RE: Password "security" - was "Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"

From: Marco Ivaldi (raptor@0xdeadbeef.info)
Date: Tue Oct 11 2005 - 05:53:26 EDT


Hey pen-testers,

> As I said, by using SYSKEY with a password-on-boot, I was hoping to
> protect the cache entries stored on the laptops. Without the SYSKEY
> password, the machine won't boot, so an attacker could not dump the
> cache (CacheDump) or get access to the LSA (LSADump2). I also assume
> that booting with another OS would not give the attacker access to the
> EFS files because AES is pretty strong, the cache entries are encrypted
> with a secret (NL$KM) which is stored in the LSA and the LSA is not
> accessible because the system key is password protected by a password
> which is not stored locally anymore. I don't assume my reasoning is
> foolproof, I just want to make sure deploying SYSKEY with a
> password-on-boot will render our laptops harder to penetrate.

As usual I apologize for coming late to the party, just wanted to point
out this tool:

http://www.elcomsoft.com/aefsdr.html
http://www.elcomsoft.com/help/aefsdr/index.html?page=how_aefsdr_works.htm

"Advanced EFS Data Recovery (or AEFSDR) is a program to recover (decrypt)
files encrypted on NTFS (EFS) partitions created in Windows 2000, Windows
XP and Windows Server 2003. Files are being decrypted even in a case when
the system is not bootable and so you cannot log on, and/or some
encryption keys have been tampered. Besides, decryption is possible even
when Windows is protected using SYSKEY. AEFSDR effectively (and instantly)
decrypts the files protected under all versions Windows Server 2003
(Standard and Enterprise), Windows XP (including Service Packs 1 and 2)
and Windows 2000 (including Service Packs 1, 2, 3 and 4)."

I've not tested it and I doubt it would work with the Password Startup
SYSKEY option (so the setup you're suggesting should be basically safe),
moreover I'm by no means a Windows expert, but EFS doesn't seem such a
strong protection to me.

Just my 2 euro-cents,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:03 EDT