
I've been contacted by a local golf course that has lost login access to their Windows 2003 server (suspected cause is a password change by a disgruntled ex-manager).

When I visited the site, they have the password taped to the wall behind the server and it had been working until a few weeks ago. When they try to login now it says incorrect username or password.

I've tried booting from the UBCD and running the Offline NT Password Editor application and it can see the hard drives (it's a RAID5) and the NTFS partition (DEV/SDA1), but when it tries to mount the partition, it fails with the error:

Failed to read last sector (sector number): invalid argument. etc etc. NTFS Probe returned error code 12. Sorry, cannot continue


I'm assuming that it has loaded the correct RAID drivers given that it can see the HDDs and determine the partitions on the RAID volume. So what is causing this error?

Windows boots OK, but they can't log in. So surely it can't be an NTFS corruption... can it? From another computer on the network, they can log in using RDC but the account is not an administrative account so I can't reset any passwords or create a new Local admin account or an AD admin account.

I'd like to reset the Local admin password and/or the AD admin password. There appear to be a number of other user accounts in the Administrators group, so I'm waiting on the possible creators of those accounts to get back to us with possible passwords, but in regards to the actual "Administrator" account(s), what else can I try?

Reece
    Domain controllers do not have a local admin account, so there's that... – Mark Henderson Jan 11 '15 at 09:25
  • Knowing whether it's a domain controller or not is very important here. – HopelessN00b Jan 11 '15 at 18:12
  • It is a DC. When I look in AD Users and Computers, the users and computers are all listed in sections under the domain name. There are all of the built-in users and groups within the "Users" section outside of the domain name. I've found a few articles around the web that have procedures for resetting the AD admin account password, but all require local admin access... The password for local admin is also not known, hence my attempts to use Offline NT Password Editor and the road-block I've run into above. – Reece Jan 11 '15 at 21:57
  • Yeah, the procedure for resetting a local account is different from the procedure for resetting a domain account. And domain controllers don't have any local accounts, so... you're probably out of luck. If you have access to Metasploit, you can dump the domain accounts' password hashes and try to brute force them, but other than that, I think you're out of luck. (Unless, maybe, you can pull off an escalation of privilege exploit with one of those non-admin accounts.) I'd say it's time to restore from the backups your client probably doesn't have, or up your fee a lot to hack their server. – HopelessN00b Jan 12 '15 at 13:42
