Windows User account Password Security Architecture
• Windows User Login Passwords are stored and transmitted in a hashed form (often loosely described as encrypted) rather than as clear text. These Hashes are saved in the SAM File. SAM stands for Security Account Manager.
• SAM File can be found at C:\Windows\System32\Config\SAM
• When a User is created, the Username and the Hash of the Password are stored in the SAM file.
• When a user logs on to the System and Enters the password, a Hash is generated from it and compared to the stored Hash. If the entered and the stored hashes match, the user is authenticated. This is called the LM/NTLM Challenge/Response.
• Passwords may be cracked manually or with automated tools such as a Brute-force
method or the Rainbow table attack.
• Once Windows has started it uses the information in the SAM file, so the SAM file becomes Inaccessible while the system is running: it cannot be Opened, Copied, Moved, Renamed or Deleted.
Cracking Windows User Login Password
◘ Live Boot Disk Attack
• Software: Active Password Recovery can be used to create Live Boot Disks
for Windows Operating System
• Live Boot Disk can be used to start the Windows and access the SAM File.
• Attacker can Remove the Passwords from the User Accounts or can set new
Passwords on the Accounts.
◘ Brute Force Attack
• Brute-force Password Guessing is just what it sounds like: trying a Random approach by Attempting Different Passwords and hoping that One works. Some logic can be applied by trying passwords related to the person’s name, job title, hobbies, or other similar details.
• Brute force randomly generates passwords and their associated hashes.
• There are Tools available to perform the Brute force attack on the Windows SAM File.
One of the most famous of them is Cain & Abel.
◘ Net User: Command Prompt
• The Windows Command Prompt Utility, Net User, can also be used to manipulate the User accounts in Windows. The Commands are as follows:
• To check the User Accounts: Net User
• To Add a New User Account: Net User Username Password /add
• To Delete a User Account: Net User Username /delete
• To Change the Password of User Account: Net User Username *
◘ Sticky Keys Backdoor
• Sticky Keys application can be used as the Backdoor in Windows Operating System.
• The Command Prompt file ‘CMD.EXE’ can be renamed to ‘SETHC.EXE’.
• After this, one can press the Shift Key 5 times on the User Login Screen and will get the Command Prompt right there. Net User can then be used to modify User Accounts.
◘ Privilege Escalation
• Once the Administrator account is Cracked, one can easily Login with the Administrator
User Account and Promote any User Account to give him the Administrator privileges.
• One more thing which an attacker can do is to boot the computer from the Live CD and
change the SAM file to promote any Limited User account to Administrator.
Counter Measures for the Windows User Login Password Attack
◘ Configuring a Strong Login Password
• A strong password is less susceptible to attack by a hacker. The following rules should be
applied when you’re creating a password, to protect it against attacks:
• Must not contain any part of the user’s account name
• Must have a minimum of eight characters
• Must contain characters from at least three of the following categories:
• Non-alphanumeric symbols ($,:"%@!#)
• Uppercase letters
• Lowercase letters
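The password rules listed above, as an added example that is not part of the original slides: a checker that reports every rule a candidate password breaks. It assumes the fourth character category (cut off in the list above) is digits, as in the standard Windows complexity policy, and it applies that policy's detail that the account name is only checked when it is at least three characters long and that full-name tokens shorter than three characters are ignored.

```python
import re


def _name_tokens(full_name: str) -> list:
    # The Windows policy splits the full name on commas, periods, hyphens,
    # underscores, spaces, '#' and tabs and ignores tokens shorter than 3 characters.
    return [t for t in re.split(r"[,.\-_ #\t]+", full_name) if len(t) >= 3]


def check_password(password: str, account_name: str, full_name: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in _name_tokens(full_name):
        if token.lower() in lowered:
            problems.append(f"contains part of the full name ({token!r})")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    categories = {
        "uppercase": any(ch.isupper() for ch in password),
        "lowercase": any(ch.islower() for ch in password),
        "digits": any(ch.isdigit() for ch in password),       # assumed fourth category
        "symbols": any(not ch.isalnum() for ch in password),  # non-alphanumeric
    }
    if sum(categories.values()) < 3:
        problems.append("uses fewer than three character categories")
    return problems
```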
◘ Change the Boot Sequence
• You should change the boot sequence in the BIOS so that your computer is not configured to boot from the CD first. The Hard Disk should be configured as the First Boot Device.
• This will protect your computer from the Live Boot Disk Attack.
• Keystroke loggers (or Keyloggers) intercept the Target’s Keystrokes and either save them in a file to be read later, or transmit them to a predetermined destination accessible to the Hacker.
• Since Keylogging programs record every Keystroke typed in via the Keyboard, they can
capture a wide variety of Confidential Information, including Passwords, Credit Card
Numbers, Private Email correspondence, Names, Addresses, and Phone Numbers.
• Once installed on the target machine, either Directly by the User, or through Stealthier
means, the Keylogger program runs continually in the Background. After the Keystrokes
are logged, they can be hidden in the machine for later retrieval or transmitted to the
Attacker via the Internet.
• Steganography is the technique of placing text content behind images.
• This is generally performed by Terrorists to Hide Secret messages behind Images and convey the message by sending the Image.
• Windows Internal Commands as well as the Steganography tool ‘ImageHide’ can be used to perform this technique.
• Let us say the image file is ‘Pic.jpg’ and the text file is ‘Message.txt’. The command to hide the message would be:
Copy /b Pic.jpg+Message.txt Final.jpg
• To View the Hidden message, Right Click on Final.jpg > Open with > Notepad >
Go to the End of the File
Applying the permissions on the Files and Folders
• You can set permissions on the Files and Folders in Windows so that no one else can
open or access them.
• Windows carries Access Control List command ‘CACLS’ to apply the Access security on
the Files and Folders.
• Let’s say we have a folder ‘Info’, to set the permission on ‘Info’, command is as follows:
CACLS Info /E /P Everyone:N
• To remove the restrictions on the folder, the command is as follows:
CACLS Info /E /P Everyone:F
Hiding Files behind Folders on the Local Hard Disk: ADS
• You can hide your important Files behind the Folders in your Hard Disk.
• Let us say we have a text file ‘Secret.txt’ and a folder ‘C:\Info’.
• To Hide the Text file behind the Folder, the command is as follows:
Type Secret.txt > C:\Info:Secret.txt
• Now delete the Original File, to view the hidden file, command is as follows
• To search the hidden files, ADS Tool ‘Streams’ can be used.
• To Search the Hidden Files: Streams -s C:\Info
• To Delete the Hidden Files: Streams -d C:\Info
Process Monitoring for System Security
• Process Explorer is a GUI-based process viewer utility that displays detailed information
about processes running under Windows.
• For each process it displays memory, threads, and module usage. For each DLL, it shows
full path and version information.
Autorun Application Monitoring for System Security
• Autoruns is a GUI-based Application viewer utility that displays detailed information about the applications which automatically run when your computer starts.
• For each Autorun application it displays a full path and application information.
Rayat Institute of Engineering and Information Technology, Railmajra, Near Ropar (Chandigarh)