The Hack FAQ

Simple Nomad (thegnome@nmrc.org)

September 6, 1999

1. General FAQ Info

• 1.1 How do I add to this FAQ?
• 1.2 How was this FAQ prepared?
• 1.3 Is this FAQ available by anonymous FTP or WWW?
• 1.4 What is the mission and goal of the FAQ?
• 1.5 Where is the disclaimer?
• 1.6 Contributions (and thanks to...)
• 1.7 Other credits...
• 1.8 Changelog

2. Attack Basics

• 2.1 What are the four steps to hacking?

3. Account Basics

• 3.1 What are accounts?
• 3.2 What are groups?

4. Password Basics

• 4.1 What are some password basics?
• 4.2 Why protect the hashes?
• 4.3 What is a "dictionary" password cracker?
• 4.4 What is a "brute force" password cracker?
• 4.5 Which method is best for cracking?
• 4.6 What is a "salt"?
• 4.7 What are the "dangers" of cracking passwords?
• 4.8 What are the password hashes stored?
• 4.9 Are there any password schemes that are safe?

5. Denial of Service Basics

• 5.1 What is "Denial of Service"?
• 5.2 What are some "real" reasons to do DoS?
• 5.3 What is the Ping of Death?
• 5.4 What is a SYN Flood attack?
• 5.5 What are other popular DoS attacks?
• 5.6 How can I discover new DoS attacks?
• 5.7 What are "distributed" DoS attacks?
• 5.8 How does one defend against DoS attacks?

6. Misc Info

• 6.1 What is a "backdoor"?
• 6.2 Why do I care about auditing, accounting, and logging?
• 6.3 What are some different logging techniques used by Admins?
• 6.4 Why should I not just delete the log files?
• 6.5 What is a buffer overflow?
• 6.6 What's the story with WinGate?
• 6.7 How do I find these buggy WinGates I can use?
• 6.8 What's with ICQ?

7. Web Browser

• 7.1 What is "unsafe" about my browser?
• 7.2 What is vulnerable about history, bookmark, and cache files?
• 7.3 What other browser files are important?
• 7.4 Can you tell me more about the "cookie" file?
• 7.5 How can I protect my browser files?
• 7.6 So why all of the paranioa about browsers?

8. The Web Browser as an Attack Tool

• 8.1 What is phf?
• 8.2 What's the "test" hack?
• 8.3 What about that "tilde" character?
• 8.4 What is the jj.c problem?
• 8.5 What's the deal with forms?
• 8.6 What will this look like in the target's log files?
• 8.7 What's the deal with Server-Side Includes?
• 8.8 What if SSIs are turned on but includes are stripped from user input?
• 8.9 What are SSL and SHTTP?
• 8.10 How can I attack "anonymously"?
• 8.11 What is the "asp dot" attack?
• 8.12 What is the campas attack?
• 8.13 What is the count.cgi attack?
• 8.14 What is the faxsurvey attack?
• 8.15 What about finger.cgi?
• 8.16 What is the glimpse exploit?
• 8.17 What are some other CGI scripts that allow remote command execution?
• 8.18 What are the MetaInfo attacks?

9. The Basic Web Server

• 9.1 What are the big "weak spots" on servers?
• 9.2 What are the critical files?
• 9.3 What's the difference between httpd running as a daemon vs. running under inetd?
• 9.4 How does the server resolve paths?
• 9.5 What log files are used by the server?
• 9.6 How do access restrictions work?
• 9.7 How do password restrictions work?
• 9.8 What is web spoofing?

10. NT Basics

• 10.1 What are the components of NT security?
• 10.2 How does the authentication of a user actually work?
• 10.3 What is "standalone" vs. "workgroup" vs. "domain"?
• 10.4 What is a Service Pack?
• 10.5 What is a Hot Fix?
• 10.6 Where are Service Packs and Hot Fixes?
• 10.7 What's with "C2 certification"?
• 10.8 Are there are interesting default groups to be aware of?
• 10.9 What are the default directory permissions?
• 10.10 Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?
• 10.11 What is the Registry?
• 10.12 What are hives?
• 10.13 Why is the Registry like this and why do I care?
• 10.14 What is the deal with Microsoft's implementation of PPTP?

11. NT Accounts

• 11.1 What are common accounts and passwords in NT?
• 11.2 What if the Sys Admin has renamed the Administrator account?
• 11.3 How can I figure out valid account names for NT?
• 11.4 What can null sessions to an NT machine tell me?

12. NT Passwords

• 12.1 How do I access the password file in NT?
• 12.2 What do I do with a copy of SAM?
• 12.3 What's the full story with NT passwords?
• 12.4 How does brute force password cracking work with NT?
• 12.5 How does dictionary password cracking work with NT?
• 12.6 I lost the NT Administrator password. What do I do?
• 12.7 How does a Sys Admin enforce better passwords?
• 12.8 Can an Sys Admin prevent/stop SAM extraction?
• 12.9 How is password changing related to "last login time"?

13. NT Console Attacks

• 13.1 What does direct console access for NT get me?
• 13.2 What about NT's file system?
• 13.3 What is Netmon and why do I care?

14. NT Client Attacks

• 14.1 What is GetAdmin.exe and Crash4.exe?
• 14.2 Should I even try for local administrator access?
• 14.3 I have guest remote access. How can I get administrator access?
• 14.4 What about %systemroot%\system32 being writeable?
• 14.5 What if the permissions are restricted on the server?
• 14.6 What exactly does the NetBios Auditing Tool do?
• 14.7 What is the "Red Button" bug?
• 14.8 What about forging DNS packets for subversive purposes?
• 14.9 What about shares?
• 14.10 How do I get around a packet filter-based firewall?
• 14.11 I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?

15. NT Denial of Service

• 15.1 What can telnet give me in the way of denial of service?
• 15.2 What can I do with Samba?
• 15.3 What's with ROLLBACK.EXE?
• 15.4 What is an OOB attack?
• 15.5 Are there any other Denial of Service attacks?

16. NT Logging and Backdoors

• 16.1 Where are the common log files in NT?
• 16.2 How do I edit/change NT log files without being detected?
• 16.3 So how can I view/clear/edit the Security Log?
• 16.4 How can I turn off auditing in NT?

17. NT Misc. Attack Info

• 17.1 How is file and directory security enforced?
• 17.2 What is NTFS?
• 17.3 Are there are vulnerabilities to NTFS and access controls?
• 17.4 What is Samba and why is it important?
• 17.5 How do I bypass the screen saver?
• 17.6 How can I detect that a machine is in fact NT on the network?
• 17.7 Can I do on-the-fly disk encryption on NT?
• 17.8 Does the FTP service allow passive connections?
• 17.9 What is this "port scanning" you are talking about?
• 17.10 Does NT have bugs like Unix' sendmail?
• 17.11 How is password changing related to "last login time"?
• 17.12 Can sessions be hijacked?
• 17.13 Are "man in the middle" attacks possible?
• 17.14 What about TCP Sequence Number Prediction?
• 17.15 What's the story with buffer overflows on NT?

18. Netware Basics

• 18.1

19. Netware Accounts

• 19.1 What are common accounts and passwords for Netware?
• 19.2 How can I figure out valid account names on Netware?

20. Netware Passwords

• 20.1 How do I access the password file in Netware?
• 20.2 What's the full story with Netware passwords?
• 20.3 How does password cracking work with Netware?
• 20.4 How does password cracking work with Netware?
• 20.5 Can an Sys Admin prevent/stop Netware password hash extraction?
• 20.6 Can I reset an NDS password with just limited rights?
• 20.7 What is OS2NT.NLM?
• 20.8 How does password encryption work?
• 20.9 Can I login without a password?
• 20.10 What's with Windows 95 and Netware passwords?

21. Netware Console Attacks

• 21.1 What's the "secret" way to get Supe access Novell once taught CNE's?
• 21.2 How do I use SETPWD.NLM?
• 21.3 I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
• 21.4 What's the "debug" way to disable passwords?
• 21.5 How do I defeat console logging?
• 21.6 Can I set the RCONSOLE password to work for just Supervisor?
• 21.7 How can I get around a locked MONITOR?
• 21.8 Where are the Login Scripts stored in Netware 4.x and can I edit them?
• 21.9 What if I can't see SYS:_NETWARE?
• 21.10 So how do I access SYS:_NETWARE?
• 21.11 How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
• 21.12 What else can be done with console access?

22. Netware Client Attacks

• 22.1 What is the cheesy way to get Supervisor access?
• 22.2 How can I login without running the System Login Script in Netware 3.x?
• 22.3 How can I get IP info from a Netware server remotely?
• 22.4 Does 4.x store the LOGIN password to a temporary file?
• 22.5 Everyone can make themselves equivalent to anyone including Admin. How?
• 22.6 Can Windows 95 bypass NetWare user security?
• 22.7 What is Packet Signature and how do I get around it?

23. Netware Denial of Service

• 23.1 How can I abend a Netware server?
• 23.2 Will Windows 95 cause server problems for Netware?
• 23.3 Will Windows 95 cause network problems for Netware?

24. Netware Logging and Backdoors

• 24.1 How do I leave a backdoor for Netware?
• 24.2 What is the rumored "backdoor" in NDS?
• 24.3 What is the bindery backdoor in Netware 4.x?
• 24.4 Where are the common log files in Netware?
• 24.5 What is Accounting?
• 24.6 How do I defeat Accounting?
• 24.7 What is Intruder Detection?
• 24.8 How do I check for Intruder Detection?
• 24.9 What are station/time restrictions?
• 24.10 How can I tell if something is being Audited in Netware 4.x?
• 24.11 How can I remove Auditing if I lost the Audit password?
• 24.12 What is interesting about Netware 4.x's licensing?
• 24.13 What is the Word Perfect 5.1 trick when running Netware 3.x over DOS?

25. Netware Misc. Attack Info

• 25.1 How do I spoof my node or IP address?
• 25.2 How can I see hidden files and directories?
• 25.3 How do I defeat the execute-only flag?
• 25.4 How can I hide my presence after altering files?
• 25.5 What is a Netware-aware trojan?
• 25.6 What are Trustee Directory Assignments?
• 25.7 Are there any default Trustee Assignments that can be exploited?
• 25.8 What are some general ways to exploit Trustee Rights?
• 25.9 Can access to .NCF files help me?
• 25.10 Can someone think they've logged out and I walk up and take over?
• 25.11 What other Novell and third party programs have holes that give "too much access"?
• 25.12 How can I get around disk space requirements?
• 25.13 How do I remotely reboot a Netware 3.x file server?
• 25.14 What is Netware NFS and is it secure?
• 25.15 Can sniffing packets help me break into Netware servers?
• 25.16 What else can sniffing around Netware get me?
• 25.17 Do any Netware utilities have holes like Unix utilities?
• 25.18 Where can I get the Netware APIs?
• 25.19 Are there alternatives to Netware's APIs?
• 25.20 How can I remove NDS?
• 25.21 What are security considerations regarding partitions of the tree?
• 25.22 Can a department "Supe" become a regular Admin to the entire tree?
• 25.23 Are there products to help improve Netware's security?
• 25.24 Is Netware's Web server secure?
• 25.25 What's the story with Netware's FTP NLM?
• 25.26 Can an IntranetWare server be compromised from the Internet?
• 25.27 Are there any problems with Novell's Groupwise?
• 25.28 Are there any problems with Netware's Macintosh namespace?
• 25.29 What's the story with buffer overflows on Netware?

26. Netware Mathematical/Theoretical Info

• 26.1 How does the whole password/login/encryption thing work?
• 26.2 Are "man in the middle" attacks possible?
• 26.3 Are Netware-aware viruses possible?
• 26.4 Can a trojaned LOGIN.EXE be inserted during the login process?
• 26.5 Is anything "vulnerable" during a password change?
• 26.6 Is "data diddling" possible?

27. Unix Accounts

• 27.1 What are common accounts and passwords for Unix?
• 27.2 How can I figure out valid account names for Unix?

28. Unix Passwords

• 28.1 How do I access the password file in Unix?
• 28.2 What's the full story with Unix passwords?
• 28.3 How does brute force password cracking work with Unix?
• 28.4 How does dictionary password cracking work with Unix?
• 28.5 How does a Sys Admin enforce better passwords and password management?
• 28.6 So how do I get to those shadowed passwords?
• 28.7 So what can I learn with a password file from a heavily secured system?
• 28.8 What's the story with SRP?

29. Unix Local Attacks

• 29.1 Why attack locally?
• 29.2 How do most exploits work?
• 29.3 So how does a buffer overflow work?

30. Unix Remote Attacks

• 30.1 What are remote hacks?

31. Unix Logging

• 31.1 Where are the common log files in Unix?
• 31.2 How do I edit/change the log files for Unix?

32. Hacker Resources

• 32.1 What are some security-related WWW locations?
• 32.2 What are some security-related USENET groups?
• 32.3 What are some security-related mailing lists?
• 32.4 What are some other FAQs?
• 32.5 Where are all of these files mentioned in the FAQ?