March 2007 Archives

Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian, Nick "Twitchy" Depetrillo, Joe "Mr. C" Conlin
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds:


Major Malfunction = Larry Pesce

This past weekend Major Malfunction presented on and released his RFIDiot tools at Shmoocon. I was in attendance and had the opportunity to talk with him earlier in the weekend.

He presented his tools, all based in Python, to the audience and demonstrated a number of cloning attacks, as well as the ability to read the new UK passports. The UK passports contain all of the information needed to create a new one, including a digital version of the picture.

The challenge that he faced with the passports is that a key is required to read the RFID chip. However, he was able to obtain all of the information needed to brute force the required key in only a few hours, using only the information printed on the envelope.

It also seems that Major Malfunction has a keen interest in cloning of humans. Well, not so much the humans, but their implanted RFID chips. As you may be aware, I have an implanted chip, and spent some time on stage with Major to have him clone me in front of a live audience. He was successful in cloning my chip, and was able to utilize it to unlock my laptop.

Now you may be asking, "Why would Larry allow someone to clone his implanted chip?". The reasons are simple:

  • The number is publicly available from the video of the implantation [view it here]. It was always intended to be public.
  • The implant was done for research and education. To me, assisting in the demo was the perfect opportunity to educate about the insecurities in RFID. I'm taking the hit so you don't have to.
  • I'm encouraging people to use my implant for evil (or good). I know of some (secret) plans for my RFID chip at the Wireless Village at DEFCON 15. I'm willing to participate to help educate, and make the whole system better.
  • I know the major inherent weaknesses in the system, so any project I'm using it for personally does not contain any live data (test data only). For access control purposes (such as a home, office or car), you can bet that you have to pass through one or more other security systems first! Likely, you'll only be able to open something useless, like an empty drawer. The safe or front door, forget it.

Mike Poor shouted to me while I was walking off stage to take the cloned card that Major Malfunction retained. I thought it was humorous, but at that point my RFID implant was already compromised; on the internet, displayed on the screen at the conference, and possibly already cloned to one or more cards in Major's possession. I'd already stepped beyond the point of no return. I'm OK with that too.

To plug Major Malfunction's work, go check out his website. Go download and play with his tools; he also has a bunch of hardware for sale, which was actually used in his presentation.

Go forth and hack RFID, including mine.

- Larry
larry@pauldotcom.com

The live stream should be active about 7:00 PM EST, Thursday March 29th. We should begin recording the live show at about 7:30 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

We'll also be interviewing Seth Fogie at 9:30 PM EST, who recently made swiss cheese out of Windows Mobile at Shmoocon.

When active, the live stream can be found at:

http://hydrogen.oshean.org:8000

Please join us, and thanks for listening!

- Larry

Live from Shmoocon!

WARNING: This show was recorded in front of a live audience. There are audio anomalies and stronger than usual language.

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian, Nick "Twitchy" Depetrillo, Joe "Mr. C" Conlin
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds:

Things We Learned at Shmoocon 07


Larry and I decided that we would do something constructive while waiting for our plane and recap the weekend for listeners/readers:

  • Simple Nomad in lingerie and crotch shots of Bruce Potter are NOT HOT
  • 802.11 packet injection could not be easier with the new release of LORCON
  • New Rule: Malt liquor should not be consumed after 2:00AM
  • Windows Mobile is now officially called Windows PwnM3 due to a slew of flaws covered by Seth Fogie. We will be talking about this more on the show soon.
  • Renderman's arms actually increased in length by a few feet during the duration of the con
  • Core USB light-up hubs can get you pwn3d
  • Shmoo balls were orange "stress balls" and hurt when thrown at the "junk"
  • Twitchy is more twitchy at security cons
  • GPF (General Purpose Fuzzer) is great for fuzzing routing protocols, as discussed by Raven
  • Dry humping is now officially an Olympic sport and A.L. is the gold medal winner
  • If a trojan horse shows up at your house it is likely that Johnny Long is inside
  • If you are wearing a sticker that says, "Put Kevin Back In", pay attention to who is sitting 2 rows in front of you
  • New Rule (Update!): Malt liquor should not be consumed period, only poured out for your "homies"
  • OLPC could either further society as a whole or be used to create a 10 million node botnet. Commence debating....
  • Parental controls are not a replacement for parenting
  • Light sabers hurt when they are used to spank you repeatedly
  • Larry and MajorMalfunction have a "special" connection, as RFID cloning was demonstrated and proved to be very easy. Toolkit released.

Greetz to Hak.5, Cyberspeak, Sploitcast, Martin Mckeay, MajorMalfunction, Luiz, A.L., "Ducksauze", RI Hackers, Josh, dragorn, render, Binary Pirates, and everyone else that I forgot to mention. Thanks to the Shmoo group for an awesome conference!

Paul & Larry

PaulDotCom Security Weekly

Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian, Nick "Twitchy" Depetrillo, Joe "Mr. C" Conlin
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds:

Wireless Network Security? - Latest Revision


I first created this presentation about a year ago, with the goal of raising awareness about some of the less publicized wireless attacks in use today. It has grown into a 98 slide presentation that covers Wifi, Bluetooth, RFID, and wireless driver attacks, including how to defend yourself. It's a blast to give, and fun to watch as we demonstrate numerous wireless attack tools, such as bluesnarfer, airpwn, KARMA, and others.

Larry has been kind enough to update it, test all of the demos, and add some good technical content. You can download a PDF version of the latest version here:

Wireless Network Security?

If you use any of the information above, we just ask that you request permission and give us credit. We believe it is important to continue to educate people about the wireless threats that we face.

If you have comments, questions, suggestions, and especially corrections about this presentation please contact us at psw /at/ pauldotcom.com.

PaulDotCom

The live stream should be active about 7:00 PM EST, Thursday March 15th. We should begin recording the live show at about 7:30 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

When active, the live stream can be found at:

http://hydrogen.oshean.org:8000

Please join us, and thanks for listening!

- Larry

PaulDotCom On Patch Tuesday


I recently spoke with Larry Greenemeier and shared my thoughts and comments on Patch Tuesday, the lack of a recent Patch Tuesday, and the way patching ought to be :)

You can find the full article here:

How Will You Spend Your Patch Tuesday?

PaulDotCom

Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian, Nick "Twitchy" Depetrillo, Joe "Mr. C" Conlin
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds:

The live stream should be active about 7:00 PM EST, Thursday January 25th. We should begin recording the live show at about 7:30 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

When active, the live stream can be found at:

http://hydrogen.oshean.org:8000

Please join us, and thanks for listening!

- Larry

WRT54G Presentation for SNENUG


As we have suggested on the podcast previously, it is a good idea to get involved with your local computer/security user groups. We have a few in the local Rhode Island area, one of them being SNENUG (Southern New England Network Users Group). I will be presenting the following:

Title: "Embedded Device Hacking With The Linksys WRT54G"

Where: Katherine Gibbs School, Cranston, RI

When: March 21, 2006 7:00PM-9:00PM

This is the first time that content from our book, Ultimate WRT54G Hacking, will be released to the general public in a formal fashion. I will cover some of the details on the WRT54G platform, firmware installation, and a few select projects. Of course, I will have demonstrations as well. For those who may not yet have a Hack Naked T-Shirt, I will bring some of those as well, along with Hack Naked Stickers.

If you are in the area, swing by, I even think there will be free food!

PaulDotCom

Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian, Nick "Twitchy" Depetrillo, Joe "Mr. C" Conlin
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds:

Password Cracking With THC-Hydra

I read a brief article on Hydra last week and it reminded me just what a great tool this is for remote password cracking. I use it on many of my assessments. The first thing you need to do is make certain that you have separate, specific permission to run these tests. Password cracking is usually a welcome addition to any assessment, provided you tell the customer exactly what is happening and when.

Setup and Configuration

The first step is to download and compile THC-Hydra, which you can get here: http://www.thc.org/releases/hydra-5.3-src.tar.gz. An important thing to note when setting up this utility is that you must pay attention to the build process. THC-Hydra requires libraries in order to crack various services. For example, in order to crack SSH, you must have the appropriate SSH libraries installed, otherwise this feature will be disabled. Take the following configure output as an example:
Starting hydra auto configuration ...

Checking for openssl (libssl/ssl.h) ...
                                    ... found
Checking for Postgres (libpq) ...
                              ... NOT found, module postgres disabled
Checking for SVN (ibsvn_client-1 libapr-0.so libaprutil-0.so) ...
                              ... NOT found, module svn disabled
Checking for SAP/R3 (librfc/saprfc.h) ...
                                      ... NOT found, module sapr3 disabled
Get it from http://www.sap.com/solutions/netweaver/linux/eval/index.asp
Checking for libssh (libssh/libssh.h) ...
                                      ... NOT found, module ssh2 disabled
Get it from http://0xbadc0de.be/ - use v0.11!
Hydra will be installed into .../bin of: /usr/local
  (change this by running ./configure --prefix=path)
Writing Makefile.in ...
NOTES NOTES NOTES NOTES NOTES NOTES NOTES NOTES NOTES NOTES NOTES NOTES
=======================================================================
ARM/PalmPilot users: please run ./configure-arm or ./configure-palm respectivly
In the above output Hydra has told us that it cannot find the libraries for Postgres, SVN, SAP, or SSH2. Refer to your distribution for the appropriate library installation. Now we are ready to run make and make install. I like to create a directory called /etc/hydra/ where I store my configuration and dictionaries.

Obtaining Dictionaries

The most important component of any password cracking is the username and password dictionaries. You will need both, as most services require both a username and a password. Where do you get these? You have to find them for yourself :) (Please do not ask me, as I will not share them). In all seriousness, Google is your friend. Here are a few links to get you started: I tend to have 2-3 different password databases that I start with. The first and most basic is all the stupid passwords (secret, ciso, etc..). The second level layers all of the default password lists on top of that. The third layer includes everything mentioned before and adds a nice English dictionary. These will typically range from 100 or so passwords to 40,000+ passwords. I also keep at least two different username databases, one with common defaults (root, administrator) and one with many more. Then, layered on top of all of those, are my own customizations based on the customer (gleaned from the web site, dumping the LDAP database, etc...).
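The layering described above (a small list of the most likely guesses first, defaults on top of that, a full dictionary last, and the same idea for usernames) is easy to get subtly wrong by hand: duplicates creep in and the long dictionary ends up shuffled ahead of the likely guesses. The following is an added example, not PaulDotCom's own code; every word in it is a constructed placeholder standing in for the lists the post leaves you to collect, and the customer usernames are hypothetical. It also shows the defender's use of the very same lists: a password-policy check that rejects anything a dictionary run would find in its first pass.

```python
"""Layered username/password lists for an authorized test, and a reuse of
the same lists as a weak-password check.

Added example, not PaulDotCom's code. All words below are constructed
placeholders standing in for the real lists the post leaves you to collect.
"""
from __future__ import annotations

import os
from typing import Iterable

# Constructed stand-ins for the three password layers described in the post.
BASIC_PASSWORDS = ["secret", "ciso", "password", "admin"]        # the "stupid" passwords
DEFAULT_PASSWORDS = ["admin", "cisco", "changeme", "Password1"]  # vendor default lists
ENGLISH_WORDS = ["apple", "secret", "zebra", "cisco"]            # dictionary (tiny here)

COMMON_USERS = ["root", "administrator"]        # the small default-username list
EXTENDED_USERS = ["admin", "guest", "root", "test"]
CUSTOMER_USERS = ["jsmith", "mjones"]           # hypothetical names gleaned from a customer site


def layer(*lists: Iterable[str]) -> list[str]:
    """Concatenate lists in order, dropping blanks and later duplicates.

    Order matters: the short, high-probability list is tried first, so a
    long dictionary appended afterwards never pushes likely guesses back.
    """
    seen: set[str] = set()
    out: list[str] = []
    for words in lists:
        for word in words:
            word = word.rstrip("\r\n")
            if word and word not in seen:
                seen.add(word)
                out.append(word)
    return out


def build_password_tiers(basic, defaults, english) -> dict[str, list[str]]:
    """Tier 1 = basic; tier 2 = tier 1 + defaults; tier 3 = tier 2 + dictionary."""
    tier1 = layer(basic)
    tier2 = layer(tier1, defaults)
    tier3 = layer(tier2, english)
    return {"tier1": tier1, "tier2": tier2, "tier3": tier3}


def build_username_list(common, extended, customer) -> list[str]:
    """Defaults first, then the larger list, then customer-specific names."""
    return layer(common, extended, customer)


def write_lists(named_lists: dict[str, list[str]], directory: str) -> dict[str, str]:
    """Write each list to <directory>/<name>.txt, one entry per line, ready for -L / -P."""
    os.makedirs(directory, exist_ok=True)
    paths = {}
    for name, words in named_lists.items():
        path = os.path.join(directory, f"{name}.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(words) + "\n")
        paths[name] = path
    return paths


def weak_password_tier(password: str, tiers: dict[str, list[str]]) -> str | None:
    """Defensive reuse: name the first tier containing the password, or None.

    A password policy that rejects anything in tier 3 blocks exactly the
    guesses a dictionary run against the service would find first.
    """
    for name in ("tier1", "tier2", "tier3"):
        if password in tiers[name]:
            return name
    return None


if __name__ == "__main__":
    tiers = build_password_tiers(BASIC_PASSWORDS, DEFAULT_PASSWORDS, ENGLISH_WORDS)
    for name, words in tiers.items():
        print(f"{name}: {len(words)} entries")
    print("usernames:", build_username_list(COMMON_USERS, EXTENDED_USERS, CUSTOMER_USERS))
    print("'changeme' is in", weak_password_tier("changeme", tiers))
```

Pointing `write_lists` at the /etc/hydra/ directory the post uses gives files you can hand straight to `-L` and `-P`; the tiers are strict supersets of each other, so a run that exhausts tier 1 without a hit is the only reason to move on to the larger, slower tiers.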

Cracking Passwords

The next step is to identify the services that you want to test. I try to choose clear-text protocols if they are available, as they will go faster. For example, if the target has OWA (Outlook Web Access) available using HTTPS, but also provides POP3 services without SSL, I target POP3. The usernames and passwords will typically be the same (from the banners you can figure out that it's running on the same Exchange/Windoze environment and associated domain). The POP3 service is quicker in this case because it does not have to complete the SSL handshake. When running Hydra, there are a few options that are significant and should always be used:
  -R        restore a previous aborted/crashed session
Basically, always use this option. Services that you are cracking could crash (yea, it happens), so being able to pick-up where you leave off is key.
  -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
Unless I am only testing one username, I use this option and give it my username list.
  -p PASS  or -P FILE try password PASS, or load several passwords from FILE
This is where you specify your password database.
  -e ns     additional checks, "n" for null password, "s" try login as pass
ALWAYS use this option for every scan against every service. You may get lucky.
  -o FILE   write found login/password pairs to FILE instead of stdout
Always do this too, just in case you get disconnected from the server you are running hydra on.
  -w TIME   defines the max wait time in seconds for responses (default: 30)
Adjust this as necessary. If a service is being picky I tend to monitor with tcpdump to be certain I am seeing what is expected and not overwhelming the host. Also, it's a good idea to monitor this anyway, to be certain that there is no account lockout. If there is, you will need to adjust this value to try to slip under the lockout timers, which will greatly extend the length of your scan.
  server    the target server (use either this OR the -M option)
I either use this, or provide a list of servers with -M. It depends on the test.
  service    the service to crack. Supported protocols: telnet ftp pop3[-ntlm]   imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco  cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5   rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere  teamspeak sip vmauthd
Specify the service to crack. An important thing to note: if you are testing a Cisco router with usernames and passwords, you will need to use the standard telnet module. Here are some examples (the second one takes a username list, so it uses -L rather than -l):
  hydra -L myusernames -P my.passwds -e s -e n -f -o cisco.username.out 192.168.1.1 telnet
  hydra -L myusernames -P my.passwds -e s -e n -t 1 -M pop3.servers -o cracked_pop3.out pop3
Now go forth, WITH PERMISSION, and crack the planet for the benefit of system and network administrators everywhere.
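The flip side of the -w / lockout discussion above is what the administrators on the receiving end should be watching for. A default-speed run shows up as a burst of failures from one address; a run throttled with -t 1 and a long -w to stay under a per-minute lockout threshold does not, but a username list fed through -L still makes one address try many distinct accounts. The following added example (not PaulDotCom's code) scores both signals over a constructed log; the line format `<epoch> <src_ip> <service> <user> <OK|FAIL>` is invented for the example, so parse_line() is the part to adapt to a real POP3, SSH or telnet daemon's log.

```python
"""Flag dictionary-style login attempts in an authentication log.

Added example, not from the post. The log format is constructed:
'<epoch_seconds> <src_ip> <service> <user> <OK|FAIL>'. Real POP3, SSH and
telnet daemons each log differently, so parse_line() is the part to adapt.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample: one fast run cycling through a username list, one
# normal user who mistyped once, and one low-and-slow run that stays under
# any per-minute lockout threshold.
SAMPLE_LOG = """\
1000 10.0.0.5 pop3 alice OK
1001 192.0.2.9 pop3 root FAIL
1002 192.0.2.9 pop3 root FAIL
1003 192.0.2.9 pop3 administrator FAIL
1004 192.0.2.9 pop3 administrator FAIL
1005 192.0.2.9 pop3 admin FAIL
1006 192.0.2.9 pop3 guest FAIL
1040 10.0.0.7 pop3 bob FAIL
1041 10.0.0.7 pop3 bob OK
1100 192.0.2.9 pop3 bob FAIL
2000 198.51.100.4 ssh root FAIL
2500 198.51.100.4 ssh admin FAIL
3100 198.51.100.4 ssh guest FAIL
"""


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    failures: int   # failures from src inside the short window
    users: int      # distinct usernames tried by src inside the long window


class BruteForceDetector:
    """Two signals per source address, both on sliding windows.

    burst:  many failures in a short window (a default-speed run)
    spread: many distinct usernames over a long window (a run throttled
            with -t 1 / -w to dodge a per-minute lockout still looks like this)
    """

    def __init__(self, short_window=60, max_failures=5, long_window=3600, max_users=3):
        self.short_window = short_window
        self.max_failures = max_failures
        self.long_window = long_window
        self.max_users = max_users
        self.history: dict[str, deque[tuple[int, str]]] = defaultdict(deque)
        self.alerted: set[str] = set()   # one alert per source, to avoid alert storms

    def feed(self, ts: int, src: str, user: str, ok: bool) -> Alert | None:
        """Record one login event; return an Alert the first time src crosses a threshold."""
        if ok:
            return None
        q = self.history[src]
        q.append((ts, user))
        while q and q[0][0] < ts - self.long_window:   # drop events outside the long window
            q.popleft()
        recent = sum(1 for t, _ in q if t >= ts - self.short_window)
        users = len({u for _, u in q})
        if src in self.alerted:
            return None
        if recent >= self.max_failures or users >= self.max_users:
            self.alerted.add(src)
            return Alert(ts, src, recent, users)
        return None


def parse_line(line: str) -> tuple[int, str, str, bool] | None:
    """Return (ts, src, user, ok) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("OK", "FAIL"):
        return None
    ts, src, _service, user, result = parts
    if not ts.isdigit():
        return None
    return int(ts), src, user, result == "OK"


def scan(log_text: str, detector: BruteForceDetector | None = None) -> list[Alert]:
    """Run every line of log_text through the detector; return alerts in log order."""
    detector = detector or BruteForceDetector()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        alert = detector.feed(*parsed)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    det = BruteForceDetector()
    for a in scan(SAMPLE_LOG, det):
        print(f"t={a.ts} {a.src}: {a.failures} failures in {det.short_window}s, "
              f"{a.users} usernames tried in {det.long_window}s")
```

On the sample, 192.0.2.9 trips the burst rule on its fifth failure, while 198.51.100.4 never has more than one failure per minute and is caught only by the username-spread rule; a lockout timer alone would have missed it, which is the point of keeping the long window.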

Resources

  • http://www.darknet.org.uk/2007/02/thc-hydra-the-fast-and-flexible-network-login-hacking-tool/
  • http://www.thc.org/thc-hydra/
  • http://en.wikipedia.org/wiki/Hydra_(software)
Paul "PaulDotCom" Asadoorian