Friday, July 15, 2016

Check Your Google account activity

It is a good security practice to check your Google Account activity history regularly.

1. Check Gmail login history
  1) Log in to your Gmail mailbox and scroll to the bottom of the page; on the right-hand side there is a “Details” link.
  2) Click “Details”; this opens the Gmail login history.
  3) If someone has logged in to your account from another location, you can click “Sign out all other web sessions” to sign them out.
  4) It is recommended to select the “Show an alert for unusual activity” option.

2. Check recently used devices
  1) Log in to your Google account.
  2) Open (copy & paste) this link: https://security.google.com/settings/security/activity
  3) The page lists the devices that have been active on your account in the last 28 days.

3. Check all activity history, including web browsing
  1) Log in to your Google account.
  2) Open (copy & paste) this link: https://myactivity.google.com/myactivity

Wednesday, June 29, 2016

Extract Cisco VPN group Password from .pcf file

If you have a .pcf file, on Windows it is easy: just copy it into the Cisco VPN client folder. On a MacBook, however, you still need the group password to set up the connection.

In the .pcf file the group password is stored encrypted, so you may want to decrypt the string to recover the clear-text password. Some websites offer to do this online, but you normally do not want to submit this kind of information to a public site.

Kali has a tool that decrypts it locally. Simply enter:

#cisco-decrypt [Encrypted Group Password String]
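An added example (not from the original post) that reads a .pcf profile, flags a cleartext GroupPwd, and hands the enc_GroupPwd string to the local cisco-decrypt binary instead of a website; the sample profile, host name and placeholder value are constructed, and cisco-decrypt is assumed to be on PATH:

```python
"""Read a Cisco VPN client .pcf profile and recover its group password.

Added example, not from the original post: .pcf files are INI-style text
with a [main] section; GroupPwd holds a cleartext group password and
enc_GroupPwd the obfuscated one. Decryption is delegated to the
cisco-decrypt tool the post mentions (assumed to be on PATH). SAMPLE_PCF
is constructed and its enc_GroupPwd value is a placeholder, not real data.
"""
import configparser
import shutil
import subprocess

SAMPLE_PCF = """[main]
Description=Corporate VPN (constructed sample)
Host=vpn.example.com
AuthType=1
GroupName=staff
enc_GroupPwd=PLACEHOLDER_HEX_FROM_YOUR_OWN_PCF
EnableISPConnect=0
"""

def parse_pcf(text):
    """Return the [main] fields needed to set the connection up by hand."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case: GroupPwd vs enc_GroupPwd
    cp.read_string(text)
    main = cp["main"]
    return {"host": main.get("Host", ""),
            "group": main.get("GroupName", ""),
            "group_pwd": main.get("GroupPwd", ""),
            "enc_group_pwd": main.get("enc_GroupPwd", "")}

def findings(profile):
    """Hygiene checks worth running on a profile before it is handed out."""
    out = []
    if profile["group_pwd"]:
        out.append("GroupPwd stored in cleartext")
    if not (profile["group_pwd"] or profile["enc_group_pwd"]):
        out.append("no group password in profile")
    return out

def decrypt_group_password(enc_hex):
    """Decrypt locally with cisco-decrypt; never paste the string into a website."""
    if shutil.which("cisco-decrypt") is None:
        raise RuntimeError("cisco-decrypt not on PATH (Kali: apt install vpnc)")
    proc = subprocess.run(["cisco-decrypt", enc_hex],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()
```

Call `decrypt_group_password(parse_pcf(open("profile.pcf").read())["enc_group_pwd"])` on your own profile; the placeholder in SAMPLE_PCF will not decrypt.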


Saturday, April 23, 2016

Windows Password Audit – Copy ntds.dit


Companies should audit their passwords annually.

The process is normally:

  1. Log on to a domain controller and export ntds.dit, SAM and SYSTEM using a shadow copy.
  2. Extract the hashes from the above files (using NTDSXtract - http://www.ntdsxtract.com/ or the SANS Investigative Forensic Toolkit (SIFT) - http://digital-forensics.sans.org/community/downloads).
  3. Crack the hashes with an offline cracking tool: Cain, ophcrack, etc.

Weak passwords can be defined as follows:

  1. All LM hashes are considered weak.
  2. A password is considered short and weak if its length is less than 8.
  3. A repeated single character, e.g. ‘111111’, ‘aaaaaa’, is considered weak.
  4. Simple patterns, e.g. ‘123456’, ‘abcdefgh’, are considered weak.
  5. Keyboard combination patterns, based on all possible keyboard walks such as ‘qwerty’, ‘qazwsx’, etc.
  6. National keyboard combination patterns: the same as the previous item, but using a national keyboard layout.
  7. User name mutation patterns: passwords based on the user name.
  8. “Freaked” passwords, e.g. ‘pa$$w0rd’, ‘@pp1e’, etc.
  9. Dictionary attack against well-known passwords, e.g. the leaked Facebook, LinkedIn and eHarmony password lists, which can be downloaded from the Internet.
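The nine criteria above as a checker over the cracked (username, password) pairs from step 3, added here as an example rather than taken from the post; the dictionary and the test accounts are constructed, and only the US keyboard layout is covered:

```python
"""Classify cracked passwords against the nine weakness criteria above.

Added example, not from the original post. DICTIONARY and the sample
accounts are constructed; a real audit loads the leaked lists the post
mentions. Criterion 6 (national layouts) is not covered: US walks only.
"""
import string

KEYBOARD_WALKS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",       # rows
                  "qazwsxedcrfvtgbyhnujmikolp")               # column walk
# "Freaked" spellings: common symbol swaps, with both readings of '1'.
LEET_MAPS = (str.maketrans("$0@3457!1", "soaeastil"),
             str.maketrans("$0@3457!1", "soaeastii"))
DICTIONARY = {"password", "welcome", "letmein", "football", "iloveyou",
              "apple", "monkey", "dragon", "sunshine", "summer"}  # constructed
TRAILING = string.digits + string.punctuation

def _bases(password):
    """Lower-case forms, with and without trailing year/symbol, plus de-leeted."""
    low = password.lower()
    raw = {low, low.rstrip(TRAILING)}
    return raw, {r.translate(t) for r in raw for t in LEET_MAPS}

def _is_sequence(pw):
    """Every adjacent pair steps by exactly +1 or -1 ('123456', 'abcdefgh')."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 4 and steps in ({1}, {-1})

def _is_keyboard_walk(pw):
    """Substring of a US keyboard row or column walk, forwards or backwards."""
    low = pw.lower()
    return len(low) >= 4 and any(low in w or low in w[::-1] for w in KEYBOARD_WALKS)

def classify(username, password, has_lm_hash=False):
    """Return the weakness criteria one account matches ([] means it passed)."""
    raw, deleet = _bases(password)
    user = username.lower()
    checks = [
        ("lm-hash", has_lm_hash),
        ("short", len(password) < 8),
        ("repeated-char", len(password) >= 3 and len(set(password)) == 1),
        ("simple-sequence", _is_sequence(password)),
        ("keyboard-walk", _is_keyboard_walk(password)),
        ("username-mutation", len(user) >= 3
         and any(user in b or user[::-1] in b for b in raw | deleet)),
        ("dictionary", bool(raw & DICTIONARY)),
        ("leet-dictionary", not raw & DICTIONARY and bool(deleet & DICTIONARY)),
    ]
    return [name for name, hit in checks if hit]
```

Run classify() over every cracked account and report the ones with a non-empty result; the national-keyboard criterion needs its own walk strings per locale added to KEYBOARD_WALKS.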

Step 1: Create a shadow copy (snapshot) for copying the password files

  1. Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
  2. Click Start, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil
  5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
  6. At the snapshot prompt, type the following command, and then press ENTER:
activate instance ntds
  7. At the snapshot prompt, type the following command, and then press ENTER:
create
The command returns the following output:
Snapshot set {GUID} generated successfully.
where GUID is the globally unique identifier (GUID) of the snapshot.
  8. At the snapshot prompt, type the following command, and then press ENTER:
mount {GUID}
  9. Optionally, to see a list of all mounted snapshots, type the following command, and then press ENTER:
list mounted
The output lists each mounted snapshot with a corresponding index number. You can use the index number instead of the GUID to subsequently mount, unmount, or delete the snapshot.

  10. Open another command prompt as Administrator.
  11. Run the commands below. The c:\$SNAP_201603102306_VOLUMEC$ path is the mount point ntdsutil reported for this snapshot; yours will carry a different timestamp.

E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\Windows\ntds\ntds.dit
       1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SYSTEM
        1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SAM
        1 file(s) copied.
E:\temp>reg SAVE HKLM\SYSTEM .\sys

  12. Copy these four files (ntds.dit, SYSTEM, SAM and the saved sys hive) to a USB drive.
  13. To unmount the snapshot after you have finished with the data, type either of the following commands, and then press ENTER:
unmount index #
-or-
unmount {GUID}
  14. Delete old snapshots that you are no longer using, because they consume disk space. To delete a snapshot, type either of the following commands, and then press ENTER:
delete index #
-or-
delete {GUID}
  15. After you are done with the snapshot operations, type quit to return to the ntdsutil menu, and then type quit again to return to the command prompt.

Reference: https://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx