Hak5 will be LIVE at Virginia Tech this Saturday, November 7th. Join us at 7:00 PM for the best of networking, hacking and homebrew and Q&A. We’ll be in Torgersen 2150 on the Virginia Tech campus in Blackburg, VA. Then later at 9:00 we’ll be for the first time experiencing Bar Golf, a VT tradition that we would love to see you at. So lock down your firewalls and get ready for some Technolust as Hak5 begins the campus invasion. See you there!

View Larger Map

Download HD Download MP4 Download XviD Download WMV

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003’s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

PS: Check out Player2Rentals.com.

Download HD Download MP4 Download XviD Download WMV

Put Mubix in a room with a whiteboard and prepare to take notes. Go grab yourself a copy of Metasploit, or build a BackTrack Virtual Machine and start playing. Mubix’s complete show notes can be found at Room362.com. Mubix also recommends the free Offensive Security course Metasploit Unleashed – Mastering the Framework.

Download HD Download MP4 Download XviD Download WMV

Moxie Marlinspike’s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

Download HD Download MP4 Download XviD Download WMV

Adding a touch screen to a LCD is pretty straight forward and fairy inexpensive. There are a few different places to get the touch screen kit, we got ours from ebay for around 80 bucks + shipping. Dealextreme.com has a small selection of smaller touch screen kit perfect for netbooks, because they come with a controller made to connect internally instead of external usb. When buying a kit to make sure it comes with the matching controller to avoid any head aches.

When it comes to desktop virtualization Matt and I think very differently. While I agree that VMware’s ESX and (free) ESXi solutions are killer, I can’t seem to justify the price of target=”_blank”>VMware Workstation when Sun’s Virtual Box is free, open source, full featured, super speedy and rock solid. Matt doesn’t agree.

Matt wouldn’t agree with my assessment, but he doesn’t write the show notes so I’ll just go ahead and link to this totally unbiased comparison.

Download HD Download MP4 Download XviD Download WMV

In this segment Tray Murphy, N4PAT, joins us in studio to introduce the basic concepts of Automatic Packet Reporting System — an amateur radio based digital communications system.

Tray continues to show us various hardware options for using the APRS system, including a Garmin 350 Nuvi “bug” and a GPS & Pic combo that would fit in a bread box.

We’ll be back in studio next week with Matt and Shannon and special guest Jason Appelbaum with a touchscreen LCD mod and a lot more.

Download HD Download MP4 Download XviD Download WMV

Thus far we’ve only spoken about implementing Virtual Private Networks using Point-To-Point Tunneling Protocol. While PPTP is a ok protocol for secure tunneling, at least in my experience it comes with a few gotchyas. Namely firewalls.

VPNs based on Secure Sockets Layer or SSL technologies are less encumbered by these restrictions. Certificates are already in the browsers and there is often no software to install. Secure, Easy, Versatile.

You can think of SSL VPNs as the Webmail of email. Rather than setting up a dedicated client like Outlook or Thunderbird to use POP3 or IMAP4 we’ll be using our web browser to access an https site.

SSL Explorer is a web based SSL VPN server. The technology was acquired by Barracuda Networks. Project named OpenVPN Application Layer Software (OpenVPN-ALS)

Windows Install

Can be sorta tricky so Lars Werner made an awesome installer using NSIS-Installer. Make sure you have the latest Java JRE.

Download, Run, Next, next, next, install, next,
Create certificate, Install Service, browse to https://server:28080 from client,
Login as admin and follow the certificate creation wizard.

System Configuration is basically the same on Linux or Windows.

Begin by setting up a LAMP and OpenSSH server. In this segment I used Ubuntu Server 8.04 32-bit.

Install Java JDK and configure paths.

sudo apt-get install sun-java6-bin and sun-java6-jdk
export JAVA_HOME=/usr/lib/jvm/java-6-sun
export PATH=$PATH:$JAVA_HOME/bin
java -version

Next install ant, which is kinda like make for Java.

sudo apt-get install ant

Then in /opt go ahead and download and install OpenVPN-ALS.

cd /opt
wget http://downloads.sourceforge.net/project/openvpn-als/adito/adito-0.9.1/adito-0.9.1-bin.tar.gz (note: at time of writing this was the latest version.)
sudo tar zxvf *.gz
cd adito-0.9.1/
ifconfig (remember this IP, you'll need it in a minute)
sudo ant install

From a browser go to http://:28080 and run the certificate wizard.

Once the wizard is complete the installer will finish. Now we’ll install OpenVPN-ALS as a service.

sudo ant install-service
sudo ant start

At this point we can stop and start the service using /etc/init.d/adito stop|start|restart.

You can now browse to the server’s IP on the port you configured in the setup wizard (default is 443 so simply prepend the IP by https://). Login with the super user account and you’ll be greeted by a management GUI. From here you can create accounts, groups, policies, and add resources. In this segment I configured an SSL Tunnel, a Network Place, and a Web Forward. For more details on configuration I advise consulting the SSL-Explorer Admin Guide (Zipped PDF). While the name has changed most of the functionality is the same. You may find additional documentation at the OpenVPN ALS forums.

Download HD Download MP4 Download XviD Download WMV

GPS Mashup

In this segment we’re joined by Bill from to talk about his clever mashup of his motovlog youtube videos and GPS data. Bill talks about motorcycle vlogging, goes over his equipment, and demonstrates his video technique. He then shows us via Dimdim how he uses Javascript, KML files and some code-fu to make a google map update in real time next to an embedded youtube video.

Virtual LANs

In this segment Matt explains the ins and outs of Virtual LANs and guides us through the setup of his Dell Powerconnect managed switches. If there is one thing he can’t stress enough it’s to ignore the web interface — thus far they’re all pretty much crap.

The first meeting will be held on Monday, September 28th at 8:00 PM Eastern Time (-5 GMT) in our Dimdim meeting room.

We’ll be broadcasting live via Dimdim, sharing segment ideas, answering questions and developing killer new projects.

We encourage you to join us for this first of many future Hak5 Lab events.

See you there!

See this post on the forums.

Download HD Download MP4 Download XviD Download WMV

Hacking into the Kindle Bootloader Part 1

This week, I’m introducing the bootloader Kindle 1st gen hack.

Equipment:
Kindle 1st Generation
A computah!
USB to Serial TTL Cable
20 pin 0.5 mm flat cable
1 pin Jumper cables

Programs:
Putty

Igor Skochinsky explains how to hack into the bootloader of the Kindle very nicely on his blog, Reverse Everything. He includes screenshots, photos, and descriptions of everything you need to know to do this hack.
Part 1
Part 2

If you have any questions, you can email me at snubs@hak5.org!

Windows VPN Servers

In this segment I demonstrate setting up a VPN server in Windows XP which is rather limited at 1 concurrent connection. I also demonstrate building a Routing and Remote Access VPN server in Windows Server 2003.

Open Source VPN Server

I’m a big fan of open source. I’m also an overwhelmed systems administrator that likes easy. And when it comes to VPNs in Linux, OpenVPN is the go to solution. That’s why I’m excited about OpenVPN Access Server — an set of installation and configuration tools that simplifies rapid deployment of a VPN solution.

In this segment I demonstrate setting up this nifty, lightweight and powerful server in a typical home user scenario. I also speak to the fact that it can integrate with Active Directory via LDAP or even a RADIUS server for authentication. The web based backend makes administration a breeze and the web frontend makes client setup even easier. All the clients have to do is login to a website and download a prepackaged and configured connection app for Windows, Mac or Linux.

This package makes it incredibly easy to deploy a VPN server. But it comes at a cost. OpenVPN-AS requires a license key for each concurrent connection. Two are provided for free and additional licenses are $10 ea. Still a far cry from a windows Client Access License!

In future segments we’ll be getting our hands dirty with OpenVPN standard as well as some other interesting VPN technologies so be sure to send your feedback, requests and flames to darren@hak5.org

Download HD Download MP4 Download XviD Download WMV

Merge folders with Winmerge

This open source Windows tool allows you to easily identify inconsistencies between two would-be identical directories and quickly make corrections, complete with keyboard shortcuts. Check out Winmerge

inSSIDer, an open source Windows WiFi Scanner

So in my never ending search for better and better utilities to make my life easier, I came across inSSIDer by metageek.

Which is basically a stripped down version of their Chanalyzer software.

Stripped down maybe, but extremely useful none the less? YES!

After performing a scan of my boss’s house who was plagued with signal drops and slow speeds, I came across the reason.

Interfering access points. His router was on channel 6, surrounded by half a dozen other access points.

So using the easy to read inSSIDer software I decided to put him on channel 11, where there were no other AP’s in range.

As soon as I made the switch, I had vastly improved signal strength, and no longer had drops walking through the house.

We’ll be running a review of the Wi-Spy products and metageek’s Chanalyzer in an upcoming episode.

LAN Party

This month’s LAN Party is Team Fortress 2 on Saturday, October 3rd, at game.hak5.org. Find all the LAN Party details at hak5lan.squarespace.com

Windows VPN connection as Service

One of the nice things about Windows Server is the built in VPN service — RRAS or Routing and Remote

Access. In this segment I demonstrate a way to connect one Windows Server to another utilizing a PPTP VPN

connection as a service. The built in VPN connection manager isn’t half bad.

A nifty feature is >the rasdial.exe program

which allows you to connect/disconnect a VPN profile from the command line. Pairing that with the AutoExNT service from the Windows Server

Resource Kit and you’ve got a VPN connection on boot, even before login.

Contest

This month’s contest is for the scatter brained and design concious desktop users. Share your desktop’s

over at Hak5.org/screenshot and be entered to

win leet Hak5 swag and Ashley Schwartau’s Hackers Are People Too DVD.