
Thread: big problem ... need help

  1. #1
    Banned
    Join Date
    Aug 2004
    Posts
    534

    big problem ... need help

    First things first:

    Windows 2000 Professional / Service Pack 2...

    This computer is in my stepfather’s office. It is his personal computer on which he stores all the information for his company. The system is set on automatic logon for the original built-in Administrative account. The Administrator account had a blank password. At some point we decided to actually change the password into something. Let's call that password "fish". At that point I noticed that the "full computer name" was a random combination of letters and numbers, exactly the way Windows installation picks them IF and only IF you don't provide the name yourself. (Those of you who installed Windows before, you know what I mean.)

    So:
    1. The password was changed.
    2. The “full computer name” was changed
    3. The system was left on automatic logon of account “Administrator”

    After that, the system requested a reboot.

    After I rebooted the system, the OS was trying to auto logon w/ the password but it said that the “system was unable to log you on”. How the hell can the system tell itself that it cannot log itself on? What the hell happened? There was no other account on the system so now it’s unusable.

    So at this point I figure, **** it. Let me put the HD into a different system and pull the company files out manually and then I'll figure something out. I noticed that some of the files couldn’t be copied. So I tried to systematically copy what I could, erase unnecessary content and leave everything that won’t move.

    At this point I noticed that somebody turned on EFS (encrypted file system).

    Can anyone, anyone help with what to do now? The files won’t move. Is there a cracker or some kind of software you guys have some experience with? It is very important for me to help this guy.

  2. #2
    Banned
    Join Date
    Aug 2004
    Posts
    534
    I also tried to use the trial version of Advanced EFS Recovery to see what it can/cannot find, but it won't work because (I think) it can only find partial keys/hashes. What should I try to undelete to make it find more hashes?

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    You need to take OWNERSHIP of the files you want to copy.
    Right click..security..advanced (I think...sorry, brain is infected with brandy )

    As for encryption...AFAIK.....if you don't have the key file...you're f#$ked

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    It appears you have been having trouble with this for a while. ( guess your ass cheeks are puckering at this point? )

    Sorry.
    From what I remember of your previous posts you have been trying to secure what you believed was a situation for disaster.

    I have not reviewed your past threads, but have you tried the M$ Windows 2000 Recovery Console?
    ( do you know how hard it is to type out that URL when you are drunk? )

    just a suggestion. I believe that is where to start.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Senior Member
    Join Date
    Jan 2005
    Posts
    128
    Unhappy,

    Familiar with rainbow cracks?

    Well, get pwdump 2/3/4, any version, depending on what you need to do. And simply grab the Administrator's hash.

    Then send me the hash, I can see what my tables can do about it.

    Any problems msg me

    BTW: This is probably the most reliable, non-intrusive method of retrieving the data encrypted using EFS
    If You've Done Something Right. People Won't Know You've Done Anything At All - God (futurama)

  6. #6

    hash

    Send me the hash too, see what I can do...

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    When you noticed that the computer name had changed you should have stopped immediately. Changing the computer's name alters the SSID of the administrator, (the only person who can access an EFS encrypted folder in the case of loss). Once the SSID of the admin is changed then the ability to unencrypt the EFS folder is gone.

    Now, if you put the drive back in the original box, (unchanged I hope), there is a linux boot disk that I have had success with that will set the administrator password to <blank>. I'm not at work right now where it is but I can hopefully get you the place to D/L it if you can't Google it. It worked perfectly for me getting into a Win2k server that I set up for being publicly available and outside the firewall that I promptly forgot the password for....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Banned
    Join Date
    Aug 2004
    Posts
    534
    tiger ... I tried the linux disk but it didn't work ... (I know enough to use it correctly)

    I have the whole disk so where can I find the hashes you guys need

    ...but the disk won't boot on me anymore ... I can only pull them out from another system

    fuking encrypted file system

  9. #9
    Senior Member
    Join Date
    Jan 2005
    Posts
    128
    Now, if you put the drive back in the original box, (unchanged I hope), there is a linux boot disk that I have had success with that will set the administrator password to <blank>. I'm not at work right now where it is but I can hopefully get you the place to D/L it if you can't Google it. It worked perfectly for me getting into a Win2k server that I set up for being publicly available and outside the firewall that I promptly forgot the password for....

    I was under the impression that you couldn't set the admin pwd because it would change the EFS encryption key as well...

    @unhappy

    Use pwdump version 2, 3 or 4. 3 and 4 allow you to retrieve the hash via network (?) But if you're using local access any of those versions should work for you.
    If You've Done Something Right. People Won't Know You've Done Anything At All - God (futurama)

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, I am not sure what you were trying to do:

    3. The system was left on automatic logon of account “Administrator”
    That is not a "security policy" that I would recommend.

    Also, what was changing the computer name supposed to do for you?

    Double//Cut

    One of us is missing the point here? I do not think that it is a "cracking" issue..............he has one account "administrator" and he knows the passwords...........first it was blank, then he changed it to "fish" or whatever.

    To my limited understanding this is a SSID/SAM issue, not a password one. It is a question of identities, authorities and permissions? ..............not one of passwords.............unless, of course the password file has become scrambled.

    If the Knoppix boot CD won't do it for you, then I think that you have problems greater than you have mentioned.................file corruption perhaps?

    You might try "Unstoppable Copier" by roadkil, then try logging in as Admin on another box and taking "ownership" of these encrypted files on the new drive. You might get past the encryption that way.

    Tiger~ and Morgana~'s solutions should have worked, which does not give a great prognosis..................particularly as I am sure you did not write down the original computer name.............?

    Assuming that the password files have become corrupted:

    1. Mirror the hard drive onto a new one
    2. Defragment it
    3. Take ownership of the files as administrator and see if you can open them.
    4. Run some hard drive diagnostics against that old drive............I have this feeling...........
    5. Try the password recovery suggestions and note what the "real" password is.................those "recovery" tools can help if the password has become corrupted

    Good luck
