Penetration Testing mailing list archives
RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords"
From: "Dufresne, Pierre" <PIERRE.DUFRESNE () MESS GOUV QC CA>
Date: Fri, 14 Oct 2005 19:07:47 -0400
Hi Chris,

I also agree that BIOS passwords are usually trivial to get rid of. We also have multiple brands/models which all have different ways to set this kind of password. With SYSKEY, the method would be standard across all our models of laptops. And since the user needs to provide another password in both cases, it might as well be a SYSKEY password.

Resetting passwords in the SAM will not help you when SYSKEY is in mode 2 because it will ask for the SYSKEY password before getting to the logon screen.

I don't want to believe that it is game over if an attacker gets physical access to one of my laptops. EFS with XP SP2 uses AES as the encryption algorithm, which I believe is pretty strong. I am not an expert, but I think that if you protect the passwords/keys/credentials with something like SYSKEY, you will give the attacker a much harder time.

If anyone has any idea on how to defeat the combination I suggested, please let me know.

Thanks

-----Original Message-----
From: Chris Clymer [mailto:cclymer () gmail com]
Sent: 13 October 2005 00:38
To: "lists AT dawes DOT za DOT net"@smtp.enginuiti.com; pen-test () securityfocus com
Subject: Re: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rogan Dawes wrote:
[The original poster seemed to be concerned about the laptop being stolen]

As I said, by using SYSKEY with a password-on-boot, I was hoping to protect the cache entries stored on the laptops. Without the SYSKEY password, the machine won't boot, so an attacker could not dump the cache (CacheDump) or get access to the LSA (LSADump2). I also assume that booting with another OS would not give the attacker access to the EFS files because AES is pretty strong, the cache entries are encrypted with a secret (NL$KM) which is stored in the LSA, and the LSA is not accessible because the system key is protected by a password which is not stored locally anymore. I don't assume my reasoning is foolproof, I just want to make sure deploying SYSKEY with a password-on-boot will render our laptops harder to penetrate.

Have you thought about implementing a BIOS password on the hard drive? Granted, there is no mechanism for locking out passwords, but I don't think that there are too many BIOSes that would allow you to automate a brute force attack... As far as I know, there is no method to override the hard drive password once it is set... (although maybe reformatting the whole disk might have some effect)

Regards,

Rogan
BIOS passwords are trivial to get rid of for an attacker with physical access to the machine. Just need to clear the CMOS. Every board has its own method; there can be a jumper to be set, or yanking the battery. Google is sure to reveal the right method for any model of laptop.

As far as EFS... I believe it is tied into the standard Windows authentication. I seem to recall (from these lists?) that it just uses the user's login password from the SAMS file to encrypt. If you can boot another OS (after getting around the BIOS password) you can get to the SAMS, which means game over. I did read a few things about putting your EFS key onto a floppy or other removable media. I'm not sure if this takes care of these other vectors in XP or not. It was clear that in Win2k the administrator user always maintains the ability to read EFS files... and as mentioned, reading and changing the SAMS from a live disk is trivial.

It is best to assume that if an attacker gets physical access in any situation, it's game over. Does that sensitive data need to be on a laptop where it's out of your control and often in harm's way? Why not keep it on a company server and only allow access through a secure VPN?

I'm working on a paper about a much different way of preventing these kinds of attacks. Mine is mostly aimed at recovering a stolen laptop, but it uses a lot of misdirection which could be useful for hiding sensitive data. The method is to prompt the user with a standard login screen, and have a bad password fail into booting a "fake" install which runs in emulation. As far as the attacker is concerned, they are inside a standard Windows install, and hopefully look around a bit at interesting things we have left lying around. Underneath this emulated Windows is another OS, such as Linux, which is running various scripts to log the attacker's keystrokes, his activities, and to dial home with as much information as possible should he connect to the internet.
- --
Chris Clymer - Chris () ChrisClymer com
PGP: E546 19B6 D1EC 47A7 CAA0 8623 C807 398C CD27 15B8

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDTeSzyAc5jM0nFbgRAkueAJ4992RFKqIopCSjGqn984RZ8kHM4gCfSeH4
t0NtsHCnSzmk4BvoLNIa/i8=
=208N
-----END PGP SIGNATURE-----
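The thread turns on whether a laptop is actually running SYSKEY in mode 2 (password-on-boot) and whether the sensitive files are really EFS-encrypted. Below is an added example, written for this archive page and not code from any of the posters, of a PowerShell audit an administrator could run before trusting a laptop's configuration. It assumes that the SecureBoot value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa records the SYSKEY mode as 1 (key stored in the registry), 2 (password at boot) or 3 (key on removable media), which is how Microsoft's SysKey documentation describes it to my recollection; that mapping, the function names and the default scan root are assumptions of this example.

```powershell
# Added example: audit SYSKEY startup mode and look for EFS-encrypted files.
# Assumption: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot holds the
# SYSKEY mode (1 = key stored locally, 2 = password at boot, 3 = removable media).
function Get-SyskeyMode {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SecureBoot -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return 'unknown: SecureBoot value not present' }
    switch ($lsa.SecureBoot) {
        1 { 'mode 1: system key stored in the registry (recoverable offline)' }
        2 { 'mode 2: password-on-boot, key not stored on disk' }
        3 { 'mode 3: system key stored on removable media' }
        default { "unexpected SecureBoot value $($lsa.SecureBoot)" }
    }
}

# Enumerate files carrying the NTFS Encrypted attribute (EFS) under a root.
# Default root is an assumption; on XP the profiles live under
# 'C:\Documents and Settings'.
function Get-EfsEncryptedFiles {
    param([string]$Root = 'C:\Users')
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object -ExpandProperty FullName
}

# Report: a mode-1 result means the discussion's protection is not in place,
# and zero EFS files means the data is not encrypted at rest at all.
$mode = Get-SyskeyMode
$efs  = @(Get-EfsEncryptedFiles)
Write-Output "SYSKEY: $mode"
Write-Output "EFS-encrypted files found: $($efs.Count)"
if ($mode -notlike 'mode 2*' -and $mode -notlike 'mode 3*') {
    Write-Warning 'System key is stored locally; an offline attacker can recover the SAM and LSA secrets.'
}
```

Run it from an elevated PowerShell prompt; reading the Lsa key and walking other users' profiles requires administrator rights, and the file walk can take a while on a large drive.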
Current thread:
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 03)
- Re: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords" Thor (Hammer of God) (Oct 03)
- <Possible follow-ups>
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 15)
- RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords" Dufresne, Pierre (Oct 15)