Creating Your Own USB Katana Sword

by zitstif on Sep.20, 2014, under Posts

JP Dunning (https://twitter.com/r0wnin) is the creator of the Katana: Portable Multi-Boot Security Suite. Judging by www.hackfromacave.com, the project appears to have come to a halt. You can still obtain the Katana toolkit via torrents (http://securityiskey.blogspot.com/2012/08/katana-3-beta-torrent.html for those who are interested). However, I can’t recommend downloading it as of now, because a lot of the Linux distributions within the Katana toolkit have been superseded by newer releases. Another issue with Katana is that it’s kind of a pain to customize and to add and remove distributions.

With that said, this post’s objective is to show how to create a multi-booting USB flash drive toolkit that is easily customizable to the end user’s specific needs. For this we will be relying heavily on YUMI (http://www.pendrivelinux.com/yumi-multiboot-usb-creator/). Using YUMI is pretty straightforward, and I don’t believe there is a strong need for me to write a tutorial (https://www.google.com/#q=YUMI+tutorial).

To create our “Home Made Katana”, you will need:

- Time
- 32GB flash drive (smaller may work, but I recommend 32GB or larger)
- YUMI ( http://www.pendrivelinux.com/yumi-multiboot-usb-creator/ )
- HomeMadeKatana.zip ( https://ia601401.us.archive.org/15/items/HomeMadeKatana/HomeMadeKatana.zip )

HomeMadeKatana.zip file hashes:
MD5: dc5b97133c9e6ca9a848b26b234f2210
SHA-1: 8a13ce78c380a05f60602a40790bf77021d52de9

NOTE: TOOLS IN THIS ARCHIVE WILL SET OFF AV SYSTEMS

The root directory of this zip file contains:

Disk Investigator
HxD
KatanaToolKit.exe
odbg201
PortableApps
Speccy
SysinternalsSuite
windows-binaries-from-Kali
zittools

I pulled the PortableApps directory and the KatanaToolKit.exe from the Katana: Portable Multi-Boot Security Suite. I meant to add the herdProtect portable scanner but forgot to. Feel free to add it if you want: http://www.herdprotect.com/installers/herdProtectScan_Portable.exe .

To create our “Home Made Katana”, do as follows:

1.) Back up any data you want to keep from your flash drive
2.) Wipe the flash drive
3.) Download YUMI
4.) I recommend the following distributions/bootable tools:

Caine
Clonezilla (Backup + Clone Tool)
DBAN
Deft (Forensics)
GParted
Hiren’s Boot CD
Kali
Kon-Boot Floppy Image
Mint Linux
Offline NT Password & Registry Editor
Ophcrack Vista/7
Ophcrack XP
Tails
Ultimate Boot CD
Windows 7
Windows 8
Windows Defender Offline

5.) Download and extract HomeMadeKatana.zip to the root of the flash drive.
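Before extracting in step 5, it is worth checking the archive against the MD5 and SHA-1 published above. The script below is an added example, not part of the original post: it assumes POSIX sh with md5sum/sha1sum (or the macOS md5/shasum tools) and unzip, and the script name and the two-argument usage are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify HomeMadeKatana.zip against the
# MD5 and SHA-1 published in the post before extracting it to the flash drive.
# Assumes POSIX sh plus md5sum/sha1sum (or macOS md5/shasum) and unzip.

# Digests published in the post for HomeMadeKatana.zip
EXPECTED_MD5="dc5b97133c9e6ca9a848b26b234f2210"
EXPECTED_SHA1="8a13ce78c380a05f60602a40790bf77021d52de9"

# Print the MD5 of a file, trying coreutils first, then the macOS tool.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Print the SHA-1 of a file.
file_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when BOTH digests match. MD5 alone is weak against deliberate
# collisions, so the SHA-1 must agree too; a missing file is also a failure.
verify_archive() {
    archive="$1"; want_md5="$2"; want_sha1="$3"
    [ -f "$archive" ] || { echo "missing: $archive" >&2; return 1; }
    got_md5=$(file_md5 "$archive")
    got_sha1=$(file_sha1 "$archive")
    if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
        return 0
    fi
    echo "hash mismatch for $archive: md5=$got_md5 sha1=$got_sha1" >&2
    return 1
}

# Usage: sh verify_katana.sh HomeMadeKatana.zip /path/to/flashdrive
# Extracts only when the archive matches both published digests.
if [ $# -eq 2 ]; then
    verify_archive "$1" "$EXPECTED_MD5" "$EXPECTED_SHA1" || exit 1
    unzip -q "$1" -d "$2"
fi
```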

You may ask why I recommend putting Windows 8 on your flash drive. I recommend it because newer systems now use UEFI, and a lot of systems ship without optical drives. For instance, if you need to reset a Windows 8 local account password ( http://pcsupport.about.com/od/windows-8/a/reset-password-windows-8.htm ), having Windows 8 on your “Home Made Katana” would be of great use.

An additional note for newer UEFI computers: to boot Linux distros, or anything from USB or optical media that doesn’t support Secure Boot, you will need to turn the Secure Boot option off and/or enable legacy booting via the Compatibility Support Module (CSM).

In summary, what we have done is create a multi-bootable and powerful flash drive with utilities for penetration testers, IT gurus and network administrators. In addition, I would also recommend getting a USB Rubber Ducky (https://hakshop.myshopify.com/collections/usb-rubber-ducky), especially if you’re into penetration testing. If you have any questions, comments or input, feel free to post a comment below.


zitstif.no-ip.org is still alive…

by zitstif on Jul.03, 2014, under Posts

Thanks to Microsoft, no-ip.com domains and subdomains experienced outages when Microsoft hijacked no-ip domains to capture traffic from infected hosts. Their intention was to affect only the malicious websites, but instead they took down non-malicious websites as well (like zitstif.no-ip.org).

http://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/

http://www.theregister.co.uk/2014/07/01/sorry_chaps_microsoft_unborks_legitimate_noip_users_domains/

I want to thank Microsoft for their recent mistake and I also want to thank them for the wonderful user interface Metro on Windows 8 that is alienating desktop computer users. All Microsoft needs to do now is cut off support for Windows 7…


I kind of regret having ads on my website…

by zitstif on Mar.03, 2014, under Posts

Today I decided to take a look at my website without any ad-blocking software, using Internet Explorer 11. With my web history cleared and no cookies for Google’s ad service to build targeted ads from, I was served a suspicious ad with this link:

hxxp://file-downloads.net/download/?pi=zitstif.no-ip.org&gclid=CJLtkeHr97wCFcURMwodTnQAtg

That looks legit!

Let’s see what VirusTotal says about this URL:

https://www.virustotal.com/en/url/f0e704606da846903a630c56cee42812a7a943b897fa550a50db0e0bbb19fccd/analysis/1393900872/

It’s too legit to quit now!

Upon visiting this link I was immediately served an EXE file named “7zip_14381_stn.exe”… how wonderful. Why don’t we just upload this to VirusTotal?

https://www.virustotal.com/en/file/fc80f6307596ce2d6139710873be7ede8693a65681067c75b9bf17617a1af070/analysis/

Granted, this piece of software isn’t necessarily malicious per se, but it’s the kind of crap I get sick of seeing on Windows systems. Here are some tools I strongly recommend when dealing with this kind of junkware:

http://www.bleepingcomputer.com/download/rkill/
http://www.bleepingcomputer.com/download/junkware-removal-tool/
http://www.bleepingcomputer.com/download/adwcleaner/

In addition, I recently found a tool that is kind of equivalent to having a portable version of VirusTotal:

http://www.herdprotect.com/downloads.aspx

It doesn’t delete, quarantine or clean anything, and it can throw false positives, so use the herdProtect scanner with care; it is still very useful. Anyway, I wish Google’s ad service would stop referring people to crapware, but those advertisers are paying customers too. And no, you won’t offend me if you use ad-blocking software on my website.


Getting authy-ssh to work (or at least what worked for me)

by zitstif on Dec.14, 2013, under Uncategorized

This will be a relatively short post. My aim is for it to be useful to others who are having trouble setting up authy-ssh on their Secure Shell servers. First, if you’re not familiar with two-step verification, have a look at this:

https://en.wikipedia.org/wiki/Two-step_verification

I was inspired to install this on one of my SSH servers after enabling the same feature on my Gmail account:

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

I had heard about authy-ssh a while back through news.ycombinator but had never put the time into setting it up. To set it up you can follow these directions:

https://www.authy.com/products/ssh#installation

I ran into issues though. My SSH server did not possess 'seq', and I received error messages from the authy-ssh script that were not very clear. I then dug into the authy-ssh shell script and discovered that it depends heavily on 'curl' connecting to Authy’s web servers over HTTPS. 'curl' would give me SSL certificate errors, and I’m highly confident this is an issue with 'curl' on my server and not with Authy’s SSL certificates. To bypass this issue, add the '-k' flag to the 'curl' calls in the authy-ssh script at lines 398, 482, 497, 533 and 605, which makes curl ignore the SSL certificate errors. I will warn you that this is NOT very secure, but if you need authy to work, this should work.

In addition to this, you may want to run this shell script as well:

http://zitstif.no-ip.org/authyfix.txt

The authy-ssh bash shell script checks whether bash exists and whether seq exists. If you’re on an OS X system, the OS X equivalent of 'seq' is 'jot'. The equivalent of 'seq 10' with 'jot' is 'jot - 1 10'.
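A shim for the two problems above, the missing seq and the curl certificate errors, as an added example that is neither the authy-ssh script nor the authyfix.txt linked above: portable_seq falls back to jot or a plain shell loop, and authy_curl keeps certificate verification on by pointing curl at a CA bundle (curl's real --cacert option) rather than using -k. The bundle paths are assumed system defaults, and AUTHY_CA_BUNDLE is a variable I made up for overriding them.

```shell
#!/bin/sh
# Added example, not the authy-ssh script or zitstif's authyfix.txt: a seq(1) shim
# for hosts that only have jot(1) or neither, and a curl wrapper that verifies
# Authy's certificate against a CA bundle instead of silencing errors with -k.
# Assumed: POSIX sh; the bundle paths are common system defaults, not Authy's.

# Pure-shell fallback: print 1..N one per line, like `seq N`.
shell_seq() {
    i=1
    while [ "$i" -le "$1" ]; do
        echo "$i"
        i=$((i + 1))
    done
}

# Drop-in for `seq N` that uses whatever the host provides.
portable_seq() {
    if command -v seq >/dev/null 2>&1; then
        seq "$1"
    elif command -v jot >/dev/null 2>&1; then
        jot - 1 "$1"          # BSD/macOS form of `seq N`
    else
        shell_seq "$1"
    fi
}

# Print the first readable CA bundle ($AUTHY_CA_BUNDLE, then system defaults);
# return 1 and print nothing if none is found, so the caller stops rather than uses -k.
find_ca_bundle() {
    for candidate in "${AUTHY_CA_BUNDLE:-}" \
            /etc/ssl/certs/ca-certificates.crt \
            /etc/pki/tls/certs/ca-bundle.crt \
            /etc/ssl/cert.pem; do
        if [ -n "$candidate" ] && [ -r "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Use in place of `curl -k URL`: same arguments, but the server certificate is
# still checked, against a bundle we picked explicitly.
authy_curl() {
    bundle=$(find_ca_bundle) || {
        echo "no CA bundle found; not falling back to -k" >&2
        return 1
    }
    curl --cacert "$bundle" "$@"
}
```

If curl on the server rejects Authy's certificate because its CA store is stale, pointing AUTHY_CA_BUNDLE at a current bundle fixes that without disabling verification.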


DERBYCON 2013 – LIVING OFF THE LAND: A MINIMALIST’S GUIDE TO WINDOWS POST-EXPLOITATION – CHRISTOPHER CAMPBELL, MATTHEW GRAEBER

by zitstif on Oct.19, 2013, under Posts, Videos

