Contents]
Why would
I want to hack windows?
Well, okay stupid
question but why would you want to hack windows when
there are all those lovely servers to take on? The answer
is so simple, it often eludes people altogether. How
exactly are you going to take out the server if your
workstation is so crippled, you can't even use the run
command? Most hacking programs are DOS based. If your
friendly Admin has removed MS-DOS access, you're in
trouble. You won't be able to run all those nice programs
you've collected.
What if they
Admin has placed some really horrible backdrop on your
machine. You have a great replacement only the display
properties aren't available. How do you get round that?
Well, that's what this tutorial is all about : Removing
restrictions on the local machine so that you can get
a shot at the servers or so you can run programs that
you otherwise wouldn't be able to.
Are there
many restrictions that can be placed on me?
There are a surprising
amount of things Admins can do to your computer to make
it more restricted. To compromise of course, there are
many ways to remove these annoying restrictions, one
of which I worked out and removes all the restrictions
although it temporarily screws up Internet Explorer's
settings. Here is a small list :
Control Panel
Run command
Find command
Missing start menu programs
Fixed backdrop
No DOS access
Removed CDROM and floppy access
All of the above
are a real pain in the ass. I'll go through removing
these restrictions one by one.
Where
do these restrictions come from?
Good question.
There are two types of restriction, local and remote.
The local restrictions are usually stored in the registry
and are fairly easy to get round compared to the remote
restrictions. These are restrictions placed on servers
and are usually downloaded each time you login. They
are VERY hard to get around and most are beyond the
scope of this tutorial. However if I do show some of
them, I'll point out that they are remote. Sometimes,
the remote restrictions are enforced as local ones.
This is handy to say the least.
What
is the registry?
The registry
is a database that Windows uses to store all its information.
You can consider it as a directory. Most programs and
files are registered here, along with user and system
settings. Driver versions and start up programs are
also found in here. Without the registry, Windows would
be in trouble.
Where
is the registry?
The registry
consists of two files, user.dat and system.dat . Both
are stored in the windows directory. There are backups
of both files called user.da0 and system.da0 . If the
main two are destroyed, the system copies the new versions
over to replace them.
The user.dat
file contains user settings. All the different parts
of a users settings make up a user profile. It is these
profiles that contain the information regarding what
restrictions should be enforced. Every user is stored
here along with all their access rights. I'll show you
how to fool the system into giving you full access the
easy way later.
The system.dat
file strangely enough contains information about the
system. This includes settings for Internet Explorer
and other pieces of software such as DirectX, MS Office
etc etc.
Can I
edit it myself?
Yes you can,
using a program called regedit. It is automatically
installed and unless your friendly Admin has removed
your ability to edit it, you can use this program to
set anything in the registry that you want.
NOTE
: If you remove the system.dat file ( which
you usually have to ) some programs may have problems
finding their default settings or refuse to load.
I can't
edit the registry. How do I get around this ?
Well the easiest
way is to simply remove user.dat and system.dat . When
you reset the computer and login, it will come up and
tell you that it needs to reset to repair the registry.
Ignore this message and use ctrl+alt+del to get it to
close without selecting 'ok'. You will see that all
the restrictions have been removed. Quickly go to 'Run'
and type 'command' without the quotes. This will open
a DOS window and for some reason stabilises the system.
Windows had a nasty tendency to crash if I didn't open
a DOS window for some reason. When you reset the computer,
the old registry will kick in and the restrictions will
be active again. This isn't so bad because it means
you can get a machine back to normal with the minimum
of fuss.
I can't
get to the registry files to delete them! What now?
Don't panic yet!
I'll show you two ways of getting to the files. Normally
if the 'Run' command is missing, you're going to have
trouble getting to the C:\windows directory which holds
those files. Second, you'll find that they are write
protected. In the next few sections I'll show you how
to get round this.
I have
the 'Run' command. What next?
Type "c:\windows\"
without the quotes. This will take you to the directory
that contains the registry. You will most likely get
a message saying that altering the files could be dangerous
and could stop windows or other programs from working.
Ignore that and select continue or click the hyper link.
It will now show you the files.
The
evil scum bags have nicked the 'Run' command! Now what?!?
Now you panic........only
joking! Most Admins do take out the run command as standard.
It stops normal people from going where they shouldn't
be. However, we can out smart them here by using the
shortcut trick. This trick will get us whatever we need
and is just as powerful as the run command, except it
is slightly more inconvenient.
So what's
this magic shortcut trick then?
This trick is
essential to a hackers toolkit. In Windows, you can
create a shortcut to just about anything from a folder
to a program or even a website! We can use this to our
advantage. It also gets round the annoying "Access Denied"
messages that explorer likes to give. Right click on
the desktop, select new -> shortcut. When it asks
what you want to make the shortcut to, type in "c:\windows\"
without the quotes and press enter. Hit enter twice
more and you will find a nice shortcut on your desktop.
Click this twice and it will dump you in the Windows
directory. Nice eh?
When
I type in the directory in explorer, it returns "Access
Denied". Why?
This means that
the Admin has told explorer not to accept any requests
to that folder, program or website. However for some
reason explorer will let you straight through if you
make a shortcut to that folder. Security is tight eh?
Okay,
I've found the files.....only I can't delete them! Windows
says that are protected!
When windows
says protected, it means write protected. This is when
you can't write or alter a file. This is done for safety
reasons. No one wants to accidentally delete the registry.
However because we're evil we want to and Windows is
stopping us. Don't worry, the protection is lame. Right
click on the file and hit properties. Once in, untick
the little box next to write protected and click apply
then okay. Now try deleting the file. You should find
that it goes without any hassle. This works with both
registry files.
Right,
I've sabotaged the files. What next?
To prevent Windows
catching on, just turn off the computer and switch it
on again. If it starts up and the registry fixing program
starts, you'll have to repeat the procedure. Sometimes
it gets you, some times it doesn't. If it keeps coming
up, see the next section.
My plans
are being thwarted by this stupid registry checker!
HELP!
This nasty little
program kept catching me out. It is called regcheck
and is usually found in the windows or windows\system
directory. It is called from an ini file called regcheck.ini
or regchck.ini . The name seems to vary from system
to system though I can't see any reason why it should.
You can alter the .ini file and remove the checking
program. The script will complete and still the registry
won't have been restored!! Tee hee!
The
network is on the Internet but Cyber patrol won't let
me access any hacking sites!
Cyber patrol
is a royal pain in the ass! However, it is very easy
to remove. Press ctrl+alt+del to bring up the task list.
Select Cyber Patrol and press enter. Cyber Patrol will
now bring up a window asking for a password. Damn, we've
been beaten! Not so, press ctrl+alt+del again. This
time because Cyber Patrol has ALREADY answered windows,
it won't access again. Thus Windows thoughtfully lets
us close the program. Bye bye stupid restrictions!
I can't
access the disk drive or the CDROM yet I see the Admins
doing it! How can I ?
This can be quite
annoying. You have lots of stuff on disk or CD but you
just can't access them. Why? Because some sod has removed
their icons from 'My Computer'. *Sigh* I guess its no
go then right? Wrong! Although you can't see the drives,
they are still there. Load up ole faithful Internet
Explorer and type "D:\" without the quotes and press
Enter. It should display a list of the files on the
CD. If it comes up with "Access Denied" or " Permission
Denied" then simply make a shortcut to it. That way,
you will see all the files.
When
I try to access A: , the whole machine crashes on me!
Why?
This happens
when the floppy drive has been disabled in the BIOS
( Basic Input Output System). When you try to access
it, Windows will hang and force you to reboot. There
is a nice easy way of testing if the drive is open before
you crash your machine. When you log in or out, check
the light on the drive. If it flashes, the drive is
available even if you can't see it in the drive list.
If it doesn't flash, the drive has been disabled.
I MUST
have floppy access! How do I get it?
The only way
to get disk access is to enable the floppy drive in
BIOS. This is almost ALWAYS passworded ( if not you're
really lucky ). You will need a BIOS cracker and there
are loads on the Internet. Check what BIOS the machine
has when it boots up ( Award, AmiBIOS etc etc). Get
a program for that. Obviously you will somehow need
to get it on the Network and there is a cunning way
to do that to!
Sneaking
files onto a Network
This trick is
so simple and yet so effective. Create a document that
you could pass off as school work or something. Make
sure it has an image file in it. Drag and drop the program
file into your document and then place the Image file
over it. Save as a .doc file and put it on a disk. Ask
your friendly Admin to copy the file for you. Most will
just copy it and those that check will just see a document
with a piccy. They won't see your program. To get the
program back, you need to open the document on your
workstation. Drag the program back out and put it on
your desktop. This trick works with any file of any
type.
Right,
I've got the program. What now ?
Run the program.
It should give you a password. Write this down and reset
the machine. As the machine checks its memory press
the 'Del' button. It will then take you into the BIOS
where it will prompt for the password. Enter the password
that you got from the program. It should let you in.
Go into the Basic options and look for floppy drive.
Go to the first one. It probably says "Not Installed".
Change it so it says "3 1/2 inch floppy". Quit the BIOS
and save changes. When it boots up, the floppy drive
will be active. Do the reverse to disable it again to
stop Admins finding you and changing the password.
How
can I get back all those nice programs that they removed
from my start menu?
This is also
quite easy. There is a program called groupconv.exe
. By running this, you'll restore the default star menu
along with all the usual programs and accessories. Useful
if the Admin has removed some program that you prefer
or want to use like Paint brush. You'll need paint to
pull off the next trick.
How
do I change this cursed background without using the
display properties?
Not so useful
perhaps but nice to have none the less. No one likes
the default backgrounds but Admins tend to remove the
ability to change them which is rather upsetting. To
pull this off, you need access to paint. Normally this
isn't removed. Open your bitmap of choice into paint.
From the 'File' menu, select "Set as background". This
will set your bitmap as the background. Normally this
won't stay the same and will change back next time you
login. Still, you get a decent background for the duration
of your session.
The
'Net Plug' trick
This is a nice
easy way of getting Admin rights. I've taken this from
my other tutorial and pasted it here because I don't
want to have to type it out again. It is a very useful
technique which is why I'm duplicating it here.
This is an attack
that I worked out myself before I was given Admin status.
It always works and I've yet to see it fail. Make sure
you are at a windows 95 or 98 machine. I doubt NT would
be fooled by this trick but I don't have any NT machines
so I can't test it for you.
Note
: Most Admins, believe that they are the most
knowledgeable about their system. Many also believe
that no one else knows much about computers. In other
words, for whatever reasons, they are not too concerned
about us i.e. the idiots attacking their servers. Why?
Because we aren't good enough. So why waste valuable
time configuring security that won't be needed eh? I
think I've made my point. They don't see us as a threat.
You don't consider a house spider a threat so you don't
go round putting up netting to keep them out. Why? You
can't be bothered. The same rule applies here. Even
if you are a computer genius, play it dumb. Admins like
to lecture the uninitiated and would love to appear
smarter than you. This is the way you want it. The Admins
will think you're a nice guy or gal, totally harmless.
This sometimes gives you more leverage because they
like you, they'll be willing to help you. They also
won't expect you to launch a huge assault on their servers
either However sometimes there are some smart people
out there who will notice your talents and pull you
over to their side. This isn't a bad place to be and
can be advantageous later.
First of all,
login as yourself. Crash your computer and reset it
. Walk over to your favourite admin (the one that hates
you most is the best choice ) and apologise for being
an idiot but the computer won't let you login and could
s/he please come and take a look for you. Mumbling and
grumbling they'll come over. The best way to test if
it is the machine is for them to login. Of course, they'll
log in as an admin or equivalent. They'll check your
account and see that your account is fine. They'll tell
you to log onto another machine and your account will
be okay. They'll now log off and walk off in disgust
thinking you are a computer moron. Not so my friend,
we've just done them good and proper!
Turn off the
computer and pull out the network lead. Turn it back
on again. The computer will detect that you aren't on
a network and will dump you at a desktop with restrictions
of the last user. If this user is the admin then chances
are that he or she will have full access to everything
including DOS and drive access. Perfect for installing
all those really kewl programs you have on a disk in
your pocket......
But you aren't
on the network now. That's no fun is it? Shove the lead
back in and try to access a network drive. This is the
bit where you hope the Admins are sloppy or not computer
geniuses. Windows by default caches ALL passwords so
unless the Admins have told it not to ( a key deep in
the registry) then windows will have a nice copy of
their password. Go into 'My Computer' and click on a
drive. Whoop with glee as Netware logs you in as an
Admin. Why does this happen? Well windows still holds
the username and password last used to access the drive.
You are logged into windows as Admin and windows knows
what credentials you last gave to the server. So it
supplies them for you. Likewise because you are now
authenticated you know have full access to the NDS tree.
Not only can you read but you can no write, modify delete
etc etc. Much more fun!
Now, this is
the bit where you have to be sneaky. You have to make
a new account for yourself or upgrade your old one.
There are pros and cons to each of your choices. If
you alter your existing account and they check it for
some reason ( maybe you got locked out? ) they'll notice
you have admin rights and shoot you. If you make a new
user, it might get found quicker but there is no way
to point to you ( it was created by user admin after
all tee hee ). The choice is yours. You can always do
both.
I still
need DOS access to run the programs. How can I get it?
Not all Admins
actually remove the ability to run DOS programs, simply
because they are needed. It is likely though that the
shortcuts and the run command will have been removed.
Also I doubt you will be able to shutdown into MS-DOS
mode. So how do you call up the window?
Well, we can
use our usual shortcut trick. The program that opens
the DOS windows is called "command.exe" . To run the
program, simply make a shortcut to "command" without
the quotes. Double clicking on the shortcut will pull
up the MS-DOS prompt.
I've
done that but I get "This has been disabled by your
system Administrator
If you get this,
your Admin has locked out the ability for your user
to run DOS programs. Windows is suprisingly tight on
DOS access. There is only ONE way that I currently know
of ( I'm always searching for new ones though) to bypass
this whilst logged in as yourself. To do this, you need
a program called "poledit.exe".
What
the hell is poledit?
Poledit ( short
for policy editor ) is the program used to alter user
settings on any given computer. This program edits the
user.dat file that we saw earlier. It might have occured
to some Admins to block access but I have yet to see
it done. Normally registry editing is barred but that
seems to be only when using regedit.
Poledit is NOT
installed by default. You will find it on the Windows
98 CD in the resource kit folder. The file itself isn't
very big and it doesn't need any support files. You
can sneak it onto the network by hiding it in a Word
file. If you have CDROM access, you could just load
it in, or burn the program to CD.
Poledit controls
ALL the access rights such as control panel access,
display properties, find and run commands, DOS access,
shutting down to MSDOS mode etc etc. This tool can give
them all back to you!
Okay,
I've managed to get poledit onto the network. now what?
Right, run the
program. It will bring up a list of users and their
policies. There will probably be two policies stored
there ( at least). One will be called Admin or similar
and the other default. You will be user default. Now,
alter the settings to whatever you want and save them.
Quit the program and you should find that your access
has been increased!
This
is a pain because it means your settings are stored
on the server too. When it logs in, it activates the
settings you updated and then overlays the new ones
from the server. Annoying huh? Well there isn't all
that much you can do about it apart from use the Net
Plug trick.
How
does it help us here? Well, turn off the computer, unplug
the network lead and turn it back on. It will automatically
log you in as the last user, i.e yourself. However because
there is no server, it will pull its restrictions from
the local file ( which we edited of course). Plug the
network lead back into the computer and try to access
the drives. Even if it asks you to login again ( to
access the network ), Windows isn't clever enough to
pull off the |
