Learn from my comedy of errors.....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Learn from my comedy of errors.....

    The scenario:

    1. Standalone, (not a member of any domain), Windows 2000 Server running IIS 5.
    2. Publicly available providing DNS, IIS and SMTP services.
    3. Hardened - Only Local Admin, "normal use" Admin and System have rights to anything but personal folders.
    4. One user has rights to alter web pages under c:\inetpub\wwwroot\mydomain and his personal folders.
    5. Administrative rights available to only Local Admin, (renamed), and another "normal use" admin
    6. Account lockouts last three days to cover weekends.
    7. Automatic updates set to install daily at 3am
    8. System state backup scheduled at 4:00am daily
    9. Changed "normal use" admin's password per policy
    10. Forgot to change the scheduled backup's login password for the "normal use" admin.....
    11. Go home......

    Next morning I arrive at work to find "normal use" admin's account is locked out. Lockout period is three days...... Oooops, the account will now lock itself nightly...... Go to get the nice little envelope with the Local Admin's password in it..... $h17.... Can't find it..... System state backup _useless_ since I don't have any rights worth a crap.....<sigh>

    Reboot to linux floppy with NTFS support, grab the SAM and start trying to crack it using all printable characters..... By the time it gets to a password length of 8 it reports 19 days to complete....... $h17......

    Time to try other means..... Privilege escalation seemingly impossible from the restricted account..... Remote tools are all access denied..... Patch level is fully up to date so skiddie tools are no use.... (which I considered but didn't want to try).

    Ok, time to try the one I didn't really want to have to go through - Install second Win2k load in different folder, boot to it, edit registry to change first load's screensaver to cmd.exe, reboot, wait, run "net user LocalAdminName 12345" to reset the password, reboot, login, remove second load, fix boot.ini........ Phew....

    In the process of setting the BIOS to allow boot from the CD-ROM first it hit me...... Can you guess?




    page down




    page down




    page down




    page down




    page down



    Change the system clock forward a year and reboot..... The account unlocks.... phew!!!!!

    1 1/2 days to find the simple solution.......

    On the bright side I discovered that I have this server pretty well locked down and it won't be easy for anyone even with local access to get on it let alone remote..... Also, making sure everything ran as a service ensured that the services it provided were always available.

    LESSONS LEARNED:

    1. Secure the local admin password where it can't be "lost" and remember where the hell you put it, (a year goes past fast but the brain forgets quicker).
    2. Contrary to best practice have a third admin, (read "backdoor"), that you never use, (on non-domain member systems).
    3. Remember to check for scheduled events when you change passwords and change the password there too.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
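Lesson 3 above is the one that is easiest to script: before rotating a password, list every scheduled task whose stored credential is that account, so the task gets its password updated too instead of locking the account out at 4am. The following is an added example, not code from the thread. It parses the verbose CSV that `schtasks /query /v /fo CSV` prints on later Windows versions; the sample rows are constructed, and the column subset used here is an assumption (real output has many more columns, but "TaskName" and "Run As User" are among them).

```python
"""Find scheduled tasks whose stored credential is the account about to change.

Added example, not the thread's own code. Input format is the verbose CSV from
`schtasks /query /v /fo CSV`; the rows below are constructed and the column
subset is an assumption (real dumps carry many more columns).
"""
import csv
import io
from typing import Dict, List

# Constructed sample output: one standalone host, four tasks.
SAMPLE_CSV = '''\
"HostName","TaskName","Status","Task To Run","Run As User"
"WEB01","\\SystemStateBackup","Ready","ntbackup.exe backup systemstate","WEB01\\opsadmin"
"WEB01","\\LogRotate","Ready","cscript.exe c:\\scripts\\rotate.vbs","NT AUTHORITY\\SYSTEM"
"WEB01","\\WebDeploy","Ready","c:\\deploy\\push.cmd","WEB01\\webeditor"
"WEB01","\\MonthlyReport","Disabled","report.exe","opsadmin"
'''


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Read schtasks CSV into one dict per task; the header row supplies the keys."""
    return list(csv.DictReader(io.StringIO(text)))


def tasks_running_as(rows: List[Dict[str, str]], account: str) -> List[str]:
    """Task names whose 'Run As User' is `account`, case-insensitively.

    A HOST\\user argument must match exactly; a bare user name matches any
    HOST\\user or bare entry with that user part (a disabled task still counts,
    because it keeps its stored credential and will fail once re-enabled).
    """
    wanted = account.lower()
    hits = []
    for row in rows:
        run_as = (row.get("Run As User") or "").strip().lower()
        bare = run_as.split("\\")[-1]
        if "\\" in wanted:
            matched = run_as == wanted
        else:
            matched = bare == wanted
        if matched:
            hits.append(row["TaskName"])
    return hits


def pre_change_report(text: str, account: str) -> List[str]:
    """Checklist lines to work through before rotating `account`'s password."""
    hits = tasks_running_as(parse_schtasks_csv(text), account)
    if not hits:
        return [f"No scheduled tasks store credentials for {account}."]
    return [f"Update stored password for task {name} after changing {account}"
            for name in hits]


if __name__ == "__main__":
    for line in pre_change_report(SAMPLE_CSV, "opsadmin"):
        print(line)
```

Run it against a real dump by piping `schtasks /query /v /fo CSV` to a file and passing the file contents to `pre_change_report`; services with a stored logon account (`sc qc` / the Services MMC) need the same sweep, since they fail the same way.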

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Tiger, I laughed at your expense at the line about a CD-ROM... sorry but if I hadn't been there myself it wouldn't have been comical. Got enough money for a palm device?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    RoadClosed:

    Got enough money for a palm device?
    Let's not go there.... I have one..... with a secure information store loaded on it that even has special formats for passwords........ Wanna guess who's too lazy or stupid to put them in sometimes....

    page down, etc......

    $h17ferbrains here.....

    I learned a few things about well secured boxes though and I hope someone else can use the "trick" without having to go through the learning curve I had to.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Looks like you could use a copy of the CD we have here. A lot of the time we get back laptop rentals and they don't give us the password, or someone brings their computer in to be repaired and forgets to leave the password. We're too lazy to contact them to get it, so we have a couple CDs. I've never seen it take more than 30 minutes to remove/change the password. I've been meaning to play with the software to see what exactly it is, but I'm rather impressed with it....

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by HTRegz
    Looks like you could use a copy of the CD we have here.
    Hey HT, is that commercial software on the CD, or something you have developed yourself. If possible, would you be willing to share? I have had situations at my shop where something like that would have come in handy.

    Cheers:
    DjM

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    HT: Doh..... Now you tell me.... <LOL>

    I do find it interesting though that a simple BIOS reset of the clock unlocks the account. It means that with physical access I can brute force an admin password without regard for the lockout period because I can just reset it. Maybe there should be a system where the admin can choose the following options:-

    On account lockout check expired time by:-

    1. Local Time server on network.
    2. Internet based clock synch.
    3. Internal timer, (registers clock ticks as long as machine is left on).
    4. No check of expired time required, use system BIOS.

    In that way a given period can be enforced. If remote time sources cannot be accessed then the system reverts to 3 so that the lockout time is at least as much as the admin set. If the remote machine later becomes available then its time is accepted if 1 or 2 were selected.

    I did try a few other things like password reset programs but the one I tried for that did not recognize the disk even when the controller drivers were provided so I was still stuck.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
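The lockout design sketched in the post above (option 3: measure the lockout on an internal timer that only advances while the machine is up, instead of on the settable clock) is short enough to model directly. The following is an added example, not code from the thread or from Windows; it runs the same policy twice, once letting the wall clock decide expiry (the behaviour the thread describes) and once letting a monotonic counter decide, and shows that winding the clock forward a year only ends the lockout in the first case. The account name, thresholds and fake clocks are constructed for the demo.

```python
"""Account lockout whose expiry does not trust the wall clock alone.

Added example, not code from the thread. Models the poster's option 3 (an
internal timer that only advances while the host is up) next to the wall-clock
behaviour he observed. Account name, thresholds and clocks are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Clocks:
    wall: Callable[[], float]       # settable wall clock (BIOS, NTP, or an admin)
    monotonic: Callable[[], float]  # counter that only moves forward while the host is up


@dataclass
class AccountState:
    failures: int = 0
    locked_at_wall: Optional[float] = None  # kept for audit logs only
    locked_at_mono: Optional[float] = None  # what the hardened expiry check trusts


class LockoutPolicy:
    def __init__(self, clocks: Clocks, threshold: int = 5,
                 lockout_seconds: float = 3 * 86400, use_monotonic: bool = True):
        self.clocks = clocks
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.use_monotonic = use_monotonic
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        """True while the lockout is in force; clears it once it has been served."""
        st = self._state(user)
        if st.locked_at_mono is None:
            return False
        if self.use_monotonic:
            elapsed = self.clocks.monotonic() - st.locked_at_mono
        else:  # the thread's observed behaviour: the settable clock decides
            elapsed = self.clocks.wall() - st.locked_at_wall
        if elapsed >= self.lockout_seconds:
            st.failures = 0
            st.locked_at_wall = st.locked_at_mono = None
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Count a bad password; returns True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_at_wall = self.clocks.wall()
            st.locked_at_mono = self.clocks.monotonic()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures = 0


class FakeClocks:
    """Constructed clocks so the scenario runs offline and deterministically."""
    def __init__(self) -> None:
        self.wall_now = 1_000_000.0
        self.mono_now = 0.0

    def wall(self) -> float:
        return self.wall_now

    def monotonic(self) -> float:
        return self.mono_now


def simulate_clock_jump(use_monotonic: bool) -> Dict[str, bool]:
    """Five bad passwords, then the clock is set a year ahead while only ten
    seconds of real uptime pass. Returns the lock state before and after."""
    fake = FakeClocks()
    policy = LockoutPolicy(Clocks(fake.wall, fake.monotonic), threshold=5,
                           lockout_seconds=3 * 86400, use_monotonic=use_monotonic)
    for _ in range(5):
        policy.record_failure("normaluse-admin")
    before = policy.is_locked("normaluse-admin")
    fake.wall_now += 365 * 86400   # BIOS clock wound forward a year
    fake.mono_now += 10            # ten real seconds elapsed
    after = policy.is_locked("normaluse-admin")
    return {"locked_before_jump": before, "locked_after_jump": after}


if __name__ == "__main__":
    print("wall clock decides:     ", simulate_clock_jump(use_monotonic=False))
    print("monotonic timer decides:", simulate_clock_jump(use_monotonic=True))
```

The caveat the post itself hints at applies: a monotonic counter restarts at boot, so a real implementation has to persist the uptime already served (or a boot counter) across restarts, and falls back to options 1 or 2 when a trusted time source is reachable; otherwise a reboot does what the clock change did here.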

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by DjM
    Hey HT, is that commercial software on the CD, or something you have developed yourself. If possible, would you be willing to share? I have had situations at my shop where something like that would have come in handy.

    Cheers:
    It's not something we've developed, at least I don't think it is... The one is a fairly basic CD... and it's the one we've always had, the other one someone just handed us one day and it's great..... you can reach me at ht_regz@hotmail.com on msn messenger or 11854130 on ICQ.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Senior Member
    Join Date
    Dec 2003
    Posts
    121
    Learnt a couple of things from your post...anyway it is good to share your mistakes with others so as not to repeat them...
    Is that the place where I am supposed to say something clever and brilliant so that everybody understands what a clever, nice guy I am????
    Screw you guys I am going home!-Kartman
