So here is the deal... our Unix admin quit. Literally said FU and left. Unfortunately he was the only one in the wheel access group. I have 6 servers all over the country that have ssh only enabled for external connections and 2 servers that are local to the Chicago office. I have an account set up on the test box with wheel access that he also had access to. I am hoping that he used the same password for all of the systems.
I have the root password as well but FreeBSD does not allow ssh as root. I have tried John the Ripper and have not had any luck. I have the passwd file as well as the shadow file and root access to the test system.
Is there any way to get his clear text password without brute forcing? Or any way to use the hash values to log in as him? Seems like you would be able to reverse engineer it via some tool... I know it is designed not to be cracked but I am sure there is a way.
The other option is to fly me to all 6 sites to reset the accounts... (The powers that be will not let any of the local workers plug in a kb/monitor to the boxes to reset it)
All I can find via the search function on this forum and the old forum archives is brute forcing which has been running for about 18 hours with no success... based on the complexity of the root password I think brute forcing it is a waste of my time unfortunately. (root pw is >12 characters containing case changes, numbers, symbols)
Any direction is greatly appreciated.
Thanks in advance...
Thomas
P.S. I know this sounds like an idiot's corner post but I assure you it is not... if any of the admins would like confirmation I will gladly provide my contact info.
Best thing to do is try to find a local privilege escalation exploit. I honestly doubt you will get much help here because it has nothing to do with backtrack and it sounds like a really fishy story.
"The other option is to fly me to all 6 sites to reset the accounts..."
Enjoy your trip!
You should also do some thinking and propose a process by which such passwords get recorded physically when changed and locked in a safe deposit box or office safe, which requires two keys or two employees/managers/executives to access. (Or something along those lines).
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Well there is your company's first mistake.
"I have the root password as well but freebsd does not allow ssh as root."
Uhh I am pretty sure it does allow root login and here is just one link on how to do it.
FreeBSD Direct Root Login with SSH
"Is there anyway to get his clear text password without brute forcing?"
Maybe your company should hire a lawyer if they don't have one yet and put him to work. I am sure something could be worked out even if it is to exhaust the guys money making him retain a lawyer. Childish maybe but it won't be the first or last time it's done.
"(The powers that be will not let any of the local workers plugin a kb/monitor to the boxes to reset it)"
Always my personal favorite, the "Company" wants it done at "all costs" but then they limit what can actually be done.
"ps I know this sounds like an idiots corner post but I assure you it is not... if any of the admins would like confirmation I will gladly provide my contact info."
Not saying it is you said it, but I doubt this one as well.
If the passwords are that important to your company they will either hire the appropriate person(s) to "get the job done" or they will learn a valuable lesson and follow some advice like the above from thorin and start implementing industry best practices in this regard.