Penetration testing from the inside (revisited)

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    174

    Penetration testing from the inside (revisited)

    This is a followup to a series of posts concerning my Company. You can visit the original at http://www.antionline.com/showthread...hreadid=257742.

    The other day, our corporate person in charge of loss prevention came by for a couple day analysis of our store. Earlier, when I first reported my findings on the company computer network, I was told to report to this guy. I did, but he never replied. This was my chance to get him in person. I told my manager that I needed to speak with him, and she said it was a good idea, but that he was in a conference call and probably wouldn't have time. He had his laptop set up in our back office, next to my primary "network access workstation" (my "0wn3d" computer...). When he stepped out to take a leak or something, I went in. He had his laptop logged out.

    I went over to the other computer and used my method to get a command prompt (see above link for explanation...). I did a "net view" to see if he was on the network under a netbios name, and he was. I then did a "net send" and sent him a "Hail the Loss Prevention Person" message. It wouldn't show up until after he logged back in...so I stepped back outside the office and continued my work.

    Not ten minutes later, I hear a "How'd ya do that, ya little hacker?" Offending? Maybe. He and I mean different things when we say the word. I offered to explain how, and he nodded. I went back into the office and, without a word, went through my trick of getting a command line. "You delved into the E: drive," he says. Actually, no I didn't, numbnuts, I was in the C: drive...(If you're reading this John, don't fire me). Then I typed "explorer Z:" and showed him where I could, "in theory" get the password for the VNC servers all around the network. Before I told him that I already had it, and could get on his laptop or anyone else's on the network, he said, "You shouldn't even be on this computer. It's to check benefits only." That was a contradiction in itself. We can't be on it, but we can. Never mind the fact that it's next to our normal terminals... and that it's always on and never logged out... and that the default page is the corporate website, which has employee manuals and open positions.. never mind that... I shouldn't be on the "Employee Computer". I quickly shut my mouth about the rest of what I'd found, like the fact that I printed off the password list from the kiosk on the sales floor...

    The funny part is that instead of saying, "We'll fix it", or "I'll bring it up at the next board meeting", he says, "You shouldn't be on there." Do you think that anyone else who would be doing what I was doing would have "permission" either? Since when does a cracker have authorization to exploit a system? Granted, I am an exception, along with all the inside-exploiters... but I still don't think it makes any sense. He could have at least humored me and said "We'll see what we can do."
    I'm back.

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Safe Way: Complain to your boss by Email (Or Letter)

    Dangerous Way: Hack the system administrator, IT Director and in last case, VP and President. One of them will react!
    -Simon "SDK"

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    I'm with SDK all the way !

    So it all comes down to how content you are in your current position . . .

    We have all been in situations where no one would listen to us while you know there is a problem.. but no one else sees it..
    I can't give you any help on the moral dilemma of how to handle this.. although I'd advise the letter
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    SDK: Don't forget to copy it to your personnel file and have a copy notarized and placed in a secure place away from work...... Then it all becomes official.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Doing a non-sanctioned hack of the systems is a very stupid idea. You are far more likely to get legal action taken against you than anything else. Especially given the way that the security guy reacted to you in the first place. You need to get your facts straight, write them down with easy to repro steps, and elevate it to his boss and so on up the chain until someone listens.

    Use your common sense and cover your ass. Don't listen to these 'hack them yourself' twits....it's not their butt on the line when you are forced to pack your stuff and possibly get jail time. And it is quite possible that it will happen...look at Randal Schwartz.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  6. #6
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    Originally posted here by SDK
    Safe Way: Complain to your boss by Email (Or Letter)

    Dangerous Way: Hack the system administrator, IT Director and in last case, VP and President. One of them will react!
    I've complained to my boss - both in person and email. I've informed other offices. For the first one I told them about, I got $50 and a thank you letter (came later after my other posts, I think). The effect of the letter was "Thank you, we'll fix it. Keep up the good work."

    So if they appreciated my first find, and rewarded me for it, then why wouldn't they let me help them out, especially when this is sooo much bigger?

    Signed,
    Lost and Confused
    I'm back.
