The how-to I’m posting here was tested on an Ubuntu 10.04 installation, but it works on any Linux distribution whose boot loader lets you edit the kernel command line at boot time (GRUB, LILO and the like). Since Ubuntu ships GRUB as its standard boot loader, this tutorial uses GRUB, but as I said the method itself is universal.
To be clear: the tutorial shown here does not let you break into somebody’s PC remotely. It is a local attack, which means you have to be in front of the actual box whose password you want to reset. It makes sense if you have lost your own password or need to get into an old box whose password nobody remembers.
Get root on Ubuntu
Press the power button of the computer and, while it starts, hold Shift (or keep tapping the arrow keys) so that the GRUB selection menu shows up instead of being skipped:
Put the cursor on your Ubuntu installation (probably the one at the top) and press ‘e’; this brings you to the editor view. There put the cursor at the end of the line that starts with ‘linux’ and append
init=/bin/bash
Then press Ctrl-x to boot with the edited entry. The edit is not saved to disk, it only applies to this one boot.
What we have just done is tell the kernel to run /bin/bash as init instead of the normal init program. The kernel starts init as process 1 with user ID 0 and never asks for a password, so what you get is a root shell. Congratulations, you are now root, which means you have the highest privileges that exist on that box (on Windows the equivalent would be an ‘Administrator’ account).
What about writing privileges?
You’ll soon notice that even though you are root you cannot write anything to the filesystem. That’s because the kernel mounted the root filesystem ‘ro’ (read only) and, with bash as init, no boot script ran to remount it. In order to be able to write you have to remount it yourself with this command:
mount -o remount,rw /
The command means: remount the root filesystem ( / ) read-write (rw).
From here on watch out: you are root on a writable filesystem, and a single wrong command can wreck the whole system. There is no undo, so back up every file before you touch it.
Recovering the password
Change directory to ‘/etc’:
cd /etc
Make a backup copy of the shadow file:
cp shadow shadow.bak
The shadow file is where the password hashes of all users are stored; the backup lets you put the old hashes back with ‘cp shadow.bak shadow’ if something goes wrong. Now you can change the password of any user you want. I’ll take “philipp” as my example user:
passwd philipp
[Enter password you want]
[Enter again the same password]
As you can see, after you execute ‘passwd philipp’ the program asks you twice for the new password. While typing, the field stays blank, no ‘****’ or anything else appears; just confirm with the ‘Enter’ key on your keyboard. If passwd instead complains about an ‘Authentication token manipulation error’, the filesystem is still read only and you skipped the remount above. Otherwise, yippee, you just did it: the account now has the password you typed. Strictly speaking you did not recover the lost password, you replaced it, which is all you need to get back in.
Exiting to the normal mode
You certainly want your shiny window manager with its login screen back. Here is how you should shut the box down after this whole process:
mount -o remount,ro /
This command remounts the root filesystem read only, which also flushes every pending write to disk. There is no init running in this shell, so the usual ‘reboot’ command has nobody to talk to; now that the filesystem is read only again it is safe to simply hold the power button until the computer shuts down.
Login with the recovered password
After the shutdown, power up your computer again and boot your Ubuntu installation as you normally do. Once the login screen shows up, select the user and enter the password you just set. Success!
Troubles
During account creation Ubuntu offers to encrypt the home directory (with ecryptfs). If the user took that option and you want to recover the password, the whole thing gets trickier: ecryptfs keeps the real mount passphrase wrapped with the login password, and passwd only rewrites the hash in the shadow file, so after a reset the login itself succeeds but the decrypted home is not mounted and all the user’s files stay inaccessible. The only thing you can do is, while you have the root shell, read the user’s password hash out of the shadow file (with, let’s say, nano) and try to crack it. Ubuntu stores salted SHA-512 crypt hashes (the field starts with ‘$6$’), so rainbow tables are useless here; you need a cracker such as John the Ripper or hashcat with a word list or brute force, and whether that succeeds depends entirely on how strong the password was. If you already ran passwd, the old hash is still in shadow.bak, which is one more reason for that backup. Once you have cracked the hash you know the original password and can log in normally.
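To see what you are actually dealing with once you have read the hash out of the shadow file, here is a small shell script, added to this post as an example and not part of the original tutorial, that takes a shadow file and a user name and reports the crypt scheme and salt of that user’s entry. The file path and user name are parameters; the shadow file it writes for the demonstration is constructed with dummy hashes, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the original post. Reports the crypt(3) scheme
# and salt of one user's entry in a shadow-format file. Works on a real
# /etc/shadow (run as root); make_sample_shadow writes a constructed file
# with dummy hashes so the script can be tried anywhere.

shadow_hash_info() {
    file=$1
    user=$2
    # Second colon-separated field of the matching line is the hash field.
    field=$(awk -F: -v u="$user" '
        $1 == u { found = 1; print $2; exit }
        END     { if (!found) exit 3 }' "$file") \
        || { echo "no entry for $user"; return 1; }
    case "$field" in
        '')        echo "empty (no password required)"; return 2 ;;
        '*'*|'!'*) echo "locked (no usable hash)";       return 2 ;;
        '$6$'*)    algo=sha512crypt ;;
        '$5$'*)    algo=sha256crypt ;;
        '$1$'*)    algo=md5crypt ;;
        '$'*)      echo "unknown scheme: $field"; return 3 ;;
        *)         # Legacy DES crypt: 13 characters, the first two are the salt.
                   echo "descrypt salt=$(printf '%s' "$field" | cut -c1-2)"
                   return 0 ;;
    esac
    # Modular format is $id$salt$hash, or $id$rounds=N$salt$hash for SHA-crypt.
    salt=$(printf '%s' "$field" | cut -d'$' -f3)
    case "$salt" in
        rounds=*) rounds=${salt#rounds=}
                  salt=$(printf '%s' "$field" | cut -d'$' -f4)
                  echo "$algo rounds=$rounds salt=$salt" ;;
        *)        echo "$algo salt=$salt" ;;
    esac
}

# Writes a constructed shadow file (dummy hashes, not real credentials) to $1.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$Yx9Qw1ab$dummyhashdummyhashdummyhashdummyhash:15000:0:99999:7:::
philipp:$6$rounds=65536$abcdefgh$dummyhashdummyhash:15000:0:99999:7:::
oldbox:$1$saltsalt$dummymd5hash:12000:0:99999:7:::
legacy:aBcdefghijklm:11000:0:99999:7:::
daemon:*:15000:0:99999:7:::
guest::15000:0:99999:7:::
EOF
}

# Demo on the constructed file ("nobody" has no entry on purpose).
sample=$(mktemp)
make_sample_shadow "$sample"
for u in root philipp oldbox legacy daemon guest nobody; do
    printf '%-8s %s\n' "$u" "$(shadow_hash_info "$sample" "$u")"
done
rm -f "$sample"
```

From the root shell you would run it against the real file with ‘shadow_hash_info /etc/shadow philipp’. The salt in the output is exactly why rainbow tables do not apply: a table would have to be built per salt, which is no cheaper than cracking the hash directly.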
How to protect yourself against this attack
As mentioned in ‘Troubles’, resetting the password does not hand over the data if the user’s home directory is encrypted. So encrypt your home directory and choose a long password with special characters, so that the hash cannot be cracked in any reasonable time. That still leaves the root shell itself: whoever boots your box this way can read every unencrypted file and install whatever they like. To stop the GRUB trick, set a GRUB password so that the menu cannot be edited without it, and set a BIOS password with the boot order locked to the internal disk, because otherwise a live CD or USB stick gets to the same root shell without touching GRUB at all. If you are really paranoid you can encrypt the whole filesystem, but you’ll have to accept that everything gets a bit slower, and if you lose the passphrase you can say goodbye to all your data.
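To check whether a box actually has these protections in place, here is a small audit script, added as an example and not from the original post. Each check takes the path it inspects as a parameter (the generated grub.cfg, the user’s home directory, /etc/crypttab), so it runs against a real system as well as against the constructed sample files it creates for the demonstration; the superuser name ‘admin’ and the GRUB hash in those samples are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: audits the protections the
# text recommends. Every check takes the path it inspects as a parameter, so
# it can run against a real system or, as in the demo, against constructed
# sample files. "admin" and the grub hash in the samples are placeholders.

# GRUB 2 only refuses to let an unauthenticated user edit a menu entry when
# grub.cfg defines a superuser and a password (set via /etc/grub.d/40_custom
# and compiled in by update-grub).
grub_menu_protected() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" \
        && grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1"
}

# Ubuntu's encrypted home (ecryptfs) leaves .ecryptfs and .Private in the
# user's home; the cleartext is only reachable with the mount passphrase,
# which is wrapped with the login password, not with the shadow hash.
home_encrypted() {
    [ -e "$1/.ecryptfs" ] || [ -e "$1/.Private" ]
}

# Full-disk encryption shows up as at least one non-comment mapping in
# /etc/crypttab.
disk_encrypted() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# Prints one line per check; returns 0 only if all three protections hold.
audit() {
    cfg=$1 home=$2 crypttab=$3
    ok=0
    if grub_menu_protected "$cfg"; then r=yes; else r=no; ok=1; fi
    echo "grub menu password: $r"
    if home_encrypted "$home";     then r=yes; else r=no; ok=1; fi
    echo "encrypted home:     $r"
    if disk_encrypted "$crypttab"; then r=yes; else r=no; ok=1; fi
    echo "encrypted disk:     $r"
    return $ok
}

# Constructed sample tree under $1: a default install next to a hardened one.
make_sample_tree() {
    d=$1
    printf 'set timeout=10\nmenuentry "Ubuntu" {\n\tlinux /vmlinuz root=/dev/sda1 ro quiet\n}\n' \
        > "$d/grub-default.cfg"
    printf 'set superusers="admin"\npassword_pbkdf2 admin grub.pbkdf2.sha512.10000.DUMMYSALT.DUMMYHASH\nset timeout=10\n' \
        > "$d/grub-hardened.cfg"
    mkdir -p "$d/home-plain" "$d/home-ecryptfs/.ecryptfs"
    : > "$d/crypttab-empty"
    printf '# <target> <source> <key file> <options>\nsda5_crypt UUID=0000-dummy none luks\n' \
        > "$d/crypttab-luks"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
echo "--- default install"
audit "$demo/grub-default.cfg" "$demo/home-plain" "$demo/crypttab-empty" || true
echo "--- hardened install"
audit "$demo/grub-hardened.cfg" "$demo/home-ecryptfs" "$demo/crypttab-luks"
rm -rf "$demo"
```

On a real machine call ‘audit /boot/grub/grub.cfg /home/philipp /etc/crypttab’ as root. To make the first check pass, generate a hash with ‘grub-mkpasswd-pbkdf2’, put ‘set superusers="admin"’ and ‘password_pbkdf2 admin <that hash>’ into /etc/grub.d/40_custom and run ‘update-grub’; GRUB will then ask for that password before it lets anyone press ‘e’. Keep in mind that the script only inspects configuration: it cannot tell you whether the BIOS is locked against booting from a CD or USB stick.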