Box Resuscitation 2: clean-up and updating BT5

Now that we're in, it's time to do a little clean-up of this older Win XP / BT5r1 box.

AMP stands for the Apache web server, the MySQL database server and a scripting language: PHP, Perl or Python, with PHP by far the most common. At first, AMPs were LAMPs, i.e., they ran exclusively on Linux. Lately however, with significant improvements in Windows security and in virtualization, a WAMP (the same stack on Windows) has become a practical option. Here's what a LAMP looks like in terms of architecture (courtesy of Wikipedia):

[Figure: LAMP architecture diagram]

With the advent of virtualization techniques, one does not really need separate computers to handle different tasks, as they can all be replaced by virtualization software, but I am already pushing my main computers to the max and there really isn't room to spare.

ssh

This particular laptop has a keyboard problem and a noisy fan. Rather than clean it up as I should (and possibly change the keyboard, as I have a spare), I decided to place it on a cooling mat (with fans), move it out of sight, connect it to the network and run sshd.

In BackTrack 5 R1 – the particular distro this laptop was running in dual boot with XP – to enable sshd and have it start at boot I issue the commands:

  1. sshd-generate   # generates the host keys (BackTrack ships without them); the service can then be started with /etc/init.d/ssh start, and stopped with stop instead of start
  2. update-rc.d -f ssh defaults   # adds the service to system startup
  3. service ssh start or start ssh # should also work

To log in via SSH from a Windows machine I can use PuTTY or MobaXterm (mxt in Sources). MobaXterm comes with its own X server ready to use, which means that you can run graphical apps off the server. I haven't seen an option for public-key login as PuTTY has, so if you will be logging in over the Internet or other less secure networks, consider setting up a key pair as shown in the DNS-32x hacking guide. Whatever the client, two things should happen before sshd is reachable from anywhere but the LAN: change BackTrack's well-known default root password (toor), and, once the key pair is in place, turn off password authentication in /etc/ssh/sshd_config so the box cannot simply be brute-forced.
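Added example (mine, not from the original post): a POSIX shell function that applies those sshd_config changes to a copy of the file, plus a helper that reports the value sshd would actually use. It runs only against a constructed sample config, never the live /etc/ssh/sshd_config; the sample's contents are my assumption, and PermitRootLogin without-password is the pre-OpenSSH-7.0 spelling that BT5's sshd understands (later versions accept it as an alias of prohibit-password).

```sh
#!/bin/sh
# Added example: harden the password/root-login directives of an sshd_config
# and report the value sshd would use. Everything below runs against a
# constructed sample file, never against the live /etc/ssh/sshd_config.

# sshd_setting FILE KEYWORD: the value sshd will use, i.e. the FIRST active
# occurrence of the keyword (sshd ignores later duplicates).
sshd_setting() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE: keep a .bak copy, strip every existing (active or
# commented-out) copy of the directives we manage from the global section, and
# re-add them before the first "Match" block, because anything after "Match"
# applies only to that block. "without-password" is the pre-OpenSSH-7.0 name.
harden_sshd_config() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    awk '
      function emit() {
        print "Protocol 2"
        print "PubkeyAuthentication yes"
        print "PasswordAuthentication no"
        print "PermitRootLogin without-password"
      }
      /^[ \t]*Match[ \t]/ && !placed { emit(); placed = 1 }
      !placed && /^[# \t]*(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|Protocol)[ \t]/ { next }
      { print }
      END { if (!placed) emit() }
    ' "$cfg.bak" > "$cfg"
}

# make_sample_config FILE: a constructed stand-in for a stock BT5-era config.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config, not the real file
Port 22
Protocol 2
#PubkeyAuthentication yes
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on a throw-away copy. On the real box keep a second session open while
# you do this, and run "sshd -t" before restarting the service.
demo=$(mktemp)
make_sample_config "$demo"
harden_sshd_config "$demo"
echo "PasswordAuthentication -> $(sshd_setting "$demo" PasswordAuthentication)"
echo "PermitRootLogin        -> $(sshd_setting "$demo" PermitRootLogin)"
rm -f "$demo" "$demo.bak"
```

The two points a quick sed would miss are the reason for the awk: sshd honours the first occurrence of a keyword, so a leftover "PasswordAuthentication yes" above the new lines would silently win, and a directive appended after a Match block only applies inside that block.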

info

Before going further, it's worth gathering some info about the machine. I knew it was a Toshiba Portégé M200, a tablet hybrid usually running a Pentium M (single core), but couldn't remember the processor speed, the amount of RAM or the exact size of the hard drive.

Other than lshw (truly wonderful), there are quite a few other commands for gathering hardware info:

  • cat /proc/meminfo  # 766676 kB total in my case
  • cat /proc/cpuinfo  # Pentium M 1.5 GHz
  • dmesg | grep CPU  # Transmeta :)
  • top
  • vmstat  # swpd 224, free 95392, buff 68784, cache 521484
  • free or free -m
  • dmidecode --type 17  (or dmidecode -t 17, or dmidecode --type memory)
  • hardinfo, sysinfo, lshw-gtk, hwinfo  # alternatives to lshw; only lshw is installed by default
  • lspci
  • lsusb
  • inxi -F  # must be installed first
  • cat /etc/issue  # distro name; BT5r1 changed to 2 after the upgrade
  • lsb_release -a  # the underlying Ubuntu release (10.04)

The dmidecode commands give more detail about memory: --type 17 and -t 17 are the same query (the "Memory Device" entries), while --type memory also includes the memory array and controller entries (DMI types 5, 6 and 16).

To check and monitor temperature you need to install lm-sensors and hddtemp:

  • apt-get install lm-sensors hddtemp
  • sensors-detect           # set-up and configuration; answer yes to everything
  • service module-init-tools start      # loads the modules sensors-detect added to /etc/modules (you could also reboot)
  • add-apt-repository ppa:jfi/ppa  (or ppa:jfi/psensor-unstable if you feel adventurous), then apt-get update
  • apt-get install psensor         # a graphical front-end that is supposed to work better

acpi -t may also work fine, though acpi itself usually needs to be installed as well.

To turn off the screen completely, a good idea if I won't be using it, I'd have to use the ToshSet utilities.

tosh

There are essentially two options when it comes to Toshiba utilities under Linux: toshutils ("Toshiba laptop utilities", APM only, 400-500 KB) and toshset ("Access much of Toshiba laptop hardware interface", 240 KB). Toshutils seem more polished and documented, but older (System, Hardware and Unique ID). Toshset has "hints" on using it with ACPI via an experimental driver, and patches for kernel 3.2; it seems to build upon toshutils. The Toshiba M200 seems to support APM 1.2 and ACPI 2.0; it is unclear whether the M400 supports APM – probably yes. Toshutils (and, very likely, toshset) provide the following commands:

  • alarm [-d, --disable | -l, --localtime | -h | -v, --version]
  • dispswitch [-h | -i, --internal | -e, --external | -s, --simultaneous | -v, --version]
  • fan [-f, --off | -n, --on | -a, --auto | -t, --toggle | -d, --daemon | -s, --smart]
  • hotkey [-h | -display | -m (monochrome) | -de | -en | -es | -fr | -it | -pt | -ja]
  • ownerstring [-p, --print | -r, --remove | -s, --set]
  • svpw [-u | -h]
  • tbacklight [-f, --off | -n, --on]
  • tdocked [-h]  # exit code 0xnn: 00 empty, 01 floppy, 02 ATAPI CD-ROM, 03 IDE HD, 04 2nd battery, 80 no support, 83 not attached, ff not Toshiba
  • tpasswd [-h]
  • tuxtime-conf [-ashv]
  • wmtuxtime [-c, --contrast | -n, --normal | -display | -geometry | -h, --help | -v, --version]
  • thotswap (sysadmin daemon) [-q, --quiet | -w, --wall | -x, --xmessage | -u, --unregister | -r, --rescan | -h, --help | -v, --version]

Some users reported success in using these utilities by editing /etc/default/grub and adding acpi_osi to the kernel command line, GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi_osi=\\\"Linux\\\"", followed by update-grub.

Obviously, both the method above and the one below might be redundant for our purposes if the backlight could simply be set to turn off from the BIOS (which I could not do).

According to how2g (link below), there is also a general way to turn off the monitor, xset dpms force off, and you can check the DPMS status of the X server with xset -q; but that did not seem to work on my computer (it probably needs to be enabled in the kernel or at boot-up, as with ACPI above).

There are a few variations on that, but since Ubuntu Karmic (9.10) it has been broken: some system calls apparently don't get along well with this command, causing the screen to wake up after about a minute.

The solution would be this script, screen_off.sh (Python, despite the name), placed in ~/bin and made executable with chmod +x; it needs the python-xlib package:

#!/usr/bin/python
# screen_off: grab the mouse and keyboard, force the panel off via DPMS and
# inhibit the screensaver; the first input event (a nudged mouse or a key)
# ends the inhibit and lets the screen wake up. Needs python-xlib.

import time
import subprocess
from Xlib import X
from Xlib.display import Display

display = Display(':0')
root = display.screen().root

# Grab input on the root window so the wake-up event reaches us, not some app.
root.grab_pointer(True,
        X.ButtonPressMask | X.ButtonReleaseMask | X.PointerMotionMask,
        X.GrabModeAsync, X.GrabModeAsync, 0, 0, X.CurrentTime)
root.grab_keyboard(True,
        X.GrabModeAsync, X.GrabModeAsync, X.CurrentTime)

subprocess.call('xset dpms force off'.split())
# -i keeps the screensaver inhibited for as long as this process lives
p = subprocess.Popen('gnome-screensaver-command -i'.split())
time.sleep(1)

# Block until the first pointer or keyboard event, then release everything.
print(display.next_event())
p.terminate()
display.ungrab_keyboard(X.CurrentTime)
display.ungrab_pointer(X.CurrentTime)
display.flush()

Sb made a script in April 2009 to turn a lobby display monitor on and off:

#!/bin/bash
# monitorControl.sh on|off|status: drive the panel through DPMS and report
# what the X server thinks the monitor state is.
export DISPLAY=:0.0

usage() {
  echo "usage: $(basename "$0") on|off|status"
  exit 1
}

[ $# -eq 1 ] || usage

case "$1" in
  off)
    echo -n "Turning monitor off..."
    xset dpms force off
    echo -e "done.\nCheck:"
    xset -q | grep "Monitor is"
    ;;
  on)
    echo -n "Turning monitor on..."
    xset dpms force on
    echo -e "done.\nCheck:"
    xset -q | grep "Monitor is"
    ;;
  status)
    xset -q | sed -ne 's/^[ ]*Monitor is //p'
    ;;
  *)
    usage
    ;;
esac

Cron turns off the monitor at night and back on in the morning (crontab fields: minute, hour, day of month, month, day of week):

  1. 0 20 * * * /home/lobby/monitorControl.sh off
  2. 0 7 * * * /home/lobby/monitorControl.sh on

I don’t need the monitor to be scheduled, but if this script resolved the aforementioned problems it’s worth a second look.

updating

Once logged in, the next task was to install all updates with:

  • apt-get update
  • apt-get upgrade

The first problem I noticed was an error for Opera – its repository signing key was no longer valid. That can be fixed with:

  • apt-get upgrade --fix-missing  # more general, I never had to use it
  • wget -O - http://deb.opera.com/archive.key | sudo apt-key add -  # re-import the key from Opera – always works!

One caveat on that last line: whatever comes back over plain HTTP becomes a trusted package-signing key, so anyone on the path could swap the key and then serve their own packages. Fetch the key over HTTPS where the vendor offers it, and compare its fingerprint (apt-key finger, or gpg --with-fingerprint on the downloaded file) against one published out of band before adding it.

OTOH, Opera is not really needed on a server box, but I’m a fan.

I reattempted the update and this time it seemed to go without problems. I left it unattended and when I checked again, there had been some kind of "not enough space" error. Also, the laptop seemed to be overheating, undoubtedly (judging by top) due to a process that kept trying to write to the HD and couldn't.

Time to clean-up.

freespace

Before freeing some space, I had to see how much I had. I knew this partition was at the limit (11 GB or so), but didn't know how bad things had got. To see the free space on each partition, I use df -h. The situation was indeed dire, so first I looked at the usual suspects with du -h dir (du -c adds a grand total at the end, du -ch | grep total shows just that, du -s summarizes the directory and du -S does the same but does not count subdirectories). /home doesn't get used much in this distro, but /root already had 200-300 MB. Yet most space was taken by the apt-get cache and old kernel images.

To clean up that cache and remove unneeded programs I issued:

  • apt-get clean   # empties /var/cache/apt/archives
  • apt-get autoremove --purge   # removes packages pulled in as dependencies that nothing needs any more, configuration files included (apt-get purge <pkg> does the same for a named package; the purge subcommand is the non-deprecated spelling of --purge)

To remove old kernel images, you might want to issue the following:

  1. uname -r   # shows your current kernel, the one you don't want to remove; if you try, the package scripts will warn you that such a move would have catastrophic consequences
  2. dpkg --list | grep linux-image  # lists all the images on the system; installed ones are marked ii (rc means only the config files are left)
  3. sudo apt-get purge linux-image-x.x.x.x-generic  # issue this for each image previously identified, making sure you don't remove your current kernel (or the latest)
  4. update-grub2  # grub normally updates by itself, but you can never be too careful

Here’s a script to do this automatically:

#!/bin/sh
# Purge every installed linux-* package whose name carries a version other
# than the running kernel's. Caveat: a newer kernel that is installed but not
# yet booted into is purged as well, so read the list before letting -y run.
cur=$(uname -r | cut -f1,2 -d"-")
dpkg -l 'linux-*' | awk '/^ii/{ print $2 }' | \
  grep -v -e "$cur" | grep -e '[0-9]' | xargs sudo apt-get -y purge

After these actions, the free space went to 1.8 GB.
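Added example, mine rather than the post's script: a planner that decides which linux-image packages are safe to purge and keeps both the running kernel and the newest installed one, which the one-liner above does not do (an upgrade you have not rebooted into yet would be purged). It works from a saved dpkg -l listing so it can be dry-run; the listing here is constructed, with made-up package versions and descriptions, and version ordering relies on GNU sort -V.

```sh
#!/bin/sh
# Added example: decide which old kernel packages are safe to purge. Keeps the
# running kernel AND the newest installed one. Runs on a saved "dpkg -l"
# listing (constructed below) so it can be dry-run; needs GNU sort -V.

# plan_kernel_purge RUNNING LISTING: print the linux-image packages to purge.
# RUNNING is what "uname -r" prints; LISTING is the output of "dpkg -l".
plan_kernel_purge() {
    running="$1"; listing="$2"
    # installed (ii) versioned images only: "rc" leftovers and meta-packages
    # such as linux-image-generic (no digit after the prefix) are skipped
    installed=$(awk '/^ii +linux-image-[0-9]/ { print $2 }' "$listing")
    [ -n "$installed" ] || return 0
    newest=$(printf '%s\n' $installed | sed 's/^linux-image-//' | sort -V | tail -n 1)
    printf '%s\n' $installed | grep -v -e "linux-image-$running\$" -e "linux-image-$newest\$" || true
}

# Constructed listing: package names follow BT5's pattern, but the versions
# and descriptions are made up for the example.
make_sample_listing() {
    cat > "$1" <<'EOF'
||/ Name                          Version        Description
+++-=============================-==============-==========
ii  linux-image-2.6.38-8-generic  2.6.38-8.42    Linux kernel image (constructed)
ii  linux-image-2.6.39.4          2.6.39.4-bt0   BackTrack kernel (constructed)
rc  linux-image-2.6.35-22-generic 2.6.35-22.33   removed, config files left
ii  linux-image-3.2.6             3.2.6-bt1      BackTrack kernel (constructed)
ii  linux-image-generic           2.6.38.8.22    meta-package
ii  linux-headers-2.6.39.4        2.6.39.4-bt0   headers, not an image
EOF
}

# Demo. For real use:  dpkg -l > /tmp/dpkg.lst; plan_kernel_purge "$(uname -r)" /tmp/dpkg.lst
# and only once you have read that list pipe it into "xargs apt-get purge".
lst=$(mktemp)
make_sample_listing "$lst"
echo "running 2.6.39.4, purge:"; plan_kernel_purge 2.6.39.4 "$lst"
echo "running 3.2.6, purge:";    plan_kernel_purge 3.2.6 "$lst"
rm -f "$lst"
```

Matching headers packages (linux-headers-x.y.z) can be handled the same way; they are left out here so that the list maps one-to-one onto the kernels you would still be able to boot.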

armitage

Seeing the glorious new free space, I decided to play a little bit with Raphael Mudge's Armitage, a GUI front-end for Rapid7's Metasploit. Needless to say, that wasn't necessary and you would be well advised to skip this entire section; I had to try it because it uses Java, and I do not install Java on any of my [regular] machines because it's too slow, resource hungry and a security risk.

Metasploit recommends registration, but I haven't bothered. There are a number of svn errors on update (even after the upgrade to R2), but they can be easily fixed by pointing the bundled OpenSSL 0.9.8 libraries at the system ones:

cd /opt/metasploit/common/lib
mv libcrypto.so.0.9.8 libcrypto.so.0.9.8-b
mv libssl.so.0.9.8 libssl.so.0.9.8-backup
ln -s /usr/lib/libcrypto.so.0.9.8
ln -s /usr/lib/libssl.so.0.9.8
msfupdate

After updating it with msfupdate, it started spitting out a number of errors due to poor postgresql implementation. Upon investigating, I learned that my best bet was now to upgrade to BT5R2. To do this properly I will need to shrink the Windows partition and increase the linux partition first.

bt5r2

I booted up the CD or DVD (can't remember) – it was the KDE 32-bit one though. On install, I chose the timezone, then chose manual partitioning. I proceeded to shrink the Windows partition by 2 GB (after previously having defragged even the free space with Defraggler). I erased the old ext4 and created a new one over the new free space with a right click, assigning it /. The install went fine, then I issued apt-get update; apt-get upgrade. When I came back, I found some errors due to insufficient disk space. It seems that the 800+ MB of free space were somehow not enough to install hashcat-gui, a program that needed 85 MB of download. The other packages were backtrack-utils, ophcrack and pytbull. I decided to upgrade only those, skipping hashcat for now. Issuing apt-get install package should work, though if you want to upgrade a package only if it is already installed, try

dpkg -s <package> 2>/dev/null | grep -q '^Status: .* installed$' && sudo apt-get install <package>

..which can be made into an upgrade-package.sh script:

#!/bin/bash
# upgrade-package.sh: upgrade a package only if dpkg already has it installed
# (the Status line reads "install ok installed" or "hold ok installed").

[[ -z $1 ]] && { echo "Usage: $(basename "$0") package"; exit 1; }

if dpkg -s "$1" 2>/dev/null | grep -q '^Status: .* installed$'; then
    echo "Attempting to upgrade $1"
    sudo apt-get install "$1"
else
    echo "Package $1 is not installed"
fi

This went rather well. After giving the other programs a chance to be upgraded, a bunch of other packages wanted to be updated when I ran apt-get upgrade. And again, the command failed when it came to hashcat-gui's turn.

root@bt:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  hashcat-gui
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/85.3MB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]?
(Reading database ... 235141 files and directories currently installed.)
Preparing to replace hashcat-gui 0.5.0-bt0 (using .../hashcat-gui_0.5.1-bt0_all.deb) ...
Unpacking replacement hashcat-gui ...
dpkg: error processing /var/cache/apt/archives/hashcat-gui_0.5.1-bt0_all.deb (--unpack):
failed in buffer_write(fd) (10, ret=-1): backend dpkg-deb during `./pentest/passwords/hashcat-gui/oclHashcat-plus/kernels/4098/m0300_a0.WinterPark.32.kernel': No space left on device
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Errors were encountered while processing:
/var/cache/apt/archives/hashcat-gui_0.5.1-bt0_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

I am very much tempted to blow away the existing install and steal another GB from Windows when reinstalling. Instead, I decide to purge this package and then reinstall it. Luckily, it works!

btkb

This tablet hybrid has a keyboard, but it’s toast, so I’ll be using a bluetooth keyboard. For that, I’ll install bluez:

apt-get install bluez python-gobject python-dbus
cd  /usr/share/doc/bluez/examples/
hcitool dev #discover it
./simple-agent hci0 XX:XX:XX:XX:XX:XX #your device should be on
./test-device trusted XX:XX:XX:XX:XX:XX yes #different for 11.04
/etc/init.d/bluetooth restart
dmesg|tail #check if it was added

Once the keyboard is added, we're in business. Unfortunately, the above did not work; I had to use hcitool scan (or hidd --search) followed by hidd --connect and the device address (the --search and --connect switches belong to hidd, the HID daemon from bluez-compat, not to hcitool). I set an alias in .bash_aliases so that I don't have to search again. I don't make the pairing permanent because I will not be using it often.

wireless

If I turned on BT I might as well configure a wireless connection (on this notebook, the BT and WiFi radios are turned on and off from the same switch). Strangely, Wicd, the wireless manager of the KDE build, seems to be plagued by problems. Luckily, wpa_supplicant (the console program that negotiates WiFi connections) is installed by default, so we don't need to worry about it. Here are the commands:

  1. /etc/init.d/networkmanager stop   # stop the network manager, especially if connected elsewhere
  2. ifconfig wlan0 up   # wake up your hardware
  3. iwlist wlan0 scan   # scan for your router
  4. wpa_passphrase "Your AP" "secretkey" > /etc/wpa_supplicant.conf   # derives the 256-bit PSK from the passphrase and writes a network block to the configuration file
  5. (if temporary, you could get away with just wpa_passphrase "ssid" "password" > wpaconfig followed by wpa_supplicant -iwlan0 -cwpaconfig)
  6. edit the network section to add key_mgmt=WPA-PSK if using the personal protocol (optional, since wpa_supplicant defaults to WPA-PSK/WPA-EAP), delete the #psk="..." comment that wpa_passphrase leaves in (it holds your passphrase in clear text), then chmod 600 the file so that only root can read it
  7. wpa_supplicant -Bd -Dwext -iwlan0 -c /etc/wpa_supplicant.conf   # -D is the driver – see wpa_supplicant -help, which lists more options under drivers; wext is a catch-all
  8. dhclient wlan0   # wait a few seconds to get an IP address (if you had one, release it first with dhclient -r), then
  9. ifconfig wlan0   # check if you're connected
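Added example (mine, not the post's): a shell function that takes the network block wpa_passphrase prints and turns it into a root-only /etc/wpa_supplicant.conf without the plaintext #psk comment, with key_mgmt made explicit. The input is a constructed stand-in for wpa_passphrase's output; the 64-hex psk in it is a placeholder, not a real PBKDF2 value, and the file and directory names are throw-aways.

```sh
#!/bin/sh
# Added example: sanitize the "network={...}" block wpa_passphrase prints into
# a root-only wpa_supplicant.conf. The sample input is constructed; its psk is
# a placeholder, not the real PBKDF2 output.

# sanitize_wpa_conf IN OUT: control-interface header + the network block, with
# the passphrase comment removed and key_mgmt made explicit. The file is
# created under umask 077 inside a subshell, so it is 0600 from the first byte
# and the umask does not leak into the caller's shell.
sanitize_wpa_conf() {
    (
        umask 077
        {
            echo 'ctrl_interface=/var/run/wpa_supplicant'
            echo 'ctrl_interface_group=0'
            echo 'update_config=1'
            awk '
              /^[ \t]*#psk=/ { next }                       # drop the ASCII passphrase
              /^[ \t]*psk=/  { print "\tkey_mgmt=WPA-PSK" }  # explicit; the default anyway
              { print }
            ' "$1"
        } > "$2"
    )
}

# has_plaintext_psk FILE: true (0) if the passphrase comment is still there.
has_plaintext_psk() {
    grep -q '^[ \t]*#psk=' "$1"
}

# file_mode FILE: the permission string as ls shows it, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Constructed copy of what `wpa_passphrase "Your AP" "secretkey"` prints
# (the real tool indents with a tab and emits a real PBKDF2 psk).
make_sample_passphrase_output() {
    cat > "$1" <<'EOF'
network={
        ssid="Your AP"
        #psk="secretkey"
        psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}
EOF
}

# Demo on throw-away files. On the laptop the sequence is:
#   wpa_passphrase "Your AP" "secretkey" > /tmp/net.txt
#   sanitize_wpa_conf /tmp/net.txt /etc/wpa_supplicant.conf; rm /tmp/net.txt
#   wpa_supplicant -B -Dwext -iwlan0 -c /etc/wpa_supplicant.conf
src=$(mktemp); dir=$(mktemp -d); out="$dir/wpa_supplicant.conf"
make_sample_passphrase_output "$src"
sanitize_wpa_conf "$src" "$out"
echo "mode: $(file_mode "$out")"
cat "$out"
rm -rf "$src" "$dir"
```

The header lines are the same three the WPS procedure below asks for, so the resulting file also works as the base for wpa_cli; the PSK in it is still a credential (it authenticates to the network just as the passphrase does), which is why the file must stay 0600.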

If you have a WPS router, you can connect with the router's WPS PIN instead of the WPA passphrase. (Keep in mind that this same external-registrar PIN exchange is what Reaver-style attacks brute-force in a matter of hours, so leave WPS disabled on any AP you control.)

First, set yourself up a very basic /etc/wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

Second, start wpa_supplicant in daemon mode: wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B

Third, run wpa_cli, and verify that it's working by issuing command 'status'. You should see wpa_state=INACTIVE

Fourth, lets add our BSSID and PIN: wps_reg xx:xx:xx:xx:xx:xx 12345678

You should see an "OK". Wait a few more seconds as wpa_supplicant picks up the BSSID and tries to associate and perform key negotiation. What you want to see is "CTRL-EVENT-CONNECTED", which will indicate that the PIN was accepted and that you're now associated.

At this point, if you were to exit wpa_cli, you could run dhclient on wlan0 and would be offered an IP from the AP, assuming DHCPd were enabled.

Go ahead and type the command 'save', which should output another "OK". This will update the wpa_supplicant.conf file, as specified from the command line, with a static configuration for this new network.

Verify by: cat /etc/wpa_supplicant.conf

If all went well, you should have a line under this new network titled 'psk'. Good luck!

It's much simpler to connect to a WEP router (not that you should run one: WEP keys are recovered in minutes from captured traffic, so treat this as legacy-gear support only):

  1. ifconfig wlan0 down
  2. iwconfig wlan0 mode managed
  3. iwconfig wlan0 key 00:00:00:00:00 # change it with your known key
  4. iwconfig wlan0 channel x  # I’ve a feeling this does not need to be spec’d
  5. iwconfig wlan0 essid YourAP  # may be concatenated with 3
  6. dhclient wlan0

That’s it.

radio

Another small install I just had to make was a console radio, pyradio, which comes with all the stations I enjoy. It needs mplayer already installed. If you want to record music, you might want to install streamripper (more in recording anything).

It is also possible to use mplayer mms://somafm.com/GrooveSalad (need to play with this some more; http://ice.somafm.com/groovesalad with vlc or cvlc, for instance).

Once all this is done and working, it remains to change the login and password to something that can be entered with the defective keyboard, and to alias and test the commands that add the BT keyboard. And in some distant future, I should replace the keyboard and clean or replace the noisy fan.

automount

Since I'm operating under very tight space constraints, any generated data will have to be saved to the Windows partition. To ensure it is mounted on each and every boot, we need to add it to fstab:

  • mkdir -p /media/windows   # no error if existing, make parents as needed
  • cp -a /etc/fstab /etc/fstab.`date +%y%m%d-%H%M%S`   # backup, optional
  • echo "/dev/sda1 /media/windows ntfs-3g defaults 0 0" >> /etc/fstab
  • mount -a   # mounts everything in fstab now, so a typo shows up here rather than at the next boot

/dev/sda1 is the Windows partition on this laptop; if the numbering could change (a USB disk present at boot, say), blkid gives the partition's UUID and UUID=... can replace the device name in fstab. The in-kernel ntfs driver of that era mounts NTFS read-only; ntfs-3g (the FUSE driver) is the one that writes, so on this older distro the fstab line has to say ntfs-3g rather than ntfs.

Once mounted, you might want to create symbolic links to the Windows directories you will be using for data. For instance, in the /root directory,

  • ln -s /media/windows/lk/MyApps bin

To mount a Samba share from fstab, you might use an entry like //ntserver/docs /mnt/samba cifs username=docsadm,password=D1Y4x9sw,_netdev 0 0. Note that this puts the password into /etc/fstab, which is world-readable; the credentials file below is the better way.

Here's a command making use of a file containing the password:

mount -t cifs //192.168.1.2/path/2mount -o rw,uid=500,gid=500,file_mode=0775,dir_mode=0775,credentials=/root/smb

The /root/smb file should contain two lines, username= and password=, with no spaces around the equals signs, and the password shouldn't contain slashes (it might choke on other special characters as well, giving "Permission denied"); make it readable and writable only by root (chmod 600). The -o list may simply contain username= and password= directives instead. You might want to use _netdev, which delays mounting until the network is up (it is handled by mount itself rather than by mount.cifs, which is why mount.cifs reports it as unknown). If that doesn't work and you need the functionality, you could create an executable script in /etc/init.d containing just #!/bin/sh and mount -a.
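Added example (mine, not the post's): a function that writes the cifs credentials file the safe way, and an audit of an fstab for the two mistakes just discussed, a password inline in the world-readable /etc/fstab and a credentials= file that is missing or not 0600. The fstab it runs on is constructed for the example; the share names, user and password in it are placeholders.

```sh
#!/bin/sh
# Added example: write a cifs credentials file safely and audit an fstab for
# inline passwords and badly protected credentials files. Runs on a
# constructed fstab, not this laptop's.

# make_cifs_credentials FILE USER PASS: the two-line file mount.cifs expects,
# created fresh under umask 077 so it is 0600 from the first byte.
make_cifs_credentials() {
    rm -f "$1"
    ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
}

# file_mode FILE: permission string as ls prints it, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# audit_fstab FSTAB: one line per finding, "KIND MOUNTPOINT [PATH]".
audit_fstab() {
    awk '$1 !~ /^#/ && $3 == "cifs" { print $2, $4 }' "$1" |
    while read -r mnt opts; do
        case ",$opts," in
            *,password=*) echo "INLINE-PASSWORD $mnt" ;;
        esac
        cred=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^credentials=//p')
        if [ -n "$cred" ]; then
            if [ ! -f "$cred" ]; then
                echo "MISSING-CREDENTIALS $mnt $cred"
            elif [ "$(file_mode "$cred")" != "-rw-------" ]; then
                echo "LOOSE-CREDENTIALS $mnt $cred"
            fi
        fi
    done
}

# make_sample_fstab FILE CREDFILE: constructed entries in the shape used above.
make_sample_fstab() {
    cat > "$1" <<EOF
# constructed sample fstab (not the laptop's real one)
UUID=1234-ABCD /media/windows ntfs-3g defaults 0 0
//ntserver/docs /mnt/samba cifs username=docsadm,password=s3cret,_netdev 0 0
//192.168.1.2/share /mnt/share cifs credentials=$2,uid=500,gid=500,_netdev 0 0
//192.168.1.3/old /mnt/old cifs credentials=/nonexistent/smb,_netdev 0 0
EOF
}

# Demo on throw-away files: first with a correct 0600 credentials file, then
# after loosening it, which adds a LOOSE-CREDENTIALS finding.
d=$(mktemp -d)
make_cifs_credentials "$d/smb" docsadm s3cret
make_sample_fstab "$d/fstab" "$d/smb"
audit_fstab "$d/fstab"
chmod 644 "$d/smb"
audit_fstab "$d/fstab"
rm -rf "$d"
```

Run audit_fstab /etc/fstab on the real file; anything it prints is a credential that a local unprivileged user can read (or a mount that will fail at boot).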

One last point is that a hibernated Windows whose main drive was written to will wake up complaining; letting Scandisk "fix" it results in major headaches (inf-hib). ntfs-3g checks for an active hiberfil.sys and refuses to mount such a volume read-write (forcing it with the remove_hiberfile option discards the hibernated session), so a fully shut-down Windows is the only safe arrangement for a shared data partition. If your driver does not detect it, consider using this bash script.

More guides etc below.

Sources / More info: mxt, lnx-duf, toshset, mysql-323, mysql-fonz, apache-bt, How to install Tor on Backtrack 5, start+faq, armtg-bt5-err, bt5-upd, Metasploit db_autopwn using PostgreSQL, bt5-mtsplt-pgs, asku-single, pyradio, bt-setup, wifite, how2g-monhkey, sb-toff, nxmehta, rsw, rtl8192, cidr, bt52bt, bt5-nessus, fsheep, inf-hib, ub-tosh, ub-fan, mp-radio, wpa, ub-tc, ub-tcrep
