binary_hashes
The MH DeskReference
Version 1.2


Table of Contents

=Part One=
=Essential background Knowledge=

[0.0.0] Preface
[0.0.1] The Rhino9 Team
[0.0.2] Disclaimer
[0.0.3] Thanks and Greets

[1.0.0] Preface To NetBIOS
[1.0.1] What is NetBIOS?
[1.0.2] NetBIOS Names
[1.0.3] NetBIOS Sessions
[1.0.4] NetBIOS Datagrams
[1.0.5] NetBEUI Explained
[1.0.6] NetBIOS Scopes

[1.2.0] Preface to SMB's
[1.2.1] What are SMB's?
[1.2.2] The Redirector

[2.0.0] What is TCP/IP?
[2.0.1] FTP Explained
[2.0.2] Remote Login
[2.0.3] Computer Mail
[2.0.4] Network File Systems
[2.0.5] Remote Printing
[2.0.6] Remote Execution
[2.0.7] Name Servers
[2.0.8] Terminal Servers
[2.0.9] Network-Oriented Window Systems
[2.1.0] General description of the TCP/IP protocols
[2.1.1] The TCP Level
[2.1.2] The IP level
[2.1.3] The Ethernet level
[2.1.4] Well-Known Sockets And The Applications Layer
[2.1.5] Other IP Protocols
[2.1.6] Domain Name System
[2.1.7] Routing
[2.1.8] Subnets and Broadcasting
[2.1.9] Datagram Fragmentation and Reassembly
[2.2.0] Ethernet encapsulation: ARP

[3.0.0] Preface to the WindowsNT Registry
[3.0.1] What is the Registry?
[3.0.2] In Depth Key Discussion
[3.0.3] Understanding Hives
[3.0.4] Default Registry Settings

[4.0.0] Introduction to PPTP
[4.0.1] PPTP and Virtual Private Networking
[4.0.2] Standard PPTP Deployment
[4.0.3] PPTP Clients
[4.0.4] PPTP Architecture
[4.0.5] Understanding PPTP Security
[4.0.6] PPTP and the Registry
[4.0.7] Special Security Update

[5.0.0] TCP/IP Commands as Tools
[5.0.1] The Arp Command
[5.0.2] The Traceroute Command
[5.0.3] The Netstat Command
[5.0.4] The Finger Command
[5.0.5] The Ping Command
[5.0.6] The Nbtstat Command
[5.0.7] The IpConfig Command
[5.0.8] The Telnet Command

[6.0.0] NT Security
[6.0.1] The Logon Process
[6.0.2] Security Architecture Components
[6.0.3] Introduction to Securing an NT Box
[6.0.4] Physical Security Considerations
[6.0.5] Backups
[6.0.6] Networks and Security
[6.0.7] Restricting the Boot Process
[6.0.8] Security Steps for an NT Operating System
[6.0.9] Install Latest Service Pack and applicable hot-fixes
[6.1.0] Display a Legal Notice Before Log On
[6.1.1] Rename Administrative Accounts
[6.1.2] Disable Guest Account
[6.1.3] Logging Off or Locking the Workstation
[6.1.4] Allowing Only Logged-On Users to Shut Down the Computer
[6.1.5] Hiding the Last User Name
[6.1.6] Restricting Anonymous network access to Registry
[6.1.7] Restricting Anonymous network access to lookup account names and network shares
[6.1.8] Enforcing strong user passwords
[6.1.9] Disabling LanManager Password Hash Support
[6.2.0] Wiping the System Page File during clean system shutdown
[6.2.1] Protecting the Registry
[6.2.2] Secure EventLog Viewing
[6.2.3] Secure Print Driver Installation
[6.2.4] The Schedule Service (AT Command)
[6.2.5] Secure File Sharing
[6.2.6] Auditing
[6.2.7] Threat Action
[6.2.8] Enabling System Auditing
[6.2.9] Auditing Base Objects
[6.3.0] Auditing of Privileges
[6.3.1] Protecting Files and Directories
[6.3.2] Services and NetBios Access From Internet
[6.3.3] Alerter and Messenger Services
[6.3.4] Unbind Unnecessary Services from Your Internet Adapter Cards
[6.3.5] Enhanced Protection for Security Accounts Manager Database
[6.3.6] Disable Caching of Logon Credentials during interactive logon.
[6.3.7] How to secure the %systemroot%\repair\sam._ file
[6.3.8] TCP/IP Security in NT
[6.3.9] Well known TCP/UDP Port numbers

[7.0.0] Preface to Microsoft Proxy Server
[7.0.1] What is Microsoft Proxy Server?
[7.0.2] Proxy Servers Security Features
[7.0.3] Beneficial Features of Proxy
[7.0.4] Hardware and Software Requirements
[7.0.5] What is the LAT?
[7.0.6] What is the LAT used for?
[7.0.7] What changes are made when Proxy Server is installed?
[7.0.8] Proxy Server Architecture
[7.0.9] Proxy Server Services: An Introduction
[7.1.0] Understanding components
[7.1.1] ISAPI Filter
[7.1.2] ISAPI Application
[7.1.3] Proxy Servers Caching Mechanism
[7.1.4] Windows Sockets
[7.1.5] Access Control Using Proxy Server
[7.1.6] Controlling Access by Internet Service
[7.1.7] Controlling Access by IP, Subnet, or Domain
[7.1.8] Controlling Access by Port
[7.1.9] Controlling Access by Packet Type
[7.2.0] Logging and Event Alerts
[7.2.1] Encryption Issues
[7.2.2] Other Benefits of Proxy Server
[7.2.3] RAS
[7.2.4] IPX/SPX
[7.2.5] Firewall Strategies
[7.2.6] Logical Construction
[7.2.7] Exploring Firewall Types
[7.2.3] NT Security Twigs and Ends

=Part Two=
=The Techniques of Survival=


[8.0.0] NetBIOS Attack Methods
[8.0.1] Comparing NAT.EXE to Microsoft's own executables
[8.0.2] First, a look at NBTSTAT
[8.0.3] Intro to the NET commands
[8.0.4] Net Accounts
[8.0.5] Net Computer
[8.0.6] Net Config Server or Net Config Workstation
[8.0.7] Net Continue
[8.0.8] Net File
[8.0.9] Net Group
[8.1.0] Net Help
[8.1.1] Net Helpmsg message#
[8.1.2] Net Localgroup
[8.1.3] Net Name
[8.1.4] Net Pause
[8.1.5] Net Print
[8.1.6] Net Send
[8.1.7] Net Session
[8.1.8] Net Share
[8.1.9] Net Statistics Server or Workstation
[8.2.0] Net Stop
[8.2.1] Net Time
[8.2.2] Net Use
[8.2.3] Net User
[8.2.4] Net View
[8.2.5] Special note on DOS and older Windows Machines
[8.2.6] Actual NET VIEW and NET USE Screen Captures during a hack

[9.0.0] Frontpage Extension Attacks
[9.0.1] For the tech geeks, we give you an actual PWDUMP
[9.0.2] The haccess.ctl file
[9.0.3] Side note on using John the Ripper

[10.0.0] WinGate
[10.0.1] What Is WinGate?
[10.0.2] Defaults After a WinGate Install
[10.0.3] Port 23 Telnet Proxy
[10.0.4] Port 1080 SOCKS Proxy
[10.0.5] Port 6667 IRC Proxy
[10.0.6] How Do I Find and Use a WinGate?
[10.0.7] I have found a WinGate telnet proxy now what?
[10.0.8] Securing the Proxys
[10.0.9] mIRC 5.x WinGate Detection Script
[10.1.0] Conclusion

[11.0.0] What a security person should know about WinNT
[11.0.1] NT Network structures (Standalone/WorkGroups/Domains)
[11.0.2] How does the authentication of a user actually work
[11.0.3] A word on NT Challenge and Response
[11.0.4] Default NT user groups
[11.0.5] Default directory permissions
[11.0.6] Common NT accounts and passwords
[11.0.7] How do I get the admin account name?
[11.0.8] Accessing the password file in NT
[11.0.9] Cracking the NT passwords
[11.1.0] What is 'last login time'?
[11.1.1] Ive got Guest access, can I try for Admin?
[11.1.2] I heard that the %systemroot%\system32 was writeable?
[11.1.3] What about spoofin DNS against NT?
[11.1.4] What about default shared folders?
[11.1.5] How do I get around a packet filter-based firewall?
[11.1.6] What is NTFS?
[11.1.7] Are there any vulnerabilities to NTFS and access controls?
[11.1.8] How is file and directory security enforced?
[11.1.9] Once in, how can I do all that GUI stuff?
[11.2.0] How do I bypass the screen saver?
[11.2.1] How can tell if its an NT box?
[11.2.2] What exactly does the NetBios Auditing Tool do?


[12.0.0] Cisco Routers and their configuration
[12.0.1] User Interface Commands
[12.0.2] disable
[12.0.3] editing
[12.0.4] enable
[12.0.5] end
[12.0.6] exit
[12.0.7] full-help
[12.0.8] help
[12.0.9] history
[12.1.0] ip http access-class
[12.1.1] ip http port
[12.1.2] ip http server
[12.1.3] menu (EXEC)
[12.1.4] menu (global)
[12.1.5] menu command
[12.1.6] menu text
[12.1.7] menu title
[12.1.8] show history
[12.1.9] terminal editing
[12.2.0] terminal full-help (EXEC)
[12.2.1] terminal history
[12.2.2] Network Access Security Commands
[12.2.3] aaa authentication arap
[12.2.4] aaa authentication enable default
[12.2.5] aaa authentication local-override
[12.2.6] aaa authentication login
[12.2.7] aaa authentication nasi
[12.2.8] aaa authentication password-prompt
[12.2.9] aaa authentication ppp
[12.3.0] aaa authentication username-prompt
[12.3.1] aaa authorization
[12.3.2] aaa authorization config-commands
[12.3.3] aaa new-model
[12.3.4] arap authentication
[12.3.5] clear kerberos creds
[12.3.6] enable last-resort
[12.3.7] enable use-tacacs
[12.3.8] ip radius source-interface
[12.3.9] ip tacacs source-interface
[12.4.0] kerberos clients mandatory
[12.4.1] kerberos credentials forward
[12.4.2] kerberos instance map
[12.4.3] kerberos local-realm
[12.4.4] kerberos preauth
[12.4.5] kerberos realm
[12.4.6] kerberos server
[12.4.7] kerberos srvtab entry
[12.4.8] kerberos srvtab remote
[12.4.9] key config-key
[12.5.0] login tacacs
[12.5.1] nasi authentication
[12.5.2] ppp authentication
[12.5.3] ppp chap hostname
[12.5.4] ppp chap password
[12.5.5] ppp pap sent-username
[12.5.6] ppp use-tacacs
[12.5.7] radius-server dead-time
[12.5.8] radius-server host
[12.5.9] radius-server key
[12.6.0] radius-server retransmit
[12.6.1] show kerberos creds
[12.6.2] show privilege
[12.6.3] tacacs-server key
[12.6.4] tacacs-server login-timeout
[12.6.5] tacacs-server authenticate
[12.6.6] tacacs-server directed-request
[12.6.7] tacacs-server key
[12.6.8] tacacs-server last-resort
[12.6.9] tacacs-server notify
[12.7.0] tacacs-server optional-passwords
[12.7.1] tacacs-server retransmit
[12.7.2] tacacs-server timeout
[12.7.3] Traffic Filter Commands
[12.7.4] access-enable
[12.7.5] access-template
[12.7.6] clear access-template
[12.7.7] show ip accounting
[12.7.8] Terminal Access Security Commands
[12.7.9] enable password
[12.8.0] enable secret
[12.8.1] ip identd
[12.8.2] login authentication
[12.8.3] privilege level (global)
[12.8.4] privilege level (line)
[12.8.5] service password-encryption
[12.8.6] show privilege
[12.8.7] username
[12.8.8] A Word on Ascend Routers

[13.0.0] Known NT/95/IE Holes
[13.0.1] WINS port 84
[13.0.2] WindowsNT and SNMP
[13.0.3] Frontpage98 and Unix
[13.0.4] TCP/IP Flooding with Smurf
[13.0.5] SLMail Security Problem
[13.0.6] IE 4.0 and DHTML
[13.0.7] 2 NT Registry Risks
[13.0.8] Wingate Proxy Server
[13.0.9] O'Reilly Website uploader Hole
[13.1.0] Exchange 5.0 Password Caching
[13.1.1] Crashing NT using NTFS
[13.1.2] The GetAdmin Exploit
[13.1.3] Squid Proxy Server Hole
[13.1.4] Internet Information Server DoS attack
[13.1.5] Ping Of Death II
[13.1.6] NT Server's DNS DoS Attack
[13.1.7] Index Server Exposes Sensitive Material
[13.1.8] The Out Of Band (OOB) Attack
[13.1.9] SMB Downgrade Attack
[13.2.0] RedButton
[13.2.1] FrontPage WebBot Holes
[13.2.2] IE and NTLM Authentication
[13.2.3] Run Local Commands with IE
[13.2.4] IE can launch remote apps
[13.2.5] Password Grabbing Trojans
[13.2.6] Reverting an ISAPI Script
[13.2.7] Rollback.exe
[13.2.8] Replacing System .dll's
[13.2.9] Renaming Executables
[13.3.0] Viewing ASP Scripts
[13.3.1] .BAT and .CMD Attacks
[13.3.2] IIS /..\.. Problem
[13.3.3] Truncated Files
[13.3.4] SNA Holes
[13.3.5] SYN Flooding
[13.3.6] Land Attack
[13.3.7] Teardrop
[13.3.8] Pentium Bug

[14.0.0] VAX/VMS Makes a comeback (expired user exploit)
[14.0.1] Step 1
[14.0.2] Step 2
[14.0.3] Step 3
[14.0.4] Note

[15.0.0] Linux security 101
[15.0.1] Step 1
[15.0.2] Step 2
[15.0.3] Step 3
[15.0.4] Step 4
[15.0.5] Step 5
[15.0.6] Step 6

[16.0.0] Unix Techniques. New and Old.
[16.0.1] ShowMount Technique
[16.0.2] DEFINITIONS
[16.0.3] COMPARISON TO THE MICROSOFT WINDOWS FILESHARING
[16.0.4] SMBXPL.C
[16.0.5] Basic Unix Commands
[16.0.6] Special Characters in Unix
[16.0.7] File Permissions Etc..
[16.0.8] STATD EXPLOIT TECHNIQUE
[16.0.9] System Probing
[16.1.0] Port scanning
[16.1.1] rusers and finger command
[16.1.2] Mental Hacking, once you know a username

[17.0.0] Making a DDI from a Motorola Brick phone

[18.0.0] Pager Programmer

[19.0.0] The End
setthesun
You may can attach document
manu
Thanks a lot Binary Hashes. Really Nice document. Good post.

Manu
8Ball
wow that's a really interesting posting, thank you, i will enjoy reading it this afternoon or even the most useful parts of it, many many thanks
s0pran0
I am unable to download the file. Can you post a URL to the file or something? Please
kevin007
this actually looks interesting and worth a read, thanks a lot, shall investigate it later

PS: it's a very old guide, but I'm interested in the Rhino team's views on some things that don't change over time
COM
nice docu, thanks
d.K
very nice text really worth reading .
The Doom Master
Ahh Nice Doc mate Thanx for Posting it will Read it..
toska
very nice reading, thanks for sharing.
LikeAHurricane
thx
i'll read soon.
nkonx
cool man, thx
ShouiZen
thank you man, I read that
blackened
nice book, thanks man
forza
nice one !!
Mrwh!P
thx dude, information is everything

so long

Mrwh!P
twistedps
nice lil reference material there, if anything is lacking, I'd say maybe some new exploitation methods, i.e. pointer overflows and heap...


[16.0.8] STATD EXPLOIT TECHNIQUE

wow. lol, that brings back memories, the good ol days when rpc.statd ran wild.
NeBoKaDnEzZaR
Hey, thanks a lot m8, this is 100% useful for all beginners. Go on so.
spyfire
nice, thanx!
K1LL3RB0Y
nice txt bro big thanxss

now reading it hehe
Krozgen
Very nice list, useful reference... thanks
Buluemoon
Thanks binary_hashes
Some very good reading ahead.
Q00
really cool link
w0bbes
very good post, lotta thing to read