-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
35 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
## Overview | ||
This module changes a user's password by carving a hash in the windows registry. | ||
|
||
1. It doesn't change the "password last changed" field | ||
2. You can set a hash directly, so you can change a user's password and revert it without cracking it's hash. | ||
3. It bypasses the password complexity requirements | ||
|
||
## Module Options | ||
- **USER** - This option allows you to specify the user you wish to change the password of. | ||
- **PASS** - This option allows you to specify the password to be set in the form of a clear text password, a single NT hash, or a couple of LM:NT hashes. | ||
|
||
## Module Process | ||
Here is the process that the module follows: | ||
|
||
- Retrieves list of users from the registry. | ||
- If the user is found it attempts to: | ||
- load the user key from the registry | ||
- check if the lm and nt hashes exit in the key | ||
- replace the hashes if they exist | ||
- write they user key back into the registry | ||
|
||
## Recommandations | ||
I would recommand to use hashdump before using the module to backup the user hashes | ||
Use at your own risk. | ||
|
||
## Limitations | ||
|
||
At some point, Windows 10 stopped storing users in that exact way, users whose password was set after that change would not be vulnerable. This will be updated once someone figures how the hashes are now stored. | ||
|
||
The module does not modify the user key architecture, you cannot set a hash on a user that does not have a password. | ||
|
||
## Usage | ||
run post/windows/manage/hashcarve user=test pass=password | ||
run post/windows/manage/hashcarve user=test pass=nthash | ||
run post/windows/manage/hashcarve user=test pass=lmhash:nthash |