Download HD Download MP4 Download XviD Download WMV

DHCP Exhaustion and DNS Man-in-the-Middle Attacks

Rather than your typical ARP based Man-In-The-Middle attack, Robin wood brings us two metasploit modules for both denial of service attacking a DHCP server and deploying a rogue DHCP server of your own with a DNS MiTM to boot. Check out the Metasploit DNS and DHCP Exhaustion – BETA at Digininja.org.

The JasagerInterceptor – a Pineapple Monkey mashup

This week we take a look within the community and highlight some of the awesome work done by Beakmyn. In an answer to Deathray’s thread on a Jasager with a network tap like the Interceptor, he brings you just such project. Behold the JasagerInterceptor. I’ve seen it with my own eyes at Shmoocon and I must say it’s a nifty bit of kit.

Moxie Marlinspike’s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server

Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.

Usage

ssh user@server -L local-listen-port:destination-ip:destination-port

For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.

Download HD Download MP4 Download XviD Download WMV

Port Tunneling and Socks5 Proxies with a Secure Shell (SSH)

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server

Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.

Usage

ssh user@server -L local-listen-port:destination-ip:destination-port

For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.

Bypassing site-blocking firewalls with your own private web proxy

The age old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course this is followed up by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can and it’s really freaking easy. In this segment Darren demonstrates PHProxy

Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes Followup from 6×12

On episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the handshake and response sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and provides you with the proper asleap command to run with the properly encoded byte sequences. Sc00bz has well documented the code, which lives now on this Hak5 forum thread. Thanks Sc00bz!

Deploying Virtual Appliances in minutes the open source way

A Virtual Appliance can be though of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at vmware’s virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for vmware, and deploy it with VirtualBox (just becasue I can).

Download HD Download MP4 Download XviD Download WMV

Moxie Marlinspike’s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

Download HD Download MP4 Download XviD Download WMV

Show Notes

While Matt’s busy moving into his new house Mubix of Room362 fills in with an awesome segment on analyzing data from packet captures or live network taps using Network Miner and Net Witness.

Darren’s taking Chad’s advice and using netcat with mpg123 to stream music from the console.

Plus Shannon has the skinny on unlocking your Wii and installing homebrew even if you’re running the new System Menu 4.0.

And don’t forget to check out our latest contest at Hak5.org/yourlan where the most creative network will win cozy Hak5 gear from our newly opened HakShop

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Twilight Hack

Wii Homebrew

You need a few things:

• wii
• wii mote controller
• computer
• internet access
• small sd card formatted as FAT.
• Zelda Twilight Princess for Wii

The Wii Brew Wiki
Homebrew Channel

How to install the Wii Homebrew Channel on your Wii using the Twilight Hack.

Download the Twilight Hack. There are two versions, one for Wii system 3.3, and one for 3.4. I haven’t updated mine, so I’m still on 3.3.

Download the Homebrew Channel zip file.

Also, if you want, go ahead and download some apps from the HackMii website. I suggest the Homebrew Browser so you dont have to copy apps to the SD card every time you wanna download something new.

You’ll need a small SD card 2 gig or smaller. Make sure to format your SD card as FAT. Do to this, right click on the SD card, and choose format. Simple!

Put the SD card in your Wii, then turn it on. Go to the Wii Options–>Data management–>Save Data–>Wii section of the menu. Find your Zelda: Twilight Princess saved file, and copy it. If you havent played it yet, you might not have a saved file, so go ahead and play a bit. Put your SD card in your computer and copy the “Private” folder from the card to your comp, just in case you may need it in the future.

Move the homebrew executable that you extract from the zip file to your SD card root directory and save it as boot.dol or boot.elf.

Also, save the Twilight Hack Private folder from the extracted zip file to your SD card.

Now, check out your Twilight Princess game CD. It should have some hard to read serial numbers inscribed on the inner circle. Match this serial with the corresponding “Save slot”.

RVL-RZDE-0A-0 JPN/private/wii/title/rzde/data.binTwilightHack0RVL-RZDE-0A-0 USA/private/wii/title/rzde/data.binTwilightHack0RVL-RZDE-0A-2 USA/private/wii/title/rzde/data.binTwilightHack2

Region	Inner circle text	File	Save slot
Europe/Australia	RVL-RZDP-0A-0 JPN	/private/wii/title/rzdp/data.bin	Twilight Hack
Asia (JPN)	RVL-RZDJ-0A-0 JPN	/private/wii/title/rzdj/data.bin	Twilight Hack
America (USA)
America (USA)
America (USA)

Inside the private–>wii–>title folder are 3 folders with letters corresponding to the serials. Delete the two that don’t match your cd.

Put your SD card back in the Wii. Go to Wii Options–>Data management–>Save Data–>Wii and erase the Zelda save now. Open the SD card menu and choose Twilight Hack. Copy to the Wii.

Stick your game CD in your Wii and boot up Zelda! Choose the save slot that corresponds with your serial. Mine was TwilightHack0. Go ahead and skip the intro, it doesn’t hurt the hack. Once you see Link as a playable character, either walk backwards or talk to the guy in front of you. This will start up the hack install process, so just choose “Agree” to everything.

You’re done! Now you can play on the homebrew channel. Yay!

Get the homebrew browser so you can download apps straight from the channel instead of shuffling your SD card around.

To do that, simply stick the sd in your computer and create a folder called apps. Copy the homebrew browser folder and its contents over to the sd and back it goes to your wii!

If you have some cool homebrew for the Wii, tell me about it or ask me any questions at Snubs@hak5.org.

Don’t forget to submit your questions@hak5.org and feedback@hak5.org and thanks for your contributions.

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Our friend digininja is at it again. On this episode we feature Robin Wood’s latest hack based on none other than the Fon+ wireless router.

Interceptor is a wireless wired network tap. Simply put you place it in line on an ethernet cable, then connect to it via a special wireless access point. Once connected and running the Interceptor scripts you’ll be able to sniff all of the traffic passing across the wire.

Interceptor doesn’t affect TTL and adds minimal latency to packets. It doesn’t associate to the target network so discovering an active Interceptor on your LAN isn’t trivial.

This tool is perfect for pen testers. The device inexpensive, based on the Fon+ router and using open source software. It is small enough to fit behind a network wall plate, inside a plush monkey, or even inside a network switch or other gear.

In this episode we demonstrate the usage, illustrate the installation and speak with the developer Robin Wood.

You can download the software and play with it yourself from digininja.org/interceptor and find support and discussion at the Hak5 Interceptor Forum.

Thanks for watching, subscribing, and most of all supporting the show. On a related note custom commissioned WiFi Pineapples running Jasager are now available.

We return next week with a regular format show. Don’t forget to submit your questions@hak5.org and feedback@hak5.org and trust your technolust!