Re: PLEASE HELP - USENET/Proxy Security Question
From: nemo outis (outis_at_erewhon.com)
Date: 05/19/03
- Next message: magneticstrawberry: "IP Address Stopper"
- Previous message: Jim Watt: "Re: Backweb??"
- In reply to: Thunder$truck: "Re: PLEASE HELP - USENET/Proxy Security Question"
- Next in thread: Thunder$truck: "Re: PLEASE HELP - USENET/Proxy Security Question"
- Reply: Thunder$truck: "Re: PLEASE HELP - USENET/Proxy Security Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 19 May 2003 18:03:38 GMT
In article <3ec8be20$0$60674$45beb828@newscene.com>,
"Thunder$truck" <nealbailey@hotmail.com> wrote:
> All,
>
> I am starting to regret ever bringing this discussion to this group. Since
> when did seeking legitimate info for technical assistance make me a "troll"?
> For all you self-righteous administrators out there you can promptly exit this
> discussion for it was not intended for you. And those others who feel
> compelled to inject your moral commentaries into this dialog, you can also
> exit promptly.
> This group is called alt.privacy and this is why I solicited its members
> for this question.
>
> For those interested in providing assistance or interested in how this
> story plays out I will continue with the most recent events.
>
> On Friday, I spent my lunch hour learning SMS and ether-peek with one of
> our system admins. I've discovered when it is used and how/why.
> And it appears, for the most part, that the MS Proxy is really the only
> barrier between me and the outside world. SMS is being utilized
> primarily to push packages the SMS server realizes a client's box does not
> have. The idea of connecting to a remote host via an encrypted SSH
> tunnel won't work for me because the proxy blocks VPN connections. The
> boundaries/sensors are no longer being monitored by the
> network security folks anymore since they've all been transitioned to the
> new network.
>
> I needed to gain access to the administrator account on my box so I set the
> BIOS to boot from floppy and used a LINUX boot disk to crack the SAM
> and "null" the admin passwd. Then I used the admin account to build a bogus
> local account (free from the domain). This local account is the same account
> name as someone who works on the other side of the building. Logged onto
> this local account, I pointed everything to the proxy and it worked.
>
> What is different (regarding proxy log reports) when reporting connections
> from a domain account and a local account? The other weak point I see
> is the switch; I'm sure the machine can be located based on the location on
> the switch facilitating the connection.
>
> T/S
You have much of the underlying mechanics right for bypassing
corporate security, but you've given yourself very little
"cover."

For instance, you gave yourself local admin rights by cracking
the SAM (I use Winternals for the same purpose, but the
principle is the same). However, did you remember to first take
a copy of the unaltered SAM before cracking it? That way, you
can restore the original password when you need to. And did you
do whatever other "housekeeping" is necessary on the cracked
machine, such as messing with the event log? The devil is in the
details. If you must use a cracked machine I recommend you take a
ghost of it immediately, perhaps using an external USB hard drive
- that way you have much less to do when later restoring the
machine to the untampered state.

My preference is not to mess with the original machine at all
(although I have done so) - I prefer to use a laptop and connect
to the network with it instead of the company machine by using
MAC spoofing. The laptop then masquerades as the legit
corporate desktop on the network. The laptop, of course, is
firewalled, etc. and is probe-proof. (In fancier cases you can
put VMWARE on the laptop and create a dummy desktop environment
which will stand up to all but the most serious probing.)

As for not being able to run a VPN, there are alternatives
out there to regular SSL/SSH etc. One handy little tool is
httport which allows you to tunnel out on port 80, ostensibly as
just your ordinary, everyday browser. (The only drawback these
days is that the fellow's payment arrangement for customized keys
seems to have broken down. Update: it's working again! Don't use
his public servers - set your home machine up with the
complementary htthost. I have used httport/htthost to tunnel
through a Squid proxy & firewall in one case.) I haven't got
around to finding or making a tool that will act as an Internet
Explorer plugin and operate in the same process space as IE -
likely there's one already out there somewhere.

If you must masquerade as someone else one handy investment is a
hardware keylogger. For a few hundred dollars (or less - prices
keep falling) you splice this inline on a coworker's keyboard.
Later you will retrieve it and harvest his password. There are
other interesting possibilities with this method - for instance,
if you can cause a software glitch on his machine that requires
a sysadmin to mess with his machine, you may snag a maintenance
or even a global admin password (some companies are so sloppy)!

Just a few ideas to work with...

Regards,
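Seen from the network-security team's side, the thread raises two concrete questions a proxy-log review can answer: how a local (non-domain) account shows up next to domain accounts, and how a long-lived port-80 session used as a tunnel looks different from ordinary browsing. The script below is an added example, not code from the thread or from either poster. The log layout (client IP, user, destination host, port, duration, bytes sent, bytes received) and the sample lines are constructed and simplified; they are not the real MS Proxy or Squid log format, and the `DOMAIN\user` convention for domain accounts is an assumption of this example.

```python
"""Proxy-log review for two signals discussed in the thread.

Added example, not part of the original post.  The log format is a
constructed, simplified space-separated layout:
    client_ip user dest_host dest_port duration_s bytes_sent bytes_recv
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines.  10.1.2.15 is a domain user browsing normally;
# 10.1.2.77 is a bare local account named like that user, holding long,
# send-heavy port-80 sessions to one host (what an HTTP tunnel looks like).
SAMPLE_LOG = """\
10.1.2.15 CORP\\jsmith www.example.com 80 2 1200 54000
10.1.2.15 CORP\\jsmith news.example.net 80 3 900 38000
10.1.2.77 jsmith home.example.org 80 5400 48000000 39000000
10.1.2.77 jsmith home.example.org 80 3600 22000000 21000000
10.1.2.40 CORP\\amartin intranet.example.com 80 1 500 12000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+) (\d+) (\d+)$")


@dataclass(frozen=True)
class ProxyRecord:
    client_ip: str
    user: str
    dest_host: str
    dest_port: int
    duration_s: int
    bytes_sent: int
    bytes_recv: int


def parse_log(text: str) -> list[ProxyRecord]:
    """Parse the constructed log layout; blank and '#' lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable proxy log line: {line!r}")
        ip, user, host, port, dur, sent, recv = m.groups()
        records.append(ProxyRecord(ip, user, host, int(port), int(dur),
                                   int(sent), int(recv)))
    return records


def is_domain_qualified(user: str) -> bool:
    """Assumption: domain logons are logged as DOMAIN\\user or user@domain."""
    return "\\" in user or "@" in user


def bare_username(user: str) -> str:
    """Strip the domain part so DOMAIN\\jsmith and jsmith compare equal."""
    if "\\" in user:
        return user.rsplit("\\", 1)[1]
    return user.split("@", 1)[0]


def local_account_entries(records: list[ProxyRecord]) -> list[ProxyRecord]:
    """Entries authenticated with a non-domain (local) account."""
    return [r for r in records if not is_domain_qualified(r.user)]


def usernames_seen_from_multiple_clients(records):
    """Same bare username used from more than one client IP: a local
    account that mimics a domain user's name shows up here."""
    seen: dict[str, set[str]] = defaultdict(set)
    for r in records:
        seen[bare_username(r.user).lower()].add(r.client_ip)
    return {u: ips for u, ips in seen.items() if len(ips) > 1}


def tunnel_candidates(records, min_duration_s=600, min_send_ratio=0.5):
    """Port-80 sessions that are long-lived and send nearly as much as they
    receive.  Browsing is short and receive-heavy; tunnels are neither."""
    out = []
    for r in records:
        if r.dest_port != 80 or r.duration_s < min_duration_s:
            continue
        if r.bytes_sent / max(r.bytes_recv, 1) >= min_send_ratio:
            out.append(r)
    return out


def review(text: str) -> dict:
    records = parse_log(text)
    return {
        "local_accounts": local_account_entries(records),
        "shared_usernames": usernames_seen_from_multiple_clients(records),
        "tunnel_candidates": tunnel_candidates(records),
    }


if __name__ == "__main__":
    for section, findings in review(SAMPLE_LOG).items():
        print(f"== {section} ==")
        print(findings)
```

The three checks are deliberately independent so each can be tuned or dropped on its own: the thresholds in `tunnel_candidates` (ten minutes, send/receive ratio of 0.5) are starting points, not calibrated values, and a site would set them from its own baseline of normal browsing sessions.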