Win 2000 Server Password Override

777

Hi all,

Is it possible to override or reset the password of the network admin in a Win 2000 Server? Or does anybody know of a password cracker/hack software that could do the trick? Please help.

The company that did our network went under and the person who installed the software left and could not be traced so we're left without the password to access the network.

TIA,

777
 
pokopiko said:
For retrieving the admin password you will need L0pht crack; it's rather laborious to explain its usage here.
Poko, retrieving the admin password interests me a lot!!! I thought it wasn't possible. Can you tell me where I can find more on the subject?

Thanks
 

777

Any link or address where I could get hold of L0pht crack? How large is the Winternals Admin Pak?

TIA

777
 
I'm actively researching win2k passwords (project i've been on for a few months now). For your situation, sounds like the best way would just be to reset the password.

In addition to the software above, you could also try out the excellent, freeware, Linux-based NT password changer - http://home.eunet.no/~pnordahl/ntpasswd/
Have used it successfully with win2k.

For actually LEARNING the admin password, this becomes quite a bit trickier, and this is where my research has been... turns out that learning the admin password without any admin access can be quite a problem.

Stay tuned, my research will result in a web page with techniques, links, and downloads.... just a matter of time.
 
@ 777: I did a Google search for 'L0pht crack' and found the homepage of the program and a crack for it. It's small (4 MB), and it seems it retrieves the passwords, but you have to be logged in as an administrator.

What I'm looking for is what AudioPro says: learning the admin password while logged in as a simple user
 
borogovio said:
What I'm looking for is what AudioPro says: learning the admin password while logged in as a simple user
Well, do you have physical access to the target machine?
I guess there's an account for you on it (as a normal user).
Are you able to boot the target machine, and what's the boot sequence (floppy drive, hdd, or the reverse)?
If you know the answers to those questions, post again.
 
foobar said:
Well, do you have physical access to the target machine?
I guess there's an account for you on it (as a normal user).
Are you able to boot the target machine, and what's the boot sequence (floppy drive, hdd, or the reverse)?
If you know the answers to those questions, post again.
1) User access - I can't use a screwdriver or anything like that :(
2) Yes, a normal user account
3) Boot sequence: first HDD; CD and floppy are either disabled or come after the HDD, so no chance to boot from them :( :(
 
@borogovio:
check out whether you're allowed to enter the BIOS or not - if you're asked for a pwd, then your admin is foresighted enough to prevent the easy way of getting the pwd hashes.
if the bios is open, check if you're allowed to change the boot sequence to something starting with "floppy".
 
No, the BIOS is password protected!
But - just for the sake of knowledge - if I could boot from a floppy or a CD, what could I do?
 

777

Thank you all for the helpful tips and links. I am downloading passware's kit and then the L0pht. Will post again the outcome.

This forum really rocks! :D

777
 
@foobar: I'd be very interested to hear a method you know to get the hashes from a boot floppy or cd under 2k.

@borogovio: There are BIOS password cracker programs out there. Maybe even saw one on this forum in the past month, but can't remember for sure...
 
@AudioPro+borogovio:
Award and AMI BIOS versions are more suitable for cracking endeavors than Phoenix.
Older BIOS versions, mainly from Award (until 1997, 1998), may accept so-called "master boot passwords".
Windows-compatible BIOS crackers commonly require that you have administrator privileges when invoking them. Sometimes drivers must be installed in advance prior to using such tools, e.g. CmosPasswd.
Otherwise you need a native DOS environment to launch the second category of crackers, which are the most effective as far as I know.

@borogovio:
When the BIOS is locked and the boot sequence is "hdd only" you have little chance.
You're confined to the active W2k OS - not owning administrative status - looking for existing security holes in applications (Office 97, 2k...), configuration (registry) and OS components (IIS) to gain full access "by mistake". It's damned difficult and nearly impossible if the admin has additionally installed antivirus software and security patches like the three service packs. I had been working as a student assistant for quite a while and knew every password, but now I'm not involved any longer, and so I started doing some password research (only workstations, no W2k server) as the default student user account is too restricted. In two cases I succeeded due to the security being pretty lame: I was allowed to boot an alternate OS from floppy...
In order to work out the administrator's password (by brute force) you always have to get the hashes of the administrator account. By feeding L0pht Crack with the hash data, it will calculate the password in most cases (of course, if your admin uses non-printable characters, LC will likely fail).
pwdump2.exe does this for you - as long as you run it in a shell (cmd.exe) with administrative privileges. To achieve this you may either "outwit" pwdump2 somehow (making it believe that you're the big boss), i.e. by altering the source (I personally don't know how), or manipulate Windows applications into invoking a cmd.exe (with SYSTEM status!) in which pwdump2 can perform its desired output.
 
This is an interesting thread, so let's not let it die. foobar or borogovio, any updates? And by the way, this is not an impossible problem. The more I learn about it, the more I realize that there is an almost infinite number of possible avenues of attack. It's just a matter of finding the right one for your situation.
 
You could use ERD and boot, and then use the Locksmith tool under an NTFS environment; not difficult.
 