SAM and SYSKEY on Vista

Printable View

June 14th, 2006, 10:36 PM
Irongeek

SAM and SYSKEY on Vista

Hi all. A lot of the old tools no longer seem to work. If I copy the SAM and SYSTEM hivesoff of a Vista box none of the tools that should allow dumping of the hashes work. SamInside does not complain, but the hashes it gives I know are wrong. Cain says "Couldn't find LSA subkey int he hive file" when I try to extract the Syskey from the SYSTEM hive. Both the Windows and Linux version of Ophtcrack give me a message: "Error: no valid hash was found in this file". Anyone else play with this yet? I can email a Vista SAM and Syskey file if you want to test it yourself.

By the way, Sala's PassWordRenew tool sill works for creating new admin accounts.
June 15th, 2006, 12:19 AM
NeuTron

Thats good news. I would hope that Microsoft has made it more difficult to get the PW Hashes. Did PWDump have any luck with it?
June 15th, 2006, 02:25 AM
Irongeek

Nope, I've not tried PWDump, but the lsass attack Cain does does not work anymore.
June 15th, 2006, 03:52 PM
brokencrow

How about ERD Commander? Their password feature still work?
June 15th, 2006, 03:57 PM
Irongeek

I don't have a copy of ERD so I can't test it.
June 15th, 2006, 05:08 PM
Cemetric

I've tested ERD 2005, it let's you change the password and displays it as a success ...But once you try to login with the changed password, it doesn't work ... Since I did it because I forgot my old password I can't say if the old password still works ... :P.

.C.
June 16th, 2006, 02:10 PM
pcllwftdtm

What im more concerned about is the WinFS (even if its not shipping with Vista). Im told only their high end products will allow Disk encryption. Logically the Decryption Key, or hash, will have to be stored outside of the encrypted space. Does anyone know if this current version allows for Disk encryption, and better yet, has any one found a way to break it? Other wise, Law enforcment is going to have a hard time soon.
June 16th, 2006, 02:11 PM
pcllwftdtm

And by "this version" i mean the public Beta
June 16th, 2006, 02:17 PM
Irongeek

The "Whole Disk Encryption" is already there in the beta, it's called BitLocker. Bit of a pain to get to work if you have already installed the OS, but it's there to be played with.
June 16th, 2006, 02:52 PM
Spyrus

Since I dont know a whole lot about the BiLocker technology and what I have just read didnt fully answer my questions.

Lets say you have it running and your OS takes a crap... Can you read the Hard drive slaved on another PC? Or does it synch with the S/N on your BIOS? Is it similar to what XBOX does with their hard drives by just putting a lock on it?

I understand it has more functionality than that and more options but I am curious how this will affect users who don't know enough to keep a copy of the key or lose it.
June 16th, 2006, 03:00 PM
pcllwftdtm

I would hope that the bios does not do the decrypting. (for security purposes). I would hope that the whole encryption/decryption proccess requires a running vista OS. So maybe you'd boot off of the Vista disk, and use their repair tool, and in there you could onlock the disk.

In any case, all of this could just be solved by me getting the silly beta and spending a weekend playing around.
June 16th, 2006, 03:09 PM
nihil

It seems to be quite comprehensive, allowing for deployment in different scenarios.

This is the technical overview (sorry it is rather long) Section 5 deals with recovery procedures.

http://www.microsoft.com/technet/win...ech.mspx#ERMAE

I am not sure how different data recovery would be from a dodgy drive?

:(
June 16th, 2006, 03:18 PM
Irongeek

My understanding is it has three modes. From:
http://www.microsoft.com/technet/win...4d762cf31.mspx

Quote:

TPM-only. This is transparent to the user, and the user logon experience is unchanged. However, if the TPM is missing or changed, BitLocker will enter recovery mode, and you will need a recovery key or password to regain access to the data.
â€¢

Startup key. The user will need a startup key to log on to the computer. A startup key can either be physical (USB flash drive with a machine-readable key written to it) or personal (a PIN set by the user).

BitLocker also has a mode for non-TPM systems:
â€¢

USB Flash Drive key. The user inserts a USB flash drive in the computer before turning it on. The key stored on the flash drive unlocks the computer.

I've only tested the USB key version. If you have your USB key still ( or know the very long pass code you can set up when BitLocker is put on a drive) you should be able to read it in another location.

My unserstanding it that if you have the code, you can get into it on any other system so print out the a paper copy of the recovery key. :)
June 16th, 2006, 03:23 PM
pcllwftdtm

You guys are most excellent, thanks for the info!
June 16th, 2006, 03:49 PM
tin.roof.rabbit

Quote:

1. Abstract

This paper provides a brief technical overview of BitLocker™ Drive Encryption, an exciting new data protection feature in Microsoft Windows Vista™. Its primary aim is to offer insight into the feature’s lifecycle for advanced users and IT administrators who want to learn what BitLocker Drive Encryption is and how it addresses a growing data protection issue: the unwanted disclosure of confidential information -- through, for example, physical loss or theft of the computer.

This paper assumes that readers understand Trusted Platform Model (TPM) technology. For background information on TPM technology, refer to the specifications and materials maintained on the Web at http://www.trustedcomputinggroup.org/.
Top of pageTop of page
2. Overview

BitLocker™ Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate for client computers and in Windows Server "Longhorn". BitLocker is Microsoft’s response to one of our top customer requests: address the very real threats of data theft or exposure from lost, stolen or inappropriately decommissioned PC hardware with a tightly integrated solution in the Windows Operating System.

Bitlocker is a only available in versions of Vista that are targeted to those who are either being administered or have an administrative skill set (enterprise and ultimate). Hopefully in both cases the keys are backed up. Ideally since both products are intended to be used with AD the administrators have the Group Policy set so that if BitLocker is enabled all passwords and keys are being stored in AD.

You should be able to use the devices password to mount the dodgy drive to another machine and pull data off. Since Bitlocker is only encrypting the file structure you shouldn't have to do any extra steps like naming the machine you are attempting to recover from the same as the name as the machine you are recovering (like we currently have to do with Compusec).