Eoghan and Ed,

In Windows 2000, the user's password was not used to protect the EFS certificate and private key. As a result, resetting a password outside of the operating system using something like ntpasswd allowed logging in as the user with the new password, and gaining access to the EFS encrypted files (assuming the private key had not been exported and deleted from the system).

It is my understanding that in Windows XP Pro the user's password IS used to protect the EFS certificate and private key. As a result, resetting a password outside of the operating system will NOT allow access to the EFS encrypted files.

One solution for XP would be to reset the administrator's password, log in as the administrator, and then run LC3 on the SAM to recover the password of the user. One could then log in as the user using the appropriate password. Note that this should always be done on a duplicate image of the drive, and never on the original, as it will require installation of LC3.

Regards,
Raemarie Schmidt
NW3C

-----Original Message-----
From: Eoghan Casey [mailto:eoghan.caseyat_private]
Sent: Friday, September 13, 2002 5:24 PM
To: Ed Moyle
Cc: Eoghan Casey; forensicsat_private
Subject: RE: Question about brute forcing EFS...

Ed,

I have tried this on Windows XP in a lab setting and it does not work. Specifically, I used ntpasswd to change the account password and then booted the machine. The encrypted files were not accessible. If I recall correctly from my reading of the W2K resource kit, a user's password is used to encrypt their private key. Changing the password using ntpasswd undermines this process. I am surprised that it would work on a Windows 2000 machine - can you explain specifically what you did so that I can replicate it?

Thanks,
Eoghan

On Fri, 13 Sep 2002, Ed Moyle wrote:

> On Friday, September 13, 2002 08:44, Eoghan Casey wrote:
>
> > If you do not have the user's passphrase or a recovery agent, how do you get around EFS?
>
> I've gotten a few questions about this, so here is the way to do it. There are a few caveats that should be taken into consideration before doing this on a system, though. The first (and most important) is that the utility I reference below requires *writing* to the drive, so you obviously don't want to do this on any drive that can't be written to (e.g. evidence)... so work with a mirror if you are going to do this in that context. This type of thing really works best with remote users (e.g. laptops) and you need physical access to the machine. I've done this on Win2k, but haven't tried with XP.
>
> Briefly, EFS works by encrypting a file with DESX. Then, the DESX file key is encrypted with some number of public keys that are in EFS certs that Windows knows about. These encrypted file keys are stored with the file as part of the file record. One might assume that some kind of password based key derivation would be used to encrypt the private keys that correspond to those public keys (would seem logical to me), but that isn't the case in EFS...
>
> If you can trick Windows 2000 into logging you in (whether you know the account password or not), you can successfully decrypt the EFS encrypted files. How do you trick Windows into logging you in? I recommend the excellent pnordahl utility (http://home.eunet.no/~pnordahl/ntpasswd/) for doing this (don't use on a blank password... really important.) This works with local accounts; if you can trick Windows 2000 into logging you in with cached credentials, you can decrypt also with domain accounts. You really need to log in to the domain if roaming profiles are used since the keys are stored with the profile, but using roaming profiles and/or not having cached logins really hampers the ability of most users to do their work, so most users/organizations usually don't do that.
>
> Hope this information helps somebody out there.
>
> Regards,
> -Ed
>

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
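The key hierarchy Ed describes (file data under a random file key, that key wrapped under the user's EFS certificate key, and the matching private key either protected by the logon password or not), as an added toy model that is not code from this thread or from Windows. It uses stdlib-only constructions (a SHA-256 counter keystream with an HMAC-SHA256 tag, PBKDF2 for the password-derived key) in place of DESX, RSA and DPAPI; the `Account` class, the two policy names, the profile layout and the sample file are all assumptions made for the model. It shows why an offline rewrite of the stored password verifier (what ntpasswd does) still yields the files when the private key's wrapping key does not depend on the password, the Windows 2000 behaviour claimed in the thread, but not when it does, the XP behaviour claimed in the thread, and why logging on with the recovered original password (the LC3 route) works in both cases.

```python
"""Toy model of the EFS key hierarchy discussed in the thread (added example).

  file data            <- encrypted under a random File Encryption Key (FEK)
  FEK                  <- wrapped under the user's EFS key and stored with the file
  user's private key   <- stored in the profile, wrapped under a key-encryption key (KEK)

policy "password": KEK derived from the logon password (the thread's XP claim)
policy "machine":  KEK independent of the password   (the thread's Windows 2000 claim)

All cryptography here is a stdlib-only stand-in, not DESX, RSA or DPAPI.
"""
import hashlib
import hmac
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; toy construction, not a production cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || HMAC-SHA256 tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError when the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key: tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Account:
    """Assumed local account: a SAM-style password verifier plus the user's
    wrapped EFS private key kept in the profile."""

    def __init__(self, password: str, policy: str, machine_key: bytes):
        self.policy = policy
        self.machine_key = machine_key
        self.salt = os.urandom(16)
        self.verifier = self._verifier(password)
        private_key = os.urandom(32)  # stands in for the EFS RSA private key
        self.wrapped_private_key = wrap(self._kek(password), private_key)

    def _verifier(self, password: str) -> bytes:
        return hashlib.sha256(self.salt + password.encode()).digest()

    def _kek(self, password: str) -> bytes:
        if self.policy == "password":
            return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000, 32)
        return self.machine_key  # does not depend on the password at all

    def offline_reset(self, new_password: str) -> None:
        """What an offline reset tool does: overwrite the stored verifier only.
        The wrapped private key in the profile cannot be re-wrapped."""
        self.verifier = self._verifier(new_password)

    def logon(self, password: str) -> Optional[bytes]:
        """Returns the unwrapped EFS private key, or None if logon or unwrap fails."""
        if not hmac.compare_digest(self.verifier, self._verifier(password)):
            return None
        try:
            return unwrap(self._kek(password), self.wrapped_private_key)
        except ValueError:
            return None


PLAINTEXT = b"constructed sample file: confidential report"  # constructed, not real data


def read_efs_file(policy: str, reset_to: Optional[str], logon_with: str) -> Optional[bytes]:
    """Encrypt a file as the user, optionally reset the password offline, then
    log on with `logon_with` and try to read the file back."""
    acct = Account("hunter2", policy, machine_key=os.urandom(32))

    # The user encrypts a file: random FEK for the data, FEK wrapped under the
    # user's key and stored alongside the file (EFS keeps this in the file record).
    priv = acct.logon("hunter2")
    fek = os.urandom(32)
    wrapped_fek = wrap(priv, fek)
    ciphertext = wrap(fek, PLAINTEXT)

    if reset_to is not None:
        acct.offline_reset(reset_to)

    priv = acct.logon(logon_with)
    if priv is None:
        return None
    try:
        return unwrap(unwrap(priv, wrapped_fek), ciphertext)
    except ValueError:
        return None


if __name__ == "__main__":
    print("machine  KEK, offline reset, new password :", read_efs_file("machine", "changed", "changed"))
    print("password KEK, offline reset, new password :", read_efs_file("password", "changed", "changed"))
    print("password KEK, no reset, original password :", read_efs_file("password", None, "hunter2"))
```

The failure under the "password" policy is not a logon failure: the rewritten verifier accepts the new password, but the KEK derived from it no longer matches the one the private key was wrapped under, so the tag check fails and the key never comes back. That is the same observation Eoghan reports for XP, and it is why the only route the thread offers for XP is recovering the original password rather than replacing it.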
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 05:16:52 PDT