Friday, October 19, 2012

BC - An arbitrary precision calculator language



bc is a language (and compiler) whose syntax resembles that of C, but with unlimited-precision arithmetic. bc consists of identifiers, keywords, and symbols, which are briefly described in the following entries. Examples are given at the end.
Interactively perform arbitrary-precision arithmetic or convert numbers from one base to another. Input can be taken from files or read from the standard input. To exit, type quit or EOF.

An identifier is a series of one or more characters. It must begin with a lowercase letter but may also contain digits and underscores. No uppercase letters are allowed. Identifiers are used as names for variables, arrays, and functions. Variables normally store arbitrary-precision numbers. Within the same program you may name a variable, an array, and a function using the same letter. The following identifiers would not conflict:
x : Variable x
x[i] : Element i of array x. i can range from 0 to 2047 and can also be an expression.
x(y,z) : Call function x with parameters y and z.

Thursday, September 13, 2012

SSH Tunneling Attack into Local Network

In this case I'll show how an attacker outside the network can get into a local network via a Linux server. The scenario looks like this:

This is the attack scenario for this case: the attacker, coming from the outside network, hijacks the Linux server and then pushes on into the local network (Windows). I'll walk through it with a black-box method, so the first thing we need is network scanning, or information gathering.

Now we can see the services and versions on the target system. From this data we can look for a vulnerable service that gives us an entrance into the target machine. I try the Samba service, so I open Metasploit on the console and search for a Samba exploit for Unix machines.

After choosing an exploit for a Unix machine running Samba, I display the options for this machine, like here:

I list the options by typing "show options" so we can see which options still need to be filled in: LHOST is our own IP, RHOST is the target IP, RPORT is the port we'll use on the target machine, and PAYLOAD is the shellcode used to get a shell on the target system. Here is what I do:

Then I run the exploit, which tries to inject the payload into the target system. If it succeeds, the process looks like this:

After getting into the target machine we can type "ls" to look at the directory, like this:

I check who I am on the machine with the commands id and whoami:

Now we have root, which means we succeeded in getting root ("rooting") on the target system. After that we can get the password hashes from /etc/shadow:

Now it is time to crack the passwords from the hashes in /etc/shadow. I copy them into a text editor, save them as a txt file in the john folder, and use John the Ripper to crack the password hashes, like this:

Now that we have access to the machine, and we know from the nmap information that it is running an SSH service, I try to log in over SSH with the user and password obtained above:

After successfully entering the system over SSH, I look at which network interfaces are active on that machine:

I found two active network interfaces, eth0 and eth1. From this we can guess that the system is a server for the local network: eth0 is for internet access and eth1 is for the local network. So I try scanning the network on eth1 from this machine, like here:

There are two machines active behind this server. I decide to attack the target IP 10.10.10.2 from my machine using a tunneling technique over the SSH service. I do it like this:

After getting access via the tunnel, I set it to port 9090 and edit the proxychains port from 9050 to 9090 so it uses the tunnel. Then I open Metasploit through proxychains. The logic is that Metasploit runs through the tunnel on port 9090 to the Linux server and jumps from there into the local network.

I will attack the Windows system on the target with the information from the earlier gathering, and I decide to attack its Samba service, like here:

After setting RHOST to the target IP, I use the Meterpreter bind_tcp payload, like this:

I set the payload and run the exploit:

I try to migrate to another process on this machine; I choose explorer.exe.
At this step we have access to and control of a machine on the local network via the tunnel through the server machine.

Monday, March 26, 2012

Prologue of Computer Forensics

Identification of device evidence

To identify a device we first need to know about it from a global view: its brand, type and function. After we know the device and its function, we need to identify it from the software view, that is, its internal contents.

In the identification phase, as an introduction to the device, we can use a few tools. In this case I recommend md5sum, a tool that generates a file fingerprint (hash). With it we can validate the integrity of the file; this step is part of the chain of custody.

After generating the hash of the file we can image (clone) it with dd, which copies byte for byte. But before using dd we need to mount the device with special care: mount it with noatime so access times are not updated, noexec to restrict execution, and ro for read-only mode.

When the dd clone is finished, check the output file again with md5sum. The hash must be the same, which verifies that the clone and the master are identical files. Once we have the clone we can seal the master device to keep the evidence safe; this step is also part of the chain of custody.

Then we can move on to analysing the evidence.

Now I'll try this phase in practice.

File is :
practical.floppy.dd





After cloning the evidence and making sure the hashes are the same, we know the clone is identical to the source (master).


Show the file details to learn the owner and other file metadata.
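An added Python example, not from the original post, of the verification step above: hashing the master and the dd output in chunks, as md5sum does, and comparing size and digests. The sample images are constructed in a temporary directory; practical.floppy.dd here is only a file name reused for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read images 1 MiB at a time so a large disk image does not fill memory


def fingerprint(path, algorithms=("md5", "sha256")):
    """Hash a file in chunks, the way md5sum does; returns {algo: hexdigest, "size": bytes}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            size += len(block)
            for h in hashers.values():
                h.update(block)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def verify_clone(master_path, clone_path):
    """Compare the dd output with the master: size and every digest must match.

    Returns (identical, report); report names the fields that differ so a
    mismatch can be written into the chain-of-custody record."""
    master = fingerprint(master_path)
    clone = fingerprint(clone_path)
    mismatches = [key for key in master if master[key] != clone[key]]
    return (not mismatches), {"master": master, "clone": clone, "mismatches": mismatches}


def write_file(dirpath, name, data):
    path = os.path.join(dirpath, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed floppy-sized sample: a good clone and a clone with one corrupted byte."""
    with tempfile.TemporaryDirectory() as tmp:
        master_bytes = bytes(range(256)) * 5760  # 1,474,560 bytes, the size of a 1.44 MB floppy
        master = write_file(tmp, "practical.floppy.dd", master_bytes)
        good = write_file(tmp, "clone_good.dd", master_bytes)
        bad = write_file(tmp, "clone_bad.dd", master_bytes[:1000] + b"\x00" + master_bytes[1001:])
        good_ok, _ = verify_clone(master, good)
        bad_ok, bad_report = verify_clone(master, bad)
        # the bad clone has the same size, so only the digests disagree
        return good_ok, bad_ok, bad_report["mismatches"]


if __name__ == "__main__":
    print(demo())
```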


To be continued...

Sunday, March 18, 2012

About Space and File Structure

Slack Space

Slack space is an area of storage on a disk that appears empty but still contains data. When a file is deleted only the pointer to it is removed; if you look at the disk byte by byte you can still see the deleted data.

That means slack space is a zone of data that was deleted by the user or the system and can be recovered later, as long as the data is still present in the slack space. In other words, slack space is where data left behind on the storage system ends up when it is removed by the user or the system.

Slack space is the unused part of a cluster; several file systems use the cluster as the smallest unit of file allocation.
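An added Python example (not the original post's) of what the paragraph describes: computing the slack left in a file's last cluster and carving the residue out of a constructed cluster image, where the previous contents of the cluster survive past the end of the shorter file that replaced them.

```python
def slack_bytes(file_size, cluster_size):
    """Bytes between the end of a file's data and the end of its last cluster."""
    if file_size == 0:
        return 0                      # an empty file is allocated no cluster at all
    return (-file_size) % cluster_size


def carve_slack(image, first_cluster, file_size, cluster_size):
    """Return the slack of a file stored contiguously from first_cluster: whatever
    occupied the tail of the last cluster before the file was written there."""
    clusters_used = -(-file_size // cluster_size)          # ceiling division
    start = first_cluster * cluster_size
    data_end = start + file_size
    cluster_end = start + clusters_used * cluster_size
    return image[data_end:cluster_end]


def demo():
    """Constructed two-cluster image: cluster 1 once held an old memo, then a
    300-byte file overwrote only the first 300 bytes of it."""
    cluster = 512
    old_memo = (b"old draft memo: invoice 4471 sent to acme on friday. " * 20)[:cluster]
    new_file = b"N" * 300
    image = b"\x00" * cluster + new_file + old_memo[len(new_file):]
    residue = carve_slack(image, 1, len(new_file), cluster)
    return slack_bytes(len(new_file), cluster), residue
```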

Unallocated Space

Unallocated space consists of the clusters of a media partition that are not in use for storing any active files. They may contain pieces of files that were deleted from the file partition but not removed from the physical disk. I understand it as the blank space in disk storage that is not used by any partition's data.


As in the picture above, unallocated space is the unpartitioned part of the disk storage; that area is unused by the file system, and the operating system cannot write any data into it. It is space on a hard drive that may contain intact files, remnants of files, subdirectories or temporary files that were created and then deleted by an application, the operating system or the operator.

Magic Number

A magic number is a constant numerical or text value used to identify a file format or protocol. Magic numbers are common in programs across many operating systems. They implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at run time. Many files have such constants that identify the contained data. Detecting these constants in files is a simple and effective way of distinguishing between many file formats, and can yield further run-time information.

Example of Structure File

Txt File Format and File Structure

The text file structure consists of a stream of 8-bit ASCII characters. Every record in a text file is terminated by a newline character (\n, ASCII 012). Some utilities may omit the newline character on the last record, but the Fortran library will treat such an occurrence as a malformed record. This file structure can be specified for a file that is declared as formatted sequential access or formatted direct access. It is the default file structure for formatted sequential access files. On UNICOS and UNICOS/mk systems, it is also the default file structure for formatted direct access files.


AVI File Structure

The AVI file format is based on the RIFF (resource interchange file format) document format. A RIFF file consists of a RIFF header followed by zero or more lists and chunks.
  • The RIFF header has the following form:
    'RIFF' fileSize fileType (data)
    where 'RIFF' is the literal FOURCC code 'RIFF', fileSize is a 4-byte value giving the size of the data in the file, and fileType is a FOURCC that identifies the specific file type. The value of fileSize includes the size of the fileType FOURCC plus the size of the data that follows, but does not include the size of the 'RIFF' FOURCC or the size of fileSize. The file data consists of chunks and lists, in any order.
  • A chunk has the following form:
    ckID ckSize ckData
    where ckID is a FOURCC that identifies the data contained in the chunk, ckSize is a 4-byte value giving the size of the data in ckData, and ckData is zero or more bytes of data. The data is always padded to nearest WORD boundary. ckSize gives the size of the valid data in the chunk; it does not include the padding, the size of ckID, or the size of ckSize.
  • A list has the following form:
    'LIST' listSize listType listData
    where 'LIST' is the literal FOURCC code 'LIST', listSize is a 4-byte value giving the size of the list, listType is a FOURCC code, and listData consists of chunks or lists, in any order. The value of listSize includes the size of listType plus the size of listData; it does not include the 'LIST' FOURCC or the size of listSize.
The remainder of this section uses the following notation to describe RIFF chunks:

ckID ( ckData )

where the chunk size is implicit. Using this notation, a list can be represented as:

'LIST' ( listType ( listData ) )

Optional elements are placed in brackets: [ optional element ]

AVI Form
AVI files are identified by the FOURCC 'AVI ' in the RIFF header. All AVI files include two mandatory LIST chunks, which define the format of the streams and the stream data, respectively. An AVI file might also include an index chunk, which gives the location of the data chunks within the file. An AVI file with these components has the following form:
The 'hdrl' list defines the format of the data and is the first required LIST chunk. The 'movi' list contains the data for the AVI sequence and is the second required LIST chunk. The 'idx1' list contains the index. AVI files must keep these three components in the proper sequence.
Note: The OpenDML extensions define another type of index, identified by the FOURCC 'indx'.
The 'hdrl' and 'movi' lists use subchunks for their data. The following example shows the AVI RIFF form expanded with the chunks needed to complete these lists:
Main Header

The 'hdrl' list begins with the main AVI header, which is contained in an 'avih' chunk. The main header contains global information for the entire AVI file, such as the number of streams within the file and the width and height of the AVI sequence. The main header chunk consists of an AVI Main Header structure.

Stream Header

One or more 'strl' lists follow the main header. A 'strl' list is required for each data stream. Each 'strl' list contains information about one stream in the file, and must contain a stream header chunk ('strh') and a stream format chunk ('strf'). In addition, a 'strl' list might contain a stream-header data chunk ('strd') and a stream name chunk ('strn').
The stream header chunk ('strh') consists of an AVISTREAMHEADER structure.
A stream format chunk ('strf') must follow the stream header chunk. The stream format chunk describes the format of the data in the stream. The data contained in this chunk depends on the stream type. For video streams, the information is a BITMAPINFO structure, including palette information if appropriate. For audio streams, the information is a WAVEFORMATEX structure.
If the stream-header data ('strd') chunk is present, it follows the stream format chunk. The format and content of this chunk are defined by the codec driver. Typically, drivers use this information for configuration. Applications that read and write AVI files do not need to interpret this information; they simply transfer it to and from the driver as a memory block.
The optional 'strn' chunk contains a null-terminated text string describing the stream.
The stream headers in the 'hdrl' list are associated with the stream data in the 'movi' list according to the order of the 'strl' chunks. The first 'strl' chunk applies to stream 0, the second applies to stream 1, and so forth.

Stream Data

Following the header information is a 'movi' list that contains the actual data in the streams—that is, the video frames and audio samples. The data chunks can reside directly in the 'movi' list, or they might be grouped within 'rec ' lists. The 'rec ' grouping implies that the grouped chunks should be read from disk all at once, and is intended for files that are interleaved to play from CD-ROM.
The FOURCC that identifies each data chunk consists of a two-digit stream number followed by a two-character code that defines the type of information in the chunk.

Index Entries

AVI 1.0 index
An optional index ('idx1') chunk can follow the 'movi' list. The index contains a list of the data chunks and their location in the file. It consists of an AVIOLDINDEX structure with entries for each data chunk, including 'rec ' chunks. If the file contains an index, set the AVIF_HASINDEX flag in the dwFlags member of the AVIMAINHEADER structure.
AVI 2.0 index
An AVI 2.0 index can appear as a single chunk. Alternatively, index segments can be interleaved within the 'movi' chunk. If the index segments are placed in the 'movi' chunk, a super index contains an index of the index segments. The AVIMETAINDEX structure is the base structure for both the index segments and the super index. For more information, see the OpenDML AVI File Format Extensions, published by the OpenDML AVI M-JPEG File Format Subcommittee. (This resource may not be available in some languages and countries.)
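As an added example (not part of the original post), this Python code builds a constructed minimal AVI file following the RIFF rules above and walks it chunk by chunk: it applies the 'RIFF'/'AVI ' magic-number check from the earlier section, honours the WORD padding rule, and checks every ckSize against the bytes actually present, since a truncated file or a corrupt size field is the usual failure a forensic parser meets.

```python
import struct

def encode_chunk(ck_id, data):
    """Encode ckID ckSize ckData, padding ckData to a WORD boundary (the pad is not counted in ckSize)."""
    pad = b"\x00" if len(data) % 2 else b""
    return ck_id + struct.pack("<I", len(data)) + data + pad

def encode_list(list_type, body):
    """Encode 'LIST' listSize listType listData; listSize covers listType plus listData."""
    return encode_chunk(b"LIST", list_type + body)

# Constructed sample of the AVI form RIFF('AVI ' LIST('hdrl' avih) LIST('movi' 00dc) idx1):
# a zeroed 56-byte avih, one 3-byte video frame (padded to 4) and one 16-byte idx1 entry.
SAMPLE_AVI = encode_chunk(
    b"RIFF",
    b"AVI "
    + encode_list(b"hdrl", encode_chunk(b"avih", b"\x00" * 56))
    + encode_list(b"movi", encode_chunk(b"00dc", b"\x01\x02\x03"))
    + encode_chunk(b"idx1", b"\x00" * 16),
)

def is_avi(buf):
    """Magic-number check: 'RIFF' at offset 0 and fileType 'AVI ' at offset 8."""
    return len(buf) >= 12 and buf[:4] == b"RIFF" and buf[8:12] == b"AVI "

def parse_riff(buf):
    """Return the chunk tree of a RIFF buffer; raises ValueError on a malformed or truncated file."""
    if len(buf) < 12 or buf[:4] != b"RIFF":
        raise ValueError("not a RIFF file: missing 'RIFF' magic")
    file_size = struct.unpack_from("<I", buf, 4)[0]
    if 8 + file_size > len(buf):
        raise ValueError(f"fileSize {file_size} exceeds the {len(buf)} bytes present: truncated file")
    return {"id": "RIFF", "type": buf[8:12].decode("ascii", "replace"),
            "size": file_size, "children": walk(buf, 12, 8 + file_size)}

def walk(buf, pos, end):
    """Walk chunks and lists between pos and end, checking each ckSize against what remains."""
    nodes = []
    while pos + 8 <= end:
        ck_id = buf[pos:pos + 4].decode("ascii", "replace")
        ck_size = struct.unpack_from("<I", buf, pos + 4)[0]
        data_start, data_end = pos + 8, pos + 8 + ck_size
        if data_end > end:
            raise ValueError(f"chunk {ck_id!r} at offset {pos} claims {ck_size} bytes, "
                             f"only {end - data_start} remain")
        if ck_id == "LIST":
            if ck_size < 4:
                raise ValueError(f"LIST at offset {pos} is too short to hold a listType")
            nodes.append({"id": "LIST", "type": buf[data_start:data_start + 4].decode("ascii", "replace"),
                          "size": ck_size, "children": walk(buf, data_start + 4, data_end)})
        else:
            nodes.append({"id": ck_id, "type": None, "size": ck_size, "children": None})
        pos = data_end + (ck_size & 1)  # skip the pad byte that follows an odd-sized chunk
    return nodes

def check(buf):
    """Return (True, tree) for a well-formed RIFF buffer, (False, reason) otherwise."""
    try:
        return True, parse_riff(buf)
    except ValueError as exc:
        return False, str(exc)

def outline(node, depth=0):
    """Flatten the tree into indented 'id:type (size)' lines, like a file-structure listing."""
    label = node["id"] + (":" + node["type"] if node["type"] else "")
    lines = ["  " * depth + f"{label} ({node['size']})"]
    for child in node["children"] or []:
        lines.extend(outline(child, depth + 1))
    return lines
```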

Thursday, March 15, 2012

MBR and Filesystem Structure

MBR

The MBR (Master Boot Record) is the boot sector table of a storage device, the place where the boot loader of an operating system is recorded when the computer is installed onto the hard disk.


The MBR is the identity domain of the disk, the first place that runs, because it sits at Cylinder 0, Head 0, Sector 1 of the hard disk. It is where all the hardware in the computer is checked.


The Master Boot Record contains the Partition Table for the disk and a small amount of executable code. On x86-based computers, the executable code examines the Partition Table and identifies the system partition. The Master Boot Record then finds the system partition's starting location on the disk and loads a copy of its Partition Boot Sector into memory. The Master Boot Record then transfers execution to the executable code in the Partition Boot Sector.

  • The master boot routine that is run when the computer is started
  • The partition table that contains the information about the partitions
  • The MBR identification code that identifies the MBR as a master boot record
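As an added example (not from the original post), here is a Python parser for the MBR layout described above: the 446 bytes of boot code, the four 16-byte partition table entries at offset 0x1BE, and the 0x55AA identification code. The sample sectors are constructed inline, and the partition type names cover only a few common IDs; the overlap check is the kind of sanity test a forensic examiner runs on a table that may be corrupt or tampered with.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE            # 446 bytes of boot code precede the four 16-byte entries
SIGNATURE = b"\x55\xAA"         # MBR identification code in the last two bytes of sector 0
ENTRY = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count

# A few common partition type IDs; anything else is reported by its hex value
PARTITION_TYPES = {0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector):
    """Parse a 512-byte MBR: returns the boot code and the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature: not an MBR")
    partitions = []
    for index in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY, sector, TABLE_OFFSET + 16 * index)
        if ptype == 0 and sectors == 0:
            continue                                      # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,                  # 0x80 marks the active partition
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * SECTOR_SIZE / 2 ** 20,
        })
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": partitions}


def find_overlaps(partitions):
    """Return (index, index) pairs whose sector ranges overlap; a healthy table has none."""
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in partitions)
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]


def build_entry(status, ptype, lba_start, sectors):
    """Constructed 16-byte entry with zeroed CHS fields (the LBA fields are what matters today)."""
    return struct.pack(ENTRY, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


def build_mbr(entries):
    """Constructed sector 0: a jump-to-self stub as boot code, up to four entries, the signature."""
    boot_code = b"\xEB\xFE" + b"\x00" * (TABLE_OFFSET - 2)
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return boot_code + table + SIGNATURE


# Constructed samples: a sane two-partition disk, and one whose second entry starts inside the first
SAMPLE_MBR = build_mbr([build_entry(0x80, 0x07, 2048, 204800),      # 100 MiB NTFS, bootable
                        build_entry(0x00, 0x83, 206848, 409600)])   # 200 MiB Linux
OVERLAPPING_MBR = build_mbr([build_entry(0x80, 0x07, 2048, 204800),
                             build_entry(0x00, 0x83, 100000, 409600)])
```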

File System

File systems organize and manage hard disk space. They enable you to create folders and files and to find them again. They are also used to grant or to block access to files. Windows file systems do not operate directly with sectors. They work with clusters. A cluster groups multiple sectors into a single data storage unit for ease of management. Clusters also specify how much hard disk space is allocated to each file. Each file requires a whole cluster, even if it does not use all the available space. 


FAT 16

FAT16 is one of several file system formats for storage. On a hard disk, a FAT16 partition uses a cluster size determined by the size of the partition, as shown in this table:
Disadvantages of FAT16

Lack of storage space: no room for additional programs or files, especially for those using Windows 95 with more than 512 MB of hard disk.

Inefficient: the large cluster size leads to waste. Files are not arranged efficiently, and the user often has to defragment to recover cluster space that is completely unused.

The maximum disk size that a single FAT16 hard disk can support is 2 GB.

These shortcomings were addressed by the FAT32 file system.
  
FAT 32

FAT32 is a development of FAT16. Several file systems have the structure shown in this table on a storage medium or disk:


FAT32 is a file system for Windows. It is a development of the File Allocation Table (FAT) file system that Microsoft created to support large drives in a single volume. The File Allocation Table made things easier for the user by letting them see only a single drive letter instead of many different letters. Disk space is also used more efficiently with this system.

FAT32 increases the number of bits which can be used to address hardware sectors. Hardware sectors are often referred to as clusters. Clusters are identified with a larger number of bits with each development of the FAT file system.



Advantages of FAT32

Uses 32 bits to represent a cluster number.

FAT32 provides larger drive sizes: up to 2 terabytes, compared with only 2 GB for FAT16.

FAT32 uses space more efficiently. It uses smaller clusters (a 4 KB cluster size for drives up to 8 GB), which is 10 to 15 percent more efficient than FAT or FAT16. The minimum size for a FAT32 partition is about 260 MB.


Disadvantages of FAT32

Microsoft supports the FAT32 file system's functions for reading and storing files independently in both real mode and protected mode; Microsoft's support facilities for real and protected mode are included in Windows 95.

Although the FAT32 file system supports disk sizes up to 2 terabytes (TB), some hard disks may not be able to use a bootable partition larger than 7.8 gigabytes (GB), due to limitations of the basic input/output system (BIOS) INT 13 interface.

 


NTFS

The weakness of FAT is the inability to control access to files or folders on the hard drive, which allows outsiders to change the data on a networked system.

NTFS is a type of file system designed for 2 to the 64th power clusters. Such file systems allow for significantly larger partitions and also make better use of data storage.

This type has a different structure from FAT; here is an explanation of the difference.
The unnamed stream is a mandatory element and is always present. If you create an alternate stream and the file does not exist, the system automatically creates a zero-length unnamed stream. If you delete the unnamed stream, the system treats it as a request to delete the whole file, and all the alternate streams are also deleted.

The security descriptor and the file attributes belong to the file as a whole, not to the unnamed stream. For instance, no stream can be opened for writing if the read only attribute is set.



NTFS currently has 16 metafiles, which I'll describe later on. Finally, each File Record is composed mainly of Attributes. Attributes are clearly defined (more on them later), and each one of them is a structure that describes the object in the File Record.

EXT2

Ext2 was first developed and integrated in the Linux kernel, and is now also being developed for use on other operating systems.

The goal is to create a powerful file system that implements UNIX file semantics and has advanced service features.



Capability

1. The Ext2 file system supports the file types of the UNIX standard, such as regular files, directories, device special files and symbolic links.
2. Ext2 can manage file systems created on large partitions.
3. The Ext2 file system supports long file names, up to a maximum of 255 characters.
4. Ext2 reserves several blocks for the super user (root).

EXT3

EXT3 is a journalled file system.

A journalled file system is designed to help protect the data on it.

With a journalled file system we no longer need to check the consistency of the data, which would take a very long time for my disk.

EXT3 is a file system that was developed for use on the Linux operating system.

EXT3 is the result of improvements to EXT2 that make it better by adding a variety of advantages.



Structure 


bootstrap
code to be loaded into memory and executed when the computer is powered on. MVS volumes reserve the entire first track of the first cylinder for the boot strap.


volume descriptor
information describing the size, type, and layout of the file system and in particular how to find the other key meta-data descriptors

file descriptors
information that describes a file (ownership, protection, time of last update, etc.) and points where the actual data is stored on the disk.

free space descriptors
lists of blocks of (currently) unused space that can be allocated to files.

file name descriptors
data structures that associate user-chosen names with each file.

Advantages
   
Availability:

EXT3 does not need to run a file system check even after an unclean "shutdown", except in some very rare hardware errors.

This is possible because data is written to the disk in a way that keeps the file system always consistent.

The time required to recover an ext3 file system after an unclean shutdown does not depend on the size of the file system or the number of files, but on the size of the "journal" used to maintain consistency. The default journal size takes about 1 second to recover (depending on hardware speed).


Data integrity

By using the ext3 file system we get a stronger assurance of data integrity in the case of an unclean shutdown.

We can choose the type and level of protection the data receives. We can choose to keep the file system consistent but still allow damage to the data in the file system in the case of an unclean shutdown; this can provide a speed increase in some circumstances.


 
IS2C © 2012 Blog's Student | is2c