Penetration Testing mailing list archives
Re: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 3 Oct 2005 09:07:46 -0700
Actually, booting to an alt OS would easily allow access to the SAM- in your case, it would be SYSKEY'd, so cracking it would not be an issue, but that's why I was asking about what type of user mode is being used-- if you are using local accounts, one could easily boot to an alt OS and replace the SAM (reset the admin account.) In this case, since the local admin owns the EFS recovery keys by default, the account could be used to read all the local users files even if EFS'd. Oh, and thank you for the correction regarding access to the LSA with password-on-boot SYSKEY... You are absolutely correct; SYSKEY modes 2 and 3 do indeed encrypt the LSA- I was totally wrong about that. Not withstanding that, the main point is to use domain accounts vs local accounts to keep the "local admin" attack from being successful. You could indeed export the local admin recovery keys, but using domain accounts makes all that a moot point...
Just making sure you're using domain accounts (or will), or that you're exporting the EFS recovery cert...
Also, you might want to address things like copying files around (possibly removing EFS protection) or users just hibernating the lappy with your users...
Good stuff... t----- Original Message ----- From: "Dufresne, Pierre" <PIERRE.DUFRESNE () MESS GOUV QC CA>
To: <pen-test () securityfocus com> Cc: "Thor (Hammer of God)" <thor () hammerofgod com> Sent: Monday, October 03, 2005 7:44 AMSubject: RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"
Thanks for your detailed answer. As I said, by using SYSKEY with a password-on-boot, I was hoping to protect the cache entries stored on the laptops. Without the SYSKEY password, the machine won't boot,so an attacker could not dump the cache (CacheDump) or get access to the LSA(LSADump2). I also assume that booting with another OS would not give the attacker access to the EFS filesbecause AES is pretty strong, the cache entries are encrypted with a secret(NL$KM) which is stored in the LSA and the LSA is not accessible because the system key is password protected by a password which is not stored locally anymore. I don't assume my reasoning is foolproof, I just want to make sure deploying SYSKEY with a password-on-boot will render our laptops harder to penetrate. -----Original Message----- From: Thor (Hammer of God) [mailto:thor () hammerofgod com] Sent: 30 septembre 2005 01:06 To: Dufresne, Pierre; pen-test () securityfocus comSubject: Re: Password "security" - was"Passwords with Lan Manager (LM) underWindows" and "Whitespace in passwords"Let's break this down a bit-- I didn't pick up on the fact that you were concerned with laptop security--when you discussed SYSKEY'ing the SAM, I assumed a member/stand-alone SAM. But you can certainly SYSKEY the SAM of an XP box as well...Regarding laptop security, you're in the same boat as the rest of us. It's tough business to secure resident data and keep the box patched while makingaccess easy enough for the user to get their jobs done without compromisingsecurity. My gut feeling is that it is so difficult that the majority ofcorporate laptop deployments are seriously lacking in security, and that thelaptop represents one of the highest levels of threat and exposure to an organization. So let's chew on this one... First off, SYSKEY'ing the SAM of an XP lappy does not encrypt the cachedpwd's in the LSA. It just changes the encryption level of the SAM accountsdb itself. This is where the number of cached logons stored in the LSAcomes in... If you are authenticating to the local account base on the box,you can set this to 0 without worry (because it does not come into play).However, if you are authenticating to a domain, (which I have to assume you are doing since cached logons are a concern) setting cached logons to 0 willrequire a connection to a DC just to log on to the box-- something I don't see many people do on remote laptops using domain accounts. That beingsaid, most deployments of EFS that I have seen, particularly in laptops, arebased on domain accounts. The main reason being the fact that authentication is off-box, thus reducing the risk of local accounts compromising EFS encrypted files. You also can use the domain-basedrecovery certificate to access files should you have to take a user out backand shoot them. Hey, these things happen in the south. So, I would opine that using SYSKEY to secure local accounts on a laptopusing EFS is a bit bulky, and that the associated administrative overhead tomake it all work well is counter-productive... Of course, if any on the listare doing this with appreciable levels of success, please let us know what we are missing (what I'm missing, anyway.) Regarding passwords, just use pass phrases. This whole thread really gotskewed in regard to that, I think. For one, a password with a whitespace init is obviously more secure than one without, simply because it increases the keyspace. It doesn't matter what Cain and Able, or Adam and Eve for that matter, can do with it-- increased keyspace == increased overhead to crack. It's simple math. You'll hear all manner of war stories of people cracking this, cracking that, using rainbow tables here, LM cracks there,and a bag of Skittles on the other side. But most of that can be obviated byhaving simple, but long, pass phrases. Since Win2k, you've had the choiceof using 1298 character passwords/phrases. Even if you catch an NTLM auth onthe wire, a passphrase like "i have no farking idea what my password is." will take an eon to crack, even though it is all lower-case alpha with a period thrown in-- same with a SAM. Besides, if someone has camped out on your box and grabbed the SAM, you've got Bigger Problems (tm) anyway. In addition to easy pass phrases, I think a far more workable and viable solution for laptop data is the use of something like a PGP partition tostore data. It's easy for the user, easy for the admin, and adds real-worldsecurity to remote data deployments... t----- Original Message ----- From: "Dufresne, Pierre" <PIERRE.DUFRESNE () MESS GOUV QC CA>To: <pen-test () securityfocus com> Sent: Thursday, September 29, 2005 6:19 AMSubject: RE: Password "security" - was"Passwords with Lan Manager (LM) underWindows" and "Whitespace in passwords"Thanks for the advice,I am focusing on stolen laptops. With the password-on-boot SYSKEY featureI was hoping to protect the cache entries stored on those machines. The thing is, I was planning to make EFS available for the laptops (XP sp1).The problem is, if the attacker can crack the passwords (after dumping thecache entries with CacheDump), he gets access to the EFS files. That's why this password security thread had me worry. Thanks P.
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 03)
- Re: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords" Thor (Hammer of God) (Oct 03)
- <Possible follow-ups>
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 15)
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 15)