Download HD Download MP4

SSH Public Key Fingerprints and known_hosts

Typical SSH Servers user 128-bit MD5 hashes as Public Key Fingerprints. These are used to verify the authenticity of a server. These key fingerprints are short sequences of bytes used to authenticate a much longer public key. Like we discussed last week regarding key pairs for user authentication, SSH servers have key pairs for server authentication.

On a Linux OpenSSH server for example these key pairs will be found in /etc/ssh/*key*. The public keys will be world readable while the private keys can only be read by a superuser.

On a Linux client for example the key fingerprints of remembered servers are stored in ~/.ssh/known_hosts. Since SSH version 4 the username and hostnames associated with these servers are hashed.

To remotely verify the key fingerprint of an SSH server

ssh-keyscan -t rsa,dsa REMOTEHOSTNAME > /tmp/ssh_host_rsa_dsa_key.pub
ssh-keygen -l -f /tmp/ssh_host_rsa_dsa_key.pub

Alternatively, on the remote server the key fingerprints can be found by:

cd /etc/ssh
ls *key*
cat ssh_host_key # this is the private key
# permission will be denied if not superuser
cat ssh_host_key.pub # this is the public key
ssh-keygen -lf ssh_host_rsa_key.pub
# field 1 = bit length of key
# field 2 = fingerprint of key
# field 3 = name of key

Setting up a Windows SSH Server with Bitvise (+ A few other software recommendations)

Setting up the SSH Server Windows Using BitVise WinSSHd

• Download BitVise

• Creating a server on laptop or pc at home...
• Auto config router (UPnP) - BAD!! No Universal Plug-n-Play
• Open Port to Any Computer
• Uncheck 'Allow Any Logon', Click add.
• Enter Username - Run 'whoami' from CMD to find out your username.
• Want to add account for a friend? Do a virtual account.

SSH Servers for Windows

FreeSSHd - http://www.freesshd.com/

• Nice but lacks advanced security controls. The server starts
  sessions with security in the context of the service itself, meaning
  since it needs to be run as administrator or system those are the
  privileges available to the users.

• Not open source so it can't be vetted, improved upon by the community
• Hasn't been updated since 2009
• Difficult to get working on Windows 7
• Free and easy to setup

Bitvise WinSSHD - http://www.bitvise.com/winsshd

• Free for non-commercial / personal use

• License costs $100, unlocks Active Directory feature for enterprises
• Easy to install and update, nice GUI
• Supports Active Directory, Kerberos or it's own user database
• Works fine in Windows 7
• Supports AES 128 and 256 bit encryption
• Not open source so it can't be vetted, improved upon by the community
• Can be configured to use Power Shell instead of CMD as the default
  shell for users

• Supports OpenSSH public key files
• Configure account and group permissions per IP and DNS
• Automation API, logging

OpenSSH for Windows - SSHWindows.sf.net

• Free, open source implementation of OpenSSH with Cygwin

• Hasn't been updated since 2004
• Enough said

Copssh - https://www.itefix.no/i2/copssh

• Package of portable OpenSSH for Cygwin

• GUI for administartion

KpyM SSH Server - http://www.kpym.com/2/kpym/index.htm

• Free, open source

• Uses Windows identification (Windows user accounts)
• Automated install and setup
• Nag screen. Single license is $35

Setting up Key Pair Authentication in Linux with OpenSSH

On the remote host:

mkdir .ssh
chmod 700 .ssh
cd .ssh

On the local host:

ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub user@host:.ssh/authorized_keys2

Back on the remote host:

ls -la authorized_keys2
chmod 600 authorized_keys2
exit

On the local host:

ssh user@host

Bonus: Transfer SSH public keys from one machine to another

Now that we've done it the long way, let's take a moment to appreciate a convenient shortcut -- ssh-copy-id.

ssh-keygen; ssh-copy-id user@host; ssh user@host

Download HD Download MP4

Before getting into public key crypto we should first take a moment to gather a basic understanding of the SSH-2 protocol layers. In a nutshell the three layers of SSH-2 are:

The first is the Transport Layer. This layer is responsible for handling key exchanges, the servers authenticity (server authentication), compression, encryption and re-keying (typically after 1 GB of traffic or 1 Hour have elapsed). We'll get into more detail on this next week when we focus on key fingerprints.

Second is the User Authentication Layer, which handles client authentication, or authentication of the user trying to log-in. This process is client driven, meaning that the connecting client chooses which method they would like to authenticate with. Accepted methods vary by server but typically these include:

• Password Authentication - we used this last week by interactively typing in our password at the prompt when logging in

• Public Key - this is the method we'll be using today and going forward
• Keyboard Interactive - a process that can be used for one-time-passwords.
• GSSAPI (Generic Security Services Application Programming Interface) - this is actually a library used by commercial vendors, usually to implement single-sign-on services in enterprises and integrating with existing security services such as NTLM or Kerberos.

Finally there is the Connection Layer. This layer defines the channels, or asymmetric communications supported by SSH, including:

• Shell Channel for Shells, SFTP, SCP
• Direct-TCP/IP Channel for Client-to-Server forwards
• Forwarded-TCP/IP Channel for Server-to-Client forwards

Understanding Public Key Cryptography

Authentication via Asymmetric Key Cryptography (aka Public Key Crypto) is the method for generating a key pair -- both public and private (aka secret) -- and publishing one or the other in order to initiate secure communication. In our example we'll be protecting our private key on the client while publishing the public key on the SSH server. With this setup anything encrypted with the public key can be decrypted with our own private key. The oversimplification of this is that the key pairs are linked mathmatically allowing for encryption with the public key and decryption with the private key. The idea is that it's impractical to figure out the private key based on only knowledge of the public key. This is the basis for SSL, PGP, GPG, Bitcoin and many other protocols.

SSH-2 supports at least two methods for Public Key authentication

• RSA Key Pairs, which are named after creators Rivest, Shamir and Adleman and published in 1978 is an algorithm based on the difficulty of factoring large integers. Again the oversimplification is that the public key is based on the product of two large primes (along with an aux value) and the private key is derived from prime factors used to create the public key.

• DSA Key Pairs, or Digital Signature Algorithm, have been a Federal Information Processing Standard since 1993. Originally pantented by former NSA employee David Kravitz this technology is now freely available for anyone to use worldwide.

Setting up a Linux OpenSSH Server
On a Debian based Linux machine setting up ssh can be as simple as issuing "sudo apt-get install ssh". In this segment Darren goes over some of the configuration lines you would find useful to modify in /etc/ssh/sshd_config.

AllowTcpForwarding yes
GatewayPorts       yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
AllowUsers bob alice
PermitRootLogin no
Protocol 2
Port 222
LoginGraceTime 1m
ListenAddress
ClientAliveInterval 60
ClientAliveCountMax 0

Be sure to restart the SSH deamon after editing the configuration. stop ssh;start ssh;service ssh restart;/etc/init.d/ssh restart #one of these should do it! :)

SSH Key Authentication On Windows with Putty for a Linux Server

This'll create key pair- an authorization to log on to server for authentication. Begin by downloading the Putty KeyGen tool. Click Generate and move mouse to generate key pair, and save both. Now open the server via Putty.

On the server go ahead and create a user if you haven't already done so. Typically this is achieved using the "adduser username" then "passwd username" commands.

Now, while logged in as your user, make a directory called .ssh in the your home. For example "mkdir ~/.ssh"

You'll want to change the mode to 700 so that only you have access to it. In the world of Unix there are 3 levels of permissions for files and directories. The Owner, Groups and World (everyone). The first 10 characters are the file's attributes. The first character represents what type of file it is. If it's a dash (-) it's a regular file. A (d) represents a directory, and there are a few others for special stuff like symbolic links. The next 9 characters specify the Read (r), Write (w) and Execute (x) permissions for the file's Owner, Groups and World (everyone). Change the mode of the directory with "chmod 700 .ssh/" The "chmod" command stands for Change Mode and allows you to easily modify a file or directory's permissions. Chmod will accept an octal representation of the modes. We're not going to get into them all but in this case 700 changes the file to be Readable, Writeable and Executable by the file's Owner, and nothing else for any Groups and the World.

Next change to the newly created directory with "cd .ssh" and create a file called authorized_keys2 with the public key on one line saved in file. Add ""ssh-rsa "" to the beginning.

Finally you'll want to again change the mode of the file so that only you can read and write to it. In this case the command would be "chmod 600 authorized_key2".

Now back on the Windows machine ppen pageant.exe and select 'add key'. Add the private key created in the initial setup. Pageant works as a passphrase keeper. With Pageant in memory and your private key loaded go ahead and test your connection. Just as before login with putty being sure to include "username@" before the hostname in the connection dialog.

You should now login without a password needed! Hooray! ]]> http://Hak5.org/episodes/hak5-1109/feed 8 http://Hak5.org/episodes/hak5-1104 http://Hak5.org/episodes/hak5-1104#comments Thu, 15 Mar 2012 06:35:52 +0000 Jason http://Hak5.org/?p=4598 ]]>

This time on the show, maintaining persistence and privacy on IRC with your very own bouncer - Darren explains. Then setting up simple 2-factor authentication in Windows. Plus why VIM is better than VI, or was that Emacs? All that and much more this time on Hak5!

Download HD Download MP4

Whether you're a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let's not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org. ]]> http://Hak5.org/episodes/hak5-1104/feed 4 http://Hak5.org/episodes/hak5-1001 http://Hak5.org/episodes/hak5-1001#comments Sat, 27 Aug 2011 01:02:47 +0000 Jason http://Hak5.org/?p=4040 ]]>

In this DEFCON 19 episode of Hak5, Darren speaks with Moxie Marlinspike on the future of authenticity and Johnny Long on the latest at Hackers For Charity.

Download HD Download MP4 Download WMV

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

There are two things IT professionals and their clients have in common, they want the job done right and they want it done fast. That’s why I highly recommend Go To Assist Express by Citrix to anyone in I.T. It puts clients at ease with its simple and secure remote support and puts you in position to do what you do best – Access, Diagnose and Resolve. Try Go To Assist Express FREE for 30 days. Visit GoToAssist.com/hak5 to see how you can deliver LIVE tech support to anyone, anywhere with GoToAssist Express.

If you want to build a video site or if your website has a play button, I recommend getting a dot TV domain. A dot TV website lets you showcase your original content and create a unique site, not just another YouTube channel.
Just go to Domain.com and search for the perfect dot TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%.
If you need to host your dot TV website, don’t forget about Domain.com’s web hosting plans. They’re less than six bucks a month and have everything you need to build, maintain, and promote your site.
Remember – when you think domain names, think Domain.com. Got a great idea? It all starts with a great domain. Domain.com

The Ben Heck Show is an all-new online-TV-series created for (and by) electronics enthusiasts, and sponsored exclusively by element14. Join Ben and friends for bi-weekly episodes as they modify and build all kinds of community-suggested gadgets. Got an idea for a mod? Then share it with Ben. Or, if you’re ready to build, we’re ready with the parts list to make it happen. Either way, be sure to tune-in at element14.com/TBHS

In this haktip Shannon shows us the setup and use of the cookie steeling tool Firesheep to hijack Darren’s twitter session.

Websites always make you login with a username and password, but when you’re on their page all cozy and logged in, you’re browsing insecurely on a regular old HTTP site. HTTP session hacking (called sidejacking) happens when an attacker gets the users cookie which you were transmitted when you first logged in, and they can use it to do anything you would normally do. The only way to really protect yourself from this is through SSL or HTTPS like what you see on your banking websites.

Firesheep, by Eric Butler, demonstrates how vunerable your login is. It’s a man in the middle attack firefox extension that anyone has the ability to use.

To use Firesheep, first make sure to download winpcap. Then download the browser extension and open it using firefox by dragging it into your list of extensions and add-ons. You may need to restart Firefox. Go to View–>Sidebar–>Firesheep and enable it. Now, simply click start capturing and you’ll be able to see the username and photo of anyone on your network that logs into one of the specific sites that Firesheep uses. Click on the name or photo of anyone on the list, and you are now logged in as them, with the ability to do whatever you want as them on that site. Scary huh? Luckily Twitter and Facebook have caught on to this and have enabled the ability to use HTTPS secure logins on their sites. So if you haven’t updated your settings, do it now!

This time on the show, Cookies beware! It’s Session Hijacking time. Darren reports from Automate 2011 with a 28 foot multi-touch bar. Plus, websites made easy with Kompozer, a Backtrack vs Blackbuntu review and a whole lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

SSL provider Comodo was hacked allowing attackers to obtain secure certificates for Google, Yahoo, Skype and others. comodo is claiming that the sophisticated attack against its European partner must have been “state-driven.” Comodo’s own incident reportpoints out IP addresses from Iran responsible for the attack. While simply obtaining these certificates, which have since been disabled, wouldn’t make those sites vulnerable — it would allow passwords and emails to be snooped using man-in-the-middle attacks to impersonate the legitimate sites. That would be pretty trivial to do if, say, you were Iran, which controls the nations telecommunications infrastructure.

The RSA’s SecurID systems has been hacked! The SecurID is a tool that authenticates by having you key in a password but also a series of random numbers. A few days ago the tool sent out an email to it’s users saying it was a victim of a hack that extracted certain data from the RSA’s system. Data that was directly related to their SecurID two-factor authentication tools. The RSA says it isn’t that bad, but make sure you beef up security at your company, i.e. make stronger passwords. Like that’s really going to get people to change their passwords.

Say you wanted to write your own Stuxnet like worm to attack SCADA systems? Well your job just got a lot easier. Security researcher Luigi Auriemma released proof of concept code for 34 vulnerabilities affecting SCADA systems from Siemens, Iconics, 7-Technologies and DATAC. The code, released on the bugtraq mailing list, doesn’t affect the backend systems, merely the operator platforms, however they would allow attackers to potentially crash systems, retrieve sensitive data or dig deeper into the network.

Check out those sweet Nintendo 3DS’s at your local retailer! Demo units have been available to play in stores, but they won’t let you check out the menu or the specs underneath the games that autoplay on the devices. Luckily, there is now a nice little hack to let you get into the main menu and see what lies beneath inside these awesome new toys. Check the link and give it a try.

Is your government or ISP messing with your data? In the wake of the Internet blackouts of Egypt and Libya, Google is announcing awards of at least a million dollars to Georgia Tech researchers working on tools for web users, as well as smartphones and tablets, which detect whether ISPs are adhering to service level agreements and if data is meing tampered with.

–

HakTip: Session hijacking with Firesheep

This week’s Hak Tip comes to us from Gary. Websites always make you login with a username and password, but when you’re on their page all cozy and logged in, you’re browsing insecurely on a regular old HTTP site. HTTP session hacking (called sidejacking) happens when an attacker gets the users cookie which you were transmitted when you first logged in, and they can use it to do anything you would normally do. The only way to really protect yourself from this is through SSL or HTTPS like what you see on your banking websites.

Firesheep, by Eric Butler, demonstrates how vunerable your login is. It’s a man in the middle attack firefox extension that anyone has the ability to use.

To use Firesheep, first make sure to download winpcap. Then download the browser extension and open it using firefox by dragging it into your list of extensions and add-ons. You may need to restart Firefox. Go to View–>Sidebar–>Firesheep and enable it. Now, simply click start capturing and you’ll be able to see the username and photo of anyone on your network that logs into one of the specific sites that Firesheep uses. Click on the name or photo of anyone on the list, and you are now logged in as them, with the ability to do whatever you want as them on that site. Scary huh? Luckily Twitter and Facebook have caught on to this and have enabled the ability to use HTTPS secure logins on their sites. So if you haven’t updated your settings, do it now!

Got a tip you want to share? Email them to tips@hak5.org and we’ll show them off!

–

The 28 foot multi-touch bar!

Darren reports from the Automate 2011 conference in Chicago checking out the mtBar from Crunchy Logistics and Imaging Source. This 28 foot rear diffused illumination multi-touch bar surface sports unlimited tracking of fingers and objects at 120 FPS. Darren gets the juicy details from Niel Dufva, Aaron Bitler and Brandon Hill from Crunchy Logistics, as well as John Berryman from Imaging Source.

–

Trivia!

Last week’s question was: In Season 5 of X Files, Esther Nairn is the creator of what ‘narly’ entertainment software? The answer is: Autonomous Bots in Ninjitsu Princess. This weeks question is: In what episode of the X Files can the Lone Gunmen be seen attending DefCon in Vegas? Answer at hak5.org/trivia for your chance to grab up some swag!

–

Snubs Report: Kompozer

Shannon checks out the easy web authoring tool Kompozer. Here are some of her favorite features:

• Web authoring tool
• No HTML or coding needed
• FTP Site Manager- browseable side bar and tree view (kind of like Explorer’s folder pane)
• Color Picker- Easy to use color swap, just click with your mouse.
• Tabs- Can edit several docs at once
• CSS Editor- Easy to create stylesheets
• Styler- Toolbar lets you change style instantly
• Customize toolbars
• Forms- XUL-based UI to edit forms
• Cleaner- get rid of annoying
  ‘s- make valid documents
• XFN- Can add XHTML info saying you know and trust an external link
• Visible Marks- can view carriage returns and block borders.
• Table/ Cell resizing rulers- Adjust rows and columns easily
• Automated Spellchecker

–

Road Test: Corsair Force SSD

In the words of Mr Horse: “No sir, I don’t like it”

While the Corsair Force SSD has great performance numbers, a few major annoyances are harshing on my technolust.

No SSD should BSOD Windows on S3 resume. Nor should it report “No bootable device” upon cold boot.

Sorry Corsair, I gave it a fair chance for just about a month and even with the latest firmware this thing’s a dud.

–

Emails: Computer models and Blackbuntu vs Backtrack

Victor writes: I was wondering whats the computer that you usually have in the show cause it looks really good i think i might want to get one but i don’t know the model or manufacturer.

Darren and Shannon have both recently upgraded to the 11.6″ Acer Aspire TimelineX 1830T. Darren has the Intel Core i7 version while Shannon has opted for the i3.

Prior to these Shannon was using the 9″ Acer Aspire One and the 10″ Nokia Booklet 3G while Darren has had the 7″ ASUS eee PC 701, 9″ Acer Aspire One and 15″ ASUS N53J.

Juan writes: I was watching episode 903 and at the end you mention Blackbuntu. I have use Backtrack before but have never herd of Blackbuntu I start it to poking around the internet and found not only Blackbuntu but GnackTrack too both are sort of the same idea both are base on ubuntu both use gnome and both have the standard Backtrack program suit so I was think all tree of them make for a good head to head battle or just for a review

Darren has been playing with Blackbuntu for about a week now. Prior to that he’s been using BackTrack since 3.0, but never as a primary OS. Here are some of his initial observations:

• Blackbuntu is based on ubuntu 10.10 using Gnome as the window manager and contains a similar feature set to BackTrack.
• BackTrack is more established, while Blackbuntu is on version 0.2 it’s counterpart BackTrack is nearing beta of version 5.
• BackTrack is the basis for the Offensive Security courses and certifications, which teach all sorts of pentesting and wireless attacks in both live-in-person and online learning scenarios
• In comparison to BackTrack, Blackbuntu doesn’t have much of a community. You’re more likely to find tutorials and help for BackTrack
• That said, most of what you’d do with BackTrack will run very similarly on Blackbuntu.
• The biggest strong point Blackbuntu has in my book is the fact that it’s a highly customized version of Ubuntu with Gnome, which I’m already familiar with, and to me is better suited as a primary Linux OS.
• Then again I’ve run into stability issues with Blackbuntu that have me, for the time being, switching back to Backtrack 4r2
• I’ll reassess these in the near future when BackTrack 5 debuts, which will be both 32 and 64 bit compatible, running on Ubuntu 10.04 with official support for KDE, Gnome and Fluxbox

–

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic for ask a question feel free to hit up feedback@hak5.org.

Season 9 Premieres with the return of Shannon “Snubs” Morse and Paul “the camera guy” Tobias. We kick around the hacker headlines, get the low-down on Nexpose from Rapid7 at RSA, automate file mangement in windows, multiplex some screen sessions, capture packets from the command line and a lot more.

Download HD Download MP4 Download WMV

Hacker Headlines

Kinect hackers rejoice! Microsoft confirms that a Kinect SDK is coming for PC and Mac this spring, allowing developers to deal with the motion and voice sensor at a higher level than the informal Kinect hacks. The SDK will be free for personal use with a commercial version expected to follow.

Sony is threatening to permanently disconnect jail broken PlayStation 3 consoles from the PlayStation Network. Jeff Rubenstein, Sony’s Social-Media Manager wrote in his blog “To avoid this, customers must immediately cease use and remove all circumvention devices and delete all unauthorized or pirated software from their PlayStation 3 systems”

Donations have closed for the legal defense fund of George Hotz, notable iPhone jailbreaker and PS3 hacker. Sony has tied the hacker up in San Francisco federal since January court facing unspecified damages on DMCA violations. Hotz writes on his blog “I have enough to cover my legal fees for the time being.” and “For now, the best you can do is spread the word”

The latest VirtualBox 4.0.4 update adds support for Ubuntu 11.04 alpha guests. The Ubuntu Alpha, code named Natty Narwhal, introduces Unity as the default desktop session. Gnome can still be accessed as a “Ubuntu Classic Session”

Urban SQL Injection — full of win.

Crack the Code Challenge

Do you have what it takes to compete in the Crack The Code Challenge? Test your skills in our private lab network and bid for the title supreme leet hax0r. Winners will be featured on future episodes of Hak5!

Our next event will be this Sunday, February 27th at 3pm Pacific. Visit Hak5.org/challenge for all of the details. We’ll be live streaming at hak5.org/live throughout the day. We’d like to thank Citrix and GoToAssist Express for sponsoring the Crack the Code Challenge.

Rapid7′s Nexpose at RSA 2011

Darren meets with Chris Kirsch of Rapid7 to find out what’s new in Nexpose

Trivia!

Our last question was “In the Millennium Trilogy, what is the name of the hacker community?” and the answer is: “Hacker Republic”

Our new question is: “From March 5, 1975 to December 1986, this club of computer hoppyists would meet in the Silicon Valley Area.”

Participate at hak5.org/trivia

Hak5 finally goes HTTPS

Thanks to Domain.com our very own Hak5.org is finally sporting a shiny new SSL certificate. Darren recaps some of the nifty things you can do with one and recommends thawte SSL 123. Thanks Domain.com for hosting Hak5.org and sponsoring for over a year!

Automating Windows File Managment

Belvedere

What it does:
Automating file management and scripting on Windows: Belvedere.

Belvedere lets you organize any folders on your harddrive. You can create rules to move, copy, delete, rename, or open files based on name, extension, size, creation, date, and even more. So basically it’s a self-cleaner tool for Windows Only. There’s also a Mac cleaner called Hazel that you might want to check out if you are an Apple user.

It was created by Adam Pash back in ’08, and you can check out the source of this tool over at GitHub.

It’s a .exe so just install it from the download link. You can make Belvedere startup when Windows starts, but you’ll have to add it manually.

How you use it:
Belvedere is really easy to use, it’s just simple point and clicks. You create a folder, then name your rule from one of the choices, and build conditions with the drop down menus.

Belvedere gives me the ability to multitask and not worry so much about how clean my PC is.

Do you have another tool that works like Belve? Let me know at feedback@hak5.org.

HakTip: Multiplexing Screen Sessions

What’s more wicked than a screen session? Two screen sessions! As we’ve talked about recently the unix command Screen is a great way to maintain bash sessions from multiple SSH clients without losing your work. My favorite shortcut after invoking the “screen” command is CTRL+a followed by “S”, which splits the screen horizontally in two. Use CTRL+a then Tab to switch between the views. Debian users get the added sexyness of vertical split by hitting CTRL+a then Pipe.

What little gems are rocking your world? Hit us up, we’ll share ‘em with the world. tips@hak5.org

Email: Command Line Packet Sniffers

Hey, I’m in dire need of a command line linux packet sniffer. My servers are 3 hours away, and none have X11 installed. I used to use sniffit a long time ago, but it looks like they’ve added a GUI to it. Just wondering if you had any ideas off the top of your head.

Darren recommends TCPDUMP and NGREP

Have others to share? feedback@hak5.org

Sketching with the Harmony Project

Sparkleface writes in to share the Harmony Project — a nifty sketching program in HTML5. Check out the source code and more info

Keep up with the latest on Hak5 by following us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up feedback@hak5.org.

Darren demonstrates a little man-in-the-middle attack using SSLStrip, an epic tool for removing that pesky encryption from your victims browsing session. Go from secure site to clear-text passwords in one simple step.

Moxie Marlinspike‘s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

Darren demonstrates cracking Microsoft VPN tunnels using the MS-CHAPv2 authentication protocol using Joshua Wright’s tool ASLEAP and talks about the theory behind the attack.

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

Continuing with the VPN Series, Darren discusses the inherent weaknesses in Microsoft’s PPTP authentication protocol, MS-CHAPv2, and demos a Linux tool that exploits these weaknesses.

Download HD Download MP4 Download XviD Download WMV

Continuing on with our VPN series I find it important to highlight the weaknesses in the protocols we have talked about thus far. In my last segment I highlighted a tool that allows an attacker to easily hijack an SSL session using a man-in-the-middle attack. Couple this with Adito (aka OpenVPN-ALS), my favorite open-source SSL VPN server, and you can see the problem.

But what about the basic Microsoft VPN we setup a few weeks back? The VPN servers that we setup on Windows XP and Server 2003 used either active directory or local windows accounts to authenticate users.

And looking back at our discussions on pwdump, rainbow tables and the like you’ll remember the inherent weaknesses in Windows account credentials.

There are two ways Windows stores a user’s account credentials, or password. LAN Manager hashes which are comprised of watered-down weaksauce and NTLM which are succeptable to time-memory tradeoff attacks.

The default VPN server implemented in Windows XP and Server 2003′s Routing and Remote Access service uses Point-To-Point-Tunneling-Protocol. This is convenient because the Windows clients have supported Microsoft PPTP VPN connections natively since 2000, and in Windows 95/98 with Dual Up Networking version 1.3.

The modern authentication protocol of Microsoft’s PPTP is MS-CHAPv2. This Challenge Handshake Authentication Protocol suffers from inherent weaknesses.

As far back at 1999 these weaknesses have been widely known. If you’re interested in reading more on the cryptanalysis of MS-CHAPv2 there’s a nifty paper written by Bruce Schneier and L0pht that I’ll link in the show notes.

And while other options exist such as Radius, this is still the default option for PPTP authentication in Windows environments.

Joshua Wright, author of coWPAtty (See our segment here), released in 2004 a proof of concept tool to demonstrate weaknesses in LEAP and PPTP protocols.

This tool, ASLEAP, was updated in 2007 to include an option to just crack MS-CHAP v2. Either by examining a packet capture that includes a MS-CHAP handshake ASLEAP or specifying an MS-CHAP challenge and response ASLEAP is able to deduce the username and last two bytes of the NT hash. Using this information, and a dictionary file, ASLEAP is able to brute-force the hash.

PS: Check out Player2Rentals.com.

This time on the show Darren’s having a little man-in-the-middle fun with a demonstration os SSLStrip, an epic tool for removing that pesky encryption from your victims browsing session.

Download HD Download MP4 Download XviD Download WMV

Moxie Marlinspike‘s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.