Thursday 10 November 2011

Password reset via Recovery mode + Passwd protecting GRUB entries.


This is the most common technique, and the first thing I try when I get an Ubuntu system whose Recovery Mode GRUB entries are not password-protected. (Originally read on howtogeek.com.)


First, a quick look at how to reset a password via Recovery Mode.
When an Ubuntu machine boots it shows the GRUB loading screen. Hit "Esc" (GRUB Legacy) or hold "Shift" while booting (GRUB 2, Ubuntu 9.10 and later) to get the menu shown below:


The highlighted entry is Recovery Mode. From here you can select "Drop to root shell prompt"; if that still asks for a password (it does when root has one set), try this instead.
Select the Recovery Mode entry and press "e" to edit it.

On the next screen select the kernel line. It looks something like this:


 
Now replace "ro quiet splash" with

rw init=/bin/bash

so the root filesystem is mounted read-write and the kernel runs bash instead of init. Press "Enter" and then "b" to boot (on GRUB 2 press Ctrl+X or F10 instead).

You are presented with a root shell, with no password asked for.

Issue "passwd" to change the root password.
Issue "passwd <username>" to change a user's password.

Issue "sync" to write the changes to disk, then "reboot -f"; there is no init process to talk to from this shell, so a plain "reboot" will not work.

None of this needs a password because whoever sits at the console can edit the boot entry. A GRUB password closes the menu-editing route; it does not stop someone booting from a USB stick or pulling the disk, which is what a firmware password and full-disk encryption are for.
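The title promises password-protecting the GRUB entries, which the walkthrough above does not get to. Here is an added example, not from the original post, of the GRUB 2 side of that: a small script that writes an /etc/grub.d/40_custom fragment declaring a superuser and a PBKDF2 hash, so that editing an entry (the "e" trick above) or using the GRUB command line prompts for a password. The user name "admin", the hash in the demo line and the function names are mine; generate a real hash with grub-mkpasswd-pbkdf2 and run update-grub afterwards.

```shell
#!/bin/sh
# Added example, not from the original post: print and install an
# /etc/grub.d/40_custom fragment that password-protects GRUB 2 menu editing.
# The hash used in the demo at the bottom is a placeholder; make a real one
# with grub-mkpasswd-pbkdf2 and run update-grub after installing the fragment.

grub_password_fragment() {   # grub_password_fragment <user> <pbkdf2-hash>
    # 40_custom is a shell script whose first two lines make it echo itself
    # from line 3 on; everything after them lands verbatim in grub.cfg.
    cat <<EOF
#!/bin/sh
exec tail -n +3 \$0
# Only this superuser may edit entries or use the GRUB command line.
# With superusers set, every menu entry also needs the password unless
# it carries --unrestricted (see the note after this block).
set superusers="$1"
password_pbkdf2 $1 $2
EOF
}

# grub-mkpasswd-pbkdf2 output looks like grub.pbkdf2.sha512.<iterations>.<salt>.<hash>;
# refuse anything else so a copy-paste slip does not lock the boot menu.
looks_like_pbkdf2() {
    case "$1" in
        grub.pbkdf2.sha512.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the fragment (default target /etc/grub.d/40_custom, which this
# OVERWRITES) and make it executable like the other grub.d scripts.
install_fragment() {   # install_fragment <user> <hash> [target]
    target="${3:-/etc/grub.d/40_custom}"
    looks_like_pbkdf2 "$2" || { echo "not a grub-mkpasswd-pbkdf2 hash: $2" >&2; return 1; }
    grub_password_fragment "$1" "$2" > "$target" && chmod 755 "$target"
}

# Demo: print the fragment for a placeholder hash (nothing is installed).
grub_password_fragment admin grub.pbkdf2.sha512.10000.SALT.HASH
```

With superusers set, GRUB asks for the password for every entry, not just for editing. To keep the default entry bootable without it, add --unrestricted to the CLASS line in /etc/grub.d/10_linux and then check the generated grub.cfg, because that same script also generates the recovery entries. Merge by hand if you already have custom entries in 40_custom.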

Saturday 16 July 2011

chntpw - the Offline NT password Editor !

As explained on Wikipedia, chntpw is a utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista and 7. It does this by editing the SAM registry hive, where Windows stores the password hashes, from outside the running system.
I know many of you already know this or other methods, e.g. the utilman method.



First of all you need a BackTrack LiveCD or any other security distro with chntpw pre-installed, or you can install it afterwards from the BackTrack repository.

Steps to follow :
1. Boot your system using BackTrack LiveCD.

2. Mount your partition containing Windows.

root@bt:~# fdisk -l


   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       10683    85811166   83  Linux
/dev/sda2           10684       14762    32764567+  83  Linux
/dev/sda3           14801       56885   338047762+   f  W95 Ext'd (LBA)
/dev/sda4           56886       60801    31455270    7  HPFS/NTFS
/dev/sda5           14802       32664   143484547+   7  HPFS/NTFS
/dev/sda6           32665       56885   194555151   83  Linux

root@bt:~# mkdir /media/dex
root@bt:~# mount -t ntfs-3g /dev/sda4 /media/dex

Note - /dev/sda4 is the partition containing Windows (Id 7, HPFS/NTFS) and /media/dex is the mount point. /dev/sda3 is the extended partition container and cannot be mounted. Mount with ntfs-3g rather than the old in-kernel "ntfs" driver, because chntpw has to write to the SAM; if ntfs-3g refuses because Windows was hibernated, boot Windows and shut it down properly first.

3. Fire up chntpw.

It is pretty self-explanatory, but here's an example of how to remove the password from an Admin account that is disabled/locked.

root@bt:~# cd /pentest/passwords/chntpw/
root@bt:/pentest/passwords/chntpw#
root@bt:/pentest/passwords/chntpw# find /media/dex/ -iname sam
/media/dex/Windows/System32/config/RegBack/SAM
/media/dex/Windows/System32/config/SAM
^C
root@bt:/pentest/passwords/chntpw# ./chntpw -i /media/dex/Windows/System32/config/SAM

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </media/dex/Windows/System32/config/SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> 1
===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username -------------| Admin? |- Lock? --|
| 01f4 | Administrator                   | ADMIN  | dis/lock |
| 03e8 | Dexter                          | ADMIN  | dis/lock |
| 01f5 | Guest                           |        | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Administrator

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Administrator

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 4
Unlocked!              [note - this step is important: the Administrator account was disabled, and a blank password on a disabled account still does not let you log in]

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </media/dex/Windows/System32/config/SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> q


Hives that have changed:
 #  Name
 0  </media/dex/Windows/System32/config/SAM>
Write hive files? (y/n) [n] : y
0  </media/dex/Windows/System32/config/SAM> - OK
root@bt:/pentest/passwords/chntpw#


It's done. Next time, log in to Windows with username Administrator and no password... :) Note that by default Windows only lets blank-password accounts log in at the console, not over the network (the "Limit local account use of blank passwords to console logon only" policy), so set a real password once you are in.
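The walkthrough above skips the two steps that decide whether this goes wrong: picking the live SAM rather than the RegBack copy that "find -iname sam" also returns, and keeping a copy of the hive before chntpw writes to it. Here is an added example, not from the original post, that wraps those steps around the real chntpw invocation. The device names, the mount point and the directory tree built by make_fake_windows() are constructed for illustration; the chntpw flags (-l, -u) and the mount options are real.

```shell
#!/bin/sh
# Added example, not part of the original post: safe mounting, hive location
# and backup around chntpw. Device names and the fake Windows tree are
# constructed; chntpw's -l and -u flags are real.

# Mount read-write with ntfs-3g (the old in-kernel "ntfs" driver is not
# suitable for writing). ntfs-3g refuses when Windows is hibernated; the only
# fix for that is to boot Windows and shut it down fully.
mount_windows() {   # mount_windows /dev/sda4 /media/dex
    mkdir -p "$2" && mount -t ntfs-3g "$1" "$2"
}

# Locate the live SAM hive under a mount point, ignoring the RegBack copy.
# Editing RegBack changes nothing about the next logon.
find_sam() {
    find "$1" -ipath '*/System32/config/SAM' ! -ipath '*/RegBack/*' 2>/dev/null | head -n 1
}

# Copy the hive aside before chntpw touches it: a damaged SAM means an
# unbootable Windows, and chntpw's write is not transactional. Prints the
# backup path.
backup_sam() {
    dest="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$dest" && printf '%s\n' "$dest"
}

# Real chntpw flags: -l lists the users in the hive, -u <user> opens the
# interactive edit menu (clear password / unlock) for that user only.
list_users() { chntpw -l "$1"; }          # list_users /media/dex/Windows/System32/config/SAM
edit_user()  { chntpw -u "$2" "$1"; }     # edit_user <SAM path> Administrator

# Whole procedure, interactive at the chntpw step: mount, find, back up, edit.
reset_admin() {   # reset_admin /dev/sda4 /media/dex Administrator
    mount_windows "$1" "$2" || return 1
    sam=$(find_sam "$2")
    [ -n "$sam" ] || { echo "no SAM hive under $2" >&2; return 1; }
    backup_sam "$sam" || return 1
    edit_user "$sam" "$3"
}

# Constructed tree standing in for a mounted Windows partition, so the
# find/backup logic can be exercised without a disk image ("regf" is the
# real hive magic, nothing else about these files is real).
make_fake_windows() {
    mkdir -p "$1/Windows/System32/config/RegBack"
    printf 'regf' > "$1/Windows/System32/config/SAM"
    printf 'regf' > "$1/Windows/System32/config/RegBack/SAM"
}
```

If chntpw reports that the hive is dirty or refuses to write, restore the backup with cp and check the mount (a hibernated Windows is the usual cause); do not run the edit twice on a hive that failed to save.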

Tuesday 14 June 2011

Mobile Dial-Up in Back Track 5.

Installed BackTrack 5, codename "Revolution", and was a bit frustrated to find wvdial not pre-installed.
Most people around me use dial-up over their phones to reach the Internet, so I searched for a solution and found that the "pon", "poff" and "plog" scripts (pre-installed in BackTrack 5 as part of the ppp package) can be used to control PPP connections.

NOTE--- The method is explained below. Comments follow "<--"; everything else in the blocks is a command or the content of the file being created.

Step 1

Plug the data cable into the phone and check that the kernel recognizes it.

root@bt:~#tail /var/log/messages

which should show something like this:

localhost kernel: [4295346.417000] usb 1-1: new full speed USB device using ohci_hcd and address3
localhost kernel: [4295348.125000] cdc_acm 1-1:1.8: ttyACM0: USB ACM device
localhost kernel: [4295348.133000] usbcore: registered new driver cdc_acm
localhost kernel: [4295348.133000] drivers/usb/class/cdc-acm.c: v0.23:USB Abstract Control Model driver for USB modems and ISDN adapters <-- the phone uses the cdc-acm driver and the OS sees it at /dev/ttyACM0


Step 2

Configure Ubuntu (BT5) to communicate with the phone.

You need ppp; it comes pre-installed in BT5 (otherwise: root@bt:~# apt-get install ppp).

Now create a configuration file that tells BT5 how to talk to the phone:


root@bt:~# nano /etc/ppp/peers/mobile

debug
noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/mobile"
usepeerdns
/dev/ttyACM0 115200 <-- use the device node the modem was recognized as (step 1)
defaultroute
crtscts
lcp-echo-failure 0

The OS sends a few AT commands to the phone to tell it to connect to the Internet. These commands live in the chat script and are sent when you dial.

root@bt:~#nano /etc/chatscripts/mobile

TIMEOUT 35
ECHO ON
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
OK 'AT+CGDCONT=1,"IP","INTERNET"'
OK ATD*99***1#
CONNECT ""

If the phone can connect on its own, without the PC, then this should work. If not, the likely point of failure is the line
'AT+CGDCONT=1,"IP","INTERNET"'

"INTERNET" in that line is the Access Point Name (APN); get it from the phone's or the carrier's settings. The "debug" line in the peers file makes pppd log the whole exchange so you can see which command the phone rejects.


Step 3

Ready to connect

To dial use
root@bt:~#pon mobile

To disconnect
root@bt:~# poff mobile

Note--- Everything exchanged between the phone and the OS is logged to /var/log/syslog; use

root@bt:~# tail -f /var/log/syslog

to watch the messages live on the terminal.

Saturday 28 May 2011

Omegle Spy Bot !

NOT ILLEGAL BECAUSE OMEGLE DOESN'T HAVE A TERMS OF SERVICE - From the Creator of the Tool

A few days back I came across a Java executable named "Omegle Spy Bot". Credit goes to its creator; it can be found here under the download section.

You need Java installed to run this app; it works fine on Windows too.
Linux users issue the following on a terminal (no sudo: Java does not need root, and an untrusted jar should never be run as root):

Code:
dex@desktop :~$ java -jar OmegeleSpy.jar

The GUI of this app is pretty self-explanatory.
Start by clicking on "Start new conversation".
 Here's a snapshot.

Then, as the two strangers have their normal conversation, you can watch it.
You can send a message to either one as if it came from the other, or disconnect a user and impersonate them... Check it out! Fun!

Wednesday 25 May 2011

Using Google's Open DNS servers !

It's often better to use Google Public DNS (8.8.8.8 and 8.8.4.4) than the resolvers handed out by your ISP.

There's a minor thing to take care of for this to stick: as most Linux users know, you set the DNS servers by editing /etc/resolv.conf, but the DHCP client rewrites that file unless you stop it.

so do this

code:
dex@desktop :~$ sudo gedit /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
dex@desktop :~$ sudo chattr +i /etc/resolv.conf

Note :: chattr gives resolv.conf the immutable attribute (it needs root), so that the next time you reboot or restart your network interface(s) the DHCP client cannot replace your nameservers. This only works while /etc/resolv.conf is a regular file; on releases where it is a symlink managed by resolvconf or systemd-resolved, chattr fails, and you should configure the nameservers in the tool that owns the file (or in Network Manager) instead.

When you want to change resolv.conf again, first remove the immutable attribute, then edit it:

code:
dex@desktop :~$ sudo chattr -i /etc/resolv.conf

Someone suggested to me that OpenDNS (a different provider from Google, not "Google's Open DNS") has better latency from here, so depending on your needs you can use these resolvers too:

 208.67.222.222
 208.67.220.220
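The failure mode of the chattr trick is the one mentioned in the note above: on systems where /etc/resolv.conf is a symlink, writing through it edits a file that resolvconf or systemd-resolved will regenerate, and chattr +i cannot be applied to the link. Here is an added example, not from the original post, that writes the nameserver list the post describes but refuses to touch a symlink, and warns when more than three servers are given (the glibc resolver ignores the rest). The path is a parameter so it can be exercised on a temporary file; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: write resolv.conf the way the
# post does, but check first whether the file is really ours to write.

set_nameservers() {   # set_nameservers <resolv.conf path> <ip> [ip...]
    conf="$1"; shift
    # A symlink means resolvconf / systemd-resolved owns the file: whatever we
    # write gets regenerated, and chattr +i fails on a symlink anyway.
    if [ -L "$conf" ]; then
        echo "$conf is a symlink to $(readlink "$conf"); configure the resolver that owns it instead" >&2
        return 1
    fi
    [ "$#" -gt 0 ] || { echo "no nameservers given" >&2; return 1; }
    # The glibc resolver only uses the first three nameserver lines (MAXNS=3).
    [ "$#" -le 3 ] || echo "warning: only the first 3 nameservers are used" >&2
    {
        echo "# written by set_nameservers; chattr +i keeps the DHCP client from overwriting it"
        for ns; do echo "nameserver $ns"; done
    } > "$conf"
}

# Immutable bit on/off, as in the post. chattr needs root and a regular file.
lock_resolv()   { chattr +i "${1:-/etc/resolv.conf}"; }
unlock_resolv() { chattr -i "${1:-/etc/resolv.conf}"; }

# Number of nameserver lines actually present in the file.
nameserver_count() {
    grep -c '^nameserver ' "$1"
}
```

Typical use as root: set_nameservers /etc/resolv.conf 8.8.8.8 8.8.4.4 && lock_resolv; unlock_resolv before changing it again.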

Tuesday 17 May 2011

Google Dork for Security Cameras !!

Use these Google search terms (Google dorks) to find security cameras whose web interface is exposed to the Internet with no authentication in front of it.

Note :: Use for fun only, do not stalk others !! If one of these turns up a camera of your own, the fix is to take its web interface off the public Internet (firewall it or put it behind a VPN) and change the default credentials.


inurl:"ViewerFrame?Mode="
intitle:Axis 2400 video server
inurl:/view.shtml
intitle:"Live View / - AXIS" | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera NetworkCamera"
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Live View / - AXIS 210"
inurl:indexFrame.shtml Axis
inurl:"MultiCameraFrame?Mode=Motion"
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intext:"MOBOTIX M1" intext:"Open Menu"
intext:"MOBOTIX M10" intext:"Open Menu"
intext:"MOBOTIX D10" intext:"Open Menu"
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
site:.viewnetcam.com -www.viewnetcam.com
intitle:"Toshiba Network Camera" user login
intitle:"netcam live image"
intitle:"i-Catcher Console - Web Monitor"

Monday 16 May 2011

Online VNC , SSH and Remote Desktop Scanner !

Today I came across these online tools, which search an IP address range for open VNC, RDP and SSH ports. Do check them out!

Note :: These tools don't brute-force anything; they simply check whether the service ports are open. An open port is not the same as a vulnerable service, and scanning ranges you do not own tends to get your address reported or blacklisted.



Online VNC Scanner
This scans the VNC and gives you the IP address in Green.

Online Remote Desktop Scanner
This scans the Remote Desktop / RDP and gives you the IP address in Green.

Online SSH Scanner
This scans the SSH and gives you the IP address in Green.

Friday 13 May 2011

BackTrack5 Released !!

This new revision has been built from scratch and boasts several major improvements over all previous releases. It is based on Ubuntu Lucid LTS with kernel 2.6.38, patched with all relevant wireless injection patches, and is fully open source and GPL compliant. BackTrack 5 comes in several flavors and architectures.

BackTrack 5, codename "Revolution", comes with the GNOME desktop environment for the first time. There are several architectures to choose from (ARM, x86, x86_64), and a choice between a virtual machine image and an ISO download. I am particularly excited about the GNOME x86 build and am going to try it soon.

Grab Yourself a Copy at --->> http://www.backtrack-linux.org/downloads/

Ping Sweeping in BackTrack !!!

While many of us use Nmap to ping sweep a network, fping and nbtscan combined give a pretty fast result. There are many better ways to ping sweep; this is just one of them.

Using fping is easy, just refer to the man page. Here is an example:

CODE
# fping -a -g 10.18.1.0/24 2>/dev/null
10.18.1.66
10.18.1.77

This gives all the live hosts (-a prints only hosts that answer, -g expands the range, and stderr is dropped so unreachable hosts do not clutter the output). To query the NetBIOS name service for the names of the Windows machines on your network use:

CODE
# nbtscan  10.18.1.1-254
Doing NBT name scan for addresses from 10.18.1.1-254

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
10.18.1.66       AAA-PC          <server>  <unknown>        00:1e:ce:90:ab:8c

There are many other ways to ping sweep a network with minimal packet generation, e.g. using Scapy, or you can just go with Nmap.
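The post says the two tools "combined" give a fast result but shows them run separately. Here is an added example, not from the original post, that chains them: fping finds the hosts that answer, only those are handed to nbtscan (so far fewer NetBIOS packets than nbtscan over the whole range), and nbtscan's table is reduced to "ip name mac" lines that the next tool can read. The 10.18.1.0/24 range and the SAMPLE_NBTSCAN text are constructed; reading targets from stdin with "nbtscan -f -" is taken from its man page, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: fping + nbtscan chained, plus a
# parser for nbtscan's table. The range and the sample output are constructed.

# Alive hosts only, one per line (-a: show alive, -g: expand the range).
live_hosts() {
    fping -a -g "$1" 2>/dev/null
}

# Keep only data rows (first field is a dotted quad) and print ip, name, mac.
# Header, banner and blank lines never start with an address, so they drop out.
parse_nbtscan() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $2, $NF }'
}

# Ping sweep first, then ask NetBIOS names only of hosts that answered.
# "-f -" reads targets from stdin and -q drops the banner (both per the
# nbtscan man page; assumption if your build differs).
sweep() {   # sweep 10.18.1.0/24
    live_hosts "$1" | nbtscan -q -f - | parse_nbtscan
}

# Constructed copy of what nbtscan prints, so parse_nbtscan can be exercised
# without a network.
SAMPLE_NBTSCAN='Doing NBT name scan for addresses from 10.18.1.1-254

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.18.1.66       AAA-PC           <server>  <unknown>        00:1e:ce:90:ab:8c
10.18.1.77       BBB-PC           <server>  DEX              00:1e:ce:90:ab:8d'

# Demo on the constructed sample: prints two "ip name mac" lines.
printf '%s\n' "$SAMPLE_NBTSCAN" | parse_nbtscan
```

Hosts that answer ping but not NetBIOS (Linux boxes, printers, phones) simply do not appear in the parsed output; keep the fping list if you need them too.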

NOTE :: These are not expert views; on the contrary, they are things a newbie is picking up.

Wednesday 4 May 2011

Reliance NETCONNECT 1x CDMA stick in Ubuntu 10.04 !

Recently, after getting a Micromax 3G stick to work under Ubuntu, a friend asked me to connect his Reliance NetConnect 1x (a CDMA-based dongle) on Ubuntu.

I basically followed the same steps as for the Micromax stick and hit a bummer: the sakis3g script reports that the device has no GSM capabilities (it is CDMA, so that is expected), and even with the -noprobe switch there was some issue with a "PIN".

So I tried a simpler method: run the sakis3g script and use it only to switch the modem.

dex@dex-desktop:~$sudo ./sakis3g --interactive "verbose"

Then go for " more options > Only switch modem(if applicable)>USB device> HT CDMA device"

After the modem is switched, the Network Manager applet in Ubuntu (top right of the panel) shows a new mobile broadband connection available. Click on it and select Reliance as the operator.

Before connecting with this new connection you have to enter your user/password combination: right-click the
Network applet > Edit Connections > Mobile Broadband > Reliance connection.

[The user and password for NetConnect are both the 8-digit number you got when you purchased the dongle. Enter the same number in both fields.]

Now you are ready: left-click the Network applet and then the "Reliance Connection" entry connects you.

NOTE::  usb_modeswitch can also be used to switch the modem (can try that too).

Tuesday 3 May 2011

apt-fast--- faster apt-get installations !!!

When I see new upgrades or updates available for my Ubuntu distribution I go for them instantly; unfortunately updating with "apt-get" takes a long time, mainly because it does not download packages in parallel.
After a bit of Googling I came across a script named apt-fast by Matt Parnell, which can be found here (the most recent one is named "apt-fast.sh"). Download it and read it before you run it; it is about to run as root on every update.

Then make it executable and owned by root, and move it to /usr/bin with the following commands on a terminal::

dex@dex-desktop:~$ sudo -i
sudo password for dex:
root@dex-desktop:~#whoami
root
root@dex-desktop:~# chown root:root apt-fast.sh
root@dex-desktop:~#chmod u+x apt-fast.sh
root@dex-desktop:~#mv ./apt-fast.sh /usr/bin/apt-fast
root@dex-desktop:~# ls -l /usr/bin/apt-fast
-rwxr--r-- 1 root root 2072 2011-04-09 15:14 /usr/bin/apt-fast

Note that apt-fast takes the same options and commands as apt-get; it just downloads faster. For example

root@dex-desktop:~#apt-fast upgrade


P.S. :: If your distro doesn't have the axel package, the apt-fast script installs it for you. Axel is a light download accelerator for Linux that opens several connections per file; you can play with axel on its own too.

Thursday 28 April 2011

Extracting META DATA from Photographs !!

Recently I read a nice blog post somewhere about how someone caught a person posting offensive pictures to a social-networking site by using the EXIF data stored in the photographs to get the offender's GPS location.
I looked around and found that my BackTrack 4 R2 has the perfect tool for reading that metadata in the /pentest/misc directory: "exiftool" (it can strip it as well). You would be surprised how much information smartphones store in the photographs you take. (Plenty of my friends' Facebook pictures from smartphones carry it.)

How to use the tool? There is a README file.

Or you can just fire it like this

root@bt /pentest/misc/exiftool # ./exiftool <path of image>

The following screenshot shows its usage.

The picture shows the camera make is "Motorola"; that is just a snippet of the information. The tool also gives the GPS location, as shown in the first few lines of the second screenshot below.



WARNING !! This tool is used in forensics and in reconnaissance work on a target. Don't use it to stalk people; and the same data is in your own photos, so strip it before you upload them.



Wednesday 27 April 2011

Micromax 3G sticks in Ubuntu (Debian based distro)!!

MICROMAX 310G USB stick in Ubuntu 9.10

Recently I tried to use a Micromax 310G with my installed BackTrack 4 R2 (an Ubuntu-based distro), but the distro detects it as a CD-ROM (these sticks present a virtual CD with the Windows driver first and have to be switched into modem mode).
After reading a lot of forums and googling the problem I learned that Ubuntu 10.10 supports these modems out of the box, so one option was to upgrade the whole distro. I decided to stay on my current distro and found a nice blog that explains most of the process; it needs a bit of patience and basic Linux knowledge. The link is here.

Or, on Ubuntu 10.04 and newer, you can just try the sakis3g script, which can be found here.
After downloading the script, execute it with root privileges

root#./sakis3g  --interactive "verbose"

and the rest of the process is pretty self-explanatory.


P. S. :: The sakis3g script requires usb_modeswitch, so if your Ubuntu doesn't have it go for the full version of the sakis3g script, which bundles it. Otherwise the binary-free version works fine with an already installed usb_modeswitch.