9.7. Windows

9.7.1. Local User Authentication

When Windows performs local login authentication, the operating system uses the password entered by the user as the credential and verifies it against the password stored on the system. winlogon.exe receives the user's input and passes it to lsass.exe, which performs the authentication.

winlogon.exe displays the logon interface after the user logs out, restarts, or locks the screen. lsass.exe converts the plaintext password into its NTLM hash form and compares it against the SAM database to authenticate the user.

9.7.2. SAM

The Security Accounts Manager (SAM) is the mechanism the Windows operating system uses to manage the security of user accounts. The database file that stores Windows passwords holds them as an LM hash and an NTLM hash rather than in plaintext, so that plaintext passwords are not leaked. When a user authenticates, the hash of the entered password is compared with the hash value stored in the SAM file.

The SAM file is stored at %SystemRoot%\system32\config\sam, and in the registry it is found under HKEY_LOCAL_MACHINE\SAM\SAM and HKEY_LOCAL_MACHINE\SECURITY\SAM. Under normal circumstances the SAM file is locked and cannot be directly accessed, copied, or moved; only the SYSTEM account has permission to read and write it.

9.7.3. Password Cracking

  • Obtain the %SystemRoot%\system32\config\sam file

  • Obtain the %SystemRoot%\repair\sam._ backup file

  • Use a tool to export the SAM hash values from the registry

  • Sniff and analyze SMB packets on the network and obtain password hashes from them

9.7.4. SPNEGO

SPNEGO (Simple and Protected GSS-API Negotiation) is a security protocol provided by Microsoft that uses the GSS-API authentication mechanism to let web servers share Windows credentials. It extends Kerberos.