Chapter 8

Physical Security

Lab Exercises

8.01   Linux Password Recovery

8.02   Cisco Router Password Recovery

8.03   Cisco Switch Password Recovery

Lab Analysis

Key Term Quiz

In college lab settings, servers, routers, and switches are physically accessible. In some labs, although these systems are locked down or attached to racks, students can still physically access them and insert and remove cables and components. On the premises of enterprise networks, though, servers, routers, and switches are kept in locked rooms, where only authorized individuals have physical access to these systems. Physical security must be rigorously implemented and enforced; otherwise, hacking into Linux systems, Cisco routers, and Cisco switches becomes trivial. Of course, if a person gains physical access and has malicious intentions, they can physically destroy these systems instead. A malicious user who is able to log in to these systems as a result of physical access can cause great damage and breach confidentiality, integrity, and availability.

30 MINUTES

Lab Exercise 8.01: Linux Password Recovery

If you don’t physically secure your Linux system, anyone can gain access to it using the steps in this lab exercise. “Linux Password Recovery” is the “nice” way of describing this lab, but another (and just as accurate) way to describe it is “Hacking into a Linux System.” Like many cybersecurity concepts, the steps in this exercise can be used for good (password recovery) or bad (malicious hacking) purposes. Windows operating systems don’t have this “native” hacking capability, but an attacker can do something similar using third-party tools.

Learning Objectives

In this lab exercise, you’ll penetrate a Linux system with the highest privileges, without authenticating with any credentials. After this lab exercise, you’ll be able to

•   Get a passwordless root shell on any Linux distribution

•   Understand the benefits and damage this can cause

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Kali Linux VM you installed in Chapter 1

Let’s Do This!

Power on your Kali Linux VM, from VMware Workstation Player.

You’ll have to be quick with your fingers in the next step, so do a few hand exercise warmups!


Step 1 In the following steps, you’re going to halt the normal booting process of Kali Linux. When a machine is powered on, its Basic Input/Output System (BIOS) runs a power-on self-test (POST), checking the keyboard, mouse, RAM, drives, and other hardware components; after a successful POST, a bootloader is called. The bootloader, the first program that runs after the POST, loads an operating system’s kernel and transfers control to it, and the kernel then initializes the other parts of the operating system. The bootloader on most Linux distributions is GNU GRUB 2 (GNU GRand Unified Bootloader version 2). By modifying this process, you will be able to take full control of the system.

a.   Click into the VM with your mouse (pressing CTRL-G will also put you in the VM) when you see the GRUB boot menu (see Figure 8-1). You’ll have only a few seconds to accomplish this step and the next one.


FIGURE 8-1 GRUB boot menu

b.   Immediately, press the E (for edit) key on the keyboard, which will launch the configuration screen shown in Figure 8-2.


FIGURE 8-2 GRUB configuration screen

c.   Look for the line that starts with linux and has vmlinuz (the Linux kernel) in it (this line is shown at the bottom of the box in Figure 8-2, with an arrow added for emphasis). Go to the end of that line: place the cursor on the line and press the END key. Then type init=/bin/bash at the end of the line. The entry will wrap around to the next line on the screen. This instructs the Linux kernel to launch /bin/bash instead of running init. On most Linux distributions today, init is a symbolic link to systemd, the daemon process that starts when the machine starts and is the direct or indirect parent of every running process. On these distributions, the init daemon was replaced with systemd, which handles startup more cleanly than init did and minimizes the unnecessary delays that were common with init.

Normally, the init symbolic link would call systemd, which would start up the system and create the environment. Adding init=/bin/bash to the configuration causes the system to boot right into a passwordless root shell instead.

d.   On that same line, you’ll also see ro. Change that ro to rw. Notice the changes in Figure 8-3. This instructs the Linux kernel to mount the root file system on the hard drive in read/write mode rather than the default read-only mode. Normally, the disk stays read-only until its integrity has been checked, after which a process remounts it read/write. With your change, the passwordless root shell can write to the hard drive immediately.


FIGURE 8-3 Configuration changes

Keep in mind that these changes are not preserved, so the next time you power up the VM, the configuration will not show your changes, and the booting process will revert back to the normal way it booted before.

e.   Press CTRL-X or press F10 to launch a passwordless root shell, as shown in Figure 8-4. This works even if the root account is locked and even if the root account doesn’t have a password configured!


FIGURE 8-4 Passwordless root shell


Step 2 At this point, you have full control of the system. Now, consider what can be done from a recovery perspective and what can be done from a malicious perspective.

a.   Perform a sequence of commands that illustrates the act of recovering from a cybersecurity incident (that deleted files, for example) or some accidental situation or actions (forgetting a password or accidentally messing up important configuration files, for example). Feel free to set up this sequence by executing other commands first.

b.   Perform a sequence of commands that deals with attacking and manipulating the system for malicious purposes (adding or deleting files, for example). Feel free to set up this sequence by executing other commands first.

Step 3 Continue the boot process by entering the command exec /sbin/init, which executes init (from the sbin directory)—remember that earlier, /bin/bash was launched instead of init.
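The two things a defender most wants to know after this lab are whether a system was booted this way and whether the bootloader could have refused the edit. The following script is an added example written for this lab manual, not code from the book or from Kali; it checks a kernel command line (the text of /proc/cmdline, which still shows init=/bin/bash after you run exec /sbin/init in Step 3) for the init= override and the ro-to-rw change from Steps 1c and 1d, and checks a grub.cfg for the GRUB 2 superuser password (set superusers and password_pbkdf2) that makes GRUB prompt for credentials before it allows the E key. All inputs below are constructed samples; the kernel file names and the PLACEHOLDER salt and hash are not real values.

```python
"""Defender-side checks for the GRUB edit in Lab Exercise 8.01.

Added example, not part of the lab manual. Two checks:
  1. audit_cmdline(): inspect a kernel command line (the text of /proc/cmdline
     on a running system) for the init= override and the ro -> rw change.
  2. grub_menu_edit_protected(): inspect a grub.cfg for a superuser password,
     which makes GRUB 2 ask for credentials before it lets anyone press E.
All sample inputs below are constructed for this example.
"""
import re

# Constructed: what /proc/cmdline shows after the edits in Steps 1c and 1d.
CMDLINE_EDITED = (
    "BOOT_IMAGE=/boot/vmlinuz-6.x-example root=UUID=1234-abcd "
    "rw quiet splash init=/bin/bash"
)
# Constructed: the same system booted normally.
CMDLINE_NORMAL = (
    "BOOT_IMAGE=/boot/vmlinuz-6.x-example root=UUID=1234-abcd ro quiet splash"
)

# Programs the kernel is normally told to run as PID 1 (systemd or its /sbin/init link).
EXPECTED_INIT = {"/sbin/init", "/lib/systemd/systemd", "/usr/lib/systemd/systemd"}


def parse_cmdline(cmdline):
    """Split a kernel command line into a dict; bare flags such as ro map to True."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else True
    return params


def audit_cmdline(cmdline):
    """Return findings (strings) for one kernel command line; empty means clean."""
    params = parse_cmdline(cmdline)
    findings = []
    init = params.get("init")
    if init and init not in EXPECTED_INIT:
        # Step 1c: init=/bin/bash makes the kernel run a shell as PID 1 instead of systemd.
        findings.append(f"init overridden: init={init}")
    if "rw" in params and "ro" not in params:
        # Step 1d: ro changed to rw so the root file system is writable from that shell.
        # Some distributions boot with rw by default, so treat this as supporting evidence.
        findings.append("root mounted rw from the bootloader (ro replaced)")
    return findings


# Constructed grub.cfg fragments. The protected one uses the GRUB 2 directives
# 'set superusers' and 'password_pbkdf2' (hash produced by grub-mkpasswd-pbkdf2;
# the PLACEHOLDER values stand in for a real salt and hash).
GRUB_CFG_UNPROTECTED = """\
set timeout=5
menuentry 'Kali GNU/Linux' {
    linux /boot/vmlinuz-6.x-example root=UUID=1234-abcd ro quiet splash
    initrd /boot/initrd.img-6.x-example
}
"""
GRUB_CFG_PROTECTED = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
set timeout=5
menuentry 'Kali GNU/Linux' --unrestricted {
    linux /boot/vmlinuz-6.x-example root=UUID=1234-abcd ro quiet splash
    initrd /boot/initrd.img-6.x-example
}
"""


def grub_menu_edit_protected(grub_cfg):
    """True when grub.cfg names superusers and gives at least one of them a PBKDF2 password.
    With both in place, GRUB 2 prompts for that password before allowing edits (the E key);
    entries marked --unrestricted can still be booted unchanged without it."""
    m = re.search(r'^\s*set\s+superusers\s*=\s*"?([^"\n]+?)"?\s*$', grub_cfg, re.M)
    if not m:
        return False
    names = {n for n in re.split(r"[,\s]+", m.group(1)) if n}
    for pw in re.finditer(r"^\s*password_pbkdf2\s+(\S+)\s+grub\.pbkdf2\.sha512\.", grub_cfg, re.M):
        if pw.group(1) in names:
            return True
    return False


if __name__ == "__main__":
    print(audit_cmdline(CMDLINE_EDITED))
    print(audit_cmdline(CMDLINE_NORMAL))
    print(grub_menu_edit_protected(GRUB_CFG_PROTECTED), grub_menu_edit_protected(GRUB_CFG_UNPROTECTED))
```

On a live system you would pass the contents of /proc/cmdline to audit_cmdline and the contents of /boot/grub/grub.cfg (readable only as root on most distributions) to grub_menu_edit_protected. A GRUB password only raises the bar for the edit shown in this lab; someone with physical access can still boot other media or remove the disk, which is the point of the Lab Analysis questions.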

30 MINUTES

Lab Exercise 8.02: Cisco Router Password Recovery

If you don’t keep your routers (and switches, as you’ll see in Lab Exercise 8.03) in a locked room, anyone who gains physical access can wreak havoc on them by following the steps in this lab exercise. “Cisco Router Password Recovery” is the “nice” way of describing the lab exercise, but another (and just as accurate) way to describe it is “Hacking into a Cisco Router.” Again, like many cybersecurity concepts, these steps can be used for good (password recovery) or bad (malicious hacking) purposes.

Learning Objectives

In this lab exercise, you’ll penetrate a Cisco router with the highest privileges, without authenticating with credentials. After this lab exercise, you’ll be able to

•   Get into privileged EXEC mode on a Cisco router

•   Understand the benefits and damage this can cause

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   A web browser with an Internet connection

•   A Cisco router (almost any model will do; this process is the same on just about all models)

•   A rollover/console cable

•   A USB-to-serial converter (if your rollover/console cable is 8P8C-to-serial)

Let’s Do This!

Before you can start this lab exercise, you’ll need to set up the hardware and software involved. After connecting a router to your PC, you’re going to download and install software that will allow you to send keystrokes from your keyboard to the router and receive output from the router on your monitor.

Connect the 8P8C side of the rollover/console cable to the console port on your router and the USB side (with or without an adapter) to a USB port on your PC. (Note that the 8P8C connector is usually incorrectly referred to as RJ-45: see https://packetlife.net/blog/2008/nov/8/rj45-isnt-really-rj45/.)

Download PuTTY from www.chiark.greenend.org.uk/~sgtatham/putty/. Then launch PuTTY.

On the Basic Options For Your PuTTY Session screen, make sure that the Serial radio button is selected.

Assuming you’ve connected the rollover/console cable (or adapter) to a USB port on your machine, click the Windows button (or click in the Windows 10 search box on the taskbar), type Device Manager, and select Device Manager.

Expand the Ports (COM & LPT) section and note the port used by your USB-to-Serial Comm port. Figure 8-5 shows that it’s COM5 for me.


FIGURE 8-5 Device Manager

Back in PuTTY, change the serial line port to the port identified in Device Manager.

In the Category: pane on the left, click Serial.

Under Options Controlling Local Serial Lines, verify the following settings (the last one should be the only nondefault value):

Serial Line To Connect To: COMx (where x represents the port you identified earlier)

Speed (Baud): 9600

Data Bits: 8

Stop Bits: 1

Parity: None

Flow Control: None

Click Open. You may have to press ENTER in the PuTTY command-line window before you see a prompt, where you can type commands.

Moving forward, if this is your first time using the device and it is factory reset, start with just Step 2e and then go right back to Step 1a.


Step 1 Before you perform password recovery (or hack into a router), a password needs to be in place. You’ll set one up in this step.

The router will boot into user EXEC mode, which enables you to perform basic tasks and display limited information. You’ll see the Router> prompt. Type in the following commands and press ENTER after each command.

a.   Welcome to the Cisco IOS (Internetwork Operating System)! Type enable at the prompt to move to privileged EXEC mode (also called enable mode because of the command needed to get there), which enables you to perform unrestricted tasks at this and other levels and also enables all information to be displayed:

Router>enable

b.   At the Router# prompt, enter configure terminal to move into global configuration mode, where the running configuration can be modified:

Router#configure terminal

c.   At the Router(config)# prompt, enter enable secret ccna to configure ccna as the enable secret, which is the password (now needed for privileged EXEC mode) that will be stored as a hash in the startup-config and running-config files (coming up in Step 1e):

Router(config)#enable secret ccna

d.   Enter exit to move back down to privileged EXEC mode:

Router(config)#exit

e.   Type show running-config to see the router’s running configuration (through the running-config file) in RAM:

Router#show running-config

You should see a line that starts with enable secret, followed by a number (representing the specific hash function used) and the hash of the enable secret.

f.   Type copy running-config startup-config to copy this configuration file in RAM to NVRAM, where it will be stored as the startup-config file:

Router#copy running-config startup-config

The next time the router boots, the startup-config file will be loaded into RAM and will become the new running-config file.

g.   Type reload to reboot the router:

Router#reload

h.   Type enable at the prompt:

Router>enable

i.   At the Password prompt, enter your first name:

Password: <your name>

j.   Enter two more incorrect passwords. After you’ve entered these three incorrect passwords, you’ll see the user EXEC mode prompt again.

Password: <your name>
Password: <incorrect password>
Password: <incorrect password>
% Bad secrets
Router>


Step 2 At this point, you need to recover the password to once again gain access to the router. You’re going to do that in yet another mode.

a.   Power off and power on the router—the power button is on the back of the router. You’ll have 60 seconds from when the router starts booting up to perform the Step 2b.

b.   Press CTRL-BREAK to place the router in ROMMON (ROM monitor) mode. When a router is powered on or resets, the ROM monitor firmware is launched, which assists the initialization of the processor hardware and boots the Cisco IOS. ROMMON mode is used to execute certain configuration tasks such as password recovery or downloading software through the console port. In the absence of an IOS image, a router will boot directly into ROMMON mode. The syntax in ROMMON mode is different from the “regular” modes you saw earlier. Furthermore, the prompt contains a number that increments with each command you execute in this mode.

c.   At the rommon 1 > prompt, enter confreg 0x2142, which alters the configuration register value to make the router boot from flash memory, without loading the startup-config file from NVRAM into RAM as the running-config file, as it normally would.

rommon 1 > confreg 0x2142

By not loading the startup-config file, which contains the password configuration, into RAM as the running-config file, there will be no password prompt for privileged EXEC mode.

d.   At the rommon 2 > prompt, enter reset (the number after rommon increases after each command):

rommon 2 > reset

The router will reboot with a default configuration.

e.   At the “Would you like to enter the initial configuration dialog? [yes/no]:” prompt, type no. At the Press RETURN To Get Started! prompt, press ENTER.

f.   At the Router> prompt, enter enable, and notice that now there is no password prompt:

Router>enable

g.   At the Router# prompt, enter copy startup-config running-config to take the startup-config file from NVRAM and load it into RAM as the running-config file:

Router#copy startup-config running-config

Wait a minute! Didn’t we just bypass this with the configuration register change in ROMMON mode? Yes, we did! Without that change, we would have needed to provide a password for privileged EXEC mode. Now that we’re “in,” we can bring the configuration back. We can compare this to creative bank robbers. Instead of robbing the bank and walking away with the money, they’d be lifting up the entire bank (in the middle of the night when no one is around) and placing it where they are standing, so that they are inside the vault with all the money when the structure comes down on top of them!

h.   Enter configure terminal to go into global configuration mode:

Router#configure terminal

i.   At the Router(config)# prompt, enter config-register 0x2102 to restore the configuration register to its previous value (before it was altered in ROMMON mode), which will make the router load startup-config from NVRAM as running-config into RAM, the next time it boots up:

Router(config)#config-register 0x2102
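From the defender’s side, the two artifacts this lab leaves behind are the configuration register and the enable secret line. The script below is an added example written for this lab manual, not Cisco code or the book’s own; it parses the “Configuration register is …” line of show version (including the “will be … at next reload” form you get between Step 2i and the next reload) and flags bit 6 (0x0040), the bit that 0x2142 adds to 0x2102 and that tells the router to ignore startup-config, and it reads the hash-type number that follows enable secret in show running-config (Step 1e). The IOS output excerpts are constructed samples; check them against your own router.

```python
"""Defender-side checks for the router evidence in Lab Exercise 8.02.

Added example, not Cisco's code or the lab manual's. It parses two pieces of
IOS output a reviewer would collect after an unexplained reboot:
  - the 'Configuration register is ...' line of 'show version' (Steps 2c and 2i)
  - the 'enable secret' line of 'show running-config' (Step 1e)
The sample outputs are constructed to resemble IOS; compare with your device.
"""
import re

# Bit 6 (0x0040) of the configuration register tells the router to ignore
# NVRAM, i.e. boot without loading startup-config. 0x2142 == 0x2102 | 0x0040.
IGNORE_NVRAM_BIT = 0x0040
NORMAL_REGISTER = 0x2102

# Constructed: register changed in ROMMON (Step 2c) and not yet restored.
SHOW_VERSION_TAMPERED = """\
Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Configuration register is 0x2142
"""
# Constructed: after 'config-register 0x2102' (Step 2i) but before the reload.
SHOW_VERSION_PENDING = """\
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""
# Constructed running-config excerpt with the type-5 hash line Step 1e describes.
RUNNING_CONFIG = """\
!
hostname Router
!
enable secret 5 $1$CONSTRUCTED$examplehashvalue
!
line con 0
"""

# Hash types IOS uses for 'enable secret': 5 is salted MD5 (legacy),
# 8 is PBKDF2-SHA256 and 9 is scrypt (the current recommendations).
ENABLE_SECRET_TYPES = {"5": "MD5", "8": "PBKDF2-SHA256", "9": "scrypt"}

REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_config_register(show_version):
    """Return (current, next) as ints; next is None when no change is pending."""
    m = REGISTER_RE.search(show_version)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def ignores_startup_config(register):
    """True when bit 6 is set: the boot skips startup-config, as 0x2142 does."""
    return bool(register & IGNORE_NVRAM_BIT)


def audit_config_register(show_version):
    """Findings for the register line; empty means the router boots normally."""
    current, pending = parse_config_register(show_version)
    findings = []
    if ignores_startup_config(current):
        findings.append(f"current register {current:#06x} ignores startup-config")
    next_boot = current if pending is None else pending
    if ignores_startup_config(next_boot):
        findings.append(f"next boot register {next_boot:#06x} ignores startup-config")
    return findings


def enable_secret_info(running_config):
    """Return (hash_type, description) for the enable secret, or None if absent.
    The number after 'enable secret' is the hash type Step 1e refers to."""
    m = re.search(r"^enable secret (\d+) \S+", running_config, re.M)
    if not m:
        return None
    hash_type = m.group(1)
    return hash_type, ENABLE_SECRET_TYPES.get(hash_type, "unknown type")


if __name__ == "__main__":
    print(audit_config_register(SHOW_VERSION_TAMPERED))
    print(audit_config_register(SHOW_VERSION_PENDING))
    print(enable_secret_info(RUNNING_CONFIG))
```

Running show version as part of routine checks catches a router that was left at 0x2142 after Step 2c, and a running-config with no enable secret line at all (enable_secret_info returns None) is the state Step 2f exploits.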


Step 3 At this point, you have full control of the router, and it’s set up to boot normally again. Think about all the malicious things a cyberattacker would be able to do here. Now it’s time to reset the password because if you don’t, you’ll find yourself in the same situation of needing to perform password recovery!

a.   Configure a new enable secret.

b.   Save the running configuration to the startup configuration.

c.   Reload the router and get to privileged EXEC mode with the new password you just configured.

30 MINUTES

Lab Exercise 8.03: Cisco Switch Password Recovery

In this lab exercise, instead of performing password recovery on (or hacking into) a router, you’ll do it on a switch.

Learning Objectives

In this lab exercise, you’ll penetrate a Cisco switch with the highest privileges, without authenticating with valid credentials. After this lab exercise, you’ll be able to

•   Get into privileged EXEC mode on a Cisco switch

•   Understand the benefits and damage this can cause

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   PuTTY from the previous lab exercise

•   A Cisco switch (almost any model will do; this process is the same on just about all models)

•   A rollover/console cable

•   A USB-to-serial converter (if your rollover/console cable is 8P8C-to-serial)

Let’s Do This!

Start off with the same setup in the “Let’s Do This!” section in Lab Exercise 8.02 (to console into the switch and get PuTTY running), as well as all of Step 1 of that lab exercise (to set an enable secret and fail to provide the correct password when prompted). Step 1 of this lab exercise assumes you’ve already followed those steps in the last lab exercise. If this is your first time using the device and it is factory reset, start with this lab exercise’s Step 2f and then go back to Step 1.

Step 1 Remove the power cable from the switch. Interestingly enough, Cisco switches do not have power buttons like Cisco routers.

This may seem a little odd, but to get the ball rolling with Cisco switch password recovery, you’re going to need to hold down the Mode button, on the far left side of the front of the switch, as you plug the power cable back into the switch. As you did in the previous lab exercise, press ENTER after each command.


Step 2 Like the hardware step you just did, the software process you’re about to do (performing password recovery on the switch) is very different from the password recovery process you performed on the router in the previous lab exercise.

a.   At this point, the switch should boot into switch: mode. Enter flash_init at the switch: prompt to initialize the flash file system:

switch: flash_init

b.   At the switch: prompt, enter load_helper to load and initialize boot helper images that can extend or patch the boot loader’s functionality:

switch: load_helper

c.   To see the contents of flash, enter dir_flash at the switch: prompt:

switch: dir_flash

d.   At the switch: prompt, enter rename flash:config.text flash:config.old to hide the switch’s configuration from being seen during the time it boots:

switch: rename flash:config.text flash:config.old

Cisco switches save configuration in two files that have the same contents. The startup-config file in NVRAM is used by switches during the booting process, like routers. Switches, however, have another file in flash, config.text, which is used for the purpose of this lab exercise: password recovery. The startup-config file is linked to the config.text file, and that’s why this step is needed. When you rename config.text to config.old, the switch isn’t able to map the startup-config file to config.text (since it doesn’t exist anymore). As a result, the startup-config file is not loaded into RAM as the running-config file when the switch boots up.

e.   Now boot the switch.

switch: boot

f.   At the “Would you like to enter the initial configuration dialog? [yes/no]:” prompt, enter no. When prompted to Press RETURN To Get Started!, press ENTER.

g.   At the switch> prompt, enter enable to go into privileged EXEC mode:

switch>enable

h.   At the privileged EXEC mode prompt, enter rename flash:config.old flash:config.text, which restores the file’s original name and allows it to be found the next time the switch boots up:

Switch#rename flash:config.old flash:config.text
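The trace this procedure leaves on the switch is in flash: between Step 2d and Step 2h there is a config.old and no config.text, and if Step 2h is skipped the config.old stays behind. The script below is an added example written for this lab manual, not Cisco code or the book’s own; it parses the output of dir flash: from privileged EXEC mode and reports both conditions. The listings are constructed to resemble IOS output, and the image file name is a placeholder.

```python
"""Defender-side check for the switch evidence in Lab Exercise 8.03 (Steps 2d and 2h).

Added example, not Cisco's code or the lab manual's. It parses the output of
'dir flash:' from privileged EXEC mode and reports the two states the lab
creates: config.text renamed away (so startup-config cannot be loaded) and a
leftover config.old (the rename in Step 2h was skipped). The listings below
are constructed to resemble IOS output.
"""
import re

# Constructed: flash as it looks between Step 2d and Step 2h.
DIR_FLASH_RENAMED = """\
Directory of flash:/

    2  -rwx        1424   Mar 1 1993 00:01:23 +00:00  config.old
    3  -rwx     9876543   Mar 1 1993 00:02:00 +00:00  c2960-example-image.bin
    4  -rwx         616   Mar 1 1993 00:03:00 +00:00  vlan.dat

32514048 bytes total (22000000 bytes free)
"""
# Constructed: flash after Step 2h restored the original name.
DIR_FLASH_NORMAL = """\
Directory of flash:/

    2  -rwx        1424   Mar 1 1993 00:01:23 +00:00  config.text
    3  -rwx     9876543   Mar 1 1993 00:02:00 +00:00  c2960-example-image.bin
    4  -rwx         616   Mar 1 1993 00:03:00 +00:00  vlan.dat

32514048 bytes total (22000000 bytes free)
"""

# One entry line: index, permissions, size, timestamp words, then the file name.
ENTRY_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+)\s+.*\s(\S+)\s*$")


def parse_dir_flash(listing):
    """Return {file name: size in bytes} for each entry line of 'dir flash:'."""
    files = {}
    for line in listing.splitlines():
        if line.startswith("Directory of") or "bytes total" in line or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            files[m.group(3)] = int(m.group(2))
    return files


def audit_flash_listing(listing):
    """Findings about the saved configuration; empty means nothing unusual."""
    files = parse_dir_flash(listing)
    findings = []
    if "config.text" not in files:
        # Step 2d: with config.text gone, startup-config cannot be mapped and is not loaded.
        findings.append("config.text missing: startup-config cannot be loaded at boot")
    if "config.old" in files:
        # Step 2h not performed (or performed with a different name): evidence left in flash.
        findings.append(
            f"config.old present ({files['config.old']} bytes): renamed configuration left behind"
        )
    return findings


if __name__ == "__main__":
    print(audit_flash_listing(DIR_FLASH_RENAMED))
    print(audit_flash_listing(DIR_FLASH_NORMAL))
```

Because the file is renamed rather than deleted, its size and timestamp survive the procedure; comparing the size of config.old with the last known size of config.text tells you whether the configuration itself was altered before it was put back.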


Step 3 At this point, you have full control of the switch, and it’s set up to boot normally again. Think about all the malicious things a cyberattacker would be able to do here. Now it’s time to reset the password because if you don’t, you’ll find yourself in the same situation of needing to perform password recovery!

a.   Configure a new enable secret.

b.   Save the running configuration to the startup configuration.

c.   Reload the switch and get to privileged EXEC mode with the new password you just configured.

Lab Analysis

1.   Why is physical access required to boot into a passwordless Linux root shell?


2.   Why is physical access required to perform password recovery on a Cisco router?


3.   Why is physical access required to perform password recovery on a Cisco switch?


Key Term Quiz

Use the terms from the list to complete the sentences that follow.

booting

configuration

recovery

1.   The process of hacking into a Cisco router or switch can also be described as password ____________.

2.   Getting full control of a Linux system requires physical access, and the process involves interrupting the ____________ process.

3.   Hacking into a switch is made possible by renaming the ____________ file.
