kasperskylab / tinycheck

TinyCheck allows you to easily capture network communications from a smartphone or any device that can be associated with a Wi-Fi access point, in order to quickly analyze them. This can be used to check whether any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs). To make it work, you need a computer with a Debian-like operating system and two Wi-Fi interfaces. The best choice is to use a Raspberry Pi (2+), a Wi-Fi dongle and a small touch screen. This tiny configuration (for less than $50) allows you to tap any Wi-Fi device, anywhere.

License: Apache License 2.0

Python 49.39% JavaScript 1.16% HTML 0.17% Vue 27.14% CSS 15.89% Shell 6.25%

tinycheck's People

Contributors

besendorf, bl4ckh0l3z, chebatory, chenxiaoqino, evgenyablesov, felixaime, g-hartmann, julakx, juliopovedacs, plazzmik, ranlo, securechicken, te-k, teymour, thinkloop, tiqwab, vollkorn1982, xdanx

tinycheck's Issues

ERR_CONNECTION_REFUSED - cannot access frontend

After successful installation, I cannot access the frontend in order to configure tinycheck. I keep getting an ERR_CONNECTION_REFUSED error. Tried on two separate networks and routers and a few browsers. Same problem. I can ping "tinycheck.local" and resolve the IP address of the raspberry.

Error in Wi-Fi interface check regex

In install.sh, line 399:

if echo "$iface" | grep -Eq "(wlan[0-9]|wl[a-z0-9]{20})"; then

In case the Wi-Fi interface used to create the AP is named after the modern naming scheme, e.g. wlp2s0, the if-check fails because the regex matches the string only if it contains wl, followed by exactly 20 [a-z0-9] characters.

It was probably meant to check for wl followed by at least 2, and up to 20 [a-z0-9] characters.

Changing it to if echo "$iface" | grep -Eq "(wlan[0-9]|wl[a-z0-9]{2,20})"; then should fix the issue.

lost password

Dear all,
first, thanks to Kaspersky for this useful tool.
I lost the administration password... What do I have to do?
Thanks

http://tinycheck.local URL as security problem

Malware today often tests if it's running in a virtual machine or if debugging software like IDA-Pro is installed, and makes sure not to do anything suspicious or even destroys itself when it sees that's the case. If this project is successful, it won't be long until some of the software in question will check for a response on tinycheck.local.

Maybe only bring up the mDNS responder and web server when a hardware button is pressed? This way the malware cannot check whether it's talking to one of these.

Unable to browser tinycheck

Hi, I installed the utility on Kali and everything was fine, but after a reboot, when I try to open the address http://tinycheck.local in the browser, it doesn't work; I get an ISP error saying the site doesn't exist. It's strange that the host tinycheck doesn't open. Any help?

No IP address given to my device when connecting to the generated AP

Hello, and thanks for this very interesting project.

I'm trying to set it up for a Raspberry Pi 4 on the latest Raspberry Pi OS Lite. I do not want to run it as a kiosk, but rather via my internal network.
After running the installation script I first ran into Python errors; I installed all modules (all except "wifi" are available as packages, installed "wifi" via pip), then after restarting the tinycheck-frontend and tinycheck-backend services I can successfully access the frontend and backend.
However, I cannot get an IP address when connecting to the wireless network with my phone. I followed this issue (#55) closely and everything seems normal; I have a valid configuration per the comments. The following is my /tmp/hostapd.log; it seems my phone is associated then immediately disassociated:

Configuration file: /tmp/hostapd.conf
wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlan0: Could not connect to kernel driver
Using interface wlan0 with hwaddr e4:5f:01:00:8c:fb and ssid "wireless-8609"
wlan0: interface state COUNTRY_UPDATE->ENABLED
wlan0: AP-ENABLED 
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 RADIUS: starting accounting session F2B1F1690BA32E9A
wlan0: STA 84:cf:bf:91:ec:e8 WPA: pairwise key handshake completed (RSN)
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 RADIUS: starting accounting session 820EAB40DE4B3972
wlan0: STA 84:cf:bf:91:ec:e8 WPA: pairwise key handshake completed (RSN)
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 RADIUS: starting accounting session 70D55126920C638A
wlan0: STA 84:cf:bf:91:ec:e8 WPA: pairwise key handshake completed (RSN)
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 RADIUS: starting accounting session 265905938AF6B14E
wlan0: STA 84:cf:bf:91:ec:e8 WPA: pairwise key handshake completed (RSN)
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated

I will probably also run into issues later with the IOCs, since it seems the script failed to download them: a traceback was displayed on that step. However, I would like to first solve this problem.

Could you help me troubleshoot this? Do you need any additional information? One problem I found is in the hostapd.conf: I have no way to modify the country_code. It is set to GB and I need it set to FR; maybe that's what is causing the problem connecting to the AP? I also found it weird that the Python modules were not installed by the script.

Thanks a lot !
yzoug

EDIT: changed /usr/share/tinycheck/server/frontend/app/assets/hostapd.conf to specify FR instead of GB, same problem
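A per-station summary of a hostapd log of the kind quoted in this issue, as an added example (not TinyCheck code): it counts associations, completed WPA handshakes and disassociations per client MAC and gives a heuristic verdict that separates an authentication problem from a post-association one. The sample log is constructed, modelled on the one above; the verdict rules are my assumptions.

```python
"""Summarise a hostapd log per station: added example, not TinyCheck code."""
import re
from collections import defaultdict

# Constructed sample, shortened from the /tmp/hostapd.log quoted in the issue.
SAMPLE_LOG = """\
Configuration file: /tmp/hostapd.conf
wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlan0: AP-ENABLED
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 RADIUS: starting accounting session F2B1F1690BA32E9A
wlan0: STA 84:cf:bf:91:ec:e8 WPA: pairwise key handshake completed (RSN)
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 84:cf:bf:91:ec:e8
wlan0: STA 84:cf:bf:91:ec:e8 WPA: pairwise key handshake completed (RSN)
wlan0: STA 84:cf:bf:91:ec:e8 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 84:cf:bf:91:ec:e8
"""

# hostapd's station lines look like "<iface>: STA <mac> <event text>"
STA_LINE = re.compile(
    r"^(?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<event>.*)$"
)


def summarise_hostapd(log_text):
    """Return {mac: {"associated": n, "handshakes": n, "left": n, "verdict": str}}."""
    stats = defaultdict(lambda: {"associated": 0, "handshakes": 0, "left": 0})
    for line in log_text.splitlines():
        m = STA_LINE.match(line.strip())
        if not m:
            continue  # interface state lines, AP-STA-* lines, etc.
        event, s = m.group("event"), stats[m.group("mac")]
        if event == "IEEE 802.11: associated":
            s["associated"] += 1
        elif "pairwise key handshake completed" in event:
            s["handshakes"] += 1
        elif event.startswith(("IEEE 802.11: disassociated",
                               "IEEE 802.11: deauthenticated")):
            s["left"] += 1
    for s in stats.values():
        s["verdict"] = diagnose(s)
    return dict(stats)


def diagnose(s):
    """Heuristic verdict (my rule of thumb, not a hostapd diagnostic)."""
    if s["associated"] == 0:
        return "never associated"
    if s["handshakes"] == 0:
        return "no completed key handshake: check the passphrase / WPA settings in hostapd.conf"
    if s["associated"] > 1 and s["left"] >= s["handshakes"]:
        # Authentication succeeds every time, yet the client keeps leaving:
        # hostapd is not the problem; look at what happens after association
        # (IP address assignment on the AP interface).
        return "handshake completes but the station leaves repeatedly: check DHCP on the AP interface"
    return "handshake completed and the station stayed associated"
```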

Unable to launch/access frontend.

I have been having numerous issues trying to get TinyCheck to run and slowly overcoming each one. The final hurdle seems to be getting the front end to work.

I am able to access the backend at https://127.0.0.1 and configure it easily enough. It detects the two WiFi devices, onboard and USB, as well as the disconnected ethernet. The onboard WiFi is connected to a router and the internet.

Whenever I try to launch or access the frontend I just get an error message in Chromium as below:


This site can’t be reached

127.0.0.1 refused to connect.
Try:

  • Checking the connection
  • Checking the proxy and the firewall

ERR_CONNECTION_REFUSED


I am still a novice when it comes to Linux and anything Raspberry Pi.

I am running TinyCheck on a Raspberry Pi 400 with Raspbian 10 "Buster". It is a fresh standard 32-bit image with all packages updated.

No errors were reported during installation of TinyCheck.

I did have to make a minor modification to the execution script, as "chromium-browser" doesn't exist on the current Raspbian install; it is just called "chromium".

If I bash the kiosk script in the terminal I get the following errors:

Opening in existing browser session.
[3187:3187:0217/142107.370387:ERROR:broker_posix.cc(43)] Invalid node channel message
[3184:3184:0100/000000.158348:ERROR:gpu_init.cc(426)] Passthrough is not supported, GL is desktop
[3184:3184:0100/000000.206342:ERROR:broker_posix.cc(43)] Invalid node channel message

That doesn't mean much to my non-programmer mind and I'd appreciate some help.

Error during AP generation /api/network/ap/start 500 (INTERNAL SERVER ERROR)

Hello,

Did a new installation of TinyCheck on a PI4 with the following Raspbian version:
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
kernel : Linux tinycheck 5.10.52-v7l+ #1441 SMP Tue Aug 3 18:11:56 BST 2021 armv7l GNU/Linux

But now, each time I want to generate an AP with the frontend, I always get the following error:

xhr.js:177 GET http://192.168.1.161/api/network/ap/start 500 (INTERNAL SERVER ERROR)
createError.js:16 Uncaught (in promise) Error: Request failed with status code 500
at t.exports (createError.js:16)
at t.exports (settle.js:17)
at XMLHttpRequest.h.onreadystatechange (xhr.js:62)

Tried some workarounds as described in issue #28, but without any success. Any idea on this?

raspbian rfkill blocked

In regards to #90, I also realized that Raspbian OS (or whatever it's called at the moment) comes with Wi-Fi blocked. The install did not unblock this.

rfkill unblock 0 would be the solution

No internet connection, TinyCheck blocked on the QR page.

Dear,

I have installed a fresh TinyCheck on a RPi3B+ with the latest Raspberry OS Buster.
My configuration has:

  • wlan0 onboard the RPi for the Internet connection
  • wlan1 to work as AP

Currently, I would like to create a portable configuration, so wlan0 accesses the Internet through tethering with iPhone(1),
whereas wlan1 should create the AP to investigate another iPhone, let's call this iPhone(2).

I'm able to access the backend and frontend.
I'm able to create the AP and generate the QR code.
But, when I try to connect the iPhone(2) to wlan1, TinyCheck doesn't release any private IP to the iPhone(2), and after a few moments the sentence "No Internet connection" appears on the iPhone.
Moreover, TinyCheck doesn't go ahead; it is stuck on the QR page.

Any idea to solve this issue?
Thanks.

« We generate an ephemeral network for you » « Activation of Network failed »

First, thank you for this excellent tool, great work!

After reading
https://github.com/KasperskyLab/TinyCheck/wiki/Having-an-issue-%3F
here is the info:

• Your operating system;
Debian 10 Buster
• Your hardware configuration;
PC HP Elitebook 2540p Corei5 Windows7 certified
Wifi network device Broadcom BCM4312 G
Wired Network device Intel 82577L Gigabit Ethernet Controller

The result of the iw list, ifconfig, cat /tmp/hostapd.log commands (if anything related to the network);

iw list
Wiphy phy0
max # scan SSIDs: 4
max scan IEs length: 2285 bytes
max # sched scan SSIDs: 0
max # match sets: 0
max # scan plans: 1
max scan plan interval: -1
max scan plan iterations: 0
Retry short limit: 7
Retry long limit: 4
Coverage class: 0 (up to 0m)
Device supports RSN-IBSS.
Supported Ciphers:
* WEP40 (00-0f-ac:1)
* WEP104 (00-0f-ac:5)
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
* CCMP-256 (00-0f-ac:10)
* GCMP-128 (00-0f-ac:8)
* GCMP-256 (00-0f-ac:9)
* CMAC (00-0f-ac:6)
* CMAC-256 (00-0f-ac:13)
* GMAC-128 (00-0f-ac:11)
* GMAC-256 (00-0f-ac:12)
Available Antennas: TX 0 RX 0
Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor
* mesh point
Band 1:
Bitrates (non-HT):
* 1.0 Mbps
* 2.0 Mbps (short preamble supported)
* 5.5 Mbps (short preamble supported)
* 11.0 Mbps (short preamble supported)
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 2412 MHz [1] (20.0 dBm)
* 2417 MHz [2] (20.0 dBm)
* 2422 MHz [3] (20.0 dBm)
* 2427 MHz [4] (20.0 dBm)
* 2432 MHz [5] (20.0 dBm)
* 2437 MHz [6] (20.0 dBm)
* 2442 MHz [7] (20.0 dBm)
* 2447 MHz [8] (20.0 dBm)
* 2452 MHz [9] (20.0 dBm)
* 2457 MHz [10] (20.0 dBm)
* 2462 MHz [11] (20.0 dBm)
* 2467 MHz [12] (20.0 dBm) (no IR)
* 2472 MHz [13] (20.0 dBm)
* 2484 MHz [14] (20.0 dBm) (no IR)
Supported commands:
* new_interface
* set_interface
* new_key
* start_ap
* new_station
* new_mpath
* set_mesh_config
* set_bss
* authenticate
* associate
* deauthenticate
* disassociate
* join_ibss
* join_mesh
* set_tx_bitrate_mask
* frame
* frame_wait_cancel
* set_wiphy_netns
* set_channel
* set_wds_peer
* probe_client
* set_noack_map
* register_beacons
* start_p2p_device
* set_mcast_rate
* connect
* disconnect
* set_qos_map
* set_multicast_to_unicast
Supported TX frame types:
* IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* mesh point: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
Supported RX frame types:
* IBSS: 0x40 0xb0 0xc0 0xd0
* managed: 0x40 0xd0
* AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* mesh point: 0xb0 0xc0 0xd0
* P2P-client: 0x40 0xd0
* P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* P2P-device: 0x40 0xd0
software interface modes (can always be added):
* AP/VLAN
* monitor
interface combinations are not supported
HT Capability overrides:
* MCS: ff ff ff ff ff ff ff ff ff ff
* maximum A-MSDU length
* supported channel width
* short GI for 40 MHz
* max A-MPDU length exponent
* min MPDU start spacing
Device supports TX status socket option.
Device supports HT-IBSS.
Device supports SAE with AUTHENTICATE command
Device supports low priority scan.
Device supports scan flush.
Device supports AP scan.
Device supports per-vif TX power setting
Driver supports full state transitions for AP/GO clients
Driver supports a userspace MPM
Device supports configuring vdev MAC-addr on create.
Supported extended features:
* [ RRM ]: RRM
* [ FILS_STA ]: STA FILS (Fast Initial Link Setup)
* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
* [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211

ifconfig
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.46 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::6ab5:99ff:fef9:468 prefixlen 64 scopeid 0x20
inet6 2a01:e0a:8b7:f390:fb17:aaf9:aab8:fd0d prefixlen 64 scopeid 0x0
inet6 2a01:e0a:8b7:f390:bdd1:ab9a:2e07:f1e5 prefixlen 64 scopeid 0x0
inet6 2a01:e0a:8b7:f390:c147:834:4b9d:bcaa prefixlen 64 scopeid 0x0
inet6 2a01:e0a:8b7:f390:dddc:b4be:76dd:6009 prefixlen 64 scopeid 0x0
inet6 2a01:e0a:8b7:f390:6ab5:99ff:fef9:468 prefixlen 64 scopeid 0x0
ether 68:b5:99:f9:04:68 txqueuelen 1000 (Ethernet)
RX packets 1757223 bytes 1307301934 (1.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 89066 bytes 33474090 (31.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xd4700000-d4720000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 7363 bytes 5547952 (5.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7363 bytes 5547952 (5.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.73 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 2001:861:3cc3:5cd0:81df:d188:5a67:2145 prefixlen 64 scopeid 0x0
inet6 2001:861:3cc3:5cd0::2791:d84c prefixlen 128 scopeid 0x0
inet6 fe80::2a4d:f660:f4a9:9b48 prefixlen 64 scopeid 0x20
inet6 fe80::c755:b837:8447:d2f6 prefixlen 64 scopeid 0x20
inet6 2001:861:3cc3:5cd0:e67e:353b:cb32:20ec prefixlen 64 scopeid 0x0
ether c0:cb:38:8b:72:97 txqueuelen 1000 (Ethernet)
RX packets 40589 bytes 6547535 (6.2 MiB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 6691 bytes 2245383 (2.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

cat /tmp/hostapd.log
Configuration file: /tmp/hostapd.conf
wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlan0: STA a0:1b:29:ad:24:c0 IEEE 802.11: disassociated
Using interface wlan0 with hwaddr c0:cb:38:8b:72:97 and ssid "wifi-f472"
wlan0: interface state COUNTRY_UPDATE->ENABLED
wlan0: AP-ENABLED
wlan0: INTERFACE-DISABLED
wlan0: INTERFACE-ENABLED
Failed to set beacon parameters
wlan0: INTERFACE-DISABLED
wlan0: INTERFACE-ENABLED
Failed to set beacon parameters
wlan0: INTERFACE-DISABLED
wlan0: INTERFACE-ENABLED
Failed to set beacon parameters
wlan0: STA a0:1b:29:ad:24:c0 IEEE 802.11: disassociated due to inactivity
wlan0: STA a0:1b:29:ad:24:c0 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

• A description of the issue;
http://tinycheck.local/ Welcome screen ok
clicked "let's start!"
next screen, stuck on :
http://tinycheck.local/generate-ap
« We generate an ephemeral network for you »
« Activation of Network failed »

Why did the activation of the network fail, please?

not compatible with ARMv6 raspberry pi models such as pi zero w

The install.sh script can be tweaked to complete, but nodejs no longer supports ARMv6.

This means lines 258 and 259 in install.sh do not install anything. Options seem to be: use an older, potentially insecure version of node and npm; cross-compile for ARMv6; compile directly on the device (I am not even going to try this!); or download somebody else's unofficial and potentially insecure binary.

Will edit this when I've managed to do more with it.

find my iPhone

Today I analyzed an iPhone. I would like to know if the function "find my iPhone" is considered malicious or not.
Thanks

AP gets created, but frontend doesn't proceed

hi all

Like other users, I have problems getting this all to work. Similar to #28 #79.
I successfully installed all according to the documentation.
Setup: Raspberry Pi 3 Model B Rev 1.2
wlan0: onboard module
wlan1: TP-Link TL-WN823N

I didn't install the PI with a GUI, only command line.
Therefore, I can't access tinycheck with tinycheck.local, but the IP address.

I can successfully connect to the frontend (http://192.168.2.44) with my phone or laptop and the backend (https://192.168.2.44) with my PC.

When I tap "let's start!" on my phone/laptop, the AP is created, but the web does not proceed.

pi@tinycheck:/tmp $ cat /tmp/hostapd.conf
country_code=GB
interface=wlan1
ssid=wireless-e88b
hw_mode=g
channel=11
auth_algs=1
wpa=2
wpa_passphrase=3f9e4a1f
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
disassoc_low_ack=0
pi@tinycheck:/tmp $ cat /tmp/hostapd.log
Configuration file: /tmp/hostapd.conf
wlan1: interface state UNINITIALIZED->COUNTRY_UPDATE
Using interface wlan1 with hwaddr xx:xx:xx:xx:xx:xx and ssid "wireless-e88b"
wlan1: interface state COUNTRY_UPDATE->ENABLED
wlan1: AP-ENABLED
pi@tinycheck:/tmp $ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b8:27:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.44  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::8d8c:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether b8:27:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::63bb:xxxx:xxxx:xxx  prefixlen 64  scopeid 0x20<link>
        ether 00:0f:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)

On the laptop (or smartphone) in firefox I can see an HTTP 500 error Request URL GET: http://192.168.2.44/api/network/ap/start after 10 seconds and there is no QR-Code created.

Unable to install Zeek from install.sh on Ubuntu 20.04

I tried to re-install TinyCheck on a Ubuntu 20.04 VM (mainly for using the analysis engine) and the links associated with the installation of Zeek were not working: see these lines

I checked Zeek binary and updated install.sh with this code to fix it:

if [[ $distrib == "debian" ]]; then
    echo "deb http://download.opensuse.org/repositories/security:/zeek/Debian_$version/ /" > /etc/apt/sources.list.d/security:zeek.list
    wget -nv "https://download.opensuse.org/repositories/security:zeek/Debian_$version/Release.key" -O Release.key
elif [[ $distrib == "ubuntu" ]]; then
    echo "deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_$version/ /" > /etc/apt/sources.list.d/security:zeek.list
    wget -nv "https://download.opensuse.org/repositories/security:zeek/xUbuntu_$version/Release.key" -O Release.key
fi

Contributing & understanding structure

Mighty wizards/Felix

I am trying to understand how TC is built - and I am admittedly rather rusty on the web frontend side of things.
Is this close?:
https://testdriven.io/blog/combine-flask-vue/

I'd like to complement the IOC page with simple information such as

  • "n entries in DB";
  • "last update: YYYY-MM-DD";
  • "force update" button.

But even little changes to the blueprints (*.vue) don't render. Likely I've missed an important part in this.

Any pointers appreciated!

TinyCheck seems to not detect DNS queries to stalkerwares servers

Hi,

After testing TinyCheck in a virtual environment (with a few modifications to the code), I decided to test it on the intended environment: a Raspberry Pi 4 (with a touchscreen).

But after a few tests with a stalkerware (in this test Snoopza) installed on a smartphone, I saw that it didn't detect the first DNS query to api.snoopza.com (it is easily viewable in the capture.pcap with a dns filter).
In every test, I wait at least 5 minutes, and I do some stuff like rebooting, taking photos, surfing, etc. On the Snoopza panel, I get information on the smartphone, so there is communication between the smartphone and Snoopza's server.

On the virtual environment, I modified the zeekengine.py file to also loop on all dns queries and compare it with IOCs :

for d in self.dns:
    # Check for blacklisted domain.
    for domain in bl_domains:
        if d["domain"].endswith(domain[0]):
            .....

I saw that this part is adding DNS resolution to the analysis engine, but I don't understand why it seems not to work in my test case:

for c in self.conns:
    c["resolution"] = self.resolve(c["ip_dst"])

I wonder if I am doing something wrong, or if the analysis needs to loop also on DNS queries?

Thanks for the work on this amazing tool,
Léandre
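The DNS-query loop the post above asks about, as an added example that is not TinyCheck's zeekengine.py: it matches every queried name against a domain blocklist, and it also shows why a bare `str.endswith()` (the test in the quoted loop) over-matches, since "notsnoopza.com" ends with "snoopza.com". The blocklist entries and DNS records are constructed; `match_dns_queries` and `domain_matches` are my names.

```python
"""Match DNS queries against a domain blocklist: added example, not TinyCheck code."""

# Constructed blocklist in the (domain, tag) shape the quoted loop indexes with domain[0].
BL_DOMAINS = [("snoopza.com", "stalkerware"), ("c2.example", "c2")]

# Constructed DNS records modelled on what the issue describes (one dict per query).
DNS_RECORDS = [
    {"domain": "api.snoopza.com", "ip_dst": "203.0.113.10"},
    {"domain": "notsnoopza.com", "ip_dst": "203.0.113.11"},   # must NOT match
    {"domain": "snoopza.com", "ip_dst": "203.0.113.12"},      # exact match
    {"domain": "www.example.org", "ip_dst": "203.0.113.13"},  # benign
]


def domain_matches(queried, blocked):
    """True if `queried` is `blocked` itself or a subdomain of it.

    Comparison is case-insensitive, a trailing dot (FQDN form) is ignored,
    and the suffix test is done on a label boundary so "notsnoopza.com"
    does not match "snoopza.com".
    """
    q = queried.lower().rstrip(".")
    b = blocked.lower().rstrip(".")
    return q == b or q.endswith("." + b)


def naive_matches(queried, blocked):
    """The str.endswith() test from the quoted loop, kept for comparison."""
    return queried.endswith(blocked)


def match_dns_queries(dns_records, bl_domains, matcher=domain_matches):
    """Return one alert per (queried name, blocklist entry) pair that matches.

    This is the loop over all DNS queries the post proposes: a name is
    flagged as soon as it is queried, whether or not a connection to the
    resolved address follows.
    """
    alerts, seen = [], set()
    for d in dns_records:
        for blocked, tag in bl_domains:
            if not matcher(d["domain"], blocked):
                continue
            key = (d["domain"], blocked)
            if key in seen:          # same name queried repeatedly: alert once
                continue
            seen.add(key)
            alerts.append({"domain": d["domain"], "ioc": blocked, "tag": tag})
    return alerts
```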

Install hangs on 'Feeding your TinyCheck... fresh IOCs and whitelist'

Hi all,
Running Raspberry Pi OS (Legacy) Buster v10.11

Attempted to install a fresh version of TinyCheck - second time trying, and the installation hung continuously on "Feeding your Tinycheck instance with fresh IOCs and whitelist, please wait".

I waited overnight but it did not proceed. Tried again today and same result.
I rebooted it and tried the result anyway - but could not get the TinyCheck frontend working: error connection refused. Might have been the same as the problem with the Python 'six' package that is mentioned in issue #95, though, looking back on it.

Any workarounds for this problem with the updates?

Thanks!

Do you have a plan for time-variant events?

Going straight to the point: is there any chance to raise alerts by feeding on snort rules like this?

alert TCP $EXTERNAL_NET any -> $HOME_NET any (msg:"This is just an example of time-variant rule"; flags:S; threshold: type threshold, track by_dst, count 1000, seconds 60; sid: 5000002;)

Count is accrued over a specific period of time, but at the moment time-variant analysis is totally ignored by tinycheck... and, as far as I know, snort rules are evaluated in one shot via suricata... isn't that true?

Thanks.
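The counting half of the rule quoted above (`threshold: type threshold, track by_dst, count 1000, seconds 60`, applied to TCP SYNs from outside the home net), as an added example that is not TinyCheck or Snort code: a sliding window per destination that fires on every count-th matching event inside the window, which is the time-variant behaviour the post says TinyCheck lacks. The connection records are constructed; the home-net prefix is an assumption taken from the AP subnet seen in other issues on this page.

```python
"""Snort-style 'type threshold' counting over connection records: added example."""
from collections import defaultdict, deque

HOME_NET_PREFIX = "192.168.100."   # assumption: the AP subnet used elsewhere on this page


class Threshold:
    """Fire once every `count` events per tracked key within `seconds`.

    Approximates Snort's `type threshold`: the counter for a key resets each
    time it fires, so a sustained flood alerts repeatedly, once per `count`.
    """

    def __init__(self, count, seconds, track="by_dst"):
        self.count, self.seconds, self.track = count, seconds, track
        self._events = defaultdict(deque)   # key -> timestamps inside the window

    def key(self, record):
        return record["ip_dst"] if self.track == "by_dst" else record["ip_src"]

    def feed(self, record):
        """Return True when `record` is the count-th event for its key in the window."""
        q, ts = self._events[self.key(record)], record["ts"]
        while q and ts - q[0] > self.seconds:   # drop events older than the window
            q.popleft()
        q.append(ts)
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def syn_flood_alerts(records, count=1000, seconds=60):
    """Apply the rule's direction, flags:S and threshold clauses to `records`.

    Returns [(ts, ip_dst)] for each time the threshold fires.
    """
    th = Threshold(count, seconds, track="by_dst")
    alerts = []
    for r in records:
        external_to_home = (not r["ip_src"].startswith(HOME_NET_PREFIX)
                            and r["ip_dst"].startswith(HOME_NET_PREFIX))
        if not external_to_home or "S" not in r["flags"]:
            continue
        if th.feed(r):
            alerts.append((r["ts"], r["ip_dst"]))
    return alerts


def make_records(n, dst, start=0.0, spacing=0.01, src="198.51.100.7"):
    """Constructed input: n TCP SYNs from `src` to `dst`, `spacing` seconds apart."""
    return [{"ts": start + i * spacing, "ip_src": src, "ip_dst": dst, "flags": "S"}
            for i in range(n)]
```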

issues with generating network on raspberry pi 3+

I'm having the following issue:

Unfortunatelly, we got some issues.

Please verify that you've to Wifi interaces on your device and restart it by clicing on the bottom below

I've checked syslog and got the following information when I click to use the existing network:

Dec  1 14:30:19 tinycheck dhcpcd[484]: wlan1: carrier acquired
Dec  1 14:30:19 tinycheck kernel: [  304.598639] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
Dec  1 14:30:19 tinycheck dhcpcd[484]: wlan1: IAID eb:d1:47:a4
Dec  1 14:30:19 tinycheck dhcpcd[484]: wlan1: adding address fe80::6e18:8148:cde4:2469
Dec  1 14:30:19 tinycheck avahi-daemon[401]: Joining mDNS multicast group on interface wlan1.IPv6 with address fe80::6e18:8148:cde4:2469.
Dec  1 14:30:19 tinycheck avahi-daemon[401]: New relevant interface wlan1.IPv6 for mDNS.
Dec  1 14:30:19 tinycheck dhcpcd[484]: wlan1: probing address 192.168.100.1/24
Dec  1 14:30:19 tinycheck avahi-daemon[401]: Registering new address record for fe80::6e18:8148:cde4:2469 on wlan1.*.
Dec  1 14:30:20 tinycheck dhcpcd[484]: wlan1: soliciting an IPv6 router
Dec  1 14:30:20 tinycheck python3[396]: 127.0.0.1 - - [01/Dec/2020 14:30:20] "GET /api/network/ap/start HTTP/1.1" 200 -
Dec  1 14:30:25 tinycheck dhcpcd[484]: wlan1: using static address 192.168.100.1/24
Dec  1 14:30:25 tinycheck avahi-daemon[401]: Joining mDNS multicast group on interface wlan1.IPv4 with address 192.168.100.1.
Dec  1 14:30:25 tinycheck avahi-daemon[401]: New relevant interface wlan1.IPv4 for mDNS.
Dec  1 14:30:25 tinycheck avahi-daemon[401]: Registering new address record for 192.168.100.1 on wlan1.IPv4.
Dec  1 14:30:25 tinycheck dhcpcd[484]: wlan1: adding route to 192.168.100.0/24
Dec  1 14:30:32 tinycheck dhcpcd[484]: wlan1: no IPv6 Routers available

rfkill shows

root@tinycheck:/var/log# rfkill list all
0: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
1: phy1: Wireless LAN
	Soft blocked: no
	Hard blocked: no
2: hci0: Bluetooth
	Soft blocked: no
	Hard blocked: no
root@tinycheck:/var/log#

and ifconfig

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.88.68  netmask 255.255.255.0  broadcast 192.168.88.255
        inet6 fe80::5201:2c77:4fe2:f1f9  prefixlen 64  scopeid 0x20<link>
        ether d0:37:45:ff:8f:df  txqueuelen 1000  (Ethernet)
        RX packets 29889  bytes 3631819 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1467  bytes 800955 (782.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::6e18:8148:cde4:2469  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:d1:47:a4  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37  bytes 5172 (5.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Setup:

Raspberry Pi 3+
TP-Link TL-WN725N

root@tinycheck:/var/log# uname -a
Linux tinycheck 5.4.79-v7+ #1373 SMP Mon Nov 23 13:22:33 GMT 2020 armv7l GNU/Linux
root@tinycheck:/var/log#

[Vulnerabilities] Possible authenticated RCE discovered by sayfer.io

Hello people,

As can happen to anyone who has their nose too deep in the code, during an audit, the guys from https://sayfer.io reported a few days ago a possible authenticated RCE. As with most command injection vulnerabilities, this can be exploited easily by:

  • Getting the JSON Web Token (JWT) if the attackers know the user / password;
  • Injecting commands in the configuration from the API (notably, in the WIFI interface names);
  • Waiting for the user to create a new capture; tshark will be executed with the code as parameter, yes.

Facing that, I'm going to patch the vulnerability, which is serious:

  • Patching the install script to push the user to set up their own credentials;
  • Putting regexes on the WiFi interface names when editing the configuration;
  • Changing the way subprocess calls are processed (which is the biggest fail 🤦‍♂️);

I would like to personally thank the sayfer.io researchers for having reported that serious issue.

If you have downloaded TinyCheck prior today, please

  • Update to the latest commit/version: #cd /usr/share/tinycheck/ && bash update.sh;
  • Update the login / password if you used the default ones ;

Don't hesitate to use this thread if you have any question related to this issue or see another issue.

Félix.
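The two interface-name fixes on this page, as one added example that is not TinyCheck's code: the install.sh regex from the "Error in Wi-Fi interface check regex" issue (original vs. proposed `{2,20}` form, used unanchored as `grep -Eq` does), and, for the hardening announced above, an anchored allow-list applied before the name is handed to tshark as an argv list rather than a shell string. The allow-list pattern, the 15-character kernel name limit it encodes, and the function names are my assumptions.

```python
"""Interface-name detection vs. validation, and shell-free tshark argv: added example."""
import re

# Patterns from the install.sh issue, used as grep -Eq uses them: unanchored search.
ORIGINAL_CHECK = re.compile(r"(wlan[0-9]|wl[a-z0-9]{20})")     # needs exactly 20 chars after "wl"
PROPOSED_CHECK = re.compile(r"(wlan[0-9]|wl[a-z0-9]{2,20})")   # the fix proposed in the issue

# Assumed allow-list for names coming from the configuration API: anchored, lowercase
# alphanumerics only, and "wl" + at most 13 chars (Linux interface names are <= 15 chars).
IFACE_NAME = re.compile(r"^wl[a-z0-9]{2,13}$")


def looks_like_wifi(name, pattern=PROPOSED_CHECK):
    """The install.sh style check: does the name *contain* a Wi-Fi-looking token?"""
    return pattern.search(name) is not None


def is_valid_iface(name):
    """Strict validation for untrusted input: the whole string must be a plausible name."""
    return IFACE_NAME.fullmatch(name) is not None


def validate_iface(name):
    """Return `name` if it passes the allow-list, otherwise raise ValueError."""
    if not is_valid_iface(name):
        raise ValueError(f"rejected interface name: {name!r}")
    return name


def tshark_argv(iface, pcap_path):
    """Build tshark's argument vector.

    Passing a list to subprocess.run() (no shell=True, no string formatting)
    means the interface name is only ever one argument; combined with the
    allow-list above, shell metacharacters in a config value never reach a shell.
    """
    return ["tshark", "-i", validate_iface(iface), "-w", pcap_path]
```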

Uninstall instructions

I tried it out on Ubuntu 20.04.1 LTS which is the only system which had 2 wifi interfaces. The installation gave a lot of errors and then rebooted. Now I cannot connect to the web interface - although ssh still works.

I want to uninstall TinyCheck - how can I do that?

Backend Analysis Configuration -> Unknown key

Hey,

Whenever I try to change the analysis configuration in the backend I get the error: unknown key.
This is for all the 3 slider settings: heuristic, ioc, whitelist.

Is this just for me or do more users have this?
It's not a big problem since I can change the yaml file, but it would be nice if this worked.

Cheers

Update.sh fails.

Hello,

The update.sh script :

  • Never gets updated by itself;
  • Doesn't save the SSL keys (issue from mil1234n6);
  • Doesn't update the kiosk.sh script.

Regarding these issues I've updated the update.sh script.

Have a good week,
Félix.

Running headless?

Most of my RPIs haven't had a monitor connected at any time, and I'd love to be able to use this as an auditing tool on one of them.

Is there a way to install this headless without a running x11? I tried a couple of times, and it appears it won't run without a desktop loaded.

Thanks!

not saving PDF report

Hello,
is there anything I should enable to save the PDF report?

Inside the USB key I have only the following under the TinyCheck dir:
capture.pcap
assets (dir)

I do not see any pdf here.
Thanks

Pop!_OS not detected as Debian-like

When running it on Pop!_OS it's not detected as Debian-like system.

The output for ID_LIKE is ID_LIKE="ubuntu debian"

❯ sudo cat /etc/os-release
NAME="Pop!_OS"
VERSION="20.04 LTS"
ID=pop
ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 20.04 LTS"
VERSION_ID="20.04"
HOME_URL="https://pop.system76.com"
SUPPORT_URL="https://support.system76.com"
BUG_REPORT_URL="https://github.com/pop-os/pop/issues"
PRIVACY_POLICY_URL="https://system76.com/privacy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
LOGO=distributor-logo-pop-os
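
The detection the report above runs into is a common one: a check that only compares ID, or compares ID_LIKE as a single word, misses a system whose ID_LIKE holds several families. The following is an added example (not TinyCheck's own install.sh logic) that parses os-release with its shell-style quoting and accepts a system if either ID or any ID_LIKE token matches; the sample text is copied from the Pop!_OS output in this report.

```python
"""Detect a Debian-like system from /etc/os-release, honouring ID_LIKE lists.

Added example, not TinyCheck's install.sh: ID=pop with ID_LIKE="ubuntu debian"
(the Pop!_OS case above) must count as Debian-like.
"""
import shlex

# Constructed sample, copied from the Pop!_OS report in this thread.
POP_OS_RELEASE = """\
NAME="Pop!_OS"
VERSION="20.04 LTS"
ID=pop
ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 20.04 LTS"
VERSION_ID="20.04"
VERSION_CODENAME=focal
"""


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict.

    Values may be double- or single-quoted, as the os-release format allows,
    so shlex.split is used to strip the quoting. Blank lines and comments
    are skipped; a key with an empty value maps to "".
    """
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)
        data[key.strip()] = parts[0] if parts else ""
    return data


def is_debian_like(text, family="debian"):
    """True if ID, or any whitespace-separated ID_LIKE token, equals family."""
    info = parse_os_release(text)
    ids = {info.get("ID", "").lower()}
    ids.update(info.get("ID_LIKE", "").lower().split())
    return family in ids


if __name__ == "__main__":
    with open("/etc/os-release") as fh:
        print("debian-like" if is_debian_like(fh.read()) else "not debian-like")
```

Run it on the host to check the live file; the functions take the file text so the same check can be unit-tested against captured os-release samples.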

Miscellaneous issues from new user

Apologies if it's more helpful to break this down into individual issues, but I didn't want to flood the tracker.

For what it's worth, I thought I would collect these issues into one post as the experience of a moderately computer-literate person trying to set up Tinycheck on a Pi4B. Overall, the experience was very good and the documentation very clear, but I did encounter these friction points:

1) Installation: 'install.sh' appeared to hang indefinitely at the "Feeding your TinyCheck instance with fresh IOCs and whitelist, please wait." stage. Given that the step after this seems to be a reboot, I opted to restart the Pi and see if the installation had worked, which it appears to have done. I also ran 'update.sh' and this completed successfully. However, I can't seem to find any way to verify the installation or to force the IOCs to re-download. (A basic test with what should be an uncompromised phone generated a moderate alert for a geo-location tracker, so I assume it's working as intended, but there are no MISP instances listed in the backend, which may be normal but have left me wondering whether I should reinstall)

2) Virtual Keyboard: I set the device up in kiosk mode, as that's probably how it will end up being used, but used a mouse, keyboard and HDMI out to a TV to make sure everything was working. The virtual keyboard doesn't seem to interact properly with a physical keyboard. You can use the physical keyboard to type into the text field of the keyboard, but nothing is then passed to the Wi-Fi Password box when you click on '< enter' (pressing enter on the keyboard has no effect). In the end, clicking the password into the virtual keyboard seemed to do the trick. Additionally, the keyboard sometimes deploys (on a separate screen?) at the top of the screen. This means the x and home icons appear within the text entry box and appear as if they are functions of the keyboard rather than the tinycheck app: i.e. I thought x would clear the text field and home would return me to the previous screen. (Screencap here)

3) PDF reports: As per this issue, PDF reports were not generated. The fix in that thread worked, but unless you know to look for it then it seems to be an invisible failure point.

fresh install fails (some debugging inside)

Inspired by the talk at rc3 about this project I wanted to try it out.

After a fresh installation on Raspbian Buster (I tried Bullseye, where at least the backend and frontend ran until meeting import errors, but remembered the speaker at rc3 said Buster would work better) the thing did nothing. Login shows:

systemctl status tinycheck-watchers:
    ...
    ModuleNotFoundError: No module named 'sqlalchemy'

systemctl status tinycheck-frontend:
    ...
    ModuleNotFoundError: No module named 'flask'

systemctl status tinycheck-backend:
    ...
    ModuleNotFoundError: No module named 'flask'

Apparently line 320 might not have worked?

    python3 -m pip install -r "$SCRIPT_PATH/assets/requirements.txt"

My try of python3 -m pip install -r requirements.txt revealed an error (multiple similar ones, all with the cryptography package):

    Failed building wheel for cryptography

The debug assistance of pip(?) recommends an upgrade:

python3 -m pip install --upgrade pip

and again, somewhat more compact:

This package requires Rust >=1.41.0.
----------------------------------------
ERROR: Failed building wheel for cryptography
Failed to build cryptography
ERROR: Could not build wheels for cryptography, which is required to install pyproject.toml-based projects

So this might have to do with cryptography from version 3.5 onwards relying on Rust >=1.45.
https://cryptography.io/en/latest/installation/

Editing requirements.txt to

    cryptography < 3.49

made the install (python3 -m pip install -r requirements.txt) go through.

Enough for today.

Saving a report to USB

Has anyone been able to do this through the frontend?
I select "save", then plug in a USB stick, but nothing else happens beyond that.
(I am expecting an auto-mount of the USB as the next step.)

I assume the /tmp/CAPTURESESSION/*.json and the logs are part of the report.
Can I trigger the save manually from "...tinycheck/server/frontend/app/classes/save.py"?

TIA

Internal Server Error

I tried to download TinyCheck and when I boot it I get this problem:
Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

I have a Raspberry Pi 4 8GB and I have installed Raspberry Pi OS.
The result of iw list:
Wiphy phy0
max # scan SSIDs: 10
max scan IEs length: 2048 bytes
max # sched scan SSIDs: 16
max # match sets: 16
max # scan plans: 1
max scan plan interval: 508
max scan plan iterations: 0
Retry short limit: 7
Retry long limit: 4
Coverage class: 0 (up to 0m)
Device supports roaming.
Device supports T-DLS.
Supported Ciphers:
* WEP40 (00-0f-ac:1)
* WEP104 (00-0f-ac:5)
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
* CMAC (00-0f-ac:6)
Available Antennas: TX 0 RX 0
Supported interface modes:
* IBSS
* managed
* AP
* P2P-client
* P2P-GO
* P2P-device
Band 1:
Capabilities: 0x1022
HT20/HT40
Static SM Power Save
RX HT20 SGI
No RX STBC
Max AMSDU length: 3839 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT TX/RX MCS rate indexes supported: 0-7
Bitrates (non-HT):
* 1.0 Mbps
* 2.0 Mbps (short preamble supported)
* 5.5 Mbps (short preamble supported)
* 11.0 Mbps (short preamble supported)
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 2412 MHz [1] (20.0 dBm)
* 2417 MHz [2] (20.0 dBm)
* 2422 MHz [3] (20.0 dBm)
* 2427 MHz [4] (20.0 dBm)
* 2432 MHz [5] (20.0 dBm)
* 2437 MHz [6] (20.0 dBm)
* 2442 MHz [7] (20.0 dBm)
* 2447 MHz [8] (20.0 dBm)
* 2452 MHz [9] (20.0 dBm)
* 2457 MHz [10] (20.0 dBm)
* 2462 MHz [11] (20.0 dBm)
* 2467 MHz [12] (20.0 dBm)
* 2472 MHz [13] (20.0 dBm)
* 2484 MHz [14] (disabled)
Band 2:
Capabilities: 0x1062
HT20/HT40
Static SM Power Save
RX HT20 SGI
RX HT40 SGI
No RX STBC
Max AMSDU length: 3839 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT TX/RX MCS rate indexes supported: 0-7
VHT Capabilities (0x00001020):
Max MPDU length: 3895
Supported Channel Width: neither 160 nor 80+80
short GI (80 MHz)
SU Beamformee
VHT RX MCS set:
1 streams: MCS 0-9
2 streams: not supported
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT RX highest supported: 0 Mbps
VHT TX MCS set:
1 streams: MCS 0-9
2 streams: not supported
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT TX highest supported: 0 Mbps
Bitrates (non-HT):
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 5170 MHz [34] (disabled)
* 5180 MHz [36] (20.0 dBm)
* 5190 MHz [38] (disabled)
* 5200 MHz [40] (20.0 dBm)
* 5210 MHz [42] (disabled)
* 5220 MHz [44] (20.0 dBm)
* 5230 MHz [46] (disabled)
* 5240 MHz [48] (20.0 dBm)
* 5260 MHz [52] (20.0 dBm) (no IR, radar detection)
* 5280 MHz [56] (20.0 dBm) (no IR, radar detection)
* 5300 MHz [60] (20.0 dBm) (no IR, radar detection)
* 5320 MHz [64] (20.0 dBm) (no IR, radar detection)
* 5500 MHz [100] (20.0 dBm) (no IR, radar detection)
* 5520 MHz [104] (20.0 dBm) (no IR, radar detection)
* 5540 MHz [108] (20.0 dBm) (no IR, radar detection)
* 5560 MHz [112] (20.0 dBm) (no IR, radar detection)
* 5580 MHz [116] (20.0 dBm) (no IR, radar detection)
* 5600 MHz [120] (20.0 dBm) (no IR, radar detection)
* 5620 MHz [124] (20.0 dBm) (no IR, radar detection)
* 5640 MHz [128] (20.0 dBm) (no IR, radar detection)
* 5660 MHz [132] (20.0 dBm) (no IR, radar detection)
* 5680 MHz [136] (20.0 dBm) (no IR, radar detection)
* 5700 MHz [140] (20.0 dBm) (no IR, radar detection)
* 5720 MHz [144] (disabled)
* 5745 MHz [149] (disabled)
* 5765 MHz [153] (disabled)
* 5785 MHz [157] (disabled)
* 5805 MHz [161] (disabled)
* 5825 MHz [165] (disabled)
Supported commands:
* new_interface
* set_interface
* new_key
* start_ap
* join_ibss
* set_pmksa
* del_pmksa
* flush_pmksa
* remain_on_channel
* frame
* set_wiphy_netns
* set_channel
* tdls_oper
* start_sched_scan
* start_p2p_device
* connect
* disconnect
* crit_protocol_start
* crit_protocol_stop
* update_connect_params
Supported TX frame types:
* managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
Supported RX frame types:
* managed: 0x40 0xd0
* AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* P2P-client: 0x40 0xd0
* P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* P2P-device: 0x40 0xd0
software interface modes (can always be added):
valid interface combinations:
* #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
total <= 3, #channels <= 2
* #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,
total <= 4, #channels <= 1
Device supports scan flush.
Device supports randomizing MAC-addr in sched scans.
Supported extended features:
* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
* [ DFS_OFFLOAD ]: DFS offload

The result of ifconfig:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.11 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::5402:97e4:d175:3416 prefixlen 64 scopeid 0x20
ether e4:5f:01:25:35:84 txqueuelen 1000 (Ethernet)
RX packets 918 bytes 163816 (159.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 661 bytes 113288 (110.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 141 bytes 12794 (12.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 141 bytes 12794 (12.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether e4:5f:01:25:35:85 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

I disabled wlan for a moment because I couldn't log in with SSH,
but the problem is the same even if I update the system with the code given in the wiki.
I've tried to log in through the frontend and backend but it's the same.

I use a wlan and eth as written in the instructions and it's always the same.

500 Internal server error

Heya,

I would really like to try this out on my Raspberry Pi Zero W but...
Whenever I try to connect to the backend/frontend I keep getting a 500 error. I tried reinstalling but that didn't work. When I check the daemon.log I see multiple jinja2 errors: TemplateNotFound: index.html.

When I check the main.py I see this:

    app = Flask(__name__, template_folder="../../app/backend/dist")

There is no /dist?

And

    def main():
        """
        Return the index.html generated by Vue
        """
        return render_template("index.html")

But I guess that doesn't happen(?)
Can anyone help me out?

Thanks in advance!

Closed, read about the closed issue with Pi Zero. Will try to do the npm install and check if it works, otherwise upgrading to another Pi.

Frontend in loop, does not proceed

How to reset all initial settings ?

After changing the internet access from eth0 to wlan1 the frontend website (http://tinycheck.local) shows the logo and a loading circle gif but nothing else happens.

I already stopped the FE/BE/Watcher services, started them again and checked that the status is OK.

I would like to start over with the screen that suggests a new Wi-Fi network with QR code and network name/pass.

What files do I have to edit? Thank you for your support.

[Documentation] The WIFI dongle used by hostapd must be in monitor mode

Hi felix, first let me say that I'm entirely grateful for the work you put in that project. Much appreciated 👍

While setting this up on a Pi 4+ with Raspbian OS I stumbled across something that is worth mentioning in the readme imo.
The Wi-Fi (dongle) used to set up the client's networks via hostapd needs to be running in monitor mode. While this might be obvious for the folks that hack with Wi-Fi regularly, it might be a hassle for others to finally find out. Especially when (as in my case) the default drivers do not support it. Would you accept a PR for this?

Best regards

AP gets created, but tinycheck doesnt proceed

Hey,

I've installed TinyCheck on my Raspberry Pi Zero W.
And after some struggles to get it all working it now stops at the point where it should show the QR code with the created AP name and password. I can connect to the AP, and also have a connection. But TinyCheck doesn't go on.

I watched the debugger in firefox and it shows:

Uncaught (in promise) Error: timeout of 30000ms exceeded
exports createError.js:16
ontimeout xhr.js:103

So that's probably this part?:

    methods: {
        generate_ap: function() {
            clearInterval(this.interval)
            this.ssid_name = false
            axios.get("/api/network/ap/start", { timeout: 30000 })
                .then(response => (this.show_ap(response.data)))
        }
    }

Any clues what I could do? Is it maybe the QR code that doesn't get generated, or?
Thanks in advance.

[Feature] TinyCheck should have localization

While english is a totally fine thing to start with, it would be good if the interfaces of tinycheck had the possibility to be translated.

I'll leave this as idea for now. Maybe I find time this month to work on that myself. Also I would be happy if people share possible solutions for that here. Right now we have stuff to translate in both frontends and the analysis engine.

Sometimes it breaks wpa_supplicant.conf file.

Folks,

I have some bugs with the wpa_supplicant file. Sometimes shit goes at the end of the file, without knowing why.
Still don't know why, as my unit tests work, but when it is in prod it can fail. I need to investigate.

So if there are some troubles with the Wi-Fi (like you can't list Wi-Fi networks on your system) or it can't connect to a Wi-Fi network, edit the wpa_supplicant file and try to see if there is something wrong at the end of the file.

    #nano /etc/wpa_supplicant/wpa_supplicant.conf

I'm going to take time (hopefully this week) to see what's wrong.

Félix.
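
Looking at the tail of the file by hand is what the post above recommends. The following is an added example (not TinyCheck's own code) of a read-only sanity check that reports the symptoms of that corruption: a stray closing brace, a per-network key such as ssid or psk sitting outside any network={...} block, an unclosed block at end of file, and lines that are not key=value at all. The two configuration samples are constructed for the example.

```python
"""Sanity-check /etc/wpa_supplicant/wpa_supplicant.conf for junk at the end.

Added example, not TinyCheck's code. It only reads and reports; it never
rewrites the file. Block syntax follows wpa_supplicant.conf(5): network={,
cred={ and blob-base64-<name>={ open a block, a lone } closes it.
"""
import re

BLOCK_OPEN = re.compile(r"^(network|cred|blob-base64-\S+)\s*=\s*\{$")
KEY_VALUE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*=.*$")
# Keys that only make sense inside a network block; one of them at top
# level is the signature of a half-written or doubled block.
NETWORK_ONLY_KEYS = {
    "ssid", "psk", "key_mgmt", "scan_ssid", "priority", "bssid", "proto",
    "pairwise", "group", "identity", "password", "disabled", "id_str",
}


def check_wpa_supplicant(text):
    """Return a list of (line_number, problem) tuples; an empty list means clean."""
    problems = []
    depth = 0
    lineno = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if BLOCK_OPEN.match(line):
            if depth:
                problems.append((lineno, "nested block"))
            depth += 1
            continue
        if line == "}":
            if depth == 0:
                problems.append((lineno, "stray closing brace"))
            else:
                depth -= 1
            continue
        if not KEY_VALUE.match(line):
            problems.append((lineno, f"not a key=value line: {line!r}"))
            continue
        key = line.split("=", 1)[0]
        if depth == 0 and key in NETWORK_ONLY_KEYS:
            problems.append((lineno, f"{key} outside a network block"))
    if depth:
        problems.append((lineno, "unclosed block at end of file"))
    return problems


# Constructed sample: a clean file.
GOOD_CONF = """\
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=FR

network={
    ssid="skynet"
    psk="correct horse battery staple"
    key_mgmt=WPA-PSK
}
"""

# Constructed sample: the same file with a corrupted tail appended.
BROKEN_CONF = GOOD_CONF + """\
}
ssid="wireless"
network={
    psk="hunter2hunter2"
"""


if __name__ == "__main__":
    with open("/etc/wpa_supplicant/wpa_supplicant.conf") as fh:
        for number, problem in check_wpa_supplicant(fh.read()):
            print(f"line {number}: {problem}")
```

On the broken sample the checker flags line 10 (stray brace), line 11 (ssid outside a block) and line 13 (block never closed), which is exactly the region a manual look at the end of the file would have to find.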

tinycheck-frontend.service failed

tinycheck-frontend.service failed, not able to get into http://tinycheck.local or http://127.0.0.1
Any ideas? Can send logs/files if needed.

● tinycheck-frontend.service - TinyCheck frontend service
Loaded: loaded (/lib/systemd/system/tinycheck-frontend.service; enabled; vend
Active: failed (Result: exit-code) since Mon 2022-02-14 16:25:27 GMT; 17s ago
Process: 400 ExecStart=/usr/bin/python3 /usr/share/tinycheck/server/frontend/m
Main PID: 400 (code=exited, status=1/FAILURE)

Feb 14 16:25:27 tinycheck python3[400]: from pyudev.core import Context, Enu
Feb 14 16:25:27 tinycheck python3[400]: File "/usr/local/lib/python3.7/dist-pa
Feb 14 16:25:27 tinycheck python3[400]: from pyudev.device import Devices
Feb 14 16:25:27 tinycheck python3[400]: File "/usr/local/lib/python3.7/dist-pa
Feb 14 16:25:27 tinycheck python3[400]: from ._device import Attributes, Dev
Feb 14 16:25:27 tinycheck python3[400]: File "/usr/local/lib/python3.7/dist-pa
Feb 14 16:25:27 tinycheck python3[400]: from six.moves import collections_ab
Feb 14 16:25:27 tinycheck python3[400]: ImportError: cannot import name 'collect
Feb 14 16:25:27 tinycheck systemd[1]: tinycheck-frontend.service: Main process e
Feb 14 16:25:27 tinycheck systemd[1]: tinycheck-frontend.service: Failed with re

Decrypting TLS encrypted traffic

Pardon the ignorance, but is there any way in which TinyWatch can decrypt HTTPS requests?
Obviously, this would require installing a certificate on the device, so it requires the OK of the device owner. But for anyone analysing the traffic and trying to hunt for intrusions, the additional data (endpoints getting called; strings getting sent/received) would be very beneficial. All of these are currently 'invisible' if they are sent over HTTPS.

CERT-FR's IOC

Hi again!

I try to add IOCs from CERT-FR without success. I tried:

  • c/p raw JSON
  • import JSON file

In all cases, I get

    ✗ 303 IOCs not imported, see details below.

with

    […]
    "galaxy":,                                   | Wrong IOC format
    "shadowattribute":,                          | Wrong IOC format
    "tag":,                                      | Wrong IOC format
    "category":"network activity",               | Wrong IOC format
    "comment":"adresses ip reliées",             | Wrong IOC format
    "deleted":false,                             | Wrong IOC format
    "disable_correlation":false,                 | Wrong IOC format
    […]

I suppose it's parsing related. Can I do something to get it to work?
(for example a script to preprocess the file before importing it in TC)

Which IOC format is used by TC?

Good day!
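
The rejected lines in the post above ("galaxy", "shadowattribute", "deleted", "disable_correlation") are keys of a MISP event export, which means the whole event JSON was pasted line by line into the IOC box. The following is an added example (not TinyCheck's importer, and not an answer to which format TinyCheck expects) of the pre-processing step the post asks about: it walks the event's Attribute entries, including those nested inside MISP Objects, drops deleted and non-detection attributes, reduces URLs to their host name, and de-duplicates. The flat output keys (type, value, tag, tlp) are an assumption chosen for convenience, and the sample event is constructed with documentation addresses.

```python
"""Pre-process a MISP event export into flat network indicators.

Added example, not TinyCheck's importer. Output keys (type/value/tag/tlp)
are an assumed flat shape, not TinyCheck's documented import format.
"""
import json
from urllib.parse import urlsplit

# MISP attribute types carried over, and the plain kind they map to.
NETWORK_TYPES = {
    "ip-dst": "ip", "ip-src": "ip",
    "ip-dst|port": "ip", "ip-src|port": "ip",
    "domain": "domain", "hostname": "domain", "domain|ip": "domain",
    "url": "domain",  # reduced to its host name below
}

# Constructed sample in MISP's export layout (not a real CERT-FR event).
SAMPLE_EVENT = json.dumps({
    "Event": {
        "info": "constructed sample event",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.7", "deleted": False, "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "C2.example.net", "deleted": False, "to_ids": True},
            {"type": "url", "category": "Network activity",
             "value": "http://c2.example.net/gate.php", "deleted": False, "to_ids": True},
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.9", "deleted": True, "to_ids": True},
            {"type": "sha256", "category": "Payload delivery",
             "value": "0" * 64, "deleted": False, "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "benign.example.org", "deleted": False, "to_ids": False},
        ],
        "Object": [
            {"name": "ip-port", "Attribute": [
                {"type": "ip-dst|port", "category": "Network activity",
                 "value": "192.0.2.44|443", "deleted": False, "to_ids": True},
            ]},
        ],
    }
})


def _normalize(misp_type, value):
    """Map one MISP (type, value) pair to (kind, value), or None to skip it."""
    kind = NETWORK_TYPES.get(misp_type)
    if kind is None:
        return None
    if "|" in misp_type:  # composite attribute: keep the left-hand part
        value = value.split("|", 1)[0]
    if misp_type == "url":
        host = urlsplit(value).hostname
        if not host:
            return None
        value = host
    return kind, value.strip().lower()


def extract_network_iocs(event_json, tag="cert-fr", tlp="amber", only_ids=True):
    """Return de-duplicated flat indicators from a MISP event JSON string.

    Deleted attributes are always skipped; with only_ids=True (the default)
    attributes the source did not flag for detection (to_ids=false) are too.
    """
    data = json.loads(event_json)
    event = data.get("Event", data)
    attributes = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attributes.extend(obj.get("Attribute", []))
    seen, out = set(), []
    for attr in attributes:
        if attr.get("deleted"):
            continue
        if only_ids and not attr.get("to_ids", True):
            continue
        norm = _normalize(str(attr.get("type", "")), str(attr.get("value", "")))
        if norm is None or norm in seen:
            continue
        seen.add(norm)
        out.append({"type": norm[0], "value": norm[1], "tag": tag, "tlp": tlp})
    return out


if __name__ == "__main__":
    print(json.dumps(extract_network_iocs(SAMPLE_EVENT), indent=2))
```

On the sample the result is three indicators: the two live addresses and one domain; the URL collapses onto the domain it shares, the deleted address and the hash are dropped, and the to_ids=false domain is kept only when only_ids=False.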

Frontend / admin: One SSID breaks config.yaml formatting for "network:"

When removing all SSIDs under the admin page "MANAGE DEVICE/Network config" and leaving only one, config.yaml is modified.
The modification is subsequently parsed erroneously.

Previous setting under "network:/ssids:" (config.yaml):

 ...
 network:
  in: wlan1
  internet_check: http://example.com
  out: wlan0
  ssids:
  - skynet
  - wireless
  tokenized_ssids: true
 ...

After removal of all and addition of SSID "TEST":

 ...
 network:
  in: wlan1
  internet_check: http://example.com
  out: wlan0
  ssids: TEST
  tokenized_ssids: true
 ...

"TEST" is subsequently rendered as SSIDs "T", "E", "S", "T".
Expected behaviour is restored when manually editing config.yaml to

 ...
  ssids: 
  - TEST
 ...
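
The failure above is a YAML typing problem: `ssids: TEST` is a scalar string, and iterating a string yields its characters. The following is an added example (not TinyCheck's own configuration code) of coercing whatever the loader returned into a list of strings before use and before writing back, so the file can never degrade to the scalar form. load_config() and dump_config() assume PyYAML is installed (TinyCheck already reads config.yaml with it); normalize_ssids() itself needs nothing beyond the standard library. The degraded sample is constructed from the report.

```python
"""Keep network.ssids in config.yaml a list whether it holds one SSID or many.

Added example, not TinyCheck's own config code. PyYAML is assumed to be
installed for load_config()/dump_config(); normalize_ssids() is pure Python.
"""

# Constructed sample: the degraded form from the report above.
DEGRADED_YAML = """\
network:
  in: wlan1
  internet_check: http://example.com
  out: wlan0
  ssids: TEST
  tokenized_ssids: true
"""


def normalize_ssids(config):
    """Coerce config['network']['ssids'] to a list of str, in place, and return it.

    None (an empty `ssids:` key) becomes []. A bare scalar is wrapped, not
    iterated, so "TEST" stays one SSID; an all-digit SSID that YAML parsed
    as an int (e.g. `ssids: 12345`) is turned back into a string.
    """
    network = config.setdefault("network", {})
    raw = network.get("ssids")
    if raw is None:
        ssids = []
    elif isinstance(raw, (list, tuple)):
        ssids = [str(s) for s in raw]
    elif isinstance(raw, (str, int, float)):
        ssids = [str(raw)]
    else:
        raise TypeError(
            f"network.ssids must be a list or a scalar, got {type(raw).__name__}")
    network["ssids"] = ssids
    return ssids


def load_config(text):
    """Parse config.yaml text with PyYAML and normalise the SSID list."""
    import yaml  # PyYAML; imported here so normalize_ssids() works without it
    config = yaml.safe_load(text) or {}
    normalize_ssids(config)
    return config


def dump_config(config):
    """Serialise config back to YAML, always emitting ssids as a block list."""
    import yaml
    normalize_ssids(config)
    return yaml.safe_dump(config, default_flow_style=False, sort_keys=True)


if __name__ == "__main__":
    cfg = load_config(DEGRADED_YAML)
    print(cfg["network"]["ssids"])  # one entry, not four characters
    print(dump_config(cfg))
```

Applying the same normalisation on the write path is the part that matters for the admin page: a single-element list is dumped as a block list, so the next read cannot hit the scalar case again.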

A case/frame for the TFT - screensaver?

You may want to check my quick frame/base/stand hack on Thingiverse:
https://www.thingiverse.com/thing:4679522

The TFT seems to work flawlessly.

How would one make a screensaver for this?
Happy to do a quick GPIO for a status LED - eg. when the screen is blank.
Pointers and hints welcome.

(Didn't know where else to post this.. please move/delete accordingly)

[Question] Use of TinyCheck without internet access

I wonder if it's possible to use TinyCheck without "real" internet access. The purpose is, if the smartphone is infected with spyware, to not send more information to any C2 server.
A solution might be to use a "fake internet" with fake DNS/HTTP responses?

[Documentation] What's the maintainance plan with iocs.json

While searching for possible extensions to the IOCs used by tinycheck, I found myself missing some information about how this iocs.json is to be maintained by this project. You mentioned some sources in the docs, for example https://github.com/Te-k/stalkerware-indicators, but it looks like not all of the available IOCs from there made it into the iocs.json. I am creating a watcher for them right now and it is pain-free with the architecture you came up with.

In general it would be good to know what the plans are to maintain the iocs.json in this repo. Are you watching sources like Te-k/stalkerware-indicators proactively and updating the iocs.json? Is the plan to maintain this repository as a comprehensive list of IOCs with input/PRs from the community, as

If you have seen something very suspicious and/or needs to be investigated/integrated in one of these two lists, don't hesitate to ping us. You can also do you own watcher. Remember, sharing is caring.

suggests?

Thanks for a feedback on this matter :)
