Re: Windows 2000 Administrator lockout

From: Mark Johnson-Barbier (mjb-infosec_at_mj3.org)
Date: 08/17/04

    To: Robert Ritchey <rritchey@eods.com>
    Date: Mon, 16 Aug 2004 23:23:46 -0700
    
    

    As the saying goes, if you have physical access to the box, you "own"
    it:

    Best option I know of:
    http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
    If your server is win2k and uses encrypted files, you should make an
    unencrypted backup of your data before beginning.

    Other options that may work (in no particular order):
    - install another dual-boot version of windows on the box to a different
    %systemroot% directory (such as c:\winrecover). Boot to the new install
    OS and rename/delete the file named "sam" (no extension ... it's usually
    in c:\winnt\system32\config). When you reboot, the local accounts will
    be back to the default and your "administrator" account password will be
    blank. Warning: you'll lose all accounts on the box and any app that
    requires an account may not work ... don't try this with an app that
    requires an account SID to be the same.
    - buy the l0phtcrack program and brute-force crack the password.
    - Log into the server and schedule the command "cmd.exe" to be run 3
    minutes in the future as user "system" with desktop interaction. At the
    appointed time you'll be presented with a command prompt with the
    authority of "system" (or possibly only with whatever account the
    scheduler service is running as). After you get a command prompt, you
    can execute "usrmgr.exe" for NT4 systems or an mmc for win2k. Or you
    can use cusrmgr.exe to change the password at the command prompt. (it's
    been a long time since I've done this, so I may have left out some
    detail).
    - I seem to remember a local priv escalation where cmd.exe was copied
    with the same name as the default screensaver. instead of running the
    screensaver after x minutes of inactivity, a command prompt would appear
    with system privs. I haven't tried this myself, but it would be a fun
    way to solve your problem.
    - I believe sysinternals.com has a way to recover passwords in their
    adminpack application.

    I've used Peter Nordahl's application successfully on several win2k
    workstations and have read from others with success on servers.

    Also, be kind to your future replacement (after you win the lottery and
    move to your own private island): Implement a simple procedure to store
    passwords in a secure location where someone else can "break the glass
    in case of emergency." If security is a concern, create a new admin
    account and give half of the password to two different people. They can
    get together in an emergency to gain access, but they would have to
    collude to escalate their privs.

    mjb

    On Fri, 2004-08-13 at 11:54, Robert Ritchey wrote:
    > Hello All,
    >
    > The network that I have is rather small. 1 server, and 4 workstations.
    > I inherited the systems. There has been no administrator working there
    > for a little over a year. What administrator that was there, was very
    > much non-technical.
    >
    > When the network was built whoever built the server installed everything
    > they possibly could. This system now has a few main functions:
    > 1. File server
    > 2. Internet Gateway
    > 3. Symantec Virus manager
    >
    > Nobody knows any of the passwords for anything on the system. Any of
    > the passwords that are in use are not allowed administrator access. I
    > do mean for anything! I can't even get Symantec to update virus
    > signatures, as I do not have a password to do the update with. The
    > signature is like 2003 date.
    >
    > It is just very frustrating!
    >
    > I am looking for options, before I have to go and reformat and rebuild.
    > This would in some ways make life simpler, there are wrinkles in that
    > all of their operational data and other services are on the server. We
    > are currently moving forward with a plan to rebuild. This will happen;
    > I would rather pick the time to do it. Rather than have it forced on
    > me.
    >
    > Does anyone know of any other way to take control of this machine and
    > network.
    >
    > Thanks for your time and any ideas will be appreciated.
    >
    > Robert Ritchey
    >
    >
    > ---------------------------------------------------------------------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    > any course! All of our class sizes are guaranteed to be 10 students or less
    > to facilitate one-on-one interaction with one of our expert instructors.
    > Attend a course taught by an expert instructor with years of in-the-field
    > pen testing experience in our state of the art hacking lab. Master the skills
    > of an Ethical Hacker to better assess the security of your organization.
    > Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > ----------------------------------------------------------------------------

    --
    mjb
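The "break the glass" idea at the end of the reply (split an emergency admin password between two custodians so that either one alone cannot use it) is worth doing with a proper two-party split rather than literal halves. The following is an added example, not code from the original post: it splits the password with a random XOR mask, so a custodian holding one envelope learns nothing about the password, whereas a custodian holding the first half of a 16-character password only has to guess the remaining 8 characters against the login. The password, custodian labels and alphabet size are constructed for the demo.

```python
"""Two-person 'break the glass' split of an emergency admin password.

Added example, not part of the original post. The post suggests giving half
of the password to each of two custodians; here the split uses a random XOR
mask instead, so neither custodian's envelope reveals any part of the
password on its own. The password and custodian names are constructed.
"""
from __future__ import annotations

import os


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split `secret` into two shares; both are needed to recover it.

    share_a is uniformly random, share_b = secret XOR share_a. Each share on
    its own is indistinguishable from random bytes (a one-time pad).
    """
    share_a = os.urandom(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret when both custodians bring their envelopes."""
    if len(share_a) != len(share_b):
        raise ValueError("shares differ in length; wrong envelope?")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def envelope_text(label: str, share: bytes) -> str:
    """Hex encoding suitable for printing onto a sealed envelope."""
    return f"{label}: {share.hex()}"


def share_from_envelope(text: str) -> bytes:
    """Parse the hex back off an envelope line written by envelope_text."""
    _label, hexpart = text.split(":", 1)
    return bytes.fromhex(hexpart.strip())


def half_split_search_space(length: int, alphabet: int) -> int:
    """Guesses a custodian holding one literal half needs for the other half.

    With a 'half each' scheme a dishonest custodian only has to search the
    missing half (the longer one when the length is odd).
    """
    return alphabet ** (length - length // 2)


def xor_split_search_space(length: int, alphabet: int) -> int:
    """Guesses a single XOR-share holder needs: the share carries no
    information, so the full password space must be searched, the same as
    for an outsider with no envelope at all."""
    return alphabet ** length


if __name__ == "__main__":
    password = b"Tr0ub4dor&3-Example!"  # constructed demo password
    a, b = split_secret(password)
    env_a = envelope_text("custodian A", a)
    env_b = envelope_text("custodian B", b)
    print(env_a)
    print(env_b)
    recovered = combine_shares(share_from_envelope(env_a),
                               share_from_envelope(env_b))
    assert recovered == password
    # A 16-character password drawn from a 62-character alphabet.
    print("half-split insider guesses:", half_split_search_space(16, 62))
    print("xor-split insider guesses: ", xor_split_search_space(16, 62))
```

The cost of the XOR split is that each envelope is now as critical as the password itself: if either one is lost the password is gone, so keep each share in its own sealed location with the account name and the date the password was set written on the outside, and re-split whenever the password changes.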
    
