During security assessments (internal penetration tests or Windows client hardening) at our customers, we often find configuration files with a content resembling:
UserName = COMPANY\service_user
Password = S0mE+b4sE/64==
Against security best practices, service accounts often have more privileges than what they really need or have different policies applied to them than a user account. This makes them interesting targets for attackers.
Several antivirus rely on obfuscation to store passwords:
Case study: Sophos AutoUpdate
Sophos AutoUpdate is part of the Sophos Endpoint Security and Control solution. It is responsible for connecting to a network share or web server and downloading the latest virus signatures.
According to Sophos, the so-called Sophos Update Manager account should not be and administrative account and should only have read and execute rights on the target resource.
However, in real-life situations, Compass analysts find that such accounts have often too many rights. Hence, it might be interesting to reverse the obfuscated string and recover the password in order impersonate this user.
Is the password secure?
The configuration of the Sophos AutoUpdate tool is located under C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg:
AllowLocalConfig = 0
UserName = COMPANY\sophos_admin
ConnectionType = UNC
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0
A clever hacker could use search engines in order to find such files online…
A Sophos Moderator mention on the Sophos Community forums:
iconn.cfg contains the credentials for accessing the update share. By default this is the so-called Sophos Update Manager account that has limited rights.
the term for the method used is obfuscation, it is of course reversible and just for hiding the credentials from prying eyes.
there is no secure method of storing data (password, key, whatever) needed to authenticate against a service/server.
Deobfuscating the password
First solution: debug the program
By looking for the string “UserPassword” in our favorite debugger, we find many occurences and add debug points:
After a few steps in the debugger, the deobfuscated password appears:
Time needed: minutes to hours
Second solution: decompile and reverse the algorithm
Using the knowledge acquired through our debugging, we know where to look for the decryption code. We use NSA’s decompiler Ghidra and identify the portion of the machine code responsible for deobfuscation:
The decompiler’s view of Ghidra provides us with a nice code:
We just need to extract some constants from the program and in some 80 lines of python code, we can reproduce the behaviour of the deobfuscation successfully:
Time needed: hours to days
- Apply the least privilege password to service accounts
- Security through obscurity is not a good solution, obfuscation is no exception
Do you have any plans to publish the python script you developed for this? I’m sure there are plenty of people on both the sysadmin and pentest side who’d find it very useful.
Unfortunately we wont be releasing the code.
This reversing was part of an assessment with a client and we don’t have rights on the software ☹
However, it’s fairly easy to reproduce the steps mentioned in the article! Give it a try if you encounter this during a pentest and don’t hesitate to come back to me if anything is unclear.
just google it:
Yes, another tool to deobfuscate passwords of Sophos Enterprise Console is mentioned in the article.
As far as I remember the passwords for Sophos Auto Update are in a different format and can’t be decrypted using the tool you linked or the one in the article.
Thanks for the link anyway.