Symantec AntiVirus Asks For Password During Uninstall

KB ID 0000894 

Problem

I was finishing off a domain migration this week and was changing the clients over to McAfee. On one machine I found it had Symantec AntiVirus. When I tried to remove it, it asked for a password.

One of the other machines had Symantec Endpoint Protection installed and this did the same.

As expected, no one knew what this password was, and the default password ‘symantec’ didn’t work.

Solution

The same fix worked for both of them, and its painfully easy. While still being asked for the password, do the following.

1. Launch Task Manager, (Press Ctrl+Alt+Delete, Or right click the taskbar, or simply run Taskmgr.exe).

2. Select the processes tab, Locate the MSIEXEC.EXE service. Note: There may be more than one, if so select the one that running under the user account that you a logged on as DO NOT select it is it is running under the SYSTEM account. End the process.

3. Now the password request box will have disappeared, and the uninstall process will complete on its own.

Related Articles, References, Credits, or External Links

NA

Cisco Router – Password Recovery /Bypass

KB ID 0000931 

Problem

If you have a Cisco router that you have forgotten the password for, or have been given one, or simply bought one from ebay, you may not know the password. In fact many years ago an ISP was going to charge me a ridiculas amount of money to put an entry in a routers routing table, this procedure ‘ahem’ would have allowed to to do it myself, for free, and then reload the router.

Solution

The reason you are able to do this is because of the router’s configuration register, this is the setting that decides how the system boots and how it operates. Usually it’s set to 0x2102 you can see this on a working router by running a ‘show version‘ command.

There are a number of different config register settings;

Configuration Register

Router Behavior

0x102 Ignores break, 9600 console baud
0x1202 1200 baud rate
0x2101 Boots into bootstrap, ignores break, Boots into ROM if initial boot fails, 9600 console baud rate
0x2102 Ignores break, Boots into ROM if initial boot fails, 9600 console baud rate default value for most platforms
0x2120 Boots into ROMmon, 19200 console speed
0x2122 Ignores break, Boots into ROM if initial boot fails, 19200 console baud rate
0x2124 NetBoot, Ignores break, Boots into ROM if initial boot fails, 19200 console speed
0x2142 Ignores break ,Boots into ROM if initial boot fails, 9600 console baud rate, Ignores the contents of Non-Volatile RAM (NVRAM) (ignores configuration)
0x2902 Ignores break, Boots into ROM if initial boot fails, 4800 console baud rate
0x2922 Ignores break, Boots into ROM if initial boot fails, 38400 console baud rate
0x3122 Ignores break, Boots into ROM if initial boot fails, 57600 console baud rate
0x3902 Ignores break, Boots into ROM if initial boot fails, 2400 console baud rate
0x3922 Ignores break, Boots into ROM if initial boot fails, 115200 console baud rate

The one we are interested in I’ve emboldened above (0x2142), if we can boot the router, without loading the config, we can manually load the config whilst we have administrative access, which means we can do what we like, (including changing the passwords).

1. Connect a console cable to the router and connect to it using some terminal emulation software (like PuTTy)*. Power cycle the router and as it starts to boot press the ‘break’ key (on some keyboards press Ctrl+Break, on others you can simply press the Esc Key. You will know you are successful if the router boots into ROMMON mode. Issue the following commands;

[box]

rommon 1 > confreg 0x2142
rommon 2 > reset 

[/box]

*Typically at Baud 9600, 8 bits, 1 Stop Bit, No parity, No flow control.

2. The router will reboot, when prompted select no to not enter the setup dialog. (Don’t panic your config is safe in NVRAM!).

3. Now you can go to enable mode without entering a password, and load the routers startup-configuration into memory.

[box]

Router> enable
Router# copy startup-conig running-config
Destination filename [running-config]? {Enter}

[/box]

4. You can at this point make any changes you like, but we are here to change the passwords. On this router I want to reset the enable password, and I protect console access with a username and password, so I want to add a new one for myself. Set the configuration register back to its default setting of 0x2101, save the changes. Then reload the router and make sure you can now get access.

[box]

Petes-Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Petes-Router(config)# enable secret P@ssword123
Petes-Router(config)# username petelong privilege 15 password P@ssword123
Petes-Router(config)# config-register 0x2102
Petes-Router(config)# end
Petes-Router# write memory
Petes-Router# reload
Proceed with reload? [confirm] {Enter}

[/box]

5. And we are in.

Related Articles, References, Credits, or External Links

Cisco Catalyst Password Recovery / Reset

Cisco ASA – Password Recovery / Reset

Cisco PIX (500 Series) Password Recovery / Reset

 

Cisco – Cracking and Decrypting Passwords (Type 7 and Type 5)

KB ID 0000940 

Problem

Decrypt Type 7 Cisco Passwords

The Internet is full of sites that have something like the tool below, tap your ‘encrypted’ password in and it will reveal the Cisco password.

 

Input Type 7 Obfuscated Password: Output Plain Text Password:

As you can see I’ve specifically written ‘obfuscated’ above, because the password isn’t actually encrypted at all. All that happens is the Vigenere algorithm is used to obfuscate the password. While tools like the one above are all well and good, your Cisco router will do exactly the same for you, to demonstrate, paste the following into the tool above.

107D1C09560521580F16693F14082026351C1512

Hopefully you will get the password Sup3rS3cr#tP@ssword.

Your router can also convert that to clear text for you;

[box]

Petes-Router#
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#key chain decrypt
Petes-Router(config-keychain)#key 0
Petes-Router(config-keychain-key)#key-string 7 107D1C09560521580F16693F14082026351C1512
Petes-Router(config-keychain-key)#exit
Petes-Router(config-keychain)#exit
Petes-Router(config)#exit
Petes-Router#
*Mar 1 00:04:48.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#show key chain decrypt
Key-chain decrypt:
key 0 -- text "Sup3rS3cr#tP@ssword"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#no key chain decrypt

[/box]

So whats the point of these type 7 passwords? Well the only real benefit of them is if someone is looking over your shoulder while you are looking at the config, they can’t see actual passwords in the config.

The passwords in my config are in clear text? That’s because there are three levels of password storage 0 (not encrypted), 7 (weakly encrypted), and (5 strongly encrypted). If you want to convert your config to display them as 7 you need to enter the service password-encryption command;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#service password-encryption
Petes-Router(config)#

Before

username pete password 0 Password123

After

username pete password 7 142713181F13253920796166

[/box]

If Type 7 passwords are so weak, how do I use Type 5 passwords? When creating accounts use the secret command like so;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#username petelong secret Password123
Petes-Router(config)#

Displays in the config as;

username petelong secret 5 $1$VkQd$Vma3sR7B1LL.v5lgy1NYc/

[/box]

Decrypting Type 5 Cisco Passwords

 

Decrypting a Type 5 Cisco password is an entirely different ball game, they are considered ‘secure’ because they are ‘salted’ (have some random text added to the password to create an MD5 hash) however that random salt is shown in the config.

[box]

username attackme secret 5 $1$TMnL$iAFs16ZXx7x18vR1DeIp6/

[/box]

Well armed with the salt and the hash, we can use exactly the same method that Cisco use to create the encrypted password, by brute force attacking the password, this might sound like a difficult piece of hacking ninja skill, but we simply use openssl on a Linux box (here I’m using CentOS 6.5), all you need is a wordlist.txt file (search the Internet).

Feed openssl the salt, and a piece of the hash (see the example above), and it will run through, (grep) the wordlist until it finds a match, where it spits out the decrypted password an the original hash like so;

[box]

[root@pnl-server1 ~]# openssl passwd -1 -salt TMnL -table -in wordlist.txt | grep 8vR1DeIp6
SECRETPASSWORD $1$TMnL$iAFs16ZXx7x18vR1DeIp6/
[root@pnl-server1 ~]#

[/box]

The decrypted password is SECRETPASSWORD

Note: The limitation here is the password has to be in the wordlist.txt file,but if you are adept at searching the Internet there are some impressive wordlist files out there, just make sure you use one that has full line breaks. Also remember, the longer the wordlist, the longer it takes.

Related Articles, References, Credits, or External Links

NA