Related Research Articles
In cryptanalysis and computer security, password cracking is the process of guessing passwords protecting a computer system. A common approach is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password. Another type of approach is password spraying, which is often automated and occurs slowly over time in order to remain undetected, using a list of common passwords.
The Security Account Manager (SAM) is a database file in Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.
Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single SSO ID to any of several related, yet independent, software systems.
LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavily modified version of MS-DOS.
The graphical identification and authentication (GINA) is a component of Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on. GINA is discontinued in Windows Vista.
MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, (CHAP).
Ophcrack is a free open-source program that cracks Windows log-in passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows, and can be run via the command line or using the program’s GUI. On most computers, ophcrack can crack most passwords within a few minutes.
A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers. A CSP forms part of an authentication system, most typically identified as a separate entity in a Federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use. The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP would be an online site whose primary purpose may be, for example, internet banking - but whose users may be subsequently authenticated to other sites, applications or services without further action on their part.
In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system, which is governed by Group Policy settings, for which different versions of Windows have different default settings.
Cain and Abel was a password recovery tool for Microsoft Windows. It could recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks were done via rainbow tables which could be generated with the winrtgen.exe program provided with Cain and Abel. Cain and Abel was maintained by Massimiliano Montoro and Sean Babcock.
Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.
There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.
Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.
Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection.
In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.
Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials that are available across multiple devices are commonly referred to as passkeys.
Zerologon is a privilege elevation vulnerability in Microsoft's authentication protocol Netlogon Remote Protocol (MS-NRPC), as implemented in the Windows Client Authentication Architecture and Samba. The vulnerability was first reported to Microsoft by security researcher Tom Tervoort from Secura on 17 August 2020 and dubbed "Zerologon". Zerologon was given a Common Vulnerability Scoring System v3.1 severity ranking of 10 by the U.S. American National Institute of Standards and Technology and a 5.5 by Microsoft. Crowdstrike classifies it as the most severe Active Directory vulnerability of 2020.
References
- 1 2 "Protect derived domain credentials with Windows Defender Credential Guard". Windows IT Pro Center. Retrieved 14 September 2018.
- ↑ "Analysis of the attack surface of windows 10 virtualization-based security" (PDF). blackhat.com. Retrieved 13 November 2018.
- 1 2 3 Yosifovich, Pavel; Russinovich, Mark (5 May 2017). Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition. Microsoft Press. ISBN 978-0-13-398647-1.
- ↑ "Credential Guard Cheat Sheet". insights.adaptiva.com. Retrieved 13 November 2018.
- ↑ "Deep Dive into Credential Guard, Credential Theft & Lateral Traversal". Microsoft Virtual Academy. Retrieved 17 September 2018.
- ↑ "Windows 10 Device Guard and Credential Guard Demystified". Microsoft TechNet, Ash's blog. 2 March 2016. Retrieved 17 September 2018.
- ↑ "Technique: Credential Dumping". attack.mitre.org. Retrieved 8 July 2019.
- 1 2 "Windows Credential Guard & Mimikatz". nviso labs. 2018-01-09. Retrieved 14 September 2018.
- ↑ "Third party Security Support Providers with Credential Guard". Windows Dev Center. Retrieved 14 September 2018.
- ↑ "Retrieving NTLM Hashes without touching LSASS: the "Internal Monologue" Attack". andreafortuna.org. Archived from the original on 26 May 2018. Retrieved 5 November 2018.
