In this HakTip from DEFCON 19 Darren is joined by Mark Wuergler of Immunity to demo Silica, a wireless security assessment tool he has been developing.

Download HD Download MP4 Download WMV

In the demo Wuergler uses Silica to launch a client side attack on an Android phone.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

I want to take a minute to tell you about BustedTees. It doesn’t matter if you’re into video games, movies, science-fiction or just wrapping your torso with something weird, BustedTees literally has you covered. You may have seen a BustedTee or two pop up in movies and TV shows. Now you can grab one for yourself. Head on over to BustedTees dot com to find the shirt of your dreams — your bizarre, hilarious dreams. Enter the promo code “HAK5” and receive 20% off your order

Today we’re continuing our discussion on wireless management frames with probe requests and responses.

Download HD Download MP4 Download WMV

Probes come in two flavors; requests and responses. Let’s begin with the request.

A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.

The information being requested in a probe includes the supported data rates, which are also included in the beacon frames typically broadcast from an access point.

The difference here being that by sending a probe request your wireless card is making an active scan of either a specific network or all networks in the area, where as simply listening for beacon frames in considered a passive scan

Today we’ll demonstrate an active scan and we’ll disect the probe requests and responses.

So this brings us to the responses. Typically when an access point hears a probe request frame, either directed at the specific access point or to all stations in the area using the broadcast SSID, it will send out a probe response.

Similar to a beacon frame, we’ll find that these probe responses contain much of the same information required for two stations to begin communicating.

To begin our demo we’ll start by once again bringing up our fake access point with airbase-ng. Start by bringing up the interface ifconfig wlan0 up and starting a monitor mode interface on channel 11 airmon-ng start wlan0 11. Now we’ll issue airbase-ng -c 11 -e haktip mon0

So to recap our configuration we have our first radio in monitor mode as interface mon0 and it is acting as an access point or base station with Airbase-ng

We’ll bring up our second wireless card in monitor mode with airmon-ng start wlan4 11 and that will create the new interface mon1 — this will be acting as our client or station.

Now if we start up wireshark& and begin sniffing our client, mon1, we’ll see all of the packets or frames going in and out of this card. 

Immediately we’ll see there are plenty of beacons in the air, which we’ve discussed in previous sessions, so let’s filter those out. And while we’re at it lets also filter our any frame that isn’t address to or from our interface with the filter wlan.addr == 00:0f:04:b2:48:68 && wlan.fc.type_subtype != 0×08

Now in the terminal let’s tell our client card to do a passive scan of the area looking for available access points. Issue iw dev wlan4 scan passive | grep SSID and we should see plenty of SSIDs. If we go back to Wireshark we’ll see there aren’t any probes or reponses. This is because our client card here is reporting all of the nearby wireless networks based on a passive scan, meaning no data was sent out. Our card was completely silent and the data compiled was done so only using what was freely available in the air — in this case beacon frames. We can, and probably will get more sophistocated with this type of silent site-survey using the tool Kismet, but for now this will suffice in demonstrating what is available without transmitting a single frame.

So finally let’s go ahead and generate some Probes. In a terminal we’ll tell our client card to make an active scan of the area using the command iwlist wlan4 scan | grep ESSID.

If we come back over to Wireshark we’ll see plenty of probe requests and probe responses. Let’s take a look at the first probe request frame.

We can tell it’s a probe request as its subtype is 0×04. The source is our NICs MAC address and the destination address is Broadcast or ff:ff:ff:ff:ff:ff, meaning this probe request is meant for everyone who can hear it.

Wireshark already knows it is a management frame and under tagged paramaters we can see our supported data rates as well as the channel. Our first probe is set to channel 1. If we add to the filter && wlan.fc.type_subtype == 0×04 we’ll see that the next probe request was on channel 2, then 3, and so on.

Now if we flip our last filter from subtype 0×04, or Probe Request, to 0×05 we’ll see all of the probe responses. And much like the beacons we’ve seen before, these frames indicate the same capability information necessary for our stations to begin communicating.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Thrillist sifts through the crap to find the best your city has to offer every day. Wanna know about a Star Wars Burlesque show, a beer garden that screens 80s flicks, or a new restaurant with a Sushi robot? Then sign up for Thrillists free daily emall at Thrillist.com/hak5

Soldering 101: Shannon builds a network tap. Perl and GraphViz for mapping twitter connections. Chrome tips and deauthing WiFi. All that and more this time on Hak5.

Download HD Download MP4 Download WMV

Perl and GraphViz for mapping twitter connections.

As you know I’m a huge fan of programming as a hobby. Picking up BASIC was one of the first major steps that led to me becoming the huge computer geek I am today. So when I saw an email from Hak5 fan Jason Cooper about his latest creation I just had to take a look.

Jason has developed a really nifty perl script that maps links between people on twitter. His first version outputs a file ready to be converted by GraphViz into a beautiful image.

I’ll demonstrate how to get started here in Linux, but this will work on any OS that supports Perl and GraphViz which is pretty much all the major platforms.

I’ve wget’d and unzip’d the twittermap code from HeckrothIndustries.co.uk

Running ./twitterMap we’re presented with the arguments. Running more on twitterMap reveals an explination of the options.

As a test I’m going to run twitterMap with –breadth-search –limit=3 –max-pages=3 –output-file=hak5darren1.map –twitterid=hak5darren

This is going to take a moment while the script combs through the last three pages of my tweets and follows back 3 levels deep through messages sent to and from the specified account.

Jason hopes to add the option to map followers in addition to messages and the option to produce word lists from tweets.

Once twitterMap finishes I’ll be left with the output file specified. If I less the output file I can see a list of twitter IDs and their relationships. The colors correspond to relationship. Red is the origin while blue represents neighbors, black third parties and orange IDs that haven’t been looked at.

Using GraphViz the output file can be converted into an image with the syntax “”fdp -o hak5darren1.png -Tpng hak5darren1.map”"

This may take a bit so while GraphViz is processing you may want to pop back over to Jason’s site and take a peek at some of his other creations – like sssDetect, which detects when you’ve been a victim of Moxie’s sslStrip tool, or a nifty catch game for the GP2X.

Once complete you’ll find a PNG file in your source directory and honestly, it looks fantastic.

This is a great example of the spring model image GraphViz is able to produce from a simple conversion file.

Thanks so much for sending this in Jason. I wasn’t even aware of GraphViz and playing with the code made my day.

So what are you hacking away at? Got any code to send my way? Hit me up — feedback@hak5.org, maybe we’ll have your program on the show.

Kerby’s I Can Haz Cheezburger Kitty of the week

halp! i not cheezburger!

Packet sniffing with a LAN Tap

Today we’re packet sniffing — and no it’s not a black hat man in the middle attack. If you’re a network administrator or anyone who has to troubleshoot network issues you should have a passive network tap in your toolkit.

A network tap is basically a piece of hardware that lets you see the data flowing across a network. In a lot of cases you can use a computer to monitor the traffic between two points on the network, say between your router and switch.

Suffice it to say, if the network between points A and B are of the physical ethernet cable variety, a “”network tap”" is the best way to take a look at the traffic. A tap has at least three ports: an A port, a B port, and a monitor port.

For example the A port could be connected to the switch providing Internet access and the B port could be connected to the computer you’d like to monitor. And the monitor port is just that- a port that lets you monitor what’s in between.

Network taps are commonly used for network intrusion detection systems, VoIP recording, network probes, and packet sniffing, along with several other uses. Taps are used in security applications because they are non-obtrusive, in most cases aren’t detectable on the network, and can deal with full-duplex connections.

In our case, this network tap will work indefinitely since it doesn’t even need power. Passive network taps are almost the same thing as a general network tap, except these do not need power, there is no built-in computer or moving parts, and it’s just a few wires and connectors that will move data from one point to another.

You can build a passive network tap for under 20 bucks from parts at your local hardware store. A while back our friend Mike Ossmann built a 5-in-1 network admin cable that could do all sorts of stuff like Serial Console, Cross-Over and part of that was a passive network tap in a sort of throwing star design. Since then the Throwing Star LAN Tap has born under the Great Scott Gadgets brand.

This little guy is a small, simple device for monitoring Ethernet communications. To the target network, the Throwing Star LAN Tap looks just like a section of cable, but the wires in the cable extend to the monitoring ports in addition to connecting one target port to the other. You can use the Star along with tcpdump or Wireshark to collect data.

Now the throwing-star comes as a kit so you’ll have to solder it together yourself, which is half the fun. The tap comes in 7 pieces, the printed circuit board, four modular connectors and two capacitors.
Normal gigabit signals travel in both directions and it’s impossible to build a completely passive tap. There are gigabit taps but they’re like 1000 bucks, so yeah – no thanks. To overcome this limitation though, the throwing star gracefully degrades the signal with these two supplied capacitors that force the connection down to 100 Mbits by adding a slight noise to the line. Unless you’re using a really really long cable this shouldn’t become an issue and in most cases the tapped device will just drop down to 100mbit without trouble.
You will also need a soldering iron, some electrical solder (i’m using rosin core solder with flux build in), and a pair of wire cutters. Insert the four connectors into the circuit board. Be careful that each of the leads extends through the circuit board before snapping the connector fully into place. Insert the two capacitors through the circuit board. Once the iron is hot, place just a bit of solder on the tip. This is called tinning, which prevents the tip from oxidizing. Oxidization is bad because the solder wont adhere to oxidized surfaces. Solder both the 8 leads on the connectors and the leads of each capacitor and clip off the excess with wire cutters. There are 36 solder points on this board, which should take just a few minutes once you get going… Ok, with the board soldered it’s time to start using it. For this part I’ve asked Darren to play the victim here and we’ll start tapping his connection.

Connect the computer to the network through the throwing star in line on ports J1 and J2. Connect another ethernet cord to J3 and/ or J4 and plug it into your computer that you’ll be sniffing packets on. One monitor port is send, the other is receive.

Next on your computer, set your ethernet adaptor to promiscious mode. To do so in Linux, type ifconfig eth0 promisc where eth0 is your ethernet adaptor. You can check that the adapter went into promiscuous mode by typing ifconfig eth0 and looking for PROMISC. Now fire up your fav packet sniffer, I’m going to use Wireshark because its built into BT5 already. Click applications> backtrack> information gathering> network analysis> net traffic analysis> wireshark. Then to start viewing traffic, click on eth0 or choose interfaces under capture and click start next to eth0. If all works you should start seeing packets being sniffed. If I want to filter say IRC, I’ll type IRC up in the filter box, click apply, and I should start seeing whatever Darren is sending.

To tap both transmit and and receive you’ll need a second ethernet adapter, like this little USB guy here. Either fire up a second instance of Wireshark or TCP Dump to tap eth0 and eth1 or bridge the connections together.

This is a must for any network geek so head over to ossmann.com for the plans on build your own, or pop by the hakshop to have one delivered right to your door.
”

Nibble: Chrome task manager

I love Chrome. You love Chrome. Well, maybe you love Opera — nothin’ wrong with that. But if a page is harshin’ on your Chrome vibe go ahead and kill it with this keyboard combo. SHIFT+ESC brings up Chrome’s built-in task manager, cluing you into all sorts of details about every tabs memory, CPU and network usage. Right-click to get even more nitty gritty, or just kill the tabs process. There’s even a “”stats for nerds”" link that’ll bring you to about:memory for more than you ever wanted to know about how that flash game’s robbing your resources. Sorry Adobe — just sayin’

You know the deal, hak5.org/nibble — keep ‘em under 8 bits.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Join modding wizard Ben Heck and friends as they build and modify a host of amazing community-inspired creations. Be sure to watch the most recent episode of The Ben Heck Show where Ben builds an Arduino-powered, exterior-mounted camera system for an off-road vehicle. The setup enables the driver to control the cameras from inside the cabin to get a better view of obstacles while driving on rugged, off-road terrain. This show about building, modding and electronics culture is brought to you exclusively by element14. Be sure to visit element14.com/tbhs for a chance to win one of Ben’s latest builds!

I’m here to tell you about a tool that will help you save time and money and make you look like a hero to clients or colleagues GoToAssist Express – by Citrix. Lets you easily resolve computer issues in real time OR after hours. Even work while your customers are away from their computers, dramatically boosting your productivity. In fact, on average, Go To Assist Express users report a 40% increase in productivity – that’s like getting 2 extra work days back a week! Try GoToAssist Express FREE for 30 Days. For this special offer visit
GoToAssist.com/hak5.

.TV is the best domain name for websites with video. If you want to build a video site or if your website has a play button, I recommend getting a .TV domain. A .TV website lets you showcase your original content and create a unique site, not just another YouTube channel. Just go to Domain.com and search for the perfect .TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%. If you need to host your .TV website, don’t forget about Domain.com’s web hosting plans. They’re less than six bucks a month and have everything you need to build, maintain, and promote your site. Remember – when you think domain names, think Domain dot com. Got a great idea? It all starts with a great domain. Domain.com

In this haktip Shannon shows us the setup and use of the cookie steeling tool Firesheep to hijack Darren’s twitter session.

Websites always make you login with a username and password, but when you’re on their page all cozy and logged in, you’re browsing insecurely on a regular old HTTP site. HTTP session hacking (called sidejacking) happens when an attacker gets the users cookie which you were transmitted when you first logged in, and they can use it to do anything you would normally do. The only way to really protect yourself from this is through SSL or HTTPS like what you see on your banking websites.

Firesheep, by Eric Butler, demonstrates how vunerable your login is. It’s a man in the middle attack firefox extension that anyone has the ability to use.

To use Firesheep, first make sure to download winpcap. Then download the browser extension and open it using firefox by dragging it into your list of extensions and add-ons. You may need to restart Firefox. Go to View–>Sidebar–>Firesheep and enable it. Now, simply click start capturing and you’ll be able to see the username and photo of anyone on your network that logs into one of the specific sites that Firesheep uses. Click on the name or photo of anyone on the list, and you are now logged in as them, with the ability to do whatever you want as them on that site. Scary huh? Luckily Twitter and Facebook have caught on to this and have enabled the ability to use HTTPS secure logins on their sites. So if you haven’t updated your settings, do it now!

This time on the show, Cookies beware! It’s Session Hijacking time. Darren reports from Automate 2011 with a 28 foot multi-touch bar. Plus, websites made easy with Kompozer, a Backtrack vs Blackbuntu review and a whole lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

SSL provider Comodo was hacked allowing attackers to obtain secure certificates for Google, Yahoo, Skype and others. comodo is claiming that the sophisticated attack against its European partner must have been “state-driven.” Comodo’s own incident reportpoints out IP addresses from Iran responsible for the attack. While simply obtaining these certificates, which have since been disabled, wouldn’t make those sites vulnerable — it would allow passwords and emails to be snooped using man-in-the-middle attacks to impersonate the legitimate sites. That would be pretty trivial to do if, say, you were Iran, which controls the nations telecommunications infrastructure.

The RSA’s SecurID systems has been hacked! The SecurID is a tool that authenticates by having you key in a password but also a series of random numbers. A few days ago the tool sent out an email to it’s users saying it was a victim of a hack that extracted certain data from the RSA’s system. Data that was directly related to their SecurID two-factor authentication tools. The RSA says it isn’t that bad, but make sure you beef up security at your company, i.e. make stronger passwords. Like that’s really going to get people to change their passwords.

Say you wanted to write your own Stuxnet like worm to attack SCADA systems? Well your job just got a lot easier. Security researcher Luigi Auriemma released proof of concept code for 34 vulnerabilities affecting SCADA systems from Siemens, Iconics, 7-Technologies and DATAC. The code, released on the bugtraq mailing list, doesn’t affect the backend systems, merely the operator platforms, however they would allow attackers to potentially crash systems, retrieve sensitive data or dig deeper into the network.

Check out those sweet Nintendo 3DS’s at your local retailer! Demo units have been available to play in stores, but they won’t let you check out the menu or the specs underneath the games that autoplay on the devices. Luckily, there is now a nice little hack to let you get into the main menu and see what lies beneath inside these awesome new toys. Check the link and give it a try.

Is your government or ISP messing with your data? In the wake of the Internet blackouts of Egypt and Libya, Google is announcing awards of at least a million dollars to Georgia Tech researchers working on tools for web users, as well as smartphones and tablets, which detect whether ISPs are adhering to service level agreements and if data is meing tampered with.

–

HakTip: Session hijacking with Firesheep

This week’s Hak Tip comes to us from Gary. Websites always make you login with a username and password, but when you’re on their page all cozy and logged in, you’re browsing insecurely on a regular old HTTP site. HTTP session hacking (called sidejacking) happens when an attacker gets the users cookie which you were transmitted when you first logged in, and they can use it to do anything you would normally do. The only way to really protect yourself from this is through SSL or HTTPS like what you see on your banking websites.

Firesheep, by Eric Butler, demonstrates how vunerable your login is. It’s a man in the middle attack firefox extension that anyone has the ability to use.

To use Firesheep, first make sure to download winpcap. Then download the browser extension and open it using firefox by dragging it into your list of extensions and add-ons. You may need to restart Firefox. Go to View–>Sidebar–>Firesheep and enable it. Now, simply click start capturing and you’ll be able to see the username and photo of anyone on your network that logs into one of the specific sites that Firesheep uses. Click on the name or photo of anyone on the list, and you are now logged in as them, with the ability to do whatever you want as them on that site. Scary huh? Luckily Twitter and Facebook have caught on to this and have enabled the ability to use HTTPS secure logins on their sites. So if you haven’t updated your settings, do it now!

Got a tip you want to share? Email them to tips@hak5.org and we’ll show them off!

–

The 28 foot multi-touch bar!

Darren reports from the Automate 2011 conference in Chicago checking out the mtBar from Crunchy Logistics and Imaging Source. This 28 foot rear diffused illumination multi-touch bar surface sports unlimited tracking of fingers and objects at 120 FPS. Darren gets the juicy details from Niel Dufva, Aaron Bitler and Brandon Hill from Crunchy Logistics, as well as John Berryman from Imaging Source.

–

Trivia!

Last week’s question was: In Season 5 of X Files, Esther Nairn is the creator of what ‘narly’ entertainment software? The answer is: Autonomous Bots in Ninjitsu Princess. This weeks question is: In what episode of the X Files can the Lone Gunmen be seen attending DefCon in Vegas? Answer at hak5.org/trivia for your chance to grab up some swag!

–

Snubs Report: Kompozer

Shannon checks out the easy web authoring tool Kompozer. Here are some of her favorite features:

• Web authoring tool
• No HTML or coding needed
• FTP Site Manager- browseable side bar and tree view (kind of like Explorer’s folder pane)
• Color Picker- Easy to use color swap, just click with your mouse.
• Tabs- Can edit several docs at once
• CSS Editor- Easy to create stylesheets
• Styler- Toolbar lets you change style instantly
• Customize toolbars
• Forms- XUL-based UI to edit forms
• Cleaner- get rid of annoying
  ‘s- make valid documents
• XFN- Can add XHTML info saying you know and trust an external link
• Visible Marks- can view carriage returns and block borders.
• Table/ Cell resizing rulers- Adjust rows and columns easily
• Automated Spellchecker

–

Road Test: Corsair Force SSD

In the words of Mr Horse: “No sir, I don’t like it”

While the Corsair Force SSD has great performance numbers, a few major annoyances are harshing on my technolust.

No SSD should BSOD Windows on S3 resume. Nor should it report “No bootable device” upon cold boot.

Sorry Corsair, I gave it a fair chance for just about a month and even with the latest firmware this thing’s a dud.

–

Emails: Computer models and Blackbuntu vs Backtrack

Victor writes: I was wondering whats the computer that you usually have in the show cause it looks really good i think i might want to get one but i don’t know the model or manufacturer.

Darren and Shannon have both recently upgraded to the 11.6″ Acer Aspire TimelineX 1830T. Darren has the Intel Core i7 version while Shannon has opted for the i3.

Prior to these Shannon was using the 9″ Acer Aspire One and the 10″ Nokia Booklet 3G while Darren has had the 7″ ASUS eee PC 701, 9″ Acer Aspire One and 15″ ASUS N53J.

Juan writes: I was watching episode 903 and at the end you mention Blackbuntu. I have use Backtrack before but have never herd of Blackbuntu I start it to poking around the internet and found not only Blackbuntu but GnackTrack too both are sort of the same idea both are base on ubuntu both use gnome and both have the standard Backtrack program suit so I was think all tree of them make for a good head to head battle or just for a review

Darren has been playing with Blackbuntu for about a week now. Prior to that he’s been using BackTrack since 3.0, but never as a primary OS. Here are some of his initial observations:

• Blackbuntu is based on ubuntu 10.10 using Gnome as the window manager and contains a similar feature set to BackTrack.
• BackTrack is more established, while Blackbuntu is on version 0.2 it’s counterpart BackTrack is nearing beta of version 5.
• BackTrack is the basis for the Offensive Security courses and certifications, which teach all sorts of pentesting and wireless attacks in both live-in-person and online learning scenarios
• In comparison to BackTrack, Blackbuntu doesn’t have much of a community. You’re more likely to find tutorials and help for BackTrack
• That said, most of what you’d do with BackTrack will run very similarly on Blackbuntu.
• The biggest strong point Blackbuntu has in my book is the fact that it’s a highly customized version of Ubuntu with Gnome, which I’m already familiar with, and to me is better suited as a primary Linux OS.
• Then again I’ve run into stability issues with Blackbuntu that have me, for the time being, switching back to Backtrack 4r2
• I’ll reassess these in the near future when BackTrack 5 debuts, which will be both 32 and 64 bit compatible, running on Ubuntu 10.04 with official support for KDE, Gnome and Fluxbox

–

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic for ask a question feel free to hit up feedback@hak5.org.

Shannon shows us how to perform arp cache poisoning attacks with ease. Jason joins us for a little cloud backup action using Perl and Amazon S3. Darren covers cracking the code: network enumeration and hash cracking, plus promiscous mode wifi cards, hacked Canon EOS firmware, and a whole lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

In a report by the University of Cali, San Diego and University of Washington, scientists have discovered ways to remotely take over your car. This hasn’t happened out in the wild just yet, but they bought a car and put it through a whole bunch of hacks. Cars now-a-days come with cellular connections and Bluetooth technology. So, a hacker could potentially remotely take over the locks, brakes, etc, or track the vehicles location.

Full Disk Encryption for both internal memory and Secure Digital cards are coming to Android by way of WhisperCore, an app from Whisper Systems. Mixie Marlinspike, co-founder and CTO of Whisper Systems demonstrated the beta of a 256bit AES encryption system on a Nexus S phone recently. WhisperCore is expected to roll out for other Android devices as a free-for-personal-use app with corporate pricing to follow. You may remember Marlinspike from such tools as sslstrip, googlesharing, and the cloud cracking service wpacracker.

Sn0wbreeze 2.3 just came out for all your Apple jailbreaking needs… or some of them at least. This tool will let you jailbreak your iphone, ipad, or ipod using iOS 4.3 on Windows, but it requires tethering. Redmond Pie, the creators of the jailbreak, say you can also use the PwnageTool if you don’t feel like using Windows.

Twitter finally jumped on the SSL bandwagon. Following in the footsteps of Facebook, and after the “OMGs my packets can be sniffed” awakening that was Firesheep, you can now use HTTPS to login to the social networking service. In fact there is even an option under account settings to always use HTTPS. Good on ya, Twitter, for making SSL an opt-in feature. In related news, SSLSTRIP still works.

Make your friends beleive you really are an Xmen! Or, close to one… The guys at the London Makerfaire 2011 , Hackerspace and Brightarcs used a Kinect to make Tesla coils react to your every move. And where did they get the idea? Oh, at the local pub of course. It’s called the Evil Genius Simulator. Win.

—

Road Test: Magic Lantern Firmware

When it comes to extending the life of your digital camera nothing does more than installing a custom rom. The Magic Lantern firmware for the t2i and the 5d Mark II has done just that for me. Even though the firmware is still in beta, after 4 monthes later it’s really proven to be a strong tool set. However it’s not for everyone, there are some downsides: sometimes the camera locksup when switch modes and requires it’s battery pulled, The menu is not perfect and can cause artifacts to remain on screen until restart. The tools that it brings to the tabel more than make up for it include audio meter, custom safe zone overlays, mic input levels and the ability to record the mic input the the on the left track while recording the on board mic the the right channel. All and I recommend, however if the idea of you camera freezing scares you it not quite ready for you just yet. However, it just came out of beta on the 13 of march and I can’t wait to try it out.

—

Cracking the Code: Network Enumeration and Hash Cracking

Darren covers how the last crack the code challenge was completed using a bit of network enumeration and hash cracking. You can download the payload and play along at home.

—

Trivia!

Last Week: This composer of Blade Runner was an inspiration to the recently released OST by Daft Punk of Tron Legacy? The answer was Vangelis. This weeks question is: In Season 5 of X Files, Esther Nairn is the creator of what ‘narly’ entertainment software? Answer at hak5.org/trivia for your chance at some swag!

—

Cloud backsup with Perls and Amazon S3

In this segment Jason Appelbaum shows us how to setup perl scripts to automate backups to an Amazon S3 account.

Notes

• Install ruby
• sudo apt-get install ruby
• check if ruby is installed
• ruby -v
• now get the s3sync ruby scripts
• wget http://s3.amazonaws.com/ServEdge_pub/s3sync/s3sync.tar.gz
• tar xvzf s3sync.tar.gz
• rm s3sync.tar.gz
• cd s3sync
• Create Traget directory /s3backup

Edit the s3config.yml with Access Key ID, Secret Access Key
Once that’s done we are good to go to build out our script the dump the backup files in to the traget folder the trigger the sync.

Now we have our backup script working, let drop it into the cron folder and automate this. Now you have a bullet prof backup. We Have been using it for hak5.org for sometime now and it’s saved us on more than one occasion. If you have any questions about this of any of the other segments you have seen on todays show email us and feedback@hak5.org

Segment Keywords (Comma separated): cloud backup, amazon s3, perl, perl script, s3 script, amazon s3 script, crontab, automate s3 backup, s3 backup script,

—

ARP Cache Poisoning Attacks on Windows

“We get asked a million times over if we’d demonstrate an ARP-Cache Poisoning Attack for Windows, and while we’ve covered this *WAY* back in Season 1, I figured it’s worth a refresher. Now, there are a million ways to do this in the command line with linux tools, but here in Windows we’ll be using a very simple tool called Cain & Abel. Once you’ve downloaded and installed it from www.oxid.it go ahead and fire up the sniffer by flicking the chip icon in the top left. The first time you do this you’ll be asked to select your interface. You can get back to this screen anytime by clicking Configure. I’ve selected this interface here with my IP address since it’s my wireless network card. Now I can scan the network for potential targets. Go to the sniffer tab, right-click, and select Scan Mac Addresses. I’ll stick with the default “”All hosts in my subnet”" and click OK. Now that I have a list of machines on the network I can go over the the APR tab and start the actual ARP Cache Poisoning Attack. Click the blue plus icon on the toolbar to bring up the routing dialog. Here I’ll select 10.13.37.1 on the left — that’s the router — and 10.13.37.124 on the right — that’s Darren’s machine. Click OK and the route will be loaded. Now, begin the poisoning attack by clicking the radiation icon in the top left. Immediately our poisoning attack begins. Now sit back, relax, and wait for your target to do some browsing. Once enough traffic has gone through your’ll notice Full-routing below.

So, what does all of this mean?

ARP Cache Poisoning attacks basically mean a technique used to attack a wired or wireless connection. The attacker can sniff data and send a spoofed ARP message to the LAN. So when they send that spoof message, they receive data that was intended for the router or the computer in question. It’s a man in the middle attack. Neither machine knows I exist in the middle. They just think they’re sending data like usual.

So, what tools are tickling your technolust? Send ‘em by — tips@hak5.org — and we’ll share ‘em with the world.

—

Promiscous mode Wifi cards and Hak5 cameras

DT wrote in: Is there a cheap substitute for an airpcap maybe a firmware flash on a certian wifi card? or something to run software side to work with the wifi card? or virtual appliance?

Your best bet is looking at aircrack-ng compatible cards. Everything you ever wanted to know about wireless card capabilities can be found in the links there.

Daniel wrote: What type of cameras you use for your show. What model. Thanks in advance. Keep the great show.

We’re rocking a single Panasonic AG-HMC150 and two Panasoic HMC40s. To be fair when we started out we were using a trio of the Sony DCR-HC85s. What you shoot is way more important than what you shoot on.

—

Show Notes Outro (HTML):

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Shannon shows us how to perform arp cache poisoning attacks with ease.

“We get asked a million times over if we’d demonstrate an ARP-Cache Poisoning Attack for Windows, and while we’ve covered this *WAY* back in Season 1, I figured it’s worth a refresher. Now, there are a million ways to do this in the command line with linux tools, but here in Windows we’ll be using a very simple tool called Cain & Abel. Once you’ve downloaded and installed it from www.oxid.it go ahead and fire up the sniffer by flicking the chip icon in the top left. The first time you do this you’ll be asked to select your interface. You can get back to this screen anytime by clicking Configure. I’ve selected this interface here with my IP address since it’s my wireless network card. Now I can scan the network for potential targets. Go to the sniffer tab, right-click, and select Scan Mac Addresses. I’ll stick with the default “”All hosts in my subnet”” and click OK. Now that I have a list of machines on the network I can go over the the APR tab and start the actual ARP Cache Poisoning Attack. Click the blue plus icon on the toolbar to bring up the routing dialog. Here I’ll select 10.13.37.1 on the left — that’s the router — and 10.13.37.124 on the right — that’s Darren’s machine. Click OK and the route will be loaded. Now, begin the poisoning attack by clicking the radiation icon in the top left. Immediately our poisoning attack begins. Now sit back, relax, and wait for your target to do some browsing. Once enough traffic has gone through your’ll notice Full-routing below.

So, what does all of this mean?

ARP Cache Poisoning attacks basically mean a technique used to attack a wired or wireless connection. The attacker can sniff data and send a spoofed ARP message to the LAN. So when they send that spoof message, they receive data that was intended for the router or the computer in question. It’s a man in the middle attack. Neither machine knows I exist in the middle. They just think they’re sending data like usual.

Hping3 is a TCP/IP packet assembler. It’s modeled after the unix ping command

Now this is just scratching the surface of what’s possible with a traffic generator like hping and a debug setup like tcpdump coupled with screen.

Darren finishes off the photo frame case mod with a little cable beautification and accent lighting. Shannon’s getting into programming without touching a line of code using the Illumination Software Creator from Radical Breeze. Plus getting crafty with packets and the hping utility, open-source dropbox alternative based on OpenSSH and Rsync, and multi-threaded steganography bruter-forcers!

Download HD Download MP4 Download WMV

Hacker Headlines

Last week we reported on nearly 60 nasty trojans hitting the Android marketplace. Google responded by delisting the publisher and used their app remote kill switch on the over quarter-million affected users. Google also released a security tool to clean up the mess. Well, said security tool has been found on an unregulated third-party Chinese marketplace injected some delicious botnet code. This one sports the ability to send text messages from the zombie’d phone.

A ‘group of hackers’ has figured out a way to scam Microsoft’s XBox Live Points by producing working character strings like the ones you get on the back of the points cards. They released the scheme on a website that would generate the codes for you! Microsoft lost about 1.2 million dollars in points, but they have since blocked the site… though, they don’t have a way of knowing who did it and they’ll probably have to redo the entire algorithm.

Just when you thought your Linux box was safe, a router-rooting bit of malware has been discovered. Once run the malware, posing as an ELF file, brute forces network routers. If successful the malware even sets up an IRC backdoor on the system. This router-rooter comes months after the Chuck Norris botnet circulated, attacking routers with default passwords.

If you visited George Hotz’s website between January 2009 and now, Sony may know about it. In a decision last Thursday, Magistrate Joseph Spero granted Sony a subpoena of PS3 jailbreaker George Hotz’s web provider for logs. Sony also won subpoenas for data on Youtube and Google. GeoHot’s provider, Bluehost, has been asked to turn over server logs, IP address logs, and just about anything pertaining to geohot.com/jailbreak.zip

Whats more fun than Gary’s Mod? How about using the Kinect to play Gary’s Mod! John B used OpenNI to gather skeletal coordinate data from the Kinect and pass it through to Gary’s Mod so he can do all the physics fun while get an exercise. How about some Gary’s Mod music videos next? With baby kittens?

—

Crack the Code Challenge

Did you have what it took to compete in our Crack The Code Challenge, brought to you by GoToAssist Express? These fine Hak5 viewers did last Sunday. Mad props go to Paul, Sork, Richard, Raging Cake, Jenkins, John and Joey, as well as our returning champions Netshroud, Leo and Tristian.

A big thanks go out to all that participated, joined the live stream and chat, and of course GoToAssist Express for sponsoring our Hak5 Lab Network. We had an overwhelming reception with more participants than virtual machines, however we’ll be increasing our capacity this week as well as getting the Thunder Kitten Assault Force involved. Stay tuned for info on the next, even bigger Crack the Code Challenge.

And be sure to tune in next week as we’ll have a detailed walk through on how the challenge was completed.

—

Illumination Software Creator

I would love to have the ability to make my own software applications without having to know any kind of coding language. But it seems like even to do something as simple as a Hello World script you still have to know at least a few lines of script.
Well… not anymore! With Illumination Software Creator, from Radical Breeze, you can write software apps without the code, by using a unique easy interface.

Requirements:
Windows- Needs Python
Works on Windows, Linus, Ubuntu, Mac, Android, and Flex

Follow directions on the Requirements page at RadicalBreeze.com. For Windows, I have to download a few python installers before it’ll work. Then go to the download page and click on your desired OS. Run through the quick download and open the Software Creator.
Simply drag and drop boxes for what you want your application to do. Then connect the boxes by the ribbons to make a full application.
I’m gonna do a really simple one. It’s going to have a popup window that says Hak5 Rules!
First, click on new project and add your boxes. I want to set some text in a message box that will pop up.
So I add the set text box and add a variable that I can re-use for several commands. The variable is called Hak5 Rules, text, and the default text is Hak5 Rules!
Under Set Text I add the Hak5 Rules to the custom text line, then for the message box I add the Variable for Hak5 Rules.
After you make your application, click run to make sure it works. Ok, I need to add the variable to the Set Text box, and now I can click Run, save it, and in a few seconds, there we have a text box that says Hak5 Rules

At first it’s a little tough to get used to if you’ve never designed an app or used code. Once you get the hang of it it’s really easy.
Email me what you think at feedback@hak5.org.

—

HakTip: Crafting packets with HPING

We’ve been talking about screen, and packet sniffers, but today I’m putting ‘em together with a new tool to craft our own packets.

Hping3 is a TCP/IP packet assembler. It’s modeled after the unix ping command — but it can do so much more. It’ll craft TCP, UDP, ICMP or even RAW-IP packets.

So here in the top screen I have tcpdump running on eth0. If I issue a ping 66.11.227.169 I’ll see that traffic.

Now let’s say I want to not just ping the server, but figure out if there’s an HTTP daemon running. For this we’ll do what’s called a half-open SYN connection.

hping -c 1 -I eth0 -s 1234 -p 80 -S 66.11.227.169

In the top screen I can see my traffic. In the bottom I get the output from hping and I can see that we sent a SYN packet and received a SYN+ACK. Since we’re not completing the three-way-handshake we never complete the connection, thus leaving it as a half-open SYN connection.

Just as an example I’m going to run the command again but this time let’s change it to port 81.

hping -c 1 -I eth0 -s 1234 -p 80 -S 66.11.227.169

And in this instance there isn’t a daemon running to answer the SYN, thus we see 1 packet sent, 0 received.

Now this is just scratching the surface of what’s possible with a traffic generator like hping and a debug setup like tcpdump coupled with screen. And of course I’m looking forward hearing about your favorite packet assemblers.

So what tips are rocking your world? Send ‘em by tips@hak5.org

In this segment Darren covers the beautification aspects of the case mod, tackling the tricky bits of cable management and accent lighting with cold cathodes. Darren reviews some of the recent case mod feedback and looks forward to hearing your ideas for future mods. Send ‘em by feedback@hak5.org

—

Trivia!

Last week’s trivia question was:
In WarGames, this character gives his name to the first computer game Lightman finds. The answer is Stephen Falken.

This week’s trivia question is:
This composer of Blade Runner was an inspiration to the recently released OST by Daft Punk of Tron Legacy?

Answer at hak5.org/trivia for your chance to win some hak5 swag!

Emails: Cluster Specs, Dropbox Alternatives and Brute Force scripts

“Jamie writes:
PLEASE tell us all the parts you use for the cluster nodes in episode 823. Please??? Love the show.”

The exact specs are ASUS P8 H67-M series motherboard, Core i5 2500K CPU, 2.5″ Scorpio Blue 250GB hard drive, and the least expensive 4GB of RAM you can find.

“You guys should work on metatagging your episodes based on what is covered and then have a search function for that… I am having all sorts of issues finding a few older episode I remember on Android… as I just a working one I want to play with it now -initialhit”

We are! In fact Paul is even cataloging our archive of segments. You may have noticed the code, game, geek, hack and IT categories on hak5.org. Stay tuned as we get all of our content cataloged over the coming weeks.

“After the last CCC I realised that you could brute force stegfiles a
Lot faster if you created multiple concurrent threads to do the work.
So, I wrote my own script to do just that. It’s definitely faster than
cypherround’s script, though not as pretty. I don’t have a website or
blog, so I pastebinned it http://pastebin.com/nLSbbF17.
Oh, and I’m really looking forward to the next CCC! –Nevermore”

Wicked! Thanks Nevermore

Tim writes: “Hey guys, I have a question about a possible dropbox alternative.

I have been using dropbox for about a year now for my paranormal research group. It has worked great for sharing casefile paperwork, evidence collections, etc.

I would invest in the pro versions to hold more space, but due to a security concern, each member of our organization has their own account and each person depending on
their position in the company gets access to certain folders, if I got pro for each person I would end up spending thousands of dollars a year (we have 20 members)

My question is could there be a better way of sharing files and synchronizing file versions instantly between users. I tried Microsuck Skydrive but I am also using some linux
machines which counts that out.”

The short answer is rsync. The longer answer will be a future segment, but
here are some links to get you started:

http://philcryer.github.com/lipsync/, https://github.com/philcryer/lipsync#readme, http://fak3r.com/geek/howto-build-your-own-open-source-dropbox-clone/, http://code.google.com/p/s3fs/wiki/FuseOverAmazon, and http://www.tarsnap.com/.

—

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Season 9 continues with the results from last weekend’s Crack the Code Challenge as well as a walkthrough on how participants were able to complete the challenge using packet analysis, file reconstruction, stenagrophy and brute force. Plus encrypted USB drives with centralized management and more from the RSA 2011 conference.

Download HD Download MP4 Download WMV

Hacker Headlines

Bummed you didn’t get your hands on one of Google’s CR-48 Chrome notebooks? The alternative Instant-On OS Splashtop Linux is now available for download. Splashtop has been previously available as a pre-installed second OS on notebooks from Acer, ASUS, Dell and others. This 1.0 release makes the trim down Linux 2.6 and X11 based OS available to the public.

Samsung has made a ROM based on Android 2.3.2 Gingerbread for the i9000 that just leaked to the net. All of the changes haven’t yet been determined, and if you don’t have an i9000 model, you still have to wait for the update on your Galaxy S devices. I’m looking forward to seeing what the users can do with the ROM now that it’s available.

Sony isn’t taking recent PlayStation3 hacks lightly, as German hacker Graf Chokolo found out when authorities raided his house earlier in the week. In a post on his Hypervisor reverse engineering blog Chokolo wrote “Sony was today at my home with police and got all my stuff and accounts.” Hours later the “Hypervisor Bible” as Chokolo puts it was released. Links have been removed to comply with legal notices, but you know nothing is ever erased from the web.

The Nintendo 3DS has been out for a day in Japan… and it’s already been hacked. The Tech-On! Group has already gotten their hands on the 3DS and torn it apart to look at all the delicious insides, including the 3D display. Along with the hardware, Ayasuke2 on Youtube has already hacked the 3DS to run R4 Cards and play unauthorized Nintendo DS games.

Getting encased in carbonite isn’t exclusive to Han Solo anymore. Attendees at the Tangible, Embedded and Embodied Interactive Conference got to scan themselves in 3D with a hacked Microsoft Kinect and print the resulting STL file using a Stratasys 3D printer.

Crack the Code Challenge

Did you have what it took to compete in our Crack The Code Challenge, brought to you by GoToAssist Express? 6 Hak5 viewers did this Sunday. Mad props go to Netshroud for being the first to crack the code, as well as Jellyfish, Jon, Alex, Leo and Tristan.

A big thanks go out to all that participated, joined the live stream and chat, and of course GoToAssist Express for sponsoring our Hak5 Lab Network. We’ll have details on the next challenge on next weeks show so be sure to tune in.

Cracking the code: PCAP file recovery and stenography

Shannon demonstrates techniques for completing the Crack the Code Challenge using Network Miner and steghide.

HakTip: Command line packet captures using Tshark

Last week we were asked about command-line packet sniffers and I recommended tcpdump and ngrep for filtering. Steve Z was quick to point out TShark, the command-line counterpart to Wireshark. With rules and filtering built in, it is quickly becoming a favorite for my packet sniffing needs. For example, issuing:

tshark -R “!(udp.port==53) and udp and ip.addr==10.73.31.55″ -i eth0

will show me just UDP packets that aren’t on port 53 to or from the address specified.

What little gems are rocking your world? Hit us up, we’ll share ‘em on the show. tips@hak5.org

Encrypted USB drives with centralized management

Darren meets with Kingston and Blockmaster to talk about their new USB management security applications.

Email: USB Passthrough

Toby writes in:

Now that I’m adhering to the “Trust Your Technolust” way of life, I figure your my best chance for a quality fix… I have an issue that I would love to see how you would resolve. I work at a non-profit food producer that provides millions of servings to feeding programs world wide every year. Were running as much open source goodness as we possibly can so that we can direct as much revenue to the feeding programs as possible. I have a VM “When-doze” terminal server running a software package that requires a usb software key. I need a (cheap or free) way (hak or bypass) to overcome the lack of ability to have non-storage USB passthrough

Darren recommends USB Redirector, a product he learned about when researching Proxmox VE.

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Never again have your curious Google searching or social networking adventures be thwarted by your school or office firewall. Darren show off free and easy ways to bypass the filters using SSH or your own homegrown web proxy.

SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.

First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.

Usage

ssh -D 8080 user@server

Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.

Usage

ssh user@server -L local-listen-port:destination-ip:destination-port

For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.