Feb 03, 2018
 

From an offline SAM hive (for example, booted into WinPE), run the commands below, reboot, and log in with a blank password.
CAREFUL: make a backup of your hive first!


OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172

See here for more details about setvaluebyteat.

000003e8 is my custom local admin account.
000001f4 (RID 500) would be the built-in Administrator account.
0xA0 (160) and 0xAC (172) are the offsets, inside the account's V value, of the LM and NTLM hash length fields: setting both to 0 effectively sets the password to blank.
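To see what the two setvaluebyteat calls actually touch, here is an added example (not code from the original post or from the OfflineReg tool) that parses the V value layout the offsets above refer to: a 0xCC-byte header of 17 entries of 12 bytes (data offset, length, unused), with the username entry at 0x0C, the LM hash entry at 0x9C and the NT hash entry at 0xA8, followed by a data area that the offsets are relative to. The sample V blob is constructed inline for the demo; the hash lengths it uses (20 bytes) are illustrative and vary between Windows versions.

```python
import struct

V_HEADER_SIZE = 0xCC          # 17 entries * 12 bytes; the data area starts here
USERNAME_ENTRY = 0x0C         # header entry for the username
LM_ENTRY = 0x9C               # LM hash entry: data offset at 0x9C, length at 0xA0
NT_ENTRY = 0xA8               # NT hash entry: data offset at 0xA8, length at 0xAC
LM_LEN_OFFSET = LM_ENTRY + 4  # 0xA0 == 160, the first setvaluebyteat offset on the page
NT_LEN_OFFSET = NT_ENTRY + 4  # 0xAC == 172, the second one


def read_entry(v, entry_offset):
    """Return (data_offset, length) of one header entry; data_offset is relative to 0xCC."""
    return struct.unpack_from("<II", v, entry_offset)


def get_username(v):
    """Username is stored as UTF-16LE in the data area."""
    off, length = read_entry(v, USERNAME_ENTRY)
    start = V_HEADER_SIZE + off
    return v[start:start + length].decode("utf-16-le")


def hash_lengths(v):
    """(LM hash length, NT hash length) as recorded in the header."""
    return read_entry(v, LM_ENTRY)[1], read_entry(v, NT_ENTRY)[1]


def blank_password(v):
    """Replicate the page's two setvaluebyteat calls: write byte 0 at offsets 160 and 172.

    Each length field is a 4-byte little-endian integer, but hash lengths never exceed
    0xFF, so zeroing the low byte alone is enough to zero the whole field.
    """
    patched = bytearray(v)
    patched[LM_LEN_OFFSET] = 0
    patched[NT_LEN_OFFSET] = 0
    return bytes(patched)


def build_sample_v(username, lm_len=20, nt_len=20):
    """Constructed V blob for the demo (not a real hive dump).

    Layout: 17 header entries, then the username and two placeholder hash blobs
    (4-byte revision header plus filler) laid out back to back in the data area.
    """
    name = username.encode("utf-16-le")
    lm = b"\x01\x00\x00\x00" + b"\xaa" * (lm_len - 4)
    nt = b"\x01\x00\x00\x00" + b"\xbb" * (nt_len - 4)
    entries = [(0, 0)] * 17
    entries[1] = (0, len(name))                    # entry at 0x0C
    entries[13] = (len(name), len(lm))             # entry at 0x9C
    entries[14] = (len(name) + len(lm), len(nt))   # entry at 0xA8
    header = b"".join(struct.pack("<III", off, ln, 0) for off, ln in entries)
    assert len(header) == V_HEADER_SIZE
    return header + name + lm + nt


if __name__ == "__main__":
    v = build_sample_v("admin")
    print("user:", get_username(v), "hash lengths before:", hash_lengths(v))
    patched = blank_password(v)
    print("user:", get_username(patched), "hash lengths after:", hash_lengths(patched))
```

Run it on a V value you exported from a backed-up hive and check that get_username returns the account you expect before you patch anything; the RID in the key name is hex, so 000003e8 is RID 1000 and 000001f4 is RID 500.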

Use the command line below to enumerate the accounts in your SAM database.


OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys

Posted at 14:45
