====System Hacking====

•   Assuming that NetBIOS TCP port 139 is open, the most effective method of breaking into NT/2000 is password guessing.
•   Attempting to connect to an enumerated share (IPC$ or C$) and trying to guess username/password.
•   Default admin$, C$, or %Systemdrive% shares are a good starting place.

If an attacker fails in a manual attack, he can choose to automate the task. There are several free programs that can do this, including Legion, Jack the Ripper, NetBIOS Auditing Tool (NAT; do not confuse with Network Address Translation), and L0phtcrack, (LC4) among them.
The simplest of these automation methods take advantage of the NET command line utility. This involves a simple loop using the NT4/2000 command shell. All the attacker has to do is to create a simple username and password file. He can then pipe this file into a FOR command.

C:\>FOR /F “token=1,2*”%i in (credentials.txt)
Do net use \\target\IPC$ %i /u: %j

Automated password attacks can be divided into two basic categories, dictionary attacks and brute force attacks.
•   A simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0pthcrack or John the Ripper, and running it against user accounts loaded by the application. The larger the word and word fragment selection, the more effective the dictionary attack.
•   The brute force method is the most inclusive – though slow. Usually, it tries every possible letter and number combination in its automated exploration. 
•   A hybrid approach is one which combines features of both the methods mentioned above. It usually starts with a dictionary and then tries combinations such as two words together or a word and numbers.