Sunday, December 13, 2009

Building the Perfect Backtrack 4 USB Thumb Drive

This post will show you how to build a USB thumb drive with the following features:
  • Persistent Changes
  • Nessus and NessusClient installed
  • Encryption configured for storing data
Tools and Supplies
  1. USB thumbdrive – minimum capacity 4GB
  2. BackTrack 3 CDROM, BackTrack 4 DVD or an additional USB thumbdrive (minimum 2GB) – Used to partition the thumbdrive.
  3. Optional: UNetbootin – A tool to transfer an iso image to a USB drive.
Download the BackTrack ISO (BackTrack 4 Pre Release is the latest as of this posting)

This tutorial is based commands executed from BackTrack, so you will have to boot BackTrack 4 first. The easiest way to do this is to boot from the BackTrack 4 DVD, which is a live CD.

Partition the USB thumbdrive
First, boot to BackTrack 4. You will have to figure out which drive is the target drive. The following command will show the drives available and you can determine from that which is the new USB drive:
dmesg | egrep hd.\|sd.
Partition and format the drive as follows:
  1. The first partition needs to be a primary partition of at least 1.5 GB and set to type vfat. Also remember to make this partition active when you are creating it. Otherwise you might have some boot problems.
  2. The second Partition can be the rest of the thumb drive.
Below are the steps to take to get the drive partitioned and formatted, and were taken from this video on the Offensive Security website. A ‘#‘ indicates a comment and is not part of the command and user typed commands are blue bold. Note, make sure to delete any existing partitions on the drive first.
fdisk /dev/sda # use the appropriate drive letter for your system
# delete existing partitions, of which there may be more than one. 

Command (m for help): d
Partition number (1-4): 1 

# create the first partition 
Command (m for help): n
Command action
e extended
p primary partition (1-4)
Partition number (1-4): 1
First cylinder (1-522, default 1): <enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-522, default 522): +1500M 

#create the second partition 
Command (m for help): n
Command action
e extended
p primary partition (1-4)
Partition number (1-4): 2
First cylinder (193-522, default 193): <enter>
Using default value 193
Last cylinder, +cylinders or +size{K,M,G} (193-522, default 522): <enter>
Using default value 522

# Setting the partition type for the first partition to vfat/fat32 
Command (m for help): t
Partition number (1-4): 1
Hex code (type L to list codes): b
Changed system type of partition 1 to b (W95 FAT32) 

# Setting the partition type for the second partition to Linux 
Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 83 

# Setting the first partition active 
Command (m for help): a
Partition number (1-4): 1 

Command (m for help): w 
# now it is time to format the partitions 
mkfs.vfat /dev/sdb1
mkfs.ext3 -b 4096 -L casper-rw /dev/sdb2

Two things to notice above in the format commands:
  1. We are using ext3 instead of ext2
  2. You must include the -L casper-rw portion of the command.
Being able to use ext3 is great because of journaling. The -L casper-rw option helps to get around the problem where we had to enter the partition name in order to get persistence working.

Partition and format the drive according the layout above.

Make it a bootable BackTrack 4 USB thumb drive
These steps are also taken from the Offensive Security video mentioned above.  They are:
  1. Mount the first partition
  2. Copy the BackTrack files to it
  3. Install grub
Execute the following commands.
# mount the first partition, sda1 in my case. 
mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1

# copy the files, you will need to find where the ISO is mounted on your system. 
cd /mnt/sda1
rsync -r /media/cdrom0/* .

# install grub 
grub-install --no-floppy --root-directory=/mnt/sda1 /dev/sda
Now you have a bootable BackTrack 4 USB thumb drive. Next let's configure persistent changes.

Persistent Changes
This is done much differently and more easily than it was in BackTrack 4 Beta or BackTrack 3. First of all, for basic persistence, no configuration is required. There is already a menu option for this, however, it is only for console mode so you will have to make a couple changes:
  1. Change the default boot selection to persistent
  2. Set the resolution for the GUI
cd /mnt/sda1/boot/grub
vi menu.lst 

# change the default line below to ‘default 4' and append ‘vga=0×317' (that’s a zero) to the kernel line to set the resolution to 1024×768 

# By default, boot the first entry.
default 4
title Start Persistent Live CD
kernel /boot/vmlinuz BOOT=casper boot=casper persistent rw quiet vga=0×317
initrd /boot/initrd.gz

Reboot and either select “Start Persistent Live CD” or just wait since we set it to auto-boot to persistent mode. To testit, create a file and reboot again. If your file is still there, everything is working.

Install Nessus
Download the Ubuntu Nessus and NessusClient packages from nessus.org.

Again, with BackTrack 4 things are little easier. To install the Nessus server, simply execute the following command to install the package.
dpkg --install Nessus-4.0.2-ubuntu810_i386.deb
Things used to be a little bit more complicated for the client, but with the release of the pre-final version, it is just as easy as installing as the server.
dpkg --install NessusClient-4.0.2-ubuntu810_i386.deb
Finally it’s time to configure Nessus. Execute each of the following and follow the prompts.
#create server certificate 
This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your Nessus daemon will be able to retrieve this information.
CA certificate life time in days [1460]:<enter>
Server certificate life time in days [365]:<enter>
Your country (two letter code) [FR]:US
Your state or province name [none]:State
Your location (e.g. town) [Paris]:City
Your organization [Nessus Users United]:<enter>
Congratulations. Your server certificate was properly created.

# add user 
Login :Admin
Authentication (pass/cert) : [pass]<enter>
Login password :
Login password (again) :
Do you want this user to be a Nessus ‘admin’ user ? (can upload plugins, etc…) (y/n) [n]:y
User rules
nessusd has a rules system which allows you to restrict the hosts
that Me has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)
Login : Admin
Password : ***********
This user will have ‘admin’ privileges within the Nessus server
Rules :
Is that ok ? (y/n) [y]y
User added
We want to disable Nessus starting at boot. We are going to do some things a little later than require that Nessus not be running at boot. 

/usr/sbin/update-rc.d -f nessusd remove
This command does not remove the Nessus start scripts. It only removes the links that cause Nessus to start at boot time.

The next thing to do is register the installation so you can get the plugin feed. You need to go here and request
a key.

Once you have your key. Execute the following to update your plugins. Please note that there are two dashes before register in the nessus-fetch line below. They can display as one sometimes.
/opt/nessus/bin/nessus-fetch --register [your feed code here]
When that is done, and it is going to take a few minutes, you are ready to start the server and client. Be aware that with version 4.0, while the command to start returns quickly, the actual starting of the service may take a minute or two. You may have to reboot before Nessus will work. You can use netstat -na to check that the
server is listening on port 1241.
/etc/init.d/nessusd start

Time to find those vulnerabilities.

Configure Encryption
Since BackTrack will be used to poke at peoples networks and systems, with permission of course, it is very important that the information we find be protected. To do this, we are going to setup an encrypted volume that will eventually become our home directory.

This can be done with the GUI or via command line. We will be using the gui because we need to be able to format the volume with ext3 and, as yet, I have not been able to figure out how to do that via the command line on linux.
  • Launch truecrypt from a terminal window.  
  • When truecrypt opens click the "Create Volume" button.  
  • In the Volume Location field enter the path to your volume, like /work_dir, click next.  
  • Leave the default Encryption Options & click next.  
  • Enter the volume size, say 1GB or so.  
  • Enter and confirm your desired password. 
  •  Select ext3 for the file system type, click next.  
  • Click next on the Cross-Platform Support page leaving the default values.  
  • Click format - you should move your mouse to create randomness for higher security.
You will get a message that the volume was successful created. Click on the ‘OK’ button, then exit the Truecrypt gui, both the ‘Create Volume’ windows and the main windows, going back to your terminal (command line) window.

To test the filesystem, execute the following, note the -k ” is two single quotes, not a double quote:
truecrypt -t -k ” --protect-hidden=no /work_dir /media/truecrypt1
cd /media/truecrypt1
df .

This will show that the volume is mounted and the amount of disk space you have left. The next step is to have this volume mounted when you log in. This can be done by editing the root user’s .profile file. Add the truecrypt command above to root’s .profile so it looks like this:
# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
truecrypt -t -k '' --protect-hidden=no /my_secret_stuff /media/truecrypt1
mesg n

The next time you reboot you will be asked for the password for the volume and it will be mounted for you.

Now let's tweak a few tings
The first thing we are going to do is configure networking to start at boot time. It’s convenient and easy to
disable later if necessary. All you have to do is execute the following command.
/usr/sbin/update-rc.d networking defaults
Next, make sure all the BackTrack tools and the system itself is up-to-date. First execute the following:
apt-get update
This is update the software repository information. Next, execute:
apt-get upgrade
The system will determine if there is anything that needs to be updated and then prompt you to continue. Individual packages can be updated by including the package name after upgrade.

Next reset the root user’s home directory during the login process to the mounted truecrypt volume. This will ensure that anything written to the home directory will be encrypted. Enter the following commands:
cd /media/truecrypt1
rsync -r –links /root/ .

# add the bold lines below 
vi /root/.profile 
# ~/.profile: executed by Bourne-compatible login shells. 
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
truecrypt -t -k '' --protect-hidden=no /my_secret_stuff /media/truecrypt1 

export HOME=/media/truecrypt1
export HISTFILE=/media/truecrypt1/.bash_history

mesg n 
The next time you reboot, when you are finally in the system, your home directory will be /media/truecrypt1.
There is one last thing we should do - change nessus to log to the encrypted volume. This is very easy. The
file that controls this is /opt/nessus/etc/nessus/nessusd.conf. We need to create a place for the log files to go. Execute the following:
cd /media/truecrypt1
mkdir -p nessus/logs

Once you have done that, edit the /opt/nessus/etc/nessus/nessusd.conf file and change this:
# Log file :
logfile = /opt/nessus/var/nessus/logs/nessusd.messages
# Shall we log every details of the attack ? (disk intensive)
log_whole_attack = no
# Dump file for debugging output
dumpfile = /opt/nessus/var/nessus/logs/nessusd.dump

to this:
# Log file :
logfile = /media/truecrypt1/nessus/logs/nessusd.messages
# Shall we log every details of the attack ? (disk intensive)
log_whole_attack = no
# Dump file for debugging output
dumpfile = /media/truecrypt1/nessus/logs/nessusd.dump

That’s it. Now you have the Perfect Backtrack 4 USB Thumb Drive.

More BackTrack:

No comments:

Post a Comment