Obtaining Win2K Account Passwords Using Autologon
Well, while I was playing around with the Autologon feature in Win2K, I found something interesting: a malicious program can capture the password of whichever account is set for autologon. The answer lies in the Windows registry, where the password for the autologon account is stored in plaintext, i.e. unencrypted! To demonstrate this, I've coded a sample application called AutoPwd.exe which reads the plaintext password from the registry and displays it together with the user name and domain name of the account.

Win2K, like WinNT, supports autologon so that a user can log on to the system without manually typing in his/her password. This speeds up system logon and spares the user the hassle of entering his/her password every time he/she logs on. Win2K disables autologon by default, but it can be enabled with registry tweaks. I don't know if there exist other ways of managing autologon without manually editing the registry; I've searched almost all the snap-ins in MMC but didn't find any feature that manages it.

The problem is that the registry values holding the account name and password of the user are stored in cleartext, as REG_SZ values. Thus, by using the registry APIs exported from ADVAPI32.DLL such as RegOpenKeyExA and RegQueryValueExA, a malicious program can simply obtain the password for whichever user account is set for autologon. I'm not sure if this also applies to WinXP, because I tested this method on my system running Win2K Advanced Server SP3, and there it works!

The autologon feature requires that the AutoAdminLogon value be set to 1, of type REG_SZ. This value lives under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. By default it doesn't exist in Win2K, but the user can create it. Note that setting this value to 0 disables autologon. Next, three more values have to be set: DefaultDomainName, DefaultPassword and DefaultUserName. The password in the DefaultPassword value is stored in cleartext and so can be retrieved easily.
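Here is an added audit script, not part of the original article and not the author's AutoPwd.exe, that checks the Winlogon key just described from the defender's side. It reports whether AutoAdminLogon is enabled and whether a cleartext DefaultPassword value is present (reporting only its length, never the password itself), and can optionally clear the value. It assumes a Windows host with PowerShell (Win2K itself has none) on which the Winlogon key and value names are the same as described above; the -Remediate switch is my own naming.

```powershell
# Audit-AutoLogon.ps1 (added example, not from the original article)
# Checks the Winlogon key described in the article and reports whether a
# cleartext DefaultPassword is present. The password itself is never printed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # assumed switch: clear the cleartext value and disable autologon
)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Read the key; values that do not exist simply come back as $null.
$props = Get-ItemProperty -Path $keyPath -ErrorAction Stop
$autoLogon   = $props.AutoAdminLogon                                    # REG_SZ, "1" enables autologon
$hasPassword = $null -ne $props.PSObject.Properties['DefaultPassword']  # cleartext value present?

# Summary of the four values the article names, without exposing the secret.
[PSCustomObject]@{
    AutoAdminLogon    = $autoLogon
    DefaultUserName   = $props.DefaultUserName
    DefaultDomainName = $props.DefaultDomainName
    CleartextPassword = $hasPassword
    PasswordLength    = if ($hasPassword) { $props.DefaultPassword.Length } else { 0 }
} | Format-List

if ($autoLogon -eq '1' -and $hasPassword) {
    Write-Warning "Autologon is enabled and DefaultPassword is stored in cleartext under $keyPath; any process that can read HKLM can recover it."
}
elseif ($hasPassword) {
    Write-Warning "AutoAdminLogon is not '1', but a stale cleartext DefaultPassword is still present under $keyPath."
}
else {
    Write-Host 'No cleartext DefaultPassword found.'
}

# Optional clean-up: remove the secret and switch autologon off. Supports -WhatIf.
if ($Remediate -and $hasPassword) {
    if ($PSCmdlet.ShouldProcess($keyPath, 'Remove DefaultPassword and set AutoAdminLogon to 0')) {
        Remove-ItemProperty -Path $keyPath -Name 'DefaultPassword'
        Set-ItemProperty   -Path $keyPath -Name 'AutoAdminLogon' -Value '0' -Type String
        Write-Host 'Cleartext password removed and autologon disabled.'
    }
}
```

Run it from an elevated prompt as `.\Audit-AutoLogon.ps1` to audit, or `.\Audit-AutoLogon.ps1 -Remediate -WhatIf` to preview the clean-up before applying it. Reading the key needs no special rights, which is exactly the point the article makes: the same read works for any unprivileged program.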

This may look like a small flaw, but imagine an Internet worm that obtains the values of these registry entries and then uses its own SMTP engine to email the username and password of the machine back to its author. With that user name and password, if the Win2K machine is a server, the author of the worm can telnet into the system and gain full access, or simply map the C$ share of the system as Administrator. Basically, if autologon is set to the Administrator account, the person obtaining the password can do virtually anything. If it's some other user, it's still worth it, because the person can hijack that account and install keyloggers and other malicious programs under it.

That wraps up my article. Till then, see ya in my next articles to come.

Written by Benny T. http://www.ebcvg.com/