_____________________________________________________________________________

The Hacking Truths Manual: Hacking Windows 9x Part 1 ----Ankit Fadia

_____________________________________________________________________________

On reading the title of this manual all you uberhackers will be going #@#! and getting ready to flame me. But I am first going to bring the newbies up to a certain level before introducing advanced topics. A lot of hacker enthusiasts are still running Microsoft Windows 9x,

and would otherwise be putting lame questions to mailing lists and getting flamed for it. This manual teaches you how Windows itself can be hacked, and how Windows can be used for hacking. Once you have finished it you will be able to show off your Windows proficiency and impress all your wannabe hacker friends.

BIOS Passwords

Basic settings on your computer, such as how many and what kinds of disk drives you have, which of them are enabled and which ones are used for booting, are held in a small amount of battery-backed CMOS RAM on the motherboard. A tiny battery keeps this memory powered so that it still remembers its settings when the computer is switched off. The BIOS password, when one is set, lives in the same CMOS RAM, which is why the tricks below that cut power to it also clear the password.

A common method of entering the BIOS setup is pressing the Del key at bootup; other common keys are F2, F1, Ctrl+Alt+Esc and Ctrl+Esc.

Most computers have a BIOS which can be configured to ask for a password as soon as the computer is switched on. If this option is enabled then as soon as the PC is switched on a dialog box welcomes you and asks for the password. You cannot skip this prompt from the keyboard, and you cannot turn it off in the setup screens without first getting past it, because the setting that controls it is inside the password-protected setup itself.

So what do you do? Disable it another way.

To disable the BIOS password you need to get into the BIOS setup, and the setup asks for a password. The most common method of getting past this prompt is trying the manufacturers' default (backdoor) passwords. Some common ones are:

lkwpeter
j262
AWARD_SW
AWARD_PW
Biostar
AMI
Award
bios
BIOS
setup
cmos
AMI!SW1
AMI?SW1
password
hewittrand

Many BIOSes have a default (backdoor) password that can be tried. "j262" is reported to open many versions of Award BIOS; "AWARD_SW" and "AWARD_PW" work on some computers as well, but much less often. On some Award versions the key sequence Shift+s y x z is also reported to work. None of these is guaranteed: the backdoor passwords vary with the BIOS vendor and version, and newer versions drop them. A good place to look up the default passwords of various BIOSes is http://astalavista.box.sk, which is a good search engine for security related material.


There are various BIOSes out there and each BIOS has various versions. So in order to find out the default password of a particular BIOS, one can go to the web site of that BIOS vendor. The web sites are:


award.com
megatrends.com
mrbios.com

Well, if the default passwords did not work then get ready for some serious hacking stuff. As the default BIOS password did not work we will try to reset the CMOS to its default settings, so that the BIOS asks for no password at all. To do so:

First switch the machine off and unplug it from the mains (an ATX board keeps standby power on the motherboard even when it is "off"), then open the computer and look for a round lithium battery; it looks like a silver coin. Remove the battery, wait 30 seconds or so (longer on some boards; a few minutes is safe) and put it back. Some computers may also require you to move the CMOS-clear jumper, so look for a 3-pin jumper near the battery. For example, on most machines you will find a three-pin header with pins one and two jumpered. If you move the jumper to pins two and three, leave it there for over five seconds and then move it back, it will reset the CMOS. Note that on many laptops the password is kept in a separate EEPROM rather than in CMOS RAM, and neither trick will clear it.

When you boot the machine the BIOS may give an error saying that the CMOS checksum is bad or that settings were reset, and will ask you to enter setup and load the defaults; that is expected and not a problem.

**************************

WARNING: Messing with the CMOS chip and the jumper is more dangerous than editing system files. So do everything with utmost caution.

**************************

**************************

Hacking Trick: On some older machines a long run of keystrokes at the password prompt is reported to overflow the BIOS keyboard buffer and crash the password routine.

To try this, boot the PC and wait for the password prompt, then keep pressing Esc (or any key) 50 to 100 times. If it works, the password routine crashes and the computer continues booting. This only works on a few machines, so do not count on it.

*************************

There's a pretty lame solution to the BIOS password problem. It's a program called KillCMOS, which you can download from http://www.koasp.com, or if you can't find it there search for it at http://astalavista.box.sk. Programs of this kind run from DOS and simply overwrite the CMOS RAM through I/O ports 70h and 71h, which has the same effect as pulling the battery: every BIOS setting, including the password, is wiped and has to be set again.

There are also a number of CMOS password crackers available on hacker web sites. But using someone else's program doesn't make you feel that you are hacking a computer, and it is really lame to use someone else's software for hacking and then call yourself a hacker.

Windows Login Password

You have cracked the BIOS password and are just about to say how lame this hack was, when you suddenly see Windows asking you for the login password and you go "shit, what do I do now?"

Well, fret not, this hack is even lamer than the previous one. After it you will know why a hacker running WinDoze is considered lame, and why a hacker laughs whenever someone says Microsoft and security in the same sentence.

To hack the Windoze login password, reboot and wait for the message:

"Starting Windows 95..."

When you see this on the screen press F8 and the boot menu will come up. (Windows 98 does not show this message and does not pause: hold down the Ctrl key as the POST finishes instead, and the same menu appears.) Select "Command prompt only" (or "Safe mode command prompt only"); its number in the menu depends on the version and on whether networking is installed.

This boots into DOS. Then go to the Windows directory by typing

C:\>cd windows

******************

TIP: Keys that affect the boot process are F4, F5, F6, F8, Shift+F5, Ctrl+F5 and Shift+F8 (F5 boots straight into Safe Mode, Shift+F5 gives the command prompt only and Shift+F8 gives step-by-step confirmation). Try them out and see what happens!!!

*******************

Then rename all files with the extension .pwl by typing the following command:

C:\WINDOWS>ren *.pwl *.xyz

Or delete them by typing

C:\WINDOWS>del *.pwl

Now when the Windows login dialog pops up you can type anything into the password box. The .pwl files are the per-user password lists: USERNAME.PWL holds that user's cached passwords (network shares, dial-up connections and so on), encrypted with a key derived from the Windows login password, and the login dialog checks what you type against that file. With the file gone there is nothing to check against, so Windows accepts whatever you type as the password (it may ask you to confirm it as a new one), creates a fresh .pwl for that user and carries on. Renaming is better than deleting: you can put the original file back afterwards and the victim will not notice that the PC has been tampered with, whereas a deleted file leaves the user with an empty password cache.

******************

Hacking Trick

There is a way of disabling the F8 key or the boot up key.

  1. We are about to play with fire! It is really dangerous to play with the system files, so back up the system files on disks just in case, or at least make a startup disk so you can repair msdos.sys if you make a mistake.

    ******************

    Hacking Trick

    Don’t have a boot disk? Wanna know how to make one? Well it’s simple.

    Insert a blank floppy into the floppy drive and goto the control panel. Click on Add/Remove Programs, then click on the Start Up disk tab and then click on the Create Disk button.

    *******************

    2. Find the file msdos.sys, which lives at c:\msdos.sys. Since this is a hidden, read-only system file, you will have to make it writeable by changing its attributes. Go to the DOS prompt and first go to the root directory:

    C:\WINDOWS>cd\

    Then make msdos.sys writeable and unhide it by typing:

    C:\>attrib -r -s -h msdos.sys

    3. Open msdos.sys in WordPad (or Notepad).

    4. You will see something that looks like this:

    ;FORMAT

    [Paths]
    WinDir=C:\WINDOWS
    WinBootDir=C:\WINDOWS
    HostWinBootDrv=C

    [Options]
    BootMenu=0
    BootMulti=1
    BootGUI=1
    DoubleBuffer=1
    AutoScan=1
    WinVer=4.10.1998
    ;
    ;The following lines are required for compatibility with other programs.
    ;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
    ;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa

    (BootMenu=0 is the default and is often not listed at all; BootMenu=1 would show the boot menu at every start.)

    To disable the function keys during bootup, directly below [Options] insert the line "BootKeys=0" (without the quotes, of course). With BootKeys=0 Windows ignores the startup keys (F4, F5, F6, F8, Ctrl and their Shift and Ctrl variants), so the boot menu cannot be reached from the keyboard.

    Instead of, or in addition to, the BootKeys line you can also insert the line:

    "BootDelay=0"

    BootDelay is the number of seconds (the default is 2) that Windows 95 waits at the "Starting Windows 95..." message while it looks for those keys; setting it to 0 removes the window in which they are read. Not many people know about the BootDelay=0 command, so that along with the BootKeys command does make your machine safer. Keep in mind that neither setting protects against booting from a floppy or against someone editing msdos.sys from another operating system; they only close the keyboard route.

    Then save msdos.sys, keeping the block of ;xxxx lines at the end so that the file stays over 1024 bytes.

    5. Since msdos.sys is an important system file you should change its attributes back to read-only, system and hidden by typing:

    C:\>attrib +r +s +h msdos.sys

    *******************
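The steps above, done as a script rather than by hand. This is an added example and not part of the original manual: it edits msdos.sys as text, inserts or replaces BootKeys and BootDelay inside [Options] without disturbing the other lines, and pads the file with the same kind of ;xxxx filler lines so that it stays over the 1024-byte limit the file's own comment warns about. The sample file below is constructed from the layout shown above; on a real machine you still run attrib -r -s -h c:\msdos.sys before and attrib +r +s +h c:\msdos.sys after.

```python
"""Set BootKeys=0 / BootDelay=0 in a Windows 9x MSDOS.SYS without breaking it.

Added example, not part of the original manual.  It edits the file as text,
so it is tested here on a constructed sample; on a real machine run
attrib -r -s -h c:\\msdos.sys first and restore the attributes afterwards.
"""
import sys

MIN_SIZE = 1024            # MSDOS.SYS must stay larger than this (see its own comment block)
PAD_LINE = ";" + "x" * 69  # same kind of filler line the file already carries
EOL = "\r\n"               # DOS line endings

# Constructed sample in the layout the manual shows (Windows 98 values).
SAMPLE_MSDOS_SYS = EOL.join([
    ";FORMAT",
    "",
    "[Paths]",
    "WinDir=C:\\WINDOWS",
    "WinBootDir=C:\\WINDOWS",
    "HostWinBootDrv=C",
    "",
    "[Options]",
    "BootMulti=1",
    "BootGUI=1",
    "DoubleBuffer=1",
    "AutoScan=1",
    "WinVer=4.10.1998",
    ";",
    ";The following lines are required for compatibility with other programs.",
    ";Do not remove them (MSDOS.SYS needs to be >1024 bytes).",
    PAD_LINE + "a",
]) + EOL


def _section_bounds(lines, name):
    """Return (first, end) indexes of the lines belonging to [name], or None."""
    start = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None:
                return start, i              # the next section header ends ours
            if s[1:-1].lower() == name.lower():
                start = i + 1
    return (start, len(lines)) if start is not None else None


def get_options(text):
    """Parse the [Options] section into a {name: value} dict."""
    lines = text.splitlines()
    opts = {}
    bounds = _section_bounds(lines, "Options")
    if bounds:
        for line in lines[bounds[0]:bounds[1]]:
            s = line.strip()
            if "=" in s and not s.startswith(";"):
                key, value = s.split("=", 1)
                opts[key.strip()] = value.strip()
    return opts


def set_option(text, name, value):
    """Return text with name=value in [Options]; an existing line is replaced in place."""
    lines = text.splitlines()
    bounds = _section_bounds(lines, "Options")
    if bounds is None:                       # no [Options] at all: append one
        lines += ["[Options]", f"{name}={value}"]
        return EOL.join(lines) + EOL
    start, end = bounds
    body = lines[start:end]
    # The real options come first; the ';' comment/padding block ends them.
    first_comment = next((i for i, l in enumerate(body) if l.strip().startswith(";")), len(body))
    head, tail = body[:first_comment], body[first_comment:]
    new_line = f"{name}={value}"
    seen = False
    for i, line in enumerate(head):
        key = line.split("=", 1)[0].strip().lower() if "=" in line else None
        if key == name.lower():
            head[i] = new_line if not seen else None   # keep one copy, drop duplicates
            seen = True
    head = [l for l in head if l is not None]
    if not seen:
        head.append(new_line)
    return EOL.join(lines[:start] + head + tail + lines[end:]) + EOL


def pad_to_min_size(text):
    """Append filler comment lines until the file exceeds MIN_SIZE bytes."""
    while len(text.encode("latin-1")) <= MIN_SIZE:
        text += PAD_LINE + EOL
    return text


def harden(text):
    """Apply the two settings from the manual and keep the size rule intact."""
    text = set_option(text, "BootKeys", "0")    # ignore F4/F5/F6/F8/Ctrl at startup
    text = set_option(text, "BootDelay", "0")   # no pause in which those keys are read
    return pad_to_min_size(text)


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # python hardenmsdos.py C:\MSDOS.SYS
        with open(sys.argv[1], "r", newline="") as f:
            original = f.read()
        with open(sys.argv[1], "w", newline="") as f:
            f.write(harden(original))
    else:
        print(harden(SAMPLE_MSDOS_SYS))
```

Run it with the path of msdos.sys as the only argument to edit the file in place, or with no argument to see what it does to the sample. Opening the file with newline="" keeps the CR/LF line endings that io.sys expects.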

    ********************

    Hacking Trick:

    Now there is another way of getting past the Windows password. When the boot menu comes up (the one you get by pressing F8, remember???) select Safe Mode. Or, instead of going through the menu, simply press F5, which boots the machine directly into Safe Mode. When Windows boots in Safe Mode it loads no network drivers and does not ask for the login password, so you can work on the machine in Safe Mode.

    There is yet another way of bypassing the password. (And Micro$oft says Windows security is quite good... gimme a break.) Sometimes the boot keys like F8, F5 etc. are disabled (see BootKeys=0 above); then your startup disk comes in handy. After the BIOS password has been hacked, enter the BIOS setup (on most machines by pressing Del during boot-up), enable booting from A:, insert the boot disk, wait for the DOS prompt, type out the ren or del commands given above, and you are through.

    *******************

    Actually, if the machine is running Windows 95 or Windows 98 and is not part of a LAN you do not need to perform the above hacks at all. You can simply click on Cancel (or press Esc) when the Windows login dialog comes up: the dialog protects the password cache and picks a user profile, it does not keep anyone off the machine. Anyway a good hacker should know all the ways it can be done. Well, that wraps up the passwords section of this manual.

    There is also a tool that ships with Windows which will let you remove some cached Windows passwords. It is called Password List Editor (pwledit.exe). If it is installed you can find it under Start>Programs>Accessories>System Tools; if not, install it from the Windows 95 CD, where it is in d:\admin\apptools\pwledit (on the Windows 98 CD look under \tools\reskit\netadmin\pwledit). Pwledit shows the resources for which the logged-in user has cached a password and lets you delete individual entries; it does not display the passwords themselves and does not remove the Windows login password.

    Changing Windows Visuals

    Now that you know how to break into a local machine running Windows, let's learn some Windows tricks which can be used to impress people. Although they are quite lame, being interesting I thought I would mention them in this manual. If your computer is configured normally then a boring blue screen saying Welcome to Windows 95 (or 98) welcomes you every time you boot. Do you want to change it to a wacky one with skulls and blood all around? Well hang on, this section will give you a step by step process of how to change your boot-up screen and also the boring old shut-down splash screen.

    To change the startup screen in Windows 95/98 look for the file c:\logo.sys. Despite the .sys extension it is not a driver: it is an ordinary 320x400 pixel, 256-colour Windows bitmap (BMP) that is stretched to double width when displayed. Keep it at that size and colour depth when you edit it, or it will not be shown.

    Now since this file has the extension .sys it is probably hidden, so you might not be able to see it in Windows Explorer. To list all .sys files irrespective of their attributes, go to MS-DOS and after typing cd\ type the following:

    C:\>attrib *.sys

    This might bring the following on the screen:

    A  SHR     C:\MSDOS.SYS
    A  SHR     C:\IO.SYS
    A          C:\CONFIG.SYS
    A  SHR     C:\LOGO.SYS

    This machine already had a logo.sys in c:\. The SHR signifies that logo.sys is a System file, is Hidden and is Read-only.

    Some machines do not have c:\logo.sys (Windows then uses the copy of the logo built into io.sys). In that case copy logow.sys from the Windows directory to c:\logo.sys as a template, by going to MS-DOS and typing:

    C:\>cd windows

    C:\WINDOWS>copy logow.sys c:\logo.sys

    Now as we have seen earlier logo.sys is a read-only file, that is, it cannot be edited. To make it editable change its attributes by doing the following:

    Step 1. Go to MS-DOS.

    Step 2. Type the following:

    C:\WINDOWS>cd\

    C:\>attrib -s -h -r logo.sys

    This makes logo.sys editable. Now follow these steps to finally get the wacky welcome screen you want:

    Step 1: Open MS Paint.

    Step 2: From the File menu select Open.

    Step 3: Open c:\logo.sys (set the file type to "All files" so that Paint shows it).

    Step 4: This opens the boring startup splash screen. You can play with it and make your own splash screen. Do not resize the image, and when saving choose the 256-colour bitmap format.

    Then save it as c:\logo.sys. Change its attributes back to normal by typing the following command at the MS-DOS prompt:

    C:\>attrib +s +h +r logo.sys

    Now restart your computer to find yourself being greeted by your very own wacky cool splash screen. Similarly you can change the shutdown screens, which live in the Windows directory: logow.sys is the "Please wait while your computer shuts down" screen and logos.sys is the "It is now safe to turn off your computer" screen. Go to the command prompt and make logow.sys editable by following the above steps, then open it in Paint, edit it and save it as c:\windows\logow.sys. After saving it change its attributes back to normal (c:\>attrib +h +s +r c:\windows\logow.sys). Voila, even your boring shutdown screen has been changed.
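A check you can run on the edited file before restoring its attributes. This is an added example, not something from the original manual: it reads the BMP headers of logo.sys (or logow.sys/logos.sys) and confirms the picture is still an uncompressed 320x400, 256-colour bitmap, which is the one common way these edits go wrong (Paint saving a 24-bit or resized picture that Windows then never displays). The make_blank_logo helper builds a bitmap from scratch so the check can be exercised without a real logo.sys; the grey palette it uses is made up.

```python
"""Check that a bitmap has the format Windows 9x expects for logo.sys / logow.sys / logos.sys.

Added example, not from the original manual.  Paint will happily save the
picture as a 24-bit or resized bitmap, and such a file is silently not shown
at boot; this script catches that before you restore the attributes.
"""
import struct
import sys

LOGO_WIDTH, LOGO_HEIGHT, LOGO_BPP = 320, 400, 8   # 320x400, 256 colours, shown stretched to 640x400

FILE_HEADER = "<2sIHHI"        # BITMAPFILEHEADER: type, file size, reserved x2, pixel-data offset
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, ...


def inspect_bmp(data):
    """Return the header fields that matter, or raise ValueError if this is not a BMP."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, _, _, _, pixel_offset = struct.unpack_from(FILE_HEADER, data, 0)
    info_size, width, height, planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if info_size < 40:
        raise ValueError("old OS/2-style DIB header, not what Windows 9x writes")
    return {"width": width, "height": abs(height), "bpp": bpp,
            "compressed": compression != 0, "pixel_offset": pixel_offset}


def is_valid_logo(data):
    """True only for an uncompressed 320x400 8-bit bitmap."""
    try:
        info = inspect_bmp(data)
    except ValueError:
        return False
    return ((info["width"], info["height"], info["bpp"]) == (LOGO_WIDTH, LOGO_HEIGHT, LOGO_BPP)
            and not info["compressed"])


def make_blank_logo(colour_index=0, bpp=LOGO_BPP, width=LOGO_WIDTH, height=LOGO_HEIGHT):
    """Build a bitmap from scratch (constructed test data: a flat screen, grey palette)."""
    palette = b"".join(bytes((i, i, i, 0)) for i in range(256)) if bpp == 8 else b""
    row_bytes = (width * bpp // 8 + 3) // 4 * 4       # rows are padded to 4-byte multiples
    pixels = bytes([colour_index]) * (row_bytes * height)
    pixel_offset = 14 + 40 + len(palette)
    info = struct.pack(INFO_HEADER, 40, width, height, 1, bpp, 0, len(pixels),
                       2835, 2835, 256 if bpp == 8 else 0, 0)
    header = struct.pack(FILE_HEADER, b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    return header + info + palette + pixels


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) == 2 else None   # e.g. python checklogo.py C:\LOGO.SYS
    data = open(path, "rb").read() if path else make_blank_logo()
    info = inspect_bmp(data)
    print(f"{info['width']}x{info['height']} {info['bpp']}-bit; ok for logo.sys: {is_valid_logo(data)}")
```

The header parse only trusts the two fixed-size structures at the start of the file, so it works on a file that is still hidden or read-only; nothing is written.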

    Cleaning your Tracks

    Now when you type in the URL of a particular site what actually happens? The browser contacts the web site you are trying to access, downloads all the images and text of the page you are visiting and stores them on the hard disk, in the disk cache. So a person who has access to your machine is able to find out which sites you visited. Say you work in a company and want to change your job, so you take to the net to look for a new one and visit many job-search sites, and your boss keeps a check on what the company Internet account is being used for. When he goes through the disk cache and finds out that one of his workers is looking for another job, I can assure you it will not be pleasant for you. So how can we remove all traces from the hard disk of which sites we visit? Both Netscape's Navigator and Microsoft's Internet Explorer store the URLs of the web pages you have recently visited in the URL history, and all images and other page files in the cache, for future reference.

    ###############################

    Hacking Info:

    Every computer which is connected to the Internet is assigned an IP address. If you want to connect to a certain computer, you have to know its IP address. But IP addresses are quite long and are not easy to remember. So what do you do? This is what hostnames are for. Hostnames are human-readable names for IP addresses. Say you want to go to hotmail.com: you do not need to write its IP address, you just write hotmail.com, which is easy to remember. When you enter the hostname the browser asks a DNS (Domain Name System) server, which looks up the IP address that belongs to that hostname.

    Tech Words:

    URL - Uniform Resource Locator - the address of a page.

    ##############################

    Internet Explorer Users

    To delete all entries in Internet Explorer's history:

    1. In an Internet Explorer window, click on the View menu (in Internet Explorer 5 and later it is the Tools menu).

    2. Choose Internet Options from the drop-down menu.

    3. Click the Clear History button in the History frame.

    This will delete all entries in Internet Explorer's history. But sometimes you might want to delete only selected entries from Internet Explorer's history; to do so, do the following:

    1. Launch Internet Explorer.

    2. In the Internet Explorer toolbar click on the History button.

    3. A new frame will appear on the left side containing the history entries.

    4. To delete a specific entry either right-click on it and select Delete from the pop-up menu, or left-click once and press the Del key.

    This removes the entry for that site from the history. It does not remove the cached copies of its pages and images, which stay in the Temporary Internet Files folder until you clear the cache (next section), nor the records in the index.dat files that IE keeps in the History and cache folders; so deleting history alone does not remove all traces of the site from your machine.

    Now when you visit a particular site it will have many images, applets and other multimedia components. The browser downloads these components to your hard disk; this store is known as the cache. If you have visited a site once and your browser has downloaded all the components, then when you visit the site again the browser asks the server whether the content has changed. If it has not, the browser loads the copy from your hard disk straight away without downloading the components again, thereby saving you online time. If the content has changed it downloads a fresh copy of the page. So the cache is another place which might give away your surfing habits.

    To clear Internet Explorer's disk cache:

    1. Launch Internet Explorer.

    2. Click on View (Tools in IE 5) and then click on Internet Options.

    3. Click on the Delete Files button in the Temporary Internet Files frame.

You can also disable the caching of web content, although it is not advisable, because then you will have to download the images etc. every time you visit a web site even if the content has not changed. Anyway, to disable the cache:

1. Launch Internet Explorer.

2. Click on View (Tools in IE 5) and then Internet Options.

3. On the General tab, in the Temporary Internet Files frame, click on the Settings button.

4. Drag the "Amount of disk space to use" slider to the lowest value it allows. It does not go all the way to zero, so still clear the cache when you are done.

Cookies

What exactly is a cookie?

Maximum Security describes a cookie as---

What are cookies? The cookie concept is very much like getting your hand stamped at a dance club. You can roam the club, have some drinks, dance, and even go outside to your car for a few minutes. As long as the stamp is on your hand, you will not have to pay again, nor will your access be restricted. But cookies go much further than this. They record specific information about the user, so when that user returns to the page, the information (known as state information) can be retrieved. The issue concerning cookies, though, isn't that the information is retrieved. The controversy is about where the information is retrieved from: your hard disk drive.

Cookies (which Netscape calls persistent client state HTTP cookies) are now primarily used to store options about each user as he browses a page. The folks at Netscape explain it this way:

This simple mechanism provides a powerful new tool which enables a host of new types of applications to be written for Web-based environments. Shopping applications can now store information about the currently selected items, for fee services can send back registration information and free the client from retyping a user-id on next connection, sites can store per-user preferences on the client, and have the client supply those preferences every time that site is connected to.


Cross Reference: The article from which the previous quote is excerpted, "Persistent Client State HTTP Cookies," can be found at
http://home.netscape.com/newsref/std/cookie_spec.html.


In Internet Explorer cookies are stored as individual text files in c:\windows\cookies, one file per site, named after the user and the site (for example username@site.txt). The folder also contains an index.dat file which lists them; deleting the cookie files does not empty it, so the site names stay recorded there.

To remove cookies go to C:\windows\cookies and delete the files individually.

You can also disable cookies:

1. Launch Internet Explorer.

2. Click on View (Tools in IE 5) and then Internet Options.

3. Click on the Advanced tab (in IE 5: the Security tab, then Custom Level).

4. Scroll down to the Security section. You can enable and disable cookies by clicking on the appropriate radio buttons.

URL Address Bar

Each time you type a URL into the address bar it is stored in the bar's pull-down menu. If you clear Internet Explorer's history, the entries in the address bar are automatically deleted with it. But for the uberhackers among you there is a registry route as well:

***************

UberHacker Tip:

This involves the Windows Registry and should probably only be attempted by those familiar with it. We have tried the method and it works, but you modify the registry at your own risk. Under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer there is a key called TypedURLs. Its values are named url1, url2, url3 and so on, one per typed address; delete the values you want gone (or the whole TypedURLs key) to remove them from the typed-URL history. Close Internet Explorer first, because it writes the list back to the registry when it exits and would restore what you removed.

*****************
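The same clean-up done with a .reg file, which is how you would do it repeatably or on a machine where you do not want to click through Regedit. This is an added example and not from the original manual. It takes the text that Regedit's Export Registry File writes for the TypedURLs key and produces a REGEDIT4 file that deletes the key and recreates it with only the entries that survive, renumbered url1, url2, ... so that no gaps are left in the sequence; the export shown in the code is constructed, and the job-search hostnames in it are made up.

```python
"""Scrub Internet Explorer's typed-URL list through a .reg file.

Added example, not part of the original manual.  Input is what Regedit's
"Export Registry File" writes for the TypedURLs key; output is a REGEDIT4
file that, when merged (Registry > Import Registry File), deletes the key
and recreates it with only the surviving entries, renumbered url1, url2 ...
so that no gaps are left.  Close Internet Explorer before merging; it writes
the list back when it exits.
"""
import re

TYPED_URLS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"

# Constructed sample of an export of that key (the job-search hostnames are made up).
SAMPLE_EXPORT = "\r\n".join([
    "REGEDIT4",
    "",
    f"[{TYPED_URLS_KEY}]",
    '"url1"="http://www.perl.org/"',
    '"url2"="http://jobs.example.com/search?q=admin"',
    '"url3"="http://astalavista.box.sk/"',
    '"url4"="http://www.example.com/cgi-bin/jobs"',
    "",
]) + "\r\n"

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _unescape(s):
    # Undo .reg string escaping: backslash-quote -> quote, double backslash -> backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_typed_urls(reg_text):
    """Return the typed URLs in url1, url2 ... order from an exported .reg file."""
    urls = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current and current.lower() == TYPED_URLS_KEY.lower():
            m = VALUE_RE.match(line)
            if m and m.group("name").lower().startswith("url"):
                urls[m.group("name").lower()] = _unescape(m.group("data"))
    return [urls[k] for k in sorted(urls, key=lambda n: int(n[3:]) if n[3:].isdigit() else 0)]


def rewrite_reg(reg_text, pattern):
    """Build a REGEDIT4 file that drops URLs matching pattern and renumbers the rest.

    '[-key]' deletes the whole key; the '[key]' block after it recreates the key.
    (To delete a single value instead you would write  "url2"=-  under the key.)
    """
    rx = re.compile(pattern, re.IGNORECASE)
    kept = [u for u in parse_typed_urls(reg_text) if not rx.search(u)]
    lines = ["REGEDIT4", "", f"[-{TYPED_URLS_KEY}]", "", f"[{TYPED_URLS_KEY}]"]
    lines += [f'"url{i}"="{_escape(u)}"' for i, u in enumerate(kept, 1)]
    return "\r\n".join(lines) + "\r\n", kept


if __name__ == "__main__":
    text, kept = rewrite_reg(SAMPLE_EXPORT, r"jobs")
    print(text)          # save this as clean.reg and merge it with Regedit
```

Deleting and recreating the key is deliberate: removing a single value with "url2"=- is simpler, but it leaves a hole in the numbering, and the rewrite sidesteps the question of how IE treats such a hole.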

Netscape Communicator

Entries in the history can be removed by the following method:

1. Launch Navigator and click on the Communicator menu.

2. Click on Tools.

3. Click History.

4. Delete individual entries, or hold down the Shift key and select the range to be deleted, then press Del.

The disk cache can be deleted by:

1. Launch Navigator and click on Edit.

2. Select Preferences.

3. Click on Advanced, then Cache.

4. Click on Clear Disk Cache.

To disable disk caching:

1. Launch Navigator and click on Edit.

2. Select Preferences.

3. Click on Advanced.

4. Click on Cache.

5. Set the Disk Cache to 0.

Netscape stores cookies in a single file, cookies.txt, in the user's profile directory (the same directory that holds prefs.js, see below). Each line of that file is one cookie: domain, a flag, path, secure flag, expiry time, name and value, separated by tabs, so you can delete individual cookies by removing lines in Notepad while Navigator is closed.

To disable cookies:

1. Launch Navigator and click on Edit.

2. Select Preferences.

3. Click on Advanced.

4. Click on Disable Cookies.

Clearing typed-URL history for Navigator:

You can remove entries from the URL history by opening the file

C:\Program Files\Netscape\Users\<username>\prefs.js

in Notepad, with Navigator closed (it rewrites prefs.js when it exits and would put the entries back), and deleting lines that look like this:


user_pref("browser.url_history.URL_13", "www.perl.org/");


This removes that particular entry, perl.org in this case, which is the 13th URL in the URL history.

***********************

Hacking Tip: Netscape too gives you away in the registry, so clean your tracks there as well.

Open Regedit and expand HKEY_CURRENT_USER. This gives you a screen with a left-hand and a right-hand window. Expand Software, then Netscape, and keep expanding the keys beneath it until the right-hand window shows the URL history values. Just delete them and you're home free.

***********************
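The two Netscape profile files described above (prefs.js for the typed-URL history and cookies.txt for cookies), cleaned by script rather than by hand in Notepad. This is an added example, not from the original manual. Both file contents are constructed for the example and the profile path is an assumption; the only things taken as given are the user_pref line format shown above and the tab-separated cookies.txt layout from Netscape's cookie specification. Navigator rewrites both files when it exits, so run this only while it is closed.

```python
"""Scrub a Netscape Communicator profile: typed-URL history in prefs.js and cookies.txt.

Added example, not part of the original manual; it covers the prefs.js
lines and the cookies.txt file described above.  Both files are rewritten
by Navigator when it exits, so run this only while Navigator is closed.
Profile path and file contents below are constructed for the example.
"""
import os
import re

PROFILE_DIR = r"C:\Program Files\Netscape\Users\default"   # assumed; use your own profile

URL_HISTORY_RE = re.compile(r'^user_pref\("browser\.url_history\.URL_(\d+)",\s*"(.*)"\);$')

SAMPLE_PREFS_JS = "\n".join([
    '// Netscape User Preferences',
    'user_pref("browser.startup.homepage", "http://home.netscape.com/");',
    'user_pref("browser.url_history.URL_12", "www.perl.org/");',
    'user_pref("browser.url_history.URL_13", "jobs.example.com/search");',
    'user_pref("browser.url_history.URL_14", "astalavista.box.sk/");',
    '',
])

# cookies.txt: one tab-separated line per cookie:
#   domain, applies-to-subdomains flag, path, secure flag, expiry (Unix time), name, value
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "# http://www.netscape.com/newsref/std/cookie_spec.html",
    "# This is a generated file!  Do not edit.",
    "",
    ".example.com\tTRUE\t/\tFALSE\t946684800\tsession\tabc123",
    ".jobs.example.com\tTRUE\t/\tFALSE\t946684800\tuser\tmallory",
    "home.netscape.com\tFALSE\t/\tFALSE\t946684800\tpref\t1",
    "",
])


def _newline(text):
    return "\r\n" if "\r\n" in text else "\n"


def scrub_prefs_js(text, pattern):
    """Drop url_history entries whose URL matches pattern; return (new_text, removed_urls)."""
    rx = re.compile(pattern, re.IGNORECASE)
    kept, removed = [], []
    for line in text.splitlines():
        m = URL_HISTORY_RE.match(line.strip())
        if m and rx.search(m.group(2)):
            removed.append(m.group(2))
            continue
        kept.append(line)
    return _newline(text).join(kept) + _newline(text), removed


def scrub_cookies_txt(text, pattern):
    """Drop cookies whose domain matches pattern; comments and other lines are kept."""
    rx = re.compile(pattern, re.IGNORECASE)
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 7 and not line.startswith("#") and rx.search(fields[0]):
            removed.append((fields[0], fields[5]))   # (domain, cookie name)
            continue
        kept.append(line)
    return _newline(text).join(kept) + _newline(text), removed


def scrub_profile(profile_dir, pattern):
    """Apply both scrubs to the files on disk (not exercised by the offline sample run)."""
    report = {}
    for name, scrub in (("prefs.js", scrub_prefs_js), ("cookies.txt", scrub_cookies_txt)):
        path = os.path.join(profile_dir, name)
        with open(path, "r", newline="") as f:
            new_text, removed = scrub(f.read(), pattern)
        with open(path, "w", newline="") as f:
            f.write(new_text)
        report[name] = removed
    return report


if __name__ == "__main__":
    print(scrub_prefs_js(SAMPLE_PREFS_JS, r"jobs\.example\.com"))
    print(scrub_cookies_txt(SAMPLE_COOKIES_TXT, r"jobs\.example\.com"))
```

The cookie scrub matches on the domain column only, so a pattern like jobs\.example\.com leaves the parent .example.com cookie alone; the prefs.js scrub removes whole lines and does not renumber the remaining URL_n entries.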

The Registry

The registry is the central configuration database of the operating system. If you mess with it you may need to reinstall your operating system, so keep your installation disks ready. But if you do conquer the registry you can control the whole computer. Controlling the registry is comparable to having root access on a Unix box. Windows 98 does keep backups: ScanReg saves a copy of the registry (rb00x.cab in C:\Windows\Sysbckup) at each boot, and "scanreg /restore" from the DOS prompt can revert to one of them. But before editing the registry, make a backup copy of your own on a floppy disk.

To open the registry editor in Windows go to Start, click on Run and type regedit.

Some computers may not open the editor this way and may require you to type c:\windows\regedit.exe in the Run box. Basically you should know that the registry editor lives in the Windows directory under the name regedit.exe; the registry itself is held in two hidden files in the same directory, user.dat and system.dat. You can also open the editor by going to My Computer, then C:, then Windows, and double-clicking on regedit.

Anyway, when you open the registry you will see something like the following in the left frame:

HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA

Microsoft believes in security by obscurity. They think they are keeping users away from customizing Windows or editing the registry by hiding the editor in the Windows directory and giving the keys weird names. And the registry has been laid out such that when the average user opens it, the weird names like the ones above get the better of him. This section will tell you more about the registry and will help you overcome the fear of editing it.

The registry is made up of two files, user.dat and system.dat (DO NOT PLAY WITH THEM DIRECTLY), and controls everything about your operating system, from how the desktop looks, to which programs run at startup, to which sites you visited on the net. First of all play with the various root keys of the registry (the ones I have printed above are commonly called hives); you will soon agree with me that there is simply no way you can understand the registry this way, you would be able to see only strange names and binary values. But we hackers have a way of viewing the registry in a way we can understand.

To view the subkeys of a particular root key, expand it by clicking on the plus sign on its left. The key names do give you some idea about where you are.

Say you want to change the way a particular piece of software works, or you want to remove a password of a particular program: you can look for that software under the Software key. Click HKEY_CURRENT_USER. This will give you a screen with a left-hand and a right-hand window. Click the Software key. This will give you a list of software on the left side. On the right-hand side you will see values, some of them binary data that you cannot read. To convert a key to a form that is easy to read and change, select the key you are interested in,

then go up to the Registry heading on the Regedit menu bar. Click it, then choose Export Registry File. It will ask for a name and the path you want to export to; enter any name of your choice.

Now open WordPad and open the file you exported from the registry. Remember that the exported file has a .reg extension, so type the name with .reg (or set the file type to All Files) to find it. Do not double-click it in Explorer: that merges it straight back into the registry.

You will find that now you are able to understand a hell of a lot more, and it has become very easy to edit the entries and customize them. Once edited, merge the file back with Registry > Import Registry File. Importing adds and changes the values present in the file; it does not delete values you simply removed from the file. To delete through a .reg file write the value as "name"=- or put a minus in front of the key name, [-HKEY_...\Key].

There are a lot of registry tricks out there which can be used to improve your PC's performance or to change how Windows looks. Some common ones are:

  1. Instead of the Start written on the start button you can write your name.

  2. Change the Internet Explorer Logo.

  3. Change Recycle Bin’s name.

  4. Increase your computer Speed.

…and lots more.

There are so many that an entire website has been setup giving more tips and info on the registry.

www.regedit.com is fully devoted to the registry. They have a well-designed site with some amazing registry hacks.

I have attached the entire site organized as a help file which can be viewed locally and you will not have to go online everytime you need to learn a new trick.

Baby Sitter Programs

Are you being provoked by stupid baby-sitting programs set up by your employer or your parents to control your surfing habits? Are you being stopped by the baby-sitter program from surfing the sites you want to? Do you want to hack this program and surf the sites you want to?

I do not encourage pornography being fed to children, nor do I want to spread the idea of not obeying company policies. I just want to express the fact that no censorship program can filter all the smut off the net; people are just tricked into buying these useless programs. There are several ways to disable a web-censorship program, and they all come down to one question: how does it get started, and how is it kept running? The places below are also exactly where an administrator or investigator looks to find out what a machine runs at boot.

The first method is to press Ctrl+Alt+Del, which brings up the Close Program list of programs running at that moment. If the censorship program is in this list, click on it, click "End Task" and then click on Cancel to remove it. (A program can hide from this list by registering itself as a service process, so its absence proves nothing.)

Some programs are automatically started during boot-up from c:\autoexec.bat. Open autoexec.bat in Notepad or WordPad and delete any reference to the censorship program.

Some programs are also automatically started with Windows from the Startup folder, "C:\WINDOWS\Start Menu\Programs\StartUp". You can go to this folder and delete the shortcut to the censorship program. Shortcuts have a .lnk extension. If you delete entries from this folder it might arouse suspicion. If you keep the Shift key pressed while Windows starts, it will not start the programs in this folder.

win.ini (the load= and run= lines in its [windows] section) and system.ini (the shell= line in [boot]) can also start such baby-sitter programs, and so can the registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce and RunServices (and the same keys under HKEY_CURRENT_USER). For the .ini files, change the attributes to writeable, open the file in Notepad and delete the reference to the program, then change the attributes back to the original. On Windows 98, Start > Run > msconfig lists the registry, win.ini and Startup-folder entries on its Startup tab, has tabs for autoexec.bat, config.sys, win.ini and system.ini, and lets you untick entries without editing anything by hand.
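An inventory of the text-file startup locations just listed, as an added example that is not part of the original manual. It parses win.ini (load= and run=), system.ini (shell=) and autoexec.bat and reports every program they launch, skipping COMMAND.COM built-ins such as SET and REM that start nothing; whichever side you are on, this is the list you compare against what the machine is supposed to run. The three files and the C:\FILTER\ program paths are constructed for the example; the registry Run keys are the fourth location to check and are left to Regedit here.

```python
"""Inventory what a Windows 9x machine launches at boot from its text config files.

Added example, not part of the original manual.  It parses constructed
copies of WIN.INI, SYSTEM.INI and AUTOEXEC.BAT; the file contents and the
C:\\FILTER\\ program paths are made up.  The registry Run keys are the fourth
place to check and are not covered here (export them with Regedit).
"""

# Constructed samples standing in for C:\WINDOWS\WIN.INI, C:\WINDOWS\SYSTEM.INI, C:\AUTOEXEC.BAT
SAMPLE_WIN_INI = "\r\n".join([
    "[windows]",
    "load=C:\\FILTER\\FILTER.EXE",
    "run=",
    "NullPort=None",
    "[Desktop]",
    "Wallpaper=(None)",
]) + "\r\n"

SAMPLE_SYSTEM_INI = "\r\n".join([
    "[boot]",
    "shell=Explorer.exe",
    "[386Enh]",
    "device=*vmcpd",
]) + "\r\n"

SAMPLE_AUTOEXEC = "\r\n".join([
    "@ECHO OFF",
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "REM installed by the filter setup program",
    "C:\\FILTER\\GUARD.EXE /boot",
    "LH C:\\WINDOWS\\COMMAND\\MSCDEX.EXE /D:MSCD001",
]) + "\r\n"

# COMMAND.COM built-ins that do not start a separate program
INTERNAL_CMDS = {"REM", "SET", "PATH", "ECHO", "PROMPT", "CLS", "GOTO", "PAUSE",
                 "VER", "CD", "CHDIR", "VERIFY", "BREAK", "EXIT"}


def ini_values(text, section, keys):
    """Return {key: value} for the wanted keys inside one [section] of an INI file."""
    wanted = {k.lower() for k in keys}
    current, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in wanted:
                out[key.lower()] = value
    return out


def autoexec_programs(text):
    """Yield the commands in AUTOEXEC.BAT that actually run a program."""
    for raw in text.splitlines():
        cmd = raw.strip().lstrip("@")            # '@' only suppresses echo
        if not cmd or cmd.startswith(":"):        # blank line or batch label
            continue
        words = cmd.split()
        if words[0].upper() in INTERNAL_CMDS:
            continue
        if words[0].upper() in ("LH", "LOADHIGH") and len(words) > 1:
            cmd = cmd.split(None, 1)[1]           # LH just loads it into upper memory
        yield cmd


def startup_programs(win_ini, system_ini, autoexec):
    """Return (source, command) pairs for everything these three files launch."""
    found = []
    for key, value in ini_values(win_ini, "windows", ("load", "run")).items():
        for item in value.split():                # load= and run= take space-separated lists
            found.append((f"win.ini {key}=", item))
    shell = ini_values(system_ini, "boot", ("shell",)).get("shell", "")
    if shell and shell.lower() != "explorer.exe":   # anything but the stock shell is worth a look
        found.append(("system.ini shell=", shell))
    found += [("autoexec.bat", cmd) for cmd in autoexec_programs(autoexec)]
    return found


if __name__ == "__main__":
    for source, command in startup_programs(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_AUTOEXEC):
        print(f"{source:20} {command}")
```

To run it against a real machine, read the three files from C:\WINDOWS\WIN.INI, C:\WINDOWS\SYSTEM.INI and C:\AUTOEXEC.BAT and pass their contents to startup_programs; the parser deliberately does not judge what it finds, it only lists it.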

PwlEdit may also remove cached passwords which have been set to control surfing habits.

Internet Explorer has a built-in Content Advisor which, if enabled, asks for a password every time a site without a content rating (a PICS label, such as an RSACi rating) is encountered. This feature is so lame that it will not let the user open Yahoo without entering the Content Advisor password, because Yahoo carries no rating label.

It is very easy to edit the registry to remove this password. It has been described in the attachment.

Well fellows that is all for now and Happy Hacking!!!