Friday, October 8, 2010

How To Byepass BIOS Passwords

Introduction to BIOS Passwords

The best method to reset a BIOS password depends on what BIOS the computer has. Common BIOS's include AMI, Award, IBM and Phoenix. Numerous other BIOS's do exist, but these are the most common.
Some BIOS's allow you to require a password be entered before the system will boot. Some BIOS's allow you to require a password to be entered before the BIOS setup may be accessed.
The general categories of solutions to reset a BIOS password are:
  • Using a Backdoor BIOS Password
  • Resetting the BIOS Password using Software
  • Resetting the BIOS Password using Hardware
  • Vendor Specific Solutions for resetting the BIOS Password

 

 

 







Using a Backdoor BIOS Password

Some BIOS manufacturers implement a backdoor password. The backdoor password is a BIOS password that works, no matter what the user sets the BIOS password to. These passwords are typically used for testing and maintenance. Manufacturers typically change the backdoor BIOS passwords from time to time.

AMI Backdoor BIOS Passwords

Reported AMI backdoor BIOS passwords include A.M.I., AAAMMMIII, AMI?SW , AMI_SW, BIOS, CONDO, HEWITT RAND, LKWPETER, MI, and PASSWORD.

Award Backdoor BIOS Passwords

One reported Award backdoor BIOS password is eight spaces. Other reported Award backdoor BIOS passwords include 01322222, 589589, 589721, 595595, 598598 , ALFAROME, ALLY, ALLy, aLLY, aLLy, aPAf, award, AWARD PW, AWARD SW, AWARD?SW, AWARD_PW, AWARD_SW, AWKWARD, awkward, BIOSTAR, CONCAT, CONDO, Condo, condo, d8on, djonet, HLT, J256, J262, j262, j322, j332, J64, KDD, LKWPETER, Lkwpeter, PINT, pint, SER, SKY_FOX, SYXZ, syxz, TTPTHA, ZAAAADA, ZAAADA, ZBAAACA, and ZJAAADC.

Phoenix Backdoor BIOS Passwords

Reported Phoenix BIOS backdoor passwords include BIOS, CMOS, phoenix, and PHOENIX.

Backdoor BIOS Passwords from Other Manufacturers

Reported BIOS backdoor passwords for other manufacturers include:
ManufacturerBIOS Password
VOBIS & IBMmerlin
DellDell
BiostarBiostar
CompaqCompaq
Enoxxo11nE
Epoxcentral
FreetechPosterie
IWilliwill
Jetwayspooml
Packard Bellbell9
QDIQDI
SiemensSKY_FOX
SOYOSY_MB
TMCBIGO
ToshibaToshiba
Remember that what you see listed may not be the actual backdoor BIOS password, this BIOS password may simply have the same checksum as the real backdoor BIOS password. For Award BIOS, this checksum is stored at F000:EC60.

Resetting the BIOS Password using Software

Every system must store the BIOS password information somewhere. If you are able to access the machine after it has been booted successfully, you may be able to view the BIOS password. You must know the memory address where the BIOS password is stored, and the format in which the BIOS password is stored. Or, you must have a program that knows these things.
You can write your own program to read the BIOS password from the CMOS memory on a PC by writing the address of the byte of CMOS memory that you wish to read in port 0x370, and then reading the contents of port 0x371.
!BIOS will recover the BIOS password for most common BIOS versions, including IBM, American Megatrends Inc, Award and Phoenix.
CmosPwd will recover the BIOS password for the following BIOS versions:
  • ACER/IBM BIOS
  • AMI BIOS
  • AMI WinBIOS 2.5
  • Award 4.5x/4.6x/6.0
  • Compaq (1992)
  • Compaq (New version)
  • IBM (PS/2, Activa, Thinkpad)
  • Packard Bell
  • Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107
  • Phoenix 4 release 6 (User)
  • Gateway Solo - Phoenix 4.0 release 6
  • Toshiba
  • Zenith AMI

Resetting the BIOS Password using Hardware

If you cannot access the machine after if has been powered up, it is still possible to get past the BIOS password. The BIOS password is stored in CMOS memory that is maintained while the PC is powered off by a small battery, which is attached to the motherboard. If you remove this battery, all CMOS information (including the BIOS password) will be lost. You will need to re-enter the correct CMOS setup information to use the machine. The machines owner or user will most likely be alarmed when it is discovered that the BIOS password has been deleted.
On some motherboards, the battery is soldered to the motherboard, making it difficult to remove. If this is the case, you have another alternative. Somewhere on the motherboard you should find a jumper that will clear the BIOS password. If you have the motherboard documentation, you will know where that jumper is. If not, the jumper may be labeled on the motherboard. If you are not fortunate enough for either of these to be the case, you may be able to guess which jumper is the correct jumper. This jumper is usually standing alone near the battery. If you cannot locate this jumper, you might short both of the points where the battery connects to the motherboard.
If all else fails, you may have to clear the BIOS password by resetting the RTC (Real Time Clock) IC (Integrated Circuit) on your motherboard.
Many RTC's require an external battery. If your RTC is one of this type, you can clear the BIOS password just by unsocketing the RTC and reseating it.
RTC's which require external batteries include:








Most RTC chips with integrated batteries can be reset to clear the BIOS password by shorting two pins together for a few seconds.
You will see more than one option for some chips due to testing by various people in the field. Remember to remove power from the system before shorting these pins.
RTC ChipPins
Dallas DS1287ATI benchmarq bp3287AMT3 (N.C.) and 21 (NC/RCL)
Chips & Technologies P82C20612 (GND) and 32 (5V)-or-74 (GND) and 75 (5V)
OPTi F82C2063 and 26
Dallas Semiconductor DS12887A3 (N.C.) and 21 (RCLR)
You should be able to discover how to reset the BIOS password stored in most RTC (Real Time Clock) chips by reading the manufacturers data sheet for that RTC. Some RTC's, like the Dallas DS1287 and TI benchmarq bq3287mt cannot be cleared. The solution to resetting the BIOS password on systems with those RTC's is to purchase a replacement RTC chip.

How To Check Whether You are Victim of RATS or not ?

In this post i am going to show you how to find out when you are infected with a RAT or Keylogger, without using any complex tools. Now i believe most of you might know that you need to have an internet connection to make a RAT or a Keylogger work, which would mean, if you are not connected to internet, you don't have to worry about being infected with RAT or Keylogger. Ok, so for those who have internet connection and think they are being infected with a Trojan, here is a little guide that can solve your problem.

1. Now every program has their own process which can be seen on task manager. So the first thing to do is to find out which process the Trojan is being attached to. If you see some unknown process search that on google. A good hacker will always makes sure he hides its process with a Windows based Process, for eg. svchost.exe or something like that.

2. If you cant find, then the next thing you can do is use cmd (to open cmd prompt, Click on Start--->Accessories-->Command prompt).

3. Once Command Prompt is opened, use this command: netstat -an |find /i "listening"

Note: The NETSTAT command will show you whatever ports are open or in use, but it is NOT a port scanning tool!

Now we wonder What this Command does? This command will show all the opening ports. Now check for any unknown port.

4. You can skip step 3 if you want, and can do this instead.

Open command prompt and type netstat -b



Now this command will show you the active connections with the process with their PID (Process Identifier) and also the packets.
Look out for SYN Packets and the Foreign address its been connecting with , check the process its been associated with, check the ports also. If you find that its connecting to some unknown ports, then you can say you have been backdoored.

5. Go to your task manager. On the top of it, click on View---> select Column---> Tick on PID (Process Identifier).
Match the suspicious Process with the Processes In task manager, check PID also.
Now most of the RATs resides on Start up. How to delete them from start up?


a) Go to regedit ---> HKLM\Software\Microsoft\Windows\Current version\Run
On the Right hand side, check for the process name which you find on step 4. if its not their. Check at
HKCU\Software\Microsoft\Windows\Current Version\Run
OR
Open Cmd prompt & type start msconfig. Go to Startup tab, you can check the startup process there