Shannon shows us how to perform arp cache poisoning attacks with ease. Jason joins us for a little cloud backup action using Perl and Amazon S3. Darren covers cracking the code: network enumeration and hash cracking, plus promiscous mode wifi cards, hacked Canon EOS firmware, and a whole lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

In a report by the University of Cali, San Diego and University of Washington, scientists have discovered ways to remotely take over your car. This hasn’t happened out in the wild just yet, but they bought a car and put it through a whole bunch of hacks. Cars now-a-days come with cellular connections and Bluetooth technology. So, a hacker could potentially remotely take over the locks, brakes, etc, or track the vehicles location.

Full Disk Encryption for both internal memory and Secure Digital cards are coming to Android by way of WhisperCore, an app from Whisper Systems. Mixie Marlinspike, co-founder and CTO of Whisper Systems demonstrated the beta of a 256bit AES encryption system on a Nexus S phone recently. WhisperCore is expected to roll out for other Android devices as a free-for-personal-use app with corporate pricing to follow. You may remember Marlinspike from such tools as sslstrip, googlesharing, and the cloud cracking service wpacracker.

Sn0wbreeze 2.3 just came out for all your Apple jailbreaking needs… or some of them at least. This tool will let you jailbreak your iphone, ipad, or ipod using iOS 4.3 on Windows, but it requires tethering. Redmond Pie, the creators of the jailbreak, say you can also use the PwnageTool if you don’t feel like using Windows.

Twitter finally jumped on the SSL bandwagon. Following in the footsteps of Facebook, and after the “OMGs my packets can be sniffed” awakening that was Firesheep, you can now use HTTPS to login to the social networking service. In fact there is even an option under account settings to always use HTTPS. Good on ya, Twitter, for making SSL an opt-in feature. In related news, SSLSTRIP still works.

Make your friends beleive you really are an Xmen! Or, close to one… The guys at the London Makerfaire 2011 , Hackerspace and Brightarcs used a Kinect to make Tesla coils react to your every move. And where did they get the idea? Oh, at the local pub of course. It’s called the Evil Genius Simulator. Win.

—

Road Test: Magic Lantern Firmware

When it comes to extending the life of your digital camera nothing does more than installing a custom rom. The Magic Lantern firmware for the t2i and the 5d Mark II has done just that for me. Even though the firmware is still in beta, after 4 monthes later it’s really proven to be a strong tool set. However it’s not for everyone, there are some downsides: sometimes the camera locksup when switch modes and requires it’s battery pulled, The menu is not perfect and can cause artifacts to remain on screen until restart. The tools that it brings to the tabel more than make up for it include audio meter, custom safe zone overlays, mic input levels and the ability to record the mic input the the on the left track while recording the on board mic the the right channel. All and I recommend, however if the idea of you camera freezing scares you it not quite ready for you just yet. However, it just came out of beta on the 13 of march and I can’t wait to try it out.

—

Cracking the Code: Network Enumeration and Hash Cracking

Darren covers how the last crack the code challenge was completed using a bit of network enumeration and hash cracking. You can download the payload and play along at home.

—

Trivia!

Last Week: This composer of Blade Runner was an inspiration to the recently released OST by Daft Punk of Tron Legacy? The answer was Vangelis. This weeks question is: In Season 5 of X Files, Esther Nairn is the creator of what ‘narly’ entertainment software? Answer at hak5.org/trivia for your chance at some swag!

—

Cloud backsup with Perls and Amazon S3

In this segment Jason Appelbaum shows us how to setup perl scripts to automate backups to an Amazon S3 account.

Notes

• Install ruby
• sudo apt-get install ruby
• check if ruby is installed
• ruby -v
• now get the s3sync ruby scripts
• wget http://s3.amazonaws.com/ServEdge_pub/s3sync/s3sync.tar.gz
• tar xvzf s3sync.tar.gz
• rm s3sync.tar.gz
• cd s3sync
• Create Traget directory /s3backup

Edit the s3config.yml with Access Key ID, Secret Access Key
Once that’s done we are good to go to build out our script the dump the backup files in to the traget folder the trigger the sync.

Now we have our backup script working, let drop it into the cron folder and automate this. Now you have a bullet prof backup. We Have been using it for hak5.org for sometime now and it’s saved us on more than one occasion. If you have any questions about this of any of the other segments you have seen on todays show email us and feedback@hak5.org

Segment Keywords (Comma separated): cloud backup, amazon s3, perl, perl script, s3 script, amazon s3 script, crontab, automate s3 backup, s3 backup script,

—

ARP Cache Poisoning Attacks on Windows

“We get asked a million times over if we’d demonstrate an ARP-Cache Poisoning Attack for Windows, and while we’ve covered this *WAY* back in Season 1, I figured it’s worth a refresher. Now, there are a million ways to do this in the command line with linux tools, but here in Windows we’ll be using a very simple tool called Cain & Abel. Once you’ve downloaded and installed it from www.oxid.it go ahead and fire up the sniffer by flicking the chip icon in the top left. The first time you do this you’ll be asked to select your interface. You can get back to this screen anytime by clicking Configure. I’ve selected this interface here with my IP address since it’s my wireless network card. Now I can scan the network for potential targets. Go to the sniffer tab, right-click, and select Scan Mac Addresses. I’ll stick with the default “”All hosts in my subnet”" and click OK. Now that I have a list of machines on the network I can go over the the APR tab and start the actual ARP Cache Poisoning Attack. Click the blue plus icon on the toolbar to bring up the routing dialog. Here I’ll select 10.13.37.1 on the left — that’s the router — and 10.13.37.124 on the right — that’s Darren’s machine. Click OK and the route will be loaded. Now, begin the poisoning attack by clicking the radiation icon in the top left. Immediately our poisoning attack begins. Now sit back, relax, and wait for your target to do some browsing. Once enough traffic has gone through your’ll notice Full-routing below.

So, what does all of this mean?

ARP Cache Poisoning attacks basically mean a technique used to attack a wired or wireless connection. The attacker can sniff data and send a spoofed ARP message to the LAN. So when they send that spoof message, they receive data that was intended for the router or the computer in question. It’s a man in the middle attack. Neither machine knows I exist in the middle. They just think they’re sending data like usual.

So, what tools are tickling your technolust? Send ‘em by — tips@hak5.org — and we’ll share ‘em with the world.

—

Promiscous mode Wifi cards and Hak5 cameras

DT wrote in: Is there a cheap substitute for an airpcap maybe a firmware flash on a certian wifi card? or something to run software side to work with the wifi card? or virtual appliance?

Your best bet is looking at aircrack-ng compatible cards. Everything you ever wanted to know about wireless card capabilities can be found in the links there.

Daniel wrote: What type of cameras you use for your show. What model. Thanks in advance. Keep the great show.

We’re rocking a single Panasonic AG-HMC150 and two Panasoic HMC40s. To be fair when we started out we were using a trio of the Sony DCR-HC85s. What you shoot is way more important than what you shoot on.

—

Show Notes Outro (HTML):

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Mubix of Room362 comes down to the HakHouse to share his favorite tools for analyzing packet captures and network taps. Darren’s toying around with netcat and music streaming while Shannon’s got the skinny on the latest hacks for Wii Homebrew with system menu 4.0.

Download HD Download MP4 Download XviD Download WMV

Show Notes

While Matt’s busy moving into his new house Mubix of Room362 fills in with an awesome segment on analyzing data from packet captures or live network taps using Network Miner and Net Witness.

Darren’s taking Chad’s advice and using netcat with mpg123 to stream music from the console.

Plus Shannon has the skinny on unlocking your Wii and installing homebrew even if you’re running the new System Menu 4.0.

And don’t forget to check out our latest contest at Hak5.org/yourlan where the most creative network will win cozy Hak5 gear from our newly opened HakShop

Want to bypass those nasty restrictions imposed by your corporate or university firewalls? Darren has just the trick with Internet Redirection. Ever wanted to hide secret data inside a photo? Shannon’s show us a neat steganography app. Plus Matt answers your virtualization questions!

Download HD Download MP4 Download XviD Download WMV

Show Notes

Internet Redirection

Corporate and university firewalls can be a particular PITA — especially if you’re a gamer. And while SSH tunneling (even over DNS)or VPN technologies are often preferred, it is quite possible to “bounce” your traffic off an Internet Redirection server. Like a fancy proxy, rinetd allows you to specify incoming and outgoing IP and port. It features basic client access rules based on IP and even supports logging. In my segment I demonstrate accepting traffic on port 80 and transmitting it to an IRC server on port 6667.

Granted this isn’t going to fool your more complex firewalls that actually inspect packets — but if you’re just looking to get traffic through an open port I highly recommend giving rinetd a try.

–Darren

Steghide

Download a copy of Steghide. Extract the zip.

You want to hide a file. First thing you need is a file to hide it in. Choose a file – whether that be a music file, jpeg, word document… whatever – and save it inside the steghide folder, which was extracted from the zip folder. Also, save your file that you want to hide inside that same folder as well.
Open up your command prompt and open the steghide folder directory. Open the steghide.exe file. The last few rows of type will tell you how to embed and extract your hidden file.

Embedding:
Type into the command prompt: ’steghide embed -cf file.jpg (this is your regular file) -ef hiddenfile.txt’ (this is the file you want to hide).
Choose a Passphrase and you’re done! You’ll notice the original photo or music file has changed it’s byte size now that you’ve embedded something inside it.

Extracting:
Type into the command prompt: ’steghide extract -sf file.jpg’ and enter the passphrase. Now, you’ll see the extracted hidden file appear inside the same folder.
Your done! Simple, eh?

–Shannon

Darren shows off some nifty tricks for Netcat and a targeted brute force attack dictionary generator. Matt continues his series on Virtualization with redundancy and Shannon pimps the blog with her WordPress plugin picks. Plus the results of our Monkey Contest, the Code Challenge and this weeks easter egg hunt

Download HD Download MP4 Download XviD Download WMV

Show Notes

Common User Password Profiler

The Common User Password Profiler from Remote-Exploit is a password/passphrase generator specifically targeted as an individual user. Feed it some info like names, birth dates, spouce, children and pets and it will generate individually, or along with an existing dictionary, thousands of potential passwords. Just add water, feed to your favorite brute forcer and enjoy.

From personal experience I can vouch that, while simple sounding, this would have a HIGH success rate on some of my _former_ (L)users. Administrators take note and enforce BOFH password requirements

netcat – “The Swiss-army knife for TCP/IP”

When it comes to sending and receiving TCP and UDP any which way from the console nothing is more versatile or easy to use than netcat.

With a few simple commands you can use netcat to initiate chat, file transfer or even shell access in either direction between a “server” and a “client”.

The tool can be set to listen or broadcast on any port and tied together with some shell-fu almost anything is possible.

Some listener favorites include cloning hard drives over a network with dd and netcat, tailing a log across the network, port scanning, IP redirecting, or even spoofing user-agents and referrers. Internet Explorer 22 anyone?

Digininja points to this great netcat cheat sheet (PDF 128K).

What kind of crazy stuff have you done with netcat? Feedback@hak5.org

Shannon’s WordPress Plugin Picks

Twitme

This plugin allows you to automatically post your new posts on the twitter website. This is good because the iPod and iPhone for example have a large amount of twitter clients to pick from. Your blog posts will arrive to people while they are walking the streets.

Socialite

Socialite allows your WordPress posts to publish to Twitter, Facebook, and MySpace. Each social networking site can be enabled or disabled for publishing, and each is configured separately with their own options. Support for Short URL services such as zz.gd and Tinyurl.com is also supported.

Sociable

Automatically add links to your favorite social bookmarking sites on your posts, pages and in your RSS feed. You can choose from 99 different social bookmarking sites!

MobilePress

MobilePress is a WordPress plugin that will render your WordPress blog on mobile handsets, with the ability to use customized themes. The plugin also allows specific themes for specific devices / mobile browsers, such as iPhone, Opera Mini, Windows CE Mobile and other generic handset browsers.

Resize at Upload Plus

The plugin will automatically resize an image upon upload, depending on the maximum width and height that you define. Gone are the days when you, or your client, will ruin a site’s layout by uploading a huge file with 25 megapixels. Be advised: there is no backup, no copy of the originally uploaded image.

WP-Cache 2.0

WP-Cache is an extremely efficient WordPress page caching system to make your site much faster and responsive. It works by caching Worpress pages and storing them in a static file for serving future requests directly from the file rather than loading and compiling the whole PHP code and then building the page from the database. WP-Cache allows to serve hundred of times more pages per second, and to reduce the response time from several tenths of seconds to less than a millisecond.

WordPress Backup

Backup the upload directory (images), current theme directory, and plugins directory to a zip file. Zip files optionally sent to email.

WP Security Scan

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

WP Ban

It will display a custom ban message when the banned IP, IP range, host name or referer url trys to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.

pixelstats

Count every viewer and every article view for each blog entry, no matter how and where it is read: pixelstats tracks views of each blog post or page, not only on a single article page but also on each other page where the complete article is shown, i.e. the blog front page, category pages, search result page, archive pages and even RSS fee

Thanks for watching, subscribing, and most of all supporting the show. Custom commissioned WiFi Pineapples running Jasager are still available.