
Possible hostile takeover of Linux network

hellokeith

Golden Member
I may be responsible for taking over a network that consists of a single router/switch, a single Linux server, and ~20 Linux desktops.

This non-profit organization had most of that equipment donated and the admin mostly volunteered his time (the org always repaid him for any supplies like cables that he ordered on his own dime). Unfortunately, he locked down the server and desktops fairly tight and repeatedly refused (or didn't respond) to requests for the root/admin passwords. Also, he never documented any of the network such as the DSL setup, router config/password, firewall/filtering setup, and DNS/DHCP.

I went to the building and did a very quick survey (~15 minutes). All the desktops and the server are very locked down, asking for a root login for pretty much anything other than running Firefox and OpenOffice. Many of the PCs donated did have Windows & MS Office installed, but he dumped them for Linux, and to the knowledge of the org director there are no restore/OS disks. If the Linux server is turned off, all desktops lose their internet connectivity, so apparently it is being used for DHCP and/or DNS, and I don't know exactly what all is active/inactive on the router/firewall/switch (typical Linksys or Netgear looking box for DSL).

Basically, if I have to do this hostile takeover without any root/admin/network documentation, I need to know which tasks I might spend big chunks of time on (say 4 or more hours) in order to give them a ballpark bid for my contracting work.

edit: Most of my network/system admin experience is in Windows/AS-400 environments, but I have installed Red Hat as a server several times and configured several Apache boxes on various Linux distros.
 
Restoring a Linux root password is actually very easy. So your first step will probably be to change all the passwords to something you know.

To do this do the following:

1- make a boot CD (ubuntu will do)

2- Boot off it and mount the file system on the computer you want to restore the password

3- type "chroot /path/to/mountdir/"

4- "/" will now be the actual system, and not your ubuntu "install". Now do "passwd root" and change the password, it will change it on the actual system.


I may have missed a few steps here as it's been a while since I had to do this, but that's the gist of it. This is not too long, but if you end up having to do it on every single workstation then yeah, it might be long/tedious. It's not like you can run a process then go for a coffee. So it's involved.


For the router/switch it's probably easier to just hard reset to factory defaults and go from there.
 
Originally posted by: RedSquirrel
Restoring a Linux root password is actually very easy. So your first step will probably be to change all the passwords to something you know. [...]

Actually, since it sounds like he knew what he was doing, between step 1 and step 2 would be:

Open computer, and reset BIOS settings (either using jumper on motherboard if one exists or remove battery)

Because if he knew well enough to lock down the system, he knew well enough to set up a BIOS password to keep people from booting off their own CD or flash drive...

And if this is running a current RedHat distro, you will need to understand lvm (Linux Volume Manager), because the "/" partition is actually contained within a volume group, most likely VolGroup00, and you will need to first activate the group in the OS of whatever you are booting from (LiveCD), so that the /dev/mapper/ areas are created so you can finally mount the area.
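The live CD procedure from the posts above (activate LVM, mount the real "/", chroot, passwd root), written out as an added example script that is not from the thread. It assumes the target root will be mounted at $MNT and that the live CD has the LVM tools; it also adds two audit helpers for the takeover itself: which accounts can still log in, and whether the box is the DHCP/DNS server the desktops depend on.

```shell
#!/bin/sh
# Root recovery for a Linux box you are taking over, run from a live CD.
# Assumption (not from the thread): target root is mounted at $MNT and
# the live CD has the LVM tools when "/" lives in a volume group.
MNT=${MNT:-/mnt/target}

# True if DIR holds a mounted Linux root filesystem (the one with /etc/shadow),
# so we never chroot into a /home or /var partition by mistake.
is_root_fs() {
    [ -f "$1/etc/shadow" ] && [ -f "$1/etc/fstab" ]
}

# Activate every volume group (e.g. VolGroup00) so /dev/mapper/* appears,
# then print the logical volume paths to pick the root LV from.
activate_lvm() {
    vgchange -ay >/dev/null && lvs --noheadings -o lv_path
}

# Mount DEV, bind the pseudo-filesystems chroot needs, set a new root password.
reset_root_password() {
    dev=$1
    mkdir -p "$MNT" && mount "$dev" "$MNT" || return 1
    if ! is_root_fs "$MNT"; then
        echo "$dev is not a root filesystem, skipping" >&2
        umount "$MNT"; return 1
    fi
    for d in dev proc sys; do mount --bind "/$d" "$MNT/$d"; done
    chroot "$MNT" passwd root
    for d in sys proc dev; do umount "$MNT/$d"; done
    umount "$MNT"
}

# Accounts in DIR/etc/shadow that can still log in with a password (hash
# present and not locked with "!" or "*"); the old admin's accounts show
# up here and should be reviewed or locked.
list_login_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1/etc/shadow"
}

# Network roles the box plays, judged from its config files: explains why
# the desktops lose connectivity when the server is off.
detect_services() {
    m=$1
    { [ -f "$m/etc/dhcpd.conf" ] || [ -f "$m/etc/dhcp/dhcpd.conf" ]; } && echo dhcp
    { [ -f "$m/etc/named.conf" ] || [ -f "$m/etc/bind/named.conf" ]; } && echo dns
    return 0
}

# Usage as root on the live CD: activate_lvm; reset_root_password /dev/mapper/VolGroup00-LogVol00
```

Run the audit helpers against the mounted root (e.g. `list_login_accounts "$MNT"`) before rebooting, so the inventory is done while you still have the disk open.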
 
Originally posted by: sourceninja
Couldn't you just use single user mode and change the password bypassing the whole liveCD steps?

Possibly, but he probably put a password on GRUB too.
 
The org did not contact me again, so I take it that the information I told them to get from this admin they got, or he is back working for them.

I believe it was Solaris btw. I have installed Solaris once a few years ago, but this looked new and more gui/friendly.
 
Solaris is another whole ball game in terms of passwords and protection, especially if it is SPARC based hardware. On SPARC hardware you can completely lock down the system, and I mean completely. The only way to bypass the prom password and security if you don't know what it is or don't have root is to get a replacement prom from Sun or another similar hardware system and remove the prom from the motherboard. If there is no prom security, it is as simple as the other methods above, but on SPARC hardware, you simply need to use the Solaris install disks, use the graphical install method and once you get to the point where you have an X session running, open up a new console window and mount the existing hard drives on the "/a" mountpoint until you find the "/" partition (or "/etc"), and follow the above posts for blanking out the shadow file entry on root.
 