The Hack FAQ

Simple Nomad (thegnome@nmrc.org)

1. General FAQ Info

• 1.1 How do I add to this FAQ?
• 1.2 How was this FAQ prepared?
• 1.3 Is this FAQ available by anonymous FTP or WWW?
• 1.4 What is the mission and goal of the FAQ?
• 1.5 Where is the disclaimer?
• 1.6 Contributions (and thanks to...)
• 1.7 Other credits...
• 1.8 Changelog

2. Attack Basics

• 2.1 What are the four steps to hacking?

3. Account Basics

• 3.1 What are accounts?
• 3.2 What are groups?

4. Password Basics

• 4.1 What are some password basics?
• 4.2 Why protect the hashes?
• 4.3 What is a "dictionary" password cracker?
• 4.4 What is a "brute force" password cracker?
• 4.5 Which method is best for cracking?
• 4.6 What is a "salt"?
• 4.7 What are the "dangers" of cracking passwords?

5. Denial of Service Basics

• 5.1 What is "Denial of Service"?
• 5.2 What is the Ping of Death?
• 5.3 What is a SYN Flood attack?
• 5.4 What are other popular Denial of Service attacks?

6. Misc Info

• 6.1 What is a "backdoor"?
• 6.2 Why do I care about auditing, accounting, and logging?
• 6.3 What are some different logging techniques used by Admins?
• 6.4 Why should I not just delete the log files?
• 6.5 What is a buffer overflow?

7. NT Basics

• 7.1 What are the components of NT security?
• 7.2 How does the authentication of a user actually work?
• 7.3 What is "standalone" vs. "workgroup" vs. "domain"?
• 7.4 What is a Service Pack?
• 7.5 What is a Hot Fix?
• 7.6 Where are Service Packs and Hot Fixes?
• 7.7 What's with "C2 certification"?
• 7.8 Are there are interesting default groups to be aware of?
• 7.9 What are the default directory permissions?
• 7.10 Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?
• 7.11 What is the Registry?
• 7.12 What are hives?
• 7.13 Why is the Registry like this and why do I care?

8. NT Accounts

• 8.1 What are common accounts and passwords in NT?
• 8.2 What if the Sys Admin has renamed the Administrator account?
• 8.3 How can I figure out valid account names for NT?
• 8.4 What can null sessions to an NT machine tell me?

9. NT Passwords

• 9.1 How do I access the password file in NT?
• 9.2 What do I do with a copy of SAM?
• 9.3 What's the full story with NT passwords?
• 9.4 How does brute force password cracking work with NT?
• 9.5 How does dictionary password cracking work with NT?
• 9.6 I lost the NT Administrator password. What do I do?
• 9.7 How does a Sys Admin enforce better passwords?
• 9.8 Can an Sys Admin prevent/stop SAM extraction?
• 9.9 How is password changing related to "last login time"?

10. NT Console Attacks

• 10.1 What does direct console access for NT get me?
• 10.2 What about NT's file system?
• 10.3 What is Netmon and why do I care?

11. NT Client Attacks

• 11.1 What is GetAdmin.exe and Crash4.exe?
• 11.2 Should I even try for local administrator access?
• 11.3 I have guest remote access. How can I get administrator access?
• 11.4 What about %systemroot%\system32 being writeable?
• 11.5 What if the permissions are restricted on the server?
• 11.6 What exactly does the NetBios Auditing Tool do?
• 11.7 What is the "Red Button" bug?
• 11.8 What about forging DNS packets for subversive purposes?
• 11.9 What about shares?
• 11.10 How do I get around a packet filter-based firewall?
• 11.11 I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?

12. NT Denial of Service

• 12.1 What can telnet give me in the way of denial of service?
• 12.2 What can I do with Samba?
• 12.3 What's with ROLLBACK.EXE?
• 12.4 What is an OOB attack?
• 12.5 Are there any other Denial of Service attacks?

13. NT Logging and Backdoors

• 13.1 Where are the common log files in NT?
• 13.2 How do I edit/change NT log files without being detected?
• 13.3 So how can I view/clear/edit the Security Log?
• 13.4 How can I turn off auditing in NT?

14. NT Misc. Attack Info

• 14.1 How is file and directory security enforced?
• 14.2 What is NTFS?
• 14.3 Are there are vulnerabilities to NTFS and access controls?
• 14.4 What is Samba and why is it important?
• 14.5 How do I bypass the screen saver?
• 14.6 How can I detect that a machine is in fact NT on the network?
• 14.7 Can I do on-the-fly disk encryption on NT?
• 14.8 Does the FTP service allow passive connections?
• 14.9 What is this "port scanning" you are talking about?
• 14.10 Does NT have bugs like Unix' sendmail?
• 14.11 How is password changing related to "last login time"?
• 14.12 Can sessions be hijacked?
• 14.13 Are "man in the middle" attacks possible?
• 14.14 What about TCP Sequence Number Prediction?
• 14.15 What's the story with buffer overflows on NT?

15. Netware Basics

• 15.1

16. Netware Accounts

• 16.1 What are common accounts and passwords for Netware?
• 16.2 How can I figure out valid account names on Netware?

17. Netware Passwords

• 17.1 How do I access the password file in Netware?
• 17.2 What's the full story with Netware passwords?
• 17.3 How does password cracking work with Netware?
• 17.4 How does password cracking work with Netware?
• 17.5 Can an Sys Admin prevent/stop Netware password hash extraction?
• 17.6 Can I reset an NDS password with just limited rights?
• 17.7 What is OS2NT.NLM?
• 17.8 How does password encryption work?
• 17.9 Can I login without a password?
• 17.10 What's with Windows 95 and Netware passwords?

18. Netware Console Attacks

• 18.1 What's the "secret" way to get Supe access Novell once taught CNE's?
• 18.2 How do I use SETPWD.NLM?
• 18.3 I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
• 18.4 What's the "debug" way to disable passwords?
• 18.5 How do I defeat console logging?
• 18.6 Can I set the RCONSOLE password to work for just Supervisor?
• 18.7 How can I get around a locked MONITOR?
• 18.8 Where are the Login Scripts stored in Netware 4.x and can I edit them?
• 18.9 What if I can't see SYS:_NETWARE?
• 18.10 So how do I access SYS:_NETWARE?
• 18.11 How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
• 18.12 What else can be done with console access?

19. Netware Client Attacks

• 19.1 What is the cheesy way to get Supervisor access?
• 19.2 How can I login without running the System Login Script in Netware 3.x?
• 19.3 How can I get IP info from a Netware server remotely?
• 19.4 Does 4.x store the LOGIN password to a temporary file?
• 19.5 Everyone can make themselves equivalent to anyone including Admin. How?
• 19.6 Can Windows 95 bypass NetWare user security?
• 19.7 What is Packet Signature and how do I get around it?

20. Netware Denial of Service

• 20.1 How can I abend a Netware server?
• 20.2 Will Windows 95 cause server problems for Netware?
• 20.3 Will Windows 95 cause network problems for Netware?

21. Netware Logging and Backdoors

• 21.1 How do I leave a backdoor for Netware?
• 21.2 What is the rumored "backdoor" in NDS?
• 21.3 What is the bindery backdoor in Netware 4.x?
• 21.4 Where are the common log files in Netware?
• 21.5 What is Accounting?
• 21.6 How do I defeat Accounting?
• 21.7 What is Intruder Detection?
• 21.8 How do I check for Intruder Detection?
• 21.9 What are station/time restrictions?
• 21.10 How can I tell if something is being Audited in Netware 4.x?
• 21.11 How can I remove Auditing if I lost the Audit password?
• 21.12 What is interesting about Netware 4.x's licensing?
• 21.13 What is the Word Perfect 5.1 trick when running Netware 3.x over DOS?

22. Netware Misc. Attack Info

• 22.1 How do I spoof my node or IP address?
• 22.2 How can I see hidden files and directories?
• 22.3 How do I defeat the execute-only flag?
• 22.4 How can I hide my presence after altering files?
• 22.5 What is a Netware-aware trojan?
• 22.6 What are Trustee Directory Assignments?
• 22.7 Are there any default Trustee Assignments that can be exploited?
• 22.8 What are some general ways to exploit Trustee Rights?
• 22.9 Can access to .NCF files help me?
• 22.10 Can someone think they've logged out and I walk up and take over?
• 22.11 What other Novell and third party programs have holes that give "too much access"?
• 22.12 How can I get around disk space requirements?
• 22.13 How do I remotely reboot a Netware 3.x file server?
• 22.14 What is Netware NFS and is it secure?
• 22.15 Can sniffing packets help me break into Netware servers?
• 22.16 What else can sniffing around Netware get me?
• 22.17 Do any Netware utilities have holes like Unix utilities?
• 22.18 Where can I get the Netware APIs?
• 22.19 Are there alternatives to Netware's APIs?
• 22.20 How can I remove NDS?
• 22.21 What are security considerations regarding partitions of the tree?
• 22.22 Can a department "Supe" become a regular Admin to the entire tree?
• 22.23 Are there products to help improve Netware's security?
• 22.24 Is Netware's Web server secure?
• 22.25 What's the story with Netware's FTP NLM?
• 22.26 Can an IntranetWare server be compromised from the Internet?
• 22.27 Are there any problems with Novell's Groupwise?
• 22.28 Are there any problems with Netware's Macintosh namespace?
• 22.29 What's the story with buffer overflows on Netware?

23. Netware Mathematical/Theoretical Info

• 23.1 How does the whole password/login/encryption thing work?
• 23.2 Are "man in the middle" attacks possible?
• 23.3 Are Netware-aware viruses possible?
• 23.4 Can a trojaned LOGIN.EXE be inserted during the login process?
• 23.5 Is anything "vulnerable" during a password change?
• 23.6 Is "data diddling" possible?

24. Unix Accounts

• 24.1 What are common accounts and passwords for Unix?
• 24.2 How can I figure out valid account names for Unix?

25. Unix Passwords

• 25.1 How do I access the password file in Unix?
• 25.2 What's the full story with Unix passwords?
• 25.3 How does brute force password cracking work with Unix?
• 25.4 How does dictionary password cracking work with Unix?
• 25.5 How does a Sys Admin enforce better passwords and password management?
• 25.6 So what can I learn with a password file from a heavily secured system?

26. Unix Local Attacks

• 26.1 Why attack locally?
• 26.2 How do most exploits work?
• 26.3 So how does a buffer overflow work?

27. Unix Remote Attacks

• 27.1 What are remote hacks?

28. Unix Logging

• 28.1 Where are the common log files in Unix?
• 28.2 How do I edit/change the log files for Unix?

29. Hacker Resources

• 29.1 What are some security-related WWW locations?
• 29.2 What are some security-related USENET groups?
• 29.3 What are some security-related mailing lists?
• 29.4 What are some other FAQs?
• 29.5 Where are all of these files mentioned in the FAQ?