Friday 23 May 2008

SKCLONE - Like PWDUMP or COPYPWD but works on 64 bit

An anonymous author sent me the source to a tool to clone SysKey information from Windows 2000, XP, and 2003 and read and write password hashes to live windows systems, called SKCLONE.

The file is available for download here, and the README is quoted below.


SKCLONE - Like PWDUMP or COPYPWD but works on 64 bit.

(The 32bit exe works on 64 bit. How about that?)

THERE IS NO WARRANTY.

THIS PROGRAM:
* MAY TRASH YOUR SYSTEM.
* MAY CAUSE PROBLEMS WHICH CANNOT BE FIXED.
* RELIES ON ASSUMPTIONS WHICH MAY NOT ALWAYS BE TRUE.
* MAY NOT BE FIT FOR YOUR PURPOSE (OR ANY PURPOSE).
* IS NOT OF MERCHANTABLE QUALITY.
* IS NOT FIT TO BE SOLD.

USE AT YOUR OWN RISK.!!!!

IF YOUR JURISDICTION DOES NOT GIVE EFFECT TO THESE
DISCLAIMERS YOU MAY NOT USE THE PROGRAM.

YOU HAVE BEEN WARNED!

Overview
========

SKCLONE: Clone SysKey information from Windows 2000, XP, and 2003.
Read and write password hashes to live systems.
MUST run under the SYSTEM account. HINT: Use the AT command.
SKCLONE is free software.

Permission is granted
* to copy, distribute and use
* and make derived works
* provided attribution is given:

Copyright 2008 By Anonymous

Thanks to clark@hushmail.com for
http://beginningtoseethelight.org/ntsecurity

Thanks to Nicola Cuomo - ncuomo@studenti.unina.it for
samdump2 and bkreg, consulted for information on how syskey is stored and used.

Purpose and History
===================

SKCLONE was written because copypwd did not work on 64-bit Windows at the time of writing, and I needed to move a large number of local user accounts from a 32-bit installation to a 64-bit installation.

The intention was originally to clone the SysKey from a 64 bit windows to a 32 bit windows so I could use copypwd to copy the hashes to the 32bit windows, then just copy the syskey’d hashes to the 64bit windows. That’s because clark@hushmail.com had a page explaining where the syskey was stored, but not how it was used. Hence the functionality for exporting syskey and syskey’d hashes.

I then found out that Nicola Cuomo has worked out how to use SysKey to decrypt the hashes extracted from NTBACKUP system state, knowledge Nicola generously embodied in BKREG and SAMDUMP2.

Since I had already written the code for decoding the SAM user V record, it was simple to duplicate the SysKey decrypting function using CryptoAPI.

It was also simple to make the process go both ways. These functions are embodied in SysKeyRead, SysKeyGetBootKey and SysKeyCrypt. It was also simple to make the function GetSetSamUserPwHash both read and write.

So I never got around to finishing the code for importing the SysKey data. (You just have to recreate the four keys under LSA with new Class values).

SysKey cloning could still be useful though — just not sure for what!


How to Use
==========

SKCLONE uses the registry APIs to read and write the SAM values directly. It MUST be run under the SYSTEM account, since only SYSTEM has access to HKLM\SECURITY\SAM.

Only writes to STDOUT. It is STRONGLY recommended that you pipe this straight into GPG or similar.

The easiest way to do this by hand on a local machine is with the AT command. Say it is 11:30; enter this in a command window:

    at 11:32 /interactive cmd.exe

At 11:32 a command prompt will appear running as SYSTEM. You can run SKCLONE from this prompt. Interestingly you can run RegEdit.exe from this prompt and browse the SAM, which is what I did.

The simplest way to do it remotely is to use Remote Desktop with the "connect to console:1" option, then you can just use the method above.

The simplest way to do this from script is:
* Copy skclone.exe to \\MACHINE\admin$\skclone.exe
* Schedule a task on the remote machine as the SYSTEM account.
  You don’t have to set a schedule, just create the task.
* Start the task, and wait for it to finish by polling its status.
  It is pretty quick (almost instant, generally).
* Copy off the file; hopefully you took advice and encrypted it with GPG. Otherwise, you should ensure it went to a directory readable only by the Administrators group and SYSTEM.
* Delete the file from the remote server. Should use SDELETE or similar.
* You are done.


When importing passwords, it will NOT:
* Set the Administrator password, or any account with RID < 1000.
* Set any password which is blank. But you can use PRESETPW to set these to a random password first.


Options
=======

Usage:

    skclone [OPTIONS] COMMAND [argument]

Options are

/DEBUG      executes a debug breakpoint immediately (so you can attach a debugger).
/VERBOSE    Prints more rubbish.

skclone IMPORTPWDUMP
    Imports pwdump style passwords directly into registry.
    INFO: A Password must already exist. Use PRESETPW to set a random one.
    WARNING: Invalidates ALL user’s protected data.
    WARNING: LSA Secrets, EFS files, CryptoAPI secret keys etc.

skclone EXPORTPWDUMP
    Dumps pwdump style passwords directly from the registry.
    INFO: Will not set null passwords. Set a random password first.

skclone USAGE
    More options will be shown.

skclone SETPW <USERNAME:PWDUMPHASHES>
    Same as IMPORTPWDUMP, but just does the one from the command line.
    Will not overwrite a null password. Use NET USER <username> <password> to set one first.

skclone PRESETPW
    Reads list of usernames (or username:hashes) and sets a random password for those with no password. Ignores those with one, and RID < 1000.
    This is here because IMPORTPWDUMP requires that a password already exists.

skclone CLEARPW [accountName]
    Clears user’s password. Will clear RID < 1000.
    WARNING: Invalidates ALL user’s protected data.
    WARNING: LSA Secrets, EFS files, CryptoAPI secret keys etc.

skclone REPORTPW
    Lists accounts with clear passwords.

Compile without #define SIMPLEONLY for more options.


Useful Functions
================

These functions could be usefully put into a library of some sort.

SysKeyRead reads syskey values from the live SAM into a SK_DATA struct.

SysKeyWrite DOES NOT WORK. DO NOT USE IT.

SysKeyGetBootKey derives the bootkey from SK_DATA. This is not used for anything in the program, but duplicates the functionality of BKREG.

SysKeyDerive derives the intermediate key from SK_DATA.

SysKeyCrypt uses the intermediate key to encrypt or decrypt LM or NT hashes.

GetSetSamUserPwHash reads or writes SysKey encrypted NT or LM hashes. Use SysKeyCrypt to convert these to/from PWDUMP/L0pht hashes. Takes an open key to the SAM or a copy of it with KEY_READ access.

GetSamUserRid is a utility function which uses OpenSamUserRidKey to look up the RID of a user. Takes an open key to the SAM or a copy of it with KEY_READ access.


Bugs and Limitations
====================

SKCLONE cannot clone the SysKey. DON’T TRY, YOU WILL BREAK YOUR SYSTEM.

For good measure, the standard build does not include SysKey import/export functions, just PWDUMP/COPYPWD hash dumping and loading, plus a couple of utilities.

IMPORTPWDUMP will not overwrite a null password. However, PRESETPW using the same input file will ensure that all accounts have passwords by setting a random one where none exists.

IMPORTPWDUMP will not set an LM hash where none exists. If there exists an NT hash but no LM hash, the NT hash will be set but the LM hash will not. This shouldn’t hurt you — only very old OS require LM hashes. If this is a problem, changing the user’s password manually will usually set an LM hash.

REPORTPW will only list accounts with a null password (as opposed to a zero-length password). This is generally accounts which have never had a password, or have been cleared with CLEARPW.

The SysKeyWrite function does not work! It does not write the boot key information. It also writes some values which have nothing to do with syskey — I think they have something to do with LSA Secrets but I am not sure what.

For SysKey the relevant values are account_f, which is 0x30 bytes from offset 0x70 under HKLM\SECURITY\SAM\Domains\Account\F, and the lsa_xxx_class values, which are the classes from four keys under HKLM\SYSTEM\ControlSet001\Control\Lsa.

See RegQueryInfoKey to learn about classes. They can’t be changed once set; you have to delete the key and recreate it.

Really want a better name since we can’t actually clone the SysKey. Maybe copypw64? Or pwdump7? Or copysam?

That’s all folks.
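The remote procedure in the README's "How to Use" section (a task scheduled as SYSTEM, a binary staged through the admin$ share, an interactive cmd.exe created with AT) is also exactly what a defender should be watching for in the Security log. The following Python is an added detection example; it is not part of the README or of SKCLONE. It assumes events have already been normalised into the simplified Event record shown (Windows event IDs 4698 and 4688 are real, but the field names are this example's own, not the Windows event XML schema), and it runs over constructed sample events.

```python
"""Added detection example (not SKCLONE code): flag scheduled tasks and
processes that look like the README's remote hash-dump procedure.

Assumptions: events have already been normalised into the simplified Event
record below. Event IDs 4698 (task created) and 4688 (process created) are
real Windows Security log IDs, but the field layout is this example's own,
not the Windows event XML schema. All sample events are constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    event_id: int              # 4698 = scheduled task created, 4688 = process created
    host: str
    subject_user: str          # account the task or process runs as
    command: str               # scheduled command or new process command line
    task_name: str = ""        # only meaningful for 4698
    interactive: bool = False  # AT /interactive flag, only meaningful for 4698


# Tool names mentioned on the page (skclone, pwdump, copypwd); \d* catches pwdump7 etc.
TOOL_NAME = re.compile(r"\b(skclone|pwdump\d*|copypwd)(\.exe)?\b", re.I)
# \\MACHINE\admin$\... : a binary staged through the administrative share
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\admin\$\\", re.I)
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}


def runs_as_system(user: str) -> bool:
    return user.upper() in SYSTEM_ACCOUNTS


def classify(ev: Event) -> Dict:
    """Return an alert dict for a suspicious event, or {} if nothing matched."""
    reasons: List[str] = []
    if TOOL_NAME.search(ev.command):
        reasons.append("hash-dump tool name in command line")
    if ADMIN_SHARE.search(ev.command):
        reasons.append("executable staged through the admin$ share")
    if (ev.event_id == 4698 and runs_as_system(ev.subject_user)
            and ev.interactive and "cmd.exe" in ev.command.lower()):
        reasons.append("interactive cmd.exe scheduled as SYSTEM")
    if not reasons:
        return {}
    # A known tool name is high confidence; staging through admin$ or a SYSTEM
    # shell on its own is only medium, because administrators legitimately do both.
    severity = "high" if reasons[0].startswith("hash-dump") else "medium"
    return {"host": ev.host, "user": ev.subject_user, "event_id": ev.event_id,
            "severity": severity, "reasons": reasons}


def detect(events: List[Event]) -> List[Dict]:
    """Run classify() over a batch and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events covering the README's two usage patterns plus
# two benign events that must not alert.
SAMPLE_EVENTS = [
    Event(4698, "WS01", "SYSTEM", "cmd.exe", task_name="At1", interactive=True),
    Event(4688, "WS01", "SYSTEM", r"C:\Windows\Temp\skclone.exe EXPORTPWDUMP"),
    Event(4688, "WS01", "SYSTEM", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    Event(4698, "FS01", r"CORP\svc-deploy",
          r"\\FS01\admin$\skclone.exe EXPORTPWDUMP", task_name="deploy"),
    Event(4688, "WS02", r"CORP\alice", r"C:\Windows\notepad.exe"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']} "
              f"(event {alert['event_id']}): " + "; ".join(alert["reasons"]))
```

Running the block prints one medium alert for the AT-created interactive SYSTEM shell and two high alerts for the skclone executions; the svchost and notepad events stay silent. The tool-name pattern is deliberately the weakest part of the rule (a renamed binary defeats it), which is why the SYSTEM-shell and admin$-staging checks exist as behavioural backstops.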