The Unofficial NT Hack FAQ

Beta Version 2

Compiled by Simple Nomad
October 24, 1997

Notes about this release -
I've added a Registry section, and as I "go to press", so to speak, NT 5.0 looms on the horizon. I have not included anything really web-related; you can expect that in a future updated Web Hack FAQ. If you are reading this and it is 1998, my guess is that it is horribly out of date ;-) as things are really starting to happen with NT and security at a fast pace.

As always, your comments and additions are welcome.

U means Updated, N means New


Section 00

General Info

  00-1. What is this "FAQ" for?
  00-2. What is the origin of this FAQ and how do I add to it?
  00-3. Is this FAQ available by anonymous FTP or WWW?
U 00-4. How was this FAQ prepared?

Section 01

Domains and Basic Security

  01-1. What are the components of NT security?
  01-2. How does the authentication of a user actually work?
  01-3. What is "standalone" vs. "workgroup" vs. "domain"?
U 01-4. What is a Service Pack?
N 01-5. What is a Hot Fix?
  01-6. What's with "C2 certification"?
  01-7. Are there any interesting default groups to be aware of?
  01-8. What are the default directory permissions?
  01-9. Are there any special restrictions surrounding the Administrative
        Tools group in Presentation Manager?

Section 02

Access to Accounts

  02-1. What are common accounts and passwords in NT?
  02-2. What if the Sys Admin has "renamed" the administrator account?
N 02-3. I lost the Administrator password. What do I do?

Section 03


  03-1. How do I access the password file in NT?
  03-2. How do I crack NT passwords?
  03-3. What is a "brute force" password cracker?
  03-4. What is a "dictionary" password cracker?
  03-5. Which method is best for cracking?
  03-6. How does a Sys Admin enforce better passwords?
U 03-7. Can a Sys Admin prevent/stop SAM extraction?
N 03-8. How is password changing related to "last login time"?

Section 04

From The Console

  04-1. What does console access get me?
U 04-2. What about the file system?
  04-3. What is NetMon and why do I care?
  04-4. What can I do to get info from other computers from the console?
N 04-5. What is GetAdmin.exe?

Section 05

From the Network

  05-1. Should I even try for local administrator access?
U 05-2. I have guest remote access. How can I get administrator access?
U 05-3. What about %systemroot%\system32 being writeable?
  05-4. What if the permissions are restricted on the server?
  05-5. What exactly does the NetBios Auditing Tool do?
U 05-6. What is the "Red Button" bug?
U 05-7. What about forging DNS packets for subversive purposes?
  05-8. What about shares?
N 05-9. How do I get around a packet filter-based firewall?

Section 06

File and Directory Access

  06-1. How is file and directory security enforced?
  06-2. What is NTFS?
  06-3. Are there any vulnerabilities to NTFS and access controls?
  06-4. What is Samba and why is it important?
  06-5. I hack remotely. Once in, how can I do all that GUI stuff?

Section 07

Miscellaneous Info on NT

  07-1. How do I bypass the screen saver?
  07-2. What can sniffing get me?
U 07-3. How can I detect that a machine is in fact NT on the network?
  07-4. Can I do on-the-fly disk encryption on NT?
  07-5. Does the FTP service allow passive connections?
N 07-6. What is this "port scanning" you are talking about?
N 07-7. Does NT have bugs like Unix's sendmail?

Section 08

Denial of Service

  08-1. What is "Denial of Service"?
  08-2. What is the Ping of Death?
  08-3. What is a SYN Flood attack?
  08-4. What can telnet give me in the way of denial of service?
  08-5. What can I do with Samba?
  08-6. How do I lock out others from files?
  08-7. What's with ROLLBACK.EXE?
N 08-8. What is an OOB attack?
  08-9. Are there any other denial of service attacks?

Section 09

The Registry

N 09-1. What is the Registry?
N 09-2. What are hives?
N 09-3. Why is the Registry like this and why do I care?
N 09-4. What do I do with a copy of SAM?

Section 10


U 10-1. What are some NT WWW locations?
  10-2. What are some NT USENET groups?
U 10-3. What are some NT mailing lists?
  10-4. Where are some other NT FAQs?
U 10-5. Where can I get the files mentioned in this FAQ?
N 10-6. Where can I find Service Packs and Hot Fixes?

Section 11


  11-1. Can sessions be hijacked?
U 11-2. Are "man in the middle" attacks possible?
  11-3. What about TCP Sequence Number Prediction?

Section 12

For Administrators Only

  12-1. How do I secure my server?
  12-2. I'm an idiot. Exactly how do hackers get in?

Appendix Section

N A-01. Source Code for an Audit Script
N A-02. Perl Code for NETSCRIPT.PL
N A-03. Source Code for NT LSA Exploit
