Hak5 905 – Cloud backups with Amazon S3, Man-in-the-middle attacks made easy, Network Enumeration & Hash Cracking and more…

Shannon shows us how to perform ARP cache poisoning attacks with ease. Jason joins us for a little cloud backup action using Perl and Amazon S3. Darren covers cracking the code: network enumeration and hash cracking, plus promiscuous mode WiFi cards, hacked Canon EOS firmware, and a whole lot more.


Hacker Headlines

In a report by the University of California, San Diego and the University of Washington, scientists have discovered ways to remotely take over your car. This hasn’t happened out in the wild just yet, but they bought a car and put it through a whole bunch of hacks. Cars nowadays come with cellular connections and Bluetooth technology. So a hacker could potentially remotely take over the locks, brakes, etc., or track the vehicle’s location.

Full disk encryption for both internal memory and Secure Digital cards is coming to Android by way of WhisperCore, an app from Whisper Systems. Moxie Marlinspike, co-founder and CTO of Whisper Systems, demonstrated the beta of a 256-bit AES encryption system on a Nexus S phone recently. WhisperCore is expected to roll out for other Android devices as a free-for-personal-use app with corporate pricing to follow. You may remember Marlinspike from such tools as sslstrip, googlesharing, and the cloud cracking service wpacracker.

Sn0wbreeze 2.3 just came out for all your Apple jailbreaking needs… or some of them at least. This tool will let you jailbreak your iPhone, iPad, or iPod using iOS 4.3 on Windows, but it requires tethering. Redmond Pie, the creators of the jailbreak, say you can also use the PwnageTool if you don’t feel like using Windows.

Twitter finally jumped on the SSL bandwagon. Following in the footsteps of Facebook, and after the “OMGs my packets can be sniffed” awakening that was Firesheep, you can now use HTTPS to log in to the social networking service. In fact there is even an option under account settings to always use HTTPS. Good on ya, Twitter, for making SSL an opt-in feature. In related news, SSLSTRIP still works.

Make your friends believe you really are one of the X-Men! Or, close to one… The guys at the London Makerfaire 2011, Hackerspace and Brightarcs used a Kinect to make Tesla coils react to your every move. And where did they get the idea? Oh, at the local pub of course. It’s called the Evil Genius Simulator. Win.

Road Test: Magic Lantern Firmware

When it comes to extending the life of your digital camera, nothing does more than installing a custom ROM. The Magic Lantern firmware for the T2i and the 5D Mark II has done just that for me. Even though the firmware is still in beta, after 4 months it’s really proven to be a strong tool set. However, it’s not for everyone; there are some downsides: sometimes the camera locks up when switching modes and requires its battery to be pulled, and the menu is not perfect and can cause artifacts to remain on screen until restart. The tools that it brings to the table more than make up for it; they include an audio meter, custom safe zone overlays, mic input levels and the ability to record the mic input on the left track while recording the on-board mic on the right channel. All in all I recommend it; however, if the idea of your camera freezing scares you, it’s not quite ready for you just yet. However, it just came out of beta on the 13th of March and I can’t wait to try it out.

Cracking the Code: Network Enumeration and Hash Cracking

Darren covers how the last crack the code challenge was completed using a bit of network enumeration and hash cracking. You can download the payload and play along at home.


Last Week: This composer of Blade Runner was an inspiration to the recently released OST by Daft Punk of Tron Legacy? The answer was Vangelis. This week’s question is: In Season 5 of X Files, Esther Nairn is the creator of what ‘narly’ entertainment software? Answer at hak5.wpengine.com/trivia for your chance at some swag!

Cloud backups with Perl and Amazon S3

In this segment Jason shows us how to set up Perl scripts to automate backups to an Amazon S3 account.


  • Install Ruby
    • sudo apt-get install ruby
  • Check that Ruby is installed
    • ruby -v
  • Now get the s3sync Ruby scripts
    • wget http://s3.amazonaws.com/ServEdge_pub/s3sync/s3sync.tar.gz
    • tar xvzf s3sync.tar.gz
    • rm s3sync.tar.gz
    • cd s3sync
  • Create the target directory /s3backup

Edit s3config.yml with your Access Key ID and Secret Access Key.
Once that’s done we are good to go: build out our script to dump the backup files into the target folder, then trigger the sync.

Now that we have our backup script working, let’s drop it into the cron folder and automate this. Now you have a bulletproof backup. We have been using it for hak5.wpengine.com for some time now and it’s saved us on more than one occasion. If you have any questions about this or any of the other segments you have seen on today’s show, email us at [email protected]
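The script itself is not included in these notes. The following is an added example, not the script from the show: a minimal shell version of the dump-then-sync job that refuses to run when s3config.yml is readable by other users. SRC_DIR, S3_BUCKET, the default paths and the cron line are assumptions; the S3CONF variable and the -r and --ssl options are taken from the s3sync README.

```shell
#!/bin/sh
# Added example, not the show's script. SRC_DIR, S3_BUCKET and the default
# paths are assumed names; S3CONF is the directory s3sync searches for
# s3config.yml (per the s3sync README).
TARGET_DIR="${TARGET_DIR:-/s3backup}"
S3SYNC_DIR="${S3SYNC_DIR:-$HOME/s3sync}"
S3CONF="${S3CONF:-$S3SYNC_DIR}"
S3_BUCKET="${S3_BUCKET:-example-backup-bucket}"   # placeholder bucket name

# Succeeds only if the credentials file has no group/other permission bits.
# stat -c is GNU coreutils, matching the apt-get based setup above.
config_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Tar one directory into the target folder; prints the archive path.
make_archive() {   # $1 = directory to back up, $2 = target folder
    name="$(basename "$1")-$(date +%Y%m%d).tar.gz"
    tar -czf "$2/$name" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    printf '%s\n' "$2/$name"
}

# Refuse to run with exposed keys, then archive and sync over SSL.
backup_main() {
    config_is_private "$S3CONF/s3config.yml" || {
        echo "s3config.yml missing or group/world readable; chmod 600 it" >&2
        return 1
    }
    make_archive "$SRC_DIR" "$TARGET_DIR" >/dev/null || return 1
    export S3CONF
    ( cd "$S3SYNC_DIR" && ruby s3sync.rb -r --ssl "$TARGET_DIR/" "$S3_BUCKET:backups" )
}

# Cron entry (constructed path):
#   30 2 * * * SRC_DIR=/var/www /usr/local/bin/s3backup.sh run
if [ "${1:-}" = "run" ]; then backup_main; fi
```

Keeping the keys only in a mode-600 s3config.yml also keeps them out of the script, the crontab and the terminal scrollback.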


ARP Cache Poisoning Attacks on Windows

“We get asked a million times over if we’d demonstrate an ARP-Cache Poisoning Attack for Windows, and while we’ve covered this *WAY* back in Season 1, I figured it’s worth a refresher. Now, there are a million ways to do this in the command line with Linux tools, but here in Windows we’ll be using a very simple tool called Cain & Abel. Once you’ve downloaded and installed it from www.oxid.it go ahead and fire up the sniffer by flicking the chip icon in the top left. The first time you do this you’ll be asked to select your interface. You can get back to this screen anytime by clicking Configure. I’ve selected this interface here with my IP address since it’s my wireless network card. Now I can scan the network for potential targets. Go to the sniffer tab, right-click, and select Scan Mac Addresses. I’ll stick with the default “All hosts in my subnet” and click OK. Now that I have a list of machines on the network I can go over to the APR tab and start the actual ARP Cache Poisoning Attack. Click the blue plus icon on the toolbar to bring up the routing dialog. Here I’ll select on the left — that’s the router — and on the right — that’s Darren’s machine. Click OK and the route will be loaded. Now, begin the poisoning attack by clicking the radiation icon in the top left. Immediately our poisoning attack begins. Now sit back, relax, and wait for your target to do some browsing. Once enough traffic has gone through you’ll notice Full-routing below.

So, what does all of this mean?

ARP cache poisoning is a technique used to attack a wired or wireless connection. The attacker sends spoofed ARP messages to the LAN and can then sniff the data: once the spoofed messages are sent, the attacker receives data that was intended for the router or the computer in question. It’s a man-in-the-middle attack. Neither machine knows I exist in the middle; they just think they’re sending data like usual.
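On the affected machine a poisoned cache typically shows up in `arp -a`: the router's IP and another host's IP resolve to the same MAC address. The following is an added example, not part of the show notes, that checks saved Windows `arp -a` output for that pattern; the sample table and the function names are constructed.

```shell
#!/bin/sh
# Added example: flag MAC addresses that answer for more than one IP in
# Windows `arp -a` output. All addresses below are constructed.

# Constructed sample: the router (192.168.1.1) and another host
# (192.168.1.23) resolve to the same MAC, as in a poisoned cache.
sample_arp_table() {
cat <<'EOF'
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          00-11-22-33-44-55     dynamic
  192.168.1.40          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
EOF
}

# Reads `arp -a` text on stdin; prints "MAC ip1,ip2,..." for every MAC
# claimed by two or more dynamic entries, nothing for a clean table.
# Static broadcast/multicast rows are ignored; CRLF line ends are tolerated.
shared_macs() {
    awk '
        { sub(/\r$/, "") }
        $3 == "dynamic" && length($2) == 17 && $2 ~ /^[0-9A-Fa-f-]+$/ {
            mac = tolower($2)
            if (mac in ips) ips[mac] = ips[mac] "," $1; else ips[mac] = $1
            count[mac]++
        }
        END { for (m in count) if (count[m] > 1) print m, ips[m] }
    ' | sort
}

# Returns 0 (suspect) when the gateway IP shares its MAC with another host.
gateway_is_suspect() {   # $1 = gateway IP, `arp -a` text on stdin
    shared_macs | awk -v gw="$1" '
        { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == gw) bad = 1 }
        END { exit !bad }'
}

sample_arp_table | shared_macs
```

A shared MAC is a lead rather than proof: proxy ARP and multi-homed devices produce the same pattern, so compare against the router's known MAC before acting on it.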

So, what tools are tickling your technolust? Send ’em by — [email protected] — and we’ll share ’em with the world.

Promiscuous mode WiFi cards and Hak5 cameras

DT wrote in: Is there a cheap substitute for an airpcap, maybe a firmware flash on a certain wifi card? Or something to run software side to work with the wifi card? Or virtual appliance?

Your best bet is looking at aircrack-ng compatible cards. Everything you ever wanted to know about wireless card capabilities can be found in the links there.

Daniel wrote: What type of cameras do you use for your show? What model? Thanks in advance. Keep up the great show.

We’re rocking a single Panasonic AG-HMC150 and two Panasonic HMC40s. To be fair when we started out we were using a trio of the Sony DCR-HC85s. What you shoot is way more important than what you shoot on.


Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally, if you’d like to suggest a topic or ask a question, feel free to hit up [email protected].


  • Scorpion

    Just thought you might want to know: in the S3 segment where you blurred the keys, you might want to have a look at the terminal on the right. It has the keys right there as well and I can see them clearly.

  • mitza_cz


    Do you know if I can install the wireless card on a virtual machine (VMware) so I can sniff with aircrack?
    Or do you have an idea how I can sniff wireless packets from a VM?


  • opasx

    Just with regards to vegemite, no one here in AU eats it straight from the jar. Toast some bread, spread margarine or butter on bread then spread vegemite on it, eat it. Also on fresh white bread, butter it (margarine or butter) then spread vegemite on it. And for best taste experience, make a cheese sandwich and spread vegemite on one piece of the bread. But please, don’t eat it straight out the jar, your bowels will thank you for it.

  • SilentASSassN

    Curious to know, as I’ve been surfing through the old Season 1 episodes, is it possible to use Cain from a wifi connected computer? I can easily scan the network for connected devices using Cain, but have been unsuccessful at actually being able to select the router and victim in order to start an ARP poison attack. I’ve read elsewhere that this is only possible with a wired connection (although I don’t see why it would matter and have never heard that being said on the Hak5 site).

    So, how do I use my wifi connected laptop to initiate an ARP poison attack on my network using Cain… or is this something that must be done using BT tools?


    • Slevin

      She was on a laptop… Using wireless. And I just did the same on my network. So yes, it is possible from a wireless computer.

  • lostfinder333

    Great episode. In regards to the news about hacking cars: I’m glad I drive a car so old it doesn’t even have a catalytic converter, let alone an ECU or cellphone/Bluetooth connection. (Benefit of not having a catalytic: I don’t EVER have to get it e-tested.)

  • Anton Erholt

    Hiya from Sweden, love your show! I guess everyone knows it already, but instead of copying/moving to backup-folders you could just soft-link it there:
    ln -s /path/to/awesome_folder /path/to/Dropbox/s3/whatever
    I think it’ll work for s3 as well, I only use D-box for school. Peace!
