How is it possible to set a windows account password directly by the password hash?

Posted by RMP_Official@reddit | sysadmin | View on Reddit | 29 comments

I tried almost all tools, nothing gives a possibility of changing an account's password directly by a hash, I found some interesting forks of Impacket on github with the possibility to do it with RPC but it gave me an rpc\_s\_access\_denied error even when I launched the script with SYSTEM privileges with the TrustedInstaller's token. I tried to understand the main logic of dumping the hashes but when i tried to reverse the logic it did'nt work. I think im doing something wrong and wanted to ask if someone knows a way to change an user account password directly by the hash, especially by having only the SAM and SYSTEM files.

Reply to Post

29 Comments

[-]

rfc2795_@reddit

Why

[-]

RMP_Official@reddit (OP)

I wanted to find a way of changing an account's password by a password that you don't know.

[-]

thortgot@reddit

Im a bit lost, if you are setting the password via hash you inherently know what the password is.

[-]

rehab212@reddit

Not if you stole the hashes with Mimikatz.

[-]

MNmetalhead@reddit

Exactly. This screams “pass the hash” and I certainly think OP is having a problem because I want to believe that MS inherently prevents this from happening.

[-]

rehab212@reddit

Yeah, just spitballing here, but I’m guessing password changes likely *are* done by passing a hash to the DC, but I would expect that to only be accepted coming from the lssas.exe service, and likely with another trusted hash to authenticate it, so you would need the current password of the account to perform this action.

[-]

Unexpected_Cranberry@reddit

As far as I know it's not possible. You can set it to blank, but creating a new hash won't work.

[-]

Asleep_Spray274@reddit

Op extracted the hashes and has managed to change the password or screwed something else up and is trying to reverse the hash back in again so things will work again or no one will find out what he did :)

[-]

RMP_Official@reddit (OP)

Pretty much that, but mainly i found it interesting because i did'nt find any tools for that.

[-]

strongest_nerd@reddit

Next time use shadow credentials.

[-]

Asleep_Spray274@reddit

Dude, I commend your honesty. I have no answer to help, but best of luck my friend.

[-]

BrainWaveCC@reddit

A hash is a one-way function. That is, if you have data, you can generate a hash from it. But you cannot use the hash to tell what that data was originally. That's primarily why there are no tools available to do what you want. You can set passwords, and that will generate a hash derived from that password. You can use that hash for authentication to things, but you won't know what password led to that hash.

[-]

RMP_Official@reddit (OP)

I do not want to get the password from the hash, i want to set the password of an account directly by this hash.

[-]

BrainWaveCC@reddit

I've already told you why that won't work, and why no tools support it. A hash is not reversible. Ever. That's one of the core definitions of a hash. Therefore, on no planet in this galaxy, will one ever be setting a password with a hash.

[-]

RMP_Official@reddit (OP)

You are correct but you did not understand what i try to do, in the SAM file, it is the HASH encrypted multiple times with muliple data stored, and theoretically you cna change it. But the hash encryption is confusing.

[-]

BrainWaveCC@reddit

>you did not understand what i try to do I do. It will not work. There are no tools to do it.

[-]

Important-6015@reddit

Not possible. The hash isn’t the same everytime.. the passwords gets a salt, it gets padded, before sent. Unless you know the plaintext password, it’s not possible to

[-]

VA_Network_Nerd@reddit

Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator. **Inappropriate use of, or expectation of the Community.** * There are many reddit communities that exist that may be more catered to/dedicated your topic. - This type of post/comment is more appropriate for the /r/homelab subreddit. * Requests for assistance are expected to contain basic situational information. - They should also contain evidence of basic troubleshooting & Googling for self-help. - Keep topics/questions related to technology/people/practices/etc within a business environment. * When asking a question or requesting advice, please update your original post with any new information, or solution (if found). - This will make things easier for anyone else who may have the same issue or question in the future. ----- *If you wish to appeal this action please don't hesitate to [message the moderation team](https://www.reddit.com/message/compose?to=%2Fr%2Fsysadmin).*

[-]

Jkabaseball@reddit

I would try a dictionary attack against the password. If it's a user's account, I bet it's crackable in a few days. If it's service account (hopefully), it's not going to be that easy.

[-]

MDL1983@reddit

I believe there is a tickbox in Active Directory to store passwords with reversible encryption enabled, which would adore what you’re after, I imagine. By default thus us disabled and for good reason.

[-]

frankentriple@reddit

You can't reverse a hash, that's the whole point. Its a mathmatic operation that cannot be run in reverse.

[-]

sa_wisha@reddit

Do you have Veeam? You can restore the password attribute back to the user from an older AD Backup.

[-]

RMP_Official@reddit (OP)

I want to directly change the password by a hash on any system, not a particular

[-]

snebsnek@reddit

I strongly suspect you're up to no good. Most password stores worth their salt will salt the hash, so you can't just portably drop hashes in to stores and expect them to work in different places.

[-]

cvc75@reddit

I don't even know if I want this to be possible, I can see the potential for abuse. You could change a user's password, login and access their data, and then change the password back to the old value without being required to know the plaintext password. (Of course there's probably a dozen other ways to access that data as an admin)

[-]

RMP_Official@reddit (OP)

You can just reset the password and restore the old SAM file if you want.

[-]

RMP_Official@reddit (OP)

Yes you can bypass by multiple ways, so that is'nt a real problem

[-]

Nonaveragemonkey@reddit

Wouldn't be surprised if windows salts the input before hashing.

[-]

snebsnek@reddit

https://xyproblem.info/ What problem are you actually trying to solve here?