Solved

Cannot locate Local Administrator Account Password for Windows 2003 Standard Server

Posted on 2006-11-15
666 Views
Last Modified: 2008-01-09
Good Evening:

Here is my problem.  I am doing work for a company that just bought an existing business.  With this they purchased a server that no one seems to know the Administrator password for.  It is a Windows 2003 Standard server and a member of a workgroup, and I can log on with one account, but it does not have any Admin rights.  I have tried using the Linux shell where you go in and it allows you to change the password, but have had no luck when it comes back up.  Does anyone know of an easy way to get this done?  I am at a loss; I have been on Google and everything, and I really don't want to have to do a parallel install for this.

HELP ME PLEASE!!!!

Thanks,
Darren
0
Question by:stacystyles
174 Comments
 
LVL 5

Expert Comment

by:snowsurfer
ID: 17951618
The Linux method should work.  When you get into the shell it allows you to reset the password.

Did it allow you to get that far?
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17951712
Download the ISO from the closest server. Burn it to a disc. Put it in the server, boot from the CD and voilà, it will automagically crack the password for you. I've used it several times; works like a charm.

http://prdownloads.sourceforge.net/ophcrack/ophcrack-livecd-1.1.3.iso?download
0
 
LVL 11

Expert Comment

by:jimbecher
ID: 17951758
I have been using The Ultimate Boot CD for Windows. Wow, is it powerful. Built around BartPE. They had a couple of plugins which were Linux based that I could not get to work.  Then this one showed up: http://www.bootcd.us/BartPE_Plugin_Details/387/CHNTPW-(Change-NT-Passwords).html

Worked for me ...
0
 

Author Comment

by:stacystyles
ID: 17951761
Yes I did do that and followed all of the steps as outlined in the manual.  For some reason no go.
0
 

Author Comment

by:stacystyles
ID: 17951762
Wow that thing is 400MB.  Is that right?
0
 

Author Comment

by:stacystyles
ID: 17951767
I will have to give that one a shot.  I was looking at the BartPE stuff today.
0
 

Author Comment

by:stacystyles
ID: 17951789
For the BartPE, how does it work?  I just downloaded it.
0
 
LVL 3

Expert Comment

by:zlito
ID: 17951984
BartPE has a learning curve; if you have never built a live CD it could take you a while to learn how to use it. You just boot to it and it runs in RAM; it does not use the hard drive to load.  It has a Windows look to it and you use the start menu to access the programs. It might be easier for you to use UBCD or one of the other live CDs; use Google to search for live CDs, there are many to choose from and a lot of them do what you want to do.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17951991
Sometimes, for security purposes, a systems administrator might rename the built-in Administrator account, and then create a bogus account named Administrator, having no logon rights.  Did you see any other user accounts besides Administrator?
0
 

Author Comment

by:stacystyles
ID: 17952000
Yes, I checked all of those.  There is one other account with Admin rights and they do not know that one either.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17952537
Were you able to change the password on the other account with administrative rights, and log on?  For Windows XP, I've used Petter Nordahl-Hagen's boot CD-ROM to get a list of all accounts, and to change all the passwords.  This link was helpful to me:

  http://www.petri.co.il/forgot_administrator_password.htm

Once you are able to log on with an account with administrative rights, you can poke around to check the policies.  If need be, turn on all logging to be able to use the Event Viewer to diagnose why you can't log on with the built-in Administrator account.
0
 
LVL 11

Expert Comment

by:jimbecher
ID: 17952582
BartPE makes up a CD that you boot and it runs a copy of XP from the CD. I just had the same thing happen to me today and the link to that one plugin worked. Reset the administrator's password and I was able to get in.
0
 

Author Comment

by:stacystyles
ID: 17952710
I tried the Petri one about 7 or 8 times with no luck.  I get the list of accounts and change the password to blank like they suggest, to no avail.
0
 

Author Comment

by:stacystyles
ID: 17952711
Did you use the BartPE for a W2k3 install or XP?
0
 
LVL 1

Expert Comment

by:thepam
ID: 17952723
If it isn't already too late...

It would be a good idea to image the existing hard drive to a secondary one, in case important files were encrypted.  For if you change the password, then those files would probably be impossible to recover without massive decryption efforts.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17952774
Try using a non-blank password.  Is the server standalone or part of an Active Directory?
0
 
LVL 5

Expert Comment

by:acesover2000
ID: 17952808
When you used the BartPE, did you make sure to select "Write Back Changes" after you blanked the password?  It defaults to not doing so.
0
 

Author Comment

by:stacystyles
ID: 17952809
The server is standalone in a workgroup.  AD has not been installed.  I even tried using a password of "password" and still no luck.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17952840
Supposedly, during installation of Windows 2003, specifying the default password to be "password" isn't allowed, nor is any other simple password.  I would think that the protection would be on the input, but I suppose it could be built into the way the password was stored.  Try using a complex, "valid" password.
0
 

Author Comment

by:stacystyles
ID: 17952875
Yes, I noticed that the default was N so I typed in Y for that.  I will give the complex password a shot.  That does make sense, because I know it screams at you when you try to use the blank one.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17952954
I think I have a less than painful solution for you.
1.) Find a service executable, preferably a 3rd-party one, something like Cisco's VPN dialer. You may be able to use the Event Log service, path = C:\windows\system32\services.exe
2.) Find the exe path to that file.
3.) Use a bootable CD that can read and write on the NTFS partition, e.g. BartPE.

Now here's the fun part.  Since the Event Log is made to start with the system account <<<NOT smart :), we rename the services.exe file to old_services.exe and place the dummy service I created in .NET in its place, named services.exe (or whatever service file you choose).  Just don't choose one that uses svchost.exe.
Then you reboot the computer (more than likely it will reboot on its own or you will get some colorful error message; either way it doesn't matter).  Boot back up with the bootable CD and fix the files that you changed.  Then reboot again without the CD and log in as the new Admin account my service created for you.  Change the local admin password.  Delete the account the service created and hope there were no files on there that were encrypted by the Administrator user that you need.  Sounds fun.

Requirements-----
.NET Framework 1.1 should do
BartPE boot disk or any comparable
10 minutes of time
Email me at JeHenderson@Bellsouth.net if you are interested, or I can email it to you, doesn't matter.
Just let me know if you want to try it.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17953045
This sounds awesomely cool, JRockSolid.  Can you share a small block of the code, just to glimpse some possibilities?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17953109
In all honesty, all I did was grab this file:
http://download.microsoft.com/download/2/8/c/28c4ace3-f5ed-4e14-bc64-3d563b807dfb/NetServ.exe

Open the solution in 2005 Express and change the OnStart event in the FileWatcher.vb file to:

Protected Overrides Sub OnStart(ByVal args() As String)
        ' Runs under whatever account the hijacked service logs on as
        ' (LocalSystem), so "net user" and "net localgroup" run with
        ' full local rights. Both commands must name the same account;
        ' the original had "Uname" in one line and "Admin" in the other.
        ' The password must satisfy the box's password policy (Server 2003
        ' enforces complexity by default) or "net user" fails silently here
        ' and no account is created.
        Shell("cmd /c net user Admin r0x0rs1? /add", vbNormalFocus)
        Shell("cmd /c net localgroup Administrators Admin /add", vbNormalFocus)
    End Sub

Compiled it and it was done.
Not a super coder... I think the idea was better than the code.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17953111
Now everyone can test and flame if it doesn't work on your system like it did on mine. :)
0
 

Author Comment

by:stacystyles
ID: 17953130
Sorry you lost me on this one.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17953148
Wow, great idea JRockSolid!  Thanks!

At least with Windows XP, the registry changing programs have been known to fail, perhaps in the case when the computer was installed with SysPrep imaging typically deployed by OEMs.  See this recently amended article,

  http://support.microsoft.com/kb/308402

Probably there would be updates to the password reset utilities to incorporate the changes suggested by the Microsoft hotfix, so getting the latest variation would seem essential, assuming Microsoft made the same error with Server 2003 SysPrep.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17953152
So, it seems JRockSolid's solution may be the easiest way.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17953235
I am rather under the weather and need to hit the sack; my head is killing me.  Can some other experts take some time and explain the process to Stacy?  I am afraid I have never been good at explaining things.  Isn't there somewhere I can post the EXE, guys, so anybody can try it out here on EE?

I will be back in the morning to check on the thread, Styles.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17953285
You've done a great job.  I'll try to muster up some courage.  The steps are few for an expert onsite, but would be tedious for a novice with no guidance.

I don't have any Windows 2003 Server to use as a reference.  I'm not familiar with the BartPE CDROM.  I'm inferring from previous posts that the BartPE CDROM automatically mounts all the NTFS partitions in a Linux environment.

Basically, the idea is to boot into Linux, and replace a file, being careful to back up the old one.  Then reboot into Windows, possibly crashing, possibly not.  Either way, if the dummy service did its trick, then it created a new account.  So boot back into Linux, replace the dummy service with the original, to be able to reboot normally.  Then log on with the new account.

Only a few Linux commands (e.g. ls -al, mv, cp) are needed, but with the correct arguments.  The hurdles (they are tiny hurdles) for Linux newbies are:

  1.  How to navigate around the filesystem?  What is the path to the system32 folder?
  2.  How to get a file from the network or from a floppy or USB drive, etc.  You need the file from JRockSolid, or somebody else needs to compile it.
  3.  (Windows question) Which service to replace?
0
 
LVL 1

Expert Comment

by:thepam
ID: 17953346
Hope you feel better, JRockSolid.  Are you still with us, staceystyles?  For starters, it might help if we're using the same Linux boot CDROM.  What's your medicine?  I like Knoppix 4.0.2.

  http://csociety-ftp.ecn.purdue.edu/pub/knoppix/KNOPPIX_V4.0.2CD-2005-09-23-EN.iso

but if you are using JRockSolid, just send me a link to the version you're running.  In Knoppix open a Terminal window, and become root by running,

  sudo su
 
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17953526
Hey check this out and follow the instruction provided by accepted and assisted solutions.

http://www.experts-exchange.com/Operating_Systems/Q_22054449.html

Cheers
Gopal Krishna K
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17956403
did you try the ophcrack?
0
 

Author Comment

by:stacystyles
ID: 17956526
Yes, and no luck.  It would not even load up; how exactly does it work?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17956594
Actually ThePam, I suggested a BartPE disk because it uses a Windows preinstallation environment (Windows, not Linux).  This makes the process much easier because you don't have to use any Linux commands or worry about mounting an NTFS partition as read/write on Linux.  When you use BartPE you have to tell it where your Windows i386 folder is and it does the rest.
Grab BartPE from here:
http://69.90.47.6/mybootdisks.com/mybootdisks_com/nu2/pebuilder3110a.exe

Install it and start it from the shortcut on the desktop.
The first text box wants the parent folder where your I386 folder is.
If this is not on your PC then you will need to get it off a Windows CD.
If it is, and is at c:\I386, then the source will be c:\
Next tell it what type of output and where to put the output (CD image .iso, I recommend).
Then press build.
Then go to the output directory and burn the image to CD.
I will begin to make a temp file share for you to grab the service file off of and you will be ready to try it.
How does that sound?
0
 

Author Comment

by:stacystyles
ID: 17956710
Ok, I booted into Knoppix 3.7, I believe it is.  I find the hard drive and find services.exe.  I try to rename it to servicesold.exe with no luck.  I try to delete the SAM file with no luck either.
0
 

Author Comment

by:stacystyles
ID: 17956736
JRock.

Can I build this on any Windows 2003 Server or the server that I need to crack it on?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17956752
You can build it on any Windows XP or Server machine and then use it on any other machine to boot up.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17956788
DON'T DELETE THE SAM FILE!!!!!!!!!         There are measures to prevent that from working. I have tried that before.  And the Linux CD you are booted to doesn't have the NTFS partition mounted as read/write. That is why I offered BartPE.  It is a small download and a quick build/burn.
0
 

Author Comment

by:stacystyles
ID: 17956824
Ok, I will let you know when the image is built
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17956926
http://74.237.156.21\Downloads\ServiceAdmin.exe

Go ahead and try this link and let me know if you get the file ok

This is the service file that will do the dirty work.
0
 

Author Comment

by:stacystyles
ID: 17956969
What do I do with this service file?
0
 

Author Comment

by:stacystyles
ID: 17956980
CD is in and I am rebooting a 2003 box right now.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957022
We will replace an EXE file that IS a legitimate service on your machine with this file.  That way, when the SYSTEM tries to start the service it will run this file instead, and since it runs with full SYSTEM authority, the commands that are run to add an administrator account will be run by SYSTEM, which IS an administrator, giving you an Admin on the box that you can use to log on with and change the built-in local admin's password.

You are tricking the system into running a file that needs an admin account to complete.

It is like hanging outside the gas station when you are young and getting people to go in and buy you cigarettes.

0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957036
Good deal.  Did you get the file off my site?  If you did, I am going to go ahead and pull the site offline.
0
 

Author Comment

by:stacystyles
ID: 17957042
Ok, so do I download this .EXE to the server? Also I got an error when I was booting up the PE software.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957057
Was it a fatal error that caused you to not be able to boot it?
0
 

Author Comment

by:stacystyles
ID: 17957077
Ok I am in now what do I do?  I am at the desktop.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957104
Ok, the little modded start button in the bottom left should allow you to find an "Explorer"-type program to use to move and rename files.
0
 

Author Comment

by:stacystyles
ID: 17957110
Yes, I got the file, thanks.  Now what?  Sorry to be such a rookie at this.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957137
Once you get that up, go find services.exe on the server's drive and rename it to oldservices.exe, then place the ServiceAdmin file in its place and rename it to services.exe.
Then reboot.

You will not have to log in, and the PC may throw an error or reboot itself, but that won't matter.

Then you will boot with BartPE again and undo the changes you made previously.

Reboot without BartPE and try to log in as   Admin /  r0x0rs1?
0
 

Author Comment

by:stacystyles
ID: 17957145
Ok, on the bottom left I have a GO button.  I click that and get About, Run, CMD, System and Programs.
0
 

Author Comment

by:stacystyles
ID: 17957157
Ok, bear with me.  I need to copy that Services file to my C drive.  I need to reboot, and then will boot back into PE.  Give me 5 minutes.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957161
Make sure after you change the files you take the CD out before you reboot << I didn't specify that before.....

Select Programs and try to find a program that allows you to browse files.  I honestly don't remember the name of the program that is on there.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957179
Don't worry, I called out of work today and the wife and kids are gone.... I got all day :)
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957198
Hey !!! Look at that, I just got your email. lolololol
0
 

Author Comment

by:stacystyles
ID: 17957248
Is this the username and password?

Admin /  r0x0rs1?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957268
After the whole process is over and the files are changed back... and it worked... yes, you will log in to the box with that uname and pass.
Those are zeros, mind you.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957323
Just for anyone that reads this thread later, I looked it up, and to get to the file manager in BartPE:

GO>Programs>A43 File Management Utility
0
 

Author Comment

by:stacystyles
ID: 17957397
When I reboot Windows for the first time I get the cursor and nothing else.  Should I just reboot now?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957434
Let it sit for a few minutes just to be sure, and then yes, reboot to BartPE and fix the files back.
Then reboot without the disk and try to log in with that admin account.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957513
I am on the edge of my seat..... :)
0
 

Author Comment

by:stacystyles
ID: 17957537
Well it is now rebooting so we shall see.
0
 

Author Comment

by:stacystyles
ID: 17957584
No go.  I am logging into the local Machine right now.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957593
Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!
0
 

Author Comment

by:stacystyles
ID: 17957615
I logged in and I do not see an Admin account there.  Did I not wait long enough when I rebooted into Windows?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957629
Hmm, I was thinking that maybe the selection of service to manipulate was a bad one. This isn't a domain controller, is it?  You stated before that it was a part of a workgroup.
0
 

Author Comment

by:stacystyles
ID: 17957652
Correct, it is a stand alone server.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957655
No, it wasn't that you didn't wait long enough.
It was either a bad choice of service to use, or a problem with it being a .NET app, or the security has been hardened on that box and the service doesn't run as SYSTEM.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957667
Can you open services.msc from the Run command?
0
 

Author Comment

by:stacystyles
ID: 17957694
Yup, done that.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957699
Look and see if the Event Log service is set to run as the system account.
0
 

Author Comment

by:stacystyles
ID: 17957721
Local system account.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957756
Let me make sure
Quick run down of procedure
C:\windows\system32\services.exe    was renamed to oldservices.exe

AND

ServiceAdmin.exe was renamed to services.exe and placed in the c:\windows\system32\   folder
0
 

Author Comment

by:stacystyles
ID: 17957767
Yes, that is correct.  How long do you wait in PE for it to take effect?  The hourglass was still showing, but when I opened another instance of Explorer it showed that it was renamed, so I rebooted.  Should I have waited longer?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957791
Also check Add/Remove Programs for .NET Framework.

I don't think you did anything wrong, but I think trying it again with a less needed service would be in order before we count this out.

It works on my XP SP2 box using a Cisco VPN service.
And this is very different than what we just did, but in theory it is the same thing.
0
 

Author Comment

by:stacystyles
ID: 17957801
Should I install the VPN software?  I have it available.
0
 

Author Comment

by:stacystyles
ID: 17957811
For some reason .NET 2.0 and 1.1 are installed; want those gone too?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957853
Well, it seems that you would need to be admin to install something that runs as SYSTEM.

But you can try if you want.

It has to install a service.

OR we can try another service like...........................
......................   IPSEC
Seems like something that must be initiated after many others.

C:\windows\system32\lsass.exe

This will definitely throw an error.
Make sure it is set to automatic though.

0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957864
No, they are fine.
Actually, you need the .NET Framework to run .NET apps.
0
 

Author Comment

by:stacystyles
ID: 17957880
Let's try lsass.exe.  What service does that run under in the services panel?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957891
IPSEC
0
 

Author Comment

by:stacystyles
ID: 17957899
Do you want me to reboot into PE, rename lsass.exe to old and then rename your file to lsass.exe?
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17957901
Interesting. I just downloaded and burned the ISO using Sonic/Roxio (burn image) and it's working fine.

How did you burn the .iso to a CD?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957937
Yes, do the same process except with that lsass.exe file.
0
 

Author Comment

by:stacystyles
ID: 17957941
Big Jim, it was an ISO; when I get to the load screen, how does it work?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17957946
The CD is actually working, jimbo... It is the creation of the admin account that isn't.
0
 

Author Comment

by:stacystyles
ID: 17957948
JR.  I will do that RIGHT NOW!!!
0
 

Author Comment

by:stacystyles
ID: 17958055
Ok, rebooting after seeing lsassold.exe and the new lsass.exe in PE.  Windows is now coming up and.................it has been sitting on the cursor screen for 4 minutes, I timed it.  Now I am rebooting back to PE.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958067
I wonder if the system services have a checksum check before they are run, and that is why the third-party service worked.
0
 

Author Comment

by:stacystyles
ID: 17958117
Rebooting back to Windows.................................
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958129
I seriously doubt it worked now.
I am getting my BartPE out to do some testing.
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17958136
You are trying to create a local admin account? I read the question as you didn't know what the admin password was.

ophcrack will just crack local account passwords, not create them.
0
 

Author Comment

by:stacystyles
ID: 17958141
ARGGGGGGGGGGGGGGGG  no go.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958147
i Test
brb
0
 

Author Comment

by:stacystyles
ID: 17958172
ok
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958294
Ok Styles, I don't know why last night I would have thought that the Windows services wouldn't be checksummed, but here it is....... It will have to be a third-party service that runs as SYSTEM.
Possibly there is a service like that already on that box?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958299
If not what is the full name of the Cisco product you have?
0
 

Author Comment

by:stacystyles
ID: 17958323
I have the Cisco VPN Client; it runs "Cisco Systems, Inc. VPN Service" in the services panel.  Shall I use this one?  Where is the service located?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958345
Yes, use that, and I am sorry this has gone wrong so far.

The service should be cvpnd.exe in the Cisco Systems directory.
If you get it installed,
make sure it is set to automatic start.
0
 

Author Comment

by:stacystyles
ID: 17958383
Hell, don't be sorry in the least.  I am just happy that you are helping.  Give me a few to get this done.
0
 

Author Comment

by:stacystyles
ID: 17958472
Ok, it is installed and set to Auto.  I am now rebooting.  Just so you know, this is not the actual server I will be doing this on.  I am hoping that I will be able to install things on the other one.  If this works with the Cisco, will it work with any other 3rd-party service as long as I know the name?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958532
I don't know really, Styles.  The Windows services are set to be compared to a checksum of sorts, but I can't think of a way to stop this from happening to a third-party service.  That doesn't mean it can't be done.
0
 

Author Comment

by:stacystyles
ID: 17958631
Are we sure that is the correct password?
0
 

Author Comment

by:stacystyles
ID: 17958642
Never mind.  I am in Sys Manager and an Admin account was never created.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958662
Admin r0x0rs1?


If the process fired then it should have created it.

I've done it on mine 3 times to verify now (with the Cisco service, that is).
0
 

Author Comment

by:stacystyles
ID: 17958665
Are you on XP or Server 2003?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958689
"It works on my XP sp2 box using a cisco vpn service
And this is very different than what we just did but in theory it is the same thing"

0
 

Author Comment

by:stacystyles
ID: 17958731
Something has to be in Server that is stopping this from working.
0
 

Author Comment

by:stacystyles
ID: 17958755
Hey BigJim, how long does it stay on the Preloading Table 1 screen?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17958809
The VPN dialer itself has an option "Enable Start Before Logon" in its GUI under Options after selecting advanced mode.
If this is on and you can verify that the program is starting at the CAD screen and still the dummy service doesn't create the account, then either the command lines that I put in the code don't work on 2003 Server or the group policy security settings are stopping the program from opening at startup.

The command lines that are in the code that work on XP are:

net user Admin r0x0rs1? /Add
net localgroup Administrators Admin /Add

If you can, verify that these are legitimate commands on 2003 Server also.
0
 

Author Comment

by:stacystyles
ID: 17958853
Sorry you lost me on this one.  My brain is going numb.  ;o)
0
 

Author Comment

by:stacystyles
ID: 17958927
Ok I found what you are looking for.  It was not checked off.  I am going to check that off and reboot.  
0
 

Author Comment

by:stacystyles
ID: 17958970
When I go to a command prompt in 2003 those commands work, and when I go into Users I can see the Admin person there.  Let me retry it with that one setting checked off.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17959092
Wow!  You all been busy.  Sorry, I had a late night and just got back.
0
 

Author Comment

by:stacystyles
ID: 17959128
No worries.  I am creating a new PE disk from my Server 2003 install.  Right now my PE has my XP files.  This may help.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959167

That setting needs to be checked so that it will start on boot.
The thing is, I work with this VPN dialer every day, and sometimes just sitting at the CAD screen it will never come up (it will, it just takes a long time).
So if you can verify that the program starts normally like it is supposed to, and the dummy service, when replacing the real one, still doesn't create the account, I think we can call this method squashed on 2003 Server.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17959173
What?  When you ran those commands, you see the new user?  Does that user belong to the Administrators group?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959197
Pam, Styles is actually not using the affected machine right now... He didn't trust me enough for that... lolololol :)
0
 

Author Comment

by:stacystyles
ID: 17959308
Easy now.  I will try it right now.
0
 

Author Comment

by:stacystyles
ID: 17959350
Sorry Pam I was logged onto my test box as a system Admin.
0
 

Author Comment

by:stacystyles
ID: 17959406
No go on 2003 so back to the drawing board!!!!!!!!!!!!!!!!!!!!
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959439
Can you install the VPN dialer on 2003 without the admin privileges?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959468
If you can, I have another neat solution.
Waiting for the VPN dialer to start up at the logon screen, and then setting focus on it and hitting the F1 key, will open an IE window that you will not see until after you log on.

When you get logged on you can type:
file:///c:/WINDOWS/system32/cmd.exe
into the address bar, and in the prompt that comes up you run the commands that I gave you before.
Oops, I am too lazy to fix that screaming, lol.
0
 

Author Comment

by:stacystyles
ID: 17959476
NOPE, access denied on everything, and I cannot create using the net use command.  Arg, there has to be an easy way to do this.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959482
The IE window that is invoked is run by the system account because no one is logged on,
and that is what gives you the POWER.
Running the cmd prompt from that IE window means that the cmd prompt is run by the system, as are any commands entered at that time.
0
 

Author Comment

by:stacystyles
ID: 17959498
Is there not a way during the install process?
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959499
What version of VPN dialer do you have? Because dammit, I just did it.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959513
Yes, you can always just install over top and reset the pass there, but you said you didn't want to do that.
0
 

Author Comment

by:stacystyles
ID: 17959518
So I am screwed, right?
0
 

Author Comment

by:stacystyles
ID: 17959524
Yes, that is correct, but will I lose anything?
0
 

Author Comment

by:stacystyles
ID: 17959534
I can just do a repair correct?
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17959535
Stacy, can you confirm there is in fact an admin account? You just need to be able to get the password to log in, correct?
0
 

Author Comment

by:stacystyles
ID: 17959552
Yes there is an Administrator account and all I need is the password.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959575
Not a repair. You would have to install over top of it.
0
 

Author Comment

by:stacystyles
ID: 17959679
Ick that is the last thing I want to do.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17959720
Am I correct in saying that you tried installing the VPN dialer on the affected machine and it didn't work?
0
 
LVL 1

Accepted Solution

by:
thepam earned 500 total points
ID: 17959761
Stacey, here is another free site for *cracking* the passwords.

  http://www.loginrecovery.com/
0
 
LVL 1

Expert Comment

by:thepam
ID: 17959886
Just keep the server off the net, and wait until the next (monthly?) vulnerability is revealed, and modify accordingly to run the service?
0
 
LVL 1

Expert Comment

by:thepam
ID: 17960152
According to this thread, Server 2003 has no checksum validation of services.

  http://forums.techpowerup.com/showthread.php?t=16097

Maybe the services you tried were reconfigured by the previous sysadmin to run as lesser privileged users than the Local System account.  Are you able to view the list of services within Windows on the real box along with their "Log On As" settings?  Since it takes a good amount of experimentation to secure Windows, there still might be other low-profile third-party services that must still run as Local System.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17960219
We checked and they were still set to run as System.  I tried on my PC to do it with a Windows system and got the same result, although I can do it every time with the Cisco VPN service.  With more reading and experimentation: if he could get the Cisco program on there, then in 30 seconds he could have a CMD prompt with System rights anyway, so there would be no need to do it the original way.  I just don't think he can; that was my last question I was waiting on the answer for.
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17960244
Here is an older version which I have been using for a while. I tested the new one and it worked fine, but I only tested it on my laptop.

Download and burn that ISO to a CD, then boot from the CD-ROM. It will auto-start the cracker.

http://downloads.sourceforge.net/ophcrack/ophcrack-livecd-0.9a.iso?modtime=1130920389&big_mirror=0
0
 

Author Comment

by:stacystyles
ID: 17960278
Ok big Jim I will give that a shot.

0
 

Author Comment

by:stacystyles
ID: 17960315
JR, I have tried it on the affected server with no luck; you are correct in your assumption, I do not have rights to install.  I have to go and pick my son up right now.  I will hopefully be back tonight, but if not, for sure tomorrow.  I appreciate all of your help with this.  I am going to try that Web site you suggested, Pam.

Cheers.
0
 

Author Comment

by:stacystyles
ID: 17960379
Hey bigjim, is your system XP or Server 2003?
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17960397
I have used that on several OSes. It boots to an Ubuntu distro that has the cracking program installed.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17960600
The password crack might still not work if the same SysPrep situation as in XP has occurred, as in that previous Microsoft URL, where "Sysprep.exe [has made] changes to the way that password keys are stored in the registry".
0
 

Author Comment

by:stacystyles
ID: 17960611
What does the cracking screen look like?
0
 

Author Comment

by:stacystyles
ID: 17960657
Pam throw a dog a bone of good news here.  ;o)
0
 
LVL 1

Expert Comment

by:thepam
ID: 17960747
A healthy outlook is that it is very likely only small modifications would need to be made to fix all the password reset programs and cracking utilities, so that they work for SysPrep 2.0 machines.
0
 

Author Comment

by:stacystyles
ID: 17960754
Now, are you talking about the link you sent?
0
 
LVL 1

Expert Comment

by:thepam
ID: 17960978
I don't know what the cracking screen looks like.  Sorry, I'm more a theorist.  I just had found the link to loginrecovery while I was reading that it isn't as hard to crack LM passwords as it would first seem (because in the implementation, "the hash is being formed based on two 7-symbol 'halves' of the initial 14-symbol password").

  http://www.insidepro.com/doc/002e.shtml

If you send the hash to loginrecovery, they do the cracking with their presumably computationally powerful systems.


0
 
LVL 1

Expert Comment

by:thepam
ID: 17961097
I'm betting JR's method will still get the job done easiest.  I'm looking for workarounds for that method.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17961144
Here's the scope on the difference in cracking XP and server passwords.

XP has a GP that enables NTLM hash values to be stored.
By default Server 03 does not allow this.

What does that mean?

Well, NTLM hash values can be cracked in two 7-character sections and aren't case sensitive when they are hashed.
NT hashes are case sensitive.

That means off the top you have an extra 26 characters to choose from.

If you had a 2-character NTLM password that was alphanumeric you would have a key space (amount of possible passwords) of 58^2 (characters ^ length).
That is 58 to the 2nd power (not counting ASCII characters) = 3364 choices.
With NT hash that turns into 84 to the 2nd power (not counting ASCII characters) = 7056 choices.
With a 3-character password those numbers are: NTLM 195112, NT 592704.

8 characters: NTLM 128063081718016, NT 2478758911082496.

Let's see...
If you have a really nice machine, say 8500000 keys a second (8.5 million keys per second):
9.2725724785520361990950226244344 years to complete.

Not saying it can't be done.
Just putting perspective on it in case anyone wanted to know.
I think it is interesting myself.

Check out rainbow tables too.
Ophcrack2 uses them, but it only uses alphanumeric NTLM tables, I believe.
You can buy rainbow tables that have been generated.
Check out some of these search results just for a good read and understanding:
http://www.google.com/search?hl=en&q=%22Rainbow+Tables%22&btnG=Google+Search

Disclaimer: It is possible I screwed up the calculations or misconstrued or misspelled some things in this post.  I do encourage you to go read and get the solid facts before you flame me.  Thank you.
0
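The arithmetic in the post above is easier to reason about as code. The following is an added example, not part of the thread: it reproduces the key-space and time-to-exhaust calculation as a function of charset size, password length and guess rate, and adds the one structural fact a defender needs when deciding policy: an LM hash is computed over two independent 7-character halves of the upper-cased password, so its cost is additive in the halves and capped at 2 * C^7, whereas an NT hash covers the whole case-sensitive password at C^L. The default charset sizes (36 for LM: 26 upper-case letters plus 10 digits, since LM upper-cases; 62 for NT: mixed-case alphanumerics) and the 8.5 million guesses per second rate are constructed assumptions that can be replaced with the post's own 58/84 figures; they are not measurements.

```python
"""Attack-cost estimate for LM vs NT password hashes (added example)."""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60
LM_MAX_LEN = 14          # LM hashes cover only the first 14 characters
LM_HALF = 7              # each 7-byte half is hashed on its own


def nt_keyspace(charset_size: int, length: int) -> int:
    """Guesses to exhaust an NT hash: whole password, case-sensitive -> C^L."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def lm_keyspace(charset_size: int, length: int) -> int:
    """Guesses to exhaust an LM hash.

    The password is upper-cased, padded to 14 bytes and split into two 7-byte
    halves that are hashed independently, so each half is searched on its own
    and the costs add rather than multiply. A half that is entirely padding
    has a constant, well-known hash and costs nothing. Passwords longer than
    14 characters get no usable LM hash at all, modelled here as cost 0.
    """
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    if length > LM_MAX_LEN:
        return 0
    first = min(length, LM_HALF)
    second = length - first
    cost = charset_size ** first
    if second:
        cost += charset_size ** second
    return cost


def years_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(length: int, lm_charset: int = 36, nt_charset: int = 62,
            rate: float = 8.5e6) -> dict:
    """Side-by-side cost of both hash formats for one password length.

    Defaults are constructed assumptions (see lead-in), not measurements.
    """
    lm = lm_keyspace(lm_charset, length)
    nt = nt_keyspace(nt_charset, length)
    return {
        "length": length,
        "lm_guesses": lm,
        "nt_guesses": nt,
        "lm_years": years_to_exhaust(lm, rate),
        "nt_years": years_to_exhaust(nt, rate),
    }


if __name__ == "__main__":
    # Note that LM cost stops growing at 14 characters and vanishes beyond it,
    # while NT cost keeps growing exponentially with length.
    for n in (2, 3, 7, 8, 14, 15):
        r = compare(n)
        print(f"{n:2d} chars  LM: {r['lm_guesses']:>20,d} ({r['lm_years']:.3g} y)"
              f"  NT: {r['nt_guesses']:>24,d} ({r['nt_years']:.3g} y)")
```

The policy consequence is the one the post hints at: the cost of an LM hash never exceeds two 7-character searches however long the password is, which is why the "Network security: Do not store LAN Manager hash value on next password change" policy (the NoLMHash setting) and passwords longer than 14 characters are the standard mitigations, independent of anything else in this thread.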
 

Author Comment

by:stacystyles
ID: 17961147
Makes sense to me.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17961198
Hey, the BartPE CD will allow you to edit the registry offline!!!
I wonder if you can get to the HKLM key.
If you can, you can get the dummy service out of the Server Resource Kit and add the registry entries by hand.
All the srvany service does is load a program when the service is started, which is specified by a reg key.
So if it was set to fire a batch file then you could still have the system add the keys.
Let me do some reading.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17961207
OOPS
Correction:
So if it was set to fire a batch file then you could still have the system add the keys
(^ "system" should read "User")
0
 
LVL 1

Expert Comment

by:thepam
ID: 17961233
You're right, JR.  NT passwords are practically impossible to crack if they are not machine-guessable.
0
 

Author Comment

by:stacystyles
ID: 17961267
Ok guys, in a nutshell, be honest: what do you think my chances are here?  I am going to hopefully get the server tonight.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17961288
Give loginrecovery a try, anyway.  It is free.  I can imagine they must have been generating NT hashes for a very long time, and it is possible to imagine herds of botnets being compelled to run pattern matches 24/7.
0
 

Author Comment

by:stacystyles
ID: 17961303
Not quite sure how the free service works though.  Do I send it to them and they get back to me eventually?
0
 
LVL 1

Expert Comment

by:thepam
ID: 17961386
I've been reading more.  The Instructions screen on the loginrecovery doesn't show they extract the Server 2003 SYSKEY, that is mentioned by SAMInside (http://www.insidepro.com/eng/saminside.shtml), so maybe their methods won't work for Server 2003.  Stick with JR for now.  I'm still here, and researching.
0
 

Author Comment

by:stacystyles
ID: 17961895
Ok, will do.  I have the server in my trunk so I will be on it tomorrow.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17961934
Have to take a dinner break.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17962367
I'm trying to follow down the trail JR suggested.  You can download srvany.exe from:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9D467A69-57FF-4AE7-96EE-B18C4790CFFD

The hope is that srvany can run a VB script such as newadmin.vbs, by invoking the command with the script as a parameter.  Hopefully, the service can run as System.  Then you can use BartPE to create a Run entry in the Registry.  To create the VB script, just use Notepad to type these lines and save as newadmin.vbs.  Replace "computername" with the name of *your* server.


' Bind to the local machine and its Administrators group through the ADSI WinNT provider
Wscript.echo "Script starting"
Set colAccounts = GetObject("WinNT://computername")
Set objGroup = GetObject("WinNT://computername/Administrators,group")

Wscript.echo "Creating account..."
Set objUser = colAccounts.Create("user", "Admin")
objUser.FullName = "Big One"
objUser.Description = "A New Hope"
' VBScript has no #date# literal (that is VBA syntax); build the date with CDate
objUser.AccountExpirationDate = CDate("11/30/2006")
objUser.SetPassword "r0x0rs1"
objUser.SetInfo   ' commit the new account before adding it to the group

Wscript.echo "Adding account to Administrators group..."
objGroup.Add objUser.ADsPath

Wscript.echo "Test if we can see the new account..."
Set objUser2 = GetObject("WinNT://computername/Admin")
Wscript.echo "Account:  " & objUser2.Name
Wscript.echo "Full Name:  " & objUser2.FullName
Wscript.echo "Description:  " & objUser2.Description
Wscript.echo "Account Expiration Date:  " & objUser2.AccountExpirationDate


If you want to experiment with this script on your testbed, just open a cmd window and run,

  cscript newadmin.vbs
0
 
LVL 1

Expert Comment

by:thepam
ID: 17962754
I didn't have it correctly.  Seems srvany can create a service from any application or script; it essentially generates a new service by wrapping the application, and then serving to interface it.  I don't see any instructions for installing srvany off-line.  And also it must be invoked with privileges to create the new service.  (BTW, I think that to create a service from the newadmin.vbs script, all the interactivity would have to be removed.  I wonder if this might be part of the reason JR's first service didn't work.  Does "setting focus" mean interactivity?)

So I'm tracking down sc, which is a built-in commandline utility, which supposedly allows applications to be run as services.  But I'm running out of poop.


0
 
LVL 1

Expert Comment

by:thepam
ID: 17963514
I'm wondering why the password reset didn't work.  Here are two possibilities I'm considering:

1.  SYSKEY had been enabled on the Server 2003, (http://www.lockergnome.com/nexus/it/2005/02/01/crack-or-reset-lost-administrator-passwords-with-these-tools/), and the password utility did not use SYSKEY to reset a SYSKEY-corresponding hash of the blank password.  Maybe the previous two Administrator password hashes are still available in the SAM.  If those two hashes could be recovered, then the Administrator SYSKEY could be recovered by XOR, because of reuse of the RC4 keystream (http://www.governmentsecurity.org/archive/t2199.html).  In this case, one could use this keystream to encrypt the hash for the blank password.  Sorry!  I had not seen this ancient post (http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/RegistryTips/Miscellaneous/Whathappenswhensyskeyisinstalledandhowtogetridofit.html), which probably still has some validity.

2.  SYSKEY had not been enabled, but maybe because of the SysPrep issue, the password keys were not stored in the expected way.

I could also still be terribly confused.
0
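The first hypothesis above rests on a general stream-cipher property rather than on anything specific to Windows: when two plaintexts are XORed with the same keystream, XORing the two ciphertexts cancels the keystream, so knowing either plaintext reveals the keystream and with it the other plaintext, without the key ever being touched. The following is an added example, not from the thread, that shows the property with a textbook RC4 implementation and constructed 16-byte placeholder values (not real SAM data), together with the mitigation pattern: derive a distinct key per record so that no two records ever share a keystream. The key, the record identifiers and the SHA-256-based derivation are illustrative choices, not a description of how SYSKEY or the SAM actually work.

```python
"""Keystream reuse in a stream cipher, and the per-record-key fix (added example)."""
import hashlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream (key scheduling, then PRGA)."""
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RC4: plaintext XOR keystream. Decryption is the same operation."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def recover_from_reuse(c1: bytes, known_p1: bytes, c2: bytes):
    """Two ciphertexts under one keystream plus the first plaintext give back
    the keystream and the second plaintext; the key is never needed."""
    keystream = xor_bytes(c1, known_p1)
    return keystream, xor_bytes(c2, keystream)


def encrypt_unique(key: bytes, record_id: bytes, plaintext: bytes) -> bytes:
    """Mitigation pattern: a distinct key per record, so keystreams never
    repeat. Derivation is SHA-256(key || record_id), chosen for illustration."""
    per_record_key = hashlib.sha256(key + b"|" + record_id).digest()
    return encrypt(per_record_key, plaintext)


# Constructed placeholders standing in for two stored hashes; not real data.
KEY = b"constructed-demo-key"
OLD_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
NEW_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo_reuse() -> bool:
    """Same key for both records: knowing OLD_HASH exposes NEW_HASH."""
    c_old = encrypt(KEY, OLD_HASH)
    c_new = encrypt(KEY, NEW_HASH)             # same keystream: the flaw
    assert xor_bytes(c_old, c_new) == xor_bytes(OLD_HASH, NEW_HASH)
    keystream, recovered = recover_from_reuse(c_old, OLD_HASH, c_new)
    assert keystream == rc4_keystream(KEY, len(OLD_HASH))
    return recovered == NEW_HASH


def demo_fixed() -> bool:
    """Per-record keys: the same attack yields nothing useful."""
    c_old = encrypt_unique(KEY, b"record-old", OLD_HASH)
    c_new = encrypt_unique(KEY, b"record-new", NEW_HASH)
    _, guess = recover_from_reuse(c_old, OLD_HASH, c_new)
    return guess != NEW_HASH


if __name__ == "__main__":
    print("reused keystream leaks second record:", demo_reuse())
    print("per-record key blocks the recovery:  ", demo_fixed())
```

The design check this encodes is the one every reviewer applies to stream-cipher use: a (key, nonce) pair, and therefore a keystream, must be unique per message or record; if two records can ever share one, the confidentiality of both depends on nothing but the attacker not knowing either plaintext.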
 

Author Comment

by:stacystyles
ID: 17964211
Good Morning guys.  Well, I cheated and went with the link at loginrecovery.com.  Needless to say, in 10 minutes (I paid for the express service) my passwords were found.  I REALLY appreciate all of your time and efforts with this.  Pam and JR, how would you like the points awarded?  You both were such a big help.

Thanks,
Darren
0
 
LVL 1

Expert Comment

by:thepam
ID: 17967923
Hooray!  I propose let JR allocate 450 points (I bet JR would give you points, because you really stuck with the problem), and me 50 points (so I can use this problem as a bookmark).  All very interesting stuff.  I think I'm learning more than I offered.  Thanks, all!
0
 

Author Comment

by:stacystyles
ID: 17967929
No, thanks to you very much.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17969300
Well, I definitely think that Pam should get the Accepted answer.
By the way, sorry for not chiming in all day.  It was a stressful day at the grind.
Very nice service. I knew it wouldn't be long before someone got a good 99% effective rainbow table crack service up and running.
Good call, Pam.
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17969314
I really don't know HOW the points are done, styles, but I insist that the accepted answer get 70% or more, and I also strongly insist that Pam get the accepted, because you earned it, Pam.  I will always remember the site loginrecovery for future bouts with passwords. :)  Good day all!
0
 
LVL 2

Expert Comment

by:thelastoftheend
ID: 17971646
Glad you got your password figured out, stacystyles. I like all of your suggestions - they have some good potential!

Just as an alternative someone might try sometime... this is similar and worked great in the old days on NT4... have never tried it with XP or 2003....

Boot up with BartPE and navigate to c:\windows\system32. Rename logon.scr to logon.old. Copy winlogon.exe and rename the copy to logon.scr.

Logon.scr is the default Windows screen saver executable. After you reboot, wait 15 minutes (for the "Screen Saver" to execute). Since it is run under the context of the system account, it will log you onto the desktop with administrative privileges, at which point you can change the password to the Administrator account.

I don't have time right now to test this out on XP/2003, but if anyone cares to take the time I'd love to hear if it works!

Cheers.
0
 
LVL 1

Expert Comment

by:thepam
ID: 17976920
According to this post, the logon.scr trick will not work with Server 2003:

http://www.petri.co.il/forgot_administrator_password_alternate_logon_trick.htm
0
 
LVL 2

Expert Comment

by:thelastoftheend
ID: 17977178
Good to know - thanks!
0
