Category: password crackers

Reset Your Windows Password

We have lots of passwords to remember: workstations, servers, banks, forums, mail, etc. This makes forgetting a password easy. Today I would like to describe how to reset the admin password on Windows.

I am going to use chntpw. chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the encrypted password in the registry's SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shut down your computer and boot off a Linux floppy disk or live CD).

1. Insert the BackTrack DVD into your Windows computer and boot from it (usually you can press F2 or F12 to see the boot order and force the computer to boot from CD/DVD).

2. Mount your Windows partition:

2.1. Run fdisk -l to determine which partition is your Windows partition.
My Windows partition is /dev/sda1.

2.2. Create an empty folder on which to mount the Windows partition:
mkdir /mnt/windows

2.3. Mount it:
mount /dev/sda1 /mnt/windows

3. Go into the chntpw directory:
cd /pentest/passwords/chntpw

4. Run chntpw against your SAM file:

./chntpw -i /mnt/windows/WINDOWS/system32/config/SAM

5. Type the username whose password you want to reset and press Enter, then press 1 and Enter.

6. After making the changes, exit from the main chntpw menu and press "Y" to write the changes or "N" to discard them.


A Powerful Vulnerability Scanner: Nessus- Part II

In my last blog post, I covered Nessus licenses and installation. Today, I would like to write about using Nessus.

Updating Plug-ins

After you register and activate the Nessus server, it will download and then update the plug-ins. Plug-ins are somewhat like virus signatures: each one tests a machine for a common vulnerability. Nessus plug-ins are written in the Nessus Attack Scripting Language (NASL). [It might be a good idea to have articles on how to write NASL too.]

[Screenshot: nessus_Download]

Updating plug-ins (for the first time) can take up to 20 minutes, so be patient.

Client Configuration

Start Nessus Client from Start->Applications->Tenable->Nessus Client.

Click the '+' sign on the left. This brings up the 'Target Window', where we set which targets we want to scan.

[Screenshot: nessus_client]

We have four options for specifying what to scan. The first is a single host, given as a hostname or an IP address (example.com or 123.4.5.67).

The second option is an IP range, such as 192.168.0.1-192.168.0.254.

We can also scan a subnet by providing its network address and subnet mask (Network Address: 192.168.0.0; Subnet mask: 255.255.255.0).

Finally, we can provide the hostnames or IPs we want to scan in a text file. This is useful if you already have a list of the machines you want to scan and don't want to scan the whole network.

Choose whichever option you like and then click 'Save'.
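To make the four target forms above concrete, here is an added Python example (not part of the original post and not Nessus code) that expands each form into individual addresses and checks them against an authorized scope before a scan is launched, so a typo in a range or a stray entry in a targets file does not send the scanner outside the systems you are allowed to test. It assumes IPv4 only, a dotted-decimal netmask for the subnet form, and a targets file with one entry per line; the sample file contents are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# "a.b.c.d-e.f.g.h" range form; matched before the hostname check so that
# hostnames containing hyphens are not mistaken for ranges.
_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")

# RFC 1123 hostname syntax. Assumption: names are not resolved here (offline check).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def expand_target(spec: str, netmask: Optional[str] = None) -> List[str]:
    """Expand one target entry in the forms the Nessus client accepts.

    - single host: hostname or IPv4 address ("example.com", "123.4.5.67")
    - IP range:    "192.168.0.1-192.168.0.254"
    - subnet:      network address plus dotted netmask ("192.168.0.0", "255.255.255.0")
    Raises ValueError for malformed entries rather than guessing.
    """
    spec = spec.strip()
    if netmask is not None:
        # strict=True rejects a host address passed off as a network address
        net = ipaddress.IPv4Network(f"{spec}/{netmask}", strict=True)
        return [str(h) for h in net.hosts()]
    m = _RANGE_RE.match(spec)
    if m:
        first, last = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if last < first:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)]
    try:
        return [str(ipaddress.IPv4Address(spec))]
    except ValueError:
        if not _HOSTNAME_RE.match(spec):
            raise ValueError(f"not an IPv4 address or valid hostname: {spec}")
        return [spec]


def targets_from_text(text: str) -> List[str]:
    """Read a targets file (one entry per line); blank lines and '#' comments are skipped."""
    out: List[str] = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            out.extend(expand_target(entry))
    return out


def check_scope(targets: List[str], authorized: List[str]) -> Tuple[List[str], List[str]]:
    """Return (outside_scope, unresolved_hostnames) against the authorized CIDR blocks."""
    nets = [ipaddress.IPv4Network(a) for a in authorized]
    outside: List[str] = []
    unresolved: List[str] = []
    for t in targets:
        try:
            addr = ipaddress.IPv4Address(t)
        except ValueError:
            unresolved.append(t)  # hostnames must be resolved before they can be checked
            continue
        if not any(addr in n for n in nets):
            outside.append(t)
    return outside, unresolved


# Constructed sample targets file, in the shape the fourth Nessus option reads.
SAMPLE_TARGETS_FILE = """\
# web tier
192.168.0.10
192.168.0.11   # reverse proxy
db.example.internal
10.0.0.5       # not inside the authorized block
"""

if __name__ == "__main__":
    targets = targets_from_text(SAMPLE_TARGETS_FILE)
    outside, unresolved = check_scope(targets, ["192.168.0.0/24"])
    print("targets:", targets)
    print("outside authorized scope:", outside)
    print("hostnames to resolve first:", unresolved)
```

Run it before feeding a targets file to the scanner: anything in the "outside authorized scope" list should be removed or explicitly approved, and hostnames should be resolved and re-checked, since the scanner will scan whatever the name resolves to at scan time.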

Connecting to the Nessus Server

We will use the 'Connection Manager' to connect to the Nessus server.

First, click the Connect button at the lower left. It should bring up the connection manager.

[Screenshot: Nessus_ConnectionManager]

As you see, by default we can connect to localhost (since I am running the Nessus server on the local machine, I will use this option). If your server is on a different machine, click the plus sign at the bottom left.

You can name the new connection and choose the authentication method you want: simple password-based authentication or SSL-based authentication.

After you set up the connection, click 'Save'. You should see a 'New Certificate' window if you are connecting to the server for the first time. Click 'Yes' and log in to the server.

[Screenshot: Nessus_Certificate]

Policies

Now we need to add a new policy. Click the plus sign on the right and save this policy as Default Policy. This way, you will always have the default policy in the policy section. Let's create a more specific policy: we will scan a Linux server (CentOS) running Apache and MySQL.

Plugin Selection

To create the specific policy for our example, click the plus sign again and then open the 'Plugin Selection' tab. The server we are scanning runs CentOS Linux, so we don't need the Local Security Checks plug-in families for Windows, Fedora, Red Hat, Ubuntu and Debian. Uncheck all of these (in general, uncheck the families for every OS except your own). The same goes for the IIS Web Server family. Now click the Policy tab and save this policy as Linux_CentOS Policy.

Important Note: The "Denial of Service" family contains some plug-ins (all DoS plug-ins are enabled by default) that could cause outages on a corporate network if the "Safe Checks" option is not enabled (Safe Checks is also enabled by default; it is under the Options tab), but the family also contains some useful checks that will not cause any harm. The "Denial of Service" family can be used in conjunction with "Safe Checks" to ensure that potentially dangerous plug-ins are not run. However, it is recommended that the "Denial of Service" family not be used on a production network.

Let's start scanning by clicking the 'Scan now' button at the bottom.

Reports

After the scan completes, you can see the results under the 'Report' section.

[Screenshot: Nessus_Report]

Nessus found one medium and 8 low risks. Usually you can ignore the low risks, and in some cases the medium ones too. An orange port number (in our example, port 80) means the highest risk on that port is medium. Red means the highest risk is 'high' (!) and black means it is 'low'.

Nessus gives important information about each possible vulnerability: the report shows Synopsis, Description, Solution, Risk Factor and Plugin Output.

[Screenshot: Nessus_Report2]

We can sort the output by vulnerabilities, hosts, ports or IPs (one host can have more than one IP, right!) using the 'View Template' button on the lower right.

We can export the report as HTML, which is useful. We can also get CVE output and create an Excel file if that is something you want. (I prefer creating Excel files from the CSV templates in Nessus; it makes my reports more customizable.)

Conclusion

In this blog post, we learned how to configure a Nessus client and connect it to a Nessus server, how to scan networks, and how to read Nessus reports. In the next blog post(s), we will look at scanning in more detail, as well as user management in Nessus.

A Powerful Vulnerability Scanner: Nessus- Part I

I will write a few blog posts about Nessus. In this first one, I will cover general points about it.

What is Nessus?

Nessus is a proprietary, comprehensive vulnerability scanner. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

You can scan ports and see what crackers could find to hack, so you can take action before they do! There will be some examples later of the vulnerabilities we can find with Nessus.

I always think of Nessus as a scanner that looks at a box from the outside, over the network, and usually that is how it is used. However, it can find default or weak passwords too.

If you are working on a vulnerability management project, I recommend having another scanner for looking inside the boxes (i.e. vulnerabilities in the software running on the machines; I like Sunbelt Network Security Inspector for this purpose).

Anyway, let's look at the license options for Nessus.

Licenses: What are licenses? Wasn't Nessus GPL and free?

It was, but in 2005 the creator of Nessus sold it to Tenable Network Security. Tenable still maintains Nessus 2.0 under the GPL. They closed the source code for version 3.0 and higher.

Version 3.0 was the first one released by Tenable. It ran almost 5 times faster than v2. V3 was popular too, but having 3 licenses for one product confuses users a little.

The first type of license is the ProfessionalFeed. With this license, Tenable provides support for the application. They also deliver plug-ins to you earlier than under the other licenses.

Pricing for the ProfessionalFeed is based upon the number of Nessus scanners in use within your organization, consultancy or service. The cost is $1,200 per scanner per year.

You can buy the ProfessionalFeed from here.

The other type of license is the HomeFeed. A HomeFeed is available for free to individual home users, and cannot be used by organizations or by individuals professionally.

The last one is the on-demand evaluation. It allows you to evaluate the ProfessionalFeed by using the HomeFeed subscription commercially for 15 days. You may only perform such an evaluation once.

The on-demand evaluation does not give you access to the customer portal, nor to the features specific to the ProfessionalFeed but should be adequate to test Nessus. You can obtain an activation code here.

Installing and Activating Nessus

Installing Nessus is straightforward. You can download it from this link. It runs on Linux, Windows and Mac.

For this blog post, I installed it on a Windows machine.

After you set it up, don't forget to activate it. (Remember, even for non-professional use of Nessus you are required to activate it. They will send you an activation key via e-mail; just grab the key and paste it into the dialog window.)

How It Works

You need to understand how the software works before scanning the machines across the network.

The most important thing you need to know is that Nessus is an agentless scanner. What does agentless mean?

Well, some security software needs an agent installed on each machine you scan. Nessus works differently: it uses a client/server architecture. The client is the machine on which you run the software and configure the scan. The server is the machine that performs what you tell it to do from the client.

The server and client can be the same machine. Don't forget, you don't pay for each client, but you do pay for each server you install (each server requires its own license).

The client/server architecture brings some flexibility. The first benefit is remote scanning.

You can install the server inside the network and run the client from a remote place, say your home. This is very helpful since you don't need to deal with firewall or IDS issues that can affect the scan results.

The second advantage is that one machine is enough to scan the whole network. This is definitely time saving!

I will cover the usage and configuration of Nessus in the next blog post.

Hacking / Recovering Firefox Saved Passwords

Introduction

I covered how and where Firefox stores saved passwords in the previous blog post. Today, I will cover how to hack them.

As discussed previously, Firefox uses Triple DES as its encryption algorithm. If no master password is set, we can recover the passwords with any base64 decoder, since there is no encryption.

If a master password is used, the user needs to attack key3.db with a password cracker such as FireMaster to recover the master password.

The master password itself is not stored in key3.db. Instead, Firefox stores encrypted data associated with a known string.

Say the known string is realinfosec. If the user enters the correct master password, the encrypted data decrypts to realinfosec. BOOM!

The known string and the decrypted one match! Firefox now knows the user entered the correct master password, so it decrypts all the saved passwords.
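The check the two paragraphs above describe, as an added Python example (not code from this post, from Firefox or from FireMaster): a known string is encrypted under a key derived from the master password, and an unlock attempt succeeds only if decrypting the stored value with the candidate's key yields that string again. PBKDF2-HMAC-SHA256 and a toy SHA-256 keystream cipher are assumptions standing in for Firefox's own key derivation and Triple DES, so that the example runs on the standard library alone; the known string is the post's realinfosec.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# The known plaintext; "realinfosec" is the example value used in the post.
KNOWN_STRING = b"realinfosec"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key from the master password.

    Assumption: PBKDF2-HMAC-SHA256 stands in for Firefox's own derivation.
    The iteration count is the cost that every unlock attempt, and therefore
    every password guess, has to pay.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 in counter mode, XORed onto the data.

    Assumption: stands in for Triple DES. The same call encrypts and decrypts,
    and a wrong key yields bytes that will not equal KNOWN_STRING.
    """
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def create_check_record(master_password: str, salt: Optional[bytes] = None,
                        iterations: int = 200_000) -> Dict[str, object]:
    """What the key database keeps: a salt, the KDF cost and the encrypted known string.

    The master password itself is never stored.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": keystream_xor(key, KNOWN_STRING)}


def verify_master_password(candidate: str, record: Dict[str, object]) -> bool:
    """Decrypt the stored check value with the candidate's key and compare to KNOWN_STRING.

    This is the step Firefox performs at unlock: the stored ciphertext must
    decrypt to the known string before any saved password is decrypted.
    """
    key = derive_key(candidate, record["salt"], record["iterations"])
    decrypted = keystream_xor(key, record["check"])
    return hmac.compare_digest(decrypted, KNOWN_STRING)


if __name__ == "__main__":
    record = create_check_record("correct horse battery staple")
    print("stored check value:", record["check"].hex())  # ciphertext, not the password
    print("right password accepted:", verify_master_password("correct horse battery staple", record))
    print("wrong password accepted:", verify_master_password("password1", record))
```

Because every candidate has to go through derive_key before the comparison can be made, the iteration count bounds how many guesses per second an attacker with a copy of the key database can try; the master password's own strength does the rest, which is why it decides how well the saved passwords are protected.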

FireMaster works the same way:

  1. First, FireMaster generates candidate passwords using brute-force, hybrid and dictionary attacks.
  2. It then computes the hash of the candidate master password.
  3. FireMaster uses this hash to decrypt the encrypted data.
  4. If the decrypted data matches the known string (i.e. realinfosec), FireMaster has found the password!

[Screenshot: firemaster1]

Once you have the master password, you can decrypt the saved passwords with FirePassword.

Currently, FirePassword can only decrypt saved passwords stored in signons.txt files, not the ones in signons.sqlite.

Nagareshwar Talekar, creator of these two nice tools, informed me that he will try to update FirePassword so that it can also crack saved passwords stored in signons.sqlite.

Conclusion

1-) If you forget your master password, you can get it back via FireMaster.

2-) The strength of the encryption depends on the strength of the master password you choose.

3-) Nothing is impossible: you can recover your Firefox passwords. However, this means that hackers can crack them as well... Don't forget, they only need key3.db and the signons files (txt and sqlite) to do that. You need to be sure that the physical security and network security of your machine are OK.