Hak5 Episode 425
Hey guys, thanks for watching! I pretty much detailed everything out in the show notes, but if there are any other questions feel free to contact me!
I love my crazy titles.
Now that I have been out of the Navy 3 months, I have learned precisely how bad my time management skills really are. It’s a funny thing really, but something I now know about and aim to fix, though not this week. Here’s the lineup from now till the end of the month:
- Tonight at 9:30pm EST I will be doing a quick SecuraByte with Rob Fuller (aka mubix), Tom Eston (aka agent0x0 from Security Justice) and geekgrrl (whose name I have just learned is Melissa), and perhaps some others.
- Wednesday is a normal SecuraBit show, with another one likely coming next Wed as well to make up for the holidays.
- Thurs-Sun is CES, which is going to be a very crazy fun time.
- I’m taking my GCFA exam hopefully a week from Saturday if we can crash at our friends’ place in Norfolk.
- More Hak5 segments, though my next one likely won’t be filmed until one of the last 2 weekends of the month due to the schedule.
I’m definitely going to be looking at some time management books, and perhaps trying some of the GTD (Getting Things Done) type stuff. I waste a lot of my time and although I am firmly a hedonistic creature, there is a point where some goals and tracking them are good for more than work related things.
I want to thank everyone who reads this blog, as seldom as I do update.
Hey guys,
Darren was nice enough to include the full notes I sent to him in the actual posting on Rev3, but here’s a copy in case you wander over this way.
If you’re ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you! The overall goal is to be able to load a forensic .dd image into an environment where you can interact at the user level with it, and perform some initial analysis that may help to paint the overall picture of what happened later on.
Requirements:
- A Helix live CD (any of their versions should work, but I recommend 2.0)
- Any machine that has an OS which is compatible with VMware
- Either a removable drive, or enough free space on a network share to push the .dd image out to
- Live View
Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.
Helix is a forensic Live CD with loads of tools. We’re focused on just the image acquisition part today. For the most part, the default options are fine, just specify where you are outputting the .dd image to and you’re on your way!
Install Live View and make sure you either let it install the necessary components, or already have VMware installed ahead of time. It tends not to like the absolute newest version of VMware Server, so ideally use the older one that it suggests. Open the .dd image with Live View, and either Start it directly or Generate the config files. Should you encounter problems with Starting it directly, use the Generate config files option and then manually open the .vmx/.vmdk file from within VMware itself. Don’t forget to check the settings on the new VM and make sure the operating system is set correctly; the program does not always autodetect it.
In layman’s terms, this takes the forensic image and converts it to a virtual machine format, so you can interact with it as if you were the user. It does not write anything to the .dd image at all, but obviously I suggest using this with a COPY of the original .dd image you make of the suspect machine.
Have fun!
I must apologize again for the lack of show notes lately. I didn’t make the time I should’ve.
Anyway, getting down to business:
I focused in on a couple of things during this series, as trying to compact the entirety of the OSI model and TCP/IP/wireshark would just be impossible, and I would probably have to charge you money.
I wanted to really focus on allowing people to understand the foundation of how the internet is kind of built, without having to memorize all sorts of terms. At the same time, I wanted to delve a little deeper into the TCP/IP portions of a packet and really allow people to understand what a packet is and does in terms of communication. Finally, I wanted to show them a tool that pretty much every seasoned IT professional has used to look at packets and perform analysis of any sort.
For 406/408, I highly recommend just reading Wikipedia articles and RFCs if you are really interested in learning more about this. I also suggest finding a decent TCP/IP book. I don’t want to be an advertising link whore so I won’t be spewing out an Amazon associate link to a random IT book here.
In 409, I used wireshark’s own manual and wiki, which is just stellar. Here is a link to their documentation page: http://www.wireshark.org/docs/. Trust me, there are far more advanced things you can do with their filters/expressions.
If you have any specific requests, please contact me either via feedback@hak5.org, this site, or you can also IM me through my digsby widget on the front page of the site if you allow it.
Hey guys,
Thanks for watching part 2 of the reverse engineering series. HUGE thanks to Chris Gates of LSO as well as Pedro D’Aquino whose solution I drew heavily on in order to create a logical walkthrough of how to solve the Crackme.
Crackmes are pieces of software that allow people to gain practical experience in reverse engineering without having to resort to less legal means of exercising their skills. There are numerous sites out there that offer them.
Chris Gates, a friend of mine, started releasing crackmes as contests awhile back, and I covered one of them on 3x07. The basic overview of this particular executable is that there are 4 buttons that appear in a GUI when the program is launched. The top 3 buttons play tones, and the bottom button plays 3 tones that are supposed to match the top 3 tones. Initially, they do not match, so it is up to you to figure out how to modify that executable in order for it to match.
We use Lutz Roeder’s .NET Reflector to open up the .exe initially, as it looks like managed code. From there, after a little looking around, it’s apparent that something is amiss with this code, and that it’s not displaying like it should. The problem is that the real .exe is compressed within this using something called NETZ. In the show we go through how to unpack this .exe. Here is the full python script:
#import zlib library
import zlib
#open the file which contains the compressed executable
fZip = open("zipped.zip", "rb") #we use 'b' as it is a binary file
#create the file in which we will store the unpacked exe
fUnzip = open("Crackme03Original.exe", "wb")
#read the contents of the zipped file
compressedData = fZip.read()
#..and unzip it (the resource is a raw zlib stream, so zlib.decompress handles it directly)
uncompressedData = zlib.decompress(compressedData)
#Write it to the file and we're done!
fUnzip.write(uncompressedData)
fZip.close()
fUnzip.close()
exit()
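As an added example (not the script from the episode, and not modelling the NETZ wrapper layout itself), this generalizes the unpack step: instead of assuming the compressed resource has already been saved to zipped.zip, it scans a file for zlib stream headers, tries to decompress each candidate, and keeps only one that decodes to something with a valid PE header. The "packed" input here is a constructed sample built inline, not the crackme.

```python
import zlib

# Constructed sample: a fake packed file whose payload is a zlib stream wrapping a
# minimal PE-like image (MZ header, e_lfanew = 0x40, "PE\0\0" at 0x40) with filler
# bytes on either side. This stands in for the NETZ-wrapped exe; it is not real NETZ.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 200
FAKE_PACKED = b"netz-wrapper-bytes" + zlib.compress(FAKE_PAYLOAD) + b"trailing"

# Common zlib header byte pairs (CMF 0x78 with the usual FLG values).
ZLIB_MAGIC = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with MZ and e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_zlib_streams(blob: bytes):
    """Yield (offset, decompressed_bytes) for each offset where a complete zlib stream decodes."""
    for off in range(len(blob) - 1):
        if blob[off:off + 2] not in ZLIB_MAGIC:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[off:])  # trailing bytes land in d.unused_data
        except zlib.error:
            continue  # false positive on the magic bytes, keep scanning
        if d.eof:  # only accept streams that reached their adler32 trailer
            yield off, out


def unpack_netz_like(blob: bytes):
    """Return (offset, image_bytes) for the first carved stream that is a PE, else None."""
    for off, out in carve_zlib_streams(blob):
        if looks_like_pe(out):
            return off, out
    return None


if __name__ == "__main__":
    found = unpack_netz_like(FAKE_PACKED)
    if found:
        print("PE image found at offset %d, %d bytes" % (found[0], len(found[1])))
```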
After this, we open up the new .exe in .NET Reflector and find that the main Windows form is called Form1, and Play_Click gives us a big tell that we’re closing in on what we have to modify. The program is checking the tones through comparison of hardcoded values in an array against hardcoded constants. If you look in the dropdown menu under the toolbar there should be an IL selection, which shows the way the array is initialized.
Hovering the mouse over the instruction should give you the bytecodes you need. From there, it’s as simple as converting hex and replacing values as shown in the segment.
For the full solution, please head over to LSO and to Pedro’s solution. All the credit goes to him as he has an extremely good writeup that is very easy to follow.
See you next time!
PS: cowboy informed me that there is a plugin for .NET Reflector called Reflexil that will help patch the .exe a little easier than manual hex editing.
What a whirlwind!
I’m a bit late to the punch again but as you all know, Hak5 signed an agreement with Revision 3 networks. You can find the press release here. This is huge for us, and lets us focus our efforts on getting the show made without having to worry about marketing or distribution. We film, send the footage to Rev3, who then does their thing with it, and releases it for us. The first episode will be September 8th, at midnight, followed by the second episode 2 days later on September 10th, at noon. From then on, every single week there will be a new Hak5 show, always at noon on Wednesday.
I guess a benefit of not getting around to writing that until now is that we filmed 401 and 402 yesterday and already I can see the benefit of having Rev3 onboard with us. Filming 2 episodes in one day seemed daunting, and initially was, but mainly because we hadn’t filmed an entire show in many months, so we had to spray a little WD40 and work out some kinks. Once that was done, we were able to start rocking and rolling, and the technolust was strong. Yesterday’s experience tells me that within a month or two, we will be so comfortable in creating the shows, that not only should we be able to complete our shooting faster, but everyone involved will be very comfortable with one another, and it will show when we throw back and forth to each set.
One problem with the way things were done before, was that we were trying to shoot a good hour or more of stuff one weekend a month. This, along with some procrastination, had us waiting until the weekend before the 5th each month to shoot everything and edit it to get it out the door. You would think that switching to a weekly release format would be too much for us to handle, but the opposite is true, and here’s why:
I’m very much looking forward to these next 2 years. There is a TON of good content lined up, and we’re eager to show it to all of you!
I’m going to be meeting up with my friend Anthony this week to do a pilot show for the security oriented “podcast” I want to fool around with. We’re still trying to nail down a format that will be unique enough for me to be satisfied, as well as the length, but I think that will all come together soon. He has some hosting for the site I want to put together for it, but there are some issues to iron out with that before we can go public with the site/show. Regardless of whether or not that gets figured out there will be a site/forums to go along with the show when we launch it.
This past weekend I did the visiting Christine routine up in MD. We did the 105 degree variant of Yoga on Friday, and that was sure something. 90 minutes of sweating, stretching, and slurping down water so you don’t pass out. I probably wasn’t the best candidate for it because I am a bit out of shape, but I did feel pretty damn good afterwards. The teacher could’ve been a little nicer, as we had a totalitarian dominatrix it felt like. You can find a yoga mat/towel for under 40 bucks combined in most places. It was $8 per person for the actual session where we went. A gym membership is still a better deal for general workouts.
While I was up there we went to the Orioles vs Yankees game on Saturday, where Baltimore triumphed 6-0. There was nearly a fight in front of us where about 25-30 people got ejected from the game after at least 5 cops showed up. It would’ve been 5 vs 20ish though, which would not have been very pretty. I guess it’s quite a rivalry, although I wouldn’t know as I don’t really follow baseball.
If there’s filming this coming weekend for Hak5 3×10 I will most likely be doing some more reverse engineering type stuff. I’m going to see if I can’t get what I have in mind working.
So the live show was interesting Sat. Thanks to all that tuned in. I need a better way to manage the incoming callers and stuff.
I’m listening to dubstep, an offshoot of my buddy Greg’s freshsets site that has listeners this time around. Really good music. Check em out at http://www.dubterrain.net/
In other news, I won’t be able to go to Defcon this year. So I will likely see all the security types at Shmoocon once again next year.
There will be a Hak5 Live show this Saturday the 12th, at 7pm EST. Details will be on http://www.hak5.org and probably hak5live.org too. I’ve got a couple of goodies to talk about and hopefully announce something pretty awesome.
I can consistently make it to 81% in Green Grass and High Tides by The Outlaws in Rock Band now. I have to learn how to correctly play those sets of 3 notes which just go up and down the frets during that part. It’s pretty ridiculous. I’m very happy though, it’s a tough, tough song and gives me a really fun challenge.
I submitted my CPE’s for the Intrusion Detection Systems training I gave at work the last 2 weeks, which brings me up to a pretty decent number so far since I obtained the CISSP. I may convert some of my material into a format I can put up on the site here.