Windows password
Windows keeps the hashes of local account passwords in the SAM registry hive, stored on disk at C:\Windows\System32\config\SAM; the SYSTEM hive in the same directory holds the boot key needed to decrypt it. The SAM file is not read-only in the permission sense: the running operating system holds it open with an exclusive lock, so it cannot be copied, renamed or edited while Windows is up, and only SYSTEM-level access can read its contents through the registry.
Older versions of Windows (NT, 2000 and XP) kept a backup copy of the SAM and SYSTEM hives in the repair directory under the Windows installation (C:\Windows\repair, C:\WINNT\repair on NT 4 and 2000), which was not locked and could be copied easily. On current Windows a copy can still be obtained from a Volume Shadow Copy, or by exporting the hives with reg.exe save as an administrator.
Windows does not store passwords "using NTLMv2". The SAM stores one-way hashes of the password: the legacy LM hash and the NT hash (an MD4 digest of the UTF-16LE password, often loosely called the "NTLM hash"). LM, NTLM, NTLMv2 and Kerberos are the authentication protocols that use those hashes (or, for Kerberos, keys derived from the password) to prove knowledge of the password over the network, and a Windows machine can support all of them.
LAN Manager (LM) is the oldest authentication protocol and hash format used by Microsoft. The LM hash upper-cases the password and splits it into two 7-character halves that are hashed independently, which is why it cracks so easily; Windows stops storing it by default from Vista onwards.
SAM stands for Security Account Manager.
SYSKEY
SYSKEY (syskey.exe) adds a layer of encryption over the password hashes inside the SAM, using a 128-bit RC4 key derived from the boot key. The boot key can be kept in the registry (the default), on a floppy disk, or derived from a start-up password. Because the default boot key is recoverable from the SYSTEM hive, hash-dumping tools simply read it and decrypt the SAM offline, so SYSKEY only helps when the key is stored off the machine. Microsoft removed syskey.exe in Windows 10 version 1709 and Windows Server 2016 version 1709.
Types of password attacks
Dictionary attack
The attacker hashes every candidate in a prewritten list (the dictionary), typically common passwords and natural-language words, and compares each result with the stolen hash. It is fast because the candidate list is small, but it succeeds only if the password actually appears in the list.
Brute-force attack
The attacker tries every string that can be formed from a chosen character set (for example 0-9, A-Z, a-z and symbols) up to a given length. It is guaranteed to find the password eventually, because every possible string is tried, but the number of candidates grows exponentially with the length, so for long passwords it becomes so slow that it is practically infeasible.
Hybrid attack
A hybrid attack combines the two: dictionary words are mangled with rules (a digit or year appended, the first letter capitalised, characters substituted) to cover the predictable variations people apply to real words, at a cost far below a full brute force.
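To make the three attack types concrete, here is an added example (written for this page, not a tool from the original post) that computes NT hashes exactly as the SAM stores them (MD4 over the UTF-16LE password, no salt) and runs a dictionary, a hybrid and a brute-force attack against one. The MD4 routine is written out inline because hashlib's md4 is missing on many OpenSSL 3 builds; the wordlist, suffix rules and target passwords are constructed for the demonstration.

```python
"""Added example (not from the original page): compute NT hashes the way the
SAM stores them and run dictionary, hybrid and brute-force attacks on one.
The wordlist, target passwords and mangling rules below are constructed."""
import itertools
import string
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included because hashlib's md4 is often
    unavailable on OpenSSL 3 builds."""
    msg = bytearray(data)
    msg.append(0x80)                       # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def dictionary_attack(target: str, wordlist):
    """Hash each word as-is; succeeds only if the password is in the list."""
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


def hybrid_attack(target: str, wordlist, suffixes=("", "1", "123", "!", "2024")):
    """Dictionary words plus simple mangling rules (case + suffix), the kind
    of rule set John the Ripper applies to a wordlist."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                candidate = base + suffix
                if nt_hash(candidate) == target:
                    return candidate
    return None


def brute_force_attack(target: str, charset: str, max_len: int):
    """Try every string over charset up to max_len; the number of candidates
    is the sum of len(charset) ** n for n = 1 .. max_len."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if nt_hash(candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    wordlist = ["password", "letmein", "summer", "welcome"]   # constructed
    print("NT hash of 'password':", nt_hash("password"))
    print("dictionary:", dictionary_attack(nt_hash("letmein"), wordlist))
    print("hybrid:", hybrid_attack(nt_hash("Summer123"), wordlist))
    print("brute force:", brute_force_attack(nt_hash("4711"), string.digits, 4))
```

Because the NT hash is unsalted, each candidate hash can be compared against every account's hash at once and precomputed tables (what Ophcrack uses) work directly; a real cracker such as John the Ripper does the same three things at millions of candidates per second, so the only thing that changes the outcome is the length and unpredictability of the password.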
Tools for cracking Windows passwords (just to list a few)
- SAMInside
- Samjuicer
- Ophcrack (Live CD and Windows installer; uses precomputed rainbow tables)
- ERD Commander
- Cain & Abel
- John the Ripper
Password cracking countermeasures
- Enforce passwords of at least 14 characters mixing letters, digits and symbols; at 15 characters or more Windows cannot store an LM hash at all
- Reset passwords every 30 days
- Implement physical security and isolate access to the server, since the SAM and SYSTEM hives can be copied from any machine that can be booted from external media
- Implement SYSKEY at deployment time (Windows 2000 through 8.1; it is enabled by default, and the utility was removed in Windows 10 version 1709)
- Always check the server logs for brute-force attempts against user accounts; a run of failed logons (Security event ID 4625) from one source is the signature to look for
Covering tracks
After disabling auditing and before leaving the machine, an attacker typically also clears the event logs to hide their presence on the system and plants a backdoor for future access.
Disabling auditing
Attackers want to remove every digital trace that could get them caught, so one of the first things they do after gaining access to a system is to disable auditing. With the NT Resource Kit auditpol tool the command is:
auditpol.exe /disable
On Windows Vista and later the built-in auditpol.exe uses a different syntax: "auditpol /clear" removes all audit policy settings, and a defender can review the current policy with "auditpol /get /category:*". Changing the audit policy is itself recorded as Security event ID 4719 (System audit policy was changed), so disabling auditing leaves a trace unless the log is cleared afterwards.
Clearing the event log
elsave.exe is a small command-line utility for saving and clearing event logs. Its options are -s (remote server), -l (log name), -F (file to save to) and -C (clear). The following command clears the Security log on the remote server "rovil" (the appropriate privileges are required on the remote system):
C:\> elsave -s \\rovil -l "Security" -C
Save the System log on the local machine to d:\system.log and then clear it:
C:\> elsave -l System -F d:\system.log -C
Save the Application log on \\serv1 to \\serv1\d$\application.log (the -F path is interpreted on the remote machine):
C:\> elsave -s \\serv1 -l Application -F d:\application.log
Clearing the Security log does not give the attacker a clean slate: Windows writes Security event ID 1102 (The audit log was cleared; event 517 on NT, 2000 and XP) as the first entry of the freshly cleared log, together with the account that cleared it, and that entry is exactly what a defender should alert on.
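The last countermeasure above (checking the logs for brute-force attempts) and the covering-tracks techniques have a defensive counterpart, shown here as an added example that is not part of the original page: it scans Security event records for a burst of failed logons (event ID 4625) from one source, checks whether a successful logon (4624) from that source followed, and flags the two events that an audit-policy change and a log clear leave behind (4719 and 1102). The event IDs are real; the sample records and their pipe-delimited layout are constructed for the example (a real deployment would read the events with Get-WinEvent or from a SIEM).

```python
"""Added example (not from the original page): scan Windows Security log
records for a brute-force burst and for the events left behind when auditing
is disabled or the log is cleared. SAMPLE_LOG and its pipe-delimited layout
(timestamp|event_id|computer|account|source_ip) are constructed for the
example; the event IDs 4625, 4624, 4719 and 1102 are the real Windows ones."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T10:00:01|4625|SRV01|administrator|10.0.0.5
2024-03-01T10:00:03|4625|SRV01|administrator|10.0.0.5
2024-03-01T10:00:04|4625|SRV01|alice|10.0.0.5
2024-03-01T10:00:06|4625|SRV01|administrator|10.0.0.5
2024-03-01T10:00:07|4625|SRV01|administrator|10.0.0.5
2024-03-01T10:00:09|4624|SRV01|administrator|10.0.0.5
2024-03-01T10:15:00|4625|SRV01|bob|10.0.0.9
2024-03-01T11:02:00|4625|SRV01|bob|10.0.0.9
2024-03-01T11:30:10|4719|SRV01|administrator|-
2024-03-01T11:30:12|1102|SRV01|administrator|-
"""

# Events that survive an attacker's clean-up: changing the audit policy and
# clearing the Security log are themselves audited.
TAMPER_EVENTS = {
    4719: "System audit policy was changed",
    1102: "The audit log was cleared",
}


def parse_events(text: str):
    """Parse the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, computer, account, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "computer": computer, "account": account, "src": src})
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag any source IP with >= threshold failed logons (4625) inside one
    sliding window, and note whether a success (4624) from it followed."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(e)
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1                      # slide the window forward
            if hi - lo + 1 >= threshold:
                last = evs[hi]["ts"]
                success = any(e["id"] == 4624 and e["src"] == src and e["ts"] >= last
                              for e in events)
                alerts.append({"src": src, "count": hi - lo + 1,
                               "accounts": sorted({e["account"] for e in evs[lo:hi + 1]}),
                               "success_after": success})
                break                        # one alert per source is enough
    return alerts


def find_tampering(events):
    """Return (timestamp, event id, account, description) for every audit
    policy change or log clear; these are the traces covering tracks leaves."""
    return [(e["ts"].isoformat(), e["id"], e["account"], TAMPER_EVENTS[e["id"]])
            for e in events if e["id"] in TAMPER_EVENTS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_bruteforce(evs):
        print(f"brute force from {a['src']}: {a['count']} failures against "
              f"{a['accounts']}, success afterwards: {a['success_after']}")
    for ts, eid, who, desc in find_tampering(evs):
        print(f"{ts} event {eid} by {who}: {desc}")
```

The two slow failures from 10.0.0.9 are deliberately spread 47 minutes apart so they stay below the one-minute window; widening the window to an hour (the kind of tuning a slow password spray forces on a defender) makes that source trip the threshold of two as well. The 1102 record is worth a dedicated alert on its own, because on a normally administered server the Security log is essentially never cleared.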