Monday, February 20, 2006

Formatting USB Flash Disk for VFAT filesystem

Here are the steps I took to format my USB flash disk with the VFAT filesystem. I chose this filesystem because it is supported on both Windows and Linux:

  • Unmount the USB disk (if it is still mounted):
# umount /dev/sda1
  • Format the USB disk:
# mkfs.vfat -c -n TEDI /dev/sda1
mkfs.vfat 2.10 (22 Sep 2003)
  • Check the USB disk:
# dosfsck -vV /dev/sda1
dosfsck 2.10 (22 Sep 2003)
dosfsck 2.10, 22 Sep 2003, FAT32, LFN
Checking we can access the last sector of the filesystem
Boot sector contents:
System ID "mkdosfs"
Media byte 0xf8 (hard disk)
512 bytes per logical sector
4096 bytes per cluster
1 reserved sector
First FAT starts at byte 512 (sector 1)
2 FATs, 16 bit entries
125440 bytes per FAT (= 245 sectors)
Root directory starts at byte 251392 (sector 491)
512 root directory entries
Data area starts at byte 267776 (sector 523)
62578 data clusters (256319488 bytes)
32 sectors/track, 16 heads
0 hidden sectors
501148 sectors total
Starting check/repair pass.
Checking for unused clusters.
Starting verification pass.
Checking for unused clusters.
/dev/sda1: 2 files, 0/62578 clusters
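As an added example (not part of the post), here is a Python script that builds a FAT boot sector from the values dosfsck printed above and parses it back, deriving the same FAT, root directory and data area offsets and the same cluster count. It assumes the standard BIOS Parameter Block layout for FAT12/16; the builder's defaults are the page's own numbers.

```python
import struct

# Little-endian BIOS Parameter Block of a FAT12/16 boot sector, offsets 0x00-0x23.
BPB = struct.Struct("<3s8sHBHBHHBHHHII")

def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8, reserved=1, fats=2,
                      root_entries=512, total_sectors=501148, media=0xF8,
                      sectors_per_fat=245, sectors_per_track=32, heads=16, hidden=0):
    """Construct a boot sector; the defaults are the values dosfsck printed above."""
    small = total_sectors if total_sectors < 0x10000 else 0   # 16-bit count, else 0
    large = 0 if small else total_sectors                      # 32-bit count
    sector = bytearray(bytes_per_sector)
    BPB.pack_into(sector, 0, b"\xEB\x3C\x90", b"mkdosfs ", bytes_per_sector,
                  sectors_per_cluster, reserved, fats, root_entries, small, media,
                  sectors_per_fat, sectors_per_track, heads, hidden, large)
    sector[510:512] = b"\x55\xAA"                              # boot signature
    return bytes(sector)

def parse_boot_sector(sector):
    """Decode the BPB, sanity-check it, and derive the layout figures dosfsck reports."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (_, oem, bps, spc, reserved, fats, root_entries, small, media,
     spf, spt, heads, hidden, large) = BPB.unpack_from(sector, 0)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector size or cluster size")
    total = small or large
    root_sector = reserved + fats * spf                        # FATs precede the root dir
    root_sectors = (root_entries * 32 + bps - 1) // bps        # 32-byte directory entries
    data_sector = root_sector + root_sectors
    clusters = (total - data_sector) // spc
    # The cluster count decides the FAT entry width (Microsoft FAT specification thresholds).
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    entry_bytes = {"FAT12": 1.5, "FAT16": 2, "FAT32": 4}[fat_type]
    if spf * bps < (clusters + 2) * entry_bytes:
        raise ValueError("FAT too small for the number of clusters")
    return {
        "oem": oem.decode("ascii").strip(), "media": media, "fat_type": fat_type,
        "bytes_per_cluster": bps * spc, "first_fat_byte": reserved * bps,
        "root_dir_sector": root_sector, "root_dir_byte": root_sector * bps,
        "data_sector": data_sector, "data_byte": data_sector * bps,
        "clusters": clusters, "data_bytes": clusters * bps * spc,
        "total_sectors": total, "geometry": (spt, heads, hidden),
    }
```

The same parser can be pointed at the first 512 bytes of a real device image to confirm that the on-disk geometry matches what the checker reports.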

Thursday, February 09, 2006

First Encounter with Scapy

After reading several papers and presentations in the network security field that mention Scapy, I decided to try it.

From the Scapy website:

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

What interests me:

  • Scapy is written in Python. I am quite familiar with this language; I wrote translation tools in it about 4 years ago.
  • it supports many network protocols, even WiFi (you need the Wifitap tool :D)
I downloaded the latest Scapy version from http://www.secdev.org/projects/scapy/.
The installation process is a breeze: I just put it in my working directory. BTW, Scapy needs several optional packages to work as advertised, but on my system I skipped that. :D

I just saved http://www.iana.org/assignments/ethernet-numbers as /etc/ethertypes.

You need to run scapy as root.

In this first encounter, I will try to ping another host:

>>> sr(IP(dst="192.168.198.128")/ICMP())
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
(, )

Looks good.

Next I tried to ping localhost:

# python scapy.py
INFO: did not find python gnuplot wrapper . Won't be able to plot
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump()
Welcome to Scapy (1.0.3.1beta)

>>> sr1(IP(dst="127.0.0.1")/ICMP())
Begin emission:
.Finished to send 1 packets.

Received 1 packets, got 0 answers, remaining 1 packets

It looks like there is an error, but I don't know where.

If you know what's wrong and how to fix that, please let me know.

Trying Nmap 4.00

Several days ago, I read the announcement of the Nmap 4.00 release. According to the announcement, at least 200 fixes and features were added to this version compared to Nmap 3.50. Fyodor also said this version has many performance improvements, so I couldn't resist downloading the newest version.

Last night, I installed it on my machine.

When I first tried to run it:
# nmap localhost

It complained about a DNS server problem.

Starting Nmap 4.00 ( http://www.insecure.org/nmap/) at 2006-02-02 00:06 WIT
Unable to determine any DNS servers. Try using --system_dns or specify valid servers with --dns_servers
QUITTING!
I fired up the manual page:
$ man nmap

Fortunately I didn't have to read the whole manual; my eyes caught something interesting about the -n option (Never do DNS resolution). Cha-ching.

Notes (as of Feb 8, 2006):
Last night, I checked my /etc/resolv.conf file and it looked like there was no nameserver. So I set up the nameserver and no longer needed to specify the -n option.

I ran nmap again, but this time I chose another machine as the target:
# nmap -sV -O 192.168.x.y

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-02 00:10 WIT
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.x.y are: closed
MAC Address: aa:bb:cc:dd:ee:ff
Device type: general purpose
Running: Apple Mac OS X 10.1.X, Apple Mac OS 8.X, FreeBSD 5.X|6.X
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 11.046 seconds

An interesting new feature is that you can now change some options while nmap is running (it is called runtime interaction). To see the supported keys, press "?" and it will display information like this:

Interactive keyboard commands:
? Display this information
v/V Increase/decrease verbosity
d/D Increase/decrease debugging
p/P Enable/disable packet tracing
anything else Print status
More help: http://www.insecure.org/nmap/man/man-runtime-interaction.html

I played a little bit with the verbosity level. I set it to level 5 (by pressing the "v" key 5 times):

# nmap -sV -O -P0 192.168.198.128

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-08 23:32 WIT
Verbosity Increased to 1.
Verbosity Increased to 2.
Verbosity Increased to 3.
Verbosity Increased to 4.
Verbosity Increased to 5.
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan against 192.168.198.128 [1672 ports] at 23:33
Increasing send delay for 192.168.198.128 from 0 to 5 due to max_successful_tryno increase to 4
The SYN Stealth Scan took 10.27s to scan 1672 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 192.168.198.128 appears to be up ... good.
All 1672 scanned ports on 192.168.198.128 are: closed
MAC Address: 00:0C:29:C0:60:1A (VMware)
Device type: general purpose
Running: Apple Mac OS X 10.1.X, Apple Mac OS 8.X, FreeBSD 5.X|6.X
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=4.00%P=i686-pc-linux-gnu%D=2/8%Tm=43EA1D4E%O=-1%C=1%M=000C29)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Nmap finished: 1 IP address (1 host up) scanned in 23.918 seconds
Raw packets sent: 1912 (76.8KB) | Rcvd: 1677 (77.1KB)
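As an added example (not from the post and not Nmap's own code), here is a Python parser for the fingerprint lines above, plus a check of which probe classes the fingerprint contains. It assumes the first-generation test layout, where T1-T4 answer probes sent to an open TCP port, T5-T7 probes sent to a closed TCP port, and PU a probe sent to a closed UDP port; that is why a host with every port closed yields only T5-T7 and PU, and why nmap printed the "MUCH less reliable" warning.

```python
import re

# Constructed copy of the TCP/IP fingerprint block printed above.
FINGERPRINT = """\
SInfo(V=4.00%P=i686-pc-linux-gnu%D=2/8%Tm=43EA1D4E%O=-1%C=1%M=000C29)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
"""

LINE = re.compile(r"^(\w+)\((.*)\)$")

# First-generation Nmap OS tests grouped by the kind of port they probe (assumption stated above).
NEEDS_OPEN_TCP = {"T1", "T2", "T3", "T4"}
NEEDS_CLOSED_TCP = {"T5", "T6", "T7"}
NEEDS_CLOSED_UDP = {"PU"}

def parse_fingerprint(text):
    """Turn 'Name(k=v%k=v...)' lines into {name: {key: value}}; empty values stay ''."""
    tests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unrecognised fingerprint line: %r" % line)
        name, body = m.groups()
        fields = {}
        for item in (body.split("%") if body else []):
            key, _, value = item.partition("=")   # split on the first '=' only
            fields[key] = value
        tests[name] = fields
    return tests

def probe_coverage(tests):
    """Report which probe classes are present and whether both TCP classes were collected."""
    present = set(tests)
    report = {
        "open_tcp": sorted(present & NEEDS_OPEN_TCP),
        "closed_tcp": sorted(present & NEEDS_CLOSED_TCP),
        "closed_udp": sorted(present & NEEDS_CLOSED_UDP),
    }
    # Nmap's warning fires when it lacks at least one open and one closed TCP port.
    report["reliable"] = bool(report["open_tcp"]) and bool(report["closed_tcp"])
    return report
```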

Another interesting interactive command is p (for packet tracing; it's like our old beloved tcpdump output):

# nmap -sV -O -P0 192.168.198.128

.Packet Tracing enabled
.SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:158 S ttl=41 id=53246 iplen=40 seq=1815539322 win=2048
SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:164 S ttl=43 id=44916 iplen=40 seq=1815539322 win=4096
SENT (15.9950s) TCP 192.168.198.1:52479 > 192.168.198.128:740 S ttl=58 id=19079 iplen=40 seq=1815539322 win=3072


Pressing any key other than the ones listed in the interactive keyboard commands will display the current status. Here I used the spacebar:

# nmap -sV -O -P0 192.168.198.128

System DNS resolution Timing: About 0.00% done; ETC: 20:11 (596:31:18 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (0 up), 0 undergoing ARP Ping Scan
System DNS resolution Timing: About 0.00% done; ETC: 20:11 (596:31:13 remaining)
Stats: 0:00:18 elapsed; 1 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 52.58% done; ETC: 23:40 (0:00:04 remaining)

Graffiti Generator

I found a cool site to generate graffiti online:
http://atom.smasher.org/graffiti/

It's so darn cool.

I made a graffiti for my blog site:


Fix Backspace Key Problem in vim

Problem:

On my SUSE 9.3 Professional there is a problem in vim. The backspace key only deletes new text; it doesn't delete old text, it just gives me a system beep.

So, for example, if there is already text in the file, I cannot delete it. But if I insert new text and immediately hit the backspace key, it will delete it, but only up to the beginning of the new text I have typed. If I type some new text and use the arrow keys to move around, I can no longer delete the new text using the backspace key.

I can, however, always use the delete key to delete any text, but the delete key is not able to delete a blank line.

Solution:

Just put the following in your .vimrc:

" allow backspacing over autoindent, line breaks and the start of insert
set bs=2
Source:
http://www.plug.org/pipermail/plug/2004-May/010431.html

Forensic Tools in Court

Here are several articles regarding forensic tools in court:


While reading those articles, I came across an article titled MD5 collisions and the impact on digital forensics by Eric Thompson of AccessData.

MD5 in Erlang

Last week (20 Dec 2005) there was a question on the Erlang mailing list about how to compute MD5 in Erlang.

I replied by quoting the following resource:

In addition to what Bengt has said, you may want to take a look at the following message thread. It discusses how to generate an MD5 hash like the md5sum program:

http://www.erlang.org/ml-archive/erlang-questions/200303/msg00492.html
Jing sent me his code (modified from the above code):
-module(hello).
-export([hex/1]).
-export([print_hash/0]).

%% Convert a list of bytes (or a single byte) to lowercase hex characters.
hex(L) when list(L) ->
    lists:flatten([hex(I) || I <- L]);
hex(I) when I > 16#f ->
    [hex0((I band 16#f0) bsr 4), hex0(I band 16#0f)];
hex(I) ->
    [$0, hex0(I)].

hex0(10) -> $a;
hex0(11) -> $b;
hex0(12) -> $c;
hex0(13) -> $d;
hex0(14) -> $e;
hex0(15) -> $f;
hex0(I) -> $0 + I.

print_hash() ->
    Hash = erlang:md5("hi"),                    % md5/1 returns a binary, not a list
    hexHash = hex(Hash),                        % lowercase hexHash is an atom, not a variable
    ok = io:fwrite("hi gives ~w~n", [hexHash]),
    Hash.

Unfortunately, the code didn't work.

Two days ago I had a chance to take a look at the code, and I finally figured out where the problems are:
  • the hex/1 function expects its argument to be a list
  • the md5/1 function returns a binary
To solve this I need to convert the binary to a list. Luckily there is a function for that, binary_to_list().

Another problem I spotted lies in the io:fwrite() call; I need to print the result with the string format (~s instead of ~w):
ok = io:fwrite( "hi gives ~w~n", [ hexHash] ),
Without further ado, here is the improved version of the code:
-module(test).
-export([hex/1]).
-export([print_hash/0]).

%% Convert a list of bytes (or a single byte) to lowercase hex characters.
hex(L) when is_list(L) ->
    lists:flatten([hex(I) || I <- L]);
hex(I) when I > 16#f ->
    [hex0((I band 16#f0) bsr 4), hex0(I band 16#0f)];
hex(I) ->
    [$0, hex0(I)].

hex0(10) -> $a;
hex0(11) -> $b;
hex0(12) -> $c;
hex0(13) -> $d;
hex0(14) -> $e;
hex0(15) -> $f;
hex0(I) -> $0 + I.

print_hash() ->
    %% erlang:md5/1 returns a 16-byte binary; hex/1 expects a list of bytes.
    Hash = binary_to_list(erlang:md5("hello\n")),
    HexHash = hex(Hash),
    %% ~s prints the character list as a string (~w would print a list of integers).
    ok = io:fwrite("Hello gives ~s~n", [HexHash]).
I ran the code in the Erlang shell:
tedi@suse:~/projects/src/erlang> erl
Erlang (BEAM) emulator version 5.4.10 [source] [hipe]

Eshell V5.4.10 (abort with ^G)
1> c(test).
{ok,test}
2> test:print_hash().
Hello gives b1946ac92492d2347c6235b4d2611184
ok
3>

Deferred concept: I Finally Got It

I have been struggling with the deferred concept in TwistedMatrix since last night. At that time, I read about the deferred concept in Generalization of Deferred Execution in Python. Unfortunately, I didn't get it. I couldn't do more because I was too tired, so I went to bed.

I woke up early this morning, went to the office and googled the deferred concept.

Luckily, I found a document entitled Asynchronous Programming with Twisted (yes, I linked this article in my last blog entry, but I hadn't read it yet). After tinkering with the doc for about 2 hours, I finally GOT IT. Now I "quite" understand the Deferred concept in Twisted.

Kudos to the TwistedMatrix team for writing such superb and easy-to-understand documentation.

TwistedMatrix : Foundation Theory

I got the following links regarding Twisted framework background theory from an email sent to Twisted mailing list:

Getting Acquainted with Twisted

A few nights ago, I finally managed to try Twisted. The installation process was not as hard as I expected; it was really easy. It's just that a few days ago I made a mistake: I downloaded the Twisted packages separately, and it turned out there was a required package I had not downloaded yet. So it couldn't be built.

Luckily, yesterday I learned the trick: just grab the package called TwistedSumo, which is complete..plete..plete.... It contains Twisted Core, Zope Interface, and the other Twisted modules (TwistedMail, TwistedConch, etc.). The latest version at the time I am writing this blog is 2.1.0.

The installation process is also easy:

* unpack the TwistedSumo tarball
* then install Zope Interface
* install Twisted
* install the other supporting Python modules; for example, if you want SSH and SSL support, you must install PyCrypto and PyOpenSSL.

I have already written a draft of the steps I went through to install Twisted. I just haven't had the chance to tidy it up and add more to it so it becomes longer. :D

The Twisted networking framework uses an event-driven programming approach. In this model, there is a part of the program that is called and does its job when an event occurs; that part is usually called a handler. Such events can be an initial connection, a failed connection, and the like.

From reading the book Twisted Network Programming Essentials, there are several important classes in Twisted, namely: reactor (to handle the event loop), deferred (to handle asynchronous stuff), and protocol (to handle things once a connection exists, i.e. sending and receiving data).

That's all from me for now, because that's as far as my lessons have gotten. See you. :D

Another Blog by Me

After using another blog service (www.livejournal) for about two months, I decided to move my blog to Blogger.

I find it difficult to use LiveJournal blog, and it lacks some features.

So from now on I will move my blogs at LiveJournal to Blogger.

Thank you for dropping by.