Thursday, September 23, 2004

AOL bypasses security in IE with WinAmp

We all know that WinAmp puts links all over the place to AOL. They are on the Desktop, the Start Menu, the IE favorites, the Quick Launch bar, even in your history. I've found a new place and I find it rather disturbing. WinAmp adds an AOL website to your IE Trusted Sites during installation, and this, along with all the other AOL garbage, is NOT optional.

To see if your computer has been affected:
  • Open Internet Explorer
  • Click on Tools then Internet Options.
  • Click on the Security tab.
  • Click on the Trusted Sites icon.
  • Click Sites.
  • Look for "", which may have been added during the installation of Nullsoft WinAmp 5 Lite.
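The same check can be scripted instead of clicked through. This is an added example, not part of the original post: it lists every Trusted Sites entry from the standard ZoneMap registry keys, where a value of 2 marks the Trusted Sites zone. The function name `Get-TrustedSite` and its `-Filter` parameter are hypothetical names chosen for this example.

```powershell
# Added example: list IE Trusted Sites entries (zone 2) from the ZoneMap registry keys.
# Assumption: only the per-user and per-machine Domains keys are read.
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$TrustedZone = 2   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites

function Get-TrustedSite {
    param([string]$Filter = '')   # optional substring to match against the site name

    foreach ($root in $ZoneMapRoots) {
        if (-not (Test-Path $root)) { continue }

        foreach ($key in Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue) {
            foreach ($name in $key.GetValueNames()) {
                # Value name is the protocol (http, https, *); value data is the zone number.
                if ($key.GetValue($name) -ne $TrustedZone) { continue }

                # Keys nest as Domains\<domain>\<subdomain>; reverse to rebuild the host name.
                $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                $parts = $relative.Split('\')
                [array]::Reverse($parts)
                $site = $parts -join '.'

                if ($Filter -and $site -notlike "*$Filter*") { continue }

                [pscustomobject]@{
                    Hive     = $key.Name.Split('\')[0]
                    Site     = $site
                    Protocol = $name
                }
            }
        }
    }
}

# Show everything in the Trusted Sites zone; review any entry you did not add yourself.
Get-TrustedSite | Sort-Object Site | Format-Table -AutoSize
```

Run it before and after installing software to see which entries an installer added. Entries pushed by Group Policy live under a separate Policies key and are not covered here.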

Wednesday, September 22, 2004

Chest pains

Fortunately not mine. My good friend RM was in for an angiogram today, so GH and I went up to be with him and lend support for SM and family. Things went well. One site that was 100% blocked had rerouted itself and one known blockage area wasn't blocked at all anymore. So whatever the ailment is, we have yet to discover the source of the chest pain, fainting spells and general malaise RM is suffering. He is in my prayers.

Afterward, I had ASH over for a DVD viewing. We watched Ronin. Awesome movie, one of my favorites for sure. ASH had to get to work and had a bit to drive to get there so as soon as the movie was over he woke me up from my rather pleasant slumber and hit the road.

Shortly after ASH and I had said fare-thee-well and such, I get a phone call from CMP. In the hospital with chest pain. A co-worker had driven her from work to the hospital, so her car was still at work. The doctor didn't think it was cardiac related pain but ran some tests anyway. Things came back confirming his guess, and treating CMP with an oral medication for pain and inflammation immediately solved the problem. He commented that it may still be related to a cardiac problem so a stress test was ordered for some time next week. This is something CMP does not want to do, mostly because nobody likes them. I will be pressuring her to follow through with the doctor's orders.

Big day tomorrow. Many contractors and crews coming over to do various things to the place. Some of it is long over-due and some of it is just to beautify something that has long been a detracting feature of the property. Going to be a circus around here.

Monday, September 20, 2004

Frozen Bubble - Java port

Users of KDE love the little game that comes with their desktop environment. It's fun and very simple, and remains challenging and interesting. Someone has taken the time to make a Frozen Bubble - Java port, which means you will be able to play on your Windows machine, provided you have installed the Java Runtime Environment.

Thursday, September 09, 2004

Recover SAM file for XP password success

After much toying with various flavors of Linux, I have finally done what I set out to do. This was not as easy as I was told it was going to be and really, no one seems interested in helping you recover and crack XP/NT passwords. All but two of the tools I'm using are freely available, but I'm told it can be done with free tools only.

Tools required for my efforts:
  1. A target machine. This computer is running an NT based OS like Windows NT, XP, 2000, Server 2003 and I don't know if Windows ME works this way but... if it has Windows ME on it, chances are the user is too stupid to use a password. The local machine passwords are encrypted into hashes stored in a file called SAM (System Access Manager or some such bullshit... who cares?). The SAM file is protected by Windows and you will not be able to access or copy the file while Windows is running. So we need to find a way to access the files of a Windows system without running Windows, so the SAM file is not protected, and we can see the hash values stored in it.
  2. Knoppix Live Linux (info in English), a "live distro" of the Linux operating system. Live means that it has been designed to boot from a CD, no installing or configuring, and that is what I wanted. I used version 3.6 (8-16-2004). I don't know but the absolute basic functions of Linux and despite a lot of reading I don't hold much hope of ever figuring this shit out. Knoppix auto detects hardware, and does it very well. Good enough that you should be able to get it to see the hardware on the target.
  3. USB Thumb drive. In this case I am using a 512 MB SanDisk Cruzer Mini. Major over-kill in capacity but I didn't buy the thing for this task, it's quite useful for doing other things too. I suppose you could use a floppy but I haven't tried, and I further suppose that you could have a server out on the net to upload things to, but that assumes you have a network connection or are able to establish one from Linux on the target machine. I'd rather not attempt it. I will however say that my target had a cable connection and Knoppix saw it and let me get on the net, no problem. As you know, USB drives aren't free and so that is the first of the not free items.
  4. LC5 (L0pht Crack) is the tool I am using to crack the passwords from the recovered SAM file. This program is not free but does have a free trial which is crippled and time limited.
  5. Although not required, it is desirable to have a separate Windows machine to run LC5 on. You can, provided you have an accessible account, install LC5 on the target machine and crack the recovered SAM file. Please note however that not even the venerable L0pht Crack will be able to access the SAM while Windows is running so, you will still have to recover it with Linux.

The most challenging part of this project was getting a copy of the SAM file. I know the Linux nerds are all busting a gut over this one. It was not easy. I wasn't able to find a single website that had instructions on how to do this. Well, I take that back... a great many web sites have information on this subject. None of those websites tell you much beyond the theory and explain the arguments for some of the commands, and if possible caveats you might encounter.

Guess what? That shit doesn't help anyone but fucking Linux nerds. I don't know what Grub is and I don't give a shit. I don't know why Linux doesn't access NTFS volumes without some modification and really, I could give a shit HOW you change that... I just want it changed. So here comes Knoppix. Support for NTFS, and that's not even the best part. It mounts the volumes for you, and puts up a nice little desktop icon for all the drives. That's right... DESKTOP! Knoppix comes with KDE, which is a GUI like Windows. So with KDE you get "windows" style navigation and the familiar look/feel of a GUI is pulled off very well. It also has USB support and mounts the USB drive for you, with desktop icon.

Here's what to do to recover the SAM:
  • Burn Knoppix onto a CD from the ISO you downloaded, pack it up along with your thumb drive and gain physical access to the target system.
  • Plug the USB thumb drive into the target system.
  • Start the target system and get into the BIOS setup utility to make sure the system will boot from the CD-ROM drive first.
  • Boot the system with the Knoppix CD in the drive and it should boot into the Knoppix bootloader; just type knoppix at the boot: prompt.
  • Be patient, this may take some time, produce screen flickers and pops and such from the speakers. Hardware detection, ya know?
  • Once you get to the KDE desktop you need to open up the hard disk that's labeled hda1 and navigate to windows/System32/Config/ where you will find a file named SAM, with no extension. This is the one we want. Right click on it and choose copy.
  • Close the window for hda1 and right click on the icon for sda1, the thumb drive. Choose toggle read/writable. KDE will ask if you're sure you want to do this, you do want to make the drive writable.
  • Open the drive labeled sda1, right click and choose paste.
  • Click that K icon where the start menu should be and choose log out, then choose end session.
  • Knoppix does its thing, ejects the CD, you take it and close the drive, hit enter... go home.

You now have the SAM file from the target machine on your thumb drive and using LC5 you can crack the passwords of the accounts on that system. Cool, huh?