Archive for the ‘Windows’ Category

How to disable Data Execution Prevention (DEP)

Sunday, July 26th, 2009

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

http://support.microsoft.com/kb/875352

There may come a time when you have to disable DEP, for example to troubleshoot a problem. Bear in mind what you give up: DEP is the mitigation that stops code placed on the stack or heap from executing, so with /noexecute=AlwaysOff an exploit that gains control of a process can run its payload straight from a data page. Treat a system-wide switch-off as a temporary, troubleshooting-only change, and prefer exempting a single program with the OptOut setting described below whenever that is enough.

Disable Data Execution Prevention (DEP)

  1. Right click on My Computer and Select Properties.
  2. Click the Advanced tab, and in the Startup and Recovery section, click the Settings button.
  3. In the System Startup section, click the Edit button.
  4. Now find the text that says /noexecute=OptIn.
  5. You need to replace OptIn (which is the default) with AlwaysOff.
  6. Be sure to enter this text carefully and exactly as shown. A mistyped switch could prevent your computer from booting.

     Your boot.ini file should read: /noexecute=AlwaysOff

  7. Click File and then click Save.
  8. Click OK to close Startup and Recovery window.
  9. Click OK to close the System Properties window.
  10. Restart your computer.

This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support.
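As an added example that is not part of the original post, the following Python script does steps 4 to 6 programmatically: it reads the /noexecute switch from every entry in the [operating systems] section of a boot.ini and rewrites it, but refuses any value other than the four Windows accepts, so the mistyped-switch failure the post warns about cannot happen. The boot.ini contents are constructed for the demo; run it against a copy before replacing the real file (normally C:\boot.ini, hidden and read-only).

```python
"""Added example (not code from the original post): read and change the
/noexecute DEP switch in a boot.ini without hand-editing it.

It returns the policy of every entry in the [operating systems] section and
can rewrite the switch, but only to one of the four values Windows accepts
(OptIn, OptOut, AlwaysOn, AlwaysOff). Anything else is rejected, because a
mistyped switch can leave the machine unbootable. SAMPLE_BOOT_INI is a
constructed file used for the demonstration.
"""
import re
from typing import Dict, Optional

# canonical spelling for each accepted value, keyed by lower-case form
POLICIES = {"optin": "OptIn", "optout": "OptOut",
            "alwayson": "AlwaysOn", "alwaysoff": "AlwaysOff"}
_SWITCH = re.compile(r"/noexecute=(\S+)", re.IGNORECASE)

SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptIn /fastdetect
"""


def dep_policies(boot_ini: str) -> Dict[str, Optional[str]]:
    """Map each OS entry's quoted label to its /noexecute value.

    Recognised values come back in canonical spelling, an unrecognised value
    is returned as written (so it can be flagged), and None means the switch
    is absent, which Windows treats as the OptIn default.
    """
    result: Dict[str, Optional[str]] = {}
    in_os_section = False
    for line in boot_ini.splitlines():
        stripped = line.strip()
        if stripped.lower() == "[operating systems]":
            in_os_section = True
            continue
        if stripped.startswith("["):
            in_os_section = False
        if not in_os_section or "=" not in stripped:
            continue
        label = re.search(r'"([^"]*)"', stripped)
        name = label.group(1) if label else stripped.split("=", 1)[0]
        match = _SWITCH.search(stripped)
        if match is None:
            result[name] = None
        else:
            value = match.group(1)
            result[name] = POLICIES.get(value.lower(), value)
    return result


def set_dep_policy(boot_ini: str, policy: str) -> str:
    """Return boot_ini with every /noexecute switch set to `policy`.

    Raises ValueError for an unknown policy name or if no switch is present,
    so nothing is ever written that the boot loader might reject.
    """
    canonical = POLICIES.get(policy.lower())
    if canonical is None:
        raise ValueError(f"refusing to write unknown DEP policy {policy!r}")
    new_text, count = _SWITCH.subn(f"/noexecute={canonical}", boot_ini)
    if count == 0:
        raise ValueError("no /noexecute switch found; nothing changed")
    return new_text


if __name__ == "__main__":
    print(dep_policies(SAMPLE_BOOT_INI))                 # {'Microsoft Windows XP Professional': 'OptIn'}
    print(set_dep_policy(SAMPLE_BOOT_INI, "AlwaysOff"))  # same file with /noexecute=AlwaysOff
```

Re-enabling DEP is the same call with "OptIn" (or "OptOut"/"AlwaysOn" if you want the stricter coverage described in the table further down).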

Verifying DEP is Disabled

  1. Right click on My Computer and select Properties.
  2. Click the Advanced tab.
  3. In the Performance section, click the Settings button and then click Data Execution Prevention tab.
  4. None of the DEP settings should be available.  Click OK to close Performance Settings window.
  5. Click OK to close System Properties window.

DEP is now completely disabled. If you want to enable it again, follow this guide but instead of replacing OptIn with AlwaysOff, replace AlwaysOff with OptIn (the default).

The four /noexecute values:

OptIn: This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that “opt in.” With this option, only Windows system binaries are covered by DEP by default.

OptOut: DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. IT professionals can use the Application Compatibility Toolkit to “opt out” one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect.

AlwaysOn: This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted out by using the Application Compatibility Toolkit run with DEP applied.

AlwaysOff: This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the Boot.ini file.

Shutdown and Restarting Windows via Command line

Thursday, June 18th, 2009

Start -> Run:

Shutdown

The options available for shutdown are:

No arguments : Display this message (same as -?)
-i : Display GUI interface, must be the first option
-l : Log off (cannot be used with -m option)
-s : Shutdown the computer
-r : Shutdown and restart the computer
-a : Abort a system shutdown
-m \\computername : Remote computer to shutdown/restart/abort
-t xx : Set timeout for shutdown to xx seconds
-c “comment” : Shutdown comment (maximum of 127 characters)
-f : Forces running applications to close without warning
-d [u][p]:xx:yy : The reason code for the shutdown


Microsoft Server 2003 Loopback Check can break SSO

Wednesday, April 29th, 2009

Windows Server 2003 SP1 can break single sign-on (SSO) to sites hosted on the server itself. SP1 introduced a loopback check, a security feature designed to prevent reflection attacks, under which an authentication attempt from the local machine back to itself is refused when the name used to reach the site (the FQDN, Fully Qualified Domain Name, or a custom host header) does not match the local computer name.

The error presents itself as an “HTTP 401.1 Unauthorized: Logon Failed”.

In the event log you may also see strange characters in the Logon Process field.

Resolution:

There are two methods to resolve this issue and both involve modifying the registry.
If you are uncomfortable with modifying the registry then follow Microsoft’s registry backup and restore procedure.
http://support.microsoft.com/kb/322756/

Method 1: Specify host names
Note: We recommend this method. It allow-lists only the names you specify and leaves the reflection protection in place for everything else.

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  7. Quit Registry Editor, and then restart the IISAdmin service.

Method 2: Disable the loopback check
This switches the protection off for every name on the server, not just your site, so use it only when Method 1 is not possible. Follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart your computer.

You can also avoid the issue without touching the registry: make the website’s FQDN match the server’s FQDN. Once they match, the loopback check passes.
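As an added example, not from the original post and not Microsoft’s code, the Python script below writes either fix as a .reg file that can be reviewed and then applied with `reg import`, instead of typing values into Regedit. Method 1 needs a REG_MULTI_SZ, which a .reg file stores as hex(7): the UTF-16LE bytes of each string, each followed by a NUL, with one more NUL closing the list. A wrong encoding produces a value that never matches any request, so the encoder is paired with a decoder to check the round trip. The host names are constructed.

```python
"""Added example (not from the original post, not Microsoft's code): write
either registry fix as a .reg file that can be reviewed and then applied with
`reg import`, instead of typing values into Regedit.

Method 1 needs a REG_MULTI_SZ. In a .reg file that is stored as hex(7): the
UTF-16LE bytes of each string, each followed by a NUL, with one more NUL
closing the list. A wrong encoding produces a value that never matches, so the
encoder is paired with a decoder to check the round trip. Host names below are
constructed.
"""
from typing import List

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
HEADER = "Windows Registry Editor Version 5.00\r\n\r\n"


def encode_multi_sz(names: List[str]) -> str:
    """REG_MULTI_SZ as the comma-separated hex byte list used after hex(7):."""
    if any(not n or "\x00" in n for n in names):
        raise ValueError("empty names or embedded NULs would truncate the list")
    raw = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names) + b"\x00\x00"
    return ",".join(f"{byte:02x}" for byte in raw)


def decode_multi_sz(hex_list: str) -> List[str]:
    """Inverse of encode_multi_sz; use it to confirm what will be imported."""
    raw = bytes(int(h, 16) for h in hex_list.split(","))
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def back_connection_reg(names: List[str]) -> str:
    """Method 1 (recommended): allow-list only the local site names."""
    if not names:
        raise ValueError("Method 1 needs at least one host name")
    return (HEADER
            + f"[{LSA_KEY}\\MSV1_0]\r\n"
            + f'"BackConnectionHostNames"=hex(7):{encode_multi_sz(names)}\r\n')


def disable_loopback_reg() -> str:
    """Method 2: turn the reflection-attack protection off for every name."""
    return HEADER + f"[{LSA_KEY}]\r\n" + '"DisableLoopbackCheck"=dword:00000001\r\n'


if __name__ == "__main__":
    # constructed names; save the output as loopback.reg and apply with: reg import loopback.reg
    print(back_connection_reg(["intranet.contoso.com", "intranet"]))
```

Regedit wraps long hex(7) lines with a trailing backslash when it exports; a single unwrapped line imports fine. Restart the IISAdmin service after importing the Method 1 file, as in step 7 above.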

Further Reading:
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
http://support.microsoft.com/kb/896861
Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: “Access denied” or “No network provider accepted the given network path”
http://support.microsoft.com/kb/926642/


View System Uptime

Tuesday, November 18th, 2008

1) Open the Command Prompt (located under Accessories)

2) Type systeminfo

3) Once the system has finished gathering the information, scroll up and the time is displayed in the System Up Time field.

As you can see, running systeminfo also gives a lot of useful information.


You can also use:

net statistics workstation

Look at the top line which should read “Statistics since …”


How can I check or set the password of the IUSR and IWAM local accounts

Friday, November 14th, 2008

First we need to change a setting in adsutil.vbs so that it will display secure metabase properties, such as these passwords, in plain text.

Go to: C:\Inetpub\AdminScripts\
And open adsutil.vbs in notepad or any text editor.

Search and replace: IsSecureProperty = True
With: IsSecureProperty = False

We have now set IsSecureProperty to False, so the script will print the password in plain text. Remember to set it back to True when you are finished: while it is False, the script reveals every secure property in the metabase in clear text.

To get the IUSR password:
Start up command prompt (Start -> run -> cmd)
C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/anonymoususerpass

Results should be something like:

anonymoususerpass : (STRING) “:NX^+N49:67j5$”

To get the IWAM password:
Start up command prompt (Start -> run -> cmd)
C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/wamuserpass

Changing the IUSR or IWAM password:
Instead of running a ‘get’ command we run a ‘set’ command with the new password. Below is an example of how to set the password for the IUSR account; “P@ssword” is only a placeholder, use a long random password on a real server.
C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/anonymoususerpass “P@ssword”

Sync passwords between IIS and MTS:
Last but not least we need to sync the passwords, so that the COM+ applications running under IWAM pick up the new value. Simply run the following line and you’re all set:
C:\Inetpub\AdminScripts>cscript.exe synciwam.vbs -v


Windows Password Cracking with Backtrack

Sunday, October 26th, 2008

Backtrack’s Home: http://www.remote-exploit.org/backtrack.html

Note:
This should only be used for security purposes. It is intended for recovering lost passwords and should be done only by system administrators. This guide only covers how to crack these passwords on local systems, and it uses a brute-force method instead of a wordlist. All the commands are case sensitive; if you get a command error, check the case.
Before you begin, make sure your system BIOS is set to boot from CD, in case that has been disabled or the boot order has been changed on your system. Now let's begin:

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

1. Insert Backtrack CD, and reboot system.

2. When the load screen comes up hit enter to boot Backtrack via CD.

3. The default username and password for Backtrack is:
root
toor

4. This will bring you to a command prompt. For this example we are going to work without a network.
Note: We could do everything from this command prompt and skip the GUI, but for ease of use we will load the GUI and a system resource monitor. If you prefer to skip the GUI, go to step 10.

5. To load the GUI interface, type:
xconf - this will configure X Windows
startx - this will start X Windows

6. Once the interface has loaded up, we will want to launch the command line terminal. This is
done by clicking the second box on the lower left menu. It should look like a small black box
with a frame around it.

7. Upon entering the Command Terminal we will launch a resource monitor so we can watch the
resources of this process. We will refer back to this later on. To do this type
leetmode

8. You will now be able to click the top of this monitor and drag it into a location that is best for
you.

9. That will conclude the portion of this guide for the GUI interface. Time to get some dirty work
done. Go back to the Command terminal and the rest of our work will be done here.

10. Determining which drive is the Windows drive:
Type:
df - df is the Unix command for "disk free". It displays the amount of disk space used and available on each mounted file system.
The Windows drive should be hda1 (sda1 on SATA systems), but depending on the system setup this may differ. Look for the drive with the largest size; this is usually the Windows drive. If unsure, type cd /mnt/<drive in question>/ followed by ls and see what the directory contains.

11. Let's move into the live drive (the in-memory drive; we will be working from here later on). Type:
cd /mnt/live/

12. First we extract the boot key with bkhive. Type:
bkhive /mnt/hda1/WINDOWS/system32/config/system /mnt/live/key.txt
This reads the SYSTEM hive and creates a key.txt file for us to use within the live drive. (Newer samdump2 releases read the SYSTEM hive themselves and no longer need this step.)

13. We continue with samdump2. This gives us the hashes of the passwords we want to crack. Type:
samdump2 /mnt/hda1/WINDOWS/system32/config/SAM /mnt/live/key.txt > hashlist.txt
This decrypts the SAM hive, where Windows stores the local account hashes, using the key in key.txt, and saves the result as hashlist.txt.

14. Time to crack the passwords! We will use John the Ripper to brute-force them. Brute force is slow and a wordlist would be much faster, but for this example we use brute force because we know we will get the password with time as the only constraint. Type:
john --format=NT hashlist.txt
john is the program John the Ripper. hashlist.txt is the hash file we saved; we have already moved into the live directory where it lives. --format=NT sets the hash format to NT, i.e. Windows password hashes.

15. Now all you have to do is sit back and watch. As it cracks the passwords they are displayed with the password first and the user name in parentheses.
Enjoy and let me know if you have any questions.
