
I got a call last week from the owner of a real estate company, who was referred to me by my largest and oldest client. I had a meeting with him last week, where he gave me a quick tour of the office, introduced me to his employees and showed me his (quite frankly, chaotic) network. I explained the services I offer and he then committed to a service plan where they will get a scheduled weekly visit, unlimited phone/remote support and one unscheduled emergency visit for a reasonable (in my opinion) monthly fee, which is the way all my contractual clients are set up.
As usual with any new network I get into, I found it not up to my standards. To be more specific, the physical wiring is messy, the servers are not physically locked down (they are simply next to the copiers), passwords are weak, there are no network diagrams or documentation, and the equipment is old, dusty and not up to date (regarding security patches and AV definitions). Most workstations are Pentium 4 Dells and the servers are Windows 2000.
All these substandard conditions, as I said, are pretty much common when dealing with a new client who has really never paid attention to their IT or has had IT consultants that get paid on an emergency basis. Therefore, it isn’t unusual that I spend lots of time at the client’s office the first couple of weeks to straighten things out to my standards.
Today, on my first scheduled visit to their office, where I expected to spend most of the time getting to know the network infrastructure, I encountered a serious issue that I had never run into before: they did not know the domain controller administrator’s password. In the past, when exploring a new network, only a select few (usually the office manager and the owner) have had the admin password, so I assumed, when signing this client, that they knew the password. I should’ve asked for this information before committing to the maintenance of this network, so that at least I could’ve researched domain password recovery and prepared a plan of action for my first visit.
The last person who worked on their network was not an IT professional. He was an employee that happened to have some computer knowledge and that left the company to start his own business. He probably changed the password before leaving, and he is now unreachable/unavailable. Naturally.
In my limited time there today I researched and tried two methods of resetting the DC admin password, but these methods no longer work on Windows Server 2000 SP4. The first method was to modify the registry (after gaining local administrative access to the machine) to make the screen saver (changed to cmd.exe) run after 15 seconds. After a reboot and waiting 15 seconds at the login screen, a DOS prompt comes up, from which the Active Directory console is brought up with MMC DSA.MSC. No luck there, since cmd.exe isn’t allowed to run with sufficient rights (after SP3). The second method was a variant of this. (More information on these useless procedures here and here.)
After doing quite a bit more research I came across OPHCRACK, an open source project:
Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a GTK+ Graphical User Interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux.
I burned the live CD and will test it tomorrow. According to what I’ve read, Ophcrack on that CD can crack Windows 2003 domain passwords if they don’t use weird characters (I’m hoping the password is something stupid like “mustang” or “american”). I’ll report on my findings here. Stay tuned!