APPENDIX B - John Herrlin's notes on Deterlab
Table of Contents
1. Assignment environment preparations
1.1. SSH
1.2. Start an environment
1.3. Swapping
1.3.1. In
1.3.2. Out
1.4. Joining an ongoing session
1.5. Useful
1.5.1. Show node state
1.5.2. List all the files belonging to us, OPTIONAL
1.5.3. Install Emacs 25.1 on Ubuntu 10.04, OPTIONAL
1.5.4. ~/.profile, OPTIONAL
1.6. Removing the environment
1.7. Dumps
2. Assignment tools preparation
2.1. Download an image
2.1.1. Download an image on your local machine
2.2. Examine the image.
2.3. Mount a loop image.
2.4. Search for deleted files on Ext2.
2.5. Umount a loop device.
2.6. Strings
2.7. Check for rootkits
2.7.1. Install chkrootkit
2.7.2. Usage
1 Assignment environment preparations
1.1 SSH
Generate a new key for the service.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/deterlab
Add the ~/.ssh/deterlab.pub key to your Deterlab profile using the web page. You find a link to the left in a yellow box.
SSH has a config file that makes it easier to connect to services. If ~/.ssh/config does not exist, create it and add:
Host deterlab
HostName users.isi.deterlab.net
User <YOUR USERNAME>
Protocol 2
IdentityFile ~/.ssh/deterlab
StrictHostKeyChecking no
PubkeyAuthentication yes
PasswordAuthentication no
Note that StrictHostKeyChecking no turns off host key verification for this host. Once the key has been stored in ~/.ssh/known_hosts by the first connection, remove that line so that a changed host key is reported instead of silently accepted.
To connect to the Deterlab “Bastion” environment use:
ssh deterlab
1.2 Start an environment
Create a new environment named after your username. The second command waits for the environment to be built and then enters it over SSH; it can take some time to finish. When it is done you will be asked whether to accept the node's RSA host key fingerprint, answer yes. You should then see a prompt like lnuitsaa@workbench:~$, which means you are on the node. The environment only needs to be created once; after that you swap it in and out, see 1.3.
startexp -i -p LnuITSec -e $USER /share/education/ComputerForensics_UCLA/forensics.ns
expwait -e LnuITSec,$USER active && ssh $(node_list -e LnuITSec,$USER)
1.3 Swapping
Swapping in and out of environments. An environment has a default time of 4 hours before it is swapped out; I think this only happens if nothing is going on on the node. After that you need to swap in again.
1.3.1 In
Set the environment to swap in and join it as soon as it is ready. Swapping in takes some time, at least a few minutes. Run this command on the "Bastion".
swapexp -e LnuITSec,$USER in && expwait -e LnuITSec,$USER active && ssh $(node_list -e LnuITSec,$USER)
1.3.2 Out
When you are done working for the day, swap out so the resources can be used by someone else. Run this command on the "Bastion".
swapexp -w -e LnuITSec,$USER out
1.4 Joining an ongoing session
If the session is active you can join it with:
ssh $(node_list -e LnuITSec,$USER)
1.5 Useful
1.5.1 Show node state
Show the state of a node.
expinfo -n -e LnuITSec,$USER
1.5.2 List all the files belonging to us, OPTIONAL
ls -lR /proj/LnuITSec/
1.5.3 Install Emacs 25.1 on Ubuntu 10.04, OPTIONAL
Download emacs-25.1.tar.xz and transfer it to the node. The node does not have internet access, so use scp or sftp from your local computer.
sudo apt-get install build-essential checkinstall
sudo apt-get install libncurses5
sudo apt-get install libncurses-dev
sudo apt-get build-dep emacs23
tar xf emacs-25.1.tar.xz
cd emacs-25.1
./configure --without-x
make
Add to ~/.profile
alias emacs25='~/emacs-25.1/src/emacs'
You can now use Emacs 25 by:
emacs25
1.5.4 ~/.profile, OPTIONAL
Useful alias.
alias l='ls -lhaF'
alias rm='rm -i'
alias mv='mv -i'
alias join='ssh $(node_list -e LnuITSec,$USER)'
alias swapout='swapexp -w -e LnuITSec,$USER out'
alias swapin='yes | swapexp -e LnuITSec,$USER in && expwait -e LnuITSec,$USER active && ssh $(node_list -e LnuITSec,$USER)'
1.6 Removing the environment
This destroys the environment completely! All data on the node will be deleted. Only use it when you are done with all of the assignments.
endexp -w -e LnuITSec,$USER
1.7 Dumps
https://staff.washington.edu/dittrich/misc/forensics/
Quick greps for signs of intrusion in the logs. Note that /var/log/* on the node is the node's own logs; when examining a mounted image, point these at the image's log directory (for example /images/sda1/var/log/*) instead.
sudo grep -ir breakin /var/log/*
sudo grep -ir attempt /var/log/*
sudo grep -ir login /var/log/*
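The three greps above are a coarse first pass. As an added example, written for these notes and not part of the course material or the dumps linked above, the snippet below does the kind of follow-up you would do next: it tallies sshd "Failed" and "Accepted" lines per source IP and flags addresses whose failures are followed by a successful login, the brute-force-then-login pattern. The log lines in AUTH_SAMPLE are constructed for the example; to run it on a dump, pass the image's auth.log as an argument instead.

```sh
#!/bin/sh
# Added example: summarise sshd login outcomes per source IP from syslog-style
# auth log lines and flag brute-force-then-success. The lines are constructed.
AUTH_SAMPLE='Mar  3 02:14:07 victim sshd[2291]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  3 02:14:09 victim sshd[2291]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  3 02:14:12 victim sshd[2293]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Mar  3 02:15:01 victim sshd[2297]: Accepted password for root from 203.0.113.9 port 40141 ssh2
Mar  3 08:30:44 victim sshd[3104]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2'

# Print one line per source IP: "ip failed accepted success_after_failures".
# The last field is 1 when an Accepted line came after at least one failure
# from the same IP. Reads the files given as arguments, or AUTH_SAMPLE if none.
login_summary() {
    { if [ $# -gt 0 ]; then cat "$@"; else printf '%s\n' "$AUTH_SAMPLE"; fi; } | awk '
        # field 5 is "sshd[pid]:", field 6 is the outcome word
        $5 ~ /^sshd\[/ && ($6 == "Failed" || $6 == "Accepted") {
            ip = ""
            for (i = 7; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            seen[ip] = 1
            if ($6 == "Failed") failed[ip]++
            else { accepted[ip]++; if (failed[ip] > 0) after[ip] = 1 }
        }
        END {
            for (ip in seen)
                printf "%s %d %d %d\n", ip, failed[ip] + 0, accepted[ip] + 0, after[ip] + 0
        }' | sort -k2,2nr
}

# IPs with at least $1 failed attempts followed by a success; remaining
# arguments are log files and are passed on to login_summary.
suspicious_ips() {
    t=$1
    shift
    login_summary "$@" | awk -v t="$t" '$2 >= t && $4 == 1 { print $1 }'
}

echo "ip failed accepted success_after_failures"
login_summary
echo "suspicious (>= 3 failures, then a success):"
suspicious_ips 3
```

The "from" keyword is located by scanning fields rather than by position, so the "invalid user" variant of the Failed line is counted the same way as the plain one.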
2 Assignment tools preparation
2.1 Download an image
Download the act1 assignment and check sha hash.
cd /images
sudo ./loadimage.sh act1.img
sha256sum act1.img
2.1.1 Download an image on your local machine
From remote host to local host
scp <user>@<remote_host>:<remote_file_path> <local_dir>
From local host to remote host
scp <file_path> <user>@<remote_host>:<remote_dir>
Example: copy the image from pcxxx without first logging in to pcxxx over ssh; run this from your your_username@users machine:
scp -3 -v pcxxx:/images/act1.img ~/
On Windows, use WinSCP and connect to users.isi.deterlab.net with your username and password. If the scp above succeeded, the image is now in your home directory on the users machine and shows up in WinSCP, from where you can download it to your computer.
2.2 Examine the image.
Examine the /images/act1.img image that was loaded.
file /images/act1.img
fdisk -lu /images/act1.img
Here is a table with the partition offsets found on the disk (byte offset = start sector * 512):
Partition   Start sector   Byte offset (start * 512)
act1.img1   63             32256
act1.img2   3887730        1990517760
act1.img5   3887793        1990550016
2.3 Mount a loop image.
Attach /dev/loop0 to the image at the byte offset of the first partition (32256, from the table in 2.2) and mount it on /images/sda1; this is the file system to examine. Both steps are done read-only so the image is not modified while you work on it.
sudo losetup -r /dev/loop0 /images/act1.img -o 32256
sudo mount -o ro -t ext2 /dev/loop0 /images/sda1
df -Th | grep /images/sda1
ls -la /images/sda1
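The offsets in the table in 2.2 are just the start sector times 512, and the losetup command above depends on getting that number right. As an added example, written for these notes and not part of the course material or the Deterlab image, the snippet below parses fdisk -lu style output into byte offsets and, before anything is attached, checks that the ext2/3/4 superblock magic 0xEF53 sits where it should, 1080 bytes into the partition. The fdisk lines are constructed to match the table; the image path and the loop device numbering are assumptions, and the losetup/mount commands are only printed, not run.

```sh
#!/bin/sh
# Added example: compute partition byte offsets from "fdisk -lu" output and
# verify an ext superblock sits at an offset before attaching it with losetup.
SECTOR_SIZE=512
IMAGE=/images/act1.img    # assumed path, as in the notes

# Constructed "fdisk -lu" partition table, matching the table in 2.2.
FDISK_SAMPLE='Device      Boot   Start     End Sectors  Size Id Type
act1.img1   *         63 3887729 3887667  1.9G 83 Linux
act1.img2        3887730 4016249  128520 62.8M  5 Extended
act1.img5        3887793 4016249  128457 62.7M 82 Linux swap / Solaris'

# Byte offset of a start sector: sector * sector size.
byte_offset() {
    echo $(( $1 * SECTOR_SIZE ))
}

# Print "device start_sector byte_offset" per partition line, skipping the
# header. A "*" boot flag in column 2 pushes the Start column one field right.
partition_offsets() {
    printf '%s\n' "$FDISK_SAMPLE" | awk -v ss="$SECTOR_SIZE" '
        NR > 1 {
            start = ($2 == "*") ? $3 : $2
            printf "%s %d %d\n", $1, start, start * ss
        }'
}

# Return 0 if the two bytes at offset+1080 of the file are the ext superblock
# magic 0xEF53 (stored little-endian, so the bytes read 53 ef).
is_extfs() {    # $1 image file, $2 partition byte offset
    magic=$(dd if="$1" bs=1 skip=$(( $2 + 1080 )) count=2 2>/dev/null \
            | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Print read-only losetup/mount commands for every partition that carries an
# ext superblock, one loop device per partition. Nothing is attached here.
mount_plan() {    # $1 image file
    n=0
    partition_offsets | while read -r dev start off; do
        if is_extfs "$1" "$off"; then
            echo "sudo losetup -r /dev/loop$n $1 -o $off"
            echo "sudo mount -o ro -t ext2 /dev/loop$n /images/sda1    # $dev"
            n=$(( n + 1 ))
        else
            echo "# $dev at offset $off: no ext superblock, not mounting"
        fi
    done
}

partition_offsets
if [ -r "$IMAGE" ]; then mount_plan "$IMAGE"; fi
```

The magic check is cheap and catches the usual mistakes (sector offset passed where a byte offset is expected, wrong partition, a swap or extended partition) before losetup and mount report something less specific.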
2.4 Search for deleted files on Ext2.
Search for deleted files on the Ext2 file system on loop0 and save anything recovered under /images/recovered, which is outside the image. -a looks at all deleted inodes rather than only those recorded in e2undel's own log, and -t tries to determine the type of recovered files that no longer have a name.
sudo e2undel -d /dev/loop0 -s /images/recovered -a -tw
2.5 Umount a loop device.
Unmount sda1 and detach loop0.
sudo umount /images/sda1
sudo losetup -d /dev/loop0
2.6 Strings
strings prints the sequences of printable characters in a file. wtmp is a binary login record, so this pulls out user names, terminals and host names but not readable timestamps; last -f /var/log/wtmp prints the same records as a proper login history. When examining the image, point both at the mounted copy under /images/sda1/var/log rather than the node's own /var/log.
strings /var/log/wtmp
2.7 Check for rootkits
2.7.1 Install chkrootkit
In our case the application is already extracted.
cd /images/chkrootkit-0.47
ls -la
2.7.2 Usage
Run it with -r pointing at the mounted disk image so that it inspects the image's files rather than the lab node's own, i.e. with the image mounted on /images/sda1 as in 2.3:
sudo ./chkrootkit -r /images/sda1
Only the file-based tests are meaningful against a mounted image; the tests that look at running processes and network interfaces check the live node.