Site Migration

Sorry for the last few days of downtime! I was just moving the site, and it looks like I missed a few posts. They will be restored this week for sure.

Android will automatically require full disk encryption.

Android vendors will soon need to make full disk encryption the default on new devices (provided the device supports it); it seems the only requirement is that the device features a lock screen.

Taken from their new best practices guide:
https://static.googleusercontent.com/media/source.android.com/en//compatibility/android-cdd.pdf 


This is great news, but Google should focus on securing how the device is encrypted before making it mandatory for all users. Not to mention, it's generally human error that gives you away on your phone. A very sobering and appropriate comment from a Gawker user is quoted below:


With mobile platforms more and more commonly being accepted as payment methods, I feel this is Android's push to get their platform secure for a new type of Google Checkout / PayPass. This will make your phone a larger and larger attack surface for carders.

Bundled with the fact that employers are allowing much more permissive BYOD policies, this can become an issue. But until that happens, here is a hashcat thread on how to capture and brute force the keys if you are doing data forensics on the device, provided you know how to use hashcat and have spare CUDA cores.

But hey, if you're short a few cores, Nvidia's Test Drive has not been abused yet since they are still letting users sign up. I am surprised it has not become an issue yet.


*Note: I don't recommend abusing Nvidia's free service to crack Android or other passwords. But I am surprised they don't put in more hurdles to prevent someone from doing this or using them as a seedbox.

 

Thoughts on downloading already public data dumps.

An excellent article from user thecthulhu. The article does not state what area of law his lawyer practises, but it outlines a number of reasons why hosting, distributing, or downloading dumps is not illegal. Take it as it is.

However charging for it is a different story.

One thing to remember is that even if you only break laws in another country, it's not advisable to visit that country afterwards, as one Mississauga gentleman found out while trying to save a few hundred on a bumper for his car by purchasing it from the US.

Citrix clipboard is not working | Or why can't I copy and paste text from local apps to Citrix apps.

First off, this is not a fix but rather a client-side patch. If you do not feel comfortable running it, then I would recommend you don't. The patch was written by a Citrix engineer and is hosted on Citrix's support database, but it is still not included as an official patch. I try not to write about half-baked fixes, but this one has saved me a few times on a weekend when I just needed the client's PC to work.

Problem: When I copy and paste from Citrix, nothing happens. The clipboard is broken in Citrix apps. I can't paste text into Citrix, but it works fine locally.

I have seen this numerous times in and out of the office, and it can be very frustrating, especially for accounting users who need to copy and paste large datasets.

Solution: Run the repairCDBpatch file provided by Citrix to fix the clipboard chain.

Documentation on this is located here: http://blogs.citrix.com/2009/05/28/how-to-repair-clipboard-functionality-in-citrix-xenapp-and-is-it-time-to-enable-the-fix-by-default/ 

First you need to download the file from Citrix: http://support.citrix.com/article/CTX106226?_ga=1.158326778.153608753.1424184468

Once you have the RepairCBDChain32.zip file, extract it to the client's PC. Once that is done, simply run the file when the user experiences the issue and the clipboard chain will be fixed.

Simple, and not much to it. But I only found this after some time searching for a patch with little to no reference to it online, so I figured I would write it up as a guide to ensure I have easy access to it.

Using spambots to find leaks and password lists.

Recently I have been getting into looking for password lists for hash cracking. Starting out can be tough, as you end up grabbing some basic Pastebin scraper off the net and running it, then realizing that it is just looking for any post containing the plaintext words "password" and "user".

This is great if you want a bunch of pastes that have very little to do with password lists and more to do with broken code developers are trying to shuffle around. In my naivety I was hoping it would just work.

The good news is that the code was well documented and easy for me to read and edit. Now comes the question of what to tell it to search for. There is a very good write-up on hunting for password lists here. One line that stood out to me was:

…hackers frequently use to create accounts such as Cucum01:Ber02, zolushka:natasha, and many others. These combos are so common in password lists they always lead to more passwords.

So I thought to myself: how can I take data I already have and use it to make my own password-list finder? That's when I came up with this idea while studying some leaks in order to find more passwords.

What do all forums have? Spam bots. Now pay attention, this is key: if I were a spammer, I would not use the same username across all sites, since that would allow admins to keep a list and block me; the same goes for email addresses or domains. So instead I would use variations of a specific username / email. However, that is not good enough for me to track in case they change usernames / emails. One thing I did notice while doing pattern tracking was that most of the accounts I would disregard because they are spam bots (generally banned accounts in leaked DBs) had the same password. For this example I give you:

aerorlugcubrempie, or, as I track this bot, by its password Zk7oz89sfE

This account uses a variety of emails to register, such as:

a.ero.r.l.u.gcu.b.r.e.m.p.ie@gmail.com
ae.r.orl.u.g.c.u.b.r.em.pie@gmail.com
aer.orlug.c.u.b.r.e.mpie@gmail.com
aer.orl.ugcu.b.rempi.e@gmail.com

and so on and so forth. This is important but also unimportant. Remember, the spam bot can always register with a new Gmail address at any time. However, the one thing that never fails is that the bot always uses the password Zk7oz89sfE.

Searching Google and Pastebin for the decrypted password often leads to sites that have this password listed along with thousands of other decrypted human passwords. I also found the bot commonly rotated usernames as well, so really the password was the only way to tell if it was the same bot or not.
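The dotted Gmail variants above all collapse to one mailbox, and the shared password is the other link. As an added example (not code from the original post), here is a Python audit that canonicalizes registration emails and clusters accounts by mailbox and by shared password, the way a forum admin reviewing a user table would; the records, the extra non-bot rows and the plus-tag handling are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of registration records (email, username, password) in the shape of
# a forum user table. The four Gmail variants and the password are the ones quoted in the
# post; the usernames and the last two rows are made up for contrast.
REGISTRATIONS = [
    ("a.ero.r.l.u.gcu.b.r.e.m.p.ie@gmail.com", "aerorlugcubrempie", "Zk7oz89sfE"),
    ("ae.r.orl.u.g.c.u.b.r.em.pie@gmail.com", "aerorlug_cubrempie", "Zk7oz89sfE"),
    ("aer.orlug.c.u.b.r.e.mpie@gmail.com", "cubrempie77", "Zk7oz89sfE"),
    ("aer.orl.ugcu.b.rempi.e@gmail.com", "aerorlugcubrempie2", "Zk7oz89sfE"),
    ("jane.doe+forum@gmail.com", "janedoe", "correct horse"),
    ("bob@example.org", "bob", "hunter2"),
]

# Gmail ignores dots in the local part; googlemail.com is the same mailbox as gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address: str) -> str:
    """Collapse mailbox aliases to one identity: lowercase, drop a +tag (assumption: the
    provider supports plus-addressing), and strip dots for dot-insensitive domains."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"

def cluster_by_canonical_email(records):
    """Group usernames by the canonical mailbox behind their registration email."""
    groups = defaultdict(list)
    for email, username, _ in records:
        groups[canonical_email(email)].append(username)
    return dict(groups)

def shared_password_groups(records, min_size=2):
    """The post's key observation: accounts sharing one password are one bot. Only usable
    where plaintext is available (at registration time or in an already cracked dump)."""
    groups = defaultdict(list)
    for _, username, password in records:
        groups[password].append(username)
    return {pw: users for pw, users in groups.items() if len(users) >= min_size}

def suspected_bot_accounts(records):
    """Usernames linked to at least one other account by mailbox or by password."""
    flagged = set()
    for users in cluster_by_canonical_email(records).values():
        if len(users) > 1:
            flagged.update(users)
    for users in shared_password_groups(records).values():
        flagged.update(users)
    return sorted(flagged)
```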

 

 

Decrypting hashed and salted passwords | Part two of SQL injection.

This is part two of an obviously two-part post. The disclaimer remains the same and should be reviewed prior to reading the article.

Question: I have a number of hashed passwords I need to crack. I forgot my password to <insert service name here> and I happen to have it as a hashed and salted value.

Answer: Good news! This is totally possible provided you have the following 3 things:

Time, a decent GPU, and a copy of Hashcat.

This also assumes the hashed and salted password came from one of the sources that Hashcat is good at running lists against. See here for that list; these are referred to as modes when cracking.

First we need to find out which version you need to use. This depends on hardware. GPU attacks are often much faster than CPU attacks, so today we will be focusing on oclHashcat. But if you like, you can still use the original hashcat.

If you use an ATI card, you want to download oclHashcat for AMD; note that a specific driver version is required for it to work. At the time of this writing they recommend CCC 14.9.

If you're like me and have an Nvidia card, then you will want to download oclHashcat for NVidia; go ahead and extract it somewhere simple to get to.

You will also need a wordlist to throw at hashcat. I will be covering how I get these lists in a post tomorrow. A wordlist is, simply put, a collection of text that you will then hash and compare against the password you want to crack. See a super simplified example below.

Assume the password I want to crack is:
42f749ade7f9e195bf475f37a44cafcb

And my password list looks like this:
aaaaaaaaaa
bbbbbbbbb
Password
Password123
ccccccccccc

Hashcat will basically take each line and compute the appropriate hash of it. Using mode 0 (MD5), it will look like this. Keep in mind this is a simplified example.

aaaaaaaaaa – e09c80c42fda55f9d992e59ca6b3307d – Does not match
bbbbbbbbb – 57f365f09200a0ee7c1243d545447cb1 – Does not match
Password – dc647eb65e6711e155375218212b3964 – Does not match
Password123 – 42f749ade7f9e195bf475f37a44cafcb – Match! -Stop-
ccccccccccc – not compared since I only needed to find one password

Hashcat compares lines thousands to millions of times a second, depending on the hash algorithm it is comparing against and how decent your hardware is. Note that, on average, ATI cards can compute hashes faster than Nvidia cards.
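To make the comparison above concrete, here is an added Python example (not part of the original post and not Hashcat's code) that reproduces the MD5 table row by row, then repeats the same wordlist pass against a constructed salted scheme, sha256(salt || password), to show why per-user salts multiply the work and make precomputed digest lists useless; the salted scheme and the demo records are assumptions for illustration only.

```python
import hashlib
import os

# Target hash and wordlist exactly as in the worked example above (constructed inputs).
TARGET_MD5 = "42f749ade7f9e195bf475f37a44cafcb"
WORDLIST = ["aaaaaaaaaa", "bbbbbbbbb", "Password", "Password123", "ccccccccccc"]

def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()

def dictionary_match(target_hex, wordlist, stop_at_first=True):
    """Hash each candidate and compare, producing the rows of the table above as
    (candidate, digest, matched). Stops at the first hit, so later words are never
    compared, which is why the example ends before ccccccccccc."""
    rows = []
    for word in wordlist:
        digest = md5_hex(word)
        matched = digest == target_hex.lower()
        rows.append((word, digest, matched))
        if matched and stop_at_first:
            break
    return rows

def first_match(target_hex, wordlist):
    """The recovered plaintext, or None if nothing in the wordlist hashes to the target."""
    for word, _, matched in dictionary_match(target_hex, wordlist):
        if matched:
            return word
    return None

# The salted case from this post's title. With a per-record salt the wordlist has to be
# re-hashed for every record, so the work grows with the number of hashes and no
# precomputed list of digests can be reused. Scheme is constructed: sha256(salt || pw).
def salted_sha256_hex(salt: bytes, candidate: str) -> str:
    return hashlib.sha256(salt + candidate.encode("utf-8")).hexdigest()

def build_demo_records():
    """Constructed user table of (salt_hex, digest_hex) for two users who happened to
    pick words that are in WORDLIST, each with a fresh random salt."""
    records = []
    for pw in ("Password123", "Password"):
        salt = os.urandom(8)
        records.append((salt.hex(), salted_sha256_hex(salt, pw)))
    return records

def salted_dictionary_match(records, wordlist):
    """Return ({digest_hex: plaintext} for every record the wordlist recovers, total
    number of hash computations). Each record costs up to one full wordlist pass."""
    found, computations = {}, 0
    for salt_hex, digest_hex in records:
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            computations += 1
            if salted_sha256_hex(salt, word) == digest_hex:
                found[digest_hex] = word
                break
    return found, computations
```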

So, wordlists. I break mine down into two lists. HumanPasswords.txt (980MB, all unique lines) is a collection from other leaks and publicly posted passwords that have been commonly used in the past. The other list is WordList.txt; this contains a mix of Wikipedia titles, books, movies, the numbers 123456, locations and names. I split it up since odds are if a human has typed a password into a machine once, it has been used elsewhere. Using my HumanPasswords.txt (5.3GB) list I get about 84.73% of all lists in the first run without any modifiers. After that I will run WordList.txt, and that will bring me to roughly 87% without modifiers if I am lucky. This list takes significant time to run and gives fewer results.

Enough of lists. How do you use Hashcat once you have a list?

First open up a new command line and navigate to the hashcat folder. If you don't know what type of hash you are attacking, try checking out HashID; it's great.

For this example we will use the previous post on SQL injection and be attacking a phpBB hashed password. For this, go back to your modes list. I can see this is mode 400 (phpass, MD5 WordPress, MD5 phpBB3, MD5 Joomla).

Enter the following command:

cudaHashcat64.exe -m 400 -o recovered.txt hashes.txt HumanPasswords.txt

Now let's break that down: we are calling hashcat for Nvidia cards; -m 400 selects hash type (mode) 400; -o recovered.txt sends all the cracked passwords to recovered.txt; the list of hashed passwords is hashes.txt; and the compare list is HumanPasswords.txt.

One thing you will want to look at is how long it will take to crack. Depending on your card / wordlist / number of hashes you want to crack / outdoor humidity, it can all vary.

On my Nvidia 660Ti I get about 73,000 hashes a second, and it took me 4 min to run through my entire password list. Running this with normal hashcat on my CPU took over 30 mins.

Sweet, I got a few passwords, but not the one I wanted, or I can't crack a fair number of them. This is where rules come in super useful. Believe it or not, people actually put in an effort to make passwords hard to guess. Well, at least 4% of the population anyway. Here you are left with a few options; this is the order I normally work in.

Run the HumanPasswords list again with a rule file. Rules allow you to apply substitutions to each word in the file; for example, running the leet-speak rule will change

password to p@ssw0rd

To do this, run the same command but specify a rule this time.

cudaHashcat64.exe -m 400 -o recovered.txt hashes.txt HumanPasswords.txt -r rules\best64.rule

Once that has completed and you're still in need, try more rules; if not, you can add masks and additions. I don't use masks often enough, so I will not be covering that.

Now we can finally play with WordList.txt, but we don't want generic words, so let's mix it up.

cudaHashcat64.exe -m 400 -a 6 -o recovered.txt hashes.txt WordList.txt ?d?d

By selecting -a 6 (the hybrid wordlist + mask attack) and adding the mask ?d?d, we basically asked hashcat to append 00 to each word, then 01, then 02, all the way to 99. This will take some time depending on the workstation.

This has been a very basic rundown of Hashcat. Happy cracking!

Setting VLC to display multiple videos on multiple monitors starting at multiple times from the command line.

So I had this project where basically we wanted to display some footage in a showroom, and it had to meet the following criteria:

Be a single video file
Loop 24/7
Span 3 1920×1080 monitors that are independent (not cloned)
The video can never be at the same point on multiple TVs
Be super automated so anyone would be able to launch it with zero technical skill

Be warned, the code is rough and I am sure there is room for improvement, but here it is.

Problem: I want VLC to run multiple times to show two videos. VLC won't automatically open on another monitor. I need VLC to open a file at a specific point.

Solution:

First off, we need to be sure we are talking about the same version of VLC; all the testing was done on Windows 7 and 8.1 with VLC version 2.1.5 Rincewind.

First click on Tools and select Preferences.

You need to uncheck "Use only one instance when started from file manager". This is on by default.

Now I'm going to make a few assumptions so my code is easy to follow.
– All your video file(s) must be located in a folder called C:\bin\vids\
– Your master script is also located in C:\bin\vids
– You are trying to fix this on a windows box of a 64bit nature

First make a batch file called v1.bat and put the following code in it:

"C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\bin\Vids\videoplayback720.mp4" --start-time=0 -f -L --video-x 10 --video-y 10 --no-one-instance --no-embedded-video

Let's break this down part by part. First we need to call VLC from the command line as if it were started from the Windows file manager.
"C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file

We now want to add the video to the playlist of this VLC instance, so tell VLC where the file is. NOTE! Replace videoplayback720.mp4 with the name of your own video file.
--playlist-enqueue "C:\bin\Vids\videoplayback720.mp4"

Start the video at zero seconds, make it full screen, and loop forever.
--start-time=0 -f -L

Now we need to choose which monitor to start the video on. I used starting location 10,10. This can be anything within the primary monitor.
--video-x 10 --video-y 10

Now we want to ensure that any new videos that open don't open on top of this one, and we want the window to be free-floating so there is no VLC bar.
--no-one-instance --no-embedded-video

Perfect. Now we need to make a new batch file called v2.bat; it will be very similar to v1.bat but with a few tweaks that I outline below (the values that change are --start-time and --video-x):

"C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\bin\Vids\videoplayback720.mp4" --start-time=600 -f -L --video-x 1930 --video-y 10 --no-one-instance --no-embedded-video

First we modified the start time to 600 seconds. This is 10 min into the video file, so that both files will be at different points in time. Second, we modified video-x; this will place the video on the 2nd screen and then full-screen it. The reason it is 1930 is that you need an X coordinate larger than the width of your first monitor. So for those of you who are bad at math, look below:

For two videos playing on two screens you can use:

Two 1920×1080 screens:
v1.bat --video-x 10
v2.bat --video-x 1930
If you wanted to have a 3rd screen, just add the resolution again:
v3.bat --video-x 3845

Two 1440×900 screens:
v1.bat --video-x 10
v2.bat --video-x 1450

Two 1920×1080 screens but the primary is on the right:
v1.bat --video-x 10
v2.bat --video-x -1930

Now we need to automate the opening of these files. I made a crude master batch script to do so and put a shortcut on the desktop so even an intern could operate the system.

I have 3 screens, so mine contained 3 files. Make a master file called StartVids.bat and paste in:

start cmd /k CALL "C:\bin\vids\v1.bat"
start cmd /k CALL "C:\bin\vids\v2.bat"
start cmd /k CALL "C:\bin\vids\v3.bat"

Save your file and then give it a run!

Remote Desktop setting the default lock screen in 8 and 8.1?

I have noticed that when you remote desktop from any machine to your 8 or 8.1 box, your screen reverts to the default Windows lock screen image.

How annoying! Especially if you have a branding policy in your office or are feeling a little artsy.

Problem: Windows likes to use the default user's lock screen image when I remote desktop in or am logged out.

Solution: Set the default image for all users via group policy.
First of all, we need to open the group policy editor (if you want to edit it locally). If you're on a domain, I will assume you know how to use GPOs and where to find them.

Open a new Run window (Windows + R), type gpedit.msc and press Enter.

You will then need to navigate to Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen image


Double-click to edit the policy, enter the path to the lock screen image, and click Apply!


Simply log out and log back in to see the changes!

 

 

Server 2003 Event ID 333 error spamming your event viewer? There is a simple solution.

Recently I was working with a Windows Server 2003 box that was having some memory paging issues. Long story short, ESX was running low on memory and the servers had to be shifted around. However, after doing this I still found that the event log was being flooded with Event ID 333 errors.

 

Problem – Event ID 333 is still logged every 5-30 seconds even after the memory issue has been cleared and Event ID 2020 has stopped being added to the event log.

Let's look at a basic scenario here. Normally we all know our servers well, the physical and the virtual ones; we know what they are capable of and adjust accordingly. However, sometimes an application (in the case of physical) or a whole server (in the case of virtual) will occupy all the memory or shares that it is given.

This causes Event 2020 (Error, source: Server). It's basically saying "Hey, I'm out of memory and the paged pool area is all gone!"

After the issue is cleared or the load on the paged pool lightens, the Event 2020s will stop. However, you may see recurring Event 333s. This is a Microsoft issue; do not be alarmed. These will not stop until the server is rebooted or, heaven forbid, we patch our Windows Server 2003 boxes. But let's all be honest, odds are these are already legacy systems we are afraid of powering off.

Solution – Apply Microsoft's hotfix, or ignore the errors and have a good night's rest knowing these will repeat until the server is rebooted.

That's right, these errors are not supposed to spam the console every 5-30 seconds, but they will. So you don't have to keep your eye on it unless you rebooted and they are still coming up. But be sure to check whether a 2020 came up first after the reboot.

Microsoft's hotfix can be found here, along with a statement acknowledging that this behaviour was a bug.