Work security penetration testing

Status
Not open for further replies.

Legodude522

Hello, the president of my company assigned me the task of testing how secure our computers actually are after he got word from the IT idiots that I had administrative privileges and they were furious as hell. (that's an understatement!) Fortunately the president of my company took it in good humour because he knew I never had any malicious intent in mind. I simply did it to get my job done. Our IT department is contracted so they only do the bare minimum.

This is what I originally did. Bought a hardware keylogger and placed it between the keyboard and the computer. Eventually the IT guy logged in with his account on my PC. Apparently they force us to change our password every 30 days; he hasn't changed his password in over a year and a half.

So now I need to make a slightly more elaborate scheme. Here is my theory... Unplug the PC from the network. Reset the local administrative account. Log in as administrator. Install whatever software I need for work. *Bonus* Install a software keylogger this time to log whatever the IT guy types in when he is remotely connected. This has to all be done when disconnected from the network because the next time I plug in the network, the security parameters will set back. Which is fine, I'll just log in on his account again using the newly lifted password and set myself as an administrator again on the network.

Ok, so here is what I need to know.

  • Best and most discreet way of resetting the administrator account on Windows XP Pro SP2
  • A discreet software keylogger that can log what is typed in remotely.

Right now I'm downloading UBCD for the password reset task.
 
This is what I originally did. Bought a hardware keylogger and placed it between the keyboard and the computer. Eventually the IT guy logged in with his account on my PC.
Geez - you want to be careful with that sort of thing. Finding passwords on an open share or lying around on bits of paper is one thing; using hardware based keyloggers to lift passwords is a whole different matter! You need to be careful who you annoy with this sort of thing as well; whilst your company boss may be fine with it, if the IT guys own the equipment then technically they're the ones that can prosecute you over it. If they're not the ones that own the equipment then legally you should be able to get admin permissions through legal means anyway.

Keyloggers are a bit of a last resort and intensely frowned upon in checking the security of systems. Yes, they can be useful but anyone can whack a hardware keylogger into the back of a system and get someone to log onto their machine. The only way round that would be to up the physical security, locking all the computers away under the desk where no connections can be made or broken. Quite frankly that shouldn't be the case unless you're working on an absolutely mission critical system or one readily open to the public.

As for resetting the admin password discreetly - there's really no such thing. Either you try and lift the hash to try and crack it (which won't get you anywhere if it's secure enough) or you reset it and hope they don't notice.

They should notice of course. If anyone reset an admin password on a machine I was working on then I'd grab as many logs as I could to try and hunt the culprit down - before wiping and re-imaging the system before I did anything else at all.

I'm not trying to spoil the fun here, I'm a firm believer that security should be tested and insecure things should be blasted open. But putting keyloggers left right and centre in my mind is going a stage too far, and could land you in big trouble even if you don't expect it. In certain situations they are appropriate tools to use and should be guarded against, but within an organisation I think employee trust should come into the equation that much.

I'd certainly far sooner I was trusted not to whack keyloggers at the back of PCs and have them open for me to adjust and swap cables over as and when I needed than having them locked down and having to ring up an official person with a key to come every time I wanted to adjust something. If I was caught doing something like that where I work then I'd be out the door before I had a chance to explain myself, and rightly so.
 
Thanks for your input. I was expecting somebody to come along and give me the riot act. The machines are owned by my company. The IT guy isn't very intelligent. Only reason we keep him is because we are locked in. You have no idea how ridiculously stupid things can be. I work a tight time schedule and shouldn't have to wait 5 hours to have a simple piece of software installed to complete a $20,000 order that the customer is waiting on. Losing an order because the computer doesn't have the appropriate software isn't fun. Especially when I got 3 Portuguese guys screaming at me.

I'm on my iPhone so typing any more would equal cramps.

Oh, and as a technicality, he typed it on my own personal keyboard.
 
Thanks for your input. I was expecting somebody to come along and give me the riot act.
It wasn't meant as a riot act, just a pointer - in normal circumstances and under normal company rules, that sort of thing would see anyone out the door instantly, whether they thought they had good reason for doing so or not. I make no apologies for pointing that out; if nothing else I wouldn't want others reading this thread and thinking it's perfectly acceptable to use keyloggers to break into systems if they feel they need admin permissions.

Also, given your above post you were mis-stating your intentions a bit. Your preceding post implies that you and your company want you to have admin permissions so you can do your job properly and as such you want a way to circumvent the IT guy to get those permissions. It's the company's machines and you've got the ok from the guy high up, so that in my books is not so much of an issue.

Your first post however stated that you wanted to "test" the security of your company's computers by installing a key logger to grab the contractor's password. That's a completely different situation, and one that I'd never condone!
 
The president of the company approved access for me but the admin refuses to do it.

I think I can figure out the rest of the technical computer side details on my own. I might request for the thread to be locked in the future but for now I'll leave it open so I can report back later. Many thanks for the advice.
 
The president of the company approved access for me but the admin refuses to do it.

I think I can figure out the rest of the technical computer side details on my own. I might request for the thread to be locked in the future but for now I'll leave it open so I can report back later. Many thanks for the advice.
This whole post sounds B*** S***
If IT was contracted to the company they will do what the company asks for since they are paid to do a service and if you need certain software to do the job for your sales, your boss would have it provided.

Who are you kidding? You talk crap!!!
 
I'm not BSing. But I'm not going to argue. I can understand why you take that stance from your position.

Bottom line, I need to do my job and I have authorization from the boss.

Mods, please lock thread.
 