Showing posts with label Hacking. Show all posts

Saturday, 17 August 2013

Simple methods to get a System Shell in Windows

There are several ways to get a SYSTEM shell on Windows without knowing the administrator password.

One way is to see which tasks on the taskbar were launched as SYSTEM, explore them and look for an Open File dialog box, which can then be used to launch cmd.exe.  Another way is to see if cmd.exe can be launched as a service with SYSTEM privileges.

If you can bring up a local command prompt, even one under a restricted account, it costs nothing to try the following.  Two caveats: creating a service needs the SC_MANAGER_CREATE_SERVICE right, which the default SCM security descriptor grants only to Administrators and SYSTEM, so this mostly helps when you have an admin session that policy has locked down rather than a plain user account; and the interactive service type it relies on only shows the window on the user's desktop on XP/2003.  On Vista and 7 the window opens in Session 0 and is reachable only through the Interactive Services Detection prompt, and from Windows 8 onward interactive services are disabled by default.  Run:


sc create testsvc binpath= "cmd /K start" type= own type= interact
sc start testsvc



You can name the service whatever you want, like WindowsUpdateDaemon, and the best part is that the service can be stopped and restarted at any time, giving a fresh SYSTEM prompt on each start.

And of course to remove the service:

sc delete testsvc
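What this trick leaves behind is easy to hunt for: a service whose binary path is a shell rather than an absolute path to a real executable, with the interactive type flag set, running as LocalSystem.  The following is an added example, not code from the original post: it parses `sc qc` output and flags such services.  The sample output below is constructed; on a real host you would feed it the concatenated output of `sc qc <name>` for each name listed by `sc query`.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `sc qc <name>` output for two services: the one left
# behind by the sc create command above and an ordinary built-in one.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: testsvc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : cmd /K start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WindowsUpdateDaemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
"""

SHELL_BINARIES = ("cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh.exe",
                  "wscript.exe", "cscript.exe")

@dataclass
class ServiceConfig:
    name: str
    type_flags: int
    interactive: bool
    binary_path: str
    start_name: str
    findings: list = field(default_factory=list)

def parse_sc_qc(text):
    """Split concatenated `sc qc` output into ServiceConfig records."""
    services = []
    for chunk in re.split(r"^SERVICE_NAME:\s*", text, flags=re.M)[1:]:
        lines = chunk.splitlines()
        fields = {}
        for line in lines[1:]:
            m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        type_str = fields.get("TYPE", "0")
        type_flags = int(type_str.split()[0], 16)   # sc prints the type in hex
        services.append(ServiceConfig(
            name=lines[0].strip(),
            type_flags=type_flags,
            interactive=bool(type_flags & 0x100) or "interactive" in type_str.lower(),
            binary_path=fields.get("BINARY_PATH_NAME", ""),
            start_name=fields.get("SERVICE_START_NAME", ""),
        ))
    return services

def first_token(cmdline):
    """The executable part of a service command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""

def audit_service(svc):
    exe = first_token(svc.binary_path).lower()
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    if svc.interactive:
        svc.findings.append("interactive service type (SERVICE_INTERACTIVE_PROCESS)")
    if base in SHELL_BINARIES:
        svc.findings.append("binary path launches a shell interpreter: " + svc.binary_path)
    # drivers legitimately use \SystemRoot\... and \??\... prefixes
    if exe and not re.match(r"^([a-z]:\\|\\systemroot\\|\\\?\?\\)", exe):
        svc.findings.append("binary path is not absolute (resolved through PATH at start)")
    if svc.findings and svc.start_name.lower() in ("localsystem", "nt authority\\system"):
        svc.findings.append("runs as LocalSystem")
    return svc.findings

def find_suspicious(text):
    """{service name: [findings]} for every service with at least one finding."""
    result = {}
    for svc in parse_sc_qc(text):
        if audit_service(svc):
            result[svc.name] = svc.findings
    return result

if __name__ == "__main__":
    for name, findings in find_suspicious(SAMPLE_SC_QC).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The audit deliberately keys on the combination rather than any single attribute: plenty of legitimate services run as LocalSystem, but none of them should have a bare `cmd` as their image path.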


So what can you do with this?
If you were locked out of removing programs, editing services, checking system properties, or anything that runs inside an MMC console, you can probably invoke these now from the SYSTEM command line.  Most of these snap-ins live in the system32 folder.  Some may be missing or disabled by policy, but there is no harm in trying.
Services Management        services.msc
Shared Folders             fsmgmt.msc
Remote Desktops            tsmmc.msc
Group Policy Management    gpmc.msc
Computer Management        compmgmt.msc

Bigger list here:  http://social.technet.microsoft.com/wiki/contents/articles/417.windows-mmc-snap-ins-msc.aspx


Ref: http://blogs.msdn.com/b/adioltean/archive/2004/11/27/271063.aspx

WindyCityTech Blogger
WindyWindyCityTech Wordpress

Saturday, 30 March 2013

Compiling aircrack-ng suite on Raspberry Pi Raspbian



Why?  Because you can.  I'm doing this on the stock, upgraded Raspbian distro, kernel 3.6.11+.

Prerequisites are a brain and knowledge of Linux and the Raspberry Pi.  Casual tech self-abusers should go and do some research first, and yes, the Pi is helping them come out of the woodwork.

Compiling from the release tarball does not work; it has not been updated for a while.  Just check out the SVN trunk instead:


sudo apt-get update
sudo apt-get upgrade

sudo apt-get install libssl-dev subversion iw
svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
cd aircrack-ng
make
sudo make install


airmon-ng is no longer compiled during make by the looks of it, but it is in aircrack-ng/scripts.

You can make it executable with chmod +x airmon-ng, then copy it to the same path where aircrack-ng is installed, i.e.
/usr/local/bin/

To get airodump-ng to work properly, you may need to stop the services that airmon-ng complains about when it is run, as they otherwise keep fighting you for the interface.
Go to /etc/init.d and
sudo ./ifplugd stop

then sudo killall the rest of the processes that airmon-ng lists:

PID    Name
1589    ifplugd
1617    ifplugd
2380    dhclient
16076    ifplugd
16088    wpa_supplicant
16146    wpa_cli
Process with PID 16076 (ifplugd) is running on interface wlan0
Process with PID 16088 (wpa_supplicant) is running on interface wlan0
Process with PID 16146 (wpa_cli) is running on interface wlan0


Seems to work ok

pi@raspberrypi /etc/init.d $ sudo aireplay-ng -9 mon0
00:03:07  Trying broadcast probe requests...
00:03:07  Injection is working!
00:03:09  Found 2 APs

00:03:09  Trying directed probe requests...
00:03:09  ########### - channel: 6 - '#########'
00:03:10  Ping (min/avg/max): 1.637ms/22.619ms/103.341ms Power: -51.40
00:03:10  30/30: 100%

00:03:10  ########## - channel: 6 - '#####'
00:03:11  Ping (min/avg/max): 2.875ms/32.890ms/87.744ms Power: -54.83
00:03:11  30/30: 100%



Tuesday, 18 December 2012

Privacy Risk on new ebay.com.au website: First and Last Name in Cleartext

The new ebay.com.au website has been released with much fanfare, but the creators of the website have now decided to embed the user's first name and last name on most pages visited.  The text is delivered over plain HTTP and can easily be captured over the air or on the wire using Wireshark.

Steps to replicate:
  1. Log in to ebay.com.au with correct credentials
  2. Navigate to the home page
  3. Hover the mouse over the top left-hand corner under the "G'Day <First Name>"
  4. Be greeted with a hover-over panel with <First Name> <Last Name> in plain sight.

Conducting a Wireshark trace illustrates the issue.  A string search in the packet details for GH_alertData will display the first / last name.



Why is this bad:
An attacker on the same network can trivially harvest your first name, last name and eBay ID and use them to craft a convincing phishing email, or collect the data for further attacks.

Where can this happen:
The most likely place is an unencrypted wireless network, i.e. at the airport or the cafe.  Wired networks are also vulnerable to anyone who can see the traffic (a tap, a mirrored port or ARP spoofing).

What can eBay do:
Secure the website by serving the entire site over HTTPS, so that neither the page content nor the session cookie ever travels in the clear.

What else sucks:
On an internet connection that can stall, i.e. 3G/Wi-Fi, the hover function can time out and throw up the message "We're sorry, there was a problem retrieving this information".  Now the user cannot easily log out without refreshing the page, so the session stays live.
Sidejack friendly...
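As an added example (not part of the original post), here is the check a reviewer would run over a captured HTTP exchange to confirm the two problems above: personal data in a cleartext response body, and a session cookie that travels over plain HTTP because it was set without the Secure flag.  The capture is constructed; the host name, cookie name and the exact shape of the GH_alertData fragment are hypothetical stand-ins, since the page does not show the real markup.

```python
import re

# Constructed capture of two request/response pairs modelled on the symptom
# above.  Host, cookie name and the GH_alertData layout are hypothetical
# stand-ins, not real eBay markup.
CAPTURE = [
    {
        "scheme": "http",
        "request": (b"GET / HTTP/1.1\r\nHost: www.example-auction.test\r\n"
                    b"Cookie: sessid=abc123\r\n\r\n"),
        "response": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     b"Set-Cookie: sessid=abc123; Path=/\r\n\r\n"
                     b"<html>... var GH_alertData = {\"firstName\":\"Jane\","
                     b"\"lastName\":\"Citizen\"}; ...</html>"),
    },
    {
        "scheme": "https",
        "request": (b"GET /myaccount HTTP/1.1\r\nHost: www.example-auction.test\r\n"
                    b"Cookie: sessid=abc123\r\n\r\n"),
        "response": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     b"Set-Cookie: sessid=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
                     b"<html>ok</html>"),
    },
]

PII_MARKERS = (b"GH_alertData", b"firstName", b"lastName")

def split_http(raw):
    """Return (start line, {lower-cased header name: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def extract_name(body):
    """Recover the name the way a sniffer would, from the hypothetical fragment."""
    m = re.search(rb'"firstName":"([^"]*)","lastName":"([^"]*)"', body)
    return m.group(1).decode() + " " + m.group(2).decode() if m else None

def check_exchange(ex):
    findings = []
    _, req_hdrs, _ = split_http(ex["request"])
    _, resp_hdrs, body = split_http(ex["response"])
    cleartext = ex["scheme"] == "http"
    if cleartext and b"cookie" in req_hdrs:
        findings.append("session cookie sent over cleartext HTTP (sidejackable)")
    if cleartext and any(marker in body for marker in PII_MARKERS):
        findings.append("personal data in a cleartext response body")
    for sc in resp_hdrs.get(b"set-cookie", []):
        attrs = [a.strip().lower() for a in sc.split(b";")[1:]]
        if b"secure" not in attrs:
            findings.append("Set-Cookie without Secure: browser will also send it over http")
        if b"httponly" not in attrs:
            findings.append("Set-Cookie without HttpOnly")
    return findings

def audit_capture(capture):
    """One findings list per exchange, in capture order."""
    return [check_exchange(ex) for ex in capture]

if __name__ == "__main__":
    for i, findings in enumerate(audit_capture(CAPTURE)):
        print(CAPTURE[i]["scheme"], findings or "clean")
    print("leaked:", extract_name(CAPTURE[0]["response"]))
```

Moving the whole site to HTTPS fixes the first two findings; the Secure attribute on the cookie is what makes the third one stick, because without it a single http:// link or image is enough to make the browser send the session cookie in the clear again.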





Saturday, 1 September 2012

Notes on how to back up AR7 router firmware using telnet

Source: http://ar7.wikispaces.com/Firmware

# cat /dev/mtdblock/0 > /var/oldfs.img
# cat /dev/mtdblock/1 > /var/oldkernel.img
# cat /dev/mtdblock/2 > /var/Original_ADAM2.img
# cat /dev/mtdblock/3 > /var/mtd3.img
# /usr/sbin/thttpd -g -d /var -u root -p 1080
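Added example, not from the source page: the router has no Python, so this runs on the workstation.  It turns the router's /proc/mtd listing into the cat lines above for every partition (instead of hard-coding four) and verifies each image after you fetch it from thttpd, because a truncated or all-0xFF image is how a backup turns out to be useless exactly when you need it.  The /proc/mtd sample and its partition names are constructed; the page does not show the real labels.

```python
import hashlib
import re

# Constructed /proc/mtd listing.  The AR7 unit above has four partitions
# (mtdblock/0..3) but the page does not show their labels, so these names
# and sizes are hypothetical.
SAMPLE_PROC_MTD = """dev:    size   erasesize  name
mtd0: 003a0000 00010000 "filesystem"
mtd1: 00040000 00010000 "kernel"
mtd2: 00010000 00010000 "adam2"
mtd3: 00010000 00010000 "config"
"""

def parse_proc_mtd(text):
    """Return [{'index', 'size', 'erasesize', 'name'}] per mtdN line, sizes in bytes."""
    parts = []
    for line in text.splitlines():
        m = re.match(r'mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"', line)
        if m:
            parts.append({"index": int(m.group(1)), "size": int(m.group(2), 16),
                          "erasesize": int(m.group(3), 16), "name": m.group(4)})
    return parts

def backup_commands(proc_mtd_text, outdir="/var"):
    """Busybox-compatible lines to paste into the router's telnet session."""
    cmds = [f'cat /dev/mtdblock/{p["index"]} > {outdir}/mtd{p["index"]}_{p["name"]}.img'
            for p in parse_proc_mtd(proc_mtd_text)]
    cmds.append(f"/usr/sbin/thttpd -g -d {outdir} -u root -p 1080")
    return cmds

def verify_image(data, expected_size):
    """Check an image fetched from the router: exact size, not blank flash; return its SHA-256."""
    if len(data) != expected_size:
        raise ValueError(f"image is {len(data)} bytes but the partition is {expected_size}: "
                         "truncated copy or wrong device")
    blank = data.count(0xFF) == len(data) or data.count(0) == len(data)
    return {"sha256": hashlib.sha256(data).hexdigest(), "blank": blank}

if __name__ == "__main__":
    # Step 1: print the lines to paste into the router.
    for cmd in backup_commands(SAMPLE_PROC_MTD):
        print(cmd)
    # Step 2 (after fetching each .img via http://<router>:1080/): verify it.
    import sys
    parts = {p["index"]: p for p in parse_proc_mtd(SAMPLE_PROC_MTD)}
    for path in sys.argv[1:]:
        idx = int(re.search(r"mtd(\d+)_", path).group(1))
        with open(path, "rb") as fh:
            print(path, verify_image(fh.read(), parts[idx]["size"]))
```

Keep the printed SHA-256 next to the images: when you later need to decide whether a dump is the one you took before a firmware change, a hash is the only thing that answers that.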



Sunday, 19 August 2012

LMMC header on DLink router file: decoding the zlib stream with zpipe, plaintext password

LMMC header on router file, decoding.

Inspired by http://www.koshatul.com/

Tested on a D-Link DSL-G604T

Downloading the config file dumps a config.bin.  The file starts with an LMMC header, and a zlib stream follows it.

Strip the header to get a raw zlib stream (one 20-byte block skipped):
dd if=config.bin of=test.config.bin.z bs=20 skip=1


Download the zlib source and extract it: http://zlib.net/zlib-1.2.7.tar.gz
Go to the examples folder and compile zpipe.c with
gcc -o zpipe zpipe.c -lz
Now you will have a binary called zpipe.

Copy zpipe to where the config file is and run
./zpipe -d < test.config.bin.z > config.txt

Now open config.txt and view the plaintext, password included!
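The same decode in Python, as an added example that is not from the page or from koshatul.com: it skips the 20-byte LMMC header that the dd command above assumes, and if that offset does not yield a complete zlib stream it scans for a valid zlib header instead, so it copes with a firmware whose header length differs.  config.bin is stand-in data built inline with zlib, and the config body is invented.

```python
import re
import zlib

HEADER_LEN = 20  # the dd command above skips one 20-byte block before the zlib data

# Constructed stand-in for config.bin: LMMC magic, 16 bytes of unknown header
# content, then the zlib-compressed settings.  The XML-ish body is invented.
SAMPLE_CONFIG = (b"<adsl>\n  <username>admin</username>\n"
                 b"  <password>hunter2</password>\n</adsl>\n")
SAMPLE_BIN = b"LMMC" + bytes(16) + zlib.compress(SAMPLE_CONFIG)

def zlib_header_at(blob, off):
    """True if blob[off:off+2] is a valid zlib stream header (deflate, FCHECK ok)."""
    if off + 1 >= len(blob):
        return False
    cmf, flg = blob[off], blob[off + 1]
    return (cmf & 0x0F) == 8 and (cmf * 256 + flg) % 31 == 0

def extract_config(blob):
    """Decompress the config: try the 20-byte header first, then scan for a stream."""
    if not blob.startswith(b"LMMC"):
        raise ValueError("no LMMC magic at offset 0")
    candidates = [HEADER_LEN] + [o for o in range(4, min(len(blob), 512))
                                 if o != HEADER_LEN and zlib_header_at(blob, o)]
    for off in candidates:
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[off:])
        except zlib.error:
            continue
        if d.eof:          # a complete stream, not a lucky partial match
            return out
    raise ValueError("no complete zlib stream found")

def find_credentials(text):
    """Lines that look like they carry a secret, for eyeballing what the router leaks."""
    return [ln.strip() for ln in text.decode("latin-1").splitlines()
            if re.search(r"pass(word|wd)?|pwd|secret", ln, re.I)]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BIN
    cfg = extract_config(blob)
    for line in find_credentials(cfg):
        print(line)
```

The `d.eof` check matters: a scan for `78 9c` will hit random bytes now and then, and zlib will happily inflate a few bytes of garbage before failing, so only an offset that yields a complete stream counts.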




linux password basics 101 notes

full source:  http://www.linuxjournal.com/content/hack-and-password-cracking-gpus-part-i-setup

Passwords are not stored as such; a salted hash of each one is kept in /etc/shadow, which is readable only by root (and the shadow group).

To look in the shadow file, type in a terminal: sudo cat /etc/shadow


user:$id$salt$hash:remaining fields (last change, min/max age, warning, inactivity, expiry)

Look at 'man shadow' for the full definition.

The hash field is delimited by the $ sign in this format
$id$salt$encrypted


Where $id  1 = MD5crypt   5 = SHA-256   6 = SHA-512   (newer distros also use y = yescrypt and 2y/2b = bcrypt).  MD5crypt is cheap to attack and should not be in use any more.

Also look here for more info http://www.cyberciti.biz/faq/understanding-etcshadow-file/


Changing a linux password, recovering

ref: http://www.youtube.com/watch?v=CLwqGce6AGo

Boot into a shell as root:
type 'e' at the grub menu
change "ro quiet splash" on the kernel line to "rw init=/bin/bash"
press Ctrl-X (or F10) to boot the edited entry

search the home directories to find the username
confirm the username with cat /etc/passwd
type 'passwd USER'
type in the new password & confirm
type sync
reboot


Another option is to boot from a live CD, mount the hard drive (sudo fdisk -l to find it) and remove the x in the password field of the user's line in /etc/passwd:
user:x:1000:1000:user,,,:/home/user:/bin/bash
to
user::1000:1000:user,,,:/home/user:/bin/bash
umount and reboot.

You can now log in without a password.  Put a password back in by typing
'passwd user'
then
sudo shadowconfig off
sudo shadowconfig on

Both methods need only physical access to the machine; a GRUB password blocks the first and full-disk encryption blocks both.
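Added example (not from the page or the linked articles) that serves both the /etc/shadow notes above and the password-recovery trick: it parses constructed /etc/passwd and /etc/shadow excerpts, names the hash algorithm behind each $id$, and flags what a quick audit should catch, including the emptied password field that the passwd edit above leaves behind.  The hash strings are placeholders, not real hashes.

```python
import re

# Constructed /etc/passwd and /etc/shadow excerpts; the hash strings are
# placeholders, not real hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user,,,:/home/user:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/sh
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$saltsalt$placeholderhash:15500:0:99999:7:::
user:$y$j9T$saltsalt$placeholderhash:19000:0:99999:7:::
guest:!:15500:0:99999:7:::
legacy:$1$abc$placeholderhash:15500:0:99999:7:::
toor:$6$saltsalt$placeholderhash:15500:0:99999:7:::
"""

HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}

def classify_hash(field):
    """Name the algorithm behind a shadow password field ($id$salt$hash)."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"\$([^$]+)\$", field)
    if m:
        return HASH_IDS.get(m.group(1), "unknown(" + m.group(1) + ")")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"          # legacy 13-char DES crypt, no $id$ prefix
    return "unknown"

def audit(passwd_text, shadow_text):
    """(account, problem) pairs: the passwd-edit bypass above, weak hashes, extra UID-0 users."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hashval = line.split(":")[:2]
            shadow[name] = hashval
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid = line.split(":")[:3]
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd: logs in with no password"))
        elif pw != "x":
            findings.append((name, "hash stored in world-readable /etc/passwd"))
        elif name not in shadow:
            findings.append((name, "no /etc/shadow entry"))
        else:
            kind = classify_hash(shadow[name])
            if kind == "empty":
                findings.append((name, "empty hash in /etc/shadow"))
            elif kind in WEAK:
                findings.append((name, "weak hash algorithm " + kind))
            elif kind.startswith("unknown"):
                findings.append((name, "unrecognised hash format " + kind))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {problem}")
```

On a real box run it as root over `/etc/passwd` and `/etc/shadow`; the `guest` line in the sample is exactly what the live-CD edit above produces, and it is the one that should never survive a reboot.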



compiling crunch 3.3 in Ubuntu and Mint, error in Makefile

Found on the Ubuntu forums here

Modify the Makefile: in the crunch (and val) targets, move $? (the source file) to the left of the flags as shown, so the source is named before the libraries on the gcc command line (Ubuntu's gcc links with --as-needed, which drops libraries listed before the objects that use them).


val:	crunch.c
	@echo "Building valgrind compatible binary..."
	$(CC) $? $(VCFLAGS) $(LFS)  -o crunch
	@echo "valgrind --leak-check=yes crunch ..."
	@echo ""

crunch:	crunch.c
	@echo "Building binary..."
	$(CC) $? $(CFLAGS) $(LFS)  -o $@
	@echo ""


Also note that crunch's default install location is /pentest/passwords/crunch; you may want to change the location in the Makefile to suit.



Monday, 2 January 2012

Installing Reaver WPS on Ubuntu 11 code.google.com/p/reaver-wps



What a great program.

To install on Ubuntu, you need the prerequisites:
  • a brain
  • build-essential, i.e. apt-get install build-essential
  • the libpcap0.8 library and its development package libpcap0.8-dev
  • aircrack-ng, preferably from subversion
  • patched compat-wireless drivers, to avoid the channel -1 bug
  • a wireless card that can do injection
  • the reaver wps code http://code.google.com/p/reaver-wps/

The rest is pretty simple, just the usual extraction, ./configure, make, sudo make install.
Pay attention to the ./configure and make output; if anything required is missing, check or investigate.

You will need to put your wireless card into monitor mode; use airmon-ng for this.

You will also need a good, solid signal between the AP and your radio; if you cannot get one it will not work quickly, or at all.





Wednesday, 12 October 2011

Pictures inside a Click RCD Safety Switch

Here are some pics of the insides of a Click Safety Switch.

The switch failed because the reset button latch had worn out.

Shown are the current coil that measures earth leakage and the relay coil that disconnects the supply.














Saturday, 17 September 2011

Ethernet Throwing Star Tap using Krone Punch Down Connectors Cat 5

The passive Ethernet tap featured at greatscottgadgets is great.
Get a couple of USB Ethernet adapters for your laptop, set up a tun interface and you can see everything in both directions without any ARP cache poisoning.

It is possible to make the device using some Krone punch-down blocks and some Cat 5 cable.

Here are some pictures.  I have not added the 220 pF caps yet; they are there to force 1 Gig links down to 100 Meg, since a passive split only works on 100BASE-TX.



The schematic below shows what is going on.
Link to Ethernet wiring diagram from Pinoutsguide Here

Thursday, 8 September 2011

DIY Data Recovery from a WD2500 Caviar Hard Drive



I had a WD2500 hard drive that was not working, no spin-up or anything.  It seemed that the board was not working, but there were no signs of failure.

Fortunately, I found another WD2500 board which was working.

A simple board swap did not work; the heads started chattering when plugged in.

To really fix it, it is necessary to remove an 8-pin ROM chip from the "broken" board and solder it to a "good" donor board.  If you cannot do this, find someone who can or you will get nowhere.



Once this was done, the hard drive started without a problem, and the data was dragged off ASAP.

Make sure you identify the ROM chips plus the good and bad boards to make the process easier.

Pictures inside a Kramer Pico Tools DVI CAT5 Video extender








Pictures inside a Black BOX KVM Micro Extender CAT5 KVM









Tuesday, 6 September 2011

Hacking Bluetooth to RS-232 Modules from eBay, CSR BC417

Bought this module from eBay and they look promising.

They convert serial to Bluetooth, which could have many embedded uses.

They are known as MDFLY; there are also Spanion ones out there which are faster [source]

The main chip is a CSR BC417 and the other chip is a 29lv800c flash.
Datasheet: http://mdfly.com/Download/Wireless/BT0417C_datasheet.pdf
AT Command Set: http://mdfly.com/Download/Wireless/BT0417C_ATcommand.pdf


There are a few guys hacking them at the moment




Friday, 26 August 2011

FetchTV YX-6936U Main Board Connections


Here are the connectors on the main fetch board.


1    Ethernet
2    HDMI
3    Optical
4    Composite S-Video Component
5    Rear USB
6    Front USB
7    SDA/SDK/ERR/Sync2/Clk2
8    Tuner Data D0-D7
9    Tuner Clock/Sync/Valid/Error
10    Tuner Power + I2C
11    From Power Supply
12    Smartcard Reader
13    Front Panel Light + remote
14    TTL RS232
15    3.3v + unknown
16    SATA
Power + Tuner Power

Tuner Control

Tuner Data + Control Front, USB

Front Panel


https://plus.google.com/photos/111113446315432778457/albums/5797610812510676321


Thursday, 25 August 2011

FetchTV YX-6936U Boot messages from rs-232 header inside unit




Inside the FetchTV box is a straight 6-pin header; if you look closely at the white writing near it, you will notice the assignments given for the first 4 pins.

The other four-pin header has 3.3 V and probably other things.

The data needs to be converted from TTL to RS-232 using a MAX232 chip.  Look on eBay for RS-232 translator boards.  In my case the 5 volt rail powered my translator board, and I used the ground from one of the TV tuners.

The connection speed is 115200 N,8,1.

As soon as the boot commences, it begins to spit out data.

The full dump is here

Interesting lines from the boot sequence:
BCM74130011
Shmoo Version=3.5
BCM97413B1 CFE v2.21.2679, CFE core v2.12, Endian Mode: Little
RSA encryption


So much like the TiVo, Generation 4.....

If anyone wants to share their FetchTV dumps, please paste them on pastebin.com and put a link in the comments below.


Sunday, 7 August 2011

Accu-chek Performa Expired Strips hack




If you have an Accu-Chek Performa, you will know that the strips come with an expiry date.

If the strips have expired, you will not be able to use them, even if you manually change the device's date.

This is because the device has a second battery on board, which powers another clock that is set in the factory.


There are several hacks online showing you how to get around this problem, some of which involve shorting out this second battery.  This does work; however, I am not into shorting out batteries.



There are two screws on the back of the case, one under the label.  (Yes, goodbye warranty.)




Then lever the case open by pushing back on the internal case tabs in these locations.




The best method is to use a soldering iron to lift one side of the battery (point 1) off the board, then use a wire to momentarily short the contacts on the board (points 1 & 2) to fully discharge the real-time clock circuit.






If you are no good with a soldering iron, I suggest that you don't do this procedure.  Also, you should not rely on expired strips, because they are "expired".







Thursday, 4 August 2011

Unlocking and Debranding Vodafone K3570-Z 3G Internet Dongle

The aim:
  • Get rid of the carrier dashboard and replace it with a non-branded one.

  • Unlock the device so any SIM can be used.

  • If patience persists, fine-tune the device files to remove any USB reference to the carrier.


Tools and files:  Look here for links and here or google
QPST
Unlock software
ZTEMODEM.ISO_K3565-Z_debranding_v2.rar
VF_K3570_New_Dialler.zip to patch the ZTEMODEM.iso file
Stupid Windows box
Brains


Prerequisite:
Install the driver for the device, either by installing the dashboard that comes with the device or by installing the driver inside VF_K3570_New_Dialler.zip

Unlocking:
Follow the instructions at the bottom of this page; you will need a SIM card that does not match the locked carrier.  Don't enter any unlock code if prompted by the dashboard, just use the dc program to unlock.


Unbranding:
Install VF_K3570_New_Dialler.zip on a host Windows system.

Once installed, grab the drivers folder located in Program Files\Vodafone....
You will see both 32- and 64-bit versions for XP / Vista / Win7 :)

Now you need to edit the ZTEMODEM.iso found in ZTEMODEM.ISO_K3565-Z_debranding_v2.rar: remove the drivers in that image (old K3565 drivers) and put the good drivers in it!
Use your favourite ISO editor program to do this, e.g. ISO Master.

Now that you have a remastered ISO with the correct driver for your modem, finish the job by putting the CD image on the modem.

Following the instructions on this page, use QPST to delete the ZTEMODEM.ISO on the modem, then drag and drop the remastered ZTEMODEM.ISO file into the modem file system.  Reset the device and check that it works.

Unfortunately the switching between virtual CD and modem is not too user-friendly.  These two sources explain why: Source 1  Source 2

Basically the original virtual CD is switched off once the driver is installed, locking you into using the modem on the PC that the driver was installed on.  The only way to undo this is to use a Linux terminal with usb_modeswitch to gain access to the modem's serial port and turn the virtual CD back on with AT commands:


No virtual CD = modem detection
-----
Virtual CD = no modem detection


AT+ZCDRUN=E  removes the file NODOWNLOAD.FLG
AT+ZCDRUN=8  removes the file autorun.flg
-----
AT+ZCDRUN=F  restores NODOWNLOAD.FLG
AT+ZCDRUN=9  restores autorun.flg



Then ATZ before disconnecting.

So what next: disable the virtual CD and burn the ISO to a normal CD.





Sunday, 10 July 2011

Networking and Computing Videos

A great resource; this guy teaches very well.  If you don't want to read pages of stuff then Eli's videos are what you need.  Subjects include networking and computing and also other stuff.

Everyman Videos





