
Windows Hacking

Module Outline

Windows - Passwords
LM Hashes and NTLM Hashes
System Account Manager
Syskey
Password Cracking and Types
Tools for Cracking Windows Password
Password Cracking Countermeasure
Privilege Escalation
Alternate Data Stream & Countermeasures
Keyloggers
Covering Tracks
Removing logs
Application Isolation
Windows - Passwords

In Windows XP passwords are stored in the c:\windows\system32\config directory. That file is read-only and is locked by the operating system while Windows is running, so a normal user cannot access it, rename it or change it in any way.
There is a backup copy stored in the c:\windows\system32\repair\ directory which can be copied easily.
Windows XP stores passwords using NTLMv2, but it supports all types of authentication protocols: LM, NTLM, NTLMv2 and Kerberos.
XP uses the Kerberos protocol when it is joined to a domain.
When Windows XP is deployed in a workgroup it uses NTLMv2, and it falls back to LM and NTLM hashes when it needs to communicate with older operating systems like Windows 95 and 98.
LM Hashes

LAN Manager (LM hash) is the oldest authentication protocol used by Microsoft. It was first used in Windows 3. LM hashes are not very secure and support few features.

Characteristics:
LM hashes are case-insensitive.
LM hash only supports up to 14 characters.
The hash works by breaking the password into 2 sets of 7 characters each. If a password is less than 14 characters, it is padded with nulls to raise its length to 14 characters.
LM hash is 128 bits long and based on a one-way hash function.
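To make these characteristics concrete, the following Python model of the LM construction is an added example, not code from this module. Assumption: the real LM algorithm uses each 7-byte half as a DES key to encrypt a fixed constant; because DES is not in the Python standard library, SHA-256 truncated to 8 bytes stands in for that step, so the printed values are not real LM hashes. The case folding, null padding to 14 bytes and independent halves are reproduced exactly as described above, and the search-space arithmetic at the end shows why those halves matter for the brute-force and dictionary attacks discussed later in the module.

```python
import hashlib
import string

# Alphabet an LM half can contain after case folding: upper-case letters, digits,
# the 32 printable ASCII symbols and space (69 symbols), versus the 95 printable
# ASCII characters a case-sensitive, unsplit hash would have to cover.
LM_ALPHABET = string.ascii_uppercase + string.digits + string.punctuation + " "
FULL_ALPHABET = string.printable[:-5]  # printable ASCII without control whitespace


def lm_preprocess(password: str) -> tuple:
    """The pre-processing the module describes: fold to upper case, truncate or
    null-pad to exactly 14 bytes, then split into two independent 7-byte halves."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def half_digest(half: bytes) -> bytes:
    """Stand-in for the DES step (assumption): real LM uses the 7-byte half as a
    DES key to encrypt a fixed constant.  SHA-256 truncated to 8 bytes plays that
    role here; it is not the real cipher."""
    return hashlib.sha256(half).digest()[:8]


def lm_style_hash(password: str) -> str:
    """Concatenate the two 8-byte half results into a 128-bit (32 hex digit) value,
    mirroring the LM layout.  Not a real LM hash; see half_digest."""
    left, right = lm_preprocess(password)
    return (half_digest(left) + half_digest(right)).hex()


# Every null-padded half hashes to the same constant, so this value is a marker.
EMPTY_HALF = half_digest(b"\x00" * 7).hex()


def weak_second_half(lm_hash_hex: str) -> bool:
    """A second half equal to the hash of seven nulls means the password has at
    most seven characters: real LM hashes leak the same fact the same way."""
    return lm_hash_hex[16:] == EMPTY_HALF


def candidates(alphabet_size: int, max_len: int) -> int:
    """Brute-force search space: every string of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def lm_work_factor() -> int:
    """Worst case for LM: the halves are attacked independently, so the cost is two
    7-character searches over 69 symbols rather than one 14-character search."""
    return 2 * candidates(len(LM_ALPHABET), 7)


def full_work_factor() -> int:
    """Worst case for a case-sensitive hash over the full 14-character password."""
    return candidates(len(FULL_ALPHABET), 14)


if __name__ == "__main__":
    for pw in ("Password", "PASSWORD", "Pa$$w0rd!", "longpassphrase!"):
        h = lm_style_hash(pw)
        print(f"{pw:16} halves={lm_preprocess(pw)} short={weak_second_half(h)}")
    print(f"LM work factor      : {lm_work_factor():.3e}")
    print(f"unsplit 14-char work: {full_work_factor():.3e}")
```

Running the script shows "Password" and "PASSWORD" producing identical output, "longpassphrase!" silently losing its fifteenth character, and a work factor for LM that is about fourteen orders of magnitude below the unsplit case; this is the reason the countermeasures later in the module insist on 14-character passwords with symbols.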
NTLM Hashes

NT LAN Manager, a.k.a. the NTLM hash protocol, is identical to LM hashes.
NTLM was introduced because a new protocol was required for authentication on domain controllers, as domain controllers store the hashed passwords for domain user accounts in Active Directory.
NTLM possesses the same features as LM hashes and is equally insecure.
SAM

The System Accounts Manager (SAM) is saved as a registry file in Windows and stores passwords in hashed format. As a hash is generated through a one-way function, this provides some level of security for storing passwords.

As passwords are still vulnerable to brute-force attacks, Microsoft attempted to increase security by applying SYSKEY.

When SYSKEY is enabled, it encrypts the on-disk copy of the SAM file, which further protects it from brute-force and rainbow-table attacks.
Syskey

SYSKEY is a utility that encrypts the hashed password information in the SAM database of a Windows system using a 128-bit encryption key.

SYSKEY was an optional feature added in Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks, so that the SAM database would still be secure even if someone had a copy of it. However, in December 1999 a security team from BindView found a security hole in SYSKEY which showed that a certain form of cryptanalytic attack is possible offline; a brute-force attack then appeared to be feasible.

Microsoft later collaborated with BindView to issue a fix for the problem (dubbed the 'Syskey Bug'), which appears to have settled it, and SYSKEY has been pronounced secure enough to resist brute-force attacks.
Types of Password Attacks

Dictionary attack: The attacker tries every password pre-written in a separate file called the dictionary (which contains common passwords used by people and English dictionary words). It is a fast way of cracking passwords, but its disadvantage is that the success rate is very poor.

Brute force attack: The attacker tries all the permutations and combinations possible from a set of character sets like 0-9, A-Z, a-z and symbols. The advantage of a brute force attack is that it can have a 100% success rate; however, for a long password it becomes so slow that it is almost infeasible.

Hybrid attack: The attacker uses a combination of the previous two methods or any other. Hybrid attacks also involve pre-computed tables of hashes, which increase speed; the tables are generated using all the character sets, which also increases the success rate.
Tools for Cracking Windows Password

Windows passwords can be cracked by using the following tools:

SamInside
Samjuicer
Ophcrack Live CD and Windows installer
ERD Commander
Cain & Abel
John the Ripper
Password Cracking Countermeasures

Password cracking can be prevented on your machine when you follow these countermeasures:

Enforce 14-character passwords that are alphanumeric with symbols.
Reset your passwords every 14 days.
Implement physical security and isolate access to the server.
Implement SYSKEY at the time of deployment.
Always remember to check the server logs for brute force attacks on user accounts.
Privilege Escalation

Privilege escalation is the act of gaining elevated access to resources that are normally protected from an operating system or from an application. The result is an application with more privileges than the application developer intended.
Hiding Files

There are two ways of hiding files in NT/2000.

1. Attrib
use attrib +h [file/directory]
2. NTFS Alternate Data Streams
The NTFS file system used by Windows NT, 2000 and XP has a feature called Alternate Data Streams which allows data to be stored in hidden files that are linked to a normal visible file.

Streams are not limited in size and there can be more than one stream linked to a normal file.
Creating Alternate Data Streams

Step 1: Start by creating a folder in the c:\ drive with the name Test.

Then open a command prompt and type:
copy c:\windows\system32\calc.exe c:\
This command will copy calc.exe to the c:\ drive.
Then type:
type c:\calc.exe>c:\test:calc.exe
Your calc.exe will now be stored as a stream attached to the test folder.
Check the folder contents and folder size (the folder size will remain the same and nothing will be found in the directory).
Now delete calc.exe from the c:\ drive and then type:
start c:\test:calc.exe
You will see that the calculator has been opened.
Countermeasures - Streams

Deleting a stream involves copying the 'front' file to a FAT partition, then copying it back to NTFS.
Streams are lost when the file is moved to a FAT partition.
Streams.exe, created by Sysinternals (later acquired by Microsoft), can detect streams.

You can download Streams from Microsoft's website.

The syntax for using streams.exe is as follows:
streams.exe -s c:\ to detect the streams in an NTFS partition
streams.exe -s -d c:\ to detect and delete streams from an NTFS partition.
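As an added example (my code, not the Sysinternals tool and not part of this module), the following Python script does the detection half of what streams.exe -s does, using the documented Win32 FindFirstStreamW/FindNextStreamW API through ctypes. It assumes it is run on Windows against an NTFS path such as the c:\test folder created above; on other platforms the enumeration returns nothing and only the pure name-filtering helpers do any work.

```python
import ctypes
import os
import sys
from typing import Dict, List

DEFAULT_STREAM = "::$DATA"  # the unnamed data stream every NTFS file has
MAX_PATH = 260


def alternate_streams(stream_names: List[str]) -> List[str]:
    r"""Drop the unnamed ::$DATA stream; whatever remains is an alternate data
    stream (the module's c:\test:calc.exe shows up as ':calc.exe:$DATA')."""
    return [name for name in stream_names if name != DEFAULT_STREAM]


def stream_label(stream_name: str) -> str:
    """':calc.exe:$DATA' -> 'calc.exe', the name used after the colon to open it."""
    return stream_name.split(":")[1]


def list_streams(path: str) -> List[str]:
    """Enumerate every stream on one file or directory with the Win32
    FindFirstStreamW/FindNextStreamW API.  Windows-only; returns [] elsewhere."""
    if sys.platform != "win32":
        return []

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    k32.FindClose.restype = ctypes.c_int
    invalid_handle = ctypes.c_void_p(-1).value

    data = WIN32_FIND_STREAM_DATA()
    # InfoLevel 0 = FindStreamInfoStandard; dwFlags is reserved and must be 0.
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle == invalid_handle:
        return []  # plain directory with no streams, or access denied
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return names


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a tree and map each path to its alternate streams.  Directories are
    checked too, because the module's example attaches the stream to a folder."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            extra = alternate_streams(list_streams(path))
            if extra:
                findings[path] = extra
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"c:\test"
    for path, streams in scan_tree(root).items():
        for name in streams:
            print(f"{path}:{stream_label(name)}  ({name})")
```

Run it as `python ads_scan.py c:\` to get the same listing streams.exe -s c:\ gives; removal is deliberately left to streams.exe -d or to the FAT copy trick above, so the scanner stays read-only. On Vista and later, `dir /r` also lists alternate streams without any extra tool.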
Keystroke Loggers

A keylogger can be a device or an application that keeps track of all the keys pressed by creating a log file in a covert manner. The keyboard is used by a person who is not aware of the fact that he is being monitored.
Types of Keyloggers

There are two types of keyloggers:

Software Based Keylogger
Hardware Based Keylogger
Software Keyloggers

A software keylogger is an application that becomes invisible in the system and still captures all the keystrokes from the keyboard. It can store these keylogs on the system or transmit them to its creator.

How do software keyloggers work?

Software keyloggers monitor the keyboard buffer by using API calls through which the operating system notifies the keylogging application. Calls such as:
1. GetAsyncKeyState()
2. GetForegroundWindow()
are used to record keystrokes from the keyboard.
Hardware KeyLoggers

A hardware keylogger is a tiny hardware device that can be attached between a keyboard and a computer.

It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user.

It can even record keystrokes before an operating system starts, and can also log the BIOS password if any, which is not possible for software keyloggers.
Hardware Keylogger & its Output
Covering Tracks

After disabling auditing and before leaving the machine, an attacker can also remove the event logs to cover their presence on the system.

When all the information of interest has been stripped from the target machine, the attackers install several back doors so that they can get easy access next time instead of repeating the whole attack phase again; this saves a lot of time and reduces the level of suspicion.
Disabling Auditing

It is necessary to remove any digital traces to protect yourself from being caught, so to ensure this, attackers disable auditing as soon as they get access to a system using the following command:
auditpol.exe /stop
The NT Resource Kit's auditpol.exe tool can disable auditing from the command line, and at the end of their stay the attackers will just turn auditing on again using:
auditpol.exe /start
Clearing the Event log

Attackers can easily wipe out the logs in the Event Viewer.
This process will clear all records from the log; however, it will leave one record stating that the event log has been cleared by 'Attacker'.
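Both the countermeasure "check the server logs for brute force attacks" and the single record that survives a log clear call for the same kind of detection, so here is one added example in Python that is not part of this module. It runs over a constructed sample log in a simplified one-line-per-event layout (an assumption for readability, not the real Windows event log format) and flags failed-logon bursts from one source, audit-policy changes and the "audit log was cleared" record, using the Vista-and-later Security event IDs 4625, 4719 and 1102 alongside their NT/2000/XP-era equivalents 529, 612 and 517.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Security event IDs on Vista and later, paired with the NT/2000/XP-era IDs that
# the module's auditpol/elsave discussion would have produced.
FAILED_LOGON = {4625, 529}          # logon failure
AUDIT_LOG_CLEARED = {1102, 517}     # the one record that survives a log clear
AUDIT_POLICY_CHANGED = {4719, 612}  # auditing switched off or altered

# Constructed sample (not real Windows log syntax): six rapid failures from one
# host, one stray failure and a success from another, then a policy change
# followed by a log clear by the same account.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4625 User=administrator Source=10.0.0.5
2024-05-01T10:00:03 EventID=4625 User=administrator Source=10.0.0.5
2024-05-01T10:00:04 EventID=4625 User=administrator Source=10.0.0.5
2024-05-01T10:00:06 EventID=4625 User=administrator Source=10.0.0.5
2024-05-01T10:00:07 EventID=4625 User=administrator Source=10.0.0.5
2024-05-01T10:00:09 EventID=4625 User=administrator Source=10.0.0.5
2024-05-01T10:01:00 EventID=4625 User=jsmith Source=10.0.0.9
2024-05-01T10:01:30 EventID=4624 User=jsmith Source=10.0.0.9
2024-05-01T10:05:00 EventID=4719 User=administrator Source=-
2024-05-01T10:06:00 EventID=1102 User=administrator Source=-
"""


def parse_events(lines: List[str]) -> List[Dict]:
    """Turn 'timestamp key=value ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append({"time": datetime.fromisoformat(stamp),
                       "id": int(kv["EventID"]),
                       "user": kv.get("User", "-"),
                       "source": kv.get("Source", "-")})
    return events


def find_bruteforce(events: List[Dict], threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Sliding window over failed logons per source: `threshold` failures inside
    `window` from one source is what a dictionary or brute-force run looks like in
    the server log the countermeasures tell you to check."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["id"] in FAILED_LOGON:
            by_source[ev["source"]].append(ev["time"])
    alerts = []
    for source, times in by_source.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append(f"{source}: {best} failed logons within {window}")
    return alerts


def find_audit_tampering(events: List[Dict]) -> List[str]:
    """Flag the traces that covering tracks cannot avoid leaving: the 'log was
    cleared' record and any change to the audit policy."""
    alerts = []
    for ev in events:
        if ev["id"] in AUDIT_LOG_CLEARED:
            alerts.append(f"{ev['time']:%H:%M:%S} audit log cleared by {ev['user']}")
        elif ev["id"] in AUDIT_POLICY_CHANGED:
            alerts.append(f"{ev['time']:%H:%M:%S} audit policy changed by {ev['user']}")
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for alert in find_bruteforce(evs) + find_audit_tampering(evs):
        print("ALERT", alert)
```

The useful property for a defender is that the two tampering events are raised from the cleared log's own remaining records, so even an attacker who follows the auditpol/elsave sequence above leaves the exact timestamps and account name that the checker prints; forwarding the Security log to another host before it can be cleared is what makes that record survive in practice.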
Application Isolation

Application isolation is a process of isolating a malicious executable into a separate memory process by giving it the illusion that it is running on the main machine. However, it is actually running in a different memory location which provides it a virtual environment.

Application isolation means running your programs in an isolated space which prevents them from making permanent changes to other programs or data on your computer.
Case Study
Recovering a System with Forgotten Hybrid Password and Syskey
Practicals
Ophcrack (Live CD) and Tool
ERD Commander (Live CD)
Working of syskey
Privilege Escalation using X.exe
Gaining System Account
Creating - Alternate Data Stream
Detecting ADS using Streams Utility from Sysinternals
Keylogger
Disabling Auditing using auditpol.exe
Clearing the Event Log
The elsave.exe utility is a simple tool for clearing the event log. The following syntax will clear the security log on the remote server 'rovil' (correct privileges are required on the remote system).

Save the system log on the local machine to d:\system.log and then clear the log:
elsave -l system -F d:\system.log -C
Save the application log on \\serv1 to \\serv1\d$\application.log:
elsave -s \\serv1 -F d:\application.log
Assignments and Research

Assignments:

1: Research different commercial keyloggers.
2: Research rainbow tables.
3: Research privilege escalation.
4: Research ADS.
5: Differentiate between privilege escalation techniques in different versions of Windows (NT, 2000, 2003, XP & Vista).
6: Download and use John the Ripper.
7: Download and use Evidence Eliminator & WinZapper.
8: Use Sandboxie for application isolation.
References

Some Content in the Presentation has been adapted or used from Wikipedia, under the
Creative Commons Attribution-ShareAlike 3.0 Unported License.

We would like to Thank Wikipedia for being such a great resource.


End of Module
