Re: Syskey
From: Nicola Cuomo (ncuomo@studenti.unina.it)
Date: 09/07/02
- Previous message: HalbaSus: "Windows XP authentification"
- In reply to: Michel Arboi: "Syskey"
Date: Sat, 7 Sep 2002 00:38:24 +0200
From: Nicola Cuomo <ncuomo@studenti.unina.it>
To: Michel Arboi <arboi@yahoo.com>
Hi,
I was studying the same subject some time ago in the free time between
exams.
An interesting thing to note is that Syskey.exe, if you change the way
the bootkey is stored, during the generation of the new bootkey use
these functions
SamiGetBootKeyInformation and
SamiSetBootKeyInformation
Imported from SAMLIB.DLL
I've not reverse engineered these functions but the names look
promising ^_^;
From the RAZOR paper - Windows NT's SYSKEY feature (December 16, 1999)
I've deduced that, given the bootkey, restoring the non-syskeyed hash
is a matter of applying RC4. (maybe just a wrong inference ^_^;;)
Moreover I've tried to contact Dmitry Andrianov to get the SAMDUMP source
code but he still hasn't replied to my email (waiting ^_^).
When the key is stored in the registry (when you select the option to
store the bootkey locally) it seems that its value is stored
obfuscated in the following registry keys - value:
SYSTEM\CurrentControlSet\Control\Lsa\DATA - Pattern
SYSTEM\CurrentControlSet\Control\Lsa\GBG - GrafBlumGroup
SYSTEM\CurrentControlSet\Control\Lsa\JD - Lookup
SYSTEM\CurrentControlSet\Control\Lsa\Skew1 - SkewMatrix
If this is true (I've only seen Winlogon.exe working on those keys
during the login, as also do Syskey.exe and LSASRV.DLL) and the
obfuscation function is reversed, a serious security bug would be that
the ACL for these registry keys allows normal user access, making Syskey
useless.
Still researching....
I know that my English is heavily broken; I only hope it's somehow
readable ^_^;;;;
Bye.
-- Nicola mailto:ncuomo@studenti.unina.it
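A defender's check for the ACL concern raised in the message above, added here as an example and not part of the original post: it reports any principal other than SYSTEM and the local Administrators group that holds query rights on the four Lsa subkeys named in the mail. The subkeys are assumed to live under HKLM, and the baseline of expected principals is an assumption.

```powershell
# Added example (not from the original post): audit who can read the four
# Lsa subkeys the message names. Run from an elevated PowerShell prompt.

$base    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$subkeys = 'JD', 'Skew1', 'GBG', 'Data'

# Assumption: only SYSTEM and Administrators are expected to read these keys;
# any other principal with query rights is reported for review.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

foreach ($name in $subkeys) {
    $path = Join-Path $base $name
    if (-not (Test-Path $path)) {
        Write-Warning "$path not present on this system"
        continue
    }
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # QueryValues is the right needed to query a key's data (and is part
        # of ReadKey and FullControl), so test for that bit explicitly.
        $queryBit = [System.Security.AccessControl.RegistryRights]::QueryValues
        $canQuery = ($ace.RegistryRights -band $queryBit) -ne 0
        if ($canQuery -and ($expected -notcontains $id)) {
            [PSCustomObject]@{
                Key       = $name
                Principal = $id
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

An empty result means only the expected principals can query the keys; any row listed is an ACL entry worth comparing against your baseline, with the Inherited column showing whether it came from the parent Lsa key.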