In this HakTip from DEFCON 19 Darren is joined by Mark Wuergler of Immunity to demo Silica, a wireless security assessment tool he has been developing.

Download HD Download MP4 Download WMV

In the demo Wuergler uses Silica to launch a client side attack on an Android phone.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

I want to take a minute to tell you about BustedTees. It doesn’t matter if you’re into video games, movies, science-fiction or just wrapping your torso with something weird, BustedTees literally has you covered. You may have seen a BustedTee or two pop up in movies and TV shows. Now you can grab one for yourself. Head on over to BustedTees dot com to find the shirt of your dreams — your bizarre, hilarious dreams. Enter the promo code “HAK5” and receive 20% off your order

Today we’re continuing our discussion on wireless management frames with probe requests and responses.

Download HD Download MP4 Download WMV

Probes come in two flavors; requests and responses. Let’s begin with the request.

A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.

The information being requested in a probe includes the supported data rates, which are also included in the beacon frames typically broadcast from an access point.

The difference here being that by sending a probe request your wireless card is making an active scan of either a specific network or all networks in the area, where as simply listening for beacon frames in considered a passive scan

Today we’ll demonstrate an active scan and we’ll disect the probe requests and responses.

So this brings us to the responses. Typically when an access point hears a probe request frame, either directed at the specific access point or to all stations in the area using the broadcast SSID, it will send out a probe response.

Similar to a beacon frame, we’ll find that these probe responses contain much of the same information required for two stations to begin communicating.

To begin our demo we’ll start by once again bringing up our fake access point with airbase-ng. Start by bringing up the interface ifconfig wlan0 up and starting a monitor mode interface on channel 11 airmon-ng start wlan0 11. Now we’ll issue airbase-ng -c 11 -e haktip mon0

So to recap our configuration we have our first radio in monitor mode as interface mon0 and it is acting as an access point or base station with Airbase-ng

We’ll bring up our second wireless card in monitor mode with airmon-ng start wlan4 11 and that will create the new interface mon1 — this will be acting as our client or station.

Now if we start up wireshark& and begin sniffing our client, mon1, we’ll see all of the packets or frames going in and out of this card. 

Immediately we’ll see there are plenty of beacons in the air, which we’ve discussed in previous sessions, so let’s filter those out. And while we’re at it lets also filter our any frame that isn’t address to or from our interface with the filter wlan.addr == 00:0f:04:b2:48:68 && wlan.fc.type_subtype != 0×08

Now in the terminal let’s tell our client card to do a passive scan of the area looking for available access points. Issue iw dev wlan4 scan passive | grep SSID and we should see plenty of SSIDs. If we go back to Wireshark we’ll see there aren’t any probes or reponses. This is because our client card here is reporting all of the nearby wireless networks based on a passive scan, meaning no data was sent out. Our card was completely silent and the data compiled was done so only using what was freely available in the air — in this case beacon frames. We can, and probably will get more sophistocated with this type of silent site-survey using the tool Kismet, but for now this will suffice in demonstrating what is available without transmitting a single frame.

So finally let’s go ahead and generate some Probes. In a terminal we’ll tell our client card to make an active scan of the area using the command iwlist wlan4 scan | grep ESSID.

If we come back over to Wireshark we’ll see plenty of probe requests and probe responses. Let’s take a look at the first probe request frame.

We can tell it’s a probe request as its subtype is 0×04. The source is our NICs MAC address and the destination address is Broadcast or ff:ff:ff:ff:ff:ff, meaning this probe request is meant for everyone who can hear it.

Wireshark already knows it is a management frame and under tagged paramaters we can see our supported data rates as well as the channel. Our first probe is set to channel 1. If we add to the filter && wlan.fc.type_subtype == 0×04 we’ll see that the next probe request was on channel 2, then 3, and so on.

Now if we flip our last filter from subtype 0×04, or Probe Request, to 0×05 we’ll see all of the probe responses. And much like the beacons we’ve seen before, these frames indicate the same capability information necessary for our stations to begin communicating.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Thrillist sifts through the crap to find the best your city has to offer every day. Wanna know about a Star Wars Burlesque show, a beer garden that screens 80s flicks, or a new restaurant with a Sushi robot? Then sign up for Thrillists free daily emall at Thrillist.com/hak5

Today we’ll be setting up an environment which will allow us to easily disect a beacon frame, as well as the other three types of management frames; probes, authentication and association. As you know we’ve covered the 3 types of wireless frames; management, control and data. Last week we went over one of the 4 types of management frames — the beacon.

Download HD Download MP4 Download WMV

To recap the demo we began by bringing up our NIC ifconfig wlan0 up and starting a monitor mode interface airmon-ng start wlan0 11 then using the MDK3 tool we can create beacon frames indicating our SSID of choice mdk3 mon0 b -c 11 -n haktip.

Now if we bring up an additional wireless interface ifconfig wlan5 up we can scan for nearby access points iwlist wlan5 scan | grep ESSID and see those beacon frames in action.

This week we’re going to be using airbase-ng and wireshark to put together a nice little wireless packet sniffing environment so that we can better understand management frames.

Airbase-ng is a script that comes bundled with the aircrack-ng suite of tools. Like many of the aircrack tools it is serves multiple purposes. This versatile little tool is mainly aimed at wireless client or stations rather than access points or base stations. It can be used in a wire array of wireless phishing attacks allowing one to obtain WPA handshakes or WEP keys. It can also cause all sorts of mayhem to access points and clients nearby so use with caution.

In todays example we’ll be using the most simple function, and that is mimicing a wireless access point.

You can find the full syntax of the tool by issuing airbase-ng –help. The only paramaters we’ll be specifying in our example will be the channel and ESSID. airbase-ng -c 11 -e haktip mon0

The first thing we see when using airbase-ng in this mode is the report “Created tap interface at0″

Everytime airbase-ng is started a tap interface is created. It isn’t brought up by default but simply issuing ifconfig ath0 up will bring it to life. The neat part about this interface is that even with WEP encryption enabled this tap interface will always show incoming packets after decryption. You can also send packets to this interface and they’ll go out encrypted, if the “-w” option is set.

The next thing listed is airbase-ng setting the MTU, or Maximum Transmission Unit, to 1500. This basically says the maximum size an IP packet can be before it gets split up into multiple packets. For ethernet v2 this is the highest setting possible. You may see MTUs of up to 9000 but only with Jumbo Frames on a gigabit lan.

Finally airbase-ng reports that the access point has been brought up using the BSSID of the NIC. If we want we can specify a different BSSID with the “-a” option or simply use macchanger beforehand.

Ok so we have our fake AP with the SSID “haktip” running so let’s copy the BSSID into our clipboard and startup wireshark&

We’ll select the mon0 interface to listen to and start. Now that we have a few packets lets stop sniffing and apply a filter.

To add a filter to Wireshark come up here to the filter bar and enter the expression. In this case I only want to see frames to or from the BSSID of our haktip access point so enter wlan.addr == BSSID and I’m only interested in beacon frames, so I’ll add && wlan.fc.type_subtype == 0×08

If we open the first frame we can see that it is in fact the type 0×08, or “Beacon”. The destination is Broadcast so it’s being sent out for everyone to hear. We have our source address and a sequence number. Wireshark also knows it’s a wireless management frame, so if we expand that we’ll see capability information under fixed and tagged paramaters. This beacon is saying, among other things, that it cannot support WEP, OFDM modulation isn’t allowed. Under tagged paramaters we’ll notice that the SSID is set to haktip, the support data rates are 1, 2, 5.5 and 11 Mb/s as well as rates 6, 9, 12, 18, 24, 36, 48 and 54 indicating that it’s an 802.11g network, and finally that the channel is set to 1.

And as always we value your feedback and suggestions. If you have a tip to share with me, email tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Midphase has been providing simple, smart and reliable webhosting since 2003. It features unlimited Disk Space & Bandwidth with an exclusive discount (6 months free) for Hak5 viewers. MidPhase provides 24×7 Premium Support via Phone, Live Chat, & Email, as well as a FREE Website builder & simple installs of WordPress, Drupal & Joomla. Also get $100 worth of Search Engine Credits from Google & Yahoo. Visit midphase.com/hak5 to get 6 FREE MONTHS web hosting through this exclusive Penn Point offer. Get your site transferred free (when you mention QuickSwitch).

Today we’re following up our discussion on 802.11 frames with an investigation of beacons and a practical example using BackTrack Linux and a technique known as raw frame injection.

Download HD Download MP4 Download WMV

As you recall from last time, the beacon frame is one of the four types of management frames. The other three being association, authentication and probes, which we’ll be getting into shortly.

Now the beacon frame is a special kind of management frame as it contains information about the network. This brings us to the terms:

Beacon frames or simple beacons are transmitted periodically by base stations or access points to announce the presence of wireless networks. The beacon frame is made up of several parts, including:

Whether the station is acting in ad-hoc or infrastructure mode (also known as managed mode)

The SSID or network name. We’ll be getting more into service sets of 802.11 networks but for now the SSID is a 32 character, typically human-readable string that uniquely identifies the network.

The Timestamp
The timestamp is quite simply a unit of time by which all associating stations synchronize to. It’s like that scene in the movie where all the spies synchronize their watches, except that it happens by hex in the blink of an eye.

And capability information such as

Channel Information

Supported data rates

Typically access points are setup the broadcast their beacons every 10 seconds. This can add quite a bit of overhead so for improved performance on networks where not a lot of clients are connecting and disconnecting, like a home network, this setting is often changed to be much higher.

MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larig’s homepage and is built in to the latest version of BackTrack from backtrack-linux.org

Today we’re using MDK3 in our practical example of transmitting and analyzing beacon frames.

To achieve this we’ll first we’ll need a card capable of raw frame injection. In order to test whether our card has this capability we’ll use the aireplay tool which is part of the aircrack-ng suite.

Aireplay-ng is a tool for injecting wireless frames and can accomplish 10 basic WiFi attacks, including deauthentication, fake authentication, fragmentation and more. We’ll be getting more in depth with the the aireplay-ng tool soon, but for today we’ll be using mode 9, also known as test mode.

Now before we can use either aireplay-ng or MDK3 we’ll need to bring up a monitor interface for our card, or set our card in monitor mode. If you recall from a previous episode the easiest way to do this is with the command airmon-ng start and our interface.

airmon-ng start wlan2

Now that our card has been set to monitor mode and we have the interface mon0 we can proceed to test our NIC.

Issuing aireplay-ng -9 (or –test) and our wireless interface (which in our case is wlan2) we can test to see whether or not our radio can handle raw frame injection.

aireplay-ng -9 wlan2

Our test is complete and we can see that aireplay-ng reports “injection is working”

Now on to MDK3, which is capable of performing many modes of attack. Issuing mdk3 at the command prompt will display a brief description of them.

mdk3 | more

Today we’re focusing on the beacon flood mode. For more information on any mode issue mdk3 –help and the mode. So we’ll issue

mdk3 –help b

Alternatively we could issue mdk3 –fullhelp for information on all attack modes.

So now finally to craft our beacon flood we can see here that the options -f will read SSIDs from a text file, -g will show that they’re using the 802.11g protocol at 54 Mbps, -a will show them as having WPA enabled using AES encryption, and -c will let us specify a channel.

Thankfully I already have a text file full of SSIDs handy so let’s just issue

mdk3 mon0 b -f ssid.list -g -a -c 11

Now as you can see mdk3 is transmitting hundreds of beacons on channel 11 for the access points I’ve specified.

We can verify this using our other wireless interface by scanning for all nearby networks with the command:

iwlist wlan0 scan | grep ESSID

Now Similar to fuzzing, this sort of attack can sometimes break wifi scanners or network interface drivers. And with a specially crafted ssid list I’m sure you can come up with your own fun.

Mind you all of these BSSIDs or mac addresses are random and there’s no chance of anyong actually associating with these base stations. At least not now.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Squarespace is a publishing system for anyone looking to build a blog, portfolio or any kind of website. Squarespace offers a uniquely flexible tool for just about anyone (no coding experience required) to build high end websites with that same functionality that you will find on some of the highest trafficked pages on the web. Squarespace also has amazing iPhone and iPad apps so you can easily update your blog and manage comments on the go. Go to www.squarespace.com to get a 2-week free trial and 10% off when you sign up in July. Just enter coupon code hak57.

Today we’re continuing our WiFi series with the example of cracking a WPA-Pre Shared Key. We started by diving into a PSK brute force with John the Ripper with a previously captured 4-way handshake. Sice we’ve taken a step back and covered promiscuous and monitor mode in terms of packet sniffing, and how MAC addresses come into play here. And now we’ll cover the ingredients needed for this recipe of passphrase cracking delightfulness.

Download HD Download MP4 Download WMV

As I just mentioned our wireless NIC is in monitor mode airmon-ng start wlan0. This is just one of 6 modes that our wireless NIC can operate in. The other 5 are: Master, Managed, Ad-hoc, Mesh and Repeater.

A wireless NIC in Master Mode is often referred to as an Access Point or Base Station. Typically it’s an embedded device with a proprietary OS or slim down Linux installation setup to provide network access to clients.

My WiFi Pineapple here for instance is an access point and I can see the NIC is in Master mode by issuing iwconfig ath0

Now if I come back to my localhost and issue lsusb I see I have my trusty Realtek 8187L installed. And if I check airdriver-ng loaded I see that it’s using the mac80211 driver. With that I know to use the iw command to check the cards capabilities. I just need to know the physical ID first, so running airmon-ng shows that it’s phy1. So now running iw phy phy1 info will show me all of its supported modes. Of course this is a lot of output. Typically I’ve been piping this output to more or less, but today I’ll pipe it to grep.

Grep will show me just what I ask for. In this instance I’m looking for the word “modes”. Issuing iw phy phy1 info | grep modes yields a match, but I’ll need to see a few lines past. For that I’ll tack on A8 to get 8 lines following. iw phy phy1 info | grep -A8 modes shows me that my card only supports the managed and monitor modes.

So that brings us to Managed:

Interfaces in Managed Mode, aka Infrastructure Mode, are considered clients or stations and are the devices connected to an access point. Your laptop, nintendo DS, iPhone, etc.

To connect to my open access point here I can issue iwconfig wlan1 mode managed then iwconfig wlan1 essid Pineapple. If I check iwconfig wlan1 I can see it has associated with the access point.

Ad-hoc, aka Peer-to-Peer, is a mode where wireless devices can communicate with each other without the need for a centralized base-station or access point. This can be useful for small groups of devices in close proximity, but the performance will decrease as the number of devices increases.

For all of the devices on the Ad-Hoc network to communicate with each other they must use the same ESSID. To setup my interface I’ll issue iwconfig wlan0 channel 1 essid myadhocnetwork mode ad-hoc

Now I can see here my cell is not associated, and that’s because this radio is the only one on this ad-hoc network. How sad? I’d tell wlan1 to join wlan0 so they can party together, but as we discovered just a moment ago wlan1 only supports the managed and monitor modes.

The next wireless mode is Mesh. You can think of a mesh as a sort of planned ad-hoc network. Mesh networks, or mesh clouds, are comprised of radios acting as routers, gateways and clients. In a mesh network nodes can communicate as long as they have at least one common connection. For example node A can talk to node C if they are both within range of node B. Likewise, if a node were to go down a mesh can heal itself by routing through other nodes in the network.

We could probably do an entire series on mesh networking, but suffice it to say for now that’s the jist.

And our final mode is Repeater. A wireless interface in repeater mode can be configured to connect to a wireless network, and repeat the signal. The practical application here is to extend the range of a single access-point.

And as always we value your feedback and suggestions. If you have a tip to share with me, email tips@hak5.org. And be sure to check out our sister show Hak5 for more great stuff, just like this. I’ll be there reminding you to trust your technolust.

Computer disasters eventually happen to everyone – (your computer crashes,
gets infected with a virus, you drop it, theft, fire, etc.) but if you get Carbonite

Online Backup before your disaster then NO NEED TO WORRY because your
files will be backed up – automatically and safely offsite – and it’s really easy to get them back.

Plus, you get anytime, anywhere access to your backed up files from any
computer – or on your smartphone or iPad with a free Carbonite app!

With Carbonite, unlimited backup for your PC or Mac is just $59 a year. That’s less than $5 a month. But when you use the offer code Hak5 to start your Free 15-day Trial you’ll get Two Months Free if you decide to buy. All the details are at Carbonite.com and remember to use the offer code Hak5 to get Two Months Free with purchase.

Shannon shows us how to perform arp cache poisoning attacks with ease. Jason joins us for a little cloud backup action using Perl and Amazon S3. Darren covers cracking the code: network enumeration and hash cracking, plus promiscous mode wifi cards, hacked Canon EOS firmware, and a whole lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

In a report by the University of Cali, San Diego and University of Washington, scientists have discovered ways to remotely take over your car. This hasn’t happened out in the wild just yet, but they bought a car and put it through a whole bunch of hacks. Cars now-a-days come with cellular connections and Bluetooth technology. So, a hacker could potentially remotely take over the locks, brakes, etc, or track the vehicles location.

Full Disk Encryption for both internal memory and Secure Digital cards are coming to Android by way of WhisperCore, an app from Whisper Systems. Mixie Marlinspike, co-founder and CTO of Whisper Systems demonstrated the beta of a 256bit AES encryption system on a Nexus S phone recently. WhisperCore is expected to roll out for other Android devices as a free-for-personal-use app with corporate pricing to follow. You may remember Marlinspike from such tools as sslstrip, googlesharing, and the cloud cracking service wpacracker.

Sn0wbreeze 2.3 just came out for all your Apple jailbreaking needs… or some of them at least. This tool will let you jailbreak your iphone, ipad, or ipod using iOS 4.3 on Windows, but it requires tethering. Redmond Pie, the creators of the jailbreak, say you can also use the PwnageTool if you don’t feel like using Windows.

Twitter finally jumped on the SSL bandwagon. Following in the footsteps of Facebook, and after the “OMGs my packets can be sniffed” awakening that was Firesheep, you can now use HTTPS to login to the social networking service. In fact there is even an option under account settings to always use HTTPS. Good on ya, Twitter, for making SSL an opt-in feature. In related news, SSLSTRIP still works.

Make your friends beleive you really are an Xmen! Or, close to one… The guys at the London Makerfaire 2011 , Hackerspace and Brightarcs used a Kinect to make Tesla coils react to your every move. And where did they get the idea? Oh, at the local pub of course. It’s called the Evil Genius Simulator. Win.

—

Road Test: Magic Lantern Firmware

When it comes to extending the life of your digital camera nothing does more than installing a custom rom. The Magic Lantern firmware for the t2i and the 5d Mark II has done just that for me. Even though the firmware is still in beta, after 4 monthes later it’s really proven to be a strong tool set. However it’s not for everyone, there are some downsides: sometimes the camera locksup when switch modes and requires it’s battery pulled, The menu is not perfect and can cause artifacts to remain on screen until restart. The tools that it brings to the tabel more than make up for it include audio meter, custom safe zone overlays, mic input levels and the ability to record the mic input the the on the left track while recording the on board mic the the right channel. All and I recommend, however if the idea of you camera freezing scares you it not quite ready for you just yet. However, it just came out of beta on the 13 of march and I can’t wait to try it out.

—

Cracking the Code: Network Enumeration and Hash Cracking

Darren covers how the last crack the code challenge was completed using a bit of network enumeration and hash cracking. You can download the payload and play along at home.

—

Trivia!

Last Week: This composer of Blade Runner was an inspiration to the recently released OST by Daft Punk of Tron Legacy? The answer was Vangelis. This weeks question is: In Season 5 of X Files, Esther Nairn is the creator of what ‘narly’ entertainment software? Answer at hak5.org/trivia for your chance at some swag!

—

Cloud backsup with Perls and Amazon S3

In this segment Jason Appelbaum shows us how to setup perl scripts to automate backups to an Amazon S3 account.

Notes

• Install ruby
• sudo apt-get install ruby
• check if ruby is installed
• ruby -v
• now get the s3sync ruby scripts
• wget http://s3.amazonaws.com/ServEdge_pub/s3sync/s3sync.tar.gz
• tar xvzf s3sync.tar.gz
• rm s3sync.tar.gz
• cd s3sync
• Create Traget directory /s3backup

Edit the s3config.yml with Access Key ID, Secret Access Key
Once that’s done we are good to go to build out our script the dump the backup files in to the traget folder the trigger the sync.

Now we have our backup script working, let drop it into the cron folder and automate this. Now you have a bullet prof backup. We Have been using it for hak5.org for sometime now and it’s saved us on more than one occasion. If you have any questions about this of any of the other segments you have seen on todays show email us and feedback@hak5.org

Segment Keywords (Comma separated): cloud backup, amazon s3, perl, perl script, s3 script, amazon s3 script, crontab, automate s3 backup, s3 backup script,

—

ARP Cache Poisoning Attacks on Windows

“We get asked a million times over if we’d demonstrate an ARP-Cache Poisoning Attack for Windows, and while we’ve covered this *WAY* back in Season 1, I figured it’s worth a refresher. Now, there are a million ways to do this in the command line with linux tools, but here in Windows we’ll be using a very simple tool called Cain & Abel. Once you’ve downloaded and installed it from www.oxid.it go ahead and fire up the sniffer by flicking the chip icon in the top left. The first time you do this you’ll be asked to select your interface. You can get back to this screen anytime by clicking Configure. I’ve selected this interface here with my IP address since it’s my wireless network card. Now I can scan the network for potential targets. Go to the sniffer tab, right-click, and select Scan Mac Addresses. I’ll stick with the default “”All hosts in my subnet”" and click OK. Now that I have a list of machines on the network I can go over the the APR tab and start the actual ARP Cache Poisoning Attack. Click the blue plus icon on the toolbar to bring up the routing dialog. Here I’ll select 10.13.37.1 on the left — that’s the router — and 10.13.37.124 on the right — that’s Darren’s machine. Click OK and the route will be loaded. Now, begin the poisoning attack by clicking the radiation icon in the top left. Immediately our poisoning attack begins. Now sit back, relax, and wait for your target to do some browsing. Once enough traffic has gone through your’ll notice Full-routing below.

So, what does all of this mean?

ARP Cache Poisoning attacks basically mean a technique used to attack a wired or wireless connection. The attacker can sniff data and send a spoofed ARP message to the LAN. So when they send that spoof message, they receive data that was intended for the router or the computer in question. It’s a man in the middle attack. Neither machine knows I exist in the middle. They just think they’re sending data like usual.

So, what tools are tickling your technolust? Send ‘em by — tips@hak5.org — and we’ll share ‘em with the world.

—

Promiscous mode Wifi cards and Hak5 cameras

DT wrote in: Is there a cheap substitute for an airpcap maybe a firmware flash on a certian wifi card? or something to run software side to work with the wifi card? or virtual appliance?

Your best bet is looking at aircrack-ng compatible cards. Everything you ever wanted to know about wireless card capabilities can be found in the links there.

Daniel wrote: What type of cameras you use for your show. What model. Thanks in advance. Keep the great show.

We’re rocking a single Panasonic AG-HMC150 and two Panasoic HMC40s. To be fair when we started out we were using a trio of the Sony DCR-HC85s. What you shoot is way more important than what you shoot on.

—

Show Notes Outro (HTML):

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

While meeting up with family in Florida this week Darren takes on a WiFi Challenge using the airport friendly Pineapple Mark II and Airdrop-ng. Plus, Shannon has a follow-up to the Ultra Software including your picks.

Download HD Download MP4 Download XviD Download WMV

Airport WiFi Challenge – Jasager and Deauths

Once again my travels take me to a wonderful and target rich environment — the airport.

And while I typically don’t take on challenges, this one tickled my technolust. I was asked how many clients I could harness with a WiFi Pineapple during a typical hour long layover at the airport. I figured this was a great opportunity to test out Airdrop-ng.

Your Ultra Software Picks

In a follow-up from episode 703, Shannon counts down your Ultra software picks, including:

• Total Commander
• JkDefrag
• Ultimate Boot CD
• Super Anti-Spyware
• Process Explorer

We head out to DC for Shmoocon, our favorite hacker conference on the east coast, to talk to some of the brightest minds in security. We talk to Tom Eston about social media security, TheX1le about his new tool airdrop-ng, Jason Scott about preserving our digital heritage, Chris Paget about man-in-the-middle attacks against GSM networks, and much more.

Download HD Download MP4 Download XviD Download WMV

Airdrop-ng

Self taught packet junkie TheX1le shares with us his new tool for wireless de-authentication and deassociation. Airdrop-ng facilitates client control with versatile rule based control.

Cloning, Spoofing, Man-in-the-middle sniffing, and decrypting GSM

Chris Paget of h4rdw4re shares with us the in’s and out’s of GSM hacking. Armed with a USRP and his open-source software, Paget pretends to be your GSM tower, and a lot more.

Jason Scott – Defender of Digital Heritage
Textfiles.com very own Jason Scott joins us to talk about preserving our digital heritage with Archive Team and why it’s important to keep Geocities, Netscape Now buttons, and *gasp* Hamster Dance.

Social Media Security

Tom Eston shares with us the delicious dangers of social networks while in the hands of web-application exploiting hackers. No worries, he’s got you covered at socialmediasecurity.com

Darren’s Hacking WPA-PSK keys using the recently updated Cowpatty and some damn fine lookup tables. Connecting ESXi to iSCSI targets — Matt breaks it down with FreeNAS. And Shannon completely bypasses local Windows logins with a Kernel modifyin’ boot cd? w00t!

Download HD Download MP4 Download XviD Download WMV

Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?

As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.

Excerpt Darren Kitchen‘s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

True Crypt your entire harddrive!

Excerpt Shannon Morse‘s blog

The gang gathers at a dive in Hoboken, NJ during their trip to NYC for the live diggnation and discuss wireless packet injection with airpwn, advancements in WPA-PSK attacks and of course, virtualization.

Download HD Download MP4 Download XviD Download WMV

In an effort to thwart hangovers the gang drops by DC’s Taven in Hoboken to geek out about Wifi and Virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA Tables out there for us with CoWPAtty. (And another little + is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords.

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

We head out to DC for Shmoocon, our favorite hacker conference on the east coast, to talk to some of the brightest minds in security. Dave Kennedy on his project FastTrack. Michael Ossmann about sniffing bluetooth. Joshua Abraham on his software GIS-Kismet. Mister X, author of Aircrack-ng and Johnny Long, author and security guru on Hackers for Charity.

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Dave Kennedy talks about Fast Track, a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network.

Michael Ossmann and Dominic Spill presented on Building an All-Channel Bluetooth Monitor using the USRP and a lot of awesome code. It turns out listening to 79 channels at once is harder than you think.

Joshua Abraham spoke to us about wireless network mapping with his tool GIS Kismet

Mister X, author of Aircrack-ng shares with us a glimpse of the future of wireless network cracking.

Johnny Long, security expert and author, talks to us about Hackers for Charity

Don’t forget to take the Hak5 Survey. This is the last week it’s running so please if you haven’t already take a moment to fill it out as it really helps us out.