    LM Hashes and NTLM Hashes with Windows Server 2003

    Hello,

    Someone donated a "server" to me, in desktop form, that has Windows Server 2003 installed. It's trying to connect to a domain controller. I boot up Ophcrack and load the encrypted SAM and see an enabled Administrator account and a disabled Guest account.

    I'm thinking I could 1) try to crack the password to login into the server.
    2) Simply erase the password and login the server.

    I realize I'd have to do the whole F8 thing to bypass the domain controller, which we don't have access to.

    Here's where things get a bit exciting.

    The LM password shows as:
    Code:
    ee8843bcf08825c88c2b09be5d55d545
    The NTLM password shows as:
    Code:
    7b9da04e2cbc851f27a3a9aae8afd318
    So, how exactly does Windows Server 2003 store passwords? Because there's an LM Hash and an NTLM Hash, that means the password is less than 15 characters, correct?

    The person who gave me the server thought he had found the password. He gave me CHoKL0ck1920$

    And if I go to an on-line password generator for LM hashes, such as:

    https://asecuritysite.com/encryption/lmhash

    And type everything but the $, the first 16 characters match. I noticed if I change the case of any character, it doesn't change the LM hash.

    I've tried guessing what the last digit or last two digits could be, but haven't had much success. I replaced the $ with an @ symbol, and got excited for a second, because I saw 8C as the 17th digit and was like wow! That's it, but then the 18th, 19th, etc characters of the hash didn't match.

    I've gone through 0 - 99. I've tried all the odd characters, like [,{,,":, !,@,#

    but I haven't tried all the two digit combos. I tried $ and every capital letter, plus all the symbols, because capitalization doesn't seem to matter (is this wrong?)

    Anyone want to try and help me crack it? The idea is to get the password to access Server, and a few others. I could reset it, but at this point, I'd rather try to get the actual password.

    I wonder if the LM Hash is only part of the password with the server edition and the NTLM password has to be used as well, to determine the proper capitalization for the actual password....perhaps this is why no on-line LM Hash or on-line NTLM Hash cracker I've tried has been successful at finding the password. Perhaps I need a cracker designed specifically for LM AND NTLM combination passwords.

    Like
    LM_HASH:NTLM_HASH

    I dunno.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

    #2
    Re: LM Hashes and NTLM Hashes with Windows Server 2003

    I wonder what the command line for hashcat would be if I knew the first 12 digits, or thought I did, and wanted it to try and guess every possible combination for what I know, plus 1 extra character and then 2 extra characters...Wonder if that's possible.

    I'm not good with using hashcat.


      #3
      Re: LM Hashes and NTLM Hashes with Windows Server 2003

      They are saved in the SAM file.
      There's a utility on Hiren's disc that will blank the password.



        #4
        Re: LM Hashes and NTLM Hashes with Windows Server 2003

        Originally posted by diif:
        They are saved in the SAM file.
        There's a utility on Hiren's disc that will blank the password.
        Better yet, just blank the disk and install something for which you have a legitimate license as well as a genuine NEED! (if you really want to run 2K3S, then find a genuine set of discs/CoA and do a clean install)

        [Inheriting a system leaves you never quite sure of what's on the system, what's been elided, what's been corrupted, etc.]



          #5
          Re: LM Hashes and NTLM Hashes with Windows Server 2003

          I don't want to blank the hard drive yet, but I will.

          Right now, I want to attempt to crack the password.

          I'm trying to use hashcat, but I see it's only ever trying up to a length of 7.

          This is the command I use:
          Code:
          /hashcat64.bin -m 3000 -a 3 -i --increment-min=1 --increment-max=15 \
          --session="Windows Server 2003" --restore-file-path=./winserv2003.restore \
          -o ./found_passwd /tmp/hash.txt CHoKL0ck1920?a?a
          I would think that'd try with the CHoKL0ck1920, and go from there, but every time, it only cracks CHOKL0C

          The log file shows mask_ctx->mask CHoKL0c but it doesn't seem to go further. I don't understand why. What sucks is the second part can only be up to 3 characters, but if I broke the hash into 16 character parts, how would the padding look for the password?

          Something like ?a?a?a000000000000

          The ?a means to try all characters. The --increment, from my understanding, is not to limit it to only passwords of length 15 (in the example I just typed), but to start from --increment-min and go to --increment-max.

          **EDIT: The original owner is still looking for the possible password. He spent about 3 hours last night combing through old e-mails to find what he thought was it, but it appears to only be half of it. It's the rest we need.

          Once we get the password, and I can login, I can access the exchange server, grab what he needs, and then format, reinstall, do whatever. I'm worried about blanking it. I have a copy of Exchange Server Datacenter edition, with a license for like 50,000 users, but it's an Academic License, so I can play around with it, but it's newer than what he has on there. If I blank the normal password, would that fuck things up with the Exchange Server where we couldn't access his e-mails? Or anything else that might be on the hard drive, encrypted or something, with the admin password?
          Last edited by Spork Schivago; 03-24-2018, 05:08 PM. Reason: Added reason for why we're attempting to crack the password so it don't seem like we're up to shady stuff.


            #6
            Re: LM Hashes and NTLM Hashes with Windows Server 2003

            So I separated the hashes into two separate ones, and ran it with ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a for the mask, and it just finished, saying cracked.

            It does show the password as 8c2b09be5d55d545:K192O$

            Oh, by copying and pasting, I see the issue, that's 192O, with an oh, not a zero. So I guess I've successfully cracked it:
            CHoKL0ck192O$


              #7
              Re: LM Hashes and NTLM Hashes with Windows Server 2003

               Blah, even after cracking the password, I try logging in, and it says something along the lines of invalid password or cannot connect to the domain controller, which makes sense, since it'd need the domain controller to successfully login. But reading the net, it says it should be possible to use a local login.

              Anyway, I reboot, using F8 and pick the Safe Mode. Every time I started, it'd say at the login screen, one or more services failed to start and to check the event log to see which ones.

              This time, in safe mode, it says error writing to memory location blah. It shows the program as something like smc.exe. This is the Symantec Management Client.

              I'll run memtest86+ to see if there's a bad stick.

              What's odd, I use an on-line LM / NTLM password generator and type the known password. Sure enough, the LM shows up like the one in the SAM, but the NTLM is nothing like the SAM. Maybe the NTLM is more than just a password? Maybe it shows it's a roaming profile, or something along those lines? I dunno.

               Regardless, I cannot login as Administrator for some reason. Account is not disabled. Should have worked, I would have thought. I'll double check the disabled account, just to be certain, because I did try it once in normal mode, not safe mode. Maybe it disabled it then because of too many failed attempts. I dunno.


                #8
                Re: LM Hashes and NTLM Hashes with Windows Server 2003

                I think the capitalization is incorrect. Trying to figure out how to use the known LM password and hashcat to figure out the correct capitalization, so the correct password is found.


                  #9
                  Re: LM Hashes and NTLM Hashes with Windows Server 2003

                  Why not clone the HDD, and try blanking the password on the cloned HDD.

                  That way, you can experiment to see if blanking the password destroys the domain.
                  "We have offered them (the Arabs) a sensible way for so many years. But no, they wanted to fight. Fine! We gave them technology, the latest, the kind even Vietnam didn't have. They had double superiority in tanks and aircraft, triple in artillery, and in air defense and anti-tank weapons they had absolute supremacy. And what? Once again they were beaten. Once again they scrammed [sic]. Once again they screamed for us to come save them. Sadat woke me up in the middle of the night twice over the phone, 'Save me!' He demanded to send Soviet troops, and immediately! No! We are not going to fight for them."

                  -Leonid Brezhnev (On the Yom Kippur War)



                    #10
                    Re: LM Hashes and NTLM Hashes with Windows Server 2003

                    I blanked the password. I could access the hard drive with Windows installed, but the other ones with the data that he wants are encrypted using TrueCrypt (no idea what version).

                    I was able to log in locally, using the F8 method, but when I reboot, even after using srvany.exe to change the password to one that I set (a complex one, 11 characters long though, not 13, using !$ and lower case and one upper case letter, with two numbers), it didn't allow me to log in.

                    I believe the problem is because it cannot connect to the domain DATA.

                    So is there a way to remove the server from the domain, so we can login normally? srvany.exe is from the Microsoft Toolkit and it's a service that runs and executes any command I want, before I login, and it has ring 0 privileges.

                    I had it run:
                    Code:
                    cmd.exe /k net user administrator <my 11 character password>
                    Maybe I needed to pass the /domain parameter to the net command?

                    Took forever to boot, but did not let me login. Still acting like it's because it cannot connect to the domain.

                    He needs some keys off the normal Windows partition, which I might be able to recover using Linux tools or something, I dunno. But the data on the encrypted partitions are the issue. I try accessing them in Safe Mode and it's a no go. Says I need to login as a Domain User to access it.


                      #11
                      Re: LM Hashes and NTLM Hashes with Windows Server 2003

                      So maybe there's a command line I can run to make the Windows Server 2003 SP2 server the actual domain controller, and have it connect to itself somehow? Or, disconnect it from the domain controller and not have it require me to connect to one?

                      I've never played with Server edition before, so I dunno how this works, but I saw a lot of neat things in Control Panel - Administrative Settings that I'd like to play with, once I get it working. I needed to be logged in as Domain Controller user to access them as well, but eh.
                      Last edited by Spork Schivago; 03-25-2018, 06:58 PM.


                        #12
                        Re: LM Hashes and NTLM Hashes with Windows Server 2003

                        The login shell is run as admin, so, assuming I am correct and Windows Server 2003 has accessibility options (I've only worked on terminal server), this is how one does it.
                        1. Swap the drive into another computer, or boot up a recovery CD or Linux disk.
                        2. Rename c:\windows\system32\sethc.exe to sethc.old
                        3. Copy c:\windows\system32\cmd.exe to c:\windows\system32\sethc.exe
                        4. Boot up the machine to the account selection screen.
                        5. Press the shift key five times. This will bring up a command prompt window.
                        6. When you are done banging around like a skiddie, delete the false c:\windows\system32\sethc.exe and restore the saved real sethc.old


                        Same method can be used with windows 7 through 10 using the accessibility executable instead.
                        Last edited by goontron; 03-25-2018, 07:32 PM.
                        Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

                        "Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me

                        Excuse me while i do something dangerous


                        You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

                        Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore

                        Follow the white rabbit.

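An added example, not code from the post above: the defensive counterpart of the sethc.exe swap goontron describes. Because winlogon launches the accessibility helpers as SYSTEM from the logon screen, a helper that has been replaced with cmd.exe is byte-for-byte identical to cmd.exe, and the renamed original (step 6's sethc.old) is usually still sitting next to it. The check below hashes the helpers in a System32 directory and reports both signs; it is meant to be run offline from a recovery disk or against a mounted image, which is also where the swap is performed. The directory and file contents built by build_demo_system32() are constructed stand-ins for the test, not real PE files; the binary names are the real Windows ones.

```python
"""Added example (not from the thread): spot an accessibility binary swapped for cmd.exe."""
import hashlib
import os
import tempfile

# Accessibility helpers winlogon can start from the logon screen (the usual swap targets).
ACCESSIBILITY_BINARIES = (
    "sethc.exe",         # Sticky Keys, Shift x5 (the trick in post #12)
    "utilman.exe",       # Ease of Access button / Win+U
    "osk.exe",           # On-Screen Keyboard
    "narrator.exe",
    "magnify.exe",
    "displayswitch.exe",
    "atbroker.exe",
)
BACKUP_SUFFIXES = (".old", ".bak", ".orig")


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_accessibility_binaries(system32: str) -> dict:
    """Return {binary: [reasons]} for helpers that look replaced.

    Reason 1: the helper's content equals cmd.exe (the classic swap).
    Reason 2: a backup of the original (sethc.old, sethc.exe.bak, ...) was left
    beside it, which is what step 6 of the post tells you to clean up.
    """
    findings = {}
    cmd_path = os.path.join(system32, "cmd.exe")
    cmd_hash = _sha256(cmd_path) if os.path.isfile(cmd_path) else None
    listing = [f.lower() for f in os.listdir(system32)]
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        if cmd_hash and _sha256(path) == cmd_hash:
            reasons.append("identical to cmd.exe")
        stem = name[:-len(".exe")] + "."
        leftovers = sorted(f for f in listing
                           if f.startswith(stem) and f != name and f.endswith(BACKUP_SUFFIXES))
        if leftovers:
            reasons.append("backup copy left beside it: " + ", ".join(leftovers))
        if reasons:
            findings[name] = reasons
    return findings


def build_demo_system32() -> str:
    """Constructed stand-in for C:\\Windows\\System32 with one swapped helper."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    files = {
        "cmd.exe": b"MZ fake cmd.exe",
        "sethc.exe": b"MZ fake cmd.exe",        # swapped: same bytes as cmd.exe
        "sethc.old": b"MZ fake sethc.exe",      # the renamed original, left behind
        "utilman.exe": b"MZ fake utilman.exe",  # untouched
        "osk.exe": b"MZ fake osk.exe",          # untouched
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    # On a real system point this at the mounted volume's Windows\System32.
    print(find_swapped_accessibility_binaries(build_demo_system32()))
```

Caveat: this only catches the file-replacement form. On newer Windows the same backdoor is often set up without touching the file, through an Image File Execution Options "Debugger" value for sethc.exe or utilman.exe in the registry, so a review of that key belongs next to this check.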


                          #13
                          Re: LM Hashes and NTLM Hashes with Windows Server 2003

                          So I know the password is successfully being changed by using srvany.exe because when I boot into Directory Service Restore Mode, I have to type the new password.

                          But when I boot into normal mode, it's still not letting me in. I'm wondering if there's more going on though. I just don't know enough about Windows Servers. Should it allow me to login if it's a domain controller, or a backup domain controller, or if it's trying to connect to a domain controller but cannot?

                          When it starts, now it takes a while to start, and there's always a message that one or more services failed to start, and to check the Event Viewer, which I cannot, plus three times now, I got the message about smc not being able to write to a certain area of RAM.

                          This makes me think one of the ECC sticks is bad. I'll run memtest86+ I guess. But could a bad stick of RAM be preventing me from actually logging in during normal mode?

                          Any advice is greatly appreciated.


                            #14
                            Re: LM Hashes and NTLM Hashes with Windows Server 2003

                            Originally posted by goontron:
                            The login shell is run as admin, so, assuming I am correct and Windows Server 2003 has accessibility options (I've only worked on terminal server), this is how one does it.
                            1. Swap the drive into another computer, or boot up a recovery CD or Linux disk.
                            2. Rename c:\windows\system32\sethc.exe to sethc.old
                            3. Copy c:\windows\system32\cmd.exe to c:\windows\system32\sethc.exe
                            4. Boot up the machine to the account selection screen.
                            5. Press the shift key five times. This will bring up a command prompt window.
                            6. When you are done banging around like a skiddie, delete the false c:\windows\system32\sethc.exe and restore the saved real sethc.old


                            Same method can be used with windows 7 through 10 using the accessibility executable instead.
                            Very nice, but srvany.exe is allowing me to execute commands as I see fit. What exact command would I run if I was at the command prompt that would allow me to login? I didn't see your post until after I posted mine, sorry about that. But neat trick at least.


                              #15
                              Re: LM Hashes and NTLM Hashes with Windows Server 2003

                              Code:
                              start control
                              Will give you a control panel where you can enable local accounts.

                              But try this first: login as

                              Code:
                              .\administrator
                              .\ means local machine.
                              Last edited by goontron; 03-25-2018, 07:56 PM.


                                #16
                                Re: LM Hashes and NTLM Hashes with Windows Server 2003

                                Originally posted by goontron:
                                Code:
                                start control
                                Will give you a control panel where you can enable local accounts.

                                But try this first: login as

                                Code:
                                .\administrator
                                .\ means local machine.
                                I tried the .\administrator trick, but that didn't work.

                                I'm wondering if bad RAM is preventing me from logging in. The start control is something I could do. Assuming this computer has accessibility options.

                                There's nothing at the login screen that suggests it does, but that doesn't necessarily mean it doesn't. IP address is set to 192.168.1.3. I'm on the 192.168.2.0 network.

                                Any ideas how to change the IP address from the command line? I could google it and probably find it. If I could set a static IP on the 2.0 network, perhaps I could access it remotely. I saw in the Control Panel stuff for terminal licenses and stuff.


                                  #17
                                  Re: LM Hashes and NTLM Hashes with Windows Server 2003

                                  Umm, lets see here...

                                  Code:
                                  netsh interface ip set address name="Local Area Connection" static 192.168.2.100 255.255.255.0 192.168.2.1 1
                                  maybe? and

                                  Code:
                                   ipconfig
                                  to see if it takes


                                    #18
                                    Re: LM Hashes and NTLM Hashes with Windows Server 2003

                                    Ahhh! That's how you use the name. I could never figure that shit out. I'd try eth0, enp4s0, enp1s0, enp0s0, etc. Thanks!


                                      #19
                                      Re: LM Hashes and NTLM Hashes with Windows Server 2003

                                      ^ Yeah, that's one thing i learned during my stint with Windows 5 years ago. Windows is not logical.


                                        #20
                                        Re: LM Hashes and NTLM Hashes with Windows Server 2003

                                        So something definitely weird here.

                                        For one, the LM hash for admin was easy to crack, using a brute force, and although I didn't have to try all upper and lower case combos, I tried everything known to man. Took my PC 6 hours. With LM, case doesn't matter, so I could have excluded the upper or the lower, and saved some time.

                                        Anyway, once I obtained the LM, it should have just been a matter of finding the correct case for the NTLM. But that didn't work. So as a test, last night, I pulled the LM and NTLM hashes for the other two non-admin accounts,

                                        IWAM_SUSY
                                        IUSR_SUSY

                                        I cracked the LM hashes again, same way, took 5ish hours. They're completely random, not normal passwords (I doubt they were for users to actually login). They're each 14 characters long, both users.

                                        Anyway, cracking the NTLM, after having the LM, took literally a matter of seconds. So, for whatever reason, the Administrator account's NTLM does NOT match the LM hash. I blanked it, changed it, etc, still cannot login via administrator.

                                        However! I can log in as the non-admin accounts, IWAM_SUSY and IUSR_SUSY, using the insane passwords. I was thinking of using my NT Password Recovery disc, the one that lets me edit the registry, list the users, unlock / re-enable accounts, change passwords, blank passwords, etc, and trying to use Promote User to Admin Status, although I'm warned this could cause issues.

                                        Anyone ever try that? The disc I'm using is a bootable disc and it contains chntpw on it, that runs automatically. It could be old, I dunno. Perhaps it's time to burn the latest version, just to see if anything's changed.
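An added example, not code from any post in this thread, tying together the questions asked in the first post (how Server 2003 stores the two hashes and what a present LM hash implies), in posts #2 and #5 (how to give hashcat a known prefix plus one or two extra characters), in post #8 (using the cracked LM plaintext to find the right capitalisation) and the finding in post #20. The facts it encodes: the LM hash uppercases the password, NUL-pads it to 14 bytes, and DES-encrypts the fixed string "KGS!@#$%" under each 7-byte half as key, so the first 16 hex characters depend only on characters 1-7, the second 16 only on characters 8-14, and a non-empty LM hash does mean the password is at most 14 characters; the NT ("NTLM") hash is MD4 over the UTF-16LE password and is case-sensitive. Because hashcat's -m 3000 mode cracks each 16-hex half as its own hash of at most 7 characters, a 14-character mask like CHoKL0ck1920?a?a never gets past the first half, which is why post #5 only ever saw CHOKL0C; the tail has to be attacked as the second half, as post #6 eventually did. What this code assumes (not stated in the thread): hashcat's LM plaintext is the uppercased password, and the 16-hex constant aad3b435b51404ee for an empty half. MD4 is written out inline because hashlib's md4 is frequently unavailable on OpenSSL 3 builds.

```python
"""Added example (not from the thread): LM/NT hash helpers for Server 2003 SAM hashes."""
import itertools
import struct

MASK32 = 0xFFFFFFFF
# DES("KGS!@#$%") under an all-zero 7-byte key: the value of an empty LM half.
LM_EMPTY_HALF = "aad3b435b51404ee"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320), pure Python."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[k]) & MASK32, s), b, c
        for k, s in zip(r2, [3, 5, 9, 13] * 4):
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, s), b, c
        for k, s in zip(r3, [3, 9, 11, 15] * 4):
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, s), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4(UTF-16LE(password)), case-sensitive, hex."""
    return md4(password.encode("utf-16-le")).hex()


def split_lm(lm_hex: str) -> list:
    """Split a 32-hex LM hash into the two halves hashcat -m 3000 cracks separately.

    Returns [(half_hex, is_empty), ...]; an empty half held no characters, and
    both halves empty means no LM hash was stored at all.
    """
    lm_hex = lm_hex.lower()
    if len(lm_hex) != 32:
        raise ValueError("LM hash must be 32 hex characters")
    return [(half, half == LM_EMPTY_HALF) for half in (lm_hex[:16], lm_hex[16:])]


def lm_half_masks(known_prefix: str, min_extra: int = 1, max_extra: int = 2) -> dict:
    """Per-half hashcat masks for "I know the first N characters plus 1..2 more".

    The first 7 known characters become a single-candidate mask for half 1;
    the remainder plus ?a placeholders becomes the mask for half 2, with the
    --increment bounds relative to that half (never above 7).
    """
    prefix = known_prefix.upper()                       # LM is case-insensitive
    if not 7 <= len(prefix) <= 14:
        raise ValueError("need 7-14 known characters")
    first, rest = prefix[:7], prefix[7:]
    inc_min, inc_max = len(rest) + min_extra, min(7, len(rest) + max_extra)
    if inc_min > 7:
        raise ValueError("known tail plus extra characters exceeds the 7-char half")
    esc = lambda s: s.replace("?", "??")                # '?' is a mask metacharacter
    return {"half1": esc(first),
            "half2": esc(rest) + "?a" * (inc_max - len(rest)),
            "increment_min": inc_min, "increment_max": inc_max}


def recover_case(lm_plaintext: str, nt_hex: str):
    """Try every capitalisation of the LM plaintext against the NT hash.

    Returns the case-correct password, or None when no casing matches, i.e. the
    NT hash is not the hash of that password at all (post #20's Administrator).
    """
    letters = [ch for ch in lm_plaintext if ch.isalpha()]
    for bits in itertools.product((False, True), repeat=len(letters)):
        it = iter(bits)
        cand = "".join((ch.lower() if next(it) else ch.upper()) if ch.isalpha() else ch
                       for ch in lm_plaintext)
        if nt_hash(cand) == nt_hex.lower():
            return cand
    return None


if __name__ == "__main__":
    print(split_lm("ee8843bcf08825c88c2b09be5d55d545"))   # the thread's Administrator LM hash
    print(lm_half_masks("CHoKL0ck1920"))                   # masks for post #2's question
    print(recover_case("PASSWORD", nt_hash("PassWord")))   # PassWord
```

Usage: put each half on its own line in the hash file and run hashcat -m 3000 -a 3 once per half, e.g. a fixed mask CHOKL0C for the first half and, for the second, -i --increment-min=6 --increment-max=7 with mask K1920?a?a. Once both halves are cracked, feed the joined uppercase string and the 32-hex NT hash to recover_case(): a 13-character password with nine letters is at most 512 MD4 computations, which is the "matter of seconds" post #20 saw for the IWAM/IUSR accounts. A None result is informative too: it means the NT hash in the SAM was not produced from that password, so no amount of case-flipping will log you in with it.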
