-
January 14th, 2005, 05:23 AM
#1
big problem ... need help
First things first:
Windows 2000 professional/ service pack 2...
This computer is in my stepfather’s office. It is his personal computer on which he stores all the information for his company. The system is set on automatic logon for the original built-in Administrative account. The Administrator account had a blank password. At some point we decided to actually change the password into something. Let's call that password "fish". At that point I've noticed that the "full computer name" was a random combination of letters and numbers exactly the way windows installation picks them IF and only IF you don't provide the name yourself. (Those of you who installed windows before, you know what I mean)
So:
1. The password was changed.
2. The “full computer name” was changed
3. The system was left on automatic logon of account “Administrator”
After that, system requested a reboot.
After I rebooted the system. The OS was trying to auto logon w/ the password but it said that the “system was unable to log you on”. How the hell can system tell itself that it cannot log itself on? What the hell did happen? There was no other account on the system so now it’s unusable.
So at this point I figure, **** it. Let me put the HD into a different system and pull the company files out manually and then I figure something out. I noticed that some of the files couldn’t be copied. So I tried to systematically copy what I could. Erase unnecessary content and leave everything that won’t move.
At this point I noticed that somebody turned on EFS (encrypted file system)
Can anyone, anyone help with what to do now? The files won’t move. Is there a cracker or some kind of software you guys have some experience with? This is very important for me to help this guy.
-
January 14th, 2005, 05:30 AM
#2
I also tried to use the trial version of Advanced EFS Recovery to see what it can/cannot find but it won't work because (I think) it can only find partial keys/hashes. What should I try to undelete to make it find more hashes?
-
January 14th, 2005, 05:40 AM
#3
You need to take OWNERSHIP of the files you want to copy
Right click..security..advanced (I think...sorry brain is infected with brandy )
As for encryption...AFAIK.....if you don't have the key file...you're f#$ked
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 14th, 2005, 12:25 PM
#4
It appears you have been having trouble with this for a while. ( guess your ass cheeks are puckering at this point? )
Sorry.
From what I remember of your previous posts you have been trying to secure what you believed was a situation for disaster.
I have not reviewed your past threads, but have you tried the M$ Windows 2000 recovery Console ?
( do you Know how hard it is to type out that URL when you are drunk? )
just a suggestion. I believe that is where to start.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
January 14th, 2005, 11:24 PM
#5
Senior Member
Unhappy,
familiar with rainbow cracks ?
Well, get pwdump 2/3/4, any version, depending on what you need to do. And simply grab the Administrator's hash.
Then send me the hash, I can see what my tables can do about it.
Any problems msg me
BTW: This is probably the most reliable, non-intrusive method of retrieving the data encrypted using EFS
-
January 14th, 2005, 11:34 PM
#6
Member
hash
Send me the hash too, see what I can do...
-
January 14th, 2005, 11:44 PM
#7
When you noticed that the computer name had changed you should have stopped immediately. Changing the computer's name alters the SSID of the administrator, (the only person who can access an EFS encrypted folder in the case of loss). Once the SSID of the admin is changed then the ability to unencrypt the EFS folder is gone.
Now, if you put the drive back in the original box, (unchanged I hope), there is a linux boot disk that I have had success with that will set the administrator password to <blank>. I'm not at work right now where it is but I can hopefully get you the place to D/L it if you can't Google it. It worked perfectly for me getting into a Win2k server that I set up for being publicly available and outside the firewall that I promptly forgot the password for....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 15th, 2005, 07:10 AM
#8
tiger ... i tried the linux disk but it didn't work ... (i know enough to use it correctly)
i have the whole disk so where can i find the hashes you guys need
...but the disk won't boot on me anymore ... i can only pull them out from another system
fuking encrypted file system
-
January 15th, 2005, 12:03 PM
#9
Senior Member
Now, if you put the drive back in the original box, (unchanged I hope), there is a linux boot disk that I have had success with that will set the administrator password to <blank>. I'm not at work right now where it is but I can hopefully get you the place to D/L it if you can't Google it. It worked perfectly for me getting into a Win2k server that I set up for being publicly available and outside the firewall that I promptly forgot the password for....
I was under the impression that you couldn't set the admin pwd because it would change the EFS encryption key as well...
@unhappy
use pwdump version 2, 3 or 4. 3 and 4 allow you to retrieve the hash via network (?) But if you're using local access any of those versions should work for you.
-
January 15th, 2005, 03:44 PM
#10
Well, I am not sure what you were trying to do:
3. The system was left on automatic logon of account “Administrator”
That is not a "security policy" that I would recommend.
Also, what was changing the computer name supposed to do for you?
Double//Cut
One of us is missing the point here? I do not think that it is a "cracking" issue..............he has one account "administrator" and he knows the passwords...........first it was blank, then he changed it to "fish" or whatever.
To my limited understanding this is a SSID/SAM issue, not a password one. It is a question of identities, authorities and permissions? ..............not one of passwords.............unless, of course the password file has become scrambled.
If the Knoppix boot CD won't do it for you, then I think that you have problems greater than you have mentioned.................file corruption perhaps?
You might try "Unstoppable Copier" by roadkil, then try logging in as Admin on another box and taking "ownership" of these encrypted files on the new drive. You might get past the encryption that way.
Tiger~ and Morgana~'s solutions should have worked, which does not give a great prognosis..................particularly as I am sure you did not write down the original computer name.............?
Assuming that the password files have become corrupted:
1. Mirror the hard drive onto a new one
2. Defragment it
3. Take ownership of the files as administrator and see if you can open them.
4. Run some hard drive diagnostics against that old drive............I have this feeling...........
5. Try the password recovery suggestions and note what the "real" password is.................those "recovery" tools can help if the password has become corrupted
Good luck