Passwords Stored Using Reversible Encryption - How It Works (Part 1)

This document summarizes how passwords are stored using reversible encryption in Windows domains. When a user changes their password on a domain with this feature enabled, the password is encrypted using RC4 with a key derived from the global LSA secret "G$MSRADIUSCHAPKEY" and a random value. The encrypted password is stored in the user's Active Directory userParameters attribute, where it can be decrypted by extracting the encryption components and decrypting with the proper RC4 key.

Passwords stored using reversible encryption: how it works (part 1)

In case you missed my HAR2009 talk: in the second part I talked about a Windows feature called Store passwords using reversible encryption. When this is enabled (per user or for the entire domain), Windows stores the password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password. This feature exists because some authentication protocols require the plaintext password to function correctly; the two most common examples are HTTP Digest Authentication and CHAP.

This feature is not enabled by default, but I've seen it a couple of times in customer networks. As I couldn't find any description of how this mechanism works or any tool to recover these passwords, I decided to investigate.

When you change your password on a domain that has reversible encryption enabled, a password filter called RASSFM.DLL is used to store the password using reversible encryption. The key that is used to do this is G$MSRADIUSCHAPKEY, which is stored as a global LSA secret. This key is decrypted using a static key (hardcoded in the DLL). The result of this operation is combined with a 16-byte random value (generated every time someone changes their password) and that key is used to encrypt a Unicode version of the password using the RC4 algorithm.

I found out these passwords are stored in Active Directory in a per-user structure called userParameters. If you use a tool such as AD Explorer you can look at this structure in an AD that has enabled this feature. When you look at this structure, it looks like a binary blob, with some human-readable parts in there. When you enable reversible encryption you will notice two readable strings: G$RADIUSCHAP and G$RADIUSCHAPKEY. The userParameters can also be used to store settings unrelated to reversible encryption, such as per-user Terminal Server settings.

Following the G$RADIUSCHAP part is the ASCII hex encoded encrypted password. The part following the G$RADIUSCHAPKEY name is the 16-byte random value.

So to decrypt this password we use the following steps:
1. Take the G$MSRADIUSCHAPKEY global LSA secret
2. Decrypt it using the static key
3. Parse the userParameters structure and extract the G$RADIUSCHAP and G$RADIUSCHAPKEY values
4. Combine the value of G$RADIUSCHAPKEY (the 16-byte random) with the decrypted LSA secret to create an RC4 key
5. Decrypt the value of G$RADIUSCHAP using that RC4 key

The result is a plaintext Unicode password. My tool 'Revdump' automates this procedure.
In part two of this article, I will look at the security of this mechanism.

Posted by Niels Teusink at 7:36 PM
Labels: reversible encryption, security, vulnerability

3 comments:
Jay Benson said...
A good post, looking forward to part two. This is actually very timely, I've been asked to find out if there is some way to detect this is in use prior to disabling it.
You mention two protocols that we could monitor for, are you aware of any others, or point me to some research in that space?

Thanks!
October 5, 2009 at 5:24 PM

Bonadio said...
Hi Niels
I downloaded a compiled Revdump 0.2,
when I run it on my Windows 2008 server 32 bits it always says:
D:\revdump>revdump
RevDump 0.2 by Niels Teusink
LsaRetrievePrivateData returned 2
ERR: Cannot get LSA secret, maybe this is not a domain controller or reversible encryption is disabled?
I have enabled reversible password for just one user and changed his password.
Am I missing anything
Thanks
December 16, 2009 at 7:10 PM

Niels Teusink said...
@Jay
You could probably write a script to see which accounts have the 'Store password using reversible encryption' flag on.
@Bonadio
Yes I tried it on Windows 2008 as well recently. It doesn't seem to work, it seems Microsoft has changed some things.
January 6, 2010 at 8:16 PM
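The per-account check that Niels suggests to Jay, written out as an added example (this is not code from the post or from Revdump). It lists accounts carrying the "Store password using reversible encryption" bit in userAccountControl and reports whether the default domain policy or a fine-grained password policy turns the setting on for a wider scope; it assumes the Microsoft ActiveDirectory PowerShell module on a domain-joined host, and the bit value 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) and the LDAP bitwise-AND matching rule OID are Microsoft-defined values that do not appear in the post.

```powershell
# Added example, not code from the post or from Revdump. Assumes the
# ActiveDirectory module (RSAT) on a domain-joined host with read access to AD.
Import-Module ActiveDirectory

# userAccountControl bit ENCRYPTED_TEXT_PWD_ALLOWED (Microsoft-defined value 0x80).
$EncryptedTextPwdAllowed = 0x80

function Get-ReversibleEncryptionExposure {
    # 1. Per-account setting: LDAP bitwise-AND matching rule on userAccountControl.
    #    Note (from the post): the reversible copy is only written when the user
    #    next changes the password, so pwdLastSet shows whether that has happened
    #    since the flag was set.
    $ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$EncryptedTextPwdAllowed)"
    Get-ADUser -LDAPFilter $ldapFilter -Properties userAccountControl, pwdLastSet |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'userAccountControl'
                Scope  = $_.SamAccountName
                Detail = 'pwdLastSet=' + [DateTime]::FromFileTimeUtc($_.pwdLastSet).ToString('u')
            }
        }

    # 2. Domain-wide setting in the Default Domain Policy.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Source = 'DefaultDomainPasswordPolicy'
        Scope  = $domainPolicy.DistinguishedName
        Detail = 'ReversibleEncryptionEnabled=' + $domainPolicy.ReversibleEncryptionEnabled
    }

    # 3. Fine-grained password policies (PSOs) can enable it for groups of users.
    Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue |
        Where-Object { $_.ReversibleEncryptionEnabled } |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'FineGrainedPasswordPolicy'
                Scope  = $_.Name
                Detail = 'AppliesTo=' + ($_.AppliesTo -join ';')
            }
        }
}

Get-ReversibleEncryptionExposure | Format-Table -AutoSize
```

The first section answers Jay's question directly; the other two matter because the flag can also be set for the entire domain, as the post notes, without any individual account showing the bit.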
