How to bypass authentication on Windows Server 2008 R2



In this article we will take a gander at the fact that it is so natural to sidestep validation and reset the head secret key on a Windows Server 2008 R2 establishment. This procedure expects us to have physical access to the machine that is running the Windows server or approach the administration interface of the hypervisor when Windows Server 2008 R2 is running virtualized. This isn't an incredible 'hacking' procedure that can be utilized to pwn all Windows establishments yet it is progressively a sysadmins final resort trap when nothing else takes a shot at an overlooked secret key. What's more, in some different circumstances it is unquestionably helpful and proves to be useful when you require it. Particularly exactly when you've bargained the organization board of the hypervisor programming. This sort of access enables you to control the virtual machines as though you had physical access to it, including the capacity to utilize boot plate and change framework documents. On the other hand you can apply this strategy when have some sort of physical access to a host.rs.

A few months back I was leading an infiltration test on an arranged Windows condition that was running on a VMware hypervisor. The earth contained an area controller and 3 application servers that were running Windows Server 2008 R2. Other then the Windows machines I additionally experienced a couple of Linux based system and go down gadgets. As it was not hard to trade off the machines on this system I could get to the VMware vSphere organization board as overseer in a beginning time of the infiltration test. This entrance level enabled me to reset the chairman watchword utilizing a boot CD lastly login to the Windows Server with director benefits. In the take after areas I will clarify how I did this and how you can secure your Windows establishments from applying this procedure.

Resetting the administrator password on Windows Server 2008 R2

The beginning stage of this instructional exercise is a machine with Windows Server 2008 R2 Enterprise that has been booted with a boot CD. In this illustration we've utilized the Hiren boot CD (HBCD) however you can utilize any option boot CD too, including a Windows establishment circle. In the wake of booting the framework from the boot CD explore to the accompanying catalog of the drive that contains the Windows Server 2008 R2 establishment:
In this index you will locate an executable record named 'Utilman.exe'. Utilman is a little utility that is utilized to design openness alternatives, for example, the magnifier and the on-screen console. What's so uncommon about Utilman.exe is that we can execute this program before signing in the framework. We can do this by tapping the little 'openness' catch in the base left corner of the Windows logon menu:

The ‘accessibility’ button to launch Utilman.exe displayed at the left.

Since we approach the/Windows/System32 registry we can swap out the Utilman.exe program with the cmd.exe program. When we swap out these applications we can begin cmd.exe with framework benefits rather than Utilman.exe when squeezing the availability catch in the logon screen. Starting here we can reset the director secret word and utilize it to login. 

To start with we will rename the Utilman.exe program to Utilman.exe.old as following:

Rename Utilman.exe to Utilman.exe.old
The next step is to rename cmd.exe to Utilman.exe as following:
Rename cmd.exe to Utilman.exe. You can also copy cmd.exe and rename it so you can still use cmd.exe after logging in to Windows
Since we've swapped Utilman.exe with cmd.exe we just need to reboot the machine into Windows and tap the availability catch on the login screen. Not surprisingly this will dispatch a charge line rather than the openness alternatives:
Utilman.exe as cmd.exe
The next step is to change the administrator password as following:
Change the administrator password.
At long last we can logon Windows with the new director certifications
Windows Server 2008 R2 Enterprise signing in with the new administrator credentials.

Comments

Popular posts from this blog

The Secure Socket Tunneling Protocol

Fake WAP

Lets Make a Simple Keylogger