Retrieving Passwords on "forgotten" machines

TobiWan

Hi there,

I have a huge problem. :roll:

A customer is running two Linux servers which have been administered by someone who is not available anymore. I don't know the reasons but I guess it's something personal so I am not obliged to investigate the backgrounds.

Anyway, the Linux servers are like blackboxes because nobody can't login. One of them is mission critical since it controls the internet access and manages internal dns and dhcp.

How can I retrieve or at least reset the passwords?

Here are the details:

One of the boxes is some kind of Debian system, I guess it's running woody. The other one is running an old release of the eSmith SME server.

I guess I can reboot the machines if I have to in order to access them.

None of the two machines has encrypted filesystems I guess.

Can I boot them, running some kind of live CD, say Knoppix or even the Gentoo live disc and chroot everything, reset passwords, add another user with a new password so that I can access the machines using ssh and sudo within the session without risk?

Once I have the root access I have to make a backup of the setups and update the machines if not reinstalling them...

A quick and responsive reinforcement whether my "plan" will work would be very much appriciated.

thanks in advance,
Tobias
_________________
Killing for peace is like fucking for virginity.

magnet · Guru Joined: 16 Mar 2003 Posts: 582 Location: france

it seems the only realistic way to gain control of those servers to me.
go !

_________________
every step aim at glory.

Reverent · n00b Joined: 13 Feb 2003 Posts: 17

when it has an older Kernel you can abuse the ptrace bug and get a root shell :twisted:

I remember another method, where you directly booted into a shell via kernel parameter. So you can put new password there but need to sync hard drive cache manually (sync 2 times to be sure) before leaving coz no daemon running there which do that for you.

magnet · Guru Joined: 16 Mar 2003 Posts: 582 Location: france

something like 'single' has parameter ? this remenber me something.
_________________
every step aim at glory.

secondshadow · Guru Joined: 23 Jun 2003 Posts: 362

I'm pretty sure it is single....though I thought that put it in maintanence(sp) mode (read-only filesystems), though its entirely possible that I'm wrong about that. Anyhow, is there a way to turn OFF that ability btw? I don't like the idea of someone who is linux savy hitting ALT-CTRL-DEL, rebooting the comp, then typing 'linux single' and having access to my computer this way...this thought makes me shudder in horror as it poses a HUGE security risk if linux/lilo were used on a computer that has sensitive information that cannotm under any cirumstances, get off that machine without authorization.

barlad · l33t Joined: 22 Feb 2003 Posts: 673

To answer your first question, the easiest way to go is to reboot your servers and chroot into the root partition to set up a new password. That takes one minute for each... that's assuming you have a cdrom drive on both servers.

As for the second question, that's funny because I am writting a paper for my school about that :p. As far as I know there is NO security for your box if someone has a physical access to it UNLESS you have encrypted your datas. There might be a way to disable the single-user boot ability but who cares? All that you would have to do is to put a cdrom into the drive instead of typing a line at LILO prompt. That or you can just unplug the harddrive (ok... not if you have a protection on your chassis ;p ) and plug it into a machine you own.

To sum it up... if you want security for users that have a physical access to the PC... encrypt your patitions.

Zoltan · Posted: Wed Oct 29, 2003 7:57 pm Post subject:

Zoltan · Posted: Wed Oct 29, 2003 8:00 pm Post subject:

Zoltan · Posted: Wed Oct 29, 2003 8:06 pm Post subject:

celloandy · Posted: Thu Oct 30, 2003 1:50 am Post subject:

Yeah, it seems like using a Knoppix CD would be your best bet. And to scondshadow: it might conceivably be possible to turn off this option, but anyone with a Knoppix CD could do the same thing anyway, unless you encrypted your filesystems, in which case I don't think the 'single' trick would even work anyway.

Also, you said you can't ssh in. Is it just that you don't know the password (in other words, is ssh running?) Because my guess is that ssh is out of date, and there have been a few remotely exploitable ssh bugs that have surfaced in recent months, proof of concept code for at least one of which is available at securityfocus.org. This would get you in just as well as the other methods, and has the added bonus that you could do it without rebooting the machine.

Andrew

bone · Posted: Thu Oct 30, 2003 4:00 am Post subject:

hyper · Posted: Wed Jan 28, 2004 6:11 pm Post subject:

I know i´m floating on the conversation...but here is my suggest:

why don´t you boot up the box with a livecd, mount the hd with the server on a dir, edit the /etc/passwd and change * on the line of the root to nothing
like