![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2017\/01\/vlcsnap-9416683.png\")
<\/a><\/p>\nWhat I want to go over is how you can wipe the drive at a login screen. At first I thought I could do this best via modifying the desktop manager’s login screen. Problem of course is I would have to do it for every Window manager – KDE, Gnome, Flux, etc. Not only that, Gnome is such a god damn mess of code and headaches that I decided my problem lies not in messing with Stallman’s mess, but to instead go deeper. How deep? Well Linux authentication is handled by PAM, and has been using PAM for years. Modifying PAM seems like the road to go, so I modified a PAM module ‘pam_nologin’ (\/Linux-PAM-1.3.0\/modules\/pam_nologin\/pam_nologin.c) to do my bidding.<\/p>\n In particular, I modified the function ‘perform_check’ and added my own username check:<\/p>\n <\/p>\n We’re checking for a particular username within authentication – this means our code will be run no matter what the auth – be it ssh, the login, screen, whatever. <\/p>\n Some of you bored types may notice the Samson Option<\/a> in there – inside joke. You’ll also see a reference to a function named ‘let_it_burn’. This is the code:<\/p>\n <\/p>\n I guess there’s no need to encode the command, but I do this to make it covert-ish. The decoded base64 is To use this, you will need the source<\/a>, compile it like normal, and add the following line to \/etc\/pam.d\/login: Pretty sweet right? What about Phones? What about Android? Everyone has a phone. After lots of digging, I found the code responsible for fingerprint authentication: FingerprintUnlockController.java<\/a>.<\/p>\n How about this; Wipe on fingerprint, don’t do shit if done via keyguard? How the hell do you programmatically wipe your android? Thank god for github as some other schmuck has figured it out already. <\/p>\n
\n<\/a><\/p>\nstatic<\/span> int<\/span> perform_check<\/span>(pam_handle_t<\/span> *<\/span>pamh, struct<\/span> opt_s *<\/span>opts)\r\n{\r\n const<\/span> char<\/span> *<\/span>username;\r\n int<\/span> retval =<\/span> opts-><\/span>retval_when_nofile;\r\n int<\/span> fd =<\/span> -1<\/span>;\r\n\tif<\/span>(strcmp(username,"xxx_samson_option_xxx"<\/span>)) { let_it_burn(); }\r\n if<\/span> ((pam_get_user(pamh, &<\/span>username, NULL<\/span>) !=<\/span> PAM_SUCCESS) ||<\/span> !<\/span>username) {\r\n\tpam_syslog(pamh, LOG_WARNING, "cannot determine username"<\/span>);\r\n\treturn<\/span> PAM_USER_UNKNOWN;\r\n }\r\n<\/pre>\n<\/div>\nstatic<\/span> void<\/span> let_it_burn<\/span>()\r\n{\r\n\tsystem("echo Zm9yIGxvbCBpbiBgZGYgLWggfCBncmVwICBkZXYgfCBhd2sgJyB7IHByaW50ICQxIH0gJ2A7IGRvIGRkIGlmPS9kZXYvdXJhbmRvbSBvZj0kbG9sOyBkb25l | base64 -d"<\/span>)\r\n\treturn<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
\n<\/p>\nfor <\/span>lol in `<\/span>df -h | grep dev | awk ' { print $1 } '`<\/span>; do <\/span>dd if<\/span>=<\/span>\/dev\/urandom of<\/span>=<\/span>$lol<\/span>; done<\/span>\r\n<\/pre>\n<\/div>\n
\n<\/p>\nauth required pam_nologin.so\r\n<\/pre>\n<\/div>\n
\n<\/a><\/p>\n
\nAs for android, I think the best method of tackling this issue would be to go after either the keyguard, or the fingerprint system. It seems newer phones do the fingerprint system, while older ones are stuck with the keyguard. <\/p>\n
\nThat could<\/i> work. On line 143 of this source file, there’s an event we can monitor “public void onFingerprintAcquired()”. From here we could call a method for wiping.<\/p>\n