Download HD Download MP4 Download XviD Download WMV

Port Tunneling and Socks5 Proxies with a Secure Shell (SSH)

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server

Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.

Usage

ssh user@server -L local-listen-port:destination-ip:destination-port

For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.

Bypassing site-blocking firewalls with your own private web proxy

The age old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course this is followed up by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can and it’s really freaking easy. In this segment Darren demonstrates PHProxy

Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes Followup from 6×12

On episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the handshake and response sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and provides you with the proper asleap command to run with the properly encoded byte sequences. Sc00bz has well documented the code, which lives now on this Hak5 forum thread. Thanks Sc00bz!

Deploying Virtual Appliances in minutes the open source way

A Virtual Appliance can be though of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at vmware’s virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for vmware, and deploy it with VirtualBox (just becasue I can).

Download HD Download MP4 Download XviD Download WMV

Merge folders with Winmerge

This open source Windows tool allows you to easily identify inconsistencies between two would-be identical directories and quickly make corrections, complete with keyboard shortcuts. Check out Winmerge

inSSIDer, an open source Windows WiFi Scanner

So in my never ending search for better and better utilities to make my life easier, I came across inSSIDer by metageek.

Which is basically a stripped down version of their Chanalyzer software.

Stripped down maybe, but extremely useful none the less? YES!

After performing a scan of my boss’s house who was plagued with signal drops and slow speeds, I came across the reason.

Interfering access points. His router was on channel 6, surrounded by half a dozen other access points.

So using the easy to read inSSIDer software I decided to put him on channel 11, where there were no other AP’s in range.

As soon as I made the switch, I had vastly improved signal strength, and no longer had drops walking through the house.

We’ll be running a review of the Wi-Spy products and metageek’s Chanalyzer in an upcoming episode.

LAN Party

This month’s LAN Party is Team Fortress 2 on Saturday, October 3rd, at game.hak5.org. Find all the LAN Party details at hak5lan.squarespace.com

Windows VPN connection as Service

One of the nice things about Windows Server is the built in VPN service — RRAS or Routing and Remote

Access. In this segment I demonstrate a way to connect one Windows Server to another utilizing a PPTP VPN

connection as a service. The built in VPN connection manager isn’t half bad.

A nifty feature is >the rasdial.exe program

which allows you to connect/disconnect a VPN profile from the command line. Pairing that with the AutoExNT service from the Windows Server

Resource Kit and you’ve got a VPN connection on boot, even before login.

Contest

This month’s contest is for the scatter brained and design concious desktop users. Share your desktop’s

over at Hak5.org/screenshot and be entered to

win leet Hak5 swag and Ashley Schwartau’s Hackers Are People Too DVD.

Download HD Download MP4 Download XviD Download WMV

With the dozens–or in the case of many administrators hundreds–of passwords one must use and remember every day, how is one to ensure a secure and original password every time? Sure you could come up with some crazy algorythm that involves information in the WHOIS record of the domain you’re logging into, or you could live in normal land and get a password safe. Shannon goes over her favorite free open source offering KeePass.

Using industry standard encryption to keep your passwords safe, KeePass is the most full featured password safe we’ve tested. With versions for just about every OS under the sun, including many smart phones, there is no reason to ever reuse a password again.

If you’re a fan of KeePass and have a story or plugin you want to sare with us be sure to hit up feedback@hak5.org!

When it comes to storing passwords on the back end, whether they be in a database or flat file, it’s important to keep ‘em salted. In this episode Darren goes over what Hash salting is — what it means to users, administrators, and would-be password crackers.

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

Download HD Download MP4 Download XviD Download WMV

Matt Lestock uses VMware Converter to take that ugly power hungry idle beast and turn it into a sleek and slim virtual machine, piped stright into your ESXi host.

Send your questions and feedback to matt@hak5.org

Darren Kitchen is cooking up a Linux based Java servlet container and HTTP web server with Apache Tomcat. While never distributions and package repositories can make setting up a Tomcat server a breeze, it’s nice to have an understanding of the manual process.

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

Download HD Download MP4 Download XviD Download WMV

Darren’s on a mission to mount a digital video camera to his motorcycle. While commercial options such as the $300 Vholdr Contour HD and $150 Oregon Scientific AT3K are available, why not build your own universal camera mount for about 5 bucks.

Continuing with the theme of rolling your own, why not build your own ESX/ESXi compatible virtual machine host? Matt builds one that fits inside a gym bag and walks us through setting up ESXi in about 10 minutes (give or take a few progress bars).

Rounding out the nearly free and useful bits this episode, Shannon shows us an open source video editing application that may be perfect for your light video editing needs. Avidemux is a light weight editor perfect for simple video trimming, filtering and encoding. It sports some really nice automation and job queing features and comes with profiles pre-configured for common formats such as MP4 for iPod, PSP, or Apple TV.

Download HD Download MP4 Download XviD Download WMV

While Shannon’s on vacation our friend Jenn Cutter from Open Alpha joins us to talk about the recent developments in PSP hacking and homebrew.

The PSP homebrew scene has grown more interesting over the past little while since the user base has been sectioned off into different camps based on the particular unit they purchased and whatever firmware they are using. Thanks to the efforts of Team Typhoon, ChickHEN (homebrew enabler) permits owners of all models to run the unofficial apps and games they’ve grown to love without touching the flash of the PSP, so there’s no worrying about turning it into a brick. No one likes expensive bricks. Keep in mind that ChickHEN is not a piracy tool so don’t expect to run any type of backups though it. Davee has the lowdown on the latest release which can be downloaded here. If you are curious or sceptical, feel free to check out video proof that it works on PSP 3000s.

–Jenn Cutter

Matt answers your questions about storage area networks and recommends QNAP. If you’re feeling hands on rolling your own is a great option too. Matt points out his favorite hardware like 3Ware RAID cards, Transcend IDE Flash Modules, and the Intel Storage Server SSR212MC2. Software wise it’s worth investigating Freenas, and SAN Melody.

Continuing on with Eighty’s segment on extracting windows executables from packet captures and Mubix’s segment on network tap analizers, Darren’s taking a look at the open source tool ngrep. If you’re familiar with grep you’ll be at home with this tool. Darren demonstrates using the tool to filter packets from a live capture using a Network Monkey. Alternatively it can be used with pcap files.

Don’t forget to check out our latest contest at Hak5.org/yourlan where the most creative network will win cozy Hak5 gear from our newly opened HakShop

Download HD Download MP4 Download XviD Download WMV

Show Notes

Common User Password Profiler

The Common User Password Profiler from Remote-Exploit is a password/passphrase generator specifically targeted as an individual user. Feed it some info like names, birth dates, spouce, children and pets and it will generate individually, or along with an existing dictionary, thousands of potential passwords. Just add water, feed to your favorite brute forcer and enjoy.

From personal experience I can vouch that, while simple sounding, this would have a HIGH success rate on some of my _former_ (L)users. Administrators take note and enforce BOFH password requirements

netcat – “The Swiss-army knife for TCP/IP”

When it comes to sending and receiving TCP and UDP any which way from the console nothing is more versatile or easy to use than netcat.

With a few simple commands you can use netcat to initiate chat, file transfer or even shell access in either direction between a “server” and a “client”.

The tool can be set to listen or broadcast on any port and tied together with some shell-fu almost anything is possible.

Some listener favorites include cloning hard drives over a network with dd and netcat, tailing a log across the network, port scanning, IP redirecting, or even spoofing user-agents and referrers. Internet Explorer 22 anyone?

Digininja points to this great netcat cheat sheet (PDF 128K).

What kind of crazy stuff have you done with netcat? Feedback@hak5.org

Shannon’s Wordpress Plugin Picks

Twitme

This plugin allows you to automatically post your new posts on the twitter website. This is good because the iPod and iPhone for example have a large amount of twitter clients to pick from. Your blog posts will arrive to people while they are walking the streets.

Socialite

Socialite allows your Wordpress posts to publish to Twitter, Facebook, and MySpace. Each social networking site can be enabled or disabled for publishing, and each is configured separately with their own options. Support for Short URL services such as zz.gd and Tinyurl.com is also supported.

Sociable

Automatically add links to your favorite social bookmarking sites on your posts, pages and in your RSS feed. You can choose from 99 different social bookmarking sites!

MobilePress

MobilePress is a WordPress plugin that will render your WordPress blog on mobile handsets, with the ability to use customized themes. The plugin also allows specific themes for specific devices / mobile browsers, such as iPhone, Opera Mini, Windows CE Mobile and other generic handset browsers.

Resize at Upload Plus

The plugin will automatically resize an image upon upload, depending on the maximum width and height that you define. Gone are the days when you, or your client, will ruin a site’s layout by uploading a huge file with 25 megapixels. Be advised: there is no backup, no copy of the originally uploaded image.

WP-Cache 2.0

WP-Cache is an extremely efficient WordPress page caching system to make your site much faster and responsive. It works by caching Worpress pages and storing them in a static file for serving future requests directly from the file rather than loading and compiling the whole PHP code and then building the page from the database. WP-Cache allows to serve hundred of times more pages per second, and to reduce the response time from several tenths of seconds to less than a millisecond.

Wordpress Backup

Backup the upload directory (images), current theme directory, and plugins directory to a zip file. Zip files optionally sent to email.

WP Security Scan

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

WP Ban

It will display a custom ban message when the banned IP, IP range, host name or referer url trys to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.

pixelstats

Count every viewer and every article view for each blog entry, no matter how and where it is read: pixelstats tracks views of each blog post or page, not only on a single article page but also on each other page where the complete article is shown, i.e. the blog front page, category pages, search result page, archive pages and even RSS fee

Thanks for watching, subscribing, and most of all supporting the show. Custom commissioned WiFi Pineapples running Jasager are still available.

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Free Instant Messaging Server

Openfire is by far the easiest Jabber implementation I’ve ever had the pleasure of installing, setting up and administering.

However, in utilizing open source licensing, and a great plugin API, Openfire is a lot more than just a Jabber server.

Another great use for Openfire is the ability to control corporate IM connectivity by setting it up as a gateway server between services like AIM & MSN and your users.

From a singular client, your users can have both their corporate and private contacts.

If you’re looking for a very powerful and easy to use corporate / public jabber implementation, you really should check out Openfire.

For more info on the setup of Openfire, check out my blog at MattLestock.com

–Matt

Wii Homebrew Update

As you may have noticed Nintendo released Wii System Menu 4.0 at GDC and with it comes a few changes to Wii homebrew.

First and foremost this means a sweet farewell to our friend the Twilight hack. It has served us well. If you update to 4.0 you won’t be able to use the Twilight hack to install the homebrew channel or other homebrew apps.

If you’re still a version behind your best to use the twilight hack now and install the homebrew channel and DVDX as they survive the update. After upgrading to 4.0 you’ll be able to continue using homebrew channel, download new homebrew from the homebrew browser, and add apps from SD.

New exploits are being researched by the homebrew community and we’ll keep you updated when a new process is developed for installing homebrew post 4.0.

Wii Homebrew picks this week are Snes9x GX — an awesome SNES emulator based on Snes9x. Brutal Mario — an excellent custom mario level with unique ASM hacks and bosses. And MTP Demo.

“Doom II” Skulltag

What can I say, I love Doom! One thing is for sure, I’m not the only one. The fine folks at Skulltag love Doom as well.

This month our LAN Party is Skulltag — an epic port of the original Doom and Doom II. It brings the classic first person shooter into the 21st century while maintaining the essence of what made Doom great for so many years. I highly recommend you check it out and get involved in this all-month-long LAN Party at doom.hak5.org.

If you don’t already have a copy of doom.wad or doom2.wad grab a legit copy from steam for $10 or grab the open source iWad FreeDoom!

Happy Fragging

Don’t forget to submit your questions@hak5.org and feedback@hak5.org and thanks for your contributions.

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Taking a trip around your network with Nmap

This week I talk about network scanning with the difinitive open source security scanner Nmap.

Scanning ones own network is ideal whether simply to know your neighbors or keep inventory of your assets. As a black hat it can be the first step in enumerating a target environment and looking for weaknesses.

In order to perform our scan we’ll simply need a copy of Nmap. It’s available for Windows, Mac, and just about every flavor of Linux, BSD and more. If you’re on a debian based system like Ubuntu a simple apt-get install nmap should do you good. If you’re looking for a security distribution with nmap (and a ton of other great tools) built in can’t speak highly enough of BackTrack. Version 4 beta was just recently released.

The underlying workings of Nmap are better explained in this guide but suffice it to say it takes advantage of TCP’s 3-way-handshake and other fancy raw packet tricks to find hosts and open ports. In this segment I set out to introduce the concept and get you started with a few basic examples. If you’re interested I recommend Nmap Network Scanning and the official man pages as further reading.

The segment details some commands and their usage in a searching for open MS terminal servers scenario. I highly encourage you to provide feedback either by way of email (darren AT hak5 d0t org) or on our forums. I enjoy doing segments like these but if you have any corrections (more than one way to skin a cat), suggestions for future topics or hacks of your own please let me know.

–Darren Kitchen

Obscure your OS Fingerprint

OSfuscate 0.3 by Irongeek is used to camaflouge or obscure your Windows OS. With this tool, it’ll show up like another OS of your choice, nothing at all, or even a printer. OSFuscate could be used if you are on a hostile network and need some sort of cloak while going along in your daily routine. It is important to note that this is not a fool proof method for hiding yourself on a network and should not be relied upon for security. however, as a layer of obscurity in addition to your regular security practices you may want to consider it.

It’s a simple process to set up OSFuscate on your machine. Go to Start->Run->Regedit. Back up your Parameters folder, found under System->CurrentControlSet->Services->Tcpip->Parameters. You can do this by simply right clicking on the folder, and choosing export. This is basically just to keep yourself form messing up your OS in the process and having no way to return it to normal. You’ll notice on Irongeek’s website that certain Parameter Registry keys will be subtly changed. You could do this by hand, but OSFuscate makes this task super simple. Open OSFuscate, and choose an OS that you want to pretend to be. Restart your computer and the differences should be in place! Now if someone running NMap snoops your computer, they’ll see some other OS other than what you actually have.

You can find more information at Irongeek’s Website. And as always, you can email me with any comments or suggestions.

as it really helps us out.

–Shannon Morse

Matt’s full review of the Napera N24 can be found on his blog at MattLestock.com.

Thanks for tuning into our season premiere episode. We’re very excited about all of the exciting new projects coming up in Season 5. We appreciate and encourage your feedback — especially on this episode’s fresh format, pace, and presentation. We strive to make this show better and better for you every week so let us know how we’re doing!

And a big thanks to those who’ve contributed to the success of Hak5. Your donations are greatly appreciated!

Production Note

This episode was plagued by the cabling mistake that made episode 4×01 dark and fuzzy. On a brighter note I’m happy to say episodes 4×03 and on look sharp and prettier.

Watch

Show Notes

Matt reviews SpiceWorks, a full featured open source infrastructure mapping suite. Grab a copy at spiceworks.com or check out Matt’s full review at MattLestock.com.

Chris Gerling dives into Reverse Engineering basics

In part 1 of Reverse Engineering I go over some basic theory and demo some tools associated with the Crackme scene of reverse engineering. This is not hardcore reverse engineering that will get you on the RELOADED team, but it’s a nice peek into things.

Tools of the trade (there are MANY MANY more):

WINDASM (W32DASM): I cannot link you to anything official as it’s no longer obtainable from the original vendor, so you’ll have to google for it. Be wary of any copy you download, virus scan it, and run it in a VM or on an isolated machine first. No guarantees.

IDA Pro: Industry standard. Extremely useful for almost any kind of file. We demo the older free version for lack of $500.
OllyDbg: Debugger similar to IDA Pro
PEiD: Detects packers, cryptors, and compilers.
.NET Reflector: Typically used for disassembling .NET applications.

Big Endian is akin to SONAR being sent as SON AR
Little Endian is akin to SONAR being sent as AR SON

Registers = Variables
32 bit = e
16 bit = different size, ax, bx, cx, dx, di, si, sp, bp
8 bit: al, ah, bl, bh, cl, ch, dl, dh. l means lower 8 bits of 16 bit reg, h means higher
Flags = boolean values, 1 or 0. Zero flag can get 0 or non zero (1) values.

The idea is to debug and disassemble to find out exactly how a program works, thereby enabling you to modify characteristics of that program to suit your needs.

In Part 2 we finish these notes and actually show you how to navigate through code.

Shannon talks about OpenDNS, a more secure and featureful alternative to your ISP provided DNS available at OpenDNS.com

Christine’s software pick this week is Calibrize, a nifty tool for simple color calibration.

Production Note

Video issues will be resolved by 403. We’re using new equipment and didn’t catch a nasty bug in our system until after the second shoot

Watch

Show Notes

Wi-Fi Pineapple

Why target individuals on a wireless network when you could have them come to you. Darren talks about the Jasager project, a small portable honey pot with a hunger for clients based on the La Fonera router. http://www.fon.com. Download Jasager.

Maltego

Mubix heads down to show us some fun new features in the open source forensics and intelligence gathering tool Maltego. Download at http://www.paterva.com or find in the latest version of BackTrack at http://www.remote-exploit.org. Read more in Mubix’s Maltego article at room362.

Audio-Surf

Shannon reviews the IGF award winning music game by Invisible Handlebar. Audio-Surf is like the result of F-Zero and Guitar Hero hooking up with the ability to import your own music. Single, 2-player and co-op modes make this highly addictive game one of our favorites. Available through steam at www.audio-surf.com

LAN Party

We’ll be hosting our first LAN Party this season all day Saturday, September 20th at game.hak5.org. Join in for some Counter-Strike: Source action. We’ll be shooting two episodes back to back that day so feel free to hit up the setcam at http://hak5.org and watch as we fumble lines and try not to team-kill.