Archived

This topic is now archived and is closed to further replies.

shonen

Lanschool v7.2

I started back at school this week after having a week off and our I.T department did a massive overhaul of our computers, network among other things. One of my funny as Teachers went on a bit of a power trip and was showing off his newfound powers via this newly installed piece of software called Lanschool. Which I will admit was impressive and annoying from a student perspective.

Lanschool v7.2, in a nutshell, equates to VNC on steroids. It allows a teacher to view every desktop in a classroom from his Teacher Viewer client whilst permitting them to carry out some of the following features (some of these features can affect an entire classroom and all of its students).

Link: http://www.lanschool.com/lanschool/feature...ick-easy-access

- Logging of Keystrokes.

- Remote control of desktop.

- Disabling the internet connection.

- Shutting down the PC

- Redirecting websites.

- Locking the screen.

- Displaying the teacher's desktop on all students' classroom desktops.

- Hosting a chat session

- The list goes on and on...

Anyways me and a fellow classmate spent most of our project management class trying to find a way to disable it so the teacher couldn't do any of the above (we enjoy our free mass downloading). I will admit it was a sod and I do MEAN SOD to try and remove with your limited student access, mandatory profile and our somewhat limited computer knowledge. In the end we worked out how to remove it, but obviously it comes back when you log off due to the mandatory profile (still it's better than nothing).

We also had a bit of a fiddle and tried to obtain the same powers our teacher was demonstrating, sure enough we managed to find a workaround and that workaround allowed us more than a single classroom (it was so simple it was not funny, which is slightly worrying seeing as the two of us are no hackers). For the record after an hour of some cheap harmless laughs at the expense of fellow classmates we ended up reporting the issue to the school's IT department and demonstrated how we could virtually spy/shut down any classroom. Oddly enough they didn't seem too interested and if their track record is anything to go by this issue won't be resolved until they get around to the next upgrade (but meh we tried to do the right thing).

I know this piece of software is somewhat popular among TAFEs and high school institutions (not sure about Universities) within Australia and I was curious if any of the folk in here have ever come across this software during their studies?

Also if anyone is interested I don't mind posting a tutorial for the above but before I do I wanna read the policy on here on what can be posted. I know the mods have an anti How to hax0r yours skoolzorz policy which is fair enough and the last thing I wanna do is piss some of the people off in here.

My policy is this:

If you start posting information or questions about disabling the thing, or hacking your school to be a l33t little shite, then I will let you get flamed until I have to step in and lock it. If you carry on pissing me off, I will toy with you until you suffer a rage burnout and start sending me threatening emails.

If you post an interesting discourse on what you have done, how the software works, the architecture, how it is vulnerable etc, I will step in to defend the post. We are supposed to be hackers here, so I'm interested in hacking topics, so if you present them in a technical way and avoid moral issues about should you or should you not be doing this then I'm down with that (because everyone here does illegal things, for better or for worse). We do have a lot of sys-admins here, so present it on their level rather than billy no-mates.

FYI I see this as the latter.

To be honest I had no intention of posting to be a "l33t little shite"; if I took that mentality, why would I make reference and mention I am no hacker and have limited computer knowledge? Seriously, give me some credit: I at least had the decency to not give out information and inquire/do my own research about the policy in here prior to posting.

I am well aware of the fact that system administrators congregate on this forum and as for posting technical detail on what I have done, like I mentioned in the above it was really simple, so simple in fact that it really isn't that technical (any idiot could do it, which could explain how we managed to fluke it). Well seeing as I am a fledgling 1st year Network student, I guess that rules me out on displaying it at a Systems Admin level. =P

lol Now why would I go to the trouble of flaming your email? Do you have that effect on people?

FYI I am an Aussie, we don't get upset too easily, the day I take offense to something said in a forum and feel the need to flame an email account is the day I go out the back yard and play a quick game of hide and go neck myself. The only exception would be when you English Folk take the ashes back off us shortly (god damn we are playing shit).

By the way thanks for posting the policy and saving me the searching, it is much appreciated.

Like you, I don't really get upset over these things. And as I said, or attempted to state, from your initial post you don't fall into the l33t shite category. What I was trying to do was to get you to post a 2nd, well structured, insightful piece detailing your discoveries and how you came to those conclusions, mainly because I've never heard of this software before, and I'm curious to learn more. I also wanted to avoid someone jumping in with an angry post about the moral implications of hacking a school network, everyone knows that if you get caught you're fucked so it's pointless posting about that imo. And as a sys-admin it's always good to know what the users might be up to, so I approve this post.

I don't know why I occasionally get hatemail either, usually I just file it under "Shit I'm not going to do anything about" and carry on about my day.

If you couldn't pick it up from Vako's post, posting things like "I 0wn3d the sch00lz network" isn't exactly smiled upon. Instead start by posting the software/system architecture, how you discovered the vulnerability, and how you exploited it, in a way to educate, not gloat about your 1337ness. Vako wasn't personally attacking you per se, he was attacking your post. He is basically saying: try this post again.

Edit: Oh and post a potential fix for the security weakness if at all possible.

Nah I never thought Vako was attacking in his post, I found it amusing for the most part and the rest was confusion on whether I should or should not post.

The initial post was somewhat cocked up on my part (sorry guys). Even I was not sure what I was trying to say with it. It was initially a hey I found this silly flaw due to poor implementation but the IT department were like piss off you shit you are creating more work for us and it turned into a hey I would like to share because this is seriously stupid and I was hoping someone could roughly explain what you could do to stop it from an administrator perspective.

Anyways, due to my low level in I.T and the I.T department not telling us much on how things are set up (and rightfully so), some of the below is based on my own assumptions.

Obviously there are groups for teachers/students and when a student logs in we get the server software loaded on login to the domain and the teachers get the viewer. Both groups have restrictions on not being able to install software or accessing the desktop to remove it. The teacher's LAN school viewer has a set channel number that loads for that classroom and cannot be changed unless it is re-installed, hence teachers cannot view other classrooms other than the one their desktop resides in.

Now a classmate and I tried a whole bunch of different things to try and kill/remove it, in the end we worked out that we could remove the LAN school server that loaded on login if you got your hands on the installation file (mind you it was not easy finding the software and crack, god bless rapid share). Yes it was that simple, I couldn't believe it.

The next objective was to install the LAN school viewer the teachers were using to see if it would work, we couldn't do this in the host operating system so we thought hey we get to use VMware so why not try booting XP while bridging the network adapter and install it seeing as we have administrator rights in the guest O.S. (it worked a charm). We both also concluded that even if the school didn't provide us with the VMware application we could always just bring along our own laptop and theoretically it should work pretty much the same way.

The most amusing thing is each classroom is linked via a channel number (1 to 250 if my memory is correct), and this channel can only be set in the initial install process. So seeing as we have Administrator privileges within a virtual environment we could uninstall and reset the channel number to another classroom on the next install (which is more than what the teachers can do).

Prior to installing the LAN school viewer software I was expecting some sort of password for teachers to access clients over the network, but nope, nothing. From memory I didn't see anywhere within the program's install process or the program itself that allows you to set a password. Now I could be wrong about this seeing as I did only have a fiddle for a short time (85% sure though) but I will take a good look tomorrow and confirm it.

It seems rather odd that the only security is your limited desktop access and the fact that only teachers get the LAN school viewer at login. As I mentioned in the above I am simply gobsmacked at how easy it all was and if I was a malicious user god help all the students at my crappy TAFE.

My humble apologies that this isn't slightly more technical and more than likely not well written, I am trying to work on both of those aspects. XD

The easiest way to stop software like this is to check out which port it's listening on and block it. I used to have one that would run fine as a limited user and block any port for both inbound and outbound traffic.

Edit:

I found it, it's this one: http://wareseeker.com/Network-Internet/ems...0.15.zip/345181

I have now checked that link for evilness, and it only does TCP, but TCP is what every type of remote desktop uses that I have ever seen.

Actual page for it: http://www.e-systems.ro/port_blocker.htm

Virus Total says: http://www.virustotal.com/analisis/e0a0da8...1bd9a4fee5d9f3d

That's actually a pretty neat hack all being said. The next port of call is working out what is monitored on the network. If the admins are smart they will notice things like large downloads or certain sites being accessed. Time to work out the network topology.

lmfao Trust one of your guys to come up with a quick fix and here I was thinking that my method was really simple. /facepalm =P

Thanks a lot for the advice and the linkage Sparda, you're a gun and yeah I was planning on checking out what port and stuff it utilizes in my home lab running a sniffer.

Thanks Vako I am glad it gets your thumbs up. It seems our admins are pretty good and I am yet to be blocked from downloading stuff (some days I do go through a fair amount). Yeah they do restrict sites and unfortunately hak5 is one of em. A while ago I had a VPN set up so all was good but at the minute my network is a little chaotic and in need of repairs (band aid solutions for the moment).

By the way this may be a silly question but how would one go about working out the network topology? My best guess is with nmap or something?

I actually am interested in finding out how you did this. At my school they use Lan School as well... and I hate that software. damn thing is annoying. can you pm me instructions how you did this?

TIA

Manuel

I actually am interested in finding out how you did this. At my school they use Lan School as well... and I hate that software. damn thing is annoying. can you pm me instructions how you did this?

TIA

Manuel

Post the details here instead?

Didn't his last post pretty much describe it?.. Well except maybe for the script loading from the server part. Don't see how you coulda changed those settings unless the admins were too lazy to lock it down.

Anyone with that viewer could tap in. Shouldn't they have userids/passwords or tie it into AD if the software can do that?

At the HS I went to you couldn't even right click windows.... what is it with these IT teams at schools nowadays?

My school uses essentially the same thing. It's called Vision6. They're still in the process of installing it on all computers and are having trouble for some reason, therefore the computer I use is safe for now. As Sparda said, the easiest way to go about stopping the snooping teachers would be to close the port it uses, which was my initial thought (after "Fuck..."). But I was also thinking about maybe trying to disconnect his computer from *all* of the computers in my class because seeing only one computer during only one class stop responding would seem pretty fishy, especially since I'm already known as "the computer dude." I'm not quite sure how I'll go about doing this but I got a hold of the same installation they're using at my school (I found my teacher's flash drive one day with the file on it) so I plan on setting up my own little test lab to see all the possible ways to get around this. I figure it's being implemented in other classes and probably in the library as well so I'll probably have some fun messing with the other students (if I can find a way to connect to them). The installation can install both the 'Master' and the 'client' so I figure I can install the Master on the school computer to see what I can do. I've installed Master on my computer already and it prompts for a password during installation so I'm thinking the password is only to use the Master on that computer (leaving another Master to connect to the classroom password free) but I'll need to run some tests. I'll keep you guys posted if you want...

Zenmap, the NMap gui, has a neat topology feature. If they have an eye on the IDS they will notice that though, so don't be too blatant

Thanks for that Vako I never knew the gui version could map out topologies, I have only ever had exposure to the CLI Linux stuff. Last time I tried to scan the school's network I am pretty sure the IDS kicked in and slammed the door in my face due to the large number of SYNs being sent. I shall be chucking that on my to check out list.

Didn't his last post pretty much describe it?.. Well except maybe for the script loading from the server part. Don't see how you coulda changed those settings unless the admins were too lazy to lock it down.

Anyone with that viewer could tap in. Shouldn't they have userids/passwords or tie it into AD if the software can do that?

At the HS I went to you couldn't even right click windows.... what is it with these IT teams at schools nowadays?

I thought so too, the only thing I neglected to post was the link to download the LAN School software and the crack, reason being I neglected to send myself the link for the rapid share download during class (I was having a hard enough time hiding what I was doing from my teacher) and posting warez on here would surely be equivalent to a breach of policy /instant flame.

But yeah if you only wanted to disable the app so teachers can't hijack your desktop Sparda's suggestion was far better than my own. If you wanted to be an annoying twat (not that I encourage it) all ya need is to know how to use VMware which is a piece of piss and doesn't require a guide IMHO.

Agreed you shouldn't be able to tap in just because you have access to the software, as I mentioned I am pretty sure it doesn't have an option to support passwords and even if it did I guess it would mean a little more overhead for our school's IT department. I was going to confirm it today and have a better look at it but it's 45 degrees here and I am suffering a bad case of CBF syndrome (I shall do it tomorrow).

By the way when you say AD do you mean Active Directory? (that went a little over my head).

lol Yeah our Administrators like to be pretty tight on the level of desktop access we have (we can't right click either). On the funny side they do all this stuff and I have still found the odd oversight.

We have a computer in the library with a specific purpose for changing your student login password. It's basically a Web browser only minus the Bar at the top for entering url's, back forward buttons etc. The same classmate who helped with the above and myself discovered that you could change any student's password who previously changed theirs. All you had to do was use a shortcut for the back button on a web browser (alt and back arrow). Once that was done you had the student's user ID, special word and a blank screen to input your new password. Granted they are only crappy limited user accounts but we could use that to access that student's email. The classmate I was working with in the above and I were discussing that we could create a batch file, to ping its loopback address to buy us time to leave a comp with the stolen student login, then get it to run a crap load of net send commands (yes the admins didn't even disable that). In the end I talked my mate out of it because it is rather skiddy and what's the point of being an asshole who ruins someone's day. We knew we could do it, that was enough.

I'll keep you guys posted if you want...

Please do h@lo_foo, I would be most interested as to how you tackled this project and how it all went.

It's great to see a post about school networks without the "help me hax" bullshit. Vako hit it right on the head imo.

My teacher has this software at my college ccna/win2k3 server class, but he never uses it. It's more like his playtoy to either mess with or help others without getting up. It is a pretty cool ass program though (think about it. If you could get the software to run outside of the domain, you could have all your friends' computers in view at all times *discarding weirdness and stalkery* so if they mess it up, it's all there in one interface...)

BTW, don't you think if you're in a class of say 30 to 50 computers and that ONE computer or two is computers that are never visible on the software, you don't think the teacher is going to raise suspicion?

It's great to see a post about school networks without the "help me hax" bullshit.

I couldn't agree more, it's stupidity like this that makes the rest of us average n00bs look bad. If there is one thing I love about the hak5 episodes and its community, it is that it doesn't just arm you with technical know how but it also has strong emphasis on the ethical side of things and having the correct mind set. Just because you can doesn't always mean you should. I don't get why anyone would wanna do damage to your school's network, the saying you don't shit where you sleep springs to mind.

Out of curiosity seeing as you are a fellow Aussie and all do you or have you knocked around the Ausphreak community at all?

My teacher has this software at my college ccna/win2k3 server class, but he never uses it. It's more like his playtoy to either mess with or help others without getting up. It is a pretty cool ass program though (think about it. If you could get the software to run outside of the domain, you could have all your friends' computers in view at all times *discarding weirdness and stalkery* so if they mess it up, it's all there in one interface...)

BTW, don't you think if you're in a class of say 30 to 50 computers and that ONE computer or two is computers that are never visible on the software, you don't think the teacher is going to raise suspicion?

Your CCNA teacher sounds exactly the same as mine, he only uses it for lending a hand or in the event he gets bored, he likes to take the piss the funny bastard. Actually my lack of student ID and my desktop in his viewer aroused suspicion when he was messing with the class, I just told him I unplugged my cable so you can't bother me which he responded with fuck you're no fun. XD

Yeah I was curious to know if the software works outside of the domain myself, that was one of the things I was planning on testing sometime next week if one of the guys brings in a laptop and the IT department haven't fixed it (which I highly doubt).

I haven't used this software so I do not know how it works exactly, sounds a lot like vnc. Would it be possible to turn this into a PE and run it off a thumb drive, that way you get all the interesting benefits, instead of installing it in a vm. After reading this, what I get is that you only installed it in a vm in order to change the ip it monitors.

Here is a guide to making a quick PE for it. Don't have any machines to test it on but it ran (slowly)

http://arch.kimag.es/share/84634413.png

http://arch.kimag.es/share/96389733.png

http://arch.kimag.es/share/93034037.png

http://arch.kimag.es/share/85852695.png

Screenshots

fyi, LskTSDat.ini is where the IPs the teacher can view are. Editing this will let you view other sources. The teacher setup creates a folder on the C:// drive, not sure if it's shared but there may be a fun RCE there.. but I'm done playing with it. No reason I would need this

Ok well I messed around with it a little, Vision6 that is. I found that you must be on the same domain/workgroup, but I've thought of a new way that may enable you to get around it without your teacher even knowing! Although it's a long shot, I think that if you did some packet analysis you might be able to see how the computers communicate. If you can discover which packets are used to display your computer's desktop then, in theory, you could keep forwarding those packets to your teacher's computer making it seem like you were inactive (the mouse just sits there or something). This seems like a great project for me to work on and if anybody has any input about how I should go about doing this then please feel free to help

Here is a guide to making a quick PE for it. Don't have any machines to test it on but it ran (slowly)

That is downright crazy DiggleBerries, it would be nice to save time booting a virtual machine. I will definitely check it out and hopefully I can get it all working. Thank you very muchly.

think that if you did some packet analysis you might be able to see how the computers communicate. If you can discover which packets are used to display your computer's desktop then, in theory, you could keep forwarding those packets to your teacher's computer

WOW I like where you are heading with this concept H@l0_f00, it would be pretty funky to get that working not to mention very educational. Unfortunately I have no idea how you would tackle it. In any case it's a brilliant idea.

By the way does Vision utilize a password for a teacher to connect to the student machines or is it like LAN school?

Lan School findings

I took another look at the software today both on my home LAN and via a google.

Port Blocker:

I first had a crack at Sparda's port listener/blocker suggestion (I used the program he kindly provided). Lan School runs on TCP port 796, now if I am in the teacher viewer watching the student's desktop, the minute I block port 796 the teacher loses the displayed desktop connection and goes back to the computer name list when you first launch the program and the port listener turns itself off (WTF?). Then all the teacher has to do is click on the computer name and it's back to viewing your desktop as normal. Also on the odd occasion the teacher view has crashed completely.

I also did some reading after checking this out on the official Lan school page and they claim that even if you block a port with a firewall LAN school still runs as per usual. Apparently this was a bug in older versions where students with a little too much desktop access would just install and block it in a firewall. I guess this is another one of those things I will add to the confirm list.

Password required?

I had a really good look for an option to enable a password both in the install process and in the options when installed and I can confirm 100% that you can't set one (which works out well for students such as myself).

I took the liberty of double checking Lan Schools official website and found the following:

Linkage: http://www.lanschool.com/lanschool/technical-advantages

"If you suspect a student is using a unauthorized teacher console, you can quickly identify them with the security monitoring tool. It captures all LanSchool activity to a log file. There is also a "secure" version of LanSchool that requires teachers to enter a password to open the console."

I suspect that the secure version with passworded connectivity would cost a little more and if your school has already purchased the unsecure version's license at $800 per classroom, they will be in no hurry to do it all over again. Not to mention the time and effort required for the implementation of the new software.

Key Logger in LAN school

As I mentioned in the first post it comes with an inbuilt key logger. When Azza and I originally got the teacher view working it was the first thing we checked out but unfortunately it doesn't log jack all. I tried to test the logger on my own LAN today to see if it was some setting or something to do with the school's network. Unfortunately I got the same thing and so did Azza when he tested it on his LAN. My best guess is maybe this feature is a part of the secure version.

Anyways it got me thinking, seeing as with LAN teacher you can upload files to the remote computer and execute programs from a path name I was wondering if anyone could suggest a decent keylogger that has no install process (I was planning on googling it myself but I decided to do this posting first).

What if two Teachers are viewing?

This was one thing I was slightly concerned about, as it turns out both teachers are oblivious to each other's presence. Kick ass!

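From the administrator's side, the findings above (TCP port 796, no console password in this edition) suggest watching who talks to classroom machines on that port. The following is an added example, not part of the original post and not LanSchool's own monitoring tool; it assumes a flow export with the columns shown, that consoles initiate the connection to student machines, and hypothetical subnets and teacher addresses.

```python
import csv
import io
import ipaddress

LANSCHOOL_PORT = 796  # TCP port reported in the post above

# Assumed site layout (hypothetical): one subnet and one approved teacher PC per classroom.
CLASSROOMS = {
    "room-a": {"subnet": ipaddress.ip_network("10.20.1.0/24"), "teacher": "10.20.1.10"},
    "room-b": {"subnet": ipaddress.ip_network("10.20.2.0/24"), "teacher": "10.20.2.10"},
}

# Constructed sample flow export; the column names are an assumption, not a LanSchool format.
SAMPLE_FLOWS = """\
time,src,dst,proto,dport
09:00:01,10.20.1.10,10.20.1.21,tcp,796
09:00:02,10.20.1.10,10.20.1.22,tcp,796
09:05:10,10.20.1.37,10.20.1.21,tcp,796
09:05:40,10.20.1.37,10.20.2.15,tcp,796
09:06:00,10.20.2.10,10.20.1.22,tcp,796
09:07:00,10.20.1.22,10.20.9.5,tcp,443
09:08:00,10.20.1.21,10.20.1.22,udp,796
"""


def room_of(ip):
    """Map an address to its classroom name, or None if it is outside every classroom."""
    addr = ipaddress.ip_address(ip)
    for name, room in CLASSROOMS.items():
        if addr in room["subnet"]:
            return name
    return None


def classify(row):
    """Label one flow record, or return None when it is expected traffic."""
    if row["proto"].lower() != "tcp" or int(row["dport"]) != LANSCHOOL_PORT:
        return None
    dst_room = room_of(row["dst"])
    if dst_room is None:
        return None  # destination is not a classroom machine
    approved = {room["teacher"]: name for name, room in CLASSROOMS.items()}
    home_room = approved.get(row["src"])
    if home_room is None:
        return "unapproved-console"  # source is not a known teacher PC
    if home_room != dst_room:
        return "cross-classroom"  # teacher PC reaching into another room
    return None


def audit(flow_csv):
    """Return {source_ip: {"labels", "rooms", "targets"}} for every flagged source."""
    raw = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        label = classify(row)
        if label is None:
            continue
        entry = raw.setdefault(
            row["src"], {"labels": set(), "rooms": set(), "targets": set()}
        )
        entry["labels"].add(label)
        entry["rooms"].add(room_of(row["dst"]))
        entry["targets"].add(row["dst"])
    return {
        src: {
            "labels": sorted(e["labels"]),
            "rooms": sorted(e["rooms"]),
            "targets": len(e["targets"]),
        }
        for src, e in raw.items()
    }


if __name__ == "__main__":
    for src, finding in sorted(audit(SAMPLE_FLOWS).items()):
        print(src, finding)
```

A source flagged in more than one room is the pattern described earlier in the thread, where a reinstalled viewer was pointed at other classrooms.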

Boot from a usb on their computer and install any version of Linux you like. If you're going to break school rules go the whole 10 yards.

P.S. Every school institution I've ever been to never locks down the boot menu key. Kinda sad imo.

Out of curiosity seeing as you are a fellow Aussie and all do you or have you knocked around the Ausphreak community at all?

I used to read their forums and stop by their IRC a bit but haven't been back for ages. I have a terrible forum addiction and had to cull some back. Once I have boiled down my essential list, I might try and get involved there too.

By the way does Vision utilize a password for a teacher to connect to the student machines or is it like LAN school?

There's an option to implement a password when you first install it but I'm not sure if it's used to protect people from using the program (running the .exe) or if it's used to secure the viewer to client connection (encryption, authentication, verification, etc.). I'll install a VM of XP to check out how the password is implemented.

P.S. Every school institution I've ever been to never locks down the boot menu key. Kinda sad imo.

Same here... Quite the mistake. I booted Ophcrack ASAP when I got to my new school this year and cracked the pass within seconds, it's "envision" WTF lol but I also think they should disable LM hash in the first place because there's nothing older than XP SP3, leaving LM hash to be only a security issue

P.S. Every school institution I've ever been to never locks down the boot menu key. Kinda sad imo.

One thing I will give to our TAFE's IT Department is they at least had the foresight to set up a BIOS password, however nothing was stopping me from cracking the case open while a teacher went out for a lengthy coffee break and removing the battery.

I used to read their forums and stop by their IRC a bit but haven't been back for ages. I have a terrible forum addiction and had to cull some back. Once I have boiled down my essential list, I might try and get involved there too

lol I feel ya, I am an avid forum junky and try to keep things to a minimum myself. I figured as much, every Aussie who is into comp security usually stops by Ausphreak once in their lives. I used to post on the forum and hang in the IRC channel about a year and a half ago, Not so proactive now but I still keep in touch with some of their members.

From what I hear they ain't so proactive nowadays, that greypages they set up was totally kick ass.

There's an option to implement a password when you first install it but I'm not sure if it's used to protect people from using the program (running the .exe) or if it's used to secure the viewer to client connection (encryption, authentication, verification, etc.). I'll install a VM of XP to check out how the password is implemented

Same here... Quite the mistake. I booted Ophcrack ASAP when I got to my new school this year and cracked the pass within seconds, it's "envision" WTF lol but I also think they should disable LM hash in the first place because there's nothing older than XP SP3, leaving LM hash to be only a security issue

Thanks for the heads up mate, if I get some time and my download speeds ain't being a sod I may take a look at it sometime tomorrow. I am curious to see the difference between Vision and Lan School.

LOL That would have blown a few people's minds, I did this in class to recover a password for a VM machine of windows, IT department forgot the Administrator password, useless bastards. Funny thing was I didn't feel like working that day (hangover) and I waited 5 minutes before lunch time before I announced I found the password. XD

I tried the exact same thing for an Admin pass on a local machine to no avail, I suspect I need better rainbow tables than the default stuff supplied with Ophcrack.

Lastly seeing as some of the posters in here use LAN school and it's almost back to school time I am interested to hear how other people went trying azza and I's workaround.
