a > The story begins:
Hello subhackers. I am photon. I was on IRC and I told phage about how I forgot the
lock-screen password of an Android phone I have (Micromax Canvas Xpress 2 running Android 5.1 [Micromax is a company which makes affordable mobile phones]). I had not enabled USB debugging. So it was a crazy scenario. I had to get my mobile phone unlocked. I googled it and found nothing. I read somewhere in a post (the OP of that XDA post asked about a completely different thing, but an XDA member told about custom recoveries: "All custom recoveries use the adb daemon!"). Wow. My mobile phone was rooted. I also had the PhilZ custom recovery (a custom recovery is very powerful compared to the stock recoveries that are shipped originally with Android mobile phones. You can do almost everything from a custom recovery).
Now I was curious. I connected my mobile phone to USB; then I switched off my phone. Then I pressed power key + volume up key (just for info) and the custom PhilZ Touch recovery opened. My device was connected to my computer with USB. I checked if the adb daemon detected my connected device. It did. See the screenshot. I launched adb by typing adb shell in my computer's command prompt. The custom recovery was still open. Bam. I got an adb shell up and running. This shell was a little different from the normal adb shell that runs when the device is on (in working state [I think you know what I mean]). The recovery adb shell looked a little different. I tried to see my id.
~ # id
uid=0(root) gid=0(root) context=u:r:adbd:s0
~ # df
Good, I was root. But the uid in this case (the adb which was working in recovery state) was different from the uid when I get a normal adb session, i.e. when the device is on/working. I wanted to see if my required partitions were mounted or not. I typed df. Nah, they were not mounted. I wanted to make
things clean. I tried looking at the contents of the root directory "/", and there was a file fstab.mt6592. I saw the contents of the file with
"more" and checked that it has some mount points for the /data and /system partitions.
I mounted the /data and /system partitions manually. And then I pulled
the password.key file from /data/system/ in another command prompt window by:
adb pull /data/system/password.key
I then removed the password.key file by typing
~ # rm /data/system/password.key
If you have a pattern for the lock screen you have a pattern.key file instead. I rebooted my phone. It
showed no password. I swiped to unlock and it was unlocked. Fine. Now I found some other
things which would make this post go off-topic. Now I thought I could do the same thing with the Aroma file manager in my mobile phone's custom PhilZ recovery. I had
to just paste the aromafm.zip file into the clockworkmod directory (the destination was trivial. You can simply go into the custom recovery, then into Advanced functions, and then touch Aroma file manager. If the file manager zip file is not present in the directory where it should be, this will give a simple
warning that there is no aromafm.zip file present in the /sdcard/clockworkmod/aromafm directory).
I downloaded the zip file, moved it into the clockworkmod/aromafm/ directory and tried to start Aroma file manager. Fine, it installed first and started. Calibration started and then it started. It was not very responsive (you know what I mean, a little bit laggy but functional). I found the file password.key in Aroma file manager (for testing I set the password again for my lock screen in settings). I touched it and yeah, it had all the functions of a good file manager. I was able to delete the file. And now again there was no password. Now my mobile phone had no password and was working. I again started an adb shell.
See the difference between both adb shells.
Finally I thought about a trick: if I set a password which I know and pull the
password.key file, I can keep that in some other place on my computer, and then I can change the password to something else; it will change the contents of the password.key file, right?
Now I can pull that new password.key file and remove the file via adb shell. Then I can push the previous password.key file (which has a password I know),
and then I can use that password to unlock the mobile. (What difference did it make?) After the work is complete I can replace that password.key file with the original (new) one which has a password I do not know. And the new password which I do not know will be applied to the lock screen. An attacker can also do this, and there will be no trace.
Then I thought: the purpose of custom recoveries and adb is to fix things, right? But isn't it a little risky to have a custom recovery? Someone said: with great power comes great responsibility. I thought it would be good if I see what the recovery has to show me. I went to recovery settings. It had a lot of tweaks that can be applied to the custom recovery. I saw there was an option to set up a recovery lock. With a little bit of time and understanding, I was able to set up a recovery lock. Now I rebooted my device into recovery. Wow. New recovery password.
Hey, is the adb daemon started or not? I tried to launch an adb shell. No devices found. Fine. Let me unlock this recovery. Now? Hey, the adb daemon started; I got an adb shell after the recovery was unlocked. Hey, why would I wish to mount partitions from adb when they can also be mounted from the recovery menu? I just wanted to check some mount points, and there was an fstab file (wow) and it had the mounts. So now I found that if someone has physical access to your device he can do many more things. I realised this was cool and scary. So I decided to write a post. I encountered other similar strange scenarios and they are described in detail in the next sections of this post. I recalled other things that I thought an attacker could do when he has physical access, and I summed up everything and tried my best to write a clean and informative post.
In this post>>>
a> The story begins (the one you have already read above ^)
b> Bypassing google's FRP (factory reset protection)
c> Dumpster diving (OH that was just a piece of paper!!!)
d> Lock Bumping
e> Physical access to your personal computer? (You are gone!)
f> I deleted everything personal in that folder, I am safe.
g> ATM skimming
h> Ending words.
As you have already read the introduction, I will try my best not to make this post big with useless things. Now let's go to section b>
b > Bypassing Google's FRP (factory reset protection) :
This is also the same thing and again shows my strangeness of forgetting things. My dad's Android phone (Gionee P5 Mini with Android 5.1 and Amigo OS 3.1) was not working normally. It began to restart automatically and randomly after some time. And I thought it might be because of some strange app or an update. I made a backup of contacts and messages.
I opened the recovery. This phone is not rooted and has no custom recovery, and I wiped everything from the stock recovery (I did a complete factory reset). Then I restarted the device. It started. The welcome screen appeared. Now, ah! The fire of hell. It asked for the Gmail account that was last synced with this device. I had no idea what it was. Neither did my dad know about that Gmail account. He barely uses his phone; he just makes some calls and messages. Actually I made that Gmail account. It was 8 months later when I needed that account. I had written that account somewhere (I am sure about it!) but I couldn't find it. Now I was in trouble. I tried putting in accounts that I thought might work; they did not. I tried many times.
And I tried all the mobile numbers that were used as recovery contacts; none of them worked. I googled, and a member on a similar XDA post said that the account for device verification is locked for 72 hours. I had to wait for 3 days and 1 minute. But I had no patience. This was important. There must be a way. I googled "How to bypass google last sync gmail account verification".
I came up with some good results. On the first search result website, they told how it (Google's Factory Reset Protection) can be bypassed for different devices.
There are various ways.
All I had to do was go to Settings > About phone and, from there, enable the developer options by tapping the build number a few times.
And then in Developer options I had to enable OEM unlock. Now I see. I was just wondering how to do it. My data connection was on, and I wanted to disable it and connect to my Wi-Fi network. I tried pulling down the quick settings (I was not expecting it to show up when Google was asking for the previously synced Gmail
account). And it showed. In Amigo OS you pull the quick settings tiles from the bottom of the screen. Wow, there was an option to go into settings. So easy. I loved it. I went to settings. Enabled developer options. And then in developer options I enabled OEM unlock (if you ask, in Amigo OS developer options go into the Advanced settings menu in the settings app). I rebooted my phone. And bam. No verification. Direct startup. I was able to skip the connection to the Wi-Fi also. I created an account manually later in the settings app. Wow,
that was interesting. Wasn't it? There are different ways to enable OEM unlock for different devices. Links are given at the end of this post. Don't go there right now. Rootjunky also has some nice videos on YouTube on how one can bypass Google's Factory Reset Protection for different devices. There is also a way that
requires an OTG cable and a USB flash drive and installation of an apk file. Again, links are given at the end of the post (to make things organized). If you want, you can check more about OEM unlock and
FRP. Actually, FRP (Factory Reset Protection) only gets enabled when someone resets his device from recovery. If the device is set to factory defaults from device settings,
FRP does not come into action; there is a separate (different) partition (I read that in a Stack Exchange thread), like /dev/block/*/by-name/, that holds the data of FRP and does not get wiped if the device is reset (fully wiped from recovery). I read in a post that this feature is for those people who make bigger changes to their devices, and is available so that they can fix things and not make a big mess. Examples are the people compiling new custom kernels for their devices, or the developers who port custom ROMs (a custom ROM is a ROM (firmware) such as Lineage OS (previously known as CyanogenMod), AOSP ROMs having Layers support, PAC-man ROMs, the MoKee project, and there are a lot more ROMs, like Maru OS and NetHunter OS (beautiful). These ROMs provide more customisations, performance and other features and security. (Sorry, I was going off-topic a little.)
Anyway, this time at least I learned something.
Hey, do you still remember why I did a factory reset on my mobile phone? It was randomly rebooting again and again. It was a battery issue. Its battery was swollen due to overcharging. I replaced the battery,
and it is working, but it is not the original one and does not perform as well. Only 1850 mAh it got! Anyway. The capacitive/physical navigation buttons of this mobile are a little less responsive after I replaced the battery. If an attacker gets physical access to your mobile phone, he can do other things also (he simply got access to your Gmail account). Even if the device is locked, adb is not available and there is no custom recovery,
if a man has good knowledge of embedded systems, he can somehow manage to get root or a privileged shell on most devices. To be honest I do not know much about electronics and embedded systems, so I do not want to add things to the post about which I do not have any understanding/experience. Actually there are interfaces and tools such as JTAG that are more advanced, and without knowledge of what you are doing exactly, you can mess with the device badly. So let's move to the next section. In the upcoming sections I have tried to sum up the things an attacker usually does when he has physical access to someone's property.
c > Dumpster diving (Oh? that was just a piece of paper!!!) :
I do not know the origin of dumpster diving. But I think Kevin Mitnick found the dumpster diving technique when he first searched for unused bus tickets in the trash. He found tickets that were unused and Kevin Mitnick used those tickets for traveling for free on buses. (He also bought a punching machine.)
Many of us do not care about our trash or waste. We make photocopies, we use them, and after use we throw them in the trash. We have useless documents, past bills, receipts of previous banking transactions etc.
What good will useless paper copies do to a company or an individual? None. Sometimes we rip them and throw them away. But they can be reassembled to get the required information. An attacker can search the trash/dump to get some useful documents, details etc.
Success rates depend upon the attacker and the type of dump/trash he is looking at. Time and location are also important. Think of it:
The dump may have poorly shredded/torn and useless documents/files having the names of all employees of a company and their mail addresses, their pay scale, their join date, home address, their current position in the company. That is what an attacker wants. The more he finds, the greater the chances of a successful attack. How can an attacker use these details? He can use them for a social engineering attack later, or can just predict a lot about his victim: what he does, where he goes, what he likes etc. So what can a man do? We can always check our useless documents; if you want to throw them away, first destroy them properly. There are paper shredders which can be used to destroy documents before throwing them into the waste. There are two types of shredders available: strip cut shredders and cross cut shredders. "Strip cut shredders" shred paper into thin strips and can handle a large amount of paper. The shred size varies, but the shredded documents can be reassembled. "Cross cut shredders" shred paper vertically and horizontally, and the shredded paper/document is difficult to reassemble.
d > Lock Bumping :
We all use locks for protecting our home, property and rooms. Locks are everywhere. They protect us when we are not around. But most locks can be opened by a bump key; an attacker can use a bump key to unlock or open any door protecting a room or house. In lock bumping an attacker uses a bump key and tries to open the lock. In a lock there are two types of pins: driver pins and key pins. Driver pins are pushed over the key pins by springs. When the original key is inserted, the key pins are pushed against the driver pins. These pins are so aligned that the lock can be turned and opened. There are practice kits for lock bumping, and with a lot of practice one can open any lock. The bump key is used to bump the lock. The bump key has teeth that sit below the key pins, and when the bump key is pushed and bumped, the key forces the key pins to bump and remain in their bumped position for a fraction of a second; the bump key can be turned in that time and the lock can be opened. There are also special tools to bump locks. Any screwdriver can be used to provide the necessary force for the bump key. Many special locks are hard to bump. But lock bumping can damage the lock permanently. It may also be illegal to carry a bump key in many areas and localities. Hey, have you played Splinter Cell Double Agent on PC or on PlayStation? They do lock picking in that game too, in all parts of Splinter Cell: "Splinter Cell
Chaos Theory", "Splinter Cell Pandora Tomorrow".
So now an attacker is inside and has physical access to the personal computer. Hey, we all have passwords? We set passwords on our personal computers. Let us see in the next section.
e > Physical access to your personal computer? (You are gone!!!)
1. I have a Linux distribution on my computer/workstation:
So many of us use Linux on our home PC or in our work area. We all know Linux is pretty robust
and secure (the security really depends upon the user; it can be a noobie like me, or it can be a professional who knows how to read the log files). The attacker boots up the system. He sees a Linux distribution and is presented with a gtk-greeter. Hey, he does not know the password and user name! Ah! The attacker sighs! He inserts his USB flash drive into a USB port. He restarts the computer. He watches the POST screen and BIOS messages carefully, knowing that there might be a different key assigned for the BIOS settings or the pop-up boot menu. He notices the BIOS can be opened with the Delete key and the boot menu can be opened with F11. He quickly presses F11, selects the USB drive to boot from and hits enter. He sees his live Linux USB drive menu and boots into a live session from USB. It boots up fast. He fires up a terminal in the live session. Hey! He opens a file manager (in his case it was Nautilus) and sees the other drives attached to the system. He mounts the partitions and checks
everything. He sees the mount points by typing df -h in the terminal.
~ # df -h
He then sees that the required root file system is mounted at /media/root/(blkid of that partition, see the screenshot). He double clicks the mount point, as that copies the text into a buffer. He then types chroot, presses middle-click and the selected text gets pasted. He gently presses the enter key. He gets a root shell. Now he is able to do anything, such as changing the root password or user passwords and launching any software or utility as root. He does what he came for, he does not change the root password, shuts down the computer and goes back to his lab. If you are curious, he could also mount the partitions at any place he (the attacker) wants with mount.
There is also another way to get a root shell in Linux; it can be obtained by editing the GRUB kernel parameters, so that we get a root shell directly. I cannot demonstrate that now, as Slackware does not use GRUB (GRUB is a boot loader for Linux). Slackware uses LILO (Linux Loader). But here is how it's done on GRUB:
When the GRUB menu appears, go to the recovery options; the entry can be edited by pressing e.
Select the kernel line (the one that starts with kernel) and press e to edit it; at the end of the line type init=/bin/bash, remove the words 'silent splash' and then press b to boot into single user mode. If everything goes right you will be dropped to a root shell. Here the root file system is mounted read-only, so remount it as read/write: mount -n -o remount,rw /. Now you (or an attacker) can change the password etc.
2. I have Windows installed on my computer/workstation :
Windows is an operating system that is present on a whole lot of computers all over the world. I am not here to compare which operating system is better; I personally love and praise Linux and I do not hate Windows. It's your own choice.
Now that an attacker has access to your Windows system, he can also do many things. Obviously, there is the account that is password protected. Can it stop the attacker? It depends upon the password. The attacker sees the password prompt. The attacker rubs his forehead and wipes off the sweat. He reboots the system. He pulls his CD from the bag, presses the eject button on the CD-ROM drive and puts the CD in. Now he boots from the CD. He grins as he sees Ophcrack show up. Ophcrack uses rainbow tables to crack Windows passwords. It takes a lot of time. And the password appears on the screen: "admin@123". The attacker feels thrilled now. He ejects his CD. Now he boots into Windows and becomes admin. He quickly does his job and also inserts his USB flash drive into the USB port. Autorun is already enabled. He sees the antivirus program and disables it until restart. Then the malicious application installs and he makes an exception for it in the antivirus. It was a Trojan horse. He connects to the network. And now checks everything. He can now remotely access this computer. Good. The attacker shuts down the computer and leaves. As we see, Ophcrack can be used to get Windows passwords. There are other tools such as Kon-Boot or chntpw. They can also be used to crack Windows passwords.
3. I have enabled ATA Password Security; the attacker can not boot from my hard disk, right? :
There is a security feature in the BIOS: one can assign a security password to the ATA drives in the BIOS settings. This prevents any unauthorized user from booting the computer without the password.
But there is a way to remove this ATA password applied to the hard disk drives. The method is called hot swapping hard drives. All an attacker has to do is remove the hard drive with the password and insert a hard drive which has no password set for it. Now he needs to go into the BIOS settings and select to create a new ATA password. Now, as the screen appears to create a password, he can just remove the hard drive and put in the one which has the password. And in the BIOS screen he can just type in the new password and reboot. He can also remove the password.
4. I have set a password on the BIOS :
So you have seen the option in your BIOS to set a user password so no one can change the BIOS settings. But it can be cleared by removing the CMOS battery for some time, likely 5-10 minutes. After that the password is gone. All your BIOS settings are reset. There are other methods too, which require moving the jumpers for the BIOS password. See the links given at the end of the post.
So what we should do is use full drive encryption. There are tools
which provide encryption such as BitLocker and TrueCrypt. Also, always make backups frequently. You may not believe it, but I have lost my useful data 2 times.
f> I deleted everything personal in that folder, I am safe!!! :
So you had some really personal pictures and data in a folder. You thought a lot about it. Then you deleted everything in that folder. Hey, recycle bin? You emptied the recycle bin. Fine. But the truth is that the pictures and data are still there. They are just renamed to something that the operating system will not show. Over time they are overwritten by something else. Even if you empty the trash or recycle bin, it is still possible to recover them. There are many free utilities available to recover deleted data. For example, for Windows there is Recuva; Recuva is available as a free version and also in a professional version which requires you to buy it. Other examples are iCare Data Recovery Pro (the trial version only allows recovery of 20 megabytes of data). For Linux there are also recovery tools available such as PhotoRec etc. If you remove files with rm in Linux they can be recovered by a professional given some time. There is a tool in Linux named shred (yeah, you got me, I read that in the man page of rm!). shred can overwrite the data/file and you can specify how many times you want to overwrite it. It makes it really hard to recover the data. But as the man pages say, shred has some limitations. It does not work on some file systems such as NFS (Network File System), journaled file systems, ReiserFS, ext3 and some
compressed file systems. In the case of the ext3 file system the man page of shred says:
"In the case of ext3 file systems, the above disclaimer applies (and shred is thus of limited effectiveness) only in data=journal
mode, which journals file data in addition to just metadata. In both the data=ordered (default) and data=writeback modes, shred
works as usual. Ext3 journaling modes can be changed by adding the data=something option to the mount options for a particular
file system in the /etc/fstab file, as documented in the mount man page (man mount).
In addition, file system backups and remote mirrors may contain copies of the file that cannot be removed, and that will allow a
shredded file to be recovered later."
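As an added example (not code from the original post), here is a small POSIX sh script that applies the shred man page caveat quoted above: it reads /proc/mounts style lines (constructed samples, not captured from a real machine) and reports whether shred can be relied on for a file on that mount, and it shows the overwrite-then-delete that shred performs, using only dd so it also runs where shred is absent. The function names, the sample lines and the treatment of file systems the quoted text does not mention ("unknown") are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Decides from a /proc/mounts line
# whether shred(1) "works as usual" there, following the shred man page text
# quoted above, and demonstrates the overwrite passes shred performs.

# journal_mode LINE -> prints the ext3 data= mode taken from the mount options.
# The man page calls data=ordered the default, so that is used when none is set.
journal_mode() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    mode=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^data=//p' | head -n 1)
    [ -n "$mode" ] || mode=ordered
    printf '%s\n' "$mode"
}

# verdict LINE -> prints "usual", "limited" or "unknown".
#   limited : NFS and ReiserFS (listed as unreliable), or ext3 with data=journal
#   usual   : ext3 in data=ordered or data=writeback mode
#   unknown : file systems the quoted man page text does not cover (assumption)
verdict() {
    fstype=$(printf '%s\n' "$1" | awk '{ print $3 }')
    case "$fstype" in
        nfs|nfs4|reiserfs) echo limited ;;
        ext3)
            if [ "$(journal_mode "$1")" = journal ]; then echo limited; else echo usual; fi ;;
        *) echo unknown ;;
    esac
}

# overwrite_and_unlink FILE [PASSES] -> what shred -u does: overwrite the file's
# bytes in place PASSES times (default 3) with random data, then unlink it.
# conv=notrunc keeps the same blocks instead of allocating new ones, which is the
# whole point; on the journaled/remote file systems above this is still not enough.
overwrite_and_unlink() {
    file=$1
    passes=${2:-3}
    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    i=0
    while [ "$i" -lt "$passes" ]; do
        dd if=/dev/urandom of="$file" bs=1 count="$size" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    rm -f "$file"
}

# Constructed /proc/mounts lines (fields: device mountpoint fstype options dump pass)
M_JOURNAL='/dev/sda1 / ext3 rw,relatime,data=journal 0 0'
M_DEFAULT='/dev/sda2 /home ext3 rw,relatime 0 0'
M_NFS='server:/export /mnt/nfs nfs rw,vers=3 0 0'

for m in "$M_JOURNAL" "$M_DEFAULT" "$M_NFS"; do
    where=$(printf '%s\n' "$m" | awk '{ print $2 " (" $3 ")" }')
    printf '%-20s shred: %s\n' "$where" "$(verdict "$m")"
done
```

On a real machine you would feed `verdict` the line for the file's mount point from /proc/mounts; "limited" means the man page's warning applies and overwriting the file is not a reliable wipe there.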
Will you read the man pages of rm and shred? Fine, I will give links for those too. You can read them and get some more understanding. Even if you physically destroy the hard disk, it may still be possible to recover the data. There are shredder tools for Windows also. You can easily find a free one online. Now let us move to the next section.
g > ATM skimming :
I don't know whether it is still done today or not.
ATM skimming is the way in which a hacker is able to get information about the ATM card, such as the PIN and the user information stored on the card. Usually an attacker has some special tools to do it. He can install a hidden camera at a position where he can record and see the PINs users type, and he also installs special hardware where one swipes his ATM card. The tool then reads the card and stores the information from the ATM card. And then he can use that information to create a fake card and use the money. So how can one check that an ATM is safe? One can look at other ATM machines around. Do they look different? Is the keypad of the ATM machine a little sticky, or does it feel different? One should avoid using ATMs in rural areas which are far away. These days cameras are installed around almost all ATMs, which monitor and secure the ATMs, and you get notification messages when you withdraw money from an ATM.
h > Ending words :
So in this post I tried to discuss some attacks and things that an attacker can do if he has physical access to anybody's property such as mobile phones, personal
computers etc. Also, neither I nor subhacker is responsible for any harm done to any property. Do everything on your own property or on property for which you have permission. Khofo has also written a nice thread about physical security. You should check that post too. And hop on the IRC server subhacker.net, channel lobby!
As I said, the links are given here in the order of the sections :
Links about OEM unlock (FRP bypassing) :
1. Rootjunky's youtube channel (here you can find videos about FRP bypassing)
2. It contains some useful information about OEM
3. This post also seems to be handy.
Links on lock bumping :
1. Lock bumping wikipedia post
2. Another good post about lock bumping.
Links on shredders for windows and linux:
2. File shredder for windows
3. Secure file shredder
4. Man page of rm
5. Man page of shred
6. Man page of file systems
Links on various tools to crack windows password:
1. chntpw to recover windows passwords
Links on clearing bios password :
1. Clear bios password
2. Another link
Links on hard drive security :
1. Hackaday post
2. Other useful thread
Links on editing grub for getting root shell :
See you in lobby!