Upload
jigsaw55555
View
15.700
Download
7
Embed Size (px)
Citation preview
System Attacks System Attacks
and
Security
Measures
Security Architecture of Windows Security Architecture of Windows Security Architecture of Windows Security Architecture of Windows
There are three components of Windows Security:
• LSA (Local Security Authority)
• SAM (Security Account Manager)
• SRM (Security Reference Monitor)• SRM (Security Reference Monitor)
LSA (Local Security LSA (Local Security LSA (Local Security LSA (Local Security Authority) Authority) Authority) Authority)
• LSA is the Central Part of NT Security. It is also known as SecuritySubsystem. The Local Security Authority or LSA is a key component ofthe logon process in both Windows NT and Windows 2000. In Windows2000, the LSA is responsible for validating users for both local andremote logons. The LSA also maintains the local security policy.
• During the local logon to a machine, a person enters his name and• During the local logon to a machine, a person enters his name andpassword to the logon dialog. This information is passed to the LSA,which then calls the appropriate authentication package. The passwordis sent in a non-reversible secret key format using a one-way hashfunction. The LSA then queries the SAM database for the User’saccount information. If the key provided matches the one in the SAM,the SAM returns the users SID and the SIDs of any groups the userbelongs to. The LSA then uses these SIDs to generate the securityaccess token.
SAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account Manager))))
• The Security Accounts Manager is a database in the Windows
operating system (OS) that contains user names and passwords.
SAM is part of the registry and can be found on the hard disk.
• This service is responsible for making the connection to the SAM-• This service is responsible for making the connection to the SAM-
database (Contains available user-accounts and groups). The SAM-
database can either be placed in the local registry or in the Active
Directory (If available). When the service has made the connection
it announces to the system that the SAM-database is available, so
other services can start accessing the SAM-database.
SAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account Manager))))• In the SAM, each user account can be assigned a Windows password
which is in encrypted form. If someone attempts to log on to the
system and the user name and associated passwords match an entry in
the SAM, a sequence of events takes place ultimately allowing that
person access to the system. If the user name or passwords do not
properly match any entry in the SAM, an error message is returned
requesting that the information be entered again.requesting that the information be entered again.
• When you make a New User Account with a Password, it gets stored in
the SAM File.
• Windows Security Files are located at
“C:\Windows\System32\Config\SAM”
• The moment operating system starts, the SAM file becomes
inaccessible
SRM (Security Reference MonitorSRM (Security Reference MonitorSRM (Security Reference MonitorSRM (Security Reference Monitor))))• The Security Reference Monitor is a security architecture componentthat is used to control user requests to access objects in the system.The SRM enforces the access validation and audit generation. WindowsNT forbids the direct access to objects. Any access to an object mustfirst be validated by the SRM. For example, if a user wants to access aspecific file the SRM will be used to validate the request. The SecurityReference Monitor enforces access validation and audit generationpolicy.policy.
• The reference monitor verifies the nature of the request against a tableof allowable access types for each process on the system. For example,Windows 3.x and 9x operating systems were not built with a referencemonitor, whereas the Windows NT line, which also includes Windows2000 and Windows XP, was designed with an entirely differentarchitecture and does contain a reference monitor.
Windows User Account ArchitectureWindows User Account ArchitectureWindows User Account ArchitectureWindows User Account Architecture
• User account passwords are contained in the SAM in the
Hexadecimal Format called Hashes.
• Once the Passwords converted in Hashes, you cannot
convert back to the Clear Text.convert back to the Clear Text.
Cracking Cracking Cracking Cracking Windows User account PasswordWindows User account PasswordWindows User account PasswordWindows User account Password
• Passwords are Stored and Transmitted in an encrypted form
called a Hash. When a User logs on to a system and enters a
password, a hash is generated and compared to a stored hash. If
the entered and the stored hashes match, the user is
authenticated (This is called the Challenge/Response).authenticated (This is called the Challenge/Response).
• Passwords may be cracked Manually or with Automated tools
such as a Brute-force method or the Rainbow Table attack.
Net User: Command PromptNet User: Command PromptNet User: Command PromptNet User: Command Prompt
• Windows Command Prompt Utility, Net User, can be also be used to
manipulate the User accounts in Windows.
The Commands are as follows:
• To check the User Accounts:Net User
• To Add a New User Account:Net User Username Password /add
• To Delete a User Account:Net User Username /delete
• To Change the Password of User Account:Net User Username *
To Run Net User in Vista or 7To Run Net User in Vista or 7To Run Net User in Vista or 7To Run Net User in Vista or 7
• Go to Start > Type CMD in
Search Box
• Right Click on CMD Icon• Right Click on CMD Icon
and choose the option
“Run as administrator”
Brute Force Brute Force Brute Force Brute Force AttackAttackAttackAttack
• Brute force password guessing is just what it sounds like: trying
a random approach by attempting different passwords and
hoping that one works. Some logic can be applied by trying
passwords related to the person’s name, job title, hobbies, or
other similar items.
• Brute force randomly generates passwords and their associated• Brute force randomly generates passwords and their associated
hashes.
• There are tools available to perform the Brute force attack on the
Windows SAM File. Most famous tool available for Windows
User Account Password Bruteforcing is Cain and Abel. Another
one is SamInside.
Cain and AbelCain and AbelCain and AbelCain and Abel
Rainbow Table Rainbow Table Rainbow Table Rainbow Table AttackAttackAttackAttack
• Rainbow Table Attack trades off the time-consuming process of
creating all possible password hashes by building a table of
hashes in advance of the actual crack. After this process is
finished, the table, called a rainbow table, is used to crack the
password, which will then normally only take a few seconds.
• We can use the Live CD to crack the Windows password using
the Rainbow table attack technique. Most famous Live CD
available is OphCrack
OphCrackOphCrackOphCrackOphCrack
Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows
Creating Hidden Accounts
• Use the Net User Command to Create a Hidden Account in Windows:
Net User Hiddenuser /add• And then use the Command
Net Localgroup Users Hiddenuser /deleteNet Localgroup Users Hiddenuser /delete
• Log Off the Current User, Press ALT+CTRL+DEL combination 2 timesto get the ‘Classic Windows User Login Screen’
• Type the Username as Hiddenuser and Hit Enter, you will get Logged In
Note: This trick will not work in Windows Vista and Windows 7
Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows
Sticky Keys Backdoor
• Sticky Keys application can be used as the Backdoor in Windows
Operating System.
• Command Prompt file ‘CMD.EXE’ can be renamed to
‘SETHC.EXE’ in C:\Windows\System32 Folder.
• After this one can hit the Shift Key 5 times on the User Login
Screen and will get the Command Prompt right there. Net User
command can be used to modify User Accounts thereafter.
Command Prompt on
the User Login Screen
Configuring a Strong Login PasswordConfiguring a Strong Login PasswordConfiguring a Strong Login PasswordConfiguring a Strong Login Password
• A Strong password is less susceptible to attack by a Hacker. The
following rules should be applied when you’re creating a
password, to protect it against attacks:
� Must not contain any part of the User’s account name� Must not contain any part of the User’s account name
� Must have a minimum of eight characters
� Must contain characters from at least three of the following
categories:
• Non alphanumeric symbols ($,:”%@!#)
• Numbers
• Uppercase letters
• Lowercase letters
Applying Applying Applying Applying SyskeySyskeySyskeySyskey SecuritySecuritySecuritySecurity
• Go to Start > Run >Type Syskey
• Click on Update• Click on Update
• Set Syskey Password,Confirm the Passwordand Click OK
Change the Boot SequenceChange the Boot SequenceChange the Boot SequenceChange the Boot Sequence
• You should change the boot sequence in the BIOS so that your
computer is not configured to boot from the CD first. It should
be configured as Hard Disk as the First Boot Device.
• This will protect your computer from the attacking Live CDs.• This will protect your computer from the attacking Live CDs.
• You may press Del or F2 Key at the System Boot to go to the
BIOS Setup
Change the Boot SequenceChange the Boot SequenceChange the Boot SequenceChange the Boot Sequence
Registry EditingRegistry EditingRegistry EditingRegistry Editing
• What is the Registry?
The Registry is a database used to store settings and options for the
32 bit versions of Microsoft Windows. It contains information and
settings for all the hardware, software, users, and preferences of the
PC. Whenever a user makes changes to a Control Panel settings, or
File Associations, System Policies, or installed software, the changesFile Associations, System Policies, or installed software, the changes
are reflected and stored in the Registry.
Registry EditingRegistry EditingRegistry EditingRegistry Editing
Registry EditingRegistry EditingRegistry EditingRegistry Editing
• The physical files that make up the registry are stored differently
depending on your version of Windows; under Windows NT/XP/Vista the
files are contained separately in the %SystemRoot%\System32\Config
directory. You cannot edit these files directly, you must use a tool
commonly known as a "Registry Editor" to make any changes.
Registry EditingRegistry EditingRegistry EditingRegistry Editing
The Structure of Registry:
• The Registry has a hierarchal structure; although it looks
complicated the structure is similar to the directory structure on your hard
disk, with Regedit being similar to Windows Explorer.
• Each main branch (denoted by a folder icon in the Registry Editor) is
called a Hive, and Hives contains Keys. Each key can contain other keyscalled a Hive, and Hives contains Keys. Each key can contain other keys
(sometimes referred to as sub-keys), as well as Values. The values contain
the actual information stored in the Registry. There are three types of
values; String, Binary, and DWORD - the use of these depends upon the
context.
Registry EditingRegistry EditingRegistry EditingRegistry Editing
• There are five main Hives (branches), each containing a specific portion ofthe information stored in the Registry. They are as follows:
• HKEY_CLASSES_ROOT - This branch contains all of your fileassociation mappings to support the drag-and-drop feature, OLEinformation, Windows shortcuts, and core aspects of the Windows userinterface.
• HKEY_CURRENT_USER - This branch links to the section of• HKEY_CURRENT_USER - This branch links to the section ofHKEY_USERS appropriate for the user currently logged onto the PC andcontains information such as logon names, desktop settings, and Startmenu settings.
• HKEY_LOCAL_MACHINE - This branch contains computer specificinformation about the type of hardware, software, and other preferences ona given PC, this information is used for all users who log onto thiscomputer.
Registry EditingRegistry EditingRegistry EditingRegistry Editing
• HKEY_USERS - This branch contains individual preferences for each user
of the computer; each user is represented by a SID sub-key located under
the main branch.
• HKEY_CURRENT_CONFIG - This branch links to the section of
HKEY_LOCAL_MACHINE appropriate for the current hardware
configuration.
Registry EditingRegistry EditingRegistry EditingRegistry Editing
• Each registry value is stored as one of five main data types:
• REG_BINARY - This type stores the value as raw binary data. Mosthardware component information is stored as binary data, and can be
displayed in an editor in hexadecimal format.
• REG_DWORD - This type represents the data by a four byte number andis commonly used for Boolean values, such as "0" is disabled and "1" isis commonly used for Boolean values, such as "0" is disabled and "1" is
enabled.
• REG_EXPAND_SZ - This type is an expandable data string that is stringcontaining a variable to be replaced when called by an application.
• REG_MULTI_SZ - This type is a multiple string used to represent valuesthat contain lists or multiple values, each entry is separated by a NULL
character.
• REG_SZ - This type is a standard string, used to represent human readabletext values.
Registry EditingRegistry EditingRegistry EditingRegistry Editing
• The Registry Editor (REGEDIT.EXE) is included with most version of
Windows it enables you to view, search and edit the data within the
Registry. There are several methods for starting the Registry Editor, the
simplest is to click on the Start button, then select Run, and in the Open
box type "regedit".
Applying the Restrictions on the Files Applying the Restrictions on the Files Applying the Restrictions on the Files Applying the Restrictions on the Files and Foldersand Foldersand Foldersand Folders
• You can set permissions on the Files and Folders in Windows so
that no one else can open or access them.
• Windows carries Access Control List command ‘CACLS’ to
apply the Access security on the Files and Folders.apply the Access security on the Files and Folders.
• Let’s say we have a folder ‘Info’, to set the permission on ‘Info’,
command is as follows:
CACLS Info /E /P Everyone:N
• To remove the restrictions on the folder , command is as follows:
CACLS Info /E /P Everyone:F
Note: Make sure that you are in the Correct Directory in the Command Prompt while Locking the
Files or Folders. If Folder name carry spaces, put the folder name in “” while running command
Hiding Files behind Folders on the Hiding Files behind Folders on the Hiding Files behind Folders on the Hiding Files behind Folders on the Local Hard Disk: ADSLocal Hard Disk: ADSLocal Hard Disk: ADSLocal Hard Disk: ADS
• You can hide your important Files behind the Folders in your HardDisk.
• Let us say we have a text file ‘Secret.txt’ and a folder ‘C:\Info’. ToHide the Text file behind the Folder, command is as follows
Type Secret.txt > C:\Info:Secret.txtType Secret.txt > C:\Info:Secret.txt
• Now delete the Original File, to view the hidden file, command is asfollows
Start C:\Info:Secret.txt
• To search the hidden files, ADS Tool ‘Streams’ can be used.
• To Search the Hidden Files: Streams –S C:\Info
• To Delete the Hidden Files: Streams –D C:\Info
SteganographySteganographySteganographySteganography
• Steganography is the technique to place
text content behind the images.
• This is generally performed by the
terrorists to hide the secret messagesterrorists to hide the secret messages
behind the images and conveying the
message via sending the Image via
Internet.
• Windows Internal Commands as well as
Steganography tools can be used to
perform this technique.
Performing System SecurityPerforming System SecurityPerforming System SecurityPerforming System Security
• Process Monitoring
• Application Monitoring• Application Monitoring
Application MonitoringApplication MonitoringApplication MonitoringApplication Monitoring
• User should always check that ‘How many Application are
installed in the Computer’.
• This can be done using the ‘Add/Remove Program’ Utility
available in Control Panel.available in Control Panel.
• Uninstall all the Applications which you have not installed or you
do not use.
Process MonitoringProcess MonitoringProcess MonitoringProcess Monitoring
• Process Explorer is a free GUI-based process viewer utility that
displays detailed information about processes running under
Windows.
• For each process it displays memory, threads, and module usage.• For each process it displays memory, threads, and module usage.
For each DLL, it shows full path and version information.
• User can check the processed running under ‘Explorer.exe’ and
Kill all the suspicious processes