
Windows Hacking


Module Outline

Windows - Passwords

LM Hashes and NTLM Hashes

System Account Manager

Syskey

Password Cracking and Types

Tools for Cracking Windows Password

Password Cracking Countermeasure

Privilege Escalation

Alternate Data Stream & Countermeasures

Keyloggers

Covering Tracks

Removing logs

Application Isolation


Windows - Passwords

In Windows XP, passwords are stored in the c:\windows\system32\config directory, but that file is read-only and in use by the operating system, so a normal user cannot access, rename or change it in any way while Windows is running.

There is a backup copy stored in the c:\windows\system32\repair\ directory, which can be copied easily.

In Windows XP, passwords are stored using NTLMv2, but the system supports all types of authentication protocols, such as LM, NTLM, NTLMv2 and Kerberos.

XP uses the Kerberos protocol when it is joined to a domain controller.

When Windows XP is deployed in a workgroup, it uses NTLMv2, and it uses LM and NTLM hashes when it needs to communicate with older operating systems like Windows 95 and 98.


LM Hashes

LAN Manager (LM hash) is the oldest authentication protocol used by Microsoft. It was first used in Windows 3. LM hashes are not very secure and do not support many features.

Characteristics:

LM hashes are case-insensitive.

LM hashes only support passwords of up to 14 characters.

The hash works by breaking the password into 2 sets of 7 characters each. If a password is shorter than 14 characters, it is padded with nulls to raise its length to 14 characters.

The LM hash is 128 bits long and based on a one-way hash function.
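The characteristics above can be made concrete in code. The following Python is an added example, not part of the original module, showing the LM preprocessing (case folding, null padding to 14 bytes, the 7/7 split) and the expansion of each 7-byte half into the 8-byte DES key that half is hashed with; the DES encryption step itself is left out. The example assumes plain ASCII passwords (LM actually uses the OEM code page, which agrees with ASCII for these characters), and the function names are this example's own. It also counts how many candidates have to be tried per half versus a single case-sensitive 14-character search, which is the arithmetic behind the "not very secure" verdict.

```python
"""Added example (not part of the original module): the LM hash preparation
steps, implemented to show why the scheme is weak. DES itself is omitted."""

LM_MAX_LEN = 14          # LM cannot represent longer passwords
HALF_LEN = 7             # each half is hashed independently


def lm_prepare(password):
    """Return the two 7-byte halves LM feeds into DES, or None.

    Windows stores no LM hash at all for passwords longer than 14 characters,
    which is why a 15+ character password defeats LM cracking outright.
    Assumption: ASCII input (LM really uses the OEM code page).
    """
    if len(password) > LM_MAX_LEN:
        return None
    data = password.upper().encode("ascii")      # case folded: 'a' and 'A' collide
    data = data.ljust(LM_MAX_LEN, b"\x00")       # null padded to exactly 14 bytes
    return data[:HALF_LEN], data[HALF_LEN:]


def des_key_from_7(half):
    """Expand 7 bytes (56 bits) into the 8-byte DES key LM uses for that half.

    Each key byte carries 7 key bits plus an odd-parity bit in its least
    significant position, so the parity bit adds no secrecy.
    """
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F   # next 7 key bits, top down
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:        # make the byte's parity odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def second_half_is_empty(password):
    """True when the password has at most 7 characters: the second half is then
    all nulls and hashes to a constant that is identical on every machine."""
    halves = lm_prepare(password)
    return halves is not None and halves[1] == b"\x00" * HALF_LEN


def candidates(charset_size, max_len):
    """Number of strings of length 0..max_len over a charset of the given size."""
    return sum(charset_size ** n for n in range(max_len + 1))


# Printable ASCII has 95 characters; case folding removes the 26 lowercase letters.
MIXED_CASE = 95
LM_FOLDED = MIXED_CASE - 26


def lm_work_factor_ratio():
    """How much cheaper exhausting both LM halves separately is than a single
    case-sensitive 14-character search over the same printable alphabet."""
    return candidates(MIXED_CASE, LM_MAX_LEN) / (2 * candidates(LM_FOLDED, HALF_LEN))


if __name__ == "__main__":
    for pw in ("password", "Pa55word!", "correct horse battery"):
        print(repr(pw), "->", lm_prepare(pw))
    print("second half empty for 'secret':", second_half_is_empty("secret"))
    print("work factor ratio: %.3g" % lm_work_factor_ratio())
```

Because the halves are hashed independently and a password of seven characters or fewer leaves the second half all nulls, that half of the stored hash is a fixed, well-known value on every machine, and a password of 15 or more characters has no LM hash stored at all. The countermeasure of enforcing long passwords follows directly from this.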


NTLM Hashes

NT LAN Manager, a.k.a. the NTLM hash protocol, is identical to LM hashes.

NTLM was introduced because a new protocol was required for authentication on domain controllers, as domain controllers store the hashed passwords for domain user accounts in Active Directory.

NTLM possesses the same features as LM hashes and is equally insecure.


SAM

The System Accounts Manager is saved as a registry file in Windows and stores passwords in hashed format. As we know, a hash is generated through a one-way function, so this provides some level of security for storing passwords.

As the passwords are still vulnerable to brute-force attacks, Microsoft attempted to increase the security by applying SYSKEY.

When SYSKEY is enabled, it encrypts the on-disk copy of the SAM file, which again protects it from brute-force and rainbow-table attacks.


Syskey

SYSKEY is a utility that encrypts the hashed password information in a SAM database in a Windows system using a 128-bit encryption key.

SYSKEY was an optional feature added in Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks, so that the SAM database would still be secure even if someone had a copy of it. However, in December 1999, a security team from BindView found a security hole in SYSKEY which indicated that a certain form of cryptanalytic attack was possible offline. A brute-force attack then appeared to be possible.

Microsoft later collaborated with BindView to issue a fix for the problem (dubbed the 'Syskey Bug'), which appears to have settled it, and SYSKEY has been pronounced secure enough to resist brute-force attacks.


Types of Password Attacks

Dictionary attack: In a dictionary attack, the attacker tries all the passwords pre-written in a separate file called the dictionary (which contains common passwords used by people and English dictionary words). It is a fast way of cracking a password, but its disadvantage is that the success rate is very poor.

Brute-force attack: Here the attacker tries all the permutations and combinations possible from a set of character sets like 0-9, A-Z, a-z and symbols. The advantage of a brute-force attack is that it can have a 100% success rate; however, for a long password it becomes so slow that it is almost unfeasible.

Hybrid attack: The attacker uses a combination of the previous two methods or any other. Hybrid attacks also involve pre-computed tables of hashes, which increase the speed; the tables are generated using all the character sets, which also increases the success rate.


Tools for Cracking Windows Password

Windows passwords can be cracked by using the following tools:

SamInside

Samjuicer

Ophcrack (Live CD and Windows installer)

ERD commander

Cain & Abel

John the Ripper


Password Cracking Countermeasures

Password cracking can be prevented on your machine when you follow the following countermeasures:

Try to enforce 14-character passwords that are alphanumeric with symbols.

Reset your passwords every 14 days.

Implement Physical security and isolate access to the Server.

Implement SYSKEY at the time of deployment.

Always remember to check the server logs for brute force attacks on user accounts.


Privilege Escalation

Privilege escalation is the act of gaining elevated access to resources that are normally protected from an operating system or from an application. The result is an application with more privileges than intended by the application developer.


Hiding Files

There are two ways of hiding files in NT/2000.

1. Attrib

use attrib +h [file/directory]

2. NTFS Alternate Data Streaming

The NTFS file system used by Windows NT, 2000 and XP has a feature called Alternate Data Streams, which allows data to be stored in hidden streams that are linked to a normal, visible file.

Streams are not limited in size and there can be more than one stream linked to a normal file.


Creating Alternate Data Streams

Step 1: Start by creating a folder on the c:\ drive with the name Test.

Then open a command prompt and type:

copy c:\windows\system32\calc.exe c:\

This command copies calc.exe to the c:\ drive.

Then type:

type c:\calc.exe>c:\test:calc.exe

Your calc.exe is now stored as a stream attached to the Test folder.

Check the folder contents and folder size. (The folder size will remain the same and nothing will be found in the directory listing.)

Now delete the calc.exe from c:\ drive and then type:

Start c:\test:calc.exe

You will see that calculator has been opened.


Countermeasures - Streams

Deleting a stream involves copying the 'front' file to a FAT partition, then copying it back to NTFS.

Streams are lost when the file is moved to a FAT partition.

Streams.exe, written by Sysinternals (later acquired by Microsoft), can detect streams.

You can download Streams from Microsoft's website.

The syntax for using streams.exe is as follows:

streams.exe -s c:\ to detect the streams on an NTFS partition

streams.exe -d -s c:\ to detect and delete streams from an NTFS partition.


Keystroke Loggers

A keylogger can be a device or an application that keeps track of all the keys pressed by creating a log file in a covert manner. The keyboard is used by a person who is not aware of the fact that he is being monitored.


Types of Keyloggers

There are two types of keyloggers:

Software Based Keylogger

Hardware Based Keylogger


Software Keyloggers

A software keylogger is an application that becomes invisible in the system and still captures all the keystrokes from the keyboard. It can store these key logs on the system or transmit them to its creator.

How do software keyloggers work?

Software keyloggers monitor the keyboard buffer using API calls through which the operating system notifies the keylogging application.

1. GetAsyncKeyState()

2. GetForegroundWindow()

etc. are used to record keystrokes from the keyboard.


Hardware KeyLoggers

A hardware keylogger is a tiny hardware device that can be attached between a keyboard and a computer.

It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user.

It can even record keystrokes before an operating system starts and can also log the BIOS password, if any, which is not possible for software keyloggers.

Hardware Keylogger & its Output


Covering Tracks

After disabling auditing and before leaving the machine, an attacker can also remove the event logs to cover their presence on the system.

When all the information of interest has been stripped from the target machine, the attacker installs several back doors so that they can get easy access next time instead of repeating the whole attack phase again; this saves a lot of time and reduces the level of suspicion.


Disabling Auditing

It is necessary to remove any digital traces to avoid being caught, so to ensure this, attackers disable auditing as soon as they gain access to a system, using the following command:

auditpol.exe /stop

The NT Resource Kit's auditpol.exe tool can disable auditing from the command line, and at the end of their stay the attackers simply turn auditing on again using:

auditpol.exe /start


Clearing the Event log

Attackers can easily wipe out the logs in the event viewer.

This process clears all records from the log; however, it leaves one record stating that the event log has been cleared by 'Attacker'.
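The single "log cleared" record mentioned above, and the audit policy change that auditpol.exe /stop and /start produce, are exactly what a defender should alert on. The following Python is an added example, not part of the original module, that scans a small constructed export of Security log records for those indicators and for suspicious stretches with no records at all (a stopped audit policy writes nothing). The event IDs are real Windows identifiers (1102 and 4719 on Vista and later, 517 and 612 on Windows 2000/XP/2003, 104 for the System log); the CSV rows, usernames and timestamps are constructed for this example, and the column layout is this example's own rather than any particular tool's export format.

```python
"""Added example (not part of the original module): a defender-side check over
a constructed export of Windows event records, flagging the traces that log
clearing and audit-policy changes leave behind."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Real Windows event IDs that indicate auditing was tampered with.
TAMPER_EVENT_IDS = {
    1102: "Security audit log was cleared",
    517: "Security audit log was cleared (Windows 2000/XP/2003 ID)",
    104: "System log was cleared",
    4719: "System audit policy was changed (auditing turned off or on)",
    612: "Audit policy changed (Windows 2000/XP/2003 ID)",
}

# Constructed sample export: the one record a cleared log keeps (1102), then an
# audit-policy change followed by nearly three hours with no Security events.
SAMPLE_CSV = """time,log,event_id,user,message
2024-05-01T11:41:00,Security,1102,alice,The audit log was cleared
2024-05-01T11:42:00,Security,4624,bob,An account was successfully logged on
2024-05-01T11:43:00,Security,4719,bob,System audit policy was changed
2024-05-01T14:30:00,Security,4719,bob,System audit policy was changed
2024-05-01T14:31:00,Security,4634,bob,An account was logged off
"""


def parse_events(text):
    """Parse a CSV export into dicts with a datetime 'time' and int 'event_id',
    sorted chronologically so gap detection works on neighbouring records."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def find_tamper_events(events):
    """Return (time, event_id, user, description) for every tamper indicator."""
    return [(e["time"], e["event_id"], e["user"], TAMPER_EVENT_IDS[e["event_id"]])
            for e in events if e["event_id"] in TAMPER_EVENT_IDS]


def find_silence_gaps(events, max_gap=timedelta(hours=1)):
    """Return (start, end) pairs where consecutive records are further apart
    than max_gap. Stopped auditing produces no records at all, so an
    unexplained silence on a busy host is worth investigating."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur["time"] - prev["time"] > max_gap:
            gaps.append((prev["time"], cur["time"]))
    return gaps


def analyze(text, max_gap=timedelta(hours=1)):
    """Run both checks over a CSV export and return the findings."""
    events = parse_events(text)
    return {"tamper": find_tamper_events(events),
            "gaps": find_silence_gaps(events, max_gap)}


if __name__ == "__main__":
    report = analyze(SAMPLE_CSV)
    for t, eid, user, desc in report["tamper"]:
        print(f"{t:%Y-%m-%d %H:%M} id={eid} user={user}: {desc}")
    for start, end in report["gaps"]:
        print(f"no records between {start:%H:%M} and {end:%H:%M}")
```

The gap threshold is a tuning knob: a domain controller or file server produces Security events every few seconds, so an hour of silence there is a strong signal, while a rarely used workstation needs a longer window or a comparison against its own normal activity.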


Application Isolation

Application isolation is the process of isolating a malicious executable in a separate memory process while giving it the illusion that it is running on the main machine. However, it is actually running in a different memory location, which provides it with a virtual environment.

Application Isolation means running your programs in an isolated space which prevents them from making permanent changes to other programs or data in your computer.

Case Study

Recovering a System with Forgotten Hybrid Password and syskey

Practicals

Ophcrack (Live CD) and Tool

ERD Commander (Live CD)

Working of syskey

Privilege Escalation using X.exe

Gaining System Account

Creating - Alternate Data Stream

Detecting ADS using Streams Utility from Sysinternals

Keylogger

Disabling Auditing using auditpol.exe

Clearing the Event Log

The elsave.exe utility is a simple tool for clearing the event log. The following syntax will clear the security log on the remote server 'rovil' (correct privileges are required on the remote system).

Save the system log on the local machine to d:\system.log and then clear the log:

elsave -l system -F d:\system.log -C

Save the application log on \\serv1 to \\serv1\d$\application.log:

elsave -s \\serv1 -F d:\application.log


Assignments:

Assignments and Research

1: Research over different Commercial Keyloggers.

2: Research over Rainbow Tables.

3: Research over Privilege Escalation.

4: Research over ADS.

5: Differentiate between different Privilege Escalation techniques in different versions of Windows (NT, 2000, 2003, XP & Vista).

6: Download and use John the Ripper.

7: Download and use Evidence Eliminator & WinZapper.

8: Use Sandboxie for Application Isolation.


References

Some Content in the Presentation has been adapted or used from Wikipedia, under the Creative Commons Attribution-ShareAlike 3.0 Unported License.

We would like to Thank Wikipedia for being such a great resource.

End of Module
