Ed,

I have tried this on Windows XP in a lab setting and it does not work. Specifically, I used ntpasswd to change the account password and then booted the machine. The encrypted files were not accessible. If I recall correctly from my reading of the W2K resource kit, a user's password is used to encrypt their private key. Changing the password using ntpasswd undermines this process. I am surprised that it would work on a Windows 2000 machine - can you explain specifically what you did so that I can replicate it?

Thanks,
Eoghan

On Fri, 13 Sep 2002, Ed Moyle wrote:

> On Friday, September 13, 2002 08:44, Eoghan Casey wrote:
>
> > If you do not have the user's passphrase or a recovery agent, how do
> > you get around EFS?
>
> I've gotten a few questions about this, so here is the way to do it.
> There are a few caveats that should be taken into consideration before
> doing this on a system, though. The first (and most important) is that
> the utility I reference below requires *writing* to the drive, so you
> obviously don't want to do this on any drive that can't be written to
> (e.g. evidence)... so work with a mirror if you are going to do this in
> that context. This type of thing really works best with remote users
> (e.g. laptops) and you need physical access to the machine. I've done
> this on Win2k, but haven't tried with XP.
>
> Briefly, EFS works by encrypting a file with DESX. Then, the DESX file
> key is encrypted with some number of public keys that are in EFS certs
> that Windows knows about. These encrypted file keys are stored with the
> file as part of the file record. One might assume that some kind of
> password-based key derivation would be used to encrypt the private keys
> that correspond to those public keys (would seem logical to me), but that
> isn't the case in EFS...
>
> If you can trick Windows 2000 into logging you in (whether you know the
> account password or not), you can successfully decrypt the EFS encrypted
> files.
>
> How do you trick Windows into logging you in? I recommend the
> excellent pnordahl utility (http://home.eunet.no/~pnordahl/ntpasswd/)
> for doing this (don't use on a blank password... really important). This
> works with local accounts; if you can trick Windows 2000 into logging
> you in with cached credentials, you can decrypt also with domain accounts.
> You really need to log in to the domain if roaming profiles are used,
> since the keys are stored with the profile, but using roaming profiles
> and/or not having cached logins really hampers the ability of most users
> to do their work, so most users/organizations usually don't do that.
>
> Hope this information helps somebody out there.
>
> Regards,
> -Ed
>
> -----------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
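The key hierarchy the two messages disagree about, as an added example that is not part of the original thread. The real chain is: a random file encryption key (FEK) encrypts the file with DESX; the FEK is encrypted to the user's EFS public key (and to any recovery agents) and stored in the file's Data Decryption Field; the matching private key is protected by DPAPI, whose master key is derived from the user's logon password. The model below is mine, not Windows code, and every primitive is a stand-in so it runs on the standard library alone: an HMAC-SHA256 counter-mode stream cipher with a tag replaces DESX and the RSA wrap, PBKDF2 replaces DPAPI, SHA-256 replaces the SAM password verifier, and the names `Machine`, `seal`, `unseal`, `ntpasswd_reset` and the user "alice" are the example's own. What it shows is why an offline reset that rewrites only the SAM verifier gets you logged on but leaves the protected private key unopenable, unless the system keeps some other route to the master key:

```python
"""Toy model of the EFS key hierarchy (added example; not Windows' real algorithms).

Stand-ins (assumptions so the model runs with the stdlib only):
  DESX / RSA wrap  -> HMAC-SHA256 counter-mode stream cipher + authentication tag
  DPAPI master key -> PBKDF2-HMAC-SHA256 over the logon password
  SAM verifier     -> SHA-256 of the logon password
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

KDF_ITERATIONS = 10_000  # keep the demo fast; real DPAPI parameters differ


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream: HMAC(key, nonce || counter) blocks, truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); raises ValueError if the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def derive_master_key(password: str, salt: bytes) -> bytes:
    """DPAPI stand-in: the password-derived layer Eoghan's reply points at."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, KDF_ITERATIONS)


def sam_verifier(password: str) -> bytes:
    """SAM stand-in: what an offline password editor rewrites."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


@dataclass
class UserProfile:
    salt: bytes
    protected_private_key: bytes  # EFS private key sealed under the password-derived key


@dataclass
class EncryptedFile:
    ciphertext: bytes  # file body under the FEK
    ddf: bytes         # FEK sealed to the user's key (Data Decryption Field)


def efs_encrypt(private_key: bytes, data: bytes) -> EncryptedFile:
    fek = os.urandom(32)
    # Single secret stands in for the RSA key pair: "encrypt to public key" == seal under it.
    return EncryptedFile(seal(fek, data), seal(private_key, fek))


class Machine:
    def __init__(self) -> None:
        self.sam: dict[str, bytes] = {}
        self.profiles: dict[str, UserProfile] = {}

    def add_user(self, name: str, password: str) -> bytes:
        salt, private_key = os.urandom(16), os.urandom(32)
        self.sam[name] = sam_verifier(password)
        self.profiles[name] = UserProfile(salt, seal(derive_master_key(password, salt), private_key))
        return private_key

    def ntpasswd_reset(self, name: str, new_password: str) -> None:
        """Offline SAM edit: only the logon verifier changes. The protected private
        key in the profile stays sealed under the OLD password's derived key."""
        self.sam[name] = sam_verifier(new_password)

    def logon_and_decrypt(self, name: str, password: str, ef: EncryptedFile) -> bytes:
        if not hmac.compare_digest(self.sam[name], sam_verifier(password)):
            raise PermissionError("logon rejected")
        profile = self.profiles[name]
        private_key = unseal(derive_master_key(password, profile.salt), profile.protected_private_key)
        fek = unseal(private_key, ef.ddf)
        return unseal(fek, ef.ciphertext)


def demo() -> tuple[bytes, str, str]:
    """Constructed scenario: encrypt, reset the password offline, try both passwords."""
    pc = Machine()
    private_key = pc.add_user("alice", "hunter2")
    ef = efs_encrypt(private_key, b"payroll.xls contents")
    before = pc.logon_and_decrypt("alice", "hunter2", ef)
    pc.ntpasswd_reset("alice", "reset123")
    try:
        pc.logon_and_decrypt("alice", "hunter2", ef)
        old_pw = "accepted"
    except PermissionError:
        old_pw = "logon rejected"
    try:
        pc.logon_and_decrypt("alice", "reset123", ef)
        new_pw = "decrypts"
    except ValueError:
        new_pw = "logon ok, EFS key unrecoverable"
    return before, old_pw, new_pw


if __name__ == "__main__":
    print(demo())
```

The third result is the interesting one: the reset password gets past the SAM check, but the PBKDF2 output it produces does not open the profile's sealed private key, so the FEK and the file stay out of reach. Whether a given Windows release escrows or re-protects that key in a way an offline reset survives is precisely the Win2K-versus-XP question the two posts raise, and this model deliberately contains no such escrow path.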
This archive was generated by hypermail 2b30 : Fri Sep 13 2002 - 17:17:34 PDT