Windows hacking by Pradeep Kishnani



Why would I want to hack Windows?
Well, okay, stupid question, but why would you want to hack Windows
when there are all those lovely servers to take on? The answer is
simple: what if the Admin has forced some really horrible backdrop
(wallpaper) onto your machine? How do you get round that? Well,
that's what this tutorial is all about: removing restrictions on the
local machine so that you can get a shot at the servers, or so you
can run programs that you otherwise wouldn't be able to.

Are there many restrictions that can be placed on me?
There are a surprising number of things Admins can do to your
computer to make it more restricted. To compensate, of course,
there are many ways to remove these annoying restrictions, one of
which I worked out myself; it removes all the restrictions, although
it temporarily screws up Internet Explorer's settings. Here is a
small list of the usual ones:

Control Panel
Run command
Find command
Missing start menu programs
Fixed backdrop
No DOS access
Removed CDROM and floppy access

All of the above are a real pain in the ass. I'll go through
removing these restrictions one by one.

Where do these restrictions come from?
Good question. There are two types of restriction, local and
remote. Local restrictions are stored in the registry on the
machine itself and are fairly easy to get round compared to the
remote ones. Remote restrictions are system policies kept on the
server and downloaded into the registry each time you log in. They
are VERY hard to get around and most are beyond the scope of this
tutorial. However, if I do show some of them, I'll point out that
they are remote. Sometimes the remote restrictions end up enforced
as local ones, which is handy to say the least.

What is the registry?
The registry is a database that Windows uses to store all its
information. You can think of it as a directory. Most programs and
file types are registered here, along with user and system
settings. Driver versions and start-up programs are also found in
here. Without the registry, Windows would be in trouble.

Where is the registry?
The registry consists of two files, user.dat and system.dat. Both
are stored in the Windows directory (when user profiles are turned
on, each user also gets their own user.dat under
Windows\Profiles\<username>). On Windows 95 there are backups of
both files called user.da0 and system.da0; Windows 98's Registry
Checker keeps its backups as rb00x.cab files in Windows\Sysbckup
instead. If the main two are destroyed or corrupted, the system
copies the backups over to replace them.

The user.dat file contains user settings. All the different parts
of a user's settings make up a user profile. It is these profiles
that contain the information regarding what restrictions should be
enforced. Every user is stored here along with the restrictions
that apply to them. I'll show you how to fool the system into
giving you full access the easy way later.

The system.dat file, strangely enough, contains information about
the system: the hardware configuration and the settings for
Internet Explorer and other pieces of software such as DirectX, MS
Office, etc.

Can I edit it myself?
Yes you can, using a program called regedit. It is installed with
Windows, and unless your friendly Admin has removed your ability
to run it (the 'Disable Registry editing tools' policy), you can
use this program to set anything in the registry that you want.

NOTE: If you remove the system.dat file (which you usually have
to), some programs may have problems finding their default
settings or refuse to load.

I can't edit the registry. How do I get around this?
Well, the easiest way is to simply remove user.dat and system.dat.
When you restart the computer and log in, it will come up and tell
you that it needs to restart to repair the registry. Ignore this
message and use ctrl+alt+del to get it to close without selecting
'OK'. You will see that all the restrictions have been removed.
Quickly go to 'Run' and type 'command' without the quotes. This
will open a DOS window and, for some reason, stabilises the system.
Windows had a nasty tendency to crash if I didn't open a DOS
window, for some reason. When you restart the computer, the backup
registry will be restored and the restrictions will be active
again. This isn't so bad, because it means you can get a machine
back to normal with the minimum of fuss.

I can't get to the registry files to delete them! What now?
Don't panic yet! I'll show you two ways of getting to the files.
Normally, if the 'Run' command is missing, you're going to have
trouble getting to the C:\windows directory, which holds those
files. Second, you'll find that they are write protected (the files
carry the read-only and hidden attributes). In the next few
sections I'll show you how to get round this.

I have the 'Run' command. What next?
Type "c:\windows\" without the quotes. This will take you to the
directory that contains the registry. You will most likely get a
message saying that altering the files could be dangerous and
could stop Windows or other programs from working. Ignore that and
select continue or click the hyperlink. It will now show you the
files.

The evil scum bags have nicked the 'Run' command! Now what?!?
Now you panic........only joking! Most Admins do take out the Run
command as standard. It stops normal people from going where they
shouldn't be. However, we can outsmart them here by using the
shortcut trick. This trick will get us whatever we need and is
just as powerful as the Run command, except it is slightly more
inconvenient.

So what's this magic shortcut trick then?
This trick is essential to a hacker's toolkit. In Windows, you can
create a shortcut to just about anything, from a folder to a
program or even a website! We can use this to our advantage. It
also gets round the annoying "Access Denied" messages that
Explorer likes to give. Right-click on the desktop and select New ->
Shortcut. When it asks what you want to make the shortcut to, type
in "c:\windows\" without the quotes and press Enter. Hit Enter
twice more and you will find a nice shortcut on your desktop.
Double-click this and it will dump you in the Windows directory.
Nice eh?

When I type in the directory in Explorer, it returns "Access
Denied". Why?

This means that the Admin has told Explorer not to accept any
requests to that folder, program or website. However, for some
reason Explorer will let you straight through if you make a
shortcut to that folder. Security is tight eh?

Okay, I've found the files.....only I can't delete them! Windows
says they are protected!
When Windows says protected, it means write protected. This is
when you can't write to or alter a file. This is done for safety
reasons. No one wants to accidentally delete the registry. However,
because we're evil we want to, and Windows is stopping us. Don't
worry, the protection is lame. Right-click on the file and hit
Properties. Once in, untick the little 'Read-only' attribute box
and click Apply, then OK. Now try deleting the file. You should
find that it goes without any hassle. This works with both
registry files.

Right, I've sabotaged the files. What next?
To prevent Windows catching on, just turn off the computer and
switch it on again. If it starts up and the registry fixing
program starts, you'll have to repeat the procedure. Sometimes it
gets you, sometimes it doesn't. If it keeps coming up, see the
next section.

My plans are being thwarted by this stupid registry checker!
HELP!
This nasty little program kept catching me out. It is called
regcheck and is usually found in the windows or windows\system
directory. It is called from an ini file called regcheck.ini or
regchck.ini. The name seems to vary from system to system, though
I can't see any reason why it should. You can alter the .ini file
and remove the checking program. The script will complete and
still the registry won't have been restored!! Tee hee!

On a stock Windows 98 machine the built-in equivalent is the
Registry Checker, scanregw.exe (scanreg.exe is the real-mode
version that runs before Windows loads). It takes its settings from
scanreg.ini in the Windows directory, and it is what puts the
backup registry back at startup after you have deleted the live
one.

The network is on the Internet but Cyber Patrol won't let me
access any hacking sites!
Cyber Patrol is a royal pain in the ass! However, it is very easy
to remove. Press ctrl+alt+del to bring up the task list. Select
Cyber Patrol and press Enter. Cyber Patrol will now bring up a
window asking for a password. Damn, we've been beaten! Not so:
press ctrl+alt+del again. This time, because Cyber Patrol has
ALREADY answered Windows, it won't ask again. Thus Windows
thoughtfully lets us close the program. Bye bye stupid
restrictions!

I can't access the disk drive or the CDROM, yet I see the Admins
doing it! How can I?

This can be quite annoying. You have lots of stuff on disk or CD
but you just can't access them. Why? Because some sod has removed
their icons from 'My Computer' (the 'Hide Drives in My Computer'
policy, which is the NoDrives value in the registry; it only hides
the icons). *Sigh* I guess it's no go then, right? Wrong! Although
you can't see the drives, they are still there. Load up ol'
faithful Internet Explorer and type "D:\" without the quotes and
press Enter. It should display a list of the files on the CD. If it
comes up with "Access Denied" or "Permission Denied" then simply
make a shortcut to it. That way, you will see all the files.

When I try to access A:, the whole machine crashes on me! Why?
This happens when the floppy drive has been disabled in the BIOS
(Basic Input Output System). When you try to access it, Windows
will hang and force you to reboot. There is a nice easy way of
testing if the drive is enabled before you crash your machine. When
you log in or out, check the light on the drive. If it flashes,
the drive is available even if you can't see it in the drive list.
If it doesn't flash, the drive has been disabled.

I MUST have floppy access! How do I get it?
The only way to get disk access is to enable the floppy drive in
the BIOS. This is almost ALWAYS passworded (if not, you're really
lucky). You will need a BIOS cracker, and there are loads on the
Internet. Check what BIOS the machine has when it boots up (Award,
AMI BIOS, etc.) and get a program for that one. Obviously you will
somehow need to get it onto the network, and there is a cunning
way to do that too!

Sneaking files onto a network
This trick is so simple and yet so effective. Create a document
that you could pass off as school work or something. Make sure it
has an image file in it. Drag and drop the program file into your
document and then place the image file over it. Save as a .doc
file and put it on a disk. Ask your friendly Admin to copy the
file for you. Most will just copy it, and those that check will
just see a document with a piccy. They won't see your program. To
get the program back, you need to open the document on your
workstation. Drag the program back out and put it on your desktop.
This trick works with any file of any type. Bear in mind that Word
stores the dropped file whole, as an embedded Package object, so
the document's size gives the game away to anyone who looks at it,
and a virus scanner that looks inside OLE files will find the
program.

Right, I've got the program. What now?
Run the program. It should give you a password. Write this down
and restart the machine. As the machine checks its memory, press
the 'Del' key. It will then take you into the BIOS setup, where it
will prompt for the password. Enter the password that you got from
the program. It should let you in. Go into the basic options and
look for the floppy drive. Go to the first one. It probably says
"Not Installed". Change it so it says "3 1/2 inch floppy". Quit
the BIOS setup and save changes. When it boots up, the floppy
drive will be active. Do the reverse to disable it again, to stop
the Admins finding you out and changing the password.

How can I get back all those nice programs that they removed from
my Start menu?

This is also quite easy. There is a program called grpconv.exe
(the Program Group Converter) in the Windows directory. By running
it, you'll restore the default Start menu along with all the usual
programs and accessories. Useful if the Admin has removed some
program that you prefer or want to use, like Paint. You'll need
Paint to pull off the next trick.

How do I change this cursed background without using the Display
Properties?

Not so useful perhaps, but nice to have none the less. No one likes
the default backgrounds, but Admins tend to remove the ability to
change them, which is rather upsetting. To pull this off you need
access to Paint. Normally this isn't removed. Open your bitmap of
choice in Paint. From the 'File' menu, select "Set As Wallpaper"
(Tiled or Centered). This will set your bitmap as the background.
Normally this won't stick and will change back next time you log
in. Still, you get a decent background for the duration of your
session.

The 'Net Plug' trick
This is a nice easy way of getting Admin rights. I've taken this
from my other tutorial and pasted it here because I don't want to
have to type it out again. It is a very useful technique which is
why I'm duplicating it here.

This is an attack that I worked out myself before I was given
Admin status. It always works and I've yet to see it fail. Make
sure you are at a windows 95 or 98 machine. I doubt NT would be
fooled by this trick but I don't have any NT machines so I can't
test it for you.

Note: Most Admins believe that they are the most knowledgeable
about their system. Many also believe that no one else knows much
about computers. In other words, for whatever reasons, they are
not too concerned about us, i.e. the idiots attacking their
servers. Why? Because we aren't good enough. So why waste valuable
time configuring security that won't be needed, eh? I think I've
made my point. They don't see us as a threat. You don't consider a
house spider a threat, so you don't go round putting up netting to
keep them out. Why? You can't be bothered. The same rule applies
here. Even if you are a computer genius, play it dumb. Admins like
to lecture the uninitiated and would love to appear smarter than
you. This is the way you want it. The Admins will think you're a
nice guy or gal, totally harmless. This sometimes gives you more
leverage: because they like you, they'll be willing to help you.
They also won't expect you to launch a huge assault on their
servers either. However, sometimes there are some smart people out
there who will notice your talents and pull you over to their
side. This isn't a bad place to be and can be advantageous
later.

First of all, log in as yourself. Crash your computer and restart
it. Walk over to your favourite Admin (the one that hates you most
is the best choice) and apologise for being an idiot, but the
computer won't let you log in and could s/he please come and take a
look for you. Mumbling and grumbling, they'll come over. The best
way to test if it is the machine is for them to log in. Of course,
they'll log in as an Admin or equivalent. They'll check your
account and see that it is fine. They'll tell you to log onto
another machine and your account will be okay. They'll now log off
and walk off in disgust, thinking you are a computer moron. Not so,
my friend: we've just done them good and proper!

Turn off the computer and pull out the network lead. Turn it back
on again. The computer will detect that you aren't on a network
and will dump you at a desktop with the profile and restrictions of
the last user. If this user is the Admin, then chances are that he
or she will have full access to everything, including DOS and drive
access. Perfect for installing all those really kewl programs you
have on a disk in your pocket......

But you aren't on the network now. That's no fun, is it? Shove the
lead back in and try to access a network drive. This is the bit
where you hope the Admins are sloppy or not computer geniuses.
Windows by default caches ALL network passwords in the user's .pwl
file in the Windows directory, so unless the Admins have told it
not to (the 'Disable password caching' policy, a DisablePwdCaching
value under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network),
Windows will have a nice copy of their password. Go into 'My
Computer' and click on a drive. Whoop with glee as NetWare logs you
in as an Admin. Why does this happen? Well, Windows still holds the
username and password last used to access the drive. You are logged
into Windows as the Admin and Windows knows what credentials you
last gave to the server, so it supplies them for you. Likewise,
because you are now authenticated, you now have full access to the
NDS tree. Not only can you read, but you can now write, modify,
delete, etc. etc. Much more fun!

Now, this is the bit where you have to be sneaky. You have to make
a new account for yourself or upgrade your old one. There are pros
and cons to each choice. If you alter your existing account and
they check it for some reason (maybe you got locked out?), they'll
notice you have Admin rights and shoot you. If you make a new user,
it might get found quicker, but there is no way to point to you
(it was created by user Admin, after all, tee hee). The choice is
yours. You can always do both.

I still need DOS access to run the programs. How can I get it?
Not all Admins actually remove the ability to run DOS programs,
simply because they are needed. It is likely though that the
shortcuts and the run command will have been removed. Also I doubt
you will be able to shutdown into MS-DOS mode. So how do you call
up the window?

Well, we can use our usual shortcut trick. The program that opens
the DOS window is called "command.com" and lives in the Windows
directory. To run it, simply make a shortcut to "command" without
the quotes. Double-clicking on the shortcut will pull up the MS-DOS
prompt.

I've done that but I get "This has been disabled by your system
Administrator".
If you get this, your Admin has locked out the ability for your
user to run DOS programs (the 'Disable MS-DOS prompt' policy,
which sets the Disabled value under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp).
Windows is surprisingly tight on DOS access. There is only ONE way
that I currently know of (I'm always searching for new ones,
though) to bypass this whilst logged in as yourself. To do this,
you need a program called "poledit.exe".

What the hell is poledit?
Poledit (short for Policy Editor) is the program used to alter
user settings on any given computer. It writes its settings into
the Policies keys of the local registry, i.e. into the user.dat
and system.dat files we saw earlier. It might have occurred to
some Admins to block access to it, but I have yet to see it done.
Normally registry editing is barred, but that seems to apply only
to regedit.

Poledit is NOT installed by default. You will find it on the
Windows 98 CD in the resource kit folder
(tools\reskit\netadmin\poledit). The file itself isn't very big,
but bring the .adm policy template file from the same folder along
with it; poledit needs a template to show the policy options. You
can sneak it onto the network by hiding it in a Word file. If you
have CDROM access, you could just load it in, or burn the program
to CD.

Poledit controls ALL the access rights such as control panel
access, display properties, find and run commands, DOS access,
shutting down to MSDOS mode etc etc. This tool can give them all
back to you!

Okay, I've managed to get poledit onto the network. Now what?
Right, run the program (File -> Open Registry edits the live
registry of the machine you are sitting at; File -> Open works on
a saved policy file). It will bring up a list of users and their
policies. There will probably be two policies stored there (at
least). One will be called Admin or similar and the other Default.
You will be user Default. Now, alter the settings to whatever you
want and save them. Quit the program and you should find that your
access has been increased!
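As an added example (this is not code from the tutorial), here is a Python script showing what poledit actually writes. The restrictions on this page's list, the hidden-drive trick from the CDROM section, the DOS prompt lock and the password-caching switch behind the Net Plug trick all come down to a few values under the Policies keys of the registry. The script reads a regedit export of those keys, reports which restrictions are on, decodes the NoDrives bitmask (one bit per drive letter), and writes out a .reg file that zeroes them, which is the same change the tutorial makes by hand in poledit. The key paths and value names are the real Windows policy locations; the sample export is constructed for illustration, and the descriptions and helper names are mine.

```python
"""Audit of the registry policy values behind this page's restrictions.

Added example, not code from the original tutorial. It reads the text of a
regedit export (.reg) of the Policies keys and reports which restrictions
are switched on. The key paths and value names are the real Windows policy
locations; the descriptions are ours, and SAMPLE_REG below is constructed by
hand for illustration, not captured from a real machine.
"""
import re

HKCU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
HKLM_POL = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
EXPLORER = HKCU_POL + r"\Explorer"
SYSTEM = HKCU_POL + r"\System"
WINOLDAPP = HKCU_POL + r"\WinOldApp"
NETWORK = HKLM_POL + r"\Network"

# (key, value name) -> what it does, in the tutorial's terms. A non-zero
# value switches the restriction on; zero or absent means it is off.
RESTRICTIONS = {
    (EXPLORER, "NoRun"): "Run command removed from the Start menu",
    (EXPLORER, "NoFind"): "Find command removed from the Start menu",
    (EXPLORER, "NoSetFolders"): "Control Panel and Printers removed from Settings",
    (SYSTEM, "NoDispCPL"): "Display Properties disabled (fixed backdrop)",
    (SYSTEM, "DisableRegistryTools"): "regedit disabled",
    (WINOLDAPP, "Disabled"): "MS-DOS prompt disabled",
    (WINOLDAPP, "NoRealMode"): "single-mode MS-DOS applications disabled",
    (NETWORK, "DisablePwdCaching"): "password caching off (blocks the Net Plug trick)",
}

# Constructed sample of what regedit exports for a locked-down user. Windows
# 9x poledit writes these as 4-byte binary values (exported as hex:...),
# while hand-made .reg files usually use dword:; the parser accepts both.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoSetFolders"=dword:00000001
"NoDrives"=dword:0000000b

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000001
"DisableRegistryTools"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000000
"""

_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{1,8})|hex:([0-9a-fA-F,]*))\s*$')


def parse_reg_export(text):
    """Map (key, name), both lower-cased, to the integer value for every
    dword: or hex: value in a regedit export. Registry names are
    case-insensitive, which is why they are lower-cased here."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE.match(line)
        if key is None or not m:
            continue
        name, dword, hexbytes = m.groups()
        if dword is not None:
            num = int(dword, 16)
        else:
            raw = bytes(int(b, 16) for b in hexbytes.split(",") if b)
            num = int.from_bytes(raw, "little")  # REG_BINARY holds the DWORD little-endian
        values[(key, name.lower())] = num
    return values


def hidden_drives(mask):
    """Decode the NoDrives bitmask: bit 0 hides A:, bit 1 B:, ... bit 25 Z:."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]


def audit(values):
    """List the restrictions in effect, in the order of RESTRICTIONS."""
    active = [desc for (key, name), desc in RESTRICTIONS.items()
              if values.get((key.lower(), name.lower()), 0)]
    mask = values.get((EXPLORER.lower(), "nodrives"), 0)
    if mask:
        drives = ", ".join(d + ":" for d in hidden_drives(mask))
        active.append("drive icons hidden from My Computer: " + drives)
    return active


def undo_reg(values):
    """Build a .reg import that zeroes every restriction found, which is
    what the tutorial does by hand in poledit. Lines are grouped by key."""
    targets = list(RESTRICTIONS) + [(EXPLORER, "NoDrives")]
    by_key = {}
    for key, name in targets:
        if values.get((key.lower(), name.lower()), 0):
            by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append("[%s]" % key)
        out.extend('"%s"=dword:00000000' % n for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_reg_export(SAMPLE_REG)
    for line in audit(found):
        print(line)
    print(undo_reg(found))
```

Run it as-is to see the audit of the constructed sample. To check a real machine, export the four keys with regedit (regedit /e out.reg "key path") and feed the text to parse_reg_export. As the tutorial says, a policy file pulled from the server re-applies these values at the next login, so the zeroed file only holds until then.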

I think it worked, but when I logged back onto the network the old
settings kicked in.
This is a pain, because it means your settings are stored on the
server too. When you log in, Windows activates the settings you
updated and then overlays the new ones from the server. Annoying,
huh? Well, there isn't all that much you can do about it apart
from using the Net Plug trick.

How does it help us here? Well, turn off the computer, unplug the
network lead and turn it back on. It will automatically log you in
as the last user, i.e. yourself. However, because there is no
server, it will pull its restrictions from the local file (which
we edited, of course). Plug the network lead back into the computer
and try to access the drives. Even if it asks you to log in again
(to access the network), Windows isn't clever enough to pull down
the updated policy files. You're home free!!


Credits


Pradeep Kishnani
rockystone@redifffmail.com
http://completehack.focusindia.com