Administrator password has been changed


This topic contains 6 replies, has 2 voices, and was last updated by Silver23 12 years, 7 months ago.

Silver23
#121787

    Hey folks, this is my 1st topic on this forum.

I have the following problem: some angry administrator got fired, but before he left, he changed the admin password (possibly also renamed the admin account). I did a lot of research already, but I haven't been able to change the password yet.

I tried setting a password with the srvany service, but it just doesn't seem to work. It's not that I'm doing it wrong; I happen to know Winternals uses the same trick, and it also does not work...

I do already have local admin access, just not domain access on the server. I did try setting a difficult password, in case you are wondering.

I really hope you guys can help me. In case you need info, I will reply as soon as possible.

This is about an HP Windows 2003 server. I'm sitting at the server with the PDC role.

I'm so sorry; while I was writing this I did another attempt with ERD, and you know what, it just worked out... it took me only 6 hours (slow server, really slow server, so the previous admin might have done other stuff as well). Thx anyway!!

rvalstar
#287061

    Re: Administrator password has been changed

    Glad it worked out.

    Just for my info, I take it this was the domain admin password and the srvany bit you refer to was from here?:

    http://www.petri.com/reset_domain_admin_password_in_windows_server_2003_ad.htm

    Did you try it specifically or use Winternals (per your reference)?

The reason I ask is that I find the service back door to be one of the best ways to take control, and I'm wondering where it failed for you. I'm not a big ERD fan, as it appears to fail at least as often as it works. I usually set up the service by tweaking the registry, by loading the hive in BartPE or mounting the disk as a slave on another machine.

    Would appreciate a post mortem so others can learn.

Silver23
#292211

    Re: Administrator password has been changed

    rvalstar;59833 wrote:
    Glad it worked out.

    Just for my info, I take it this was the domain admin password and the srvany bit you refer to was from here?:

    http://www.petri.com/reset_domain_admin_password_in_windows_server_2003_ad.htm

    Did you try it specifically or use Winternals (per your reference)?

The reason I ask is that I find the service back door to be one of the best ways to take control, and I'm wondering where it failed for you. I'm not a big ERD fan, as it appears to fail at least as often as it works. I usually set up the service by tweaking the registry, by loading the hive in BartPE or mounting the disk as a slave on another machine.

    Would appreciate a post mortem so others can learn.

Thx for the reply. Yes, this is about a domain admin password. And yes, most of my info came from Daniel's website (very helpful and a great resource).

I used Winternals and also tried it manually when Winternals failed at first. I really don't know why it failed so many times (both by tweaking the registry and with Winternals; I'm pretty good with registry hacks and tweaking, but it is still possible to make mistakes).

In this case it took about 20!! minutes to start the d**mn server on every boot, so you can imagine it was a drag, and I was VERY careful making sure I had it right.

Anyway, I had almost given up hope that I would be able to reset the password, and I decided to give Winternals another try, and whaddaya know, it worked the 3rd time...

Concerning the registry edit, I also tried creating a new user with admin rights; unfortunately, that didn't work as I had hoped either.

In the "Application" string I had it saying c:\tmp\script.cmd
The cmd was created to first make a new user, with a second line to make it a member of the admin group. My guess is it should have worked that way, but there could be a limitation to starting a program by using a service.

If you'd like to know more, let me know; I'll tell you.

rvalstar
#287064

    Re: Administrator password has been changed

    AFAIK, the “Application” string must be an EXE like

    Quote:
    CMD.EXE

    The “AppParameters” would then be

    Quote:
/K c:\tmp\script.cmd
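The following is an added example, not code from the thread or from the Petri article it links to, showing the offline set-up rvalstar describes: the hive loaded from a BartPE boot, a service pointing at srvany.exe, and a Parameters key with Application set to an EXE (cmd.exe) and AppParameters carrying the `/K` script. The target's system drive letter (D:), the service name (PwReset), the paths under C:\tmp, the account names and passwords, and ControlSet001 being the active control set are all assumptions chosen for illustration; srvany.exe is the Resource Kit tool and must be copied onto the target first. The script redirects everything to a log file, because a service has no console and without the log you cannot see why `net user` failed.

```batch
@echo off
REM Added example (not from the thread): create an srvany "service back door"
REM offline from BartPE. Assumptions: target system drive is mounted as D:,
REM srvany.exe has been copied to D:\tmp, the service name PwReset is unused,
REM and ControlSet001 is the active control set (compare with Select\Current
REM in the loaded hive if unsure).

set TARGET=D:
set HIVE=HKLM\offline
set SVC=PwReset

REM 1. The script the service runs at boot (inside the target's C:\tmp).
REM    Resetting the built-in account may fail if the old admin renamed it, so
REM    a recovery account is created as well and added to Domain Admins.
REM    Every command logs to reset.log, and the last line removes the service.
> %TARGET%\tmp\script.cmd (
  echo @echo off
  echo net user Administrator "N3w-Pa55w0rd!" ^>^> C:\tmp\reset.log 2^>^&1
  echo net user recovery "R3c0v3ry-Pa55!" /add ^>^> C:\tmp\reset.log 2^>^&1
  echo net group "Domain Admins" recovery /add ^>^> C:\tmp\reset.log 2^>^&1
  echo sc delete %SVC% ^>^> C:\tmp\reset.log 2^>^&1
)

REM 2. Load the offline SYSTEM hive and register the service.
reg load %HIVE% %TARGET%\WINDOWS\system32\config\system
set KEY=%HIVE%\ControlSet001\Services\%SVC%

REM Type 16 = own process, Start 2 = automatic, runs as LocalSystem.
reg add %KEY% /v Type /t REG_DWORD /d 16 /f
reg add %KEY% /v Start /t REG_DWORD /d 2 /f
reg add %KEY% /v ErrorControl /t REG_DWORD /d 1 /f
reg add %KEY% /v ImagePath /t REG_EXPAND_SZ /d "C:\tmp\srvany.exe" /f
reg add %KEY% /v ObjectName /t REG_SZ /d LocalSystem /f
reg add %KEY% /v DisplayName /t REG_SZ /d "Password Reset (temporary)" /f

REM srvany's Application must be an executable; the script goes in AppParameters.
reg add %KEY%\Parameters /v Application /t REG_SZ /d "C:\WINDOWS\system32\cmd.exe" /f
reg add %KEY%\Parameters /v AppParameters /t REG_SZ /d "/K C:\tmp\script.cmd" /f

REM 3. Unload so the hive is written back cleanly, then reboot the target.
reg unload %HIVE%
echo Service %SVC% staged. Reboot the target, then read C:\tmp\reset.log.
```

After logging in, change both passwords again interactively and delete script.cmd and reset.log: the script holds the new passwords in clear text, and the log records which commands ran. If reset.log is empty the service never started, which points at the ImagePath or control set; if it holds an error from `net user`, the account name or the domain password policy is the problem.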
Silver23
#292212

    Re: Administrator password has been changed

    rvalstar;59905 wrote:
    AFAIK, the “Application” string must be an EXE like

    The “AppParameters” would then be

Thx for the info (points awarded). I'm sure this won't be my last server with an unknown password; as a matter of fact, I had another one today (same administrator, different location).

    offtopic:
What kind of self-respecting admin would sabotage a network? (In this case more than one company was disrupted for about 2 days!!)
    /offtopic

I usually like doing stuff the manual way; it keeps me sharp. But I must admit, in this case I used Winternals anyway to save me some time.

It works great for this kind of thing, but man, is it unstable. It will hang; it is just a matter of how many minutes. (I have test-tried it on many computers/servers, so I know what I'm talking about.)

Now, at the risk of going further off topic, any ideas on how to prove someone sabotaged the network/servers? There were 2 Cisco routers (both reset to default configuration; they were in a VPN) and 2 servers, a Win2K and a Win2003 server; the event logs were all erased. There will be claims concerning damage to the companies concerned.

    Any help in this will be appreciated !!

Back on topic: if you want to manually reset the passwords on a Win2003 server, I usually use nt-renew or something similar. As usually happens, servers aren't installed on basic HDDs, so most of the time you will need 3rd-party drivers.

My question: if I have a (RAID) driver that works for, let's say, the Windows installation, will this driver also work for resetting the local admin password via a Linux boot CD/disk/USB stick?

rvalstar
#287079

    Re: Administrator password has been changed

    Silver23;60160 wrote:
any ideas on how to prove someone sabotaged the network/servers? There were 2 Cisco routers (both reset to default configuration; they were in a VPN) and 2 servers, a Win2K and a Win2003 server; the event logs were all erased. There will be claims concerning damage to the companies concerned.

You really need to get some outside security professionals in there to assess. I would have done that immediately had I appreciated the extent of the sabotage and the likelihood of monetary claims.

    Silver23;60160 wrote:
My question: if I have a (RAID) driver that works for, let's say, the Windows installation, will this driver also work for resetting the local admin password via a Linux boot CD/disk/USB stick?

You'll need a compatible driver for whatever OS you boot. If you use something like BartPE, then your existing Windows driver should do the trick.

Silver23
#292214

    Re: Administrator password has been changed

    rvalstar;60204 wrote:
You really need to get some outside security professionals in there to assess. I would have done that immediately had I appreciated the extent of the sabotage and the likelihood of monetary claims.

You'll need a compatible driver for whatever OS you boot. If you use something like BartPE, then your existing Windows driver should do the trick.

So if I had, let's say, an HP RAID whatever, and I would like to use a Linux disk to change the PW for a non-domain admin, I would need a specific Linux driver to mount the drive. Sounds logical, now that I come to think of it.

About hiring security profs: maybe I should have done that, but we are an external company, so we could only advise such a thing to the actual company owner. And I would expect longer downtime.

And since the personnel couldn't get any work done without an accessible server/internet/e-mail, our primary goal was to get it up and running as fast as possible.

I would have made a Ghost image of the drive of some kind, including forensic data, so that I would be able to recover the deleted event logs. Unfortunately I was informed about the cause of the downtime some time after I had started trying to get it back online. Though it may still be possible, it is already less reliable, as there is constantly data being written to the HDD.
