BYPASSING PASSWORDS
CJ Bronstrup

So you just got that call from Mr. Grump at Bigge Financial Services. He
suspects one of his employees of embezzlement, leaking corporate secrets,
or just plain slacking off on the job.

The first thing you want to do is get a look at that PC sitting on Joe
Loafer's desk. Uh-oh. Joe has the system password protected. It's just a simple
screen saver password protection. You know the one: you see it when you want to
play with that new Pentium system at the local computer superstore without the
salesman around, but as soon as you hit a key the darn thing asks for your
password. Mr. Grump is looking at his watch while you stare stupidly at the
monitor (who can blame him, you're getting paid 50 smackers an hour for these
dumb looks). You could hack away trying to guess the password, but you are
better than that.

Your first goal will be to exit Windows. The best way to accomplish this is to
simply hit the standard CTRL + ALT + DEL. If that doesn't work you may need to
reset or cycle the power off and on. Try to observe what the computer does
next. If the computer boots directly to Windows and the screen saver does not
appear immediately, then you are in good shape and you don't need to worry
about defeating the password. However, if the screen saver starts automatically
after Windows starts, chances are a more computer-savvy person set the machine
up and you need to do a little more work.

If the screen saver begins immediately after Windows starts, reboot the
machine. During the boot-up cycle, press F5. This will circumvent the standard
boot cycle and the computer will drop to the DOS-level prompt. Next, you will
need to start the MS-DOS editor by typing EDIT. Then, you will need to open the
file C:\WINDOWS\CONTROL.INI. Scroll down until you see a section which looks
similar to the following:

[Screen Saver.Marquee]
PWProtected=1
Text=NNNNNNNNNNNNNNNNNNNNNNNNNNN
Font=Wingdings
Size=72
BackgroundColor=128 128 128
TextColor=255 255 255
Speed=10
Attributes=00000
CharSet=2
[ScreenSaver]
Password=1237

At this point you will need to modify a couple of things depending upon
what you want to accomplish. In this case the screen saver in use is the
Marquee. By simply changing the line PWProtected=1 to PWProtected=0 the
password will be disabled. Unfortunately, the password itself cannot be
determined from the line Password=1237 because the password is encrypted.
However, another technique is to place a semicolon before the line
Password=1237 (;Password=1237) and insert the new line "Password=":

[ScreenSaver]
;Password=1237
Password=

By replacing the encrypted password with a blank, the screen saver password
will still be active. However, when a password request occurs, simply pressing
return will do the job.

The above methods are what I call breaking windows with a glass cutter. There
are some quicker and somewhat dirtier methods of accomplishing the same thing.
These methods could be called breaking windows with a sledge hammer.

The faster method consists of getting to the MS-DOS prompt level as
described above. Then, create a temporary subdirectory and copy
C:\WINDOWS\CONTROL.INI into the temporary directory. Then delete
C:\WINDOWS\CONTROL.INI from the WINDOWS directory.

Alternatively, you can simply rename CONTROL.INI to something like CONTROL.OLD.
Again, this will accomplish the same thing as modifying the CONTROL.INI file.
However, the computer will display errors when Windows starts. So let the
situation govern which method you choose.
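
From the defender's side, the CONTROL.INI edits and the delete/rename shortcut
described above all leave traces that can be checked for. The following audit
is an added example, not part of the original article; the function name, the
sample file contents and the assumption that site policy requires a screen
saver password are illustrative.

```python
# Added example: audit CONTROL.INI contents for screen saver lock tampering.
# Assumption: site policy requires a password-protected screen saver.

def audit_control_ini(text):
    """Return findings for a CONTROL.INI's text (pass None if the file is absent)."""
    if text is None:
        return ["CONTROL.INI missing (deleted or renamed)"]
    findings, section, saw_password = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()      # section names are case-insensitive
            continue
        commented = line.startswith(";")      # ';' marks a disabled line
        key, sep, value = line.lstrip("; ").partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if section.startswith("screen saver.") and key == "pwprotected":
            if not commented and value == "0":
                findings.append(f"[{section}] PWProtected=0: prompt disabled")
        elif section == "screensaver" and key == "password":
            if commented:
                findings.append("[screensaver] Password line commented out")
            else:
                saw_password = True
                if value == "":
                    findings.append("[screensaver] Password is blank")
    if not saw_password:
        findings.append("[screensaver] no active Password entry")
    return findings

# Constructed sample inputs (not taken from a real machine).
SAMPLE_INTACT = "[Screen Saver.Marquee]\nPWProtected=1\n[ScreenSaver]\nPassword=1237\n"
SAMPLE_TAMPERED = (
    "[Screen Saver.Marquee]\nPWProtected=0\nText=HELLO\n"
    "[ScreenSaver]\n;Password=1237\nPassword=\n"
)

if __name__ == "__main__":
    for finding in audit_control_ini(SAMPLE_TAMPERED):
        print(finding)
```
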

Some machines use third-party security systems. These systems usually consist
of a front end for the standard Program Manager that comes stock with Windows.
Packard Bell's Navigator is a good example of these security systems. The
Navigator has a lock feature that requires a password to enter the standard
Program Manager. To get around this system you will need to get to the MS-DOS
prompt level using the previously described methods. Then create a temporary
directory, copy C:\WINDOWS\STARTUP.GRP into the temporary directory, and
remember to delete the original. Again, you could rename STARTUP.GRP to
STARTUP.OLD. This should defeat most third-party password schemes.

Another trick that experienced users like to use is changing the attributes of
the .INI files as well as related files (.GRP) to read only or hidden.
Therefore, you may need to change all the files that you will be fiddling with
to the standard archive format. To display attributes of all files in the
current directory, type ATTRIB C:\WINDOWS\*.INI (or .GRP) <RETURN>. Then use
the ATTRIB command to change file attributes to archive. Example: to remove the
read only attribute from all files in the Windows directory, type the following
command:

ATTRIB -R C:\WINDOWS\*.* /S <RETURN>

The /S switch processes all files in the current directory and all
subdirectories. Also, make sure the "Save Settings on Exit" option in Program
Manager is enabled.

Another method is, after getting to the DOS-level prompt, to edit the
SYSTEM.INI file and set the following under the 386Enhanced section:

DEBUGLOCALREBOOT=ON

Then when it asks for the screen saver password hit CTRL + ALT + DEL once.
You'll get the blue screen; press <RETURN> to kill the nasty application.

If there are many people around, you will want to accomplish all of this as
quickly as you can. Try to copy all files that pertain to the task at hand onto
floppies before you attempt to gain access, because some people like to delete
the necessary files. Also, it may be a good idea to carry a system disk with
you just in case you need to boot up clean. If you are creative enough you can
make a .BAT file that will automate most of the procedures that I have
described; the old EDLIN command should serve you well if this is your goal.
However, .BAT files can be problematic unless you have analyzed all pertinent
files on your target computer.

Normally I don't want to leave any evidence behind. Of course, I keep all
changes that I make relatively innocuous. However, if this is a black bag job,
just for fun, I like to modify the Marquee screen saver. My favorite font is
Wingdings. If you use a capital N (Wingdings) the screen saver will display a
skull and cross bones. Then I reestablish all security measures that were
originally in place, so they have to drag out the guy who set the machine up to
reset the machine. Keeps 'em on their toes.



CJ Bronstrup
Atlas Information Services http://www.pimall.com/atlas/atlas.htm
PO Box 463, Aripeka, FL 34679 FL License # A-95-00275
Phone: (352) 666-4371 Fax: (352) 666-4373
