Tag Archives: CentOS

Compiling QEMU and libvirtd from source to be more sneaky when doing malware analysis

Hello,

This is another post related to malware analysis and QEMU/KVM. I did a bit more research and found several older articles describing how to make pafish happy and how to evade detection by malware that is aware of virtual machines.

Below is a screenshot from the output of pafish on Windows 7.

The Windows 7 system is running on a KVM host with the following kernel:

As you can see, it looks pretty good and we may be able to win over most malware, but there is still stuff that we want to remove. For instance, check out the device manager:

As you can see there are devices called QEMU, which indicates that this is not a laptop. Note that pafish did not detect this, but still, we should fix it. Our goal today is to make it say something else. Before we continue, there are a lot of posts that I have used for reference (check the end of this guide), but I wanted to start fresh and make a guide for everyone trying to do this on... you guessed it, CentOS 7.

Before we start let me just explain a little. When you install qemu/kvm on CentOS 7 using yum it will be called qemu-kvm, but when you compile it yourself it will be called qemu-system-x86_64. This is important to understand. It is still the same thing, but it is named differently depending on whether it was compiled from source or not. Read more here
Also, make sure that you have the kvm module loaded. My laptop for this guide is an old laptop with an AMD CPU. Check with lsmod that the proper modules are loaded. For Intel it should say kvm_intel.

1. Install a fresh CentOS 7 minimal.
I installed it with Gnome Desktop as I am using an old laptop. Then update it:

After we finish it will look something like this (2015-06-25):

2. Install some more packages and development tools
Grab a coffee while you wait.

Before we continue we can do some tweaking to compile a little bit faster. Depending on how many cores your system has, you can change the jobs parameter for make. Execute the following command:

This would give me the value “make -j2”. Yeah, this is an old laptop...

3. Cloning QEMU

4. Edit drivers and compiling
Now the fun stuff starts. We are going to rename the device from QEMU HARDDISK to something else. Make sure you are in the qemu folder that we just cloned from the git repo (step 3).

Find the driver name (as seen in the device manager):

These are the files that you need to edit. I will replace it with “WDC WD20EARS”, which should look like a 2TB disk from Western Digital (according to a Google search).

Also, let us not forget the DVD drive. Let us call it Toshiba DVD-ROM (because it was the only thing that popped into my head).

And there are some more places that we need to edit:

Time to build! Make sure you are root so you can install it.

Fix a symbolic link to make virt-manager happy.

5. Time to compile libvirt

If you want to know more about compiling libvirt, and the arguments I am using with autogen you can read more here before you continue:
https://libvirt.org/compiling.html

Go ahead and start!

You should see something like this in /var/log/messages

6. Install virt-manager

You can now start virt-manager by executing ./virt-manager in the same directory. Or, if you do not want to use virt-manager to create the virtual machine, you can just continue to step 7.

7. Install the first virtual machine
Let us install a Windows XP SP0 and see what's what. I am using an old iso image which I placed in /root/

When the installation is complete, go into the device manager and voilà:

Device Manager after QEMU modifications

Each time you want to modify something in the qemu code you can just rerun the make and make install steps; this updates the binary and the device names will change accordingly.

8. Changing The BIOS
This is the last step if you really want to be sneaky. When you execute dmidecode it will also tell you that this is QEMU and not something else.

Notice QEMU after Manufacturer on the devices

QEMU uses SeaBIOS, so we will start by cloning the latest source and compiling it.

The completed bios file will be located in the folder out and is called “bios.bin”. The next step is to execute it with some parameters set (“-k en” means English keyboard):

Notice the parameter:

This is where I specify the bios file we compiled.

The other parameters:

are where I tell it to set Dell as the manufacturer instead of QEMU. Your final product after running dmidecode should then look something like this:

dmidecode after the parameter changes
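To verify the result of steps 4 to 8 from inside a guest, here is an added example (not code from the post) that parses dmidecode output and reports every field that still carries one of the strings the post sets out to hide. The two samples are constructed in dmidecode's output format; the "after" sample assumes the type 0 vendor was changed as well as the type 1 manufacturer.

```python
import re
import sys

# Constructed samples in dmidecode's output format (not captured from the
# author's machine): the default strings, and the same tables after SeaBIOS
# was started with the -smbios parameters described in the post.
SAMPLE_BEFORE = """\
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: SeaBIOS
\tVersion: 1.7.5-constructed
\tRelease Date: 04/01/2014

Handle 0x0100, DMI type 1, 27 bytes
System Information
\tManufacturer: QEMU
\tProduct Name: Standard PC (i440FX + PIIX, 1996)
\tSerial Number: Not Specified
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("SeaBIOS", "Dell Inc.").replace("QEMU", "Dell")

# Strings the post sets out to hide from the guest.
VM_MARKERS = ("QEMU", "SeaBIOS")

def parse_dmidecode(text):
    """Yield (dmi_type, key, value) for each 'Key: Value' line of every structure."""
    dmi_type = None
    for line in text.splitlines():
        m = re.match(r"Handle 0x[0-9A-Fa-f]+, DMI type (\d+)", line)
        if m:
            dmi_type = int(m.group(1))
            continue
        if dmi_type is None or not line.startswith("\t"):
            continue                      # banner lines and structure titles
        key, sep, value = line.strip().partition(": ")
        if sep:                           # skip list items such as "PCI is supported"
            yield dmi_type, key, value

def find_vm_markers(text, markers=VM_MARKERS):
    """Return the entries whose value still contains a hypervisor marker."""
    return [(t, k, v) for t, k, v in parse_dmidecode(text)
            if any(mark.lower() in v.lower() for mark in markers)]

if __name__ == "__main__":
    # Usage inside the guest: dmidecode | python check_dmi.py
    for dmi_type, key, value in find_vm_markers(sys.stdin.read()):
        print(f"DMI type {dmi_type}: {key} = {value!r}")
```

Extend VM_MARKERS with any other default string you replaced in the QEMU or SeaBIOS sources so the same check covers it.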

You can also add the bios file using virsh edit and set the following:

However, you still need the smbios arguments. You could also add the “-smbios type” parameters in the domain XML for the VM.

That was all!

References and links

Guide for setting up yubikey OTP ssh access with CentOS 7

Hi!

Today I will show you how to use the yubikey and set up authentication on CentOS 7 from scratch.
I have bought a yubikey 2 standard and will configure it to be used as an OTP device when logging on via SSH. This is a very cheap solution which offers a high level of security for home users.

The system I am using has just been installed and is a standard CentOS 7 with just the default selections when installing. The system is also updated and current as of today.

Let’s start!

1.
Begin by installing some packages

2.
Clone the yubico-c library and install it.

If you get the error message

you need to install asciidoc

3.
Clone the yubikey-personalization library and install it

4.
Clone the yubico-c-client and install it

5.
Clone the yubico-pam module and install it

6.
Fix the symlink for the pam module

NOTE! Before you continue: this is where you can lock yourself out and end up with a box that is not accessible. You should be logged on as root on another terminal so that you can revert if it does not work. Console access will still work, so if you use KVM or something similar, you should be able to access it through that.

Start by making sure your yubikey is configured as shown in this guide:
YubiKey YubiCloud Configuration

You should also make sure that the OTP function is working by going here after you have configured it:
https://demo.yubico.com/

Your server will need to be able to contact the yubikey API service to validate the authentication, so make sure the box has an internet connection as well.
When it is working, move on!

7.
Change SELinux to run in permissive mode. People have been reporting issues with SELinux and yubikey, so I recommend that you put it in permissive mode if you don’t want to spend a couple of hours troubleshooting.

Edit the file /etc/sysconfig/selinux and set the parameter SELINUX to permissive as shown below.

This will take effect at the next boot and change it to permissive. Now run the command to change the mode to permissive in this session:

Get the status. The row “Current mode” should say “permissive”:

8.
Create a user; I have picked the name ‘test’. Make sure you change the password as well.

9.
Edit the file /etc/pam.d/sshd

Make sure it contains the row:

as seen below in the file:

10.
Create the authfile mentioned above.

Add your user and yubikey id separated with ‘:’. This is what my /etc/yubipasswd file looks like:

Open a new terminal and log in as test:

ssh test@your-yubikey-configured-system

When you are prompted for the password, type your password and then press your yubikey so that it becomes one long string. Imagine:

[root@localhost test]# ssh test@localhost
test@localhost’s password: password + yubikey OTP token

The yubikey will press enter by default and this should log you on! Voilà!
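The two pieces of this login that are easy to get wrong are the authfile mapping (user to yubikey id) and the "password + OTP" string typed at the prompt. As an added example (not the author's code or yubico-pam itself), the following reproduces the local part of that check: parse a pam_yubico-style authfile, split the typed string into password and OTP, and verify that the OTP's 12-character public id is mapped to the user. The authfile contents and the OTP are constructed; the server-side validation against YubiCloud is not reproduced.

```python
# Constructed sample of the pam_yubico authfile format (not the author's real
# /etc/yubipasswd): "user:yubikey_id[:yubikey_id...]", one user per line,
# '#' starts a comment. The ids are the 12-character modhex public ids.
SAMPLE_AUTHFILE = """\
# user:yubikey public id(s)
test:ccccccbcgujh
alice:cccccccfhcdb:ccccccdhgbfi
"""

MODHEX = set("cbdefghijklnrtuv")   # the only characters a YubiKey OTP contains
OTP_LEN = 44                       # 12-char public id + 32-char encrypted part

def parse_authfile(text):
    """Map each user to the set of YubiKey public ids allowed for them."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mapping.setdefault(user, set()).update(i for i in ids if i)
    return mapping

def split_password_otp(typed):
    """Split the 'password + OTP' string typed at the ssh password prompt.

    The OTP is the trailing 44 modhex characters; everything before it is the
    password. Returns (password, otp), or None when no OTP is present.
    """
    if len(typed) < OTP_LEN:
        return None
    password, otp = typed[:-OTP_LEN], typed[-OTP_LEN:]
    if not set(otp) <= MODHEX:
        return None
    return password, otp

def public_id(otp):
    """The public id is everything before the 32-character encrypted part."""
    return otp[:-32]

def user_owns_key(mapping, user, otp):
    """True when the OTP's public id is mapped to this user in the authfile."""
    return public_id(otp) in mapping.get(user, set())
```

A login fails locally, before YubiCloud is even contacted, whenever user_owns_key is False, which is the symptom of a typo in the authfile or of pressing the wrong slot.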

Other information
If you have multiple configurations on your yubikey, i.e. configuration slot 1 and slot 2, you may have used the wrong slot. Slot 1 is triggered by pressing for 1 second and the other by pressing for more than 2 seconds (or something like that). I use configuration slot 1 because then you don't have to press it for as long.

If you have installed a default CentOS 7 you probably do not need to change other SSH configuration files such as /etc/ssh/sshd_config

And /etc/pam.d/system-auth by adding “try_first_pass” to the row

You can also try installing the packages via epel repo. Packages are called:

The PAM module, I think, you will have to install manually as previously shown.

Links related to this guide
https://demo.yubico.com/
http://www.yubico.com/wp-content/uploads/2013/07/YubiKey_YubiCloud_Configuration.pdf
https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html
https://developers.yubico.com/yubikey-personalization/
https://github.com/Yubico/yubico-pam#readme

Good luck!

Telldus Tellstick Duo on CentOS 7

The Telldus Tellstick Duo is a tiny USB device to control RF devices such as light bulbs, thermometers and a lot of other stuff. The software to control the device is open source and works fine on Ubuntu/Debian, OS X and Windows. People have also documented how to get it to work with CentOS 6. But if you are like me and want to run the latest CentOS version, then it is a little bit more complicated. In this guide I will show you how to compile it and get it to run on the latest version of CentOS 7.

1. Begin by plugging your Tellstick Duo into your machine. If you tail /var/log/messages you will see the following when you plug it in:

2. The next step is to install some repos and libraries so that we can compile the latest version of the software from Telldus. Note: if this guide fails you can try to do “yum groupinstall Development Tools” instead.

3. Install the epel repo

4. Install all of the libftdi, libusb and libconfuse libraries

5. Download and unpack the telldus software. At the time of writing the latest package is 2.1.2

NOTE! Depending on your version of the Tellstick Duo, version 2.1.2 of the software may not work. If you run into issues such as error messages saying “TellStick not found” when you run tdtool, try 2.1.1 instead.

If you then run into issues when compiling 2.1.1 with make, you may need to edit the file “telldus-core-2.1.1/common/Socket_unix.cpp”. Make sure you include unistd.h so that the top of the file looks like this:

END OF NOTE

6. Now when you are supposed to run “cmake .” it will fail:

This is because of two things: it cannot find Doxyfile.in, and FTDI_LIBRARY is not found. Both can be fixed. First download Doxyfile.in:

Run the following cmake command to point to the library:

This is what it looks like:

7. Almost done. Time to make it. Run this command:

All should be good and you can move on to installing it.

8. Install it:

9. Fix some symlinks and run ldconfig:

10. Done! Start the daemon with this command

Note: you have to restart the daemon each time you change the tellstick.conf file. You can use kill or whatever you like to do this.

11. Configure your devices in the file /etc/tellstick.conf . This is what it looks like by default:

12. Once you have set up your devices according to the documentation you can control them using “tdtool”

Other notes

For me, as I have an old version of the Tellstick Duo, I have to use version 2.1.1 of the software. I get error messages such as:

You can fix this by doing what is documented here:

http://developer.telldus.com/wiki/Dont%20wait%20for%20confirmation

exFAT on CentOS 7

I recently decided to swap out my Apple Mac Mini as a media center (I use Plex) and run Plex media server on Linux instead. Plex has come a long way and now works fine on CentOS 6 or later.

However, some of my media was on an exFAT (http://en.wikipedia.org/wiki/ExFAT) formatted USB drive and I wanted that to work on CentOS 7. A Google search found a good solution and I wanted to share it with you in this small guide.

1. Start with adding some repos that you will need. As this guide is for CentOS 7 I have chosen the repos that fit that.

2. Download the latest epel release from this location (at the time of writing it is epel-release-7-5.noarch.rpm): http://mirror.nsc.liu.se/fedora-epel/7/x86_64/repoview/epel-release.html

3. Download and install:

4. Download the latest nux repo from this location (at the time of writing it is nux-dextop-release-0-1.el7.nux.noarch.rpm): http://li.nux.ro/repos.html

5. Download and install:

6. Install the exFAT packages:

7. Plug in your disk and find the partition that you want to mount. For instance:

Produces this output:

8. Mount it:

9. Done! It will now be mounted at /media/

Setup mail client on CentOS 7

Hi,

A lot of people often need to be able to send e-mail from a server at home. For instance, you may be running a Raspberry Pi that is monitoring something or doing something fun such as filming or taking pictures of your neighbor. I wrote this small guide as it is probably the easiest way of doing it for CentOS 7.

1. To start with, you probably have an ISP with an e-mail server, such as smtp.yourisp.com. This will be needed later in step 4 of the guide.

2. Make sure postfix is installed; if not, run yum install postfix. At the time of writing this is what I am running:

[root@serv1 ~]# yum list installed|grep postfix
postfix.x86_64 2:2.10.1-6.el7 @anaconda

3. Backup your /etc/postfix/main.cf file to /etc/postfix/main.cf.bk

4. Edit the file /etc/postfix/main.cf and change the following settings:

myorigin = server.yourdomain.com
mydestination = server.yourdomain.com, localhost
relayhost = smtp.yourisp.com

Where server.yourdomain.com can be something like serv1.mycooldomain.com or whatever the name is of your own domain.

5. Restart postfix, service postfix restart

6. Try it by doing something like this, if you want to monitor your RAID:

/usr/sbin/mdadm --detail /dev/dm-1 > /root/RAID_STATUS.log
/bin/mail -s "RAID STATUS" "your-email@domain.com" < /root/RAID_STATUS.log