Hello,
Someone donated a "server" to me, in desktop form, that has Windows Server 2003 installed. It's trying to connect to a domain controller. I boot up Ophcrack and load the encrypted SAM and see an enabled Administrator account and a disabled Guest account.
I'm thinking I could 1) try to crack the password to log in to the server.
2) Simply erase the password and log in to the server.
I realize I'd have to do the whole F8 thing to bypass the domain controller, which we don't have access to.
Here's where things get a bit exciting.
The LM password shows as:
Code:
ee8843bcf08825c88c2b09be5d55d545
The NTLM password shows as:
Code:
7b9da04e2cbc851f27a3a9aae8afd318
The person who gave me the server thought he had found the password. He gave me CHoKL0ck1920$
And if I go to an on-line password generator for LM hashes, such as:
https://asecuritysite.com/encryption/lmhash
And type everything but the $, the first 16 characters match. I noticed if I change the case of any character, it doesn't change the LM hash.
I've tried guessing what the last digit or last two digits could be, but haven't had much success. I replaced the $ with an @ symbol, and got excited for a second, because I saw 8C as the 17th digit and was like wow! That's it, but then the 18th, 19th, etc characters of the hash didn't match.
I've gone through 0 - 99. I've tried all the odd characters, like [,{,,":, !,@,#
but I haven't tried all the two digit combos. I tried $ and every capital letter, plus all the symbols, because capitalization doesn't seem to matter (is this wrong?)
Anyone want to try and help me crack it? The idea is to get the password to access Server, and a few others. I could reset it, but at this point, I'd rather try to get the actual password.
I wonder if the LM Hash is only part of the password with the server edition and the NTLM password has to be used as well, to determine the proper capitalization for the actual password... perhaps this is why no on-line LM Hash or on-line NTLM Hash cracker I've tried has been successful at finding the password. Perhaps I need a cracker designed specifically for LM AND NTLM combination passwords.
Like
LM_HASH:NTLM_HASH
I dunno.
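As an added illustration (not part of the post above) of why the first 16 hex characters of an LM hash match as soon as the first seven characters are right, and why changing case never changes it: the LM algorithm upper-cases the password, pads or truncates it to 14 bytes, splits it into two 7-byte halves and DES-encrypts the constant "KGS!@#$%" with each half as the key, so the two halves of the hash are completely independent. The code assumes an ASCII password (real LM uses the OEM code page) and checks itself against the well-known LM hashes of "password" and of the empty string; it is why NoLMHash is the recommended setting on any Windows host.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// EmptyLMHalf is the DES result for an all-NUL half: seeing it as the second
// 16 hex chars of a stored LM hash reveals the password is 7 chars or shorter.
const EmptyLMHalf = "aad3b435b51404ee"

// lmHalf DES-encrypts "KGS!@#$%" with a 7-byte password half used as the key.
func lmHalf(half []byte) string {
	// Spread 56 key bits over 8 bytes, leaving the low (parity) bit of each
	// byte zero; DES's PC-1 ignores parity bits, so their value is irrelevant.
	var k [8]byte
	k[0] = half[0] >> 1
	k[1] = half[0]&0x01<<6 | half[1]>>2
	k[2] = half[1]&0x03<<5 | half[2]>>3
	k[3] = half[2]&0x07<<4 | half[3]>>4
	k[4] = half[3]&0x0F<<3 | half[4]>>5
	k[5] = half[4]&0x1F<<2 | half[5]>>6
	k[6] = half[5]&0x3F<<1 | half[6]>>7
	k[7] = half[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	c, err := des.NewCipher(k[:])
	if err != nil {
		panic(err) // cannot happen: key is always exactly 8 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, []byte("KGS!@#$%")) // single ECB block, no mode needed
	return hex.EncodeToString(out)
}

// LMHash returns the two independent halves of the LM hash (ASCII only).
func LMHash(password string) (first, second string) {
	p := []byte(strings.ToUpper(password)) // case information is thrown away
	if len(p) > 14 {
		p = p[:14] // characters beyond 14 never influence the LM hash
	}
	p = append(p, make([]byte, 14-len(p))...) // NUL-pad to 14 bytes
	return lmHalf(p[:7]), lmHalf(p[7:])
}

func main() {
	a, b := LMHash("CHoKL0ck1920") // candidate quoted in the post, minus the $
	fmt.Printf("chars 1-7 -> %s   chars 8-14 -> %s\n", a, b)
}
```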