
No access to server, passwords lost as our admin died


21 replies to this topic

#1 badall


    THE BADASS

  • Tech Issues Solved: 1
  • Joined: 08-May 02

Posted 20 June 2014 - 18:06

Hi, I have a big problem at the charity I volunteer for. We had one guy maintaining the server (SBS 2003); he was a good guy, if maybe a little bit paranoid. He didn't leave a copy of the password in the safe or anywhere we can find it, and he died last week.

Exchange has started crashing on a regular basis: it lasts about 36 hours before it crashes and no one can access emails until the server is restarted by powering off, which I don't want to do too many times as the server is already throwing a warning on boot about RAID errors.

I tried going into recovery mode by pressing F8, but that does not seem to be working; on the login screen there is only the domain login and no local login. I did some searching and found various methods for brute forcing passwords or blanking them and adding new ones, but they are a bit dodgy or may lose data if encryption has been enabled (which is likely). MDOP 2011, which has DaRT 5.0, may have helped, but the MSDN password went with the admin as well. Can anyone help?



Best Answer: badall, 25 June 2014 - 20:03

sethc.exe worked like a charm. Got in, sorted the passwords and put a copy in the safe just in case. Only trouble is I now seem to be the one who has to maintain it.




#2 Stokkolm


    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 09-February 03
  • Location: Alaska
  • OS: Windows 8.1
  • Phone: Lumia 1520

Posted 20 June 2014 - 18:12

Try the tools listed here: http://pcsupport.abo...assrecovery.htm



#3 Fulcrum


    Long time reader

  • Joined: 27-April 02

Posted 20 June 2014 - 18:23

I suggest #2 in Stokkolm's link:

Offline NT Password & Registry Editor (2011-05-11 Build) is an amazing password recovery tool but instead of actually recovering your Windows password like Ophcrack and similar tools do, it deletes it. Without a password, you're allowed unrestricted access to your Windows operating system.



#4 OP badall


    THE BADASS

  • Tech Issues Solved: 1
  • Joined: 08-May 02

Posted 20 June 2014 - 18:28

I think I will try both Ophcrack & Offline NT Password & Registry Editor, Ophcrack first though as that seems less intrusive.



#5 +Cryton


    Neowinian

  • Tech Issues Solved: 1
  • Joined: 19-April 02

Posted 20 June 2014 - 18:31

All I've ever had to use is http://pogostick.net/~pnh/ntpasswd



#6 n_K


    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 20 June 2014 - 18:36

Remember, if it's Active Directory, most tools won't work. You need specialised tools to work with AD files.

If it's AD and you don't have the tools, I can help recover them for you if they're compatible.



#7 +theblazingangel


    Software Engineer

  • Tech Issues Solved: 6
  • Joined: 25-March 04
  • Location: England, UK

Posted 20 June 2014 - 18:41

@OP, before you start trying to crack the password problem, I'd advise that you make backing things up your first priority, especially with those RAID errors. One way of doing this would be to use the dd command in a linux live CD to backup an exact image of the contents of the server's hard drive, saving this onto a backup drive. The backup drive will need to be as big or bigger than the existing drive in the machine. With such an image, if you do mess things up, or the RAID completely fails, you'll be able to simply restore the hard drive contents to exactly the same state as they are currently.

 

If you don't know what you're doing, get someone else in who does. You're at serious risk of making things worse, possibly losing everything that server contains.
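The imaging step described in the post above, as an added example that is not part of theblazingangel's post or of any tool it names: a small POSIX shell script that images a source with dd, keeps going past unreadable sectors (the realistic failure mode on a RAID volume already reporting errors), and verifies the image against the source. To stay runnable offline it images a constructed 4 MiB file; the device path in the usage comment is an assumption, and on a real server the source would be the RAID volume as the live CD exposes it and the destination a file on a drive at least as large as that volume.

```shell
#!/bin/sh
# Added example (not from the thread): byte-for-byte image of a disk with dd,
# followed by verification. Usage on a real machine (paths are assumptions):
#   sh image.sh /dev/sdX /mnt/backup/server.img
set -eu

# Constructed stand-in for the server's disk: 4 MiB of random bytes.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=1M count=4 status=none
}

# $1 = source device or file, $2 = destination image file.
# conv=noerror,sync : do not abort on a read error; the unreadable block is
#                     padded with zeros so every later offset stays aligned.
# bs=1M             : large block size so the copy is not painfully slow.
image_disk() {
    dd if="$1" of="$2" bs=1M conv=noerror,sync status=none
}

# Returns 0 when the image matches the source, 1 otherwise.
# conv=sync may pad the final block, so only the first <source size> bytes
# of the image are hashed; a mismatch means at least one block was unreadable
# and you should expect damaged files in that region after a restore.
verify_image() {
    size=$(wc -c < "$1" | tr -d ' ')
    src_sum=$(sha256sum < "$1" | cut -d' ' -f1)
    img_sum=$(head -c "$size" "$2" | sha256sum | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ]
}

# Stand-alone run: image the given source into the given file and verify it.
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
    if verify_image "$1" "$2"; then
        echo "image verified: $2"
    else
        echo "image does NOT match source (read errors?): $2" >&2
        exit 1
    fi
fi
```

Keep the checksum next to the image: the whole point of taking the image before touching the logon binaries is that you can prove later that what you restore is what you had.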



#8 D!ABOL!C


    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 06-April 03
  • Location: North Carolina
  • OS: Windows 8.1 and OSX 10.9.5
  • Phone: HTC One (M8) Android 4.4.3

Posted 20 June 2014 - 19:17

on the login screen there is only the domain login and no local login. 

 

On the login screen, is there no login dropdown box? If not, you don't happen to have the server name, do you? For username try: server1\administrator with a blank password. Considering how paranoid the previous admin was, I'm sure he set one, but maybe he forgot.



#9 +RedReddington


  • Joined: 14-May 03

Posted 20 June 2014 - 20:02

I found this the other day. It might have some Password Cracking tools on.

 

http://www.parrotsec...x.php/Main_Page

 

If it hasn't been patched there is an exploit for the local NTLM database, but seriously, if you go down that route then your admin needs to be fired; it should have been patched a looooooooooooong time ago.



#10 Praetor


    ASCii / ANSi Designer

  • Tech Issues Solved: 7
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 21 June 2014 - 00:59

@OP: sorry for the loss of your co-worker. I do remember back in 2012 when you asked our opinion for an upgrade for that server :/

 

Back on topic: PLEASE do a backup if you don't have any; this should be your number 1 concern right now. If you don't have a backup then do one ASAP, preferably clone the HDD using some tool for that (dd can work too but it will take time). After that you can use Directory Service Restore Mode since it's the most secure and fastest way of getting the server back into your hands (since it's an SBS the logins are AD related, so any password reset tool you use won't work). For that please follow these steps: http://www.petri.co....er_2003_ad.htm#

 

Note: remember to read all of those steps carefully; if you don't, then you can be in a much worse situation than now.

 

After that, check the server logs and hardware (if it's an OEM server, like DELL or HP, then there's software from the OEM to see the state of the hardware) to see the reason the RAID controller is dumping the warning in POST, and check what's up with Exchange. Also see if there's any expired certificate or low-space volume.

 

Good luck!


Edited by Praetor, 21 June 2014 - 00:59.


#11 ITFiend


    ハッピー

  • Joined: 13-October 09
  • Location: Galactic Sector ZZ9 Plural Z Alpha
  • OS: Windows Server 2012 R2, Windows 8.1
  • Phone: Windows Phone 8.1

Posted 21 June 2014 - 02:22

Hi, I have a big problem at the charity I volunteer for. We had one guy maintaining the server (SBS 2003); he was a good guy, if maybe a little bit paranoid. He didn't leave a copy of the password in the safe or anywhere we can find it, and he died last week.

Exchange has started crashing on a regular basis: it lasts about 36 hours before it crashes and no one can access emails until the server is restarted by powering off, which I don't want to do too many times as the server is already throwing a warning on boot about RAID errors.

I tried going into recovery mode by pressing F8, but that does not seem to be working; on the login screen there is only the domain login and no local login. I did some searching and found various methods for brute forcing passwords or blanking them and adding new ones, but they are a bit dodgy or may lose data if encryption has been enabled (which is likely). MDOP 2011, which has DaRT 5.0, may have helped, but the MSDN password went with the admin as well. Can anyone help?

 

No! Don't use cracking tools, as you'll take your server out of a supported configuration if you do. Definitely consider doing anything against a clone or P2V version of your server. That said, what I describe is the safest method to seize control over Windows/Domains as it doesn't violate any of Windows internal functionality, and your copy of Windows is still perfectly healthy.

 

  • Boot from Microsoft WinPE media so your server is offline. Either the original Microsoft Windows install disk, or create a new WinPE disk through the Microsoft Automated Deployment Toolkit.
  • Launch cmd.exe if you are in Windows setup, and run the next two lines:
  • rename C:\windows\system32\Utilman.exe Utilman.exe.disabled
  • copy C:\windows\system32\cmd.exe C:\windows\system32\Utilman.exe
  • Now boot from Windows like normal. When you get the logon screen, click on the lower left Accessibility icon. It will now launch cmd.exe, rather than Utilman.exe, as the SYSTEM user.
  • Launch MMC.EXE. CTRL-M. Add “Active Directory Users and Computers”. OK.
  • Create a new user in your “DOMAINNAME\Users” container.
  • Add your new user to the group “DOMAINNAME\Users\Enterprise Admins”
  • Add your new user to the group “DOMAINNAME\Users\Domain Admins”
  • Add your new user to the group “DOMAINNAME\Builtin\Administrators”

 

Congrats!  You’ve just stolen an Active Directory Domain Controller or Forest by masquerading as the active SYSTEM user, and you didn't take Windows out of a supported configuration when you did so because SYSTEM is normally allowed to modify itself.

 

  • Boot back to your offline Windows media, "del C:\Windows\System32\Utilman.exe", and "rename C:\Windows\System32\Utilman.exe.disabled Utilman.exe"

 

And this folks is why Windows is only secure when it’s on encrypted BitLocker volumes, and why Read Only Domain Controllers exist.

 

 

If for some reason you actually need to get in to the old Administrator user accounts without changing their passwords, the best way to do this is to attempt to use something like Metasploit and do a pass-the-hash style attack from a remote host. Your old administrator's password hash is probably still cached on the domain controller, so you can use that to steal the hash, and then attempt to directly masquerade as that old user with their hash rather than password. Won't work with RDP though unless you are on Server 2012 R2 and enable the pass-the-hash cache theft prevention features to support "mstsc.exe /restrictedAdmin" (this basically forces MSTSC to obey the same rules that prevent easy PowerShell double-hops).
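The accessibility-binary swap above (Utilman.exe here, sethc.exe in the accepted answer further down) leaves two artefacts on disk that a defender, or whoever inherits this server, should be able to find: an accessibility executable whose bytes are identical to cmd.exe, and the renamed original sitting beside it as *.disabled. The following POSIX shell script is an added example, not part of ITFiend's post; it audits a System32 directory from the offline image taken in the backup step (the mount path is an assumption passed as the first argument) and builds a constructed sample directory so it can be run without a Windows disk at hand.

```shell
#!/bin/sh
# Added example (not from the thread): audit an offline Windows System32 tree
# for an accessibility binary that has been swapped for cmd.exe.
# Usage on a mounted image (path is an assumption):
#   sh audit_accessibility.sh /mnt/serverimage/Windows/System32
set -eu

# Constructed System32 stand-in, shaped like the state the post leaves behind:
# Utilman.exe is a copy of cmd.exe and the original is parked as .disabled.
make_sample_system32() {
    dir="$1"
    mkdir -p "$dir"
    printf 'constructed cmd.exe contents\n' > "$dir/cmd.exe"
    printf 'constructed sethc.exe contents\n' > "$dir/sethc.exe"
    cp "$dir/cmd.exe" "$dir/Utilman.exe"
    printf 'constructed original utilman\n' > "$dir/Utilman.exe.disabled"
}

# Returns 0 if nothing suspicious was found, 1 otherwise; prints each finding.
check_accessibility_binaries() {
    dir="$1"
    findings=0
    cmd_sum=$(sha256sum "$dir/cmd.exe" | cut -d' ' -f1)

    # Executables the logon screen will launch as SYSTEM before anyone signs in.
    for name in Utilman.exe sethc.exe osk.exe Magnify.exe Narrator.exe; do
        f=$(find "$dir" -maxdepth 1 -iname "$name" | head -n 1)
        [ -n "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$sum" = "$cmd_sum" ]; then
            echo "ALERT: $f is byte-identical to cmd.exe (logon-screen shell swap)"
            findings=1
        fi
    done

    # A parked original is the trace the cleanup step in the post removes.
    for leftover in "$dir"/*.disabled; do
        [ -e "$leftover" ] || continue
        echo "NOTE: leftover $leftover, an original binary was renamed aside"
        findings=1
    done
    return $findings
}

# Stand-alone run against a real (offline, mounted) System32 directory.
if [ "$#" -eq 1 ]; then
    if check_accessibility_binaries "$1"; then
        echo "no accessibility-binary swap found in $1"
    else
        exit 1
    fi
fi
```

A byte-for-byte comparison is enough for the swap as described, because the post copies cmd.exe unchanged. On a running Windows host the stronger check is that every file in this list still carries a valid Microsoft Authenticode signature, and, given the replication point made in the follow-up post, a review of who sits in Builtin\Administrators and Domain Admins after the recovery is part of the same audit.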



#12 ITFiend


    ハッピー

  • Joined: 13-October 09
  • Location: Galactic Sector ZZ9 Plural Z Alpha
  • OS: Windows Server 2012 R2, Windows 8.1
  • Phone: Windows Phone 8.1

Posted 21 June 2014 - 04:05

Congrats!  You’ve just stolen an Active Directory Domain Controller...

 

Oh yeah, I did say that wrong. You've stolen *all* Active Directory Domain Controllers in the domain. Builtin\Administrators replicates, and after it does you are a Local Administrator on all the domain DCs.



#13 Praetor


    ASCii / ANSi Designer

  • Tech Issues Solved: 7
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 21 June 2014 - 10:26

Ah, the Utilman hack, didn't remember that; that works as well, but the first thing to do should be a backup. Also, in SBS 2k3 it's Windows key + U to activate it.

#14 OP badall


    THE BADASS

  • Tech Issues Solved: 1
  • Joined: 08-May 02

Posted 22 June 2014 - 00:24

Yeah, the new server, I forgot about that; it's still on his desk waiting to be set up, lol. He had a lot going on but never quite finished a lot of it; I guess no one expects to die. Anyway, I'm not in till Monday. There are backups, but they're not full system backups, just Exchange and user data, which is done once a week. I'll dig a drive up and do a full system image to be careful and try ITFiend's way of doing it.

 

Will get back to you on the results.



#15 OP badall


    THE BADASS

  • Tech Issues Solved: 1
  • Joined: 08-May 02

Posted 22 June 2014 - 23:00

I thought I would give ITFiend's solution a try in a VM at home before I went in tomorrow, but the problem with Server 2003 is that there are no accessibility options on the login screen.