May 22

DHCPpwn

It’s more of an alpha than a beta, but… This is an old piece of code I was working on a few years ago, but I recently found time to start coding again. I know it’s a bit buggy (not all of the buttons function yet, and it tends to lock up because of the loop on sending packets), but I still have lots of improvements to work on… I need to add my IPv4 subnet calculator class (which should fix the lockup issues) and ARP class (some DHCP servers, like Fios modems, send an ARP request after DHCP). I also need to add the function to hijack existing leases, but it’ll exhaust the DHCP pool on most servers (ie: Linksys, Cisco routers, etc.)… I got it in a working state, so I figured I’d post it for fun… It’ll be much improved soon!

BTW, if you test it on any type of DHCP server and don’t see addresses exhaust, let me know… I’ll get my hands on it and would love to find out what else it’s doing!

DHCPwn1b

Jan 02

Recover SA Password on Microsoft SQL Server

Applies to:

Microsoft SQL Server 2005, Microsoft SQL Server 2008

 

Overview

If you have ever lost the SA password, you may have thought your only option was to reinstall SQL Server and re-attach the databases. However, SQL Server provides a much better disaster recovery method that preserves the objects and data in the master database: members of the server’s local Administrators group can access SQL Server by starting it in single-user mode.

 

How to Recover SA Password

  • Open SQL Server Configuration Manager
  • Stop the SQL Server instance for which you need to recover the SA password
  • Open the properties on the SQL Server instance and click on the Advanced tab
    • Change the Startup Parameters by adding -m; at the beginning of the line and click OK
  • Start the SQL Server instance
  • Open the command prompt
  • Run sqlcmd and press enter
  • Run a Transact-SQL command to add an existing account or a new account to the sysadmin server role. Replace DOMAIN\Username with the account you want to add. *NOTE: if you receive errors, I’ve listed some common issues at the end of this article.
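The Transact-SQL for that last step, as an added example rather than the post’s own snippet: it assumes the instance is running with -m and that sqlcmd is connected as a member of the server’s local Administrators group, and CONTOSO\recovery is a constructed placeholder for DOMAIN\Username.

```sql
-- Added example, not from the original post. Run inside sqlcmd while the instance
-- is started with -m (single-user mode). CONTOSO\recovery is a placeholder for
-- the DOMAIN\Username you want to add.

-- 1. Create a login for the Windows account if it does not already exist.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\recovery')
    CREATE LOGIN [CONTOSO\recovery] FROM WINDOWS;
GO

-- 2. Add that login to the sysadmin fixed server role (SQL Server 2005/2008 syntax).
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\recovery', @rolename = N'sysadmin';
GO

-- 3. Verify sysadmin membership before restarting without -m, so you know the
--    account will work and can see whether anything unexpected already holds the role.
SELECT p.name, p.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
GO

-- 4. After the sa password has been reset, remove the temporary recovery account
--    (uncomment to run) so it does not remain a standing sysadmin.
-- EXEC sp_dropsrvrolemember @loginame = N'CONTOSO\recovery', @rolename = N'sysadmin';
-- DROP LOGIN [CONTOSO\recovery];
-- GO
```

Single-user mode accepts exactly one connection, so stop SQL Server Agent (or anything else that connects at startup) before running sqlcmd, or it may take the connection first.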

 

  • Open SQL Server Configuration Manager
  • Stop the SQL Server instance
  • Open the properties on the SQL Server instance and click on the Advanced tab
    • Change the Startup Parameters by removing the -m; from the beginning of the line and click OK
  • Start the SQL Server instance
  • Open Microsoft SQL Server Management Studio and log in with the account you added
    • Under the DB, expand Security, then Logins
    • Open the properties for the sa account, and reset the password

Common Error: Running SQLCMD HResult 0x2, Level 16, State 1

HResult 0x2, Level 16, State 1
Named Pipes Provider: Could not open a connection to SQL Server [2].
Sqlcmd: Error: Microsoft SQL Native Client : An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections..
Sqlcmd: Error: Microsoft SQL Native Client : Login timeout expired.

Typically, this error is caused by the SQL Browser service not running, or by the Named Pipes protocol not being enabled or being misconfigured. If the SQL Browser service isn’t started, start it. If there is a specific instance name, try connecting to that instance (ie: sqlcmd -S tcp:localhost\instancename). SQLCMD connects through named pipes, and the pipe name for the default instance is:

\\.\pipe\sql\query

To connect to a named instance, it connects to

\\.\pipe\<instancename>\sql\query

To make sure the named pipe is enabled and to change it to the default:

  • Open SQL Server Configuration Manager
  • Expand SQL Server Network Configuration
  • Click on Protocols for <InstanceName>, the default is MSSQLSERVER
  • Open the properties on Named Pipes

 

 

Jan 01

Reset Domain Administrator Password

The following method has been tested to work on both Server 2003 and Server 2008 Domain Controllers

  • Download SRVANY and INSTSRV, which are part of the Windows 2003 Resource Kit
  • Ensure you have the Directory Service Restore Mode Administrator password, restart the server in Directory Service Restore Mode, and log in as administrator
    • If you do not have the Administrator password, you can attempt to get it through one of these methods
  • Create the folder: C:\reset\
    • Copy srvany.exe, instsrv, and cmd.exe (located in C:\system32) to C:\reset\
  • Open a command prompt and enter the following commands
    • CD "C:\reset"
    • instsrv PassRecovery "C:\reset\srvany.exe"
  • Run regedit.exe and navigate to HKLM\System\CurrentControlSet\Services\PassRecovery
  • Create a subkey called: Parameters
    • Create a new string value (REG_SZ)
      1. Name: Application
      2. Value: C:\reset\cmd.exe
    • Create a new string value (REG_SZ) where <password> is the desired password (Must Meet Password Policy Requirements)
      1. Name: AppParameters
      2. Value: /k net user administrator <password> /domain
  • Open Services and Open the Properties for the PassRecovery Service
    • On the General tab, ensure the startup type is Automatic
    • On the Log On tab, ensure the option is checked to: Allow service to interact with desktop
  • Restart the server normally, and log in with the password you specified
  • Uninstall SRVANY by entering the following commands at a command prompt:
    • net stop PassRecovery
    • sc delete PassRecovery
  • Delete C:\reset\

Jan 01

Hacking Windows Passwords

If you’ve ever been in a situation where you didn’t know the password to log in to a Windows computer, there are several methods you can use. These methods require local access to the computer and work on workgroup as well as domain computers. However, it is possible to extend your access throughout a domain using these techniques. I’ll assume you already understand how Windows security works, and will just outline the methods. If you would like more details, you can email me.

Method 1 – Password Renew

This is my preferred method, and one I have personally had a lot of success with. You have the option to reset the password of any local user account, create a new local administrator, or grant administrative rights to an existing user.

Warning! – Do not attempt these methods on EFS or encrypted disks

  • Download Bart PE and Password Renew
  • Obtain a Windows XP or Windows 2003 Server Disk in order to build the boot disk
    • Add the Password renew as a plugin and build the disk
  • Boot the Bart PE Disk and Launch Password Renew
    • Select the windows directory (Default is C:\Windows)
    • Select to reset a password or install a new administrative account
    • Select Install, then reboot

Method 2 – Offline NT Password & Registry Editor

This is a less preferred method, with about a 70% success rate, and I would recommend backing up the SAM file before editing. However, there is no need to build anything, because the downloads are already bootable images.

Warning! – Do not attempt these methods on EFS or encrypted disks

  • Download Offline NT Password & Registry Editor
  • Select the disk to mount containing the Windows system
  • Select the path and registry files (Typically WINDOWS/system32/config)
  • Select Option 1 for password edit
  • Select Option 1 to edit user data and passwords
  • Select the account you want to reset the password on
  • Select Option 1 to Clear (blank) user password (Blanking has a higher success rate)
  • Select Option q to quit and confirm writing the files back

Method 3 – Ophcrack (Cracking with Rainbow Tables)

This method takes a different approach by dumping the password hashes from the SAM file instead of editing it. It then attempts to crack the passwords using rainbow tables.

  • Download the Ophcrack live CD; otherwise, you’ll need to be a local administrator to dump the password hashes
  • Burn the ISO to disk using any CD Burning Tool
  • Boot the Ophcrack CD, which will automatically launch Ophcrack, dump the SAM file, load the built-in rainbow table, and crack the passwords
    • If the password you need does not crack, save the hashes, download the Ophcrack program and larger rainbow tables to run it against. If this does not work, try one of the other crack methods with the hashes

Method 4 – PWDump + John the Ripper or Cain (Cracking with Brute Force)

This approach is similar to Ophcrack in that it dumps hashes from the SAM file. However, it uses brute force, which can take significantly longer.

Warning: some antivirus programs might detect these as viruses or hacking tools

  • Download PWDump6 or FGDump
    • Depending on your situation, you can run PWDump6 or FGDump across a network or on a local machine if you have administrative credentials. If not, you’ll need to dump the SAM file offline by putting the tools on a live CD (ie: Linux distro or BartPE), or by adding the hard drive as a secondary drive on a workstation you have access to.
  • Once you have obtained the hashes, download John the Ripper
    • You’ll need to run it from the command line and use any additional parameters you wish on the crack
  • Alternatively, once you obtained the hashes, download Cain & Abel
    • Open Cain
    • Click on the Cracker tab
    • Click the “+” to add hashes to the list
    • Select your list of hashes
    • Right-click the list and select a Brute Force Attack
    • Select your character set and click start

Method 5 – Cachedump (Cracking Cached Domain Passwords)

Taking things a step further: by default, computers in a Windows domain will cache the last 10 users’ password hashes. We can use Cachedump to extract the hashes and then import them into a program to crack them.

Warning: some antivirus programs might detect these as viruses or hacking tools

  • Download Cachedump 1.2
  • Open a command prompt and dump the cached password hashes, which requires local administrative access
    • cachedump.exe
  • Download John the Ripper with a Patch that supports M$ Cache Hash
  • Run John from the command line using any parameters you wish, but ensure you include the following parameter:
    • -format:mscash mydump.txt

Jan 01

Recovery Console XP Password Hack

The recovery console for Windows XP requires you to enter the local administrator password in order to access it. However, if you do not know the password, you will not be able to access the recovery console… That is, unless you know this little trick.

  • Obtain a Windows 2000 installation or boot disk then boot from it
  • Select ‘R’ to Repair Windows
  • Select ‘C’ to launch the Recovery Console
  • Select the windows partition you want to access, and you WILL NOT be prompted for a password