User:Ans

• circuit diagram of Sanyo refrigerator, model SR-D72 (ผังวงจรตู้เย็นซันโยรุ่น SR-D72) (archive)

802.1x[edit]

• https://supportforums.cisco.com/thread/213469?decorator=print&displayFullThread=true
  • Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode
  • 0: When user logs in, if already authenticated with Machine credentials, the user’s credentials are not used
  • 1: When user logs in, 802.1X authentication use the user’s-credentials
  • 2: Machine authentication only
  • default: 1
  • Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
  • 0: Disable 802.1X
  • 1: Inhibit transmission of EAPOL-Start and EAPOL-Logoff packets under all scenarios
  • 2: learning to determine the transmission of EAPOL packets
  • 3: Compliant with 802.1X spec
  • default: wired: 2, wireless: 3
• http://www.stevens.edu/itwiki/w/index.php/Linux_802.1x (via network manager)
• http://tldp.org/HOWTO/html_single/8021X-HOWTO/
• http://social.technet.microsoft.com/Forums/fi-FI/winserverNAP/thread/b56e9fe5-6aac-4f00-ac6a-55e89d758424
  • http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=05951071-6B20-4CEF-9939-47C397FFD3DD&displaylang=en Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows
• machine passwd expire
  • http://support.microsoft.com/kb/904943
  • http://support.microsoft.com/kb/936626
  • http://technet.microsoft.com/en-us/library/cc512611.aspx
  • https://supportforums.cisco.com/message/846335
• windows resume from hibernate, but not login (the screen show locked status), connect port via hub
  • lan port is plugged before resume: windows not send identity response
  • unplug and then plug lan port at pc: windows initiate start eap, switch request identity, windows not send identity response
  • unplug and then plug lan port at hub uplink: switch request identity, windows not send identity response
• on logged on windows desktop (not auto use windows logon name in 802.1x)
  1. unplug and then plug lan port at pc, then key user credential: windows initiate start eap, switch request identity, windows not send identity response until user enter credential
  2. unplug and then plug hub uplink: switch request identity, windows send identity response
  3. unplug and then plug lan port at pc (not key credential): windows initiate start eap, switch request identity, windows not send identity response
  4. unplug and then plug hub uplink: switch request identity, windows not send identity response until user enter credential
  5. logoff windows: windows initiate start eap, switch request identity, windows send machine identity response, success, ping success
     1. shutdown (after logoff): no eap activity
  6. logon windows: windows initiate start eap, switch req id x 3, (req+15s) fail, ping ok, (fail+10s) switch req id x 3, (req+15s) fail, ping ok, (fail+10s) fail, switch req id, ping fail, (req+5s) switch req id x 2, ping fail
  7. shutdown without logoff: same as logoff windows

windows domain[edit]

• http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/45018 bypassing Windows Domain Group Policy Objects
  1. Disable WFP (windows file protection)
     • sfc_os.dll, wfpadmin.exe
  2. rename gpupdate.exe (WinXP) secedit.exe (Win2K)
  3. registry disable GPO
     • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\disableGPO=1
• http://www.crcnetbase.com/doi/abs/10.1201/9781420052206.ch3 (cache) Chapter 3 Windows User Authentication Architecture
  • pwdump{2,3,4}: Online password hash access tools, use Windows internal RPC functions of the Samr family (SamrQuery InformationUser( ) which support SYSKEY)
  • lsadump/lsadump2: Online access to the LSA Secrets database (It crash the system[1])
  • Applications that need to access the LSA Secrets typically use the LsaStorePrivateData( ) and LsaRetrievePrivateData( )(example) system functions to access LSA Secrets.
    • HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, $MACHINE.ACC, _SC_ServiceName (service password)
    • DPAPI_SYSTEM: Data Protection API. Data is encrypted using 3DES and a key that is not stored anywhere on the system. CryptProtectData( ), CryptUnprotectData( ), CryptProtectMemory( ). When user change passwd using standard OS tools, DPAPI will automatically open the CREDHIST file, decrypt all the master keys using the old password, and then encrypt all the master keys with the new password.
  • Protected Storage: HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider. Access to the Protected Storage service was provided by means of CryptoAPI functions.
  • SYSKEY
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SecureBoot
      • 1: SYSKEY is stored locally in the registry (SYSTEM file),
      • 2: SYSKEY is derived from an administrator selected password, or
      • 3: SYSKEY will be stored on a floppy disk
    • encryption key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\{JD,Skew1,GBG,Data}, HKEY_LOCAL_MACHINE\Security\Policy\PolSecretEncryptionKey, HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F
• http://moyix.blogspot.com/2008/02/creddump-extract-credentials-from.html creddump
  • http://code.google.com/p/creddump/
  • lsadump2: advapi32.LsarQuerySecret (inject dll to bypass permission)
  • cachedump: lsa key from lsass.exe memory + advapi32.SystemFunction005 --> decrypt NL$KM
  • Cain & Abel: offline, advapi32.SystemFunction005
• http://blogs.technet.com/b/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx Circumventing Group Policy Settings: regmon