<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>1337 g@m3r, n00b h@x0r &#187; e-life</title>
	<atom:link href="http://www.snubsie.com/category/e-life/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.snubsie.com</link>
	<description>tech reviews, anime news, and teh life of snubs</description>
	<lastBuildDate>Tue, 16 Feb 2010 18:05:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>WiFi Network Scanners and Windows VPN services on Hak5 ep 604</title>
		<link>http://www.snubsie.com/2009/09/11/wifi-network-scanners-and-windows-vpn-services-on-hak5-ep-604/</link>
		<comments>http://www.snubsie.com/2009/09/11/wifi-network-scanners-and-windows-vpn-services-on-hak5-ep-604/#comments</comments>
		<pubDate>Fri, 11 Sep 2009 23:19:27 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=348</guid>
		<description><![CDATA[Merge folders with Winmerge This open source Windows tool allows you to easily identify inconsistencies between two would-be identical directories and quickly make corrections, complete with keyboard shortcuts. Check out Winmerge inSSIDer, an open source Windows WiFi Scanner So in my never ending search for better and better utilities to make my life easier, I [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-604"><img src="http://www.snubsie.com/wp-content/uploads/2009/09/604.jpg" alt="604" title="604" width="500" height="223" class="alignleft size-full wp-image-349" /></a></p>
<p><span id="more-348"></span></p>
<p>Merge folders with Winmerge</p>
<p>This open source Windows tool allows you to easily identify inconsistencies between two would-be identical directories and quickly make corrections, complete with keyboard shortcuts. Check out Winmerge</p>
<p>inSSIDer, an open source Windows WiFi Scanner</p>
<p>So in my never ending search for better and better utilities to make my life easier, I came across inSSIDer by metageek.</p>
<p>Which is basically a stripped down version of their Chanalyzer software.</p>
<p>Stripped down maybe, but extremely useful nonetheless? YES!</p>
<p>After performing a scan of my boss’s house, which was plagued with signal drops and slow speeds, I came across the reason.</p>
<p>Interfering access points. His router was on channel 6, surrounded by half a dozen other access points.</p>
<p>So using the easy to read inSSIDer software I decided to put him on channel 11, where there were no other APs in range.</p>
<p>As soon as I made the switch, I had vastly improved signal strength, and no longer had drops walking through the house.</p>
<p>We’ll be running a review of the Wi-Spy products and metageek’s Chanalyzer in an upcoming episode.</p>
<p>LAN Party</p>
<p>This month’s LAN Party is Team Fortress 2 on Saturday, October 3rd, at game.hak5.org. Find all the LAN Party details at hak5lan.squarespace.com</p>
<p>Windows VPN connection as Service</p>
<p>One of the nice things about Windows Server is the built in VPN service — RRAS or Routing and Remote Access. In this segment I demonstrate a way to connect one Windows Server to another utilizing a PPTP VPN connection as a service. The built in VPN connection manager isn’t half bad. A nifty feature is the rasdial.exe program, which allows you to connect/disconnect a VPN profile from the command line. Pair that with the AutoExNT service from the Windows Server Resource Kit and you’ve got a VPN connection on boot, even before login.</p>
<p>Contest</p>
<p>This month’s contest is for the scatter brained and design conscious desktop users. Share your desktops over at Hak5.org/screenshot and be entered to win leet Hak5 swag and Ashley Schwartau’s Hackers Are People Too DVD.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/09/11/wifi-network-scanners-and-windows-vpn-services-on-hak5-ep-604/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Planning, Kindle Tricks and a Linux Network Install Tool on Hak5 ep 603</title>
		<link>http://www.snubsie.com/2009/09/10/network-planning-kindle-tricks-and-a-linux-network-install-tool-on-hak5-ep-603/</link>
		<comments>http://www.snubsie.com/2009/09/10/network-planning-kindle-tricks-and-a-linux-network-install-tool-on-hak5-ep-603/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 23:17:52 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=345</guid>
		<description><![CDATA[There is plenty to do on the Kindle that isn’t in the user manual. Read on for details! At the Home screen use ALT-SHIFT-M for Minesweeper. It’s a little slow in response time, but still fun. Free Books and PDF’s on your Kindle can be accessed through sites like Mnybks.Net and Feedbooks. Mobipocket creator converts [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-603"><img src="http://www.snubsie.com/wp-content/uploads/2009/09/603.jpg" alt="603" title="603" width="500" height="223" class="alignleft size-full wp-image-346" /></a></p>
<p><span id="more-345"></span></p>
<p>There is plenty to do on the Kindle that isn’t in the user manual. Read on for details!</p>
<p>At the Home screen use ALT-SHIFT-M for Minesweeper. It’s a little slow in response time, but still fun.</p>
<p>Free books and PDFs on your Kindle can be accessed through sites like Mnybks.Net and Feedbooks.<br />
Mobipocket Creator converts PDFs to Kindle files for all of your needs. If you don’t want to use Mobipocket, check this out: for free conversions, email a document to “name”@free.kindle.com and have it emailed back to you in Kindle format.</p>
<p>Bypassing Paying for Blogs<br />
Check out sites like Kindle Feeder to read your favorite blogs and news sites for free, instead of paying for the subscription version. From your browser, go to kindlefeeder.com and sign up or just search for your favorite feed.</p>
<p>Try accessing a site that isn’t compatible with mobile through proxy sites like mowser.com.</p>
<p>Google Maps<br />
Under browser mode, click Alt-1 to access google maps quickly. Alt-2 shows gas stations and Alt-3 shows restaurants.</p>
<p>For email and useful messengers, use the following:<br />
Gmail: m.gmail.com<br />
Yahoo Messenger: us.m.yahoo.com/p/messenger/<br />
Google Reader: google.com/reader/m<br />
Google Calendar: google.com/calendar/m</p>
<p>SMS messages can be sent to your friend’s cell phone by simply emailing the 10-digit cell phone number at the appropriate gateway, e.g. for AT&#038;T cell customers it would be 1234567890@txt.att.net.<br />
This is an (unverified) list of gateways for various cell services.<br />
AT&#038;T: @txt.att.net<br />
Alltel: @message.alltel.com<br />
Nextel: @messaging.nextel.com<br />
Powertel: @ptel.net<br />
Sprint: @messaging.sprintpcs.com<br />
SunCom: @tms.suncom.com<br />
T-Mobile: @tmomail.net<br />
US Cellular: @email.uscc.net<br />
Verizon: @vtext.com<br />
Virgin Mobile: @vmobl.com</p>
<p>To view personal pictures on your Kindle, connect your Kindle to a computer via its mini USB port. Add a folder called ‘pictures’ in the root of the Kindle or SD card. Create another folder inside the Kindle folder ‘pictures’ called whatever you like. In the Home screen, hit Alt-Z to refresh and your new ‘book’ should appear with the name of the folder you chose. Open it and page back or forward to view your pictures. Press Alt-Shift-0 to set the current picture as a screensaver.</p>
<p>And here are a couple of tips for the Kindle 2:<br />
Tether your Kindle 2 via a USB port so you don’t have to use WhisperNet or create a custom screensaver with your own pictures.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/09/10/network-planning-kindle-tricks-and-a-linux-network-install-tool-on-hak5-ep-603/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Grub2 and VM-fu on Hak5 Ep 602</title>
		<link>http://www.snubsie.com/2009/09/09/grub2-and-vm-fu-on-hak5-ep-602/</link>
		<comments>http://www.snubsie.com/2009/09/09/grub2-and-vm-fu-on-hak5-ep-602/#comments</comments>
		<pubDate>Wed, 09 Sep 2009 23:17:25 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=342</guid>
		<description><![CDATA[Matt Lestock reviews BlueBear’s Adobe Air-based application for managing mixed virtualization environments. Kodiak currently supports VMware ESX servers with Citrix XenServer and Microsoft Hyper-V compatibility coming soon. This cross platform management application is pretty slick! Darren Kitchen discusses the evolution of his favorite boot loader, Grub, and points out USB installation options and Grub2’s loopback [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-602"><img src="http://www.snubsie.com/wp-content/uploads/2009/09/602.jpg" alt="602" title="602" width="500" height="223" class="alignleft size-full wp-image-343" /></a></p>
<p><span id="more-342"></span></p>
<p>Matt Lestock reviews BlueBear’s Adobe Air-based application for managing mixed virtualization environments. Kodiak currently supports VMware ESX servers with Citrix XenServer and Microsoft Hyper-V compatibility coming soon. This cross platform management application is pretty slick!</p>
<p>Darren Kitchen discusses the evolution of his favorite boot loader, Grub, and points out USB installation options and Grub2’s loopback option. He also discusses persistent changes, nested menus, and notes.</p>
<p>Darren also checks out LiveUSB, a tool that promises to automate the process of building a USB Multi Boot tool. Note: The site and application are all in French.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/09/09/grub2-and-vm-fu-on-hak5-ep-602/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sea Salt for your Hashes &#8211; Hak5</title>
		<link>http://www.snubsie.com/2009/08/16/sea-salt-for-your-hashes-hak5/</link>
		<comments>http://www.snubsie.com/2009/08/16/sea-salt-for-your-hashes-hak5/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 16:07:31 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=334</guid>
		<description><![CDATA[http://www.hak5.org/episodes/episode-525 While on Vacation at the beach Darren and Shannon talk password security. Shannon covers her favorite free open source password safe, Keepass, and how it can take the nightmare out of remembering a different password for every site. Then, Darren goes over salting and what it does to protect your password’s hash on the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-525">http://www.hak5.org/episodes/episode-525</a></p>
<p>While on Vacation at the beach Darren and Shannon talk password security. Shannon covers her favorite free open source password safe, Keepass, and how it can take the nightmare out of remembering a different password for every site. Then, Darren goes over salting and what it does to protect your password’s hash on the back end.</p>
<p><span id="more-334"></span></p>
<p>With the dozens–or in the case of many administrators hundreds–of passwords one must use and remember every day, how is one to ensure a secure and original password every time? Sure you could come up with some crazy algorithm that involves information in the WHOIS record of the domain you’re logging into, or you could live in normal land and get a password safe. Shannon goes over her favorite free open source offering KeePass.</p>
<p>Using industry standard encryption to keep your passwords safe, KeePass is the most full featured password safe we’ve tested. With versions for just about every OS under the sun, including many smart phones, there is no reason to ever reuse a password again.</p>
<p>If you’re a fan of KeePass and have a story or plugin you want to share with us be sure to hit up feedback@hak5.org!</p>
<p>When it comes to storing passwords on the back end, whether they be in a database or flat file, it’s important to keep ‘em salted. In this episode Darren goes over what Hash salting is — what it means to users, administrators, and would-be password crackers.</p>
<p>Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/08/16/sea-salt-for-your-hashes-hak5/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>USB Multipass &#8211; Darren&#8217;s Ultimate Tool &#8212; Hak5</title>
		<link>http://www.snubsie.com/2009/08/15/usb-multipass-darrens-ultimate-tool-hak5/</link>
		<comments>http://www.snubsie.com/2009/08/15/usb-multipass-darrens-ultimate-tool-hak5/#comments</comments>
		<pubDate>Sat, 15 Aug 2009 16:04:46 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=332</guid>
		<description><![CDATA[http://www.hak5.org/episodes/episode-524 Why carry around a dozen bootable USB drives when you could merge ‘em all into one? On this episode we build a USB Multipass complete with customized boot menu ready to launch any of our favorite tools–including Backtrack, Ophcrack, Kon-boot, dban, freedos, and more. Plus Shannon reviews the Trinity Rescue Kit, the boot disc dubbed [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-524">http://www.hak5.org/episodes/episode-524</a></p>
<p>Why carry around a dozen bootable USB drives when you could merge ‘em all into one? On this episode we build a USB Multipass complete with customized boot menu ready to launch any of our favorite tools–including Backtrack, Ophcrack, Kon-boot, dban, freedos, and more. Plus Shannon reviews the Trinity Rescue Kit, the boot disc dubbed CPR for your computer.</p>
<p><span id="more-332"></span></p>
<p>It has been the dream of many to combine the pen-testing, forensics and recovery power of our favorite USB bootable Linux distros into one drive complete with customized boot menu. Finally Frank Castle shares this digital mojo with us. I bring you the USB Multipass.</p>
<p>While the video walks you through the step by step I’ll provide an overview with links here.</p>
<p>First you’ll need three programs, PeToUSB, grubinst and grub4dos.</p>
<p>Prepare the USB drive by formatting it with PeToUSB. With the drive plugged in run the PeToUSB executable, select the drive, check Enable Disk Format, Quick Format and Force Volume Dismount and click Start. If you are using a drive over 2 GB you will receive an error about dismounting — it’s no big deal — simply format the drive as FAT32 with the Windows Disk Manager.</p>
<p>Next run grubinst_gui. Select the disk option and pick your USB drive. Be sure to select the correct drive number. If you’re not sure which drive is your USB drive check with Windows Disk Manager. Once you are assured the correct drive is selected go ahead and click Install. No options need to be checked, the defaults are fine.</p>
<p>You will then need to copy the grldr file from the grub4dos package to the root of your USB drive. Finally finish off the install by creating a blank text file in the root of your USB drive called “menu.lst”.</p>
<p>You can now boot from this drive. Of course there aren’t any Linux distributions and utilities installed yet, so let’s move on to adding all the goodies.</p>
<p>When it comes to installing distros I’ll go ahead and quote Frank Castle as he puts it best.</p>
<p>For most of the distros I added, I started off with an iso version of it. I then extracted the isos either to my desktop or directly to the root of the thumb drive (or you could just copy the files from a burnt version of the distro, just as long as you get the files to the root of your thumb drive). Most Linux Distros come with 2 folders: a boot folder and another folder that actually holds the meat and potatoes of the distro. Since it would be impossible to have 6 or 7 different boot folders that don’t overlap on the same thumb drive (without multiple partitions…a route I tried to take for way too long) I simply renamed the boot folder to something like “bootbt3” or “bootknop” depending on the distro, and just left the other folder as is. I then added the appropriate information by using the information by either:</p>
<p>1) Looking at the information provided in the syslinux or isolinux file in most linux distros</p>
<p>2) Looking at a (now taken down) webpage with tons of examples (appropriately added to this tutorial under Examples.txt)</p>
<p>3) Trial and Error</p>
<p>Most distros fell under the first of these options: Backtrack 3, Backtrack 4, Knoppix, and Trinity Rescue Kit all worked fine under these conditions</p>
<p>Some distros fell under the examples webpage: these included Ubuntu LiveCD (a different example because there is no boot folder and way more than two folders, but it ended up working without changing any folder names) as well as some others</p>
<p>Few Distros fell into the third option, but the ones that did were a bitch and a half to get working. These included Kon-Boot and OPHcrack.</p>
<p>OPHcrack (the latest version – 2.3.0), a tool I have known, loved, and depended on (at least until I met Kon-boot…thank you) was apparently different than any of the other distros because just copying the files from the iso… blah blah blah didn’t work. It turns out that you have to burn the Distro to a spare thumb drive using tazusb (Slitaz installer) from http://www.objectif-securite.ch/slitaz/tazusb.exe. You then copy these files to the root of your thumb drive and so on and so on. The second challenge was to get both versions of OPHcrack (XP and Vista) on the drive, since ALL of the files overlapped. It turns out that the only difference in the two versions were the tables provided so I just copied the tables from one cd to the other and proceeded forward as usual.</p>
<p>Kon-Boot was yet another bitch of a thing to get running via USB. No matter what I did it would boot, load, and promptly go back to the Grub bootloader. After a few hours of trial and error, I discovered I had to tell GRUB to tell the BIOS that the hard drive was the first boot device, even though it was obviously the thumb drive, because Windows apparently won’t run at all if it isn’t the first boot device. This required a few extra lines. Also, for some reason the .iso file wouldn’t work (I could never extract or even see the raw files of Kon-Boot), so I was forced to use the Floppy image (.img)</p>
<p>When it comes to customizing Grub it’s simply a matter of creating a 640×480 – 14 color splash screen image. This is easy to accomplish with the Gimp. Once you’ve created a 640×480 image you can crunch the colors by selecting Image, Mode, Indexed and entering 14 as the maximum colors. Save this file as an XPM, then gzip it. Copy the gz to the root of your USB drive and prepend “splashimage /image.xpm.gz” to your menu.lst file.</p>
<p>Further information on customizing the grub menu.lst file for your specific distros can be found in the grub manual. As an example I’ll provide my config here:</p>
<p>splashimage /jozette.xpm.gz<br />
color blue/black yellow/blue<br />
timeout 120</p>
<p>title BackTrack 4 BETA<br />
root (hd0,0)<br />
kernel /bootbt4/vmlinuz vga=0x317 ramdisk_size=6666 root=/dev/ram0 rw quiet<br />
initrd=/bootbt4/initrd.gz<br />
boot</p>
<p>title Kon-Boot-test<br />
map --mem /FD0-konboot-v1.1-2in1.img (fd0)<br />
map --hook<br />
chainloader (fd0)+1<br />
map (hd1) (hd0)<br />
map --hook<br />
rootnoverify (fd0)</p>
<p>title Memtest86<br />
kernel /memdisk<br />
initrd /memtestp.img</p>
<p>title ntpasswd<br />
kernel /ntpasswd/vmlinuz rw vga=1 initrd=/ntpasswd/initrd.cgz /ntpasswd/scsi.cgz<br />
initrd /ntpasswd/initrd.cgz</p>
<p>title DBAN<br />
kernel /memdisk<br />
initrd /dban.img</p>
<p>title SystemRescueCD<br />
kernel /rescuecd initrd=initram.igz video=ofonly vga=0 scandelay=5<br />
initrd /initram.igz</p>
<p>title FreeDOS<br />
root (hd0,2)<br />
kernel /memdisk<br />
initrd /freedos.img floppy</p>
<p>title Ophcrack<br />
kernel /bootoph/bzImage rw root=/dev/null vga=normal lang=C kmap=us screen=1024x768x16 autologin<br />
initrd /bootoph/rootfs.gz</p>
<p>I’m sure there will be many questions and further development of this project so I’ll go ahead and point you to the episode 524 release thread on the Hak5 forums. Share your thoughts!</p>
<p>Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/08/15/usb-multipass-darrens-ultimate-tool-hak5/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Return of the Matt: Physical to Virtual and Apache Tomcat3 &#8211; Hak5</title>
		<link>http://www.snubsie.com/2009/08/14/return-of-the-matt-physical-to-virtual-and-apache-tomcat3-hak5/</link>
		<comments>http://www.snubsie.com/2009/08/14/return-of-the-matt-physical-to-virtual-and-apache-tomcat3-hak5/#comments</comments>
		<pubDate>Fri, 14 Aug 2009 16:00:52 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=330</guid>
		<description><![CDATA[http://www.hak5.org/episodes/episode-523 Matt Lestock returns and brings us the skinny on converting physical servers into virtual servers and piping ‘em right into your ESXi box while Darren takes the scenic route on a Linux Apache Tomcat install with some Java and bash lovin’. Matt Lestock uses VMware Converter to take that ugly power hungry idle beast [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-523">http://www.hak5.org/episodes/episode-523</a></p>
<p>Matt Lestock returns and brings us the skinny on converting physical servers into virtual servers and piping ‘em right into your ESXi box while Darren takes the scenic route on a Linux Apache Tomcat install with some Java and bash lovin’.</p>
<p><span id="more-330"></span></p>
<p>Matt Lestock uses VMware Converter to take that ugly power hungry idle beast and turn it into a sleek and slim virtual machine, piped straight into your ESXi host.</p>
<p>Send your questions and feedback to matt@hak5.org</p>
<p>Darren Kitchen is cooking up a Linux based Java servlet container and HTTP web server with Apache Tomcat. While newer distributions and package repositories can make setting up a Tomcat server a breeze, it’s nice to have an understanding of the manual process.</p>
<p>Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/08/14/return-of-the-matt-physical-to-virtual-and-apache-tomcat3-hak5/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Whats in your RAM? &#8211; Hak5</title>
		<link>http://www.snubsie.com/2009/08/13/whats-in-your-ram-hak5/</link>
		<comments>http://www.snubsie.com/2009/08/13/whats-in-your-ram-hak5/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 18:56:57 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=328</guid>
		<description><![CDATA[http://www.hak5.org/episodes/episode-522 Rob Fuller, aka Mubix, of Room362.com joins us to expand on last week’s discussion about the Cold Boot attacks. We cover retrieving memory from live systems, analysis with tools like volatility, and file recovery with foremost. Mubix calls it forensics for the gray hat. Rob Fuller, aka Mubix of Room362.com joins us to expand [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-522">http://www.hak5.org/episodes/episode-522</a></p>
<p>Rob Fuller, aka Mubix, of Room362.com joins us to expand on last week’s discussion about the Cold Boot attacks. We cover retrieving memory from live systems, analysis with tools like Volatility, and file recovery with Foremost. Mubix calls it forensics for the gray hat.</p>
<p><span id="more-328"></span></p>
<p>Rob Fuller, aka Mubix of Room362.com joins us to expand on last week’s discussion about the cold boot attack.</p>
<p>This time we’re imaging memory from live systems. Windows boxes specifically. I point out my favorite open source app win32dd, which allows retrieval of physical memory in a couple of methods. Mubix is a fan of ManTech’s MDD. Both of these tools are capable of capturing memory on Windows 2003 SP1 (Vista+) and later machines. More tools can be found at the Forensics Wiki.</p>
<p>Once we’ve captured our memory it’s time to run it through a few tools to extract the good bits. Last week we touched on AESKeyFinder and RSAKeyFinder as well as Strings. This week we’re using the epic memory artifact extraction utility Volatility.</p>
<p>This gem allows us to see deep into what a Windows box was doing at time of memory capture, including running processes, open network connections, DLLs loaded for each process, registry handles, and more. The tool can even extract executables from memory. It’s a nifty little cross platform tool that’s worth a spin. If you’re looking to get your feet wet you might want to try it against some example data, courtesy of the NIST.</p>
<p>Best of all, Volatility is a framework that supports third party scripts. One such plugin makes it pretty simple to extract the Windows SAM from a memory sample.</p>
<p>We also cover using Foremost, an excellent tool for recovering data from memory based on headers, footers and data structures. I can say from experience that using the -t ALL option on a dump of Mubix’s memory, A TON of files are recovered, all nice and neat in their own folders based on extension. Thanks for the mem dump Mubix. If you don’t have a capture of Mubix’s memory you can find samples to play with Foremost at the Digital Forensics Tool Testing Images site.</p>
<p>We’ll be back in studio next week with Matt. Of course be sure to send your feedback to feedback@hak5.org, post in the forums or respond in the comments.</p>
<p>And don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/08/13/whats-in-your-ram-hak5/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Snubs plays Rockband</title>
		<link>http://www.snubsie.com/2009/08/03/snubs-plays-rockband/</link>
		<comments>http://www.snubsie.com/2009/08/03/snubs-plays-rockband/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 02:03:41 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[e-life]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=326</guid>
		<description><![CDATA[Shot with the Canon T1i and edited with Premiere CS4. Song is 1979 by Smashing Pumpkins. Just toying around with the 720p video functions of the camera. by Darren Kitchen]]></description>
			<content:encoded><![CDATA[<p><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="437" height="288" id="viddler"><param name="movie" value="http://www.viddler.com/player/81863bc5/" /><param name="allowScriptAccess" value="always" /><param name="allowFullScreen" value="true" /><embed src="http://www.viddler.com/player/81863bc5/" width="437" height="288" type="application/x-shockwave-flash" allowScriptAccess="always" allowFullScreen="true" name="viddler" ></embed></object></p>
<p>Shot with the Canon T1i and edited with Premiere CS4. Song is 1979 by Smashing Pumpkins. Just toying around with the 720p video functions of the camera.</p>
<p>by Darren Kitchen</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/08/03/snubs-plays-rockband/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Cold Boot Attack on Hak5</title>
		<link>http://www.snubsie.com/2009/07/09/the-cold-boot-attack-on-hak5/</link>
		<comments>http://www.snubsie.com/2009/07/09/the-cold-boot-attack-on-hak5/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 21:54:11 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=322</guid>
		<description><![CDATA[When it comes to recovering encryption keys from memory nobody has a more intriguing method than Princeton University researchers who pioneered what is known as the Cold Boot Attack. Their paper, Lest We Remember: Cold Boot Attacks on Encryption Keys debunks the popular assumption that RAM modules lose their contents when power is lost. As [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-521"><img src="http://www.snubsie.com/wp-content/uploads/2009/07/521.jpg" alt="521" title="521" width="500" height="223" class="alignleft size-full wp-image-323" /></a></p>
<p><span id="more-322"></span></p>
<p>When it comes to recovering encryption keys from memory nobody has a more intriguing method than Princeton University researchers who pioneered what is known as the Cold Boot Attack.</p>
<p>Their paper, <a href="http://citp.princeton.edu/pub/coldboot.pdf" target="_blank">Lest We Remember: Cold Boot Attacks on Encryption Keys</a> debunks the popular assumption that RAM modules lose their contents when power is lost. As it turns out the degradation of memory can be a matter of seconds to minutes at room temperature. Furthermore this degradation can be slowed by freezing the memory module.</p>
<p>The researchers go on to outline several methods for copying memory from a reset computer or extracted RAM module. <a href="http://citp.princeton.edu/memory/" target="_blank">Princeton University’s Center for Information Technology Policy</a> site maintains the paper, videos, and source code from the research.</p>
<p>The <a href="http://citp.princeton.edu/memory/code/" target="_blank">USB / PXE Imaging tool</a> in combination with the <a href="http://citp.princeton.edu/memory/code/" target="_blank">AES Key Finding tool</a> are a powerful combination. In this week’s show we discuss and demo these tools in action.</p>
<p>We also touch on the <a href="http://www.mcgrewsecurity.com/tools/msramdmp/" target="_blank">McGrew Security RAM Dumper</a> and <a href="http://foremost.sourceforge.net/">Foremost</a>.</p>
<p>After laying the groundwork for this attack I’ll be back in studio next week with more in-depth demos and answers to your questions. Please send your feedback and questions along to <a href="mailto:feedback@hak5.org">feedback@hak5.org</a>.</p>
<p>–<a href="http://www.darrenkitchen.net" target="_blank">Darren Kitchen</a></p>
<p>PlayXPert is a unique in-game overlay for PC and MMO games, incorporating the popular use of social media and the web with the importance of impressive FPS and undisturbed gameplay. PlayXPert lets you play your game without ever having to Alt-Tab out of the game by downloading the small widgets and customizing your opacity, widget settings, and key bindings. You can see it for yourself at their site: <a href="http://www.playxpert.com">PlayXPert</a>.</p>
<p>–<a href="http://www.snubsie.com" target="_blank">Shannon Morse</a></p>
<p>Also don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at <a href="http://hak5meetup.squarespace.com" target="_blank">hak5meetup.squarespace.com</a> or <a href="http://www.facebook.com/event.php?eid=100749273500&amp;ref=nf" target="_blank">RSVP on Facebook</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/07/09/the-cold-boot-attack-on-hak5/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Episode 519 – Building the Ultimate White Box for under $2000</title>
		<link>http://www.snubsie.com/2009/06/27/episode-519-%e2%80%93-building-the-ultimate-white-box-for-under-2000/</link>
		<comments>http://www.snubsie.com/2009/06/27/episode-519-%e2%80%93-building-the-ultimate-white-box-for-under-2000/#comments</comments>
		<pubDate>Sat, 27 Jun 2009 17:47:53 +0000</pubDate>
		<dc:creator>Snubs</dc:creator>
				<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[e-life]]></category>
		<category><![CDATA[hak.5]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.snubsie.com/?p=309</guid>
		<description><![CDATA[Building the ultimate white box ESXi server for under $2000! Can it be done? Darren and Matt grab the company credit card and answer that question. Building the Ultimate White Box Server for under $2000. When it comes to building a white box server for ESXi your best resources are vm-help.com, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hak5.org/episodes/episode-519"><img src="http://www.snubsie.com/wp-content/uploads/2009/06/519.jpg" alt="519" title="519" width="500" height="223" class="alignleft size-full wp-image-310" /></a></p>
<p>Building the ultimate white box ESXi server for under $2000! Can it be done? Darren and Matt grab the company credit card and answer that question.</p>
<p><span id="more-309"></span></p>
<p><strong>Building the Ultimate White Box Server for under $2000</strong></p>
<p>When it comes to building a white box server for ESXi your best resources are <a href="http://vm-help.com/" target="_blank">vm-help.com</a>, <a href="http://ultimatewhitebox.com/" target="_blank">UltimateWhiteBox.com</a>, the <a href="http://www.vmware.com/resources/compatibility/search.php" target="_blank">VMware Compatibility Guide</a>, and the <a href="http://communities.vmware.com/home.jspa" target="_blank">VMware community</a>.</p>
<p>We carefully selected ESXi supported components based on reliability and value. If this were the ultimate $3000 white box server we might have picked a server board with dual Xeons and ECC memory, but to keep it under that magic $2000 price point we went with beefy “desktop” components such as the <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16819115202" target="_blank">Intel Core i7 920</a>, the <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16813131365" target="_blank">ASUS P6T Deluxe</a>, and <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16820145233" target="_blank">12 GB of Corsair XMS3</a> memory.</p>
<p>Drive wise you can’t go wrong with the <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16816116042" target="_blank">3ware 9650SE-4LPML</a>. It supports four SATA II drives in RAID 0, 1, 5, 10 or JBOD. Its bigger brother the <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16816116045" target="_blank">9650SE-16ML</a> sixteen channel SATA II controller is hot too — just at three times the price. The 9650SE isn’t supported out of the box by ESXi, however 3ware provides a <a href="http://www.3ware.com/KB/article.aspx?id=15548" target="_blank">knowledge base article and drivers</a> necessary to add support for the card after your ESXi box is built.</p>
<p>Drive wise we picked up four <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16822136284" target="_blank">Western Digital Caviar Black</a> 1TB drives since they’re cheap and reliable.</p>
<p>To make things easy when installing all these components in our <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16811147101" target="_blank">Rosewill RSV-Z4000</a> 4U rackmount case we picked up a <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16817707117" target="_blank">4 Drive trayless hot swap SATA backplane</a> from StarTech. IcyDock makes one too. This was the only $100 spent for convenience over performance/value, but anyone who has dealt with 5.25″ to 3.5″ mounting brackets will agree it’s worth every penny.</p>
<p>Rather than installing ESXi on the RAID, we used a 4GB USB drive from Patriot, the <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16820220251">Xporter XT</a>. It boasts really fast read/write times. I’m sure any old 1GB or larger USB drive would have done but they’re so cheap, why not?</p>
<p>We’re doing a little white box server contest. Winners will get all sorts of swag from the <a href="http://www.hak5.org/hakshop/" target="_blank">Hak5 Store</a>. Check out all the details in the <a href="http://hak5.org/forums/index.php?showtopic=13481" target="_blank">episode release thread</a> at Hak5.org.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snubsie.com/2009/06/27/episode-519-%e2%80%93-building-the-ultimate-white-box-for-under-2000/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
