Download HD Download MP4 Download XviD Download WMV

Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?

As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.

Excerpt Darren Kitchen’s blog

ESXi & iSCSI

So the series I’ve been doing on ESXi has been getting nothing but great feedback, and I’m glad that I can share what I’ve learned over the course of the last couple years with everyone.

On episode 518 of Hak5, we show how truly easy it is to add iSCSI storage to a free deployment of ESXi.

So what is iSCSI?

In computing, iSCSI (pronounced /??s’k?zi/), is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a popular storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

In simpler terms, using some free software, it’s stupid easy to create a large amount of storage which is not tied to the physical adapter of the host server (in this case, the server ESXi is running on).

So what do we need?

• Functioning ESXi Installation
• Server capable of running FreeNAS
• Gigabit connectivity between ESXi server and FreeNAS

Now let’s get started. While it’s recommended to separate your iSCSI traffic from your other internet networking, for the purpose of this instruction, we’re just going to use the same IP subnet for all of our LAN and iSCSI traffic.

Our ESXi server sits at 10.10.1.55 and our newly installed FreeNAS server is located at 10.10.1.66

1. Connect to your FreeNAS server through the WebGUI using your favorite browser. In the top menu select Disks, then click Management.
2. Click on the plus sign in the lower right corner to add drives.
3. Next to Disk, choose the drive you want to add from the drop down, and if you want enter a description for it next to Description.
4. When you go back to the Disk Management screen you will be asked to confirm the addition by clicking on Apply changes, go ahead and do that now.
5. From the top menu choose Services, then iSCSI Target.
6. Click on the plus sign in the Extent area.
7. The Bolded fields are required, so place a name in the Extent name field, leave the Type as Device, and then choose the Device you want in the dropdown.
8. When you get back to the iSCSI Target page click on Apply changes.
9. Click on the plus sign in the Target area.
10. As before the Bolded fields are required. Here is a breakdown of the fields:

    Target name: Add your own or leave the default
    
    Flags: RW for Read/Write or RO for Read Only
    
    Storage: Will have the extents listed that were setup, choose the one you want to use
    
    Authorized Network: Enter the IP network that can access this drive. For us we’re going to enter 10.10.1.0 and we’ll leave the /24 as our subnet is 255.255.255.0

    Once you fill in all the info click on Add.

11. Back at the iSCSI target page you need to click on Apply changes once again.
12. Now place a check in the box next to Enable in the top right corner and then click Save and Restart in the bottom left.
13. The iSCSI Target drive is now setup and ready for use.

Now we need to setup ESXi to connect to our newly created iSCSI target.

Start by logging into your your host by using the Vitrual Infrastructure Client.

Click on your host, and then click the configuration tab.

Click Storage adapters, and then select your VMHBA32 iSCSI storage adapter.

Click properties and configure, then check the enabled box.

Goto the dynamic discovery tab, and add your FreeNAS IP address (in this case, 10.10.1.66)

Click ok, then close, and then rescan the HBA.

At this point you should see your storage, now we need to format the new storage.

So click back to the storage option on the left.

Then click Add Storage.

Select Disk / Lun, and click next.

Select your new disk on the FreeNAS iSCSI target, and next, next, finish.

DONE!

Questions? Post em in the comments!

Excerpt Matt Lestock’s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

True Crypt your entire harddrive!

Excerpt Shannon Morse’s blog

Download HD Download MP4 Download XviD Download WMV

In an effort to thwart hangovers the gang drops by DC’s Taven in Hoboken to geek out about Wifi and Virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA Tables out there for us with CoWPAtty. (And another little + is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords.

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

HakHouse Rover – Web Enabling a RC Tank

There comes a time in every geeks life when building a web enabled, crowd sourced, remote controlled vehicle is an imperative. For us that time is now.

The HakHouse rover project kicks off this week with the basics of controlling our inexpensive RC Tank. The toy itself was a mere $15 locally and this is important because cheap RC toys usually have cheap controls. Namely micro switches to control forwards, backwards, left and right. In this segment we break open the controller and solder leads to the board that correspond to movement.

Next we connect the leads with a Phidget Interface Kit. This little board talks to our PC via USB and has programming APIs for C/C++, Python and Java.

With a little hacked together C code in Linux we’re able to control the vehicle. If you’re a C coder we’d greatly appreciate your input on the code. It’s not very pretty at the moment.

Next we toss in a little PHP on Apache and control it from the web. I had originally slapped together a simple page with a form directed at php_self with an if isset and a case switch that initiated exec but it’s already been replaced by jzman’s sweet ajaxy code.

This projected is intended to be open source so I’ve got all the code, hardware and other details on our wiki. If you’d like to build one yourself or contribute ideas, code or otherwise it’s appreciated.

In the next installment of the HakHouse Rover project we’ll be installing a wireless web camera and laser turret to annoy our cat Kerby.

–Darren Kitchen

IP Renumbering w/PHP And A Compiler

In episode 424 a viewer question led to Darren and Matt discussing renumbering a whole subnet of Windows machines using the netsh command in a script, but how would you specify an IP for each machine with only one script? PHP to the rescue, because it’s not just for web pages anymore.

Since most Windows workstations don’t have PHP installed a compiler will let you prepare your code to run on systems that don’t have PHP installed.

First we have Roadsend PHP, which is available for Linux, FreeBSD, Mac OS X and Microsoft Windows. It’s released under GNU GPL, and it’s runtime libraries are GNU LGPL so compiled programs may be used for both open source and commercial projects.

Roadsend PHP is not just to package up your PHP into nice friendly bundles, it comes with Roadsend Studio, a full development environment (IDE) with support for the Glade interface builder (*nix/Win32), to give your PHP a GUI front end.

It supports PHP 4 and 5, and so far all the code I’ve compiled with it runs just as it would if launched from the command line using the php command. The only drawback to it is the compile process seems to take a while even on relatively small projects, and the file sizes are a little large (simple scripts weighing in at over 3MB); but if you want to stay in one environment from start to finish Roadsend will do the job.

Second is the Bambalam PHP EXE Compiler/Embedder, which as the name implies is for Windows only. Like Roadsend PHP, Bambalam PHP is free to use as it’s released under the PHP license, generates code that will run without a full PHP install, and with the use of the WindBinder library can produce programs with GUI front ends. That is about where the similarities end.

Bambalam is small, consisting of a hand full of files, and is only for the actual building of the executable code. Bring your own editor, debugger, GUI builder, and project manager. That’s not what Bambalam is for. What it is for, though, is producing small, fast programs out of any PHP that will run under PHP 4.4.4. The same +3MB code that Roadsend produced came in at just over 1MB with Bambalam, and under 700KB with compression turned on.

The problem my code solves is how to write one script to renumber a whole group of machines without having to issue a different version of the script to each machine. As this is more of a proof of concept we will assume that only the last octet of the IP address will be changing.

The command is issued with the following options:

<new IP> <subnet mask> <default gateway> [DNS] [WINS]

The new IP is given as the first three octets in xxx.xxx.xxx format, subnet and gateway will be a full four octets a peice. IP, DNS, and WINS can each be assigned as DHCP (using DHCP for IP preclueds the need for subnet and gateway). DNS and WINS can also be assigned as NONE so long as IP is not DHCP. Furthermore specifying WINS requires that some value be given for DNS.

If a new first three octets are given without specifying DNS or WINS and those values were already staticly assigned then the new first three octets will be used for those values as well. Also if IP is currently assigned via DHCP that can’t not be changed at this time.

Full source and future updates are available at http://www.elder-n00b.org/2009/02/ip-renumbering-wphp-and-compilers.html

Thanks to those who’ve contributed to the success of Hak5. Your donations are greatly appreciated!

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Dave Kennedy talks about Fast Track, a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network.

Michael Ossmann and Dominic Spill presented on Building an All-Channel Bluetooth Monitor using the USRP and a lot of awesome code. It turns out listening to 79 channels at once is harder than you think.

Joshua Abraham spoke to us about wireless network mapping with his tool GIS Kismet

Mister X, author of Aircrack-ng shares with us a glimpse of the future of wireless network cracking.

Johnny Long, security expert and author, talks to us about Hackers for Charity

Don’t forget to take the Hak5 Survey. This is the last week it’s running so please if you haven’t already take a moment to fill it out as it really helps us out.

Production Note

Video issues will be resolved by 403. We’re using new equipment and didn’t catch a nasty bug in our system until after the second shoot

Watch

Show Notes

Wi-Fi Pineapple

Why target individuals on a wireless network when you could have them come to you. Darren talks about the Jasager project, a small portable honey pot with a hunger for clients based on the La Fonera router. http://www.fon.com. Download Jasager.

Maltego

Mubix heads down to show us some fun new features in the open source forensics and intelligence gathering tool Maltego. Download at http://www.paterva.com or find in the latest version of BackTrack at http://www.remote-exploit.org. Read more in Mubix’s Maltego article at room362.

Audio-Surf

Shannon reviews the IGF award winning music game by Invisible Handlebar. Audio-Surf is like the result of F-Zero and Guitar Hero hooking up with the ability to import your own music. Single, 2-player and co-op modes make this highly addictive game one of our favorites. Available through steam at www.audio-surf.com

LAN Party

We’ll be hosting our first LAN Party this season all day Saturday, September 20th at game.hak5.org. Join in for some Counter-Strike: Source action. We’ll be shooting two episodes back to back that day so feel free to hit up the setcam at http://hak5.org and watch as we fumble lines and try not to team-kill.

Download MP4 Download Xvid Download WMV