She said she saw one when we were there the other day.
Looks like she was right.
After reading a couple of posts about impersonation by Shawn Farkas, linked to by dominick baier, I’ve decided to post some information about impersonation as well. The only difference is that my impersonation doesn’t require a password.
You may remember a few months ago when I posted about mucking around with tokens. Well this is the reason I was doing so.
It seems that by using the ImpersonateLoggedOnUser function, you can impersonate the security context of a logged-on user…and all you need is their token!
How do you get a user’s token? Simple.
See, that wasn’t so tough: AgentSmith.exe
There are a few disclaimers:
I got tired of seeing ads in my Bloglines Chicago news feed which pulls from Moreover. So I checked out GreaseMonkey, figured out how it all worked, and whipped up a script to do it for me.
Much better.
I seem to be having problems with pingomatic on my WP install…time for some ngrep fun!
I’m at the sixth annual CERIAS Information Security Symposium at Purdue. It’s not too bad - I’ll let you know if I see anything neat. I’ve liked the couple of virtualization projects, given my recent involvement with Microsoft Virtual Server.
As I was enjoying a fine dinner of Lipton Italian Sides one night, I came across Adi’s post on how to copy an open file with shadow copies. Not bad, I thought, and stored that little nugget of knowledge away for when I might need to do just that.
A few minutes later I remembered an old email about pwdump horking a domain controller (yes, horking is a technical term…) and wondered if I could simply copy the SAM hive (%SystemRoot%\system32\config) using shadow copies. A few hours later, using Adi’s post as a reference, I came up with the code below.
There was one small hitch when I realized that since Windows 2000, the SAM is encrypted using the syskey. Fortunately, I came across InsidePro, which includes a couple utilities to help out:
- GetSyskey will extract the SYSKEY key from the SYSTEM hive.
- GetHashes extracts hashes in pwdump format using the previously extracted SYSKEY.
Adding the decryption of the SAM into the script was pretty simple, and by running this command you will get yourself a nice list of hashes: VPass.bat hashes.txt
Enjoy…
Here is a zip file containing the batch script, vshadow (for both 2k3 and XP from the Volume Shadow Copy SDK), and the two utilities mentioned above in one happy automated script: VPass.zip
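As a defender-side counterpart to the script above, here is an added detection example (not from the post or the VPass.zip script) that flags a SAM, SYSTEM or SECURITY hive copied from a shadow-copy device shortly after a shadow copy was created on the same host. The pipe-delimited process-creation records, hosts and users are constructed for the example; the time window is an assumption you would tune.

```python
import re
from datetime import datetime

# Constructed process-creation records (not real telemetry): time|host|user|image|command line
SAMPLE_LOG = r"""
2005-03-20T13:01:02|WS01|CORP\alice|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
2005-03-20T13:04:10|WS01|CORP\alice|C:\tools\vshadow.exe|vshadow.exe -p C:
2005-03-20T13:04:15|WS01|CORP\alice|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
2005-03-20T13:04:16|WS01|CORP\alice|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
2005-03-20T22:00:00|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:
2005-03-21T02:00:00|SRV02|CORP\backup|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM D:\bak\SAM
"""

# Shadow-copy creation via the SDK tool the post uses (vshadow) or the built-in vssadmin.
SHADOW_CREATE = re.compile(r"\b(vshadow(\.exe)?\b|vssadmin(\.exe)?\s+create\s+shadow)", re.I)
# A registry hive read from a shadow-copy device path instead of the live volume.
HIVE_FROM_SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(SAM|SYSTEM|SECURITY)\b", re.I)

def parse(line):
    """Split one record into a dict; records are assumed to arrive in time order."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "cmdline": cmdline}

def find_hive_copies_from_shadow(log_text, window_seconds=600):
    """Alert when a hive is copied from a shadow device on the same host within
    window_seconds after a shadow copy was created; a copy hours later is not flagged."""
    creations, alerts = [], []
    for ev in map(parse, log_text.strip().splitlines()):
        if SHADOW_CREATE.search(ev["cmdline"]):
            creations.append(ev)          # remember creations per host for later correlation
            continue
        hive = HIVE_FROM_SHADOW.search(ev["cmdline"])
        if not hive:
            continue
        for c in creations:
            age = (ev["time"] - c["time"]).total_seconds()
            if c["host"] == ev["host"] and 0 <= age <= window_seconds:
                alerts.append({"host": ev["host"], "user": ev["user"], "hive": hive.group(1).upper(),
                               "created_by": c["cmdline"], "copied_by": ev["cmdline"]})
                break
    return alerts

if __name__ == "__main__":
    for a in find_hive_copies_from_shadow(SAMPLE_LOG):
        print(f"[{a['host']}] {a['user']} copied {a['hive']} from a shadow copy: {a['copied_by']}")
```

With the default ten-minute window only the two WS01 copies are reported; widening the window to five hours also catches the SRV02 copy, which shows why the window has to be tuned against legitimate backup jobs.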
There are four blocks of cop cars parked along Dearborn St. in Chicago with their trunks popped and all the cops putting on their riot gear in preparation for the anti-war march. It’s a pretty impressive scene - I’ll post some pictures later.
The site was really starting to bog down for some reason lately, but I figured out what it was.
Turns out it was what I suspected all along. On my first site, I had some statistics on the pages about how many times they’d been Googlebotted as well as any referrers. However, I was generating that content from my Apache logs, which I configured to log directly to MySQL and which are now at just over 1,000,000 rows. Being that my server is a virtual colo (thank you, John Companies), the database was getting pegged out pretty easily.
Now that I’ve disabled those queries, it’s running much faster.
I knew I didn’t like the sound of these things. Researchers were able to break the encryption used in RFID devices such as Exxon Mobil’s Speedpass…as well as newer-generation automobiles. Now I don’t know if that refers to such cars at the auto show that auto-start when your bluetooth key gets close enough, but that sounds like such a horrible idea to me.
There are so many bluetooth issues currently out there, that I can only imagine what people would do if they could sniff your bluetooth “car key”. I’m sure there must be more to it, but it’s still scary.