
22 posts in this topic

Hi, I have a big problem at the charity I volunteer for. We had one guy maintaining the server (SBS 2003); he was a good guy, if maybe a little bit paranoid. He didn't leave a copy of the password in the safe or anywhere we can find it, and he died last week.

Exchange has started crashing on a regular basis. It lasts about 36 hours before it crashes and no one can access emails until the server is restarted by powering off, which I don't want to do too many times as the server is already throwing a warning on boot about RAID errors.

I tried going into recovery mode by pressing F8, but that does not seem to be working. On the login screen there is only the domain login and no local login. I did some searching and found various methods for brute-forcing passwords or blanking them and adding new ones, but they are a bit dodgy or may lose data if encryption has been enabled (which is likely). MDOP 2011, which has DaRT 5.0, may have helped, but the MSDN password went with the admin as well. Can anyone help?


I suggest #2 in Stockkolm's link.

Offline NT Password & Registry Editor (2011-05-11 build) is an amazing password recovery tool, but instead of actually recovering your Windows password like Ophcrack and similar tools do, it deletes it. Without a password, you're allowed unrestricted access to your Windows operating system.


I think I will try both Ophcrack and Offline NT Password & Registry Editor, Ophcrack first though, as that seems less intrusive.


Remember, if it's Active Directory, most tools won't work. You need specialised tools to work with AD files.

If it's AD and you don't have the tools, I can help recover them for you if they're compatible.


@OP, before you start trying to crack the password problem, I'd advise that you make backing things up your first priority, especially with those RAID errors. One way of doing this would be to use the dd command from a Linux live CD to back up an exact image of the contents of the server's hard drive, saving this onto a backup drive. The backup drive will need to be as big as or bigger than the existing drive in the machine. With such an image, if you do mess things up, or the RAID completely fails, you'll be able to simply restore the hard drive contents to exactly the same state as they are currently.

 

If you don't know what you're doing, get someone else in who does. You're at serious risk of making things worse, possibly losing everything that server contains.


on the login screen there is only the domain login and no local login. 

 

On the login screen, is there no login dropdown box? If not, you don't happen to have the server name, do you? For the username try: server1\administrator with a blank password. Considering how paranoid the previous admin was, I'm sure he set one, but maybe he forgot.


I found this the other day. It might have some password cracking tools on it.

 

http://www.parrotsec.org/index.php/Main_Page

 

If it hasn't been patched there is an exploit for the local NTLM database, but seriously, if you go down that route then your admin needs to be fired; it should have been patched a looooooooooooong time ago.


@OP: sorry for the loss of your co-worker. I do remember back in 2012 when you asked our opinion on an upgrade for that server :/

 

Back on topic: PLEASE do a backup if you don't have any; this should be your number one concern right now. If you don't have a backup then do one ASAP, preferably by cloning the HDD using some tool for that (dd can work too, but it will take time). After that you can use Directory Services Restore Mode, since it's the most secure and fastest way of getting the server back into your hands (since it's an SBS, the logins are AD-related, so any password reset tool you use won't work). For that please follow these steps: http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm#

 

Note: remember to read all of those steps carefully; if you don't, you can end up in a much worse situation than now.

 

After that, check the server logs and hardware (if it's an OEM server, like Dell or HP, there is software from the OEM to see the state of the hardware) to see why the RAID controller is dumping the warning in POST, and check what's up with Exchange. Also see if there's any expired certificate or low-space volume.

 

Good luck!

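As an added example, not from any of the posts above, here is the dd imaging step that this reply and the earlier "@OP, before you start" reply recommend, written as shell functions you would run from a Linux live CD before any password work. Device and mount names are placeholders: /dev/sda stands for the RAID volume as the live CD sees it, /mnt/backup for a separate drive at least as large. The point neither reply spells out is that on a disk already reporting RAID errors you want `conv=noerror,sync` so dd keeps going past bad sectors, and that this option pads the image, so verification has to compare only the source's real length.

```shell
#!/bin/sh
# Added example, not from the thread: image a failing disk with dd from a Linux
# live CD, then check the image against the source. /dev/sda and /mnt/backup are
# placeholder names for this illustration.

set -u

# Size in bytes of a block device or a regular file (needed to trim dd's padding).
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# image_disk SRC DST LOG
# conv=noerror,sync makes dd continue past unreadable sectors and fill them with
# zeros instead of stopping. The side effect is that DST is padded up to a
# multiple of bs, so later comparisons must be limited to the source's real size.
# dd's stderr (record counts, any read errors) is kept in LOG.
image_disk() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=4M conv=noerror,sync 2>"$log"
}

# hash_prefix PATH N: sha256 of the first N bytes of a file or device.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_image SRC DST: 0 if DST matches SRC over SRC's length, 1 otherwise.
# Only meaningful when the dd log shows no read errors: zero-filled blocks will
# not match, and a second full read of a failing disk is itself a risk.
verify_image() {
    size=$(byte_size "$1")
    [ "$(hash_prefix "$1" "$size")" = "$(hash_prefix "$2" "$size")" ]
}

# dd_had_errors LOG: 0 if dd reported read errors, 1 if the log is clean.
dd_had_errors() {
    grep -qiE 'error|cannot' "$1"
}

# Typical run (placeholder paths):
#   image_disk /dev/sda /mnt/backup/sbs2003.img /mnt/backup/dd.log
#   dd_had_errors /mnt/backup/dd.log || verify_image /dev/sda /mnt/backup/sbs2003.img
```

If `dd_had_errors` reports errors, keep the image and the log rather than re-reading the disk; the zeroed blocks are recorded there and the image is still the best copy you have. Rehearse the restore direction (`dd if=image of=/dev/sdX`) on a spare disk or a VM before you depend on it.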

Hi, I have a big problem at the charity I volunteer for. We had one guy maintaining the server (SBS 2003); he was a good guy, if maybe a little bit paranoid. He didn't leave a copy of the password in the safe or anywhere we can find it, and he died last week.

Exchange has started crashing on a regular basis. It lasts about 36 hours before it crashes and no one can access emails until the server is restarted by powering off, which I don't want to do too many times as the server is already throwing a warning on boot about RAID errors.

I tried going into recovery mode by pressing F8, but that does not seem to be working. On the login screen there is only the domain login and no local login. I did some searching and found various methods for brute-forcing passwords or blanking them and adding new ones, but they are a bit dodgy or may lose data if encryption has been enabled (which is likely). MDOP 2011, which has DaRT 5.0, may have helped, but the MSDN password went with the admin as well. Can anyone help?

 

No! Don't use cracking tools, as you'll take your server out of a supported configuration if you do. Definitely consider doing anything against a clone or P2V version of your server. That said, what I describe is the safest method to seize control over Windows/domains, as it doesn't violate any of Windows' internal functionality, and your copy of Windows is still perfectly healthy.

 

  • Boot from Microsoft WinPE media so your server is offline. Either the original Microsoft Windows install disk, or create a new WinPE disk through the Microsoft Automated Deployment Toolkit.
  • Launch cmd.exe if you are in Windows setup, and run the next two lines:
  • rename C:\windows\system32\Utilman.exe Utilman.exe.disabled
  • copy C:\windows\system32\cmd.exe C:\windows\system32\Utilman.exe
  • Now boot Windows like normal. When you get the logon screen, click on the lower-left Accessibility icon. It will now launch cmd.exe, rather than Utilman.exe, as the SYSTEM user.
  • Launch MMC.EXE. Ctrl-M. Add "Active Directory Users and Computers". OK.
  • Create a new user in your "DOMAINNAME\Users" container.
  • Add your new user to the group "DOMAINNAME\Users\Enterprise Admins".
  • Add your new user to the group "DOMAINNAME\Users\Domain Admins".
  • Add your new user to the group "DOMAINNAME\Builtin\Administrators".

 

Congrats! You've just stolen an Active Directory Domain Controller or Forest by masquerading as the active SYSTEM user, and you didn't take Windows out of a supported configuration when you did so, because SYSTEM is normally allowed to modify itself.

 

  • Boot back to your offline Windows media, "del C:\Windows\System32\Utilman.exe", and "rename C:\Windows\System32\Utilman.exe.disabled Utilman.exe".

 

And this, folks, is why Windows is only secure when it's on encrypted BitLocker volumes, and why Read Only Domain Controllers exist.

 

 

If for some reason you actually need to get into the old Administrator user accounts without changing their passwords, the best way to do this is to use something like Metasploit and do a pass-the-hash style attack from a remote host. Your old administrator's password hash is probably still cached on the domain controller, so you can use that to steal the hash, and then attempt to directly masquerade as that old user with their hash rather than their password. It won't work with RDP though, unless you are on Server 2012 R2 and enable the pass-the-hash cache theft prevention features to support "mstsc.exe /restrictedAdmin" (this basically forces MSTSC to obey the same rules that prevent easy PowerShell double-hops).


Congrats! You've just stolen an Active Directory Domain Controller...

 

Oh yeah, I said that wrong. You've stolen *all* Active Directory Domain Controllers in the domain. Builtin\Administrators replicates, and after it does you are a local Administrator on all the domain's DCs.

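As an added example, and not code from the post above, here is the same accessibility-binary swap done from the Linux live CD you would already be using for the dd backup, on the offline system volume, instead of from WinPE. It adds what the post leaves to memory: the original is kept aside, a restore step puts it back, and a check tells you whether any accessibility binary is currently a renamed cmd.exe (the thing the next admin should verify after this kind of recovery, and what a defender looks for). Assumptions, all placeholders: the Windows volume is mounted read-write with ntfs-3g at /mnt/win after a clean shutdown (ntfs-3g will not write to a dirty or hibernated volume), and the binary to replace is a parameter, because the thread goes on to find that on Server 2003 the Utilman icon is not there and sethc.exe (Sticky Keys, Shift five times) is what worked.

```shell
#!/bin/sh
# Added example, not from the thread: offline swap of an accessibility binary for
# cmd.exe on a mounted NTFS system volume, plus restore and a detection check.
# /mnt/win is a placeholder mount point for this illustration.

set -u

# sys32 MNT: print the System32 directory under the mounted volume. Server 2003
# installs to WINDOWS\system32; later versions use Windows\System32.
sys32() {
    for d in "$1/WINDOWS/system32" "$1/Windows/System32"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# find_bin DIR NAME: case-insensitive lookup, because ntfs-3g is case-sensitive
# and the on-disk spelling (Utilman.exe vs utilman.exe) varies between installs.
find_bin() {
    find "$1" -maxdepth 1 -type f -iname "$2" | head -n 1
}

# plant MNT TARGET: move TARGET aside as TARGET.disabled and put a copy of cmd.exe
# in its place. Refuses to run twice so the backup is never overwritten with cmd.exe.
plant() {
    s=$(sys32 "$1") || return 1
    t=$(find_bin "$s" "$2"); cmd=$(find_bin "$s" cmd.exe)
    [ -n "$t" ] && [ -n "$cmd" ] || return 1
    [ ! -e "$t.disabled" ] || return 1   # already planted: keep the real backup
    mv "$t" "$t.disabled" && cp "$cmd" "$t"
}

# restore MNT TARGET: put the original binary back over the planted copy.
restore() {
    s=$(sys32 "$1") || return 1
    bak=$(find_bin "$s" "$2.disabled")
    [ -n "$bak" ] || return 1
    mv -f "$bak" "${bak%.disabled}"
}

# is_backdoored MNT: 0 if any accessibility binary is byte-for-byte cmd.exe,
# 1 if none is. Run it on the offline volume after restore, and on any machine
# where this trick is a concern.
is_backdoored() {
    s=$(sys32 "$1") || return 1
    cmd=$(find_bin "$s" cmd.exe)
    [ -n "$cmd" ] || return 1
    ref=$(sha256sum "$cmd" | cut -d' ' -f1)
    for name in utilman.exe sethc.exe osk.exe magnify.exe narrator.exe; do
        b=$(find_bin "$s" "$name")
        [ -n "$b" ] || continue
        if [ "$(sha256sum "$b" | cut -d' ' -f1)" = "$ref" ]; then return 0; fi
    done
    return 1
}

# Typical run, with /mnt/win as the placeholder mount point:
#   plant /mnt/win sethc.exe     # then boot Windows; Shift x5 at logon gives a SYSTEM cmd.exe
#   restore /mnt/win sethc.exe   # from the live CD again, once the new admin account exists
#   is_backdoored /mnt/win       # should now return 1
```

The MMC steps from the post are unchanged once the SYSTEM shell is up. Two caveats: rehearse this on the clone or VM the post recommends, not the production box; and if the swap appears not to take on XP/2003, Windows File Protection may have restored the file from its protected cache, so check whether the planted copy survived the boot before assuming the hotkey is disabled.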

Ah, the Utilman hack, I didn't remember that; that works as well, but the first thing to do should be a backup. Also, in SBS 2003 it's Windows key + U to activate it.


Yeah, the new server, I forgot about that; it's still on his desk waiting to be set up, lol. He had a lot going on but never quite finished a lot of it; I guess no one expects to die. Anyway, I'm not in till Monday. There are backups, but they're not full system backups, just Exchange and user data, which is done once a week. I'll dig a drive up and do a full system image to be careful, and try ITFiend's way of doing it.

 

Will get back to you with the results.


I thought I would give ITFiend's solution a try in a VM at home before I went in tomorrow, but the problem with Server 2003 is that there are no accessibility options on the login screen.


I thought I would give ITFiend's solution a try in a VM at home before I went in tomorrow, but the problem with Server 2003 is that there are no accessibility options on the login screen.

 

Try the hotkey Praetor mentioned. It should still work.


Winkey + U didn't work; looks like it may have been disabled, as it is the only combination of Winkey + letter that does not do a thing.


If you are still having issues with recovering the password, this write-up has never once failed me, using ERD Commander to reset the password. You can use Hiren's as well to reset the password, or make a new domain admin to be able to manage the domain so you don't mess anything up.

 

http://www.petri.com/reset_domain_admin_password_in_windows_server_2003_ad.htm


Looking around on the web I found that renaming sethc.exe can work. I gave it a try on the VM and it worked, so I'm back tomorrow to see if that works.


sethc.exe worked like a charm. Got in, sorted the passwords and put a copy in the safe just in case. Only trouble is I now seem to be the one who has to maintain it.


I've done this before. It's not fun... but it works. You will need to reset the administrator password for local login first using a tool such as Hiren's. Alternatively, a WinPE boot disk if you have a RAID that needs drivers installed...

 

http://www.geeksaresexy.net/2009/03/12/how-to-reset-your-lost-2003-active-directory-admin-password/

I have all of the required files on a memory stick somewhere; contact me if you need them.


sethc.exe worked like a charm. Got in, sorted the passwords and put a copy in the safe just in case. Only trouble is I now seem to be the one who has to maintain it.

 

Excellent! We can't help you decide who the new admin is, but I'm glad you got it fixed. I knew there was another executable you could use to fix it, but I couldn't remember which one. :)
