You are here : Home » Learning security » Operating Systems » GNU Linux » Build a recovery toolkit

Build a recovery toolkit

D 10 June 2010     H 03:27     A Emeric Nasi     C 2 messages

agrandir


License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

Introduction

All security guides recommend you should have a security audit toolkit (or forensic toolkit or recovery toolkit). This toolkit is constituted by a set of static-linked binaries (grep,w,netstat,ls,nc,strace,ps ... etc). The problem it that these security guides tell you to build this toolkit but never show you how to do it (they just tell it can be really difficult...). In this article I will explain why we need this toolkit then I will show how to build it.

Note : The "build the toolkit" part of this article uses the apt-get package installer (for Debian-like distribs). I tested this code with success on Ubuntu, and with Debian (however some package are different and the described method may not always work).



Why a recovery toolkit?

If an attacker had gain a superuser access into your system, he could have install a malware iike a trojan or a rootkit. Therefore you cannot trust anything on your system. The su or login binaries could have been replaced by his own tool to grab your passwords. Other trojan can directly attack shared library meaning that even newly compiled code may be dangerous.
The other use of this toolkit is to "repair after an accident". A single wrong command is enough to damage important binaries or shared libraries (for example a rm -r on the wrong folder...).
This toolkit must be mounted on a read-only file-system and could be used by rootkit hunting tools such as chkrootkit.
It is also important to notice this toolkit is constituted of statically linked binaries.
We cannot rely on the system shared libraries if the system is corrupted.

Build the toolkit.

Note : The total size of the binaries + sources is about 500 Mo. The binaries size alone is less then 50 Mo.
Prerequisite :
Create a folder where you will install your toolkit.
mkdir -p audit/src
mkdir -p audit/bin
You need to install the dpkg dev package.
apt-get  install dpkg-dev
The core binaries :

  1. apt-get   source coreutils  audit/src
  2. cd audit/src/coreutils-x.x # replace x by the package version
  3. ./configure
  4. make CC="gcc -static -std=gnu99"
  5. cp src/cat "../bin"
  6. cp src/chmod "../bin"
  7. cp src/chown "../bin"
  8. cp src/cp "../bin"
  9. cp src/cut "../bin"
  10. cp src/dd "../bin"
  11. cp src/df "../bin"
  12. cp src/du "../bin"
  13. cp src/echo "../bin"
  14. cp src/head "../bin"
  15. cp src/id "../bin"
  16. cp src/ln "../bin"
  17. cp src/ls "../bin"
  18. cp src/md5sum "../bin"
  19. cp src/mkdir "../bin"
  20. cp src/mknod "../bin"
  21. cp src/mv "../bin"
  22. cp src/pwd "../bin"
  23. cp src/readlink "../bin"
  24. cp src/rm "../bin"
  25. cp src/stat "../bin"
  26. cp src/sha512sum "../bin"
  27. cp src/su "../bin"
  28. cp src/tail "../bin"
  29. cp src/touch "../bin"
  30. cp src/uname "../bin"
  31. cp src/wc "../bin"
  32. cp src/who "../bin"
  33. # These are essentials but there are more in the src folder

The proc binaries :

  1. apt-get install libncurses-dev # required to build top
  2. apt-get   source procps  audit/src
  3. cd audit/src/procps-xxx # replace xxxx by the package version
  4. make SHARED=0 CC='gcc -static'
  5. cp "free" "../bin"
  6. cp "kill" "../bin"
  7. cp "ps/ps" "../bin"
  8. cp "top" "../bin"
  9. cp "uptime" "../bin" 
  10. cp "vmstat" "../bin" 
  11. cp "w" "../bin"

The net-tools binaries :

  1. apt-get   source net-tools  audit/src
  2. cd audit/src/net-tools-xxx # replace xxxx by the package version
  3. sed -i 's@default:@&\n break;@' lib/inet_sr.c 
  4. make config # Keep default config by answering [enter] to all prompts 
  5. sed -i 's|#define HAVE_AFX25 1|#define HAVE_AFX25 0|' config.h # you probably do not need X.25 protocol support
  6. sed -i 's|#define HAVE_HWX25 1|#define HAVE_HWX25 0|'  config.h
  7. # We needed to change to 0 values for HAVE_AFX25 and HAVE_HWX25 so it will compile on ubuntu 
  8. # to avoid x25_sr.c:80: error: ‘x25_address’ undeclared (first use in this function)
  9. # If someone has found a better way do not hesitate to comment this article!
  10. make CC="gcc -static" ifconfig netstat arp route
  11. cp "arp" "THYLACINE_OUTPUT_PATH/../bin" # 
  12. cp "ifconfig" "../bin"
  13. cp "netstat" "../bin"
  14. cp "route" "../bin"

The gawk binaries :

  1. apt-get   source gawk  audit/src
  2. cd audit/src/gawk-xxx # replace xxxx by the package version
  3. LDFLAGS="-static" sh ./configure # Static compiling is not always easy...
  4. make LDFLAGS="-static"  
  5. cp "gawk" "../bin"
  6. ln -s "../bin/gawk" "../bin/awk"

The grep binaries :

  1. apt-get   source grep  audit/src
  2. cd audit/src/grep-xxx # replace xxxx by the package version
  3. ./configure 
  4. make CC="gcc -static" 
  5. cp "src/grep" "../bin"
  6. cp "src/egrep" "../bin"

The lsof binary :

  1. apt-get   source lsof  audit/src
  2. cd audit/src/lsof-xxx # replace xxxx by the package version
  3. ./Configure -n linux 
  4. make CC="gcc -static" 
  5. cp "lsof" "../bin"

The strace binary :

  1. apt-get   source strace  audit/src
  2. cd audit/src/strace-xxx # replace xxxx by the package version
  3. ./configure 
  4. make CC="gcc -static" 
  5. cp "strace" "../bin"

The sed binarie :

  1. apt-get   source sed  audit/src
  2. cd audit/src/sed-xxx # replace xxxx by the package version
  3. ./configure 
  4. make CC="gcc -static" 
  5. cp "sed/sed" "../bin"

The netcat binary :

  1. apt-get   source netcat  audit/src
  2. cd audit/src/netcat-xxx # replace xxxx by the package version
  3. sed -i 1i"#include \"resolv.h\"" netcat.c # Why is it always so difficult to compile source code...  
  4. make linux 
  5. cp "nc" "../bin"

The binutils binaries :

  1. apt-get   source binutils  audit/src
  2. cd audit/src/binutils-xxx # replace xxxx by the package version
  3. ./configure 
  4. make  LDFLAGS="-all-static" &> make.log # CC="gcc -static" does not work here 
  5. cp "binutils/strings" "../bin"
  6. # more binaries in there, pick the ones you want

The findutils binaries :

  1. apt-get   source findutils  audit/src
  2. cd audit/src/findutils-xxx # replace xxxx by the package version
  3. ./configure 
  4. make CC="gcc -static"
  5. cp "find/find" "../bin"
  6. cp "locate/locate" "../bin"
  7. cp "xargs/xargs" "../bin"

.

Finally

We finished building our toolkit. Remember you should keep this toolkit (at least the bin folder) on a separate read-only file-system (like a CD).
You may want to verify that your binaries are really static. Use the ldd command for that.
ldd audit/bin/*
Should echo that all tools aren’t dynamic binaries.

Also in this section

20 July 2017 – Digging passwords in Linux swap

30 May 2016 – VNC to access Kali Linux on Raspberry Pi

5 December 2010 – Linux filesystem security scans

27 August 2010 – Linux security using a limited group (PAM modules)

14 August 2010 – How to secure Linux users

1 Forum posts

Any message or comments?
pre-moderation

This forum is moderated before publication: your contribution will only appear after being validated by an administrator.

Who are you?
Your post

Search

Also in this section

1.  Digging passwords in Linux swap

2.  VNC to access Kali Linux on Raspberry Pi

3.  Linux filesystem security scans

4.  Linux security using a limited group (PAM modules)

5.  How to secure Linux users

Most popular

1.  Digging passwords in Linux swap

2.  Bypass Defender and other thoughts on Unicode RTLO attacks

3.  Launch shellcodes and bypass Antivirus using MacroPack Pro VBA payloads

4.  Hacking around HTA files

5.  PE injection explained

5 random articles

1.  Rogue WiFi Access point

2.  Advanced USB key phishing

3.  Iptables firewall versus nmap and hping3

4.  Hide meterpreter shellcode in executable

5.  Hide HTA window for RedTeam

Sponsor

If you appreciate my work, you may help or reward with a contribution :)

Most recent articles

1 | 2 | 3 | 4 | 5

Recent comments

1 | 2 | 3 | 4 | 5

Latest news

2010-2023 Sevagas
Archives | | Contact

RSS 2.0 twitter linkedin facebook