Sunday, July 29, 2012

Ubuntu for Minimalists

Ubuntu gets a lot of flak for being stuffed with things you don't need.  In fact, it goes beyond that.  The Advanced Packaging Tool, or "apt", likes to stuff a variety of useless dependencies down your throat.

As it turns out there's a way around both of those problems.  Canonical has a minimal install ISO that grabs all the packages from the web.  By default after the installation you will be left with a command line interface and nothing more.  You have the option to install various packages during the install, but it's not required.  This version of the install can also be useful because there's no need to update after the install has finished.  Everything will already be the latest version.

Now onto the next problem.  How can you get the Advanced Packaging Tool (apt) to only install what you ask?  Simple.  Create a "/etc/apt/apt.conf" file and put the following two lines in it:


APT::Install-Recommends "0";
APT::Install-Suggests "0";

Once the file is created you won't be installing more than you need.  The one downside is that some extra knowledge may be required to install certain packages the way you want.  For example, the gvfs package isn't automatically installed when installing xfce4, yet gvfs is required for various functions in xfce4 such as the trash.  For a slightly less minimal, but slightly more user friendly experience you can get rid of the "APT::Install-Suggests "0";" line you created.

Monday, June 4, 2012

Linux Partitioning Guide

Introduction
This seems to be a popular topic among people new to Linux, and why wouldn't it be?  Partitioning your hard drive is one of the first things you have to do when you install Linux.
I'm making this guide because, over the past couple of months, I've seen a couple of subpar guides on the subject.  Hopefully those that need this information most will find my guide useful.  If anyone has any suggestions for what I could add or change, please let me know in the comments.


Brief Overview of Some Commonly Used File System Types
(note: When talking about file systems, journaling refers to a file system's ability to keep a log (the journal) of the changes it is about to make to files.  Journaling can prevent data from becoming corrupted when the system is turned off in the middle of a file transfer.  As an added bonus, file systems that support journaling can perform file system checks much faster.)


FAT32 - This is a non-journaling file system, mainly used for compatibility with Microsoft systems.  This file system is often recommended for thumb drives as it won't read and write as much data as NTFS.

NTFS - This file system supports journaling as well as other features such as file permissions.  It is probably what you use for your Windows partition.

EXT2 - This is a non-journaling Linux file system.  Just like FAT32, it's often recommended for thumb drives due to the fact that it won't read and write as much data as other file systems.  The maximum file size and partition size, however, are much larger than those of FAT32.  Files can be as large as 2 TB as opposed to FAT32's limit of 4 GB, and partitions can be up to 32 TB as opposed to FAT32's limit of 8 TB.

EXT3 - Journaling Linux file system that allows in-place upgrades from EXT2, uses less CPU than XFS, and is also considered stable and well tested.

EXT4 - Journaling Linux file system with improved performance over EXT3, and more features.

XFS - Offers stability and advanced journaling features.  This file system cannot be shrunk, and it yields poor performance when performing certain tasks such as deleting a large number of files.  It was created by Silicon Graphics, and is often used on large servers.

Swap Area
Linux will occasionally write pages of data from RAM to the swap area to free up memory.  It's generally said that you should use one and a half times the amount of RAM in your system as the size of your swap area.  If you aren't doing much with your system, you have a decent amount of RAM (4 GB+), and you don't plan on hibernating your computer, you barely even need a swap area.  Some people just opt not to use swap these days.  The amount you use is generally just preference.

Devices
In Linux, hard drives are generally referred to as /dev/sdX, where X is the letter of the drive.  The first drive is a (/dev/sda), the second drive is b (/dev/sdb), and so on.  IDE drives were at one point referred to as /dev/hdX, but recent kernels use /dev/sdX for those as well.

Boot Loader
The boot loader (the program that starts the operating system when you turn on your computer, e.g. GRUB) should be installed on the MBR of the primary hard drive (not to be confused with a primary partition).
You should make sure the partition you install the GRUB files to is marked as bootable.  If you don't make a separate boot partition, this will be the root partition.  Many distros will do this for you, but if you're using something where you need to do the partitioning manually and separately from the install, such as Slackware or Gentoo, keep that in mind.

Partition Types
Primary - There's room for four primary partitions on a hard drive, unless you want an extended partition, in which case you're allowed three primary partitions.  Windows will only boot from primary partitions, but you can use logical partitions for Linux if you wish.

Extended - An extended partition is broken up into logical partitions.  To bypass the limit of 4 partitions per hard drive you can make an extended partition and break it up into as many logical partitions as you desire.

Partitioning Example Using Xubuntu Linux
I've put together a set of screenshots to demonstrate how to manually partition your drive during the Xubuntu Linux install.

First we're going to select "Something else" on the installation menu.  You should get a screen like this with any Ubuntu variant, and most likely something similar with other Linux distros.

For the sake of this demonstration I've created an NTFS partition that takes up the entire hard drive.  Let's say this NTFS partition represents a Windows install we want to keep on the computer.  First click on /dev/sda1 (or whatever partition your Windows install is located on) and then select "Change" on the menu.

Since this is a dummy install and I don't really need it, I'm going to make it one gig.  Change the box to whatever size you want your Windows partition to be, keeping in mind that you might want some extra space left over.  You should also back up any important data on the partition in case anything goes wrong with the resize.  Click on OK to continue partitioning the drive.

At this point the installation will warn you that you're about to resize the partition and anything you've done up to this point will be finalized.  Click on continue to proceed.

You will now notice you can select free space under the first partition.  Click on "Add" to create a partition in the space we freed up.

The first partition we're going to make is the swap area.  Type in the size of the partition in megabytes and then select swap area from the "Use as:" menu and click OK.

Now that we've created some swap space we're going to add the partition where the operating system will be located.

This time select enough space for the main operating system.  You could either fill up the entire hard drive, or leave room for more partitions.  In this example I made it 5 gigs which fits the minimum requirement for Xubuntu.  You will most likely want more than that.  In the box "Mount point:" put a forward slash.  This indicates that it will be for the root file system.  The root file system contains everything not otherwise specified.  At this point you could also change the file system type of this partition, but the default choice of EXT4 is probably what you want anyway.

Now that we've set up the root partition, and we still have some space left, let's make a home partition to store user settings and files.  Having a dedicated home partition makes reinstalling, upgrading, or installing new distributions a breeze.

For this last partition I'm going to keep the default file system Ext4 once again.  Since I'm using the rest of the drive I'm not going to enter a new size, but I will type in /home under mount point.  At this point I click OK and I'm almost done.

Before hitting install make sure that the boot loader is pointed to go on the correct drive (whichever one the computer boots from) by selecting it on the menu on the bottom of the window.  Double check everything and you're good to press install and continue the installation.

Conclusion
If you need to partition things and resize partitions manually, without using an installer, the easiest way to do so is with a program called GParted.  You can open GParted from the command line on the Xubuntu live CD by typing "sudo gparted".  Depending on what distro you use, you may need to install it first.  It's pretty self explanatory.

If you've made it this far you should have a pretty clear understanding of how to partition a drive.  If you would like to learn how to partition from the command line, I suggest looking into parted.  Unfortunately you can't resize NTFS with parted alone, but there are other programs out there to do so, such as ntfsresize.


Saturday, June 2, 2012

WEP and WPA Cracking made easy

Disclaimer: This article is for educational purposes.  Do not attempt the following on hardware you do not own.


Before we begin it's important to make sure that you have everything you need.  For the sake of this tutorial I will be using a live Backtrack 5 USB drive, a WiFi card compatible with aircrack-ng, two computers (although you can get away with just using one), and of course a wireless router.

Backtrack can be downloaded for free at http://www.backtrack-linux.org/

A list of compatible cards can be found here.  If you're going to need a new card I would recommend this one:
Alfa AWUS036NHR - High-Gain 2000mw 2W 802.11 B/G/N Wireless USB Network Adaptor - Wireless-N 802.11n Wi-Fi - 150Mbps - 2.4 GHz - 5dBi Antenna - Long Range - Realtek Chipset - Strongest on the Market - NEWEST VERSION

It should work out of the box with Backtrack Linux.


Step 1 - Finding the name of your wireless interface
This step is easy enough.  Type "airmon-ng" without the quotes into the terminal to find the interface name of your wireless card.

In this example the interface is wlan0.  Your interface could very well be something different.  Write down the name of the interface and keep it for reference.

Step 2 - Start your interface in monitor mode
The next step is to put the wireless card into monitor mode.  In the last step we determined what the name of our wireless interface was.  Type the following into the terminal, without quotes, where (interface) is the name of your interface.  "airmon-ng start (interface)"

You might as well kill any processes that airmon-ng detects may cause trouble.  Killing the processes is easy enough.  Keep in mind that the PID will be different every time.  In the screen shot below, 2836, and 2884 are the processes we want to kill.  Just type "kill (pid)" into the terminal, without quotes, for each PID.  Of course replacing (pid) with the number provided.

Step 3 - Find the access point and its BSSID
For this step type the following into your trusty terminal, once again keeping in mind to replace (interface) with the correct name: "airodump-ng (interface)"

If you've followed all the previous instructions correctly, you should now have the following pop up:

The top column of BSSIDs corresponds to access points.  The station column on the bottom contains MAC addresses that correspond to the clients connected to the access points.  In this example there is a WEP network by the name of "vulnerable".  This is what I will be cracking.  To stop airodump-ng you can press Control-C (the information will still be on the screen, and you can copy and paste from it easily).

If you are cracking WEP, just take note of the BSSID of the access point and the channel it's on (the CH column specifies the channel).  If you are cracking WPA, take note of the BSSID of the access point, the channel it's on (once again, the CH column specifies the channel), as well as the MAC address of any clients connected to it.  If the network you want to crack is WPA you can skip down to the WPA section now; otherwise continue reading for WEP cracking.


WEP Specific Section

Step 4 - Dump packets into file
Now that you have the necessary information, type the following into the terminal without the quotes: "airodump-ng -c (channel) -w (file name of your choice) --bssid (bssid) (interface)"

You should now be capturing data.  When the "#Data" count goes above 10000 you're generally good to go, though sometimes it takes a lot more.  The count will rise depending on how much network traffic there is.  If someone on the network jumps on YouTube, for example, you should have more than enough data in a very short period of time.  If there isn't much network traffic you'll have to either wait, or use a method to get around it, which I won't be covering in this tutorial.

Once the data has reached a sufficient amount it's time to crack it.  This will be the last step.  You're almost done.

Step 5 - Crack the Key
The final step is cracking the key.  Type the following into the terminal without the quotes: "aircrack-ng -b (bssid) (file name from before)*.cap"


If you're successful you should get something that looks like this:


If it doesn't find the key right away, don't get discouraged, just wait for it to collect more data and try again.

WPA Specific Section

Step 4 - Start Dumping Data to File
This step is actually exactly the same as it is in the WEP section, except this time we're looking for the WPA handshake.  Type the following into the terminal without the quotes: "airodump-ng -c (channel) -w (file name of your choice) --bssid (bssid) (interface)"

We're looking for a WPA Handshake.  When we capture it, it will show up in the upper right corner.  It will appear whenever a client connects to the access point.  If there is a client currently connected you can send a deauth packet to knock it offline and generally have it reconnect.  

Open up a new terminal and don't touch the one capturing data. For this one you might want to run airodump-ng, close it with control-c, and then copy and paste the correct information into the command.

The deauth command is as follows without the quotes: "aireplay-ng -0 1 -a (BSSID) -c (mac address of client) (interface)"

In this command the -0 specifies the deauthentication, and the 1 is the amount of times to perform it.

You should now have the handshake.  Go back to the terminal that's collecting data.  If everything went as planned the upper right should now say "WPA handshake".  You can close out of that, and it's time to crack the passphrase.

WPA isn't quite as easy to crack.  You can use a word list, or a program like John the Ripper to brute force the handshake.  In this example I'm using a word list that comes with Backtrack 5.  There are plenty of word lists out there, and a lot of them are going to be better than this one.  Nevertheless, it will do here.

Type the following into a terminal "aircrack-ng -w (wordlist) -b (bssid) (file name from before)*.cap"  I believe the word list can be found in multiple places, but in this example I used "/rofs/pentest/wireless/aircrack-ng/test/password.lst".

If you are successful you should see something that looks like this:

If you're not so lucky you need either another word list or you need to use John the Ripper.  Assuming that your dump is in /root/ (it should be if you followed this tutorial exactly), to use John the Ripper do the following:

Change the directory to /pentest/passwords/john/ by issuing the command "cd /pentest/passwords/john" without the quotes.    From there type in the command "./john --incremental --stdout | aircrack-ng -b (bssid) -w - /root/(file)*.cap" without the quotes, and then wait for what might be an eternity for it to find the correct key.

Thursday, May 5, 2011

Learning the Linux Terminal

This blog entry will cover some basic Linux commands to get you started in the terminal.  Commands are in no particular order.  Note: Some of these commands can vary depending on the distro.  They are all just binary files.  I made this a while ago, pretty much just for fun, and I wanted to see if I could be of some help. I'm not sure it was everything I wanted it to be at the time.  For a more comprehensive list of commands try this website.

Helpful Tip: Most commands come with a help text. To access it you generally type in the command followed by --help, or -h. This will list some more advanced features of the commands, most of which I won't be covering here.

history - View commands previously typed in.

pwd - Which stands for present working directory will tell you where you are located on the system.

cd - If you type cd followed by a directory you can switch to that directory.

ls - Which stands for list will list all the contents of the current directory. If you would like to view some extra info, such as the permissions, use "ls -l". If you would like to include hidden files type "ls -a". You can use both at the same time if you like by typing "ls -la".

rm - Which stands for remove can delete files. Common options are "rm -r", the r standing for recursive, which deletes directories. "rm -f", the f standing for force will delete files without prompting various warnings.

cp - Which stands for copy will copy a file.

mv - Which stands for move will move a file.

chmod - Which stands for change mode, will change the permissions of a file. A value of 1 grants permission to execute, a value of 2 grants permission to write, and a value of 4 grants permission to read. You enter the sum of these values three times, once each for the owner, the group, and all other users, in that order. The command "chmod 777 [file]" will let everyone read, write, and execute the file. A directory must have the execute permission in order to be opened.
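As an added example (not from the original post), here is a small POSIX shell script that turns the permission string shown by "ls -l" into the octal number chmod expects, and back again, using the 4/2/1 values above; the "ls -l" line it parses is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: convert between the
# symbolic permissions "ls -l" prints and the octal digits chmod takes.
# Owner, group and others are handled in that order, like the three digits.

# One triplet such as "r-x" becomes one digit (here 4 + 1 = 5).
triplet_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# "rwxr-x---" -> "750"
symbolic_to_octal() {
    o=$(triplet_to_digit "$(printf '%s' "$1" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s' "$1" | cut -c4-6)")
    u=$(triplet_to_digit "$(printf '%s' "$1" | cut -c7-9)")
    echo "$o$g$u"
}

# "750" -> "rwxr-x---"  (each digit is split back into its 4/2/1 bits)
octal_to_symbolic() {
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        if [ $((digit & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((digit & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((digit & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# Take a whole "ls -l" line, drop the leading file-type character
# (d for directory, - for a regular file) and print the octal mode.
mode_from_ls_line() {
    first=$(printf '%s\n' "$1" | awk '{print $1}')
    symbolic_to_octal "$(printf '%s' "$first" | cut -c2-10)"
}

# Exit status 0 when the given class (owner, group or others) can open
# a directory with this mode: a directory needs its x bit for that.
dir_openable_by() {
    case "$1" in
        owner)  digit=$(printf '%s' "$2" | cut -c1) ;;
        group)  digit=$(printf '%s' "$2" | cut -c2) ;;
        others) digit=$(printf '%s' "$2" | cut -c3) ;;
        *) return 2 ;;
    esac
    [ $((digit & 1)) -ne 0 ]
}

# Constructed sample "ls -l" line for the demo (not real output).
SAMPLE_LS_LINE='drwxr-x--- 2 alice users 4096 May  5 2011 private'
```

Run with a line of your own "ls -l" output to see the mode of an existing file, or with "mode_from_ls_line "$SAMPLE_LS_LINE"" (prints 750) to try the sample.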

adduser - Add a user.

groupadd - Add a group.

groupdel - Delete a group.

chgrp - Change the group of a specific file. Every file and directory has an owner and a group. To view these type "ls -l".

usermod - Which stands for user modification can do a variety of things. If you want to add a user to a group, without changing the other groups the user is in type "usermod -G [group] -a [user]".

df - Will list the filesystems and tell you how much disk space you have left in them.

du - Will list all the files on the disk and tell you how much space they take up.

ifconfig - Will list network interfaces.  You are given IP addresses, MAC addresses and the like so you can check on everything.

mount - Will tell you what's mounted.  You can also use this to mount drives.  For example "mount /dev/sda1 /mnt/drive" will mount the sda1 partition in the directory /mnt/drive.

fdisk - You can tell fdisk which device you would like to partition by typing in its name, e.g. "fdisk /dev/sda", or you can have it list all of the devices by typing "fdisk -l".

Helpful tip:
You can use some commands together with a pipe. "|" is a pipe.

less - Is a command which will let you view the output of a command that might be too long to scroll through on the terminal. Or, if you're not able to scroll through your terminal at all, you can with this program. If you type "history | less" you will be able to scroll through the history of the commands you typed.

grep - This command will narrow the output down to the lines that contain a specific string. It's kind of like the find feature. Let's say you want to look through your history to find every time you used the cp command. You could do this by typing "history | grep cp".

echo - Will output something to the screen. I will give an example of why this is useful down below.

Helpful tip:
If you want to write the output of a command to a file use > filename. For example, if you wanted to save your history to a file named history you could type "history > history". If you wanted to first label this as your history you could type "echo "history:" > history && history >> history". The two greater-than signs will append data to the file and won't delete what's already in there, while just one greater-than sign will overwrite what's in there.

Added by request:

man - You can use this command to read the manual of a command.  Similar to typing --help.  This goes into more detail than help.

Helpful tip:
If you don't remember an exact command, but you remember the start of it, you can often press tab and have it auto-complete.  The same thing applies if you don't want to type in a long file name.  You start to type it in and then press tab and it will auto-complete.

Thursday, March 10, 2011

What's an ARP poisoning attack, and how can you protect yourself from it?

In the world of hacking, and more specifically script kiddies, there's something known as an ARP poisoning attack.  ARP stands for Address Resolution Protocol.  This protocol is responsible for matching an IP address to a MAC address.

So what's an ARP poisoning attack, you ask?  In a nutshell, an ARP poisoning attack is when a computer running special software, connected to a network, pretends to be the router.  It also pretends to be the other computers connected to the network.  What does this mean?  It means all of the traffic going over the network runs through the computer running this software.  This could be bad for a number of reasons.

Reasons this could be bad:

1.  A person running this software could use it in combination with a packet sniffer.  This means all the unencrypted stuff you're sending and receiving could be viewed by the wannabe hacker.  This could include AIM conversations, FTP passwords, Facebook pages, etc...

2.  A person running this software could spoof security certificates.  What does this mean for you?  You could be signing into your encrypted e-mail and have your password stolen.  Generally you will get a dialog that explains the certificate can't be verified, but you can't always rely on this.  I'll explain further how to protect yourself in a second.

3.  A person running this software could spoof DNS.  What does this mean for you?  You could be redirected to an inappropriate website in a very bad place to view it.  Or maybe you get tricked into installing a Trojan on what's normally a safe website.  Such a thing could give a script kiddie full access to your computer.

Now that I've explained a bit about what an ARP poisoning attack is, I will explain some ways to protect yourself.

If you use a wireless router at home it should always be protected with the best encryption.  Use a long passphrase.  Never use WEP encryption as it's practically useless.  This should be enough to protect yourself at home.

Unsecured public wifi is the riskiest kind to be on.  The absolute best way to protect yourself in this situation is to set up an SSH tunnel to send all of your traffic through a remote box.  SSH is encrypted, and by tunneling all of your traffic through it, you will be keeping your information private.  To do this you can issue the following command (assuming you're running Linux with ssh capabilities):

ssh -f user@server.com -L 3000:server.com:25 -N

Fill in the user and server information accordingly.  This forwards connections to port 3000 on your computer, through the encrypted SSH session, to port 25 on the remote server you have set up.  You can replace the ports with whatever suits your needs.  Just make sure your programs are set up to go through the correct port.

If you don't set up an SSH server to tunnel your traffic through, there are still some steps you can take to protect yourself.  You can install a nice script blocker like NoScript (a plug-in for Firefox).  With NoScript you won't have any surprise Java drive-by Trojan scripts pop up and try to get you to run them.  This can be a good thing regardless of whether you're on an unprotected/untrustworthy network or not.

Look for dialogs warning about unverified security certificates.  This is commonplace on the Internet, as you generally need to pay money to verify a certificate, but it could also be a sign of an attack.
The last thing you can do is just use common sense.  Companies generally won't ask you to re-verify your password, or credit card, or what have you.  You've probably heard this enough, but I thought I might add it because apparently some people still get fooled by phishing schemes.
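As an added example (not part of the original post), this POSIX shell script checks a Linux ARP table for the symptom the attack described above leaves behind: one MAC address answering for the router and for other hosts at the same time. The table and the known-good gateway MAC are constructed for the demo; on a real machine you would feed it the contents of /proc/net/arp.

```shell
#!/bin/sh
# Added example, not part of the original post: a defender-side check of
# the local ARP table.  A poisoner pretending to be the router ends up with
# its own MAC listed against the gateway's IP as well as its own, so one
# MAC showing up for several IPs is the thing to look for.

# Constructed sample in /proc/net/arp format.  Here the attacker at
# 192.168.1.20 (MAC ...:02) has taken over the gateway entry 192.168.1.1.
# On a real box replace this with "$(cat /proc/net/arp)".
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:02     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:02     *        wlan0
192.168.1.30     0x1         0x2         aa:bb:cc:dd:ee:03     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0'

# The gateway MAC you wrote down on a day the network was known to be
# clean (constructed value for the demo).
KNOWN_GOOD_GATEWAY_MAC='aa:bb:cc:dd:ee:01'

# Print "<mac> <ip,ip,...>" for every MAC that answers for more than one IP.
# The header line and incomplete entries (all-zero MAC) are skipped.
duplicate_macs() {
    printf '%s\n' "$1" | awk '
        NR > 1 && length($4) == 17 && $4 != "00:00:00:00:00:00" {
            ips[$4] = (ips[$4] == "") ? $1 : (ips[$4] "," $1)
            seen[$4]++
        }
        END { for (m in seen) if (seen[m] > 1) print m, ips[m] }' | sort
}

# Print the MAC currently recorded for one IP (normally your gateway).
mac_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" 'NR > 1 && $1 == ip { print $4 }'
}

# Exit status 0 when the gateway still has the MAC you noted earlier.
gateway_unchanged() {
    [ "$(mac_for_ip "$1" "$2")" = "$3" ]
}

# Exit status 0 when no MAC is claimed by more than one IP.
arp_table_looks_clean() {
    [ -z "$(duplicate_macs "$1")" ]
}
```

A hit is a reason to investigate rather than proof: a host that legitimately holds several IP addresses on one interface will also show one MAC for several IPs, which is why the comparison against a known-good gateway MAC is the more reliable of the two checks.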