This time on the show, Shannon demonstrates a novel password management technique. Darren’s explains Time Memory Trade-off and Rainbow Tables. Jason gets started programming for Windows Azure and it’s Linux in your web browser time! A PC Emulator in Javascript.

Download HD Download MP4 Download WMV

A novel approach to password management

I have about a million websites that I have to log onto day-to-day. Seriously. And with all the hype about website infiltration and stolen data, it makes me worry a bit about my own usernames and passwords. I have recently upgraded my Google Mail account to use 2-step verification, which I explained a few weeks ago in a Snubs Report, but what about my facebook? Twitter? My online banking?

These sites all say things like, ‘Password must be so-and-so characters long with at least one letter and number’, but some aren’t so secure. How will I know what sites will have a data breach? I don’t. So I use somewhat different passwords for all sites. But honestly, if someone had the balls and the time to figure out my pattern, they could probably do it. But I don’t want to download a password protection program to use on my home computer because I use several different computers and may not have access to the software or my saved encrypted passwords when I’m using a public PC.

Well, there are other options out there if you don’t want to use more software, you could use something a little less technical.

This is PasswordCard from passwordcard.org. It’s a card the size of a credit card that I can stick in my wallet and carry with me. What makes this unique is the series of random digits and letters that are included on it. The rows are different colors and the columns have a different symbol at the top. You can use this card to think up a very strong and tough password and use the colors and symbols to remember it.

Better yet, each code card is randomly generated and there are Android and iPhone apps.

So here is an example of how to use this tool:

First off, go to the website and print out your unique card. I have a laser black and white printer, but if you have a color printer I’d suggest printing in color to give you more options for remembering passwords.

You can then cut out your card and laminate it if needed. Keep the rest of the page, because it has your unique card number on it. More on that in just a bit.

Then you can choose your password. Choose a symbol and a color or row number and use the letters and numbers that are seen in that row or column.

All you have to do after that is go to your website and change your password. If you lost your PasswordCard, you can go back to the website, type in your unique card number and hit print, or pull it up on your mobile phone.
So for example, I printed out my card and I’m going to choose something I would remember. I’ll go with the music note, and number 7. So my password would be HAg8kgntQUG.

This tool is super simple to use and completely free. The website can be visited safely via HTTPS and the algorithm used to create the codes is available in case the website goes down and you need to reprint your card.

If you don’t feel safe printing a card, just download the free app off the Android Marketplace or the Apple App Store. This app will let you generate a random card or pull up your own card. It’ll also let you generate your own personal PasswordCard based on a series of random hexidecimal digits. For example, I can hit enter number, and type in a number that I have memorized. That number will always pull up my card for me to use.

If you’re worried that someone can get ahold of your unique card number, not to worry! They still wouldn’t have your actual passwords because those were created from the numbers and letters found on the card, and they could be thousands of different password combinations.

I think this is a pretty cool idea, and it’s easy enough that I could probably show my mom how to use this. So, enough of using crappy passwords!

This is just one of the tools available out there for password generation. Do you have one? Email it to me: feedback@hak5.org. Now for the haktip.”

Start programming in Windows Azure

Jason. begins a three-part mini-series on programming for Windows Azure. In this part Jason demonstrates how to get started. In coming parts Jason will develop an cloud-based application that maps Kismet KML data to a Bing map.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

We’re getting promiscuous, with wireless cards! As part of our foundation series of HakTips Darren covers the fundamentals of wireless packet sniffing with a practical approach in BackTrack Linux using the Aircrack-ng suite.

Download HD Download MP4 Download WMV

Let’s think about network traffic as a cocktail party. Picture Alice and Bob on the love seat chatting it up while Charlie is deep in conversation with Dave at the bar. Meanwhile, Eve is nearby sipping a Hendrix Martini listening in on everyone’s conversations.

You see, in order for Alice to send a message to Bob she has to address it to him by his network interfaces MAC address — or Media Access Control Address. This address is unique every network interface on the planet. Bob’s is going to be different from Charlie’s, Dave’s or anyone else.

On a hub based network, Alice’s message is heard by all. But by default when Charlie or Dave hear a message addressed to a mac address other their own, their network interface will drop the frame completely.

This is where promiscuous mode comes into play. If Eve’s network interface is in promiscuous mode she doesn’t drop frames not addressed to her. This is great for packet sniffing, say if Eve was a network administrator attempting to debug a faulty network. Likewise, if Eve had malicious intent the same applies to eavesdropping.

Now promiscuous mode assumes a hub based network. Switches thwart this by only sending messages to their intended recipients instead of everyone.

Which brings us to Monitor mode. Monitor mode, or RFMON for Radio Frequency Monitor, is one of six modes that wireless network interfaces can assume. Similar to Promiscuous mode, Monitor mode allows the wireless network interface to “sniff packets” not intended for it.

Unline promiscuous mode however, an interface in monitor mode can sniff packets from access points it isn’t even associated with. Again this is great for, say, an administrator troubleshooting a network, or on the darker side for malicious purposes such as eavesdropping and cracking encrypted networks.

What program or command is giving you warm fuzzies? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.

This week Shannon is bypassing NSFW filters while Darren goes sniffing for packets in all the wrong places.

Download HD Download MP4 Download XviD Download WMV

Darren takes Android WiFi Tether and Shark for a spin and ends up learning an important geography lesson.

Shannon is demonstrating a few techniques to detecting NSFW links and bypassing potential work filters with a few web tools, including: LongURL.com, PDFmyURL.com, Aviary.com and Variably Safe For Work.

—

You’re Invited to Hak5’s Birthday!

Join us to celebrate 5 years of technolust at the Hotsy Totsy Club – an Albany institution since 1939! Come for drinks, pool, shuffleboard and a live performance from nerdcore sensation, Eighty of Dual Core! 21+. No cover. Street parking. 7 blocks from El Cerrito BART. WiFi. Taco’s Autlense Taco Truck parked in lot. Need we say more?

Saturday, August 14th at 7:00 PM
Hotsy Totsy Club
601 San Pablo Ave.
Albany, CA 94706

RSVP now via Facebook – can’t wait to celebrate the grand years of old school hacking with you!

If you want to know the latest on Hak5 be sure to follow us on Twitter or Facebook.

Also, now is also a great time to grab some swag from the HakShop – including the new airport friendly WiFi Pineapple with free world-wide shipping.

And finally if you’d like to suggest a topic for a future show feel free to hit up feedback@hak5.org

Darren is playing with the latest version of BackTrack linux, setting up a persistant USB boot drive that’ll keep your files and settings consistent after a restart. Shannon is back at the ZipIt checking out the “Average User” userland image and connecting to WPA protected wireless networks.

Download HD Download MP4 Download XviD Download WMV

Create a BackTrack 4 persistent USB drive

BackTrack is widely considered the complete hacker boot disc. Born out of WHAX this security sharp linux distro has been years in the making, and finally version 4 final is out.

One of the best ways to experience BackTrack 4 (BT4) is by creating a USB boot drive. Simply download the ISO and “burn” it to a USB drive with a tool like unetbootin.

BackTrack even offers a VMDK if you’re interested in playing around in VMware or VirtualBox.

In this episode Darren guides you through partitioning, formatting and installing BackTrack 4 to a USB drive and configuring persistence.

A ZipIt Userland image for the average user

How to Connect your Zipit Z2 to an encrypted WPA network.
With Aliosa’s OS:

• Turn on the wireless radio by opening the termina and issuing “ifconfig eth1 up”
• Create a WPA supplicant configuration file for your router and password by issuing “Wpa_passphrase youraccesspoint yourpassphrase > nameoffile.wpa”
• Connect to the WPA network using the configuration file you just created with “Wpa_supplicant –Dwext –i eth1 –c nameoffile.wpa –B”
• Get an IP address from your router’s DHCP by typing “Dhclient eth1″.

Installing RootNexus’s ‘Average User’ userland image.

• Plug in your miniSD
• Open PhysDiscWrite GUI
• Right-click miniSD, choose Oofnen, choose Image Laden
• Choose the average user image file
• Click yes, and wait 10 minutes.
• Eject your miniSD safely and restart your Zipit Z2 with the miniSD card in it

• Zipit Z2 “Average User” userland image: http://zipit.rootnexus.org/
• Getting WPA to work: http://www.christopherkois.com/?p=53

Darren’s Hacking WPA-PSK keys using the recently updated Cowpatty and some damn fine lookup tables. Connecting ESXi to iSCSI targets — Matt breaks it down with FreeNAS. And Shannon completely bypasses local Windows logins with a Kernel modifyin’ boot cd? w00t!

Download HD Download MP4 Download XviD Download WMV

Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the “-2″ option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possabilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?

As for carrying out the attack it’s pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I’m a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.

Excerpt Darren Kitchen‘s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

True Crypt your entire harddrive!

Excerpt Shannon Morse‘s blog

The gang gathers at a dive in Hoboken, NJ during their trip to NYC for the live diggnation and discuss wireless packet injection with airpwn, advancements in WPA-PSK attacks and of course, virtualization.

Download HD Download MP4 Download XviD Download WMV

In an effort to thwart hangovers the gang drops by DC’s Taven in Hoboken to geek out about Wifi and Virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA Tables out there for us with CoWPAtty. (And another little + is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords.

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

Session Hijacking with a Pineapple, Hamster and Ferret and cell phone? A free and easy way to virtualize physical servers! And is WPA Broken? Ikea clusters, screencasting, and canvas technolust.
[ MP4 | XviD | WMV ]

Watch

Show Notes

Is WPA Broken? Interesting stuff coming out of PacSec this year. Ars has a great writeup about it our check out Martin Beck and Erik Tews’ paper Practical attacks against WEP and WPA (PDF). There is a proof of concept tool available from the Aircrack-NG folks. Take a look at Tkiptun-ng. At time of writing the tool is not fully functional. Something to keep an eye on.

Steve P. writes to us about the Helmer beowulf cluster. This 6xCore2Quad is sure to make any geek smile. Kitty approved too! While stuffing a personal cluster into an Ikea cabinet is novel in and of itself the mad scientist behind it has thought some insane cluster designs including the 50 tflop Helmer 2 and the 4 pflop Helmer 3. All I can say is I want one. Thanks for the links Steve.

Darren enjoys a Bondages’ No Problem while Matt and Shannon stick with the margaritas.

More importantly Darren talks about Session Hijacking and demos a tool from Errata Security called Hamster and Ferret that, in conjunction with the latest 2.0 build of Jasager, an ICS’d EVDO connection and Tftpd32 we’re able to “sidejack” with our little man-in-the-middle setup. Lesson learned? Be suspicious of any wifi. Check for signatures of trusted networks and tunnel your traffic. We’ll come back to this topic with a more indepth segment on Jasager detection and traffic encryption soon.

A note on trivia. Please answer trivia questions on the Hak5 forums from now on. We would love to continue doing dual winners but with growing prize costs we cannot. Also, if you’re interested in volunteering to help with trivia code challenges lend a hand in the Dev5 board.

Matt shows us how to convert a physical server into a virtual server locally using the free VMware converter tool and talks about some of the concerns you must consider when preparing to virtualize. If you have virtualization questions hit up Matt and we’ll cover ‘em on future segments. Matt at Hak5 d0t org.

Alex W. writes with a question about screen recording. We highly recommend the open source Camstudio as well as FRAPS and Techsmith’s Camtasia Studio (warning: sticker shock may occur at techsmith.com). Paul (our “camera guy”) suggests checking out the new screen capturing functionality of the latest verison of VLC, especially if you’re on the Linux or Mac side.

As always we’d love to hear your feedback. Your questions, comments or concerns can be directed to HakHouse.com. It’s a crazy interactive project we’re working on. Just wait ’till we get the web-enabled robots up in there.

Trust your Technolust

In this episode of Hak5 Darren uses the eeePC, BackTrack 3, and Aircrack-ng to audit the security of our WPA encrypted wireless access point. Wess reviews Herbie the Mousebot from Solarbotics, a great electronics projects for beginners/intermediates. Chris Gerling comes by to show us Rockbox, the open source firmware alternative for your portable media players as well as a brief tutorial on building your own songs for frets on fire. Grab a companion cube and gather ’round for some technolust.

Download MP4 Download Xvid Download WMV

In this Flying-by-the-seat-of-our-pants edition of Hak5 episode 2×07 / Live Beta 2 we settle into the temporary set and check out a web app to help you IRC at work, a Mac hack for using front row with a wiimote, and a utility for recovering WPA/WEP keys. Plus your calls and an AFK award for a long lost code monkey.
 
 
 

Production Notes

Special uber thanks go to Ashley Witt for cleaning up our poor audio. I’m sure next episode will be slightly less frantic as we settle into the new place. Keep an eye on Hak5.org for updates on future live shows this month.

Sponsors

Get awesome web hosting from the pros at Dreamhost and receive $25 off your order when you enter coupon code HAK5! Plans start at $7.95/mo including 500 GB storage, 5 TB bandwidth, and one-click installs of popular software like WordPress, phpBB, and MediaWiki.

Keep your personal information away from spammers, hackers and your crazy ex-evilserver. Private Domain Registration from GoDaddy.com protects your privacy by keeping your address, phone number and more out of the public database. Get an additional 10% on your order when you enter coupon code HAK.