Using File Systems

Making Use of Swap Space

By default, the Network Security Toolkit probe does not access your hard disk and runs entirely out of RAM. However, if your hard disk has available Linux swap partitions, you can make use of them. To do this, you simply use the laddswap command. It will look for all hard disk partiions that are formated as Linux swap space and attempt to make use of them. The following demonstrates the affects on free memory which the laddswap command can have:

Figure 4.3. Using laddswap To Find/Use Swap Partitions

[root@probe root]# free
             total       used       free     shared    buffers     cached
Mem:        319944     230820      89124          0       4444     175736
-/+ buffers/cache:      50640     269304
Swap:            0          0          0
[root@probe root]# laddswap
 
*** Swap space prior to adding...
/sbin/swapon -s
Filename                        Type            Size    Used    Priority
 
*** Detecting existing swap areas...
 
*** Swap space after adding...
/sbin/swapon -s
Filename                        Type            Size    Used    Priority
/dev/hda8                       partition       538136  0       -2
[root@probe root]# free
             total       used       free     shared    buffers     cached
Mem:        319944     230820      89124          0       4444     175736
-/+ buffers/cache:      50640     269304
Swap:       538136          0     538136
[root@probe root]# 

If you want to stop making use of swap space (though I can't think of a good reason to do so), you can use the swapoff -a command.

Mounting Local Hard Disks

A typical PC will have a single IDE hard disk installed. IDE hard disk partitions show up with the prefix /dev/hd (SCSI disks show up with the prefix /dev/sd).

The following demonstrates how one might find all of the mountable IDE hard disk partitions on a system (note the use of grep to weed out extended and swap partitions).

Figure 4.4. Finding IDE Partitions

[root@probe root]# fdisk -l | grep /dev/hd | grep -v xtended | grep -v swap
Disk /dev/hda: 12.0 GB, 12072517632 bytes
/dev/hda2   *         4       392   3124642+   b  Win95 FAT32
/dev/hda3           393       409    136552+  83  Linux
/dev/hda5           932      1192   2096451   83  Linux
/dev/hda6          1193      1467   2208906   83  Linux
/dev/hda7           410       864   3654724+  83  Linux
[root@probe root]# mount -t vfat /dev/hda2 /mnt/fat; ls /mnt/fat
aecu.sys      config.dos         maestro.com        Program Files  tmp
asd.log       config.sys         MP3Player          recycled       usblog.txt
ati           debug.log          msdos.---          scandisk.log   USBStorage
autoexec.ago  detlog.old         msdos.bak          setuplog.old   vcrtemp.avi
autoexec.bat  detlog.txt         msdos.sys          setuplog.txt   videorom.bin
autoexec.dos  docs               mstrinf.ini        setupxlg.txt   wfcname.ini
bootlog.prv   drivers            My Documents       Sierra         windows
bootlog.txt   frunlog.txt        My Received Files  suhdlog.---    WUTemp
cavedog       Impressions Games  netlog.txt         suhdlog.dat
command.com   io.sys             opt                system.1st
[root@probe root]# umount /mnt/fat
[root@probe root]# mount -t auto /dev/hda3 /mnt/ext3; ls /mnt/ext3
boot.b               kernel.h     module-info-2.4.20-8  vmlinuz
chain.b              lost+found   os2_d.b               vmlinuz-2.4.20-8
config-2.4.20-8      message      System.map
grub                 message.ja   System.map-2.4.20-8
initrd-2.4.20-8.img  module-info  vmlinux-2.4.20-8
[root@probe root]# umount /mnt/ext3
[root@probe root]# mount -t auto /dev/hda5 /mnt/ext3; ls /mnt/ext3
emumail  erik  etc  ftp  lost+found  megan  nst  pkb  root  scott
[root@probe root]# umount /mnt/ext3
[root@probe root]# mount -t auto /dev/hda6 /mnt/ext3; ls /mnt/ext3
lost+found
[root@probe root]# umount /mnt/ext3
[root@probe root]# mount -t auto /dev/hda7 /mnt/ext3; ls /mnt/ext3
bin   dev  halt  initrd  lib         misc  mysql  proc  sbin  usr
boot  etc  home  lan     lost+found  mnt   opt    root  tmp   var
[root@probe root]# umount /mnt/ext3
[root@probe root]# 

If you looked closely at the above, you'll notice that I specified vfat for the file system type for the /dev/hda2 partition where as I was lazy and let Linux guess at the appropriate file system by specifying auto for the other partitions. Its been my experience that if you don't specify vfat, Linux will sometimes choose msdos as the file system type and limit you to file names following the 8.3 DOS file name convention.

Note

I've found that the partitions on flash memory inserted into a PCMCIA adapter often shows up as a IDE device (with the /dev/hd prefix), where as the same memory inserted into a USB adapter will show up as a SCSI device (with the /dev/sd prefix).

Mounting USB Thumb Drives

Often one can make use of USB Flash drives (also known as a "memory stick" or "thumb drive"), external USB hard disks, camera memory (in a USB adapter). If you are free to partition and format the drive, you can create any kind of file system you want on it (like a fully Linux compatible ext3 file system). However, if you can't dedicate the drive to Linux usage (maybe you decided to borrow your wife's MP3 player like me), you will probably need to treat it like a old Windows FAT file system.

It should be noted that most USB drives show up as SCSI disks to Linux. Because of this, fdisk -l will reports the partition's device with the prefix /dev/sd. For example, after inserting my wife's MP3 player into my laptop running the Network Security Toolkit probe, I can use the following commands to find it and then mount it to the mount point /mnt/memstick:

Figure 4.5. Mounting a Thumb Drive (Memory Stick)

[root@probe root]# fdisk -l | grep /dev/sd
Disk /dev/sda: 131 MB, 131072512 bytes
/dev/sda1             1       500    127984    6  FAT16
[root@probe root]# mount -t vfat /dev/sda1 /mnt/memstick
[root@probe root]# ls /mnt/memstick
01-Is This Love.mp3                          After You Came.mp3
01-Steve McQueen.mp3                         Babe.mp3
02-Baba.mp3                                  Flash.mp3
02-I Don't Remember.mp3                      Heartbeat_City.mp3
03-You're An Original.mp3                    home
04-No Way Out.mp3                            Killer Queen.mp3
05-Would I Lie To You.mp3                    My_Best_Friend_s_Girl.mp3
08-San Jacinto.mp3                           nst.lp
09-Diamond Road.mp3                          settings.dat
13-Living In A Box  Living In A Box.mp3      test
14-Jamming.mp3                               The_Tracks_of_My_Tears.mp3
15-Joining You.mp3                           Touch_And_Go.mp3
15-Mother Earth.mp3                          voice
17-Missing Persons  Destination Unknown.mp3
[root@probe root]# umount /mnt/memstick
[root@probe root]# 

There are a couple of things to note when making use of USB storage:

  • Not all USB storage is usable (we've run across combinations of USB devices + motherboards + Network Security Toolkit that would not work).

  • We have seen cases where the fdisk -l failed to detect the USB storage device, but we were still able to mount it by specifying /dev/sda1.

  • Writes may seem to occur very quickly to the USB storage device. This is due to the way Linux caches disk writes. Because of this, you MUST ALWAYS remember to umount your USB storage device prior to removing it (if you simply pull it out - expect file system corruption). You'll also notice that the umount command may take a long time to complete. This is common if there is a lot of cached data that needs to be written out over a slow USB 1.0 bus.

  • Flash memory typically has a limited number of times which it can be written to. You may want to consider including the noatime option when mounting a file system that normally keeps track of access times. This will reduce the number of writes to the device.

Making SMB (Windows Shares)

It is possible to access and make use of file systems which are shared by Windows machines on the local network (or any other samba like server). If you know the public name of the shared file system (like //gauntlet/public) you can mount it in the following manner:

Figure 4.6. Mounting a Shared Windows Folder

[root@probe root]# mkdir /mnt/smb
[root@probe root]# mount -t smbfs -o username=pblank //guantlet/public /mnt/smb
Password:
[root@probe root]# ls /mnt/smb
ant    cd       download  IBMJava2-13  jar   linux            office52   sbin
art    classes  firefox   interbase    java  lost+found       ogg        tmp
bin    docs     gps       j2sdk1.4.0   jdk   MozillaFirebird  originals  win32
books  dos      guide     jalbum       jre   mp3              photos
[root@probe root]# touch /mnt/smb/tmp/bogus.txt
[root@probe root]# ls -l /mnt/smb/tmp/smb.txt
-rwxr-xr-x    1 root     root            0 Jun 17 17:21 /mnt/smb/tmp/smb.txt
[root@probe root]# chown mysql.mysql /mnt/smb/tmp/smb.txt
chown: changing ownership of `/mnt/smb/tmp/smb.txt': Operation not permitted
[root@probe root]# rm /mnt/smb/tmp/smb.txt
rm: remove regular empty file `/mnt/smb/tmp/smb.txt'? y
[root@probe root]# umount /mnt/smb
[root@probe root]# 

The interesting thing to note in this situation is that all files under /mnt/smb will appear to be owned by root to the Network Security Toolkit probe. In truth, these files are still owned by the user pblank on the server. There is no way to change the ownership of these files from our Network Security Toolkit probe. Hence the Network Security Toolkit probe will only be able to make limited use of this file system. If we want to do something more (like use it as a place to permanently store our SQL data base), we'll need to make use of the loop back device as describe in the Loopback Tricks section.

In the above example, we were fortunate and knew the name of the Windows machine and the name of the file system it was sharing (the //gauntlet/public passed to the mount command). If you are not so fortunate as to know this information ahead of time, you can make use of the nmap and smbclient commands to help track down what shares are available on your network.

Figure 4.7. Looking For Windows Shares

[root@probe root]# nmap -p 139 192.168.100.2-20
 
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-17 17:35 EST
Interesting ports on rice.linux.bogus (192.168.100.2):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
 
Interesting ports on beans.linux.bogus (192.168.100.3):
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
 
Interesting ports on tamale.linux.bogus (192.168.100.5):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
 
Interesting ports on flan.linux.bogus (192.168.100.8):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
 
Interesting ports on mole.linux.bogus (192.168.100.9):
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
 
Interesting ports on tortilla.linux.bogus (192.168.100.12):
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
 
Nmap run completed -- 19 IP addresses (6 hosts up) scanned in 2.302 seconds
[root@probe root]# smbclient -L 192.168.100.2 -N
added interface ip=192.168.100.9 bcast=192.168.100.255 nmask=255.255.255.0
Anonymous login successful
Domain=[CCG] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]
 
        Sharename      Type      Comment
        ---------      ----      -------
        netlogon       Disk      Network Logon Service
        profiles       Disk
        print$         Disk      Printer Drivers
        public         Disk      Public Stuff
        family         Disk      Family Stuff (like accounts)
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)
        inkjet         Printer   Created by redhat-config-printer 0.6.x
        photo          Printer   Created by redhat-config-printer 0.6.x
        photo4x6       Printer   Created by redhat-config-printer 0.6.x
        ps             Printer   Created by redhat-config-printer 0.6.x
 
        Server               Comment
        ---------            -------
        POPPERS              Megan's laptop
        RICE                 Samba Server
 
        Workgroup            Master
        ---------            -------
        CCG                  RICE
[root@probe root]# 

The above tells me that the machine 192.168.100.2 has a lot of shares available. It also tells me that its security should be enhanced as I was able to gather this information anonymously (guess I better go start reading through the samba guides to figure out how to configure my home samba server to be more secure).

Mounting NFS Drives

Mounting and using NFS drives from a server is fairly straight forward. The one issue to be aware of is that ownership of files is likely not to be root. For example:

Figure 4.8. Mounting a NFS Drive

[root@probe root]# mount -t nfs 192.168.0.2:/opt /mnt/nfs
[root@probe root]# touch /mnt/nfs/tmp/bogus.txt
[root@probe root]# ls -l /mnt/nfs/tmp/bogus.txt
-rw-r--r--    1 nfsnobody nfsnobody        0 Jun 17 17:00 /mnt/nfs/tmp/bogus.txt
[root@probe root]# chown mysql.mysql /mnt/nfs/tmp/bogus.txt
chown: changing ownership of `/mnt/nfs/tmp/bogus.txt': Operation not permitted
[root@probe root]# umount /mnt/nfs
[root@probe root]# 

As shown above, the root user on the probe has limited access to the NFS drive exported by 192.168.0.2. If we want to do something more (like use it as a place to permanently store our SQL data base), we'll need to make use of the loop back device as describe in the Loopback Tricks section.