Monday, 2 June 2014

Security and Authentication Systems in Windows (8) By iSARG Uttam Nagar

Windows 8 Security Overview
It took me quite a long time to come up with the name of this article, because at first I was not sure about the content, but finally I figured it out.

This is day 2 of my back-to-back articles task, and here we go!

So, as every one of us knows, Windows 8 is the most recent version of the Microsoft Windows OS and the most secure too. Today we are gonna study the security architecture of a system running Windows 8. It is advisable to read my previous articles Windows Security Architecture, Breaking LSA – The BIOS Password and Bypassing SRM – Windows Login Password before starting with this one. This is just an informative article on the Windows 8 security system. After reading it you will be able to understand how the security systems in Windows 8 work and sketch some ideas to attack the system. After this I will be writing an article on retrieving the clear text passwords of a Windows 8 user.

This article is designed keeping beginners in mind and not the professionals. Keep reading…

What are .dll files?
DLL stands for Dynamic Link Library. These files end with the extension .dll and contain a piece of code that is meant to be called by other applications or by another .dll file. A DLL is a file containing functions; it cannot be executed directly but is called from other code that is already executing. It exists to avoid repeating the same code in a program: a piece of code that would otherwise be repeated is written once in a .dll file and called whenever that function is required during the execution of another program.

Local Security Authority Subsystem Service (LSASS)
I have already discussed LSA in the previous article that I mentioned at the beginning of this page. So, coming to LSASS, it is a sub-service of LSA which is responsible for the security processes on the Windows 8 OS.

What is lsass.exe file?
“lsass.exe” is the process that verifies the validity of user logons to your PC. LSASS generates the process responsible for authenticating users for the Windows logon service. This is performed by using authentication packages such as the default, Msgina.dll. If authentication is successful, LSASS generates the user’s access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token. (Source: http://www.neuber.com/taskmanager/process/lsass.exe.html)

The location of the lsass.exe file is C:\Windows\System32.

Authentication architecture
[Figure: Authentication service architecture. Source: http://technet.microsoft.com]

Here are the details of the files and protocols mentioned above in the flowchart:

Wdigest.dll – This is an authentication package that transmits credentials across the network as an MD5 hash (a hashing algorithm used to protect the credentials in transit).

Ksecdd.sys – The Kernel Security Device Driver is used to communicate with LSASS in user mode.

Lsasrv.dll – The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA.

Netlogon.dll – Net Logon passes the user’s credentials through a secure channel to the domain controller and returns the domain SIDs and user rights for the user.

Secur32.dll – The Secur32.dll component is the multiple authentication provider that implements SSPI for user mode applications. SSPI is an application interface that provides the security services for Windows Server 2003. SSPI supports the Digest Authentication SSP, wdigest.dll, which is the preferred authentication protocol for some applications and which uses protocols such as LDAP and HTTP.

Samsrv.dll – The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports the Application Programming Interface (API).

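As an added example (not code from the original post or from Microsoft), here is a PowerShell report that lists the modules loaded into lsass.exe, so you can check that the components named above are the ones actually present, all from System32 and Microsoft-signed, and that shows how the LSA packages are configured in the registry. It assumes an elevated PowerShell 5.1 or later prompt on a Windows host; $KnownPackages is my own list built from the components in this post.

```powershell
# Added example (not from the original post or from Microsoft): inventory what is
# loaded into lsass.exe and how the LSA packages are configured.
# Assumptions: elevated PowerShell 5.1 or later; reading the modules of lsass.exe
# needs administrator rights, and is denied entirely when LSA runs as a
# protected process (RunAsPPL).

# My own list: the components named in the post plus the usual Kerberos/Schannel SSPs.
$KnownPackages = @('lsasrv.dll', 'msv1_0.dll', 'wdigest.dll', 'netlogon.dll',
                   'samsrv.dll', 'secur32.dll', 'kerberos.dll', 'schannel.dll')

function Get-LsassModuleReport {
    # Every module inside lsass.exe can read the credentials it holds, so each
    # one should come from System32 and carry a valid Authenticode signature.
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    foreach ($m in $lsass.Modules) {
        $sig        = Get-AuthenticodeSignature -FilePath $m.FileName
        $inSystem32 = $m.FileName -like "$env:SystemRoot\System32\*"
        $validSig   = $sig.Status -eq 'Valid'
        [pscustomobject]@{
            Module      = $m.ModuleName
            Path        = $m.FileName
            Listed      = $KnownPackages -contains $m.ModuleName.ToLower()
            Signed      = $validSig
            Signer      = $sig.SignerCertificate.Subject
            NeedsReview = -not ($inSystem32 -and $validSig)   # unexpected location or signature
        }
    }
}

function Get-LsaPackageConfig {
    # LSASS loads the packages listed here at boot; a new entry is a change worth explaining.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wd  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    # UseLogonCredential: 0 = WDigest keeps no reusable copy of the logon password in
    # LSASS memory, 1 = it does; when the value is absent the OS default applies.
    $useLogonCred = if ($null -eq $wd.UseLogonCredential) { 'not set (OS default)' } else { $wd.UseLogonCredential }
    [pscustomobject]@{
        AuthenticationPackages    = $lsa.'Authentication Packages' -join ', '
        SecurityPackages          = $lsa.'Security Packages' -join ', '
        WDigestUseLogonCredential = $useLogonCred
    }
}

Get-LsassModuleReport | Sort-Object NeedsReview -Descending |
    Format-Table Module, Listed, Signed, NeedsReview, Path -AutoSize
Get-LsaPackageConfig | Format-List
```

Rows marked NeedsReview are not proof of anything bad (some third-party authentication or password-filter packages legitimately load into LSASS), but each one should be traceable to software you installed on purpose.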
The whole motive of this post is to give you the common knowledge and a base for the next post, which will be on hacking the Windows 8 password.

Comment your views below and help us get you better articles!
