Saturday, April 23, 2016

Windows Password Audit – Copy ntds.dit


A company should perform a password audit annually.

The process normally is:

  1. Log in to a domain controller and export ntds.dit, SAM and SYSTEM using a shadow copy.
  2. Extract the hashes from the above files (use the tool NTDSXtract - http://www.ntdsxtract.com/ or the SANS Investigative Forensic Toolkit (SIFT) - http://digital-forensics.sans.org/community/downloads).
  3. Use an offline cracking tool to crack the hashes: Cain, ophcrack etc.

A weak password can be defined as below:

  1. All LM hashes are considered weak.
  2. The password is considered short and weak if its length is less than 8.
  3. Repeated sequences of a single character, e.g. ‘111111’, ‘aaaaaa’, are considered weak.
  4. Simple patterns, e.g. ‘123456’, ‘abcdefgh’, are considered weak.
  5. Keyboard combination patterns, based on all possible keyboard combinations like ‘qwerty’, ‘qazwsx’, etc.
  6. National keyboard combination patterns. The same as the previous rule, but using a national keyboard layout.
  7. User name mutation patterns, for passwords based on the user name.
  8. “Freaked” passwords, e.g. ‘pa$$w0rd’, ‘@pp1e’ etc.
  9. Passwords found by a dictionary attack using well-known passwords, e.g. the leaked Facebook, LinkedIn and eHarmony passwords, which can be downloaded from the Internet.
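
The criteria above can be applied mechanically to the plaintexts recovered during the audit. The following checker is an added example, not part of the original post; the function name `weak_reasons`, the keyboard rows and the tiny stand-in for a leaked-password list are constructed for illustration.

```python
# Constructed sample data: keyboard walks (including the German QWERTZ row as a
# "national layout" example) and a tiny stand-in for a leaked-password list.
KEYBOARD_WALKS = ("qwertyuiop", "qwertzuiop", "asdfghjkl", "zxcvbnm", "qazwsx")
LEAKED = {"password", "letmein", "apple", "iloveyou"}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz")
# Undo common "freaked" (leetspeak) substitutions before the dictionary lookup.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})


def _is_run(pw, alphabets, min_len=4):
    """True if pw is a slice of one of the sequences, forward or reversed."""
    return len(pw) >= min_len and any(pw in a or pw in a[::-1] for a in alphabets)


def weak_reasons(password, username="", has_lm_hash=False):
    """Return the names of the weak-password criteria that the password matches."""
    reasons = []
    low = password.lower()
    plain = low.translate(LEET)          # 'pa$$w0rd' -> 'password'
    user = username.lower()
    if has_lm_hash:                      # rule 1: any stored LM hash is weak
        reasons.append("lm_hash")
    if len(password) < 8:                # rule 2
        reasons.append("short")
    if password and len(set(low)) == 1:  # rule 3: '111111', 'aaaaaa'
        reasons.append("repeated_char")
    if _is_run(low, SEQUENCES):          # rule 4: '123456', 'abcdefgh'
        reasons.append("simple_pattern")
    if _is_run(low, KEYBOARD_WALKS):     # rules 5 and 6
        reasons.append("keyboard_pattern")
    if user and (user in low or user[::-1] in low or user in plain):
        reasons.append("username_mutation")  # rule 7
    if plain != low and plain in LEAKED:     # rule 8
        reasons.append("freaked")
    if low in LEAKED:                        # rule 9
        reasons.append("dictionary")
    return reasons
```

An empty list means none of the criteria matched; in a real audit the `LEAKED` set would be loaded from the downloaded leak lists rather than hard-coded.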

Step 1: Create a shadow copy for copying the password files

  1. Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
  2. Click Start, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. At the elevated command prompt, type the following command, and then press ENTER:
     ntdsutil
  5. At the ntdsutil prompt, type the following command, and then press ENTER:
     snapshot
  6. At the snapshot prompt, type the following command, and then press ENTER:
     activate instance ntds
  7. At the snapshot prompt, type the following command, and then press ENTER:
     create
     The command returns the following output:
     Snapshot set {GUID} generated successfully.
     Where GUID is the globally unique identifier (GUID) for the snapshot.
  8. At the snapshot prompt, type the following command, and then press ENTER:
     mount { GUID }
  9. As an option, to see a list of all mounted snapshots, you can type the following command, and then press ENTER:
     list mounted
     The output lists each mounted snapshot and a corresponding index number. You can use the index number instead of the GUID to subsequently mount, unmount, or delete the snapshot.
  10. Open another command-line window as Administrator.
  11. Run the commands below:

E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\Windows\ntds\ntds.dit
       1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SYSTEM
        1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SAM
        1 file(s) copied.
E:\temp>reg SAVE HKLM\SYSTEM .\sys

  12. Copy these 4 files to a USB drive.
  13. To unmount the snapshot after you have finished viewing the data, type either of the following commands, and then press ENTER:
      unmount index #
      -or-
      unmount { GUID }
  14. Delete old snapshots that you are no longer using because they consume disk space. To delete a snapshot, type either of the following commands, and then press ENTER:
      delete index #
      -or-
      delete { GUID }
  15. After you are done with snapshot operations, type quit to return to the ntdsutil menu, and then type quit again to return to the command prompt.

Reference: https://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx

Sunday, October 4, 2015

Default Webcam Username & Passwords

  • ACTi: admin/123456 or Admin/123456
  • Axis (traditional): root/pass
  • Axis (new): requires password creation during first login
  • Cisco: No default password, requires creation during first login
  • Grandstream: admin/admin
  • IQinVision: root/system
  • Mobotix: admin/meinsm
  • Panasonic: admin/12345
  • Samsung Electronics: root/root or admin/4321
  • Samsung Techwin (old): admin/1111111
  • Samsung Techwin (new): admin/4321
  • Sony: admin/admin
  • TRENDnet: admin/admin
  • Toshiba: root/ikwd
  • Vivotek: root/<blank>
  • WebcamXP: admin/<blank>

Search for Webcams on https://www.shodan.io/

  • webcamxp country:US
  • WebcamXP city:"Chicago"
  • webcam port:81
  • webcam net:123.123.123.0/24 (filter by IP)

Saturday, July 25, 2015

How to fix Remote Desktop Connection Manager 2.7 full screen issue


I recently upgraded Remote Desktop Connection Manager (RDCMan) 2.2 to version 2.7. After I fixed the popup window issue (http://andyinmatrix.blogspot.ca/2015/07/how-to-fix-remote-desktop-connection.html), I encountered another, even worse issue: the host’s screen doesn’t scale to fit the full size of the local client screen, which RDCMan version 2.2 does very well. I have to use scroll bars to get to the “start” button. This is really annoying.



A few steps to fix this problem:

  1. Click menu “tool” -> “options”.
  2. Click tab “Client Area”. Make sure “Lock window size” is unchecked.
  3. Right-click the very top root level of the hosts tree (it is actually your .rdg file name) and select “properties”.
  4. Click tab “Remote Desktop Settings”, uncheck "Inherit from parent", check "Same as client area", and click OK.



That’s all. Enjoy the full screen. And of course, don’t forget to save your .rdg file.