Vulnerability Development mailing list archives
NT SysKey should be breakable
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Fri, 8 Oct 1999 22:37:24 +0200
Has anyone looked closely at the WinNT SysKey application? Supposedly, it encrypts your SAM files (the ones in \winnt\repair too?) so that Evil People(tm) can't just leech them off your machine and hand them to L0phtCrack.

Something is telling me that this only buys you so much protection, since the SAM secret would need to be known to the OS. THAT in turn means that userland apps (at least ones running as LocalSystem) should be able to find that same secret. I _know_ this is not a one-way thing, since SysKey actually asks you where to store the secret (password protected, on a floppy, or just plain).

- Plain stored secret should be "easy" to find.

- If someone enables password protection, it should still be possible to break the secret of the SAM secret using known plaintext attacks. We know that the original SAM._ file begins with "MSCF" followed by four zero bytes. That's eight bytes of known plaintext. There's also a string "$$hive$$.tmp" later on that seems to be constant, which we should be able to use as known plaintext. (These are just the obvious ones.) I'm going to go ahead and guess that the secret used to encrypt the SAM secret is an LMHASH of the given password. It could also be that the SAM secret is kept somewhere in RAM without the password scramble.

- Floppy secrets could also be breakable; again, maybe they are loaded into RAM, or maybe the Admin just happened to leave the floppy in the drive :-P

Maybe worth looking into? - I can't see myself doing it; it would take too much time for me given that I probably don't know enough about the NT kernel.

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50  Fax: +46-(0)660-122 50  Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se  E-mail: mikael.olsson () enternet se
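A defender-side audit check built on the known-plaintext markers the post names, added here as an example that is not part of the original message: it inspects a candidate SAM._ backup for the "MSCF" + four zero bytes header and the "$$hive$$.tmp" string, and otherwise falls back to a byte-entropy estimate to flag a copy that is probably protected. The entropy threshold and the sample inputs are constructed assumptions, not values from the post.

```python
import math
from collections import Counter

# Known-plaintext markers described in the post for an unprotected repair
# copy of the SAM: the cabinet header and the constant temp-hive name.
CAB_MAGIC = b"MSCF\x00\x00\x00\x00"
HIVE_MARKER = b"$$hive$$.tmp"

# Assumed threshold: encrypted or compressed bytes approach 8 bits/byte.
ENTROPY_THRESHOLD = 7.5
MIN_SAMPLE = 256


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_known_plaintext(data: bytes) -> dict:
    """Map each marker name to its first offset, or -1 if absent."""
    return {
        "cab_magic": 0 if data.startswith(CAB_MAGIC) else -1,
        "hive_marker": data.find(HIVE_MARKER),
    }


def classify_sam_backup(data: bytes) -> str:
    """Return 'plaintext', 'likely-encrypted' or 'unknown' for a SAM._ copy."""
    if any(offset >= 0 for offset in find_known_plaintext(data).values()):
        return "plaintext"  # recognisable structure: the file is not protected
    if len(data) >= MIN_SAMPLE and byte_entropy(data) > ENTROPY_THRESHOLD:
        return "likely-encrypted"  # near-uniform bytes, no recognisable structure
    return "unknown"


# Constructed sample inputs (not real SAM data).
SAMPLE_PLAINTEXT = CAB_MAGIC + b"\x00" * 40 + HIVE_MARKER + b"\x00" * 20
SAMPLE_UNIFORM = bytes(range(256)) * 4  # every byte value equally often -> 8.0 bits

if __name__ == "__main__":
    for name, blob in (("plaintext", SAMPLE_PLAINTEXT), ("uniform", SAMPLE_UNIFORM)):
        print(name, classify_sam_backup(blob), find_known_plaintext(blob))
```

On a real host the same function would be run over each SAM._ found under the repair directory, with "plaintext" being the finding to act on.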