Snubs

Shannon Morse


Last Updated: 11/30/2009


Gender: Female
Status: In a Relationship
Age: 24
Sign: Scorpio

City: Williamsburg
State: Virginia
Country: US
Signup Date: 10/15/2007

July 9, 2009 - Thursday 

Category: Podcast

The Cold Boot Attack on Hak5

521


When it comes to recovering encryption keys from memory nobody has a more intriguing method than Princeton University researchers who pioneered what is known as the Cold Boot Attack.

Their paper, Lest We Remember: Cold Boot Attacks on Encryption Keys, debunks the popular assumption that RAM modules lose their contents the instant power is lost. As it turns out, the degradation of memory contents can take anywhere from seconds to minutes at room temperature. Furthermore, this degradation can be slowed considerably by cooling the memory module.

The researchers go on to outline several methods for copying memory from a reset computer or extracted RAM module. Princeton University’s Center for Information Technology Policy site maintains the paper, videos, and source code from the research.

The USB/PXE imaging tool combined with the AES key-finding tool makes a powerful pair: the first captures the contents of RAM, the second searches that image for AES key schedules. In this week’s show we discuss and demo these tools in action.

We also touch on the McGrew Security RAM Dumper and Foremost.

After laying the groundwork for this attack I’ll be back in studio next week with more in-depth demos and answers to your questions. Please send your feedback and questions along to feedback@hak5.org.

Darren Kitchen

PlayXPert is a unique in-game overlay for PC and MMO games, incorporating the popular use of social media and the web with the importance of impressive FPS and undisturbed gameplay. PlayXPert lets you play your game without ever having to Alt-Tab out of the game by downloading the small widgets and customizing your opacity, widget settings, and key bindings. You can see it for yourself at their site: PlayXPert.

Shannon Morse

Also don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

View the original post | Visit 1337 g@m3r, n00b h@x0r

Published with Socialite. A Wordpress Plugin.

July 2, 2009 - Thursday 

Category: Podcast

Episode 520 – Encrypt your entire hard drive!

What’s your best defense against a boot CD that breaks Windows passwords in two keystrokes? Encrypting your entire hard disk. Shannon’s got the details on TrueCrypt drive encryption while Darren brings up plausible deniability with hidden volumes.


Encrypting your entire hard drive

TrueCrypt is an open-source, free program for everyone.
Download the latest version of TrueCrypt.

Open TrueCrypt and choose ‘Create Volume’. Choose ‘Encrypt entire hard drive’. Then you will choose whether you single-boot or multi-boot your machine.

On the encryption options, I just choose AES because it is the default setting, and it’s a very strong cipher.

Next you will choose a password. This option is neat because it actually gives you a small notice saying that a password with fewer than 20 characters is easier to break than one with more than 20.

On the next page, you must generate random data. You move your mouse around inside the window, and TrueCrypt feeds the movements into the random pool it uses to generate the encryption keys. The more (and the more random) the mouse movement, the more entropy the key material has.

TrueCrypt will make you create a rescue disk. This is easy if you have a CD burner already installed in your tower. If not (if you have a netbook), you must create the rescuedisk.iso and burn it onto a flash drive or something of the like. You are basically making TrueCrypt think you have a CD burner and are burning the CD, when instead you are just sticking the ISO on a USB flash drive.

For my netbook, I used WinCD Emu (http://wincdemu.sysprogs.org/). WinCD Emu emulates the burning of a CD, so TrueCrypt thinks you’ve finished this task.

TrueCrypt will ask you to wipe your drive, and I just choose none since I don’t really need to. Next you must go through a pretest. Your computer will restart and a TrueCrypt login screen will appear before the Windows login (this is why Kon-Boot wouldn’t work!). If everything goes well and the pretest completes with no problems, you can begin encrypting. Encryption takes a LONG time, so be patient! Once it’s done, it’ll prompt you, and you’re finished!

For a more in-depth step-by-step guide, go here.

And as always, you can email me at snubs@hak5.org!

Plausible Deniability with Hidden Truecrypt Volumes

Plausible deniability basically means being able to deny awareness of something. For a richer explanation check out Wikipedia’s article on the subject; it’s quite interesting.

In regards to TrueCrypt, our subject of the week, plausible deniability refers to the ability to hide encrypted volumes within encrypted volumes, since it cannot be proven that a hidden volume exists within a TrueCrypt volume: the unused space of a volume is filled with random data, and an encrypted hidden volume is indistinguishable from that random fill.

Hidden volumes can contain just about any data, including entire operating systems. It is important to note that the sectors of a hidden volume do not change over time while the outer volume is in use. If an adversary had access to the outer volume contents over a period of time, the existence of a hidden volume could be proven if a region of sectors was never read from or written to while the rest of the volume changed.
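The caveat above, as an added simulation that is not part of the original post: a container starts out filled with random data, so a hidden region is invisible in any single snapshot, but across several snapshots the outer-volume sectors churn while the hidden region stays static. The sector size, the layout (64 sectors, hidden region at 48..63) and the daily workload are constructed for the demonstration, not taken from TrueCrypt.

```python
"""Simulate why a hidden volume leaks over time: its sectors never change."""
import hashlib
import os
import random

SECTOR = 512  # constructed sector size for the simulation


def new_container(n_sectors: int) -> bytearray:
    """A freshly created container: every sector is random data, so a hidden
    volume cannot be told apart from unused space in a single snapshot."""
    return bytearray(os.urandom(n_sectors * SECTOR))


def sector_hashes(img: bytes) -> list:
    """One digest per sector; only equality between snapshots matters."""
    return [hashlib.sha256(img[i:i + SECTOR]).digest()
            for i in range(0, len(img), SECTOR)]


def simulate_days(n_sectors: int, hidden_start: int, days: int, seed: int = 1) -> list:
    """Constructed workload: each day the owner rewrites about half of the
    outer-volume sectors (below hidden_start) but never touches the hidden
    region. Returns one list of sector hashes per day (a forensic snapshot)."""
    rng = random.Random(seed)
    img = new_container(n_sectors)
    snapshots = [sector_hashes(img)]
    outer = list(range(hidden_start))
    for _ in range(days):
        for s in rng.sample(outer, k=max(1, len(outer) // 2)):
            img[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)
        snapshots.append(sector_hashes(img))
    return snapshots


def static_sectors(snapshots: list) -> set:
    """Sectors whose content is identical in every snapshot."""
    first = snapshots[0]
    return {i for i in range(len(first))
            if all(snap[i] == first[i] for snap in snapshots[1:])}


def static_runs(sectors: set) -> list:
    """Collapse a sector set into contiguous (start, length) runs, longest
    first. A long run that stays static while its neighbours churn is the
    signal the passage warns about; short runs are usually untouched free
    space, so this heuristic has false positives with too few snapshots."""
    runs, start, prev = [], None, None
    for s in sorted(sectors):
        if start is None:
            start = prev = s
        elif s == prev + 1:
            prev = s
        else:
            runs.append((start, prev - start + 1))
            start = prev = s
    if start is not None:
        runs.append((start, prev - start + 1))
    return sorted(runs, key=lambda r: -r[1])


if __name__ == "__main__":
    snaps = simulate_days(n_sectors=64, hidden_start=48, days=30)
    for start, length in static_runs(static_sectors(snaps))[:3]:
        print(f"static run: sectors {start}-{start + length - 1} ({length} sectors)")
```

With 30 daily snapshots the outer region has been rewritten everywhere, so the only static run left is the constructed hidden region, which is exactly the pattern the passage says an adversary could use.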

Questions? Comments? Write me directly, Darren@Hak5.org or send feedback to the entire Hak5 crew.


July 1, 2009 - Wednesday 

Category: Podcast

Truecrypt Your Entire Hard Drive!

Truecrypt can be found here:

http://www.truecrypt.org/


June 27, 2009 - Saturday 

Category: Podcast

Episode 519 – Building the Ultimate White Box for under $2000

519

Building the ultimate white box ESXi server for under $2000! Can it be done? Darren and Matt grab the company credit card and answer that question.


Building the Ultimate White Box Server for under $2000

When it comes to building a white box server for ESXi your best resources are vm-help.com (http://vm-help.com/), UltimateWhiteBox.com (http://ultimatewhitebox.com/), the VMware Compatibility Guide (http://www.vmware.com/resources/compatibility/search.php), and the VMware community (http://communities.vmware.com/home.jspa).

We carefully selected ESXi-supported components based on reliability and value. If this were the ultimate $3000 white box server we might have picked a server board with dual Xeons and ECC memory, but to keep it under that magic $2000 price point we went with beefy “desktop” components such as the Intel Core i7 920 (http://www.newegg.com/Product/Product.aspx?Item=N82E16819115202), the ASUS P6T Deluxe (http://www.newegg.com/Product/Product.aspx?Item=N82E16813131365), and 12 GB of Corsair XMS3 memory (http://www.newegg.com/Product/Product.aspx?Item=N82E16820145233).

Controller wise you can’t go wrong with the 3ware 9650SE-4LPML (http://www.newegg.com/Product/Product.aspx?Item=N82E16816116042). It supports four SATA II drives in RAID 0, 1, 5, 10 or JBOD. Its bigger brother, the 9650SE-16ML (http://www.newegg.com/Product/Product.aspx?Item=N82E16816116045) sixteen-channel SATA II controller, is hot too — just at three times the price. The 9650SE isn’t supported out of the box by ESXi, but 3ware provides a knowledge base article and drivers (http://www.3ware.com/KB/article.aspx?id=15548) to add support for the card after your ESXi box is built.

For drives we picked up four Western Digital Caviar Black 1TB drives (http://www.newegg.com/Product/Product.aspx?Item=N82E16822136284) since they’re cheap and reliable.

To make things easy when installing all these components in our Rosewill RSV-Z4000 4U rackmount case (http://www.newegg.com/Product/Product.aspx?Item=N82E16811147101) we picked up a 4-drive trayless hot-swap SATA backplane from StarTech (http://www.newegg.com/Product/Product.aspx?Item=N82E16817707117). IcyDock makes one too. This was the only $100 spent on convenience over performance/value, but anyone who has dealt with 5.25″ to 3.5″ mounting brackets will agree it’s worth every penny.

Rather than installing ESXi on the RAID, we used a 4GB USB drive from Patriot, the Xporter XT (http://www.newegg.com/Product/Product.aspx?Item=N82E16820220251). It boasts really fast read/write times. I’m sure any old 1GB or larger USB drive would have done, but they’re so cheap, why not?

We’re doing a little white box server contest. Winners will get all sorts of swag from the Hak5 Store (http://www.hak5.org/hakshop/). Check out all the details in the episode release thread (http://hak5.org/forums/index.php?showtopic=13481) at Hak5.org.


June 18, 2009 - Thursday 

Category: Podcast

Episode 518 - Hacking WPA, ESXi and iSCSI, Bypass Windows Passwords

518


Cracking WPA Keys with Cowpatty

A lot has changed since I last talked about WPA cracking on Hak5. Specifically, Joshua Wright, author of coWPAtty, has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in coWPAtty 4.5 is the “-2” option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frames opens up a world of possibilities when it comes to trapping targets with rogue access points, or “honey pots”.

An example scenario illustrated on Wright’s blog details how an attacker may pose as a victim’s corporate wireless access point. Since it doesn’t matter whether the target completes association with the honey pot, anything from hostap to a spare WPA-supporting access point with a bogus key will do.

Of course this has our friend Robin Wood pondering a Jasager plugin. Pineapples anyone?


As for carrying out the attack, it’s pretty straightforward. I use BackTrack as my hacking OS of choice, coupled with an Eee PC or Acer Aspire One. When it comes to wireless I’m a big fan of the ALFA AWUS036H 500mW USB wireless adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straightforward and well highlighted in the episode. There are a number of ways to go about this, so if you’ve got another method you’d like to share with me, questions about this, or suggestions for future topics, drop me a line: darren[at]hak5=dot=org.

Excerpt Darren Kitchen’s blog

ESXi & iSCSI

So the series I’ve been doing on ESXi has been getting nothing but great feedback, and I’m glad that I can share what I’ve learned over the course of the last couple years with everyone.

On episode 518 of Hak5, we show how truly easy it is to add iSCSI storage to a free deployment of ESXi.

So what is iSCSI?

In computing, iSCSI (pronounced /aɪˈskʌzi/) is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a popular storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

In simpler terms, using some free software, it’s stupid easy to create a large amount of storage which is not tied to the physical adapter of the host server (in this case, the server ESXi is running on).

So what do we need?

  • Functioning ESXi Installation
  • Server capable of running FreeNAS
  • Gigabit connectivity between ESXi server and FreeNAS

Now let’s get started. While it’s recommended to separate your iSCSI traffic from your other network traffic (both for performance and because the target’s only access control here is the authorized IP network), for the purpose of this instruction we’re just going to use the same IP subnet for all of our LAN and iSCSI traffic.

Our ESXi server sits at 10.10.1.55 and our newly installed FreeNAS server is located at 10.10.1.66

  1. Connect to your FreeNAS server through the WebGUI using your favorite browser. In the top menu select Disks, then click Management.
  2. Click on the plus sign in the lower right corner to add drives.
  3. Next to Disk, choose the drive you want to add from the drop down, and if you want enter a description for it next to Description.
  4. When you go back to the Disk Management screen you will be asked to confirm the addition by clicking on Apply changes, go ahead and do that now.
  5. From the top menu choose Services, then iSCSI Target.
  6. Click on the plus sign in the Extent area.
  7. The Bolded fields are required, so place a name in the Extent name field, leave the Type as Device, and then choose the Device you want in the dropdown.
  8. When you get back to the iSCSI Target page click on Apply changes.
  9. Click on the plus sign in the Target area.
  10. As before the Bolded fields are required. Here is a breakdown of the fields:

    Target name: Add your own or leave the default

    Flags: RW for Read/Write or RO for Read Only

    Storage: Will have the extents listed that were setup, choose the one you want to use

    Authorized Network: Enter the IP network that can access this drive. For us we’re going to enter 10.10.1.0 and we’ll leave the /24 as our subnet is 255.255.255.0

    Once you fill in all the info click on Add.

  11. Back at the iSCSI target page you need to click on Apply changes once again.
  12. Now place a check in the box next to Enable in the top right corner and then click Save and Restart in the bottom left.
  13. The iSCSI Target drive is now setup and ready for use.

Now we need to setup ESXi to connect to our newly created iSCSI target.

Start by logging into your host using the Virtual Infrastructure Client.

Click on your host, and then click the configuration tab.

Click Storage adapters, and then select your VMHBA32 iSCSI storage adapter.

Click properties and configure, then check the enabled box.

Go to the dynamic discovery tab, and add your FreeNAS IP address (in this case, 10.10.1.66).

Click ok, then close, and then rescan the HBA.

At this point you should see your storage, now we need to format the new storage.

So click back to the storage option on the left.

Then click Add Storage.

Select Disk / Lun, and click next.

Select your new disk on the FreeNAS iSCSI target, and next, next, finish.

DONE!

Questions? Post ’em in the comments!

Excerpt Matt Lestock’s blog

Bypass Windows Local Logins

Kon-Boot

Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel (and now the Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows logging into a Linux system as the ‘root’ user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password. It was actually started as a silly project of mine, which was born from my never-ending memory problems :) Secondly, it was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider this is my first Linux project so far :) The entire Kon-Boot was written in pure x86 assembly, using the old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot latches onto parts of memory and patches parts of the kernel (the brain!), mainly the parts that handle logon authentication and security. These patches let you log on without a password. The bootkit lives only in memory during that boot, so it leaves no footprints behind on disk after you leave.

DUDE!

To do this:

Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:

Password protect your BIOS!

TrueCrypt your entire hard drive! (The TrueCrypt boot loader asks for the volume password before Windows ever loads, so a kernel-patching boot CD has no unencrypted system to patch.)

Excerpt Shannon Morse’s blog


June 18, 2009 - Thursday 

Category: Podcast

Episode 517 - Packet Injection, WPA Attacks, Virtualization

517

In an effort to thwart hangovers the gang drops by DC’s Tavern in Hoboken to geek out about WiFi and virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA tables out there for use with coWPAtty. (And another little plus is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords. ;-) )

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.

View the original post | Visit 1337 g@m3r, n00b h@x0r

Published with Socialite. A Wordpress Plugin.

June 15, 2009 - Monday 

Category: Podcast

Kon-Boot


June 13, 2009 - Saturday 

Category: Podcast

Tokidoki, a new kind of purse

Okay, you might read that header and think, wow… This really is a girl’s blog. Well yea, you’re right. But I found these adorable purses and I’ve never seen them before, so I wanted to share my finding with you :)

First off, ‘tokidoki’ is a word from the Japanese language that can be translated to ’sometimes’. For example, “Sometimes, I go to the movies” or “I like to play video games sometimes.” Back in Japanese class last year, I learned the word and laughed every time I said it. C’mon! It’s a silly word! ^_^

So I was up in NYC getting lost in the East (?) Village and found this cute little store that sold watches and Tokidoki purses. This guy named Simone Legno is the creator, although… I don’t think he’s Japanese…

There is a huge following for the Tokidoki brand online. The business has created little dolls of the characters off the purses, and notepads, posters, etc. People go crazy when they see these. Did I mention the characters have names?

The Purses! (four photos of the purses: tokidoki1 through tokidoki4)

You can tell I keep leaning towards the same design. Color, bright, busy, VERY anime-like. My style has been found, finally. I always hated going to the mall trying to find that one bag that I liked, because they are always $400.00 Coach purses, or LV purses, or fake-designer, or sequins so much they look like fish… Although these range $100.00 to $200.00 for each Tokidoki purse, I’m not put off because I really like the design.

And that was my girl-on-a-soap-box speech for the day. :)


June 7, 2009 - Sunday 

Category: Podcast

Episode 516 - Roll your own VMware ESXi Server and more

http://www.hak5.org/episodes/episode-516


Darren’s on a mission to mount a digital video camera to his motorcycle. While commercial options such as the $300 Vholdr Contour HD and $150 Oregon Scientific AT3K are available, why not build your own universal camera mount for about 5 bucks.

Continuing with the theme of rolling your own, why not build your own ESX/ESXi compatible virtual machine host? Matt builds one that fits inside a gym bag and walks us through setting up ESXi in about 10 minutes (give or take a few progress bars).

Rounding out the nearly free and useful bits this episode, Shannon shows us an open source video editing application that may be perfect for your light video editing needs. Avidemux is a lightweight editor perfect for simple video trimming, filtering and encoding. It sports some really nice automation and job queuing features and comes with profiles pre-configured for common formats such as MP4 for iPod, PSP, or Apple TV.
