Open Source and information security mailing list archives
 
Date: Fri May  5 20:58:50 2006
From: seemyhomepage at katsokotisivuilta.ni (Markus Jansson)
Subject: Windows XP Home LSA secrets stores XP login passphrase in plain text

This again proves why you should do some hacking of your own system; 
things like these would otherwise go unnoticed...

OK, I set up Windows XP Home and did the regular securing up (as much as 
you can do with Home edition), for example setting that users must use 
passwords and usernames to sign in, using control+alt+delete to sign in, 
disabling automatic login to Windows, etc. etc. I rebooted, changed my 
account X passphrase, then rebooted again. Then I signed in to another 
admin-level account (account Y), ran Cain & Abel and used it to dump 
LSA secrets... well, well, well... Windows stores my account X Windows XP 
login passphrase in plaintext in the DefaultPassword field!

My Windows XP should NOT store any Windows passphrases in clear text on 
the hdd, but only the passphrase's hash 
(LM/NTLM/NTLMv2/NT)... UNLESS specific settings are set (allowing 
automatic login to Windows). But it does. Other people have also 
verified that Windows sometimes does this, even if it is specifically set 
not to save it.

I understand that LSA Secrets might/should store user X's password in 
memory for the time user X is signed in, so it can be used to 
authenticate the user to maybe third-party sites, network drives, etc. 
But when user X is logged out of the system, user Y cannot/should not 
see user X's Windows XP password, since it is NOT loaded into memory 
(from where it could be loaded into memory if the user has not entered it 
yet, because user X hasn't signed in in this session yet?!?). So, in this 
case, it seems that Windows IS storing the user's passphrase 
somewhere in plaintext, which it should not do.

Now, let me clear a few things up, ok:
- I'm not talking about bruteforcing LM/NTLM/NTLMv2/NT hashes.
- I'm not talking about using rainbow tables to fetch the password.
- I'm not saving anything under any Outlook Express, MSN, saved passwords 
or anything in the whole XP Home computer (so that if I used the same 
passphrase on them too, C&A could somehow recover that).
- Yes, it's true that in order to do this, you must have the SeDebug 
privilege set for the user, and admins can always reset any user's 
passphrase (and anyone with physical access to the computer can always 
get admin permissions using 3rd party tools).
- HOWEVER, if you can actually GET the user's password (the one he is 
currently using) the way I'm talking about now, you can do a lot of harm 
with that. You can, for example, decrypt all EFS encrypted files in normal 
situations (since the user's EFS private key is encrypted using the user's 
passphrase). You can, for example, try that same password in all kinds 
of places where that user is logging in (since chances are he's using 
the same password or variations of it elsewhere).
- Yes, if/when a villain can get admin permissions or physical access to 
the computer, the game is lost in the sense that it can be loaded with all 
kinds of hardware and software keyloggers and insecure settings, so that 
the next time users sign in to the computer, their passwords etc. can be 
recorded and abused by the villain. However, notice the words "next time 
users sign in"! If someone steals the computer, that doesn't happen. If 
someone leaves hints that the system is tampered with, that doesn't happen. 
BUT, in the scenario I have told you about, all you need is to GET access 
to the computer and the game is over; you don't have to wait for users to 
sign in to the computer next time! This is a very important issue when 
thinking about this bug vs. regular keylogging/insecuring the system.
- Nobody, including admins, should be able to see plaintext 
passwords, and Windows should NOT store them on the computer unless 
specially ordered to because of some "weird" configuration or 
usability thing.

Now, the funny thing is that if I changed my password via Control Panel 
- User Accounts, the new password would always be recorded in the LSA 
Secrets and recovered by C&A. However, if I used "control 
userpasswords2" to SET my password, the new password would NOT be 
recorded in LSA Secrets and C&A could not recover it from there.

A similar bug has been discussed earlier here, but with no 
solution or idea about why it's there:
http://www.derkeiler.com/Newsgroups/microsoft.public.security/2005-05/0765.html

Ongoing discussion about the subject in:
http://www.dslreports.com/forum/remark,16012871



-- 
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
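A self-check for the condition the post reports, added here as an example and not part of the original message or of Cain & Abel. It looks for a DefaultPassword secret under HKLM\SECURITY\Policy\Secrets (the hive an LSA secrets dump reads) and reads the Winlogon autologon values. A DefaultPassword secret is only expected when automatic logon was deliberately configured; a secret that is present while autologon is off is the situation described above. The script assumes a SYSTEM shell (HKLM\SECURITY is not readable by ordinary administrators; `psexec -s -i powershell.exe` from Sysinternals gives one); the function and variable names are this example's own.

```powershell
# Added example (not from the original post): check whether a DefaultPassword
# LSA secret exists and whether Winlogon autologon is configured.
# Must run as SYSTEM, e.g. via:  psexec -s -i powershell.exe

function Test-DefaultPasswordSecret {
    # LSA secrets are stored as subkeys of this key; Cain & Abel reads the same data.
    $secretsPath = 'HKLM:\SECURITY\Policy\Secrets'
    try {
        $secretNames = (Get-ChildItem -Path $secretsPath -ErrorAction Stop).PSChildName
    } catch {
        Write-Warning "Cannot enumerate $secretsPath (are you running as SYSTEM?): $_"
        return $null
    }
    # Other secrets (DPAPI_SYSTEM, NL$KM, $MACHINE.ACC) are normal;
    # only DefaultPassword matters for this check.
    return [bool]($secretNames -contains 'DefaultPassword')
}

function Get-AutoLogonSettings {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon
    [pscustomobject]@{
        AutoAdminLogon  = [string]$props.AutoAdminLogon   # "1" enables autologon
        DefaultUserName = [string]$props.DefaultUserName
        # A DefaultPassword value directly under Winlogon is the plaintext
        # registry form of autologon, readable by any local administrator.
        RegistryDefaultPassword = ($null -ne $props.DefaultPassword)
    }
}

$secretPresent = Test-DefaultPasswordSecret
$autoLogon     = Get-AutoLogonSettings

$autoLogon | Format-List

if ($null -eq $secretPresent) {
    'LSA secrets could not be read; rerun as SYSTEM.'
} elseif ($secretPresent -and $autoLogon.AutoAdminLogon -eq '1') {
    'DefaultPassword LSA secret present and autologon is enabled: expected.'
} elseif ($secretPresent) {
    'DefaultPassword LSA secret present but autologon is disabled: a logon passphrase may be stored in plaintext.'
} else {
    'No DefaultPassword LSA secret: nothing stored.'
}
```

Run it before and after changing the account password through Control Panel - User Accounts and again after setting it through "control userpasswords2", which is the difference the post observed; the secret's presence, not its value, is what the script reports, so it never prints the password itself.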
