Tool CD preparation notes

Tool CD production notes-general Linux technology-Linux programming and kernel information, the following is a detailed description. I. Refill knoppix

Knoppix is a debian-based linux operating on a CD. There are a lot of articles about knoppix re-customization on the Internet. I am actually just recording it myself.

1. Unpack ISO

There are no spare machines or partitions, and you can only use virtual machines to solve the problem. Add a new linux system on the VPC, select the memory size, hard disk Image file, and then start the system in the menu CD-> Capture Image... select KNOPPIX_V3.2-2003-05-03-EN.iso.

Start option: Enter knoppix 2 to enter the character mode. Use fdisk to separate/dev/hda into one zone. 5 GB should be sufficient, and then use mkfs. ext2 to create a file system for/dev/hda1. Mount the partition:

# Mount-o rw/dev/hda1/mnt/hda1

Create a working directory:

# Mkdir/mnt/hda1/knx

# Mkdir-p/mnt/hda1/knx/master/KNOPPIX

# Mkdir-p/mnt/hda1/knx/source/KNOPPIX

If the machine does not have enough memory, a swap file should be created, because the compressed file is temporarily written into the memory when the file system is compressed:

# Cd/mnt/hda1/knx; dd if =/dev/zero of = swapfile bs = 1 M count = 750; mkswap swapfile; swapon swapfile

Copy the knoppix file. The p Parameter of cp is to keep all attributes of the file. The copy operation will last for a long time.

# Cp-Rp/KNOPPIX/*/mnt/hda1/knx/source/KNOPPIX

The following copies are used to re-compile the kernel and then redo iso to start the new kernel. Otherwise, you only need to copy boot. img.

# Cd/cdrom/KNOPPIX

# Cp boot. img boot. cat KNOPPIX/mnt/hda1/knx/master/KNOPPIX

Go to the chroot environment and perform drastic pruning on knoppix:

# Chroot/mnt/hda1/knx/source/KNOPPIX

2. Crop and replace

After entering the chroot environment, mount proc:

# Mount-t proc/proc

The network is ready. Because it is based on the debian operating system and all software packages are maintained through the apt system, you may need to modify the/etc/apt/sources. list file to use a fast image site.

Then, use the apt-get -- purge remove program command to delete unnecessary things. Reduce the space and install other things you want. The/usr/share/doc directory is also large, with more than 100 MB.

You can run deborphan to find some unassociated packages, which can also be safely deleted.

To make knoppix suitable for the bridge of honeynet GenII, you must patch the kernel:

# Apt-get install kernel-source-2.4.20

# Apt-get install kernel-patch-xfs

# Wget http://users.pandora.be/bart.de... 003_vs_2.4.20.diff

# Wget http://users.pandora.be/bart.de... against-2.4.20.diff

# Tar jxf kernel-source-2.4.20.tar.bz2

# Cp linux/. config kernel-source-2.4.20/

# Rm linux

# Ln-s kernel-source-2.4.20 linux

# Cd linux

# ../Kernel-patches/all/apply/xfs

# Patch-p1 <../ebtables-v2.0.003_vs_2.4.20.diff

# Patch-p1 <../bridge-nf-0.0.10-against-2.4.20.diff

We have used the knoppix Kernel configuration file. config. Here we should note that the ebtables patch must be played in bridge-nf; otherwise, an error may occur.

# Make menuconfig

802.1d Ethernet Bridging and related options should be selected in the kernel options. Others can be customized according to their own needs. After completing this step, add the knoppix kernel patch:

# Patch-p1 <../knoppix-kernel.patch

Then compile the kernel:

# Make dep

# Make bzImage

# Make modules

# Make moduels_install

It takes a lot of time to compile the module. After the installation, you can delete the original kernel-related items of konippix:

# Rm-rf/usr/src/linux-2.4.20-xfs

# Rm-rf/lib/modules/2.4.20-xfs

# Rm-rf/boot /*

# Rm/vmlinuz

Copy the new kernel:

# Cp System. map/boot/System. map-2.4.20

# Cp arch/i386/boot/bzImage/boot/vmlinuz-2.4.20

# Cd/boot

# Ln-s System. map-2.4.20 System. map

# Ln-s vmlinuz-2.4.20 vmlinuz

# Cd/

# Ln-s boot/vmlinuz-2.4.20 vmlinuz

The cloop. o module must be re-compiled with the new kernel:

# Cd/tmp

# Wget http://www.knopper.net/download/knoppix/cloop_0.68-2.tar.gz

# Tar xzf cloop_0.68-2.tar.gz

# Cdcloop-0.68

# Make KERNEL_DIR =/usr/src/linux

Since knoppix uses boot. img to start the system, you must modify it. press ALT + F2 to enter another non-chroot shell and copy boot. img:

# Cp/mnt/hda1/knx/master/KNOPPIX/boot. img/mnt/hda1/knx/source/KNOPPIX/var/tmp

Modify the chroot shell environment.

# Cd/tmp

# Mkdir boot mroot

# Mount boot. img boot-t msdos-o loop =/dev/loop0

# Cp boot/miniroot.gz.

# Gzip-d miniroot.gz

# Mount miniroot mroot-t ext2-o loop =/dev/loop1

# Cp/tmp/cloop-0.68/cloop. o/tmp/mroot/modules/

Because my kernel is large, simply remove the support for the scsi optical drive, so the startup speed will be much faster:

# Rm-rf/tmp/mroot/modules/scsi

Modify/tmp/mroot/linuxrc and set SCSI_MODULES = "".

In fact, you can use winimage to expand boot. img, so these things can be easily put into it. It is better to use multiple boot image files. Note that the image file name must be in the 8.3 format. The diskemu mentioned later can only use this format.

Package miniroot back:

# Umount/tmp/mroot

# Gzip-9 miniroot

# Cp miniroot.gz boot/

Copy the new kernel image back:

# Cp/boot/vmlinuz-2.4.20/tmp/boot/vmlinuz

Modify the DEFAULT vmlinuz settings of the syslinux. cfg file in the/tmp/boot directory, change lang = us to lang = cn 2, and change all the following lang = us to lang = cn. In this way, the language attribute is changed to Chinese by default when knoppix is restarted, and the character mode is used by default, so it is unnecessary to enter the xwindow at startup.

You can also modify the boot. msg, f2, and logo.16 labels under/tmp/boot. This new boot. img can boot knoppix to the new kernel, refill it, And then install the kernel-related driver under the new kernel. Exit the chroot environment and use the new boot. img to recreate iso:

# Cp/mnt/hda1/knx/source/KNOPPIX/var/tmp/boot. img/mnt/hda1/knx/master/KNOPPIX/boot. img

# Cd/mnt/hda1/knx/

# Mkisofs-pad-l-r-J-v-V "KNOPPIX"-B KNOPPIX/boot. img-c KNOPPIX/boot. cat-hide-rr-moved-o/mnt/hda1/knx/knoppix. iso/mnt/hda1/knx/master

The iso production speed is relatively fast. Transfer/mnt/hda1/knx/knoppix. iso to your system and use this iso to start the virtual machine.

3. Update and install a new driver

After restarting, you can use uname-a to check whether the kernel is new.

Enhanced support for wireless NICs. By default, linux is a wireless network card that does not support the atmel chip and needs to be installed separately. This is an unofficial version:

# Chroot/mnt/hda1/knx/source/KNOPPIX

# Cd/tmp

# Wget http://atmelwlandriver.sourcefor... -ss-20030507.tar.gz

# Tar xzf atmelwlandriver-ss-20030507.tar.gz

# Cd atmelwlandriver

# Make config

Build all [y/N] <-- select y here to compile all the drivers.

# Make all

# Make install

The linux kernel module is provided for the orinoco driver, but the default driver does not support the monitor mode of the wireless Nic. The airsnort main site provides the corresponding patch, which can be patched by pcmcia-cs, you can also patch the orinoco driver to make it easier:

# Cd/tmp

# Wget http://ozlabs.org/people/dgibson/dldwd/orinoco-0.13b.tar.gz

# Wget http://airsnort.shmoo.com/orinoco-0.13b-patched.diff

# Tar xzf orinoco-0.13b.tar.gz

# Cd orinoco-0.13b

# Patch-p1 <../orinoco-0.13b-patched.diff

# Make

# Make install

The driver for linux-wlan-ng is also updated:

# Cd/tmp

# Wget ftp://ftp.linux-wlan.org/pub/lin... g-0.2.1-pre5.tar.gz

# Tar xzf linux-wlan-ng-0.2.1-pre5.tar.gz

# Cd linux-wlan-ng-0.2.1

# Make config <-- all drivers can be added here.

# Make all

# Make install

The prism chip can also use the orinoco driver. If you confirm that some NICs use the prism chip, you can modify the/etc/pcmcia/config file and change the driver, for example, if the NIC of the Compaq WL100 uses the orinoco driver, you can change it:

Bind "prism2_cs"

In this way, the NIC that is inserted with the Compaq WL100 will use the linux-wlan-ng driver. Other NICs can also be modified, but you need to know the chip used by the NIC.

4. Modification and localization of the xwindow desktop environment

KNOPPIX uses KDE as the desktop environment by default, which is too big. Except fluxbox, wmake, and twm, all other desktop environments have been deleted. fvwm is also very good and can be directly installed with apt. Fluxbox is used as the default desktop. The input method uses fcitx, which is very good and has already entered the debian sid. It will be easy to update later. Modify the value assignment of the DESKTOP variable near line 1026 of/etc/init. d/knoppix-autoconfig to the following:

# Also read desired desktop, if any

DESKTOP = "$ (getbootparam desktop 2>/dev/null )"

# Allow only supported windowmanagers

Case "$ DESKTOP" in fvwm | windowmaker | wmaker | fluxbox | twm); *) DESKTOP = "fluxbox"; esac

Knoppix actual execution of xwindow scripts is/etc/X11/Xsession. d/45 xsession, which contains various desktop functions, such as startkde (). You need to add a similar function to fvwm to completely copy startfluxbox (). Startkde () can be deleted to save space.

Modify the last part of the 45xsession file:

If ["$ LANGUAGE" = "cn"]; then

Export XMODIFIERS = @ im = fcitx

/Usr/bin/fcitx &

Fi

Case "$ DESKTOP" in

Fvwm | FVWM) startfvwm ;;

Fluxbox | FLUXBOX) startfluxbox ;;

Windowmaker | wmaker | WINDOWMAKER | WMAKER) ["$ FREEMEM"-ge "35000"] & startwindowmaker | starttwm lowmem 64 ;;;

Twm | TWM) starttwm ;;;

*) Starttwm invalidwm ;;;

Esac

This script can be modified in many ways. You may need to modify the/etc/init. d/xsession script.

Simsun font and firefly patch can be downloaded here:

Http://debian.ustc.edu.cn/dev/

Modify/etc/gtk/gtkrc. zh_CN:

Style "gtk-default-zh-cn "{

Fontset = "-misc-simsun-medium-r-normal -- 14-*-iso10646-1 ,\

-Misc-simsun-medium-r-normal -- 14-*-iso10646-1"

}

Class "GtkWidget" style "gtk-default-zh-cn"

Modify/etc/init. d/xsession. By default, the root user is used to start X.

5. honeynet Functions

# Mkdir/honeynet

# Wget http://honeynet.xfocus.net/papers/honeynet/tools/snort_inline.tgz

# Wget http://honeynet.xfocus.net/paper... ksniff-2.0.1.tar.gz

# Wget http://honeynet.xfocus.net/paper...-linux-2.0.1.tar.gz

# Apt-get install swatch

# Apt-get install honeyd

You can adjust it later.

6. Generate a compressed file system

We recommend that you upgrade the system and clean up the garbage before refilling.

# Apt-get-u upgrade <-pay attention to here, some service-type software will add boot script, you can delete with the update-rc.d.

# Apt-get clean

Update Association:

# Updatedb

# Umount/proc

After exiting the chroot environment, compress the file system:

# Mkisofs-R-U-V "KNOPPIX.net filesystem"-P "KNOPPIX www.knoppix.net"-hide-rr-moved-cache-inodes-no-bak-pad/mnt/hda1/knx /source/KNOPPIX | nice-5/usr/bin/create_compressed_fs-65536>/mnt/hda1/knx/master/KNOPPIX

Ii. Create winpe

As a tool disk, it would be better if there is a windows environment. winpe solves this problem.

It is very easy to customize a winpe. The English version of customization is introduced below:

1. First copy the winpe directory of the winpe disc to the hard disk. Assume that the copied hard disk directory is: e: \ winpe.

You can use the resource manager to copy the file.

2. Download the msa edc Deployment Kit from the Microsoft website.

E: \ temp \> wget http://download.microsoft.com/do... 5deploymentkit.exe

Unbind the package to e: \ temp \ EDCAPFDeployment, and then:

E: \ temp \> copy EDCAPFDeployment \ WinPESupport \ WINPESYS. INF e: \ winpe

Here, WINPESYS. INF is actually added with ramdisk support. The default drive letter is r and the size is 4 MB. Modify HKLM, "SYSTEM \ ControlSet001 \ Services \ ramdrv \ Parameters", "DriveLetter", 0000000000, "R, "SYSTEM \ ControlSet001 \ Services \ ramdrv \ Parameters", "DiskSize", 0x00010001, 0x400000.

3. Prepare a winxp disc, such as a drive F. It is strange why the pebuilder should use the sp1 disc. I found that xp can also be installed.

4. Run the mkimg. cmd script to generate the winpe file.

If you want winpe to execute programs in the memory during startup, you can modify the config. inf file in the e: \ winpe directory and change the osloadoptions item to the following:

Osloadoptions = txtsetup. sif, setupdata, "/fastdetect/minint/noguiboot/inram"

But make sure your system has MB of memory.

Modify the loaderprompt item if you want to modify the startup prompt information. Of course, neither of these two items can be done. Use the following command to generate the winpe file:

E: \ winpe \> mkimg. cmd f: e: \ temp \ winpe. tmp

If you delete the WinSxS directory and its files under i386, the last iso file cannot use notepad. However, if you directly change the winpe iso released by Microsoft, the notepad cannot be executed and you do not know why.

5. Copy the ramdisk driver file.

E: \ winpe \> copy e: \ temp \ EDCAPFDeployment \ WinPESupport \ ramdrv. INF e: \ temp \ winpe. tmp \ I386 \ inf \

E: \ winpe \> copy e: \ temp \ EDCAPFDeployment \ WinPESupport \ ramdrv. sys e: \ temp \ winpe. tmp \ I386 \ system32 \ drivers \

6. Add erd command 2002

Only beibeicommandshell.exe, common. dll, compmgmt.exe, cs. cfg, dt. cfg, erdcmdr2002.cnt, erdhelp.exe, assumer.exe, fauxshell. dll, fe. cfg, filesearch.exe, locksmith.exe, logoff.exe, logon.exe, ntfsver.exe, pwdserv.exe, tcpcfg.exe, and windowsshell.exe files to e: \ temp \ winpe. tmp \ I386 \ system32. After iso is started, you can run logon in the system32 directory to enter erd. Even if you do not want to use erd, you can also use some of its tools, such as tcpcfg, to conveniently configure the network.

7. Adjust winpe

Now we can create iso, but the winpe will prompt Press any key to boot from CD when it is started ., if you want to boot from the hard disk without pressing a key, you only need to delete e: \ temp \ winpe. the bootfix in the tmp \ i386 directory. this prompt will not appear in the binfile.

When winpe is started, the e: \ temp \ winpe. tmp \ I386 \ system32 \ startnet. cmd file is used first. You can edit this script to make it easier to start.

3. Create an iso file.

DISKEMU is a commonly used software for multi-boot discs and is easy to use. Create the working directory e: \ cd and copy DISKEM1X. BIN and DISKEMU. CMD to the cd directory. Create the IMG and KNOPPIX directories under the cd directory.

Copy KNOPPIX's compressed file KNOPPIX to e: \ cd \ KNOPPIX and copy boot. img to e: \ cd \ img \ knoppix. img and copy it to e: \ cd \ KNOPPIX \. Otherwise, it will be incorrect when knoppix is installed to the hard disk using the knx-hdinstsall script.

Run e: \ temp \ winpe. copy all files under tmp to e: \ cd, and copy e: \ winpe \ ETFSBOOT. COM to e: \ cd \ img \ winpe. bin.

Modify the DISKEMU. CMD file. The following is a reference:

Cd img

: Start

Cls

Print

Print

Print

Print

Print

Print

Print

Print

Print

Print 1. KNOPPIX

Print 2. WindowsPE

Print r. Reboot

Print q. Quit to command prompt

Print Esc. Boot first harddisk

Print

Print

Print

Print

Print

Print

Print

Print

: Mainkey

; Timeout is 60 seconds, default key is escape

Getkey 60 esc

Onkey 1 goto knoppix

Onkey 2 goto winpe

Onkey f1 goto help

Onkey q quit

Onkey r reboot

Onkey f boot 0

Onkey esc boot 80

; When no key found...

Goto mainkey

;

: Help

Cls

Print HELP

Print ----

Print + Have ISO9660 filesystem support, you can do "dir" and "cd"

Print + A "advanced" command prompt to load anything you want

Print + A simple bootmenu for "less" advanced users

Print + Autodetection of floppy image types (by filesize)

Print + Using a bootable Diskemu 1.x CD-Rom, you can even boot images from "non-

Print bootable "CD-Roms, just swap the CD, type" cd \ "and you can use that CD.

Print (Cool !)

Print + You can create a multiboot bootable CD-Rom using (almost) any recording

Print software you want

Print + Supported floppy types: 160KB, 180KB, 320KB, 360KB, 1.2 MB, kb, 820KB,

Print 1.44 MB, 1.68 MB, 1.72 MB, 2.88 MB

Print

Print All supported command are listed below.

Print

Print batch boot bootinfotable cd cls dir

Print echo emusegm getkey goto help keyval

Print loadsegm onkey print quit readtest reboot

Print run test type ver

Print

Print help (Or ?) Displays help about

Print

Print Press any key to return to main menu

Getkey

Goto start

;

: Knoppix

Print Use KNOPPIX

Run knoppix. img

Getkey

Goto start

;

: Winpe

Print WindowsPE

Run winpe. bin

Getkey

Goto start

;

; EOF

Then you can create an iso file. However, you must pay attention to the iso format. The iso format cannot be used. The Joliet format compatible with the iso file must be used. The-j1 parameter of cdimage meets this condition:

Cdimage-ltoolcd-j1-bloader. bin cd toolcd. iso

OK. Use toolcd. iso to guide you.

Iv. Simple instructions

Linux:

1. Select 1 from the Startup menu to start KNOPPIX without SCSI, but the speed is relatively fast. Select 2 as the KNOPPIX with SCSI to start the detection SCSI device.

2. exiting from xwindow in vmware will cause the screen to become smaller and no problem is found.

3. If the machine has multiple optical drives, put them in the/dev/cdrom drive; otherwise, the drive cannot be started.

4. You can use the knx-hdinstall script to conveniently and quickly install the system to the hard disk.

Winpe:

1. The start).net script will be used after startup. First, the system resolution is displayed. The default value is 800x600.

2. The system prompts whether to start the network or the erd command (the hard disk requires a win system and the license is in the root directory of the disc ).

3. Enter explorer to start the resource manager of erd. The hard disk can be read and written directly by using fat or ntfs partitions.

4. The tools directory will be added to the PATH environment variable, which contains many interesting things. You can add them yourself.

Statement:

Because the CD contains a lot of commercial software, it cannot be downloaded, and you should not ask me where these things come from. I just want to introduce how to create a tool CD for you to perform penetration testing, investigation and evidence collection, intrusion detection, and network traps.