Archive for August, 2009
To delete the Recovery Console:
Restart your computer, click Start, click My Computer, and then double-click the hard disk where you installed the Recovery Console.
On the Tools menu, click Folder Options, and then click the View tab.
Click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.
At the root folder, delete the Cmdcons folder and the Cmldr file.
At the root folder, right-click the Boot.ini file, and then click Properties.
Click to clear the Read-only check box, and then click OK.
Warning: Modifying the Boot.ini file incorrectly may prevent your computer from restarting. Make sure that you delete only the entry for the Recovery Console. Also, change the attribute for the Boot.ini file back to a read-only state after you finish this procedure.
Open the Boot.ini file in Microsoft Windows Notepad, and remove the entry for the Recovery Console. It looks similar to this:
C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
Save the file and close it.
To install the Recovery Console, follow these steps:
Insert the Windows XP CD into the CD-ROM drive.
Click Start, and then click Run.
In the Open box, type d:\i386\winnt32.exe /cmdcons, where d is the drive letter for the CD-ROM drive. In the case of Microsoft Windows XP Professional x64 Edition, type d:\amd64\winnt32.exe /cmdcons, where d is the drive letter for the CD-ROM drive.
A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.
Restart the computer. The next time that you start your computer, “Microsoft Windows Recovery Console” appears on the startup menu.
Alternatively, you can use a Universal Naming Convention (UNC)-established connection to install the Recovery Console from a network share point.
1. Go to Start > Search > All Files or Folders.
2. In the "All or part of the file name" section, type in the "newfolder.exe" file name(s).
3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click the "Search" button.
4. When Windows finishes your search, hover over the "In Folder" of "newfolder.exe", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete newfolder.exe in the following manual removal steps.
Step 2: Use Windows Task Manager to Remove newfolder.exe Processes
1. To open the Windows Task Manager, use the combination CTRL+ALT+DEL or CTRL+SHIFT+ESC.
2. Click on the "Image Name" column header to search for the "newfolder.exe" process by name.
3. Select the "newfolder.exe" process and click on the "End Process" button to kill it.
There are a couple of tools out there which allow you to perform brute-force password guessing in your Terminal Server environment. The most well-known, however, is a free tool called TSGrinder. TSGrinder is a command line tool which, put simply, automates password guessing over RDP connections. TSGrinder is a "dictionary" based attack tool and supports multiple attack windows from a single dictionary file (you can specify this on the program command line).
A very interesting option in the program is the "leet" function. This leet function enables the program to cope with a popular development in password-land: from the knowledgeable user up, people tend to secure their passwords by replacing letters with well-known symbols. For example, password becomes p@ssw0rd (replacing a's with @'s and o's with 0's). This is a very well-thought-through option because, as we will see, trying these passwords does not require you to change your dictionary file.
Another very interesting option is the “banner” option. What this option does, is acknowledge any messages prior to log on. These are the kind of messages that you have to acknowledge before you can log on to a server, usually a legal disclaimer of some sort. This logon message can be set in Group Policy in Computer Policies > Security Settings > Local Policies > Security Settings > Interactive Logon.
This was an issue in earlier versions of TSGrinder but that has been fixed now. This option basically renders the banner message useless as a countermeasure to these kinds of attacks.
TSGrinder also supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection (the default is 5). This is used by hackers to help avoid detection, because by default after 5 unsuccessful logon attempts the Terminal Server ends the connection and an event is logged to the Terminal Server event log. The event looks like this:
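The evasion described above works because the server only counts failures within one connection. A defender's detection therefore has to count failed logons per source address across connections and over time. The following is an added example (not code from the post or from TSGrinder) that does this over a constructed, simplified failed-logon record format; the format, addresses and account names are assumptions for illustration, not real Terminal Server event text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed Terminal Server logons, one record per attempt.
# Fields: date, time, source address, target account. Not real event-log output.
SAMPLE_LOG = """\
2009-08-12 09:00:01 10.0.0.5 administrator
2009-08-12 09:00:03 10.0.0.5 administrator
2009-08-12 09:00:05 10.0.0.5 administrator
2009-08-12 09:00:07 10.0.0.5 administrator
2009-08-12 09:00:12 10.0.0.5 administrator
2009-08-12 09:00:14 10.0.0.5 administrator
2009-08-12 09:00:16 10.0.0.5 administrator
2009-08-12 09:00:18 10.0.0.5 administrator
2009-08-12 09:05:00 192.168.1.20 jsmith
2009-08-12 09:05:40 192.168.1.20 jsmith
"""

def parse_failures(text):
    """Yield (timestamp, source, account) from the constructed record format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, acct = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), src, acct

def brute_force_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source: peak_failure_count} for every source that reached
    `threshold` failed logons within any `window`, regardless of how the
    attempts were split across connections.

    The server's own per-connection limit (default 5) never trips when each
    connection carries fewer than 5 guesses, so the count is kept per source
    over a sliding time window instead."""
    recent = defaultdict(deque)   # source -> timestamps inside the window
    flagged = {}
    for ts, src, _acct in sorted(parse_failures(text)):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))   # {'10.0.0.5': 8}
```

Eight failures from 10.0.0.5 in 17 seconds are flagged even though an attacker sending 4 per connection would never hit the server's 5-attempt cutoff; the two failures from 192.168.1.20 stay under the threshold.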