Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 15 Aug 2013 10:41:47 -0400
From: Rich Rumble <>
Subject: Microsoft EFS

I've made a new wiki entry after seeing a commit by Dhiru regarding
Microsoft's EFS.
I'll be adding more once more progress is made

During CMIYC'13 I was able to crack the street-team EFS pfx file
(waddles1), but I was also trying other "tricks/side channels" to see if I
could find plain-text versions of the files. EFS applied at the file level
creates (to this day) plain-text copies of the files when they are opened,
and depending on the file, like an office document there could be more than
one copy of the plain-text around on the hdd. The plain-text efs0.tmp file
is deleted when the files are closed, insecurely deleted, and it is
entirely possible to "undelete" or recover. This was not the case for the
street-team DD image, I couldn't find any of the old plain-text files :( It
could of been a limitation of my "undelete" software as well.

I've created EFS example files and folders for Dhiru and others to use in
testing and proof of concepts.
I have more to create but there is a compressed DD image on the wiki here:
It contains files and folders of various OS's (xp, vista, 2003, 2008),
patch levels as well as service pack levels; each can affect some part of
the EFS processes. There are also other tweaks inside, changing the RSA key
sizes, enabling FIPS settings would also affect the EFS files (not the cert
or key's) I saved the various profiles for the users used to create the
files as well as backed up their keys, and even dumped the SAM and SYSTEM
(registry)files in case those are useful in some way to the process.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.