user:nbrimme1:portfolio:break-into-linux

user:nbrimme1:portfolio:break-into-linux [2018/08/11 20:44]
nbrimme1 [Procedure]
user:nbrimme1:portfolio:break-into-linux [2018/09/28 20:12] (current)
nbrimme1 [Method 1: GRUB Password]
Line 9: Line 9:
  
 =====Procedure===== =====Procedure=====
-  ​- Power on/reboot the target ​computer+====Method 1: Using /sbin/init to execute a shell==== 
 +  ​- Power on/reboot the target ​machine 
 +    - Through a graphical login screen: for a clean reboot just use the shutdown/​reboot options in the system menu. 
 +    - Through a Textual User Interface: switch to a text console with <​Ctrl>​-<​Alt>​-<​Del>​. 
 +    - If all else fails, press the Reset button or power cycle the target machine. 
 +  - Press/hold the <​Escape>​ key as soon as you see the GRUB splash screen.
   - At the grub prompt, press '​e'​ to edit    - At the grub prompt, press '​e'​ to edit 
-  - While still inside grub, add "​init=/​bin/​bash"​ to the end of the "​kernel"​ line+  - While still inside grub, add "​init=/​bin/​bash"​ to the end of the "​kernel"​ line: <​code:​bash>​kernel=/​vmlinuz-<​version>​ [...parameters...] init=/​bin/​bash</​code>​
   - Continue booting.   - Continue booting.
  
-DONE! THAT'S ALL FOLKS! ​This drops you into a root shell after the target machine finishes bootingFrom there, we need to remount the root filesystem so we can make changes to it+DONE! THAT'S ALL FOLKS! 
-<code:cli>mount -o remount,rw / +After the target machine finishes booting, the kernel will detect the hardware and immediately drop you into a root shell. Since the system initialization script '/​etc/​rc.d/​rc.sysinit'​ was bypassed and **NOT** executed 
-passwd root</​code>​ +we need to remount the root file system and make some changes to make the system more usable.
- +  - Mount the /proc file system: ​<code:bash># mount /​proc</​code>​ You will see an error message complaining that it was already mounted. Ignore it. 
-**PROTIP:** I don't recommend doing this as the next time the real user logs into the system they will notice that their root password has been changed. We need to be super sneaky, secretive, and surruptitious ​so here's something a little less noticable+  - Remount the root file system in read-write mode: <​code:​bash>mount -o remount,rw /</​code>​ 
-  - Simply add another user without modifying the original root password: <code:cli>adduser -D -u 1000 bad-user+  - Depending on how the target'​s file system is laid out, you may need to mount some other file systems. Lets view the file system table: <​code:​bash>#​ cat /​etc/​fstab</​code>​ Mount any other needed file systems (Like '/​home',​ '/​usr',​ etc.). 
 +  - Do whatever nefarious things you want: 
 +    - **Change the root account password:** <​code:​bash>​passwd root</​code>​ 
 +    ​- ​**PROTIP:** I don't recommend doing this as the next time the real user logs into the system they will notice that their root password has been changed. We need to be super sneaky, secretive, and surreptitious ​so here's something a little less noticeable
 +      - Simply add another user without modifying the original root password: <code:bash>adduser -D -u 1000 bad-user
 passwd bad-user</​code>​ passwd bad-user</​code>​
-  ​- Also add the newly created user to the sudoers file. This is also not as noticable as changing the actual root password: <code:cli>visudo+      ​- Also add the newly created user to the sudoers file. This is also not as noticable as changing the actual root password: <code:bash>visudo
 bad-user ALL=(ALL) ALL</​code>​ bad-user ALL=(ALL) ALL</​code>​
-  - Reboot the target machine to make the changes persistent: <code:cli>​reboot</​code>​+  - Reboot the target machine to make the changes persistent. First run '​sync'​ a few times to tell the kernel to flush any disk I/O out to the hardware and then '​umount'​ the mounted file systems in reverse order. 
 +  - Once the file systems are all unmounted, you can reboot with either <​Ctrl><​Alt><​Del>​ or the power switch. 
 +====Method 2: boot to single-user mode==== 
 +  - Power on/reboot the target machine 
 +    - Through a graphical login screen: for a clean reboot just use the shutdown/​reboot options in the system menu. 
 +    - Through a Textual User Interface: switch to a text console with <​Ctrl>​-<​Alt>​-<​Del>​. 
 +    - If all else fails, press the Reset button or power cycle the target machine. 
 +  - Press/hold the <​Escape>​ key as soon as you see the GRUB splash screen. 
 +  - At the grub prompt, press '​a'​ to modify the kernel parameters. 
 +  - Add a space and the letter '​S'​ (lower or upper case) to the end of the kernel parameters line:<code:bash>kernel=/​vmlinuz-version ro root=LABEL=/​ [...other-parameters...] S</​code>​ 
 +    - Sometimes there may still be some mysterious failures in single-user mode, because of **Security-Enhanced Linux policy enforcement**. In that case, add another boot parameter before the '​S':<​code:​bash>​enforcing=0</​code>​ 
 +  - Now press <​Enter>​ to boot with the newly added parameter. 
 +====Method 3: Boot a LiveCD/USB Key/​initramfs OS==== 
 +===LiveCD=== 
 +  - Power off the target machine 
 +    - Through a graphical login screen: for a clean reboot ​just use the shutdown options in the system menu. 
 +    - Through a Textual User Interface: switch to a text console with <​Ctrl>​-<​Alt>​-<​Del>​. 
 +    - If all else fails, press the Reset button or power cycle the target machine. 
 +  - Press/hold the <​Escape>​ key to enter BIOS/UEFI  
 +  - Insert any live CD and boot the system. 
 +  - Once it boots, login to the LiveCD OS and get a terminal. Become root with <​code:​bash>​su -</​code>​ and mount the file systems as needed. 
 +===USB Key/​initramfs=== 
 + 
 +=====Remediation Methods===== 
 +====Method 1: GRUB Password==== 
 +  - In one terminal, run:<​code:​bash>​ # grub-md5-crypt</​code>​ and follow the directions. 
 +  - In another terminal, edit the GRUB configuration file inside the '/​boot/​grub'​ named either '​menu.lst'​ or '​grub.conf'​. 
 +  - Add a new line directly below the '​timeout'​ line:<​code:​bash>​ 
 +# ... comments above ... 
 +default=0 
 +timeout=5 
 +password --md5 5f3782baec534bae412c27fc0850fc6d 
 +spashimage=(hd0,​0)/​grub/​splash.xpm.gz 
 +hiddenmenu 
 +......</​code>​ 
 +  - Now Change the file permissions to prevent viewing and recovery of the GRUB password:<​code:​bash>​chmod 600 /​boot/​grub/​menu.lst 
 +## or ## 
 +chmod 600 /​boot/​grub/​grub.conf</​code>​ 
 +  - Now if you needed to legitimately break into your own machine, you need to press P while inside GRUB to enter the password to edit the boot parameters. 
 +====Method 2:==== 
 +  - Find where your system has its program sulogin with this command: 
 +<​code:​bash>#​ which sulogin</​code>​ 
 +  - This will force users to enter the root password to get a shell when booting into single-user mode. This is done by requiring sulogin to get into single-user mode.  
 +    - To have the system boot up to its default run state (with the login prompt) type <​Ctrl-D>​ 
 +  - This remedy depends on what is running; traditional init, Upstart or systemd 
 +  - Look at your file a/​etc/​inittaba and see if it contains a line specifying the sysinit action. 
 +    - If that file contains a line similar to: <​code:​bash>​si::​sysinit:/​etc/​rc.d/​rc.sysinit</​code>​ then you have traditional init. 
 +    - In this case, leave that line alone and add a new line:<​code:​bash>#​ System initialization 
 +si::​sysinit:/​etc/​rc.d/​rc.sysinit 
 +ss:​S:​respawn:/​sbin/​sulogin #​ added line</​code>​ 
 +    - If that file is mostly comments with just one line specifying initdefault or even missing, and you have a directory /etc/init, then you have Upstart for init. In this case: 
 +      - If /​etc/​sysconfig/​init exists, modify '/​etc/​sysconfig/​init'​ and change: <​code:​bash>​SINGLE=/​sbin/​sushell</​code>​ to this: <​code:​bash>​SINGLE=/​sbin/​sulogin</​code>​ 
 +      - If there is no '/​etc/​sysconfig/​init',​ this file (located in /​etc/​init/​rcS.conf) prevents the booting to single-user mode:<​code:​bash>​start on runlevel S 
 +stop on runlevel [!S] 
 + 
 +console owner 
 +script 
 +    if [ -x /​usr/​share/​recovery-mode/​recovery-menu ]; then 
 +        exec /​usr/​share/​recovery-mode/​recovery-menu 
 +    else 
 +        exec /​sbin/​sulogin 
 +    fi 
 +end script 
 + 
 +[...]</​code>​
  
-=====Remediations===== +====Method 3:==== 
-  * **Setting up Full Disk Encryption:**+  - Reboot the system and go into the BIOS. Disable booting from anything other than the main disk. 
 +  - Set a BIOS password. This prevents unauthorized changes to the BIOS settings without a password. 
 +  - Set a BIOS Power On password. Now the machine will require a password before powering on. 
 +=====General Remediation Methods==== 
 +====Setting up Full Disk Encryption:====
  
-  * **Other Remediations:​**+====Other Remediations:​====
  
 =====References===== =====References=====
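Review bot: the "Through a Textual User Interface: switch to a text console with <Ctrl>-<Alt>-<Del>" sub-step, repeated under every "Power on/reboot" bullet in Methods 1, 2 and 3, is wrong as written: on a Linux text console that key combination is handled by init's ctrlaltdel action (or systemd's ctrl-alt-del.target) and triggers a reboot rather than a console switch, so the sub-step should either say "reboot with" or name the keys it actually intends. The Method 1 heading says "Using /sbin/init to execute a shell" while the step itself replaces init with "/bin/bash", so the heading should match the parameter. Under "Remediation Methods", Method 1 applies only to GRUB Legacy: "grub-md5-crypt", "menu.lst"/"grub.conf" and "password --md5" do not exist in GRUB 2, which uses "grub-mkpasswd-pbkdf2" together with "set superusers" and "password_pbkdf2" entries in the /etc/grub.d sources, so each step should state which GRUB version it targets; the sample config also misspells "splashimage" as "spashimage". In Method 2 the line "Look at your file a/etc/inittaba" has mangled quotes and should read "/etc/inittab"; the heading is unnamed (suggest "Method 2: Require sulogin in single-user mode"), and the lead sentence lists systemd as a case that no later step covers, although systemd's rescue and emergency targets already run sulogin by default. Finally, the remediation section never says which attack each control stops: a GRUB password blocks Methods 1 and 2 but not Method 3, the BIOS boot-order lock and passwords of Method 3 hold only as long as the firmware settings cannot be reset and so are a deterrent rather than a strong control, and the full-disk encryption that actually protects the data once the disk is reachable sits under a "Setting up Full Disk Encryption:" heading that, like "Other Remediations:", is still empty.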
user/nbrimme1/portfolio/break-into-linux.1534034697.txt.gz · Last modified: 2018/08/11 20:44 by nbrimme1