Command Center

Table of Contents

1.0 Administrivia

• What is the mission and goal of this FAQ?
• How was this FAQ prepared?
• How do I add to this FAQ?
• Contributors
• Other Credits
• Where can I download this FAQ?
• Where is the disclaimer?
• Changelog

2.0 Attack Basics

• What are the four steps to hacking?

3.0 Account Basics

• What are accounts?
• What are groups?

4.0 Password Basics

• What are some password basics?
• Why protect the hashes?
• What is a dictionary password cracker?
• What is a brute force password cracker?
• Which method is best for cracking?
• What is a salt?
• What are the dangers of cracking passwords?
• Where are the password hashes stored?
• Are there any password schemes that are safe?
• Is there any way I can open a password-protected Microsoft Office document?

5.0 Denial of Service Basics

• What is Denial of Service?
• What are some DoS scenarios?
• What is the Ping of Death?
• What is a SYN Flood attack?
• What are other popular DoS attacks?
• What are distributed DoS attacks?
• How can I discover new DoS attacks?
• How does one defend against DoS attacks?

6.0 Logging Basics

• Why do I care about auditing, accounting, and logging?
• What are some different logging techniques used by Admins?
• Why should I not just delete the log files?

7.0 Miscellaneous Basics

• What is a backdoor?
• What is a buffer overflow?
• What is "lame"?
• How do I get around censorware like Net Nanny or the Great Firewall of China?
• How can I forge email addresses?
• What's with ICQ?

8.0 Web Browser

• What is unsafe about my browser?
• What is in the history, bookmark, and cache files?
• What other browser files are important?
• Can you tell me more about the cookie file?
• How can I protect my browser files?
• So why all of the paranioa about browsers?

9.0 The Web Browser as an Attack Tool

• What is phf?
• What's the "test" hack?
• What about that "~" character?
• What is the jj.c problem?
• What's the deal with forms?
• What will this look like in the target's log files?
• What's the deal with Server-Side Includes?
• What if SSIs are turned on but includes are stripped from user input?
• What are SSL?
• How can I attack anonymously?
• What is the asp dot attack?
• What is the campas attack?
• What is the count.cgi attack?
• What is the faxsurvey attack?
• What about finger.cgi?
• What is the glimpse exploit?
• What are some other CGI scripts that allow remote command execution?
• What are the MetaInfo attacks?

10.0 The Basic Web Server

• What are the big weak spots on servers?
• What are the critical files?
• What's the difference between httpd running as a daemon vs. running under inetd?
• How does the server resolve paths?
• What log files are used by the server?
• How do access restrictions work?
• How do password restrictions work?
• What is web spoofing?

11.0 NT Basics

• What are the components of NT security?
• How does the authentication of a user actually work?
• What is "standalone" vs. "workgroup" vs. "domain"?
• What is a Service Pack?
• What is a Hot Fix?
• Where are Service Packs and Hot Fixes?
• What's with "C2 certification"?
• Are there are interesting default groups to be aware of?
• What are the default directory permissions?
• Are there any special restrictions surrounding the Administrative Tools group in Presentation Manager?
• What is the Registry?
• What are hives?
• Why is the Registry like this and why do I care?
• What is the deal with Microsoft's implementation of PPTP?

12.0 NT Accounts

• What are common accounts and passwords in NT?
• What if the Sys Admin has renamed the Administrator account?
• How can I figure out valid account names for NT?
• What can null sessions to an NT machine tell me?

13.0 NT Passwords

• How do I access the password file in NT?
• What do I do with a copy of SAM?
• What's the full story with NT passwords?
• How does brute force password cracking work with NT?
• How does dictionary password cracking work with NT?
• I lost the NT Administrator password. What do I do?
• How does a Sys Admin enforce better passwords?
• Can an Sys Admin prevent/stop SAM extraction?
• How is password changing related to "last login time"?

14.0 NT Console Attacks

• What does direct console access for NT get me?
• What about NT's file system?
• What is Netmon and why do I care?

15.0 NT Client Attacks

• What is GetAdmin.exe and Crash4.exe?
• Should I even try for local administrator access?
• I have guest remote access. How can I get administrator access?
• What about %systemroot%\system32 being writeable?
• What if the permissions are restricted on the server?
• What exactly does the NetBios Auditing Tool do?
• What is the "Red Button" bug?
• What about forging DNS packets for subversive purposes?
• What about shares?
• How do I get around a packet filter-based firewall?
• I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?
• What's the story with WinGate?
• How do I find these buggy WinGates I can use?

16.0 NT Denial of Service

• What can telnet give me in the way of denial of service?
• What can I do with Samba?
• What's with ROLLBACK.EXE?
• What is an OOB attack?
• Are there any other Denial of Service attacks?

17.0 NT Logging and Backdoors

• Where are the common log files in NT?
• How do I edit/change NT log files without being detected?
• So how can I view/clear/edit the Security Log?
• How can I turn off auditing in NT?

18.0 NT Misc. Attack Info

• How is file and directory security enforced?
• What is NTFS?
• Are there are vulnerabilities to NTFS and access controls?
• What is Samba and why is it important?
• How do I bypass the screen saver?
• How can I detect that a machine is in fact NT on the network?
• Can I do on-the-fly disk encryption on NT?
• Does the FTP service allow passive connections?
• What is this "port scanning" you are talking about?
• Does NT have bugs like Unix' sendmail?
• How is password changing related to "last login time"?
• Can sessions be hijacked?
• Are "man in the middle" attacks possible?
• What about TCP Sequence Number Prediction?
• What's the story with buffer overflows on NT?

19.0 Netware Accounts

• What are common accounts and passwords for Netware?
• How can I figure out valid account names on Netware?

20.0 Netware Passwords

• How do I access the password file in Netware?
• What's the full story with Netware passwords?
• How does password cracking work with Netware?
• How does password cracking work with Netware?
• Can an Sys Admin prevent/stop Netware password hash extraction?
• Can I reset an NDS password with just limited rights?
• What is OS2NT.NLM?
• How does password encryption work?
• Can I login without a password?
• What's with Windows 95 and Netware passwords?

21.0 Netware Console Attacks

• What's the "secret" way to get Supe access Novell once taught CNE's?
• How do I use SETPWD.NLM?
• I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
• What's the "debug" way to disable passwords?
• How do I defeat console logging?
• Can I set the RCONSOLE password to work for just Supervisor?
• How can I get around a locked MONITOR?
• Where are the Login Scripts stored in Netware 4.x and can I edit them?
• What if I can't see SYS:_NETWARE?
• So how do I access SYS:_NETWARE?
• How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
• What else can be done with console access?

22.0 Netware Client Attacks

• What is the cheesy way to get Supervisor access?
• How can I login without running the System Login Script in Netware 3.x?
• How can I get IP info from a Netware server remotely?
• Does 4.x store the LOGIN password to a temporary file?
• Everyone can make themselves equivalent to anyone including Admin. How?
• Can Windows 95 bypass NetWare user security?
• What is Packet Signature and how do I get around it?

23.0 Netware Denial of Service

• How can I abend a Netware server?
• Will Windows 95 cause server problems for Netware?
• Will Windows 95 cause network problems for Netware?

24.0 Netware Logging and Backdoors

• How do I leave a backdoor for Netware?
• What is the rumored "backdoor" in NDS?
• What is the bindery backdoor in Netware 4.x?
• Where are the common log files in Netware?
• What is Accounting?
• How do I defeat Accounting?
• What is Intruder Detection?
• How do I check for Intruder Detection?
• What are station/time restrictions?
• How can I tell if something is being Audited in Netware 4.x?
• How can I remove Auditing if I lost the Audit password?
• What is interesting about Netware 4.x's licensing?
• What is the Word Perfect 5.1 trick when running Netware 3.x over DOS?

25.0 Netware Misc. Attack Info

• How do I spoof my node or IP address?
• How can I see hidden files and directories?
• How do I defeat the execute-only flag?
• How can I hide my presence after altering files?
• What is a Netware-aware trojan?
• What are Trustee Directory Assignments?
• Are there any default Trustee Assignments that can be exploited?
• What are some general ways to exploit Trustee Rights?
• Can access to .NCF files help me?
• Can someone think they've logged out and I walk up and take over?
• What other Novell and third party programs have holes that give "too much access"?
• How can I get around disk space requirements?
• How do I remotely reboot a Netware 3.x file server?
• What is Netware NFS and is it secure?
• Can sniffing packets help me break into Netware servers?
• What else can sniffing around Netware get me?
• Do any Netware utilities have holes like Unix utilities?
• Where can I get the Netware APIs?
• Are there alternatives to Netware's APIs?
• How can I remove NDS?
• What are security considerations regarding partitions of the tree?
• Can a department "Supe" become a regular Admin to the entire tree?
• Are there products to help improve Netware's security?
• Is Netware's Web server secure?
• What's the story with Netware's FTP NLM?
• Can an IntranetWare server be compromised from the Internet?
• Are there any problems with Novell's Groupwise?
• Are there any problems with Netware's Macintosh namespace?
• What's the story with buffer overflows on Netware?

26.0 Netware Mathematical/Theoretical Info

• How does the whole password/login/encryption thing work?
• Are "man in the middle" attacks possible?
• Are Netware-aware viruses possible?
• Can a trojaned LOGIN.EXE be inserted during the login process?
• Is anything "vulnerable" during a password change?
• Is "data diddling" possible?

27.0 Unix Accounts

• What are common accounts and passwords for Unix?
• How can I figure out valid account names for Unix?

28.0 Unix Passwords

• How do I access the password file in Unix?
• What's the full story with Unix passwords?
• How does brute force password cracking work with Unix?
• How does dictionary password cracking work with Unix?
• How does a Sys Admin enforce better passwords and password management?
• So how do I get to those shadowed passwords?
• So what can I learn with a password file from a heavily secured system?
• What's the story with SRP?

29.0 Unix Local Attacks

• Why attack locally?
• How do most exploits work?
• So how does a buffer overflow work?

30.0 Unix Remote Attacks

• What are remote hacks?

31.0 Unix Logging

• Where are the common log files in Unix?
• How do I edit/change the log files for Unix?

32.0 Hacker Resources

• What are some security-related WWW locations?
• What are some security-related USENET groups?
• What are some security-related mailing lists?
• What are some other FAQs?

4.6 What is a salt?

To increase the overhead in cracking passwords, some algorithms employ salts to add further complexity and difficulty to the cracking of passwords. These salts are typically 2 to 8 bytes in length, and algorithmically introduced to further obfuscate the one-way hash. Of the major operating systems covered here, only NT does not use a salt. The specifics for salts for both Unix and Netware systems are covered in their individual password sections.

Historically, the way cracking has been done is to take a potential password, encrypt it and produce the hash, and then compare the result to each account in the password file. By adding a salt, you force the cracker to have to read the salt in and encrypt the potential password with each salt present in the password file. This increases the amount of time to break all of the passwords, although it is certainly no guarantee that the passwords can't be cracked. Because of this most modern password crackers when dealing with salts do give the option of checking a specific account.

Reference: http://www.nmrc.org/pub/faq/hackfaq/