Re: LM Hashes and NTLM Hashes with Windows Server 2003

The Escalation didn't work. I tried for both of the *_SUSY users. The IUSR_SUSY was the one I logged into as, and I was able to escalate using chntpw or whatever it's called, but when I logged into the server, I was still an unprivileged user.

For IWAM_SUSY, it failed, couldn't find the registry key or something.

What's odd now, when I log in as IUSR_SUSY, I can run net user and see all the users. There's 11. Cinder45 is listed, but no Administrator (although there's an Administrator account listed in BOTH Ophcrack and ntchpw). There's no Administrator user listed under Active Directory Users and Accounts. But there's Cinder45, and that's the username I was told to use originally, but the password doesn't work, and when I run OphCrack or chntpw, it doesn't list Cinder45.

It shows this PC is the actual domain controller. It's susy.data.local or data.susy.local. The accounts must be stored in some other place besides the SAM, but where? And what do I use to change them? I can log in with the F8 trick as Administrator, just fine. The sarvy.exe program or whatever it's called has been failing, saying there's unknown user (it's just running the net user Administrator <new password> command. I tried with and without the /domain.

So maybe I should change it to net user Cinder45 and see what happens?

Re: LM Hashes and NTLM Hashes with Windows Server 2003

Goontron's suggestion about replacing sethc.exe with cmd.exe worked!

Cinder45 was the real Admin account. Changed Cinder45's password, successfully logged in as full admin rights!

Re: LM Hashes and NTLM Hashes with Windows Server 2003

^ Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore

Re: LM Hashes and NTLM Hashes with Windows Server 2003

You want a small donation for your help?

**EDIT: Trying to find away to get Google Chrome on this machine now. It's hard. I download the off-line installer for the 32-bit version for enterprises. It comes as .msi's. There's one called GoogleEnterpriseChrome.msi or something like that, then one called GoogleEnterpriseLegacy.5.something.msi.

The first one fails, saying the MSI is damaged (which it isn't). The second one, I click, and it seems to do something, but I don't seem Chrome installed anywhere. I try running the first again, but still same error.

I'm attempting Windows Update, and to my surprise, it appears to actually be looking for updates through IE (yuck). Figured that would have been shut down a long time ago, but with Server Editions, maybe things are different?

I'm also currently transferring the data to an external hard drive, which sloooooowwwwwws things down to a freaking crawl!!!!!! But there's really not that many files he wanted, just large files. They're some sort of backup files, in some format I never heard of. But when I'm done with that, I can do whatever I want with the server. Was thinking of finding the key, and reinstalling fresh, to see how it runs.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

^ Nah, I learned all that to get me a nice Poweredge server for free! (They needed to migrate but the old IT guy left with the passwords, so i broke in for them.)

Besides i'll never use that information ever again, so might as well pass the info on to someone who can use it. And IIRC it was all learned from stack exchange or some MSDN paperwork anyway. But that was 8 years ago now.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

I doubt that, if it's not BSOD'ing with error code,"PAGE_FAULT_IN_NON_PAGED_AREA", "PFN_LIST_CORRUPT", "REGISTRY_HIVE_FAILURE",(or similar) or giving you file-not-found error messages.
More likely a bad ATA controller or a bad drive, if even any hardware problem at all...

Re: LM Hashes and NTLM Hashes with Windows Server 2003

Spork, your persistence and subsequent success is admirable... This thread will certainly come in handy in the future. Bookmarked.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

I have information like that floating around in my brain, and I pass it along, free of charge.

Sometimes, people take advantage of me though. Once, I had two friends, they were a couple. One of their bosses would give them these broken antique lamps, and I'd fix them for them, and then she'd pay them money per lamp, and we'd split it.

They asked if I'd teach them how to repair the lamps. I said I didn't want to, because if I did, why would they need me? They swore they'd never cut me out and just wanted to learn, that was it. So I taught them.

That was the very last time I ever saw an antique lamp.

They were getting something like 50$ a lamp. And it was extremely simple. New cord maybe, or a new socket, all the stuff you can buy right at Home Depot. Once they realized how simply they were to fix, that was it. No more lamps for me to fix, no more money.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

It's ECC memory, so I don't think a bad stick would give us a blue screen, would it?

I agree that the hard drive should be checked. It needs maintenance.

I don't understand how passwords are stored with active directory. In the SAM file, there's an administrator account listed, and when I do the F8 and do the service restore mode or whatever it's called (to by-pass the domain controller / active directory), I can log in as Administrator.

But when I boot normally, Cinder45 is the admin account. When I login as Cinder45, after changing the password for Cinder45, I see on the desktop the stuff that I added to the Administrator's desktop when I used the F8 trick....

So obviously, I'm missing some information on server editions of Windows and where the usernames are stored. Programs like chntpw or Ophcrack aren't much help.

They where this time, only because of those two unsupervised users having logged in somehow and getting their names and passwords in the SAM. If it wasn't for that, I would have never seen the Cinder45 user and realized what was going on.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

It's kind of funny, in a way, how you say my persistence is admirable. I sometimes look at my persistence as a negative. Sometimes, I don't know when to walk away. I spend waaaaayyyy to much time trying to fix something that would literally cost 5$ to repair, but I enjoy the challenge I guess, and the feeling that comes when you actually accomplish what you set out to accomplish.

It makes me feel like I've learned something new. And learning something new is the best feeling in the world, well, besides helping other people I guess.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

That's always the case. The problem comes when you start to realize just how MANY things you'd like to "explore" -- and come to the realization that there just aren't enough hours in a day to even begin to prioritize those "desires" ("scratch those itches").

One of my early employers told me that the hardest lesson for most engineers to learn is "when to walk away" (i.e., when time and effort spent on a problem is just an ego-stroke and not actually productive).

So, you start to shed activities that had previously been "educational" -- but are now more "routine" (80-20 rule) -- in favor of those activities that you can either get a lot of bang for very little investment; or, that you are willing to invest a whole lot of time (for, hopefully, a big "payout")

E.g., I no longer repair monitors smaller than 30" -- unless there are ~10 of the same model that are in need of repair (so I can leverage the time spent troubleshooting the first one with the hope of applying the same repair to the remaining units).

OTOH, there's still a place for some "mindless" activities ("therapeutic?") that are definitely no longer "learning experiences" nor "profitable uses of time". E.g., I spent two hours cleaning a dozen (identical) keyboards, yesterday, when I could have replaced the lot of them for much less money and "billed" that time. (though it would take a while to research which keyboards to purchase and then a gamble as to how good they "felt")

There's a lot of truth in the saying "Youth is wasted on the young"...

Re: LM Hashes and NTLM Hashes with Windows Server 2003

For RAM with ECC, it's still possible, and an ECC malfunction, could cause the processor to generate a machine check exception. (the processor's version of a SMART trip)

For lag, the hard drive is a suspect!

Re: LM Hashes and NTLM Hashes with Windows Server 2003

If the server wasn't a domain controller it would still have a local database for users. When you promote a server into a DC you don't have local users anymore, just domain users (all local users are automatically migrated to a domain account). That's probably why you are seeing them into the SAM.

Are the files you need access from a domain user?

Re: LM Hashes and NTLM Hashes with Windows Server 2003

Couldn't have said that better! Right now, there is sooooo much to do and sooooo little time to do it all, I have to start thinking should I outsource or ask for help?

Here, people have helped me, and that, I greatly appreciate, more than they'd probably ever release. To those who have helped, I say thank you, from the bottom of my heart.

But there's projects I'm not capable of doing that I know need to be outsourced (creating a company logo, I cannot draw worth a beans).

Creating a website (I do not have the time to learn the skill to create a professional looking website, although, I'll probably try, for the simple reason that a professional looking website that does more than just display pictures and texts costs a shit ton of money).

Configuring this gosh dang switch and figuring out how to set it up so there's two VLANs, isolated from each other, one for business, one for residential. I think the issue isn't with the switch or how I've configured it (literally, every way imaginable), but with the gateway device that I'm using (a Spectrum Cable Modem). That caused a lot of headaches, and I majored in Computer Networking! But in my defense, it was a local SUNY college, not one of them fancy ivy league ones!

For the logo, I almost thought of just offering someone here 50$ to draw one, once we legalized the business. Our fear is someone will register the name before us, and then we're screwed. There's one corporation in our town that wants it, but last thought it was taken. They tried buying it off the previous owners, but would only pay enough for them to change their name. They said go to hell. Well, the main guy died, it never got renewed (just recently), I tracked down one of the officers or directors, and he gave me permission to use it, but suggested I hurry before the other corporation found out it was available.

So once I register the name, maybe I'll come here and ask the community for help. Maybe have some contest, and whoever votes for the best looking one gets the cash?

For the website, I almost thought of asking the communities. And open source effort, but the fact that we'll be using it to make money, it doesn't seem right. Why would someone help for free, so we could make cash, and they get nothing out of it? I don't think they would.

I have soooooo much going on now, I don't even get to do what I want with the business. There's no learning more about EE or writing code or working on servers, it's all making contacts, sending emails, replying to emails, checking laws, reading EULA's, trying to figure out what's legal, what isn't, trying to figure out what's compatible with what, etc.

And the whole time, I also have to not ignore my family. I have to remember I have a wife and a daughter. They're currently my driving force right there. If it wasn't for them, I would have walked away a long time ago. But they're worth the long nights and no sleep. I'm sure other parents can relate to that.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

Could you go into more detail about this machine check exception? A SMART trip? Would I need special software to read it, or would the OS (Windows Server 2003 SP2 Small Business, in this case) notify me?

I would suspect the RAID controller would notify me of the slowness, but I suspect the issue could be due to maybe Windows Server 2003 running on a Core 2 Duo, when the board was meant for a Xeon, running on 2GB's of RAM, having an Exchange Server installed, an SQL server installed, being a domain controller, and having a broken copy of Symantec EndPoint installed (which I cannot upgrade, because the license expired).

For what it's worth, I was just notified by the nice people over at SpiceWorks that I cannot legal use this server. Although it was given to me with Server 2003 SBS installed, the license doesn't belong to me, and I have to format it. Blah! It was just to play with, to experience the Windows Server experience. Just wanted a 64-bit ISO to download, to do a fresh install, and see what it was like.

They suggested I download the trial for 2008R2. But that isn't going to run well on this very old Intel server (in Desktop shape).

Re: LM Hashes and NTLM Hashes with Windows Server 2003

Yes, from Cinder45. Which wasn't in the SAM. This server is the domain controller. So, where are the domain users stored? I don't understand why I couldn't login as Administrator, only when I did F8 trick, but couldn't see any users until I booted into normal mode. Then I could see the domain users.

How would a person see the hashes and stuff via some Linux program for domain users, if they had access to the controller?

The file copies are done and I can do whatever I want now. Install Linux on it, etc. Still wanted to do a fresh install of 2003 Small Business SP2 x64, just to see what it was like, but oh well, I guess I'll never get to experience that.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

^ IIRC, it has its own registry hive that you could load with those tools, but i never tried anything like that.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

A machine check exception is when the processor reports a fatal error to the OS and halts.

On a socket 775 quad core, especially 65 nm chips, it's usually a bus error, because of CPU-to-FSB termination issues, in short, it's because the processor had trouble accessing the FSB. (the solution with a socket 775 quad, is to increase "FSB termination voltage" in the BIOS) (65nm likely needs at least 1.2 V) (45nm chips likely require less, and are likely to get damaged from going high on the FSB termination voltage!)
The FSB termination voltage, to me, sounds like Core 2s use LVDS...

It can also report "internal timer error", which I dunno the cause, my Core i7 Extreme 965 did this for no apparent reason. I hope it was just the Vcore settings...

It can also report a CPU cache error and halt.

Thus, the machine-check-architecture, is like the processor's version of SMART.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

AFAIK the domain objects are encypted into a database. They are located at windir\NTDS.

http://www.rebeladmin.com/2015/02/ac...-system-state/

The default 'administrator' account might have been renamed. You must use the "Domain Users and computers" (or something like that, I forgot - shortcut is dsa.msc) to see the users present into that domain.

Re: LM Hashes and NTLM Hashes with Windows Server 2003

Someone hacked my fucking wifi! My wife sends me texts this morning, instead of actually waking me up, for some unknown reason! Like she didn't think it was serious or some crap.

Both from Norton. First picture shows:

Compromised network
The Psychedelic Wang
This network is compromised by an unkown third party that may view and alter your communications

SSL Decrypting

An attacker is attempting to decrypt this network and may view and alter your communications



Second picture:

The Psychedelic Wang IS COMPROMISED

Your personal data and communications are exposted to an attacker on this network.