Re: Abusing Windows 7 Recovery Process

[Alex <fd () daloo de>]

I doubt that you can use the SAM from another computer on yours. The SAM
file is encrypted. 

For further reading/information google "bkhive" and/or "samdump2". 

I still agree, that the computer is compromised once you get physical
access. If you do it via USB/CD live boot or removing the HDD doesnt
matter. 

Am 2013-07-10 23:27, schrieb some one: 

> On Jul 10, 2013 9:16 PM, "some one" <s3cret.squirell () gmail com> wrote:
> > On Jul 10, 2013 1:51 PM, "Gregory Boddin" <gregory () siwhine net> wrote:
> > > It won't.
> > >
> > > The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read 
> > > things in it.
> > >
> > > The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the 
> > > hard-drive.
> > >
> > > What you can do is : take the SAM, modify somewhere else (not a windows expert tough), re-inject and gain local 
> > > access. (which is kind of useless since local data are already available once the recovery is booted, unless 
> > > there's software you would like to run in that workstation once the password is reset).
> Oops, pressed send... Try again... 
>
> Hmm, not sure about this... 
>
> Haven't tried but lets say recovery console is running as system which can read the SAM and it lets us copy it off 
> the box to a share or usb or whatever, if we can get it off i'm guessing we can rip out the hashes for the users and 
> attempt to crack them, spray them about or whatever... 
>
> But changing one so we know the password and then putting it back, doubt this will work will it, as essentially we 
> are changing the SAM file anyway aren't we when we create a new legit user through net commands and it discards this 
> change when we reboot, or are there 2 SAM files? One in live environment which dissapears and the real one... 
>
> Pass, i will try it out again when i get 10mins..:-)
> > > On 9 July 2013 20:39, some one <s3cret.squirell () gmail com> wrote:
> > > > My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console 
> > > > session or something as once i rebooted it was gone...
> > > >
> > > > Tried it again today in a different place and same deal. Reboot no new user...
> > > >
> > > > Anyone have this working after reboot?
> > > >
> > > > Once you've inserted your payload with admin-or-better rights, it can be
> > > > anything from a rootkit that GP can't touch to a patched GP subsys that
> > > > doesn't apply AD policies. This isn't really a caveat.
> > > >
> > > >
> > > > On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
> > > > > There may be an Active Directory domain policy which only allows a
> > > > > configured set of groups/users to be admin of your workstation.
> > > > > Keep in mind domain policies are applied at startup and periodically.
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1]
> > > > Hosted and sponsored by Secunia - http://secunia.com/ [2]
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1]
> > > > Hosted and sponsored by Secunia - http://secunia.com/ [2]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1]
> Hosted and sponsored by Secunia - http://secunia.com/ [2]



Links:
------
[1] http://lists.grok.org.uk/full-disclosure-charter.html
[2] http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/