Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.

DUDE!

To do this:
Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:
Password protect your BIOS!
True Crypt your entire harddrive!

Want to bypass those nasty restrictions imposed by your corporate or university firewalls? Darren has just the trick with Internet Redirection. Ever wanted to hide secret data inside a photo? Shannon’s show us a neat steganography app. Plus Matt answers your virtualization questions!

Show Notes

Internet Redirection

Corporate and university firewalls can be a particular PITA — especially if you’re a gamer. And while SSH tunneling (even over DNS)or VPN technologies are often preferred, it is quite possible to “bounce” your traffic off an Internet Redirection server. Like a fancy proxy, rinetd allows you to specify incoming and outgoing IP and port. It features basic client access rules based on IP and even supports logging. In my segment I demonstrate accepting traffic on port 80 and transmitting it to an IRC server on port 6667.

Granted this isn’t going to fool your more complex firewalls that actually inspect packets — but if you’re just looking to get traffic through an open port I highly recommend giving rinetd a try.

–Darren

Steghide

Download a copy of Steghide. Extract the zip.

You want to hide a file. First thing you need is a file to hide it in. Choose a file – whether that be a music file, jpeg, word document… whatever – and save it inside the steghide folder, which was extracted from the zip folder. Also, save your file that you want to hide inside that same folder as well.
Open up your command prompt and open the steghide folder directory. Open the steghide.exe file. The last few rows of type will tell you how to embed and extract your hidden file.

Embedding:
Type into the command prompt: ’steghide embed -cf file.jpg (this is your regular file) -ef hiddenfile.txt’ (this is the file you want to hide).
Choose a Passphrase and you’re done! You’ll notice the original photo or music file has changed it’s byte size now that you’ve embedded something inside it.

Extracting:
Type into the command prompt: ’steghide extract -sf file.jpg’ and enter the passphrase. Now, you’ll see the extracted hidden file appear inside the same folder.
Your done! Simple, eh?

–Shannon

Darren shows off some nifty tricks for Netcat and a targeted brute force attack dictionary generator. Matt continues his series on Virtualization with redundancy and Shannon pimps the blog with her WordPress plugin picks. Plus the results of our Monkey Contest, the Code Challenge and this weeks easter egg hunt

Show Notes

Common User Password Profiler

The Common User Password Profiler from Remote-Exploit is a password/passphrase generator specifically targeted as an individual user. Feed it some info like names, birth dates, spouce, children and pets and it will generate individually, or along with an existing dictionary, thousands of potential passwords. Just add water, feed to your favorite brute forcer and enjoy.

From personal experience I can vouch that, while simple sounding, this would have a HIGH success rate on some of my _former_ (L)users. Administrators take note and enforce BOFH password requirements

netcat – “The Swiss-army knife for TCP/IP”

When it comes to sending and receiving TCP and UDP any which way from the console nothing is more versatile or easy to use than netcat.

With a few simple commands you can use netcat to initiate chat, file transfer or even shell access in either direction between a “server” and a “client”.

The tool can be set to listen or broadcast on any port and tied together with some shell-fu almost anything is possible.

Some listener favorites include cloning hard drives over a network with dd and netcat, tailing a log across the network, port scanning, IP redirecting, or even spoofing user-agents and referrers. Internet Explorer 22 anyone?

Digininja points to this great netcat cheat sheet (PDF 128K).

What kind of crazy stuff have you done with netcat? Feedback@hak5.org

Shannon’s WordPress Plugin Picks

Twitme

This plugin allows you to automatically post your new posts on the twitter website. This is good because the iPod and iPhone for example have a large amount of twitter clients to pick from. Your blog posts will arrive to people while they are walking the streets.

Socialite

Socialite allows your WordPress posts to publish to Twitter, Facebook, and MySpace. Each social networking site can be enabled or disabled for publishing, and each is configured separately with their own options. Support for Short URL services such as zz.gd and Tinyurl.com is also supported.

Sociable

Automatically add links to your favorite social bookmarking sites on your posts, pages and in your RSS feed. You can choose from 99 different social bookmarking sites!

MobilePress

MobilePress is a WordPress plugin that will render your WordPress blog on mobile handsets, with the ability to use customized themes. The plugin also allows specific themes for specific devices / mobile browsers, such as iPhone, Opera Mini, Windows CE Mobile and other generic handset browsers.

Resize at Upload Plus

The plugin will automatically resize an image upon upload, depending on the maximum width and height that you define. Gone are the days when you, or your client, will ruin a site’s layout by uploading a huge file with 25 megapixels. Be advised: there is no backup, no copy of the originally uploaded image.

WP-Cache 2.0

WP-Cache is an extremely efficient WordPress page caching system to make your site much faster and responsive. It works by caching Worpress pages and storing them in a static file for serving future requests directly from the file rather than loading and compiling the whole PHP code and then building the page from the database. WP-Cache allows to serve hundred of times more pages per second, and to reduce the response time from several tenths of seconds to less than a millisecond.

WordPress Backup

Backup the upload directory (images), current theme directory, and plugins directory to a zip file. Zip files optionally sent to email.

WP Security Scan

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

WP Ban

It will display a custom ban message when the banned IP, IP range, host name or referer url trys to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.

pixelstats

Count every viewer and every article view for each blog entry, no matter how and where it is read: pixelstats tracks views of each blog post or page, not only on a single article page but also on each other page where the complete article is shown, i.e. the blog front page, category pages, search result page, archive pages and even RSS fee

Thanks for watching, subscribing, and most of all supporting the show. Custom commissioned WiFi Pineapples running Jasager are still available.

In this episode Shannon hacks the Wii and shares her favorite homebrew with us. Matt connects 3CX to the PSTN and Darren sets up a network monkey client in Linux.

Show Notes

Twilight Hack

Wii Homebrew

You need a few things:

* wii
* wii mote controller
* computer
* internet access
* small sd card formatted as FAT.
* Zelda Twilight Princess for Wii

The Wii Brew Wiki
Homebrew Channel

How to install the Wii Homebrew Channel on your Wii using the Twilight Hack.

Download the Twilight Hack. There are two versions, one for Wii system 3.3, and one for 3.4. I haven’t updated mine, so I’m still on 3.3.

Download the Homebrew Channel zip file.

Also, if you want, go ahead and download some apps from the HackMii website. I suggest the Homebrew Browser so you dont have to copy apps to the SD card every time you wanna download something new.

You’ll need a small SD card 2 gig or smaller. Make sure to format your SD card as FAT. Do to this, right click on the SD card, and choose format. Simple!

Put the SD card in your Wii, then turn it on. Go to the Wii Options–>Data management–>Save Data–>Wii section of the menu. Find your Zelda: Twilight Princess saved file, and copy it. If you havent played it yet, you might not have a saved file, so go ahead and play a bit. Put your SD card in your computer and copy the “Private” folder from the card to your comp, just in case you may need it in the future.

Move the homebrew executable that you extract from the zip file to your SD card root directory and save it as boot.dol or boot.elf.

Also, save the Twilight Hack Private folder from the extracted zip file to your SD card.

Now, check out your Twilight Princess game CD. It should have some hard to read serial numbers inscribed on the inner circle. Match this serial with the corresponding “Save slot”.
RVL-RZDE-0A-0 JPN /private/wii/title/rzde/data.bin TwilightHack0RVL-RZDE-0A-0 USA /private/wii/title/rzde/data.bin TwilightHack0RVL-RZDE-0A-2 USA /private/wii/title/rzde/data.bin TwilightHack2
Region Inner circle text File Save slot
Europe/Australia RVL-RZDP-0A-0 JPN /private/wii/title/rzdp/data.bin Twilight Hack
Asia (JPN) RVL-RZDJ-0A-0 JPN /private/wii/title/rzdj/data.bin Twilight Hack
America (USA)
America (USA)
America (USA)

Inside the private–>wii–>title folder are 3 folders with letters corresponding to the serials. Delete the two that don’t match your cd.

Put your SD card back in the Wii. Go to Wii Options–>Data management–>Save Data–>Wii and erase the Zelda save now. Open the SD card menu and choose Twilight Hack. Copy to the Wii.

Stick your game CD in your Wii and boot up Zelda! Choose the save slot that corresponds with your serial. Mine was TwilightHack0. Go ahead and skip the intro, it doesn’t hurt the hack. Once you see Link as a playable character, either walk backwards or talk to the guy in front of you. This will start up the hack install process, so just choose “Agree” to everything.

You’re done! Now you can play on the homebrew channel. Yay!

Get the homebrew browser so you can download apps straight from the channel instead of shuffling your SD card around.

To do that, simply stick the sd in your computer and create a folder called apps. Copy the homebrew browser folder and its contents over to the sd and back it goes to your wii!

If you have some cool homebrew for the Wii, tell me about it or ask me any questions at Snubs@hak5.org.

Don’t forget to submit your questions@hak5.org and feedback@hak5.org and thanks for your contributions.

This episode was a blast! Although I got sick over the weekend (and I’m still recuperating), I still had a great time putting together a partially improv sketch and helping Darren with his animation. I hop you enjoy it!

Our friend digininja is at it again. On this episode we feature Robin Wood’s latest hack based on none other than the Fon+ wireless router.

Interceptor is a wireless wired network tap. Simply put you place it in line on an ethernet cable, then connect to it via a special wireless access point. Once connected and running the Interceptor scripts you’ll be able to sniff all of the traffic passing across the wire.

Interceptor doesn’t affect TTL and adds minimal latency to packets. It doesn’t associate to the target network so discovering an active Interceptor on your LAN isn’t trivial.

This tool is perfect for pen testers. The device inexpensive, based on the Fon+ router and using open source software. It is small enough to fit behind a network wall plate, inside a plush monkey, or even inside a network switch or other gear.

In this episode we demonstrate the usage, illustrate the installation and speak with the developer Robin Wood.

You can download the software and play with it yourself from digininja.org/interceptor and find support and discussion at the Hak5 Interceptor Forum.

Thanks for watching, subscribing, and most of all supporting the show. On a related note custom commissioned WiFi Pineapples running Jasager are now available.

We return next week with a regular format show. Don’t forget to submit your questions@hak5.org and feedback@hak5.org and trust your technolust!

DNS Tunneling

The basic premise comes down to this: If you can connect to a wireless access point that has a captive portal running, constantly forwarding your web requests to a payment page, you can most likely bypass those restrictions if you can get name resolution.

Simply open a shell and ping your favorite website. It doesn’t matter if you get ICMP packets back, what you’re looking for is name resolution. If ping says “Pinging www.l.google.com [74.125.95.99]” or similar you should be all set to tunnel your traffic over DNS

In order to get going you’ll need a domain, or sub-domain, a set of Perl scripts called Ozyman, a server to run the ozyman and ssh daemons on, and a little luck

Full step by step instructions can be found at Mubix’s wonderful blog o goodness at Room362.com.

Linux Gaming

In this episode we had the pleasure of having Tyler McAdams of Linux DNA on the show to talk about gaming on Linux and mad performance optimizations with ICC. Tyler was happy to announce that LinuxDNA is now working with Dream Linux for the ASUS eee PC.

Thanks to those who’ve contributed to the success of Hak5. Your donations are greatly appreciated!

Download the episode here!

Getting to know your neighbors — Darren takes a trip around your network with nmap, THE open source network security scanner. Want to obscure your OS fingerprint? Make a Windows Box show up as a printer? Shannon’s got just the thing. And Matt takes a first look at the Napera N24 smart network switch / security appliance. All that and more on this Hak5 Season 5 Premiere!

Taking a trip around your network with Nmap

This week I talk about network scanning with the definitive open source security scanner Nmap.

Scanning ones own network is ideal whether simply to know your neighbors or keep inventory of your assets. As a black hat it can be the first step in enumerating a target environment and looking for weaknesses.

In order to perform our scan we’ll simply need a copy of Nmap. It’s available for Windows, Mac, and just about every flavor of Linux, BSD and more. If you’re on a debian based system like Ubuntu a simple apt-get install nmap should do you good. If you’re looking for a security distribution with nmap (and a ton of other great tools) built in can’t speak highly enough of BackTrack. Version 4 beta was just recently released.

The underlying workings of Nmap are better explained in this guide but suffice it to say it takes advantage of TCP’s 3-way-handshake and other fancy raw packet tricks to find hosts and open ports. In this segment I set out to introduce the concept and get you started with a few basic examples. If you’re interested I recommend Nmap Network Scanning and the official man pages as further reading.

The segment details some commands and their usage in a searching for open MS terminal servers scenario. I highly encourage you to provide feedback either by way of email (darren AT hak5 d0t org) or on our forums. I enjoy doing segments like these but if you have any corrections (more than one way to skin a cat), suggestions for future topics or hacks of your own please let me know.

–Darren Kitchen

Obscure your OS Fingerprint

OSfuscate 0.3 by Irongeek is used to camaflouge or obscure your Windows OS. With this tool, it’ll show up like another OS of your choice, nothing at all, or even a printer. OSFuscate could be used if you are on a hostile network and need some sort of cloak while going along in your daily routine. It is important to note that this is not a fool proof method for hiding yourself on a network and should not be relied upon for security. however, as a layer of obscurity in addition to your regular security practices you may want to consider it.

It’s a simple process to set up OSFuscate on your machine. Go to Start->Run->Regedit. Back up your Parameters folder, found under System->CurrentControlSet->Services->Tcpip->Parameters. You can do this by simply right clicking on the folder, and choosing export. This is basically just to keep yourself form messing up your OS in the process and having no way to return it to normal. You’ll notice on Irongeek’s website that certain Parameter Registry keys will be subtly changed. You could do this by hand, but OSFuscate makes this task super simple. Open OSFuscate, and choose an OS that you want to pretend to be. Restart your computer and the differences should be in place! Now if someone running NMap snoops your computer, they’ll see some other OS other than what you actually have.

You can find more information at Irongeek’s Website. And as always, you can email me with any comments or suggestions.
as it really helps us out. –Shannon Morse

Matt’s full review of the Napera N24 can be found on his blog at MattLestock.com.

Thanks for tuning into our season premiere episode. We’re very excited about all of the exciting new projects coming up in Season 5. We appreciate and encourage your feedback — especially on this episode’s fresh format, pace, and presentation. We strive to make this show better and better for you every week so let us know how we’re doing!

And a big thanks to those who’ve contributed to the success of Hak5. Your donations are greatly appreciated!

Download this Episode!

Darren’s back in the kitchen with an illustrated scenario of online brute forcing every systems administrators beloved remote desktop. He whips up some home made chicken noodle soup and tosses on the ol’ white hat for a talk about countermeasures and security best practices. Then Matt brings you a full featured and aggressively priced alternative to Microsoft’s own Terminal Service. Do I hear cheap thin clients around the corner?

Online Brute Force Countermeasures And Chicken Noodle Soup

Similar in function to SSH, Remote Desktop Protocol is one of the essential tools for administrating Microsoft Windows Servers. The natively encrypted services comes standard on Windows Server and even XP Pro and Vista. It is also serve as the example for a brief follow up to my previous segment on Offline Brute Forcing.

In my scenario I demonstrate how the tool TSGrinder can be used to perform dictionary attacks against RDP services with character substitution (or leet) options. This attack simply demonstrates a few weaknesses in Windows.

First of all by default the Administrator account cannot be locked out remotely. This behavior can be changed using the Passprop utility from the Windows 2000 resource kit. This tool will also allow you to enforce strong passwords. It is also recommended that the administrator account be renamed. There are a few tools for this as well. Though more obscurity than security I recommend changing the RDP listen port. I strongly recommend reviewing Microsoft’s password best practices and considering passphrases. PasswordMeter.com is a nice site that will rate your password on complexity. Finally I recommend enabling extensive auditing. There are a number of third party security applications made specifically for auditing that offer alerting options on events such as online brute force attempts. One application in particular, 2X SecureRDP offers advanced filtering based on IP and Mac addresses for RDP connections. I’m particularly interesting in hearing your feedback on Windows extensive auditing software so please drop me a line, darrenAThak5.0rg!

And my final recommendation on securing RDP is to limit its exposure by keeping TCP 3389 (or whatever port you’ve changed it to) closed. A little SSH tunneling or VPNing can go a long way to keeping unncessary serices away from the wild wild web. I’ve laid the foundation for this in a segment on 1×07 and will follow up with a more robust VPN segment soon. If you’ve got ideas again drop me a line.

Download it here!

Shannon takes the spotlight and opens the show. Darren threatens to vote her off the hakhouse. We postponed the open sourcing of the missile launcher due to finals. Thanks Jason Appelbaum. Our friend Mubix has a great article on Multi-Boot Security Live CDs that makes last weeks pick, UNetbootin even more amazing.

Our next LAN Party will be Half-Life 2 Deathmatch on Saturday, December 13 at game.hak5.org. Prepare to get smack in the face with a flying toilet! Check out all the details at our brand spankin’ new Hak5 LAN Site (with leetness by Squarespace)

Public Key Encryption

In this segment we show you how to setup public key authentication between a windows and a linux host. There are many different software packages through which to accomplish this but we used openssh and putty.

Requirements:

Linux machine or VM running OpenSSH (most distros have it in their repository, or you can find it here: http://www.openssh.com/portable.html

Windows machine with putty software (download the whole package) http://www.openssh.com/portable.html

Installing openssh on linux is relatively straightforward. Refer to their site for details. Once that’s setup, we generated a key using the command “ssh-keygen” and specified the filenames. You can customize the keys you generate as you wish, but we went with the defaults. After entering a passphrase twice, you’ll have a public and private key file, with the public having the extension .pub. The private key file stays on the server but we copy the public key over to our windows machine and convert it into putty format using Putty Generator. After you have the key, you can either pass it with scp using scp -i (pscp in our example since we’re using putty’s scp executable), or you can use the putty ssh client in order to pass the key instead of just a password to authenticate to the server. This makes an easy two-factor authentication mechanism.

–Chris

Driver Backup

After installing a fresh copy of your Windows OS of choice, the biggest headache for most of us is the arduous task of trying to locate drivers for all of our different components. So this post is all about making your reinstall a little less troublesome.

Hereís a list of some of the better driver backup utilities!

DriverBackup2 is a lightweight driver-backup tool. The application is portable with a caveat: youíll need administrative privileges for full use. You can opt to backup one or all of your drivers, the backed up files are dumped into a tree structure based on driver name. DriverBackup2 also allows you to restore and delete unnecessary drivers. If you ever hunted for obscure drivers online, when installing legacy or obscure hardware for instance, DriverBackup2 will save you the hassle of searching them out again.

Double Driver lists all the hardware drivers installed on your system and creates backups of both the actual drivers and lists of the driver names. While handy with any computer, Double Driver really shines if you have a computer that came with pre-installed drivers that are hard if not impossible to come by. With a few clicks youíll have those archaic laptop drivers backed up and ready to put back to work after a fresh install.

DriverMax allows you to easily reinstall all your Windows drivers. No more searching for rare drivers on discs or on the web or inserting one installation CD after the other. Simply export all your drivers (or just the ones that work ok) to a folder or a compressed file. After reinstalling Windows all drivers can be back in place in less than 5 minutes.

DriverView is a helpful upgrade from looking through devices individually in the Device Manager, but the real value here is in the list generation. Create an HTML-formatted backup list for your future troubleshooting needs or export to text to show friends or forum members just whatís gone wrong. While it doesnít actually backup drivers, if youíre still into doing things the old fashion way, DriverView is a great choice!

Now that weíve got all of the corporate slogans and descriptions out of the way, my personal favorite is the first link weíve talked about here. The interface is the least cluttered, and the process really couldnít be any easier. For those of you who are looking to deploy driver backups in an automated fashion, thereís a built in commandline builder! Like I said, Iíve personally used it and really does make life alot easier after a reinstall.

So check it out and if you have any questions, remember: matt@hak5.org – Revision3 Forum or Hak5 Forum

–Matt

Congrats to Mesartwell who correctly answered last week’s trivia. Answer: “Tom is king” and “Jules sucks”. Grab yourself a copy of the Doom alphas

“Hackers Are People Too”

Ashley Schwartau joins us via skype to talk about her documentary Hackers Are People Too

–Darren

Music Organizers

I have thousands of songs on my computer and some of them are missing titles, artists, etc. So when I hop on iTunes to download my feed of podcasts (like Hak5!), I use TuneUp Media to clean up some of my music.

TuneUpMedia

TuneUp Media has the ability to find your songs basically by listening to them, and tell you the information for each one. You simply drag your song over to the clean up bar on the right, and TuneUp finds your songs info in a few seconds. It even gives you a choice of album art you can use.

I like TuneUp simply because Iím really organizational. There are a few bugs thoughÖ Firstly, once you download TuneUp, you donít have the option to close it while in iTunes (unless this has changed recently). Second, there are two versions – free and not free. With the free version, you only have 500 songs to clean up. In the payed version- you can clean up as much as you want.

TagScanner

The second one is TagScanner. Tagscanner is good for someone who doesnít like iTunes. In tagscanner, you can not only clean up the names and artists on your music, but you can also fix up the ID3 tags for each song, down to lyrics and album art. You can also export your music into a .txt or excel spreadsheet, which is pretty neat.

–Shannon
2

Questions

Skybar Baron writes I have a computer from my school and was wondering if there was a way to wipe everything but like Microsoft Office and the OS?

Darren recommends Sdelete.

Until next week we welcome your feedback and remind you to Trust your Technolust

Download it here! http://revision3.com/hak5/Phreaknic

The gang heads to Phreaknic in Nashville Tennessee and in Hak5 tradition brings you a sampling including interviews with Russell Butturini about his U3 Incident Response Tool, Adrian Crenchaw, aka Irongeek, about Keyloggers and other embedded hacking, Daniel Hooper about Software Defined Radio and GNU Radio, Eighty of Dual Core, Droops from Hacker Media, and more. Yeehaw!

Russell Butturini shows us the U3 Incident Response Payload for the USB switchblade. Code and tutorial on the forums.

Adrian Crenchaw, aka Irongeek talks about Hardware Keyloggers and other geeky bits.

Daniel Hooper explains Software Defined Radio, GNU Radio, and the universal software radio peripheral.

Plus talks with Nerdcore star Eighty of Dual Core and Droops from Hacker Media and Hacker Public Radio.