June 15th, 2009 -- Posted in Podcasts, e-life, technology |
Kon-Boot
Kon-Boot is a prototype piece of software which allows one to change the contents of a Linux kernel (and now the Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows you to log into a Linux system as the ‘root’ user without typing the correct password, or to elevate privileges from the current user to root. For Windows systems it allows you to enter any password-protected profile without any knowledge of the password. It was actually started as a silly project of mine, which was born from my never-ending memory problems.
Secondly, it was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider that this is my first Linux project so far.
The entire Kon-Boot was written in pure x86 assembly, using the old grandpa-geezer TASM 4.0.
So basically, Kon-Boot lets you log into any password-protected Windows or Linux computer without knowing the password or anything about it.
The tech behind it? Kon-Boot latches onto the kernel in memory while the machine boots and patches the parts of it (the brain!) that handle logon authentication and security checks. Those patches let you log on without a password. The bootkit does all of this in memory during boot, so it leaves no footprints behind after you leave.
DUDE!
To do this:
Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurn because it is fast, easy, and FREE.
Shut down the computer you intend to get onto. When it boots up, if it isn’t already set to boot from CD (or flash drive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear, with the main username already filled in if they have it saved. If not, you need to know the username ahead of time. Press Enter, or type in some random characters (it doesn’t really matter) and press Enter. You’re in!
Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.
Protecting yourself:
Password protect your BIOS!
TrueCrypt your entire hard drive!
January 22nd, 2009 -- Posted in Podcasts, technology |

Download this Episode!
Darren’s back in the kitchen with an illustrated scenario of online brute forcing every systems administrator’s beloved remote desktop. He whips up some homemade chicken noodle soup and tosses on the ol’ white hat for a talk about countermeasures and security best practices. Then Matt brings you a full-featured and aggressively priced alternative to Microsoft’s own Terminal Services. Do I hear cheap thin clients around the corner?
Online Brute Force Countermeasures And Chicken Noodle Soup
Similar in function to SSH, Remote Desktop Protocol is one of the essential tools for administering Microsoft Windows servers. The natively encrypted service comes standard on Windows Server and even XP Pro and Vista. It also serves as the example for a brief follow-up to my previous segment on Offline Brute Forcing.
In my scenario I demonstrate how the tool TSGrinder can be used to perform dictionary attacks against RDP services with character substitution (or leet) options. This attack simply demonstrates a few weaknesses in Windows.
First of all, by default the Administrator account cannot be locked out remotely. This behavior can be changed using the Passprop utility from the Windows 2000 Resource Kit; the same tool also lets you enforce strong passwords. It is also recommended that the Administrator account be renamed, and there are a few tools for this as well. Though more obscurity than security, I recommend changing the RDP listen port. I strongly recommend reviewing Microsoft’s password best practices and considering passphrases; PasswordMeter.com is a nice site that will rate your password on complexity. Finally, I recommend enabling extensive auditing. There are a number of third-party security applications made specifically for auditing that offer alerting on events such as online brute force attempts. One application in particular, 2X SecureRDP, offers advanced filtering based on IP and MAC addresses for RDP connections. I’m particularly interested in hearing your feedback on Windows auditing software, so please drop me a line: darrenAThak5.0rg!
And my final recommendation on securing RDP is to limit its exposure by keeping TCP 3389 (or whatever port you’ve changed it to) closed. A little SSH tunneling or VPNing can go a long way toward keeping unnecessary services away from the wild wild web. I laid the foundation for this in a segment on 1×07 and will follow up with a more robust VPN segment soon. If you’ve got ideas, again, drop me a line.
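A detection check of the kind the auditing recommendation above calls for, added here as an example and not code from the episode: it scans a constructed sample of Security log records (event 4625, failed logon, with logon type 10, RemoteInteractive, which is what an RDP attempt leaves on Vista/2008 and later; Windows 2000/XP/2003 log 529 instead), assumed to have been exported to CSV, and reports any source address that racks up a threshold of failures inside a short window together with how many account names it tried. Since the built-in Administrator cannot be locked out remotely by default, an alert like this is what tells you a dictionary run is in progress.

```shell
# Constructed sample of Windows Security log records, flattened to CSV by
# an assumed export step (real logs are EVTX/XML). Columns:
#   time(HH:MM:SS),event_id,logon_type,account,source_ip
# Event 4625 = failed logon (Vista/2008+; Windows 2000/XP/2003 log 529),
# logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG='03:14:01,4625,10,Administrator,203.0.113.7
03:14:02,4625,10,Administrator,203.0.113.7
03:14:02,4625,10,administrat0r,203.0.113.7
03:14:03,4625,10,Admin,203.0.113.7
03:14:05,4625,10,Administrator,203.0.113.7
03:14:06,4624,10,darren,192.168.1.20
03:14:09,4625,3,svc_backup,192.168.1.50
03:14:30,4625,10,Administrator,203.0.113.7
03:20:00,4625,10,shannon,192.168.1.20'

# rdp_bruteforce_report LOG THRESHOLD WINDOW_SECONDS
# Prints "<source_ip> <total_failures> <distinct_accounts>" for each source
# that produced THRESHOLD or more failed RDP logons inside any WINDOW_SECONDS
# span. Records are assumed to be in chronological order, as exports are.
rdp_bruteforce_report() {
    printf '%s\n' "$1" | awk -F, -v thr="$2" -v win="$3" '
    function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
    # only failed logons of the RDP logon type count; successes (4624) and
    # network logons (type 3) are ignored
    $2 == 4625 && $3 == 10 {
        ip = $5
        n[ip]++
        t[ip, n[ip]] = secs($1)
        if (!((ip, $4) in u)) { u[ip, $4] = 1; d[ip]++ }
        # sliding window: walk back from the newest failure while the
        # earlier ones are still within win seconds of it
        c = 0
        for (i = n[ip]; i >= 1 && t[ip, n[ip]] - t[ip, i] <= win; i--) c++
        if (c >= thr) flagged[ip] = 1
    }
    END { for (ip in flagged) printf "%s %d %d\n", ip, n[ip], d[ip] }' | sort
}

# five failures within a minute from one address is worth an alert
rdp_bruteforce_report "$SAMPLE_LOG" 5 60
```

Tune the threshold against your own logon traffic; the distinct-account column separates one admin mistyping a password from a TSGrinder-style run cycling through leet variants of Administrator.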
December 11th, 2008 -- Posted in Podcasts, technology |
Download it here!
Shannon takes the spotlight and opens the show. Darren threatens to vote her off the hakhouse. We postponed the open sourcing of the missile launcher due to finals. Thanks, Jason Appelbaum. Our friend Mubix has a great article on Multi-Boot Security Live CDs that makes last week’s pick, UNetbootin, even more amazing.
Our next LAN Party will be Half-Life 2 Deathmatch on Saturday, December 13 at game.hak5.org. Prepare to get smacked in the face with a flying toilet! Check out all the details at our brand spankin’ new Hak5 LAN site (with leetness by Squarespace).
Public Key Encryption
In this segment we show you how to set up public key authentication between a Windows and a Linux host. There are many different software packages with which to accomplish this, but we used OpenSSH and PuTTY.
Requirements:
Linux machine or VM running OpenSSH (most distros have it in their repository, or you can find it here: http://www.openssh.com/portable.html)
Windows machine with putty software (download the whole package) http://www.openssh.com/portable.html
Installing OpenSSH on Linux is relatively straightforward; refer to their site for details. Once that’s set up, we generated a key using the command “ssh-keygen” and specified the filenames. You can customize the keys you generate as you wish, but we went with the defaults. After entering a passphrase twice, you’ll have a public and a private key file, with the public one having the extension .pub. The private key file stays on the server, but we copy the public key over to our Windows machine and convert it into PuTTY format using PuTTYgen. After you have the key, you can either pass it with scp using scp -i (pscp in our example, since we’re using PuTTY’s scp executable), or you can use the PuTTY SSH client in order to pass the key instead of just a password to authenticate to the server. This makes an easy two-factor authentication mechanism.
–Chris
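The server side of the setup described in the segment above, added here as an example that is not the segment's own commands. It assumes the standard OpenSSH layout, in which the private key lives on the PuTTY client and only the public key is placed in the server's ~/.ssh/authorized_keys; the key line is a constructed sample, and install_pubkey and require_pubkey_only are helpers written for this example. It installs the key with the file modes sshd insists on, then turns off password logins so the key is required rather than an optional alternative.

```shell
# Constructed sample public key line (not real key material). This is the
# server-side half: it goes into ~/.ssh/authorized_keys, while the matching
# private key stays on the client (the Windows box running PuTTY).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedSampleKeyMaterial chris@winbox'

# install_pubkey HOME_DIR KEY_LINE
# Appends KEY_LINE to HOME_DIR/.ssh/authorized_keys with the modes sshd
# demands. With StrictModes (the default) sshd silently ignores a key file
# that is group- or world-writable and falls back to a password prompt,
# the classic "it still asks for a password" symptom.
install_pubkey() {
    home="$1"; key="$2"
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing unrecognised key type: ${key%% *}" >&2; return 1 ;;
    esac
    b64=${key#* }; b64=${b64%% *}
    case "$b64" in
        ""|*[!A-Za-z0-9+/=]*) echo "key line has no base64 material" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # exact-line match so re-running the setup does not stack duplicates
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# require_pubkey_only SSHD_CONFIG
# Once the key logon works, make it mandatory: a server that still accepts
# passwords is still open to the dictionary attacks discussed earlier.
# Existing or commented-out directives are replaced in place, missing ones appended.
require_pubkey_only() {
    cfg="$1"
    for kv in "PubkeyAuthentication yes" "PasswordAuthentication no"; do
        k=${kv%% *}
        if grep -q "^[#[:space:]]*$k[[:space:]]" "$cfg"; then
            sed "s/^[#[:space:]]*$k[[:space:]].*/$kv/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        else
            printf '%s\n' "$kv" >> "$cfg"
        fi
    done
}
```

Restart sshd after editing the config, and keep an existing session open while you confirm the key logon from PuTTY so a mistake cannot lock you out.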
Driver Backup
After installing a fresh copy of your Windows OS of choice, the biggest headache for most of us is the arduous task of trying to locate drivers for all of our different components. So this post is all about making your reinstall a little less troublesome.
Here’s a list of some of the better driver backup utilities!
DriverBackup2 is a lightweight driver-backup tool. The application is portable, with a caveat: you’ll need administrative privileges for full use. You can opt to back up one or all of your drivers; the backed-up files are dumped into a tree structure based on driver name. DriverBackup2 also allows you to restore and delete unnecessary drivers. If you have ever hunted for obscure drivers online, when installing legacy or obscure hardware for instance, DriverBackup2 will save you the hassle of searching them out again.
Double Driver lists all the hardware drivers installed on your system and creates backups of both the actual drivers and lists of the driver names. While handy with any computer, Double Driver really shines if you have a computer that came with pre-installed drivers that are hard, if not impossible, to come by. With a few clicks you’ll have those archaic laptop drivers backed up and ready to put back to work after a fresh install.
DriverMax allows you to easily reinstall all your Windows drivers. No more searching for rare drivers on discs or on the web, or inserting one installation CD after another. Simply export all your drivers (or just the ones that work OK) to a folder or a compressed file. After reinstalling Windows, all drivers can be back in place in less than 5 minutes.
DriverView is a helpful upgrade from looking through devices individually in the Device Manager, but the real value here is in the list generation. Create an HTML-formatted backup list for your future troubleshooting needs, or export to text to show friends or forum members just what’s gone wrong. While it doesn’t actually back up drivers, if you’re still into doing things the old-fashioned way, DriverView is a great choice!
Now that we’ve got all of the corporate slogans and descriptions out of the way, my personal favorite is the first one we’ve talked about here. The interface is the least cluttered, and the process really couldn’t be any easier. For those of you who are looking to deploy driver backups in an automated fashion, there’s a built-in command-line builder! Like I said, I’ve personally used it, and it really does make life a lot easier after a reinstall.
So check it out and if you have any questions, remember: matt@hak5.org – Revision3 Forum or Hak5 Forum
–Matt
Congrats to Mesartwell who correctly answered last week’s trivia. Answer: “Tom is king” and “Jules sucks”. Grab yourself a copy of the Doom alphas
“Hackers Are People Too”
Ashley Schwartau joins us via Skype to talk about her documentary Hackers Are People Too.
–Darren
Music Organizers
I have thousands of songs on my computer and some of them are missing titles, artists, etc. So when I hop on iTunes to download my feed of podcasts (like Hak5!), I use TuneUp Media to clean up some of my music.
TuneUpMedia
TuneUp Media has the ability to find your songs basically by listening to them, and tell you the information for each one. You simply drag your song over to the clean up bar on the right, and TuneUp finds your songs info in a few seconds. It even gives you a choice of album art you can use.
I like TuneUp simply because I’m really into being organized. There are a few bugs, though. Firstly, once you download TuneUp, you don’t have the option to close it while in iTunes (unless this has changed recently). Second, there are two versions: free and not free. With the free version, you only have 500 songs to clean up. In the paid version you can clean up as much as you want.
TagScanner
The second one is TagScanner. TagScanner is good for someone who doesn’t like iTunes. In TagScanner, you can not only clean up the names and artists on your music, but you can also fix up the ID3 tags for each song, down to lyrics and album art. You can also export your music list to a .txt file or an Excel spreadsheet, which is pretty neat.
–Shannon
Questions
Skybar Baron writes: “I have a computer from my school and was wondering if there was a way to wipe everything but, like, Microsoft Office and the OS?”
Darren recommends SDelete.
Until next week we welcome your feedback and remind you to Trust your Technolust
November 6th, 2008 -- Posted in Podcasts |
Download it here! http://revision3.com/hak5/Phreaknic
The gang heads to Phreaknic in Nashville, Tennessee and, in Hak5 tradition, brings you a sampling including interviews with Russell Butturini about his U3 Incident Response Tool, Adrian Crenshaw, aka Irongeek, about keyloggers and other embedded hacking, Daniel Hooper about Software Defined Radio and GNU Radio, Eighty of Dual Core, Droops from Hacker Media, and more. Yeehaw!
Russell Butturini shows us the U3 Incident Response Payload for the USB switchblade. Code and tutorial on the forums.
Adrian Crenshaw, aka Irongeek, talks about hardware keyloggers and other geeky bits.
Daniel Hooper explains Software Defined Radio, GNU Radio, and the universal software radio peripheral.
Plus talks with Nerdcore star Eighty of Dual Core and Droops from Hacker Media and Hacker Public Radio.