How to bypass authentication on Windows Server 2008 R2
In this article, we will look at how easy it is to bypass authentication and reset the administrator password on a Windows Server 2008 R2 installation. The technique requires physical access to the machine running Windows Server, or access to the management interface of the hypervisor when Windows Server 2008 R2 runs virtualized. This is not a great ‘hacking’ technique that can be used to pwn all Windows installations; it is more of a sysadmin's last-resort trick when nothing else works on a forgotten password.
In some other situations it is definitely useful and comes in handy when you need it, especially once you have compromised the administration panel of the hypervisor software. That kind of access lets you control virtual machines as if you had physical access to them, including the ability to use a boot disk and modify system files. Alternatively, you can apply this technique when you have some kind of physical access to a host.
A couple of months ago I was conducting a penetration test on a staged Windows environment that was running on a VMware hypervisor. The environment contained a domain controller and 3 application servers running Windows Server 2008 R2. Other than the Windows machines, I also encountered a few Linux-based network and backup devices.
As it was not very hard to compromise the machines on this network, I was able to access the VMware vSphere administration panel as an administrator at a very early stage of the penetration test. This access level allowed me to reset the administrator password using a boot CD and finally log in to the Windows Server with administrator privileges. In the following sections, I will explain how I did this and how you can secure your Windows installations against this technique.
Resetting the administrator password on Windows Server 2008 R2
The starting point of this tutorial is a machine with Windows Server 2008 R2 Enterprise that has been booted from a boot CD. In this example we’ve used the Hiren boot CD (HBCD), but you can use any alternative boot CD as well, including a Windows installation disk. After booting the system from the boot CD, navigate to the following directory on the drive that contains the Windows Server 2008 R2 installation:
/Windows/System32
In this directory you will find an executable file named ‘Utilman.exe’. Utilman is a small utility used to configure accessibility options such as the magnifier and the on-screen keyboard. What’s so special about Utilman.exe is that it can be executed before logging in to the system: the logon screen launches it when you click the small ‘accessibility’ button in the bottom left corner of the Windows logon menu:
The ‘accessibility’ button to launch Utilman.exe is displayed on the left.
Now that we have access to the /Windows/System32 directory we can swap out the Utilman.exe program with cmd.exe. After the swap, pressing the accessibility button on the login screen starts cmd.exe with SYSTEM privileges instead of Utilman.exe, because the logon screen runs whatever file is named Utilman.exe. From this point we are able to reset the administrator password and use it to log in.
First, we will rename the Utilman.exe program to Utilman.exe.old as follows:
Rename Utilman.exe to Utilman.exe.old
The next step is to rename cmd.exe to Utilman.exe as follows:
Rename cmd.exe to Utilman.exe. You can also copy cmd.exe and rename it so you can still use cmd.exe after logging in to Windows.
Now that we’ve swapped Utilman.exe with cmd.exe we only have to reboot the machine into Windows and click the accessibility button on the login screen. As expected, this launches a command prompt instead of the accessibility options:
Utilman.exe as cmd.exe
The next step is to change the administrator password as follows:
Change the administrator password.
Finally, we can log on to Windows with the new administrator credentials:
Windows Server 2008 R2 Enterprise signing in with the new administrator credentials.
Lessons learned
In this article, we’ve seen how easy it is to get administrator access to a Windows Server 2008 R2 Enterprise host after we’ve compromised the hypervisor. The mere fact that we were able to boot the machine from a boot CD, and so tamper with data on the hard drive, is a security issue with serious consequences.
There are several ways to prevent and mitigate this kind of attack. One of them is to secure the BIOS with a password so that an attacker cannot change the boot options for the machine and is therefore unable to boot from the boot CD. Note that a BIOS password only constrains someone at the physical console; an attacker who administers the hypervisor can still attach boot media to the virtual machine or edit its files outside the guest. A more effective way is to apply full disk encryption, which encrypts all the data on the disk and prevents the attacker from tampering with it.
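The swap described in the tutorial leaves a recognisable trace: the file named Utilman.exe in System32 is byte-for-byte identical to cmd.exe (or, if it was copied rather than renamed, still carries cmd.exe's embedded version resource), and the mitigation paragraph above names disk encryption as the control that actually stops offline tampering. The following PowerShell script is an added example, not code from the original article; it audits a host for both. It assumes PowerShell 2.0 or later (so it computes SHA-256 via .NET rather than Get-FileHash), that the BitLocker WMI namespace root\cimv2\Security\MicrosoftVolumeEncryption is present once the feature is installed, and it generalises from Utilman.exe to the other accessibility programs the logon screen can start (sethc.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe), which the article does not list. The parameter name SystemRoot is my own choice.

```powershell
# Added example (not from the original article): audit a Windows host for the
# Utilman.exe-style swap described above and report whether the system drive is
# protected by BitLocker. Run from an elevated PowerShell prompt on the host, or
# point -SystemRoot at an offline Windows directory (e.g. a mounted image; the
# BitLocker check always reports on the live host).
# Assumption: Windows 7 / Server 2008 R2 or later with PowerShell 2.0+.
param(
    [string]$SystemRoot = $env:SystemRoot
)

$System32 = Join-Path $SystemRoot 'System32'

# Accessibility programs the logon screen can launch before any user signs in.
# Utilman.exe is the one the article swaps; the rest are the same class of binary.
$AccessibilityBinaries = @(
    'Utilman.exe', 'sethc.exe', 'osk.exe', 'Magnify.exe',
    'Narrator.exe', 'DisplaySwitch.exe'
)

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4.0, so use the .NET class directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-AccessibilityBinary {
    param([string]$Name, [string]$CmdHash)
    $path = Join-Path $System32 $Name
    $result = New-Object PSObject -Property @{
        File    = $Name
        Exists  = (Test-Path $path)
        Finding = 'OK'
    }
    if (-not $result.Exists) {
        $result.Finding = 'MISSING'
        return $result
    }
    # A renamed or copied cmd.exe still carries cmd.exe's version resource, so the
    # embedded OriginalFilename ("Cmd.Exe") no longer matches the name on disk.
    # Comparison is case-insensitive (PowerShell default).
    $info = (Get-Item $path).VersionInfo
    if ($info.OriginalFilename -and ($info.OriginalFilename -ne $Name)) {
        $result.Finding = "OriginalFilename is '$($info.OriginalFilename)', expected '$Name' - verify manually"
    }
    # Direct comparison with the host's own cmd.exe catches the exact swap in the article.
    if ($CmdHash -and ((Get-Sha256Hex $path) -eq $CmdHash)) {
        $result.Finding = 'IDENTICAL TO cmd.exe'
    }
    return $result
}

function Get-SystemDriveProtection {
    # Win32_EncryptableVolume is available once the BitLocker feature is installed.
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if (-not $vol) {
        return 'BitLocker not available or not configured for the system drive: offline tampering is possible'
    }
    switch ($vol.ProtectionStatus) {
        0       { 'BitLocker protection OFF for the system drive: offline tampering is possible' }
        1       { 'BitLocker protection ON for the system drive' }
        default { 'BitLocker protection status unknown for the system drive' }
    }
}

# If cmd.exe itself is gone, the article's rename (rather than copy) variant is likely.
$cmdPath = Join-Path $System32 'cmd.exe'
$cmdHash = ''
if (Test-Path $cmdPath) {
    $cmdHash = Get-Sha256Hex $cmdPath
} else {
    Write-Warning "cmd.exe is missing from $System32 - was it renamed to another binary?"
}

$AccessibilityBinaries |
    ForEach-Object { Test-AccessibilityBinary -Name $_ -CmdHash $cmdHash } |
    Format-Table File, Exists, Finding -AutoSize

Get-SystemDriveProtection
```

On an untouched host every row reads OK and the last line reports the BitLocker state; after the swap from the tutorial the Utilman.exe row reads IDENTICAL TO cmd.exe (or shows cmd.exe's OriginalFilename if the file was later modified) and, when cmd.exe was renamed instead of copied, the warning about the missing cmd.exe appears as well. Because the script reads only file metadata and hashes, it is equally usable against a mounted offline copy of a disk during an investigation.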
I hope you’ve found this small tutorial useful in some way. If you’re looking to try this technique or to practice penetration testing techniques on Windows Server 2008 machines, I recommend installing Metasploitable 3, which is based on Windows Server 2008.