Date: Thu Oct 13 06:30:17 2005
From: tuevsec at gmx.net (Thomas Springer)
Subject: Microsoft EFS

EFS-stuff is tricky. Let me drop a few hints (on XP/2003 only!)

EFS-Files are crypted for the actual logged-in user (be it a domain-user 
or a local user).
By default, EFS crypts also to the key of a "default recovery agent", 
which is the local administrator or, if you are a domain-user, the 
domain-administrator.

ONLY these two accounts (user and recovery agent) can decrypt the files.
If your machine is part of a domain AND the files are crypted with a 
domain-account, the only way to get the data back is cracking the domain-pw.

I did a little Q&A months ago for our stuff; maybe this helps to make 
things clearer. And never forget: this matters for XP/2003. EFS on 
Win2k is different (and insecure).

How is it crypted?
Depending on version/service pack, with 3DES, DESX or 256-bit AES.
XP SP1 offers you a registry key to choose the cipher:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS 
AlgorithmID (DWORD)
3DES: 0x6603
DESX: 0x6604
AES-256: 0x6610

Where is the key hanging around physically?
The encrypted keys are living on
  \\<yourprofile>\Application Data\Microsoft\Crypto\RSA\{SID}\...

Can I backup/export the key?
Yes. Start a cmd.exe and say  cipher.exe /x [filename]
This saves a password-protected copy of your efs-key.

How can I check who can access an efs-crypted file?
Start a cmd.exe and say   efsinfo.exe /c /r /u

Does it help if I backup the above-mentioned key from my profile-directory?
No. Your local key-file is crypted with a random key and your 
user-password. Windows changes this random key every 60 days. Your 
backup would be useless then. If you change your Windows (or 
domain) password, the key also gets encrypted anew.

What happens if a Windows administrator (or Linux user with some 
bootdisk) resets my password (be it on the domain controller or locally)?
You no longer have access to your EFS-encrypted files, because your keys 
in the above-mentioned directories are garbled with your OLD 
user password. If you (or somebody else) reset your account password 
remotely, the keys won't get re-encrypted. Hey man, after all you 
wouldn't want a simple domain admin to read your data, would you? 
Hopefully you have backed up your EFS-Key using cipher.exe. Otherwise 
you'll have to consult your recovery-agent!

Depending on your OS and SP, cipher.exe and efsinfo.exe might not be 
installed on your machine, but you can get these tools and other 
valuable info from Microsoft:

> Do you know how this will work for a machine that is part of a Domain?
> Where there are no Local Users and the Default Recovery Agent is the 
> "Domain Admin"
> 
> I know that one can always hack the local admin PW, then unjoin the 
> domain, but where does that leave the machine.
> Is there any way to hack the "nounce" PW?
> 
> Thanks
> 
> Tim
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
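An added example, not part of the original post: a PowerShell audit of the XP/2003 EFS settings Thomas describes, reading the AlgorithmID value at the registry path he quotes, flagging the weaker 3DES/DESX choices, pinning AES-256, and wrapping the cipher.exe /x key backup. The registry path, the three cipher IDs and the cipher.exe /x syntax come from the post; the function names and the weak/strong classification are this example's own.

```powershell
# Added example (not from the original post): audit the EFS cipher selection
# on XP/2003 and optionally back up the current user's EFS key.
# Assumes the registry path and AlgorithmID values quoted in the post and
# that cipher.exe is present; run it as the user whose key is audited.

$EfsKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

# Cipher identifiers as listed in the post.
$AlgorithmNames = @{
    0x6603 = '3DES'
    0x6604 = 'DESX'
    0x6610 = 'AES-256'
}

function Get-EfsAlgorithm {
    # Describes the configured cipher. When AlgorithmID is absent the OS
    # default applies; the post ties that default to version and service
    # pack, so it is reported as 'unset' rather than guessed.
    $props = Get-ItemProperty -Path $EfsKeyPath -Name 'AlgorithmID' -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ AlgorithmID = $null; Name = 'unset (OS default)'; Weak = $null }
    }
    $id = [int]$props.AlgorithmID
    $name = if ($AlgorithmNames.ContainsKey($id)) { $AlgorithmNames[$id] } else { 'unknown' }
    # Only AES-256 is treated as strong here; 3DES, DESX and unknown IDs are flagged.
    [pscustomobject]@{
        AlgorithmID = ('0x{0:X4}' -f $id)
        Name        = $name
        Weak        = ($name -ne 'AES-256')
    }
}

function Set-EfsAlgorithmAes256 {
    # Hardening step: select AES-256 (0x6610) for EFS, as the post describes.
    # Writing under HKLM requires administrative rights.
    Set-ItemProperty -Path $EfsKeyPath -Name 'AlgorithmID' -Value 0x6610 -Type DWord
}

function Backup-EfsKey {
    param([Parameter(Mandatory)][string]$Destination)
    # cipher.exe /x saves a password-protected copy of the caller's EFS key
    # (it prompts for the password interactively); keep the file off the machine,
    # since a password reset leaves the profile copy unusable, per the post.
    & cipher.exe /x $Destination
}

Get-EfsAlgorithm | Format-List
```

Run `Set-EfsAlgorithmAes256` from an elevated prompt and `Backup-EfsKey -Destination 'D:\efs-backup'` as the encrypting user to act on the findings.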

