In order to use a hard drive, it must first be partitioned. Partioning is the process of dividing your hard drive into chunks so that it can be prepared for use. Even if you’re going to keep the hard drive all in one piece, it must be partioned so that the select system knows it is intended to be in one piece.

Each device has a Master Boot Record. The MBR for each device contains space for only four partition entries. Of these entries, only one can be designated as an extended partition. All others must be set as primary partitions.  Windows XP and Linux can all be installed and set as bootable on primary or logical partitions.

The three terms we will discuss: primary, extended and logical

A primary partition is bootable. There can only be a total of four primary partitions on one disk. In earlier versions of Microsoft Windows, the first drive, C: had to be located on a primary partitions. Since Windows NT 3.51, this is not longer a requirement. The first partition on a disk does not need to be a primary partition. As a matter of fact, there doesn’t need to be any primary partitions on a disk. Primary partitions do not have to contain any operating system, they can serve simply as storage. Information about primary partitions are stored within the master boot record, as an entry in the master partition table.

Extended partitions are like containers. The entry for Extended partitions on the MBR actually points to a logical volume, inside which you can make as many logical partitions as you need. Extended partitions serve only as containers for smaller, secondary partitions called logical partitions. Extended partitions are not formatted or given drive letters, because they are only containers. Extended partitions aren’t useful until you start creating these smaller logical partitions within them.

The extended partitions were designed to add flexibility for users who wanted more than just four primary partitions. In disk partition utilities, extended partitions are usually denoted by colored borders around logical drives. If extended partitions are created, there will be a master partition table entry in the master boot record.

Logical partitions are the smaller partitions that must be created within the extended volume. They are bootable and can be formatted and assigned drive letters. All NT based systems can be installed and booted from logical partitions. Booting with logical partitions is easier with linux filesystems, but can be more complex with windows. Some find it easier to install the BOOT files for a windows logical partition onto a primary partition.

That’s all for now. I hope this shed some new light on some old terminology for you. You can find more detailed information on the topic covered by following the links below.

Information discussed is presented from personal experience and several authoritative sources. Please let me know if you find any errors.

——————–

Goodell, Dan. “Understanding MultiBooting and Booting Windows from an Extended Partition.” Understanding Multibooting. 10 Feb. 2007. 26 May 2009 <http://www.goodells.net/multiboot/>.

“How to create a multiple-boot system in Windows XP.” Microsoft Help and Support. 31 July 2007. Microsoft. 26 May 2009 <http://support.microsoft.com/kb/306559>.

Jaclaz. “Partitions: Primary vs Logical?” 11 Dec. 2004. www.msfn.org. 26 May 2009 <http://www.msfn.org/board/Partitions-Primary-vs-Logical-t33964.html&st=6>.

Kozierok, Charles M. “Primary, Extended and Logical Partitions.” Primary, Extended and Logical Partitions. 17 Apr. 2001. 26 May 2009 <http://www.pcguide.com/ref/hdd/file/structPartitions-c.html>.

Before we continue, a special thanks to Dr. R. Vaughn for the inspiration to pursue the truth, and to T. Nguyen for his initial research and demonstration. Credit for this application belongs to developer Thomas d’Otreppe and a galactica of other programmers from around the world. Thanks.

Here’s a checklist of what you’ll need before you begin:

• Linux platform (HD Install, Live CD, and USB mediums all work)
• Aircrack-ng version 1.0-rc3 or later (download)
• Compatible wireless card (more info)
• A wireless router to serve as a target access point (AP)
  LEGAL WARNING: Do not use this tool on an unauthorized network.  Experts in the United States believe that sometimes, such use of an unsecured wireless network may be considered an “unauthorized access of a computer” which is prohibited under Federal law and even theft of communications. Legal causes of action which were cited include defrauding the Internet service provider and a breach of the Internet service agreement. (source)

There are seven primary steps to cracking a WEP encrypted wireless network. These steps serve as an overview of this tutorial:

1. Checking the status of your wireless device
2. Enabling “monitor mode” on your wireless device
3. Scanning local wireless access points and choosing the target
4. Filter the scan to display desired target only
5. Send Authentication Request and Associate with AP
6. Generate and capture sufficient traffic data
7. Crack captured Initialization Vectors (IVs) and decrypt WEP key

For clarification, you should know that the screenshots below were taken on a BackTrack3 linux sec distribution. I used a HD install setup and a wireless card manufactured by Edimax (model: ew-7318usg). I had to manually install RT73 (USB) drivers published by serialmonkey.

Step 1: Checking the status of your wireless device

We’ll begin by verifying that you have an installed wireless device:

• Open up a shell console.
• Type iwconfig to list all recognized wireless devices.
• You may see several devices listed. Possible names are eth0, wlan0, rausb0, etc.
  eth = ethernet, wlan = wireless interface, rausb = USB wireless interface
  note: the numerical suffix in the device name represents a method of ordering the devices for the computer

Determine which wireless device you’ll be using and remember that device name for later.

Next, we’ll use the ifconfig command to record the mac address of your selected wireless device.

• In the shell, type ifconfig <device name> to bring up the configuration for your selected device.
  example: ifconfig rausb0

Image 1-0 // Using iwconfig and ifconfig to gather your device info

Note: Image 1-0 shows “no wireless extensions” next to lo, and eth0. That is because neither of these devices are wireless. lo = local loopback and eth0 = wired ethernet. I will be using “rausb0″ in my examples. You must replace “rausb0″ in the following commands with whatever your wireless device name is.

Step 2 – Enabling “monitor mode” on your wireless device

Using the Aircrack-ng utility package we installed, we will use the airmon-ng command to list the recognized devices, change our target device from Managed to Monitor mode, and than verify that our wireless devices has been properly modified by revisiting the iwconfig command.

• In the shell console, type airmon-ng. A list of recognized wireless devices will appear.
• Type airmon-ng start <device name> to set your wireless device to Monitor mode.
  Note: replace <device name> with the wireless device you’ve chosen to use. In this case I used rausb0.
  example: airmon-ng start rausb0
• Finally, type iwconfig <device name> to verify that your device Mode is set to “Monitor”.
  example: iwconfig rausb0

Image 1-1 // Setting mode to Monitor and confirming with iwconfig

Step 3 – Scanning local wireless APs and choosing the target

Now that your device is in monitor mode, we can scan for local wireless traffic and zero in on our target using the airodump-ng command.

• In your shell console, type airodump-ng <device name> to begin gathering wireless traffiic data. Over time, you will begin to see wireless access points in your vicinity pop up (if any exist). It is even possible that airodump-ng will begin to gather data on clients that are connected to the wireless APs. You’ll see these stations listed in seperate section.
  example: airodump-ng rausb0airodump-ng legend [Image 1-2]:
  BSSID = the mac address of the AP
  PWR = power of signal strength
  Beacons = number of beacon packets sent out, these packets broadcast AP information
  #Data = number of data packets being generated
  #/s = number of data packets per second
  CH = channel number of wireless signal
  MB = # Mb/s type encryption
  ENC = Encryption method
  CIPHER = Cipher type
  AUTH = Authentication type
  ESSID = SSID name of wireless network

Image 1-2 // Using airodump-ng to capture wireless traffic

Step 4 – Filter the scan to display desired target only

After a few seconds, airodump-ng should have displayed the necessary information for your target wireless network. Record the following information for the target network for use later on: BSSID, Channel Number, and ESSID. Now we’re going to use airodump-ng to filter this list and hone in our our target AP.

• Stop your current airodump-ng scan if you haven’t yet by hitting ctrl-c
  
• Type airodump-ng -c <number> -w <filename> -b <bssid> <device name>
  example: airodump-ng -c 10 -w dump -b 00:18:F8:72:7A:1E rausb0airodump-ng legend:
  -c <number> = <number> represents the channel number for the target AP
  -w <filename> = <filename> represents the filename that airodump-ng will create to store Initialization Vectors (IVs). Use something simple like “dump”.
  -b <bssid> = <bssid> represents the mac address of the target AP
  <device name> = <device name> represents whatever your wireless device name is. in our example we used rausb0.

Image 1-3 // Using airodump-ng to filter the scan onto primary target

Step 5 – Send Authentication Request and Associate with AP

Once you’re monitoring the target AP, you’ll need to send an authentication request in order to associate your machine with the AP. This command will allow us to inject data packets into the AP later on, and generate enough data in order to efficiently crack WEP and decrypt the key.

• Let airodump-ng from step 4 continue to scan the target AP.
• Open up a new shell console.
• In the new shell, type:
  aireplay-ng -1 0 –b <bssid> –h <device mac address> –e <essid name> <device name>
  example: aireplay-ng -1 0 -b 00:18:F8:72:7A:1E -h 00:11:22:33:44:55 -e TOYSTORY rausb0aireplay-ng legend:
  -1 0 = “-1 0″ corresponds to an attack by fake authentication, the zero is the delay that we authorize for the answer to come in.
  -b <bssid> = <bssid> refers to the mac address of the target AP.
  -h <deviec mac address> = use the mac address of your computer’s wireless device (refer to Image 1-0).
  -e <essid name> = <essid name> refers to the string name of your target AP.
  examples: linksys, NETGEAR, homerouter, c4ntcr4ckth1s
  <device name> = <device name> represents whatever your wireless device name is. in our example we used rausb0.

Image 1-4 // Using aireplay-ng to send authentication request

Step 6 – Generate and capture sufficient traffic data

Now that we’ve sent our authentication request and associated successfully, we can begin our ARP-request injection. The key to this step is to force a rapid increase in the amount of data being transmitted at the AP. As you monitor the data column with airodump-ng, you’ll notice the data value rising slowly, depending on the amount of traffic that is being generated on that access point. There are several factors that determine this, one of them being whether there are any connected clients who are using the internet.

With ARP-request injection, aireplay-ng listens for an ARP packet, then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new Initialization Vector (IV). The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to decrypt the WEP key.

• Using the same shell from Step 5, or via a new shell, type the command:
  aireplay-ng -3 –b <bssid> –h <device mac address> <device name>
  example: aireplay-ng -3 -b 00:18:F8:72:7A:1E -h 00:1F:1F:27:D2:63 rausb0aireplay-ng legend:
  -3 = “3″ refers to the arpreplay module
  -b <bssid> = <bssid> refers to the mac address of the target AP.
  -h <device mac address> = use the mac address of your computer’s wireless device (refer to Image 1-0).
  <device name> = <device name> represents whatever your wireless device name is. in our example we used rausb0.
• [Image 1-5] You may need to wait a few seconds or minutes, but you should soon start to see a fast flood of ARP requests come across your screen.

Image 1-5 // Using aireplay-ng for arp request injection flooding

• [Image 1-6] Glance over at the shell that is running airodump-ng (step 4) and you should start noticing the data for your target AP increase dramatically into the thousands.

Image 1-6 // Airodump-ng (step 4) showing rapid data traffic increase

• At this point, thousands of IVs are being captured and deposited into the file you created in step 4 (if you used my example, the file will be named something like dump-01.cap). In order for the aircrack-ng utility to be succesful, you must capture at least 10,000 packets of data. The more data you capture, the greater your probability of being successful in decrypting the WEP key. I recommend letting the #Data reach nearer to 30,000 if you want a high success rate.
• Hit ctrl-c to stop your ARP requests once you notice your #Data has reached a high enough value.

Step 7 – Crack Initialization Vectors (IVs) and decrypt WEP key

Now we’ll ask aircrack-ng to analyze our dump file and begin the process of decrypting the IVs for the WEP key.

• Use the command aircrack-ng -b <bssid> <full filename> to begin cracking.
  example: aircrack-ng -b 00:18:F8:72:7A:1E dump-01.capaircrack-ng legend:
  -b <bssid> = <bssid> refers to the mac address of the target AP.
  <full filename> = <full filename> refers to the complete filename of the file used to capture IVs. (in our example we created the file in the root directory, and using a simple ls command told us the filename was dump-01.cap)
  note: when creating the dump file, “-01″ was automatically added in order to prevent file overwriting. this pattern continues with all consequent file creations receiving a unique suffix
  (dump-01, dump-02, dump-03, dump-04, etc .)
• If you captured enoughweak IVs, aircrack-ng crack successfully and you’ll be shown the hex value for the WEP key

Image 1-7 // Successful decryption and hex representation of WEP key

Now it’s as simple as entering the hex values into a wireless assistant manager in order to gain access to the WEP wireless network. Hardly comforting. Feel free to leave any questions, comments or concerns below and I’ll do my best to respond or help you resolve any issues.

Since the days of spoofing fake certificates with sslsniff, a new pattern has emerged where companies are increasing the amount of “negative feedback” versus “positive feedback” that appears on a website. Positive feedback on a website comes in the form of padlocks strategically placed throughout the webpage and browser, as well as rhetoric that make the typical end-user feel safe. Examples of the latter include well-placed words next to login buttons like, “Safe. Secure. Private.” Negative feedback presents itself as big warning signs whenever users try to visit “unsecure” pages. In Internet Explorer and Mozilla, this often means that websites do not appear at all at first, instead – the user is presented with a full page warning and guided through a series of cautionary steps to ensure that they really want to visit the website. Sslstrip relies on avoiding all signs of negative feedback. Instead of creating fake certificates which might spur these warnings, it proxies the traffic between http and https protocols in order to gather sensitive information such as usernames and passwords.

At the core, the attack exploits the unsecure http protocol, the weakest link in the chain. Two of the main ways that SSL is encountered on the web are when people click on links, or through redirects. Consider the online bank website for Wachovia. Typically, people will type in “wachovia.com” into the address field. This takes them to the address http://www.wachovia.com, an unsecure website. The website requires that they input their username/password credentials and click the login button in order to be redirected to the secure website https site – https://www.wachovia.com. Consider PayPal who wants users to be secure from the get-go. A user typically types in paypal.com, which sends an http request to PayPal, and then PayPal sends a redirect back to the browser saying that this should actually be SSL, only then does the browser make a SSL connection. This is the premise upon which sslstrip relies on. The attack focuses on the unsecure http page, exploits it, and then allows the attacker to manipulate the traffic.

Sslstrip begins with a MITM attack on a connection. Next, whenever sslstrip sees secure links or redirects, it will swap them out with the insecure look-alikes. As an example, url links could be changed from ‘<a href=”https://…”>’ to ‘<a href=”http://…”>’. The website ends up looking the same to the user because it is just a different protocol. The same thing is done with location headers.  Location headers are present in redirects, which tells your browser it should be connecting to somewhere else. As an example, when the attacker sees a redirect to “https://www.paypal.com”, sslstrip strips the redirect and points the browser to an unsecure look-alike with the http protocol, “http://www.paypal.com”. This is how sslstrip acts as a proxy for the sensitive information between the victim client and legitimate server. Sslstrip will even help increase positive feedback for end-users by inserting favicons with the familiar “secure padlock” icon in order to build trust. These padlocks can be placed in the address bar, and even on the browser itself. If everything works as planned, the MITM attack will steal passwords and other credentials without the client knowing.

So what’s the solution to increasing defense against this type of attack? There are several projects underway that aim to increase user awareness. One of these is the use of EV SSL Certificates. An EV protected site will generally have a large green bar where the address field is.  This big green header is supposed to tell users that they’re at a secure location. Of course, this type of notification doesn’t do much for users who aren’t educated or who don’t know whether a website utilizes EV protection. Certain authors such as Mike Fratto from InformationWeek suggest that, “there needs to be a consistent user interface that all browsers conform to that shows when SSL is enabled and when it isn’t. Meaning all browsers put the SSL-enabled display in the same place and in the same fashion.” This method of consistency seems to be the best way to imprint habit into user’s minds. Others suggest more encryption, and the complete exclusion of webpages that aren’t secure. On the other hand, some users are concerned that this would put much heavier loads on webservers. In the end, I think Moxie Marlinspike put it best when he called it an, “arms-race” with no end in sight. Hopefully, the increase of awareness or of newer and better protocols will soon diffuse this vulnerability.

Click to watch interview with Moxie Marlinspike

Sources:

1. Thoughtcrime.org
2. The H Security
3. OXID.IT
4. SecurityTube

Recently, during my quest to understand the history of telecommunications and cybersecurity, I’ve come across an interesting intersection – The Voice of Long Island.

According to 2600.com, The Voice of Long Island is one of the most significant, older radio shows laying the groundwork for the 2600 Magazine. Two hosts, Mike Yuhas and Eric Corley play around with phones and call operators from all over the world, doing wild experiments on the air, performing comedy sketches and displaying the true potential of noncommercial radio.

Emmanuel Goldstein, author of The Best of 2600: A Hacker Odyssey, has recently started uploading an archive of these shows, the first airing on February 7th, 1981. Each episode will be uploaded online exactly 28 years after it was first aired.

Emmanuel Goldstein

A short review of the radio show at 2600.com says it best…

Found here is a veritable time capsule from the early 80s, where the differences in society, technology, and attitude become readily apparent. This was an era without CDs and where rotary phones were commonly used. It was a time without computers and automation taking over virtually every part of our lives. The Bell System was still the only game in town, Ronald Reagan was the newly elected president, and there was no such thing as downloading music.

I encourage any of you who are feeling a tingling of excitement to follow along with me!  You can download high and low quality tracks by following the link after the break.

(Source: 2600.com)
> High-Bitrate
> Low-Bitrate

Before you begin, you’re going to need a few software tools. Here’s your checklist:

• Ubuntu Linux (download)
• PuTTY (download)
• Ultra VNC Viewer (download)

For clarity, we’re going to divide the instructions into four parts.
(1) Preparing Ubuntu, (2) Preparing Your Router, (3) Configuring PuTTY on Vista, and (4) Connecting to Ubuntu from Vista with VNC Viewer.

1. Preparing Ubuntu – Installing SSH & Activating Remote Desktop
   You’re going to need to install SSH and activate Remote Desktop on your Ubuntu machine in order to connect to your box securely.
   > Install SSH - Run this command in console: sudo apt-get install openssh-server
   > Activate Remote Desktop - Navigate to System -> Preferences -> Remote Desktop.
   Turn on three settings: Allow others users to view your desktop, Allow other users to control your desktop, and Require the user to enter this password. (remember this password for later)
2. Preparing your Router – Forwarding the SSH port to Ubuntu.
   You will have to forward the default SSH port (22) to the IP address of your Ubuntu box. Usually this involves telling your router which port you want to forward (22), as well as telling your router which IP address you want the port forwarded to (Your Ubuntu box, ex. 192.168.1.101).
3. Configuring PuTTY on Vista – We’re going to create a secure, SSH Tunnel connection from your Vista machine to your Ubuntu box using PuTTY.
   > Start putty.exe
   > Entering Host Name – Navigate to Session and enter the Host Name (or IP address) you want to connect to. In this field you will enter the EXTERNAL INTERNET IP ADDRESS of your router. (ex. 62.151.215.208, not 192.168.1.1)
   > Setup a SSH Tunnel – Navigate to Connection -> SSH -> Tunnels. Under Source Port enter 5900. Under Destination enter the local IP address of your Ubuntu machine (ex. 192.168.1.101), and add “:5900″ to the end of the address (ex. 192.168.1.101:5900). Click Add when you’ve filled in both fields.
   > Save your session and connect – Navigate back up to Session and Save your current settings. Make sure to use a familiar name for future reference. Hit Open to begin connecting to your server.
   > Connect to your Ubuntu box – You’ll see a black window where you need to enter your username and password. Enter your user login credentials to connect to the machine.
4. Connecting to Ubuntu from Vista with VNC Viewer – Now that you have established a secure connection by SSH Tunneling to Ubuntu, open the VNC Viwer application from your Vista machine.
   > Connect to localhost (127.0.0.1) and when prompted, enter the password you designated when turning on Remote Desktop on your Ubuntu machine (Step 1 Part 2)

You should now have a visual connection to your Ubuntu box! Feel free to ask questions on the above steps by commenting below.

So what constitutes a strong password? Simply put, variability of keys and length. A multitude of the password cracking tools on the market today use dictionary wordlists to guess weak and popular choices for passwords. Don’t fall into the trap of using passwords like these:

1. password123
2. 123456
3. qwerty (notice the pattern on your keyboard)

Instead, make sure you’re using the SHIFT key often to produce uppercase letters as well as symbols along with your typical lowercase and numbers password.  Consider some examples below of strong passwords. Note that you can still create a relatively simple password if you use words familiar to you.

1. Windows!42/XP
2. My!Password!12#
3. i!luv$MONey
4. Kathryn!sH0t!@

These passwords make it nearly impossible for password crackers that use wordlists to guess your password. Does this mean you’ll be completely safe from predators – no. But it does improve your personal security strength. Security starts with humans first, and computers second.

Finally as a last tip for password protection, don’t ever write your password down anywhere.  If you don’t think you can remember a certain combination, than use another one.