Security Basics mailing list archives

Re: Windows 2000 Administrator lockout


From: Mark Johnson-Barbier <mjb-infosec () mj3 org>
Date: Mon, 16 Aug 2004 23:23:46 -0700

As the saying goes, if you have physical access to the box, you "own"
it:

Best option I know of:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
If your server is win2k and uses encrypted files, you should make an
unencrypted backup of your data before beginning.

Other options that may work (in no particular order):
- install another dual-boot version of windows on the box to a different
%systemroot% directory (such as c:\winrecover).  Boot to the new install
OS and rename/delete the file named "sam" (no extension ... it's usually
in c:\winnt\system32\config).  When you reboot, the local accounts will
be back to the default and your "administrator" account password will be
blank.  Warning: you'll lose all accounts on the box and any app that
requires an account may not work ... don't try this with an app that
requires an account SID to be the same.
- buy the l0phtcrack program and brute-force crack the password.  
- Log into the server and schedule the command "cmd.exe" to be run 3
minutes in the future as user "system" with desktop interaction.  At the
appointed time you'll be presented with a command prompt with the
authority of "system" (or possibly only with whatever account the
scheduler service is running as).  After you get a command prompt, you
can execute "usrmgr.exe" for NT4 systems or an mmc for win2k.  Or you
can use cusrmgr.exe to change the password at the command prompt.  (It's
been a long time since I've done this, so I may have left out some
detail.)
- I seem to remember a local priv escalation where cmd.exe was copied
with the same name as the default screensaver.  Instead of running the
screensaver after x minutes of inactivity, a command prompt would appear
with system privs.  I haven't tried this myself, but it would be a fun
way to solve your problem.
- I believe sysinternals.com has a way to recover passwords in their
adminpack application.


I've used Peter Nordahl's application successfully on several win2k
workstations and have read from others with success on servers.

Also, be kind to your future replacement (after you win the lottery and
move to your own private island):  Implement a simple procedure to store
passwords in a secure location where someone else can "break the glass
in case of emergency."  If security is a concern, create a new admin
account and give half of the password to two different people.  They can
get together in an emergency to gain access, but they would have to
collude to escalate their privs.

mjb


On Fri, 2004-08-13 at 11:54, Robert Ritchey wrote:
Hello All,

The network that I have is rather small.  1 server, and 4 workstations.
I inherited the systems.  There has been no administrator working there
for a little over a year.  What administrator that was there, was very
much non-technical.

When the network was built whoever built the server installed everything
they possibly could.  This system now has a few main functions:
1. File server
2. Internet Gateway
3. Symantec Virus manager

Nobody knows any of the passwords for anything on the system.  Any of
the passwords that are in use are not allowed administrator access.  I
do mean for anything!  I can't even get Symantec to update virus
signatures, as I do not have a password to do the update with.  The
signature is like 2003 date.  

It is just very frustrating!  

I am looking for options, before I have to go and reformat and rebuild.
This would in some ways make life simpler, but there are wrinkles in that
all of their operational data and other services are on the server.  We
are currently moving forward with a plan to rebuild.  This will happen;
I would rather pick the time to do it, rather than have it forced on
me.

Does anyone know of any other way to take control of this machine and
network?

Thanks for your time and any ideas will be appreciated.

Robert Ritchey


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


--
mjb
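Mark's closing advice is to keep a "break the glass" credential that no single person can use alone. Handing out the literal first and second halves of a password (as the message suggests) leaves each holder with half the search space, so the usual way to implement the two-person rule is an XOR split: each share is a uniformly random byte string, and only the two combined reveal the password. The example below is added here and is not code from the thread; the `split_secret` and `recover_secret` function names, the SHA-256 check value, and the sample password are all my own choices.

```python
import hashlib
import hmac
import secrets


def split_secret(secret: bytes) -> tuple[bytes, bytes, str]:
    """Split `secret` into two XOR shares plus a SHA-256 check value.

    Each share alone is uniformly random, so one holder learns nothing
    about the password; the check value lets whoever recombines the
    shares confirm the result without a copy of the password on file.
    """
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    check = hashlib.sha256(secret).hexdigest()
    return share_a, share_b, check


def recover_secret(share_a: bytes, share_b: bytes, check: str) -> bytes:
    """Recombine the two shares and verify them against the stored check."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    secret = bytes(x ^ y for x, y in zip(share_a, share_b))
    digest = hashlib.sha256(secret).hexdigest()
    # Constant-time compare; a mismatch means a share was mistyped or altered.
    if not hmac.compare_digest(digest, check):
        raise ValueError("recovered value does not match the check value")
    return secret


if __name__ == "__main__":
    # Constructed sample password for the break-glass admin account.
    password = b"Correct-Horse-Battery-2004"
    a, b, check = split_secret(password)
    print("share for person A:", a.hex())
    print("share for person B:", b.hex())
    print("check value       :", check)
    print("recovered         :", recover_secret(a, b, check).decode())
```

Each printed share goes into a separate sealed envelope (or separate vault entries), and the check value can be kept with either one. The pattern generalises to a Shamir split when more than two custodians are wanted, but for the one server and two people in this thread a plain XOR split is enough.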



