Stop Wasting Time Setting Up! ZIION OS, The Web3 Dev’s and Hacker’s Dream :)

I’m not going to say that setting up hacking or dev envs is more difficult than actual hacking, but sometimes it can be, especially if you’re completely unfamiliar with setting up env, or If you hate dealing with config like me since config problems turn into another mess and another rabbit holes, you may loose your entire data sometimes because of skill issue lol.

ZIION OS Overview

Installing all blockchain protocols, troubleshooting errors during setup, configuring settings, setting up your environment, IDE, all development kits, iOS SDK, Java Development Kit, Python, Docker, and so on, is not an easy task. All of that can take almost a whole day sometimes more than one day :) especially if there is no documentation or poor resources available. Let’s consider learning Python on Linux. You don’t need anything special; just open vim and start coding. Period.

What about Web3 or blockchain development? Will Kali Linux, Ubuntu, or Windows solve your problems? Of course not, because they are not for blockchain. You will need to configure a local blockchain, Truffle, Testnests, and other hacking tools if you want to audit smart contracts.

This is why, as security researchers, we often turn to Kali Linux. It comes pre-loaded and pre-compiled with hacking tools, saving us the time of installing things like Docker, Python, and etc..

“ZIION OS” will solve everything! They started this blessed project while teaching a course on SANS and they noticed that setting up the environment takes the whole day. They decided to build an operating system just like Kali Linux but for blockchain security and development purpose. As they said, it’s open source and has over 100 tools pre-installed and configured out of the box.

ZIION comes with built-in blockchain platforms such as Ethereum, Bitcoin, Solana, Terra, Polygon, BSC, Substrate, Near, and others. Imagine if you want to do this manually. ZIION also, like Kali, comes with lots and lots of pre-compiled hacking and development kits and tools. I guess it’s more than 100 tools. ZIION supports blockchains based on the Ethereum Virtual Machine, Golang, and Rust.

Overall, ZIION is the first open-source, end-to-end, pre-compiled, multi-architecture, multi-protocol blockchain security testing and development solution.

Key Features

As I mentioned earlier, Ziion comes with over 100 tools for various purposes, including IoT, cloud (which is a new category, I believe, as I have never seen it in Kali Linux), fuzzing tools, Go and Rust tools, web and EVM tools, which is quite impressive! In their documentation, they have listed these tools along with some of the commands required to use them.

Here are some popular choices included in Ziion:

• Smart Contract Static Analyzer for Solidity and Vyper: Slither, Mythril, Oyente
• IDE and Testing Frameworks: Truffle, Hardhat, Remix
• Development Utilities: Node.js, Python, Docker and Solidity compiler, various blockchain node clients and General Security Tools like Nmap, Burp Suite..

And, as I mentioned earlier again, the main feature of Ziion is that it is Open-source. This means that the software is available for anyone to use, modify, and distribute without any restrictions. Additionally, Ziion is an end-to-end solution, which means it comes with a complete package, from setting up the environment to providing all the necessary tools for development and testing. You don’t need to install or configure any additional software. This is truly awesome!

Moreover, Ziion is Pre-compiled, meaning the software is already configured and ready to use, without the need for any extra configuration or setup. You don’t need to do any JSON-related tasks, set up APIs, or update certain tasks. Everything is already done.

Ziion is also Multi-architecture, in the sense that it is designed for virtualization. It is compatible with multiple computer architectures or platforms. And when I say Multi-protocol, ZIION offers built-in support for a wide range of blockchain protocols, including Ethereum, Bitcoin, Solana, and many others. This is absolutely fire!

In simpler terms, ZIION is like a pre-built toolbox specifically designed for blockchain security. It’s free to use, provides everything you need from start to finish, works on various computers, and allows you to work seamlessly with different blockchain technologies. This combination of features makes ZIION a unique and valuable resource for developers and security professionals in the blockchain space.

Installation and Setup

As I mentioned earlier, ZIION only works with virtualization software. Thankfully, ZIION offers OVA files compatible with VMware and VirtualBox for x86/amd64 machines, and a UTM file for ARM64 machines like Apple M1 or M2.

Here’s how to run ZIION using VirtualBox on Windows 11:

1. Download and Install VirtualBox, you’ll need VirtualBox to run ZIION.
2. Disable Hyper-V, you might need to turn it off completely for VirtualBox to work properly. You can do this by running the command bcdedit /set hypervisorlaunchtype off in a command prompt with administrator privileges.

Why we disable Hyper-V? Both Hyper-V and VirtualBox are virtualization platforms. They can’t coexist and try to control the same hardware resources. Disabling Hyper-V ensures VirtualBox has full access for running ZIION.

• Disable Core Isolation: If you’re still encountering issues like the green turtle icon indicating slow VM performance, you might need to disable Core Isolation features.
• Disable Memory Integrity, Go to Windows Security > Device Security > Core isolation and turn off “Memory Integrity.”
• Disable Credential Guard (advanced users), If the issue persists, you can try disabling Credential Guard by editing the registry (risky for beginners, proceed with caution). Navigate to the key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard in the registry editor and change the value of "Enabled" from 1 to 0. Restart your computer after making this change.
• Again why we disable Core Isolation? Core Isolation features like Memory Integrity can sometimes conflict with virtualization software by providing additional security measures that might impact performance. Disabling them allows VirtualBox more freedom to run ZIION smoothly.

Additional Notes:

• ZIION requires at least 8 GB of RAM for installation, but 16 GB is recommended for optimal performance.
• You’ll also need at least 100–200 GB of storage space, especially if you plan to work with a local blockchain within ZIION.
• The current version of ZIION seems to only offer a GNOME desktop environment.

Once you do these stuff, then now, import the OVA file using the default settings. Log in with Username: “ziion” and Password: “ziion” (be sure to remember to change the default password for security reasons). By following these steps and disabling the mentioned settings if necessary, you should be able to successfully run ZIION on your Windows 11 machine using VirtualBox.

Hands-on Experience (Exploring Pre-loaded Tools)

In essence, ZIION OS can be thought of as a version of Kali Linux tailored specifically for blockchain security. So now let’s try Remix IDE since it comes with ZIION OS and doesn’t require installation. In this section, I’ll demonstrate two tools: one for development and one for hacking, along with brief explanations on their functionalities. Remix specifically designed for developing smart contract at any level but specifically for new comers and Remix provides a user-friendly interface for writing, compiling, debugging, and deploying Solidity code.

When you search for “Remix,” it will appear, and opening it will serve it for you on localhost without the need for additional installation.

Home page of Remix

As you can see(below), I’ve written a simple functional ERC token, compiled it without any issues, deployed it, and even pushed it to IPFS, which is really cool and interesting. There are other development tools available ofc, but let’s also examine one or two hacking tools.

As you know, every Linux distribution must have the vim code editor, and here in Ziion, we’ll do the same for our contract using vim and interact with solc. If you’re using ZIION OS, solc (the Solidity compiler) likely comes pre-installed, so there is no need for manual installation via npm.

Great, now that we’ve written and saved our contract, let’s compile it.

The commands for compiling your Solidity code remain similar to those used with npm: “solc erc_20.sol”. However, you need to specify the output. Similar to the npm approach, you can use flags to get more specific output:

• “ — bin”: Generate bytecode
• “ — abi”: Generate ABI

So it would be like this:

• solc — bin -o SimpleToken.bin erc_20.sol # Output bytecode to SimpleToken.bin
• solc — abi -o SimpleToken.abi erc_20.sol # Output ABI to SimpleToken.abi

As you know, both fuzzing and static analysis are essential phases and tasks in hacking. While fuzzing is commonly used in web2 bug bounties, static analysis is a method used specifically for smart contracts.

Static analysis are just examining the source code of smart contracts without executing them. These tools scan the code for potential vulns, such as reentrancy attacks, integer overflows, and logic errors I guess.

They search for predefined patterns in the code that are known to be associated with vulnerabilities. For instance, they might look for missing checks before modifying balances, which could indicate a reentrancy vulnerability.

Let’s write a buggy smart contract and try to analyze our code. I’ve used a tool called “slither,” a Solidity analyzer tool written in Python. The command is “slither erc_20.sol,” and the output is shown below.

There are certainly many more tools like Echidna and Mythril. Feel free to experiment with them. Mythril is another great tool for testing the security of smart contracts, alongside Slither and Echidna.

You can install it using this command: “pip3 install mythril”

I don’t believe Ziion OS comes with Mythril pre-installed.

Then run myth analyze erc_20.sol to analyze your Solidity code.

Pushing the Limits: Additional Installations

We just installed one more tool in the previous section. Now let’s install VSCode, which is an essential tool for further auditing and development tasks. The process is similar to Kali Linux since Ziion is based on debain. We’ll use deb packages for installation. Download the .deb format from the VSCode download section and install it from your terminal using the command: sudo dpkg -i [package_name].deb

Benefits and Considerations (Pros & Cons)

So just like I said above.. ZIION OS, being based on Debian/Kali Linux..

Benefits (Pros):

• Security Focus: ZIION OS, with its roots in Kali Linux, prioritizes security. It offers pre-installed penetration testing and security auditing tools, making it appealing for security professionals.
• Open-Source and Customization: Like Debian and Kali, ZIION OS is open-source, allowing for customization and community-driven development. Users can access the source code, modify it to meet their specific needs, and contribute back to the project.
• Package Management: ZIION OS likely utilizes the familiar apt package manager or dpkg for installing software, providing a vast repository of packages for various purposes.

Considerations (Cons):

• Learning Curve: If you’re not familiar with Debian/Kali Linux, ZIION OS might have a steeper learning curve compared to more user-friendly desktop environments.
• Focus on Security: The security focus of ZIION OS might come with some trade-offs in terms of user-friendliness. Security features might require more configuration or technical knowledge to utilize effectively.
• Targeting: ZIION OS seems to be primarily targeted towards security professionals and developers, so it might not be the most intuitive choice for everyday users with no experience or interest in security tools.
• Limited Support: Compared to mainstream operating systems, ZIION OS might have a smaller support community, so finding help or troubleshooting issues could be more challenging.
• Hardware Requirements: While 8GB RAM and 100GB storage(I don’t think this would work for low end PC’s) but might seem sufficient, keep in mind that ZIION OS, along with any virtual machines you intend to run, security tools you utilize, and other software you install, will all compete for system resources. Consider your workload and adjust hardware specifications accordingly, especially if you plan on running resource-intensive tasks within virtualized environments.
• Limited Boot Options: ZIION OS might not offer traditional dual or single boot options for physical machines. This means you’ll likely need to use it within a virtual machine environment on top of another operating system. Ensure your system meets the virtualization software’s requirements for smooth operation.
• Desktop Environment Options: ZIION OS potentially offers GNOME as the primary desktop environment. While GNOME is a powerful and customizable option, some users might prefer alternative desktop environments for a more familiar or streamlined experience. Research compatibility if you have a strong preference for a specific desktop environment.

Web3 is the Future !!