Feb 4 2009

Hak5 Episode 425

Hey guys, thanks for watching!  I pretty much detailed everything out in the show notes, but if there are any other questions feel free to contact me!


Jan 31 2009

January 2009

~16 minutes left in January.

It’s amazing how fast the first month of a new year goes by.  Those older than me probably recognize this better, but it’s definitely becoming more noticeable as I get older.  One minute you’re toasting some champagne with your friends and the next, well… you’re on the fast track to the next year. :)

In any event, this month was pretty interesting.  We started the new year off near Baltimore with friends, and then I went out to Vegas to cover CES with Hak5.  I got the plague while I was there, and unfortunately didn’t get to do any partying with all the awesome people I met out there.

After recovering from the plague and spending a couple of weekends just enjoying Richmond, I went back down to the HakHouse last night and recorded a segment on USB device tracking, for which I owe a great deal of thanks to Harlan Carvey, both for his book and for his help with my understanding of the Windows registry. :)

February’s looking to be a very interesting month.  Shmoocon this coming Friday, and my birthday 6 days later.  Valentine’s Day, and then a pretty busy rest of the month.  Looking forward to seeing everyone at Shmoocon and hopefully seeing some new faces.

Peace


Jan 5 2009

SecuraBit, CES, Hak5, Life

I love my crazy titles. ;)

Now that I have been out of the Navy 3 months, I have learned precisely how bad my time management skills really are. It’s a funny thing really, but something I now know about and aim to fix, though not this week. Here’s the lineup from now till the end of the month:

- Tonight at 9:30pm EST I will be doing a quick SecuraByte with Rob Fuller (aka mubix), Tom Eston (aka agent0x0 from Security Justice) and geekgrrl (whose name I have just learned is Melissa), and perhaps some others.

- Wednesday is a normal SecuraBit show, with another one likely coming next Wed as well to make up for the holidays.

- Thurs-Sun is CES, which is going to be a very crazy fun time.

- I’m taking my GCFA exam hopefully a week from Saturday if we can crash at our friends’ place in Norfolk.

- More Hak5 segments, though my next one likely won’t be filmed until one of the last 2 weekends of the month due to the schedule.

I’m definitely going to be looking at some time management books, and perhaps trying some of the GTD (Getting Things Done) type stuff. I waste a lot of my time and although I am firmly a hedonistic creature, there is a point where some goals and tracking them are good for more than work related things.

I want to thank everyone who reads this blog, as seldom as I do update. :)


Dec 1 2008

Hak5 Episode 413

Hey guys,

Darren was nice enough to include the full notes I sent to him in the actual posting on Rev3, but here’s a copy in case you wander over this way.
If you’re ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you!  The overall goal is to be able to load a forensic .dd image into an environment where you can interact at the user level with it, and perform some initial analysis that may help to paint the overall picture of what happened later on.

Requirements:

- A Helix live CD (any of their versions should work, but I recommend 2.0)
- Any machine that has an OS which is compatible with VMware
- Either a removable drive, or enough free space on a network share to push the .dd image out to
- Live View
- Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.

Helix is a forensic Live CD with loads of tools.  We’re focused on just the image acquisition part today.  For the most part, the default options are fine, just specify where you are outputting the .dd image to and you’re on your way!

Install Live View and make sure you either let it install the necessary components, or already have VMware installed ahead of time.  It tends to not like the absolute newest version of VMware Server, so ideally use the older one that it suggests.  Open the .dd image with Live View, and either Start it directly or Generate the config files.  Should you encounter problems with Starting it directly, use the generate config files option and then manually open the .vmx/.vmdk file from within VMware itself.  Don’t forget to check the settings on the new VM and make sure the operating system is set correctly, the program does not always autodetect it.

In layman’s terms, this takes the forensic image and converts it to a virtual machine format, so you can interact with it as if you were the user.  It does not write anything to the .dd image at all, but obviously I suggest using this with a COPY of the original .dd image you make of the suspect machine.
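Since the whole point is to work from a copy and never from the original image, here is an added example (mine, not part of the segment and not Live View or Helix code) that makes that working copy and proves it matches before you point Live View at it. The source is hashed in the same pass that copies it, the copy is re-read and hashed on its own, and a `.sha256` sidecar is written next to the copy. The file names and the sidecar convention are assumptions for illustration.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a multi-GB image never sits in RAM


def sha256_file(path, chunk=CHUNK):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verified_copy(src, dst, chunk=CHUNK):
    """Copy a .dd image to a working file and verify the copy.

    The original is hashed while it is being read (one pass over it), the
    destination is then re-read and hashed on its own, and the copy is only
    kept if both digests agree.  Returns the digest; raises on mismatch.
    """
    h = hashlib.sha256()
    # "xb" refuses to clobber an existing file, so a typo cannot overwrite an image
    with open(src, "rb") as fin, open(dst, "xb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            h.update(block)
            fout.write(block)
    src_digest = h.hexdigest()
    dst_digest = sha256_file(dst, chunk)
    if dst_digest != src_digest:
        os.remove(dst)  # never leave a known-bad copy lying around
        raise ValueError("copy %s does not match %s" % (dst, src))
    # Record the digest next to the copy (assumed sidecar format, sha256sum -c style)
    with open(dst + ".sha256", "w") as f:
        f.write("%s  %s\n" % (src_digest, os.path.basename(dst)))
    return src_digest


def verify_image(path, expected_digest, chunk=CHUNK):
    """True if the image still hashes to the digest recorded at copy time."""
    return sha256_file(path, chunk) == expected_digest


if __name__ == "__main__":
    import sys
    # Usage: python verified_copy.py suspect.dd work.dd
    print(verified_copy(sys.argv[1], sys.argv[2]))
```

Run `verify_image` against the recorded digest after a Live View session if you want to be sure nothing touched the copy, and keep the original image read-only on its own media.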

Have fun!


Oct 29 2008

Packet Sniffing (ala Hak5 406/408/409)

I must apologize again for the lack of show notes lately.  I didn’t make the time I should’ve.

Anyway, getting down to business:

I focused in on a couple of things during this series, as trying to compact the entirety of the OSI model and TCP/IP/wireshark would just be impossible, and I would probably have to charge you money. :)

I wanted to really focus on allowing people to understand the foundation of how the internet is kind of built, without having to memorize all sorts of terms.  At the same time, I wanted to delve a little deeper into the TCP/IP portions of a packet and really allow people to understand what a packet is and does in terms of communication.  Finally, I wanted to show them a tool that pretty much every seasoned IT professional has used to look at packets and perform analysis of any sort.

For 406/408, I highly recommend just reading wikipedia articles and RFC’s if you are really interested in learning more about this.  I also suggest finding a decent TCP/IP book.  I don’t want to be an advertising link whore so I won’t be spewing out an amazon associate link to a random IT book here.

In 409, I used wireshark’s own manual and wiki, which is just stellar.  Here is a link to their documentation page:  http://www.wireshark.org/docs/.  Trust me, there are far more advanced things you can do with their filters/expressions.
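The IP and TCP parts of a packet that 408 walks through are easier to see in code than in a diagram, so here is an added example (mine, not from the episodes or from Wireshark) that builds one constructed IPv4/TCP SYN, dissects the headers back out the way a sniffer does, and rejects a packet whose IPv4 header checksum does not verify. The addresses and ports are made up.

```python
import socket
import struct

# TCP flag bits in the low 9 bits of the data-offset/flags word (RFC 793 / RFC 3168)
TCP_FLAGS = (("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080), ("NS", 0x100))


def ip_checksum(header):
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Dissect the IPv4 header; raises ValueError if the checksum is wrong."""
    (vihl, tos, total_len, ident, frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    header = packet[:ihl]
    # recompute with the checksum field zeroed and compare to what is on the wire
    if ip_checksum(header[:10] + b"\x00\x00" + header[12:]) != csum:
        raise ValueError("bad IPv4 header checksum")
    return {
        "ihl": ihl, "total_length": total_len, "ttl": ttl, "protocol": proto,
        "dont_fragment": bool(frag & 0x4000), "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst), "payload": packet[ihl:total_len],
    }


def parse_tcp(segment):
    """Dissect the fixed 20-byte TCP header (options are kept raw, not decoded)."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flags = [name for name, bit in TCP_FLAGS if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "flags": flags, "options": segment[20:data_off], "payload": segment[data_off:]}


def dissect(packet):
    """IPv4 first, then TCP if the protocol field says 6."""
    ip = parse_ipv4(packet)
    if ip["protocol"] == 6:
        ip["tcp"] = parse_tcp(ip["payload"])
    return ip


def build_sample():
    """Constructed SYN from 192.168.1.10:40000 to 10.0.0.5:80 (not a real capture)."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    total = 20 + len(tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5"))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp


if __name__ == "__main__":
    pkt = dissect(build_sample())
    print("%s -> %s ttl=%d" % (pkt["src"], pkt["dst"], pkt["ttl"]))
    print("tcp %d -> %d flags=%s" % (pkt["tcp"]["sport"], pkt["tcp"]["dport"], pkt["tcp"]["flags"]))
```

Feed `dissect` the bytes of a real frame (minus the 14-byte Ethernet header) exported from Wireshark and the fields line up with what its IP and TCP trees show; the TCP checksum is left unverified here because it needs the IPv4 pseudo-header as well.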

If you have any specific requests, please contact me either via feedback@hak5.org, this site, or you can also IM me through my digsby widget on the front page of the site if you allow it.


Sep 17 2008

Hak5 Episode 403 Show Notes!

Hey guys,

Thanks for watching part 2 of the reverse engineering series.  HUGE thanks to Chris Gates of LSO as well as Pedro D’Aquino whose solution I drew heavily on in order to create a logical walkthrough of how to solve the Crackme.

Crackmes are pieces of software that allow people to gain practical experience in reverse engineering without having to resort to less legal means of exercising their skills.  There are numerous sites out there that offer them.

Chris Gates, a friend of mine, started releasing crackmes as contests a while back, and I covered one of them on 3x07.  The basic overview of this particular executable is that there are 4 buttons that appear in a GUI when the program is launched.  The top 3 buttons play tones, and the bottom button plays 3 tones that are supposed to match the top 3 tones.  Initially, they do not match, so it is up to you to figure out how to modify that executable in order for it to match.

We use Lutz Roeder’s .NET Reflector to open up the .exe initially, as it looks like managed code.  From there, after a little looking around, it’s apparent that something is amiss with this code, and that it’s not displaying like it should.  The problem is that the real .exe is compressed within this using something called NETZ.  In the show we go through how to unpack this .exe.  Here is the full python script:

#import zlib library
import zlib
#open the file which contains the compressed executable
fZip = open("zipped.zip", "rb") #we use 'b' as it is a binary file
#create the file in which we will store the unpacked exe
fUnzip = open("Crackme03Original.exe", "wb")
#read the contents of the zipped file
compressedData = fZip.read()
#..and unzip it (NETZ stores the real .exe as a zlib stream)
uncompressedData = zlib.decompress(compressedData)
#Write it to the file and we're done!
fUnzip.write(uncompressedData)
fZip.close()
fUnzip.close()

After this, we open up the new .exe in .NET Reflector and find that the main windows form is called Form1, and Play_Click gives us a big tell that we’re closing in on what we have to modify.  The program is checking the tones through comparison of hardcoded values of an array against hardcoded constants.  If you look in the dropdown menu under the toolbar there should be an IL selection, which shows the way the array is initialized.

Hovering the mouse over the instruction should give you the bytecodes you need.  From there, it’s as simple as converting hex and replacing values as shown in the segment.
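To show what "converting hex and replacing values" looks like when you do it on the file rather than in a hex editor by eye, here is an added example (mine, not from the segment or from Pedro’s solution). It assumes the constants show up as `ldc.i4` instructions, which ECMA-335 encodes as opcode 0x20 followed by a little-endian int32, and it refuses to patch unless that 5-byte pattern occurs exactly once, so an accidental match elsewhere in the file does not get clobbered. The sample method body and the values 440/660/880 are constructed; the Crackme’s real constants and offsets are not reproduced.

```python
import struct

LDC_I4 = 0x20  # CIL opcode "ldc.i4": push the following little-endian int32 (ECMA-335)


def ldc_i4(value):
    """Bytes of `ldc.i4 value`, the same bytecodes Reflector shows in IL view."""
    return bytes([LDC_I4]) + struct.pack("<i", value)


def find_constant(image, value):
    """Every offset in the file where `ldc.i4 value` occurs."""
    needle, offsets, start = ldc_i4(value), [], 0
    while True:
        i = image.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def patch_constant(image, old, new):
    """Rewrite the single `ldc.i4 old` in image to `ldc.i4 new`.

    Refuses when the pattern is absent or appears more than once: a 5-byte
    pattern can also occur by accident elsewhere in the file, and patching
    the wrong place corrupts the executable instead of fixing the tones.
    The replacement is the same length, so no other offset moves.
    """
    hits = find_constant(image, old)
    if len(hits) != 1:
        raise ValueError("expected exactly one ldc.i4 %d, found %d" % (old, len(hits)))
    off = hits[0]
    return image[:off] + ldc_i4(new) + image[off + 5:]


def patch_file(src, dst, replacements):
    """Apply (old, new) constant swaps to a copy of src; src itself is never written."""
    with open(src, "rb") as f:
        image = f.read()
    for old, new in replacements:
        image = patch_constant(image, old, new)
    with open(dst, "wb") as f:
        f.write(image)
    return len(replacements)


# Constructed stand-in for a method body: "ldc.i4 440; stloc.0; ldc.i4 660; stloc.1; ret".
# stloc.0 = 0x0A, stloc.1 = 0x0B, ret = 0x2A.  The real Crackme's values are not used here.
SAMPLE_IL = ldc_i4(440) + b"\x0a" + ldc_i4(660) + b"\x0b" + b"\x2a"

if __name__ == "__main__":
    patched = patch_constant(SAMPLE_IL, 440, 880)
    print(SAMPLE_IL.hex(), "->", patched.hex())
```

Patching bytes in place like this keeps the file size and every other offset intact, which is why it works on an unpacked managed .exe; if the assembly were strong-name signed the runtime would reject the modified file, and you would have to re-sign or remove the signature first.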

For the full solution, please head over to LSO and to Pedro’s solution.  All the credit goes to him as he has an extremely good writeup that is very easy to follow.

See you next time!

PS:  cowboy informed me that there is a plugin for .NET Reflector called ReflixII that will help patch the .exe a little easier than manual hex editing.


Sep 16 2008

New Episode of Hak5 tomorrow!

I’ll have my show notes up from the segment I did for episode 403 tomorrow.  It will be out at noon EST at Hak5 and Revision3.


Aug 31 2008

Hak5 joins Revision3, 401 and 402 filming.

What a whirlwind!

I’m a bit late to the punch again but as you all know, Hak5 signed an agreement with Revision 3 networks.  You can find the press release here.  This is huge for us, and lets us focus our efforts on getting the show made without having to worry about marketing or distribution.  We film, send the footage to Rev3, who then does their thing with it, and releases it for us.  The first episode will be September 8th, at midnight, followed by the second episode 2 days later on September 10th, at noon.  From then on, every single week there will be a new Hak5 show, always at noon on Wednesday.

I guess a benefit of not getting around to writing that until now is that we filmed 401 and 402 yesterday and already I can see the benefit of having Rev3 onboard with us.  Filming 2 episodes in one day seemed daunting, and initially was, but mainly because we hadn’t filmed an entire show in many months, so we had to spray a little WD40 and work out some kinks.  Once that was done, we were able to start rocking and rolling, and the technolust was strong.  Yesterday’s experience tells me that within a month or two, we will be so comfortable in creating the shows, that not only should we be able to complete our shooting faster, but everyone involved will be very comfortable with one another, and it will show when we throw back and forth to each set.

One problem with the way things were done before, was that we were trying to shoot a good hour or more of stuff one weekend a month.  This, along with some procrastination, had us waiting until the weekend before the 5th each month to shoot everything and edit it to get it out the door.  You would think that switching to a weekly release format would be too much for us to handle, but the opposite is true, and here’s why:

  • Totally redesigned set:  There are now 3 different sets in the house.  The “China” set in the corner, the “main” set on the same wall the monolith used to be, and then the “side” set (I apologize if I don’t know the official names for these sets, it just isn’t something my brain cares to remember) which is usually where I will be, along with any guests we have.
  • Segment schedule, calendar, and scratchpad.  We now have dedicated documents that we can all go in and edit that have the segment listing for all of the upcoming shoots, who is doing what, how long their segment is roughly going to be, along with notes, links, and all that good stuff.  We had a mailing list before, but this time we’re serious about it and everyone is participating and communicating much more effectively.
  • Experience:  Darren, Matt, Paul are the seasoned warriors of this trade and it really helps.  I’m inching along and getting better, and I think it showed last night when I did my segment.  I was more comfortable in front of the camera than I had ever been before.  Standing in with Matt on his segment was still something I need to get better at though, in terms of asking questions and taking charge of the flow, as a “watson” seems to have to do.  Christine and Shannon are picking this stuff up extremely well, and probably have a better camera presence than I do, of course they’re social creatures. :)

I’m very much looking forward to these next 2 years.  There is a TON of good content lined up, and we’re eager to show it to all of you!


Jul 23 2008

Juggling 3 things is always tough

Juggling 30 is well, 10 times as hard?.. ;)

It’s actually not as bad as it seems sometimes.  Things usually have a way of working through their cycles regardless of your input.  Obviously if you care about the results you want, there will be participation on your behalf though.

SecuraBit is getting larger, but the cool thing is that we have an amazing selection of people behind it, and that really helps because no single person has to think of everything, run everything.  It’s a group effort, which makes for less pressure on each individual.  We’ll be doing our bi-weekly shows as usual, but also some spontaneous shows whenever we get the itch, such as the show Rob and Anthony ran the other night to get some timely comments in on the whole DNS fiasco that’s gone public.  If you haven’t heard about it, and you’re in some way or another involved with IT, I would highly suggest doing some quick reading on the matter and either patching your stuff, or getting the word out to your staff to do it.

Hak5 is about to start hitting full force again.  I’m looking forward to participating in creating some more technolust for all who are interested to enjoy.  We have some pretty good ideas kicking around so far, one of which involves possibly stomping all over the warranty on my 2008 highlander, and boy do I ever love voiding warranties on things. :)

I’m torn between staying in the area, and moving a few hours away.  There are some pretty kickass jobs up towards DC that would be VERY rewarding professionally, yet I hate the idea of being so far from the people who make life fun, my friends.  I’ll know more in a few weeks as I edge closer to the time in which I must make an absolute decision.  Either way, I already drive at minimum an hour each way on most weekends, so 3 hours wouldn’t be that much more painful.


Jun 16 2008

Happenings and what not

I’ll try not to go weeks without updating again :) .  I’ve been pretty busy with my job hunt, the SecuraBit show, and with Christine lately.  This past weekend we headed up to Richmond to see Robert Schimmel perform at the Funny Bone there, and it was a pretty decent show.  Saturday night a bunch of us went out to a new place on the oceanfront, where Christine lost her purse/phone/everything (well, stolen would be my assumption) and I got the high score on the Mrs. Pac Man machine there, although I neglected to take a picture, most likely because my score was only about 35,000ish and nothing to boast about for me.

Season 4 of Hak5 is looming and I have some ideas written down in our little brainstorming area.  I’m going to add a couple of more once I’m done writing this, and hopefully I’ll be able to deliver better quality stuff this season.

Last night we watched the movie “Funny Games”, which I thought was good, but entirely too slow for my taste.  I think I’m too Americanized, where I need explosions and plot twists every 3 seconds, vice every hour.  I do recommend watching it, however.