The Hack FAQ version 1.0
------------------------

Simple Nomad [thegnome@nmrc.org]

Brought to you in wondrous plaintext, the way it was intended.

This FAQ answers questions about hacking, including the steps to perform such actions.
It is intended to be a resource for anyone who reads it -- sys admin, fed, or intruder.
Most of these techniques are not new; in fact, a lot of the info here is culled from
public sources. These sources are cited when known. My disclaimer is this: I have no
disclaimer. In this litigious society, me stating "for educational purposes only" and
"I am not responsible for your actions" means nothing. If someone is going to sue me
because of the idiotic actions of another, a simple disclaimer will not stop them,
regardless of the truth.

The Hack FAQ has a long history. It started as the Unofficial Netware Hack FAQ about
5 years ago. Several FAQs came after that, including one on NT and one on Web hacking.
About 18 months ago I combined them into one FAQ. I have been neglectful of this project
but now intend to make things right and update it. In fact, I am rewriting the entire
thing from scratch. As it starts anew, we assign it version 1.0. So mote it be.

Contents
--------

N means new, U means updated

1. General FAQ Info

 1.1  How is the FAQ laid out?
 1.2  How do I add to this FAQ?
 1.3  How is this FAQ prepared?
 1.4  Where can I get the latest copy of the FAQ?
 1.5  Contributions and shouts

2. Hacking Basics

 2.1  What is hacking anyway?
 2.2  What are the steps to hacking?
 2.3  What are accounts?
 2.4  What are groups?
 2.5  What about passwords?
 2.6  Why protect the hashes?
 2.7  What is a "dictionary" password cracker?
 2.8  What is a "brute force" password cracker?
 2.9  So what is the best password cracking method?
 2.10 What are common passwords?

3. Misc Basic Info

 3.1  What are backdoors?
 3.2  Why should I care about auditing, logging, and accounting?
 3.3  Why should I not just delete the log files?
 3.4  What's a buffer overflow and why do I care?
 3.5  What is spoofing? And hijacking?

4. Denial of Service

 4.1  What is "Denial of Service"?
 4.2  Why launch a DoS attack if it is so lame?
 4.3  What is the Ping of Death?
 4.4  What is a SYN Flood?
 4.5  Are there other types of floods?

5. Web Browser

 5.1  What is "unsafe" about my browser?
 5.2  What is vulnerable about history, bookmark, and cache files?
 5.3  What other browser files are important?
 5.4  Can you tell me more about the "cookie" file?
 5.5  How can I protect my browser files?
 5.6  So why all of the paranoia about browsers?
 5.7  What is phf?
 5.8  What's the "test" hack?
 5.9  What about that "tilde" character?
 5.10 What is the jj.c problem?
 5.11 What's the deal with forms?
 5.12 What will this look like in the target's log files?
 5.13 What's the deal with Server-Side Includes?
 5.14 What if SSIs are turned on but includes are stripped from user input?
 5.15 What are SSL and SHTTP?
 5.16 How can I attack "anonymously"?
 5.17 What is the "asp dot" attack?
 5.18 What is the campas attack?
 5.19 What is the count.cgi attack?
 5.20 What is the faxsurvey attack?
 5.21 What about finger.cgi?
 5.22 What is the glimpse exploit?
 5.23 What are some other CGI scripts that allow remote command execution?
 5.24 What are the MetaInfo attacks?
 5.25 What are the big "weak spots" on servers?
 5.26 What are the critical files?
 5.27 What's the difference between httpd running as a daemon vs. running under inetd?
 5.28 How does the server resolve paths?
 5.29 What log files are used by the server?
 5.30 How do access restrictions work?
 5.31 How do password restrictions work?
 5.32 What is web spoofing?

6. Win NT

 6.1  What are the components of NT security?
 6.2  How does the authentication of a user actually work?
 6.3  What is "standalone" vs. "workgroup" vs. "domain"?
 6.4  What is a Service Pack?
 6.5  What is a Hot Fix?
 6.5  Where are Service Packs and Hot Fixes?
 6.6  What's with "C2 certification"?
 6.7  Are there any interesting default groups to be aware of?
 6.8  What are the default directory permissions?
 6.9  Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?
 6.10 What is the Registry?
 6.11 What are hives?
 6.12 Why is the Registry like this and why do I care?
 6.13 What is the deal with Microsoft's implementation of PPTP?
 6.14 What are common accounts and passwords in NT?
 6.15 What if the Sys Admin has renamed the Administrator account?
 6.16 How can I figure out valid account names for NT?
 6.17 What can null sessions to an NT machine tell me?
 6.18 How do I access the password file in NT?
 6.19 What do I do with a copy of SAM?
 6.20 What's the full story with NT passwords?
 6.21 How does brute force password cracking work with NT?
 6.22 How does dictionary password cracking work with NT?
 6.23 I lost the NT Administrator password. What do I do?
 6.24 How does a Sys Admin enforce better passwords?
 6.25 Can a Sys Admin prevent/stop SAM extraction?
 6.26 How is password changing related to "last login time"?
 6.27 What does direct console access for NT get me?
 6.28 What about NT's file system?
 6.29 What is Netmon and why do I care?
 6.30 What is GetAdmin.exe and Crash4.exe?
 6.31 Should I even try for local administrator access?
 6.32 I have guest remote access. How can I get administrator access?
 6.33 What about %systemroot%\system32 being writeable?
 6.34 What if the permissions are restricted on the server?
 6.35 What exactly does the NetBios Auditing Tool do?
 6.36 What is the "Red Button" bug?
 6.37 What about forging DNS packets for subversive purposes?
 6.38 What about shares?
 6.39 How do I get around a packet filter-based firewall?
 6.40 I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?
 6.41 What can telnet give me in the way of denial of service?
 6.42 What can I do with Samba?
 6.43 What's with ROLLBACK.EXE?
 6.44 What is an OOB attack?
 6.45 Are there any other Denial of Service attacks?
 6.46 Where are the common log files in NT?
 6.47 How do I edit/change NT log files without being detected?
 6.48 So how can I view/clear/edit the Security Log?
 6.49 How can I turn off auditing in NT?
 6.50 How is file and directory security enforced?
 6.51 What is NTFS?
 6.52 Are there any vulnerabilities to NTFS and access controls?
 6.53 What is Samba and why is it important?
 6.54 How do I bypass the screen saver?
 6.55 How can I detect that a machine is in fact NT on the network?
 6.56 Can I do on-the-fly disk encryption on NT?
 6.57 Does the FTP service allow passive connections?
 6.58 What is this "port scanning" you are talking about?
 6.59 Does NT have bugs like Unix' sendmail?
 6.61 How is password changing related to "last login time"?
 6.62 Can sessions be hijacked?
 6.63 Are "man in the middle" attacks possible?
 6.64 What about TCP Sequence Number Prediction?
 6.65 What's the story with buffer overflows on NT?

7. Netware

 7.1  What are common accounts and passwords for Netware?
 7.2  How can I figure out valid account names on Netware?
 7.3  How do I access the password file in Netware?
 7.4  What's the full story with Netware passwords?
 7.5  How does password cracking work with Netware?
 7.6  How does password cracking work with Netware?
 7.7  Can a Sys Admin prevent/stop Netware password hash extraction?
 7.8  Can I reset an NDS password with just limited rights?
 7.9  What is OS2NT.NLM?
 7.10 How does password encryption work?
 7.11 Can I login without a password?
 7.12 What's with Windows 95 and Netware passwords?
 7.13 What's the "secret" way to get Supe access Novell once taught CNEs?
 7.14 How do I use SETPWD.NLM?
 7.15 I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
 7.16 What's the "debug" way to disable passwords?
 7.17 How do I defeat console logging?
 7.18 Can I set the RCONSOLE password to work for just Supervisor?
 7.19 How can I get around a locked MONITOR?
 7.20 Where are the Login Scripts stored in Netware 4.x and can I edit them?
 7.21 What if I can't see SYS:_NETWARE?
 7.22 So how do I access SYS:_NETWARE?
 7.23 How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
 7.24 What else can be done with console access?
 7.25 What is the cheesy way to get Supervisor access?
 7.26 How can I login without running the System Login Script in Netware 3.x?
 7.27 How can I get IP info from a Netware server remotely?
 7.28 Does 4.x store the LOGIN password to a temporary file?
 7.29 Everyone can make themselves equivalent to anyone including Admin. How?
 7.30 Can Windows 95 bypass NetWare user security?
 7.31 What is Packet Signature and how do I get around it?
 7.32 How can I abend a Netware server?
 7.33 Will Windows 95 cause server problems for Netware?
 7.34 Will Windows 95 cause network problems for Netware?
 7.35 How do I leave a backdoor for Netware?
 7.36 What is the rumored "backdoor" in NDS?
 7.37 What is the bindery backdoor in Netware 4.x?
 7.38 Where are the common log files in Netware?
 7.39 What is Accounting?
 7.40 How do I defeat Accounting?
 7.41 What is Intruder Detection?
 7.42 How do I check for Intruder Detection?
 7.43 What are station/time restrictions?
 7.44 How can I tell if something is being Audited in Netware 4.x?
 7.45 How can I remove Auditing if I lost the Audit password?
 7.46 What is interesting about Netware 4.x's licensing?
 7.47 What is the Word Perfect 5.1 trick when running Netware 3.x over DOS?
 7.48 How do I spoof my node or IP address?
 7.49 How can I see hidden files and directories?
 7.50 How do I defeat the execute-only flag?
 7.51 How can I hide my presence after altering files?
 7.52 What is a Netware-aware trojan?
 7.53 What are Trustee Directory Assignments?
 7.54 Are there any default Trustee Assignments that can be exploited?
 7.55 What are some general ways to exploit Trustee Rights?
 7.56 Can access to .NCF files help me?
 7.57 Can someone think they've logged out and I walk up and take over?
 7.58 What other Novell and third party programs have holes that give "too much access"?
 7.59 How can I get around disk space requirements?
 7.60 How do I remotely reboot a Netware 3.x file server?
 7.61 What is Netware NFS and is it secure?
 7.62 Can sniffing packets help me break into Netware servers?
 7.63 What else can sniffing around Netware get me?
 7.64 Do any Netware utilities have holes like Unix utilities?
 7.65 Where can I get the Netware APIs?
 7.66 Are there alternatives to Netware's APIs?
 7.67 How can I remove NDS?
 7.68 What are security considerations regarding partitions of the tree?
 7.69 Can a department "Supe" become a regular Admin to the entire tree?
 7.70 Are there products to help improve Netware's security?
 7.71 Is Netware's Web server secure?
 7.72 What's the story with Netware's FTP NLM?
 7.73 Can an IntranetWare server be compromised from the Internet?
 7.74 Are there any problems with Novell's Groupwise?
 7.75 Are there any problems with Netware's Macintosh namespace?
 7.76 What's the story with buffer overflows on Netware?
 7.77 How does the whole password/login/encryption thing work?
 7.78 Are "man in the middle" attacks possible?
 7.79 Are Netware-aware viruses possible?
 7.80 Can a trojaned LOGIN.EXE be inserted during the login process?
 7.81 Is anything "vulnerable" during a password change?
 7.82 Is "data diddling" possible?

8. Unix

 8.1  What are common accounts and passwords for Unix?
 8.2  How can I figure out valid account names for Unix?
 8.3  How do I access the password file in Unix?
 8.4  What's the full story with Unix passwords?
 8.5  How does brute force password cracking work with Unix?
 8.6  How does dictionary password cracking work with Unix?
 8.7  How does a Sys Admin enforce better passwords and password management?
 8.8  So what can I learn with a password file from a heavily secured system?
 8.9  Why attack locally?
 8.10 How do most exploits work?
 8.11 So how does a buffer overflow work?
 8.12 What are remote hacks?
 8.13 Where are the common log files in Unix?
 8.14 How do I edit/change the log files for Unix?

9. Resources

 9.1  What are some security-related WWW locations?
 9.2  What are some security-related USENET groups?
 9.3  What are some security-related mailing lists?
 9.4  What are some other FAQs?
 9.5  Where are all of these files mentioned in the FAQ?