Technology Advances

System Hacking


Windows User Account Password Security Architecture 
• Windows does not store login passwords in cleartext. It stores a one-way hash of each password: the NT hash, an unsalted MD4 digest of the UTF-16LE encoded password (older systems additionally kept the far weaker LM hash). These hashes are saved in the SAM database. SAM stands for Security Account Manager. 
• The SAM database is the registry hive file C:\Windows\System32\Config\SAM. The hashes inside it are further encrypted with a key derived from the SYSTEM hive, so an offline attacker needs both files. 
• When a user is created, the username and the hash of the password (never the password itself) are stored in the SAM. 
• When a user logs on locally and enters the password, Windows hashes it and compares the result with the stored hash; if the two match, the user is authenticated. Over the network the hash itself is never sent: in LM/NTLM challenge/response the server issues a random challenge and the client answers with a value computed from that challenge using the hash as the key. The hash is therefore the real credential, and an attacker who obtains it can authenticate with it directly (pass-the-hash) without ever recovering the password. 
• Hashes may be cracked by brute-force or dictionary guessing, or with precomputed rainbow tables. Because NT hashes are unsalted, one precomputation serves every account and two users with the same password have identical hashes. 
• Once Windows has started it holds the SAM hive open, so the file cannot be opened, copied, moved, renamed or deleted through the normal file interface. This lock is not a security boundary: an administrator can export the SAM and SYSTEM hives with the reg save command or copy the file from a Volume Shadow Copy, and anyone who boots another operating system from removable media can read it directly. 



Cracking Windows User Login Password 

◘ Live Boot Disk Attack 
 • Software: Active Password Recovery can be used to create Live Boot Disks for Windows Operating Systems.
• A live boot disk starts its own operating system from CD or USB instead of the installed Windows, so the SAM file is just an ordinary file on an unmounted disk and can be read and edited. Windows itself is never running and cannot lock the file. 
• The attacker can remove the passwords from user accounts or set new passwords on them. Editing the stored hash is enough, because Windows only compares hashes at logon.


◘ Brute Force Attack
 • Brute-force password guessing is just what it sounds like: trying candidate passwords one after another and hoping one works. A pure brute-force enumerates every combination of a character set up to some length; a dictionary attack narrows the search to likely candidates, for example words related to the person's name, job title, hobbies or other personal details.
• Against a captured SAM the attack is offline: the tool hashes each candidate and compares the result with the stored hash, so no logon attempts are made and account lockout never triggers. The cost is governed by the size of the search space and the speed of the hash; MD4 is very fast, which is why NT hashes fall quickly on modern hardware.
• There are tools available to perform brute-force and dictionary attacks on the Windows SAM file. One of the best known is Cain & Abel; John the Ripper and hashcat are the current standard tools.
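The following is an added example, not code from the page or from any of the tools it names. It builds the NT hash exactly as described above (MD4 over the UTF-16LE password, no salt), performs the hash comparison Windows makes at logon, and runs a dictionary attack and a small brute-force against a constructed pwdump-style dump (user:RID:LM-hash:NT-hash:::). MD4 is implemented inline so the script does not depend on hashlib support for MD4, which many OpenSSL 3 builds leave disabled. All sample accounts, passwords and the wordlist are constructed for this demonstration.

```python
"""Added example (not from the page): NT hash construction, the logon hash
comparison, and offline guessing against a constructed SAM dump."""
import itertools
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out so the demo does not depend on
    hashlib.new('md4'), which many OpenSSL 3 builds leave disabled."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)                 # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4                                  # update a, d, c, b, a, ...
                v = s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + words[k] + const
                s[j] = _rotl(v & MASK32, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password. No salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def verify_logon(stored_nt_hex: str, attempt: str) -> bool:
    """The local logon check: hash what was typed, compare with the SAM entry."""
    return nt_hash(attempt) == stored_nt_hex.lower()


def parse_pwdump(text: str) -> dict:
    """user -> NT hash (hex) from pwdump-style lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3]:
            entries[parts[0]] = parts[3].lower()
    return entries


def dictionary_attack(targets: dict, wordlist) -> dict:
    """Hash each candidate once and look it up against every account: with no
    salt, one MD4 per candidate covers the whole dump (the property rainbow
    tables exploit). Accounts whose password is not in the list stay uncracked."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in targets.items() if h in lookup}


def brute_force(target_nt_hex: str, alphabet: str, max_len: int):
    """Exhaustive search over alphabet^1..max_len; returns the password or None."""
    target = target_nt_hex.lower()
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if nt_hash(cand) == target:
                return cand
    return None


# Constructed sample dump. Administrator's NT hash is the well-known hash of
# "password"; the LM field holds the marker for "no LM hash stored".
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:{alice}:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:{carol}:::
""".format(alice=nt_hash("Summer2024!"), carol=nt_hash("cab"))
WORDLIST = ["123456", "password", "Summer2024!", "letmein", "Password1"]

if __name__ == "__main__":
    targets = parse_pwdump(SAMPLE_DUMP)
    print("dictionary:", dictionary_attack(targets, WORDLIST))
    print("bob shares Administrator's hash:", targets["bob"] == targets["Administrator"])
    print("carol by brute force:", brute_force(targets["carol"], "abcdefghijklmnopqrstuvwxyz", 3))
```

Two things to notice when running it: bob and Administrator have byte-identical hashes because there is no salt, and carol survives the dictionary attack only to fall to a few thousand MD4 computations of brute force, which is why length, not a short symbol-laden password, is what raises the cost for an offline attacker.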
◘ Net User: Command Prompt
 • The Windows command-prompt utility Net User can also be used to manipulate user accounts. Listing accounts works from any prompt; adding, deleting or resetting another account's password requires an elevated (Administrator) prompt. The commands are as follows:
• To list the user accounts: Net User
• To add a new user account: Net User Username Password /add
• To delete a user account: Net User Username /delete
• To change the password of a user account: Net User Username * (the asterisk makes the command prompt for the new password, so it is not left in the command history)


◘ Sticky Keys Backdoor 
 • The Sticky Keys accessibility helper can be abused as a backdoor in Windows. 
• Windows runs C:\Windows\System32\sethc.exe when Shift is pressed five times, and it does so on the logon screen, before anyone has authenticated, with SYSTEM privileges. If cmd.exe is copied over sethc.exe in the System32 folder, that hotkey launches a SYSTEM command prompt instead. 
• Doing the swap needs either an existing administrator session that takes ownership of sethc.exe (the file belongs to TrustedInstaller) or offline access to the disk from a live boot disk. A variant that touches no file registers cmd.exe as the Debugger for sethc.exe under the Image File Execution Options registry key. 
• After this, hitting Shift five times at the logon screen gives a command prompt right there, and Net User can be used to modify user accounts without knowing any password. The other accessibility programs launched from the logon screen (utilman.exe, osk.exe, magnify.exe, narrator.exe) can be abused the same way, so a defender should check all of them. 
◘ Privilege Escalation 
 • Once the Administrator password is cracked (or reset from a live boot disk), the attacker can log in as Administrator and add any user account to the local Administrators group. 
• Alternatively the attacker can boot from a live CD and edit the SAM offline to promote a limited user account to Administrator, without ever learning a password. 
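The following is an added example, not code from the page: a small audit for the accessibility-binary backdoor just described. It flags any logon-screen accessibility program that is byte-identical to cmd.exe or powershell.exe and, on Windows only, any Image File Execution Options Debugger hijack of those programs. The System32 folder is a parameter so that a constructed layout can be checked offline; the list of accessibility binaries and the fake file contents are this example's own assumptions.

```python
"""Added example (not from the page): audit a System32 folder for replaced or
hijacked accessibility binaries (sethc.exe and friends)."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Programs Windows launches from the logon screen as SYSTEM (hotkeys or the
# Ease of Access button). sethc.exe is the Shift-five-times one.
ACCESSIBILITY = ["sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"]
SHELLS = ["cmd.exe", "powershell.exe"]
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_replaced_binaries(system32: Path) -> list:
    """One finding per accessibility binary whose content equals a shell's."""
    shell_by_hash = {sha256_file(system32 / s): s
                     for s in SHELLS if (system32 / s).is_file()}
    findings = []
    for name in ACCESSIBILITY:
        target = system32 / name
        if target.is_file():
            match = shell_by_hash.get(sha256_file(target))
            if match:
                findings.append(f"{name} is a copy of {match}")
    return findings


def check_ifeo_debugger() -> list:
    """Variant that needs no file replacement: a Debugger value under IFEO
    makes Windows run that program instead of the accessibility binary."""
    if sys.platform != "win32":
        return []
    import winreg
    findings = []
    for name in ACCESSIBILITY:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO + "\\" + name) as key:
                debugger, _ = winreg.QueryValueEx(key, "Debugger")
                findings.append(f"IFEO Debugger set for {name}: {debugger}")
        except OSError:                     # key or value absent: nothing hijacked
            continue
    return findings


def audit(system32: Path = None) -> list:
    """Run both checks; defaults to the live System32 folder."""
    if system32 is None:
        system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    return check_replaced_binaries(system32) + check_ifeo_debugger()


def demo_findings() -> list:
    """Constructed layout: 'sethc.exe' backdoored with a copy of 'cmd.exe',
    'utilman.exe' left alone. Returns what the file check reports."""
    root = Path(tempfile.mkdtemp()) / "System32"
    root.mkdir()
    (root / "cmd.exe").write_bytes(b"MZ constructed cmd.exe stand-in")
    (root / "sethc.exe").write_bytes(b"MZ constructed cmd.exe stand-in")   # backdoor
    (root / "utilman.exe").write_bytes(b"MZ constructed utilman.exe stand-in")
    return check_replaced_binaries(root)


if __name__ == "__main__":
    print("constructed folder:", demo_findings())
    if sys.platform == "win32":
        print("this machine:", audit() or "no findings")
```

A content hash only catches the byte-for-byte copy described on the page. An attacker who drops a different, renamed shell defeats it, so a production check should also verify the Authenticode signature of each accessibility binary and compare it with the copy Windows keeps under WinSxS.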
Counter Measures for the Windows User Login Password Attack 

◘ Configuring a Strong Login Password 

• A strong password is less susceptible to guessing and cracking. The following rules should be applied when creating a password: 
• Must not contain any part of the user's account name (Windows checks the account name and each part of the user's full name that is three or more characters long, ignoring case) 
• Must have a minimum of eight characters (the built-in Windows complexity policy only enforces six; longer is better, and length does more against offline cracking than symbol substitution)
• Must contain characters from at least three of the following categories: 
 • Non-alphanumeric symbols ($,:"%@!#) 
• Numbers 
• Uppercase letters 
• Lowercase letters 
• These rules are necessary but not sufficient: a password that satisfies all of them can still be a top entry in attackers' wordlists, so passwords should also be screened against lists of known-breached passwords. 
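The following is an added example, not code from the page: a checker for the rules listed above. It applies the same account-name test that the Windows complexity policy uses (the account name, if three or more characters, and each three-plus-character token of the display name split on commas, periods, dashes, underscores, spaces, hash signs and tabs must not appear, case-insensitively), then the length and category rules, and finally shows that a policy-compliant password can still be a well-known one. The sample account names and the short "common passwords" list are constructed for this example.

```python
"""Added example (not from the page): validate a password against the rules
listed above and show why passing them is not the same as being strong."""
import re
import string

MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda ch: ch in string.punctuation,
}
# Delimiters Windows uses to split the display name into tokens.
TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")


def name_tokens(account_name: str, display_name: str = "") -> set:
    """Name fragments that must not appear in the password."""
    tokens = {account_name} if len(account_name) >= 3 else set()
    tokens |= {t for t in TOKEN_SPLIT.split(display_name) if len(t) >= 3}
    return {t.lower() for t in tokens}


def check_password(password: str, account_name: str, display_name: str = "") -> list:
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    for token in sorted(name_tokens(account_name, display_name)):
        if token in lowered:
            problems.append(f"contains account-name token '{token}'")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sorted(name for name, test in CATEGORIES.items()
                     if any(test(c) for c in password))
    if len(present) < REQUIRED_CATEGORIES:
        problems.append(f"only {len(present)} of {len(CATEGORIES)} character categories"
                        f" ({', '.join(present) or 'none'})")
    return problems


# Constructed shortlist standing in for a real leaked-password wordlist.
COMMON_PASSWORDS = {"password1", "p@ssw0rd", "welcome1", "summer2024!", "qwerty123"}


def is_weak_despite_policy(password: str) -> bool:
    """True when the password satisfies every rule above yet is a common
    wordlist entry: complexity rules are necessary, not sufficient."""
    return not check_password(password, "") and password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "JohnSmith2024", "abcdefgh", "P@ssw0rd"):
        print(pw, "->", check_password(pw, "jsmith", "John Smith") or "passes policy",
              "| common password:", is_weak_despite_policy(pw))
```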
◘ Change the Boot Sequence
 • Change the boot sequence in the BIOS/UEFI setup so that the computer is not configured to boot from CD or USB first; the hard disk should be the first boot device. 
• This only stops the casual live-boot-disk attack. Protect the firmware setup with a password so the order cannot be changed back, and remember that the disk can simply be removed and read in another machine. Full-disk encryption (BitLocker) is what actually keeps the SAM unreadable offline. 
◘ Keyloggers 
 • Keystroke loggers (or keyloggers) intercept the target's keystrokes and either save them in a file to be read later or transmit them to a predetermined destination accessible to the attacker. 
• Since keylogging programs record every keystroke typed on the keyboard, they can capture a wide variety of confidential information, including passwords, credit card numbers, private email correspondence, names, addresses and phone numbers. A strong password is no defence here, because it is captured before it is ever hashed. 
• Once installed on the target machine, either directly by the user or through stealthier means, the keylogger runs continually in the background. After the keystrokes are logged, they can be hidden on the machine for later retrieval or transmitted to the attacker via the Internet. 


Steganography 
• Steganography is the technique of placing content, such as text, inside a carrier file like an image so that its presence is not obvious. 
• It has been used to pass secret messages by hiding them behind innocuous images and then sending the images. 
• Windows internal commands as well as the steganography tool ImageHide can be used to perform this technique. 
• Let us say the image file is Pic.jpg and the text file is Message.txt. The command to hide the message would be: 
Copy /b Pic.jpg+Message.txt Final.jpg 
• To view the hidden message, right-click Final.jpg > Open with > Notepad > go to the end of the file. 
• What this command really does is append the text after the JPEG's end-of-image marker. Image viewers stop at that marker, so the picture still displays normally, but the message sits there in cleartext and is exposed by any hex editor, by a strings scan, or by a simple check for data after the marker. Treat it as concealment from a casual viewer, not as protection. 
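The following is an added example, not code from the page or from ImageHide. It reproduces what the Copy /b command does (plain concatenation) and then detects the result by walking the JPEG marker structure to find the end-of-image marker and reporting whatever follows it. The "image" is a constructed minimal byte sequence (SOI, APP0, SOS header, a few bytes of scan data with a stuffed 0xFF, EOI) that is enough for the marker walk; it is not a decodable picture. The message text is likewise constructed.

```python
"""Added example (not from the page): emulate 'copy /b Pic.jpg+Message.txt'
and detect the appended data by locating the JPEG end-of-image marker."""
import struct

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}     # TEM and RSTn markers carry no length field


def append_hide(image: bytes, message: bytes) -> bytes:
    """Byte-for-byte what 'copy /b image+message out' produces."""
    return image + message


def find_eoi(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the JPEG segments.
    Raises ValueError if the data is not a JPEG or EOI is missing."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows: 0xFF is byte-stuffed as FF 00 and RSTn
            # markers may appear; any other FF xx is the next real marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Everything a viewer ignores: the bytes after EOI."""
    return data[find_eoi(data):]


def analyse(data: bytes) -> dict:
    trailer = trailing_bytes(data)
    return {
        "image_bytes": len(data) - len(trailer),
        "trailing_bytes": len(trailer),
        "suspicious": len(trailer) > 0,
        "trailer_preview": trailer[:64].decode("utf-8", "replace"),
    }


# Constructed stand-in for Pic.jpg: structurally valid markers, no real picture.
FAKE_JPEG = (
    b"\xff\xd8"                                                           # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"   # SOS header
    + b"\x12\x34\xff\x00\x56\x78"                                         # scan data, stuffed FF 00
    + b"\xff\xd9"                                                         # EOI
)
MESSAGE = b"Meet at 0900. (constructed sample message)"

if __name__ == "__main__":
    final_jpg = append_hide(FAKE_JPEG, MESSAGE)
    print("clean :", analyse(FAKE_JPEG))
    print("hidden:", analyse(final_jpg))
```

Run against a real Final.jpg the same walk lands on the genuine EOI and returns Message.txt verbatim, which is exactly why this trick survives a glance in an image viewer but not a glance from anyone who looks at the file instead of the picture.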


Applying Permissions on Files and Folders 
 • You can set permissions on files and folders in Windows so that other users cannot open or access them. 
• Windows provides the access control list command CACLS to apply access security on files and folders (CACLS is deprecated; ICACLS is its replacement and also handles inheritance and ownership). 
• Let's say we have a folder Info. To deny everyone access to Info, the command is as follows: 
CACLS Info /E /P Everyone:N 
• To remove the restriction on the folder, the command is as follows: 
CACLS Info /E /P Everyone:F 
• /E edits the existing ACL instead of replacing it, /P replaces the rights of the named user or group, N means no access and F means full control. Note that Everyone includes your own account, and that an administrator can always take ownership and rewrite the ACL, so permissions alone do not protect data from someone with administrator rights or physical access to the disk. 
Hiding Files behind Folders on the Local Hard Disk: ADS 
• NTFS alternate data streams (ADS) let you attach extra named streams to a file or folder; the attached data does not show in the folder's size or in a normal directory listing. 
• Let us say we have a text file Secret.txt and a folder C:\Info. 
• To hide the text file behind the folder, the command is as follows: 
Type Secret.txt > C:\Info:Secret.txt 
• Now delete the original file. To view the hidden file, the command is as follows: 
Start C:\Info:Secret.txt 
• To search for hidden streams, the Sysinternals ADS tool Streams can be used. 
• To search for hidden streams recursively: Streams -s C:\Info 
• To delete the hidden streams: Streams -d C:\Info 
• Caveats: the dir command's /R switch also lists streams, antivirus and forensic tools scan them, and the stream is silently lost when the file is copied to a FAT or exFAT volume or sent by email. Malware uses the same trick, so unexpected streams on your own system deserve investigation. 


Process Monitoring for System Security 
 • Process Explorer is a GUI-based process viewer utility that displays detailed information about the processes running under Windows. 
• For each process it displays memory, threads and module usage; for each DLL it shows the full path and version information. Enable its Verify Image Signatures option and compare each listed path with the expected location: an unsigned image, or a system-named process such as svchost.exe running from a user-writable folder, is a classic sign of malware such as a keylogger. 
Autorun Application Monitoring for System Security 
 • Autoruns is a GUI-based utility that displays detailed information about the applications which run automatically when the computer starts or a user logs on, including services, drivers, scheduled tasks and shell extensions. 
• For each autorun entry it displays the full path and application information. Hiding the Microsoft-signed entries leaves a short list of third-party persistence points to review, which is where a keylogger or backdoor usually registers itself; its Image Hijacks tab also shows Image File Execution Options debugger entries, the registry variant of the Sticky Keys backdoor.