June 23rd, 2004, 09:03 PM
Penetration testing from the inside (revisited)
This is a followup to a series of posts concerning my Company. You can visit the original at http://www.antionline.com/showthread...hreadid=257742.
The other day, our corporate person in charge of loss prevention came by for a couple-day analysis of our store. Earlier, when I first reported my findings on the company computer network, I was told to report to this guy. I did, but he never replied. This was my chance to get him in person. I told my manager that I needed to speak with him, and she said it was a good idea, but that he was in a conference call and probably wouldn't have time. He had his laptop set up in our back office, next to my primary "network access workstation" (my "0wn3d" computer...). When he stepped out to take a leak or something, I went in. He had his laptop logged out.
I went over to the other computer and used my method to get a command prompt (see above link for explanation...). I did a "net view" to see if he was on the network under a NetBIOS name, and he was. I then did a "net send" and sent him a "Hail the Loss Prevention Person" message. It wouldn't show up until after he logged back in... so I stepped back outside the office and continued my work.
Not ten minutes later, I hear a "How'd ya do that, ya little hacker?" Offending? Maybe. He and I mean different things when we say the word. I offered to explain how, and he nodded. I went back into the office and, without a word, went through my trick of getting a command line. "You delved into the E: drive," he says. Actually, no I didn't, numbnuts, I was in the C: drive... (If you're reading this John, don't fire me.) Then I typed "explorer Z:" and showed him where I could, "in theory," get the password for the VNC servers all around the network. Before I told him that I already had it, and could get on his laptop or anyone else's on the network, he said, "You shouldn't even be on this computer. It's to check benefits only." That was a contradiction in itself. We can't be on it, but we can. Never mind the fact that it's next to our normal terminals... and that it's always on and never logged out... and that the default page is the corporate website, which has employee manuals and open positions... never mind that... I shouldn't be on the "Employee Computer." I quickly shut my mouth about the rest of what I'd found, like the fact that I printed off the password list from the kiosk on the sales floor...
The funny part is that instead of saying, "We'll fix it," or "I'll bring it up at the next board meeting," he says, "You shouldn't be on there." Do you think that anyone else who would be doing what I was doing would have "permission" either? Since when does a cracker have authorization to exploit a system? Granted, I am an exception, along with all the inside-exploiters... but I still don't think it makes any sense. He could have at least humored me and said, "We'll see what we can do."