Vulnerability Development mailing list archives

Re: Syskey


From: Nicola Cuomo <ncuomo () studenti unina it>
Date: Sat, 7 Sep 2002 00:38:24 +0200

Hi,

I was studying the same subject some time ago in the free time between
exams.
An interesting thing to note is that Syskey.exe, if you change the way
the bootkey is stored, uses these functions during the generation of
the new bootkey:

SamiGetBootKeyInformation and
SamiSetBootKeyInformation

Imported from SAMLIB.DLL

I've not reverse engineered these functions but the names look
promising ^_^;

From the RAZOR paper - Windows NT's SYSKEY feature (December 16, 1999)
I've deduced that, given the bootkey, restoring the non-syskeyed hash
is a matter of applying RC4. (maybe just a wrong inference ^_^;;)

Moreover I've tried to contact Dmitry Andrianov to get the SAMDUMP
source code but he still hasn't replied to my email (waiting ^_^).

When the key is stored in the registry (when you select the option to
store the bootkey locally) it seems that its value is stored
obfuscated in the following registry key - value pairs:

SYSTEM\CurrentControlSet\Control\Lsa\DATA - Pattern
SYSTEM\CurrentControlSet\Control\Lsa\GBG - GrafBlumGroup
SYSTEM\CurrentControlSet\Control\Lsa\JD - Lookup
SYSTEM\CurrentControlSet\Control\Lsa\Skew1 - SkewMatrix

If this is true (I've only seen Winlogon.exe working on those keys
during the login, as also do Syskey.exe and LSASRV.DLL) and the
obfuscation function is reversed, a serious security bug would be that
the ACL for these registry keys allows normal user access, making
Syskey useless.

Still researching....

I know that my English is heavily broken; I hope only that it's
somehow readable ^_^;;;;

Bye.
-- 
 Nicola                            mailto:ncuomo () studenti unina it
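The post's last point is that the ACLs on the four Lsa subkeys decide whether the locally stored bootkey is protected at all. The script below is an added example, not part of the original post or of any Microsoft tool: it audits the ACLs of those keys from a defender's point of view and reports any low-privilege principal that is allowed to read them. The function name Test-LsaBootKeyAcl and the list of "low-privilege" principals are my own choices; the four key names come from the post. Run it elevated on the machine being audited.

```powershell
# Added example (not from the original post): audit the ACLs of the LSA
# subkeys named in the thread and flag low-privilege principals with read
# access. Reading a key's values or class name needs the QueryValues right,
# so that is the bit the check looks for.

$LsaSubKeys = @('DATA', 'GBG', 'JD', 'Skew1')   # the four keys named in the post

# Principals that any interactive or network user effectively belongs to.
# Assumed list; extend it with site-specific groups if needed.
$LowPrivilegePrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

function Test-LsaBootKeyAcl {
    [CmdletBinding()]
    param(
        [string[]]$Keys = $LsaSubKeys,
        [string[]]$Principals = $LowPrivilegePrincipals
    )

    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues

    foreach ($k in $Keys) {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\$k"
        try {
            # Get-Acl on a registry path returns the key's DACL, inherited ACEs included.
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            [PSCustomObject]@{
                Key     = $path
                Exposed = @()
                Finding = "Cannot read ACL: $($_.Exception.Message)"
            }
            continue
        }

        $exposed = @()
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }

            $rights = $ace.RegistryRights
            # A negative enum value means a generic right (e.g. GENERIC_READ) that
            # .NET did not map to a specific RegistryRights member; treat it as read.
            $grantsRead = (($rights -band $queryValues) -ne 0) -or ($rights.value__ -lt 0)
            if ($grantsRead) {
                $exposed += "$($ace.IdentityReference.Value) [$rights]"
            }
        }

        [PSCustomObject]@{
            Key     = $path
            Exposed = $exposed
            Finding = if ($exposed.Count -gt 0) {
                          'Low-privilege read access: review the DACL'
                      } else {
                          'No low-privilege read access found'
                      }
        }
    }
}

# Usage: tabulate the result for all four keys.
Test-LsaBootKeyAcl | Format-Table -AutoSize -Wrap
```

The check is deliberately conservative: it only looks at Allow ACEs for the listed principals and does not try to resolve group membership beyond them, so a key that is reachable through some other group will not be flagged. Treat an empty Exposed list as "nothing obvious", not as proof that the key is locked down.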

