May 27th, 2004, 05:12 AM
I recently moved, and before I left I changed the password on my RedHat 9.0 box. I wrote the password down on a piece of paper and have unfortunately lost it. I've searched everywhere and it's nowhere to be found.
The RedHat box is the main computer on my home network. It acts as a router, firewall, DNS, DHCP and Telnet for my home LAN. I would seriously hate to have to reinstall the box and reconfigure everything.
The only account I can log into on the box is a limited account in which I'd memorized the password.
I'm trying to figure out how I can get the root password on it without having to reinstall everything and make a new one. For some reason the Telnet server is not responding to me, port 23 is open on it but when I try and connect I'm getting nothing. I was going to try running a program called brutus but like I said the Telnet server isn't up from what I gather. Well, when I do a netstat on the RedHat box under the limited account it's listing Telnet but at the ip 0.0.0.0, so I'm confused... My local interface on the box is 192.168.1.1.....
The RedHat box actually has two network cards, eth0 acts as the public interface my ISP's DNS and DHCP servers work with and eth1 runs to a switch which I connect my workstations to. At the moment when I want on the Internet I'm connecting through a dial up connection on my Windows box. Maybe that has something to do with it (since eth0 isn't activating at boot on the RedHat box)??
Any ideas besides re-installing or searching around for a piece of paper I can't find that will get me the root password would be excellent.
The RedHat box is like I said off the Internet right now. I understand that I am asking for a privilege escalation method and that's not information you just hand out to anyone unless you feel it's okay to. If need be I can quickly install a 56k modem in the RedHat box and use a reasonable method to prove the pc is mine.
Also I have a program called Jack the ripper; I haven't used it yet, but if I can figure out what file I need to get off the Linux box and a way to acquire it with a limited account, that may work? The password cracking tool I use for Windows boxes is extremely fast; maybe Jack the ripper would work fast as well? Of course RedHat doesn't use LAN Manager hashes, right???
Thanks for any help you may provide and if no one feels comfortable helping me out I understand.
May 27th, 2004, 05:16 AM
Well, see, this could be looked at in a few ways. It could be looked at as a social engineering attempt or a legit attempt to get back a lost password. Either way, it should be a lesson. If you really did lose your password, then let it be a lesson: Remember your password. The best thing to do is to format/re-install the OS (RedHat 9.0, correct?). That is the best thing from a security standpoint to do right now.
(By the way: Telnet server? Why? It's so outdated, you might as well use SSH)
EDIT: For future reference, try to post your threads in the correct forum. This should go (IMO) under *nix Security Discussions or Newbie Security Discussions.
May 27th, 2004, 05:18 AM
1. Boot from the installation CD (edit: type rescue at the boot prompt)
2. vi /mnt/sysimage/etc/shadow and remove the encrypted password
May 27th, 2004, 05:33 AM
Much along the lines of the method jonathans_daddy stated, you could change the boot parameters to boot into single user mode. On my Red Hat box I added "single" to the end of the boot sequence. I was able to get into the box without a password (except for my grub password). This is of course the reason people always say "physical access means full access".
You are so bored that you are reading my signature?
May 27th, 2004, 05:49 AM
Heh, even if this is a Social Engineering attempt to get passwords, it could turn into a great thread about password security. It could also, of course, turn into an example about Social Engineering.
Anyway, I'm going to agree with a few things already said, and say to boot into single user mode. If you want to use a crack tool, then that's fine too, but just simply booting into single user mode would be much easier.
Single user mode won't run many services, it will only run what is needed for the machine to function, and gives you complete root access. No password needed.
You really should get a new way to remote access the box too. Try out SSH, which will encrypt the traffic sent to and from the box over it. It comes with RedHat, and you can use PuTTY for Windows to access it, which has a GUI to set up the options you want; then when you hit "Connect" you will see the login prompt.
I highly recommend you use SSH over Telnet, as anyone sniffing you can get anything you type into Telnet.
If you want to try SSH out, you can use it in Linux by typing ssh -l <Username> 192.168.*.*
* = Octets of the IP your server uses.
PuTTY is an SSH client for Windows, and works very well. I use it on my Windows boxes, and I'll attach it if I can here, or I'll give you the link to download it.
May 27th, 2004, 05:56 AM
Well...I would follow the above advice. Get a CD-bootable distro, enter as mini-root. Mount the system drive for write access. Wipe out the hash in the /etc/shadow file. Bam. You can do this easily with vi, or if you are not comfortable with that, with ed.
# cp /etc/shadow /etc/shadow.bak        # make a backup first
# ed /etc/shadow
/^root:/s/:[^:]*:/::/                   # blank the whole hash field on the root line ([^:]* matches a 13-char DES hash or a longer $1$ MD5 hash)
w
q
Bam. Done. Reboot. No root password.
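A defender's follow-up to the shadow-editing steps above, added here as an example and not code from any poster in this thread: once the hash field is blanked, that account accepts an empty password until passwd is run, and the "13 dots" pattern only fits the old DES format, not the $1$ MD5 hashes Red Hat 9 writes by default. This POSIX sh script audits a shadow file for empty password fields, labels the hash format of each entry, and checks a GRUB legacy grub.conf for the password line mentioned earlier in the thread. The shadow and grub.conf contents are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a shadow file for accounts that
# would accept an empty password, labels the hash format of each entry, and
# checks a GRUB legacy config for a "password" directive. Sample files below
# are constructed for the demonstration.

# classify_hash HASHFIELD -> label for the second field of a shadow entry
classify_hash() {
    case "$1" in
        '')          echo "EMPTY" ;;     # blank field: login needs no password
        '!'*|'*'*)   echo "LOCKED" ;;    # locked account or no login allowed
        '$1$'*)      echo "MD5" ;;       # Red Hat 9 default (34 characters)
        '$5$'*)      echo "SHA256" ;;
        '$6$'*)      echo "SHA512" ;;
        *)
            # traditional DES crypt output is always exactly 13 characters
            if [ "${#1}" -eq 13 ]; then echo "DES"; else echo "UNKNOWN"; fi
            ;;
    esac
}

# audit_shadow FILE -> prints "user LABEL" per entry, or a WARNING line for
# an empty password field; returns 1 if any field was empty, else 0
audit_shadow() {
    found=0
    while IFS=: read -r user hash rest; do
        [ -z "$user" ] && continue
        label=$(classify_hash "$hash")
        if [ "$label" = "EMPTY" ]; then
            echo "WARNING: $user has an empty password field"
            found=1
        else
            echo "$user $label"
        fi
    done < "$1"
    return "$found"
}

# grub_has_password FILE -> 0 if grub.conf has a "password" directive, else 1
grub_has_password() {
    grep -q '^[[:space:]]*password' "$1"
}

# --- constructed sample files (hash strings are made up, not real hashes) ---
SHADOW_SAMPLE=$(mktemp)
GRUB_SAMPLE=$(mktemp)
trap 'rm -f "$SHADOW_SAMPLE" "$GRUB_SAMPLE"' EXIT

cat > "$SHADOW_SAMPLE" <<'EOF'
root::12200:0:99999:7:::
alice:$1$saltsalt$0123456789abcdefghijkl:12200:0:99999:7:::
bob:!!:12200:0:99999:7:::
carol:AbCdEfGhIjKlM:12200:0:99999:7:::
EOF

cat > "$GRUB_SAMPLE" <<'EOF'
default=0
timeout=10
password --md5 $1$placeholder$hashgoeshere
title Red Hat Linux (2.4.20-8)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
EOF

if ! audit_shadow "$SHADOW_SAMPLE"; then
    echo "at least one account has no password: run passwd for it now"
fi
if grub_has_password "$GRUB_SAMPLE"; then
    echo "grub.conf requires a password before boot entries can be edited"
else
    echo "grub.conf has no password line: boot parameters can be edited by anyone at the console"
fi
```

Running it on the sample prints a WARNING for root (the state the thread's procedure leaves behind), labels alice as MD5, bob as LOCKED and carol as DES, and reports that the sample grub.conf carries a password line. Point it at the real /etc/shadow and /boot/grub/grub.conf as root to check your own box after a recovery.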
May 27th, 2004, 06:00 AM
Yeah, I'll second the PuTTY advice. I use PuTTY with both my Windows boxes and it's great for SSH connections. SSH (Secure Shell) won't be sniffed, unlike Telnet (like gore said, and thus the reason why it's called Secure Shell). So definitely use PuTTY as a great SSH client.
May 27th, 2004, 09:00 AM
If you are using LILO as boot manager, you could possibly even do it easier.
If your kernel image is called Linux, at the LILO prompt type:
Linux init=/bin/bash rw
This boots the kernel and, instead of the normal runlevels, starts bash (a shell) with the root hard disk mounted read-write.
Then you can go to /etc/shadow and remove the password (hash).
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
May 27th, 2004, 10:09 AM
I don't know about RedHat but on FreeBSD you can boot to single user mode (press a key before kernel load and enter boot -s). There's no need to enter a password to get root access. After you get the # prompt you can change the (root) password with passwd.
Experience is something you don't get until just after you need it.
May 27th, 2004, 02:54 PM
Regardless of distribution, you can boot all linuxes into "single-user mode" by passing init=/bin/sh as a kernel parameter from your bootloader. This bypasses all of your system's startup scripts and dumps you to a shell on your root FS. From there, a simple passwd root and you can reset your password.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?