Thursday, November 17, 2011

Enable God Mode on Windows 8

Windows 8 God Mode is a secret interface implemented by Microsoft that gives the user complete control over the Windows 8 OS.

In a nutshell, Windows 8 God Mode is a plain folder that brings control of the entire operating system's settings together under a single desktop icon.

Unlocking Windows 8 God Mode

The beauty of this feature is that it is incredibly easy to unlock, and if you do not like it, the icon can simply be dragged into the Recycle Bin to remove it. Please keep in mind that this is not third-party software; nothing needs to be downloaded or installed.

1. Right-click anywhere on the desktop and create a new folder.

2. Rename the new folder to “GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}” (copy and paste everything except the quotation marks).

3. That’s it! A new folder titled “GodMode” will be on the desktop and double-clicking will activate it.

The screenshot shows what it looks like. Isn't this awesome :)

[Screenshot: windows-8-unlock-feature]



Monday, November 14, 2011

Booting Windows Server 8 from a VHD

Some of you may have heard of dual booting on a single machine. Did you know you can do the same with a virtual hard drive? The beauty of a VHD is that when you are done with it, you just delete it and make a new one.

A fixed-size VHD also performs well, and booting from it does not require Hyper-V. Here I am going to explain the steps; there are just 4 of them. Download the Windows Server 8 Preview from the Windows Server 8 Preview download page and start testing it out yourself.

Step 1 : Create Virtual Hard Drive by using diskpart.

  1. diskpart
  2. create vdisk file="e:\winsrv8devprev.vhd" maximum=20000 type=FIXED
  3. select vdisk file="e:\winsrv8devprev.vhd"
  4. attach vdisk
  5. create partition primary
  6. assign letter=W
  7. format quick fs=ntfs label=WINSRV8DEVPREV
  8. exit 

Step 2 : Preparation for installation.

  1. Create the folder e:\vhd on drive E.
  2. Copy install.wim from the installation media (\sources\install.wim) to e:\vhd.
  3. Download the PowerShell script from http://archive.msdn.microsoft.com/InstallWindowsImage/Release/ProjectReleases.aspx?ReleaseId=2662
  4. After completing steps 1 and 2, proceed with either step 3.1 or step 3.2. My preferred option is PowerShell.

Step 3.1 : Installing WIM Image to VHD (powershell)

  1. Open cmd and cd to e:\vhd
  2. Run powershell, then run set-executionpolicy unrestricted so that the downloaded script is allowed to run (this lifts the script restriction for all scripts, so set it back when you are done).
  3. .\install-windowsimage.ps1 -WIM install.wim (without -Apply the script lists the images inside the WIM so you can pick the index)
  4. .\install-windowsimage.ps1 -WIM install.wim -Apply -index 1 -Destination w:

Step 3.2 : Installing WIM Image to VHD (imagex)

  1. Open cmd and cd to e:\vhd
  2. Run the following command to apply the image copied in step 2: imagex /apply e:\vhd\install.wim 1 w:

Now we are good to move on: the virtual hard drive setup is complete and we are ready to configure the VHD to boot without Hyper-V. The next step gives you two easy options for making the virtual hard drive bootable; each shows you what is required.


Step 4.1 : Configure vhd boot (1 step)

  1. bcdboot w:\windows

Step 4.2 : Configure vhd boot (4 steps)

  1. bcdedit /copy {current} /d "Windows 8 Preview"
  2. bcdedit /set {guid} device vhd=[d:]\vhd\windows8.vhd
  3. bcdedit /set {guid} osdevice vhd=[d:]\vhd\windows8.vhd
  4. bcdedit /set {guid} detecthal on

Replace {guid} with the identifier that the /copy command prints for the new entry; the drive letter in the vhd= path goes in square brackets. If you can't find the GUID, the screenshot below shows where to look for it; bcdedit /enum lists it as the identifier.

[Screenshot: guid-identifier-windows-7-bcdedit]
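As an added example (my script, not the author's), here is a PowerShell script that drives steps 1, 3 and 4.1 end to end: it feeds the same diskpart commands from a script file, applies the image with the Dism module's Expand-WindowsImage in place of install-windowsimage.ps1 or imagex, and creates the boot entry with bcdboot. The paths, size and drive letter are the post's; it assumes an elevated PowerShell on Windows 8 / Server 8 or later with the Dism module available.

```powershell
# Added example, not the author's script. Automates steps 1, 3 and 4.1 of the post.
# Assumptions: E:\winsrv8devprev.vhd and E:\vhd\install.wim as in the post, drive letter W
# is free, the session is elevated, and the Dism PowerShell module is present.
$VhdPath    = 'E:\winsrv8devprev.vhd'
$VhdSizeMB  = 20000
$Letter     = 'W'
$WimPath    = 'E:\vhd\install.wim'
$ImageIndex = 1

# Step 1: diskpart reads its commands from a script file, one per line (same commands as the post).
$diskpartScript = @"
create vdisk file="$VhdPath" maximum=$VhdSizeMB type=FIXED
select vdisk file="$VhdPath"
attach vdisk
create partition primary
assign letter=$Letter
format quick fs=ntfs label=WINSRV8DEVPREV
"@
$scriptFile = Join-Path $env:TEMP 'make-vhd.txt'
Set-Content -Path $scriptFile -Value $diskpartScript -Encoding ASCII
diskpart /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Step 3: apply the chosen image index from the WIM onto the mounted VHD volume.
Import-Module Dism
Expand-WindowsImage -ImagePath $WimPath -Index $ImageIndex -ApplyPath "${Letter}:\"

# Step 4.1: bcdboot creates the boot entry pointing at the Windows directory on the VHD.
bcdboot "${Letter}:\Windows"
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# Review the new entry (and its identifier) before rebooting.
bcdedit /enum
```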

I am interested in hearing your feedback, so that I can improve my articles and learning resources for you.

Saturday, November 12, 2011

Breaking Windows 8 Authentication

I think all IT users know what Sticky Keys does. If you are not sure, I have a good article about it here. It brings usability benefits to some users, but it can also introduce a vulnerability into Windows if it is not handled properly. The scenario I want to show here is one where the username is unknown and you need access to the Windows machine. There are plenty of tools on the market for this, but did you know that with a certain tweak in Windows you can gain access to cmd and reset the password? sethc.exe is nothing but the Sticky Keys program, which lives in the system32 folder.

The concern I want to raise here is: how many of us are aware of this issue? How many of us validate file integrity on our servers each week?


Steps for Windows XP
Step 1. Go to c:\windows\system32
Step 2. Rename the file sethc.exe to sethc.exe.bak
Step 3. Copy cmd.exe to sethc.exe
Step 4. Now log off and, at the logon screen, press Shift 5 times


Steps for Windows 7, Vista, 8
Step 1. Go to c:\windows\system32
Step 2. Right-click on sethc.exe and run as administrator.
Step 3. Right-click on sethc.exe again and open Properties.
Step 4. Click on the Advanced tab, then on Owner.
Step 5. Click Edit, change the owner from "TrustedInstaller" to "Administrator" and click Apply.
Step 6. Rename the file sethc.exe to sethc.exe.bak
Step 7. Copy cmd.exe to sethc.exe
Step 8. Now log off and, at the logon screen, press Shift 5 times
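To answer the file-integrity question raised above, here is an added example (mine, not the author's) of a PowerShell check for the swap described in the steps: it flags sethc.exe when it is byte-identical to cmd.exe, when its embedded OriginalFilename is not sethc.exe, when its owner is no longer TrustedInstaller, or when the sethc.exe.bak left behind by the rename exists. It assumes an elevated session and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not from the post: integrity check for the Sticky Keys binary.
# Assumes an elevated PowerShell 4+ session; paths come from $env:SystemRoot.
$sys32    = Join-Path $env:SystemRoot 'System32'
$target   = Join-Path $sys32 'sethc.exe'
$cmd      = Join-Path $sys32 'cmd.exe'
$findings = @()

# A copied cmd.exe hashes exactly like the real cmd.exe.
$cmdHash    = (Get-FileHash -Path $cmd    -Algorithm SHA256).Hash
$targetHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
if ($cmdHash -eq $targetHash) {
    $findings += "$target is byte-identical to cmd.exe"
}

# The copy keeps cmd.exe's version resource, so OriginalFilename gives it away.
$origName = (Get-Item $target).VersionInfo.OriginalFilename
if ($origName -ne 'sethc.exe') {
    $findings += "$target reports OriginalFilename '$origName'"
}

# Steps 4-5 above change the owner away from TrustedInstaller; a clean system keeps it.
$owner = (Get-Acl -Path $target).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "$target is owned by '$owner', expected NT SERVICE\TrustedInstaller"
}

# The rename in step 6 leaves the original behind as sethc.exe.bak.
if (Test-Path (Join-Path $sys32 'sethc.exe.bak')) {
    $findings += 'sethc.exe.bak exists next to sethc.exe'
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $target looks untouched"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Windows Resource Protection can confirm and repair the file from the component store.
    sfc "/verifyfile=$target"
}
```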

Here is a sample video of what it looks like. You can also view it on my YouTube channel: http://www.youtube.com/watch?v=Fg913McTRIU

Don't learn to hack... hack to learn!!!!

I am interested in hearing your feedback, so that I can improve my articles and learning resources for you.

Monday, November 7, 2011

Wireless Attack on Microsoft Peap - Part 3 of 3

Just to recap what we configured in the previous session: we installed the Wireless Pwnage Edition (WPE), which provides credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others. That RADIUS configuration is what we need in the next steps.

The next step is configuring the hardware to work with the Wireless Pwnage Edition (WPE) so that we can break wireless PEAP. The wireless devices must be configured to use the RADIUS IP address of the Wireless Pwnage Edition (WPE).

The last step is the most interesting part, where we locate our target. In this demo it is done in a controlled environment where the client authenticates with Active Directory credentials, which the wireless access point forwards to Microsoft IAS for validation.

Now we need to make the client connect to our Wireless Pwnage Edition (WPE) RADIUS so that we can log all the credentials. I will show two examples here, because the logs differ depending on whether the client is a notebook joined to Active Directory or a standalone device such as an iPad or portable computer. Please note that this attack is possible where users are left with the decision to trust or reject a certificate from an unknown certificate authority. An attacker can exploit this deployment weakness by impersonating the target network's AP service set identifier (SSID) and RADIUS server, which I covered in the previous articles on configuring the RADIUS server to log account information and configuring the wireless access point to divert all requests to the Wireless Pwnage Edition (WPE) RADIUS. Once we have the account information, we can crack it offline. I will explain more later.

By now we are ready to test the exploit:
1) Start the RADIUS server: radiusd
2) Watch the log for captured credentials: tail -f /usr/local/var/log/radius/freeradius-server-wpe.log

If you see your username and password captured by the RADIUS server, you have a weak configuration and need to assess whether your password policy is strong enough to mitigate the issue. In my next article I will cover the 4 major steps we need to take to secure the wireless network.
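The deployment weakness described above sits on the client: a PEAP profile that leaves the user to accept an unknown RADIUS certificate. As an added example (mine, not part of the article), this PowerShell script audits the saved Wi-Fi profiles on a Windows client for that setting, exporting each profile with netsh wlan and inspecting its PEAP ServerValidation block; the export folder is a constructed path, and the element names are those of the Windows WLAN profile XML.

```powershell
# Added example, not from the post: audit Windows Wi-Fi profiles for PEAP server validation.
# Assumes permission to run "netsh wlan"; $exportDir is a constructed scratch path.

function Get-ElementText([System.Xml.XmlNode]$node, [string]$localName) {
    # Namespace-agnostic lookup: the PEAP settings live under Microsoft-specific XML namespaces.
    $child = $node.SelectSingleNode("*[local-name()='$localName']")
    if ($child) { $child.InnerText.Trim() } else { '' }
}

function Test-WlanProfileFile([string]$path) {
    [xml]$doc = Get-Content -Path $path -Raw
    $name = $doc.WLANProfile.name
    $sv = $doc.SelectSingleNode("//*[local-name()='ServerValidation']")
    if (-not $sv) {
        return [pscustomobject]@{ Profile = $name; Result = 'no EAP server validation block, skipped' }
    }

    $problems = @()
    # PerformServerValidation=false (PEAP extensions) disables certificate checks entirely.
    $psv = $doc.SelectSingleNode("//*[local-name()='PerformServerValidation']")
    if ($psv -and $psv.InnerText.Trim() -eq 'false') {
        $problems += 'server certificate validation disabled'
    }
    # The prompt is exactly what the attack relies on: the user decides whether to trust the cert.
    if ((Get-ElementText $sv 'DisableUserPromptForServerValidation') -ne 'true') {
        $problems += 'user is prompted to trust unknown server certificates'
    }
    if ((Get-ElementText $sv 'TrustedRootCA') -eq '') {
        $problems += 'no trusted root CA pinned; any CA the machine trusts is accepted'
    }
    if ((Get-ElementText $sv 'ServerNames') -eq '') {
        $problems += 'no RADIUS server name restriction'
    }
    $result = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
    [pscustomobject]@{ Profile = $name; Result = $result }
}

$exportDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
# Without a name, netsh exports every saved profile as one XML file each.
netsh wlan export profile "folder=$exportDir" | Out-Null
Get-ChildItem -Path $exportDir -Filter '*.xml' |
    ForEach-Object { Test-WlanProfileFile $_.FullName } |
    Format-Table -AutoSize
```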

In the samples below I have screen-captured two runs: one device is joined to Active Directory and the other is standalone (an iPad in this lab). For this lab, the password was added to the dictionary to show how it works.

Sample 1 : Attacking an iPad

[Screenshot: wireless peap attack on ipad]

[Screenshot: wireless peap attack on ipad using asleap]

If you look carefully, the username is captured as ckwong and we can see the challenge and response captured by our RADIUS server. The next step is to crack the password. As the result shows, we can break the password if it is in our wordlist.

Sample 2 : Attacking a machine that is joined to Active Directory

[Screenshot: wireless peap attack on active directory client]

[Screenshot: wireless peap attack on active directory client using asleap]

The attempt on a machine joined to Active Directory is the same. The username is captured as ckwong and we can see the challenge and response captured by our RADIUS server. The next step is to crack the password. As you can see, we can't break it; it ends with the error "Could not recover last 2 bytes of hash from the challenge/response". This happens because of the difference between the two attempts: the second one contains domain information.

I am interested in hearing your feedback, so that I can improve my articles and learning resources for you.

Related Article:
3) Breaking the wireless security

Tuesday, November 1, 2011

Wireless Attack on Microsoft Peap - Part 2 of 3

Wireless Hardware Requirement

Now that you have configured the Wireless Pwnage Edition (WPE), you also need another hardware component: the wireless device. It must support WPA-Enterprise, and such devices are easy to find in the market today. In the next step you configure the wireless device's RADIUS IP to point at your FreeRADIUS, and you also need to key in the password as shown below.

[Screenshot: Hardware Configuration for Wireless Peap Attack]

Hardware checklist preparation

1) Make sure your wireless hardware device supports WPA-Enterprise.
2) Configure the RADIUS server IP in the wireless device.
3) Configure the RADIUS server shared secret, which is test. This is the default password for the Wireless Pwnage Edition (WPE).
4) On the wireless network device, configure the same broadcast ESSID (Extended Service Set Identification) as the target network.

I am interested in hearing your feedback, so that I can improve my articles and learning resources for you.

Related Article:
3) Breaking the wireless security