Author: Max Andersen

Most people use CLI to connect to TryHackMe, but I believe it should be run through NetworkManager if you have it:

Connecting via GUI/NetworkManager will give you this end result:

So, if you think this could be interesting, please download your configuration file from TryHackMe and import it with NetworkManager:

Left click on NetworkManager icon and select VPN Connections and Add a VPN connection:

Choose the last option “import….”

and select the TryHackMe .ovpn file.

Some ciphers fail to be imported so these ciphers manually needs to be put in the nmconnection file:

file: /etc/NetworkManager/system-connections/KrigDK.nmconnection

Insert the following into the file [vpn] section:

[vpn]
cipher=AES-256-CBC
data-ciphers=AES-256-CBC:AES-128-GCM:CHACHA20-POLY1305:AES-256-GCM

so it looks like this:

restart NetworkManager

and you can now start your vpn in your Kali VM

voila:

Update: This means that all traffic is automatically routed inside TryHackMe’s network and they do not allow internet access, so please deselect this under ‘routes’ in the NetworkManager app to get internet access while on TryHackMe platform.

Then you can still connect to the internet and TryHackMe’s website.

enjoy.

While it requires a certain amount of risk acceptance, due to the fact you install software in Dom0, it might be healthier for you if you calm the blue light on your computer screen.

A great guide has been posted at the QubesOS forum: https://forum.qubes-os.org/t/blue-light-filter-in-xfce-redshift/540/4

Why evaluate yet another password manager, when so many exists and what are my requirements for a decent one?

First:

• My password manager must be locally accessible

Why:

• I don’t want to input my “Master” password to all my passwords directly on a frontend on the internet (That includes API’s, etc.) Frontends get compromised all the time and with E2E encryption, the actual decryption is on the frontend. That means that I would never trust a SaaS password manager solution. Risk acceptance declined (Accepting the risk!)

Next:

• My password manager database must be synced across devices (minimum desktop/laptop + phone).

Why:

• Because syncing is needed if I use more than one device (and most of us do!) and the synchronization is only performed on encrypted file, so no cloud provider can read it in clear text. And yes, my iPhone is in Lockdown mode, always, hopefully helping my device to be more protected than if not.

and finally:

• My password manager needs a web browser plugin

Why:

• I might have one database for low-risk passwords accessible via browser-plugin, and another high-risk passwords only in airgapped VM., depending on risk acceptance.

So with that out of the way, let us test Enpass to see what solution is up to par. It actually seems like this password manager is the only one meeting my requirements(?):

Installing Enpass

My taste in installation on Linux is using either the distribution’s own repositories(RedHat) or if you trust the supplier of the software more, their repositories(Enpass). If you fear supply chain attack, you might want to install a package and not update it, if you trust the source code and needs to review it, continuously. For me, the application needs to get updated when I update my other packages using an update app or via dnf update og apt update.

I even prefer updating before official releases, when related to security (Link to Risk analysis on KeePassXC):

Add the repositories, install wget and the application using the instructions on the link above:

The above installation creates the executable in /opt/enpass/Enpass which is so correct it is not always included in path, so might only work when directly addressed or a symlink is created.

https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/

Start the app and select “Folder Sync” and select your Dropbox Folder, that is already being synced. If you want your password manager to sync itself, feel free to insert a dropbox account as per below “Dropbox” or any other file syncing service:

Set your master password, press continue and retype:

Confirm your Master password:

Then you get the possibility to install browser extensions, so press the install button, if you trust it to be safe.

This might have implications beyond my knowledge and if you are hit by a 0-day in your browser, the password database might be compromised by a browser plugin, I suspect. So evaluate your risk acceptance again. Remember: you can always copy / paste with clipboard between VM’s anyway(if you are using QubesOS with airgapped Password Manager VM):

And click “Get it” to install the extension:

Click “Continue to installation”:

Click “Add” if you trust Enpass with your browser data:

And your password manager plugin was added. Click Okay.

Then set Enpass as the default password manager or do it yourself. Choose deny or allow to your preference.

A great way to avoid re-using compromised passwords, even if not used by you, but by others, thereby also being used in password spraying attacks, etc. enable the “Check Compromised Passwords”:

Activate it using your email:

And type in the code sent to your email:

Conclusion:

It clicks my 3 boxes, so I might switch from my “KeePassXC / KeePassium” setup to this software if I trust the company over time.

Sometimes you can buy a license with a great discount for the first year. “International Womens Day”, had a 66% discount, so you might wanna wait to purchase at the right time.

high-risk passwords should be in an airgapped database.

low-risk passwords should be installed as shown above in a user-friendly database, syncing all passwords in cloud and avoiding direct master password input at cloud provider.

Enpass is an indian company and my year long experience with Password Manager Pro from ManageEngine, I would not trust the code quality to be top-notch regarding security (issues have been found and I bet there are hundreds more…. Link). But do a quick risk assessment on your setup. Your phone and desktop needs adequate protection. Can’t blame it on Enpass if you have easy access to your phone from evil APT’s. And Enpass might be quality code now…. ;).

There is a lot of risks related to a webpage and some of them might be high and others low, but knowing them and addressing them according to your risk acceptance, can be a good idea for both personal and commercial use.

• Register domain with hidden PII [punktum.dk or hosting provider]
• Enable MFA via Mit-ID on domain [punktum.dk]
• Enable MFA at hosting provider admin panel [eg. simply.com]
• Enforce DMARC, SPF and DKIM on domain to protect email.
• Enable DNSSEC on domain
• Disable SSH, etc. if possible or create very long passwords (40+).
• MFA on CMS login [eg. WordPress site using authy]
• Remove all plugins not used
• Remove all themes not used
• Register WPScan API and scan for known vulnerabilities. [WPScan]
• Security scan the site on sitecheck.sucuri.net [Sucuri Sitecheck]
• Install WordFence plugin and register as minimum, the free license [WordFence]
• Set WordPress plugins and themes to autoupdate
• Setup continuous website monitoring on shodan.io [Shodan.io]
• Create your security.txt file [securitytxt.org]
• Test website configuration and mail [SikkerPåNettet.dk] (Ignore ridiculous IPv6 errors]

The above are the things I came up with, when registering a new personal domain and website. The more important/commercial the website is, consider DDoS protection, WAF, etc. provided by CloudFlare, Imperva or others.

If selfhosting, Install EDR on the servers use CIS Benchmarks and SELinux, rotate DKIM keys, periodically, etc.)

Enjoy !

When readjusting everything from font size 12 to 10, one type of applications just ignore this. And that is the Qt applications.

So, when starting KeePassXC, font looked quite large compared to everything else, so I had to readjust in the VM used.

example of how it looks before change:

Starting the program to make the changes:

[user@personal ~]$ qt5c

Change the font to 10 and resize your app.

It looks quite the same, when having the same width, but if you compare the font in the title, you can see the difference.

Just wanted to play ThreatGen Red vs Blue and figured I’d update my template, so here goes:

In dom0:

sudo qvm-template install debian-12

In Qube Manager clone the debian-12 to a “debian-12-Steam” template and give it plenty of storage and memory:

Initial memory 4000MB
Max Memory 16000MB
System storage max size: 50GB (depending on what games you play)

Install steam in this qubes following the guide here: /https://itslinuxfoss.com/install-steam-debian-12/

Start steam for the first time in the template to finish the install.

Create AppVM Qube with enough memory and disk also:

Then run steam and the background is completely white and you have to move the mouse up in the left corner of the white area and select settings:

Then move down and select “interface” and deselect everything regarding graphics acceleration:

That’s it. Install ThreatGen :

If you want to install the game in the template, don’t install it here, but there 🙂

Enjoy

Open a prompt and type

xfwm4 –replace

If your display is configured @ 3840 x 2160, then you might not be satisfied with the lack of 1.5 million pixels on the screen or the occasional blinking /blacking of the screen

Go to Dom0 and write:

If you are using HDMI-1 instead of DP-1 us that. Check with following command

xrandr <enter>