Dumping NTLM Hashes

Since discovering Hashcat, password cracking has become something of a hobby of mine, enough that I bought my first video card in about 15 years (I am not much of a modern gamer).

Although the card is nothing flash (a GT750), it does the job. We all start small.

Having physical access to a machine most likely means you will not need to crack a password to get at the data on the device (a bootable Linux USB will do), but sometimes it's all about knowing the password itself. The password could be the keys to the kingdom.

And I am curious about what people pick for passwords. I am kind of passionate about password security.

I get clients on a daily basis who have forgotten the passwords for their home Windows machines, and while I can easily back up their data, I also like to tell them that their password was Petsname1 (or some other “creative” concoction) and that it's time to start using more secure passwords. Because reasons.

Grabbing an NTLM hash is as easy as BackBox, bkhive, samdump2…

The reason I use BackBox is that I find it boots on everything I need it to boot on. And the reason I used bkhive to dump the system key, rather than having samdump2 dump both the key and the hashes, is that samdump2 alone was not dumping properly: I was getting incorrect keys and incorrect, uncrackable hashes. I'm just showing the way that works for me.

Getting the Hash

  1. Boot up from Bootable BackBox USB
  2. Open Terminal
  3. Mount victim hard drive
  4. Change directory to directorywheredrivewasmounted/Windows/System32/config
  5. Type in bkhive SYSTEM key.txt. From a forensic point of view this creates a file right there in the config folder that someone could find later on, even if you delete it.
  6. Type in samdump2 SAM key.txt > hashes.txt. Again, from a forensic point of view this file is being written to the local drive and could be discovered later on.

You now have a file, hashes.txt, that contains the hashed password of each user from that machine.
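As an added triage check (not part of the original post), this Python 3 script lists anything in a mounted Windows config folder that is not a standard hive, log or subfolder name, which is how the key.txt and hashes.txt files written by the steps above would stand out to a later examiner. The known-name sets are my assumptions for recent Windows versions and may need extending; the sample folder is constructed in code.

```python
import os
import re
import tempfile

# Hive and helper names normally found in Windows\System32\config; an assumption for
# recent Windows versions, extend it for the build being examined.
KNOWN_STEMS = {"SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT", "COMPONENTS",
               "DRIVERS", "BCD-TEMPLATE", "ELAM", "BBI", "USERDIFF"}
KNOWN_SUBDIRS = {"RegBack", "TxR", "systemprofile", "Journal"}


def unexpected_entries(config_dir):
    """Return names in config_dir whose stem (text before the first '.' or '{')
    is not a known hive name, plus any unknown subfolder. Hive transaction logs
    such as SYSTEM.LOG1 or SAM{GUID}.TxR.0.regtrans-ms share their hive's stem
    and are therefore treated as expected."""
    odd = []
    for name in sorted(os.listdir(config_dir)):
        if os.path.isdir(os.path.join(config_dir, name)):
            if name not in KNOWN_SUBDIRS:
                odd.append(name + "/")
            continue
        stem = re.split(r"[.{]", name, maxsplit=1)[0].upper()
        if stem not in KNOWN_STEMS:
            odd.append(name)
    return odd


def build_sample_config_dir():
    """Construct a throwaway folder mimicking the config directory after the dump
    steps above ran in it (constructed sample, all files empty)."""
    d = tempfile.mkdtemp(prefix="config_")
    for name in ("SAM", "SAM.LOG1", "SYSTEM", "SYSTEM.LOG1", "SOFTWARE",
                 "SECURITY", "DEFAULT", "key.txt", "hashes.txt"):
        open(os.path.join(d, name), "w").close()
    os.mkdir(os.path.join(d, "RegBack"))
    return d


if __name__ == "__main__":
    sample = build_sample_config_dir()
    for entry in unexpected_entries(sample):
        print("unexpected:", entry)   # prints hashes.txt and key.txt
```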

Installing Screen for FreeBSD

Screen is an application that allows a user to run multiple sessions within a single terminal window. This is handy if multiple programs are required to be run simultaneously by allowing the user to swap between different ‘screens’ to view the output. Another feature of screen is the ability to restore a remote session if a connection is lost. Using screen is a great habit to get into, especially when running tasks that require a longer running time, such as when installing updates or compiling software.

To install screen ensure your ports are up-to-date by running:
portsnap fetch update

After this completes you will need to change into the directory that the screen port is located:
cd /usr/ports/sysutils/screen

And then to install screen type:
make install clean

Screen will now be installed.

One example for using screen is so that you can restore a remote session if a connection is lost. To do this type in screen after logging in via ssh.

If the connection is lost, log back in via ssh and type screen -RD, and the session will be restored where you left off.

I hope you find this information useful!

 

Repair Windows Boot Errors

Not being able to boot into Windows can be frustrating and can often lead to the dreaded re-installation of Windows. This doesn’t have to be the case, with some boot troubles easily fixed using tools provided on your installation media.

Disclaimer: Before undertaking any of the steps below, create a backup of your files. This can be done by booting from a bootable USB stick (Windows Installation Media or a Live Linux distro) and transferring files to an external drive. I am not responsible for data lost undertaking these repairs. If you are unable to access your hard drive using bootable media you might have a dead hard drive.

I have used these steps to troubleshoot the following errors:

  • INACCESSIBLE_BOOT_DEVICE Blue Screen
  • Blinking White Cursor
  • Stuck on Windows 10 Spinning Wheel
  • Booting to Recovery Mode

CHKDSK

Often overlooked, your boot troubles could be something as simple as errors within the file system, or files required at boot sitting in bad sectors.

To run chkdsk (check disk) you will need to boot up from a bootable Windows Installation DVD or USB stick and choose the Command Prompt from recovery options.

At the command prompt run the following command:

  • chkdsk /r

The /r switch fixes errors on the disk, locates bad sectors, and attempts to recover readable information from those sectors.

CMOS Settings

Sometimes boot issues can be caused by incorrect CMOS settings. With most machines you can access CMOS by pressing DEL when powering up. If this doesn’t work you might need to press ESC first to pause ‘fast boot’. You will then be shown a menu listing the key you need to press to access CMOS (also referred to as the BIOS).

Once in CMOS check that SATA mode is set correctly, i.e. IDE, AHCI, or RAID. Be sure to save changes upon exit.

A flat CMOS battery will reset the CMOS settings to their defaults. If the settings were changed from the default before installing Windows (e.g. from IDE to AHCI) and CMOS is then reset, Windows will fail to boot.

A user inadvertently holding the power button in for an extended period of time (or a sticky power button) can also cause CMOS to be reset.

If you are unsure what setting you need, try swapping from the default to IDE or AHCI.

Bootrec

Bootrec is a tool found on Windows Installation Media. To use this tool you will need to boot up from a bootable Windows Installation DVD or USB stick and choose the Command Prompt from recovery options.

At the command prompt run the following commands:

  • bootrec /FixMbr
  • bootrec /FixBoot
  • bootrec /RebuildBcd

bootrec /FixMbr writes a new master boot record to the system partition.

bootrec /FixBoot writes a new boot sector to the drive.

bootrec /RebuildBcd searches available hard drives for installations of Windows and adds them to the boot configuration data. If you have multiple hard drives containing Windows installations these will be added to BCD.

If bootrec /RebuildBcd finds no installations, I have found that running bootsect /nt60 all /mbr, rebooting (back to a command prompt), and then running bootrec /RebuildBcd again allows the Windows installation to be added to the BCD.

bootsect /nt60 all /mbr applies the master boot code compatible with BOOTMGR. BOOTMGR is used by Windows Vista, Windows 7, Windows 8, and Windows 10.

Windows XP uses NTLDR which requires the switch /nt52 rather than /nt60.

Also, if you are still using Windows XP it might be time to upgrade!

Diskpart

Diskpart can be found on Windows Installation Media. To use this boot up from a bootable Windows DVD or USB and choose the Command Prompt from recovery options.

Steps for Diskpart will differ from machine to machine, but I usually find Disk 0 is the main hard drive, and the largest partition (Possibly Partition 1) is the Windows Installation partition.

At the command prompt run the following commands, taking into account your differing Disk and Partition numbers:

  • Diskpart
    Opens the Diskpart Utility
  • List Disk
    This allows you to view the number of a disk
  • Select Disk #
    Replace # with the number of the disk shown above, possibly ‘0’
  • List Partition
    This allows you to view partition numbers
  • Select Partition #
    Replace # with the number of the partition shown above, possibly ‘1’
  • Active
    This marks the partition as an active system partition.
  • Exit
    Quits Diskpart Utility
  • Bootrec /RebuildBcd
    Searches available hard drives for installations of Windows and adds them to the boot configuration data.

For some machines I have also had to run Extend after running Active in the steps above. Extend is meant for extending a freshly created partition, so I am not 100% sure why this has been successful for me.

I hope this post is able to help someone out!

White Screen of Death (WordPress)

I had a recurring issue with several clients’ WordPress boxes that would get a ‘white screen of death’ when logging into the dashboard.

The affected URLs appeared to be example.com/wp-admin/ and also example.com/wp-login.php

The rest of the site appeared to work fine without issue.

The fix in my cases was to enable cURL support for PHP on the server.

Problem solved and clients are not having issues logging in.

OS X Internet Recovery Error 2100D

I recently decided to overhaul my 2011 MacBook Air and perform a fresh install of OS X. Of course this turned out to be a much bigger job than anticipated.

Booting into OS X Recovery, I was able to reinstall OS X, but much to my surprise everything was still on my machine. This is usually the best case scenario, but I was looking for a fresh out of box state.

I booted up with Kali and formatted the hard drive. I then booted into Internet Recovery by holding Option, Command & R while powering on the device. This is when the trouble started.

The first issue was not getting past the WiFi selection screen. I would connect to my wireless network and then watch the spinning globe go round and round. I left this running for a few hours thinking it was downloading OS X in the background.

When I realised that nothing was downloading I rebooted the MacBook Air into Internet Recovery. This time I was greeted with error 2100D, and a note that more information could be found on apple.com/support. There was very little information in regards to 2100D.

I rebooted again several times, and was greeted with the same infinite spinning globe, another occurrence of error 2100D, and a new error – 2100F – again with a message explaining I could find more information on apple.com/support. This one was a little more informative and appears to be to do with a bad internet connection.

Google Search provided the usual fanboy answer. The only fix is to take it to a Genius Bar.

I changed my router’s DNS from my local DNSMASQ server to Google’s DNS. Still unable to get past the WiFi selection screen.

I tried several wireless network setting configurations before coming back to WPA/WPA2, which, according to Apple, is the only connection type supported for running Internet Recovery. With everything set as Apple requires, I was still unable to perform Internet Recovery.

I eventually put it down to a bad configuration setting in my router. Looking through the router configuration I noticed the in-built DNSMASQ was enabled, and there was an option to use DNSMASQ for DHCP and DNS. I turned both of these on, rebooted into Internet Recovery, and OS X is now downloading.

KeePass Dictionary Attack

Update

Python 3 version can be found on GitHub.

Updated page can be viewed here.

KeePass Dictionary Attack – Python 2.7

import libkeepass

filename = 'sample.kdbx'    # Enter name of KeePass database
wordlist = 'passwords.txt'  # Enter name of password list

with open(wordlist) as f:
    for line in f:
        password = line.strip()  # one candidate password per line
        try:
            # libkeepass raises IOError when the candidate does not unlock the database
            with libkeepass.open(filename, password=password) as kdb:
                print '\n \n Password has been found. Your password is ' + repr(password)
                break
        except IOError:
            print 'Trying password:  ' + password

I wrote this script for a class I was teaching on using Password Managers. Even though we were implementing a Password Manager, some students still insisted on using simple passwords, thus leaving their password manager vulnerable to a simple dictionary attack. It is by no means an elaborate script, but was enough to outline to my students why we should use strong passwords to protect sensitive data.

Screenshot: The KeePass Dictionary Attack script displaying the password found for a KeePass database.

To use this script you will need access to a wordlist. There are many wordlists around and a quick Google search for ‘wordlist’ will link you to several. A list of the top 500 worst passwords can be found here.

You will also need to download and install the libkeepass module. To install this module you may also need to download Microsoft Visual C++ compiler for Python 2.7.

The KeePass Dictionary Attack script will cycle through the lines of the password list and then display the password if it finds a match. This password will then let you open and view the passwords stored in the database. Currently, there is no message displayed if the password isn’t found.

Protecting yourself

A KeePass database using the default values can be attacked at a fairly reasonable pace, depending on the speed of the attacking PC of course.

To help protect against a KeePass Dictionary Attack you can try some of the options found here – this doesn’t prevent an attacker running this script but does dramatically slow the attacker down.

Dictionary Attack

A dictionary attack is when an attacker uses a wordlist of common passwords to attempt entry into your account/devices/files/etc. This is often successful due to people using simple dictionary words for passwords – to avoid this kind of attack ensure you use long, unique passwords.
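An added check in Python 3 (not the post's own script) that flags the kind of master password a wordlist run finds: a dictionary word with a digit or symbol tacked on, the Petsname1 style mentioned at the top of this page, with common letter substitutions undone before the lookup. SAMPLE_WORDLIST is a constructed stand-in for a list such as the top-500 worst passwords the post links to.

```python
import re

# Constructed stand-in for a wordlist such as the "top 500 worst passwords" list.
SAMPLE_WORDLIST = """
password
123456
qwerty
letmein
dragon
monkey
rex
"""

# Substitutions people use to "strengthen" a dictionary word; reversed before lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def load_wordlist(text):
    """One password per line, lowercased, blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def candidate_bases(password):
    """Return the dictionary words a password could have been built from:
    lowercased, with leading/trailing digits and symbols removed, and with
    leet substitutions reversed."""
    lowered = password.lower()
    bases = set()
    for variant in (lowered, lowered.translate(LEET)):
        bases.add(variant)
        bases.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", variant))
    bases.discard("")
    return bases


def weak_reasons(password, wordlist, min_len=12):
    """List why a password is a poor master password; an empty list means no finding."""
    reasons = []
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    for base in sorted(candidate_bases(password)):
        if base in wordlist:
            reasons.append("dictionary word %r with trivial decoration" % base)
            break
    return reasons


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for pw in ("Petsname1", "Rex1", "P@ssw0rd", "Monkey2015", "correct horse battery staple"):
        print(pw, "->", weak_reasons(pw, words) or "ok")
```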

Windows 3.1.1 Virtual Box

For a bit of fun I thought I would run Windows 3.1.1 in a Virtual Box.

Although I spent my early days mucking around on MSDOS, I do remember coming across Windows 3.1.1 on some old machines I was dismantling as a kid.

I really do like the simple GUI, it’s just nice to look at. Just takes you back.

Create an old school gaming console with RetroPie

Single-board computers such as the Raspberry Pi are quickly surpassing the computers of yesteryear. They are perfect for building all kinds of projects, and when looking for a way to emulate the old SNES, N64 and DOS games I played as a kid, I stumbled across RetroPie. It is simple to set up and I will elaborate more below. For this project you will need a Raspberry Pi 2. I have attempted to do this with a Raspberry Pi B+ but I found it was a little slow emulating some games. The Pi 2 has played everything I have wanted to play so far, and I might put together a list of games I have had success playing. I have done this using Windows, but if I get time I will write up a Linux or Mac tutorial as well. Note: I have kept these steps very simple, but if you need a hand let me know and I may be able to assist.


What hardware do you need?

Raspberry Pi 2 – Get from your favorite electronic shop or buy online.
Micro USB Cable – To power your Pi. You are bound to have one or two of these around the house somewhere.
USB Wall Adapter – To power your Pi. Again, you most likely have one of these around the house. Think phone/tablet/etc.
Micro SD Card – For installing the operating system/storing the games. I’ve used a Verbatim 8GB Class 4 Micro SDHC
Ethernet Cable – To connect your Pi to the internet. You are bound to have one of these around the house.
Keyboard – To use as a controller. I am looking to get some USB SNES controllers; when I do I will add my experience with them on here.
HDMI cable – To connect to your TV.
Case for the Raspberry Pi – To help protect your Pi. Plenty of different options available.

What software do you need?

Win32 Disk Imager – For copying the SD Card Image to the SD Card.
FileZilla Client – For transferring games to the Raspberry Pi.
RetroPie SD Card Image – I downloaded version 3.0 for Raspberry Pi 2.
WinRAR – To extract the .img file from the compressed RetroPie SD Card Image.

Lets get started

First things first: download and install Win32 Disk Imager, FileZilla Client and WinRAR. Download the RetroPie SD Card image and extract the .img file, using WinRAR, to the Desktop.

Copying the RetroPie image to the Micro SD Card

  1. Make sure your SD card is in your card reader.
  2. Check your device drive letter in Computer and select that from the Device drop down box.
  3. Type the path for the SD card image we extracted earlier. e.g. C:/Users/PCUser/Desktop/retropie-v3.0rc1-rpi2.img
  4. Press Write. If you get the message:
     “Writing to a physical device can corrupt the device.
     (Target Device: [D:\])
     Are you sure you want to continue?”
     Press ‘Yes’. The image will now be copied over to the SD Card. You will be prompted with the message box below when the transfer has finished.

Setting up RetroPie

After the image has copied over successfully, put the SD card into your Raspberry Pi and power it on. Ensure you have your Pi plugged into the TV via HDMI and plugged into your home network via the Ethernet cable. If all has gone well you should eventually see this screen.


RetroPie recognises if you have no controllers. You will need to configure your controller. In this case I am just using a standard keyboard. Hold a key on the keyboard and set the keys to whatever you wish.


After you have completed this configuration press the Menu button and then select quit. A prompt will appear asking if you want to quit Emulation Station. Press yes. You will then need to press any key (where’s the any key?) to get the terminal emulator, otherwise Emulation Station will restart.

Some simple configuration

Now we will be presented with the terminal emulator, in which we will run a few commands. First type in sudo raspi-config and press enter. The first option is expand filesystem. Select this and press enter again. This is the only option we really need at the moment, but it is also wise to change the password from raspberry to something a little more unique. You can change other settings (timezone, overclock, etc.) but none of them are needed for RetroPie to work; feel free to have a look through the menu.

After looking through the menu select finish. You will be asked if you wish to reboot. Select ‘no’ for now.

The next command we will type is ifconfig. Ifconfig will show us the Raspberry Pi’s IP address. You will find this information under eth0 on the line starting with inet address, e.g. 10.0.0.6 or 192.168.20.13 or something similar. Take note of this IP.

Now we can reboot the raspberry pi. Type in the command sudo reboot

The Raspberry Pi will reboot back into Emulation Station.

Copying games over using FileZilla

Open FileZilla. In the Quickconnect bar, type in your IP address, username (pi), password (raspberry if you haven’t updated the default) and set the port to 22. Click quickconnect.


Once connected you will see a list of folders. Double click the RetroPie folder. Double click the ROMS folder. Choose the Gaming console and transfer the ROM file into the folder. For this example I have chosen PC.


Transfer your ROM folder into the correct game console folder. For example I have transferred the Jazz Jackrabbit folder into the PC folder.


Close FileZilla and you are ready to play.

Playing Games

Power on the Pi so that it boots into EmulationStation. Simply select the gaming console you wish to use and the games should be listed underneath. Select your game and it will open the emulator and play. If you are going to play DOS games, you will need to open DOSBox under the IBM menu. Type in the commands to open the exe and you’re right to go.

Happy gaming!
