57 chroot
  • 10 Nov 2011 22:48:59

What do you do when you forget your root password?

Or someone dies and you need something off their computer?

Your pesky department admin won't give you su permission on your own desktop machine?

Or a roommate leaves a computer around after configuring it and then moving to France?

The fact of the matter is, if you have physical access to a computer, you can do pretty much anything you want; changing the root password is mild compared to drilling a hole through the HDD or throwing it out the window of a moving car. Of course, maybe there is a BIOS lock and you can't boot from anything other than the hard disk (solution: remove the hard disk and put it into another computer). Or maybe all the data is encrypted (who really does that?), which is the one case here that moving the disk doesn't get around, since without the key the root partition is just noise. Or maybe some Titan demasks all inodes for super security. But for most mortals, a live medium and 5 minutes of your time will grant you root access.

What you need

1. An appropriate live medium. My favorite is the System Rescue CD, but pretty much anything will do the trick, like a Gentoo Minimal Live CD. Most of these can be put onto a USB flash drive or booted over the network as well, but live CDs are easy.

2. An extremely basic knowledge of how to manually mount file systems and chroot.

3. Some better method for remembering your new root password, or a bookmark to my webpage.

How you do it

Insert your live medium and boot the machine, pressing whatever key gets you a boot menu or the firmware setup (F1, F2, F10 or F12 on most PCs; holding 'c' on a Mac). One way or another you can get the BIOS to boot your live medium, unless the BIOS is locked and password protected. Often the default boot order already tries something like a CD before the HDD.

Wait for the Live distro to load.

Figure out the layout of the internal HDD. fdisk -l lists the disks and their partitions, and blkid prints each partition's filesystem type (TYPE="ext3", "swap", "crypto_LUKS" and so on), or just do some poking around as I explain elsewhere. Worst case, start mounting devices read-only and looking at the contents until you find one with /etc and /sbin in it: that's the root partition.

Yay, now we know the root partition is /dev/sda3, for example, and blkid (or sloppy trial and error with -t) tells us the filesystem type.

# mkdir /mnt/hack
# mount -t ext3 /dev/sda3 /mnt/hack       (the root partition; match -t to its filesystem)
# mount -t proc none /mnt/hack/proc       (passwd and friends expect /proc to exist)
# mount -o bind /dev /mnt/hack/dev        (device nodes, e.g. the random device used for the password salt)
# chroot /mnt/hack /bin/bash
# source /etc/profile                     (pick up the target's PATH and environment)
# passwd                                  (no old password is asked for; you are root inside the chroot)
# exit
# umount /mnt/hack/dev /mnt/hack/proc /mnt/hack


...and done. Unmount everything, reboot, and the computer is officially yours.
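The whole procedure as one script, as an added example and not something from the original post: it filters blkid output down to partitions that could hold a Linux root, mounts each read-only until one has /etc/shadow and an init, then mounts that one with /proc, /sys and /dev and sets root's password through chpasswd instead of the interactive passwd. The mount point /mnt/hack, the --run switch and the sample blkid lines are assumptions made for illustration; a partition blkid reports as crypto_LUKS is skipped, since that is the encrypted case where the trick stops working.

```shell
#!/bin/sh
# Added example, not from the original post: locate the root filesystem from a
# live medium, chroot into it and reset root's password. Assumes a Linux live
# CD with util-linux (blkid, mount, chroot) and a target that keeps hashes in
# /etc/shadow. /mnt/hack and the sample blkid output below are assumptions.

# Constructed blkid(8) output standing in for a real disk: a vfat boot
# partition, swap, an ext3 root, an ext4 /home, and an encrypted disk.
SAMPLE_BLKID='/dev/sda1: UUID="1234-ABCD" TYPE="vfat"
/dev/sda2: UUID="00000000-0000-0000-0000-000000000002" TYPE="swap"
/dev/sda3: UUID="00000000-0000-0000-0000-000000000003" TYPE="ext3"
/dev/sda4: UUID="00000000-0000-0000-0000-000000000004" TYPE="ext4"
/dev/sdb1: UUID="00000000-0000-0000-0000-000000000005" TYPE="crypto_LUKS"'

# Read blkid lines on stdin and print the devices whose filesystem could be a
# Linux root. Swap, vfat/ntfs and LUKS containers are dropped; LUKS is the
# "all the data is encrypted" case, where no key means no root partition.
candidate_partitions() {
    while IFS= read -r line; do
        case "$line" in
            *'TYPE="ext2"'*|*'TYPE="ext3"'*|*'TYPE="ext4"'*|*'TYPE="xfs"'*|*'TYPE="btrfs"'*)
                printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# A root filesystem is the one carrying the shadow file passwd(1) rewrites
# plus an init; a /home, /boot or /var partition fails this check.
looks_like_root() {
    mnt=$1
    [ -f "$mnt/etc/shadow" ] || return 1
    [ -x "$mnt/sbin/init" ] || [ -x "$mnt/usr/lib/systemd/systemd" ] \
        || [ -x "$mnt/lib/systemd/systemd" ] || return 1
}

# Mount each candidate read-only (no writes until we know what it is), print
# the first one that looks like a root, and leave nothing mounted behind.
find_root_partition() {
    mnt=$1; shift
    for dev in "$@"; do
        mount -o ro "$dev" "$mnt" 2>/dev/null || continue
        if looks_like_root "$mnt"; then
            umount "$mnt"
            printf '%s\n' "$dev"
            return 0
        fi
        umount "$mnt"
    done
    return 1
}

# Mount the root read-write with the pseudo-filesystems a chroot expects,
# set the password non-interactively, then unmount in reverse order.
reset_root_password() {
    dev=$1; mnt=$2; newpass=$3
    mount "$dev" "$mnt"
    mount -t proc none "$mnt/proc"
    mount -t sysfs none "$mnt/sys"
    mount -o bind /dev "$mnt/dev"
    # chpasswd takes "user:password" on stdin and hashes it with the target's
    # own configuration, the same result as running passwd inside the chroot.
    printf 'root:%s\n' "$newpass" | chroot "$mnt" /usr/sbin/chpasswd
    umount "$mnt/dev" "$mnt/sys" "$mnt/proc" "$mnt"
}

# Only touches disks when run as root from the live medium with --run.
if [ "${1:-}" = "--run" ] && [ "$(id -u)" -eq 0 ]; then
    mnt=/mnt/hack
    mkdir -p "$mnt"
    set -- $(blkid | candidate_partitions)
    root=$(find_root_partition "$mnt" "$@") \
        || { echo "no root partition found among: $*" >&2; exit 1; }
    echo "root filesystem is $root"
    printf 'New root password: '; stty -echo; read -r newpass; stty echo; echo
    reset_root_password "$root" "$mnt" "$newpass"
    echo "done; reboot into the hard disk"
fi
```

Run it as root from the live environment with --run; without that switch it only defines the functions, so the partition filter and the root-detection check can be exercised against a scratch directory first. The read-only probing mounts mean a wrong guess (say, mounting /home or a swap-like partition) changes nothing on the disk.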

I've never tried whether this works on Mac OS, but Linux doesn't read HFS+ so well, so if you try to write anything out you'll probably just corrupt a ton of inodes. You can still mount the Mac partition read-only and look at anything you want. I suspect that with an Apple Live CD and just a Terminal you can do pretty much the same thing, but my MacBook died, so I can't try... for now (and the root user is not enabled by default).

Some people told me I shouldn't publish this information on cracking root passwords; given that I divined these tricks merely by doing Gentoo installs and putting two and two together, I think it's probably okay. It's interesting that people think passwords do very much at all...

