August 9th, 2005, 07:44 AM
Junior Member
Physical hacking, how to protect yourself from physical intruders
(this is intended to protect users from the threat of physical hacking, I am not responsible for any misuse of this information)
When most users imagine hackers, they picture some scraggly teenager, hunched over his Linux box, remotely trashing servers. However, in many cases, hacking occurs from within an organization, whether it be a visitor, customer, student or even a disgruntled employee. Therefore, it seems that the threat of local hacking is quite real, and the physical security of a computer system is quite possibly the second weakest layer of protection against intruders.
It must be stated, before I launch into this tutorial, that it is impossible to ensure absolute physical security. It is, however, possible to stop the less knowledgeable attacker and make it insanely difficult for a skilled intruder to access the target system.
The system I will use as an example is a Linux box running Red Hat. However, this tutorial is independent of any operating system, since any operating system is equally vulnerable to physical hacking. (It should be noted that Linux/Unix is especially vulnerable to physical attacks through single user mode.) This tutorial should be of use to any level of user, from system administrators to the casual end user.
Be warned, however, that it is impossible to stop the most skilled of attackers; it is merely possible to slow them down.
First off, an attacker on a Linux machine would try to gain access at the LILO prompt:
LILO: linux single
This would start the system at runlevel 1, or Linux single user mode. Essentially, the user would have root without requiring a password. This is here for system maintenance. But all is not lost; there is a way to stop intruders from entering Linux single user mode.
Edit /etc/inittab by inserting the following line, right after the "initdefault" line:
~~:S:wait:/sbin/sulogin
This will force the intruder to enter the root password before allowing them access.
However, the more intelligent attacker can still have access to your linux box.
LILO: linux init=/bin/bash
This tells the system to boot the bash shell as your first process, instead of init. Since init is first run as root, you enter the bash shell as root also; therefore you have a root shell. Obviously we have to restrict access to the LILO prompt at this point, so that our attacker doesn't have the chance to enter either a root shell or single user mode. First, we can password-protect the LILO prompt, so an attacker can't add options at the LILO prompt without typing a password. To add a password to the LILO prompt, just choose a password and place the following lines at the top of the /etc/lilo.conf file:
restricted
password= PASSWORD
Once you're done, make sure to re-run LILO to effect your changes, by typing lilo at the root prompt.
At this point, all those Linux geeks out there can give yourselves a hearty pat on the back: you've made your Linux machine as safe as a Windows box, from the perspective of physical hacking.
However, if our intruder decided to bring one of the many available boot disks out there, we are still very vulnerable to attack.
For Windows we have: Offline NT Password & Registry Editor
Linux: Tom's Root Boot disk
These are just two examples, and the options get even better if you are willing to pay money. Let's use Tom's Root Boot disk as an example, since we have been doing so well with the whole Linux thing.
The intruder simply inserts the boot disk and:
Mount the drive!!
# mkdir /evilhaxor
# mount /dev/hda5 /evilhaxor
# vi /evilhaxor/etc/passwd
And since our evil haxor d00d booted with his very own floppy, he's root on the machine.
evilhaxor::0:0:Security Admin:/:/bin/bash
What he/she has done is create an account that is root equivalent, and free of a password. With this account, our intruder can play around, delete the account, and sneak away into the night, or to his period three class.
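As an added example (not part of the original post), here is a small audit script for the three defences above: the sulogin line in inittab, the restricted/password lines in lilo.conf, and the kind of passwd entry the boot-floppy trick leaves behind. The function names and sample file contents are mine; on a real box you would pass /etc/inittab, /etc/lilo.conf and /etc/passwd.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks the defences above
# against constructed sample files so it runs offline. On a real box pass
# /etc/inittab, /etc/lilo.conf and /etc/passwd instead.

# 1. Single-user mode gated by sulogin?  (exit 0 = protected)
inittab_has_sulogin() {
    grep -Eq '^[^#]*:S:wait:/sbin/sulogin' "$1"
}

# 2. lilo.conf carries both "restricted" and a "password=" line?  (exit 0 = protected)
lilo_is_restricted() {
    grep -Eq '^[[:space:]]*restricted' "$1" &&
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# 3. The LILO password sits in lilo.conf in cleartext, so the file must not be
#    world-readable (chmod 600 /etc/lilo.conf).  (exit 0 = ok)
lilo_conf_private() {
    [ -z "$(find "$1" -perm -004)" ]
}

# 4. Print passwd entries that are UID 0 but not "root", or have an empty
#    password field: exactly what the boot-floppy attack above leaves behind.
suspicious_passwd_entries() {
    awk -F: '($3 == 0 && $1 != "root") || $2 == "" { print $1 }' "$1"
}

# --- constructed sample files (hypothetical contents, not from any real system) ---
WORK=$(mktemp -d)
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$WORK/inittab"
printf 'boot=/dev/hda\nrestricted\npassword=PASSWORD\nimage=/vmlinuz\n  label=linux\n' > "$WORK/lilo.conf"
chmod 600 "$WORK/lilo.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nevilhaxor::0:0:Security Admin:/:/bin/bash\nbob:x:500:500:Bob:/home/bob:/bin/bash\n' > "$WORK/passwd"

inittab_has_sulogin "$WORK/inittab" && echo "OK: single-user mode asks for the root password" \
    || echo "WARNING: no sulogin line in inittab"
lilo_is_restricted "$WORK/lilo.conf" && echo "OK: LILO prompt is password-protected" \
    || echo "WARNING: LILO prompt accepts options without a password"
lilo_conf_private "$WORK/lilo.conf" && echo "OK: lilo.conf is not world-readable" \
    || echo "WARNING: lilo.conf (and the LILO password) is world-readable"
echo "suspicious passwd entries: $(suspicious_passwd_entries "$WORK/passwd")"
```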
But wait! Stop prying at your floppy drive with that screwdriver! All we have to do to foil our clever adversary is to forbid our trusty box to boot off anything but the hard drive. You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Now, when the option is saved, try to boot off a floppy. This should be impossible.
Okay, now, to get into our uber l337 machine, the hacker must first enter the BIOS and remove the restrictions, then boot with his floppy or CD. This, by the way, is eating up time. Unless this lab is located in Siberia, someone should have noticed all this booting and restarting and such.
So now we go back into the BIOS and find the password option; this shouldn't be too hard. So at this point, he can't boot from floppy, he can't access LILO, and he lost a lot of time just to figure this out. Unless he has some amazing cracking software up his sleeve, we just beat him.
But, since he does have physical access, why doesn't he just open up the case and detach the small battery (similar to a watch battery) for a few seconds, causing the CMOS RAM to blank, so your system forgets the password you so carefully thought up? Okay, this is getting ridiculous though, right? All it takes is a bitter employee, forced to stay late. He has plenty of time, and I bet he might want to mess around in that server room. So you can lock the case, lock the server room, and maybe even remove the floppy drives and CD drives and hide them. Even then he or she could steal the hard drive, install it in another box and hack from there. The point is, physical safety is often overlooked, just as social engineering is overlooked. So keep a watchful eye on your employees, your wetware and your hardware.
If this tutorial helped you at all, or if you hated it and think I'm the dumbest thing that ever learned to type, email me at [email protected].
Here are some links:
http://home.eunet.no/~pnordahl/ntpasswd/ (Offline NT Password & Registry Editor)
http://www.toms.net/rb/ (Tom's Root Boot disk)
http://nettwerked.net (for their informative articles and Canadian perspective)