Re: two questions that need answering

From: Dan B (neo@redcell.fsnet.co.uk)
Date: 01/29/02


Date: 29 Jan 2002 12:39:30 -0000
From: Dan B <neo@redcell.fsnet.co.uk>
To: focus-ms@securityfocus.com



In-Reply-To: <B36C365832C90E47A37F4FFCDDEFC46D04F62C@hkisrv08.tw.fi>

The reason I ask about syskey is that I found the following in the LC3 helpfile:

SAM File
On systems that do not use Active Directory, or SYSKEY, you may obtain password hashes directly from a password database file stored on the system -- the SAM file.

Note: this approach will not allow you to obtain password hashes from most Windows 2000 systems, as Windows 2000 uses SYSKEY by default. SYSKEY was introduced in Windows NT Service Pack 3, but was not turned on by default, so SAM access works on Windows NT systems unless SYSKEY was explicitly turned on. SYSKEY provides an additional layer of encryption to stored password hashes. Interestingly, you can't tell by looking at the SAM or at password hashes it contains whether they've been encrypted with SYSKEY or not. LC3 cannot crack SYSKEY-encrypted password hashes. This implies that if you do not have access to at least one administrator account on a Windows 2000 machine, you cannot obtain the password hashes required to run LC3. In such cases, you may benefit from a password reset utility.


