Crack the Windows SAM file from a backup filesystem

The SAM file is locate in C:\Windows\System32\config and stores all Windows account password encrypted.

The problem is that you cannot copy or tamper the file while the file system is mounted.

This leaves us with at least 2 options: copy the SAM and SYTEM files from a Linux live CD or by having a copy of those files in a backup.

I have the backup and I copy the 2 files to my Kali Linux machine.

I recover the NTLM hashes by issuing the following command:

root@kali:~# /usr/bin/samdump2 /root/Desktop/SYSTEM /root/Desktop/SAM

The backup is from a Windows 7 version and that means that we are seeing NTLM v.2 hashes, which translates to the fact that only the last part of the hashes are useful.

So we need to convert to uppercase the bold part by using 2 BASH commands:

cristi@ubserver-nv:~/hashcat$ STRING=’f9a14effe4a24ceb1cf0b2e8e9e7e9f9
cristi@ubserver-nv:~/hashcat$ echo $STRING | awk ‘{print toupper($0)}’

Copy the uppercase version to a text file and start hashcat:

crs@ubsv:~$ ./hashcat -m 1000 -a 3 ./ntlm.txt -w 3 –status

Good luck!













How to increase the Kali Linux root partition

If you need to increase the Kali Linux root partition size, this might become difficult if you have another extended partition (like SWAP) right after your root partition ends.
First things first. If you are using VMware, edit the settings of the Kali virtual machine and expand the hard disk.
Power on the Kali virtual machine.

My problem:
/dev/sda1 30GB mounted on /
/dev/sda2 5GB extended partition mounted as SWAP

What I want to do is delete the SWAP partition, mark the space as unused and increase the / partition size and leave a couple of GB free to create another SWAP partition.

Using qparted will not work, because it will tell you that the (swap) partition is in use.
Commenting the swap partition in /etc/fstab will also not work. Also tried swapoff –all with the same result.

The fix:
root@kali:~# fdisk /dev/sda5 //the SWAP partition
use p to print the current partitions on that device.
use d to delete the partition
with w write the changes and reboot.

Use df -h to see if the SWAP is still there, or qparted if you want a GUI.

Resize the root partition by deleting it:

root@kali:~# fdisk /dev/sda

Command (m for help): p
Disk /dev/sda: 300 GiB, 322122547200 bytes, 629145600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xaaea4a6f

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 60262399 60260352 28.8G 83 Linux

Command (m for help): d //deletes the partition
Selected partition 1
Partition 1 has been deleted.

// recreate the partition starting from the first allocated cylinder (2048), the increase the size of the partition
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-629145599, default 2048): 2048
Last sector, +sectors or +size{K,M,G,T,P} (2048-629145599, default 629145599): +290G //extend the / partition to 290G

Created a new partition 1 of type ‘Linux’ and of size 290 GiB.

Command (m for help): a //mark the partition as bootable
Selected partition 1
The bootable flag on partition 1 is enabled now.

Command (m for help): p
Disk /dev/sda: 300 GiB, 322122547200 bytes, 629145600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xaaea4a6f

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 608176127 608174080 290G 83 Linux

Command (m for help): w //write the changes
The partition table has been altered.
Calling ioctl() to re-read partition table.
Re-reading the partition table failed.: Device or resource busy

The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or kpartx(8).

root@kali:~# reboot

After the reboot, issue the following command:

root@kali:~# resize2fs /dev/sda1
resize2fs 1.42.13 (17-May-2015)
Filesystem at /dev/sda1 is mounted on /; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 19
The filesystem on /dev/sda1 is now 76021760 (4k) blocks long.

Check with df -h if the partition scheme is ok.

root@kali:~# df -h
Filesystem Size Used Avail Use% Mounted on
udev 10M 0 10M 0% /dev
tmpfs 529M 7.9M 521M 2% /run
/dev/sda1 286G 9.5G 264G 4% /
tmpfs 1.3G 320K 1.3G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 1.3G 0 1.3G 0% /sys/fs/cgroup
tmpfs 265M 8.0K 265M 1% /run/user/133
tmpfs 265M 16K 265M 1% /run/user/0
tmpfs 1.3G 4.0K 1.3G 1% /var/lib/polkit-1/localauthority/90-mandatory.d
root@kali:~# resize2fs /dev/sda1

To create another SWAP partition, just use qparted and create the partition with the desired size.


Install Logwatch in Linux CentOS

Logwatch is a Linux application that parses log files, analyses them and sends periodical reports, based on specific criteria, to one or more email addresses.
In order to install logwatch in linux CentOS you have to issues the following command:

yum install logwatch

Edit the configuration file:

nano /usr/share/logwatch/default.conf/logwatch.conf

Check and edit the following directives in order to suit your needs:

LogDir = /var/log
MailFrom =
Range = yesterday //(or today)
Detail=Medium // (other: Low, Medium, High)
Service=all //(other examples would be httpd, sshd2, ftp)

Run logwatch manually:

logwatch --detail High --mailto --service http --range today

The output should be like this:

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Tue May 19 14:21:59 2015
        Date Range Processed: today
                              ( 2015-May-19 )
                              Period is day.
      Detail Level of Output: 5
              Type of Output: unformatted
           Logfiles for Host: nix

 --------------------- courier mail services Begin ------------------------

 **Unmatched Entries**
   courier-pop3d - 2 Times
      Connection, ip=[::ffff:] - 1 Time
      Disconnected, ip=[::ffff:] - 1 Time

 ---------------------- courier mail services End -------------------------

 --------------------- Cron Begin ------------------------

    Authentication Failures:
       root ( 4930 Time(s)
       root ( 3524 Time(s)
       root ( 925 Time(s)
       unknown ( 391 Time(s)
       root ( 137 Time(s)
       root ( 114 Time(s)
       root ( 98 Time(s)
       root ( 90 Time(s)
       root ( 80 Time(s)
       root ( 69 Time(s)
       root ( 68 Time(s)

Block failure notice emails in qmail

I have Plesk on my Linux server and I receive lots of spam emails from the root account on my server.
Here’s what happened. My forum used to send emails to non-existent email accounts around the web and I used to receive the failure notices for them.
To block failure notice emails in qmail that were forwarded to my main email I had to modify the aliases from


Here’s a sample email I received:
Mar 30 (7 days ago)

to postmaster 
Hi. This is the qmail-send program at
I tried to deliver a bounce message to this address, but the bounce bounced!

2a00:1450:4013:0c01:0000:0000:0000:001a does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 q5si14669450wjx.9 - gsmtp
Giving up on 2a00:1450:4013:0c01:0000:0000:0000:001a.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 8634 invoked for bounce); 29 Mar 2015 23:50:02 +0200
Date: 29 Mar 2015 23:50:02 +0200
Subject: failure notice

As you can see, the postmaster account was receiving the spam from MAILER-DAEMON and MAILER-DAEMON was forwarding them to my account. Pretty nasty…

The fix:
Go to


do a

ls -alh

and you will see a couple of hidden config files.

Inside each of those file I had my @gmail account. With the next script I overwrote the gmail account with a non-existent email:



for FILE in ./.qmail-*;do echo "nonexistent@nodomain.tld" > $FILE;done

Restart/reload qmail:

service qmail reload

That’s it! You should not receive any spam from any of the root, mailman or postmaster accounts.

Batch download files from a website

I needed a quick bash script that will batch download files from a website and I cam up with the following.

The files had the names like 1.gif, 2.gif, etc and were accessible via a CDN subdomain like

So here it is:

for i in {1..18000}; do wget$i.gif; sleep 5;done

Replace with your site and that’s it.
Alternatively you can get rid of “sleep 5” and put the whole script in a file and execute it with:

[root@nix]# nohup ./ &

This will keep your script running even if you disconnect from the shell console.

Restore mysql database from sql file

If you want to restore a mysql database from a sql file you have to issue this command:

[root@enix ~]#mysql -uroot -pxxx my-database < my-database-backup.sql

– where: my-database is your databse where you want to restore data;
– my-database-backup.sql is your sql backup file
– change root to your mysql user
– change xxx with your mysql password

And that’s it.

When dumping the database with mysqldump, use the option –no-create-db.
This will suspress the CREATE DATABASE statement in your dump file.
Then restore the database with

mysql -h <host> -u <user> -p <databasename> < dump.sql

In this way you can restore your data in whatever database you like (But that database has to exist!).

Substitution operators

Substitution operators are used for expanding parameters and variable values.


${variablename:-some word}

-If varname exists and isn’t null, return its value; otherwise return word.

Purpose: Returning a default value if the variable is undefined.

[root@euve59329 ~]# echo ${PWDx:-non existent variable}
non existent variable

– If varname exists and isn’t null, return its value; otherwise set it to
word and then return its value. Positional and special parameters

[root@euve59329 ~]# echo ${ID:=0}

– ID variable does not exist. In this case, the value is set to 0.

Purpose:Setting a variable to a default value if it is undefined.


If varname exists and isn’t null, return its value; otherwise print
varname: followed by message, and abort the current command or
script (non-interactive shells only). Omitting message produces the
default message parameter null or not set.


[root@euve59329 ~]# echo ${thevariable:?does not exist}
bash: thevariable: does not exist
[root@euve59329 ~]#

– Purpose: Catching errors that result from variables being undefined.


[root@euve59329 ~]# echo ${count:+1}
[root@euve59329 ~]# echo ${countX:+1}

Purpose: Testing for the existence of a variable.
Example: ${count:+1} returns 1 (which could mean “true”) if count is




Performs substring expansion.[5] It returns the substring of $varname
starting at offset and up to length characters. The first character in
$varname is position 0. If length is omitted, the substring starts at
offset and continues to the end of $varname. If offset is less than 0 then
the position is taken from the end of $varname. If varname is @, the
length is the number of positional parameters starting at parameter
Purpose: Returning parts of a string (substrings or slices).


[root@euve59329 ~]# count=MyCoolText
[root@euve59329 ~]# echo ${count:4}
[root@euve59329 ~]# echo ${count:4:4}
[root@euve59329 ~]#

Inspired from Learning the bash Shell: Unix Shell Programming (In a Nutshell (O’Reilly))

String Manipulation and Expanding Variables

String Manipulation and Expanding Variables

For your ready references here are all your handy bash parameter substitution operators. Try them all; enhance your scripting skills like a pro:

${parameter:-defaultValue} Get default shell variables value
${parameter:=defaultValue} Set default shell variables value
${parameter:?”Error Message”} Display an error message if parameter is not set
${#var} Find the length of the string
${var%pattern} Remove from shortest rear (end) pattern
${var%%pattern} Remove from longest rear (end) pattern
${var:num1:num2} Substring
${var#pattern} Remove from shortest front pattern
${var##pattern} Remove from longest front pattern
${var/pattern/string} Find and replace (only replace first occurrence)
${var//pattern/string} Find and replace all occurrences