Windows Passwortlisten entschlüsselt
A few days ago Peter Gutmann posted a description on how Windows 95 produces RC4 keys of 32 bits size to protect the pwl files. I verified the information and wrote a program to decrypt pwl files with a known password, I then discovered that the pwl files where well suited for a known plaintext attack as the 20 first bytes are completely predictable. The 20 first bytes of any pwl files contains the username, which is the same as the filename, in capitals, padded with 0x00. From then I wrote a program to bruteforce the pwl file and optimized it so it would run in less than 24 hours on an SGI. I run a test of the bruter software and recovered an unknown rc4 key in 8 hours, but the decrypted file was still largely unintelligible. I then proceeded to decrypt the file at all possible starting points, and discovered valuable information (cleartext passwords) offset in the file. This has enormous implications: RC4 is a stream cipher, it generates a long pseudo random stream that it uses to XOR the data byte by byte. This isn't necessarily weak encryption if you don't use the same stream twice: however WIN95 does, every resource is XORed with the same pseudo random stream. What's more the 20 first bytes are easy to guess. This is easy to exploit: XOR the 20 bytes starting at position 0x208 with the user name in uppercase, and slide this string through the rest of the file (xoring it with whatever is there) this reveal the 20 first bytes of the different resources, From there I went on to study the structure of the pwl file it is something like this (decrypted):
where wp is i word pointer to the different resources (from start of pwi file) The 2 first bytes of the resource (rs) is its length in bytes (of course XOR with RC4 output) It is the fairly easy to find all the resource pointers by jumping from start of resource to next resource, had it not been for the fact that the size sometimes is incorrect (courtesy of M$) What follows is a short c program that tries to remedy this and reconstruct the pointer table thus generating at least 54 bytes of the pseudorandom stream, and then proceedes to decrypt as much as possible from the different resources. What does this show? Although RC4 is a fairly strong cipher, it has the same limitations as any XOR streamcipher, and implementing it without sufficient knowledge can have dire consequences. I strongly suggest that the programmers at Microsoft do their homework before trying anything like this again!
DISCLAIMER: This is a quick hack, I don't make any claims about usefulness for any purpose, nor do I take responsibility for use nor consequences of use of the software. FUNCOM of Norway is not responsible for any of this, (I speak for myself, and let others speak for themselves)
This source is hereby placed in the public domain, please improve if you can.
Subject: win95 and WfWg pwl files cracked
I have just tried Frank Stevensons program for cracking. pwl files. It indeed works.
With it I could obtain the plain text passwords from a Windows95 pwl file or a windows for workgroups pwl file in less than a second. I tried it on 3 different files. All were successfully decrypted.
Ibis is very bad.
It means that anyone with access to a WfWg or Win95 box that has been used to login to a samba (or NT or OS/2 etc) server can take the pwl files off the PC and use them to get valid passwords on the server.
Note that this is not directly a security hole in samba. Its a huge security hole in the way WfWg and Win95 store their passwords on disk. It equally affects networks which use NT and OS/2 server, It also affects people who just use other WfWg and Win95 machines as servers.
Also, if your WfWg and Win95 systems have not been patched to avoid the "cd J' bug and you export any shares then anyone who can attach to those shares can obtain your pwl files. It doesn't matter what directory you are exporting.
What can you do about this?
Well, if you don't care about security then just do nothing
First of all, change your router rules to disable tcpl39, udpl37 and udpl38 from entering your network from the Internet.
Secondly, disable your WfWG and Win95 boxes from saving passwords on disk when connecting to SMB servers. Can someone please post clear instructions on exactly how to do this? (preferably with how to make it permanent)
Thirdly, delete all the .pwl files on your WfWG and Win95 boxes.
There's probably more you should do. I only found out about this decryption program a few minutes ago. I imagine more advice will be forthcoming from other people on this list.