Deterlab notes

Table of Contents

Deterlabs Docs

Deterlabs Commands Docs

Assignment

1 SSH

Generate a new key for the service.

ssh-keygen -t rsa -b 4096 -f ~/.ssh/deterlab

Add the ~/.ssh/deterlab.pub key to your Deterlab profile using the web page. There is a link in the yellow box on the left.

SSH has a config file that makes it easier to connect to services. If ~/.ssh/config does not exist, create it and add the following. Note that StrictHostKeyChecking no turns off host key verification, so SSH will silently accept a changed or unknown key for users.isi.deterlab.net and you lose the protection against a man-in-the-middle on the path to the bastion. The safer option is to leave that line out and compare the fingerprint shown on first connect with one obtained from a trusted source before answering yes.

Host deterlab
     HostName users.isi.deterlab.net
     User <YOUR USERNAME>
     Protocol 2
     IdentityFile ~/.ssh/deterlab
     StrictHostKeyChecking no
     PubkeyAuthentication yes
     PasswordAuthentication no

To connect to the Deterlab “Bastion” environment use:

ssh deterlab

2 Start an environment

Create a new environment named after your username. The second command waits for the environment to be built and then enters the node over SSH; it can take some time to finish. When the build is done you are asked to accept the node's RSA host key fingerprint, answer yes. You should then see a prompt like lnuitsaa@workbench:~$, which means you are on the node. The environment only needs to be created once; after that you swap it in and out, see 3.

startexp -i -p LnuITSec -e $USER /share/education/ComputerForensics_UCLA/forensics.ns
expwait -e LnuITSec,$USER active && ssh $(node_list -e LnuITSec,$USER)

3 Swapping

Swapping an environment in makes it available, swapping it out releases the nodes. The environment has a default lifetime of 4 hours before it is swapped out; I think this only happens if nothing is going on on the node. After that you need to swap in again.

3.1 In

Swap the environment in and join the node as soon as it is ready. The environment takes some time to start, at least a few minutes. Run this command on the “Bastion”.

swapexp -e LnuITSec,$USER in && expwait -e LnuITSec,$USER active && ssh $(node_list -e LnuITSec,$USER)

3.2 Out

When you are done working for the day, swap out so the resources can be used by someone else. Run this command on the “Bastion”.

swapexp -w -e LnuITSec,$USER out

4 Joining an ongoing session

If the session is active you can join it with:

ssh $(node_list -e LnuITSec,$USER)

5 Useful

5.1 Show node state

Show the state of a node.

expinfo -n -e LnuITSec,$USER

5.2 List all the files belonging to us.

ls -lR /proj/LnuITSec/

5.3 Install Emacs 25.1 on Ubuntu 10.04

Download emacs-25.1.tar.xz on your local computer (GNU signs its release tarballs, so verify the .sig before building) and transfer it to the node. The node has no internet access, so use scp or sftp from your local computer.

sudo apt-get install build-essential checkinstall
sudo apt-get install libncurses5
sudo apt-get install libncurses-dev
sudo apt-get build-dep emacs23
tar xf emacs-25.1.tar.xz
cd emacs-25.1
./configure --without-x
make

Add to ~/.profile (the binary is built in place, so the alias points into the source tree):

alias emacs25='~/emacs-25.1/src/emacs'

You can now use Emacs 25 by:

emacs25

5.4 ~/.profile

Useful alias.

alias l='ls -lhaF'
alias rm='rm -i'
alias mv='mv -i'
alias join='ssh $(node_list -e LnuITSec,$USER)'
alias swapout='swapexp -w -e LnuITSec,$USER out'
alias swapin='yes | swapexp -e LnuITSec,$USER in && expwait -e LnuITSec,$USER active && ssh $(node_list -e LnuITSec,$USER)'

6 Removing the environment

This destroys the environment completely! All* data on the node will be deleted. Use this only when you are done with all of the assignments.

endexp -w -e LnuITSec,$USER

7 Act 1

7.1 Download image

Download the act1 assignment image and compute its SHA-256 hash. Write the hash down: running sha256sum again after the analysis shows whether the image was changed while it was loop-mounted.

cd /images
sudo ./loadimage.sh act1.img
sha256sum act1.img

7.2 Examine the image.

Examine /images/act1.img, the raw disk image that was loaded. /images/sda1 is the directory where its first partition will be mounted in 7.3.

file /images/act1.img
fdisk -lu /images/act1.img

The table below lists the partition start offsets found on the disk. fdisk shows three entries: act1.img1, act1.img2 and act1.img5. Partition numbers 5 and up are always logical partitions, so act1.img2 is the extended partition and act1.img5 is the logical partition inside it (it starts 63 sectors after the extended partition, right after the EBR). The byte offset to give losetup -o is the start sector times 512.

Partition    Start (sectors)    Start (bytes, x512)
act1.img1               63                  32256
act1.img2          3887730             1990517760
act1.img5          3887793             1990550016
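Reading the offsets out of the MBR directly, instead of copying them from fdisk, is a small parser. The following is an added example (not part of the original notes and not Deterlab or assignment code): it decodes the four primary entries of a 512-byte MBR, checks the 0x55AA boot signature, and prints the read-only losetup command for each mountable partition. The sample MBR is constructed inline to reproduce the two primary start sectors from the table above; its partition sizes are made up, and the logical partition 5 lives in the EBR chain inside the extended partition, which this example does not walk.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS / Win95 LBA / Linux extended containers


def parse_mbr(mbr: bytes) -> list:
    """Decode the primary partition table of a 512-byte MBR.

    Returns one dict per used entry with the start sector and the byte
    offset to hand to losetup -o. Raises ValueError if the boot signature
    is missing, which usually means the file is a partition image rather
    than a whole-disk image, or is truncated.
    """
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR or truncated image")
    parts = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little endian
        status, ptype, lba_start, nsectors = struct.unpack("<B3xB3xII", mbr[start:start + 16])
        if ptype == 0:                            # empty slot
            continue
        parts.append({
            "number": i + 1,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "bootable": bool(status & 0x80),
            "start_sector": lba_start,
            "sectors": nsectors,
            "offset_bytes": lba_start * SECTOR_SIZE,
        })
    return parts


def read_mbr(image_path: str) -> bytes:
    """Read the first sector of a raw disk image."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def losetup_commands(image_path: str, parts: list) -> list:
    """One losetup line per mountable (non-extended) partition.

    -r makes the loop device itself read-only, -f picks the first free
    /dev/loopN and --show prints which device was used.
    """
    return [
        f"sudo losetup -r -f --show -o {p['offset_bytes']} {image_path}"
        for p in parts if not p["extended"]
    ]


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not taken from act1.img): a bootable Linux
    partition at sector 63 and an extended container at sector 3887730,
    matching the start sectors in the table; the sizes are made up."""
    entries = [
        (0x80, 0x83, 63, 3887730 - 63),   # status, type, LBA start, sector count
        (0x00, 0x05, 3887730, 204800),    # extended container, size constructed
    ]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\0")
    return b"\0" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())      # use parse_mbr(read_mbr(path)) on a real image
    for p in parts:
        kind = "extended" if p["extended"] else f"type 0x{p['type']:02x}"
        print(f"partition {p['number']}: {kind}, start sector {p['start_sector']}, "
              f"losetup offset {p['offset_bytes']}")
    for cmd in losetup_commands("/images/act1.img", parts):
        print(cmd)
```

On the real image, replace build_sample_mbr() with read_mbr("/images/act1.img"); the first printed offset should be the 32256 used in 7.3.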

7.3 Mount a loop image.

Attach the first partition (byte offset 32256, i.e. sector 63) as /dev/loop0 and mount it read-only on /images/sda1; this is the file system to examine and should be the root file system, holding the users and the system. Adding -r to losetup makes the loop device itself read-only as well, so a mistake in a later command cannot write to the image.

sudo losetup /dev/loop0 /images/act1.img -o 32256
sudo mount /dev/loop0 /images/sda1 -t ext2 -o ro
df -Th | grep /images/sda1
ls -la /images/sda1

7.4 Look for users

Bob told us that there are some accounts on the system: ‘bob’, ‘eric’, ‘kevin’, ‘peter’ and ‘takeda’.

cd /images/sda1
ls -l home/

Looks like all of them are there.

What does passwd say? Besides the five names, look for any account other than root with UID 0, an empty password field (no password needed to log in; an x means the hash is in /etc/shadow, so check there too), and home directories that do not match the ones under home/.

awk -F: -v OFS='\t' '{print $1, $2, $3, $4, $5, $6, $7}' /images/sda1/etc/passwd
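The awk line only reformats the file; the checks a forensic reader actually does on it can be written down. The following is an added example (not from the original notes or the assignment) that parses passwd lines and reports second UID-0 accounts, empty password fields, duplicate UIDs, regular users whose home is outside /home, and any difference between the regular users found and the five names Bob gave. The sample passwd text is constructed for the example and does not describe the act1 image; the sysd entry is a made-up rogue account to show what the checks catch.

```python
EXPECTED_USERS = {"bob", "eric", "kevin", "peter", "takeda"}   # the accounts Bob named
UID_MIN = 1000   # first regular-user UID on Debian/Ubuntu (UID_MIN in /etc/login.defs)


def parse_passwd(text: str) -> list:
    """Split /etc/passwd into dicts. A line without exactly 7 fields is
    itself suspicious on a forensic image, so it raises instead of being skipped."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def audit_passwd(users: list, expected=EXPECTED_USERS) -> list:
    """Return sorted (check, detail) tuples for entries worth a second look."""
    findings = []
    first_with_uid = {}
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("uid0", u["name"]))             # a second root account
        if u["pw"] == "":
            findings.append(("empty_password", u["name"]))   # login without a password
        if u["uid"] in first_with_uid and u["uid"] != 0:     # UID 0 already reported above
            findings.append(("duplicate_uid", f"{u['name']}={first_with_uid[u['uid']]}"))
        first_with_uid.setdefault(u["uid"], u["name"])
        if u["uid"] >= UID_MIN and u["name"] != "nobody" and not u["home"].startswith("/home/"):
            findings.append(("home_outside_home", u["name"]))
    humans = {u["name"] for u in users if u["uid"] >= UID_MIN and u["name"] != "nobody"}
    for name in sorted(humans - expected):
        findings.append(("unexpected_user", name))
    for name in sorted(expected - humans):
        findings.append(("missing_user", name))
    return sorted(findings)


# Constructed sample, not the contents of the act1 image. The last line is a
# made-up rogue entry: UID 0, empty password field, hidden home directory.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/bash
eric:x:1001:1001:Eric:/home/eric:/bin/bash
kevin:x:1002:1002:Kevin:/home/kevin:/bin/bash
peter:x:1003:1003:Peter:/home/peter:/bin/bash
takeda:x:1004:1004:Takeda:/home/takeda:/bin/bash
sysd::0:0::/var/tmp/.sysd:/bin/bash
"""


if __name__ == "__main__":
    # On the image: audit_passwd(parse_passwd(open("/images/sda1/etc/passwd").read()))
    for check, detail in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{check}: {detail}")
```

For the loop-mounted image, read /images/sda1/etc/passwd instead of the sample; the same parser works on /etc/group if you swap the field names.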

7.5 Search for deleted files on Ext2.

Search for deleted files on the Ext2 file system by running e2undel against the loop device; recovered files are written to /images/recovered, outside the mounted image.

sudo e2undel -d /dev/loop0 -s /images/recovered -a -tw

8 Dumps

https://staff.washington.edu/dittrich/misc/forensics/

Quick keyword searches through the logs. When working on the image, point these at the mounted copy (/images/sda1/var/log), not at the analysis host's own /var/log, and use zgrep for rotated .gz logs, which grep -r skips over.

sudo grep -ir breakin /var/log/*
sudo grep -ir attempt /var/log/*
sudo grep -ir login /var/log/*
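Keyword greps find individual lines; a brute-force login shows up as a pattern across lines. The following is an added example (not from the original notes, the assignment or the Dittrich dumps) that parses sshd "Failed password" and "Accepted" lines in the auth.log format, counts failures per source address, and reports successful logins from an address that already had several failures before the success. The log lines are constructed for the example with RFC 5737 documentation addresses and are not taken from any image; the threshold of 5 is a chosen starting point, not a standard.

```python
import gzip
import re
from collections import Counter, defaultdict

# sshd lines as written to auth.log by OpenSSH; the two forms this check uses.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def read_log(path: str) -> list:
    """Read a plain or gzip-rotated log file into lines."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as f:
        return f.read().splitlines()


def analyze_auth_log(lines: list, threshold: int = 5):
    """Count failed password attempts per source address and report accepted
    logins from an address that had at least `threshold` failures before them.

    Returns (failures_per_ip, suspicious_logins). Lines are processed in file
    order, so only failures preceding the success are counted for it.
    """
    failures = Counter()
    targeted = defaultdict(set)      # ip -> usernames tried
    suspicious = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            targeted[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= threshold:
                suspicious.append({"user": user, "ip": ip, "method": method,
                                   "failures_before": failures[ip],
                                   "users_tried": sorted(targeted[ip]),
                                   "line": line.strip()})
    return failures, suspicious


# Constructed sample lines (not from any image): a password-guessing run from
# 203.0.113.5 that ends in a successful login, and normal activity from 198.51.100.7.
SAMPLE_AUTH_LOG = """\
Feb 17 22:01:03 workbench sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Feb 17 22:01:05 workbench sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 40215 ssh2
Feb 17 22:01:08 workbench sshd[2205]: Failed password for root from 203.0.113.5 port 40220 ssh2
Feb 17 22:01:11 workbench sshd[2207]: Failed password for kevin from 203.0.113.5 port 40224 ssh2
Feb 17 22:01:14 workbench sshd[2209]: Failed password for kevin from 203.0.113.5 port 40229 ssh2
Feb 17 22:01:17 workbench sshd[2211]: Accepted password for kevin from 203.0.113.5 port 40233 ssh2
Feb 17 22:30:40 workbench sshd[2301]: Accepted publickey for bob from 198.51.100.7 port 51002 ssh2
Feb 17 22:31:02 workbench sshd[2305]: Failed password for bob from 198.51.100.7 port 51010 ssh2
"""


if __name__ == "__main__":
    # On the image: analyze_auth_log(read_log("/images/sda1/var/log/auth.log"))
    failures, suspicious = analyze_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for ip, n in failures.most_common():
        print(f"{ip}: {n} failed password attempts")
    for s in suspicious:
        print(f"login as {s['user']} from {s['ip']} after {s['failures_before']} failures "
              f"(users tried: {', '.join(s['users_tried'])})")
```

Run it over auth.log and its rotated copies in order (oldest first), since the failure counts only carry forward within the lines given to one call.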

Date: <2017-02-18 Sat>

Author: John Herrlin

Created: 2017-04-18 Tue 18:06

Emacs 25.1.1 (Org mode 8.2.10)
