____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 No. 6

How to Be a Hero in Computer Lab

____________________________________________________________

If you are a student, you know you can get into trouble if you hack your school's computers. But if you can persuade your teachers that you are the good guy who will help protect them from digital vandals, you can become a hero. You may even get their permission to try break-in techniques.

************************************************************
In this Guide you will learn how to:

· Customize the animated logo on Internet Explorer
· Circumvent security programs through Internet Explorer
· Circumvent security programs through any Microsoft Office program
· Circumvent FoolProof
· Circumvent Full Armor
· Solve the web babysitter problem
· Break into absolutely any school computer
· Keep clueless kiddie hackers from messing up your school computer system
************************************************************

This Guide will give you some tips for safely proving just how good you are, and maybe even showing your hacker teacher buddies a thing or two. But I would feel really bad if someone were to use the tips in this Guide to mess up his or her life.

************************************************************
You can mess up your life warning: In most countries kids don't have nearly the legal protections that adults have. If you get involved in a hacker gang at school and you guys get caught, you can easily get expelled from school or even arrested. Even if the authorities don't have very good proof of your guilt. Even if you are innocent. Arghhh!
************************************************************

The first task of this Guide, then, is how to find teachers who would love to play hacker games with you and give you free run of the school's computer systems. Whoa, you say, now this is some social engineering challenge! But actually this isn't that hard.
Coyote suggests, "In many cases you may find that if you prove yourself responsible (i.e., not acting like a jerk in class and not hacking to be cool), it will be easier to gain the trust of the teacher and subsequently gain the job helping with the systems. And once you reach this level you are almost guaranteed that you will know more about system management, and of course hacking, than you could have by simply breaking in."

Here's the first thing you need to remember. Your teachers are overworked. If they get mad at hackers, it is because computer vandals keep on messing things up. Guess who gets to stay late at work fixing the mess students make when they break into school computers? Right, it's usually your computer lab teachers.

Think about it. Your computer lab teachers might really, really like the idea of having you help with the work. The problem is -- will they dare to trust you?

Karl Schaffarczyk warns, "I nearly got chucked out of school (many years ago) for pulling up a DOS prompt on a system that was protected against such things."

Sheesh, just for getting a DOS prompt? But the problem is that your teachers go to a lot of effort to set school computers up so they can be used to teach classes. The minute they realize you know how to get to DOS, they know you could mess things up so badly that they will have to spend a sleepless night -- or two or three -- putting that computer back together. Teachers hate to stay up all night. Imagine that!

So if you really want to work a deal where you become supreme ruler and hero-in-chief of your school's computers, don't start by getting caught! Don't even start by showing your teacher, "Hey, look how easy it is to get a DOS prompt!" Remember, some authorities will immediately kick you out of school or call the cops.

Honest, many people are terrified of teenage hackers. You can't really blame them, either, when you consider the news stories. Here are some examples of stories your school authorities have probably read.
- 13 FEBRUARY 1997 Hackers are reported to be using servers at Southampton University to circulate threatening emails (that) ... instruct recipients to cancel credit cards, claiming their security has been breached. (c) VNU Business Publications Limited, 1997 NETWORK NEWS 7/5/97 P39

- A teenager was fined an equivalent of US$350 for paralysing US telephone switchboards...The unnamed teenager made around 60,000 calls... (C) 1997 M2 Communications Ltd. TELECOMWORLDWIRE 6/5/97

- WORLDCOM in the UK recently suffered a systems failure following a hacker attack... (C) 1997 M2 Communications Ltd. TELECOMWORLDWIRE 6/5/97

Scary, huh? It's not surprising that nowadays some people are so afraid of hackers that they blame almost anything on us. For example, in 1997, authorities at a naval base at first blamed attackers using high-energy radio waves for computer screens that froze. Later investigators learned that ship radars, not hackers, were freezing the screens.

So instead of getting mad at teachers who are terrified of hackers, give them a break. The media is inundating them with scare stories. Plus, they have probably spent a lot of time fixing messes made by kiddie hackers. Your job is to show them that you are the good guy. Your job is to show them that you can make life better for them if they give you free run of the school computers.

This same basic technique will also work with your ISP. If you offer to help for free, and if you convince them you are responsible, you can get the right to have root (or administrative) access to almost any computer system. For example, I was talking with the owner of an ISP one day, who complained about how overworked he was. I told him I knew a high school sophomore who had been busted for hacking but had reformed. This fellow, I promised, would work for free in exchange for the root password on one of his boxes. Next day they did the deal.
Now this hacker and his friends get to play break-in games on this computer during off hours when paying customers don't use it. In exchange, those kids fix anything that goes wrong with that box.

So try it. Find an overworked teacher. Or an overworked owner of an ISP. Offer to show him or her that you know enough to help take care of those computers.

But how do you prove you know enough for the job? If you start out by telling your computer lab teacher that you know how to break into the school computers, some teachers will get excited and suspend you from school. Just in case your teacher is the kind who gets scared by all those hacker news stories, don't start out by talking about breaking in! Instead, start by showing them, with their permission, a few cheap tricks.

Cheap Internet Explorer Tricks

A good place to start is with Internet Explorer (IE). For starters, what could be more harmless -- yet effective at showing off your talents -- than changing the animated logo on IE or Netscape? (The steps below are for IE.) You could do it the easy way with Microangelo, available from ftp://ftp.impactsoft.com/pub/impactsoft/ma21.zip. But since you are a hacker, you may want to impress your teachers by doing it the hacker way.

1) Bring up Paint.

2) Click "Image," then "Attributes."

3) Choose width = 40, height = 480, units in pels.

4) Make a series of pictures, each 40x40 pels. One way to do this is to open a new picture for each one and set attributes to width = 40 and height = 40. Then cut and paste each one into the 40x480 image, stacked top to bottom.

5) Make the top 40x40 image the one you want to sit there when IE is doing nothing. The next three are shown once when a download starts, and the rest are played in a loop until the download is done. You must have an even number of images for this to work.

6) Now run the Registry editor. This is well hidden, since Microsoft would prefer that you not play with the Registry.
One way is to click "Start," then "Programs," then "MS-DOS Prompt," and in the MS-DOS window with the C:\WINDOWS prompt give the command "regedit".

7) Click to highlight the subkey "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar".

8) On the menu bar above, click "Edit," then "Find." Type "BrandBitmap" in the find window.

9) Now double click on BrandBitmap to get a dialog window. Type the path and file name of your custom animated graphic into it.

So let's say you set up a flaming skull that rotates when you run IE. Your teacher is impressed. Now she wants you to put it back the way it was before. This is easy. Just open up BrandBitmap again and delete the name of your animation file. With the value left empty, IE goes back to its built-in animation.

Let's now show your teacher something that is a little bit scary. Did you know that Internet Explorer can be used to get around some Windows babysitter programs? Your school might be running one of them. If you play this right, you can win points by trashing that babysitter program.

Yes, you could just get to work on those babysitter programs using the tips of the GTMHH on how to break into Win95. However, in this chapter we will also look at a new way to get around them, using IE. The advantage of using IE when your teacher is anxiously looking over your shoulder is that you could just "accidentally" stumble on some cool stuff, instead of looking like a dangerous hacker. Then you could show that you know how to take advantage of that security flaw. Besides, if it turns out the security program you try to override is well enough written to keep IE from getting around it, you don't look like a dummy.

************************************************************
Evil Genius tip: People are less afraid of you if you type sloowwwlllllyyyyyyyyyy.
************************************************************

The dirty little secret is that IE actually is a Windows shell program.
That means it is an alternative to the Win95 desktop. From IE you may launch any program. IE operates much like the Program Manager and Windows Explorer that come with the Win95 and Win NT operating systems. Yes, from the IE shell you can run any program on your computer -- unless the security program you are trying to break has anticipated this attack. With a little ingenuity you may even be able to reach your school's LAN. But don't try that just yet!

************************************************************
Newbie note: A shell is a program that mediates between you and the operating system. The big deal about IE being a Windows shell is that Microsoft never told anyone that it was in fact a shell. Many of the security problems that plague IE come from it doing shell-like things: type a local path into its address bar and it shows you the file system and lets you start programs, so a babysitter program that only locks down the desktop has not locked down IE. By contrast, the Netscape and Mosaic Web browsers are not such full-featured shells. This makes them safer to use. But you can still do some interesting things with them to break into a Win95 box. Experiment and have fun!
************************************************************

To use IE as a Win95 shell, bring it up just like you would if you were going to surf the Web. If your computer is set to automatically initiate an Internet connection, you can kill it. You don't need to be online for this to work.

Now here are a few fun suggestions. In the space where you would normally type in the URL you want to surf, instead type in c: and press Enter. Whoa, look at all those file folders that come up on the screen. Now for fun, click "Program Files," then "Accessories," then "Paint." All of a sudden Paint is running. Now paint a picture of your teacher, who is watching this hack, looking surprised.

Next close all that stuff and get back to the URL window in IE. Click on the Windows folder, then click on regedit.exe to start it up. Export a branch of the Registry to a file (HKEY_CLASSES_ROOT, say: highlight it, then use "Registry," "Export Registry File"). Open the exported .reg file in WordPad; it is plain text. (The cached Windows 95 passwords are not in the Registry, by the way. They live in the .pwl files in C:\WINDOWS, which come up again later in this Guide.)
Remember, the ability to edit the Registry of a computer is the key to controlling that computer, and on a server it goes a long way towards controlling the network it serves. Show this to your teacher and tell her that you're going to use IE to change all the school's password files. In a few hours the Secret Service will be fighting with the FBI on your front lawn over who gets to try to bust you.

OK, only kidding here. No, maybe it would be a bit better to tell your teacher that if you can edit the Registry, you can get total control over that computer. And maybe much more. Suggest that the school delete IE from all its computers. You are on the road to being a hero.

If you actually do edit the Registry, you had better know how to revert to its backup, or else undo your changes. Otherwise you will be making more work for the computer lab teacher instead of less. Remember, the objective is to prove to your teachers that you can cut how much work they have to do!

What if the school babysitter program won't let you run regedit.exe? Try typing c:\command.com in the address bar. Then see Chapter 2 for how to edit the Registry from DOS.

If you have gotten this far with IE, next try entering r:\ or w:\ or z:\ etc. to see if you can access the disk of a network server. Be sure to do this with your teacher watching and with her permission to try to access network computers. If you succeed, now you have a really good reason to ask her to take IE off all the school computers. This is because a student with nothing but IE and a mapped drive letter has just reached the school LAN from a lab PC. But you are a hero because you have done it to save your school from those mean kiddie hackers who change grades and class assignments.

By now you have a great shot at getting a volunteer job running the school's computer systems. Before you know it, you and your friends will be openly playing Quake at school -- and the authorities will consider it a small price to pay for your expertise.

Cheap Tricks with Microsoft Office

You also can run a Windows shell from several Microsoft Office programs.
Remember, once you get a shell, you have a good shot at disabling security programs. The following exploit works with Microsoft Word, Excel, and PowerPoint. To get into a Windows shell from them:

1) Click "Help," then "About Microsoft (name of program inserted here)," then "System Info..."

2) This brings up a window which includes a button labeled "Run." Click "Run" and put in anything you want, for example regedit.exe! (That is, unless the security program you are trying to break has a way to disable this.)

Microsoft Access is a bit harder. The "Run" button only gives a few choices. One of them is File Manager. But File Manager is also a Windows shell. From it you can run any program. (That is, again, unless the security program you are trying to break has a way to disable this.)

How to Circumvent FoolProof

There is usually a hotkey to turn off FoolProof. One young hacker reports his school uses shift-alt-X (hold down the shift and alt keys at the same time, then press the "x" key). Of course other schools may have other arrangements. If you get the hotkey right, a sound may play, and a lock in the lower-right corner should open for 20-30 seconds.

Dante tells how he managed to get out of a hot spot with an even better hack of FoolProof. "My computer science teacher asked me to show her exactly HOW I managed to print the 'the universe revolves around me' image I made to all the network printers in the school..." So he had her watch while he did the deed.

************************************************************
You can get punched in the nose warning: Dante was lucky that his teacher was understanding. In some schools a harmless joke like this would be grounds for expulsion.
************************************************************

Here is how Dante -- and anyone -- may disable FoolProof.

1) First, break into the Windows box using one of the techniques of the GTMHHs on Hacking Windows. Warning -- don't try the soldering iron bit. Your teacher will faint.
2) Now you can edit the autoexec.bat and config.sys files. (Be sure to back them up first.) In config.sys delete the line device=fp, and in autoexec.bat delete the line that runs fptsr.exe.

3) Run regedit.exe. You have to remove FoolProof from the Registry, too. Use the Regedit search feature to find references to FoolProof.

4) Before you reboot, find the Registry backup files and make copies with different names, just in case. Making a mistake with the Registry can cause spectacular messes!

5) Save the Registry, and reboot. FoolProof won't load.

6) To put things back the way they were, restore the backup copies of autoexec.bat, config.sys and the Registry.

You are now the school hero security expert.

How to Circumvent Full Armor

"I ran up against this program 8 months ago at school. They attempted to prevent people from writing to the hard drive. It presented itself as a challenge....for about 5 minutes." -- Dave Manges.

Here's how Dave tells us he did the deed:

1) In the properties of the program it mentions the thread file (can't remember the name of the file); it was something.vbx.

2) OK...this is easy enough: open Notepad, open something.vbx.

3) Just because I can't write to the hard drive doesn't mean I can't edit something already there. Delete the first character from the file.

4) The file (opened in Notepad) looks like garbage, but if memory serves the first letter was M.

5) Save the file and restart the computer. It should come up with an error like "Unable to Initialize Full Armor".

6) Now you can go into Add/Remove Programs and uninstall it.

Again, remember to back up all files before changing them so you can put the computer back the way you found it.

Solve the Web Babysitter Problem

Suppose your next goal is to get rid of Web babysitter programs. But this can be a tough job. Think about it from the point of view of the teachers. If even one kid were to complain to her parents that she had seen dirty movies running on other kids' monitors in computer lab, your school would be in big trouble.
So merely blasting your way through those babysitter programs with techniques such as those you learned in Chapter 2 will solve the problem for only a short time -- and get you and your teacher and your school in trouble.

But once again you can be a hero. You can help your teachers discover the Web sites that are being blocked by those babysitter programs. They may be surprised to find out that the programs block lots more than naughty pictures. They often quietly censor certain political sites, too.

If your school is running CYBERsitter, you can really beat up on it. CYBERsitter has encrypted its list of banned sites, which includes sites with political beliefs its makers don't like. But you can download a program to decrypt this list at: http://peacefire.org/info/hackTHIS.shtml. (This Web site is maintained by a teen organization, Peacefire, devoted to freedom of speech.) When your teacher discovers the hidden political agenda of CYBERsitter, you are a hero. Unless, of course, your teacher agrees with CYBERsitter's tactics. If so, you can probably find other teachers in your school who will be appalled by CYBERsitter.

How about IE's built-in site blocking system (Content Advisor)? It is harder to uncover what it blocks because it does not work from a list of banned sites at all. Instead it limits the viewer to sites that carry a content rating label (a PICS label, such as the RSACi ratings) from one of a handful of rating organizations. If a site hasn't gone to the effort of labeling itself, IE can be set to keep you from seeing it. Of course, after reading Chapter 2, you can quickly disable the IE censorship feature. But instead of doing this, how about directing your teacher to http://peacefire.org and letting him or her follow the links? Then perhaps the authorities at your school will be ready to negotiate with you to find a way to give you freedom to surf without grossing out other kids in the computer lab or library who can't help but notice what may be on your monitor.
How to Break into Absolutely Any School Computer

As you know from Chapter 2, you can break into any computer to which you have physical access. The trick is to figure out, once you have complete control, how to disable whatever program is giving you a hard time.

There are only a few possible ways for these programs to work. Maybe all you need to do is press control-alt-delete and remove it from the list of active programs that comes up. If this doesn't work, and you can get into DOS, you can edit any files. See Chapter 1 for details on all the ways to get to DOS. Or you may only need to get to regedit.exe. You can run it from either DOS or, depending on how good your problem program is, from Windows.

Once you can edit files, the ones you are likely to need to alter are autoexec.bat, config.sys, anything with the extension .pwl or .lnk, \windows\startm~1\programs\startup (the Startup folder), and the Registry. Look for lines with suspicious names that remind you of the name of the program you want to disable.

***********************************************************
You can get punched in the nose note: Of course you could do something obvious like "format c:" and reinstall only what you want on that box. But this will make your teachers throw fits. Mega fits. If you want to be a hero, make sure that you can always return any school computer to the way it was before you hacked it.
***********************************************************

When you are done, turn the victim computer off and then back on again instead of rebooting with the power still on. This will get rid of anything lingering in RAM that could defeat your efforts.

Keep Clueless Kiddie Hackers from Messing up Your School Computers

Now that you have shown your teachers that you can break absolutely any security on any box to which you have physical access, what next? Do you just leave your teachers feeling awed and helpless? Or do you help them? There is a reason why they have security systems on your school's computers.
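The list of places to look (autoexec.bat, config.sys, the Startup folder, the Registry) is also the list a teacher needs to see before she will believe that a babysitter program can be removed cleanly and put back. Here is an added example to go with it, written for this edition and not part of the original Guide: a Python script that scans copies of those files, plus a regedit export (the plain-text .reg file you opened in WordPad earlier), for any reference to a named program, and can strip the matching boot-file lines after writing .bak copies and restore them afterwards. The search pattern uses the FoolProof names the Guide gives (device=fp, fptsr.exe); the sample config.sys, autoexec.bat, Startup shortcut names, Registry export and the HKEY_LOCAL_MACHINE\SOFTWARE\Example\FoolProof key are constructed for the demo (the ...\CurrentVersion\Run key is a real Windows autostart location). Python was not on a 1997 school PC, so run this on copies of the files pulled off the machine, or, as it does by itself, on the built-in samples.

```python
"""Startup-hook audit for a Windows 95-era PC (added example, not from the Guide).
Scans copies of config.sys, autoexec.bat, the Startup folder and a regedit export
(.reg text) for a named program, and can strip/restore the matching boot lines."""
import os
import re
import shutil
import tempfile

# FoolProof's hooks as named in the Guide: "device=fp" and "fptsr.exe".
# Change the pattern for whatever program you are auditing.
PATTERN = r"fool\s?proof|\bfp\b|fptsr"


def find_references(lines, pattern):
    """(line_number, line) for each line matching pattern, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(n, ln.rstrip("\r\n")) for n, ln in enumerate(lines, 1) if rx.search(ln)]


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key: {value_name: data}}.  Covers [key] headers,
    "name"="data", @="data", hex:/dword: values; data kept as written, no unescaping."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:      # hex continuation lines skipped
            name, _, data = line.partition("=")
            keys[current][name if name == "@" else name.strip('"')] = data.strip('"')
    return keys


def registry_references(text, pattern):
    """(key, value_name, data) for every value whose key, name or data matches."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(k, n, d) for k, vals in parse_reg_export(text).items()
            for n, d in vals.items() if rx.search(k) or rx.search(n) or rx.search(d)]


def startup_folder_references(folder, pattern):
    """Shortcut (.lnk) or program names in the Startup folder that match."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(f for f in os.listdir(folder) if rx.search(f))


def strip_lines(path, pattern):
    """Back up path to path.bak, rewrite it without matching lines, return them."""
    backup = path + ".bak"
    if not os.path.exists(backup):          # never overwrite the first backup
        shutil.copy2(path, backup)
    rx = re.compile(pattern, re.IGNORECASE)
    with open(path, newline="") as f:       # newline="" keeps DOS CR LF intact
        lines = f.readlines()
    with open(path, "w", newline="") as f:
        f.writelines(ln for ln in lines if not rx.search(ln))
    return [ln for ln in lines if rx.search(ln)]


def restore(path):
    """Put the original back from its .bak (leave the box as you found it)."""
    shutil.copy2(path + ".bak", path)


# Constructed sample files standing in for a FoolProof-protected machine.
SAMPLE_CONFIG_SYS = "DEVICE=C:\\WINDOWS\\HIMEM.SYS\r\ndevice=fp\r\nDOS=HIGH,UMB\r\n"
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\nfptsr.exe\r\nWIN\r\n"
SAMPLE_STARTUP = ["Microsoft Office Shortcut Bar.lnk", "FoolProof Monitor.lnk"]
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"FoolProof"="C:\\FP\\FPTSR.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\FoolProof]
@=""
"""


def demo(workdir=None):
    """Write the samples into workdir, audit, strip, restore; return the findings."""
    workdir = workdir or tempfile.mkdtemp()
    cfg, aut = os.path.join(workdir, "config.sys"), os.path.join(workdir, "autoexec.bat")
    startup = os.path.join(workdir, "Startup")
    os.makedirs(startup, exist_ok=True)
    for path, body in ((cfg, SAMPLE_CONFIG_SYS), (aut, SAMPLE_AUTOEXEC)):
        with open(path, "w", newline="") as f:
            f.write(body)
    for name in SAMPLE_STARTUP:
        open(os.path.join(startup, name), "w").close()
    result = {
        "config.sys": find_references(SAMPLE_CONFIG_SYS.splitlines(True), PATTERN),
        "autoexec.bat": find_references(SAMPLE_AUTOEXEC.splitlines(True), PATTERN),
        "startup": startup_folder_references(startup, PATTERN),
        "registry": registry_references(SAMPLE_REG, PATTERN),
        "removed": {"config.sys": strip_lines(cfg, PATTERN),
                    "autoexec.bat": strip_lines(aut, PATTERN)},
    }
    restore(cfg)
    restore(aut)
    with open(cfg, newline="") as f:
        result["restored"] = f.read() == SAMPLE_CONFIG_SYS
    return result


if __name__ == "__main__":
    for section, hits in demo().items():
        print(section, hits)
```

Run as a script it prints each location with its hits. The lines strip_lines removes come back as its return value, so you can show the teacher exactly what changed, and restore() puts the originals back from the .bak copies; strip_lines refuses to overwrite an existing .bak, so a second pass cannot destroy the first backup.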
You would be amazed at all the things clumsy or malicious users can do. You can do your school a world of good by using your hacking skills to fix things so that security works much better.

Here are some basic precautions that you can offer to your teachers to lock down school computers. (See the GTMHH on how to break into Windows computers for instructions on how to do most of these.)

1) Disable all boot keys.

2) Password the CMOS. If it already has a password, change it. Give your teacher the new password.

3) Remove any programs that allow the user to get to regedit or DOS.

4) Programs that allow hot keys to circumvent security should be changed, if possible, to disable the hot keys.

5) Remove programs that can't be made safe.

6) Don't make it possible for Win95 computers to access sensitive data on a network disk. (The passwords can be easily grabbed and decoded.)

7) Try really, really hard to persuade the school administration to replace Win95 with WinNT.

With experimentation you will figure out much more for yourself. Since Win95 is a totally insecure operating system, this will be a losing battle. But at least you will be able to make things secure enough that the students who do break in will have to know enough not to do anything disastrous by accident. As for malicious school hackers, sigh, there will always be kewl d00dz who think "format c:" shows they are, ahem, kewl d00dz.

You may also have a problem with school administrators who may feel that it is inconvenient to set up such a secure system. They will have to give up the use of lots of convenient programs. Upgrading to WinNT will cost money. Try explaining to them how much easier it will be to keep those wannabe hacker vandals from trashing the school computers or using them to visit bianca's Smut Shack.

Are you ready to turn your hacking skills into a great reputation at school? Are you ready to have the computer lab teachers begging to learn from you?
Are you ready to have the entire school computer system under your control -- legally? You will, of course, only use the tricks of this Guide under the supervision of an admiring teacher, right? It sure is more fun than expulsion and juvenile court!

___________________________________________________________

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.

___________________________________________________________