Vulnerability Development mailing list archives

Re: NT SysKey should be breakable


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sat, 9 Oct 1999 12:20:05 +0200


If you thought parts of my mail were confused, you're right,
they were, I got two paragraphs mixed together.

Short (correct) run down of the possible "attack" routes:

- SAM secret stored on local machine: Retrieve it
  from disk or from RAM

- SAM secret stored on floppy: Retrieve it from floppy
  if still inserted, or from RAM

- Password protected SAM secret: Retrieve from un-garbled
  copy from RAM

- All variants: Brute force the encrypted SAM using known
  plain text. This would in essence double the effort
  taken to get passwords, but that's not very good security
  to my mind :-)

Mikael Olsson wrote:

Has anyone looked closely at the WinNT SysKey application?

Supposedly, it encrypts your SAM files (the ones in
\winnt\repair too?) so that Evil People(tm) can't
just leech them off your machine and hand them to
L0phtCrack.

Something is telling me that this only buys you so much
protection, since the SAM secret would need to be known
to the OS. THAT in turn means that userland apps
(at least ones running as LocalSystem) should be able to
find that same secret.

I _know_ this is not a one-way thing, since SysKey actually
asks you where to store the secret (password protected,
on a floppy, or just plain).

- Plain stored secret should be "easy" to find.

- If someone enables password protection, it should still
  be possible to break the secret of the SAM secret using
  known plaintext attacks. We know that the original SAM._
  file begins with "MSCF" followed by four zero bytes.
  That's eight bytes of known plaintext.
  There's also a string "$$hive$$.tmp" later on that seems
  to be constant, which we should be able to use as known
  plaintext. (These are just the obvious ones)

  I'm going to go ahead and guess that the secret
  used to encrypt the SAM secret is an LMHASH of
  the given password.

  It could also be that the SAM secret is kept
  somewhere in RAM without the password scramble.

- Floppy secrets could also be breakable; again, maybe
  they are loaded into RAM, or maybe the Admin just
  happened to leave the floppy in the drive :-P

Maybe worth looking into?
- I can't see myself doing it; it would take too much
time for me given that I probably don't know enough about
the NT kernel.

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
