Episode 2x02
From Hak5
Synopsis
In this episode of Hak5 Darren builds a Network Attached Storage server for our home network using a spare PC, a compact flash card, and some BSD. Paul brings us Doom on the iPod using Linux and some geeky voodoo. Wess crafts a unique LED liquor cabinet for about a hundred bucks. And Darren puts on his slightly darker than gray hat with a USB key that owns Windows machines in a matter of seconds (with a little prevention thrown in for good measure). Plus this month's trivia, poll, & LAN party details from the lovely and talented Alli.
Network Attached Storage Server with FreeNAS
Backing up our documents. It's something we all know we need to do, but surprisingly few people actually do. We'll take a look at one of the best solutions for backing up on a home network: a NAS, or Network Attached Storage device. We'll show you how to build your own using a spare PC, a $10 adapter board, a Compact Flash card, and FreeNAS, an open source FreeBSD-based distribution. Then we'll put it all together with a simple script that automates the backup job for you.
Requirements
First we'll need a spare PC, so grab that old clunker out of the closet and let's put it to work. It will need at least the following:
- A PC with at least 96 MB RAM
- A bootable CD-ROM drive
- A USB or CF drive to hold the FreeNAS system (in our example we'll use an IDE to CF adapter)
- A hard drive to hold the backups (preferably something with a large capacity)
Installation
Next we'll need to download the latest FreeNAS image from www.freenas.org and write it to CD using a CD-R/RW drive. For more information on writing ISO files in Windows see how_to_write_iso_files_to_cd.htm
Now we need to boot our NAS computer from the CD we just made. We will be presented with the FreeNAS console setup menu. From here we can configure our network and install FreeNAS to disk. In our example we will press 7 to install to HD/CF/USB key, then select 1 to install to HD, CF, or USB key creating one UFS partition. Follow the on-screen instructions and FreeNAS will be installed to our CF card. When complete we should be back at the FreeNAS console setup menu. From here we will configure our network by selecting option 1. Enter the name of the Ethernet interface and press Enter. At the optional interface 1 prompt, select Y, and reboot.
Configuration
Once rebooted we should be back at the FreeNAS console setup menu. This time we need to select option 2 and enter an IP address for the computer. In our example we used 192.168.1.66, however this may change depending on your network configuration.
After configuring our network IP address we should once again be at the FreeNAS console setup menu. From here we can select option 6 to ping another computer on the network and verify that the network settings are configured properly. If you run into problems at this step I advise consulting the troubleshooting section of the FreeNAS documentation at www.freenas.org/downloads/docs/
From here we can remove the CD and boot from the CF card. Now from another computer on the network we can configure the drives. To do this open your preferred web browser and head to the IP address we configured in the steps above. In our example this is http://192.168.1.66/
We should be prompted for a username and password. By default the username is admin and the password is freenas. Change this as soon as setup is complete: the web interface is reachable from every machine on the LAN, and a NAS still on the default credentials is a NAS that anyone on the network can reconfigure or wipe.
Drive Configuration
So now that we have FreeNAS installed we need to configure the drives. In our example we are configuring one hard drive. Select Management from the Disks menu and click the plus (+) icon to the right of the table. Select the hard drive from the list and keep the default settings. Click Add and the drive should appear in the Disk Management menu.
Next we need to format the hard drive. By doing this we will be completely removing all data from the drive. Be sure that there is no important information on the drive before performing this step. The data will not be recoverable. Once you are sure it is safe to proceed, select the hard drive from the list and click Format. This process should take about 5 to 10 minutes depending on the size of the disk.
Once the drive has been formatted we need to mount it. From the Disks menu select Mount Point and click the plus (+) icon to the right of the table. Then select the drive you wish to mount and click save.
The final step in configuring the NAS is to set up CIFS (Samba), which will allow the computers on our network to use the drive. To do this click the CIFS link from the Services menu, check Enable, and click Save. A share enabled with the default settings is open to every machine on the network, so once you have verified connectivity, switch the CIFS authentication from anonymous to local users and give the share a password; otherwise a stray laptop or a compromised PC can read or overwrite your backups.
Use
Now to verify that we can use the NAS, click Start, then Run, and enter \\<IP ADDRESS OF NAS>. In our example this is \\192.168.1.66. Now click OK and you should see a window with your new network drive.
Notes
If you are feeling adventurous you may want to look into the other services such as FTP and NFS.
To take this one step further we can setup our Windows machines to backup nightly using a batch script that can be found on the Hak5 wiki at Backup Using Batch Files
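As an added example (this is not the batch script linked above, nor code from the Hak5 wiki), here is the same nightly job written in Python: it mirrors a documents folder to the NAS share, copying only files that are new or have changed since the last run. The share name and local folder are assumptions; the address is the one configured above.

```python
"""Incremental backup of a folder to the FreeNAS CIFS share.

Added example for this article, not the Hak5 wiki's batch script.  Only files
whose size or modification time differ from the copy on the NAS are copied, so
a nightly run moves little more than the day's work.  The share path is an
assumption (the address is the one configured above).
"""
import os
import shutil
import sys
from pathlib import Path

# Assumed defaults: the user's Documents folder to a "backup" share on the NAS.
DEFAULT_SOURCE = Path.home() / "Documents"
DEFAULT_TARGET = Path(r"\\192.168.1.66\backup\documents")


def unchanged(src, dst):
    """True when dst already holds a copy of src with the same size and mtime.

    mtime is compared with a 2 second tolerance because FAT and SMB time stamps
    are coarser than the local file system's."""
    if not dst.exists():
        return False
    a, b = src.stat(), dst.stat()
    return a.st_size == b.st_size and abs(a.st_mtime - b.st_mtime) < 2


def mirror_tree(source, target):
    """Copy new or changed files from source into target, keeping the layout.

    Returns (copied, skipped).  Nothing is ever deleted from target, so a file
    removed locally by mistake (or by malware) is still on the NAS."""
    source, target = Path(source), Path(target)
    copied = skipped = 0
    for root, _dirs, files in os.walk(source):
        rel = Path(root).relative_to(source)
        (target / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            src, dst = Path(root) / name, target / rel / name
            if unchanged(src, dst):
                skipped += 1
                continue
            shutil.copy2(src, dst)  # copy2 keeps mtime, so the next run can skip it
            copied += 1
    return copied, skipped


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOURCE
    dst = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_TARGET
    c, s = mirror_tree(src, dst)
    print(f"backup complete: {c} file(s) copied, {s} unchanged")
```

Schedule it nightly with the Windows Task Scheduler; the account the task runs under needs credentials for the share, which is one more reason not to leave the CIFS service anonymous.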
Play Doom on an iPod with Linux
Getting to play Doom on an iPod is not complicated although the online ipodlinux.org wiki documentation can be a bit confusing. This simple overview should help to clear things up.
Updating iPod
The first step is to update the iPod's firmware by downloading "iPod Updater" from the Apple website at apple.com/ipod/download/
Install the updater and launch it, then connect the iPod and wait for it to be discovered by the program. Press the Update or Restore button and wait for it to finish, then quit the program and disconnect the iPod.
Installing iPod Linux
Next download and extract the Installer 2 program for iPodLinux from www.ipodlinux.org. Once launched this program will install iPodLinux and podzilla, the iPodLinux interface. Next quit the installer, disconnect the iPod, and wait for it to start the boot loader. This is the screen that will allow you to select between the factory installed Apple firmware and iPodLinux. You can get to this screen at any time by holding the select and menu buttons. Select iPodLinux and scroll through the menus, verifying that everything is working properly.
Installing clauncher and iDoom
The next step is to reconnect the iPod to your PC in disk mode. To do this reboot the iPod by holding select and menu and selecting disk mode from the boot menu. Connect the iPod to the host computer and you should be able to view the contents of its hard disk. We will need to copy the clauncher binary from Clauncher to the iPod’s root directory as well as the iDoom folder from idoom.hyarion.com to the root directory.
Configuring /etc/rc
The last step is to configure the /etc/rc file. We need to change the second to last line in that file from "exec podzilla" to "exec /mnt/clauncher". You can either do this with a text editor on your iPod's host computer, or with iPodLinux's built in word processor, PodWrite. If you choose to edit the file on your iPod's host computer you'll find the LTools utility handy, as it will let you see the Linux partition on your iPod from Windows.
The alternative method can be summed up from this quote from the iPodLinux.org wiki:
To edit it from your iPod (not extremely hard) use the file browser and scroll down to the folder etc and press the center button. Now scroll down and highlight the file rc. Hold the center button for 2 seconds and a menu will come up. Highlight open with PodWrite and press the center button. Press "MENU" and hit move cursor. Scroll down with the ClickWheel until you get to the bottom line. Press menu to switch to the keyboard and use the backspace (bs) or delete (dl) to remove either "podzilla" or "/sbin/podzilla", then use the onscreen keyboard again to type in "/mnt/clauncher" and you're done. Save it and reboot your iPod and Clauncher should start up.
Now when you start iPod you should be greeted with a console based loader which will allow you to start either Podzilla or iDoom by pressing a direction button followed by select.
Related Links
For further reading I recommend the following sites:
LED liquor cabinet the Wess way
This mod was born of a simple idea: Darren had put the old cold cathode lights from his case behind the liquor bottles on the window sill, which gave the bottles a really cool glow.
I took that a step further by building the in-window cabinet. The biggest advantage was that we could now store at least twice as much alcohol. Second, I could add a little class to the kitchen with a nice, hand crafted, wood shelving unit. Of course I couldn't just build a wooden shelf, I had to add some tech, and that's where the LEDs came in. Their purpose was to add the same blue glow that the cold cathodes did before.
Wood Working
- All dimensions are relative to my window, yours will be different!(If you're running linux, disregard this statement and go recompile)
- Sanding is key when woodworking. Once you have all your cuts made, make a couple of passes over the pieces with varying grits of sand paper. Go from 60-120, or even up to 300-400 for the final sanding. Remember to always sand with the grain!
Staining and Finishing
- The color of stain is all a matter of personal preference. I decided to go with Merlot because I like dark wood.
- Staining, like sanding, is always done with the grain.
- When staining, use a tight knit painters rag, not a terry cloth towel. Terry cloth will leave lint.
- Apply the stain liberally. Try to keep it fairly even but it's not an exact science.
- After you get the whole thing stained, let it dry for about 15-20 minutes, then take a clean, dry rag and wipe it all down. You can apply multiple coats if you desire a darker shade, just let the stain completely dry for 24 hours between coats. Also sand between coats with an ultra-fine sand paper (330 grit or higher), or use a very fine (0000 gauge) steel wool pad.
- When you're done with staining, polyurethane makes for a great sealant and gives the project a beautiful, glossy finish, and deepens and enriches the color of the stain and wood grain.
- As with everything else, apply the poly with the grain and do your best to keep it even, poly can be temperamental.
- Watch for dripping! If the poly dries with drips in it, it is very difficult to get those out. You'll have to just about sand all the poly off to get rid of them.
- Multiple coats of poly are recommended. Two at the very least. Sand between coats as well.
Tech/Electronics
Now what really sets this project apart from a regular cabinet is the LEDs that I installed. My major resource for this was led.wiz. That is an LED calculator that will give you the best wiring solution for your LED circuit based on the number of LEDs, their forward voltage and current, and the supply voltage: how many LEDs to put in series per string, and what series resistor each string needs.
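An added example, not code from the led.wiz site or from Wess: the same calculation in Python, so you can check what the wizard hands back or run it for values it does not offer. The component values in the demo are assumptions (a 12 V wall adapter and blue 5 mm LEDs at roughly 3.3 V forward voltage and 20 mA).

```python
"""LED string and series-resistor calculator, in the spirit of led.wiz.

Added example for this article; not the wizard's own code.  Given supply
voltage, LED forward voltage and current, and the number of LEDs wanted, it
works out how many LEDs fit in series per string, the E12 resistor each string
needs, and the resulting current and resistor power.  Demo values are assumed.
"""

# E12 preferred resistor values, 1 ohm to 8.2 Mohm, ascending.
_E12 = [1.0, 1.2, 1.5, 1.8, 2.2, 2.7, 3.3, 3.9, 4.7, 5.6, 6.8, 8.2]
E12_OHMS = [round(b * 10 ** d, 6) for d in range(7) for b in _E12]


def next_e12(ohms):
    """Smallest standard value >= ohms; rounding up keeps current at or below target."""
    for v in E12_OHMS:
        if v >= ohms - 1e-9:
            return v
    raise ValueError("resistance out of E12 range")


def leds_per_string(v_supply, v_forward, headroom=1.0):
    """Most LEDs in series that still leave `headroom` volts across the resistor.

    A resistor with no voltage across it cannot regulate current, which is why
    the wizard never fills the full supply voltage with LEDs."""
    n = int((v_supply - headroom) // v_forward)
    if n < 1:
        raise ValueError("supply voltage too low for even one LED")
    return n


def string_resistor(v_supply, v_forward, i_forward, n_leds):
    """E12 resistor, actual current and resistor power for a string of n LEDs."""
    v_drop = round(v_supply - n_leds * v_forward, 6)   # volts left for the resistor
    r_exact = round(v_drop / i_forward, 6)             # Ohm's law: R = V / I
    r = next_e12(r_exact)
    i_actual = v_drop / r
    return {"n_leds": n_leds, "ohms": r,
            "amps": round(i_actual, 6), "watts": round(v_drop * i_actual, 6)}


def plan_array(total_leds, v_supply, v_forward, i_forward, headroom=1.0):
    """Split total_leds into parallel strings.  The last string may be shorter
    and therefore needs a larger resistor of its own."""
    n = leds_per_string(v_supply, v_forward, headroom)
    full, rest = divmod(total_leds, n)
    strings = [string_resistor(v_supply, v_forward, i_forward, n)] * full
    if rest:
        strings.append(string_resistor(v_supply, v_forward, i_forward, rest))
    return strings


if __name__ == "__main__":
    # Assumed: 20 blue LEDs (3.3 V, 20 mA) on a 12 V adapter.
    for s in plan_array(20, 12.0, 3.3, 0.020):
        print(f"{s['n_leds']} LEDs in series, {s['ohms']:.0f} ohm resistor, "
              f"{s['amps'] * 1000:.1f} mA, {s['watts']:.3f} W")
```

For the assumed parts this gives six strings of three LEDs with a 120 ohm resistor each and one string of two LEDs with a 270 ohm resistor; a quarter-watt resistor is fine for all of them, and the LEDs run a little under 20 mA because the standard value is rounded up rather than down.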
Instant USB Password Recovery Tool (The "USB Switchblade")
- Further development for this project can be found on the HAK.5 forums.
In this segment we'll overview a few of Microsoft Windows' security weaknesses and show how to build a custom USB key that will retrieve vital information from a target computer, necessary for auditing password strength. A major flaw in the way Windows stores password information is the use of the legacy LM, or LAN Manager, hash. Although this hash is built on the DES cipher, it is vulnerable to time-memory trade-off attacks because of its poor design: passwords are uppercased, split into two short halves, and hashed without a salt. Our custom USB key uses the new U3 technology to automatically and invisibly retrieve these weak hashes within seconds of being inserted into the target computer. From there the LM hashes can be tested against a set of rainbow tables using the popular RainbowCrack software and audited for password strength. We will also cover password best practices and prevention methods for this type of attack.
While the above paragraph may sound daunting at first, I will break it down into human terms and explain how and why this works, and what you can do to keep more secure passwords.
Overview of weaknesses in Windows password stores
The weakness that we will be exploiting is the way in which Windows stores password information. Going back to LAN Manager and Windows 95, passwords have been stored in what is known as the LM, or LAN Manager, hash, and NT-based versions of Windows have kept storing it alongside the newer NT hash. The LM hash is built on DES, which is a block cipher rather than a hash function: the password is used as the key to encrypt a fixed constant, so the result is one-way. DES itself is not the problem; the way Microsoft applied it is, for a few reasons.
First, the user's password is converted to all uppercase. Second, the password is padded with nulls or truncated to 14 bytes. Next, the password is split into two 7-byte halves and each half is expanded into an 8-byte DES key (56 key bits spread across eight bytes, the low bit of each byte reserved for parity). Each key is used to DES-encrypt the constant ASCII string "KGS!@#$%", giving two 8-byte values. Those two values are concatenated to form a 16-byte value, which is the LM hash. No salt is involved anywhere, so two users with the same password have identical LM hashes.
Basically what that all means is that your password is converted to all uppercase, split into two halves that are hashed independently, and stored without a salt. An attacker never faces a 14-character search space: each half is at most seven characters from an uppercase-only alphabet, a password of seven or fewer characters has a second half that is always the same constant (AAD3B435B51404EE), and because there is no salt one precomputed table works against every Windows account. This makes the hash susceptible to brute force or, in our case, Time-Memory Trade-Off attacks, which we'll get into in a few moments.
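The construction above carried through in Python, as an added example written for this article (not code from the USB key payload or from RainbowCrack). The DES step itself runs only if the pycryptodome package is installed; the uppercasing, padding, splitting and key expansion, which are where the weaknesses live, need nothing beyond the standard library. The test passwords are made up.

```python
"""Build an LM hash the way Windows does, step by step.

Added example for this article; not code from the USB Switchblade payload or
from RainbowCrack.  The DES step uses pycryptodome if it is installed and is
skipped otherwise; everything else is standard library.
"""
LM_MAGIC = b"KGS!@#$%"            # the constant plaintext every LM hash encrypts
EMPTY_HALF = "AAD3B435B51404EE"    # DES(LM_MAGIC) under an all-zero half


def lm_halves(password):
    """Uppercase, encode, pad with NULs or truncate to 14 bytes, split 7/7.

    Windows encodes with the OEM code page; latin-1 stands in for it here
    (identical for plain ASCII passwords)."""
    p = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return p[:7], p[7:]


def des_key_from_half(half):
    """Spread the 56 bits of a 7-byte half over 8 bytes, leaving one bit per
    byte for odd parity, which is the DES key format."""
    n = int.from_bytes(half, "big")
    out = bytearray()
    for i in range(8):
        seven = (n >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:   # odd parity: set the low bit
            byte |= 1
        out.append(byte)
    return bytes(out)


def lm_hash(password):
    """Hex LM hash, or None when no DES implementation is available."""
    try:
        from Crypto.Cipher import DES        # pycryptodome (optional)
    except ImportError:
        return None
    parts = [DES.new(des_key_from_half(h), DES.MODE_ECB).encrypt(LM_MAGIC)
             for h in lm_halves(password)]
    return b"".join(parts).hex().upper()


def lm_weaknesses(password):
    """What the LM format gives away about this particular password."""
    _first, second = lm_halves(password)
    return {
        # Windows stores no LM hash at all for 15+ character passwords.
        "no_lm_hash": len(password) >= 15,
        # Case was thrown away before hashing, so "Secret" hashes as "SECRET".
        "case_insensitive": True,
        # Password of <= 7 chars: the second half is the well-known constant
        # and an attacker has only one 7-character half to crack.
        "single_half": second == b"\x00" * 7,
    }


if __name__ == "__main__":
    for pw in ("abc", "Password123", "correct horse battery staple"):
        print(pw, lm_halves(pw), lm_hash(pw), lm_weaknesses(pw))
```

With pycryptodome installed, lm_hash("password") and lm_hash("PASSWORD") both return E52CAC67419A9A224A3B108F3FA6CB6D, and anything of seven characters or fewer ends in AAD3B435B51404EE, which is how the two weaknesses show up in a real dump.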
Overview of password auditing USB key
The beauty of our custom password hash retrieving USB key comes from its unique use of U3 technology. U3 is relatively new USB flash drive technology developed by U3 LLC in cooperation with Sandisk and M-Systems. More information about U3 can be found at the website u3.com
It basically uses a portion of the flash drive's memory as a virtual CD-ROM drive. Windows only honors autorun.inf on drives it believes are CD-ROMs, not on ordinary removable disks, so this allows the Windows autorun feature to run programs as soon as the drive is inserted into a computer. Since the autorun feature does not fire for a standard USB flash drive, a U3 enabled USB flash drive is required to make this work.
In this example we are using a U3 enabled SanDisk Cruzer Micro USB Flash Drive. This drive comes with U3 software enabling the use of applications like Skype directly from the flash drive. We will need to wipe out the U3 partition on this drive and replace it with our own payload. In this case we are using a payload developed by a HAK.5 community member that goes by the name of MaxDamage. Max's payload contains a visual basic script and autorun.inf file which will be flashed onto the U3 CD-ROM partition. The autorun.inf file launches the visual basic script, which in turn runs the exploit located on the normal flash drive partition invisibly.
To replace the existing U3 software on the U3 enabled SanDisk Cruzer Micro USB Flash Drive we will need two files: LPInstaller.exe and cruzer-autorun.iso. Both are hosted on the hak5.org website and are under further development on our forums and wiki.
LPInstaller.exe is a piece of software developed by SanDisk for updating the U3 software on the flash drive. By default it will query a special website at SanDisk, download the latest U3 software, and flash the U3 partition on the USB flash drive. Since we want to install our own software we simply need to place a file named cruzer-autorun.iso in the same directory as the LPInstaller.exe program and run it. This will replace the existing U3 software with the first part of our payload.
The second part of Max's payload are the scripts located on the normal partition of the USB flash drive. These are located within the hidden folders WIP/CMD/ and include dlls, visual basic scripts, and executables, all run from a batch file. The batch file, go.cmd, will be run invisibly upon drive insertion and run the various password hash recovery tools. The most important part of this toolkit is the PwDump tool which will retrieve the LM hashes from the local computer and save them to a log file on the normal flash drive partition within the /Documents/logfiles directory, with a file name based on the computer name with a .log extension.
This file is created by go.cmd invisibly upon insertion and contains the LM hashes, as well as many other pieces of information. Further clarification on installation procedures for the password hash retrieving USB key can be found on the hak5.org website.
Overview of Time-Memory Trade-Off
Time-Memory Trade-Off, or TMTO, in terms of password cracking is a procedure that reduces the computation needed to test hashes by doing most of the work once, ahead of time, and storing the results in a lookup table. The cracking itself is done by comparing the password hash, in our case the LM hash, against a table of hashes and their known plaintext equivalents. It works so well against LM precisely because LM hashes are unsalted: one table built once serves every account on every machine. The most popular tables for this type of password cracking are known as Rainbow Tables, used in conjunction with a tool called RainbowCrack. A full explanation of Time-Memory Trade-Off and Rainbow Tables is out of the scope of this article, so I encourage you to read the following articles if interested:
There are many online services for comparing LM hashes against lookup tables, such as www.plain-text.info, md5lookup, and rainbowcrack-online, but uploading hashes from a machine you are auditing to a third party is itself a disclosure, so in this example we will be using our own rainbow tables with the RainbowCrack tool. One of the best places to obtain a set of rainbow tables is the website rainbowtables.shmoo.com, operated by the Shmoo Group. We will also need the RainbowCrack software itself.
Putting the tools to use
Once you have gathered the necessary tools and created your own password hash retrieving USB key using a compatible U3 enabled USB Flash Drive we can put it to use and audit our computer's password strength.
The first step is to insert the USB flash drive into a Windows computer and wait a few seconds for it to be recognized. Once recognized the payload should be run automatically and invisibly, creating a log file on the flash drive in the /documents/logfiles/ directory. From here our work is done and we can safely remove the USB flash drive. From this or another computer we can open the log file containing the LM hash and run it against our rainbow tables using the rainbow crack tool.
To do so we will copy the line containing the LM hash of the user's password we wish to audit from the log file into a new file named pwfile.txt and move it to the directory where we store our rainbow tables and the RainbowCrack tool.
The command to test the hash against the tables is "rcrack *.rt -f pwfile.txt" (the file name must match the one you created; -f expects pwdump-format lines).
RainbowCrack will then take a few minutes to run the LM hash against our rainbow tables and display the results. If we see the password in plaintext we know that the password is weak and needs to be strengthened. Note that what comes back is the uppercase form of the password, since the LM hash discarded the case; the actual mixed-case password can be confirmed by trying the case variations against the account's NT hash.
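Before spending table time, it pays to sort the accounts in the log by what their LM hashes already reveal. As an added example written for this article (not part of the USB key payload or of RainbowCrack), the script below parses pwdump-style lines, separates accounts that have no LM hash to crack from those whose password is seven characters or fewer, and writes the rest to pwfile.txt for the rcrack command above. The sample log is constructed; its hashes are not from a real machine.

```python
"""Triage a pwdump log before running rainbow tables.

Added example for this article; not part of the USB Switchblade payload or of
RainbowCrack.  pwdump writes one account per line as user:RID:LMhash:NThash:::.
Two facts about the LM format let us sort accounts without cracking anything:
a 15+ character password (or a machine that has stopped storing LM hashes)
leaves the constant AAD3B435B51404EEAAD3B435B51404EE, and a password of 7 or
fewer characters leaves AAD3B435B51404EE as the second half.  SAMPLE_LOG is
constructed for the example; the hashes in it are not from a real machine.
"""
EMPTY_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_HALF * 2

SAMPLE_LOG = """\
PwDump output (constructed sample, not a real dump)
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
alli:1003:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
darren:1004:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed pwdump line, skipping
    banners, blank lines and anything else go.cmd wrote to the log."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].upper(), parts[3].upper()
        if len(lm) != 32 or len(nt) != 32:
            continue
        yield parts[0], int(parts[1]), lm, nt


def classify_lm(lm):
    """'no-lm' (nothing to crack), 'short' (<= 7 chars, one half), or 'full'."""
    if lm == EMPTY_LM:
        return "no-lm"
    if lm[16:] == EMPTY_HALF:
        return "short"
    return "full"


def audit(text):
    """Group account names by how exposed their LM hash leaves them."""
    groups = {"no-lm": [], "short": [], "full": []}
    for user, _rid, lm, _nt in parse_pwdump(text):
        groups[classify_lm(lm)].append(user)
    return groups


def crackable_lines(text):
    """The pwdump lines worth handing to rcrack -f: accounts that still have an
    LM hash.  Feeding the no-lm constant to the tables only wastes time."""
    return [f"{u}:{r}:{lm}:{nt}:::"
            for u, r, lm, nt in parse_pwdump(text) if lm != EMPTY_LM]


def write_pwfile(text, path="pwfile.txt"):
    """Write the crackable lines to the file the rcrack command reads."""
    lines = crackable_lines(text)
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    for group, users in audit(SAMPLE_LOG).items():
        print(f"{group:6s} {', '.join(users) or '-'}")
    print(write_pwfile(SAMPLE_LOG), "line(s) written to pwfile.txt")
```

In the sample, Guest and alli have no LM hash to attack, darren's password is at most seven characters and needs only one half cracked, and Administrator is the only account that costs the tables their full effort.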
Mitigation
There are a few things that need to be explained about this method for password hash retrieval and cracking. First is that physical access is needed to the Windows computer we will be testing. Second is that a user with administrative rights must be logged in with the screen unlocked, because the autorun payload runs in that user's context and pwdump needs administrator rights to read the SAM. And third is that no anti-virus that would detect the payload is running. In our tests Symantec Corporate Anti-Virus was able to detect the pwdump tool in the payload and prevent it from running. Many other anti-virus solutions may do the same.
Now if we are successful in using this method to retrieve the LM hash and run it against our rainbow tables and find a match the next step is to strengthen the password. To do this we must understand the limitations of the LM hash.
While the LM hash may be Windows' Achilles' heel, it can easily be neutralized in two ways. First is to use a password of 15 characters or longer, which is highly recommended: Windows does not store an LM hash for passwords of that length at all (the field holds the constant AAD3B435B51404EEAAD3B435B51404EE instead). For further reading on long password best practices see the following websites on pass phrases:
It is also worth mentioning that LM hash storage can be disabled entirely on a Windows 2000 or higher computer by making a simple change to the registry (the NoLMHash setting under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, or the equivalent Group Policy setting "Network security: Do not store LAN Manager hash value on next password change"). Note that existing hashes stay in the SAM until each user next changes their password. For more information see Microsoft Knowledge Base article 299656.
As an added precaution we can also disable the Windows autorun feature, which is what lets the U3 CD-ROM partition start the payload; make sure the setting covers CD-ROM drives and not only removable disks, since U3 presents itself as a CD. More information on that procedure can be found in the Microsoft Knowledge Base.
For further development and the files needed to perform this attack see the development thread on the Hak5 forums.