Table of Contents

=Part One=

=Essential background Knowledge=

[0.0.0] Preface

[0.0.1] The Rhino9 Team

[0.0.2] Disclaimer

[0.0.3] Thanks and Greets

[1.0.0] Preface To NetBIOS

[1.0.1] What is NetBIOS?

[1.0.2] NetBIOS Names

[1.0.3] NetBIOS Sessions

[1.0.4] NetBIOS Datagrams

[1.0.5] NetBEUI Explained

[1.0.6] NetBIOS Scopes

[1.2.0] Preface to SMB's

[1.2.1] What are SMB's?

[1.2.2] The Redirector

[2.0.0] What is TCP/IP?

[2.0.1] FTP Explained

[2.0.2] Remote Login

[2.0.3] Computer Mail

[2.0.4] Network File Systems

[2.0.5] Remote Printing

[2.0.6] Remote Execution

[2.0.7] Name Servers

[2.0.8] Terminal Servers

[2.0.9] Network-Oriented Window Systems

[2.1.0] General description of the TCP/IP protocols

[2.1.1] The TCP Level

[2.1.2] The IP level

[2.1.3] The Ethernet level

[2.1.4] Well-Known Sockets And The Applications Layer

[2.1.5] Other IP Protocols

[2.1.6] Domain Name System

[2.1.7] Routing

[2.1.8] Subnets and Broadcasting

[2.1.9] Datagram Fragmentation and Reassembly

[2.2.0] Ethernet encapsulation: ARP

[3.0.0] Preface to the WindowsNT Registry

[3.0.1] What is the Registry?

[3.0.2] In Depth Key Discussion

[3.0.3] Understanding Hives

[3.0.4] Default Registry Settings

[4.0.0] Introduction to PPTP

[4.0.1] PPTP and Virtual Private Networking

[4.0.2] Standard PPTP Deployment

[4.0.3] PPTP Clients

[4.0.4] PPTP Architecture

[4.0.5] Understanding PPTP Security

[4.0.6] PPTP and the Registry

[4.0.7] Special Security Update

[5.0.0] TCP/IP Commands as Tools

[5.0.1] The Arp Command

[5.0.2] The Traceroute Command

[5.0.3] The Netstat Command

[5.0.4] The Finger Command

[5.0.5] The Ping Command

[5.0.6] The Nbtstat Command

[5.0.7] The IpConfig Command

[5.0.8] The Telnet Command

[6.0.0] NT Security

[6.0.1] The Logon Process

[6.0.2] Security Architecture Components

[6.0.3] Introduction to Securing an NT Box

[6.0.4] Physical Security Considerations

[6.0.5] Backups

[6.0.6] Networks and Security

[6.0.7] Restricting the Boot Process

[6.0.8] Security Steps for an NT Operating System

[6.0.9] Install Latest Service Pack and applicable hot-fixes

[6.1.0] Display a Legal Notice Before Log On

[6.1.1] Rename Administrative Accounts

[6.1.2] Disable Guest Account

[6.1.3] Logging Off or Locking the Workstation

[6.1.4] Allowing Only Logged-On Users to Shut Down the Computer

[6.1.5] Hiding the Last User Name

[6.1.6] Restricting Anonymous network access to Registry

[6.1.7] Restricting Anonymous network access to lookup account names and network shares

[6.1.8] Enforcing strong user passwords

[6.1.9] Disabling LanManager Password Hash Support

[6.2.0] Wiping the System Page File during clean system shutdown

[6.2.1] Protecting the Registry

[6.2.2] Secure EventLog Viewing

[6.2.3] Secure Print Driver Installation

[6.2.4] The Schedule Service (AT Command)

[6.2.5] Secure File Sharing

[6.2.6] Auditing

[6.2.7] Threat Action

[6.2.8] Enabling System Auditing

[6.2.9] Auditing Base Objects

[6.3.0] Auditing of Privileges

[6.3.1] Protecting Files and Directories

[6.3.2] Services and NetBios Access From Internet

[6.3.3] Alerter and Messenger Services

[6.3.4] Unbind Unnecessary Services from Your Internet Adapter Cards

[6.3.5] Enhanced Protection for Security Accounts Manager Database

[6.3.6] Disable Caching of Logon Credentials during interactive logon

[6.3.7] How to secure the %systemroot%\repair\sam._ file

[6.3.8] TCP/IP Security in NT

[6.3.9] Well known TCP/UDP Port numbers

[7.0.0] Preface to Microsoft Proxy Server

[7.0.1] What is Microsoft Proxy Server?

[7.0.2] Proxy Servers Security Features

[7.0.3] Beneficial Features of Proxy

[7.0.4] Hardware and Software Requirements

[7.0.5] What is the LAT?

[7.0.6] What is the LAT used for?

[7.0.7] What changes are made when Proxy Server is installed?

[7.0.8] Proxy Server Architecture

[7.0.9] Proxy Server Services: An Introduction

[7.1.0] Understanding components

[7.1.1] ISAPI Filter

[7.1.2] ISAPI Application

[7.1.3] Proxy Servers Caching Mechanism

[7.1.4] Windows Sockets

[7.1.5] Access Control Using Proxy Server

[7.1.6] Controlling Access by Internet Service

[7.1.7] Controlling Access by IP, Subnet, or Domain

[7.1.8] Controlling Access by Port

[7.1.9] Controlling Access by Packet Type

[7.2.0] Logging and Event Alerts

[7.2.1] Encryption Issues

[7.2.2] Other Benefits of Proxy Server

[7.2.3] RAS

[7.2.4] IPX/SPX

[7.2.5] Firewall Strategies

[7.2.6] Logical Construction

[7.2.7] Exploring Firewall Types

[7.2.3] NT Security Twigs and Ends

=Part Two=

=The Techniques of Survival=

[8.0.0] NetBIOS Attack Methods

[8.0.1] Comparing NAT.EXE to Microsoft's own executables

[8.0.2] First, a look at NBTSTAT

[8.0.3] Intro to the NET commands

[8.0.4] Net Accounts

[8.0.5] Net Computer

[8.0.6] Net Config Server or Net Config Workstation

[8.0.7] Net Continue

[8.0.8] Net File

[8.0.9] Net Group

[8.1.0] Net Help

[8.1.1] Net Helpmsg message#

[8.1.2] Net Localgroup

[8.1.3] Net Name

[8.1.4] Net Pause

[8.1.5] Net Print

[8.1.6] Net Send

[8.1.7] Net Session

[8.1.8] Net Share

[8.1.9] Net Statistics Server or Workstation

[8.2.0] Net Stop

[8.2.1] Net Time

[8.2.2] Net Use

[8.2.3] Net User

[8.2.4] Net View

[8.2.5] Special note on DOS and older Windows Machines

[8.2.6] Actual NET VIEW and NET USE Screen Captures during a hack

[9.0.0] Frontpage Extension Attacks

[9.0.1] For the tech geeks, we give you an actual PWDUMP

[9.0.2] The haccess.ctl file

[9.0.3] Side note on using John the Ripper

[10.0.0] WinGate

[10.0.1] What Is WinGate?

[10.0.2] Defaults After a WinGate Install

[10.0.3] Port 23 Telnet Proxy

[10.0.4] Port 1080 SOCKS Proxy

[10.0.5] Port 6667 IRC Proxy

[10.0.6] How Do I Find and Use a WinGate?

[10.0.7] I have found a WinGate telnet proxy now what?

[10.0.8] Securing the Proxies

[10.0.9] mIRC 5.x WinGate Detection Script

[10.1.0] Conclusion

[11.0.0] What a security person should know about WinNT

[11.0.1] NT Network structures (Standalone/WorkGroups/Domains)

[11.0.2] How does the authentication of a user actually work

[11.0.3] A word on NT Challenge and Response

[11.0.4] Default NT user groups

[11.0.5] Default directory permissions

[11.0.6] Common NT accounts and passwords

[11.0.7] How do I get the admin account name?

[11.0.8] Accessing the password file in NT

[11.0.9] Cracking the NT passwords

[11.1.0] What is 'last login time'?

[11.1.1] I've got Guest access, can I try for Admin?

[11.1.2] I heard that the %systemroot%\system32 was writeable?

[11.1.3] What about spoofing DNS against NT?

[11.1.4] What about default shared folders?

[11.1.5] How do I get around a packet filter-based firewall?

[11.1.6] What is NTFS?

[11.1.7] Are there any vulnerabilities to NTFS and access controls?

[11.1.8] How is file and directory security enforced?

[11.1.9] Once in, how can I do all that GUI stuff?

[11.2.0] How do I bypass the screen saver?

[11.2.1] How can I tell if it's an NT box?

[11.2.2] What exactly does the NetBios Auditing Tool do?

[12.0.0] Cisco Routers and their configuration

[12.0.1] User Interface Commands

[12.0.2] disable

[12.0.3] editing

[12.0.4] enable

[12.0.5] end

[12.0.6] exit

[12.0.7] full-help

[12.0.8] help

[12.0.9] history

[12.1.0] ip http access-class

[12.1.1] ip http port

[12.1.2] ip http server

[12.1.3] menu (EXEC)

[12.1.4] menu (global)

[12.1.5] menu command

[12.1.6] menu text

[12.1.7] menu title

[12.1.8] show history

[12.1.9] terminal editing

[12.2.0] terminal full-help (EXEC)

[12.2.1] terminal history

[12.2.2] Network Access Security Commands

[12.2.3] aaa authentication arap

[12.2.4] aaa authentication enable default

[12.2.5] aaa authentication local-override

[12.2.6] aaa authentication login

[12.2.7] aaa authentication nasi

[12.2.8] aaa authentication password-prompt

[12.2.9] aaa authentication ppp

[12.3.0] aaa authentication username-prompt

[12.3.1] aaa authorization

[12.3.2] aaa authorization config-commands

[12.3.3] aaa new-model

[12.3.4] arap authentication

[12.3.5] clear kerberos creds

[12.3.6] enable last-resort

[12.3.7] enable use-tacacs

[12.3.8] ip radius source-interface

[12.3.9] ip tacacs source-interface

[12.4.0] kerberos clients mandatory

[12.4.1] kerberos credentials forward

[12.4.2] kerberos instance map

[12.4.3] kerberos local-realm

[12.4.4] kerberos preauth

[12.4.5] kerberos realm

[12.4.6] kerberos server

[12.4.7] kerberos srvtab entry

[12.4.8] kerberos srvtab remote

[12.4.9] key config-key

[12.5.0] login tacacs

[12.5.1] nasi authentication

[12.5.2] ppp authentication

[12.5.3] ppp chap hostname

[12.5.4] ppp chap password

[12.5.5] ppp pap sent-username

[12.5.6] ppp use-tacacs

[12.5.7] radius-server dead-time

[12.5.8] radius-server host

[12.5.9] radius-server key

[12.6.0] radius-server retransmit

[12.6.1] show kerberos creds

[12.6.2] show privilege

[12.6.3] tacacs-server key

[12.6.4] tacacs-server login-timeout

[12.6.5] tacacs-server authenticate

[12.6.6] tacacs-server directed-request

[12.6.7] tacacs-server key

[12.6.8] tacacs-server last-resort

[12.6.9] tacacs-server notify

[12.7.0] tacacs-server optional-passwords

[12.7.1] tacacs-server retransmit

[12.7.2] tacacs-server timeout

[12.7.3] Traffic Filter Commands

[12.7.4] access-enable

[12.7.5] access-template

[12.7.6] clear access-template

[12.7.7] show ip accounting

[12.7.8] Terminal Access Security Commands

[12.7.9] enable password

[12.8.0] enable secret

[12.8.1] ip identd

[12.8.2] login authentication

[12.8.3] privilege level (global)

[12.8.4] privilege level (line)

[12.8.5] service password-encryption

[12.8.6] show privilege

[12.8.7] username

[12.8.8] A Word on Ascend Routers

[13.0.0] Known NT/95/IE Holes

[13.0.1] WINS port 84

[13.0.2] WindowsNT and SNMP

[13.0.3] Frontpage98 and Unix

[13.0.4] TCP/IP Flooding with Smurf

[13.0.5] SLMail Security Problem

[13.0.6] IE 4.0 and DHTML

[13.0.7] 2 NT Registry Risks

[13.0.8] Wingate Proxy Server

[13.0.9] O'Reilly Website uploader Hole

[13.1.0] Exchange 5.0 Password Caching

[13.1.1] Crashing NT using NTFS

[13.1.2] The GetAdmin Exploit

[13.1.3] Squid Proxy Server Hole

[13.1.4] Internet Information Server DoS attack

[13.1.5] Ping Of Death II

[13.1.6] NT Server's DNS DoS Attack

[13.1.7] Index Server Exposes Sensitive Material

[13.1.8] The Out Of Band (OOB) Attack

[13.1.9] SMB Downgrade Attack

[13.2.0] RedButton

[13.2.1] FrontPage WebBot Holes

[13.2.2] IE and NTLM Authentication

[13.2.3] Run Local Commands with IE

[13.2.4] IE can launch remote apps

[13.2.5] Password Grabbing Trojans

[13.2.6] Reverting an ISAPI Script

[13.2.7] Rollback.exe

[13.2.8] Replacing System .dll's

[13.2.9] Renaming Executables

[13.3.0] Viewing ASP Scripts

[13.3.1] .BAT and .CMD Attacks

[13.3.2] IIS /..\.. Problem

[13.3.3] Truncated Files

[13.3.4] SNA Holes

[13.3.5] SYN Flooding

[13.3.6] Land Attack

[13.3.7] Teardrop

[13.3.8] Pentium Bug

[14.0.0] VAX/VMS Makes a comeback (expired user exploit)

[14.0.1] Step 1

[14.0.2] Step 2

[14.0.3] Step 3

[14.0.4] Note

[15.0.0] Linux security 101

[15.0.1] Step 1

[15.0.2] Step 2

[15.0.3] Step 3

[15.0.4] Step 4

[15.0.5] Step 5

[15.0.6] Step 6

[16.0.0] Unix Techniques. New and Old.

[16.0.1] ShowMount Technique

[16.0.2] DEFINITIONS

[16.0.3] COMPARISON TO THE MICROSOFT WINDOWS FILESHARING

[16.0.4] SMBXPL.C

[16.0.5] Basic Unix Commands

[16.0.6] Special Characters in Unix

[16.0.7] File Permissions Etc..

[16.0.8] STATD EXPLOIT TECHNIQUE

[16.0.9] System Probing

[16.1.0] Port scanning

[16.1.1] rusers and finger command

[16.1.2] Mental Hacking, once you know a username

[17.0.0] Making a DDI from a Motorola Brick phone

[18.0.0] Pager Programmer

[19.0.0] The End