Just Another Security/Programming Blog: Having fun with passwords in Ubuntu RE: intruders/police/etc.

Saturday, 27 September 2014

Having fun with passwords in Ubuntu RE: intruders/police/etc.

In movies, TV shows, and comics, the idea of a "trap passcode", "secondary password", "fake password", "kill-switch password", etc., comes up every now and then: a bad guy (or a good guy) is given a passcode to something, only to find out that the passcode was set up purely for intruders.
Whether it wipes the whole system or releases a strange gas from the console to knock out the person typing it, the idea is always the same.

In the real world, it's hard to do this sort of thing without it being detected. One method is to trigger on incorrect passwords through PAM. This is what I'll be detailing in this post.


To set this up correctly, the script needs to remove itself, and any traces of its actions, once it has run.
If, say, you're in a corrupt/fascist country such as Australia, the police can apply for a 3LA order, which requires you to hand over your computer passwords, encryption keys, and anything else they feel would help their investigation; refusing is a crime with a maximum prison term of 2 years. This includes SSH keys to foreign servers.


If you're a political activist, access to your sensitive data is 100% unacceptable.
Arguably, forcing somebody to hand over encryption keys is undemocratic, and comparable to the acts of the Stasi.

Important to note: this will not work if your home directory is encrypted with ecryptfs inside a full-disk-encryption setup. It only works if you use pure full-disk encryption.
It would be possible to do it within ecryptfs by adding the script to the 'login jobs' of the user account, but that's for another time.


Requirements:
Installation of bleachbit, libav-tools

We must start with what we want our script to actually do when run.

In my case, I want it to delete some files, and 'clean' some logs.
For removal of files, I'll use 'bleachbit', which overwrites the file with random data.

/usr/bin/grab is where the script will be stored. Make sure it is chown'd to root and chmod +x'd.
Note that we run the first 'bleachbit -c' command twice: once as root, and once as our user, named 'user'.

#!/bin/bash 
#remove the .sqlmap/ folder
bleachbit -s /home/user/.sqlmap/
#test with the -p flag if you want to see what this will actually do on your system 
sudo -u user -H bleachbit -c -o adobe_reader.cache adobe_reader.mru adobe_reader.tmp bash.history chromium.cache chromium.cookies chromium.current_session chromium.dom chromium.form_history chromium.history chromium.passwords chromium.search_engines chromium.vacuum firefox.cache firefox.cookies firefox.crash_reports firefox.forms firefox.passwords firefox.session_restore firefox.site_preferences firefox.url_history firefox.vacuum flash.cache flash.cookies gedit.recent_documents gnome.search_history google_chrome.cache google_chrome.cookies google_chrome.dom google_chrome.form_history google_chrome.history google_chrome.passwords google_chrome.search_engines google_chrome.session google_chrome.vacuum kde.cache kde.recent_documents kde.tmp konqueror.cookies konqueror.current_session konqueror.url_history libreoffice.cache libreoffice.history links2.history nautilus.history openofficeorg.cache openofficeorg.recent_documents opera.cache opera.cookies opera.current_session opera.dom opera.download_history opera.search_history opera.url_history pidgin.cache pidgin.logs realplayer.cookies realplayer.history realplayer.logs seamonkey.cache seamonkey.chat_logs seamonkey.cookies seamonkey.download_history seamonkey.history skype.chat_logs sqlite3.history system.clipboard system.recent_documents system.rotated_logs system.trash thumbnails.cache thunderbird.cache thunderbird.cookies thunderbird.index thunderbird.passwords thunderbird.vacuum transmission.cache vim.history vuze.backup_files vuze.cache vuze.logs vuze.tmp wine.tmp x11.debug_logs  
bleachbit -c -o adobe_reader.cache adobe_reader.mru adobe_reader.tmp bash.history chromium.cache chromium.cookies chromium.current_session chromium.dom chromium.form_history chromium.history chromium.passwords chromium.search_engines chromium.vacuum firefox.cache firefox.cookies firefox.crash_reports firefox.forms firefox.passwords firefox.session_restore firefox.site_preferences firefox.url_history firefox.vacuum flash.cache flash.cookies gedit.recent_documents gnome.search_history google_chrome.cache google_chrome.cookies google_chrome.dom google_chrome.form_history google_chrome.history google_chrome.passwords google_chrome.search_engines google_chrome.session google_chrome.vacuum kde.cache kde.recent_documents kde.tmp konqueror.cookies konqueror.current_session konqueror.url_history libreoffice.cache libreoffice.history links2.history nautilus.history openofficeorg.cache openofficeorg.recent_documents opera.cache opera.cookies opera.current_session opera.dom opera.download_history opera.search_history opera.url_history pidgin.cache pidgin.logs realplayer.cookies realplayer.history realplayer.logs seamonkey.cache seamonkey.chat_logs seamonkey.cookies seamonkey.download_history seamonkey.history skype.chat_logs sqlite3.history system.clipboard system.recent_documents system.rotated_logs system.trash thumbnails.cache thunderbird.cache thunderbird.cookies thunderbird.index thunderbird.passwords thunderbird.vacuum transmission.cache vim.history vuze.backup_files vuze.cache vuze.logs vuze.tmp wine.tmp x11.debug_logs 
bleachbit -s /var/log/*
#rotate logs to make it not look like we've just rm -rf'd /var/log/ 
logrotate --force /etc/logrotate.d/*
#crash reports, in case sensitive data is in here
bleachbit -s /var/crash/*
#remove history files that aren't deleted by bleachbit  
bleachbit -s /home/user/.viminfo /home/user/.nano_history /home/user/.mysql_history /home/user/.history 
#delete stuff related to gpg 
bleachbit -s /home/user/.gnupg/*
#delete SSH stuff
bleachbit -s /home/user/.ssh/*
#delete all mysql stuff
bleachbit -s /var/lib/mysql/*
#all mail.
bleachbit -s /var/spool/postfix/* /var/mail/* /root/.maildir/* /home/user/.maildir/*
#this is resource intensive, so do it last. It isn't really important either.
bleachbit -c -o  apt.autoclean apt.autoremove apt.clean

Personally, I want a few pictures of the 'thief'. So I'm adding a line to take 30 frames from the webcam and save them to /var/tmp/.

ts=`date +%s`
avconv -f video4linux2 -s vga -i /dev/video0 -vframes 15 /var/tmp/vid-$ts.%01d.jpg


Now we've got the 'main' part of the script.

To make the script execute on an incorrect login, we must configure PAM to execute it.
On my version of Ubuntu, 14.04, the contents of /etc/pam.d/common-auth are:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required   pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional   pam_cap.so 
# end of pam-auth-update config

Since common-auth is used for everything, we want our script to run only on the Ubuntu login window, lightdm.
So we copy common-auth to a new file, common-auth-lightdm:

sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth-lightdm


Then we must edit /etc/pam.d/lightdm, changing

@include common-auth

to

@include common-auth-lightdm

so that lightdm now uses the new common-auth-lightdm file.

We also must edit /etc/pam.d/gnome-screensaver, which handles the lock screen. Replace

@include common-auth

with

@include common-auth-lightdm

Now, editing common-auth-lightdm.

To hook the script in, we add the following line directly below "# here's the fallback if no module succeeds":

auth [default=ignore] pam_exec.so /usr/bin/grab

We must also edit the line:
auth [success=1 default=ignore] pam_unix.so nullok_secure

and change success=1 to success=2, so that a correct password still jumps over both the new pam_exec line and pam_deny, while a wrong password falls through to pam_exec and then pam_deny.

The end result is:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth [default=ignore] pam_exec.so /usr/bin/grab
auth    requisite                       pam_deny.so
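As an added example (not from the post, and not part of any project the post uses), here is a small Python auditor that parses a pam.d auth stack, resolves the bracketed [success=N default=ignore] jumps the post edits, and reports any pam_exec.so module in the auth phase, together with whether its command only runs when the password is wrong. That is the check a defender would run over /etc/pam.d to spot this kind of hook; the sample configuration is constructed from the post's end-result block plus the remainder of the default Ubuntu 14.04 common-auth, and the function names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (assumed, not read from a real machine): the post's
# modified "Primary" block followed by the rest of the default Ubuntu 14.04
# common-auth stack, so that the success=2 jump has somewhere to land.
SAMPLE_COMMON_AUTH_LIGHTDM = """\
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    [default=ignore]                pam_exec.so /usr/bin/grab
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_ecryptfs.so unwrap
auth    optional                        pam_cap.so
"""


@dataclass
class PamEntry:
    mtype: str                 # auth / account / password / session
    control: str               # "required", "requisite", ... or "[value=action ...]"
    module: str                # e.g. "pam_unix.so"
    args: List[str] = field(default_factory=list)


def parse_pam_config(text: str) -> List[PamEntry]:
    """Parse pam.d-style lines into entries; comments and blank lines are skipped.
    Both the keyword form and the bracketed [value=action ...] form are accepted."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            mtype, control, module, rest = m.groups()
            entries.append(PamEntry(mtype, control, module, rest.split()))
    return entries


def next_index(i: int, entry: PamEntry, result: str) -> Optional[int]:
    """Index of the module that runs after stack[i] returns `result`
    ('success' or 'auth_err'); None means the stack stops here.
    Only the control syntax the post uses is modelled: required, requisite,
    sufficient, optional, and bracketed success=N / default=ignore|die|done.
    A return value with no matching action is treated here as a plain
    fall-through; Linux-PAM records it as 'bad' but likewise keeps walking."""
    c = entry.control
    if c.startswith("["):
        actions = dict(kv.split("=", 1) for kv in c.strip("[]").split())
        action = actions.get(result, actions.get("default", "ignore"))
        if action.isdigit():           # "success=2": skip the next N modules
            return i + 1 + int(action)
        if action in ("die", "done"):  # terminate the stack now
            return None
        return i + 1                   # ignore / ok / bad: keep walking
    if c == "requisite" and result != "success":
        return None                    # requisite failure ends the stack at once
    if c == "sufficient" and result == "success":
        return None                    # sufficient success ends the stack
    return i + 1                       # required / optional always continue


def trace(entries: List[PamEntry], mtype: str, result: str) -> List[str]:
    """Walk one stack type assuming every module returns `result` and
    return, in order, the modules that actually execute."""
    stack = [e for e in entries if e.mtype == mtype]
    executed, i = [], 0
    while i is not None and i < len(stack):
        executed.append(stack[i].module)
        i = next_index(i, stack[i], result)
    return executed


def audit_auth_stack(text: str) -> List[str]:
    """Findings a reviewer of a pam.d file would want: any pam_exec in the auth
    phase (it runs an arbitrary command with the privileges of the calling
    service, root in lightdm's case), and whether that command fires only on
    a wrong password, which is exactly the pattern the post builds."""
    entries = parse_pam_config(text)
    findings = []
    for e in entries:
        if e.mtype == "auth" and e.module == "pam_exec.so":
            findings.append("pam_exec.so in auth stack runs: " + " ".join(e.args))
    on_fail = trace(entries, "auth", "auth_err")
    on_ok = trace(entries, "auth", "success")
    if "pam_exec.so" in on_fail and "pam_exec.so" not in on_ok:
        findings.append("pam_exec.so executes only when the password is wrong")
    return findings


if __name__ == "__main__":
    for line in audit_auth_stack(SAMPLE_COMMON_AUTH_LIGHTDM):
        print(line)
```

On a real system you would feed it every file under /etc/pam.d (including the copies such as common-auth-lightdm that the post creates, which pam-auth-update does not manage) and treat any pam_exec.so in an auth stack as something to explain, since stock Ubuntu ships none there. The trace also makes the success=1 to success=2 change visible: with success=1 the jump would land on the pam_exec line, so a correct password would run the command as well.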



To maintain plausible deniability (a term created by another fascist government), we have to be able to explain what happened and where it came from.

To do this, we delete /usr/bin/grab from within the script and rewrite it as just the picture-taking script.
I'm also going to make the computer reboot afterwards, to clear the memory.
So we're going to end the script with this:

bleachbit -s /usr/bin/grab
YA="ts=\`date +%s\` ; avconv -f video4linux2 -s vga -i /dev/video0 -vframes 15 /var/tmp/vid-\$ts.%01d.jpg"
echo $YA > /usr/bin/grab
chmod +x /usr/bin/grab
reboot
exit 0

So, our end result for the whole script will look like this:

#!/bin/bash 
#remove the .sqlmap/ folder 
bleachbit -s /home/user/.sqlmap/
#test with the -p flag if you want to see what this will actually do on your system 
sudo -u user -H bleachbit -c -o adobe_reader.cache adobe_reader.mru adobe_reader.tmp bash.history chromium.cache chromium.cookies chromium.current_session chromium.dom chromium.form_history chromium.history chromium.passwords chromium.search_engines chromium.vacuum firefox.cache firefox.cookies firefox.crash_reports firefox.forms firefox.passwords firefox.session_restore firefox.site_preferences firefox.url_history firefox.vacuum flash.cache flash.cookies gedit.recent_documents gnome.search_history google_chrome.cache google_chrome.cookies google_chrome.dom google_chrome.form_history google_chrome.history google_chrome.passwords google_chrome.search_engines google_chrome.session google_chrome.vacuum kde.cache kde.recent_documents kde.tmp konqueror.cookies konqueror.current_session konqueror.url_history libreoffice.cache libreoffice.history links2.history nautilus.history openofficeorg.cache openofficeorg.recent_documents opera.cache opera.cookies opera.current_session opera.dom opera.download_history opera.search_history opera.url_history pidgin.cache pidgin.logs realplayer.cookies realplayer.history realplayer.logs seamonkey.cache seamonkey.chat_logs seamonkey.cookies seamonkey.download_history seamonkey.history skype.chat_logs sqlite3.history system.clipboard system.recent_documents system.rotated_logs system.trash thumbnails.cache thunderbird.cache thunderbird.cookies thunderbird.index thunderbird.passwords thunderbird.vacuum transmission.cache vim.history vuze.backup_files vuze.cache vuze.logs vuze.tmp wine.tmp x11.debug_logs  
bleachbit -c -o adobe_reader.cache adobe_reader.mru adobe_reader.tmp bash.history chromium.cache chromium.cookies chromium.current_session chromium.dom chromium.form_history chromium.history chromium.passwords chromium.search_engines chromium.vacuum firefox.cache firefox.cookies firefox.crash_reports firefox.forms firefox.passwords firefox.session_restore firefox.site_preferences firefox.url_history firefox.vacuum flash.cache flash.cookies gedit.recent_documents gnome.search_history google_chrome.cache google_chrome.cookies google_chrome.dom google_chrome.form_history google_chrome.history google_chrome.passwords google_chrome.search_engines google_chrome.session google_chrome.vacuum kde.cache kde.recent_documents kde.tmp konqueror.cookies konqueror.current_session konqueror.url_history libreoffice.cache libreoffice.history links2.history nautilus.history openofficeorg.cache openofficeorg.recent_documents opera.cache opera.cookies opera.current_session opera.dom opera.download_history opera.search_history opera.url_history pidgin.cache pidgin.logs realplayer.cookies realplayer.history realplayer.logs seamonkey.cache seamonkey.chat_logs seamonkey.cookies seamonkey.download_history seamonkey.history skype.chat_logs sqlite3.history system.clipboard system.recent_documents system.rotated_logs system.trash thumbnails.cache thunderbird.cache thunderbird.cookies thunderbird.index thunderbird.passwords thunderbird.vacuum transmission.cache vim.history vuze.backup_files vuze.cache vuze.logs vuze.tmp wine.tmp x11.debug_logs 
bleachbit -s /var/log/*
#rotate logs to make it not look like we've just rm -rf'd /var/log/ 
logrotate --force /etc/logrotate.d/*
#crash reports, in case sensitive data is in here
bleachbit -s /var/crash/*
#remove history files that aren't deleted by bleachbit  
bleachbit -s /home/user/.viminfo /home/user/.nano_history /home/user/.mysql_history /home/user/.history 
#delete stuff related to gpg 
bleachbit -s /home/user/.gnupg/*
#delete SSH stuff
bleachbit -s /home/user/.ssh/*
#delete all mysql stuff
bleachbit -s /var/lib/mysql/*
#all mail.
bleachbit -s /var/spool/postfix/* /var/mail/* /root/.maildir/* /home/user/.maildir/*
#this is resource intensive, so do it last. It isn't really important either.
bleachbit -c -o  apt.autoclean apt.autoremove apt.clean

#take photo of people
ts=`date +%s`
avconv -f video4linux2 -s vga -i /dev/video0 -vframes 15 /var/tmp/vid-$ts.%01d.jpg

#delete script, and rewrite.
bleachbit -s /usr/bin/grab
YA="ts=\`date +%s\` ; avconv -f video4linux2 -s vga -i /dev/video0 -vframes 15 /var/tmp/vid-\$ts.%01d.jpg"
echo $YA > /usr/bin/grab
chmod +x /usr/bin/grab
reboot
exit 0

There is, of course, a problem: what if you log in with the wrong password yourself?
Well, then you're screwed.
But if you're in a situation where it's all or nothing, then there are things you have to do.

Another question: is it possible to add a 'second password' that would run this script, instead of it running on every invalid login? The answer is yes. If you were to edit the source code of PAM, you could set something like that up. It would require extensive knowledge of how PAM works, though. Perhaps in the future I'll look at working something like that out.
The problem, however, is that in court, if you're asked why you set up a second password to take pictures, you can't say it's to stop thieves trying to guess your password. It would only work if somebody were telling you to enter your password.


Remember: It's not what they know. It's what they can prove.
