Notes on my research from topics involving Linux, Network Security, Pentesting, Network/Computer Forensics and more. My intention is to use the knowledge for good and to raise awareness with regards to cyber security threats and other vulnerabilities. Therefore, as I learn, you can learn too.
Wednesday, April 14, 2010
Up and running with Adito (Openvpn ALS) VPN solution
Installing on a Linux system:
(System used: BackTrack 4)
NOTE: The following steps were taken from http://jaredheinrichs.com/how-to-install-adito-on-ubuntu-linux.html
# sudo apt-get install default-jre icedtea6-plugin openjdk-6-jdk // if this doesn't work, you may optionally try to install the sun-java6-bin sun-java6-jdk sun-java6-plugin sun-java6-jre packages instead
# sudo apt-get install ant
# sudo wget http://superb-east.dl.sourceforge.net/sourceforge/adito/adito-0.9.1-bin.tar.gz // this link might be broken so you may need to find the updated path for the download
# sudo mv adito-0.9.1-bin.tar.gz /opt/
# cd /opt
# sudo tar -zxvf adito-0.9.1-bin.tar.gz
# cd adito-0.9.1
# sudo ant install
This should start up the webserver on port 28080 on localhost.
Open a browser on your local machine and go to: http://127.0.0.1:28080
Create New Certificate
Step 1 – Set Keystore Passphrase – Type password twice for Cert
Step 2 – Create New Certificate – Fill out Form
Step 3 – Configure User Database – Built-in
Step 4 – Configure Super User – Fill out Form
Step 5 – Configure Web Server – Leave defaults
Step 6 – Configure Proxies – Leave blank unless you use proxy – Hit Next
Step 7 – Summary
Install Complete
Go Back to the Ubuntu CLI (Command line interface)
# sudo ant install-service // This sets up the system so you can manage it from /etc/init.d with the usual start|stop|restart commands
# sudo ant start
For installing on windows, please see: http://lars.werner.no/?page_id=153
NOTE: When using BackTrack 4 to connect to the VPN server, I ran into issues with the Java run-time not being initialized in Firefox. This may be the case with other Linux distros as well. To get this working I needed to create a symbolic link to the Java run-time plug-in file in my hidden "/root/.Mozilla/plug-ins" directory (in other cases it would be in the user's home directory). The plug-ins directory might not be there, as Mozilla probably doesn't have any plug-ins installed as of yet, so I went ahead and created that directory.
# cd /home/user_dir/.mozilla
# mkdir plugins
# ln -s /usr/lib/jvm/java-6-sun-1.6.0.10/jre/plugin/i386/ns7/libjavaplugin_oji.so
or, if the above doesn't work:
# cd /usr/lib/firefox-dir/plugins
# ln -s /usr/lib/jvm/java-6-sun-1.6.0.10/jre/plugin/i386/ns7/libjavaplugin_oji.so
Restart Firefox and all should be well
Resources / Good Reading:
http://jaredheinrichs.com/how-to-install-adito-on-ubuntu-linux.html
http://sourceforge.net/projects/openvpn-als/
http://www.sohoadvisers.com/tutorials/adito-ssl-vpn/installing-adito-ssl-vpn
http://lars.werner.no/?page_id=153
Monday, April 12, 2010
Image partitions with the linux tool Partimage
To launch/use partimage:
# partimage
This launches an ncurses-based user interface which is far from complicated; the options don't really need much explanation.
For more info on its usage, see www.psychocats.net/ubuntu/partimage or www.partimage.org
Sunday, April 11, 2010
Hexedit a hard disk
The boot sector is the first 512 bytes on a hard disk (446 bytes of bootloader code, a 64-byte partition table, and a final two-byte signature word that is always hex 55 AA). The partition table contains the entries for the primary and extended partitions; each entry is 16 bytes long, giving a maximum of 4 entries.
The following table describes each field of a partition table entry. The sample values correspond to partition 1 (taken from http://www.ntfs.com/partition-table.htm).
Partition Table Fields
Byte Offset | Field Length | Sample Value | Meaning
---|---|---|---
00 | BYTE | 0x80 | Boot Indicator. Indicates whether the partition is the system partition. Legal values are 0x00 (do not use for booting) and 0x80 (system partition).
01 | BYTE | 0x01 | Starting Head.
02 | 6 bits | 0x01 | Starting Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Starting Cylinder field.
03 | 10 bits | 0x00 | Starting Cylinder. This field contains the lower 8 bits of the cylinder value. Starting cylinder is thus a 10-bit number, with a maximum value of 1023.
04 | BYTE | 0x06 | System ID. This byte defines the volume type. In Windows NT, it also indicates that a partition is part of a volume that requires the use of the HKEY_LOCAL_MACHINE\SYSTEM\DISK Registry subkey.
05 | BYTE | 0x0F | Ending Head.
06 | 6 bits | 0x3F | Ending Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Ending Cylinder field.
07 | 10 bits | 0x196 | Ending Cylinder. This field contains the lower 8 bits of the cylinder value. Ending cylinder is thus a 10-bit number, with a maximum value of 1023.
08 | DWORD | 3F 00 00 00 | Relative Sector. Offset, in sectors, of the partition's first sector from the start of the disk (little-endian).
12 | DWORD | 51 42 06 00 | Total Sectors. Number of sectors in the partition (little-endian).
First we identify the partition table.
# xxd -l 64 -s +446 /dev/sdb // jumps to the offset at byte position 446 and displays the next 64 bytes which will be the partition table
According to the partition table fields, the first byte of each 16-byte entry is the boot indicator. When the BIOS passes control to the boot sector, the code within the first 446 bytes looks at the partition table and identifies the boot/system partition (legal values are hex 80 or 00: 00 = do not use for booting, 80 = system partition). We are going to change this system partition flag to 00, which marks the partition as unbootable.
So the MBR's bootloader code is 446 bytes in length (offsets 0-445). The next 64 bytes hold the partition table, consisting of up to 4 entries (16 bytes x 4). The first byte of each entry indicates whether it is the system partition or not. If there were only one partition, then only the first 16-byte entry, starting at byte 446, would contain values, while the remaining entries would be all zeros.
To clear the system partition flag of the first partition entry, we want to write the hexadecimal value 00 at byte offset 446. First we create a simple text file containing only the value 00. Then we use the 'xxd' program to convert that text into a binary file containing the single byte 0x00.
# echo "00" | xxd -ps -r > byte.bin
Now to get that byte written into offset 446 you use the 'dd' program.
# dd if=byte.bin of=/dev/sdb seek=446 bs=1 count=1 // reads 1 byte, 1 time, from the byte.bin file and writes it at offset 446 of the block device /dev/sdb
To do this all in one command, we can make use of pipes:
# echo "00" | xxd -ps -r | dd of=/dev/sdb seek=446 bs=1 count=1
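As an added example (not from the original post), here is a Python decoder for the 64-byte partition table described above. It builds a 512-byte MBR in memory from the table's sample values, so nothing is written to a real disk, checks the 55 AA signature and the legal boot indicator values, unpacks the packed 6-bit/10-bit CHS fields, and performs the same boot-flag clear that the dd command above does at offset 446. The 16 heads / 63 sectors-per-track geometry used to cross-check CHS against the LBA fields is my assumption; it is the geometry under which the sample values are self-consistent.

```python
import struct

# Constructed 512-byte MBR: 446 bytes of zeroed boot code, one partition entry
# built from the sample values in the table above, three empty entries, and
# the 55 AA signature. The table lists decoded field values, so the 10-bit
# ending cylinder 0x196 is stored split: low byte 0x96 at offset 07 and its
# upper two bits in bits 6-7 of offset 06 (0x40 | 0x3F = 0x7F).
SAMPLE_ENTRY = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0x7F, 0x96,
                      0x3F, 0x00, 0x00, 0x00, 0x51, 0x42, 0x06, 0x00])
SAMPLE_MBR = bytes(446) + SAMPLE_ENTRY + bytes(48) + b"\x55\xaa"
PT_OFFSET, ENTRY_LEN = 446, 16

def parse_entry(raw):
    """Decode one 16-byte partition entry; the DWORDs are little-endian."""
    (boot, s_head, s_sec, s_cyl_lo, sys_id, e_head, e_sec, e_cyl_lo,
     rel, total) = struct.unpack("<8BII", raw)
    if boot not in (0x00, 0x80):  # the only legal boot indicator values
        raise ValueError("bad boot indicator 0x%02X" % boot)
    return {
        "boot": boot, "system_id": sys_id,
        "start_head": s_head, "start_sector": s_sec & 0x3F,
        "start_cylinder": ((s_sec & 0xC0) << 2) | s_cyl_lo,
        "end_head": e_head, "end_sector": e_sec & 0x3F,
        "end_cylinder": ((e_sec & 0xC0) << 2) | e_cyl_lo,
        "relative_sector": rel, "total_sectors": total,
    }

def parse_partition_table(sector):
    """Check the 55 AA signature, then decode the four entries at offset 446."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot sector signature")
    return [parse_entry(sector[PT_OFFSET + i * ENTRY_LEN:][:ENTRY_LEN])
            for i in range(4)]

def chs_to_lba(cyl, head, sec, heads, spt):
    """CHS -> LBA for a disk geometry of `heads` heads and `spt` sectors/track."""
    return (cyl * heads + head) * spt + (sec - 1)

def clear_boot_flag(sector, index=0):
    """Copy of the sector with entry `index` marked non-bootable (0x00): the
    single-byte write the text performs with dd at offset 446."""
    patched = bytearray(sector)
    patched[PT_OFFSET + index * ENTRY_LEN] = 0x00
    return bytes(patched)

if __name__ == "__main__":
    e = parse_partition_table(SAMPLE_MBR)[0]
    print("entry 0: boot=0x%02X type=0x%02X LBA %d +%d sectors"
          % (e["boot"], e["system_id"], e["relative_sector"], e["total_sectors"]))
```

Against a real disk, `parse_partition_table(open("/dev/sdb", "rb").read(512))` (as root) lets you confirm what the entry says before and after the single-byte write.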
References/Good reading:
http://www.ntfs.com/partition-table.htm
http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/
Thursday, April 8, 2010
Using 'dd' or 'dcfldd' for disk imaging and backup
DCFLDD is an enhanced version of dd and follows the same structure when passing arguments, i.e. the keyword=value format. The commands are almost identical, so you can pretty much use the same commands with dcfldd that you use with dd, but not necessarily the other way around, as the latter has some enhancements that dd does not have. Some of dcfldd's enhancements include:
- Hashing on-the-fly - dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
- Status output - dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
- Flexible disk wipes - dcfldd can be used to wipe disks quickly and with a known pattern if desired.
- Image/wipe Verify - dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
- Multiple outputs - dcfldd can output to multiple files or disks at the same time.
- Split output - dcfldd can split output to multiple files with more configurability than the split command.
- Piped output and logs - dcfldd can send all its log data and output to commands as well as files natively.
Using dd you can create backups of an entire hard disk or just parts of it.
Hard disk copy/Backup:
# dd if=/dev/sda of=/dev/sdb
# dd if=/dev/sda of=/path/to/image
# dd if=/dev/sda | gzip > /path/to/image.gz // makes an image of the sda disk and pipes it to gzip, which compresses it into the backup image file image.gz
Restore Backup
# dd if=/path/to/image of=/dev/sda
# gzip -dc /path/to/image.gz | dd of=/dev/sda
MBR Backup
# dd if=/dev/sda of=/path/to/mbr/image count=1 bs=512
MBR Restore
# dd if=/path/to/mbr/image of=/dev/sda
add "count=1 bs=446" to exclude the partition table
More advanced commands
# dcfldd if=/dev/sda of=/path/to/image bs=4096 conv=notrunc,noerror // bs=4096 copies in 4 KiB blocks; noerror keeps going after a read error and notrunc does not truncate the output file. For a forensic image add sync (conv=notrunc,noerror,sync) so that unreadable blocks are padded with zeros and every later offset in the image stays aligned with the source disk.
make an iso image of CD
# dcfldd if=/dev/cd of=/home/mycd.iso bs=2048 conv=notrunc // CD sectors are 2048 bytes, so this copies sector for sector. The result is an image file of the CD on the hard disk. You can use "chmod a+rwx mycd.iso" to make the image writable.
make an iso image of Hard disk
# dcfldd if=/dev/hda of=/home/disk.iso bs=4096 conv=notrunc,noerror
To mount the image: # mount -o loop /path/to/image /mnt/mountpoint
In some cases you will not be able to mount the image file directly. What you need is the byte offset of the partition's first sector (not its cylinder). fdisk shows the cylinder offsets by default.
First, associate one of the loop interfaces with the image file # losetup /dev/loop0 /path/to/image
Then
# fdisk -l /dev/loop0
Disk /dev/sdb: 8036 MB, 8036285952 bytes
255 heads, 63 sectors/track, 977 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sdb1 * 1 976 7839698 b W95 FAT32
What we really want is the offset of the sector so we add the '-u' flag to fdisk
# fdisk -ul /dev/loop0
Disk /dev/sdb: 8036 MB, 8036285952 bytes
255 heads, 63 sectors/track, 977 cylinders, total 15695871 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sdb1 * 44 15679439 7839698 b W95 FAT32
We then take the start sector of the partition we want to mount, 44 in this case, and multiply it by 512, i.e. 512*44 = 22528,
then mount like this: # mount -o loop,offset=22528 /dev/loop0 /mnt/mountpoint