blackriver

Active Members
  • Posts: 43
Everything posted by blackriver

  1. I'm not sure if I'm up to coding my own tool yet, but thanks for the reading material. I wonder if this would be a good exercise in Python or Ruby: calling tcpdump and tshark, processing their output, and restarting. Sounds like a weekend project!
  2. Thanks for the reply, Jason. I'm trying to understand how I could do the same with a different tool, say tcpdump. As far as I understand, tcpdump will also capture the beacons when put in monitor mode with -I. Is there a way to basically count the "data packets" in monitor mode just like airodump-ng does?
  3. I was trying to explain the workings of Airodump-ng to someone when it occurred to me I don't fully understand what the "#Data"-column is trying to show. I always assumed these were "interesting" packets, i.e. packets generated by an actual user instead of say beacons (although the manual says it's the "number of captured data packets, including data broadcast packets"). I was wondering if anyone knew how Airodump-ng determines if it sees a data packet. I tried to google but couldn't find an answer. So is it perhaps one of these? All packets minus beacons? Only TCP (and maybe UDP) packets? All packets that have a source and destination?
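The classification the three posts above ask about can be reproduced from raw frames. The following is an added example, not code from the thread or from airodump-ng: it strips the radiotap header that monitor-mode captures carry, reads the 802.11 frame-control field to tell management, control and data frames apart, locates the BSSID from the ToDS/FromDS bits, and tallies beacons and data frames per BSSID. Counting every type-2 (data) frame, QoS and null data included, is an assumption about what #Data means; airodump-ng's exact rule is not stated on this page. The MAC addresses and frames are constructed.

```python
"""Classify raw 802.11 frames from a monitor-mode capture and tally data
frames per BSSID, an approximation of airodump-ng's #Data column.
Added example; the sample frames below are constructed, not captured."""
import struct
from collections import Counter

# Frame-control "type" values from the first header byte (bits 2-3)
MGMT, CTRL, DATA = 0, 1, 2
BEACON = 8  # management subtype 8


def strip_radiotap(buf: bytes) -> bytes:
    """Monitor-mode captures (tcpdump -I, tshark -I) carry a radiotap header;
    its total length is the little-endian 16-bit field at offset 2."""
    (rt_len,) = struct.unpack_from("<H", buf, 2)
    return buf[rt_len:]


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify(frame: bytes):
    """Return (type, subtype, bssid) for one 802.11 frame without radiotap.
    The BSSID position depends on the ToDS/FromDS bits of the second FC byte."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype == CTRL:                      # ACK, RTS, CTS ...: no BSSID, may be only 10 bytes
        return ftype, subtype, None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == MGMT:
        bssid = addr3
    elif to_ds and from_ds:                # WDS/4-address frame: BSSID is not in the first 3 addresses
        bssid = None
    elif to_ds:
        bssid = addr1                      # station -> AP
    elif from_ds:
        bssid = addr2                      # AP -> station
    else:
        bssid = addr3                      # ad-hoc / direct
    return ftype, subtype, _mac(bssid) if bssid else None


def count_like_airodump(frames):
    """Tally beacons and data frames per BSSID. Counting every type-2 frame
    (including QoS and null data) is an assumption about airodump-ng."""
    beacons, data, control = Counter(), Counter(), 0
    for f in frames:
        ftype, subtype, bssid = classify(f)
        if ftype == CTRL:
            control += 1
        elif ftype == MGMT and subtype == BEACON:
            beacons[bssid] += 1
        elif ftype == DATA and bssid is not None:
            data[bssid] += 1
    return {"beacons": beacons, "data": data, "control": control}


# --- constructed sample capture (not real traffic) ---------------------------
AP = bytes.fromhex("00112233aabb")     # hypothetical access point
STA = bytes.fromhex("00ccddeeff01")    # hypothetical client
BCAST = b"\xff" * 6


def _frame(fc0, fc1, a1, a2, a3, body=b""):
    # FC(2) duration(2) addr1/2/3(18) seq-ctl(2) then payload
    return struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + b"\x00\x00" + body


def _radiotap(frame):
    # minimal 8-byte radiotap header: version 0, pad, length 8, no present flags
    return struct.pack("<BBHI", 0, 0, 8, 0) + frame


SAMPLE_CAPTURE = [_radiotap(f) for f in (
    _frame(0x80, 0x00, BCAST, AP, AP),                # beacon (mgmt, subtype 8)
    _frame(0x08, 0x01, AP, STA, BCAST, b"\x00" * 4),  # data, ToDS: STA -> AP
    _frame(0x08, 0x02, STA, AP, STA, b"\x00" * 4),    # data, FromDS: AP -> STA
    struct.pack("<BBH", 0xD4, 0x00, 0) + STA,         # ACK (control), 10 bytes
    _frame(0x88, 0x01, AP, STA, BCAST, b"\x00" * 6),  # QoS data, ToDS
    _frame(0x80, 0x00, BCAST, AP, AP),                # second beacon
)]


def summarize(capture=SAMPLE_CAPTURE):
    return count_like_airodump(strip_radiotap(b) for b in capture)


if __name__ == "__main__":
    s = summarize()
    for bssid, n in s["data"].items():
        print(f"{bssid}  beacons={s['beacons'][bssid]}  #Data={n}")
```

The same selection can be made directly in the capture tools: `tcpdump -I -i wlan0 type data` applies the 802.11 "type" primitive of the pcap filter language, and `tshark -I -i wlan0 -Y 'wlan.fc.type == 2'` uses the equivalent display filter, so piping either through a counter gives the per-run total without writing a parser.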
  4. That second solution is actually not so bad... I could keep the fileserver steady and stable, and do my crazy coding and pentesting from a virtual machine. One other thing, would drive/partition/directory encryption do any good in this case?
  5. I wanted to turn an old computer into a fileserver (running Debian). I wanted to store all my data there, so that my regular PC will only have one HDD running the OS (Windows) and programs. So I created a samba share, and got it working neatly right away. But after installing some pentesting tools, it occurred to me that storing all my sensitive, private and personal data and running shady hacking/pentesting tools on one single box might not be a good idea. Now, my question is, how to keep my personal data as safe as possible on my little Linux fileserver? I have used a different user + usergroup for my samba shares, so my normal user account can't access the samba shares thanks to regular Linux file permissions. Is there anything more I can do?
  6. @Webhostbudd: can I create a tunnel for a port range, then? One group of servers uses the range 3000 to 4000 for instance, it would be a PITA to manually set up Putty or Plink for this. @Sparda: I think I was confusing a few concepts. I was thinking of how a SOCKS5 proxy works, like how Matt explained on show 416: http://www.mattlestock.com/2008/12/setup-an-ssh-socks-proxy/ @scrapheap: Some are using EditpadPro (more an advanced text editor, if you know it), and others use Netbeans (for PHP). Netbeans actually has SFTP support, but it's impossible to set up. This seems to be a known issue and I hope it'll be fixed soon. I must say the tool Tunnelier does what it says, and sets up a FTP-to-SFTP bridge without much effort. So far I'm loving this tool, but I feel bad I couldn't set up something more intelligent using proper tools like Plink or Putty.
  7. Thanks again everybody. I dug a little deeper and used the method suggested by Sparda, which indeed seems to work. I can log into the remote FTP server over localhost:21, and according to the logs the login process completes successfully. But then the problem scrapheap mentions arises: FTP needs another port for the actual data, and the remote server chooses a random port for this. I can't possibly know this port beforehand, so it looks like this isn't gonna work after all :( I came across a tool that might fix my problem, called Tunnelier: http://www.bitvise.com/ftp-bridge.html so I will be giving that a shot.
  8. Thanks for the replies, guys. I'm still not 100% confident this will keep my traffic secure 100% between point A ("ME" in the drawing, my Windows machine) and point B ("SERVER 2" in the drawing, the Linux server where the files need to go). I have this SSH tunnel thing in my head like this: I set up a tunnel between ME and SERVER 1. The traffic between this goes through an SSH tunnel, and all's well. But then SERVER 1 will have to send whatever I want to send to my original destination, SERVER 2. And that's good old FTP, with plain text passwords and all. Even if I set up a tunnel directly to SERVER 2, won't SERVER 2 still just blindly FTP my data to itself (over the internet) using the original non-local IP address?
  9. But won't that just create a secure tunnel from me to the server at the end of the tunnel, and from then on become plain FTP again? The server at the end of the tunnel will still need to go onto the internet to actually FTP my files to the destination host.
  10. Here's my situation: I have a Windows XP machine and I have to edit files on several remote Linux boxes. Due to my project's chosen IDE, I can't work directly on the remote machines using VIM or something similar. So, we use the IDE's built-in FTP which allows us to edit files on the remote servers. This is rather insecure, and the IDE doesn't support SFTP. How can I do this securely? I was thinking of building an SSH tunnel (as explained on episode 416), but the IDE also doesn't support using a proxy. Also, it would be a pain in the butt to switch between servers, which happens a lot during the day. What else can I try? The most ideal solution would be to somehow mount the remote Linux dir to something local in Windows, so I can simply use the IDE's explorer to edit a "local" file (similar to Dropbox, for instance). I'm using Putty, Plink and Total Commander on my Windows machine so far.
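The failure posts 7 through 10 run into (the control channel tunnels fine, the data channel does not) comes from what the server says on the control channel. The following is an added example, not code from the thread or from Tunnelier: it decodes the passive-mode replies (227 PASV, which embeds the server's own address and a port as six decimal octets, and 229 EPSV, which gives only a port) and checks each resulting data endpoint against the set of static SSH forwards the client has, showing that a forward of localhost:21 alone never covers a transfer. The addresses, ports and replies are constructed.

```python
"""Why forwarding only port 21 through SSH leaves FTP transfers in the clear:
the control channel's 227/229 replies point the client at a second endpoint
chosen by the server per transfer, and the client connects there directly.
Added example; the replies below are constructed."""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply: str, control_host: str):
    """Return the (host, port) the FTP client will open for the data channel.
    227 (PASV) embeds the server's address and a 16-bit port as h1,h2,h3,h4,p1,p2;
    229 (EPSV) gives only the port and reuses the control-connection host."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_host, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def covered_by_forwards(endpoint, forwards):
    """A static local forward (ssh -L lport:host:rport, or a PuTTY 'Local' forward)
    only protects connections the client makes to 127.0.0.1:lport; anything
    else leaves the machine unencrypted."""
    return endpoint in forwards


def audit_session(control_host, forwards, replies):
    """For each passive reply seen on the control channel, report the data
    endpoint and whether that transfer would stay inside the SSH tunnel."""
    report = []
    for r in replies:
        ep = data_endpoint(r, control_host)
        report.append((ep, covered_by_forwards(ep, forwards)))
    return report


# Constructed session: control channel forwarded as 127.0.0.1:21 -> server:21.
FORWARDS = {("127.0.0.1", 21)}
CONTROL_HOST = "127.0.0.1"
REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # server's public IP, port 50000
    "227 Entering Passive Mode (192,0,2,10,198,52)",   # next transfer: port 50740
    "229 Entering Extended Passive Mode (|||50001|)",  # EPSV: host = control host
]


def demo():
    return audit_session(CONTROL_HOST, FORWARDS, REPLIES)


if __name__ == "__main__":
    for (host, port), inside in demo():
        state = "tunnelled" if inside else "plain FTP on the wire"
        print(f"data channel -> {host}:{port}  {state}")
```

Each transfer lands on a different port picked by the server, so no fixed list of `-L` forwards can cover it (the same reason the 3000 to 4000 range in post 6 is painful). What does cover it is a dynamic forward (`ssh -D`, or a "Dynamic" forward in PuTTY), which is the SOCKS5 proxy from show 416: every connection the client opens, data channels included, is then carried by SSH, provided the client can talk SOCKS; a client that cannot is left with an SFTP-capable tool or a local FTP-to-SFTP bridge like the one the thread settles on.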
  11. Finally something to do in Europe again: http://www.hackerspace.net/ Any Hak5 viewers going there? I'm thinking about it!
  12. If you like anime, definitely check out Battle Programmer Shirase. It's a slightly weird anime about a freelance computer programmer who has to hack himself out of all kinds of adventures. Armed with special powers like "Double compile!" he outsmarts his black-hat hacker enemies. All episodes are quite short, like 15 minutes, so ideal for on your phone or netbook. Wikipedia page: http://en.wikipedia.org/wiki/Battle_Programmer_Shirase
  13. I never dared full disk encryption either, so I settled for encfs on my Eee 701 running Debian Lenny. It basically enables you to encrypt directories. It works really well for what I want to do, which is just keeping my personal data safe when I lose my laptop. I'm sure I'd leave some traces in temp files and whatnot, but at least I don't have my full email correspondence viewable for the whole world.
  14. Yeah, at the time of testing none of these devices (Xbox, Wii, etc.) were connected. So when the problems occurred, nothing but my PC and my router made up my home network. My router does ARP requests for the devices it has seen on the network in the past few months, to which only my PC responds. The problem occurs when all of a sudden my PC does an ARP request for this address 192.168.1.61, which is unused on my network. I guess that ARP request confuses my router and/or PC, and network activity stops (at least incoming packets). Is there a way to see which program on my PC initiates this ARP request?
  15. I don't think the router is doing ARP for a whole range, it's always just this handful of local addresses ending on 69, 67, 109, 66, 68, 64 and 65 (but not 61 that my PC asks for!). These all belonged to devices that connected to my network in the past few months: my Xbox, Wii, another PC, my laptop, etc. Some of these devices haven't been online for at least two months, but apparently my router still keeps asking if they're there. By the way, I filtered the captured packets to only show ARP and ICMP packets, to leave out the UDP traffic from Counter-Strike (see the packet numbers in the first column). So in between the ARP broadcasts there's plenty of "normal" traffic, but the screenshot doesn't show these. That's maybe why you think it looks like a sweep? I also checked in the router to see if there are other devices on the network, but that's not the case. I'm pretty sure I'm malware-free, too. I quickly tried capturing packets while downloading a large binary over HTTP, and I didn't get any errors. The download only took about 15 minutes, so that is not the full timeframe the error normally occurs in. I will capture other (non-Counter-strike :) ) traffic tomorrow, to see if it occurs there too.
  16. Yeah, I realise the difference between DHCP and ARP, I just hoped a static IP address would solve things. But alas :( Here is a screenshot of a typical situation: Everything goes well, until my PC (as source "AsusteKC_53:3a:21" and IP 192.168.1.64) starts asking who 192.168.1.61 has. Network response grinds to a halt, and the ICMP packets keep returning "Destination unreachable" until my router (ThomsonT_1b:bb:58 on IP 192.168.1.254) starts broadcasting ARP requests again. Network response goes back to normal, until all of this repeats 30 to 45 minutes later. Some more details: 1. I was playing Counter-Strike 1.6 through Steam, no other stuff going on in the background (killed my email, Dropbox, torrents, etc.). I also ran Wireshark, obviously ;) 2. The command "arp -a" under Windows only shows one entry, which is for the router. 3. The IP address 192.168.1.61 that my PC sends an ARP broadcast for, has never been used by a device on my network. IP addresses on my network start from 192.168.1.64 up.
  17. Thanks for the quick reply, Digip. My router is a router and modem in one, and does indeed do the DHCP for my network. I don't have access to my capture file right now, but it looks like my router refreshes the ARP table every 15 minutes or so. I have not changed any settings in my router for this, so I'm assuming this is a default rate. I will check at home if my PC is doing a RARP, but I'm pretty sure the protocol reported by Wireshark is "ARP", not "RARP". And it does an ARP request for other devices that sometimes connect to my network as well (my Xbox and laptop), so I get like four ARP requests in total. These four devices are also queried in an ARP request from my router, so it really looks like my PC is taking over the role of my router. I will try a static address tonight. Thanks for the help, I got some clues to work with now!
  18. I started debugging my network after I noticed my internet connection completely stalled every hour or so. A couple of seconds later, it would regain connectivity, but lots of connections would've been terminated by then. I decided to capture all my packets using Wireshark. Now I see an ARP request from my router every once in a while, and this works fine. My PC responds to the requests and replies back to the router, and all's well. But suddenly, after about 10 rounds of ARP requests from my router, my PC suddenly sends out an ARP request. They're the same as my router's, except it says to "tell 192.168.1.60", which is the IP address of my PC. Immediately after this, I see no incoming packets anymore, of any protocol. Does anybody know why my PC would suddenly try to take over ARP stuff? What causes this, and how can I turn this off? I'm running Windows XP, am on a wired network, and I'm currently the only machine on the network. My router is a Thompson (Alcatel) Speedtouch.
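The pattern posts 14 through 18 pick out by hand in Wireshark (the router periodically asking for hosts it has seen before, then the PC itself asking for an address nobody has used) can be checked mechanically. The following is an added example, not code from the thread: it parses Ethernet-encapsulated ARP packets from raw frame bytes and flags requests whose sender is not the router or whose target address is not in the set of addresses ever seen on the LAN. The MAC addresses are locally administered values made up for the example, the frames are constructed, and the address list is taken from post 15.

```python
"""Parse Ethernet/ARP frames and flag ARP requests that do not fit the
expected pattern on a small home LAN: requests sent by a host other than the
router, or requests for an address no device has ever used.
Added example; the frames below are constructed, not a real capture."""
import struct

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return a dict for an Ethernet-encapsulated IPv4 ARP packet, else None."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    dst, src, etype = struct.unpack_from(">6s6sH", frame, 0)
    if etype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack_from(
        ">HHBBH6s4s6s4s", frame, 14)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"oper": oper, "sender_mac": _mac(sha), "sender_ip": _ip(spa),
            "target_mac": _mac(tha), "target_ip": _ip(tpa)}


def flag_unexpected_requests(frames, router_mac, known_ips):
    """Return (sender_ip, target_ip, reasons) for each ARP request that is not
    the router refreshing its table for a device that has been seen before."""
    flagged = []
    for f in frames:
        p = parse_arp(f)
        if not p or p["oper"] != ARP_REQUEST:
            continue
        reasons = []
        if p["sender_mac"] != router_mac:
            reasons.append("sender is not the router")
        if p["target_ip"] not in known_ips:
            reasons.append("target address never seen on this LAN")
        if reasons:
            flagged.append((p["sender_ip"], p["target_ip"], tuple(reasons)))
    return flagged


# --- constructed sample capture -----------------------------------------------
ROUTER = bytes.fromhex("020000001b58")   # made-up, locally administered MAC
PC = bytes.fromhex("02000000533a")       # made-up, locally administered MAC
ZERO, BCAST = b"\x00" * 6, b"\xff" * 6
# addresses post 15 says have been seen on the LAN, plus the router and the PC
KNOWN_IPS = {"192.168.1.254", "192.168.1.64", "192.168.1.65", "192.168.1.66",
             "192.168.1.67", "192.168.1.68", "192.168.1.69", "192.168.1.109"}


def _arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    eth = struct.pack(">6s6sH", dst_mac, src_mac, ETH_ARP)
    arp = struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sha, bytes(int(x) for x in spa.split(".")),
                      tha, bytes(int(x) for x in tpa.split(".")))
    return eth + arp + b"\x00" * 18          # pad to the 60-byte Ethernet minimum


SAMPLE_FRAMES = [
    _arp(ROUTER, BCAST, ARP_REQUEST, ROUTER, "192.168.1.254", ZERO, "192.168.1.64"),   # router refresh
    _arp(PC, ROUTER, ARP_REPLY, PC, "192.168.1.64", ROUTER, "192.168.1.254"),          # PC answers
    _arp(ROUTER, BCAST, ARP_REQUEST, ROUTER, "192.168.1.254", ZERO, "192.168.1.69"),   # stale Xbox entry, still expected
    _arp(PC, BCAST, ARP_REQUEST, PC, "192.168.1.64", ZERO, "192.168.1.61"),            # the anomaly
]


def demo():
    return flag_unexpected_requests(SAMPLE_FRAMES, _mac(ROUTER), KNOWN_IPS)


if __name__ == "__main__":
    for sender, target, why in demo():
        print(f"ARP who-has {target} tell {sender}: " + "; ".join(why))
```

On the question of which program sends the request: the ARP itself is generated by the operating system's IP stack the moment some process tries to send an IP packet to an address that has no entry in the ARP cache, so the program is whatever is about to talk to 192.168.1.61. The IP packets that follow a successful reply name the protocol and port, and on Windows XP `netstat -o` lists the process ID behind each socket, which narrows it down when the target is reachable.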
  19. http://www.glitched.nl/ They're showing the Nerdcore For Life documentary and having Beefy, MC Lars, MC Router and YTCracker live on stage! Watch out for the Hak5 stickers that night ;')
  20. I'm wondering, since the Gmail cookie stealin' news, and the attention it brought to how and why cookies could be vulnerable, is it still worth stealing cookies? Doesn't every big site have measures taken against cookie stealing, or more specifically, cookie re-using from a different PC/OS/browser/MAC/IP? Would you still really be able to simply log in as a certain user by using a captured cookie?
  21. I think I'm gonna go for a few of the "special" replacement keys -- the rest is still good enough. Thanks for the link!
  22. I just finished the second book two days ago. I stand by my statement that this is an absolute MUST for anybody who digs hacking and comics. Ed Piskor combines hacking, storytelling and art in a manner that would make any hacker, cracker, phreak or even lamer go absolutely woot. It's a piece of hacker culture. GET. THIS. BOOK!
  23. I found a Model M from the late 80s, but it has a weird keyboard (having a dedicated key for 'plusminus', the X or C key also has a 'µ', and some more weirdness). The keys consist of two parts: the key itself, and an overlay key that has the actual letter/symbol printed on it. If I take these all off I'm left with a blank keyboard. I was wondering if anyone has a broken Model M with a normal keyboard layout, and is willing to sell me these overlay keys. As a last resort I want to make this a "Das Keyboard", but my girlfriend likes to use it as well -- and she's just not nerd enough for a symbol-less keyboard. As a second to last resort, I want to blank out all the keys (remove the symbols printed on them), have a few illustrator/graffiti friends paint the symbols on them, and spray the keys with transparent coating. But rather, I'd just have original Model M keys :) Anybody who can help?