Recent Posts

General
8 August 2011 9 Comments

An Introduction to Hard Disk Geometry

Introduction

This page describes the typical layout of a modern hard drive. You may have heard of file systems such as NTFS, FAT32 or EXT3, which are used by your operating system. Concepts like files and directories are contained in these file systems, so obviously they are very important. But a single physical hard disk can contain multiple file systems – each on a separate partition. And a hard disk that contains an operating system must contain some elements that play a role in the boot sequence.

Obviously a lot more is going on under the hood. Let’s take a look.

Anatomy of a hard disk

Hard disks have been around since the 1950s, but the design has not changed much. The general hard disk design is quite simple, consisting of only a few moving parts. In the picture above you can see:

  • Platters: Solid disks with a magnetic coating that contains the data. The platters spin at a constant rate when the hard disk is in operation, typically at 3600, 5200 or 7200 revolutions per minute (rpm).
  • Arms: The head stack assembly holds the arms that hold the read/write heads. The stack is rotated by an actuator which is not displayed in the image, causing the arms to position the heads between
Linux
20 July 2011 1 Comment

An Introduction to Using Screen on Ubuntu

Introduction

Screen is a window manager for Linux. The power of Screen is described well in this article:

The same way tabbed browsing revolutionized the web experience, GNU Screen can do the same for your experience in the command line. GNU Screen allows you to manage several interactive shell instances within the same “window.” By using different keyboard shortcuts, you are able to shuffle through the shell instances, access any of them directly, create new ones, kill old ones, attach and detach existing ones.

Instead of opening up several terminal instances on your desktop or using those ugly GNOME/KDE-based tabs, Screen can do it better and simpler. Not only that, with GNU Screen, you can share sessions with others and detach/attach terminal sessions. It is a great tool for people who have to share working environments between work and home. By adding a status bar to your screen environment, you are able to name your shell instances on the fly or via a configuration file called .screenrc that can be created in the user’s home directory.

If you are a Linux user, chances are you have been using additional Putty windows if you needed simultaneous access to more than one secure…

Windows
26 June 2011 3 Comments

Using One Network Card Exclusively for a VMWare Virtual Machine on Windows

Let’s say you have a Windows computer with one network card. You are running VMWare on this computer, and you want to have network access from your Virtual Machine(s). There are many ways to accomplish this with VMWare, e.g. NAT, but for true separation you need another hardware network card.

This article explains how to create a setup where Windows uses one network card, and VMWare uses the other.

1: Install and Configure Second Network Card

  1. Install the second network card and power on Windows. Windows will automatically install the drivers and start using the second network adapter alongside the existing one – it will request an IP for both network adapters.
  2. Configure Windows to not use the second network adapter [VMWare KB]:
To disassociate the network adapter from all protocols except the VMware Bridge protocol:
  1. In the Windows host, open the network adapter settings within Control Panel.
    • Windows XP – Click Start > Control Panel and open Network Connections.
    • Windows Vista or Windows 7 – Click Windows > Control Panel and open View network Status and Tasks > Change Adapter settings.
  2. Right-click the network adapter and click Properties.
  3. Deselect

Linux
25 June 2011 2 Comments

Layer 2 Ping – Using the arping Tool

Introduction

The arping tool for Linux is the Layer 2 equivalent of the ping command. It is used to send ARP (Address Resolution Protocol) request messages to a destination host in a Local Area Network (LAN). This is useful to test whether a particular IP address is in use and online in the network. The arping tool operates at OSI Layer 2, so it can only be used in local networks: ARP messages cannot be routed across routers or gateways. Many Linux distributions, including Backtrack, include arping by default.

When arping is run without parameters it will not do anything – except display the command line options:

$ arping
ARPing 2.09, by Thomas Habets <thomas@habets.pp.se>
usage: arping [ -0aAbdDeFpqrRuv ] [ -w <us> ] [ -S <host/ip> ]
 [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
 [ -i <interface> ] <host/ip/MAC | -B>
For complete usage info, use --help or check the manpage.

Arping with an IP Address Argument

Now let’s see arping in action by supplying it with an IP address to probe. This is the most common way to use arping. Say we want to send…

Networking
24 June 2011 0 Comments

The ICMP Protocol for IPv4 Explained

In this post we discuss the Internet Control Message Protocol (ICMP), one of the core protocols of the TCP/IP suite [Wikipedia] [RFC 792]. Many common networking utilities are based on ICMP, including tracert and ping.

ICMP messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes. ICMP errors are always reported to the original source IP address of the originating datagram. The protocol is implemented by both hosts and routers, albeit in different ways.

A version of ICMP for IPv6 exists: ICMPv6. The scope of this article is limited to ICMP for IPv4 (ICMPv4).

ICMP Packet Structure

Each ICMP message is encapsulated directly within a single IP datagram, and thus, like UDP, ICMP is unreliable. The structure of ICMP packets is displayed below:

Header Fields

The Type and Code fields are the first two fields in the header of the ICMP packet. Together these fields designate the meaning of the packet.

Type/Code Fields

The most common combinations of Type and Code are displayed below.

As can be seen in the table, an ICMP message can either be an error message or a query message. Query messages are two-way: when an ICMP request …

Networking
22 June 2011 1 Comment

The DNS Protocol Explained

The DNS Protocol

The Domain Name System protocol translates domain names into IP addresses (Wikibooks page). When a client wants to open a webpage at www.google.com, a query is sent to a DNS server (a.k.a. name server) to fetch the corresponding IP address. The IP returned by the name server is used to contact the Google web server – the server that hosts the actual website contents. In this post we explain the DNS protocol and the packets involved.

Usually, a client will know the IP address of one or more DNS servers after the DHCP boot process is completed. In order to resolve a hostname, a DNS query packet is sent. All DNS traffic between clients and name servers is encapsulated in UDP, and name servers always run on UDP port 53.

DNS Packet Structure

The structure of DNS packets looks like this:

The flags field (16 bits) has the following structure:

    a) The first (0th) bit indicates query (0) or response (1).
    b) The next three bits (1-4) indicate ‘Standard Query (0)’,
       ‘Inverse Query (1)’ and ‘Server Status Request (2)’.
    c) The 5th bit field indicates an Authoritative Answer: the
       name server is authoritative for the domain in the
       question section.
    d) The 6th bit field is set if 

Networking
21 June 2011 6 Comments

The DHCP Protocol for IPv4 Explained

Introduction

The Dynamic Host Configuration Protocol (DHCP) is an automatic configuration protocol used on IP networks [RFC 2131]. A major advantage is that it eliminates the need to manually assign each host a static IP address. Hosts can ‘ask’ to join a network and they will be assigned an IP, and provided with additional information such as the subnet mask and gateway IP.

There are two versions of DHCP, one for IPv4 and one for IPv6. While both versions bear the same name and perform much the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they can be considered separate protocols. In this article we explain the DHCP for IPv4 protocol and its packets.

How It Works

A client initially knows nothing about the network it is joining, so it needs to contact the DHCP server to request an IP address and receive other network information such as the subnet mask and the address of the DNS server. However, the MAC and IP address of the DHCP server are initially unknown to the client as well. So how can the new client contact the DHCP server if it doesn’t know its location?

To solve this bootstrap problem the DHCP protocol uses special broadcast…

Linux
21 June 2011 1 Comment

Linux: Showing Open Ports and the Processes that Own Them

How do you list the open TCP and UDP ports on your server and the processes that own them? The answer is to use either the netstat or the lsof command:

netstat

$ sudo netstat -lptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      3825/vsftpd
tcp        0      0 *:ssh                   *:*                     LISTEN      3539/sshd
tcp        0      0 localhost:6600          *:*                     LISTEN      3922/mpd
tcp        0      0 localhost:mysql         *:*                     LISTEN      30004/mysqld
tcp        0      0 *:svn                   *:*                     LISTEN      3810/svnserve
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      3539/sshd
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN      3805/smbd
tcp6       0      0 localhost:6600          [::]:*                  LISTEN      3922/mpd
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN      3805/smbd
tcp6       0      0 [::]:www               

Networking
20 June 2011 2 Comments

Wireshark Filters for Ethernet Multicast and Broadcast

On the Ethernet level, multicast traffic (and broadcast, which is just a special case of multicast) can be recognized by the least significant bit of the most significant byte of the MAC address. If this bit is set to 1, then the Ethernet frame is multicast traffic, otherwise it is unicast.

Display Filter for Excluding Broadcast/Multicast Traffic

!(eth.dst[0] & 1)

A display filter is used for packet filtering while viewing captured traffic.

Capture Filter for Excluding Broadcast/Multicast Traffic

not broadcast and not multicast

Wireshark capture filters are specified before capturing commences, and use the same syntax as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library. Capture filters can exclude traffic from being captured at all.…

Security
20 June 2011 9 Comments

Man-In-The-Middle Attacks With Ettercap

Introduction

This post explains how to execute a man-in-the-middle attack on Linux. Only the actual attack is described here. The mechanisms of ARP poisoning and man-in-the-middle attacks are explained in a different post.

A man-in-the-middle attack can be achieved in various ways, but MITM through ARP poisoning is a common method.

In this post we demonstrate a MITM with the Ettercap tool. Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN, and pretty much the Swiss army knife of ARP poisoning. Every security researcher should include it in his toolbox, and it is included in the Backtrack Linux distribution. Ettercap features a pretty nice GUI, but in this post we only use the text mode.

Command Syntax

The ettercap program has the following syntax:

ettercap [OPTIONS] [TARGET1] [TARGET2]

The targets can be IPs and MACs, and specific TCP and UDP ports can also be targeted. A simple description of the TARGET1 and TARGET2 syntax is given below. Read the target specification section on the man page for details.

TARGET is in the form MAC/IPs/PORTs.

If you omit any of the parts, it means a wildcard is used for that part.

Examples:
//80         means ANY