Sunday, February 28, 2010

How to Crack a Wi-Fi Network's WEP Password with BackTrack

What You'll Need

Here's what you'll need:

  • A compatible wireless adapter—This is the biggest requirement. You'll need a wireless adapter that's capable of packet injection, and chances are the one in your computer is not. Examples: the Alfa AWUS050NH USB adapter, or the Alfa AWUS036H (not the US050NH). There are plenty of resources on getting aircrack-compatible adapters out there.
  • A BackTrack 3 Live CD. We already took you on a full screenshot tour of how to install and use BackTrack 3, the Linux Live CD that lets you do all sorts of security testing and tasks. Download yourself a copy of the CD and burn it, or load it up in VMware to get started. (I tried the BackTrack 4 pre-release, and it didn't work as well as BT3. Do yourself a favor and stick with BackTrack 3 for now.)
  • A nearby WEP-enabled Wi-Fi network. The signal should be strong and ideally people are using it, connecting and disconnecting their devices from it. The more use it gets while you collect the data you need to run your crack, the better your chances of success.
  • Patience with the command line. This is a ten-step process that requires typing in long, arcane commands and waiting around for your Wi-Fi card to collect data in order to crack the password. Like the doctor said to the short person, be a little patient.

Crack That WEP

To crack WEP, you'll need to launch Konsole, BackTrack's built-in command line. It's right there on the taskbar in the lower left corner, second button to the right. Now, the commands.

First run the following to get a list of your network interfaces:


The only one I've got there is labeled ra0. Yours may be different; take note of the label and write it down. From here on in, substitute it in everywhere a command includes (interface).

Now, run the following four commands. See the output that I got for them in the screenshot below.

airmon-ng stop (interface)
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

If you don't get the same results from these commands as pictured here, most likely your network adapter won't work with this particular crack. If you do, you've successfully "faked" a new MAC address on your network interface, 00:11:22:33:44:55.

Now it's time to pick your network. Run:

airodump-ng (interface)

to see a list of wireless networks around you. When you see the one you want, hit Ctrl+C to stop the list. Highlight the row pertaining to the network of interest, and take note of two things: its BSSID and its channel (in the column labeled CH), as pictured below. Obviously the network you want to crack should have WEP encryption (in the ENC column), not WPA or anything else.

Like I said, hit Ctrl+C to stop this listing. (I had to do this once or twice to find the network I was looking for.) Once you've got it, highlight the BSSID and copy it to your clipboard for reuse in the upcoming commands.

Now we're going to watch what's going on with that network you chose and capture that information to a file. Run:

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

Where (channel) is your network's channel, and (bssid) is the BSSID you just copied to clipboard. You can use the Shift+Insert key combination to paste it into the command. Enter anything descriptive for (file name). I chose "yoyo," which is the network's name I'm cracking.

You'll get output like what's in the window in the background pictured below. Leave that one be. Open a new Konsole window in the foreground, and enter this command:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

Here the ESSID is the access point's SSID name, which in my case is yoyo. What you want to get after this command is the reassuring "Association successful" message with that smiley face.

You're almost there. Now it's time for:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

Here we're creating router traffic to capture more throughput faster to speed up our crack. After a few minutes, that front window will start going crazy with read/write packets. (Also, I was unable to surf the web with the yoyo network on a separate computer while this was going on.) Here's the part where you might have to grab yourself a cup of coffee or take a walk. Basically you want to wait until enough data has been collected to run your crack. Watch the number in the "#Data" column—you want it to go above 10,000. (Pictured below it's only at 854.)

Depending on the power of your network (mine is inexplicably low at -32 in that screenshot, even though the yoyo AP was in the same room as my adapter), this process could take some time. Wait until that #Data goes over 10k, though—because the crack won't work if it doesn't. In fact, you may need more than 10k, though that seems to be a working threshold for many.

Once you've collected enough data, it's the moment of truth. Launch a third Konsole window and run the following to crack that data you've collected:

aircrack-ng -b (bssid) (file name-01.cap)

Here the filename should be whatever you entered above for (file name). You can browse to your Home directory to see it; it's the one with .cap as the extension.

If you didn't get enough data, aircrack will fail and tell you to try again with more. If it succeeds, it will look like this:

The WEP key appears next to "KEY FOUND." Drop the colons and enter it to log onto the network.

Wednesday, February 24, 2010

Manage user accounts with LDIFDE tool

The LDAP Data Interchange Format Directory Exchange utility (LDIFDE.exe) is much more powerful than the addusers utility. It comes bundled in the default installation of Windows 2000 Server, Advanced Server, and Datacenter Server. In this article, I will show you the power of LDIFDE and explain how to use it to add, modify, and remove users in your Active Directory tree.

Modifying Active Directory information
I will now go over the process of creating new users in Active Directory using this utility. I have created an organizational unit named newusers, which I will use for all of the examples.

Example 1—importing new users
In this example, I will import two new users—NewUser and AnotherUser—into Active Directory. To do this, I will create a text file named Import.ldf with the following data:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: add
cn: New User
objectClass: user
samAccountName: NewUser

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: add
cn: Another User
objectClass: user
samAccountName: AnotherUser

This might look a little intimidating, and the format is definitely not as simple as the one used with the addusers utility, so let's take a closer look at what's going on.

A new user is being created in a specific organizational unit (newusers, in this case) and the user’s name fields are being set up.

To import this information, I will use the following command:
ldifde -v -i -s w2ks -f import.ldf

Again, the –v indicates that I want verbose output for this command, while the next parameter, -i, indicates import mode. By default, LDIFDE uses export mode unless this parameter is present. The -s and –f parameters specify the server and the name of the import file, respectively.

The output from this command is shown in Listing D.

When I browse to the newusers organizational unit in the Active Directory Users And Computers GUI tool after this process is finished, I find that there are two new users matching the descriptions above.

Example 2—Modifying information
You can also use LDIFDE to modify the information for a user, if necessary—such as when a user changes offices or gets married. For this example, I will modify the address of the two users I just created. Since they work in the same office and have the same address, this is what will be in the import file I use:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: modify
replace: streetAddress
streetAddress: 1450 Bum Street
-
replace: l
l: Somewheretown
-
replace: st
st: Somestate
-
replace: postalCode
postalCode: 90210
-

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: modify
replace: streetAddress
streetAddress: 1450 Bum Street
-
replace: l
l: Somewheretown
-
replace: st
st: Somestate
-
replace: postalCode
postalCode: 90210
-

This needs a little more explanation. The line beginning with dn indicates which Active Directory object is being worked with. In this case, it is being modified, as indicated by the changetype line. Next, the import file is requesting a replacement of the object’s street address, the data for which is given on the next line, followed by a dash, which indicates that this modification record is to continue. Next, l (locality or city), st (state), and postalCode (postal code) are all modified. Note the blank line between the last dash of the first record and the first line of the second record. This is critical. If you don’t include it, the modification won’t work. To execute these modifications, I issue this command:
ldifde -v -i -s w2ks -f modify.ldf

The output is similar to the previous example. When I look in the GUI utility, I see that the address records for both users were properly modified and match the information I entered into Modify.ldf.

Example 3—Deleting objects from Active Directory
Upper management has finally realized that these two new users weren’t worth the stock options they were given, so they're being let go. To delete two users, you would normally use the GUI, but for demonstration purposes, I am going to show you how to do it with LDIFDE.

First, I need to create a file that will tell LDIFDE what to do. Here is what that command file, named Delete.ldf, will contain:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: delete

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: delete

This is pretty self-explanatory. To execute the commands in this file, I type
ldifde -v -i -s w2ks -f delete.ldf

Once I finish, I can verify that the users are indeed gone from Active Directory by going to the GUI tool once again.

LDIFDE is a powerful utility that can be useful in adding, deleting, and modifying user accounts in Active Directory. As an example, I am currently working on a set of scripts to create Exchange contacts (as objects) in Active Directory for people who exist in a Microsoft SQL Server database of business contacts, with an automatic update every hour. I am using LDIFDE to do the importing into ADS. Of course, with this power comes some complexity. You will need to practice a little with this utility—preferably on a test network—before trying to make mass changes to your live Active Directory.
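
As an added example (not code from the article), the Python script below generates the three kinds of record the article uses with ldifde -i and checks a file for the two mistakes it warns about: a missing blank line between records and a replace that is not closed by a dash. The DN is the article's; the function names are my own, and only the plain LDIF subset shown in the article is handled.

```python
# Added example (not from the original article): generate and check LDIF in the
# form the article feeds to "ldifde -i": one record per object, records separated
# by a blank line, and each attribute change inside a modify record closed by a
# line containing only "-". No base64 ("::") values or folded lines are handled.

def ldif_add(dn, attrs):
    """Build an add record; attrs is a list of (attribute, value) pairs."""
    lines = [f"dn: {dn}", "changetype: add"]
    lines += [f"{name}: {value}" for name, value in attrs]
    return "\n".join(lines)

def ldif_modify(dn, replacements):
    """Build a modify record that replaces each listed attribute in turn."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in replacements:
        lines += [f"replace: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines)

def ldif_delete(dn):
    return f"dn: {dn}\nchangetype: delete"

def ldif_file(records):
    """Join records with the blank line ldifde needs between them."""
    return "\n\n".join(records) + "\n"

def parse_ldif(text):
    """Return [(dn, changetype, [(attribute, value), ...])].
    Raises ValueError on a missing blank line between records, or on a
    replace that is not closed by "-" before the next replace begins."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        if not lines[0].startswith("dn: "):
            raise ValueError(f"record does not start with dn: {lines[0]!r}")
        dn = lines[0][4:]
        if len(lines) < 2 or not lines[1].startswith("changetype: "):
            raise ValueError(f"no changetype line for {dn}")
        ctype = lines[1][len("changetype: "):]
        attrs, pending = [], None
        for line in lines[2:]:
            if line.startswith("dn: "):
                raise ValueError(f"missing blank line before {line!r}")
            if ctype != "modify":
                name, _, value = line.partition(": ")
                attrs.append((name, value))
            elif line == "-":
                pending = None                  # this change is complete
            elif line.startswith("replace: "):
                if pending is not None:
                    raise ValueError(f"replace: {pending} not closed by '-' in {dn}")
                pending = line[len("replace: "):]
            else:
                name, _, value = line.partition(": ")
                if pending is None or name.lower() != pending.lower():
                    raise ValueError(f"{name} given outside a replace in {dn}")
                attrs.append((name, value))
        records.append((dn, ctype, attrs))
    return records

NEW_USER = "CN=New User,OU=newusers,DC=slowe,DC=com"

if __name__ == "__main__":
    print(ldif_file([ldif_add(NEW_USER, [("cn", "New User"), ("objectClass", "user"), ("samAccountName", "NewUser")]),
                     ldif_modify(NEW_USER, [("streetAddress", "1450 Bum Street"), ("l", "Somewheretown")]),
                     ldif_delete(NEW_USER)]))
```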

CSVDE command to import User Accounts in Active Directory

Preparation - The secrets of importing objects with CSVDE:

1) Practice with CSVDE Export. Remember that seven minutes of planning will save you an hour of rework. It may seem eccentric to start with an export when all you want to do is import, but trust me: always start with CSVDE export. Here is my reasoning: gain experience of the CSVDE switches in conditions where you can do no harm to Active Directory.

When you use CSVDE -i filename to import user accounts, you make changes that will be difficult to reverse. In export mode you can do no harm to Active Directory, and starting with CSVDE -f filename.csv will help build up your understanding of the switches, or what Microsoft calls the parameters.

2) Learn the precise spelling of LDAP fields, for example sAMAccountName is correct, sAMAaccountNames has two mistakes and would cause the import to fail. (This LDAP name is singular, and the double Aa is incorrect.)

3) Create a good .CSV file and learn as much as you can about the LDAP fields in the first row. When you export a user, you get a spreadsheet full of LDAP attributes, for example sn, phone, email and many more besides. My advice is to investigate which of the LDAP fields in the first row are compulsory, which are optional, which have strange numeric data, and which you can safely ignore when you switch CSVDE to import mode.

Example 1: A simple import with minimal LDAP fields

My theme is getting you started. Imagine the scenario: your manager wants 500 users added to his Windows 2003 domain. Fortunately, human resources have all the new joiners in a spreadsheet called Newport.csv. So, let us begin with a simple spreadsheet with only 3 LDAP columns: objectClass, sAMAccountName and DN.

LDAP fields for Excel: DN, sAMAccountName, objectClass

A) objectClass - User. Simple and easy: we want to create a user, not a computer and not an OU.

B) sAMAccountName - This is the logon name, maximum of 11 characters. What the user should put in the Ctrl, Alt Delete logon box. Keep this name simple for now. Remember we just want to get the prototype import working and then we can add more LDAP fields.

C) DN - Distinguished name, for example, CN= Firstname Surname,OU=Newport,dc=domain,dc=com

DN is the hardest LDAP field to create. Let us break it down into 3 elements.

1) User name - CN= Firstname Surname. If it were me, the value would be CN=Guy Thomas. In this context think of CN= as meaning common name, or just plain name.

2) Organizational name - OU=Newport. All you have to worry about is have you created an OU called Newport in your domain? If not, then either create one, or change this value to OU=YourOU.

3) Domain name - dc=domain,dc=com. Is your domain a fully qualified name with a suffix, or is it plain mydom (no .com, .net or similar)? It is essential to find out what your domain is called, and only you know the answer.

What would you say the domain name is for this screenshot: cp, cp.local? The answer is

So if this were your domain, the third DN element would be dc=cp,dc=com. Incidentally, dc stands for domain context, not domain controller.

The Actual CSVDE -i import command

After all the hard work in preparing the spreadsheet, we are now ready for the import. Open the CMD prompt, navigate to the folder where you saved your .csv file.

Type this command: CSVDE -i -f Newport.csv

To check your new users, launch Active Directory Users and Computers and examine the Newport Organizational Unit. After each import, right click the OU and select Refresh from the short cut menu. Simply pressing F5 is not good enough.
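
As an added example (not code from the article), the Python script below builds the three-column Newport.csv described above from a list of HR rows, assembling each DN from the three elements just discussed and escaping RDN values per RFC 4514 so that a surname containing a comma does not break the DN. The HR rows and the cp.com domain value are constructed, and KNOWN_ATTRIBUTES is an assumption that covers only attributes the article names.

```python
# Added example (not code from the article): build the minimal three-column
# import file from an HR list, assembling each DN from the three elements the
# article breaks down (CN, OU, dc=...) and escaping RDN values per RFC 4514.
# KNOWN_ATTRIBUTES is an assumption covering only attributes the article
# names; HR_ROWS are constructed sample data.
import csv
import io

# Attribute names spelled exactly as Active Directory expects them; a header
# such as the article's "sAMAaccountNames" is reported by check_header().
KNOWN_ATTRIBUTES = {"DN", "objectClass", "sAMAccountName", "cn", "sn",
                    "givenName", "mail", "telephoneNumber", "mobile", "title"}

def escape_rdn_value(value):
    """Escape characters that are special inside an RDN value (RFC 4514)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def domain_to_dc(domain):
    """'cp.com' -> 'dc=cp,dc=com', the third DN element in the article."""
    return ",".join(f"dc={part}" for part in domain.lower().split("."))

def build_dn(first, last, ou, domain):
    cn = escape_rdn_value(f"{first} {last}")
    return f"CN={cn},OU={escape_rdn_value(ou)},{domain_to_dc(domain)}"

def check_header(fields):
    """Return the header fields that are not known LDAP attribute names."""
    return [f for f in fields if f not in KNOWN_ATTRIBUTES]

def build_import_csv(people, ou, domain):
    """Turn (first, last, logon) rows into CSVDE -i input; returns the text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["DN", "sAMAccountName", "objectClass"])
    seen = set()
    for first, last, logon in people:
        if logon.lower() in seen:   # sAMAccountName must be unique in the domain
            raise ValueError(f"duplicate sAMAccountName: {logon}")
        seen.add(logon.lower())
        writer.writerow([build_dn(first, last, ou, domain), logon, "user"])
    return buf.getvalue()

# Constructed sample HR rows: (first name, surname, logon name).
HR_ROWS = [("Guy", "Thomas", "guyt"), ("Ann", "Smith, Jr.", "anns")]

if __name__ == "__main__":
    print(build_import_csv(HR_ROWS, "Newport", "cp.com"))
```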

Example of customized CSVDE command:

OU=Khadamat-FM users

c:\>csvde -f output.csv -d "OU=Khadamat-FM Users,DC=Local,DC=Khadamat-FM,DC=ae" -r ObjectClass=user -l "cn,Title,telephoneNumber,Mobile,mail"

This command exports the name, job title, telephone number, mobile phone, and email address of the users in that OU to the file output.csv.

CSVDE command to export User Accounts in Active Directory

Example 1: The plain CSVDE -f export switch

Our mission: To export all users and computers into a file called adusers.csv and then to read this export data in Excel.

Preparation: Open up a command prompt, I use Start, Run, CMD.

Type this command: CSVDE -f adusers.csv

To see the result of your command instantly, type: notepad adusers.csv. For a more useful view of your export, open a spreadsheet program such as Excel, click File (menu), Open, set Files of Type to All files, and then browse to the directory where you created adusers.csv.

Learning Points

Note 1: The -f switch specifies the filename.

Example 2: Filter the output with CSVDE -d

What the -d filter does is focus the export on one particular area. For example, suppose you only wish to export one OU and not the whole Active Directory domain.

Command: CSVDE -d "OU=Newport,DC=cp,dc=com" -f Newport.csv

If you try this filter, make sure you substitute your OU for Newport and your domain for dc=cp. Observe carefully the syntax with those speech marks and commas between the elements. Avoid the trap of being so concerned with the -d switch that you forget the -f filename.csv.

Example 3a: Filter the rows with CSVDE -r

If you use CSVDE with only the -f switch, then you probably get too much data. For instance, you may only be interested in the user objects and not the OU or binary objects. In which case you need a filter to remove the unwanted data.

There are two ways to filter the output, row-wise or column-wise. With the -r switch you can select rows which meet your criteria, for example objectClass=user.

Command: CSVDE -f adusers.csv -r objectClass=user

Learning Points

Note 1: Let us concentrate on the syntax of the filter switch: -r objectClass=User. There is no comma in this command, just a space between the switch and the parameter. What I mean is there should be no space between the minus sign and the switch. -r is correct. However, - r (with a space) would be a mistake.

Note 2: A Surprise. Even though you specifically ask for objectClass=user, CSVDE returns both user and computer objects. I didn't know why this happened until Jon de R. kindly wrote in and said we need the objectCategory=person filter.

Jon de R. suggests: CSVDE -f onlyusers.csv -r objectCategory=person.

Clive B points out: objectCategory=person also includes 'contacts'.

Warning: Sometimes when you copy and paste these CSVDE commands they do not work. What happens is that ‘copy’ picks up a phantom ° symbol, which blocks the proper execution. All you get is a list of the commands, just as if you had typed CSVDE /? My answer was to check in ‘Word’ for any extra symbols. If all else fails, I type the command manually at the command prompt.

Sometimes closing the CMD prompt window, then re-opening magically clears the problem. When you start a second CMD prompt, CSVDE suddenly works, whereas previously it failed. I only solved my latest mystery error by logging off and logging on again. I say again if CSVDE fails or encounters an error it seems to freeze when you subsequently issue a perfectly valid command.

Example 3b Fine tuning the CSVDE -r filter

Conclusion: after hours of frustration, my advice is to avoid these advanced features. While it is possible to refine the -r switch, my advice is to stick to the basics of Example 2a.

O.K., so you really want to master this -r switch. If you add brackets, speech marks and & (ampersand) then you can produce a more focused output. In my humble opinion, the normally excellent help is a bit sketchy on this -r switch. I found experimenting yielded results, whereas slavishly following the instructions led to disappointment.

Here is a command that filters users whose surname = Thomas.

CSVDE -f export.csv -r "(&(objectClass=user)(sn=Thomas))"

Here is a variation using a wild card *

CSVDE -f export.csv -r "(&(objectClass=user)(sn=Thom*))"

Note: Suggestion from Vinnie

I thought you might find it useful that this command string only produced users and no contacts.
CSVDE -f onlyusers.csv -r "(&(objectClass=user)(objectCategory=person))"
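
As an added example (not code from the article), the Python helper below composes the csvde export command lines of Examples 2, 3a and 3b (and the Khadamat-FM one above) from their parts, escaping values placed in the -r filter per RFC 4515 so that a surname containing parentheses or an asterisk cannot change the filter's structure. The function names are my own, and the command is returned as a string rather than executed.

```python
# Added example (not code from the article): compose csvde export command lines
# from their parts so the -r filter syntax of Examples 2, 3a and 3b is generated
# rather than hand-typed. Values placed in the filter are escaped per RFC 4515;
# a trailing "*" survives only when a wildcard is explicitly requested.

# Characters with a special meaning inside an LDAP filter value.
FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value, wildcard=False):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = "".join(FILTER_SPECIALS.get(ch, ch) for ch in value)
    if wildcard and value.endswith("*"):
        out = out[:-3] + "*"        # keep the one trailing wildcard, e.g. Thom*
    return out

def eq(attr, value, wildcard=False):
    """One equality term: (attr=value)."""
    return f"({attr}={escape_filter_value(value, wildcard)})"

def all_of(*terms):
    """AND several terms together: (&(a)(b))."""
    return "(&" + "".join(terms) + ")"

# The filter Vinnie suggested for users only (no contacts, no computers).
USERS_ONLY = all_of(eq("objectClass", "user"), eq("objectCategory", "person"))

def csvde_export(outfile, base_dn=None, filt=None, attrs=None):
    """Build 'csvde -f ... [-d ...] [-r ...] [-l ...]' as typed at cmd.exe."""
    for part in (outfile, base_dn or "", filt or ""):
        if '"' in part:              # a stray quote would break cmd.exe quoting
            raise ValueError(f"double quote not allowed in {part!r}")
    parts = ["csvde", "-f", outfile]
    if base_dn:
        parts += ["-d", f'"{base_dn}"']
    if filt:
        parts += ["-r", f'"{filt}"']
    if attrs:
        parts += ["-l", '"' + ",".join(attrs) + '"']
    return " ".join(parts)

if __name__ == "__main__":
    # Example 3b's wildcard filter and a column-limited export of one OU.
    print(csvde_export("export.csv", filt=all_of(eq("objectClass", "user"), eq("sn", "Thom*", wildcard=True))))
    print(csvde_export("output.csv", base_dn="OU=Newport,DC=cp,DC=com", filt=USERS_ONLY, attrs=["cn", "title", "mail"]))
```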

Thursday, February 18, 2010

Configuring Roaming User Profiles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you create a roaming user profile, you need to create each user account. Then, log on to a server as an administrator to create a network share to store the roaming user profiles, designate the groups of users to receive the roaming user profiles, and grant all users Full Control permissions.

Use the following procedures when you create and manage roaming user profiles.

Creating Roaming User Profiles

To perform the following procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. For enhanced security, consider using the Runas command to perform this procedure.

To create a roaming user profile

  1. Open Active Directory Users and Computers.

  2. Click the domain and the OU where the user account resides.

  3. Right-click the user account for which to set a roaming profile, and then click Properties.

  4. Click the Profile tab, and then type the profile path information in Profile path. (Use the full path in each user account. For example, type \\Server\ShareName\UserName.)

Wednesday, February 17, 2010

How to View / Disconnect Remote Desktop Sessions from Commandline

I used to receive the maximum number of connections error message when I tried to log on to the Windows 2003 Server in my office via Windows Remote Desktop.

“The terminal server has exceeded the maximum number of allowed connections”

Session Exceeded

This is pretty annoying if you have some urgent work to do on the server. Most of the already logged in users won’t even be using their session at the time, but I can’t log in! So how do you solve this? After a bit of googling, as usual, I found a simple way to disconnect other remotely logged in sessions. :D

First of all you must be logged in to your client computer as a domain Admin user. Now open the command prompt and type in the following command.

qwinsta /server:SERVERIP

The IP address or domain name of the remote server should be entered in place of SERVERIP.


qwinsta /server:

You will get a list of the Remote Sessions in the command window.

Remote sessions list

In the above screenshot we can clearly see an Active RDP session with the ID 2 which belongs to the user Administrator. In order to disconnect that user we are going to use the session ID. Use the following command line to disconnect the remote session.

rwinsta /server:SERVERIP SESSIONID

For example in order to terminate the session of the Administrator user the following command should be given.

rwinsta /server: 2

Disconnect Remote Session

Now let’s confirm that the user is really disconnected. Just type in the qwinsta command in the proper format.

Disconnected Remote Sessions List

As you can see, our session with ID 2 is no longer there. The user we just disconnected will now see the following message.


The remote session was disconnected because your session was logged off at the remote computer. Your administrator or another user might have ended your connection.
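
As an added example (not code from the original post), the Python script below parses the table that qwinsta /server:SERVERIP prints and lists the disconnected user sessions that an administrator could reset with rwinsta, while leaving the services session, the console and the rdp-tcp listener alone. The sample table is constructed to match qwinsta's column layout, the column positions are read from the header line rather than hard-coded, and the server address 10.0.0.5 is a placeholder.

```python
# Added example (not from the original post): parse the session table printed
# by "qwinsta /server:SERVERIP" and pick out the sessions worth resetting with
# rwinsta: disconnected sessions that still belong to a user. The services
# session, the console and the rdp-tcp listener are skipped.
from collections import namedtuple

Session = namedtuple("Session", "name user id state current")

# Constructed sample output; ">" marks the caller's own session. The column
# widths are built with explicit padding so they line up with the header.
SAMPLE = "\n".join([
    " SESSIONNAME" + " " * 7 + "USERNAME" + " " * 17 + "ID  STATE   TYPE        DEVICE",
    " services" + " " * 36 + "0  Disc",
    ">console" + " " * 11 + "Administrator" + " " * 13 + "1  Active  wdcon",
    " rdp-tcp#2" + " " * 9 + "jsmith" + " " * 20 + "2  Active  rdpwd",
    " " * 19 + "hr-temp" + " " * 19 + "3  Disc",
    " rdp-tcp" + " " * 33 + "65536  Listen",
])

def parse_qwinsta(text):
    """Turn qwinsta's table into Session records using the header's offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    c_user = header.index("USERNAME")
    c_id_end = header.index(" ID") + 3      # the ID column is right-aligned here
    sessions = []
    for line in lines[1:]:
        current = line.startswith(">")
        name = line[1:c_user].strip()
        fields = line[c_user:c_id_end].split()   # [username] id
        if not fields or not fields[-1].isdigit():
            continue                             # not a session row
        user = fields[0] if len(fields) == 2 else ""
        rest = line[c_id_end:].split()
        state = rest[0] if rest else ""
        sessions.append(Session(name, user, int(fields[-1]), state, current))
    return sessions

def resettable(sessions):
    """Disconnected user sessions: they hold a connection slot but do no work."""
    return [s for s in sessions
            if s.state == "Disc" and s.user and s.id != 0 and not s.current]

def rwinsta_commands(server, sessions):
    """The rwinsta command lines the post describes, one per resettable session."""
    return [f"rwinsta /server:{server} {s.id}" for s in resettable(sessions)]

if __name__ == "__main__":
    for s in parse_qwinsta(SAMPLE):
        print(s)
    print(rwinsta_commands("10.0.0.5", parse_qwinsta(SAMPLE)))
```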