Create a BackTrack 4 persistent USB drive

BackTrack is widely considered the complete hacker boot disc. Born out of WHAX this security sharp linux distro has been years in the making, and finally version 4 final is out.

One of the best ways to experience BackTrack 4 (BT4) is by creating a USB boot drive. Simply download the ISO and “burn” it to a USB drive with a tool like unetbootin.

BackTrack even offers a VMDK if you’re interested in playing around in VMware or VirtualBox.

In this episode Darren guides you through partitioning, formatting and installing BackTrack 4 to a USB drive and configuring persistence.

A ZipIt Userland image for the average user

How to Connect your Zipit Z2 to an encrypted WPA network.
With Aliosa’s OS:

Turn on the wireless radio by opening the termina and issuing “ifconfig eth1 up”
Create a WPA supplicant configuration file for your router and password by issuing “Wpa_passphrase youraccesspoint yourpassphrase > nameoffile.wpa”
Connect to the WPA network using the configuration file you just created with “Wpa_supplicant –Dwext –i eth1 –c nameoffile.wpa –B”
Get an IP address from your router’s DHCP by typing “Dhclient eth1″.
Installing RootNexus’s ‘Average User’ userland image.

Plug in your miniSD
Open PhysDiscWrite GUI
Right-click miniSD, choose Oofnen, choose Image Laden
Choose the average user image file
Click yes, and wait 10 minutes.
Eject your miniSD safely and restart your Zipit Z2 with the miniSD card in it
Zipit Z2 “Average User” userland image: http://zipit.rootnexus.org/
Getting WPA to work: http://www.christopherkois.com/?p=53

Put Mubix in a room with a whiteboard and prepare to take notes. Go grab yourself a copy of Metasploit, or build a BackTrack Virtual Machine and start playing. Mubix’s complete show notes can be found at Room362.com. Mubix also recommends the free Offensive Security course Metasploit Unleashed – Mastering the Framework.

This time on the show Darren’s having a little man-in-the-middle fun with a demonstration os SSLStrip, an epic tool for removing that pesky encryption from your victims browsing session.

Moxie Marlinspike’s SSLStrip, released at Blackhat/DEFCON this year, is a tool that transparently hijacks HTTP traffic and redirects HTTPS links to look-alike HTTP links. While this description barely scratches the surface, Darren’s segment takes a closer look including a pracitcal demonstration of a man-in-the-middle attack using arpspoof and a little luck with remote-exploit’s BackTrack 4 penetration testing distribution.

Merge folders with Winmerge

This open source Windows tool allows you to easily identify inconsistencies between two would-be identical directories and quickly make corrections, complete with keyboard shortcuts. Check out Winmerge

inSSIDer, an open source Windows WiFi Scanner

So in my never ending search for better and better utilities to make my life easier, I came across inSSIDer by metageek.

Which is basically a stripped down version of their Chanalyzer software.

Stripped down maybe, but extremely useful none the less? YES!

After performing a scan of my boss’s house who was plagued with signal drops and slow speeds, I came across the reason.

Interfering access points. His router was on channel 6, surrounded by half a dozen other access points.

So using the easy to read inSSIDer software I decided to put him on channel 11, where there were no other AP’s in range.

As soon as I made the switch, I had vastly improved signal strength, and no longer had drops walking through the house.

We’ll be running a review of the Wi-Spy products and metageek’s Chanalyzer in an upcoming episode.

LAN Party

This month’s LAN Party is Team Fortress 2 on Saturday, October 3rd, at game.hak5.org. Find all the LAN Party details at hak5lan.squarespace.com

Windows VPN connection as Service

One of the nice things about Windows Server is the built in VPN service — RRAS or Routing and Remote

Access. In this segment I demonstrate a way to connect one Windows Server to another utilizing a PPTP VPN

connection as a service. The built in VPN connection manager isn’t half bad.

A nifty feature is >the rasdial.exe program

which allows you to connect/disconnect a VPN profile from the command line. Pairing that with the AutoExNT service from the Windows Server

Resource Kit and you’ve got a VPN connection on boot, even before login.

Contest

This month’s contest is for the scatter brained and design concious desktop users. Share your desktop’s

over at Hak5.org/screenshot and be entered to

win leet Hak5 swag and Ashley Schwartau’s Hackers Are People Too DVD.

There is plenty to do on the Kindle that isn’t in the user manual. Read on for details!

At the Home screen use ALT-SHIFT-M for Minesweeper. It’s a little slow in response time, but still fun.

Free Books and PDF’s on your Kindle can be accessed through sites like Mnybks.Net and Feedbooks.
Mobipocket creator converts pdf’s to kindle files for all of your needs. If you don’t want to use Mobipocket, check this out- for free conversions, email a document to “name”@free.kindle.com and have it emailed back to you in kindle format.

Bypassing Paying for Blogs
Check out sites like Kindle Feeder to read your favorite blogs and news sites for free, instead of paying for the subscription version. From your browser, go to kindlefeeder.com and sign up or just search for your favorite feed.

Try accessing a site that isn’t compatible with mobile through proxy sites like mowser.com.

Google Maps
Under browser mode, click Alt-1 to access google maps quickly. Alt-2 shows gas stations and Alt-3 shows restaurants.

For email and useful messengers, use the following:
Gmail: m.gmail.com
Yahoo Messenger: us.m.yahoo.com/p/messenger/
Google Reader: google.com/reader/m
Google Calendar: google.com/calendar/m

SMS messages to your friends cell phone can be accessed by simply emailing the 10-digit cell phone number at the appropriate gateway. e.g. for AT&T cell customers would be 1234567890@txt.att.net.
This is a (unverified) list of gateways for various cell services.
AT&T: @txt.att.net
Alltel: @message.alltel.com
Nextel: @messaging.nextel.com
Powertel: @ptel.net
Sprint: @messaging.sprintpcs.com
SunCom: @tms.suncom.com
T-Mobile: @tmomail.net
US Cellular: @email.uscc.net
Verizon: @vtext.com
Virgin Mobile: @vmobl.com

To view personal pictures on your Kindle, plug your Kindle into it’s mini USB to a computer. Add a folder called ‘pictures’ in the root of the Kindle or SD card. Create another folder inside the Kindle folder ‘pictures’ called whatever you like. In the Home screen, hit Alt-Z to refresh and your new ‘book’ should appear with the name of the folder you chose. Open it and page back or forward to view your pictures. Press Alt-Shift-0 to set the current picture as a screensaver.

And here are a couple of tips for the Kindle 2:
Tether your Kindle 2 via a USB port so you don’t have to use WhisperNet or create a custom screensaver with your own pictures.

Matt Lestock reviews BlueBear’s Adobe Air-based application for managing mixed virtualization environments. Kodiak currently supports VMware ESX servers with Citrix XenServer and Microsoft Hyper-V compatibility coming soon. This cross platform management application is pretty slick!

Darren Kitchen discusses the evolution of his favorite boot loader, Grub, and points out USB installation options and Grub2’s loopback option. He also discusses persistent changes, nested menus, and notes.

Darren also checks out LiveUSB, a tool that promises to automate the process of building a USB Multi Boot tool. Note: The site and application are all in French.

Engineering a mid size office network from the ground up. Matt shares with us tips on switch stacking and more. Palm centro security? Shannon shows us how to bypass SIM lockout. And Darren’s getting his grub2 on without borking his ubuntu box. All that and more on this episode of Hak5.

The Palm Centro has the ability to do a system lockout with access to the SIM only by using a PIN code. If you set this lockout, when you power cycle your phone, you can only have access to the lockout menu. You can either enter your PIN, choose cancel, or choose make emergency call. If you choose make emergency call and go through a few buttons, you can enter the hardware of the Centro. From the main menu of one of these phones, you can access the users contacts, SMS messages, photos, apps, games, notes, and more. Here is a walkthrough of how to bypass the lockout:
How to Bypass Your Palm Centro Security

To help protect your phone from this kind of issue, you can use a program like Warden Security. Sadly, it costs a whopping $14.95, and no one wants to spend that much on an app!
Warden Security

Know of a nifty phone hack you want to share with us? Email feedback with details!

While on Vacation at the beach Darren and Shannon talk password security. Shannon covers her favorite free open source password safe, Keepass, and how it can take the nightmare out of remembering a different password for every site. Then, Darren goes over salting and what it does to protect your password’s hash on the back end.

With the dozens–or in the case of many administrators hundreds–of passwords one must use and remember every day, how is one to ensure a secure and original password every time? Sure you could come up with some crazy algorythm that involves information in the WHOIS record of the domain you’re logging into, or you could live in normal land and get a password safe. Shannon goes over her favorite free open source offering KeePass.

Using industry standard encryption to keep your passwords safe, KeePass is the most full featured password safe we’ve tested. With versions for just about every OS under the sun, including many smart phones, there is no reason to ever reuse a password again.

If you’re a fan of KeePass and have a story or plugin you want to sare with us be sure to hit up feedback@hak5.org!

When it comes to storing passwords on the back end, whether they be in a database or flat file, it’s important to keep ‘em salted. In this episode Darren goes over what Hash salting is — what it means to users, administrators, and would-be password crackers.

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

Why carry around a dozen bootable USB drives when you could merge ‘em all into one? On his episode we buld a USB Multipass complete with customized boot menu ready to launch any of favorite tools–including Backtrack, Ophcrack, Kon-boot, dban, freedos, and more. Plus Shannon reviews the Trinity Rescue Kit, the boot disc dubbed CPR for your computer.

It has been the dream of many to combine the pen-testing, forensics and recovery power of our favorite USB bootable linux distros into one drive complete with customized boot menu. Finally Frank Castle shares this digital mojo with us. I bring you the USB Muiltipass.

While the video walks you through the step by step I’ll provide an overview with links here.

First you’ll need three programs, PeToUSB, grubinst and grub4dos.

Prepare the USB drive by formatting it with PeToUSB. With the drive plugged in run the PeToUSB executable, select the drive, check Enable Disk Format, Quick Format and Force Volume Dismount and click Start. If you are using a drive over 2 GB you will receive an error about dismounting — it’s no big deal — simply format the drive as Fat32 with the Windows Disk Manager.

Next run grubinst_gui. Select the disk option and pick your USB drive. Be sure to select the correct drive number. If you’re not sure which drive is your USB drive check with Windows Disk Manager. Once you are assured the correct drive is selected go ahead and click Install. No options need to be checked, the defaults are fine.

You will then need to copy the grldr file from the grub4dos package to the root of your USB drive. Finally finish off the install by creating a blank text file in the root of your USB drive called “menu.lst”.

You can now boot from this drive. Of course there aren’t any Linux distributions and utilities installed yet, so let’s move on to adding all the goodies.

When it comes to installing distros I’ll go ahead and quote Frank Castle as he puts it best.

For most of the distros I added, I started off with an iso version of it. I then extracted the isos either to my desktop or directly to the root of the thumb drive (or you could just copy the files from a burnt version of the distro, just as long as you get the files to the root of your thumb drive). Most Linux Distros come with 2 folders: a boot folder and another folder that actually holds the meat and potatoes of the distro. Since it would be impossile to have 6 or 7 different boot folders that don’t overlap on the same thumb drive (without multiple partitions…a route I tired to take for way too long) I simply renamed the boot folder to something like “bootbt3″ or “bootknop” depending on the distro, and just left the other folder as is. I then added the appropriate information by using the information by either:

1) Looking at the information provided in the syslinux or isolinux file in most linux distros

2) Looking at a (now taken down) webpage with tons of examples (appropriatly added to this tutorial under Examples.txt)

3) Trial and Error

Most distros fell under the first of these options: Backtrack 3, Backtrack 4, Knoppix, and Trinity Rescue Kit all worked fine under these conditions

Some distros fell under the examples webpage: these included Ubuntu LiveCD (a different example because there is no boot folder and way more than two folders, but it ended up working without changing any folder names) as well as some others

Few Distros fell into the third option, but the ones that did were a bitch and a half to get working. These included Kon-Boot and OPHcrack.

OPHcrack (the latest version – 2.3.0), a tool I have known, loved, and depended on (at least until I met Kon-boot…thank you) was a apparently different than any of the other distros because just copying the files from the iso… blah blah blah didn’t work. It turns out that you have to burn the Distro to a spare thumb drive using tazusb (Slitaz installer) from http://www.objectif-securite.ch/slitaz/tazusb.exe. You then copy these files to the root of your thumb drive and so on and so on. The second challenge was to get both versions of OPHcrack (XP and Vista) on the drive, since ALL of the files overlapped. It turns out that the only difference in the two verisons were the tables provided so I just copied the tables from one cd to the other and proceeded forward as usual.

Kon-Boot was yet another bitch of a thing to get running via USB. No matter what I did it would boot, load, and promptly go back to the Grub bootloader. After a few hours of trial and error, I discovered I had to tell GRUB to tell the BIOS that the hard drive was the first boot device, even though it was obviously the thumb drive, because Windows apparently won’t run at all if it isn’t the first boot device. This reqiured a few extra lines. Also, for some reason the .iso file wouldn’t work (I could never extract or even see the raw files of Kon-Boot), so i was forced to use the Floppy image (.img)

When it comes to customizing Grub its simply a matter of creating a 640×480 – 14 color splash screen image. This is easy to accomplish with the Gimp. Once you’ve created a 640×480 image you can crunch the colors be selecting Image, Mode, Indexed and entering 14 ad the maximum colors. Save this file as a XMP, then gzip it. Copy the gz to the root of your USB drive and prepend “splashimage /image.xpm.gz” to your menu.lst file.

Further information on customizing the grub menu.lst file for your specific distros can be found in the grub manual. As an example I’ll provide my config here:

splashimage /jozette.xpm.gz
color blue/black yellow/blue
timeout 120

title BackTrack 4 BETA
root (hd0,0)
kernel /bootbt4/vmlinuz vga=0×317 ramdisk_size=6666 root=/dev/ram0 rw quiet
initrd=/bootbt4/initrd.gz
boot

title Kon-Boot-test
map –mem /FD0-konboot-v1.1-2in1.img (fd0)
map –hook
chainloader (fd0)+1
map (hd1) (hd0)
map –hook
rootnoverify (fd0)

title Memtest86
kernel /memdisk
initrd /memtestp.img

title ntpasswd
kernel /ntpasswd/vmlinuz rw vga=1 initrd=/ntpasswd/initrd.cgz /ntpasswd/scsi.cgz
initrd /ntpasswd/initrd.cgz

title DBAN
kernel /memdisk
initrd /dban.img

title SystemRescueCD
kernel /rescuecd initrd=initram.igz video=ofonly vga=0 scandelay=5
initrd /initram.igz

title FreeDOS
root (hd0,2)
kernel /memdisk
initrd /freedos.img floppy

title Ophcrack
kernel /bootoph/bzImage rw root=/dev/null vga=normal lang=C kmap=us screen=1024x768x16 autologin
initrd /bootoph/rootfs.gz
I’m sure there will be many questions and further development of this project so as I’ll go ahead and point you the episode 524 release thread on the Hak5 forums. Share your thoughts!

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

Matt Lestock returns and brings us the skinny on converting physical servers into virtual servers and piping ‘em right into your ESXi box while Darren takes the scenic route on a Linux Apache Tomcat install with some Java and bash lovin’.

Matt Lestock uses VMware Converter to take that ugly power hungry idle beast and turn it into a sleek and slim virtual machine, piped stright into your ESXi host.

Send your questions and feedback to matt@hak5.org

Darren Kitchen is cooking up a Linux based Java servlet container and HTTP web server with Apache Tomcat. While never distributions and package repositories can make setting up a Tomcat server a breeze, it’s nice to have an understanding of the manual process.

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.