1 / 12

Windows

Windows. This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne. Windows Security. Local Security Authority (LSA) Determines whether a logon attempt is valid Security Accounts Manager (SAM)

ghada
Télécharger la présentation

Windows

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

  2. Windows Security • Local Security Authority (LSA) • Determines whether a logon attempt is valid • Security Accounts Manager (SAM) • Receives user logon information and checks it with its database to verify a correct username/password • SAM Database • Stores the LM and NT password hashes

  3. LM Password Used for backward compatibility Stores passwords in CAPS Much easier to crack than NT Hashes Password is not hashed or encrypted Broken up into 2 groups of 7 characters Usually gives away the NT password if cracked NT Password Used for compatibility with Windows NT/2000 systems Stores password exactly how they were entered by the user Uses a series of 2 one way hashes to hash the password Does not salt passwords like Unix Windows Passwords

  4. Windows “NT” Passwords • Length • Anywhere from 0 to 14 characters • Characters • All letters (upper and lowercase), numbers, and symbols are acceptable • Stored in SAM database • \WINNT\system32\config or • \WINNT\repair … 

  5. NT Passwords • 1. Hashed using RSA MD4 function • Not reversable! But can be replicated… • 2. Hashed again using MS function into SAM • Reversable and fairly simple • 3. Encrypted using Syskey function • Strong encryption of SAM on disk

  6. LM Passwords VS. NT Passwords • An 8 character LM password is 890 times easier to crack than an 8 character NT password • A 14 character LM password is 450 trillion times easier to crack than a 14 character NT Password • 450 trillion = 450,000,000,000,000

  7. Windows Cracking • Obtain copy of SAM and run 0phCrack • BUT – can’t get “real” SAM because it is LOCKED! • UNLESS, use NTFSDos, SAMDUMP or PWDUMP3 first…

  8. NTFSDos Utility that allows DOS to view NTFS partitions Can be placed on a boot disk and used to access files that can’t be accessed in Windows SAMDump Utility that “dumps” the password hashes in the SAM database Can be used to view the password hashes or to export them into a text file If Syskey is used, displayed hashes will be incorrect NTFSDos and SAMDump http://www.hackingexposed.com/links-cdrom/links-cdrom.html

  9. PWDump3 • A utility similar to SAMDump • Grabs password hashes from memory instead of the SAM database • Because of this, it will work with Syskey enabled • Can only be used by the Administrator on each system

  10. 0phCrack • Uses Dictionary, Hybrid, Brute Force and Rainbow Table attacks on password hashes • Can get password from a local machine, a repair disk, a copied SAM file, or over a network (By sniffing packets) • Can only be used by Administrators • Uses a built in version of SAMDump or PWDump3 to access the password hashes from memory

  11. Password Protection http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=15 • Remove permissions from the “repair” file • Audit Password Registry Keys • Use a strong Admin password and DON’T share it! • Integrate @#$%{|> characters – increases key space • Possibly add characters from [Alt+###] • 2 factor?

  12. Un*x Cracking • Obtain “John the Ripper” • Run against /etc/passwd file

More Related