    Thread: Win 2000 Server Password Override
    1. #1
      Join Date
      Apr 2002
      Location
      Midwest, USA
      Posts
      28

      Win 2000 Server Password Override

      Hi all,

      Is it possible to override or reset the password of the network admin in a Win 2000 Server? Or does anybody know of a password cracker/hack software that could do the trick? Please help.

      The company that did our network went under and the person who installed the software left and could not be traced so we're left without the password to access the network.

      TIA,

      777

    2. #2
      Winternals Administrator Pak lets you reset the administrator password - not recover it.
      ... all mimsy were the borogoves and the mome raths outgrabe...

      Lewis Carroll

    3. #3
      Originally posted by pokopiko
      For retrieving the admin password you will need the L0pht crack, it's rather laborious to explain its usage here.
      Poko, retrieving the admin password interests me a lot!!! I thought it wasn't possible. Can you tell me where I can find more on the subject?

      Thanks
      ... all mimsy were the borogoves and the mome raths outgrabe...

      Lewis Carroll

    4. #4
      Join Date
      Apr 2002
      Location
      Midwest, USA
      Posts
      28
      Any link or address where I could get hold of L0pht crack? How large is the Winternal Admin pak?

      TIA

      777

    5. #5
      Another prog it is possible to use is passware v5. You find it here in the forum. With this it's possible to reset your admin password.

      download here
      http://forum.cdrsoft.cc/attachment.php?s=&postid=85011

      read here
      http://forum.cdrsoft.cc/showthread.p...light=passware

    6. #6
      I'm actively researching win2k passwords (project I've been on for a few months now). For your situation, sounds like the best way would just be to reset the password.

      In addition to the software above, you could also try out the excellent, freeware, Linux-based NT password changer - _http://home.eunet.no/~pnordahl/ntpasswd/
      Have used it successfully with win2k.

      For actually LEARNING the admin password, this becomes quite a bit trickier, and this is where my research has been... turns out that learning the admin password without any admin access can be quite a problem.

      Stay tuned, my research will result in a web page with techniques, links, and downloads.... just a matter of time.

    7. #7
      @777: I made a google with 'L0pht crack' and found the homepage of the program and a crack for it. It's small (4 Mb), and it seems it retrieves the passwords, but you have to be logged as an administrator.

      What I'm looking for is what AudioPro says: learning the admin password being logged as a simple user
      ... all mimsy were the borogoves and the mome raths outgrabe...

      Lewis Carroll

    8. #8
      Originally posted by borogovio
      What I'm looking for is what AudioPro says: learning the admin password being logged as a simple user
      Well, have you got physical access to the target machine?
      I guess there's an account for you on it (as normal user).
      Can you boot the target machine, and what's the boot sequence (floppy drive, hdd or reverse)?
      If you know the answers to those questions, post again.

    9. #9
      Originally posted by foobar
      Well, have you got physical access to the target machine?
      I guess there's an account for you on it (as normal user).
      Can you boot the target machine, and what's the boot sequence (floppy drive, hdd or reverse)?
      If you know the answers to those questions, post again.
      1) User access - I can't use a screwdriver or anything like that
      2) Yes, a normal user account
      3) Boot sequence: hdd first; booting from cd and floppy is either disabled or comes after hdd, so no chance to boot from them
      ... all mimsy were the borogoves and the mome raths outgrabe...

      Lewis Carroll

    10. #10
      Join Date
      Oct 2001
      Location
      Adelaide Australia
      Posts
      26
      @777 the admin pak is 72mb

    11. #11
      @borogovio:
      Check out whether you're allowed to enter the BIOS or not - if you're asked for a pwd, then your admin is forethoughtful enough to prevent the easy way of getting the pwd hashes.
      If the BIOS is open, check if you're allowed to change the boot sequence to something starting with "floppy".

    12. #12
      No, BIOS is password protected!
      But - just for the sake of knowledge - if I could boot from a floppy or a CD, what could I do?
      Last edited by borogovio; 23-09-2002 at 20:51.
      ... all mimsy were the borogoves and the mome raths outgrabe...

      Lewis Carroll

    13. #13
      Join Date
      Apr 2002
      Location
      Midwest, USA
      Posts
      28
      Thank you all for the helpful tips and links. I am downloading passware's kit and then the L0pht. Will post again the outcome.

      This forum really rocks!

      777

    14. #14
      @foobar: I'd be very interested to hear a method you know to get the hashes from a boot floppy or cd under 2k.

      @borogovio: There are BIOS password cracker programs out there. Maybe even saw one on this forum in the past month, but can't remember for sure...

    15. #15

      @AudioPro+borogovio:
      Award and AMI BIOS versions are more suitable for cracking endeavor than Phoenix.
      Older BIOS versions, mainly of Award (until 1997, 1998) may accept so-called "master boot passwords".
      Windows-compatible BIOS crackers commonly require that you've got administrator privileges when invoking them. Sometimes drivers must be installed in advance, prior to using such tools, e.g. CmosPasswd.
      Otherwise you need a native DOS environment to launch the second category of crackers that are most effective as far as I know.

      @borogovio:
      When the BIOS is locked and the boot sequence is "hdd only" you have only a slim chance.
      You're confined to the active W2k os - not owning administrative status - looking for existing security holes in applications (Office 97, 2k...), configuration (registry) and os components (IIS) to gain full access "by mistake". It's damned difficult and nearly impossible if the admin additionally installed antivirus software and security patches like the three service packs. I'd been working as a student assistant for quite a while and knew any passwords, but now I'm not involved any longer and so I started doing some password research (only workstations, no w2k server) as the default student user account is too restricted. In two cases I succeeded due to the security being pretty lame: I was allowed to boot an alternate os from floppy...
      In order to work out the administrator's password (by brute force) you always have to get the hashes of the administrator account. By feeding L0pht Crack with the hash data, it shall calculate the password in most cases (of course, if your admin uses non-printable characters, LC will likely fail).
      pwdump2.exe does this for you - as long as you run it in a shell (cmd.exe) with administrative privileges. To achieve this you may either "outwit" pwdump2 somehow (making it believe that you're the big boss), i.e. altering the source (I personally don't know how) or manipulate Windows applications to invoke a cmd.exe (system status!) in which pwdump2 should perform its desired output.
      Last edited by foobar; 27-10-2002 at 15:47.

