Vulnerability Development: Re: NT SysKey should be breakable

Re: NT SysKey should be breakable

From: Mikael Olsson <mikael.olsson_at_ENTERNET.SE>
Date: Sat, 9 Oct 1999 12:20:05 +0200

If you thought parts of my mail were confused, you're right,
they were, I got two paragraphs mixed together.

Short (correct) rundown of the possible "attack" routes:

- SAM secret stored on local machine: Retrieve it
  from disk or from RAM

- SAM secret stored on floppy: Retrieve it from floppy
  if still inserted, or from RAM

- Password protected SAM secret: Retrieve from un-garbled
  copy from RAM

- All variants: Brute force the encrypted SAM using known
  plain text. This would in essence double the effort
  taken to get passwords, but that's not very good security
  to my mind :-)

Mikael Olsson wrote:
>
> Has anyone looked closely at the WinNT SysKey application?
>
> Supposedly, it encrypts your SAM files (the ones in
> \winnt\repair too?) so that Evil People(tm) can't
> just leech them off your machine and hand them to
> L0phtCrack.
>
> Something is telling me that this only buys you so much
> protection, since the SAM secret would need to be known
> to the OS. THAT in turn means that userland apps
> (at least ones running as LocalSystem) should be able to
> find that same secret.
>
> I _know_ this is not a one-way thing, since SysKey actually
> asks you where to store the secret (password protected,
> on a floppy, or just plain).
>
> - Plain stored secret should be "easy" to find.
>
> - If someone enables password protection, it should still
> be possible to break the secret of the SAM secret using
> known plaintext attacks. We know that the original SAM._
> file begins with "MSCF" followed by four zero bytes.
> That's eight bytes of known plaintext.
> There's also a string "$$hive$$.tmp" later on that seems
> to be constant, which we should be able to use as known
> plaintext. (These are just the obvious ones)
>
> I'm going to go ahead and guess that the secret
> used to encrypt the SAM secret is an LMHASH of
> the given password.
>
> It could also be that the SAM secret is kept
> somewhere in RAM without the password scramble.
>
> - Floppy secrets could also be breakable; again, maybe
> they are loaded into RAM, or maybe the Admin just
> happened to leave the floppy in the drive :-P
>
> Maybe worth looking into?
> - I can't see myself doing it; it would take too much
> time for me given that I probably don't know enough about
> the NT kernel.
>
> /Mike
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
> Mobile: +46-(0)70-248 00 33
> WWW: http://www.enternet.se E-mail: mikael.olsson@enternet.se

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson@enternet.se
Received on Oct 09 1999