Post #1, Apr 14 2004, 01:10 PM
dreamPack:
This tool gives full access to Windows 2000/XP. DreamPackPL does not change/overwrite old passwords, therefore EFS-encrypted files will still be readable.
Features:
+ executing programs (from a list, e.g. regedit or any other) at the logon desktop with system privileges,
+ loading the Explorer shell on a new desktop and working as an impersonated user with system privileges ('Spirit mode'),
+ displaying the local accounts list (user names) on the logon desktop,
+ turning off/on the logon password check (full access to every local account without modifying old passwords),
+ disabling Windows File Protection.
Current version: 2oo4.o3.27 - http://www.d--b.webpark.pl/index2_en.htm
Post #2, Apr 14 2004, 02:42 PM
Perhaps I am addle-minded, but I cannot get this thing to work other than making 0KB ISOs.
<edit> D'oh!! Perhaps I should put an installation CD in the drive.
Post #3, Apr 14 2004, 11:40 PM
Did this actually work for anyone? I go through an endless reboot loop after following the instructions.
Post #4, Apr 15 2004, 08:44 AM
It works. If you have PE, just copy pinball.ex_ from the created CD to your PE build, and follow the same instructions from PE. It works the same. It brings up a window at the logon screen, and you can do everything listed above. All it does is create a copy of your Windows XP or 2K CD and change that one file.
Post #5, Apr 15 2004, 10:44 AM
Could you post a step-by-step process of how to add this to PE like you stated?
Post #6, Apr 15 2004, 11:06 AM
Not really; just download the program, follow the instructions, take the created ISO and copy pinball.ex_ to a PE CD. Then follow the instructions from PE instead of the Recovery Console.
Post #7, Apr 15 2004, 11:17 AM
Where on the PE CD does it go? E.g., what folder, etc.?
Post #8, Apr 15 2004, 11:20 AM
I must be getting senile in my old age. It just won't work for me. I no longer get an endless loop, but despite replacing pinball.ex_ and following the instructions, nothing happens. I still have to supply the admin password and I don't see any changes in the logon sequence.
Post #9, Apr 15 2004, 11:38 AM
Here's what you do:
- Download the program from the website above.
- Run it.
- Point it to your WinXP CD.
- Copy the pinball.ex_ file from the ISO file that it creates.
- Put this file in a directory on your PE CD.
- Boot a Win2K or WinXP machine from your PE CD.
- Rename (on the hard drive of the XP/2K machine) %systemroot%\system32\sfcfiles.dll to sfcfiles.lld.
- Copy the pinball.ex_ from your CD to %systemroot%\system32.
- Rename pinball.ex_ to sfcfiles.dll.
- Reboot the machine.
This program is NICE; I wonder what MS will do to try to get around it. Since it replaces the System File Checker before boot time, it bypasses their only security.
-JB
Post #10, Apr 15 2004, 12:00 PM
..........
- Copy the pinball.ex_ from your CD to %systemroot%\system32.
- Rename pinball.ex_ to sfcfiles.dll.
- Reboot the machine.
Post #11, Apr 15 2004, 09:57 PM
No matter what, I still have to supply a password. I give up!!!!!!
Post #12, Apr 15 2004, 11:18 PM
@xtreme, the file readme.txt that comes with the RAR setup file gives you the instructions:
CODE
* boot from CD
After booting from CD you must choose the system in the Recovery Console. The console will accept any admin password.
You can change the current directory:
> cd system32
You should also make a backup of sfcfiles.dll (the backup file sfcfiles.lld will be used during uninstalling):
> ren sfcfiles.dll sfcfiles.lld
Then you must copy the file pinball.ex_ from the CD into the system32 directory, renaming it to sfcfiles.dll:
> copy x:\i386\pinball.ex_ sfcfiles.dll
(x - CD drive letter; the 'map' command displays all drive letters)
Finally you can write the 'exit' command and reboot the computer.
Note! All the time you use DreamPackPL, Windows File Protection will be disabled.
To turn off the logon password check you must uncheck the option 'Logon password check' in the DreamPack window and reboot the system.
Note the last line. Hope this helps you.
Post #13, Apr 16 2004, 03:27 PM, Former_djb703_post (guest)
I tried downloading the file; the RAR gets CRC errors...
Has anyone encountered this? Can someone post this for download somewhere else? Thanks, Donovan
Post #14, Apr 16 2004, 03:47 PM
QUOTE (Tekwo @ Apr 14 2004, 01:10 PM)
dreamPack: This tool gives full access to Windows 2000/XP. DreamPackPL does not change/overwrite old passwords, therefore EFS-encrypted files will still be readable. Features: + executing programs (from a list, e.g. regedit or any other) at the logon desktop with system privileges, + loading the Explorer shell on a new desktop and working as an impersonated user with system privileges ('Spirit mode'), + displaying the local accounts list (user names) on the logon desktop, + turning off/on the logon password check (full access to every local account without modifying old passwords), + disabling Windows File Protection. Current version: 2oo4.o3.27 - http://www.d--b.webpark.pl/index2_en.htm

I got this to work. Here is some 'splainin' for y'all:

The original package from http://www.d--b.webpark.pl/index2_en.htm is a RAR file that has in it a text file (poorly written) and an ISO maker tool. After unRARing it, put the files someplace on your PC, anywhere as long as you remember where it is; the desktop is fine.

1st) Have your XP install CD in the drive and then fire up the ISO maker tool. It will ask you what drive your CD is in and where to put and what to name the new ISO file that it will create. Name it what you want and put it somewhere you'll remember.

2nd) When it is done making the ISO you have a few choices.

A) You can write the ISO to a new CD-ROM, boot your 2K/XP system with it and install the DreamPack executable as explained in the text file:

QUOTE
* boot from CD
After booting from CD you must choose the system in the Recovery Console. The console will accept any admin password.
You can change the current directory:
> cd system32
You should also make a backup of sfcfiles.dll (the backup file sfcfiles.lld will be used during uninstalling):
> ren sfcfiles.dll sfcfiles.lld
Then you must copy the file pinball.ex_ from the CD into the system32 directory, renaming it to sfcfiles.dll:
> copy x:\i386\pinball.ex_ sfcfiles.dll
(x - CD drive letter; the 'map' command displays all drive letters)
Finally you can write the 'exit' command and reboot the computer.
Note! All the time you use DreamPackPL, Windows File Protection will be disabled.
To turn off the logon password check you must uncheck the option 'Logon password check' in the DreamPack window and reboot the system.

What the author has done here is replace the packed Pinball executable (pinball.ex_) with the DreamPack executable. With this you must boot with the new CD, choose to do a recovery using the Recovery Console (how it avoids having to put in the system's administrator password at this point is a mystery). You must then manually back up the 'C:\WINDOWS\SYSTEM32\SFCFILES.DLL' (for XP; use C:\WINNT for 2K) file from your system's hard drive and then copy / rename the pinball.ex_ in its place. This is simply sleight of hand to get the executable available to you from within the running CD-based Recovery Console.

At this point reboot the PC's NATIVE Windows and the DreamPack will come up at the login prompt with a regular Windows GUI-fied dialog. It lists all the LOCAL users on the system and has a few programs you can run as ADMIN from a drop-down list on the dialog. In order to deactivate the need for a password you have to UNCHECK the 'Login password check' box on DreamPack's dialog and reboot again. After this reboot it will let you log in as ANY USER including ADMINISTRATOR on the system without a password.

B) Alternately, for PE users, you can make the ISO as outlined above, either write it to a new CD-ROM or use an ISO tool, and copy the \I386\pinball.ex_ file from the image, rename it to 'sfcfiles.dll' and then stick it somewhere on your PE disk. It can be placed anywhere really; it's just there so you can write it to the victim system's 'system32' directory. Boot to PE, replace the 'victim' PC's 'C:\WINDOWS\SYSTEM32\SFCFILES.DLL' with this 'new' version, pop out the PE disk, reboot to the PC's NATIVE Windows and the DreamPack dialog will be there when 2K/XP runs. Handle the 'Login password check' as described above.

C) One step simpler is to get a plugin by jvbarnet1 here: http://www.coracent.com/WinPE/. The one thing that is not explained is the fact that the 'sfcfiles.lld' file that is included apparently is not the DreamPack.dll that you need. So you will still have to build the ISO, fetch the 'pinball.ex_' and rename / copy it to the plugin's '\file' directory. Rebuild PE with the plugin activated and then run it. I'll leave it to you how to make an icon / NU2 menu item for it.

Put simply, this thingie does not allow any access from PE to the native OS; it simply makes it possible to log on to the underlying system as a local user from within the PC's present 2K / XP system. I can see where it would be handy for forgotten passwords; I guess you could then CTRL-ALT-DEL after login and change the present user's password - UNTESTED. Or use the USER configuration tool in the Control Panel. I can also see where it could be used to bleap up systems or be used by users to bypass LOCAL security. This utility cannot be used to breach DOMAIN security.

Hope it helps y'all out.
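The swap described in posts #9, #12 and #14 leaves a simple forensic footprint: the original %systemroot%\system32\sfcfiles.dll is renamed to sfcfiles.lld and a foreign binary takes its name. The following is an added example, written for this thread and not code from the DreamPackPL author or any plugin, of an offline triage check for that footprint. It compares sfcfiles.dll against a baseline SHA-256 that the administrator supplies from a trusted copy of the same Windows build (for instance the file expanded from the install CD's i386\sfcfiles.dl_), flags a leftover sfcfiles.lld, and applies one heuristic from the PE header. The function names (check_system32, pe_is_dll, build_minimal_pe, demo) are hypothetical, and the two system32 directories the demo builds are constructed stand-ins, not real Windows files.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

TARGET_NAME = "sfcfiles.dll"   # file the readme has the operator replace
BACKUP_NAME = "sfcfiles.lld"   # name the readme gives the renamed original
IMAGE_FILE_DLL = 0x2000        # Characteristics bit in the PE IMAGE_FILE_HEADER


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pe_is_dll(path):
    """True/False from the PE header's IMAGE_FILE_DLL bit; None if the file is not a PE image."""
    with open(path, "rb") as f:
        data = f.read(4096)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its last WORD (offset 18)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def check_system32(system32, baseline_sha256):
    """Return a list of findings for one system32 directory; an empty list means nothing suspicious."""
    system32 = Path(system32)
    findings = []
    backup = system32 / BACKUP_NAME
    target = system32 / TARGET_NAME
    if backup.exists():
        findings.append(f"{BACKUP_NAME} present (readme renames the original to this)")
    if not target.exists():
        findings.append(f"{TARGET_NAME} missing")
        return findings
    digest = sha256_of(target)
    if digest != baseline_sha256.lower():
        findings.append(f"{TARGET_NAME} hash {digest[:16]}... does not match baseline")
    is_dll = pe_is_dll(target)
    if is_dll is None:
        findings.append(f"{TARGET_NAME} is not a valid PE image")
    elif not is_dll:
        # heuristic only: catches an EXE renamed to .dll, not a genuine DLL swapped in
        findings.append(f"{TARGET_NAME} lacks IMAGE_FILE_DLL (EXE renamed to .dll?)")
    return findings


def build_minimal_pe(is_dll):
    """Constructed stand-in for a PE file: MZ stub, e_lfanew, PE signature and a FILE_HEADER."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


def demo():
    """Run the check against two constructed system32 trees: untouched, and swapped per the readme."""
    genuine = build_minimal_pe(is_dll=True)
    baseline = hashlib.sha256(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        (clean / TARGET_NAME).write_bytes(genuine)
        results["clean"] = check_system32(clean, baseline)

        swapped = Path(tmp) / "swapped"
        swapped.mkdir()
        (swapped / BACKUP_NAME).write_bytes(genuine)                         # ren sfcfiles.dll sfcfiles.lld
        (swapped / TARGET_NAME).write_bytes(build_minimal_pe(is_dll=False))  # copy pinball.ex_ sfcfiles.dll
        results["swapped"] = check_system32(swapped, baseline)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

Run it against the mounted disk from PE or another offline boot rather than from the live system: the readme states that Windows File Protection stays disabled for as long as DreamPackPL is installed, so the built-in integrity check on the running machine is exactly the control that has been removed. The hash comparison is the real test; the IMAGE_FILE_DLL heuristic only catches a plain executable renamed to .dll and says nothing about a genuine DLL put in the same place.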
Post #15, Apr 17 2004, 06:41 AM
rootman
Thanks. Your instructions helped a lot. It is the kind of thorough answer that I appreciate (and I am sure that others appreciate it as well).
There are a couple of PE plugins here that help automate the process: http://www.911cd.net/forums/index.php?show...6244&hl=regedit
I am using the john925 version: http://userwww.sfsu.edu/~john/bartspe/DreamPackPL.zip
Also, I am not convinced (yet) that this tool cannot be used to access the Active Directory domain. I will write more in the coming days after a few tests.
Post #16, Apr 17 2004, 01:24 PM
It appears true that you do not have access to the Active Directory domain; however, in Spirit mode, as the LOCAL administrator, you can use Active Directory Users and Computers to reset the administrator's password. In my tests, I set the password to nothing.
This will give you access to the domain controller at the next boot-up. And this is where it is most useful for me, since clients forget passwords or sysadmins "accidentally" leave/get fired without passing on this little tidbit of information. Once I have full control, and I have uninstalled DreamPack, then I reset the password again to something I can write down and give to the client (to lose). You may be able to reset it in one step at the beginning, but all of my tests were done the way I described. I have tested this on my Win2K domain controller (in a lab environment).
It probably DOES screw up your EFS, and make any files stored using EFS permanently inaccessible, but I have not tested it and I do not use EFS, nor do any of my clients. Maybe someone else can test this and write back.
Hope this is useful.
Post #17, Apr 17 2004, 07:27 PM
First of all, thanks to the guys who tried to help out, as I was close to losing it. Anyway, to make a long story short, I got everything to work eventually as per the instructions.
What is really weird, however, is that I encountered the problem with this file not working in Virtual PC running a fully patched and hardened version of XP. It still does not work when I try to apply the DreamPack to it, same problems as described earlier, which I find extremely puzzling. However, in a real environment, everything works as it should.
Post #18, Apr 18 2004, 11:06 AM
I'm the author of DreamPackPL.
EFS-encrypted files should be readable. With DreamPack you can log into every local account, so the system thinks that you are the "true" user. As long as you do not change the password, you can read or decrypt EFS files. You only need to know who (from which account) encrypted those files and log on to the right account.
Damian
Post #19, Apr 18 2004, 02:23 PM
@Damian.
Good work on the tool. I'm using John925's plugin and the EFS bypass does not work for me. As a test I set up a clean XP system - with only the Administrator user - and created a small EFS-encrypted folder of info. I then installed DreamPack to disk from PE, deselected the logon password check and duly rebooted. The system dropped me straight into Admin as expected, but I was unable to read or even access the contents of my previously encrypted folder. I realise that changing the password will bugger EFS permanently, but I assumed that a disabled password check would not.
Post #20, Apr 18 2004, 04:45 PM
@Damian
I would be very surprised if DreamPackPL allowed you to bypass EFS security without a password. This is because EFS files are encrypted with the user's password. More info is in the Microsoft description.
QUOTE
EFS particularly addresses security concerns raised by tools available on other operating systems that allow users to physically access files from an NTFS volume without an access check.
I always assumed that unless you know the password to a user account, you cannot access it. Since you do not have the user's password in memory when you log on with DreamPack, EFS files should not be accessible. Do you use some special method to bypass the encryption in DreamPack?