xfs
[Top] [All Lists]

Re: Using xfsdump On Linux With IRIX Version 1 FS?

To: Matthias Schniedermeyer <ms@xxxxxxx>
Subject: Re: Using xfsdump On Linux With IRIX Version 1 FS?
From: Sean Elble <elbles@xxxxxxxxxx>
Date: Fri, 24 Jul 2009 15:13:20 -0400
Cc: <xfs@xxxxxxxxxxx>
In-reply-to: <20090724171151.GA23077@xxxxxxx>
Thread-index: AcoMks5WLTzrhCbNFkKXgptVCq6/2g==
Thread-topic: Using xfsdump On Linux With IRIX Version 1 FS?
User-agent: Microsoft-Entourage/12.20.0.090605
On 7/24/09 1:11 PM, "Matthias Schniedermeyer" <ms@xxxxxxx> wrote:

> On 24.07.2009 11:36, Sean Elble wrote:
>> On 7/24/09 3:30 AM, "Matthias Schniedermeyer" <ms@xxxxxxx> wrote:
>> 
>>> 
>>> I'd guess the disc isn't very big.
>>> 
>>> You just dd it completly (for backup).
>>> 
>>> Then search for the content of the shadow-file and blank out the entry
>>> with a hex-editor. Make sure that you don't change the filesize, pad
>>> the previous/following entry with any character you have to remove.
>> 
>> Right, the disk is only 2 GB.  Presumably, to back the disk up, all I'd have
>> to do would be something like:
>> 
>>     dd if=/dev/sda of=IRIXbackup
>> 
>> Correct?  No need to specify bs or count, I presume...
> 
> Exactly.
> 
>> Then, I could use hexedit in the following manner to edit the disk:
>> 
>>     hexedit -d -f /dev/sda
> 
> Don't know hexedit. Last time i used a hex editor it was "khexedit",
> worked good enough.
> 
>> I suppose I could search for the encrypted password string itself, but as
>> Chris Wedgwood suggested, I might be better off finding the offset of the
>> /etc/shadow file by doing something like the following:
>>     
>>     xfs_ncheck /dev/sda | grep /etc/shadow
>> 
>> I'm not sure if I can use the inode number directly as an offset or not, but
>> I *think* I could use it in conjunction with a xfs_db convert command to get
>> something usable as an offset.  Something like the following, perhaps?
>> 
>>     xfs_db -c convert inode <inode from xfs_ncheck command> daddr /dev/sda
> 
> 2GB is small enough to just use "brute force".
> 
> - Make a backup-copy of the image
> - Open the image in a/the hexeditor
> - Search for something that appears in the shadow file
>   it should be pretty obvious if the hit is inside the shadow file.
> - Make the changes, (Remember filesize has to stay the same!)
> - dd the image back to the HDD.
> 
> Not very complicated and it still shouldn't take too long. :-)
> 

Yeah, that's probably what I'll do then.  I figure the disk will thrash for
a while during the search for a string in /etc/shadow, but hopefully it'll
work.  Thanks for all the advice!

-Sean

-- 
+-------------------------------------------------
|  Sean Elble      
|  Virginia Tech, Class of 2009
|  E-Mail:   elbles@xxxxxxxxxx
|  Web:      http://www.sessys.com/~elbles/
|  Cell:     860.946.9477
+-------------------------------------------------

Attachment: smime.p7s
Description: S/MIME cryptographic signature

<Prev in Thread] Current Thread [Next in Thread>