Hacking WPA, ESXi and iSCSI, Bypass Windows Passwords


Hacking WPA, ESXi and iSCSI, Bypass Windows Passwords

Darren's Hacking WPA-PSK keys using the recently updated Cowpatty and some damn fine lookup tables. Connecting ESXi to iSCSI targets -- Matt breaks it down with FreeNAS. And Shannon completely bypasses local Windows logins with a Kernel modifyin' boot cd? w00t!

This week's episode covers the following topics. Click to jump:

- Cracking WPA Keys with Cowpatty
- ESXi & iSCSI
- Bypass Windows Local Logins

Cracking WPA Keys with Cowpatty

Excerpt Darren Kitchen's blog

A lot has changed since I last talked about WPA Cracking on Hak5. Specifically Joshua Wright, author of CowPatty has released a new version that dramatically changes the way one thinks about cracking WPA and WPA2 TKIP keys.

The most notable new feature in Cowpatty 4.5 is the "-2" option, which only requires the first two frames of the 4-way handshake to start attacking.

By removing the need for the third and fourth frames of the handshake, an attacker is now more likely to successfully crack WPA keys when channel hopping. Furthermore, the lack of the third and fourth frame opens up a world of possibilities when it comes to trapping targets with rogue access points, or "honey pots".

An example scenario illustrated on Wright's blog details how an attacker may pose as a victim's corporate wireless access point. Since it doesn't matter if the target associates with the honey pot, anything from hostap to a spare WPA supporting access point with a bogus key will due.

Of course this has our friend Robin Wood pondering a Jasager plugin.
Pineapples anyone?

As for carrying out the attack it's pretty straight forward. I BackTrack as my hacking OS of choice coupled with an eee PC or Acer Aspire One. When it comes to Wireless I'm a big fan of the ALFA AWUS036H 500mW USB Wireless Adapter.

Other tools needed to carry out the attack include WPA tables like these SSID specific Cowpatty WPA Tables from Offensive Security and the Aircrack-ng suite.

The commands are pretty straight forward and well highlighted in the episode. There are a number of ways to go about this so if you've got another method you'd like to share with me, questions about this, or suggestions for future topics drop me a line. darren[at]hak5=dot=org.


Excerpt Matt Lestock's blog

So the series I’ve been doing on ESXi has been getting nothing but great feedback, and I’m glad that I can share what I’ve learned over the course of the last couple years with everyone.
On episode 518 of Hak5, we show how truly easy it is to add iSCSI storage to a free deployment of ESXi.

So what is iSCSI?

In computing, iSCSI (pronounced /??s'k?zi/), is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a popular storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

In simpler terms, using some free software, it’s stupid easy to create a large amount of storage which is not tied to the physical adapter of the host server (in this case, the server ESXi is running on).

So what do we need?

- Functioning ESXi Installation
- Server capable of running FreeNAS
- Gigabit connectivity between ESXi server and FreeNAS

Now let’s get started. While it’s recommended to separate your iSCSI traffic from your other internet networking, for the purpose of this instruction, we’re just going to use the same IP subnet for all of our LAN and iSCSI traffic.

Our ESXi server sits at and our newly installed FreeNAS server is located at

1) Connect to your FreeNAS server through the WebGUI using your favorite browser. In the top menu select Disks, then click Management.

2) Click on the plus sign in the lower right corner to add drives.

3) Next to Disk, choose the drive you want to add from the drop down, and if you want enter a description for it next to Description.

4) When you go back to the Disk Management screen you will be asked to confirm the addition by clicking on Apply changes, go ahead and do that now.

5) From the top menu choose Services, then iSCSI Target.

6) Click on the plus sign in the Extent area.

7) The Bolded fields are required, so place a name in the Extent name field, leave the Type as Device, and then choose the Device you want in the dropdown.

8) When you get back to the iSCSI Target page click on Apply changes.

9) Click on the plus sign in the Target area.

10) As before the Bolded fields are required. Here is a breakdown of the fields:

Target name: Add your own or leave the default
Flags: RW for Read/Write or RO for Read Only
Storage: Will have the extents listed that were setup, choose the one you want to use
Authorized Network: Enter the IP network that can access this drive. For us we’re going to enter and we’ll leave the /24 as our subnet is

11) Once you fill in all the info click on Add.

12) Back at the iSCSI target page you need to click on Apply changes once again.

13) Now place a check in the box next to Enable in the top right corner and then click Save and Restart in the bottom left.

The iSCSI Target drive is now setup and ready for use.

14) Now we need to setup ESXi to connect to our newly created iSCSI target.
- Start by logging into your your host by using the Vitrual Infrastructure Client.
- Click on your host, and then click the configuration tab.
- Click Storage adapters, and then select your VMHBA32 iSCSI storage adapter.
- Click properties and configure, then check the enabled box.
Goto the dynamic discovery tab, and add your FreeNAS IP address (in this case,
- Click ok, then close, and then rescan the HBA.

15) At this point you should see your storage, now we need to format the new storage.
- So click back to the storage option on the left.
- Then click Add Storage.
- Select Disk / Lun, and click next.
- Select your new disk on the FreeNAS iSCSI target, and next, next, finish.


Questions? Post em in the comments!

Bypass Windows Local Logins

Excerpt Shannon Morse's blog


Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was acctually started as silly project of mine, which was born from my never-ending memory problems :) Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far :) Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

So basically, Kon-Boot enables you to log into any Windows or Linux password protected computer without knowing the password or anything about it.

The tech behind it? Kon-Boot basically latches onto parts of the memory and starts patching parts of the kernel (the Brain!), mainly the parts that have to do with the log-on auth and security. These patches let you logon without a password. Then, the bootkit does it so quickly that it leaves no footprints behind after you leave.


To do this:
Go to the website above and download Kon-Boot, open the zip file, and burn the .iso to a disc. I use ImgBurner because it is fast, easy, and FREE.

Shut down the computer you intend to get on to. When booting up, if it isn’t already set to boot from CD (or flashdrive, or whatever Kon-Boot is on), go into the BIOS and set it. You should see the Kon-Boot splash screen for a few seconds, then the username/password screen will appear with the main username already set if they have it saved. If not you need to know the username ahead of time. Press enter or type in some random characters (it doesn’t really matter) and press enter. You’re in!

Now party, snoop around, and get that file you wanted. Get your flashdrive or CD out, then shut the computer back off like usual.

Protecting yourself:
Password protect your BIOS!
True Crypt your entire harddrive!