-2

Developing my toolkit and I want to have a safe edition of cmd.exe and bash on a USB. Why? These can be tampered with by attackers and I want a version I know is safe from manipulation. Any suggestions? Is this even possible today? I've read old stories about it. I've considered Cygwin, but it's only executable from Windows (I currently don't have access to Windows), and I've been unable to find any other possibilities. Is this not possible since it's tied locally?

Thank you!

edit: changed "bootable" to "portable" to lessen confusion.

Simonhawk
  • Do you want them to execute from the USB or do they have to be bootable? I know the title says bootable but by reading the question I am not sure. – toom Apr 17 '18 at 06:51
  • For now it's unclear what you are asking. Please provide more details especially with regards to your premises and your goals. – Tom K. Apr 17 '18 at 10:51
  • How will you run `cmd.exe` if you don't have access to Windows? – Neil Smithline Apr 17 '18 at 13:28
  • "bootable" was the wrong term. "portable" is more accurate. @toom – Simonhawk Apr 17 '18 at 16:54
  • @TomK. I don't understand what you're confused about. Everything you just mentioned is there. – Simonhawk Apr 17 '18 at 16:54
  • @NeilSmithline I feel like that question is unnecessary but I'll answer it anyway. Right now I have no access to Windows. But when I'm investigating other machines (let's say a Windows user has some issues and I want to collect data on it) then I'll want my own tools to use because I know they're safe and sound. Overall: I want the tools handy in both cases (UNIX or Windows). I'm not doing this to have them running on one system but able to utilize when operating on other systems according to their needs (i.e. if it's Windows, I'll need cmd) – Simonhawk Apr 17 '18 at 16:58
  • Simonhawk - I think that you're saying that you are looking for a drive that runs on both Windows and Linux. Is that correct? – Neil Smithline Apr 17 '18 at 19:47
  • Would a USB drive that has a physical write protect switch meet your needs? I have no experience with those, but I googled them and there are many options. You could then put whatever you want on the drive when you're on a trusted machine, then write-protect the drive when using on an untrusted machine. – Neil Smithline Apr 17 '18 at 19:54
  • I still don't really understand what you want to do. Even with a read-only USB drive, if the host is untrusted, how can you be sure that it will run the apps off the USB correctly? In general, if you can't trust the host system, you just take it offline and examine the drive on a secure computer. It sounds like you're trying to perform trustworthy operations on an untrusted computer. I'm not sure that's doable. – Neil Smithline Apr 17 '18 at 19:56
  • @NeilSmithline No that is not what I'm searching for. You're reading outside of my description. The idea is for me to place a known safe terminal on the USB. When I plug the USB into a different system, I navigate to the respective terminal (cmd or bash) and use that instead of the local system's terminal. Therefore, a portable terminal. – Simonhawk Apr 18 '18 at 00:35
  • Can you explain why you don't think it would be adequate to get a USB drive with a physical read-only switch on it, put cmd, bash (Linux version), bash (windows version with all of Cygwin), and whatever else you want on it and use that? – Neil Smithline Apr 18 '18 at 01:28

2 Answers

4

The idea is fundamentally flawed, and cannot be salvaged.

To start with the first problem: plugging a USB "stick" (mass storage device) into a computer will cause that computer to configure its USB and file system drivers in order to access any files stored on that USB stick. If the system is infected, this process may already modify those files - either physically on disk, or when loading them into RAM.

So even if your CMD.EXE was correct on the USB stick, you can't count on it staying that way or being loaded correctly.

The next problem, assuming CMD.EXE loads correctly, is that it needs to execute. The Win32 process will have several system DLLs loaded. Those could be infected as well. You can't override this by providing your "own" alternative DLLs. This is in fact a security mechanism, because this protects you against loading alternative infected DLLs and getting infected. Of course, in your scenario the system is already infected.

But even if your CMD.EXE loads, even if the system DLLs are unaffected, the process gets a limited view of the PC on which it's running. You cannot know anymore whether you are truly running as Administrator with a full overview; all such assumptions are flawed once the system is compromised.

MSalters
  • Interesting. I understand the points you make and they sound reasonable. Thanks for answering. This is probably why I don't find much on this topic. But it's weird because I've read this in incident response articles (although they weren't current) so it made me believe it was possible. But with the changes as OSs grow, it looks like this option is limited. Thanks again, you taught me something new. – Simonhawk Apr 18 '18 at 16:29
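The answer above argues that a tool on the stick cannot be trusted while it runs on a compromised host, and the comments suggest a write-protected drive instead. The one thing a responder can still do is detect tampering after the fact: record hashes of the toolkit on a trusted machine and re-check them on a trusted machine once the drive has been used elsewhere. The script below is an added example (not code from the post or either answer) that builds and verifies such a manifest. The directory layout, the `MANIFEST.sha256` file name and its `"<sha256>  <relative path>"` line format are assumptions chosen for this example, and `demo()` fabricates a small toolkit in a temporary directory, tampers with it, and returns what the check finds.

```python
"""Build and verify a SHA-256 manifest for a portable toolkit directory.

Added example for this thread, not the original post's code. Assumed
conventions: all tools live under one root directory, and the manifest is a
text file named MANIFEST.sha256 with one "<sha256>  <relative path>" line per
file. Build it on a trusted machine; verify it again on a trusted machine
after the drive has been plugged into anything you do not control. Running
the check on the untrusted host itself proves nothing, for the reasons the
answer above gives.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # assumed file name, kept out of the hashed set
CHUNK = 1 << 20                    # hash in 1 MiB chunks so large binaries are not read whole


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (manifest excluded) to its SHA-256."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(root).as_posix()] = sha256_of(p)
    return entries


def write_manifest(entries: dict, path: Path) -> None:
    with path.open("w", encoding="utf-8") as f:
        for rel, digest in sorted(entries.items()):
            f.write(f"{digest}  {rel}\n")


def read_manifest(path: Path) -> dict:
    entries = {}
    with path.open("r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            digest, _, rel = line.partition("  ")
            entries[rel] = digest
    return entries


def verify_manifest(root: Path, expected: dict) -> dict:
    """Compare the tree under root with a manifest built earlier.

    Returns sorted lists of files whose content changed, files that vanished,
    and files that appeared without being recorded (a dropped payload, say).
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "missing": sorted(r for r in expected if r not in actual),
        "unexpected": sorted(r for r in actual if r not in expected),
    }


def demo() -> dict:
    """Constructed end-to-end run: build a fake toolkit, record it, tamper, verify."""
    root = Path(tempfile.mkdtemp(prefix="toolkit-"))
    try:
        # Constructed placeholder tool files; the bytes are not real binaries.
        (root / "win").mkdir()
        (root / "nix").mkdir()
        (root / "win" / "cmd.exe").write_bytes(b"MZ placeholder cmd")
        (root / "nix" / "bash").write_bytes(b"\x7fELF placeholder bash")
        (root / "README.txt").write_text("toolkit notes\n", encoding="utf-8")

        # Trusted machine: record the known-good state.
        write_manifest(build_manifest(root), root / MANIFEST_NAME)

        # Simulated use on an untrusted host: one tool altered, one file removed,
        # one file added.
        (root / "nix" / "bash").write_bytes(b"\x7fELF placeholder bash (altered)")
        os.remove(root / "README.txt")
        (root / "nix" / "extra").write_bytes(b"unrecorded file")

        # Back on a trusted machine: check against the recorded manifest.
        return verify_manifest(root, read_manifest(root / MANIFEST_NAME))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Keep a copy of the manifest (or at least its own hash) off the drive as well; a manifest that travels with the stick can be rewritten along with the tools it describes.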
-1

There is a functioning solution (even if not meeting the exact desired solution above) and it's called a bootable USB drive. If you want to put a USB with a shell program on it into your computer, and then call that shell from that mnt, that's a tough one. If you don't need it to work like that, then just use Lubuntu or Puppy Linux to create a bootable flash drive. You'll have full access to the OS (unless encrypted). Many, many things can be done with this kind of USB. As for Windows, that's a different story. But I can confirm the above is possible (and fun IMO) with Linux.

For making the bootable USB: https://rufus.akeo.ie/

One of my favorite USB-only deployments of Linux: http://puppylinux.com/

bashCypher