[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Microsoft EFS

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Microsoft EFS
From: "Dyke, Tim" <Tim.Dyke@xxxxxxxxxxxxxx>
Date: Tue, 11 Oct 2005 10:03:18 -0700

> The DEFAULT recovery agent is the Administrator, on the other hand you
always 
> can to decrypt the data from the userX login like that userX; So crack
the 
> password or overwrite it off-line (the same for the delegated recovery

> agent).

Tom wrote"
be careful:

overwriting the pw offline will work with efs on w2k.
it will not work with winxp/2003: you cant access any efs-data after 
resetting the password offline.

you'll have to crack the usesrs or the admins pw and either logon 
interactively or export their keys to get access to the efs-encrypted
data.

Tom"

Do you know how his will work for a machine that is part of a Domain?
Where there are no Local Users and the Default Recovery Agent is the
"Domain Admin"

I know tht one can always hack the local admin PW, then unjoin the
domain, but where does that leave the machine.
Is there any way to hack the "nounce" PW?

Thanks

Tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Microsoft EFS
  - From: Fco. Jose Garrido Matamoros
- Re: [Full-disclosure] Microsoft EFS
  - From: Thomas Springer
- Re: [Full-disclosure] Microsoft EFS
  - From: Thomas Springer

Prev by Date: Re: [Full-disclosure] Microsoft EFS
Next by Date: [Full-disclosure] iDEFENSE Security Advisory 10.11.05: Microsoft Distributed Transaction Controller Packet Relay DoS Vulnerability
Previous by thread: RE: [Full-disclosure] Microsoft EFS
Next by thread: Re: [Full-disclosure] Microsoft EFS
Index(es):
- Date
- Thread