An alchemists view from the bar

Network Security Alchemy

Archive for October 2008

Portable USB network traffic generator Part 1

leave a comment »

In my line of work there is a regular need to generate some network traffic, whether it’s just background noise or attack data the general requirements are the same.

  • Conjure up network traffic out of the ether
  • Have a method of exposing the traffic it to a monitoring system
  • Audit the monitoring systems categorization of the data – Did it correctly detect the data as clean or dirty.
  • Be portable.
    • I have many methods of doing this in my work or home test lab’s but not on the road where I need it the most.
  • Help out others with similar problems
    • I regularly get asked by people if I have a tool to achieve this, and I want to answer with a “Sure, take a copy of this”

After some tough thought, the best solution I came up with is a bootable USB stick that “just works”.

I thought I would walk through the steps taken to create this, followed by a downloadable image of the tool.

Consider this post part-1 in a series: Building the platform.

I am executing these instructions on an Ubuntu system, things may well differ on other platforms. I have no idea if RH based systems have an equivilant to Debians debootstrap.

Plug the stick into your system, and look at dmesg

It is important that we recognise what the device name is for our USB stick.

On my system, following insertion of a stick, I can see the following

$ dmesg
[12169.500704] sd 5:0:0:0: [sdc] 506880 512-byte hardware sectors (260 MB)
[12169.502281] sd 5:0:0:0: [sdc] Write Protect is off
[12169.502285] sd 5:0:0:0: [sdc] Mode Sense: 43 00 00 00
[12169.502287] sd 5:0:0:0: [sdc] Assuming drive cache: write through
[12169.502292]  sdc: sdc1[12171.503704] sd 5:0:0:0: [sdc] 506880 512-byte hardware sectors (260 MB)
[12171.504587] sd 5:0:0:0: [sdc] Write Protect is off
[12171.504590] sd 5:0:0:0: [sdc] Mode Sense: 43 00 00 00
[12171.504592] sd 5:0:0:0: [sdc] Assuming drive cache: write through
[12171.504596]  sdc: sdc1

Clearly my working device is sdc

Create a partition & build a filesystem

Use fdisk to remove an existing partitions on your USB stick, cfdisk or fdisk are the tools to use.

$ sudo fdisk /dev/sdc                # Manage partitions on my USB device /dev/sdc

I created a single primary Linux partition, and made it active (bootable)

Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *           1        1021      253177   83  Linux

We now need to make a filesystem on this device. Note that because of the way flash memory can only take a limited number of disk writes, we don’t want to use ext3’s journal.

$ sudo mkfs.ext2 /dev/sdc1           # Makes a ext2 fs on the partition

Install our OS onto the new filesystem

Lets mount the filesystem so that we can add files to it.

$ sudo mkdir /mnt/temp               # Create a temp mount point
$ sudo mount /dev/sdc1 /mnt/temp/    # and mount our USB filesystem

I mentioned earler that I use Ubuntu as my closen desktop disrto, however I want the USB stick to be running stock Debian stable (etch). Becase Ubuntu is essentially a broken Debian system, we can simply do the following:

$ sudo debootstrap etch /mnt/temp/

For those who are unaware, debootstrap bootstraps a new debian system. It will install all the base programs I need for a GNU/Linux instance on this USB stick.

$ sudo dumpe2fs /dev/sdc1 | grep UUID       # find the UUID for our fs - Note this somewhere
dumpe2fs 1.40.8 (13-Mar-2008)
Filesystem UUID:          4481e1b0-0c0c-48fa-8c27-971aa95e3e9b
# chroot into our new system in /mnt/temp
$ sudo chroot /mnt/temp/             
$ mount /proc/
$ dpkg-reconfigure --all --priority critical --frontend dialog
# This reconfigures all debs that need critical configuration
$ apt-get update
$ apt-get install initrd-tools linux-image-686
# Note to pay attention to the yes/no abort prompt - Select No to continue.
$ echo > /etc/hosts
# create a minimum hosts file
$ echo replay > /etc/hostname
$ vi /etc/fstab

Paste the below, editing the UUID for your UUID found by doing the dumpe2fs command earlier

# Leons example fstab - edit for your uuid
# Note this is the minimum i need, there is no static association with a device name here
# the UUID is a uniq ID for the fs

UUID=4481e1b0-0c0c-48fa-8c27-971aa95e3e9b /  ext2    defaults,errors=remount-ro 0       1
tmpfs           /tmp    tmpfs   defaults        0       0
proc            /proc   proc    defaults        0       0

Thats it for our work inside our chroot, lets exit and make the system bootable

$ sudo grub-install --root-directory=/mnt/temp /dev/sdc

$ sudo chroot /mnt/temp/
$ apt-get install grub

Check your grub settigns

$ umount /proc

$ exit
$ sudo umount /mnt/temp

If the umount complains about the device being busy (very likely), I find that cron is running inside the chroot. Kill it.

$ eject /dev/sdc

There you go, you should now have a bootable(ish) USB stick with a debian base install on it. What a walk i the park, and far easier than many of the how-to’s I see scattered around the internet. I have noticed that there are a few things that don’t work well and need some attention: Essentially parsing the correct partition ID at boot time to the initrd. Ill look into that and do an update when I get this being more portable.



Written by leonward

October 26, 2008 at 6:14 pm

Posted in Uncategorized