How to recover a lost Linux root or Windows 2000 Administrator password

In short, you can't easlily recover the password, you need to change it.

(Note that this is not intended as a "How to hack into a computer" lesson. Following these instructions on a system on which you shouldn't doesn't make you l33t, it makes you a script kiddie. Nobody likes weenies.)

Fear not, brave user! the solution is not as difficult as you may imagine.

To get around a lost Windows 2000 Administrator password:
(This also works for Windows NT 4.0)

You need to get hold of a specialized Linux boot disk. Don't let this part put you off, they're easy to find on the net. These disks contain support for both VFAT32 and NTFS partitions, and an automated script and utilities to alter the password file with a new password. Early versions had difficulty handling the obfuscator that Windows 2000 employs for its password hashes. Make sure you find a recent one. A quick search on your favorite search engine ought to provide a starting point. As a reference, finding one when I last needed it took around five minutes.

To get around a lost Linux root password:

You must have access to the console for this to work. Follow these steps:

• Power off the system
• Power on the system, wait for the LILO/SILO/MILO prompt (platform dependent)

• At the prompt, type <kernel> 1 (where <kernel> is the label you use to boot linux normally) and thus boot to single user mode.
• In single user mode, linux never used to prompt for the superuser password. If this is the case with your system, simply use mount -o remount -n / and then use the passwd command to change the superuser password.

• At the prompt, type in <kernel> init=/bin/sh (where <kernel> is the label you use to boot linux normally).
• Once the system dumps you at a "# " prompt, type: mount -o remount -n /
• echo root2:x:0:0:::: >> /etc/passwd
• echo root2:::::::: >> /etc/shadow
• sync
• Power cycle the system.
• Once the system has booted, log in as root2 (you shouldn't be prompted for a password) and use the command passwd root to change the root pasword, then userdel to remove the root2 user.
• Problem solved.

There are of course many variations on the linux version. For example, you could edit /etc/shadow directly. This requires knowledge of text editors such as ed (most of the time, you won't have a normal terminal when you boot like this and vi won't work!) which may or may not be an unreasonable expectation. YMMV.

• Open your favourite editor (such as vi) and open /etc/LILO.conf
  (00100 points out that this may be /etc/lilo.conf on some distributions - e.g. his Red Hat 7.1 dist. - and reminds us that unix filenames are case-sensitive)
• Add a new line, after the first line, and type Restricted blog, where "blog" is the password you wish to use to restrict it.
• Type lilo at the prompt, to execute the /etc/LILO.conf file.

Actualy, encryption the entire hard disk will stop anyone from acessing the drive without authorization. Software encryption is possible, it tends to eat up system resources and slow the machine down considerably. It also tends to use a weaker encryption to speed things up, thus its not as secure as it could be. To be totaly secure, you need a hardware encryption module.

Such a device usualy takes the form of a card which plugs into an IDE, SIDE, or SCSI port and has an identical interface on the oposite side. The drive cable is then plugged into the card. All information going into the drive is passed through the encryption system on the card, shifting the actual bits around as they are written to the disk. The disk, if removed from the card, is useless because all of its contents are encrypted, even the file system.

To acess the drive, you must use an encryption card identical to the one the disk was written to with and have the same security key used to write to the disk. The security key can take many forms, usualy a USB pen drive with a large "password" which is the key to the encrypition algorythim. The security key may also use a propriatary connection, other than USB.

The only way to bypass this system is to employ brute force. This means using trial and error to attempt to find the key. This will usualy take a very long time because keys tend to be hundreds of bytes.

I own a networking business in Colorado, and this comes up every so often.

We had one instance where a company was going to fire their network admin (for pirating software and downloading gigs of porn on company time, plus telling the owner that he couldn't be fired because he was not replacable). We were called in to prep for the firing, and we needed to get the password sets for the company.

If you can still find it online, I like using a free floppy disk tool called LinNT, which basically does the above steps using a quick automated process. This does not always work, however. We went to the workstation where the employee did his thing, and used a nifty tool from http://www.loginrecovery.com/. There is a free method, but we opted for the paid version, which gave us all the passwords to each of the accounts he used on his computer in less than three minutes.

We installed Spectre Pro, a program that logs and records everything, including screenshots, emails and chats.

I asked the owner to give the employee a series of tasks, which required logging in to different devices, such as the Cisco routers and switches. We ended up capturing his pirating and porn activities, and found out he was cheating on his wife with two women, but that was beyond our professional scope.

Well, he was fired, and he stormed out saying the owner "would be sorry". He did attempt to sabotage the network, but we had already changed the passwords. He tried to get in from his home DSL connection, but he was blocked. They now have a professional administrator, and we helped screen the applicants.

To prevent people from breaking in to machines using these methods, move the hard drive to the first boot device, and if your BIOS supports it, remove the floppy and CD from the bootable devices. Put a BIOS password on the machines. If needed, you can chage them back when you have to boot using removable media.