This time on the show, Shannon demonstrates a novel password management technique. Darren’s explains Time Memory Trade-off and Rainbow Tables. Jason gets started programming for Windows Azure and it’s Linux in your web browser time! A PC Emulator in Javascript.

Download HD Download MP4 Download WMV

A novel approach to password management

I have about a million websites that I have to log onto day-to-day. Seriously. And with all the hype about website infiltration and stolen data, it makes me worry a bit about my own usernames and passwords. I have recently upgraded my Google Mail account to use 2-step verification, which I explained a few weeks ago in a Snubs Report, but what about my facebook? Twitter? My online banking?

These sites all say things like, ‘Password must be so-and-so characters long with at least one letter and number’, but some aren’t so secure. How will I know what sites will have a data breach? I don’t. So I use somewhat different passwords for all sites. But honestly, if someone had the balls and the time to figure out my pattern, they could probably do it. But I don’t want to download a password protection program to use on my home computer because I use several different computers and may not have access to the software or my saved encrypted passwords when I’m using a public PC.

Well, there are other options out there if you don’t want to use more software, you could use something a little less technical.

This is PasswordCard from passwordcard.org. It’s a card the size of a credit card that I can stick in my wallet and carry with me. What makes this unique is the series of random digits and letters that are included on it. The rows are different colors and the columns have a different symbol at the top. You can use this card to think up a very strong and tough password and use the colors and symbols to remember it.

Better yet, each code card is randomly generated and there are Android and iPhone apps.

So here is an example of how to use this tool:

First off, go to the website and print out your unique card. I have a laser black and white printer, but if you have a color printer I’d suggest printing in color to give you more options for remembering passwords.

You can then cut out your card and laminate it if needed. Keep the rest of the page, because it has your unique card number on it. More on that in just a bit.

Then you can choose your password. Choose a symbol and a color or row number and use the letters and numbers that are seen in that row or column.

All you have to do after that is go to your website and change your password. If you lost your PasswordCard, you can go back to the website, type in your unique card number and hit print, or pull it up on your mobile phone.
So for example, I printed out my card and I’m going to choose something I would remember. I’ll go with the music note, and number 7. So my password would be HAg8kgntQUG.

This tool is super simple to use and completely free. The website can be visited safely via HTTPS and the algorithm used to create the codes is available in case the website goes down and you need to reprint your card.

If you don’t feel safe printing a card, just download the free app off the Android Marketplace or the Apple App Store. This app will let you generate a random card or pull up your own card. It’ll also let you generate your own personal PasswordCard based on a series of random hexidecimal digits. For example, I can hit enter number, and type in a number that I have memorized. That number will always pull up my card for me to use.

If you’re worried that someone can get ahold of your unique card number, not to worry! They still wouldn’t have your actual passwords because those were created from the numbers and letters found on the card, and they could be thousands of different password combinations.

I think this is a pretty cool idea, and it’s easy enough that I could probably show my mom how to use this. So, enough of using crappy passwords!

This is just one of the tools available out there for password generation. Do you have one? Email it to me: feedback@hak5.org. Now for the haktip.”

Start programming in Windows Azure

Jason. begins a three-part mini-series on programming for Windows Azure. In this part Jason demonstrates how to get started. In coming parts Jason will develop an cloud-based application that maps Kismet KML data to a Bing map.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Darren demonstrates cracking Microsoft VPN tunnels using the MS-CHAPv2 authentication protocol using Joshua Wright’s tool ASLEAP and talks about the theory behind the attack.

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

Got a restrictive firewall blocking sites at school or work? Evade ‘em easily with your own private web proxy. Want to securely tunnel any port through an SSH session? Darren’s got just the trick. Wondering how to properly use Asleap to crack MS-CHAPv2 PPTP VPN handshakes & LM Hashes? Interested in trying out neat free enterprise applications but don’t feel like spending hours in a terminal? Try deploying a virtual appliance in minutes, the free and open source way.

Download HD Download MP4 Download XviD Download WMV

Port Tunneling and Socks5 Proxies with a Secure Shell (SSH)

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server

Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.

Usage

ssh user@server -L local-listen-port:destination-ip:destination-port

For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.

Bypassing site-blocking firewalls with your own private web proxy

The age old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course this is followed up by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can and it’s really freaking easy. In this segment Darren demonstrates PHProxy

Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes Followup from 6×12

On episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the handshake and response sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and provides you with the proper asleap command to run with the properly encoded byte sequences. Sc00bz has well documented the code, which lives now on this Hak5 forum thread. Thanks Sc00bz!

Deploying Virtual Appliances in minutes the open source way

A Virtual Appliance can be though of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at vmware’s virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for vmware, and deploy it with VirtualBox (just becasue I can).

Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

Download HD Download MP4 Download XviD Download WMV

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

PS: Check out Player2Rentals.com.

In this first episode of ’09 Dave Randolph joins us to geek out about all things video. Darren whips up a Password Cracking Cocktail and shows off a wicked fast MD5 brute force tool that harnesses the power of your Nvidia graphics card. Shannon saves the day by recovering her sisters Windows password with Ophcrack Live. And Evil Server gets his evil on while we were away on holiday.

MP4 XviD WMV

Watch

Show Notes

MD5 Brute Forcing with your graphics card

Since Nvidia released the CUDA API for Windows, Mac and Linux a number of advances have taken place in the world of brute forcing. In this episode I feature a tool by Svarychevski Michail Aleksandrovich that claims to be the world’s fastest MD5 cracker — BarsWF

Using the brute forcer with a couple Nvidia 8 series or newer graphics cards you’re able to achieve unprecidented speeds. I’ve seen claims of nearly 4 billion hashes per second with quad SLI.

CUDA has also spurred other developments, such as this NTLM brute forcer for Linux.

In my segment I go into the very basics of password cracking theory and MD5 hashes with some simple scenarios. My aim is to provide a fundamental understanding of the concepts. If you’re interested in reading more I suggest starting here.

–Darren Kitchen

Windows Password Recovery with Ophcrack Live USB

Recovering Windows Passwords coulnd’t be easier with Ophcrack Live on USB. Whether it’s your sister’s forgotten XP account or [insert other legit reason] a little USB booting and Rainbow Table loving’s got you covered.

Preparing an Ophcrack USB key is as simple as formatting your drive for FAT32 with the HP USB format tool. Downloading and launching USBOphcrack.exe and running the included batch file. The program will download a small set of rainbow tables and prepare your USB drive.

For even higher password recovering accuracy I recommend finding a larger set of Ophcrack compatible rainbow tables. Or if you’re feeling adventerous why not try out the Hak5 community rainbow tables — a whopping 120GB of NTLM goodness.

–Shannon Morse

Be sure to follow one of us on Twitter if you’ll be at CES this week. We’ll be there finding all the best hackable gadgets!

Matt shows us how to turn anything into a service and provide a web frontend to manage them windows server, great for game server administration. Chris Gerling wraps up his three part series on Packet Sniffing with Wireshark techniques for packet filtering. Darren harnesses the CPU power of the HakHouse for good or evil to demonstrate cluster computing. Plus details on our Hak5 Halloween LAN Party!
[ MP4 | XviD | WMV ]

Watch

Show Notes

Matt Lestock turns any windows application into a service using instsrv and srvany and demonstrates how we use this technique, coupled with Panel Daemon to delegate game server administration at the Hak5 playground.

Chris Gerling shows us some packet filtering techniques using the network analyzer Wireshark. He covers capture filters, display filters, colors and statistics. Read more on packet sniffing on his blog at ChrisGerling.com

Darren Kitchen talks about parallel computing. He touches on grid computing and massively parallel processors though he mainly focuses on clustering. Darren demonstrates simple windows password cracking techniques using an openMosix based image and discusses the theory behind setup. Darren has a lot of further reading for you to check out on his blog and would like to hear your feedback about building the Hak5 beowulf cluster!

And on a production note: We’ve switched over from a standard-def composite based video mixing solution to a high-def HDMI based system. Unfortunately until we get a Mac Pro and switch to Final Cut Pro for editing we’re unable to release a 720p version of Hak5. But we’re well on our way to bringing you guys truly high def technolust thanks to everyone who has continued to support this cause. Thanks!