WARNING: This will be a very long (hopefully) and comprehensive series on rolling your own security distribution from picking hardware to installation and exploitation.
NOTE: This page will be most likely edited every time a change is committed so as to keep the information up to date in the real world. If anything major changes (new version of breaking WPA/WPA2 etc a new post will most likely be made to feature the tool/method). Check the modified date on the post to find the latest updates.
The reason that this has come about is I was messing with the latest Backtrack 5 R2 in a VM. I’m not sure whether it is only a problem with the prebuilt live VM distro or 5R2 as a whole, but I could not for the life of me get OpenVAS reports to export. After digging around the closest I came to solving the issue was to find that the user running OpenVAS could not write the temporary report to /tmp. In the log files I could see
/bin/bash /usr/local/share/openvas/openvasmd/global_report_formats/b993b6f5-f9fb-4e6e-9c94-dd46c00e058d/generate /tmp/openvasmd_OHKB4T/report.xml > /tmp/openvasmd_OHKB4T/report.out 2> /dev/null
When I tried to run the command from the commandline it reported “No such file or directory found”. After trying to contact OpenVAS via IRC and not getting any response, reading through multiple sites and blog posts I came to the conclusion that OpenVAS would not work under BT5 and that if I wanted it to work I would have to roll my own.
So I concluded to roll my own security distro, one that I could build how I wanted with the tools that I needed. This would also give me a good insight into the tools that are available for different exploits etc.
For anyone wanting to follow this process, these are the requirements that I was working with – and I will post the details using these requirements – so your mileage may vary depending on your requirements.
– Ubuntu 12.04 base. The BT5 apps have had good support running an Ubuntu base for the last 2 iterations and this is my distro of choice for every day use.
– VMware Workstation/Physical install.
– Alfa AWUS036H wireless adapter.
– Ability to audit wireless networks (aircrack, reaver etc).
– Ability to audit generic network devices (metasploit, openvas etc).
– Ability to audit VoIP networks (ucsniff etc) .
Any of the below processes outlined will work in either a virtual or physical environment, however, 2 things to note is that any form of wired NIC manipulation (macchanger, ucsniff, VLAN hopping etc) will NOT work in a virtual machine. Also, when trying to run aircrack-ng against a wordlist, or pyrit for CUDA based cracking is very slow and limited inside a VM. It was due to this that I explored the variables in installing the new security distro to an external drive.
External Installation Variables
Installing a distro to external harddrive is nothing new. In fact I blogged about doing a persistent install for BT4 to a 500GB USB HDD. However, my recent research at work has led me to explore other options that I would not have though about.
In a blanket statement, for Operating System installs, you want the highest number of read and write IOPS that you can get your hands on. In a nutshell, you can test for IOPS by reading and writing 4kb packets randomly to a disk. This is much different than testing sequential read/writes which most disk types are quite good at these days.
Obviously, different disk types will give you different IOPS readings. When exploring installing Cisco Call Manager to a SAN, Cisco advised us that the SAN must support 100 IOPS per operating system you wanted to host. Obviously in a SAN using 15K SAS disks the IOPS will be in the thousands but this was good starting point for me.
I started off by wanting to test a SD card, USB thumbdrive, USB harddrive and a SATA attached 2.5″ drive. Obviously anyone will undoubtedly say that the SATA drive will be the best option. True. However, I didn’t have the luxury of re-partitioning my internal disk.
I fired up HDTune to test the disks that I had on hand. As a warning, different disk types, manufacturers and individual disks will give you different mileage so don’t take this as gospel.
I have posted a photo of each device that I remembered to, so that anyone can match up the results if they have the same drive. The first screenshot shows sequential read time and drive access time. The second screenshot show sequential read/write times and 4k read/write IOPS.
USB – Toshiba TransMemory 1GB
USB – SanDiskCruzer Edge 8GB
NOTE: I would love to do this test again, perhaps on a brand new Cruzer. The IOPS far outweigh any others that I tested, so I’m not sure whether this is an anomaly or not.
USB – Toshiba USB Drv 16GB
SD – Sandisk Class 2 SDHC Card
USBHDD – Seagate Portable USB2 500GB
USBHDD – Seagate FreeAgent GoFlex USB3 500GB
USB HDD – Seagate FreeAgent GoFlex USB3 1TB
SATA HDD – Western Digital WD3200BEVT-22ZCT 320GB
From these tests you will notice that:
– Sequential read for all the drives are actually quite good.
– The old, cheap USB thumbdrives had quite poor sequential write, but I’m sure newer drives would be much better.
– Any flash based memory has excellent access speeds
– Most flash based memory has excellent 4kb read speeds creating a high IOPS read rate.
– Most flash based memory has absolutely shit 4kb write speeds creating very a low IOPS write rate.
– External USB harddrives are “ok” at everything.
– Internal SATA or any physically attached disks are where you want to be at.
The option that I opted for was to use the 500GB USB3 Seagate GoFlex HDD. Mainly because IOPS and sequential read/writes are quite OK, I have enough storage space to hold rainbow tables (unlike small USB thumbdrives), it was relatively cheap, and I’m a sucker for the GoFlex interface.
Unfortunately, I do not have much information on the wireless NIC front. A while ago I opted to buy the Alfa AWUS036H 1000Mw. Anyone who does some sort of research on the backtrack forums etc will pick up that the Alfa cards are highly powerful and capable of injection. There are newer cards available like the AWUS036NH 2000Mw, but I have not tried these, nor know whether they are capable of injection as they use newer RTL chipsets.
The Running System