Download HD Download MP4 Download XviD Download WMV

Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?

As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.

Excerpt Darren Kitchen’s blog

ESXi & iSCSI

So the series I’ve been doing on ESXi has been getting nothing but great feedback, and I’m glad that I can share what I’ve learned over the course of the last couple years with everyone.

On episode 518 of Hak5, we show how truly easy it is to add iSCSI storage to a free deployment of ESXi.

So what is iSCSI?

In computing, iSCSI (pronounced /??s’k?zi/), is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a popular storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

In simpler terms, using some free software, it’s stupid easy to create a large amount of storage which is not tied to the physical adapter of the host server (in this case, the server ESXi is running on).

So what do we need?

• Functioning ESXi Installation
• Server capable of running FreeNAS
• Gigabit connectivity between ESXi server and FreeNAS

Now let’s get started. While it’s recommended to separate your iSCSI traffic from your other internet networking, for the purpose of this instruction, we’re just going to use the same IP subnet for all of our LAN and iSCSI traffic.

Our ESXi server sits at 10.10.1.55 and our newly installed FreeNAS server is located at 10.10.1.66

1. Connect to your FreeNAS server through the WebGUI using your favorite browser. In the top menu select Disks, then click Management.
2. Click on the plus sign in the lower right corner to add drives.
3. Next to Disk, choose the drive you want to add from the drop down, and if you want enter a description for it next to Description.
4. When you go back to the Disk Management screen you will be asked to confirm the addition by clicking on Apply changes, go ahead and do that now.
5. From the top menu choose Services, then iSCSI Target.
6. Click on the plus sign in the Extent area.
7. The Bolded fields are required, so place a name in the Extent name field, leave the Type as Device, and then choose the Device you want in the dropdown.
8. When you get back to the iSCSI Target page click on Apply changes.
9. Click on the plus sign in the Target area.
10. As before the Bolded fields are required. Here is a breakdown of the fields:

    Target name: Add your own or leave the default
    
    Flags: RW for Read/Write or RO for Read Only
    
    Storage: Will have the extents listed that were setup, choose the one you want to use
    
    Authorized Network: Enter the IP network that can access this drive. For us we’re going to enter 10.10.1.0 and we’ll leave the /24 as our subnet is 255.255.255.0

    Once you fill in all the info click on Add.

11. Back at the iSCSI target page you need to click on Apply changes once again.
12. Now place a check in the box next to Enable in the top right corner and then click Save and Restart in the bottom left.
13. The iSCSI Target drive is now setup and ready for use.

Now we need to setup ESXi to connect to our newly created iSCSI target.

Start by logging into your your host by using the Vitrual Infrastructure Client.

Click on your host, and then click the configuration tab.

Click Storage adapters, and then select your VMHBA32 iSCSI storage adapter.

Click properties and configure, then check the enabled box.

Goto the dynamic discovery tab, and add your FreeNAS IP address (in this case, 10.10.1.66)

Click ok, then close, and then rescan the HBA.

At this point you should see your storage, now we need to format the new storage.

So click back to the storage option on the left.

Then click Add Storage.

Select Disk / Lun, and click next.

Select your new disk on the FreeNAS iSCSI target, and next, next, finish.

DONE!

Questions? Post em in the comments!

Excerpt Matt Lestock’s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

True Crypt your entire harddrive!

Excerpt Shannon Morse’s blog

Download HD Download MP4 Download XviD Download WMV

In an effort to thwart hangovers the gang drops by DC’s Taven in Hoboken to geek out about Wifi and Virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA Tables out there for us with CoWPAtty. (And another little + is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords.

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

Watch

Show Notes

Is WPA Broken? Interesting stuff coming out of PacSec this year. Ars has a great writeup about it our check out Martin Beck and Erik Tews’ paper Practical attacks against WEP and WPA (PDF). There is a proof of concept tool available from the Aircrack-NG folks. Take a look at Tkiptun-ng. At time of writing the tool is not fully functional. Something to keep an eye on.

Steve P. writes to us about the Helmer beowulf cluster. This 6xCore2Quad is sure to make any geek smile. Kitty approved too! While stuffing a personal cluster into an Ikea cabinet is novel in and of itself the mad scientist behind it has thought some insane cluster designs including the 50 tflop Helmer 2 and the 4 pflop Helmer 3. All I can say is I want one. Thanks for the links Steve.

Darren enjoys a Bondages’ No Problem while Matt and Shannon stick with the margaritas.

More importantly Darren talks about Session Hijacking and demos a tool from Errata Security called Hamster and Ferret that, in conjunction with the latest 2.0 build of Jasager, an ICS’d EVDO connection and Tftpd32 we’re able to “sidejack” with our little man-in-the-middle setup. Lesson learned? Be suspicious of any wifi. Check for signatures of trusted networks and tunnel your traffic. We’ll come back to this topic with a more indepth segment on Jasager detection and traffic encryption soon.

A note on trivia. Please answer trivia questions on the Hak5 forums from now on. We would love to continue doing dual winners but with growing prize costs we cannot. Also, if you’re interested in volunteering to help with trivia code challenges lend a hand in the Dev5 board.

Matt shows us how to convert a physical server into a virtual server locally using the free VMware converter tool and talks about some of the concerns you must consider when preparing to virtualize. If you have virtualization questions hit up Matt and we’ll cover ‘em on future segments. Matt at Hak5 d0t org.

Alex W. writes with a question about screen recording. We highly recommend the open source Camstudio as well as FRAPS and Techsmith’s Camtasia Studio (warning: sticker shock may occur at techsmith.com). Paul (our “camera guy”) suggests checking out the new screen capturing functionality of the latest verison of VLC, especially if you’re on the Linux or Mac side.

As always we’d love to hear your feedback. Your questions, comments or concerns can be directed to HakHouse.com. It’s a crazy interactive project we’re working on. Just wait ’till we get the web-enabled robots up in there.

Trust your Technolust

Download MP4 Download Xvid Download WMV

Production Notes

Special uber thanks go to Ashley Witt for cleaning up our poor audio. I’m sure next episode will be slightly less frantic as we settle into the new place. Keep an eye on Hak5.org for updates on future live shows this month.

Sponsors

Get awesome web hosting from the pros at Dreamhost and receive $25 off your order when you enter coupon code HAK5! Plans start at $7.95/mo including 500 GB storage, 5 TB bandwidth, and one-click installs of popular software like Wordpress, phpBB, and MediaWiki.

Keep your personal information away from spammers, hackers and your crazy ex-evilserver. Private Domain Registration from GoDaddy.com protects your privacy by keeping your address, phone number and more out of the public database. Get an additional 10% on your order when you enter coupon code HAK.