Resetting root password without login

[xX_Spiidey_Xx]

Alright folks, let's say you've lost your root password, or simply cannot log in as root after a hard drive install, and have no privileged users on your system. I'm about to show you how to get back in the game as root with a quick and dirty password-change hack.

For this tutorial, everything that is italicized is a user action. Anything in <angle brackets> is a keystroke. If it has a + beside it, it means press the keys at the same time.

// Changing the root password:

= - = - = - = - = - = - = - = - = - = - =

Reboot your computer. Wait for the grub screen... Press <ESC> when you're prompted.

Highlight the first option.

Press <e>.

Highlight the kernel line.

Press <e>.

Press <TAB>. You'll get an error message.

Press <ESC>.

Press <e> again.

Using your arrow keys, scroll back and change ro to rw

At the end of the line add: init=/bin/bash

Press <Enter>

Press <b>

Type at the prompt: passwd root

Enter the new password twice.

Press <CTRL>+<d> to cause a nice Kernel Panic. This will cause your system to hang.

Press and hold your power button till it shuts down. Power back up and let it boot into BackTrack normally.

Log in as root with your new password.

[Snayler]

Alright folks, let's say you've lost your root password, or simply cannot log in as root after a hard drive install, and have no privileged users on your system. I'm about to show you how to get back in the game as root with a quick and dirty password-change hack.

This could be considered an exploit to gain root privileges, right?
As a possible counter-measure, one could enable BIOS password, so that grub will only appear after the password prompt.

Thanks for sharing, xX_Spiidey_Xx.

[lordplagueis]

uhoh this should be fixed a thief or nosy person can view your files with this vunerability

[lupin]

uhoh this should be fixed a thief or nosy person can view your files with this vunerability

Pretty much every Operating System I can think of can be accessed in this way* if the attacker has physical access to the box. And you don't even need to reset a password, you can access the files directly by using an alternative OS and mounting the hard drive. The only way to "fix" a problem like this is to encrypt the locally stored files...

EDIT: * When I say "this way", I actually meant by resetting the administrative/super user password. Obviously this exact method wont work on a Windows box, but there are alternative ways by which a Windows Administrator account can have its password changed locally without logging on. Ditto for other Operating Systems.

Also, since physical access to the box is required for this method, physically securing the box will also work to provide security, as an alternative to encryption.

[skinnypuppy]

To disable the xX_Spiidey_Xx hack so that you buddies don't pwn you with this little xploit, do the following:

1.) From a terminal type "grub-md5-crypt" <enter>
2.) Enter a password for the grub menu
3.) Re-enter your password

This will generate an md5 hash of that password.

4.) Type "nano /boot/grub/menu.lst" <enter>

You are looking for this entry:

## timeout sec
# Set a timeout, in SEC seconds, before automatically booting the default entry
# (normally the first entry defined).
timeout 3

Add the following line right below it:
password --md5 <hash> (replace the <hash> with the md5 hash that was generated, copy and
paste if you must)

5.) Hit <ctl & o> to write out the file to menu.lst
6.) Hit <ctl &x> to exit

Now when you reboot, hitting <esc> at Grub boot will present the kernel options but you will need to type the letter p to enter a password before passing any args to the kernel.

Again, it's all useless if one can access your system with an alternative method (LiveCD, etc..) as Lupin stated and setting BIOS password is pointless as there are lists all over of backdoor passwords for Phoenix, AMI, Award, etc.. not too mention removing the battery, changing jumpers on the motherboard...

The only way to be safe is to encrypt.

[xX_Spiidey_Xx]

@ Snayler: Yes, absolutely. Physical access to machines is the first place I'd look to get into them. THEN I'd aim for remoteness. So yes, a BIOS password would be an efficient deterrant, but bear in mind that BIOS passwords can be dumped quite easily (CMOS battery anybody?).

@ lupin: Yup, as far as I know, this method, or quite similar can be used to root any *nix box out there.

@ skinnypuppy: Glad you posted a band-aid; when I wrote this tut I hadn't thought of the scare it could put into people.

Again, folks, the only "real" way to secure your computers is to keep them under lock and key, and for even greater security, unplugged. There are ways to change any user's passwords on a *nix box just by booting live. Encrypting your disk is one of the best ways to secure your software, but bea in mind that there are several forensics tools offer disk and hash decryption as well.

[Snayler]

@ Snayler: Yes, absolutely. Physical access to machines is the first place I'd look to get into them. THEN I'd aim for remoteness. So yes, a BIOS password would be an efficient deterrant, but bear in mind that BIOS passwords can be dumped quite easily (CMOS battery anybody?).

Yes, i know. Thanks for pointing that out, though. I forgot to mention it and others might not know. Sorry about that.

[Big-Blue]

Between, this helped me to 'recover' my password, so thank you ;D

[Noble_Hikikomori]

...and setting BIOS password is pointless as there are lists all over of backdoor passwords for Phoenix, AMI, Award, etc.. not too mention removing the battery, changing jumpers on the motherboard...

The only way to be safe is to encrypt.

Adding a BIOS password is not exactly pointless, not only does it provide another layer of defense but may actually stop some perpetrators in their tracks. I knew this little detail could be worked around somehow but never did it cross my mind, it seemed to be the ultimate physical access defense. Out of curiosity, is the only workaround hardware mods? If so, then just lock up the box.

[dmshady001]

Guess I don't everyone's hardware resources.... so I might I go about popping the CMOS battery in a VM?