HeX LiveCD Usage

This is an NSM-oriented liveCD, so we make use of fluxbox features such as its tunable workspaces, key bindings and so forth to improve analysis workflows. There are four workspaces, each with a self-explanatory environment:

WorkaholiC - Normal working environment for web browsing, email and RSS reading plus other common daily tasks
AnalyzT - Workspace for security analysis; all the NSM-based tools are loaded in this workspace
HackeR - Workspace for network hacking; all the network hacking tools are launched in this workspace and you can learn about packet crafting here
WankeR - Do whatever you want in this workspace; usually instant messaging programs are launched here

The idea is that different programs are launched in different workspaces, so that the analyst can concentrate on the task at hand and the windows do not get cluttered while the tools are in use. The fluxbox menu is designed for high accessibility: the analyst can reach any security analysis tool without much hassle, and can learn how each tool works because every tool is launched together with its help content. Remember that what we emphasise here is post-processing, so-called offline analysis, rather than real-time monitoring, so we never run any network security analysis tool with root privilege unless there is a need.
Fluxbox Keybindings

We use key bindings for quick access to and control of your windows. You can find the key binding set in ~/.fluxbox/keys:

OnDesktop Mouse1 :hideMenus
OnDesktop Mouse2 :workspaceMenu
OnDesktop Mouse3 :rootMenu
OnDesktop Mouse4 :nextWorkspace
OnDesktop Mouse5 :prevWorkspace
Mod1 Tab :NextWindow
Mod1 Shift Tab :PrevWindow
Mod1 F1 :Workspace 1
Mod1 F2 :Workspace 2
Mod1 F3 :Workspace 3
Mod1 F4 :Workspace 4
Mod1 l :ExecCommand xlock -mode matrix -geometry 1x1 -enablesaver
Mod1 m :MaximizeWindow
Mod1 n :MinimizeWindow
Mod1 w :ShowDesktop
Control Mod1 p :ExecCommand scrot '~/%Y%m%d%R_$wx$h_scrot.png'
Control Mod1 w :Deiconify All OriginQuiet
Control Mod1 d :ToggleDecor
Control Mod1 x :Close
Control Mod1 h :ExecCommand sudo halt -p
Control Mod1 q :ExecCommand sudo reboot
Control Mod1 r :ExecCommand fbrun

Mouse1 == left mouse button
Mouse2 == middle mouse button (left + right pressed together if your two-button mouse has X emulating the third button)
Mouse3 == right mouse button
Mouse4 / Mouse5 == scroll wheel up / down
Mod1 == alt key

All the applications launched in the different workspaces can be reached easily through the root menu, i.e. Mouse3 on the desktop.

One thing to watch in the scrot binding: fluxbox runs ExecCommand through /bin/sh, and the shell does not expand a tilde inside single quotes, so as listed scrot is handed a path beginning with a literal ~ rather than your home directory. If screenshots do not turn up where you expect, move the tilde outside the single quotes.

You will notice there is a lock entry in the fluxbox menu which locks the screen; press alt + l or click the lock entry to activate it. However, you must first set a password for user analyzt, because the account has no password by default and xlock has nothing to check against. To set the password:

shell>passwd
Changing local user password for analyzt
Old Password: blank (no password by default)
New Password: 12345678
Retype New Password: 12345678

Now that a password is defined, you can lock the screen without problems. Choose something stronger than the 12345678 used in this example, especially if you start sshd later on: that password is then the only thing standing between the network and an account that can use sudo.
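Several of the tasks further down this page (starting sshd, and the keymap change in the user contribution section) append a setting to /etc/rc.conf by hand. The helper below is an added example written for this page, not part of the HeX liveCD; it assumes only POSIX sh, awk and mktemp. It rewrites an existing assignment instead of appending a duplicate, and writes the file back through tee so that its owner and mode stay as they are, which means there is never a reason to make /etc/rc.conf world-writable just to add one line. The SUDO variable is this example's own convention: it is prepended to the single command that touches the target file, so everything else runs unprivileged.

```shell
#!/bin/sh
# Added example for this page (not HeX liveCD code): set VAR="VALUE" in an
# rc.conf-style file without loosening its permissions.
#
# Usage (as the analyzt user):
#   SUDO=sudo rc_set /etc/rc.conf sshd_enable YES
#   SUDO=sudo rc_set /etc/rc.conf keymap german.iso
# SUDO is a convention of this example: it is prepended to the one command
# that writes the target file, so everything else runs unprivileged.

# rc_set FILE VAR VALUE
rc_set() {
    file=$1 var=$2 value=$3
    tmp=$(mktemp) || return 1
    if grep -q "^${var}=" "$file" 2>/dev/null; then
        # VAR is already assigned: rewrite that line, keep everything else.
        awk -F= -v v="$var" -v val="$value" \
            '$1 == v { print v "=\"" val "\""; next } { print }' "$file" > "$tmp"
    else
        # Not present yet: copy the file (if any) and append one line.
        cat "$file" > "$tmp" 2>/dev/null
        printf '%s="%s"\n' "$var" "$value" >> "$tmp"
    fi
    # tee truncates and rewrites FILE in place, so its owner and mode
    # (0644 root:wheel on a stock system) are untouched; only this step needs root.
    ${SUDO:-} tee "$file" < "$tmp" > /dev/null
    status=$?
    rm -f "$tmp"
    return $status
}

# rc_get FILE VAR: print the current value of VAR (last assignment wins,
# surrounding quotes stripped).
rc_get() {
    awk -F= -v v="$2" '$1 == v { val = $2; gsub(/^"|"$/, "", val) } END { print val }' "$1"
}
```

Running rc_set twice with the same variable is harmless, so the helper can be used from a script that re-runs on every boot of the liveCD without /etc/rc.conf accumulating duplicate sshd_enable lines.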
To switch to user root, type su in the terminal.

To change the desktop background (wallpaper), run -
shell>fbsetbg ~/rp-Wallpapers/rp-team.jpg

To check which application packages are installed, run -
shell>pkg_info

To start the ssh service, enable sshd in /etc/rc.conf and start it. Append the line as root with tee rather than making /etc/rc.conf world-writable first; a chmod 777 on the boot configuration would let any local user change what runs as root at the next boot -
shell>echo 'sshd_enable="YES"' | sudo tee -a /etc/rc.conf
shell>sudo /etc/rc.d/sshd start

To stop the ssh service -
shell>sudo /etc/rc.d/sshd stop

Most of the network monitoring tools require root access to the network interface, so they must be run as root; the workaround is to change the permissions of the bpf devices. When you launch etherape from the fluxbox menu you are running it as a normal user, so you will get the message "Error getting device: no suitable device found". To avoid the message, run -
shell>sudo etherape

This liveCD is best used together with a USB thumb drive: copy the pcap files, snort signatures and other tool configuration files to the thumb drive and load them into the analyzt environment to perform the analysis. To mount a USB thumb drive, follow the steps below -
shell>sudo sysctl vfs.usermount=1

Once you plug in the USB thumb drive, you should see something similar to this in the dmesg output -
shell>dmesg
truncated output .....
umass0: vendor 0x13fe USB DISK Pro, rev 2.00/1.10, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: < USB DISK Pro PMAP> Removable Direct Access SCSI-0 device
da0: 1.000MB/s transfers
da0: 1959MB (4012032 512 byte sectors: 255H 63S/T 249C)
da1 at umass-sim0 bus 0 target 0 lun 1
da1: < USB DISK Pro PMAP> Removable Direct Access SCSI-0 device
da1: 1.000MB/s transfers
da1: 1MB (2880 512 byte sectors: 64H 32S/T 1C)

Here da0 is the stick and da0s1 its first slice; da1 is a tiny second LUN that some sticks expose and can be ignored.

shell>ls -la /dev/da*
crwxrwxrwx 1 root operator 0, 115 Jul 3 07:27 /dev/da0*
crwxrwxrwx 1 root operator 0, 118 Jul 3 07:27 /dev/da0s1*
crwxrwxrwx 1 root operator 0, 117 Jul 3 07:27 /dev/da1*

With vfs.usermount=1 a normal user may mount a device node they can read and write onto a directory they own. Rather than opening the raw disk to every user with chmod 777, give the node to the analyzt user -
shell>sudo chown analyzt /dev/da0s1

(The simplest alternative is to skip usermount altogether and run the mount command below as root with sudo.)

If the USB thumb drive contains an msdos file system, you can run -
shell>mkdir rp-mnt
shell>mount -t msdosfs /dev/da0s1 rp-mnt

If the stick carries pcap files you intend to treat as evidence, add -o ro to the mount command so nothing on it is modified while you work.

Apart from using mount for the different file systems, you can also use the fuse userland tools that come with the liveCD: you can mount ntfs, ssh, http and other file systems, and in our experience it works pretty well.

To mount ntfs with fuse -
shell>sudo kldload /usr/local/modules/fuse.ko
shell>sudo ntfs-3g /dev/da0s1 /mnt

To mount sshfs with fuse -
shell>mkdir ~/rp-sshfs
shell>sshfs user@192.168.0.50: ~/rp-sshfs

To mount ftp with curlftpfs -
shell>mkdir ~/rp-curlftpfs
shell>curlftpfs ftp://qosient.com/dev/argus-3.0/ rp-curlftpfs/
shell>ls -la rp-curlftpfs/
total 5584
drwxr-xr-x 2 root wheel 2560 May 9 17:06 archive
-rw-r--r-- 1 root wheel 410108 Jun 15 18:34 argus-3.0.0.tar.gz
-rw-r--r-- 1 root wheel 555520 Jun 15 18:34 argus-3.0.0.tar.gz.asc
-rw-r--r-- 1 root wheel 60 Jun 15 18:43 argus-3.0.0.tar.gz.md5
-rw-r--r-- 1 root wheel 962993 Jun 8 14:06 argus-clients-3.0.0.rc.44.tar.gz
-rw-r--r-- 1 root wheel 1306457 Jun 8 14:06 argus-clients-3.0.0.rc.44.tar.gz.asc
-rw-r--r-- 1 root wheel 74 Jun 15 18:43 argus-clients-3.0.0.rc.44.tar.gz.md5
-rw-r--r-- 1 root wheel 963058 Jun 19 06:30 argus-clients-3.0.0.rc.45.tar.gz
-rw-r--r-- 1 root wheel 1306498 Jun 19 06:30 argus-clients-3.0.0.rc.45.tar.gz.asc
-rw-r--r-- 1 root wheel 177850 Apr 29 17:20 argus.openwrt-0.9-3.0.0.tar.gz
-rw-r--r-- 1 root wheel 72 Jun 15 18:43 argus.openwrt-0.9-3.0.0.tar.gz.md5
-rw-r--r-- 1 root wheel 3672 Jun 7 2006 pgp-keys.asc

The .asc files and pgp-keys.asc in that directory let you verify the tarballs with PGP; prefer that over the .md5 files, since a checksum fetched over the same plain ftp connection offers no protection against tampering.

shell>mount
/dev/fuse1 on /mnt (fusefs, local, noatime, synchronous)
/dev/fuse2 on /usr/home/analyzt/rp-sshfs (fusefs, local, nosuid, synchronous, mounted by analyzt)
/dev/fuse5 on /usr/home/analyzt/rp-curlftpfs (fusefs, local, nosuid, synchronous, mounted by analyzt)

To umount ntfs -
shell>sudo umount /mnt

To umount sshfs -
shell>umount ~/rp-sshfs

HeX liveCD Installation

Chfl4gs has integrated the BSD installer into the HeX liveCD, so HeX can now be installed to the hard drive. To do that, boot the liveCD, "su" to root and type "installer" (or run "sudo installer") to start the installation. cpdup may take 10-30 minutes depending on your CD-ROM drive speed. The only problem is that the BSD installer's ncurses interface looks a bit cluttered under X. We have no solution or workaround for that yet, but it does not affect the installation process.

User Contribution Section:

The default keyboard mapping is US. Stefan has kindly emailed me his solution for changing the keyboard setting and layout to German, and I think it applies when you want to change to any other keyboard mapping. Here is the straightforward how-to -

Edit ~/.login_conf -
me:\
        :charset=iso-8859-15:\
        :lang=de_DE.ISO8859-15:

Edit /etc/X11/xorg.conf -
Section "InputDevice"
        Identifier "Keyboard0"
        Driver "keyboard"
        Option "XkbModel" "pc105"
#       Option "XkbLayout" "us"
        Option "XkbLayout" "de"
EndSection

Edit /etc/rc.conf -
keymap="german.iso"

That is all the configuration you need to change. Done.

If you have found any tips for using this liveCD, please email us and we will add them to the contents. Any contributions and feedback are welcome. Cheers (;])
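The USB thumb drive procedure above has you pick the device out of dmesg by eye and mount it read-write. The script below is an added example written for this page, not part of the HeX liveCD: it extracts the umass disks from dmesg output, chooses the largest one (the 1MB second LUN in the excerpt above is a stick's pseudo-floppy, not the data), and mounts a slice read-only with noexec,nosuid, so a stick of pcaps you treat as evidence cannot be altered, and nothing on it can be executed, while you analyse it. The dmesg sample is the excerpt shown earlier, embedded here so the parsing runs offline; umass_disks, largest_umass_disk, mount_evidence and DRYRUN are this example's own names. It mounts as root through sudo, so vfs.usermount is not needed.

```shell
#!/bin/sh
# Added example for this page (not HeX liveCD code): find the USB disk that
# dmesg reported and mount it read-only for analysis.

# Constructed sample input: the dmesg excerpt shown earlier on this page.
SAMPLE_DMESG='umass0: vendor 0x13fe USB DISK Pro, rev 2.00/1.10, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: < USB DISK Pro PMAP> Removable Direct Access SCSI-0 device
da0: 1.000MB/s transfers
da0: 1959MB (4012032 512 byte sectors: 255H 63S/T 249C)
da1 at umass-sim0 bus 0 target 0 lun 1
da1: < USB DISK Pro PMAP> Removable Direct Access SCSI-0 device
da1: 1.000MB/s transfers
da1: 1MB (2880 512 byte sectors: 64H 32S/T 1C)'

# umass_disks DMESG_TEXT: print "daN SIZE" for every disk attached via umass.
# The "daN: 1.000MB/s transfers" lines do not match the size pattern because
# of the dot, so only the capacity line is taken.
umass_disks() {
    printf '%s\n' "$1" | awk '
        /^da[0-9]+ at umass-sim/ { seen[$1] = 1 }
        /^da[0-9]+: [0-9]+MB \(/  { d = $1; sub(/:$/, "", d); if (d in seen) size[d] = $2 }
        END { for (d in seen) print d, size[d] }' | sort
}

# largest_umass_disk DMESG_TEXT: the disk with the most MB, i.e. the data LUN
# rather than the 1MB pseudo-floppy some sticks also expose.
largest_umass_disk() {
    umass_disks "$1" | awk '
        { mb = $2; sub(/MB$/, "", mb); if (mb + 0 > best) { best = mb + 0; dev = $1 } }
        END { print dev }'
}

# mount_evidence DEVNODE MOUNTPOINT [FSTYPE]: mount read-only, no setuid, no
# exec. ro keeps the stick unmodified; noexec,nosuid stop anything on it from
# being run. With DRYRUN=1 the command is printed instead of executed.
mount_evidence() {
    dev=$1 mnt=$2 fstype=${3:-msdosfs}
    cmd="sudo mount -t $fstype -o ro,noexec,nosuid $dev $mnt"
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    mkdir -p "$mnt" && $cmd
}

# Real use on the liveCD:
#   disk=$(largest_umass_disk "$(dmesg)")
#   mount_evidence "/dev/${disk}s1" ~/rp-mnt
```

If you later need to write results back to the stick, mount it a second time read-write on a different directory, or better, write to the liveCD's home directory and copy out once you are done; the read-only evidence mount itself can stay untouched for the whole session.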