Thursday 10 November 2011

Password reset via Recovery mode + Passwd protecting GRUB entries.


This is the most common technique, and what I try when I get an Ubuntu system with unprotected Recovery Mode GRUB entries. Read this on howtogeek.com.


First, a quick look at how to reset a password via Recovery mode.
When an Ubuntu machine boots, it presents a GRUB loading screen. Press "Esc" to get to the menu shown below:


Now the highlighted entry is Recovery Mode. From here you can select "drop to shell prompt"; if that still asks for a password, then try this.
Select the Recovery Mode entry and press "e" to edit it.

On the next screen select the kernel line. You are presented with an entry like this:


 
Now replace "ro quiet splash" with

rw init=/bin/bash

Once you have done this, press "Enter" and then "b" to boot.

You are presented with a root shell.

Issue the "passwd" command to change the root password.
Issue "passwd <username>" to change the password for a user.

Issue the "sync" command to write the changes to disk.
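The title also promises password-protecting the GRUB entries, which is the fix for what the steps above demonstrate. Here is an added example (Python; not from the post or from howtogeek.com) that emits the superuser stanza for /etc/grub.d/40_custom and audits a generated grub.cfg for it; PBKDF2_HASH is a constructed placeholder standing in for the output of grub-mkpasswd-pbkdf2.

```python
import re

# Added example (not from the post): the GRUB superuser stanza the title refers to, plus an
# audit of a generated grub.cfg.  PBKDF2_HASH is a constructed placeholder in the shape that
# grub-mkpasswd-pbkdf2 prints; substitute its real output.
PBKDF2_HASH = 'grub.pbkdf2.sha512.10000.0123456789ABCDEF.FEDCBA9876543210'

SUPERUSERS_RE = re.compile(r'^set superusers="([^"]*)"', re.M)
PBKDF2_RE = re.compile(r'^password_pbkdf2\s+(\S+)\s+grub\.pbkdf2\.sha512\.\d+\.[0-9A-F]+\.[0-9A-F]+\s*$', re.M)
PLAINTEXT_RE = re.compile(r'^password\s+\S+\s+\S+', re.M)


def superuser_stanza(user, pbkdf2_hash):
    """Lines to append to /etc/grub.d/40_custom; run update-grub afterwards."""
    return 'set superusers="%s"\npassword_pbkdf2 %s %s\n' % (user, user, pbkdf2_hash)


def audit_grub_cfg(cfg_text):
    """Return a list of problems; empty means "e" and the GRUB command line need the password."""
    findings = []
    m = SUPERUSERS_RE.search(cfg_text)
    if not m:
        return ['no superusers set: anyone at the console can press "e" and boot with init=/bin/bash']
    users = set(m.group(1).replace(',', ' ').split())
    hashed = set(PBKDF2_RE.findall(cfg_text))
    for u in sorted(users - hashed):
        findings.append('superuser %s has no password_pbkdf2 line' % u)
    if PLAINTEXT_RE.search(cfg_text):
        findings.append('plaintext "password" directive present; use password_pbkdf2')
    return findings


def unrestricted_entries(cfg_text):
    """Titles of menuentries marked --unrestricted: bootable without the password
    even after superusers is set (editing them still needs it)."""
    titles = []
    for line in cfg_text.splitlines():
        m = re.match(r'''\s*menuentry\s+(['"])(.*?)\1(.*)''', line)
        if m and '--unrestricted' in m.group(3):
            titles.append(m.group(2))
    return titles


if __name__ == '__main__':
    stanza = superuser_stanza('admin', PBKDF2_HASH)
    print(stanza + str(audit_grub_cfg(stanza)))
```

Once superusers is set, GRUB asks for the password before editing any entry or using its command line, which closes the "e" trick above; entries you still want to boot unattended must be marked --unrestricted.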

Saturday 16 July 2011

chntpw - the Offline NT password Editor !

As explained on Wikipedia, chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista and 7. It does this by editing the SAM database, where Windows stores password hashes.
I know many of you already know this or other methods, e.g. the utilman method.



Now, first of all, you need a BackTrack LiveCD or any other security distro with chntpw pre-installed, or you can download it afterwards from the BackTrack repository.

Steps to follow:
1. Boot your system using BackTrack LiveCD.

2. Mount your partition containing Windows.

root@bt:~# fdisk -l


   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       10683    85811166   83  Linux
/dev/sda2           10684       14762    32764567+  83  Linux
/dev/sda3           14801       56885   338047762+   f  W95 Ext'd (LBA)
/dev/sda4           56886       60801    31455270    7  HPFS/NTFS
/dev/sda5           14802       32664   143484547+   7  HPFS/NTFS
/dev/sda6           32665       56885   194555151   83  Linux

root@bt:~# cd /media; mkdir dex
root@bt:~# mount -t ntfs /dev/sda4 /media/dex

Note - /dev/sda4 is the partition containing Windows (the NTFS one in the fdisk listing; /dev/sda3 is only the extended partition) and /media/dex is the mount point.

3. Fire up chntpw.

Though it is pretty self-explanatory, here's an example of how to remove the password from an Administrator account that is locked.

root@bt:~# cd /pentest/passwords/chntpw/
root@bt:/pentest/passwords/chntpw#
root@bt:/pentest/passwords/chntpw# find /media/dex/ -iname sam
/media/dex/Windows/System32/config/RegBack/SAM
/media/dex/Windows/System32/config/SAM
^C
root@bt:/pentest/passwords/chntpw# ./chntpw -i /media/dex/Windows/System32/config/SAM

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </media/dex/Windows/System32/config/SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> 1
===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username -------------| Admin?   |- Lock? --|
| 01f4 | Administrator                   | ADMIN    | dis/lock |
| 03e8 | Dexter                          | ADMIN    | dis/lock |
| 01f5 | Guest                           |          | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Administrator

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Administrator

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 4
Unlocked!              [note - this step is important, as the Admin account was locked]

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </media/dex/Windows/System32/config/SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> q


Hives that have changed:
 #  Name
 0  </media/dex/Windows/System32/config/SAM>
Write hive files? (y/n) [n] : y
0  </media/dex/Windows/System32/config/SAM> - OK
root@bt:/pentest/passwords/chntpw#


It's done. Next time, log in to Windows with username Administrator and no password... :)

Tuesday 14 June 2011

Mobile Dial-Up in Back Track 5.

Installed BackTrack 5, codename "Revolution", and was a bit frustrated when I didn't find wvdial pre-installed in there, as most of the people around me use dial-up connections to access the Internet. So I searched for a solution and found that the "pon, poff and plog" scripts (pre-installed in BackTrack 5) can be used to control PPP connections.

NOTE --- The method is explained below. In the original post, comments were in green and the commands and file contents to be added were in red; in this text version, comments are marked with "<--".

Step 1

Plug the data cable into the phone and see whether the kernel recognizes it.

root@bt:~# tail /var/log/messages

This should show something like this:

localhost kernel: [4295346.417000] usb 1-1: new full speed USB device using ohci_hcd and address3
localhost kernel: [4295348.125000] cdc_acm 1-1:1.8: ttyACM0: USB ACM device
localhost kernel: [4295348.133000] usbcore: registered new driver cdc_acm
localhost kernel: [4295348.133000] drivers/usb/class/cdc-acm.c: v0.23:USB Abstract Control Model driver for USB modems and ISDN adapters <-- says that it uses the cdc-acm driver and that the OS sees this device as /dev/ttyACM0


Step 2

Configure Ubuntu (BT5) to communicate with my phone.

You need ppp; it comes pre-installed in BT5 (otherwise: root@bt:~# apt-get install ppp).

Now I need to create a configuration file that tells BT5 how to communicate with the phone:


root@bt:~# nano /etc/ppp/peers/mobile

debug
noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/mobile"
usepeerdns
/dev/ttyACM0 115200 <-- use the device the modem was recognized as (Step 1)
defaultroute
crtscts
lcp-echo-failure 0

My OS will send some commands to my phone to tell it to connect to the Internet. These commands are stored in the chat script and are sent when I try to connect.

root@bt:~# nano /etc/chatscripts/mobile

TIMEOUT 35
ECHO ON
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
OK 'AT+CGDCONT=1,"IP","INTERNET"'
OK ATD*99***1#
CONNECT ""

If I can connect from the phone without the PC, then this should work. If not, the likely point of failure is the line
'AT+CGDCONT=1,"IP","INTERNET"'

"INTERNET" in the line above is the Access Point Name (APN); get it from the phone.


Step 3

Ready to connect.

To dial, use
root@bt:~# pon mobile

To disconnect
root@bt:~# poff mobile

Note --- Whatever is exchanged between the phone and the OS can be seen in /var/log/syslog

root@bt:~# tail -f /var/log/syslog

shows the messages "live" in the terminal.
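To see what the chat script from Step 2 actually does on the wire, here is an added example (not from the post): a small interpreter for that script, run against a constructed mock phone so the expect/send flow and the ABORT strings (NO CARRIER, ERROR, timeout) can be exercised without a handset. mock_phone and its AT replies are assumptions, not a real modem.

```python
import shlex

# Added example (not from the post): chat(8)-script interpreter driven by a constructed mock phone.
MOBILE_CHAT = r'''TIMEOUT 35
ECHO ON
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
OK 'AT+CGDCONT=1,"IP","INTERNET"'
OK ATD*99***1#
CONNECT ""'''

def _plain(tok):  # drop chat's optional quotes, then expand \n and \r
    inner = tok[1:-1] if len(tok) > 1 and tok[0] in '\'"' and tok[-1] == tok[0] else tok
    return inner.replace(r'\n', '\n').replace(r'\r', '\r')

def parse_chat(text):  # -> (abort_strings, [(expect, send), ...]); TIMEOUT/ECHO ignored
    aborts, pairs = [], []
    for line in text.splitlines():
        tok = [_plain(t) for t in shlex.split(line, posix=False)]
        if tok and tok[0] == 'ABORT':
            aborts.append(tok[1])
        elif tok and tok[0] not in ('TIMEOUT', 'ECHO'):
            pairs += [(tok[i], tok[i + 1] if i + 1 < len(tok) else '')
                      for i in range(0, len(tok), 2)]
    return aborts, pairs

def run_chat(text, modem):  # -> ('CONNECTED' | 'ABORT', reason, log)
    aborts, pairs = parse_chat(text)
    buf, log = '', []
    for expect, send in pairs:
        if expect and expect not in buf:      # real chat gives up after TIMEOUT seconds
            return ('ABORT', 'timeout waiting for %r' % expect, log)
        if not send:                          # empty send: chat emits only a CR
            continue
        log.append('> ' + send.strip())
        buf = modem(send.strip())             # chat appends CR; the mock ignores it
        log.append('< ' + buf.strip())
        for a in aborts:
            if a in buf:
                return ('ABORT', a.strip(), log)
    return ('CONNECTED', '', log)

def mock_phone(apn_accepted=True, network_up=True):  # constructed stand-in, not a real modem
    replies = {'AT': 'OK', 'AT+CGDCONT=1,"IP","INTERNET"': 'OK' if apn_accepted else 'ERROR',
               'ATD*99***1#': 'CONNECT' if network_up else 'NO CARRIER'}
    return lambda cmd: '\r\n%s\r\n' % replies.get(cmd, 'ERROR')
```

With the real phone, the same exchange is what `tail -f /var/log/syslog` shows while `pon mobile` runs, so an ABORT on the CGDCONT step points at a wrong APN and one on the ATD step at the network.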

Saturday 28 May 2011

Omegle Spy Bot !

NOT ILLEGAL BECAUSE OMEGLE DOESN'T HAVE A TERMS OF SERVICE - From the Creator of the Tool

A few days back I came across an awesome Java executable named "Omegle Spy Bot". Credit goes to the creator of this app; it can be found here under the download section.

You need Java installed on your system to run this app; it works fine on Windows too.
Linux users, issue the following in a terminal:

Code:
dex@desktop :~$ sudo java -jar OmegeleSpy.jar

The GUI of this app is pretty self-explanatory.
Start by clicking "Start new conversation".
Here's a snapshot.


Then, as they start their normal conversation, you can watch it.
Send a message to either one from the other. Disconnect a user and impersonate him... Check it out! Fun!

Wednesday 25 May 2011

Using Google's Open DNS servers !

It's better to use Google's open DNS servers than the ones provided by your ISP.

There's a minor thing to take care of for this method to work. As most Linux users know, to set the DNS server to use, one needs to edit the /etc/resolv.conf file.

So do this:

code:
dex@desktop :~$ sudo gedit /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
dex@desktop :~$ sudo chattr +i /etc/resolv.conf

Note :: The chattr command is used here to give resolv.conf the immutable file attribute, so that the next time you reboot or restart your network interface(s), the system does not reset your DNS servers to the ones handed out by the DHCP server.

When you want to change resolv.conf again, first issue the following command to remove the immutable attribute before editing it.

code:
dex@desktop :~$ sudo chattr -i /etc/resolv.conf

Someone suggested to me that OpenDNS is better in terms of latency, so you can also use these DNS servers as needed:

 208.67.222.222
 208.67.220.220

Tuesday 17 May 2011

Google Dork for Security Cameras !!

Use these Google search terms, or Google dorks, to find several unattended security cams.

Note :: Use for fun only , do not stalk others !!


inurl:ViewerFrame?Mode=
intitle:Axis 2400 video server
inurl:/view.shtml
intitle:Live View / - AXIS
inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:live view intitle:axis
intitle:liveapplet
allintitle:Network Camera NetworkCamera
intitle:axis intitle:video server
intitle:liveapplet inurl:LvAppl
intitle:EvoCam inurl:webcam.html
intitle:Live NetSnap Cam-Server feed
intitle:Live View / - AXIS
intitle:Live View / - AXIS 206M
intitle:Live View / - AXIS 206W
intitle:Live View / - AXIS 210?
inurl:indexFrame.shtml Axis
inurl:MultiCameraFrame?Mode=Motion
intitle:start inurl:cgistart
intitle:WJ-NT104 Main Page
intext:MOBOTIX M1? intext:Open Menu
intext:MOBOTIX M10? intext:Open Menu
intext:MOBOTIX D10? intext:Open Menu
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:sony network camera snc-p1?
intitle:sony network camera snc-m1?
site:.viewnetcam.com -www.viewnetcam.com
intitle:Toshiba Network Camera user login
intitle:netcam live image
intitle:i-Catcher Console - Web Monitor

Monday 16 May 2011

Online VNC , SSH and Remote Desktop Scanner !

Today I came across these awesome online tools that search an IP address range for open VNC, RDP and SSH ports!! Do check them out!!

Note :: These tools don't brute-force; they simply check whether the service ports are open.



Online VNC Scanner
This scans for VNC and shows the IP addresses in green.

Online Remote Desktop Scanner
This scans for Remote Desktop / RDP and shows the IP addresses in green.

Online SSH Scanner
This scans for SSH and shows the IP addresses in green.