" Wow."
" This week we kill a Microsoft VPN tunnel."
" This week's episode is brought to you by the US Air Force, GoToAssist Express and Domain.com. Got a great idea? It all starts with a great domain. Hello and welcome back. My name's Darren Kitchen, and -- this little announcement, and it's true: actually, I was just in Missouri. -- And on gas, and then I was -- they go crazy for Halloween, like craziness, and some -- that they added."
" -- news for them, and that is something. And then I had to work the weekend, in DC actually, like four days straight, working in DC, and the weirdest thing was I was doing conference coverage. Like, so you know, they said, hey, we need you to be at the Marriott Wardman, and I've been like, I've done that three times, it's -- please, that conference is not an exciting one. Now I was doing corporate video, and let me tell you, there's no one line or meme. Yeah, yeah, and you can't, like, go up to the presenters and, like, you need to check it out, but they're a bunch of engineers, elegant works, I mean geeks and nerds, take your pick."
" -- mostly -- wouldn't work, and a lot of fun stuff. Amusement in DC, as that's concerned. -- you work on. --"
" We've got some device hacking. Got to run X on Debian -- you know, that's just a -- I think next week. And here I've got all sorts of other -- I've got a whole bunch of fun -- about that, and -- spending a lot more on this show. Yeah, and we're gonna spend some time now with -- west."
" -- "
" We'll -- that's where the mountains are. I've never been to Blacksburg; it's fun. So anyway, if you attend Virginia Tech, or you're nearby, you should be there this weekend, because that's what's up: we are going to be there on Saturday, November 7. Yes, Hak5 live at Virginia Tech. We're taking over the campus, and, you know, -- and Wi-Fi, I mean, doing presentations and fun hacker stuff. A lot of fun. Hak5.org/VT for all of the details on that; we really hope you can join us."
" -- so it's."
" Right on. Again, to some fun -- you know, hacking. Yeah, you know, it's taking a lot of things we've learned in pieces and putting it all together, yummy kitchen, the good with the bad, and now. Right, well, we're gonna get into that, but first let's take a quick break and thank our sponsors, Domain.com."
" Play all the latest co-op video games but don't have any friends? Contract a companion. It's a great idea that starts with a great domain at Domain.com. Domain.com has sweet deals on domain names, like playertorentals.com. Domain names for less than ten bucks a month, no pushy upsells, no-commitment web hosting for under six bucks a month, private registration, and killer virtual private servers. -- Domain.com is the place to get your next domain. Best of all, Hak5 fans get an additional 15% off their orders when they use the coupon code Hak5 at checkout. Got a great idea? It all starts with a great domain, at Domain.com."
" So, continuing on with our VPN series, I thought it would be important to highlight some of the insecurities, the weaknesses, in the protocols that we've used so far. Now, much like a while ago when we set up SSH with a public key and used it as a VPN of sorts, if you will, we then followed that up with a nice little tool called sslstrip, which basically allowed us to man-in-the-middle our target, go ahead and make those SSL requests on his behalf, and then send him an unencrypted connection that looks very similar to what he thinks he's going to be on, and meanwhile we're seeing everything in between. Yes, go ahead, press that, it'll work, and you'd be quite surprised. But, you know, that's your inherent weakness in SSL or TLS: hey, are you paying attention to this connection here? And what we're going to do today, or attempt to do, is to highlight some of the insecurities in Microsoft's protocol, or their default protocol for a VPN server. Now you'll notice, if your memory serves and you've been following along, we've set up two VPN servers using Windows. We set up the first in Windows Server 2003 using Routing and Remote Access; that's a tie-in with Active Directory. And we set one up in Windows XP just using the local user accounts. And both of those were PPTP, or Point-to-Point Tunneling Protocol, based VPNs, and that's essentially just taking PPP, encapsulating it and keeping track of it; it's all real good in theory, but we're gonna highlight one of the weaknesses here in it. Now, if you've been following along with the show for a while and seen our previous segments on things like pwdump and rainbow tables and brute-force attacking, you'll remember that when it comes to Windows authentication, like I just said, either Active Directory with Server 2003 or the local user accounts with Windows XP, there are basically two flavors here: you've got your LAN Manager hashes, which are made out of watered-down weak sauce and are susceptible to
brute force, rainbow tables, all sorts of stuff, and then you've got your NT hashes, which, you know, are what the passwords for the accounts are stored in, and those are still susceptible to your time-memory trade-off attacks. Well, today we're actually going to be using a proof-of-concept tool, so we're actually just going to be brute-forcing, but you could take this to as many levels as you see fit. But why don't we go ahead and give a little bit of background on this protocol. Now, when it comes to your default Windows VPN servers, your Server 2003 or your XP one that we already created here in previous segments, your default protocol is PPTP, and the modern authentication protocol for PPTP is what's known as MS-CHAP version 2, that's the Microsoft Challenge Handshake Authentication Protocol, and it actually came out in, I think, '99 or 2000. And there are some inherent weaknesses in it; it's actually been widely known for like the last ten years how weak it is. And if you're interested in a very interesting cryptanalysis, there's one done by Bruce Schneier and some of the guys from L0pht Heavy Industries; I'll have links in the show notes. But it is your default option there in your XP and your Server 2003 VPN servers, and if I take a look here in my Server 2003 box, go ahead and take a look at the Routing and Remote Access service, and under Security, Authentication Methods, notice here we've got MS-CHAP, and there really isn't a whole lot of other options other than, you know, less secure: unencrypted password, or just the regular CHAP, and that's a shame. There are other options that exist, you know, maybe RADIUS, or just using a more secure protocol in general rather than Microsoft's own protocol. But suffice it to say, when it comes to PPTP, MS-CHAP is where it's at.
So we're actually going to exploit some of those weaknesses with a wonderful tool, so let's take a look at that tool for Linux. So I'm here in my BackTrack 4 VM, and the tool we're looking at today is called asleap. If you're familiar with the tool that we used, I think last season, coWPAtty, this is actually written by the same author, Joshua Wright, and this came out in 2004 and was updated in late 2008 with some other options and stuff. But we're actually going to focus on this today, and to give you an idea about this tool, it's a proof of concept demonstrating the weaknesses in both LEAP and PPTP. Now LEAP is a bit like an extension of EAP; it's called the Lightweight Extensible Authentication Protocol, and you're only really gonna see this in Cisco access points, Cisco gear and such. Not really what we're interested in. But it will also do Microsoft's Point-to-Point Tunneling Protocol, because they both use the same MS-CHAP version 2, which is, you know, inherently weak as it is, because it doesn't use any salt for the NT hash, it uses some weak DES keys, and it sends usernames in the clear. And we're able, with this tool, to exploit this: if we capture, using a man-in-the-middle attack, that handshake when the connection is created, we can actually feed it, either live or with a packet capture, right into this tool. With a dictionary and some key generation, we can find the last two bytes of the NT LAN Manager hash, and from there we can actually reverse it with the dictionary. And that's just because of the inherent weaknesses in the way that this is designed, so that's very cool: just out of two bytes at the end of, you know, the hash, you're going to be able to reverse that, crack it. So, you know, that's the high-level overview of this tool; let's go ahead and have some fun and get going on the demo."
" Now we have our BackTrack 4 VM, which is what we're going to use as the attacker; we have our Server 2003 box here with our VPN server, Routing and Remote Access, going on, and I've got an Active Directory. Let's take a look at the user we're gonna have to use. And the user, let's call him Paul. -- We're setting up Paul, giving him a password, and it doesn't really matter. And we do need to give him privileges so that he can actually dial in. Alright. And we have our Windows XP virtual machine over here. Set. Paul."
" And password. Okay, now I don't wanna connect yet, because I actually wanna go ahead and initiate, from the attacker side, a man-in-the-middle attack so that I can actually see all of the packets that are going from the client to the server and vice versa. Typically, you know, it'd be like with either the Pineapple or, you know, the very festive monkey, I think you've seen that, but right now, just here in the VMs, I'm just gonna go ahead and get this done with a little bit of ARP cache poisoning, so let's take a look at that. In BackTrack, run arpspoof. That's the one; .118 is my target and .147 is the host, so that gets it going in that direction, and another one for the other direction. And I was running into some problems with this, because the -- well, I actually needed to run it on a second interface here, .1.6. So that was taken care of, so anyway, I've got that going. And now, as far as what's happening with this is, as far as the client is concerned, I'm the server, and as far as the server is concerned, I'm the client, and I'm just passing everything in between so that that actually happens. I guess I did skip one step, but I also outlined it two episodes back when I used the same tool, and that is just setting ip_forward from zero to one, all of that. Anyway. So let's go ahead and take a look at the packets going by now. I would be using something like tcpdump, but just to make this a bit more visual, let's go ahead and I'll fire up Wireshark here."
" And take a look at our interfaces. And we don't have any available because I ran it wrong; let's try this again. Yes, yes."
" Look at that, it has interfaces. That's when you run it as root, but still, it's dangerous for me, right? So under eth0 we see -- packets; let's go ahead and start that. And all we're gonna see here is a bunch of ARPs, because that's what's coming from us, and once we actually do achieve this connection we'll filter that so that we're not seeing a whole bunch of garbage; we'll see just what we wanna see. So our Server 2003 box is ready; let's take a look at our client. Alright, Paul, password, and let's connect, and it is authenticating, and we are connected. Hurray."
" And if we come over here and pause it, or just go ahead and stop it. Notice that there's a lot of -- well, stop, stop, stop."
" And this is RDP to a VM, so anyway, we've got all of these PPP packets here, and they are, you know, compressed, they're encrypted, and we're not really gonna be looking into what's going on there. But if we go back and actually take a look at when that session was initiated, so up here, we can see that we've got all of these ARPs, but then, down here."
" That's where we see the PPTP start-control-connection request, and from here we're going to be able to isolate this and actually extract the handshake from this. And with a dictionary and some tools, we'll start cracking. But first let's go ahead and thank our great sponsors, the United States Air Force."
" Welcome back, we're still in Wireshark and I'm gonna go ahead and enter a filter that's gonna make this so much easier. Up here in the top left I've entered chap, and what that's basically done is said, hey, I don't care about any of that other garbage, here's TCP packets, what I really want is the Challenge Handshake Authentication Protocol, or CHAP. And that's the beautiful thing about Wireshark, and why I'm not using tcpdump for this: it just makes it so easy to visually see this. So let's take a look here under Info. We can see, you know, it's .118 talking to .147, these IPs here, back and forth. And let's expand this a little bit better. The Challenge, which was issued from -- salt, remember, that's the name of our Server 2003 box. And here's the value; actually take a look down here. And there you go. Yes, this is in fact GRE, so that's protocol 47; we are talking about RFC 1701, GRE, one of those RFCs, and we are talking about the Point-to-Point Protocol here, and here in fact is the handshake. Scroll down here. We'll actually see the identifier: one is Challenge, two is Response, three is Success, four is Failure, for whatever that's worth. What's important, though, is here's the data. So I'm looking at the data here and I can see that's the value, this nice little hex right here; we're actually gonna copy this to a text file, because we're gonna be using it later."
" I think I have a little -- oops, that's not it. So this would be the challenge. And let's take a look at that response."
" So here is the response, and you'll notice right here it says Paul; that is the username, sent in clear text. Maybe not that big of a deal, but the catch is, I mean, -- your authentication right there. And then there's other fun things, tools that we could use, maybe if we're penetration testing an organization, to use social engineering techniques, Maltego, whatever have you. You've gotta use their names; there's a lot that can be gleaned just from that, and maybe we should take a look in more detail at that later on. But suffice it to say we have Paul here, the username, and if we look at the data here."
" Like I said, here's the code; this is the response. And then here is our response, it's all of this garbage here, but it's what we want, so let's cut and copy that over to the text file, in notepad. Great. I mean, this is the challenge and this is the response. Okay."
" So now that we have the challenge and the response, we can actually pass those two into asleap and see if we can get anything from that. But we are going to need a dictionary file to crack it. Now remember that I said that we have a username, and now that's important. Well, let's go ahead: we don't actually have a dictionary file set up, so let's go ahead and set one up here, back in the console, and -- in the show."
" And yes, I'm just gonna get that -- . That was -- anyway."
" Yeah, all right. So here we are. Let's get that out of the way. Right now running as root, and let's take a look at CUPP. Alright, and I believe we may have taken a look at this before, but we're gonna go ahead and run it through in interactive mode, because what we need to do here is, we have our target, Paul, on this domain, and we need to create a dictionary file. We've got a big one, but it would be beneficial if we could add something to it that would be specific to this user, and this is, like I said, where all of that reconnaissance comes into play: Maltego or some other social engineering techniques to find out more about Paul; that's going to be, you know, hopefully helpful when you're cracking the password, because bear in mind, this is a proof-of-concept tool. We're not using any time-memory trade-off and rainbow tables; we're just doing a straight brute-force dictionary attack, so it is very important that our dictionary is as robust as possible. So we're gonna be using this tool here, CUPP, or the Common User Passwords Profiler, I believe, and it's going to walk us through a guided wizard, if you will, learning some information to put together a very, very targeted password file that is specific here to Paul. So let's go ahead and go through this: let's give it the name, Paul. Surname: --. His nickname: camera guy. His date of birth. And his wife's name is Shannon, and her nickname -- snobs. Company name. -- Come on now; we don't want anything else, we're pretty much done. Numbers? Yep. -- At least not yet; we want -- All right, now we actually have -- good, this is how it will be cool. And we can see that we have a .txt file here that has a whole bunch of combinations of what Paul's password could possibly be, if he were married to Shannon and had a kid named -- and -- Pineapple. Well, anyway."
" Let's go ahead and share this with asleap, and go ahead and get our cracking on. So I'm just gonna cp this over. Now, before we can actually go and crack it, we need to actually generate some keys. We need to take this word list and run it through genkeys, which will create an index and hashes, because, remember, we're dealing with hashes here. So I'll go ahead and run that, and all I have to do is go ahead and specify our dictionary that we just created"
" and tell it where we want to output the passwords with hashes, as well as the index file. So go ahead: just call it words.dat for the hashes and words.idx for the index. That didn't take too long. Now, of course, we would want a much more exhaustive word list, but for this example I think it's gonna work all right. So let's go ahead and run this through asleap now. When it was first released back in 2004 it was just a proof of concept for cracking, you know, Cisco access points that used Cisco's LEAP, which happens to use Microsoft's MS-CHAP version 2, which we know is vulnerable. Well, just by the way that it is, it is also a Point-to-Point Tunneling Protocol cracker, just because that's the default authentication protocol. So in, I think, November '08, Joshua Wright actually added an option where not only can you feed it a packet capture, or just go live over the wire, in the middle, just looking at some traffic and, you know, cracking that, whether it be a Cisco access point or a PPTP VPN, he gave us the option to specify the two important bits of data that we were just gleaning from Wireshark before: the challenge and the response. So let's go ahead and see what we can do with this. Now that we have our hash file and our index built, we can go ahead and run what we gathered from Wireshark. It's just -- here, the challenge; actually these need to be colon-delimited. So, colon-delimited. I'm not even trying to speak words tonight. There is probably a much easier way to do that, but suffice to say I now have my keys the way that I want them. So I'll go ahead and copy this challenge, as I am now, and run it through asleap. So we have the option here: first thing, give it our dictionary, so that would be words.dat. And we need to give it our index, which was words.idx, and we'll go ahead and say -C for challenge and insert that challenge there."
" Now we need -R for the response. Grab this."
" And insert that response."
" And you'll notice that we get a little error here; it actually says: asleap: incorrect challenge input length specified. And I'll show you why. I actually have the source code pulled up here, and this is exactly where I've run into this case. Right here on -- it says, hey, if that string length is not equal to 23, then go ahead and throw that error and exit. I've been running into some problems here, and I'll go ahead and show you why: there are some other examples that I know that work, and I'm not sure if it's just a matter of it being formatted wrong or me not delimiting it properly. But I actually tried it now, and maybe it's just -- the first is that the problem here is this: 23, which would be sixteen characters, or eight bytes, right? But I'm giving it sixteen bytes there. So what's going on? Let's take a look, and go ahead and open up one of the demo data files that comes with asleap. In fact, if I go over to data, you can see here we have the PPTP dump, and if you take a look at the README, they explain what the passwords are and stuff for these demos, so you can get a feel for the program without doing any capturing on your own. Well, I've opened it over here in Wireshark and, as I have already done with my last one, I'm filtering for CHAP, and I can see, here we go, our challenge, here's the data. You'll notice that that is just as long: 32 characters, or sixteen bytes, in hex, same as what I had before. The response is just as long. Names in the clear. But interestingly, if I run this through the cracker, it actually works. So, it's -- give that a shot. Notice this is actually a -r, so rather than just passing the -C for the challenge and the -R, we can actually give it a packet capture, so if it's in a, you know, format like you'd get with Wireshark, --, Ettercap, any of those,
we can actually go ahead and just run it through it, and it will find this stuff for us, and they're absolutely -- look. And give it our words.dat and more. And in this case it's gonna be -r, read from file, and say data/pptp.dump. And you can see that it found the username, Scott, and, you know, the challenge and the response. And we can actually find this here: 8160. That's actually the two bytes at the end of the NT hash. So from now we can, you know, feed this to -- and if the password of the user happens to be in our dictionary file, we're going to find that. I don't believe that it is in this dictionary file, the one that we created specifically for Paul; I believe the one for this is just the asleap -- or something like that. But suffice to say this does work; sadly, I don't have the dictionary file that does this, but there is one that I believe comes with the default distribution. So, you know, I encourage you to go ahead and play with it; it's very cool. Download it from Joshua Wright's blog, it's willhackforsushi.com. And give it a try, because, you know, it certainly does work, and I'm just -- right after -- anyway. But you can see the discrepancy there, and I gotta tell you, I have been spending a long time trying to figure this out, and this is the part where I actually have a success now, but I'm actually here, oh, very curious as to why this is, because everything that I've seen would indicate that this should actually be only sixteen characters, or eight bytes, rather than, you know, what I'm getting here. So I'm not really sure, and that's why I'm asking you guys online; you know, I'd appreciate it if you can figure that out. But still, nonetheless, very cool. I could probably take what I have here and put it into a text file
with like the user, colon, -- and the challenge, colon, colon, colon, response, and run that through John the Ripper, which we've never talked about right here, and it's a little outside the scope of this segment. So email me if you wanna talk about it -- . But anyway, you could probably crack it that way. But the point being, it's a very cool application here that's gonna allow us to take advantage of the inherent weaknesses in MS-CHAP, I think. While my demo failed here, in that I can't get the right challenge and whatnot, I think I am successful in displaying just how weak it is, just in that here we can find the last two bytes of that hash in the demo files. So go ahead and take a look at the tool for yourself, run the demos and see what you guys can do, and I guess the point here is really that, you know, MS-CHAP is inherently flawed. It's been ten years, and maybe it's time to use, or look at, a different protocol. I'm not sure PPTP is worth, you know, tacking on that much more effort when there's other protocols that we will, in the rest of this"
" VPN series, be looking at. So stay tuned for the rest of the series as we take a look at L2TP and IPsec, and then setting up an OpenVPN server, and -- some stuff with SSH tunnels and home routers, and it just goes on and on. You guys, your feedback is definitely very important, because it influences this series, the whole show for that matter, so of course, feedback at hak5.org for the rest of that. willhackforsushi.com is Joshua Wright's blog, to download asleap, and you can find the show notes and anything talked about here today at hak5.org. And you can flame me on Twitter for not getting this right: Hak5 --."
" The best way to provide technical support is to do it online with GoToAssist Express. You can help friends learn how to use new software or fix their computer problems without being there in person. GoToAssist Express lets you easily view and control computers online so you can quickly resolve technical issues. Whether you're in customer support, technical consulting or management, or just a computer guru, GoToAssist Express will help you increase revenue, reduce travel and support time, and service more clients. Try GoToAssist Express free for thirty days; for the special offer you must visit gotoassist.com/hak5. That's gotoassist.com forward slash H-A-K-5 for a free trial."
" That just about wraps up this episode of Hak5. First, a word from Paul."
" -- I'm gonna work. -- Send email to people; that can be fun. That's the question. -- and Facebook, that's where -- facebook.com slash --."
" And hit Twitter as well. -- If you've been looking for one of these lately, hak5.org/store is the place to get them, as well as the stickers, community service. Yeah, actually, I've been harassing him about that now; our new -- and I was -- about that, and it turns out that the place that makes them, their -- broke, so they were out of commission for like two weeks and everything got pushed back, but we have the new designs coming out soon. So I keep -- and I found that the -- I -- on. Now I know, it's all about the capital. I mean, we could just go with one of these, you know, places that does everything for you, and then, you know, make about 10% on the back end, and crap like that. So if we're ever going to make this, you know, continue, we really appreciate your support, because it keeps us doing the show. So thank you to everybody that has donated. And let's see what else is going on. -- So we've got a really good one: -- and instant-on Linux, device hacking, and I can go on: SSH tunneling, some fun stuff; they may not talk about the SSH tunnels going back and forth, and all that stuff."
" Man, -- can't count. -- hak5.org is the place to find all of the shows, including seasons one through three, the elusive first trilogy. That's the original, the original trilogy; you know, it's like -- we should have started with -- in fact, I've seen seasons 4, 5, 6, 9, the prequel. And it'll charge -- anyway."
" Now, not too far, or not -- with the words, and I'm -- that."
" There, just again."
" That's -- yeah, we actually just -- one night, thinking cap, so you know, it's like -- out. My laptop, it's not like."
" Concerned. Now we have our backtrack for IBM which is what we're going to uses the attacker we have our server 2003 box here. With our VPN server running remote access going on and I've got an active directory. Take a look we're gonna have to use. And the user let's call -- Paul. -- It's acting as Paul beginning give him. -- password. And doesn't really matter. And we do need to give him. Privileges that they can actually. Island. RA. And we have our windows XP virtual machine over here. Set. Paul."
" And pass through it okay now I don't wanna connect yet. Because I actually wanna go ahead and initiate from the attacker side. A a man in the middle attacks so that I can actually see all of the packets that are going from the client to the server and vice Versa. -- typically you know mean light dome. Where it either pineapple. Or you know very festive monkey I think you've been -- now and but. Right now just here in the VMs I'm just gonna go ahead and get this done. With. Little bit. Our cache poisoning so let's take a look at that. -- And backtrack. -- and run. Others are spoof. That's the one and 118 it is my target and 147 is the hosts so that they get that going in that direction. And and -- four the other direction. And was running into some problems in the degree it's because the -- to the next thing actually need to run it on its second inner -- here don't one point six. So. I was taking care me so anyway -- got that going. And now. As far as. What's happening with this is as far as the client is concerned I'm server and as far as the servers concerned. I'm decline now and I'm just passing everything in between so that that actually happens. I guess they did skip one step but I also outlined it two episodes back when I use the same war and that is just setting. -- or IKEA underscore board. To us from zero to one all of that -- and it's anyway. So let's go ahead and take a look at the packets going -- Now. I would be using like TCP down but just make this a bit more visual let's go ahead. And I'll fire up wires -- here."
" And take a look at our interfaces. And we don't have any available because I did the wrong let's try this again. Yes yes."
" A look at that he has interfaces. When these days and -- to run Israel but. Still dangers for me right so under Leo we see with butter packets will head start that. And all we're gonna see here's the bunch of marks because that's what's coming from us and once we actually do. And achieve this connection will filter that so that we're not seeing a whole bunch garbage we'll see just what we wanna see. So our server 2003 boxes ready let's take a look that are. Client all right -- pass through its. And let's connect and it is that past and in band and we are connected. Her day."
" And if -- come over here. And pauses or just go ahead and stop it. -- notice that there's a lot of what will stop stop stop."
" And this is RDP two of EM and so anyway we've got all of these PPP. Packets here and they are you know the comprise their encrypted and we're not really gonna be looking in to what's gone on there but if we go back and actually take a look at when that test session was initiated. Are so caught here and see that we've got all of these arts but then. Down here."
" That's where we see the PP TP the -- start a connection requests and from here we're going to be able to isolate this and actually extract the handshake from this. And -- dictionary as friends and schools and starts cracking. But first let's go ahead and think whatever great sponsors the united states air force."
" Welcome back we're still wires chart and I'm gonna go ahead and answer a filter that's gonna make this so much easier up here and top left. I've entered chapter. And what that basically done is said hey I don't care about any of that other our garbage here is TCP packets what I really want. Is the challenge handshake authentication particle or (%expletive). And it's that's a beautiful thing about wire shark and why am not using huge -- for this just makes so easy to visually see this. So let's take a look here under info. We can see our you know it's 118 talking to 147 these IPs here back and forth. And -- that compress this still the better. The challenge which was issued from -- salt remember that's the name of our server 2003 box. And the here's the value and actually take a look down here. And there account. That yes this is in fact now that's GRE so -- 47 we are talking about -- or 1740. Re. Our fortunes have one of those -- and and we are talking about point point. Particle here and here in fact is. The handshake and scroll down here. We'll actually see the identifier is -- challenges one's I believe one is challenged to is the response. Three's success reports failed. For whatever that's worth. What's important though is and here's the data. So I'm looking at the data here and I can see that's the only -- this this nice little tax right we're actually gonna copy this to know. Files because we're gonna be using it later."
" I think I have a little. Oops that's not it area. So this would be the challenge. And let's take a look at that response."
" So here -- the in this -- Response and you'll notice right here it says -- Paul Hackett said the the username and send a clear text meant nothing that the big deal but the cat is I mean -- your authentication right there. And then there's other fun things tools that we could use to maybe if we're -- penetration testing organizations to use its its engineering techniques. Eleven Alter ego. Whatever have you. You've gotta use their names there's a lot that can be glean just from that and maybe we should take a look. In more detail about that later on. But suffice it to say we have Paul here the username and if we look at the data here."
" like has had code -- this is the response. And then here is our response it's all of this garbage here. But is what we want so let's cut copy that toward the toward. And word or notepad. Rates. Mean this -- dots and this is the response. Okay."
" So now that we have the challenge response we can actually it's our path in those two. A sleep and see if we can get anything from that. But we are going to need a dictionary file two to crack it's now remember that I said that we have a username and now that's important. Well let's go ahead we don't actually have a dictionary file set up so go ahead and set one up here. And back consul and the -- in the show."
" And yes I'm just gonna get that who. That was holiday expert view it did of -- do. And that -- students do anyway."
" Yeah all right. So here we are. -- any good get that the way. Right now running as -- and let's take a look at cop Q. Are right and I believe we may have taken a look at this will be four but -- is gonna go ahead and run it through in interactive mode because. What we need to do here is we have our target Paula on this domain. And we need to create dictionary file -- we've got a picture but -- but it would be. Beneficial if we could add something to it that would be specific to this user and this is like I said where. All of that reconnaissance comes in the play it memories and not to ego or some other social engineering techniques to find more about all that's going to be. You know hopefully helpful one more cracking your password because bear in mind. This proof of concept cool. We're not using any anti time memory trade off and rainbow tables or just doing history. Brute force dictionary attack so it is very important matter dictionary as as. Robust as possible. So we're gonna be using this tool here -- Or at the common user password profiler believe. And it's going to walk us through a guided wizard if you will love learning some information to put together a very. A very targeted password file that is specific here to Paul. So let's go ahead and go through this lets you name all. Surname to -- His nickname camera guy. His date of birth. And his his wife's name is Shannon. And her nickname -- snobs. Company game. -- c'mon now we don't plan anything else where we're pretty much done this through its numbers yep port numbers. To a at least not yet we want we -- All right now we actually have and -- good in this are now will be cool news by. And we can see that we have a -- text by here that has a whole bunch of combinations. Of what Paul's password. Could possibly be if he were married to Shannon and had a kid named -- in -- in pineapple. Well anyway."
" Let's go ahead and share this with a US -- or a sleep well and and go ahead and -- are cracking on. So I'm just gonna CP this ever. Now before we can actually gonna -- reports and we need to actually generates and keys we need to. Create a we need to take this word lists and run it through junkies which will create an index and ashes of which because remember. Her deal with -- here so. I'll go ahead and run that and always have to do is go ahead and specify -- or dictionary that we just created."
" And tell it where we want to output the the passwords with -- as well as the index file. So go ahead just -- Call us. -- to -- the positive matches and this words to it. Idea acts. Or index. -- did take too long. Now of course we would want a much more exhaustive. Word list but for this example I think it's gonna work all right so. Let's go ahead and run this through a asleep now. -- When it it was first released back in 90004. Was just prison concept -- war cracking. You know -- Cisco access points that used. Cisco is -- Which happen to use Microsoft's. Chapped version two which we know it is vulnerable well. Well just by the way that is it is also a point tunneling protocol. Cracker. Just because that's the default authentication. Protocol so. -- and I think as governor 08. Joshua -- actually added an option. Where it not only can you take -- packet capture or just live over the wire. And then in the middle just looking at some traffic. And you know crack and that's -- were like -- Cisco access point or PPP PPP yen. Gave me the option to specify. Do is important bits of data that we're just cleaning from -- chart before. The the challenge and the response from the -- So let's go ahead and us he -- can do with this. Now that we have or hash file and our index built we can go ahead and run. What we gathered from wired shark. It's just -- appeared accurate count. -- challenge actually these need to be. Coal and eliminated did so limited to eliminate. I'm not even trying to speak words night. There is probably much easier way to do that but suffice to say -- now my keys the way that I want them. So on and go ahead and company's challenge as I am not right now again and run it through it sleep so we have the option here. Four. Or first thing today give -- our dictionaries so that would be words to. That. And we need to get our index which was words choose. Eight X and will go ahead and say taxi for challenge. And insert that challenge there. 
Now we need to attack or for response. Grab this."
" And insert that response."
" And won't notice that we get a little air here it actually says asleep incorrect challenge input length specified. And I'll show you why I actually have the source crew pulled up here. And this is exactly -- have run into this case tree here on seat says hey it that string length. Is not equal to 23. Then go ahead and throw their error and accident. I've been running into some problems here and I'll go ahead and show you why is there are some other examples that they know that work. And I'm not sure it's just a matter of it being format it wrong or not try hitting it properly. But it actually tried now arcade and maybe just once the first is that the problem here is this that 23 what with the -- would be sixteen. Characters or. Eight bytes right but I'm given sixteen bytes -- there when it look at that. So what's going on we'll take a look and and go ahead and open up one of the demo data files that comes with. Where's your parents at that comes with its sleeve in fact I go over to data you can see here we have DPP TP dump. And if you take a look at the read me they explain what the passwords are in stuff for these demos they can get feel for the program without doing any capturing your around. Well had a over the wire stark and as I have already done with my last one and filtering for chapped. And I can see here we go our challenge. Your data. You'll notice that that is just as long as 32 characters or sixteen bit that there tax. As what I had before. Responses just long. Names and in the clear. But interestingly if I run this is the crackers actually works. So. It's. Give that it shot announces this is actually a dated -- so. Rather than just passing the taxied for the challenged in the dash. We can actually give -- a packet captures so if it's in a you know. You know format like you'd get with -- wires her her. The -- roller Ettercap any of those. 
We can actually go and just run it through the -- it will find this stuff for us and they -- absolutely realistic look. -- and give it our words. That and more. And in this case and it's gonna answer -- art read from file and saying data's PP TP dot com. And you can see that it on the username Scots and the you know the challenge. And the response. And we can actually find these this for here 8160. That's actually -- the two bytes at the end of the Intel and hash so. From now we can you know -- get this too and it trailing by accident -- one if it is that the password of the users pack in our dictionary file. We're going to find that. I don't believe that is in this dictionary file one that we created specifically for Paul I believe -- for this is just a sleep. -- Q -- sleep or something like that. Of the surprises say this does work sadly it don't have the dictionary file that still does this but he is one that I believe comes of the default distribution. So you know. I -- you know higher you go ahead and play with its bulletin very cool cool. Downloaded from. From Will Wright blog it's will hack for sushi. And and give it tribe because you know it certainly does work and are just or right after pure whites that will write anyway. But you can see that the discrepancy there and concede the tone here where is it it's yet I have been spending a long time. Trying to figure this out and this is the part where I actually have a successful. It's I now but but I'm actually here oh very curious as to why this is Morton is everything that I've seen. It would indicate that this should actually be. Only sixteen characters -- RE eight -- rather than you know what I'm getting here so. I'm not really sure and that's why I'm asking you guys in Ireland you know our keynote just -- you can figure that out. But still nonetheless very -- I could probably take what I have read here and put you into a text file. 
With like the user coal in an and the challenge Cologne Cologne called caller respond. And through that through it John the ripper which found that we've never talked right here and play outside the scope of this segment. Then email me if you wanna talk about X prize signal on itself. But anyway you could probably crack it that way. But. The point being it's -- very cool. Application. Two here that's gonna allow us to take advantage of the inherent weaknesses in them just happened I think. While my demo -- here in that I can't get the right challenge. -- and what not I think I am successful in and displaying it just how weak it is just lit in here we can find the last two bytes. That hash in the demo files so go ahead and take a look at the tool for yourself run the demos and see what you guys can do and I guess its -- here is really. That you know and that's -- is inherently flawed. It's been ten years. And maybe it's time uses look at it different protocol and I'm nice feature PP PP is is worth. You know. Tacking on that much more effort when there's other particles that we will in the rest of this."
" EPA and series be looking at so -- in for the rest of the series as we take a look at LT TP. And -- peace -- and then setting up here and open VP and server -- and -- some stuff with the UPS's and tunnels and home routers and it just goes on and on that you guys your feedback. Definitely very important because it influences. This series the whole show for that matter so of course feedback Hak5 categories return on that. We'll hackers who she's -- by Joshua -- blog to download asleep. And you can find the -- show notes that anything talked about here today. Hak5 dot org. And you can flame me on Twitter for not getting this right Hak5 care."
" The best way to provide technical support is to do it on -- we go to assists expressed. You can help friends learn how to use -- software or fixed him with computer problems without being there in person good to assist express lets you easily view and -- And control computer on line she can quickly resolve technical issues. Whether your customer support technical consulting or management or just a computer guru. Good to -- express will help you increase revenue reduced travel support time. And service more clients try go to -- express free for thirty days for the special offer you must visit good to assist dot com slash Hak5. That's good to -- dot com forward slash H a K five for a free trial."
" But just about wraps up this episode of Hak5. The first word from Paul."
" The -- I'm gonna work. -- send email to people can have fun. That's question. Antenna FaceBook who that's where they of his book FaceBook slash analyst."
" And commit Twitter themselves. -- If he has been looking for one of these lately Hak5 dot org slash store's place again as well as -- stickers community service. Yeah actually harassing him that now our outlook knew each and I was -- the -- in -- about that and turns out that the place that makes and there -- broke so they were out of commission for like two weeks everything got pushed back the that we have. That new designs it's coming out soon. So I keep and I found that the -- I -- on. Now I know -- its its all about the capital. I mean we could just go with one of these you know places that does everything for you and then you know make about 10% on the back Anderson crap like so. And if we're ever going to make this you know continue. We really. Appreciate your support because it keeps us doing show. So thank you for everybody that has donated. And let's see what else is going on. -- and -- so we've got a really good when she and instant on Linux device hacking. And I can go and SSH tunneling some fun stuff they may not talk about the USH. Tunnels and gone back and forth and all work stuff."
" Man in need can't count. We all our eyes that threat Hak5 dot org is the place to find all of this shows including season one through three elusive. At first trilogy. That's an original the original trilogy you know it's like -- we should've started with -- fact I've season 4569. On the prequel. And it'll charge Oregon on. Anyway it's."
" Now not too far or not -- with the words and I'm. -- that."
" They're just again."
" That's -- yeah we actually just one night thinking cap so you know it's like -- out. My laptop it's not like."
HD 30FPS version jacked up
Verified by multiple downloads to different computers on both WinXP and OSX. kthxbye!