The Unofficial NT Hack FAQ

Section 00

General Info

00-1. What is this "FAQ" for?
00-2. What is the origin of this FAQ and how do I add to it?
00-3. Is this FAQ available by anonymous FTP or WWW?
00-4. How was this FAQ prepared?

00-1. What is this "FAQ" for?

This FAQ serves two distinct purposes -- the first is to provide the NT hacker with a resource. The second purpose is a wake-up call to Sys Admins who are too lazy to install the latest Service Pack.

This FAQ assumes basic knowledge of NT. If you do not know the basics, go buy a book or take one of those overpriced classes I get junk mail about. Do not send me email asking me questions that can be answered with basic knowledge -- I don't acknowledge them, I delete them.


00-2. What is the origin of this FAQ and how do I add to it?

This FAQ started for two reasons. First, several people asked if I was going to do one. This seems reason enough, but the clincher was reading a partial quote from the NT Security FAQ, which stated in the Legaleeze section that the FAQ was not "a cookbook to be used by crackers to gain access to Windows NT systems." Well, that's hardly fun, now is it! (BTW the NT Security FAQ is still an excellent resource.)

I've been collecting info and reading about NT, but once I got to load up NT in my lab things really got moving.

To add info to this FAQ, simply send an email to faq@nmrc.org with "NT" in the subject. Please let me know what steps can duplicate an exploit, any patches or workarounds that might fix it, whether Microsoft knows or cares about it, and if you want to be credited in the FAQ.

Anonymous submissions are okay. Encrypt them if you like; here's my PGP key:


00-3. Is this FAQ available by anonymous FTP or WWW?

The FAQ is available as text or HTML from the following location:

 - http://www.nmrc.org/files/nt

Entire FAQ online:

 - http://www.nmrc.org/faqs/nt

00-4. How was this FAQ prepared?

After collecting information from a number of sources, I loaded NT Server 4.0 and performed a number of the techniques discussed in this FAQ. Most of the tests involved Samba. Tests were conducted at the NMRC labs, on a friend's network, and at a client's site (yes, they gave me permission).

The tests were not THAT scientific -- most involved duplicating the many bugs that people have reported and playing with the various NT hacking tools that are starting to appear.
