Is there a way to get into virtual servers on VMWARE without the admin passwords?

I have a friend who hired an IT consultant who set up 2 virtual servers for him. This consultant is now refusing to give the owner the passwords to his environment. Is there any way to get him into his environment without the cooperation of the IT consultant?
I believe the consultant is extorting my friend. I can get physical access to the servers but cannot log in without the passwords.
I would be walking into a blackbox scenario here.
Andre P Asked:
 
Lee W, MVP, Technology and Business Process Advisor Commented:
If the hired consultant is refusing to provide you the information you require, TERMINATE HIS SERVICES.

"I understand you do not wish to provide the necessary administration credentials.  We are not comfortable with this.  Either they are provided in a sealed envelope we can keep in a safe just in case or we will be forced to terminate your services and seek assistance from a technology provider that is willing to work with us."

Let me be clear, depending on your agreement, he may be providing a fixed rate to care for and monitor the network and that fixed rate may depend on assurances (in part, knowing you cannot modify things) that your network will be fully under his control.  This IS reasonable if he's providing a fixed monthly service fee.  HOWEVER, the idea of having a separate administrative account with credentials stored in a safe place that is verifiable not accessed except in an "emergency" is reasonable in my opinion.  If you agree and that's what you want and this consultant is not providing that, then you need a new consultant.  PERIOD.

I do not know VMWare that well but in the one instance I had to access a server I didn't have access to, I built a new VMWare install on a new drive within the server and booted that, importing the existing VMs.  Once imported, you can create another Windows VM and then attach the server OS VMDKs and use tools and utilities freely available to reset the admin passwords on the domain.  Any good Windows Admin should be able to do this for you but may need to be local to get it done.
0
 
John Hurst, Business Consultant (Owner) Commented:
The consultant was paid to do the work for the company. The passwords belong to the company. Get your company lawyers involved as what the consultant is doing is illegal in terms of any business arrangement or contract.

"I believe the consultant is extorting my friend"

You can also contact the police.
1
 
asavener Commented:
What is the OS?

I know that Windows through 2008 can have the administrator password reset via an ISO.

You can get root access on Linux at boot, if you have console access.


Basically, it's the same as if you had physical access to the server.

Windows:  http://www.wintips.org/reset-windows-account-password/
Linux:  http://www.cyberciti.biz/faq/linux-reset-forgotten-root-password/
1

 
WalkaboutTigger Commented:
If these are Active Directory Domain Controllers, STOP!!!  DO NOT FOLLOW THIS PROCEDURE!!!

I presume the virtual machines are running a Windows operating system.  If so, it is relatively trivial to break into them, VM or not.

I am presuming you have the administrative credentials for the VMWare host - root's password.

Go to this page and download the bootable CD image.

Unzip this file, mount the ISO on the machines' virtual CDROM drive, change the virtual BIOS to allow booting from CD, boot the VMs from the CD, zero-out the password (presuming there are no encrypted files), write the changes, restart the boxes and VOILA!  You're in as the local administrator with a blank password.

As John indicates, this is a violation of 18 U.S. Code § 880 - Receiving the proceeds of extortion and 18 U.S.C. § 1951 : US Code - Section 1951: Interference with commerce by threats or violence.

Unless there is substantive, contractual reason the consultant is failing to provide administrative credentials to said servers, whether the consultant has been compensated for their work, if they are refusing to disclose said credentials unless material or monetary transactions are performed, or are threatening physical violence, they are in violation of both of these federal statutes and possibly state or local statutes as well.

Your friend should immediately contact their legal counsel who will be able to provide them appropriate counsel in regards to the detailed facts of the case.

If the computers are at all responsible for financial transactions which may cross state lines, such as Internet sales, said consultant could also be in violation of impeding interstate commerce, yet another set of felony charges.

Before you do anything, even following the above procedure, get the attorneys involved.
0
 
Andre P (Author) Commented:
The lawyers will not prevent my friend from losing his data.
The extortion (I probably used the wrong terms) is that he wants to hike his fees above where my friend wants to pay, and he is not in a position to get a better deal or even a quote. I call it extortion because without the passwords the guy can charge whatever he wants. Right now the situation is not hostile yet, but there needs to be a plan B.
I believe these are Windows virtual servers 2012; one is Exchange.
0
 
WalkaboutTigger Commented:
Is either one an active directory controller?
Do you know the Domain Administrator password?
Where is he located such that he has no options but this one consultant?
This situation is PRECISELY extortion.  Said consultant is failing to provide the credentials in lieu of raising his rates.  Not merely immoral and unethical, but genuinely criminal.
The lawyers get involved to guide you and your friend, not to contact this criminal.
0
 
Andre P (Author) Commented:
Walkabout Tiger,
He does not have access to the VMware host root. He basically had someone set this up and let them "do what they do" while he focused on the business. All he knows is that there are virtual servers and that one of them runs Exchange.
0
 
Andre P (Author) Commented:
No passwords. Just physical access. Total black box.
0
 
John Hurst, Business Consultant (Owner) Commented:
You have to figure out a way to boot the VM offline. I have not seen that done.
0
 
WalkaboutTigger Commented:
Booting the VM offline is easy.  Getting the VM Host root password is not at all trivial.
What version of VMWare is being used?
If things are still cordial, for what reason is the consultant claiming he is withholding these credentials?  That doesn't sound at all friendly to me.
0
 
John Hurst, Business Consultant (Owner) Commented:
Publish the Consultant's Name and Address PUBLICLY here - you can do that. Tell him you have done so that an entire community of experts can blacklist him.

See if he wants NO business.
0
 
Andre P (Author) Commented:
He is passive-aggressively not returning calls, etc. He isn't saying NO, he just isn't complying with requests. My friend is afraid of getting more aggressive because he is afraid that things could go horribly wrong. I have not seen the boxes so I don't know the version. I would like to give him another option before he turns this into a thing...

Understand he wants to preserve his data. Even the backups are only known by this consultant. He could lose his business. What I am looking for is a secret ace he can have that can mitigate the potential risk from this consultant.
0
 
WalkaboutTigger Commented:
Actually, that could be considered extortion as well, John.
Instead, Andre, do you have another server you can install VMWare on to test something to ensure it will work with the version of VMWare your friend is running?

Step 1 is recovering / resetting the root password on VMWare.  Step 2 is recovering the Windows administrator password.  If this is a domain controller, which I suspect it is, you are surely out of luck and will need to have the consultant provide the credentials or rebuild the systems from scratch.

Are these servers at all usable?  As in, can they be logged into at all?
0
 
John Hurst, Business Consultant (Owner) Commented:
You can publish names and addresses of public consultants. Saying why should be verbal but it should be obvious to the consultant.

That is in no way extortion.
0
 
Andre P (Author) Commented:
The servers are functioning. The consultant has not done anything to damage the business. He is afraid that should he get aggressive then it COULD go that way.
Walkabout, I agree that one of them is probably a DC.
I suppose I could suggest that he purchase another server to test.
0
 
John Hurst, Business Consultant (Owner) Commented:
Buying new gear costs money as a result of the consultant's actions. At least get your lawyer involved and ask about getting the police involved.
0
 
WalkaboutTigger Commented:
Andre, this can be done with any computer that supports virtualization in BIOS, which must be enabled.
In the short term, your friend can pay the consultant but he really should be calling his lawyers to determine his legal standing.
I find your friend's consultant's behavior reprehensible.  The right thing to do is provide the credentials and then charge through the nose if your friend breaks anything.  It is utterly stupid, not to mention criminal, to withhold the information.
0
 
John Hurst, Business Consultant (Owner) Commented:
This is why, in addition, I recommend publishing the name and address of the consultant here. This is not illegal in any way to do. It is public information (yellow pages if you will) posted here.
0
 
Andre P (Author) Commented:
Yes,
This tarnishes the trust we need to do our work.
Owners of businesses should have this information in a safe somewhere.
0
 
Andre P (Author) Commented:
Lee, you may be right in the case that I believe it is a fixed rate contract. How does that preclude the owner from having credentials or being able to access his own data or shop for other services should he choose?
0
 
John Hurst, Business Consultant (Owner) Commented:
He may want a small additional fee that can be negotiated, but holding server authorization ransom is (from my point of view) illegal. That is why you need a lawyer.
0
 
Lee W, MVP, Technology and Business Process Advisor Commented:
Think about it this way: If the owner has the ability to change settings on the network, then he COULD do it at any time.  Doing so COULD alter something and cause an issue that would otherwise NOT have occurred and in turn cause the consultant to do work on the system without compensation (because he's supposed to provide a flat rate).  

Here's a scenario: suppose I'm your friend.  I notice I'm low on disk space on the Exchange server.  I log in and delete Exchange logs.  It's innocent enough... I certainly don't mean to cause a problem... but it seemed like such a simple thing, why bother the consultant... only the next morning there's a problem with Exchange... and now the consultant has to fix it... and that problem was caused by the actions of the owner.

My agreements with my flat fee service clients are to provide an envelope with an admin account and password that is SEALED.  If that envelope is opened for any reason without my authorization, it's a $500 fee.  You have the keys.  You are ABSOLUTELY NOT to use the key except if I get hit by a bus or otherwise disappear for more than 24 hours.  My perspective is that I DO NOT own the network, but if you want me to provide a flat fee for service, you must grant me EXCLUSIVE control over it.
0
 
Lee W, MVP, Technology and Business Process Advisor Commented:
And a sealed envelope with some kind of unique marking (even his signature) can be checked at any time.
0
 
Andre P (Author) Commented:
Lee,
That's very interesting.
Perhaps that could be a way for him to ask for the credentials?
But then what if your client wants to shop for an alternative to you without your knowledge? Any prospect would need to know what they are working with, and to do that would need to see the system.
Once that envelope is opened...
That would be an issue, no?
0
 
John Hurst, Business Consultant (Owner) Commented:
The above is a way, of course. I have been consulting for 15 years and I make sure business management or my colleague have what they need. Trust has never been broken.
0
 
Lee W, MVP, Technology and Business Process Advisor Commented:
You have to trust that everyone, including your friend will behave professionally and honorably (they should be one and the same).  There are, without question those who are not.  But if your friend has a problem with the service, he needs to discuss it with his provider.  I have reasonable clients... and I've unreasonable ones.  And I've fired clients too unreasonable.  

Like I said, you open that envelope without my authorization I charge you $500 or we part ways.  That simple.  Both parties have to understand that and even if your friend THINKS they opened it reasonably, has to be prepared and willing to pay.  *I* might be willing to waive that fee or reduce it depending on what was done and why.  But I don't have to.  There should be an agreement in place that defines when that envelope can be opened.

Your friend needs to review his agreement with the provider and potentially demand it be renegotiated.  But (despite my using the word demand) be reasonable and understanding of the potential risk the consultant is taking giving you that information...

Here's another scenario - your friend, while logged in as a domain admin for a "simple" task on his computer, checks his yahoo mail and accidentally opens a worm that, because it's run as a domain admin, now infects all systems on the network.  Your consultant is on a flat fee and now has to rebuild 10 different computers over two days... He'd have to worry about only one if your friend hadn't been logged in as a domain admin!  You just cost that consultant a lot of money.
0
 
Andre P (Author) Commented:
Lee, I understand what you are saying and I agree with most of it. The thing I guess that confuses me is the idea that the OWNER of a business has to pay you to look at the systems that he is paying you to support. I can understand a previous poster's position that the client should pay if they BREAK something. Your solution precludes the client from verifying that his system is being cared for properly.
I give you an example:
A consultant is on a flat fee and does the bare minimum to keep the system running. He is not patching or making sure it's secure from hacking. The system has not crashed much but still is vulnerable to data exfiltration.
Under your scenario the owner is precluded from auditing the quality of the work he assumes is being done without paying the 500 fee for opening the envelope.

At any rate,
I still would like to know what technical options are available should the system access be denied to my friend.
0
 
Lee W, MVP, Technology and Business Process Advisor Commented:
It does not preclude anything - the consultant providing reports to you should be a requirement.  Further, consider this: A consultant charging a flat fee has it in his or her best interest to ensure your systems stay patched and up to date and running smoothly.  If they charge you $1000 per month to do that and can do that in 2 hours of work, FANTASTIC for them.  But if their negligence results in them spending 20 hours troubleshooting virus infections, and server failures, when it WOULD have only taken a couple of hours a month to maintain things... how is that benefiting the consultant?

Read my article:
https://www.experts-exchange.com/articles/6633/Becoming-A-Small-Business-IT-Consultant-Choosing-a-Business-Model.html

If the consultant you hire does not share reports with you then either you, or the consultant, or both have done a VERY poor job setting up service.

"I still would like to know what technical options are available should the system access be denied to my friend."

Repeating what I said earlier:
I do not know VMWare that well but in the one instance I had to access a server I didn't have access to, I built a new VMWare install on a new drive within the server and booted that, importing the existing VMs.  Once imported, you can create another Windows VM and then attach the server OS VMDKs and use tools and utilities freely available to reset the admin passwords on the domain.  Any good Windows Admin should be able to do this for you but may need to be local to get it done.
0