remote file sharing.</p>
<p>The Default user, however, can be secured. If this is done, then it is virtually
impossible to gain access through it. The only way to do this is by a series
of registry entries, which are listed in the appendix at the bottom of this
file.</p>
<p>Login passwords are stored in .PWL files in the Windows directory. You can
reset all accounts to no password by using the .PWL renaming technique described
below. </p>
<p>The filename of the .PWL file corresponds to the login name of that user. For
example, Olcay.pwl contains the encrypted passwords for the account "Olcay".</p>
<p>The password protection in Windows 95 uses a much stronger algorithm, but you
can still bypass it by *carefully* moving or renaming all .PWL files in the
C:\Windows directory. The password filenames are also stored in the SYSTEM.INI
file.</p>
<p>So, to disable passwords:</p>
<p> CD \WINDOWS<br>
REN *.PWL *.PW_</p>
<p>Similarly, to re-enable passwords:</p>
<p> CD \WINDOWS<br>
REN *.PW_ *.PWL</p>
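<p>From the administrator's side, a rename like this leaves a trace: SYSTEM.INI still names password lists that are no longer on disk. The following check is an added example, not part of the original FAQ. It assumes the Windows 95 layout in which SYSTEM.INI carries a [Password Lists] section of USER=path lines, and the sample files are constructed.</p>

```python
import tempfile
from pathlib import Path

def password_lists(system_ini_text):
    """Return {USER: path} from the [Password Lists] section of SYSTEM.INI."""
    entries, section = {}, None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "password lists" and "=" in line:
            user, path = line.split("=", 1)
            entries[user.strip().upper()] = path.strip()
    return entries

def audit_pwl(windows_dir):
    """Flag registered .PWL files that are gone, and leftover .PW_ renames."""
    on_disk = {p.name.upper(): p for p in Path(windows_dir).iterdir()}
    ini = on_disk.get("SYSTEM.INI")
    text = ini.read_text(encoding="latin-1") if ini else ""
    findings = []
    for user, path in sorted(password_lists(text).items()):
        pwl = path.replace("\\", "/").rsplit("/", 1)[-1].upper()
        if pwl not in on_disk:  # assumes the list lives in the audited directory
            findings.append(("missing", user, pwl))
    for name in sorted(on_disk):
        if name.endswith(".PW_"):
            findings.append(("renamed", name[:-4], name))
    return findings

# Constructed sample: OLCAY's list was renamed, ADMIN's is intact.
SAMPLE_INI = r"""[boot]
shell=Explorer.exe
[Password Lists]
OLCAY=C:\WINDOWS\OLCAY.PWL
ADMIN=C:\WINDOWS\ADMIN.PWL
"""

def demo():
    with tempfile.TemporaryDirectory() as windows:
        for name, data in (("SYSTEM.INI", SAMPLE_INI), ("ADMIN.PWL", "x"), ("OLCAY.PW_", "x")):
            Path(windows, name).write_text(data)
        return audit_pwl(windows)

if __name__ == "__main__":
    print(demo())
```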
<p></p>
<p><b><font size="3"><a name="20"></a>Third-Party Password</font></b><br>
<br>
If this is a third-party security program, such as the one built into After
Dark, try pressing Ctrl+Alt+Del when the dialog is presented to you. Most security
programs go out of their way to be secure, and Windows 3.1 interprets this as
not responding to the system, and thus will allow you to close it. Windows 95 pops
up a neat little dialog box that lets you terminate any running application.
How convenient. :) Once you subvert this, you can prevent it from bothering
you again by editing the LOAD= and RUN= sections in C:\WINDOWS\WIN.INI.</p>
<p><br>
<font size="3"><b><a name="21"></a>Screensavers</b></font><br>
<br>
The password protection built into the Windows 3.1 screensavers is extremely
weak. You can bypass it by editing CONTROL.INI and searching for the Password
field. Delete the junk that appears after the equal sign (this is an encrypted
password).</p>
<p>To disable Windows 95 passwords, right-click on the desktop and select Properties,
choose the Screen Saver tab, and uncheck "Password protected".</p>
<p></p>
<p><br>
<font size="4"><b><a name="22"></a>Windows-Based Security</b></font><br>
<br>
If Windows starts up, and Program Manager loads, but the File menu is disabled,
and access to DOS has been cut off, or some other oppressive security measures
are in place, fear not. There are ways around such programs, as shall be explained
below:</p>
<p><br>
<b><font size="3"><a name="23"></a>DOS through OLE</font></b><br>
<br>
OLE, for Object Linking and Embedding, was hailed as a great advance in the
Windows Operating System by letting you embed or link objects (this includes
Executables) in documents.</p>
<p>Scorpion pointed out that Object Packager, which lets you package embedded
files with icons, could be used to access DOS (or run any program) from most
OLE-enabled applications (like Write, WordPad, Word, etc.). Based on this information,
I found a similar hole that doesn't require Object Packager but still exploits
OLE. Both of these work in Windows 3.x and up.</p>
<p>Using Object Packager:</p>
<ol>
<li>Start up Write or WordPad</li>
<li>Select "Object" from the "Insert" menu</li>
<li>The location of the Insert Object command may vary. Look around.</li>
<li>Choose Package from the list, and click OK</li>
<li>Select "Import" from the "File" menu</li>
<li>Enter C:\COMMAND.COM, and select OK</li>
<li>Select "Update" under the "File" menu</li>
<li>Go back to your document, and double click on the COMMAND.COM icon</li>
</ol>
<p>Using Insert:</p>
<ol>
<li>Start up Write or WordPad</li>
<li>Select "Object" from the "Insert" menu</li>
<li>Again, the location of the Insert Object command may vary. Look around.</li>
<li>Select "Create from File"</li>
<li>Enter C:\COMMAND.COM as the filename</li>
<li>Click OK, go back to your document, and double click on the COMMAND.COM
icon<br>
</li>
</ol>
<p><font size="3"><b><a name="24"></a>DOS through Write</b></font><br>
<br>
This works by saving COMMAND.COM, the DOS executable, over WINHELP.EXE, the
Windows Help program. Unfortunately, this tactic will not work with Windows
95. WordPad, the Word Processing Applet that comes with Windows 95, prevents
the user from loading executable files.</p>
<ol>
<li>Go into Accessories, and start up Write (*NOT* NOTEPAD!!)</li>
<li>Open C:\COMMAND.COM</li>
<li>A dialog box will pop up. Select "NO CONVERSION"</li>
<li>Select Save As...</li>
<li>Save it as C:\WINDOWS\WINHELP.EXE</li>
<li>If it asks if you want to overwrite WINHELP.EXE, choose YES</li>
<li>Press F1. Normally, this loads Windows Help, but now it will create a DOS
prompt window.</li>
</ol>
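<p>An overwrite of this kind is visible to a simple integrity check: WINHELP.EXE no longer matches its known-good hash and instead matches the command interpreter. The following baseline check is an added example, not part of the original FAQ. It assumes the saved copy is byte-identical to COMMAND.COM (the baseline comparison flags the file either way), and every file in it is a constructed placeholder.</p>

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def exe_hashes(windows_dir):
    """Map every .EXE in the directory (upper-cased name) to its hash."""
    return {p.name.upper(): digest(p) for p in Path(windows_dir).iterdir()
            if p.suffix.upper() == ".EXE"}

def check_executables(windows_dir, baseline, shell_path):
    """Compare current .EXE files with the baseline and with the command shell."""
    shell = digest(shell_path)
    current = exe_hashes(windows_dir)
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append((name, "missing"))
        elif current[name] == shell:
            findings.append((name, "identical to command interpreter"))
        elif name not in baseline:
            findings.append((name, "not in baseline"))
        elif current[name] != baseline[name]:
            findings.append((name, "modified"))
    return findings

def demo():
    """Constructed files only: placeholder bytes stand in for real binaries."""
    with tempfile.TemporaryDirectory() as root:
        shell = Path(root, "COMMAND.COM")
        shell.write_bytes(b"constructed COMMAND.COM contents")
        windows = Path(root, "WINDOWS")
        windows.mkdir()
        for name in ("WINHELP.EXE", "WRITE.EXE", "CALC.EXE"):
            (windows / name).write_bytes(b"constructed " + name.encode())
        baseline = exe_hashes(windows)  # taken in the known-good state
        # State after the overwrite described above, plus an unrelated change.
        (windows / "WINHELP.EXE").write_bytes(shell.read_bytes())
        (windows / "CALC.EXE").write_bytes(b"patched")
        return check_executables(windows, baseline, shell)

if __name__ == "__main__":
    print(demo())
```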
<p></p>
<p></p>
<p><b><font size="3"><a name="25"></a>DOS through Word</font></b><br>
<br>
Microsoft Word versions 6.0 and above have a built-in macro language called
WordBasic. This example works by instructing WordBasic to open up a DOS window.</p>
<p>Most of the Macro languages of popular applications let you do something similar
to this technique. Look around in the online help files.</p>
<ol>
<li>If Microsoft Word is installed, start it up.</li>
<li>From the Tools Menu, select Macro.</li>
<li>Type in a Macro name, and click "Create"</li>
<li>When the Macro window comes up, type in one of the following depending on
which Windows you are using:<br>
For Windows 3.1: Shell Environ$("COMSPEC") <br>
For Windows 95: Shell Environ$("COMMAND") <br>
For Windows NT: Shell Environ$("CMD")<br>
<br>
If all else fails: Shell "C:\COMMAND.COM"</li>
<li>Run the macro by pressing the little play button on the macro toolbar. This
will launch a DOS prompt.</li>
</ol>
<p><font size="3"><b><a name="26"></a>DOS through MODE</b></font><br>
<br>
When Windows 95 shuts down and shows that dumb graphic, it's really just sitting
on top of DOS. You can actually issue DOS commands (although the graphic will
cover them) on the system after shutdown!!!</p>
<p>A simple way to do this is to type:</p>
<p> CLS</p>
<p>After the shutdown graphic shows. However, the text will be in 40-column mode,
which is hard to read, and incompatible with some programs.</p>
<p>If you want to get a nice, clean DOS prompt, you can type:</p>
<p> MODE CO80</p>
<p>This will reset the screen display to the normal (80-column, 16 color) DOS
display mode.</p>
<p>*MOST* Windows Security programs are based on a VxD (Virtual Device), which
gives them unprecedented power over the system while Windows is running. After
shutdown, all Windows-based programs will be unloaded, leaving you free to explore
using DOS.</p>
<p>For some unknown reason, this doesn't seem to work on some systems.</p>
<p></p>
<p><br>
<b><font size="3"><a name="27"></a>DOS through Windows Login</font></b><br>
<br>
When Windows 95 starts up, some systems are set up to show a Windows/Network
Login dialog box. You can press either</p>
<p> Ctrl+Alt+Del</p>
<p>which will let you shut down the system (and apply the DOS THROUGH MODE technique),
end any running tasks, etc. Or:</p>
<p> Ctrl+Esc</p>
<p>which, since the taskbar hasn't loaded, will launch Task Manager. From this
window you can end tasks, run programs, and shut down the system (again, the
DOS THROUGH MODE technique is applicable here). *All* programs are accessible
from the run menu, so you can run C:\COMMAND.COM to get access to DOS.</p>
<hr>
<p></p>
<p><b><font size="4"><a name="28"></a>2c. Getting past NetWare</font></b></p>
<p>This section is based on excerpts from the Netware Hacking FAQ. Although Netware
has met a general decline in use over the years, I still thought it would be
proper to include this.</p>
<p><font size="4"><b><a name="29"></a>Common Account Names</b></font><br>
<br>
Novell Netware has the following default accounts: SUPERVISOR and GUEST; Netware
4.x has ADMIN and USER_TEMPLATE as well. All of these have no password set.
Don't be a dummy, password protect SUPERVISOR and ADMIN immediately. Below is
a listing of common default and built-in accounts that might be in your best
interest to secure.</p>
<table width="60%" border="1">
<tr>
<td valign="top">
<div align="center"><b>Account </b></div>
</td>
<td>
<p align="center"><b>Purpose</b></p>
</td>
</tr>
<tr>
<td valign="top">POST</td>
<td>Attaching to a second server for email</td>
</tr>
<tr>
<td valign="top">
<p>MAIL</p>
</td>
<td> </td>
</tr>
<tr>
<td valign="top">PRINT</td>
<td>Attaching to a second server for printing</td>
</tr>
<tr>
<td valign="top">LASER</td>
<td> </td>
</tr>
<tr>
<td valign="top">HPLASER</td>
<td> </td>
</tr>
<tr>
<td valign="top">PRINTER</td>
<td> </td>
</tr>
<tr>
<td valign="top">
<p>LASERWRITER</p>
</td>
<td> </td>
</tr>
<tr>
<td valign="top">ROUTER</td>
<td>
<p>Attaching an email router to the server</p>
</td>
</tr>
<tr>
<td valign="top">BACKUP</td>
<td>May have password/station restrictions (see below), used for backing up
the server to a tape unit attached to the workstation. For complete backups,
Supervisor equivalence is required.</td>
</tr>
<tr>
<td valign="top">WANGTEK</td>
<td> </td>
</tr>
<tr>
<td valign="top">TEST</td>
<td>
<p>A test user account for temp use</p>
</td>
</tr>
<tr>
<td valign="top">ARCHIVIST</td>
<td>
<p>Palindrome default account for backup</p>
</td>
</tr>
<tr>
<td valign="top">CHEY_ARCHSVR</td>
<td>An account for Arcserve to login to the server from the console for
tape backup. Version 5.01g's password was WONDERLAND.</td>
</tr>
<tr>
<td valign="top">GATEWAY</td>
<td>Attaching a gateway machine to the server</td>
</tr>
<tr>
<td valign="top">
<p>GATE</p>
</td>
<td> </td>
</tr>
<tr>
<td valign="top">FAX</td>
<td>Attaching a dedicated fax modem unit to the network</td>
</tr>
<tr>
<td valign="top">FAXUSER </td>
<td> </td>
</tr>
<tr>
<td valign="top">
<p>FAXWORKS </p>
</td>
<td> </td>
</tr>
<tr>
<td valign="top">
<p> </p>
<p>WINDOWS_PASSTHRU</p>
</td>
<td>Although not required, per the Microsoft Win95 Resource Kit, Ch. 9 pg.
292 and Ch. 11 pg. 401 you need this for resource sharing without a password.</td>
</tr>
</table>
<p><font size="4"><b><a name="30"></a>Resetting Netware</b></font><br>
<br>
When NetWare is first installed, the accounts SUPERVISOR and GUEST are left unprotected,
that is, with no password. SUPERVISOR has free run of the system. You can do
anything you want.</p>
<p>But how can you make the server think it has just been installed without actually
reinstalling the server and losing all data on the disk? Simple. You just delete
the files that contain the security system! </p>
<p>In Netware 2.x, all security information is stored in two files (NET$BIND.SYS
and NET$BVAL.SYS). Netware 3.x stores that information in three files (NET$OBJ.SYS,
NET$VAL.SYS and NET$PROP.SYS). The all-new Netware 4.x system stores all login
names and passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS,
VALUE.NDS and UNINSTAL.NDS [This last file may not be there, don't worry]).</p>
<p>Although Novell did a very good job encrypting passwords, they left all directory
information easy to find and change if you can access the server's disk directly,
using common utilities like Norton's Disk Edit. </p>
<p>Using this utility as an example, I'll give a step-by-step procedure to make
these files vanish. All you need is a bootable DOS disk, Norton Utilities' Emergency