Ken’s Networking Tips…and Cracking the ESX Root Password

Caution: Articles written for technical not grammatical accuracy, If poor grammar offends you proceed with caution ;-)

First…Ken Cline started a blog about a month ago. It has some nice tips for networking, so check it out. My eyes were opened after reading his post about accepting default settings. I know the post is almost a month old, but I have that reading narclepsy thing. It is still a very important thing to read. My philosophy is similar to Ken’s:

Just because you CAN do something does not mean you SHOULD do it.

I guess I picked up the habit of creating a slightly complicated way of connection two pNICs to a vSwitch for redundant connections for the Management Network and VMotion Network. I think this came from the old school (ESX 2.x) way of doing things. Ken’s methods are far easier to set up and manage.

Now…on to cracking the root password on an ESX server….

VMware just released a KB article about how to change a “forgotten” root password. WOW. Pretty simple.. Anyone who knows a smidgen about Linux could have helped here. It was even a part of the RedHat test back in the day when I took it.

First off, there should be no reason to need this if proper security and change control practices are followed. Passwords should be changed regularly and they should be kept somewhere. That somewhere should be secure. ‘Nuff said.

Second…And this is the biggie…. If you follow security best practices, this method will be rendered USELESS. The boot loader (Grub in this case) should be secured properly to protect from this sort of attack. Yes, I used the “A” word here. Unauthorized entry into single user mode is an attack. If Grub is secured properly, you will need to know a password to enter the append or edit modes. This password is just as important as the root password and proper security and change control practices should also be followed here.

OK…Now your server boot loader is “secure”.  The root password is fracked and you don’t know the grub password… Now what? Enter the rescue CD. A live Linux CD, like DSL or Knoppix will allow you to boot into a Linux session and mount your boot partition and edit the grub.conf file. Now, you can boot the server and append the boot loader line to exit single user mode. Or, you can mount the root partition, chroot and change the root password that way. It is less than simple, but we are talking about “attacking” a server and changing the root password. How do I prevent the “Live CD Attack”? Use a BIOS password and set the server so it does not boot from external media. This password should also follow the security and change control practices.

Next..”cracking” the BIOS password. In a few words: DIP switch 5. Most servers have a bank of DIP switches. Flip one of them and the BIOS password is disabled. How do you avoid this? Lock the server. I have and HP key that opens any HP cabinet and a few Dell keys that do the same thing….

I am going to stop now. I am not a computer security expert by any means. I just use common sense. Three thousand years ago, I worked for an alarm company. I could get into any “secured’ alarm cabinet and shut them down. My philosophy back then was:

Locks are for honest people…

Back to the original intent of the password thing. Use common sense. The method VMware posts for resetting a lost root password should not be possible. It all falls down to common sense and the use of good security and change control best practices. Many attacks come from within. Locks and security measures will only slow someone down and hopefully trigger that alarm system to notify someone of the attack.

Leave a Reply