lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu May 25 18:19:52 2006
From: alan.cl.wong at nokia.com (alan.cl.wong@...ia.com)
Subject: bypassing Windows Domain Group Policy Objects

Hi all,

	We needed to do this a new years back and it works. Hope it's
useful. I'm pasting a document that was written a while back so didn't
try with SP2. Does not know if it still works or not. Registry disable
as announce might not even be needed but just added in case.

Cheers,
-Alan

* The views express by me are not the views of my employer *

Permanent Hack:

Basic steps for WinXP SP1 and Win2K are:
 
1) Disable WFP (windows file protection)
2) rename gpupdate.exe (WinXP) secedit.exe (Win2K) 
3) registry disable GPO
 
Step 1) DISABLING WFP
 
a) Locate the sfc_os.dll file in your System32 folder
b) Copy it and rename it to sfc_os.bak
c) Edit the sfc_os.bak with any text editor (I used Ultraedit)
d) Locate offset 0000E3BB (E3BB hex) in the file  (WinXP)
    Locate offset 0000E2B8  (E2B8 hex) in the file (Win2K)
e) at the offset, change the hex values from 8B C6 to 90 90
f) Close and save the file
 
The file sfc_os.dll exists in 2 directories: system32 and
system32dllcache (not always)

g) copy modified sfc_os.bak to sfc_os.dll
Download a tool and install onto the system "wfpadmin".
Search google...

        run "wfadmin" and select c:\windows\system32 then
press the button "Deprotect". You can close wfadmin but do
not reboot. Afterwards copy your modified sfc_os.bak to
system32 and system32\dllcache as sfc_os.dll (replace existing)
 
h) Open regedit. Locate the key:
 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NTCurrentVersionWinlogon
 
i) Check if the SFCDisable key exists in the right pane.
Otherwise create it (Dword) and name it: SFCDisable

j) Double click the SFCDisable key and change the value data
to:   FFFFFF9D
 
Step 2) Rename gpupdate.exe  (WinXP) or secedit.exe (Win2K) 
 
a) Locate the gpupdate.exe /secedit.exe  file (under
system32) and rename it to something else.
 
Step 3) Registry disable GPO
 
a)  enter the registry (start->run "regedit")

b) locate the registry key:
      
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
 
c) Create a new DWORD and name it: disableGPO
d) set the new value to 1 to disable GPO. (NB: 0 is the
default value means GPO is enabled)
 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of ext
Exibar
Sent: Thursday, April 27, 2006 11:19 PM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] bypassing Windows Domain Group Policy Objects

I seem to recall a paper on the circumventing of Windows Domain GPO's,
but I 
can't find it anywhere.....

  anyone have any information on preventing GPO's from being applied to
a 
Domain machine?  or a link to that paper?

 thanks!
   Ex 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists