This time on the show, an Ubertooth One Primer – Setup with BackTrack 5. Booting multiple ISOs from a single USB drive, we’ve got plenty of options. And answers to your questions on A+ certs, programming languages, network scanning and more.

Download HD Download MP4 Download WMV

Ubertooth One Primer – Setup with BackTrack 5

We’ve been asked numerous times to do a segment on getting started with the Ubertooth One, and while it’s specific to this hardware in nature the techniques involved are similar to that of many other tools.

If you’re not familiar, the Ubertooth One is an open source bluetooth testing tool made by Mike Ossmann in response to the lack of good bluetooth testing devices, or the ridiculously high price tags in excess of $10,000 for commercial monitoring equipment.

So in the same sense that we have inexpensive WiFi adapters that can go into monitor or promiscuous mode, we now have the Ubertooth One.

Now props to HarvestGardener on the BackTrack Linux forums for putting a lot of this together. Most of the Ubertooth development was done on Mac OSX but getting it going in Linux isn’t too difficult, thankfully.

So today I aim to setup dependencies and compile Ubertooth Tools in Backtrack 5 linux host machine. Currently does not work in VM — Libusb issues.

The first dependency you’ll need is pyside. It’s a PySide adds Qt bindings to Python, letting it use the cross-platform UI framework for some graphical goodness. You can download it manually from PySide.org or simply install it with apt. Unfortunately it isn’t in the default BackTrack 5 repository so you’ll need to add a personal package archive or PPA.

apt-get install python-software-properties
add-apt-repository ppa:pyside
apt-get update
apt-get install libnl-dev libusb-1.0-0-dev pyside-tools

Next we’ll need the PyUSB extension which provides USB access to Python.

wget http://downloads.sourceforge.net/project/pyusb/PyUSB%201.0/1.0.0-alpha-1/pyusb-1.0.0-a1.tar.gz
tar xvf pyusb-1.0.0-a1.tar.gz
cd pyusb-1.0.0-a1
python setup.py install

We’ll also need bluetooth baseband libraries so we can process raw bluetooth data. Thankfully libbtbb does the trick:

wget http://downloads.sourceforge.net/project/libbtbb/libbtbb.0.5.tgz
tar xvf libbtb.0.5.tgz
cd libbtbb
make
make install

Ok so we’re finally to the part where we actually get to the Ubertooth code. As of recording the latest version of Ubertooth software is release 238.

wget http://downloads.sourceforge.net/project/ubertooth/ubertooth-r238.tar.gz
tar xvf ubertooth-r238.tar.gz

This archive contains the latest firmware for both the Ubertooth One and Ubertooth Zero, the KiCad files if you’re so inclined to make your own Ubertooth, documentation and host software including a few bluetooth tools, kismet plugins and a fun little spectrum analyzer.

Since Bluetooth operates in the same 2.4 GHz ISM band as WiFi, we can actually use the Ubertooth One as a basic spectrum analyzer and see all of the WiFi signals for a given area.

python specan_ui.py

Alright, that’s a lot of info so we’re going to stop right here and pick up next time with compiling Kismet from source with the Ubertooth Plugin, capturing our first Bluetooth packets, installing the Wireshark plugin and finally analyzing the good stuff. If you haven’t already checked it out you can find the Ubertooth One at HakShop.com along with the documentation and source files if you’re crafty with the soldering iron and eager to build your own.

Boot multiple ISOs from one USB with these free tools

Having several tools on several USB’s or CD’s can be a pain in the butt, especially when you’re looking for a specific one but don’t remember which USB you put it on. To save us from this trouble, there are many applications available online that let you create one multibootable USB drive. Thus, you can store all your tools on one USB drive instead of ten. We’ve reviewed YUMI, UNetBootin, Darren’s done his MultiPass, and I’ve checked out Katana. This week, I’m checking out a couple of your user picks, XBoot, and Sardu.

The first one is XBoot. Its a light weight utility for creating multiboot USB’s OR CD’s. To use it, download the zip file from their website. Open the application and plug in your USB flashdrive. Now, you’ll need to have some ISO’s already downloaded on to your computer or you can go to File–>Download and choose some of your favorite utilities and linux distros.
Once they are done installing, drag the ISO’s into the box under the Create Multiboot USB/ISO tab. For mine, I chose Ophcrack, Clonezilla, and Puppy Linux. On the side, you can see the total size of the files added, you can remove files, look up the MD5 hash checksum in case you’re wondering if it’s the actual tool, and at the bottom you can choose to create your ISO Live CD or USB bootable flash drive. I’m choosing my FlashDrive. Double check the Selected USB drive to make sure it’s not your operating system drive. Then, this is cool, you can choose your Bootloader. I’ll stick with the recommended Syslinux, but you can also choose Grub4dos or not install one at all.
Then, when you click next, it’ll start copying all your ISO’s to your thumbdrive and create the bootloader. This may take several minutes, so just kick back and relax.

Once the USB is created, you’ll have the option to run it on QEMU to test it. You can also edit the flashdrive, by clicking the tab that says Edit Multiboot USB.

The second one is Sardu. Sardu is a program I found that was apparently made by Vikings using hieroglyphics. You simply plug in your flashdrive, click on your choices for Antivirus, Utilities, Linux Distros, and/or Windows CD’s, and choose make bootable USB. Clicking on the different utilities and linux distros will download them from their websites. You can also click ISO at the top and choose Make ISO, then click on an ISO folder to choose it for your flashdrive. I downloaded all of mine into my downloads folder, so I just navigate to the downloads folder and click OK. When done, click the cute little USB button and wait for it to finish creating the bootable USB. Once done, you can boot off your flashdrive using SuperGrubDisk. The tabs at the top enable you to check the Hash, create and defrag your USB.

Now I’m going to restart my computer and boot into Syslinux for XBoot and Grub for Sardu and try them out!
Looks like it works, and works well. The three ISO’s that I chose boot properly, and I can add more if I want!”"

So of these two, I have to say Sardu for Vikings took a bit more time for me to figure out how to get my ISO’s onto the USB and make it bootable. Turns out, I was just thinking too hard when trying to add my ISO folders! Xboot was pretty natural to figure out and it was easier to use. Xboot was my definetly my favorite.

So after googling for other multiboot creators, I found all the ones I could, but are there other ones? Do you use a tool that could make my life easier? Email me at feedback@hak5.org

Bash and Airodump-ng tips

Whether you’re trying to copy a PID from TOP or a BSSID from airodump-ng, when your terminal is constantly refreshing the task is cumbersome at best. So calm that screen with the shortcut CTRL+s. To resume simply hit CTRL+q. And specific to airodump-ng not only can you pause the screen with ‘space bar’, but there are all sorts of handy keystrokes like ‘tab’ – which lets you to scroll up and down the list of stations, ‘s’ which changes the sorting column, and my favorite, ‘m’ which marks connection groups with a colors.

Thanks to Sitwon and Bethany for sending these in and getting some complimentary hak5 swag. Submit your 4-bits at hak5.org/nibble

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

We’re getting promiscuous, with wireless cards! As part of our foundation series of HakTips Darren covers the fundamentals of wireless packet sniffing with a practical approach in BackTrack Linux using the Aircrack-ng suite.

Download HD Download MP4 Download WMV

Let’s think about network traffic as a cocktail party. Picture Alice and Bob on the love seat chatting it up while Charlie is deep in conversation with Dave at the bar. Meanwhile, Eve is nearby sipping a Hendrix Martini listening in on everyone’s conversations.

You see, in order for Alice to send a message to Bob she has to address it to him by his network interfaces MAC address — or Media Access Control Address. This address is unique every network interface on the planet. Bob’s is going to be different from Charlie’s, Dave’s or anyone else.

On a hub based network, Alice’s message is heard by all. But by default when Charlie or Dave hear a message addressed to a mac address other their own, their network interface will drop the frame completely.

This is where promiscuous mode comes into play. If Eve’s network interface is in promiscuous mode she doesn’t drop frames not addressed to her. This is great for packet sniffing, say if Eve was a network administrator attempting to debug a faulty network. Likewise, if Eve had malicious intent the same applies to eavesdropping.

Now promiscuous mode assumes a hub based network. Switches thwart this by only sending messages to their intended recipients instead of everyone.

Which brings us to Monitor mode. Monitor mode, or RFMON for Radio Frequency Monitor, is one of six modes that wireless network interfaces can assume. Similar to Promiscuous mode, Monitor mode allows the wireless network interface to “sniff packets” not intended for it.

Unline promiscuous mode however, an interface in monitor mode can sniff packets from access points it isn’t even associated with. Again this is great for, say, an administrator troubleshooting a network, or on the darker side for malicious purposes such as eavesdropping and cracking encrypted networks.

What program or command is giving you warm fuzzies? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.

WIFI PINEAPPLE VERSION 2 ONLY. THIS WILL NOT WORK WITH THE WIFI PINEAPPLE VERSION 3.

Whether your new to Jasager or you’ve made a configuration change you wish you hadn’t, doing a fresh WiFi Pineapple install is a breeze. This guide walks you through the steps required to flash compatible WiFi Pineapple hardware with the latest version of Robin Wood’s Jasager firmware as well as default configurations and and packages.

Requirements

This guide is written for Windows users and should take about 15-20 minutes to complete. In addition to WiFi Pineapple hardware you’ll need a Telnet, SSH and SCP client (we recommend PuTTY and WinSCP) as well as an Ethernet cable and the following download:

• build-pineapple.zip MD5: C5D90DB48E511F8AEF4FDFBCA7E3CF38

Video Walkthrough

Preparing your computer

Before getting to the actual flashing bit the computer’s network interfaces must be configured. Begin by setting the Ethernet adapter with a static IP address of 192.168.1.100 and a subnet mask of 255.255.255.0. This setting can be found in Windows 7 from the Control Panel under View network status and tasks, and Change adapter settings. Right-click on the Local Area Connection and choose Properties. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

It is also a good idea to disable any other network adapters that may be present, like a wireless adapter. To do this right-click on the interface and click Disable.

Flashing the Firmware

Plug one side of an Ethernet cable into the Ethernet adapter you set with a static address in the previous step. Plug the other end of the cable into the WiFi Pineapple hardware. Make sure the WiFi Pineapple does not have power, but keep the power cable handy as we’ll need it in just a moment. Using battery power for the flashing process is not advised.

Open the Freifunk AP51 Easy Flash utility. Check the box labeled Use external file under Rootfs, click browse, and select the openwrt-atheros-root.squashfs file. Repeat this step for the section labeled Kernel choosing openwrt-atheros-vmlinux.lzma

Select the Ethernet adapter you had previously setup with a static IP address from the drop-down under Interface.

With the WiFi Pineapple power cable handy click the Go button, wait one second and plug in the power cable. The WiFi Pineapple will light up and the EasyFlash utility will report “No packet” until the device is found. Once the utility is communicating with the device it will report both the computer and WiFi Pineapple‘s IP and MAC addresses then begin flashing. This process takes about 10 minutes. Once the flash is complete the EasyFlash utility will automatically close and the WiFi Pineapple will reboot.

Initial Setup

With the WiFi Pineapple rebooting, open a command prompt (Start, Run, CMD) and issue “ping 192.168.1.1 -t”. This command will continue pinging the WiFi Pineapple. Once replies are reported stop the ping with the CTRL+C keyboard combo. The device is now ready for initial login.

Open PuTTY or your Telnet client of choice and enter the host 192.168.1.1. If using PuTTY make sure Telnet is selected, as well as the default port 23. Click Open.

When greeted with an OpenWRT splash screen type the command “passwd” and press enter. Type a password and press enter twice. When “Password for root changed by root” is reported the WiFi Pineapple is now ready for packages and configuration.

Wireless Configuration

Once again open PuTTY or your SSH client of choice. Enter the host 192.168.1.1. If using PuTTY make sure SSH is selected, as well as the default port 22. Click Open.

When greeted with a security alert, click Yes. Enter “root” for “login as” and the password you had previously configured.

From the WiFi Pineapple command line enter the following command to change the wireless configuration setting.

echo "
config wifi-device  wifi0
option type    atheros
option channel  auto
config wifi-iface
option device wifi0
option network lan
option mode ap
option ssid Pineapple
option encryption none
" > /etc/config/wireless

Leave this SSH session window open as it will be used in the next step to install packages.

Package Install

Various packages can be installed on the WiFi Pineapple. See the openwrt repository at downloads.openwrt.org/kamikaze/8.09.2/atheros/packages. The default package on the WiFi Pineapple is X-WRT, a web based management interface, and its dependency haserl.

Open WinSCP and enter the host name 192.168.1.1. Enter root as the user name and the password chosen. Select SCP from the File protocol drop-down and click Login. If presented with two group errors, click OK — they are safe to ignore.

Select the haserl and webif package files from your hard disk on the left and drag them to the area on the right. The file transfer will begin.

Back in the SSH session enter the command “ls” followed by enter. The package files previously transferred should be reported. Now install both package files with the command “opkg install *.ipk”. This process will take just a minute. Once complete a “SUCCESS!” message will be reported. At this point the WiFi Pineapple has been configured and is ready to be rebooted. Either unplug and replug and power adapter or issue the command “reboot”.

The WiFi Pineapple has now been flashed and configured with factory default settings. This guide can be followed up with this article on logging into the WiFi Pineapple for the first time.

WIFI PINEAPPLE VERSION 2 ONLY. THIS WILL NOT WORK WITH THE WIFI PINEAPPLE VERSION 3.

In this segment Darren talks about Session Hijacking and demonstrates a tool from Errata Security called Hamster and Ferret that, in conjunction with a WiFi Pineapple, an ICS’d 3G connection and Tftpd32 we’re able to “sidejack” with our little man-in-the-middle setup. Lesson learned? Be suspicious of any wifi. Check for signatures of trusted networks and tunnel your traffic.

While the tethering WiFi Pineapple and laptop 3G technique in this segment is still quite valid, Darren now prefers to use BackTrack Linux as documented here.

So you’ve built, borrowed or bought a WiFi Pineapple and you’re new to OpenWRT and Jasager. Hopefully this guide will familiarize you with the many aspects of the the WiFi Pineapple. If you have specific questions please leave a comment or email feedback@hak5.org and we’ll try to keep this page updated.

This article will guide you through connecting to the WiFi Pineapple for the first time. For more in-depth how-to’s involving command line control, modules, using the white and black listing functions, sharing Internet access and more please consult the Jasager board on the Hak5 forums and keep an eye on the WiFi Pineapple category of the Hak5.org blog for future articles on these topics.

First and foremost

The WiFi Pineapple is a customized version of OpenWRT running the latest Jasager software by Robin Wood. Since OpenWRT is a Linux based wireless networking operating system you’ll want to be familiar with basic Linux and networking fundamentals.

Tools you’ll find handy

Right out of the box most everything can be configured with just about any web browser, but you’ll likely also want a tool or two to get a shell and transfer files. If you’re using Linux or Mac you already have the ssh and scp commands at your disposal. If you’re on Windows we recommend using the PuTTY and WinSCP GUI tools or the command-line equivelent Plink.

Battery Powering the Pineapple

The WiFi Pineapple requires 5V and 2A of DC power. If you’re looking to go mobile leave the wall-wart at home. Four AA rechargeable batteries work well at powering this puppy. It’s important to get AA batteries with a high mAh rating. We recommend no less than 2400, so pick up a few meant for digital cameras for best results. If your standard alkalines aren’t doing the trick it’s probably due to a low mAh rating. Check the packaging. Of course we recommend rechargeables over the landfill populating variety.

Connecting for the first time

There are many ways to connect to and configure a WiFi Pineapple. Here are a few:

Via Ethernet

Power up and connect an Ethernet cable between your computer and the router’s. In its stock configuration the WiFi Pineapple is configured with the static IPv4 address of 192.168.1.1. It is also setup to hand out IP addresses in the 192.168.1.0/24 range via DHCP. If your machine is configured to obtain an IP address automatically you should get something like 192.168.1.100 from it momentarily.

Configuring your interface to obtain an IP address from the WiFi Pineapple’s DHCP server

In case your computer is not already setup to obtain an IP address on the Ethernet interface from a DHCP server, here are quick instructions for some common operating systems.

Windows XP

Open Network Connections from the Control Panel. Right-click on the Local Area Connection and choose Properties. From the dialog select Internet Protocol TCP/IP and click Properties. From the General tab choose Obtain an IP address automatically and Obtain DNS server address automatically. Click OK twice.

Windows 7

Click Choose Network Status and Tasks from the Control Panel. Click Change adapter settings. Right click the Local Area Connection and choose Properties. Select Internet Protocol Version 4 and click Properties. Select Obtain and IP address automatically and Obtain DNS server address automatically, then click OK twice.

Linux / Mac

Open a terminal and issue ifconfig eth0 where eth0 is the Ethernet interface connected to the WiFi Pineapple. Check the inet addr reported. If it is not a 192.168.1.x address you’ll want to manually ask for an address from the DHCP server on the pineapple. Depending on your distribution the command to do this may be “dhclient eth0″ or “dhcpcd eth0″.

Via Wireless

By default the SSID of the WiFi Pineapple is either “Pineapple” or “OpenWRT” without encryption. Connect to it as you would to any ordinary wireless access point. The pineapple will assign you an IP address via DHCP. If for some reason your Wireless interface has not been configured to obtain an address automatically please consult the above instructions substituting your wireless interface for the Ethernet interface.

Via Serial

WiFi Pineapples bought or built on Fon 2100 or Accton MR3201A hardware sport shell access through a serial interface. For information on this access method please consult these fine documents:

• Fon Serial Cable at digininja.org
• LaFonera Hardware Serial-Cable-Port on dd-wrt.com

Accessing the Jasager Interface

Once connected via Ethernet or wireless you can point your web browser at the Jasager management interface. Here you can configure the interface, karma, mac address filtering, ssid white/black listing and execute commands on connected clients.

By default the Jasager interface can be found at http://192.168.1.1:1471. It’s important to note the :1471 bit as that specifies the non-standard port number of this http interface. Any modern web browser will work, be it Firefox, Chrome, Safari, Opera or Internet Explorer. I’ve even successfully used it with the text-only browser Lynx! You’ll need to login. By default the username is root and password is “pineapplesareyummy” (sans quotes).

Status / Main Controls

The options in this section allow you to control the wireless card and karma features. The SSID list is a list of SSIDs that the interface will either accept (whitelist mode) or ignore (blacklist mode). One thing to watch out for is that changing from blacklist to whitelist mode, and vise-versa does not reset the SSID list.

Connected Clients

The list of connected clients comes from a merger of wlanconfig output, information in the log file and the ARP cache. A blank IP address may mean the client hasn’t got an IP address or hasn’t used it for a while so it has slipped from the ARP table.
The dropdown list of commands allows you to add the clients SSID to the watch list and kick the MAC address. Kicking is not blocking a MAC, just temporarily disconnecting it, most clients will attempt to reconnect within seconds of being kicked. Kicking can be useful if you blacklist a SSID and need to remove any currently associated clients. I have an idea that this list will grow with useful commands such as blocking MAC addresses and initiating things such as nmap scans. Watch out for new features in version 2.

Log

All activity is logged to /karma/log/status.log which gets dumped out to the log window.

This guide builds on the Auto-Rickroll payload for the WiFi Pineapple. Following this guide you will be able to create a self-contained WiFi Pineapple or similar OpenWRT based wireless access point serving up faux websites to capture login credentials. The purpose of this article is to point out the simplicity of a phishing attack using the dnsmasq technique of the Auto-Rickroll payload, and how you can protect yourself from similar attacks. See the mitigation section at the bottom of the article for defense advice.

Demonstration

Before beginning please follow the instructions outlined in the Auto-Rickrolling WiFi-Pineapple article. Once complete we will:

1. Install PHP and dependencies
2. Configure PHP and HTTPD
3. Testing the PHP installation
4. Write redirection and capture scripts
5. Modify a website to capture credentials

Install PHP and dependencies

The installation of PHP on OpenWRT is pretty straight forward. Considering the size limitations and power of your typically embedded device such as the WiFi Pineapple and what we’re trying to achieve I have opted for the 4x build of PHP, rather than the newer 5x. Feel free to deviate if your needs require the newer features of 5.

Begin by downloading and installing the following packages from downloads.openwrt.org: libopenssl_0.9.8i-3.2_mips.ipk, php4_4.4.7-1_mips.ipk, php4-cgi_4.4.7-1_mips.ipk and zlib_1.2.3-5_mips.ipk

Alternatively, everything required for this hack can be downloaded in this archive.

Copy the package files (*.ipk) to the WiFi Pineapple in /root/ using the scp command in Linux or an SCP utility in Windows like WinSCP or Plink.

Open a shell on the WiFi Pineapple using your ssh client of choice (on Windows I recommend PuTTY) and login as root. You should already be located in /root/ after logging in. Issue the “pwd” command to be sure, or change directory to /root/ with “cd /root/”. Verify that the packages have been copied by issuing the “ls” to list the contents of the directory. You should see the four package files listed. To install them all issue “opkg install *.ipk”

After a few moments each package should be installed. Now it is time to configure PHP and the HTTP server.

Configure PHP and HTTPD

Two changes need to be made in order for the HTTP server to recognize .php files and process them correctly.

First we’ll need to add a line to the httpd.conf file in /etc/ so either open it with your favorite text editor (vi is already installed) or simply issue the command “echo “*.php:/usr/bin/php” >> /etc/httpd.conf”. Verify that the line has been added with “cat /etc/httpd.conf”

Next we’ll need to add a line to the php.ini file in /etc/. Again open the file in an editor or add the line with “echo “cgi.force_redirect 0″ >> /etc/php.ini” and verify with “grep cgi.force_redirect /etc/php.ini”

Now restart the web server either by issuing “/etc/init.d/httpd restart” or simpy rebooting the WiFi Pineapple with the “reboot” command. It’s also safe to simply unplug the power and plug it back in.

Once the HTTPD and PHP configuration files have been modified and the server has restarted we can move on to testing the PHP installation.

Testing the PHP installation

PHP has a handy little function for testing the its installation. If you rebooted your WiFi Pineapple you’ll need to log back into a shell as root. Once situated, change directory to /www/ with the “cd /www/” command. Now we’ll need to create a test.php file so issue “touch test.php”. Next issue “<?php phpinfo(); ?>” > test.php”. Verify that the string has written to the file with the command “cat test.php”.

With the file written we can test the php install by navigating to test.php on the web server. Remember, following the instructions from the Auto-Rickrolling WiFi Pineapple article we’re able to get to the web server from any URL requested. Based on the dnsmasq.conf, there is no difference between example.com and google.com. Pointing your browser to, say, http://example.com/test.php should yield the following results:

Write redirection and capture scripts

Given that the dnsmasq.conf file will send any URL requested to the root of the web server we will need to write a small PHP script to identify the requested URL and present the user with the corresponding page. Once the user logs into the faux page we’ll use an error.php script to capture the credentials and log them in a file.

Unfortunately at the time of writing I have been unable to convince the tiny web server to process php files as indexes. The cheap workaround for now is to write a simple meta redirect index.html file that points to our redirect.php script for the actual processing. Hopefully this step can be removed in the future, but for now you’ll need to open the index.html file in /www/ using your favorite editor and replace the contents with the following:

<html> <head> <meta http-equiv="REFRESH" content="0;url=redirect.php">

Now for the fun page. Create a redirect.php file with the command “touch redirect.php” and open it with a text editor, for example “vi redirect.php”.

Note: If you’re new to vi here’s a bare-minimum introduction: There are two modes to vi, command mode and insert mode. By default you’ll be in command mode. Press “i” to enter insert mode allowing you to type into the file. Press ESC to get back to command mode. The command “:x” saves and quits. Learn more about using vi.

Here’s an example redirect.php script. Modify as you see necessary. We’ll break it down line by line.

<?php
$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, "facebook")) { header('Location: facebook.html'); }

require('peets.html');

?>

The first line tells PHP to start processing the following lines of code.

The second sets the value of the variable “ref” as the HTTP_REFERER. This variable is obtained from “_SERVER” and basically tells us what URL the client is coming from. Since dnsmasq.conf is set to send any website to the root of our web server this could be anything.

The third line uses the srtpos function to look inside the “ref” variable that we just set and see if the word “facebook” is somewhere inside. This means that both “http://facebook.com” and “http://www.facebook.com” would return true. Note: Same goes for facebooksucks.com or any variation that contains the string “facebook”.

If the word “facebook” is found in the variable “ref” the function header will set the location of the browser to facebook.html – a file we’ll create here in a minute.

To phish multiple domains you would create additional similar if statements customized to the urls desired.

The fourth line will only be processed if the statements above aren’t found to be true. In our example we’re only looking for facebook but the list could be more extensive. The require function tells php to load up the contents of the file—in our case peets.html. This could be anything from terms of service agreement, an in-flight Internet purchase page or the old index file from our beloved Auto-Rickroll.

The fifth line closes the PHP processing.

In order to capture the data posted from our faux pages we’ll need to craft an error.php file. Without going into a line-by-line explanation, basically this file looks for two variables posted to it – name and pass – and writes them to the file bitches.txt

We’ll need to create the bitches.txt file in /www/ and change its permissions so issue both “touch /www/bitches.txt” and “chmod 777 /www/bitches.txt”

I have included a few lines to prevent tampering and add logging. The end of the file is basic html to display a faux “503 Service Unavailable” error. Again, this can be customized to your hearts content. For example, returning to the login page may convince an unwitting user that their password wasn’t accepted and give them the opportunity to try “their other password”.

Modify a website to capture credentials

The last step in this phishing attack is to actually rip and modify the pages of our faux sites. In our example so far we’ve been using facebook.com as the target, so follow this example. Using a web browser (or getting fancy with curl or wget) save the homepage of your target site. In chrome click the wrench and choose “Save page as”. Save the site as “Web page complete”. This will save not only the HTML but create a folder including the additional image and javascript components.

Open the html file in your favorite text editor and look for the following string: “form method=”post”". Set the action variable to equal “error.php”.

Now check for the string “input type=”text”" and find the username field. Change the name variable to equal “name” if it is not so already.

Finally check for the string “input type=”password”" and change the name variable to “pass”.

Your faux login page is now ready to be uploaded to the WiFi Pineapple. Using a tool such as WinSCP copy the facebook.html and accompanying facebook folder to /www/ on the device.

With these three modifications your error.php script will pickup the contents of the name and pass text fields. Test this by browsing to facebook.com while connected to your WiFi Pineapple. You should see your faux login page. Entering fake credentials should bring you to the error.php displaying a fake 503 error, and checking facebook.com/bitches.txt should display the captured information.

How not to fall victim to this attack

Obviously disk limitations on the WiFi Pineapple are going to prevent one from serving up face versions of every site on the Internet – so if you’re connected to one of these devious devices and can’t access an obscure URL, something is up. You’ll also notice that navigating to facebook.com in this example forwards you to facebook.com/facebook.html – which should be a sure sign of trouble. The most obvious part about this attack is that every domain you could possibly ping is going to report back a response from 192.168.1.1 – a huge red alert that you’re not in Kansas anymore.

Finally keep in mind that having two or three passwords isn’t enough. Every site needs its own secure and unique password. Consider using a password manager such as LastPass, 1Password or KeePass.

For further reading and advice on identifying phishing sites see antiphishing.org.

This time on the show, the Gmail 2-step verification, the easiest screen shot utility in the world, Image burning, MD5 integrity verification and the auto-rickrolling pineapple of doom!

Download HD Download MP4 Download WMV

Hacker Headlines

Sony and George Hotz have called a truce. Settling outside court famed PS3 hacker GeoHot agreed not to be “engaging in any unauthorized access to any SONY PRODUCT under the law” etc… Following the settlement Hotz donated $10k to the Electronic Frontier Foundation, money left over from his donated legal defense fund.

Skype made a boo-boo. Android Police found this little vulnerability in the Skype app for Android, where it seems that the SQLite3 databases where all your chat logs and info is stored was never protected. Skype forgot to encrypt the databases. That means a rogue app could potentially steal data out of your Skype app and send it back to the bad guy. Android Police created this app called Skypwned just to show how the breached can effect you. Oops!

Revealed at the Where 2.0 conference this week, security researchers published details on how iPhones and 3G iPads have been periodically logging your location. Since iOS 4.0 the file consolidated.db has been storing timestamps with latitude-longitude coordinates. The researchers published an open source tool, dubbed iPhone Tracker, which maps your devices stored locations.

Looks like Skype isn’t the only one with trouble brewing. WordPress.com’s servers were hacked pretty deep, root-access level deep. They say a bunch of customer’s source codes were accessible, so they’re having the vulnerable site change their passwords and API’s. The breach was on Automattic.com’s servers to be exact, the software company behind the WordPress platform. Obviously, a lot of information was viewable, but hopefully all the customer’s have already fixed any problems on their sites.

Mad Scientists Photonicinduction bring happyness to the world with a video demonstrating how to erase the data off a CD by spinning between it between two high voltage transformers.

HakTip: zScreen

Want to capture print screens and share them, but don’t want to go through the hassle of saving, uploading, and all that jazz? Try zScreen.

zScreen will automatically capture screenshots, text, or files from your computer clipboard and upload them to a destination of your choice, as well as have the link to it automatically copied to your computer when it’s completed.

Simply download zScreen from code.google.com and install. Once installed, choose your destination for images, files, and text, and the type of URL shortener you would like to use. Under destinations, you can authenticate and authorize zScreen to upload to your FTP, ImageShack, Flickr, even Twitter page, and tons of others. For myself, I’m going to upload to my Flickr page. zScreen uses OAuth, so all it requires is your username, not your password. It’ll authenticate through your Flickr site. You can even choose settings such as what window you want the print screen to copy, you can add a watermark, and tons of other options. Once you’ve gotten your settings squared away, hit your favorite HotKey and watch as your image gets uploaded to your account automatically.

So I hit PrtSc, and my full size image gets uploaded to my Flickr just like that. After it’s uploaded I can easily copy the image link from my clipboard. The link is also saved in zScreen.

It’s a great time saver, and perfect for easily taking notes on your screen and sharing them with others. Thanks to Patrick F for sending this in to us. Do you have a time saver or something cool to share? Email tips@hak5.org and we’ll share them.

OpenWRT / WiFi Pineapple mod: Auto-Rickroll

“John Bebo’s Auto-Rickroll payload for the WiFi Pineapple is an excellent example of using Dnsmasq to forward targets to a hosted site. While this site could be malicious, perhaps hosing the Browser Exploitation Framework, Bebo’s payload is a safe and simple prank. Any web site a victim attempts to browse to brings them to a WiFi Pineapple hosted page containing Rick Astley ASCII Art and looping audio. It uses a similar technique employed by Captive Portals – something we’ll explore in more detail soon – except a lot more annoying.

Thanks to great documentation from Bebo and Hak5 forum member Psychosis setting up your own Auto-rickrolling WiFi Pineapple is super simple. In fact, this will work on just about any OpenWRT based wireless access point – but we’ll be focusing on the WiFi Pineapple specifically for its Jasager abilities.

Follow the step-by-step article with pictures and video at hak5.org/hack/auto-rickrolling-wifi-pineapple

scp * pineapple
mv *. /etc/config
mv * /www/
touch /etc/dnsmasq.conf
echo address=/#/192.168.1.1 > /etc/dnsmasq.conf
vi /etc/init.d/jasager
add to start()
wlanconfig ath0 create wlandev wifi0 wlanmode master 2>&1 > /dev/null
iwpriv ath0 karma 1
brctl addif br-lan ath0
ifconfig eth0 up
#comment out iptables
reboot

Trivia

Our last trivia question was: What is the name of this prominent computer club that was founded in Berlin in 1981? And the answer was: Chaos Computer Club

This week’s trivia question is: What is the name of this virus, considered the first known use of polymorphic code?

Answer at hak5.org/trivia for a chance to win some swag!

2 Step Verification in Gmail

Although I know all of you out there protect your online accounts like crazy, there is always a way to get more protection. Maybe you don’t like using an encryption program or you use the same password for all of your sites. Although this is really bad, I think all of us have done that once or twice in the past. So perhaps you want to try something new.

I just discovered Gmail 2 Step Verification process for my google mail account. I’ve been a little paranoid lately with all the cyber attacks going on, so I decided to up my security, especially because my email is the one site I really don’t want hacked.

2 Step Verification can help prevent unauthorized access that someone might have with just a stolen password. Now, when I sign in to gmail, I’ll not only need my password, but also a code that generates on my phone.

You might be thinking, ‘Well, what if your phone gets stolen?’. I set up a passcode on my phone, a series of random numbers that only I remember, and I set it so if I try brute forcing the passcode, after 10 wrong codes, it’ll wipe my phone.

Back to Gmail. When setting this up, first you’ll need your phone. If you won’t have a secure phone nearby when you sign in to Gmail, perhaps this isn’t the tool for you.

Click on “”Set Up 2 Step Verification”" and choose your phone. Androids, Blackberries, and Iphones have a special Google Authenticator app that will generate your random codes.

The first time you open the app, it’ll ask you to scan a QR code with your phone’s camera. This QR code generates your first series of random digits, and it ties you, the phone holder, to your gmail account. If you don’t have a usable camera or can’t read the QR code, choose to create a time-based key instead, and type your secret key into your phone.

Click next after taking your photo and verify your generated code. Gmail will then ask you to set up a backup in case your phone is lost or stolen. Next you will need a printer or a safe place to save your backup codes. I had a printer installed so I printed my backup codes. Each of these codes will let you sign in once to your gmail.

After printed, click next and choose a backup phone. This can be a home phone, a spouses phone, etc. Type in the phone number and you can then test it if you want. I set up my personal number to my home phone, and when I tested it, it called me and left me a message with a new generated code. When you hit next, confirm your account, and turn on 2 Step Verification.

When you first log in, you’ll type in your account name, password, then your verification code off your phone. You can also choose if you want the code remembered for 30 days or if you want it to ask you for a new code every time you log in.

You’ll notice after you turn on 2 Step Verification that all your devices tied to your gmail account are logged out. Things like gmail for iphone, the mail app, etc, don’t have a place to type in a verification code. To help your security, you’ll need to set up application specific passwords. To do this, under the 2 Step Verification main page, choose application specific passwords.

Choose a name of your device, for example, mine will be “”Shannon’s Iphone”". Click next and you’ll see a series of letters and numbers that you’ll have to type in to your Iphone. So I type in my username, and under the password box I type in this generated password and click next. I only have to do this one time, ever. So I won’t need to memorize this code.

But what happens if someone gets ahold of Shannon’s Iphone? Luckily, under the code, you can see my Iphone. If I choose ‘Revoke’, all access to my mail will be logged out on my Iphone until I authorize it again.

If at any time I need new printed codes, or I need to change my phones, I can go under account settings, 2 Step Verification and edit anything I need. I can even turn off 2 Step Verification if needed.

I LOVE 2 Step Verification. It makes me feel a lot more secure about my mail and personal information. Questions? Comments? Have another program for me? Email feedback@hak5.org.

Emails: CD Burning and nomnomfish

Max S writes: I have been watching your show since season 6. Since then you mentioned a program named Konboot few times.
I was curious and tried getting it. But I have a problem, I successfully download it, and extract it using winrar but when I burn it to a blank CD it doesn’t work.
Am I missing something or does konboot not function anymore?

Shannon recommends verifying the integrity of the download using a tool like Fast Sum or MD5SUM and burning with a tool like IMG Burn

Keep up with the latest on Hak5 by follow us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

John Bebo’s Auto-Rickroll payload for the WiFi Pineapple is an excellent example of using Dnsmasq to forward targets to a hosted site. While this site could be malicious, perhaps hosing the Browser Exploitation Framework, Bebo’s payload is a safe and simple prank. Any web site a victim attempts to browse to brings them to a WiFi Pineapple hosted page containing Rick Astley ASCII Art and looping audio. It uses a similar technique employed by Captive Portals – something we’ll explore in more detail soon – except a lot more annoying.

Thanks to great documentation from Bebo and Hak5 forum member Psychosis setting up your own Auto-rickrolling WiFi Pineapple is super simple. In fact, this will work on just about any OpenWRT based wireless access point – but we’ll be focusing on the WiFi Pineapple specifically for its Jasager abilities.

This article will focus on setting up the Auto-Rickroll payload in Windows so the every handy PuTTY and WinSCP tools will be used. If you’re on Mac or Linux you already have SSH and SCP. We’ll also be taking a beginners approach, so if you’re a guru you can simply download the payload and take a look at the commands at the end of the article.

Demonstration

First begin by download this package containing all of the configuration and www files. Extract the contents to a temporary directory. You should notice index.html as well as NGGUP.mp3 and NGGUP.wav – these are the www files. You’ll also notice extension-less files dhcp, network and wireless. These are the configuration files.

Next connect your WiFi Pineapple to a computer via an Ethernet cable. In its default configuration the WiFi Pineapple has the IP address of 192.168.1.1 and will assign your computer an IP address in that range using DHCP.

To test your connection to the WiFi Pineapple open a shell and issue the ipconfig command. You should have a 192.168.1.x IP address with your default gateway set as 192.168.1.1. Depending on your configuration you may need to disconnect from any wireless or other networks you are currently connected to. Issuing ping 192.168.1.1 should result in four replies.

Now that you’re directly connected to the WiFi Pineapple open WinSCP. Enter 192.168.1.1 as the host name. Leave 22 as the port number. Enter root for the user name and your password. By default the WiFi Pineapple has a password of “pineapples are yummy”. Select SCP from File protocol and click Login. You may receive two errors regarding group lookup, which are safe to disregard.

Now that you’re logged into the WiFi Pineapple with WinSCP you can begin transferring files. In the left-pane navigate to the temporary directory to which you extracted the files in the first step. The right pane will be /root on the WiFi Pineapple by default. Select the 6 extracted files on the left and drag them to the right.

Click Copy to confirm the command and wait for the procedure to complete.

Now that the files have been copied we’re ready to put them in the appropriate places on the device.

Open PuTTY and enter 192.168.1.1 in the host name field. Port 22 should be entered by default. Click Open to connect. The first time doing this you will be asked to save the key. Click yes if prompted.

When prompted login as root. Again, the default password is “pineapplesareyummy” (sans quotes). Issuing the “ls” command will display the files we copied over in the previous step.

Move the index.html and NGGUP files to /www with the command “mv index.html NGGUP.* /www/” Issuing the “ls” command again will show that only the configuration files remain.

Before moving the configuration files to their appropriate location we’ll want to backup the existing files – just in case we ever want to go back to the default. Navigate to the config directory with the “cd /etc/config” command. Again “ls” will display all of the files in this directory.

Rename network, dhcp and wireless to network.bak, dhcp.bak and wireless.bak respectively using the mv command. For example, “mv dhcp dhcp.bak”

Now you’re ready to move the auto-rickrolling configuration files to /etc/config. Since you’re already in that directory use the command “mv ~/* .” (notice the space between * and .). This command says to move (mv) everything (*) from the home directory (~/ – in our case /root since we’re logged in as root) to the current working directory (.).

Again issuing “ls” will show that the configuration files have moved.

Next we’ll need to modify the dnsmasq config file. By default it does not exist in /etc/ so to create a new one we’ll need to issue the command “touch /etc/dnsmasq.conf”

Once the file has been created we’ll need to add one line to it. We could use a text editor such as vi but I find it easier to simply echo the line into the file. Issue “echo “address=/#/192.168.1.1” > /etc/dnsmasq.conf” (mind the quotes around address=/#/192.168.1.1). The echo command prints whatever is written within the quotes. By default it is written to the screen, but since we used a greater-than sign we specified that the output of the echo command go into the file – in our case /etc/dnsmasq.conf. Alternatively if we were echoing multiple lines into the file we would use two consecurive greater-than signs, which append to the end of a file.

To verify that the configuration has been written issue “cat /etc/dnsmasq.conf”, which will return what we wrote in the previous step, sans quotes. The /#/ part of the command is a wildcard, meaning any address your target attempts to browse to will forward to, in this case, 192.168.1.1.

Now we’ll also need to modify the /etc/init.d/jasager configuration file so that is begins karma immediately upon powering on. This is the only step specific to the WiFi Pineapple and can be considered optional. I like the idea of karma coming up on its own with this configuration – it really automates the whole attack. Since the WiFi Pineapple doesn’t need Internet access (it’s forwarding everything to an internally hosted page) it’s just a matter of plugging in the battery pack and turning it on.

We’ll need to add a block of commands to a function, so a proper text editor is in order. For this issue “vi /etc/init.d/jasager”

Cursor down to the iptables command and press “i” to insert. Now prepend a # to the command to comment it out. Next, after the tail command and before the function closes enter the following string of commands exactly as outlined here. Save and close the file by pressing the escape key followed by : (colon), x (x) and enter.

Finally our configuration changes are complete and it is time to reboot, so either pull the plug on the pineapple or issue the “reboot” command. When everything comes back up either stay connected via ethernet or connect via WiFi to the newly renamed SSID of “ricknet” (or any other Jasager-ized SSID). Browse to any website and enjoy the rickroll action.

Quick steps

#scp * to your pineapple
mv *. /etc/config
mv * /www/
touch /etc/dnsmasq.conf
echo “address=/#/192.168.1.1″ > /etc/dnsmasq.conf
vi /etc/init.d/jasager
#add to start()
wlanconfig ath0 create wlandev wifi0 wlanmode master 2>&1 > /dev/null
iwpriv ath0 karma 1
brctl addif br-lan ath0
ifconfig eth0 up
#comment out iptables command
reboot

This time on an unorthodox Hak5, producers Darren and Paul venture to Las Vegas for the NAB Show and see what the National Association of Broadcasters are up to. We find HD video mixers for under a grand, 3G and 4G bonding solutions for live streaming on the go, HDMI field recorders, extreme sports cameras and some 30 foot jibs we can’t afford or house but still want anyway. This is our technolust!

Download HD Download MP4 Download WMV

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Originating in the 1970s, Snake has become a classic of simplistic video game design. With merely two controls to speak of, turning left and right relative to the direction of the main character, Snake has found its way into popular culture and ultimately our hearts.

Play is fairly straight forward. Navigate a game board without running into obstacles, such as walls and ones self. Score points by running into or “eating” pieces of food. Each piece of food accumulated causes Snake’s tail to grow, thus increasing the complexity of the game board. With no way to stop or reverse, Snake is fundamentally a game of finite length.

For some Snake might be most known as the game that comes with most Nokia phones. Debuting in 1997 on the Finnish candy-bar style 6110 series handsets, Snake consisted of monochrome squares controlled by a rudimentary D-pad. Since then Snake has found a massive audience with Nokia users with new versions including Snake EX – a 16-bit color quality versions sporting multiplayer support over IR and Bluetooth. More recently Snake has evolved to include 3D graphics on Nokia phones.

In 2005 Taneli Armanto, Nokia engineer responsible for Snake on Nokia devices, received an award and special recognition for his pivotal role in embedding Snake on the 6110 from the Mobile Entertainment Forum.

For me Snake was first known as Nibbles, a Qbasic sample program included in MS-DOS version 5.0. This ANSI color graphic Snake variant included 9 levels and featured multiplayer support where by two players could use a single keyboard to navigate individual snakes across a game board. For me Nibbles served as a gateway to programming as the source code, freely modifiable, made the game easy to hack.

Today Snake lives on in many forms. Some of my favorites include Youtube and Gmail. To play Snake on Youtube one must hold the left key for two seconds and press the up key while a video is loading. The video loading throbber will then become the familiar always hungry creature.

To play Snake in Gmail one must visit Mail Settings and activate Old Snakey from the Labs menu.

Darren Kitchen has been exploring underground scenes since his first 1200 baud modem. He first found technolust after writing a BBS dialer in BASIC on a PC-XT. Since then he has made a career of his self-taught tech skills in the field of Systems Administration. After founding Hak5 in 2005 he has become fascinated with new media. Darren also pwns you in Unreal Tournament.

Join the Hak5 crew as we celebrate our Bay Area arrival and the beginning of season 9!

LIVE PERFORMANCES from Nerdcore sensations Dual Core and Dale Chase

Saturday April 2nd at 7:00pm

The Hotsy Totsy Club
601 San Pablo Ave
Albany, CA 94706

Ring in the ninth season with cocktails, nerdcore and technolust!

21 and up. Bring your friends

RSVP at Facebook