From: Erik Birkholz (erikfoundstone.com)
Date: Tue Jan 29 2002 - 11:33:08 CST


    Dan et al.,

    I thought I covered this, but I will add more meat for y'all. The reason
    that you can't just yank the SAM and start cracking when SYSKEY is installed
    is simple. The password portion of the SAM is now encrypted by a "stronger"
    system key allowing for 128-bit encryption.

    This has been available since SP3 for NT4 and is default in Windows 2000,
    however if you type SYSKEY (at the cmd.exe prompt) you will have 3 options
    for further configuration.

    If you want to get the real password hashes, then you need to use a tool
    that can subvert this security mechanism. Luckily for us, Todd Sabin and
    the razor.bindview.com guys came up with "DLL injection". This little bit
    of nastiness is wrapped up in a tool called pwdump2. This tool works with AD
    too!

    To quote Todd and the razor.bindview.com site:

            "It uses a technique known as DLL injection. In general, one process
    (pwdump2.exe) forces another process (lsass.exe) to load a DLL (samdump.dll)
    and execute some code from the DLL in the other process's (lsass.exe's)
    address space and user context. In this specific case, once samdump.dll is
    loaded into lsass, it uses the same internal API that msv1_0.dll uses to
    access the password hashes. This means it can get the hashes without doing
    any of the 'hard' work of pulling them out of the registry and decrypting
    them. The program neither knows nor cares what the encryption algorithms or
    keys are."

    Have fun,
            
            Erik B

    **there is no COUNTERMEASURE for dll injection, except one "Don't get
    OWNED!" ;)

    *********************************************
    * Erik Pace Birkholz, CISSP, MCSE
    * Principal Consultant
    * Foundstone National Attack & Penetration Team
    * http://www.hackingexposed.com/win2k/auths.html
    * http://www.blackhat.com/html/win-usa-02/win-usa-02-spkrs.html
     
     

    -----Original Message-----
    From: Dan B [mailto:neoredcell.fsnet.co.uk]
    Sent: Tuesday, January 29, 2002 4:40 AM
    To: focus-mssecurityfocus.com
    Subject: Re: two questions that need answering

    In-Reply-To: <B36C365832C90E47A37F4FFCDDEFC46D04F62Chkisrv08.tw.fi>

    The reason I ask about syskey is that I found the
    following in the LC3 helpfile:

    SAM File
    On systems that do not use Active Directory, or SYSKEY, you may obtain
    password hashes directly from a password database file stored on the system
    -- the SAM file.

    Note: this approach will not allow you to obtain password hashes from most
    Windows 2000 systems, as Windows 2000 uses SYSKEY by default. SYSKEY was
    introduced in Windows NT Service Pack 3, but was not turned on by default,
    so SAM access works on Windows NT systems unless SYSKEY was explicitly
    turned on. SYSKEY provides an additional layer of encryption to stored
    password hashes. Interestingly, you can't tell by looking at the SAM or at
    password hashes it contains whether they've been encrypted with SYSKEY or
    not. LC3 cannot crack SYSKEY-encrypted password hashes. This implies that
    if you do not have access to at least one administrator account on a
    Windows 2000 machine, you cannot obtain the password hashes required to run
    LC3. In such cases, you may benefit from a password reset utility.
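The thread above touches two things an administrator can actually inspect on a host: which of the three SYSKEY modes is configured (the options Erik mentions under the SYSKEY command), and whether anything other than Microsoft's own code is currently mapped into lsass.exe, which is exactly the footprint a pwdump2-style injection of samdump.dll leaves while it runs. The script below is an added example and is not code from the thread, from Foundstone, or from the razor.bindview.com tools. It assumes an elevated 64-bit PowerShell session on a supported Windows host, reads the SecureBoot value that Microsoft's SysKey documentation uses to record the mode, and treats any lsass module that is unsigned or not signed by Microsoft as worth a look.

```powershell
# Added example, not code from the original thread. Two defender-side checks
# for the mechanisms discussed above. Run from an elevated 64-bit PowerShell.

# 1. Which of the three SYSKEY modes is configured?
#    The mode is recorded in the SecureBoot value under the Lsa key:
#    1 = system key stored on the local machine (the default),
#    2 = startup password required,
#    3 = key stored on a floppy disk / removable media.
function Get-SyskeyMode {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    switch ($lsa.SecureBoot) {
        1       { 'Mode 1: system key stored locally' }
        2       { 'Mode 2: startup password required' }
        3       { 'Mode 3: system key on removable media' }
        default { "Unknown or not set ($($lsa.SecureBoot))" }
    }
}

# 2. Which DLLs are mapped into lsass.exe right now, and are they all
#    Microsoft-signed? A foreign module here is what a pwdump2-style
#    injection looks like from the defender's side. Module enumeration is
#    refused without elevation, and may also be refused where LSA runs as a
#    protected process (RunAsPPL), which is the modern mitigation for this
#    class of technique.
function Get-LsassModuleReport {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    foreach ($m in $lsass.Modules) {
        $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Module     = $m.ModuleName
            Path       = $m.FileName
            Status     = $sig.Status
            Signer     = $signer
            # Flag anything that is not a valid Microsoft signature.
            Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

Write-Host ('SYSKEY configuration: ' + (Get-SyskeyMode))

$report = Get-LsassModuleReport
$report |
    Sort-Object Suspicious -Descending |
    Format-Table Module, Status, Signer, Suspicious -AutoSize

if ($report.Suspicious -contains $true) {
    Write-Warning 'One or more modules in lsass.exe are unsigned or not signed by Microsoft; review the flagged rows.'
}
```

Get-AuthenticodeSignature resolves catalog-signed system DLLs on current Windows releases, so the Microsoft-shipped modules should all report Valid; a row that does not is the thing to investigate. If the Modules enumeration throws an access error on a host where LSA protection is enabled, that is the protection doing its job rather than a fault in the script.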