Monday, March 12, 2007

How to reset your Windows 2003 Server Domain Password

For a while now I've had a couple of Win2k3 server boxes standing in the basement at school. Their main purpose was to test a setup where you have two servers working together, sharing the same domain and Active Directory. Anyways, the other day when I tried to remote desktop into one of the machines all I got was an error saying "this user is not permitted to log on interactively" or something like that. Bear in mind that this was the admin user, so I knew something was wrong. Long story short, I came to the conclusion that someone had changed my domain admin and local admin passwords. I was locked out of my own box and the only solution I could think of off the top of my head was to reinstall Windows and use a stronger password this time. I didn't really want to do this because I had spent too much time configuring the boxes to synchronize.

A few Googles later I found out that it was in fact possible to change the domain admin password as long as you had physical access to the server. So all I had to do was crack or change the local administrator password. This can easily be done with most recovery boot CDs; I used a distribution of BartPE with "Password Recovery". So here's a step by step on how to recover your lost Windows 2003 Server domain admin password:

1. You're going to need two tools provided by Microsoft in their Resource Kit: SRVANY and INSTSRV.

2. Boot BartPE, run Password Recovery and change the local administrator password.
Remove the CD and reboot. Press F8 during boot and select Directory Services Restore Mode.

3. Log in as local administrator with the password you just set. Copy SRVANY and INSTSRV to a temp folder. Copy cmd.exe from system32 to this folder.

4. Start a command prompt and cd to your temp folder, then type (the service name must match the registry key used in step 5):

instsrv PassRecovery "yourtempfolder\srvany.exe"

5. Configure SRVANY by opening regedit.
Find the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery.

Create a new subkey called Parameters and add two new values:

name: Application
type: REG_SZ (string)
value: d:\temp\cmd.exe

name: AppParameters
type: REG_SZ (string)
value: /k net user administrator new_password

6. Run services.msc and open the properties of PassRecovery. Check that the startup type is
set to Automatic. On the Log On tab, enable the option Allow service to interact with desktop.

7. From now on, every time Windows starts, SRVANY will run the net user command and reset the domain admin password.

Use this command prompt to uninstall SRVANY after you have logged on as the domain admin, by typing:

net stop PassRecovery
sc delete PassRecovery

Now delete your temp folder and change the admin password.
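From the defender's side, steps 4 to 6 leave a recognisable footprint on the box: a service whose ImagePath is srvany.exe and whose Parameters subkey points at cmd.exe with a net user command. The Python audit below is an added example of mine, not part of the original post, that looks for exactly that pattern. On Windows it reads the live Services hive through winreg (assuming rights to read HKLM\SYSTEM); elsewhere it runs against a constructed sample hive so the logic can be checked offline.

```python
import ntpath
import sys

# Constructed sample of the Services hive after steps 4 to 6 of the post, plus an
# ordinary service for contrast. Keys mirror the registry value names; Start 2 = Automatic.
SAMPLE_SERVICES = {
    "PassRecovery": {
        "ImagePath": r"d:\temp\srvany.exe",
        "Start": 2,
        "Parameters": {
            "Application": r"d:\temp\cmd.exe",
            "AppParameters": "/k net user administrator new_password",
        },
    },
    "Spooler": {
        "ImagePath": r"%SystemRoot%\system32\spoolsv.exe",
        "Start": 2,
        "Parameters": {},
    },
}


def image_basename(image_path: str) -> str:
    """Executable name from an ImagePath value, which may be quoted or carry arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def audit_services(services: dict) -> list:
    """Flag services that use srvany.exe to run another program and report what it runs."""
    findings = []
    for name, svc in services.items():
        if image_basename(str(svc.get("ImagePath", ""))) != "srvany.exe":
            continue
        params = svc.get("Parameters", {})
        args = str(params.get("AppParameters", ""))
        findings.append({
            "service": name,
            "application": params.get("Application", ""),
            "arguments": args,
            "autostart": svc.get("Start") == 2,
            # a wrapped 'net user' is the footprint of the reset described in the post
            "severity": "high" if "net user" in args.lower() else "medium",
        })
    return findings


def read_live_services() -> dict:
    """Windows only: read the same fields from HKLM\\SYSTEM\\CurrentControlSet\\Services.
    Assumes the script runs with rights to read that hive."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as hive:
        for idx in range(winreg.QueryInfoKey(hive)[0]):
            name = winreg.EnumKey(hive, idx)
            entry = {"Parameters": {}}
            try:
                with winreg.OpenKey(hive, name) as key:
                    for value in ("ImagePath", "Start"):
                        try:
                            entry[value] = winreg.QueryValueEx(key, value)[0]
                        except FileNotFoundError:
                            pass
                with winreg.OpenKey(hive, name + r"\Parameters") as params:
                    for value in ("Application", "AppParameters"):
                        try:
                            entry["Parameters"][value] = winreg.QueryValueEx(params, value)[0]
                        except FileNotFoundError:
                            pass
            except OSError:
                pass  # no Parameters subkey, or access denied: keep what was read
            services[name] = entry
    return services


if __name__ == "__main__":
    services = read_live_services() if sys.platform == "win32" else SAMPLE_SERVICES
    for f in audit_services(services):
        flag = "autostart" if f["autostart"] else "manual"
        print(f"[{f['severity']}] {f['service']} ({flag}) wraps {f['application']} {f['arguments']}")
```

The audit only tells you after the fact; the control that actually matters is the one the post itself relies on, physical access. Anyone who can boot the box from removable media can run the same steps, so locked-down boot order, full-disk encryption and a well-guarded Directory Services Restore Mode password do more than any registry check.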

Wednesday, February 14, 2007

Cracking WEP - explained

Tomorrow I have to give a presentation about WEP and why it is so vulnerable, so I figured what better way to prepare than actually writing down the presentation?

The main problem with WEP is that people think it's designed to provide total end-to-end encryption, when in fact it was only intended to make WLANs as safe as wired LANs, hence the name Wired Equivalent Privacy.

The encryption process per se is pretty straightforward. The desired WEP key (which you put in the properties of your network connection) is merged with 3 randomly generated characters, the initialization vector (IV; these are sent in clear text along with the encrypted packet). This means that in a 64 bit WEP environment the WEP key itself is only 40 bit. These 64 bits are known as the RC4 key. This key is then run through an algorithm called KSA (Key Scheduling Algorithm) to randomize the state array. Next the cipher is run through PRGA (Pseudo Random Generation Algorithm), which outputs a streaming key based on the KSA's pseudo random state array. This streaming key is then XOR'd with the plain text data and run through a CRC32, creating the encrypted packet. And that's pretty much all there is to it :-) Here's a flow chart of the whole process:

So in short, the main flaws in WEP are:

  • Initialization Vectors are reused across encrypted packets. As an IV is only 3 characters (24 bits) long, it is only a matter of time before it is reused. If a sniffer program picks up enough data it is bound to find two packets with the same IV sooner or later, and by comparing these the RC4 cipher stream can be backtracked.
  • As more RC4 cipher streams are found and more IVs are deciphered, the closer the cracker gets to discovering the WEP key.
  • CRC32 is not intended for encryption purposes. The original purpose of the Cyclic Redundancy Check was to detect errors in transmission, not to encrypt data.
  • Every unit using one particular AP will need the same WEP key, hence all the resultant traffic will be using the exact same WEP key as well.
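To make the encryption walkthrough and the list of flaws concrete, here is an added Python example of my own (it is not from the post). It implements KSA and PRGA, builds a WEP frame from a constructed 40 bit key and IV, and then exercises three of the flaws listed above: the same-IV keystream leak, keystream recovery from one known plaintext, and the linearity of CRC32 that makes it unfit as an integrity check. One detail relative to the text: 802.11 computes the CRC32 ICV over the plaintext first and XORs plaintext plus ICV with the keystream, and the code follows that order. All key, IV and payload values are constructed; the block is a model of the protocol, not a capture tool.

```python
import struct
import zlib


def ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: build the RC4 state array S from the key.
    In WEP the key is IV || WEP key (3 + 5 bytes for "64 bit" WEP)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list, n: int) -> bytes:
    """Pseudo Random Generation Algorithm: emit n keystream bytes from S."""
    S = S[:]  # work on a copy so the caller's state array is untouched
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: plain CRC32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV (in the clear) || RC4_{IV||key}(plaintext || ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = prga(ksa(iv + wep_key), len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, prga(ksa(iv + wep_key), len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext, tag == icv(plaintext)


def same_iv_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Flaw 1: two frames sharing an IV share a keystream, so XORing the
    ciphertexts cancels it and leaks plaintext_a XOR plaintext_b without the key."""
    assert frame_a[:3] == frame_b[:3], "only frames with equal IVs share a keystream"
    n = min(len(frame_a), len(frame_b)) - 3
    return xor(frame_a[3:3 + n], frame_b[3:3 + n])


def keystream_from_known_plaintext(frame: bytes, plaintext: bytes) -> bytes:
    """Flaw 2: one known plaintext for an IV yields that IV's whole keystream
    (the list's 'RC4 cipher stream can be backtracked')."""
    return xor(frame[3:], plaintext + icv(plaintext))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """Flaw 3: CRC32 is affine over XOR, so it detects transmission errors but
    cannot act as a keyed integrity check: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0..0)."""
    assert len(a) == len(b)
    c = lambda x: zlib.crc32(x) & 0xFFFFFFFF
    return c(xor(a, b)) == c(a) ^ c(b) ^ c(bytes(len(a)))


# Constructed sample values (not from the post): a 40 bit key, one IV, two payloads.
WEP_KEY = bytes.fromhex("0102030405")
IV = bytes([0x11, 0x22, 0x33])
PAYLOAD_A = b"GET /index.html "
PAYLOAD_B = b"POST /login.php "


def demo():
    """Encrypt two payloads under the same IV and show what that reuse gives away."""
    frame_a = wep_encrypt(WEP_KEY, IV, PAYLOAD_A)
    frame_b = wep_encrypt(WEP_KEY, IV, PAYLOAD_B)  # IV reused: the WEP mistake
    leak = same_iv_leak(frame_a, frame_b)
    ks = keystream_from_known_plaintext(frame_a, PAYLOAD_A)
    recovered_b = xor(frame_b[3:], ks)[:-4]  # frame B read with no key at all
    return leak, recovered_b


if __name__ == "__main__":
    leak, recovered_b = demo()
    print("plaintext_a XOR plaintext_b:", leak[:16].hex())
    print("frame B decrypted via IV reuse:", recovered_b)
```

With a 24 bit IV and a busy network the same-IV situation in demo() is inevitable rather than hypothetical, which is why the fix was never a better IV policy but a different protocol: WPA2/WPA3 with per-association keys and a real message integrity code.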
