Windows Hacking and Security

System Attacks System Attacks

and

Security

Measures

Security Architecture of Windows Security Architecture of Windows Security Architecture of Windows Security Architecture of Windows

There are three components of Windows Security:

• LSA (Local Security Authority)

• SAM (Security Account Manager)

• SRM (Security Reference Monitor)• SRM (Security Reference Monitor)

LSA (Local Security LSA (Local Security LSA (Local Security LSA (Local Security Authority) Authority) Authority) Authority)

• LSA is the Central Part of NT Security. It is also known as SecuritySubsystem. The Local Security Authority or LSA is a key component ofthe logon process in both Windows NT and Windows 2000. In Windows2000, the LSA is responsible for validating users for both local andremote logons. The LSA also maintains the local security policy.

• During the local logon to a machine, a person enters his name and• During the local logon to a machine, a person enters his name andpassword to the logon dialog. This information is passed to the LSA,which then calls the appropriate authentication package. The passwordis sent in a non-reversible secret key format using a one-way hashfunction. The LSA then queries the SAM database for the User’saccount information. If the key provided matches the one in the SAM,the SAM returns the users SID and the SIDs of any groups the userbelongs to. The LSA then uses these SIDs to generate the securityaccess token.

SAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account Manager))))

• The Security Accounts Manager is a database in the Windows

operating system (OS) that contains user names and passwords.

SAM is part of the registry and can be found on the hard disk.

• This service is responsible for making the connection to the SAM-• This service is responsible for making the connection to the SAM-

database (Contains available user-accounts and groups). The SAM-

database can either be placed in the local registry or in the Active

Directory (If available). When the service has made the connection

it announces to the system that the SAM-database is available, so

other services can start accessing the SAM-database.

SAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account ManagerSAM (Security Account Manager))))• In the SAM, each user account can be assigned a Windows password

which is in encrypted form. If someone attempts to log on to the

system and the user name and associated passwords match an entry in

the SAM, a sequence of events takes place ultimately allowing that

person access to the system. If the user name or passwords do not

properly match any entry in the SAM, an error message is returned

requesting that the information be entered again.requesting that the information be entered again.

• When you make a New User Account with a Password, it gets stored in

the SAM File.

• Windows Security Files are located at

“C:\Windows\System32\Config\SAM”

• The moment operating system starts, the SAM file becomes

inaccessible

SRM (Security Reference MonitorSRM (Security Reference MonitorSRM (Security Reference MonitorSRM (Security Reference Monitor))))• The Security Reference Monitor is a security architecture componentthat is used to control user requests to access objects in the system.The SRM enforces the access validation and audit generation. WindowsNT forbids the direct access to objects. Any access to an object mustfirst be validated by the SRM. For example, if a user wants to access aspecific file the SRM will be used to validate the request. The SecurityReference Monitor enforces access validation and audit generationpolicy.policy.

• The reference monitor verifies the nature of the request against a tableof allowable access types for each process on the system. For example,Windows 3.x and 9x operating systems were not built with a referencemonitor, whereas the Windows NT line, which also includes Windows2000 and Windows XP, was designed with an entirely differentarchitecture and does contain a reference monitor.

Windows User Account ArchitectureWindows User Account ArchitectureWindows User Account ArchitectureWindows User Account Architecture

• User account passwords are contained in the SAM in the

Hexadecimal Format called Hashes.

• Once the Passwords converted in Hashes, you cannot

convert back to the Clear Text.convert back to the Clear Text.

Cracking Cracking Cracking Cracking Windows User account PasswordWindows User account PasswordWindows User account PasswordWindows User account Password

• Passwords are Stored and Transmitted in an encrypted form

called a Hash. When a User logs on to a system and enters a

password, a hash is generated and compared to a stored hash. If

the entered and the stored hashes match, the user is

authenticated (This is called the Challenge/Response).authenticated (This is called the Challenge/Response).

• Passwords may be cracked Manually or with Automated tools

such as a Brute-force method or the Rainbow Table attack.

Net User: Command PromptNet User: Command PromptNet User: Command PromptNet User: Command Prompt

• Windows Command Prompt Utility, Net User, can be also be used to

manipulate the User accounts in Windows.

The Commands are as follows:

• To check the User Accounts:Net User

• To Add a New User Account:Net User Username Password /add

• To Delete a User Account:Net User Username /delete

• To Change the Password of User Account:Net User Username *

To Run Net User in Vista or 7To Run Net User in Vista or 7To Run Net User in Vista or 7To Run Net User in Vista or 7

• Go to Start > Type CMD in

Search Box

• Right Click on CMD Icon• Right Click on CMD Icon

and choose the option

“Run as administrator”

Brute Force Brute Force Brute Force Brute Force AttackAttackAttackAttack

• Brute force password guessing is just what it sounds like: trying

a random approach by attempting different passwords and

hoping that one works. Some logic can be applied by trying

passwords related to the person’s name, job title, hobbies, or

other similar items.

• Brute force randomly generates passwords and their associated• Brute force randomly generates passwords and their associated

hashes.

• There are tools available to perform the Brute force attack on the

Windows SAM File. Most famous tool available for Windows

User Account Password Bruteforcing is Cain and Abel. Another

one is SamInside.

Cain and AbelCain and AbelCain and AbelCain and Abel

Rainbow Table Rainbow Table Rainbow Table Rainbow Table AttackAttackAttackAttack

• Rainbow Table Attack trades off the time-consuming process of

creating all possible password hashes by building a table of

hashes in advance of the actual crack. After this process is

finished, the table, called a rainbow table, is used to crack the

password, which will then normally only take a few seconds.

• We can use the Live CD to crack the Windows password using

the Rainbow table attack technique. Most famous Live CD

available is OphCrack

OphCrackOphCrackOphCrackOphCrack

Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows

Creating Hidden Accounts

• Use the Net User Command to Create a Hidden Account in Windows:

Net User Hiddenuser /add• And then use the Command

Net Localgroup Users Hiddenuser /deleteNet Localgroup Users Hiddenuser /delete

• Log Off the Current User, Press ALT+CTRL+DEL combination 2 timesto get the ‘Classic Windows User Login Screen’

• Type the Username as Hiddenuser and Hit Enter, you will get Logged In

Note: This trick will not work in Windows Vista and Windows 7

Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows Creating Backdoors in Windows

Sticky Keys Backdoor

• Sticky Keys application can be used as the Backdoor in Windows

Operating System.

• Command Prompt file ‘CMD.EXE’ can be renamed to

‘SETHC.EXE’ in C:\Windows\System32 Folder.

• After this one can hit the Shift Key 5 times on the User Login

Screen and will get the Command Prompt right there. Net User

command can be used to modify User Accounts thereafter.

Command Prompt on

the User Login Screen

Configuring a Strong Login PasswordConfiguring a Strong Login PasswordConfiguring a Strong Login PasswordConfiguring a Strong Login Password

• A Strong password is less susceptible to attack by a Hacker. The

following rules should be applied when you’re creating a

password, to protect it against attacks:

� Must not contain any part of the User’s account name� Must not contain any part of the User’s account name

� Must have a minimum of eight characters

� Must contain characters from at least three of the following

categories:

• Non alphanumeric symbols ($,:”%@!#)

• Numbers

• Uppercase letters

• Lowercase letters

Applying Applying Applying Applying SyskeySyskeySyskeySyskey SecuritySecuritySecuritySecurity

• Go to Start > Run >Type Syskey

• Click on Update• Click on Update

• Set Syskey Password,Confirm the Passwordand Click OK

Change the Boot SequenceChange the Boot SequenceChange the Boot SequenceChange the Boot Sequence

• You should change the boot sequence in the BIOS so that your

computer is not configured to boot from the CD first. It should

be configured as Hard Disk as the First Boot Device.

• This will protect your computer from the attacking Live CDs.• This will protect your computer from the attacking Live CDs.

• You may press Del or F2 Key at the System Boot to go to the

BIOS Setup

Change the Boot SequenceChange the Boot SequenceChange the Boot SequenceChange the Boot Sequence

Registry EditingRegistry EditingRegistry EditingRegistry Editing

• What is the Registry?

The Registry is a database used to store settings and options for the

32 bit versions of Microsoft Windows. It contains information and

settings for all the hardware, software, users, and preferences of the

PC. Whenever a user makes changes to a Control Panel settings, or

File Associations, System Policies, or installed software, the changesFile Associations, System Policies, or installed software, the changes

are reflected and stored in the Registry.



• The physical files that make up the registry are stored differently

depending on your version of Windows; under Windows NT/XP/Vista the

files are contained separately in the %SystemRoot%\System32\Config

directory. You cannot edit these files directly, you must use a tool

commonly known as a "Registry Editor" to make any changes.


The Structure of Registry:

• The Registry has a hierarchal structure; although it looks

complicated the structure is similar to the directory structure on your hard

disk, with Regedit being similar to Windows Explorer.

• Each main branch (denoted by a folder icon in the Registry Editor) is

called a Hive, and Hives contains Keys. Each key can contain other keyscalled a Hive, and Hives contains Keys. Each key can contain other keys

(sometimes referred to as sub-keys), as well as Values. The values contain

the actual information stored in the Registry. There are three types of

values; String, Binary, and DWORD - the use of these depends upon the

context.


• There are five main Hives (branches), each containing a specific portion ofthe information stored in the Registry. They are as follows:

• HKEY_CLASSES_ROOT - This branch contains all of your fileassociation mappings to support the drag-and-drop feature, OLEinformation, Windows shortcuts, and core aspects of the Windows userinterface.

• HKEY_CURRENT_USER - This branch links to the section of• HKEY_CURRENT_USER - This branch links to the section ofHKEY_USERS appropriate for the user currently logged onto the PC andcontains information such as logon names, desktop settings, and Startmenu settings.

• HKEY_LOCAL_MACHINE - This branch contains computer specificinformation about the type of hardware, software, and other preferences ona given PC, this information is used for all users who log onto thiscomputer.


• HKEY_USERS - This branch contains individual preferences for each user

of the computer; each user is represented by a SID sub-key located under

the main branch.

• HKEY_CURRENT_CONFIG - This branch links to the section of

HKEY_LOCAL_MACHINE appropriate for the current hardware

configuration.


• Each registry value is stored as one of five main data types:

• REG_BINARY - This type stores the value as raw binary data. Mosthardware component information is stored as binary data, and can be

displayed in an editor in hexadecimal format.

• REG_DWORD - This type represents the data by a four byte number andis commonly used for Boolean values, such as "0" is disabled and "1" isis commonly used for Boolean values, such as "0" is disabled and "1" is

enabled.

• REG_EXPAND_SZ - This type is an expandable data string that is stringcontaining a variable to be replaced when called by an application.

• REG_MULTI_SZ - This type is a multiple string used to represent valuesthat contain lists or multiple values, each entry is separated by a NULL

character.

• REG_SZ - This type is a standard string, used to represent human readabletext values.


• The Registry Editor (REGEDIT.EXE) is included with most version of

Windows it enables you to view, search and edit the data within the

Registry. There are several methods for starting the Registry Editor, the

simplest is to click on the Start button, then select Run, and in the Open

box type "regedit".

Applying the Restrictions on the Files Applying the Restrictions on the Files Applying the Restrictions on the Files Applying the Restrictions on the Files and Foldersand Foldersand Foldersand Folders

• You can set permissions on the Files and Folders in Windows so

that no one else can open or access them.

• Windows carries Access Control List command ‘CACLS’ to

apply the Access security on the Files and Folders.apply the Access security on the Files and Folders.

• Let’s say we have a folder ‘Info’, to set the permission on ‘Info’,

command is as follows:

CACLS Info /E /P Everyone:N

• To remove the restrictions on the folder , command is as follows:

CACLS Info /E /P Everyone:F

Note: Make sure that you are in the Correct Directory in the Command Prompt while Locking the

Files or Folders. If Folder name carry spaces, put the folder name in “” while running command

Hiding Files behind Folders on the Hiding Files behind Folders on the Hiding Files behind Folders on the Hiding Files behind Folders on the Local Hard Disk: ADSLocal Hard Disk: ADSLocal Hard Disk: ADSLocal Hard Disk: ADS

• You can hide your important Files behind the Folders in your HardDisk.

• Let us say we have a text file ‘Secret.txt’ and a folder ‘C:\Info’. ToHide the Text file behind the Folder, command is as follows

Type Secret.txt > C:\Info:Secret.txtType Secret.txt > C:\Info:Secret.txt

• Now delete the Original File, to view the hidden file, command is asfollows

Start C:\Info:Secret.txt

• To search the hidden files, ADS Tool ‘Streams’ can be used.

• To Search the Hidden Files: Streams –S C:\Info

• To Delete the Hidden Files: Streams –D C:\Info

SteganographySteganographySteganographySteganography

• Steganography is the technique to place

text content behind the images.

• This is generally performed by the

terrorists to hide the secret messagesterrorists to hide the secret messages

behind the images and conveying the

message via sending the Image via

Internet.

• Windows Internal Commands as well as

Steganography tools can be used to

perform this technique.

Performing System SecurityPerforming System SecurityPerforming System SecurityPerforming System Security

• Process Monitoring

• Application Monitoring• Application Monitoring

Application MonitoringApplication MonitoringApplication MonitoringApplication Monitoring

• User should always check that ‘How many Application are

installed in the Computer’.

• This can be done using the ‘Add/Remove Program’ Utility

available in Control Panel.available in Control Panel.

• Uninstall all the Applications which you have not installed or you

do not use.

Process MonitoringProcess MonitoringProcess MonitoringProcess Monitoring

• Process Explorer is a free GUI-based process viewer utility that

displays detailed information about processes running under

Windows.

• For each process it displays memory, threads, and module usage.• For each process it displays memory, threads, and module usage.

For each DLL, it shows full path and version information.

• User can check the processed running under ‘Explorer.exe’ and

Kill all the suspicious processes

Documents

Windows Hacking and Security