COMFIC- lecture 3
What is the Windows registry?
It is a central database store, holding configuration information in one place for the operating system to look up
The Windows 9x registry consists of two hidden files:
User.dat
System.dat
NT registry - more complex
Stored in hives
HKEY_LOCAL_MACHINE and HKEY_USERS are the main keys
A hive is like a root folder
A key is like a subfolder
A subkey is like a file within a subfolder
A value is the actual data
HKEYs
HKEY_LOCAL_MACHINE\SAM - stands for Security Account Manager, now called the Directory Service Database. Stores info for users, groups and domains
HKEY_LOCAL_MACHINE\Security - local security policy, passwords and group membership
HKEY_LOCAL_MACHINE\Software - computer-specific application settings in company subkeys such as Microsoft
HKEY_USERS\System - stores information about control sets, including device classes, hardware profiles and the system services listed in Device Manager
HKEY_USERS\.Default - contains typical default settings such as cursors
HKEY_USERS\(long number) - stores settings specific to that user
Note: the registry holds a lot more than this, such as last typed addresses etc. - more detail in a separate document!
SID numbers
S-1-5-21-3623811015-3361044348-30300820-1013 (example SID number)
Note: possible identifier authority values are as below:
• 0 - Null Authority
• 1 - World Authority
• 2 - Local Authority
• 3 - Creator Authority
• 4 - Non-unique Authority
• 5 - NT Authority
• 9 - Resource Manager Authority
How do I get this?
Command line: wmic useraccount get name, sid
This will display all accounts with their names and SIDs
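As an added example (not part of the lecture notes), here is a small Python parser for SID strings like the one above and for the output of the wmic command just given, so the authority value and RID of each account can be read off programmatically. The wmic output used is constructed, not captured from a real system; the Administrator entry uses the well-known built-in RID 500.

```python
# Added example (not from the lecture notes): parse SID strings and the output of
# `wmic useraccount get name, sid` into revision, identifier authority and sub-authorities.
from dataclasses import dataclass
from typing import Dict, Tuple

# Identifier authority values as listed in the notes above.
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority", 1: "World Authority", 2: "Local Authority",
    3: "Creator Authority", 4: "Non-unique Authority", 5: "NT Authority",
    9: "Resource Manager Authority",
}

@dataclass(frozen=True)
class SID:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]   # e.g. (21, <domain/machine ids>, RID)

    @property
    def authority_name(self) -> str:
        return IDENTIFIER_AUTHORITIES.get(self.authority, "Unknown Authority")

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]   # the last sub-authority is the account's RID

def parse_sid(text: str) -> SID:
    """Parse 'S-<revision>-<authority>-<sub>-...'; raises ValueError on bad input."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    try:
        revision = int(parts[1])
        authority = int(parts[2], 0)      # decimal, or 0x-prefixed hex for large authorities
        subs = tuple(int(p) for p in parts[3:])
    except ValueError as exc:
        raise ValueError(f"malformed SID: {text!r}") from exc
    if revision != 1 or len(subs) > 15:   # only revision 1 exists; at most 15 sub-authorities
        raise ValueError(f"invalid SID: {text!r}")
    return SID(revision, authority, subs)

def parse_wmic_accounts(output: str) -> Dict[str, SID]:
    """Map account name -> SID from `wmic useraccount get name, sid` output."""
    accounts = {}
    for line in output.splitlines()[1:]:          # skip the 'Name  SID' header row
        if line.strip():
            name, sid_text = line.rsplit(None, 1)  # names may contain spaces; a SID never does
            accounts[name.strip()] = parse_sid(sid_text)
    return accounts

# Constructed sample output (not captured from a real system); the second SID is the notes' example.
SAMPLE_WMIC = """Name            SID
Administrator   S-1-5-21-3623811015-3361044348-30300820-500
Alice Example   S-1-5-21-3623811015-3361044348-30300820-1013
"""
```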
Password and dictionary attacks
Password reset - exploits a weakness in applications that permit a password reset; the password is reset to a designated value which the analyst can then use to open the documents
Dictionary - a dictionary (word list) based on a profile of the user is used
LOOK FOR LISTS!
Key space - brute-force attack over the whole key space
Using Password Recovery Toolkit by AccessData - just click to add a file to crack!