Download HD Download MP4 Download XviD Download WMV

Port Tunneling and Socks5 Proxies with a Secure Shell (SSH)

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server

Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.

Usage

ssh user@server -L local-listen-port:destination-ip:destination-port

For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.

Bypassing site-blocking firewalls with your own private web proxy

The age old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course this is followed up by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can and it’s really freaking easy. In this segment Darren demonstrates PHProxy

Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes Followup from 6×12

On episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the handshake and response sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and provides you with the proper asleap command to run with the properly encoded byte sequences. Sc00bz has well documented the code, which lives now on this Hak5 forum thread. Thanks Sc00bz!

Deploying Virtual Appliances in minutes the open source way

A Virtual Appliance can be though of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at vmware’s virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for vmware, and deploy it with VirtualBox (just becasue I can).

Download HD Download MP4 Download XviD Download WMV

This week we take the show on the road and perform live in Blacksburg, VA at Virginia Tech! Go Hokies and special thanks to Tim Tutt and John Ryding.

We had a blast talking tech on stage for nearly two hours, answering questions and hanging out with fans. The full show is too long to air but we hope you enjoy these snippets.

And of course, if you’re intested in having Hak5 speak at your club or university, contact us.

Hak5 will be LIVE at Virginia Tech this Saturday, November 7th. Join us at 7:00 PM for the best of networking, hacking and homebrew and Q&A. We’ll be in Torgersen 2150 on the Virginia Tech campus in Blackburg, VA. Then later at 9:00 we’ll be for the first time experiencing Bar Golf, a VT tradition that we would love to see you at. So lock down your firewalls and get ready for some Technolust as Hak5 begins the campus invasion. See you there!

View Larger Map

Download HD Download MP4 Download XviD Download WMV

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003’s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

PS: Check out Player2Rentals.com.

Download HD Download MP4 Download XviD Download WMV

Put Mubix in a room with a whiteboard and prepare to take notes. Go grab yourself a copy of Metasploit, or build a BackTrack Virtual Machine and start playing. Mubix’s complete show notes can be found at Room362.com. Mubix also recommends the free Offensive Security course Metasploit Unleashed – Mastering the Framework.

Download HD Download MP4 Download XviD Download WMV

Moxie Marlinspike’s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

Download HD Download MP4 Download XviD Download WMV

Adding a touch screen to a LCD is pretty straight forward and fairy inexpensive. There are a few different places to get the touch screen kit, we got ours from ebay for around 80 bucks + shipping. Dealextreme.com has a small selection of smaller touch screen kit perfect for netbooks, because they come with a controller made to connect internally instead of external usb. When buying a kit to make sure it comes with the matching controller to avoid any head aches.

When it comes to desktop virtualization Matt and I think very differently. While I agree that VMware’s ESX and (free) ESXi solutions are killer, I can’t seem to justify the price of target=”_blank”>VMware Workstation when Sun’s Virtual Box is free, open source, full featured, super speedy and rock solid. Matt doesn’t agree.

Matt wouldn’t agree with my assessment, but he doesn’t write the show notes so I’ll just go ahead and link to this totally unbiased comparison.

Download HD Download MP4 Download XviD Download WMV

In this segment Tray Murphy, N4PAT, joins us in studio to introduce the basic concepts of Automatic Packet Reporting System — an amateur radio based digital communications system.

Tray continues to show us various hardware options for using the APRS system, including a Garmin 350 Nuvi “bug” and a GPS & Pic combo that would fit in a bread box.

We’ll be back in studio next week with Matt and Shannon and special guest Jason Appelbaum with a touchscreen LCD mod and a lot more.

Download HD Download MP4 Download XviD Download WMV

Thus far we’ve only spoken about implementing Virtual Private Networks using Point-To-Point Tunneling Protocol. While PPTP is a ok protocol for secure tunneling, at least in my experience it comes with a few gotchyas. Namely firewalls.

VPNs based on Secure Sockets Layer or SSL technologies are less encumbered by these restrictions. Certificates are already in the browsers and there is often no software to install. Secure, Easy, Versatile.

You can think of SSL VPNs as the Webmail of email. Rather than setting up a dedicated client like Outlook or Thunderbird to use POP3 or IMAP4 we’ll be using our web browser to access an https site.

SSL Explorer is a web based SSL VPN server. The technology was acquired by Barracuda Networks. Project named OpenVPN Application Layer Software (OpenVPN-ALS)

Windows Install

Can be sorta tricky so Lars Werner made an awesome installer using NSIS-Installer. Make sure you have the latest Java JRE.

Download, Run, Next, next, next, install, next,
Create certificate, Install Service, browse to https://server:28080 from client,
Login as admin and follow the certificate creation wizard.

System Configuration is basically the same on Linux or Windows.

Begin by setting up a LAMP and OpenSSH server. In this segment I used Ubuntu Server 8.04 32-bit.

Install Java JDK and configure paths.

sudo apt-get install sun-java6-bin and sun-java6-jdk
export JAVA_HOME=/usr/lib/jvm/java-6-sun
export PATH=$PATH:$JAVA_HOME/bin
java -version

Next install ant, which is kinda like make for Java.

sudo apt-get install ant

Then in /opt go ahead and download and install OpenVPN-ALS.

cd /opt
wget http://downloads.sourceforge.net/project/openvpn-als/adito/adito-0.9.1/adito-0.9.1-bin.tar.gz (note: at time of writing this was the latest version.)
sudo tar zxvf *.gz
cd adito-0.9.1/
ifconfig (remember this IP, you'll need it in a minute)
sudo ant install

From a browser go to http://:28080 and run the certificate wizard.

Once the wizard is complete the installer will finish. Now we’ll install OpenVPN-ALS as a service.

sudo ant install-service
sudo ant start

At this point we can stop and start the service using /etc/init.d/adito stop|start|restart.

You can now browse to the server’s IP on the port you configured in the setup wizard (default is 443 so simply prepend the IP by https://). Login with the super user account and you’ll be greeted by a management GUI. From here you can create accounts, groups, policies, and add resources. In this segment I configured an SSL Tunnel, a Network Place, and a Web Forward. For more details on configuration I advise consulting the SSL-Explorer Admin Guide (Zipped PDF). While the name has changed most of the functionality is the same. You may find additional documentation at the OpenVPN ALS forums.

Download HD Download MP4 Download XviD Download WMV

GPS Mashup

In this segment we’re joined by Bill from to talk about his clever mashup of his motovlog youtube videos and GPS data. Bill talks about motorcycle vlogging, goes over his equipment, and demonstrates his video technique. He then shows us via Dimdim how he uses Javascript, KML files and some code-fu to make a google map update in real time next to an embedded youtube video.

Virtual LANs

In this segment Matt explains the ins and outs of Virtual LANs and guides us through the setup of his Dell Powerconnect managed switches. If there is one thing he can’t stress enough it’s to ignore the web interface — thus far they’re all pretty much crap.

The first meeting will be held on Monday, September 28th at 8:00 PM Eastern Time (-5 GMT) in our Dimdim meeting room.

We’ll be broadcasting live via Dimdim, sharing segment ideas, answering questions and developing killer new projects.

We encourage you to join us for this first of many future Hak5 Lab events.

See you there!

See this post on the forums.