Thread: Password Recovery - Need some Advice

  1. #1 Senior Member (Join Date: Sep 2003, Posts: 137)

    Password Recovery - Need some Advice

    Hey all,

    I run a small network support company and have run into quite a snafu. I am familiar with the procedures for resetting passwords via the bootable Linux distros, and familiar with LC5 and have the program. I am an SSCP, MCSE, CCSA, and am very familiar with networking. Just need a little help from the strong AntiOnline community to help me in the endeavor. I will post my successes and failures after tomorrow to give props to those who helped :-) My problem is this.

    My new client terminated their network administrator yesterday (hence why they are my new client). The network admin left a few passwords but none of them actually work. I am now faced with about 20 client machines and 3-4 servers.

    2 servers are Windows 2000 server
    1 server is NT4.
    25 mixed XP, 98, 2000 (with local accounts created for the users, which are part of the admin group on the local machine, I know, as I said the old admin was not too skilled)

    The environment is one large workgroup... I don't know why it wasn't set up as a domain, but that may be part of the reason the old admin is gone, lack of skills.

    I have no true idea of what is on each server, and need to gain access to the admin account. I know I can reset the admin password with a bootable Linux disk, or obtain the SAM and crack it offline, possibly with LC5.

    But, I need to ensure that there is very little disruption to the network, mapped drives, possible services that are running under the administrator account credentials.

    Can anyone provide any input or helpful ideas?

    Basically I need to regain control of the entire network, and start mapping it so I know its entire layout. ROOT is KEY!!!!

    I was thinking of starting with a LanGuard scan to enumerate all accounts on the servers to see if there are other accounts that may be easier to access with admin privileges, which will allow me to reset the main admin account. This will also let me know what shares I may be dealing with.

    Anyway, any ideas to make my life easier tomorrow??
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  2. #2 Senior Member (Join Date: Mar 2005, Posts: 400)

    Well...aren't you the lucky one?

    Just think if it WAS a fully setup AD domain with DNS, Exchange and other issues.
    How nasty that would be with AD database, Domain rights and DC replication issues.

    You should be grateful the old admin left it a simple workgroup, I certainly would!!

    (I've seen this before with 25 or so users; it's left that way because the network was slowly put together piecemeal, and when it needed to change to a domain, the company could not afford the downtime or costs to get it converted. My guess is he's gone because he simply pissed some people off too many times.)

    Anyways,

    If everything is still running, nothing is locked out:
    Create a password matrix chart and detailed notes (I like to use my voice recorder) to keep track of what is what, of course.

    For the Desktops:
    The desktops are already under Admin users so that is 25 machines you don't immediately have to worry about.
    For those 25 machines, setup an Admin account for yourself and Belarc 'em (only takes a couple seconds). Plus check the REAL administrator account under safe mode, see if it's merely a blank password.
    I know you won't be changing the user passwords or rights just yet. You don't know if some app they are running requires an obscure registry access and they have to have admin over the whole machine. (Been there, done that.) Not to mention server access rights or local encrypted files, which issues you are already aware of.

    Do any of the 25 users on the workgroup log into the server and receive Server ADMIN rights?
    Out of 25 users, somebody probably does. If not, no big deal.

    For the Servers:
    Can only be performed after hours:

    FIRST thing, without even thinking about it, I'd make a complete disk-to-disk image of all the servers and test each imaged disk to ensure it works. Surely you can come up with 3 spare hard drives. You explain to them, better safe than sorry; they'll understand. (They always have for me since 1991.)
    I'd then remove the originals, plug in my tested backups and work off of them. If it gets too late or you get nowhere, you can simply reinsert the originals and they are ready for another day's work. This gives you time to get your ideas together on how to approach it, or you could simply take the copied disks offsite and crack them there.
    I use Acronis True Image for disk copy on servers, and perhaps Ghost would work (I've forgotten).
    The old sneak-in-by-the-screen-saver-rights-on-logon trick doesn't work anymore on Win2k, but it might still work on your NT box.

    LanGuard should be okay to use first. But I'd make the backups before I did anything.

    Oh.. by the way, I'm a roving admin (consultant/troubleshooter), so I walk weekly into hell holes and make sense of it all, and not once did I have any paperwork left for me by the departing admin. Darn it all... LOL...
    ZT3000
    Beta tester of "0"s and "1"s"

  3. #3 Senior Member (Join Date: Sep 2003, Posts: 137)
    Thanks for your detailed reply :-)

    The disk imaging idea sounds pretty good.

    I could also use a bootable Linux distro to reset the password, but that would have to be done after hours as well; there are mapped drives and, with my luck, they would somehow be tied to the server admin account and password.

    I have already reset the local admin machine passwords and nothing has broken yet :-) With luck it will stay that way.

    I need to get into the servers and rename all the passwords soon. Not sure if the old admin has telnet or terminal services access, but I wouldn't doubt it.

    The worst part about this is that I don't even know what's on each machine... lol. No network docs, nothing. I am wondering this......

    If the old admin created the users on the local machines with admin privileges... he would also need to create user accounts on the member servers as well. I wonder if he created those users on the server with the administrator group as well.... Then I could just go in under the other "user/admin" account and it might be a little easier.

    Anyway, I am due to be on site at 9am CST, I'll let you know what happens :-)
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  4. #4 Senior Member (Join Date: Mar 2005, Posts: 400)

    Originally posted here by kruptos
    I am wondering this......

    I wonder if he created those users on the server with the administrator group as well.... Then I could just go in under the other "user/admin" account and it might be a little easier.
    LOL, I wonder where that idea came from...

    Do any of the 25 users on the workgroup log into the server and receive Server ADMIN rights? Out of 25 users, somebody probably does.

    Edit: You can, of course, reset the passwords using the Linux disk, but the disks you reset should be the backup copied drives, not the original ones. Like we tell our users, backup, backup, backup.

    That's why I don't change the local user account passwords on the workstations yet. Yes, they are probably a part of the server "everyone" account, but they may also be admin accounts too. If you change the workstation admin password, then they still have access to the server under "everyone" (with no password) but may lose their server admin status. Sometimes they are listed as server dual groupies for share rights.
    (After re-reading my response, I'm not sure what that old admin may have done).

    Certainly make those backups FIRST. If crap happens you won't be standing there holding the bag. Then I'd concentrate on the internet routers if they have one; maybe they use a dialup modem. I'd scan the network for IPs, gateway address, etc... (easy stuff), then get that internet router/gateway access password changed.

    Food for thought.
    ZT3000
    Beta tester of "0"s and "1"s"

  5. #5 AO Guinness Monster MURACU (Join Date: Jan 2004, Location: Paris, Posts: 1,003)
    Just a few quick thoughts on your problem. If it were me I would probably do the following...
    Check out the workstations with some of the user accounts to see what software is running. I would check out the services on each computer to see if they rely on the system account or a service account to run. I would pay particular attention to databases and client-server applications, if any. This should let you have a good idea of the downtime necessary if you do have to reset the administrator's password.
    ZT3000's idea on the images is a good one, but I would take it one step further. Most disk imaging software nowadays lets you browse the image. That means we can copy the SAM file from the image and brute force the different accounts in it without too much downtime on the machine concerned. You can also do the same thing with a Linux boot disk.
    The thing that would worry me is the conditions under which the old admin left. If they were not the best and there is internet access, I would change the password on the different administrator accounts as soon as possible. It might be a bit of a headache, but the downtime lost due to changing the password may be less than the time lost from a virus attack.

    In any case I wish you the best of luck and hope my answer isn't too confused, as I typed it quickly but took a while to send it.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)
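Posts #1, #2 and #5 all hinge on the same pre-reset check: which services on each box log on with a named user account (such as Administrator) rather than a built-in identity, since those are the ones that stop starting once that password changes. The script below is an added example, not code from the thread or any product mentioned in it; it assumes WMI/CIM access to the hosts in $Hosts (a constructed list) and that the current user can query them.

```powershell
# Added example: inventory services that run under a named user account so an
# Administrator password reset can be scheduled around them.
# Assumes WMI/CIM access to each host named in $Hosts (constructed sample list).
param(
    [string[]] $Hosts = @('localhost')   # replace with the server names
)

# Built-in identities whose credentials are unaffected by a user password reset.
$BuiltIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

$findings = foreach ($h in $Hosts) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $h -ErrorAction Stop
    } catch {
        Write-Warning "Could not query services on ${h}: $($_.Exception.Message)"
        continue
    }

    $services |
        Where-Object { $_.StartName -and ($BuiltIn -notcontains $_.StartName) } |
        ForEach-Object {
            [pscustomobject]@{
                Host      = $h
                Service   = $_.Name
                RunsAs    = $_.StartName      # the account whose password matters
                State     = $_.State
                StartMode = $_.StartMode
            }
        }
}

# Auto-start services under a named account are the ones that break at next reboot.
$findings | Sort-Object RunsAs, Host, Service | Format-Table -AutoSize
$findings | Where-Object { $_.StartMode -eq 'Auto' } |
    Export-Csv -Path '.\service-accounts.csv' -NoTypeInformation
```

Run it once per server before touching any password; the CSV doubles as the "password matrix" notes ZT3000 suggests, listing which service credentials must be updated in the SCM after the reset.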

  6. #6 Senior Member (Join Date: Sep 2003, Posts: 137)
    OK, update:

    Secured some of the passwords from the old admin.

    Network is actually:

    2 windows 2000 Domains
    1 NT Domain
    1 Workgroup

    Yeah, I know, the guy who left this was pretty bad, considering there's only 30 users and no business reason to have separate domains.

    I got Domain Admin with one of the passwords he left. But still need to get root on the rest.
    There are MANY service packs missing, as I gathered from LanGuard and SuperScan scans. It also seems to be default installations on the Windows 2000 servers, with many services running that don't need to be. I actually have a few exploits that may be able to get me root on some of them, but don't wish to do that unless absolutely necessary. Was thinking of the WebDAV vulnerability and using KaHT2, if it will work, to create an admin account.

    No trusts are set up between domains, so that leaves out using the current domain admin account I have.

    Any other Ideas??

    Thanks again!!
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  7. #7 Junior Member (Join Date: Apr 2005, Posts: 4)
    What is his password like? The chance is he is using a similar password for the other domain. What services are running on the domain server you have access to?

  8. #8 Senior Member (Join Date: May 2003, Posts: 1,199)
    Set up a sniffer box on the domains and sniff for passwords being transmitted. Filter them by traffic from the domain controllers; that way you can get rid of all the crap going through.

    Run a user enumeration against the servers and see what LOCAL accounts you have to work with. Local accounts are easier to crack.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
