What is syskey?
Syskey is a tool that has been native to Microsoft systems since Windows 2000/XP and whose function is to add a layer of security to the system boot process. Do not confuse this tool with the Setup password, which can also be easily broken.
How does Syskey work?
Microsoft systems have a database called the SAM, where user accounts are stored. With Syskey active, this database is encrypted with a single password; that is, it does not matter whether you know the user’s password, because without the key to decrypt the SAM the system will not load and, therefore, will not even load the user accounts.
Imagine that your computer’s passwords are access cards kept inside a safe, which in turn needs a key to be opened. To access the computer you need your card, and to get it you need the key to the safe. This analogy brings out a detail: if the computer has more than one user, ALL of them will need this key, as it is unique. In addition, remember that the computer’s data is not encrypted by Syskey; it only makes it harder to access the system, and the data can still be read from another computer or OS. To encrypt your data, I advise using BitLocker.
Myths and Legends: Passwords in Windows II (Syskey)
Faced with the problem of weak local encryption of passwords (LM and NTLM), Microsoft introduced an enhancement, as a patch for Windows NT and as standard in Windows 2000 and later. The system was called “Syskey” (System key) and adds a new layer of security. Although all current Windows versions use it and keep it active, Syskey is one of the least-known features. Basically, the LM and NTLM signatures or hashes stored in the SAM are encrypted again with a master password (the System key) to try to protect them.
This is, as usual, a good idea poorly applied. In practice, the result is a security system with certain drawbacks. After reverse engineering, Microsoft’s encryption scheme for Syskey was discovered and made public, and there are ‘crack’ programs that bypass this security method without major problems. However, if Syskey is used correctly, it can practically eliminate the possibility of an “offline” attack if the hard drive is stolen, accessed by booting another operating system, etc.
Possibilities offered by Syskey
You can type ‘syskey’ (as administrator) on the command line to verify that it is active by default, usually without the user being aware of it (there is no way to disable it). If you decide to take real advantage of Syskey, you should know that it allows three different types of storage for the master password (with which the SAM is encrypted), but very few people use them.
Option 1: The Syskey password that encrypts the SAM can be stored in the registry, hidden by an obfuscation algorithm devised by Microsoft. The password is chosen by the system itself and the user does not have to know it. The algorithm that hides the master password is by no means complex and has been worked out and made public. This is the option that all Windows systems use by default.
Option 2: You can tell the system to ask for the master password when Windows starts. In this way the administrator chooses the “System key”, and both this master key and the usual user password are needed to log on. Double authentication.
Option 3: Finally, the master key can be stored on a floppy disk. Windows will not ask for it at startup; it reads it directly from the inserted floppy, and the system will not boot if the floppy is not present.
These last two options are the most secure: since the “System key” is not kept in any file, an attacker with access to the hard disk (or the SAM) would also have to somehow obtain that master password, either its value or the floppy disk that holds it. Ideal solution?
Disadvantages of Syskey
A major impediment is that if either of these last two options is enabled, the system will not bring up the network at startup until the master password has been supplied. It boots to a minimal state, without connectivity. Once the Syskey is entered, it brings up the network and asks for the ‘normal’ password. This is a problem for a server that has to be restarted remotely: we could not connect to it until someone physically entered the master password, since it would not have started, for example, Terminal Server or any other defined service.
When the master password is stored on a floppy disk, it would be possible to leave the disk in the drive so that the system reads it automatically, but although this is more convenient, it also means that if the disk is left in the drive unsupervised, no real security improvement is achieved. In addition, floppy disks are an obsolete storage medium, tending to disappear and prone to failure. However, Syskey used well is still an interesting option to consider in some scenarios, as it would raise authentication to two factors: it would require something that is known (the normal Windows password) and something that one has (the physical floppy disk), thus greatly reducing the chance of success of offline attacks and system access.
By default, Syskey comes activated with the first option. A password is chosen by the system and stored in the registry. This is not safe, since the way it is stored is public and a program can recover it.
The key under the doormat
When the password is stored in the registry (first option), it is “distributed” at different points in the registry. Windows performs permutations of this data to obfuscate it. There is a tool called bkhive that allows the recovery of the Syskey password. If this data and the SAM file are obtained, it will be possible to eliminate the security layer introduced by Syskey without problems and obtain the LM / NTLM hashes of the passwords. And for practical purposes, whoever has access to the SAM has access to that area of the registry that stores the Syskey master key. It is like installing an additional security gate in front of the house door but hiding your key under the doormat.
Therefore, even if Syskey remains active on Windows, an attacker could access the hard drive through any system (again, a “Live” Linux distribution, or by attaching the hard drive to another machine …), gain access to the SAM file, use bkhive to get the Syskey, combine both pieces of data with samdump, get the LM / NTLM hashes and finally use brute force against them. Although it seems complex, it is a process of a couple of automated steps with the appropriate programs.
But, once again, why are these LM / NTLM hashes, which Windows ultimately uses to store your passwords, so easy to break with brute force? We will see in the next installment.
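To check which of the three storage options a machine uses, and whether the offline scenario above applies to it, the following PowerShell audit can be run in an elevated session. It is an added example, not part of the original article. It relies on the SecureBoot value under the Lsa registry key and on the Get-BitLockerVolume cmdlet, neither of which the article mentions, and the function names are hypothetical.

```powershell
# Added example (not from the original article). Requires PowerShell 3.0 or later.
# The storage option is read from the SecureBoot value of the Lsa key:
# 1 = key in registry, 2 = startup password, 3 = floppy disk.
$SyskeyModes = @{
    1 = 'Option 1: system-chosen key hidden in the registry (default)'
    2 = 'Option 2: master password typed at startup'
    3 = 'Option 3: master key read from floppy at startup'
}

function Get-SyskeyMode {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsa -Name SecureBoot -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }   # value missing: mode unknown
    return [int]$prop.SecureBoot
}

function Test-SystemVolumeEncrypted {
    # The cmdlet is absent on older or Home editions; report those as unencrypted.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return $false }
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    return ($null -ne $vol -and $vol.ProtectionStatus -eq 'On')
}

function Get-OfflineExposure {
    param([int]$Mode, [bool]$Encrypted)
    $finding = if ($Encrypted) {
        'System volume is encrypted: SAM and registry are unreadable offline while the volume is locked.'
    } elseif ($Mode -in 2, 3) {
        'Master key is not on disk, so SAM hashes are protected offline; user files are still readable from another OS.'
    } elseif ($Mode -eq 1) {
        'Master key sits in the registry next to the SAM: offline disk access exposes the hashes and the files.'
    } else {
        'SecureBoot value not found: storage mode unknown, and the volume is not encrypted.'
    }
    [pscustomobject]@{
        Mode      = $Mode
        Storage   = if ($SyskeyModes.ContainsKey($Mode)) { $SyskeyModes[$Mode] } else { 'unknown' }
        Encrypted = $Encrypted
        Finding   = $finding
    }
}

# Audit the local machine.
Get-OfflineExposure -Mode (Get-SyskeyMode) -Encrypted (Test-SystemVolumeEncrypted)
```

Get-OfflineExposure takes the mode and encryption state as parameters, so the same classification can be applied to values collected from other machines.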