(Knoppix) { Getting Started } Section 0. Background Information Knoppix is a GNU/Linux distribution that boots and runs completely from CD or DVD and can be used to read and write Windows and other partitions (among other clever tricks) The Knoppix CD and DVD include recent Linux software and desktop environments. The DVD includes programs such as OpenOffice.org, Abiword, The Gimp, Konqueror, Mozilla, Apache, PHP, MySQL and hundreds of other quality open source programs. Section 1. Downloading Knoppix Go To http://archive.cs.stedwards.edu/knoppix/ If this website is dead then go to http://www.knoppix.net Select a file that ends with ".iso" Note: EN stands for English Saving the ISO Command:  Click Save Saving ISO to a location Instruction: It's up to you were you want to save the file.  In my case, I will save the ISO to H:\BOOT ISO Section 2. Configure the Windows Virtual Machine to boot up knoppix Edit the WindowsVulnerable01 virtual machine. (See Below) Note: For those of you that don't have access to class material, this can be Windows XP, 2000, 2003 and 7. Configure Windows to boot off Knoppix Instructions:  Select CD/DVD (IDE) Select the Use ISO image file Browse to where you saved the knoppix iso. Note:  In my case, I save it in the following location: H:\BOOT ISO\KNOPPIX_V6.4.4CD-2011-01-30-EN.iso Configure Knoppix to use Linux VMware setting. Instructions:  Select the Options tab Select Linux for the Guest operating system Select Ubuntu for the Guest operating system version. Select OK. Play the Virtual Machine Select Play Virtual Machine Section 3. Start Up Knoppix Knoppix Start Instructions:  Let knoppix boot it, it will takes 30 seconds to 1 minute. Click on the KNOPPIX Folder Mounting your hard drive Instructions: Click on sda1 (This is your hard drive) Click on Documents and Settings Navigate to Favorites Instructions: Click on Administrator Click on Favorite Section 4. Start Up Terminal Window Start up a Terminal Windows Command:  Click on the Black Terminal Window (See Below) View the file system structure using Knoppix Command:  df -k (See Below) Note: /dev/sda1 is your hard drive /media/sda1 is the mount point of your hard drive. Navigate to your hard drive Command:  cd /media/sda (See Below) Command:  ls Navigate to Favorites Instructions: cd Documents\ and\ Settings Press the TAB key after typing "D" cd Administrator Press the TAB key after typing "A" cd Favorites Press the TAB key after typing "A" ls -l date Proof of Lab: Do a screen print, cut in paste into a word document, and upload to Moodle. Section: Proof of Lab5 Cut and Paste a screen shot found in Section 4, Step 4 in a word and upload to Moodle.

Data Hiding

(Data Hiding: Lesson 1) { Hiding Data in Slack Space using bmap } Section 0. Background Information What is the scenario? Have you ever heard of Cyber Espionage where a spy was able to hide data and go virtually un-noticed?  The following lesson demonstrates how easy it is for a person to hide data in a file's slack space. bmap  Bmap is a data hiding tool that can utilize slack space in blocks to hide data. It can perform lots of functions interesting to the computer forensics community and the computer security community. Slack Space Blocks are specific sized containers used by file system to store data. Blocks can also be defined as the smallest pieces of data that a file system can use to store information. Files can consist of a single or multiple blocks/clusters in order to fulfill the size requirements of the file. When data is stored in these blocks two mutually exclusive conditions can occur; The block is completely full, or the block is partially full. If the block is completely full then the most optimal situation for the file system has occurred. If the block is only partially full then the area between the end of the file the end of the container is referred to as slack space. Lab Notes In this lab we will do the following: Download bmap Compile bmap Hide a secret message into a file that contains slack space Legal Disclaimer As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices. In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability." In addition, this is a teaching website that does not condone malicious behavior of any kind. You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law. © 2013 No content replication of any kind is allowed without express written permission. Section 1: Start Up the BackTrack5R1 VM Start Up VMWare Player Instructions: Click the Start Button Type Vmplayer in the search box Click on Vmplayer Open a Virtual Machine Instructions: Click on Open a Virtual Machine Open the BackTrack5R1 VM Instructions: Navigate to where the BackTrack5R1 VM is located Click on on the BackTrack5R1 VM Click on the Open Button Edit the BackTrack5R1 VM Instructions: Select BackTrack5R1 VM Click Edit virtual machine settings Edit Virtual Machine Settings Instructions: Click on Network Adapter Click on the Bridged Radio button Click on the OK Button Play the BackTrack5R1 VM Instructions: Click on the BackTrack5R1 VM Click on Play virtual machine Login to BackTrack Instructions: Login: root Password: toor or <whatever you changed it to>. Bring up the GNOME Instructions: Type startx Start up a terminal window Instructions: Click on the Terminal Window Obtain the IP Address Instructions: ifconfig -a Record your IP Address (See Picture) Note(FYI): My IP address 192.168.1.139. In your case, it will probably be different. This is the machine that will be use to attack the victim machine (Metasploitable). Section 2: Download bmap Create bmp folder Instructions: cd /opt mkdir bmap cd bmap Open Firefox Web Browser Instructions: Applications --> Internet --> Firefox Web Browser Navigate to bmap Instructions: In your Firefox browser navigate to the following address http://dl.packetstormsecurity.net/linux/security/bmap-1.0.17.tar.gz Select the Save File Radio Button Click the OK Button Save bmap Instructions: Click on File System Navigate to /opt/bmap Click Save Unzip and Untar bmap Instructions: cd /opt/bmap ls -l gunzip bmap-1.0.17.tar.gz tar xovf bmap-1.0.17.tar make bmap Instructions: cd /opt/bmap/bmap-1.0.17 make The purpose of the make utility is to determine automatically which pieces of a large program need to be recompiled, and issue the commands to recompile them. Note(FYI): You will see a lot of warnings.  However, make will compile bmap. make bmap Instructions: ln -s /opt/bmap/bmap-1.0.17/bmap /sbin/bmap "ln -s", makes a link to the bmap command in the /sbin. /sbin is typically a default directory found in the $PATH variable. which bmap bmap -help Section 3: Create Test File Create Test File Instructions: cd /var/tmp echo "This is a test file" > test.txt cat test.txt Section 4: Using bmap to hide text in slack space Show Slack Space Instructions: bmap --mode slack test.txt ls -l test.txt Note(FYI): The test.txt file is using 20 bytes of disk space. The test.txt file has 4076 bytes of "unused" slack space. Hide Data in Slack Space Instructions: echo "Top Secret Data Goes Here" | bmap --mode putslack test.txt ls -l test Notice the 20 byte size did not change after test was added to its slack space. cat test.txt Notice the secret message is not present. strings test.txt Not even strings can reach into the slack space of test.txt. Section 5: Proof of Lab Proof of Lab Note(FYI): The following commands will be placed in the lower terminal window. Instructions rm test.txt ls -l test.txt echo "This is a test file" > test.txt bmap --mode slack test.txt Notice the secret message was still present after the file was deleted and re-created. echo "Your Name" Replace the string "Your Name" with your actual name. e.g., echo "John Gray" Proof Of Lab Instructions: Do a PrtScn of the below commands Paste into a word document Upload to Moodle

Helix to Hard Drive

(Helix) { Install Helix Linux Image to Hard drive  } Section 0. Background Information Helix3 is a Live CD built on top of Ubuntu. It focuses on incident response and computer forensics. According to Helix3 Support Forum, e-fense is no longer planning on updating the free version of Helix. See http://www.e-fense.com/products.php Section 1. Downloading Helix On any machine connected to the Internet, bring up a Web Browser. In my case, I am using a Windows Machine that has a USB hard drive attached to it. Go To http://helix.onofri.org/Helix2008R1.iso Saving the ISO Command:  Click Save Saving ISO to a location Instruction: It's up to you where you want to save the file.  In my case, I will save the ISO to H:\BOOT ISO Section 2. Create a New Virtual Machine Create a New Virtual Machine Command: Click on "Create a New Virtual Machine" New Virtual Machine Wizard Instructions:  Click on the "I will install the operating system later" radio button. Click Next. Customer Operating System and Version Instructions:  Guest operating system: Linux Version: Ubuntu Click Next. Personalize Linux Instructions:  Virtual machine name: TargetHelix01 Note: Name it whatever you like. Location: H:\TargetHelix01 Note: If you can, save this image to a USB Hard drive. Click Next. Personalize Linux Instructions:  Maximum disk size (GB): 15 Note: You can make this a little as 3.5 GB.  It really depends if you instead on analyzing images with Autopsy. Click on the "Store virtual disk as a single file" Click Next. Personalize Linux Instructions:  Click Finished Note:  Helix will now boot off of the Helix2008R1.iso. Section 3. Install Helix to the Hard drive (Part 1) Warning:  Step 10 will fail.  Unfortunately, you will have to go through the install steps twice, due to an os-prober issue that has trouble seeing the logical volumes.  So, don't get frustrated and just follow along step by step. Edit TargetHelix01 Virtual Machine Command: Click Edit virtual machine settings Virtual Machine Settings Command: Select CD/DVD (IDE) Select the "Use ISO image file:" radio button. Browse to where you saved the Helix2008R1.iso Select OK. Booting from Helix Options Instructions: Select TargetHelix01 Play Virtual Machine Boot into the Helix Live CD Command: Arrow Down to "Boot into the Helix Live CD" Press Enter Install to Hard drive (Part 1) Instructions: System --> Administration --> Install Language Selection Instructions: English Forward Timezone Selection Instructions: Select City: Chicago Forward Keyboard layout Instructions: Which layout is most similar to your keyboard? USA USA Forward Prepare disk space Instructions: Make sure Guided - use entire disk is selected. Forward Who are you? Instructions: What is your name? student What name do you want to use to log in? student Choose a password What is the name of this computer? TargetHelix01 Forward Warning Instructions: After pressing forward the os-prober will fail because it cannot the volume groups. Click Cancel I realize you are saying what the hell, but please continue to follow along to get Helix to install to disk. Abort the installation? Instructions: Click on Quit Notes: I know this sounds crazy, but continue to Section 4. Section 4. Install Helix to the Hard drive (Part 2) Install to Hard drive (Part 2) Instructions: System --> Administration --> Install Language Selection Instructions: English Forward Timezone Selection Instructions: Select City: Chicago Forward Keyboard layout Instructions: Which layout is most similar to your keyboard? USA USA Forward Prepare disk space Instructions: Make sure Guided - use entire disk is selected. Forward Ready to Install Instructions: Click Install Side Note: See, I am not crazy, it works a second time.  BTW, I discovered this trick by scavenging through many of websites and blogs. Installing system Side Note:  This process will take between 10 to 20 minutes. Post Installation Command:  Click on Continue using the Live CD Adjust VMware Settings (For VMWare Only, See Below) Command:  Click on VMware Settings. Change Physical Drive (For VMWare Only, See Below) Command:  Select CD/DVD (IDE) Select the "Use physical drive:" Connection radio button. Change Network Adapter (For VMWare Only, See Below) Command:  Select Network Adapter NAT Select the "Bridged: Connected directly to the physical network" Network Connection radio button. Consistency Reboot Command:  Click on the Terminal Console sudo su - shutdown -r now Section 5. Logging Into TargetHelix01 Preview system information Command: Login with your the username and password you created earlier. In my case, I create a username called "student". How to become root Command: sudo su - Enter your current password for the account your logged in as. Proof of Lab Command: echo "Your Name"; date; df -h Do an Alt PrtScn (Print Screen) Cut and Paste into a Word Document Upload to Moodle. Section: Proof of Lab Cut and Paste a screen shot found in Section 5, Step 3 in a word and upload to Moodle.