Focus on Microsoft
Relative Security Provided by Cached Domain Credentials? May 07 2004 01:05PM
Zack Schiel (ZSchiel blueandco com) (1 replies)
Re: Relative Security Provided by Cached Domain Credentials? May 08 2004 09:18AM
Joshua Feek (jfeek yahoo com au) (1 replies)
Re: Relative Security Provided by Cached Domain Credentials? May 11 2004 06:01PM
Nicolas RUFF (lists) (ruff lists edelweb fr)
> triple DES from memory
>
>>On a related note to part of the discussion in the
>>'Restricting change of local admin' thread, does
>>anyone know of a non-brute force way to break the
>>encryption on cached domain credentials? Local
>>accounts are easily modified or reset, but I'm not
>>aware of any similar exploits for cached domain
>>credentials. Given that EFS' effectiveness to
>>secure laptop-stored data in a domain environment
>>lives and dies by the security of the cached
>>credentials, I'm curious to know just *how much*
>>more secure they are.

Hi,

About EFS:
-----------

- EFS encryption is 3DES (unless you have a restricted export version of Windows), with a random FEK
(File Encryption Key) for each file.
- FEK is encrypted with RSA, using the EFS User Certificate (Public Key).
- Eventually, the user Private Key is encrypted with his Windows Password.

So if you know the user password, you can decipher all EFS encrypted files. See "Advanced EFS Data
Recovery" tool from ElcomSoft: http://www.elcomsoft.com/aefsdr.html

About Cached Logons:
---------------------

Cached logons are stored in LSA Secrets and NL$ hidden keys. Basically, it is a salted hash:
NTLMHash( username + NTLMHash(password) ), so you have to brute-force. The salt key is the username,
so if you have N accounts to crack, it takes N times the time to crack one account.

Since this attack is very time-consuming and has little chance to succeed if user password > 6
chars, there is no public exploit available. Hint: get an IDA Pro license if you want to know more :-)

-nicolas-
