Vulnerability Development mailing list archives
Re: NT SysKey should be breakable
From: tsabin () BOS BINDVIEW COM (Todd Sabin)
Date: Sat, 9 Oct 1999 11:33:53 -0400
Mikael Olsson <mikael.olsson () ENTERNET SE> writes:

> Has anyone looked closely at the WinNT SysKey application?

A little.

> Supposedly, it encrypts your SAM files (the ones in \winnt\repair too?) so that Evil People(tm) can't just leech them off your machine and hand them to L0phtCrack. Something is telling me that this only buys you so much protection, since the SAM secret would need to be known to the OS. THAT in turn means that userland apps (at least ones running as LocalSystem) should be able to find that same secret.

If the machine is running and you have admin, finding the SYSKEY is unnecessary. You can use my pwdump2 program (http://www.webspan.net/~tas/pwdump2) to dump the unencrypted hashes directly.

> I _know_ this is not a one-way thing, since SysKey actually asks you where to store the secret (password protected, on a floppy, or just plain).
>
> - Plain stored secret should be "easy" to find.
>
> - If someone enables password protection, it should still be possible to break the secret of the SAM secret using known plaintext attacks. We know that the original SAM._ file begins with "MSCF" followed by four zero bytes. That's eight bytes of known plaintext. There's also a string "$$hive$$.tmp" later on that seems to be constant, which we should be able to use as known plaintext. (These are just the obvious ones.)

SYSKEY doesn't encrypt the entire contents of the SAM file, only the 'sensitive' parts: the password hashes and password histories, I think. More recent service packs have extended it to also encrypt the LSA secrets and cached logon passwords, I believe.

> I'm going to go ahead and guess that the secret used to encrypt the SAM secret is an LMHASH of the given password. It could also be that the SAM secret is kept somewhere in RAM without the password scramble.

I think this is the case, but am not sure. I know it's originally obtained by winlogon during the boot process, and then handed off to lsass, which uses it to do the on-the-fly decryption. Also, I didn't see anything that would prevent the SYSKEY from ending up in the swap file, so it may be possible to grab it from there.

> - Floppy secrets could also be breakable; again, maybe they are loaded into RAM, or maybe the Admin just happened to leave the floppy in the drive :-P Maybe worth looking into?

I think the things most worth looking at are what you can do if you, e.g., steal a machine or backup tape, but don't get the SYSKEY. These are the types of attacks it's meant to protect against.

Todd
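As an added example, not part of either poster's message: a toy model of the known-plaintext password-guessing attack Mikael proposes, together with the check Todd's reply implies is needed first (is the "MSCF" header actually encrypted, or is only a hash field inside the hive encrypted?). The cipher (RC4), the key derivation (MD5 of the password) and the sample blobs are assumptions made for illustration; none of it is the real SYSKEY algorithm or real SAM data.

```python
"""Toy model of the known-plaintext attack on a password-protected SYSKEY.

Assumptions (illustration only, NOT the real SYSKEY scheme):
  * protected bytes are RC4-encrypted under a key derived as MD5(password)
  * the attacker knows the first eight plaintext bytes of SAM._, which the
    thread identifies as "MSCF" followed by four zero bytes
"""
import hashlib

# Known plaintext cited in the thread: cabinet header "MSCF" + four NUL bytes.
KNOWN_PREFIX = b"MSCF\x00\x00\x00\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), used here only as a stand-in stream cipher."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str) -> bytes:
    """Assumed key derivation: a hash of the startup password (Mikael guesses
    an LM hash; MD5 is used here purely as a stand-in)."""
    return hashlib.md5(password.encode("utf-16-le")).digest()


def header_is_encrypted(blob: bytes) -> bool:
    """Todd's caveat: if only the hash fields are encrypted, the header is
    still in the clear and attacking it yields nothing. Check before cracking."""
    return not blob.startswith(KNOWN_PREFIX)


def recover_password(blob: bytes, candidates, known: bytes = KNOWN_PREFIX):
    """Dictionary attack using the known prefix. Because RC4 is a stream
    cipher, decrypting only the first len(known) bytes is enough to test a
    candidate. Returns the matching password or None."""
    head = blob[: len(known)]
    for pw in candidates:
        if rc4(derive_key(pw), head) == known:
            return pw
    return None


# Constructed sample data (not real SAM contents). WHOLE_FILE_BLOB models a
# file encrypted end to end; FIELD_ONLY_BLOB models SYSKEY-style protection
# where the header stays in the clear and only an embedded field is encrypted.
SAMPLE_PASSWORD = "Wint3r99"
SAMPLE_PLAINTEXT = KNOWN_PREFIX + b"\x00" * 8 + b"$$hive$$.tmp" + b"\x00" * 16
WHOLE_FILE_BLOB = rc4(derive_key(SAMPLE_PASSWORD), SAMPLE_PLAINTEXT)
FIELD_ONLY_BLOB = KNOWN_PREFIX + rc4(derive_key(SAMPLE_PASSWORD), b"\xaa" * 16)
WORDLIST = ["password", "letmein", "admin", SAMPLE_PASSWORD, "secret"]

if __name__ == "__main__":
    for name, blob in (("whole-file", WHOLE_FILE_BLOB), ("field-only", FIELD_ONLY_BLOB)):
        if header_is_encrypted(blob):
            print(name, "-> header encrypted, guessed:", recover_password(blob, WORDLIST))
        else:
            print(name, "-> header in the clear; known-plaintext attack on it is pointless")
```

The whole-file case is where the header-based attack works: each candidate costs one key derivation and eight bytes of keystream. The field-only case is the one Todd describes, and there the same eight known bytes are simply not encrypted, so the attacker would need known plaintext inside the protected fields instead.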