Anti School Kit: Third Edition
Anti School Kit: Third Edition
Anti School Kit: Third Edition
this
guide. I nor anyone hosting this guide can be held responsible for anything you do after reading this. What you do with
your day lies on your shoulders. So keep the subpoenas out of my mailbox, thank ya much.
----------------------------
Greets and meets. Well I started off this year (2010) with an update to one of my tutorials and with no original article
ideas in mind I thought it's as good a time as ever to clean this article up a bit, and give it a needed update. I got some
positive response from the last edition, but the problem is I copypasted many of the parts from the first edition release
and it really shows when you read through it. Anywho, so yeah besides the phreak intro guides the school theme is one
I've used a lot in past tutorials. Mostly just cause I remember being an 8th grade n00b trying to find some information
that I could relate to the school network. There was nothing around, and even now most of the school texts circulating
are pretty lame. Eventually as I learned more it was the network at my high school where I really got my newby little
flippers wet in it all. Err, not to say go pwn your school or anything, after all this guide is for information purposes only
and all that good shit. Still something fun to ponder over. =) Well anyways, blah blah, lets get on with it..
-----------------------------------
Well as in the last edition I'm going to start off this guide with how to hijack the PA system. In the previous edition I
discussed trying to social engineer one of the office peoples into patching you through to the PA extension, and how to
hardwire yourself into the PBX to patch yourself through. Oh take note in case you didn't know PBX stands for Private
Branch eXchange, and is the internal phone network your school uses to tie together all those phones. Anywho the
problem with that is that the first one would most likely not work (even those desk jockies are going to wonder why you
would really need to be patched through to fix some "crash at the central office"), and the second one is way too risky
for too little reward. Thankfully nowadays every school has a voip PBX running, which actually makes your job a bit
easier. I already talked about much of what follows in Phones & Tones: Second Edition, but since you might not be
interested in phreaking all together I'm going to be repeating myself a bit in order to keep all the relevant information
here. So anyways for this I will assume you have a laptop (if you don't, none of this section applies to you) so you will
want to download Cain & Abel..
www.oxid.it/cain.html
Now a good thing to note from here is that despite the fact that any school PA system is tied in with voip PBXs they still
function basically the same as they used to with analog PBXs. Whenever someone needs to call Sally GoCutsHerself into
the main office so her parents can pick her up or needs to announce some morning crap over the intercom they pick up
the phone and dial an extension to access the PA system.
From here I will assume you have a softphone downloaded and a decent mic or headset to use. If you don't have a
softphone you can download X-Lite below..
www.counterpath.com/x-lite-download.html
Now to get that PA system extension. For this you will need to crack open your laptop and catch an announcement as
it's being issued. You can try this during lunch. If your school allows you to just open your laptop up while you're eating,
or if not you can just get in your or a friend's car in the parking lot during your lunch break and try it then. Hell even give
yourself a skip day and have all day to fuck around..well, assuming you can find yourself a spot close enough to the
school to get on their WiFi without getting busted for skipping. I'm going to assume from here that there is both a
wireless access point and you have access to it. How to crack the key if it's protected will be linked later so for right now
lets just go on with how to get access to the PA system. Now open up Cain & Abel, and set yourself up an ARP poison
route. First go to Configure, select your network card, and click OK. Now click the + sign, and this will bring up the MAC
Address Scanner. "All hosts in my subnet" should already be active so just click OK. Then click the + sign again and
you'll see a list of hosts on the left side of the window. Highlight all of them, and all the hosts on the right side. Then
just click OK again and you're set. You can watch all the calls coming over from the SIP tab so keep an eye on the To
and From fields. As soon as an announcement comes on check to see the call that came through at that same time and
you should see the user that placed it, and the username/extension number for the PA extension. It should be
somewhat obvious to identify since most schools are going to base most the usernames on the name of the user. Say
the first name and last initial, or first initial and last name of the staff/teacher/whatever. On the other hand the PA
system will have a much different username. Of course this scheme might not apply to your school, but it happens
enough to be mentioned. You can also if you want just go into the office right before they send an announcement and
pay close attention to what extension they hit to get to the PA system, or even look at one of the phones themselves
for the extension number (there's usually an extension list by the dial pad, just find a reason to be close enough to scan
over it). Alternatively you can just try using this list of common extensions..
www.totse2.net/text-files/strphnext.htm
Now that you have the PA system extension to call you will need to get access to a user to call it from. What you will
first want to do is find the SIP server. What we will be using for this is SiVuS, which has an entire suite of tools for all
your voip needs..
www.vopsecurity.org
So open SiVuS, go to SIP Component Discovery, in the "Target network" field enter 192.168.1.1-254 (or whatever the
network range is), and then just click Scan. Let that play through and you should find the SIP server fairly quickly (UDP
port 5060). So go back over to Cain & Abel. Hopefully at this point you've let it run long enough to have a decent list of
users to attempt to crack into. So from the Sniffer tab click over to the Passwords tab at the bottom of the window, and
then from the scroll bar select SIP. At this point you should see a list of password hashes so just right click on one of
them and select the dictionary crack. A good thing to note here is a popular default password on PBXs is for the pass to
be either the same as the username or the extension number so throwing both into your word list would probably be a
good idea. There are some options to use with your word list like reverse, double, numbered, etc so just select your
word list and let it rip. This is a good time to be doing this during a skip day so you can just take your work home with
you and run the cracker through all the hashes you grabbed until something clicks (one of the many advantages of
passive cracking).
So from here I'll assume you have the IP for the SIP server, a user/pass to use, and the extension for the PA system. So
when you're ready to give your announcement over the PA system open up X-Lite, right click, click on "SIP Account
Settings..", click "Add...", fill in the appropriate info, and click OK. Now dial up the extension, and from here it's all you.
Scream obscenities, play your favorite song, or whatever. Have fun with it.
---------------------------------------------------
Part 1: Intro
You should be plenty familiar with this software. It controls what programs you open, what sites you visit, and at
random moments lets the teacher monitor all your computering. So yeah, fuck that, it's got to go. Lets continue..
Part 2: LanSchool
This is one of the most popular classroom management programs used, and it's not all that hard to bypass. One of the
more direct courses of action you can take is to disable the program directly in order to leverage some freedom. The
problem is of course that the program will start itself after 15 seconds after it's closed. In order to fix this problem you
can create a short python script to keep the program closed..
def KillYou()
time.sleep(15)
KillYou()
Just run it through py2exe and take it to school on a USB stick (if py2exe fails just make a batch file that'll do the same
thing). Give this script some time to run and after a bit it should produce an error, and you can just kill the script from
there. You can also just run a linux live cd, drop over to the hdd, and kill the programs themselves from the computer.
C:\Program Files\LANSchool\Student.exe
C:\Program Files\LANSchool\StudentPower.exe
This will keep it off until the next time it's reinstalled.
Part 3: Vision6
This is another very popular piece of software that schools use to control activity on their computers. In previous
versions of Vision it was as simple as going to C:\Program Files\Master Solution\Vision and running MEUCONF.exe. This
file isn't included with Vision6, but you can download it manually below..
www.megaupload.com/?d=EIU4BIIU
If the link there is down by the time you read this you can just google "meuconf.exe" to see if you can find a new link or
find a torrent for earlier versions of Vision, install it on your computer, and extract MEUCONF.EXE from there (credits to
doctoroctagonapus23 for the tip and download link).
So drop this file to a USB stick, open it up on the computer in class, run the file & select "Run Manually?", and then just
close out Vision6 from the task bar. Then there, you're done.
Another popular piece of classroom control is SMART Sync (formerly known as SynchronEyes). They've definitely improved
their software since the older versions as far as security goes, but it's still basically the same crap as before. If you
have the permissions you can try to kill the process itself by going to cmd prompt and punching in..
Also you can as always drop to a linux live cd, drop over to the hdd, and kill the two files below to remove the software
from the computer itself..
This technique applies to most classroom management programs so I decided to give it a part of it's own. Most of these
apps use policies to set permissions for applications. What you can access, what you can't (iexplorer.exe, cmd.exe,
regedit.exe, etc). I got to give credit to Darawk from edgeofnowhere.cc for the idea. First select the program you want to
open from it's program folder and copy it to the desktop. For example iexplorer.exe from C:\Program Files\Internet
Explorer\, regedit.exe from c:\windows\, cmd.exe from c:\windows\system32\, etc etc. Now change the file extension
from exe to txt. Then plug in your USB stick and open up a hex editor. Just google one up, there's plenty to pick from.
Now open up the file you just copied to the desktop, and search for the string "Polic". This should bring you to the
policies entry, which is the entry that checks the group policies to see whether you can open the file or not. Just edit
one letter out of the name of the policy, save the file, and then change the extension of the file back to exe. Now run it,
and since the policy check fails it will just automatically start the file.
Part 6: Closing
Well that should cover you for that. One thing I should mention is for killing processes you will probably need higher
permissions on the OS. Just take a crack at the Windows pass using ophcrack. School computer passes usually aren't all
that complicated..
http://ophcrack.sourceforge.net/download.php
--------------------------------------
Well since every network is just a little different I can't give you a word to word on this, but I can at least give you
some tips on how to get started. So if you don't have it already you will of course need to get NetStumbler..
www.netstumbler.com/downloads/
So just pack up your laptop, head over to your school, and see what comes up and what sort of encryption if any the
access points use. If they come across encrypted then you can try your hand at cracking it with BackTrack..
www.backtrack-linux.org/downloads/
Burn it to a CD, come back around, and what you will do from here depends on the encryption used. I'll link some
tutorials out of laziness..
WEP: http://thewifihack.com/blog/?p=39
WPA2: http://opsec.cotse.net/opsec/?p=1046
So from here one way or another you should have access to the network. So what now? Well from here that's pretty
much up to you. A great place to start is doing some basic scans to get an idea of the network. If you for some odd
reason don't have it already you can download nmap below..
http://nmap.org/download.html
So open up the Zenmap GUI and select in Profile "Slow comprehensive scan" or if you're the impatient type just set it at
"Intense scan plus UDP" and in Target punch in 192.168.1.1-254 or whatever the network range is. Then just click Scan
and let it scan through. A great start for shits and giggles is the http servers you come across during your scan. Most
will be network devices (many times with the default account still set, admin:admin), but some may be other services
used by the staff tied in to the network with a web server. Just punch any you find into your browser and see what they
are. Now on to more serious targets. To make any serious progress within the network you need to tackle the active
directory. For this you will first want to gather some information on the AD for your school's network. A decent tool for
this is Winfingerprint, which can be downloaded below..
http://sourceforge.net/projects/winfingerprint/
This scanner can run a wide variety of checks that you would be interested in. For this scan what you will want to do is
check all the scan options (minus ping and traceroute), check "SNMP Community Strings", punch in the IP range over on
the top left corner of the window, and then click "Scan". Let that scan through, and ideally what you want to pull from
this are the users on the network and the hosts to target. Now that you're done with that it's time to start gathering
some passes. Even though SMB cracking is definitely an old tactic it still has it's place when exploring LANs. For this I
would suggest using smbbf, which is included in the smbat kit..
www.cqure.net/wp/smbat
You should see a list of functions to use so it should be pretty straight forward, however I will mention one thing.
Unless you know the host you're targeting is some Win2k host (still remotely possible on some of the legacy systems at
the school district building) you should just set -P at 0. Of course you're bound to run into a lockout limit so don't expect
to run a long wordlist. A good thing to do is just write yourself a wordlist of some likely passes on the network and see
what ticks. An example would be for the pass to be the same as the hostname, the workgroup, the name of the school,
the name of the football team, admin, password, system, etc. If you're successful you can then just net use your way on
and see what's being shared. Of course cracking SMB can be lame so lets go over some other services you may want to
look into while you're scanning. The first one I have to mention is Kerberos (port 88). This is used a lot on networks and
should be one of your first targets when you're exploring the network. A good choice here is a CLI set known as
KerbCrack, which can be downloaded below..
http://ntsecurity.nu/toolbox/kerbcrack/
Though the name is kerbcrack it actually contains two tools, kerbcrack and kerbsniff. Kerbsniff is good for MITM attacks
against 2k/XP systems. Of course 2000 isn't all that popular on networks now (thankfully), but there are still plenty of
XP hosts you can try this against. You just punch in the output file and sniff the pass string as it's being sent over. The
other tool, kerbcrack, is a cracker that can run either brute force or a dictionary crack against the host. As always I would
suggest just running a dictionary crack, and fill it with some of the common passes (including some of the one's I
mentioned before). Another choice target is LDAP (port 389). This is used for a lot of administrative functions, and is
also good for enumerating more information on the network. A good choice for this and many other protocols is Hydra,
which can be downloaded at..
http://freeworld.thc.org/thc-hydra/
This is of course natively for *nix, but there is a cygwin version for those allergic to any OS outside Windows. It's got a
lot of options so just run the program to read through all the parameters. If you successfully snag a pass you can use an
open source java LDAP browser known as Jxplorer to browse through..
http://jxplorer.org/
There's also ftp (21), ssh (22), telnet (23), snmp (161), and other ports that you will want to look into when scanning
the network. Most of the telnet/ssh servers will probably as with http be network devices, but they're worth a check
anyways. Hydra can equally take care of any of those other ports so you already have all you need there. Of course
outside dictionary cracks and MITM attacks there's also plenty of vulnerabilities related to the software itself that you
can use, but vulns come and go so I won't really get into any specifics. If you need more information on a server you
come across telnet into it, and see what banner the server spits back. On most ports you should be able to grab a
banner upon connect, while with others like http you will need to throw a request at it to get a response. For example
with HTTP upon connecting to the server just type in HEAD / HTTP/1.1 and that should do it. Then just google the name
and version and "vulnerability" (i.e search "powerschool 1.6 vulnerability"..minus the quotations), then see what you
come up with. Nmap will also do a bulk of the fingerprinting itself, which should give you the chance to look into any
vulnerabilities related to the version of the OS that a particular host uses. I couldn't possibly go over every possibility so
you'll just have to do your homework there.
--------------------------------
Part 1: Intro
So now lets move on to changing your grades. As I did in the last edition I should remind you that your grades are not
just on the computer, but also hard copied. So if you were to actually try any of what follows you could very well get
busted by the discrepancy between the two.
This should be the easiest part, but if you are to have any success with this you should gather a list of usernames for
your school. By far the most common username scheme for schools to use is the first initial and last name (i.e Norman
Bates becomes NBATES). Of course there are other schemes that your school may use. One you can try is to check the
school web site for email addresses. You can either snag an email spider (google one) to do the work for you, look
through the pages yourself, or google dork it. To do the last option there in the list just search something like
"intext:@countyname.k12.stateinitial.us" (minus the quotes) and see if you get lucky. If the email search doesn't bring
up any results there's still other options available to you. Scan over any faculty's desk for any notes that may have their
username (and possibly even password) on it, or just skim over the screen when you see one of them logging in. All you
need is to get one username to figure out the scheme and throw together a user list yourself.
Part 3: Building a Wordlist
Well now that you have the user list to use you need to put together a wordlist to use. While any word list you can find
on the net will do you should put in your own passes on top of what's included to make sure it can test for some
common defaults. While with most gradebook options the default is usually set by the admin there are some common
schemes. This includes password, Password, gradebook, Gradebook, same as username, 1234, 123456, teachers'
birthdate in various ways (two digit birth month/two digit birth year for example), first 2 or 3 letters of the teacher's last
name or their initials + birthdate, first 2 or 3 letters of te teacher's last name or initials + the last 4 digits of their SSN,
et cetera. Out of this list incorporate into the wordlist what you can. While you may not have any teachers' SSN you can
sometimes gather a list relatively easy while exploring the school's network. Many times schools will leave a list of
social security numbers and their corresponding names on one of the servers on the network for accounting purposes. So
just pay attention to any of the text files on any servers you manage to get even user access into to see what you can
find.
Part 4: PowerTeacher
This is one of the more prominent gradebook wares used. It runs off a PowerSchool web server, which is probably going
to be registered within the same domain as your school's website. Just type in http://ps.yourschoolsite/teachers or
http://powerschool.yourschoolsite/teachers and if your school uses it one of the two should bring up the form used. From
here you have multiple options. You can try to take a crack at one of the users, or try to take a crack at the server. If
you want to try a crack at the users just try using Brutus, which can be downloaded below..
www.hoobie.net/brutus/
So open up Brutus and just enter the URL for the PowerTeacher login into the Target field, select "HTTP (Form)" in the
Type field, click "Modify sequence", hit "Learn Form Settings" and once the right settings are loaded click OK, enter in
the user list you should have filled before into "User File", make a pass list for yourself with some common passes
including the name of the school; name of the football team; etc and then load that in the "Pass File", check "Use
Proxy", click "Define" and enter a valid proxy, and then just click "Start". Let that play through and if you get lucky you
can cop an account to login with. Of course if you don't you can still take a shot at the server itself. A good thing to first
do is open up Zenmap GUI again and scan the host that the server is on itself. This will get you the banner for the web
server itself, and any other servers that could be targeted to achieve access to what you want. So your first start should
always be to try looking for any public vulns that you may be able to use. Just search for "servername version
vulnerability" and if that doesn't work try looking for any other packages they may use on the server. Hell you can even
try entering the version of PowerSchool your school uses into google and see what you find (it's had plenty of vulns here
and there). If all that doesn't work you can just scrap trying the http server itself and target some of the other servers
on the host using Hydra (as explained earlier) or with any public vulns that the service may be exploitable to. So lets
say one way or another you got access to one of the accounts on the PowerTeacher service, what now? Click the
Gradebook icon, and from here you should see the Scoresheet tab (it's a spreadsheet). Here you should see the grades
for every student in their classes, which you can edit at will. Yup, no way to edit all the grades you wish without having
full server access or a district admin account. Still any teacher account would be valuable to somebody..
Part 5: GradeSpeed.NET
This one is actually a bit more secure than some other gradebook options used. Mostly because unlike PowerSchool and
some others GradeSpeed.NET is ran off a separate server (the gradespeed site). Though no site is completely secure
having the gradebook separate from the school network is actually better since a compromise of the actual network
(which isn't very hard to accomplish) is still not a free reign to edit any of the grades. For this I will be repeating much
of what I described in the previous section. First to locate the GradeSpeed login for your school you can try some of the
URLs below..
gradespeed.yourschoolsite/gs/
gradespeed2.yourschoolsite/gs/
gs.yourschoolsite/gs/
schoolname.gradespeed.net/gs/
So from here you will see different login options for different types of accounts in the order of Teacher, Substitute,
Administrator, and Parent. If you could it would be great to get an Administrator account, but since you could easily
count all the admin accounts on any single school's gradebook page on one hand it's unlikely you'd do anything besides
lock all the accounts. So just click Teacher, copy the URL for the login page, and enter it into Brutus the same way I
described in the PowerTeacher section (no point in repeating myself). Of course one thing I have to add is that if you
followed the previous section on hacking the school network and snagged any LDAP logins then you may be able to use
the same username/pass logins to get on GradeSpeed.NET. So anyways once logged in you can simply click over to
Grades to see a list of tables for various students and assignments. Should be obvious what to do from here so I'll close
it off here.
Part 6: Closing
There are definitely other options, but as you see the techniques are pretty much going to run the same irregardless of
the type of gradebook software used. JoomlaLMS, Pinnacle Gradebook2, Lynx.NET, TeacherEase, etc. If the software is
tied in with the web server and not just tied in with the domain then you can try targeting the site itself to gain access
to the databases used. I could dedicate an entire section to this topic, but there's been entirely too many guides on
testing sites for common vulns as it is so if you need some information to start here check some of the milw0rm texts..
www.milw0rm.com/papers/
Section 6: The Conclusion
--------------------------
Well that's it for this article. I honestly had been sitting on this article unfinished for a few weeks. Other projects, old
SNES games, and other rl shit distracted me just enough to honestly forget I was even writing this till a couple days
ago. If you need any help that isn't something stupid like "help me hack my skool!!" or just need to get in touch with me
there's some contact details below. If you send me an email or message and I don't respond to you within a few days or
so I'm probably either just busy or just not interested in helping you (meaning you're asking the wrong question).
Murder Mouse
http://houseofhackers.ning.com/profile/MurderMouse
www.informationleak.net
http://resistance.zzl.org/index.html
www.totse2.net
www.gonullyourself.org