==================================================================
==  Protecting Files with Windows NT/XP           gE Technologies ==
==  CACLS: A new look at new methods         www.nuketutorials.com ==
==================================================================
=  Last updated : 10th September 2002    by gloBal_enemy/Seremify  =
=  Email : seremify@yahoo.com.au         ICQ : 7929694             =
==================================================================
Please do not mailbomb me or bombard me with **** as I do not appreciate it. If you have a question, ask me. I'll try to help, but remember I'm doing this voluntarily, and please give me some credit for even trying to help spread some useful tricks to those who don't know of them.

The same applies to viruses - I have antivirus running all the time, 24/7, but it doesn't mean that it'll stop me from having to download **** on my 56kbps connection.

And I know I have mixed up the words "ATTRIBUTE" and "PARAMETER" a million times here, but I hope you can still understand it.

DOS ownz j00.
==================================================================
LEGAL MUMBOJUMBO:

This document is provided 'as is' and is purely intended to be used as a reference document. It may not be redistributed without credit to the original owner - me, under the alias "gloBal_enemy". If you wish to publish this article somewhere, please ask me first, and I probably won't say NO; it's just more for interest's sake. I'm sure Da Vinci would've liked to know that his paintings and work would be some of the most respected/valued works in the world.

You may not modify this document in any way and then reproduce it and claim it as your own. You may quote it or use the whole article, but PLEASE provide credit and if possible email me (as I enjoy reading emails from people who read my guides on various topics). Make sure to use an accurate subject and speak in English (my skills in Japanese, Malay and Chinese are very limited, but I will try my best).

If you want to publish this file on your site because you think it is "THAT GOOD", please do; but do not change anything and of course email me. I might even (one day) add a link to all the places that host this file (assuming it ever spreads) onto my own site (which I am yet to have besides NukeTuts).

I take NO RESPONSIBILITY for your actions.

If you cannot figure out how it works, you can email me and I'll most likely respond (unless I'm away of course), but if you suffer physical or mental problems, or encounter financial difficulties, then it is not my fault. Fair enough? If not, then stop reading.

This document does not provide any insight into 'hacking' computer systems but rather how to protect them and what to do if someone has used the technique against you.
==================================================================
I will admit I didn't come across this CACLS thing on my own; I had the help of a friend who uses the alias "KKOT", so I thank him for telling me about this.
==================================================================
Anyway, I noticed on ASTALAVISTA there are many ways to protect stuff in Windows 2000 when you're on a shared area and so on; but what if you don't have your own account and you access the generic account (in our case it was "Student" and "Computing")? The tricks of using special characters do not apply if you can still open the folders through Windows Explorer, and the DOS commands for renaming them using a password are too much trouble (not to mention that if someone has an ASCII chart they'll find it in not too much time). This method of locking files/folders could be used in conjunction with the ASCII locking, but I'm too lazy to use that method.

This method is FAR from secure. The only reason it works at all is that there are a lot of people who don't even know of it (such as myself, until recently). If you feel that you are in an environment of people who do not know very, very advanced (undocumented) things in DOS/Win2k/XP, then carry on.

This system is mainly for people who do not have much power or privileges (in our case it was the STUDENT account for the school), and it allows you to protect your work from being deleted by other, more ignorant students.
==================================================================
** If you believe this could help you; carry on **
==================================================================
This method, "CACLS", uses Windows' inbuilt security system, also known as ACLs (Access Control Lists), which determine who can and can't access files. All admins have the power to control this via Windows Explorer, but lower-level users are likely not to have access to Windows Explorer or the right mouse button, let alone access to the Permissions tab on File Properties.

The concept is simple: since you are OWNER you have full permission rights over files. OWNER and ADMINISTRATOR have the same level of power over each file; usually the Administrator is the owner if it is a system file (such as Windows), but if you make a Word document or a PowerPoint presentation, then this method would prevent other foolish/stupid users from deleting it.

To do so, you (as owner) have to block all access to this file (including yourself). This will work because it blocks USERNAMES and not computers or domains. There are ways to block them, but it is pointless in my situation so I have yet to explore; feel free to comment on it (and if suitable I can add it to this file).

The CACLS method also shows an "ACCESS DENIED" error (how nice) should one try to modify (that includes EDIT and RENAME), move, delete, or open/run the file. In DOS it will result in an ACCESS DENIED message, but ALSO it will allow users into directories; when they try to see what's inside, it will be blank. A solution around this is to use the /T switch (explained in the ADVANCED section of this file).
==================================================================
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]
==================================================================
For more info try typing CACLS into the Win2k/XP DOS/Command prompt for more instructions; or just keep reading for more easy2read instructions. Beware, there may be a lot of me sidetracking...
==================================================================
From the above you can see there are multiple ways to do certain things and many additional options you can use. The key commands that you need to know (assuming you have DOS access) are as follows. (The example file will always be "happy.ppt" and the directory is called "h:\gEtech"; the username is "Computing" and the computer name is "C5-01".)

CACLS h:\gEtech\
- This will result in DOS showing you what the current ACL of a directory is:

  H:\gEtech\ c5-01\Student:(OI)(CI)F

The first part is self-explanatory (that is the file in question), but the latter can be different depending on the situation. It says "c5-01", but if you were on a domain it would be the domain name, and the second section is the username from either the local PC or the domain. In this example ADMINISTRATOR does not have access to the file and never will; unless they are smart enough to either change the owner (not too difficult) or to log in as you and then change the ACL. Both are possible for a 'determined' admin.

As another sidenote, the (OI)(CI) mean that all files and subdirectories within will be covered by the ACE. The colon (:) separates the username from the permissions. More on ACEs later...
CACLS h:\gEtech\happy.ppt
- This will result in DOS showing you what the current ACL of the file(s) is.

CACLS h:\gEtech\ /d Everyone
- This command is saying DENY access to the folder to EVERYONE; that is, ALL USERS including yourself. It will prompt for a 'Y' to confirm it.
  The (d - DENY) attribute means exactly that. It does not allow any user (when used with EVERYONE) to open the file, rename it, delete it, modify it, or anything. The only user with enough power to change it (besides Administrator) is the person who created it. The person who created it (you, I hope) can then apply a permission to it and stop access.

CACLS h:\gEtech\happy.ppt /d Everyone
- Same as above, except applied to the individual file only.

CACLS h:\gEtech\ /e /d MrSmith
- This uses /e, which adds to/modifies the current ACL rather than totally clearing it out and replacing it. This works well when you want to give different users different permissions.

CACLS h:\gEtech\ /g Lark:R
- This uses the (g - GRANT) and (R - Read Only) attributes. By using this command you would be granting the user LARK READ ONLY access. This means they cannot delete or modify the file, but they can open it and save it elsewhere.

CACLS h:\gEtech\ /e /g Minat:F
- This uses the (e - Edit), (g - Grant) and (f - Full Access) attributes. It will give the user MINAT full access to the folder whilst retaining the previous settings for other users.
There are other ways of granting and denying, as you can probably already tell, but those are the most simplified methods. And yes, it is possible to do more than one at a time, but I prefer to keep it simple and to ensure I don't make mistakes. With the problem of having to convert 255-character names into 8, making a mistake on CACLS is something you don't want to have to go back to. You can use wildcards to combine files and users, but again I don't like making mistakes; if you must, you use *.exe to select all EXEcutable files, and Happy.* to select all files with the name Happy but an unknown extension. The rest you can figure out..

Don't go locking the whole computer or you might get into trouble. There are plenty of ethic guides to hacking on the net. Read them if you think you may be a script kiddie or n00b of some sort.

If you must know more, continue reading; otherwise skip down a bit and read more useful and somewhat relevant stuff.
==================================================================
More advanced but somewhat useless commands..

CACLS h:\gEtech\ /t /g Student:F
- By using /T you are making it apply to all subdirectories.

CACLS h:\gEtech\*.exe /c /g Student:F
- If there were files in that folder (gEtech) that were not owned by yourself, then the grant will fail on those files. The /C will make it continue processing files even if there is an error.

CACLS h:\gEtech\happy.ppt /e /r Computing
- This uses /R to revoke any rights the user 'Computing' has. It will only work with /E since it modifies the current ACL so all other details/rights are left intact.

CACLS h:\gEtech\happy.ppt /p Computing:F
CACLS h:\gEtech\happy.ppt /p Computing:R
CACLS h:\gEtech\happy.ppt /p Computing:W
- Above are some examples of /p (REPLACE USER RIGHTS), and I have included a small ASCII (*gasp*) table of the different combos.
Rights - what goes after the colon :
Name   - what it's called
O      - Can it be opened (the file/folder the ACL applies to)? Once opened, it can be saved anywhere else.
R      - Can it be renamed? Even if the file is READ ONLY you can still copy it elsewhere.
M      - Can it be moved? (essentially the same as above)
W      - Can it be written to? (i.e. adding text to a Word document)
D      - Can it be deleted? Even if it can't be deleted, if they can write to it, one user could clear out the whole file (making it empty) and save it.
A      - Can the ACLs be viewed?
=============================================================
= Rights = Name   = O = R = M = W = D = A = Used with       =
=============================================================
=   N    = None   = N = N = N = N = N = N = /P              =
=   R    = Read   = Y = N = N = N = N = Y = /G /P           =
=   W    = Write  = Y = N = N = Y = N = Y = /G /P           =
=   C    = Change = Y = Y = Y = Y = N = Y = /G /P           =
=   F    = FULL   = Y = Y = Y = Y = Y = Y = /G /P           =
=============================================================
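To make the CACLS output shown earlier and the rights table concrete, here is an added example (my own Python, not part of the original tutorial) that parses the lines CACLS prints into ACEs, expands each rights letter into the O/R/M/W/D/A columns of the table, and flags two things an administrator scanning `cacls /t` output would want to find: folders locked with the Deny-Everyone trick described above, and the opposite problem, folders where Everyone is granted Write or better. The sample output is constructed in the tutorial's format, not captured from a real machine, and the `(DENY)` marker handling is my assumption about later CACLS versions, not something the tutorial shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The tutorial's rights table, one column per letter: Open, Rename, Move, Write, Delete, view ACLs.
RIGHTS_TABLE = {
    "N": "NNNNNN",   # None   (only meaningful with /P)
    "R": "YNNNNY",   # Read
    "W": "YNNYNY",   # Write
    "C": "YYYYNY",   # Change
    "F": "YYYYYY",   # FULL
}
CAPABILITIES = ("open", "rename", "move", "write", "delete", "view_acl")


def capabilities(letter: str) -> Dict[str, bool]:
    """Expand a rights letter into the table's O/R/M/W/D/A columns."""
    return {cap: col == "Y" for cap, col in zip(CAPABILITIES, RIGHTS_TABLE[letter])}


# One ACE as CACLS prints it: [DOMAIN\]user:(FLAG)(FLAG)...RIGHT, e.g. c5-01\Student:(OI)(CI)F
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<rights>[NRWCF])$")


@dataclass
class Ace:
    path: str
    principal: str
    flags: Tuple[str, ...]
    rights: str

    @property
    def deny(self) -> bool:
        # Windows 2000 CACLS prints a deny entry with the letter N. Assumption (not from the
        # tutorial): later versions add a (DENY) flag instead, so accept either form.
        return self.rights == "N" or "DENY" in self.flags


def parse_cacls(output: str) -> List[Ace]:
    """Parse CACLS output. The first ACE of an object follows the path on the same line;
    the object's remaining ACEs come on indented continuation lines.

    Caveat: CACLS separates path and ACE with one unquoted space, so a path that itself
    contains spaces cannot be split unambiguously. This parser assumes it does not.
    """
    aces: List[Ace] = []
    path = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            ace_text = raw.strip()            # continuation line: ACE only
        else:
            parts = raw.split(None, 1)        # new object: "<path> <ace>"
            if len(parts) != 2:
                continue
            path, ace_text = parts
        m = ACE_RE.match(ace_text)
        if m is None or path is None:
            continue                          # e.g. detail lines of a "(special access:)" entry
        flags = tuple(re.findall(r"\(([A-Z]+)\)", m["flags"]))
        aces.append(Ace(path, m["principal"], flags, m["rights"]))
    return aces


def locked_by_deny_everyone(aces: List[Ace]) -> List[str]:
    """Paths carrying the tutorial's lock: Everyone denied, so even the owner is refused
    until an administrator takes ownership or rewrites the ACL."""
    return sorted({a.path for a in aces if a.deny and a.principal.lower() == "everyone"})


def world_writable(aces: List[Ace]) -> List[str]:
    """The opposite risk: Everyone is *granted* Write or better, so any user of a shared
    account can alter or empty the files."""
    return sorted({a.path for a in aces
                   if not a.deny and a.principal.lower() == "everyone"
                   and capabilities(a.rights)["write"]})


# Constructed sample in the format shown in the tutorial; not real captured output.
SAMPLE_OUTPUT = r"""
H:\gEtech\ c5-01\Student:(OI)(CI)F
H:\gEtech\happy.ppt Everyone:N
H:\gEtech\old\ Everyone:(DENY)(OI)(CI)F
H:\shared\ Everyone:(OI)(CI)W
           BUILTIN\Administrators:(OI)(CI)F
"""

if __name__ == "__main__":
    acl = parse_cacls(SAMPLE_OUTPUT)
    for ace in acl:
        print(ace.path, ace.principal, "DENY" if ace.deny else "ALLOW", ace.rights, ace.flags)
    print("locked with Deny Everyone:", locked_by_deny_everyone(acl))
    print("Everyone can write:", world_writable(acl))
```

Feed it the output of `cacls h:\ /t` redirected to a file and the two lists tell the administrator where to take ownership (the locked folders) and where a grant to Everyone was more generous than intended.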
CACLS h:\gETech\happy.ppt /e /r Computing
- This will revoke the user Computing's rights. Also note (I just remembered) that there is no mention of domain. You can specify one if you wish, but if you don't, then it applies to any user trying to access the file/folder(s) from that account, whether they are local or roaming.
  Revoke just removes any right (makes them an "N") the user has, but it must be used with /e as it does NOT change the rest of the ACL settings.
==================================================================
Want to make a batch file? Or go even further with VB?

If you want automation, make note of the following:

If you wish to use something which does not contain "/E" there will be a prompt. The prompts can be pressed automatically by using the following line:

echo y|cacls h:\gETech /g Computing:F

Note there is no space between 'y' and | and 'cacls'. This will automatically pipe the pressing of a Y into the cacls program.

If you wish to make it automatic but not use a Y, try using the /E (edit) parameter. This does not have a prompt, so it works well with VB.

This brings me to my next point. I am yet to implement CACLS properly into Visual Basic - please email me if you do find a way to automatically suppress the "Y" without the use of a batch file.

If you want to call it, the file (CACLS) is located in:

C:\WINNT\System32\CACLS.exe

..so by use of a Shell("c:\winnt\system32\cacls.exe h:\gETech /g computing:f") you should get somewhere. Any further than that I cannot do, as I cannot suppress the button automatically.
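The open question above (answering the 'Y' from a program rather than a batch file) comes down to writing the answer to the child process's standard input, which is exactly what `echo y|` does in the batch version. As an added example that is not from the tutorial, here is how that looks from Python: it builds the CACLS command line, validates the user:perm spec against the rights table, sends "y" on stdin only when the command lacks /E (and therefore prompts), and refuses /R without /E, since the tutorial notes revoke only works that way. The `%SystemRoot%\System32\cacls.exe` location generalises the `C:\WINNT\System32\CACLS.exe` given above; on a non-Windows host the function only reports what it would run.

```python
import os
import subprocess
from typing import Dict, List, Optional

VALID_RIGHTS = set("NRWCF")      # the letters in the tutorial's rights table
VALID_ACTIONS = {"g": "/G", "p": "/P", "r": "/R", "d": "/D"}


def cacls_path() -> str:
    """CACLS lives in %SystemRoot%\\System32; the tutorial's box is Windows 2000 (C:\\WINNT)."""
    return os.environ.get("SystemRoot", r"C:\WINNT") + r"\System32\cacls.exe"


def build_cacls_command(target: str, action: str, user: str, rights: Optional[str] = None,
                        edit: bool = False, recurse: bool = False, keep_going: bool = False) -> List[str]:
    """Build the argv for one CACLS call.

    action: g (grant), p (replace user rights), r (revoke), d (deny).
    rights: required for g/p, must be absent for r/d.
    """
    if action not in VALID_ACTIONS:
        raise ValueError("action must be one of g, p, r, d")
    if action in ("g", "p"):
        if rights not in VALID_RIGHTS:
            raise ValueError("rights must be one of N R W C F")
        spec = f"{user}:{rights}"
    else:
        if rights is not None:
            raise ValueError(f"{VALID_ACTIONS[action]} takes a user name without rights")
        spec = user
    if action == "r" and not edit:
        # Revoke only makes sense when editing: without /E the whole ACL is replaced anyway.
        raise ValueError("/R must be combined with /E")
    argv = [cacls_path(), target]
    if recurse:
        argv.append("/T")
    if edit:
        argv.append("/E")
    if keep_going:
        argv.append("/C")
    argv += [VALID_ACTIONS[action], spec]
    return argv


def needs_confirmation(argv: List[str]) -> bool:
    """Without /E, CACLS replaces the existing ACL and asks 'Are you sure (Y/N)?'."""
    return "/E" not in argv


def run_cacls(argv: List[str], dry_run: bool = False) -> Dict[str, object]:
    """Run CACLS, answering the prompt on stdin instead of via 'echo y|'.

    Assumption: the confirmation letter is 'Y' (English Windows); localised builds may
    expect a different letter. Off Windows, or with dry_run, only report what would run.
    """
    stdin_payload = "y\r\n" if needs_confirmation(argv) else ""
    result: Dict[str, object] = {"argv": argv, "stdin": stdin_payload}
    if dry_run or os.name != "nt":
        return result
    proc = subprocess.run(argv, input=stdin_payload, text=True, capture_output=True)
    result.update(returncode=proc.returncode, stdout=proc.stdout, stderr=proc.stderr)
    return result


if __name__ == "__main__":
    # The tutorial's two automation cases: a full-ACL replace that prompts, and an /E edit that does not.
    print(run_cacls(build_cacls_command(r"h:\gETech", "g", "Computing", "F"), dry_run=True))
    print(run_cacls(build_cacls_command(r"h:\gEtech\happy.ppt", "r", "Computing", edit=True), dry_run=True))
```

The same idea works from any language that can start a process with a pipe on its standard input; VB's Shell() cannot, which is why the tutorial's author was stuck with a batch file.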
==================================================================
If you're an administrator trying to fix the problem of someone filling your network with CACLS stuff, then read on.

First you need to make yourself OWNER of the files. There are two ways to do this.

One is by opening up Windows Explorer (Winkey + E), finding the locked folder/files, right-clicking them and then, in the tab "PERMISSIONS" or "ACCESS", making yourself OWNER of the file. There are various ways of doing this, or just give yourself FULL ACCESS. If it does not let you gain full access, you will have to make yourself OWNER, and that requires a bit of menu navigating, but I'm sure you will find it. In Windows XP it will prompt you that you must be OWNER and ask if you wish to make yourself OWNER if you attempt to change anything.

"The GUI in File Manager or Windows NT Explorer is currently limited to replacing the ACLs."
- Taken from the Microsoft Article on CACLS listed below

The second method requires you to log in as that user. Whether that means you have to give him a blank password and then log in as them, or you just get them to do it, this is the more obvious way to do it and is a good way of punishing someone. To unlock the files from here, you just use the above "GRANT" commands to allow access.

Note: You cannot remove an ACL as there is always one.
==================================================================
ACE - Access Control Entries
.. or known as "Container Access Inheritance Flags"

This is one of the smarter names used. If the container is locked, you cannot open it. If the container is see-through (the folder is allowed to be opened but the files inside are not - NP) you can still see what's inside but you can't touch.

ACEs come about because certain files (such as files inside your profile) only obtain their ACL or Access Rights because they are located within another folder (or container, in this analogy).

IO - means "Inherit Only" - it will not affect the current item but it will travel within if other tags are used. This is a good example of a clear container.

CI - means "Container Inherit" - if there are smaller containers inside then they will have the same attributes as being set. If used with IO then of course the insides will be invisible but the outside container will be see-through.

OI - means "Object Inherit" - if there are any files within this container they will share the same attributes as the file being selected. If you use IO then of course they will be invisible.

NP - means "Non-Propagate" - this means that whatever you set here will
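The four flags are easiest to understand by watching which items in a tree an ACE ends up applying to. The following is an added example (mine, not from the tutorial) that simulates the Windows inheritance rules for an ACE set on a folder: the folder itself gets it unless IO is set, files get it if OI is set, subfolders get it if CI is set, an OI-only ACE still travels through subfolders (as inherit-only) so that deeper files receive it, and NP, whose definition is cut off above, stops the ACE from travelling past the folder's direct children. The directory tree is constructed for the example, modelled on the tutorial's h:\gEtech.

```python
from typing import Dict, Optional, Set

# A folder is a dict of name -> subtree; a file is None. Constructed for this example,
# modelled on the tutorial's h:\gEtech (not a real listing).
GETECH_TREE: Dict[str, Optional[dict]] = {
    "happy.ppt": None,
    "notes.txt": None,
    "sub": {
        "deep.doc": None,
        "subsub": {
            "deeper.doc": None,
        },
    },
}

KNOWN_FLAGS = {"OI", "CI", "IO", "NP"}


def effective_paths(root: str, tree: Dict[str, Optional[dict]], flags) -> Set[str]:
    """Return every path an ACE with the given CACLS flags applies to when set on `root`.

    Rules (Windows inheritance semantics, not stated in full by the tutorial):
      IO  the ACE is inherit-only: it does not apply to the object it is set on.
      CI  subfolders receive the ACE and it applies to them.
      OI  files receive the ACE. A subfolder not covered by CI still carries an OI ACE
          downwards (as inherit-only) so that files below it receive it.
      NP  the ACE is handed to direct children only; they do not pass it on further.
    Folder paths end in a backslash, matching the way CACLS prints them.
    """
    flags = set(flags)
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown flags: {sorted(unknown)}")
    applies: Set[str] = set()

    def visit(path: str, children: Dict[str, Optional[dict]], inherited: bool) -> None:
        # Does the ACE apply to this folder itself?
        if inherited:
            if "CI" in flags:
                applies.add(path)
        elif "IO" not in flags:
            applies.add(path)
        # Does it continue to this folder's children? Always from the folder it is set on;
        # from an inherited copy only when NP is absent.
        if inherited and "NP" in flags:
            return
        if not flags & {"OI", "CI"}:
            return  # nothing inheritable, so nothing below is affected
        for name, subtree in children.items():
            if subtree is None:
                if "OI" in flags:
                    applies.add(path + name)
            else:
                visit(path + name + "\\", subtree, True)

    visit(root, tree, False)
    return applies


if __name__ == "__main__":
    root = "h:\\gEtech\\"
    for flags in [("OI", "CI"), ("OI", "CI", "IO"), ("CI",), ("OI",), ("OI", "CI", "NP"), ()]:
        print("".join(f"({f})" for f in flags) or "(no inheritance)")
        for p in sorted(effective_paths(root, GETECH_TREE, flags)):
            print("   ", p)
```

Running it shows why the tutorial's `(OI)(CI)F` line covers everything under the folder, why adding IO would leave the folder itself untouched, and why an NP entry is the one to look for when a lock seems to stop one level down.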