Search This Blog

Wednesday, September 18, 2013

Hacking the company's laptop

This articles talks about hacking and other activities which may seems to be illegal and will certainly get you into trouble if you are caught doing it. I would advise you read it as a form of entertainment and treat it as entirely fiction without any truth in it. Ok, let’s set this imaginary environment.

WE all had laptops for a long, long time that I did not even remember the days where laptop did not exist. Due to special considerations, my department had always had the privilege of admin rights on our laptop due to the work we do. We are required to install software, run privilege tasks etc on a daily basis. We never imagine the day that this would end. We never had the problem of facing this. Until now.

Due to new firm requirement, we are required to upgrade to a new version of the laptop OS with some enhancements as well as a new set of software for our work. This time, the top management came down on us hard and decided that we should not have administrative rights to the corporate laptop because we are supposed to perform our privileged task on another laptop. Ok, let’s leave that out of our story. The fact that we may be caught out in the field for weeks, it does not seems logical that we do not have access to our email and other corporate information systems. Therefore, we NEED to have administrative rights to the laptop. SOMEHOW.

Let’s pause for a minute if you feel that we need to discuss the moral and legal issue here. Like I said, its an imaginary environment. By all rights of standard, we should never have to ask for any thing and everything is given. However, this does not actually happen in the real world or for that matters, this imaginary world of our. So, someone needs to be the hero. Someone need to break some rules. Someone will have to do it. Yes, I know, that would be me.

Ok, lets come back to the story. So, many of us find that we cannot even insert a thumbdrive (oops, sorry, flashdrive) without triggering an administrative prompt. Life has been hell since the upgrade and it seems like the end of days is just about to begin. Unknown to most, a few of us are already beginning to work on this “problem”. The intention is just to be able to have enough rights to perform some of our installations etc without having to tear the laptop apart. Of course, in the process, we would not want to trigger any alert or alarms as well. Hackers get caught. Good hackers DON’T get caught.

So, we narrowed down our options. One of the endgame objectives would no doubt be the administrative rights. A more direct answer would be the administrator password. And inside our laptop, there is the local administrator account, which is used by the IT support department to roll out updates and perform installation on our laptop. This seems like the very object we want.

Usually before I go about the hard way, I try the easy way. In fact, the easy way usually works. I tried a few passwords. No luck. In fact, I was very caution to ensure that password lockout was not enable on this account. For very obvious reasons, if this account is lockout, it will be difficult to recover the system. I always wonder if this is the reason why everyone wants to attack the admin account, beside than knowing it has the rights of god on the machine. So, it does not use a simple password.

Another very direct way to recover a system is to wipe the password. This is more effective than you can imagine. I had broken tons of laptop whose owner does not want me to enter their system by simply rebooting into my boot CD and wiping off the administrator password. However, we have a problem here. This system is protected by a disk based encryption. When we boot up from a foreign OS, the encrypted partition simple will not mount. In fact, this was one problem I was dying to crack. Anyway, wiping the password is not the way to go.

Another approach is to extract the password hash. We all heard of rainbow tables and LCP. I guess this would be easy. I had extracted lots of passwords hashes in the past using PWDump or FGDump. One obstacle lies ahead. Antivirus. The antivirus is switch on to the maximum mode which simply detect and delete anything and everything it feels is dangerous. This includes some of our tools which we use for work as well. Nasty. The question is : Do I want to break the antivirus as well? Antivirus firm has spend millions on R&D to ensure their solution works and works well in a corporate environment. I am sure they had figured out that someone will want to disabled or uninstall their product in the corporate. Secondly, I also do not want to trigger some alarm if I had my antivirus off.  

In the above detail, I mentioned how easy it was for me to obtain my administrator’s right simply by social engineering the IT support department. However, that doesn’t not solve ALL the problems we have. It is good to have a laptop with an additional local admin account, but it is not enough to simply have that. There are still other helpless laptops out there. Ultimately, what I wanted was the admin account so that I can help them out too.

While I have my admin rights, it’s easy and simple to just change the password of the admin account to whatever I like, but that’s not my aim. I also realized that in order to push my hacking tools onto the laptop to extract the password hash, I will probably have to disable or uninstall the antivirus system because it is basically blocking and deleting my software whenever I copy it in.

Touching the antivirus is probably not where I want to go. Basically, messing with the antivirus may trigger some audit alarms which will not look nice on me. Secondly, I may not be able to properly uninstall or install the antivirus back because it may have a secondary password or some required files for the group policy. Enterprise level antivirus usually has all these additional stuffs. Destroying the antivirus will be a last resort for me.

Just to recall in the first article, the hard disk has a disk based encryption and that is why I am unable to use a boot disk or boot CD to extract the password hash.  In short, I am pretty screw if I continue in this path to try to extract the password hash. In a separate thread, I did manage to break one of these systems using a floppy boot up, but that’s another story. I had another thought. That is to install the system console and boot that up. But the chances that I will be able to run or do anything else in that restricted shell is quite close to none. So, what will be better than the password hash? Answer : The password itself.

So, how can one get the password? Let’s backtrack this a bit. How does the IT department upgrade and change all our passwords? Typically if you work smart, you will either push it down a GPO or use some sort of batch processing, maybe even SMS or WUSS. Now, being such a huge enterprise, I would guess they would use at least one of these. I strike GPO off because the admin account is a local account. So, what I will do is to find out how they changed the password (in batch).

I do not know why, but my IT department like to leave a link to their software repository around on their desktop. I guess that’s probably the root of corporate piracy if any happens here. In any case, this is the place I would start. Looking through the folders, I basically had gone through these times to times for other reasons, so pretty much know which are the new stuffs, or simply just sort them by date. Then from the new folders, I found another link to another server which contains the new software sets for this upgrade. Now, this will contains the binaries for the antivirus. I almost thought that I would reconsider breaking the antivirus and reinstalling it back using these binaries. Until I saw a very obvious file in the root directory.  It sound like jackpot. In fact, there is even a file call “ChangePasswordforXXX.exe” lying around there for the picking. Bingo.

So, this is a exe file. I would like to break it apart using IDA Pro or other debugger, but just throwing at a long shot, I thought I would start with a text editor instead. Based on my experience, most people do not encrypt or even obfuscate their binary. I had been able to break many applications and website basically because the binaries is not protected. Again, this enables me to accomplish what I did. By looking through the binary file, I notice this is a simple WISE installation binary. Yes, actually I already knew that when I saw the icon. They did not even bothered to change it. WISE has tendency to leave some of the configuration in clear text even when it is compiled into a binary. That is the reason why I saw the things I saw without even the use of a debugger. Somewhere in the file, I saw the password I was looking for. In fact, I did not even really take a look at the file, I simple do a search for “password” and I am brought to that offset in the file.
The password was long, complex and consists of alphanumeric with upper and lower case and symbols. But it is just another password hacked by me today.

As an added bonus, I even got hold of an additional password in the file just right below it. It is the encryption password for the harddisk. I haven’t figured out how I could use it, but I guess it will probably be useful, someday.

Who Reset My Password

Today I am going to talk about yet another simple and effective hack. This time, we are going to go into the scenario of grabbing password from forums, portals etc. Imagine this scenario. You are user A and you want to get into user B's account. We can safely assume that User B's email is inaccessible, otherwise, we all know we do not have a problem then.
Suppose as A, I decide I wanted to go reset my password instead. More often than not, it will be sent to A's email address, a link that enable user A to reset my password. In other times, they may even allow other means as well such as mobile phone or messenger, but the concept is still pretty much the same, except it just complicate the trace hiding part sometimes.

Now, after A check the email and a link will appear. If the link is embedded in HTML, uncode it and look for something like this:


uid=12314800&uname=xxxxxxxx&mail=yyyyyyyy
Now. isn't that cute. But what we are interested is the UID most of the time. And I don't need to point finger at what sort of program usually have this type of parameters. Now comes the interesting part. I have a link for A to reset A's password, but what if I CAN reset B's password instead? OK, this is where the complication may or may not help. Basically what you are interested is to obtain B's UID. To my surprise, it's something more easy than you think. Some portal, you will even be able to get that from the "reset password" page, while others, its just a matter of keying in the password incorrectly once on the login page.
Now, lets UID replace. Note that if the site uses some sort of hash check on the URL, this is probably not going to work. But then again the hash is usually going to be a combination of the parameters plus some unique identifier, with some luck, you might even be able to break the hash. In one case I encounter, the hash is basically the whole URL excluding the hash=ZZZZ parameter right at the end.
Assuming its not, replace B's uid with A's uid and you are sent to the password reset page. Go ahead and don't be shy about it. After which, go back to the login page and log into B's account successfully. And B may or may not even know the password had been changed.
You may laugh and think the hack is silly. 10 sites I saw and 10 I entered within last 3 days is not so laughable. If you maintain a portal, I think you should re-look at your password reset workflow seriously.

DVDFab and BD-RE

I had just recently gotten a Blu-ray write finally. Now, say goodbye to my DVD writable, or so I thought. While Data and other files has absolutely no problem with a BD-R or BD-RE (Yes, I do not know why, but they decided BD-RW doesn't sound good), it becomes a complication when it comes to the media like music and movies.
Lets leave the AudioCD part out of these, since its still in the legacy CD format. Take a look at DVD. I had always used DVDFab to "squeeze" DVD9 into DVD5 and it works like a charm. Lose some sound quality, but the video is usually 100% well kept. (Yes, don't we all hate the FBI notice delay and ads and to be honest, I think DVDFab should sell this as their prime point. Not sure if the FBIs are so happy about it though.

OK, this is where I am finally going to talk about why we can't do without DVDFab for Blu-ray. I had check out many (Yes, about 10 or so) who claim they can squeeze a Blu-ray without (much) loses. WEll, before that, let me stress that most Blu-ray out there simply are dual layers. Well, not that you get great quality or something, there are usually about 29GB (Single layer only houses 25GB) and I can't help thinking, they had done it on purpose so that people cannot copy it 1-1. And for me. BACKUP is a must. Especially when you own a Blu-ray, you would share with friends (and god knows, maybe even their dogs) all over. I do not want to have to pay almost USD40 and then, well own a very expensive coaster. So I insist on backing up my Blu-ray.

Well, why not buy a BD-RE DL? Yes, why not? It's just about 8X the price of the single layer! This is where DVDFab comes in. In most of my "test" (I own the Blu-ray by the way!), most of the "Extra" bytes comes from the previews or additional language tracks. And in Blu-ray, audio track is crazily large, especially when they are in 7.1 Digital or something. It's crazy! And I don't really care about the Russian language, for example. So these goes and all done nicely by DVDFab. In fact, I do not really even need to give up on quality on most of the movies. So its like 1080p, without some audio and definitely without FBI warnings and previews (by the time I watch these preview, the show is probably out anyway). And all this via DVDFab.


The current DVDFab comes with 2 major version, version 9 comes with the newer interface, but I prefer the old interface more like the above. There is a trial version which you can try for 30 days and decide for yourself if you want to buy it.

Check it out at:

Last, but not least, DVDFab does not require AnyDVD or other decrypter to decrypt the content of the DVD or Blu-ray! So, that's a bonus!

Well, I do not work for DVDFab in case you are wondering and there is no referral bonus or anything from my link.

Windows Update Unlocked and Manual Trigger

Ever seen this before? Well, this is an old version of Windows, but it would look somewhat similar when you have policies that preset and prevents you from doing a Windows Update. Usually there is nothing you can do about it and hope that you will eventually get the patch, thanks to your company, but if you are the owner of this machine and has admin rights, then read on.
Usually this is caused by GPO or similar policies preventing you from updating. Or you are not in the administrator group. To solve the GPO, you will need to fire up regedit.
  1. Go to HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ WindowsUpdate \ AU. 
  2. Delete the keys AUOptions and NoAutoUpdate.
  3. Go to HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ WindowsUpdate.
  4. Delete the key DisableWindowsUpdateAccess.
Alternatively, you can also use the Group Policy Editor. 
  1. Fire up GP Editor by running "gpedit.msc" in command prompt.
  2. Go to Computer Configuration\Administrative Templates\Windows Components\Windows Update.
  3. Set "Configure Automatic Updates" to "Not Configured".
  4. Got to User Configuration\Administrative Templates\Windows Components\Windows Update.
  5. Set "Remove Access" to All  and "Windows Update features" to Not Configured.
On server, you may be able to run "gpupdate /force" to restart the policies, but a reboot is one sure way to get it done.

Next, we sometimes wants to fire up Windows Update and do a on demand update. But in a company wide deployment, often you will get a no access page at Microsoft because the Windows Update Server is set to local. So, here is the way to get it done, via script of in command prompt.

You can skip this steps sometimes, but I find that the sure way to trigger the update is sometimes to shutdown and restart the Windows Update Service like this:

net stop wuauserv
net start wuauserv

After this, you can start the actual trigger to Windows Update:

wuauclt /detectnow

This should make the yellow shield at the tray pops up. You may want to see a update status by:

wuauclt /r /ReportNow

This will communicate with the update server and takes a few minutes. 

And when something does crap out, there is always a very detail log in %systemroot%/WindowsUpdate.log. You will find all your problems inside be it wrong server, connection timeout etc.

Now, the above can definitely be put into a script to be run by schedule and you have your own "Automatic Update" so to speak. Have fun updating Windows (and other Microsoft Products)

Tuesday, September 17, 2013

FLV to MP# Convertor

Today, I transferred approximately 200 music files into my mobile phone, but when I tried to play them, only 30-35 files were showing up in the media player.  After a quick check, I found that the player in my mobile phone can only play WAV and MP3 files.  When I looked at the files, they were mostly in FLV format. 

FLV2MP3 
 So, quickly done a search on the Google and found this tiny tool, which is just 500KB.  It is really an amazing tiny application, which took less than half a minute to install and only few seconds to convert all the 170 FLV files into MP3.  Quality remained intact.
Download FLV2MP3 converter (on Ziddu), install it, and when you run it a small window will appear.  Just drop your files onto it and it will convert it to MP3 and stores in the same directory with the same file name.

How to restore the Windows XP bootloader

I have searched the Internet if there is any solution and what everyone was to use the Windows XP CD to repair it. Once we boot into the XP CD, we need to type “fixmbr” into recovery console to repair it. So, I digged the net to see if there is a simple solution and came with this. It worked for me great and there is no need to have XP CD. Follow these steps and you are done.
  • Right click on “My Computer” and click “Properties” which is at the end of the menu.
  • Select the “Advanced” tab from the list of tabs. Then, click “Settings” button in the “Startup and Recovery” section at the bottom.
  • It will open up a new window and then click “Edit” button, which will load boot.ini in notepad where you can edit it.
A normal boot.info file look like this:
[boot loader] timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=”Microsoft Windows XP Professional”/fastdetect
Though I have uninstalled the Ubuntu, the boot.ini was looking like this:
[boot loader] timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=”Microsoft Windows XP Professional”/noexecute= optin/fastdetect
c:\wubildr.mbr=”Ubuntu”

I have just copied the normal boot.ini code into the boot.ini, saved it, and restarted. Voila…..I got rid of the nagging dual boot window.  Below are the screenshots to guide you visually.

Bootloader 1
Bootloader 2

Free mobile video converter – XMedia Recode

last week, I was downloading and testing few best mobile video converters available on the net. After a day of testing, I found that XMedia Recode is the best video converter that can convert videos for almost all mobiles. It has a list of mobile brands and models to select and it will convert the video compatible for that model. Best of it, it is a free software.
 
Once you installed it, click open file and select the video to be converted for your mobile. Then, in “Profile,” select the brand of your mobile and in the below list, select the model of your mobile. Then, click on the “Add Job” button in toolbar. Then, the “Encode” button will active and click it to convert. It also has an option to shut down the system automatically when the conversion completes.

You can also use it for normal video conversions. Choose the profile name “Custom” and you can see more than 20 types of formats you can convert your video into.



It can convert for Acer, Apple, Archos, Asus, BlackBerry, Cowon, Creative, Elson, Epson, Garmin-Asus, Hauppauge, HTC, Hyundai, Intenso, iRiver, LG, Loewe, Motorola, Nikon, Nintendo, Nokia, O2, Palm, Phillips, Pocket PC, Samsung, SanDisk, Sony Ericsson, Sony, Sony PlayStation 3, PSP, Toshiba, T-Mobile, Vodafone, Western Digital TV Box, Xbox, Zune, and YouTube (as of version 2.2.4.2).

How It is possible to make Inkjet printing cheaper and cost-effective

Everybody knows that cartridges are very costly. Keeping that in my mind, I have started doing homework before purchasing one. Went to eBay and searched for compatible cartridge prices of different brands (they are cheaper than original cartridges). Cannon and Epson had cheap compatible cartridges.
While searching on eBay, I came across a listing of refillable cartridges for Epson. That listing instantly attracted me. It costs around Rs.600 for four cartridges (CMYK) and all comes with plastic lids, which you can open and fill the ink “n” number of times. eBay also has a listing of CISS (Continuous Ink Supply System) for various printer models of Epson, which makes printing cost dirt cheap.

Looking at these options, I settled down with Epson. I then did my research for an Epson All-in-one model, which is cheap. Epson Stylus TX121 was the cheapest and better one. Then, visited all the online e-commerce sites and found that IndiaPlaza offer is lowest. After applying a coupon code, I got it at Rs.2600 (MRP Rs.3999).
If you are using original cartridges, color print costs anywhere from 4-8 rupees for an A4 print (photo), black costs Rs.1-3 (depends on the brand). If you are using compatible cartridges, you can cut the price to half.
Refillable 73N cartridges with four color bottles of 100 mL each cost Rs.1050 on eBay. Only ink costs Rs.700, which you can use to fill all the cartridges 10 times. Assuming that one fill prints 300 prints (black and color), it will give a total of 3000 prints, which makes the cost per print 24 paise. If you are only printing black, then it becomes very, very cheap.  

You might have doubt that these inks will damage the printer head, but think, two or three sets of original cartridges cost is equivalent to your printer. I have already experimented with my printer and the quality of print is same as that of original ink. What all you need to keep in mind is to purchase products from eBay Power Sellers and seller with good feedback. They tend to sell good products to maintain their feedback.

PS: Epson Printer with Ink Tank System is available at Rs.6800 on eBay.

How to stop Telemarketing Calls

I hope you have enjoyed my previous post on funny telemarketing calls.  This post will guide you on stopping telemarketing calls.   After I got the credit card, these annoying calls have increased in number. I was aware of “National Do Not Call Registry,” but never tried it. As the calls increased to 4-5 a day, I registered for NDNC and surprisingly never received a marketing call thereafter. 

What is “National Do Not Call Registry” ?

The NDNC Registry is a database having the list of all telephone numbers of the subscribers who do not want to receive Unsolicited Commercial Communication (UCC). Telephone subscriber (Landline or mobile) who does not wish to receive UCC, can register their telephone number with their telecom service provider for inclusion in the NDNC or directly as mentioned below. Telecom Service Provider shall upload the telephone number to the NDNC within 45 days of receipt. The telemarketers will have to verify their calling telephone numbers list with the NDNC registry before making a call.

How to register for it?
 
Dial 1909 or SMS to 1909 with message ‘START DND‘ (remove quotes).
Register for it and get rid of annoying telemarketing calls.
Do Not call Registry of other countries:

Do Not Call Registry is also maintained by several other countries.  Below is a list of countries and their websites to help the international visitors/subscribes of my blog.

How to know from where the junk SMS has come from..

I always wondered what those two letters added to the sender name of a bulk/junk SMS refers to, like TD-ICICIBANK, BD-FORTUNE, etc. These days, the junk SMS has become a pain and I get unsolicited spam SMSes from Vastu consultant, Astrologer, Real Estate agents, LIC agents, which I have not opted to receive. Today, an article in Times of India says that these junk SMSes have reached an astounding number of 100 million a day sent throughout the country. As the SMS cost has become so cheap, it has become a low-cost marketing trick to reach the targeted customers. 

As per TRAI, every bulk SMS must have 2 letters as initials: the 1st letter stands for the service provider sending SMS and the 2nd for location eg, TD is Tata Delhi, BD is BSNL Delhi, etc.

This is the complete chart:
 
Service Provider Code
Aircel D
Airtel A
BSNL B
BPL Mobile L
Loop Telecom L
Idea Cellular I
MTNL M
Reliance Comm R
Reliance Telecom E
Spice Comm P
Tata Teleservices T
Vodafone V

So, now you can find out the origination of bulk SMS using the above chart. If you are getting huge number of bulk SMS daily, register for National Do Not Call Registry and see if it can be of help.