Sunday, September 25, 2011

Forgotten Windows 2008 Server Password

HOW TO: Gain access to a Windows Server 2008 running RAID when the local administrator password is forgotten

The original problem
The IT team was diagnosing an issue with all inbound connections being rejected to a Windows 2008 server machine (a dual quad-core Dell Poweredge running 4 disk RAID PERC 6/i). It turned out the problem was that Windows Firewall was setup as using the "public" profile for its firewall rules.

Since the server should have been assigned to the "domain" profile for the firewall rules, and it seemed like the machine was not on the domain, the IT team decided it would be a good idea to "bump" the server onto the domain, that is, take it off the domain and then re-add it to the domain. Unfortunately the server ran the accounting software (including payroll) for the company.  Also, the domain controller was administered in a country half way around the world, such that any access to higher up IT support would have had to wait another 12 hours or so.

The new problem
The IT team didn't have the local administrator password for the server. And since they had now taken the server off the domain, it could no longer be accessed using the domain user and password combination that they had always used in the past. But nobody in the company knew the local administrator password for the machine. In 14 hours time the company's payroll would need to be processed and there was no way to access the application server running the accounting software. If there's anything that motivates people to work hard its the possibility of not being payed their wages due to a technical issue.

The admin password, it now seemed, was just lost forever. About this point I came upon the following Q&A post on the excellent ServerFault.com ...

http://serverfault.com/questions/428/what-is-the-best-way-to-gain-access-when-the-password-is-unknown

There is two main types of free linux-based "boot crackers" which crack windows machines by booting a custom version of linux with a limited user interface ...

Type 1: Rainbow Table Cracker
A boot cracker that brute forces passwords using lookup tables (rainbow tables). This type does not need to actually change the file system of the machine, but just reads the encrypted Windows SAM (Security Accounts Manager) password file from the machine and cracks it using lookup tables to gain access to the administrator password. Various comments on forums generally say that in most cases this will succeed, and will take no more than a few minutes.

Type 2: Password Reset Cracker
A boot cracker that resets the local administrator password on the machine. This type just clears the password and in doing so has to write to the file system. For this reason it is considered a little more risky. Also that fact that if the EFS (Encrypted File System) is being used, then it can result in the password not being cleared but actually being scrambled, and furthermore, irretrievable.

Using the cracker
I initially decided to try ophcrack since it was type 1, and didn't write back to the file system. This seemed initially to work like a charm, booting first time into its linux GUI, but when we tried to mount the file system (which was 4 disk RAID) we realised that the PERC 6/i RAID controller wasn't recognised by the cracker's linux distro. The linux command "fdisk -l" only listed one drive - that of the DVD-ROM drive which the cracker booted with - so it didn't have access to the RAID file system.

Success!
So onto the next option; using a type 2 cracker called "NTPASSWD" - we burnt the files to a CD-ROM and booted. This one has a command line only interface, but it worked like a charm - booted first time and had access to the RAID file system. It listed all the local users on the system. So we selected which one to clear the password for (Administrator) and this was all that was needed. Hey presto, restarted the machine and no login was needed - it had worked!

If this one hadn't worked, there was one final cracker that I probably would have tried, a commercial cracker, here, that boots in a "Pre-installation" version of Windows and claims to support all major RAID controllers and hard disk hardware around. The cost was something like $199 but this would have been well worth it if the other free crackers hadn't worked.

Follow @dodgy_coder

Subscribe to posts via RSS

1 comment:

  1. I just reset my windows password thanks for this help btw Techubi is also good site for this type of techniques

    ReplyDelete