July 08, 2016

Look and LISTEN

To find all listening daemons on your box, use the lsof command and grep for LISTEN. See the lsof man page for details. So what's running on your machine?

$ lsof -i | grep LISTEN
SpotifyWe   427 bob    6u  IPv4 0xfadf3f229c048281      0t0  TCP localhost:4370 (LISTEN)
SpotifyWe   427 bob    7u  IPv4 0xfadf3f229c048b79      0t0  TCP localhost:4380 (LISTEN)
NDSPCShow 13355 bob   45u  IPv4 0xfadf3f22ae9d6ea1      0t0  TCP localhost:9012 (LISTEN)
NDSPCShow 13355 bob   46u  IPv4 0xfadf3f22af352b79      0t0  TCP localhost:dynamid (LISTEN)
Google    98152 bob  219u  IPv4 0xfadf3f22a1e07091      0t0  TCP 192.168.87.102:freeciv (LISTEN)
Google    98152 bob  225u  IPv4 0xfadf3f22a26b6091      0t0  TCP localhost:freeciv (LISTEN)

This shows that I currently have 6 listening daemons bound to 6 ports. All of them are TCP daemons. NDSPCShow with PID 13355 is a process I'd like to kill and make sure never starts again. I don't know what this process actually does, nor can I find any information about it.

lsof uses the keywords LISTEN, ESTABLISHED, TCP, UDP etc. to display the type and state of each connection. Check man lsof for details. But lsof is not the only program that shows this state; netstat is another option. To see the listening sockets on your machine:

$ netstat -an | grep LISTEN
tcp6       0      0  ::1.587                *.*                    LISTEN     
tcp4       0      0  127.0.0.1.587          *.*                    LISTEN     
tcp6       0      0  ::1.25                 *.*                    LISTEN     
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN     
tcp4       0      0  127.0.0.1.5556         *.*                    LISTEN     
tcp4       0      0  192.168.87.102.5556    *.*                    LISTEN     
tcp4       0      0  127.0.0.1.9002         *.*                    LISTEN     
tcp4       0      0  127.0.0.1.9012         *.*                    LISTEN     
tcp4       0      0  127.0.0.1.4380         *.*                    LISTEN     
tcp4       0      0  127.0.0.1.4370         *.*                    LISTEN     
tcp4       0      0  *.88                   *.*                    LISTEN     
tcp6       0      0  *.88                   *.*                    LISTEN     
tcp4       0      0  127.0.0.1.49153        *.*                    LISTEN     
tcp4       0      0  127.0.0.1.49152        *.*                    LISTEN     
tcp4       0      0  127.0.0.1.3310         *.*                    LISTEN     
tcp46      0      0  *.80                   *.*                    LISTEN     
tcp4       0      0  *.445                  *.*                    LISTEN     
tcp6       0      0  *.445                  *.*                    LISTEN     
tcp4       0      0  *.5900                 *.*                    LISTEN     
tcp6       0      0  *.5900                 *.*                    LISTEN     
tcp4       0      0  *.548                  *.*                    LISTEN     
tcp6       0      0  *.548                  *.*                    LISTEN 

Again you can use the LISTEN etc. keywords to see the state of each connection. Yet another option is Knockknock. Knockknock is a python script that can be used to check which resources on your machine may be malicious. Knockknock is available on github. Download it using git, i.e.

$ git clone https://github.com/synack/knockknock.git

Then cd to the knockknock directory and execute it. Here is how you find all running processes using knockknock.

$ sudo ./knockknock.py
<snipped>
[Chrome Browser Extensions]

Weebly - Website Builder 
 description: Easily create a free site, blog or online store. No technical skills required. Hosting included.
 id: cnocophcbjfiimmnhlhleaooedeheifb
 path: /Users/bob/Library/Application Support/Google/Chrome/Default/Extensions/cnocophcbjfiimmnhlhleaooedeheifb/1.0.5_0

None 
 description: None
 id: kfcfceejhleedfbabanmaamfiagjhncj
 path: None
<snipped>

The above shows the output of the knockknock python program. It can be used to see all browser extensions and processes that use your network connection, so you can inspect the connections and see whether any of them look suspicious.

With fuser you can list all the open files on your OSX box. It gives you the user and file handle for every open file. The output is really cluttered in my opinion, so I'm sticking to the alternatives above.
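Of the listeners in the netstat output above, the ones bound to a LAN address or to the wildcard `*` (ports 80, 88, 445, 548, 5900 and 5556) are reachable from other hosts, unlike the loopback ones. This added script, which is not part of the original post, filters netstat's LISTEN lines down to just those exposed listeners; the sample input is constructed in the same macOS netstat layout.

```shell
#!/bin/sh
# Added example (not from the post): given `netstat -an | grep LISTEN` output,
# print only the listeners reachable from other hosts, i.e. bound to a LAN
# address or to the wildcard `*` rather than to loopback.
# Constructed sample in the macOS netstat layout used in the post.
SAMPLE_NETSTAT='tcp4       0      0  127.0.0.1.4370         *.*                    LISTEN
tcp6       0      0  ::1.25                 *.*                    LISTEN
tcp4       0      0  192.168.87.102.5556    *.*                    LISTEN
tcp4       0      0  *.445                  *.*                    LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.9012         *.*                    LISTEN'

# Reads netstat lines on stdin, writes "proto local_address port" for each
# exposed listener. Field 4 is the local address; the port follows its last dot.
exposed_listeners() {
    awk '$NF == "LISTEN" {
        addr = $4
        if (addr ~ /^127\.0\.0\.1\./ || addr ~ /^::1\./) next   # loopback only
        n = split(addr, part, ".")
        print $1, addr, part[n]
    }'
}

# Number of exposed listeners in the sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '
}

# Exposed ports only, sorted, one per line. Each can be handed to the post's
# lsof to name the owning process:  lsof -nP -iTCP:"$port" -sTCP:LISTEN
exposed_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | awk '{print $3}' | sort -n | uniq
}
```

On a live box, pipe `netstat -an | grep LISTEN` into exposed_listeners instead of the sample.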

July 06, 2016

Restoring OSX drives with photorec

To see what's left on your drive after using your machine for several years, recovering data with either testdisk or photorec can be quite fun. Install them on OSX using either brew or MacPorts, or on Linux using your favourite package manager.

$ sudo port install testdisk

The above command installs both testdisk and photorec on OSX. To run it, issue:

$ sudo photorec /log

Then follow the instructions on the command line. But before you run the recovery tool you'll have to find the drive you're attempting to recover from. This is done using mount:

$ mount
/dev/disk1 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
localhost:/cZw0sWXSBvue3biH9HC_QR on /Volumes/MobileBackups (mtmfs, nosuid, read-only, nobrowse)
map -hosts on /net (autofs, nosuid, automounted, nobrowse)
map auto_home on /home (autofs, automounted, nobrowse)

The /dev/disk1 using the hfs filesystem is the one I'd like to recover stuff from; you can also use the diskutil program.

$ diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           +498.9 GB   disk1
                                 Logical Volume on disk0s2
                                 71E61617-FD0B-4FFA-A432-4FE2737C217D
                                 Unlocked Encrypted

Again /dev/disk1 proves to be the one we're interested in. To recover it:

$ sudo photorec /log
Password:
PhotoRec 7.0, Data Recovery Utility, April 2015

PhotoRec then takes over your terminal with its own screen:

PhotoRec 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/rdisk0 - 500 GB / 465 GiB (RO)
     Partition                  Start        End    Size in sectors
 2 P Unknown              409640   0  1 975503591   0  1  975093952 [Macintosh HD]


Pass 0 - Reading sector   74387313/975093952, 6/10 headers found
Elapsed time 0h08m58s - Estimated time to completion 1h48m34

Now all you have to do is wait. Photorec creates directories in the folder from which it is run. These directories are named recup_dir.*, where the asterisk is replaced with a number, and the folders are filled with recovered files.

$ ls -d ~/re*
/Users/bob/recup_dir.1335 /Users/bob/recup_dir.3194 /Users/bob/recup_dir.5052
/Users/bob/recup_dir.1336 /Users/bob/recup_dir.3195 /Users/bob/recup_dir.5053
/Users/bob/recup_dir.1337 /Users/bob/recup_dir.3196 /Users/bob/recup_dir.5054
/Users/bob/recup_dir.1338 /Users/bob/recup_dir.3197 /Users/bob/recup_dir.5055
<snipped>
/Users/bob/recup_dir.1339 /Users/bob/recup_dir.3198 /Users/bob/recup_dir.5056

Each directory is filled with files:

$ ls /Users/bob/recup_dir.5052
f580969344.jpg   f580974912.pyc  f580980568.pyc  f580981752.pl    f580982432.gz    
<snipped>
f580987152.txt   f580987848.txt

This makes it possible to use the normal file manipulation programs like find, grep & sed. If you're looking for a *.pdf file, say anything with chess in it:

$ find ~/pdf/ -name '*.pdf' -exec pdfgrep -n 'chess' '{}' \;
525:    such as chess and checkers.
530:strategic game, such as checkers or chess. We will use, as an example, the much simpler
533:            For more complex games, such as checkers and chess, it is obviously infeasible to
533:      the position. For instance, in a chess program, the evaluation function measures such vari-
533:      mizing this function. The best computer chess programs have surprisingly sophisticated
533:            Nevertheless, for computer chess, the single most important factor seems to be number
533:      For instance, in a chess endgame, where there are relatively few pieces, the time savings
<snipped>

And there you have it. You can use '-H' in the pdfgrep part of the expression above to get a list of files instead of line numbers; when you're examining many files like in the expression above this is a great help. If you have many files and directories you'll have to wait, just like you did when running photorec. Have fun restoring.
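Photorec's output is thousands of anonymous f*.ext files spread over many recup_dir.* folders, so it helps to know what is there before running find and pdfgrep over all of it. This added script, which is not part of the original post, tallies the recovered files by extension and lists the files of one type; the directory tree it works on is constructed with mktemp, and on a real run you would point it at the folder photorec was run from.

```shell
#!/bin/sh
# Added example (not from the post): tally what photorec left in the
# recup_dir.* directories by extension, then list the files of one type.
# The tree below is constructed; file names follow photorec's f<offset>.<ext>
# pattern but are made up for the example.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/recup_dir.1335" "$root/recup_dir.5052"
    for f in recup_dir.1335/f580969344.jpg recup_dir.1335/f580974912.pyc \
             recup_dir.5052/f580981752.pl  recup_dir.5052/f580987152.txt \
             recup_dir.5052/f580987848.txt recup_dir.5052/f580990001.pdf; do
        : > "$root/$f"
    done
    printf '%s\n' "$root"
}

# extension_tally DIR -> "count ext" lines, most common first
extension_tally() {
    find "$1" -path '*/recup_dir.*' -type f -name '*.*' |
        sed 's/.*\.//' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# count_of DIR EXT -> number of recovered files with that extension (0 if none)
count_of() {
    extension_tally "$1" | awk -v e="$2" '$2 == e {print $1; found = 1}
                                          END {if (!found) print 0}'
}

# files_of DIR EXT -> sorted paths, ready for e.g. xargs pdfgrep -H 'chess'
files_of() {
    find "$1" -path '*/recup_dir.*' -type f -name "*.$2" | sort
}
```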

July 01, 2016

The mad hat operator

Some stuff about the hat ^ operator. When I looked at this `buggar` I realised I hadn't used or seen it for many, many years, which when you take a test of some sort is pretty bad, because you look kind of lame when you get basic questions like this wrong.

It's not that I hadn't used the xor operator, I just never really took the time to dig into the operator since my days with boolean logic. So I decided to work a little on the mad ^. In most languages, like c/c++/java/python/bash and several others, ^ means bitwise xor, aka exclusive or. But in computer math ^ also means power of. The power-of operator is the c function known as pow() (see man pow for details).

Looking at a few simple examples, 10^9, 2^4, 5^7, 4^5, 3^3 and 5^0 seem to have simple answers.

10^9 = 1.000.000.000
2^4 = 128
5^7 = 78125
4^5 = 1024
3^3 = 27
5^0 = 1

All of the above are plain math answers, answers that should be part of anyone's math vocabulary. However, I'm not sure what the theory behind 3^0 and 5^0 both being 1 actually is. There's a theory on wikipedia that is really scientific and explains the details, and there's a more fun description here, however none of the articles say why x^0 is 1, they just claim it is. So why is it 1? Right about here I can hear all my previous teachers scream "because it is".

I guess the answer to the above equations is: "It depends". Whether you mean math or the binary operator. If you type any of the expressions above into any of the languages mentioned, you'll get completely different answers:

10^9 = 3
2^4 = 6
5^7 = 2
4^5 = 1
3^3 = 0
5^0 = 5

The cool statement of the math power-of is that 2^1, or as it is generally stated x^1, equals x. But in binary the answer is that it depends, since 2^1 = 3 and 3^1 = 2. Why is this? Well, the xor operator looks at the numbers in binary and only lets through the bits that are not the same. Binary 2 and binary 1 are 10 and 01 respectively. When you xor these you get:

10
01
--
11

11 is binary for 3. Xor 'promotes' or lets through only the ones that differ. Fine, but why is 3^1 = 2 then? Same simple answer:

11
01
--
10

Because any bits that are the same are set to zero. So 0^0 = 0 and 1^1 = 0. Somehow I guess I have to accept the 2^0 math explanation since I seem to understand how the binary thing works. But anything times 0 is zero, except x^0. Can we prove it? According to mathforum.org I guess we can:

x^0 = x^(1-1) = x^1 / x^1 = x/x = 1    (for any x other than 0, since the step divides by x)

Aka the law of exponents. The important thing for me is that the reason I didn't know is that I never needed to know for dealing with practical problems. But now that I did find mathforum.org in the process, I guess I should read it. Here's a small program madhat.c that plays with the ^ operator. Remember the answer, for how various expressions with this specific operator turn out, is: "it depends".
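Bash is one of the languages listed above where ^ is xor, so the two readings can be put side by side straight from the shell. This added script is not the post's madhat.c (which is not shown here): xor() uses the shell's own ^, pow() computes the power-of reading by repeated multiplication, and row() prints both for each pair in the tables above together with the bit patterns, so the xor rows can be checked by hand the way the post does for 2^1 and 3^1.

```shell
#!/bin/sh
# Added example (not the post's madhat.c): the same expression `a ^ b` is
# bitwise XOR in shell arithmetic (as in c/python/...), while the "power of"
# reading is computed with a loop. bin() prints the bit pattern so each XOR
# row can be checked by hand as the post does for 2^1 and 3^1.
xor() { echo $(( $1 ^ $2 )); }

# Repeated multiplication: x^0 is the empty product, 1, with no division by x
# needed (the x/x argument in the post assumes x is not 0).
pow() {
    r=1; i=0
    while [ "$i" -lt "$2" ]; do r=$(( r * $1 )); i=$(( i + 1 )); done
    echo "$r"
}

# Binary string of a non-negative integer, e.g. bin 5 -> 101
bin() {
    n=$1; s=""
    while [ "$n" -gt 0 ]; do s="$(( n % 2 ))$s"; n=$(( n / 2 )); done
    echo "${s:-0}"
}

# Left-pad a bit string with zeros to the given width
pad() { s=$1; while [ "${#s}" -lt "$2" ]; do s="0$s"; done; echo "$s"; }

# One line per pair showing both readings, e.g. row 2 1 prints
# 2^1: xor=3 pow=2 (10 xor 01 = 11)
row() {
    x=$(xor "$1" "$2")
    a=$(bin "$1"); b=$(bin "$2"); c=$(bin "$x")
    w=${#a}; [ "${#b}" -gt "$w" ] && w=${#b}; [ "${#c}" -gt "$w" ] && w=${#c}
    printf '%s^%s: xor=%s pow=%s (%s xor %s = %s)\n' "$1" "$2" "$x" \
        "$(pow "$1" "$2")" "$(pad "$a" "$w")" "$(pad "$b" "$w")" "$(pad "$c" "$w")"
}

# The pairs from the post's two tables, plus the 2^1 and 3^1 cases it works through
for pair in "10 9" "2 4" "5 7" "4 5" "3 3" "5 0" "2 1" "3 1"; do
    set -- $pair
    row "$1" "$2"
done
```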