In this DEFCON 19 episode of Hak5, Darren speaks with Moxie Marlinspike on the future of authenticity and Johnny Long on the latest at Hackers For Charity.

Download HD Download MP4 Download WMV

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

There are two things IT professionals and their clients have in common, they want the job done right and they want it done fast. That’s why I highly recommend Go To Assist Express by Citrix to anyone in I.T. It puts clients at ease with its simple and secure remote support and puts you in position to do what you do best – Access, Diagnose and Resolve. Try Go To Assist Express FREE for 30 days. Visit GoToAssist.com/hak5 to see how you can deliver LIVE tech support to anyone, anywhere with GoToAssist Express.

If you want to build a video site or if your website has a play button, I recommend getting a dot TV domain. A dot TV website lets you showcase your original content and create a unique site, not just another YouTube channel.
Just go to Domain.com and search for the perfect dot TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%.
If you need to host your dot TV website, don’t forget about Domain.com’s web hosting plans. They’re less than six bucks a month and have everything you need to build, maintain, and promote your site.
Remember – when you think domain names, think Domain.com. Got a great idea? It all starts with a great domain. Domain.com

The Ben Heck Show is an all-new online-TV-series created for (and by) electronics enthusiasts, and sponsored exclusively by element14. Join Ben and friends for bi-weekly episodes as they modify and build all kinds of community-suggested gadgets. Got an idea for a mod? Then share it with Ben. Or, if you’re ready to build, we’re ready with the parts list to make it happen. Either way, be sure to tune-in at element14.com/TBHS

In this haktip Shannon shows us the setup and use of the cookie steeling tool Firesheep to hijack Darren’s twitter session.

Websites always make you login with a username and password, but when you’re on their page all cozy and logged in, you’re browsing insecurely on a regular old HTTP site. HTTP session hacking (called sidejacking) happens when an attacker gets the users cookie which you were transmitted when you first logged in, and they can use it to do anything you would normally do. The only way to really protect yourself from this is through SSL or HTTPS like what you see on your banking websites.

Firesheep, by Eric Butler, demonstrates how vunerable your login is. It’s a man in the middle attack firefox extension that anyone has the ability to use.

To use Firesheep, first make sure to download winpcap. Then download the browser extension and open it using firefox by dragging it into your list of extensions and add-ons. You may need to restart Firefox. Go to View–>Sidebar–>Firesheep and enable it. Now, simply click start capturing and you’ll be able to see the username and photo of anyone on your network that logs into one of the specific sites that Firesheep uses. Click on the name or photo of anyone on the list, and you are now logged in as them, with the ability to do whatever you want as them on that site. Scary huh? Luckily Twitter and Facebook have caught on to this and have enabled the ability to use HTTPS secure logins on their sites. So if you haven’t updated your settings, do it now!

This time on the show, Cookies beware! It’s Session Hijacking time. Darren reports from Automate 2011 with a 28 foot multi-touch bar. Plus, websites made easy with Kompozer, a Backtrack vs Blackbuntu review and a whole lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

SSL provider Comodo was hacked allowing attackers to obtain secure certificates for Google, Yahoo, Skype and others. comodo is claiming that the sophisticated attack against its European partner must have been “state-driven.” Comodo’s own incident reportpoints out IP addresses from Iran responsible for the attack. While simply obtaining these certificates, which have since been disabled, wouldn’t make those sites vulnerable — it would allow passwords and emails to be snooped using man-in-the-middle attacks to impersonate the legitimate sites. That would be pretty trivial to do if, say, you were Iran, which controls the nations telecommunications infrastructure.

The RSA’s SecurID systems has been hacked! The SecurID is a tool that authenticates by having you key in a password but also a series of random numbers. A few days ago the tool sent out an email to it’s users saying it was a victim of a hack that extracted certain data from the RSA’s system. Data that was directly related to their SecurID two-factor authentication tools. The RSA says it isn’t that bad, but make sure you beef up security at your company, i.e. make stronger passwords. Like that’s really going to get people to change their passwords.

Say you wanted to write your own Stuxnet like worm to attack SCADA systems? Well your job just got a lot easier. Security researcher Luigi Auriemma released proof of concept code for 34 vulnerabilities affecting SCADA systems from Siemens, Iconics, 7-Technologies and DATAC. The code, released on the bugtraq mailing list, doesn’t affect the backend systems, merely the operator platforms, however they would allow attackers to potentially crash systems, retrieve sensitive data or dig deeper into the network.

Check out those sweet Nintendo 3DS’s at your local retailer! Demo units have been available to play in stores, but they won’t let you check out the menu or the specs underneath the games that autoplay on the devices. Luckily, there is now a nice little hack to let you get into the main menu and see what lies beneath inside these awesome new toys. Check the link and give it a try.

Is your government or ISP messing with your data? In the wake of the Internet blackouts of Egypt and Libya, Google is announcing awards of at least a million dollars to Georgia Tech researchers working on tools for web users, as well as smartphones and tablets, which detect whether ISPs are adhering to service level agreements and if data is meing tampered with.

–

HakTip: Session hijacking with Firesheep

This week’s Hak Tip comes to us from Gary. Websites always make you login with a username and password, but when you’re on their page all cozy and logged in, you’re browsing insecurely on a regular old HTTP site. HTTP session hacking (called sidejacking) happens when an attacker gets the users cookie which you were transmitted when you first logged in, and they can use it to do anything you would normally do. The only way to really protect yourself from this is through SSL or HTTPS like what you see on your banking websites.

Firesheep, by Eric Butler, demonstrates how vunerable your login is. It’s a man in the middle attack firefox extension that anyone has the ability to use.

To use Firesheep, first make sure to download winpcap. Then download the browser extension and open it using firefox by dragging it into your list of extensions and add-ons. You may need to restart Firefox. Go to View–>Sidebar–>Firesheep and enable it. Now, simply click start capturing and you’ll be able to see the username and photo of anyone on your network that logs into one of the specific sites that Firesheep uses. Click on the name or photo of anyone on the list, and you are now logged in as them, with the ability to do whatever you want as them on that site. Scary huh? Luckily Twitter and Facebook have caught on to this and have enabled the ability to use HTTPS secure logins on their sites. So if you haven’t updated your settings, do it now!

Got a tip you want to share? Email them to tips@hak5.org and we’ll show them off!

–

The 28 foot multi-touch bar!

Darren reports from the Automate 2011 conference in Chicago checking out the mtBar from Crunchy Logistics and Imaging Source. This 28 foot rear diffused illumination multi-touch bar surface sports unlimited tracking of fingers and objects at 120 FPS. Darren gets the juicy details from Niel Dufva, Aaron Bitler and Brandon Hill from Crunchy Logistics, as well as John Berryman from Imaging Source.

–

Trivia!

Last week’s question was: In Season 5 of X Files, Esther Nairn is the creator of what ‘narly’ entertainment software? The answer is: Autonomous Bots in Ninjitsu Princess. This weeks question is: In what episode of the X Files can the Lone Gunmen be seen attending DefCon in Vegas? Answer at hak5.org/trivia for your chance to grab up some swag!

–

Snubs Report: Kompozer

Shannon checks out the easy web authoring tool Kompozer. Here are some of her favorite features:

• Web authoring tool
• No HTML or coding needed
• FTP Site Manager- browseable side bar and tree view (kind of like Explorer’s folder pane)
• Color Picker- Easy to use color swap, just click with your mouse.
• Tabs- Can edit several docs at once
• CSS Editor- Easy to create stylesheets
• Styler- Toolbar lets you change style instantly
• Customize toolbars
• Forms- XUL-based UI to edit forms
• Cleaner- get rid of annoying
  ‘s- make valid documents
• XFN- Can add XHTML info saying you know and trust an external link
• Visible Marks- can view carriage returns and block borders.
• Table/ Cell resizing rulers- Adjust rows and columns easily
• Automated Spellchecker

–

Road Test: Corsair Force SSD

In the words of Mr Horse: “No sir, I don’t like it”

While the Corsair Force SSD has great performance numbers, a few major annoyances are harshing on my technolust.

No SSD should BSOD Windows on S3 resume. Nor should it report “No bootable device” upon cold boot.

Sorry Corsair, I gave it a fair chance for just about a month and even with the latest firmware this thing’s a dud.

–

Emails: Computer models and Blackbuntu vs Backtrack

Victor writes: I was wondering whats the computer that you usually have in the show cause it looks really good i think i might want to get one but i don’t know the model or manufacturer.

Darren and Shannon have both recently upgraded to the 11.6″ Acer Aspire TimelineX 1830T. Darren has the Intel Core i7 version while Shannon has opted for the i3.

Prior to these Shannon was using the 9″ Acer Aspire One and the 10″ Nokia Booklet 3G while Darren has had the 7″ ASUS eee PC 701, 9″ Acer Aspire One and 15″ ASUS N53J.

Juan writes: I was watching episode 903 and at the end you mention Blackbuntu. I have use Backtrack before but have never herd of Blackbuntu I start it to poking around the internet and found not only Blackbuntu but GnackTrack too both are sort of the same idea both are base on ubuntu both use gnome and both have the standard Backtrack program suit so I was think all tree of them make for a good head to head battle or just for a review

Darren has been playing with Blackbuntu for about a week now. Prior to that he’s been using BackTrack since 3.0, but never as a primary OS. Here are some of his initial observations:

• Blackbuntu is based on ubuntu 10.10 using Gnome as the window manager and contains a similar feature set to BackTrack.
• BackTrack is more established, while Blackbuntu is on version 0.2 it’s counterpart BackTrack is nearing beta of version 5.
• BackTrack is the basis for the Offensive Security courses and certifications, which teach all sorts of pentesting and wireless attacks in both live-in-person and online learning scenarios
• In comparison to BackTrack, Blackbuntu doesn’t have much of a community. You’re more likely to find tutorials and help for BackTrack
• That said, most of what you’d do with BackTrack will run very similarly on Blackbuntu.
• The biggest strong point Blackbuntu has in my book is the fact that it’s a highly customized version of Ubuntu with Gnome, which I’m already familiar with, and to me is better suited as a primary Linux OS.
• Then again I’ve run into stability issues with Blackbuntu that have me, for the time being, switching back to Backtrack 4r2
• I’ll reassess these in the near future when BackTrack 5 debuts, which will be both 32 and 64 bit compatible, running on Ubuntu 10.04 with official support for KDE, Gnome and Fluxbox

–

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic for ask a question feel free to hit up feedback@hak5.org.

Season 9 Premieres with the return of Shannon “Snubs” Morse and Paul “the camera guy” Tobias. We kick around the hacker headlines, get the low-down on Nexpose from Rapid7 at RSA, automate file mangement in windows, multiplex some screen sessions, capture packets from the command line and a lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

Kinect hackers rejoice! Microsoft confirms that a Kinect SDK is coming for PC and Mac this spring, allowing developers to deal with the motion and voice sensor at a higher level than the informal Kinect hacks. The SDK will be free for personal use with a commercial version expected to follow.

Sony is threatening to permanently disconnect jail broken PlayStation 3 consoles from the PlayStation Network. Jeff Rubenstein, Sony’s Social-Media Manager wrote in his blog “To avoid this, customers must immediately cease use and remove all circumvention devices and delete all unauthorized or pirated software from their PlayStation 3 systems”

Donations have closed for the legal defense fund of George Hotz, notable iPhone jailbreaker and PS3 hacker. Sony has tied the hacker up in San Francisco federal since January court facing unspecified damages on DMCA violations. Hotz writes on his blog “I have enough to cover my legal fees for the time being.” and “For now, the best you can do is spread the word”

The latest VirtualBox 4.0.4 update adds support for Ubuntu 11.04 alpha guests. The Ubuntu Alpha, code named Natty Narwhal, introduces Unity as the default desktop session. Gnome can still be accessed as a “Ubuntu Classic Session”

Urban SQL Injection — full of win.

Crack the Code Challenge

Do you have what it takes to compete in the Crack The Code Challenge? Test your skills in our private lab network and bid for the title supreme leet hax0r. Winners will be featured on future episodes of Hak5!

Our next event will be this Sunday, February 27th at 3pm Pacific. Visit Hak5.org/challenge for all of the details. We’ll be live streaming at hak5.org/live throughout the day. We’d like to thank Citrix and GoToAssist Express for sponsoring the Crack the Code Challenge.

Rapid7′s Nexpose at RSA 2011

Darren meets with Chris Kirsch of Rapid7 to find out what’s new in Nexpose

Trivia!

Our last question was “In the Millennium Trilogy, what is the name of the hacker community?” and the answer is: “Hacker Republic”

Our new question is: “From March 5, 1975 to December 1986, this club of computer hoppyists would meet in the Silicon Valley Area.”

Participate at hak5.org/trivia

Hak5 finally goes HTTPS

Thanks to Domain.com our very own Hak5.org is finally sporting a shiny new SSL certificate. Darren recaps some of the nifty things you can do with one and recommends thawte SSL 123. Thanks Domain.com for hosting Hak5.org and sponsoring for over a year!

Automating Windows File Managment

Belvedere

What it does:
Automating file management and scripting on Windows: Belvedere.

Belvedere lets you organize any folders on your harddrive. You can create rules to move, copy, delete, rename, or open files based on name, extension, size, creation, date, and even more. So basically it’s a self-cleaner tool for Windows Only. There’s also a Mac cleaner called Hazel that you might want to check out if you are an Apple user.

It was created by Adam Pash back in ’08, and you can check out the source of this tool over at GitHub.

It’s a .exe so just install it from the download link. You can make Belvedere startup when Windows starts, but you’ll have to add it manually.

How you use it:
Belvedere is really easy to use, it’s just simple point and clicks. You create a folder, then name your rule from one of the choices, and build conditions with the drop down menus.

Belvedere gives me the ability to multitask and not worry so much about how clean my PC is.

Do you have another tool that works like Belve? Let me know at feedback@hak5.org.

HakTip: Multiplexing Screen Sessions

What’s more wicked than a screen session? Two screen sessions! As we’ve talked about recently the unix command Screen is a great way to maintain bash sessions from multiple SSH clients without losing your work. My favorite shortcut after invoking the “screen” command is CTRL+a followed by “S”, which splits the screen horizontally in two. Use CTRL+a then Tab to switch between the views. Debian users get the added sexyness of vertical split by hitting CTRL+a then Pipe.

What little gems are rocking your world? Hit us up, we’ll share ‘em with the world. tips@hak5.org

Email: Command Line Packet Sniffers

Hey, I’m in dire need of a command line linux packet sniffer. My servers are 3 hours away, and none have X11 installed. I used to use sniffit a long time ago, but it looks like they’ve added a GUI to it. Just wondering if you had any ideas off the top of your head.

Darren recommends TCPDUMP and NGREP

Have others to share? feedback@hak5.org

Sketching with the Harmony Project

Sparkleface writes in to share the Harmony Project — a nifty sketching program in HTML5. Check out the source code and more info

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Darren demonstrates a little man-in-the-middle attack using SSLStrip, an epic tool for removing that pesky encryption from your victims browsing session. Go from secure site to clear-text passwords in one simple step.

Moxie Marlinspike‘s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

Darren demonstrates cracking Microsoft VPN tunnels using the MS-CHAPv2 authentication protocol using Joshua Wright’s tool ASLEAP and talks about the theory behind the attack.

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

Download HD Download MP4 Download XviD Download WMV

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

PS: Check out Player2Rentals.com.

This time on the show Darren’s having a little man-in-the-middle fun with a demonstration os SSLStrip, an epic tool for removing that pesky encryption from your victims browsing session.

Download HD Download MP4 Download XviD Download WMV

Moxie Marlinspike‘s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

This week Shannon taps into a hidden Kindle serial port using a inty bitsy ribbon cable, a USB to Serial TTL cable and some jumpers in an attempt to hack root and finds herself upon the bootloader and nearly at a bash prompt. Darren guides you through the installation of VPN servers on Windows XP, Windows Server and Linux so you can keep your traffic secure in an encrypted tunnel while on untrusted networks.

Download HD Download MP4 Download XviD Download WMV

Hacking into the Kindle Bootloader Part 1

This week, I’m introducing the bootloader Kindle 1st gen hack.

Equipment:
Kindle 1st Generation
A computah!
USB to Serial TTL Cable
20 pin 0.5 mm flat cable
1 pin Jumper cables

Programs:
Putty

Igor Skochinsky explains how to hack into the bootloader of the Kindle very nicely on his blog, Reverse Everything. He includes screenshots, photos, and descriptions of everything you need to know to do this hack.
Part 1
Part 2

If you have any questions, you can email me at snubs@hak5.org!

Windows VPN Servers

In this segment I demonstrate setting up a VPN server in Windows XP which is rather limited at 1 concurrent connection. I also demonstrate building a Routing and Remote Access VPN server in Windows Server 2003.

Open Source VPN Server

I’m a big fan of open source. I’m also an overwhelmed systems administrator that likes easy. And when it comes to VPNs in Linux, OpenVPN is the go to solution. That’s why I’m excited about OpenVPN Access Server — an set of installation and configuration tools that simplifies rapid deployment of a VPN solution.

In this segment I demonstrate setting up this nifty, lightweight and powerful server in a typical home user scenario. I also speak to the fact that it can integrate with Active Directory via LDAP or even a RADIUS server for authentication. The web based backend makes administration a breeze and the web frontend makes client setup even easier. All the clients have to do is login to a website and download a prepackaged and configured connection app for Windows, Mac or Linux.

This package makes it incredibly easy to deploy a VPN server. But it comes at a cost. OpenVPN-AS requires a license key for each concurrent connection. Two are provided for free and additional licenses are $10 ea. Still a far cry from a windows Client Access License!

In future segments we’ll be getting our hands dirty with OpenVPN standard as well as some other interesting VPN technologies so be sure to send your feedback, requests and flames to darren@hak5.org

In this episode of Hak.5 Wess builds a mini arcade cabinet for under $100, Harrison attacks SSL with Whoppix, Darren defends himself by setting up a VPN server on XP, and Jon & Harrison take on buffer overflows with beer. Plus an interview with a Goldeneye Source developer, exclusive in-game video, and more Microshaft than you can wave a rounded IDE cable at. Special guest intro by Jenn Cutter from OpenAlpha and new theme music by Ashley Witt.

Download

Download Xvid

Watch on Youtube

Length: 34:30