Re: Relative Security Provided by Cached Domain Credentials?

From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 05/11/04

Date: Tue, 11 May 2004 20:01:35 +0200
To: focus-ms@securityfocus.com

> triple DES from memory
>
>> On a related note to part of the discussion in the
>> 'Restricting change of local admin' thread, does
>> anyone know of a non-brute force way to break the
>> encryption on cached domain credentials? Local
>> accounts are easily modified or reset, but I'm not
>> aware of any similar exploits for cached domain
>> credentials. Given that EFS' effectiveness to
>> secure laptop-stored data in a domain environment
>> lives and dies by the security of the cached
>> credentials, I'm curious to know just *how much*
>> more secure they are.

Hi,

About EFS:
----------

- EFS encryption is 3DES (unless you have a restricted export version of Windows), with a random FEK (File Encryption Key) for each file.
- The FEK is encrypted with RSA, using the EFS User Certificate (Public Key).
- Finally, the user's Private Key is encrypted with his Windows Password.

So if you know the user password, you can decipher all EFS encrypted files. See the "Advanced EFS Data Recovery" tool from ElcomSoft: http://www.elcomsoft.com/aefsdr.html

About Cached Logons:
--------------------

Cached logons are stored in LSA Secrets and NL$ hidden keys. Basically, it is a salted hash: NTLMHash( username + NTLMHash(password) ), so you have to bruteforce. The salt key is the username, so if you have N accounts to crack, it takes N times the time to crack one account.

Since this attack is very time-consuming and has little chance to succeed if the user password is > 6 chars, there is no public exploit available. Hint: get an IDA Pro license if you want to know more :-)

-nicolas-


