When a server group is created during the installation of Symantec Antivirus Corporate Edition, a user ID and password are also created. This password is used to gain access to Symantec System Center to manage the designated server groups, servers and client systems. The purpose of this short write-up is to describe the structure, creation and storage of Symantec Antivirus Corporate Edition 10.x passwords within a Microsoft Windows environment.
Where are the ID and password stored?
The ID and hashed password for each user are stored in the registry at location.
The stored hash “gmvmhdMEOADKxdUyoy3WrYKl+BhxQ2t18UvKtri9sc4=” is generated by combining a 4-byte salt, the user ID, the password, and the DomainGUID. These are separated by the hard-coded string “goclips”, creating the string shown below.
Note: All of this data is stored in the registry of the primary server of the associated Symantec AV server group.
Can this password be cracked?
With all of this data (ID, salt, DomainGUID and the hard-coded string) it is possible to brute force the hash and recover the password.
Even easier, if you have administrator access to the Windows primary server, it is possible to change the password using the Symantec-supplied tool IFORGOT.EXE. This tool is installed by default on any system that has Symantec System Center installed. It is located in the folder:
C:\Program Files\Symantec\Symantec System Center\Tools\
To use this tool you will need to know the primary server name, user ID and have admin access to the designated primary server.
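Because IFORGOT.EXE can change the System Center password, each launch of it is worth reviewing. The following Python detection is an added example, not part of the original write-up or of Symantec's tooling; the key="value" log format, host names, accounts and timestamps are constructed, and the severity ratings are assumptions.

```python
import ntpath
import re

# Folder and tool name as given in the write-up; matched case-insensitively.
EXPECTED_DIR = r"C:\Program Files\Symantec\Symantec System Center\Tools"
TOOL_NAME = "iforgot.exe"
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed process-creation records (format, hosts and accounts are made up).
SAMPLE_LOG = [
    r'time="2024-01-10T09:12:03Z" host="AVSRV01" user="CORP\jdoe" image="C:\Windows\System32\notepad.exe"',
    r'time="2024-01-10T09:14:41Z" host="AVSRV01" user="CORP\avadmin" image="C:\Program Files\Symantec\Symantec System Center\Tools\IFORGOT.EXE"',
    r'time="2024-01-10T23:55:10Z" host="WKS042" user="CORP\jdoe" image="C:\Users\Public\iforgot.exe"',
]

def parse_event(line):
    """Turn one key="value" record into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return an alert dict if the event is an IFORGOT.EXE launch, else None."""
    # normpath folds '/' and '..' so equivalent spellings of a path compare equal.
    image = ntpath.normpath(event.get("image", ""))
    if ntpath.basename(image).lower() != TOOL_NAME:
        return None
    expected = ntpath.dirname(image).lower() == EXPECTED_DIR.lower()
    return {
        "time": event.get("time"),
        "host": event.get("host"),
        "user": event.get("user"),
        "image": image,
        # A copy run from outside the install folder is rated higher (assumption).
        "severity": "medium" if expected else "high",
    }

def detect(lines):
    """Classify every record and keep only the alerts."""
    alerts = (classify(parse_event(line)) for line in lines)
    return [a for a in alerts if a is not None]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```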