16 comments

[ 0.25 ms ] story [ 46.2 ms ] thread
Assuming there's no grub password set. And assuming you don't need a password to reboot it.
Exactly. It's not any attacking method, but can be handy sometimes.
If you find the LILO prompt instead of the GRUB screen, use the option "init=/bin/sh" instead.

As already pointed, this is not an attacking method, but just a recovery method. From the POV of security, getting physical access to the console is already bad.

Of course, totally agree. Yes, thanks for the LILO tip.
This is the best method. Use whatever boot loader you have (and you can provide your own via CD, USB, PXE, floppy, etc) to add a kernel argument to run a shell as init process. `mount -av` once booted should bring the filesystems in line.

If you find the BIOS is locked, the drive is encrypted, or you can't run your own bootloader (or edit theirs), use a DMA [1][2] or cold boot [3] attack. This should be the first thing you attempt if the machine is already booted up, in case the drive is encrypted. (Also trying a network attack using metasploit before trying the cold boot attack might net results)

  [1] http://www.breaknenter.org/projects/inception/
  [2] https://github.com/mrbreaker/mofo
  [3] http://www.linuxjournal.com/magazine/cold-boot-attack-tools-linux
This is not HN material
(http://ycombinator.com/newsguidelines.html)

> Please don't submit comments complaining that a submission is inappropriate for the site. If you think something is spam or offtopic, flag it by going to its page and clicking on the "flag" link. (Not all users will see this; there is a karma threshold.) If you flag something, please don't also comment that you did.

This was how the RHCE (Red Hat Certified Engineer) exam begun when I took it a few years back...

However, instead of selecting "recovery mode" you had to edit the boot line and add a "s" for single user mode.

I had this question on a job interview for a system admin role. It was the first technical question :)
Nice, this is how we usually get (unauthorized) root access on our school's *NIX systems.
If you have physical access to a Linux computer, then your options are unlimited. Manipulating grub could be one of it.

Things that come in my mind :

- Use USB Flash/CD to boot something else, mount the hard-drive and do some nasty stuff to passwd file.

- If you have your BIOS locked, you can simply remove the hard drive and use another box to do the same.

- If you got your BIOS locked with a password, you can simply remove the battery for 1-2 minutes and put it back!

- No access to the battery?! Remove the hard drive, boot from CD/usb key ( since there is no hard drive almost every BIOS will search for something to boot from ) and flash the BIOS :D

No system is secured if you have physical access to the hardware.

Great ideas! Of course, system can't be secure when you have physical access to the hardware.

What I shared is is not an attacking method, but just a recovery method, which was helpful for me recently, so I hoped that it can be helpful to someone else as well.

My disk is encrypted. Bootloader, kernel and encryption keys are with me on USB flash. Good luck trying this approach.
A DMA, cold boot or network attack might work :)