SYSKEY... what is it?

Printable View

June 14th, 2003, 12:18 AM
unhappyStar_7

SYSKEY... what is it?

can anyone provide more information on SYSKEY... I've been recently asigned to administer NT & win2k machines. Security is my biggest concern. I've been having problems w/ a certain user. How can I turn on SYSKEY on NT ser. pack. 6. 2000 uses it by default. Should I still install another authentification software or is syskey enough. Is it crackable by L0pth crack? Can you inject new accounts/pwds into the SAM hash w/ syskey enabled?

More on a personal note... I've been trying to avoid working w/ windows since I understood the underlying philosophy of open source but i gotta pay rent so please help
June 14th, 2003, 12:25 AM
jaguar291

SYSKEY was an optional feature added in Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks so that the SAM database would still be secure even if someone had a copy of it. However, in December 1999, a security team from BindView found a security hole in SYSKEY which indicates that a certain form of cryptoanalytic attack is possible offline. A brute-force attack then appeared to be possible.

Microsoft later collaborated with BindView to issue a fix (dubbed the 'Syskey Bug') which appears to have been settled and SYSKEY pronounced secure enough to resist brute-force attack.

Source: http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?SYSKEY

There you go.. but just to add a lil' comment... if you've been apointed to an admin of Win NT & 2000 machines and you don't know what SYSKEY is, I recommend that you start reading a LOT.

- Cheers,
jag291
June 14th, 2003, 12:47 AM
unhappyStar_7

to my understanding ... SYS key encrypts the sam AGAIN and stores the result on a floppy or somwhere localy... ok sounds reasonable... if you get sam and you don't have the 2nd hash you cannot decrypt...

but here's where the problem is... i turned on SYSKEY at my 2000 machine at home and then put the pwd in the default dictionary for L0pth crack and it found my pwd in 1 second... so were is the extra protection
June 14th, 2003, 12:54 AM
jaguar291

Yea.. that's M$ for you... and after looking at more sources .. I found out that it can be easily cracked using L0pht and the source below has a lot of good information:

http://www.informit.com/isapi/produc...tent/index.asp

That should keep you busy securing your SAM.
June 14th, 2003, 03:42 AM
Maestr0

Syskey is a master key which is used to encrypt the SAMs and the LSA(Local Security Authority- which caches sensitive security data) which the system will not boot without. Only aministrators can run syskey.exe which manages the security level at which the syskey runs.
Level 1-(Default) Key is pseudo-randomly generated and resides on system,allows unattended re-starts
Level 2-Uses a pseudo-randomly generated key and stores the key on a floppy.
Level 3-Uses a specified key and a an MD5 hash of the key is stored on the system and compared to a password entered by a user physically before the initial boot sequence.
If you do not have the key it will render the system unbootable. (You might make it run again but it wont be pretty) Hope that helps you out, and I agree jaguar, you better start reading alot! :)

Cheers,
Maestr0