Forget VNC for connecting to your linux VMs for interactivity. Use NoMachine!

Problem: I want to be able to connect to my linux host from windows and run apps seamlessly.

Solution: freeVNC or better yet NoMachine!

Recently I have been searching for a good, easy to use way for me to visually connect to my linux VMs on a windows host. Sure I can use the ESX console and its ok but I have been searching for something more seamless quick. freeVNC is kind of slow and not very quick to deploy in my opinion. Also it seems to have tons of tearing when working with layered or apps that call 3d raster functions.

Then came NoMachine, this app is stellar. Very simple to install even if you are foreign to linux operating systems. The app needs to be installed on both hosts and then they will discover one and other, obviously there is a bit of a security issue here but for home labs it is more than fine seeing as you need a username and password to log in.


I have been using it for a little over a week and have found a use for it in my VMs and in my hashtopus stack. More on hashtopus another day.

Best part? NoMachine is free! I highly recommend this application and think you should give it a hand if you are in a multi OS or headless RDP restricted environment.

A remote desktop without boundaries 

Gomez Peer Exploit |


I decided to take a look at how GomezPeer works from a low level view. During my observations I was surprised how someone would very easily be able to grab username and login info from cooperate websites in a passive manner while running the application.

What is GomezPeer: (in brief)

For those of you who don’t know GomezPeer is a public peer application that is run in order for Dynatrace to test out website responsiveness. Dynatrace claims it is #1 in application performance management.

What gomezpeer does is pays clients to run the application and instruction sets on their own PC so that vendors can measure end user performance of their sites. Such examples could be log in and order plane tickets, or execute a database queries against a server to see how long it will take to return the data in different areas of the country or world. This allows them to test a large number of OSs and ISPs and locations without needing to have the cost of the infrastructure in place. Peers are compensated anywhere between 5$ and 40$ per month and can choose to donate the amount to charity. Over the last few months GomezPeer has been slowly re branding its application into Dynatrace. Both GomezPeer and Dynatrace are owned by Compuware.

Both GomezPeer and Dynatrace use the same addressing block.

Gomez Advisor PNAP-BSN-GOMEZ-RM-02 (NET-63-251-134-0-1) –

How GomezPeer works:
Gomez peer is installed on a client and then activated by putting in a username that corresponds to a GomezPeerZone account. You can install as many peers as you like on as many physical hosts in order to increase your earnings.

The Exploit:

The original documentation on it has been pulled at the request of the vendor.

After working with the vendor the exploit has been mitigated and GomezPeer has been hardened in order to be more resilient to such attacks. The Dynatrace team has been very quick to respond to the issue and let the affected clients know.

I also found working with the project managers at Dynatrace easy to communicate with while working out the specifics and I thank them for that.

Using logstalgia with IIS 8

There is this cool free software out there called logstalgia it allows you to review webserver logs in order to find out in a visual way how clients use your site. But mostly it just looks cool, there are going to be benefits to looking at logs using it but really this is a ‘I was bored’ project so no real business use for it unless your CIO only responds to crazy colors and classic pong. I saw a number of users asking for IIS support on both the wiki and on the github so I decided to educate people on how you can use this on IIS not just Apache or NGIX.

Problem: I want to use logstaigia with IIS or Windows Web Services.

Solution: Change the format that IIS is logging in and make it easy for logging software to interpret the information written by the server.

To be clear you can also convert the logs to an apache like format but this would not allow for monitoring in real time. However this will show you how to fix the issue permanently.

First go on into IIS and click on the site you want to view logging for.1


Once you have opened the logging settings. Change the log format to NCSA and be sure to pick a easy to get to location for the logs.



If you want to see it in more than real time seeing as IIS only seems to write to the file ever few mins then look into setting up realtime logging.

Enjoy using logstalgia to view web traffic!



Citrix clipboard is not working | Or why cant I copy and paste text from local apps to citrix apps.

First off this is not a fix rather a client side patch. If you do not feel comfortable running this then I would recommend you don’t. The patch was written by a Citrix engineer and hosted on Citrix’s support database but is still not included as a offical patch. I try not to write about half ass fixes but this one has saved me a few times on the weekend when I just needed the clients PC to work.

Problem: When I copy and paste from citrix nothing happens. The clipboard is broken on citrix apps. I cant past text into citrix but it works fine locally.

I have seen this numerous times in and out of the office and it can be very frustrating especially to accounting users who need to copy and paste large datasets.

Solution: Run the repairCDBpatch file that is provided by citrix to fix the chain.

Documentation on this is located here: 

First you need to download the file from Citrix:

Once you have the file you need to extract it to the clients PC. Once that is done simply run the file when the users experience the issue and the chain will be fixed.

Simple and not too much to it. But I found this after some time when looking for a patch with little to no reference of it online. I figured I would write it as a guide to ensure I have easy access to it.

Moving Exchange Datastore freezes at “validating the destination file paths” | Exchange 2007

So recently I had to move a datastore location to a new disk since where we had it was running low on physical space. To do this is very straight forward and covered in a previous article, however this one was stubborn.

With the database offline I had copied the data to a new disk and verified it matched. But it stayed on this step for a number of minutes I never recall it taking so long before.



Problem: When I move an exchange datastore I freezes on validating the destination file paths. Unable to move exchange datastore. Moving exchange datastore takes excessive amount of time. 

Looking around online it should only take a number of seconds to check. There was little disk IO just lots of CPU usage since it stalled. I moved another Storage Group to ensure I was not insane and it went right away.


Solution: Remove log files from source and destination if you copied the whole folder.
/!\ Always copy log files never ever delete them until you are sure you need them. Always work with the DB offline and test mounting the DB after making a change.

Comparing the folders I noticed there were a large number of these log files sitting around in the same folder as the DB.


Since the DB was offline I moved them to a different disk to ensure it did not need them. I I remounted the DB and it came up fine without them. I assume they were made during some bad migrations we were working on at the time they were still around.

After removing the files I began the migration again but it still took time validating. I then remembered I had copied the whole folder so the logs were in the source and the destination. Moving them out as well and starting the process over yielded a fast migration!

I assume I could have waited for the system to compare the files and so on but after waiting 30 min for something that normally takes seconds did not sit well with me on a weekend.




Apple and OSX disk encryption | Or how did this get deployed to management before IT.

So I ended up having a client who decided to let their manager set up a laptop prior to us getting it. This laptop was one of the new macbooks that by default encrypt the disk (Yosemite and up I think) during the initial setup. This was a pain for me since I needed to split the PC with bootcamp in order to have Windows and OSX running together. As you would imagine this is a problem when the entire volume is being crypted.

Problem: I cant install bootcamp while my disk is being encrypted. I just got a new mac and the disk is locked due to encryption. I want to stop the encryption process on my mac.

Solution: We use terminal to end the process and roll back the changes to the disk.
Requirements: The users encryption phrase / password.

First this is a really easy to do using terminal so if you are not used to it don’t fret. The sooner you start decrypting the disk the sooner you can go back to using your aerospace looking laptop.

First head on over to Applications  and search for Terminal.term1


Now you will need to find out what disk ID is being crypted. Enter in the following command:

diskutil list

This will output a list of all the disks on the system.  You will need the title of the disk that is being crypted for the next part.

diskutil cs revert /Volumes/title_drive -passphrase

Now your done just wait! If your impatient then throw a few:

diskutil cs list

at it and it will give a ETA so you know if you have time to run to get a coffee.



Loading other users mailboxes in OWA | Or side loading so I can set the OOA.

Before I begin please ensure you follow your companies guidelines to data access prior to pulling this stunt.

Problem: My boss has asked me to audit a users mailbox but I don’t want to reset their password. I need to inspect a mailbox but I don’t want to sync the entire mailbox to a PC in order to see in side. I need to set a out of office alert for a user who is not in the office.

Solution: Grant permissions to the mailbox and use OWA to load the box ontop of the account with permissions.

First of all we need to set up full access to the mailbox using the EMC. Open up your MMC and navigate to Recipient Configuration > Mailbox you will need to find the mailbox you are looking for in this example we are using the totally legit user

Right click the mailbox and choose Manage Full Access a new menu will appear.




For this example we want all of IT to have access to this mailbox. I would suggest setting up groups in order to make it easier but today we will be using the domain group Domain Admins. Click Add and search for the group. Then click Ok and Manage.



Accept the confirmation showing you that it has completed.



Now go on over to your webmail login. You will want to log in as if you were yourself (assuming you are a member of domain admins).



Once logged in you need to append to the URL to access the other mailbox. You will see:

Change it to say:

And your in!

Using spambots to find leaks and password lists.

Recently I have been getting into looking for password lists for hash cracking. Starting out can be tough as you end up with just getting some basic pastebin scraper off the net and running it. Then realizing that it is just looking for any post with plaintext password and user.

This is great if you want a bunch of pastes that have very little to do with password lists and more to do with broken code developers are trying to shuffle around. In my nieveness I was in hopes of it just working.

Good news is the code was well documents and easy for my to read and edit. Now comes the question of what do I put in for it to search for. There is a very good write up on hunting for password lists here . One line that did stand out to me was:

…hackers frequently use to create accounts such as Cucum01:Ber02, zolushka:natasha, and many others. These combos are so common in password lists they always lead to more passwords.

So I thought to myself how can I take data I already have and use that to make my own password finder. Well thats when I came up with this idea when studying some leaks in order to find more passwords.

What do all forums have? Spam bots. Now pay attention this is key, if I was a spammer I would not be using the same username across all sites since this would allow admins to keep a list and block me out same goes for email or domain. So instead I would use variations of a specific username / email. However this is not good enough for me to track in case they changed username / emails. However one thing I did notice while doing pattern tracking was that most of the accounts I would disregard since they are spam bots (generally banned accounts in leaked DBs) had the same password. For this example I give you:

aerorlugcubrempie or as I use to track this bot Zk7oz89sfE

This account uses a veriety of emails to register such as:

and so on and so fourth. This is important but also unimportant. Remember the spam bot can always register with a new gmail at any time. However the one thing that never fails is that the bot always uses the password Zk7oz89sfE .

Searching google and pastebin for the decrypted password often lead to sites that have this password listed along with thousands of other decrypted human passwords. I also found the bot commonly rotated usernames as well so really the password was the only way to tell if it was the same bot or not.



Decrypting hashed and salted passwords | Part two of SQL injection.

This is part two of a obviously two part post. The disclaimer remains the same and should be reviewed prior to reading the article.

Question: I have a number of hashed passwords I need to crack. I forogt my password to insert service name here and I happen to have it in a hashed and salted value.

 Answer: Good news! This is totally possible provided you have the following 3 things.

Time , a decent GPU , and copy of Hashcat

Provided that the hashed and salted password came from one of the following sources that hash cat is good at running tables against. See here for that list these are refereed to modes when cracking.

First we need to find out what version you need to use. This depends on hardware. GPU attacks are often much faster than CPU attacks so today we will be focusing on oclHashcat. But if you like you can still use original hashcat.

If you use a ATi card you want to download oclHashcat for AMD note a specific version is required to work. At the time of this writing they recommend CCC 14.9

If your like me and have a Nvidia card then you will want to download oclHashcat for NVidia go ahead an extract that somewhere simple to get to.

You will also need to have a wordlist to throw against hashcat. I will be covering how I get these lists in a post tomorrow. A wordlist is simply put a collection of text that you will then hash and compare against the password you want to crack. See a super simplified example below.

Assume the password I want to crack is:

And my password list looks like this:

Hashcat will basically take each line and make an appropriate hash of it. Using mode 0 (MD5) it will look like this. Keep in mind this is a simplified example.

aaaaaaaaaa – e09c80c42fda55f9d992e59ca6b3307d – Does not match
bbbbbbbbb – 57f365f09200a0ee7c1243d545447cb1 – Does not match
Password – dc647eb65e6711e155375218212b3964 – Does not match
Password123 – 42f749ade7f9e195bf475f37a44cafcb – Match! -Stop-
ccccccccccc – not compared since I only needed to find one password

Hashcat compares lines thousands to millions of times a second based off the encryption used that it is trying to compare to and how decent you hardware is. Note, on average ATi cards can compute hashes faster than Nvidia cards.

So wordlists, I break mine down into two lists, HumanPasswords.txt (980MB all unique lines) this is from a collection of other leaks and publicly posted passwords that have been commonly used the the past. Then the other list is WordList.txt this contains a mix of Wikipedia titles, books, movies, the numbers 123456, locations and names. I split it up since odds are if a human has typed in a password once into a machine it has been used elsewhere. Using my HumanPasswords.txt (5.3GB) list I get about 84.73% of all lists in the first run without any modifiers. After that I will run WordList.txt and that will bring me roughly 87% without modifiers if I am lucky. This list takes significant time to run and gives less results.

Enough of lists. How do you use Hashcat once you have a list.

First open up a new command line and navigate to the hashcat folder. If you dont know what type of hash you are attacking try checking out HashID its great.

For this example we will use the previous post from using SQL injection and be attacking a phpBB encrypted password. For this go back to your modes list. I can see this is mode 400 (phpass, MD5 WordPress, MD5 phpBB3, MD5 Joomla).

enter in the following command:

cudaHashcat64.exe -m 400 recovered.txt hashes.txt Humanpasswords.txt

Now lets break that down we are calling hashcat for Nvidia cards, attack mode 400, we want all the cracked passwords to go into recovered.txt , the list of hashed passwords is hashes.txt and the compare list is HumanPasswords.txt

One thin you will want to look at is how long it will take to crack. Depending on your card / wordlist / number of hashes you want to crack / outdoor humidity it can all vary.

On my Nvidia 660Ti I get about 73,000 Hashes a second and it took me 4 min to run though my entire password list. Running this on normal hashcat on my CPU took over 30 mins.

Sweet I got a few passwords but not the one I wanted or I cant crack a fair number of them. This is where rules come in super useful. Believe it or not, people actually put in a effort to make passwords hard to guess. Well at least 4% of the population anyways. Here you are left with a few options this is the order I normally work.

Run the HumanPasswords list again with a rule file. Rules allow you to add substitutions to the file for example running the leet speak rule will change.

password to p@ssw0rd

To do this runt he same command but specify a rule this time.

cudaHashcat64.exe -m 400 recovered.txt hashes.txt Humanpasswords.txt -r rules\best64.rule

Once that has completed and your still in need try more rules if not you can add masks and additions. I dont use masks often enough so I will not be covering that.

Now we can finally play with WordList.txt but we dont want generic words so lets mix it up.

cudaHashcat64.exe -m 400 recovered.txt hashes.txt wordlist.txt -a ?d?d

By addng ?d?d we basically asked hashcat to add 00 to each word then 01 then 02 all the way to 99. This will take some time depending on the workstation.

This has been a very basic rundown of HashCat happy cracking!

SQL Injection Basics | How I learned how point and click attacks are easy.

After watching Troy Hunts Yow! Conference I was inspired to try the great SQL injection. This technique is known for getting mass password lists \ email addresses from forum sites. This is a two part guide with this being the first part. Part two covers what do with the data once you have it.

Disclaimer – Tests were conducted internally as far as you need to believe and by reading past this line you remove me from any liability regarding you and the use of the tools with the provided information below. See below for your very vintage reminder that 14 year olds go to jail every year for doing this kind of shit.



Question: Can I use SQL injection to get usernames and passwords?
How can I test for SQL Injection?
What is a good app for those who dont understand what SQL is or how injection works?
What is SQL injection?

 Answer:  Yes you can get usernames and passwords in a plaintext (if provided and poorly stored manner), hashed , and salted variety.
There are many paid services for testing SQL injection that will be better than the one demoed here for free, but you cant beat free.
We are going to use Havij 1.15 for testing SQL injection.
In brief SQL Injection is when input is not sanitized on incoming request and thus allowing someone to insert a question (query) before the data is sent back to the user.

Here is your super basic break down of SQL injection. A user goes to site that they want to attempt to SQL inject. They look for some kind of SQL element on the page (Logins, php? forms ties to DBs, Forums, Comments, etc). Once they find that element they will attempt to pass erroneous data to to it and see how it responds. If it shows a error that looks like a SQL error or table of data you have likely scored as SQL is telling you the problem something it shouldn’t do.  So lets get to this!

First locate your internal site you are allowed to test that I’m sure your all here to read and learn about. Here is mine straight from the 1990’s. I see there is a comments section that has my appropriate string.



Perfect now we need to test it, lets add a simple ‘ to the end of it and try again.


Perfect we just got a warning from SQL about the GET request. so lets take our new string′

and throw it into Havij. this app will give us a logical view of the DB including a tree view of the tables and columns. In other words it will show what can be seen publicly. Havij comes in two flavors Free and Pro and can be readily found on google. I will not be linking it from this article as there is no official source repo.



Then click on Analyze and it will attempt to fingerprint the database and interface with it. The log console will show you any information you need. If you see it running iterations then it has probably failed or the query can not be injected. Check the status field, here we can see my successful injection.


Now you want to click Tables and Get DBs to list all the available DBs on the server.




Ok, so there are 3 types of data fields we can query, Databases the root folders you see here these are usually based off service or used to logically sort data think of it like a folder called \music\ . Tables the first sub folder these are used to sort the data within the database much like if you have \music\techno\ they usually contain sets of columns like privileges and group settings. Then we have Columns these are the actual values, these columns would be items like post dates / times, ids, GUIDs, usernames, and passwords, they would be similar to \music\techno\Gemini – Blue .

When using Havij you need to do it from a top down structure allow it to find all the Databases first, then pick one database and Get Tables until you see what table you want to Get Columns from.

Here is an example of a few phpBB database using Get Tables.


I am going to use phpbb_users as my example table to Get Columns from. Checkbox the single table and choose Get Columns.


new data will be populated and you will see it as another sub category. Select the data you want its best to just choose a few at first. These will be unique for the service but this example specifically is target to phpBB. For the example I chose:

user_id – a number tied to the user, gives us a idea of the size of the userbase
username – the login
user_email – the account registrant address
user_password – their hashed and salted password
user_form_salt – some kind of initial salt for logins or account creation not sure

There are various other items like user_ip that would have been interesting as well.



But wait I thought you said I could get some passwords from this! Well there grasshopper, we need to establish the fact that no one should be storing passwords in cleartext on the server this is bad practice and phpBB does not do this. Im going to explain how to reverse this in the next post. But for now lets go ahead and save this using the Save Data button and make sure its a easy to read HTML file.

Congratulations you are just as badass as those 14 year olds out there running a muck on the internet. But your one more step closer to understand how this attack works and what could happen in the event you have a leak of your DB.

I would just like to point out this is a very basic representation on how to do this. The software used is doing all the heavy lifting if you would look into programming and testing for such a thing I would recommend taking a course on SQL and reviewing the commands in the console output of Havij also known as ‘carrot’

Now that you have learned the basics its time to grab a copy of SQLmap and learn how to do it the proper way. Havij is really just a easy way to test out a site.