NT SysKey should be breakable
Mikael Olsson (mikael.olsson ENTERNET.SE)
Fri, 8 Oct 1999 22:37:24 +0200
- Next message: Me Uh, K.: "Newbie in Jeopardy"
- Previous message: Erik Parker: "Re: Guestbook perl script (error fix)"
- Next in thread: Mikael Olsson: "Re: NT SysKey should be breakable"
- Reply: Mikael Olsson: "Re: NT SysKey should be breakable"
- Reply: Todd Sabin: "Re: NT SysKey should be breakable"
- Reply: Mikael Olsson: "Re: NT SysKey should be breakable"
Has anyone looked closely at the WinNT SysKey application?
Supposedly, it encrypts your SAM files (the ones in \winnt\repair too?) so that Evil People(tm) can't just leech them off your machine and hand them to L0phtCrack.

Something is telling me that this only buys you so much protection, since the SAM secret would need to be known to the OS. THAT in turn means that userland apps (at least ones running as LocalSystem) should be able to find that same secret.

I _know_ this is not a one-way thing, since SysKey actually asks you where to store the secret (password protected, on a floppy, or just plain).

- Plain stored secret should be "easy" to find.
- If someone enables password protection, it should still be possible to break the secret of the SAM secret using known plaintext attacks. We know that the original SAM._ file begins with "MSCF" followed by four zero bytes. That's eight bytes of known plaintext. There's also a string "$$hive$$.tmp" later on that seems to be constant, which we should be able to use as known plaintext. (These are just the obvious ones.) I'm going to go ahead and guess that the secret used to encrypt the SAM secret is an LMHASH of the given password. It could also be that the SAM secret is kept somewhere in RAM without the password scramble.
- Floppy secrets could also be breakable; again, maybe they are loaded into RAM, or maybe the Admin just happened to leave the floppy in the drive :-P

Maybe worth looking into?

- I can't see myself doing it; it would take too much time for me given that I probably don't know enough about the NT kernel.
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50  Fax: +46-(0)660-122 50  Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se  E-mail: mikael.olssonenternet.se
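The post's two observations (a predictable file header, and a key that may be derived from a password via a fast, case-folding hash such as LMHASH) combine into one concrete weakness: whoever holds the ciphertext can use the known header as an offline key-check oracle, and case folding shrinks the number of keys that oracle has to distinguish. The following Python is an added illustration of that reasoning, not code from the post or from Microsoft: the XOR stream cipher, the "LM-like" key derivation, the PBKDF2 alternative and the sample hive bytes are all constructed stand-ins, and only the byte strings "MSCF\0\0\0\0" and "$$hive$$.tmp" come from the post. It shows why the mitigations the thread already hints at (a random key kept off the machine, or a slow, salted, case-preserving KDF) matter.

```python
"""Added example (not from the post): a predictable header plus a
password-derived key turns the ciphertext into an offline guess checker.

Toy components, constructed for illustration only: the stream cipher,
the LM-like KDF and the sample hive contents are stand-ins, not the
real SysKey, LM hash or SAM formats.
"""
import hashlib
import hmac

# The post notes that SAM._ starts with "MSCF" followed by four zero bytes.
KNOWN_HEADER = b"MSCF\x00\x00\x00\x00"

# Constructed sample "hive": known header, filler, and the constant string
# the post says appears later in the file.
SAMPLE_PLAINTEXT = KNOWN_HEADER + b"\x00" * 24 + b"$$hive$$.tmp" + b"\x00" * 20


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XORing with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def lm_like_kdf(password: str) -> bytes:
    """Stand-in for an LM-hash-style key: case-folded, cut to 14 characters,
    one fast unsalted hash. Models the weaknesses, not the real algorithm."""
    folded = password.upper()[:14].encode("latin-1", "replace")
    return hashlib.sha256(b"LM-LIKE:" + folded).digest()


def slow_kdf(password: str, salt: bytes = b"constructed-salt",
             iterations: int = 200_000) -> bytes:
    """Case-preserving, salted, iterated derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def recover_keystream_prefix(ciphertext: bytes) -> bytes:
    """Known-plaintext step: XOR of the 8 known header bytes with the first
    8 ciphertext bytes is exactly the first 8 keystream bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext[:8], KNOWN_HEADER))


def header_matches(candidate_key: bytes, ciphertext: bytes) -> bool:
    """The header is a key-check oracle: decrypt 8 bytes, compare, done.
    No other knowledge of the file contents is needed."""
    return xor_crypt(candidate_key, ciphertext[:8]) == KNOWN_HEADER


def distinct_keys(kdf, passwords) -> int:
    """How many different keys a set of passwords maps to under a KDF."""
    return len({kdf(p) for p in passwords})


if __name__ == "__main__":
    ct = xor_crypt(lm_like_kdf("Secret"), SAMPLE_PLAINTEXT)
    variants = ["secret", "Secret", "SECRET", "sEcReT"]
    print("keystream prefix recovered:",
          recover_keystream_prefix(ct) == keystream(lm_like_kdf("Secret"), 8))
    print("wrong-case guess accepted by LM-like KDF:",
          header_matches(lm_like_kdf("SECRET"), ct))
    print("distinct keys, LM-like:", distinct_keys(lm_like_kdf, variants))
    print("distinct keys, PBKDF2:",
          distinct_keys(lambda p: slow_kdf(p, iterations=1000), variants))
```

The design point: `header_matches` never needs the rest of the file, so the eight predictable bytes alone let a guess be confirmed; with `lm_like_kdf` the four case variants of the password collapse to one key, while `slow_kdf` keeps them distinct and makes each check cost a full PBKDF2 run. A key that is random and stored off the machine (the floppy option) removes the password from the picture entirely, which is the strongest of the three choices the post lists.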
This archive was generated by hypermail 2.0b3 on Sat Oct 09 1999 - 00:16:48 CDT