
System Attacks and Security Measures

Security Architecture of Windows


There are three components of Windows Security:
LSA (Local Security Authority)
SAM (Security Account Manager)
SRM (Security Reference Monitor)

LSA (Local Security Authority)

LSA is the central part of NT security and is also known as the Security
Subsystem. The Local Security Authority (LSA) is a key component of the
logon process in both Windows NT and Windows 2000. In Windows 2000, the
LSA is responsible for validating users for both local and remote logons.
The LSA also maintains the local security policy.

During a local logon to a machine, the person enters a name and password
into the logon dialog. This information is passed to the LSA, which then
calls the appropriate authentication package. The password itself is not
compared in clear text: it is transformed with a one-way hash function
into a non-reversible secret key. The LSA then queries the SAM database
for the user's account information. If the key provided matches the one
held in the SAM, the SAM returns the user's SID and the SIDs of any groups
the user belongs to. The LSA then uses these SIDs to generate the
security access token.

SAM (Security Account Manager)

The Security Accounts Manager is a database in the Windows operating
system (OS) that contains user names and passwords. The SAM is part of
the registry and is stored on the hard disk. The SAM service is
responsible for making the connection to the SAM database (which holds
the available user accounts and groups). The SAM database can be placed
either in the local registry or in Active Directory (if available). Once
the service has made the connection, it announces to the system that the
SAM database is available, so that other services can start accessing it.

SAM (Security Account Manager)

In the SAM, each user account can be assigned a Windows password, which
is stored in hashed rather than clear-text form. If someone attempts to
log on to the system and the user name and associated password match an
entry in the SAM, a sequence of events takes place that ultimately allows
that person access to the system. If the user name or password does not
match any entry in the SAM, an error message is returned requesting that
the information be entered again.
When you create a new user account with a password, it is stored in the
SAM file.
The Windows security file is located at
C:\Windows\System32\Config\SAM
As soon as the operating system starts, the SAM file is locked by the
system and cannot be opened or copied by ordinary means.

SRM (Security Reference Monitor)

The Security Reference Monitor is a security architecture component that
is used to control user requests to access objects in the system. The SRM
enforces access validation and audit generation. Windows NT forbids
direct access to objects: any access to an object must first be validated
by the SRM. For example, if a user wants to access a specific file, the
SRM validates the request. The Security Reference Monitor thus enforces
both the access validation and the audit generation policy.

The reference monitor checks the nature of the request against a table of
allowable access types for each process on the system. For comparison,
the Windows 3.x and 9x operating systems were not built with a reference
monitor, whereas the Windows NT line, which also includes Windows 2000
and Windows XP, was designed with an entirely different architecture and
does contain a reference monitor.

Windows User Account Architecture

User account passwords are kept in the SAM in hexadecimal form, as
hashes. Once a password has been converted to a hash, it cannot be
converted back to clear text.

Cracking Windows User Account Passwords

Passwords are stored and transmitted in a one-way hashed form called a
hash, never in clear text. When a user logs on to a system and enters a
password, a hash is generated and compared with the stored hash. If the
entered and stored hashes match, the user is authenticated (this is
referred to as challenge/response).
Passwords may be cracked manually or with automated tools, using either
a brute-force method or a rainbow table attack.

Net User: Command Prompt

The Windows command prompt utility Net User can also be used to
manipulate user accounts in Windows. The commands are as follows:
To list the user accounts: Net User
To add a new user account: Net User Username Password /add
To delete a user account: Net User Username /delete
To change the password of a user account: Net User Username *

To Run Net User in Vista or 7

Go to Start, type CMD in the search box, right-click the CMD icon and
choose the option Run as administrator.

Brute Force Attack

Brute-force password guessing is just what it sounds like: a random
approach that tries different passwords and hopes that one works. Some
logic can be applied by trying passwords related to the person's name,
job title, hobbies, or other similar items.
A brute-force tool generates candidate passwords and their associated
hashes and compares them with the stored hash.
There are tools available to perform a brute-force attack on the Windows
SAM file. The best-known tool for Windows user account password
brute-forcing is Cain and Abel; another is SAMInside.

Cain and Abel

Rainbow Table Attack

A rainbow table attack trades off the time-consuming process of computing
all possible password hashes by building a table of hashes in advance of
the actual crack. After this process is finished, the table, called a
rainbow table, is used to crack the password, which then normally takes
only a few seconds.
A live CD can be used to crack the Windows password with the rainbow
table technique. The best-known live CD for this is Ophcrack.

OphCrack

Creating Backdoors in Windows

Creating Hidden Accounts

Use the Net User command to create a hidden account in Windows:

Net User Hiddenuser /add

And then use the command

Net Localgroup Users Hiddenuser /delete

Log off the current user and press ALT+CTRL+DEL twice to get the classic
Windows user login screen.

Type the username Hiddenuser and hit Enter; you will be logged in.

Note: This trick does not work in Windows Vista and Windows 7.
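A defensive check for this, as an added example that is not part of the original slides: an account created this way is still listed by Net User but is absent from the Users group, so comparing the two listings exposes it. The two command outputs below are constructed samples in net.exe's format; on a live host the same text comes from subprocess.run(["net", "user"], capture_output=True, text=True).stdout, and BUILTIN is an assumed ignore list for accounts that are legitimately outside Users.

```python
"""Detect local accounts that were removed from the Users group.
Added example, not from the original slides: it compares "net user" with
"net localgroup Users"; the two strings are constructed sample output
in net.exe's format (on a live host, feed it subprocess output instead)."""
import re

NET_USER_OUTPUT = r"""User accounts for \\WORKSTATION

-------------------------------------------------------------------------------
Administrator            Guest                    Hiddenuser
alice                    bob
The command completed successfully.
"""

NET_LOCALGROUP_USERS_OUTPUT = r"""Alias name     Users
Comment        Users are prevented from making accidental or intentional system-wide changes.

Members

-------------------------------------------------------------------------------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
alice
bob
The command completed successfully.
"""

# Built-in accounts that legitimately sit outside Users; review them separately.
BUILTIN = {"administrator", "guest"}

def parse_net_names(output):
    """Collect the names printed between the dashed rule and the trailer line."""
    # "net user" lists up to three names per line in wide columns; group members
    # may contain single spaces (NT AUTHORITY\INTERACTIVE), so split on 2+ spaces.
    names, in_table = set(), False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table and line.strip():
            names.update(re.split(r" {2,}", line.strip()))
    return names

def hidden_accounts(user_output, users_group_output):
    """Accounts listed by "net user" that are not members of the Users group."""
    members = {m.lower() for m in parse_net_names(users_group_output)}
    return {u for u in parse_net_names(user_output)
            if u.lower() not in members and u.lower() not in BUILTIN}
```

Run hidden_accounts(NET_USER_OUTPUT, NET_LOCALGROUP_USERS_OUTPUT) on the samples and only Hiddenuser is reported; any name it returns on a real host deserves a look at when and by whom it was created.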

Creating Backdoors in Windows

Sticky Keys Backdoor
The Sticky Keys application can be used as a backdoor into the Windows
operating system. The command prompt file CMD.EXE can be renamed to
SETHC.EXE in the C:\Windows\System32 folder. After this, pressing the
Shift key five times on the user login screen brings up a command prompt
right there, and the Net User command can be used to modify user
accounts thereafter.
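A defensive check for this backdoor, as an added example that is not part of the original slides: because the trick leaves sethc.exe as a byte-for-byte copy of cmd.exe, hashing both files exposes it, and comparing against a digest recorded from a trusted install of the same Windows build catches any other replacement; KNOWN_GOOD is a labelled placeholder for that baseline. Verifying the file's Authenticode signature is a stronger check; this example sticks to digests.

```python
"""Check whether sethc.exe has been swapped for a copy of cmd.exe.
Added example, not from the original slides. The backdoor described above
leaves sethc.exe byte-identical to cmd.exe, which a digest comparison
exposes; a digest recorded from a trusted install of the same Windows build
(KNOWN_GOOD, a placeholder here) also catches any other replacement."""
import hashlib
import os
from pathlib import Path

SYSTEM32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
KNOWN_GOOD = ""  # PLACEHOLDER: sha256 of sethc.exe from a trusted install

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_of(path):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def assess(sethc_hash, cmd_hash, known_good=""):
    """Return findings for the two digests; an empty list means nothing suspicious."""
    findings = []
    if sethc_hash == cmd_hash:
        findings.append("sethc.exe is byte-identical to cmd.exe")
    if known_good and sethc_hash != known_good:
        findings.append("sethc.exe digest does not match the recorded baseline")
    return findings

def check_sticky_keys(system32=SYSTEM32, known_good=KNOWN_GOOD):
    """Hash the live binaries; run from an elevated prompt on the host."""
    return assess(sha256_of(system32 / "sethc.exe"),
                  sha256_of(system32 / "cmd.exe"), known_good)

if __name__ == "__main__":
    print(check_sticky_keys() or ["no tampering detected"])
```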

Command Prompt on the User Login Screen

Configuring a Strong Login Password

A strong password is less susceptible to attack by a hacker. The
following rules should be applied when you create a password, to protect
it against attacks:
• It must not contain any part of the user's account name.
• It must have a minimum of eight characters.
• It must contain characters from at least three of the following four
categories:
  • Non-alphanumeric symbols ($ : % @ ! #)
  • Numbers
  • Uppercase letters
  • Lowercase letters
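The rules above as a checker, as an added example that is not part of the original slides. "Must not contain any part of the user's account name" is taken here, as an assumption, to mean any run of three or more consecutive characters of the account name, compared case-insensitively; the other two rules are applied exactly as listed.

```python
"""Check a candidate password against the rules listed above.
Added example, not from the original slides. "Must not contain any part
of the account name" is taken here, as an assumption, to mean any run of
three or more consecutive characters of the account name, compared
case-insensitively."""
import string

# The four character categories from the slide; three of them are required.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}
MIN_LENGTH = 8
MIN_CATEGORIES = 3

def categories_present(password):
    return {name for name, chars in CATEGORIES.items() if any(c in chars for c in password)}

def account_name_fragments(account, min_len=3):
    """Every substring of the account name with at least min_len characters (assumption)."""
    a = account.lower()
    return {a[i:j] for i in range(len(a)) for j in range(i + min_len, len(a) + 1)}

def password_problems(password, account):
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(categories_present(password)) < MIN_CATEGORIES:
        problems.append(f"uses fewer than {MIN_CATEGORIES} of the 4 character categories")
    lowered = password.lower()
    if any(frag in lowered for frag in account_name_fragments(account)):
        problems.append("contains part of the account name")
    return problems

if __name__ == "__main__":
    for pw, user in [("Winter2024!", "alice"), ("alice123", "alice"), ("Short1!", "bob")]:
        print(pw, "->", password_problems(pw, user) or ["ok"])
```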

Applying Syskey Security

Go to Start > Run and type Syskey.
Click Update.
Set the Syskey password, confirm the password and click OK.

Change the Boot Sequence

You should change the boot sequence in the BIOS so that your computer is
not configured to boot from the CD first; the hard disk should be
configured as the first boot device. This protects your computer from
attacks using live CDs such as the one described above. Set a BIOS setup
password as well, since otherwise anyone at the keyboard can simply
change the order back. You can press the Del or F2 key at system boot to
enter the BIOS setup.


Registry Editing
What is the Registry?
The Registry is a database used to store settings and options for the
32-bit versions of Microsoft Windows. It contains information and
settings for all the hardware, software, users, and preferences of the
PC. Whenever a user changes a Control Panel setting, a file association,
a system policy, or installed software, the change is reflected and
stored in the Registry.


The physical files that make up the registry are stored differently
depending on your version of Windows; under Windows NT/XP/Vista the
files are kept separately in the %SystemRoot%\System32\Config directory.
You cannot edit these files directly; you must use a tool commonly known
as a "Registry Editor" to make any changes.

The Structure of the Registry:

The Registry has a hierarchical structure; although it looks
complicated, the structure is similar to the directory structure on your
hard disk, with Regedit being similar to Windows Explorer.

Each main branch (denoted by a folder icon in the Registry Editor) is
called a hive, and hives contain keys. Each key can contain other keys
(sometimes referred to as sub-keys) as well as values. The values hold
the actual information stored in the Registry. There are three basic
kinds of values, String, Binary, and DWORD, and which one is used
depends on the context.


There are five main hives (branches), each containing a specific portion
of the information stored in the Registry. They are as follows:

HKEY_CLASSES_ROOT - This branch contains all of your file association
mappings to support the drag-and-drop feature, OLE information, Windows
shortcuts, and core aspects of the Windows user interface.
HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS
appropriate for the user currently logged onto the PC and contains
information such as logon names, desktop settings, and Start menu
settings.
HKEY_LOCAL_MACHINE - This branch contains computer-specific information
about the type of hardware, software, and other preferences on a given
PC; this information is used for all users who log onto this computer.


HKEY_USERS - This branch contains individual preferences for each user
of the computer; each user is represented by a SID sub-key located under
the main branch.
HKEY_CURRENT_CONFIG - This branch links to the section of
HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.


Each registry value is stored as one of five main data types:

REG_BINARY - This type stores the value as raw binary data. Most
hardware component information is stored as binary data and is displayed
in an editor in hexadecimal format.
REG_DWORD - This type represents the data as a four-byte number and is
commonly used for Boolean values, such as "0" for disabled and "1" for
enabled.
REG_EXPAND_SZ - This type is an expandable data string: a string
containing a variable that is replaced when the value is read by an
application.
REG_MULTI_SZ - This type is a multiple string, used to represent values
that contain lists or multiple values; each entry is separated by a NULL
character.
REG_SZ - This type is a standard string, used to represent human-readable
text values.
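To make these storage formats concrete, an added example that is not part of the original slides: a decoder for raw value data of each of the five types. It assumes the byte layouts the Windows registry API uses (UTF-16LE strings with a NUL terminator, a little-endian 32-bit REG_DWORD, a double-NUL-terminated REG_MULTI_SZ) and the API's numeric type codes; the sample values and the environment mapping used to expand REG_EXPAND_SZ are constructed.

```python
"""Decode raw registry value data according to its type.
Added example, not from the original slides. It covers the five types
listed above: REG_DWORD is a little-endian 32-bit integer, the string
types are UTF-16LE with a NUL terminator, REG_MULTI_SZ ends with a double
NUL, and REG_EXPAND_SZ variables are resolved from a caller-supplied
mapping. The sample values at the bottom are constructed."""
import re
import struct

# Numeric type codes as used by the Win32 registry API.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

def expand(text, env):
    """Replace %NAME% with env[NAME] (case-insensitive); unknown names stay as-is."""
    table = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: table.get(m.group(1).upper(), m.group(0)), text)

def decode_value(reg_type, data, env=None):
    if reg_type == REG_DWORD:
        if len(data) != 4:
            raise ValueError("REG_DWORD must be exactly four bytes")
        return struct.unpack("<I", data)[0]
    if reg_type == REG_BINARY:
        return bytes(data)
    text = data.decode("utf-16-le")
    if reg_type == REG_MULTI_SZ:
        return [s for s in text.split("\0") if s]   # drop the terminator(s)
    text = text.split("\0", 1)[0]                   # single NUL-terminated string
    if reg_type == REG_SZ:
        return text
    if reg_type == REG_EXPAND_SZ:
        return expand(text, env or {})
    raise ValueError(f"unsupported registry type {reg_type}")

def utf16z(s):
    """Encode a Python string the way the registry stores REG_SZ data."""
    return (s + "\0").encode("utf-16-le")

# Constructed sample values: (name, type, raw bytes) as a hive would hold them.
SAMPLE_VALUES = [
    ("Enabled", REG_DWORD, b"\x01\x00\x00\x00"),
    ("ToolPath", REG_EXPAND_SZ, utf16z(r"%SystemRoot%\System32\regedit.exe")),
    ("Servers", REG_MULTI_SZ, utf16z("alpha\0beta") + b"\0\0"),
    ("Label", REG_SZ, utf16z("Sample text")),
    ("Blob", REG_BINARY, b"\xde\xad\xbe\xef"),
]

def decode_samples(env):
    return {name: decode_value(t, raw, env) for name, t, raw in SAMPLE_VALUES}
```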


The Registry Editor (REGEDIT.EXE) is included with most versions of
Windows; it enables you to view, search and edit the data within the
Registry. There are several ways to start the Registry Editor; the
simplest is to click the Start button, select Run, and in the Open box
type "regedit".

Applying Restrictions on Files and Folders

You can set permissions on files and folders in Windows so that no one
else can open or access them. Windows includes the Access Control List
command CACLS to apply access security to files and folders. Say we have
a folder Info; to set the permission on Info, the command is as follows:

CACLS Info /E /P Everyone:N

To remove the restriction on the folder, the command is as follows:

CACLS Info /E /P Everyone:F

Here /E edits the existing ACL instead of replacing it, and /P replaces
the permissions of the named user or group (N for none, F for full
control).

Note: Make sure that you are in the correct directory in the command
prompt while locking files or folders. If the folder name contains
spaces, put the folder name in quotation marks when running the command.

Hiding Files behind Folders on the Local Hard Disk: ADS

You can hide your important files behind folders on your hard disk using
NTFS alternate data streams (ADS). Say we have a text file Secret.txt and
a folder C:\Info. To hide the text file behind the folder, the command is
as follows:

Type Secret.txt > C:\Info:Secret.txt

Now delete the original file. To view the hidden file, the command is as
follows:

Start C:\Info:Secret.txt

To search for hidden streams, the Sysinternals tool Streams can be used:
To search for the hidden files: streams -s C:\Info
To delete the hidden files: streams -d C:\Info

Steganography
Steganography is the technique of placing text content inside images.
It is often described as a way for terrorists to hide secret messages
inside images and to convey the message by sending the image over the
Internet.
Windows internal commands as well as steganography tools can be used to
perform this technique.

Performing System Security

Process Monitoring
Application Monitoring

Application Monitoring
Users should always check how many applications are installed on the
computer.
This can be done using the Add/Remove Programs utility available in
Control Panel.
Uninstall all applications that you did not install or do not use.

Process Monitoring
Process Explorer is a free GUI-based process viewer utility that displays
detailed information about processes running under Windows.
For each process it displays memory, thread, and module usage.
For each DLL, it shows the full path and version information.
The user can check the processes running under Explorer.exe and kill all
suspicious processes.
