  • Administrator password has been changed

    Hey folks, this is my 1st topic on this forum.

    I have the following problem: some angry administrator got fired, but before he left, he changed the admin password (possibly also renamed the admin account). I did a lot of research already, but I haven't been able to change the password yet.

    I tried setting a password with the srvany service, but it just doesn't seem to work. It's not that I'm doing it wrong; I happen to know Winternals uses the same trick, and it also does not work...

    I do already have local Admin access, just not domain access on the server. I did try setting a difficult password, in case you are wondering.

    I really hope you guys can help me. In case you need info, I will reply as soon as possible.

    This is about an HP Windows 2003 Server. I'm sitting at the server with the PDC role.


    I'm so sorry, while I was writing this I did another attempt with ERD, and you know what, it just worked out... Took me only 6 hours (slow server, really slow server, so the previous admin might have done other stuff as well). Thanks anyway!!
    Last edited by Silver23; 24th February 2007, 15:47.
    Please give points where appropriate

    <I don't create ready scripts for you, but I'm willing to point you in the right direction>

  • #2
    Re: Administrator password has been changed

    Glad it worked out.

    Just for my info, I take it this was the domain admin password and the srvany bit you refer to was from here?:

    http://www.petri.com/reset_domain_ad...er_2003_ad.htm

    Did you try it specifically or use Winternals (per your reference)?

    Reason I ask is I find the service back door to be one of the best ways to take control and I'm wondering where did it fail for you? I'm not a big ERD fan as it appears to fail at least as often as it works. I usually set up the service by tweaking the registry by loading the hive in BartPE or mounting the disk as a slave on another machine.

    Would appreciate a post mortem so others can learn.
    Cheers,

    Rick

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



    • #3
      Re: Administrator password has been changed

      Originally posted by rvalstar:
        Glad it worked out.

        Just for my info, I take it this was the domain admin password and the srvany bit you refer to was from here?:

        http://www.petri.com/reset_domain_ad...er_2003_ad.htm

        Did you try it specifically or use Winternals (per your reference)?

        Reason I ask is I find the service back door to be one of the best ways to take control and I'm wondering where did it fail for you? I'm not a big ERD fan as it appears to fail at least as often as it works. I usually set up the service by tweaking the registry by loading the hive in BartPE or mounting the disk as a slave on another machine.

        Would appreciate a post mortem so others can learn.

      Thanks for the reply, yes this is about a domain admin password. And yes, most of my info came from Daniel's website (very helpful and a great resource).

      I used Winternals and also tried it manually when Winternals failed at first. I really don't know why it failed so many times (also by tweaking the registry as well as with Winternals; I'm pretty good with registry hacks and tweaking, but it is still possible to make mistakes).

      In this case it took about 20!! minutes to start the d**mn server every boot, so you can imagine it was a drag and I was VERY careful making sure I had it right.

      Anyway, I had almost given up hope that I would be able to reset the password, and I decided to give Winternals another try, and whatdayaknow, it worked the 3rd time...

      Concerning the registry edit, I also tried creating a new user with admin rights; unfortunately, that didn't work as I had hoped either.

      In the "Application" string I had it saying c:\tmp\script.cmd.
      The cmd was created to first make a new user, with a second line to make it a member of the admin group. My guess is it should have worked that way, but there could be a limitation to starting a program by using a service.

      If you'd like to know more, let me know, I'll tell you.


      • #4
        Re: Administrator password has been changed

        AFAIK, the "Application" string must be an EXE like

        CMD.EXE
        The "AppParameters" would then be

        /K c:\tmp\script.cmd
        Cheers,

        Rick

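Rick's posts #2 and #4 describe the srvany wrapper from the defender's side as well: a service whose ImagePath is srvany.exe (or CMD.EXE) and whose real target lives in the "Application" and "AppParameters" values under the service's Parameters key. Those same facts make such a service easy to audit for. The PowerShell below is an added example, not code from the thread or from petri.com. It lists every service whose image is a known wrapper executable together with its target and the account it runs as. srvany.exe and cmd.exe come from the thread; the other wrapper names are assumptions, and the script needs PowerShell 3.0 or later, so it is not something the Server 2003 box in the thread would run natively.

```powershell
# Added example, not code from the thread: a read-only audit of the services
# on a Windows host that run through a process wrapper such as srvany.exe.
# For such a service the real payload is the "Application" and "AppParameters"
# values under its Parameters key, so the audit lists them next to the
# ImagePath and the account the service runs as. Run from an elevated prompt.

function Get-WrapperService {
    [CmdletBinding()]
    param(
        # Executables that host an arbitrary child process as a service.
        # srvany.exe and cmd.exe appear in the thread; the rest are assumptions.
        [string[]]$WrapperNames = @('srvany.exe', 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')
    )

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $image = $props.ImagePath
        if (-not $image) { continue }

        # Take the executable from ImagePath: the quoted path if there is one,
        # otherwise the first whitespace-delimited token.
        if ($image -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($image.Trim() -split '\s+', 2)[0] }
        $exeName = Split-Path -Path $exe -Leaf

        # -notcontains is case-insensitive for strings, so SRVANY.EXE matches too.
        if ($WrapperNames -notcontains $exeName) { continue }

        # srvany-style wrappers keep their target under <Service>\Parameters.
        $params = Get-ItemProperty -Path (Join-Path $svc.PSPath 'Parameters') -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Service       = $svc.PSChildName
            Account       = $props.ObjectName      # e.g. LocalSystem
            Start         = $props.Start           # 2 = automatic, 3 = manual, 4 = disabled
            ImagePath     = $image
            Application   = $params.Application
            AppParameters = $params.AppParameters
        }
    }
}

# Anything here that runs as LocalSystem from a directory ordinary users can
# write to (the thread's c:\tmp\script.cmd is the pattern) deserves a look.
Get-WrapperService | Format-List
```

The script changes nothing; it only reads the Services hive. Running it against a mounted offline hive, as Rick does with BartPE, is also possible by loading the hive with reg.exe and pointing `$root` at the loaded key.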


        • #5
          Re: Administrator password has been changed

          Originally posted by rvalstar:
            AFAIK, the "Application" string must be an EXE like

            CMD.EXE

            The "AppParameters" would then be

            /K c:\tmp\script.cmd

          Thanks for the info (points awarded). I'm sure this won't be my last server with an unknown password; as a matter of fact, I had another one today (same administrator, different location).

          offtopic:
          What kind of self-respecting admin would sabotage a network? (In this case more than one company was disrupted for about 2 days!!)
          /offtopic

          I usually like doing stuff the manual way, it keeps me sharp. But I must admit, in this case I used Winternals anyway to save me some time.

          Works great for this kind of thing, but man, is it unstable. It will hang, it is just a matter of how many minutes (I have test-tried it on many computers/servers), so I know what I'm talking about.

          Now at the risk of going further off topic, any ideas on how to prove someone sabotaged the network/servers? There were 2 Cisco routers (both reset to default configuration; they were in a VPN) and 2 servers, a Win2k and a Win2003 server; event logs were all erased. There will be claims concerning damage to the companies concerned.

          Any help in this will be appreciated!!

          Back on topic, if you want to manually reset the passwords on a Win2003 server, I usually use nt-renew or something similar. As usually happens, servers aren't installed on basic HDDs, so most of the time you will need 3rd-party drivers.

          My question: if I have a (RAID) driver that works for, let's say, the Windows installation, will this driver also work for resetting the local admin password via a Linux boot CD/disk/USB stick?


          • #6
            Re: Administrator password has been changed

            Originally posted by Silver23:
              Any ideas on how to prove someone sabotaged the network/servers? There were 2 Cisco routers (both reset to default configuration; they were in a VPN) and 2 servers, a Win2k and a Win2003 server; event logs were all erased. There will be claims concerning damage to the companies concerned.

            You really need to get some outside security professionals in there to assess. I would have done that immediately had I appreciated the extent of the sabotage and the likelihood of monetary claims.

            Originally posted by Silver23:
              My question: if I have a (RAID) driver that works for, let's say, the Windows installation, will this driver also work for resetting the local admin password via a Linux boot CD/disk/USB stick?

            You'll need a compatible driver for whatever OS you boot. If you use something like a BartPE, then your existing Windows driver should do the trick.
            Cheers,

            Rick

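Silver23's question in #5 about proving the servers were sabotaged after the event logs were erased, and Rick's answer to call in outside professionals, both turn on one fact about Windows: clearing an event log is itself recorded. The Security log writes event 1102 ("The audit log was cleared"; event 517 in the Windows 2000/2003 log format), the System log writes event 104, and each names the account that cleared it. Even when those entries are gone, the timestamp of the oldest surviving record shows how far back the log now reaches. The PowerShell below is an added example, not from the thread: it collects both kinds of evidence. It uses Get-WinEvent, which exists on Windows Vista/Server 2008 and later, so it would be run from a modern analysis machine (against a live host, or against .evtx files exported from an image via its -Path parameter) rather than on the thread's Server 2003 box. The 30-day threshold for "history truncated" is an assumption to adjust per environment.

```powershell
# Added example, not code from the thread: gather evidence that Windows event
# logs were wiped. Clearing a log is logged: Security records event 1102
# ("The audit log was cleared"; 517 in Windows 2000/2003 logs), System records
# event 104, and both carry the clearing account. When the clear event itself
# is gone, the oldest surviving record still shows how far back the log reaches.
# Read-only; run from an elevated prompt on Vista/2008 or later.

function Get-LogClearEvidence {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: on a long-running server, an oldest record newer than this
        # means the earlier history has been removed.
        [datetime]$ExpectedOldest = (Get-Date).AddDays(-30)
    )

    $checks = @(
        @{ LogName = 'Security'; Id = 1102, 517 },
        @{ LogName = 'System';   Id = 104 }
    )

    foreach ($check in $checks) {
        # Explicit "log cleared" events, with who did it and when.
        $clears = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $check -ErrorAction SilentlyContinue
        foreach ($e in $clears) {
            [pscustomobject]@{
                Log     = $check.LogName
                Finding = 'Log cleared'
                Time    = $e.TimeCreated
                User    = $e.UserId                       # SID recorded on the event, if any
                Detail  = ($e.Message -split "`r?`n")[0]  # first line of the message text
            }
        }

        # Oldest surviving record: a recent one on a server that has been up
        # for months means the history before it is gone, clear event or not.
        $oldest = Get-WinEvent -ComputerName $ComputerName -LogName $check.LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($oldest -and $oldest.TimeCreated -gt $ExpectedOldest) {
            [pscustomobject]@{
                Log     = $check.LogName
                Finding = 'History truncated'
                Time    = $oldest.TimeCreated
                User    = $null
                Detail  = "Oldest surviving record is newer than $ExpectedOldest"
            }
        }
    }
}

Get-LogClearEvidence | Sort-Object Time | Format-Table -AutoSize
```

The clear events point at an account, not a person, so they are a lead to correlate with logon records and with change records on the routers rather than proof on their own. As Silver23 notes later in the thread, this kind of evidence is only as good as the disk it is read from, which is why imaging comes before repair.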


            • #7
              Re: Administrator password has been changed

              Originally posted by rvalstar:
                You really need to get some outside security professionals in there to assess. I would have done that immediately had I appreciated the extent of the sabotage and the likelihood of monetary claims.

                You'll need a compatible driver for whatever OS you boot. If you use something like a BartPE, then your existing Windows driver should do the trick.

              So if I would have, let's say, an HP RAID whatever, and I would like to use a Linux disk to change the PW for a non-domain admin, I would need a specific Linux driver to mount the drive. Sounds logical, now I come to think of it.

              About hiring security pros: maybe I should have done that, but we are an external company, so we could only advise such a thing to the actual company owner. But I would expect longer downtime.

              And since the personnel couldn't get any work done without an accessible server/internet/e-mail, our primary goal was to get it up and running as fast as possible.

              I would have made a Ghost image of the drive of some kind, including forensic data, so that I would be able to recover deleted event logs. Unfortunately I was informed about the cause of the downtime some time after I started trying to get it back online. Though it may still be possible, it is already less reliable as there is constantly data being written to the HDD.