1:00 AM
El DiPablo
So I have this deal with a local business near me. I fix their computers, and take care of their network for them and they give me and my family free stuff. Fair trade right?
Well, a few months ago I rebuilt their network, and domain controller and upgraded them from a Windows 2000 domain to Windows 2003. After the upgrade I noticed that they had very weak password policy. In fact, they had no password policy and they never changed their passwords. I told them they should consider going with a stronger password policy, but they were more concerned with ease of use. Ok, at lease I warned them!
Well I got a call on Monday from the frantic business owner. His server was no longer accessible and none of his domain passwords worked any more. One thing he had set up on his router was RDP access to his server from the Internet. Normally not a terrible thing if you have good passwords, and account lockouts, but like I said before, he didn’t.
When I finally showed up to his office to assess the situation, my account was no longer active either. Your network is only as secure as your weakest link. The weak link in this network was passwords.
Anyway, I had to get them back up and running because without their server their business could not function. I will mention some of the things I ran into, but will go into how I addressed them in different posts. This post is about recovering a domain password after it’s been compromised.
Apparently this will work on a Windows 2008 and 2008R2 Domain Controller too. Anyway, I did the following:
- Rebooted the domain controller into Directory Services Restore mode by pressing F8 at boot up
- Logged into the server with the local administrator account and the Directory Services Recovery password. (If you don’t know it, follow my video here to reset it as it works on all versions of Windows)
- Downloaded SRVANY.exe and INSTSRV.exe from the Microsoft Resource kit (Here)
- I extracted the above files to d:\recover
- I opened a command prompt and changed into d:\recover then ran the following:
instsrv PassRecovery "d:\recover\srvany.exe"
- The above created a new service that runs as a local service which when started in normal mode will have full domain admin access
- Next I went into services, and went into the properties of my PassRecovery service, made sure it was set to automatic start, and on the logon tab I checked the box to allow interaction with the desktop.
- Next I opened the registry and navigated to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery- From there I created a new sub-key called Parameters
- Within Parameters I added the following values:
name: Application
type: REG_SZ (string)
value: c:\windows\System32\cmd.exe
name: AppParameters
type: REG_SZ (string)
value: /k net user administrator n3wP@55w0rd! /domain
- Make sure to change the above password to something you can remember
- Now reboot, and the service should start up and reset your domain administrator password
After you are able to login to your domain as Administrator, run the following from command line to remove the PassRecovery service we created:
net stop PassRecovery
sc delete PassRecovery
Also go ahead and delete the d:\recover directory, and reset the Administrator password if you want.
Something to note on this is whomever hacked in was not a fool. They were smart enough to delete the net.exe application from the System32 directory so at first this trick didn’t work. I had to go back into Directory Services Recovery Mode and copy net.exe from a different Windows 2003 server to the System32 directory on the hacked server. After that the trick worked fine.
Another thing the hacker did, that I noticed after I finally got in, was delete the gpedit.msc snap-in so I couldn’t modify Group Policy. I did the same thing as I did with net.exe, and copied it from another server. Easy fix.
Some other things they did was:
- Created 4 back door accounts
- Deleted several user accounts
- Created a startup script that recreated back door accounts at boot up and put them in the Domain Admins group
I am also fairly sure they got in using RDP and an RDP brute force/dictionary attack tool like TSGrinder. I will discuss what I did to mitigate that stuff in future articles.
Also to touch back on the password weaknesses, I enabled a good strong password policy and lockout policy which should help against brute force and dictionary attacks.
It’s sad to say that sometimes being the victim of a hack like this is a good lesson in password security, and how important it is. This situation could have been much worse if this hacker wanted to be really malicious. The next time an administrator tells you that your password or your password policy is not strong enough, you may want to listen.
[Via Petri IT Knowledge Base]
