Vulnerability Development mailing list archives

Re: NT SysKey should be breakable


From: tsabin () BOS BINDVIEW COM (Todd Sabin)
Date: Sat, 9 Oct 1999 11:33:53 -0400


Mikael Olsson <mikael.olsson () ENTERNET SE> writes:

Has anyone looked closely at the WinNT SysKey application?


A little.

Supposedly, it encrypts your SAM files (the ones in
\winnt\repair too?) so that Evil People(tm) can't
just leech them off your machine and hand them to
L0phtCrack.

Something is telling me that this only buys you so much
protection, since the SAM secret would need to be known
to the OS. THAT in turn means that userland apps
(at least ones running as LocalSystem) should be able to
find that same secret.


If the machine is running and you have admin, finding the SYSKEY is
unnecessary.  You can use my pwdump2 program
(http://www.webspan.net/~tas/pwdump2) to dump the unencrypted hashes
directly.

I _know_ this is not a one-way thing, since SysKey actually
asks you where to store the secret (password protected,
on a floppy, or just plain).

- Plain stored secret should be "easy" to find.

- If someone enables password protection, it should still
  be possible to break the secret of the SAM secret using
  known plaintext attacks. We know that the original SAM._
  file begins with "MSCF" followed by four zero bytes.
  That's eight bytes of known plaintext.
  There's also a string "$$hive$$.tmp" later on that seems
  to be constant, which we should be able to use as known
  plaintext. (These are just the obvious ones)


SYSKEY doesn't encrypt the entire contents of the SAM file, only the
'sensitive' parts: the password hashes and password histories, I
think.  More recent service packs have extended it to also encrypt the
LSA secrets and cached logon passwords, I believe.

  I'm going to go ahead and guess that the secret
  used to encrypt the SAM secret is an LMHASH of
  the given password.

  It could also be that the SAM secret is kept
  somewhere in RAM without the password scramble.


I think this is the case, but am not sure.  I know it's originally
obtained by winlogon during the boot process, and then handed off to
lsass which uses it to do the on-the-fly decryption.  Also, I didn't
see anything that would prevent the SYSKEY from ending up in the swap
file, so it may be possible to grab it from there.

- Floppy secrets could also be breakable; again, maybe
  they are loaded into RAM, or maybe the Admin just
  happened to leave the floppy in the drive :-P


Maybe worth looking into?

I think the things most worth looking at are what can you do if you
e.g., steal a machine or backup tape, but don't get the SYSKEY.  These
are the types of attacks it's meant to protect against.

Todd
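The thread turns on which of the three SYSKEY storage modes a machine uses (key stored locally, derived from a startup password, or kept on a floppy), since only the latter two protect against the offline case Todd describes at the end: a stolen disk or backup tape that does not come with the key. The following PowerShell audit script is an added example and is not code from the original thread or from pwdump2; it reads the SecureBoot value under the Lsa registry key, which Windows NT uses to record the configured mode (1 = key stored locally, 2 = startup password, 3 = floppy). The function name Get-SyskeyMode and the OfflineProtection field are my own naming.

```powershell
# Added example (not part of the original thread): report which SYSKEY
# startup mode a host is configured for, so an administrator can confirm
# that machines whose disks or backups might leave the building are not
# running in the locally-stored-key mode.
#
# Assumption: the mode is recorded in the SecureBoot DWORD under the Lsa key,
# with 1 = key stored locally in the registry, 2 = key derived from a
# startup password, 3 = key stored on a floppy.
function Get-SyskeyMode {
    param(
        # The path is overridable so the same check can be pointed at an
        # offline SYSTEM hive loaded with 'reg load' (for auditing a
        # restored backup) instead of the live registry.
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $item = Get-ItemProperty -Path $LsaPath -Name 'SecureBoot' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Mode              = $null
            Description       = 'SecureBoot value absent: SYSKEY not configured'
            OfflineProtection = $false
        }
    }

    $mode = [int]$item.SecureBoot
    switch ($mode) {
        1 { $desc = 'Key stored locally in the registry (plain)'; $protected = $false }
        2 { $desc = 'Key derived from a startup password';        $protected = $true  }
        3 { $desc = 'Key stored on a floppy disk';                 $protected = $true  }
        default { $desc = "Unrecognised SecureBoot value $mode";   $protected = $false }
    }

    [pscustomobject]@{
        Mode              = $mode
        Description       = $desc
        OfflineProtection = $protected
    }
}

# Usage: run on the host being audited (requires read access to HKLM\SYSTEM).
$result = Get-SyskeyMode
$result | Format-List

if (-not $result.OfflineProtection) {
    # This is exactly the case the thread ends on: with the key on the same
    # disk as the SAM, a stolen machine or backup tape contains everything
    # needed to recover the hashes, so SYSKEY adds no protection offline.
    Write-Warning 'SYSKEY mode does not protect against offline theft of the disk or backups.'
}
```

When auditing a SYSTEM hive taken from a backup rather than the live machine, load it with `reg load HKLM\Offline <path-to-SYSTEM-hive>` and pass `-LsaPath 'HKLM:\Offline\ControlSet001\Control\Lsa'`: the CurrentControlSet link only exists in a running registry, so an offline hive has to be read through the numbered control set.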

