Truman Installation Notes

From NSMWiki

Prerequisites

  • Two computers. I'm using the following:
    • PC #1 is the Truman Server
      • RHEL5
      • 512MB RAM
      • HDD large enough to hold an entire DD image of the Malware Client system disk, plus Linux, plus some left over for data capture and analysis. Perhaps 300GB.
      • 2x1Gb/s NICs
    • PC #2 is the Malware Client
      • Windows XP SP2 (do not install patches)
      • 1GB RAM
      • 100GB HDD
        • IMPORTANT: Create the Windows partition as small as possible. There's an awful lot of hard drive imaging and reimaging going on here, so you'll save a heck of a lot of time by making this no larger than necessary. I've had good experience with 8GB.
      • 1x1Gb/s NIC

On each system, do a base OS install. The Truman Server should be up-to-date with all patches. There should be no patches applied to the Malware Client, though!

Ideally, these should be on two physical computers! Some malware contains code to detect the presence of a virtual machine and fails to run, or provides misleading results. Also, VMWare often seems to have trouble keeping up with all this hard drive imaging. At best, it's slow as a slug. At worst, it crashes the VMs. Seriously, it's best if you use two physical machines for this.

However, if you do use a VM, you should configure each system to have one NIC on a shared virtual network that is not connected to the physical network. I assign one interface on each host to /dev/vmnet9. The main NIC on the Truman Server should be configured as a bridging interface, as it will be connecting to the actual network.

Also, if you're using VMWare, you may find it convenient to create snapshots of each host just after successful OS installation but prior to configuring Truman, just in case you hose things and need to back out and try over.

Installation

Truman Server

  1. Install the Linux NTFS driver RPM
  2. Examine the network interfaces
    1. Make sure eth0 is the public interface.
    2. Configure eth1 to be a private interface with IP 10.10.10.1 (on RHEL5 this is /etc/sysconfig/network-scripts/ifcfg-eth1; the HWADDR shown below is mine, use your own card's MAC):
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth1
HWADDR=00:0C:29:DF:E6:C1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.10.10.1
NETMASK=255.255.255.0
  3. Bring the eth1 interface up
# ifdown eth1
# ifup eth1
  4. Install prerequisite software packages
    1. yum install httpd tftp-server xinetd tcpdump dhcp wireshark
    2. chkconfig httpd on
    3. chkconfig dhcpd on
    4. chkconfig tftp on
    5. Download the ngrep SRPM, build and install that
      1. yum install libpcap-devel
      2. rpmbuild --rebuild ngrep-1.44-7.fc6.src.rpm
      3. rpm -ivh /usr/src/redhat/RPMS/i386/ngrep-1.44-7.i386.rpm
  5. Create the /bin/ddquiet utility, which Truman needs when restoring the Malware Client to its initial state. Be sure it's executable. It should be a shell script, like this:
#!/bin/bash
# Pass all arguments through to dd unchanged ("$@" keeps quoted arguments
# intact, unlike $*) and discard dd's record counts on stderr.
exec /bin/dd "$@" 2>/dev/null
  6. Unpack the truman distribution
    1. tar xfvpz truman-0.1.tar.gz
  7. Configure DHCPD
    1. Replace /etc/dhcpd.conf with the following config file:
allow booting;
allow bootp;

option routers                  10.10.10.1;
option subnet-mask              255.255.255.0;
option domain-name              "company.com";
option domain-name-servers      10.10.10.1;

ddns-update-style ad-hoc;

subnet 10.10.10.0 netmask 255.255.255.0 {
        range dynamic-bootp 10.10.10.2 10.10.10.6;
        default-lease-time 21600;
        max-lease-time 43200;
        filename "/pxelinux.0";
        next-server 10.10.10.1;

host client7 {
        ### NOTE: CHANGE THIS TO THE MALWARE CLIENT'S MAC ADDR
        hardware ethernet 00:0C:29:34:8A:4E;
        fixed-address 10.10.10.7;
}


# please don't delete this last squirrely brace.
}
  8. Configure xinetd
    1. Edit /etc/services and add the following lines:
# Truman Services
ddsave          45611/tcp                       # Truman save requests
ddrestore       45612/tcp                       # Truman restore requests
    2. cp $TRUMAN/etc/xinetd.d/* /etc/xinetd.d
    3. Edit /etc/xinetd.d/ddsave and /etc/xinetd.d/ddrestore and change the bind address from 4.5.6.1 to 10.10.10.1
    4. service xinetd restart
  9. Configure the Truman firewall rules to run at boot time!
    1. cp $TRUMAN/etc/init.d/fw /etc/init.d/truman.fw
    2. ln -s /etc/init.d/truman.fw /etc/rc3.d/S15truman.fw
    3. ln -s /etc/init.d/truman.fw /etc/rc5.d/S15truman.fw
    4. /etc/rc3.d/S15truman.fw start
  10. Copy the faux network services and forensics queues into place
    1. cp -rp $TRUMAN/fauxservers /
      1. Replace 4.5.6.1 with 10.10.10.1 in following files:
        1. /fauxservers/fauxdns.pl
        2. /fauxservers/fauxftp.pl
        3. /fauxservers/fauxirc.pl
        4. /fauxservers/fauxsmtp.pl
    2. cp -rp $TRUMAN/forensics /
      1. chgrp apache /forensics/queue /forensics/exes
      2. chmod g+rwx /forensics/queue /forensics/exes
      3. Edit /forensics/forensics.sh
        1. Change /mnt/new/WINNT to /mnt/new/WINDOWS
        2. Change /root/fauxservers/stop.sh to /fauxservers/stop.sh
  11. Create the /images directory
    1. mkdir /images
  12. Create loopback mountpoints
    1. mkdir /mnt/new /mnt/orig
  13. Copy /tftpboot into place
    1. cp -rp $TRUMAN/tftpboot /
    2. chgrp -R apache /tftpboot/pxelinux.cfg
    3. chmod g+rwx /tftpboot/pxelinux.cfg
    4. chmod g+rw /tftpboot/pxelinux.cfg/*
    5. Edit /tftpboot/pxelinux.cfg/truman, /tftpboot/pxelinux.cfg/normalboot and /tftpboot/pxelinux.cfg/default and replace the string "4.5.6.1" with "10.10.10.1" everywhere it occurs.
  14. Copy Truman binaries into place
    1. cp -p $TRUMAN/usr/bin/* /usr/bin
  15. Copy Truman CGI script into place
    1. cp -p $TRUMAN/usr/lib/cgi-bin/truman.cgi /var/www/cgi-bin

Malware Client

  1. Configure the system to boot from the network (PXE boot) only. Even when the system ends up booting from the local disk, it does so only after the PXE server has told it to.
  2. Create default users and passwords.
    1. Accounts: Administrator, user1, user2, user3. All passwords set to "password", or even no passwords if you prefer.
  3. Turn off AV, firewall and automatic updates.
  4. Install the PsTools distro from the Microsoft website; you need psshutdown.
    1. Unzip the file and copy everything into c:\WINDOWS\system32
    2. From command prompt, run psshutdown /?. You need to run it once to accept the license before you can really use it.
  5. Download and install the Microsoft Windows Server 2003 Resource Kit, which contains the sleep command used by go.bat
  6. Copy everything from the Truman Server's $TRUMAN/win32 directory into place on the Malware Client.
    1. get.bat & get.reg go in c:\
    2. Everything in $TRUMAN/win32/WINNT/system32 goes in c:\WINDOWS\system32
    3. Right click on get.reg and load it into the registry (select "Merge") to ensure the batch file automatically runs at boot time.
    4. Edit c:\get.bat
      1. Change SERVER_IP to 10.10.10.1
      2. Change "c:\WINNT" to "c:\WINDOWS" everywhere it occurs
  7. Create an empty file c:\zero.txt, and make sure it's exactly 0 length!
  8. Connect the Client and Server NICs via cross-over cable or plug them into a shared hub
  9. Verify that the Client's NIC is configured for DHCP and receives an address (test by pinging 10.10.10.1)
  10. Now, reboot the Malware Client and be sure to boot from the network!
    1. Select option 3 ("Save Only Boot") and wait for it to finish

Creating the Initial Baseline

Now that you've saved a copy of the initial image, set it up as the clean baseline image and gather some initial data. Perform the following steps on the Truman server:

  1. Save the newly-created disk image, and mount it
    1. mv /images/ddsave.img /images/ddrestore.img
    2. mount /images/ddrestore.img /mnt/orig
  2. Create a comprehensive list of initial files, directories and registry entries
    1. cd /mnt/orig
    2. ls -lR > /forensics/orig/orig.ls
    3. dumphive /mnt/orig/WINDOWS/system32/config/default /forensics/orig/default.reg
    4. dumphive /mnt/orig/WINDOWS/system32/config/software /forensics/orig/software.reg
    5. dumphive /mnt/orig/WINDOWS/system32/config/system /forensics/orig/system.reg
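Once a post-run image has been mounted on /mnt/new and listed the same way, the baseline earns its keep by comparison. The following Python is an added example, not part of the Truman distribution or of this page: it parses two ls -lR listings and reports paths that were added, removed or changed (permissions, size or mtime). The two embedded listings are constructed samples with made-up file names.

```python
def parse_ls_lR(text):
    """Map each path in an `ls -lR` listing to (perms, size, mtime)."""
    entries, cwd = {}, "."
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("total "):
            continue                      # blank separator or 'total N' summary
        if line.endswith(":"):
            cwd = line[:-1]               # directory header for the entries below
            continue
        # perms links owner group size mon day time name; maxsplit=8 keeps
        # file names containing spaces (common on Windows images) intact
        fields = line.split(None, 8)
        if len(fields) != 9:
            continue
        entries[cwd + "/" + fields[8]] = (fields[0], fields[4], " ".join(fields[5:8]))
    return entries


def diff_listings(baseline, current):
    """Paths added, removed, or changed (perms/size/mtime) since the baseline."""
    old, new = parse_ls_lR(baseline), parse_ls_lR(current)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


# Constructed sample listings standing in for orig.ls and a post-run listing.
BASELINE = """\
.:
total 4
drwxr-xr-x 2 root root 4096 Jan  1 12:00 WINDOWS

./WINDOWS:
total 4
-rw-r--r-- 1 root root 2048 Jan  1 12:00 notepad.exe
"""

AFTER_RUN = """\
.:
total 4
drwxr-xr-x 2 root root 4096 Jan  2 03:15 WINDOWS

./WINDOWS:
total 12
-rw-r--r-- 1 root root 7168 Jan  2 03:15 dropper.exe
-rw-r--r-- 1 root root 2048 Jan  2 03:15 notepad.exe
"""
```

A changed directory mtime (here ./WINDOWS) is itself a useful signal that something was written into it, which is why directories are kept in the comparison.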

A note about NICs

The Truman PXE environment is based on an old Linux 2.4 kernel, and really there's not a lot of network card support. Many common ones are included, like 3c509/3c59x, e1000, eepro and some others. I had trouble getting my 3c509 card to be recognized when Truman booted up into Linux on the Malware Client. Here's what I did to fix it:

  1. On the Truman Server, unzip /tftpboot/truman.img.gz and mount the filesystem:
    1. gunzip truman.img.gz
    2. mount -o loop truman.img /mnt
  2. Edit the /mnt/etc/init.d/rc.inet file to manually configure the network interface. At the top of the file, add:
echo
echo
echo "*********************************************"
insmod 3c59x
modprobe eth0
ifconfig -a
echo "*********************************************"
echo
echo
  3. Unmount the image and compress it again
    1. umount /mnt
    2. gzip -9 truman.img

Now when you boot the Malware Client into Linux, the network should be up.