Hak5 912 – Stealing Windows passwords. Shannon’s hacking with the Katana USB boot key, automated file renamers, Firefox security extensions & more

This time on Hak5, Mubix joins us for more mischievous Metasploit fun. We’re stealing Windows logins with a crafty keylogger. Shannon’s hacking from a cave with the Katana USB security suite. Plus, automating file renaming in Windows, Firefox security extensions and so much more.


Hacker Headlines

Our favorite framework just got a major update. Metasploit 3.7.0 has been released and with it comes a major backend overhaul. You should notice a significant performance increase in handling multiple sessions as well as a nice little update to the SMB stack that’ll allow you to perform pass-the-hash attacks against Windows Server 2008. Find out more about this and the 35-some new remote exploits at Rapid7.

Square has opted for encryption on their mobile credit card readers! Square, a successful company that enables just about anyone to be able to take payments through their iPhone, went through a bit of a tiff with Verifone, who recently said Square was basically sending out card skimmers to whoever wanted them. It sounds like Square deemed it necessary to update their hardware, and decided to make a new line of the Square credit card readers. It sounds like Square is becoming a real competitor to Verifone, and a legit one at that.

iOS 4.3.3 has arrived, bringing changes to the way the controversial crowd-sourced database cache, or “consolidated.db” file, works. The update reduces the size of the cache, no longer backs up the cache to iTunes, and deletes it when iOS location services are turned off. Apple acknowledges that iPhones had been storing as much as a year’s worth of data even if location services were off, which they claimed was a bug. The database is still unencrypted.

This is some nice news to hear! Jeff Moss, the founder of the infamous hacker conference, Defcon in Las Vegas, has been named as ICANN (Internet Corporation for Assigned Names and Numbers)’s chief security officer. Rod Beckstrom, ICANN’s president and chief executive officer, said “I can think of no one with a greater understanding of the security threats facing Internet users and how best to defend against them than Jeff Moss. He has the in-depth insider’s knowledge that can only come from fighting in the trenches of the ongoing war against cyber-threats.”

With the PlayStation Network still down following a massive data breach, Sony has claimed before the U.S. House Committee on Energy and Commerce that a file named ‘Anonymous’ was found during the investigation. The file contained the words “we are legion”, Kazuo Hirai, chairman of the board of directors of Sony Computer Entertainment America, explained. Anonymous, who had previously conducted a large-scale distributed denial of service attack on Sony during the GeoHot case, has denied involvement.

Kerby’s JPop Group of the week

SCANDAL – Haruka

HakTip: Bulk file renaming

We got an email from Chris G, aka Macrohard in the Hak5 forums, who said:

This was the free bulk naming software I was going to try out. I have a vendor that likes to send me a large assortment of files with a lousy .extension name, and I need to work on getting them to process for a document retention system.

Bulk Rename Utility is available at bulkrenameutility.co.uk and it lets you rename several files with a click of your mouse. This free software comes in 32 or 64 bit for Windows.

After downloading and installing, choose a folder or a group of files that you want to change.

After highlighting your files, choose what you want to change. I chose to change the file name (Box 2), and change the case (Box 4) to upper case. Then, I added numbering to the end of each photo (Box 10). All of your changes can be seen under New Name in the file box at the top. Once finished, click Rename. You will get a warning telling you the files are about to be changed. Click ok after double checking and tada! All of your selected files have been fixed in seconds.

If you chose the option during the install, a Windows Explorer extension is also available when you right-click a series of files.

This saves me TONS of time renaming all those photos from CES. Got a tip? We’ll share it! [email protected]

Keylogging Windows logins with Mubix

We have the pleasure of being joined by Mubix, aka Rob Fuller, to demonstrate a crafty Metasploit script for keylogging Winlogon.exe.


Last week’s trivia: The UK version of this device represents 10 Pence with a 1000 Hz tone. What is the device? The answer was: Red Box

This week’s question is: Serving the Pacific Northwest, Midwest and Rocky Mountains, this Regional Bell Operating Center has merged with neither Verizon nor AT&T.

Answer at hak5.wpengine.com/trivia to win some sweet swag.

The Katana USB Security Suite

Last week I demo’d the easy way to install Kon-Boot, and way back in Season 8 I showed you Katana. Katana is a portable multi-boot security suite with all sorts of penetration testing and security applications built into one single flash drive. It has been updated a ton since way back when, so I wanted to do a quick follow-up on this lovely piece of awesomesauce, version 2.0.

First close down your anti virus software. It’ll freak out when you download Katana due to the tools available through the program. Download the torrent of Katana at hackfromacave.com. It’s a hefty 4 gigs big so have tons of room and an 8 gig flash drive for the install.

Extract the .rar to the root of your USB stick. Open the root of your flash drive, open the boot folder, and right click the ./bootinst.bat batch file and choose “run as an Administrator”.

Now you have two things you can do. First, check out the Katana Toolkit on your Windows machine. This application can run various tools such as KeePass and Unstoppable Copier.

Second, you can boot up the Katana boot disc. Unplug your drive, and power down your computer. Plug the flash drive back in and boot from it.

If it works, and it should, you’ll see the screen I see here. Use your arrow keys to navigate up and down through the various tools. For my example, I’m going to boot into Ophcrack, a good tool for your forgetful sibling when they lose their Windows password. It has built-in rainbow tables and can figure out the password in a few seconds. So mine was ‘game’, which you just lost. Ophcrack was able to figure out my simple password with no problem, letting me back into my computer.

You’ll notice that in Katana you will still have the problem with 64-bit machines running Kon-Boot. If this is the case, first open the boot directory in the root of the Katana drive, then copy the files ‘vesamenu.c32’ and ‘chain.c32’ from this directory into the syslinux/kon-boot directory.

You’ll have to go through a process of choosing Kon-Boot, then boot 2nd HDD, then going back to the Katana main menu. Go back into Kon-Boot and select the next boot from HDD choice. Hopefully this will finally get Kon-Boot working, but I was having issues with it not working correctly.

This is the same general approach to getting Kon-Boot to work that is described on Iron Geek’s blog, which I mentioned last week, so maybe you’ll have better luck on your machine!

I got an email from the creator, Ronin, giving me some recent tips and tricks with Katana such as:

  • Using the Katana Tool Kit from a locked down Windows system
  • Write blocking the Katana drive for cheap using an SD Card
  • Using a live CD to avoid needing access to a password-blocked BIOS to modify the boot order so USB can boot.


Katana is a very handy tool for anyone interested in learning more about security and penetration testing. It’s also a great application to have in case you ever need any of the tools available in the ToolKit. Several tools have been added since the initial release of Katana, so I definitely suggest you check out version 2.0. Check out more from Ronin at hackfromacave.com and Email me at [email protected] with your favorite security tools or bootkits.


Ben writes:

Hey Hak5 guys! Regularly at work I use Firebug and HTTPFox Firefox add-ons; do you guys recommend any other “must-have” security testing Firefox add-ons? Loving the show; keep up the great work! 🙂

Darren recommends NoScript, as well as BadPass, LastPass, KeePass, FoxyProxy and FoxTor.

JasonT writes:

Hi Darren and Shannon, Kerby, the lovable cat and mascot and backbone of Hak5, is a bit of a mystery to the Hak5 viewers (at least I think). If you could spare a couple of Hak5 minutes, could we get Kerby’s story: who is Kerby’s master, his likes/dislikes, etc.?

Thanks. Kerby is short for Kerberos — the authentication protocol. If you go back to season 1 you’ll see a bunch of cute Kerby moments. Thanks for writing in.

Francisco writes:

Hi Hak5, I’ve been meaning to ask this question before but here it goes: what kind of upload speeds do you guys get in the Hak5 Studio? And to achieve them, what kind of hardware (e.g., modem, load balancer) do you have? I run several virtual servers in my house and the maximum upload speed I can get is around 100 to 150KBps. What can I do to increase the upload speeds? Thank you in advance.

In the *current* studio we’re getting about 6-7 Mbps up, 20-25 down. A lot of that is attributed to the bangin’ router we have. Darren’s a big fan of both Smoothwall and Untangle. Paul likes m0n0wall and pfSense.

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop, including the new airport-friendly WiFi Pineapple and hoodie. Finally, if you’d like to suggest a topic or ask a question, feel free to hit up [email protected].


    • cristian

      Or if you are using KeyScrambler, or maybe the virtual keyboard on the login screen of Windows 7 should do the trick.

  • ENQ

    Very good shows 🙂 and if you are crazy about security (like me) you might check the https://www.requestpolicy.com/ Firefox plugin. It basically prevents cross-site scripting and cross-site forgery attacks. Sometimes it’s annoying, as you have to keep allowing some scripts and requests. But it gives me a warm security feeling 🙂

  • Travis Harper

    OpenWRT, DD-WRT are very cool. I like them a lot. I have also used Smoothwall Express 2 and 3 with a ton of Smoothwall mods… sweeet!!

    However, I am now an ENDIAN Firewall/Router convert.
    Ajax GUI goodness (fun to say) and powerful features built right into it… no mods required… LOVE IT.

    Hands down the best I’ve tried.

    If you like your smoothie, you’ll love EFW.

  • foxb

    You have really good Internet speeds (my home speed is ADSL 5M/600k 🙁), but most of it is contributed by your Internet connection and secondly by the router/firewall you have.

    Most of these plastic boxes will die at around 10M+ speeds (especially old ones built a few years ago). Newer ones will keep up with the speed (maybe up to 50M), but will die at a high number of open connections (torrents are known for that).

    For those who do not want to use a PC-based router, a good choice would be to go to business routers.

  • cristian

    I am also a Google Chrome fan, and when it comes to sites like warez, or when I don’t want some site to have my IP address in their logs, I have the following setup… a Windows XP on VMware; the VM’s virtual HDD is stored in a TrueCrypt encrypted container with a big password. On the VM I have installed Google Chrome, Sandboxie, Tunnelier, TrueCrypt and KeyScrambler.

    The sandboxes are stored in another encrypted TrueCrypt container, but inside the VM the contents of the sandboxes are deleted with sdelete, which does 40 passes.

    I’m using 2 instances of Tunnelier connected to 2 different SSH nologin servers: first is a tunnel to ssh1 and then a tunnel to ssh2 through ssh1…

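    I use the following batch script to run Chrome:
    @echo off
    REM Open sandboxes.tc (the TrueCrypt container holding the sandboxes) and wait before continuing
    start /wait sandboxes.tc
    REM Switch to the Sandboxie install directory (/d also changes drive if needed)
    cd /d "C:\Program Files\Sandboxie"
    REM Launch Chrome in incognito mode inside the Sandboxie box named Defcon2
    Start.exe /box:Defcon2 C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe --incognito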

    In Google Chrome, as bookmarks I have the IPs of Facebook, Gmail, Yahoo, Twitter, MySpace etc. instead of their DNS names to avoid DNS poisoning.

    I was wondering: if I use ReactOS, will it still be metasploitable?
