
Re: [Full-disclosure] Abusing Windows 7 Recovery Process




I doubt that you can use the SAM from another computer on yours. The SAM
file is encrypted. 

For further reading/information google "bkhive" and/or "samdump2". 

I still agree that the computer is compromised once you get physical
access. Whether you do it via USB/CD live boot or by removing the HDD doesn't
matter.

On 2013-07-10 23:27, some one wrote:

> On Jul 10, 2013 9:16 PM, "some one" <s3cret.squirell@xxxxxxxxx> wrote:
>>
>>
>> On Jul 10, 2013 1:51 PM, "Gregory Boddin" <gregory@xxxxxxxxxxx> wrote:
>> >
>> > It won't.
>> >
>> > The whole point is to have full local access to hard-drives (from a locked 
>> > workstation for eg), to modify/read things in it.
>> >
>> > The loaded environment IS a live environment. I would say: almost a copy 
>> > of the install CD loaded from the hard-drive.
>> >
>> > What you can do is: take the SAM, modify it somewhere else (not a Windows 
>> > expert though), re-inject it and gain local access (which is kind of useless, 
>> > since local data are already available once the recovery is booted, unless 
>> > there's software you would like to run on that workstation once the 
>> > password is reset).
>>
> Oops, pressed send... Try again... 
> 
> Hmm, not sure about this... 
> 
> Haven't tried, but let's say the recovery console is running as SYSTEM, which can 
> read the SAM and lets us copy it off the box to a share or USB or 
> whatever. If we can get it off, I'm guessing we can rip out the hashes for the 
> users and attempt to crack them, spray them about or whatever... 
> 
> But changing one so we know the password and then putting it back, doubt this 
> will work, will it, as essentially we are changing the SAM file anyway, aren't 
> we, when we create a new legit user through net commands, and it discards this 
> change when we reboot? Or are there 2 SAM files? One in the live environment 
> which disappears and the real one... 
> 
> Pass, I will try it out again when I get 10 mins..:-)
>>
>> >
>> > On 9 July 2013 20:39, some one <s3cret.squirell@xxxxxxxxx> wrote:
>> >>
>> >> My initial thoughts after adding the user and rebooting was that it was 
>> >> only valid in the recovery console session or something, as once I 
>> >> rebooted it was gone...
>> >>
>> >> Tried it again today in a different place and same deal. Reboot no new 
>> >> user...
>> >>
>> >> Anyone have this working after reboot?
>> >>
>> >> Once you've inserted your payload with admin-or-better rights, it can be
>> >> anything from a rootkit that GP can't touch to a patched GP subsys that
>> >> doesn't apply AD policies. This isn't really a caveat.
>> >>
>> >>
>> >> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>> >> > There may be an Active Directory domain policy which only allows a
>> >> > configured set of groups/users to be admin of your workstation.
>> >> > Keep in mind domain policies are applied at startup and periodically.
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> >
>> > 
> 