Beta Version 2
Compiled by Simple Nomad
October 24, 1997
Notes about this release -
I've added a Registry section, and as I "go to press" so to speak, NT 5.0 looms on the horizon. I have not included anything really web-related; you can expect that in a future updated Web Hack FAQ. If you are reading this and it is 1998, my guess is that it is horribly out of date ;-) as things are really starting to happen with NT and security at a fast pace.

As always, your comments and additions are welcome.
U means Updated, N means New
Contents
General Info
  00-1. What is this "FAQ" for?
  00-2. What is the origin of this FAQ and how do I add to it?
  00-3. Is this FAQ available by anonymous FTP or WWW?
U 00-4. How was this FAQ prepared?

Domains and Basic Security
  01-1. What are the components of NT security?
  01-2. How does the authentication of a user actually work?
  01-3. What is "standalone" vs. "workgroup" vs. "domain"?
U 01-4. What is a Service Pack?
N 01-5. What is a Hot Fix?
  01-6. What's with "C2 certification"?
  01-7. Are there any interesting default groups to be aware of?
  01-8. What are the default directory permissions?
  01-9. Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?

Access to Accounts
  02-1. What are common accounts and passwords in NT?
  02-2. What if the Sys Admin has "renamed" the administrator account?
N 02-3. I lost the Administrator password. What do I do?

Passwords
  03-1. How do I access the password file in NT?
  03-2. How do I crack NT passwords?
  03-3. What is a "brute force" password cracker?
  03-4. What is a "dictionary" password cracker?
  03-5. Which method is best for cracking?
  03-6. How does a Sys Admin enforce better passwords?
U 03-7. Can a Sys Admin prevent/stop SAM extraction?
N 03-8. How is password changing related to "last login time"?

From The Console
  04-1. What does console access get me?
U 04-2. What about the file system?
  04-3. What is NetMon and why do I care?
  04-4. What can I do to get info from other computers from the console?
N 04-5. What is GetAdmin.exe?

From the Network
  05-1. Should I even try for local administrator access?
U 05-2. I have guest remote access. How can I get administrator access?
U 05-3. What about %systemroot%\system32 being writeable?
  05-4. What if the permissions are restricted on the server?
  05-5. What exactly does the NetBios Auditing Tool do?
U 05-6. What is the "Red Button" bug?
U 05-7. What about forging DNS packets for subversive purposes?
  05-8. What about shares?
N 05-9. How do I get around a packet filter-based firewall?

File and Directory Access
  06-1. How is file and directory security enforced?
  06-2. What is NTFS?
  06-3. Are there any vulnerabilities to NTFS and access controls?
  06-4. What is Samba and why is it important?
  06-5. I hack remotely. Once in, how can I do all that GUI stuff?

Miscellaneous Info on NT
  07-1. How do I bypass the screen saver?
  07-2. What can sniffing get me?
U 07-3. How can I detect that a machine is in fact NT on the network?
  07-4. Can I do on-the-fly disk encryption on NT?
  07-5. Does the FTP service allow passive connections?
N 07-6. What is this "port scanning" you are talking about?
N 07-7. Does NT have bugs like Unix' sendmail?

Denial of Service
  08-1. What is "Denial of Service"?
  08-2. What is the Ping of Death?
  08-3. What is a SYN Flood attack?
  08-4. What can telnet give me in the way of denial of service?
  08-5. What can I do with Samba?
  08-6. How do I lock out others from files?
  08-7. What's with ROLLBACK.EXE?
N 08-8. What is an OOB attack?
  08-9. Are there any other denial of service attacks?

The Registry
N 09-1. What is the Registry?
N 09-2. What are hives?
N 09-3. Why is the Registry like this and why do I care?
N 09-4. What do I do with a copy of SAM?

Resources
U 10-1. What are some NT WWW locations?
  10-2. What are some NT USENET groups?
U 10-3. What are some NT mailing lists?
  10-4. Where are some other NT FAQs?
U 10-5. Where can I get the files mentioned in this FAQ?
N 10-6. Where can I find Service Packs and Hot Fixes?

Mathematical/Theoretical
  11-1. Can sessions be hijacked?
U 11-2. Are "man in the middle" attacks possible?
  11-3. What about TCP Sequence Number Prediction?

For Administrators Only
  12-1. How do I secure my server?
  12-2. I'm an idiot. Exactly how do hackers get in?

Appendices
N A-01. Source Code for an Audit Script
N A-02. Perl Code for NETSCRIPT.PL
N A-03. Source Code for NT LSA Exploit