
**********

Author: Edit
Date: 30-09-04

Copyright: You may distribute this tutorial as you wish as long as this disclaimer stays intact and unmodified. You may host
this on your web server (as well as any of my other tutorials), as long as it stays completely intact (no editing) and I am given
FULL CREDIT for the work.

Disclaimer: I take no responsibility whatsoever for what you do with this information; I don't care what you use it for, it's nothing
to do with me. This tutorial was written with the intention of teaching those who would like to learn the whats and hows of
Windows XP's Administration weaknesses.

Who am I? I guess it's only polite for me to introduce myself. I'm Edit, of no fixed electronical abode; I'm not a member of any
"hacking groups" or "security organisations". I work for myself. You can contact me here; feedback is appreciated, good or
bad. Feel free to hit me with suggestions, comments, complaints or whatever.

**********

How to guarantee local Administrator access to any Windows XP box

In this tutorial I will discuss a number of different methods to gain admin access to any Windows XP system. The only catch is
that you have to have physical access to the box. I've set it out in sections, and each method should be tried in order, i.e., from
the beginning of the tutorial to the end.

Contents

1 Safe mode methods
2 Normal logon methods
3 Recovery Console methods
4 Logon.scr method
5 Password retrieval/cracking
6 Password resetters
7 XP Recovery process

Section 1 - Getting admin access using Safe Mode

The scariest part about this method is the fact that 80% of XP machines don't have an Administrator (Domain Controller)
password. Yeah, you heard right. 80%. That being so, we can boot the target machine up into Safe Mode and try logging in
with "Administrator" as the username and leaving the password blank. This will be the end of the road for most of you readers,
as this method is the most likely to work. If this method doesn't work for you, skip on down to section three - your PC is likely to
be harder to break into than the usual XP child's-play box.

What to do once you're in? Well, generally the trend seems to be adding yourself to the Administrators usergroup. But first you
need to make yourself an account. To do this, go into the Control Panel and navigate your way to Administrative Tools >>
Computer Management >> Local Users and Groups >> Users (see below). Right click in the white space on the right hand side
and select New User, add the details and be sure to make yourself a member of the Administrators usergroup.

Control Panel --> Administrative Tools


Computer Management --> Local Users and Groups --> Users

If you already have a username, you'll see it in the list on the right hand side. Right click on your username and go to Properties.
Click the Member Of tab up the top, then click the Add button and choose Administrators.

You're now an administrator.

Section 2 - Getting admin access using the Normal Login prompt

Note: If your machine is running a Novell Client, the following will not work. Instead - to log on to the local machine
only - there should be a checkbox at the bottom of the client, something like "local machine" or "this machine
only". Make sure it's checked.

Yep, you guessed it. This method is almost identical to the Safe Mode method; the only thing different is a neat little trick I
learned back in 'Nam. You know when you boot into XP normally and all you get is the normal usernames to log in as? Well,
those days are over. Give your machine the three-fingered salute (Ctrl + Alt + Delete) TWICE. Hello, we've now got a login
where we can attempt to log in with any username we like.

Type in "Administrator" as the username and leave the password blank. See Section 1 - Getting access using Safe Mode for
instructions on what to do once you're in.

Section 3 - Getting access using the Recovery Console

For this method to work you'll need to have access to a Windows 2000 Pro setup disc. We'll use this to run the Recovery
Console. How? Navigate your way into your BIOS (Basic Input/Output System) by hitting either the Delete key, F1 or F2 when
your PC first gets turned on. In the BIOS you'll need to find how to enable booting from a CD; if you're unsure you'll need to
look in your motherboard manual or go to your motherboard manufacturer's site and browse for some instructions.

**Shit, I can't get a Windows 2000 Pro disc!**


You won't need the product key or anything like that, so you should invest a night of bandwidth and download an .ISO image off
Kazaa or some other P2P network - it'll be well worth it, you'll use it more than you think.

Okay, now we've got your PC booting off the CD-ROM drive. Whack the 2000 disc in and hit any key when it asks you if you'd like
to boot off the CD. Now an even bluer screen comes up with "Loading Windows 2000 Setup" or something like that at the top.
Great, now we're setting up Windows Setup. It should take around 4-5 minutes to fully load and you'll be presented with a
screen that has a number of options. It may look something like this:

1. Press ENTER to install Windows 2000 Professional
2. Press R if you would like to run the 2000 Professional Recovery Console
3. Press F3 to exit

Or something like that. In any case, you want to hit "R" so you get prompted with a black screen that is asking you what
Windows installation you'd like to login to. It should have "1. C:\Windows\" up the top and a blinking cursor beneath it.

Note: It may not be C:\ that your Windows installation is located on - I was going to say %SYSTEMROOT%\Windows\
but that sometimes gets a little confusing.

Hit "1" and then ENTER. It's now asking you for a password... hit ENTER again. You're in!

For more information on this security hole in Windows XP, visit: < - - - - Haha, ugly looking bastard, isn't he?

Contrary to popular belief it is very difficult (i.e., I haven't been able to work it out yet) to navigate to anywhere in Documents and
Settings using the Recovery Console. I was logged in as the Full Access Domain Controller (Administrator) on my machine and
it still threw up the Access Denied error.

This led me to believe that Microsoft doesn't see a reason to be tampering with Documents and Settings using the Recovery
Console, and for good reason. Anything could be added to the startup folder if it was otherwise.

I also found, however, that you can copy files from a floppy or CD-ROM to the hard drive but not to floppies or CD-ROMs. This could
be potentially damaging for the owner of the box you're getting admin access to. What could you do with this functionality?
Almost anything.

I wrote this before I tried it... now that I've tried it I found that it probably won't work. If you'd still like to see what I
tried, read on. If not, jump down to after the blockquote.
You can now (in theory) add yourself as a normal user. Not straight away though, you'd need to prepare yourself
in advance. This is an idea that's just popped into my head; I haven't tried it and am giving no guarantees it'll work...
but here we go. My idea is to edit the autoexec.bat file so it will execute a command that will either add you as a
normal user on the machine or install a keylogger, you may take your pick. I'm going to add a normal user for this
demonstration.

**Note**
All this shit in autoexec.bat is only going to happen when the next person logs on to the machine, so don't get
impatient if you gotta wait a couple of days.

How do I edit autoexec.bat? Now here's a trick for young players. The Recovery Console comes with a built-in
BATCH command that will allow you to run any batch commands within a text file that you've copied from a floppy
in the Recovery Console. We'll create a text-cum-batch file that will add a couple of lines of extra instructions onto
the autoexec.bat file.

What will be in this batch file? Well, shit, you can put in there whatever the hell you please, but for this tutorial's
sake I'm going to add in a simple command that will add me as a new normal user next time the owner logs on.
Now you need to be kind of careful here: if you have a reasonably clued-up owner they'll notice there is a
new user if they log off then on again. But that's a risk you need to decide if you're willing to take.

Anyway, where was I? Ahh, yes, creating this batch file. I've pissed around with the recovery console for the last
half an hour and decided the best way to do this is to create a file called autoexec.bat in advance and chuck it on
a floppy. In autoexec.bat add the following text:

net user [yourusername] [your password] /ADD
exit

Where [yourusername] and [your password] are replaced with the corresponding values. This will add you as a user
with normal access privileges. We cannot add you as an administrator because it'll give us a System error 5,
access denied, if a Domain Controller isn't logged on while trying to add a user from the command prompt.

Save this file to A:\autoexec.bat.

When you get into the recovery console, whack the floppy in and type: "copy a:\autoexec.bat c:\autoexec.bat" and
hit enter. It should prompt you if you want to overwrite the autoexec.bat file. Choose 'y' for yes. Type "exit" and hit
enter.

I've just tried this method and it changed the value of autoexec.bat without a worry in the world, but there's one problem:
the autoexec.bat file in Windows XP is not parsed by default. You need to change a registry value for it to be
parsed on startup. Hey, you might get lucky.

Another interesting thing I found while using the Recovery Console was the restrictions placed on the NET command. You can
only use NET USE in the Recovery Console. This means you could potentially NET USE your way into a location on your
network and add files to the current installation, although there really isn't a lot of point unless the files are too big to fit on a
floppy (even then you could burn them to a CD).

Section 4 - Getting admin access using the logon.scr method

Personally I had high aspirations for this method. I really thought it had the potential to be one of the great XP faux pas. I wasn't
totally wrong. This method will allow you command-line access with no command restrictions, i.e., things like net user/send/
whatever aren't disabled. You do, however, come across some interesting Access Denied errors.

What's the point in this method? If you've already got a damn account why the hell are you moaning? Well, kimosabi, you may
have an account but you don't have access to the domain controller's documents, do you now? No, you don't. Well, this method
will not only let you see his/her documents, it'll let you copy, delete or even move 'em. You can own your Domain Controller's
documents.

This method will only work if you have access to the registry or can manipulate the system so the registry gets edited next time
the administrator (or someone with registry editing capabilities) logs on. It involves editing two hives (you only really need to do
one but the other just makes things faster). The usual disclaimer applies here - if you screw with your registry and you don't
know what you're doing you could shoot yourself in the foot and fuck the OS. Don't piss around if you're incompetent.

First of all you'll need to fire up the registry editor by going Start > Run and typing "regedit" or "regedt32". Now navigate your
way to the key "HKEY_USERS\.DEFAULT\Control Panel\Desktop".

There you'll find a hive called SCRNSAVE.EXE and it should have a value of "logon.scr". This hive is the hive that tells the
operating system what to do when the system has been idle for 600 seconds at the logon prompt. At the moment it is going to
execute the "logon.scr" screen saver. What's to stop us changing that to whatever we want? Absolutely nothing (except limited
access to editing the registry ;)). What you want to do is change the value of "logon.scr" to "cmd.exe". To do this, double click
on the hive SCRNSAVE.EXE (a box will pop up) and change its value.

Now this will do the trick but we might as well make it as easy as possible for ourselves because, shit, that's what we're here
for, right? In the same key you'll find another hive called "ScreenSaveTimeOut" this should (usually) have a value of 600, that
means 600 seconds. So when you restart your PC and leave it sitting at the logon prompt it'll take 10 minutes for it to execute
the "SCRNSAVE.EXE" hive. We want to change that to something a little more realistic. You can choose how long you'd like
but I'll say 10 for the sake of the argument.

Okay, so now we've changed the two registry hives and are ready to try the logon.scr method of gaining commandline
administrator access to Windows XP. Restart your machine and when it gets to the stage where it's sitting at the screen with
the usernames ready for you to click on, don't move the mouse... just wait for 10 seconds.

Holy shit, it worked! We now got a full screen command prompt at our disposal! Yeehaaa! But wait... oh man, when I try "net
user myusername mypassword /ADD" it doesn't work! Access denied! Yeah, you're right, you can't actually add new users at
all (from my experience) using this method.

But look on the bright side, you can navigate to anywhere in the OS. You can copy, paste, edit and do whatever you like with
the files on the hard drive... except the SAM.

What can I do if this method doesn't work for me?

There are a number of things you can try if this method doesn't work for you. The first and most obvious thing to try is, instead
of putting just "cmd.exe" (which should work), putting the whole path and filename, i.e., "C:\Windows\System32\cmd.exe", or
you could even go so far as changing cmd.exe to command.com.

Another interesting thing you could try is this: fire up a command prompt (or Notepad to make a batch file, whatever you have
access to) and type "copy C:\windows\system32\logon.scr C:\windows\backup\logon.scr", hit enter, type "copy C:\windows
\system32\cmd.exe C:\windows\system32\logon.scr", hit enter, hit "y". Make sure the SCRNSAVE.EXE value is "logon.scr" and
change the ScreenSaveTimeOut value to 10. Log out and wait 10 seconds.

I've included some fun things to do with commandline access below - just for your entertainment and enjoyment ;)

1. Adding ourselves as a normal user
2. Getting rid of those annoying restrictions
3. Using the shutdown command
4. Sending messages to people on your network

1. Adding ourselves as a normal user

We can add ourselves as a new user the next time the Admin logs on by putting a batch file in the admin's startup folder that
adds a new local user to the system.

But wait, if I run a batch file wont a window come up and alert the admin?! Yeah, it certainly will. But we'll get around that.
Ideally we would use VB and Windows scripting to run the batch file invisibly but I can't figure out how to make a shortcut that
I've created using a batch file to parse a couple of arguments... anyway. I may end up posting an update and enabling the
running of invisibility mode if I ever figure it out, but for now, we'll have to go with what we got.

I thought about telling you all how to use the "START [batch file] /MIN" command but then realised that because there was shit
all in the file we're going to parse it wont matter if we /MIN it or not. Larger batch files, maybe, but not this one.

**Note**
If you'd like to know any more about things I've talked about but can't include in here because of restrictions likely to be in place
under certain situations, mail me and I'll be happy to explain how to do em (e.g., running batch files invisibly and using the /MIN
switch).

First, what's going in this little batch file of ours? Well obviously we'll need a command that will add us as a new user and an
exit command.

Well, let's do it. You're currently sitting at this screen:

From here type:

net user

and hit enter. You should now see:

User accounts for \\XPPROBOX

-------------------------------------------------------------------------------
Administrator            JoeBloggs                Guest
The command completed successfully.

We now know all of the usernames on the machine you're working on. We need one of these for our batch file. We'll choose
JoeBloggs because he's most probably a local Administrator rather than a Domain Controller. Why? Most people don't even
know they have a domain controller account and the ones that do never usually use them. JoeBloggs will most probably be
owner of the PC and the main account.

Now type:

edit "C:\Documents and Settings\JoeBloggs\Start Menu\Programs\Startup\runonce.bat" hit enter

Now in the batch file you've just created type the following text:

net user myusername mypassw123 /ADD
exit

The net command usage is as follows:

Make sure you have the password in the same format as the one I've used, i.e., you should have 7 letters and 3 numbers and
make the password 10 characters in length. Why the hell would you want to do that? Because of the password policies that
may be in place on your target machine. My password policy is the password must be at least 10 characters in length and must
contain at least 3 numbers.

You can have your password longer but DO NOT have it longer than 14 characters. Why, oh why not? Because of the older
versions of Windows this time. If your password is longer than 14 characters then the batch file will prompt you and ask you if
you're sure you want that password, and you won't be able to use that account through a machine running an earlier version
of Windows.

That's what your batch file should look like. Save it and exit. That's it for this method; all you've got to do now is watch and wait -
as soon as the user logs on again you'll be an admin (as long as they don't notice or do anything about the DOS box popping up
when they log in).

Your next mission is to delete that batch file once you're a user and you've done what you want to do. The most important thing
while doing this kind of thing is covering your tracks, staying anonymous and not getting caught. Do this at school and you're
likely to be banned or excommunicated from your computer class. Be careful.

If you do manage to add yourself a user account then have a quick look at the "fun" section down below but more importantly
hop on down to Section 5 - Password Retrieval/Cracking and get into the good stuff... pure administration!

2. Getting rid of those annoying restrictions

First of all I should mention that some networks have Notepad disabled or uninstalled due to security risks (you have to admit,
it's a pretty good idea considering what we're going to do with it). I've been searching for the registry entry for a while now and
haven't managed to find it; if your Notepad is disabled or not working then you should get your own text editor and bring it on a
floppy or CD-ROM, or even email it to yourself.

Now that we got ourselves an account we can pretty much do whatever we like. Let's just test the water and see if there are
any restrictions placed on us... Fire up a command prompt. How? There are a number of ways. First try the most obvious, hit
Start and then Run. Run isn't there? Try crackin into notepad and typing the following:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000

Click File, Save As and call it "enableregtools.reg". Now go into My Computer or Explorer and find where you saved it, and double
click it. It'll ask you if you're sure you'd like to add these values to the registry; click yes. "Information successfully entered into
the registry". Click Start... Click... shit, still not there? Usually with Windows XP you'll need to reload/refresh the operating
system. There are a couple of ways to do this but the easiest way is to log out and then log back in. You could also restart the
machine but that'd just be a waste of time, wouldn't it?

Now you may just hit a brick wall here - if you have a clued-in admin then he may just have your user policy set to reset its
registry values every time you log on. That'd suck. If this is the case then you will not be able to use the Run dialog. All is not
lost, however. We can still edit the registry using Notepad and from that enable the registry tools and fire up regedit. Let's do
that now.

If you do have the Run dialog, type in "regedit" and hit enter. If you don't, then fire up Notepad and type "regedit" and save it as
"regedit.bat", making sure you selected the *.* all files option before you save. Run the batch file.

Hehehe, oldest trick in the book. Almost every admin on a network will have the brains to disable Registry Tools. Just do what
you did earlier but with this text:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

Try it again, i.e., click Start, Run and type "regedit", hit enter.

That worked? Shit. Too easy. Wander on to Section 5 - Password Retrieval/Cracking and challenge yourself.

Still no go? Maybe we're dealing with an okay admin here. Never mind - admins' rules were made to be broken, right? We'll try to
enable the registry using Visual Basic Scripting. Sounds interesting, doesn't it? Don't be scared that you've never used VBS
before - it's really quite simple. To save you having to write your own script I've found a pre-written one out there on the web;
click here to have a look. The file will be in the root of wherever you unzipped this tutorial. It's called enableRegEdit.vbs; find it
and double click.

But wait, what does it do? It uses Windows Scripting and has a look in your registry for two DWORD values and, if it finds them,
it deletes them. They're both "DisableRegTools"; one is in HKLM and the other is in HKCU. The one in HKLM disables the
running of *.reg files and the other one disables the running of regedit.exe and regedt32.exe. Once you've double clicked, a box
like this should pop up:

Note: Windows Scripting is enabled by default in Windows XP and sometimes sysadmins will even use it.

Yes? Try and open regedit again. Most probably you'll be in by now but if you're the guy that always gets that sysadmin that
thinks of everything you'll still be faced with the "Registry Editing has been disabled by your system Administrator." message. I
have one last suggestion.

Just recently I came across a nice little program called "Registrar Lite" - it's fabulous! Even if RegTools are disabled you can
still edit the registry at your own leisure. I've added the executable to the zip file - it's called Reglite.exe.

Okay, so now you've got access to the registry. Phew. Read on to find out what you can do now.

You may as well make sure CMD is enabled.

Note: If you're navigating using either Registrar Lite or Regedit you may find there are no 'Windows' or 'System'
keys where I've told you to add the value DisableCMD. You'll have to create them by right clicking on the
superkey - i.e., Microsoft - and choosing New --> Key and calling it Windows; do the same thing again, only this time
right click on Windows rather than Microsoft.

This is what the values represent:

Value: 0 enable command prompt and batch files
Value: 1 disable command prompt and batch files
Value: 2 disable command prompt but allow batch files

Double click on the entry called "DisableCMD" and give it a value of 0.

Task Manager disabled?

This is also a simple registry setting.

Navigate your way to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] and find the
value DisableTaskMgr - change its value from 1 to 0.

There you go, you've pretty much nuked any restrictions that may have been in place because if you control the registry, you
control the world.

I've compiled a bit of a list of shit you can manipulate using the registry that could prove somewhat useful (or useless,
depending on your motives) to you.

***Copied from http://sudhirmangla.i6networks.com/win/winsecret.htm***

Important Note: Before you read on, you need to keep one thing in mind. Whenever you make changes to the
Windows Registry you need to Refresh it before the changes take place. Simply press F5 to refresh the registry
and enable the changes. If this does not work Restart your system.

Disabling Display of Drives in My Computer:

This is yet another trick you can play on your geek friend. To disable the display of local or networked drives when
you click My Computer go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Now in the right pane create a new DWORD item and name it NoDrives. Now modify its value and set it to
3FFFFFF (Hexadecimal). Now press F5 to refresh. When you click on My Computer, no drives will be shown. To
enable display of drives in My Computer, simply delete this DWORD item. Its .reg file is as follows:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDrives"=dword:03ffffff

Pop a banner each time Windows Boots:

To pop a banner which can contain any message you want to display just before a user is going to log on, go to
the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon

Now create a new string Value in the right pane named LegalNoticeCaption and enter the value that you want to
see in the Menu Bar. Now create yet another new string value and name it LegalNoticeText. Modify it and insert
the message you want to display each time Windows boots. This can be effectively used to display the company's
private policy each time the user logs on to his NT box. Its .reg file would be:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]

"LegalNoticeCaption"="Caption here."

Secure your Desktop Icons and Settings:

You can save your desktop settings and secure them from your nerdy friend by playing with the registry. Simply
launch the Registry Editor and go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

In the right pane create a new DWORD Value named NoSaveSettings and modify its value to 1. Refresh and
restart for the settings to get saved.

Deleting System Options from the Start menu:

You can actually remove the Find and Run options from the Start menu by performing a simple registry hack.
Again, like always, launch the registry editor and scroll down to the below key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Right-click on the right pane and select New, DWORD Value. Name it NoFind. (To remove the RUN option name it
NoRun.) Double-click the newly created DWORD to edit its value and enter 1 as its value. This will disable the
FIND option of the Start Menu and will also disable the default shortcut key (F3 for Find).

To restore the Run or find command modify the value of the DWORD to 0 or simply Delete the DWORD value.

Cleaning Recent Docs Menu and the RUN MRU:

The Recent Docs menu can be easily disabled by editing the Registry. To do this go to the following Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Now in the right pane, create a new DWORD value by the name NoRecentDocsMenu and set its value to 1.
Restart Explorer to save the changes.

You can also clear the RUN MRU history. All the listings are stored in the key:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

You can delete individual listings or the entire listing. To delete History of Find listings go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU and delete.

Other Similar Useful Tricks:

Launch Regedit and go to the following Registry Key:

HKEY_CURRENT_USER/Software/Microsoft/CurrentVersion/Policies

Under this key, there will definitely be a key named Explorer. Now under this Explorer key we can create new
DWORD values and modify their value to 1 in order to impose the restriction. If you want to remove the restriction,
then you can simply delete the respective DWORD values or instead change their values to 0. The following is a
list of DWORD values that can be created under the Explorer key:

NoDeletePrinter: Disables Deletion of already installed Printers

NoAddPrinter: Disables Addition of new Printers

NoRun: Disables or hides the Run Command

NoSetFolders: Removes Folders from the Settings option on Start Menu (Control Panel, Printers, Taskbar)

NoSetTaskbar: Removes Taskbar system folder from the Settings option on Start Menu

NoFind: Removes the Find Tool (Start >Find)

NoDrives: Hides and does not display any Drives in My Computer

NoNetHood: Hides or removes the Network Neighborhood icon from the desktop

NoDesktop: Hides all items including, file, folders and system folders from the Desktop

NoClose: Disables Shutdown and prevents the user from normally shutting down Windows.

NoSaveSettings: Means to say, 'Don't save settings on exit'

DisableRegistryTools: Disable Registry Editing Tools (If you disable this option, the Windows Registry Editor
(regedit.exe) too will not work.)

NoRecentDocsHistory: Removes Recent Document system folder from the Start Menu (IE 4 and above)

ClearRecentDocsOnExit: Clears the Recent Documents system folder on Exit.

NoInternetIcon: Removes the Internet (system folder) icon from the Desktop.

Under the same key, HKEY_CURRENT_USER/Software/Microsoft/CurrentVersion/Policies, you can create new
subkeys other than the already existing Explorer key. Now create a new key and name it System. Under this new
key, System, we can create the following new DWORD values (1 for enabling the particular option and 0 for
disabling the particular option):

* NODispCPL: Hides Control Panel

* NoDispBackgroundPage: Hides Background page.

* NoDispScrsavPage: Hides Screen Saver Page

* NoDispAppearancePage: Hides Appearance Page

* NoDispSettingsPage: Hides Settings Page

* NoSecCPL: Disables Password Control Panel

* NoPwdPage: Hides Password Change Page

* NoAdminPage: Hides Remote Administration Page

* NoProfilePage: Hides User Profiles Page

* NoDevMgrPage: Hides Device Manager Page

* NoConfigPage: Hides Hardware Profiles Page

* NoFileSysPage: Hides File System Button

* NoVirtMemPage: Hides Virtual Memory Button

Similarly, if we create a new subkey named WinOldApp, we can add the following DWORD values under it(1 for
enabling the particular option and 0 for disabling the particular option):

Disabled: Disable MS-DOS Prompt

NoRealMode: Disable Single-Mode MS-DOS.

The shit you can do with the registry is pretty much unlimited, explore, conquer... reinstall your OS. Oh, hopefully I mentioned
you should back shit up before you screw with it - because if you do accidentally piss with something the wrong way and it
does stuff your OS, don't come running to me baby, I tested most of this stuff and it worked fine.
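The registry edits covered above (the SCRNSAVE.EXE and ScreenSaveTimeOut values under HKEY_USERS\.DEFAULT from Section 4, the DisableRegistryTools/DisableTaskMgr/NoRun policy DWORDs from part 2, and the NoDrives bitmask from the copied list) all leave traces that an administrator or incident responder can check for in a registry export. The script below is an added example, not code from the original tutorial or from the site the list was copied from: it parses a REGEDIT4 / "Version 5.00" export, reports a replaced or shortened logon screensaver, lists which restrictions are not in effect, and decodes the NoDrives mask into drive letters (bit 0 is A:, bit 25 is Z:, so 03ffffff hides all 26). The embedded export text is constructed sample data, not taken from any real machine.

```python
import re

# Constructed sample export (not from a real machine): the keys the tutorial
# edits, shown after the edits it describes. A real export would come from
# "regedit /e" on the box or from a forensic registry parser over the hive files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"SCRNSAVE.EXE"="cmd.exe"
"ScreenSaveTimeOut"="10"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoDrives"=dword:03ffffff
"""

DESKTOP_KEY = r"HKEY_USERS\.DEFAULT\Control Panel\Desktop"
POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Restrictions the tutorial shows being switched off. A value of 0, or no value
# at all, means the restriction is not in effect.
RESTRICTIONS = {
    POLICY_SYSTEM: ("DisableRegistryTools", "DisableTaskMgr"),
    POLICY_EXPLORER: ("NoRun",),
}

_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<val>.*)$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}.

    "..." strings become str (with \\ and \" unescaped), dword:xxxxxxxx becomes
    int; any other right-hand side (hex:, @ defaults) is kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # not a "name"=value line we understand
        name, val = m.group("name"), m.group("val")
        if val.startswith("dword:"):
            value = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            value = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = val
        keys[current][name] = value
    return keys


def nodrives_letters(mask):
    """Decode a NoDrives bitmask: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask & (1 << i))


def audit(keys):
    """Return human-readable findings for the settings discussed in the tutorial."""
    findings = []
    desk = keys.get(DESKTOP_KEY, {})
    scr = desk.get("SCRNSAVE.EXE")
    # The value may be a bare name or a full path; compare the file name only.
    if isinstance(scr, str) and scr.lower().rsplit("\\", 1)[-1] != "logon.scr":
        findings.append(f"logon screensaver replaced: SCRNSAVE.EXE={scr!r} (expected logon.scr)")
    timeout = desk.get("ScreenSaveTimeOut")
    if isinstance(timeout, str) and timeout.isdigit() and int(timeout) < 600:
        findings.append(f"logon ScreenSaveTimeOut lowered to {timeout}s (default 600)")
    for key, names in RESTRICTIONS.items():
        values = keys.get(key, {})
        for name in names:
            if values.get(name, 0) == 0:
                findings.append(f"restriction {name} not in effect under {key}")
    mask = keys.get(POLICY_EXPLORER, {}).get("NoDrives")
    if isinstance(mask, int) and mask:
        findings.append(f"NoDrives hides drives: {nodrives_letters(mask)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

The registry check catches the SCRNSAVE.EXE edit but not the second variant in Section 4, where cmd.exe is copied over logon.scr itself and the registry value stays "logon.scr"; for that, compare the hash of logon.scr in System32 against a known-good copy from install media.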

3. Shutting down networked PCs

In Windows XP there is an executable called shutdown.exe (or .com, can't remember which at the moment) and its sole
purpose is to, yup, you guessed it, shut down computers. But whose computer can I shut down? If I got your IP right now, could I
shut down your computer? No. Good questions though, keep reading.

I've researched a little about the shutdown command and have found you need to be a Network Administrator to have the
correct privileges to successfully implement this command. If you don't you'll either be presented with the dreaded "Access is
denied." error or you'll be spat at with the "Network path not found" excuse. I've added instructions on how to use this method
at the end of this paper if you A) have Network Administration rights or B) would like to try it anyway.

4. Let's learn how to use NET SEND

This is undoubtedly the most talked about network tool ever. Every single forum you go to that has anything remotely to do with
computers or security will have at least 5 threads pertaining to questions such as "How do I NET SEND?" or "OmFgLmAo! I
H4X0R'd SK00L wif N37 SEND!". The sad fact of the matter is more than half of the people that post these burdens to online
society have no idea what they're talking about and further confuse those wishing to learn what NET SEND is and how to use it.

NET SEND is a message sending utility that uses the NET application built into all Windows operating systems.

Now most of you will already know the "net" command. It is, of course, short for network. When you type "net" it runs the
network command application. It has many commands that can be used for a number of different things. The command to send
a message is (believe it or not) "net send".

Type "net view" in any command prompt to view all of the computers you're currently connected with on your network. You
should get something like this:

So now we can type:

-------------------------------------------------------------------------------
net send GOLDIES You are receiving this message by way of the net send command.
-------------------------------------------------------------------------------

The "net send" bit is reasonably self-explanatory, GOLDIES is the computer name and everything after it, i.e., "You are
receiving this message by way of the net send command." is the message.

That was easy, wasn't it?

Another way you can send a net send message is using the run dialog. It's shown below - I can't be bothered typing it all out
again.

Section 5 - Password Retrieval/Cracking

I'm going to be a lazy bugger and just refer you to another tutorial written by Th3 R@V3N from TGS-Security. It's as good as
any you'll come across.

I've included it in my zip. You can read it here.

Maybe I'll take the time one day to write my own... maybe.

Section 6 - Password Reseters

There are a number of *nix based password reseters out there in the wilderness but my favourite (one of the two I've used) is
NTPasswd. It's small, simple and has only failed me once. I've included this in the .zip also - you should find it in the /
NTpasswd directory where you unzipped this tut.

What exactly is a "*nix password reseter"?


I've taken a small extract from this little tool's website to give you all an overview:

This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by
modifying the crypted password in the registry's SAM file.

You do not need to know the old password to set a new one.
It works offline, that is, you have to shutdown your computer and boot off a floppydisk or CD. The bootdisk
includes stuff to access NTFS partitions and scripts to glue the whole thing together.

Works with syskey (no need to turn it off, but you can if you have lost the key)

Will detect and offer to unlock locked or disabled out user accounts!

It is also an almost fully functional registry editor!

So now you know what it is, I bet you want to know how to use it too? Fine. I'll run through just quickly what you need to do to
create the bootable floppy. Before we do anything, find a blank floppy - if you don't have a blank one, format one and make
sure you do this first. It's just so annoying when you need a formatted floppy and you don't have one. Okay, formatted? Good.
Carry on.

You'll find a .zip in the \NTPasswd directory, unzip it to your local machine somewhere and run the install.bat file.

Note: You must extract to a path that doesn't have any spaces in it, e.g., "C:\Hacking\Windows password reseter
\NTPasswd\" is not acceptable. It's ideal to extract to: "C:\NTPasswd\" as this is short and easy for it to handle.

This'll fire up a Command Prompt and it'll ask you to enter the target diskette drive - most likely this'll be A: for you so type "A:"
and hit enter. Now it's asking you to put a formatted floppy in - chuck your floppy in and hit enter. Wait for it to finish. Make
sure you don't eject the floppy too early cause it could fuck things a little, just wait till the floppy light goes off.

Now you've got yourself a *nix based bootable NT Password Reseter. How easy was that? Now, it gets a little harder for all you
nix newbies. Boot your target machine up with the floppy. You'll find yourself at a screen saying "Please select partition by
number or a) blah, blah blah." You'll most likely want to select option (1). Hit 1 and then hit enter.

The next prompt is asking you where the path and registry files are - the default is "Windows\system32\config". This is correct
so just hit enter.

Note: Wherever there is an option in [square brackets] it means it's the default - generally this is what you want.

Now it'll ask you what exactly you want to do. You'll want to edit user information. I think it's option 1 from memory. Next is how
do you want to edit it - you'll want to reset the password to null (nothing, blank, nada, etc). To do this you'll need to type "*"
without the quotes. If you don't type this asterisk then your password will be left alone.

I think it asks you if you're sure, of course you are, and then it'll ask you if you want to perform any additional tasks while you're
there. This is up to you but generally you'll just want to type "!" without the quotes to quit and then it should prompt you to save
your changes. You're sure? Yes.

Done. That's it. Take the floppy out and reboot your machine. Now the Administrator account has NO password.

Section 7 - Restoring Windows XP

Here we get to the stage where we're biting our nails and starting to get embarrassed. It's taken you this long to get into a
Windows box?! Well there's still a couple of things that you can try to get yourself in. We're kind of getting into the territory
where we're not slinking around in the shadows any longer... this is letting the world know we're trying to hack this box.

What exactly are we going to do? Like all Windows Operating Systems, Windows XP has its own restore functions too. There
are, however, a number of limitations to it. The biggest is probably that you need to have a full-ducks-nuts XP CD. If you're
running XP Home you'll need the corporate XP Home CD and the same applies for XP Professional too.

What will it do? It pretty much replaces all files that are created when Windows is first installed. So it'll blow away all of the
users' current settings, preferences and files contained in Documents and Settings (i.e., My Documents). So you'll basically
have a brand new install of Windows with all or most of your programs intact and all of your other local files untouched.

Where can you get a corporate XP CD from? Well they're not that easy to get, truth be told. But I'm sure you could go and have
a browse on some P2P networks like BitTorrent (it's definitely on there), Kazaa, WinMX, BearShare, XoloX, all of the above and
see what you can see. If you're looking for a product key then I'd be inclined to recommend www.cracks.am as they've proved
reasonably reliable for me.

Let's do it.

Boot off your corporate CD and fire into Windows Setup. When you get to the stage where it asks you what you want to
do, hit enter, we want to set up Windows XP. Next it'll ask you what partition you want to install on, usually you'll choose C:\
here but it could be anything from C through G.

Now it's telling you that you've already got an installation of Windows XP on this partition: to set up XP hit enter, or to continue
setting up XP on this partition, hit ESC. We want to hit ESC. Don't panic, this will NOT make you lose all your data.

The next step, if you fuck it up, WILL make you lose all your data. It now asks you to choose how you'd like to format the
current partition, there'll be three options. The first one is "Format with the NTFS filesystem (Quick)", we do NOT want this one.
The second is "Format with the NTFS filesystem", we do NOT want this one either. We want the last one, it'll be "Leave the
current filesystem intact".

Hit enter.

Okay, now we're pretty much done. Wait for the install to complete and once you've rebooted after the install you should be
presented with a nice colourful desktop with that ugly default stone-henge background.

Note: Do NOT try this method if a) you're incompetent or b) you don't want to get caught. This method is pretty much a last
resort.

Let's now take a quick look at the shutdown command. I still haven't been able to master shutting down a remote computer even
after reading that you need either network admin access or exactly the same credentials as the target machine (i.e., username
and password).

Anyway, here goes:

-------------------------------------------------------------------------------
shutdown -r -m \\GOLDIES -t 30 -c "This PC is shutting down"
-------------------------------------------------------------------------------

The -r is the restart handle, i.e., the PC will shut down and restart.
The -m \\ handle is the computer name.
The -t 30 handle is the time in seconds after which the PC will shut down.
The -c is the comment handle, i.e., anything in quotes after it is a comment that'll pop up on the screen of the targeted
PC.

There are many more handles that you can use to make life easier/more difficult if you'd like. They are:

-------------------------------------------------------------------------------
Usage: shutdown [-i | -l | -s | -r | -a] [-f] [-m \\computername] [-t xx] [-c "comment"] [-d up:xx:yy]

-i                  Display GUI interface, must be the first option
-l                  Log off (cannot be used with -m option)
-s                  Shutdown the computer
-r                  Shutdown and restart the computer
-a                  Abort a system shutdown
-m \\computername   Remote computer to shutdown/restart/abort
-t xx               Set timeout for shutdown to xx seconds
-c "comment"        Shutdown comment (maximum of 127 characters)
-f                  Forces running applications to close without warning
-d [u][p]:xx:yy     The reason code for the shutdown
                    u is the user code
                    p is a planned shutdown code
                    xx is the major reason code (positive integer less than 256)
                    yy is the minor reason code (positive integer less than 65536)
-------------------------------------------------------------------------------

Note: You can shut down your own PC by typing "shutdown -s -t 60"; that'll give you an RPC dialog telling you your PC will
shut down. Exactly the same as what the Blaster worm and the Sasser worm did. You can cancel a shutdown process by typing
"shutdown -a" for abort.
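The -d reason code in that usage text is not just decoration: Windows packs the u/p flags and the xx:yy numbers into one 32-bit value, and that value, together with the -c comment, the initiating process and the user, ends up in the target machine's System event log (event 1074 from source USER32). That log entry is what someone cleaning up after an unexpected shutdown goes looking for. The code below is an added example, not part of this tutorial: it encodes a "-d [u][p]:xx:yy" argument into the reason code using the documented bit layout (major code in bits 16-23, minor code in bits 0-15, 0x40000000 for "u", 0x80000000 for "p"), decodes it back, and parses a constructed event 1074 message (the real wording varies between Windows versions) to pull out who shut the box down and why:

```python
import re

# Bit layout of the Windows shutdown reason code:
#   "u" flag -> SHTDN_REASON_FLAG_USER_DEFINED, "p" flag -> SHTDN_REASON_FLAG_PLANNED,
#   major reason code in bits 16-23, minor reason code in bits 0-15.
FLAG_USER_DEFINED = 0x40000000
FLAG_PLANNED = 0x80000000


def encode_reason(spec):
    """Turn the '-d [u][p]:xx:yy' argument into the 32-bit reason code,
    enforcing the limits from the usage text (xx < 256, yy < 65536)."""
    m = re.fullmatch(r"([up]{0,2}):(\d+):(\d+)", spec)
    if not m:
        raise ValueError("expected [u][p]:xx:yy, got %r" % spec)
    flags, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    if major >= 256 or minor >= 65536:
        raise ValueError("major must be < 256 and minor < 65536")
    code = (major << 16) | minor
    if "u" in flags:
        code |= FLAG_USER_DEFINED
    if "p" in flags:
        code |= FLAG_PLANNED
    return code


def decode_reason(code):
    """Split a reason code back into its flags and major/minor numbers."""
    return {
        "user_defined": bool(code & FLAG_USER_DEFINED),
        "planned": bool(code & FLAG_PLANNED),
        "major": (code >> 16) & 0xFF,
        "minor": code & 0xFFFF,
    }


# Constructed sample of the System-log message (event 1074, source USER32) for the
# "shutdown -r -m \\GOLDIES -t 30 -c ..." command above. Not copied from a real log.
SAMPLE_EVENT = (
    "The process C:\\WINDOWS\\system32\\shutdown.exe has initiated the restart "
    "of computer GOLDIES on behalf of user GOLDIES\\Edit for the following reason: "
    "Other (Planned) Reason Code: 0x80000000 Shutdown Type: restart "
    "Comment: This PC is shutting down"
)

EVENT_RE = re.compile(
    r"The process (?P<process>\S+) has initiated the (?P<action>\w+) of computer "
    r"(?P<computer>\S+) on behalf of user (?P<user>\S+) for the following reason: "
    r".*?Reason Code: 0x(?P<code>[0-9A-Fa-f]+) Shutdown Type: (?P<type>\w+) "
    r"Comment: (?P<comment>.*)$"
)


def parse_shutdown_event(message):
    """Pull the fields a responder cares about out of an event 1074 message,
    or return None if the message does not match the expected shape."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["reason"] = decode_reason(int(fields["code"], 16))
    fields["comment"] = fields["comment"].strip()
    return fields


if __name__ == "__main__":
    print(hex(encode_reason("up:4:1")))          # 0xc0040001
    ev = parse_shutdown_event(SAMPLE_EVENT)
    print(ev["user"], ev["action"], ev["computer"], ev["comment"], ev["reason"])
```

Reason code 0x80000000 decodes to major 0, minor 0 with the planned flag set, which is exactly the "Other (Planned)" text in the sample message; the comment passed with -c is logged verbatim, so whatever a remote caller types there is preserved on the target.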

Have fun.

Author's last words

Well that's it. Please excuse the bad formatting, bad grammar and messy graphics - hopefully they'll get the point across
enough so you'll get a basic understanding. This tutorial was written mainly for my own benefit, I struck a machine at work that I
couldn't break into and pretty much had to try all of these methods of entry to complete the job (well actually no, I lie, I only tried
one).

It interested me so I thought, shit, why not? Hope you enjoyed the read - yeah, I know, it is huge, but I tried to make it
comprehensive and not miss too much stuff out. Some sections I found I was getting ahead of myself and not explaining fully
what I meant. If you don't understand any of this or are wanting to ask questions, make criticisms, make me your God, etc.,
flick me a mail.