Good morning all,
We have a client with a server running Server 2003 that an employee changed the Admin login password before he left. I have obtained the password with four seperate password cracking tools and the results are all the same. However the password does not let us log in. Has this happened to anyone? Thoughts?
Have you recovered a local machine password or domain password?
Frankly, I'm not sure. We have been working with the SAM file from the config folder located in the windows-system 32 folder. Are we looking in the wrong place?
Think bithead is pointing in the right direction.
I guess the employee changed the domain admin and you most likely (almost sure) retrieved the local admin.
Haven't been busy with this subject lately, but recovering a domain password is alot harder as rainbow tables are useless and this will mean a bruteforce must do it. (not totally sure though)
You could use fgdump on the former admins system to retrieve the potentially cached PW and then crack it rather easily (if LM hash is enabled). Will be cached if the former admin ever logged in to test it (last 5 by default are cached).
Only 1 domain admin exists?
Sounds like you have cracked the local machine password, which is good, but you probably need to change the domain password which can be done by following these steps.
http//
Also sometimes when you crack a password that is longer than 14 characters, the cracking tools just give you the first 14.