Open Source and information security mailing list archives
 
Date: Mon, 8 Jul 2013 16:31:10 -0400
From: Chris Arg <grkcharge@...il.com>
To: some one <s3cret.squirell@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Abusing Windows 7 Recovery Process

I ran into the same "issue". I believe that the recovery environment is the
equivalent of booting into a windows live image. When you run the net user
command and add a user you are actually modifying the live image and not
your install.


On Mon, Jul 8, 2013 at 3:47 PM, some one <s3cret.squirell@...il.com> wrote:

> Errrr
>
> The user wasn't there never mind him being admin...
>
> I'll test this out again when I next do a Win7 review on a job
> On 8 Jul 2013 11:39, "Fabien DUCHENE" <f.duchene@...-online.fr> wrote:
>
>> There may be an Active Directory domain policy which only allows a
>> configured set of groups/users to be admin of your workstation.
>> Keep in mind domain policies are applied at startup and periodically.
>>
>> > Message: 1
>> > Date: Mon, 1 Jul 2013 15:16:45 +0100
>> > From: some one <s3cret.squirell@...il.com>
>> > To: full-disclosure@...ts.grok.org.uk
>> > Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
>> > Message-ID: <CA+1kKf460FE0uo7ps780N3f=gFh8G=i0+o1yR5w1uPocZUbVwg@...l.gmail.com>
>> > Content-Type: text/plain; charset="iso-8859-1"
>> >
>> > I tried this out onsite today. Got the cmd.exe as described and added a
>> > user into the local admin group... Restart the box, try and log in as the
>> > new user, and it isn't there...
>> >
>> > Logged in as a legit admin and ran net users and no mention of my created
>> > account... Weird...
>> > On Jun 30, 2013 10:54 AM, "Cool Hand Luke" <coolhandluke@...lhandluke.org>
>> > wrote:
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA512
>> >>
>> >> On 06/29, Grandma Eubanks wrote:
>> >> > However, I think this is still interesting. It's been a while since I've
>> >> > played with Windows boxes and won't have access to one for a couple of
>> >> > days, but isn't this triggering off of vendor-supplied recovery partitions?
>> >> > This is a regular Windows 7 sole-partition box you tried this on?
>> >>
>> >> From a first look, I don't think a vendor-supplied recovery partition is
>> >> necessary. It appears that it would also be possible if the "system
>> >> restore" setting was enabled (but don't quote me on that).
>> >>
>> >> I'm not sure how likely that is in your average large, corporate
>> >> environment. The ones I've seen have system restore disabled and opt to
>> >> reimage systems instead when issues occur. I'm sure there are some
>> >> environments where this could be useful, however.
>> >>
>> >> - -chl
>> >>
>> >> - --
>> >> cool hand luke
>> >>
>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
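Added example, not part of this thread or of any poster's method: a batch script run from the cmd.exe obtained in the Windows 7 recovery environment that makes the "live image" explanation checkable. WinPE/WinRE boots its boot.wim as a RAM-backed X: volume and marks the session with the HKLM\SYSTEM\CurrentControlSet\Control\MiniNT key, so a `net user /add` issued there lands in X:\Windows\System32\config\SAM and is gone at reboot. The script reports which SAM the shell's `net user` would touch, lists other volumes that carry an installed Windows (whose SAM is the one that persists), and, given a drive letter, loads that offline SAM read-only and lists its account names so you can confirm whether the account you created is really there. Assumptions: the drive letters probed are C through H, the hive mount name OfflineSAM and the script name are arbitrary, and reading SAM\Domains needs SYSTEM, which the recovery shell already runs as.

```batch
@echo off
setlocal
rem recovery-shell-check.cmd (added example; not from the thread)
rem Usage from the WinRE command prompt:
rem   recovery-shell-check.cmd        -> where am I, which SAM does "net user" edit
rem   recovery-shell-check.cmd D      -> also list account names in D:\Windows\System32\config\SAM
rem Assumptions: drive letters C..H are probed; OfflineSAM is an arbitrary hive mount name.

echo SystemDrive of this shell: %SystemDrive%
rem WinPE/WinRE sessions carry the MiniNT control key; an installed Windows does not.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" >nul 2>&1
if %errorlevel%==0 (
    echo This is a WinPE/WinRE session: "net user" edits %SystemDrive%\Windows\System32\config\SAM,
    echo which belongs to the RAM-loaded recovery image and is discarded at reboot.
) else (
    echo Not a WinPE/WinRE session: "net user" edits the installed system's SAM.
)

echo.
echo Volumes holding an offline Windows installation (the SAM that survives a reboot):
for %%d in (C D E F G H) do (
    if /i not "%%d:"=="%SystemDrive%" (
        if exist "%%d:\Windows\System32\config\SAM" echo   %%d:\Windows\System32\config\SAM
    )
)

rem Optional: a drive letter argument (letter only, no colon) selects an offline SAM to inspect.
if "%~1"=="" goto :eof
set "HIVE=%~1:\Windows\System32\config\SAM"
if not exist "%HIVE%" (
    echo No SAM hive at %HIVE%
    goto :eof
)
rem Mount the offline hive under a temporary key; reg query only reads it.
reg load HKLM\OfflineSAM "%HIVE%" >nul 2>&1 || (
    echo Could not load %HIVE% ^(hive locked or already in use?^)
    goto :eof
)
echo Account names in %HIVE%:
rem Each subkey of ...\Users\Names is one local account in that SAM.
reg query HKLM\OfflineSAM\SAM\Domains\Account\Users\Names
reg unload HKLM\OfflineSAM >nul 2>&1
endlocal
```

If the offline SAM on the installed volume does not list the account, the `net user` went into the recovery image, as Chris describes. If it does list the account but the account is missing once Windows has booted, the domain policy Fabien mentions (a Restricted Groups setting that rewrites the local Administrators membership at startup) is the next thing to check.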
