A Newbie Guide to NT 4.0

by Konceptor  (konceptor@hotmail.com)

First off, what I have found during my recent adventures into my school's network is extremely useful to the malicious hacker and can lead to serious mishaps should one choose to use it for extreme personal gain.  If you choose to use the information you may obtain in a malicious manner, I will frown upon you.  You are then not a hacker, but a criminal.

This article describes what I used and how I did it.

What you need: laptop or personal computer with Windows NT 4.0 workstation and an account on the network.  A can of AdminAssist (a.k.a. ScanNT).  A willingness to explore.

I am currently enrolled in a world-renowned Tech College.  My interest in hacking never involved hacking into my own school's network, which is based on NT 4.0.  But after a year of attendance (being I am in a laptop class, in which we rent/own our laptops, take them home, dial-up, etc.), I felt a strong urge to test their network security.

"Elite" hackers more than likely know this as a no-brainer, but newbies may not be aware of Microlame's stupidity.  In my school and on everyone's laptop, we have at least three accounts that the SysAdmins set up for us: our own, the administrators, and guest.  If you are in the same scenario as I am, check out your C:\WinNT\Profiles directory and you will see a folder for each of the user accounts for that computer.  (Yes, this is kinda the same as Windows 95, except ScanNT won't work.)  Each folder is a login for the computer, and also has certain privileges on the network.  Note: Your account will be there, even if you login as "guest".

More than likely, you too will have an administrator's, or whatever they name it, account, because they like to control and set permissions on the registry and other nonsense.  As my C:\WinNT\Profiles is set up:

|administrator|
|%myaccount%|
|guest|

This means (if you haven't figured it out yet) that you have the option of logging in as administrator on your laptop (before you fall asleep: every student in my school is the "god" of his own laptop).

When you startup an NT 4.0 workstation, you are prompted for your login and password and the domain you are on.  I had two domains to start with, REMOTE and my computer's name.

Now, pick up a shareware copy of AdminAssist.  After you install it on your laptop, it tells you that you are not currently the administrator.  Before you can say f*ck it, it asks you if you want administrator rights under your account.  Click Yes and restart.  Presto, you can now crack all the accounts on your laptop and more, which I will get to.

(Note:  I was shocked as hell to find out my administrator's password was an easily guessed school phrase, and even more shocked to find out how stupid the administrators are to tell us students that no important information, i.e. grades, records, financing, etc. was kept on the network.)

Previously, logged in under my user account, I had access to basic student stuff on my school's network.  Under my administrator's account, I now have access to different "other" directories.  I almost fell on the floor.  In my years of hacking, I have not had even half the hacker's rush as I did on the day I cracked the administrator's account in my own school, and I didn't have to snoop into the server to get it.  But the server's log files will record my excursions, so to not give myself away, I just use the library's computers and e-mail the info to a Hotmail account, or use a floppy.  Logging in under the REMOTE domain narrows unauthorized activity down to 1800 laptops, so when I didn't want to use other computers, I logged in on REMOTE.  Except when I used a domain from another computer with their logins and passwords - you get the idea.

My next step was to find out how far this account would take me.  No, it did not give me total control.  However, I did have access to staff-only related directories and outdated directories, which, when I checked the dates on them, have been there for about a year or two.  To make a long story short, I basically copied everything of interest.  I checked all outdated files just for shits and grins.  I have since obtained .DOCs of all the IP addresses on the network, copies of .PSTs of various teachers and higher-ups who don't password their e-mail access, logins and passwords, grades of everyone in the school, financial records, etc.  You name it; I run the school (I will say shame on my school, I didn't know they were corporate.  Makes me feel... marketed).  I also have access to their .html files, so a little tweak here or there might justify some incorrectness.  However, I will not use this information for maliciousness or extreme personal gain.

In my course, I have also had access to various other computers, and have made accounts on my laptop with their logins, passwords, and domains, so as to test their reach on the network.

There are a few computers which I still do not have access to on our network, but that will soon change.  Overall, this was an easy access network.  Even a newbie should be able to do this one in his sleep.  I just proved how easy it is to get everything you want off a network, without having root access to everything.  I never had superuser privileges, accounts, or rights.  I never had to use finger, portscan, whois, etc.  No late night password cracking excursions, no nothing.  I just used a few tricks that everyone else can use, but seldom do.  The time frame for all this was within a couple of days, except for the e-mail, which... well, I sure have a lot of e-mails in my Inbox!

Recap of Events

Check out: C:\WinNT\Profiles.  See what accounts are in there; each folder name is a login account.

Download AdminAssist.  Install it and crack passwords for accounts on your computer (however, as I recall, I haven't tried L0phtCrack on my network, but plan to).

With NT 4.0, there are almost (I say this because we still have a couple of Win95ers on our network) no directories password protected.  NT relies on the authentication you performed when logging in to your computer.  You will have to log in under the account with the most privileges; probably the administrator's.  Duh.

Check around the network.  Look at all old files.  Look at new ones.  If you can't access some directories, don't sweat it.  You will eventually.  Build upon a base.  Eventually, even if you are a newbie, you will obtain higher permissions.  Just keep at it.  Rome wasn't built in a day.

Only make copies.  Sysadmins get uptight when they can't find something, or something's been changed.  Then they check the logs.

With access to several computers around the school, I was able to incorporate their accounts into my machine, thus providing further exploration, and not having to use each individual computer to do it.

End Note:  This write-up is in no way complete.  I encountered various obstructions and highways along the way, and may have left out specific information without knowing it.

Shouts to: ~~darkness~~ and Crunch; let's do some more dumpster diving!
