Search This Blog

Sunday, October 30, 2011

Warhammer 40K Windows 7 Theme

I went around looking for a Warhammer 40k theme and found one, but the site is installing all sort of spyware when downloading the theme. So, I manage to just rip out the theme in a VMWare and I uploaded it myself for you to take it as it is. Just all the desktop wallpaper, in 30 mins interval.

Download:
http://www.fileserve.com/file/pVhAZxa/W40K-SM.themepack

Here are some preview:




Region Free for Philips Immersive Sound Home theater HTS3560 Blu-ray

At Home screen, type on your remote: 13893108520 

This will display all of the current settings for your player.
Region_Code: DVD(X) BD(A)

This will not change any settings, but will report your current settings. So it's a reporting function only. 
If your X is 0, its already region free.

To change your DVD region settings try the following:

Turn on player with no disk inserted
Press "Home" on the remote control
Press and hold "stop" on the remote control, until you see the eject on the display
Press 259 on the remote control
After enter the code 13893108520 again on the HOME Screen and the player will show Region_Code: DVD(0) BD(A)

Now the buttons on the front of the player do not work anymore....

You will need to go to SETUP and click on RESET FACTORY SETTINGS....
Wait until the player restarts and now you can play all DVD regions

Hacking the company's laptop PART 2


In the previous articles, I mentioned how easy it was for me to obtain my administrator’s right simply by social engineering the IT support department. However, that doesn’t not solve ALL the problems we have. It is good to have a laptop with an additional local admin account, but it is not enough to simply have that. There are still other helpless laptops out there. Ultimately, what I wanted was the admin account so that I can help them out too.

While I have my admin rights, it’s easy and simple to just change the password of the admin account to whatever I like, but that’s not my aim. I also realized that in order to push my hacking tools onto the laptop to extract the password hash, I will probably have to disable or uninstall the antivirus system because it is basically blocking and deleting my software whenever I copy it in.

Touching the antivirus is probably not where I want to go. Basically, messing with the antivirus may trigger some audit alarms which will not look nice on me. Secondly, I may not be able to properly uninstall or install the antivirus back because it may have a secondary password or some required files for the group policy. Enterprise level antivirus usually has all these additional stuffs. Destroying the antivirus will be a last resort for me.

Just to recall in the first article, the hard disk has a disk based encryption and that is why I am unable to use a boot disk or boot CD to extract the password hash.  In short, I am pretty screw if I continue in this path to try to extract the password hash. In a separate thread, I did manage to break one of these systems using a floppy boot up, but that’s another story. I had another thought. That is to install the system console and boot that up. But the chances that I will be able to run or do anything else in that restricted shell is quite close to none. So, what will be better than the password hash? Answer : The password itself.

So, how can one get the password? Let’s backtrack this a bit. How does the IT department upgrade and change all our passwords? Typically if you work smart, you will either push it down a GPO or use some sort of batch processing, maybe even SMS or WUSS. Now, being such a huge enterprise, I would guess they would use at least one of these. I strike GPO off because the admin account is a local account. So, what I will do is to find out how they changed the password (in batch).

I do not know why, but my IT department like to leave a link to their software repository around on their desktop. I guess that’s probably the root of corporate piracy if any happens here. In any case, this is the place I would start. Looking through the folders, I basically had gone through these times to times for other reasons, so pretty much know which are the new stuffs, or simply just sort them by date. Then from the new folders, I found another link to another server which contains the new software sets for this upgrade. Now, this will contains the binaries for the antivirus. I almost thought that I would reconsider breaking the antivirus and reinstalling it back using these binaries. Until I saw a very obvious file in the root directory.  It sound like jackpot. In fact, there is even a file call “ChangePasswordforXXX.exe” lying around there for the picking. Bingo.

So, this is a exe file. I would like to break it apart using IDA Pro or other debugger, but just throwing at a long shot, I thought I would start with a text editor instead. Based on my experience, most people do not encrypt or even obfuscate their binary. I had been able to break many applications and website basically because the binaries is not protected. Again, this enables me to accomplish what I did. By looking through the binary file, I notice this is a simple WISE installation binary. Yes, actually I already knew that when I saw the icon. They did not even bothered to change it. WISE has tendency to leave some of the configuration in clear text even when it is compiled into a binary. That is the reason why I saw the things I saw without even the use of a debugger. Somewhere in the file, I saw the password I was looking for. In fact, I did not even really take a look at the file, I simple do a search for “password” and I am brought to that offset in the file.
The password was long, complex and consists of alphanumeric with upper and lower case and symbols. But it is just another password hacked by me today.

As an added bonus, I even got hold of an additional password in the file just right below it. It is the encryption password for the harddisk. I haven’t figured out how I could use it, but I guess it will probably be useful, someday.


Hacking the company's laptop PART 1


This articles talks about hacking and other activities which may seems to be illegal and will certainly get you into trouble if you are caught doing it. I would advise you read it as a form of entertainment and treat it as entirely fiction without any truth in it. Ok, let’s set this imaginary environment.

WE all had laptops for a long, long time that I did not even remember the days where laptop did not exist. Due to special considerations, my department had always had the privilege of admin rights on our laptop due to the work we do. We are required to install software, run privilege tasks etc on a daily basis. We never imagine the day that this would end. We never had the problem of facing this. Until now.

Due to new firm requirement, we are required to upgrade to a new version of the laptop OS with some enhancements as well as a new set of software for our work. This time, the top management came down on us hard and decided that we should not have administrative rights to the corporate laptop because we are supposed to perform our privileged task on another laptop. Ok, let’s leave that out of our story. The fact that we may be caught out in the field for weeks, it does not seems logical that we do not have access to our email and other corporate information systems. Therefore, we NEED to have administrative rights to the laptop. SOMEHOW.

Let’s pause for a minute if you feel that we need to discuss the moral and legal issue here. Like I said, its an imaginary environment. By all rights of standard, we should never have to ask for any thing and everything is given. However, this does not actually happen in the real world or for that matters, this imaginary world of our. So, someone needs to be the hero. Someone need to break some rules. Someone will have to do it. Yes, I know, that would be me.

Ok, lets come back to the story. So, many of us find that we cannot even insert a thumbdrive (oops, sorry, flashdrive) without triggering an administrative prompt. Life has been hell since the upgrade and it seems like the end of days is just about to begin. Unknown to most, a few of us are already beginning to work on this “problem”. The intention is just to be able to have enough rights to perform some of our installations etc without having to tear the laptop apart. Of course, in the process, we would not want to trigger any alert or alarms as well. Hackers get caught. Good hackers DON’T get caught.

So, we narrowed down our options. One of the endgame objectives would no doubt be the administrative rights. A more direct answer would be the administrator password. And inside our laptop, there is the local administrator account, which is used by the IT support department to roll out updates and perform installation on our laptop. This seems like the very object we want.

Usually before I go about the hard way, I try the easy way. In fact, the easy way usually works. I tried a few passwords. No luck. In fact, I was very caution to ensure that password lockout was not enable on this account. For very obvious reasons, if this account is lockout, it will be difficult to recover the system. I always wonder if this is the reason why everyone wants to attack the admin account, beside than knowing it has the rights of god on the machine. So, it does not use a simple password.

Another very direct way to recover a system is to wipe the password. This is more effective than you can imagine. I had broken tons of laptop whose owner does not want me to enter their system by simply rebooting into my boot CD and wiping off the administrator password. However, we have a problem here. This system is protected by a disk based encryption. When we boot up from a foreign OS, the encrypted partition simple will not mount. In fact, this was one problem I was dying to crack. Anyway, wiping the password is not the way to go.

Another approach is to extract the password hash. We all heard of rainbow tables and LCP. I guess this would be easy. I had extracted lots of passwords hashes in the past using PWDump or FGDump. One obstacle lies ahead. Antivirus. The antivirus is switch on to the maximum mode which simply detect and delete anything and everything it feels is dangerous. This includes some of our tools which we use for work as well. Nasty. The question is : Do I want to break the antivirus as well? Antivirus firm has spend millions on R&D to ensure their solution works and works well in a corporate environment. I am sure they had figured out that someone will want to disabled or uninstall their product in the corporate. Secondly, I also do not want to trigger some alarm if I had my antivirus off.  

Wednesday, October 26, 2011

I am trying out a new look and feel for my blog. Its been a long while since my previous theme and I thought I should give it a change. Let me know what you think!

Breaking Deep Freeze 6

I had came across Faronics Deep Freeze and despite what they claim on their website, it is not as secure as it seems which I will show later in this post.

First, some links to the official product:
http://www.faronics.com/enterprise/deep-freeze

And before I do on, read about the Unfreezer which written by Blackhat Emiliano Torres.
http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html
He had managed to break Deep Freeze again and again, at least until v5.7. Then there was nothing. Did version 6 onward finally defeated all the hacks? Well, I am going to the answer is NO. In fact, it just got simpler!

Before I go about talking about hacking Deep Freeze, let me show talk about the critical flaw in the design which can cause some totally disastrous situations which is irrecoverable.

Lets imagine for a moment that you suspect there are malware in the system and the malware is going to clean it up at the next reboot. But hell, you have no idea there was a schedule scan at reboot and you freeze your system drive. What is going to happen? It will boot up and scan the HDD and then maybe it will find the malware and remove it, but it doesn't matter because its frozen. And at the end of the scan, the anti malware would reboot to make sure you boot up clean and good. And then it will reboot, and because the flag for "I have already scanned" is actually not save, it would scan again. Infinite loop. So totally screwed aren't we.

Similarly, if you have a really good defrag program like PerfectDisk or similar product which allows your to perform a boot time defrag for your system files, you can imagine it will be the similar case above. Defrag and it will try to set flag and reboot, but it will not change the flag and it will loop forever.

And now this is the part which I talk about the flaw. YOU CANNOT UNFREEZE UNLESS YOU CAN BOOT INTO WINDOWS!!!! So, there is no way out even if you have the password, the admin access and the physical. OK, let me take it back, you can if you read on. But otherwise, its great format time and a good round of curse and swearing at Deep Freeze.

Now, you will notice I had talked about the flag in the above case. That is the same principle we are going to use to break Deep Freeze. Let's take a look at some of those boot up files which are in Windows system and main directory:



  • DepFrzLo.sys (kernel driver)
  • DepFrzHi.sys (filesystem driver)
  • dfserv.exe (service)
  • frzstate.exe (password dialog)
  • persis00.sys (password file and “on/off switch”)



If you are sharp, you would already know how I would do it. During one of the penetration test, I was asked if I have and do-not-have physical access, how would I do it. So, lets tackle the have physical access first because its definitely easier.

You can go ahead and delete the filesystem driver, which does not work. The trick actually lies in the persis00.sys or persis0.sys depending on which version. What you will need is the trial version at least and install it on another system with a known password since you install it. Then boot it up and unfreeze the drive and shut down. Copy out the file. I will advise using a WinPE based boot up vie a LiveCD or Mini-XP to read the file out.

What you need to do next is to plant and replace the locked file in the target drive. Using the same method, boot up your LiveCD and mount the drive. Then just replace the file. YES, its that simple. Nothing prevents you from doing anything at all from the LiveCD. Make you feel pretty stupid paying so much for this piece of software don't it?

Anyway, after the file had been replaced, boot it up and its unfreeze. Uninstall it, reinstall it, do whatever you want. And remember to get the flag for your anti malware or defrag software set before getting stuck again in another infinite loop. But what the hell, as long as you keep your unfrozen persis00.sys handy, break it is only limited to how fast your LiveCD can boot up.

So, what if I have no physical access? OK, this part is concept only, since I did not completely test it. Deep Freeze does not protect the boot MBR if you bypass the mass IRP hooking using another driver. OK, you will look at me and give me the WTF look. Yes, Deep Freeze uses rootkit technology obviously. Their IRP hook however could be bypassed. One such tool is MBRKit. With that in, all you need to do it to redirect the boot up somewhere else. For example, another mini-Linux with Samba image. Then put in the boot up script into the boot image to replace the file persis00.sys and of course do remember to set the boot back to normal once it had successfully done so. So does that sound far fetch. Of course NOT. But it has man risk which may cause the system to hang up etc, so extensive testing is required to create such an attack. Of course, I think I just gave the concept design for a Deep Freeze attack rootkit.

So, Deep Freeze is totally crap. No, obviously not. It just had its flaw. Is there a way to prevent this attack. Yes. Consider full disk encryption. And NO. Even with a full disk encryption, there is an unencrypted partition and that could be attacked. Unless its pure hardware based implementation.

I hope this very long article is help to give you some insight on Deep Freeze. While this exposed on way to overcome it, it can prove to be helpful in life and death situation such as the one above. I hope Deep Freeze give this more thought rather than the "We will think about it" when they got hacked by Emiliano Torres.

Download the workable Anti Deep Freeze Rootkit here:
HAHA, sorry no download! :P

The mysterious LGA1944

While surfing on Asus support website (http://support.asus.com), I notice there are 2 new categories of motherboard listed. They are the LGA2011 and the LGA1944. I know whats LGA2011. That's the supposed motherboard which will house the X79 chipset coming in at Nov 2011. But what is socket LGA1944? Could the industry been keeping so quiet about a secret socket that nobody had heard about so far?

I did some research and found out that the LGA1944 could be the socket to support the G34 chipset from AMD. So here we have it. There is no secret socket and neither is it for Ivory Bridge...

Amazon Gift Cards!

Thanks for viewing!

Copyright © 2008 nemesisv.blogspot.com, All rights reserved.