Posted by on December 11, 2006, 3:10 pm
On Fr 20 May 2005 I wrote the post quoted at the end of this article
asking for advice on how to avoid my password showing up in plain text by
dumping the LSA Secrets with Cain. Some days ago I got the following
e-mail:
-----------
Hi Clavigo I just went through a year'n'half old posting of yours 20 mins
ago. I guess you've already solved your problem with the LSASS caching
your admin password in plain text.
I was making some tests with LSADump2 and I found out that my admin pass
was shown too, together with my RasDial account information/password.
I launched RegEdit with system privileges to delete the old ras account
password still cached (now it shows up as empty) and I made some
tests on the DefaultPassword key. If I set "pippo" as autologon
password in WinXPH_SP2 then LSADump shows me "pippo" in that key.
Therefore I think that your problem might be the same: did you try to
set a fake password in the autologon and launch caino again? There is
no evidence of my admin pass in any other secrets dumped.
Since your post is very old, if your dog is no longer with us ;))) just
trash this email.
CiaO! Alberto
-----------
Well, actually I did not solve the problem but since it did not arise
on other computers, I thought that this had been a security flaw not
reproducible by me.
However, yesterday on a new XP SP2 notebook (all available XP patches
installed) that problem reappeared SHOWING MY REAL PASSWORD after
installing a bunch of software. Unfortunately I'm not sure what piece
of sh* triggered that behaviour because I checked with Cain too late to
catch the bastard.
Following Alberto's advice I solved the problem with XP Powertoys /
TweakUI by writing "blablabla" into the password field of the autologon
section even though I never used autologon on that or any other
computer before. Now Cain dumps "blablabla" instead of my real
password.
Thank you Alberto for answering such an old post by e-mail and saving
me sleepless nights again!
Clavigo
Original post dated 2005-05-20
--------------------------------------------
I run Windows XP SP1 on a single user notebook (no domain account).
Recently I did a few security checks and was shocked about Cain
(www.oxid.it/cain.html) showing me the plain text of my top secret
password which I only use on that notebook.
After a couple of hours of google research and sysinternals-diagnostics
I found that LSASS writes the following registry keys whenever I change
my password:
HKLM\Security\Policy\Secrets\DefaultPassword\CurrVal
HKLM\Security\Policy\Secrets\DefaultPassword\CupdTime
HKLM\Security\Policy\Secrets\DefaultPassword\OldVal
HKLM\Security\Policy\Secrets\DefaultPassword\OupdTime
I swear that autologon, which could be a reason for storing the
password, was never enabled.
Removing DefaultPassword and several other registry keys under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon such as
AltDefaultUserName
DefaultUserName
and setting restrictive security options, e.g., not showing the name of
the last user who logged in did not help. All these keys were created
again, together with DefaultPassword.
Now I'm stuck. I do not want to have my password in decryptable form
anywhere in the system, neither in the registry nor in any kind of
"protected" storage.
As soon as I type in my password the system should hash it and forget
it.
Any pointers on how to get rid of
HKLM\Security\Policy\Secrets\DefaultPassword (beware this is not
DefaultPassword under Winlogon)?
Thank you
Clavigo
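
An added example, not part of the original post or the quoted e-mail: a PowerShell check that reports whether the Winlogon autologon values and the DefaultPassword LSA secret named in the thread exist, without printing any password. AutoAdminLogon is the standard Winlogon autologon switch and is not mentioned in the post; the LSA secret result is meaningful only when the script runs as SYSTEM, since HKLM\SECURITY is normally restricted to that account.

```powershell
# Added audit example: reports where autologon credentials may be stored.
# It never prints a password, only whether one is present.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# AutoAdminLogon is an assumption added here; the other names come from the post.
$names = 'AutoAdminLogon', 'DefaultUserName', 'AltDefaultUserName', 'DefaultPassword'

$props = Get-ItemProperty -Path $winlogon
foreach ($name in $names) {
    $value = $props.$name
    if ($null -eq $value) {
        $state = 'absent'
    } elseif ($name -eq 'DefaultPassword') {
        # Report presence only; the stored value is withheld.
        $state = 'PRESENT (value withheld)'
    } else {
        $state = "present: $value"
    }
    'Winlogon {0,-20} {1}' -f $name, $state
}

# The LSA secret from the post (distinct from the Winlogon value above).
$secret = 'SECURITY\Policy\Secrets\DefaultPassword'
try {
    # Read-only open: returns $null when the key does not exist.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($secret)
    if ($null -eq $key) {
        'LSA secret DefaultPassword: absent'
    } else {
        # CurrVal and OldVal are the subkeys listed in the post.
        $subkeys = $key.GetSubKeyNames() -join ', '
        $key.Close()
        "LSA secret DefaultPassword: PRESENT (subkeys: $subkeys)"
    }
} catch {
    # Non-SYSTEM accounts are normally denied access to HKLM\SECURITY.
    "LSA secret DefaultPassword: could not be read ($($_.Exception.Message))"
}
```

Running it before and after a password change, or after installing new software, shows whether the secret has been recreated.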