May 13 2017

Reset Windows Password on 1&1 CloudServer

So a task that I’m given a lot is to go ahead and reset a lost Windows password on one of my customer’s servers. The customer is in a position where they only have a single user account, Administrator, they’re not connected to an Active Directory, and don’t have any other means to reset the password. It would typically be at this point that the customer either keeps trying to remember their password, and risks being locked out, or backs up their information and reimages their server.

The trick to all this, since these are Virtual Machines and 1&1 is in no way able to automatically reset the password like they could with the VZ-Containers, involves an old trick / “hack” involving swapping out the “Ease of Access” button for an Admin-enabled Command Prompt. You can check out a tutorial on the trick by going to https://www.technibble.com/bypass-windows-logons-utilman/ . They are using Win7 with the DVD; we’re going to do the same thing with Windows Server and using Linux (since getting the Win DVD is difficult due to the timeout on boot).


December 21 2015

Reset Windows Password on 1&1 Dedicated Servers

Based off of https://diyserver.guide/reset-windows-password-on-1and1s-cloud-server/

MobaRDP confirmed working with WinServer 2008 + 2008r2. Did not work in tests on 2012.

So previously I talked about resetting the Windows Password with 1and1’s Cloud Servers, both new and old, but dealing with the Dedicated Servers throws in a small difficulty: no KVM/VNC Console unless you’re on a $300+ Dell server.

Fortunately, the process is almost as simple, and holds much the same idea as before. We’re still going to be renaming cmd.exe to Utilman, we’re still going to have to get onto the Login screen, essentially the whole thing is there except for how we get to the Login Screen. To proceed, we need to exploit a security setting that is in place to protect your server.

Background

Windows Server by default doesn’t allow you to set a blank password. Think about how dangerous that would be, if a user account, not even an Admin, had access to your Windows Server without any means of protection. A hacker may not have access rights to files, but surely he can see and possibly read documents, maybe execute applications like MSSQL, save and dump some of your site files or protected documents. Fortunately Remote Desktop doesn’t allow a connection to even present itself, nor does it give a mention as to why. But, there’s an application that does allow a connection attempt to be made, brings you to the Login Page, and then lets Windows tell you you’re not allowed to log in. It then even gives you the option of “Reset password” if a reset option has been made available, and, you guessed it, the “Ease of Access” button. This little gem is also my favorite alternative to Putty, as I discussed in the “Admin Tools” section: https://diyserver.guide/mobaxterm-instead-of-putty/

MobaXterm http://mobaxterm.mobatek.net , get it and never turn back to the old ways again!

Since this exploit requires a blank password to produce the error we need, we’ll need a program called “chntpw”, which is available on Debian operating systems by simply executing “apt-get install chntpw”. While it’s unconfirmed whether the 1and1 Dedicated Server’s Linux Rescue has chntpw (the old Cloud Server’s Rescue does), I’ve also included an optional requirement to fulfill this need.

Requirements

  • Linux Rescue Mode
  • MobaXterm
  • (optional in case Rescue doesn’t have CHNTPW) a Debian VM
    • 1&1 Cloud Server
    • Virtual Box (free) + Debian ISO (free) on your computer

Reset the Password

You can follow the attached guide along the lines of the VDS/DCS steps up until you get to the “VNC Console”. Since we don’t have a VNC Console, you’ll just do the SSH task. Fortunately, MobaXterm has a GREAT SSH ability to complete that task for you.

Continue with the same steps with copying and renaming your files. When you’re done, it’s time to see if the rescue image is available:

  1. Execute chntpw and see if it gives an output or says “Command Not Found”
    1. root# chntpw
      1. if “Command Not Found” then you need the Debian VM and setup tasks are at the bottom of this guide
      2. if you get an output then proceed on
  2. While in “C:\Windows\System32” change into the folder “config”
    1. root# cd config
    2. root# pwd
      1. /mnt/Windows/System32/config
  3. Execute chntpw on the user you want, let’s say Admin, and choose the SAM file
root# chntpw -u Admin SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 11 pages (+ 1 headerpage)
Used for data: 492/40056 blocks/bytes, unused: 8/4648 blocks/bytes.

================= USER EDIT ====================

RID     : 1043 [0413]
Username: Admin
fullname: Admin
comment :
homedir :

.....
....

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Unlock and enable user account [probably locked now]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 2
Unlocked!
....
....
....
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
================= USER EDIT ====================
.
..
...
.....
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > q

Hives that have changed:
#  Name
0  <SAM>
Write hive files? (y/n) [n] : y
0  <SAM> - OK


So I tried skipping all the boring parts in that. Basically, you’re unlocking the account (in case you caused a lockout), clearing the password to set it blank, and saving your changes.

Now you can reboot the server into “Normal Mode” in the Recovery Tool.


MobaXterm for Remote Desktop

With our server booting back up into local “normal” mode, let’s get our Remote Desktop ready. In MobaXterm, click on “Sessions” => “RDP” => and enter the IP address where it says “Hostname” and the Username in the appropriate box. You can click OK, but if the Server isn’t ready yet, then it’ll error out but the “Session” will save to the Sessions tab and you can execute it in a few minutes.

When ready, go ahead and execute the RDP Session, hit enter when it asks for a password, and wait for the Login Screen to show up. The error message should be something along the lines of “Account Restriction: Blank passwords aren’t allowed….”. Now you can click the “Ease of Access” button, run “net user Admin <newPassword>”, and log in after that.


Debian Setup Tasks

Unfortunately, I won’t be going over how to install Virtual Box and Debian; you’ll have to either decide to get a 1and1 Cloud Server to have the image all created for you, passwords, network configurations, and all, or go through the tasks and create your own VM on your computer. Once you’re in your Debian VM, there are two things we’ll need:

  1. chntpw – NT Password Changer
    1. sudo apt-get install chntpw
  2. sshfs – Mount an SSH connection as a File System
    1. sudo apt-get install sshfs

The basic idea is that your local VM has chntpw but your server doesn’t, while your server does have an SSH connection thanks to the Rescue System. We need to access the server and run our application as if the files were on our VM itself; that’s where SSHFS comes in.

On the Debian VM

  1. Mount the SSH including System32/config location to Debian’s /mnt folder.
    1. sshfs root@<SERVERIP>:/mnt/Windows/System32/config /mnt
  2. Run chntpw on the SAM file
    1. sudo chntpw /mnt/SAM
  3. Follow the rest of the guide above.

December 21 2015

Reset Windows Password on 1and1’s Cloud Server

Let’s take a scenario:
You created a Windows Server VM at 1and1.com and decided to use your own super secret password. Since you specified the password, it doesn’t show up in the cloud panel. Since this is Windows, we can’t just load up a Linux LiveCD, chroot and run the command “passwd” and be done with it. We also don’t have the ability to use our own ISOs, which might have a nice boot disk that resets passwords in the SAM file. We need to get at this data somehow, and I figured out how to do it.

The golden ticket here is we need to be able to run Command Prompt and we need to change our password. Since we have KVM access, we only need to rename the Command Prompt “cmd.exe” to a system program like “Utilman.exe” or “Magnifier.exe” so we can run it at the logon screen.

For the new Cloud Servers, which have the “Cloud Panel” and are dubbed “NGCS” or “1&1 Cloud Server”, the only DVD/Application available that works seems to be GParted, which is Debian based. For older 1&1 Cloud Servers, which went under the names “Dynamic Cloud Server”, “Virtual Dedicated Server”, “VDS” / “DCS”, you can use the “Recovery Tool” in the 1&1 Control Panel, as the “Linux Rescue” images, both stable and unstable, are Debian based as well.

For the NGCS:
– Go ahead and load up the KVM from your Cloud Panel by going to “Actions” => “Access KVM Console”
– In the Cloud Panel also load the GParted by clicking “DVD” => “Applications” => select “GParted”
– Reboot server and watch it in the KVM Console
– When you follow the prompts, you’ll get to a desktop, choose “Terminal”

For VDS/DCS:
– Go to 1&1 Control Panel => 1&1 Servers => Recovery Tool => choose either Linux Rescue
– Use your VNC Console or SSH into your server using IP address, Root, and the Recovery password created
– Either option will bring you into the server’s Terminal


In Terminal

  1. Mount the Windows partitions
    1. NGCS
      1. mount /dev/sda2 /mnt
    2. VDS/DCS
      1. mount /dev/sda1 /mnt
  2. Change Directory to “C:\Windows\System32”
    1. cd /mnt/Windows/System32
  3. Make a backup of Utilman.exe or Magnifier.exe
    1. mv Utilman.exe Utilman.exe.bak
  4. Copy cmd.exe under the name of the application you backed up
    1. cp cmd.exe Utilman.exe
  5. Reboot the server back into regular mode
    1. NGCS
      1. Remove DVD from CloudPanel
      2. Restart Server
    2. VDS/DCS
      1. Recovery Tool => Windows Server (normal)

Now the server should be starting up and getting to the Logon Screen. Both the VNC Console and the KVM console should show you the Windows Login Screen, and in the bottom left there’ll be a little square button. This is your “Ease of Access” button, or “Utilman.exe”. If you renamed cmd.exe to Utilman.exe, then clicking this will bring up a Command Prompt; otherwise open it and click on Magnifier to bring up the Command Prompt.

In Command Prompt

Change User Password

  1. net user <USER> <NewPassword>
  2. Log in with the user and its new password

Create a new user with Local Admin Rights

  1. net user <USER> <Password> /add
  2. net localgroup Administrators <USER> /add
  3. Login (no need to reboot)


Note:

  • Always remember to change the applications back to the originals with the backups you made. While it’s unlikely someone would get KVM/VNC console access, if they find an exploit (like the one needed for Dedicated Servers) then they can reset passwords or add Admin users through the swapped binary.
  • Changing user passwords this way may cause loss of access to “Encrypted Files/Folders”. Do this as a last resort when the only other option that’s been given is to Reimage.
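To make the first note above something you can check rather than remember, here is an added helper script (not part of the original guide) for Linux Rescue Mode: it compares the accessibility binaries in the mounted System32 against cmd.exe byte for byte, reports any that are still swapped, and moves the .bak copies the guide had you create back into place. It assumes a POSIX sh with cmp(1) and that the Windows partition is mounted as in the steps above; the demo at the bottom uses a constructed temporary directory in place of a real System32.

```shell
#!/bin/sh
# Added example, not code from the original guide. Audits a mounted
# System32 for the cmd.exe swap used above and restores the originals
# from the NAME.bak copies the guide creates. Assumes POSIX sh + cmp(1).

ACCESS_BINS="Utilman.exe Magnifier.exe"

# is_swapped DIR NAME: true when DIR/NAME is byte-for-byte identical to cmd.exe.
is_swapped() {
    [ -f "$1/$2" ] && cmp -s "$1/$2" "$1/cmd.exe"
}

# audit_system32 DIR: print every accessibility binary that is a copy of cmd.exe.
# Returns 0 when none are swapped, 1 when at least one is, 2 if cmd.exe is missing.
audit_system32() {
    dir=$1
    if [ ! -f "$dir/cmd.exe" ]; then
        echo "cmd.exe not found in $dir (wrong mount point?)" >&2
        return 2
    fi
    swapped=0
    for bin in $ACCESS_BINS; do
        if is_swapped "$dir" "$bin"; then
            echo "SWAPPED: $bin is a copy of cmd.exe"
            swapped=1
        fi
    done
    return $swapped
}

# restore_system32 DIR: for each swapped binary that has NAME.bak beside it,
# move the backup back over the copy of cmd.exe. Untouched binaries are left alone.
restore_system32() {
    dir=$1
    for bin in $ACCESS_BINS; do
        if is_swapped "$dir" "$bin" && [ -f "$dir/$bin.bak" ]; then
            mv "$dir/$bin.bak" "$dir/$bin" && echo "restored $bin from $bin.bak"
        fi
    done
    return 0
}

# Typical use in Rescue Mode after "mount /dev/sdaN /mnt":
#   audit_system32 /mnt/Windows/System32 || restore_system32 /mnt/Windows/System32
```

Run it once more after the restore; a clean audit prints nothing and exits 0, so it doubles as a quick post-reset check before you boot back into normal mode.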