Wang Products

FAQ Article: Bypassing local restrictions

This article is mainly aimed at Windows 95/98/98SE/ME systems - it is quite outdated these days.

First of all, what are local restrictions? Whenever we refer to the word 'local' what it actually means is YOUR computer, i.e. the one you are sitting at. This is, of course, the opposite of 'Remote', which would refer to a computer somewhere else (for example, a computer you connect to over the Internet would be referred to as a 'Remote Computer'). Restrictions are what system admins and those strange technicians with beards put on your local computers to stop you from accessing certain things.

Typical local restrictions include:


  • Blocking access to the Windows control panel, and any of the tools contained within.

  • Blocking access to MS-DOS

  • Blocking access to the registry

  • Blocking access to items on the start menu

  • Blocking access to particular directories or files (typically c:\windows, c:\windows\system)

  • Blocking particular web sites

  • Stopping you performing simple actions (such as creating shortcuts, and renaming files)

  • Blocking access to the BIOS (the main setup of the computer; Basic Input Output System)


Why would they want to do this? Well, just maybe, they are expecting hackers like you! We all know that we wouldn't use our knowledge to cause damage to the system (right?) - but there are many people who would. Now, for some reason, all of the networks I have access to are set up really really well (by technicians with beards)...but does this mean they are un-hackable? Of course not.

Literally every time they change something about the system, whether it be adding a new program or patching a security hole, they always open up a new hole somewhere else - it's true. Remember, no system can ever be 100% secure. Now, let's talk about some ways to bypass all of these restrictions and regain our freedom.

*Note* Some of these techniques are very dependent on how your system is set up, and some of them simply won't work for you. Please don't send me emails saying 'It doesn't work! It's rubbish!'...because I guarantee you it will work for a lot of people.

Most of the restrictions we mentioned above are set up using a program called Poledit (short for Policy Editor). This program is included on the Windows 9x and NT CDs - but is not installed by Windows by default. You will need to have a look on your Windows CD for 'poledit' in order to install it. Poledit allows you to create system policies which will block off certain areas of Windows.

How does it work? Basically, all it does is add information to the registry. Then, Windows can look in the registry to see what you are allowed to access, and what you're not. Hmm, not particularly secure, is it? So, in order to bypass the local restrictions, what we actually need to do is edit the registry.

Now, if your bearded technician actually understands how the policies work - they will have set up the policies so that you don't have access to the registry! Game over...or not. All it does is block the use of regedit.exe - so what we need to do is find a way of editing the registry without using regedit. Well, some of you clever people will use your programming languages to do it...but notepad is as good as any!

You can write registry files in Notepad! All you need to do is save them as .reg and then run them. So, the first thing we would do is re-enable the use of regedit.exe to make getting rid of the policies a little more simple. In Notepad, type in:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000


*NOTE* Please leave a blank line after the last line or the code won't work! I don't know why this is, but just trust me!

Now save it as "Registry.reg" and double click on it. If you receive a message about adding data to the registry, just click OK. Now try running regedit again (either from the c:\windows directory or from a floppy disk if the admins have removed it) - it should now let you in!

Now you can go to the registry key:


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\]


This is where the system policies are stored. Editing the items here should regain you access to the features of Windows. Let's look at a few more examples:

Another one that the bearded technicians love to disable is the display settings. The display settings are usually accessible by right clicking on the desktop and choosing 'properties'. The reason they usually disable this is because people like to mess around with the screen savers and put hacker backgrounds on the computers. So, going into Notepad and writing the following:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrsavPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispSettingsPage"=dword:00000000


and saving + running that, will regain you access to it.

*NOTE* If you have already regained access to regedit, you could just go to the registry key mentioned above and delete the values listed above. This would have the same effect.

Here is the registry code to remove the other most common policy restrictions:

Access to the DOS prompt:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000000


Re-enable the network properties in the control panel:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:00000000


Access to the password properties in the control panel:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoSecCPL"=dword:00000000


Put 'Run', 'Find', and the 'Settings' items back on the start menu:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"NoSetFolders"=dword:00000000


Make hidden drives visible again in 'My Computer':


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000000


Being able to view the Device Manager tab in the system properties:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDevMgrPage"=dword:00000000
"NoConfigPage"=dword:00000000


There are many more items that the policies can block - so I suggest you play with the poledit program and see exactly what you can do.
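Since a system policy is nothing more than registry values under the Policies keys, an admin can tell what a .reg file will do to those policies just by reading it. The following Python script is an added example, not part of the original article: it parses a REGEDIT4-format .reg file, lists every value it would set or delete, flags the ones that land under the Policies keys described above, and reports whether the file ends with the newline that regedit expects (the *NOTE* about the trailing blank line). It runs offline; the sample .reg text inside it is constructed for the demo, using the policy value names from this article plus one unrelated key.

```python
"""Audit a REGEDIT4-format .reg file: list what it writes or deletes and
flag policy changes. Added example; the sample input below is constructed."""
import re

REG_HEADER = "REGEDIT4"
# Any key containing this path is a system-policy key (compared case-insensitively)
POLICY_MARKER = "\\software\\microsoft\\windows\\currentversion\\policies"

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [KEY] or [-KEY]
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "Name"=data or @=data

# Constructed sample: resets two policies, deletes a third, writes one unrelated value
SAMPLE_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]\r\n"
    '"DisableRegistryTools"=dword:00000000\r\n'
    '"NoDispCPL"=dword:00000000\r\n\r\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\r\n"
    '"NoRun"=-\r\n\r\n'
    "[HKEY_CURRENT_USER\\Software\\Constructed\\Harmless]\r\n"
    '"Greeting"="hello"\r\n\r\n'
)


def _logical_lines(lines):
    """Join hex data that is continued over several lines with a trailing backslash."""
    buf = ""
    for line in lines:
        s = line.strip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        yield buf + s
        buf = ""
    if buf:
        yield buf


def _parse_data(raw):
    """Return (kind, value) for the right-hand side of a value line."""
    raw = raw.strip()
    if raw == "-":                                   # "Name"=-  deletes the value
        return "delete", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "string", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    low = raw.lower()
    if low.startswith("dword:"):
        return "dword", int(raw[6:], 16)
    if low.startswith("hex"):                        # hex:, hex(2):, hex(7): ...
        body = raw.split(":", 1)[1]
        return "binary", bytes(int(b, 16) for b in body.split(",") if b.strip())
    return "unknown", raw


def audit_reg(text):
    """Parse .reg text and return a report of header, entries and policy changes."""
    lines = text.splitlines()
    header_ok = bool(lines) and lines[0].strip() == REG_HEADER
    entries = []
    current_key = None
    for s in _logical_lines(lines[1:] if header_ok else lines):
        if not s or s.startswith(";"):               # blank line or comment
            continue
        m = _KEY_RE.match(s)
        if m:
            current_key = m.group(2)
            if m.group(1) == "-":                    # [-KEY] deletes the whole key
                entries.append({"key": current_key, "name": None, "action": "delete_key",
                                "kind": None, "value": None})
            continue
        m = _VALUE_RE.match(s)
        if m and current_key is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            kind, value = _parse_data(m.group(3))
            action = "delete" if kind == "delete" else "set"
            entries.append({"key": current_key, "name": name, "action": action,
                            "kind": kind, "value": value})
        else:
            entries.append({"key": current_key, "name": None, "action": "unparsed",
                            "kind": None, "value": s})
    policy = [e for e in entries if e["key"] and POLICY_MARKER in ("\\" + e["key"].lower())]
    return {
        "header_ok": header_ok,
        # regedit wants a final newline, hence the article's note about a trailing blank line
        "trailing_newline": text.endswith(("\n", "\r")),
        "entries": entries,
        "policy_changes": policy,
    }


if __name__ == "__main__":
    report = audit_reg(SAMPLE_REG)
    print("header ok:", report["header_ok"], "| trailing newline:", report["trailing_newline"])
    for e in report["policy_changes"]:
        print(f"POLICY {e['action']:6} {e['key']}\\{e['name']} -> {e['value']!r}")
```

Run it against any .reg file found in a login script or on a machine (read the file and pass its text to audit_reg) to see which policy values it resets before it is imported; a dword of 0 written to DisableRegistryTools or NoRun is exactly the kind of change the article describes.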

I have just shown you how insecure policies are - yet admins still use them. However, the other option is 3rd party programs. These are programs written by other companies that are supposed to stop you doing things. Let's look at how these might work.

Well, firstly - a program can't control what you're doing unless it's running, right? So, the first thing to look at is whether you can close the program down and therefore end the restrictions. I would first of all look at using ctrl-alt-delete and seeing what is running...if you can see something which looks suspicious - kill it.

However, some programs use stealth to stop themselves being listed in ctrl-alt-delete - so try using the program that comes with Windows 98 called 'System Manager'. It has a feature that shows you what is running on your system, and often lists items which don't appear in ctrl-alt-delete.

The next option is to get a copy of the program yourself! Use it at home and learn how it works...see if you can spot anything that could be a potential exploit and also check out how it uses the registry. If all else fails, take the drastic approach and get to the add/remove programs page and try to remove it.

Here are some other little tricks:

If you are restricted from creating shortcuts on the desktop, you can use the Windows Scripting Host built into later versions of Windows 95 and all versions of 98.

The Windows Scripting Host is kind of like a replacement for the outdated batch files (.bat files) which use the MS-DOS language. They use either Visual Basic or Java and allow you to perform many useful Windows functions - and you can write your little programs in Notepad! So, if you are restricted from creating a shortcut on the desktop, try this:

Open Notepad

Type in the following (but fill in the quoted placeholder strings with the relevant information!!):


' WScript.Shell gives access to the special folders and to CreateShortcut
Dim WSHShell, MyShortcut, DesktopPath
Set WSHShell = WScript.CreateObject("WScript.Shell")
' Path of the current user's desktop folder
DesktopPath = WSHShell.SpecialFolders("Desktop")
' Nothing is written to disk until Save is called
Set MyShortcut = WSHShell.CreateShortcut(DesktopPath & "\mylink.lnk")
MyShortcut.TargetPath = "the full path to the target file"
MyShortcut.WorkingDirectory = "the working directory for the file, i.e. the path to the folder it is in"
MyShortcut.WindowStyle = 4
MyShortcut.IconLocation = "the full path to the target file"
MyShortcut.Save
MsgBox "Done", vbInformation, "Done"


Save this file as a .vbs file. e.g. choose 'save as' from the file menu and then type the name as 'mylink.vbs'.

Once the file is saved, double click on it. A message box should appear saying 'Done' and a shortcut should now be on your desktop.

Here is the example code to create a shortcut to telnet:


' Same script as above, filled in for telnet.exe in c:\windows
Dim WSHShell, MyShortcut, DesktopPath
Set WSHShell = WScript.CreateObject("WScript.Shell")
DesktopPath = WSHShell.SpecialFolders("Desktop")
Set MyShortcut = WSHShell.CreateShortcut(DesktopPath & "\Telnet.lnk")
MyShortcut.TargetPath = "c:\windows\telnet.exe"
MyShortcut.WorkingDirectory = "c:\windows\"
MyShortcut.WindowStyle = 4
MyShortcut.IconLocation = "c:\windows\telnet.exe"
MyShortcut.Save
MsgBox "Done", vbInformation, "Done"


If you are unable to access the main motherboard setup or BIOS, there are a couple of ways of getting through the password. The first is to try some backdoor passwords - BIOS manufacturers sometimes put backdoor passes in; here are some for various BIOSes:


j262
condo
djonet
lkwpeter
biostar
biosstar
AWARD_SW
HLT
SER
SKY_FOX
BIOSTAR
ALFAROME
lkwpeter
j256
AWARD?SW
LKWPETER
Syxz
aLLy
589589
589721
awkward
AW
AMI
AMIDECODE
PASS
PASSWORD
PASSOFF
phoenix
AMI_SW
A.M.I.
AMI!SW
AMI?SW
HEWITT RAND
AWARD SW
AWARD_SW
AWARD_PS
AWARD_PW
AWARD_HW
AWARD
Syxz
j262
589589
589721
lkwpeter
djonet
CONDO
J64
BIOS
SETUP
CMOS
BIOSTAR
BIOSSTAR


If none of the backdoor passes work, try using a BIOS password cracker - the file "cmoscrack.exe" is included in this volume. This is just one of the crackers that I found.

As I say, local restrictions can be very dependent on how the system is set up - but I think most of you will find that the system policies trick works! It is also worth mentioning that you may need to remove the policies each time you log on...this is because the technician might have set the network up so that whenever you log on the policies are downloaded to your machine.

This can be a pain, but just write yourself a large .reg file which you can run when you log on and remove all the restrictions at once!