-
August 9th, 2005, 07:44 AM
#1
Junior Member
Physical hacking, how to protect yourself from physical intruders
(this is intended to protect users from the threat of physical hacking, I am not responsible for any misuse of this information)
When most users imagine hackers, they picture some scraggly teenager, hunched over his Linux box, remotely trashing servers. However, in many cases, hacking occurs from within an organization, whether it be a visitor, customer, student or even a disgruntled employee. Therefore, it seems that the threat of local hacking is quite real, and the physical security of a computer system is quite possibly the second weakest layer of protection against intruders.
It must be stated, before I launch into this tutorial, that it is impossible to ensure absolute physical security. It is, however, possible to stop the less knowledgeable attacker and make it insanely difficult for a skilled intruder to access the target system.
The system I will use as an example is a Linux box running Red Hat. However, this tutorial is independent of any operating system, since any operating system is equally vulnerable to physical hacking. (It should be noted that Linux/Unix is especially vulnerable to physical attacks through single user mode.) This tutorial should be of use to any level of user, from system administrators to the casual end user.
Be warned, however, that it is impossible to stop the most skilled of attackers; it is merely possible to slow them down.
First off, an attacker on a Linux machine would try and gain access at the LILO prompt:
LILO: linux single
This would start the system at runlevel 1, or Linux single user mode. Essentially, the user would have root without requiring a password. This is here for system maintenance. But all is not lost; there is a way to stop intruders from entering Linux single user mode.
Edit /etc/inittab by inserting the following line, right after the "initdefault" line:
~~:S:wait:/sbin/sulogin
This will force the intruder to enter the root password before allowing them access.
However, the more intelligent attacker can still gain access to your Linux box:
LILO: linux init=/bin/bash
This tells the system to boot the BASH shell as your first process, instead of init. Since init is first run as root, you enter the BASH shell as root also; therefore you have a root shell. Obviously we have to restrict access to the LILO prompt at this point, so that our attacker doesn't have the chance to enter either a root shell or single user mode. First, we can password-protect the LILO prompt, so an attacker can't add options to the LILO prompt without typing a password. To add a password to the LILO prompt, just choose a password, and place the following lines at the top of the /etc/lilo.conf file:
restricted
password= PASSWORD
Once you're done, make sure to re-run LILO to effect your changes, by typing lilo at the root prompt.
At this point, all those Linux geeks out there can give yourselves a hearty pat on the back: you've made your Linux machine as safe as a Windows box, from the perspective of physical hacking.
However, if our intruder decided to bring one of the many available boot disks out there, we are still very vulnerable to attack.
For Windows we have: Offline NT password & registry editor
Linux: Tom's Root Boot disk
These are just two examples, and the options get even better if you are willing to pay money. Let's use Tom's root boot disk as an example, since we have been doing so well with the whole Linux thing.
The intruder simply inserts the boot disk and:
Mount the drive!!
# mkdir /evilhaxor
# mount /dev/hda5 /evilhaxor
# vi /evilhaxor/etc/passwd
And since our evil haxor d00d booted with his very own floppy, he's root on the machine.
evilhaxor::0:0:Security Admin:/:/bin/bash
What he/she has done is create an account that is root equivalent, and free of a password. With this account, our intruder can play around, delete the account, and sneak away into the night, or to his period three class.
But wait! Stop prying at your floppy drive with that screwdriver! All we have to do to foil our clever adversary is to forbid our trusty box from booting off anything but the hard drive. You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Now, when the option is saved, try to boot off a floppy. This should be impossible.
Okay, now, to get into our uber l337 machine, the hacker must first enter the BIOS and remove the restrictions, and boot with his floppy or CD. This, by the way, is eating up time. Unless this lab is located in Siberia, someone should have noticed all this booting and restarting and such.
So now, we go back into the BIOS and find the password option; this shouldn't be too hard. So at this point, he can't boot from floppy, he can't access LILO, and he lost a lot of time just to figure this out. Unless he has some amazing cracking software up his sleeve, we just beat him.
But, since he does have physical access, why doesn't he just open up the case and detach the small battery (similar to a watch battery) for a few seconds, causing RAM to blank, and your system forgets the password you so carefully thought up. Okay, this is getting ridiculous though, right? All it takes is a bitter employee, forced to stay late. He has plenty of time, and I bet he might want to mess around in that server room. So you can lock the case, lock the server room, and maybe even remove the floppy drives and CD drives and hide them. Even then he or she could steal the hard drive and install it in another box and hack from there. The point is, physical safety is often overlooked, just as social engineering is overlooked. So keep a watchful eye on your employees, your wetware and your hardware.
If this tutorial helped you at all, or if you hated it and think I'm the dumbest thing that ever learned to type, email me at freezerfish@gmail.com.
Here are some links:
http://home.eunet.no/~pnordahl/ntpasswd/ (Offline NT password & registry editor)
http://www.toms.net/rb/ ( Tom's root boot disk )
http://nettwerked.net (for their informative articles, and canadian perspective)
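As an added example (not code from the original post or from any of the linked tools), the following POSIX shell script audits the three host-side settings the tutorial walks through: the sulogin line in /etc/inittab, the restricted+password lines in /etc/lilo.conf, and the kind of UID-0, passwordless entry the boot-disk attack plants in /etc/passwd. It runs only against constructed sample files in a temporary directory, so nothing on the real system is read or changed. It assumes SysV-style inittab and LILO syntax; GRUB is not covered, and the BIOS settings from the end of the post are outside what a host-side script can check.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the host-side settings
# the tutorial describes, using constructed sample files in a temp directory.
# Assumption: SysV inittab and lilo.conf syntax (GRUB is not handled here).

# Returns 0 if the inittab forces sulogin (root password) for single-user mode.
inittab_has_sulogin() {
    grep -Eq '^~~:S:wait:/sbin/sulogin[[:space:]]*$' "$1"
}

# Returns 0 if lilo.conf carries both a global "restricted" and a "password=" line,
# i.e. extra boot options at the LILO prompt need the password.
lilo_is_locked() {
    grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# Prints "uid0:<name>" for every UID-0 account other than root and
# "nopass:<name>" for every account whose password field is empty.
# The evilhaxor line from the post trips both. Exits 1 if anything was found.
passwd_suspicious() {
    awk -F: '
        /^[[:space:]]*(#|$)/    { next }
        $3 == 0 && $1 != "root" { print "uid0:" $1;   found = 1 }
        $2 == ""                { print "nopass:" $1; found = 1 }
        END                     { exit found ? 1 : 0 }
    ' "$1"
}

# --- constructed sample files (not taken from any real system) --------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$DEMO_DIR/inittab.weak"
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$DEMO_DIR/inittab.hard"

printf 'boot=/dev/hda\nprompt\ntimeout=50\nimage=/vmlinuz\n\tlabel=linux\n' > "$DEMO_DIR/lilo.weak"
printf 'restricted\npassword=changeme\nboot=/dev/hda\nprompt\ntimeout=50\nimage=/vmlinuz\n\tlabel=linux\n' > "$DEMO_DIR/lilo.hard"

printf 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nalice:x:500:500:Alice:/home/alice:/bin/bash\n' > "$DEMO_DIR/passwd.clean"
printf 'root:x:0:0:root:/root:/bin/bash\nevilhaxor::0:0:Security Admin:/:/bin/bash\n' > "$DEMO_DIR/passwd.backdoor"

# --- run the checks ---------------------------------------------------------
for f in inittab.weak inittab.hard; do
    if inittab_has_sulogin "$DEMO_DIR/$f"; then
        echo "$f: single-user mode asks for the root password"
    else
        echo "$f: single-user mode gives a root shell without a password"
    fi
done
for f in lilo.weak lilo.hard; do
    if lilo_is_locked "$DEMO_DIR/$f"; then
        echo "$f: LILO prompt locked"
    else
        echo "$f: LILO prompt accepts 'single' or 'init=/bin/bash' freely"
    fi
done
for f in passwd.clean passwd.backdoor; do
    if passwd_suspicious "$DEMO_DIR/$f"; then
        echo "$f: no extra UID-0 or passwordless accounts"
    else
        echo "$f: suspicious entries listed above"
    fi
done
```

Point the three functions at the real /etc/inittab, /etc/lilo.conf and /etc/passwd to run the same checks on a live host; a non-root UID-0 line or an empty password field is worth an alert regardless of whether the box uses shadow passwords, since the extra entry is the tell, not the hash.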
-
August 9th, 2005, 08:12 AM
#2
Re: Physical hacking, how to protect yourself from physical intruders
Originally posted here by phr0zenf1sh
(this is intended to protect users from the threat of physical hacking, I am not responsible for any misuse of this information)
Lol.
When most users imagine hackers, they picture some scraggly teenager, hunched over his Linux box, remotely trashing servers. However, in many cases, hacking occurs from within an organization,
(TM) Hacking Linux exposed second edition. (Slightly reworded)
whether it be a visitor, customer, student or even a disgruntled employee. Therefore, it seems that the threat of local hacking is quite real, and the physical security of a computer system is quite possibly the second weakest layer of protection against intruders.
What is first?
(It should be noted that Linux/Unix is especially vulnerable to physical attacks through single user mode)
Ummm, you can disable single user mode, and booting, and pretty much anything that allows someone to get to it. If you think Unix and Linux are attacked easier from single user mode.... OK, anyway, this is not true at all. On SUSE, for example, you need the root password for single user mode.
This tutorial should be of use to any level of user, from system administrators, to the casual end user.
Heh.
Be warned, however, that it is impossible to stop the most skilled of attackers; it is merely possible to slow them down.
Not true, most users stop trying to break in when you shoot them.
First off, an attacker on a Linux machine would try and gain access at the LILO prompt.
But when I boot up I see GRUB!!!!! Is my computer broked???????????
That didn't work here for some reason, hmmm.
This would start the system at runlevel 1, or linux single user mode. essentially, the user would have root, without requiring a password.
False.
This is here for system maintenance. But all is not lost, there is a way to stop intruders from entering linux single user mode.
Oh good!
Edit /etc/inittab by inserting the following line, right after the "initdefault" line:
Thanks, now that half the Linux newbies just screwed up a system file there should be LOTS of new threads.
What's really weird is that Red Hat uses GRUB by default, unless the ISOs I had were messed up.
This will force the intruder to enter the root password before allowing them access.
As opposed to popping in a Live CD and pulling the power plug? Do you have a job? I need some cash.
However, the more intelligent attacker can still gain access to your Linux box.
=o NOOOOOOOOOOOOOOOOOOOOOOOO
LILO: linux init=/bin/bash
And for the users that have GRUB?
we can password-protect the LILO prompt, so an attacker can't add options to the LILO prompt without typing a password.
Is that going to stop the floppy disk boot up from hell? You'd think you'd add something about a BIOS password too, I mean hell if this is going to secure my boxes my work is EASY now.
To add a password to the LILO prompt, just choose a password, and place the following lines at the top of the /etc/lilo.conf file:
restricted
password= PASSWORD
12 users reading this now have a LILO password "PASSWORD". And probably aren't sure how to log in themselves anymore.
Once you're done, make sure to re-run LILO to effect your changes, by typing lilo at the root prompt.
Make sure you hit ENTER.
At this point, all those Linux geeks out there can give yourselves a hearty pat on the back: you've made your Linux machine as safe as a Windows box, from the perspective of physical hacking.
Whatever you're on, I want some. WTF is that ****? Windows.... Lol, like that click cancel of death the 9X users face or the ALT CTRL DEL the NT line uses? Lol.
However, if our intruder decided to bring one of the many available boot disks out there, we are still very vulnerable to attack.
Oh finally?
For Windows we have: Offline NT password & registry editor
Don't forget the PHLAK tools, there are Windows servers at my college using passwords I gave them when I rebooted them.
Linux: Tom's Root Boot disk
These are just two examples, and the options get even better if you are willing to pay money. Let's use Tom's root boot disk as an example, since we have been doing so well with the whole Linux thing.
We have?
The intruder simply inserts the boot disk and:
Mount the drive!!
You didn't show commands for this....
mount /dev/hd*(Whatever) /mnt/haxxored..... Damn it my coffee got cold.
# mkdir /evilhaxor
# mount /dev/hda5 /evilhaxor
# vi /evilhaxor/etc/passwd
And because almost all Linux distros use Shadow, what next?
And since our evil haxor d00d booted with his very own floppy, he's root on the machine.
Not on mine.
evilhaxor::0:0:Security Admin:/:/bin/bash
Heh, right. That won't send off alarm bells.
What he/she has done is create an account that is root equivalent, and free of a password. With this account, our intruder can play around, delete the account, and sneak away into the night, or to his period three class.
Ummm, no.
But wait! stop prying at your floppy drive with that screwdriver!
But the CD-ROM drive is so much more secure!
All we have to do to foil our clever adversary is to forbid our trusty box from booting off anything but the hard drive.
Yea because then they have to get into BIOS at boot up to turn it back on! Wow that must take an extra 2 seconds! You know if I lived near you, I'd give your box a BIOS password, tell it not to boot off anything but the hard drive, then smack it with a hammer.
You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Now, when the option is saved, try to boot off a floppy. This should be impossible.
YEA ATTACKERS DON'T KNOW HOW TO GET BACK INTO A BIOS AND SET IT TO BOOT FROM SOMETHING AGAIN!
So now, we go back into the BIOS and find the password option; this shouldn't be too hard. So at this point, he can't boot from floppy, he can't access LILO, and he lost a lot of time just to figure this out. Unless he has some amazing cracking software up his sleeve, we just beat him.
Uhhh, right. False security is worse than no security.
But, since he does have physical access, why doesn't he just open up the case and detach the small battery (similar to a watch battery) for a few seconds, causing RAM to blank, and your system forgets the password you so carefully thought up. Okay, this is getting ridiculous though, right? All it takes is a bitter employee, forced to stay late. He has plenty of time, and I bet he might want to mess around in that server room. So you can lock the case, lock the server room, and maybe even remove the floppy drives and CD drives and hide them. Even then he or she could steal the hard drive and install it in another box and hack from there. The point is, physical safety is often overlooked, just as social engineering is overlooked. So keep a watchful eye on your employees, your wetware and your hardware.
That's deep!
If this tutorial helped you at all, or if you hated it and think I'm the dumbest thing that ever learned to type, email me at freezerfish@gmail.com.
Lol.
-
August 9th, 2005, 10:09 AM
#3
-
August 9th, 2005, 01:41 PM
#4
Bah... once again people tend to be super analytical... Can't say I blame you... /sigh!!!
Dude, I read the first line of this thing and stopped reading it. Do me a favor: take it, re-write it, piss on it, burn it, hand it to your best friend and tell him it's your living will, anything, but please get it out of here.
Put more information into your writings.
And damnit, simply because gore posted, I can't say what I want to.
Oh the hell with it.
Physical security... So you're telling me, if I hit you on your head with a bat, and ask you your passwords, it won't work???
-
August 9th, 2005, 02:12 PM
#5
Physical security... So you're telling me, if I hit you on your head with a bat, and ask you your passwords, it won't work???
Actually no, it won't..........................now, a quart of petrol and a Zippo lighter...............
-
August 9th, 2005, 06:03 PM
#6
Hey, you missed out GRUB, which is the default boot manager in various distributions.
-
August 9th, 2005, 09:18 PM
#7
So keep a watchful eye on your employees, your wetware and your hardware.
So wait, where you work, employees and wetware are not one and the same? (Did that Bender bastard steal your stapler again?)
Seriously though, you forgot the part about filling the entire case with non-conductive epoxy to prevent attackers from messing with the hardware. Without this crucial step, clearly indicated in the many Linux ISO-15408 submissions, the system is hopelessly insecure.
cheers,
catch
-
August 9th, 2005, 10:20 PM
#8
Hi phr0zenf1sh,
A little advice...
1. don't take any of this or those personal...
2. unless you're absolutely sure that you know what you're talking about, next time submit the tut in another forum first for critical review and then after making the adjustments and editing submit it here...
3. this forum will result in either approval or a good thrashing, why? , because if your tut is wrong there's a good chance someone might not know you're wrong and follow your advice thinking you're right and seriously bugger himself up...( which is why I don't give computer advice )
4. again, don't take any of this personal...it's not about you it's about your tutorial
Eg
-
August 9th, 2005, 10:55 PM
#9
Here's an idea: Run all your stuff off of Ramdisks, and load it off a piece of removable media (CD, removable HD), then take the removable media and stick it in a small rocket capable of achieving escape velocity, and launch it to say, Saturn. That should keep you safe from the dregs of humanity at the very least, even though these forums don't.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
August 10th, 2005, 02:21 AM
#10
*watches as the interesting feedback pours on*
Well, my opinion: A lot of things were missing, misleading, and probably weren't written by you. I don't know though. If all else fails, chsh's idea sounds like it would secure your data fairly well.