Module that changes a user's passwords by editing the SAM registry #7685
This module "carves" a hash in the registries to set it as a user password. The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change a user's password and revert it without cracking its hash.
I have tested it in Windows 7, and 8.1. Should work on every version though.
Usage:
run post/windows/manage/hashcarve user=test pass=<password>
run post/windows/manage/hashcarve user=test pass=<nthash>
run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>
This work is based on the hashdump implementation.
This is pretty awesome, not sure I'll have time to test soon but certainly a useful module
Testing Win7x64:
I should specify that it worked.
Also, FYI, works on 8.1x64.
Thanks for reviewing. Did it crash your box? Lsass would often crash while I was researching this but haven't had an issue with the latest version of the code.
Not at all; worked like a charm on both 7x64 and 8.1x64 no crashes, hiccups, or odd behavior. Well, it is an odd sensation logging into Windows with just the character 'x'....
Cool. Was confused by your test as the session died.
heh..... nope. That was me rebooting the VM to see if the changes would persist/flag anything. Just too lazy to exit first.
Release Notes
The hashcarve module is now available in the framework. You can use it to change a user's password by carving a hash in the Windows registry.
Overview
This module changes a user's password by carving a hash in the Windows registry.
Module Options
Module Process
Here is the process that the module follows:
Recommendations
I would recommend using hashdump before using the module to back up the user hashes.
Use at your own risk.
Limitations
At some point, Windows 10 stopped storing users in that exact way; users whose password was set after that change would not be vulnerable. This will be updated once someone figures out how the hashes are now stored.
The module does not modify the user key architecture; you cannot set a hash on a user that does not have a password.
Usage