May 13 2017

Reset Windows Password on 1&1 CloudServer

So a task that I’m given a lot is to go ahead and reset a lost Windows password on one of my customers’ servers. The customer is in a position where they have only a single user account, Administrator, they’re not connected to an Active Directory, and they don’t have any other means to reset the password. It would typically be at this point that the customer either keeps trying to remember their password, and risks being locked out, or backs up their information and reimages their server.

The trick to all this, since these are virtual machines and 1&1 is in no way able to automatically reset the password like they could with the VZ-Containers, involves an old trick / “hack” that swaps the “Ease of Access” button for an admin-enabled Command Prompt. You can check out a tutorial on the trick at https://www.technibble.com/bypass-windows-logons-utilman/ . They are using Win7 with the DVD; we’re going to do the same thing with Windows Server, using Linux (since getting the Win DVD is difficult due to the timeout on boot).


February 28 2016

[WIP]Configure Active Directory tutorial

[Slideshow: Active Directory Tutorial]

This is still a work in progress. However I’ve included the above slideshow of a successful run through. I’ll be translating my screenshots into the tutorial below.

Domain: dankedonuts.lan

1 server : AD Controller (10.0.0.2)

1 Server : DNS/DHCP Server (10.0.0.1)

1 Server : AD Client (10.0.0.100)

Private networking (using 10.0.0.0/24)

 

On AD Controller:

Go to the Control Panel > System > Change name of computer. Call computer “addc” for AD Domain Controller. For now we won’t mess with the Domain yet. Close, reboot server.

Go to Server Manager > Manage > Add Roles > install the Active Directory.

After installation, which may take some time, the flag in Server Manager should appear for “Post Deployment”. You have to promote this computer to a Domain Controller.

Select Add new Forest

Root domain: “dankedonuts.lan”

Set a Directory Services Restore Mode password.

Our new NetBIOS name is “dankedonuts”
Follow prompts and click install when prompted.

The server will reboot again to confirm all changes.


 

Now we have an Active Directory, but it’s useless unless we can get others to join. Let’s get the DNS server running.

Set the name for this server as “dns” so we can figure it out in AD later. Use WorkGroup rather than domain for now.

For Active Directory domains to work, your main domain needs to have an SRV record like _ldap._tcp.dc._msdcs.mydomain.com. For our case, it’ll be _ldap._tcp.dc._msdcs.dankedonuts.lan.

Let’s get the roles. By default, DNS roles are installed, but if you go to Server Manager > Tools and you do NOT see DNS, then you’re missing some features. Click Manage > Remove Role and uninstall the DNS role. After it’s done, you do NOT have to reboot; just go ahead and re-add the DNS role. Once that completes, reboot.

Now we can configure the DNS Manager. I’m not going to lie, Windows DNS is a PoS compared to Linux, so I have screenshots of my configuration. Basically:

- Server Manager > Tools > DNS
- Expand DNS, then expand Forward Lookup Zones.
- Right-click Forward Lookup Zones > New Zone > Primary > set the domain as "dankedonuts.lan".
- When complete, right-click dankedonuts.lan > New Domains > "dc._msdcs" as the name.
- Expand "dankedonuts.lan" > expand "_msdcs" > right-click "dc".
- Click "Other New Records..." > choose SRV > Protocol = ldap > click OK.

Go back to dankedonuts.lan's level and add Host(A) records for dns, addc, and (same as parent folder).

Now we should have the records we need, but since we’re the nameserver, and this is a “fake” domain, let’s change our preferred DNS server to either 127.0.0.1 or 10.0.0.1. Either way, we want to be able to do an “nslookup dankedonuts.lan” and get back 10.0.0.2. Also do a “ping -a 10.0.0.2” and ensure that addc responds.

If so, then we’re ready to go back to the Control Panel > System and change the domain to “dankedonuts.lan”. If all is successful, it should ask you for an Active Directory username. By default, the Administrator of the Active Directory server should work, but instead, let’s create a user for this server.

 


Back on AD Server, go to Server Manager > Tools > “Active Directory Users and Computers”.

Expand “dankedonuts.lan” > go to Users > right-click in the blank area to create a new user. Name it “dnsadmin”, give it a password, and click OK.

Go back to the DNS server.


Now we can input the new credentials and successfully join the Domain.

Yay!

Now let’s start taking care of the DHCP side of things. One of the first tasks of a network administrator is to really think about how he’s going to assign IP addresses. For this example, we’re going to use just a small sample of 10.0.0.100 – 10.0.0.254 for clients. Later we can expand to include more and make our private network even larger.

Server Manager > Tools > DHCP
Expand “dns.dankedonuts.lan”, right-click “IPv4” and click “New Scope”.
Name it whatever you want and set the range 10.0.0.100 to 10.0.0.254.
Don’t exclude anything.
Set all the router/WINS/etc. IPs to 10.0.0.1 (our DHCP server’s IP) and remove any public IPs.

When you’re done, right-click “dns.dankedonuts.lan” and click “Authorize”.

Now we’re ready to assign our first client!


On the Client Server, configure the Ethernet1 to use the following:

Click “Advanced…”
Add 10.0.0.1 to “Default Gateway”
Add 10.0.0.1 to “DNS server addresses”
Add 10.0.0.1 to WINS addresses

Open up Powershell/CMD and do “ipconfig /release Ethernet1”

Verify that Ethernet1 has been assigned to a 10.0.0.100-254 address.

 

Now go to Control Panel > set any name for this computer and join the domain. Nothing special to do.


 

By now, everything is set up and good to go.

In the AD Controller, go to Server Manager > Tools > Active Directory Users …

Go to Computers and you should see our Client and DNS server.
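Before moving on, it is worth checking the DNS records the tutorial relies on from a script rather than by eye. The following PowerShell is an added example, not part of the original tutorial; it assumes the tutorial’s own names and addresses (dankedonuts.lan, addc = 10.0.0.2, dns = 10.0.0.1) and the Resolve-DnsName cmdlet from Windows Server 2012 or later.

```powershell
# Added verification script, not part of the original tutorial. It assumes the
# tutorial's own names and addresses: domain dankedonuts.lan, addc = 10.0.0.2,
# dns = 10.0.0.1, and the DnsClient cmdlets (Windows Server 2012 or later).
$Domain = 'dankedonuts.lan'
$DnsSrv = '10.0.0.1'
$Srv    = "_ldap._tcp.dc._msdcs.$Domain"
# Host (A) records the tutorial creates, with the address each should return.
$ExpectedA = @{ "addc.$Domain" = '10.0.0.2'; "dns.$Domain" = '10.0.0.1'; $Domain = '10.0.0.2' }

$ok = $true

# 1. The SRV record a domain join depends on must resolve and name a DC.
try {
    $srvRec = Resolve-DnsName -Name $Srv -Type SRV -Server $DnsSrv -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
    if (-not $srvRec) { throw 'no SRV answer' }
    foreach ($r in $srvRec) { Write-Host "SRV $Srv -> $($r.NameTarget):$($r.Port)" }
} catch {
    Write-Warning "SRV lookup failed: $_"; $ok = $false
}

# 2. Each A record must answer with the address from the tutorial.
foreach ($fqdn in $ExpectedA.Keys) {
    $addrs = Resolve-DnsName -Name $fqdn -Type A -Server $DnsSrv -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if ($addrs -contains $ExpectedA[$fqdn]) {
        Write-Host "A   $fqdn -> $addrs (ok)"
    } else {
        Write-Warning "A   $fqdn -> '$addrs', expected $($ExpectedA[$fqdn])"; $ok = $false
    }
}

# 3. 'ping -a 10.0.0.2' relies on a reverse (PTR) lookup, which needs a reverse
#    zone the tutorial does not create; warn rather than fail.
if (-not (Resolve-DnsName -Name '10.0.0.2' -Type PTR -Server $DnsSrv -ErrorAction SilentlyContinue)) {
    Write-Warning "No PTR record for 10.0.0.2; 'ping -a' may not show the name addc"
}

if ($ok) { Write-Host "DNS prerequisites for joining $Domain look good" }
else     { Write-Host 'Fix the warnings above before joining the domain'; exit 1 }
```

Run it on the DNS server or the client before attempting the domain join; a failing SRV lookup is the usual reason a join reports that the domain could not be contacted.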

February 15 2016

Windows Commandline via SerialConsole [1and1]

One thing that most 1&1 Dedicated Server customers seem to miss is the usefulness of the Serial Console. Sure, it’s not a KVM access point; you’re not going to get a GUI image like the VNC console that runs on the Dells, or even the level of control that the CloudServers give you, but it’s still quite useful. When you’ve completely botched your network, whether via the firewall or a misconfiguration of the network, sometimes it’s just absolutely needed to get into a good ol’ command line. All you need is PuTTY and to open a connection to your “Sercon” at “sercon.onlinehome-server.com” and enter your credentials.

From there, you can do everything from:
-Killing Processes
-View running processes
-Get Network info
-Reboot/Crashdump the server
-And our topic: Initiate CommandPrompt

You can read the 1&1 Help Article for more information on the serial console here: http://help.1and1.com/servers-c37684/dedicated-server-windows-c39510/rescue-and-recovery-c76208/use-the-serial-console-with-a-windows-server-a627376.html

The main talking point is that when you’re in the “SAC>” prompt, one of the commands you can issue is “cmd”. If the server is running without issues, then “cmd” initiates a Command Prompt channel. All you have to do is CHange ScreeNs to the newly created screen CMD0001 with “ch -sn CMD0001”. After that, it’ll ask you for login information; if this is an AD server, you can enter the domain information here too. Once you’re in, you’ll see your “SAC>” prompt transform into the standard “C:\Windows\System32>” prompt, ready for your commands. One common thing to do would be to disable the firewall.

February 15 2016

Disable Windows Firewall via CMD

It’s pretty common that in any given week I must access a customer’s server and disable their firewall. The firewall could have been misconfigured, or they could have set their network location to “Public”, or changed it to “Private” while having a separate set of rules for that location. Whatever the case may be, the command line is the only ticket for us.

To cut straight to it:

netsh firewall set opmode disable

or

NetSh Advfirewall set allprofiles state off

I put two different methods of turning the firewall off. “netsh firewall” is the old method that seems to still work and has been time-tested for me, whereas “advfirewall” is the new method and the supposed “right way” to do it. I, on the other hand, have never found that the old way has failed, but only time will tell.
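A narrower alternative to switching the whole firewall off is to open only the port you need to get back in and put everything back afterwards. The script below is an added example, not from the original post; it wraps the same netsh advfirewall command family in two PowerShell functions, assumes an elevated prompt (the SAC “cmd” channel or an admin PowerShell), and assumes RDP on its default port 3389.

```powershell
# Added example, not from the original post. Uses netsh advfirewall from an
# elevated prompt; the port defaults to RDP's 3389 (an assumption, adjust it
# if the server listens elsewhere).

function Show-FirewallState {
    # Per-profile on/off state, plus which profile the NIC currently uses.
    # Public vs Private matters because each profile carries its own rule set.
    netsh advfirewall show allprofiles state
    netsh advfirewall monitor show currentprofile
}

function Open-RepairAccess {
    param([int]$Port = 3389)
    # Allow only the one inbound port, on every profile, instead of
    # "set allprofiles state off". The rule name encodes the port so
    # Close-RepairAccess can find it again.
    netsh advfirewall firewall add rule name="TempRepairAccess$Port" dir=in action=allow protocol=TCP localport=$Port profile=any
}

function Close-RepairAccess {
    param([int]$Port = 3389)
    # Remove the temporary rule and make sure every profile is back on.
    netsh advfirewall firewall delete rule name="TempRepairAccess$Port"
    netsh advfirewall set allprofiles state on
}

Show-FirewallState
Open-RepairAccess -Port 3389
# ... fix the broken rule or the network location, then:
# Close-RepairAccess -Port 3389
```

If the temporary rule alone does not restore access, the problem is usually not the firewall state but the network location, which Show-FirewallState reveals before you turn anything off.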

December 21 2015

Reset Windows Password on 1&1 Dedicated Servers

Based off of https://diyserver.guide/reset-windows-password-on-1and1s-cloud-server/

MobaRDP confirmed working with WinServer 2008 + 2008r2. Did not work in tests on 2012.

So previously I talked about resetting the Windows Password with 1and1’s Cloud Servers, both new and old, but dealing with the Dedicated Servers throws in a small difficulty: No KVM/VNC Console unless you’re a $300+ Dell server.

Fortunately, the process is almost as simple, and holds much the same idea as before. We’re still going to be renaming cmd.exe to Utilman, we’re still going to have to get onto the Login screen, essentially the whole thing is there except for how we get to the Login Screen. To proceed, we need to exploit a security setting that is in place to protect your server.

Background

Windows Server by default doesn’t allow you to set a blank password. Think about how dangerous that would be if a user account, not even an admin, had access to your Windows Server without any means of protection. A hacker may not have access rights to files, but surely he can see and possibly read documents, maybe execute applications like MSSQL, and save and dump some of your site files or protected documents. Fortunately, Remote Desktop doesn’t allow such a connection to even present itself, nor does it give a mention as to why. But there’s an application that does allow a connection attempt to be made, brings you to the login page, and then lets Windows tell you you’re not allowed to log in. It then even gives you the option of “Reset password” if a reset option has been made available, and, you guessed it, the “Ease of Access” button. This little gem is also my favorite alternative to PuTTY, as I discussed in the “Admin Tools” section: https://diyserver.guide/mobaxterm-instead-of-putty/

MobaXterm http://mobaxterm.mobatek.net , get it and never turn back to the old ways again!

Since this exploit requires a blank password to produce the error we need, we’ll need a program called “chntpw”, which is available on Debian operating systems by simply executing “apt-get install chntpw”. While it’s unconfirmed whether the 1and1 Dedicated Servers’ Linux Rescue has chntpw (the old Cloud Servers’ Rescue does), I’ve also included an optional requirement to fulfill this need.

Requirements

  • Linux Rescue Mode
  • MobaXterm
  • (optional in case Rescue doesn’t have CHNTPW) a Debian VM
    • 1&1 Cloud Server
    • Virtual Box (free) + Debian ISO (free) on your computer

Reset the Password

You can follow the attached guide along the lines of the VDS/DCS steps up until you get to the “VNC Console”. Since we don’t have a VNC Console, you’ll just do the SSH task. Fortunately, MobaXterm has a GREAT SSH ability to complete that task for you.

Continue with the same steps with copying and renaming your files. When you’re done, it’s time to see if the rescue image is available:

  1. Execute chntpw and see if it gives an output or says “Command Not Found”
    1. root# chntpw
      1. if “Command Not Found” then you need the Debian VM and setup tasks are at the bottom of this guide
      2. if you get an output then proceed on
  2. While in “C:\Windows\System32” change into the folder “config”
    1. root# cd config
    2. root# pwd
      1. root# /mnt/Windows/System32/config
  3. Execute chntpw on the user you want, let’s say Admin, and choose the SAM file
root# chntpw -u Admin SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 11 pages (+ 1 headerpage)
Used for data: 492/40056 blocks/bytes, unused: 8/4648 blocks/bytes.

================= USER EDIT ====================

RID     : 1043 [0413]
Username: Admin
fullname: Admin
comment :
homedir :

.....
....

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Unlock and enable user account [probably locked now]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 2
Unlocked!
....
....
....
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
================= USER EDIT ====================
.
..
...
.....
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > q

Hives that have changed:
#  Name
0  <SAM>
Write hive files? (y/n) [n] : y
0  <SAM> - OK

 

So I tried skipping all the boring parts in that. Basically, you’re unlocking the account (in case you caused a lockout), clearing the password to set it blank, and saving your changes.

Now you can reboot the server into “Normal Mode” in the Recovery Tool.

 

MobaXterm for Remote Desktop

With our server booting back up into local “normal” mode, let’s get our Remote Desktop ready. In MobaXterm, click on “Sessions” => “RDP” => and enter the IP address where it says “Hostname” and the Username in the appropriate box. You can click OK, but if the Server isn’t ready yet, then it’ll error out but the “Session” will save to the Sessions tab and you can execute it in a few minutes.

When ready, go ahead and execute the RDP session, hit Enter when it asks for a password, and wait for the login screen to show up. The error message should be something along the lines of “Account Restriction: Blank passwords aren’t allowed….”. Now you can click “Ease of Access”, run “net user Admin <newPassword>”, and log in after that.
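Once you are logged in, the swapped “Ease of Access” binary should be put back, and it is worth verifying that it actually was: a server left with cmd.exe sitting at Utilman.exe gives anyone at the login screen a SYSTEM shell. The check below is an added example, not from the original post; it assumes the default System32 paths, PowerShell 4 or later for Get-FileHash, and that you kept a backup of the original Utilman.exe under a name of your own choosing.

```powershell
# Added post-recovery check, not from the original post. Assumes default
# System32 paths and PowerShell 4+ (Get-FileHash). Confirms that Utilman.exe
# is Microsoft's own binary again and not the copy of cmd.exe left in its place.
function Test-UtilmanIntegrity {
    $utilman = 'C:\Windows\System32\Utilman.exe'
    $cmd     = 'C:\Windows\System32\cmd.exe'
    $result  = [ordered]@{}

    # Identical hash means the swap was never undone.
    $result.SameAsCmd = (Get-FileHash $utilman -Algorithm SHA256).Hash -eq
                        (Get-FileHash $cmd     -Algorithm SHA256).Hash

    # A genuine Utilman.exe carries a valid Microsoft Authenticode signature,
    # but so does the copied cmd.exe, so the signature alone proves nothing.
    $sig = Get-AuthenticodeSignature $utilman
    $result.SignatureStatus = $sig.Status
    $result.Signer          = $sig.SignerCertificate.Subject

    # The version resource names the original file; cmd.exe reports "Cmd.Exe".
    $result.OriginalFilename = (Get-Item $utilman).VersionInfo.OriginalFilename

    $result.Clean = (-not $result.SameAsCmd) -and
                    ($sig.Status -eq 'Valid') -and
                    ($result.OriginalFilename -like 'utilman*')
    [pscustomobject]$result
}

Test-UtilmanIntegrity | Format-List
# If Clean is False, restore the backup you made before renaming (the backup
# name is yours; <UTILMAN_BACKUP> is a placeholder):
#   copy C:\Windows\System32\<UTILMAN_BACKUP> C:\Windows\System32\Utilman.exe
```

Run the same check on any server you did not reset yourself: the identical-hash test is a quick way to spot a Utilman swap left behind by someone else.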

 

Debian Setup Tasks

Unfortunately, I won’t be going over how to install VirtualBox and Debian; you’ll have to either decide to get a 1and1 Cloud Server to have the image all created for you, passwords, network configuration and all, or go through the tasks and create your own VM on your computer. Once you’re in your Debian VM, there are two things we’ll need:

  1. chntpw – NT Password Changer
    1. sudo apt-get install chntpw
  2. sshfs – Mount an SSH connection as a File System
    1. sudo apt-get install sshfs

The basic idea is that your local VM has chntpw but your server doesn’t, while your server does have an SSH server thanks to the Rescue System. We need to access the server and run our application as if its files were on our VM itself; that’s where SSHFS comes in.

On the Debian VM

  1. Mount the SSH including System32/config location to Debian’s /mnt folder.
    1. sshfs root@<SERVERIP>:/mnt/Windows/System32/config /mnt
  2. Run chntpw on the SAM file
    1. sudo chntpw /mnt/SAM
  3. Follow rest of guide above.