Midnight Commander




Midnight Commander (MC) is one of those tools that isn’t strictly a viewer, but it has one built in. This tool is worth mentioning because we use it all the time when quickly traversing a dataset, especially in investigations that involve Unix systems.

Midnight Commander is available to download from http://www.ibiblio.org/mc/.

Implementation

When you download MC from the web site, you may need to compile it before you can use it. Depending on the platform on which you will be running this tool, you may need to consult the installation instructions that come with the package. MC is available as a Red Hat Package Manager (RPM) package for Linux and as a package/port in the *BSD world. On FreeBSD the port is located in the /usr/ports/misc/mc directory.

MC can be invoked with the following command:

forensic# mc

Once invoked, a screen similar to Figure 25-8 appears. MC could be thought of as a console Windows Explorer–like tool that will allow you to move around the file system and view files quickly. At any time, you can press F9 and you will be presented with this menu system if you cannot remember the shortcuts discussed in this section.

Figure 25-8: The main screen of Midnight Commander

Notice how the left pane in MC contains the contents of the working directory in which you ran the mc command. The right pane begins with your home directory. By pressing the UP and DOWN ARROW keys, you can navigate the file system in the left pane. If you press TAB at this point, you will switch the control to the right pane. Again, pressing the UP and DOWN ARROW keys will navigate the file system. When navigating the file system, pressing ENTER will change the directory to the directory you have highlighted. If you have a file highlighted instead, pressing F3 will invoke the internal viewer, as shown in Figure 25-9.

Figure 25-9: Midnight Commander’s ability to view files

If you press F4 while viewing a file, the viewer will switch to hexadecimal mode. This mode produces output similar to the output that hexdump and hexedit produce. The results of MC’s hexadecimal output can be viewed in Figure 25-10. Pressing F4 again would switch you back to ASCII mode.

Figure 25-10: Midnight Commander can view files in hexadecimal mode.

Pressing F7 in either viewing mode will allow you to search either ASCII strings or hexadecimal values.

Tip 

Be sure to prepend the 0x to any numbers you need to be hexadecimal when searching in that mode; otherwise, the values will be interpreted as decimal values.

When in ASCII mode, you may search with regular expressions by pressing the F6 key. Although regular expressions are beyond the scope of this book, you can find out more about them on the perlre man page; they provide powerful searching functionality.

You may also jump to any position in the file by pressing the F5 key. When in ASCII mode, MC will ask you for the line number to which you wish to jump, and when in hexadecimal mode it will ask you for the offset within the open file.

When you have finished viewing the file, press F10 to return to the main MC menu. When you have selected a file, pressing F4 will edit the file with vi in binary mode.

Note 

Some files may not display properly if the associated external viewer is not installed on your machine. For example, compressed files are expanded before they are displayed when you choose to view them. To view how MC will display files of different extensions, press F9 at a file browser screen (as shown in Figure 25-8) to access the pull-down menus, then choose Command | Extension File Edit. This command will execute vi. You may change this extensions file and save it for future use when running MC.

The bottom portion of the MC window allows you to type a command as if you were at a shell prompt. At any point, if you select a file or directory, you can instantly copy and paste the name to the shell prompt by pressing ALT-ENTER.

If you are using MC to aid in your analysis of an investigation, you may want to copy and/or move files from one directory to another as you complete their analyses. Press F5 and F6 to copy and move the selected file, respectively, from one pane to the next. If you need to delete a file (perhaps it is irrelevant to your analysis), you can press F8.

Note 

Copying, pasting, moving, and deleting could alter the time and date stamps of the files you are manipulating. Therefore, you should do this only on data for which you have a best-evidence original stored away.
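The following script is an added example, not code from the book or from the Midnight Commander project. It makes the note above concrete: it fingerprints a constructed evidence file (SHA-256 plus the stat fields an examiner compares), copies it once with a plain copy and once with a metadata-preserving copy, and reports which of content and modification time survived each operation. The file name "h", its content and its 2003 timestamp are constructed for the demonstration.

```python
"""Added example (not from the book): a plain copy rewrites the modification
time while the content hash stays the same; a metadata-preserving copy keeps it."""
import hashlib
import os
import shutil
import tempfile


def fingerprint(path: str) -> dict:
    """SHA-256 plus the stat fields an investigator compares before and after."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def copy_and_compare(src: str, dst: str, preserve_metadata: bool) -> dict:
    """Copy src to dst and report whether content and mtime survived the copy."""
    before = fingerprint(src)
    if preserve_metadata:
        shutil.copy2(src, dst)   # copystat() carries mtime/atime across
    else:
        shutil.copy(src, dst)    # content and mode only; mtime becomes "now"
    after = fingerprint(dst)
    return {
        "content_intact": before["sha256"] == after["sha256"],
        "mtime_preserved": before["mtime_ns"] == after["mtime_ns"],
    }


def demo() -> dict:
    """Run both copy styles on a constructed evidence file with an old mtime."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "h")          # constructed stand-in for the seized file
        with open(src, "wb") as fh:
            fh.write(b"# Host Database\n")
        old = 1051000000                        # constructed timestamp in April 2003
        os.utime(src, (old, old))
        plain = copy_and_compare(src, os.path.join(work, "h.copy"), preserve_metadata=False)
        kept = copy_and_compare(src, os.path.join(work, "h.copy2"), preserve_metadata=True)
    return {"plain_copy": plain, "preserving_copy": kept}


if __name__ == "__main__":
    print(demo())
```

The hash tells you the bytes are unchanged either way; only the stat comparison reveals that the plain copy has silently replaced the original modification time, which is exactly the kind of change that is indefensible unless a best-evidence original still exists.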

start sidebar
Case Study: Deciphering the Mysterious Criminal’s Files

You have been handed a CD-ROM with some strange files that were seized from an alleged hacker. Law enforcement officials hope you can make sense of these files, as their resources are limited after routine budget cuts. Since you enjoy helping the good guys, you decide to perform some analysis on these files pro bono.

The files on the CD-ROM have the following attributes:

forensic# ls -al /mnt/cdrom
total 306
dr-x------   2 kjones  1000     512 Apr 22 21:58 .
drwxr-xr-x  11 kjones  1000     512 Apr 22 21:42 ..
-r-x------   1 kjones  1000    1889 Apr 22 21:59 bin
-r-x------   1 kjones  1000    1075 Apr 22 21:58 h
-r-x------   1 kjones  1000    1041 Apr 22 21:58 p
-r-x------   1 kjones  1000    1212 Apr 22 21:57 s
-r-x------   1 kjones  1000  290564 Apr 22 21:42 t

Without access to the original filenames, a novice investigator would get nervous—but not you, because you carefully read this chapter! Didn't you?

Run file   The first thing you would want to do is run the file command to determine the file types. You discover the following information:

forensic# file *
bin: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
h:   ASCII English text
p:   ASCII text
s:   ASCII text
t:   ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), stripped

You already know most of the story! The culprit had a copy of tcpdump (this would be discovered if you executed the file “t” in a sanitary environment or examined the strings within it) and an output file generated by tcpdump. Therefore, your next step is to read Chapter 16 and learn how to analyze this tcpdump output.

Analyze the Hexdump   You could dump the contents of all of these files, but you decide to dump only the “h,” “p,” and “s” files, as you already know the “bin” file is tcpdump output and you must analyze that with tcpdump itself. The following results are displayed when you use the hexdump.fmt format file (or -C in FreeBSD):

forensic# hexdump -C h | head
00000000  23 20 48 6f 73 74 20 44  61 74 61 62 61 73 65 0a  |# Host Database.|
00000010  23 20 54 68 69 73 20 66  69 6c 65 20 73 68 6f 75  |# This file shou|
00000020  6c 64 20 63 6f 6e 74 61  69 6e 20 74 68 65 20 61  |ld contain the a|
00000030  64 64 72 65 73 73 65 73  20 61 6e 64 20 61 6c 69  |ddresses and ali|
00000040  61 73 65 73 0a 23 20 66  6f 72 20 6c 6f 63 61 6c  |ases.# for local|
00000050  20 68 6f 73 74 73 20 74  68 61 74 20 73 68 61 72  | hosts that shar|
00000060  65 20 74 68 69 73 20 66  69 6c 65 2e 0a 23 20 49  |e this file..# I|
00000070  6e 20 74 68 65 20 70 72  65 73 65 6e 63 65 20 6f  |n the presence o|
00000080  66 20 74 68 65 20 64 6f  6d 61 69 6e 20 6e 61 6d  |f the domain nam|
00000090  65 20 73 65 72 76 69 63  65 20 6f 72 20 4e 49 53  |e service or NIS|
forensic# hexdump -C p | head
00000000  72 6f 6f 74 3a 2a 3a 30  3a 30 3a 43 68 61 72 6c  |root:*:0:0:Charl|
00000010  69 65 20 26 3a 2f 72 6f  6f 74 3a 2f 62 69 6e 2f  |ie &:/root:/bin/|
00000020  63 73 68 0a 74 6f 6f 72  3a 2a 3a 30 3a 30 3a 42  |csh.toor:*:0:0:B|
00000030  6f 75 72 6e 65 2d 61 67  61 69 6e 20 53 75 70 65  |ourne-again Supe|
00000040  72 75 73 65 72 3a 2f 72  6f 6f 74 3a 0a 64 61 65  |ruser:/root:.dae|
00000050  6d 6f 6e 3a 2a 3a 31 3a  31 3a 4f 77 6e 65 72 20  |mon:*:1:1:Owner |
00000060  6f 66 20 6d 61 6e 79 20  73 79 73 74 65 6d 20 70  |of many system p|
00000070  72 6f 63 65 73 73 65 73  3a 2f 72 6f 6f 74 3a 2f  |rocesses:/root:/|
00000080  73 62 69 6e 2f 6e 6f 6c  6f 67 69 6e 0a 6f 70 65  |sbin/nologin.ope|
00000090  72 61 74 6f 72 3a 2a 3a  32 3a 35 3a 53 79 73 74  |rator:*:2:5:Syst|
forensic# hexdump -C s | head
00000000  72 6f 6f 74 3a 24 31 24  38 44 65 30 47 66 5a 51  |root:$1$8De0GfZQ|
00000010  24 6c 4f 79 78 59 42 70  2e 6e 59 56 59 74 5a 52  |$lOyxYBp.nYVYtZR|
00000020  45 63 63 42 73 61 31 3a  30 3a 30 3a 3a 30 3a 30  |EccBsa1:0:0::0:0|
00000030  3a 43 68 61 72 6c 69 65  20 26 3a 2f 72 6f 6f 74  |:Charlie &:/root|
00000040  3a 2f 62 69 6e 2f 63 73  68 0a 74 6f 6f 72 3a 2a  |:/bin/csh.toor:*|
00000050  3a 30 3a 30 3a 3a 30 3a  30 3a 42 6f 75 72 6e 65  |:0:0::0:0:Bourne|
00000060  2d 61 67 61 69 6e 20 53  75 70 65 72 75 73 65 72  |-again Superuser|
00000070  3a 2f 72 6f 6f 74 3a 0a  64 61 65 6d 6f 6e 3a 2a  |:/root:.daemon:*|
00000080  3a 31 3a 31 3a 3a 30 3a  30 3a 4f 77 6e 65 72 20  |:1:1::0:0:Owner |
00000090  6f 66 20 6d 61 6e 79 20  73 79 73 74 65 6d 20 70  |of many system p|

If you examine the “t” file with hexdump and look at a deeper offset, you see the following information:

forensic# hexdump -C t
…
0003cda0  35 2c 20 31 39 39 36 2c  20 31 39 39 37 0a 54 68  |5, 1996, 1997.Th|
0003cdb0  65 20 52 65 67 65 6e 74  73 20 6f 66 20 74 68 65  |e Regents of the|
0003cdc0  20 55 6e 69 76 65 72 73  69 74 79 20 6f 66 20 43  | University of C|
0003cdd0  61 6c 69 66 6f 72 6e 69  61 2e 20 20 41 6c 6c 20  |alifornia.  All |
0003cde0  72 69 67 68 74 73 20 72  65 73 65 72 76 65 64 2e  |rights reserved.|
0003cdf0  0a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0003ce00  40 28 23 29 20 24 48 65  61 64 65 72 3a 20 2f 74  |@(#) $Header: /t|
0003ce10  63 70 64 75 6d 70 2f 6d  61 73 74 65 72 2f 74 63  |cpdump/master/tc|
0003ce20  70 64 75 6d 70 2f 74 63  70 64 75 6d 70 2e 63 2c  |pdump/tcpdump.c,|
0003ce30  76 20 31 2e 31 35 38 20  32 30 30 30 2f 31 32 2f  |v 1.158 2000/12/|
0003ce40  32 31 20 31 30 3a 34 33  3a 32 34 20 67 75 79 20  |21 10:43:24 guy |
0003ce50  45 78 70 20 24 20 28 4c  42 4c 29 00 75 6e 6b 6e  |Exp $ (LBL).unkn|
0003ce60  6f 77 6e 20 64 61 74 61  20 6c 69 6e 6b 20 74 79  |own data link ty|
0003ce70  70 65 20 25 64 00 25 73  00 00 00 00 00 00 00 00  |pe %d.%s........|
0003ce80  61 63 3a 64 65 45 3a 66  46 3a 69 3a 6c 6d 3a 6e  |ac:deE:fF:i:lm:n|
0003ce90  4e 4f 70 71 72 3a 52 73  3a 53 74 54 3a 75 76 77  |NOpqr:Rs:StT:uvw|
0003cea0  3a 78 58 59 00 69 6e 76  61 6c 69 64 20 70 61 63  |:xXY.invalid pac|
0003ceb0  6b 65 74 20 63 6f 75 6e  74 20 25 73 00 25 73 3a  |ket count %s.%s:|
0003cec0  20 69 67 6e 6f 72 69 6e  67 20 6f 70 74 69 6f 6e  | ignoring option|
0003ced0  20 60 2d 6d 20 25 73 27  20 00 28 6e 6f 20 6c 69  | `-m %s' .(no li|
0003cee0  62 73 6d 69 20 73 75 70  70 6f 72 74 29 0a 00 69  |bsmi support)..i|
0003cef0  6e 76 61 6c 69 64 20 73  6e 61 70 6c 65 6e 20 25  |nvalid snaplen %|
0003cf00  73 00 76 61 74 00 77 62  00 72 70 63 00 72 74 70  |s.vat.wb.rpc.rtp|
…

The information hexdump provided here clearly shows that this file was compiled from a source file that contained the word tcpdump.

To keep this case study brief, we will mention only that other information, such as usage statements, is also available in the hexdump output, helping to confirm your speculation that this file is the sniffer program tcpdump.
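The script below is an added example written for this page; it is not code from the book, from file(1), hexdump(1) or from Midnight Commander. It reproduces the two steps of the case study (the file-type check and the hexdump inspection) plus the F7-style search on constructed stand-ins for the seized files: identify() classifies a blob by its magic bytes (pcap global header, ELF header, or plain ASCII), hexdump_c() renders bytes in the same column layout as hexdump -C, and search() returns every offset at which a text string or a raw byte pattern occurs, which is the difference between MC's ASCII search and its 0x-prefixed hexadecimal search. The sample contents (a passwd-style line, a pcap header, a minimal ELF header carrying an RCS id string) are constructed and only mimic what the page shows; the magic values and header layouts are the real pcap and ELF ones.

```python
"""Added example (not from the book): file-type triage, hexdump -C style
rendering and byte-pattern search over constructed sample data."""
import struct

# Constructed samples standing in for the seized files "p", "bin" and "t".
SAMPLE_PASSWD = b"root:*:0:0:Charlie &:/root:/bin/csh\ntoor:*:0:0:Bourne-again Superuser:/root:\n"
# pcap global header: magic, major 2, minor 4, tz, sigfigs, snaplen 65535, linktype 1 (Ethernet)
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Minimal ELF header: class 1 (32-bit), data 1 (LSB), version 1, OS/ABI 9 (FreeBSD),
# then e_type 2 (executable) and e_machine 3 (Intel 80386); an RCS id string follows
# at offset 52, standing in for what the book found deep inside file "t".
SAMPLE_ELF = (b"\x7fELF" + bytes([1, 1, 1, 9]) + b"\x00" * 8 + struct.pack("<HH", 2, 3)
              + b"\x00" * 32 + b"@(#) $Header: /tcpdump/master/tcpdump/tcpdump.c,v 1.158 $\x00")

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPES = {1: "Ethernet"}
ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
ELF_MACHINES = {3: "Intel 80386", 62: "x86-64"}
ELF_OSABI = {0: "SYSV", 9: "FreeBSD"}


def identify(data: bytes) -> str:
    """Classify a blob by magic bytes, in the spirit of file(1)."""
    if len(data) >= 24:
        # Try both byte orders: a little-endian pcap stores the magic as d4 c3 b2 a1.
        for order, name in (("<", "little-endian"), (">", "big-endian")):
            magic, major, minor, _tz, _sig, snaplen, link = struct.unpack(order + "IHHiIII", data[:24])
            if magic == PCAP_MAGIC:
                link_name = LINKTYPES.get(link, f"linktype {link}")
                return (f"tcpdump capture file ({name}) - version {major}.{minor} "
                        f"({link_name}, capture length {snaplen})")
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown class")
        order, endian = ("<", "LSB") if data[5] == 1 else (">", "MSB")
        e_type, e_machine = struct.unpack(order + "HH", data[16:20])
        return (f"ELF {bits} {endian} {ELF_TYPES.get(e_type, 'unknown type')}, "
                f"{ELF_MACHINES.get(e_machine, f'machine {e_machine}')}, "
                f"version {data[6]} ({ELF_OSABI.get(data[7], f'OS/ABI {data[7]}')})")
    if data and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in data):
        return "ASCII text"
    return "data"


def hexdump_c(data: bytes) -> str:
    """Render bytes in hexdump -C layout (offset, two groups of 8 bytes, ASCII column).
    Unlike hexdump -C, repeated identical lines are not collapsed into '*'."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02x}" for b in chunk[:8])
        right = " ".join(f"{b:02x}" for b in chunk[8:])
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {left:<23}  {right:<23}  |{ascii_col}|")
    lines.append(f"{len(data):08x}")          # final line: total length, as hexdump prints it
    return "\n".join(lines)


def search(data: bytes, pattern) -> list:
    """Offsets of every occurrence of pattern, given as text or as raw bytes
    (the counterpart of MC's ASCII search versus its 0x hexadecimal search)."""
    needle = pattern.encode() if isinstance(pattern, str) else pattern
    hits, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


if __name__ == "__main__":
    for name, blob in (("p", SAMPLE_PASSWD), ("bin", SAMPLE_PCAP), ("t", SAMPLE_ELF)):
        print(f"{name}: {identify(blob)}")
    print(hexdump_c(SAMPLE_PASSWD[:32]))
    print("tcpdump at offsets", search(SAMPLE_ELF, "tcpdump"))
    print("ELF magic at offsets", search(SAMPLE_ELF, bytes.fromhex("7f454c46")))
```

The first two hexdump_c() lines for the constructed passwd sample come out byte for byte as the book's `hexdump -C p` listing, which is a cheap way to confirm the column layout before relying on the offsets it reports. The search() call with bytes.fromhex() is the programmatic version of the tip about prefixing 0x: the pattern is interpreted as bytes, not as the decimal number the digits would otherwise spell.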

We chose to spare you the details of examining the same files using the other tools in this chapter. We assume you get the picture, and selection of the particular tool is a personal choice in this case.

end sidebar






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
