Has anyone looked closely at the WinNT SysKey application?
Supposedly, it encrypts your SAM files (the ones in
\winnt\repair too?) so that Evil People(tm) can't
just leech them off your machine and hand them to
L0phtCrack.
Something is telling me that this only buys you so much
protection, since the SAM secret would need to be known
to the OS. THAT in turn means that userland apps
(at least ones running as LocalSystem) should be able to
find that same secret.
I _know_ this is not a one-way thing, since SysKey actually
asks you where to store the secret (password protected,
on a floppy, or just plain).
- A plainly stored secret should be "easy" to find.
- If someone enables password protection, it should still
be possible to break the SAM secret using known-plaintext
attacks. We know that the original SAM._
file begins with "MSCF" followed by four zero bytes.
That's eight bytes of known plaintext.
There's also a string "$$hive$$.tmp" later on that seems
to be constant, which we should be able to use as known
plaintext. (These are just the obvious ones)
I'm going to go ahead and guess that the secret
used to encrypt the SAM secret is an LMHASH of
the given password.
It could also be that the SAM secret is kept
somewhere in RAM without the password scramble.
- Floppy secrets could also be breakable; again, maybe
they are loaded into RAM, or maybe the Admin just
happened to leave the floppy in the drive :-P
Maybe worth looking into?
- I can't see myself doing it; it would take too much
time for me given that I probably don't know enough about
the NT kernel.
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson@enternet.se
Received on Oct 09 1999
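The following is an added worked example, not part of Mikael Olsson's post, of the known-plaintext check he sketches, run against a constructed sample. The stream cipher (RC4) and the password-to-key derivation (MD5 of the password) are stand-ins assumed purely for the demonstration; neither is SysKey's real scheme, and the post itself only guesses at LMHASH. What the example shows is the mechanics: eight known header bytes ("MSCF" plus four zero bytes) let you test a candidate password against only the first eight bytes of ciphertext, and a second constant ("$$hive$$.tmp") at a known offset can confirm a hit. The sample hive, the offset 32, the password "startup1" and the wordlist are all constructed for this demo.

```python
import hashlib

# Known plaintext from the post: a compressed SAM._ in \winnt\repair is a
# CAB file, so it starts with "MSCF" followed by four zero bytes.
KNOWN_PLAINTEXT = b"MSCF\x00\x00\x00\x00"
SECOND_CONSTANT = b"$$hive$$.tmp"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR. Stand-in stream cipher for the demo only;
    nothing here claims SysKey uses RC4."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str) -> bytes:
    """Stand-in password-to-key derivation (MD5 of the password), assumed for
    the demo. The post guesses LMHASH; the real derivation is not on the page."""
    return hashlib.md5(password.encode("latin-1")).digest()


def encrypt_hive(password: str, hive: bytes) -> bytes:
    """Produce the 'encrypted hive' the attacker is handed."""
    return rc4(derive_key(password), hive)


def known_plaintext_search(ciphertext: bytes, candidates, known=KNOWN_PLAINTEXT):
    """Try each candidate password, decrypting only len(known) bytes and
    comparing against the known header. With a stream cipher the prefix
    keystream does not depend on the rest of the file, so this is cheap.
    Returns the first matching password, or None."""
    head = ciphertext[:len(known)]
    for pw in candidates:
        if rc4(derive_key(pw), head) == known:
            return pw
    return None


def confirm_at_offset(ciphertext: bytes, password: str, offset: int, expected: bytes) -> bool:
    """Second check on a hit: decrypt up to offset+len(expected) and compare
    the bytes at that offset with a second known constant. Still far cheaper
    than decrypting a whole hive, and it rules out a chance 8-byte match."""
    plain = rc4(derive_key(password), ciphertext[:offset + len(expected)])
    return plain[offset:offset + len(expected)] == expected


# Constructed sample hive: the real 8-byte CAB prefix, some filler, and the
# second constant placed at offset 32 (offset chosen for the demo).
SECOND_OFFSET = 32
SAMPLE_HIVE = (KNOWN_PLAINTEXT + b"\x10\x00\x00\x00" + b"\x00" * 20
               + SECOND_CONSTANT + b"\x00" * 16)
SAMPLE_PASSWORD = "startup1"          # constructed
SAMPLE_CIPHERTEXT = encrypt_hive(SAMPLE_PASSWORD, SAMPLE_HIVE)
WORDLIST = ["password", "admin", "syskey", "startup1", "letmein"]  # constructed


def demo():
    """Run the dictionary attack and the confirmation step; return (hit, confirmed)."""
    hit = known_plaintext_search(SAMPLE_CIPHERTEXT, WORDLIST)
    confirmed = hit is not None and confirm_at_offset(
        SAMPLE_CIPHERTEXT, hit, SECOND_OFFSET, SECOND_CONSTANT)
    return hit, confirmed


if __name__ == "__main__":
    print(demo())
```

Eight bytes of known plaintext means a wrong key reproduces the header by chance with probability about 2^-64 under a decent cipher, so in practice the first check alone identifies the password; the offset check is there for the case where a file begins with a shorter or partly variable header. The cost per candidate is dominated by the key derivation, which is exactly why a fast hash like LMHASH or MD5 in that role (as the post suspects) would make a wordlist attack cheap.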