How do I crack EFS encrypted files?

Source: Internet
Author: User
Tags: ntfs, permissions

EFS (Encrypting File System) is a practical feature built into Windows 2000/XP that lets the operating system encrypt files and data stored on NTFS volumes, greatly improving the security of that data. EFS encryption is based on a public key policy: the system generates a file encryption key (FEK) and uses it with the Data Encryption Standard X (DESX) algorithm to create the encrypted file. In a domain environment the key generation relies on the domain controller; otherwise it relies on the local machine. The following walks through a worked example that explains how EFS-encrypted files can be retrieved.

The company recently recruited a number of new employees, but because its computer equipment is limited, several of them have to share one computer. For convenience, each user has a separate account so that they do not interfere with each other.

To keep others from snooping on his files, Xiao Wang put all his important documents in a folder called "Xiao Wang's Files" on drive D. He then opened the folder's Properties window, clicked the "Advanced" button on the General tab, and ticked "Encrypt contents to secure data" in the dialog that opened, so the folder is encrypted with Windows's built-in EFS. In this way, nobody except Xiao Wang himself can read the files in it. The trouble came when Xiao Wang was away for a few days and the boss asked Xiao Sun to find an important document on Xiao Wang's computer: Xiao Sun was stuck.

Just as Xiao Sun was at a loss, his colleague Xiao Li came to the rescue, neatly got past the encryption and found Xiao Wang's important document with ease. How did Xiao Li do it? Read on.

As we know, EFS (Encrypting File System) is a practical feature built into Windows XP that encrypts files and data on NTFS partitions, greatly improving the security of your data. The key to how Xiao Li gets past EFS encryption is the system's built-in "recovery agent" mechanism, which allows a designated user to read all encrypted files. Of course, this approach requires a multi-account environment, because there must be several accounts with administrator privileges on the shared computer. Xiao Wang uses the "Administrator" account, while another colleague uses the account "Hongyun", which also has administrator privileges. It is with the help of the "Hongyun" account that Xiao Li easily breaks the shackles of encryption. Xiao Li first logs on with the "Hongyun" account, then runs "cmd.exe" from Start → Run. In the CMD window he first switches to the root directory of drive C, then executes the command "cipher /r:mykey", where "mykey" is the name of the exported key file. The system then prompts for a password (Figure 1); the password Xiao Li enters is "key123456789". Of course, the password can be anything.

This creates two files in the root of drive C, with the extensions "CER" and "PFX". In this example they are "mykey.cer" and "mykey.pfx": "mykey.cer" is the public key certificate file, and "mykey.pfx" is the recovery agent's private key certificate file. Run gpedit.msc from Start → Run to open the Group Policy Editor. In the tree on the left, expand Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypting File System. Right-click it and choose "Add Data Recovery Agent" to open the wizard (Figure 2). In the Select Recovery Agents window, click the "Browse Folders" button, select the "mykey.cer" file created earlier in the file selection window, and then click "Next" to complete the operation.

In Explorer, open the "Xiao Wang's Files" folder on drive D. Open the Properties window of any file in it, click the "Advanced" button on the General tab, click the "Details" button in the Advanced Attributes window, and you will see the recovery agent you just created listed in the information window (Figure 3).

Double-click the previously generated file "mykey.pfx" to open the Certificate Import Wizard (Figure 4), click "Next", and then enter the password "key123456789" set earlier in the password window to complete the import of the certificate. Once the above steps are complete, double-click any encrypted file in the "Xiao Wang's Files" folder on drive D and its contents can be read. In this way, Xiao Li found Xiao Wang's encrypted file with almost no effort.

Tip: Although the method above can retrieve EFS-encrypted files, it does not show that Windows EFS encryption itself is weak. It depends on three conditions: a multi-account environment, several of those accounts having administrator privileges, and the Windows default encryption configuration being in use. How can this risk be eliminated? The countermeasure is to use permissions to stop other users from accessing EFS-encrypted files at all. Open the Security tab in the Properties window of the EFS-encrypted file or folder, click the "Advanced" button, open the General tab in the Advanced Security Settings window, and untick "Allow inheritable permissions from the parent to propagate to this object and all child objects". Then use the "Delete" button to remove every other account from the permission list, keeping only your own account. Once permissions are set this way, the security of the EFS-encrypted files is protected at the root.
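The permission change described in the tip, as an added PowerShell example that is not part of the original article: it breaks inheritance on an EFS-encrypted folder, removes every other account, and re-grants full control to the owner only. The folder path and account name are assumptions; run it in an elevated session on the machine holding the files.

```powershell
# Added example (not from the original article): lock down an EFS-encrypted
# folder so that only the owning account keeps NTFS access. The folder path and
# account below are assumptions for this example.
param(
    [string]$Folder  = 'D:\XiaoWangFiles',             # assumed path
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME" # the folder owner
)

# 1. Confirm the folder actually carries the EFS attribute; otherwise the
#    permission change is the only protection and the data is still plaintext.
$item = Get-Item -LiteralPath $Folder
if (-not ($item.Attributes -band [IO.FileAttributes]::Encrypted)) {
    throw "$Folder is not EFS-encrypted; encrypt it first (Properties > Advanced)."
}

# 2. Break inheritance and discard the inherited ACEs, the equivalent of
#    unticking "Allow inheritable permissions ..." in the GUI.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $false)

# 3. Drop every explicit ACE that is left, then re-grant full control to the
#    owner only; the inheritance flags push the rule down to files and subfolders.
$explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
foreach ($rule in $explicit) {
    [void]$acl.RemoveAccessRule($rule)
}
$ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ownerRule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# 4. Show the resulting ACL and, on versions of cipher.exe that support /c
#    (Vista and later), list which certificates can decrypt the folder's files,
#    which is where an unexpected recovery agent would show up.
(Get-Acl -LiteralPath $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
cipher.exe /c "$Folder\*"
```

NTFS permissions stop other logged-on users from listing or deleting the files, but an administrator can still take ownership and rewrite the ACL, which is why the article pairs permissions with EFS rather than relying on either alone.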

Introduction to EFS encryption:

1. Why did I not need to enter my password when I opened the encrypted file?

This is a characteristic of EFS encryption and the best proof of how tightly EFS is integrated with the operating system. Unlike general-purpose encryption software, EFS does not confirm the user's identity by popping up a dialog and asking for a password when you double-click a file; for EFS, user confirmation happens when you log on to Windows. Once you have logged on with the appropriate account, you can open any of that account's encrypted files without providing any additional password.

2. My encrypted files cannot be opened. Can I convert the NTFS partition to FAT32 to rescue my files?

Of course not. Many people have tried various methods, such as converting the NTFS partition to FAT32 or using tools like NTFSDOS to copy the files from DOS to a FAT32 partition, but all such attempts fail. After all, EFS is real encryption, not an ordinary permission setting, so these methods do nothing against it. And if your key is lost or was never backed up, then in the event of an accident all the encrypted data is beyond hope.

3. I encrypted data and then reinstalled the operating system, and now the encrypted data cannot be opened. Would it work if I used the same username and password as in the previous system?

That certainly will not work. As we learned earlier, the EFS key is tied to each user's SID. Although you use the same username and password in the new system, the user's SID has changed. Think of it as two people with the same name: their names match, but their fingerprints can never be the same, and a system that identifies people by fingerprint rather than by name, which is what EFS does, naturally does not recognise the newcomer.

4. Is the data encrypted by EFS absolutely safe?

Of course not; security is always relative. For example, without the appropriate key an EFS-encrypted file cannot be opened, but it can still be deleted (some people really do think: "You won't let me see it? Fine, I'll delete it, then nobody gets to see it."). So for important files the best practice is to combine NTFS permissions with EFS encryption. That way, an unauthorised user without the appropriate permissions cannot reach the protected files and folders at all, and even someone who obtains permissions (for example by reinstalling the operating system and granting themselves permissions as a new administrator in order to reach the data) still has no key to open the encrypted data.

5. I only used Ghost to restore the system, and the user account and its SID have not changed, so why can the previously encrypted files no longer be opened?

This is also normal, because the key used for EFS encryption is not generated when you create the user account but when you first encrypt a file with EFS. If you had not encrypted any files before using Ghost to create the system image, then there was no key in your system and the image does not include one. Once you encrypt files and then use Ghost to restore the system to the state when the image was created, the key needed to decrypt the files is lost. So watch out for this problem!
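Questions 3 and 5 both come down to the EFS private key being lost with the old installation. As an added example that is not part of the original article, the script below exports the current user's EFS certificate and private key to a password-protected PFX so that it can be re-imported after a reinstall or Ghost restore. It assumes PowerShell 4 or later on Windows 8 / Server 2012 or later (for Export-PfxCertificate); the backup location is an assumed path.

```powershell
# Added example (not from the original article): back up the current user's EFS
# certificate and private key to a PFX file. Assumes Export-PfxCertificate is
# available (PowerShell 4+, Windows 8 / Server 2012 or later); $outDir is an
# assumed location for this example.
$efsOid = '1.3.6.1.4.1.311.10.3.4'                    # Enhanced Key Usage OID: Encrypting File System
$outDir = Join-Path $env:USERPROFILE 'efs-key-backup' # assumed backup folder

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Find EFS certificates in the user's personal store that still carry a private key.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsOid })
}
if (-not $efsCerts) {
    # No key exists until the first file is encrypted (question 5 above).
    throw 'No EFS certificate with a private key found: nothing has been encrypted yet.'
}

# The PFX password is the only thing protecting the exported private key at rest.
$pfxPassword = Read-Host -AsSecureString 'Password for the PFX backup'

foreach ($cert in $efsCerts) {
    $file = Join-Path $outDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword | Out-Null
    Write-Output ("Exported {0} (valid until {1}) to {2}" -f $cert.Subject, $cert.NotAfter, $file)
}

# After reinstalling, restore the key on the new system with:
#   Import-PfxCertificate -FilePath <file> -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
# or by double-clicking the .pfx, exactly as the article imports mykey.pfx.
```

Move the exported PFX off the machine (removable media or another protected location) before reinstalling or restoring an image, since a copy left on the local disk disappears with the old installation; on Windows XP the same export is done interactively from certmgr.msc.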
