Module Outline
Windows - Passwords
LM Hashes and NTLM Hashes
System Account Manager
Syskey
Password Cracking and Types
Tools for Cracking Windows Password
Password Cracking Countermeasure
Privilege Escalation
Alternate Data Stream & Countermeasures
Keyloggers
Covering Tracks
Removing logs
Application Isolation
Windows - Passwords
Characteristics:
LM hashes are case-insensitive.
LM hashes support passwords of at most 14 characters.
The hash works by breaking the password into two halves of 7 characters each. If a
password is shorter than 14 characters, it is padded with nulls to raise its length
to 14 characters.
The LM hash is 128 bits long and is based on a one-way hash function.
NTLM Hashes
The System Account Manager (SAM) is saved as a registry file in Windows and stores
passwords in hashed format. Since a hash is generated by a one-way function, this
provides some level of security for stored passwords.
When Syskey is enabled, it encrypts the on-disk copy of the SAM file, which further
protects it from brute-force and rainbow-table attacks.
Syskey
SYSKEY is a utility that encrypts the hashed password information in the SAM database
of a Windows system using a 128-bit encryption key.
SYSKEY was an optional feature added in Windows NT 4.0 SP3. It was meant to
protect against offline password cracking attacks, so that the SAM database would
still be secure even if someone had a copy of it. However, in December 1999, a
security team from BindView found a security hole in SYSKEY showing that a certain
form of cryptanalytic attack is possible offline. A brute force attack then appeared
to be possible.
Microsoft later collaborated with BindView to issue a fix for the problem (dubbed the
'Syskey Bug'), which appears to have settled the matter, and SYSKEY has been
pronounced secure enough to resist brute force attacks.
Types of Password Attacks
Dictionary attack: The attacker tries every password listed in a prepared file
called the dictionary (which contains common passwords used by people and English
dictionary words). It is a fast way of cracking passwords, but its disadvantage is
that the success rate is very poor.
Brute force attack: The attacker tries all permutations and combinations possible
from a set of characters such as 0-9, A-Z, a-z and symbols. The advantage of a brute
force attack is that it can have a 100% success rate; however, for a long password it
becomes so slow that it is almost infeasible.
Hybrid attack: The attacker uses a combination of the previous two methods or any
other. Hybrid attacks also involve precomputed tables of hashes, which increases the
speed; the tables are generated using all the character sets, which also increases
the success rate.
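The following PowerShell is an added example, not part of the original slides. It ties the LM characteristics above (14-character limit, two 7-character halves, case folding) to the brute force discussion: it audits pwdump-style "user:RID:LMHASH:NTHASH:::" lines for accounts that still store an LM hash or whose second half is pure padding, and it compares the number of guesses needed to exhaust the LM key space with a 14-character brute force over 95 printable characters. The sample hashes are constructed placeholders; the only real value is the well-known LM half-hash of a null-padded empty block.

```powershell
# Added example, not from the original slides. Audits "user:RID:LMHASH:NTHASH:::"
# lines (pwdump format) for LM-hash weaknesses. Sample hashes below are
# constructed placeholders, not real account data.

# LM half-hash of a 7-byte block that is all null padding. If the second half
# equals this, the password is at most 7 characters; if both halves equal it,
# no LM hash is stored (LM storage disabled or password longer than 14 chars).
$EmptyLmHalf = 'AAD3B435B51404EE'

function Test-LmHashLine {
    param([Parameter(Mandatory)][string]$Line)

    $fields = $Line.Split(':')
    if ($fields.Count -lt 4 -or $fields[2].Length -ne 32) {
        throw "Not a pwdump line: $Line"
    }
    $lm    = $fields[2].ToUpperInvariant()
    $half1 = $lm.Substring(0, 16)
    $half2 = $lm.Substring(16, 16)

    [pscustomobject]@{
        User         = $fields[0]
        LmStored     = -not ($half1 -eq $EmptyLmHalf -and $half2 -eq $EmptyLmHalf)
        # Second half is padding only: a cracker needs to recover just one 7-char half.
        AtMost7Chars = ($half1 -ne $EmptyLmHalf) -and ($half2 -eq $EmptyLmHalf)
    }
}

# Guesses needed to exhaust a key space. LM folds case, so the 95 printable ASCII
# characters become 69 per position, and each 7-character half is attacked on its own.
function Get-GuessCount {
    param([int]$CharsetSize, [int]$Length, [int]$Halves = 1)
    $Halves * [math]::Pow($CharsetSize, $Length)
}

# Constructed sample dump (placeholder hex, not real hashes).
$SampleDump = @(
    'svc_backup:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::'
    'jsmith:1002:1111222233334444AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::'
    'admin2:1003:11112222333344445555666677778888:0123456789ABCDEF0123456789ABCDEF:::'
)

$SampleDump | ForEach-Object { Test-LmHashLine $_ } | Format-Table -AutoSize

$lmGuesses   = Get-GuessCount -CharsetSize 69 -Length 7 -Halves 2
$ntlmGuesses = Get-GuessCount -CharsetSize 95 -Length 14
'{0:E2} guesses for LM (2 x 69^7) versus {1:E2} for a 14-character NTLM brute force (95^14)' -f $lmGuesses, $ntlmGuesses
```

In the sample, svc_backup has no LM hash stored, jsmith has a password of at most 7 characters (only the first half needs cracking), and admin2 has an LM hash covering both halves. Accounts flagged LmStored are the ones a countermeasure such as disabling LM hash storage should address.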
Tools for Cracking Windows Password
Password Cracking Countermeasures
Password cracking can be prevented on your machine by following these
countermeasures:
Privilege Escalation
Privilege escalation is the act of gaining elevated access to resources that are
normally protected by an operating system or by an application. The result is an
application with more privileges than the application developer intended.
Hiding Files
Streams are not limited in size, and more than one stream can be linked to a
normal file.
Creating Alternate Data Streams
Deleting a stream involves copying the 'front' file to a FAT partition, then copying
it back to NTFS.
Streams are lost when the file is moved to a FAT partition.
STREAMS.exe, from Sysinternals (later acquired by Microsoft), can detect streams
that have been created.
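The following PowerShell is an added example, not part of the original slides and not Sysinternals code. It creates a throwaway file with a named alternate data stream under %TEMP% (an NTFS volume is required), enumerates named streams the way a defender auditing a folder would, and then removes the stream with Remove-Item -Stream, which avoids the FAT round trip described above. The directory and file names are constructed for this example.

```powershell
# Added example, not from the original slides. Creates a throwaway file with an
# alternate data stream under %TEMP% (requires NTFS), enumerates named streams,
# then removes the stream without copying the file to FAT and back.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'front.txt'

Set-Content -Path $file -Value 'visible content'
# The named stream does not change the size shown by dir or Explorer.
Set-Content -Path $file -Stream 'hidden' -Value 'content stored in the stream'

# Every file has the unnamed :$DATA stream; only named streams are of interest,
# so the filter below drops :$DATA and reports everything else.
function Find-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } | Select-Object FileName, Stream, Length
}

Find-AlternateDataStream -Path $dir | Format-Table -AutoSize

# Remove-Item -Stream deletes only the named stream; the 'front' file stays intact.
Remove-Item -LiteralPath $file -Stream 'hidden'
Find-AlternateDataStream -Path $dir   # nothing left to report
```

Run Find-AlternateDataStream against a directory of interest (for example a web root or a user profile) to get the same kind of listing STREAMS.exe produces, with the file name, stream name and stream length for each named stream.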
Keyloggers
A keylogger can be a device or an application that keeps track of all the keys
pressed by creating a log file in a covert manner. The keyboard is used by a person
who is not aware of the fact that he is being monitored.
Types of Keyloggers
A software keylogger is an application that stays invisible in the system while
capturing all the keystrokes from the keyboard. It can store these key logs on the
system or transmit them to its creator.
A hardware keylogger is a tiny hardware device that can be attached between a
keyboard and a computer.
It keeps a record of all keystrokes typed on the keyboard. The recording process is
totally transparent to the end user.
It can even record key logs before an operating system starts, and can also log
the BIOS password if there is one, which is not possible for software keyloggers.
Hardware Keylogger & its Output
Covering Tracks
After disabling auditing and before leaving the machine, an attacker can also
remove the event logs to cover their presence on the system.
When all the information of interest has been stripped from the target machine,
the attackers install several backdoors so that they can get easy access next time
instead of repeating the whole attack phase again; this saves a lot of time and
reduces the level of suspicion.
Disabling Auditing
It is necessary to remove any digital traces to avoid being caught, so attackers
disable auditing as soon as they gain access to a system, using the following
command:
auditpol.exe /stop
The NT Resource Kit's auditpol.exe tool can disable auditing from the command line,
and at the end of their stay the attackers simply turn auditing on again using:
auditpol.exe /start
Clearing the Event log
Attackers can easily wipe out the logs in the Event Viewer.
This process clears all records from the log; however, it leaves one record stating
that the event log has been cleared by 'Attacker'.
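The following PowerShell is an added example, not part of the original slides. It shows the defender's side of the two steps above: clearing the Security log leaves Event ID 1102 in the Security log, clearing any other log leaves Event ID 104 in the System log, and changing audit policy (what auditpol does) leaves Event ID 4719. The function collects these over a chosen window, and the final auditpol call confirms auditing is still enabled. Reading the Security log requires an elevated session.

```powershell
# Added example, not from the original slides. Collects the records that clearing
# logs and changing audit policy leave behind, then checks current audit policy.
# Run from an elevated session: reading the Security log requires it.

function Get-LogTamperingEvent {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 1102: Security log cleared; 4719: system audit policy changed (auditpol);
    # 104: any other event log cleared (recorded in the System log).
    $filters = @(
        @{ LogName = 'Security'; Id = 1102, 4719; StartTime = $since }
        @{ LogName = 'System';   Id = 104;        StartTime = $since }
    )
    foreach ($f in $filters) {
        # SilentlyContinue suppresses the "no events found" error for clean logs.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName,
                @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } }
    }
}

Get-LogTamperingEvent -Days 30 | Sort-Object TimeCreated | Format-Table -AutoSize

# Confirm auditing is enabled for every category. This is the auditpol syntax of
# Vista and later, which replaced the /start and /stop switches of the NT version.
auditpol /get /category:*
```

A 1102 or 104 record with no matching change ticket is the single remaining trace the slides mention; forwarding the Security log to a collector before it can be cleared is the usual way to keep the rest.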
Application Isolation
Application isolation means running your programs in an isolated space, which
prevents them from making permanent changes to other programs or data on your
computer.
Case Study
Recovering a System with Forgotten Hybrid Password and Syskey
Practicals
Ophcrack (Live CD) and Tool
ERD Commander (Live CD)
Working of syskey
Privilege Escalation using X.exe
Gaining System Account
Creating - Alternate Data Stream
Detecting ADS using Streams Utility from Sysinternals
Keylogger
Disabling Auditing using auditpol.exe
Clearing the Event Log
The elsave.exe utility is a simple tool for clearing the event log. The
following syntax will clear the security log on the remote server 'rovil'
(the correct privileges are required on the remote system).
Save the system log on the local machine to d:\system.log and then
clear the log (the -C switch clears the log after saving it):
elsave -l system -F d:\system.log -C
Save the application log on \\serv1 to \\serv1\d$\application.log:
elsave -s \\serv1 -F d:\application.log
Assignments and Research
Assignments:
Some Content in the Presentation has been adapted or used from Wikipedia, under the
Creative Commons Attribution-ShareAlike 3.0 Unported License.