasep 0 0 bate OWASP Juice Shop (Express 4.21.0) Figure 7: According to the stack trace, the Juice Shop is based on the outdated Node,js Express v4.21.0. As a pen tester, you could now exploit these Node,js vulnerabilities. to push the character string into a pipe and from there into the Base64 tool. ‘The parameter ~4 ensures that Base64 decodes the charac: ter string. The result still looks illegible, but slashes seem to divide individual words. You'll discover a pattern: Fist, gur and some other “syllables” appear several times. Further- more, the letters are not evenly distributed. For example, oc- curs particularly frequently. ‘The signs point to a Caesar cipher in which each letter has been replaced by another letter from the alphabet. Texts, ‘you get stuck. ciphered in this way can be decrypted using the ROT Converter (4] by Thomas Kin. In the text typed at the top, the second line (Rot I encrypted) swaps each letter for its direct neighbor in the alphabet. The second line swaps each letter with the next but one in the al- phabet and so on. If you copy the line from the Easter egg into the top field, you can read the decrypted text in the line Rot 13 en- crypted. The developers of the Juice Shop have obviously replaced each let- ter with the letter 13 places after it in the alphabet, using ROT13 eneryption [5]. The result contains a funny mes- sage and looks a bit like a URL be- cause of the slashes. You can probably guess what's coming: Append the de- cexypted text to http://locathost:3000 and call up the resulting address. Conclusion ‘The Juice Shop has over 100 tasks, so this, article barely scratches the surface. Solv- ng the remaining tas} hands. Do not hesitate to make use ofthe builtin help and tips if ‘The Juice Shop's developers oriented their work on the 10 most common security problems in web applications. ‘OWASP regularly summarizes these problems in the OWASP ‘Top 10 [6]. It is a good idea to read up on these classic errors, and then go through them in the Juice Shop. And if you don’t know what to do, itis worth taking a look at the ap- Btangrecoy itp x e200 ~ittp Gameeme coupon, 201 tak + © D tecaoses000i» sercocemen ere pctage on Figure 8: The J directory containing some explosive documents. Shop's misconfigured web server allows access to a pendix of the book Pwning OWASP Juice Shop, which is available online (7). mam Info [1] OWASP Juice Shop: https:/owasp. org/mw-project-juice-shop/ (2) Keli Linux: https:/wmwuckall org/ [3] Baso64 ntps:/en.wikipedia.org/wiki/Base6s [4] ROT Converter: hrtps:/wwnw. thomas-kuehn.de/geocaching/rot php (5) ROTI: ‘ntps:/en.wikipedia.org/wikiROT13 [6] OWASP Top 10: https:/owasp.ora/ wunwrproject-top-ten/ 171 Kimminich, Bjéen. Pwning OWASP Juice Shop: htips:/pwning. ‘owasp-juice.shopycompanion-guide/ latestindex html ‘Author Tim Schirmann isa freelance computer Scientist and author. Besides books, Tim has published various articles in magazines and on websites,ADMIN is your source for technical solutions Phil to real-world problems. ae PETA Improve your admin skills with practical articles on: Security Cloud computing e DevOps HPC Storage and more! shop.linuxnewmedia.com/shop ¥¢ @adiin-magezinecom @ ADMIN magazine @ @adminmag reer CHECK OUT OUR FULL CATALOG: SHOP.LINUXNEWMEDIA.COMSome distros are more political than technical. EU OS attempts to break free of Active Directory and Microsoft Windows and keep distro maintenance close to home. 8) inux distributions are created for many reasons. Some are devel ‘oped out ofa preference for a par ticular application or desktop en- vironment; others are created for specific tasks such musie composition, graphic arts, education, or security and privacy Sill others are intended for Windows compatibility or aimed at beginners Some are frankly experimental or de signed for do-it-yourselfers, ‘The recent publicity about EU OS isa reminder of a more rarely seen distribu tion: what might be called the policy dis- tro, whose goal isto standardize the IT structure of a government and its depart ‘ments (Figure 1). The idea dates back to Author Bruce Byfield is a computer journalist and a freelance writer and editor specializing In ree and open source software. In addition to his writing projects, heals teaches live and e-learning courses. n his retime, Bruce writes about Northwest Coast ait (httev/brucebyfield. wordpress. com), He is also.co-founder of Prentice Pieces, a blog about writing and fantasy at tps: /prenticepieces.comy. the earliest days of Linux, when free software was often touted as a means of bridging the digital divide between the technological democracies of North America rope and ind developing nations. but it has usually received spotty atte: tion at best, partly because itis more of political than technical concern, but ‘mostly because the success of policy distros has often been limited, EU OS is a community-Ied project that hopes to eventually be adopted by the European Union (EU). Although far from the first attempt at a policy distribution, EU 08 describes itself as a “proof of con- cept.” The challenge lies in proving “that ‘an admin team ean manage users and their data, software and devices with or without Active Directory and without Microsoft Windows within a migration period of rather two years than 20 years” {1}. The time frame is apparently a reference to LiMux, the on-again, off- ‘again attempt to switch the city of Mu. nich to free software that began in 2004, EU OS's goal is to produce a co herent policy for the adaptation of free software that will be accepted by Code Europa EU [2], the code development platform for open source projects shared by the EU institutions. The project also adds, without any detail, touch with the public administration on ind EU level” (1) EU 0S plans to produce an immutable distribution that uses bootable container technology and runs the Plasma desktop ‘on Fedora, The choice of distribution comes from project founder Robert Rie- ‘member state ‘mann’s personal experience with various distributions. These details have tended tobe emphasized in media coverage, Figure 1: EU OS: A proof of concept in search of a distribution.because that is what the audience is pre- sumably interested in, but EU OS is not intended as merely another distribution among hundreds. Rather, BU OS wants to produce a distribution that, if neces- sary, ean be maintained entirely within Europe. A major concern will be ‘whether common Linux technologies such as the kernel or Wayland might face export limitations - a newly rele- vant possibility due to the current tariff ‘wars initiated by the United States gov- ferment, To date, much of EU OS's ac: tivities seem to have centered on consul- tation about such issues, which until recently have tended to be ignored, The project has also made a study of previ ‘ous policy distros and is developing a ‘model of how EU OS's core components ‘ight interact with local requirements and variations. At least at this stage, such concerns seem to have a higher pri- ority than the technology itself. A page of functional requirements exists, but EU OS is obviously still in development. Other Policy Distros Poligy datos have existed for several decades, but they have met with mixed. success, Typically they begin with the desire to replace the we of Windows in atonal or lea governments, often in developing countries that can l-afford Tcensng fees, although local govern, rents also show a strong interest in mi gating to re software, especialy sot Ware developed locally in order to avoid import problems. As well, national pride may playa role. Notable examples include + Bharat Operating Sytem Soltions (BOSS) Linux: India’s recent effort to. eliminate the digital divide an en- Courage the us of Linux + Asta Linux: Originally developed for the Rassan army, Astra Linux has since expanded fo become a eplace- rent for Windows in Rossian states and in nuclear power plants + Kylin: Developed for use by the Chi- neve government and military, Ubunta yn sits offical successor + Nova Linux: Cuba's attempt to replace Windows is inspired pany by ‘deology and partly in response tothe Us embargo on trade with Cuba and the concern that the US government ‘may have back doors in Windows Notably, civic efforts to migrate to free software also exist in Europe. The best known of these isthe aforementioned LiMux. Started in 2004 by the city of Munich, the projeet was roughly four- fifths complete by 2012. However, prior- ities have since shifted back and forth ‘with changes in municipal government, often reduced to resolutions to use free software where possible. As of 2024, the city couneil has returned to the original pla. ‘In addition to LiMux, EU OS notes over a dozen other local migration at- tempts, including the French National Gendarmerie’s GendBuntu, which is considered a major success story with over 82,000 computers, and the Swiss Federal Court, one ofthe earliest migrations and considered a modest success. Other migrations have also ‘oceurred in European schools and universities. EU 0S takes full advantage of these previous examples, with its development ‘webpage being as concemed with policy as technology. Creating an Ecosystem Such predecessors and the obvious fact that we live in a Microsoftdominated ‘world make the challenges faced by pol- Jey distributions obvious. To add polities to technology adds a new level of com- plexity that few free software advocates are equipped to handle. A change of government, for example, can delay or derail years of work. Similarly, a migea- tion may seem pointless to those unta- niliar with free software and often re uires additional training. Moreover, while a standard array of software may seem natural to long-time Windows users, such a poliey may not guarantee the best selection of software. For in- stance, the choice of Felora may be popular, but a base distribution of Rocky Linux, AlmaLinux, or, better yet, Debian might well be a better choice for secu- rity for national or civic computing REVIEW Distro Walk - Policy Distros (NU Even more importantly, as Marco Fio- ‘ett points out on FOSS Force [3], efforts such as EU OS seem to ignore the fact that most modern computing is done on phones rather than servers, worksta- tions, or laptops. Fioretti makes some practical suggestions about infrastruc ture that apply to all policy distributions. Fioretti’s suggestions focus on the pri- vacy and security required for govern ment use, as well as ease of use, including: * "Mandatory courses of REAL digital literacy” ~ this literacy should empha- size practical use of software, not coding + *Flat-out prohibition of storing or ex: changing documents in proprietary file formats in any public archive of any public institution” ‘An Android alternative that is easy and safe for the average user to install and that all civil servants must use for work-related tasks “Mandatory adoption of Nextcloud for every public cloud service” ‘An open source, multiplatform, instant ‘messaging system that can handle ‘multiple accounts in contrast to exist ing standard apps such as WhatsApp, Signal, and Telegram “Search engines that just work,” such as DuckDuckGo ‘A European version of Android to avoid vendor-lock-in and control If] understand Fioretti's comments correctly, his suggestion is that policy distributions need to be held to higher standards of usability and security than the average systems for home and business use. It's advice that policy distributions would do well to con sider. In the process, all computing ‘would benefit. aan Info [1] EUOS FAG: htips:/euos.eustag [2] Code Europa EU: ‘tps: /code.europa.ewinfo [3] “The Last Thing the EU Needs Is Its ‘Own Linux Distro” by Marco Fioratt FOSS Force, April 8, 2025, https:// fosstorce.com/2025/04/the:lastthing- the-eu-noods-ists-own-linux-distrof Ubuntu’s ambitious dream of convergence is alive and well in the now-independent Lomiri desktop. sy 1 2010, Canonical, the company be hind the Ubuntu project, an: nounced an innovative new desktop system that they dubbed the Unity desktop. Unity was built to reflect Ca rnonieal’s vision of convergence, which, ‘was a belief that conventional computer systems were converging with mobile devices, and a single interface that pro: vided a similar look and feel on comput: ers, phones, and tablets would lead to ‘more seamless operations. Unity was the default desktop on Ubuntu through ‘Ubuntu 17.10, but the system never re ally caught on. Android and iOS consoli ddated their hold over the mobile phone space, leaving litte room for an alterna tive, Unity aso raised some controversy with Linux users for its shopping lens feature, which collected information from users based on search results In the end, Unity just wasn't popular ‘enough to continue the considerable ex pense of developing and maintaining i, and Canonical stepped away, returning to the Gnome desktop with Ubuntu 18.04. “Many Linux users believe that was the end of Unity but in fact, the Unity des top lives on. A group called Unity? con- tinued development of the Unity 7 desk {op and released a new version in 2022, although the project website does not ap- pear to have had much activity since that Unity 7.7 release [1] The former Unity 8 desktop, however, is still in active development. A non- profit foundation called UBports contin ues fo maintain the Unity 8 codebase, al though the name of the desktop was changed to Lomiti in 2020 [2]. The change occurred for several reasons. For ‘ne thing, the developers wanted to Avoid confusion with the Unity 3D game engine, but the new name also under- scores the new status of the desktop asa project separate from Canonical (Gee the box entitled "Why did Ca- nonical Leave Unity?") The UBports foundation is focused on supporting and promoting UBports {often called Ubuntu Touch) - a mobile ‘operating system based on Ubuntu and Lomiri, The Lomiri desktop environment and UBports software are available under open source licenses, Lomiri originally relied on Canonical’s Mir display server, which now supports ‘Wayland, The interface is built using the (Qt modeling language, which is straight- forward and much easier to develop than Java ~ the default programming lan- jguage in Android Getting Started with Lomi You have several options for exploring Lomiti on supported hardware, including © Ubunti Lomi is an Ubunt flavor with Lomi butt in. Downtoad the 150 from the Ubuntu Unity website 4] and install as you would with any other Ubuntu syste: Write the image toalash drive and setup UEFIt0 boot from it. The easiest way to try Lo the Live image and instal if you like + Ubuntu Touch - Buy a supported mo bile device (5} and make sure you have the correct version of Android Why Did Canonical Leave Unity? Some of the reasons why Canonical lett Unity include + Bad financial situation ~ switching to Gnome is cheaper than developing a whole desktop environment. + Code syne Canonical forked some Gnome applications and modified them, so code syne with upstream was complicated + Failure of the $32,000,000 crowatunding campaign ~ the Ubuntu Edge smartphone [3] was not ready to ‘compete with Android and iOS flag ships. nbitiousinstalled. Use the UBports Installer [6] which provides step-by-step instruc tions for each device. '* postmarketOS - access postmarketOs through the Lomiri(7] wiki page. * Debian for Sid (unstable Debian version), but currently no instructions are available [8]. ‘Alpine - the packages are at the Al- the packages are available pine website [9 ‘* NixOS - add the following lines to Jetc/nixas/contigurat ion. nix: services. deaxtoptanager.2 Then run sudo nixos-rebuild switch. ‘Whatever your starting point, once the system is successfully installed, you'll ‘boot to the Lomiri desktop. Lomiri Desktop Your first look at the Lomiri desktop will seem familiar if you used an Ubuntu system back in the 2010-2017 Unity era. Figure 1 shows the Search and File Manager preview. The search tool is a unique and powerful applica tion created for Unity and tuned by the Lomiri developers. You can search files, applications, vide photos all at once. You recently opened files and applications. In fac by date, category, type, and the time of the last change, The search feature is fast and useful, and it is one of the best applications in Lomiri. The de. fault file manager is Nemo, a fork of Nautilus. If you've ever used Ubuntu, you know how it looks and feels. ‘The System Preferences app (Fig. ure 2) is very similar to Gnome System music, and ‘an also search the search tool can filter results Preferences, with different icons and minimal modifications, The Unity ‘Tweak tool is more interesting, The Tweak tool offers several options for configuring the Lomiri launcher, search, panel, of switcher, The launcher auto- hide feature is useful and can save a lot change the launcher's transparency level. The panel, with the classic File, Edit, View. menu, also provides an auto-hide op: of time. You can also easily tion with eustom timeout. 1 almost forgot to tell about Lomii’s Heads Up Display (HUD) feature. The HUD is a control panel you ean access ‘through a hotkey that lets you search for top-level menu items from the keyboard without having to reach for the mouse, ‘The default global menu hotkey is AIL+F10; you can change it with one click ifneeded. “The window manager settings are def nitely more rich than in Gnome and allow the user to set different animations for many events in a number of available workspaces. The auto-rise option puts the focus on applications where an up- date has occurred in the user interface. For instanee, ifa chat message is re- ceived, the application that received, the ‘message will automatically receive focus to get the user's attention, The window snapping feature is very close to its analogues in the tiling win- dow managers. The cursor position trig- gers actions such as: * top center ~ maximize window Figure 2: System Preferences on the left and the Tweak Tool on the right. Lomiri * Jeft top, middle, bottom - resize to the left part of the display * right bottom, middle, top the right part ofthe display Hot comers are always a very useful op. tion: Move the cursor to the display pos tion and an action is triggered. Gnome has a similar option, but Lomiti provides a much more powerful setup with eight hot comers: top-left, middle, and right; at bottom, three comers on the same po and two on the middle display, left and right. The possible actions are: Toggle Desktop, Show Workspaces, Spread Windows, Spread All Windows. So instead of memorizing a lot of hot keys, you can use hot corners for win- sitions dow and workspace management. ‘The Lomiri display has some other in teresting features that deserve attention: * Very fast and convenient dark/white theme switching: You ean also change accent colors, although there are only a few colors available by default: Bark, Blue, Magenta,Lomiri Figure 3: The mobile version of Lomiri on Ubuntu Touch. Olive, Prussian Green, Purple, Red. Sage, Viridian ‘Notifications: There's no option to hide notifications for a single applica tion in desktop Lomir, but this option is available in the mobile version. ‘© Character map: The character map is very good when you need to enter a non-usual character. Figure 4: Morph Browser on right and File Manager on left. 32 Global Menu ‘The classic application menu often in cludes the options Fite, Edt, Selection, Find, and more. A global menu means that all of these options are cut from the application window and moved to the top of the display. The global menu was disabled at some point in GNOME, and the move proved controversial. On Lo- miri you can relax: The global menu is, solid and stable, just like in macOs, There's nothing difficult about enabling the global menu: Focus on the applica: tion menu, then move the cursor to the top panel, and it will appear. Lomiri Mobile The whole purpose of Unity is to support convergence between desktop and mo- bile systems. The mobile version of Lo- ‘iri (Figure 3) is optimized for touch screens and Is quite fast and responsive. ‘The interface (Figure 4) feels much faster compared to Android on the same doviee The Morph browser is pre-installed as the default browser. Firefox isn't avail able on Open Store (10), the local Google Play alternative, but an unofficial port is (on Gitftub [11]. The mobile version of the browser is very different from the desktop version and well optimized for touch screens, The Settings tool is similar tothe Apple 40 equivalent and a bit plain (Figure 5) ‘Advanced system tuning is available through the UT Tweak Tool [12]. The cal: endar supports remote server synchroni- zation using the CalDAV protocol Conclusion The Unity8 community has done a great job of keeping Lomiri afloat and improv- ing it. Lomiri works well, has a respon. sive interface, and is easy on system Unity was created for convergence and Lomiri has maintained these principles, with the same shell for desktop, mobile, or tablet. Gestures support is good, al lowing you to quickly navigate between ‘windows and launcher. Mobile Lomi looks very impressive and allows the user to perform common, tasks on smartphones running Linux. The interface is generally faster than Android and brings mote freedom to mobile de- vices, Features include: «call records, Figure 5: Calendar and System Settings. ‘application backups, ‘root access and SSH out of the box, ‘* OwnCloud/Nextcloud support, and ‘much more Lomiri is well worth exploring. Enjoy it! a Info [M1 Unity 7.7: thetps:unitye.org [21 Lomi: hetps [a1 Ubuntu Edge: 1ps/fen. wikipedia.org Edge [4)_Ubuntu Unity: hetps y. 01g) IS] Ubuntu Touch Supported Devices: Itpsi/devices. ubuntu-towch ia) {6} UBports Installer: 71 postmarket0: https:/wik postmarketos.org/wiki/Lomi [8] Lomi in Debian: tpsy/packages dobian.org/sic/lom) {8} Lomiriin Alpine: Atps:/pkgs. fedgonesting [1010pen Store: httpsijopen-store.io [111 Unofficial Firefox Port: htps:faitab, comidebelick/uFirefox [12] UT Tweak Too: hit ‘Author Paul Nixer has been a Linux user and FOSS advocate since the late ‘00s. He is passionate about privacy, security, net works, and community-driven develop- ‘ment. Find Paul on Mastodon at; http: @pauinixer.eee ws The © GNOME Conference UADEC Brescia, Italy July 24-29, 2025 GUADEC is GNOME’s main annual event. Held since 2000, it brings together Free Software enthusiasts and professionals from all over the world. Join us at GUADEC 2025, in Brescia or online, to hear about the latest technical developments, attend talks, participate in workshops, and celebrate GNOME! Learn More GUADEC.ORGon Keay rN se enc raditional shells operate on unstructured uiting britle parsing, Nushell replaces that with struc tured data pipelines, enabling consistent, reliable com: | often re- mands that treat output as, lists. Nushell (often called Nu) is a modem shell designed for working with structured data, builtin Ru: Unix’s pipeline philosophy. Unlike traditional shells that pass structured data (tables, re- cords, lists) allowing you to filter, sort, and query information pe tables, records, and and inspired by text streams, Nushell pipelines pa: without tedious string parsing. This makes Nu especially pow. erful for developers and system administrators who frequently work with ISON, YAML, CSV, and other data formats. Installation and Configuration on Ubuntu Nushell ean be installed on Ubuntu in multiple ways (Apt re- pository, Snap, oF building from source). Here I will focus on the Apt repository method, which is straightforward and keeps Nushell up to date via apt. Alternatively, You can use Shap oF Homebrew [1]. ‘To install Nushell securely on Ubuntu using the official Apt repository, start by adding the GPG key that ensures the pack ages" authenticity. This key is required by the Apt system to verify that downloaded packages come from a trusted source. curt ~fest netpa//apt-tary.to/ na/ene-ney | 2 Next, add the Nushell repository to your system’s Apt sources list sdb tt: //ant fury. io/msbeli/ /* | 2 34 Nushell’s data-first approach elevates shell scripting to a new level of clarity and precision. This enables your package manager to locate and retrieve Nushell packages from the designated remote repository. Once the repository is configured, update your local package cache so that Apt becomes aware of the newly added Nushell source and can fetch package metadata: Finally, install Nushell using the standard apt installation command: ‘This pulls the Nushell binary and all its dependencies from the repository and installs them on your system (Figute 1). Basic Configuration Once Nushel is installed, you" likely want to configure it to suit your environment. Nushell’s configuration is typically done in two files (Figure 2 located in your config directory (sualy«/.config/musnel/ on Ubunta systems) 9. The main configaration scrip that rons at startup forinteractve Nushell sessions (simular to Bass bash) Here you can set Nushellpecfic options, aliases, prompt (and exported to commana run from Nashel). This is akin to an environment profi Structured Data Proces: One of Nushell’s| structured data natively in the shell. Traditional shells treat 9 iandout features is its ability to handleNushell all command output as text 0 STAGE ECEREMMMMM Covi ite creates at’ /none/nancin/ coneig/nushelt/eon tools such as grep, auk, oF 9 Nushell commands, by con: trast, return tables, records, PES OG sce and lists ~ rich data types that n youcan filer and manipulate ah eta with ease Filesystem Data as Tables segrmareat yy The 1s command in Nushell eer returns a table of files with columns such as name, type, size, and modified time- The welcome screen confirms that the environment and config files stamp, rather than a simple were initialized. text listing, This means you ‘can query it directly. For example, you can list directories in the current folder sorted by last modified time (as shown in Figure 3) with Peasy mee ees re CRC eee eects System Information as ee nee erry Structured Data perro Commands such as ps (process list) and sys (system info) are built into Nushell and return structured data as well. For instance, ps gives you a table ae of running processes (with columns for PID, name, CPU, memory, ete.). You could find the top memory-consuming process (see Figure 4) with fie ee Opening and Parsing Structured Files Nushell’ open command is way to bring data from files (or URLs) co powerful into Nushell’s pipeline. Itauto-detects (ONE Ce Ome One filetypes including JSON, CSV, TOML, oer one ora et YAML, XML, Excel, SQLite, and more The config.nu and env.nu files are created automatically on cords first launch, [2]. For example, the table in Figure $ is generated with and parses them into tables or ri Working with Pipeline Data Once you have data in a Nushell pipe line (whether from an internal com mand’s output that you parse), you The 15 command filters and sorts only directories by their last modified time, displaying the results in a structured table with color- coded columns for clarity. use a rich set of commands to manipu late itNushell displays the process using the most memory (in this case, dockerd) with detailed metrics in a structured table format. eer) eens ay-Funetioi Nushell opens and visualizes the stack. yan! fi as provider, gateway URL, and function configuration. sare Join Overall, working with structured data in Nushell means you can teat your shell like a lightweight data processing engine. This is a huge productivity boost when dealing with JSON APIs, logfiles, CSV exports, and other types of data, during administration or development tasks, Using Nushell for Sys Admin Tasks Nushell’s capabilities aren't limited to parsing data; they ex Nushell’s structured pipeline, tasks that involve gathering, Monitoring Processes and Resources As shown eal live view of processes. A rps gives a sys admin can easily build ‘one-liners to find problem atic processes, For example, table, making it easy to inspect OpenFaaS deployment details such era) File and Directory Management Nushell can of course run standard file file) jus lke Bach. It either uses builin mands in Nushellas you would nor mally combining these with structured queries, For example, to remove all les larger than 100M ina directory (be care with this), use The advantage comes when 1s | vere aize > 100m | get mane | 2 a minor sch ( [41m 36 This lists files inthe current directory. filters to those with a size greater than, 100MB, and then extracts the name and runs thera command on each file. Ina traditional shell, finding and deleting large files might involve parsing du or ind ourput. le as anested Logfile Analysis system administrators often need to sift through logfiles. With Nushell, you can treat logs as data sources, While logs are plaintext, you can use Nushell’s parsing commands to struc ture them. For example if you have an NGINX might use = (fasts) (28}] \"{metnoa} fart) wrTe/(+#}\" 2 cus} fhytes}" | where eeatur Performance Optimization Tips Despite all its features, Nushell is designed tobe performant, leveraging Rust’s speed and safety. However, working with aes eer) Sleeping es esteem pe | were nam > t0nb | 2 filters the process list 10 anything using over 10MB of memory and sorts the result by memory usa (Figure 6) roe ee Using ps to find proc w & ce) ee cats Running Sees) 7 esses consuming more than 10MB of memory.structured data can introduce overhead compared to plain-text streams and certain usage patterns can be optimized. Parallelism for Heavy Workloads ‘Nushell has experimental support for parallel execution in pipelines. Specifically, it provides parallel versions of some ‘commands, such as par-each, which runs the body for each clement in alist concurrently across multiple threads (3). If you have a pipeline where each item can be processed inde- pendently (e.g, processing a list of files, pinging multiple servers, etc), consider using par-each instead of each. When used appropriately, parallelism can significantly improve performance on multicore systems for large tasks. Memory Considerations Because Nushell holds structured data in memory, be mindful of extremely large data. Ifyou ty 0 open giant.)son that’, say, O0MB, Nushell will eed to Toad and represent that strue- ture in memory that could be a few times large. Tn scenarios ‘where memory i a eoncern, eonsider processing data in chunks (i possible) or using streaming tools in combination With Nushell. For instance, you could pipe data through 3@ 0 pre-fiter lange JSON files before Nushell ingests it or use ta) style streaming for logs and have Nushel process incrementally Always test with smaller samples and monitor resource usage Concurrency and Background Tasks Nushell can also run commands in the background (there's an & operator for background tasks and a way to check on these tasks (4). Offloading long-running tasks to the background can keep your shell ree for other work. However, as of writing, background task management in Nushellis basic, 30 heavy Parallel background jobs might be better handled by external orchestratrs or using par-each In general, Nushell’s performance for everyday tasks (listing directories, parsing moderate ISON, etc.) i very good. When IN-DEPTH Nushell [50m remember it's essentially a small data engine ~ use the tools it provides (like parallel commands or the dataframe plugin) to help Nushell out. And don’t hesitate to combine Nushell with other optimized tools for specific step if needed (eg. use 9, riparep, for superfast text searching if a plain-text search is ‘hat you need, and then feed results into Nushell). The goal is to.se Nushell where it adds value and nat force it into seenarios itisn't optimized for Conclusion ‘Nushell is still evolving and its community is active (you can check Nushell’s GitHub page [5] forthe latest plugins and tips). Nushell’s professional yet accessible approach means it, ‘ean be adopted gradually ~ you might start by using it interac- tively for data inquiries and eventually incorporate it into your automation scripts once you trust its capabilities. With struc- ‘ured output, you will likely find that many tasks that used to require a mash-up of shell tools and scripting can now be done ina single Nushell pipeline resulting in clearer and more maintainable command-line workflows. mam Info [1 Instating with Homebrew: bttps:/imwa.nushellsh/bookiinstallation. html [21 Opening files: htips:/amw.nushellshybooK/oading. data.him! [31 Parallelism: https:/www.nushel.sh/book/paralllism.htrn! [4] Background jobs: /tps:/wwww.nushellsh/book?background jobs.htm! [5] Nushell GitHub page: htipsy/github.comynushel/nushell Author Marcin Gastol is a Microsoft MVP, Microsoft Certified Trainer, and conference speaker. He works as a Senior DevOps Engineer and has extensive experience in Azure technologies. Visit his blog at https:/marcingastol.cony.Ptcpdump cesses along wi Warde This trusty troubleshooting tool can tra NUNS chi WAN k The legacy Tepdump is a tool no admin would want to do without, but it is a bit long in the tooth. The eBPF-based Ptcpdump aims to counter this worry. The rewrite offers extensive CLI compatibility and can even display process information. sy MrtinL. icpdump [1] is a popular tool for capturing network traffic. Most admins are aware that they ean use Tepdump to save a record of network traffic in the Peap format [2], then analyze and visualize the traffic using a protocol analysis tool such as Wireshark. In-depth troubleshooting with Tepdump is often the last resort when you have exhausted all other op: tions and you still can’t open a network connection (Figure 1), On the downside, many users are an- rnoyed by the fact that Tepdump can't ‘map network traffic to specific pro cesses. In other words, Tepdump cannot tell you which program the logged pack ets belong to. As a workaround, programs ‘ean sometimes be identified on the basis of IP addresses and their in-and out bound ports. ‘The reason why Tepdump can't assign network traffic to individual programs is, because it first switches network inter 38 see al incoming packets, By doing this, curity funetions that the Linux kernel actually it works around some of th dictates before you can sniff network connections; however, at the network level, Linux itself does not offer a way 10 correlate programs and traffic. Also, Tep dump does not offer the option to group and output the information on the sys tem; you cannot simply tell the program to read packets from certain programs and ignore the rest. When Tepdump was created, the Linux kernel did not offer anywhere near Theo- retially, it should be possible to modify the present level of functionality and provide the required functions for roe this work thus far. Luckily, today’s Linux systems support VM environment called the Extended Berkeley Packet Filter (eBPF) that can Joad and execute any software from us- cerspace. Programs that rely on eBPF on Linux have complete access to the entire tracking, but no one has done kernel space, provided the administrator sets things up accordingly. You can use eBPF to create compre hensive firewall implementations in the kernel that do not rely on the less-than popular Netfilter. However, eBPF does not actually have to manipulate the net ‘work traffic in the kernel; instead, it ean restrict its activity to logging, Developers vere able to create a Tepdump alterna: tive called Ptepdump that's based on eBPF technology and is capable of seeing all the data traffic while still getting ac. cess to the kernel’s PID tables. Ptcpdump Pepdump (Figure 2) « amin kernal YM that spec the wali of individual processes The ool isnot particularly well known, if you seareh for Prepdump on the Inter net, oul find the Gib directory (3 belonging o Huang Huan, the tool's centially acts as identify and in. and released! under the MIT license. Its