The dilemma: I needed to log in to Omniture's SiteCatalyst as somebody else. For just a moment, just to verify something. I've got an admin account so I could look up the username. But I couldn't look up the password.
The easy answer: In real life, I just called the client and asked him to send me his password. But while I was walking around waiting for my computer to reboot, I wondered what I could have done if for some reason I couldn't have just asked the client to send me his password. Like if I were... a hacker!
The fun answer: I could have reset the password, which would have gotten me in, but then the client would know the next time he tried to log in and his old password didn't work. I needed to actually find out what the current password was.
1. Find the original email -- back when the account was set up, somebody in my company must have created the login and sent the information to the client. They may have just done it over the phone, but more likely it was emailed. I figured out how to hack everybody's email accounts on the Exchange server long ago. Simple enough to go search everybody's old 'sent' mail for anything with the user name in it.
2. Call the client -- without directly asking for the password, tell him we're rebuilding all the accounts and he needs to tell me his old password if he wants to keep it the same.
3. Call the client (sneakier) -- I suppose if I needed to, I could reset the password and log in, then call and tell him the password database was corrupted so they've all been reset to "password01." Insisting, of course, that he not tell me his old password for security reasons, I tell him he should go in and change it back to his old password. That doesn't get me the old password, but it covers my access to it.
4. Monitor the client's network -- visit their building and inject myself into his upstream so I can monitor all the traffic. Hm. Major drawback: the login page is SSL encrypted. Probably renders this approach infeasible.
5. Monitor the client's machine -- as long as I'm visiting their building, I could install a physical or software keylogger. I could pretend to be a janitor, except the janitors themselves would probably not be cool with that. But if I dressed in a shirt and tie and showed up just as they did, I could probably get in the building and pretend to work for that company. While the office door is open (if they're like most janitors, they open all the doors first then start working) install the thing. If there's no tight security on the computer, a software keylogger would be better so I didn't have to come back and get it. Otherwise, a physical plug would work and I'd just have to come back a few days later.
6. Check the client's machine -- Of course, let's not forget the easy things. If I'm in there with the client's machine and I've got a minute, I should check his email archive. It's probably still stored in there from when it was set up. And he may have written it on a piece of paper or something that would also have lots of other interesting passwords.
7. Monitor Omniture's network -- Again, the SSL on the login form probably precludes me from doing this. But I could hook into Omniture's side of the network by renting office space in the same building they use. Request my computer be co-located in the central area where their servers are also. Then just plug in one time while I'm down there working on it.
8. Spoof the client's network -- This would address the SSL problem. If I can get access to the client's computer, I can set his browser to use a proxy server. A proxy server that I have specially set up to pass everything through normally, unless he goes to the secure Omniture sign-in page. When he does that, my proxy server actually sends an insecure version of the page that looks the same. When he logs in, I grab the clear password, then transmit it along and continue the session normally. He would never notice. When was the last time you checked your proxy settings to make sure nothing had been changed? And I could change it in the browser, in the hosts file, or at the DNS, depending on what kind of security his computer has.
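Number eight only works if the login hostname can be quietly redirected, and the hosts file is one of the places named for doing that. As an added example (not from the original post), here is a small defender-side audit that parses a hosts file and flags any non-loopback override, treating a watched login hostname as high severity; the file contents and the watched hostname are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file (placeholder content, not from the post).
SAMPLE_HOSTS = """\
# standard loopback entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# tampered entry: a public login host pinned to a private address
10.0.0.77   login.example-saas.invalid
192.168.1.5 intranet.corp.invalid
"""

# Placeholder for the SaaS login hostname(s) an organisation cares about.
WATCHED_HOSTS = {"login.example-saas.invalid"}


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) from hosts-file text.

    Comments (from '#' to end of line) and blank lines are skipped; lines whose
    first field is not a valid IP address are ignored rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((addr, [name.lower() for name in fields[1:]]))
    return entries


def find_overrides(text, watched):
    """Flag every hostname mapped to a non-loopback address.

    Loopback mappings (127.0.0.1, ::1) are the normal contents of a hosts file.
    Anything else is a local DNS override; if the name is one of the watched
    login hosts it is exactly the redirect a downgrade proxy would need.
    """
    findings = []
    for addr, names in parse_hosts(text):
        if addr.is_loopback:
            continue
        for name in names:
            severity = "high" if name in watched else "info"
            findings.append({"name": name, "addr": str(addr), "severity": severity})
    return findings
```

Run it against the live file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) from a scheduled job, and pair it with a check that the browser's proxy setting has not changed, since the post names both as places the redirect could be planted.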
I think those are the most realistic options. Number seven is the biggest stretch. I really like number eight! And there's a lot more you could do with that.
I want a big, white van with no windows. I'll paint BLISP on the side, "Binary Logistics ISP: portable business and personal networking solutions." There's a truck that would look okay anywhere you go with it. No matter how many antennas and weird stuff it had. Fill it with a couple computers and my boxes of spare, magical parts.
I'm gonna write a book about that. An Internet marketer turned network penetration tester who accidentally uncovers a terrorist plot and has to singlehandedly save the President. Woot!