Building the ultimate white box ESXi server for under $2000! Can it be done? Darren and Matt grab the company credit card and answer that question.

Download HD Download MP4 Download XviD Download WMV

Building the Ultimate White Box Server for under $2000

When it comes to building a white box server for ESXi your best resources are vm-help.com, UltimateWhiteBox.com, the VMware Compatibility Guide, and the VMware community.

We carefully selected ESXi supported components based on reliability and value. If this were the ultimate $3000 white box server we might have picked a server board with dual Xeon’s and ECC memory, but to keep it under that magic $2000 price point we went with beefy “desktop” components such as the Intel Core i7 920, the ASUS P6T Deluxe, and 12 GB of Corsair XMS3 memory.

Drive wise you can’t go wrong with the 3ware 9650SE-4LPML. It supports four SATA II drives in RAID 0, 1, 5, 10 or JBOD. It’s bigger brother the 9650SE-16ML sixteen channel SATA II controller is hot too — just at three times the price. The 9650SE isn’t supported out of the box by ESXi, however 3ware provides a knowledge base article and drivers necessary to add support for the card after your ESXi box is built.

Drive wise we picked up four Western Digital Caviar Black 1TB drives since they’re cheap and reliable.

To make things easy when installing all these components in our Rosewill RSV-Z4000 4U rackmount case we picked up a 4 Drive trayless how swap sata backplane from StarTech. IcyDock makes one too. This was the only $100 spent for convenience over performance/value, but anyone who has dealt with 5.25″ to 3.5″ mounting brackets will agree it’s worth every penny.

Rather than installing ESXi on the RAID, we used a 4GB USB drive from Patriot. The Xporter XT. It boasts really fast read/write times. I’m sure any old 1gb or larget USB drive would have done but they’re so cheap, why not?

We’re doing a little white box server contest. Winners will get all sorts of swag from the Hak5 Store. Check out all the details in the episode release thread at Hak5.org

Darren’s Hacking WPA-PSK keys using the recently updated Cowpatty and some damn fine lookup tables. Connecting ESXi to iSCSI targets — Matt breaks it down with FreeNAS. And Shannon completely bypasses local Windows logins with a Kernel modifyin’ boot cd? w00t!

Download HD Download MP4 Download XviD Download WMV

Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?

As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.

Excerpt Darren Kitchen‘s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

True Crypt your entire harddrive!

Excerpt Shannon Morse‘s blog

The gang gathers at a dive in Hoboken, NJ during their trip to NYC for the live diggnation and discuss wireless packet injection with airpwn, advancements in WPA-PSK attacks and of course, virtualization.

Download HD Download MP4 Download XviD Download WMV

In an effort to thwart hangovers the gang drops by DC’s Taven in Hoboken to geek out about Wifi and Virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA Tables out there for us with CoWPAtty. (And another little + is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords.

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

Building your own VMware ESXi Server in under an hour with parts you may have lying under your bed. Extreme sports cameras and mounts and mounts can be expensive. Why not build your own for about 5 bucks. And light video editing that’s both easy and free? Avidemux may be the answer.

Download HD Download MP4 Download XviD Download WMV

Darren’s on a mission to mount a digital video camera to his motorcycle. While commercial options such as the $300 Vholdr Contour HD and $150 Oregon Scientific AT3K are available, why not build your own universal camera mount for about 5 bucks.

Continuing with the theme of rolling your own, why not build your own ESX/ESXi compatible virtual machine host? Matt builds one that fits inside a gym bag and walks us through setting up ESXi in about 10 minutes (give or take a few progress bars).

Rounding out the nearly free and useful bits this episode, Shannon shows us an open source video editing application that may be perfect for your light video editing needs. Avidemux is a light weight editor perfect for simple video trimming, filtering and encoding. It sports some really nice automation and job queing features and comes with profiles pre-configured for common formats such as MP4 for iPod, PSP, or Apple TV.

Darren shows off some nifty tricks for Netcat and a targeted brute force attack dictionary generator. Matt continues his series on Virtualization with redundancy and Shannon pimps the blog with her WordPress plugin picks. Plus the results of our Monkey Contest, the Code Challenge and this weeks easter egg hunt

Download HD Download MP4 Download XviD Download WMV

Show Notes

Common User Password Profiler

The Common User Password Profiler from Remote-Exploit is a password/passphrase generator specifically targeted as an individual user. Feed it some info like names, birth dates, spouce, children and pets and it will generate individually, or along with an existing dictionary, thousands of potential passwords. Just add water, feed to your favorite brute forcer and enjoy.

From personal experience I can vouch that, while simple sounding, this would have a HIGH success rate on some of my _former_ (L)users. Administrators take note and enforce BOFH password requirements

netcat – “The Swiss-army knife for TCP/IP”

When it comes to sending and receiving TCP and UDP any which way from the console nothing is more versatile or easy to use than netcat.

With a few simple commands you can use netcat to initiate chat, file transfer or even shell access in either direction between a “server” and a “client”.

The tool can be set to listen or broadcast on any port and tied together with some shell-fu almost anything is possible.

Some listener favorites include cloning hard drives over a network with dd and netcat, tailing a log across the network, port scanning, IP redirecting, or even spoofing user-agents and referrers. Internet Explorer 22 anyone?

Digininja points to this great netcat cheat sheet (PDF 128K).

What kind of crazy stuff have you done with netcat? Feedback@hak5.org

Shannon’s WordPress Plugin Picks

Twitme

This plugin allows you to automatically post your new posts on the twitter website. This is good because the iPod and iPhone for example have a large amount of twitter clients to pick from. Your blog posts will arrive to people while they are walking the streets.

Socialite

Socialite allows your WordPress posts to publish to Twitter, Facebook, and MySpace. Each social networking site can be enabled or disabled for publishing, and each is configured separately with their own options. Support for Short URL services such as zz.gd and Tinyurl.com is also supported.

Sociable

Automatically add links to your favorite social bookmarking sites on your posts, pages and in your RSS feed. You can choose from 99 different social bookmarking sites!

MobilePress

MobilePress is a WordPress plugin that will render your WordPress blog on mobile handsets, with the ability to use customized themes. The plugin also allows specific themes for specific devices / mobile browsers, such as iPhone, Opera Mini, Windows CE Mobile and other generic handset browsers.

Resize at Upload Plus

The plugin will automatically resize an image upon upload, depending on the maximum width and height that you define. Gone are the days when you, or your client, will ruin a site’s layout by uploading a huge file with 25 megapixels. Be advised: there is no backup, no copy of the originally uploaded image.

WP-Cache 2.0

WP-Cache is an extremely efficient WordPress page caching system to make your site much faster and responsive. It works by caching Worpress pages and storing them in a static file for serving future requests directly from the file rather than loading and compiling the whole PHP code and then building the page from the database. WP-Cache allows to serve hundred of times more pages per second, and to reduce the response time from several tenths of seconds to less than a millisecond.

WordPress Backup

Backup the upload directory (images), current theme directory, and plugins directory to a zip file. Zip files optionally sent to email.

WP Security Scan

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

WP Ban

It will display a custom ban message when the banned IP, IP range, host name or referer url trys to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.

pixelstats

Count every viewer and every article view for each blog entry, no matter how and where it is read: pixelstats tracks views of each blog post or page, not only on a single article page but also on each other page where the complete article is shown, i.e. the blog front page, category pages, search result page, archive pages and even RSS fee

Thanks for watching, subscribing, and most of all supporting the show. Custom commissioned WiFi Pineapples running Jasager are still available.

Session Hijacking with a Pineapple, Hamster and Ferret and cell phone? A free and easy way to virtualize physical servers! And is WPA Broken? Ikea clusters, screencasting, and canvas technolust.
[ MP4 | XviD | WMV ]

Watch

Show Notes

Is WPA Broken? Interesting stuff coming out of PacSec this year. Ars has a great writeup about it our check out Martin Beck and Erik Tews’ paper Practical attacks against WEP and WPA (PDF). There is a proof of concept tool available from the Aircrack-NG folks. Take a look at Tkiptun-ng. At time of writing the tool is not fully functional. Something to keep an eye on.

Steve P. writes to us about the Helmer beowulf cluster. This 6xCore2Quad is sure to make any geek smile. Kitty approved too! While stuffing a personal cluster into an Ikea cabinet is novel in and of itself the mad scientist behind it has thought some insane cluster designs including the 50 tflop Helmer 2 and the 4 pflop Helmer 3. All I can say is I want one. Thanks for the links Steve.

Darren enjoys a Bondages’ No Problem while Matt and Shannon stick with the margaritas.

More importantly Darren talks about Session Hijacking and demos a tool from Errata Security called Hamster and Ferret that, in conjunction with the latest 2.0 build of Jasager, an ICS’d EVDO connection and Tftpd32 we’re able to “sidejack” with our little man-in-the-middle setup. Lesson learned? Be suspicious of any wifi. Check for signatures of trusted networks and tunnel your traffic. We’ll come back to this topic with a more indepth segment on Jasager detection and traffic encryption soon.

A note on trivia. Please answer trivia questions on the Hak5 forums from now on. We would love to continue doing dual winners but with growing prize costs we cannot. Also, if you’re interested in volunteering to help with trivia code challenges lend a hand in the Dev5 board.

Matt shows us how to convert a physical server into a virtual server locally using the free VMware converter tool and talks about some of the concerns you must consider when preparing to virtualize. If you have virtualization questions hit up Matt and we’ll cover ‘em on future segments. Matt at Hak5 d0t org.

Alex W. writes with a question about screen recording. We highly recommend the open source Camstudio as well as FRAPS and Techsmith’s Camtasia Studio (warning: sticker shock may occur at techsmith.com). Paul (our “camera guy”) suggests checking out the new screen capturing functionality of the latest verison of VLC, especially if you’re on the Linux or Mac side.

As always we’d love to hear your feedback. Your questions, comments or concerns can be directed to HakHouse.com. It’s a crazy interactive project we’re working on. Just wait ’till we get the web-enabled robots up in there.

Trust your Technolust