How to ruin a good day in 3 easy steps


  • How to ruin a good day in 3 easy steps

    Step 1 -- start work at a company with no documentation, previous admin knowledge was swiss-cheese at best, passwords were all over the place, etc and so on...

    Step 2 -- realize that the company's website is being hosted locally on a dual NIC (internal/external) W2K3 Standard server and resolve to "harden it" by...

    Step 3 -- disabling the external NIC card on webserver, removing said server from the domain, adding it to the DMZ workgroup, cabling the internal NIC to the DMZ switch (that you snazzily created for just such occasions - no DMZ before you came) and reboot.

    Now, don't check the local admin account's PW beforehand (or God forbid add a local Admin account of your own making) and certainly don't looksee if it's even enabled and hey, be sure to forget, in all your glory, to change the IP of the internal NIC to the DMZ IP schema.

    Now, on reboot, try to log on.

    Scour http://www.petri.com/ for ideas on recovering from above-stated oopsie.

    Realize, per internet articles, that the Admin account is enabled by default in Safe Mode. Glimmers of hope and continued employment abound....


    Already sent off for free PW recovery.

    Tried the linux bootable CD about 20x with no password, complex password(s), reset the recovery console password, but no workie when get back into safe mode.

    Swallowed pride, contacted the previous Admin (that was the hardest part, esp after deriding his skilz onsite) and guess what, he can't remember either.

    I'm no Linux guru, so I get scared real quick of using Linux-based tools without the education to do it correctly.

    On an up-note, I have good backups!

    So, if you think you're having a bad day, I hope my predicament brings a smile to your face and you can say, hey it could be worse, I could be working at (company-named removed to protect the not-so-innocent) right now!

    Stacy
    Last edited by StillAsleep; 12th December 2006, 23:33. Reason: humiliating typos
    It's not what you know, it's who's on your IM list.

  • #2
    Re: How to ruin a good day in 3 easy steps

    Hi Stacy. Enjoyed the read.
    Sorry I can't help you. But there are others here that will chime in with their thoughts.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: How to ruin a good day in 3 easy steps

      Laugh til you get fired, I say!

      Oh yeah, did I mention that the webserver decided not to read the W2K3 Admin guide about booting safe mode with command prompt... select it and it goes right to that danged safe mode log-on box... again and again. So, I don't get to try the neat lil NTDSUTIL thingie. Uncooperative as a man at a department store being asked to try clothes on... ARGH!

      One of my MS-buddies just logged on... FINALLLY!!!!!!! Gonna go bug him about cracking local admin PW. Of anyone, he would know, doncha think ; )

      Stacy
      It's not what you know, it's who's on your IM list.



      • #4
        Re: How to ruin a good day in 3 easy steps

        Did I mention that I am open to most any suggestions -- AHEM limited to accessing the server, of course.
        It's not what you know, it's who's on your IM list.



        • #5
          Re: How to ruin a good day in 3 easy steps

          So what can you do on this machine? Can you logon w/ any accounts and at what permission level? Are your backups of a Ghost or equivalent nature? Have you considered a recovery? Can you mount the boot drive as a slave on another machine where you have admin access?
          Cheers,

          Rick

          ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

          2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



          • #6
            Hashing it out AHHH

            Okay,

            carrying the title of admin is a basic admission that I'm lazy, ergo, I have an impressive MSN buddy list to ping in times of self-created chaos (see above posts).

            One such canny fellow mentioned a little handy dandy OS that runs off CD-ROM called BARTPE. He also dropped some breadcrumbs that the SAM could be espied with the right plugin to said BARTPE. Well blow me down!

            10 CDs later, I finally got BARTPE and SAMINSIDE working together and VOILA!!!!!!!!!!!!!!!!!!!!!!!!!

            I booted the bad, bad server to the CD (emulating an XP environment) and with the right SCSI driver (that was a trial by fire!) was able to view the C and D drives of my errant server!

            Further, I was able to run SAMInside and decipher the MD4 hash for the Administrator account.

            Now I am downloading Cain and Abel (so apropos!) and gonna reverse-engineer AHEM convert the hash back to a password.

            And I've danced QUICKLY and fancily enough to side-step most all blame on the job front... I punted all fault possible to former admin, that unworthy and unlucky ba$tard HAH! Can you believe he now works for the FBI?!

            Will keep you all posted.

            Stacy
            It's not what you know, it's who's on your IM list.



            • #7
              Re: How to ruin a good day in 3 easy steps

              Bloody hell you sure like to type

              Let us know how you get on - This is turning into an interesting story.

              Michael
              Michael Armstrong
              www.m80arm.co.uk
              MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician




              • #8
                Re: How to ruin a good day in 3 easy steps

                Cain and Abel is a wonderful piece of software but it does not have any RainbowCrack files built in. It does have a link to a pay service (I have never tried) that claims to have the crack files built for the full alpha / numeric / special character set. There are also a few free services out there. I believe one is discussed on the main site here:

                http://www.petri.com/forgot_administ...assword.htm#20

                Best of luck. If the password is at all complex, the free service most probably won't work but give it a try.
                Cheers,

                Rick





                • #9
                  Postmortem - Still Employed!! Yay!!!!!!!!!

                  Hello Fellow Do-Gooders!

                  Still woozzzzy from celebrating the good ole 38th on Sunday, migraine on Monday and decided best show up in the office today to ensure continued paycheck deposits into my account.

                  In the end, the best I could do was enable the network card, grab a DHCP lease on the virtual XP session running off CD (BART PE with network and SCSI plugins) and yank the website data over to a hotspare I had in the DMZ. IT was all gravy after that.

                  The best I can come up with is that the SAM corrupted. I successfully snagged the NTLM hashes using several different good password capture SW and double-checked them against each other... all got the same info, which despite my best ER DOCTOR impression "LIVE, DAMN YOU!!! LLLIIIIVVVVVVEEEEE!!!!!!!!!!!!!" refused to cooperate, so I went to PLAN C = blame the "hackers" and in effect lay MORE blame on previous admin's door by demonstrating that his network was weak and vulnerable, thus the "corrupted" server.

                  I had been experiencing issues with the server's external NIC just dying for the past month (I'd have to RDP into it and disable/reenable to get the sucker going again) and the network in general has (honestly) been victim to three separate hacking attempts in the 4 months I've been here. I've been plugging holes since the day I arrived.

                  Methinks it's the last admin playing with fire because the new boss hired me instead of one of his cronies. Why anyone would give a crap about a job they left voluntarily to go to another bigger job is beyond me. "Control issues" anyone?

                  Of course if I left this network in the state he/they did, I'd be pretty ashamed too! LOLOL

                  If this were an NT 4.0 network, I would have been impressed with it. However, the 2 fellas before me hadn't bothered to understand the finer complexities of a DMZ or "bastion host" (I just love to say that phrase in meetings!!! Baffle em with BS is my motto!) so that one need NOT have dual NICs in the server for the express purpose of allowing it onto the WWW and LAN simultaneously in the same box, bypassing the very expensive and functional firewall completely. Talk about a hacker's dream!

                  Ironically, there was a CISCO PIX here and a SONICWALL, both turned down when I came here.

                  I went with the SONICWALL because it's so goooeeey (GUI) and web-enabled and I'm no CISCO "exspurt". The webbox was the last server with 2 NICs out of 10 total. And I was sooo industrious getting it in the DMZ last week that I outfoxed myself -- that was one secure server after I tampered with it -- NOBODY could log on! LOL

                  Oh well, go out with a bang, they say!

                  So, if you have console access and the box has a NIC, if you can't get the password recovered, then you CAN get the data off it using BARTPE. And yeah, you gotta manipulate the heck out of it by adding all the right plugins before you burn the ISO to get it to work (think SAMINSIDE, SCSI controller and NIC drivers at minimum), so that's MY breadcrumb to anyone who needs to recover the local admin PW off a machine.

                  After all the neat-o hacking tools and password cracking software I downloaded and played with last week, I believe I am officially allowed to add "Ethical Hacker" to my resume/CV... that I updated this weekend ... just "in case". ;D

                  And to think I actually got paid to download and learn all that hacking, er, RECOVERY software... ain't the tech industry great!?!

                  BANG!
                  StillAsleep Stacy
                  It's not what you know, it's who's on your IM list.



                  • #10
                    Re: How to ruin a good day in 3 easy steps

                    Wow, that was an amazing post. Don't really know what all you said but it was amazing none-the-less.

                    "Waiter, I'll have what he's having"
                    Cheers,

                    Rick





                    • #11
                      Re: How to ruin a good day in 3 easy steps

                      Hi Stacy

                      Must say your posts have been some of the most interesting and worthwhile reads in the two years I've been here!

                      Welcome to the forums - I do hope you stick around!
                      Server 2000 MCP
                      Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com




                      • #12
                        Re: How to ruin a good day in 3 easy steps

                        Thank you!

                        I rarely have anything of value to say, but I've never let that stop me in the past!

                        I just updated my profile if anyone wants to take a peek.

                        And, yes, that IS Elvis 'n me in my avatar and pic ***SWOONNNN***

                        StillAsleep Stacy
                        It's not what you know, it's who's on your IM list.



                        • #13
                          Re: How to ruin a good day in 3 easy steps

                          What, the REAL Elvis?? Not an impersonator???
                          Server 2000 MCP
                          Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com




                          • #14
                            Re: How to ruin a good day in 3 easy steps

                            Do you think that *I* would fling myself at, uh, gleefully consort, uh, demurely greet any old Elvis impersonator? Good gods man!

                            I just got lucky. LOL

                            That dude was hanging out in the local Wal-Mart grocery store when I walked in to gather some fixins for supper.

                            He was crooning away, shaking what his mamma (and daddy! -- tight pants told the story!!) gave him without an ounce of bashfulness, so you KNOW that had to be the real one, right?

                            I bet that pesky webserver would have logged on just nicely if he shook his hips at em like he did for me and my ripe melons.... AHEM, I was holding musk melons in my basket THANK YOU very much!!

                            I need a nap ... just ate late lunch and all warm and sleeeepppyyy. If my boss would go on home, it would be soo much easier. Do you think I would look conspicuous wearing sunglasses at my desk right about now? I don't snore - much - I'm told.

                            Stacy ; D
                            It's not what you know, it's who's on your IM list.



                            • #15
                              Re: How to ruin a good day in 3 easy steps

                              Lol! I'm sure the server would have logged right on!

                              Originally posted by StillAsleep:
                              I need a nap ... just ate late lunch and all warm and sleeeepppyyy. If my boss would go on home, it would be soo much easier. Do you think I would look conspicuous wearing sunglasses at my desk right about now? I don't snore - much - I'm told.

                              Stacy ; D
                              Lunch? Where are you?
                              Last edited by tonyyeb; 12th December 2006, 22:33.
                              Server 2000 MCP
                              Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

