This April 1st we bring you a gem* from the archives. Recently dig’d from a super VHS tape it’s Hak5 episode 507 from 1995. We take a peak at a Windows 95 “chicago” beta build, get our phone phreaking on, and review one of the latest SNES games.

Every geek should take a look at Windows Chicago Build 58 — it’s classic.

Special Information Tones can be used for all sorts of interesting things.

The Lion King for SNES is honestly one of the better Disney games of its time.

We’ll be back next week with an awesome episode from 2009!

Don’t forget to submit your questions@hak5.org and feedback@hak5.org and thanks for your contributions.

This episode was a blast! Although I got sick over the weekend (and I’m still recuperating), I still had a great time putting together a partially improv sketch and helping Darren with his animation. I hop you enjoy it!

Our friend digininja is at it again. On this episode we feature Robin Wood’s latest hack based on none other than the Fon+ wireless router.

Interceptor is a wireless wired network tap. Simply put you place it in line on an ethernet cable, then connect to it via a special wireless access point. Once connected and running the Interceptor scripts you’ll be able to sniff all of the traffic passing across the wire.

Interceptor doesn’t affect TTL and adds minimal latency to packets. It doesn’t associate to the target network so discovering an active Interceptor on your LAN isn’t trivial.

This tool is perfect for pen testers. The device inexpensive, based on the Fon+ router and using open source software. It is small enough to fit behind a network wall plate, inside a plush monkey, or even inside a network switch or other gear.

In this episode we demonstrate the usage, illustrate the installation and speak with the developer Robin Wood.

You can download the software and play with it yourself from digininja.org/interceptor and find support and discussion at the Hak5 Interceptor Forum.

Thanks for watching, subscribing, and most of all supporting the show. On a related note custom commissioned WiFi Pineapples running Jasager are now available.

We return next week with a regular format show. Don’t forget to submit your questions@hak5.org and feedback@hak5.org and trust your technolust!

DNS Tunneling

The basic premise comes down to this: If you can connect to a wireless access point that has a captive portal running, constantly forwarding your web requests to a payment page, you can most likely bypass those restrictions if you can get name resolution.

Simply open a shell and ping your favorite website. It doesn’t matter if you get ICMP packets back, what you’re looking for is name resolution. If ping says “Pinging www.l.google.com [74.125.95.99]” or similar you should be all set to tunnel your traffic over DNS

In order to get going you’ll need a domain, or sub-domain, a set of Perl scripts called Ozyman, a server to run the ozyman and ssh daemons on, and a little luck

Full step by step instructions can be found at Mubix’s wonderful blog o goodness at Room362.com.

Linux Gaming

In this episode we had the pleasure of having Tyler McAdams of Linux DNA on the show to talk about gaming on Linux and mad performance optimizations with ICC. Tyler was happy to announce that LinuxDNA is now working with Dream Linux for the ASUS eee PC.

Thanks to those who’ve contributed to the success of Hak5. Your donations are greatly appreciated!

Download the episode here!

Getting to know your neighbors — Darren takes a trip around your network with nmap, THE open source network security scanner. Want to obscure your OS fingerprint? Make a Windows Box show up as a printer? Shannon’s got just the thing. And Matt takes a first look at the Napera N24 smart network switch / security appliance. All that and more on this Hak5 Season 5 Premiere!

Taking a trip around your network with Nmap

This week I talk about network scanning with the definitive open source security scanner Nmap.

Scanning ones own network is ideal whether simply to know your neighbors or keep inventory of your assets. As a black hat it can be the first step in enumerating a target environment and looking for weaknesses.

In order to perform our scan we’ll simply need a copy of Nmap. It’s available for Windows, Mac, and just about every flavor of Linux, BSD and more. If you’re on a debian based system like Ubuntu a simple apt-get install nmap should do you good. If you’re looking for a security distribution with nmap (and a ton of other great tools) built in can’t speak highly enough of BackTrack. Version 4 beta was just recently released.

The underlying workings of Nmap are better explained in this guide but suffice it to say it takes advantage of TCP’s 3-way-handshake and other fancy raw packet tricks to find hosts and open ports. In this segment I set out to introduce the concept and get you started with a few basic examples. If you’re interested I recommend Nmap Network Scanning and the official man pages as further reading.

The segment details some commands and their usage in a searching for open MS terminal servers scenario. I highly encourage you to provide feedback either by way of email (darren AT hak5 d0t org) or on our forums. I enjoy doing segments like these but if you have any corrections (more than one way to skin a cat), suggestions for future topics or hacks of your own please let me know.

–Darren Kitchen

Obscure your OS Fingerprint

OSfuscate 0.3 by Irongeek is used to camaflouge or obscure your Windows OS. With this tool, it’ll show up like another OS of your choice, nothing at all, or even a printer. OSFuscate could be used if you are on a hostile network and need some sort of cloak while going along in your daily routine. It is important to note that this is not a fool proof method for hiding yourself on a network and should not be relied upon for security. however, as a layer of obscurity in addition to your regular security practices you may want to consider it.

It’s a simple process to set up OSFuscate on your machine. Go to Start->Run->Regedit. Back up your Parameters folder, found under System->CurrentControlSet->Services->Tcpip->Parameters. You can do this by simply right clicking on the folder, and choosing export. This is basically just to keep yourself form messing up your OS in the process and having no way to return it to normal. You’ll notice on Irongeek’s website that certain Parameter Registry keys will be subtly changed. You could do this by hand, but OSFuscate makes this task super simple. Open OSFuscate, and choose an OS that you want to pretend to be. Restart your computer and the differences should be in place! Now if someone running NMap snoops your computer, they’ll see some other OS other than what you actually have.

You can find more information at Irongeek’s Website. And as always, you can email me with any comments or suggestions.
as it really helps us out. –Shannon Morse

Matt’s full review of the Napera N24 can be found on his blog at MattLestock.com.

Thanks for tuning into our season premiere episode. We’re very excited about all of the exciting new projects coming up in Season 5. We appreciate and encourage your feedback — especially on this episode’s fresh format, pace, and presentation. We strive to make this show better and better for you every week so let us know how we’re doing!

And a big thanks to those who’ve contributed to the success of Hak5. Your donations are greatly appreciated!

DOWNLOAD!

Show Notes

USB Device Tracking

If you’ve ever used a USB storage device and wondered how stealthy you can be with them, you’re in for a scare. Windows XP logs pretty much everything you’d want to know about that USB key in the registry each time it’s plugged in and written to.

When you plug in your USB drive, the Plug and Play manager gets notified and queries the device descriptor in the firmware for information about the device. This helps it locate a driver, which is referenced in the %SystemRoot%/inf folder by various .inf files. Once the device is identified and a driver selected, the information is dropped into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR with a format similar to Disk&Ven_###&Prod_###&Rev_### which will identify the device ID, manufacturer and more. An important number you will find here is the ParentID prefix, which I did not actually say during the segment but this is something that will appear in virtually every registry entry regarding the device.

Microsoft uses serial numbers on the devices to distinguish between devices with the same manufacturer or model. In the case that the serial number is not unique (or even not present), the PnP manager will create a unique instance ID for the device.

All of the numbers you find related to each device should be logged if you’re doing any sort of investigation or trying to track a device across computers.

If you’re trying to determine whether data was perhaps pilfered from your machine/network, you will want to look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses, where you will find the ParentID prefix and will be able to correlate to the device. You should also see the manufacturer name here. We are looking for the Last Write time which will help in determining whether data was pilfered by giving you a timeframe as to when someone last copied data to the device. In order to do this, you’re going to right click on the entry that has the ParentID prefix and manufacturer name for the device you want, and then click Export. Change the file extension to .txt and name it anything you want, remembering where you save the file. Upon opening this file up, you will find the last write time.

There are many applications for this data, and you’ll probably never be in the registry doing it quite this way, as there are many tools, both commercial and free that will simplify all of this. This data is also used in tools/services which help track your devices, such as iHound (ihoundsoftware.com), which helps you track devices if they’re stolen.

If you have any questions feel free to contact me here and visit my website. Many thanks to Harlan Carvey, author of the 2007 book Windows Forensic Analysis (I think I might’ve errantly said 2005, sorry) for without this book I wouldn’t have known as much as I do about the windows registry.

–Chris Gerling Jr.

PFsense

While our smoothwall is and has been working well for us for the past two years, I recently had the need for something a little more robust.

I came across a fork of the monowall project, pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

Here’s a short summary of some of the eye catching features.

* Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
* Able to limit simultaneous connections on a per-rule basis
* pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the Operating System in use.
* Option to log or not log traffic matching each rule.
* Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
* Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
* Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
* Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
* Enabled in pfSense by default
* Can disable if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
* Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
* pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP.

There’s a ton of other great features that you can read up on at http://is.gd/iauk

The LiveCD ISO is available from http://www.pfsense.org/mirror.php?section=downloads and for VMware folks, a prebuilt VM is available at http://files.pfsense.org/vmware/pfSense-1.2.2-VM.zip

–Matt Lestock

LAN Party

This month, we are playing Left4Dead and Zombie Panic! Join us for our LAN Party on Saturday, February 28th at L4D.hak5.org or ZP.hak5.org for a good ol’ zombie apocalypse.

Trivia

Last week’s trivia was: “In PHP, which is faster and why? echo”Hello World”; or print(”Hello World”);?” Zoltan answered right with: “Echo is faster because it doesn’t set a return value and ‘print’ is a more complex function.” Zoltan wins a copy of Pronobozo’s CD ‘Zero=One=Everything’. You can check out more of Pronobozo’s music at his website.

If you want to win this week’s giveaway, enter the letters you see popping up during the episode into our trivia page and answer the trivia question in the first 24 hours from when this episode releases. We will choose a random winner out of the correct answers!

iTunes

Remember to subscribe to our new HD feed on iTunes at Hak5.org.

Feedback

Have a segment suggestion, constructive feedback, or a snack idea for Kerby? Email your ideas to Feedback@hak5.org. Thank you!

Stickers

Don’t forget! We’ve got brand new sticker packs as thanks for your donations at Hak5.org/stickers. Without your help, we wouldn’t be HD right now.

Shmoocon

We will be at Shmoocon this weekend, February 6-8 in Washington DC. If you are in the area, join us for the annual podcaster’s meetup. Meet our cast and crew as well as lots of other great podcasters from PaulDotCom, Securabit, Sploitcast, Cyber Speak, Security Justice, and more! Get the info at Podcaster’s Meetup.com.

Survey

We’re conducting a survey to get some additional information about our viewer. We would love your feedback. If you have a few minutes to spare, please do us a favor and take the survey at the survey page.

For those of you who complete the survey, you will be treated to a sneak peek at a new show that Revision3 has been working on and get a back stage look at the pre-production of a Hak5 episode.

Trust your Technolust!

Download it here!

Shannon takes the spotlight and opens the show. Darren threatens to vote her off the hakhouse. We postponed the open sourcing of the missile launcher due to finals. Thanks Jason Appelbaum. Our friend Mubix has a great article on Multi-Boot Security Live CDs that makes last weeks pick, UNetbootin even more amazing.

Our next LAN Party will be Half-Life 2 Deathmatch on Saturday, December 13 at game.hak5.org. Prepare to get smack in the face with a flying toilet! Check out all the details at our brand spankin’ new Hak5 LAN Site (with leetness by Squarespace)

Public Key Encryption

In this segment we show you how to setup public key authentication between a windows and a linux host. There are many different software packages through which to accomplish this but we used openssh and putty.

Requirements:

Linux machine or VM running OpenSSH (most distros have it in their repository, or you can find it here: http://www.openssh.com/portable.html

Windows machine with putty software (download the whole package) http://www.openssh.com/portable.html

Installing openssh on linux is relatively straightforward. Refer to their site for details. Once that’s setup, we generated a key using the command “ssh-keygen” and specified the filenames. You can customize the keys you generate as you wish, but we went with the defaults. After entering a passphrase twice, you’ll have a public and private key file, with the public having the extension .pub. The private key file stays on the server but we copy the public key over to our windows machine and convert it into putty format using Putty Generator. After you have the key, you can either pass it with scp using scp -i (pscp in our example since we’re using putty’s scp executable), or you can use the putty ssh client in order to pass the key instead of just a password to authenticate to the server. This makes an easy two-factor authentication mechanism.

–Chris

Driver Backup

After installing a fresh copy of your Windows OS of choice, the biggest headache for most of us is the arduous task of trying to locate drivers for all of our different components. So this post is all about making your reinstall a little less troublesome.

Hereís a list of some of the better driver backup utilities!

DriverBackup2 is a lightweight driver-backup tool. The application is portable with a caveat: youíll need administrative privileges for full use. You can opt to backup one or all of your drivers, the backed up files are dumped into a tree structure based on driver name. DriverBackup2 also allows you to restore and delete unnecessary drivers. If you ever hunted for obscure drivers online, when installing legacy or obscure hardware for instance, DriverBackup2 will save you the hassle of searching them out again.

Double Driver lists all the hardware drivers installed on your system and creates backups of both the actual drivers and lists of the driver names. While handy with any computer, Double Driver really shines if you have a computer that came with pre-installed drivers that are hard if not impossible to come by. With a few clicks youíll have those archaic laptop drivers backed up and ready to put back to work after a fresh install.

DriverMax allows you to easily reinstall all your Windows drivers. No more searching for rare drivers on discs or on the web or inserting one installation CD after the other. Simply export all your drivers (or just the ones that work ok) to a folder or a compressed file. After reinstalling Windows all drivers can be back in place in less than 5 minutes.

DriverView is a helpful upgrade from looking through devices individually in the Device Manager, but the real value here is in the list generation. Create an HTML-formatted backup list for your future troubleshooting needs or export to text to show friends or forum members just whatís gone wrong. While it doesnít actually backup drivers, if youíre still into doing things the old fashion way, DriverView is a great choice!

Now that weíve got all of the corporate slogans and descriptions out of the way, my personal favorite is the first link weíve talked about here. The interface is the least cluttered, and the process really couldnít be any easier. For those of you who are looking to deploy driver backups in an automated fashion, thereís a built in commandline builder! Like I said, Iíve personally used it and really does make life alot easier after a reinstall.

So check it out and if you have any questions, remember: matt@hak5.org – Revision3 Forum or Hak5 Forum

–Matt

Congrats to Mesartwell who correctly answered last week’s trivia. Answer: “Tom is king” and “Jules sucks”. Grab yourself a copy of the Doom alphas

“Hackers Are People Too”

Ashley Schwartau joins us via skype to talk about her documentary Hackers Are People Too

–Darren

Music Organizers

I have thousands of songs on my computer and some of them are missing titles, artists, etc. So when I hop on iTunes to download my feed of podcasts (like Hak5!), I use TuneUp Media to clean up some of my music.

TuneUpMedia

TuneUp Media has the ability to find your songs basically by listening to them, and tell you the information for each one. You simply drag your song over to the clean up bar on the right, and TuneUp finds your songs info in a few seconds. It even gives you a choice of album art you can use.

I like TuneUp simply because Iím really organizational. There are a few bugs thoughÖ Firstly, once you download TuneUp, you donít have the option to close it while in iTunes (unless this has changed recently). Second, there are two versions – free and not free. With the free version, you only have 500 songs to clean up. In the payed version- you can clean up as much as you want.

TagScanner

The second one is TagScanner. Tagscanner is good for someone who doesnít like iTunes. In tagscanner, you can not only clean up the names and artists on your music, but you can also fix up the ID3 tags for each song, down to lyrics and album art. You can also export your music into a .txt or excel spreadsheet, which is pretty neat.

–Shannon
2

Questions

Skybar Baron writes I have a computer from my school and was wondering if there was a way to wipe everything but like Microsoft Office and the OS?

Darren recommends Sdelete.

Until next week we welcome your feedback and remind you to Trust your Technolust

Download it here!

Show Notes

Is WPA Broken? Interesting stuff coming out of PacSec this year. Ars has a great writeup about it our check out Martin Beck and Erik Tews’ paper Practical attacks against WEP and WPA (PDF). There is a proof of concept tool available from the Aircrack-NG folks. Take a look at Tkiptun-ng. At time of writing the tool is not fully functional. Something to keep an eye on.

Steve P. writes to us about the Helmer beowulf cluster. This 6xCore2Quad is sure to make any geek smile. Kitty approved too! While stuffing a personal cluster into an Ikea cabinet is novel in and of itself the mad scientist behind it has thought some insane cluster designs including the 50 tflop Helmer 2 and the 4 pflop Helmer 3. All I can say is I want one. Thanks for the links Steve.

Darren enjoys a Bondages’ No Problem while Matt and Shannon stick with the margaritas.

More importantly Darren talks about Session Hijacking and demos a tool from Errata Security called Hamster and Ferret that, in conjunction with the latest 2.0 build of Jasager, an ICS’d EVDO connection and Tftpd32 we’re able to “sidejack” with our little man-in-the-middle setup. Lesson learned? Be suspicious of any wifi. Check for signatures of trusted networks and tunnel your traffic. We’ll come back to this topic with a more indepth segment on Jasager detection and traffic encryption soon.

A note on trivia. Please answer trivia questions on the Hak5 forums from now on. We would love to continue doing dual winners but with growing prize costs we cannot. Also, if you’re interested in volunteering to help with trivia code challenges lend a hand in the Dev5 board.

Matt shows us how to convert a physical server into a virtual server locally using the free VMware converter tool and talks about some of the concerns you must consider when preparing to virtualize. If you have virtualization questions hit up Matt and we’ll cover ‘em on future segments. Matt at Hak5 d0t org.

Alex W. writes with a question about screen recording. We highly recommend the open source Camstudio as well as FRAPS and Techsmith’s Camtasia Studio (warning: sticker shock may occur at techsmith.com). Paul (our “camera guy”) suggests checking out the new screen capturing functionality of the latest verison of VLC, especially if you’re on the Linux or Mac side.

As always we’d love to hear your feedback. Your questions, comments or concerns can be directed to HakHouse.com. It’s a crazy interactive project we’re working on. Just wait ’till we get the web-enabled robots up in there.

Trust your Technolust

Download it here! http://revision3.com/hak5/Phreaknic

The gang heads to Phreaknic in Nashville Tennessee and in Hak5 tradition brings you a sampling including interviews with Russell Butturini about his U3 Incident Response Tool, Adrian Crenchaw, aka Irongeek, about Keyloggers and other embedded hacking, Daniel Hooper about Software Defined Radio and GNU Radio, Eighty of Dual Core, Droops from Hacker Media, and more. Yeehaw!

Russell Butturini shows us the U3 Incident Response Payload for the USB switchblade. Code and tutorial on the forums.

Adrian Crenchaw, aka Irongeek talks about Hardware Keyloggers and other geeky bits.

Daniel Hooper explains Software Defined Radio, GNU Radio, and the universal software radio peripheral.

Plus talks with Nerdcore star Eighty of Dual Core and Droops from Hacker Media and Hacker Public Radio.

Episode 409 – HappyHakoween: Password Cracking Clusters, Remote Control Services, Wireshark Packet Filtering

Matt shows us how to turn anything into a service and provide a web frontend to manage them windows server, great for game server administration. Chris Gerling wraps up his three part series on Packet Sniffing with Wireshark techniques for packet filtering. Darren harnesses the CPU power of the HakHouse for good or evil to demonstrate cluster computing. Plus details on our Hak5 Halloween LAN Party!

Matt Lestock turns any windows application into a service using instsrv and srvany and demonstrates how we use this technique, coupled with Panel Daemon to delegate game server administration at the Hak5 playground.

Chris Gerling shows us some packet filtering techniques using the network analyzer Wireshark. He covers capture filters, display filters, colors and statistics. Read more on packet sniffing on his blog at ChrisGerling.com

Darren Kitchen talks about parallel computing. He touches on grid computing and massively parallel processors though he mainly focuses on clustering. Darren demonstrates simple windows password cracking techniques using an openMosix based image and discusses the theory behind setup. Darren has a lot of further reading for you to check out on his blog and would like to hear your feedback about building the Hak5 beowulf cluster!

And on a production note: We’ve switched over from a standard-def composite based video mixing solution to a high-def HDMI based system. Unfortunately until we get a Mac Pro and switch to Final Cut Pro for editing we’re unable to release a 720p version of Hak5. But we’re well on our way to bringing you guys truly high def technolust thanks to everyone who has continued to support this cause. Thanks!

Thanks for watching Episode 409! <3

Hak5 ep 408 – Building Packets

Chris Gerling breaks down IP and TCP headers with Wireshark and building blocks. Shannon Morse shows us DosBox, a free IBM PC DOS emulator. Christine Bourquin talks about Alice, a teaching programming language for beginners. Darren Kitchen summarizes his experience at Day-Con and answers some questions about Fon batteries.

Chris Gerling dives into the structure of IP and TCP headers in part two of his three part series on packet sniffing. He covers everything from source ports to checksums and everything in between offering insight into TCP packets in plain English. Then in part three he covers basic Wireshark usage and advanced techniques. Read more on packet sniffing on his blog at ChrisGerling.com

Shannon Morse shares with us DosBox, the free and open source IBM PC emulator that allows you to break out those old floppies and play your DOS games once again. While we wait for DNF, anyone for a Duke Nukem 3D deathmatch?

Christine Bourquin demos Alice, an innovative 3D programming language that makes it easy to teach programming using a simple drag-and-drop interface. Perfect for the next generation of computer scientists.

Darren Kitchen brings us his review of Day-Con with photos courtesy of the security twits. He also talks about Jasager batteries both big and small.

And on a production note: We’ve switched over from a standard-def composite based video mixing solution to a high-def HDMI based system. We’re not ready to release the full 720p quite yet as we’re ironing out (read: developing on the fly) the post production process but in the mean time we’ve got damn good looking 480p and we’re looking for your feedback. Thanks a million to everyone who has donated and helped make this happen!

On my segment, I chatted with ya’ll about Dosbox. The first time we shot the segment, we had such bad audio quality that I had to go back and shoot the segment again late into the night… /sigh. Such things happen when you work on a show.

Dosbox is a totally nifty creation that emulates an IBM pc compatible computer running MSDOS. Although dosbox is basically intended to run old school video games from the late 80′s and early 90′s, it can take on other tasks.

One of the key features about Dosbox is it’s ability to run peer-to-peer and internet/intranet video games. It simulates an entire modem, so you and your friends can play those old TCP/IP or IPX network multiplayer games easily with each other.

You can also take simple photos of your gameplay or video footage which is created with the ease of the click of a button. Hit CTRL+F5 for your photo, or CTRL+ALT+F5 to begin a video then again to end it. This makes for easy tutorial building, as well as nice video clips to share. The video is recorded into a folder called captures.

I found lots of good information about Dosbox at this wiki: http://en.wikipedia.org/wiki/DOSBox, as well as their main site: http://www.dosbox.com/. Here, you can find a HUGE list of games that are supported by Dosbox as well as FAQ’s, their own wiki, and forums.

Oh, and did I mention it’s open source and free? Yup