Basically anything can be added to an existing file (and directory) which brings up an interesting method of hiding important data on the system. Say you want to keep your passwords on the computer but do not want to use a text document to have them in the open. Using Alternate Data Streams to hide them from prying eyes could be a relative secure method of storing the password list on the computer.

They are detectable if the right software is being used. Windows Vista users can also use the dir *.txt /R which is further explained at Bart De Smet’s on-line blog.

To add textual information to any file in Windows you could use the command notepad filename:name for example notepad image.jpg:secret. This would open up Notepad and a blank text file at the first run. Any text that is added and saved during that session will the shown if the user opens the text document with the same command at a later time.

Executable files or other binary files can be added with the type command like this: type c:\text.exe > hello.txt:text.exe which can be executed with the start command start .\hello.txt:text.exe.

An owner of a computer surely wants to install software on it even if he is running as a limited user. This is where the problem starts. The Run As command can be used to run applications as a different user. The major problem is that you have to provide the username and password for that user to be able to run the selected application. This data can be easily logged by a keylogger.

Surun uses its own Windows service that adds the user to the group of administrators during program start and removes him automatically from that group again. The user, not the administrator, will be asked on a secure desktop that only services may access if he wants to run the program and if he confirms that the application will be started. Programs are started with a right-click and the selection of Run as Administrator.

Surun comes with lots of settings and a huge configuration. Each application that was once started with Surun can be added to a list of applications that are started without the prompt from then on.

Ophcrack is a tool that is able to quickly display Windows NT account passwords using Rainbow Tables instead of brute forcing the passwords. While it could take years to brute force a password that uses letters, numbers and special chars it takes only minutes to do so with Ophcrack.

Ophcrack can be downloaded with several different table sets. The default live cd is able to reveal passwords with alphanumeric chars only. If no passwords are revealed using this method you should download different table sets which support other chars as well.

Runs on Windows, Linux/Unix, Mac OS X, …
» Cracks LM and NTLM hashes.
» Free tables available for Windows XP and Vista.
» Brute-force module for simple passwords.
» Audit mode and CSV export.
» Real-time graphs to analyze the passwords.
» LiveCD available to simplify the cracking.
» Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.
» Free and open source software (GPL).

Two additional table sets can be downloaded from the Ophcrack website. The first is 720 megabytes and should only be used on machines with at least 500 megabytes of ram. A smaller one with only 388 megabytes can be downloaded for machines with less than that amount of ram.

A new version of Ophcrack was released just four days ago.

Update: Ophcrack has not been updated for some time. The last update dates back to 2009 which was a bug fix release.

They offer a script which does the following automatically:

• changes start type (auto, demand,disabled) according to kssysteme.de
• stops and deactivates critical services (i.e. Distributed Transaction Coordinator, Messenger)
• deactivates DCOM and removes standard protocol bindings
• closes SMB /server message block) and consequently port 445 (only if you use switch “/std” or “/all”)
• deactivates DHCP if it is not used
• disable NetBios on all network interfaces (exception: switch “/lan” prevent it)

You have several options and may leave some enabled, just take a look at the website for the different options. I suggest you backup your settings before you start the script. The script itself has a restore mode as well which restores the last changes made.