lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1064496796.bb2788e0Palan@myrealbox.com>
From: Palan at myrealbox.com (Palan)
Subject: SAM Switch - Win2k/XP password-less login

Hello,

I found that SAM file could be replaced just like PWL files in Win9x. I posted the following to Bugtraq, but in spite of posting twice it never appeared in the list... (possibly moderated)

Folks, go ahead and change the boot options in your BIOS ASAP.

>>>>>> Original Posting to Bugtraq but never appeared

It is well know that Windows 2k/XP local user account passwords can be reset with Petter Nordahl's ntbootdisk available at 

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Since the disk loads the Windows NTFS partition as read write partition wouldn't it be nice if we could backup the SAM file and restore it if something went wrong.  

This seems to have a security issue, similar to PWL files replacement in Win9x. In the Win9x world renaming PWL files allowed one to bypass the Win9x passwords. The same would be feasible with Windows 2k/XP as well.

Normally when Windows 2k/XP OS is active, the SAM registry cannot be accessed, Petter's disk tries to load the files offline and makes the necessary password reset changes. Just copying the SAM file to a secondary medium before changes and restoring the SAM file later is enough to get the old passwords back.

Someone could
1. Backup the old administrator password
2. Replace it with chntpw utility 
3. Install applications/trojans/sniffer 
4. Restore the old administrator password 

This means ANYONE could be ADMINISTRATOR to a box without knowing the password and not changing the password (a.k.a SAM switch).

In a University/Corporate environment point 3 is a nightmare, it would be difficult to detect such offline privilege use techniques.

Though this technique is possible by command line, Petter's disk doesn't have a menu interface for this. I have changed the scripts on his disk to be able to backup and restore the SAM file. It is available at

http://whitehatzone.tripod.com

Some Solutions to address this issue:
1. By default HDD should be the first boot device (The above floppy image could easily be modified to be made to boot from CDROM, USB storage, USB floppy hence HDD should be the first)
2. The SAM password injection technique as identified by Petter Nordahl should be addressed by the vendor.
(On a side note this is fixable by the vendor if they correct the NTLM and LANMan crypted hash to that of the syskeyed NTLMv2 instead of vice-versa as done currently. This is what allows Petter's utility to inject crypted LANMAN, NTLM hashes into the SAM which get syskeyed on next boot.)


-Palan Annamalai

Researcher, VTLAN, 
Virginia Tech.
palan-AT-myrealbox.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ