Monday, October 25, 2010

Breaking into computers - Newbie Series-1

Most of us know how to change/reset passwords or gain admin privileges from a guest account in Windows. So let’s see how this can be done on a Unix/Linux based OS, starting with how to change/reset the root password.

Getting Root on a Linux machine:

Root is simply a user account with maximum privileges, which can do anything it wants on the system. ‘Root’ is to Linux what ‘Administrator’ is to Windows.

Well, in this section we are not going to run any C program or do any kind of coding; we will simply exploit a small weakness in a feature that comes with Linux.

Before we move on, there is one thing you need to keep in mind: for this to work, you need physical access to the target system. First boot the target system and wait for the LInux LOader (LILO) prompt to come up.

At the LILO prompt, type ‘linux single’ (without quotes) or ‘linux 1’ to get a root shell where you can practically do anything.

If you have the GRUB boot loader, reboot the system and press the space bar until the GRUB screen appears, then press ‘e’ to edit the entry. Press ‘e’ again on the kernel line (the line starting with ‘kernel’); in the new window press the space bar, type ‘1’ and press Enter. Now press ‘b’ to boot the OS in run level 1, which gives you the root shell.

After the reboot, the system is running in single-user mode and you have a root shell where you can type any command accepted by the default shell on your system. Now type ‘linuxconf’. This brings up a blue screen, which is the Linux Configuration Utility. Go to Users > Root Password. This allows you to change the root password!!! Yes, you read that right: change the root password. Scroll down further and you can also add new accounts with root privileges.

The linuxconf utility is certainly not a hole in Linux. It was actually designed to help if the root password was forgotten.

Create a new account with root privileges:

Method-1

Well, there is yet another way in which we can get root. In the first method we typed ‘linuxconf’ at the bash shell prompt; instead, we could type the following to create a new account with root privileges and without any password:

echo "rajkumar::0:0:::" >> /etc/passwd

This command appends a line to the /etc/passwd file, the password file which stores the usernames and passwords of all accounts on the machine. One thing to remember here is that you can edit /etc/passwd only if you are logged in as root; in this case we are not logged in as root, but we have booted into single-user mode, which gives us a root shell, so we can still edit it.

Anyway, to understand exactly how the above command works and how it creates a new account without a password, we need to learn how the /etc/passwd file is structured.

The following is a line from a password file:

rajkumar:my_password:2:3:Rajkumar Godi:/home/rajkumar:/bin/bash

The above can in turn be broken up into:

Username: rajkumar
Encrypted Password: my_password
User number: 2
Group Number: 3
Actual Name: Rajkumar Godi (Optional)
Home Directory: /home/rajkumar (Optional)
Type of Shell: /bin/bash (Optional)

In our command, we have not included the optional fields or the password field of a typical password file line. Our command:

echo "rajkumar::0:0:::" >> /etc/passwd

can be rewritten as:

Username: rajkumar
Encrypted Password:
User number: 0
Group Number: 0
Actual Name:
Home Directory:
Type of Shell:

This creates a new account with root privileges, which can be used as a backdoor into the system.

If you have enabled shadow passwords, then the command changes to:

echo "rajkumar::0:0:::" >> /etc/shadow

A typical line from the password file on a system with shadow passwords enabled is as follows:
rajkumar:*:2:3:Rajkumar Godi:/home/ankit:/bin/bash

In a shadowed password file, the password field is replaced by a ' * ' (the ' * ' is called a token) so that the encrypted password does not show up in the password file; the list of encrypted passwords is stored in a different file which is not readable by normal users.
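To make the field layouts above concrete from the defender's side, here is an added example (not code from the original post) that parses passwd(5)- and shadow(5)-style text and flags exactly what the two appended-line tricks in this post leave behind: a second UID 0 account, an empty password field, and a username that now appears twice. The sample lines, including the appended rajkumar entry, are constructed for this example, and the shadow hash is a placeholder. It also shows that /etc/shadow has a nine-field layout rather than the seven-field layout of /etc/passwd.

```python
# Added example: audit passwd/shadow-format entries for the conditions the
# post describes (an extra UID 0 account, an empty password field, a
# duplicated username). Sample data below is constructed for this example;
# field layouts follow passwd(5) and shadow(5).
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample /etc/passwd, ending with the line the post appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rajkumar:my_password:2:3:Rajkumar Godi:/home/rajkumar:/bin/bash
rajkumar::0:0:::
"""

# Constructed sample /etc/shadow. Note the nine-field layout
# name:password:lastchange:min:max:warn:inactive:expire:reserved,
# which differs from the seven-field /etc/passwd layout. The hash is fake.
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
rajkumar::18500:0:99999:7:::
"""


@dataclass
class PasswdEntry:
    name: str
    password: str  # "" = no password set, "x" = look in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd(5) line into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)


def parse_passwd(text: str) -> List[PasswdEntry]:
    return [parse_passwd_line(l) for l in text.splitlines() if l.strip()]


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> password field from shadow(5) text (nine fields)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        result[fields[0]] = fields[1]
    return result


def audit(passwd_text: str, shadow_text: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    shadow = parse_shadow(shadow_text) if shadow_text else {}
    entries = parse_passwd(passwd_text)

    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account other than root")
        # Resolve the effective password field: "x" defers to /etc/shadow.
        pw = e.password
        if pw == "x":
            if e.name not in shadow:
                findings.append(f"{e.name}: marked shadowed but has no shadow entry")
                continue
            pw = shadow[e.name]
        # Whether an empty field actually permits login depends on the PAM
        # configuration (pam_unix nullok), so this is a finding to verify.
        if pw == "":
            findings.append(f"{e.name}: empty password field")

    # A shadow entry with an empty password is worth flagging on its own,
    # even when the matching passwd line does not defer to it.
    for name, pw in shadow.items():
        if pw == "":
            findings.append(f"{name}: empty password field in shadow")

    # The appended line reuses an existing username.
    counts = Counter(e.name for e in entries)
    for name, n in sorted(counts.items()):
        if n > 1:
            findings.append(f"{name}: username appears {n} times")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Running the block as a script prints the findings for the sample data; pointing audit() at the contents of the real files is the same call (reading /etc/shadow requires root). An empty password field is reported as a finding to check against the login configuration rather than as proof that a password-less login works.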

Method-2

Now, as you are in the root shell, launch your favourite editor (e.g. vi) and open /etc/passwd in it. Delete the encrypted text between the first two colons of the line containing the entry for root. This will not create a new account with root privileges, but will change the root password to null; basically, this gives you a root account without any password. Once you have removed the encrypted password, at the prompt type ‘init 3’ to switch back to the normal start-up, or for a graphical start-up type ‘init 5’.

Now, say you do not want to create a new account, but want to change the root password. What do you do? Simply use the passwd command and supply the new password. As you are in the root shell, the root password changes to the new one you supply. As simple as that!

OK, I get the point; Linux too is not 100% safe, so how can I make it safer? I will discuss that in my forthcoming posts.
Thank you for reading! Enjoy!

Note: Series-1 focused on breaking into computers to which we have physical access; in Series-2 let’s see how we can break into a remote machine.
