Date: Thu, 15 Aug 2013 10:41:47 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Microsoft EFS

I've made a new wiki entry after seeing a commit by Dhiru regarding Microsoft's EFS:
http://openwall.info/wiki/john/articles/EFS_Recovery
I'll be adding more once more progress is made.

During CMIYC'13 I was able to crack the street-team EFS pfx file (waddles1), but I was also trying other "tricks/side channels" to see if I could find plain-text versions of the files. EFS applied at the file level creates (to this day) plain-text copies of the files when they are opened, and depending on the file, like an office document, there could be more than one copy of the plain-text around on the hdd. The plain-text efs0.tmp file is deleted when the files are closed, insecurely deleted, and it is entirely possible to "undelete" or recover it. This was not the case for the street-team DD image; I couldn't find any of the old plain-text files :( It could have been a limitation of my "undelete" software as well.

I've created EFS example files and folders for Dhiru and others to use in testing and proof of concepts. I have more to create, but there is a compressed DD image on the wiki here:
http://openwall.info/wiki/john/sample-non-hashes?&#EFS-Encrypting-File-System-files-Microsoft

It contains files and folders of various OSes (xp, vista, 2003, 2008), patch levels as well as service pack levels; each can affect some part of the EFS processes. There are also other tweaks inside: changing the RSA key sizes and enabling FIPS settings would also affect the EFS files (not the cert or keys). I saved the various profiles for the users used to create the files as well as backed up their keys, and even dumped the SAM and SYSTEM (registry) files in case those are useful in some way to the process.

-rich