http://blacksun.box.sk

Topic: The PC Hacking FAQ
HTML by: Martin L.
Written by: Olcay Cirit
Version 1.5 3/17/96
Appendix by Njan 18/09/9
This FAQ describes how to break in to a PC (IBM-compatible) from the outside in, and how to bypass some common software-based security measures. The last section details how to secure your PC against most such attacks.
Most of these techniques assume you have physical access to the PC. For example, you can't pull the hard disk or reset the CMOS over a network, but you can if you are sitting at the machine.
1. Hardware and Firmware
1a. The BIOS
The BIOS, short for Basic Input/Output System, is the control program of the PC. It is responsible for starting up your computer, transferring control of the system to the operating system, and handling other low-level functions, such as disk access.
NOTE that the BIOS is not an ordinary software program: it is not purged from memory when you turn off the computer. It's firmware, stored in a ROM chip on the motherboard, so it survives power-off and reboots. FLASH BIOS systems, such as those from Phoenix and AMI, let you update the BIOS through software by rewriting the flash chip, but that's another FAQ.
A convenient little feature that most BIOS manufacturers include is a startup password. This prevents access to the system until you enter the correct password.
If you can get access to the system after the password has been entered, then there is a software-based BIOS password extractor available from:
Resetting the CMOS
There is only one other way to get past the BIOS password. It involves clearing the battery-backed CMOS RAM that stores the password along with the rest of the system settings, by disconnecting or shorting out the CMOS battery until the memory loses its contents. Once it is cleared, however, you have to re-enter all the system settings (drive types, date, and so on) by hand, so record them first if you can.
****Follow these steps:
If you were unable to record the setup info, then you'll just have to set it up manually. Some newer Plug & Play BIOSes have an autodetect feature that automatically sets-up the hard disk and other items.
Again, I would like to mention that there are numerous password extractors available for free off the internet and on BBSes. Try those first: they are much cleaner and easier-to-use.
1b. Floppy Locks
Floppy locks are generally cheap plastic inserts that hook onto the inside of the drive and lock it, thereby preventing anyone from using the floppy drive. The locks used are usually the same little swivel locks found in computer cases to lock the keyboard.
There ARE some very secure locks, with *unique* keys. Such locks are not sold at your local computer store, and must be obtained directly from a factory in Nice, France (didn't get the name, though.). There is a distributor in Canada by the name of "Kappa Micro".
If the lock is of the swivel type, you can either pick it, or buy a key (they're all the same).
To pick it, you'll need a *thin* flathead screwdriver or a paperclip. To pick the lock, take the paperclip and insert it into the little notch on the inside of the swivel lock. Now, pull to the opposite side of the lock until the swivel is in the unlocked position.
If you choose to buy a key, you can:
A. Go to your local computer service center and buy one of these keys (very cheap, often less than $0.75).
B. Buy the same brand of floppy lock and use the key that comes with it.
1c. Last Resorts
If you are *REALLY* desperate to access this PC, then the following *might* work:
This will probably not work if an encrypted file system is in use. The only way to access such disks is to enter the password, or figure out a way to decrypt it, so if you forget your password, you're hosed. :(
2. DOS, Windows, and Netware
2a. Getting access to DOS
Some systems are set up to boot directly into some sort of shell or security program, such as Windows or Windows 95. If you want to get to a DOS prompt, you have several choices:
***Booting from a floppy requires you to create a system disk. You can do this using the DOS command FORMAT A: /S which will format a disk and place system files on it. Also, the Windows format (In File Manager or Explorer) has an option allowing you to create a system floppy.
Before you create a system disk, you must determine which floppy drive is used to boot. If the system has both a 1.2MB (5.25") Floppy Drive and a 1.44MB (3.5") Drive, it is likely that the boot drive is the 1.2 MB floppy drive. If the computer has only one floppy drive, it is quite safe to assume that it is the boot drive.
However, if you are unsure as to which drive is the boot drive, you can either find out by entering System Setup (as described in section 1) or by observing which floppy drive is read right before the operating system loads.
If the system is set to boot only from the hard disk, then you can refer to Section 1 on how to reset the CMOS.
Once you have a system disk, you place it in the floppy drive, and turn on or reset the computer. If you have done everything right, the computer will boot from the floppy drive and you will have access to a DOS prompt.
This technique, of course, can be prevented through the use of a floppy lock, and by setting the BIOS to boot only from the hard disk.
***Bypassing startup files is quite simple, but only works on DOS 6.0 or later and on Windows 95. When you turn on the computer and you see the text:
Starting MS-DOS ...
Starting PC-DOS ...
Starting Windows 95 ...
Press and hold the SHIFT or F5 key IMMEDIATELY. This will bypass the startup files (CONFIG.SYS and AUTOEXEC.BAT) as long as the system administrator has not disabled this feature (SWITCHES=/N in CONFIG.SYS under DOS 6, or BootKeys=0 in MSDOS.SYS under Windows 95).
Additionally, you can press and hold F8 when the startup text shows to enter the Boot menu. This lets you selectively disable certain commands, or bypass the startup files totally, among other things.
***Bypassing DriveSpace works if compression software such as DriveSpace or DoubleSpace has been installed. If so, when the startup text displays, press and hold Ctrl+F5 or Ctrl+F8. This loads the system without the compression driver, which means you can't read the files on the compressed volume; only the uncompressed host drive, holding the compressed volume file, is visible.
HOWEVER, you *can* decompress the disk (DriveSpace only), as long as you have sufficient disk space or enough floppies.
If all else fails, you can format it or take it to a Specialized Data Recovery service. They can probably recover the files by moving them to a larger hard disk and decompressing.
***Breaking out of AUTOEXEC.BAT is rather simple too. When the computer starts up and the operating system begins loading, press Ctrl+Break (or Ctrl+C) repeatedly. When AUTOEXEC.BAT executes, this terminates it and drops you to DOS. This works unless the keyboard has been disabled or is inactive during initialization (drivers loaded in CONFIG.SYS can temporarily disable the keyboard and then re-enable it with a command at the end of AUTOEXEC.BAT; see the CTTY trick in the appendix).
2b. Getting to DOS from Windows
If the above tactics fail, and the machine automatically loads Windows, then you still have a very good chance of getting to DOS. Since Windows by default gives you free access to DOS, there are special security programs made specifically to prevent the user from accessing it, among other things. Most of these programs can be bypassed.
If when Windows starts up you are presented with yet another password dialog box, analyze the situation:
If this is the primary Windows login or a network login, then you can get past it by pressing the Cancel button (no joke!) to log on as the default user. This is because the login information is used primarily for desktop preferences and remote file sharing; it does not gate access to the local machine.
The default user, however, can be locked down. If this has been done, then it is virtually impossible to gain access through it. The lockdown is done with a series of registry entries, which are listed in the appendix at the bottom of this file.
Login passwords are stored in .PWL files in the Windows directory. You can reset all accounts to no password by using the .PWL renaming technique described below.
The filename of the .PWL file corresponds to the login name of that user. For example, OLCAY.PWL contains the encrypted passwords for the account "Olcay".
The password protection in Windows 95 uses a much stronger algorithm, but you can still bypass the login by *carefully* moving or renaming all .PWL files in the C:\Windows directory: with no password list to check against, Windows accepts whatever you type and creates a fresh, empty one. The mapping of login names to .PWL filenames is also stored in the [Password Lists] section of SYSTEM.INI.
So, to disable passwords:
REN *.PWL *.PW_
Similarly, to re-enable passwords:
REN *.PW_ *.PWL
If this is a third-party security program, such as the one built in to After Dark, try pressing Ctrl+Alt+Del when the dialog is presented to you. Most security programs go out of their way to be secure, but Windows 3.1 interprets Ctrl+Alt+Del as the application not responding and offers to close it. Windows 95 pops up a neat little dialog box that lets you terminate any running application. How convenient. :) Once you have killed it, you can prevent it from bothering you again by removing it from the LOAD= and RUN= lines in the [windows] section of C:\WINDOWS\WIN.INI.
The password protection built in to the Windows 3.1 screen savers is extremely weak. You can bypass it by editing CONTROL.INI and searching for the Password field. Delete the junk that appears after the equal sign (this is the encrypted password); with the field empty, the screen saver has nothing to check against.
To disable Windows 95 passwords, right-click on the desktop and select Properties, choose the Screen Saver tab, and uncheck "Password protected".
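To see what a security shell, a login password list and a screen-saver password look like in the files just discussed, here is a small audit script added for this edition (it is not part of the original FAQ). It parses constructed copies of WIN.INI, SYSTEM.INI and CONTROL.INI: the [windows] LOAD=/RUN= lines and the SYSTEM.INI [Password Lists] section are the real Windows 3.x/95 layout, while the [ScreenSaver] section name, its key names, and every path and account name in the samples are made up for the example.

```python
import configparser

# Constructed sample files standing in for C:\WINDOWS\WIN.INI, SYSTEM.INI and
# CONTROL.INI on a Windows 3.x/95 box. [windows] LOAD=/RUN= and
# [Password Lists] are the real layouts; the [ScreenSaver] section and key
# names, and all paths and account names, are assumptions for this example.
WIN_INI = """\
[windows]
load=C:\\AFTERDRK\\AD.EXE
run=C:\\SECURE\\LOCKDOWN.EXE C:\\UTIL\\CLOCK.EXE
device=HP LaserJet,HPPCL,LPT1:
"""

SYSTEM_INI = """\
[boot]
shell=progman.exe
[Password Lists]
OLCAY=C:\\WINDOWS\\OLCAY.PWL
GUEST=C:\\WINDOWS\\GUEST.PWL
"""

CONTROL_INI = """\
[ScreenSaver]
PWProtected=1
Password=3F2A91C
"""


def load_ini(text):
    """Parse INI text the way a DOS-era file needs: keys keep their case,
    '%' is not special (paths contain it), only '=' separates key and value,
    and duplicate or bare keys are tolerated instead of raising."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def autostart_programs(win_ini_text):
    """Programs Windows itself starts via LOAD= and RUN= in [windows].
    Security shells and screen lockers hook in here, and so does anything
    an intruder leaves behind. Both lines are space-separated lists."""
    cp = load_ini(win_ini_text)
    programs = []
    if cp.has_section("windows"):
        for key, value in cp.items("windows"):
            if key.lower() in ("load", "run"):
                programs.extend(value.split())
    return programs


def password_lists(system_ini_text):
    """Map each Windows login name to its .PWL file from [Password Lists].
    Every name here is an account whose password can be reset by renaming
    the file; a name whose .PWL is missing on disk has already been reset."""
    cp = load_ini(system_ini_text)
    if not cp.has_section("Password Lists"):
        return {}
    return dict(cp.items("Password Lists"))


def screensaver_password_set(control_ini_text):
    """True if CONTROL.INI carries a non-empty Password= value in any section
    (the FAQ's 'junk after the equal sign'). The section name is assumed."""
    cp = load_ini(control_ini_text)
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() == "password" and value.strip():
                return True
    return False


def audit(win_ini_text, system_ini_text, control_ini_text):
    """Summarise the three files the Windows section of the FAQ touches."""
    return {
        "autostart": autostart_programs(win_ini_text),
        "accounts": password_lists(system_ini_text),
        "screensaver_locked": screensaver_password_set(control_ini_text),
    }


if __name__ == "__main__":
    for item, value in audit(WIN_INI, SYSTEM_INI, CONTROL_INI).items():
        print(f"{item}: {value}")
```

Point it at the real files (copied off from a boot floppy) to see which programs a security shell has hooked into LOAD=/RUN=, which accounts have .PWL files to rename, and whether the screen saver is locked, before and after applying the tricks above.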
If Windows starts up, and Program Manager loads, but the File menu is disabled, and access to DOS has been cut off, or some other oppressive security measures are in place, fear not. There are ways around such programs, as shall be explained below:
DOS through OLE
OLE, for Object Linking and Embedding, was hailed as a great advance in the Windows Operating System by letting you embed or link objects (this includes Executables) in documents.
Scorpion pointed out that Object Packager, which lets you package embedded files with icons, could be used to access DOS (or run any program) from most OLE-enabled applications (Like Write, WordPad, Word, etc.) Based on this information, I found a similar hole that doesn't require Object Packager but still exploits OLE. Both of these work in Windows 3.x and up.
Using Object Packager:
DOS through Write
This works by saving COMMAND.COM, the DOS command interpreter, over WINHELP.EXE, the Windows Help program, so that asking for Help launches a DOS prompt. Unfortunately, this tactic will not work with Windows 95: WordPad, the word-processing applet that comes with Windows 95, prevents the user from loading executable files.
DOS through Word
Microsoft Word versions 6.0 and above have a built-in macro language called WordBasic. This example works by instructing WordBasic to open up a DOS window.
Most of the Macro languages of popular applications let you do something similar to this technique. Look around in the online help files.
DOS through MODE
When Windows 95 Shuts Down and shows that dumb graphic, it's really just sitting on top of DOS. You can actually issue DOS commands (although the graphic will cover them) on the system after shutdown!!!
A simple way to do this is to type:
After the shutdown graphic shows. However, the text will be in 40-column mode, which is hard to read, and incompatible with some programs.
If you want to get a nice, clean DOS prompt, you can type:
This will reset the screen display to the normal (80-column, 16 color) DOS display mode.
*MOST* Windows security programs are based on a VxD (virtual device driver), which gives them unprecedented power over the system while Windows is running. After shutdown, all Windows-based programs, VxDs included, are unloaded, leaving you free to explore using DOS.
For some unknown reason, this doesn't seem to work on some systems.
DOS through Windows Login
When Windows 95 Starts up, some systems are set up to show a Windows/Network Login dialog box. You can press either
Which will let you Shut down the system (and apply the DOS THROUGH MODE technique), End any running tasks, etc. Or:
Which, since the taskbar hasn't loaded, will launch Task Manager. From this window you can end tasks, run programs, and shutdown the system (again, the DOS THROUGH MODE technique is applicable here). *All* programs are accessible from the run menu, so you can run C:\COMMAND.COM to get access to DOS.
2c. Getting past NetWare
This section is based on excerpts from the Netware Hacking FAQ. Although Netware has met a general decline in use over the years, I still thought it would be proper to include this.
Common Account Names
Novell NetWare has the following default accounts: SUPERVISOR and GUEST, and NetWare 4.x has ADMIN and USER_TEMPLATE as well. None of these has a password set after installation. Don't be a dummy: password-protect SUPERVISOR and ADMIN immediately. Below is a listing of common default and built-in accounts that it might be in your best interest to secure.
Account        Purpose
-------------  ---------------------------------------------------------------
POST           Attaching to a second server for email
               Attaching to a second server for printing
               Attaching an email router to the server
BACKUP         May have password/station restrictions (see below); used for
WANGTEK        backing up the server to a tape unit attached to the
               workstation. For complete backups, Supervisor equivalence is
               required.
               A test user account for temporary use
               Palindrome default account for backup
CHEY_ARCHSVR   An account for ARCserve to log in to the server from the
               console for tape backup. Version 5.01g's password was
               WONDERLAND.
GATEWAY        Attaching a gateway machine to the server
FAX            Attaching a dedicated fax modem unit to the network
               Although not required, per the Microsoft Win95 Resource Kit,
               Ch. 9 pg. 292 and Ch. 11 pg. 401, you need this for resource
               sharing without a password.
When NetWare is first installed, the account SUPERVISOR and GUEST are left unprotected, that is, with no password. SUPERVISOR has free run of the system. You can do anything you want.
But how can you make the server think it has just been installed without actually reinstalling the server and losing all data on the disk? Simple. You just delete the files that contain the security system!
In NetWare 2.x, all security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS). NetWare 3.x stores that information in three files (NET$OBJ.SYS, NET$VAL.SYS and NET$PROP.SYS). The all-new NetWare 4.x system stores all login names and passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS and UNINSTAL.NDS [this last file may not be there; don't worry]).
Although Novell did a very good job encrypting passwords, they left all directory information easy to find and change if you can access the server's disk directly, using common utilities like Norton's Disk Edit.
Using this utility as an example, I'll give a step-by-step procedure to make these files vanish. All you need is a bootable DOS disk, Norton Utilities' Emergency Disk containing the DiskEdit program and some time near the server.
**NOTE: If Disk Edit is unavailable, any Disk Editing utility with searching capabilities will suffice.
3. Building a SECURE System
3a. Understanding the Issues
After reading this FAQ, you've probably revised your idea of a secure PC quite a bit. Truth be told, IBM didn't design the Personal Computer with security in mind. Back in 1980, their main objective was to get _something_ to market before Apple gobbled up all the market share.
After a while, security programs started to emerge that attempted to bridge this gap. These were quite popular, and were put into use by many companies to prevent 'curious' employees from messing with
However, ways to bypass these security programs were quickly found. As long as computers are designed for convenience, and with humans in mind, this will almost always happen.
So, who are potential "Hackers"? The answer is: Anyone. Experienced users especially, but even newbies sometimes find weak spots. This is not to say that everyone *is* a "hacker". (Note that I use quotes because I don't believe in the popular usage of the term "Hacker". The media is out of control: their usage of the word has conflated Computer Gurus with Criminals in the minds of the people.)
As always, prevention is the best medicine. The following sections deal with how to secure your system, both through physical and software-based means.
In the old days, back when computers filled multiple rooms, the security of a system was basically all physical: Locks, security guards, etc. Now the emphasis has shifted away from physical security, and is leaning more towards software-based methods. However, in some cases, a certain degree of physical security is in order.
***If you want to prevent people from resetting your CMOS, accessing the floppy drives, etc., you have to secure the system unit itself. This can be done by keeping the computer in a locked room, leaving only the screen and keyboard accessible. There are many products that let you extend the reach of screen and keyboard cables, and even some (KVM switches) that let you control many different computers from one screen and keyboard.
***There are also security devices available made by companies such as Anchor Pad, Lucasey, and others that completely enclose the PC. These are devices such as lockdown pads, cables for monitors, and metal boxes. There are also devices that cover and lock the floppy and CD-ROM slots.
***Computer locks which bind your computer to a desk are good for discouraging theft.
***To protect your hard disk data, I would suggest investing in a removable media system that lets you "hot-swap" and lock hard disks. The hard disk could then be easily removed (with the *unique* key) and stored in a safe to prevent theft of data. Drives such as the Zip (100MB), Ditto (800MB), and Jaz (1GB) are removable as well, but do not lock.
Make sure that you test the computer immediately after these lockdown devices are installed. In some instances the stress induced on the casing by the devices can cause certain parts to malfunction.
***You can buy devices that prevent the PC electrical cord from being unplugged or turned on without a key.
***Investing in a UPS (Uninterruptible Power Supply) is worth the cost. These protect against power surges and sags which can damage your system. In the case of a power outage (or if someone trips over the cord), a UPS gives you several minutes of battery power to save your work and perform an orderly shutdown.
***As one last measure of security, it's always nice to invest in some insurance for your computer. It won't get your data back, but it *will* give you some peace of mind.
Below is a list of measures you can take to secure your system using software/firmware based methods. They are listed in order of increasing security, so minimum security would be only implementing option #1, maximum security would be implementing #1-8. Keep in mind that implementing any of these without implementing every item below it leaves possible entry points open.
Passwords are generally the weakest link in the security chain. When choosing a password, remember these tips:
Do NOT choose something obvious: swear words, your birthdate, and topics pertaining to what you do and/or your interests are all examples of BAD passwords.
A Good Password is one that is totally random. To pick a password, try this: Grab a dictionary. Close your eyes, and flip to a random page. With your eyes still closed, put your finger on a random spot on this page. Remember the word, and do this again. Combine the two words, and append a three-digit number to the end. You also might want to intersperse non-alphanumeric characters into the password in random ways, such as an odd dash or apostrophe here and there.
Also, NEVER write your password down. Always keep it in your head. A simple Post-It note on your monitor can bring down all the security that you so meticulously set up!
A good password system hides the passwords from everyone, including the system administrators (it stores only a one-way hash, never the password itself). This means that the sysadmins cannot tell afterwards whether users are choosing weak passwords, so any check for weak passwords has to be done at the moment the password is set.
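As an added example (not from the original FAQ), here is the dictionary recipe above turned into code, together with the arithmetic that says how strong it is and a check for the classes of bad password listed above. The twelve-word list is a constructed stand-in for the dictionary; the entropy function works for any dictionary size, and the date patterns and personal-detail list in is_obvious are my own choices, not taken from the FAQ.

```python
import math
import re
import secrets

# Constructed stand-in for the dictionary; a real run would read a word list
# such as /usr/share/dict/words. Only its size matters for the strength maths.
WORDLIST = ["anchor", "basket", "candle", "dolphin", "engine", "falcon",
            "garden", "hammer", "island", "jacket", "kettle", "lantern"]

DIGITS = 3                      # the FAQ's three-digit suffix


def faq_password(words=WORDLIST, rng=None):
    """The FAQ's recipe: two words picked at random from the dictionary,
    joined, with a three-digit number appended. The eyes-closed page flip is
    replaced by a CSPRNG; pass a seeded random.Random only for testing."""
    rng = rng or secrets.SystemRandom()
    first, second = rng.choice(words), rng.choice(words)
    number = rng.randrange(10 ** DIGITS)
    return f"{first}{second}{number:0{DIGITS}d}"


def scheme_entropy_bits(dict_size, digits=DIGITS):
    """Bits of guessing entropy for the recipe against an attacker who knows
    the recipe: log2(dict_size^2 * 10^digits). Two words from a 50,000-word
    dictionary plus three digits give about 41 bits."""
    return 2 * math.log2(dict_size) + digits * math.log2(10)


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the password at a given guess rate (on average
    half the space has to be searched)."""
    return 2 ** (bits - 1) / guesses_per_second


# Assumed date shapes for the "your birthdate" case: 6 or 8 bare digits,
# or day/month/year with any common separator.
_DATE_LIKE = re.compile(r"^\d{6}$|^\d{8}$|^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$")


def is_obvious(password, words=WORDLIST, personal=()):
    """Reject the FAQ's examples of BAD passwords: a bare dictionary word,
    a date such as a birthday, or anything containing a caller-supplied
    personal detail (name, interests, pet)."""
    lowered = password.lower()
    if lowered in (w.lower() for w in words):
        return True
    if _DATE_LIKE.match(password):
        return True
    return any(p.lower() in lowered for p in personal if p)


if __name__ == "__main__":
    pw = faq_password()
    print("password:", pw, "obvious:", is_obvious(pw))
    for size in (len(WORDLIST), 50_000):
        bits = scheme_entropy_bits(size)
        print(f"{size:6d}-word dictionary: {bits:5.1f} bits, "
              f"{seconds_to_crack(bits, 1e6) / 3600:.1f} h at 1M guesses/s")
```

The entropy figure is the number that matters: the recipe is only as good as the size of the dictionary the words come from, and against an attacker who knows the recipe the three digits add just under ten bits.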
One final note: When designing a security system, be sure to take the user into account. If a system is of such high-grade security that it is a nuisance to use, people will always find the lazy way to do it. (Post-it Notes...)
Appendix ( (c) Njan 1999 )
If you have Windows 3.0, 3.1 or 3.11
To partially protect DOS access while booting, you can disable and re-enable the keyboard. Put the command CTTY NUL at the top of your AUTOEXEC.BAT and CTTY CON at the end of it. CTTY NUL redirects console input and output to the NUL device, so keystrokes (Ctrl+C and Ctrl+Break included) are ignored while the rest of AUTOEXEC.BAT runs; CTTY CON hands the console back. Note that this only guards AUTOEXEC.BAT: the F5/F8 keys are read before it runs and have to be disabled separately.
Then, to stop access to DOS by crashing Windows, add these commands to the bottom of your AUTOEXEC.BAT:
Note: These registry keys took months of work to find out. Do NOT redistribute this under your own name, or die a horrible death. The appendix may be distributed with Njan's permission. Main tutorial? I don't know. Ask the bloke that made it.