Bjoeboo asked:
Acquiring current local admin password without resetting admin password -- XP, 2000, dump, SYSKEY, SAM? Privilege escalation? pwdump, exploit

FUNDAMENTAL QUESTION: WHAT IS A *FUNCTIONAL* METHOD TO RECOVER *CURRENT* LOCAL ADMIN PASSWORD ON A WIN2K PRO OR XP PRO WORKSTATION, BEGINNING FROM USER-LEVEL ACCOUNT? (MULTIPLE RESOURCES AVAILABLE AND SCENARIOS DETAILED BELOW)
   OK, I’m stuck.  I’ve recently been saddled with the additional duties of temporary NT SysAdmin since our old one from Pakistan left due to visa problems. (He was a nice guy but you know how they’ve been tightening up things.)  Anyways I can’t get a hold of him and no one here has Admin rights to about 80 Win2K Pro and XP Pro boxes which are networked into 5 or 6 different workgroups.  I take this as a personal affront since I received my BS degree in Information Security Systems, and recently completed my CISSP certification.  Anyways there are 4 different images in use on these boxes but most of the workstations have been added to and customized over time by the old admins. (So I can’t just restore an image or create a new image since this temp support really isn’t my forte and I’m not even sure what all s/w to include in images.) Anyways, what I’ve been doing for the past week or so is trying out various Admin password reset solutions to reset individual boxes’ passwords as needed to install or upgrade them.
   What I need is some way of determining the original admin password since it’s the same on all my boxes (or at most different for each of the 4 images). Some of the pw reset solutions I’ve tried even allow me to replace the old admin password when finished, but it never tells me what it was; also any new accounts I create are deleted when I set the admin pw back to the original since these solutions restore the entire SAM (for all accounts).  PWDump2 and 3 are great when used in conjunction with LC4 for getting current passwords, but once I reset the Admin password, then log on as admin (as required to run these dump utilities), it’s no good for getting the original images’ Admin password.
      I understand if this post seems 'fishy' or 'suspect' to anyone; my best retort is: if I were a blackhat, with the fact that I have all the resources including tools, time, persistence, physical access, and knowledge (yes I know I’m the one asking for help, but realize more will learn from my post than can probably answer) to solve this, then indeed where ARE the real admins in this scenario? (please stand up, please stand up)
      Also, due to the sensitive nature of my posting, I’ve created a new spambox <removed by RomMod> expressly for the purpose of gathering functional 0-day solutions to my problem, from members that would be kind enough to enlighten us all with the academic details of the exploit within the forum, but not necessarily wish to propagate any more script kiddie warez.
At any rate, let me tell you what I’ve tried so far in the hopes of giving you ideas, and not repeating anything I’ve already tried:
My objective is to eventually get pwdump2 to run while the original admin password is still in the SAM.

Links to commercial as well as open-source tools and exploits I used are numbered (1), (2), etc. and given at the bottom.

1. Used (1) NTFSDOS Pro to copy the contents of the system32/config directory (SAM files), but the latest rendition of SYSKEY renders (2) LC4 and (3) SAMInside 2.0 and 2.1 useless.

2. Tried using NTFSDOS Pro to rename a copy of (4) cmd.exe to screenlogon.scr; also tried downloading (5) sysshell.exe (service) and overwriting spoolsv.exe with it.  This doesn’t work either.  Should it?  Am I doing it wrong? (I also replaced the copies in dllcache.) Or is this something MS beefed up?  Should I disable WFP (Windows File Protection)?

I’m thinking the solution will follow along the lines of:
step 1. reset admin password via (6)Winternals, (7)Passware, or the free (8)linux Admin password reset solution.
step 2. login to admin account
step 3. set up some means of privilege escalation on future regular user logins via the registry or a hacked system-level service substituted with cmd.exe, COMPMGMT.MSC, or similar; also, if interactive functions can't be prestaged, then a system-level instance of (9) "pwdump2.exe > filename.txt" on future user logins will automatically dump without user intervention.
step 4. logout.
step 5. Re-reset admin password back to original SAM (Easily do-able with tools in step 1)
step 6. Log back in as regular user and use/or otherwise allow exploit to run that was setup in step 3.
step 7. Success. Now I have admin rights to all workgroup boxes without need to pw reset each one individually!


There should be a way for an admin with all the tools, time, and physical access to accomplish this…  Any ideas?
It seems many of these exploits (3, 4, and 5) used to work, but since recent upgrades to Win2k and XP they don't run services at system level anymore.  What hackable services do run at system level?  I suppose I could hack a trusted function such as ntoskrnl.exe or a .dll with (10) ResourceHacker and modify them to accomplish step 3 above, but I'm not sure how to add this in.

Exploits and tools cited above:
1) NTFSDOS Pro 4 full version (full ver allows read AND WRITE)
http://www.sysinternals.com/ntw2k/freeware/NTFSDOS.shtml

2) LC4 (L0PhtCrack4)
http://www.atstake.com/research/lc/download.html

3) SAMInside 2.0
http://www.sharewareorder.com/SAMInside-download-19325.htm
&  SAMInside 2.1
http://www.insidepro.com/eng/saminside.shtml

4) Rename cmd.exe to logon.scr exploit
http://www.olemiss.edu/helpdesk/itnews/200111/win2000.html

5) Rename sysshell.exe(is really cmd.exe) service to spoolsv.exe service
http://carcino.gen.nz/tech/win/win2kadminaccess.php

-Commercial and freeware local admin reset solutions cited:
6) Winternals Locksmith
http://www.winternals.com/products/repairandrecovery/locksmith.asp

7) Passware password lockout solutions
http://www.lostpassword.com/windows-xp-2000-nt.htm

8) Offline NT Password and Registry Editor (linux, free)
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

9) Pwdump1(obsolete), Pwdump2(local ver.), Pwdump3(network ver.)
Pwdump2: http://razor.bindview.com/tools/desc/pwdump2_readme.html

10) ResourceHacker
http://www.users.on.net/johnson/resourcehacker/
Pete Long:

Windows XP Password Recovery

Try the following,

First: Are you sure you've forgotten it? Try just hitting return (in case there is no password), then try all the passwords you would usually use.
Remember passwords are CaSe senSiTive, so try with the caps lock on and off, or capitalise the first "Letter".

NB. All these tools, and links are to third party tools and involve directly or indirectly changing the registry. I accept no responsibility for their use.

Your passwords are held (encrypted) in your registry and in your "restore" directory. These tools edit one or more of these locations from a boot disk.

Arm yourself with a blank (clean) Floppy Disk

I've used this one on XP and it works:

http://home.eunet.no/~pnordahl/ntpasswd/

Or try the following


----1----
This link will download software that creates a Linux Boot floppy that will let you change Passwords.

http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=6

----2----

Using this link you will have to download the Image writer then the boot disk image

http://www.thomasmathiesen.com/itak/html/software.html

----3----

Or try This one from Sunbelt

http://www.sunbeltsoftware.com/product.cfm?id=265

----4----

This one's NOT free but it's what I use:

http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp

Here's some further reading:
http://www.petri.co.il/forgot_administrator_password.htm


Good Luck! PL
Bjoeboo (asker):
Yes all good solutions to change admin password to get in.
But I am trying to find out what the CURRENT admin password is.  I can do this by using pwdump2, but to run pwdump2 I have to be admin, and to be admin I have to reset the admin password... See?  I'm stuck.  It's like a chicken-and-egg scenario.
There used to be exploits (I stated them above) to rename system-level processes to open a system-level privileged cmd prompt on startup so I could run pwdump2 that way.  But they don't work anymore.  There also used to be exploits to crack a SYSKEYed offline SAM database (also stated above) but that doesn't work anymore either.  Evidently MS has beefed up SYSKEY and limited the system-level hackable processes on boot.  But there must be some left.  Any ideas?
If I were the new system administrator to solve this mess, I would immediately create a new image to roll out to all the workstations, either the hard way, or if there is money enough, I would use a system management service to do it.

I use PcCreator http://www.capasystems.com/index.asp?p=2&p2=48 and CDM 2.0 http://www.capasystems.com/index.asp?p=2&p2=50

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
Bjoeboo (asker):
trywaredk: I knew I'd get the re-image answer.  Like I said, since these machines were originally imaged, there are so many different software products and combinations of them installed on all the individual machines that I wouldn't know what to include in images.  Also I'd risk losing things currently in use on their workstations.  3 of these workgroups are developers and management has always been very liberal-minded in buying any solution package those individuals wanted, even if it was only one person (the old admin was always complaining all he did was installs).   The developers are a little higher on the payscale foodchain than I, as well as the bread and butter of the company here, and since I'm just filling in until a new sysadmin can be brought on, and I already have other regular full-time duties, I'm leaving any re-imaging fiascos to the new guy.  The fact is, we probably need an extensive software audit since there isn't any one comprehensive documentation on what all we're using right now. (But I won't be volunteering myself for that either.) I'm looking for an easy answer here.  But this may be something I have to invent myself (such as modifying ntoskrnl or another trusted system process with ResourceHacker to load a system-level cmd prompt, compmgmt.msc, or pwdump2 on boot).
But I'm trying to avoid re-inventing the wheel if someone's already gone here before and can advise me.
     RomMod: I'm trying to go with the grain here I was just wary of Chmod's post:
https://www.experts-exchange.com/questions/20683565/ATTENTION-SECURITY-EXPERTS-TA-DESCRIPTIONS-NEEDED.html
And trying to avoid offending anyone by avoiding the posting of hacks, cracks or links to them directly in this thread.  Although non-functional, strictly academic discussions of Windows security functions and weaknesses seem safe, possibly even beneficial to the community.

"I knew I'd get the re-image answer"

:o) OK - I understand (now)


"we probably need an extensive software audit"

HOWTO: Enabling Local Auditing Policies on Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit accounts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

Miscellaneous Notes on Windows Logging
http://www.counterpane.com/log-windows.html
Bjoeboo (asker):
I'm still hoping somebody can tell me a way to *discover* current local admin password on a windows 2000 pro or a windows XP box WITHOUT resetting it.
I've been playing around with this idea, but I don't know if it'll be possible:  If you can setup a temporary domain controller, and get the target machine to connect to that domain, you could use the admin account on the domain controller to run an LC4 audit.  Problem is, you probably can't change the network settings on the target machine without being an administrator.  Then I thought maybe if you connect to the domain through a VPN when logged in on the target machine as a normal user, you may have a chance.  I'm just throwing this out there in the hope that someone else could expand on the idea (or at least spot that it's leading to a dead-end).
Hello,

Depending upon how much time you want to put into this, or already have.
The only way I can think of to satisfy your requirement of
"eventually get pwdump2 to run while original admin password still in SAM"

Is to get one machine up and running with an evaluation version of windows server.
Run dcpromo and Service Packs (if it is allowed) on that machine; then you can join one test machine that has one of your images to that temporary domain.

Once that is accomplished you can log into the test machine (Win XP Pro or W2K Pro) as administrator of the domain, and THEN
you can use one of the tools to try and find the local administrator password.
Or from there you should be able to set up another local admin account to run the tools.

Like I said could be rather time consuming,
Good Luck
Bad idea .... I didn't think it through enough.
You need to be logged in as admin to join a domain.

Even if you use netdom from the server you must still supply a local admin
password to create the connection.
jkrill,

Sorry, didn't mean to post the same idea you did 13 minutes later.
It takes me a while to write down my thoughts... I should have reloaded
the question before submitting.
mdiglo - LOL I do that at least 3 times a day :0)

PeteL
Do you have an emergency repair disk for any of the PCs?  If you do, the SAM is on it; run LC4 against the SAM that you pull off of the repair disk.  Having read the whole thread, it sounds a little fishy.  Use Winternals to change all the passwords.  If you get the whole ERD Suite you may even be able to do it remotely from your desk.
>> sounds a little fishy

I concur! Why not simply change it? Unless of course you don't wish to be caught, in which case I suggest you close the question.


PeteL
Try these... (SYSKEY-proof)

OPTION #1
1. Use any offline tool that can read-write NTFS to overwrite a service executable such as spoolsv.exe (or something like it in your system32 folder) with the command shell (cmd.exe). Make sure you have a backup of spoolsv.exe!!
2. When Windows loads, it'll run the shell for you.
3. PWDump the SAM now off memory.
4. You know what to do.
5. Be sure to restore spoolsv.exe

OPTION #2
1. (offline) Back up your SAM with offline tool.
2. (offline) Reset Administrator password.
3. When you log in as Administrator, schedule yourself a task running a batch file that would automatically retrieve the hashes and store them on a floppy. (You need a floppy in the A: drive.)
4. (offline) Restore the SAM.
5. When the scheduled task runs, it will run with Administrator credentials and retrieve the original SAM hashes to the floppy.
6. You know what to do.
7. Be sure the scheduled task is gone!

OPTION #3
Escalate somebody with a known password into the Administrators group. I haven't figured out how to do this yet.

*** Do it at your own risk. I have not tested these options completely. ***
Hello Jorgen :0)

I'd seen that a while ago but couldn't find the link again - thanks.

This STILL hasn't been patched??

Pete
:o( can't find a patch from microsoft.

Maybe search at http://www.brianlivingston.com/
:o) Well - not a patch, but an answer - use efs to solve the issue
http://support.microsoft.com/default.aspx?scid=kb;en-us;818200
Good call Jorgen! That's a new one on me :0)

go here https://www.experts-exchange.com/questions/20747901/Points-for-Trywaredk.html

Pete
ASKER CERTIFIED SOLUTION
modulo