May 13 2017

Reset Windows Password on 1&1 CloudServer

So a task that I’m given a lot is to reset a lost Windows password on one of my customers’ servers. The customer is in a position where they only have a single user account, Administrator, they’re not connected to an Active Directory, and don’t have any other means to reset the password. It would typically be at this point that the customer either keeps trying to remember their password, and risks being locked out, or backs up their information and reimages their server.

The trick to all this, since these are Virtual Machines and 1&1 is in no way able to automatically reset the password like they could with the VZ-Containers, involves an old trick / “hack” of swapping out the “Ease of Access” button for an Admin-enabled Command Prompt. You can check out a tutorial on the trick at https://www.technibble.com/bypass-windows-logons-utilman/ . They are using Win7 with the DVD; we’re going to do the same thing with Windows Server and using Linux (since getting the Win DVD is difficult due to the timeout on boot).


December 21 2015

Reset Windows Password on 1&1 Dedicated Servers

Based on https://diyserver.guide/reset-windows-password-on-1and1s-cloud-server/

MobaRDP confirmed working with WinServer 2008 + 2008r2. Did not work in tests on 2012.

So previously I talked about resetting the Windows Password with 1and1’s Cloud Servers, both new and old, but dealing with the Dedicated Servers throws in a small difficulty: No KVM/VNC Console unless you’re on a $300+ Dell server.

Fortunately, the process is almost as simple, and holds much the same idea as before. We’re still going to be renaming cmd.exe to Utilman, and we’re still going to have to get onto the Login screen; essentially the whole thing is the same except for how we get to the Login Screen. To proceed, we need to exploit a security setting that is in place to protect your server.

Background

Windows Server by default doesn’t allow you to set a blank password. Think about how dangerous that would be, if a user account, not even an Admin, had access to your Windows Server without any means of protection. A hacker may not have access rights to files, but surely he can see and possibly read documents, maybe execute applications like MSSQL, save and dump some of your site files or protected documents. Fortunately Remote Desktop doesn’t allow such a connection to even present itself, nor does it give a mention as to why. But there’s an application that does allow a connection to be attempted, brings you to the Login Page, and then lets Windows tell you you’re not allowed to login. It then even gives you the option of “Reset password” if a reset option has been made available, and, you guessed it, the “Ease of Access” button. This little gem is also my favorite alternative to Putty, as I discussed in the “Admin Tools” section: https://diyserver.guide/mobaxterm-instead-of-putty/

MobaXterm http://mobaxterm.mobatek.net , get it and never turn back to the old ways again!

Since this exploit requires a blank password to produce the error we need, we’ll need a program called “chntpw”, which is available on Debian by simply executing “apt-get install chntpw”. While it’s unconfirmed whether the 1and1 Dedicated Server’s Linux Rescue has chntpw (the old Cloud Server’s Rescue does), I’ve also included an optional requirement to fulfill this need.

Requirements

  • Linux Rescue Mode
  • MobaXterm
  • (optional in case Rescue doesn’t have CHNTPW) a Debian VM
    • 1&1 Cloud Server
    • Virtual Box (free) + Debian ISO (free) on your computer

Reset the Password

You can follow the attached guide along the lines of the VDS/DCS steps up until you get to the “VNC Console”. Since we don’t have a VNC Console, you’ll just do the SSH task. Fortunately, MobaXterm has a GREAT SSH ability to complete that task for you.

Continue with the same steps for copying and renaming your files. When you’re done, it’s time to see if chntpw is available in the rescue image:

  1. Execute chntpw and see if it gives an output or says “Command Not Found”
    1. root# chntpw
      1. if “Command Not Found” then you need the Debian VM and setup tasks are at the bottom of this guide
      2. if you get an output then proceed on
  2. While in “C:\Windows\System32” change into the folder “config”
    1. root# cd config
    2. root# pwd
      1. /mnt/Windows/System32/config
  3. Execute chntpw on the user you want, let’s say Admin, and choose the SAM file
root# chntpw -u Admin SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 11 pages (+ 1 headerpage)
Used for data: 492/40056 blocks/bytes, unused: 8/4648 blocks/bytes.

================= USER EDIT ====================

RID     : 1043 [0413]
Username: Admin
fullname: Admin
comment :
homedir :

.....
....

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Unlock and enable user account [probably locked now]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 2
Unlocked!
....
....
....
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
================= USER EDIT ====================
.
..
...
.....
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > q

Hives that have changed:
#  Name
0  <SAM>
Write hive files? (y/n) [n] : y
0  <SAM> - OK


So I tried skipping all the boring parts in that. Basically, you’re unlocking the account (in case you caused a lockout), clearing the password to set it blank, and saving your changes.

Now you can reboot the server into “Normal Mode” in the Recovery Tool.


MobaXterm for Remote Desktop

With our server booting back up into local “normal” mode, let’s get our Remote Desktop ready. In MobaXterm, click on “Sessions” => “RDP”, then enter the IP address where it says “Hostname” and the Username in the appropriate box. You can click OK, but if the Server isn’t ready yet, it’ll error out; the “Session” will still save to the Sessions tab and you can execute it in a few minutes.

When ready, go ahead and execute the RDP Session, hit enter when it asks for a Password, and wait for the Login Screen to show up. The error message should be something along the lines of “Account Restriction: Blank passwords aren’t allowed….”. Now you can click the “Ease of Access” button, run “net user Admin <newPassword>”, and login after that.
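Once the password is set, the copied cmd.exe must be swapped back out for the real Utilman.exe. The check below is an added example, not part of the original post: run from the Linux rescue system against the mounted Windows volume (the page’s /mnt/Windows/System32), it lists every executable in System32 whose contents are byte-for-byte identical to cmd.exe, which is exactly what a leftover “Ease of Access” swap looks like. The fixture function and its file contents are constructed purely for trying it offline.

```shell
#!/bin/sh
# Added example (not from the original post). Usage from the rescue system:
#   find_cmd_clones /mnt/Windows/System32
# Prints the path of every .exe in that directory that is a byte-identical
# copy of cmd.exe, i.e. a swapped Utilman.exe that was never restored.
# Assumes GNU find (-maxdepth, -iname) and sha256sum, both present on Debian.
find_cmd_clones() {
    sys32="$1"
    if [ ! -f "$sys32/cmd.exe" ]; then
        echo "no cmd.exe under $sys32" >&2
        return 2
    fi
    ref=$(sha256sum "$sys32/cmd.exe" | cut -d' ' -f1)
    # -iname: names on the NTFS mount keep their Windows case (Utilman.exe, UTILMAN.EXE ...)
    find "$sys32" -maxdepth 1 -type f -iname '*.exe' ! -iname 'cmd.exe' |
    while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$h" = "$ref" ]; then
            echo "$f"
        fi
    done
    return 0
}

# Constructed fixture for offline testing: a fake System32 in which
# Utilman.exe has been overwritten with cmd.exe and notepad.exe is untouched.
make_fixture() {
    d=$(mktemp -d)
    printf 'fake cmd.exe contents' > "$d/cmd.exe"
    printf 'fake cmd.exe contents' > "$d/Utilman.exe"
    printf 'fake notepad.exe contents' > "$d/notepad.exe"
    echo "$d"
}
```

An empty result after the restore step means no System32 binary still carries cmd.exe’s contents; a non-empty one names what still needs putting back.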


Debian Setup Tasks

Unfortunately, I won’t be going over how to install VirtualBox and Debian; you’ll have to either get a 1and1 Cloud Server, which has the image created for you, passwords, network configuration, and all, or go through the tasks and create your own VM on your computer. Once you’re in your Debian VM, there are two things we’ll need:

  1. chntpw – NT Password Changer
    1. sudo apt-get install chntpw
  2. sshfs – Mount an SSH connection as a File System
    1. sudo apt-get install sshfs

The basic idea is that your local VM has chntpw but your server doesn’t; your server does, however, have an SSH server thanks to the Rescue System. We need to reach the server’s files and run our application on them as if they were on the VM itself, and that’s where SSHFS comes in.

On the Debian VM

  1. Mount the SSH including System32/config location to Debian’s /mnt folder.
    1. sshfs root@<SERVERIP>:/mnt/Windows/System32/config /mnt
  2. Run chntpw on the SAM file
    1. sudo chntpw /mnt/SAM
  3. Follow the rest of the guide above.