Lab46 Wiki

User Tools

Site Tools

You are here: start » user » nbrimme1 » portfolio » break-into-linux
user:nbrimme1:portfolio:break-into-linux

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
user:nbrimme1:portfolio:break-into-linux [2018/09/29 00:12] – [Method 1: GRUB Password] nbrimme1user:nbrimme1:portfolio:break-into-linux [2019/02/22 00:44] (current) – [Method 2: boot to single-user mode] nbrimme1
Line 2: Line 2:
  
 =====Objectives===== =====Objectives=====
-To explore the various methods of breaking into any Linux system that doesn't use //FDE// (**Full Disk Encryption**) through physical access. Also, to examine the procedure of FDE setup and other remediations to prevent this.+  * To explore the various methods of breaking into any Linux system without //FDE// (**Full Disk Encryption**) through physical access. 
 +  * To examine the procedure of setting up FDE and other remediations to prevent this.
  
 =====Prerequisites===== =====Prerequisites=====
Line 10: Line 11:
 =====Procedure===== =====Procedure=====
 ====Method 1: Using /sbin/init to execute a shell==== ====Method 1: Using /sbin/init to execute a shell====
 +[[https://en.wikipedia.org/wiki/Init|Init]] is a process started during bootup that initializes a system. It starts, stops and monitors essential service processes during bootup and shutdown. I will use it to execute a root shell after booting the target system.
   - Power on/reboot the target machine   - Power on/reboot the target machine
     - Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.     - Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.
Line 19: Line 21:
   - Continue booting.   - Continue booting.
  
-DONE! THAT'S ALL FOLKS!+DONE! THAT'S ALL FOLKS!\\
 After the target machine finishes booting, the kernel will detect the hardware and immediately drop you into a root shell. Since the system initialization script '/etc/rc.d/rc.sysinit' was bypassed and **NOT** executed,  After the target machine finishes booting, the kernel will detect the hardware and immediately drop you into a root shell. Since the system initialization script '/etc/rc.d/rc.sysinit' was bypassed and **NOT** executed, 
-we need to remount the root file system and make some changes to make the system more usable.+you need to remount the root file system to make the system more usable: 
-  - Mount the /proc file system: <code:bash>mount /proc</code> You will see an error message complaining that it was already mounted. Ignore it.+  - Mount the /proc file system: <code:bash>mount /proc</code> You will see an error message complaining that it was already mounted. Ignore it.
   - Remount the root file system in read-write mode: <code:bash>mount -o remount,rw /</code>   - Remount the root file system in read-write mode: <code:bash>mount -o remount,rw /</code>
-  - Depending on how the target's file system is laid out, you may need to mount some other file systems. Lets view the file system table: <code:bash>cat /etc/fstab</code> Mount any other needed file systems (Like '/home', '/usr', etc.).+  - Depending on how the target's file system is laid out, you may need to mount some other file systems. Lets view the file system table: <code:bash>cat /etc/fstab</code> Mount any other needed file systems (Like '/home', '/usr', etc.).
   - Do whatever nefarious things you want:   - Do whatever nefarious things you want:
     - **Change the root account password:** <code:bash>passwd root</code>     - **Change the root account password:** <code:bash>passwd root</code>
-    - **PROTIP:** I don't recommend doing this as the next time the real user logs into the system they will notice that their root password has been changed. We need to be super sneaky, secretive, and surreptitious so here's something a little less noticeable:+    - **PROTIP:** I don't recommend doing this. The next time the real user logs into the system they will notice that the root password has been changed and it's **GAME OVER**. We need to be super sneaky, secretive, and surreptitious so here's something a little less noticeable:
       - Simply add another user without modifying the original root password: <code:bash>adduser -D -u 1000 bad-user       - Simply add another user without modifying the original root password: <code:bash>adduser -D -u 1000 bad-user
 passwd bad-user</code> passwd bad-user</code>
-      - Also add the newly created user to the sudoers file. This is also not as noticable as changing the actual root password: <code:bash>visudo+      - Now add the newly created user to the sudoers file. This is also not as noticable as changing the actual root password: <code:bash>vi /etc/sudoers
 bad-user ALL=(ALL) ALL</code> bad-user ALL=(ALL) ALL</code>
-  - Reboot the target machine to make the changes persistent. First run 'sync' a few times to tell the kernel to flush any disk I/O out to the hardware and then 'umount' the mounted file systems in reverse order. +  - Reboot the target machine to make any changes to the file system persistent. 
-  - Once the file systems are all unmounted, you can reboot with either <Ctrl><Alt><Del> or the power switch.+    - Flush any disk I/O to the hardware: <code:bash>sync</code> 
 +    - Unmount any mounted file systems in reverse order: <code:bash>umount</code> 
 +  - Reboot with either <Ctrl><Alt><Del> or the power switch.
 ====Method 2: boot to single-user mode==== ====Method 2: boot to single-user mode====
 +[[https://en.wikipedia.org/wiki/Single_user_mode|Single user mode]] is a start-up mode that boots a multi-user operating system into single superuser. It is often used for diagnoses and triage of a broken or malware-infected system. After booting into single-user mode, a root shell is provided to the user.
   - Power on/reboot the target machine   - Power on/reboot the target machine
     - Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.     - Through a graphical login screen: for a clean reboot just use the shutdown/reboot options in the system menu.
Line 53: Line 58:
   - Insert any live CD and boot the system.   - Insert any live CD and boot the system.
   - Once it boots, login to the LiveCD OS and get a terminal. Become root with <code:bash>su -</code> and mount the file systems as needed.   - Once it boots, login to the LiveCD OS and get a terminal. Become root with <code:bash>su -</code> and mount the file systems as needed.
-===USB Key/initramfs=== 
  
 =====Remediation Methods===== =====Remediation Methods=====
-====Method 1: GRUB Password====+====Method 1: BIOS Password==== 
 +  - Reboot the system and go into the BIOS. Disable booting from anything other than the main disk. 
 +  - Set a BIOS password. This prevents unauthorized changes to the BIOS settings without a password. 
 +  - Set a BIOS Power On password. Now the machine will require a password before powering on. 
 +====Method 2: GRUB Password====
   - In one terminal, run:<code:bash> # grub-md5-crypt</code> and follow the directions.   - In one terminal, run:<code:bash> # grub-md5-crypt</code> and follow the directions.
   - In another terminal, edit the GRUB configuration file inside the '/boot/grub' named either 'menu.lst' or 'grub.conf'.   - In another terminal, edit the GRUB configuration file inside the '/boot/grub' named either 'menu.lst' or 'grub.conf'.
Line 69: Line 77:
   - Now Change the file permissions to prevent viewing and recovery of the GRUB password:   - Now Change the file permissions to prevent viewing and recovery of the GRUB password:
   - Now if you needed to legitimately break into your own machine, you need to press P while inside GRUB to enter the password to edit the boot parameters.   - Now if you needed to legitimately break into your own machine, you need to press P while inside GRUB to enter the password to edit the boot parameters.
-====Method 2:====+====Method 3single-user mode sulogin====
   - Find where your system has its program sulogin with this command:   - Find where your system has its program sulogin with this command:
 <code:bash># which sulogin</code> <code:bash># which sulogin</code>
Line 95: Line 103:
  
 [...]</code> [...]</code>
 +=====Full Disk Encryption====
 +====Loop Device====
 +A small file named **//crypt//** will be created and used to store cryptographic keys needed for booting, hdd encryption, ssh, etc.
 +<code:bash># create empty file 'crypt'
 +dd if=/dev/zero of=/crypt bs=1M count=256
 +# create device node
 +losetup /dev/loop0 /crypt
 +# setup LUKS header
 +cryptsetup -c aes-xts-plain64 --key-size 512 \
 + --hash sha512 --iter-time 5000 \
 + --use-urandom luksFormat /dev/loop0
 +# open file
 +cryptsetup open /dev/loop0 crypt
 +# create filesystem
 +mkfs.ext4 /dev/mapper/crypt
 +# create mountpoint
 +mkdir /mnt/crypt
 +# mount file
 +mount -t ext4 /dev/mapper/crypt /mnt/crypt
  
-====Method 3:==== +... 
-  - Reboot the system and go into the BIOS. Disable booting from anything other than the main disk+ 
-  Set a BIOS password. This prevents unauthorized changes to the BIOS settings without a password. +# unmount file 
-  Set a BIOS Power On password. Now the machine will require a password before powering on+umount /mnt/crypt 
-=====General Remediation Methods==== +# delete mountpoint 
-====Setting up Full Disk Encryption:====+rmdir /mnt/crypt 
 +# close file 
 +cryptsetup close crypt 
 +# delete device node 
 +losetup -d /dev/loop0</code> 
 +====Entire Partition==== 
 +**Note:** /dev/sdb1 will be used as the test partition, 'private' will be its name
 +<code:bash># Create partition  
 +cryptsetup -c aes-xts-plain64 \ 
 + --key-size 512 --hash sha512 \ 
 + --iter-time 5000 --use-urandom /dev/sdb1 
 +# open volume onto device mapper 
 +cryptsetup open /dev/sdb1 private 
 +# create filesystem 
 +mkfs.ext4 /dev/mapper/private 
 +# open mapped device 
 +cryptsetup --type luks open /dev/sdb1 private 
 +# mount encrypted partition 
 +mount -t ext4 /dev/mapper/private /mnt/private 
 + 
 +...
  
-====Other Remediations:====+# unmount 
 +umount /dev/sdb1 
 +# close mapped device 
 +cryptsetup close private</code>
  
 =====References===== =====References=====
user/nbrimme1/portfolio/break-into-linux.1538179937.txt.gz · Last modified: 2018/09/29 00:12 by nbrimme1

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki