Recover Files from a Windows NTFS partition using Linux based SystemRescue

11 Tuesday Jan 2022

Posted by Slice2 in Linux, Security, Windows

SystemRescue (formerly named SystemRescueCd) is a bootable Linux rescue toolset for repairing or manipulating your partitions and data on a disk. This post shows how to quickly mount a Windows NTFS file system to recover files.

1) Download the ISO and burn it to CD. Or, if you are rescuing a Windows VM, you will just mount the ISO.
https://www.system-rescue.org/Download/

2) Boot to SystemRescue. If you are working on a physical host, you may need to change you BIOS setting to boot the CD/DVD drive first. If a VM, make sure you attach the ISO and modify your boot order if needed. When presented to you, select “Boot SystemRescue using default options.” The Live CD option will load and when prompted, enter:

[root@sysrescue ~]# startx

3) The desktop will load and provide access to various tools. When the desktop is loaded, you can either enable the network or mount a USB drive to insert a file (drivers, tweaks, etc.) or retrieve files from the file system. Depending on the method you choose, see Network Access or USB Drive Access below for the steps.

a) Network Access. In the lower right corner, right-click the rotating swoosh and green dots icon and select edit connections. Select Wired Connection 1 and click the gear icon at the bottom. On the IPv4 Settings tab, select Method, then Manual, click Add and enter an IP address, Mask, Gateway, DNS (if DNS is needed) and click Save. It can take about 10 seconds for the settings to apply and the network service to restart. Ping to verify that it is up.

b) To quickly enable SSH/SCP/SFTP and securely harvest files over the network:
[root@sysrescue ~]# systemctl enable sshd
[root@sysrescue ~]# systemctl start sshd
[root@sysrescue ~]# systemctl disable iptables
[root@sysrescue ~]# systemctl stop iptables
[root@sysrescue ~]# passwd (to reset the root password)

c) Launch an Xterm, Putty or Powershell on a remote host to verify access. For example in an xterm or Powershell:
> ssh root@ip.you.assigned.above

d) If using Filezilla: to drag and drop/copy files to or from, enter these parameters and click QuickConnect.
Host: sftp://ip.you.assigned.above
Username: root
Password: root’s password
Port: 22

e) USB Drive Access. Insert a USB drive to the physical host or attach a USB device to a VM. In this case, the device ID below a simple 2 GB, vfat formatted PNY USB stick.
[root@sysrescue ~]# blkid (to find your USB device such as the one listed below on /dev/sdb1)

/dev/sdb1: LABEL=”SYSRCD-5″ UUID=”90BB-72F0″ BLOCK_SIZE=”512″ TYPE=”vfat” PARTUUID=”04aa1751-01″

f) Mount the USB device. Once mounted, you can move or copy files to or from the /usbdrive mount point.
[root@sysrescue ~]# mkdir /usbdrive
[root@sysrescue ~]# mount /dev/sdb1 /usbdrive
[root@sysrescue ~]# ls -l /usbdrive
drwxr-xr-x 2 root root 4096 Nov 22 2019 ‘System Volume Information’

4) Check for the Windows partition.
[root@sysrescue ~]# blkid | grep ntfs
/dev/sda2: BLOCK_SIZE=”512″ UUID=”ECF28F77F28F44B4″ TYPE=”ntfs” PARTUUID=”03fdd544-02″
/dev/sda1: LABEL=”System Reserved” BLOCK_SIZE=”512″ UUID=”240E8ECC0E8E9688″ TYPE=”ntfs” PARTUUID=”03fdd544-01″

a) See /dev/sda1 in the list? The partition with LABEL=”System Reserved” is not the one you want to mount. In this case, /dev/sda2 is the Windows OS partition with all of your files, logs, registry, etc.

b) Create a mountpoint and mount the Windows partition.
[root@sysrescue ~]# mkdir -pv /mnt/windows
[root@sysrescue ~]# ntfs-3g /dev/sda2 /mnt/windows

c) Check the new mountpoint.

[root@sysrescue ~]# cd /mnt/windows
[root@sysrescue /mnt/windows]# ls -l
drwxrwxrwx 1 root root 0 Aug 22 2013 ‘$Recycle.Bin’
-rwxrwxrwx 1 root root 427680 Aug 22 2013 bootmgr
-rwxrwxrwx 1 root root 1 Jun 18 2013 BOOTNXT
lrwxrwxrwx 2 root root 23 Aug 22 2013 ‘Documents and Settings’ -> /mnt/windows/Users
-rwxrwxrwx 1 root root 2147483648 Dec 17 20:51 pagefile.sys
drwxrwxrwx 1 root root 0 Aug 22 2013 PerfLogs
drwxrwxrwx 1 root root 4096 Dec 16 19:07 ProgramData
drwxrwxrwx 1 root root 4096 Dec 16 18:37 ‘Program Files’
drwxrwxrwx 1 root root 4096 Apr 16 2021 ‘Program Files (x86)’
drwxrwxrwx 1 root root 0 Nov 27 2020 ‘System Volume Information’
drwxrwxrwx 1 root root 0 May 24 2021 temp_share
drwxrwxrwx 1 root root 4096 Nov 27 2020 Users
drwxrwxrwx 1 root root 0 Nov 27 2020 vboxshare
drwxrwxrwx 1 root root 24576 Dec 17 20:52 Windows

d) You can also launch the GUI File Manager (Thunar) and simply double-click into the /mnt/windows folder. Click the blue X where the Windows Start icon would normally be > select File Manager. Under Devices select File System and then double-click the “mnt” folder and then the “windows” folder. Launch another File Manager window and you can simply drag and drop between the “windows” and “usbdrive” folders.

5) Files of interest. For troubleshooting a broken system, check the following locations.

a) User and log files.
/mnt/windows/Users/<your_username>/Documents
/mnt/windows/Users/<your_username>/Downloads
/mnt/windows/Windows/debug
/mnt/windows/Windows/Logs
/mnt/windows/Windows/Prefetch (useful if it was enabled)
/mnt/windows/Windows/System32/drivers (to remove a buggy driver)
/mnt/windows/Windows/System32/drivers/etc/hosts (to see if IPs were defined)
/mnt/windows/Windows/System32/LogFiles
/mnt/windows/Windows/System32/winevt/Logs (for all of the Windows Event Viewer Logs)

b) Registry files:
/mnt/windows/Windows/System32/config

6) When done, unmount the folders and reboot/shutdown. Change your directory first and umount.
[root@sysrescue /mnt/windows]# cd /
[root@sysrescue ~]# umount /mnt/windows
[root@sysrescue ~]# umount /usbdrive

a) Shutdown the host. Click the blue X in the lower left > Log out > Shutdown.

Sysmon Event ID 1 Process Creation rules for Splunk Universal Forwarder and McAfee All Access

20 Saturday Nov 2021

Posted by Slice2 in Security, Splunk

≈ Leave a comment

Tags

Security, Splunk, Sysmon

When using Sysmon to monitor processes in Splunk, you can exclude the chattiest processes that eat away at your license and indexing I/O. Splunk recommends excluding its own Universal Forwarder as well as antivirus products.

1) Splunk’s Sysmon Add-on docs list a few options for the sysmon config file. I used the SwiftOnSecurity template and simply added the UF and McAfee executables.

Splunk Add-on for Sysmon Doc:
https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/ConfigureSysmon

Ready to run Sysmon config file:
https://github.com/SwiftOnSecurity/sysmon-config

Sysmon:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

2) Open your Sysmon xml config file with Notepad++ or VSCode. Use Notepad++ or VSCode when editing xml on Windows. They recognize UNIX newline format and XML syntax highlighting so your file will be easier to read. Don’t use Notepad.exe. Under the heading <!–SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]–> enter the text below and save the file.

3) When done editing, reload the active config.

> sysmon -c c:\path\to\your_sysmon_config_file_v2.xml

<!–SECTION: Splunk:Universal Forwarder–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image> <!–Splunk:Universal Forwarder: binary that accesses, processes, and indexes streaming data–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\btool.exe</Image> <!–Splunk:Universal Forwarder: cli util used to troubleshoot config file issues–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image> <!–Splunk:Universal Forwarder: the control application for the Windows version of Splunk–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Image> <!–Splunk:Universal Forwarder: runs whenever you configure an Active Directory monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you monitor performance data–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure Splunk to monitor network information–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a Registry monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Image> <!–Splunk:Universal Forwarder: event log collections, outputs events as they are collected–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostmon</Image> <!–Splunk:Universal Forwarder: runs when you configure a Windows host monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a Windows print monitoring input –>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a performance monitor–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a PowerShell command or script monitor–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image> <!–Splunk:Universal Forwarder: this input monitors files without using Windows file handles.–>
<!–SECTION: McAfee:AntiVirus–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\CommonBuild\McCBEntAndInstru.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\McPltCmd.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MQS\QcShm.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee.com\Agent\mcupdate.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\MSGSDK\msgrunner.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\TaskScheduler\McAMTaskAgent.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\UPDMGR\8.1.149.1\mcupdatemgr.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\CSP\4.1.106.0\McCSPServiceHost.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\mcinfo.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\MSM\McSmtFwk.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\OOBE\mcocrollback.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\McInstru.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\UPDMGR\8.1.149.1\mcupdutl.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\DynamicAppDownloader\DADUpdater.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\HackerWatch\hwupdchk.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\mcsync.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\ChromiumContainer\delegate.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\VUL\McVulCtr.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\VUL\McVulCon.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MfeAV\MfeAVSvc.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\CoreUI\Launch.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee.com\Agent\mcagent.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>

Upgrading CentOS 7.2003 to 7.2009 on an Offline or Air-Gapped System

01 Friday Jan 2021

Posted by Slice2 in Linux

≈ Leave a comment

This post demonstrates how to patch or upgrade a CentOS 7 host when it doesn’t have internet access or is an isolated system with no access to a yum repo. On a host with internet access (Public facing host) or a local repo, perform the following steps.

1) Make sure you have genisoimage and yum-utils installed. If not install them.

> sudo rpm -q genisoimage-*
genisoimage-1.1.11-25.el7.x86_64

> sudo rpm -q yum-utils
yum-utils-1.1.31-54.el7_8.noarch

> sudo yum install genisoimage
> sudo yum install yum-utils

2) On your internet facing host create folders for the packages you need. You can specify any folder(s) you require. I only require os, extras and updates but you may have packages installed from other folders. The full list is listed below.

atomic/
centosplus/
cloud/
configmanagement/
cr/
dotnet/
extras/
fasttrack/
isos/
messaging/
nfv/
opstools/
os/
paas/
rt/
sclo/
storage/
updates/
virt/

a) Create the folders.

> sudo mkdir -pv /repo/os
> sudo mkdir -pv /repo/updates
> sudo mkdir -pv /repo/extras

b) Use rsync to harvest the rpms and repo data. Note that these folders will create a 17.1 Gig ISO file in the next step. You need a Blu-ray burner or USB drive to move the file.

> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/os/x86_64/ /repo/os
> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/updates/x86_64/ /repo/updates
> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/extras/x86_64/ /repo/extras

c) Use genisoimage to create an ISO of the whole set. Note. In the command below, I write this ISO image to a VirtualBox shared folder mounted at /vboxshare. Use any path you like. The syntax is: genisoimage cli options – location and name of ISO file to be created and files/folders to be included in the ISO.
> genisoimage -U -r -v -J -joliet-long -allow-multidot -allow-lowercase -iso-level 4 -o /vboxshare/centos7.9.2009repo.20210101.iso /repo

3) Burn the ISO (as a file, not as an extracted image), or copy to a USB drive and move it to the offline host. Since I have VMs, I will mount the ISO to the VM. If you need to mount the ISO on a host with a Blu-ray player or on the local filesystem, see the manual mount section below.

a) Mount the ISO. You have options if you don’t automount ISOs. If your host is a VM, mount it as your hypervisor dictates. You can also copy the ISO to the local filesystem and mount it. Or, manually mount the ISO from a local or USB attached DVD/blu-ray.

> sudo mkdir /mnt/iso
> sudo mount -t iso9660 -o loop /home/repouser/centos7.9.2009repo.20210101.iso /mnt/iso/
— or
> sudo mkdir /mnt/iso
> sudo blkid (to find your cd/dvd device, chances are its /dev/sr0)
> mount /dev/sr0 /media/iso/

b) Once the ISO is mounted, verify the contents. In my case the path is shown below. If your mounted path is different, you need to adjust the baseurl path in local.repo in upcoming step 5.
> df -h
/dev/sr0 17G 17G 0 100% /run/media/root/CDROM

> ls -l /run/media/root/CDROM
dr-xr-xr-x. 4 root root 2048 Jan 1 10:30 extras
dr-xr-xr-x. 8 root root 2048 Jan 1 05:23 os
dr-xr-xr-x. 4 root root 2048 Jan 1 15:42 updates

Note: Each path location listed above must have a Packages and repodata folders inside. If they don’t, it won’t work.

4) On the CentOS host, create an archive folder if it doesn’t already exist. Move existing *.repo files to the archive folder.

> sudo mkdir -pv /etc/yum.repos.d/archive
> cd /etc/yum.repos.d/
> sudo /bin/mv *.repo archive/

5) Create the local.repo file in /etc/yum.repos.d/ and paste in the contents below.

> cd /etc/yum.repos.d/
> sudo vi local.repo (add the lines below and issue a wq! to save the file)

[base]
name=CentOS-$releasever – Base
baseurl=file:///run/media/root/CDROM/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever – Updates
baseurl=file:///run/media/root/CDROM/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever – Extras
baseurl=file:///run/media/root/CDROM/extras/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

6) Mount the CentOS rsync’d update ISO is not already done and update the OS.

> yum update
> reboot

Note: If you get errors trying to run yum update due to gpg checks, just comment out gpgkey and change gpgcheck to 0 in the local.repo file, and then run yum update again.

a) Login and check the release file to confirm the new version.

> cat /etc/centos-release

b) Mount the ISO again (if done manually). Install these packages on the offline system and then clean up old kernels to prevent your /boot from filling up. The – -count=2 leaves two kernels. Also, there are two dashes (- -) in front of oldkernels and count.

> sudo yum install genisoimage
> sudo yum install yum-utils
> package-cleanup – -oldkernels – -count=2

c) Move the new OS default repos to the archive folder.

> cd /etc/yum.repos.d/
> sudo /bin/mv CENTOS-*.repo archive/
> ls -l (and you should only have local.repo listed)

7) After you are done updating to the new OS release, comment out all of the [base] and [extras] sections in the local.repo file. All future patches will be in the [updates] repo. When a new OS version is released, just un-comment [base] and [extras].

a) Now that you are updated to 7.9.2009, you only need to rsync the updates folder and create the ISO with only the updates folder. For example, on the internet facing server you would only need to run these commands.
> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/updates/x86_64/ /repo/updates
> genisoimage -U -r -v -J -joliet-long -allow-multidot -allow-lowercase -iso-level 4 -o /vboxshare/centos7.9.2009repo.20210101.iso /repo/updates

HOWTO Easily Resize the Default LVM Volume on Ubuntu 18.04

05 Saturday Dec 2020

Posted by Slice2 in Linux

≈ 8 Comments

Say you have a 40 Gig disk. When the installer creates the encrypted volume during initial OS installation, it partitions the whole disk but only creates a 20 GB logical volume. You should resize the default volume group to increase the usable disk from 20 to 40 GB.

1) You will run a test first to verify that it can resize properly before you actually modify the partition.
a. Change to root and gather a few details. Points of interest are in bold red. You can see that the partition (type=part) for sda3 is 39G and the logical volume (type=lvm) is only 20 G.
> sudo -s (or su – root)
> lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 89.1M 1 loop /snap/core/8268
loop1 7:1 0 96.5M 1 loop /snap/core/9436
sda 8:0 0 40G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 1G 0 part /boot
└─sda3 8:3 0 39G 0 part
└─dm_crypt-0 253:0 0 39G 0 crypt
└─ubuntu–vg-ubuntu–lv 253:1 0 20G 0 lvm /
sr0 11:0 1 1024M 0 rom

> df -h | grep “ubuntu–vg-ubuntu–lv”

/dev/mapper/ubuntu–vg-ubuntu–lv 20G 15G 4.0G 79% /

b. Now that we know the logical volume is only 20 Gigs, we can resize it to the remaining open free space. First, we will test this command using the -t switch (for test) and view the output for errors. If clean, proceed.
> lvresize -t -v -l +100%FREE /dev/mapper/ubuntu–vg-ubuntu–lv

TEST MODE: Metadata will NOT be updated and volumes will not be (de)activated.
Converted 100%FREE into at most 4862 physical extents.
Test mode: Skipping archiving of volume group.
Extending logical volume ubuntu-vg/ubuntu-lv to up to 38.99 GiB
Size of logical volume ubuntu-vg/ubuntu-lv changed from 20.00 GiB (5120 extents) to 38.99 GiB (9982 extents).
Test mode: Skipping backup of volume group.
Logical volume ubuntu-vg/ubuntu-lv successfully resized.
Test mode: Wiping internal cache
Wiping internal VG cache

2) Once you see that the test was successful, remove the -t switch (for test) from the previous command to actually increase the logical volume.
> lvresize -v -l +100%FREE /dev/mapper/ubuntu–vg-ubuntu–lv

Converted 100%FREE into at most 4862 physical extents.
Archiving volume group “ubuntu-vg” metadata (seqno 2).
Extending logical volume ubuntu-vg/ubuntu-lv to up to 38.99 GiB
Size of logical volume ubuntu-vg/ubuntu-lv changed from 20.00 GiB (5120 extents) to 38.99 GiB (9982 extents).
Loading ubuntu–vg-ubuntu–lv table (253:1)
Suspending ubuntu–vg-ubuntu–lv (253:1) with device flush
Resuming ubuntu–vg-ubuntu–lv (253:1)
Creating volume group backup “/etc/lvm/backup/ubuntu-vg” (seqno 3).
Logical volume ubuntu-vg/ubuntu-lv successfully resized.

> lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 89.1M 1 loop /snap/core/8268
loop1 7:1 0 96.5M 1 loop /snap/core/9436
sda 8:0 0 40G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 1G 0 part /boot
└─sda3 8:3 0 39G 0 part
└─dm_crypt-0 253:0 0 39G 0 crypt
└─ubuntu–vg-ubuntu–lv 253:1 0 39G 0 lvm /
sr0 11:0 1 1024M 0 rom

3) Now that the logical volume is 39G, get the FS type and resize the filesystem on the newly acquired space. We can see that it’s using ext4.
> df -h -T |grep vg
/dev/mapper/ubuntu–vg-ubuntu–lv ext4 20G 15G 4.0G 79% /

a. Since the file system is ext4, we will use the resize2fs command.
> resize2fs -p /dev/mapper/ubuntu–vg-ubuntu–lv

resize2fs 1.44.1 (24-Mar-2018)
Filesystem at /dev/mapper/ubuntu–vg-ubuntu–lv is mounted on /; on-line resizing required
old_desc_blocks = 3, new_desc_blocks = 5
The filesystem on /dev/mapper/ubuntu–vg-ubuntu–lv is now 10221568 (4k) blocks long.

b. Now verify the new size of your root volume to confirm that it has increased in size.
> df -h -T |grep vg
/dev/mapper/ubuntu–vg-ubuntu–lv ext4 39G 15G 22G 41% /

Create a Docker Container for your Cisco ESA, SMA or WSA Offline Content Updates

23 Monday Nov 2020

Posted by Slice2 in Cisco

≈ Leave a comment

This process demonstrates how to use a Docker container to update your Cisco ESA and SMA (and WSA) appliances.

This HOWTO assumes you have a functioning Docker environment, the Cisco ESA/SMA (or WSA) Offline Content license, the Cisco Offline Content Public internet facing server and the 20200302-123456789_ipServer-v1.tar file from Cisco.

1) On your Public internet facing Cisco Offline Content server, run the ipClient –apps command to update the Content folders.
> sudo perl ipClient-v9.0.pl –apps
a. The command above creates the /cisco/offline/ipclient/transferPackage/applications.tar file with all of the updates bundled inside.

2) On the Docker server, create the new working directory for your Dockerfile. In this case, the admin user’s home folder is /home/admin and the new folder is ciscooffct.
> sudo mkdir –p ciscooffct
> cd ciscooffct

3) Inside the ciscooffct folder, create a file named Dockerfile and copy/paste the section below into that file and save it. Note, you can edit (or remove) the label section below to whatever you want. It’s just for informational purposes.
> vi Dockerfile (in vi, enter wq! when done pasting in the text below to save)

# Base OS.
FROM ubuntu:18.04

# Update the OS and install perl and apache2 packages.
RUN apt-get update && apt-get install -y \
libconfig-tiny-perl \
libanyevent-dbi-perl \
liblwp-protocol-https-perl \
libxml-opml-simplegen-perl \
libdbd-csv-perl \
libanyevent-dbd-pg-perl \
libwww-perl \
apache2 \
vim-tiny \
vim \
inetutils-ping \
&& rm -rf /var/lib/apt/lists/*

# Create the apache folders and enable it.
RUN mkdir -pv /cisco/offline/ipclient
RUN mkdir -pv /cisco/offline/ipclient/files
RUN mkdir -pv /cisco/offline/ipclient/logs
RUN mkdir -pv /cisco/offline/ipclient/cert
RUN mkdir -pv /cisco/offline/ipclient/httpd
RUN mkdir -pv /cisco/offline/ipclient/httpd/manifests
RUN mkdir -pv /cisco/offline/ipclient/DATABASE
RUN mkdir -pv /cisco/offline/ipclient/transferPackage

RUN mkdir -pv /cisco/offline/
RUN mkdir -pv /cisco/offline/ipclient/updater
RUN mkdir -pv /cisco/offline/ipclient/updater/logs
RUN mkdir -pv /var/www/html/asyncos
RUN mkdir -pv /cisco/offline/ipServer

# Copy the modified processUploads.pl script to the image.
COPY 20200302-123456789_ipServer-v1.tar /cisco/offline/ipServer/
COPY applications.tar /cisco/offline/ipclient/transferPackage/
RUN ls -l /cisco/offline/ipServer/
RUN cd /cisco/offline/ipServer/ && tar -xf 20200302-123456789_ipServer-v1.tar
RUN chmod -R 755 /cisco/offline/ipServer

# Set one or more individual labels
LABEL version=”0.1-beta”
LABEL vendor1=”Cisco”
LABEL created-by=”slice2″
LABEL release-date=”2020-NOV-23″

# Apache ports
EXPOSE 80
EXPOSE 443

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2

# Run Apache
CMD [“/usr/sbin/apache2ctl”, “-D”, “FOREGROUND”]

# Get a shell after you run the container.
CMD [“/bin/bash”]

4) When you purchased the Offline Content support contract from Cisco, you received the ipClient, ipServer and Certificate files. Locate the server side file 20200302-123456789_ipServer-v1.tar (or whatever your version string is) as you will need it for this to work.
a. Extract the tar file and edit the processUploads.pl script.
b. The sections below should be modified. For the $LOCAL_UPDATE_SERVER value, enter the IP address of your Docker container. This is usually 172.17.0.2 for the first container and increments by 1 for each container. Run the docker ps –a command to see how many containers are running (see the STATUS header). If it doesn’t say Exited, it’s running.

my $UPLOAD_PATH = “/cisco/offline/ipclient/transferPackage”;
my $HTTPD_PATH = “/var/www/html”;
my $LOCAL_UPDATE_SERVER = “your internal or private server IP or FQDN”;
open(LOG, “/cisco/offline/ipclient/updater/logs/cleanup.log”);

c. After you have edited the file, tar it back up using the same file name.

5) Move your files. Copy both files, 20200302-123456789_ipServer-v1.tar and /cisco/offline/ipclient/transferPackage/applications.tar (from the Public server), to the /home/<your username>/ciscooffct folder on your Docker server. It should look like this.
admin@lab01 ciscooffct]$ pwd

/home/admin/ciscooffct

[admin@lab01 ciscooffct]$ ls -l

-rwxr-xr-x. 1 admin admin 28160 Nov 5 15:06 20200302-123456789_ipServer-v1.tar
-rwxr-x—. 1 admin admin 1123635200 Nov 5 16:45 applications.tar
-rw-rw-r–. 1 admin admin 2362 Nov 5 17:36 Dockerfile

6) On the Docker server, build the image. The image name is ciscooffct and the tag is ESA-SMA.

> docker build -t ciscooffct:ESA-SMA .

7) Run the image now that it has been built.

> docker run -ti -p80:80 –name ciscooffct ciscooffct:ESA-SMA

a. You will notice that you have a new prompt inside the container.

root@d33c4054c299:/# df -h
Filesystem Size Used Avail Use% Mounted on
overlay 36G 27G 8.9G 75% /
tmpfs 64M 0 64M 0% /dev
tmpfs 3.8G 0 3.8G 0% /sys/fs/cgroup
shm 64M 0 64M 0% /dev/shm
/dev/mapper/centos_lab01-root 36G 27G 8.9G 75% /etc/hosts
tmpfs 3.8G 0 3.8G 0% /proc/asound
tmpfs 3.8G 0 3.8G 0% /proc/acpi
tmpfs 3.8G 0 3.8G 0% /proc/scsi
tmpfs 3.8G 0 3.8G 0% /sys/firmware

b. Open a new xterm or new xterm tab to get a prompt on the Docker host, not inside the container. On the Docker terminal, enter the command below to find the IP address of the container and ping it.

> docker exec ciscooffct cat /etc/hosts | grep 172
172.17.0.2 d33c4054c299

> ping 172.17.0.2

c. Next, get the running status of the container.

> docker ps -a | grep ciscooffct
d33c4054c299 ciscooffct:ESA-SMA “/bin/bash” 18 minutes ago Up 18 minutes
0.0.0.0:80->80/tcp, 443/tcp ciscooffct

d. Back in the container terminal (the one with the root@d33c4054c299:/# prompt), run the perl script and start Apache.
> cd /cisco/offline/ipServer/20200302-123456789_ipServer-v1

> perl processUploads.pl

> apachectl start

e. If you have one, launch a browser on your Docker server and test access to the update content. If not, simply launch a browser on another host and point it to the IP address of the Docker server (not the container).

8) Commit your changes and prepare the image for export. Keep the container running during this process.
a. Find the container ID (in Red)

> docker ps -a | grep cisco
42f04b35318a ciscooffct:ESA-SMA “/bin/bash” About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 443/tcp ciscooffct

b. Commit your changes before saving the image. This captures the new content updates. For the “-a” value, just enter the person’s name or initials that committed the changes.

> docker commit -a “Slice2” 42f04b35318a ciscooffct:ESA-SMA
sha256:c2c51d8936a0f0fa3101057101df43e3fb0084ad017669fd20a97666634fa194

c. Save a copy of the image and increment the name by one using the v1 (v2, v3, etc.) method. Check the size of the file when done.

> docker save -o ciscooffctv1.tar ciscooffct:ESA-SMA
> du -h ciscooffctv1.tar
2.4G ciscooffctv1.tar

d. Transfer the file to the production Docker server on your internal (Private) network and place it in /tmp (or the location of your choice) and load it. Make sure the ownership/permissions on the .tar file are correct before you load it. Check with the Docker server admin and adjust accordingly with chown/chmod. By default, the .tar file is created with 0600 (rw——-).

> docker load < /tmp/ciscooffctv1.tar
Loaded image: ciscooffct:ESA-SMA

> docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ciscooffct ESA-SMA c1c51d8936a0 22 minutes ago 2.5GB

> docker image ls | grep cisco (use this if you have a lot of images)
ciscooffct ESA-SMA c1c51d8936a0 23 hours ago 2.5GB

e. Start the Container using the incremented name (v1, etc.) so you know it’s new, start apache in the Container terminal and verify that it’s running.

> docker run -ti -p80:80 –name ciscooffctv1 ciscooffct:ESA-SMA

root@8ef4161ddfc5:/# apachectl start
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8ef4161ddfc5 ciscooffct:ESA-SMA “/bin/bash” 4 minutes ago Up 4 minutes 0.0.0.0:80->80/tcp, 443/tcp ciscooffctv1

9) Make sure your Cisco appliances are pointing to this Container (the Docker server IP). When done updating the ESA/SMA appliances (using the updatenow command on each ESA/SMA via ssh or serial terminal), stop the container and remove the image. The image is obsolete after updating because Cisco releases new Content Updates every 4 hours or so. There is no need to keep this image on the Docker server.

> docker stop ciscooffctv1
> docker rm ciscooffctv1

10) Consider a daily or weekly schedule for updates. The next time you need to update content on the appliances, simply move in a new applications.tar file from the Public offline content server and run steps 6, 7, 8 and 9. The distilled steps are.

Start of Public side:
a. Add the new applications.tar file to the working folder.
b. build
c. run
d. perl processUploads.pl and apachectl start
e. commit
f. save (burn ciscooffctv1.tar file to DVD, move to Private network)

Start of Private side:
g. load (check ownership/permissions before load)
h. run
i. apachectl start
j. updatenow (on the ESA/SMA)
k. stop
l. rm

Apply the Mozilla Firefox STIG to Firefox on Ubuntu Linux 18.04

06 Thursday Aug 2020

Posted by Slice2 in Linux, Security

≈ 2 Comments

1) Applying the STIG on Windows is quite easy. However they fail to provide guidance on how to apply it on Linux. I hope this helps.

2) You will create two files; autoconfig.js and mozilla.cfg.

a) autoconfig.js is as follows. There must be two additional forward slashes at the start of the text below.

//
pref(“general.config.filename”, “mozilla.cfg”);
pref(“general.config.obscure_value”, 0);

b) mozilla.cfg is as follows. There must be two additional forward slashes at the start of the text below.

//
// SV-16707 – DTBF050
lockPref(“security.default_personal_cert”, “Ask Every Time”);
// SV-16710 – DTBF105
lockPref(“network.protocol-handler.external.shell”,false);
// SV-16711 – DTBF110
lockPref(“plugin.disable_full_page_plugin_for_types”,”application/pdf,application/fdf,application/xfdf,application/lso,application/lss,application/iqy,application/rqy,application/lsl,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/wbk,application/ad,application/adp”);
// SV-16713 – DTBF140
lockPref(“browser.formfill.enable”, false);
// SV-16714 – DTBF150
lockPref(“signon.autofillForms”, false);
// SV-16715 – DTBF160
lockPref(“signon.rememberSignons”, false);
// SV-16717 – DTBF180
lockPref(“dom.disable_window_open_feature.status”, true);
// SV-16718 – DTBF181
lockPref(“dom.disable_window_move_resize”, true);
// SV-16925 – DTBF030
lockPref(“security.enable_tls”, true);
// SV-16925 – DTBF030
lockPref(“security.tls.version.min”, 2);
// SV-16925 – DTBF030
lockPref(“security.tls.version.max”, 4);
// SV-16727 – DTBF182
lockPref(“dom.disable_window_flip”, true);
// SV-16928 – DTBF183
lockPref(“dom.event.contextmenu.enabled”, false);
// SV-21890 – DTBF085
lockPref(“browser.search.update”, false);
// SV-59603 – DTBF090
lockPref(“extensions.update.enabled”, false);
// SV-79381 – DTBF186
lockPref(“xpinstall.enabled”, false);
// SV-93759 – DTBF190
lockPref(“datareporting.policy.dataSubmissionEnabled”, false);
// SV-106633 – DTBF195
lockPref(“devtools.policy.disabled”, true);
// SV-111837 – DTBF200
lockPref(“toolkit.telemetry.enabled”, false);
// SV-111839 – DTBF205
lockPref(“toolkit.telemetry.archive.enabled”, false);
// SV-111841 – DTBF210
lockPref(“privacy.trackingprotection.fingerprinting.enabled”, true);
// SV-111843 – DTBF215
lockPref(“privacy.trackingprotection.cryptomining.enabled”, true);
// SV-111845 – DTBF220
lockPref(“browser.contentblocking.category”, “strict”);
// SV-111847 – DTBF225
lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false);
// SV-111849 – DTBF230
lockPref(“browser.newtabpage.activity-stream.enabled”, false);
// SV-111851 – DTBF235
lockPref(“security.ssl3.rsa_des_ede3_sha”, false);

3) At the console or via ssh, create the files in the Ubuntu locations.

> sudo vi /usr/lib/firefox/mozilla.cfg and paste the text shown above in 2b. There should be no extra space or line at the top or bottom of the text.
> sudo chmod 644 /usr/lib/firefox/mozilla.cfg

> sudo vi /usr/lib/firefox/defaults/pref/autoconfig.js and paste the text above in 2a. There should be no extra space or line at the top or bottom of the text.
> sudo chmod 644 /usr/lib/firefox/defaults/pref/autoconfig.js

4) Start Firefox. In the location bar, enter about:config. In the search field enter plugin. and you will see that plugin.disable_full_page_plugin_for_types is grayed out with a lock icon to the left. Try any other from the mozilla.cfg list and they should be the same.

Dynamically Resize Those Tiny BlackArch Linux Terminals and Add a Scrollbar

12 Tuesday May 2020

Posted by Slice2 in Linux, Security

≈ Leave a comment

BlackArch Linux is a great security distro but I’ve always been annoyed by the small terminal windows and could never find a way to resize them. I just used PuTTY on Windows or an xterm from another host/VM to get an easily adjustable xterm window. I found this obscure but simple method to resize the terminal and add a scrollbar. Hope you find this as helpful as I did.

1) Login to BlachArch as root. Right-click the desktop > select Terminal > and pick any terminal color you like.

2) Example resizing commands are listed below. Depending on your monitor size, you can play with the numbers to get your perfect terminal window. The set of numbers after the 8; sets the height and the last set with a “t” sets the width. The commands are dynamic and will change the terminal immediately. If you don’t like your choice, simply up-arrow and enter a new number.

[blackarch ~]# printf ‘\e[8;20;90t’
[blackarch ~]# printf ‘\e[8;30;90t’
[blackarch ~]# printf ‘\e[8;40;90t’
[blackarch ~]# printf ‘\e[8;50;95t’
[blackarch ~]# printf ‘\e[8;40;100t’

3) In your home directory check your .Xresources file.

> cat .Xresources | grep scroll

urxvt.scrollBar: false
urxvt.scrollTtyKeypress: true
urxvt.scrollTtyOutput: false
urxvt.scrollWithBuffer: false
urxvt.scrollstyle: plain

4) Change urxvt.scrollBar from false to true, add its position and merge the change.

> vi .Xresources
– set urxvt.scrollBar to true
– add urxvt.leftScrollBar: true
– save and quit vi
> xrdb -merge .Xresources

5) Close your existing xterm and you should have a scroll bar on the left. Run a few commands (like ls -lsa) to generate a lot of output and then you can scroll back.

Kali Linux OVA for Air-Gapped Use Build Process

06 Wednesday May 2020

Posted by Slice2 in Linux, Security

≈ 1 Comment

If your forensics lab employs Kali Linux as its primary security based Linux distro, this document describes how to build, augment, patch and export an OVA image for use in the lab where you have no internet access.

Software needed to complete this task include:
1) The latest Kali Linux release. As of this writing, its 2020.1b.
https://cdimage.kali.org/kali-2020.1b/kali-linux-2020.1b-installer-amd64.iso

2) VirtualBox 6.1.6 and Extensions (or the most recent version).
https://download.virtualbox.org/virtualbox/6.1.6/VirtualBox-6.1.6-137129-Win.exe
https://download.virtualbox.org/virtualbox/6.1.6/Oracle_VM_VirtualBox_Extension_Pack-6.1.6.vbox-extpack

3) PuTTY terminal emulator for Windows.
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.73-installer.msi

5) A Windows 10 PC or laptop with at least 8 Gigs of memory. 16 is better but 8 will do. You also need at least 200 Gigs of available hard drive space for the image and the exported OVA.

6) Once built, you will export the VM as an OVA and import it to the lab after it has been through your QA process.

IMPORTANT: A Special Note Regarding Word, PDF and Text Character Formatting

1) In some cases, Word and PDF character formatting gets mangled when you copy/paste into a Linux terminal. Before you press enter on a pasted command, make sure it looks the same.
2) If it looks the same and doesn’t run, its typically a broken “-“ as in the –v, or any other switch. The double dash “ – -“ can be merged as a single “–“ when the document is converted. Also, even if the “-“ looks normal and the command doesn’t run or has errors, simply paste the command into the terminal, then using the left-arrow key, roll back and place the cursor behind the “-“ dash, press the backspace key to remove and then enter a new single dash or double dash as needed. This will create them in the native terminal character font. I know, it can be a hassle.
3) Since some of these commands are quite long, you might consider pasting them into Notepad first, and then copy from Notepad into the Linux terminal.

STEP 1 – Obtain the Software and Install on your PC or Laptop

1) Download the software mentioned above.
2) Install PuTTY and VirtualBox first and then install the Extension pack. Defaults are fine unless you have reasons to choose otherwise.

STEP 2 – Build the VM

1) Building the VM must be done offsite if you have restrictions due to access limitations and/or security requirements that prevent you from installing software, accessing the repos, or your destination system is air-gapped.
2) Create a folder on your c:\ drive named vboxshare.
3) Launch VirtualBox Manager and select Machine > New.
a. Name it kali01 or whatever you like).
b. Choose your machine folder location.
c. Type: Linux.
d. Version: Debian x64.
e. Memory size: minimum 4096 MB but 8192 is preferred if you have it.
f. Select Create the virtual disk now and click create.
g. Change the File size to 80.00 GB.
h. Hard disk file type: VDI.
i. Storage on physical disk: select Fixed size and click Create to create the VM.
j. Right-click the new VM profile and select settings.
k. Under System > Processors you can change this to 2 if you have the horsepower on your PC or laptop. If not, 1 should be fine. Both memory and CPU can be changed after being imported on the FAS.
l. Select Display, change Video memory to 128 MB and make sure graphics controller is VMSVGA.
m. Select Storage, under Controller IDE, select the Empty disc icon. On the right, under Attributes, across from Optical Driver select the Disc icon and then Choose/Create a virtual optical disk. If not listed, click +Add and browse out to the Kali ISO you downloaded, select it and click Choose > OK.
n. Select Network. Change Attached to: Bridged Adapter, expand Advanced and change Promiscuous mode to Allow All.
o. Select Shared Folders and click the green + folder icon in the upper right.
i. Folder path: C:\vboxshare.
ii. Folder name: vboxshare and select Auto-mount.
iii. Mount point: /vboxshare (note the forward slash, not backslash).
iv. Click OK > OK. Right-click the VM and select Start. If prompted, select the Kali ISO.

4) On the Kali Installation process:
a. Select Graphical installation, English as the language, United States as location, American English for Keyboard.
b. If you have DHCP your network should autoconfig. If not, click Continue on the Network screen, select Configure Network Manually, enter an IP, netmask, gateway, name servers or DNS.
c. Enter the hostname, leave the domain name blank, create the user account (such as kaliadm), add a password, set the clock to Eastern.
d. For partition, select Guided – use entire disk, select the vbox harddisk, select all files in one partition and click Continue on Finish partitioning and write changes to disk, select Yes to write changes to disk.
e. Enter the proxy information if you need one, otherwise leave it blank,
f. On the Software selection page, make sure Desktop, Xfce, Collection of Tools, top 10, default and large are selected. The system will begin to install the packages.
g. Select Yes on Grub boot loader, select the vbox hardisk as the boot loader device, click Continue on Installation complete to reboot the VM.

5) Enable SSH. It’s off by default.
> sudo systemctl start ssh
> sudo systemctl enable ssh
a. Test your access using PuTTY to login as the kaliadm user. Check the new OS release.

> cat /etc/os-release
> lsb_release -a

6) Install the official “everything” metapackage set (even though it really isn’t all of them) and few utilities. Login as the kaliadm user.

> sudo apt update
> sudo apt install kali-linux-everything
> sudo reboot
> sudo apt upgrade (if noting installs, skip the next reboot)
> sudo reboot

7) Login as kaliadm and install the VirtualBox Guest Additions. First, make sure the prerequisites are installed (they should be by now).

> sudo apt install dkms linux-headers-$(uname -r) build-essential

a. On the VM frame across the top select Devices > Insert Guest Additions CD Image.
> sudo mount /dev/cdrom /mnt
> cd /mnt
> sudo ./VBoxLinuxAdditions.run
> sudo reboot

8) List installed apps. Grep for stuff if you need to.
> sudo apt-cache search ” | sort -d | awk ‘{print $1}’
> sudo apt-cache search ” | sort -d | awk ‘{print $1}’ | grep <app name>

9) List installed apps with some detail. Grep for stuff if you need to.
> sudo apt-cache policy $(apt-cache search ” | sort -d | awk ‘{print $1}’)
> sudo apt-cache policy $(apt-cache search ” | sort -d | awk ‘{print $1}’) | grep <app name>

10) Create the /cases folder. This is where case data is localized.
> sudo mkdir -pv /cases

STEP 3 – Install Additional Tools

1) Use PuTTY on your PC to SSH as the kaliadm user into the VM or login to the GUI.
2) Install ClamAV AntiVirus and verify. From this point forward, it’s your choice to either via SSH or right-click the Desktop and open a terminal.
> sudo apt install clamav clamav-freshclam clamav-base clamav-docs clamav-daemon clamtk
> sudo mkdir -pv /clamav_quarantine
> sudo clamscan –v –r –log=/home/kaliadm/clav.log –copy=/clamav_quarantine /etc/*
> sudo cat /var/log/clamav/freshclam.log
> sudo cat /home/kaliadm/clav.log

3) Install additional tools and utilities for the lab.
a. Python Steganography Tools.
> sudo /usr/bin/pip3 install Stegano
> sudo pip3 install stegoveritas_binwalk
> sudo pip3 install stegoveritas

b. Install stego-lsb.
> sudo git clone https://github.com/ragibson/Steganography
> cd Steganography
> sudo python3 setup.py install
> sudo stegolsb test

c. Install OpenStego
> sudo wget -v -S https://github.com/syvaidya/openstego/releases/download/openstego-0.7.3/openstego_0.7.3-1_amd64.deb
> sudo apt install ./openstego_0.7.3-1_amd64.deb

d. Python Rekall Forensic Framework:
> sudo pip3 install rekall

e. Windows Event Carving:
> sudo pip3 install evtxtract

f. Steganography Tools:
> sudo apt install stegosuite
> sudo apt install exiftool
> sudo apt install pngcheck
> sudo apt install stepic

g. Network tools:
> sudo apt install iftop
> sudo apt install iptraf-ng
> sudo apt install etherape

h. Office and File Transfer Tools:
> sudo apt install filezilla
> sudo apt install libreoffice
> sudo apt install thunderbird
> sudo apt install tree
> sudo apt install putty
> sudo apt install glogg
> sudo apt install xpdf
> sudo apt install evince
> sudo apt install qpdfview
> sudo apt install xtail

i. Multimedia, Audio, Video, Images/Graphics:
> sudo apt install vlc
> sudo apt install xpaint
> sudo apt install mplayer
> sudo apt install smplayer
> sudo apt install audacious
> sudo apt install audacity
> sudo apt install calibre
> sudo apt install libdvd-pkg
Note: if you get an error at the end of this install
run sudo dpkg-reconfigure libdvd-pkg and select yes.

> sudo apt install rhythmbox
> sudo apt install lsdvd
> sudo apt install libavcodec-extra
> sudo apt install cdparanoia
> sudo apt install brasero
> sudo apt install ripperx
> sudo apt install xcfa
> sudo apt install cdda2wav
> sudo apt install pacpl
> sudo apt install abcde
> sudo apt install vobcopy
> sudo apt install dvdbackup
> sudo apt install sound-juicer
> sudo apt install grip
> sudo apt-get install libspeex*
> sudo apt-get install libopus*
> sudo apt-get install libaacs*
> sudo apt-get install libbluray*

j. Google Chrome and cli browsers:
> sudo wget -v https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
> sudo apt install ./google-chrome-stable_current_amd64.deb
> sudo apt install w3m
> sudo apt install lynx
> sudo apt install links2
> sudo apt install elinks

k. Additional Shells:
> sudo apt install golang
> sudo apt install csh
> sudo apt install ksh
> sudo apt install fish
> sudo apt install tcsh
> sudo apt install scanssh

STEP 4 – Export the VM as an OVA and Import Onsite

1) Once the new Kali VM is functioning and updated with the latest versions, it must be exported as an OVA and moved to the Lab. This step should be done as new versions are released to keep the Lab images updated.

2) In VirtualBox Manager, select the Kali VM. Click File > Export Appliance and fill out the following details under Virtual System Settings.
a. Name: should already list kali01.
b. Product: Kali Linux 2020.1b OVA
c. Product-URL: NA
d. Vendor: Kali, but built by <your name here>.
e. Version: 1.0, 06 May 2020 (rev the version for each OVA export, and use today’s date)
f. Description (click edit): Kali Linux 2020.1b, Everything Metapackage group, additional tools and Utils, VirtualBox 6.1.6 additions.
g. License: leave blank.
h. Under appliance settings, change format to Open Virtualization Format 2.0.
i. File: choose the location where you want to write the file.
j. Click Export.
k. When done, burn the OVA file to a Blu-ray disc or removable media.

3) Move the OVA Blu-ray to the internal host with VirtualBox installed.
a. Launch VirtualBox Manager and select File > Import Appliance.
b. Source: select Local File System.
c. File: on the right, click the folder with green arrow icon, browse to and select the kali01.ova file and click Open > Next.
d. Machine Base Folder: accept the default location or change this path to fit your installation.
e. Click Import to import the VM. When done, edit Settings as needed (more CPU, Memory, etc).
f. Boot the VM, login and set the IP address for the internal network and change the hostname if needed.
g. Manually reboot to seat the network changes or shutdown.

STEP 5 – What a Monthly (or as needed) Update Task Looks Like

1) Check to see if there is a new release for VirtualBox. If so, upgrade and make sure the Lab is upgraded as well.
https://www.virtualbox.org/wiki/Downloads

2) Update the Kali image.
a. Boot the public facing VM. Login to the VM as kaliadm.
b. Get the latest ClamAV updates for the VM and test a quick scan of /etc.
> sudo systemctl stop clamav-daemon
> sudo systemctl stop clamav-freshclam
> sudo freshclam
> sudo systemctl start clamav-daemon
> sudo systemctl start clamav-freshclam
> sudo clamscan –log=/home/kaliadm/clav.log –copy=/clamav_quarantine /etc/*

c. Update Google Chrome and the Python tools.

> sudo wget -v https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
> sudo apt install ./google-chrome-stable_current_amd64.deb
> sudo /usr/bin/pip3 install Stegano
> sudo pip3 install stegoveritas_binwalk
> sudo pip3 install stegoveritas

> sudo git clone https://github.com/ragibson/Steganography
> cd Steganography
> sudo python3 setup.py install
> sudo stegolsb test

> sudo pip3 install rekall

> sudo pip3 install evtxtract

d. Update the OS and tools.
> sudo apt update
> sudo apt upgrade (if noting installs, skip the next reboot)
> sudo reboot
> sudo apt list –upgradable –a (if nothing else to patch, proceed)

e. Export and Import the VM as described in STEP 4.

HOWTO install the XFCE 4 Desktop on NetBSD 8.1

21 Saturday Sep 2019

Posted by Slice2 in NetBSD, XFCE

≈ 3 Comments

This is an update to previous posts for NetBSD 6x and 7x:
https://slice2.com/2016/01/30/howto-install-the-xfce-4-12-desktop-on-netbsd-7/
http://slice2.com/2015/01/03/howto-install-the-xfce-4-desktop-on-netbsd-6-1-5/
http://slice2.com/2013/10/10/howto-install-the-xfce-4-desktop-on-netbsd-6-1-2/

For a lightweight functional desktop on NetBSD, install XFCE. As root, perform the following steps. This covers 32 and 64 bit x86 hardware. Make sure you have the X11 Sets installed. Since NetBSD essentially runs on everything, simply adjust the repository path to your architecture from the list here: http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/

1) Setup your binary repository.
> mkdir -p /usr/pkg/etc/pkgin
> touch /usr/pkg/etc/pkgin/repositories.conf
> vi /usr/pkg/etc/pkgin/repositories.conf and add path:
For x64
http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.1/All/
For x32
http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/8.1/All/

2) Add the NetBSD ftp server to your host file. This is for convenience and can be removed when done.
> vi /etc/hosts and add:
199.233.217.201 ftp.netbsd.org

3) Export your path.
Note: I don’t know why the encoded quote characters keep appearing after /ALL/ in the path statements below. It must be an html coding issue and I’m not a developer. Just make sure that at the end of the path statement it ends with /8.1/All/” with no trailing characters. In other words, it should look like the paths depicted in step 1 above only it must end in a ” character.
For x64:
> export PKG_PATH=”http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.1/All/”
For x32:
> export PKG_PATH=”http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/8.1/All/”

4) Install the latest version of pkgin on your system.
> pkg_add -v pkgin-*

5) Update the pkgin database and install XFCE.
> pkgin update
> pkgin install xfce4
calculating dependencies…done.

139 packages to install:
enca-1.15 libproxy-0.4.15 gsettings-desktop-schemas-3.24.0 libgpg-error-1.36 libIDL-0.8.14nb4 nspr-4.21 spidermonkey52-52.7.4nb9
libogg-1.3.3 p11-kit-0.23.15 nettle-3.4.1 libtasn1-4.13 libcfg+-0.7.0 gmp-6.1.2 ORBit2-2.14.19nb4 libgcrypt-1.8.5 libpsl-0.20.2nb4
glib-networking-2.60.3 tdb-1.4.0nb1 popt-1.16nb2 jbigkit-2.1 xvidcore-1.3.3nb1 x264-devel-20190312 libvpx-1.8.0 libvdpau-1.2
libva-2.3.0 libtheora-1.1.1nb2 libbluray-1.1.2 libass-0.14.0nb2 lame-3.100nb1 libunistring-0.9.10 mozilla-rootcerts-1.0.20190306
python27-2.7.16 py27-expat-2.7.16 libidn2-2.0.5 ffmpeg3-3.4.6nb1 tiff-4.0.10nb1 lcms2-2.9 poppler-0.76.1 py37-expat-3.7.3
py37-cElementTree-3.7.3 samba-3.6.25nb16 libsoup-2.64.2nb3 libgnome-keyring-3.12.0 GConf-3.2.3nb2 perl-5.28.2 p5-URI-1.76
xcb-util-0.4.0 pcre2-10.33 gnutls-3.6.7 libvorbis-1.3.6nb1 libltdl-2.4.6 gstreamer1-1.16.0 xmlcatmgr-2.2nb1 iso-codes-3.77nb1
libxfce4util-4.13.3 python37-3.7.3nb1 gle-3.1.0nb4 polkit-0.115nb2 zonetab-0 icu-64.2nb1 pcre-8.43 libffi-3.2.1nb4 readline-8.0
at-spi2-core-2.26.2nb1 lzo-2.10 libuuid-2.32.1 harfbuzz-2.4.0nb3 graphite2-1.3.11nb2 fribidi-0.19.7 libxml2-2.9.9 libcroco-0.6.8
freetype2-2.10.0 gnome-icon-theme-3.12.0nb3 librsvg-2.44.14nb1 shared-mime-info-1.10 pango-1.42.4nb5 libepoxy-1.4.3nb2 libXft-2.3.3
fontconfig-2.13.1 cairo-gobject-1.16.0nb3 cairo-1.16.0 atk-2.26.1 at-spi2-atk-2.26.1nb1 gsed-4.7 bash-5.0.7 gtksourceview3-3.24.9
glib2-2.60.4nb5 libical-3.0.3nb4 consolekit-1.2.1nb2 xscreensaver-5.40nb1 mate-polkit-1.22.0nb1 xfce4-garcon-0.6.2 xfce4-conf-4.13.7
upower-0.99.4nb4 libxklavier-5.4nb3 libwnck-2.30.6nb25 libglade-2.6.4nb29 libcanberra-0.30 vte3-0.54.3 startup-notification-0.12nb3
xfce4-exo-0.12.6 libnotify-0.7.7nb5 libexif-0.6.21nb1 gvfs-1.6.7nb42 gobject-introspection-1.60.1nb1 poppler-glib-0.76.1 png-1.6.37
openjpeg-2.3.1 libgsf-1.14.45 jpeg-9cnb1 gdk-pixbuf2-2.36.12 ffmpegthumbnailer-2.2.0nb1 dbus-glib-0.110 dbus-1.12.16 curl-7.65.1
libxfce4ui-4.13.5 libwnck3-3.24.1nb5 hicolor-icon-theme-0.17 gtk2+-2.24.32nb8 desktop-file-utils-0.23nb1 xfce4-xarchiver-0.5.4nb10
xfce4-wm-themes-4.10.0nb10 xfce4-wm-4.13.2 xfce4-tumbler-0.2.4 xfce4-thunar-1.8.6 xfce4-terminal-0.8.7.4nb3 xfce4-settings-4.13.6
xfce4-session-4.13.2 xfce4-power-manager-1.6.2 xfce4-panel-4.13.5 xfce4-orage-4.12.1nb14 xfce4-mousepad-0.4.1nb2 xfce4-desktop-4.13.4
xfce4-appfinder-4.13.3 xdg-utils-1.1.3nb1 gtk3+-3.24.8 gnome-themes-standard-3.20.2nb8 elementary-xfce-icon-theme-0.11
xfce4-4.12.0nb16

0 to refresh, 0 to upgrade, 139 to install
219M to download, 1360M to install

proceed ? [Y/n] Y

6) Add fonts and fam.
> pkgin install font-adobe-75*
> pkgin install font-adobe-100*
> pkgin install font-adobe-utopia*
> pkgin install fam
> cp /usr/pkg/share/examples/rc.d/famd /etc/rc.d/
> cp /usr/pkg/share/examples/rc.d/dbus /etc/rc.d/
> echo rpcbind=YES >> /etc/rc.conf
> echo famd=YES >> /etc/rc.conf
> echo dbus=YES >> /etc/rc.conf
> /etc/rc.d/rpcbind start
> /etc/rc.d/famd start
> /etc/rc.d/dbus start

7) Configure X and start the desktop for the first time. You can start X as root or other users. Run the following for users on the system. For example, the user slice2 would be setup as:
> echo xfce4-session >> /home/slice2/.xinitrc
> ln /home/slice2/.xinitrc /home/slice2/.xsession
> chown slice2:users /home/slice2/.xinitrc
> chown slice2:users /home/slice2/.xsession
> su – slice2
> startx (note: be patient, it may take a minute to load)
a) In the upper left, select Applications > Log out to continue to install the apps below.

b) For root:
> echo xfce4-session >> /root/.xinitrc
> ln /root/.xinitrc /root/.xsession
> startx

8) Install additional apps as desired. This step is optional. Enter Y when asked to proceed ? [Y/n] for each app. You can add the pkgin -y install if you want to skip the prompt. I just like to see what dependencies will be installed.
Browsers and plugins:
> pkgin -y install firefox
> pkgin -y install opera
> pkgin -y install flashplayer
> pkgin -y install mozilla-fonts*
> pkgin -y install openjdk*
> pkgin -y install openquicktime
> pkgin -y install xpdf

Install optional security apps, utils and shells:
> pkgin -y install chkrootkit
> pkgin -y install clamav
a) after installing clamav, refresh the virus db.
> /usr/pkg/bin/freshclam
> pkgin -y install coreutils
> pkgin -y install emacs
> pkgin -y install fish
> pkgin -y install iftop
> pkgin -y install keepassx
> pkgin -y install mhash
> pkgin -y install nbtscan
> pkgin -y install nmap
> pkgin -y install xtail
> pkgin -y install xtraceroute
> pkgin -y install vim
> pkgin -y install wget

Office productivity apps, zip tools, DVD burning, file transfer and multimedia:
> pkgin -y install audacious
> pkgin -y install audacity
> pkgin -y install brasero
> pkgin -y install bunzip
> pkgin -y install bzip2
> pkgin -y install filezilla
> pkgin -y install libreoffice*
Note: you can launch liberoffice from Applications > Office, or enter the soffice command in an xterm.
> pkgin -y install thunderbird
> pkgin -y install tree
> pkgin -y install vlc*
> pkgin -y install xmms
> pkgin -y install xfce4-xmms-plugin
> pkgin -y install xcdroast
> pkgin -y install xcalc
> pkgin -y install xpad
> pkgin -y install xpaint

Note: For Audio CD playback in XMMS, configure XMMS in the following manner:
a) Select “Options” -> “Preferences” (or press Control-P)
b) Select “Audio I/O Plugins” tab
c) Configure “CD Audio Player … [libcdaudio.so]”
d) Change “Device:” to the raw partition of your CD player (e.g., `/dev/cd0d’).
e) Change “Directory:” to an existing (empty) directory to be used within the
XMMS file selection dialog boxes as the path to select tracks on audio CDs
(e.g., `/cdrom/’).
f) Select “OK” to save the changes.

9) Now that all your apps are installed, start your desktop.
> su – slice2 (su to your user account)
> startx (remember, it takes a minute to load)
Or as root:
> startx

Build a Kali Linux ISO with the latest OS patches and packages

31 Saturday Aug 2019

Posted by Slice2 in Linux, Security

≈ Leave a comment

This post demonstrates how to build an updated Kali Linux ISO with the latest patches and package updates for the current 2019.2 release. This is helpful for offline environments, when you want a different desktop experience or you want every package available for Kali in one ISO. This is done as the root user.

1) Build a Kali Linux physical or virtual system. Downloads are available here:
https://www.kali.org/downloads/

2) Once built, update your system.
> apt update
> apt upgrade

3) Setup the build environment.
> mkdir -p /root/ISO
> cd /root/ISO/
> apt install -y curl git live-build cdebootstrap
> git clone https://gitlab.com/kalilinux/build-scripts/live-build-config.git

4) Modify the package list to get everything bundled into your ISO.
> cd /root/ISO/live-build-config/kali-config/variant-default/package-lists
> vi kali.list.chroot

Under the Kali applications header, set the file to look like the lines below. Basically, comment kali-linux-default (in red) and remove the comment on kali-linux-everything (in green). Leave the defaults for everything else in the file. When done, wq! to save your changes.

# Kali applications
#<package>
# You can customize the set of Kali metapackages (groups of tools) to install
# For the complete list see: https://tools.kali.org/kali-metapackages
# kali-linux-default
# kali-linux-large
kali-linux-everything
# kali-tools-top10

5) Build your ISO. Depending on your host’s CPU and internet speed, this could take an hour or more to complete.
> cd /root/ISO/live-build-config
> ./build.sh –verbose

Note: if you want a different desktop, run the associated build.sh variant below. Options are MATE, Gnome, XFCE, KDE, E17, I3WM, LXDE. For example:
For XFCE
./build.sh –variant xfce –verbose
For KDE
./build.sh –variant kde –verbose
For MATE
./build.sh –variant mate –verbose

6) When done, cd to the images folder and list the contents.
> cd /root/ISO/live-build-config/images
> ls -l
-rw-r–r– 1 root root 8184537088 Aug 31 14:23 kali-linux-rolling-amd64.iso
-rw-r–r– 1 root root 1619921 Aug 31 14:24 kali-linux-rolling-amd64.log

To check the size of the ISO:
> du -h kali-linux-rolling-amd64.iso
7.7G kali-linux-rolling-amd64.iso