A
N
O
N
Y
M
I
T
Y
Survival strategies
in a corporation environment





Fravia's Nofrill
Web design
'98 ~ '99
 

updated
September 1999
anon1.gif
Fravia's Anonymity Academy

Survival strategies
in a corporation environment

You're an insignificant worm from a sysad point of view. It is in part true, of course. The might of your censors and controllers is enormous and you are weak, isolated and at danger... Yet you may try to play a little your own tunes nevertheless.
On this page
"corporate survival" essays
dll taming
technical basic work
psychological basic work
useful tricks
disable Webnannys censorships
One for "public" computers A bag of tricks
 

Other related pages of my anonymity Lab
[
Main Anonymity Lab] [stalking matters] [enemy tracking]
[steganography] [What Fravia knows about you] [Tweak your browser!]
[Anonymous e-mailing] [things that happen]

This is strongly geared towards Windows 95 corporate users

This section is due to a very simple constatation: users are considered, by most system administrators, not much more than "nuisances" to their system, as if the undisturbed functioning of the system, and not the user's wishes, should be the determinant factor (for their work and for their life).



Introduction


Users are left to the compete mercy of petty and narrowminded security rules, that -far from contributing to the development of the whole organisation- squeeze all original experimenting out of those system.
You, as a (moderately) intelligent user have only one option: try to work "undercover" for the sake of the development of yourself and of everybody else... we'll list inside this section all possible tricks we know of that will allow you to defend a little more your privacy (and to snoop a little about what actually the system administrators are doing... Quis custodit Custodes? We do! :-)

Please note RULE NUMBER ONE: Never believe that you are smart. You are NOT. It is EXTREMELY more easy from a system administrator standpoint to snoop on you than the countrary. Your attempts to snoop on your administrators from inside their net on one of "their" computers (even if you believe it is "yours") are bound to be pretty feeble indeed. Yes, you can do something, but you cannot do much. Don't get any feeling of false security reading the various tricks below. Don't think you can go and "outsmart" your sysads. In fact, don't ever think that you are smart. You are NOT smart. That's rule number one.

First of all some BASIC WORK

Technical basic work

You'll have first of all to edit and save a win.bat, this will block the automated loading of Windows 95, (like pushing F8) here:

REM WIN.BAT

You may fire Winice, type winice

or start windows normally

typing win.com
This will allow you to decide if you want (or not) to start the windows bazaar and to connect on line. Keep in mind that you can do quite a lot of things off line (in dos or windows) and that if you do (and work on your zip drive (see point 4) or on a floppy inside your a: drive, the sysads have few ways to know what you are doing/writing/cracking. You should always check for TSR modules anyway (see point 9), just in case, in order to kill them :-) The interrupting of the windows bazaar starting procedure allows you also to start Winice with a winice.bat that you must edit and save as well. We are examining here the case of people that are using, at work, an intranet connected computer, because they need a lot of help. Yet this is NOT the best approach.
In general the best approach is to have ANOTHER computer at work (a portable, locked up in your drawers) where you keep -encrypted- all your sensible data and tools, unfortunately not everybody has such possibilities :-(
The following tricks will, at least, ameliorate a little the situation of absolute dependancy that most users suffer on the intranet systems of today.
The loading of Win95 is directed by the file c:\MSDOS.SYS where you'll find the following:

[Paths]

WinDir=C:\WINDOWS

WinBootDir=C:\WINDOWS

HostWinBootDrv=C


[Options]

BootMulti=1

BootGUI=1

Network=1
Just change to BootGui=0 Network=0 To work on stand alone... btw, if you add under [options] Logo=0 you will not have any more the silly Windows 95 logo, which only slows down the whole starting bazaar.

In fact one of the most peculiar things, in this windoze's dominate aera, is how useful (and powerful) simple dos batch files can be. So if you don't know how complicate (and interesting) and powerful those simple batchfiles can be, go to some second hand shop bookstore and buy for next to nothing an old book (89-91) about "dos batching". You'll be amazed at the POWER that this will give you onto your supernew windoze, as some of the examples in this section attest :-)

Psychological basic work

First and foremost (yet if you found these pages it's probably too late :-) you should NEVER give the impression that you do understand much about computers. Choose a "level" line, be like anybody else... do not be too dumb but, FOREMOST, do not be computer smart, else they will smell a rat. You should "merge" in your environment: if something goes wrong and your activities leave tracks, they wont so easily individuate you


ESSAYS

PHASE ONE

fantastic bulletr.gifessay by +Yamato about hiding Windows applications, browsing on your own proxy and cracking registry settings!

PHASE TWO

Very interesting bulletr.gifC program by Heatmizer about a Win 95 Screen Saver password decrypter that you may find pretty funny to use at work!

PHASE THREE (12 december 1998)

Another nice essay: bulletr.gifenbecor.htm: Sniffing the Corporate and Institutional Network by Embedded
PHASE FOUR (22 July 1999)

CHOWN! Incredible essay by [blue]: bulletr.gifchown_bl.htm: Who owns your files? Security thorough obscurity
PHASE FIVE (18 September 1999)

A great essay by NeuRaL_NoiSE: bulletr.gifnnhnpad.htm: Reversing, functions addition, modifications in the existing code and classic cracking of a typical M$-target: notepad.exe


Some useful tricks
(1)
Where should you keep the files the slave masters would not want you 
to use/have on your PC?


Put all the programs you should NOT have installed on your PC inside

C:\WINDOWS or C:\WINDOWS\SYSTEM, never create subdirectories. The 

total mess and confusion (which is anyway a charachteristic of the poor 

OS we are compelled to use) can in this case be turned to our advantage :-)


(2) How to defeat censorship software checking for files deemed "illegal" by the slave masters and yet use the programs Quite a lot of software allows the slave masters to know if you have or if you have not in your harddisk files deemed "illegal" by them. Change the names of the *.exe files! If necessary edit the *.dll files too (this is slightly more complicated, since you'll have to hexedit a little the calling programs and procedures) Change the names of *.exe and *.dll files to non significant names like hggq67.exe 87771ll.dll etcetera The censorship software used by your corporation will not be able to fetch them this way (this idea was pilfered from +ORC's 4.2 :-)
(3) DLL taming Modify ("tame") the *.dlls and get some "secret snoopers" for free :-) As you will probably already have seen/studied in the students' essays section, a very useful form of reversing is "object oriented reversing". Dynamic-link libraries modifying (dll-taming) is one of the most promising reversing activities, as many essays of our student section attest. Modern windoze's applications rely quite a lot onto *.dlls that are already inside your system, and keep a very interesting interchange of parameters (and data) with their functions. Nothing more simple (and obvious) than modifying these *.dlls in order to redirect those data wherever you fancy. This is *.dll taming. I won't go into too much details on the technical aspect of dll taming. The tools and techniques you'll use are, of course, the same that have been thoroughly explained in the student section (and on my tools page). If you are (or will be) a reverse engineer it won't be all too difficult, believe me.
Most of the programs and applications that the slave masters use in order to snoop onto you or to perform their "mysterious activities" (the one that you would like to "study"), do rely on *.dlls that are located like sitting ducks inside your /windows and /windows/system directory (MSPWL32.DLL for enhanced password cache security, to cite but one :-)
Well, here is one of the very few sectors where YOUR competentces should be by far superior to the capacities of your system administrators: it's our field: reversing!
"Take home" your target *.dlls and, working on your own machines, modify them until they will work the way YOU want (and not the way the applications of the system administrators expect them to :-)
You don't even need to worry much about eventual length differences between the untamed and the tamed dll... I have never seen any application checking the length of the *.dlls (there are much too many variants and versions of the main dlls... windoze is a total mess, never forget it :-), yet, if you want to go "NUMMERSICHER", don't alter their length and just patch them "inside", using the many tricks, like "snake-patching", explained in the student section.
Once you are ready (and you have thoroughly tested them) reinsert the transformed *.dll onto your machine, at work.
Nobody but you will know it (hopefully) yet you will now have some powerful tools as allies in your battle! You may have redirected the output (with the data you are interested in) to the screen or to a file (careful!) or to the printer, you may have tsrred an activation switch, or you may keep a copy of the tamed dll under another name inside your windows directory, and just batch it on or off when you need it (so that most of the time the real, untamed dll will be the one working, and your tamed one will sleep inside the directory under another non-meaningful name until your simple dos batch "awakes" it :-)
Imagine (just imagine, of course :-) that you modify the OpenPasswordCache function of the above mentioned mspwl.dll so that you will be notified (with the possibilities of having a look at the parameters) every time that function will be called... well: you are NOT using Winice or another debugger in order to get those data, so there is no "alien" application running onto your system. Everything looks "normal" from the sysad standpoint: -"stupid user sits in front of his stupid screen and our SuperhyperSnoopo version 4.2 checks what the hell he is really doing, how long and how much!". Ah! Your screen gets all the activities of their SuperhyperSnoopo version 4.2 instead! (or whatever they use... most of the time it will be an overbloated *.dll intensive app :-)
See: you are playing at a level that most system administrators cannot even understand (they would not dream of modifying a windows *.dll, they have enough problems with the "normal" bugged Micro$oft's own ones :-) and you can, if you tame wisely and if you choose wisely your target dlls, gather a LOT of information on your system in this way.
(4) Batch alternative on how to defeat censorship software checking for files deemed "illegal" by the slave masters when you do not need to use the programs Create two batch file (inside c:\windows as well), that will change on-the-fly, when you run it, the extension of all the executable you should NOT have installed on your PC to *.myn and back to real: When you are offline (or when you feel like it) REM re3444g1.BAT REM fuck the censors, recreate cd c:\windows\system ren GHHA12.myn ultima_9.exe ren GHGG12.myn chess730.exe ren GHHA12.myn snooplan.exe ren GHHA12.myn bombchef.exe REM OK, recreated names Before being online (or going home at the evening) REM ob3444g1.BAT REM deceive the censors, obscure cd c:\windows\system ren ultima_9.exeG HHA12.myn ren chess730.exe GHGG12.myn ren snooplan.exe GHHA12.myn ren bombchef.exe GHHA12.myn REM OK, obscured names
(5) How to install everything you want without a CD-ROM Buy a zip drive and use the 100 Megabyte zip cartridge in order to install whatever you like on your PC even without a CD-ROM, and in order to save/keep/move files as you fancy without leaving much traces behind you. The zip connects trhrough the parallel port and its data transfer ratio is acceptable. You may even RUN programs from there WITHOUT LEAVING ANY PHYSICAL TRACE INSIDE YOUR PC.
(6) How to download files on the web without leaving traces on the http:// grep filelog of the slave masters Never download from http:// sites, they would immediatly get your traces through the log files. Get all the files that you want through ftp-mail. (7) Visit the site with the warez you are interested in with your browser, but DO NOT DOWNLOAD. 2) Write down the exact name of the *.zip file you want. 3) Get it through ftpmail emailed to you (this leaves traces, but it is selten monitored because few know that you can freely download this way... you may eventually use the path option to get the files emailed to your home account or to an absent colleague whose password you happen to have found) GOOD FTPMAILERS: (just send to each of them an email with the word "help" in the subject and in the body. Keep in mind that some of them at times simply do not work... just try again later): MAIL SERVER MIT mail-server@rtfm.mit.edu DEARN DE BITFTP@DEARN PRINCETON BITFTP@PUCC (files until 17.825.792 bytes!) BRYANT ftpmail@ftpmail.bryant.vix.com DNA AFFRC JP ftpmail@dna.affrc.go.jp W3MAIL GMD.DE w3mail@gmd.de (Max 5 Megabytes) WWWMAIL CIESIN www.mail@ciesin.org NETMOR wwwfmail@linux.netmor.com (QUERIES INSIDE FTP SITES!) GARBO FI ftpmail@garbo.uwasa.fi GETWEB HEALTHNET getweb@usa.healthnet.org MOGLI DE w3mail@mogli.gmd.de (the best one for images)
(8) How to download images I assume that there is no track on the loggings if you just save images using the right mouse button... but you may choose to get the images ftpmailed to you as well. See point 5 and use w3mail@mogli.gmd.de
(9) How to get administrator rights (privileges) Use some resident keyboard trapper on a PC of a collegue that has NOTHING to do with you. Damage (slightly) some obvious booting function of that PC, wait until the sysad's slaves come and repair it. Fetch the administrator slave's password afterwards and use it THE SAME DAY (they have most of the time rotating passwords). A good idea is to give privileges, inside your intranet, to a WHOLE bunch of people at the same time, try always to be a fish among many.
(A) How to disable Webnannys censorships Web nannys are censorship programs whose stupidity goes beyond belief... they block anything that is deemed "dangerous" by their puritan idiotic programmers... whole geocities (for instance Athen) have been banned "en block" because somebody used somewhere the image of a pepper with the name "hot.gif". Few corporations are so stupid to use this shit, but you never know... should they use these programs, here is how to destroy them :-)
A.1. Cyber Patrol You need a special cracking program, you'll find it on the web: name= cypatrol.zip A.2. Net Nanny A.2.1) Windows 95 CTRL+ALT+DEL (Get close program menu) Choose OCRAWARE End Task A.2.2) Windows 3.1/DOS C:\ edit config.sys type rem in front of DEVICE=C:\NN\NNDRV.SYS A.3. Cybersitter A.3.1) Disable totally CD /WINDOWS copy win.cyb win.ini A.3.2) Block action (still logging, see 8.3.3 below) CTRL+ALT+DEL end task Tcpwait create c:\windows\temp_holder move the file cywin0.opt there restart internet applications... Cybersitter does not block anymore A.3.3) Remove any record from the log file Find file cywin.alt (usually inside c:\windows) remove read only switch notepad cywin.alt remove any line that begins with the word blocked save the file remake it read only
(B) How to check what's going on in your system Start using the instruments that you ALREADY HAVE inside the huge windows conundrum (if you don't have them, bring them from home): C:\WINDOWS\NETSTAT.EXE netstat > letsee and then edit letssee C:\Program Files\Common Files\Microsoft Shared\MSinfo\MSINFO32.EXE (active modules) C:\WINDOWS\WINIPCFG.EXE Then fetch these two files: bulletr.gifps bulletr.gifkill And use them to see/terminate the applications that are working on your system... you'll find an explanation inside LordClito's "old" essay on my student page.
(C) First and foremost Winice is a good weapon! Install Winice 3.2. (there is a whole project of the student section that explains how to fetch and use this most powerful debugger. You'll find softice everywhere on the web: search, or buy it, it's a very good tool and deserves it) Find the correct drivers for your PC (you may download them from Numega's site if you do not have them). No checking software in a intranet can resist the CTRL+D shot :-)
(D) Remove all limits that the sysads have imposed on you Use the policy editor (you'll not find it inside your machine at work, you'll find it HOME, on your own windows 95 cd-rom under \Admin\Apptools\Poledit or you'll easily fetch it from the web). Push F8 during boot choose start without register informations (therefore start without limits) start poledit open register configuration delete all limits IF YOU DO NOT SEE any start menu, have a look at CONFIG.SYS, you'll find there the command switches /n eliminate it and restart anew. ...And if you don't see EVEN THIS, take a look at the c:\msdos.sys again (thanks Ivan :-) and may be you'll see among: [Options] BootMulti=1 BootGUI=1 Network=1 etcetera the following: BootKeys=0 -this one causes the same shit, so you have to change it to: Bootkeys=1 Or remove it... but this would NOT be so clever, would it?
(D) Another trick: the SAFE MODE boot As anyone (should) know, you can boot the windows bazaar in SAFE MODE (press F8 at start until the windows' choose your boot menu appears).
If you do choose safe mode, you'll notice pretty interesting new possibilities, which were disabled in the "normal" booting configuration. Among other things you'll be able to choose the "update information tool" and have a look at what your sysads have made in the last months (and which *.dll you should "intercept", see point three :-)
As long as you are in safe mode you are, moreover, relatively 'safe', so experiment around a little and take note of everything in sight!
(E) Blowfishes are for ever Well, let's not forget all the advantages of a quick and reliable encryptor. I use blowfish advanced 97 beta 1 (see the reversing essay by Jon).
Blowfish advanced 97 by Markus Hahn hahn(at)flix(point)de is an extremely powerful (and quick) encryptor, that will blowfish all the files you want, at work and at home, in a couple of seconds. You may (probably) get a beta version from Markus' page at http://www-hze.rz.fht-esslingen.de/~tis5maha/software.html
A legitime question: should you be paranoid? Actually no, you should not. Most of the files and data that we have on our harddisks are perfectly legal (reversing software is not an illegal activity, you may want to read my Is reverse engineering legal? essay), and there is no real need to encrypt anything whatsoever. Yet there are (at least) two sound reasons to blowfish a lot nevertheless: 1) it's great spass to have everything you do encrypted at work just to avoid ANY administrator's sniffing. Of course, once they find all your text files blowfished they will know that you have something to hide (once more a good dos batch can transform all those funny secret.txt.bfa names into something more "neutral" like Cirrus.drv :-) yet the mere fact that they wont be able to know what you are hiding is fun enough :-) 2) it's a good PRACTICE. Once you get used to routinely blowfish your data, you'll learn also to KEEP those data in some places (and not everywhere inside your PC, and you'll get used to encrypt sensible data, which, in an epoque like the one we are living in, is a very sensible thing to do anyway.

One for "public" computers

(Libraries, Museums, Shops, etcetera :-)


BioMenace's tips, modified by fravia+

No matter what the reason is, we are always constantly trying 

to get to a computer connected to Internet. One possibility is 

to get Internet connection from Public computers. There are a

couple of good advantages.


1.  You could do any kind of activity in a more obscure way (no great 

    worry of trace-back from uninvited sources, high degree of anonymity)

2.  You’ll enjoy a free Internet service (and the Web should be free, nicht wahr?)




It is still hard to get a shell account free and without giving much 

information about yourself, but this access still helps you keep up with 

news and stuff with minimized activities. Hey, it is a gateway… J


But it is not as unobstructed as it sounds. Most of these public places 

(Libraries mainly) do use restriction methods to keep people from having 

a total control of services. Some of them use a 

limitation software called KIOSK, for instance, 

which basically prevents user from 

accessing certain features of a menu, for example the "General 

Preferences" of "Options" in Netscape, or the "Connect To" field of some Windoze's  

telnet programs (you should know the POWER of telnetting if you are reading 

these pages). Now this really bores, because there are times when you 

don’t even have access to the basic Programs and Settings menus of the Start 

Button.


Now, how would one run programs, install programs, and read files from 

these restricted systems if they don’t even let you boot (Boot 

passwords)? Impossible!


Not really


#1

One of the more remarkable things on these public computers is that they 

often "forget" a nice 'old' program called TaskMan. This is a small program 

activated by pressing Ctrl+Esc at the Password Screen (yes, try to 

figure out what is the purpose :). This program will allow you the 

Run Application option, and from there you could try your luck with 

Programs. GRP (which’ll pop up all the groups of Windows that’d have 

otherwise been hidden through censorware like IKIOSK.) And then there’s 

COMMAND.COM. Mind you, you should always have a system disk with you  

not to boot from it (Network Computers) but to run some important 

programs like COMMAND.COM on your own


#2


You know, they could have killed TaskMan after finding out what you have 

been doing with it (or even 'beforehand' if the sysads are smart, which, 

fortunately, does not happen all too often). What do we do now?! No 

worry, there’s still another way. These public computers using Windoze95 

as OS always have something on their menu (duh!): confusion and random 

behaviour: source of bugs and source of delights (for us crackers :)


Chances are they’ll have at least one single program, somewhere, which 

requires a standard file input from a disk. NotePad may be disabled, Write 

may have been crippled, but the censors won't probably have maimed that 

'vital tool':  Windows Explorer. 

Let's say good old 'cracker's TaskMan' is dead, so WindowsExplorer is 

probably the only other file utility on the marketplace of your library 

computer. Well, one possible way to get to it is to start one of these 

standard file input files [write, Notepad, Netscape (if 'they' did not 

disable the 'delicate' menu options, etc) and when you get to the "Open 

File" or  "Save" or "Save AS" sections, just go ahead to one of the 

yellow folders and click the RIGHT mouse button on it. 

What do you see?! Well, there’s the silly M$ 'rightclick' list: "Open Explore" 

(YES!!!), "Cut", "Paste", "Send To", "Delete" and more... 

The big point is that You now have access to Windows Explorer. From then 

on... well... 


#3

But again, our nasty censors and sysads world is not as forgiving as the we 

hoped it would be. 

Now, what if they have also removed EXPLORER from the RightClickOnFolderList? 

"Man, that’s it. Die public computers are too heavy censored... I give up". 

Eh? Not so fast sunny boy... 

There’s one more way. There is still one more option: the "Open" section in 

the RightClickOnFolder!

You could click on anything and it would open it through the software you 

want it to. Could even be a software 'sort of'... try ProgramManager... you’ll 

be surprised.






A bag of tricks

*** One idea to play around is to get to a file browser (somehow) and if you find all executable programs have been disabled for direct access, try it 'indirectly'! What I mean is: click on the files made for that particular program, then you just might be able to run the program you wanted, even if direct disabled. If not, hey, come to think of it, another hope is to have the "Browse" button as a choice... *** Also try installing some programs (like PIRCH). Even though I don’t know why, if you are able to run them, then they’ll automatically start the Program Manager (no matter what the restrictions were set from the outside) and once you can start Program Manager you'r done! *** Dead end with "OneEyed" (no buttons, no buttons) with Netscape? Try our famous Easter Egg shortcuts! Press Ctrl+Alt+F. Then a road will appear, explore! Try "Netscape Home Page". Try their silly and slow search engines, try downloading useful programs. Try whatever... main thing is you break the chains and you are free to roam!
Tricks by Stacker (September 1999) Entering a network which uses user authentication via NT domains and has the auth. needed for logon 'vinkje' set. (vinkje is a word describing the windows thing of checking a box, and it is also used in: hey <thisnthat> doesn't work! Well you need to put a check somewhere) Some networks need a usercode and password to log you on, or you won't be able to use the machines (even). Well, i got in useing the following. type something totally wrong. type it again. Try cancel a lot of times (this very often works in such networks, cause sysadmins mostly don't even know about this one (i do, and i am a sysadmin (at the moment))). The third time entered a wrong u/p the machine gladly assisted me in 'hacking my way in' by pointing out: "You have entered a wrong password, you may try to login as guest", which i promptly did, and tataaa your on... :) ofcourse another way is asking the guy/gall who is at the pc to type : start->run, winipcfg and then after he/she left, boot in safe mode and enter the ip adres manually (so no bootp or DHCP is needed). And you are in aswell. regards, Stacker

Page under heavy construction... started on April 97

Hey reader! Any chance you would stop leeching for a couple of minutes and send something valuable over here? Don't you think that your knowledge is needed as well?


bulletr.gifTo the essays on this page
bulletr.gifhomepage bulletr.giflinks bulletr.gifanonymity bulletr.gif+ORC bulletr.giftools bulletr.gifcocktails bulletr.gifstudents' essays
bulletr.gifantismut CGI-scripts bulletr.gifJavascript tricks bulletr.gifsearch_forms bulletr.gifmail_fravia+
bulletr.gifIs reverse engineering legal?

red(c) Fravia 1995, 1996, 1997, 1998, 1999. All rights reserved