badall Posted June 20, 2014: Hi, I have a big problem at the charity I volunteer for. We had one guy maintaining the server (SBS 2003); he was a good guy, if maybe a little bit paranoid: he didn't leave a copy of the password in the safe or anywhere we can find it, and he died last week. Exchange has started crashing on a regular basis. It lasts about 36 hours before it crashes and no one can access emails until the server is restarted by powering off, which I don't want to do too many times as the server is already throwing a warning on boot about RAID errors. I tried going into recovery mode by pressing F8 but that does not seem to be working; on the login screen there is only the domain login and no local login. I did some searching and found various methods for brute forcing passwords or blanking them and adding new ones, but they are a bit dodgy or may lose data if encryption has been enabled (which is likely). MDOP 2011, which has DaRT 5.0, may have helped, but the MSDN password went with the admin as well. Can anyone help?
Stokkolm Posted June 20, 2014: Try the tools listed here: http://pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm
Fulcrum (Subscriber) Posted June 20, 2014: I suggest #2 in Stokkolm's link. Offline NT Password & Registry Editor (2011-05-11 Build) is an amazing password recovery tool, but instead of actually recovering your Windows password like Ophcrack and similar tools do, it deletes it. Without a password, you're allowed unrestricted access to your Windows operating system.
badall (Author) Posted June 20, 2014: I think I will try both Ophcrack and Offline NT Password & Registry Editor; Ophcrack first, though, as that seems less intrusive.
Cryton (Subscriber) Posted June 20, 2014: All I've ever had to use is http://pogostick.net/~pnh/ntpasswd
n_K Posted June 20, 2014: Remember, if it's Active Directory, most tools won't work. You need specialised tools to work with AD files. If it's AD and you don't have the tools, I can help recover them for you if they're compatible.
theblazingangel (MVC) Posted June 20, 2014: @OP, before you start trying to crack the password problem, I'd advise that you make backing things up your first priority, especially with those RAID errors. One way of doing this would be to use the dd command in a Linux live CD to back up an exact image of the contents of the server's hard drive, saving this onto a backup drive. The backup drive will need to be as big as or bigger than the existing drive in the machine. With such an image, if you do mess things up, or the RAID completely fails, you'll be able to simply restore the hard drive contents to exactly the same state as they are currently. If you don't know what you're doing, get someone else in who does. You're at serious risk of making things worse, possibly losing everything that server contains.
D!ABOL!C Posted June 20, 2014: Quoting badall: "on the login screen there is only the domain login and no local login." On the login screen, is there no login dropdown box? If not, you don't happen to have the server name, do you? For the username try: server1\administrator with a blank password. Considering how paranoid the previous admin was, I'm sure he set one, but maybe he forgot.
John Teacake (MVC) Posted June 20, 2014: I found this the other day. It might have some password cracking tools on it. http://www.parrotsec.org/index.php/Main_Page If it hasn't been patched there is an exploit for the local NTLM database, but seriously, if you go down that route then your admin needs to be fired; it should have been patched a looooooooooooong time ago.
Praetor Posted June 21, 2014 (edited): @OP: sorry for the loss of your co-worker. I do remember back in 2012 when you asked our opinion for an upgrade for that server :/ Back on topic: PLEASE do a backup if you don't have any; this should be your number 1 concern right now. If you don't have a backup then do one ASAP, preferably clone the HDD using some tool for that (dd can work too, but it will take time). After that you can use Directory Service Restore Mode, since it's the most secure and fastest way of retrieving the server back into your hands (since it's an SBS the logins are AD related, so any password reset tool you use won't work). For that please follow these steps: http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm# Note: remember to read all of those steps carefully; if you don't, you can end up in a much worse situation than now. After that check the server logs and hardware (if it's an OEM server, like Dell or HP, there's software from the OEM to see the state of the hardware) to see the reason the RAID controller is dumping the warning in POST, and check what's up with Exchange. Also see if there's any expired certificate or low-space volume. Good luck!
ITFiend Posted June 21, 2014 (replying to badall's opening post): No! Don't use cracking tools, as you'll take your server out of a supported configuration if you do. Definitely consider doing anything against a clone or P2V version of your server. That said, what I describe is the safest method to seize control over Windows/domains as it doesn't violate any of Windows' internal functionality, and your copy of Windows is still perfectly healthy.
Boot from Microsoft WinPE media so your server is offline. Either the original Microsoft Windows install disk, or create a new WinPE disk through the Microsoft Automated Deployment Toolkit. Launch cmd.exe if you are in Windows setup, and run the next two lines:
rename C:\windows\system32\Utilman.exe Utilman.exe.disabled
copy C:\windows\system32\cmd.exe C:\windows\system32\Utilman.exe
Now boot Windows like normal. When you get the logon screen, click on the lower-left Accessibility icon. It will now launch cmd.exe, rather than Utilman.exe, as the SYSTEM user.
Launch MMC.EXE. CTRL-M. Add "Active Directory Users and Computers". OK. Create a new user in your "DOMAINNAME\Users" container. Add your new user to the group "DOMAINNAME\Users\Enterprise Admins". Add your new user to the group "DOMAINNAME\Users\Domain Admins". Add your new user to the group "DOMAINNAME\Builtin\Administrators".
Congrats! You've just stolen an Active Directory Domain Controller or Forest by masquerading as the active SYSTEM user, and you didn't take Windows out of a supported configuration when you did so, because SYSTEM is normally allowed to modify itself. Boot back to your offline Windows media, "delete C:\Windows\System32\Utilman.exe", and "rename C:\Windows\System32\Utilman.exe.disabled Utilman.exe".
And this, folks, is why Windows is only secure when it's on encrypted BitLocker volumes, and why Read Only Domain Controllers exist.
If for some reason you actually need to get into the old Administrator user accounts without changing their passwords, the best way to do this is to attempt to use something like Metasploit and do a pass-the-hash style attack from a remote host. Your old administrator's password hash is probably still cached on the domain controller, so you can use that to steal the hash, and then attempt to directly masquerade as that old user with their hash rather than password. Won't work with RDP, though, unless you are on Server 2012 R2 and enable the pass-the-hash cache theft prevention features to support "mstsc.exe /restrictedAdmin" (this basically forces MSTSC to obey the same rules that prevent easy PowerShell double-hops).
ITFiend Posted June 21, 2014: Quoting myself: "Congrats! You've just stolen an Active Directory Domain Controller..." Oh yeah, I did say that wrong. You've stolen *all* Active Directory Domain Controllers in the domain. Builtin\Administrators replicates, and after it does you are a Local Administrator on all the domain DCs.
Praetor Posted June 21, 2014: Ah, the Utilman hack, didn't remember that; that works as well, but the first thing to do should be a backup. Also, in SBS 2003 it's Windows key + U to activate it.
badall (Author) Posted June 22, 2014: Yeah, the new server, I forgot about that; it's still on his desk waiting to be set up, lol. He had a lot going on but never quite finished a lot of it; I guess no one expects to die. Anyway, I'm not in till Monday. There are backups, but they're not full system backups, just Exchange and user data, which is done once a week. I'll dig a drive up and do a full system image to be careful, and try ITFiend's way of doing it. Will get back to you on the results.
badall (Author) Posted June 22, 2014: I thought I would give ITFiend's solution a try in a VM at home before I went in tomorrow, but the problem with Server 2003 is that there are no accessibility options on the login screen.
Eric (Veteran) Posted June 22, 2014: Quoting badall: "I thought I would give ITFiend's solution a try in a VM at home before I went in tomorrow, but the problem with Server 2003 is that there are no accessibility options on the login screen." Try the hotkey Praetor mentioned. It should still work.
badall (Author) Posted June 24, 2014: Winkey + U didn't work. Looks like it may have been disabled, as it is the only combination of Winkey + letter that does not do a thing.
sc302 (Veteran) Posted June 24, 2014: If you are still having issues with recovering the password, this write-up has never once failed me, utilizing ERD Commander to reset the password. You can use Hiren's as well to reset the password, or make a new domain admin to be able to manage the domain so you don't mess anything up. http://www.petri.com/reset_domain_admin_password_in_windows_server_2003_ad.htm
badall (Author) Posted June 24, 2014: Looking around on the web, I found that renaming sethc.exe can work. I gave it a try on the VM and it worked, so I'm back tomorrow to see if that works.
badall (Author) Posted June 25, 2014: sethc.exe worked like a charm. Got in, sorted the passwords and put a copy in the safe just in case. Only trouble is I now seem to be the one who has to maintain it.
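The Utilman.exe swap ITFiend walks through above and the sethc.exe variant badall ended up using leave the same traces on the machine: an accessibility binary in System32 that is really a copy of cmd.exe, a renamed original lying beside it, or (in the registry variant of the same trick) an Image File Execution Options "Debugger" value under the binary's name that points at another program. The PowerShell check below is added here as an example and is not code from any poster in this thread; it looks for exactly those traces so an admin can tell whether a box has been through this procedure. It assumes Windows PowerShell 4 or later (for Get-FileHash) on a current Windows host, so it will not run on the SBS 2003 server itself; the list of accessibility binaries and the IFEO registry path are the standard ones, and the function name is my own.

```powershell
# Added defensive check (not from this thread's posters): flag accessibility
# binaries in System32 that are byte-identical to cmd.exe, carry a non-Microsoft
# or invalid signature, have a renamed original beside them, or are redirected
# through an IFEO "Debugger" value. Assumes Windows PowerShell 4+ on a current
# Windows host; run it elevated so System32 and HKLM are fully readable.

$sys32 = Join-Path $env:SystemRoot 'System32'
$accessibilityBinaries = @('Utilman.exe', 'sethc.exe', 'osk.exe', 'Narrator.exe',
                           'Magnify.exe', 'DisplaySwitch.exe', 'AtBroker.exe')
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$cmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $sys32 'cmd.exe')).Hash

function Test-AccessibilityBinaries {
    # Returns one object per indicator found; an empty result means nothing was flagged.
    $findings = @()
    foreach ($name in $accessibilityBinaries) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path -Path $path)) {
            $findings += [pscustomobject]@{ Binary = $name; Issue = 'Missing from System32'; Detail = $path }
            continue
        }

        # A copied cmd.exe is still Microsoft-signed, so the signature check alone
        # would pass it; the hash comparison against cmd.exe is what catches the swap.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($hash -eq $cmdHash) {
            $findings += [pscustomobject]@{ Binary = $name; Issue = 'Byte-identical to cmd.exe (binary swap)'; Detail = $hash }
        }

        # Anything else dropped in place of the real tool usually fails this check.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += [pscustomobject]@{ Binary = $name; Issue = "Signature status $($sig.Status) or non-Microsoft signer"; Detail = [string]$sig.SignerCertificate.Subject }
        }

        # Renamed originals (Utilman.exe.disabled, sethc.exe.bak, ...) left beside
        # the real file are a strong tell that the swap was done by hand.
        Get-ChildItem -Path $sys32 -Filter "$name.*" -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne $name } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Binary = $name; Issue = 'Renamed copy beside original'; Detail = $_.FullName }
            }

        # IFEO variant: a Debugger value makes Windows launch that program instead
        # of the binary, with no change to the file on disk.
        $debugger = (Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $findings += [pscustomobject]@{ Binary = $name; Issue = 'IFEO Debugger value set'; Detail = $debugger }
        }
    }
    return $findings
}

$results = @(Test-AccessibilityBinaries)
if ($results.Count -eq 0) {
    Write-Output 'No accessibility-binary hijack indicators found.'
} else {
    $results | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run can raise an alert
}
```

Run it elevated; on a clean host it prints the single "no indicators" line, otherwise a table of what was found and which binary it concerns. As ITFiend says above, none of this stops someone with physical access to an unencrypted disk from making the change in the first place: the check only shows, after the fact, whether a machine has been through this procedure, and BitLocker on the system volume or a read-only domain controller is the preventive control.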
koppit Posted June 25, 2014: I've done this before. It's not fun... but it works. You will need to reset the administrator password for local login first using a tool such as Hiren's. Alternately, a WinPE boot disk if you have a RAID that needs drivers installed... http://www.geeksaresexy.net/2009/03/12/how-to-reset-your-lost-2003-active-directory-admin-password/ I have all of the required files on a memory stick somewhere; contact me if you need them.
Eric (Veteran) Posted June 25, 2014: Quoting badall: "sethc.exe worked like a charm. Got in, sorted the passwords and put a copy in the safe just in case. Only trouble is I now seem to be the one who has to maintain it." Excellent! We can't help you decide who the new admin is, but I'm glad you got it fixed. I knew there was another executable you could use to fix it but I couldn't remember which one. :)