
Pass the hash


In a pen test it's always a race to the finish: either you get to Domain Admin or r00t, or you die tryin'! 🙂 Thanks to some real l33t fu by Hernan Ochoa, the Domain Admin half of that race has been made a lot easier.
The key to pass-the-hash attacks is that Windows NTLM authentication never transmits the password itself: the client proves it knows the user's NT hash by using that hash to answer the server's challenge. The hash is therefore the credential. As long as the right hash is loaded into the logon session you are who you say you are, and there is no need to know, or crack, the plaintext password.
Hernan Ochoa's Pass-the-Hash Toolkit (http://oss.coresecurity.com/projects/pshtoolkit.htm) is precisely the tool for that. Once you gain local admin rights on a box, run the whosthere.exe utility on it to dump the NTLM hashes of the sessions currently logged on. Mind you, the tool reads these out of LSASS memory, so different versions of Windows need different addresses passed as parameters. The first thing to do is go to C:\WINDOWS\system32 and copy lsasrv.dll to your own machine. The pass-the-hash source tarball contains an IDA Pro script, passthehash.idc, that you run after opening lsasrv.dll in IDA Pro. It prints the right addresses to pass to whosthere.exe with -a:
whosthere.exe -a <addresses from the IDA script> -o outputfile.txt

Once you have the hash you can either use iam.exe from the same toolkit (it loads the hash into your current Windows logon session), or, from a Linux box, winexe (http://eol.ovh.org/winexe/) with the pass-the-hash patch from jo-mo-kun (http://www.foofus.net/jmk/tools/winexe), or Samba with jo-mo-kun's pass-the-hash patch.
The patched tools read the hash from the environment variable SMBHASH, in the same LMHASH:NTHASH form as a pwdump line, for example:

export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"

Then run winexe as

./winexe -U "Domain\\Username" //192.168.0.1 "cmd.exe"

Of course, you can also spend some time cracking the LM or NT hashes to get the actual passwords, but for getting onto the next box it isn't necessary.


Filing Tax Assessment Appeal in Jersey City


In this post I will cover how to file a resident's tax appeal. It's quite simple. This is not meant to cover every special situation, but it should cover simple ones, for example if you live in a condo in Jersey City. For other situations, review the handbook listed below.
Most importantly: the appeal needs to be in the county's hands by Dec 1 2022, otherwise it will be rejected. The tax officer therefore said it is really important to visit the office and hand it over in person. You could also send it by certified mail.

Important Links

  1. Where to get the appeal form for a mid-year added/omitted assessment: https://www.state.nj.us/treasury/taxation/pdf/other_forms/lpt/adomap.pdf
  2. N/A for mid-year: if you are filing during the usual window (January up to the April deadline) for the annual assessment, use https://www.hcnj.us/wp-content/uploads/2021/12/a-1-petition-of-appeal.pdf
  3. Comparables are obtained from: https://www.zillow.com/b/20-2nd-st-jersey-city-nj-5XkRmF/
  4. Appeals handbook: https://secure.njappealonline.com/prodappeals/help/Hudson_InstructionsHandbook.pdf
  5. If you are filing an online appeal you can do so at http://www.njappealonline.com/prodappealonline/Home.aspx; however, this site only works at certain times of the year. For example, in Nov 2022 the site was not accepting Hudson County appeals for some reason.

How to fill the form:

  • Common Level Ratio: this is the ratio of assessed value to sale price for the Jersey City municipality (the maximum is 100%). For 2022 the Common Level Ratio range in Jersey City runs from a minimum of 0.7426 to a maximum of 1.0. If your unit's assessment falls within that range of its true (sale) value, you do not qualify for an appeal.
    The Common Level Ratio values come from https://www.state.nj.us/treasury/taxation/pdf/lpt/chap123/2022ch123.pdf . E.g., let's say your unit was assessed at $1mn and comparable sales show that the true value of the unit is $950,000. For the assessment to stand, the true value would have to lie between $1mn/1.0 = $1,000,000 and $1mn/0.7426 = $1,346,620; $950,000 is outside that range, so you qualify for an appeal. Your taxable value would then be $950,000 x 0.8737 (the average Common Level Ratio) = $830,015. At a 2.118% tax rate this comes to $17,580.
  • This is what the fields look like:
    Block / Lot / Qualifier – you get these from your tax bill; they can also be looked up by address at https://tax1.co.monmouth.nj.us/cgi-bin/prc6.cgi?district=0906&ms_user=monm
  • Next go to Zillow (https://www.zillow.com/b/20-2nd-st-jersey-city-nj-5XkRmF/) and find the comparable sales for your unit from the pre-tax year (if you are appealing the 2022 assessment, use 2021 sales). Then go to https://tax1.co.monmouth.nj.us/cgi-bin/prc6.cgi?district=0906&ms_user=monm, find the sale dates and add that information to the form.
  • The prorated fields in the form can be left blank because the county knows those values (I did not fill them out; the county clerk did that for me).
  • Sign and date the form.
  • If the online system does not work, send one copy to each of the following addresses by post (certified mail) or in person:
    Hudson County Board of Taxation, Hudson County Plaza, 257 Cornelison Ave Room 303, Jersey City NJ 07302. You also need to send one copy to the city: Office of the City Assessor, 364 Martin Luther King Drive, Jersey City NJ 07305. Phone: 201-547-5131.

Update 12/29/2022:

I did go to the Hudson County court and argued my appeal in person. The city representatives were quite polite and the process was quite smooth: you just show up in court and either accept or reject the city's proposal. Once the judgment is reached they mail it to you, and you have 45 days to appeal it. After that the decision is binding for 2 years.


John the Ripper 1.7.2 – Jumbo patch


I've been struggling to find a working version of John the Ripper that can crack the MS Cache (cached domain credential) output from Cachedump (this functionality is now built into fgdump). Running fgdump produces two files, hostname.pwdump and hostname.cachedump; running it without any parameters against the local machine gave me 127.0.0.1.pwdump and 127.0.0.1.cachedump.
So now you have the cached credentials, but then comes the big problem of cracking them. That is what the jumbo patch for john-1.7.2 is for.
The following commands fetch the patch, apply it and build John:


$ tar zxvf john-1.7.2.tar.gz
$ cd john-1.7.2/
$ wget http://www.openwall.com/john/contrib/john-1.7.2-all-9.diff.gz
$ gzip -d john-1.7.2-all-9.diff.gz
$ patch -p1 <john-1.7.2-all-9.diff
$ cd src/
$ make linux-x86-sse2


You get some warnings during compilation, but the executable works very well.

Go ahead and get cracking (run/ is a sibling of the src/ directory you built in, and john takes the cachedump file as its argument):
$ cd ../run/
$ ./john --format=mscash 127.0.0.1.cachedump


System Information


This has been a weird one: remembering how to find version information on the various operating systems.
On Ubuntu, the following gives the distribution version:
  cat /etc/issue
  cat /etc/lsb-release
  cat /etc/os-release    (present on most current distributions, not only Ubuntu)

On Linux, finding the kernel version
  uname -a
  cat /proc/version

On Windows, from Start -> Run -> cmd.exe:
  winver
OR
  systeminfo

This is very simple but still there are a few times when memory fails and we’re not able to do the obvious.

To see the hardware device tree as HAL reports it (lshal belongs to the old HAL daemon and is gone from current distributions; lshw, used below, covers the same ground):
  lshal

Finding your CPU Information
  cat /proc/cpuinfo

Finding memory information
  cat /proc/meminfo

Maximum number of half-open connections (SYN received, but the client's ACK completing the handshake not yet seen) the host will remember; this is the queue a SYN flood tries to fill:
  cat /proc/sys/net/ipv4/tcp_max_syn_backlog

Finding whether the CPU is 32-bit or 64-bit (this reports the processor's width; whether the running kernel is 64-bit is a separate question, answered by uname -m):
  sudo lshw -C cpu | grep width


The case of an ID theft scam


An interesting incident happened this past week to a friend: he had his identity stolen. More specifically, someone got hold of his Social Security number (SSN), his date of birth (apparently) and his address. The scammers, or their "mules" (people who act on behalf of the actual criminal, at their behest), went to the bank and requested a wire of a huge sum of money to another account. The neat trick was that before going to the bank they called the Verizon help desk and had my friend's phone service suspended. When they reached the bank, showed the agent an ID (some sort of non-standard / fake ID) and gave the SSN, the agent grew suspicious and tried to contact my friend. However, because Verizon had suspended his phone service, the agent couldn't get hold of him. Luckily, the agent also sent my friend an email, to which he responded promptly. The culprits were arrested and the investigation is still on.
What was quite interesting was the modus operandi: the criminals knew that banks rely on calling the customer when they suspect fraud, and they had that covered. Quite intelligent.
So you know what to do if your phone suddenly stops working for no reason: check whether ID thieves have had a run at you, change all your passwords including email, change your credit card, bank account and PIN details, and place a fraud alert or freeze on your credit file with the credit reporting agencies Experian, Equifax and TransUnion.


Sharing 3G connection using 802.11 Access Point


Let's assess the situation: you have a 3G phone that allows tethering, a Windows machine, a wireless access point (typically called a wireless router) and another PC connected to one of the access point's LAN ports. The access point serves your home network, and your ISP disconnects you or is experiencing problems. How do you share the 3G connection so that the other computers can keep connecting through the access point and go out through your phone? It's actually quite simple.

Tether your smartphone (in this case let's say a BlackBerry). BlackBerry tethering in Windows over AT&T is done with software called AT&T Communication Manager (ACM). Install ACM and connect the phone to the Windows machine with a mini-USB cable. Go to Start -> Run -> cmd.exe and type ipconfig /all to note the IP address and the DNS server addresses of the tethered connection.

Now connect the WAN port of the wireless access point to this Windows machine's Ethernet port. Set a static IP on the Windows machine's Ethernet adapter, say 192.168.10.1 with a netmask of 255.255.255.0. Go to Network Connections (from Control Panel), right-click the mobile connection representing your BlackBerry, open Properties and click the Advanced tab. In the Internet Connection Sharing section, check the box that says "Allow other network users to connect through this computer's Internet connection" and select "Local Area Connection" (the adapter you cabled to the WAN port). Click OK. You may have to disconnect and reconnect the ACM connection for the settings to take effect. One caveat: enabling ICS makes Windows reassign the shared adapter's address (192.168.0.1 on XP, 192.168.137.1 on Windows 7 and later), so run ipconfig again afterwards and use whatever address the adapter actually has as the gateway in the next step.

Now, from the other PC connected to the LAN port (or over wireless), open the administration interface of the wireless access point. Set a static WAN IP for the router in the same subnet as the Windows box, say 192.168.10.2 with netmask 255.255.255.0, and, most importantly, set the default gateway to 192.168.10.1 (the Windows box's Ethernet address). For the DNS servers, use the addresses you found with ipconfig /all in the first step. You could also use OpenDNS or any other resolvers, but it is best to point at the ones the tethered connection uses, so that DNS can be ruled out if something isn't working and it comes down to troubleshooting. Once the static IP, gateway and DNS are set on the router, you should be able to reach the Internet from your wireless network through the 3G connection! 🙂
Happy internet sharing! 🙂
Here is a schematic diagram:

[tethering]                [static IP]    [static IP]   [internal IP]  [DHCP address]
                                   |         |                |           |
[ phone ] <==> [Windows machine]:eth0 <==> wan:[Wireless AP]:lan <==> [client]
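The same setup scripted, as an added example that is not from the original post: it sets the static address on the adapter facing the access point and then turns on Internet Connection Sharing through the HNetCfg.HNetShare COM object that the Network Connections dialog drives underneath, so it does what the GUI steps above do. The two connection names are assumptions; list yours with "netsh interface show interface" and adjust. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Connection names below are assumptions.
$PublicName  = "AT&T Communication Manager"   # the tethered 3G connection ACM created
$PrivateName = "Local Area Connection"        # the Ethernet adapter cabled to the AP's WAN port
$ErrorActionPreference = "Stop"

# Static address on the adapter facing the access point, as in the post.
netsh interface ip set address name="$PrivateName" source=static addr=192.168.10.1 mask=255.255.255.0

# INetSharingManager: the object the "Advanced" tab of a connection's properties uses.
$share = New-Object -ComObject HNetCfg.HNetShare

function Get-NetConnectionByName([string]$Name) {
    foreach ($conn in $share.EnumEveryConnection) {
        $props = $share.NetConnectionProps.Invoke($conn)
        if ($props.Name -eq $Name) { return $conn }
    }
    throw "No connection named '$Name'; check 'netsh interface show interface'"
}

$public  = Get-NetConnectionByName $PublicName
$private = Get-NetConnectionByName $PrivateName

# SHARINGCONNECTIONTYPE: 0 = ICSSHARINGTYPE_PUBLIC (the side that reaches the Internet),
#                        1 = ICSSHARINGTYPE_PRIVATE (the side the other hosts come in on).
$share.INetSharingConfigurationForINetConnection.Invoke($public).EnableSharing(0)
$share.INetSharingConfigurationForINetConnection.Invoke($private).EnableSharing(1)

# ICS rewrites the private adapter's address (192.168.0.1 on XP, 192.168.137.1 on
# Windows 7 and later); confirm what it ended up as before setting the AP's gateway.
netsh interface ip show address name="$PrivateName"
```

If the last command shows an address other than 192.168.10.1, point the access point's WAN gateway at that address instead, or move the AP's static WAN address into the subnet ICS chose.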

A disaster called Silsilay


Silsilay, the latest movie by Khalid Mohammed, a critic famous for his Sunday Times articles, is a disaster to say the least. Mr. Mohammed, who has torn apart most of the movies in his journalism career, has, to my disappointment, not proven himself any better than the pack he tore apart. I think if he saw the movie impartially himself he would probably give it negative five stars.
Silsilay, as the movie is called, is a movie of three stories running one after the other, albeit aimlessly. The first story is of a film actress (Bhoomika Chawla) who falls in love with a bookie (Rahul Bose) who is two-timing his girlfriend, who in turn is two-timing him... sounds complex... don't bother... it's not complex, just kiwi drainex!
The second story is of a young girl (Riya Sen) who looks stunning in the movie, is afraid of losing her virginity and is coaxed by her overly promiscuous friend to do *it*. Ashmit Patel steps into the story as her boy toy (read "snuggies") and Jimmy Shergill as her co-worker who is looking to gain her attention. Some good (aimless) smooches result between Ashmit and Riya, and Khalid Mohammed succeeds in spinning a story that is as ridiculous as Riya and Ashmit's acting. For god's sake Riya, the Nirma soap advertisements were better!
As if the torture were not enough, Mr. Mohammed had a life-saver (or so he thought): a still more ridiculous story. Some B-grade films would have called this third story a *saga*... but I frankly think that Khalid Mohammed doesn't think!
It's a combination of a love triangle... sorry... a love quadrilateral with a diagonal (please figure out what this means on your own... watching the movie wouldn't help anyway). In this story Tabu plays a housewife whose husband (KK) is going out with a (super hot) air hostess (Celina Jaitley) and whose son suffers from an Oedipus complex (where a person falls in love with his own mother). As if this carcass did not stink up the theatres enough, there was more bull**** coming across in the form of Shah Rukh Khan in between stories and scenes. Mr. Khan, there are many ways to win Filmfare awards... this is probably the last way to *buy* them. Mr. Khan does a saving act by signalling to the audience how he behaves when nature calls... how he insanely goes about dancing for no reason whatsoever.
This is all part of the crap that I call Silsilay!
-Rajat.
Awesome Japanese Artifacts!