The Threat of a Lazy Admin

Javier O.  (javih3@yahoo.com)

I am writing this article because many admins do not seem to grasp the importance of security, especially "inside" security.

Last summer I moved into some new apartments here in beautiful West L.A.  About a month later we decided to hook up our place with DSL, so we placed a call and scheduled an appointment.  Weeks later we had DSL.

As soon as the techs were done with the installation, I busted out my Linksys switch and a couple more hubs and hooked my whole place up.  First thing I did was an ifconfig to get my IP info.  I noticed that we were on a DHCP based service and that we were not the only ones on the same network segment.

I decided to secure both of my roommates' Windows boxes, unsharing the drives, setting passwords and permissions for files and printers.  When all that was done I checked my Linux box.  I was curious to see what else was in our same segment, so I busted out the trusty Nmap scanner and did a:

# nmap -O 192.168.0/24 > results

That way it scans the whole Class C network and saves the scan results to the file results.

As expected, 192.168.1.1 and 192.168.1.2 were interesting. The first one belonged to a Cisco router and the second address belonged to a 3Com SuperStack II Switch.
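What an admin should be doing with a results file like that is the opposite of what follows: reading it back and flagging every box on the shared segment that offers a cleartext management service or Windows file sharing to whoever DHCP happens to put next door. The script below is an added example for this article, not the author's code; the results text it parses is constructed in the style of nmap's normal output, and the list of "should never face a shared segment" services is an assumption of the example.

```python
import re

# Constructed sample in the style of nmap's "normal" output (the kind of
# text a "> results" redirection captures). Not real scan data.
SAMPLE_RESULTS = """\
Interesting ports on 192.168.1.1:
Port       State       Service
23/tcp     open        telnet
80/tcp     open        http
Remote operating system guess: Cisco IOS

Interesting ports on 192.168.1.2:
Port       State       Service
23/tcp     open        telnet
161/udp    open        snmp

Interesting ports on 192.168.1.23:
Port       State       Service
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds

Interesting ports on 192.168.1.40:
Port       State       Service
22/tcp     open        ssh
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

# Assumed policy: services that should never be reachable from an
# untrusted, shared segment (cleartext management, SNMP with default
# community strings, Windows file sharing with its admin shares).
RISKY = {
    ("tcp", 23): "telnet management",
    ("udp", 161): "snmp",
    ("tcp", 139): "netbios",
    ("tcp", 445): "smb",
}


def parse_results(text):
    """Return {host: [(proto, port, service), ...]} from nmap-style text."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append((m.group(2), int(m.group(1)), m.group(3)))
    return hosts


def exposed_services(hosts):
    """Map each host to the risky services it exposes; clean hosts are omitted."""
    findings = {}
    for host, ports in hosts.items():
        hits = [RISKY[(proto, port)] for proto, port, _ in ports
                if (proto, port) in RISKY]
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in sorted(exposed_services(parse_results(SAMPLE_RESULTS)).items()):
        print(host, "->", ", ".join(hits))
```

Run against a real results file, the output is the list of devices whose management plane is one Enter key away from every other tenant on the segment, which is exactly the list the ISP's admin should have had before the author did.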

So I did a quick Telnet to the switch and didn't get a prompt.  So I hit the Enter key twice and bam!  I got a Login: prompt.

3Com switches by default have no password set.  According to the manual, you are supposed to set one upon installation... tsk, tsk.  So I typed in admin with no password and I got the following:

Login: admin
Password: (The default password is null)

Menu options: --------------3Com SuperStack II Switch 1100--------------
ethernet            - Administer Ethernet ports
ip                  - Administer IP
logout              - Logout of the Command Line Interface
snmp                - Administer SNMP
system              - Administer system-level functions

Type ? for help.
-----------------------------------Switch 1100 (1)----------------------
Select menu option:

So I went to the ethernet menu and checked the statistics on all the ports.  Of course they were all set to half-duplex.  So I quickly ran ifconfig again on my computer and got my MAC address.  That way I could check the tables on the switch and find out what port I was assigned to.

I found my MAC address matched with the MAC address on switch port 18.  My roommates' MAC also matched switch port 18.  So I went back to the switch and decided to change our port to full-duplex.

I logged in and typed:

Select menu option: ethernet portMode
Select Ethernet port(s) (1-26): 18
Enter new value (10half,10full): 10full

I entered 10full and was sent back to the main menu.

I double-checked my work and switch port 18 was at "10 full."  Cool!

Next I would create an account for myself, just in case an act of faith occurs and the admin decides to check his network and devices.  Trying to make the account not seem suspicious, I named it "system" and gave full access to it.

Before any changes take place you have to reset the switch, which can be done remotely.  Now by doing some bandwidth tests, I see some improvement on our connections.  It is not a huge difference since all I did was double the throughput of the port (full-duplex doubles the throughput of a link), so the bandwidth and other network traffic was still the same.  But at least it helps.
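The "system" account is the kind of thing a periodic audit catches in seconds: dump the device's user table, compare it against the accounts you actually created, and flag anything unknown or any privileged account still sitting on a null password. The following is an added example, not part of the article; the user-table layout and the approved-account list are assumptions, not the 3Com switch's real export format.

```python
# Constructed sample of an exported user table. The column layout is an
# assumption for this example, not the switch's actual listing format.
SAMPLE_USERS = """\
user      access    password_set
admin     security  no
monitor   monitor   no
manager   manager   yes
system    security  yes
"""

# Assumed allow-list: the accounts the admin created, with the access
# level each one is supposed to have.
APPROVED = {"admin": "security", "manager": "manager", "monitor": "monitor"}

# Assumed: these access levels can change configuration and therefore
# must never be left with a null password.
PRIVILEGED = {"security", "manager"}


def parse_users(text):
    """Return [(name, access, password_set_bool), ...], skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 3:
            continue
        name, access, pw = parts
        rows.append((name, access, pw.lower() == "yes"))
    return rows


def audit_users(users, approved=APPROVED):
    """Flag rogue accounts, changed access levels and passwordless privileged accounts."""
    findings = []
    for name, access, pw_set in users:
        if name not in approved:
            findings.append((name, "unexpected account with %s access" % access))
        elif approved[name] != access:
            findings.append((name, "access level changed to %s" % access))
        if access in PRIVILEGED and not pw_set:
            findings.append((name, "privileged account has no password"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_users(parse_users(SAMPLE_USERS)):
        print("%-10s %s" % (name, problem))
```

Against the sample, the audit reports two things: the default admin account never got a password, and an extra "security"-level account named "system" exists that nobody on the admin side created. A blandly named account is only invisible to an admin who never looks.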

Now the other IP address (192.168.1.1): I was able to Telnet to the Cisco router and get low-level access.  Nothing really useful but by running the command:

> show version

I can see that it is a Cisco 2600 series.

The only way to get root that I know of requires physical access to the router.  Hmm...

I guess I can look around my building next time I take out the trash.  There are a lot of other security issues with this setup, like the ever famous "file and printer sharing" by Microsoft.

All I had to do was open up My Network Places and choose a workgroup (about five exist on my segment), then just see what hosts offered what services.  It was really kinda easy to do a:

C:\> net use x: \\ipaddress\c$

on my computer and mount some person's drive since Windows by default shares \c$ and \IPC$.  But I was more interested in the switch and router than snooping around other people's drives...
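Connections to the administrative shares do leave a trace on the machine that serves them, so the hosts on that segment could have noticed this. Below is an added example for this article, not the author's code: it runs detection logic over a few constructed log lines modelled on the fields of the Windows Security event for a network share being accessed, and flags access to C$ or ADMIN$ from any address that is not on an assumed list of trusted admin workstations. IPC$ is deliberately ignored, since normal name resolution and browsing touch it constantly and alerting on it would drown the real hits.

```python
import re

# Constructed sample lines, flattened to one line per event, modelled on
# the fields of Windows Security event 5140 ("A network share object was
# accessed"). Not real log data.
SAMPLE_EVENTS = [
    "EventID=5140 Account=WORKGROUP\\bob SourceAddress=192.168.1.77 ShareName=\\\\*\\C$",
    "EventID=5140 Account=WORKGROUP\\bob SourceAddress=192.168.1.77 ShareName=\\\\*\\IPC$",
    "EventID=5140 Account=WORKGROUP\\alice SourceAddress=192.168.1.10 ShareName=\\\\*\\Shared",
    "EventID=5140 Account=WORKGROUP\\svc SourceAddress=10.0.0.5 ShareName=\\\\*\\ADMIN$",
    "EventID=4624 Account=WORKGROUP\\alice SourceAddress=192.168.1.10",
]

# Shares whose use implies full control of the host's filesystem.
ADMIN_SHARES = {"C$", "D$", "ADMIN$"}

# Assumed allow-list of workstations that legitimately use admin shares.
TRUSTED_ADMIN_HOSTS = {"10.0.0.5"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'Key=value Key=value' into a dict; values contain no spaces here."""
    return dict(FIELD_RE.findall(line))


def admin_share_hits(lines, trusted=TRUSTED_ADMIN_HOSTS):
    """Return (source, account, share) for admin-share access from untrusted hosts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5140":
            continue
        # ShareName arrives as \\*\C$; keep only the share component.
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1]
        if share in ADMIN_SHARES and ev.get("SourceAddress") not in trusted:
            hits.append((ev.get("SourceAddress"), ev.get("Account"), share))
    return hits


if __name__ == "__main__":
    for src, account, share in admin_share_hits(SAMPLE_EVENTS):
        print("admin share %s opened by %s from %s" % (share, account, src))
```

On the sample, the single hit is bob mapping C$ from 192.168.1.77; the service account's ADMIN$ use from the trusted host and alice's ordinary share are passed over. The same logic applies unchanged to a real export once the fields are flattened the same way.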

As admins and enthusiasts, always secure your shit from both sides and never trust the users.

Shout outs to: Happydrgn, Alezzz, Escorpion, littlesunshyngrl, my Family and to all my other friends!
