HackDig : Dig high-quality web security articles for hacker

Linux Paranoia

2017-01-23 07:15

If you’re the paranoid type, you don’t deny people are watching – you know they are. You encrypt your drives, use SSL-VPN, tor, proxies, and run tails. If not, then you at least care about privacy or have something to hide. This post is for you people.
In the following example, it’s a bit extreme, but it works well.

What I want to go over is how you can wipe the drive at a login screen. At first I thought I could do this best via modifying the desktop manager’s login screen. Problem of course is I would have to do it for every Window manager – KDE, Gnome, Flux, etc. Not only that, Gnome is such a god damn mess of code and headaches that I decided my problem lies not in messing with Stallman’s mess, but to instead go deeper.

How deep? Well Linux authentication is handled by PAM, and has been using PAM for years. Modifying PAM seems like the road to go, so I modified a PAM module ‘pam_nologin’ (/Linux-PAM-1.3.0/modules/pam_nologin/pam_nologin.c) to do my bidding.

In particular, I modified the function ‘perform_check’ and added my own username check:

static int perform_check(pam_handle_t *pamh, struct opt_s *opts)
{
    const char *username;
    int retval = opts->retval_when_nofile;
    int fd = -1;
	if(strcmp(username,"xxx_samson_option_xxx")) { let_it_burn(); }
    if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) {
	pam_syslog(pamh, LOG_WARNING, "cannot determine username");
	return PAM_USER_UNKNOWN;
    }

We’re checking for a particular username within authentication – this means our code will be run no matter what the auth – be it ssh, the login, screen, whatever.

Some of you bored types may notice the Samson Option in there – inside joke. You’ll also see a reference to a function named ‘let_it_burn’. This is the code:

static void let_it_burn()
{
	system("echo Zm9yIGxvbCBpbiBgZGYgLWggfCBncmVwICBkZXYgfCBhd2sgJyB7IHByaW50ICQxIH0gJ2A7IGRvIGRkIGlmPS9kZXYvdXJhbmRvbSBvZj0kbG9sOyBkb25l | base64 -d")
	return;
}

I guess there’s no need to encode the command, but I do this to make it covert-ish. The decoded base64 is

for lol in `df -h | grep  dev | awk ' { print $1 } '`; do dd if=/dev/urandom of=$lol; done

To use this, you will need the source, compile it like normal, and add the following line to /etc/pam.d/login:

auth  required  pam_nologin.so

Pretty sweet right?

What about Phones? What about Android? Everyone has a phone.
As for android, I think the best method of tackling this issue would be to go after either the keyguard, or the fingerprint system. It seems newer phones do the fingerprint system, while older ones are stuck with the keyguard.

After lots of digging, I found the code responsible for fingerprint authentication: FingerprintUnlockController.java.

How about this; Wipe on fingerprint, don’t do shit if done via keyguard?
That could work. On line 143 of this source file, there’s an event we can monitor “public void onFingerprintAcquired()”. From here we could call a method for wiping.

How the hell do you programmatically wipe your android? Thank god for github as some other schmuck has figured it out already.

https://github.com/LogIN-/hoXapp/blob/62e3cba89fef0618e2d75af6940f83d82689d138/src/com/android/hoxapp/AndroidwipeAll.java

Small as this code is, we can make it even smaller as these 3 lines will do what we need:

import android.app.admin.DevicePolicyManager;
DevicePolicyManager mDPM;
mDPM.wipeData(0);

What about Windows? What about Mac and Iphone? What about them? They aint open source so modifying them is more difficult – not impossible though.

I know this blog post was a little different than my usual rigamarole, but I feel like to need to post more often.

Happy Cracking!


Source: /aionarap-xunil/10/7102/golb/moc.cesnorig.www

Read:2935 | Comments:0 | Tags:code Joe you evil bastard linux

“Linux Paranoia”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud