Re: [Leaplist] Floppy image (or, on a CDROM), Boots installed Linux or Windows, as root, bypassing all passwords
Tony Turner
tony_l_turner at yahoo.com
Sat Jun 27 17:22:26 EDT 2009
Big difference between this and a tool like CHNTPW is (1) it doesn't modify the SAM, so the local admin account password doesn't get changed and it may never be detected, especially if you removed the splash screen for the Kon-Boot CD, and (2) it works on Linux as well.

But seriously, physical security trumps all. We know this to be true, and there are scads of default and backdoor account passwords available for a variety of devices if you have local access. I personally use the list at http://www.phenoelit-us.org/dpl/dpl.html and find it quite useful when I'm doing contract work on "managed" devices that aren't quite so managed and local staff don't recall who set them up or what password might have been used.

Also, while we are on the topic, don't forget to lock down single-user mode in Linux. If an attacker can invoke single-user mode, especially with no password required... yeah, you will be pwned.

**Note** None of the following will protect you against rescue boot CDs, only against grub modification and easy access to single-user mode for root access. It is possible to protect the grub initialization process with a password, but as a predominantly Windows guy, my skills just aren't that far advanced yet. If you know an easy way to do this or know a good link, please clue me in. That being said, here are three ways to harden against this attack that I've saved in my personal documentation. I'd attribute these but no longer recall where I got this info.
1. I personally add the following to /etc/inittab:

~:S:wait:/sbin/sulogin

and put it right before the runlevel entries, which then requires a root login to access single-user mode.

2. Another thing you can do is prevent changes to grub.conf (or lilo.conf): add "password=urpassword" to the kernel definition in lilo.conf or grub.conf (don't use the root password, as this line can be displayed in grub, though not in lilo; you don't want to hand out your root password here either). Then change the mode of the file to 600:

# chmod 600 grub.conf
(or lilo.conf)

3. Or some people prefer to create a boot password, which can be done as follows. Use the grub-md5-crypt command to generate an encrypted version of your selected password:
# grub-md5-crypt
Password: hello
Retype password: hello
$1$gNc9G$BppzXI37ogNVc2aJ8tjSe0
Enter the encrypted password at the top of your Grub configuration file, /boot/grub/grub.conf:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/concord3/f8root
# initrd /initrd-version.img
#boot=/dev/md0
password --md5 $1$gNc9G$BppzXI37ogNVc2aJ8tjSe0
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.23.1-49.fc8)
root (hd0,0)
kernel /vmlinuz-2.6.23.1-49.fc8 ro root=/dev/concord3/f8root rhgb quiet
initrd /initrd-2.6.23.1-49.fc8.img
title Fedora (2.6.23.1-42.fc8)
root (hd0,0)
kernel /vmlinuz-2.6.23.1-42.fc8 ro root=/dev/concord3/f8root rhgb quiet
initrd /initrd-2.6.23.1-42.fc8.img
--- On Sat, 6/27/09, patrick <pberry2 at cfl.rr.com> wrote:
From: patrick <pberry2 at cfl.rr.com>
Subject: [Leaplist] Floppy image (or, on a CDROM), Boots installed Linux or Windows, as root, bypassing all passwords
To: "This is the Leap Main List" <leaplist at leap-cf.org>
Date: Saturday, June 27, 2009, 4:41 PM
This can be run from a floppy, or as a floppy image on the CD-ROM, to alter the installed boot-up in order to log on as the root user, either in a Microsoft environment that is on the hard drive or into any installed Linux system.
This alters the kernel as boot occurs, so you are the root user. Then, before exit, you need to run Kon-Fix!
Yes, it has been tested on Linux and Windows Servers.
Securely Lock your machine rooms!
For those of you who haven't seen this yet...
http://www.piotrbania.com/all/kon-boot/
-- This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
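The three hardening points from the message above (a sulogin entry in /etc/inittab, a hashed "password --md5" line in a GRUB legacy grub.conf, and mode 600 on that file) turned into a single audit script. This is an added example, not code from the original post or from the Kon-Boot project; the inittab and grub.conf contents it reads are constructed sample files written to a temporary directory, the function names are my own, and the checks cover the GRUB legacy syntax shown on the page, not GRUB 2.

```shell
#!/bin/sh
# Added example (not from the original post): audit the boot-time hardening
# points discussed above. Sample inittab/grub.conf files are constructed
# below so this runs offline; point the functions at /etc/inittab and
# /boot/grub/grub.conf (as root) to audit a live GRUB legacy system.

# 0 if inittab has an entry that runs sulogin for runlevel S (single user),
# e.g. "~:S:wait:/sbin/sulogin" or "~~:S:wait:/sbin/sulogin".
inittab_has_sulogin() {
    grep -Eq '^[^#:]*:S:(wait|respawn):/sbin/sulogin' "$1"
}

# 0 if grub.conf has a global "password --md5 $1$..." line before the first
# "title"; a password line placed after a title only locks that one entry.
grub_has_md5_password() {
    awk '/^[[:space:]]*title/ { exit }
         /^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# 0 if grub.conf has no cleartext "password <word>" line (the form the post
# warns can be displayed by grub and read by anyone who can open the file).
grub_no_plaintext_password() {
    ! grep -Eq '^[[:space:]]*password[[:space:]]+[^-[:space:]]' "$1"
}

# 0 if the file is mode 0600 (owner read/write only). Parses ls -l rather
# than stat(1) so it works on both GNU and BSD userlands.
file_is_0600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run every check against an inittab and a grub.conf, print PASS/FAIL per
# check, and return the number of failed checks (0 = fully hardened).
audit_boot_hardening() {
    inittab=$1; grubconf=$2; fails=0
    for check in \
        "inittab_has_sulogin $inittab" \
        "grub_has_md5_password $grubconf" \
        "grub_no_plaintext_password $grubconf" \
        "file_is_0600 $grubconf"; do
        if $check; then
            echo "PASS: $check"
        else
            echo "FAIL: $check"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# --- constructed sample inputs (not taken from any real system) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Hardened pair: sulogin entry, md5 password above the titles, mode 600.
cat > "$demo_dir/inittab" <<'EOF'
id:3:initdefault:
~:S:wait:/sbin/sulogin
l1:1:wait:/etc/rc.d/rc 1
EOF
cat > "$demo_dir/grub.conf" <<'EOF'
password --md5 $1$gNc9G$BppzXI37ogNVc2aJ8tjSe0
default=0
timeout=5
title Fedora (2.6.23.1-49.fc8)
        root (hd0,0)
        kernel /vmlinuz-2.6.23.1-49.fc8 ro root=/dev/concord3/f8root rhgb quiet
        initrd /initrd-2.6.23.1-49.fc8.img
EOF
chmod 600 "$demo_dir/grub.conf"

# Weak pair: no sulogin entry, cleartext password, world-readable file.
cat > "$demo_dir/inittab.weak" <<'EOF'
id:3:initdefault:
l1:1:wait:/etc/rc.d/rc 1
EOF
cat > "$demo_dir/grub.conf.weak" <<'EOF'
password hello
default=0
title Fedora (2.6.23.1-49.fc8)
        root (hd0,0)
EOF
chmod 644 "$demo_dir/grub.conf.weak"

rc=0; audit_boot_hardening "$demo_dir/inittab" "$demo_dir/grub.conf" || rc=$?
echo "hardened sample: $rc failed check(s)"
rc=0; audit_boot_hardening "$demo_dir/inittab.weak" "$demo_dir/grub.conf.weak" || rc=$?
echo "weak sample: $rc failed check(s)"
```

The hardened sample reports 0 failures and the weak one 4. Note what the script deliberately does not claim: like the post says, none of these settings stop someone booting a rescue CD or Kon-Boot, so a PASS here only means the console-level shortcuts (editing the kernel line, dropping into single user) are closed.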