
System Attacks and Security Measures

Security Architecture of Windows


There are three components of Windows security:

LSA (Local Security Authority)
SAM (Security Account Manager)
SRM (Security Reference Monitor)

LSA (Local Security Authority)


The LSA is the central part of NT security and is also known as the security subsystem. It is a key component of the logon process in both Windows NT and Windows 2000; in Windows 2000 it validates users for both local and remote logons, and it also maintains the local security policy. During a local logon the user types a name and password into the logon dialog. Winlogon passes this information to the LSA, which calls the appropriate authentication package (MSV1_0 for local accounts). The package never stores or compares the clear-text password: it runs the password through a one-way hash function (the NT hash, MD4 over the UTF-16LE password) and queries the SAM database for the account's stored hash. If the computed hash matches the one in the SAM, the SAM returns the user's SID and the SIDs of the groups the user belongs to, and the LSA uses these SIDs to build the access token that every process started in that logon session will carry.

SAM (Security Account Manager)


The Security Accounts Manager is a database in the Windows operating system that holds local user and group accounts together with their password hashes. It is part of the registry (the HKLM\SAM hive) and is stored on the hard disk as a hive file. The SAM service makes this database available to the rest of the system. On a stand-alone machine or a domain member it serves the local accounts from the registry; on a domain controller the domain accounts are kept in Active Directory instead, and the local SAM holds only the accounts used in Directory Services Restore Mode. Once the service has opened the database it announces that the SAM is available, so that other services (such as the LSA during logon) can start querying it.



In the SAM each user account may have a password, stored not in clear text but as a hash (the NT hash; older systems also kept the much weaker LM hash). When someone attempts to log on, the user name is looked up in the SAM and the hash of the supplied password is compared with the stored hash; on a match, a sequence of events takes place that ultimately gives that person access to the system. If the user name or password does not match an entry in the SAM, an error message is returned and the information must be entered again. When you create a new user account with a password, its hash is stored in the SAM hive file, located at C:\Windows\System32\Config\SAM. The moment the operating system starts, the kernel holds this file open exclusively, so it cannot be opened or copied by ordinary means. An administrator can still export it with reg save HKLM\SAM, and offline attacks read it from a booted live CD or from a volume shadow copy. Note that the hashes inside the hive are themselves encrypted with a key derived from the SYSTEM hive (the boot key that Syskey protects), so an offline attacker needs both the SAM and the SYSTEM file.

SRM (Security Reference Monitor)


The Security Reference Monitor is the kernel component that controls user requests to access objects in the system. It enforces the access-validation and audit-generation policy: Windows NT forbids direct access to objects, so every access (for example, a user opening a specific file) must first be validated by the SRM, which checks the requested access against the object's access control list and the SIDs in the requesting process's token, and writes an audit record where the audit policy requires one. Windows 3.x and 9x were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed with an entirely different architecture and does contain one.

Windows User Account Architecture


User account passwords are not kept in the SAM as clear text but as hashes, normally displayed in hexadecimal. A hash is one-way: once a password has been hashed it cannot be converted back to clear text, so an attacker who obtains the hash must guess candidate passwords and hash each one until a match is found.

Cracking Windows User account Password


Passwords are stored as hashes. When a user logs on locally and enters a password, the same hash is computed and compared with the stored hash; if the two match, the user is authenticated. Over the network (NTLM) the hash is never transmitted: the server sends a random challenge and the client answers with a response computed from that challenge and the password hash, which is what the term challenge/response refers to. In both cases the hash alone is enough to authenticate, so a stolen hash is as good as the password (pass-the-hash). Passwords may be cracked manually or with automated tools, using a brute-force method or a rainbow table attack.

Net User: Command Prompt


The Windows command prompt utility Net User can also be used to manage user accounts in Windows. The commands are as follows:

To list the user accounts: Net User
To add a new user account: Net User Username Password /add
To delete a user account: Net User Username /delete
To change the password of a user account (you are prompted for the new password, so it does not appear on screen or in the command history): Net User Username *

To Run Net User in Vista or 7


Go to Start, type CMD in the search box, right-click the CMD icon and choose Run as administrator. Adding, deleting and changing accounts with Net User requires an elevated prompt.

Brute Force Attack


Brute force password guessing is what it sounds like: trying one candidate password after another until one works. In its pure form it enumerates every combination of a character set up to some length; in practice it is combined with dictionary guessing, where candidates are built from the person's name, job title, hobbies or similar items. Either way, each candidate is hashed and compared with the hash taken from the SAM, so the cost grows with the size of the search space. Tools exist to run this attack against the Windows SAM file; the best-known one for Windows user account passwords is Cain and Abel, another is SAMInside.


Rainbow Table Attack


A rainbow table attack trades time for memory: instead of hashing every candidate at crack time, the attacker builds a table of password-to-hash chains in advance and then uses it to invert a captured hash, which normally takes only seconds. This works against Windows hashes because neither the LM nor the NT hash is salted, so one table serves every machine. LM hashes, still produced by default on XP, are especially easy: they are case-insensitive and computed over two independent 7-character halves. A live CD can be used to crack Windows passwords with this technique; the best-known one is Ophcrack.
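As an added, runnable illustration of the hashing, brute-force and rainbow-table sections above (this is example code written for this page, not from the original slides or from any of the tools mentioned), the block below implements the NT hash from scratch, shows why an unsalted hash makes a precomputed table reusable, and shows what challenge/response actually looks like. The user name, domain, server challenge, wordlist and client blob are constructed sample values; the NTLMv2 blob is a simplified stand-in for the real structure.

```python
import hashlib
import hmac
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because hashlib's md4 is
    often disabled under OpenSSL 3 unless the legacy provider is loaded."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, message-word order, shift amounts, additive constant)
        (F, tuple(range(16)), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # the word being updated cycles a, d, c, b
                v[j] = rotl((v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                             + X[k] + const) & MASK32, shifts[i % 4])
        state = [(s + x) & MASK32 for s, x in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The NT hash the SAM stores: MD4 over the UTF-16LE password. No salt and
    no iteration, so equal passwords give equal hashes on every machine."""
    return md4(password.encode("utf-16-le")).hex()


def ntlmv2_proof(nt_hash_hex: str, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> str:
    """Network logon is challenge/response (NTLMv2, MS-NLMP): the hash never
    travels. The client returns HMAC-MD5 over the server's challenge, keyed by
    a value derived from the NT hash, so the hash alone is a usable credential."""
    key = hmac.new(bytes.fromhex(nt_hash_hex),
                   (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).hexdigest()


def brute_force(target_hex: str, candidates) -> Optional[str]:
    """Guessing at crack time: hash every candidate until one matches."""
    target = target_hex.lower()
    for guess in candidates:
        if nt_hash(guess) == target:
            return guess
    return None


def build_table(candidates) -> dict:
    """Precomputation: hash once, look up many times. A real rainbow table
    compresses this with reduction chains, but it works for the same reason:
    the hash is unsalted."""
    return {nt_hash(p): p for p in candidates}


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    wordlist = ["letmein", "Welcome1", "password", "Summer2010", "P@ssw0rd"]
    stolen = nt_hash("password")
    print("NT hash:", stolen)
    print("brute force:", brute_force(stolen, wordlist))
    print("table lookup:", build_table(wordlist).get(stolen))
    challenge = bytes.fromhex("0123456789abcdef")          # constructed server nonce
    blob = b"\x01\x01" + b"\x00" * 6 + bytes(8)             # constructed, simplified blob
    print("NTLMv2 proof from the hash alone:",
          ntlmv2_proof(stolen, "alice", "CORP", challenge, blob))
```

The table built by build_table is a plain dictionary rather than a chained rainbow table, but it makes the practical point: the only way to defeat precomputation is a salt or a slow, iterated hash, and the NT hash has neither. The ntlmv2_proof function takes the hash, not the password, to make explicit that an attacker who has dumped the SAM can answer a challenge without ever cracking anything.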


Creating Backdoors in Windows


Creating Hidden Accounts
Use the Net User command to create a hidden account in Windows:

Net User Hiddenuser /add

And then use the command

Net Localgroup Users Hiddenuser /delete

Removing the account from the Users group means the XP welcome screen no longer lists it, although it still shows up in the output of Net User and in the SAM. Log off the current user and press CTRL+ALT+DEL twice to get the classic Windows logon screen; type Hiddenuser as the user name and press Enter, and you will be logged in.

Note: This trick will not work in Windows Vista and Windows 7



Sticky Keys Backdoor
The Sticky Keys helper can be used as a backdoor in the Windows operating system. The logon screen launches C:\Windows\System32\SETHC.EXE as SYSTEM when Shift is pressed five times. If that file is replaced with a copy of CMD.EXE (the command prompt renamed to SETHC.EXE), pressing Shift five times at the user logon screen opens a command prompt running as SYSTEM, and Net User can then be used to change or add user accounts. On XP the swap can be done from an administrator prompt; on Vista and later the file is owned by TrustedInstaller, so it is normally done offline from a live CD. To detect it, compare the hash of sethc.exe (and of the other accessibility helpers utilman.exe, osk.exe, narrator.exe, magnify.exe and displayswitch.exe) with cmd.exe, and also check for an Image File Execution Options Debugger entry under those names, which gives the same result without touching the file at all.
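The file-swap variant of this backdoor can be checked for with a hash comparison. The following is an added example written for this page, not part of the original slides: it hashes the shells an attacker typically swaps in and flags any accessibility helper whose bytes are identical to one of them. The helper and shell file names are real Windows names; the demo() function builds a constructed System32 look-alike in a temporary directory with fake file contents so the check can be run anywhere.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers the logon screen launches as SYSTEM.
ACCESSIBILITY_HELPERS = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                         "magnify.exe", "displayswitch.exe")
# Binaries an attacker typically copies over one of the helpers to get a shell.
SHELLS = ("cmd.exe", "powershell.exe", "taskmgr.exe", "explorer.exe")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_helpers(system32: str) -> list:
    """Return (helper, shell) pairs for every accessibility helper whose content
    is byte-for-byte identical to a shell binary in the same directory."""
    base = Path(system32)
    shell_hashes = {}
    for name in SHELLS:
        p = base / name
        if p.is_file():
            shell_hashes[sha256_file(p)] = name
    findings = []
    for name in ACCESSIBILITY_HELPERS:
        p = base / name
        if p.is_file():
            match = shell_hashes.get(sha256_file(p))
            if match:
                findings.append((name, match))
    return sorted(findings)


def demo() -> list:
    """Scan a constructed System32 look-alike. The files are fake stand-ins,
    not real Windows binaries; only their equality matters for the check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "cmd.exe").write_bytes(b"MZ fake cmd.exe body")
        (base / "sethc.exe").write_bytes(b"MZ fake cmd.exe body")      # backdoored copy
        (base / "utilman.exe").write_bytes(b"MZ fake utilman.exe body")  # untouched
        return find_swapped_helpers(tmp)


if __name__ == "__main__":
    print(demo())  # [('sethc.exe', 'cmd.exe')]
    # On a real host: print(find_swapped_helpers(r"C:\Windows\System32"))
```

Two limits worth knowing: the check only catches a helper that equals one of the listed shells, so a helper replaced with some other binary needs a signature check (sigcheck, or Get-AuthenticodeSignature in PowerShell) instead, and the registry variant (an Image File Execution Options Debugger value for sethc.exe) leaves the file untouched and must be looked for separately.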


Configuring a Strong Login Password


A strong password is less susceptible to attack. The following rules, which correspond to the Windows "password must meet complexity requirements" policy, should be applied when creating a password:

Must not contain the user's account name or any part of the user's full name
Must have a minimum of eight characters
Must contain characters from at least three of the following categories:
  Non-alphanumeric symbols ($ : % @ ! #)
  Numbers
  Uppercase letters
  Lowercase letters
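An added example, not from the original slides, that implements the rules above the way Windows applies them: the account name is checked as a whole (and skipped when shorter than three characters), the full name is split on the delimiters Windows uses and only pieces of three or more characters count, and a fifth category (letters of scripts that have no upper/lower case) is included as in the Windows policy. The sample names and passwords are constructed.

```python
import re

# Delimiters Windows uses to split the full (display) name into tokens.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def _name_tokens(full_name: str) -> list:
    """Pieces of the full name that are checked; tokens shorter than three
    characters are ignored, as Windows does."""
    return [t for t in _NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def _category_count(password: str) -> int:
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),                           # symbols
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),  # caseless scripts
    )
    return sum(categories)


def check_complexity(password: str, account_name: str, full_name: str = "") -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    lower = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(account_name) >= 3 and account_name.lower() in lower:
        problems.append("contains the account name %r" % account_name)
    for token in _name_tokens(full_name):
        if token.lower() in lower:
            problems.append("contains part of the full name %r" % token)
    if _category_count(password) < 3:
        problems.append("fewer than 3 of the 5 character categories")
    return problems


if __name__ == "__main__":
    # Constructed sample account.
    for candidate in ("Winter2024", "winter2024", "Jdoe2024!", "Johnny2024!", "Abc1!"):
        print("%-12s %s" % (candidate, check_complexity(candidate, "jdoe", "John Doe") or "OK"))
```

Note that "Winter2024" passes every rule and is still a poor password: the complexity policy only rules out the weakest choices, and a dictionary-based attack as described above will try season-plus-year patterns early.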

Applying Syskey Security


Syskey adds a second layer of protection: the key that encrypts the password hashes inside the SAM is itself protected by a password that must be typed at boot (or by a key stored on a floppy), so a copied SAM cannot be decrypted without it.

Go to Start > Run > type Syskey

Click Update

Select Password Startup, set the Syskey password, confirm the password and click OK

Note: by default the Syskey key is generated and stored on the local machine, which gives no protection against an offline attacker who also has the SYSTEM hive; only the password or floppy option adds anything. Syskey was removed in Windows 10 version 1709 and Windows Server 2016 version 1709; on current systems use BitLocker instead.

Change the Boot Sequence


You should change the boot sequence in the BIOS so that the computer is not configured to boot from CD (or USB) first; the hard disk should be the first boot device. This stops casual use of attack live CDs such as Ophcrack. You may press the Del or F2 key at system boot to enter BIOS setup. Set a BIOS/UEFI setup password as well, otherwise the boot order can simply be changed back. Neither measure stops an attacker who removes the disk, so the real protection for the SAM against offline attack is full-disk encryption (BitLocker).


Registry Editing
What is the Registry? The Registry is a database used to store settings and options for the 32-bit (and later 64-bit) versions of Microsoft Windows. It contains information and settings for all the hardware, software, users and preferences of the PC. Whenever a user changes a Control Panel setting, a file association, a system policy or installed software, the change is reflected and stored in the Registry. Because it also holds the SAM, the autostart locations (Run keys, services) and the security policy, it is both a target for attackers and one of the first places to look when auditing a machine.


The physical files that make up the registry are stored differently depending on your version of Windows; under Windows NT/XP/Vista the machine hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) are separate files in the %SystemRoot%\System32\Config directory, and each user's HKEY_CURRENT_USER lives in NTUSER.DAT in that user's profile. These files are held open by the system and cannot be edited directly; you must use a tool commonly known as a "Registry Editor" to make any changes.

The Structure of Registry:
The Registry has a hierarchical structure; although it looks complicated, the structure is similar to the directory structure on your hard disk, with Regedit being similar to Windows Explorer. Each main branch (denoted by a folder icon in the Registry Editor) is called a hive, and hives contain keys. Each key can contain other keys (sometimes referred to as sub-keys) as well as values. The values hold the actual information stored in the Registry. The Registry Editor offers three kinds of new value (string, binary and DWORD), which map onto the data types listed further down; which one is used depends on the context.

There are five main Hives (branches), each containing a specific portion of the information stored in the Registry. They are as follows: HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface. HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings. HKEY_LOCAL_MACHINE - This branch contains computer specific information about the type of hardware, software, and other preferences on a given PC, this information is used for all users who log onto this computer.

HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a SID sub-key located under the main branch. HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.


Each registry value is stored as one of five main data types:

REG_BINARY - Stores the value as raw binary data. Most hardware component information is stored as binary data, and it is displayed in the editor in hexadecimal format.
REG_DWORD - Represents the data as a four-byte number; commonly used for Boolean values, where "0" is disabled and "1" is enabled.
REG_EXPAND_SZ - An expandable data string, that is a string containing a variable (such as %SystemRoot%) that is replaced when the value is read by an application.
REG_MULTI_SZ - A multiple string, used for values that contain lists or multiple values; each entry is separated by a NULL character and the list ends with a second NULL.
REG_SZ - A standard string, used to represent human-readable text values.
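The data types above are easiest to understand from their raw bytes. The block below is an added example written for this page (not from the original slides): it decodes a value's raw bytes according to its type, and on top of that parses the single-line form of the .reg export format that the Registry Editor writes, where string values appear quoted, DWORDs as dword:, and every other type as hex(N): byte lists. The SAMPLE_REG export and the environment mapping are constructed; continuation lines (a trailing backslash) are not handled.

```python
import re
import struct

# Numeric type codes used by the registry API and by hex(N): in .reg files.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def decode_value(reg_type: int, raw: bytes, env: dict = None):
    """Decode the raw bytes of a registry value according to its type."""
    if reg_type == REG_DWORD:
        if len(raw) != 4:
            raise ValueError("REG_DWORD must be exactly 4 bytes")
        return struct.unpack("<I", raw)[0]          # little-endian 32-bit
    if reg_type == REG_BINARY:
        return raw.hex()
    text = raw.decode("utf-16-le")                  # strings are stored as UTF-16LE
    if reg_type == REG_SZ:
        return text.split("\x00", 1)[0]             # stop at the NUL terminator
    if reg_type == REG_EXPAND_SZ:
        s = text.split("\x00", 1)[0]
        env = env or {}
        return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), s)
    if reg_type == REG_MULTI_SZ:
        return [s for s in text.split("\x00") if s]  # NUL-separated, double NUL at the end
    raise ValueError("unsupported registry type %d" % reg_type)


_VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
_HEX_DATA = re.compile(r"hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_line(line: str, env: dict = None):
    """Parse one value line of a .reg export into (name, type, decoded value)."""
    m = _VALUE_LINE.match(line.strip())
    if not m:
        raise ValueError("not a value line: %r" % line)
    name = "@" if m.group("name") is None else _unescape(m.group("name"))
    data = m.group("data")
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return name, REG_SZ, _unescape(data[1:-1])
    if data.startswith("dword:"):
        return name, REG_DWORD, int(data[6:], 16)
    hm = _HEX_DATA.match(data)
    if not hm:
        raise ValueError("unrecognised data: %r" % data)
    reg_type = int(hm.group("t"), 16) if hm.group("t") else REG_BINARY
    raw = bytes.fromhex(hm.group("bytes").replace(",", "").replace(" ", ""))
    return name, reg_type, decode_value(reg_type, raw, env)


def parse_reg_export(text: str, env: dict = None) -> dict:
    """Parse a .reg export into {key path: {value name: (type, decoded value)}}."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        name, reg_type, value = parse_reg_line(line, env)
        result[key][name] = (reg_type, value)
    return result


# Constructed export of a fictional service key, in the format regedit writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Svc]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,61,00,2e,00,65,00,78,00,65,00,00,00
"Sources"=hex(7):41,00,00,00,42,00,00,00,00,00
"Blob"=hex:de,ad,be,ef
@="Example service"
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG, {"SystemRoot": r"C:\Windows"})
    for key, values in parsed.items():
        print(key)
        for name, (reg_type, value) in values.items():
            print("  %-10s type=%d  %r" % (name, reg_type, value))
```

Reading the raw form is what makes a few classic tricks visible: a REG_EXPAND_SZ ImagePath that resolves to an unexpected location once the variables are expanded, or a REG_MULTI_SZ whose extra entries are hidden after the first NUL in tools that stop at the terminator.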

The Registry Editor (REGEDIT.EXE) is included with most versions of Windows and lets you view, search and edit the data within the Registry. There are several ways to start it; the simplest is to click the Start button, select Run, and type "regedit" in the Open box. Editing keys under HKEY_LOCAL_MACHINE requires administrator rights.

Applying the Restrictions on the Files and Folders


You can set permissions on files and folders in Windows so that other users cannot open or access them. Windows provides the command-line ACL editor CACLS (deprecated since Vista in favour of ICACLS, which supports the same operations) to apply access control to files and folders. Say we have a folder Info; to set the permission on Info, the command is as follows:

CACLS Info /E /P Everyone:N

/E edits the existing ACL instead of replacing it, and /P Everyone:N replaces the Everyone group's access with none. To remove the restriction on the folder, the command is as follows:

CACLS Info /E /P Everyone:F

Note: make sure that you are in the correct directory in the command prompt while locking files or folders. If the folder name contains spaces, put the folder name in double quotes when running the command. Also note that /P only changes the Everyone entry: the owner, the Administrators group and any other explicit entries keep their access, so check the resulting ACL with CACLS Info (or ICACLS Info) rather than assuming the folder is locked.

Hiding Files behind Folders on the Local Hard Disk: ADS


You can hide files behind folders (or other files) on an NTFS volume using alternate data streams (ADS). Say we have a text file Secret.txt and a folder C:\Info. To hide the text file behind the folder, the command is as follows:

Type Secret.txt > C:\Info:Secret.txt

Now delete the original file. Neither the folder's size nor a plain dir listing shows the stream. To view the hidden file, the command is as follows:

Start C:\Info:Secret.txt

(or More < C:\Info:Secret.txt to print it in the console). To search for hidden streams, the Sysinternals tool Streams can be used. To list the hidden files: Streams -s C:\Info (-s recurses into subdirectories). To delete them: Streams -d C:\Info. On Vista and later, dir /r also lists alternate data streams. Streams exist only on NTFS: copying the folder to a FAT or exFAT volume, or sending it through a channel that is not NTFS-aware, silently drops the hidden data.

Steganography
Steganography is the technique of hiding content (text or other files) inside a cover file such as an image, so that the carrier looks unchanged and can be sent over the Internet without revealing that a message is present. Windows internal commands (for example copy /b image.jpg + secret.txt out.jpg, which appends the secret after the image data so the picture still displays) as well as dedicated steganography tools can be used. The copy /b trick is easily spotted by comparing the file size with the image dimensions or by looking past the JPEG end-of-image marker; proper tools embed the data in the pixel data itself.

Performing System Security


Process Monitoring
Application Monitoring

Application Monitoring
Users should regularly check how many applications are installed on the computer. This can be done with the Add/Remove Programs utility in Control Panel. Uninstall every application that you did not install or do not use.

Process Monitoring
Process Explorer is a free GUI-based process viewer utility that displays detailed information about the processes running under Windows. For each process it shows memory, threads and loaded modules; for each DLL it shows the full path and version information. Check the processes running under Explorer.exe (that is, started by the logged-on user) and kill any that are suspicious. Enable Options > Verify Image Signatures and add the Verified Signer column so that unsigned binaries stand out; a process with a misspelled system name, an unusual path, or no valid signature deserves a closer look.
