Friday 31 January 2014

Transferring ISOs from an XBOOT USB drive to Easy2Boot

If you already have an XBOOT USB drive containing linux ISO files, you may have found that when you copy them to your Easy2Boot USB drive, they don't work.

This is because XBOOT modifies the ISOs. For a typical linux ISO, XBOOT will extract the files from the casper folder of the ISO file and then copy them to a subfolder under the \images folder on the USB drive. XBOOT also modifies the \isolinux\isolinux.cfg file contents (inside the ISO file) to add some cheat codes which will direct the linux kernel to load the squashfs files from a different folder, e.g.

label driverupdates=Use driver update disc
append driverupdates=debian-installer/driver-update=true

is converted to:

label driverupdates=Use driver update disc
append driverupdates=debian-installer/driver-update=true ignore_uuid live-media-path=/images/fdraptor/casper

The cheat codes added by XBOOT may work for some linux distros (or versions) but not for others. This is why it is 'hit-or-miss' as to whether XBOOT will work or not with 'unsupported' ISOs.

To move these XBOOT converted ISOs to an E2B USB drive we need to:

1. Copy the whole \images folder from the XBOOT drive to \images on the E2B drive
2. Move the ISO files to the \_ISO\MAINMENU folder

So if we had 'fdraptor' on our XBOOT drive, we would now have an E2B drive with these folders:
  • \images\fdraptor\casper\ - several files including filesystem.squashfs (700MB)
  • \_ISO\MAINMENU\fdraptor.iso (32MB)
As many linux initial kernels do not support NTFS, XBOOT does not work well on an NTFS drive. If you use these files on an E2B drive, the E2B USB drive needs to be formatted as FAT32 and not NTFS.
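As an added example (not the blog's or Easy2Boot's own code), here is a small Python script that does the two steps above and then checks the result: it copies \images to the E2B root, moves the ISOs from the XBOOT partition root into \_ISO\MAINMENU, and flags any ISO that has no matching \images\<name> sub-folder. The assumption that XBOOT names the sub-folder after the ISO (as in the fdraptor example) is mine; the `missing_media_paths` check instead reads the `live-media-path=` cheat code from an isolinux.cfg text you have extracted from the ISO (7-Zip will open an ISO), so it does not depend on that naming. The script does not check the filesystem type, so the FAT32 (not NTFS) requirement still has to be verified by hand.

```python
"""Move XBOOT-converted ISOs to an Easy2Boot drive and check the result
(added example, not the blog's or E2B's own code)."""
import re
import shutil
import tempfile
from pathlib import Path

# XBOOT appends this cheat code to isolinux.cfg inside the ISO, e.g.
#   live-media-path=/images/fdraptor/casper
LIVE_MEDIA_RE = re.compile(r"live-media-path=(\S+)")


def live_media_paths(cfg_text: str) -> set:
    """Every live-media-path value in an isolinux.cfg text (extract the
    file from the ISO with 7-Zip or similar and pass its contents)."""
    return set(LIVE_MEDIA_RE.findall(cfg_text))


def missing_media_paths(cfg_text: str, e2b_root: Path) -> list:
    """live-media-path folders the cfg refers to that do not exist under
    the E2B drive root. Any entry here means that ISO cannot find its
    squashfs files and will not boot from the E2B drive."""
    return [p for p in sorted(live_media_paths(cfg_text))
            if not (e2b_root / p.lstrip("/")).is_dir()]


def migrate_xboot_to_e2b(xboot_root: Path, e2b_root: Path) -> dict:
    """Copy the images folder to the E2B root and move the ISOs from the
    XBOOT partition root into _ISO/MAINMENU. Assumption (from the fdraptor
    example): XBOOT names the images sub-folder after the ISO, so an ISO
    with no images/<name> folder is reported as suspect."""
    images_src = xboot_root / "images"
    images_dst = e2b_root / "images"
    mainmenu = e2b_root / "_ISO" / "MAINMENU"
    mainmenu.mkdir(parents=True, exist_ok=True)
    report = {"moved": [], "no_images_folder": []}

    if images_src.is_dir():
        # dirs_exist_ok merges into an images folder that already exists on the E2B drive
        shutil.copytree(images_src, images_dst, dirs_exist_ok=True)

    for iso in sorted(xboot_root.glob("*.iso")):
        shutil.move(str(iso), str(mainmenu / iso.name))
        report["moved"].append(iso.name)
        if not (images_dst / iso.stem).is_dir():
            report["no_images_folder"].append(iso.name)
    return report


def demo() -> dict:
    """Run the migration on a constructed XBOOT layout in a temp folder
    and return the facts a practitioner would check afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        xboot, e2b = Path(tmp) / "XBOOT", Path(tmp) / "E2B"
        casper = xboot / "images" / "fdraptor" / "casper"
        casper.mkdir(parents=True)
        (casper / "filesystem.squashfs").write_bytes(b"constructed stub, not a real squashfs")
        (xboot / "fdraptor.iso").write_bytes(b"constructed ISO stub")
        (xboot / "hirensbootcd.iso").write_bytes(b"constructed ISO stub")  # no images folder
        e2b.mkdir()
        report = migrate_xboot_to_e2b(xboot, e2b)
        # isolinux.cfg lines as XBOOT rewrites them (taken from the post above)
        cfg = ("label driverupdates=Use driver update disc\n"
               "append driverupdates=debian-installer/driver-update=true "
               "ignore_uuid live-media-path=/images/fdraptor/casper\n")
        squashfs_dst = e2b / "images" / "fdraptor" / "casper" / "filesystem.squashfs"
        return {
            "moved": report["moved"],
            "no_images_folder": report["no_images_folder"],
            "iso_in_mainmenu": (e2b / "_ISO" / "MAINMENU" / "fdraptor.iso").is_file(),
            "squashfs_copied": squashfs_dst.is_file(),
            "missing_for_fdraptor": missing_media_paths(cfg, e2b),
            "missing_on_empty_drive": missing_media_paths(cfg, Path(tmp) / "EMPTY"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` on the constructed layout moves both ISOs, reports hirensbootcd.iso as having no \images folder, and shows that the fdraptor cfg's `live-media-path` resolves on the migrated drive but not on an empty one.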

Of course, you can just download the original ISOs from the web and copy them to your E2B drive (even on an NTFS E2B drive) and it should work just fine.

The other alternative is to make a .imgPTN file from the XBOOT USB drive by dragging-and-dropping the drive letter onto the MPI_FAT32 desktop shortcut.

Easy2Boot .mnu files

Usually, when adding payload files to Easy2Boot, you just need to copy the file over and make sure it is contiguous. In some cases you may need to modify the file extension slightly too. However, for some 'special' payload files, or if you want persistence when booting from linux ISOs, you need to use a .mnu file.

Below is a list of some of the .mnu files that can be found in the \_ISO\docs\Sample mnu Files folder of the Easy2Boot v1.25 download. More may be added in later versions, so always check for new examples!
Instructions on how to use each .mnu file can be found by opening it in Notepad and reading the comments within.

Thursday 30 January 2014

Make a 'Forensics To Go' 32GB USB Flash drive

If you have a 32GB or larger USB pen and want a ready-made 'Forensic' multiboot USB Flash drive, try the (virtual disk) image provided on 'Hacking Exposed' by David Cowen\Kevin Stokes.  Download is here.


This USB disk image contains two FAT32 partitions, with XBOOT installed ISOs of...
  • SIFT 2.14
  • Kali Linux
  • Paladin 5
  • Raptor 3
on a hidden 2nd partition, and 4GB-worth of the following portable apps and tools on the first partition (which is visible to Windows):

Documents
analyzing-malicious-document-files.pdf
log2timeline-cheatsheet.pdf
Memory-Forensics-Cheat-Sheet-v1.pdf
Network Forensics Cheat Sheet.pdf
SANS-DFIR-Poster-2012.pdf
sbag.users.guide.v.0.24.pdf
SIFT Cheat Sheet and DFIR Curriculum.pdf
USB-Device-Tracking-Artifacts.pdf


Linux Tools
TZworks_64bit
TZworks_32bit
Truecrypt


Mac Tools
FortiClient_Installer.dmg
nmap-6.40-2.dmg
TrueCrypt 7.1a Mac OS X.dmg
TZworks


Portable Apps
PortableApps.com
2XClient
7-ZipPortable
AbiWordPortable
AntRenamerPortable
AutorunsPortable
BabelMapPortable
cdrtfePortable
ClamWinPortable
CommandPromptPortable
ConverberPortable
CrystalDiskInfoPortable
CubicExplorerPortable
DaphnePortable
DatabaseBrowserPortable
EraserPortable
EraserDropPortable
Explorer++Portable
FileAlyzerPortable
FileZillaPortable
FoxitReaderPortable
FrhedPortable
GetSudokuPortable
GoogleChromePortable
grepWinPortable
HDHackerPortable
HijackThisPortable
HWiNFOPortable
InfraRecorderPortable
IniTranslatorPortable
IrfanViewPortable
JkDefragPortable
KasperskyTDSSKillerPortable
KchmViewerPortable
KeePassPortable
KeepNotePortable
KiTTYPortable
McAfeeStingerPortable
Monster2Portable
CamStudioPortable
ChecksumControlPortable
ConvertAllPortable
DiffpdfPortable
Notepad++Portable
PasswordGorillaPortable
PeerBlockPortable
PidginPortable
ProcessExplorerPortable
ProcessHackerPortable
ProcessMonitorPortable
PuTTYPortable
PWGenPortable
RegshotPortable
SIWPortable
SkypePortable
SmartDefragPortable
SpybotPortable
SQLiteDatabaseBrowserPortable
SqlitemanPortable
StickiesPortable
SumatraPDFPortable
SystemExplorerPortable
TeamViewerPortable
ThunderbirdPortable
Toucan
UUID-GUIDGeneratorPortable
VLCPortable
WhoDatPortable
WindowsErrorLookupToolPortable
winMd5SumPortable
WinMTRPortable
WinSCPPortable
WiseDiskCleanerPortable
WiseProgramUninstallerPortable
WiseRegistryCleanerPortable
xpyPortable
CppcheckPortable
KompoZerPortable
NetHackPortable
PeaZipPortable
qBittorrentPortable
RevoUninstallerPortable
PortableApps.comLauncher

Windows Tools
volatility-2.3.1.standalone.exe
WiresharkPortable-1.10.5.paf.exe
Imager_Lite_3.1.1
NirSoft Tools
Password Tools
rrv2.8
Scalpel-2.0
SysinternalsSuite
Tools that require Install
TZworks 32bit
TZworks 64bit
USB Write - EnableProtect
Woanware
To make this USB Flash drive

You need a 32GB or larger USB drive.
1. Download the 8GB (!) USB_Multiboot.zip file from the blog here or the updated image here.
2. Extract the 30GB 'USB image for download.img' file to your system hard disk using 7Zip (or a similar utility).
3. Run RMPrepUSB and insert your 32GB (or larger) USB Flash drive.
4. Select the 32GB USB Flash drive in the top drive selection box and click on the File->Drive button.
5. Enter 1SEC for the file start sector (see screenshot), 0 for the USB start sector and 0 for the length.
6. After 10-30 minutes you will have a bootable USB flash drive.

The image is from a 32GB USB Flash drive made using XBOOT. If you wish to add more files to it using XBOOT, you must first swap the partition order over as follows:

1. Run RMPrepUSB and select the 32GB drive
2. Type CTRL-O and select partition 2 when prompted

This will swap over the partitions and make visible the XBOOT 1st FAT32 partition containing the (modified) ISO files:
  • fdraptor.iso
  • hirensbootcd.iso
  • paladin.iso
  • siftworkstationrevusb.iso
You should now be able to run XBOOT and modify the contents.

When you have finished testing the USB drive, use RMPrepUSB - Ctrl-O to change back the partitions and make the applications partition visible to Windows again.

You can either boot from this USB drive on a 'live' system or boot from it (or the original .img file) with the 'target' hard-disk image in VirtualBox.

Note: XBOOT modifies the .ISO files and extracts and removes the squashfs (casper) files into a subfolder under \images. Therefore these .iso files cannot just be 'dropped' onto an Easy2Boot drive as they will not boot correctly. These XBOOT ISOs can be used if you copy the whole \images folder from the XBOOT partition to the root of a FAT32 E2B USB drive (not NTFS - it won't work!) and then move the .iso files to the \_ISO\MAINMENU folder (i.e. the E2B drive will contain a \images folder with subfolders).

Of course, you can download the original ISOs from their websites and simply add them to your Easy2Boot USB drive.

Note: There is a later download here which may have some of the files missing (I have not tested it).

Wednesday 29 January 2014

Easy2Boot v1.25 available (new $HOME$ keyword for .mnu files)

Easy2Boot v1.25 adds a new feature for .mnu files.

Previously, you had to 'hard code' the sub-folder name into the .mnu file text. For example, here is a typical .mnu file which expects the ISO file to be in the MNU subfolder (e.g. \_ISO\MAINMENU\MNU) :

iftitle [if exist %MFOLDER%/MNU/Ylmf_OS_3.0.iso] Boot YlmF (Windows Like OS) Non-Persistent 
map %MFOLDER%/MNU/Ylmf_OS_3.0.iso (0xff)
map --hook
root (0xff)
kernel /casper/vmlinuz file=/cdrom/preseed/ubuntu.seed boot=casper  persistent iso-scan/filename=%MFOLDER%/MNU/ylmf_OS_3.0.iso floppy.allowed_drive_mask=0 splash
initrd /casper/initrd.img

However, now we can use $HOME$ to represent the path of the .mnu file like this:

iftitle [if exist $HOME$/Ylmf_OS_3.0.iso] Boot YlmF (Windows Like OS) Non-Persistent 
map $HOME$/Ylmf_OS_3.0.iso (0xff)
map --hook
root (0xff)
kernel /casper/vmlinuz file=/cdrom/preseed/ubuntu.seed boot=casper  persistent iso-scan/filename=$HOME$/ylmf_OS_3.0.iso floppy.allowed_drive_mask=0 splash
initrd /casper/initrd.img


This means that we can place the .mnu files and their payload files in any sub-folder of any name and we don't have to edit the .mnu file to match it.

This is useful because it means we can control the order of the items in the menus more easily by simply changing the name of the folders that we place our .mnu files in.

Consider an E2B file and folder arrangement of:

\_ISO\MAINMENU\b.iso
\_ISO\MAINMENU\k.iso
\_ISO\MAINMENU\MNU\a.mnu  (and a.iso)
\_ISO\MAINMENU\MNU\y.mnu  (and y.iso)
\_ISO\MAINMENU\z.iso

The menu entries in the Main menu would be ordered like this because the MNU folder's files will be enumerated after k.iso:

b.iso
k.iso
(title text from the a.mnu file)
(title text from the y.mnu file)
z.iso


Now if we want the a.mnu entry to be listed first in the Main menu, previously (when using the %MFOLDER% variable) we would have had to make a new $MNU folder, move the a.mnu and a.iso files into it and also edit the .mnu file to change 'MNU' to '$MNU'.

However, if we use the new $HOME$ keyword in the .mnu file, all we need do is move the a.iso and a.mnu files to a new $MNU folder and we don't have to edit the .mnu file at all.

\_ISO\MAINMENU\$MNU\a.mnu  (and a.iso)
\_ISO\MAINMENU\b.iso
\_ISO\MAINMENU\k.iso
\_ISO\MAINMENU\MNU\y.mnu  (and y.iso)
\_ISO\MAINMENU\z.iso

The keyword $HOME$ will be expanded by E2B to be "/_ISO/MAINMENU/$MNU" automatically.

If you also want to change the position of y.mnu, you can simply rename the MNU folder (e.g. use $A to list it first or ZZ to list it last in the menu).
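To make the ordering and $HOME$ rules concrete, here is an added Python model (my own code, not E2B's grub4dos batch files) of how the Main menu above is built. It assumes, from the examples in this post, that entries are sorted case-insensitively by name (so '$' sorts first and 'ZZ' sorts last), that a sub-folder takes the place of its name in that order and contributes only its .mnu files, and that $HOME$ is replaced by the folder holding the .mnu file. The drive layouts and the a.mnu/y.mnu contents are constructed for the example; the function generalises to any folder names, so it also shows the $A/ZZ rename trick.

```python
"""Simplified model (added example, not E2B's own code) of how the Main
menu is built from _ISO/MAINMENU and how $HOME$ in a .mnu file is expanded."""
import re

MENU_ROOT = "/_ISO/MAINMENU"

# Title of a .mnu entry: the text after 'title' or after an 'iftitle [...]' condition.
TITLE_RE = re.compile(r"^(?:iftitle\s+\[[^\]]*\]|title)\s+(.*)$", re.M)

# Constructed .mnu files (minimal grub4dos menu entries using $HOME$).
A_MNU = ("iftitle [if exist $HOME$/a.iso] Boot a.iso\n"
         "map $HOME$/a.iso (0xff)\nmap --hook\nroot (0xff)\nchainloader (0xff)\n")
Y_MNU = A_MNU.replace("a.iso", "y.iso")

# Constructed drive layouts: sub-folder name ('' = MAINMENU itself) -> {filename: contents}.
ROOT_FILES = {"b.iso": "", "k.iso": "", "z.iso": ""}
BEFORE = {"": ROOT_FILES,
          "MNU": {"a.mnu": A_MNU, "a.iso": "", "y.mnu": Y_MNU, "y.iso": ""}}
AFTER = {"": ROOT_FILES,
         "$MNU": {"a.mnu": A_MNU, "a.iso": ""},
         "MNU": {"y.mnu": Y_MNU, "y.iso": ""}}
RENAMED = {"": ROOT_FILES,                 # MNU renamed to ZZ so y.mnu lists last
           "$MNU": {"a.mnu": A_MNU, "a.iso": ""},
           "ZZ": {"y.mnu": Y_MNU, "y.iso": ""}}


def expand_home(mnu_text: str, mnu_folder: str) -> str:
    """Replace every $HOME$ with the folder that holds the .mnu file,
    e.g. '/_ISO/MAINMENU/$MNU'. The .mnu file itself is never edited."""
    return mnu_text.replace("$HOME$", mnu_folder)


def mnu_title(mnu_text: str) -> str:
    """Menu text shown for a .mnu file (first line of its title; E2B's
    literal '\\n' separates the title from the help text)."""
    m = TITLE_RE.search(mnu_text)
    if not m:
        raise ValueError("no title line in .mnu file")
    return m.group(1).split("\\n")[0].strip()


def menu_order(layout: dict) -> list:
    """Return the Main menu entries in display order for a layout."""
    root = layout.get("", {})
    names = list(root) + [folder for folder in layout if folder]
    entries = []
    for name in sorted(names, key=str.lower):   # assumed case-insensitive sort
        if name in root:
            entries.append(name)                # a payload file in MAINMENU itself
            continue
        folder = f"{MENU_ROOT}/{name}"
        for fname in sorted(layout[name], key=str.lower):
            if fname.lower().endswith(".mnu"):  # only .mnu files are enumerated in a sub-folder
                entries.append(mnu_title(expand_home(layout[name][fname], folder)))
    return entries


if __name__ == "__main__":
    for label, layout in (("before", BEFORE), ("after", AFTER), ("renamed", RENAMED)):
        print(label, menu_order(layout))
    print(expand_home(A_MNU, f"{MENU_ROOT}/$MNU"))
```

With these rules `menu_order(BEFORE)` lists a.mnu and y.mnu between k.iso and z.iso, `menu_order(AFTER)` lists a.mnu first, and `menu_order(RENAMED)` lists y.mnu last, while `expand_home` turns `map $HOME$/a.iso (0xff)` into `map /_ISO/MAINMENU/$MNU/a.iso (0xff)` without the .mnu text having been changed.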

I have changed all of the Sample mnu Files in the \_ISO\docs\Sample mnu Files folder in v1.25 of E2B to use the new $HOME$ keyword. You can still use %MFOLDER% in your .mnu files if you wish.

The new v1.25 downloads are linked here.

Combine SARDU with Easy2Boot

To add SARDU to your Easy2Boot menu

1. Make your E2B USB drive as usual
2. Run SARDU and install SARDU plus any ISOs etc. to your E2B drive. This will add a dozen or so files to the root of the E2B drive and also a \SARDU folder.
3. Re-install grub4dos to the PBR using RMPrepUSB
4. Open an Administrator command prompt and navigate to the RMPRepUSB\SYSLINUX\Syslinux_4.06 folder  (tip: you can press F3 in RMPrepUSB to find the folder)
5. At the command prompt type:

syslinux.exe -f   X:   X:\SARDU\sardu.bin

where X: is the drive letter of your Easy2Boot USB drive

6. Create a SARDU.mnu file and add it to the \_ISO\MAINMENU\MNU folder:

title SARDU\n Run SARDU
chainloader /SARDU/sardu.bin


Sunday 26 January 2014

2 new Easy2Boot videos now on YouTube

I have added a couple more Easy2Boot videos to YouTube which I hope you will find useful.

Please let me know if you want any more and what topics to cover...

Part 1
1. Make an E2B drive - See other E2B videos for how to add and run Windows Install ISOs
2. Helper USB Flash drive
3. Folder structure
4. Can add own files anywhere except under \_ISO
5. WinContig -- Error 60 -- file not contiguous
6. Test with QEMU and VBox+VMUB
7. Add ISOs -- linux ISOs to Mainmenu
8. Add ISOs to \_ISO\LINUX
9. Add ISOs to \_ISO\AUTO and explain difference
10. What happens if delete DOS files -- menu entry disappears
11. How sub-menus work -- UTILITIES and UTILITIES_MEMTEST
12. Change names to reorder
13. Add .txt files

Part 2
14. Hirens - Change file extension to .isowinv
15. List of file extensions supported - see Tutorial 72a
16. Hirens - Add a .mnu file -- mnu can be any name
17. Change background -- add \_ISO\mybackground.bmp or mybackground.bmp.gz
18. Rename Sample_MyE2B.cfg to MyE2b.cfg -- explain -- sample mnu files
19. Demo master password + font + hotkey + remove F7 + menu pwd
20. Add blank line in menu
21. Speed up menu loading -- FASTLOAD, no font file
22. Suppress E2B startup messages
23. Suppress grub4dos messages - patchme
24. 'Skins'

See www.rmprepusb.com Easy2Boot - Tutorial 72a for more details.

Wednesday 22 January 2014

Easy2Boot 1.24 available

Just a few small changes:

1. If you had an E2B USB HDD and a USB Helper Flash drive and both contained the E2B folders, then LOADISO would try to run ImDisk twice which would cause it to loop. I have added some checks in LOADISO.cmd so that if it is being run from the drive containing WINHELPER.USB or is being run for a 2nd time, it will just exit. If you have problems with the LOADISO blue console window, check that you only have one instance of the E2B folder structure on one drive in the system (which should be the E2B boot drive).

2. Some of the Sample .mnu files in the \_ISO\docs folder had not been updated to use the new ENG folder and use the new %LANG% variable for that folder. These files have now been updated.


Monday 20 January 2014

E2B v1.23 available

This version allows you to boot from a different grub4dos bootable drive and then 'chainload boot' to your E2B USB drive. This means that if you use an E2B USB Hard drive, then you could boot from either your E2B USB Hard drive or your E2B Helper USB Flash drive.

Helper drive menu.lst file:

clear
pause --wait=3 Booting from Easy2Boot USB Helper Flash Drive...
find --set-root /_ISO/e2b/grub/menu.lst
chainloader /grldr
boot

Note that to support this, the sample .mnu files in the \_ISO\docs folder have also been changed because the E2B drive will no longer be (hd0,0) and so the partnew commands have been modified to use the correct device name for the E2B drive (e.g. hd2). If you have used any of the sample .mnu files then you will need to update them in order to use this new feature.

If you always boot from the E2B drive then you don't need to change your .mnu files. The standard E2B .mnu files have not changed.

Thursday 16 January 2014

Fake Flash drives on Amazon!

It seems even Amazon sellers are offering these fake capacity flash drives!
See here for a review of one on Amazon.com.

In case you missed it, I wrote a blog post on fake flash drives and FakeFlashTest here.

Wednesday 8 January 2014

Easy2Boot v1.22_DPMS bugfix!

Somehow the DriverPack.ini file was missing from the Easy2Boot_v1.22_DPMS.zip download; this has now been fixed. Please download Easy2Boot_v1.22B_DPMS.zip and either overwrite your whole E2B drive or just extract and copy DriverPack.ini from the Easy2Boot_v1.22B_DPMS.zip file.

v1.22B Small bugfix so that NOF7HD variable works if used in MyE2B.cfg.

Note: This link may not work at a later date - please check Tutorial 72a for the latest downloads.




P.S. Why is spam mail so dumb? I have been getting lots of spam mail recently for nursing bras and hair restoration oil - who do they think I am - a bald mother?

Tuesday 7 January 2014

Booting a CrunchBang ISO from a grub4dos USB drive

I had not heard of CrunchBang before (why are there so many linux distros? If only these developers would collaborate, I am sure linux could easily beat Windows!).

Anyway, here is a menu which will boot to the Live desktop from a CrunchBang 11 ISO file:

title CRUNCHBANG
set ISO=/crunchbang-11-20130506-i686.iso
uuid () > nul
set UUID=%?%
echo %UUID%
map ()%ISO% (0xff) || map --mem ()%ISO% (0xff)
map --hook
root (0xff)
kernel /live/vmlinuz boot=live fromiso=/dev/disk/by-uuid/%UUID%%ISO% live-media-path=/live config splash noeject
initrd /live/initrd.img

Of course, as usual, you can boot the ISO to the Live OS just by adding the ISO to your Easy2Boot \_ISO\MAINMENU folder (no need to edit a menu).

Installing CrunchBang! from a USB drive

If you wish to boot from the CrunchBang ISO using E2B and then select the 'Install' option to install it onto another disk, you will need to use the same 'mount -t iso9660 -o ro /dev/sdb4 /cdrom' shell command that I detailed in my previous 'kali' blog post.
If using a .imgPTN file (no real need as not UEFI?) then you will need to use the 'mount -t vfat -o ro /dev/sdb1 /cdrom' shell command.




Sunday 5 January 2014

Installing Kali to a disk from a Kali ISO located on an E2B USB drive

Kali will run as a Live OS just by copying the ISO over to your E2B drive (e.g. copy it to \_ISO\MAINMENU); however, if you try to use the Install options to install Kali to another disk, you will get an error because the installer cannot find the 'CDROM'. The same problem occurs with a USB drive made with YUMI; with Easy2Boot, however, we can work around the issue.

You can manually fix this problem if using E2B by typing in a linux command from the command shell to mount the partition #4 that will now contain the ISO file mapped by E2B before booting it, as follows:

When the CD-ROM is not detected:
1. Choose 'No', 'No', <Continue>, and then choose the 'Execute a Shell' menu option.
2. Type ls /dev/ to find the fourth USB partition name - sdx4 (usually sdb4).
3. Type:
mount -t iso9660   -o  ro   /dev/sdb4   /cdrom
4. Check that it was successful using the mount command.
5. Type:
exit
6. Proceed with the install.

Other useful commands are:
list-devices disk
ls /dev/s*
umount /cdrom            to unmount the cdrom.

If you cannot remember this, why not make a .txt file with the same name as the ISO with these instructions in the text file, e.g. (all one long line)

title Kali Linux\n To INSTALL to another disk, run the shell and type:\n mount -t iso9660 -o ro /dev/sdb4 /cdrom\n You can use ls /dev/ to find the correct name of the USB drive\n Then type exit to continue


Note: E2B has a sample .mnu file in the \_ISO\docs\Sample mnu Files folder for Kali.

If you use a MakePartImage .imgPTN file to boot to Kali, you can use a similar command - e.g.
mount -t vfat -o ro /dev/disk/by-label/EASY2BOOT /cdrom

or
mount -t vfat -o ro /dev/sdb1 /cdrom

where EASY2BOOT is the label of the partition (EASY2BOOT is the default volume label when you create the image file using MakePartImage).

Easy2Boot v1.22 now available (bugfix)

If you find the Ptn2_Menu.mnu menu doesn't work, this should now be fixed in version 1.22. Thanks to DvdK for spotting this! 4 files have been changed in the \_ISO\e2b\grub folder.
Note: 1.22A fixes the bug where if you are using Ptn2_Menu.g4b, then the F7-F10 menu entries are missing from the resulting menu of ISOs on the 2nd partition so you cannot go back to the main menu.
1.22B fixes a small bug if you are using the NOF7HD variable to suppress the F7 menu item.

Saturday 4 January 2014

Easy2Boot v1.21 available

Small update to DPMS2. If two XP mass storage drivers are found, then a firadisk/winvblock driver was not selected - this resulted in a BSOD. What you should do is use F6 to select the required drivers.
Only two virtual F6 floppies are recognised by XP Setup, therefore we cannot have two default mass storage drivers + a default Firadisk or WinVBlock driver. fd0 can have one default driver and fd1 can have another default driver, but we cannot have 3 default drivers!
I have changed the behaviour now so that one mass storage driver is selected + the firadisk/winvblock driver. However, if the wrong mass storage driver is selected by DPMS2, you will need to press F6 and select the other mass storage driver manually (as well as the firadisk/winvblock driver).
The only way to load 3 or more drivers is to use the F6 key.
V 1.21 of E2B and V1.21 +DPMS2 mass storage drivers are now available.