
Syskey password on startup

18 Posts
4 Users
0 Likes
2,291 Views
(@robinsage)
Posts: 28
Eminent Member
Topic starter
 

Hi,
I have a question regarding handling a syskey password prompt at windows (vista, w7, w8.x) startup.

This question arose from a tech forum post where online scammers had set syskey startup whilst pretending to remotely "fix" a pc for $300. If you don't pay then… Fortunately the passwords are reasonably simple 123, 1234, 12345. I am expecting more challenging passwords as this problem evolves into malware.

In a controllable environment I would consider using a hardware keylogger to record the user typing password, but remote software negates that, so what is the "best" way to handle the situation? I know there is software from elcomsoft that will attempt dictionary / brute force attacks against an extracted syskey. Other options are from passcape or linux based tools that will turn off the syskey, but requires changing the users' passwords too and protected storage is fubar.

I had considered doing a memory dump from a live system and searching for a known key eg 123456789. So far I have been unsuccessful, and probably somewhat naive in that approach, like it's probably hashed.
Looked extensively on the 'net for info but "syskey" seems irrevocably tied to "windows password recovery" and not this situation. Any thoughts, prior work ?

thanks

 
Posted : 03/06/2014 2:34 pm
(@athulin)
Posts: 1156
Noble Member
 

This question arose from a tech forum post where online scammers had set syskey startup whilst pretending to remotely "fix" a pc for $300.

Thus preventing a boot… presumably they also forced a reboot or shutdown.

In a controllable environment I would consider using a hardware keylogger to record the user typing password, but remote software negates that, so what is the "best" way to handle the situation?

Logging the activities of a remote user at a micro-level? Third-party software, if it exists at all. The ordinary LocalSessionManager logs are at session-level only, as far as I recall. But that's an enterprise-level solution. For normal users, the best solution is not to let anyone else touch their systems.

Or were you referring to something else?

I had considered doing a memory dump from a live system and searching for a known key eg 123456789. So far I have been unsuccessful, and probably somewhat naive in that approach, like it's probably hashed.

Or not the known key you were looking for or lost since it was present or …

In general, it's bad engineering to allow an important password to be left hanging around in memory for too long. I'd expect it to have been erased from memory as soon as it was stored or used in an authentication attempt.

Looked extensively on the 'net for info but "syskey" seems irrevocably tied to "windows password recovery" and not this situation. Any thoughts, prior work ?

Have you googled for 'remove syskey password'? I seem to find one or two apparently relevant links already on the first page, but as I said I'm a bit hazy on what you are really asking about.

 
Posted : 03/06/2014 9:11 pm
(@robinsage)
Posts: 28
Eminent Member
Topic starter
 

Hi,

Thanks for your comments.

Yes, there are many "how to remove syskey password" results. With the exception of the dictionary / bf attacks, all of them appear to require a user password reset as well. I am hoping to find a solution that does not require that.

If windows keeps passwords in memory, just in case they are needed then it may be possible to retrieve them in plain text. Like current user / session passwords recovered by mimikatz & windows credential editor.

One solution is to do a system restore to a point before syskey was applied. Unfortunately the bad guys and gals are starting to delete restore points too.

As for the poorly explained memory dump… I have set a syskey password on a test system and was attempting to find that password in memory after logging in.

So, does dealing with syskey at startup occur in the forensics world?

 
Posted : 04/06/2014 12:37 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

I've never once encountered this syskey password, in fact to be honest I had to google it to see what it even was :P

However from a forensic point of view this password doesn't stop us accessing any of the information on the hard drive as it only encrypts the SAM key, so I can't see an impact unless you are trying to conduct a live inspection.

This could prove challenging though, as if you took the normal approach (image drive, restore to donor drive, boot system with donor drive) you are still going to come up against the password issue, and while you can reset the account password and thereby bypass the syskey lock, you are also going to alter the admin account and presumably lose potential evidence by way of desktop appearance, settings and some files as well…

 
Posted : 04/06/2014 9:10 am
(@athulin)
Posts: 1156
Noble Member
 

However from a forensic point of view this password doesn't stop us accessing any of the information on the hard drive as it only encrypts the SAM key, so I can't see an impact unless you are trying to conduct a live inspection.

The syskey is also used to encrypt the EFS master key… so if you are using EFS to encrypt any of your disks, and use a SYSKEY password, you're kind of stuck.

There are some tools that claim to break EFS encryption, but I have no idea of how good they are.

Never encountered any EFS disks with separately kept SYSKEYs myself.

 
Posted : 04/06/2014 7:52 pm
(@robinsage)
Posts: 28
Eminent Member
Topic starter
 

As with most password systems, people making a poor choice of password is usually the weak link. A good dictionary, a user targeted wordlist plus a strings grep of the drive and you're probably good to go with the EFS decryption tools.

Other protected storage items like email & wifi passwords also seem to get destroyed with a syskey reset.

I have seen EFS on several business class laptops, but only one instance of syskey startup on floppy back in the 2000 days.

 
Posted : 04/06/2014 11:15 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am failing to understand what the problem is (final goal).

  1. Re-accessing data on a system where a third party (maliciously and without user knowing it) has setup Syskey encryption of the SAM?
  2. Re-accessing the actual system (i.e. booting to it)?
  3. Re-accessing the system without blanking all user's passwords?

There is a rather straightforward procedure to decrypt a syskey hash, see here
http://epyxforensics.com/node/34

that I believe works for other versions of the OS besides the 7 on which the article is based.

But there are several different tools/methods, another example
http://www.oxid.it/cain.html
http://www.oxid.it/ca_um/topics/nt_hashes_dumper.htm
http://www.oxid.it/ca_um/topics/syskey_decoder.htm

The point worth of note IMHO is that if the "added" Syskey encryption (and I believe change of password) has been carried out "maliciously" by a malware of some kind, the system is compromised, i.e. you have no way to know "what else" the malware may have done.

As such the system should NOT be trusted for *anything* (if not extracting the data that was not backed up prior to the infection/attack) and possibly not even booted at all.

Can you try better explaining the scenario/case at hand?

jaclaz

 
Posted : 05/06/2014 12:07 am
(@robinsage)
Posts: 28
Eminent Member
Topic starter
 

Excuse the tardy reply.

A user or in this case a "ms support" scammer can set a boot time syskey password that gives the following prompt before windows will progress to the user login screen.

Entering the incorrect password 3 times will force a reboot.

Extracting and decrypting the syskey hash for windows user login password recovery is, as you said, quite straight forward. However the above prompt requires the password, not the hash. This scenario is based on a standalone pc.

1. Accessing user data - cannot login
2. Re-access the system - boot the system without syskey startup or recover required key
3. Re-access the system without blanking the passwords

Items 2 & 3 combined with a view to preserving EFS is the preferred outcome of my research.

My results so far
1. Treat as non bootable system - slave drive or use a linux / PE boot disc. No EFS
2. Simple passwords recovered via dictionary / brute attack gives full access as a normal boot.
3. A damaged but bootable OS with access to EFS.

I totally agree with your point concerning 3rd party intrusion on any system will have compromised its integrity and rendered it "untrustworthy". In a corporate environment a new drive would be fitted and a clean OS installed. I would do the same with my pc. Unfortunately in the small business and private sector without any inhouse IT support many users are oblivious to, or choose to ignore, such latent problems.

alice

 
Posted : 07/06/2014 9:49 pm
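The three modes the thread is circling (key held in the registry, startup password, key on a floppy) are recorded by Windows in a single registry value, `SecureBoot` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`: 1 = key stored in the registry (the default, no prompt), 2 = startup password, 3 = key on floppy. The triage script below is an added example, not code from the thread or from any of the tools linked in it; it takes the text that `reg query` prints for that value (the two sample outputs are constructed, one for a machine that has been locked with a startup password and one for a normal machine) and reports which mode is set, so a technician can confirm after a suspicious "remote support" session whether the boot prompt was switched on before the machine is rebooted. The parser and the function names are mine.

```python
"""Triage check for the Syskey startup mode recorded in a SYSTEM hive.

Added example. Windows keeps the mode in the REG_DWORD value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SecureBoot:
  1 = key stored in the registry (default, nothing asked at boot)
  2 = startup password must be typed before the logon screen
  3 = key is read from a floppy/removable disk at boot
"""
import re
from typing import Optional

# Meaning of each SecureBoot value, as set by syskey.exe.
SECUREBOOT_MODES = {
    1: "key stored in registry (default, no prompt at boot)",
    2: "startup password required (syskey 'Password Startup')",
    3: "key stored on floppy/removable disk (syskey 'Store Startup Key on Floppy Disk')",
}

# Constructed sample: what
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v SecureBoot
# prints on a machine where a startup password has been set.
SAMPLE_LOCKED = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    SecureBoot    REG_DWORD    0x2

"""

# Constructed sample: the same query on an untouched machine.
SAMPLE_DEFAULT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    SecureBoot    REG_DWORD    0x1

"""

# A value line is indented: <name> <REG_type> <data>; key-path lines are not.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(output: str) -> dict:
    """Return {value_name: (reg_type, data_as_text)} from `reg query` output."""
    values = {}
    for line in output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, vtype, data = m.groups()
            values[name] = (vtype, data)
    return values


def secureboot_mode(output: str) -> Optional[int]:
    """Decode the SecureBoot DWORD, or None if it is absent or not a DWORD."""
    entry = parse_reg_query(output).get("SecureBoot")
    if entry is None or entry[0] != "REG_DWORD":
        return None
    # reg query prints DWORDs as hexadecimal with a 0x prefix.
    return int(entry[1], 16)


def triage(output: str) -> dict:
    """Summarise the mode and whether the machine will stop at a Syskey prompt."""
    mode = secureboot_mode(output)
    return {
        "mode": mode,
        "description": SECUREBOOT_MODES.get(mode, "unknown / value absent"),
        "prompt_at_boot": mode in (2, 3),
    }


if __name__ == "__main__":
    for label, sample in (("locked", SAMPLE_LOCKED), ("default", SAMPLE_DEFAULT)):
        print(label, triage(sample))
```

On a live machine the same check is a one-line `reg query`; the value of scripting it is that the output can be piped in from a PE boot disc session or from a hive loaded with `reg load`, and that mode 2 or 3 on a home PC that has never had a startup password configured is a clear flag to image the drive before anyone reboots it. The script only reads the value; changing it back to 1 offline is exactly what the "remove syskey" tools do, with the side effects on user passwords and EFS that the thread describes.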
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Extracting and decrypting the syskey hash for windows user login password recovery is, as you said, quite straight forward. However the above prompt requires the password, not the hash. This scenario is based on a standalone pc.

Now I see, oops.
It is the Syskey Start Up Password! (not that you hadn't said exactly that, only that I somehow completely failed to realize it was that one you were describing)

You are describing more or less this case
http://triplescomputers.com/blog/casestudies/solution-this-is-microsoft-support-telephone-scam-computer-ransom-lockout/

I don't think there is a way to "crack" that (the advice to restore a copy of the Registry is good of course) without resetting all passwords (as a matter of fact the approach is to disable the Syskey tool offline and change an Admin password, but all the other passwords will become invalid).

Something I have never tried is to see if the good ol' MSV_1.0.DLL trick (which lately Holmes.Sherlock, with some little help by me, "ported" to grub4dos, see here http://reboot.pro/topic/18588-passpass-bypass-the-password/ http://www.sherlock.reboot.pro/passpass-bypass-the-password/ ) would allow booting to the OS without providing a password, and then *what* can be done from the booted system.

jaclaz

 
Posted : 08/06/2014 12:02 am
(@robinsage)
Posts: 28
Eminent Member
Topic starter
 

Hi,

Yes, as per TrippleSComputers http://triplescomputers.com/blog/casestudies/solution-this-is-microsoft-support-telephone-scam-computer-ransom-lockout/. I know Steve via the Technibble forum.

Just checked my Process Monitor dump for syskey when setting / changing password (obviously after logging in) and msv1_0.dll isn't listed. It may well be used, but this is not my best area. Similarly, tracing the prompt before user login is beyond my ability too :(

As it happens I have devised solution #3, a clunky workaround that can preserve EFS but breaks some of the OS.

thanks for the info on PassPass. How did I not know about it sooner?! 😯 oops ?!

alice

 
Posted : 08/06/2014 1:49 am