DDG Tech Notes

H D Morre has announced the release of Metasploit v 3.2 (http://www.metasploit.com/) - and a new license for the popular security testing framework.  According to the main web page:

The Metasploit development team is happy to announce the immediate availability of version 3.2 of the Metasploit Framework. This release is the first version of Metasploit to be provided under a true open source license (BSD) and represents over ten months of work by the development team.

Currently available from the web site are the distributions for the normal cast of OSes (Mac, Linux, etc.) plus a binary windows installer.

I’ve not yet seen any Debian or Ubuntu packages.  I’ll be putting some together myself and make them available here until such time as a maintained package becomes available (sorry, but I do not currently have the time to commit to this long term.)

I’ve been a fan of Beryl for some time - using in on my Ubuntu, Debian Etch and Slackware distro machines.  (see my article Desktop Time Wasters for images of my original Debian box with beryl.)  I’ve always done this with source compiles on Slackware, and packages on Ubuntu and Debian.

Some time ago (more specifically, some package upgrades ago) I ran into a dependency issue on my Debian box that rendered Berly unusable.  I can recall giving it some time, trying to work it out, but eventually giving up.

At the time (prior to the breakage) I was installing Beryl from the third-party repository (specifically, deb http://debian.beryl-project.org etch main for those interested).

In the time after my Debian machine’s beryl install broke, I reinstalled a Ubuntu (Hardy Heron) on my IBM X41 (related articles here and here.)  I didn’t pay much attention at the time (it was late, I may have been drinking, etc.) but at the end of the install I had what I thought was beryl controlling the Ubuntu desktop on my IBM X41.

I didn’t pay it much attention, until I finally became annoyed by the fact that my Debian box no longer looked like l wanted it to.  I decided it was time to compare what I had (working) on my Ubuntu box to what was (not working) on my debian box.  That was the Rosetta Stone that finally made it all click in my mind.

The trouble I was having all stemmed from a change in the packaging names of what I called Beryl in both Ubuntu and Debian.  In fact, an open-source (re)convergence had occurred between Beryl (the eye candy, and a window manager) and compiz (the compositing window manager) that created an entirely new line of packages, Compiz Fusion.

While you can easily add the appropriate entry into /etc/apt/sources.list, both the Debian etch/sid and Ubuntu hardy main repositories (i.e. the repositories that you should already have configured after an install) have access to the packages you should need.  Granted, in neither case will the packages be the bleeding edge of latest development that you can get from either the beryl or fusion maintained repositories (complete with svn checkout branches.)  However, both will provide you with the coolest, cpu-consuming desktop graphic effects that will keep all but the most eye-candy addicted among us happy.  So how do we make this work?

First off, if you (like me on my Debian box) are a former beryl repository user, you’ll first want to move those packages.  These steps should work out for either Debian or Ubuntu systems.

I suggest using Synaptic package manger, and removing packages related to the following search terms:

• beryl
• compiz
• emerald

After that, remove any of the beryl references from your /etc/apt/sources.lst file and running sudo apt-get update.  Or, if you are more inclined towards Synaptic Package Manager, open it up and select Settings–>Repositories–>Third party software and remove the appropriate entry (or entries).

Now it’s time to add in the new stuff.  There a few different packages required to make this all work together.  I haven’t yet identified any one specific package that has all of these as a dependency (and thus would make this all work by simply selecting that one specific package.)  Readers, if you know of one (or few) that will accomplish this, please leave a comment so it can be shared with the rest of us! I do know for sure that, at the end of the day, I needed the following packages to make this all come together:

• mesa-utils
• libcompizconfig0
• compiz-gtk
• libdecoration0
• compizconfig-backend-gconf
• compiz-fusion-bcop
• compiz-plugins
• compizconfig-settings-manager
• python-compizconfig
• fusion-icon
• compiz-fusion-plugins-extra
• compiz-fusion-plugins-unsupported
• compiz-core
• compiz-fusion-plugins-main
• compiz-gnome

After making sure that all of these packages are installed, your first step should be to simply restart X.  The “sure fire” way to do this would be to restart the whole box.  If you’re more adventurous, then either you’ve already set your gdm (gnome display manager) to restart at every login, or you can kill gdm and restart it as root from the command line.

Either way, if all went magically well, you should see the “Fusion Icon” appear in your tray on your task bar (see image at left.)  This seemed to “just work” for my Ubuntu install, but required a couple of extra steps on my Debian system.

The couple of extra steps

For my Debian laptop, I had to manually add it to my Startup Programs.  Go to System–>Preferences–>Sessions.  Under the “Startup Programs” tab, click on “Add”.  Give it a name, and ‘/usr/bin/fusion-icon’ as the command:

This end is only the beginning!

You should now have Compiz Fusion active on your desktop.  So now what?  Right-click on the Fusion icon in your tray and check out some of the options.  You can change the window manager on the fly, and (depending on what you have installed) you may be able to change your window decorator as well.  Finally, take a look at the ‘Settings Manager.’  In the next Compiz Fusion post, I’ll walk through some of the cooler features of Compiz Fusion - things like Window transparencies, neat visual effects, etc.

Until then…

Every want to use your Ubuntu distribution to obliterate the data on a disk volume? It may be easier than you think!

First thing - the disclaimer. I’m very conscious about not misrepresenting myself to my blog aggregators regarding what my posts are actually about. On the other hand, after looking at my blog stats, search queries have turned up my site for searches roughly along the lines “Ubuntu Wipe Disk” at a rate that I did not expect. So why this disclaimer?

All of the methods that I am about to present are not really Ubuntu specific. However, as a good blogger, I have an obligation to provide information pertinent to what my readers are looking for.

Also note that any method below that deals with disk partitions can be used equally for swap partitions - arguably one of the most critical partitions to wipe on any system.

And, with the exception of the section below regarding specific disk eradication software, you can perform pretty much any of these steps even with a “Live” Linux CD - which can save you the hassle of physically connecting the hard drive to your Ubuntu machine.

So, here goes…

So, you want to wipe a disk so that no one else can read what you might have written there?

While that sounds like a fairly simple task, there are really some assumptions built into the question that you must consider first:

1. What exactly do you want to wipe? Is it an entire disk, or just a partition on the disk?
2. Who is the “no one” that you want to protect your data from?
3. Are you performing this action in response to your own needs, or the needs of you company or corporation?
4. If you are performing these actions for your company, are there any particular regulatory requirements that you must meet?

With out question framed properly, we can move forward with an actual plan to meet your requirements. Here goes:

What exactly do you want to wipe?

For most methods presented in this article, the what you want to wipe doesn’t really change the method used to wipe it, except for the parameters passed to the specific tools.

Identifying where to perform your wipe.

OK. So you’ve either booted up the target machine with a Live CD, or you’ve attached the drive to your current workstation. How do you know which device it is? Well, here’s a little background. Those of you familiar with Linux device names and identifying attached hard drives will probably want to skip ahead.

Any attached hard drive can be accessed, as if it were a normal file, under the /dev tree. Generally speaking (there are definitely some exceptions to this) IDE type drives follow the naming convention /dev/hdX - where X is a letter a, b, c etc., and other non-IDE type drives (including SCSI, SATA, etc.) are identified as /dev/sdX.

So, for example, the first detected IDE drive (IDE Disk 1 on channel 1 of the first controller) would be at /dev/hda, which the second would be at /dev/hdb.

Likewise, SCSI drives follow a similar patters. The first drive (or LUN, if it is an array) on the first channel of the first detected SCSI controller would be identified as /dev/sda, the second /dev/sdb, etc.

So what do I mean by “first detected”? This is (again, generally speaking) the order in which the kernel module drivers for the devices are loaded.

OK - so that’s how to identify the drive. What about partitions? Those are assigned to a different point under the /dev tree, with a numeric indicator of the partition number (in sequential order.) For example, the first partition of the first IDE drive will be /dev/hda1, and the second /dev/hda2. As you might expect, the partitions of the first SCSI drive would be /dev/sda1, /dev/sda2, etc.

However, things get a little more interesting if you involve the Logical Volume Manager.

I won’t go into the details of how the Logical Volume Manager (LVM) relates to partition numbers. If you are faced with this situation and don’t quite understand which partition means what, I’d actually recommend just wiping the entire disk.

Performing the wipe the quick-n-dirty way.

This method is not entirely secure (meaning a determined person could potentially recover data even after this) but it will protect you against all reasonable, common attempts to scavenge data from the drive.

The core of all of this stems from the fact that deletes on pretty much all file system types don’t actually delete. Generally, they overwrite pointers on the disk that point to were actual data resides. With the pointers gone, the operating system (Linux, Windows, whatever) has no idea of how to read the data.  But, the data is still physically on the disk, and can be retrieved almost trivially with a little knowledge and commonly available tools such as Foremost (ubuntu package: ‘foremost’ - Forensics application to recover data)

So, what we want to do is actually overwrite all of the old data. (Note: if you are going to wipe a disk or a partition using these methods, there is no benefit to deleting stuff prior to the operation. Save yourself some time)

Also, for the methods below, it really makes no difference what operating system created the data in the first place.  If you can get the drive attached to you machine (or access it booting with a Live CD) you can easily erase a Windows, Mac OS X, MS-DOS or whatever drive.

So, here we go.

If all you want to do is overwrite the data, then the simple command line tool ‘dd’ is your friend. dd stands for ‘Direct Dump’ and it does just that - directly dump data to a file. Only in this case, our “file” will be the device link to a disk or partition.

dd has kind of a funny syntax (funny in the UNIX or Linux world, at least) for specifying command line parameters. It is <param>=<value>. To start off, there are only two that we need to worry about. These are ‘if’ (for input file) and ‘of’ (for output file). So, let’s say we want to wipe the first partition of the first SCSI drive in our system. That’s easy! just use:

dd if=/dev/zero of=/dev/sda1

of=/dev/sda1 tells dd to write all data to /dev/sda1, or the first partition of the first SCSI drive.

if=/dev/zero may seem a little strange if you’ve never seen it before. The device /dev/zero is essentially a pseudo-device that dumps out a continual string of zeros. So, dd will continually read from it’s input file (if=) and write that same data to it’s output file (of=) until…

Well, basically, until it gets an error that the disk is full. Which is exactly what we want in this situation, a disk full of zero bit data, or a completely erased disk.

If you want to be a little cooler with your use of dd parameters, you can utilize the bs= and count= parameters.  bs= designates the block size, and count= is the number of bs chunks of data (i.e. the number of blocks) of data that will be written.  If you are not familiar with how to determine the block size and block count of your disk drive, I’d highly recommend just using the method described above.

So that erased my disk!  Great, what else could I have to worry about?

Well, that depends on either 1) how paranoid you are, or 2) what your application is.

For the really paranoid, always remember remnance!

So what the heck is remnance?  Basically, you can think of this as leftovers in the process of writing data to magnetic media.  At a very high level, writing to magnetic media is basically applying a magnetic field to a region of the media to change the “pole” or “charge” of that region.  For simplicity sake, think of the two poles of a magnet north (N) and south (S).  No imagine that all N regions represent a 0 (zero) and all S regions represent a 1.  You’ve got a simple formula for representing your binary data on your magnetic media.

Since this is a process of changing the magnetic orientation of a region of media, things can change over time.  Fluctuations in the space between the write head and the media due to heat variations, humidity, etc, as well as changes in the media itself over time can effect the way the media responds to this reorientation process.

Or, as another analogy, imagine that you are standing in front of a wall with a bunch of balloons filled with either red or green paint.  Assuming you can always throw the balloon at the exact spot on the wall, tiny differences in the wind at the time it is thrown or whatever will result in slightly different patterns splattered on the wall.  While the center of the region will always obviously be either red or green after each throw, there will be remnants of previous throws around the rim of where they hit.  And, if you threw a green balloon last time, and a red balloon this time, the outer area of the “splatter” will show more green than red.

This is basically what happens with your magnetic media.  Tiny tell-tale signs are left on the periphery of the regions that can give clues to data that was written there previously.  Processes - such as Magnetic Force Microscopy - can then be run on the media itself to lift this information from the disk and deduce - if not outright read - what was previously there.  In other words, simply overwriting your magnetic media with all zeros as above doesn’t completely remove all traces of the data on the disk!

Minimizing remnance via software

It is very important to note that, while software based methods can significantly reduce the possibility of data recovery using magnetic remnance, it can never completely eliminate it.  Again, this is one of those things where you have to consider what your requirements are.  Do we just want to make sure that no one can reasonable pull our tax return from our hard drive after we sell it on EBay?  If so, the software solution below is probably very reasonable.  Are you trying to eradicate data from the hard drive that has the super-secret pictures of the alien autopsy performed at Area 51?  Well, then, software won’t cut it (and you’re hopefully not looking for advice from my blog anyhow!)

The general idea behind a software based approach to addressing remnance is to not simple overwrite the data once, but to repeatedly ‘flip’ the bit.  That is, write all zeros to the disk, followed by all ones, followed again by all zeros.  By using this method, you can scramble the data available from remnance, and make it much harder for anyone to pull anything useful from the drive.  The more times you consecutively ‘flip’ the bit, the better off you are.

Unfortunately, there is no really easy way to stream a series of bits of ones the way that /dev/zero streams bits of zeros.  For that, you’ll need some other piece of software.

xFlip

One options is xFlip (more details and downloads are available on the xFlip page) written by yours truly.  With xFlip, you can choose any combination of:

• Overwrite the data with random bits
• Overwrite the data with all zeros
• Overwrite the data with all ones
• ‘Flip’ all bits to their opposite (technically, XOR each byte with 255)

And you can repeat any combination of these steps an arbitrary number of times.  Currently, I’ve not yet created a Ubuntu package for this - either it’s source or a binary form.  However, if you are reasonable comfortable with gcc or your favorite ANSI C compiler, the source code is pretty small and basic.  If there is enough demand, I’ll gladly put the time into packaging this for Hardy, for whatever platforms I can get my hands on.

xFlip has its limitations too, however.  For example, any sectors that have been marked as “bad” by the disk will not be touched, and could potentially leak data that was originally written to them.

Wipe

The Ubuntu package wipe (sudo apt-get install wipe, or via synaptic package manager) is primarily focused on removing individual files.  However, it will happily work with full disk devices or partitions by addressing them with the same /dev tree locations described in the ‘dd’ method above.  You’ll probably have to manually install it when using a Live CD, however.

Secure Deletion Toolkit

The Secure deletion toolkit (Ubuntu package secure-delete) is another tool primarily targeting specific files.  Again, you’ll not likely find it on most Live CD distributions.

Actually, it is a collection of tools, including:

• srm - Effectively wiping all of the data from a file, instead of just removing the pointers
• sfill - fills (scrambles) all of the free space on a drive.  This will obfuscate any data left laying around from files previously deleted on your disk.
• smem - wipes data from memory in a secure way.  This may seem silly, until you consider the proliferation of solid state memory devices
• sswap - Wiping swap space.

It may seem odd, but if this is your toolkit of choice, sswap can actually be used to successfully eradicate the data (with the limitation describe above) from a hard disk or partition.  It’s kind of a hack, but here is the idea:

First, identify your target drive as describe in the ‘dd’ method above.  Then, after mounting the drive on your Ubuntu system, or operating off of a live CD, first initialize the disk or partition as swap space (however, see notes below.)  For, say, the first IDE drive, you would use the command:

mkswap /dev/hda

Similarly, the first partition on the second SCSI disk would be:

mkswap /dev/sda1

In fact, the mkswap command may not be necessary.  This is not my preferred method or software, so I haven’t tried it without the mkswap command.

Then, simply:

sswap {device}

and replace {device} with the /dev path to you hard drive or partition, and you’re good to go.

Further Methods

The only other options for data destruction above and beyond this are all physical based methods.  Obviously physical methods can not be accomplished from your workstation, but I include them for completeness:

• Passing the physical disk through a very strong magnetic field.  This is referred to as degaussing.
• Incineration.  But, you better make it really really hot.
• Shredding.  Even more important than with paper, though (due to the small ‘region’ size on high density hard drives) the size of the chunks coming out of a disk shredder are extremely important.

You’ll find a multitude of commercial services offering any of the above.  If you work for an organization that is serious about data destruction, but wants to keep it in-house for policy, compliance, or other reasons, commercial degaussers are probably the best bet.

So there ya have it!

In truth, if you are just the average person, the ‘dd’ method described above will likely be plenty for protecting the normal user data from any reasonable attempt to extract it.  It doesn’t take much more to go the next step and use a tool like xFlip, wipe, or sswap to eradicate the data in a way that would protect you from all but the most determined and money-rich government, investigative agency of contracted digital forensics firm.

I use WINE on an almost daily basis to run Windows binaries right in my Linux environment.  It is a requirement of my job, and virtual machines such as VMWare (or here), VirtualBox, etc.  just seemed like overkill.

However, I was recently surprised to discover that many people are not familiar with WINE, what it does, or how easy it can be to make it do it.  That, coupled with the recent post-beta, stable release of WINE itself, pushed me to help get the word out.

So, let’s start with a couple of questions:

What is WINE?

The answer from the WINE website is:

Wine is an Open Source implementation of the Windows API on top of X, OpenGL, and Unix.

Think of Wine as a compatibility layer for running Windows programs. Wine does not require Microsoft Windows, as it is a completely free alternative implementation of the Windows API consisting of 100% non-Microsoft code, however Wine can optionally use native Windows DLLs if they are available.

OK - so what does that mean?  It means that for a good number of Windows applications, you can simply get the EXE file (or COM, or accompanying DLLs) on your Linux-based computer and run them right in Linux.  That’s right - no rebooting your dual-boot system, no starting a virtual machine - just run it and have it integrated into your Linux/Ubuntu desktop environment.  Slick…

Why is it called WINE?

WINE is a recursive acronym for Wine Is Not an Emulator. It refers specifically to the fact that WINE is not intended to emulate a machine running a full install of Windows.  Instead, it is a rewrite of the native Windows API in an open-source format, without reliance on Windows native (and proprietary) code.  The whole idea is that Windows (like most operating systems) relies on calls to an underlying library of system calls.  If you know the system calls and what they are expected to do, you can easily (well, not so easily in practice) create libraries for any operating system or platform by simply accepting the same inputs (function parameters) and performing the appropriate operations to produce the expected output.

Enough with the techno-mumbo-jumbo.  What do I need to do to run a Windows application on my Ubuntu box?

Well, the answer is, that depends.  Ubuntu has long had packaged support for WINE (search for it in Synaptic) but as of this writing, it had not yet picked up version 1.0 (I’ve got 0.9.59 visible in my standard hardy repo currently). However, the fine folks at WINEHq have provided packages that are easily used, all you need to do it point your sources there.

Again, more technical mumbo-jumbo.  Can’t you just tell me how to get it installed?

Why yes I can.  The first step is to update where your system looks for packages.  First, you’ll need to open up a terminal window and make your system “trust” the location the packages come from.  This is done with the command:

wget -q http://wine.budgetdedicated.com/apt/387EE263.gpg -O- | sudo apt-key add -

You’ll be prompted for a password - that’ll be your password.

Next, you need to update your list of valid sources to use the repository of packages at WINE.  There are two ways to do this.

The first way is to (again, in a terminal window) add the following line to the file /etc/apt/sources.list:

sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/hardy.list -O /etc/apt/sources.list.d/winehq.list

And then run the command:

sudo apt-get update

Or, if you are not a fan of editing on the command line, open up Synaptic Package Manager by clicking on System –> Administration –> Synaptic Package Manager.  Once that opens, click on Settings –> Repositories.  This will open up a second window.  In that window, select the ‘Third-party Software‘ tab, and click on the ‘Add‘ button.  In the dialog box that comes up, for APT line, enter:

deb http://wine.budgetdedicated.com/apt hardy main

You’ll be prompted to refresh after you start closing down the windows.  Do so.

At this point, you can simply install the WINE package from Synaptic (or sudo apt-get install wine).

Great - now what?

If the above was successful, you should now see a menu item called ‘Wine’ under your ‘Applications’ menu.  This is where you will see your ‘Windows’ application show up after being installed.  You’ll also get “Open With Wine Windows Program Loader” on the right-click menu for files that the Desktop determines to be Windows executables.

For most of the Windows programs you want to run, it’ll simply be a matter of downloading the Windows installer for the application, and double-clicking on the executable file.

A word of Warning

If you are accustomed to running some sort of virtual machine that is running Windows on your Ubuntu computer, you’ll find this to be a little different.  Files written by programs run with WINE will just exists in your home directory - not some “virtual” disk file as in most virtual machine software.  You’ll also get a much tighter integration to your Ubuntu desktop environment that may throw you off at first, but will be a breath of fresh air once you get used to it.

Where can I find more info?

First off, the Main Wine web site.  I’d also like to thank Tom Wickline for pointing out http://www.wine-reviews.net/, another great place for all things WINEy.

Cheers, and may all of this WINE’ing end your whining about not being able to run what you want, when and how you want!

If you work as a System Administrator - or really any of the IT-type support roles - you may be similar to me. Specifically, I’m torn between two extremes. On the one hand, I have an innate (or perhaps adopted through hard knocks) desire to control absolutely every aspect of my machine. On the other hand, after spending 8 (or 12, or 24 or more) hours straight supporting computer systems, I often want my desktop or laptop to “just work.” Adding to this latter pressure is the very real and practical concern: as a Sysadmin, my computer is a tool to do my job. I want to spend my time doing work and earning duckets, not fixing my own tools.

So, that leads me to a natural tendancy to install the same operating system on my desktop and/or laptop that I use for work. That’s Linux. Now my natural, control everything by hand inclination would lead me directly to SlackWare Linux. Honestly, I do love Slackware. Nothing will get my propeller spinning for hours on end like getting a Slackware install tuned to my exact specifications. But that’s the problem, isn’t it?? That breaks our second requirement. While Slackware may end up being the slickest, most streamlined and efficient Linux distribution after you go through all of the work, it really doesn’t usually just work out of the box. I’m not slighting Slackware here by any stretch of the imagination. But it’s about like driving a race-ready, high-end exotic car to the grocery store 10 blocks away on a 100 degree day. Sure, I can reach nearly 200mph in the exotic - but I’ll never need that to grab a gallon of milk. And I’ll probably want some air conditioning and a window that roles down to make the trip comfortable.

Personally, I’ve found Ubuntu to be the best balance between the two extremes of any Linux distro I’ve used. Ubuntu packaging (ahem - Debian packaging, actually) is a breeze for about 90% of all of the software I need on a machine that I’ll use for work. However, if I need something out of the main stream, or I need to compile something new from source, I can do that too.

Basically, I feel that Ubuntu “just works,” up until the point that I decide that I want to spend the time hacking something together. In those circumstances, Ubuntu doesn’t stand in my way. That’s why this Sysadmin chooses Ubuntu for his laptop, and desktop, and even his Daughter’s laptop.

So, this was driving me nuts.  I was getting constant beeps (terminal bell) from my shell work.  Most notably, it was from tab completion on command lines, or my nasty habit of hitting <ESC> at least twice in vi to get out of insert mode.  I had to make this top!

My previous experience told me to look at termcap files and the like.  Nothing I tried would work.  At the time I decided I’d had enough of the infernal beeping and wanted to do something about it, I was unfortuately without internet access.  As a last “hail mary” effort, I issued a:

ross@peloton:~$ sudo grep -i bell /etc/*
Password or swipe finger:
/etc/inputrc:# do not bell on tab-completion
/etc/inputrc:# set bell-style none
/etc/inputrc:# set bell-style visible
/etc/mime.types:application/vnd.wrq-hp3000-labelled
/etc/pnm2ppa.conf:# "colorshear 0" (the default value) and the best pattern is labelled "-2",
/etc/screenrc:# turn visual bell on
/etc/screenrc:vbell on
/etc/screenrc:vbell_msg "   Wuff  ----  Wuff!!  "
ross@peloton:~$

Woah - what’s that inputrc file?? (Note:  If you’re wondering what the “…or swipe finger:” means, see my post on getting an IBM/Lenovo laptop fingerprint reader working.)

Sure enough, that turned out to be the hit.  In my version of Ubuntu, it was as simple as uncommenting line 21 of /etc/inputrc, which read:

# set bell-style none

Changing that to

set bell-style none

meant that (after starting a new terminal session) all of the beeps were gone.  WOOHOO!