ITS 4550 - Fraud Prevention and Deterrence

Chapter 7, Enumeration and Computer System Hacking

This lesson presents material from chapter 7. Objectives important to this lesson:

  1. Windows basics
  2. Enumeration
  3. Password cracking
  4. PsTools
  5. Rootkits
  6. Antiforensics
Chapter 7

The text begins with a discussion of Windows security that starts a bit slowly. A couple of pages in, we are introduced to the Security Account Manager (SAM) and Active Directory (AD). The thing to know about them is where each one lives: AD holds domain accounts and is stored on domain controllers, which computers joined to the domain consult over the network, while the SAM holds local accounts and exists on every computer that runs Windows, domain-joined or not.

SAM files in Windows 10

In the image above, you see the files in the config folder mentioned in the text (%SystemRoot%\System32\config). Note that the config folder is a hidden folder, as are most files in it. This image was taken on a computer that is in an Active Directory network. The SAM file holds the local accounts, which is what lets you log in to this device with a local account while it is away from its home network (offline logons with a domain account rely instead on cached credentials kept in the neighbouring SECURITY hive). In this Technet article, Microsoft explains that the SAM file is locked by the kernel while Windows is running, and that it contains hashed versions of the passwords for users it knows. That is an example of defense in depth, protecting the information in the file several ways: hidden, locked, and hashed, and in addition the hashes are encrypted with a key derived from the SYSTEM hive, which is why an attacker who copies the SAM also needs the SYSTEM file to read it. The hidden attribute is the weakest of these layers; it is a display setting, not an access control. Keep in mind, too, that the NT hash is unsalted, so two users with the same password have identical hashes, and a stolen hash can be cracked offline or, in a pass-the-hash attack, used to authenticate without being cracked at all.

The text tells us that user objects are the primary means of assigning access permissions in Windows, but it gets around to discussing Group objects as well, which are much more efficient in networks with over ten users. (Aren't they all now?) Pages 160 and 161 offer a list of some default security groups found in Active Directory. It also mentions that users are assigned Security Identifiers (SIDs), which are used like user ID numbers to keep track of permissions; it is the SID, not the account name, that appears in access control lists and tokens, which is why renaming the Administrator account does not hide it from anyone who can read SIDs. The text explains in a sidebar on page 162 that the last group of numbers in a SID (the Relative ID, or RID) tells us which of three kinds of account the ID is for: 500 means guest, 501 means administrator, and 1000 or higher means a typical user account. However, this article on the subject gives us the reverse meaning for 500 and 501. This article from Microsoft confirms that 500 means administrator, and 501 means guest. I think we should trust the Microsoft article.
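As an added example (not code from the textbook or from Microsoft), here is a small Python script that parses SIDs in both the string form used in the text and the binary form that Active Directory returns in the objectSid attribute, and classifies the account by its RID rather than by its name. The domain identifier numbers in the sample SIDs are made up; the well-known RIDs (500, 501, 512, 513) and the BUILTIN sub-authority 32 are the documented values.

```python
"""Parse Windows SIDs and classify accounts by RID.

Added example for this lesson, not code from the textbook. Layout of a
binary SID (as stored in AD's objectSid): 1 byte revision, 1 byte
sub-authority count, 6 bytes big-endian identifier authority, then
count x 4 bytes little-endian sub-authorities. The last sub-authority
is the Relative ID (RID).
"""
import struct

# Well-known RIDs under the NT authority (S-1-5-21-<domain>-<RID>).
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_sid(sid: str):
    """Split 'S-1-5-21-...-500' into (revision, authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; the count byte allows at most 15 sub-authorities.
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """String SID -> binary SID (the objectSid / SAM representation)."""
    revision, authority, subs = parse_sid(sid)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 6 bytes")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(blob: bytes) -> str:
    """Binary SID -> string SID, checking the length against the count byte."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def rid(sid: str) -> int:
    """The Relative ID is the final sub-authority."""
    subs = parse_sid(sid)[2]
    if not subs:
        raise ValueError("SID has no RID")
    return subs[-1]


def classify(sid: str) -> str:
    """Describe what kind of principal a SID names, using the RID rather than
    the account name (the name can be changed; the RID cannot)."""
    _, authority, subs = parse_sid(sid)
    if authority != 5 or not subs:
        return "not an NT-authority SID"
    if subs[0] == 32:
        return "BUILTIN alias (local group), RID %d" % subs[-1]
    if subs[0] == 21 and len(subs) == 5:          # S-1-5-21-a-b-c-RID
        r = subs[-1]
        if r in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[r]
        if r >= 1000:
            return "account or group created by an administrator"
        return "reserved well-known RID %d" % r
    return "other NT-authority SID"


if __name__ == "__main__":
    # Constructed sample; the domain identifier is made up.
    for s in ("S-1-5-21-1111111111-2222222222-3333333333-500",
              "S-1-5-21-1111111111-2222222222-3333333333-501",
              "S-1-5-21-1111111111-2222222222-3333333333-1104",
              "S-1-5-32-544"):
        print(s, "->", classify(s), "| binary:", sid_to_bytes(s).hex())
```

When enumerating accounts, the script's point is the one the sidebar gets backwards: look at the RID. An account called "Administrator" with RID 1005 is a decoy, and an account called "helpdesk" ending in -500 is the real built-in administrator.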

Moving on to page 163, the text begins the topic of enumeration. It is defined as the search for specific information and assets available on a target machine. The text offers a list of objectives on page 163:

  • user accounts
  • group settings
  • group membership
  • application settings
  • service banners
  • audit settings
  • other service settings

The text suggests several tools and techniques that may be useful in enumeration. It discusses NULL sessions, nbtstat, SuperScan, Angry IP Scanner, and SNScan, giving us a general idea about each of them. It warns us that enumeration involves actively interacting with a target system rather than passively gathering information about it, which is often the border between being a pest and being a lawbreaker: do it only against systems you are authorized to test.

The text spends a few pages talking about cracking passwords. The usual advice is given, this time from the attacker's point of view: poor password choices make for easier cracking, and a short or dictionary-word password falls to a wordlist in seconds. Some password cracking tools are recommended. More are available online and in the Kali and Parrot Linux distributions.

Another tool the text mentions is actually a set of them. PsTools can be downloaded from Microsoft as part of the Sysinternals suite. It is meant to be a set of tools to be used by a system administrator. The power of the set, as explained in the text and on the download page from Microsoft, is that you can install it on one device in a network and use it to run remote commands on other devices. The last example on page 179 is a bit frightening: it copies a rootkit to a remote machine, then runs it with an administrator account. Two practical points go with that example. PsExec only works when the caller already holds administrator credentials for the target, so the real prerequisite is the credential theft or password cracking discussed earlier in the chapter. And it is not silent: it installs a temporary service (PSEXESVC) on the remote machine, and that service installation is recorded in the target's System event log, which is exactly the kind of trace the antiforensics section at the end of the chapter is about erasing.

The text offers us two pages about rootkits, explaining that they are used to take over the operating system of a computer, to hide that takeover from the user, and to take any desired action against the user, their assets, or their network.

The last section of the chapter, on antiforensics, discusses actions an intruder might take to hide the traces left behind:

  • disabling auditing and editing or deleting audit/log files
  • hiding data in hidden files or in Alternate Data Streams

Alternate Data Streams are insidious. This is a method of embedding information, executables, or any other crazy thing in a named stream attached to a file or folder on an NTFS file system. The host file looks unchanged: Explorer and a plain dir report only the size of the main (unnamed) stream, and the extra data silently disappears if the file is copied to a file system that is not NTFS, such as a FAT32 USB stick. The streams are not invisible, though. In a command prompt, dir /R lists them, and in PowerShell, Get-Item -Path file -Stream * does the same, so a defender who looks for them can find them; a Zone.Identifier stream on a downloaded file is normal and not by itself suspicious. Watch this soft-spoken magician add a copy of the notepad program to a very small text file, hidden from the casual observer:


This week you need to submit discussion 2, lab 4, assignment 3, and Part 3 of the ongoing course project. Project Part 4 and Assignment 4 are due in two weeks.