Stump the 'Big Boys!'

  • Stump the 'Big Boys!'

    I've got one for you all.....
    I've got a dual-boot system with WinXP and Win2003 STANDARD server. It was left to me by my boss to get this server up and running since there is a lot of software on it that we need. However...the person who built it left the company 'suddenly' and didn't leave the password. I've tried Daniel's suggestions (all of them) but to no avail. I downloaded/purchased the software from password-changer.com and it doesn't work either. The problem here is...I don't know the local Admin password. I work at a high-level IT firm and I'm thinking about editing this in HEX. Risky to be sure, but I can see the 'password' via other software. Only it is encrypted and in hex. Any of you geek boys/gals out there want to take a crack at this one? I have no earthly idea why I am not able to reset the password through normal methods. If any of you have ever viewed the password area of the sectors in HEX in the /system32/config SAM file and know exactly where I need to change the binary from and to...please let me know. I will monitor this for the rest of this day and maybe the next few.

  • #2
    Re: Stump the 'Big Boys!'

    Here's some more info...

    No, I don't know for sure if Active Directory is in place; I'm going to assume so. This is not a production server, so I do not have a backup; we use it for testing purposes only. I only need the local Admin password for the Win2003 server. After that I can use Mr. Petri's instructions and go from there. Yes, I have successfully edited HEX before, so I do know what I'm doing. However, I don't have a good 'model' for this particular machine to use to determine just where and what to edit. My goal is to clear the local Admin password so that I can log in and reset it accordingly. I must keep the SIDs in place for other licensed software on this PC.



    • #3
      Re: Stump the 'Big Boys!'

      It's a "test" setup, yet it has crucial software on it? That's a bit odd IMHO...

      Add "linux" to your google searches and you'll find the answer that ye seeks...


      Aaarrggg matey
      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Stump the 'Big Boys!'

        You can tell if it is a DC or not when you boot it up: you should see only the domain name in the logon box. If you see the server name too, then it doesn't have AD.
        We used to use ERD Commander for things like this, but there are some Linux ones out there that are just as good. I think ERD has been republished by MS under their desktop stuff, but it depends if you have a license for it.
        cheers
        Andy


        Quis custodiet ipsos custodes?



        • #5
          Re: Stump the 'Big Boys!'

          Well, if it's in workgroup mode he'll only see the local domain in the drop-down, so I'm not sure how he'd determine if it is in workgroup mode or is in fact a DC, unless he makes a very good guess based on the name he sees in the drop-down.



          • #6
            Re: Stump the 'Big Boys!'

            Yes...this is a test box. I work with a team of computer scientists and we do low-level forensics, RAID recoveries and database recoveries off the binary in the HEX. Would you like a crack at some of what I do? This is one of our test boxes that contains proprietary software on it that we have written, scripts et al. that we need to use. All I need is the password. I'm not super comfortable re-writing the HEX in the SAM, realizing just what kind of opportunities I have to totally destroy the data on the drive if I screw it up. I was hoping that this forum, because of Mr. Petri, would provide some useful correspondence on my dilemma.

            "Don't speak unless you can improve upon the silence." Angelica Huston, EVERAFTER



            • #7
              Re: Stump the 'Big Boys!'

              Not being overly familiar with Win2003 STANDARD server....I hope I can pick your brain. I'm on my third piece of software to determine the local Admin password. I agree with Mr. Petri: if I can get that local Admin password, then I should be able to recover from there. Problem is...I'm not sure just how this box is set up, so that if I change the password in the local SAM (I don't think there is any other SAM database, correct?), just how should I log in once I reboot the box? I've tried the one login where it disables the Active Directory, put in the 'changed' password, and it didn't work. I do know that syskey is enabled. That really shouldn't matter. Any idea what kind of configuration I'm looking at? Better yet....any idea what part of the binary HEX I need to change in the sector? If I figure this out...and surely it will be a bit different depending on software versions...I'm going to post it here so that everyone will know. It would be much quicker than all the hoops I've been trying to jump through.



              • #8
                Re: Stump the 'Big Boys!'

                Remove the HDD from the server, attach it to another machine by USB, Firewire, SATA, IDE cable, eSATA, whatever, and copy the required data from the drive.

                Alternatively, Ghost, Image, Acronis the drive to another physical HDD and then HEX edit the copy so the original stays safe.
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2



                • #9
                  Re: Stump the 'Big Boys!'

                  An ERD (error repair disc) will allow you to change the local administrator password in a few clicks. (I use my own ERD and have used it numerous times to reset Windows passwords. Also have a look at BartPE, who also created his own Windows PE CD. I'm pretty sure he may have a few utilities so you can create your own live Windows CD, as I did some years back.) Winternals used to do one a few years back until they got bought out by MS. Either that or use Ophcrack, which uses rainbow tables to interrogate the SAM database. Note the SAM database can only be accessed once Windows is dismounted, hence why Ophcrack is a live CD. I know the passwords are hashed with an algorithm, but I'm pretty sure they're not simple HEX strings. If they were, all you'd need is a HEX calculator or knowledge of Boolean algebra and you could have the password deciphered in no time.
                  Last edited by scurlaruntings; 7th August 2008, 11:18.



                  • #10
                    Re: Stump the 'Big Boys!'

                    Is it just me, or does anyone else think it's a bit odd that Deeno works in IT forensics with a team of scientists and yet he's having a problem recovering a local admin password from a machine that has "crucial software" on it?

                    Hope I'm wrong or missing something here.


                    BTW Deeno, I like that saying from Mrs Huston.

                    Cheers
                    Caesar's cipher - 3

                    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                    SFX JNRS FC U6 MNGR



                    • #11
                      Re: Stump the 'Big Boys!'

                      Originally posted by L4ndy:
                      > Is it just me, or does anyone else think it's a bit odd that Deeno works in IT forensics with a team of scientists and yet he's having a problem recovering a local admin password from a machine that has "crucial software" on it?
                      >
                      > Hope I'm wrong or missing something here.
                      >
                      > BTW Deeno, I like that saying from Mrs Huston.
                      >
                      > Cheers

                      To be honest, you don't need the Windows password to recover any data. The disc can be mounted on anything else or slaved and you can access all the data, unless there's some volatile data he needs to get to that only exists whilst Windows is live. Cracking a local Windows password is easy. Even interrogating an NTDS.dit is fairly elementary, providing you have the right tools. I can certainly do it, and I'm by no means a forensic scientist, but I did work in electronics for some years to a component level and understand the finer workings of electronics in terms of what goes on at a low level, as well as low-level languages. Either way, in my opinion it's fairly immaterial, as the data can be accessed easily without any convoluted process.
