Re: Cain shows DefaultPassword in plain text - LASS writes it
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 05/20/05
- Next message: Imhotep: "Re: Security? Right."
- Previous message: clavigo_at_gmx.at: "Re: Cain shows DefaultPassword in plain text - LASS writes it"
- In reply to: clavigo_at_gmx.at: "Cain shows DefaultPassword in plain text - LASS writes it"
- Next in thread: clavigo_at_gmx.at: "Re: Cain shows DefaultPassword in plain text - LASS writes it"
- Reply: clavigo_at_gmx.at: "Re: Cain shows DefaultPassword in plain text - LASS writes it"
- Reply: clavigo_at_gmx.at: "Re: Cain shows DefaultPassword in plain text - LASS writes it"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 May 2005 17:04:29 -0400
Unless I'm mistaken, this is not really a vulnerability. Try to get your
wife's password when logged in as you, or try to get your password when
logged in as your wife. You already know your password, so someone running
with your privileges isn't gaining much with this trick.
Additionally, I'm guessing you are logged in as administrator, so that you
have the SEDebug privilege in order to attach to the LSASS process? Does
this work when you are not logged in as administrator? If not, then one way
to fix this, if you are still convinced it is a vulnerability, would be to
control who is an administrator and who has SEDebug privilege, because these
people have full control of your computer, with or without LSASS.
I've been told that the locally cached credentials are quite secure, much
more secure than the local SAM password hashes. The SAM password hashes are
generally not as strongly encrypted as the cached credentials. Unless I'm
mistaken, I also think that the cached information you are discussing is
encrypted with a secret encryption key that only your account has access to.
Windows should have no need to decrypt the credentials of other users, and I
am sure Microsoft is very aware of this fact.
I also don't believe there's any way to change this, this is just the way
Windows and other operating systems work. Your OS needs to cache your
credentials in some way so that you don't have to re-enter your password
every time you access a local or network drive, system or resource. If this
was as trivial to discover as you believe, I am confident the world would be
screaming about this.
I believe the book Hacking Exposed - Windows has a section on this, so you
might check that out as well.
If your wife is a power user, or an administrator, or has unrestricted
physical access to your computer or hard drive, then she already has the
ability to gain full access to your computer, whether it was running Windows
or Linux. Without physical security, there is no security.
<clavigo@gmx.at> wrote in message
news:1116606060.243077.19480@g14g2000cwa.googlegroups.com...
> I run Windows XP SP1 on a single user notebook (no domain account).
>
> Recently I did a few security checks and was shocked about Cain
> (www.oxid.it/cain.html) showing me the plain text of my top secret
> password which I only use on that notebook.
>
> After a couple of hours of google research and sysinternals-diagnostics
> I found that LSASS writes the following registry keys whenever I change
> my password:
>
> HKLM\Security\Policy\Secrets\DefaultPassword\CurrVal
> HKLM\Security\Policy\Secrets\DefaultPassword\CupdTime
> HKLM\Security\Policy\Secrets\DefaultPassword\OldVal
> HKLM\Security\Policy\Secrets\DefaultPassword\OupdTime
>
> I swear that autologon, which could be a reason for storing the
> password, was never enabled.
>
> Removing DefaultPassword and several other registry keys under
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon such as
>
> AltDefaultUserName
> DefaultUserName
>
> and setting restrictive security option, e.g., not showing the name of
> the last user who logged in did not help. All these keys were created
> again, together with DefaultPassword.
>
> Now I'm stuck. I do not want to have my password in decryptable form
> anywhere in the system, neither in the registry nor in any kind of
> "protected" storage.
>
> As soon as I type in my password the system should hash it and forget
> it.
>
> Any pointers on how to get rid of
> HKLM\Security\Policy\Secrets\DefaultPassword (beware this is not
> DefaultPassword under Winlogon)?
>
> Thank you
> Clavigo
>
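The thread above turns on two questions a defender would want to answer on a machine like Clavigo's: is autologon configured under the Winlogon key (the documented reason for a DefaultPassword secret to exist), and who on the box holds the debug privilege that lets a process attach to LSASS. The script below is an added audit example, not code from either poster or from the Cain project; it assumes Windows PowerShell 5.1 or later running in an elevated session, and it assumes the standard Winlogon value names (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword) and the secedit export format, which are not shown on the page. It reports only whether a plaintext password value is present, never its content. The function and variable names are the example's own.

```powershell
# Added audit example (not part of the original thread). Assumes an elevated
# PowerShell 5.1+ session on the machine being checked.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutologonStatus {
    # Reads the Winlogon autologon settings. Only the presence of a
    # DefaultPassword value is reported, never its value.
    $p = Get-ItemProperty -Path $Winlogon -ErrorAction Stop
    [pscustomobject]@{
        AutoAdminLogon     = $p.AutoAdminLogon          # '1' means autologon is enabled
        DefaultUserName    = $p.DefaultUserName
        DefaultDomainName  = $p.DefaultDomainName
        HasDefaultPassword = [bool]($p.PSObject.Properties.Name -contains 'DefaultPassword')
    }
}

function Test-LsaDefaultPasswordSecret {
    # HKLM\SECURITY is readable only by SYSTEM by default, so as a normal
    # administrator this returns $null ("could not read") rather than $false.
    try {
        Test-Path 'HKLM:\SECURITY\Policy\Secrets\DefaultPassword' -ErrorAction Stop
    } catch {
        $null
    }
}

function Get-SeDebugPrivilegeHolders {
    # Exports the local user-rights assignment with secedit and returns the
    # accounts holding SeDebugPrivilege (the right needed to attach to LSASS).
    $cfg = Join-Path $env:TEMP 'userrights-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }
    # The value is a comma-separated list; SIDs are prefixed with '*'.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }   # leave unresolvable SIDs as-is
        } else { $v }
    }
}

function Disable-Autologon {
    # Remediation: turn autologon off and remove the plaintext value under
    # Winlogon. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($Winlogon, 'Set AutoAdminLogon=0 and remove DefaultPassword')) {
        Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0'
        Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    }
}

# Usage
Get-AutologonStatus | Format-List
"LSA DefaultPassword secret present: $(Test-LsaDefaultPasswordSecret)"
"SeDebugPrivilege holders: $((Get-SeDebugPrivilegeHolders) -join ', ')"
# Disable-Autologon -WhatIf
```

On a default install the privilege list should come back as just the local Administrators group, which is Karl's point: anyone on that list can already read everything LSASS holds, so the list is what to control. The LSA secret itself lives under HKLM\SECURITY, which an ordinary administrator cannot read, so the second check only gives a real answer when run as SYSTEM; the Sysinternals Autologon utility stores the password in exactly that secret and clears it when autologon is disabled through the tool, which is the supported way to remove it rather than editing the Secrets key by hand.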