Microsoft Windows 2000 EFS Vulnerability

Quoted verbatim from James J. Grace's paper "Windows 2000 Encrypting File System (EFS) Vulnerability" released July 25, 1999:

For member servers or workstations do the following:
- Install a second (parallel) copy of Windows NT 2000 onto the computer system. If there is not enough hard disk space, use a third-party utility to delete unneeded files to make space. Install this copy into, say, c:\winnt2.
- Boot the computer to the copy of NT installed in the c:\winnt2 directory.
- Using Windows Explorer, locate the c:\winnt\system32\config directory.
- Make a backup copy of all the files located in c:\winnt\system32\config.
- In the c:\winnt\system32\config directory, locate and delete the SAM and SAM.LOG files.
- Shut down and reboot the computer into the c:\winnt directory (this is the original server's installation).
- At the logon screen, press CTRL+ALT+DEL.
- Enter Administrator for the user name.
- Press the Enter key for the password (no password).
- The system now logs you on as Administrator.
- Using Windows Explorer, locate the encrypted files and open them. EFS will automatically decrypt the files for you.
- At this point you are able to access all files, encrypted or plaintext, on the server.

For Active Directory Services Domain Controllers do the following:
(For the purpose of this discussion, assume Windows NT 2000 was installed into c:\winnt.)
- Install a second (parallel) copy of Windows NT 2000 onto the computer system. If there is not enough hard disk space, use a third-party utility to delete unneeded files to make space. Install this copy into, say, c:\winnt2.
- Boot the computer to the copy of NT installed in the c:\winnt2 directory.
- Using Windows Explorer, locate the c:\winnt\system32\config directory.
- Make a backup copy of all the files located in c:\winnt\system32\config.
- In the c:\winnt\system32\config directory, locate and delete the SAM and SAM.LOG files.
- Shut down and reboot the computer.
- As NTLDR boots and the BOOT.INI menu is presented, press the F8 key to boot the server into Safe Recovery Mode.
- Select Active Directory Services Recovery from the menu.
- Select the original server installation.
- The system will now boot into safe mode.
- At the logon screen, press CTRL+ALT+DEL.
- Enter Administrator for the user name.
- Press the Enter key for the password (no password).
- The system now logs you on as Administrator.
- Using Windows Explorer, locate the encrypted files and open them. EFS will automatically decrypt the files for you.
- At this point all data on the server has been compromised.

Copyright 2010, SecurityFocus