This is a Mirror of the Original NT Exploits Page Created by Bill Stout

Good guys announce security weaknesses, the bad guys keep them to themselves...

This page will attempt to list all known NT exploits used to attack NT security, and application security issues related to an NT system. If you know of hacks, security bugs, patches, workarounds, or additional information which may be relevant to this list, please e-mail Bill Stout, the originator of this page: nthacks@hidata.com

Additional copies to us would also be welcome to enable us to maintain this page: nthacks@versalink.com . Non-hyperlinked attacks below exist, but I haven't gotten around to writing a page on them.

Thanks to the NT security mailing list at ntsecurity@iss.net, sister (or copycat) sites such as http://www.ntshop.net/security/exploits.htm, and contributors to this list.

If you wish to subscribe to the NT security mailing list, send mail to request-ntsecurity@iss.net and, in the text of your message (not the subject line), write: subscribe ntsecurity.

Bill Stout


Trojans
Dlls
Password sniffing DLL
Rollback.exe
Renamed Executables

Application Attacks
MS Office 7.0 FileManager hole
MS Access 1.0/2.0 SIDs
MS Word/Excel Macro virus

Passwords
Guessing/Brute force
Snooping
Cracking (decrypting)
Password caching

Direct access
Ntfsdos.exe
Linux ntfs

Other Local Attacks
Win32K Crash

Denial of Service
Ping of Death
SYN Attack
IIS Crash (GET ../..)
CPU Attacks (Telnet to port XX)
Unauthorized File deletion
SMB Crash (Dir ..\)

Snooping
Nbtstat
Scanners
Sniffing data

Man in the Middle
SMB Hijacking
SMB Downgrade (force clear text passwords)
SMB 0.12 encrypted handshake intercept
TCP Sequence Number Prediction

Registry attacks
Registry open to guest access
Registry automatic write by .reg files

Webserver attacks
CGI/Active Server
Perl & cgi-bin
IIS
Guest access same as Domain User
IIS .BAT/.CMD
IIS Dot dot /..\..
IIS Truncate
IIS Redirect

Application security bugs
Frontpage 1.1 Default permissions
MS Office 7.0 FileManager hole
Systems Management Server
Microsoft SNA AS/400 shared LU ID
FTP Server Passive connection support

Browsers
Active-X
Java
Javascript
Cookies
COM/OLE

Security Checklists - Coming soon
The NT Shop has one of the most comprehensive listings of NT bugs available.

Windows NT Security Issues from Somarsoft.

Windows 95/NT Security Weaknesses are the topic of this page from BYU.

Windows 95 Vulnerabilities are discussed in CIAC bulletins.

Robert Malmgren created a most impressive FAQ at http://www.it.kth.se/~rom/ntsec.html

Community Connection, the maker of a 128-bit encrypted version of the Apache webserver called Stronghold, has a NT Hack site at http://www.c2.net/hackmsoft/.

A comprehensive NT Security book and more info is available from Tom Sheldon at: http://www.ntresearch.com.

"Internet Security with Windows NT" is due out in May of 96 - written by Mark Joseph Edwards, and contributed to by Andy Pozo, Andy Baron, Philip Carden, Dr. Bill Hancock, Mary Madden, Alix Jules, Ned Rynearson, Marcus Ranum and Mark Berry. For more details point your Web browser to http://www.ntshop.net/security/ntis.htm
Windows, Windows NT, Microsoft, and IIS are trademarks of Microsoft Corporation.