Symantec Antivirus Corporate Edition Passwords
When a server group is created during the installation of Symantec Antivirus Corporate Edition, a user ID and password are also created. This password is used to gain access to Symantec System Center to manage the designated server groups, servers and client systems. The purpose of this short write-up is to describe the structure, creation and storage of Symantec Antivirus Corporate Edition 10.x passwords within a Microsoft Windows environment.
Where are the ID and password stored?
The ID and hashed password for each user are stored in the registry at the following location.
[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Accounts]
The format is:
"user-admin-p"="AkI4gmvmhdMEOADKxdUyoy3WrYKl+BhxQ2t18UvKtri9sc4="
How is this hash generated?
The stored hash "gmvmhdMEOADKxdUyoy3WrYKl+BhxQ2t18UvKtri9sc4=" is generated by combining a 4-byte salt, the user ID, the DomainGUID and the password (the salt appears at both ends). These components are separated by the hard-coded string "goclips", creating the string shown below.
goclipsAkI4goclipsadmingoclips201f137ec971224c85bed9a8e5172c21goclipstesttestgoclipsAkI4goclips
This string is then hashed using SHA256. The resulting hash is base64 encoded and stored in the registry, with the 4-byte salt prepended to the registry entry.
[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Accounts]
"user-admin-p"="AkI4gmvmhdMEOADKxdUyoy3WrYKl+BhxQ2t18UvKtri9sc4="
What is the DomainGUID and where is it stored?
The other key part of the string is the DomainGUID, which is created when the server group is created. The DomainGUID is located in the registry at:
[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion]
"DomainGUID"=hex:20,1f,13,7e,c9,71,22,4c,85,be,d9,a8,e5,17,2c,21
Note: All of this data is stored in the registry of the primary server of the associated Symantec AV server group.
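The construction described in the two sections above (salt, user ID, DomainGUID and password joined by "goclips", SHA256 hashed, base64 encoded and prefixed with the salt), written out as an added Python example that is not part of the original write-up. It parses the two registry values, rebuilds the hashed string from the page's sample data, and offers a verification function an administrator could use to check whether a server group still uses a known or default password. It assumes the string is hashed as ASCII bytes and that the DomainGUID is rendered in the byte order shown in the registry export; both are assumptions drawn from the sample string, not confirmed elsewhere.

```python
import base64
import hashlib
import hmac

SEP = "goclips"  # hard-coded separator described in the write-up

# Sample values copied from the write-up's registry excerpts
STORED_VALUE = "AkI4gmvmhdMEOADKxdUyoy3WrYKl+BhxQ2t18UvKtri9sc4="
DOMAIN_GUID_REG = "hex:20,1f,13,7e,c9,71,22,4c,85,be,d9,a8,e5,17,2c,21"


def parse_reg_hex(value: str) -> bytes:
    """Parse a REG_BINARY value as exported by regedit ('hex:20,1f,...')."""
    if value.startswith("hex:"):
        value = value[4:]
    return bytes.fromhex("".join(part.strip() for part in value.split(",")))


def split_stored_value(stored: str) -> tuple:
    """Split a 'user-<id>-p' value into its 4-char salt and 44-char base64 hash."""
    if len(stored) != 48:
        raise ValueError("expected a 4-character salt followed by 44 base64 characters")
    return stored[:4], stored[4:]


def build_hash_input(salt: str, user_id: str, domain_guid: bytes, password: str) -> str:
    """Rebuild the pre-hash string: SEP salt SEP user SEP guid-hex SEP password SEP salt SEP."""
    parts = [salt, user_id, domain_guid.hex(), password, salt]
    return SEP + SEP.join(parts) + SEP


def compute_stored_value(salt: str, user_id: str, domain_guid: bytes, password: str) -> str:
    """Return the registry representation: salt + base64(SHA256(input string))."""
    # Assumption: the string is hashed as its ASCII bytes.
    digest = hashlib.sha256(build_hash_input(salt, user_id, domain_guid, password).encode("ascii")).digest()
    return salt + base64.b64encode(digest).decode("ascii")


def password_matches(stored: str, user_id: str, domain_guid: bytes, candidate: str) -> bool:
    """True if `candidate` reproduces the stored value (salt is taken from the stored value)."""
    salt, _ = split_stored_value(stored)
    recomputed = compute_stored_value(salt, user_id, domain_guid, candidate)
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    guid = parse_reg_hex(DOMAIN_GUID_REG)
    print(build_hash_input("AkI4", "admin", guid, "testtest"))
    # True only if the write-up's sample values are self-consistent under the assumptions above
    print(password_matches(STORED_VALUE, "admin", guid, "testtest"))
```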
Can this password be cracked?
With all of this data (ID, salt, DomainGUID and the hard-coded string) it is possible to brute force the hash and recover the password.
But even easier: if you have administrator access to the Windows primary server it is possible to change the password using the Symantec-supplied tool IFORGOT.EXE. This tool is installed by default on any system that has Symantec System Center installed. It is located in the folder:
C:\Program Files\Symantec\Symantec System Center\Tools\
To use this tool you will need to know the primary server name and the user ID, and have admin access to the designated primary server.
Colour code reference (the components were colour-coded in the original): hard-coded string, 4-byte random salt, user ID, password, DomainGUID, base64 of SHA256 hash.