The MH DeskReference - Against All Authority
Version 1.2

Table of Contents

=Part One=
=Essential Background Knowledge=

[0.0.0] Preface
[0.0.1] The Rhino9 Team
[0.0.2] Disclaimer
[0.0.3] Thanks and Greets
[1.0.0] Preface to NetBIOS
[1.0.1] What is NetBIOS?
[1.0.2] NetBIOS Names
[1.0.3] NetBIOS Sessions
[1.0.4] NetBIOS Datagrams
[1.0.5] NetBEUI Explained
[1.0.6] NetBIOS Scopes
[1.2.0] Preface to SMBs
[1.2.1] What are SMBs?
[1.2.2] The Redirector
[2.0.0] What is TCP/IP?
[2.0.1] FTP Explained
[2.0.2] Remote Login
[2.0.3] Computer Mail
[2.0.4] Network File Systems
[2.0.5] Remote Printing
[2.0.6] Remote Execution
[2.0.7] Name Servers
[2.0.8] Terminal Servers
[2.0.9] Network-Oriented Window Systems
[2.1.0] General description of the TCP/IP protocols
[2.1.1] The TCP Level
[2.1.2] The IP Level
[2.1.3] The Ethernet Level
[2.1.4] Well-Known Sockets and the Applications Layer
[2.1.5] Other IP Protocols
[2.1.6] Domain Name System
[2.1.7] Routing
[2.1.8] Subnets and Broadcasting
[2.1.9] Datagram Fragmentation and Reassembly
[2.2.0] Ethernet Encapsulation: ARP
[3.0.0] Preface to the Windows NT Registry
[3.0.1] What is the Registry?
[3.0.2] In-Depth Key Discussion
[3.0.3] Understanding Hives
[3.0.4] Default Registry Settings
[4.0.0] Introduction to PPTP
[4.0.1] PPTP and Virtual Private Networking
[4.0.2] Standard PPTP Deployment
[4.0.3] PPTP Clients
[4.0.4] PPTP Architecture
[4.0.5] Understanding PPTP Security
[4.0.6] PPTP and the Registry
[4.0.7] Special Security Update
[5.0.0] TCP/IP Commands as Tools
[5.0.1] The Arp Command
[5.0.2] The Traceroute Command
[5.0.3] The Netstat Command
[5.0.4] The Finger Command
[5.0.5] The Ping Command
[5.0.6] The Nbtstat Command
[5.0.7] The IpConfig Command
[5.0.8] The Telnet Command
[6.0.0] NT Security
[6.0.1] The Logon Process
[6.0.2] Security Architecture Components
[6.0.3] Introduction to Securing an NT Box
[6.0.4] Physical Security Considerations
[6.0.5] Backups
[6.0.6] Networks and Security
[6.0.7] Restricting the Boot Process
[6.0.8] Security Steps for an NT Operating System
[6.0.9] Install the Latest Service Pack and Applicable Hot-Fixes
[6.1.0] Display a Legal Notice Before Log On
[6.1.1] Rename Administrative Accounts
[6.1.2] Disable the Guest Account
[6.1.3] Logging Off or Locking the Workstation
[6.1.4] Allowing Only Logged-On Users to Shut Down the Computer
[6.1.5] Hiding the Last User Name
[6.1.6] Restricting Anonymous Network Access to the Registry
[6.1.7] Restricting Anonymous Network Access to Lookup of Account Names and Network Shares
[6.1.8] Enforcing Strong User Passwords
[6.1.9] Disabling LanManager Password Hash Support
[6.2.0] Wiping the System Page File During Clean System Shutdown
[6.2.1] Protecting the Registry
[6.2.2] Secure EventLog Viewing
[6.2.3] Secure Print Driver Installation
[6.2.4] The Schedule Service (AT Command)
[6.2.5] Secure File Sharing
[6.2.6] Auditing
[6.2.7] Threat Action
[6.2.8] Enabling System Auditing
[6.2.9] Auditing Base Objects
[6.3.0] Auditing of Privileges
[6.3.1] Protecting Files and Directories
[6.3.2] Services and NetBIOS Access from the Internet
[6.3.3] Alerter and Messenger Services
[6.3.4] Unbind Unnecessary Services from Your Internet Adapter Cards
[6.3.5] Enhanced Protection for the Security Accounts Manager Database
[6.3.6] Disable Caching of Logon Credentials During Interactive Logon
[6.3.7] How to Secure the %systemroot%\repair\sam._ File
[6.3.8] TCP/IP Security in NT
[6.3.9] Well-Known TCP/UDP Port Numbers
[7.0.0] Preface to Microsoft Proxy Server
[7.0.1] What is Microsoft Proxy Server?
[7.0.2] Proxy Server's Security Features
[7.0.3] Beneficial Features of Proxy
[7.0.4] Hardware and Software Requirements
[7.0.5] What is the LAT?
[7.0.6] What is the LAT Used For?
[7.0.7] What Changes Are Made When Proxy Server is Installed?
[7.0.8] Proxy Server Architecture
[7.0.9] Proxy Server Services: An Introduction
[7.1.0] Understanding Components
[7.1.1] ISAPI Filter
[7.1.2] ISAPI Application
[7.1.3] Proxy Server's Caching Mechanism
[7.1.4] Windows Sockets
[7.1.5] Access Control Using Proxy Server
[7.1.6] Controlling Access by Internet Service
[7.1.7] Controlling Access by IP, Subnet, or Domain
[7.1.8] Controlling Access by Port
[7.1.9] Controlling Access by Packet Type
[7.2.0] Logging and Event Alerts
[7.2.1] Encryption Issues
[7.2.2] Other Benefits of Proxy Server
[7.2.3] RAS
[7.2.4] IPX/SPX
[7.2.5] Firewall Strategies
[7.2.6] Logical Construction
[7.2.7] Exploring Firewall Types
[7.2.8] NT Security Twigs and Ends

=Part Two=
=The Techniques of Survival=

[8.0.0] NetBIOS Attack Methods
[8.0.1] Comparing NAT.EXE to Microsoft's Own Executables
[8.0.2] First, a Look at NBTSTAT
[8.0.3] Intro to the NET Commands
[8.0.4] Net Accounts
[8.0.5] Net Computer
[8.0.6] Net Config Server or Net Config Workstation
[8.0.7] Net Continue
[8.0.8] Net File
[8.0.9] Net Group
[8.1.0] Net Help
[8.1.1] Net Helpmsg message#
[8.1.2] Net Localgroup
[8.1.3] Net Name
[8.1.4] Net Pause
[8.1.5] Net Print
[8.1.6] Net Send
[8.1.7] Net Session
[8.1.8] Net Share
[8.1.9] Net Statistics Server or Workstation
[8.2.0] Net Stop
[8.2.1] Net Time
[8.2.2] Net Use
[8.2.3] Net User
[8.2.4] Net View
[8.2.5] Special Note on DOS and Older Windows Machines
[8.2.6] Actual NET VIEW and NET USE Screen Captures During a Hack
[9.0.0] FrontPage Extension Attacks
[9.0.1] For the Tech Geeks, We Give You an Actual PWDUMP
[9.0.2] The haccess.ctl File
[9.0.3] Side Note on Using John the Ripper
[10.0.0] WinGate
[10.0.1] What Is WinGate?
[10.0.2] Defaults After a WinGate Install
[10.0.3] Port 23 Telnet Proxy
[10.0.4] Port 1080 SOCKS Proxy
[10.0.5] Port 6667 IRC Proxy
[10.0.6] How Do I Find and Use a WinGate?
[10.0.7] I Have Found a WinGate Telnet Proxy, Now What?
[10.0.8] Securing the Proxies
[10.0.9] mIRC 5.x WinGate Detection Script
[10.1.0] Conclusion
[11.0.0] What a Security Person Should Know About WinNT
[11.0.1] NT Network Structures (Standalone/Workgroups/Domains)
[11.0.2] How Does the Authentication of a User Actually Work?
[11.0.3] A Word on NT Challenge and Response
[11.0.4] Default NT User Groups
[11.0.5] Default Directory Permissions
[11.0.6] Common NT Accounts and Passwords
[11.0.7] How Do I Get the Admin Account Name?
[11.0.8] Accessing the Password File in NT
[11.0.9] Cracking the NT Passwords
[11.1.0] What is 'Last Login Time'?
[11.1.1] I've Got Guest Access, Can I Try for Admin?
[11.1.2] I Heard That %systemroot%\system32 Was Writeable?
[11.1.3] What About Spoofing DNS Against NT?
[11.1.4] What About Default Shared Folders?
[11.1.5] How Do I Get Around a Packet-Filter-Based Firewall?
[11.1.6] What is NTFS?
[11.1.7] Are There Any Vulnerabilities in NTFS and Access Controls?
[11.1.8] How is File and Directory Security Enforced?
[11.1.9] Once In, How Can I Do All That GUI Stuff?
[11.2.0] How Do I Bypass the Screen Saver?
[11.2.1] How Can I Tell if It's an NT Box?
[11.2.2] What Exactly Does the NetBIOS Auditing Tool Do?
[12.0.0] Cisco Routers and Their Configuration
[12.0.1] User Interface Commands
[12.0.2] disable
[12.0.3] editing
[12.0.4] enable
[12.0.5] end
[12.0.6] exit
[12.0.7] full-help
[12.0.8] help
[12.0.9] history
[12.1.0] ip http access-class
[12.1.1] ip http port
[12.1.2] ip http server
[12.1.3] menu (EXEC)
[12.1.4] menu (global)
[12.1.5] menu command
[12.1.6] menu text
[12.1.7] menu title
[12.1.8] show history
[12.1.9] terminal editing
[12.2.0] terminal full-help (EXEC)
[12.2.1] terminal history
[12.2.2] Network Access Security Commands
[12.2.3] aaa authentication arap
[12.2.4] aaa authentication enable default
[12.2.5] aaa authentication local-override
[12.2.6] aaa authentication login
[12.2.7] aaa authentication nasi
[12.2.8] aaa authentication password-prompt
[12.2.9] aaa authentication ppp
[12.3.0] aaa authentication username-prompt
[12.3.1] aaa authorization
[12.3.2] aaa authorization config-commands
[12.3.3] aaa new-model
[12.3.4] arap authentication
[12.3.5] clear kerberos creds
[12.3.6] enable last-resort
[12.3.7] enable use-tacacs
[12.3.8] ip radius source-interface
[12.3.9] ip tacacs source-interface
[12.4.0] kerberos clients mandatory
[12.4.1] kerberos credentials forward
[12.4.2] kerberos instance map
[12.4.3] kerberos local-realm
[12.4.4] kerberos preauth
[12.4.5] kerberos realm
[12.4.6] kerberos server
[12.4.7] kerberos srvtab entry
[12.4.8] kerberos srvtab remote
[12.4.9] key config-key
[12.5.0] login tacacs
[12.5.1] nasi authentication
[12.5.2] ppp authentication
[12.5.3] ppp chap hostname
[12.5.4] ppp chap password
[12.5.5] ppp pap sent-username
[12.5.6] ppp use-tacacs
[12.5.7] radius-server dead-time
[12.5.8] radius-server host
[12.5.9] radius-server key
[12.6.0] radius-server retransmit
[12.6.1] show kerberos creds
[12.6.2] show privilege
[12.6.3] tacacs-server key
[12.6.4] tacacs-server login-timeout
[12.6.5] tacacs-server authenticate
[12.6.6] tacacs-server directed-request
[12.6.7] tacacs-server key
[12.6.8] tacacs-server last-resort
[12.6.9] tacacs-server notify
[12.7.0] tacacs-server optional-passwords
[12.7.1] tacacs-server retransmit
[12.7.2] tacacs-server timeout
[12.7.3] Traffic Filter Commands
[12.7.4] access-enable
[12.7.5] access-template
[12.7.6] clear access-template
[12.7.7] show ip accounting
[12.7.8] Terminal Access Security Commands
[12.7.9] enable password
[12.8.0] enable secret
[12.8.1] ip identd
[12.8.2] login authentication
[12.8.3] privilege level (global)
[12.8.4] privilege level (line)
[12.8.5] service password-encryption
[12.8.6] show privilege
[12.8.7] username
[12.8.8] A Word on Ascend Routers
[13.0.0] Known NT/95/IE Holes
[13.0.1] WINS Port 84
[13.0.2] Windows NT and SNMP
[13.0.3] FrontPage 98 and Unix
[13.0.4] TCP/IP Flooding with Smurf
[13.0.5] SLMail Security Problem
[13.0.6] IE 4.0 and DHTML
[13.0.7] 2 NT Registry Risks
[13.0.8] WinGate Proxy Server
[13.0.9] O'Reilly WebSite Uploader Hole
[13.1.0] Exchange 5.0 Password Caching
[13.1.1] Crashing NT Using NTFS
[13.1.2] The GetAdmin Exploit
[13.1.3] Squid Proxy Server Hole
[13.1.4] Internet Information Server DoS Attack
[13.1.5] Ping of Death II
[13.1.6] NT Server's DNS DoS Attack
[13.1.7] Index Server Exposes Sensitive Material
[13.1.8] The Out Of Band (OOB) Attack
[13.1.9] SMB Downgrade Attack
[13.2.0] RedButton
[13.2.1] FrontPage WebBot Holes
[13.2.2] IE and NTLM Authentication
[13.2.3] Run Local Commands with IE
[13.2.4] IE Can Launch Remote Apps
[13.2.5] Password-Grabbing Trojans
[13.2.6] Reverting an ISAPI Script
[13.2.7] Rollback.exe
[13.2.8] Replacing System .dll's
[13.2.9] Renaming Executables
[13.3.0] Viewing ASP Scripts
[13.3.1] .BAT and .CMD Attacks
[13.3.2] IIS /..\.. Problem
[13.3.3] Truncated Files
[13.3.4] SNA Holes
[13.3.5] SYN Flooding
[13.3.6] Land Attack
[13.3.7] Teardrop
[13.3.8] Pentium Bug
[14.0.0] VAX/VMS Makes a Comeback (Expired User Exploit)
[14.0.1] Step 1
[14.0.2] Step 2
[14.0.3] Step 3
[14.0.4] Note
[15.0.0] Linux Security 101
[15.0.1] Step 1
[15.0.2] Step 2
[15.0.3] Step 3
[15.0.4] Step 4
[15.0.5] Step 5
[15.0.6] Step 6
[16.0.0] Unix Techniques, New and Old
[16.0.1] ShowMount Technique
[16.0.2] DEFINITIONS
[16.0.3] COMPARISON TO MICROSOFT WINDOWS FILE SHARING
[16.0.4] SMBXPL.C
[16.0.5] Basic Unix Commands
[16.0.6] Special Characters in Unix
[16.0.7] File Permissions, Etc.
[16.0.8] STATD EXPLOIT TECHNIQUE
[16.0.9] System Probing
[16.1.0] Port Scanning
[16.1.1] The rusers and finger Commands
[16.1.2] Mental Hacking, Once You Know a Username
[17.0.0] Making a DDI from a Motorola Brick Phone
[18.0.0] Pager Programmer
[19.0.0] The End