The Hack FAQ

Simple Nomad (thegnome@nmrc.org)

1. General FAQ Info

• 1.1 How do I add to this FAQ?
• 1.2 How was this FAQ prepared?
• 1.3 Is this FAQ available by anonymous FTP or WWW?
• 1.4 What is the mission and goal of the FAQ?
• 1.5 Where is the disclaimer?
• 1.6 Contributions (and thanks to...)
• 1.7 Other credits...

2. Attack Basics

• 2.1 What are the four steps to hacking?

3. Account Basics

• 3.1 What are accounts?
• 3.2 What are groups?

4. Password Basics

• 4.1 What are some password basics?
• 4.2 Why protect the hashes?
• 4.3 What is a "dictionary" password cracker?
• 4.4 What is a "brute force" password cracker?
• 4.5 Which method is best for cracking?
• 4.6 What is a "salt"?
• 4.7 What are the "dangers" of cracking passwords?

5. Denial of Service Basics

• 5.1 What is "Denial of Service"?
• 5.2 What is the Ping of Death?
• 5.3 What is a SYN Flood attack?
• 5.4 What are other popular Denial of Service attacks?

6. Misc Info

• 6.1 What is a "backdoor"?
• 6.2 Why do I care about auditing, accounting, and logging?
• 6.3 What are some different logging techniques used by Admins?
• 6.4 Why should I not just delete the log files?

7. NT Basics

• 7.1 What are the components of NT security?
• 7.2 How does the authentication of a user actually work?
• 7.3 What is "standalone" vs. "workgroup" vs. "domain"?
• 7.4 What is a Service Pack?
• 7.5 What is a Hot Fix?
• 7.6 What's with "C2 certification"?
• 7.7 Are there are interesting default groups to be aware of?
• 7.8 What are the default directory permissions?
• 7.9 Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?
• 7.10 What is the Registry?
• 7.11 What are hives?
• 7.12 Why is the Registry like this and why do I care?

8. NT Accounts

• 8.1 What are common accounts and passwords in NT?
• 8.2 What if the Sys Admin has renamed the Administrator account?
• 8.3 How can I figure out valid account names for NT?

9. NT Passwords

• 9.1 How do I access the password file in NT?
• 9.2 What's the full story with NT passwords?
• 9.3 How does
• 9.4 How does
• 9.5 I lost the NT Administrator password. What do I do?
• 9.6 How does a Sys Admin enforce better passwords?
• 9.7 Can an Sys Admin prevent/stop SAM extraction?
• 9.8 How is password changing related to "last login time"?

10. NT Console Attacks

• 10.1 What does direct console access for NT get me?
• 10.2 What about NT's file system?
• 10.3 What is Netmon and why do I care?

11. NT Client Attacks

• 11.1 What is GetAdmin.exe and Crash4.exe?
• 11.2 Should I even try for local administrator access?
• 11.3 I have guest remote access. How can I get administrator access?
• 11.4 What about %systemroot%\system32 being writeable?
• 11.5 What if the permissions are restricted on the server?
• 11.6 What exactly does the NetBios Auditing Tool do?
• 11.7 What is the "Red Button" bug?
• 11.8 What about forging DNS packets for subversive purposes?
• 11.9 What about shares?
• 11.10 How do I get around a packet filter-based firewall?
• 11.11 I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?

12. NT Denial of Service

• 12.1 What can telnet give me in the way of denial of service?
• 12.2 What can I do with Samba?
• 12.3 What's with ROLLBACK.EXE?
• 12.4 What is an OOB attack?
• 12.5 Are there any other Denial of Service attacks?

13. NT Logging and Backdoors

• 13.1 Where are the common log files in NT?
• 13.2 How do I edit/change NT log files without being detected?

14. NT Misc. Attack Info

• 14.1 How is file and directory security enforced?
• 14.2 What is NTFS?
• 14.3 Are there are vulnerabilities to NTFS and access controls?
• 14.4 What is Samba and why is it important?
• 14.5 How do I bypass the screen saver?
• 14.6 How can I detect that a machine is in fact NT on the network?
• 14.7 Can I do on-the-fly disk encryption on NT?
• 14.8 Does the FTP service allow passive connections?
• 14.9 What is this "port scanning" you are talking about?
• 14.10 Does NT have bugs like Unix' sendmail?

15. Netware Accounts

• 15.1 What are common accounts and passwords for Netware?
• 15.2 How can I figure out valid account names on Netware?

16. Netware Passwords

• 16.1 How do I access the password file in Netware?
• 16.2 What's the full story with Netware passwords?
• 16.3 How does
• 16.4 How does
• 16.5 Can an Sys Admin prevent/stop Netware password hash extraction?

17. Netware Console Attacks

• 17.1 What's the "secret" way to get Supe access Novell once taught CNE's?
• 17.2 I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
• 17.3 What's with NetBasic?

18. Netware Client Attacks

• 18.1 What is the cheesy way to get Supervisor access?
• 18.2 How can I get IP info from a Netware server remotely?

19. Netware Logging and Backdoors

• 19.1 How do I leave a backdoor for Netware?
• 19.2 Where are the common log files in Netware?
• 19.3 What is Accounting?
• 19.4 How do I defeat Accounting?
• 19.5 What is Intruder Detection?
• 19.6 How do I check for Intruder Detection?
• 19.7 What are station/time restrictions?

20. Netware Misc. Attack Info

• 20.1 How do I spoof my node or IP address?

21. Unix Accounts

• 21.1 What are common accounts and passwords for Unix?
• 21.2 How can I figure out valid account names for Unix?

22. Unix Passwords

• 22.1 How do I access the password file in Unix?
• 22.2 What's the full story with Unix passwords?
• 22.3 How does brute force password cracking work with Unix?
• 22.4 How does dictionary password cracking work with Unix?
• 22.5 How does a Sys Admin enforce better passwords and password management?
• 22.6 So what can I learn with a password file from a heavily secured system?

23. Unix Local Attacks

• 23.1 Why attack locally?
• 23.2 How do most exploits work?
• 23.3 So how does a buffer overflow work?

24. Unix Remote Attacks

• 24.1 What are remote hacks?

25. Unix Logging

• 25.1 Where are the common log files in Unix?
• 25.2 How do I edit/change the log files for Unix?