Syskey password on startup


RobinSage
Member
 

Syskey password on startup

Posted: Jun 03, 14 14:34

Hi,
I have a question regarding handling a syskey password prompt at Windows (Vista, 7, 8.x) startup.

This question arose from a tech forum post where online scammers had set a syskey startup password whilst pretending to remotely "fix" a PC for $300. If you don't pay then... Fortunately the passwords are reasonably simple: 123, 1234, 12345. I am expecting more challenging passwords as this problem evolves into malware.

In a controllable environment I would consider using a hardware keylogger to record the user typing the password, but remote software negates that, so what is the "best" way to handle the situation? I know there is software from Elcomsoft that will attempt dictionary / brute force attacks against an extracted syskey. Other options are from Passcape or Linux-based tools that will turn off the syskey, but they require changing the users' passwords too, and protected storage is fubar.

I had considered doing a memory dump from a live system and searching for a known key, e.g. 123456789. So far I have been unsuccessful, and probably somewhat naive in that approach, like it's probably hashed.
Looked extensively on the 'net for info but "syskey" seems irrevocably tied to "windows password recovery" and not this situation. Any thoughts, prior work ?

thanks  
 
  

athulin
Senior Member
 

Re: Syskey password on startup

Posted: Jun 03, 14 21:11

- AliceKlaar
This question arose from a tech forum post where online scammers had set syskey startup whilst pretending to remotely "fix" a pc for $300.


Thus preventing a boot... presumably they also forced a reboot or shutdown.

In a controllable environment I would consider using a hardware keylogger to record the user typing password, but remote software negates that, so what is the "best" way to handle the situation?


Logging the activities of a remote user at a micro-level? Third-party software, if it exists at all. The ordinary LocalSessionManager logs are at session level only, as far as I recall. But that's an enterprise-level solution. For normal users, the best solution is not to let anyone else touch their systems.

Or were you referring to something else?

I had considered doing a memory dump from a live system and searching for a known key eg 123456789. So far I have been unsuccessful, and probably somewhat naive in that approach, like it's probably hashed.


Or not the known key you were looking for or lost since it was present or ...

In general, it's bad engineering to allow an important password to be left hanging around in memory for too long. I'd expect it to have been erased from memory as soon as it was stored or used in an authentication attempt.

Looked extensively on the 'net for info but "syskey" seems irrevocably tied to "windows password recovery" and not this situation. Any thoughts, prior work ?


Have you googled for 'remove syskey password'? I seem to find one or two apparently relevant links already on the first page, but as I said I'm a bit hazy on what you are really asking about.
 
  

RobinSage
Member
 

Re: Syskey password on startup

Posted: Jun 04, 14 00:37

Hi,

Thanks for your comments.

Yes, there are many "how to remove syskey password" results. With the exception of the dictionary / bf attacks, all of them appear to require a user password reset as well. I am hoping to find a solution that does not require that.

If windows keeps passwords in memory, just in case they are needed then it may be possible to retrieve them in plain text. Like current user / session passwords recovered by mimikatz & windows credential editor.

One solution is to do a system restore to a point before syskey was applied. Unfortunately the bad guys and gals are starting to delete restore points too.

As for the poorly explained memory dump... I have set a syskey password on a test system and was attempting to find that password in memory after logging in.

So, does dealing with syskey at startup occur in the forensics world?  
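A practical check on the memory-search idea in the post above, added here as an illustration rather than as anything the poster ran: Windows keeps most strings in memory as UTF-16LE, so a search for the ASCII bytes of "123456789" can miss a copy that is sitting in plain sight. The scanner below looks for a candidate in both encodings and reports the offsets of every hit. The memory image is a constructed byte string, not a real dump; on a real case you would read the raw image file (or mmap it) and pass its bytes in.

```python
"""Scan a raw memory image for a known candidate string in the encodings
Windows actually uses. Added example; SAMPLE_IMAGE is constructed."""

# Encodings worth trying: narrow ASCII and the wide UTF-16LE form that
# Win32 / LSA buffers normally hold.
ENCODINGS = {
    "ascii": lambda s: s.encode("ascii"),
    "utf-16le": lambda s: s.encode("utf-16-le"),
}


def find_candidates(image: bytes, candidate: str) -> dict:
    """Return {encoding: [offsets]} for every occurrence of the candidate."""
    hits = {}
    for name, encode in ENCODINGS.items():
        needle = encode(candidate)
        offsets, start = [], 0
        while (pos := image.find(needle, start)) != -1:
            offsets.append(pos)
            start = pos + 1  # keep going: overlapping/repeated copies matter
        hits[name] = offsets
    return hits


def scan_file(path: str, candidate: str) -> dict:
    """Convenience wrapper for a real image on disk (path is caller-supplied)."""
    with open(path, "rb") as fh:
        return find_candidates(fh.read(), candidate)


# Constructed sample image: filler, a fake module name, then the candidate
# stored only as UTF-16LE, the way a wide-string buffer would hold it.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"LsaSrv".ljust(16, b"\x00")
    + "123456789".encode("utf-16-le")
    + b"\xff" * 32
)

if __name__ == "__main__":
    for enc, offs in find_candidates(SAMPLE_IMAGE, "123456789").items():
        print(f"{enc:9s}: {offs}")
```

An ASCII-only grep over the sample reports nothing; the UTF-16LE search finds the copy at offset 80. Absence of a hit in either encoding still proves little, since the value may be held only in a derived form or may already have been wiped, as the reply above points out.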
 
  

Adam10541
Senior Member
 

Re: Syskey password on startup

Posted: Jun 04, 14 09:10

I've never once encountered this syskey password; in fact, to be honest, I had to google it to see what it even was.

However from a forensic point of view this password doesn't stop us accessing any of the information on the hard drive as it only encrypts the SAM key, so I can't see an impact unless you are trying to conduct a live inspection.

This could prove challenging though, as if you took the normal approach (image drive, restore to donor drive, boot system with donor drive) you are still going to come up against the password issue, and while you can reset the account password and thereby bypass the syskey lock, you are also going to alter the admin account and presumably lose potential evidence by way of desktop appearance, settings and some files as well...
 
  

athulin
Senior Member
 

Re: Syskey password on startup

Posted: Jun 04, 14 19:52

- Adam10541
However from a forensic point of view this password doesn't stop us accessing any of the information on the hard drive as it only encrypts the SAM key, so I can't see an impact unless you are trying to conduct a live inspection.


The syskey is also used to encrypt the EFS master key ... so if you are using EFS to encrypt any of your disks, and use a SYSKEY password, you're kind of stuck.

There are some tools that claim to break EFS encryption, but I have no idea of how good they are.

Never encountered any EFS disks with separately kept SYSKEYs myself.  
 
  

RobinSage
Member
 

Re: Syskey password on startup

Posted: Jun 04, 14 23:15

As with most password systems, people making a poor choice of password is usually the weak link. A good dictionary, a user targeted wordlist plus a strings grep of the drive and you're probably good to go with the EFS decryption tools.

Other protected storage items like email & wifi passwords also seem to get destroyed with a syskey reset.

I have seen EFS on several business class laptops, but only one instance of syskey startup on floppy back in the 2000 days.  
 
  

jaclaz
Senior Member
 

Re: Syskey password on startup

Posted: Jun 05, 14 00:07

I am failing to understand what the problem is (final goal).
  1. Re-accessing data on a system where a third party (maliciously and without user knowing it) has setup Syskey encryption of the SAM?
  2. Re-accessing the actual system (i.e. booting to it)?
  3. Re-accessing the system without blanking all user's passwords?

There is a rather straightforward procedure to decrypt a syskey hash, see here:
epyxforensics.com/node/34

that I believe works for other versions of the OS besides the 7 on which the article is based.

But there are several different tools/methods, another example:
www.oxid.it/cain.html
www.oxid.it/ca_um/topi...dumper.htm
www.oxid.it/ca_um/topi...ecoder.htm

The point worth of note IMHO is that if the "added" Syskey encryption (and I believe change of password) has been carried out "maliciously" by a malware of some kind, the system is compromised, i.e. you have no way to know "what else" the malware may have done.

As such the system should NOT be trusted for *anything* (if not extracting the data that was not backed up prior to the infection/attack) and possibly not even booted at all.

Can you try better explaining the scenario/case at hand?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
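The "straightforward procedure" jaclaz refers to, and Adam10541's point that syskey only wraps the SAM key, both rest on the same first step: recovering the boot key from the SYSTEM hive. The example below (added here; it is not code from the thread, the epyxforensics article or Cain) implements that step in the stdlib-only form used by offline tools: the four LSA subkeys JD, Skew1, GBG and Data each carry an 8-character hex string as their class name, the 16 bytes are concatenated and then permuted. The check a practitioner wants first is the REG_DWORD SecureBoot under the same Lsa key: mode 1 means the key is in the registry, modes 2 and 3 mean it is derived from a startup password or read from a floppy, so nothing on disk yields it and the registry-only derivation must refuse rather than hand back a wrong key (that is exactly the scammer scenario at the top of the thread, and why the dictionary/brute-force tools exist). Extracting the class names and the SecureBoot value from the hive is left to whichever hive parser you use; the class-name strings and DWORD bytes shown are constructed sample data.

```python
"""Recover the syskey boot key from the LSA class names, after checking the
SecureBoot mode. Added example, not from the original thread; the sample
class names and DWORD data below are constructed."""
import struct
from binascii import unhexlify

# Registry locations (relative to the SYSTEM hive) that the derivation reads.
LSA_KEY = r"CurrentControlSet\Control\Lsa"
CLASS_NAME_SUBKEYS = ("JD", "Skew1", "GBG", "Data")   # read in this order
SECUREBOOT_VALUE = "SecureBoot"                       # REG_DWORD under LSA_KEY

SECUREBOOT_MODES = {
    1: "boot key stored (obfuscated) in the registry",
    2: "boot key derived from a startup password; not stored on disk",
    3: "boot key stored on a startup floppy; not stored in the registry",
}

# LSA descrambles the 16 concatenated bytes with this fixed permutation:
# output byte k is input byte BOOTKEY_PERMUTATION[k].
BOOTKEY_PERMUTATION = (0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                       0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7)


def secureboot_mode(value_data: bytes) -> int:
    """Decode the raw REG_DWORD data of ...\\Lsa\\SecureBoot (little-endian)."""
    if len(value_data) < 4:
        raise ValueError("SecureBoot data too short for a REG_DWORD")
    (mode,) = struct.unpack("<I", value_data[:4])
    if mode not in SECUREBOOT_MODES:
        raise ValueError(f"unknown SecureBoot mode {mode}")
    return mode


def bootkey_from_class_names(jd: str, skew1: str, gbg: str, data: str,
                             mode: int = 1) -> bytes:
    """Assemble and unscramble the boot key. Refuses for modes 2 and 3,
    where the class names do not hold the real key."""
    if mode != 1:
        raise ValueError(
            f"SecureBoot mode {mode}: {SECUREBOOT_MODES[mode]}; "
            "the registry-derived value would not be the real boot key")
    scrambled = unhexlify(jd + skew1 + gbg + data)
    if len(scrambled) != 16:
        raise ValueError("expected four 8-hex-digit class names (16 bytes)")
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


if __name__ == "__main__":
    # Constructed sample: an ordinary mode-1 machine.
    mode = secureboot_mode(b"\x01\x00\x00\x00")
    key = bootkey_from_class_names("00112233", "44556677",
                                   "8899aabb", "ccddeeff", mode=mode)
    print("SecureBoot mode:", mode, "-", SECUREBOOT_MODES[mode])
    print("boot key:", key.hex())

    # Constructed sample: the thread's scenario, a startup password was set.
    mode = secureboot_mode(b"\x02\x00\x00\x00")
    try:
        bootkey_from_class_names("00112233", "44556677",
                                 "8899aabb", "ccddeeff", mode=mode)
    except ValueError as err:
        print("refused:", err)
```

The boot key is the input to the next stage (unwrapping the hashed boot key from the SAM's F value and then the per-user hashes), which is where the tools jaclaz lists take over. For a mode-2 system the only offline route to the same 16 bytes is guessing the startup password, which is the Elcomsoft use case from the first post; and, as jaclaz notes, a machine where a third party set that password should be treated as compromised regardless of whether the key is recovered.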
 
