A number of free and open-source tools are available for WLAN site surveys, such as Kismet and inSSIDer for Home. This post will introduce the features of these two tools.
First, inSSIDer for Home is a free-to-use Wi-Fi discovery tool for Windows, available from http://www.metageek.net/
Running the tool (v188.8.131.52) at home gave me the following details about the Wi-Fi network I tested:
- Listed the SSIDs of all WLANs in my area based on their signal strength
- The channel(s) each WLAN uses: mine was channel 1
- Security protocols used: mine was WPA2-Personal
- MAC addresses
- IEEE 802.11 protocols: mostly ‘n’, but some ‘g’ networks appeared as well
- Signal: between -29 and -35 dBm
- Overlapping networks: 2 networks
- Co-channel: 9 networks
- Band: 2.4 GHz networks
inSSIDer also allows sorting and filtering by SSID, vendor, channel, signal, security protocol and 802.11 protocol, and it provides a visual view of the networks occupying the spectrum.
- Channels: there are 11 channels in the 2.4 GHz band, of which channels 1, 6 and 11 do not overlap with each other. In this case, using channel 1 was appropriate, as it did not overlap with any strong signal in the neighbourhood.
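The co-channel and overlapping counts that inSSIDer reports, and the choice of a non-overlapping channel, follow from the 2.4 GHz channel plan (5 MHz spacing, 22 MHz wide channels). The following is an added example, not code from the post or from MetaGeek: it computes both counts for a constructed survey list and picks the least crowded of channels 1, 6 and 11. The survey entries, the `Network` tuple and the function names are assumptions made for the demo.

```python
from typing import NamedTuple


class Network(NamedTuple):
    ssid: str
    channel: int
    rssi_dbm: int


# Constructed survey for the demo, not the post's own inSSIDer capture.
SURVEY = [
    Network("MyNet", 1, -30),
    Network("Nbr-A", 1, -70),
    Network("Nbr-B", 6, -65),
    Network("Nbr-C", 3, -80),
    Network("Nbr-D", 11, -55),
    Network("Nbr-E", 11, -72),
    Network("Nbr-F", 9, -60),
]

# 802.11b DSSS channel width; with 5 MHz spacing this makes 1, 6 and 11 the non-overlapping set.
CHANNEL_WIDTH_MHZ = 22


def channel_center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (channel 14 is the one irregular entry)."""
    if not 1 <= channel <= 14:
        raise ValueError(f"not a 2.4 GHz channel: {channel}")
    return 2484 if channel == 14 else 2407 + 5 * channel


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels' spectra overlap (centres closer than one channel width)."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < CHANNEL_WIDTH_MHZ


def interference(survey, ssid):
    """(co-channel, overlapping) neighbour counts for one network, as inSSIDer reports them."""
    me = next(n for n in survey if n.ssid == ssid)
    others = [n for n in survey if n.ssid != ssid]
    co_channel = sum(1 for n in others if n.channel == me.channel)
    overlapping = sum(
        1 for n in others
        if n.channel != me.channel and channels_overlap(n.channel, me.channel)
    )
    return co_channel, overlapping


def best_channel(survey, ssid, candidates=(1, 6, 11)):
    """Least crowded non-overlapping channel: fewest neighbours in its spectrum,
    ties broken in favour of the channel whose loudest neighbour is weakest."""
    others = [n for n in survey if n.ssid != ssid]

    def score(channel):
        nearby = [n.rssi_dbm for n in others if channels_overlap(n.channel, channel)]
        return (len(nearby), max(nearby, default=-100))

    return min(candidates, key=score)


if __name__ == "__main__":
    print("MyNet co-channel/overlapping:", interference(SURVEY, "MyNet"))
    print("recommended channel:", best_channel(SURVEY, "MyNet"))
```

The score deliberately counts every network whose spectrum touches the candidate channel, not only those on the same number: a neighbour on channel 3 degrades channel 1 just as a co-channel one does, which is why the post's 1/6/11 rule matters.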
Linux distributions such as Fedora do not include Microsoft's TrueType fonts (TTFs) by default. To get them, have a look at the resources and guidelines available from the following SourceForge project: http://corefonts.sourceforge.net/
First, the Microsoft TTF package includes the following font families:
- Andale Mono
- Arial Black/Arial (Bold, Italic, Bold Italic)
- Comic Sans MS (Bold)
- Courier New (Bold, Italic, Bold Italic)
- Georgia (Bold, Italic, Bold Italic)
- Times New Roman (Bold, Italic, Bold Italic)
- Trebuchet (Bold, Italic, Bold Italic)
- Verdana (Bold, Italic, Bold Italic)
Second, follow these steps to add the fonts:
- Make sure the following packages are installed:
yum install rpm-build cabextract ttmkfdir
- Download the latest msttcorefonts spec from http://corefonts.sourceforge.net and build an RPM file:
cd /tmp
wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec
rpmbuild -ba msttcorefonts-2.5-1.spec
- The RPM file will be stored in /root/rpmbuild/RPMS/noarch/; install it using:
rpm -ivh /root/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm
Third, restart your system for the fonts to take effect. I used gnome-tweak-tool to change my default fonts to Arial and Times New Roman.
Finally, Fedora’s fonts directory is /usr/share/fonts, where the newly added fonts can now be found. Any TTF file can be added directly to a (new) folder under this path; Google Fonts (http://www.google.com/fonts) is a very good resource for these. After adding a new TTF file, refresh the font cache with fc-cache -v and enjoy!
In this post I will demonstrate iperf on Linux, a tool for measuring TCP and UDP throughput between two hosts on a LAN. The objective is to briefly introduce iperf with snapshots of a live system rather than to produce extensive test results and network analysis.
I used Red Hat-based Linux machines (Fedora and CentOS). iperf, like other tools such as netperf, is not part of the official repositories, but it is part of RepoForge (previously known as RPMforge), which, if installed, adds many other packages.
To install RepoForge, go to the official website http://repoforge.org and download the release package suitable for your machine. In my case, for example, this was rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm, which can be installed using the following command:
rpm -ivh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
Now we can install iperf using yum.
Classless Inter-Domain Routing (CIDR) allocates address space on any bit boundary, instead of on the 8-bit boundaries of classful addressing. The following example demonstrates how to determine the possible networks, IP range and subnet mask from a CIDR notation.
Consider the following CIDR notation: 184.108.40.206/26. From it we can determine the following:
- Subnet Mask
A CIDR notation is constructed from an IP address and a prefix size, which is the number of leading 1 bits in the subnet mask. In the notation above, the number of 1 bits in the mask is 26, so in binary the mask is 11111111.11111111.11111111.11000000.
Converting each octet to decimal gives the subnet mask 255.255.255.192.
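The mask, network address, broadcast address and host range all fall out of the same bit arithmetic, so here is an added example (not code from the post) that performs the whole calculation for any IPv4 CIDR string and cross-checks it against Python's standard `ipaddress` module. The function names are mine; the "subnets in classful block" figure is one reading of the post's "possible networks" (the number of blocks of this prefix length inside the address's class A/B/C network) and is labelled as such.

```python
import ipaddress


def _dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _binary(value: int) -> str:
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def classful_prefix(first_octet: int):
    """Prefix length of the classful block the address belongs to (A=/8, B=/16, C=/24); None for D/E."""
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None


def parse_cidr(cidr: str) -> dict:
    """Derive mask, network, broadcast and host range from 'a.b.c.d/n' with plain bit operations."""
    ip_str, _, prefix_str = cidr.partition("/")
    prefix = int(prefix_str)
    octets = [int(o) for o in ip_str.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets) or not 0 <= prefix <= 32:
        raise ValueError(f"bad CIDR notation: {cidr}")

    ip = int.from_bytes(bytes(octets), "big")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # 'prefix' leading 1 bits
    network = ip & mask                                 # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits set
    size = 1 << (32 - prefix)
    # /31 (point-to-point) and /32 (single host) have no separate network/broadcast addresses.
    reserved = 0 if prefix >= 31 else 1
    usable = size - 2 * reserved

    class_prefix = classful_prefix(octets[0])
    subnets = None if class_prefix is None else 1 << max(prefix - class_prefix, 0)

    return {
        "prefix": prefix,
        "mask": _dotted(mask),
        "mask_binary": _binary(mask),
        "network": _dotted(network),
        "broadcast": _dotted(broadcast),
        "first_host": _dotted(network + reserved),
        "last_host": _dotted(broadcast - reserved),
        "block_size": size,
        "usable_hosts": usable,
        "subnets_in_classful_block": subnets,   # assumption: one reading of "possible networks"
    }


def cross_check(cidr: str) -> bool:
    """Compare the hand-rolled result with the standard library (strict=False accepts a host address)."""
    net = ipaddress.ip_network(cidr, strict=False)
    ours = parse_cidr(cidr)
    return (ours["mask"], ours["network"], ours["broadcast"]) == (
        str(net.netmask), str(net.network_address), str(net.broadcast_address)
    )


if __name__ == "__main__":
    for key, value in parse_cidr("184.108.40.206/26").items():
        print(f"{key:>26}: {value}")
```

The network address is simply the given address ANDed with the mask, which is why a host address such as 184.108.40.206/26 and its network address 184.108.40.192/26 describe the same block; `ipaddress.ip_network` only accepts the former with `strict=False`.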
The Volatility Framework is an advanced memory forensics framework. This post aims to introduce it with a number of examples. The framework supports RAM dumps from 32- and 64-bit Windows, Linux, Mac and Android systems.
My demonstration takes place on a Windows machine, so I downloaded the standalone executable, which comes packaged with Python and all required dependencies, from:
https://www.volatilesystems.com/default/volatility (new address: https://code.google.com/p/volatility/)
To organise my work environment, I created a folder called ‘volatility’ in my standard Downloads folder and moved the standalone executable into it; in my case its name was volatility-2.1.standalone.exe.
P.S. The standalone executable is portable and can be run from removable media, e.g. a USB stick.
To use it, let us first list all available options and included plugins. This needs to be done from the Windows Command Prompt.
This is demonstrated in the following figure.
Netcat (nc) is critical for many tasks you may attempt over a network. It can use either TCP or UDP to establish a connection, letting you send files to another computer, pipe the output of a program over the network, scan for ports or just chat!
This article will demonstrate Netcat through a number of practical examples using a Linux box (BackTrack) and a Windows XP machine. While nc ships with BackTrack, you will need to search for and download the right version for your Windows machine, or just use another Linux box. On my Windows machine, all I need is the nc.exe file; I moved it to C:\WINDOWS so that the Command Prompt finds it easily. For these examples, note that the IP of my Windows XP machine is 192.168.7.131 and that of BT is 192.168.7.133.
- Chat over the network! I used the following command to put my Windows machine in listen mode (option -l for listen) on port 2222 (-p for port). I also used -v to display information about the connection (v for verbose; you may add another v, as in -vv).
nc -lvp 2222
To connect from the other machine, type:
nc 192.168.7.131 2222
Whatever you type now, on either machine, will show on both, as in the following figure.
Volatile memory (or volatile storage) is computer memory whose contents are maintained while the power is on and lost every time the power supply is turned off or interrupted. Random Access Memory (RAM) is the traditional example of volatile memory. It allows fast CPU read/write access to data compared to non-volatile memory such as HDDs, where data originally reside. Hence, data are always moved from non-volatile memory to volatile memory for processing.
Computer volatile memory is acquired for different purposes. For instance, Windows can be configured to dump it to a file called Memory.DMP as part of a recovery procedure in the case of system failure (e.g. a BSoD). In computer forensics, however, volatile memory is acquired as evidence to be analysed.
This article will demonstrate a number of automated tools used for the acquisition of volatile memory on Windows and Linux systems. Some tools capture memory in full, while others require a process ID (PID) to acquire a memory dump of an identified process. In Linux, PIDs can be listed using ‘ps -af’. If the list is long, it can be combined with grep. For example, you can locate the Firefox process using the following (note that the grep command itself will also appear in the output):
root@bt:~# ps -af | grep firefox
In Windows, this can be done with the Task Manager or the ‘tasklist’ command.
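Piping `ps -af` through grep has two practical wrinkles when you are picking a PID to dump: the grep line itself matches, and helper processes (Firefox's plugin container, for instance) match the name without being the process you meant. The following is an added example, not code from the post: it parses a constructed `ps -af` listing, skips the grep line, distinguishes an exact program-name match from a substring match, and lists the children of a PID so that a process and its helpers can be acquired together. The sample output and function names are mine.

```python
import os

# Constructed sample of `ps -af` output (columns: UID PID PPID C STIME TTY TIME CMD).
# It is not captured from the post's machine.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      1021     1  0 09:12 ?        00:00:00 /usr/sbin/sshd -D
root      1987  1950  0 09:30 pts/0    00:00:00 bash
root      2230  1987  0 09:40 pts/0    00:00:07 /usr/lib/firefox/firefox
root      2251  2230  0 09:40 pts/0    00:00:01 /usr/lib/firefox/plugin-container 2230
root      2402  1987  0 09:45 pts/0    00:00:00 grep firefox
"""


def parse_ps(output: str) -> list:
    """Turn `ps -af` text into dicts; CMD is kept whole because it may contain spaces."""
    rows = []
    for line in output.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue   # header line or blank line
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = fields
        rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return rows


def find_pids(output: str, name: str, exact: bool = True) -> list:
    """PIDs whose program is `name` (exact basename match) or whose command line contains it."""
    hits = []
    for row in parse_ps(output):
        argv = row["cmd"].split()
        if argv and os.path.basename(argv[0]) == "grep" and name in argv[1:]:
            continue   # the grep that searched for the name, which `ps -af | grep name` also lists
        program = os.path.basename(argv[0]) if argv else ""
        matched = program == name if exact else name in row["cmd"]
        if matched:
            hits.append(row["pid"])
    return hits


def children(output: str, pid: int) -> list:
    """Direct child PIDs of a process, useful when a program spawns helper processes."""
    return [row["pid"] for row in parse_ps(output) if row["ppid"] == pid]


if __name__ == "__main__":
    for pid in find_pids(PS_OUTPUT, "firefox"):
        print(pid, "children:", children(PS_OUTPUT, pid))
```

On a live system the same parsing can be applied to `subprocess.run(["ps", "-af"], capture_output=True, text=True).stdout`; the parser is kept separate from that call so it can be tested against a fixed listing.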
This blog is powered by WordPress, as indicated in the footer of these pages, and I of course take regular backups. Hence, I found it suitable to create this small post to highlight a few simple but important issues to consider when backing up WordPress using the famous phpMyAdmin.
- Empty your SPAM folder. If you also have a SPAM problem (and I think you do) and rely on some sort of SPAM and trackback filtering technology such as Akismet (which is what I use), make sure you empty your spam folder. This wouldn’t affect the size of your backup file much if you have few SPAM messages, but the last time I checked there were over 4000 SPAM messages sent to my blog! I cannot be happy to have these in my backup file.
- Consider deleting revisions. Revisions are copies of your WordPress posts: each time you edit a post and save your work, a new version of the post is saved along with the older one. While it is possible to turn this feature off, I personally prefer to keep it and simply run the following SQL command before I take full backups to delete all of them:
DELETE FROM wp_posts WHERE post_type = "revision";
- Optimize your tables. Deleting rows will not refresh information such as table sizes. Optimizing your tables would also improve the efficiency of data retrieval and processing. You can either do that by ticking all your WordPress DB tables in phpMyAdmin and selecting Optimize from the drop-down box at the bottom, or you might choose to optimize a single table at a time using an SQL command such as:
OPTIMIZE TABLE wp_posts;
Each time I follow this simple procedure I significantly reduce the size of my backup file. For the sake of this post, I compared the result before and after performing these steps and saw that my SQL backup file was reduced from 32 MB to only about 3 MB! (Yes, my blog isn’t that big.)
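The point that deleting rows does not by itself shrink the storage, and that an optimize pass does, can be reproduced without a MySQL server. The following is an added example, not code from the post: it builds a constructed stand-in for the wp_posts table in SQLite, runs the same DELETE on revisions, and measures page usage before the delete, after it (the freed pages sit on SQLite's freelist) and after VACUUM, which is SQLite's counterpart to MySQL's OPTIMIZE TABLE. The table layout is a small subset of the real wp_posts schema, and the row counts and filler content are assumptions for the demo. Note that the post's DELETE uses double quotes around the string, which MySQL accepts; SQLite prefers single quotes, used here.

```python
import os
import sqlite3
import tempfile


def build_sample_db(path: str, posts: int = 20, revisions_per_post: int = 25) -> None:
    """Create a constructed wp_posts with one 'post' row and many 'revision' rows per post."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_parent INTEGER, "
        "post_type TEXT, post_content TEXT)"
    )
    body = "lorem ipsum " * 200          # ~2.4 KB per row so the table spans many pages
    for _ in range(posts):
        cur = con.execute("INSERT INTO wp_posts VALUES (NULL, 0, 'post', ?)", (body,))
        parent = cur.lastrowid
        for _ in range(revisions_per_post):
            con.execute("INSERT INTO wp_posts VALUES (NULL, ?, 'revision', ?)", (parent, body))
    con.commit()
    con.close()


def page_count(con: sqlite3.Connection) -> int:
    return con.execute("PRAGMA page_count").fetchone()[0]


def prune_revisions(path: str) -> dict:
    """Delete revisions, then reclaim space; return the measurements taken at each step."""
    con = sqlite3.connect(path)
    pages_before = page_count(con)

    # The post's step: drop every revision row (irreversible, hence done right before a backup).
    deleted = con.execute("DELETE FROM wp_posts WHERE post_type = 'revision'").rowcount
    con.commit()
    pages_after_delete = page_count(con)                       # file has not shrunk yet
    freelist = con.execute("PRAGMA freelist_count").fetchone()[0]   # freed pages awaiting reuse

    con.execute("VACUUM")                                      # rebuild the file without the holes
    pages_after_optimize = page_count(con)
    remaining = con.execute("SELECT COUNT(*) FROM wp_posts").fetchone()[0]
    con.close()
    return {
        "deleted": deleted,
        "remaining": remaining,
        "pages_before": pages_before,
        "pages_after_delete": pages_after_delete,
        "freelist_after_delete": freelist,
        "pages_after_optimize": pages_after_optimize,
    }


def demo() -> dict:
    """Run the whole procedure on a throwaway database file and report sizes in bytes too."""
    path = os.path.join(tempfile.mkdtemp(), "wordpress.db")
    build_sample_db(path)
    bytes_before = os.path.getsize(path)
    result = prune_revisions(path)
    result["bytes_before"] = bytes_before
    result["bytes_after"] = os.path.getsize(path)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

A SQL dump only contains live rows, so the backup shrinks as soon as the revisions are gone; the optimize step matters for the database files on disk and for the size statistics phpMyAdmin shows.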
A solution for the ‘VMware Authorization Service is not running’ alert message, which you might get while trying to power on a virtual machine in VMware Workstation.
Assuming that your installation is not damaged and the problem is simply that the service has stopped, you can restart it without rebooting your computer.
First, confirm that the service is included and ticked in the Services tab of msconfig:
- Start –> Run (or Windows+R)
- type msconfig
- click the Services tab
- locate ‘VMware Authorization Service’
(P.S. you may tick ‘Hide all Microsoft services’ to shorten the list)
If you find the service ticked but its status is Stopped, restart it with the following steps:
- Start –> Run (or Windows+R)
- type services.msc
- locate the ‘VMware Authorization Service’
- right-click and select Start
You should be able to Power On your VMware machines now!
A previous post analysed the Master Boot Record using a hex editor to extract information about the different partitions on a hard disk drive (HDD). This article will demonstrate a number of automated tools that extract detailed information. The tools are fdisk, mmls, fsstat and fls.
They are pre-installed in BackTrack, but if you are using a different Linux flavour such as Fedora, you need to install The Sleuth Kit (TSK) command-line tools. In Fedora you can search for TSK using yum!
Ideally, this kind of investigation occurs on an image of the HDD. However, the objective of this article is to present these tools, not to demonstrate a professional computer forensic procedure.
For the test, I booted one of my computers with BackTrack from a USB stick and searched for the connected HDDs, as in the following figure.
In Linux, storage devices (and partitions) are located within the /dev directory. Naming takes place based on the following logic:
- /dev/hda: the first (master) PATA/IDE hard drive
- /dev/hdb: the second (slave) PATA/IDE hard drive
- /dev/hda1: partition 1 of the first (master) PATA/IDE hard drive
- /dev/sda: the first (master) SATA/SCSI hard drive
- /dev/sdb: the second (slave) SATA/SCSI hard drive
- /dev/sda3: partition 3 of the first (master) SATA/SCSI hard drive
As such, I searched for hda* and sda* to locate the HDDs, which revealed 3 partitions on the main disk and a single partition on the second one (the USB stick I booted from).
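The naming scheme in the list above generalises to any disk letter and partition number, and a forensic examiner usually wants the device nodes grouped by disk before pointing mmls or fls at them. The following is an added example, not code from the post or from The Sleuth Kit: it decodes hd*/sd* names and groups partition nodes under their disk, mirroring the result described above (three partitions on sda, one on sdb). Two details beyond the post's list are worth knowing: "master/slave" is an IDE cable position, so the code reports it only for hda/hdb (the kernel merely enumerates SATA/SCSI disks in the order it finds them), and on MBR-partitioned disks partition numbers 1 to 4 are primary (or extended) slots while 5 and above are logical partitions inside the extended container. The device list and function names are mine.

```python
import re

_DEV_RE = re.compile(r"^/dev/(?P<bus>hd|sd)(?P<disk>[a-z])(?P<part>\d+)?$")
_BUS = {"hd": "PATA/IDE", "sd": "SATA/SCSI"}
_ORDINAL = {1: "first", 2: "second", 3: "third", 4: "fourth"}

# Constructed list of device nodes, matching what the post reports finding: sda with 3
# partitions and the boot USB stick as sdb with one partition.
SAMPLE_DEVICES = ["/dev/sdb1", "/dev/sda", "/dev/sda3", "/dev/sda1", "/dev/sdb", "/dev/sda2"]


def describe_device(name: str) -> str:
    """Human-readable meaning of a /dev/hd* or /dev/sd* node."""
    m = _DEV_RE.match(name)
    if not m:
        raise ValueError(f"not a hd*/sd* block device: {name}")
    index = ord(m["disk"]) - ord("a") + 1
    role = ""
    if m["bus"] == "hd" and index <= 2:        # IDE cable positions; SATA/SCSI are just enumerated
        role = " (master)" if index == 1 else " (slave)"
    disk = f"the {_ORDINAL.get(index, f'{index}th')}{role} {_BUS[m['bus']]} hard drive"
    if m["part"] is None:
        return disk
    number = int(m["part"])
    kind = "primary" if number <= 4 else "logical"   # MBR convention: slots 1-4, logical from 5
    return f"{kind} partition {number} of {disk}"


def group_by_disk(names) -> dict:
    """Map each whole-disk node to the sorted partition numbers found for it."""
    disks = {}
    for name in names:
        m = _DEV_RE.match(name)
        if not m:
            continue                                # skip nodes this scheme does not cover
        disk = f"/dev/{m['bus']}{m['disk']}"
        disks.setdefault(disk, [])
        if m["part"] is not None:
            disks[disk].append(int(m["part"]))
    return {disk: sorted(parts) for disk, parts in sorted(disks.items())}


if __name__ == "__main__":
    for disk, parts in group_by_disk(SAMPLE_DEVICES).items():
        print(disk, "->", describe_device(disk), "| partitions:", parts)
```

On a live system the input list would come from `glob.glob("/dev/[hs]d*")`; the regex deliberately rejects other node types (NVMe, MMC, loop devices) rather than guessing at them.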