Server 2008 Domain Admin Password Recovery

[Dudeman02379]

Let me first explain the situation. I work for an IT consulting company. We have a potential new client whose administrator has stopped returning their phone calls. They have a domain controller running microsoft server 2008. They do not have the administrator password. We are allowed full access to the machine to do whatever we need to recover the administrator password, and after be the administrators of their network.

I have found some ways to do this but being a linux/backtrack fan I was wondering if there was any way to recover or reset the DOMAIN administrator password with full local access to the domain controller using backtrack and the tools it comes with. Judging from the versatility of backtrack I expect it is relatively easy and I am just ignorant of the process. Could someone please point me in the right direction?

Also they don't know the password for the pix firewall but I figure we can just reset it to factory default and reconfigure it. If there was a way to recover that password as well I would be very impressed.

[streaker69]

Let me first explain the situation. I work for an IT consulting company. We have a potential new client whose administrator has stopped returning their phone calls. They have a domain controller running microsoft server 2008. They do not have the administrator password. We are allowed full access to the machine to do whatever we need to recover the administrator password, and after be the administrators of their network.

I have found some ways to do this but being a linux/backtrack fan I was wondering if there was any way to recover or reset the DOMAIN administrator password with full local access to the domain controller using backtrack and the tools it comes with. Judging from the versatility of backtrack I expect it is relatively easy and I am just ignorant of the process. Could someone please point me in the right direction?

Also they don't know the password for the pix firewall but I figure we can just reset it to factory default and reconfigure it. If there was a way to recover that password as well I would be very impressed.

There are professional tools that your company can buy to recover/reset the password on the Win2k8 box. You should not be practicing/experimenting with tools you're unfamiliar with on a clients PC, that can only lead to trouble. If they're a potential new client, the last thing you should be doing is something you're unfamiliar with.

As for the PIX, there are all kinds of sites that explain how to reset them to defaults, but a word of warning. If you find instructions follow them exactly, because if you screw up the resetting in a PIX, you'll turn it into a Brick.

[williamc]

If the server has a firewire port, I'd try winlockpwn:
http://forums.remote-exploit.org/showthread.php?t=13922

It may also be possible to shut the machine down, install a pci firewire card, and reboot. Typically, windows will install the driver without user intervention. It would be interesting to see if any of the XP and Vista methods are successful with 2008.

If that doesnt work, you can give this tool a try:
http://home.eunet.no/pnordahl/ntpasswd/

And finally:
http://www.petri.co.il/reset_domain_...er_2003_ad.htm

William

[Dudeman02379]

I appreciate your response and your concern. I of course would not just take a suggested method and just do it to a production server. I always test on virtual machines first. As mentioned I already have a method to reset the password which I have tested and it does work. My method uses Active Directory Services Restore Mode and two Microsoft Resource kit tools, SRVANY and INSTSRV. I am just wondering if backtrack and its tools have easier/better ways to do this. Or even better would be to recover the password rather than reset. This is more for my own learning and satisfying my curiosity than an absolute need. Also as mentioned I am a fan of linux and using linux utilities rather than microsoft is just fun for me.

As far as the pix I have set MANY back to factory default and I'm not really worried about that. Again I was just asking if there is a good way to recover/reset the password more for my knowledge than a need to do so.

If anyone could maybe PM me some directions or point me to a good article that would be great! Thanks.

Oh man sorry about the triple post. I was trying to get rid of the double post and ended up doing this... I don't know how to delete my posts. I feel like a fool.

The third method is the one I am familiar with. I will check out your other suggestions. Thanks alot!

[williamc]

If you want to recover the password, have a look at this thread:
http://forums.remote-exploit.org/showthread.php?t=12942

Assuming you have an administrator account:

As a local administrator, you can now dump the HASHES for the local workstation. Use FGDump, found here:

http://swamp.foofus.net/fizzgig/fgdump/downloads.htm

Syntax:
fgdump -h %hostname% -u pwnd -p pwndABC123

If FGDump doesn't work, try GSECDump, found here:

http://www.truesec.com/PublicStore/c...ookieSupport=1

GSECDump should be used with psexec, found here:
http://technet.microsoft.com/en-us/s.../bb897553.aspx

Syntax:
psexec \\%hostname% -u pwnd -p pwndABC123 -s -f -c gsecdump.exe -s

[thorin]

I'm very curious about this statement "Or even better would be to recover the password rather than reset." why would that be?

Microsoft must provide a means by which to accomplish what you want to do. It's not as if this company is unique in having lost their only sysadmin.

[streaker69]

I'm very curious about this statement "Or even better would be to recover the password rather than reset." why would that be?

Microsoft must provide a means by which to accomplish what you want to do. It's not as if this company is unique in having lost their only sysadmin.

Also, companies need to start having a 'sysadmin hit by bus' plan. As a consultant, the OP should be talking to their client about having recovery plans other than needing to hack their own boxen.

[thorin]

Also, companies need to start having a 'sysadmin hit by bus' plan. As a consultant, the OP should be talking to their client about having recovery plans other than needing to hack their own boxen.

I totally agree. Companies always seem to consider redundancy/fail-over when it comes to technology (RAID, FWs, Routers, Telecoms provisioning, etc) but they often forget to include personnel/HR in such considerations. HR/Personnel in IT departments often represent a major Single Point of Failure.

No, I don't expect every little company in the world to have multiple SysAdmins but they should definitely have a plan. Even if it's as simple as a safe deposit box with the "keys to the kingdom" that the CEO can access in the event of a critical sysadmin/bus interface issue.

[streaker69]

No, I don't expect every little company in the world to have multiple SysAdmins but they should definitely have a plan. Even if it's as simple as a safe deposit box with the "keys to the kingdom" that the CEO can access in the event of a critical sysadmin/bus interface issue.

That's exactly what I implemented. The Keys to the Kingdom are in a sealed and signed envelope inside the tape safe, and only three people know the combination to that. Each time I change the keys, I shred the old one and add the new one with a new date/signature across the seal in the back.

[Dudeman02379]

I'm very curious about this statement "Or even better would be to recover the password rather than reset." why would that be?

Microsoft must provide a means by which to accomplish what you want to do. It's not as if this company is unique in having lost their only sysadmin.

Being able to recover an admin password rather than reseting it has obviouse advantages.

1. The password may be the same as the pix which would save me some config time there.

2. Any encryption using the administrator account could be comprimised if the password was reset. ( I don't beleive this is the case in this situation but its always something to consider)

3. Who knows what services are running using the admin account.

I would also once again like to mention that I do have a method that I plan to use to reset the password. I just enjoy linux and am always amazed with what backtrack can do. I like learning things and this seemed like a good time to do some learning about AD password recovery and maybe some features in backtrack that I wasn't already aware of. There will be no need for me to contact microsoft in this case.

Streaker I agree with you 100%. I work with a company not alone. We will all know the passwords and have accounts to access and manage the system. If one of us gets "hit by a bus" its no big deal. Unfortunatly this company decided to go with a one man show and they are now paying for it because he walked away for reasons unknown to me.

willamc thanks again for the info. That has given me a few topics to read more about. I also thought about checking workstations for cached domain credentials but I doubt I will spend that much time on this and get more to work in getting them a backup which hasn't run in months!!