Episode 518 – Hacking WPA, ESXi and iSCSI, Bypass Windows Passwords
Darren’s Hacking WPA-PSK keys using the recently updated Cowpatty and some damn fine lookup tables. Connecting ESXi to iSCSI targets — Matt breaks it down with FreeNAS. And Shannon completely bypasses local Windows logins with a Kernel modifyin’ boot cd? w00t!
Download HD Download MP4 Download XviD Download WMV
Cracking WPA Keys with Cowpatty
A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.
The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.
By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.
An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.
Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?
As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.
Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.
The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.
Excerpt Darren Kitchen‘s blog
Bypass Windows Local Logins
Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems
Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far
So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.
The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.
DUDE!
To do this:
Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.
Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!
Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.
Protecting yourself:
Password protect your BIOS!
True Crypt your entire harddrive!
Excerpt Shannon Morse‘s blog
Awesome Episode! I really liked this one…and I’ve already burned a “restore”CD for my PCs. Thanks dudes..
I thought this was the best segment Matt has done so far with regard to his presentation of the material. All of the content was good this time; a really great show
Great Episode! Konboot will save me years of my life!
@5:58 Darren said that he had issues with virtualisation on his Acer netbook, and he would talk about it ‘later’ — and then never did (or not that I remember!)
Did you mean in a later episode, or was the content I was about to be really interested in cut out for some reason?
Great Episode!!! Virtualization segments are awesome!! And KonBoot works great!! Keep coming with more great stuff. Pretty soon I will have my degree from Hak5 U!!
hey matt. when are you planning to talk about the Desktop virtualization strategy? server stuff is cool, but most companies already deployed them. desktop vm tends to get complicated due to choosing the right thin clients, cost, and politics. if you have an experience deploying desktop virtualization, i wish you can go over them. the internal security is a big concern these days. also, going over the business plan could be very cool too.
thanks
HOW CAN i USE YOUR INFORMATION IN COMPUTER GRAPHICS UNLESS YOU SHOW ME
THE WAY TO MAKE A NETWORK WITH SOMEONE THAT i WORK WITH AND DO NOT HAVE TO USE SOMETHING LIKE A TORRENT TO USE TO UPLOAD ON A PLATFORM LIKE BIT TORRENT FROM A PROGRAM THAT MANY CAN SEE. yOU KNOW. you GUYS ARE COOL AND i LOVE THE SHOW .
I WOULD LIKE TO USE THIS TO GO TO THE NEXT LEVEL OF A TORRENT HOW CAN I START MY OWN SHARE NETWORK MAYBE
I watch your show from the Netherlands and I must say that I love it.
When finished watching the recent episode, I can’t wait for the next one..
Though I must say that Snubs has 9 competitive ‘ladies’ in the top 10 rank..
Keep up this work and c ya.
Groeten Koen
I’m nominating EDDIE for a WTFey. It’s a new award. I just made it up.
OMG thats so funny a WTFey.. Win
Loved the show. That is all.
Kon Boot
Rather than waste a whole CD for a small file and have to carry that CD with you its easier to use syslinux or gr4bdos and a menu.lst to boot the Kon fd0 image file from a USB Memory stick “and you wouldn’t even need to re-format the USB.
oops I spelled grub dos wrong it should be “grub4dos”
good work pls how can i download the software
nice and eye opening work keep it up (please how can i get the software downloaded
what about installing ESXi on a SATA or IDE drive? i havent had much luck with that…got any input?
3TeK,
I installed ESXi onto a sata drive in the previous episode.
You just need to make sure you have a supported controller so that vmware recognizes it.
Here’s the vm-help link of supported hardware.
http://www.vm-help.com/esx40i/esx40_whitebox_HCL.php
Or installing ESXi 4.0 to IDE
http://www.vm-help.com/esx40i/ESXi_install_to_IDE_drive/ESXi_install_to_IDE_drive.php
I think your WordPress has been hacked. This post just reappeared in my Google Reader with a bunch of spam links about drugs in it.
[...] with the new changes in BackTrack 4!. btw, in episode 518 of Hak5 they cover WPA hacking: http://www.hak5.org/episodes/episode-518 oh yea and join my FB group: http://www.facebook.com/group.php?gid=2229950641 [...]
this episode is grate. I’m a Chinese, but a accidentaly watch the episode 402. and scine then, i download every episode Hak5.
i love episode with haking. and looking forward for more.
btw, happy birthday.
Thanks guys for the awesome show. Im glad you covered the freenas solution. I am freenas along with the vGhetto Scripts to do backups and cloning. GhettoVCB will take a snapshot copy the VM to the freenas and then delete the snapshot, with no interruption to the end users. Oh yeah for FREE on ESXi 3.5u3. Thanks for feeding my technolust….
@Matt
Yea i just downloaded ESXi 4 and it installed without a flaw on my sata drive on my Tyan i7320 board. I had been trying to install ESXi 3 on it before and that where i was having problems I guess.
Thanks
Great Episode! Loved the show!!!
Great Show, I would also like to see more about Desktop-virtualisation and also Application-Virtualisation.
THX!
i am having trouble getting konboot to work i burned it to a cd and it won’t work i tried on like three machines i need help if anyone has it
Did anyone else get a warning from IE8 saying that the Kon-boot download linked to virues and other malware? The warning reccommed me the cancel the download. I did. I just wanted to ask Shannon Morse or anyone else if they had a bad experiace with Kon-boot. I realize that it might be considered malware because Kon-boot hooked on the Windows kernel (or something like that). Thanks for the input guys.
Hey guys having a little problem with setting up an iSCSI target on step 7 i dont have device, i just have file. any ideas?
hi there i need some help i am new to all this hacking and all the over cool stuff you do but
i am on about getting a wifi-pineapple or makeing one because it is cheaper so any way i am looking at some stuff i need and i come across this video
http://www.hak5.org/?s=wireless+hacking
and it says you use
ALFA AWUS036H wireless for hacking wifi. well is ALFA AWUS036H the the wifi-pineapple.
or is it this http://www.fon.com/en/
because i am getting realy derrrrrrrrrrrrrr about this please help me get my brain back in line
ps if it is the fon then what do i need it for or can i use it for doing what u are doing this video also
http://www.hak5.org/?s=wireless+hacking
also in this video http://www.hak5.org/episodes/episode-518 you are using a programe called back track3 well i downloaded backtack 3 and 4 it and it dose not have the same software you did
software is called cowpatty 4.5
how do i get cowpatty on backtrack
i have loads more qqqqqqq for you but i think this will do for now
email me back dead_virus87@hotmail.com with help
[...] Episode 518 – Hacking WPA, ESXi and iSCSI, Bypass Windows Passwords [...]
When I try to add my extent when I choose type the only thing listed is file not device. What am I missing?
Thanks.
[...] Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP [...]
[...] Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP [...]
WHAT IS THE DIFFERENCE BETWEEN THE USB RT73,RT2570,AND RTL8187 DEVICE?
first of all Great Show`s
i have one question
if i use BT3 on a Eeepc 701 the sound wound work on BT4 it works fine now i am using spoonweb spoonwpa but i can not implement it to bt4 can you help me?
[...] Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP [...]
[...] Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP [...]
[...] Episode 518 – Hacking WPA, ESXi and iSCSI, Bypass Windows Passwords [...]
[...] was presented on numerous places, it was featured in: Hak5 Episode-518, PaulDotCom Security Weekly Episode-158, WindowsITPro and others. Till the 13-07-2009 it was [...]
I laughed so hard when the deauth killed the wireless mics too. also if anyone is wondering i would personally not send any more than 5 deauths. any more than that is overkill and not needed.
After watching your show I have become very interested in learning more about the whole IT field. I was just wondering if you still a big fan of the Alfa AWUS036H or if there is anything else on the market you might recommend?
I would like to know how I can work with you guys? the start of the computer commandor 64