Linux OpSec, Hardening, and Defense

nixops
Jan 12, 2021

Now that we are off to a fresh start in 2021, it is a good time to install Linux on the new device we have obtained. In this article I will walk you through several considerations and how to install Linux on your device. Do note that your device may require a few configuration changes specific to its hardware; I will get into that here. We will also do some hardening of the operating system and cover good defensive strategies with Linux. A solid defense leads to a better understanding of offensive tactics when they are needed.

This information is provided for educational purposes. I am not responsible for your actions.

No matter how secure you think software is, it is often vulnerable from various attack surfaces including you.

Your Device

If you have not purchased a dedicated device yet, I would highly suggest spending some time looking over models that fit your budget and the Linux distribution you plan to use. This is vital, as you will need to confirm that the device is fully supported by checking the distribution's Hardware Compatibility List (HCL). I know you are probably thinking this is not the 90's, but keep in mind that some chipsets take a lot more work to get every feature working in Linux. In some cases this can stretch your budget, and in others it may decide what the device can be used for, since Linux may not support a particular feature of the device. Again, these are decisions you have to make for your needs.

Now that we have our new device (I leave the specs and budget to you, though I do ask that you paid cash and did not make the common mistakes in how you obtained it), we need to take a couple of factors into consideration before preparing it for use, whether defensive or offensive. An obvious one: is this for offensive or defensive-only use, will it become our daily driver that is essentially a ghost device, or will it be an air-gapped device for a few specific tasks? These are questions you need to ask yourself, as I cannot answer them for you. The answer changes our approach, since it greatly impacts what we do with the device for each choice. I will provide some specifics for each and then some overall information on how to do the installations.

If you are planning the device for offensive operations only, I would highly suggest never installing to the actual disk and using only a USB Linux, and I would suggest non-persistence, but again that is your call. I will go over this in depth in the next section on USB Linux options. One of the first considerations for offensive use is the identifiability of the device, meaning whether it will be memorable if someone sees it. Avoid a case, a skin, or stickers: each of these, while stylish and unique, makes you stand out, and during operations you want to fit in with the crowd. It is more critical for the success of your operation that you do not "stand out". The next major consideration is which features of the device we "need". Do you need Bluetooth enabled all the time? Do you need the fingerprint reader, or should you even use it? (NO.) Once you have decided on a device it is important to understand its physical operational security as well as the potential configuration issues or identifiers. This will become more apparent with every iteration of our threat modeling against ourselves. As previous articles highlighted, every device has fingerprints; you want to fit in with the masses to avoid identification for a variety of reasons.

As you continue threat modeling around the device, take note of things such as whether you will need access to the media reader and other ports. These can be used as attack vectors, for example in an Evil Maid attack. Physical security of the device when it is not in use is often overlooked but will be very important, especially if we plan to use the device for offensive purposes. I would also like to warn you now that you will need to be prepared to destroy the device, for obvious reasons, if you feel your operational security is compromised. When I say "woodchipper laptops", I am referring to the concept of physically tossing it into a woodchipper. Remember that operations can get very expensive, and each drop in operational security costs both money and our valuable time. Once we have threat modeled our offensive device, we should factor all of these considerations into the installation process; the methods of installation are discussed later in this article.

If you are planning on defensive operations, or even air-gapping the device, you will need to follow the above threat modeling concepts and apply them to the device as well. There are many other considerations when air-gapping a device, such as how often you will bring the device online and when you will update it. A lot of air-gapped devices are not kept up to date or, even worse, are vulnerable to Evil Maid attacks because the owners have told multiple individuals in their life about the air-gapped device. Individuals can be a huge threat to you and your operational security and are often the weakest link. As pointed out before, in group operations an individual will often break the operation when they have a drop in OpSec, which will happen. Loved ones can also become adversaries when finances are involved or if they believe they can get immunity from other charges by providing details on you. This is just how the world works; assume everyone is like that.

If you plan to use the device as a daily driver, you will have a much different approach after following the same threat modeling of the device, as you will be using it for everyday tasks. You will most likely need your SD card reader, all of your USB ports, and possibly Bluetooth. Configuring and controlling these features becomes much more critical, since the more relaxed approach a daily driver invites could be used against you in your work. Keep in mind that while you may feel you have nothing to hide, I will say it once more: you shit with the door closed, have blinds or curtains in your home, and lock your doors. Daily driver devices face a harder decision between installing to disk and running from USB, as there are pros to both the USB model and the install to disk; they are covered in this write-up.

Most computers today support Linux; the level of support varies greatly per device and chipset.

USB Linux

There are hundreds of flavors of Linux, which can be overwhelming if you are coming from Windows and looking to get started. Do not panic; even before installing to your new device you should check out several via USB Linux and get a feel for what may work for you. I will again state that you cannot just download Kali and be 1337; this will end up getting you fingerprinted on networks in the future. Kali is a great Linux distribution for some research tasks, but it is only "a Linux", and each of the tools it has installed can be installed on a non-"marked" distribution. What I mean by marked is that network monitors and administrators are looking for Kali fingerprints (the default hostname alone gives it away); if you think they aren't, you need to get with the program. I am a fan of the Debian, Fedora, and Gentoo distributions. I prefer BSD Unix myself, but those are my preferred Linux environments. Each of them has a live image. I suggest these first, as you will need to get familiar with Linux if you have never used it.

I strongly recommend getting used to the Linux operating system before jumping into offensive tactics, to avoid getting yourself into a situation you do not fully understand and compromising yourself. This is where many would-be hackers get themselves into serious problems: they assume they won't get caught because they are running Linux or some tool they heard others using. As with any tool, if used improperly, you risk hurting yourself. Avoid making such mistakes; learning is a process and you should never rush it. If you rush into using Linux and try to jump to the offensive side, you will get a knock on your door, which I would highly advise you to avoid.

Another great Linux to use on USB is Tails, but again, as I just mentioned, you should learn more about using Linux before jumping into privacy-focused tools. That way you understand the common mistakes and can avoid making them. OpSec is usually compromised by simple mistakes. Very few operations are compromised by a sophisticated attack; it is the basics that cost you. You should learn how PGP works and how to use it, and avoid social media and other services while performing operations. You should also not use Tor and VPNs only for operations, or you open yourself up to correlation attacks, which is also a basic drop in OpSec.

Let's set up a USB Linux. You will need to download balenaEtcher, a Linux of your choice, and a USB drive. balenaEtcher is open-source image flashing software; you will want the .img (or USB-specific "live") version of the operating system of your choice. Etcher is straightforward: after you have downloaded your Linux of choice, start Etcher, select the .img file and your USB drive, wait for the image to be written, and you are done. Before writing, compare the download against the checksum the distribution publishes (and its signature where one is offered); a tampered or truncated image is not something you want to discover on the ghost device. After this, simply tell your device to boot from USB and start exploring. I would suggest that you test and explore on a device you already have, so that the "ghost" device remains private until you are more familiar with Linux.
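Etcher hides the two checks a practitioner wants here: that the image you downloaded is the one the distribution published, and that the bytes on the stick match the image. The shell functions below are an added example (not part of the original article and not Etcher's own code) that do the same job from the command line with sha256sum and dd. The image path, the expected checksum and the target device are assumptions supplied by the caller; the published checksum comes from the distribution's download page. A plain file can stand in for the device for a dry run.

```shell
#!/bin/sh
# Added example: verify a live image, write it with dd, and read it back.
# Assumed inputs (not from the article): IMAGE path, the SHA-256 published
# by the distribution, and the target DEVICE (/dev/sdX needs root; a plain
# file works for a dry run).

sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_image IMAGE EXPECTED_SHA256: succeed only if the download hashes
# to the value the distribution published.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# write_image IMAGE DEVICE: refuse mounted targets, write with dd, then
# hash exactly the image length read back from the device.
write_image() {
    image=$1
    device=$2
    size=$(wc -c < "$image" | tr -d ' ')
    # A mounted target is almost always the wrong disk.
    if grep -qs "^$device" /proc/mounts; then
        echo "refusing to write: $device (or a partition of it) is mounted" >&2
        return 1
    fi
    # conv=fsync forces the data to the stick before dd reports success;
    # without it a quick unplug can leave a partially written image.
    dd if="$image" of="$device" bs=4M conv=fsync status=none || return 1
    sync
    # The device is normally larger than the image, so compare only the
    # first $size bytes read back.
    written=$(head -c "$size" "$device" | sha256sum | awk '{ print $1 }')
    [ "$written" = "$(sha256_of "$image")" ]
}

# Usage, as root, after reading the checksum off the distribution's page:
#   verify_image live.iso <published-sha256> && write_image live.iso /dev/sdX
```

If write_image fails its read-back, the stick is either faulty or was removed early; do not boot it, rewrite it.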

There is also a persistent model and a non-persistent model with USB Linux, you will need to make that choice for yourself. I prefer non-persistent for obvious reasons.

Screenshot of balenaEtcher's easy-to-use interface. It can also be used for your Pi's SD card, quite handy. Also FOSS.

Installation to Disk

There is a second option for installing Linux, and that is on the local disk of the device. This provides the best performance but comes with some risks I will cover in this section. A disk installation could also be a dual-boot system with Windows and Linux, which can pose issues depending on the device. A newer device with NVMe storage, a GPT partition table, UEFI and firmware security features such as Secure Boot may prevent some Linux installations from booting; refer to your hardware documentation and the HCL. I would strongly encourage you not to try to install an MBR/legacy-boot Linux on a system that requires GPT and UEFI; you will have a bad time. If you hit this snag with an obscure distribution, you may be in for a long day of hackery. This goes back to the importance of the HCL and picking a distribution that works with your device. Once you have looked over these settings and are ready to install, let's do it.

You will need to download the ISO of the Linux distribution you plan to install. balenaEtcher, the same tool we used in the USB section, can prepare the USB drive you will use as the installation medium. You can use a DVD or CD burner if the target device supports it, but these media are rarer and rarer in most people's homes. Once you have downloaded the ISO and written it to the desired medium, boot from it.

Each installer varies slightly, but most will ask what type of installation you want to do: full disk or a separate partition. If you are planning a full-disk installation, be sure you have backed up important data and files beforehand, as they will be deleted. Once you have decided on the partition layout (or full disk), click next and select the packages you want. I would encourage you to install developer tools and not server tools; the Hardening section covers why to avoid server packages on a daily driver. Unnecessary packages and system services create vulnerabilities in our operational security. Once you have selected packages, click next; the installer will install them and prepare the system for use. Depending on the installer you will be asked, usually at the partitioning step, whether to use full disk encryption, and later for a user name, a password, and other details. Fill these out accordingly. Once completed, reboot.

Linux runs most IoT devices, most network routers, and majority of the world you rely on.

USB vs Disk Linux

USB Linux can be a great and versatile tool for learning and getting familiar with Linux with limited risk of damaging your system. There is a performance hit, as it is reading over USB and not natively from the device's disk; depending on the hardware the hit can be quite noticeable. I would suggest you do not treat the performance of USB Linux as the benchmark for how Linux will perform on the device. If you are using persistent USB Linux you can carry this machine with you anywhere you go, and since most machines made after roughly 2002 support booting from USB, this can be quite handy for many reasons. You can also do disk repairs and the like with this tool. I encourage you to get creative and explore what is possible with such a tool.

A Linux system running from disk will outperform USB Linux and, in many cases, will have better hardware support for the device it is installed on. USB versions make some compromises on image size and what is installed to prevent bloat and performance issues. There are also some issues with running Linux installed to disk rather than from USB. For example, if you destroy the filesystem of an installed device you will need to recover or reinstall it. This can be a very tedious process and a deterrent for most users; however, all operating systems suffer from this. If you delete important Windows files, Windows will need to be restored or reinstalled too.

Every way we use a computer, or any tool, has pros and cons. One disadvantage shared by persistent USB and installed Linux systems is that the disk they live on can be removed and its data extracted. Full disk encryption helps defeat this type of data extraction, but if it is done improperly (a weak passphrase, or a device left suspended with the keys still in RAM) it creates more problems than it solves. It is also important to note that physical compromise of your device applies to the USB drives as well, and you will need to consider these threats. One advantage of USB drive Linux is that you can easily discard the drive in a plethora of ways. Most people, though, will end up holding on to it even when they shouldn't, giving adversaries far more information than they should.

As stated earlier, depending on your operational needs you may have to be prepared to destroy the device, so keep that in mind while deciding on a device or installation method.

This can all seem very overwhelming and, in some ways, it should: you need to understand that the real threats from adversaries in some operations can result in a serious loss of freedom, actual physical injury, and monetary damage. These are factors that most wannabe hackers overlook, that most LARPing OpSec people overlook, and that are in general ignored because people believe it can't happen to them. Always ask yourself whether the device is worth more than your freedom; if it is, you shouldn't be using it for such activities. Just some food for thought.

USB drives can do a lot, but your mileage will vary based on your needs.

Hardening

Hardening is the process of locking down a system. The methods vary drastically depending on the system's use case, but some are universal and I plan to cover a few examples. One thing many people overlook on their local machine is the importance of knowing which applications they have installed and which they actually use. On a server the mindset is usually different, but you may be surprised to learn that unnecessary packages, plugins, and configurations are often deployed there too, giving attackers something to exploit. One common mistake during installation is to install server tools on a daily driver.

Most people do not need Sendmail, a web server, and a database on their device. If you are a developer then of course your needs change, and you already have an idea of what you need to install.
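A quick way to see which of those server packages you have actually exposed is to look at what is listening on all interfaces rather than on loopback. The functions below are an added example (not from the original article): sample_ss_output is a constructed copy of what ss -tulnp prints on a daily driver that has MariaDB, nginx and avahi installed, exposed_listeners filters it down to sockets bound to a wildcard address, and audit_listeners runs the same filter against the live system.

```shell
#!/bin/sh
# Added example: find services listening on all interfaces (0.0.0.0, *, ::).
# Loopback-only listeners (127.0.0.1, ::1) are left out: they are reachable
# from the machine itself, not from the network.

# Constructed sample of `ss -tulnp` output, standing in for a real host.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*        users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*     users:(("mariadbd",pid=901,fd=21))
tcp   LISTEN 0      511    *:80              *:*           users:(("nginx",pid=777,fd=6))
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*     users:(("avahi-daemon",pid=500,fd=12))
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*     users:(("systemd-resolve",pid=420,fd=13))
EOF
}

# exposed_listeners: reads ss output on stdin, prints "proto port address
# process" for every socket bound to a wildcard address.
exposed_listeners() {
    awk '
        $2 == "LISTEN" || $2 == "UNCONN" {
            addr = $5; sub(/:[0-9]+$/, "", addr)   # strip the port
            port = $5; sub(/.*:/, "", port)         # keep only the port
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
                proc = "-"
                if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
                print $1, port, addr, proc
            }
        }'
}

# audit_listeners: the same check against the running system (run as root,
# otherwise ss hides the owning process of other users' sockets).
audit_listeners() {
    ss -tulnp 2>/dev/null | exposed_listeners
}
```

On the sample, cupsd and the systemd-resolved stub drop out because they only listen on loopback; sshd on both address families, MariaDB, nginx and mDNS remain. Each line that remains is a service you either need, should bind to 127.0.0.1, or should remove.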

SELinux is one of many security mechanisms in modern Linux systems. It does not replace the old Unix user and group permissions; it adds mandatory access control on top of them. Every process and resource carries a label, and a policy decides which labelled processes may touch which labelled resources, whatever the permission bits say. This allows roles and exceptions for individual processes and handles restrictions on access to system resources. There are a few caveats you must be aware of, one being that you will often find lazy system administrators who simply set SELinux to permissive (or disable it outright). Permissive mode only logs what would have been denied and enforces nothing, which poses numerous problems on the security side and also makes it harder to work out, after the fact, how a vulnerability was able to be exploited. SELinux is not a silver bullet; no software is; security is a process. Each drop in best practices can and will be used against you or your company, just like OpSec in an operation. This applies to system configurations more than you may realize.

I will use the example of an SELinux policy module for a Tor exit relay so it is clear how to define each allow rule (what I will call an exclusion). First, create a CIL file that you install with semodule, one for each set of exclusions you need. To determine whether you need one, simply start the service; it may fail. If it does not start, look at the audit log (ausearch -m AVC -ts recent, or the journal) and you should see a record that SELinux denied the access. If you know and trust that the application or service is safe, and the access it is asking for makes sense for that service, you can create the exclusion with the following process; change it according to your needs.

  • touch tor-exclusion.cil
  • Add the following to tor-exclusion.cil (each CIL statement is a fully parenthesised list):

(typeattributeset cil_gen_require tor_t)
(allow tor_t self (capability (dac_override dac_read_search)))

  • sudo semodule -i tor-exclusion.cil

With the module installed, you can start the Tor daemon, assuming you have configured it for your needs. This is a very simple demonstration and you can find plenty of other examples online.

There are also other best practices for the parts of Linux that accept remote connections, such as configuring ssh to accept only public key authentication. You will need to create an ssh key on your device; to do that run the following command:

• ssh-keygen -t $algo -C "$email"

You will need to choose the algorithm used for key generation (ed25519 is the usual choice today); do your research, and make a note of the file location the command prints, by default ~/.ssh/id_<algo> for the private key and ~/.ssh/id_<algo>.pub for the public key.

Follow the prompts and use a passphrase; make it complex so that the key is not compromised if the file is. Now that you have this public key you can upload it to your remote host using the ssh-copy-id command, like this:

• ssh-copy-id -i ~/.ssh/$pubkeyfilegenerated $user@$remotehost

Now log into the remote host with your password one last time and edit the following file:

• /etc/ssh/sshd_config

In the file, find PubkeyAuthentication and set it to yes. The directive that turns passwords off is PasswordAuthentication (there is no AllowPasswordAuthentication); set it to no. On distributions that route passwords through PAM, also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on OpenSSH older than 8.7), or a password prompt can still be reached through the keyboard-interactive method. Check the result with sudo sshd -t, and keep your current session open while you confirm from a second terminal that the key logs you in; otherwise a typo here locks you out. Then restart the ssh daemon on that host with the following command:

• sudo systemctl restart sshd.service

Once it is restarted, exit and ssh to the host again: you will not be prompted for a password, and users attempting to access the machine with a password will no longer be able to try. However, you will still want to set up something like fail2ban to limit the number of attempts a source can make and blunt other attacks on your services.
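Editing sshd_config by hand has two classic failure modes: the directive you add ends up below a Match block (where it applies only to that match), or it is misspelled and silently ignored, and you find out after the restart. The script below is an added example (not from the original article) that sets the directives idempotently at the top of the file, where sshd's first-value-wins rule makes them authoritative, leaves Match blocks alone for manual review, offers an sshd -t check and a key-only login check, and writes a minimal fail2ban jail.local. The file paths, the backup user in the constructed sample config, and the ban thresholds are assumptions; adjust them.

```shell
#!/bin/sh
# Added example: key-only sshd configuration plus a fail2ban jail.
# sshd uses the FIRST value it reads for a directive, so every setting is
# prepended; earlier global copies (commented or not) are removed, while
# anything under a Match block is kept for manual review.

set_directive() {
    file=$1; key=$2; value=$3
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" '
            tolower($1) == "match" { in_match = 1 }
            !in_match {
                k = $1; sub(/^#+/, "", k)          # "#Key value"  -> "Key"
                if (k == "" && NF > 1) k = $2      # "# Key value" -> "Key"
                if (tolower(k) == tolower(key)) next
            }
            { print }' "$file"
    } > "$file.tmp" && mv "$file.tmp" "$file"
}

# effective_value FILE KEY: the global value sshd will use (first match
# wins; Match blocks are conditional overrides, so stop at the first one).
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

harden_sshd_config() {
    file=$1
    set_directive "$file" PubkeyAuthentication yes
    # PasswordAuthentication is the real directive name; sshd -t rejects
    # unknown ones such as AllowPasswordAuthentication.
    set_directive "$file" PasswordAuthentication no
    # Without these, PAM can still offer a password prompt through the
    # keyboard-interactive method. ChallengeResponseAuthentication is the
    # pre-8.7 name for the same switch; setting both is harmless.
    set_directive "$file" KbdInteractiveAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
    set_directive "$file" PermitRootLogin prohibit-password
    set_directive "$file" MaxAuthTries 3
}

# validate_sshd_config FILE: syntax check (needs root to open host keys).
validate_sshd_config() {
    sshd -t -f "$1"
}

# check_key_login USER@HOST: succeed only if the key alone gets you in.
# Run this from a second terminal before restarting sshd.
check_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no "$1" true
}

# write_fail2ban_jail FILE: three failures within ten minutes ban the
# source for an hour (thresholds are an assumption; tune them).
write_fail2ban_jail() {
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}
```

Order of operations on a real host: harden_sshd_config /etc/ssh/sshd_config, validate_sshd_config /etc/ssh/sshd_config, check_key_login user@host from another terminal, then restart sshd. Write the jail to /etc/fail2ban/jail.local and restart fail2ban.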

Next, spend some time figuring out which applications or services on your local or remote host actually require inbound network connections, and configure nftables/iptables or firewalld on the host (or a perimeter firewall such as pfSense) to allow only those. Once you have implemented the services you need to allow remote connections to, or locked the host down to outbound connections only, we can address the pink elephant in the room: DNS. DNS queries are monitored on most networks, whether by ISPs or by network administrators. A few steps keep them from spying on what we are doing with our DNS requests. One easy way is a VPN, a proper VPN that routes its queries to a DNS server other than your ISP's. You can test this with DNS Leak Test. Verify it with other requests as well; do not rely solely on a VPN. We can also use Tor and torsocks to route requests away from the local resolver; I covered this here. Another option is setting up DNSCrypt. The simplest solution is changing your DNS server; I would advise against Google or Cloudflare, as these big tech companies are known to record queries as well. Your personal operational security needs will guide which solution works for you.
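For the "only what needs inbound connections" rule, the shape of the ruleset matters more than the tool. The function below is an added example (not from the original article) that generates a default-deny nftables ruleset for a single host from a list of TCP ports to expose: everything inbound is dropped unless it belongs to a connection the host started, arrives on loopback, is rate-limited ping, or is the ICMPv6 neighbour discovery without which IPv6 stops working (the edge case people forget when they copy an IPv4 default-deny). Forwarding is dropped because a workstation is not a router. The port list is an assumption supplied by the caller; an empty list exposes nothing. apply_ruleset runs a syntax check with nft -c before loading.

```shell
#!/bin/sh
# Added example: default-deny nftables ruleset for a single host.
# nft_ruleset "22 443" prints a ruleset exposing TCP 22 and 443 only;
# nft_ruleset "" exposes nothing inbound.

nft_ruleset() {
    ports=$1
    tcp_rule=""
    if [ -n "$ports" ]; then
        tcp_rule="        tcp dport { $(printf '%s' "$ports" | tr ' ' ',') } accept"
    fi
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        # ping, rate limited; IPv6 neighbour discovery must stay open
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
$tcp_rule
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset "PORTS": write the ruleset, syntax-check it with nft -c,
# and only then load it. Root only.
apply_ruleset() {
    f=$(mktemp)
    nft_ruleset "$1" > "$f"
    nft -c -f "$f" && nft -f "$f"
    rm -f "$f"
}
```

If you manage the host over ssh, put 22 in the list before applying anything; the output chain stays accept so the host can still update and resolve names, which is the "outbound only" posture described above.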

If you have followed these simple best practices your system will be fairly well secured from outside attackers. The biggest vector is, and always will be, you and the software you decide to run. There is no weaker link in security than humans; time and time again this is proven, whether by lazy system administrators, lazy developers, or inexperienced ones deploying projects without first understanding the risks. Experience along with continuous threat modeling is the only way to stay on top of security; it is not a silver-bullet software solution, it will always be a process. Do not get lazy on security; it will bite you in the ass. It only takes one mistake. Keep good backups as well or you will regret it. I will cover backups in the future.

You should constantly threat model against yourself and keep an eye on your machine, they will always be watching.

Defensive Tactics

Defensive tactics will make you far better at analyzing a target than being purely offensive ever will. You need to understand the best practices and how they work to understand where a target's implementation might be weak. There are always people looking at every service online, with a variety of tools that we will explore in next week's article on beginning offensive tactics. Solid defensive strategies teach you how systems should be configured; from there you will easily identify systems that are not. No tool can replace the experience of installing and securing systems yourself. Tools are not all bad, but you must know how to use them, and use them properly, for them to be effective.

Paranoid approaches to security are good, but as with all systems there will be compromises, even on our own machines. Understanding the needs of the target and our own needs gives us much-needed insight into threat modeling for defensive and offensive strategies against a system. The majority of hacking, and even operational security, is simply understanding the threat model and how to handle the drops when something does happen to the security of your system and your operational security is compromised. Hope for the best, always plan for the worst. Planning for the worst also gives you much-needed clarity when things do go south. Panic leads to bad decisions; whether it is a security breach or an OpSec breach, keep your cool or it will end badly. Never rush; security is a marathon, not a sprint. Technology will continue to evolve and so will security. Always threat model, always be learning, and most important of all, always be prepared for the worst.

OpSec is a game of chess. There is no value in expedient moves with reckless abandon.

Closing

Linux is a very interesting operating system and it can be overwhelming. Setting it up for an operation or daily use can also be overwhelming if you are migrating from another operating system like Windows. There are real benefits, and in the modern world there are very few reasons, besides things like gaming, that exclude most people from using Linux or other *nix operating systems. Proprietary operating systems can be very dangerous to our day-to-day privacy and extremely dangerous when performing an operation. I would highly discourage any use of a proprietary operating system for any operation. This includes macOS: while it is a pretty good Unix, the operating system does a lot that is bad for OpSec. This is part of the danger of all proprietary systems.

I want to continue to encourage you to spend time learning how Linux works and honing your understanding of tooling before ever venturing into an operation using it; skipping that step is the demise of many a newcomer. Do not rush into going full offensive or you will end up spending some time in jail. Cybersecurity is a big business, operating DNMs is also a big market, and so is civil disobedience against oppressive regimes. As you continue your learning path, always spend time threat modeling around what you are learning and what it could provide to others profiling you. People often overlook the basic mistakes made in operational security. Be paranoid; you are being watched.

I want to thank JACE for proofreading as always, along with thanking many of you who reach out to me over secure channels to inquire on topics and ideas. You can contact me on the following platforms:

Signal:(867–675–1041)

Tox: D7D264EA7541C4324625A8360267C3C54F9C1AF564D4266FE45F2BCB68924E21CB2A75746D51

Twitter


nixops

General purpose hacker and deadhead. Sometimes I do things…