
Thread: Basic Linux Boot Process Protections

  1. #1
    Junior Member
    Join Date
    Jul 2005
    Posts
    3

    Physical hacking, how to protect yourself from physical intruders

    (this is intended to protect users from the threat of physical hacking, I am not responsible for any misuse of this information)


    When most users imagine hackers, they picture some scraggly teenager, hunched over his linux box, remotely trashing servers. However, in many cases, hacking occurs from within an organization, whether it be a visitor, customer, student or even a disgruntled employee. Therefore, it seems that the threat of local hacking is quite real, and the physical security of a computer system is quite possibly the second weakest layer of protection against intruders.

    It must be stated, before I launch into this tutorial, that it is impossible to ensure absolute physical security. It is, however, possible to stop the less knowledgeable attacker and make it insanely difficult for a skilled intruder to access the target system.

    The system I will use as an example is a linux box running redhat. However, this tutorial is independent of any operating system, since any operating system is equally vulnerable to physical hacking. (It should be noted that linux/unix is especially vulnerable to physical attacks through single user mode.) This tutorial should be of use to any level of user, from system administrators, to the casual end user.

    Be warned however, that it is impossible to stop the most skilled of attackers, it is merely possible to slow them down.

    First off, an attacker on a linux machine would try and gain access at the LILO prompt.

    LILO: linux single

    This would start the system at runlevel 1, or linux single user mode. Essentially, the user would have root, without requiring a password. This is here for system maintenance. But all is not lost, there is a way to stop intruders from entering linux single user mode.

    Edit /etc/inittab by inserting the following string, right after the "initdefault" line:

    ~~:S:wait:/sbin/sulogin

    This will force the intruder to enter the root password before allowing them access.
    However, the more intelligent attacker can still have access to your linux box.

    LILO: linux init=/bin/bash

    This tells the system to boot the BASH shell as your first process, instead of init. Since init is first run as root, you enter the BASH shell as root also. Therefore you have a root shell. Obviously we have to restrict access to the LILO prompt at this point, so that our attacker doesn't have the chance to enter either a root shell or single user mode. First, we can password-protect the LILO prompt, so an attacker can't add options to the LILO prompt without typing a password. To add a password to the LILO prompt, just choose a password, and place the following lines in the top of the /etc/lilo.conf file:

    restricted
    password= PASSWORD

    Once you're done, make sure to re-run LILO to effect your changes, by typing lilo at the root prompt.

    At this point, all those linux geeks out there can give yourselves a hearty pat on the back, you've made your linux machine as safe as a windows box, from the perspective of physical hacking.

    However, if our intruder decided to bring one of the many available boot disks out there, we are still very vulnerable to attack.

    for windows we have: Offline NT password & registry editor

    Linux: Tom's Root Boot disk

    These are just two examples, and the options get even better if you are willing to pay money. Let's use tom's root boot disk as an example, since we have been doing so well with the whole linux thing.

    The intruder simply inserts the boot disk and:

    Mount the drive!!

    # mkdir /evilhaxor
    # mount /dev/hda5 /evilhaxor
    # vi /evilhaxor/etc/passwd

    And since our evil haxor d00d booted with his very own floppy, he's root on the machine.

    evilhaxor::0:0:Security Admin:/:/bin/bash

    What he/she has done is create an account that is root equivalent, and free of a password. With this account, our intruder can play around, delete the account, and sneak away into the night, or to his period three class.

    But wait! Stop prying at your floppy drive with that screwdriver! All we have to do to foil our clever adversary is to forbid our trusty box to boot off anything but the hard drive. You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Now, when the option is saved, try to boot off a floppy. This should be impossible.

    Okay, now, to get into our uber l337 machine, the hacker must first enter BIOS and remove the restrictions, and boot with his floppy or cd. This, by the way, is eating up time. Unless this lab is located in Siberia, someone should have noticed all this booting and restarting and such.

    So now, we go back into BIOS and find the password option, this shouldn't be too hard. So at this point, he can't boot from floppy, he can't access LILO, and he lost a lot of time just to figure this out. Unless he has some amazing cracking software up his sleeves, we just beat him.

    But, since he does have physical access, why doesn't he just open up the case and detach the small battery (similar to a watch battery) for a few seconds, causing RAM to blank, and your system forgets the password you so carefully thought up. Okay, this is getting ridiculous though, right? All it takes is a bitter employee, forced to stay late. He has plenty of time, and I bet he might want to mess around in that server room. So you can lock the case, lock the server room, and maybe even remove the floppy drives and CD drives and hide them. Even then he or she could steal the hard drive and install it in another box and hack from there. The point is, physical safety is often overlooked, just as social engineering is overlooked. So keep a watchful eye on your employees, your wetware and your hardware.

    If this tutorial helped you at all, or if you hated it and think I'm the dumbest thing that ever learned to type, email me at freezerfish@gmail.com.

    here are some links:

    http://home.eunet.no/~pnordahl/ntpasswd/ (Offline NT password & registry editor)

    http://www.toms.net/rb/ ( Tom's root boot disk )

    http://nettwerked.net (for their informative articles, and canadian perspective)
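The two configuration changes the post describes, checked rather than just applied. This is an added example, not code from the original post: a POSIX shell script that audits a lilo.conf and an inittab for the global "restricted" and "password=" options and for the "~~:S:wait:/sbin/sulogin" entry. File paths are taken as arguments, so it runs here against constructed sample files in a temporary directory rather than the live /etc. It adds two checks the post does not mention but a practitioner would want: the password must not be the literal placeholder PASSWORD copied from the post, and lilo.conf must not be group- or world-readable, because LILO keeps that password in clear text. The sample file contents and the example password are constructed for the demonstration. As the replies point out, none of this addresses booting from other media or a box that runs GRUB instead of LILO.

```shell
#!/bin/sh
# Added example (not from the original post): audit the boot-time protections
# the tutorial describes. File paths are taken as arguments so the checks can
# run against constructed sample files instead of the live /etc.

# lilo_globals FILE: print the global section of a lilo.conf, i.e. everything
# before the first image= or other= stanza, with comments and blank lines dropped.
lilo_globals() {
    sed 's/#.*//' "$1" | awk '/^[ \t]*(image|other)[ \t]*=/ { exit } NF { print }'
}

# check_lilo FILE: 0 if the global section has "restricted" and a password=
# value that is not the literal placeholder "PASSWORD" copied from the post.
check_lilo() {
    g=$(lilo_globals "$1")
    printf '%s\n' "$g" | grep -Eq '^[[:space:]]*restricted[[:space:]]*$' || return 1
    pw=$(printf '%s\n' "$g" \
        | sed -n 's/^[[:space:]]*password[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$pw" ] || return 1
    [ "$pw" != "PASSWORD" ] || return 1
}

# check_private FILE: 0 if neither group nor other can read FILE. LILO stores
# the password in clear text, so lilo.conf must be mode 600.
check_private() {
    mode=$(ls -ld "$1" | cut -c5-10)     # group and other permission bits
    case "$mode" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# check_inittab FILE: 0 if an uncommented entry runs /sbin/sulogin with action
# "wait" in runlevel S, i.e. the ~~:S:wait:/sbin/sulogin line the post adds.
check_inittab() {
    grep -Eq '^[^#:]*:[^:]*S[^:]*:wait:/sbin/sulogin([[:space:]]|$)' "$1"
}

# report CHECK FILE: run CHECK on FILE, print the verdict, return its status.
report() {
    if "$1" "$2"; then echo "PASS: $1 $2"; return 0; fi
    echo "FAIL: $1 $2"; return 1
}

# audit_boot LILO_CONF INITTAB: run every check; return the number of failures.
audit_boot() {
    fails=0
    report check_lilo "$1"    || fails=$((fails + 1))
    report check_private "$1" || fails=$((fails + 1))
    report check_inittab "$2" || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

# make_samples: write constructed sample files into a temporary directory and
# print its path. "weak" is a box before the post's changes, "placeholder" one
# where the post's PASSWORD was pasted verbatim, "hard" the intended result.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/lilo.weak" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
        label=linux
        root=/dev/hda5
EOF
    { echo restricted; echo 'password= PASSWORD'; cat "$dir/lilo.weak"; } > "$dir/lilo.placeholder"
    { echo restricted; echo 'password=s3cr3t-example'; cat "$dir/lilo.weak"; } > "$dir/lilo.hard"
    cat > "$dir/inittab.weak" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l1:1:wait:/etc/rc.d/rc 1
l3:3:wait:/etc/rc.d/rc 3
EOF
    awk '{ print } /initdefault/ { print "~~:S:wait:/sbin/sulogin" }' \
        "$dir/inittab.weak" > "$dir/inittab.hard"
    chmod 644 "$dir/lilo.weak" "$dir/lilo.placeholder"
    chmod 600 "$dir/lilo.hard"
    echo "$dir"
}

# With two arguments audit those files; with none, audit the samples so the
# script demonstrates itself (the weak set fails, the hardened set passes).
if [ $# -eq 2 ]; then
    audit_boot "$1" "$2"
else
    d=$(make_samples)
    echo "== before the post's changes =="
    audit_boot "$d/lilo.weak" "$d/inittab.weak" || true
    echo "== after =="
    audit_boot "$d/lilo.hard" "$d/inittab.hard"
fi
```

On a LILO box run it as "sh audit-boot.sh /etc/lilo.conf /etc/inittab" after re-running lilo; the exit status is the number of failed checks, so it drops straight into a cron job or a post-install script. Remember that the checks only confirm the files say the right thing; the protection still depends on the BIOS boot order and password covered later in the post.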

  2. #2
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Re: Physical hacking, how to protect yourself from physical intruders

    Originally posted here by phr0zenf1sh
    (this is intended to protect users from the threat of physical hacking, I am not responsible for any misuse of this information)
    Lol.


    When most users imagine hackers, they picture some scraggly teenager, hunched over his linux box, remotely trashing servers. However, in many cases, hacking occurs from within an organization,
    (TM) Hacking Linux exposed second edition. (Slightly reworded)



    whether it be a visitor, customer, student or even a disgruntled employee. Therefore, it seems that the threat of local hacking is quite real, and the physical security of a computer system is quite possibly the second weakest layer of protection against intruders.
    What is first?


    (It should be noted that linux/unix is especially vulnerable to physical attacks through single user mode)

    Ummm, you can disable single user mode, and booting and pretty much anything that allows someone to get to it. If you think Unix and Linux are attacked easier from single user mode.... OK, anyway, this is not true at all. SUSE for example, you need the root password for single user mode.


    This tutorial should be of use to any level of user, from system administrators, to the casual end user.
    Heh.



    be warned however, that it is impossible to stop the most skilled of attackers, it is merely possible to slow them down.
    Not true, most users stop trying to break in when you shoot them.



    first off, an attacker on a linux machine would try and gain access at the LILO prompt.
    But when I boot up I see GRUB!!!!! Is my computer broked???????????




    LILO: linux single

    That didn't work here for some reason, hmmm.




    This would start the system at runlevel 1, or linux single user mode. essentially, the user would have root, without requiring a password.

    False.


    This is here for system maintenance. But all is not lost, there is a way to stop intruders from entering linux single user mode.
    Oh good!



    Edit /etc/inittab by inserting the following string, right after the "initdefault" line:


    Thanks, now that half the Linux newbies just screwed up a system file there should be LOTS of new threads.



    ~~:S:wait:/sbin/sulogin
    What's really weird is that RedHat uses GRUB by default, unless the ISOs I had were messed up.



    This will force the intruder to enter the root password before allowing them access.

    As opposed to popping in a Live CD and pulling the power plug? Do you have a job? I need some cash.


    However, the more intelligent attacker can still have access to your linux box.
    =o NOOOOOOOOOOOOOOOOOOOOOOOO




    LILO: linux init=/bin/bash
    And for the users that have GRUB?



    we can password-protect the LILO prompt, so an attacker can't add options to the LILO prompt without typing a password.
    Is that going to stop the floppy disk boot up from hell? You'd think you'd add something about a BIOS password too, I mean hell if this is going to secure my boxes my work is EASY now.



    To add a password to the LILO prompt, just choose a password, and place the following lines in the top of the /etc/lilo.conf file:

    restricted
    password= PASSWORD

    12 users reading this now have a LILO password "PASSWORD". And probably aren't sure how to log in themselves anymore.



    Once you're done, make sure to re-run LILO to effect your changes, by typing lilo at the root prompt.
    Make sure you hit ENTER.




    At this point, all those linux geeks out there can give yourselves a hearty pat on the back, you've made your linux machine as safe as a windows box, from the perspective of physical hacking.


    Whatever you're on, I want some. WTF is that ****? Windows.... Lol, like that click cancel of death the 9X users face or the ALT CTRL DEL the NT line uses? Lol.



    However, if our intruder decided to bring one of the many available boot disks out there, we are still very vulnerable to attack.
    Oh finally?



    for windows we have: Offline NT password & registry editor
    Don't forget the PHLAK tools, there are Windows servers at my college using passwords I gave them when I rebooted them.


    Linux: Tom's Root Boot disk

    These are just two examples, and the options get even better if you are willing to pay money. Let's use tom's root boot disk as an example, since we have been doing so well with the whole linux thing.

    We have?


    The intruder simply inserts the boot disk and:

    Mount the drive!!

    You didn't show commands for this....

    mount /dev/hd*(Whatever) /mnt/haxxored..... Damn it my coffee got cold.


    # mkdir /evilhaxor
    # mount /dev/hda5 /evilhaxor
    # vi /evilhaxor/etc/passwd
    And because almost all Linux distros use Shadow, what next?



    And since our evil haxor d00d booted with his very own floppy, he's root on the machine.
    Not on mine.



    evilhaxor::0:0:Security Admin:/:/bin/bash
    Heh, right. That won't send off alarm bells.




    What he/she has done is create an account that is root equivalent, and free of a password. With this account, our intruder can play around, delete the account, and sneak away into the night, or to his period three class.

    Ummm, no.


    But wait! Stop prying at your floppy drive with that screwdriver!

    But the CD-ROM drive is so much more secure!




    All we have to do to foil our clever adversary is to forbid our trusty box to boot of anything but the hard drive.
    Yea because then they have to get into BIOS at boot up to turn it back on! Wow that must take an extra 2 seconds! You know if I lived near you, I'd give your box a BIOS password, tell it not to boot off anything but the hard drive, then smack it with a hammer.




    You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Now, when the option is saved, try to boot off a floppy. This should be impossible.
    YEA ATTACKERS DON'T KNOW HOW TO GET BACK INTO A BIOS AND SET IT TO BOOT FROM SOMETHING AGAIN!



    So now, we go back into BIOS and find the password option, this shouldn't be too hard. So at this point, he can't boot from floppy, he can't access LILO, and he lost a lot of time just to figure this out.Unless he has some amazing cracking software up his sleeves, we just beat him.

    Uhhh, right. False security is worse than no security.


    But, since he does have physical access, why doesn't he just open up the case and detach the small battery (similar to a watch battery) for a few seconds, causing RAM to blank, and your system forgets the password you so carefully thought up. Okay, this is getting ridiculous though, right? All it takes is a bitter employee, forced to stay late. He has plenty of time, and I bet he might want to mess around in that server room. So you can lock the case, lock the server room, and maybe even remove the floppy drives and CD drives and hide them. Even then he or she could steal the hard drive and install it in another box and hack from there. The point is, physical safety is often overlooked, just as social engineering is overlooked. So keep a watchful eye on your employees, your wetware and your hardware.

    That's deep!



    If this tutorial helped you at all, or if you hated it and think I'm the dumbest thing that ever learned to type, email me at freezerfish@gmail.com.

    Lol.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm, several bits seem to be missing?

    1. The distinction between a desktop and a server?

    Servers should be in a secure environment with access control, monitoring and logging. Only personnel who are trusted with the administrator password should have access. If one of them turns bad fire the entire HR (Human Remains) department

    2. I do not agree with the bit about allowing boot ONLY from the HDD. If you think about it, the steps needed to circumvent this are the same as if the HDD is FIRST in the boot sequence. If you leave the other options enabled, but LOWER in the sequence, you have the same security but make life easier for the poor guys who have to replace dead hard drives?

    3. A major omission IMHO is the removable HDD that is locked in a MoD/DoD/NATO approved steel cabinet.

    4. Physical keyloggers anyone?

    5. Underlying security?

    I have worked in an environment where the radio tag around your neck not only acted as a visual ID, it told the security system exactly where you were and when, and would only open the door if you were authorised to that area. If I did anything naughty it would be MI5 and the FBI's fault, because their positive security vetting had failed

    Just a few observations

  4. #4
    bah... once again people tend to be super analytical... Can't say I blame you... /sigh!!!

    Dude, I read the first line of this thing and stopped reading it. Do me a favor, take it, re-write it, piss on it, burn it, hand it to your best friend and tell him it's your living will, anything, but please get it out of here.

    Put more information into your writings.

    And damnit, simply because gore posted, I can't say what I want to.

    Oh the hell with it.

    Physical security... So you're telling me, if I hit you on your head with a bat, and ask you your passwords, it won't work???

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Physical security... So you're telling me, if I hit you on your head with a bat, and ask you your passwords, it won't work???
    Actually no, it won't..........................now, a quart of petrol and a Zippo lighter...............

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Hey you missed out grub. which is the default boot manager in
    various distributions.

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    So keep a watchfull eye on your employees, your wetware and your hardware.
    So wait, where you work employees and wetware are not one and the same? (Did that Bender bastard steal your stapler again?)

    Seriously though, you forgot the part about filling the entire case with non-conductive epoxy to prevent attackers from messing with the hardware. Without this crucial step, clearly indicated in the many Linux ISO-15408 submissions, the system is hopelessly insecure.

    cheers,

    catch

  8. #8
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi phr0zenf1sh,

    A little advice...

    1. don't take any of this or those personally...

    2. unless you're absolutely sure that you know what you're talking about, next time submit the tut in another forum first for critical review and then after making the adjustments and editing submit it here...

    3. this forum will result in either approval or a good thrashing, why? , because if your tut is wrong there's a good chance someone might not know you're wrong and follow your advice thinking you're right and seriously bugger himself up...( which is why I don't give computer advice )

    4. again, don't take any of this personally...it's not about you it's about your tutorial

    Eg

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Here's an idea: Run all your stuff off of Ramdisks, and load it off a piece of removable media (CD, removable HD), then take the removable media and stick it in a small rocket capable of achieving escape velocity, and launch it to say, Saturn. That should keep you safe from the dregs of humanity at the very least, even though these forums don't.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  10. #10
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    *watches as the interesting feedback pours on*

    Well, my opinion: A lot of things were missing, misleading, and probably weren't written by you. I don't know though. If all else fails, chsh's idea sounds like it would secure your data fairly well
    Space For Rent.. =]
