By default, the Network Security Toolkit probe does not access your hard disk and runs entirely out of RAM. However, if your hard disk has available Linux swap partitions, you can make use of them. To do this, you simply use the laddswap command. It will look for all hard disk partiions that are formated as Linux swap space and attempt to make use of them. The following demonstrates the affects on free memory which the laddswap command can have:
Figure 3.3. Using laddswap To Find/Use Swap Partitions
[root@probe root]#freetotal used free shared buffers cached Mem: 319944 230820 89124 0 4444 175736 -/+ buffers/cache: 50640 269304 Swap: 0 0 0[root@probe root]#laddswap*** Swap space prior to adding... /sbin/swapon -s Filename Type Size Used Priority *** Detecting existing swap areas... *** Swap space after adding... /sbin/swapon -s Filename Type Size Used Priority /dev/hda8 partition 538136 0 -2[root@probe root]#freetotal used free shared buffers cached Mem: 319944 230820 89124 0 4444 175736 -/+ buffers/cache: 50640 269304 Swap: 538136 0 538136[root@probe root]#
If you want to stop making use of swap space (though I can't think of a good reason to do so), you can use the swapoff -a command.
A typical PC will have a single
IDE hard disk
installed. IDE hard disk partitions show up
with the prefix /dev/hd
(SCSI disks show up with the prefix
/dev/sd).
The following demonstrates how one might find all of the mountable IDE hard disk partitions on a system (note the use of grep to weed out extended and swap partitions).
Figure 3.4. Finding IDE Partitions
[root@probe root]#fdisk -l | grep /dev/hd | grep -v xtended | grep -v swapDisk /dev/hda: 12.0 GB, 12072517632 bytes /dev/hda2 * 4 392 3124642+ b Win95 FAT32 /dev/hda3 393 409 136552+ 83 Linux /dev/hda5 932 1192 2096451 83 Linux /dev/hda6 1193 1467 2208906 83 Linux /dev/hda7 410 864 3654724+ 83 Linux[root@probe root]#mount -t vfat /dev/hda2 /mnt/fat; ls /mnt/fataecu.sys config.dos maestro.com Program Files tmp asd.log config.sys MP3Player recycled usblog.txt ati debug.log msdos.--- scandisk.log USBStorage autoexec.ago detlog.old msdos.bak setuplog.old vcrtemp.avi autoexec.bat detlog.txt msdos.sys setuplog.txt videorom.bin autoexec.dos docs mstrinf.ini setupxlg.txt wfcname.ini bootlog.prv drivers My Documents Sierra windows bootlog.txt frunlog.txt My Received Files suhdlog.--- WUTemp cavedog Impressions Games netlog.txt suhdlog.dat command.com io.sys opt system.1st[root@probe root]#umount /mnt/fat[root@probe root]#mount -t auto /dev/hda3 /mnt/ext3; ls /mnt/ext3boot.b kernel.h module-info-2.4.20-8 vmlinuz chain.b lost+found os2_d.b vmlinuz-2.4.20-8 config-2.4.20-8 message System.map grub message.ja System.map-2.4.20-8 initrd-2.4.20-8.img module-info vmlinux-2.4.20-8[root@probe root]#umount /mnt/ext3[root@probe root]#mount -t auto /dev/hda5 /mnt/ext3; ls /mnt/ext3emumail erik etc ftp lost+found megan nst pkb root scott[root@probe root]#umount /mnt/ext3[root@probe root]#mount -t auto /dev/hda6 /mnt/ext3; ls /mnt/ext3lost+found[root@probe root]#umount /mnt/ext3[root@probe root]#mount -t auto /dev/hda7 /mnt/ext3; ls /mnt/ext3bin dev halt initrd lib misc mysql proc sbin usr boot etc home lan lost+found mnt opt root tmp var[root@probe root]#umount /mnt/ext3[root@probe root]#
If you looked closely at the above, you'll notice that I
specified vfat for the file system type for
the /dev/hda2 partition where as I was lazy
and let Linux guess at the appropriate file system by
specifying auto for the other
partitions. Its been my experience that if you don't specify
vfat, Linux will sometimes choose
msdos as the file system type and limit you
to file names following the 8.3 DOS file
name convention.
I've found that the partitions on flash memory
inserted into a PCMCIA adapter often
shows up as a IDE device (with the
/dev/hd prefix), where as the same
memory inserted into a USB adapter will
show up as a SCSI device (with the
/dev/sd prefix).
Often one can make use of USB Flash drives (also known as a "memory stick" or "thumb drive"), external USB hard disks, camera memory (in a USB adapter). If you are free to partition and format the drive, you can create any kind of file system you want on it (like a fully Linux compatible ext3 file system). However, if you can't dedicate the drive to Linux usage (maybe you decided to borrow your wife's MP3 player like me), you will probably need to treat it like a old Windows FAT file system.
It should be noted that most USB
drives show up as SCSI disks to
Linux. Because of this, fdisk -l will
reports the partition's device with the prefix
/dev/sd. For example, after inserting my
wife's MP3 player into my laptop running
the Network Security Toolkit probe, I can use the following commands to find it
and then mount it to the mount point
/mnt/memstick:
Figure 3.5. Mounting a Thumb Drive (Memory Stick)
[root@probe root]#fdisk -l | grep /dev/sdDisk /dev/sda: 131 MB, 131072512 bytes /dev/sda1 1 500 127984 6 FAT16[root@probe root]#mount -t vfat /dev/sda1 /mnt/memstick[root@probe root]#ls /mnt/memstick01-Is This Love.mp3 After You Came.mp3 01-Steve McQueen.mp3 Babe.mp3 02-Baba.mp3 Flash.mp3 02-I Don't Remember.mp3 Heartbeat_City.mp3 03-You're An Original.mp3 home 04-No Way Out.mp3 Killer Queen.mp3 05-Would I Lie To You.mp3 My_Best_Friend_s_Girl.mp3 08-San Jacinto.mp3 nst.lp 09-Diamond Road.mp3 settings.dat 13-Living In A Box Living In A Box.mp3 test 14-Jamming.mp3 The_Tracks_of_My_Tears.mp3 15-Joining You.mp3 Touch_And_Go.mp3 15-Mother Earth.mp3 voice 17-Missing Persons Destination Unknown.mp3[root@probe root]#umount /mnt/memstick[root@probe root]#
There are a couple of things to note when making use of USB storage:
Not all USB storage is usable (we've run across combinations of USB devices + motherboards + Network Security Toolkit that would not work).
We have seen cases where the fdisk
-l failed to detect the USB
storage device, but we were still able to mount it by
specifying /dev/sda1.
Writes may seem to occur very quickly to the USB storage device. This is due to the way Linux caches disk writes. Because of this, you MUST ALWAYS remember to umount your USB storage device prior to removing it (if you simply pull it out - expect file system corruption). You'll also notice that the umount command may take a long time to complete. This is common if there is a lot of cached data that needs to be written out over a slow USB 1.0 bus.
Flash memory typically has a limited number of times
which it can be written to. You may want to consider
including the noatime option when
mounting a file system that normally keeps track of access
times. This will reduce the number of writes to the
device.
It is possible to access and make use of file systems
which are shared by Windows machines on the local network (or
any other samba like server). If
you know the public name of the shared file system (like
//gauntlet/public) you can mount it in the
following manner:
Figure 3.6. Mounting a Shared Windows Folder
[root@probe root]#mkdir /mnt/smb[root@probe root]#mount -t smbfs -o username=pblank //guantlet/public /mnt/smbPassword:[root@probe root]#ls /mnt/smbant cd download IBMJava2-13 jar linux office52 sbin art classes firefox interbase java lost+found ogg tmp bin docs gps j2sdk1.4.0 jdk MozillaFirebird originals win32 books dos guide jalbum jre mp3 photos[root@probe root]#touch /mnt/smb/tmp/bogus.txt[root@probe root]#ls -l /mnt/smb/tmp/smb.txt-rwxr-xr-x 1 root root 0 Jun 17 17:21 /mnt/smb/tmp/smb.txt[root@probe root]#chown mysql.mysql /mnt/smb/tmp/smb.txtchown: changing ownership of `/mnt/smb/tmp/smb.txt': Operation not permitted[root@probe root]#rm /mnt/smb/tmp/smb.txtrm: remove regular empty file `/mnt/smb/tmp/smb.txt'?y[root@probe root]#umount /mnt/smb[root@probe root]#
The interesting thing to note in this situation is that
all files under /mnt/smb will appear to
be owned by root to the Network Security Toolkit probe. In
truth, these files are still owned by the user
pblank on the server. There is no way to
change the ownership of these files from our Network Security Toolkit
probe. Hence the Network Security Toolkit probe will only be able to make limited
use of this file system. If we want to do something more (like
use it as a place to permanently store our SQL data base),
we'll need to make use of the loop back device as describe in
the Loopback Tricks section.
In the above example, we were fortunate and knew the name
of the Windows machine and the name of the file system it was
sharing (the //gauntlet/public passed to
the mount command). If you are not so
fortunate as to know this information ahead of time, you can
make use of the nmap and
smbclient commands to help track down what
shares are available on your network.
Figure 3.7. Looking For Windows Shares
[root@probe root]#nmap -p 139 192.168.100.2-20Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-17 17:35 EST Interesting ports on rice.linux.bogus (192.168.100.2): PORT STATE SERVICE 139/tcp open netbios-ssn Interesting ports on beans.linux.bogus (192.168.100.3): PORT STATE SERVICE 139/tcp closed netbios-ssn Interesting ports on tamale.linux.bogus (192.168.100.5): PORT STATE SERVICE 139/tcp open netbios-ssn Interesting ports on flan.linux.bogus (192.168.100.8): PORT STATE SERVICE 139/tcp open netbios-ssn Interesting ports on mole.linux.bogus (192.168.100.9): PORT STATE SERVICE 139/tcp closed netbios-ssn Interesting ports on tortilla.linux.bogus (192.168.100.12): PORT STATE SERVICE 139/tcp closed netbios-ssn Nmap run completed -- 19 IP addresses (6 hosts up) scanned in 2.302 seconds[root@probe root]#smbclient -L 192.168.100.2 -Nadded interface ip=192.168.100.9 bcast=192.168.100.255 nmask=255.255.255.0 Anonymous login successful Domain=[CCG] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix] Sharename Type Comment --------- ---- ------- netlogon Disk Network Logon Service profiles Disk print$ Disk Printer Drivers public Disk Public Stuff family Disk Family Stuff (like accounts) IPC$ IPC IPC Service (Samba Server) ADMIN$ Disk IPC Service (Samba Server) inkjet Printer Created by redhat-config-printer 0.6.x photo Printer Created by redhat-config-printer 0.6.x photo4x6 Printer Created by redhat-config-printer 0.6.x ps Printer Created by redhat-config-printer 0.6.x Server Comment --------- ------- POPPERS Megan's laptop RICE Samba Server Workgroup Master --------- ------- CCG RICE[root@probe root]#
The above tells me that the machine
192.168.100.2 has a lot of shares
available. It also tells me that its security should be
enhanced as I was able to gather this information anonymously
(guess I better go start reading through the
samba guides to figure out how to
configure my home samba server to
be more secure).
Mounting and using NFS drives from a
server is fairly straight forward. The one issue to be aware
of is that ownership of files is likely not to be
root. For example:
Figure 3.8. Mounting a NFS Drive
[root@probe root]#mount -t nfs 192.168.0.2:/opt /mnt/nfs[root@probe root]#touch /mnt/nfs/tmp/bogus.txt[root@probe root]#ls -l /mnt/nfs/tmp/bogus.txt-rw-r--r-- 1 nfsnobody nfsnobody 0 Jun 17 17:00 /mnt/nfs/tmp/bogus.txt[root@probe root]#chown mysql.mysql /mnt/nfs/tmp/bogus.txtchown: changing ownership of `/mnt/nfs/tmp/bogus.txt': Operation not permitted[root@probe root]#umount /mnt/nfs[root@probe root]#
As shown above, the root user on the
probe has limited access to the NFS drive
exported by 192.168.0.2. If we want to do
something more (like use it as a place to permanently store
our SQL data base), we'll need to make use of the loop back
device as describe in the Loopback Tricks section.