physically hacking into mcdonalds computer system

[zax]

Lets just start off by saying that I am a major noob but I realize the consequences can be jail time.


Background info

One day at work I had accidentally forgotten to punch out when I went on break.  When I came back I realized that I was on the clock during my break.  Obviously I went to tell my manager so I wouldn't get in trouble.  We were in the office when I told him and he said "no problem" and turned to the computer to fix it.  He was logging into what I assume was the sysadmin account because he had the ability to manually change my time punch to fix my mistake.  Now realizing the power his account has, I wish I had looked at his hands when he was typing the password.  But since that day, when we are slow(all the time) I think about that computer; I mean its right there.  I could actually walk just 15 feet from my spot on the grill line to the office and literally press the power button shutting down this system.(I wouldn't do this because I have no idea what would happen, probably fired)  its just sitting in there, with open usb ports too.  Like I said, I am a noob.  I have no idea what I could do with this, but I want to break into this system really bad, just for the thrill.  I want to do this just to see if I can and to learn how safe my job is.


The system is running Windows server 2003

EDIT: The other system is in fact i2i video surveillance system

There is another computer on the desk, but I am not completely sure about the possibilities on that one, I'm not even sure if its connected to the main one yet but it displays all the security cameras and it says "i2i systems" if I remember correctly.


Please share some knowledge with me, I am a very curious noob.

[Kulverstukas]

Hardware keylogger. Nuff said. If you don't have money for it, then buy Teensy and make one yourself.

[white-knight]

  I want to do this just to see if I can and to learn how safe my job is.

What does this mean ? Or do you mean how safe your work place computer security is?


If you can get your hands on the hardware nothing is secure.


If you want to see his password just forget to clock in or out again and have him fix it then make sure you watch what he is typing, the password is probably on a sticky note close by anyways.

[KingCasra]

Get a Rubber ducky and run an exploit on it for root. Server 03 has too many exploits on Metasploit.

[zax]

Would remote access be possible?   I could maybe infect the rat via bootable usb?  can you do this to a Windows server 2003 computer when locked?  There are security cameras in the office so physically logging into the system with his password would not help much because I am sure to get caught...   I would like to hack into there i2i surveillance system but I don't think its possible..  idk why...  thoughts...?

[0E 800]

Can you get us the public ip of the windows 2003 server?

Get on the computer and goto www.whatismyipaddress.com

[white-knight]

Yes im sure remote access is possible but it will be much harder with your current skill level. like kulverstukas said the easiest way would be to use a ducky. takes only a few seconds to have a backdoor put in and u can remote into it from another pc but u will be seen on camera plugging it in  ...


you could also get in through the main network from the wifi im sure . not the guest wifi for the customers 


I don't think  you should  do this if you do get in and fuck something up you will get caught and more than likely blamed for more than you did. you will be lucky if you are just fired.   just saying

[zax]

Since the rubber ducky cost money I cant do this tonight or tomarro, ill look into it.  As for getting the IP, the computer is always locked unless someone is there..


 If I could plug a ducky in without being seen by the camera how else could I get caught?   Sorry in advance if this is a stupid question...  I need to know to prevent it.

[iTpHo3NiX]

With your skill level a ducky isn't really the way to go. Find out if the keyboard is USB or PS/2.


Then as kulver said, use a hardware keylogger.
Ps/2:
http://www.amazon.com/KeyKatcher-64K-PS-Hardware-Keylogger/dp/B004ZLV1UI
Usb:
http://www.amazon.com/Keyllama-4MB-USB-Value-Keylogger/dp/B004ZGXU48

These devices sit between the keyboard and the computer and will log any button presses.

Next thing you're going to want to do is map the network. Also turning off the computer that accesses the cameras won't necessarily turn the cameras off unless it's the actual DVR.

With your current knowledge and skillet I wouldn't be too hasty to do anything without researching... just my $0.02

[zax]

Plugging anything into the computer would be risky because of the cameras, so if I do ducky or the hardware keylogger I need to do it conspicuously.  A little social engineering could do the trick.  I could walk into the office with the devise taped to the back of my phone.   I would ask my boss if I can charge my phone, I have charged my phone there before.  If my boss wasn't on the computer and it was locked, I would plug a USB extension cord that resembled a iPhone charger into the computer.  Now I could hold my my phone and have the device hidden behind it, act like im plugging it into my phone for a couple mins and BAM solves the camera problem...  So now If I were to use this to gain remote access, and I had accidentally fucked something up, could I get caught?  if so how?  and how do you prevent it?


EDIT:  I'm really interested in this but my knowledge is very limited.  I need to learn more and I don't know where to start.  I've looked at some of the "where to start with hacking" threads but didn't get exactly what I was looking for.  If I wanted to be an expert at this type of hacking what should I start of learning, what programming language should I learn first?  I know the basics of HTML/CSS.

[white-knight]

  A little social engineering could do the trick.  I could walk into the office with the devise taped to the back of my phone.   I would ask my boss if I can charge my phone, I have charged my phone there before.  If my boss wasn't on the computer and it was locked, I would plug a USB extension cord that resembled a iPhone charger into the computer.  Now I could hold my my phone and have the device hidden behind it, act like im plugging it into my phone for a couple mins and BAM solves the camera problem...

Or you could actually plug a phone in and do everything you want. look into KALI nethunter ,pwnphone or kalipwn. all free images . They have lots of tools and apps for phones now.

[Kulverstukas]

Dude. This is why you still work at McDonald's. You sound like some hyped up teenager that wants to fuck shit up after watching "Person of Interest"... what you are asking is how to do this and that without even searching and reading A LOT.

[proxx]

This thread makes my eyes burn , listen to Kulverstukas , educate yourself and come back in a year.
I think this has gone far enough, nothing personal.

[P!X3LTR0N]

Dude. This is why you still work at McDonald's. You sound like some hyped up teenager that wants to fuck shit up after watching "Person of Interest"... what you are asking is how to do this and that without even searching and reading A LOT.

I didn't want to post this, thought I would be seen as "to honest" again  . Anyway, OP you need to do a lot of research and since you know that the server OS is very old it opens up many possibilities. Just do some research on different exploits for that OS and if you have a laptop and there is wifi, connect, do a sweep to find the different IP ranges. You should find the server, and it should show which OS it is running for sure.


Use your imagination, Scan the server for vulnerabilities etc, I mean you could do this from outside the MacDonalds and then do research on the vulnerabilities you find, try to exploit them etc. You should be able to enumerate and find some cool stuff.

Also remember it is illegal breaking into the system(unless you have a non-disclosure) so I would advise knowing what you are doing before you do it, also setup VM's at home to test these vulnerabilities and get comfortable with all the different aspects etc...

[techb]

When I worked at Subway I had user level access to the computer in the back. I could get in the admin account because they left the default password. And actually used it a few times to print off applications for people.

But the only thing I did on that system was telnet into IRC and chat with people, or watch ASCII StarWars cause boredom. Don't be stupid.