Sunday, 18 March 2012

The types of space and file system structure

  1. Slack space
Slack space refers to portions of a hard drive that are not fully used by the current allocated file and which may contain data from a previously deleted file.

 Illustration of slack space on a hard drive:

    In the example above, saving a 768 byte file (named User_File.txt) requires only sector 1 and half of sector 2 in the cluster.
Depending on the operating system, the remaining 256 bytes in sector 2 might be filled with 1s or 0s, or might simply remain intact. Sectors 3 and 4 would not be overwritten at all and are thus considered slack space.

   If the slack space previously contained data from a deleted file, this information could be recovered with forensic tools.

Additional details:
Operating systems allocate files on a hard drive using clusters, which are collections of contiguous sectors. Because a cluster is the smallest allocation unit an operating system can address, if a file does not use the full cluster, a portion of the remaining space may not be overwritten and might contain data from a previously deleted file.

For forensic analysts, it is important to understand that slack space is considered allocated space, since it is part of an allocated cluster.  As such, special tools must be used to extract and analyse slack space.  An analysis of unallocated data alone will not contain any slack space data.
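Added example (not from the original post): the illustration's numbers (512-byte sectors, a 4-sector cluster, a 768-byte file) worked through in Python, splitting the cluster into RAM slack and file slack and carving the slack bytes out of a constructed cluster image so that residue from an earlier file becomes visible.

```python
SECTOR = 512                 # bytes per sector, as implied by the illustration
SECTORS_PER_CLUSTER = 4      # the cluster in the illustration has 4 sectors
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size, sector=SECTOR, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Return ((ram_slack_off, ram_slack_len), (file_slack_off, file_slack_len)).

    RAM slack: the unused tail of the last sector the file touches (the
    "remaining 256 bytes in sector 2" in the example).  File slack: the whole
    sectors of the cluster the file never reaches (sectors 3 and 4).  Either
    part can have length 0.
    """
    cluster = sector * sectors_per_cluster
    if not 0 < file_size <= cluster:
        raise ValueError("this helper models a file that fits in one cluster")
    pad = (-file_size) % sector              # bytes up to the next sector boundary
    ram_slack = (file_size, pad)
    file_slack = (file_size + pad, cluster - file_size - pad)
    return ram_slack, file_slack


def carve_slack(cluster_image, file_size):
    """Bytes that are allocated to the file's cluster but are not part of the file."""
    (ro, rl), (fo, fl) = slack_layout(file_size, SECTOR, SECTORS_PER_CLUSTER)
    return bytes(cluster_image[ro:ro + rl]) + bytes(cluster_image[fo:fo + fl])


def demo():
    """Constructed cluster (not a real disk): a deleted file left 'OLD SECRET'
    in sector 4, then a 768-byte User_File.txt was written into sectors 1-2."""
    image = bytearray(CLUSTER)
    image[3 * SECTOR:3 * SECTOR + 10] = b"OLD SECRET"   # residue in sector 4
    image[0:768] = b"U" * 768                           # the live 768-byte file
    return carve_slack(image, 768)


if __name__ == "__main__":
    print(slack_layout(768))          # ((768, 256), (1024, 1024))
    print(b"OLD SECRET" in demo())    # True
```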

   2. Unallocated space

Unallocated space is simply defined as the area on the computer's hard drive that is available to write data to.
   Unallocated space is not viewable by the typical computer user and requires specialized computer forensic software to view and analyze. It can contain deleted files or partially deleted files. When a file is deleted, the pointers to the file are removed, but the data remains in unallocated space until the operating system stores another file in the same space, thereby overwriting the data.



A good analogy for what the content of unallocated space looks like is two boxes of paper tossed into the air and allowed to fall to the floor. The first box contains all documents written in English; the second box contains all documents written in a foreign language. Someone then collects all the paper and puts the pages into a larger box, unsorted and in no particular order. The English pages could be easily read, but the foreign-language pages could not, and all the pages would be jumbled together.


3. Magic number (programming)

A numeric value or text constant used to identify a file format or protocol.

Magic numbers in files:
Magic numbers are common in programs across many operating systems. Magic numbers implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at run-time. Many files have such constants that identify the contained data. Detecting such constants in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.

Examples:
  • Compiled Java class files (bytecode) start with hex CAFEBABE. When compressed with Pack200 the bytes are changed to CAFED00D.
  • GIF image files have the ASCII code for "GIF89a" (47 49 46 38 39 61) or "GIF87a" (47 49 46 38 37 61).
  • JPEG image files begin with FF D8 and end with FF D9. JPEG/JFIF files contain the ASCII code for "JFIF" (4A 46 49 46) as a null terminated string. JPEG/Exif files contain the ASCII code for "Exif" (45 78 69 66) also as a null terminated string, followed by more metadata about the file.
  • PNG image files begin with an 8-byte signature which identifies the file as a PNG file and allows detection of common file transfer problems: \211 P N G \r \n \032 \n (89 50 4E 47 0D 0A 1A 0A). That signature contains various newline characters to permit detecting unwarranted automated newline conversions, such as transferring the file using FTP with the ASCII transfer mode instead of the binary mode.
  • Standard MIDI music files have the ASCII code for "MThd" (4D 54 68 64) followed by more metadata.
  • Unix script files usually start with a shebang, "#!" (23 21) followed by the path to an interpreter.
  • PostScript files and programs start with "%!" (25 21).
  • PDF files start with "%PDF" (hex 25 50 44 46).
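Added example (not from the original post): a small Python signature checker built from the magic numbers listed above. Besides identifying a format from its leading bytes, it checks the FF D8 / FF D9 framing of a JPEG, pulls the interpreter path out of a shebang file, and flags a PNG whose CR LF was collapsed to LF by an ASCII-mode transfer, which is exactly the problem the 8-byte PNG signature was designed to reveal. The sample headers are constructed, not real files.

```python
# (name, leading bytes) pairs, taken from the list above
SIGNATURES = [
    ("Java class", b"\xCA\xFE\xBA\xBE"),
    ("Pack200 Java class", b"\xCA\xFE\xD0\x0D"),
    ("GIF89a", b"GIF89a"),
    ("GIF87a", b"GIF87a"),
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("JPEG", b"\xFF\xD8"),
    ("MIDI", b"MThd"),
    ("script (shebang)", b"#!"),
    ("PostScript", b"%!"),
    ("PDF", b"%PDF"),
]


def identify(data):
    """Return the first signature name whose magic matches the start of data, or None."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def jpeg_complete(data):
    """A JPEG should begin with FF D8 and end with FF D9; a truncated one does not."""
    return data.startswith(b"\xFF\xD8") and data.endswith(b"\xFF\xD9")


def png_transfer_problem(data):
    """Detect the classic damage: CR LF at bytes 4-5 turned into LF by an
    ASCII-mode transfer.  Returns 'ok', 'crlf-converted' or 'not-png'."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "ok"
    if data.startswith(b"\x89PNG\n\x1a\n"):
        return "crlf-converted"
    return "not-png"


def unix_interpreter(data):
    """For a shebang file, return the interpreter path that follows '#!'."""
    if not data.startswith(b"#!"):
        return None
    first_line = data.split(b"\n", 1)[0]
    return first_line[2:].strip().decode("ascii", "replace")


if __name__ == "__main__":
    samples = {  # constructed headers only
        "good.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "ftp.png": b"\x89PNG\n\x1a\n" + b"\x00" * 8,
        "run.sh": b"#!/bin/sh\necho hi\n",
    }
    for name, data in samples.items():
        print(name, identify(data), png_transfer_problem(data))
```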

4. File system structure

A file is a named collection of related information stored in secondary storage. A file is used to represent data or a program.
A file system is a part of a hard disk that has been allocated to contain files. That part of the hard disk is accessed by mounting the file system onto a directory. Once the file system is mounted, it looks just like any other directory to the end user.
However, due to structural differences between file systems and directories, data in these entities can be managed separately.

When the operating system is installed for the first time, it is loaded into the directory structure, as shown in the following figure.




The directories on the right (/usr, /tmp, /var and /home) hold all the system files, so a separate section of the hard disk is allocated for their use. These file systems are mounted automatically when the system starts up, so end users do not see the difference between them and the directories listed on the left (/bin, /dev, /etc and /lib).

The file tree has the following characteristics:
  • Files that can be shared by machines of the same hardware architecture are in the /usr file system.
  • Variable per-client files, for example spool and mail files, are located in the /var file system.
  • The / (root) file system contains the files and directories critical for system operation. For example, it contains
        -  the device directory (/dev)
        -  mount points where file systems can be mounted into the root file system, for example /mnt
  • The /home file system is the mount point for users' home directories.
  • For a server, the /export directory contains the paging space, the per-client (not shared) root file systems, dump and home directories, and the /usr/share directory for diskless clients, as well as the exported /usr directory.
  • The /proc file system contains information about the state of processes and threads in the system.
  • The /opt file system contains optional software, such as applications.
    

The types of files:

  • Text files: a sequence of characters that may be arranged into lines and pages.
  • Source files: a sequence of subroutines and functions, each organised as declarations followed by statements that can be executed.
  • Object files: a sequence of bytes arranged into blocks that can be understood by the linker.
  • Executable files: a collection of code sections that can be brought into memory and executed by the loader.
 Concepts of file naming and extensions:

Here I will try to discuss the structure of an MP3 file.
--------------------------------------------------------------------------------------
 MP3 files are divided into several small blocks called frames. Each frame has a constant duration of 0.026 seconds,
but the size of one frame (in bytes) varies with the bitrate: for example, at 128 kbps it is (usually) 417 bytes, and at 192 kbps 626 bytes. The first 4 bytes of each frame are the frame header and the rest is audio data.

The frame header carries information about the frame (bitrate, stereo mode, ...), so every frame is an independent item and can have its own characteristics. This is used, for example, in variable bitrate files, where each frame can have a different bitrate.

Frame headers have this structure (each letter is one bit):

AAAAAAAA AAABBCCD EEEEFFGH IIJJKLMM

Variable Bitrate (VBR):
A system created to minimise the length of the file, and also useful for maintaining sound quality.


VBR file structure:
Byte
 0-3       Mostly contains the values FF FB 30 4C, from which you can derive
           FrameLen = 156 bytes, and that is just enough space to store the
           VBR info.
           This header contains some important information applicable to the
           entire file:
           - MPEG (MPEG1 or MPEG2)
           - Sampling rate frequency index
           - CHANNEL (JointStereo etc.)

 4-x       The string "Xing" is used as the main VBR file identifier. If it is
           not found, the file should be CBR. This string can be placed at
           different locations in accordance with the values of MPEG and CHANNEL:
           36-39    "Xing" for MPEG1 and CHANNEL != mono (mostly used)
           21-24    "Xing" for MPEG1 and CHANNEL == mono
           21-24    "Xing" for MPEG2 and CHANNEL != mono
           13-16    "Xing" for MPEG2 and CHANNEL == mono
After the "Xing" string are placed the flags, the number of frames in the file and the file size in bytes. Each item has 4 bytes and is recorded as an 'int' in memory. The first byte is the most significant and the last the least significant.

The following scheme is for MPEG1 and CHANNEL = mono!
40-43     Flags
             Value         Name            Description
             00 00 00 01   Frames Flag     set if the number of frames in the file is stored
             00 00 00 02   Bytes Flag      set if the file size in bytes is stored
             00 00 00 04   TOC Flag        set if the TOC values (see below) are stored
             00 00 00 08   VBR Scale Flag  set if the VBR scale values are stored
          All these values can be stored simultaneously.

44-47     Frames
          Number of frames in the file (including the first info one)

48-51     Bytes
          File length in bytes

52-151    TOC (Table of Contents)
          Consists of 100 indexes (one byte each) for easier lookup in the file.
          Approximately solves the problem of seeking inside the file.
          Each byte has a value according to this formula:
          (TOC[i] / 256) * fileLenInBytes
          So if a song lasts e.g. 240 sec and you want to jump to the 60th sec (and the file
          is 5 000 000 bytes long) you can use:
          TOC[(60/240)*100] = TOC[25]
          and the corresponding byte in the file is then approximately at:
          (TOC[25]/256) * 5000000
If you want to trim a VBR file you should also reconstruct Frames, Bytes and TOC properly.

152-155   VBR Scale
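Added example (not from the original post): a Python parser for the Xing info frame laid out above. It reads the MPEG version and channel mode from the 4-byte header (the BB and II bits of the AAAAAAAA AAABBCCD EEEEFFGH IIJJKLMM layout), picks the "Xing" offset from the table, decodes flags, frame count, byte count, TOC and VBR scale, and applies the TOC formula to the 240-second / 5 000 000-byte seek from the text. The 156-byte frame in build_sample() is constructed, not a real file.

```python
import struct

# Offset of "Xing" for each (is MPEG1?, is mono?) combination, from the table above
XING_OFFSET = {(True, False): 36, (True, True): 21, (False, False): 21, (False, True): 13}
FRAMES_FLAG, BYTES_FLAG, TOC_FLAG, SCALE_FLAG = 1, 2, 4, 8


def decode_header(hdr):
    """MPEG version and channel mode from the frame header bits BB and II."""
    if hdr[0] != 0xFF or (hdr[1] & 0xE0) != 0xE0:
        raise ValueError("not at a frame sync")
    is_mpeg1 = ((hdr[1] >> 3) & 0b11) == 0b11      # BB: 11 = MPEG1, 10 = MPEG2
    is_mono = (hdr[3] >> 6) == 0b11                # II: 11 = mono
    return is_mpeg1, is_mono


def parse_xing(frame):
    """Return the VBR info dict, or None when no "Xing" tag is present (CBR file)."""
    off = XING_OFFSET[decode_header(frame[:4])]
    if frame[off:off + 4] != b"Xing":
        return None

    def u32(p):  # 4-byte int, most significant byte first
        return struct.unpack(">I", frame[p:p + 4])[0]

    pos = off + 4
    info = {"flags": u32(pos)}
    pos += 4
    for name, flag in (("frames", FRAMES_FLAG), ("bytes", BYTES_FLAG)):
        if info["flags"] & flag:
            info[name] = u32(pos)
            pos += 4
    if info["flags"] & TOC_FLAG:
        info["toc"] = list(frame[pos:pos + 100])
        pos += 100
    if info["flags"] & SCALE_FLAG:
        info["vbr_scale"] = u32(pos)
    return info


def seek_offset(info, seconds, duration):
    """Approximate byte offset of `seconds`: (TOC[i] / 256) * fileLenInBytes."""
    i = int(seconds / duration * 100)
    return info["toc"][i] / 256 * info["bytes"]


def build_sample():
    """Constructed info frame: header FF FB 30 4C (MPEG1, joint stereo), so "Xing"
    sits at 36-39, flags 40-43, frames 44-47, bytes 48-51, TOC 52-151, scale 152-155."""
    toc = bytes(int(i * 255 / 99) for i in range(100))       # ideal linear TOC
    body = b"Xing" + struct.pack(">III", 15, 9000, 5_000_000) + toc + struct.pack(">I", 50)
    return b"\xFF\xFB\x30\x4C" + b"\x00" * 32 + body


if __name__ == "__main__":
    info = parse_xing(build_sample())
    print(info["frames"], info["bytes"], round(seek_offset(info, 60, 240)))
```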

my reference: viaforensics.com

Thursday, 15 March 2012

Master Boot Record (MBR) and file system structure

The Master Boot Record (MBR) is the information in the first sector of each hard disk or diskette that identifies how and where an operating system is located, so that it can be booted (loaded) into the computer's main storage, or random access memory.

The Master Boot Record is also sometimes called the "partition sector" or "master partition table" because it includes a table that locates each partition the hard disk has been formatted into. In addition to this table, the MBR also includes a program that reads the boot sector record of the partition containing the operating system to be booted into RAM. In turn, that record contains a program that loads the rest of the operating system into RAM.
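Added example (not from the original post): a Python reader for the partition table the text mentions. The layout it relies on is the standard one, not stated above: 446 bytes of boot code, four 16-byte entries at offset 0x1BE, and the 55 AA signature in the last two bytes of the sector. It also checks for overlapping partitions, which a forensic analyst treats as a sign of corruption or tampering. The MBR in build_sample_mbr() is constructed, not taken from a real disk.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE            # partition table follows the 446-byte boot code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"          # bytes 510-511
# entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts; reject a sector without signature."""
    if len(sector) != MBR_SIZE or sector[510:512] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack(ENTRY_FORMAT, sector[start:start + ENTRY_SIZE])
        if ptype == 0:
            continue                                   # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def find_overlaps(entries):
    """Pairs of entry indexes whose sector ranges overlap on disk."""
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["index"]) for e in entries)
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]


def build_sample_mbr(second_start=206848):
    """Constructed MBR: zeroed boot code, a bootable type 0x07 (NTFS) partition of
    204800 sectors at LBA 2048, then a type 0x0C (FAT32 LBA) partition of 409600 sectors."""
    sector = bytearray(MBR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    sector[TABLE_OFFSET + 16:TABLE_OFFSET + 32] = struct.pack(ENTRY_FORMAT, 0x00, 0x0C, second_start, 409600)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("overlaps:", find_overlaps(parts))
```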


Structure of file systems:
  1. FAT (File Allocation Table)
    FAT or FAT16 is the name of the file system used by MS-DOS and Windows to manage file storage.
    The File Allocation Table is a data structure created by Windows when you format a volume using the FAT or FAT32 file system. Windows stores information about each file in the FAT so that it can retrieve the file at a later time.

    FAT32 is a derivative of FAT16. FAT32 supports smaller cluster sizes and larger volumes than FAT16.

    The differences between FAT16 and FAT32:
    FAT16:
    - Max file size 4 Gigabyte
    - Max number of files 268 435 437
    - Max length of file names 255
    - Max partition size 2 Gigabyte
    - Has file permissions
    FAT32:
    - Max file size 4 Gigabyte
    - Max number of files 65 517
    - Max length of file names 255
    - Max partition size 2 Terabyte
    - Has file permissions
     

  2. NTFS (New Technology File System)
    NTFS is an advanced partition system that provides performance, security, reliability and features that cannot be found in the FAT versions.
    For example:
    - NTFS guarantees volume consistency by using standard transaction logging and recovery techniques.
    - If the system fails, NTFS uses file records and checkpoint information to restore the consistency of the file system.
    - NTFS also provides features such as file and folder permissions, encryption, disk quotas, and compression.
    - Partitions can be as large as 256 terabytes, with up to 16 terabytes of data.

    In terms of security, NTFS allows permissions to be granted at the file level, so that we can control which users have access to which files.
    Security can be given at two different levels:
    1. Per user
    2. Per group: Network File System (NFS)

    NTFS is included in all Windows versions from 2000, XP and Vista. It uses 64-bit addresses and supports disk partitions up to 2^64.

  3. The second extended file system (ext2)
     The second extended file system is designed as an extensible and robust file system for Linux. It is also the most successful file system so far in the Linux community and is the basis for all currently shipping Linux distributions.

    Data structures in ext2:
    In ext2, space is divided into blocks, and the blocks are grouped into block groups, analogous to cylinder groups in the Unix file system.
    Each block group contains a copy of the superblock and the block group descriptor table, and all block groups contain a block bitmap, an inode bitmap, an inode table and finally the actual data blocks.
    The superblock contains important information that is critical to booting the system, so backup copies are created in the block groups of the file system. However, usually only the first copy, which is found in the first block of the file system, is used at boot.
    The group descriptor stores the location of the block bitmap, the inode bitmap and the beginning of the inode table for every block group, and these in turn are stored in a group descriptor table.

    Inode:
    Each file or directory is represented by an inode. This includes data on the size, permissions, ownership, and location on disk of the file or directory.
    Example ext2 inode structure:
     

    Quote from the Linux kernel documentation on ext2:
         There are pointers to the first 12 blocks which contain the file's data in the inode. There is a pointer to an indirect block (which contains pointers to the next set of blocks), a pointer to a doubly indirect block and a pointer to a trebly indirect block.

    So, there are 15 pointers in the ext2 structure, of which the first 12 are direct block pointers. Pointer number 13 points to an indirect block, number 14 to a doubly indirect block and number 15 to a trebly indirect block.
    Disadvantages of ext2:
    1. Limit of 32 768 sub-directories
    2. Cannot handle files larger than 2TB
    3. Block size is limited by the architecture
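Added example (not from the original post): the 15-pointer scheme above worked through in Python. Given a block size it tells which inode pointer (1 to 15) and which indexes through the indirect blocks lead to a file's logical block, and it computes how many blocks the pointer tree alone can address; that figure is an upper bound from the pointer layout only, separate from the 2TB limit listed above. It assumes, as ext2 does, that each block pointer is a 32-bit block number.

```python
DIRECT_POINTERS = 12     # inode pointers 1-12 address data blocks directly
POINTER_SIZE = 4         # each block pointer is a 32-bit block number


def pointers_per_block(block_size):
    return block_size // POINTER_SIZE


def locate(logical_block, block_size):
    """Map a file's logical block number to (inode pointer number 1..15,
    indexes followed in each indirect block on the way to the data block)."""
    n = pointers_per_block(block_size)
    if logical_block < DIRECT_POINTERS:
        return logical_block + 1, []             # direct pointer, no lookups
    logical_block -= DIRECT_POINTERS
    if logical_block < n:
        return 13, [logical_block]               # one lookup in the indirect block
    logical_block -= n
    if logical_block < n * n:
        return 14, [logical_block // n, logical_block % n]
    logical_block -= n * n
    if logical_block < n ** 3:
        return 15, [logical_block // (n * n), (logical_block // n) % n, logical_block % n]
    raise ValueError("beyond the reach of the 15 pointers")


def max_blocks(block_size):
    """Data blocks addressable by 12 direct + indirect + doubly + trebly indirect pointers."""
    n = pointers_per_block(block_size)
    return DIRECT_POINTERS + n + n * n + n ** 3


def max_file_bytes(block_size):
    """Upper bound from the pointer tree alone; other ext2 limits apply separately."""
    return max_blocks(block_size) * block_size


if __name__ == "__main__":
    for blk in (1024, 4096):
        print(blk, max_blocks(blk), max_file_bytes(blk) / 2 ** 30, "GiB")
    print(locate(12, 4096), locate(2000, 4096))
```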
     

  4.  The third extended file system (ext3)
    ext3, or the third extended file system, is a journaled file system used by the Linux kernel. Although its performance (speed) is less attractive than competing Linux file systems like ext4, JFS, ReiserFS and XFS, it has a significant advantage in that it allows in-place upgrades from ext2 without having to back up and restore data. Benchmarks show that ext3 also uses less CPU power than ReiserFS and XFS, and it is considered safer.

    Advantages of ext3:
    - A journaling file system, created to help protect the data in it.
    - Online file system growth
    - HTree indexing for larger directories

    Disadvantages:
    - Functionality:
    ext3 cannot be fsck-ed while the file system is mounted for writing. Trying to check a mounted file system may detect false errors where modified data has not reached the disk yet, and damage the file system in an attempt to "fix" these errors.

    - Recovery:
    There is no support for recovery of deleted files in the file system design. The ext3 driver actively wipes the inode of a deleted file for crash safety reasons.

    - Lack of snapshot support:
    ext3 does not have native support for snapshots, the ability to quickly capture the state of the file system at an arbitrary time, and instead relies on the less space-efficient volume-level snapshots provided by Linux LVM. The Next3 file system is a modified version of ext3 that offers snapshot support, but retains compatibility with the ext3 on-disk format.

    - No checksum in the journal:
    ext3 does not do checksumming when writing to the journal. If barrier=1 is enabled as a mount option (in /etc/fstab), and if the hardware is doing out-of-order write caching, one runs the risk of severe file system corruption during a crash.


     my resource: www.dewassoc.com

Monday, 05 March 2012

Damn Vulnerable Web App 'DVWA' and upload backdoor 'weevely'

        In this article I will try to give a tutorial about doing the Damn Vulnerable Web App "DVWA"
and uploading the 'weevely' backdoor.

Here the author uses sqlmap;
for those who want to read the sqlmap manual, it can be seen at


  •  The first thing to do is run apache2 and mysql
  •  Then open DVWA in your web browser


 Username : admin
 Password  : password

  • Now we set up the security level, and select high.


  •  Then select SQL Injection

  • Now open Burp suite.

  •  To get a response in Burp Suite, we have to do the proxy settings;
    for those who do not have a proxy on 8080,
 click add new proxy port and input 8080

  •  Then input as shown below
  •  Now look at Burp Suite.
 For those who want to know the usefulness of Burp Suite, just follow my steps and you will understand it yourself; but okay, I'll try to give an overview of Burp Suite

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.


  •  Now we go to sqlmap
 The usefulness of sqlmap is to perform pentesting of SQL injection in a web application; with it we can take over the database, and much more.
What SQL injection is can be viewed here:  explanation
 


 Okay, ready....
The first thing we try is to see the victim's databases


./sqlmap.py -u "url victim" --cookie "Data from the Burp suite" --dbs


 Now we get the databases
  • Now I want to get the users and passwords
by using the command: --string="Surname" --users --passwords



I chose 1


 Wait until the process is successful


yaap., beautiful., we have to get it (9 * o *) 9
Weevely backdoor:
-------------------------- 

One usefulness of a backdoor is that we can access the web server without having to use the admin login page
  • Now we try to make the backdoor

  •  To create a backdoor with Weevely, use the command : ./weevely.py generate "your_password" "place_a_backdoor/'name_backdor' "


  • I try to view the contents of the backdoor

  • Now we try to upload it



 but I failed to do so






  • I tried to remember the words of my assistants, who raised the question of chmod, and I tried to find articles about chmod.
The file and directory permission utility (chmod) sets the access permissions of a file/directory for the user, the group and other users/groups.
Permissions are divided into three kinds.

READ (r): can be read (either file or directory)
WRITE (w): can write/edit (if a file) and create a new file/directory (if a directory)
EXECUTE (x): can be executed (if a file) and entered (if a directory)

  •  The first thing I did was locate the DVWA upload directory
  • After getting the directory, I tried to do the chmod

  •  I tried to upload weevely.php again but still failed.
I then tried to create a new weevely and this time used the .jpeg format


  •  Now I try to run the backdoor that I have made,
    but failed

>.<
  •  I then tried to run it using a file directory


 I still have not been able to gain access; I have to study harder


 My video tutorial:
part 1:



Part 2: