Solaris: Instances, Device Numbers, Major/Minor Numbers

What are the definitions of and the relationships between instances, device numbers, minor nodes, major numbers, and minor numbers?

"Instance numbers" are part of the "shorthand" name for "dev_info" nodes owned by a particular driver. These nodes are usually associated one-to-one with a particular hardware instance: the two 85C30 chips in a SPARCstation each have a dev_info node, named zs instance zero and zs instance one.

Instance numbers are assigned (and owned) by the system, and returned to the driver by ddi_get_instance(9F). Instance numbers and "shorthand names" are not normally visible outside the kernel.

host% ls -l /devices/pseudo/mm:zero 
crw-rw-rw- 1 root 13, 12 Oct 11 02:20 /devices/pseudo/mm:zero

"Minor nodes" consist of all the information that is held about a user-accessible device: the minor number (exported by the special file), part of the name of the special file (the 'zero' in "mm:zero", minor number 12 of the "mm" driver), and whether it is block or character. See ddi_create_minor_node(9F) for how to build one.

"Device numbers" are contained in an opaque type "dev_t". They consist of a major number and a minor number. Because the type is opaque and the bit split differs between platforms, take the two halves apart with getmajor(9F) and getminor(9F) in a driver (major(3C) and minor(3C) in user programs) rather than by shifting and masking.

The "major number" is an internal magic number used by the system to bind special files (such as /devices/pseudo/mm:zero) to device drivers.

In the example above, the "major number" is 13. There is usually no reason for the driver to care what its major number is as they are assigned by the system.

The "minor number" is a component of the device number. Its meaning is entirely up to the device driver, and it is associated with a special file by calling ddi_create_minor_node(9F). In the above example, the minor number is 12. Minor names are associated with minor numbers, as the part following the colon in the name of the special file ('zero' in this case).
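As an added example (not part of the Sun FAQ), the following shell function pulls the pieces described above out of an `ls -l` line for a device special file: whether the node is block or character, the major number, the minor number, and the minor name after the colon. The FAQ's own mm:zero line is the first input; the Linux /dev/sda line is constructed for contrast. It locates the "MAJOR," field by shape rather than by column, so it copes with the Solaris listing (no group column) as well as the usual Linux/BSD layout.

```shell
#!/bin/sh
# Added example (not from the Sun FAQ): recover node type, major number,
# minor number and minor name from one `ls -l` line for a device node.
# The "13," field is found by shape rather than by fixed column, so the
# Solaris listing in the FAQ (no group column) and a Linux/BSD listing
# (with a group column) both parse.

# $1: one line of `ls -l` output.
# Prints e.g. "char major=13 minor=12 minor_name=zero".
# Returns 1 if the line does not describe a block or character node.
parse_dev_line() {
    printf '%s\n' "$1" | awk '
    {
        type = substr($1, 1, 1)
        if (type != "c" && type != "b") { print "not a device node: " $NF; exit 1 }
        # ls prints the major number with a trailing comma ("13,") and the
        # minor number in the next field ("12").
        maj = ""; mnr = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9]+,$/) { maj = $i; mnr = $(i + 1); break }
        if (maj == "") { print "no major,minor pair found"; exit 1 }
        sub(/,$/, "", maj)
        # The minor name is whatever follows the last colon in the path
        # (Solaris /devices naming); Linux /dev names have none.
        n = split($NF, part, ":")
        minor_name = (n > 1) ? part[n] : "-"
        printf "%s major=%d minor=%d minor_name=%s\n",
               (type == "c" ? "char" : "block"), maj, mnr, minor_name
    }'
}

# The FAQ line, plus a constructed Linux block device line for contrast.
parse_dev_line "crw-rw-rw- 1 root 13, 12 Oct 11 02:20 /devices/pseudo/mm:zero"
parse_dev_line "brw-rw---- 1 root disk 8, 0 Jan  1 00:00 /dev/sda"
```

The numbers printed are the ones a driver would get back from getmajor(9F) and getminor(9F) for that node; on a different machine the major number for mm may differ, since the system assigns it.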

Source: http://developers.sun.com/solaris/developer/support/driver/faqs.html


About Sniffers!

Introduction

This text is about sniffers, their good and evil uses, which I hope you will find useful and easy to comprehend. Please note that it is not intended for the network experts out there, i.e. nothing new is said. It does, however, assume you are familiar with basic TCP/IP terms.


Definition of a sniffer

In networking terms, a sniffer is a machine whose network interface card has been put into promiscuous mode, so that it watches every packet on its network segment. In normal mode a network card accepts only frames addressed to its own MAC address (plus broadcast and any multicast groups it has joined). In promiscuous mode it accepts all frames and passes them to the OS. Note that this only gets you other hosts' traffic on a shared medium such as a hub: a switch forwards each unicast frame only to the port where the destination MAC lives, so on a switched network a promiscuous interface sees broadcast traffic and its own unless traffic is steered to it with a mirror (SPAN) port or by ARP spoofing. Sniffing is useful for monitoring a network, detecting malicious packets, capturing passwords, and much more; the same tool is used by crackers, hackers and security professionals for different reasons.


NIDS

NIDS = Network Intrusion Detection System. This is a program which sets the network card in promiscuous mode and checks for interesting packets: hacker attacks such as NT null sessions, failed TELNET authentication and even PINGs, amongst others. One such free tool for Linux (and now even WinNT/2k) is Snort. Snort is given a list of patterns it should check for, log, and alert the user/administrator about. A NIDS is there to accompany a firewall, because firewalls, like any other software, have limitations and can be circumvented. Once an attacker has got past the firewall, anything he does that produces a pattern defined in the Intrusion Detection System will probably land him some new problems :)


Monitoring

This is used by employers wishing to watch over whatever their employees are doing, or by school administrators watching over their students' use of the Internet (or vice versa, which would be interesting). So they will know whether you are watching porn from school or not. One such product for WinNT is Languard, which shows all the connections that other machines on the same network segment are making. It also allows the administrator running Languard to filter certain sites, keywords or protocols. With the recent controversial FBI Carnivore software, we also got an alternative implementation of the evil software: Antivore. This monitors e-mail, tracks a suspect's IP address and basically sniffs all of the suspect's data.


Password Sniffing and other malicious uses

Sniffing passwords is probably what you're after. This basically consists of capturing only the first few bytes of every telnet, ftp (or whatever protocol) session, since that is where the credentials travel. A huge number of programs exist to do this for all platforms. Dsniff (available for Linux and WinNT) does this and more: it even lets you follow another user on the network and browse websites as he does, in real time. Sniffers can be a real headache for the (maybe lazy) system administrator, because once just one machine on a segment is compromised, all traffic entering and leaving that segment can be captured. Thus e-mail, clear-text passwords (telnet, ftp), NetBIOS and much more can be compromised easily.


General Use

TCPDump used to be, and probably still is, the sniffer of choice. It lets the user dump all network data in its raw format. It is usually used to check on particular connections, what data is passing over a particular protocol, and other general use. I personally use Snort for general use (besides using it as an IDS), as by default it decodes the packet data. Other sniffers (network protocol analysers) are Ethereal (for Linux/UNIX, a port is also available for WinNT) and eEye's IRIS (a commercial product). These two are easy-to-use sniffers and will help you learn a lot about your network traffic. WinNT Server also comes with its own built-in sniffer: Network Monitor.
A relatively "new" use of sniffers is passive network mapping and OS detection. A good product which does this (available for Linux and Windows) is Siphon 0.666.


Defeating Sniffers

If you want to be sure that no sniffers are running on your network, there is software which checks for this. AntiSniff by L0pht comes to mind. Other software I know of that checks for this is Sentinel (for Linux) and Languard. One of the ways these work is to send machine A an ARP request for its own IP address, but addressed at the Ethernet layer to a bogus destination MAC that belongs to no machine on the segment, instead of to A's MAC or the broadcast address. A NIC in normal mode drops the frame because the destination MAC is not its own; if machine A is capturing all frames (i.e. is in promiscuous mode), the frame reaches its IP stack, which sees its own address in the request and answers, when it should never have seen the frame at all. A remote probe like this only catches hosts whose stack answers that way, and it can be dodged by a sniffer that filters on destination MAC before the stack sees the frame, so it complements rather than replaces checking the interface flag on the host itself.


Other than that, it is recommended that network administrators use encryption on their networks, thereby making sniffing (maybe by inside users, e.g. employees wishing to blackmail their boss >:) more or less useless. So, for instance, instead of using TELNET, use Secure Shell (SSH).
If you actually want to attack a sniffer, say one running as an IDS or monitor, you can simply flood it with packets. A port scan should in theory break up most of them.


Source: http://eyeonsecurity.org/articles/sniffers.html


Enabling and Disabling Promiscuous Mode

In both Linux and FreeBSD, we can enable/disable promiscuous mode for an interface using "ifconfig". The parameters "promisc" and "-promisc" enable and disable promiscuous mode respectively. On current Linux systems the same is done with "ip link set dev eth0 promisc on" (or "off"), and "ip link show" lists PROMISC among the interface flags while it is active. In Solaris, snoop puts the interface into promiscuous mode for the duration of the capture (snoop -P captures without it) and the interface drops back out when snoop exits.

Examples

Linux
Enable promiscuous mode of the interface eth0:
# ifconfig eth0 promisc

Disable promiscuous mode of the interface eth0
# ifconfig eth0 -promisc


FreeBSD
Enable promiscuous mode of the interface nxge0
# ifconfig nxge0 promisc

Disable promiscuous mode of the interface nxge0
# ifconfig nxge0 -promisc


Solaris
Enable promiscuous mode of the interface vxge0
# snoop -d vxge0

Quit snoop to disable promiscuous mode


Promiscuous Mode

On a shared medium, a Network Interface Card (NIC) sees every frame on the segment. Each frame carries a source and a destination MAC address, and each NIC is identified by its MAC address (also called the physical address, hardware address or Ethernet address).

Once a frame is received, the NIC checks whether it is the intended recipient by matching the destination address against its own MAC address. In normal operation it accepts the frame only if there is a match (broadcast frames and joined multicast groups also pass).

In the other mode of operation, the NIC accepts all frames regardless of the destination address. This is called promiscuous mode.

Promiscuous mode is generally used for debugging network issues and network driver issues, packet sniffing, etc. tcpdump, Ethereal and Wireshark are examples of packet sniffing tools.
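An added example, not from any of the articles quoted here, that turns the promiscuous-mode discussion (the sniffer-detection paragraph under "Defeating Sniffers" above, the ifconfig enable/disable commands, and the explanation of the mode itself) into a host-side check on Linux. It does two things: it tests the IFF_PROMISC bit (0x100, from <linux/if.h>) in /sys/class/net/<if>/flags, which is what ifconfig and ip flip, and it replays kernel log lines, because the kernel records every transition, to find interfaces that were put into promiscuous mode and never taken out. The log lines in the block are constructed; the sysfs path and the two log wordings handled (older "device eth0 entered promiscuous mode", newer "eth0: entered promiscuous mode") are assumptions about the kernel version in use.

```shell
#!/bin/sh
# Added example (not from the quoted articles): find interfaces in
# promiscuous mode on a Linux host, from sysfs and from the kernel log.
# Assumptions: IFF_PROMISC is bit 0x100 of the flags word (linux/if.h);
# sysfs exposes it at /sys/class/net/<if>/flags; the kernel logs transitions
# as "device eth0 entered promiscuous mode" (older kernels) or
# "eth0: entered promiscuous mode" (newer kernels).

IFF_PROMISC=256   # 0x100

# $1: flags word as printed by sysfs, e.g. 0x1103. True if IFF_PROMISC is set.
flags_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# Print the names of interfaces whose flags carry IFF_PROMISC.
# $1: sysfs net directory (default /sys/class/net; overridable for testing).
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for f in "$root"/*/flags; do
        [ -r "$f" ] || continue
        if flags_promisc "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Read kernel log text on stdin (dmesg, journalctl -k, /var/log/kern.log)
# and print interfaces whose most recent transition was "entered", i.e. the
# log says they are still promiscuous. A name that entered and then left is
# not reported, so line order matters.
promisc_from_log() {
    awk '
    /(entered|left) promiscuous mode/ {
        for (i = 2; i <= NF; i++)
            if ($i == "entered" || $i == "left") {
                name = $(i - 1); sub(/:$/, "", name)   # "eth0:" -> "eth0"
                state[name] = ($i == "entered")
                break
            }
    }
    END { for (n in state) if (state[n]) print n }' | sort
}

# Constructed sample log: eth0 went promiscuous and came back, eth1 stayed
# promiscuous (old wording), eth2 stayed promiscuous (new wording).
SAMPLE_KLOG='[   42.117] device eth0 entered promiscuous mode
[   42.900] device eth0 left promiscuous mode
[  310.004] device eth1 entered promiscuous mode
[  512.221] eth2: entered promiscuous mode
[  600.001] usb 1-1: new high-speed USB device number 3 using xhci_hcd'

echo "promiscuous per constructed log:"
printf '%s\n' "$SAMPLE_KLOG" | promisc_from_log
echo "promiscuous per sysfs on this host:"
promisc_ifaces
```

The sysfs check is the authoritative one for the current state; the log replay is what you reach for in an investigation, since it also shows when an interface went promiscuous and whether it was ever put back. Neither can see a sniffer on another host, which is what the ARP probe described earlier is for.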


Customizing Ubuntu Linux Kernel

Kernel customization is not for everyone. Please note before you try any of this that it can break your system. There's a bunch of reasons that you'd want to customize your kernel. You may want to trim down your kernel to only the necessary services, especially if you are running a server or dedicated device that only requires the essentials. You also may need to patch your kernel to support hardware that isn't currently supported with the kernel you are running on. Bear in mind that a kernel you build yourself is no longer updated by the distribution: every later Ubuntu security fix for the kernel has to be rebuilt and reinstalled by you.

This article will not explain how to patch your kernel, just how to customize your current one. I'll have another followup article that explains how to patch your kernel, and some practical reasons why you'd want to do so.

To start, we need to figure out what version of the kernel we are currently running. We'll use the uname command for that

$ uname -r
2.6.17-10-generic

Now we need to install the Linux source for your kernel. Note that I'm running the 2.6.17-10 kernel, so the installer line reflects that; substitute the kernel number for whatever you are running. We also need the ncurses development library (for menuconfig), the kernel-package tools, fakeroot, and a compiler toolchain (build-essential pulls in gcc and make).

sudo apt-get install linux-source-2.6.17 kernel-package libncurses5-dev fakeroot build-essential

If you are curious where the linux source gets installed to, you can use the dpkg command to tell you the files within a package. Here's the output on my system:

$ dpkg -L linux-source-2.6.17
/.
/usr
/usr/src
/usr/src/linux-source-2.6.17.tar.bz2
/usr/share
/usr/share/doc
/usr/share/doc/linux-source-2.6.17
(trimmed)

We can see that the source has been installed to /usr/src as a bzip2-compressed tarball. To make things easier, we'll give ourselves a root shell using sudo. There are other ways to do this, but I prefer this one.

sudo /bin/bash

Now change directory into the source location so that we can unpack it. Note that you may need to install the bzip2 package, which provides bunzip2, if it isn't installed already (it was on mine).

cd /usr/src
bunzip2 linux-source-2.6.17.tar.bz2
tar xvf linux-source-2.6.17.tar
ln -s linux-source-2.6.17 linux

Make a copy of your existing kernel configuration to use for the custom compile process. Note that the ` character is the one below the tilde ~

cp /boot/config-`uname -r` /usr/src/linux/.config

Now we will launch the utility that will let us customize the kernel:

cd /usr/src/linux
make menuconfig

First, go down to Load an Alternate Configuration File and load the .config file (just hit Enter).

[screenshot: Load an alternate configuration]

Now that we are inside the utility, we can set the options for our custom kernel. Navigation is pretty simple, there's a legend at the top if you get lost. I decided to select Networking and hit the Enter key to go down into that category.

[screenshot: Networking modules]

Amateur Radio Support? What in the hell is that installed for? You'll note by the * that it's built into the kernel.

[screenshot: Amateur Radio Support]

By pressing the ? key, we can see the help for that particular item. Here's the explanation:

[screenshot: Ham Radio help text]

Well, I'm going to disable that immediately. Why on earth is that in my kernel anyway? I hit Esc to exit the help screen, then hit N to exclude it from my kernel.

When you are finished making whatever choices you want, hit Exit and save the configuration when prompted.

Now we have a configuration ready to compile. First we'll do a clean, just to make sure everything is ready for the compile.

make-kpkg clean

Next we'll actually compile the kernel. This will take a LONG FREAKING TIME, so go find something interesting to do.

fakeroot make-kpkg --initrd --append-to-version=-custom kernel_image kernel_headers

This process will create two .deb files in /usr/src that contain the kernel. The linux-image**** file is the actual kernel image, and the linux-headers**** file contains the kernel headers needed to build modules against it. You can install both with dpkg. The filenames will probably be different on your system.

Please note that when you run these next commands, this will set the new kernel as the new default kernel. This could break things! If your machine doesn't boot, you can hit Esc at the GRUB loading menu, and select your old kernel. You can then disable the kernel in /boot/grub/menu.lst or try and compile again.

dpkg -i linux-image-2.6.17.14-ubuntu1-custom_2.6.17.14-ubuntu1-custom-10.00.Custom_i386.deb
dpkg -i linux-headers-2.6.17.14-ubuntu1-custom_2.6.17.14-ubuntu1-custom-10.00.Custom_i386.deb

Now reboot your machine. If everything works, you should be running your new custom kernel. You can check this by using uname. Note that the exact number will be different on your machine.

uname -r
2.6.17.14-ubuntu1-custom
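As an added example, not from this article or from HowtoForge, here is a shell wrapper for the procedure above that automates its mechanical parts and checks the preconditions before the long compile starts: it derives the linux-source package name and the /boot/config path from uname -r, refuses to run without a compiler, fakeroot, make-kpkg, a root shell and an unpacked source tree, and then issues the same make-kpkg commands as the article. The layout it assumes is the one shown above (the tree unpacked as /usr/src/linux-source-X.Y.Z, used directly rather than through the /usr/src/linux symlink); the package and target names are the article's own.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight wrapper for the
# kernel-package build described above. The checks are the point; the build
# commands are the same ones the article runs by hand.

# Map a `uname -r` string such as 2.6.17-10-generic to the Ubuntu source
# package name, linux-source-2.6.17 (everything before the first "-").
source_pkg_for() {
    printf 'linux-source-%s\n' "${1%%-*}"
}

# Path of the distribution config for a kernel release, e.g.
# /boot/config-2.6.17-10-generic; this is the file the article copies to .config.
config_path_for() {
    printf '/boot/config-%s\n' "$1"
}

# Sanity checks worth doing before spending an hour compiling.
# $1: kernel release; $2: unpacked source tree. Returns non-zero on any failure.
preflight() {
    rel=$1; tree=$2; ok=0
    for tool in make gcc fakeroot make-kpkg; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool"; ok=1; }
    done
    [ -f "$(config_path_for "$rel")" ] || { echo "missing: $(config_path_for "$rel")"; ok=1; }
    [ -f "$tree/Makefile" ] || { echo "not a kernel tree: $tree"; ok=1; }
    [ "$(id -u)" -eq 0 ] || { echo "run from a root shell (sudo /bin/bash)"; ok=1; }
    return $ok
}

# Full run: derive names, check, seed .config from the running kernel,
# let the user edit it, then build image and headers packages.
build() {
    rel=$(uname -r)
    tree=/usr/src/$(source_pkg_for "$rel")
    preflight "$rel" "$tree" || return 1
    cp "$(config_path_for "$rel")" "$tree/.config"
    cd "$tree" || return 1
    make menuconfig
    make-kpkg clean
    fakeroot make-kpkg --initrd --append-to-version=-custom kernel_image kernel_headers
}

# Only start a build when explicitly asked; sourcing the file just defines
# the functions so they can be reused or tested.
if [ "${1:-}" = "--build" ]; then
    build
fi
```

Run it as "sh build-custom-kernel.sh --build" from the root shell the article opens. If preflight complains, fix the listed item first; a missing gcc or config file discovered after an hour of compiling is the usual way this procedure wastes an afternoon. The resulting .deb files still land in /usr/src and are installed with dpkg -i exactly as shown above.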

Also, In the interests of full disclosure, I learned how to do this from the article at HowtoForge, which is a great website for some very advanced tutorials on linux. You'll note that many of the steps in this article are similar, although I tried to make this article more "Ubuntu".

Source: http://www.howtogeek.com/howto/ubuntu/how-to-customize-your-ubuntu-kernel/
