Chapter 7, Enumeration and Computer System Hacking
This lesson presents material from chapter 7. Objectives important
to this lesson:
The text begins with a discussion of Windows security that starts a bit
slowly. A couple of pages in, we are introduced to Security Account Manager
(SAM) and Active Directory (AD). The thing to know about them is that
you find AD in networked computers, and you find SAM on every computer
that runs a copy of Windows.
In the image above, you see the files in the config folder mentioned
in the text. Note that the config folder is a hidden folder, as are most
files in it. This image was taken on a computer that is in an Active Directory
network. The SAM file is useful when logging in to this device while it
is not on its home network. In this
Technet article, Microsoft explains that the SAM file is locked by
the kernel while Windows is running, and that it contains hashed versions
of the passwords for users it knows. That is an example of defense in
depth, protecting the information in the file three ways: hidden, locked,
The text tells us that user objects are the primary means of assigning
access permissions in Windows, but it gets around to discussing Group
objects as well, which are much more efficient in networks with over ten
users. (Aren't they all now?) Pages 160 and 161 offer a list of some default
security groups found in Active Directory. It also mentions that users
are assigned Security Identifiers (SIDs) which are used like user ID numbers
to keep track of permissions. The text explains in a sidebar on page 162
that the last group of numbers
in an SID (the Relative
ID) tell us which of three kinds of account the ID is for: 500
means guest, 501 means administrator, and 1000
or higher means a typical user
account. However, this
article on the subject gives us the reverse
meaning for 500 and 501. This
article from Microsoft confirms that 500
means administrator, and 501 means
guest. I think we should trust the Microsoft article.
Moving on to page 163, the text begins the topic of enumeration. It is
defined as the search for specific information and assets available on
a target machine. The text offers a list of objectives on page 163:
other service settings
The text suggests several tools that may be useful in enumeration. It
SuperScan, Angry IP
Scanner, and SNScan,
giving us a general idea about each of them. It warns us that enumeration.
involves actively hacking a system, which is often the border between
being a pest and being a lawbreaker.
The text spends a few pages talking about cracking passwords. The usual
advice is given, in reverse this time, recommending that poor password
choices lead to easier hacks. Some password cracking tools are recommended.
More are available online and in Kali
and Parrot Linux
Another tool the text mentions is actually a set of them. PsTools
can be downloaded from Microsoft. It is meant to be a set of tools to
be used by a system administrator. The power of the set, as explained
in the text and on the download page from Microsoft, is that you can install
it on one device in a network and use it to run remote commands on other
devices. The last example on page 179 is a bit frightening: it copies
a rootkit to a remote machine, then runs it with an administrator account.
The text offers us two pages about rootkits, explaining that they
are used to take over the operating system of a computer, to hide that
takeover from the user, and to take any desired action against the user,
their assets, or their network.
The last section of the chapter discusses actions that might be taken
to hide the traces left behind by a hacker.
disabling auditing and editing or deleting audit/log files
hiding data in hidden files or in Alternate Data Streams
Alternate Data Streams are insidious. This is a method of embedding information,
executables, or any other crazy thing in an attribute of a file or folder
in an NTFS file system. Watch this soft-spoken magician add a copy of
the notepad program to a very small text file, hidden from the casual
This week you need to submit discussion 2, lab 4, assignment 3, and
Part 3 of the ongoing course project. Project Part 4 and Assignment
4 are due in two weeks.