Brute forcing Buckets on Amazon S3. Two computers, one mouse with Synergy, a Crack the Code Challenge walkthrough with archive and PDF cracking all a lot more, this time on Hak5.

Download HD Download MP4 Download WMV

Hacker Headlines

LulzSec has just opened up a Hack Request Line, enabling people to give them a ring and ask for them to hack certain sites. The group’s phone number is a 614 USA area code that they posted on their twitter feed. They say they have already sent DDOS attacks to eight of the sites callers have requested with more to follow. But, of course, this is all just for the Lulz.

Random Hacks of Kindness just occurred on June 4th and 5th. It’s a globally linked conference that brings together hackers from 18 cities around the world to discuss problems in the world that could have technological solutions. Seems like an awesome idea, and I wish I could have made it this year!

If you’ve ever had the inkling to flash an Arduino using a ZipIt Z2, now there’s a way! Check out the video from Hack A Day.

Crack the Code Challenge

Did you have what it took to compete in our Crack The Code Challenge, brought to you by GoToAssist Express? These Hak5 viewers did last Sunday. Mad props go to: JudaZuk, CanadianTaco, Bas, ThisDB, adrianke, Fredrik, Mike, Edmund, Adammw111 and Julian who were the first 10 to complete the challenge.

A big thanks go out to all that participated, joined the live stream and chat, and of course GoToAssist Express for sponsoring our Hak5 Lab Network. Stay tuned for info on the next, even bigger Crack the Code Challenge.

Brute Forcing Amazon S3 Buckets

Darren demonstrates Robin Wood‘s bucket finder tool, talks about brute force theory and goes over Robin’s recent analysis.

Two Computers one Mouse with Synerygy

The definition of Synergy is basically taking two or more things and making them function together to produce an outcome that is greater than just the things by themselves. The handy tool called Synergy does just that. Here at our Hak5 office, I use two different computers. I bring in my laptop for social networking, catching up with emails, and writing shownotes; and I also use another laptop to work on the HakShop, print labels, and fulfill orders. I have two mice, one for each machine, and if I had a dime for every time I grabbed the wrong mouse when I’m switching between the two laptops, I’d be a millionaire.

Enter Synergy, the free and open source software that lets you share your mouse and keyboard between several different computers, where each computer has it’s own display. You don’t need any hardware addons or special mods, all you need is a local area network- a connection to the internets shared by those differennt computers. But what if you have different operating systems on those machines? Luckily, Windoes, Mac, and Linux are all supported. Sharing the computers is as easy as just moving your mouse from one monitor to another, also enabling you to use multiple monitors for your single computers as normal, and you can copy and paste between the seperate machines.
Synergy was first created years ago but wasn’t being updated after 2006, so we have a merging of Synergy and Synergy+, now bringing us updates and new OS compatibility.

to download Synergy, go to synergy-foss.org and click the download tab, then choose your operating system for the main computer. Go through the install process like normal and open the program. On the main window, check server, which means you will share this computers keyboard and mouse. Now, click on Configure server. From here you can drag and drop your main computers monitor to a desired box in the grid. This gives you a nice structured view of where each of your computers will be in real time. So, since my main computer will be to the left of my second laptop, I’ll put my main computer here. In the next tab, you can enable hotkeys if wanted, and choose advanced settings. Also, keep in mind your ‘server’s’ name, mine is Snubs-PC. This will be the keyboard and mouse that you’ll want to connect your other computers to as clients.

Now I’m going to connect my second laptop to this main one’s keyboard and mouse, and hopefully all goes well!

I’ve installed Synergy on my second computer. To install it on a second computer, AKA a client, just follow the same steps as before. This time, when you open the program, you’ll need to check Client, and type in the name of your original main computer, for me it’s Snubs-PC. Go into edit–>settings and look up your laptops name, mine is Hakshop. Now on your server computer, choose Server Configuration, and drag a new monitor to the screen. Name this one Hakshop by double clicking on the monitor. Now that you have both computers set up, click start synergy on both of them. If all works fine and they are both connected via the same local area connection – ethernet or wireless – you should be able to move your mouse from one monitor to the other PC’s monitor.

Easy! And totally cool. I literally had a ‘Whoa’ moment when I had my laptop on the other side of the room and was able to use my mouse to control it.

If you like Synergy or have a program like this, email me at feedback@hak5.org.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Join modding wizard Ben Heck and friends as they build and modify a host of amazing community-inspired creations. Be sure to watch the most recent episode of The Ben Heck Show where Ben builds an Arduino-powered, exterior-mounted camera system for an off-road vehicle. The setup enables the driver to control the cameras from inside the cabin to get a better view of obstacles while driving on rugged, off-road terrain. This show about building, modding and electronics culture is brought to you exclusively by element14. Be sure to visit element14.com/tbhs for a chance to win one of Ben’s latest builds!

I’m here to tell you about a tool that will help you save time and money and make you look like a hero to clients or colleagues GoToAssist Express – by Citrix. Lets you easily resolve computer issues in real time OR after hours. Even work while your customers are away from their computers, dramatically boosting your productivity. In fact, on average, Go To Assist Express users report a 40% increase in productivity – that’s like getting 2 extra work days back a week! Try GoToAssist Express FREE for 30 Days. For this special offer visit
GoToAssist.com/hak5.

.TV is the best domain name for websites with video. If you want to build a video site or if your website has a play button, I recommend getting a .TV domain. A .TV website lets you showcase your original content and create a unique site, not just another YouTube channel. Just go to Domain.com and search for the perfect .TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%. If you need to host your .TV website, don’t forget about Domain.com’s web hosting plans. They’re less than six bucks a month and have everything you need to build, maintain, and promote your site. Remember – when you think domain names, think Domain dot com. Got a great idea? It all starts with a great domain. Domain.com

Darren finishes off the photo frame case mod with a little cable beautification and accent lighting. Shannon’s getting into programming without touching a line of code using the Illumination Software Creator from Radical Breeze. Plus getting crafty with packets and the hping utility, open-source dropbox alternative based on OpenSSH and Rsync, and multi-threaded steganography bruter-forcers!

Download HD Download MP4 Download WMV

Hacker Headlines

Last week we reported on nearly 60 nasty trojans hitting the Android marketplace. Google responded by delisting the publisher and used their app remote kill switch on the over quarter-million affected users. Google also released a security tool to clean up the mess. Well, said security tool has been found on an unregulated third-party Chinese marketplace injected some delicious botnet code. This one sports the ability to send text messages from the zombie’d phone.

A ‘group of hackers’ has figured out a way to scam Microsoft’s XBox Live Points by producing working character strings like the ones you get on the back of the points cards. They released the scheme on a website that would generate the codes for you! Microsoft lost about 1.2 million dollars in points, but they have since blocked the site… though, they don’t have a way of knowing who did it and they’ll probably have to redo the entire algorithm.

Just when you thought your Linux box was safe, a router-rooting bit of malware has been discovered. Once run the malware, posing as an ELF file, brute forces network routers. If successful the malware even sets up an IRC backdoor on the system. This router-rooter comes months after the Chuck Norris botnet circulated, attacking routers with default passwords.

If you visited George Hotz’s website between January 2009 and now, Sony may know about it. In a decision last Thursday, Magistrate Joseph Spero granted Sony a subpoena of PS3 jailbreaker George Hotz’s web provider for logs. Sony also won subpoenas for data on Youtube and Google. GeoHot’s provider, Bluehost, has been asked to turn over server logs, IP address logs, and just about anything pertaining to geohot.com/jailbreak.zip

Whats more fun than Gary’s Mod? How about using the Kinect to play Gary’s Mod! John B used OpenNI to gather skeletal coordinate data from the Kinect and pass it through to Gary’s Mod so he can do all the physics fun while get an exercise. How about some Gary’s Mod music videos next? With baby kittens?

—

Crack the Code Challenge

Did you have what it took to compete in our Crack The Code Challenge, brought to you by GoToAssist Express? These fine Hak5 viewers did last Sunday. Mad props go to Paul, Sork, Richard, Raging Cake, Jenkins, John and Joey, as well as our returning champions Netshroud, Leo and Tristian.

A big thanks go out to all that participated, joined the live stream and chat, and of course GoToAssist Express for sponsoring our Hak5 Lab Network. We had an overwhelming reception with more participants than virtual machines, however we’ll be increasing our capacity this week as well as getting the Thunder Kitten Assault Force involved. Stay tuned for info on the next, even bigger Crack the Code Challenge.

And be sure to tune in next week as we’ll have a detailed walk through on how the challenge was completed.

—

Illumination Software Creator

I would love to have the ability to make my own software applications without having to know any kind of coding language. But it seems like even to do something as simple as a Hello World script you still have to know at least a few lines of script.
Well… not anymore! With Illumination Software Creator, from Radical Breeze, you can write software apps without the code, by using a unique easy interface.

Requirements:
Windows- Needs Python
Works on Windows, Linus, Ubuntu, Mac, Android, and Flex

Follow directions on the Requirements page at RadicalBreeze.com. For Windows, I have to download a few python installers before it’ll work. Then go to the download page and click on your desired OS. Run through the quick download and open the Software Creator.
Simply drag and drop boxes for what you want your application to do. Then connect the boxes by the ribbons to make a full application.
I’m gonna do a really simple one. It’s going to have a popup window that says Hak5 Rules!
First, click on new project and add your boxes. I want to set some text in a message box that will pop up.
So I add the set text box and add a variable that I can re-use for several commands. The variable is called Hak5 Rules, text, and the default text is Hak5 Rules!
Under Set Text I add the Hak5 Rules to the custom text line, then for the message box I add the Variable for Hak5 Rules.
After you make your application, click run to make sure it works. Ok, I need to add the variable to the Set Text box, and now I can click Run, save it, and in a few seconds, there we have a text box that says Hak5 Rules

At first it’s a little tough to get used to if you’ve never designed an app or used code. Once you get the hang of it it’s really easy.
Email me what you think at feedback@hak5.org.

—

HakTip: Crafting packets with HPING

We’ve been talking about screen, and packet sniffers, but today I’m putting ‘em together with a new tool to craft our own packets.

Hping3 is a TCP/IP packet assembler. It’s modeled after the unix ping command — but it can do so much more. It’ll craft TCP, UDP, ICMP or even RAW-IP packets.

So here in the top screen I have tcpdump running on eth0. If I issue a ping 66.11.227.169 I’ll see that traffic.

Now let’s say I want to not just ping the server, but figure out if there’s an HTTP daemon running. For this we’ll do what’s called a half-open SYN connection.

hping -c 1 -I eth0 -s 1234 -p 80 -S 66.11.227.169

In the top screen I can see my traffic. In the bottom I get the output from hping and I can see that we sent a SYN packet and received a SYN+ACK. Since we’re not completing the three-way-handshake we never complete the connection, thus leaving it as a half-open SYN connection.

Just as an example I’m going to run the command again but this time let’s change it to port 81.

hping -c 1 -I eth0 -s 1234 -p 80 -S 66.11.227.169

And in this instance there isn’t a daemon running to answer the SYN, thus we see 1 packet sent, 0 received.

Now this is just scratching the surface of what’s possible with a traffic generator like hping and a debug setup like tcpdump coupled with screen. And of course I’m looking forward hearing about your favorite packet assemblers.

So what tips are rocking your world? Send ‘em by tips@hak5.org

In this segment Darren covers the beautification aspects of the case mod, tackling the tricky bits of cable management and accent lighting with cold cathodes. Darren reviews some of the recent case mod feedback and looks forward to hearing your ideas for future mods. Send ‘em by feedback@hak5.org

—

Trivia!

Last week’s trivia question was:
In WarGames, this character gives his name to the first computer game Lightman finds. The answer is Stephen Falken.

This week’s trivia question is:
This composer of Blade Runner was an inspiration to the recently released OST by Daft Punk of Tron Legacy?

Answer at hak5.org/trivia for your chance to win some hak5 swag!

Emails: Cluster Specs, Dropbox Alternatives and Brute Force scripts

“Jamie writes:
PLEASE tell us all the parts you use for the cluster nodes in episode 823. Please??? Love the show.”

The exact specs are ASUS P8 H67-M series motherboard, Core i5 2500K CPU, 2.5″ Scorpio Blue 250GB hard drive, and the least expensive 4GB of RAM you can find.

“You guys should work on metatagging your episodes based on what is covered and then have a search function for that… I am having all sorts of issues finding a few older episode I remember on Android… as I just a working one I want to play with it now -initialhit”

We are! In fact Paul is even cataloging our archive of segments. You may have noticed the code, game, geek, hack and IT categories on hak5.org. Stay tuned as we get all of our content cataloged over the coming weeks.

“After the last CCC I realised that you could brute force stegfiles a
Lot faster if you created multiple concurrent threads to do the work.
So, I wrote my own script to do just that. It’s definitely faster than
cypherround’s script, though not as pretty. I don’t have a website or
blog, so I pastebinned it http://pastebin.com/nLSbbF17.
Oh, and I’m really looking forward to the next CCC! –Nevermore”

Wicked! Thanks Nevermore

Tim writes: “Hey guys, I have a question about a possible dropbox alternative.

I have been using dropbox for about a year now for my paranormal research group. It has worked great for sharing casefile paperwork, evidence collections, etc.

I would invest in the pro versions to hold more space, but due to a security concern, each member of our organization has their own account and each person depending on
their position in the company gets access to certain folders, if I got pro for each person I would end up spending thousands of dollars a year (we have 20 members)

My question is could there be a better way of sharing files and synchronizing file versions instantly between users. I tried Microsuck Skydrive but I am also using some linux
machines which counts that out.”

The short answer is rsync. The longer answer will be a future segment, but
here are some links to get you started:

http://philcryer.github.com/lipsync/, https://github.com/philcryer/lipsync#readme, http://fak3r.com/geek/howto-build-your-own-open-source-dropbox-clone/, http://code.google.com/p/s3fs/wiki/FuseOverAmazon, and http://www.tarsnap.com/.

—

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Darren demonstrates cracking Microsoft VPN tunnels using the MS-CHAPv2 authentication protocol using Joshua Wright’s tool ASLEAP and talks about the theory behind the attack.

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

Download HD Download MP4 Download XviD Download WMV

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

PS: Check out Player2Rentals.com.

Darren’s Hacking WPA-PSK keys using the recently updated Cowpatty and some damn fine lookup tables. Connecting ESXi to iSCSI targets — Matt breaks it down with FreeNAS. And Shannon completely bypasses local Windows logins with a Kernel modifyin’ boot cd? w00t!

Download HD Download MP4 Download XviD Download WMV

Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?

As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.

Excerpt Darren Kitchen‘s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

True Crypt your entire harddrive!

Excerpt Shannon Morse‘s blog

The gang gathers at a dive in Hoboken, NJ during their trip to NYC for the live diggnation and discuss wireless packet injection with airpwn, advancements in WPA-PSK attacks and of course, virtualization.

Download HD Download MP4 Download XviD Download WMV

In an effort to thwart hangovers the gang drops by DC’s Taven in Hoboken to geek out about Wifi and Virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA Tables out there for us with CoWPAtty. (And another little + is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords.

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

Darren shows off some nifty tricks for Netcat and a targeted brute force attack dictionary generator. Matt continues his series on Virtualization with redundancy and Shannon pimps the blog with her WordPress plugin picks. Plus the results of our Monkey Contest, the Code Challenge and this weeks easter egg hunt

Download HD Download MP4 Download XviD Download WMV

Show Notes

Common User Password Profiler

The Common User Password Profiler from Remote-Exploit is a password/passphrase generator specifically targeted as an individual user. Feed it some info like names, birth dates, spouce, children and pets and it will generate individually, or along with an existing dictionary, thousands of potential passwords. Just add water, feed to your favorite brute forcer and enjoy.

From personal experience I can vouch that, while simple sounding, this would have a HIGH success rate on some of my _former_ (L)users. Administrators take note and enforce BOFH password requirements

netcat – “The Swiss-army knife for TCP/IP”

When it comes to sending and receiving TCP and UDP any which way from the console nothing is more versatile or easy to use than netcat.

With a few simple commands you can use netcat to initiate chat, file transfer or even shell access in either direction between a “server” and a “client”.

The tool can be set to listen or broadcast on any port and tied together with some shell-fu almost anything is possible.

Some listener favorites include cloning hard drives over a network with dd and netcat, tailing a log across the network, port scanning, IP redirecting, or even spoofing user-agents and referrers. Internet Explorer 22 anyone?

Digininja points to this great netcat cheat sheet (PDF 128K).

What kind of crazy stuff have you done with netcat? Feedback@hak5.org

Shannon’s WordPress Plugin Picks

Twitme

This plugin allows you to automatically post your new posts on the twitter website. This is good because the iPod and iPhone for example have a large amount of twitter clients to pick from. Your blog posts will arrive to people while they are walking the streets.

Socialite

Socialite allows your WordPress posts to publish to Twitter, Facebook, and MySpace. Each social networking site can be enabled or disabled for publishing, and each is configured separately with their own options. Support for Short URL services such as zz.gd and Tinyurl.com is also supported.

Sociable

Automatically add links to your favorite social bookmarking sites on your posts, pages and in your RSS feed. You can choose from 99 different social bookmarking sites!

MobilePress

MobilePress is a WordPress plugin that will render your WordPress blog on mobile handsets, with the ability to use customized themes. The plugin also allows specific themes for specific devices / mobile browsers, such as iPhone, Opera Mini, Windows CE Mobile and other generic handset browsers.

Resize at Upload Plus

The plugin will automatically resize an image upon upload, depending on the maximum width and height that you define. Gone are the days when you, or your client, will ruin a site’s layout by uploading a huge file with 25 megapixels. Be advised: there is no backup, no copy of the originally uploaded image.

WP-Cache 2.0

WP-Cache is an extremely efficient WordPress page caching system to make your site much faster and responsive. It works by caching Worpress pages and storing them in a static file for serving future requests directly from the file rather than loading and compiling the whole PHP code and then building the page from the database. WP-Cache allows to serve hundred of times more pages per second, and to reduce the response time from several tenths of seconds to less than a millisecond.

WordPress Backup

Backup the upload directory (images), current theme directory, and plugins directory to a zip file. Zip files optionally sent to email.

WP Security Scan

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

WP Ban

It will display a custom ban message when the banned IP, IP range, host name or referer url trys to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.

pixelstats

Count every viewer and every article view for each blog entry, no matter how and where it is read: pixelstats tracks views of each blog post or page, not only on a single article page but also on each other page where the complete article is shown, i.e. the blog front page, category pages, search result page, archive pages and even RSS fee

Thanks for watching, subscribing, and most of all supporting the show. Custom commissioned WiFi Pineapples running Jasager are still available.

Darren’s back in the kitchen with an illustrated scenario of online brute forcing every systems administrators beloved remote desktop. He whips up some home made chicken noodle soup and tosses on the ol’ white hat for a talk about countermeasures and security best practices. Then Matt brings you a full featured and aggressively priced alternative to Microsoft’s own Terminal Service. Do I hear cheap thin clients around the corner?

Download HD Download MP4 Download XviD Download WMV

Watch

Show Notes

Online Brute Force Countermeasures And Chicken Noodle Soup

Similar in function to SSH, Remote Desktop Protocol is one of the essential tools for administrating Microsoft Windows Servers. The natively encrypted services comes standard on Windows Server and even XP Pro and Vista. It is also serve as the example for a brief followup to my previous segment on Offline Brute Forcing.

In my scenario I demonstrate how the tool TSGrinder can be used to perform dictionary attacks against RDP services with character substitution (or leet) options. This attack simply demonstrates a few weeknesses in Windows.

First of all by default the Administrator account cannot be locked out remotely. This behavior can be changed using the Passprop utility from the Windows 2000 resource kit. This tool will also allow you to enforce strong passwords. It is also recommended that the administrator account be renamed. There are a few tools for this as well. Though more obscurity than security I recommend changing the RDP listen port. I strongly recommend reviewing Microsoft’s password best practices and considering passphrases. PasswordMeter.com is a nice site that will rate your password on complexity. Finally I recommend enabling extensive auditing. There are a number of third party security applications made specifically for auditing that offer alerting options on events such as online brute force attempts. One application in particular, 2X SecureRDP offers advanced filtering based on IP and Mac addresses for RDP connections. I’m particularly interesting in hearing your feedback on Windows extensive auditing software so please drop me a line, darrenAThak5.0rg!

And my final recommendation on securing RDP is to limit its exposure by keeping TCP 3389 (or whatever port you’ve changed it to) closed. A little SSH tunneling or VPNing can go a long way to keeping unncessary serices away from the wild wild web. I’ve laid the foundation for this in a segment on 1×07 and will follow up with a more robust VPN segment soon. If you’ve got ideas again drop me a line.

–Darren Kitchen

Terminal Service Alternatives

The website is located at http://www.xpunlimited.nl there is a large list of benefits at http://xpunlimited.nl/benefits.html

One of the really nice features is the ability to repurpose an old XP machine to use as a terminal server.

The setup couldn’t be easier, and is pretty much a standard application installer, customization is a very simple process from limiting application launches, to customizing the initial desktop, and even advanced functions which replicate the microsoft terminal services security settings.

Questions or alternatives?

–Matt Lestock

In this first episode of ’09 Dave Randolph joins us to geek out about all things video. Darren whips up a Password Cracking Cocktail and shows off a wicked fast MD5 brute force tool that harnesses the power of your Nvidia graphics card. Shannon saves the day by recovering her sisters Windows password with Ophcrack Live. And Evil Server gets his evil on while we were away on holiday.

MP4 XviD WMV

Watch

Show Notes

MD5 Brute Forcing with your graphics card

Since Nvidia released the CUDA API for Windows, Mac and Linux a number of advances have taken place in the world of brute forcing. In this episode I feature a tool by Svarychevski Michail Aleksandrovich that claims to be the world’s fastest MD5 cracker — BarsWF

Using the brute forcer with a couple Nvidia 8 series or newer graphics cards you’re able to achieve unprecidented speeds. I’ve seen claims of nearly 4 billion hashes per second with quad SLI.

CUDA has also spurred other developments, such as this NTLM brute forcer for Linux.

In my segment I go into the very basics of password cracking theory and MD5 hashes with some simple scenarios. My aim is to provide a fundamental understanding of the concepts. If you’re interested in reading more I suggest starting here.

–Darren Kitchen

Windows Password Recovery with Ophcrack Live USB

Recovering Windows Passwords coulnd’t be easier with Ophcrack Live on USB. Whether it’s your sister’s forgotten XP account or [insert other legit reason] a little USB booting and Rainbow Table loving’s got you covered.

Preparing an Ophcrack USB key is as simple as formatting your drive for FAT32 with the HP USB format tool. Downloading and launching USBOphcrack.exe and running the included batch file. The program will download a small set of rainbow tables and prepare your USB drive.

For even higher password recovering accuracy I recommend finding a larger set of Ophcrack compatible rainbow tables. Or if you’re feeling adventerous why not try out the Hak5 community rainbow tables — a whopping 120GB of NTLM goodness.

–Shannon Morse

Be sure to follow one of us on Twitter if you’ll be at CES this week. We’ll be there finding all the best hackable gadgets!

In this episode of Hak5 Darren uses the eeePC, BackTrack 3, and Aircrack-ng to audit the security of our WPA encrypted wireless access point. Wess reviews Herbie the Mousebot from Solarbotics, a great electronics projects for beginners/intermediates. Chris Gerling comes by to show us Rockbox, the open source firmware alternative for your portable media players as well as a brief tutorial on building your own songs for frets on fire. Grab a companion cube and gather ’round for some technolust.

Download MP4 Download Xvid Download WMV