
Thread: Cracking NT server that became ownerless

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Posts
    20

    Exclamation Cracking NT server that became ownerless

    Hi, I have a problem.

    I work for a very large company that has had lots of "DOWN-SIZING" and one of my application servers was just shipped from a remote location to me. The admin is no longer with the company and guess what? He locked out everyone's admin accounts on the box.

    I would hate to re-build it.

    It is NT 4.0 with Service Pack 3

    The machine is a Compaq Proliant 5500 with dual processors, dual power supplies and a raid with 8 - 12 gig hard drives and 1 gig of memory.

    It was running a SQLserver database as well as some unique custom applications and a WEB Server based reporting application. The configuration is rather complex and re-building would be a major pain and time consuming.

    Time that I do not really have after working remotely on SUN servers around the world.

    I am not able to purchase LockSmith as it is too costly for a one-time use! Although I am sure I would find a use for it in our systems elsewhere. We have over 200,000 NT servers and over 200,000 SUN Enterprise servers.

    And no one here can help. I tried our Security groups and all the various admin groups with no luck.

    Please help!!!
    --MityMousse (Pronounced Mighty Moose!!!)

    If knowledge is POWER, and Power is KNOWLEDGE, what do we have if we have a little of both but not a lot of one?

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    218
    Have you tried the basics yet? Trying the good old Administrator:password combo sometimes works, or other variations like Administrator:administrator. That is assuming he left the default Administrator account active. Also there are literally hundreds of brute forcing programs out there for free to download. Just check the archives here. I am sure that there has to be at least one insecure account that would not take you too long to crack with a nice dictionary file and fast machine. The faster the machine, the easier it should be of course. Got any dual processor machines not in use? Another server that could be turned into a cracking box temporarily? Always worth a try man. Just let it rip for a day or two if need be. Have fun.

  3. #3
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Run lophtcrack on the password file. That would be the easiest way.

    With over 200,000 NT machines, I am surprised that you never ran into this problem before. We had that problem here with 1 NT machine.

    I am just curious who you work for. I didn't know any company in Michigan was that big. Unless you are at one of the automotive companies, or Amway....
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    429
    I received this by email today from Woody's WINDOWS Watch.


    Recovering lost password on NTFS
    If Win2k is on an NTFS partition, things are a lot tougher (that's why this is the file system to opt for if you want to make your computer as secure as possible). You can use a password recovery (read 'cracking') utility such as LC3 or Locksmith, but they aren't cheap. A less expensive alternative is Elcomsoft's Advanced NT Security Explorer (ANTExp) which goes for $49 (that's for a personal licence, a business licence will set you back $149). With the latter you'll still need to create a DOS boot disk with NTFS support in order to access the SAM file, then run ANTExp on a functioning Windows machine to recover the password from SAM. If you want to know how to do that, check out this Computing.net article. These programs all use brute force to recover the password and that means the process can be lengthy.

    There is a cheaper alternative. That's to use Linux. There's a free utility called the NT Admin Boot Disk available from The NT Toolbox. Click the Downloads link on the site's home page to find it and make sure you download both the updated BIN file and the original NT Admin Boot Disk. The latter contains an outdated BIN file (that's why you want the updated version as well) plus the rawrite.exe utility, which lets you create a boot floppy from the BIN file.

    This little gem boots into Linux with NTFS file support and resets the administrator's password. It's not particularly user friendly (we are talking Linux here, folks), but it will get the job done and leave your wallet intact.

    __

    it saves me typing the same

    J.

  5. #5
    if you have access to this machine, and can boot off the floppy, then there is a really easy solution

    http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

    This disk goes in through Linux, with NTFS read/write, and allows you to CHANGE the passwords of any local accounts...
    It's basically the same thing as above, but it IS rather user-friendly, albeit a Linux command line.

  6. #6
    Junior Member
    Join Date
    Oct 2001
    Posts
    20
    I work for WorldCom - UUNET Internet Backbone.

    The response from other groups has been, rebuild it! Kinda lame!!!

    Our security group suggested lophtcrack but they said it is their experience that once this is done the system is un-stable and un-usable?????? Don't ask me, this is out of my area of expertise.

    I tried the usuals for administrator/password etc, but nothing.

    I am sure someone in our company has experienced this and overcome it, but I can not find them!!!
    --MityMousse (Pronounced Mighty Moose!!!)

    If knowledge is POWER, and Power is KNOWLEDGE, what do we have if we have a little of both but not a lot of one?

  7. #7
    Junior Member
    Join Date
    Oct 2001
    Posts
    20
    Is there a way to unlock an account that exists and that I do know the password to, but as I mentioned the rogue ex-employee locked all the accounts.

    Is there an attribute in the registry or is there some kind of lock file?

    Does anyone have a NTFS boot disk I can grab?

    ?????
    --MityMousse (Pronounced Mighty Moose!!!)

    If knowledge is POWER, and Power is KNOWLEDGE, what do we have if we have a little of both but not a lot of one?

  8. #8
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    Why don't you try and pull out a hard drive and put it on another computer and boot up. Then access the password file and copy it across. After that just run L0pht crack and that's it, you will have the passwords. I hope that this will help you.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  9. #9
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    200k NT servers and the box only had SvcPk 3. SQL 7 doesn't run properly at this service pack and you would need 2wk for SQL2k. Unless it is SQL 6.5. 200k Sun Enterprise (maybe you mean Ultras?) There is something wrong here.... A company that size worried about the cost of a decent tool? hmmmmm
    Trappedagainbyperfectlogic.

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    218
    You said { Is there a way to un-lock an account that exists and I do know the password to that one, but as I mentioned the rogue ex-employee locked all the accounts. }

    With the methods posted above, you should be able to access the administrator's account instead of a user account. Even if all the user accounts are locked out, the admin should not be. And as far as finding an NTFS boot disk, try the links on http://www.bootdisk.com; you should be able to find something helpful there. And as far as LC3 making systems unstable, that is the first I have heard of it. We use it here at the air force base among many other tools to test security and have not experienced any problems with it.
