pinkhathackers

Everything posted by pinkhathackers

  1. We now have the new LanSchool version 7.4.1.4 table and the demo decrypter on our website. @x-quisite: If you can't get h2oh4x's program to work, you can either try running it in XP Compatibility mode or simply use our website instead (http://pinkhathackers.net/decryptor.php). h2oh4x's program seems only to decrypt lskdata.bin files from LanSchool versions 7.4.1.3 and older, though this would only require a revised key map table to fix. @smd75jr: Our major concern with LanSchool was its keylogger. The use of these programs for monitoring is, to us, less intrusive than stealing passwords. Further, most of these programs can be killed by using taskkill.exe, so you may look for a solution similar to the batch files that can be found on our site (http://pinkhathackers.net/downloads.php).
  2. In fact we have, if you look on our site, pinkhathackers.net, under the Demo section you will find a decoder that you can upload your lskdata.bin file to. However we must emphasize that the one on our website as of now only decrypts lskdata.bin files from versions older than 7.4.1.4. With that version they modified their cipher slightly. We have cracked it but haven't yet updated the decryption engine on our website.
  3. The files are encoded as binary data, so it would be expected that they'd look nonsensical in Notepad (each letter you see is how the computer tried to make sense of what was really numerical data). You might try XVI32 or any other hex editor. All programming languages also have the ability to read in files as binary data, which is useful for processing the lskdata.bin file. One thing you should note, though, is that if you type a single character about 8 or more times (many more if you want it to be noticeable), you can see a distinct pattern using either Notepad or a hex editor. The binary values begin to repeat themselves after 4 repeated characters, as described on the website. Using this information, you may see how one could create a table of which 4 values correspond to which character by typing each letter at least 4 times and looking at the output. This table could be used to decode any lskdata.bin file. Also we will soon be adding the additional table for the current version; more to follow both here and on PinkHatHackers.net.
  4. LanSchool released a patch in version 7.4.1.4 that changed the encryption slightly. So far, we have confirmed that they modified which values are mapped to which characters, but everything else seems to be the same. Thus, the table in our second post is now incorrect for version 7.4.1.4, but the information in our first post should still be fine.
  5. APPENDIX: The following is a fairly inclusive table of letters and their encrypted values based on a modulus of absolute position.

     Table for versions prior to 7.4.1.4

     ------------------------------------------
            |            POS % 4
     LETTER |----------------------------------
            | % = 0   % = 1   % = 2   % = 3
     ------------------------------------------
     a        223     219     204     106
     b        220     216     207     105
     c        221     217     206     104
     d        218     222     201     111
     e        219     223     200     110
     f        216     220     203     109
     g        217     221     202     108
     h        214     210     197      99
     i        215     211     196      98
     j        212     208     199      97
     k        213     209     198      96
     l        210     214     193     103
     m        211     215     192     102
     n        208     212     195     101
     o        209     213     194     100
     p        206     202     221     123
     q        207     203     220     122
     r        204     200     223     121
     s        205     201     222     120
     t        202     206     217     127
     u        203     207     216     126
     v        200     204     219     125
     w        201     205     218     124
     x        198     194     213     115
     y        199     195     212     114
     z        196     192     215     113
     0        142     138     157      59
     1        143     139     156      58
     2        140     136     159      57
     3        141     137     158      56
     4        138     142     153      63
     5        139     143     152      62
     6        136     140     155      61
     7        137     141     154      60
     8        134     130     149      51
     9        135     131     148      50
              158     154     141      43
     [        225     246      80     229
     ]        231     240      86     227
     \        230     241      87     226
     ;        129     150      48     133
     '        157     138      44     153
     ,        150     129      39     146
     .        148     131      37     144
     /        149     130      36     145
     A        251     236      74     255
     B        248     239      73     252
     C        249     238      72     253
     D        254     233      79     250
     E        255     232      78     251
     F        252     235      77     248
     G        253     234      76     249
     H        242     229      67     246
     I        243     228      66     247
     J        240     231      65     244
     K        241     230      64     245
     L        246     225      71     242
     M        247     224      70     243
     N        244     227      69     240
     O        245     226      68     241
     P        234     253      91     238
     Q        235     252      90     239
     R        232     255      89     236
     S        233     254      88     237
     T        238     249      95     234
     U        239     248      94     235
     V        236     251      93     232
     W        237     250      92     233
     X        226     245      83     230
     Y        227     244      82     231
     Z        224     247      81     228
     !        155     140      42     159
     @        250     237      75     254
     #        153     142      40     157
     $        158     137      47     154
     %        159     136      46     155
     ^        228     243      85     224
     &        156     139      45     152
     *        144     135      33     148
     (        146     133      35     150
     )        147     132      34     151
     _        229     242      84     225
     +        145     134      32     149
     -        151     128      38     147
     =        135     144      54     131
     {        193     214     112     197
     }        199     208     118     195
     |        198     209     119     194
     :        128     151      49     132
     "        152     143      41     156
     <        134     145      55     130
     >        132     147      53     128
     ?        133     146      52     129
  6. TITLE: LanSchool v7.4 Keylogger Vulnerability

     Authors: Thomas D, Aaron D, Henry Y
     Email: thehat@pinkhathackers.net
     Site: PinkHatHackers.net

     DESCRIPTION: The network monitoring program LanSchool is often used to keep an eye on students, similar to other programs like Vision6 and SynchronEyes. It has features such as remote control (local user loses all control), task manager disabling, port 80 blocking, and keylogging. The keylogger, which stores its information on the computer from which the data is captured, is especially vulnerable to exploitation, as it may contain passwords and other sensitive data that people may have typed on the computer. This article details a proof of an exploit of the LanSchool program. Pink Hat Hackers does not support, condone or recommend the use of it in real life. Similar work on LanSchool 7.2 can be found at http://hak5.org/forums/index.php?showtopic=11920.

     SOLUTION: Don't use LanSchool or wait for the encryption scheme to get an upgrade.

     ------------------------------------------------------------------------

     The LanSchool keylogger stores its data in a file called 'lskdata.bin' encrypted using a slightly modified substitution cipher. Every key can have one of four possible single byte values based on the byte's absolute position in the file, mod 4. For example, if the letter 'a' was encoded at position 739, its value would be 106, because this is the value for 'a' at position 3 (739 % 4 = 3). Clearly, by typing four consecutive characters of 'a' and reading the output, one would have enough information to consistently decode this letter. This technique was used to generate the table of character-value associations at the end of this text. Reading in one of the files using these tables to automatically look up each character was very successful.

     NOTES: If one holds down the shift key and presses multiple letters, LanSchool seems to only record the first letter as capitalized. This may be a bug in their code, or it may suggest a lack of complete understanding of the system, but this means that capital letters typed in succession may not be read correctly (e.g., "ABCdEF" might be read as "AbcdEf"). Further, LanSchool only stores the last 50,000 keypresses. The information would have to be gathered and merged periodically to maintain a full record. However, to quote the LanSchool website (lanschool.com), that is "Weeks of keystrokes."
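
Added example (not part of the original posts and not the authors' decoder): a constructed toy cipher with the structure described in post 6, one fixed byte substitution per position mod 4, showing why four probe bytes per character are enough to read any later data. The permutations, function names and sample text are assumptions made for illustration; only PAGE_ROW_A is copied from the appendix table.

```python
import random

PERIOD = 4                         # post: value depends on absolute position mod 4
PAGE_ROW_A = (223, 219, 204, 106)  # 'a' row copied from the appendix table above

def make_toy_tables(seed=1):
    """Constructed stand-in cipher: one random byte permutation per position class."""
    rng = random.Random(seed)
    tables = []
    for _ in range(PERIOD):
        perm = list(range(256))
        rng.shuffle(perm)
        tables.append(perm)
    return tables

def encrypt(tables, plaintext, start=0):
    """Substitute each byte using the table for its absolute position mod 4."""
    return bytes(tables[(start + i) % PERIOD][b] for i, b in enumerate(plaintext))

def recover_inverse(oracle, alphabet):
    """Probe from the post: submit each character four times and record the four
    output bytes. Returns {(position mod 4, cipher byte): plaintext byte}."""
    inverse = {}
    for ch in alphabet:
        out = oracle(bytes([ch]) * PERIOD)  # probe written at a position that is 0 mod 4
        for pos, c in enumerate(out):
            inverse[(pos, c)] = ch
    return inverse

def decode(inverse, ciphertext, start=0):
    """Look up every byte by (position mod 4, value); unknown bytes become '?'."""
    return "".join(chr(inverse.get(((start + i) % PERIOD, c), ord("?")))
                   for i, c in enumerate(ciphertext))

def demo():
    tables = make_toy_tables()                 # never shown to the recovery code
    oracle = lambda p: encrypt(tables, p, 0)
    inverse = recover_inverse(oracle, bytes(range(32, 127)))
    sample = b"constructed sample text"        # constructed input
    return decode(inverse, encrypt(tables, sample, start=739), start=739)

if __name__ == "__main__":
    print(PAGE_ROW_A[739 % PERIOD])  # the post's worked example for 'a' at position 739
    print(demo())
```

Recovery needs only four bytes of chosen input per character and no knowledge of the mapping itself, so changing which values map to which characters (as post 4 reports for version 7.4.1.4) leaves the weakness in place.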