Download HD Download MP4 Download XviD Download WMV

Port Tunneling and Socks5 Proxies with a Secure Shell (SSH)

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server

Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.

Usage

ssh user@server -L local-listen-port:destination-ip:destination-port

For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.

Bypassing site-blocking firewalls with your own private web proxy

The age old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course this is followed up by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can and it’s really freaking easy. In this segment Darren demonstrates PHProxy

Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes Followup from 6×12

On episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the handshake and response sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and provides you with the proper asleap command to run with the properly encoded byte sequences. Sc00bz has well documented the code, which lives now on this Hak5 forum thread. Thanks Sc00bz!

Deploying Virtual Appliances in minutes the open source way

A Virtual Appliance can be though of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at vmware’s virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for vmware, and deploy it with VirtualBox (just becasue I can).

Download HD Download MP4 Download XviD Download WMV

Adding a touch screen to a LCD is pretty straight forward and fairy inexpensive. There are a few different places to get the touch screen kit, we got ours from ebay for around 80 bucks + shipping. Dealextreme.com has a small selection of smaller touch screen kit perfect for netbooks, because they come with a controller made to connect internally instead of external usb. When buying a kit to make sure it comes with the matching controller to avoid any head aches.

When it comes to desktop virtualization Matt and I think very differently. While I agree that VMware’s ESX and (free) ESXi solutions are killer, I can’t seem to justify the price of target=”_blank”>VMware Workstation when Sun’s Virtual Box is free, open source, full featured, super speedy and rock solid. Matt doesn’t agree.

Matt wouldn’t agree with my assessment, but he doesn’t write the show notes so I’ll just go ahead and link to this totally unbiased comparison.

Download HD Download MP4 Download XviD Download WMV

Matt Lestock reviews BlueBear’s Adobe Air-based application for managing mixed virtualization environments. Kodiak currently supports VMware ESX servers with Citrix XenServer and Microsoft Hyper-V compatibility coming soon. This cross platform management application is pretty slick!

Darren Kitchen discusses the evolution of his favorite boot loader, Grub, and points out USB installation options and Grub2’s loopback option. He also discusses persistent changes, nested menus, and notes.

Darren also checks out LiveUSB, a tool that promises to automate the process of building a USB Multi Boot tool. Note: The site and application are all in French.

Download HD Download MP4 Download XviD Download WMV

Matt Lestock uses VMware Converter to take that ugly power hungry idle beast and turn it into a sleek and slim virtual machine, piped stright into your ESXi host.

Send your questions and feedback to matt@hak5.org

Darren Kitchen is cooking up a Linux based Java servlet container and HTTP web server with Apache Tomcat. While never distributions and package repositories can make setting up a Tomcat server a breeze, it’s nice to have an understanding of the manual process.

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

Download HD Download MP4 Download XviD Download WMV

Building the Ultimate White Box Server for under $2000

When it comes to building a white box server for ESXi your best resources are vm-help.com, UltimateWhiteBox.com, the VMware Compatibility Guide, and the VMware community.

We carefully selected ESXi supported components based on reliability and value. If this were the ultimate $3000 white box server we might have picked a server board with dual Xeon’s and ECC memory, but to keep it under that magic $2000 price point we went with beefy “desktop” components such as the Intel Core i7 920, the ASUS P6T Deluxe, and 12 GB of Corsair XMS3 memory.

Drive wise you can’t go wrong with the 3ware 9650SE-4LPML. It supports four SATA II drives in RAID 0, 1, 5, 10 or JBOD. It’s bigger brother the 9650SE-16ML sixteen channel SATA II controller is hot too — just at three times the price. The 9650SE isn’t supported out of the box by ESXi, however 3ware provides a knowledge base article and drivers necessary to add support for the card after your ESXi box is built.

Drive wise we picked up four Western Digital Caviar Black 1TB drives since they’re cheap and reliable.

To make things easy when installing all these components in our Rosewill RSV-Z4000 4U rackmount case we picked up a 4 Drive trayless how swap sata backplane from StarTech. IcyDock makes one too. This was the only $100 spent for convenience over performance/value, but anyone who has dealt with 5.25″ to 3.5″ mounting brackets will agree it’s worth every penny.

Rather than installing ESXi on the RAID, we used a 4GB USB drive from Patriot. The Xporter XT. It boasts really fast read/write times. I’m sure any old 1gb or larget USB drive would have done but they’re so cheap, why not?

We’re doing a little white box server contest. Winners will get all sorts of swag from the Hak5 Store. Check out all the details in the episode release thread at Hak5.org

Download HD Download MP4 Download XviD Download WMV

Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?

As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.

Excerpt Darren Kitchen’s blog

ESXi & iSCSI

So the series I’ve been doing on ESXi has been getting nothing but great feedback, and I’m glad that I can share what I’ve learned over the course of the last couple years with everyone.

On episode 518 of Hak5, we show how truly easy it is to add iSCSI storage to a free deployment of ESXi.

So what is iSCSI?

In computing, iSCSI (pronounced /??s’k?zi/), is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a popular storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

In simpler terms, using some free software, it’s stupid easy to create a large amount of storage which is not tied to the physical adapter of the host server (in this case, the server ESXi is running on).

So what do we need?

• Functioning ESXi Installation
• Server capable of running FreeNAS
• Gigabit connectivity between ESXi server and FreeNAS

Now let’s get started. While it’s recommended to separate your iSCSI traffic from your other internet networking, for the purpose of this instruction, we’re just going to use the same IP subnet for all of our LAN and iSCSI traffic.

Our ESXi server sits at 10.10.1.55 and our newly installed FreeNAS server is located at 10.10.1.66

1. Connect to your FreeNAS server through the WebGUI using your favorite browser. In the top menu select Disks, then click Management.
2. Click on the plus sign in the lower right corner to add drives.
3. Next to Disk, choose the drive you want to add from the drop down, and if you want enter a description for it next to Description.
4. When you go back to the Disk Management screen you will be asked to confirm the addition by clicking on Apply changes, go ahead and do that now.
5. From the top menu choose Services, then iSCSI Target.
6. Click on the plus sign in the Extent area.
7. The Bolded fields are required, so place a name in the Extent name field, leave the Type as Device, and then choose the Device you want in the dropdown.
8. When you get back to the iSCSI Target page click on Apply changes.
9. Click on the plus sign in the Target area.
10. As before the Bolded fields are required. Here is a breakdown of the fields:

    Target name: Add your own or leave the default
    
    Flags: RW for Read/Write or RO for Read Only
    
    Storage: Will have the extents listed that were setup, choose the one you want to use
    
    Authorized Network: Enter the IP network that can access this drive. For us we’re going to enter 10.10.1.0 and we’ll leave the /24 as our subnet is 255.255.255.0

    Once you fill in all the info click on Add.

11. Back at the iSCSI target page you need to click on Apply changes once again.
12. Now place a check in the box next to Enable in the top right corner and then click Save and Restart in the bottom left.
13. The iSCSI Target drive is now setup and ready for use.

Now we need to setup ESXi to connect to our newly created iSCSI target.

Start by logging into your your host by using the Vitrual Infrastructure Client.

Click on your host, and then click the configuration tab.

Click Storage adapters, and then select your VMHBA32 iSCSI storage adapter.

Click properties and configure, then check the enabled box.

Goto the dynamic discovery tab, and add your FreeNAS IP address (in this case, 10.10.1.66)

Click ok, then close, and then rescan the HBA.

At this point you should see your storage, now we need to format the new storage.

So click back to the storage option on the left.

Then click Add Storage.

Select Disk / Lun, and click next.

Select your new disk on the FreeNAS iSCSI target, and next, next, finish.

DONE!

Questions? Post em in the comments!

Excerpt Matt Lestock’s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

True Crypt your entire harddrive!

Excerpt Shannon Morse’s blog

Download HD Download MP4 Download XviD Download WMV

In an effort to thwart hangovers the gang drops by DC’s Taven in Hoboken to geek out about Wifi and Virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA Tables out there for us with CoWPAtty. (And another little + is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords.

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

Download HD Download MP4 Download XviD Download WMV

Darren’s on a mission to mount a digital video camera to his motorcycle. While commercial options such as the $300 Vholdr Contour HD and $150 Oregon Scientific AT3K are available, why not build your own universal camera mount for about 5 bucks.

Continuing with the theme of rolling your own, why not build your own ESX/ESXi compatible virtual machine host? Matt builds one that fits inside a gym bag and walks us through setting up ESXi in about 10 minutes (give or take a few progress bars).

Rounding out the nearly free and useful bits this episode, Shannon shows us an open source video editing application that may be perfect for your light video editing needs. Avidemux is a light weight editor perfect for simple video trimming, filtering and encoding. It sports some really nice automation and job queing features and comes with profiles pre-configured for common formats such as MP4 for iPod, PSP, or Apple TV.

Download HD Download MP4 Download XviD Download WMV

While Shannon’s on vacation our friend Jenn Cutter from Open Alpha joins us to talk about the recent developments in PSP hacking and homebrew.

The PSP homebrew scene has grown more interesting over the past little while since the user base has been sectioned off into different camps based on the particular unit they purchased and whatever firmware they are using. Thanks to the efforts of Team Typhoon, ChickHEN (homebrew enabler) permits owners of all models to run the unofficial apps and games they’ve grown to love without touching the flash of the PSP, so there’s no worrying about turning it into a brick. No one likes expensive bricks. Keep in mind that ChickHEN is not a piracy tool so don’t expect to run any type of backups though it. Davee has the lowdown on the latest release which can be downloaded here. If you are curious or sceptical, feel free to check out video proof that it works on PSP 3000s.

–Jenn Cutter

Matt answers your questions about storage area networks and recommends QNAP. If you’re feeling hands on rolling your own is a great option too. Matt points out his favorite hardware like 3Ware RAID cards, Transcend IDE Flash Modules, and the Intel Storage Server SSR212MC2. Software wise it’s worth investigating Freenas, and SAN Melody.

Continuing on with Eighty’s segment on extracting windows executables from packet captures and Mubix’s segment on network tap analizers, Darren’s taking a look at the open source tool ngrep. If you’re familiar with grep you’ll be at home with this tool. Darren demonstrates using the tool to filter packets from a live capture using a Network Monkey. Alternatively it can be used with pcap files.

Don’t forget to check out our latest contest at Hak5.org/yourlan where the most creative network will win cozy Hak5 gear from our newly opened HakShop

Download HD Download MP4 Download XviD Download WMV

Show Notes

Internet Redirection

Corporate and university firewalls can be a particular PITA — especially if you’re a gamer. And while SSH tunneling (even over DNS)or VPN technologies are often preferred, it is quite possible to “bounce” your traffic off an Internet Redirection server. Like a fancy proxy, rinetd allows you to specify incoming and outgoing IP and port. It features basic client access rules based on IP and even supports logging. In my segment I demonstrate accepting traffic on port 80 and transmitting it to an IRC server on port 6667.

Granted this isn’t going to fool your more complex firewalls that actually inspect packets — but if you’re just looking to get traffic through an open port I highly recommend giving rinetd a try.

–Darren

Steghide

Download a copy of Steghide. Extract the zip.

You want to hide a file. First thing you need is a file to hide it in. Choose a file – whether that be a music file, jpeg, word document… whatever – and save it inside the steghide folder, which was extracted from the zip folder. Also, save your file that you want to hide inside that same folder as well.
Open up your command prompt and open the steghide folder directory. Open the steghide.exe file. The last few rows of type will tell you how to embed and extract your hidden file.

Embedding:
Type into the command prompt: ’steghide embed -cf file.jpg (this is your regular file) -ef hiddenfile.txt’ (this is the file you want to hide).
Choose a Passphrase and you’re done! You’ll notice the original photo or music file has changed it’s byte size now that you’ve embedded something inside it.

Extracting:
Type into the command prompt: ’steghide extract -sf file.jpg’ and enter the passphrase. Now, you’ll see the extracted hidden file appear inside the same folder.
Your done! Simple, eh?

–Shannon

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Virtualization

So we’ve finally come to the point in which I’ve been worn down enough to begin highlighting some virtualization for you guys.

In this episode I kind of gave you a brief overview of a singular reason one would want to virtualize their infrastructure.

COST

Now more than ever I’m sure your CAPEX budgets are tightening or have vanished completely for this fiscal year.

Let’s take a real down and dirty look at the primary benefit of virtualization.

Last year I purchased a Dell server with the following specs for about $22,000

4x Quad-Core Xeon X7350 processors at 2.93GHz
128GB RAM
5x 15,000RPM 450GB SAS Hard Drives

Now as you can see this is a beast.

VMWare licensing costs for this server are about another $10,000. OUCH! However there’s more.

Right now I’m running 38 virtual machines on this server. With room for more.

Let’s say the average 1U server costs $1500. Where am I at from a pure cost perspective?

A) Virtual Environment – $32,000

B) Separate Physical machines – $57,000

This doesn’t take into account the virtual environment’s savings on things such as power consumption, or cooling.

Plus with another server, and a SAN you now have a Highly Available system for about the same cost as individual machines.

I know this was a brief overview of the primary benefits of virtualization, but I wanted to give you guys an idea of just what is accomplishable when you begin thinking virtually.

I’ll be bringing you a bunch more segments in the coming weeks ranging from SAN selection and implementation to building a cheap virtual environment at your house, so stay tuned for more!

–Matt Lestock

Contests

The Monkey Wallpaper contest is still going on. Entries are due by Friday, April 24th. The winner will be announced on next weeks episode, 511. You can find all the art work and submission details at Hak5.org/MonkeyContest. The winner will receive a deluxe sock monkey kit from SockMonkey.net!

This week we have a new contest — a code challenge. If you’re into PHP, Imagemagick, and gmail you’ll want to get involved. Entries are due by Friday, May 1st. The winner will be announced on episode 512. you can find all the details at Hak5.org/CodeChallenge. The winner will receive a copy of Mario Lurig’s PHP Book PHP Reference: Beginner to Intermediate PHP5.

Wii Homebrew News

Team Twiizers focus on BootMii

On the 16th Team Twiizers, the folks that brought us the Homebrew Channel, announced that they have shifted their focus to the BootMii project.

BootMii is system boots before the Wii System Menu and allows for complete low level control of the Wii, including launching the homebrew channel.

Team Twiizers expects to have a beta released within the coming weeks. So far it has been successfully installed on about a dozen Wiis.

We’ll have a hands on look when it becomes available.

USB Loader released

Earlier this month Waninkoko released USB Loader, an homebrew Wii app which allows you to backup game discs to USB Hard Drive or SD card run backed up games from said media without needing the original disc.

Obviously this tool has piracy potential written all over it but it’s also the fastest and most convenient option we’ve found for backing up games.

Last week we demoed nitrotux’s Wii Disc Dumper, a similar backup tool that took 10 hours to download a Dual-Layer Wii Disc in 6 parts.

The newly released USB Loader does that in 1/10th the time directly to a single ISO file. We’ll be using it today as part of our Wii 720p segment

Dolphin build 2962 released

On the 13th Dolphin build 2962 hit subversion. This latest build adds OpenAL audio support, the ability to frame dump to AVI, various bug fixes and a more powerful Xbox 360 controller rumble. Huzzah

Wii Homebrew Review

A lot has changed over the last four weeks since we started playing with Wii Homebrew so before we get into the latest — backing up Wii Games and playing them in HD on your PC — let’s review how we got here.

Currently the best method for installing Homebrew on your Wii is through a technique known as the Twilight Hack. This involves loading a special save-game for Zelda: Twilight Princess that causes a buffer overflow and code execution.

This method was thwarted by Nintendo’s recently released System Menu 4.0. If you haven’t updated your Wii already we advise you steer clear until the homebrew scene can come up with a new hack.

If you already have homebrew installed, such as the Homebrew Channel or DVD-X, updating to 4.0 doesn’t break those but we still advise against it.

The most essential homebrew app is the Homebrew Channel. It’s a breeze to install with the twilight hack and once installed you can use it to launch other homebrew apps from your SD card — no need to pull off the twilight hack every time you want to play a different homebrew app.

The Homebrew Browser is another essential as it allows you to download homebrew apps, games, utilities and demos right from your Wii’s Internet connection and onto your SD card.

A great list of homebrew apps can be found at the WiiBrew.org wiki. Details for pulling off these hacks can be found in our show notes and previous episodes.

USB SD Loader

The USB SD Loader from waninkoko is, IMHO, the easiest way to backup Wii games — far superior to the disc dumper we showed off on 509. That said, it should be known that in order to use the USB SD Loader you must modify your Wii using a wad manager — but you’ve already voided the warranty anyway right? It is also worth noting that as of writing it does not backup gamecube discs. For that you’ll need to stick to the disc dumper mentioned on 509.

In order to use the USB Loader you’ll need to install the USB Loader wad file using a wad manager. Once installed you’ll need to run the cios36 rev10 installer. Then ensure that the IOS36-64-v1024.wad file is in the root of your SD card and start the USB Loader from the new channel item in system menu.

You’ll have the option to format either an SD card or USB drive in WBFS. This will be the medium for storing and running backed up games. It’s probably not a good idea to format your regular homebrew SD card for this . I took the USB route opting to format a portable 320GB HDD. Once formatted, installing games is as simple as inserting the disc, pressing (+) on the wii remote and following the prompts. Typical single-layer discs take about an hour to copy.

In order to get the game off your removable hard drive and onto your computer in ISO form you’ll need to install the (windows only) WBFS Manager program. This program lets you select your removable drive and extract games as ISO images. You can also copy any ISOs you may have on your computer to the removable drive with this tool.

Dolphin Emulator

Once you have a legally copied ISO file on your computer you’ll want to install and configure Dolphin in order to play it.

The important bits to note about getting Dolphin to run properly is that you’ll need Microsoft Visual C++ 2008 Service Pack 1 (x86 or x64) installed. You’ll also need the DirectX March 2009 Runtime. Use the Microsoft DirectX Updater. It’s probably also a good idea to update your video drivers while you’re at it.

Dolphin itself is pretty easy to use. Like most emulators it features a plethora of control configurations and convenient save state options.

Thanks for watching, subscribing, and most of all supporting the show. Custom commissioned WiFi Pineapples running Jasager are still available.