SystemRescueCD
ILTAU09
David Nevala, IT Director, Lukins & Annis, P.S.
Lance Rea, Chief Information Officer, Davis & Gilbert LLP
SystemRescueCD is a collection of hundreds of tools and utilities
for maintaining or repairing a PC.
The following tutorial uses this convention: anything following the
root@sysresccd /root % prompt is a command line that should be typed
exactly as shown. Other items that require action are listed in a bold
font.
SystemRescueCD will be referred to as "srcd" in the following
tutorial.
Microsoft Virtual PC environment
Because we are working in a Microsoft Virtual PC environment, we
will need to emulate a computer with a CD drive. For this
session, we've included the srcd ISO image on the hard drive of the
virtual machine host workstations. We need to capture the CD
drive in order to boot the image.
You will also use the Right-Alt key extensively during this
tutorial as it "releases" your mouse and keyboard input from the
virtual machine console.
1. If the virtual machine is not running, browse to the Microsoft
Virtual PC application icon in the Programs list.
2. Highlight the Toolkit srcd session image and click Start.
3. After the image starts, go to the Virtual PC CD menu and
Capture ISO Image.
4. Go to the Action menu, and choose Reset to restart the virtual
PC.
Starting SystemRescueCD
To start srcd the computer needs to be capable of booting from a
CD-ROM or USB drive. Booting from removable media normally has to be
enabled in the system BIOS; some computers also allow a function key
to be pressed at power-on to bring up a boot menu from which the CD
or USB device can be chosen.
1. The first screen allows you to choose a boot kernel or modify
boot options. Press F2, F3, F4, F5 or F6 to view boot options and the
various help screens.
2. Type aida and press Enter to view system information.
Action -> Reset to restart srcd.
3. Type mhdd and press Enter to view the hard drive configuration.
Action -> Reset to restart srcd.
4. Type freedos and press Enter to start a DOS session.
Action -> Reset to restart srcd.
5. To run srcd entirely from RAM, type docache and press Enter. The
whole image is copied into memory, which is what lets the CD drive be
released later while srcd is still running.
6. The welcome screen shown after boot has important information
regarding network setup, the ssh server, editors, browsers, NTFS, X,
etc. To return to this welcome screen at any time in your login
session, type "exit".
Configuring the network
To enable and use the network in a srcd environment, the
network interface needs to be enabled first.
1. Enable network interface
root@sysresccd /root % net-setup eth0
2. Choose wired network
3. Choose dhcp address assignment
4. Verify connectivity
root@sysresccd /root % ifconfig
Multiple consoles
root@sysresccd /root % top
Type Alt-F2 to open a new console
root@sysresccd /root % ls
Type Alt-F3 to open another new console; Alt-F1 returns to the first
one
X graphical user interface
1. Configure the srcd X window environment. The wizard configurator is
needed in the Microsoft Virtual PC environment, but "startx" will
usually work on a real PC.
root@sysresccd /root % wizard
2. Choose the appropriate server. Xorg-mkx seems to work in the
Microsoft Virtual PC environment: select Xorg-mkx and choose OK.
3. To leave X (and restart it with wizard), right-click on the desktop
and choose Exit.
4. In the event that X crashes or loads a bad configuration, press
Ctrl-Alt-Backspace to kill the X server and return to the console
prompt.
Hardware detection
To get a listing of the hardware detected by the Linux kernel as the
computer booted, we can use dmesg and other utilities.
1. Complete hardware listing
root@sysresccd /root % dmesg
Use Shift-PageUp and Shift-PageDown to scroll back through console
output.
2. Complete scrollable listing
root@sysresccd /root % dmesg | less
3. Filter listings, e.g. find hard drives
root@sysresccd /root % dmesg | egrep -i 'sda|hda|scsi|ide'
4. View memory information
root@sysresccd /root % dmesg | grep -i memory
root@sysresccd /root % cat /proc/meminfo
5. View CPU information
root@sysresccd /root % cat /proc/cpuinfo
6. View USB information
root@sysresccd /root % dmesg | grep -i usb
7. View network card information
root@sysresccd /root % dmesg | grep -i eth0
root@sysresccd /root % dmesg | grep -iE "(eth0|eth1)"
8. Other hardware information utilities
root@sysresccd /root % lspci
root@sysresccd /root % lsusb
root@sysresccd /root % lsscsi
root@sysresccd /root % lshw
9. Dump the BIOS (DMI/SMBIOS) tables: manufacturer, model, serial
numbers, memory slots
root@sysresccd /root % dmidecode | less
Hard drive detection and performance
Hard drive information can be gathered, and disk configuration
changed, with hdparm or sdparm. hdparm is used for SATA or IDE (ATA)
drives, and sdparm would be used for SCSI drives. (hdparm is great for
getting a quick feel for the health of a drive, but it is dangerous.
If you are making changes on a production machine, make sure you
know exactly what you hope to accomplish; some commands can ruin
or corrupt disks and data.)
1. View documentation for hdparm. TIP: hit 'q' to exit man pages.
root@sysresccd /root % man hdparm
root@sysresccd /root % man sdparm
root@sysresccd /root % hdparm --help
2. List drives and partitions that srcd is aware of
root@sysresccd /root % sfdisk -l
root@sysresccd /root % fdisk -l
3. Get detailed information from the drive
root@sysresccd /root % hdparm -I /dev/sda
4. Test read timings (this takes a couple of seconds to provide
results)
root@sysresccd /root % hdparm -t /dev/sda
5. Test both disk and cache timings
root@sysresccd /root % hdparm -tT /dev/sda
6. Query the power management (APM) setting. -B with no value reads
the current level; -B followed by a value sets it
root@sysresccd /root % hdparm -B /dev/sda
7. Set acoustic management (AAM): 128 is the quietest (slowest)
setting, 254 the fastest
root@sysresccd /root % hdparm -M 128 /dev/sda
root@sysresccd /root % hdparm -M 254 /dev/sda
8. Check space on mounted filesystems, and usage under the current
directory
root@sysresccd /root % df -h
root@sysresccd /root % du -h
9. For your post-conference pleasure try the bonnie++ benchmarking
tool. Mount the Windows partition first; bonnie++ refuses to run as
root unless -u root is given, and it writes test files into the
directory named with -d.
root@sysresccd /root % ntfs-3g /dev/sda1 /mnt/windows
root@sysresccd /root % bonnie++ -d /mnt/windows -u root
Lost disk partition
1. Display partition information
root@sysresccd /root % sfdisk -l
2. Search for missing or deleted partitions
root@sysresccd /root % testdisk
3. Choose Create a new log file
4. Select /dev/sda and press Enter on [Proceed]
5. Choose [Intel]
6. Choose [Analyse]
7. Choose [Quick Search]
8. Type 'yes' and hit Enter
9. Choose the partition you want to restore and press Enter (press P
first to list the files on it and confirm it is the right partition,
then Q to return to the list)
10. Choose [Write] to restore the deleted partition
11. Type 'Y' to confirm
12. Choose [OK] to reboot
13. Action -> Release the CD drive image
14. Reset the VM
Replace lost or corrupted system files
1. Reset the VM - Does Windows boot?
2. Note the error message - (It appears that shell32.dll is
missing)
3. Before resetting the computer, go to the "CD" menu
and Capture ISO Image
4. Browse to "IT Support on the Cheap" folder and choose
systemrescuecd-x86-1.2.1.iso
5. Mount the restored Windows partition into the srcd file system,
e.g.,
root@sysresccd /root % ntfs-3g /dev/sda1 /mnt/windows
6. The Windows XP installation system files are usually contained
in c:\I386, or on the installation media. If a service pack has been
applied, a newer copy of the file may be under
WINDOWS\ServicePackFiles\i386; use the newest version so the file
matches the rest of the system.
root@sysresccd /root % cd /mnt/windows/I386
root@sysresccd /root % ls
7. Verify that the shell32.dll file is in the archive
root@sysresccd /root % cabextract -l SHELL32.DL_
8. Extract the shell32.dll file into the proper location (commands
are on one line)
root@sysresccd /root % cd /mnt/windows/WINDOWS/system32
root@sysresccd /root % cabextract -F shell32.dll /mnt/windows/I386/SHELL32.DL_
9. Unmount the Windows partition to cleanly close it and flush the
cache to disk
root@sysresccd /root % cd /
root@sysresccd /root % umount /mnt/windows
10. Release the CD drive and attempt to boot Windows
Action -> Release the CD drive image
11. Reset the VM
Change lost Windows password
Our XP machine boots now, but nobody can log in because the password
is lost. We'll use the utility chntpw to blank the password. Two
things to keep in mind: blanking a local account's password makes
any files that account encrypted with EFS unreadable, because the EFS
key is protected by the password; and anyone who can boot the machine
from removable media can do exactly this, which is the argument for
full-disk encryption on laptops.
1. Mount the Windows partition into the srcd file system, e.g.,
root@sysresccd /root % ntfs-3g /dev/sda1 /mnt/windows
2. Change to the registry directory
root@sysresccd /root % cd /mnt/windows/WINDOWS/system32/config
3. Show users
root@sysresccd /root % chntpw -l SAM
4. Select the user whose password to change
root@sysresccd /root % chntpw -u User1 SAM
5. Choose option "1" to blank the password (blanking is far more
reliable than setting a new one)
6. Quit, and write the changes when prompted
7. Unmount the NTFS partition cleanly to flush writes to disk
root@sysresccd /root % cd /
root@sysresccd /root % umount /mnt/windows
8. Release the CD drive
Action -> Release the CD drive image
9. Reset the VM
Edit system registry
1. Mount the Windows partition into the srcd file system, e.g.,
root@sysresccd /root % ntfs-3g /dev/sda1 /mnt/windows
2. Change to the registry directory
root@sysresccd /root % cd /mnt/windows/WINDOWS/system32/config
3. Show the registry files
root@sysresccd /root % ls -la
4. The registry hives are separate files which regedit normally
displays as one directory tree:
HKEY_LOCAL_MACHINE\SAM        SAM
HKEY_LOCAL_MACHINE\SECURITY   SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE   software
HKEY_LOCAL_MACHINE\SYSTEM     system
HKEY_USERS\.DEFAULT           default
HKEY_CURRENT_USER             ntuser.dat (kept in each user's profile
directory under Documents and Settings, not in config)
5. From the srcd console, open the software hive in chntpw's
registry editor
root@sysresccd /root % chntpw -e software
6. "?" will provide help
7. Navigate like a file directory; q quits and asks whether to write
the changes back to the hive
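Before letting chntpw write to a hive, whether it is the SAM in the password exercise or the software hive in this one, snapshot the hives and keep checksums, so that a bad edit can be rolled back and you can show afterwards which files actually changed. The script below is an added example for those two exercises; it is not part of the tutorial or of chntpw. It assumes the Windows partition is mounted at /mnt/windows as in the exercises and that cp, cmp and sha256sum are available on the rescue CD.

```shell
#!/bin/sh
# Added example (not from the tutorial or chntpw): snapshot the registry
# hives before editing them offline, then verify the copies and find out
# which hive actually changed.
# Assumptions: hive files live in CONFIG_DIR (the tutorial uses
# /mnt/windows/WINDOWS/system32/config); cp, cmp and sha256sum are present.

HIVES="SAM SECURITY software system default"

# backup_hives CONFIG_DIR BACKUP_ROOT
#   Copies every hive that exists into BACKUP_ROOT/hives-<timestamp>, writes a
#   sha256 manifest there and prints the snapshot directory. Returns 1 if
#   CONFIG_DIR does not look like a Windows config directory (no SAM).
backup_hives() {
    config_dir=$1
    backup_root=$2
    if [ ! -f "$config_dir/SAM" ]; then
        echo "no SAM hive in $config_dir; is the partition mounted?" >&2
        return 1
    fi
    snap="$backup_root/hives-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$snap" || return 1
    copied=""
    for hive in $HIVES; do
        [ -f "$config_dir/$hive" ] || continue
        cp -p "$config_dir/$hive" "$snap/$hive" || return 1
        copied="$copied $hive"
    done
    # Relative names in the manifest, so it verifies from inside $snap
    (cd "$snap" && sha256sum $copied > MANIFEST.sha256) || return 1
    echo "$snap"
}

# verify_hives SNAPSHOT_DIR
#   Re-checks the copies against the manifest; 0 if all of them match.
verify_hives() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null)
}

# hive_changed CONFIG_DIR SNAPSHOT_DIR HIVE
#   0 if the live hive now differs from the snapshot (chntpw wrote to it),
#   1 if it is byte-for-byte the same. A missing file counts as changed.
hive_changed() {
    if cmp -s "$1/$3" "$2/$3"; then
        return 1
    fi
    return 0
}

# Stand-alone use: sh hives.sh /mnt/windows/WINDOWS/system32/config /root
if [ $# -ge 2 ]; then
    snap=$(backup_hives "$1" "$2") || exit 1
    echo "snapshot written to $snap"
    verify_hives "$snap" && echo "manifest verified"
fi
```

After chntpw -u User1 SAM, hive_changed for SAM should succeed and hive_changed for system should not; if software also changed, something wrote where it should not have. Rolling back is a plain cp of the snapshot copy over the live hive while the partition is still mounted, followed by umount. Keep the snapshot on the rescue system or another disk, not on the NTFS partition you are repairing.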
File System Utilities
1. Find deleted files with photorec. Recovered files are written
below the current directory, so create and enter a scratch directory
first. Never recover onto the damaged partition itself, and remember
that /tmp on the live CD is in memory, so for anything beyond a demo
use a mounted spare disk.
root@sysresccd /root % mkdir /tmp/recover ; cd /tmp/recover
root@sysresccd /root % photorec
2. Highlight the desired drive and choose [Proceed]
3. Choose [Intel]
4. Choose the desired partition and select [Search]
5. Choose the filesystem type [Other]
6. Choose the directory to restore to. Accept /tmp/recover and type
Y
7. Files are restored into numbered recup_dir directories under it
Virus scanning
To use the network in a srcd environment, the network interface needs
to be enabled first. Refer to the "Configuring the network" section
above for assistance.
1. Use ClamAV. Update the virus definition files first
root@sysresccd /root % freshclam
2. Check that the virus patterns updated properly
root@sysresccd /root % ls -la /var/lib/clamav
3. Mount the Windows partition, e.g.,
root@sysresccd /root % ntfs-3g /dev/sda1 /mnt/windows
4. Verify clamscan options
root@sysresccd /root % man clamscan
5. Scan the previously restored files for viruses (-r recurses into
directories, -v is verbose, -i prints only infected files)
root@sysresccd /root % clamscan -rvi /tmp/recover
root@sysresccd /root % clamscan -rvi /mnt/windows/Documents\ and\ Settings
6. If clamscan found a virus it can be automatically removed by
adding the --remove switch, but normally you would want to deal with
them manually: keep a copy for analysis, and a deleted system file
leaves Windows unbootable.
root@sysresccd /root % clamscan -rvi --remove /mnt/windows/
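Dealing with hits manually means parking them somewhere they cannot run, without losing the evidence. The script below is an added example, not part of the tutorial or of ClamAV: it reads the "path: Signature FOUND" lines clamscan prints, moves each file into a quarantine tree that mirrors its original path, and keeps a sha256 manifest so a false positive can be put back exactly as it was. It assumes the scan output was saved to a log file (for instance with clamscan -ri /mnt/windows > /tmp/scan.log) and that the quarantine directory is outside the scanned tree; the sample log in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial or ClamAV): quarantine instead of
# --remove. Reads the "path: Signature FOUND" lines that clamscan prints,
# moves each file into a quarantine tree that mirrors its original path, and
# keeps a sha256 manifest so a false positive can be restored exactly.
# Assumptions: the scan was saved with something like
#   clamscan -ri /mnt/windows > /tmp/scan.log
# and the quarantine directory lives outside the scanned tree.

# quarantine_path QUARANTINE_DIR PATH
#   Where a file is parked: its original absolute path mirrored under files/
quarantine_path() {
    case $2 in
        /*) echo "$1/files$2" ;;
        *)  echo "$1/files/$2" ;;
    esac
}

# quarantine_from_log LOG QUARANTINE_DIR
#   Moves every FOUND file, appends "sha256<TAB>signature<TAB>path" to
#   QUARANTINE_DIR/MANIFEST.txt and prints how many files were moved.
#   Entries whose file no longer exists are reported on stderr and skipped.
quarantine_from_log() {
    log=$1
    qdir=$2
    mkdir -p "$qdir" || return 1
    n=0
    while IFS= read -r line; do
        case $line in *' FOUND') ;; *) continue ;; esac
        # Signature names contain no spaces, paths may: strip ": <sig> FOUND"
        path=${line%: * FOUND}
        sig=${line##*: }
        sig=${sig% FOUND}
        if [ ! -f "$path" ]; then
            echo "skipped (not a regular file): $path" >&2
            continue
        fi
        dest=$(quarantine_path "$qdir" "$path")
        mkdir -p "$(dirname "$dest")" || return 1
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        mv "$path" "$dest" || return 1
        printf '%s\t%s\t%s\n' "$sum" "$sig" "$path" >> "$qdir/MANIFEST.txt"
        n=$((n + 1))
    done < "$log"
    echo "$n"
}

# restore_quarantined QUARANTINE_DIR PATH
#   Moves one file back, but only if its checksum still matches the manifest.
#   (awk -v interprets backslashes; paths under an NTFS mount contain none.)
restore_quarantined() {
    qdir=$1
    path=$2
    sum=$(awk -F'\t' -v p="$path" '$3 == p { s = $1 } END { print s }' "$qdir/MANIFEST.txt")
    if [ -z "$sum" ]; then
        echo "not in manifest: $path" >&2
        return 1
    fi
    src=$(quarantine_path "$qdir" "$path")
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$sum" ]; then
        echo "checksum mismatch, not restoring: $path" >&2
        return 1
    fi
    mkdir -p "$(dirname "$path")" && mv "$src" "$path"
}

# Stand-alone use: sh quarantine.sh /tmp/scan.log /tmp/quarantine
if [ $# -ge 2 ]; then
    quarantine_from_log "$1" "$2"
fi
```

clamscan itself has --move=DIR and --copy=DIR options that park infected files in a single flat directory; the script above adds the mirrored path and the checksum manifest, which is what you want when the file later has to go back or be handed to someone for analysis. The manifest lists the signature name next to each file, so a later false-positive correction from the vendor can be matched to the right entries.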
Network utilities
To use the network in a srcd environment, the network interface needs
to be enabled first. Refer to the "Configuring the network" section
above for assistance.
1. Ping
root@sysresccd /root % man ping
Audible ping (works if sound modules are loaded)
root@sysresccd /root % ping -a
Adaptive ping: the next packet goes out as soon as a reply arrives
root@sysresccd /root % ping -A
Record the route out and back (IP record-route option; many routers
ignore it)
root@sysresccd /root % ping -R
Stress test a connection (flood ping, root only; do this only on a
network you are responsible for)
root@sysresccd /root % ping -f
Count option - set how many times to ping
root@sysresccd /root % ping -c3
Change packet sizes (65507 bytes of data is the largest that fits in
one IPv4 packet; anything larger than the link MTU is fragmented on
the wire)
root@sysresccd /root % ping -s 65507
root@sysresccd /root % ping -s 10000
root@sysresccd /root % ping -s 15000
2. traceroute
root@sysresccd /root % traceroute www.iltanet.org
3. arp: show the ARP cache, i.e. the MAC addresses the kernel has
learned for local IPs; arping sends ARP requests to one address
root@sysresccd /root % arp
root@sysresccd /root % arp -a
root@sysresccd /root % arping
4. netstat
Show the kernel routing table
root@sysresccd /root % netstat -rn
Show all sockets, listening and connected
root@sysresccd /root % netstat -an
Show port 80 connections
root@sysresccd /root % netstat -an | grep :80
Display active TCP connections with the owning process
root@sysresccd /root % netstat -natp
5. dnstracer: determine where a DNS server gets its information from
root@sysresccd /root % dnstracer google.com
root@sysresccd /root % dnstracer purple.com
6. iftop: show bandwidth use per connection
root@sysresccd /root % iftop
7. ifstat: show network traffic per interface
root@sysresccd /root % ifstat
8. tcpdump
Type Alt-F2 to open a new console
root@sysresccd /root % tcpdump
Type Alt-F3 to open another new console
root@sysresccd /root % ping -c1 (your neighbor's ip address)
Type Alt-F2 to return to the capture and watch the echo request and
reply go by; then stop it with Ctrl-C and restrict the capture to
one host
root@sysresccd /root % tcpdump host (your neighbor's ip address)
9. nmap
Quick port scan - run this against your neighbor. In this class you
have each other's agreement; on a real network scan only hosts you
are authorized to test, since the scan is visible to them.
root@sysresccd /root % nmap ipaddress
root@sysresccd /root % nmap -p1-65535 ipaddress
Run an OS fingerprint scan
root@sysresccd /root % nmap -O ipaddress
10. Try wildcards to scan multiple hosts, e.g. 192.168.*.*,
192.168.0.0/16, 192.168.0.0-255
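nmap scans whatever address you hand it, and outside this classroom that is usually somebody else's host. The script below is an added example, not part of the tutorial or of nmap: it checks an IPv4 target against an allow-list of ranges before nmap is run. AUTHORIZED_RANGES is an assumed variable name holding space-separated CIDR blocks or single addresses agreed with the network owner; the wrapper deliberately accepts only single dotted-quad targets, so the wildcard and CIDR target forms from step 10 are refused rather than expanded into a sweep.

```shell
#!/bin/sh
# Added example (not part of the ILTA tutorial or of nmap): only scan what you
# are authorized to scan. Wraps nmap with a check against an allow-list of
# IPv4 ranges before it runs.
# Assumptions: AUTHORIZED_RANGES (a made-up variable name) is a space-separated
# list of CIDR blocks or single addresses; targets are single IPv4 addresses,
# not hostnames, wildcards or ranges.

# ip_to_int A.B.C.D
#   Prints the address as a 32-bit integer; returns 1 for anything that is
#   not a dotted quad of plain decimal octets (leading zeros are rejected,
#   since shell arithmetic would read them as octal).
ip_to_int() {
    case $1 in
        *.*.*.*.*) return 1 ;;   # too many dots
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NETWORK[/BITS]
#   0 if IP lies inside the range, 1 if not, 2 if either argument is malformed.
in_cidr() {
    ip=$(ip_to_int "$1") || return 2
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;          # a bare address means /32
    esac
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    netint=$(ip_to_int "$net") || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# scan_authorized TARGET "RANGE RANGE ..."
#   0 if TARGET falls inside any allowed range; anything unparseable
#   (hostnames, wildcards, CIDR targets) is refused.
scan_authorized() {
    for range in $2; do
        if in_cidr "$1" "$range"; then return 0; fi
    done
    return 1
}

# safe_nmap TARGET [nmap options...]
#   Runs nmap only when TARGET is covered by AUTHORIZED_RANGES.
safe_nmap() {
    target=$1
    shift
    if ! scan_authorized "$target" "${AUTHORIZED_RANGES:-}"; then
        echo "refusing to scan $target: not inside AUTHORIZED_RANGES" >&2
        return 1
    fi
    nmap "$@" "$target"
}

# Stand-alone use:
#   AUTHORIZED_RANGES="192.168.10.0/24 10.0.5.7" sh safe_nmap.sh 192.168.10.5 -O
if [ $# -ge 1 ]; then
    safe_nmap "$@"
fi
```

The check is on the address, not the name, on purpose: a hostname can resolve to anything, so resolve it yourself, look at the result, and pass the address. Keep the allow-list in the change ticket or engagement letter that authorized the scan, so the record of what was permitted matches what the wrapper enforced.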
gparted
1. Start up a GUI
root@sysresccd /root % wizard
2. Click the disk icon in the lower left and choose GParted from the
System menu
3. Unmount the partition (GParted cannot resize a mounted filesystem)
4. Use the mouse to shrink the partition (just a little)
5. Apply changes by clicking the green check mark
Last exercise
We'll use Darik's Boot and Nuke (DBAN) to wipe the XP virtual
machine's drive. This is destructive and irreversible, so make sure
the srcd ISO is still captured and that this is the disposable
classroom VM.
1. Reset the virtual PC
2. At the boot prompt, type dban