I'm sorry, but I think it's very unlikely that this is a corrupted file or a bad burn.
If you think about what a live image has to go through before it even reaches the point of dropping you at a hash prompt (loading the kernel image and miniroot, uncompressing and mounting the squashfs root filesystem, going through the init scripts, and eventually hauling the vast reptilian bulk of KDE off the filesystem and into main memory after you've typed "startx"), I really think a corrupt download or a duff burn would have already presented themselves with far worse symptoms than something as trivial as a changed root password (refusals to boot, kernel panics, or filesystem corruption errors).
I've just booted off my copy of bt4-final.iso, and run "sshd-generate" (to generate a set of ssh host keys), followed by "/etc/init.d/ssh start" (to start the ssh daemon) and finally "ssh root@localhost". The password "toor" doesn't work. A quick check of /etc/ssh/sshd_config shows that PermitRootLogin is set to yes, so that's not the problem.
Typing "passwd root" (to change the root password) and setting it to something else and then trying again to ssh to localhost means I can log in successfully using my new password.
This pretty well proves that the root password on the live image isn't "toor".
Finally, because I'm absent-minded and I didn't think to save my /etc/shadow and /etc/passwd before changing root's password, I rebooted off the live image again and used John The Ripper to break the password.
For those interested in keeping track, here's a copy/paste of the steps:
Code:
root@bt:~# cd /pentest/passwords/jtr
root@bt:/pentest/passwords/jtr# ./unshadow /etc/passwd /etc/shadow | egrep ^root >p
root@bt:/pentest/passwords/jtr# cat p
root:U6aMy0wojraho:0:0:root:/root:/bin/bash
root@bt:/pentest/passwords/jtr# ./john p
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
(root)
guesses: 1 time: 0:00:00:00 100% (2) c/s: 12471 trying: 12345 - boomer
root@bt:/pentest/passwords/jtr#
OK, so John cracked the password in no time at all, but there's no password shown... hmm...
OK, so testing a theory, here's a C program that I quickly bodged together:
Code:
root@bt:~# cat foo.c
#define _XOPEN_SOURCE   /* expose crypt() from <unistd.h> */
#include <unistd.h>
#include <stdio.h>
int main(void) {
    /* hash the empty string with the two-character DES salt "U6" taken from root's hash */
    printf("%s\n", crypt("", "U6"));
    return 0;
}
root@bt:~# gcc foo.c -lcrypt -o foo
root@bt:~# ./foo
U6aMy0wojraho
root@bt:~#
Note the output of my program (U6aMy0wojraho) matches root's password hash shown in the JTR phase above.
This pretty well shows that the root password on the live image is a zero-length string, not "toor".
If you check around on the site, you should find the mods and developers saying in about a hundred different threads that "toor" is the password that is set by the installer; it's not what's used by the live image.
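As an added audit script (not from the post): given shadow(5) text, it flags every account whose hash field is empty or equals crypt("", salt), which is the check the post does by hand for root's U6aMy0wojraho. It assumes CPython's crypt module (stdlib through 3.12) over a glibc-style crypt(); the sample shadow lines are constructed.

```python
try:
    import crypt  # CPython stdlib up to 3.12 (removed in 3.13); wraps the C library's crypt()
except ImportError:
    crypt = None

# Constructed sample shadow(5) content, not taken from a real system. root reuses the
# DES hash from the post (salt "U6", hash of the empty string); the others are locked
# (* or !), have no hash field at all, or carry a placeholder SHA-512 style hash.
SAMPLE_SHADOW = """\
root:U6aMy0wojraho:14500:0:99999:7:::
daemon:*:14500:0:99999:7:::
guest::14500:0:99999:7:::
alice:$6$SALTSALT$placeholderhashnotarealone:14500:0:99999:7:::
bob:!:14500:0:99999:7:::
"""

def salt_of(hash_field):
    """Salt/settings prefix crypt() needs to recompute hash_field: $id$...$ or the two DES chars."""
    if hash_field.startswith("$"):
        return hash_field.rsplit("$", 1)[0] + "$"
    return hash_field[:2]

def empty_password_accepted(hash_field):
    """True if the field is empty, or if crypt('', salt) reproduces the stored hash."""
    if hash_field == "":
        return True
    if hash_field[0] in "*!" or crypt is None:
        return False  # locked account, or no crypt() available to recompute
    try:
        return crypt.crypt("", salt_of(hash_field)) == hash_field
    except (OSError, ValueError):
        return False  # hash type not supported by this libc (e.g. DES disabled)

def audit_shadow(text):
    """Return {user: reason} for every account that would accept an empty password."""
    findings = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, hash_field = line.split(":", 2)[:2]
        if hash_field == "":
            findings[user] = "empty hash field"
        elif empty_password_accepted(hash_field):
            findings[user] = "hash matches crypt('', salt)"
    return findings

if __name__ == "__main__":
    for user, why in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {why}")
```

Run it against a copy of /etc/shadow saved from the live image before changing root's password; root is reported only when the local libc still supports traditional DES hashes.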