SWAT MAGAZINE ISSUE TWENTY SIX, FEBRUARY 2000

Cracking Win 95 Passwords
By CiD3r
-----------------------------------------------------------------------

Right, this is my first tutorial for a magazine, so bear with me. I am going to be writing about the many different aspects of cracking and bypassing the Windows 95 passwords. Why am I writing this, I hear you ask? Well, I'm writing it because I'm fed up with people asking things like "where can I find a program to get past this password?" etc. OK, before I start, I know that what I am about to explain can be done just by using a program, for example "Cain", but I am writing this tutorial to help those DIY junkies out there who want to know how to do things on their own (me).

Right, let's now get down to the good stuff. The first thing I'm going to talk about is the user/password screen at the Windows startup. There are loads of different methods for getting past this, so let's start off with the easiest. As you may know, there are many different versions of the Win95 series; luckily, if you have one of the earlier versions this little trick will work for you. So let's imagine that we are at the user/pass screen. The user will automatically be entered, but it gives the option to change to another user anyway. Just press "CANCEL". Yeah, that's right, press cancel. If this little trick has worked properly you should now be starting up Windows; if not, then read on.

Right, that trick did not work, or was it a little too easy? Well, here is another. On most machines you have a choice at the beginning to start the computer in configuration mode. This is usually done by pressing F8 when the computer is booting up; if not, try a few of the keys and you will have it before long. So you're at the configuration screen. Now if you choose option number 7 you will go into MS-DOS mode :) Now give the following command:
  ren c:\windows\*.pwl *.ooo

Note: "ooo" can be anything, but keep it as it is to save getting confused. OK, now reboot, then enter whatever password and enter "eat his" as the new password. It will ask you to confirm; just say yes, and that is it, you should now be in.

Now, say that you got in. You have probably realised by now that you just changed the password, but you do not want your teacher or whoever to know that someone has broken in. What you do is use Windows Explorer and look in the Windows folder. Make sure you set it to show all files: do this by going to View, Folder Options, View, then check the box which says "Show all files". Now look for the file named "ooo" and rename it back to "pwl". That's it; now no one will know you have got in, because the password stays the same as it was.

The third and final way of getting past the password is not the most stylish, but you still get to see what they have got on their computer and you can change things. Just boot up the computer and press "F8", then boot the computer in safe mode. You will have limited uses, but you can also change the 'pwd' settings etc. from here!

Now that's about it for getting into the computer, but how about when you're in school and want to get into one of the computers in a lesson, and the problem is that the computer has a screensaver with a 'pwd'? Well, if your teacher's computer is running the Win95 OS, which it probably is, you can decrypt these 'pwd's :) Take a look at the table below:

WINDOWS 95 SCREEN SAVER DECODER TABLE

PASSWORD KEPT IN \WINDOWS\USER.DAT OR \PROFILES\{LOGIN}.DAT
LOOK FOR ScreenSave_Data
Password looks like 'ScreenSave_Data03A7384E2230 A60..'
THE 03A7384E2230 IS THE ENCRYPTED PASSWORD. TWO DIGITS REPRESENT EACH
CHAR, UP TO 14 CHARS (28 DIGITS).

EXAMPLE USING DOS EDIT TO LOOK AT USER.DAT:
FIND ScreenSave_Data03A7384E2230 A6.. (IGNORE ANYTHING AFTER THE FIRST
SPACE, WHICH IS CHAR 00, THE END OF THE PASSWORD)

LOOK AT: 03 A7 38 4E 22 30
          1  2  3  4  5  6

  03 (column 1) = K
  A7 (column 2) = I
  38 (column 3) = N
  4E (column 4) = S
  22 (column 5) = E
  30 (column 6) = Y

PASSWORD = KINSEY

(CODE = the hex ASCII code of the password character; columns 1 to 14 =
the character's position in the password.)

CODE CHAR   1  2  3  4  5  6  7  8  9 10 11 12 13 14
  20  sp   68 CE 56 3D 47 49 81 3B 5A AC 67 D8 74 B5
  21  !    69 CF 57 3C 46 48 80 3A 5B AD 66 D9 75 B4
  22  "    6A CC 54 3F 45 4B 83 39 58 AE 65 DA 76 B7
  23  #    6B CD 55 3E 44 4A 82 38 59 AF 64 DB 77 B6
  24  $    6C CA 52 39 43 4D 85 3F 5E A8 63 DC 70 B1
  25  %    6D CB 53 38 42 4C 84 3E 5F A9 62 DD 71 B0
  26  &    6E C8 50 3B 41 4F 87 3D 5C AA 61 DE 72 B3
  27  '    6F C9 51 3A 40 4E 86 3C 5D AB 60 DF 73 B2
  28  (    60 C6 5E 35 4F 41 89 33 52 A4 6F D0 7C BD
  29  )    61 C7 5F 34 4E 40 88 32 53 A5 6E D1 7D BC
  2A  *    62 C4 5C 37 4D 43 8B 31 50 A6 6D D2 7E BF
  2B  +    63 C5 5D 36 4C 42 8A 30 51 A7 6C D3 7F BE
  2C  ,    64 C2 5A 31 4B 45 8D 37 56 A0 6B D4 78 B9
  2D  -    65 C3 5B 30 4A 44 8C 36 57 A1 6A D5 79 B8
  2E  .    66 C0 58 33 49 47 8F 35 54 A2 69 D6 7A BB
  2F  /    67 C1 59 32 48 46 8E 34 55 A3 68 D7 7B BA
  30  0    78 DE 46 2D 57 59 91 2B 4A BC 77 C8 64 A5
  31  1    79 DF 47 2C 56 58 90 2A 4B BD 76 C9 65 A4
  32  2    7A DC 44 2F 55 5B 93 29 48 BE 75 CA 66 A7
  33  3    7B DD 45 2E 54 5A 92 28 49 BF 74 CB 67 A6
  34  4    7C DA 42 29 53 5D 95 2F 4E B8 73 CC 60 A1
  35  5    7D DB 43 28 52 5C 94 2E 4F B9 72 CD 61 A0
  36  6    7E D8 40 2B 51 5F 97 2D 4C BA 71 CE 62 A3
  37  7    7F D9 41 2A 50 5E 96 2C 4D BB 70 CF 63 A2
  38  8    70 D6 4E 25 5F 51 99 23 42 B4 7F C0 6C AD
  39  9    71 D7 4F 24 5E 50 98 22 43 B5 7E C1 6D AC
  3A  :    72 D4 4C 27 5D 53 9B 21 40 B6 7D C2 6E AF
  3B  ;    73 D5 4D 26 5C 52 9A 20 41 B7 7C C3 6F AE
  3C  <    74 D2 4A 21 5B 55 9D 27 46 B0 7B C4 68 A9
  3D  =    75 D3 4B 20 5A 54 9C 26 47 B1 7A C5 69 A8
  3E  >    76 D0 48 23 59 57 9F 25 44 B2 79 C6 6A AB
  3F  ?    77 D1 49 22 58 56 9E 24 45 B3 78 C7 6B AA
  40  @    08 AE 36 5D 27 29 E1 5B 3A CC 07 B8 14 D5
  41  A    09 AF 37 5C 26 28 E0 5A 3B CD 06 B9 15 D4
  42  B    0A AC 34 5F 25 2B E3 59 38 CE 05 BA 16 D7
  43  C    0B AD 35 5E 24 2A E2 58 39 CF 04 BB 17 D6
  44  D    0C AA 32 59 23 2D E5 5F 3E C8 03 BC 10 D1
  45  E    0D AB 33 58 22 2C E4 5E 3F C9 02 BD 11 D0
  46  F    0E A8 30 5B 21 2F E7 5D 3C CA 01 BE 12 D3
  47  G    0F A9 31 5A 20 2E E6 5C 3D CB 00 BF 13 D2
  48  H    00 A6 3E 55 2F 21 E9 53 32 C4 0F B0 1C DD
  49  I    01 A7 3F 54 2E 20 E8 52 33 C5 0E B1 1D DC
  4A  J    02 A4 3C 57 2D 23 EB 51 30 C6 0D B2 1E DF
  4B  K    03 A5 3D 56 2C 22 EA 50 31 C7 0C B3 1F DE
  4C  L    04 A2 3A 51 2B 25 ED 57 36 C0 0B B4 18 D9
  4D  M    05 A3 3B 50 2A 24 EC 56 37 C1 0A B5 19 D8
  4E  N    06 A0 38 53 29 27 EF 55 34 C2 09 B6 1A DB
  4F  O    07 A1 39 52 28 26 EE 54 35 C3 08 B7 1B DA
  50  P    18 BE 26 4D 37 39 F1 4B 2A DC 17 A8 04 C5
  51  Q    19 BF 27 4C 36 38 F0 4A 2B DD 16 A9 05 C4
  52  R    1A BC 24 4F 35 3B F3 49 28 DE 15 AA 06 C7
  53  S    1B BD 25 4E 34 3A F2 48 29 DF 14 AB 07 C6
  54  T    1C BA 22 49 33 3D F5 4F 2E D8 13 AC 00 C1
  55  U    1D BB 23 48 32 3C F4 4E 2F D9 12 AD 01 C0
  56  V    1E B8 20 4B 31 3F F7 4D 2C DA 11 AE 02 C3
  57  W    1F B9 21 4A 30 3E F6 4C 2D DB 10 AF 03 C2
  58  X    10 B6 2E 45 3F 31 F9 43 22 D4 1F A0 0C CD
  59  Y    11 B7 2F 44 3E 30 F8 42 23 D5 1E A1 0D CC
  5A  Z    12 B4 2C 47 3D 33 FB 41 20 D6 1D A2 0E CF
  5B  [    13 B5 2D 46 3C 32 FA 40 21 D7 1C A3 0F CE
  5C  \    14 B2 2A 41 3B 35 FD 47 26 D0 1B A4 08 C9
  5D  ]    15 B3 2B 40 3A 34 FC 46 27 D1 1A A5 09 C8
  5E  ^    16 B0 28 43 39 37 FF 45 24 D2 19 A6 0A CB
  5F  _    17 B1 29 42 38 36 FE 44 25 D3 18 A7 0B CA
  60  `    28 8E 16 7D 07 09 C1 7B 1A EC 27 98 34 F5
  7B  {    33 95 0D 66 1C 12 DA 60 01 F7 3C 83 2F EE
  7C  |    34 92 0A 61 1B 15 DD 67 06 F0 3B 84 28 E9
  7D  }    35 93 0B 60 1A 14 DC 66 07 F1 3A 85 29 E8
  7E  ~    36 90 08 63 19 17 DF 65 04 F2 39 86 2A EB

What's all this, I hear you ask? Well, as you may already know, this is the decrypting table for the Windows 95 screensaver password!
Now, the table above shows very little, so I'm going to give a brief explanation of what it all means. Let's make an example password which is "ablhdsld". First of all we would split this up into sets of two-digit numbers, so "ablhdsld" would become ab-lh-ds-ld. Now we have this we can start decrypting the password, so we first look down the table to find the letters "ab". Well, have a look down the table and see what you end up with; it should be on line 45 and look like this:

  45  E    0D AB 33 58 22 2C E4 5E 3F C9 02 BD 11 D0
              ^^

As you can see, here are the letters AB. Now move left across the line, and just before you reach the line number there will be a letter, which in this case is the letter "E", making the first letter of this password "E". Now that you know how to get the first letter, why not try decrypting the rest of the password...

Well, there you go, I think I've done enough explaining for now :) Now go get that file and get decrypting.

If you have any suggestions etc. send me an email: cid3r@hotmail.com, or catch me in #cocytusUK on irc.progenic.com. Or if it's really, really important, message me on UIN: 54349021
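Reading the table as a cipher rather than a lookup chart: every two-digit value is just the password character's ASCII code XORed with a fixed 14-byte key, one key byte per position, which is why a single known row (the space row) gives away every other row and every password the scheme ever protected. The script below is an added example, not part of the article or anything by its author; the function names are mine, the only data taken from the page is row 20 plus the rows it is checked against, and the stop-at-space/00 rule follows the article's own note.

```python
# Added example, not from the SWAT article: the Win95 ScreenSave_Data "decoder
# table" is a fixed 14-byte key XORed onto the password position by position.
# The only article data used is row 20 (space) of the table; the rest is derived.

# Row "20" of the article's table: encoded byte for a space at positions 1..14.
SPACE_ROW = bytes.fromhex("68CE563D4749813B5AAC67D874B5")

# table[c][i] == c XOR key[i], so one known plaintext byte per position
# recovers the whole key: 48 EE 76 1D 67 69 A1 1B 7A 8C 47 F8 54 95.
KEY = bytes(b ^ 0x20 for b in SPACE_ROW)

def table_row(ch: str) -> str:
    """Rebuild one row of the article's table (14 hex pairs) for plaintext ch."""
    return " ".join(f"{ord(ch) ^ k:02X}" for k in KEY)

def decode(screensave_data: str) -> str:
    """Decode the text after ScreenSave_Data; stop at the first space or a 00 pair."""
    hex_part = screensave_data.split(" ", 1)[0][:28]  # 14 chars = 28 hex digits max
    chars = []
    for i in range(0, len(hex_part) - len(hex_part) % 2, 2):
        b = int(hex_part[i:i + 2], 16)
        if b == 0:                      # the article's "char 00" terminator
            break
        chars.append(chr(b ^ KEY[i // 2]))
    return "".join(chars)

def encode(password: str) -> str:
    """Inverse of decode (XOR undoes itself): the hex string as it would be stored."""
    if len(password) > len(KEY):
        raise ValueError("ScreenSave_Data holds at most 14 characters")
    return "".join(f"{ord(ch) ^ k:02X}" for ch, k in zip(password, KEY))

def key_is_consistent(rows: dict) -> bool:
    """True if every char -> 'hex pairs' row agrees with the key derived from row 20."""
    return all(table_row(ch) == hexes for ch, hexes in rows.items())

# A few rows copied verbatim from the article's table.
ARTICLE_ROWS = {
    "!": "69 CF 57 3C 46 48 80 3A 5B AD 66 D9 75 B4",
    "E": "0D AB 33 58 22 2C E4 5E 3F C9 02 BD 11 D0",
    "K": "03 A5 3D 56 2C 22 EA 50 31 C7 0C B3 1F DE",
    "{": "33 95 0D 66 1C 12 DA 60 01 F7 3C 83 2F EE",
}

if __name__ == "__main__":
    print("key:", KEY.hex(" ").upper())
    print("article example:", decode("03A7384E2230 A60.."))          # KINSEY
    print("single key fits all rows:", key_is_consistent(ARTICLE_ROWS))  # True
```

table_row() will also produce rows for the lowercase codes 61 to 7A that the article's table skips, on the assumption that the same key applies to them, which the page does not show.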