How to: break into a Linux user account in seconds
r3dux | July 24, 2011

I thought my Linux box was pretty safe. I mean, I use a strong password, I have my entire home directory encrypted, I should be alright, yeah? Ummm, no… I’ve been thinking about security a bit recently, and as much as I’ve always had an interest in the topic, it’s not my core field – I’m a software engineer at heart, so I build software, not secure it. But with 2011 being the year of the hack, with Anonymous and LulzSec hacking site after site after site, along with the major Sony hacks – it can’t help but be my field anymore.
So with a strong password and disk encryption I thought I was safe in case my laptop was stolen – but really it isn’t at all. If you have physical access to a machine, then it’s yours. This definitely comes under the ten laws…
The Ten Immutable Laws of Security
There’s a very good Microsoft article called the Ten Immutable Laws of Security which you can read here. The article discusses each one, but I’ll just list them here:
- Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
- Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
- Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
- Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as the decryption key.
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
- Law #9: Absolute anonymity isn’t practical, in real life or on the Web.
- Law #10: Technology is not a panacea.
There are issues with these “laws” – but you can google that for yourself – what we’re thinking about today is #3 – physical access == potatowned…
Getting it Done
First, reboot the machine and instead of booting as normal, select recovery mode from the GRUB menu:

Next, opt to drop into a root shell:

You don’t need to enter any password at all for the above – you’re just given root access… At which point, you just reset the password for a user account (in this case I created an account called test, but you can reset the root password or the password on any other account just as easily):

That’s it – you own the box. Simply reboot again and log in with the password you just specified.
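Two GRUB 2 settings address the recovery-mode root shell shown above: GRUB_DISABLE_RECOVERY removes the recovery entries from the generated menu, and a superuser with a password_pbkdf2 hash makes GRUB require authentication before menu entries can be edited. The audit below is an added example, not code from the original post; it assumes Debian/Ubuntu-style GRUB 2 files (/etc/default/grub plus a custom /etc/grub.d file) and runs over constructed sample contents rather than real system files.

```shell
# Added example, not from the original post: audit GRUB 2 settings for the
# two controls that address the recovery-mode root shell described above.
# Assumes Debian/Ubuntu-style /etc/default/grub and an /etc/grub.d custom
# file; the file contents below are constructed samples, not real system files.

# 0 if the /etc/default/grub text (arg 1) disables recovery-mode entries.
grub_recovery_disabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*GRUB_DISABLE_RECOVERY="?true"?'
}

# 0 if the grub.d/grub.cfg text (arg 1) names a superuser and a hashed password.
grub_has_superuser_password() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]'
}

# Prints one line per control; returns the number of missing controls (0 = ok).
audit_grub() {
    missing=0
    if grub_recovery_disabled "$1"; then
        echo "ok:   recovery-mode menu entries are disabled"
    else
        echo "WARN: GRUB_DISABLE_RECOVERY not set; recovery entries offer a root shell"
        missing=$((missing + 1))
    fi
    if grub_has_superuser_password "$2"; then
        echo "ok:   GRUB superuser with PBKDF2 password configured"
    else
        echo "WARN: no GRUB superuser password; menu entries can be edited without auth"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed samples: a default install and a hardened one.
WEAK_DEFAULT='GRUB_DEFAULT=0
GRUB_TIMEOUT=5
#GRUB_DISABLE_RECOVERY="true"'
WEAK_CUSTOM='# no password lines'
HARD_DEFAULT='GRUB_DEFAULT=0
GRUB_DISABLE_RECOVERY="true"'
HARD_CUSTOM='set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH'

audit_grub "$WEAK_DEFAULT" "$WEAK_CUSTOM"; echo "weak config: $? control(s) missing"
audit_grub "$HARD_DEFAULT" "$HARD_CUSTOM"; echo "hardened config: $? control(s) missing"
```

On a real system, feed it the contents of /etc/default/grub and the /etc/grub.d file that carries the password lines, and remember that changes only take effect after update-grub regenerates the menu.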
Safety is an illusion
I’ve got to say, when I first read about this my jaw just dropped – surely it’s not that easy? But it is. So good job on the disk encryption and strong password use, but it’s all for naught. You’re not asked for a root password, or for an account password before you can reset anything – you’re just given full root access because you asked for it nicely. And with a Windows machine you just boot the box from an OphCrack CD and wait a few minutes before it delivers the password via the use of rainbow tables.
Absolutely incredible.