Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft EFS
From: Thomas Springer <tuevsec () gmx net>
Date: Wed, 12 Oct 2005 09:53:18 +0200

EFS-stuff is tricky. Let me drop a few hints (on XP/2003 only!)

EFS-Files are crypted for the actual logged-in user (be it a domain-user or a local user). By default, EFS crypts also to the key of a "default recovery agent", which is the local administrator or, if you are a domain-user, the domain-administrator.

ONLY these two accounts (user and recovery agent) can decrypt the files.
If your machine is part of a domain AND the files are crypted with a domain-account, the only way to get the data back is cracking the domain-pw.

I did a little q&a months ago for our stuff, maybe this helps to make things clearer. and never forgtet: this matters for xp/2003. efs on win2k is different (and insecure).

How is it crypted?
Depending on Version/Servicepack with 3DES, DESX oder 256Bit AES
XP SP1 offers you a registry-key to choose the ciper:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS AlgorithmID (DWORD)
3DES: 0x6603
DESX: 0x6604
AES-256: 0x6610

Where is the key hanging around physically?
The encrypted keys are living on
 \\<yourprofile>\Application Data\Microsoft\Crypto\RSA\{SID}\...

Can I backup/export the key?
Yes. Start a cmd.exe and say  cipher.exe /x [filename]
This saves a password-protected copy of your efs-key.

How can I check who can access an efs-crypted file?
Start a cmd.exe and say   efsinfo.exe /c /r /u

Does it help if I backup the above-mentioned key from my profile-directory?
No. Your local key-file is crypted with a random key and your user-password. Windows changes this random key every 60 days. Your backup would be useless then. If you change your windows- (or domain-)password, the key gets also encrypted new.

What happens, if a windows-administrator (or linux-user with some bootdisk) is resetting my password (be it the domain-controller or locally)? You have no longer access to your EFS-encrypted files, because your keys in the above mentioned directorys are garbled with your OLD user-password. If you (or somebody else) reset your account-password remotely, the keys won't get reencrypted Hey man, after all you wouldn't want a simple domain-admin to read your data, would you? Hopefully you have backed up your EFS-Key using cipher.exe. Otherwise you'll have to consult your recovery-agent!

depending on your os and sp, ciper.exe and efsinfo.exe might not be installed on your machine - but you can get these tools and other valuable infos from microsoft:







Do you know how his will work for a machine that is part of a Domain?
Where there are no Local Users and the Default Recovery Agent is the "Domain Admin"

I know tht one can always hack the local admin PW, then unjoin the domain, but where does that leave the machine.
Is there any way to hack the "nounce" PW?

Thanks

Tim



------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault