Passwords are the sole criteria of system Security for most of the System. And when it comes to Linux, if you know the root password you owns the machine. Passwords are as a Security measure for BIOS, Login, Disk, Application, etc.
Linux is considered to be the most Secure Operating System to be hacked or cracked and in reality it is, still we will be discussing some of the loop-holes and exploits of a Linux System. We will be using CentOS Linux throughout the article as an article to crack our own machine’s security.
Press any key to interrupt the boot, as soon as Linux machine boots and you will get a GRUB menu.
Press ‘e‘ to edit and go to the line starting with kernel (Generally 2nd Line).
Now press ‘e‘ to edit the kernel and add ‘1‘ at the end of line (after one blank space) forcing it to start in single user mode and thus prohibiting it to enter default run-level. Press ‘Enter’ to close the kernel editing and then boot to the altered option. For booting You need to press ‘b‘
Now you are logged in to single-user mode.
Yeah! Now using ‘passwd‘ command we can change the root password. And once you have root password you owns the Linux Machine – Don’t you Remember? You can now switch to graphical screen to edit anything and everything.
Note: In case the above ‘passwd‘ command doesn’t work for you and you didn’t get any output, it simply means that your SELinux is in enforcing mode and you need to disable it first, before proceeding further. Run following command at your prompt.
# setenforce 0
An then run the ‘passwd‘ command, to change root password. Moreover command.
Switch to X Windows
Use command “init 5” (Fedora Based) systems and “gdm3” (Debian Based) systems.
So was this not a cake-walk to hack a Linux box? Think about the scenario if somebody did this to your server, Panic! Now we will be learning how to safeguard our Linux Machine from being modified using single user mode.
How we breaked into the system? Using Single-user mode. OK, so the loophole here was – logging into single user mode without the need of entering any password.
Fixing this loophole i.e., password protecting the single user mode.
open file “/etc/rc1.d/S99single” in your favourite editor and search for line.
exec init -t1 s
Just add the following line above it. save it an exit.
exec sbin/sulogin
Before
After
Now before entering single user mode you will need to provide root password to proceed. Check again trying to enter single user mode after these changing above said file.
Why don’t you check it, Yourself.
Hack Your Linux System Without Using Single User Mode
OK, so now you will be feeling better that your system is secure. However this is partially true. It is true that your Linux Box can’t be cracked using single user mode but still it can be hacked the other way.
In the above step we modified the kernel to enter single user mode. This time also we will be editing the kernel but with a different parameter, let us see how ?
As a kernel parameter we added ‘1‘ in the above process however now we will be adding ‘init=/bin/bash’ and boot using ‘b‘.
And OOPS you again hacked into your system and the prompt is enough to justify this.
Now Trying to change the root password using the same process as stated in the first method using ‘passwd‘ command, we got something like.
Reason and Solution?
- Reason: The root (/) partition is mounted Read only. (Hence password was not written).
- Solution: Mount the root (/) partition with read-write permission.
To mount the root partition with read-write permission. Type the following command exactly.
# mount -o remount,rw /
Now again try to change the password of root using ‘passwd‘ command.
Hurrah! You hacked into your Linux System once again. Ohhh man is the system so easy to exploit. No! the answer is no. All you need is to configure your system.
All the above two process involved tweaking and passing parameters to kernel. So if we do something to stop kernel tweaking obviously our Linux box would be Secure and not that easy to break. And in order to stop kernel editing at boot we must provide password to boot loader, i.e., password protect the grub (Lilo is another bootloader for Linux but we won’t be discussing it here) boot loader.
Provide encrypted password to bootloader using ‘grub-md5-crypt‘ followed with your password. First encrypt the password
Copy the above encrypted password, exactly as it is and keep it safe we will be using it in our next step. Now open your ‘grub.conf‘ file using your favourite editor (location might be: /etc/grub.conf) and add the line.
password --md5 $1$t8JvC1$8buXiBsfANd79/X3elp9G1
Change “$1$t8JvC1$8buXiBsfANd79/X3elp9G1” with your encrypted password which you generated above and copied it safely to some other location.
The “grub.conf” file after inserting the above line, save and exit.
Now Cross Checking, editing the kernel at boot, we got.
Now you would be breathing that you system is fully secure now and not prone to hack, however still the game is not over.
You better know that you can enforce rescue mode to remove and modify the password using a bootable image.
Just put your installation CD/DVD in your drive and select Rescue Installed System or use any other rescue image, you could even use a Live Linux Distro, mount the HDD and edit the ‘grub.conf‘ file to remove password line, reboot and again you are logged in.
Note: In rescue mode Your HDD is mounted under ‘/mnt/sysimage‘.
# chroot /mnt/sysimage # vi grub.conf (remove the password line) # reboot
I know you would be asking- so where is the end. Well i would say is to.
- Password protect your BIOS.
- Change you Boot order to HDD first, followed by rest (cd/dvd, network, usb).
- Use Password sufficiently Long, Easy to remember, Hard to guess.
- Never write Your Password to anywhere.
- Obviously use Uppercase, Lowercase, Numbers and Special Character in your password thus making it hard to break.
This guide was just to make you aware of facts and tell you how to secure your System. Tecmint.com and the writer of this article strongly discourage this guide as a base of exploiting other’s system. It is the sole responsibility of the reader if they engage in any such activity and for such kind of act neither the write nor Tecmint.com will be responsible.
Your positive comments makes us feel good and encourages us and that is always sought from you. Enjoy and Stay Tuned.
It is a nice and useful article to hack a Linux system. Thanks for the good work.
This is all assuming that you have physical access to the system. Without physical access to the system most linux systems are secure. If you have physical access to the system all of these exploits are valid.
to the above file. This caused an outage and also blocked any access to the mode via root or any other user. Your post really helped me to log on and then correct the changes I made, then a reboot fixed everything and I was able to get back on.
Even if the boot order is HDD first and BIOS is locked, I can always unplug the HDD, plug in USB and boot, then plug in the HDD, right? How can one overcome this? I can think of one way.
In BIOS, do not put second boot preference at all…? But it doesn’t seem great. The HDD can be connected to a portal laptop or something like that and the password be removed.
Is it possible to encrypt these files in question? If this is possible, feels like the best way to secure the PC.
Best starting course in hacking and security world..
Very informative.
A very useful article to know how to hack a Linux system.
Here I guess It should be a /sbin/sulogin a little typo I guess
Well, even if we put a password for the bios, we can still crack it by resetting the CMOS, isn’t it?
What can be done for that?
You really saved me today. I am not a Linux admin, but was tasked with changing /nofile value to unlimited. I ran the ulimit -n unlimited, but ulimit -a still showed the value. It didn’t change. So I manually made changes to the /etc/security/limits.conf file by adding
to the above file. This caused an outage and also blocked any access the mode via root or any other user. Your post really helped me to log on and then correct the changes i made, then a reboot fixed everything and i was able to get back on.
I wish I had met you ages ago. Would have not facing TROUBLE and the Heart Burn I did. And saved me about US$1000/- REALLY…
Of course, physical access to a computer running ANY operating system is known to all security specialists to be a path to owning the machine. NOT NEWS.
[ask]
INIT: Id “x” respaawning too fase: desable for 5 minute
Awesome …Chains of Hacking tricks :)
Actually by passing the permission and re-setting the root password is a common practice, remember Linux is used to operate 24/7 as a server most of the time, hence no much of bios access.
But, if you own the machine you MUST encrypt it to protect your privacy (specially laptops), you have the encryption check-box when you install the system.
The bios is not our biggest problem but the external bootable device really.. solution is to encrypt.
I also encourage you to put a short Bios passcode, the idea of this short code is to know if someone accessed your machine, it is not a secret code, because you could easily reset it by cutting the current “the CMOS battery”.
are you saying that on a standard ubuntu install with boot luks encryption and home directory encryption options checked during the install process that you can still get into the system? can both the boot and home directory passwords be bypassed easily unless i make further changes?
I don’t think it will work with boot LUKS encryption and home directory encryption, though i have not checked it personally.
i am working on the operating system that acts the best possible window as per the req of user and used the resources as per the req of user and kill the extra things secondly its also have an other feature …. its run application automatically as user login with his articifial intelligence
Interesting article on resetting your own root-password.
You missed one boot command-line parm which I find exceptionally usefull. It is “?init-/bin/sh”. Excellent for getting into the pre-execution environment. This is usefull for examining the boot script(s).
See ./Documents/ .
Yeah pim!
Thanks for the concern
Have gone through the article and I must say that it is an eye-opener indeed.But , to be a hacker and really being able to break the root password would be to retrieve the root password itself and not resetting it.For example , there is a remote linux server somewhere around the world.I know the ip address of the server and so I want to compromise the server.In such a scenario , a real root password hacking would be being able to break the root password remotely and then owning the system.
So , is that possible ?
No! Simply not.
Avishek: KM: Yes, it is possible. Not in the same ways described by Avishek of course, but it is possible to remotely exploit some vulnerability on the server and gain root access.
I’m not able to get a GRUB menu, when I press any key to interrupt the boot.
why don’t you check log files?
There is something called a BIOS and grub password.
If you lock the machine and put a BIOS password and a grub password then you need to physically break the lock and the cover to access the machine.
We do this to show evidence of attempts to mess with the machine.
For users who do not know the root password and keep it that way, just put a lock on the box, BIOS and GRUB.
The installation usually asks if you want a grub password.
You are showing people how to change the root password after NOT putting a boot loader grub password.
— Khawar Nehal
Yeah! a process of learning. May be different point of view :)
This is an excellent article on hardening physical security.
Well done!
Thanks @ Marcel, For your valueable feedback.
I have a vmdk file which is password protected and bootloader also protected by Password.
My question is, Is there any way to login or crack the boot password.
Please any one reply this ASAP..
Thanks for your time.
can you do this remotely?
Not possible unless you have a Remote Code Execution vulnerability in the server and even if thats the case that vulnerability has to be in a process that has a root privilege
Hi Avishek,
Good post , look like you missed to include LUKS, its provides a better way protecting your machine from these simple dorks
can i change the boot image and splash screen of my fedora and centos ??
I have done the last option many times (dvd or usb booting) on some customers. Sysadmin leaves the company and they dont know root pass or sysadmin forgot root pass or sometimes they got hacked and root pass was changed…
I personally believe that the info in this article is very useful for sysadmins and security people. Really brilliant article.
When taking all this info to the practice in the real world, just make sure you guys are not doing something illegal. So just practice on your own systems or make sure that the ones asking you for help are the legitimate owners of the hacked system and it is indeed needed to be hacked.
Thanks for all this useful info on different ways to do useful things.
I then type the first letter of the password and I get immediately:
Quote:
Login incorrect
Give root password for maintenance
(or type Control-D to continue):
And so it goes on and on…. until i switch the machine off or reboot.
I think there is a bug here.
What is X Windows?
The X Window known as X or X11 is a computer application system and network protocol that gives GUI (Graphical User Interface) to users.
You can password protect your grub configuration.
The above methods still leave the system open to being accessed via a live CD, from which you can chroot to the installed system, circumventing the GRUB password. Or just re-install grub.
As others have stated 1) Physical access essentially allows any system to be owned and 2) Encrypting the drive is one of the best ways to prevent unauthorized access.
Y’all didn’t read everything do you?
* Password protect your BIOS.
* Change you Boot order to HDD first, followed by rest (cd/dvd, network, usb).
Now you can’t book from a cd… Nor can you change it to boot from cd.
*Password protect your BIOS…
If you have physical access to the machine, take a screwdriver, unplug the computer and open it (desktop or laptop). Then you locate the battery (flat battery) on the motherboard. You removed it for at least 10 seconds, it will reset the BIOS settings and hence forget the password protecting the BIOS. Enjoy… :D
@ Boomerang, Actually the Organisation, for this reason only puts a physical lock on the Machine.
As someone said, I feel it is an eye-opener. Of course, there always pros and cons of every activity. Thanks for the interesting article Avisek.
Keep up the good work!!
Cheers,
Raghavan alias Saravanan M
Jeddah | Kingdom of Saudi Arabia.
security starts with controlling access to the machine; without access to the console nobody could do the things you describe here
anyway, these are not hacks, I learned these when I got my rhce 10 years ago :))
and of course, these days I never install an operating system on a non-encrypted disk
cheers,
This has nothing to do with hacking, nor it shows how Linux is insecure. If someone has physical access to your server, the server is already theirs.
You could deny him access by encrypting your drive, but you would never encrypt a server, since you will have a performance penalty. This article should have probably been called how to change your root password if you forgot it.
If you were aiming for desktop security, than this is also insecure, since if someone took your hard drive they could still do whatever they want with it. The only way to secure a desktop PC is to encrypt the drive/partition.
Precisely what I thought.
These are ways provided within linux to get around the forgotten password issue and not loopholes as its discussed here..
Do you think linux developers are dumb not to fix these if they were loopholes?
These are some useful features left for admin’s use. Every linux admin would know this.
Not trying to bring down the article or something. But the way you are portraying the topic is not right. As Kustodian said, this is suppose to be tips on how to reset your password..
How is this not hacking? (Serious question)
IF someone has physical control of your box and can take it down, reboot, etc. they still own you. For example I can take a bootable cd, boot it, mount your partition and edit out all those changes. That’s why all the smart linux folks haven’t bothered to plug those holes. Encrypting your filesystems would make it much more difficult.
@ curt Wuollet, I agree encryption is better idea.
One of the main rules of information security: If the hacker has physical access to your machine – it’s no longer your machine.
yes! True @ Richard Steven Hack.
Haha, the `init` parameter hack is interesting! Anyway, the best way to protect your data is encrypt the disk, and use special mechanisms to prevent cold boot attack. This prevents the attackers who control your device physically, including installing your HDD on another computer and access the data.
Thanks @ ep0xcc, for your Valueable Feedback
good tutorial. There is a typo here:
passwor –md5 $1$t8JvC1$8buXiBsfANd79/X3elp9G1
password is missing the last “d”
Yeah! sorry @ [email protected],
going to fix it.
if you use full disk encryption then you can prevent these problems though the boot loader can be compromised for an evil maid attack if the attacker is determined so you may need to have that initial bootable partition an a portable stick that is always with you
@ x321x321, That’s a good idea but still system can be compromised and it happens daily.
This has been a very eye opening tutorial – I’ll have to test it out. Obviously the hacker would have to have access to my machine to run these exploits right? If the machine is secure then these hacks would be impossible to run over the network – or am I missing something. Great read – keep up the good work…
Chow
Tonto
Thanks @ Tonto for your feedback.
These aren’t exploits. These are password recovery methods.