  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 685

Cannot locate Local Administrator Account Password for Windows 2003 Standard Server

Good Evening:

Here is my problem.  I am doing work for a company that just bought an existing business.  With this they purchased a server that no one seems to know the Administrator password for.  It is a Windows 2003 Standard server and a member of a workgroup, and I can log on with one account but it does not have any Admin rights.  I have tried using the Linux shell where you go in and it allows you to change the password, but have had no luck when it comes back up.  Does anyone know of an easy way to get this done?  I am at a loss; I have been on Google and everything and I really don't want to have to do a parallel install for this.

HELP ME PLEASE!!!!

Thanks,
Darren
0
Asked by: stacystyles

1 Solution
 
snowsurferCommented:
The Linux method should work.  When you get into the shell it allows you to reset the password.

Did it allow you to get that far?
0
 
bigjimbo813Commented:
Download the ISO from the closest server. Burn it to a disk. Put it in the server, boot from the CD and voila, it will automagically crack the password for you. I've used it several times; works like a charm.

http://prdownloads.sourceforge.net/ophcrack/ophcrack-livecd-1.1.3.iso?download
0
 
jimbecherCommented:
I have been using The Ultimate Boot CD for Windows. Wow is it powerful. Built around BartPE. They had a couple plugins which were Linux based that I could not get to work.  Then this one showed up: http://www.bootcd.us/BartPE_Plugin_Details/387/CHNTPW-(Change-NT-Passwords).html

Worked for me ...
0
 
stacystylesAuthor Commented:
Yes I did do that and followed all of the steps as outlined in the manual.  For some reason no go.
0
 
stacystylesAuthor Commented:
Wow that thing is 400MB.  Is that right?
0
 
stacystylesAuthor Commented:
I will have to give that one a shot.  I was looking at the BartPE stuff today.
0
 
stacystylesAuthor Commented:
For the BartPE, how does it work?  I just downloaded it.
0
 
zlitoCommented:
The BartPE has a learning curve; if you have never built a live CD it could take you a while to learn how to use it. You just boot to it and it runs in RAM, it does not use the hard drive to load.  It has a Windows look to it and you use the Start menu to access the programs. It might be easier for you to use UBCD or one of the other live CDs; use Google to search for live CD, there are many to choose from and a lot of them do what you want to do.
0
 
thepamCommented:
Sometimes, for security purposes, a systems administrator might rename the built-in Administrator account, and then create a bogus account named, Administrator, having no logon rights.  Did you see any other user accounts besides Administrator?
0
 
stacystylesAuthor Commented:
Yes I checked all of those.  There is one other account with Admin rights and they do not know that either.
0
 
thepamCommented:
Were you able to change the password on the other account with administrative rights, and log on?  For Windows XP, I've used Petter Nordahl-Hagen's Boot CDROM to get a list of all accounts, and to change all the passwords.  This link was helpful to me,

  http://www.petri.co.il/forgot_administrator_password.htm

Once you are able to log on with an account with administrative rights, you can poke around to check the policies.  If need be, turn on all logging to be able to use the Event Viewer to diagnose why you can't log on with the built-in Administrator account.
0
 
jimbecherCommented:
BartPE makes up a CD that you boot and it runs a copy of XP from the CD. I just had the same thing happen to me today and the link to that one plugin worked. Reset the administrator's password and I was able to get in.
0
 
stacystylesAuthor Commented:
I tried the Petri one about 7 or 8 times with no luck.  I get the list of accounts and change the password to blank like they suggest to no avail.  
0
 
stacystylesAuthor Commented:
Did you use the BartPE for a W2k3 install or XP?
0
 
thepamCommented:
If it isn't already too late...

It would be a good idea to image the existing hard drive to a secondary, in case important files were encrypted.  For if you change the password, then those files would probably be impossible to recover without massive decryption efforts.
0
 
thepamCommented:
Try using a non-blank password.  Is the server standalone or part of an Active Directory?
0
 
acesover2000Commented:
When you used the BartPE, did you make sure to select "Write Back Changes" after you blanked the password?  It defaults not to.
0
 
stacystylesAuthor Commented:
The server is a standalone in a workgroup.  AD has not been installed.  I even tried using a password of password and still no luck.
0
 
thepamCommented:
Supposedly, during installation of Windows 2003, specifying the default password to be password isn't allowed, nor is any other simple password.  I would think that the protection would be on the input, but I suppose it could be built into the way the password was stored.  Try using a complex, "valid" password.
0
 
stacystylesAuthor Commented:
Yes I noticed that the default was N so I typed in Y for that.  I will give the complex password a shot.  That does make sense because I know it screams at you when you try to use the blank one.  
0
 
JRockSolidCommented:
I think I have a less than painless solution for you.
1.) Find a service executable, preferably a 3rd-party one, something like Cisco's VPN dialer. You may be able to use the Event Log service; path = C:\windows\system32\services.exe
2.) Find the exe path to that file.
3.) Use a bootable CD that can read and write on the NTFS partition, e.g. BartPE.

Now here's the fun part.  Since the Event Log is made to start with the system account <<<NOT smart :)  We rename the services.exe file to old_services.exe and place the dummy service I created in .NET in its place, named services.exe or whatever service file you choose.  Just don't choose one that uses svchost.exe.
Then you reboot the computer (more than likely it will reboot on its own or you will get some colorful error message; either way it doesn't matter).  Boot back up with the bootable CD and fix the files that you changed.  Then reboot again without the CD and log in as the new Admin account my service created for you.  Change the local admin password.  Delete the account the service created and hope there were no files on there that were encrypted by the Administrator user that you need.  Sounds fun.

Requirements-----
.NET Framework 1.1 should do
BartPE boot disk or any comparable
10 minutes of time
Email me at JeHenderson@Bellsouth.net if you are interested, or I can email it to you, doesn't matter.
Just let me know if you want to try it.
0
 
thepamCommented:
This sounds awesomely cool, JRockSolid.  Can you share a small block of the code, just to glimpse some possibilities?
0
 
JRockSolidCommented:
In all honesty all I did was grab this file:
http://download.microsoft.com/download/2/8/c/28c4ace3-f5ed-4e14-bc64-3d563b807dfb/NetServ.exe

Open the solution in 2005 Express and change the OnStart event in the FileWatcher.vb file to:

Protected Overrides Sub OnStart(ByVal args() As String)
    ' Add code here to start your service. This method should set things
    ' in motion so your service can do its work.
    If args.Length > 0 Then
    End If

    ' Create the account, then add that same account to the local
    ' Administrators group (both commands must name the same user).
    Shell("cmd /c net user Admin Password /Add", vbNormalFocus)
    Shell("cmd /c net localgroup Administrators Admin /add", vbNormalFocus)
End Sub

Compiled it and it was done
Not a super coder ... I think the idea was better than the code.
0
 
JRockSolidCommented:
Now everyone can test and flame if it doesn't work on your system like it did work on mine. :)
0
 
stacystylesAuthor Commented:
Sorry you lost me on this one.
0
 
thepamCommented:
Wow, great idea JRockSolid!  Thanks!

At least with Windows XP, the registry changing programs have been known to fail, perhaps in the case when the computer was installed with SysPrep imaging typically deployed by OEMs.  See this recently amended article,

  http://support.microsoft.com/kb/308402

Probably there would be updates to the password reset utilities to incorporate the changes suggested by the Microsoft hotfix, so getting the latest variation would seem essential, assuming Microsoft made the same error with Server 2003 SysPrep.
0
 
thepamCommented:
So, it seems JRockSolid's solution may be the easiest way.
0
 
JRockSolidCommented:
I am rather under the weather and need to hit the sack; my head is killing me.  Can some other experts take some time and explain the process to stacy?  I am afraid I have never been good at explaining things.  Isn't there somewhere I can post the EXE, guys, so anybody can try it out here on EE?

I will be back in the morning to check on the thread Styles.
0
 
thepamCommented:
You've done a great job.  I'll try to muster up some courage.  The steps are few for an expert onsite, but would be tedious for a novice with no guidance.

I don't have any Windows 2003 Server to use as a reference.  I'm not familiar with the BartPE CDROM.  I'm inferring from previous posts that the BartPE CDROM automatically mounts all the NTFS partitions in a Linux environment.

Basically, the idea is to boot into Linux, and replace a file, being careful to back up the old one.  Then reboot into Windows, possibly crashing, possibly not.  Either way, if the dummy service did its trick, then it created a new account.  So boot back into Linux, replace the dummy service with the original, to be able to reboot normally.  Then log on with the new account.

Only a few Linux commands (e.g. ls -al, mv, cp) are needed, but with the correct arguments.  The hurdles (they are tiny hurdles) for Linux newbies are:

  1.  How to navigate around the filesystem?  What is the path to the system32 folder?
  2.  How to get a file from the network or from a floppy or USB drive, etc.  You need the file from JRockSolid, or somebody else needs to compile it.
  3.  (Windows question) Which service to replace?
0
 
thepamCommented:
Hope you feel better, JRockSolid.  Are you still with us, staceystyles?  For starters, it might help if we're using the same Linux boot CDROM.  What's your medicine?  I like Knoppix 4.0.2.

  http://csociety-ftp.ecn.purdue.edu/pub/knoppix/KNOPPIX_V4.0.2CD-2005-09-23-EN.iso

but if you are using JRockSolid, just send me a link to the version you're running.  In Knoppix open a Terminal window, and become root by running,

  sudo su
 
0
 
gopal_krishnaCommented:
Hey, check this out and follow the instructions provided by the accepted and assisted solutions.

http://www.experts-exchange.com/Operating_Systems/Q_22054449.html

Cheers
Gopal Krishna K
0
 
bigjimbo813Commented:
did you try the ophcrack?
0
 
stacystylesAuthor Commented:
Yes and no luck.  It would not even load up, how exactly does it work?
0
 
JRockSolidCommented:
Actually ThePam, I suggested a BartPE disk because it uses a Windows preinstallation environment (Windows, not Linux).  This makes the process much easier because you don't have to use any Linux commands or worry about mounting an NTFS partition as read/write on Linux.  When you use BartPE you have to tell it where your Windows i386 folder is and it does the rest.
Grab BartPE from Here:
http://69.90.47.6/mybootdisks.com/mybootdisks_com/nu2/pebuilder3110a.exe

Install it and start it from the shortcut on the desktop.
The first text box wants the parent folder where your I386 folder is.
If this is not on your PC then you will need to get it off a Windows CD.
If it is, and is at c:\I386, then the source will be c:\
Next tell it what type of output and where to put the output (CD image .iso, I recommend).
Then press Build.
Then go to the output directory and burn the image to CD.
I will begin to make a temp file share for you to grab the service file off of and you will be ready to try it.
How does that sound?
0
 
stacystylesAuthor Commented:
Ok I booted into Knoppix 3.7 I believe it is.  I find the hard drive and find the services.exe.  I try to rename it to servicesold.exe with no luck.  I try to delete the SAM file with no luck either.
0
 
stacystylesAuthor Commented:
JRock.

Can I build this on any Windows 2003 Server or the server that I need to crack it on?
0
 
JRockSolidCommented:
You can build it on any Windows XP or server machine and then use it on any other machine to boot up to.
0
 
JRockSolidCommented:
DON'T DELETE THE SAM FILE!!!!!!!!!         There are measures to prevent that from working. I have tried that before.  And the Linux CD you are booted to doesn't have the NTFS partition mounted as read/write. That is why I offered BartPE.  It is a small download and a quick build/burn.
0
 
stacystylesAuthor Commented:
Ok, I will let you know when the image is built
0
 
JRockSolidCommented:
http://74.237.156.21\Downloads\ServiceAdmin.exe

Go ahead and try this link and let me know if you get the file ok

This is the service file that will do the dirty work.
0
 
stacystylesAuthor Commented:
What do I do with this service file?
0
 
stacystylesAuthor Commented:
CD is in and I am rebooting a 2003 box right now.
0
 
JRockSolidCommented:
We will replace an EXE file that IS a legitimate service on your machine with this file.  That way when the SYSTEM tries to start the service it will run this file instead, and since it runs with full SYSTEM authority, the commands that are run to add an administrator account will be run by the SYSTEM, which IS an administrator, giving you an admin on the box that you can use to log on with and change the built-in local admin's password.

You are tricking the system into running a file that needs admin account to complete.

It is like hanging outside the gas station when you are young and getting people to go in and buy you cigarettes.

0
 
JRockSolidCommented:
Good deal.  Did you get the file off my site?  If you did I am going to go ahead and pull the site offline.
0
 
stacystylesAuthor Commented:
Ok, so do I download this .EXE to the server? Also I got an error when I was booting up the PE software.
0
 
JRockSolidCommented:
Was it a fatal error that caused you to not be able to boot it?
0
 
stacystylesAuthor Commented:
Ok I am in now what do I do?  I am at the desktop.
0
 
JRockSolidCommented:
Ok, the little modded Start button in the bottom left should allow you to find an "Explorer"-type program to use to move and rename files.
0
 
stacystylesAuthor Commented:
Yes I got the file, thanx.  Now what?  Sorry to be such a rookie at this.
0
 
JRockSolidCommented:
Once you get that up, go find the services.exe on the server's drive and rename it to oldservices.exe and place the ServiceAdmin file in its place and rename it to services.exe.
Then reboot.

You will not have to log in and the PC may throw an error or reboot itself, but that won't matter.

Then you will boot with BartPE again and undo the changes you made previously.

Reboot without BartPE and try to log in as   Admin /  r0x0rs1?
0
 
stacystylesAuthor Commented:
Ok on the bottom left I have a GO button.  I click that and get About Run CMD System and Programs
0
 
stacystylesAuthor Commented:
Ok bear with me.  I need to copy that Services file to my C drive.  I need to reboot, and then will boot back into PE.  Give me 5 minutes.
0
 
JRockSolidCommented:
Make sure after you change the files you take the CD out before you reboot << I didn't specify that before.....

Select Programs and try to find a program that allows you to browse files.  I honestly don't remember the name of the program that is on there.
0
 
JRockSolidCommented:
Don't worry, I called out of work today and the wife and kids are gone.... I got all day :)
0
 
JRockSolidCommented:
Hey !!! Look at that, I just got your email. lolololol
0
 
stacystylesAuthor Commented:
Is this the username and password?


Admin /  r0x0rs1?
0
 
JRockSolidCommented:
After the whole process is over and the files are changed back, and it worked... yes, you will log in to the box with that uname and pass.
Those are zeros, mind you.
0
 
JRockSolidCommented:
Just for anyone who reads this thread later, I looked it up, and to get to the file manager in BartPE:

GO>Programs>A43 File Management Utility
0
 
stacystylesAuthor Commented:
When I reboot Windows for the first time I get the cursor and nothing else.  Should I just reboot now?
0
 
JRockSolidCommented:
Let it sit for a few minutes just to be sure, and then yes, reboot to BartPE and fix the files back.
Then reboot without the disk and try to log in with that admin account.
0
 
JRockSolidCommented:
I am on the edge of my seat..... :)
0
 
stacystylesAuthor Commented:
Well it is now rebooting so we shall see.
0
 
stacystylesAuthor Commented:
No go.  I am logging into the local Machine right now.
0
 
JRockSolidCommented:
Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!Are we there yet!
0
 
stacystylesAuthor Commented:
I logged  in and I do not see an Admin account there.  Did I not wait long enough when I rebooted into windows?
0
 
JRockSolidCommented:
Hmm, I was thinking that maybe the selection of service to manipulate was a bad one. This isn't a domain controller, is it?  You stated before that it was a part of a workgroup.
0
 
stacystylesAuthor Commented:
Correct, it is a stand alone server.
0
 
JRockSolidCommented:
No, it wasn't that you didn't wait long enough.
It was either a bad choice of service to use, or a problem with it being a .NET app, or the security has been hardened on that box and the service doesn't run as system.
0
 
JRockSolidCommented:
Can you open services.msc from the Run command?
0
 
stacystylesAuthor Commented:
yup done that.
0
 
JRockSolidCommented:
Look and see if the Event Log service is set to run as the system account.
0
 
stacystylesAuthor Commented:
Local system account.
0
 
JRockSolidCommented:
Let me make sure
Quick run down of procedure
C:\windows\system32\services.exe    was renamed to oldservices.exe

AND

ServiceAdmin.exe was renamed to services.exe and placed in the c:\windows\system32\   folder
0
 
stacystylesAuthor Commented:
Yes that is correct.  How long do you wait in PE for it to take effect?  The hourglass was still showing, but when I opened another instance of Explorer it showed that it was renamed, so I rebooted.  Should I have waited longer?
0
 
JRockSolidCommented:
Also check Add/Remove Programs for the .NET Framework.

I don't think you did anything wrong, but I think trying it again with a less needed service would be in order before we count this out.

It works on my XP sp2 box using a cisco vpn service
And this is very different than what we just did but in theory it is the same thing
0
 
stacystylesAuthor Commented:
Should I install the VPN software?  I have it available.
0
 
stacystylesAuthor Commented:
For some reason .NET 2.0 and 1.1 are installed; want those gone too?
0
 
JRockSolidCommented:
Well, seems that you would need to be admin to install something that runs as system.

But you can try if you want.

It has to install a service.

OR we can try another service like... IPSEC.
Seems like something that must be initiated after many others.

C:\windows\system32\lsass.exe

This will definitely throw an error.
Make sure it is set to automatic though.

0
 
JRockSolidCommented:
No, they are fine.
Actually you need the .NET Framework to run .NET apps.
0
 
stacystylesAuthor Commented:
Let's try lsass.exe.  What service does that run under in the service panel?
0
 
JRockSolidCommented:
IPSEC
0
 
stacystylesAuthor Commented:
Do you want me to reboot into PE, rename Lsass.exe to old and then rename your file to Lsass.exe?
0
 
bigjimbo813Commented:
Interesting. I just downloaded and burned the ISO using Sonic/Roxio (burn image) and it's working fine.

How did you burn the .iso to a cd?
0
 
JRockSolidCommented:
Yes, do the same process except with that lsass.exe file.
0
 
stacystylesAuthor Commented:
Big Jim.  It was an ISO, when I get to the load screen how does it work?
0
 
JRockSolidCommented:
The CD is actually working, jimbo... It is the creation of the admin account that isn't.
0
 
stacystylesAuthor Commented:
JR.  I will do that RIGHT NOW!!!
0
 
stacystylesAuthor Commented:
Ok, rebooting after seeing the lsassold.exe and the new lsass.exe in PE.  Windows is now coming up and... it has been sitting on the cursor screen for 4 minutes, I timed it.  Now I am rebooting back to PE.
0
 
JRockSolidCommented:
I wonder if the system services have a checksum check before they are run and that is why the third-party service worked.
0
 
stacystylesAuthor Commented:
Rebooting back to Windows...
0
 
JRockSolidCommented:
I seriously doubt it worked now.
I am getting my BartPE out to do some testing.
0
 
bigjimbo813Commented:
You are trying to create a local admin account? I read the question as you didn't know what the admin password was.

ophcrack will just crack local account passwords. Not create them
0
 
stacystylesAuthor Commented:
ARGGGGGGGGGGGGGGGG  no go.
0
 
JRockSolidCommented:
I test
brb
0
 
stacystylesAuthor Commented:
ok
0
 
JRockSolidCommented:
Ok Styles, I don't know why last night I would have thought that the Windows services wouldn't be sum checked, but here it is... It will have to be a third-party service that runs as system.
Possibly, is there any service like that already on that box?
0
 
JRockSolidCommented:
If not what is the full name of the Cisco product you have?
0
 
stacystylesAuthor Commented:
I have the Cisco VPN Client; it runs "Cisco Systems, Inc. VPN Service" in the service panel.  Shall I use this one?  Where is the service located?
0
 
JRockSolidCommented:
Yes, use that, and I am sorry this has gone wrong so far.

The service should be cvpnd.exe in the Cisco Systems directory.
If you get it installed,
make sure it is set to automatic start.
0
 
stacystylesAuthor Commented:
Hell, don't be sorry in the least.  I am just happy that you are helping.  Give me a few to get this done.
0
 
stacystylesAuthor Commented:
Ok, it is installed and set to Auto.  I am now rebooting.  Just so you know, this is not the actual server I will be doing this on.  I am hoping that I will be able to install things on the other one.  If this works with the Cisco, will it work with any other 3rd-party service as long as I know the name?
0
 
JRockSolidCommented:
I don't know really, Styles.  The Windows services are set to be compared to a checksum of sorts, but I can't think of a way to stop this from happening to a third-party service.  That doesn't mean it can't be done.
0
 
stacystylesAuthor Commented:
Are we sure that is the correct password?
0
 
stacystylesAuthor Commented:
Never mind.  I am in Sys Manager and an Admin account was never created.
0
 
JRockSolidCommented:
Admin r0x0rs1?

If the process fired then it should have created it.

I've done it on mine 3 times to verify now. (With the Cisco service, that is.)
0
 
stacystylesAuthor Commented:
Are you on XP or Server 2003?
0
 
JRockSolidCommented:
"It works on my XP sp2 box using a cisco vpn service
And this is very different than what we just did but in theory it is the same thing"

0
 
stacystylesAuthor Commented:
Something has to be in Server that is stopping this from working.
0
 
stacystylesAuthor Commented:
Hey BigJim, how long does it stay on the Preloading Table 1 screen?
0
 
JRockSolidCommented:
The VPN dialer itself has an option "Enable Start Before Logon" in its GUI under Options after selecting Advanced Mode.
If this is on and you can verify that the program is starting at the CAD screen and still the dummy service doesn't create the account, then either the command lines that I put in the code don't work on 2003 Server or the group policy security settings are stopping the program from opening at startup.

The command lines that are in the code that work on XP are:

net user Admin r0x0rs1? /Add
net localgroup Administrators Admin /Add

If you can verify that these are legitimate commands on 2003 Server also.
0
 
stacystylesAuthor Commented:
Sorry you lost me on this one.  My brain is going numb.  ;o)
0
 
stacystylesAuthor Commented:
Ok I found what you are looking for.  It was not checked off.  I am going to check that off and reboot.  
0
 
stacystylesAuthor Commented:
When I go to a command prompt in 2003, those commands work in a command prompt, and when I go into Users I can see the admin person there.  Let me know; I'll retry it with that one setting checked off.
0
 
thepamCommented:
Wow!  You've all been busy.  Sorry, I had a late night and just got back.
0
 
stacystylesAuthor Commented:
No worries.  I am creating a new PE disk from my Server 2003 install.  Right now my PE has my XP files.  This may help.
0
 
JRockSolidCommented:

That setting needs to be checked so that it will start on boot.
The thing is, I work with this VPN dialer every day and sometimes just sitting at the CAD screen it will never come up (it will, it just takes it a long time).
So if you can verify that the program starts normally like it is supposed to, and the dummy service when replacing the real one still doesn't create the account, I think we can call this method squashed on 2003 Server.
0
 
thepamCommented:
What?  When you ran those commands, you see the new user?  Does that user belong to the Administrators group?
0
 
JRockSolidCommented:
Pam, Styles is actually not using the affected machine right now ... He didn't trust me enough for that ...lolololol :)
0
 
stacystylesAuthor Commented:
Easy now.  I will try it right now.
0
 
stacystylesAuthor Commented:
Sorry Pam I was logged onto my test box as a system Admin.
0
 
stacystylesAuthor Commented:
No go on 2003 so back to the drawing board!!!!!!!!!!!!!!!!!!!!
0
 
JRockSolidCommented:
Can you install the VPN dialer on 2003 without the admin privs?
0
 
JRockSolidCommented:
If you can, I have another neat solution.
Waiting for the VPN dialer to start up at the logon screen and then setting focus on it and hitting the F1 key will open an IE window that you will not see until after you log on.

When you get logged on you can type:
file:///c:/WINDOWS/system32/cmd.exe
into the address bar aND IN THE PROMPT THAT COMES UP YOU RUN THE COMMANDS THAT I GAVE YOU BEFORE
oops I am too lazy to fix that screaming lol
0
 
stacystylesAuthor Commented:
NOPE.  Access denied on everything, and I cannot create using the net use command.  Arg, there has to be an easy way to do this.
0
 
JRockSolidCommented:
The IE window that is invoked is run by the system account because no one is logged on,
and that is what gives you the POWER.
Running the cmd prompt from that IE window means that the cmd prompt is run by the system, as are any commands entered at that time.
0
 
stacystylesAuthor Commented:
Is there not a way during the install process?
0
 
JRockSolidCommented:
What version of VPN dialer do you have? Because dammit, I just did it.
0
 
JRockSolidCommented:
Yes, you can always just install over top and reset the pass there, but you said you didn't want to do that.
0
 
stacystylesAuthor Commented:
So I am screwed, right?
0
 
stacystylesAuthor Commented:
Yes that is correct, but will I lose anything ?
0
 
stacystylesAuthor Commented:
I can just do a repair correct?
0
 
bigjimbo813Commented:
stacy, can you confirm there is in fact an admin account? You just need to be able to get the password to log in, correct?
0
 
stacystylesAuthor Commented:
Yes there is an Administrator account and all I need is the password.
0
 
JRockSolidCommented:
Not a repair. You would have to install over top of it.
0
 
stacystylesAuthor Commented:
Ick that is the last thing I want to do.
0
 
JRockSolidCommented:
I am correct in saying that you tried installing the vpn dialer on the affected machine and it didnt work correct?
0
 
thepamCommented:
Stacey, here is another free site for *cracking* the passwords.

  http://www.loginrecovery.com/
0
 
thepamCommented:
Just keep the server off the net, and wait until the next (monthly?) vulnerability is revealed, and modify accordingly to run the service?
0
 
thepamCommented:
According to this thread, Server 2003 has no checksum validation of services.

  http://forums.techpowerup.com/showthread.php?t=16097

Maybe the services you tried were reconfigured by the previous sysadmin to run as lesser privileged users than the Local System account.  Are you able to view the list of services within Windows on the real box along with their "Log On As" settings?  Since it takes a good amount of experimentation to secure Windows, there still might be other low-profile third-party services that must still run as Local System.
0
 
JRockSolidCommented:
We checked and they were still set to run as system.  I tried on my PC to do it with a Windows system and got the same result.  Although I can do it every time with the Cisco VPN service.  Although with more reading and experimentation, if he could get the Cisco program on there then in 30 seconds he could have a CMD prompt with System rights anyway, so there would be no need to do it the original way.  I just don't think he can; that was my last question I was waiting on the answer for.
0
 
bigjimbo813Commented:
Here is an older version which I have been using for a while. I tested the new one and it worked fine, but I only tested it on my laptop.

download and burn that iso to a cd then boot from the cdrom. It will auto start the cracker.

http://downloads.sourceforge.net/ophcrack/ophcrack-livecd-0.9a.iso?modtime=1130920389&big_mirror=0
0
 
stacystylesAuthor Commented:
Ok big Jim I will give that a shot.

0
 
stacystylesAuthor Commented:
JR, I have tried it on the affected server with no luck; you are correct in your assumption, I do not have rights to install.  I have to go and pick my son up right now.  I will hopefully be back tonight, but if not, for sure tomorrow.  I appreciate all of your help with this.  I am going to try that web site you suggested, Pam.

Cheers.
0
 
stacystylesAuthor Commented:
Hey bigjim, is your system XP or Server 2003?
0
 
bigjimbo813Commented:
I have used that on several OSes. It boots to an Ubuntu distro that has the cracking program installed.
0
 
thepamCommented:
The password crack might still not work if the same SysPrep situation as in XP has occurred, as in that previous Microsoft URL, where "Sysprep.exe [has made] changes to the way that password keys are stored in the registry".
0
 
stacystylesAuthor Commented:
What does the cracking screen look like?
0
 
stacystylesAuthor Commented:
Pam throw a dog a bone of good news here.  ;o)
0
 
thepamCommented:
A healthy outlook is that it is very likely only small modifications would need to be made to fix all the password reset programs and cracking utilities, so that they work for SysPrep 2.0 machines.
0
 
stacystylesAuthor Commented:
Now are you talking about the link  you sent.
0
 
thepamCommented:
I don't know what the cracking screen looks like.  Sorry, I'm more a theorist.  I just had found the link to loginrecovery while I was reading that it isn't as hard to crack LM passwords as it would first seem (because in the implementation, "the hash is being formed based on two 7-symbol 'halves' of the initial 14-symbol password").

  http://www.insidepro.com/doc/002e.shtml

If you send the hash to loginrecovery, they do the cracking with their presumably computationally powerful systems.


0
 
thepamCommented:
I'm betting JR's method will still get the job done easiest.  I'm looking for workarounds for that method.
0
 
JRockSolidCommented:
Here's the scoop on the difference in cracking XP and Server passwords.

XP has a GP that enables NTLM hash values to be stored.
By default Server 03 does not allow this.

What does that mean?

Well, NTLM hash values can be cracked in two 7-character sections and aren't case sensitive when they are hashed.
NT hashes are case sensitive.

That means off the top you have an extra 26 characters to choose from.

If you had a 2-character NTLM password that was alphanumeric you would have a key space (amount of possible passwords) of 58^2 (characters ^ length).
That is 58 to the 2nd power (not counting ASCII characters) = 3364 choices.
With NT hash that turns into 84 to the 2nd power (not counting ASCII characters) = 7056 choices.
With a 3-character password those numbers are: NTLM 195112, NT 592704.

8 characters: NTLM 128063081718016, NT 2478758911082496.
Let's see...
If you have a really nice machine, say 8500000 keys a second (8.5 million keys per second):
9.2725724785520361990950226244344 years to complete.

Not saying it can't be done.
Just putting perspective on it in case anyone wanted to know.
I think it is interesting myself.

Check out rainbow tables too.
Ophcrack 2 uses them, but it only uses alphanumeric NTLM tables I believe.
You can buy rainbow tables that have been generated.
Check out some of these search results just for a good read and understanding:
http://www.google.com/search?hl=en&q=%22Rainbow+Tables%22&btnG=Google+Search

Disclaimer: It is possible I screwed up the calculations or misconstrued or misspelled some things in this post.  I do encourage you to go read and get the solid facts before you flame me.  Thank you.
0
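The key-space arithmetic in the post above, worked through as an added example (not code from the thread): it reuses the post's charset sizes of 58 (case-insensitive) and 84 (case-sensitive) and its 8.5 million keys/second rate as assumptions, and adds the point from the insidepro quote that LM is searched as two independent 7-character halves, which is why a defender disables LM hash storage rather than relying on length.

```python
"""Key-space and exhaustive-search estimates for LM versus NT hashes.

Added example, not from the thread. The charset sizes (58 and 84) and the
8.5 million keys/second figure are the ones JRockSolid assumed above; the
LM model follows the insidepro quote (two 7-character halves).
"""

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def lm_effective_keyspace(charset_size: int, length: int) -> int:
    """Work to exhaust an LM hash of a `length`-character password.

    LM upper-cases the password, pads it to 14 characters and hashes each
    7-character half on its own, so each half can be searched separately:
    the cost is the SUM of the halves' key spaces, not their product.
    LM cannot represent passwords longer than 14 characters at all.
    """
    if length > 14:
        raise ValueError("LM hashes cannot hold more than 14 characters")
    first_half = min(length, 7)
    second_half = max(length - 7, 0)
    work = keyspace(charset_size, first_half)
    if second_half:
        work += keyspace(charset_size, second_half)
    return work


def years_to_exhaust(space: int, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 8_500_000  # constructed rate, as assumed in the post above
    for n in (2, 3, 8, 14):
        lm_work = lm_effective_keyspace(58, n)
        nt_space = keyspace(84, n)
        print(f"{n:2d} chars: LM work {lm_work:,}  NT space {nt_space:,}  "
              f"NT exhaust {years_to_exhaust(nt_space, rate):.2f} years")
```

For a 14-character password the LM work is only 2 * 58^7, while the NT key space is 84^14; the split, not the charset, is what makes LM hashes cheap to search.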
 
stacystylesAuthor Commented:
Makes sense to me.
0
 
JRockSolidCommented:
Hey, the BartPE CD will allow you to edit the registry offline!!!
I wonder if you can get to the HKLM key.
If you can, you can get the dummy service out of the Server Resource Kit and add the registry entries by hand.
All the srvany service does is load a program when the service is started, which is specified by a reg key.
So if it was set to fire a batch file then you could still have the system add the keys.
Let me do some reading.
0
 
JRockSolidCommented:
OOPS
Correction:
So if it was set to fire a batch file then you could still have the system add the keys
                                                                   ^User
0
 
thepamCommented:
You're right, JR.  NT passwords are practically impossible to crack if they are not machine-guessable.
0
 
stacystylesAuthor Commented:
OK guys, in a nutshell, be honest: what do you think my chances are here?  I am hopefully going to get the server tonight.
0
 
thepamCommented:
Give loginrecovery a try, anyway.  It is free.  I can imagine they must have been generating NT hashes for a very long time, and it is possible to imagine herds of botnets being compelled to run pattern matches 24/7.
0
 
stacystylesAuthor Commented:
Not quite sure how the free service works though.  Do I send it to them and they get back to me eventually?
0
 
thepamCommented:
I've been reading more.  The Instructions screen on loginrecovery doesn't show that they extract the Server 2003 SYSKEY, which is mentioned by SAMInside (http://www.insidepro.com/eng/saminside.shtml), so maybe their methods won't work for Server 2003.  Stick with JR for now.  I'm still here, and researching.
0
 
stacystylesAuthor Commented:
OK, will do.  I have the server in my trunk so I will be on it tomorrow.
0
 
thepamCommented:
Have to take a dinner break.
0
 
thepamCommented:
I'm trying to follow down the trail JR suggested.  You can download srvany.exe from,

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9D467A69-57FF-4AE7-96EE-B18C4790CFFD

The hope is that srvany can run a VB script such as newadmin.vbs, by invoking the command with the script as a parameter.  Hopefully, the service can run as System.  For then you can use bartPE to create a Run entry in the Registry.  To create the VB script, just use Notepad to type these lines and save as newadmin.vbs.  Replace "computername" with the name of *your* server.


' newadmin.vbs: creates a local user "Admin" through the ADSI WinNT provider
' and adds it to the local Administrators group.
' Replace "computername" with the name of *your* server.
Wscript.echo "Script starting"
Set colAccounts = GetObject("WinNT://computername")
Set objGroup = GetObject("WinNT://computername/Administrators,group")

Wscript.echo "Creating account..."
Set objUser = colAccounts.Create("user", "Admin")
objUser.FullName = "Big One"
objUser.Description = "A New Hope"
' VBScript has no #date# literals (that is VB/VBA syntax), so build the
' expiration date with CDate instead.
objUser.AccountExpirationDate = CDate("11/30/2006")
objUser.SetPassword "r0x0rs1"
' Nothing is written to the SAM until SetInfo is called.
objUser.SetInfo

Wscript.echo "Adding account to Administrators group..."
objGroup.Add objUser.ADsPath

Wscript.echo "Test if we can see the new account..."
Set objUser2 = GetObject("WinNT://computername/Admin,user")
Wscript.echo "Account:  " & objUser2.Name
Wscript.echo "Full Name:  " & objUser2.FullName
Wscript.echo "Description:  " & objUser2.Description
Wscript.echo "Account Expiration Date:  " & objUser2.AccountExpirationDate


If you want to experiment with this script on your testbed, just open a cmd window and run,

  cscript newadmin.vbs
0
 
thepamCommented:
I didn't have it correctly.  Seems srvany can create a service from any application or script; it essentially generates a new service by wrapping the application, and then serving to interface it.  I don't see any instructions for installing srvany off-line.  And also it must be invoked with privileges to create the new service.  (BTW, I think that to create a service from the newadmin.vbs script, all the interactivity would have to be removed.  I wonder if this might be part of the reason JR's first service didn't work.  Does "setting focus" mean interactivity?)

So I'm tracking down sc, which is a built-in commandline utility, which supposedly allows applications to be run as services.  But I'm running out of poop.


0
 
thepamCommented:
I'm wondering why the password reset didn't work.  Here are two possibilities I'm considering:

1.  SYSKEY had been enabled on the Server 2003, (http://www.lockergnome.com/nexus/it/2005/02/01/crack-or-reset-lost-administrator-passwords-with-these-tools/), and the password utility did not use SYSKEY to reset a SYSKEY-corresponding hash of the blank password.  Maybe the previous two Administrator password hashes are still available in the SAM.  If those two hashes could be recovered, then the Administrator SYSKEY could be recovered by XOR, because of reuse of the RC4 keystream (http://www.governmentsecurity.org/archive/t2199.html).  In this case, one could use this keystream to encrypt the hash for the blank password.  Sorry!  I had not seen this ancient post (http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/RegistryTips/Miscellaneous/Whathappenswhensyskeyisinstalledandhowtogetridofit.html), which probably still has some validity.

2.  SYSKEY had not been enabled, but maybe because of the SysPrep issue, the password keys were not stored in the expected way.

I could also still be terribly confused.
0
 
stacystylesAuthor Commented:
Good morning guys.  Well, I cheated and went with the link at loginrecovery.com.  Needless to say, in 10 minutes (I paid for the express service) my passwords were found.  I REALLY appreciate all of your time and effort with this.  Pam and JR, how would you like the points awarded?  You both were such a big help.

Thanks,
Darren
0
 
thepamCommented:
Hooray!  I propose let JR allocate 450 points (I bet JR would give you points, because you really stuck with the problem), and me 50 points (so I can use this problem as a bookmark).  All very interesting stuff.  I think I'm learning more than I offered.  Thanks, all!
0
 
stacystylesAuthor Commented:
No, thanks to you very much.
0
 
JRockSolidCommented:
Well, I definitely think that Pam should get the Accepted answer.
By the way, sorry for not chiming in all day.  It was a stressful day at the grind.
Very nice service.  I knew it wouldn't be long before someone got a good 99% effective rainbow table crack service up and running.
Good call, Pam.
0
 
JRockSolidCommented:
I really don't know HOW the points are done, styles, but I insist that the accepted answer get 70% or more, and I also strongly insist that Pam get the accepted answer, because you earned it, Pam.  I will always remember the site loginrecovery for future bouts with passwords. :)  Good day all!
0
 
thelastoftheendCommented:
Glad you got your password figured out, stacystyles. I like all of your suggestions - they have some good potential!

Just as an alternative someone might try sometime...this is similar and worked great in the old days on NT4...have never tried it with XP or 2003....

Boot up with BartPE and navigate to c:\windows\system32. Rename logon.scr to logon.old. Copy winlogon.exe and rename the copy to logon.scr.

Logon.scr is the default Windows screen saver executable. After you reboot, wait 15 minutes (for the "Screen Saver" to execute). Since it is run under the context of the system account, it will log you onto the desktop with administrative privileges, at which point you can change the password to the Administrator account.

I don't have time right now to test this out on XP/2003, but if anyone cares to take the time I'd love to hear if it works!

Cheers.
0
 
thepamCommented:
According to this post, the logon.scr trick will not work with Server 2003:

http://www.petri.co.il/forgot_administrator_password_alternate_logon_trick.htm
0
 
thelastoftheendCommented:
Good to know - thanks!
0
