Welcome!

Technical log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Friday, September 17, 2010

Recover root passwd

Cracking a password with John (JTR) took one hour

The john -incremental test option cracks passwords much faster than the default john options.
It cracks numbers, uppercase, lowercase and one special char in less than 4 hours on a P4 3.0GHz.
Simple text passwords like "linux" are done in 30 seconds, but you gotta realize that john guesses semi-randomly and not in a true brute force fashion. This is why it's great for those single accounts that other crackers like rainbow couldn't get with letters and numbers.
If you keep pressing Enter the next time you run john, you should see its "progress" and what passwords it is probing.
Matt
I tried to find out how secure my passwords are and tried the following on an XP 2700+ box:
I created a file passwd.1 with the following content:
$2a$05$CL3uN2mrTaP6zoDNubQsEuFhxIB0K4bIylcm5yuP5LTY8nZ3HJ4MO:1002:100:test:/home/test:/bin/bash

Then I used john from the SuSE 9.1 DVD:
john -users:test -session:testcrack passwd.1
Loaded 1 password hash (OpenBSD Blowfish [32/32])
linux            (test)
guesses: 1  time: 0:01:11:27 (3)  c/s: 333  trying: linux
Why does it take so long to crack a simple passwd like "linux", while the password test1 was found immediately?


On openSUSE (up to 10.2)
METHOD 1
Here are all the steps to change the root password in Linux:
1) When you reach the GRUB screen, select the Linux entry and press 'e'.
2) Select the line which contains the word 'kernel' and press 'e' again.
3) Go to the end of that line and write 'linux single' or 'single'.
4) Then press 'Esc' and press 'b' to boot the system.
5) Now wait for the prompt and type there:
passwd root

METHOD 2
Please try the following steps to change the root password:
1. Boot the computer with the Linux installation CD.
2. Enter Linux rescue mode by typing the following command at the boot prompt:
boot: linux rescue
3. When the sh prompt is reached, and assuming that rescue mode automagically mounted the root partition of the disk (read and write) at /mnt/sysimage, enter the following commands:
# chroot /mnt/sysimage
# passwd
The above steps will prompt you to enter your new password.
----------------------------------------------------
Source:
old-en.opensuse.org/Recover_Root_Password
Recover Root Password

Set Root Password
If you've lost your root password, you might be able to recover it using the steps below. However, some systems are protected with boot loader passwords that will not let you do that without THAT password. If the boot loader is password protected, you need to boot from other media like the openSUSE CD/DVD/mini-boot. The openSUSE install CD is probably the best one to use.
CD/DVD Recovery Mode
If using CD/DVD boot media, you need to choose Rescue System. You enter root and then mount the disk manually. For example, a Compaq RAID controller will probably be /dev/ida/c0d0 or an IDE drive will be /dev/hda1. Find the partitions by using fdisk /dev/ida/c0d0 or fdisk /dev/hda (just "p" and quit) and then mount what you need.
# mount /dev/sda2 /mnt
# cd /mnt
# chroot /mnt
# passwd
(/dev/sda2 stands for the partition holding the installed root filesystem. In the rescue system it is not mounted yet, so a plain mount is what is needed; "-o remount,rw" only applies to a filesystem that is already mounted, as in the single user mode section below.)
For openSUSE 10.3, you need some more steps:
Start the rescue system. Find the disk root partition, then, assuming it is /dev/hdXY (or, more likely, /dev/sdXY):
mount /dev/hdXY /mnt
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /dev /mnt/dev
chroot /mnt
You are now root in the installed system, with everything at hand: passwd, but also YaST...
A "bind" mount makes the kernel's virtual filesystems (/proc, /sys, /dev) visible at a second mount point, so that tools inside the chroot find them where they expect.
If all fails, consider that you can pull this drive (or install another drive in this machine) and mount it from another running Linux. Then recover the root password as explained above.
Single User Mode
The first thing to try is to boot to single user mode.
This MIGHT not work for you, because your system might be configured to still ask for a root password to get to single user mode.
If that's the case, use the following trick that replaces init with /bin/bash.
First, try single user. If you don't see either a LILO or GRUB boot screen, try hitting CTRL-X to get one. If it's LILO, just type "linux single" and that should do it (assuming that "linux" is the LILO label). If GRUB, hit "e", then select the "kernel" line, hit "e" again, and add " single" (or just " 1") to the end of the line. Press ENTER, and then "b" to boot. (Newer versions of GRUB use "a" to append to the boot line.)
You should get a fairly normal looking boot sequence except that it terminates a little early at a bash prompt. If you get a "Give root password for system maintenance", this isn't going to work, so see the "init or /bin/bash" version below.
If you do get the prompt, the / filesystem may not be mounted rw (although "mount" may say it is). Do
mount -o remount,rw /
If that doesn't work (it might not), just type "mount" to find out where "/" is mounted. Let's say it is on /dev/sda2. You'd then type:
mount -o remount,rw /dev/sda2
If you can do this, just type "passwd" once you are in and change it to whatever you like. Or just edit /etc/shadow to remove the password field: move to just beyond the first ":" and remove everything up to the next ":". With vi, that would be "/:" to move to the first ":", space bar once, then "d/:" and ENTER. You'll get a warning about changing a read-only file; that's normal. Before you do this, /etc/shadow might look like:
root:$1$8NFmV6tr$rT.INHxDBWn1VvU5gjGzi/:12209:0:99999:7:-1:-1:1074970543
bin:*:12187:0:99999:7:::
daemon:*:12187:0:99999:7:::
adm:*:12187:0:99999:7:::
and after, the first few lines should be:
root::12209:0:99999:7:-1:-1:1074970543
bin:*:12187:0:99999:7:::
daemon:*:12187:0:99999:7:::
adm:*:12187:0:99999:7:::
You'll need to force the write: with vi, ":wq!". (If that still doesn't work, you needed to do the -o remount,rw, above).
INIT or /bin/bash Mode
Another trick is to add "init=/bin/bash" (LILO "linux init=/bin/bash" or add it to the Grub "kernel" line). This will dump you to a bash prompt much earlier than single user mode, and a lot less has been initialised, mounted, etc. You'll definitely need the "-o remount,rw" here. Also note that other filesystems aren't mounted at all, so you may need to mount them manually if you need them. Look in /etc/fstab for the device names.
Keep this in mind if you have a Linux machine in a publicly accessible place: without more protection (such as the boot loader password mentioned above), it's not usually hard to recover a lost root password, which means it's just as easy for someone to CHANGE it, or access root without your knowledge.
Another way to do this is to remove the password from /etc/shadow. Just in case you screw up, I'd copy it somewhere safe first. You want to end up with the root line looking something like this:
Original line:
root:$1$EYBTVZHP$QtjkCG768giXzPvW4HqB5/:12832:0:99999:7:::
After editing:
root::12832:0:99999:7:::
If you are having trouble with editing (you really do have to learn vi one of these days), you could (after making a copy, of course) just
echo "root::12832:0:::::" > /mnt/etc/shadow
or, if you were in single user mode
echo "root::12832:0:::::" > /etc/shadow
and then fix things up when rebooted. Note that this replaces the whole file with that single root line, so every other account's entry has to be restored from your copy afterwards.
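The following is an added example, not from the openSUSE wiki page or the forum posts quoted above: a POSIX shell audit of a shadow-format file. It ties together two things on this page. The bcrypt hash from the john run carries its work factor in the field itself ($2a$05$ means cost 5), which is why each guess was so slow; and the /etc/shadow edits in the recovery steps leave an empty second field, meaning an account that logs in with no password at all, exactly the state the caveat above warns about. The sample shadow lines are constructed from entries shown on the page plus a made-up "guest" line and a made-up malformed "broken" line; the class names, the nine-field check and the function names (classify_hash, audit_shadow, count_empty) are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the openSUSE wiki text or the forum posts above.
# Audit a shadow-format file: flag accounts whose password field is empty
# (they log in with no password at all) or whose line is malformed, and
# report the hash algorithm and work factor of the rest. The $1$, $2a$,
# $5$ and $6$ prefixes are the standard crypt(3) ids.

# Constructed sample: root/bin/daemon lines as shown on the page, the
# bcrypt hash from the john run above as user "test", plus a made-up
# "guest" line with an empty password field and a made-up malformed line.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$8NFmV6tr$rT.INHxDBWn1VvU5gjGzi/:12209:0:99999:7:-1:-1:1074970543
bin:*:12187:0:99999:7:::
daemon:!:12187:0:99999:7:::
test:$2a$05$CL3uN2mrTaP6zoDNubQsEuFhxIB0K4bIylcm5yuP5LTY8nZ3HJ4MO:12209:0:99999:7:::
guest::12209:0:99999:7:::
broken:x:1:2
EOF

# classify_hash FIELD -> one word describing the password field
classify_hash() {
    case "$1" in
        "")                        echo "EMPTY" ;;   # no password required at all
        '*'|'!'*)                  echo "locked" ;;  # no usable hash, login disabled
        '$1$'*)                    echo "md5crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)
            # bcrypt: $2a$NN$..., NN is the log2 work factor; 05 means 2^5
            # iterations of the expensive setup, hence ~333 guesses/s above
            echo "bcrypt-cost$(printf '%s' "$1" | cut -d'$' -f3)" ;;
        '$5$'*)                    echo "sha256crypt" ;;
        '$6$'*)                    echo "sha512crypt" ;;
        *)                         echo "unknown" ;;
    esac
}

# audit_shadow FILE -> prints "user<TAB>class" per line; exit status 1 if
# any account has an empty password field or any line is not 9 fields
audit_shadow() {
    status=0
    while IFS= read -r line; do
        user=${line%%:*}
        rest=${line#*:}
        field=${rest%%:*}
        nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nfields" -ne 9 ]; then
            printf '%s\tMALFORMED(%s fields)\n' "$user" "$nfields"
            status=1
            continue
        fi
        class=$(classify_hash "$field")
        printf '%s\t%s\n' "$user" "$class"
        if [ "$class" = "EMPTY" ]; then status=1; fi
    done < "$1"
    return "$status"
}

# count_empty FILE -> number of accounts with an empty password field
count_empty() {
    audit_shadow "$1" | awk -F'\t' '$2 == "EMPTY" { n++ } END { print n + 0 }'
}

# Stand-alone run: after a rescue-mode edit of /etc/shadow this is the check
# that the root line got a real hash back and nothing else was left open.
if audit_shadow "$SAMPLE_SHADOW"; then
    echo "OK: every account has a hash or is locked"
else
    echo "WARNING: passwordless or malformed entries found"
fi
```

Run it against the real file as root (`audit_shadow /etc/shadow`) once the system is back up; a non-zero exit status means an entry still needs attention.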
