Windows Server 2003 SAM - Breaking password

[multiband8303]

Contractor came in and attempted to setup Proxy Server, he was caught doing some very VERY naughty things while on the job site.

Anyways - we never got the admin password (local account) that was setup -

This is our equipment, and I do not want to waste whatever was setup on the ISA Server - (Even though he is a bad person, we will not waste the hours spent on this)


Formatting the drive is NOT an option, I need to find a way to crack the SAM account and reset the password to the local administrator.

 

[stash]

So let me see if I have this straight: a contractor came in to setup ISA on one of your servers and reset the local admin password and didn't tell you what it was?

Why would you trust this machine at all? I wouldn't go near it after something like that. Who knows what else he did to the machine. He could've installed a keylogger, backdoor, rootkit, whatever.

 

[Brazen]

Originally posted by: stash
So let me see if I have this straight: a contractor came in to setup ISA on one of your servers and reset the local admin password and didn't tell you what it was?

Why would you trust this machine at all? I wouldn't go near it after something like that. Who knows what else he did to the machine. He could've installed a keylogger, backdoor, rootkit, whatever.

This is probably the worst idea I have ever heard.

 

[multiband8303]

I do not make the decisions - this is from our IT director - once inside we will evaluate from that point.

I understand and respect the threats/concerns - however at this point is not an option.

I am leaning towards the point of just installing a paralell OS - and running logon.smr - to accomplish the task.

However any kind of assistance would be great.

 

[Brazen]

Well, this is probably want you need then: http://home.eunet.no/pnordahl/ntpasswd/

 

[multiband8303]

Utility did not find the SAM, any other utilities out there?

 

[stash]

The box isn't a domain controller is it?

 

[Smilin]

Originally posted by: Brazen

Originally posted by: stash
So let me see if I have this straight: a contractor came in to setup ISA on one of your servers and reset the local admin password and didn't tell you what it was?

Why would you trust this machine at all? I wouldn't go near it after something like that. Who knows what else he did to the machine. He could've installed a keylogger, backdoor, rootkit, whatever.

This is probably the worst idea I have ever heard.

Indeed.

http://www.moviewavs.com/00954...ce_Space/worstidea.wav

 

[multiband8303]

Originally posted by: stash
The box isn't a domain controller is it?

No it is not.

 

[ITJunkie]

Well, you could always try pwdump3 (or which ever version is newest) to dump the local accounts to a txt file then use something like Lopht to actually crack them. You will need to buy lopht though I believe.

 

[RebateMonger]

Originally posted by: Brazen
Well, this is probably want you need then: http://home.eunet.no/pnordahl/ntpasswd/

In my experience, this method won't work with Server 2003 SP1 or higher. I've already tried it. Microsoft seems to have made some security improvements.....

What did they do with ISA that was special? There are some VERY good ISA consultants with spotless credentials that could set up ISA remotely for you, with a little help on a couple of reboots. (And I'm not referring to myself.)

 

[Allanv]

when i have used the NTpasswd util before on windows 2003 sp1 boxes before i noticed it was looking for winnt and that doesnt exist anymore so i had to specify windows as the dir to look at.

might wanna just check that its not doing the same.

 

[RebateMonger]

Originally posted by: Allanv
when i have used the NTpasswd util before on windows 2003 sp1 boxes before i noticed it was looking for winnt and that doesnt exist anymore so i had to specify windows as the dir to look at.

I'm pretty sure I did so in my (single) attempt to crack the Local Administrator password using NTPasswd on Server 2003 SP1. It found the account and SAID it was blanking the Local Admin password, but it didn't work. But it's certainly possible I did something wrong. I've used NTPasswd many times on XP boxes, but this was my first Server 2003 box that needed cracking.

 

[bruceb]

Have a look at this link:

http://www.petri.co.il/reset_d...ows_server_2003_ad.htm

 

[RebateMonger]

Originally posted by: bruceb
Have a look at this link:

http://www.petri.co.il/reset_d...ows_server_2003_ad.htm

But those instructions are for cracking a DC's password. He doesn't have a DC. Plus, they first require having the Local Administrator password.

 

[Nothinman]

I do not make the decisions - this is from our IT director - once inside we will evaluate from that point.

Then your IT director is incompetent, you could've reloaded the thing in the time you've wasted trying to break into it. Someone needs to give that man a clue.

 

[stash]

Originally posted by: Nothinman

I do not make the decisions - this is from our IT director - once inside we will evaluate from that point.

Then your IT director is incompetent, you could've reloaded the thing in the time you've wasted trying to break into it. Someone needs to give that man a clue.

++