illmob.org

Cracking WPA/WPA2 with Reaver

January 24th, 2012 by admin in Linux, Privilege Escalation, Wireless

The WiFi Protected Setup (WPS) protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS PIN, and subsequently the WPA/WPA2 passphrase, in a matter of hours, using the open source tool called Reaver. Think your 32 character alpha-numeric password is uncrackable? If your wireless router is using WPS, then your router may spit back your password in plain text to the attacker in less than 10 hrs. WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN, the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point’s PIN and then extract the PSK and give it to the attacker. When we tested Reaver in our labs we were able to recover the WPA password in 1.5 hrs, and the longest run was 7.5 hrs.
Reaver Test

iPhone iOS 4.3.5 vulnerability

December 12th, 2011 by admin in Apple, News, Privilege Escalation

iPhone iOS 4.3.5 vulnerability (pin/password bypass to make calls) from Sigtrap.

  1. Turn on the phone.
  2. Slide to unlock.
  3. Press Emergency Call.
  4. Enter a very long phone number.
  5. Press and hold down the Power button.
  6. Wait for one second.
  7. Press the Call button.
  8. The phone will show the “Slide to power off” screen.
  9. Release the Power button.
  10. Press Cancel.
  11. Double press the Home button.
  12. Press the Phone icon.
  13. Make calls.

Bypass IPad 2 passcode with a smart cover

October 20th, 2011 by admin in Apple, Privilege Escalation

Anyone with a Smart Cover can break into your “password-protected” iPad 2. This issue occurs in iOS 5, but we’re hearing uncorroborated reports of it also working in earlier versions of iOS 4.3.

What the flaw allows:

As you can see in the video above, a Smart Cover can essentially unlock an iPad 2. The person who unlocks your iPad 2 will not have complete access to your iPad, but will be able to gain entrance to whatever you locked your iPad 2 on. If your iPad 2 went to sleep in Mail, Safari, Messages, Contacts, or Maps, you can imagine the sorts of personal information that can be viewed on your iPad. If you left your iPad 2 on its Home screen, the person can view which applications you have on your device, control media from the multitasking bar, but not much else.

How to re-create it:

1) Lock a password protected iPad 2

2) Hold down power button until iPad 2 reaches turn off slider

3) Close Smart Cover

4) Open Smart Cover

5) Click cancel on the bottom of the screen

(src:9to5mac.com)

Hard Drive Master Passwords

October 16th, 2011 by admin in Password Info, Privilege Escalation

Here’s a small compilation of passwords. If you have any to add please email us. We also can crack DELL HDD passwords for $10 ::Here::

SEAGATE -> “Seagate” +25 spaces

MAXTOR
series N40P -> “Maxtor INIT SECURITY TEST STEP ” +1 or +2 spaces
series N40P -> “Maxtor INIT SECURITY TEST STEP F”
series 541DX -> “Maxtor” +24 spaces
series Athena (D541X model 2B) and diamondmax80 -> “Maxtor”

WESTERN DIGITAL -> “WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD”

FUJITSU -> 32 spaces

SAMSUNG -> “ttttttttttttttttttttttttttttttttt” (32 times t)

IBM
series DTTA -> “CED79IJUFNATIT” +18 spaces
series DJNA -> “VON89IJUFSUNAJ” +18 spaces
series DPTA -> “VON89IJUFSUNAJ” +18 spaces
series DTLA -> “RAM00IJUFOTSELET” +16 spaces
series DADA-26480 (6,4gb) -> “BEF89IJUF__AIDACA” +15 spaces

HITACHI series DK23AA, DK23BA and DK23CA -> 32 spaces

TOSHIBA -> 32 spaces

For xbox hdds try “XBOXSCENE” or “TEAMASSEMBLY” too

There is also some software available to reset the password called MHDD; another suggested program is ATAPWD. A commercial tool from HDDLock claims to unlock drives, and prices vary with drive size.

Password Reset CD

October 7th, 2011 by admin in Password Info, Privilege Escalation

Looks like pcloginnow.com is now offering their password reset CD for free on their site.



PCLoginNow is an easy-to-use tool to reset local administrator and other account passwords on Windows systems. No need to reinstall the system. It resets Windows passwords and Windows security settings instantly. All versions of Windows are completely supported.

OS X Lion bugs allow changing local user passwords and viewing shadow files

September 20th, 2011 by admin in Apple, cracking, News, Privilege Escalation, Uncategorized

http://www.flickr.com/photos/rubendomfer/5974823525/

The latest version of OS X Lion allows any user to easily change the password of any local account, due to permissions oversights on Apple’s part. The news comes less than a month after another Lion vulnerability that let users bypass LDAP without a password gained notoriety.

Originally reported by Defence in Depth blogger Patrick Dunstan, the root of the newly discovered problem in Mac OS X 10.7 is tied to the user-specific shadow files used in modern OS X platforms. These files are essentially hash databases and contain, among other things, the user’s encrypted passwords. Ideally, they should be accessible only via high-privilege accounts.

According to Dunstan, Apple dropped the ball in terms of how Lion handles privilege. “Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Dunstan wrote. “This is accomplished by extracting the data straight from Directory Services.” Any user can accomplish this trick by simply invoking the directory services listing using the /Search/ path — for example, $ dscl localhost -read /Search/Users/bob (where “bob” is the username). This causes Lion OS X to spew out the contents of Bob’s shadow hash file, including data that can be used to crack Bob’s password with a simple script, such as a Python script written by Dunstan.

Source: Info World

The new threat

February 12th, 2011 by admin in Apple, cracking, Linux, Privilege Escalation, Uncategorized, windows

Programmable embedded devices have the capability of being detected as a HID device, just like a keyboard or mouse. So if you have physical access and a minute alone, you can compromise a system with something the size of your thumb. The possibilities are endless: HTTP/FTP download, injecting binaries into debug or PowerShell, etc. Also this device is cross platform, which means Windows, Linux, UNIX and Apple are all vulnerable.

Here’s an example project we made for a Windows 7 box that adds a new Admin user to the system and hides that user from the logon screen. The whole process takes about 16 seconds, with most of the time taken by the device being detected as a keyboard and the driver being installed. The device costs about $20 and can be found here

Make calls from locked iPhone 4s

October 25th, 2010 by admin in Apple, Privilege Escalation

A security hole in iPhone 4 software allows you to make a call after dialing a few pound signs and timing a few others as found by a MacForums member.

When your iPhone is locked with a passcode tap Emergency Call, then enter a non-emergency number such as ###. Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc.

A very similar security flaw, which we blogged about in 2008, was discovered on the iPhone and allowed people to easily bypass the lock screen to access mail, contacts and bookmarks. Apple later acknowledged the bug and issued a software update patching the issue.

An Apple spokeswoman’s response regarding the security flaw:
“We’re aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November.”

Change your password with sticky keys

August 18th, 2010 by admin in Privilege Escalation, windows

Forgot the administrator password? There are many ways to access a Windows installation if you forgot the administrator password. Today I’ll show you another procedure to reset the Windows password by replacing the Sticky Keys application. This program allows you to use the function keys SHIFT, CTRL, ALT, or the Windows key by typing one key after the other instead of pressing them simultaneously with the second key. The main advantage of this password reset method is that you don’t need third-party software; another plus is that it is easy to carry out because no Registry hack is required, as when you offline enable the built-in administrator.

Please note that resetting the password from an account other than the corresponding user account always means that the user loses the credentials stored in the Windows Vault, stored Internet Explorer passwords, and files that you encrypted with the Encrypting File System (EFS). Of course, if you have a backup of these credentials, you can restore them; likewise, if you have exported the private EFS key, you can import it again after you have reset the password.

Like with all other solutions that allow you to reset the Windows password without having an account on the corresponding computer, you have to boot from a second operating system and access the Windows installation while it is offline.

You can do this with a bootable Windows PE USB stick or by using Windows RE. You can start Windows RE by booting the Windows Vista or Windows 7 setup DVD and then selecting “Repair” instead of “Install Windows.”

By the way, you can’t use the Windows XP boot CD for this purpose because its Recovery Console will ask for a password for the offline installation. However, you can use a Vista or Windows 7 DVD to reset a forgotten Windows administrator password on Windows XP.

This works because Windows RE, which is based on Vista or Windows 7, will let you launch a command prompt with access to an offline installation without requiring a password.
(more…)
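The post describes replacing the Sticky Keys helper (sethc.exe) from an offline boot. The following defender-side check, an added example that is not part of the original post, looks for the usual traces of that replacement on a running system: sethc.exe hashing identical to cmd.exe, a version resource naming a different original file, or an owner other than TrustedInstaller. It assumes PowerShell 4.0 or later (for Get-FileHash) and a default %SystemRoot%.

```powershell
# Added defensive check (not from the original post): has System32\sethc.exe
# been swapped for another binary such as cmd.exe?
# Assumptions: PowerShell 4.0+ (Get-FileHash), default %SystemRoot% location.
function Test-StickyKeysTamper {
    [CmdletBinding()]
    param(
        [string]$SystemRoot = $env:SystemRoot   # assumption: default install root
    )
    $sethc = Join-Path $SystemRoot 'System32\sethc.exe'
    $cmd   = Join-Path $SystemRoot 'System32\cmd.exe'
    $findings = @()

    if (-not (Test-Path $sethc)) {
        return [pscustomobject]@{ Path = $sethc; Tampered = $true; Findings = @('sethc.exe is missing') }
    }

    # 1. A replaced sethc.exe is typically a byte-for-byte copy of cmd.exe,
    #    so the two hashes collide.
    $hSethc = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
    $hCmd   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
    if ($hSethc -eq $hCmd) { $findings += 'sethc.exe SHA256 matches cmd.exe' }

    # 2. The version resource of a copied binary still names its real origin
    #    (cmd.exe reports "Cmd.Exe"); the genuine helper reports sethc.exe.
    $orig = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($orig -and $orig -notlike 'sethc*') { $findings += "OriginalFilename is '$orig'" }

    # 3. Heuristic: System32 binaries are owned by TrustedInstaller; a file
    #    dropped in from an offline boot usually ends up owned by someone else.
    $owner = (Get-Acl -Path $sethc).Owner
    if ($owner -notmatch 'TrustedInstaller') { $findings += "owner is '$owner'" }

    [pscustomobject]@{
        Path     = $sethc
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Run the check and print any findings.
Test-StickyKeysTamper | Format-List
```

A clean system returns Tampered = False with an empty Findings list; any hit is worth confirming by comparing sethc.exe against a known-good copy from installation media.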

Kon Boot 1.1

May 10th, 2010 by Dev Team in cracking, Privilege Escalation, windows

Kon Boot 1.1
We reviewed Kon Boot 1.0 last year HERE, which was a great breakthrough program that allowed you to boot into a Windows machine and bypass the logon screen without entering a password. To accomplish this, Kon Boot hooks the BIOS on the fly, subverting the Windows kernel authentication temporarily and allowing you access. Since this is a temporary process, the computer is back to normal when you reboot. This allowed you to access the computer without having to take the time to reset the password or crack it, and it left the computer untouched. Now, a year later, Kon Boot v1.1 has been released with new features, such as booting from floppy, CD, or USB, and privilege escalation support which allows you to gain SYSTEM privileges from ANY account on the system. For example, you can boot from Kon Boot, log in as Guest and run the ‘Net User’ command to add a new user, reset admin passwords etc. as SYSTEM.

It also has a bunch of new bug fixes/updates.

  1. Added 64-bit environment support
  2. Added USB support tools (grldr, klmemusb)
  3. Added debugging code to make it easier to track down various compatibility problems
  4. Fixed bug in Windows 7 support failures
  5. Removed Linux support
  6. Many performance improvements to source code
  7. Improved BIOS support by reducing code size significantly

Unfortunately it is no longer free. But for a meager price of $15.99 for a personal license, it gives you free updates and support for a period of 6 months. You can still use it without restrictions after that period.
They also offer a commercial license, for $75.99 with 1 year of support and updates, allowing you to use it in a business environment.
To purchase Kon Boot v1.1, visit their website http://www.kryptoslogic.com

We are also giving away 10 personal licenses this week to some lucky readers!!! More details to come!!!
