Sunday, November 29, 2009

Automatic Password Cracking Algorithm


1. Find a valid user
2. Find the encryption algorithm used
3. Obtain the encrypted passwords
4. Create a list of possible passwords
5. Encrypt each word
6. See if there is a match for each user ID
7. Repeat steps 1 through 6
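Steps 5 and 6 only scale because NT stores each password as an unsalted hash: one encryption per candidate word can be compared against every user at once. The added example below (not part of the original post) shows that cost asymmetry and the countermeasure, counting hash operations for the same wordlist against unsalted hashes and against per-user salted, iterated hashes. The user records and wordlist are constructed, and SHA-256/PBKDF2 stand in for the real NT hash, since the property demonstrated is the same.

```python
import hashlib
import os

# Constructed sample data: three users, two of whom chose the same weak password.
# Real NT hashes are unsalted MD4; SHA-256 stands in here because the property
# being shown (one hash per candidate word serves every user) is identical.
USERS = {"alice": "winter2009", "bob": "Secret!23", "carol": "winter2009"}
WORDLIST = ["password", "letmein", "winter2009", "admin", "Secret!23"]


def unsalted(pw: str) -> str:
    """Stand-in for an unsalted password hash."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user salt plus a deliberately slow iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def audit_unsalted(stored: dict, words: list) -> tuple:
    """Steps 5-6 of the algorithm against unsalted hashes.

    Each candidate is hashed exactly once; a dictionary lookup then matches it
    against every user for free. Returns (recovered, hash_operations)."""
    by_hash: dict = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    recovered, ops = {}, 0
    for w in words:
        ops += 1
        for user in by_hash.get(unsalted(w), []):
            recovered[user] = w  # same hash -> same password for every such user
    return recovered, ops


def audit_salted(stored: dict, words: list) -> tuple:
    """The same loop against per-user salted, iterated hashes.

    The salt forces one hash computation per (word, user) pair, and the
    iteration count makes each of those computations slow."""
    recovered, ops = {}, 0
    for user, (salt, h) in stored.items():
        for w in words:
            ops += 1
            if salted(w, salt) == h:
                recovered[user] = w
                break
    return recovered, ops


def demo() -> tuple:
    """Build both stores from the constructed users and run both audits."""
    unsalted_db = {u: unsalted(p) for u, p in USERS.items()}
    salted_db = {}
    for u, p in USERS.items():
        salt = os.urandom(16)  # fresh random salt per user
        salted_db[u] = (salt, salted(p, salt))
    r1, ops1 = audit_unsalted(unsalted_db, WORDLIST)
    r2, ops2 = audit_salted(salted_db, WORDLIST)
    return r1, ops1, r2, ops2


if __name__ == "__main__":
    r1, ops1, r2, ops2 = demo()
    print("unsalted:", r1, "hash ops:", ops1)
    print("salted:  ", r2, "hash ops:", ops2)
```

With five candidate words the unsalted store costs five cheap hashes regardless of how many users there are; the salted store costs one slow hash per word per user, which is exactly the growth that makes salting and key stretching the standard defence against this algorithm.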

Tool: hk.exe

The hk.exe utility exposes a Local Procedure Call (LPC) flaw in NT.
A non-admin user can be escalated to the Administrators group using hk.exe.

Tool: GetAdmin

GetAdmin.exe is a small program that adds a user to the local Administrators group.
It uses a low-level NT kernel routine to set a global flag that allows access to any running process.
You need to log on at the server console to execute the program.
GetAdmin.exe is run from the command line or from a browser.
This only works with NT 4.0 Service Pack 3.

Privilege Escalation


If an attacker gains access to the network using a non-admin user account, the next step is to gain higher privilege, that of an administrator.
This is called privilege escalation.

Hacking Tool: KerbCrack


KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can then be used to recover the passwords from the capture file using a brute-force attack or a dictionary attack.

Hacking Tool: L0phtCrack

LC4 is a password auditing and recovery package distributed by @stake. Its SMB packet capture listens on the local network segment and captures individual login sessions.
With the L0phtCrack password cracking engine, anyone who can sniff the wire for an extended period is almost guaranteed to obtain Administrator status in a matter of days.

Password Sniffing


Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

Password Guessing Countermeasures

Block access to TCP and UDP ports 135-139.
Disable bindings to the WINS client on any adapter.
Use complex passwords.
Log failed logon attempts in Event Viewer (Security log, Logon/Logoff category, events 529 and 539).

Hacking tool: NTInfoScan (now CIS)

NTInfoScan (now CIS) is a vulnerability scanner for NT 4.0 that produces an HTML-based report of the security issues found on the target system, with further information on each.

Hacking Tool: Legion


Legion automates password guessing over NetBIOS sessions. Legion will scan multiple Class C IP address ranges for Windows shares and also offers a manual dictionary attack tool.

SYSTEM HACKING


Understand the following
Remote password guessing
Eavesdropping
Denial of Service
Buffer overflows
Privilege escalation
Password cracking
Keystroke loggers
Sniffers
Remote control and backdoors
Port redirection
Covering tracks
Hiding files
Assuming that the NetBIOS port (TCP 139) is open, the most effective method of breaking into NT/2000 is password guessing:
attempting to connect to an enumerated share (IPC$ or C$) and trying username/password combinations.
The default Admin$, C$ and %Systemdrive% shares are a good starting point.
Performing automated password guessing is easy: a simple loop using the NT/2000 shell FOR command, based on the standard NET USE syntax.
1. Create a simple file of password/username pairs, one pair per line.
2. Feed this file to the FOR command (the option is "tokens", and there is no space after "/u:"):
C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
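The loop above leaves a distinctive trace on the target: a burst of event 529 (bad username or password) from one source workstation against several accounts, often ending in event 539 (account locked out). This is exactly what the "log failed logon attempts" countermeasure earlier on the page relies on. The following added example (not part of the original post) shows detection logic over a constructed, flattened sample of Security log entries; the field layout, the host names and the five-failures-per-minute threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of NT/2000 Security log entries, flattened to one line each:
#   timestamp | event id | target account | source workstation
# 528 = successful logon, 529 = bad username or password, 539 = account locked out.
SAMPLE_LOG = """\
2009-11-29 08:00:01|528|jsmith|WS-FINANCE-01
2009-11-29 08:00:05|529|administrator|WS-LAB-07
2009-11-29 08:00:06|529|administrator|WS-LAB-07
2009-11-29 08:00:06|529|backup|WS-LAB-07
2009-11-29 08:00:07|529|administrator|WS-LAB-07
2009-11-29 08:00:08|529|backup|WS-LAB-07
2009-11-29 08:00:09|529|jdoe|WS-LAB-07
2009-11-29 08:00:10|539|administrator|WS-LAB-07
2009-11-29 08:15:00|529|jsmith|WS-FINANCE-01
2009-11-29 08:15:40|528|jsmith|WS-FINANCE-01
"""

FAILURE_IDS = {529, 539}


def parse(log_text: str) -> list:
    """Parse the flattened lines into (timestamp, event id, account, source) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, eid, account, source = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, source))
    return events


def detect_guessing(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Flag source workstations that produce a burst of 529s or any 539.

    Returns {source: {"peak_failures_in_window", "accounts", "lockouts"}}."""
    by_source = defaultdict(list)
    for ts, eid, account, source in events:
        if eid in FAILURE_IDS:
            by_source[source].append((ts, eid, account))

    alerts = {}
    for source, fails in by_source.items():
        fails.sort()
        # Sliding window: the largest number of 529s from this source inside `window`.
        times = [ts for ts, eid, _ in fails if eid == 529]
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        accounts = sorted({a for _, _, a in fails})
        lockouts = [a for _, eid, a in fails if eid == 539]
        if peak >= threshold or lockouts:
            alerts[source] = {
                "peak_failures_in_window": peak,
                "accounts": accounts,   # many accounts from one host is the guessing signature
                "lockouts": lockouts,
            }
    return alerts


if __name__ == "__main__":
    for source, info in detect_guessing(parse(SAMPLE_LOG)).items():
        print(source, info)
```

A single mistyped password (WS-FINANCE-01 in the sample) stays below the threshold, while the scripted loop's six failures in five seconds across three accounts, plus the lockout it triggers, raise one alert for the offending workstation. A real deployment would read the events from the Security log export rather than an inline string, but the windowing and per-source grouping are the same.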