
Thursday, July 31, 2008

Bus passenger beheaded seat mate, witness says

As of now this story is all over the news - a man on an eastbound Greyhound Canada bus in Manitoba beheaded the sleeping guy next to him, apparently for no reason at all. What is this world coming to? Are people cutting off each other's heads just because they feel like it? What the heck, there's just no rational explanation for this.

As linked above, the news story comes from CNN. Oddly enough, CNN seems to have a (very dark) sense of humor. Check out these lines from their article:

  • "It was like something between a dog howling and a baby crying, I guess you could say" - WTF?! I know this is a quote from an eyewitness, but still - is this America's premier news source, or is this little kids on Halloween?
  • "Colwell praised the "extraordinary" level-headedness and bravery of the bus driver and passengers." All right, let's make it perfectly clear that there's NO GODDAMN WAY that some journalist innocently decided to use that phrase. This isn't a quote from a person on the bus - it's something the writer had to have added in. Funny how they mentioned heads in a story about decapitation...'nuff said.
  • "everyone except the knife-wielder and his victim had left the bus" - Who knows, maybe it was a poor choice of words, but I kinda doubt that after the previous two. Maybe it was a bad attempt at some twisted humor...How did the dead guy get off the bus? Haha, he couldn't cause he was dead! Wow - bad, BAD joke.
  • "Once they are released, Greyhound will take them by bus to Winnipeg" - yeah, I guess this is a fact, but if I saw a guy lose his head (literally) on a Greyhound bus, I sure wouldn't want to ride again...I mean, what if someone chopped off my head while I was sleeping? I'd rather look out for myself - and that's only possible if I get to keep my head.

I've always considered CNN to be a humdrum, mainstream news source. Guess I'll have to head over to CNN more often and take a close look.

Wednesday, July 30, 2008

On Campus @ Northwestern University

I'm writing this post in a dorm room at Northwestern University, where I've been for almost two weeks. I am taking AP Computer Science A through Northwestern's Center for Talent Development (CTD) - a fancy name for what is more or less a summer camp.

But enough of that. As with my earlier post about the University of Chicago, I'm going to highlight some of my personal observations and experiences while on campus. I wish I had some pictures to share, but unfortunately I don't have a camera handy...


I can't really provide a true impression of Northwestern's academic programs, as CTD is a high school program.  The teachers are predominantly from high schools near Evanston. Of course, this does not imply anything about their level of knowledge. In terms of the actual college, though, Northwestern is highly regarded, particularly the journalism and business programs. Naturally, admissions are competitive, with a 26% admissions rate. Here are some ACT/SAT stats, courtesy of the College Board:

  Middle 50%
SAT Critical Reading 670 - 750
SAT Math 680 - 770
SAT Writing 660 - 750
ACT Composite 30 - 34

Obviously, these are some high-powered scores. Personally, though, I have little to worry about in the standardized test department! :D

Campus, Housing and Location

Northwestern University is located in Evanston, IL, only about 15-20 minutes away from Chicago. Simply drive north on Lake Shore Drive, and you'll reach Evanston pretty quickly. The nice thing about Evanston is that it is a good-sized city (population 74,000) with all the resources one would want, but is right next door to the Windy City. Evanston is a decent place, with a combination of urban and suburban life, but it also has its seedier places. Transportation is a cinch since the CTA Purple Line lightrail system runs through.

The Northwestern campus is well-regarded for its scenic beauty, and I can see why. All of the old buildings are built of a pleasing beige-colored stone, and ivy is abundant. The Norris University Center, a looming multilevel structure, is a bustling hub of students, food, and activities. Our Comp Sci classroom is located in Annenberg Hall, a newer building with computer labs and tech-heavy classrooms.

My dorm, Allison Hall, has definitely seen better days; the ivy and surrounding trees, though, somewhat compensate for that. Currently, there is a lot of construction going on, marring the landscape. Each double room has two desks, a bunk bed, and a retrofitted window air conditioner. The bathrooms have an odd smell, no thanks to their constant use over the years by some (not-so-clean) students. There are dual Ethernet lines in each room running at 10Mbps (a holdover from a previous era?) Obviously, Allison can't hold a candle to the brand-spankin' newness of Max Palevsky Commons over at the University of Chicago, but it's still a fun and lively place to be.

the famous Northwestern arch


As residential students we're entitled to three meals a day. The food service definitely has its on and off days. Some days, there is a reasonable variety of food - mac and cheese, fries, pasta, rice, fruit - while other days there is almost nothing except for excessively greasy burgers. Breakfast blows all the time, though, because they always seem to serve the same old menu of scrambled eggs and French toast. Nevertheless, I'm grateful for the soda machines, which are on during every meal - perfect for grabbing a drink to go.

Naturally, an escapade to restaurants in town is a must when the in-house dining is deficient. There are many choices - Chipotle, Potbelly, Flat Top Grill, pizza, Joy Yee's Noodles, and various chicken places.

Student Life

A school can often be judged by the quality of its students.
Here at CTD, most of the kids are pretty well-equipped in the brain department. Not surprisingly, our Comp Sci class has a highly skewed male:female ratio (guess in which direction?) Diversity is abundant: many of the kids come from neighboring states, while others come from across the country or even internationally (Korea). Many of us are quite quirky and have exotic interests (chess grandmaster, anyone? or one of the best Quiz Bowlers in the nation?) The residential teaching assistants are equally interesting - hardcore gamers, med school...you name it.


Northwestern University is, simply put, an awesome institution. From the life to the students, it's a decent school that caters to an entire spectrum of people and tastes. The lush campus and surrounding town supplement the academic reputation. Northwestern University is definitely on my Common App's list of schools...

Wednesday, July 23, 2008

uTorrent IPFilter Updater v1.1 Available - Windows 2000/XP/Vista

UPDATE: January 6, 2009

This program no longer works with the new download location as the site implements a server-side download limiter which seems to vary the download link. I will try throwing something together, maybe in C# or Python, but no guarantees that this issue will be successfully tackled.


A new version 1.1 of my uTorrent IPFilter Updater is now available. This is a minor update fixing just a couple of things.

  • Confirmed compatibility with all recent versions of uTorrent, v1.6 to 1.8
  • Confirmed support for Windows 2000/XP/Vista. If you have trouble on any of these OSes please contact me!
  • Updated wget to 1.11.4 using the binaries and DLLs available here. This should fix any issues caused by missing files - every required file is now included.

To perform an update (once every 1-2 weeks is good), simply run Update.cmd.


Tuesday, July 22, 2008

Cracking Windows Passwords with Rainbow Tables Using ophcrack

In my earlier post, Retrieving Windows Passwords Through Backtrack 3, I outlined the process of obtaining the Windows login password hashes. Those hashes are one-way functions of the password, not an encryption of it: they cannot be reversed, only guessed at. So naturally we come to the next step - password cracking, which means hashing candidate passwords the same way Windows does and comparing the results. There are several methods of attacking password hashes:

  • dictionary attack - hash each word of a wordlist and compare it against the target hash
  • brute force attack - compute and try all possible password combinations until one matches your hash
  • hybrid attack - combines dictionary and brute force methods (permuting the wordlist, e.g. appending digits or changing case)
  • rainbow tables - trades disk and memory space for time: hash chains covering the password space are precomputed once and stored in large files, which can then be rapidly searched to find a match for any hash. This only works because Windows hashes are unsalted - the same password always yields the same hash on every machine.

For the vast majority of Windows passwords, rainbow tables work great. ophcrack is a great n00b-friendly solution as the client is small and easy to install; additionally, rainbow tables for alphanumeric passwords are freely available and are claimed to have a 99.9% success rate (on alphanumeric passwords within the tables' length limits).

  1. Step 1 - Download and install the ophcrack client + tables.
    1. At the tables download screen, download:
      1. WinXP small (380MB) if you have less than 512MB of RAM and want to crack LM hashes
      2. WinXP large (703MB) if you have more than 512MB of RAM and want to crack LM hashes
      3. Vista tables (461MB) if you want to crack NT (NTLM) hashes (the only hash type stored by default on Vista)
    2. Note: You may also manually download and install the table files.
  2. Step 2 - Check ophcrack settings.
    1. Open ophcrack and check the Tables button and the Preferences tab.
    2. Ensure that the table(s) you downloaded are enabled with a green icon.
    3. In Preferences, ensure that the number of threads is equal to the number of processor cores you have.
  3. Step 3 - Load the password hashes.
    1. If you used my Linux-based dumping procedure or a tool such as pwdump or fgdump, select PWDUMP file from the Load button.
    2. You may also input a single hash or load the SAM from the local computer.
  4. Step 4 - Begin cracking!
    1. This is the easy step - once the hashes are loaded, simply press Crack. If all goes well and the passwords are alphanumeric only, you should see the recovered password under the NT Pwd column within 10 minutes or so.
    2. Here is a screenshot of some successfully cracked passwords - three simulated, relatively strong passwords that were cracked in only 26 seconds using the XP small tables on a machine with 1GB RAM.

It is a common belief that the NT (often called NTLM) hash is much more secure than the older LM hash used by default on Windows 2000 and XP. NT is certainly stronger - it is not case-folded and not split into two independently attackable 7-character halves - but it is still an unsalted hash, so precomputation works against it too, and the ready availability of the Vista/NT rainbow tables puts the outdated belief that NT hashes are out of reach to rest. With rainbow tables, even attackers with run-of-the-mill PCs can mount an effective attack against Windows passwords. GUI tools like ophcrack only simplify such efforts. Advice for the whitehats and the security-minded? Use a long password - on Windows 2000/XP, a password longer than 14 characters cannot be stored as an LM hash at all (LM only handles 14 characters), so only the NT hash remains, and the extra length also pushes the password beyond what the available rainbow tables cover. Furthermore, long passwords deter brute force attacks. Make sure you don't use a common word in your password, as this is easy prey for dictionary attacks.

Additionally, use a symbol or two in your password, as this will automatically render alphanumeric-only rainbow tables useless (tables that cover symbols exist, but they are many times larger). Similarly, brute-force and dictionary attacks will be made much more difficult due to the vastly expanded search space.

From a larger perspective, we again demonstrate the weaknesses of Windows password hashing algorithms. Again, have more than one layer of protection - encrypt your data, set a BIOS password, etc. A compromised password = compromised data.

Thursday, July 17, 2008

Firefox 3.0.1 ThinApp Released!

I have made available a new version of my Mozilla Firefox ThinApp. This release updates Firefox to 3.0.1 and is built upon VMWare ThinApp 4. As usual, this build contains integrated Flash 9 and fully supports the default update method. Barring any major/critical updates of the ThinApp virtualization software, I will not be releasing any more Firefox 3.0 builds.

Download now @ Skydrive (13.7MB)

MD5: 8BF613BC1AAA8143C695A66E1874A406

Wednesday, July 16, 2008

MediaMonkey Thinstall

Following my review of MediaMonkey, I have decided to make a portable-friendly version of MediaMonkey. Like my other Portable Apps, simply throw on a USB drive and take your music on the go.



DOWNLOAD: MediaMonkey.exe (v3.0.3.1183)

MediaMonkey 3.0 vs. WMP 11: Not Even Comparable

Ever since I got an email account and found out about Ruckus, a free music site for college students, I have been downloading music en masse. I currently have more than 5GB of (mostly classical) music. Initially I tried organizing everything using the Library function of Windows Media Player (WMP) 11. But as I deleted, moved, and renamed music files, I found that WMP's basic capabilities just weren't up to the task. The most glaring omission was the lack of reliable auto-updating of the Library. I often found myself looking at nonexistent library entries that pointed to nonexistent files.


Naturally, being a "there's always a solution to everything"-type of person, I set out to find the perfect program for reliably and efficiently managing and playing my now-immense music library. From friends and Googling I came across MediaMonkey, billed as a "Free Media Jukebox, Music Manager, CD Ripper & Converter". First, a rundown of its features and specs. It has the standard set of features - tagging, playing, burning, and ripping. As any decent music program should, MediaMonkey encodes MP3s, monitors podcasts, and can sync with portable players, including iPod (take that, iTunes users!) While Windows Media Player claims to monitor your music folders, MediaMonkey actually does it. The Standard (free) version can rescan your music and update the library accordingly, while the Gold version raises the stakes by doing constant auto-monitoring. When I deleted a music file off my hard drive in Windows Explorer, MediaMonkey got rid of it in the library only a few seconds later. This really comes in handy if you're the type of person who likes to always manipulate files. By contrast, Windows Media Player never seems to reliably refresh the library (there isn't even a button for that).

File monitoring options in MediaMonkey

So how well does MediaMonkey actually manage a library of music? By poking around I concluded that the library database system is powered by SQLite, the premier free and open-source library for implementing a high performance embedded SQL database. SQLite is also a key component of Firefox 3, Mac OS X, and the iPhone. The MediaMonkey website claims the ability to handle a library of 100,000+ songs, something I have no reason to doubt. I would hate to see WMP try to struggle through that many songs.

Music is meant to be played. Sure, Windows Media Player does that without a hitch, but nothing more. In WMP, playing one song from the Library will add a few (25 or so) songs to the "Now Playing" list. Obviously, this severely limits variety if you just want your music to keep playing. In MediaMonkey, however, all songs from the current category (Artist, Album, Genre, Composer, etc.) are queued into the Now Playing list. This ensures that you are not limited to the skewed whims of a random number generator.

Screenshot of MediaMonkey playing from an automagically generated Now Playing list of all my Andre Rieu songs

I also tested memory usage for both WMP and MM. While playing, WMP rang in at 38,672K, while MediaMonkey registered 29,308K. Not only does WMP suck, it also uses more memory!

Of course, functionality isn't the only thing. An attractive user interface and cool visualizations are always nice bonuses. MediaMonkey excels in both these areas. The MM website has a collection of installable themes, including one that slaps WMP 11 across the face. There are also add-on visualizations, many of which take advantage of hardware 3D graphics acceleration. Besides eye candy, MediaMonkey's plug-in architecture allows for various other functional enhancements, including playback and encoding support for other audio formats.

WMP 11 or MediaMonkey?

I could go on and on about the various nifty features of MediaMonkey, but I'll keep it simple: IT'S AWESOME. WMP 11 simply can't hold a candle to MM's sheer power. Novices and casual users will find the Standard version more than adequate, while audiophiles will find the paid Gold version well worth their money.

Saturday, July 12, 2008

Retrieving Windows Password Hashes using Backtrack 3 - A Walkthrough

WARNING: The procedure outlined here is NOT intended for casual n00b users. If you don't get it, don't do it. Experience with Linux is highly recommended to understand this tutorial.

Let's say that you forgot your Windows password...or that you need to get at another user's for legitimate (pentesting?) purposes. Assume the following:

  • The Windows installation has passwords on all local accounts, including the administrator.
  • As a result, you will not be able to use Windows to recover the password hashes.

So what now? The solution is to use another operating system to gain access to the Windows partition on the hard drive. Linux, with its now-strong NTFS support, is ideal for this task. Today, I'll be showing you how to use the Backtrack 3 Linux distribution and samdump2 to access and dump the SAM file on Windows XP and Vista. The instructions that follow detail installing BT3 on a USB stick through Windows - if you're going for your own password, then have another computer available.

Obtain and install Backtrack 3 onto a USB drive (not CD!)

    • You will need a 1GB or larger drive.
    • Extract the downloaded ISO file to the root of your USB stick using something like WinRAR or IZArc.
    • Navigate to the boot directory. Run bootinst.bat to install the bootloader on your USB. Make sure you run this from your USB and NOT from your local hard drive - otherwise, you will end up not being able to boot Windows anymore!


    Install samdump2 v2.0.

      • samdump2 is a Linux tool for decoding the Windows SAM file and undoing SYSKEY encryption. Backtrack 3 actually contains version 1.1, which is split across two separate programs (bkhive to recover the SYSKEY boot key from the system hive, then samdump2 to dump the SAM with it), which is less user-friendly. The latest version combines both SYSKEY decryption and SAM reading into one program.
      • I have compiled an LZM module which will update Backtrack 3 with the latest version. Put the module file in BT3/modules.

    Start BT3.

      • Restart your computer and boot to the USB device (you may have to change your BIOS boot settings).
      • You should see the Backtrack 3 boot menu. The fancy Compiz graphics are not needed. In fact, we could do with just a command prompt. I recommend choosing either BT3 Graphics mode (KDE) or BT3 Text mode Frame Buffer.
      • If Backtrack 3 does not automatically login, use root and toor as the username and password, respectively.

    Perform the dump.

      • If you are using graphical mode, open a shell window from the menu bar.
      • Type df. This command lists all mounted filesystems. Your Windows partition should be among the output; make note of the device name - for example, hda1 from /dev/hda1 - and of where it is mounted (the "Mounted on" column; Backtrack mounts it under /mnt/ followed by the device name, e.g. /mnt/hda1).
      • Now enter cd /mnt/DEVNAME/WINDOWS/system32/config, replacing DEVNAME with your device name. I am using hda1 in this example, so I would type cd /mnt/hda1/WINDOWS/system32/config.
      • Type ls to list the contents of this directory. Verify that the files SAM and system are among the listing.
      • Now type samdump2 -o ~/winhashes.txt system SAM to undo the SYSKEY protection and dump the SAM. A copy of the hashes will be stored in winhashes.txt in root's home directory.
      • Simply copy this text file to your same USB stick or use Backtrack 3's Firefox to email or upload it.
      • The hash file is in standard pwdump format, one account per line: username:RID:LM hash:NT hash:::. Many password-cracking tools can handle this, such as John the Ripper and ophcrack.

    This method demonstrates Windows' inherent lack of password security. By default, Windows NT, 2000 and XP store an LM hash alongside the NT hash for every password of 14 characters or fewer, and LM is quite insecure and easily defeated. Windows Vista stores only the NT hash, which is stronger but still unsalted. But regardless, make sure you use a strong password that is reasonably long and contains numbers and/or symbols. Password-dumping attacks like this can be made much harder by setting a BIOS/boot password and disabling booting from USB and CD, so that the computer cannot be started from other media without authorization - though none of that helps once the hard drive is pulled and read in another machine, which is why encrypting the disk is the real fix. It is fair to say that many or most people have no such security on their computers short of locking their computers when they go out. Unfortunately, though, the Windows password provides a false and inflated sense of security and privacy.

    Monday, July 7, 2008

    ZBLADE2 R3 Released!

    Revision 3 (R3) of my ZBLADE2 USB information-gathering tool has been released. It retains all of the functionality of R2, and has the following changes/updates/additions:

    • EZ-Config section at beginning of run.cmd: each tool has an entry that you can set either to 0 (disabled) or 1 (enabled), allowing quick and painless selection of what tools to run
    • Updated FirePassword to v2.5, which supports Firefox 3
    • added fgdump v2.1.0 as an alternate Windows login password/DCC cache dumper. Although gsecdump remains the default tool for this, fgdump is provided for anyone experiencing trouble (Vista!) You can enable fgdump in the EZ-Config section. Though redundant, it should be fine if you choose to enable both tools.


    You may download ZBLADE2 R3 below:

    MD5: 3913BA86BFDDECBEC885FCCD6B068A0E

    Friday, July 4, 2008

    Weekly Travels: A Taste of Chicago

    Over the past week my friends and I have worked hard and played hard. Here is a lineup of our activities so far:

    On Friday, we took the Metra downtown and walked to Pizza Uno for dinner. The Chicago deep-dish they have there is superb, but so is Giordano's, and I still can't decide which is superior. Curfew was at 11:15 pm, though, and we were kinda rushed (the fact that we got out of lab at 7:00 didn't help). We waited for the train for 20 minutes, and whether due to chance or a misreading of the schedule, it still didn't come. It was now 10:50 pm, and we had to move to our last resort: a taxi. Where are those things when you need them? We waited another five minutes before a taxi van showed up. We told the Turkish taxi dude to go fast and that we had to be back by 11:10 at the latest. At times we were going 70 in a 45 mph zone. Thanks to this guy's awesome driving we made it back actually 3 minutes before, at 11:12. That was one of the best stunts we ever pulled - hopefully it will be unnecessary to repeat that.

    The next day we went downtown again, this time to see (and taste?) the Taste of Chicago. It's actually still going on till July 6. Basically, it's a highly overpriced food festival with some of the most murderous crowds ever. Admission itself is free, but to eat the food or ride the rides ya gotta buy tickets (12 for $8). To put this in perspective, consider the fact that ONE slice of pizza is 7 or 8 tickets, a barbecue sandwich up to 10, and the Ferris Wheel 6. If you are a gluttonous eater, too bad for you, cuz you'll be forking over a lot of money. Oh, and don't forget the enormous number of people - it is literally packed, and a lot of times you can't even move. They really need to implement some form of crowd control.

    The 4th of July means fireworks. Actually, though, Chicago's fireworks are on the 3rd, and my roommate's dad offered to take us all out to the festivities at Millennium Park. After a quick drive down to the Metra station, we hopped on and got off at Van Buren Street. The place was crawling with cops - near the subway station, there was a crapload of cop cars, cop SUVs, and unmarked police vehicles. Downtown, there were at least two cops on every street corner. After stops at Chipotle and Jamba Juice, we headed for Millennium Park. Getting there meant (at least, according to my roommate's dad) a little shortcut through the Taste of Chicago grounds. Unfortunately, our plans were ruined by the crowds there, which were even worse this time around. By the time we escaped, it was already too late and we had to go back for curfew. But, at the very least, we had enough crowds for a lifetime.

    Stay tuned for more adventures!