Penetration Testing mailing list archives
RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords"
From: "Dufresne, Pierre" <PIERRE.DUFRESNE () MESS GOUV QC CA>
Date: Mon, 3 Oct 2005 10:44:44 -0400
Thanks for your detailed answer. As I said, by using SYSKEY with a password-on-boot, I was hoping to protect the cache entries stored on the laptops. Without the SYSKEY password, the machine won't boot, so an attacker could not dump the cache (CacheDump) or get access to the LSA (LSADump2). I also assume that booting with another OS would not give the attacker access to the EFS files because AES is pretty strong, the cache entries are encrypted with a secret (NL$KM) which is stored in the LSA and the LSA is not accessible because the system key is password protected by a password which is not stored locally anymore. I don't assume my reasoning is foolproof, I just want to make sure deploying SYSKEY with a password-on-boot will render our laptops harder to penetrate. -----Original Message----- From: Thor (Hammer of God) [mailto:thor () hammerofgod com] Sent: 30 septembre 2005 01:06 To: Dufresne, Pierre; pen-test () securityfocus com Subject: Re: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords" Let's break this down a bit-- I didn't pick up on the fact that you were concerned with laptop security-- when you discussed SYSKEY'ing the SAM, I assumed a member/stand-alone SAM. But you can certainly SYSKEY the SAM of an XP box as well... Regarding laptop security, you're in the same boat as the rest of us. It's tough business to secure resident data and keep the box patched while making access easy enough for the user to get their jobs done without compromising security. My gut feeling is that it is so difficult that the majority of corporate laptop deployments are seriously lacking in security, and that the laptop represents one of the highest levels of threat and exposure to an organization. So let's chew on this one... First off, SYSKEY'ing the SAM of an XP lappy does not encrypt the cached pwd's in the LSA. It just changes the encryption level of the SAM accounts db itself. This is where the number of cached logons stored in the LSA comes in... If you are authenticating to the local account base on the box, you can set this to 0 without worry (because it does not come into play). However, if you are authenticating to a domain, (which I have to assume you are doing since cached logons are a concern) setting cached logons to 0 will require a connection to a DC just to log on to the box-- something I don't see many people do on remote laptops using domain accounts. That being said, most deployments of EFS that I have seen, particularly in laptops, are based on domain accounts. The main reason being the fact that authentication is off-box, thus reducing the risk of local accounts compromising EFS encrypted files. You also can use the domain-based recovery certificate to access files should you have to take a user out back and shoot them. Hey, these things happen in the south. So, I would opine that using SYSKEY to secure local accounts on a laptop using EFS is a bit bulky, and that the associated administrative overhead to make it all work well is counter-productive... Of course, if any on the list are doing this with appreciable levels of success, please let us know what we are missing (what I'm missing, anyway.) Regarding passwords, just use pass phrases. This whole thread really got skewed in regard to that, I think. For one, a password with a whitespace in it is obviously more secure than one without, simply because it increases the keyspace. It doesn't matter what Cain and Able, or Adam and Eve for that matter, can do with it-- increased keyspace == increased overhead to crack. It's simple math. You'll hear all manner of war stories of people cracking this, cracking that, using rainbow tables here, LM cracks there, and a bag of Skittles on the other side. But most of that can be obviated by having simple, but long, pass phrases. Since Win2k, you've had the choice of using 1298 character passwords/phrases. Even if you catch an NTLM auth on the wire, a passphrase like "i have no farking idea what my password is." will take an eon to crack, even though it is all lower-case alpha with a period thrown in-- same with a SAM. Besides, if someone has camped out on your box and grabbed the SAM, you've got Bigger Problems (tm) anyway. In addition to easy pass phrases, I think a far more workable and viable solution for laptop data is the use of something like a PGP partition to store data. It's easy for the user, easy for the admin, and adds real-world security to remote data deployments... t ----- Original Message ----- From: "Dufresne, Pierre" <PIERRE.DUFRESNE () MESS GOUV QC CA> To: <pen-test () securityfocus com> Sent: Thursday, September 29, 2005 6:19 AM Subject: RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"
Thanks for the advice, I am focusing on stolen laptops. With the password-on-boot SYSKEY feature
I was hoping to protect the cache entries stored on those machines. The thing is, I was planning to make EFS available for the laptops (XP sp1). The problem is, if the attacker can crack the passwords (after dumping the cache entries with CacheDump), he gets access to the EFS files. That's why this password security thread had me worry. Thanks P.
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 03)
- Re: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords" Thor (Hammer of God) (Oct 03)
- <Possible follow-ups>
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 15)
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 15)