March 11th, 2008, 05:14 PM
No............. and who mentioned EFS............. like that is file encryption, rather than a straight password. There is such a thing as :
What if they have used EFS? Isn't the only way to access the files by having the original password?
Sorry to have to type in crayons old chap
March 14th, 2008, 12:20 AM
If you have proper authority you do not need to do this.
Idiot boy, when you have learnt enough to graduate from your PC repair job and moved into something slightly more technical, like IT security, you would know that this is not 100% true.
Nonsense! If you have obtained the password hash then the system has been penetrated.
Think Tiger/red team style Pen tests - but I don't expect an A+ PCworld techie to know much about what these are, however, I do suspect that even you may be able to use Google to find out.
I'll try and be as descriptive as I can and spell out one method (yes there are other ways too) of doing a tiger team attack that I do almost daily (sorry can't do pictures on here); You're doing a tiger team test, you're on a customer site and in front of the work station, you have no local account or domain account but you need to get domain admin in less than 20 minutes or the customer gets their money back and your job goes on the line - what are you going to do.......you're going to boot into a live CD, say backtrack2 or Ophcrack, you're going to navigate your way to the SAM, you're going to bkhive and samdump the SAM, you're going to obtain the hash.....great, by your logic you now own the system, so you copy the hash to your pen drive, take your CD out and reboot......now you have the Windows logon screen.......what you going to do now then Mr A+.......type the hash in to the logon prompt and wonder why the hell it won't let you log on...hey in your words you have the hash so you own the system right??........no, you're going to run the hash through the set of rainbow tables, then three minutes later obtain the plain text password, you're going to log on as the local admin.....then you're going to look for cached domain hashes, if you have these agreed, you may not necessarily need to crack them and can use the actual hash to move around the domain.....so say you log on to a box with a stolen domain user's hash and you run a 'whosthere' and find out the domain admin is logged on, great you got the domain admin hash so you own the domain. Now you write your report and say yep we got the domain admin account.....they say great prove it, what's our password....and you say....oh well I don't actually know the password but I can read out your hash.........
Also I wouldn't expect you to know that rainbow tables can be used for more than just running a Windows LM password hash through them (You do know what LM is don't you?)
And that just because you have a local admin password hash does not mean the entire system has been compromised - there is more work to do - there could be a multitude of third party apps that the local admin password is useless for, likewise you are not necessarily going to get a domain account just because you have a local admin password - (although you would have to be having a bad day if you didn't) - and it certainly does not mean the domain has been compromised either - yes you could use pass the hash or similar if you manage to get the domain admin's hash, however as previously mentioned nothing impresses a customer more than telling them what their domain admin password is when writing their audit report. (but Pen test report writing is waaay beyond an A+ technician)
And just when I thought you couldn't get any more stupid, you go and prove me very wrong.
Now that really is pathetic! This is the kind of snake oil I would expect from wannabe "security consultants".
It might have occurred to some here that if you "discover a weak password" you have just closed the stable door after the horse has bolted.......... you are already compromised............and you don't need to be a rocket scientist to figure that one out?
If you actually believe in passwords, other than as a means of allocating blame, you would set a policy and enforce it on password generation. You would know that your system enforced your policy, and that auditing it, is a totally spurious exercise.
Of course rainbow tables are only used to crack Windows passwords and nothing else, and all these Windows boxes are on a domain, and all these domain admins know how to use a GPO to set a password policy, and the password policy is great because the domain admins know what constitutes a decent password, and a decent password that is over 8 characters comprising at least one capital letter, one lower case letter, one numerical character and one special character is what this great password policy is going to enforce, and due to this great password policy being in place it is going to take ages to brute force/dictionary attack a password hash with JTR because there is no such thing as rainbow tables to throw an LM hash through and get the plain text password in two minutes is there...oh wait... yes there is..oh and looky here the great password policy did nothing to address the weaknesses of LM...what do you mean the system administrator has no idea what is wrong with using LM and even less of an idea on how to disable it...or that if he did disable it the LM hash is still cached regardless....so this great password policy is superb and the box is now secure due to it...... because as we all know rainbow tables are useless and no one uses them except criminals and skiddies....hmm ever wonder why you're still a PC technician....
What rainbow tables are / how to create them / how to use them / the benefits of having them / the perils of enabling LM (Google it), that having the best password policy in the world is absolutely useless if you still have cryptographically (big word I know, Google it) weak algorithms (best Google this one too) that encrypt the password - the list goes on
Ummm, yes, well......................
"Learning" what exactly?
I use them every day during pen tests (read above to see what I mean by Pen Tests) and I have yet to meet a pen tester who does not use them regularly.
They are not freely available to the 'criminal and skiddie communities' as you put it - but rather they are free to anyone who needs them.
Which, by definition, includes the criminal and skiddie communities.
And I would dearly love to know who, with honest intentions, actually "needs them"?
Obviously having them freely available to everyone includes criminals and skiddies.......having the Internet freely available to everyone means criminals and skiddies can also use that........hell let's say the Internet is stupid and should be closed down as well shall we.....
Sheesh, AO's #1 moderator at his best......again.
Last edited by Nokia; March 14th, 2008 at 11:02 AM.
March 14th, 2008, 12:26 AM
So perhaps you can explain where the encryption key comes from for Windows EFS then Nihil.....
What if they have used EFS? Isn't the only way to access the files by having the original password?
No............. and who mentioned EFS............. like that is file encryption, rather than a straight password.
To save you a Google I will tell you: it is the user's password....oh wow look at that, if I know the user's password maybe, just maybe I can decrypt the EFS protected file! Wow! But hey that's file encryption and has nothing to do with the password does it....
Of course you also know that the local admin password can by default decrypt all user encrypted EFS files on a non domain work station...and you also know that the domain admin can by default decrypt all user encrypted EFS files on any work station in the whole domain......but hey, we don't need passwords do we, as this is file encryption, nothing to do with passwords.....
March 14th, 2008, 02:16 PM
That's exactly why I raised the topic of EFS. I was referring to a stand alone system as I'm not familiar with what happens in a domain environment. If files have been encrypted on a local PC using EFS and the owner has "forgotten" his password, he's not able to access them until the original password has been recovered. Of course, I'm aware that there's a whole discussion about whether the "owner" is actually the owner of the PC/files/password but that's straying somewhat. It remains a fact that the EFS encrypted local files are inaccessible (for legitimate or other reasons) without the password.
Originally Posted by Nokia
I didn't respond earlier as it appeared that I had my knuckles tapped by Nihil :-)
March 14th, 2008, 02:50 PM
Well, I could see the reasoning behind your post, as could probably 70% of the other folks who read your post and knew that it was relevant to the topic being discussed.
However some of the mods here only like to pretend that they know what they are talking about and certain moderators like to talk down to people they see as below them in an effort to make themselves feel a tad more superior.
But hey, as we all know, when half the membership says the moderators' attitudes are what is driving folks away from AO we are all told that they aren't and that they are doing a wonderful job. Well I could point out at least two posts by a certain moderator that epitomize the fact that at least one of them doesn't know his arse from his elbow and should stick to swapping memory sticks out of people's PCs for a living.
Hey Nihil, maybe you should be more P_R_O_F_E_S_S_I_O_N_A_L
(sorry no fuzzy felt available to spell it out for you) and just STFU when you plainly don't have a clue what you're talking about, and stop trying to belittle those who do.
Oh, and I also think you owe Ignatius an apology for your pretty damn rude reply to a post that raised a very good security issue that you were too ignorant and naive to realise.
Last edited by Nokia; March 16th, 2008 at 09:00 PM.
March 14th, 2008, 02:56 PM
Originally Posted by Nokia
After reading the information in this thread, I have used "How EFS Works" as a search string in Google. I have no knowledge or experience on EFS, so pardon me if my interpretation of what I read is incorrect. With that said,
"When you save a file to be encrypted, a random cryptographic generator supplies a unique file encryption key (FEK), which is a fast symmetric key designed for bulk encryption. The FEK encrypts the data in blocks. EFS adds a header to the file, where the FEK is stored".
"EFS keys are protected by the user's password. "
So if my understanding is correct, File Encryption Key comes from a Cryptographic Generator. The Keys are protected by the User's Password. So is it correct to say, that the encryption key comes from the user's password?
Thanks in advance, if anyone takes time to explain this.
March 14th, 2008, 03:08 PM
**** Nokia... Tell us what you really think!
However, if we wish to discuss Enabling LM - I do.
Running 2003AD in Mixed Mode Muther#$%#^ Legacy applications!!!!!
No matter what Linux Distro I try, File Sharing is just a pain in the ass. Reason being my quest to prove a windows shop can move to a Unix shop and have the same point and click ease as windows.
AH that's a whole other discussion.
March 14th, 2008, 03:45 PM
Sorry pal, I was speaking in general terms when I made my previous post - but loosely speaking:
So if my understanding is correct, File Encryption Key comes from a Cryptographic Generator. The Keys are protected by the User's Password
The File Encryption Key (FEK) is what is used to perform the actual encrypting and decrypting of the files. However, obviously Windows needs some way to protect the FEK due to its importance. To achieve this Windows used the current user's private key to encrypt the FEK.
The private key is itself encrypted using a hash of the user's password and actual user name and a salt (in Windows XP and later only I believe) - this is where all the aggro about changing user names and passwords impacting on EFS comes from.
So when a user logs on and wants to open an encrypted file, behind the scenes the user's private key is decrypted, then this is used to open the FEK and then the FEK is used to open the encrypted file. (Another argument against a previously made statement that once you have the user's password hash you own the system).
There is more to it than this such as the Data Recovery Agent (DRA) can also decrypt the FEK without needing the user's password or private key - by default the DRA is the local administrator on a non domain work station or the domain administrator on a domain work station - so logging on as one of these accounts will allow you to read any EFS encrypted file on that system.
Also the way the files are encrypted also exposes the file in plain text to any forensic tool such as dskchecker.exe that comes with the Windows 2000 res kit - the file is copied to a temp file, encrypted, the original file is deleted (in plain text format) and the encrypted one is copied across in its place - hence the deleted plain text file is still viewable by anyone who can view a raw image of the hard drive - easy to do if you know the local admin password (dare I say it, you need more than just the local admin's password hash...)
Hope it helped a tad.
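The key chain described in the post above (password, then private key, then FEK, then file, with a second FEK copy for the DRA), modelled in Python as an added example that is not part of the original thread and is not Windows' own code. Assumptions: PBKDF2 and an HMAC-based toy wrap stand in for the real derivation and ciphers, random symmetric secrets stand in for the user's and DRA's private keys, and all names and passwords are constructed.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def wrap(key, secret):
    # Toy authenticated wrap (keystream XOR plus tag); a stand-in, not EFS's real algorithms.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def password_key(user, password, salt):
    # Assumption: PBKDF2 models "hash of password, user name and salt" from the post.
    return hashlib.pbkdf2_hmac("sha256", (user + ":" + password).encode(), salt, 100_000)

def encrypt_file(plaintext, user_key, dra_key):
    fek = os.urandom(32)                      # random per-file key, never derived from the password
    return {"user_fek": wrap(user_key, fek),  # header copy for the file owner
            "dra_fek": wrap(dra_key, fek),    # header copy for the recovery agent
            "data": wrap(fek, plaintext)}

def decrypt_file(f, slot, key):
    return unwrap(unwrap(key, f[slot]), f["data"])

def demo():
    salt = os.urandom(16)
    user_key, dra_key = os.urandom(32), os.urandom(32)   # stand-ins for the private keys
    protected = wrap(password_key("alice", "Constructed-Pass1", salt), user_key)
    f = encrypt_file(b"quarterly figures", user_key, dra_key)
    # Normal logon: password unlocks the private key, which unlocks the FEK, which opens the file.
    owner = decrypt_file(f, "user_fek", unwrap(password_key("alice", "Constructed-Pass1", salt), protected))
    try:  # a different password (e.g. after a forced reset) cannot unlock the stored private key
        unwrap(password_key("alice", "Reset-By-Admin1", salt), protected)
        reset_ok = True
    except ValueError:
        reset_ok = False
    recovered = decrypt_file(f, "dra_fek", dra_key)      # DRA path needs no user password
    return owner, reset_ok, recovered
```

The model shows why a standalone machine without a usable recovery agent key loses EFS data when the password is lost, and why the DRA account deserves the same protection as the data itself.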
March 14th, 2008, 06:34 PM
It seems that I'm caught in some cross-fire ... I'll keep my head down!
Thanks Nokia for the fascinating insight into how this works. This is, after all, a security forum and it's good that newcomers (like me) have such information presented with clarity as a springboard into googling for further details.
March 14th, 2008, 07:00 PM
No problem - hope it helped you - you should come join this site when you get chance - moderators are much more helpful (and actually know what they are talking about)