<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: NT Console Attacks</TITLE>
<LINK HREF="hackfaq-11.html" REL=next>
<LINK HREF="hackfaq-9.html" REL=previous>
<LINK HREF="hackfaq.html#toc10" REL=contents>
</HEAD>
<BODY BGCOLOR="black" TEXT="white" LINK="gray" VLINK="gray" HLINK="red">
<A HREF="hackfaq-11.html">Next</A>
<A HREF="hackfaq-9.html">Previous</A>
<A HREF="hackfaq.html#toc10">Contents</A>
<HR>
<H2><A NAME="ntconsoleattacks"></A> <A NAME="s10">10. NT Console Attacks</A></H2>
<P>This section deals with attacking at the NT Console.
<P>
<H2><A NAME="ss10.1">10.1 What does direct console access for NT get me?</A>
</H2>
<P>First off, a number of
<A HREF="hackfaq-11.html#ntclientattacks">NT client attacks</A> may not work
if your target system does not allow logins except at the console. Any brute-force
attack will obviously work much more quickly if you are not going across the network.
<P>
<H2><A NAME="ss10.2">10.2 What about NT's file system?</A>
</H2>
<P>Obviously gaining access to the file system from the console is much easier than across
a network, especially if the Sys Admin is trying to keep you out.
<P>Try booting up the system from an MS-DOS diskette, and running NTFSDOS.EXE to access the
NTFS file system. Currently this software is read-only, so it is only good for getting
copies of existing data. Linux is another OS that will read an NTFS file system, but
"simply loading Linux" on a "spare partition" is usually impractical, and hardly simple
if you are not familiar with it. See the question on recovering a
<A HREF="hackfaq-9.html#lostntadminpassword">lost NT password</A>, which uses Linux in the recovery
process. I mean, if you log in as Administrator then you definitely have access to the
file system ;-).
<P>
<H2><A NAME="ss10.3">10.3 What is Netmon and why do I care?</A>
</H2>
<P>NetMon is Microsoft's Network Monitor. It is a sniffer that runs under NT and, being a
sniffer, if you have to ask why you care, well, never mind ;-)
<P>On version 3.51, NetMon is protected by a password scheme that has nothing to do with
regular NT security. In Phrack 48 file 15, AON and daemon9 have not only cracked the
encryption scheme, they have written exploits for it as well. Check the resources
section for the location of the exploit code (it includes full source, including a
Unix version in case you do not have an NT compiler).
<P>By the way, compared to other commercial sniffers, this early version of NetMon sucks.
It would only look at traffic to and from the machine you are running it on. However,
newer versions of NetMon supposedly do actual promiscuous sniffing and are more
useful tools. I have not seen this new NetMon, but others report good things about it.
<P>
</BODY>
</HTML>