Wednesday, April 14, 2010

Up and running with Adito (Openvpn ALS) VPN solution

Just recently I've had the opportunity to install the VPN server software Adito, now known as OpenVPN ALS, and I find this piece of software to be very impressive. Adito is what is known as a clientless system, which means that no additional client software needs to be installed to connect to the server (any web browser is the client). It is based on SSL-Explorer, a once open-source project that used SSL to establish its VPN tunnels. Adito works similarly, with SSL at the very core of its VPN system. The project is written in Java, making it quite universal in the sense that it can be installed on Windows, Linux or a Mac. Because it works over HTTPS you can access your files securely from almost anywhere.

Installing on a Linux system:
(System used: BackTrack 4)

NOTE: The following steps were taken from http://jaredheinrichs.com/how-to-install-adito-on-ubuntu-linux.html

# sudo apt-get install default-jre icedtea6-plugin openjdk-6-jdk // if this doesn't work, you can try the sun-java6-bin, sun-java6-jdk, sun-java6-plugin and sun-java6-jre packages instead
# sudo apt-get install ant
# sudo wget http://superb-east.dl.sourceforge.net/sourceforge/adito/adito-0.9.1-bin.tar.gz // this link might be broken, so you may need to find the updated download path
# sudo mv adito-0.9.1-bin.tar.gz /opt/
# cd /opt
# sudo tar -zxvf adito-0.9.1-bin.tar.gz
# cd adito-0.9.1
# sudo ant install

This should start up the webserver on port 28080 on localhost.

Open Browser on your local machine and go to: http://127.0.0.1:28080

Create New Certificate

Step 1 – Set Keystore Passphrase – Type password twice for Cert
Step 2 – Create New Certificate – Fill out Form
Step 3 – Configure User Database – Built-in
Step 4 – Configure Super User – Fill out Form
Step 5 – Configure Web Server – Leave defaults
Step 6 – Configure Proxies – Leave blank unless you use proxy – Hit Next
Step 7 – Summary

Install Complete
Go Back to the Ubuntu CLI (Command line interface)
# sudo ant install-service // this sets up the system so you can manage it from /etc/init.d with the usual start|stop|restart commands
# sudo ant start

For installing on windows, please see: http://lars.werner.no/?page_id=153

NOTE: When using BackTrack 4 to connect to the VPN server, I ran into issues with the Java runtime not being initialized in Firefox. This may be the case with other Linux distros as well. To get this working I needed to create a symbolic link to the Java runtime plugin file in my hidden "/root/.mozilla/plugins" directory (in other cases it would be in the user's home directory). The plugins directory might not be there, as Mozilla probably doesn't have any plugins installed yet, so I went ahead and created that directory.

# cd /home/user_dir/.mozilla
# mkdir plugins
# ln -s /usr/lib/jvm/java-6-sun-1.6.0.10/jre/plugin/i386/ns7/libjavaplugin_oji.so

or, if the above doesn't work:

# cd /usr/lib/firefox-dir/plugins
# ln -s /usr/lib/jvm/java-6-sun-1.6.0.10/jre/plugin/i386/ns7/libjavaplugin_oji.so

Restart Firefox and all should be well

Resources / Good Reading:
http://jaredheinrichs.com/how-to-install-adito-on-ubuntu-linux.html
http://sourceforge.net/projects/openvpn-als/
http://www.sohoadvisers.com/tutorials/adito-ssl-vpn/installing-adito-ssl-vpn
http://lars.werner.no/?page_id=153

Monday, April 12, 2010

Image partitions with the linux tool Partimage

Just recently I was looking at some alternative partition cloning software to the one I frequently use, DriveImageXML. Not that there was anything wrong with DriveImageXML, I just was looking for a Linux alternative. Little did I know, built into BackTrack 4 was a piece of software called partimage which accomplishes pretty much what I want. As in my recent posts on dd, one disadvantage of dd is that it backs up an entire partition, not just the used space. So if you have a 10 gig partition and only 2 gigs are used, dd would produce a 10 gig exact copy of the partition. Partimage, however, only backs up the used portion of the partition, saving you time and space.

To launch/use partimage:
# partimage

This launches an ncurses-based user interface which is far from complicated, and the options don't really need much explanation.

For more info on its usage, see www.psychocats.net/ubuntu/partimage or www.partimage.org

Sunday, April 11, 2010

Hexedit a hard disk

I'm gonna be simply changing a flag within the boot sector that identifies the system (or boot) partition. This will serve to illustrate the basic principles behind low-level hard disk analysis and editing, which are common in digital forensics.

The boot sector is the first 512 bytes on a hard disk: 446 bytes of bootloader code, a 64-byte partition table, and a two-byte signature word at the end of the sector that is always hex 55 AA. The partition table contains the entries for the primary and extended partitions; each entry is 16 bytes long, giving a maximum of 4 entries.

The following table describes each field of a partition table entry. The sample values correspond to the information for partition 1 (taken from http://www.ntfs.com/partition-table.htm).

Partition Table Fields

Byte Offset | Field Length | Sample Value | Meaning
00          | BYTE         | 0x80         | Boot Indicator. Indicates whether the partition is the system partition. Legal values are: 00 = Do not use for booting; 80 = System partition.
01          | BYTE         | 0x01         | Starting Head.
02          | 6 bits       | 0x01         | Starting Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Starting Cylinder field.
03          | 10 bits      | 0x00         | Starting Cylinder. This field contains the lower 8 bits of the cylinder value. Starting cylinder is thus a 10-bit number, with a maximum value of 1023.
04          | BYTE         | 0x06         | System ID. This byte defines the volume type. In Windows NT, it also indicates that a partition is part of a volume that requires the use of the HKEY_LOCAL_MACHINE\SYSTEM\DISK Registry subkey.
05          | BYTE         | 0x0F         | Ending Head.
06          | 6 bits       | 0x3F         | Ending Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Ending Cylinder field.
07          | 10 bits      | 0x196        | Ending Cylinder. This field contains the lower 8 bits of the cylinder value. Ending cylinder is thus a 10-bit number, with a maximum value of 1023.
08          | DWORD        | 3F 00 00 00  | Relative Sector.
12          | DWORD        | 51 42 06 00  | Total Sectors.


First we identify the partition table.
# xxd -l 64 -s +446 /dev/sdb // skips to byte offset 446 and dumps the next 64 bytes, which are the partition table

Now, according to the partition table fields, the first byte (of each 16-byte entry) is the boot indicator. When the BIOS passes control to the boot sector, the code within the first 446 bytes looks at the partition table and identifies the boot/system partition (legal values are hex 80 or 00: 00 = do not use for booting, 80 = system partition). We are gonna change this system partition flag to 00, which marks the partition as non-bootable.

So the bootloader code is 446 bytes in length (offsets 0-445). The next 64 bytes are the partition table, consisting of up to 4 entries (16 bytes x 4). The first byte of each entry indicates whether it is the system partition or not. If there was only one partition, then the first entry (the 16 bytes starting at offset 446) would contain values, whilst the rest of the entries would be all zeros.

To change the boot indicator (system partition flag) of the first partition entry, we want to put the hexadecimal value 00 at byte offset 446. First we produce a simple text stream containing only the value 00 (with echo). Then we use the 'xxd' program in reverse mode to convert that text into a binary file containing only the single byte 0x00.

# echo "00" | xxd -ps -r > byte.bin

Now to get that byte written into offset 446 you use the 'dd' program.
# dd if=byte.bin of=/dev/sdb seek=446 bs=1 count=1 // reads and writes 1 byte, once, from byte.bin to offset 446 of the block device /dev/sdb

To do this all in one command, we can make use of pipes:
# echo "00" | xxd -ps -r | dd of=/dev/sdb seek=446 bs=1 count=1
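As an added example (not from the original post), the following Python decodes a partition table exactly as the fields above describe and flips the boot indicator of one entry in memory, the same single byte at offset 446 that the dd command above writes to the disk. The 16-byte entry is constructed from the table's sample column (raw byte 6 is 0x7F: 0x3F for the ending sector plus bits 6-7 = 01, the upper bits of the 0x196 ending cylinder); the resulting byte offset is also what mount -o loop,offset= expects.

```python
import struct

# Constructed 512-byte boot sector: empty bootloader area, one entry built from the
# sample values in the table above, three unused (all-zero) entries, and the 55 AA
# signature word in the last two bytes.
SAMPLE_ENTRY = bytes.fromhex("80 01 01 00 06 0F 7F 96 3F 00 00 00 51 42 06 00")
SAMPLE_MBR = bytes(446) + SAMPLE_ENTRY + bytes(16 * 3) + b"\x55\xAA"
SECTOR = 512

def parse_entry(raw):
    """Decode one 16-byte entry; CHS tuples are (cylinder, head, sector)."""
    fields = struct.unpack("<8B2I", raw)   # 8 single bytes, then 2 little-endian DWORDs
    boot, s_head, s_sec, s_cyl, sysid, e_head, e_sec, e_cyl, lba, total = fields
    return {
        "bootable": boot == 0x80,                                         # byte 0
        "start_chs": ((s_sec >> 6) << 8 | s_cyl, s_head, s_sec & 0x3F),   # bits 6-7 of byte 2 extend byte 3
        "end_chs": ((e_sec >> 6) << 8 | e_cyl, e_head, e_sec & 0x3F),     # same for bytes 6 and 7
        "system_id": sysid,                                               # byte 4: volume type
        "relative_sector": lba,                                           # bytes 8-11
        "total_sectors": total,                                           # bytes 12-15
    }

def parse_mbr(sector):
    """Return the non-empty entries of the partition table at offset 446 of a boot sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: wrong length or missing 55 AA signature")
    table = sector[446:510]
    return [parse_entry(table[i:i + 16]) for i in range(0, 64, 16) if any(table[i:i + 16])]

def set_boot_flag(sector, index, bootable):
    """Copy of the sector with entry `index` marked (un)bootable: the in-memory analog
    of writing a single byte at offset 446 + 16*index with dd."""
    patched = bytearray(sector)
    patched[446 + 16 * index] = 0x80 if bootable else 0x00
    return bytes(patched)

def mount_offset(entry):
    """Byte offset of the partition's first sector (the value for mount -o loop,offset=)."""
    return entry["relative_sector"] * SECTOR

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print(e, "mount offset:", mount_offset(e))
    print(parse_mbr(set_boot_flag(SAMPLE_MBR, 0, False))[0]["bootable"])  # False
```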

References/Good reading:
http://www.ntfs.com/partition-table.htm
http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/

Thursday, April 8, 2010

Using 'dd' or 'dcfldd' for disk imaging and backup

dd is a venerable Unix utility that still excels in the disk imaging and cloning categories of tools. Being command-line based, it reads from standard input and writes to standard output, which lets you use pipes for advanced processing and for transferring images over the network.

dcfldd is an enhanced version of dd and follows the same structure when passing arguments, i.e. the keyword=value format. The commands are almost identical, so you can pretty much use the same commands with dcfldd that you use with dd, but not necessarily the other way around, as the latter has some enhancements that dd does not have. Some of dcfldd's enhancements include:
  • Hashing on-the-fly - dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
  • Status output - dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
  • Flexible disk wipes - dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Image/wipe Verify - dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
  • Multiple outputs - dcfldd can output to multiple files or disks at the same time.
  • Split output - dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs - dcfldd can send all its log data and output to commands as well as files natively.
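The hashing-on-the-fly and verify features listed above are easiest to understand from a tiny implementation. This Python, added here and not part of dcfldd or the original post, streams a constructed "disk" file into an image in bs-sized blocks while hashing it (what dcfldd's hash= option does), then compares image and source bit for bit (what vf= does) and reports where they first differ.

```python
import hashlib
import os
import tempfile

def image_with_hash(src, dst, bs=4096, algo="sha256"):
    """Copy src to dst in bs-sized blocks (like dd's bs=), hashing every block as it
    streams past, so the digest costs no second read of the source. Returns the hex digest."""
    h = hashlib.new(algo)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(bs)
            if not block:
                break
            h.update(block)
            fout.write(block)
    return h.hexdigest()

def verify_image(src, dst, bs=4096):
    """Bit-for-bit comparison in bs-sized blocks.
    Returns (True, None) on a match or (False, byte offset of the first difference)."""
    offset = 0
    with open(src, "rb") as a, open(dst, "rb") as b:
        while True:
            x, y = a.read(bs), b.read(bs)
            if x != y:
                n = min(len(x), len(y))
                first = next((k for k in range(n) if x[k] != y[k]), n)  # n if one file is shorter
                return False, offset + first
            if not x:
                return True, None
            offset += len(x)

def demo():
    """Constructed run in a temporary directory: image a 12 KiB 'disk' file, verify it,
    corrupt one byte of the image and verify again. Returns the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        disk, image = os.path.join(tmp, "disk.raw"), os.path.join(tmp, "disk.img")
        data = bytes(range(256)) * 48            # constructed sample disk contents
        with open(disk, "wb") as f:
            f.write(data)
        digest = image_with_hash(disk, image)
        before = verify_image(disk, image)
        with open(image, "r+b") as f:             # damage the image: one byte at offset 5000
            f.seek(5000)
            f.write(b"\xFF")
        after = verify_image(disk, image)
        return {"digest": digest, "expected": hashlib.sha256(data).hexdigest(),
                "before": before, "after": after}

if __name__ == "__main__":
    print(demo())
```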

Using dd you can create backups of an entire hard disk or just parts of it.
Hard disk copy/backup:
# dd if=/dev/sda of=/dev/sdb
# dd if=/dev/sda of=/path/to/image
# dd if=/dev/sda | gzip > /path/to/image.gz // makes an image of the sda disk and pipes it to gzip, producing the compressed backup image file image.gz

Restore Backup
# dd if=/path/to/image of=/dev/sda
# gzip -dc /path/to/image.gz | dd of=/dev/sda

MBR Backup
# dd if=/dev/sda of=/path/to/mbr/image count=1 bs=512

MBR Restore
# dd if=/path/to/mbr/image of=/dev/sda
add "count=1 bs=446" to restore only the bootloader code and exclude the partition table

More advanced commands
# dcfldd if=/dev/sda of=/path/to/image bs=4096 conv=notrunc,noerror // 4096-byte blocks; noerror keeps going past read errors instead of aborting (pair it with sync to pad unreadable blocks so offsets in the image stay aligned), notrunc does not truncate the output file

make an iso image of CD
# dcfldd if=/dev/cd of=/home/mycd.iso bs=2048 conv=notrunc // CD sectors are 2048 bytes so this copies sector to sector.
The result will be an image file of the CD. You can use "chmod a+rwx mycd.iso" to make the image writable.

make an iso image of Hard disk
# dcfldd if=/dev/hda of=/home/disk.iso bs=4096 conv=notrunc,noerror

To mount the image: # mount -o loop /path/to/image /mnt/mountpoint

In some cases you will not be able to mount the image file directly. What you need to do is determine the offset of the partition's first sector (not the cylinder). You can get the cylinder offsets using fdisk.

First, associate one of the loop devices with the image file: # losetup /dev/loop0 /path/to/image

Then
# fdisk -l /dev/loop0
Disk /dev/sdb: 8036 MB, 8036285952 bytes
255 heads, 63 sectors/track, 977 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 976 7839698 b W95 FAT32

What we really want is the offset in sectors, so we add the '-u' flag to fdisk:
# fdisk -ul /dev/loop0
Disk /dev/sdb: 8036 MB, 8036285952 bytes
255 heads, 63 sectors/track, 977 cylinders, total 15695871 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdb1 * 44 15679439 7839698 b W95 FAT32

We then take the start sector of the partition we want to mount (44 in this case) and multiply it by 512, i.e. 512*44 = 22528.

Then mount like this: # mount -o loop,offset=22528 /dev/loop0 /mnt/mountpoint