Inside Happy Hacker
Oct. 14, 2003
___________________________________________________________
See the Happy Hacker web site at
Firewall or web babysitter program blocks you? Try
Still doesn't work? Try entering 206.62.52.30 in the location window of your web browser.
___________________________________________________________
In this issue:
* Überhacker II finally here
* How to Customize Windows XP -- the hacker way
* How to defend your Windows XP computers
___________________________________________________________
*** Überhacker II finally here
___________________________________________________________

The printer finally shipped "Überhacker II: More Ways to Break into Computers." It was written by Carolyn Meinel with a lot of help from her friends, and published by Loompanics.

See sample chapters from this new book at . They cover things you can do easily and legally, as you learn more about how Ethernet works. We show how, with screen shots and keystroke-by-keystroke instructions. We demystify netmasks, broadcast addresses, arp tables, sniffers and more.

Want more hacking fun? I've hidden the Überhacker II chapter on phone/PBX hacking on the Happyhacker.org web site. One way to find it is to force a directory listing. Another way is to guess the URL. I made the URL kind of easy to guess. But you will really impress everyone if you can find a way to force a directory listing that reveals the hidden web pages. I promise to announce your achievement on the wargame page, and in a mailing to the list.

Wonder who helped write Überhacker II? See for details on the REAL hackers from around the world who contributed.
___________________________________________________________
*** How to Customize Windows XP -- the hacker way
___________________________________________________________

If you have a Windows computer, and aren't on the hhwindows email list, you are missing out big time on harmless hacking fun.
Following are excerpts from some posts on how to customize Windows XP in ways that your friends and relatives have never seen. To subscribe, send a blank email to hhwindows-subscribe@yahoogroups.com.

BloodDragon6sic6@aol.com

I came across the script below on a win98 box, tested it on XP and it works great. To mod the Internet Explorer title bar, go to

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Insert a new string value named "window title", right click that string, click modify, and enter a string of text you wish to show on your internet explorer bar.

    "Window Title"="Paz_Rax"

"Scott M Wade"

Here's a cool little hack for you. Open up your boot.ini file (for win2k or winXP), which will probably reside at C:\boot.ini, and change the last line to have the command /sos at the end of it. The last line of your boot.ini file should look something like this when you're done:

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /sos

After that reboot your PC and watch the kernel load instead of watching that boring splash screen!

- Keep in mind that boot.ini is a hidden file by default, so you might have to change your folder options so you can view hidden files and folders first.

Marc Erickson

BootXP will allow you to edit the boot screen with it - and this page has some hints as to how to do it without a program.

To edit the boot screen you need to have a program that runs the same way as ntoskrnl.exe. Go to www.themexp.org and you will be able to find many of these there. Once you have downloaded it, you need to copy the contents to the windows/system32 directory. Then you need to go back to the root directory (c:\) and open the boot.ini file and edit it. It will look something like this...

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP orig" /fastdetect /KERNEL=ntoskrnl.exe

From Nicholas Campbell

Not exactly like that because I had to edit a few things. But something like that. If you can't find boot.ini you need to enable viewing of all files. I'll assume you know how to do this; if not, just ask. Now you need to just make a copy of that last line and change what you want. I have:

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Deep Blue" /fastdetect /KERNEL=deepblue.exe
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MeltXP" /fastdetect /KERNEL=meltxp.exe
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Bubbles" /fastdetect /KERNEL=ntosboot.exe

If you want your boot screen to be the only one to pop up then just comment out all the ones you don't want to use. It should automatically load with the one you want. I don't know about the shutdown screen. I believe that has to do with the logon screen and I just used a program to tweak that. Again, check out themexp.org to see if they have anything. Hope it helps.

Jermaine Abrahams

Try wincustomize; it's a great site, plus it also has shell replacements like litestep and talisman. Editing the shells will also get you some good C++ experience as you learn more.

(Carolyn's note: The following was emailed directly to me rather than to hhwindows. It is a fascinating email because the author reveals how he went about figuring out Windows XP Registry hacks on his own. This is what real hacking is all about -- figuring things out, and then sharing with others. Watch out, though, when you try hacking the Registry, because you could accidentally mess up your computer so bad you can't use it. Be sure to back up everything first!)

Figured out how to spoof IE6 ver info
From: kropulus@earthlink.net

I've learned a lot off your site and guides.
And I guess the main lesson I learned from one of those guides (dunno which one) is to know what you're using and how to fix it. But that's not really my point in this e-mail; the point is that I've found a way to spoof the version info in Internet Explorer 6. I've always known that any client gives off info about itself but I've never bothered to try to learn to hide it. I've spent the 4 1/2 years I've been running around the net learning how to use and repair operating systems that I use, er used, and system security.

Well anyways, on 8-12-03 I was playing with my router, and decided to go to grc.com and have it scanned for s**** and giggles. I noticed that they had updated the page and added a browser info scanner; basically it told you the info your browser was leaking about you:

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
    Accept-Language: en-us
    Connection: Keep-Alive
    Host: grc.com
    Referer:
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
    Content-Length: 27
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache

After seeing this, I decided to see if I could find a way to hide this info, searched Google and got jack, so I was off to visit good ole regedit.com. They always have good tweaks for stuff. So after searching around their site for about 30 minutes, I found this

This page tells how to change the version info on the Windows Pocket PC IE to IE6. Well, after searching through my registry I found the same keys in the same location on my Windows XP Professional box:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent]

So I did what the page said, tried it, got the same info. So I rebooted, knowing how Windows is, went to grc.com again, got the same info.

(Carolyn's note: This is where he begins REAL hacking.
Instead of saying, "Oh, darn, I give up," he uses creative thinking.)

So I got to thinking, and off I went opening regedit and the hunt was on. I started out checking known internet explorer keys and got nothing. Then I found it, er rather them:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform

When I looked in there I found this string value: .NET CLR 1.1.4322. So I decided to change the string name to .NET VLR 2.4.7659, saved it, pressed F5 to refresh the registry, and off I went back to grc.com. BINGO! It worked. It changed that part of my info from .NET CLR 1.1.4322 to .NET VLR 2.4.7659, making my User Agent read this:

    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET VLR 2.4.7659)

So I got to thinking and I decided to try what that page on regedit.com told me (winguides.com is the same place). I changed the value of the default string value to what I wanted, and added two string values to the key below, one named Version and one named Platform, and decided to put bogus vernames for the data values. Then it was off to grc.com again.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

What do ya know, BINGO! I hit the jackpot again. My User Agent came back just as I wanted it to:

    Opera/6.0 (compatible; Netscape 6.0; Freebsd 5.1; .NET VLR 2.4.7659)

Hahahahahaha. Then I got to noticing that it also gave info about files you can accept. Well, I still had regedit open and I noticed this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents

Well, after opening the key, what do you know, here we have all the accepted files that were listed under accept (in the information the browser sent to the webserver); they're all string values and the values are set to the names of the programs as listed under accept, so I got the bright idea to rename one of the string values to test/test.
Back off to grc.com again, and I got this:

    Accept: test/test, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*

So I tried it with all the values and it worked. Then I got the idea instead of putting fake info just put * for the info, so for:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

I changed the default string data value to * and the version and platform string I changed the data value to * and in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform

I changed the name of the string value .NET CLR 1.1.4322. to * and left the default alone for the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents

I deleted all the string values and set the default string data value to *. Off to grc.com again and this is what I got:

    Accept: *, */*
    Accept-Language: en-us
    Connection: Keep-Alive
    Host: grc.com
    Referer:
    User-Agent: * (compatible; *; *; *)
    Content-Length: 26
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache

And there you have it. I have two computers on a lan in this apt. hooked into cable internet, my mom's computer is running the same version of Windows XP (both licensed, might I add), but anyways on her system she doesn't have the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

This is because she doesn't have Microsoft .NET Framework installed on her system. That's where ya get .NET CLR 1.1.4322 in User-Agent. But if you create the key, it will work and you don't have to create the subkey Post Platform.

Kellys-korner-xp.com is also a great site for Windows XP tweaks and hacks etc. You should check it out. I found a lot of great info there about Windows XP, and some really cute tweaks for IE.
From what I can find I don't think anyone has figured this out for IE6. If they have, then kewl beans, but I've found nothing on it.

One last thing, I've done some testing now. If you try to run Windows Update, it won't work. You will have to delete the hacked keys and replace them with the backed up originals. Also, when visiting Microsoft sites, I noticed that some things don't display properly. Also I've got my IE settings set so that it asks to run all ActiveX controls; well, with the version and all that spoofed I notice that I don't get ActiveX prompts for ActiveX controls and the browser seems to surf a little faster. So I don't believe that it's running ActiveX controls. I still get prompts for scripts though, for java and such. Like cnn.com runs like tons of ActiveX controls that cause loading time to slow way down even on cable on a 1.1 GHz system with a 128 ATI video card. Well, with the version info hacked it loads like lightning.

(Carolyn's note: The reason many web servers want to detect what browser you are using is to know what programs it can run. ActiveX is only run by IE, so they won't try to run ActiveX programs on non-IE browsers.)

Well there ya have it in a nutshell. Just thought ya might wanna know ;) If ya got any questions er comments please e-mail me back, I'll be more than glad to answer.

Thanks
kropulus
___________________________________________________________
*** How to Defend Your Windows XP and 2000 computers
___________________________________________________________

Things are getting really crazy for hapless owners of Windows XP and 2000 computers. (Windows 95/98/98SE/ME are safe.) Right now there is no defense against the latest remote procedure call (RPC DCOM) worm except to turn off RPC DCOM services. Experts are predicting a worm to be unleashed any day to exploit this vulnerability. Then anyone running RPC will be at the mercy of whatever the worm writer decides to do.
Will he or she install back doors to remotely control and snoop on your computer, damage files, use your computer to send out spam, or wreck the operating system?

If you don't want to trust the worm writers to be nice, here's the only defense known today. You can disable DCOM by editing the Registry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\EnableDCOM to "N"

If you've never used the Registry before, here's how to do it. Click Start --> Run and enter regedit in the box, then click OK. In the left hand pane, click HKEY_LOCAL_MACHINE. Find Software and click it to expand it. Then scroll way down until you find Microsoft. Click on it and scroll way down to Ole. In the right hand panel across from Ole you will see several entries (probably only three). One will say "Enable DCOM" and at the end of the line you'll see "Y". Change that "Y" to "N". Then click File --> Exit and you are done.

If you don't like to mess with the Registry, here's how to do it from Control Panel. Control Panel --> (in XP switch to classic view if it isn't there already) click Administrative Tools --> Component Services. Double click on this to bring up a folder labeled Computers. Click to open. Unless you are on a network, you will find just one computer in the folder. Right-click on your computer and choose Properties. Click the Default Properties tab. To disable DCOM, clear the "Enable Distributed COM on this computer" check box. Click OK. Then reboot.

To keep up with the latest news on dangers and defenses for your Windows computers, see and .

Happy white hat hacking!
___________________________________________________________

Happy Hacker Org is devoted to *legal* hacking! If anyone plans to use any information we provide to commit crime, check out to find out what happens to bad hacker girlz and boyz.

You are welcome to join our chat groups at or join our email discussion groups:

Linux-for-Everyone-subscribe@yahoogroups.com
  Moderator: Debbie, zzz_debbie@yahoo.com
hh-unix-subscribe@yahoogroups.com
  Moderators: Phil Dibowitz phil@ipom.com and Tom Massey
hhwindows-subscribe@yahoogroups.com
  Windows moderators: John Demchenko and Michael Devault
hhnetwork-subscribe@yahoogroups.com
  Moderator: Tanvir Ahmed
hhprogramming-subscribe@yahoogroups.com
  Moderator: Tanvir Ahmed

Clown Princess and Grand Pooh-bah of Happy Hacker Org: Carolyn Meinel, cmeinel@techbroker.com, (505)281-9675

To unsubscribe from this group, send an email to: happyhacker-unsubscribe@egroups.com

See for hacking news and tutorials.
See to see what's new in the latest edition of Meinel's book The Happy Hacker.
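
The registry values that kropulus's email describes under the "5.0\User Agent" key can be audited from a script, which is useful for spotting a machine where they were changed (his email notes that Windows Update stops working until the originals are restored). This is an added example, not part of the newsletter or the email; it assumes PowerShell 3.0 or later on an Internet Explorer era Windows machine, the function names are made up for illustration, and the stock token values are the ones in the first capture quoted in the email.

```powershell
# Added example (not from the newsletter): report the User-Agent overrides stored
# under the HKLM key named in the email. Function names are illustrative.
$UaKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent'

function Get-UserAgentOverride {
    param([string]$KeyPath = $UaKey)

    $r = [ordered]@{ Product = $null; Version = $null; Platform = $null; PostPlatform = @() }
    if (Test-Path -Path $KeyPath) {
        $key = Get-Item -Path $KeyPath
        $r.Product  = $key.GetValue('')          # (Default) value, sent instead of "Mozilla/4.0"
        $r.Version  = $key.GetValue('Version')   # sent instead of "MSIE 6.0"
        $r.Platform = $key.GetValue('Platform')  # sent instead of "Windows NT 5.1"
        $pp = "$KeyPath\Post Platform"
        if (Test-Path -Path $pp) {
            # The tokens are the value *names*; skip the unnamed default value.
            $r.PostPlatform = @((Get-Item -Path $pp).GetValueNames() | Where-Object { $_ })
        }
    }
    [pscustomobject]$r
}

function Format-UserAgent {
    param($Override)
    # Fall back to the stock tokens from the email's first capture when nothing is overridden.
    $product  = if ($Override.Product)  { $Override.Product }  else { 'Mozilla/4.0' }
    $version  = if ($Override.Version)  { $Override.Version }  else { 'MSIE 6.0' }
    $platform = if ($Override.Platform) { $Override.Platform } else { 'Windows NT 5.1' }
    $tokens = @('compatible', $version, $platform) + $Override.PostPlatform
    '{0} ({1})' -f $product, ($tokens -join '; ')
}

$o = Get-UserAgentOverride
$changed = @('Product', 'Version', 'Platform') | Where-Object { $o.$_ }
if ($changed) {
    Write-Output ("Overridden tokens: {0}" -f ($changed -join ', '))
} else {
    Write-Output 'No Product/Version/Platform override present.'
}
Write-Output ("Post Platform tokens: {0}" -f ($o.PostPlatform -join ', '))
Write-Output ("User-Agent this configuration would send: {0}" -f (Format-UserAgent $o))
```

Post Platform tokens such as .NET CLR 1.1.4322 are added by installed software, so they are listed rather than flagged; only the Product, Version and Platform overrides are reported as changes.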
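
The EnableDCOM registry change from the "How to Defend Your Windows XP and 2000 computers" section can also be checked and applied from a script. This is an added example, not part of the newsletter; it assumes PowerShell 2.0 or later run from an elevated prompt, and the function names and the backup file name are made up for illustration.

```powershell
# Added example (not from the newsletter): check and set the EnableDCOM value the
# article describes. Run elevated; the article's reboot step still applies.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomSetting {
    # Returns "Y", "N", or "missing" when the value is absent.
    $p = Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'missing' }
    [string]$p.EnableDCOM
}

function Disable-Dcom {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Illustrative default location for the exported copy of the Ole key.
        [string]$BackupFile = (Join-Path $env:TEMP 'ole-before-dcom-change.reg')
    )

    $before = Get-DcomSetting
    if ($before -eq 'N') {
        Write-Output 'EnableDCOM is already "N"; nothing to change.'
        return
    }

    if ($PSCmdlet.ShouldProcess($OleKey, 'set EnableDCOM to "N"')) {
        # Export the key first so the original can be restored by importing the .reg file.
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Ole' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Backup to $BackupFile failed; registry left unchanged."
        }

        # A string value is written as REG_SZ, matching the "Y"/"N" data in the article.
        Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'N'

        $after = Get-DcomSetting
        if ($after -ne 'N') { throw "Write did not take effect (EnableDCOM is '$after')." }
        Write-Output "EnableDCOM changed from '$before' to 'N'. Backup: $BackupFile. Reboot to apply."
    }
}

Write-Output ("Current EnableDCOM: {0}" -f (Get-DcomSetting))
# Disable-Dcom -WhatIf    # preview the change without writing
# Disable-Dcom            # export the key, then write "N"
```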