Episode 3x07
From Hak5
Synopsis
In this episode Chris Gerling shows us a little reverse engineering with Crackmes, Darren unlocks OpenWRT on the Fon router, Will Coppola demonstrates Inprotect, a Nessus/Nmap web frontend, and Matt fixes the Rock Band guitar once and for all. Plus HakSnacks including installation package building with IExpress, a Rock Band drum kit for your PC, converting flash videos to mobile media formats, and browsing the Internets with Calculator. Grab some pwnj00z, the next hour is designated for technolust!
Production Notes
The white balance on our scan converter (the little boxy thing that converts our laptop's display into something the video mixer can use) was a bit off, making some of the full-screen video difficult to read. Thankfully (and thanks to MassiveH) we've got a new scan converter that should make everything look a lot clearer for next episode.
The new graphics are part of the season 4 graphics pack, just a few episodes early. It's kind of a mixed setup right now, with the main title and closing credit graphics still being from season 3 proper. Going forward this season, expect more experimentation with the graphics.
Show Notes
Reverse engineering with Crackmes
Crackmes are small programs designed to test a programmer's reverse engineering skills. They provide a legal avenue for practicing this kind of analysis, which in turn also helps forensics people when they're dissecting a particular case.
In this demonstration I took a relatively easy one from the guys at LSO (Learn Security Online) and showcased it. They get far more advanced, and for those you might need to look into IDA Pro, which is the last link under Resources.
Resources
- http://www.learnsecurityonline.com/
- http://www.aisto.com/Roeder/DotNet/Download.aspx?File=Reflector (It will ask for name, e-mail, and company to download.) Another download page:
- http://www.aisto.com/Roeder/DotNet/
- http://www.woodmann.com/crackz/Tools.htm
- http://www.crackmes.de/
- http://www.datarescue.com/
Unlocking OpenWRT on La Fonera
I went into this hack thinking it was going to be more difficult than it ended up being. Sure, I accidentally borked my first unit, costing me an additional $40, but once I got a feel for the device and read nearly everything available on hacking it, I realized that it could also be trivial to unlock in comparison to some of the tutorials. I've linked to them below in case you want to take the long road.
This tutorial assumes you've got a Fonera (Not the recently released Fonera+) and it's running firmware 0.7.1 r1. If you're running more recent firmware you'll need to consult the resources below for unlocking.
Getting SSH Access
Connect to the Fon via the WPA-enabled MyPlace SSID. Browse to the admin panel at http://192.168.10.1/ and click on Advanced settings. Log in as admin/admin. Now open this HTML script and click Submit.
sshenable.html
<html>
<head>
</head>
<body>
<center>
<!-- The "username" value is handed to the router's shell CGI unescaped, so the
     $( ) command substitution runs /etc/init.d/dropbear and starts the SSH daemon.
     The onClick handler refers to a wifimode field that this stripped-down form
     does not contain; the form still submits without it. -->
<form method="post" action="http://169.254.255.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='&quot;;' + this.form.wifimode.value +';&quot;'}" />
</form>
</center>
</body>
</html>
Now fire up your favorite SSH client (I use PuTTY on Windows) and connect to 192.168.10.1. Log in as root with the password "admin".
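The trick above works because the posted username reaches a shell on the router unescaped, so the $( ) substitution is executed. As an added example (not code from the show notes or from the Fon's own web interface), here is a hypothetical, simplified handler that shows that bug beside a hardened version which allowlists and quotes the field; the names vulnerable_save, save_username and WAN_USERNAME are made up for the example.

```shell
#!/bin/sh
# Added example (not from the Hak5 notes or the Fonera firmware). It mimics the
# bug sshenable.html relies on: a shell CGI that re-evaluates a form field, so a
# "$(...)" inside the username is executed by the router. A hypothetical
# hardened handler beside it validates and quotes the value instead.

# Vulnerable pattern (hypothetical, simplified): eval re-parses the field, so
# command substitution and backticks inside it run with the CGI's privileges.
vulnerable_save() {
    eval "WAN_USERNAME=$1"
    printf '%s\n' "$WAN_USERNAME"
}

# Allowlist check: only characters a real login name needs, max 64 of them.
# Returns 0 when the value is acceptable, 1 otherwise.
validate_username() {
    if [ -z "$1" ] || [ "${#1}" -gt 64 ]; then
        return 1
    fi
    case "$1" in
        *[!A-Za-z0-9_.@-]*) return 1 ;;   # any char outside the allowlist
        *) return 0 ;;
    esac
}

# Single-quote a value so it stays inert if the config file is later sourced
# by a shell: every ' becomes '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened handler: reject anything outside the allowlist, never eval, and
# quote what is written out. Prints the config line, or "rejected".
save_username() {
    if ! validate_username "$1"; then
        echo "rejected"
        return 1
    fi
    printf 'WAN_USERNAME=%s\n' "$(shell_quote "$1")"
}

# Demo with a benign stand-in for the page's payload: the vulnerable path runs
# the substitution, the hardened path refuses the same kind of input.
vulnerable_save '$(echo injected)'
save_username 'alice@fon'
save_username '$(/etc/init.d/dropbear)' || true
```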
Replacing kernel and redboot config
We need to copy the replacement kernel and RedBoot config files over to the Fon. You can either run a simple HTTPD (like HFS on Windows) on your computer and use wget on the Fon to download them, or use something like WinSCP to transfer them.
Once the files are on the Fon type the following into the SSH console:
mv /etc/init.d/dropbear /etc/init.d/S50dropbear
mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
reboot
The first command ensures that SSH is enabled upon bootup so you don't need to use sshenable.html again. The second command patches the kernel. The third reboots the Fon.
Once the Fon has rebooted you'll need to SSH back into it and run the following command to patch the redboot config.
mtd -e "RedBoot config" write out.hex "RedBoot config"
reboot
Flashing your own firmware
When the Fon reboots it will listen for a telnet session on port 9000 for about 10 seconds. This is where the tutorial deviates from others. Basically, at this point all the heavy lifting is done. Simply fire up the ap51-flash GUI (linked below), tell it which kernel file and root file system file you want to flash, select your interface, reboot the Fon and click GO within those 10 seconds. I used the vmlinux.bin.l7 and rootfs.squashfs files from the OpenWRT project. DD-WRT supports the Fon as well if you'd like to go that route. Keep in mind it will take 20+ minutes to successfully flash the Fon.
Files you'll need for this hack:
- http://www.hak5.org/files/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
- http://www.hak5.org/files/out.hex
- http://www.hak5.org/files/ap51-flash-fonera-gui-1.0-38.exe
Resources:
- http://wiki.openwrt.org/OpenWrtDocs/Hardware/Fon/Fonera
- http://www.room362.com/archives/109-Fonera-Fun.html
- http://uselesshacks.com/?p=23#rbenable
- http://stefans.datenbruch.de/lafonera/#kolofonium
- http://download.berlin.freifunk.net/fonera/ (ap51-flash-fonera-gui-1.0-38.exe is the GUI)
- http://www.mcgrewsecurity.com/blog/?p=28
- http://www.dd-wrt.com/phpBB2/viewtopic.php?t=25354 (Unlocking 0.7.2 r3)
The only Rock Band guitar fix you'll ever need
Hey everyone, Matt here...
I've been reading the interwebs and have come to one conclusion. Harmonix screwed the pooch when creating the Rock Band guitar controller!
So I've taken it upon myself to finally fix our controller once and for all and at the same time, show you how to do it as well.
If you can solder some wires, you're pretty much good to go. Remember... it's always better to trim less than too much. TEST TEST TEST!!! I can't stress that point enough! If you're going to perform this hak, do it right, and go slow!
NOTE!!! THIS WILL VOID YOUR WARRANTY BIG TIME!
With that said, here is the link to the RadioShack part we used: Radio Shack Switch #275-016
Resources
Inprotect network security scanner
Today we're going to play with Inprotect, a web front end for Nessus and Nmap. This is aimed more at network admins, but anyone concerned with their security should check it out.
If you do not know what Nessus is, please check out the official site at http://www.nessus.org/nessus/ and then continue reading.
Basically, though, it's an automated security testing application that runs your machine through a bunch of tests to determine if any security risks are present. It will then report the suspected risks.
I recommend you register for updates. This is free but you are 7 days delayed from the bleeding edge Nessus plug-ins. This is fine for most people.
If you don't know what Nmap is then you've probably been sleeping under a rock! Check http://nmap.org/ to find out.
You can install Inprotect in any way you wish; you can grab the sources and be in dependency hell for hours, you can apt-get "packages" and only have to do some configuration or you can cheat and grab the "NST2003 virtual machine".
The VM can be found at http://www.vmware.com/appliances/directory/141
Now that you have the VM it's time to boot it up and start configuring!
Please note that this is the fastest and easiest way to get it working correctly. The plug-ins used by default are old and need to be updated.
There is a wonderful walk through to get up and running that can be found at http://nst.sourceforge.net/nst/docs/inprotect/index.html
If you do plan on compiling from source I can tell you there is a bonus to be had. It's another program, a multi-headed brute force password cracker known as Hydra - more info on this at http://freeworld.thc.org/thc-hydra/.
Resources
HakSnacks
Iexpress Package Builder
Need a quick and easy installation package builder? If you're on Windows it may be right under your nose. The IExpress wizard is super easy to use and gets the job done if you only need the most basic features. Nothing to download: simply click Start, Run, type "iexpress" and press Enter.
Resources
Rock Band Drum Machine for Windows
More rock, less talk! Simply install the driver, plug in your kit, start up the drum machine, and wake up the neighbors with an awesome solo!
Resources
- http://www.dxprog.com/entry/rock-band-drums-on-windows/
- http://www.andrewrudson.com/
- HakSnack thread
Save your online flash videos with vconvert
Production note: This segment was cut from the episode due to an audio issue with the recording however it was still mentioned in the cold open.
Save online videos to several mobile device formats using vconvert. Many other similar web services exist. Feel free to add them here or in the forum thread.
Resources
Browsing the Internet with calculator
On a locked down Windows PC? No browser in sight? Try calculator.
Launch calc.exe, click Help, Help Topics. Right-click the title bar and click Jump To URL. Enter your favorite site and away you go.
What's next, an IRC client built into Hearts?