I had a CD-RW drive but being a computer security researcher I had no desire to spend money for blank cd-recordables. What follows is how I managed to install various operating systems on my computer (1 hard drive) without having to burn to a CD the ISO and then boot from that.
The original reason I wrote this article was just to expand my knowledge of network/computer security on unix/BSD/linux operating systems. The plan was to create a multi-OS pc that I could boot into 1 of several OS's, then from another PC I would attempt to hack into the computer.. mostly just scanning to get baselines and get a feel for the differences. I figured the best way to do that would be to have a multi-boot system. Unfortunately for me I didn't have any blank CDs to record ISO's on, and I also didn't have a floppy 3.5 disk. So that is how my journey into this subject-matter started.
- Download the iso file
- Mount the iso file as a loop back device on a temporary directory
- Save the content of
/mnt/cdrom, which has the distro expanded in a recognisible form, into a temporary directory. (using dd to "burn" the iso to HD instead of CD)
- Reboot and use Grub, sourced from any other Linux, to boot up the kernal and initrd files of this temporary directory, thereby activate its installer if it has one or to conduct the installation from the fire-up GUI.
NOTE: Please keep in mind that there are many different ways to achieve this same result using various loop and ramdisk methods... this is ongoing for me so any help would be appreciated!
I have been into the computer security scene since 1990, but I realized that I had very little experience with the various LInux, Unix, and alternative Operating systems out there. I first partitioned my 120GB harddrive into 10 partitions, the 2nd partition is a small swap and the last partition is extra large because it holds all the ISO images.. I then wrote a small shell script to automatically download (I love wget, but curl most!) the following.
- Local Area Security
- Packet Master
The script also downloaded Installation manuals and md5 checksums.. (let me know if I should post... its pretty unsophisticated ;)
I installed Slackware (personal favorite) on hda1 using my last blank CD-R, note that I do not have a separate boot partion. (Should I?). I also installed grub on the MBR. I love grub, if you read through the man pages and all info you can find about grub, you can learn a whole lot. Grub has much more features and capability than lilo, even though lilo comes installed by default with slack.
I organize my kernel situation as follows... In my
/boot directory, I mkdir KERNEL, CONFIG, MAP, INITRD and that is a good way for me to keep my kernels and everything organized.. Another good way is a separate dir for each new kernel.
Since Arch-Linux is a solid distro, my personal favorite, I'll use that as a first example.
Here is the Arch-Linux section of my shell script
goge Arch-Linux $w http://puzzle.dl.sourceforge.net/sourceforge/archlinux/arch-0.6.iso $w http://unc.dl.sourceforge.net/sourceforge/archlinux/arch-0.6.md5sum $w http://www.archlinux.org/docs/en/guide/install/arch-install-guide.html md55 cat arch-0.6.md5sum md5sum arch-0.6.iso md55
The first thing to do is to mount the downloaded ISO image so we can use it as if it were an actual CD.
mount -t iso9660 -o ro,loop=/dev/loop0 cdimage /mnt/cdrom
Where cdimage= the ISO image. EX:
This mounts the iso as /mnt/cdrom.
Next you need to copy /mnt/cdrom to a separate partition for the booting process. So mkfs.ext2 /dev/hda9. ( I prefer reiserfs or even XFS to ext but if you use something other than ext2 you could run into some problems because some of the installation kernels and initrds don't include support for reiserfs and so can't recognize the files. Although you could use mkinitrd to create a new initrd with reiserfs support, that might be pushin it IMO... ;) I use the 9th partition consistently for this. I know there is a "right" way to copy the /mnt/cdrom files so everything stays the way it is supposed too, using tar or cpio, but I'm lazy so I just do cp -rp.
(What is the tar or cpio commands to copy with correct permissions etc??)
So you mount the 9th partition as whatever, say /mnt/hd and then copy the files. Now what?
Now edit your
/boot/grub/menu.lst file to include the specific options to boot arch-linux installation.
A good idea is to find the
isolinux.cfg file somewhere on the distro cd, this will tell you what to include in the menu.lst. Here is the section in my
title Arch Install root (hd0,8) kernel /isolinux/vmlinuz load_ramdisk=1 prompt_ramdisk=0 root=/dev/rd/0 initrd=/isolinux/initrd.img
This should be self-explanatory. The root (hd0,8) is pointing to partition 9. So the rest of the commands start from partition 9.
When you experience problems, remember you can always edit the grub boot options by typing 'e' and then edit the section. Also, a good idea is to include several variations in your menu.lst so you can easily try other ways to boot efficiently. And, remember to read up on all the installation guides that come with your distro, specifically, hard-disk installs.
There are special cases, Gentoo, has a semi-new compressed filesystem called squashfs. BTW, this is AWESOME, so check it out. It has to be compiled into the kernel, so some work is in order, but use this recompile to optimize your kernel. You can get the squashfs patch for almost any kernel. I use the latest stable 2.6 kernel. Squashfs is incredible and although I don't think you need it to install from ISO, you do need it to expand the livecd.squashfs filesystem that comes with the cd. Heres a sample Gentoo section from my menu.lst
title Gentoo Install root (hd0,8) kernel /isolinux/gentoo root=/dev/ram0 initrd=/isolinux/gentoo.igz init=/linuxrc acpi=off looptype=squashfs loop=/livecd.squashfs cdroot vga=791 splash=silent
A nother' tip is the shell that is provided if you experience problems, typically busybox or ash. The key tools to get you going from here is mount and chroot. Sometimes you will need to manually create a simulated file system and then chroot into it. For instance, you might have to create boot, etc, bin, directories on the target partition.
I generally install each OS onto the next partition (careful of the logical partition) and add it to my menu.lst after install. A good idea is after installation, copy the kernel and initrd(if there is one) to the slackware(or whatever) boot partition on hda1. I copy kernels to /boot/KERNEL/ and initrd's to /boot/INITRD, then menu.lst is more organized...
You then need to add an updated section to your menu.lst (just comment out the install section for later) Here is the finished arch-linux section from menu.lst
title Arch Linux 6 root (hd0,2) kernel /boot/vmlinuz26 ro root=/dev/hdc3
This doesn't use my convenient boot/KERNEL/vmlinuz26 as you can tell by setting the root to partition 3. ***NOTE: Make a backup of MBR using dd and save to floppy, also backup the partition table to floppy, using cfdisk or parted. And boot disks (I use 1 with grub, and 1 with slack, and tomsbootdisk) will invariably come in handy. Tomsbootdisk is recommended, and make the grub boot disk when you install grub. install to floppy.
The final result after some fun experimenting, is when I boot, I have a cool grub boot screen come up with the option to boot into whatever OS I want, this is handy for multiple reasons. One good thing to do after this is to port scan and vuln scan each OS, after you update of course. Write this stuff down and you will know the weaknesses/strengths of the various OS's.
I can boot a custom Firewall, snort, or multiple honeypots using this procedure, as well as a graphical kde environment with a kernel optimized for graphics and my processor/architecture, or an environment devoted to forensics or even an environment suitable for programming.
P.S. Some of the cooler alternative operating systems are BeOS 5, EOS, ER_OS, V2_OS, and my personal favorite Menuet. Menuet is 100% assembly graphical operating system that fits on a floppy. Its money!
This should be a good enough example to get you started, this kind of thing should be learned and not just copied... Knowing how to do this stuff could prove to be exceptionally useful... ;)
I'm currently doing research into the following areas.
- MBR code, especially passing off control to different addresses.
- The difference (in code) of the various bootloaders out there... I have around 20 so far.
- How to use grub with the stage1_5 iso9660 to be able to read iso filesystems.. this leads to the possibility of moving the iso file to a specific area on the hard drive and load the iso file as if it were a device..
- How to pass control from the boot-loader, to the boot-manager, to the boot-loader on the iso filesystem. This is my #1 goal. Make it look to the iso filesystem that besides the fact that its a file and not a cd, that a previous boot-loader didn't chain-load to it. IOW, that it is a fresh boot that received its control directly from the BIOS. stupid f'in BIOS! How easy it is to boot from a CD-server serving iso files as cd's, on a nearby pc.
- How to use the ability of boot-loaders to register and load code into memory much like loop devices, to load and register the code for an iso filesystem, in a looping fashion.
- How to use vmware to install an iso using the "use actual harddisk" method, how to use this on a partition, safely, and how to transfer entire partition images byte by byte.
I am doing a lot of code hacking and if I don't find an easy (for all linux skill levels) solution soon with one of the boot-loaders, I am looking at having to write one myself.. something I REALLY STRONGLY do not want to do. Any suggestions are welcome.
Also, looking at how the pre-root root, that grub loads and then mounts the kernel from it, how can I add the loop option to tthe mount command used. This happens all transparently for th euser, so I know I have to hack it out.. But is it possible to use a looped fs? without a mounted HD? with a mounted HD that the original looped iso is mounted on?
Also looking at using the ramdisk initrd to load some type of custom program that allows me to mount a looped fs on the pre-root, (or root).
Looking at GRUB2 code has helped a lot. I also like the Ranish Partition Manager..
ONCE AND FOR ALL, lilo just can't compare AT ALL to grub or Ranish Partition Manager. I bet people only use it because of the "first love" syndrome. eh?
At any rate, I'm learning a lot, and many of the results I will find I will post here eventually, because they are HUGE lee important for the security community.
A couple months ago, I stumbled across two incredible programs that I have used over and over again in awe. After getting over my greediness of wanting to keep them to myself.. here you go.. enjoy!The home page for these tools EasyBoot and UltraISO.
Some Uses Ive Explored:
- Copying all my system CD's and install CD's to my HD.
- Modifying my XP Restore CD's to be current and streamlined with XP SP2 and include my favorite windows programs.
- Creating a custom grub boot CD with extra and unique capabilities.
- Viewing the construction of all major Operating System's Boot Loader Code and related code.
Suggestions for use:
- Read the product documentation thoroughl
- Get a good hexeditor/viewer
- Read a bunch of threads in the forum
- Begin use
Hey the last issue of phrack (#63) has a really relevant article to this topic..
You can check it out at www.phrack.org or download it here and read it at your leisure :)
==Phrack Inc.== Volume 0x0b, Issue 0x3f, Phile #0x0a of 0x14 |=-----------------=[ Hacking Grub for fun and profit ]=-----------------=| |=-----------------------------------------------------------------------=| |=---------------=[ CoolQ <email@example.com> ]=---------------=| |=-----------------------------------------------------------------------=| --[ Contents 0.0 - Trojan/backdoor/rootkit review 1.0 - Boot process with Grub 1.1 how does Grub work ? 1.2 stage1 1.3 stage1.5 & stage2 1.4 Grub util 2.0 - Possibility to load specified file 3.0 - Hacking techniques 3.1 how to load file_fake 3.2 how to locate ext2fs_dir 3.3 how to hack grub 3.4 how to make things sneaky 4.0 - Usage 5.0 - Detection 6.0 - At the end 7.0 - Ref 8.0 - hack_grub.tar.gz
If you need to hack the physical security of a computer.. there isnt really a much better way of doing it than what is referenced in the phrack article and in the posts above. There is also the possiblity of breaking the physical security at 1 computer and booting up your custom files.. and then use your custom loaded OS to configure devices network-wide.. using BOOTP/DHCP/tftp/etc. protocols.. A lot of networked printers and devices would rapidly fall to this method... configure the newly captured printers/devices to open a backdoor back into the local network remotely for you automatically, even after your custom OS is unloaded.. with the increase use of wireless devices and PnP devices like USB, protecting the physical security will become much more important in the future.
Ive also noticed that booting a pc could be as easy as a usb key, or using a usb upstream/downstream hub to self-boot, just think of all the memory cards and other proprietary type access points there are..
If I can boot your machine, your security is about none. Scarry.
Sounds like fun
December 22nd, 2012