EvilZone
Hacking and Security => Beginner's Corner => : zax May 06, 2015, 07:57:53 AM
-
Lets just start off by saying that I am a major noob but I realize the consequences can be jail time.
Background info
One day at work I had accidentally forgotten to punch out when I went on break. When I came back I realized that I was on the clock during my break. Obviously I went to tell my manager so I wouldn't get in trouble. We were in the office when I told him and he said "no problem" and turned to the computer to fix it. He was logging into what I assume was the sysadmin account because he had the ability to manually change my time punch to fix my mistake. Now realizing the power his account has, I wish I had looked at his hands when he was typing the password. But since that day, when we are slow(all the time) I think about that computer; I mean its right there. I could actually walk just 15 feet from my spot on the grill line to the office and literally press the power button shutting down this system.(I wouldn't do this because I have no idea what would happen, probably fired) its just sitting in there, with open usb ports too. Like I said, I am a noob. I have no idea what I could do with this, but I want to break into this system really bad, just for the thrill. I want to do this just to see if I can and to learn how safe my job is.
The system is running Windows server 2003
EDIT: The other system is in fact i2i video surveillance system
There is another computer on the desk, but I am not completely sure about the possibilities on that one, I'm not even sure if its connected to the main one yet but it displays all the security cameras and it says "i2i systems" if I remember correctly.
Please share some knowledge with me, I am a very curious noob.
-
Hardware keylogger. Nuff said. If you don't have money for it, then buy Teensy and make one yourself.
-
I want to do this just to see if I can and to learn how safe my job is.
What does this mean ? Or do you mean how safe your work place computer security is?
If you can get your hands on the hardware nothing is secure.
If you want to see his password just forget to clock in or out again and have him fix it then make sure you watch what he is typing, the password is probably on a sticky note close by anyways.
-
Get a Rubber ducky and run an exploit on it for root. Server 03 has too many exploits on Metasploit.
-
Would remote access be possible? I could maybe infect the rat via bootable usb? can you do this to a Windows server 2003 computer when locked? There are security cameras in the office so physically logging into the system with his password would not help much because I am sure to get caught... I would like to hack into there i2i surveillance system but I don't think its possible.. idk why... thoughts...?
-
Can you get us the public ip of the windows 2003 server?
Get on the computer and goto www.whatismyipaddress.com
-
Yes im sure remote access is possible but it will be much harder with your current skill level. like kulverstukas said the easiest way would be to use a ducky. takes only a few seconds to have a backdoor put in and u can remote into it from another pc but u will be seen on camera plugging it in ...
you could also get in through the main network from the wifi im sure . not the guest wifi for the customers
I don't think you should do this if you do get in and fuck something up you will get caught and more than likely blamed for more than you did. you will be lucky if you are just fired. just saying
-
Since the rubber ducky cost money I cant do this tonight or tomarro, ill look into it. As for getting the IP, the computer is always locked unless someone is there..
If I could plug a ducky in without being seen by the camera how else could I get caught? Sorry in advance if this is a stupid question... I need to know to prevent it.
-
With your skill level a ducky isn't really the way to go. Find out if the keyboard is USB or PS/2.
(https://www.bigkeys.com/images/ps2-v-usb.jpg)
Then as kulver said, use a hardware keylogger.
Ps/2:
http://www.amazon.com/KeyKatcher-64K-PS-Hardware-Keylogger/dp/B004ZLV1UI
Usb:
http://www.amazon.com/Keyllama-4MB-USB-Value-Keylogger/dp/B004ZGXU48
These devices sit between the keyboard and the computer and will log any button presses.
Next thing you're going to want to do is map the network. Also turning off the computer that accesses the cameras won't necessarily turn the cameras off unless it's the actual DVR.
With your current knowledge and skillet I wouldn't be too hasty to do anything without researching... just my $0.02
-
Plugging anything into the computer would be risky because of the cameras, so if I do ducky or the hardware keylogger I need to do it conspicuously. A little social engineering could do the trick. I could walk into the office with the devise taped to the back of my phone. I would ask my boss if I can charge my phone, I have charged my phone there before. If my boss wasn't on the computer and it was locked, I would plug a USB extension cord that resembled a iPhone charger into the computer. Now I could hold my my phone and have the device hidden behind it, act like im plugging it into my phone for a couple mins and BAM solves the camera problem... So now If I were to use this to gain remote access, and I had accidentally fucked something up, could I get caught? if so how? and how do you prevent it?
EDIT: I'm really interested in this but my knowledge is very limited. I need to learn more and I don't know where to start. I've looked at some of the "where to start with hacking" threads but didn't get exactly what I was looking for. If I wanted to be an expert at this type of hacking what should I start of learning, what programming language should I learn first? I know the basics of HTML/CSS.
-
A little social engineering could do the trick. I could walk into the office with the devise taped to the back of my phone. I would ask my boss if I can charge my phone, I have charged my phone there before. If my boss wasn't on the computer and it was locked, I would plug a USB extension cord that resembled a iPhone charger into the computer. Now I could hold my my phone and have the device hidden behind it, act like im plugging it into my phone for a couple mins and BAM solves the camera problem...
Or you could actually plug a phone in and do everything you want. look into KALI nethunter ,pwnphone or kalipwn. all free images . They have lots of tools and apps for phones now.
-
Dude. This is why you still work at McDonald's. You sound like some hyped up teenager that wants to fuck shit up after watching "Person of Interest"... what you are asking is how to do this and that without even searching and reading A LOT.
-
This thread makes my eyes burn , listen to Kulverstukas , educate yourself and come back in a year.
I think this has gone far enough, nothing personal.
-
Dude. This is why you still work at McDonald's. You sound like some hyped up teenager that wants to fuck shit up after watching "Person of Interest"... what you are asking is how to do this and that without even searching and reading A LOT.
I didn't want to post this, thought I would be seen as "to honest" again 8) . Anyway, OP you need to do a lot of research and since you know that the server OS is very old it opens up many possibilities. Just do some research on different exploits for that OS and if you have a laptop and there is wifi, connect, do a sweep to find the different IP ranges. You should find the server, and it should show which OS it is running for sure.
Use your imagination, Scan the server for vulnerabilities etc, I mean you could do this from outside the MacDonalds and then do research on the vulnerabilities you find, try to exploit them etc. You should be able to enumerate and find some cool stuff.
Also remember it is illegal breaking into the system(unless you have a non-disclosure) so I would advise knowing what you are doing before you do it, also setup VM's at home to test these vulnerabilities and get comfortable with all the different aspects etc...
-
When I worked at Subway I had user level access to the computer in the back. I could get in the admin account because they left the default password. And actually used it a few times to print off applications for people.
But the only thing I did on that system was telnet into IRC and chat with people, or watch ASCII StarWars cause boredom. Don't be stupid.
-
EDIT: I'm really interested in this but my knowledge is very limited. I need to learn more and I don't know where to start. I've looked at some of the "where to start with hacking" threads but didn't get exactly what I was looking for. If I wanted to be an expert at this type of hacking what should I start of learning, what programming language should I learn first? I know the basics of HTML/CSS.
IDK if you guys read this.... I'm trying to learn, I'm trying to be pointed in the right direction. I want someone to share how they learned.
EDIT: You guys may have the wrong image of me.. Yes I am an 18 yr old high school dropout wanna be hacker (Im going to get my GED, yes very unfortunate situation but its not because I am stupid or lazy). This McDonalds thing may be out of my reach, but I need to start somewhere. I believe I could pull it off considering my McDonalds is ghetto as fuck and old as shit. But never mind that for now, ill come back to it at a later time. For now, what language should I learn(just asking for opinions here, I know every ones answer will be different) and what types of stuff should I be fluent at to be good at this?
-
To learn find something that excites you and go for it. You seem to have a goal atm for getting into your work computer so maybe look into Networking and network hacking. there is alot of free courses and info online as well as plenty of info here an the WIKI..
This is a new site for free training http://www.cybrary.it/ (http://www.cybrary.it/)
Practice on VMs , your own network or maybe your friends that dont care if you hack them.
cant remember what else i was gonna say all i can think about is food right now .. good luck
-
Yea, you need to start somewhere but this isnt it. start smaller.
-
dayum thats pretty good for a mcdonalds computer :P
-
This is a useful lesson in anonymity, too. Let's work with what the OP told us:
-Works at McDonalds (3500 stores, give or take)
-"In the ghetto" = high risk stores (500 stores).
-"It's always super dead" = lowest performing stores (200 stores)
-Win2003 + i2i (assuming it's not standard issue, some stores may have different video vendor) (100 stores)
-OP is about 18, getting GED, interested in computers.
-OP had specific interaction with manager
So with just that, you're talking maybe 100 managers being emailed about a specific interaction with a very specific person. Chances of detection are immense.
Probably 50% of people on hacking/security forums are working for corporations like McDonald's.
-
This is a useful lesson in anonymity, too. Let's work with what the OP told us:
-Works at McDonalds (3500 stores, give or take)
-"In the ghetto" = high risk stores (500 stores).
-"It's always super dead" = lowest performing stores (200 stores)
-Win2003 + i2i (assuming it's not standard issue, some stores may have different video vendor) (100 stores)
-OP is about 18, getting GED, interested in computers.
-OP had specific interaction with manager
So with just that, you're talking maybe 100 managers being emailed about a specific interaction with a very specific person. Chances of detection are immense.
Probably 50% of people on hacking/security forums are working for corporations like McDonald's.
Lol shave that down ;)
-
just wanted to note that, social engineering if done correctly can work pretty good with big corporations like that, of course OP cant call his manager since he'll reconize his voice but if the manager uses the computer to check emails or get someone else to call and get him to open a page on that computer to ""accept something of some kind, that sound legit"" lol, but yeah SEtoolkit is pretty good for things like that since you cant code your own stuff ... anyways this might not apply to this case but for the sake of the thread i thought i'd post it..
heres a cool link as an example:
Kevin Mitnick doing some live 1337 SE @ defcon
https://www.youtube.com/watch?v=DB6ywr9fngU
EDIT: heres a pretty cool kevin mitnick interview where he uses a usb stick to autorun a payload on the pc...
fast foward to 16:10 if you just want to see the hack..
https://www.youtube.com/watch?v=Q7G3kKRdUl4