I doubt that you can use the SAM from another computer on yours. The SAM file is encrypted.
For further reading/information google "bkhive" and/or "samdump2". I still agree that the computer is compromised once you get physical access. Whether you do it via USB/CD live boot or by removing the HDD doesn't matter.

On 2013-07-10 23:27, some one wrote:
> On Jul 10, 2013 9:16 PM, "some one" <[email protected]> wrote:
>>
>>
>> On Jul 10, 2013 1:51 PM, "Gregory Boddin" <[email protected]> wrote:
>> >
>> > It won't.
>> >
>> > The whole point is to have full local access to hard-drives (from a locked
>> > workstation for eg), to modify/read things in it.
>> >
>> > The loaded environment IS a live environment. I would say: almost a copy
>> > of the install CD loaded from the hard-drive.
>> >
>> > What you can do is: take the SAM, modify somewhere else (not a Windows
>> > expert though), re-inject and gain local access. (which is kind of useless
>> > since local data are already available once the recovery is booted, unless
>> > there's software you would like to run in that workstation once the
>> > password is reset).
>> >
> Oops, pressed send... Try again...
>
> Hmm, not sure about this...
>
> Haven't tried but let's say recovery console is running as system which can
> read the SAM and it lets us copy it off the box to a share or USB or
> whatever, if we can get it off I'm guessing we can rip out the hashes for the
> users and attempt to crack them, spray them about or whatever...
>
> But changing one so we know the password and then putting it back, doubt this
> will work will it, as essentially we are changing the SAM file anyway aren't
> we when we create a new legit user through net commands and it discards this
> change when we reboot, or are there 2 SAM files? One in live environment
> which disappears and the real one...
>
> Pass, I will try it out again when I get 10 mins..:-)
>>
>> >
>> > On 9 July 2013 20:39, some one <[email protected]> wrote:
>> >>
>> >> My initial thoughts after adding the user and rebooting was that it was
>> >> only valid in the recovery console session or something as once I
>> >> rebooted it was gone...
>> >>
>> >> Tried it again today in a different place and same deal. Reboot no new
>> >> user...
>> >>
>> >> Anyone have this working after reboot?
>> >>
>> >> Once you've inserted your payload with admin-or-better rights, it can be
>> >> anything from a rootkit that GP can't touch to a patched GP subsys that
>> >> doesn't apply AD policies. This isn't really a caveat.
>> >>
>> >>
>> >> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>> >> > There may be an Active Directory domain policy which only allows a
>> >> > configured set of groups/users to be admin of your workstation.
>> >> > Keep in mind domain policies are applied at startup and periodically.
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
