Lanschool v7.2

[Seshan]

well actually... I lied... I am an admin for a school... and I gotta say thank you shonen for being very honest about this and thank you for trying to educate others about the security hole. What I might suggest is to email support and explain your findings to them before publicizing it next time though.... So rather than helping other kids get around it, help the developers code a better built product.

to those who want to pwn their school... I'm sorry that your IT people aren't as good as they should be. but the same goes to you as well... rather than trying to pwn the network jut because you can't live without the greatest thrill online for 8 hours, help the admins by letting them know where the problems exist. Just don't act like you know everything, because you'd be more likely to get ignored.

Shonen, again thank you for taking the path of not really wanting to pwn everything, rather you took this as an opportunity to learn and teach others. Good idea, just take one more step into the mode of thinking "I wonder if I can talk to the developer to help them make this product better."

-Manuel

Some times the restrictions are just to much tho, our school had a vary bad website blocker, It almost made it impossible to do research for history because 90% of websites where blocked for "Violence" witch was completely stupid, it was easy to get by by downloading a proxy program, by the end of the same year they put it in almost everyone had this program and was getting past it. We actually had teachers downloading and using the program because it was so bad even they where restricted just as bad as us.

[H@L0_F00]

ok so I did some testing with two VMs. I found that the program uses multiple ports. When I blocked one port the screen on the Viewer went black, then the program restarted itself and reconnected, but if I blocked the other port the updating of the screen in the Viewer stopped but the Viewer could still remote control the Client. I've decided that trying to send my own packets to the Viewer won't really work more than a day or two before the teacher realizes that my screen is showing the same thing over, and over, and over again, so I've pretty much abandoned that. There's a chat function though, which I'll try to mess around with. I've also found that there can't be more than one Viewer connected to one computer.

[shonen]

Interesting find H@lo,

Sounds like Vision has some pluses over Lanschool.

lol Cheeky bloody app switching ports on you!

By the way what do you have in mind for the chat thingie?

[H@L0_F00]

Interesting find H@lo,

Sounds like Vision has some pluses over Lanschool.

lol Cheeky bloody app switching ports on you!

By the way what do you have in mind for the chat thingie?

If I can find out how they communicate with the chat function I might be able to send the class messages that seem to have come from the teacher, which would be pretty fun, especially if I did it while the teacher was helping a student and saw that somehow his computer sent the student a message ;)

[webjockey]

Our school, in the UK, also has a feature like this, its called SIMs (School Information Management System). It does exactly the same thing as Lanschool, but our teachers have their workstations connected to a 100inch "Activboard" so they can basically broadcast whatever you are doing, if you want them to or not. Also, our school has a URL/Keyword blocking system, it sometimes back fires (and also blocks for some wiiierd reasons e.g. Humour). And, also, they have locked down everything about the workstation: We cannot right click on the taskbar. We cannot Ctrl,Shift,Escape to get the task manager. Logging in and out is controlled by a daemon (RMTutor) that starts on boot (before the login) and stops last. It isn't connected in anyway to SIMs or the Website blocking feature (SWAN). We can't open executables either. We can't change our desktop. We cannot save things to the desktop (Because all our files are stored in our own private (virtualised) server which is linked to our "My Documents" folder. Most of this information is not really necessary to my explanation, but it is all I know about the architecture of the school systems (the network is a star network where the "main" star's nodes are more switches for more stars).

When we were looking at removing SIMs functionality, we decided we would stop it at its own will. To do this, we opened a file that needs to be saved (Word, Spreadsheet, Powerpoint, Text, RTF, anything that needs to be saved, I generally used Word). We then entered some data into that window (so that it needs to be saved). We then logged off. This made all the background processes to close down (except RMTutor) before we were asked if we wanted to save the file we just created. Just click "Cancel" here, and you won't be logged off, and your workstation is no longer available to the teacher.

[Swathe]

We had that at tafe. often URLs could be reached just by using the ip address lol. Dout that works now though.

[shonen]

That is a pretty neat work around Webjocky especially due to the overly protected desktop. Thanks for the share it was a interesting read.

lol I wish you could still visit blocked sites via entering IP addresses. The only work around the guys have found thus far is using XB browser but by Christ is it slow.

[MRGRIM]

Our school, in the UK, also has a feature like this, its called SIMs (School Information Management System). It does exactly the same thing as Lanschool, but our teachers have their workstations connected to a 100inch "Activboard" so they can basically broadcast whatever you are doing, if you want them to or not. Also, our school has a URL/Keyword blocking system, it sometimes back fires (and also blocks for some wiiierd reasons e.g. Humour). And, also, they have locked down everything about the workstation: We cannot right click on the taskbar. We cannot Ctrl,Shift,Escape to get the task manager. Logging in and out is controlled by a daemon (RMTutor) that starts on boot (before the login) and stops last. It isn't connected in anyway to SIMs or the Website blocking feature (SWAN). We can't open executables either. We can't change our desktop. We cannot save things to the desktop (Because all our files are stored in our own private (virtualised) server which is linked to our "My Documents" folder. Most of this information is not really necessary to my explanation, but it is all I know about the architecture of the school systems (the network is a star network where the "main" star's nodes are more switches for more stars).

When we were looking at removing SIMs functionality, we decided we would stop it at its own will. To do this, we opened a file that needs to be saved (Word, Spreadsheet, Powerpoint, Text, RTF, anything that needs to be saved, I generally used Word). We then entered some data into that window (so that it needs to be saved). We then logged off. This made all the background processes to close down (except RMTutor) before we were asked if we wanted to save the file we just created. Just click "Cancel" here, and you won't be logged off, and your workstation is no longer available to the teacher.

It's been a good 6 years or so since I was in high school. We managed to get around the RM software by pressing ctrl+alt+del after we had logged in (It needed to be straight away) we could then close all the process that it was trying to start up e.t.c

This was back in the NT4 days, so I guess RM have moved on to using GP and more advanced stuff... the days of playing Quake on your school LAN :( I kinda miss those days. I'll never forget the day when winpopup was discovered and took the LAN by storm.

[webjockey]

It's been a good 6 years or so since I was in high school. We managed to get around the RM software by pressing ctrl+alt+del after we had logged in (It needed to be straight away) we could then close all the process that it was trying to start up e.t.c

This was back in the NT4 days, so I guess RM have moved on to using GP and more advanced stuff... the days of playing Quake on your school LAN :( I kinda miss those days. I'll never forget the day when winpopup was discovered and took the LAN by storm.

Hmmm, yeah. RM (Research machines for those who don't know) have locked things down pretty far. they have actually edited Microsoft's code to get their security features to work <- logging on, and off, and changing password is all controlled by RM now, but I don't think RM themselves changed Group Policies, that was our Technicians. No more quake for us :( (except Quake Live, I don't think they have discovered that yet, but it won't be long).

There are ways to Bypass SWAN (URL/Keyword blocking):

Earlier, you could use a proxy. but now they are mostly blocked.

You could also use the translate website feature, but most of the translators are now blocked.

In some situations, using the IP does work, (if they are blocking, say a URL and not a keyword in the site)

And in certain situations, only one page in a massive archtecture is blocked: Google Images was once blocked, so to get it back, you typed the query code straight into the address bar, and it came up with the results page, which wasen't blocked).

Final solution: Find a staff username and password, and use it to bypass the warning and get to whatever you want, this is by far the riskiest. especially as keylogs of your activity are taken and stored (so they will know that somebody accessed a site, and used the address, and if it is at a 'dubious' time, then, well, its too risky to be worth it)

@Manuel, sometimes, bypassing the school systems is for convenience, and to get something which we rightfully should have. I mean, sure it would be great to notify our technician that Google Images isn't working, and that it needs to be unblocked. But that requires me getting to his office in my own time (and he is often not there). Telling him, and then waiting a few days for 'changes to take effect' (for him to get his arse into gear and make the changes). Or, I could have some fun, figuring out a solution. It would take less time, be less frustrating, and more rewarding :)

[Klaatu7]

Our school had something like this. One teacher was a jerk about using it all the time. He would lock down our desktops when we were watching movies or when he lectured. Sometimes he would just randomly lock them down when we were taking notes. I really didn't like that program, so I just stopped using the computers in his class.

[Maximillion]

My college have this, and me and my friend decided we wanted access

We have been reading how to kill the process and run the teacher edition I found this forum and read through it to see what other idea's people had to getting past it and they gave me idea's of my own we found a couple of ways to stop student and run teacher:

The first way was to load up virtual pc and load xp onto it, once we had it install we put teacher on there but we could not see any other machines even when we had put the network settings in we figured out that since we was not within a group on the domain we did not get access to any other machines the only machine we could see was our own and we could do everything we wanted block screen etc. e was messing around and found the update feature with remotly updated the lanschool student when we click it it told us it would disable lanschool student for a moment, that gave us the idea if lanschool student was disabled if we where quick enough we could load up lanschool teacher and that would stop student loaded we tried and.. Success we managed to load it up and we could view all other machines in the room.

The second way we found which is alot more easier was using a tool called apt (Advanced Process Termination) this tool gives you multiple ways to kill/crash a process we loaded this up but it did not find lanschool student because it was hidden so we had to use process explorer to find the PID and add it as a custom process we then tried all the method to kill the process but they all said they failed but when we looked at the icon in the tray it dissapeared we tried all of the way seperatly and figured kill 3 was the only that was doing it this was:

Attempts to terminate the process by sending Close messages (called WM_QUIT) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_QUIT message (many programs don't).

and this was the best way we found.

Another problem we encountered was that we could not change the channel, we tried using the script posted earlier but it did not work since we could not see the machines in virtual pc and we could not edit the registry on the main pc because it was disabled. So we found a hex editor to edit the teacher program to change the channel this worked but it was alot of effort to change it every time we wanted a different channel. So then we got a hold of a program called cheat engine which changes values in process's we did a scan in lanschool teacher for the channel we was on and it found a lot of address's so then we hex edited the channel to something different and started that up then did another search and found less address's we went through the static address's and then found the one that changed the channel and added that into a trainer to make it alot easier, we also figured that if you change it to channel 0 you can see every single channel.

I dont want to give link to any of the files we found/created for it since we dont want anyone doing it you should be at least clever enough to follow these exploits

One more thing this program moniters all the keystrokes you type why it is running, we found this to be really bad since there was no agreement we signed/saw that authorised this so if you also have this running on the computer and it has no been authorised that they are allowed to moniter anything you type you should have the right to turn it off, or take it up with whoever looks after the network.

Thanks to the people who posted in this thread it helped me out a bit and hope I have helped out anyone =)

[Guest]

the computers at my uni have this lanschool software on them and their very annoying (but its good to know theres a way of disabling it lol)

[shonen]

Well the VMware Idea was mentioned on the first page so that was nothing new, however your findings on killing LAN school are interesting. I tried to kill it with a few port listeners with no such luck, I still reckon the best way to remove LAN school is with the installer, way less piss farting around.

Ah I never thought that setting the chan to 0 would yeild you all class rooms, that was a nice find. I cant see why the hex reg on the previous page wouldn't work in a VM, I never had an issue with it and it worked a treat.

Yeap the Admins can track this down very easily, via a number of ways, TCP/IP address, MAC address, The Domain user account and the VLAN port you are on. To Combat this I would suggest loading lan school on a laptop and jacking it into the schools network and spoofing your MAC address either via the device manager network card option (thats if it allows you to) or by using a nice lil app call sMAC. Note you do NOT have to be logged into the domain with your student user account to use the Teacher viewer. By eliminating the above three it only leave's you traceable via your VLAN port. I know for a fact that all our IT rooms are a part of 1 VLAN which means they have 10 class rooms to sort through. XD

I concur the key logging function should not be utilized without written consent, then again I am not stupid enough to use the schools network for checking emails or other private data so its not so much of an issue for me.

I am actually glad I stumbled onto this little find, one of my classes has been broken up and I have a new teacher doing the IBM iseries shit and he is a dead set NAZI with over abusing his LAN school powers. He always feels the need to mention that he is locking everyone's desktops and I just can't help myself and crack up laughing. The fucking prick told me off the other day for using my own laptop (no I wasn't do anything wrong, it wasn't even jacked into the network). I was told to turn it off because I wouldn't need it which I replied with don't ya mean because you can't control it? Its my laptop so fuck off ya twit!

I also read a few of the previous posts that I neglected to reply to. If you are after ways around content filters DO NOT bother with proxy's, pinging a web address to get the ip for a url and so forth it simply does NOT work on the vast majority of educational institutions. You sure fire way around it is to set up a VPN server at home (Win XP pro will allow for one VPN client) which is a piece of piss to do, configure your router to port forward to your local private IP address that points to your VPN server. If you have a dynamically assigned ISP TCP/IP number you may also wanna sign up for a DynDNS.org account. Once thats all done just create the client connection on your schools computer and connect to your VPN server at home and enjoy encrypted secure traffic and no more filters. XD

[Hyde]

shonen,

I used to work with LANSchool while I worked for Montgomery College and I have to say it is rather broken, haha. I haven't played with the latest version of LANSchool but with previous versions, version 6. You made some really great observations with it. Let me see if I can help and add some more information.

You could change the channels after install. You have to get into regedit though. It is a registry key which you just change the channel number, it was in the local machine and then look for the LANschool OU. We used to do that all the time for special occasions. This would allow a student to be able to get out of the LANSchool broadcast.

Also LANSchool isn't very reliable, one of the rooms I was working with, some of the computers wouldn't get the signal from the teacher station to follow a certain command. (This was on a 10Mbps LAN, haha)

There is almost no security for LANschool, what so ever. I believe it works on broadcasts as well, almost entirely. Making the network very noisy.

Ah yes, you could actually unplug yourself from the network and it would prevent the teacher from sending commands to your station. If internet access was already being blocked you could restart your PC and unplug the RJ45 cable from the back, log back in and you would be free to do as you like.

You can go to LANSchool's website and download a trial. What I used to do from time to time was download LANSchool, the trial, and install it, set the channel to the room I was in, and take over all the other PCs. I could shut off their internet and other things from my station.

Hope that helps.

[DingleBerries]

You agreed to use their computers, therefore you agree to have everything you do logged by admins.

[will-wtf]

I had to sign some long contract for the use of the net at college...

[Timmay313]

Great posting by all/ most, I am sys admin for a school. we use a similar program Sycroneyes. i personaly hate it, it uses to much bandwidth and resources on the pcs. it has features to block students from using office or internet. basicly keeping them from googling or checking notes for answers to tests. great in theory but it doesnt work most of the time. I know there are bugs in the software as well since i have seen students hit a key combination and it logs out the program.

i believe teaching proper usage is a better way then looking over sholders anyways. trust and student teacher relationships go alot further than spying.

[Sparda]

Great posting by all/ most, I am sys admin for a school. we use a similar program Sycroneyes. i personaly hate it, it uses to much bandwidth and resources on the pcs.

Interestingly, the teachers at where I work also wanted this setting up. Then attempted to blame the network when the display on the remote computers suffered massive image tearing when scrolling any document.

[shonen]

Yeah I noticed than LANschools broadcasting generates a fair amount of traffic when I was messing about with it and capturing it with a sniffer. Fucking hell 10mbps lan with that and all the other network traffic, must of been a bitch!

Hey Hyde do any of these student monitoring software on the marke actually provide any security? From the hand full I researched a while back they all seem to operate in much the same way LAN school does.

Yeah that is true Dingle but thankfully my school don't utilize the keylogging option.

That would be about right sparda, the teachers come to you guys requesting the software yet complain when it starts slowing down the network. *shakes head* Don't you just love dealing with the dumb end user sometimes. XD

Agreed Timmy but some students can't help themselves from visiting youtube and their facefuck profiles. If you ask me if you are doing this while a lecture is given you are only shooting yourself in the foot.

WOW I never knew this joint had so many school sys/network admins, its great to have some input from the other side of the fence. This question may be a lil vague but whats it like being a admin for a school?

[H@L0_F00]

Evidently my school hasn't actually bought the license for Vision6 haha I tried monitoring a couple computers in the library yesterday but when I tried to connect I got an error message saying that the "Serial has expired on this computer!" or something similar. Pretty funny if you ask me! Hahaha

[shonen]

LOL Well at least you don't have to worry about your internets dring up at school just yet. Guess they did the smart thing and ran a test before implamentation and decided against it for whatever reason.

My I.T teachers were bragging about the software prior to the install over the holiday period as it turns out they really shot themselves in the foot and gave more power to the students. NOW THAT IS FUNNY!

[macellule]

holla,

for lanschool, i have found a little solution.

when you are longin in your account, just go

to administrator utility in control panel and use Service.

deactivate LanSchoolStudent and some shit like LanSchool Server Power.

you can't stop it. but you can make iit desactivate or manual so

reboot and there is no lanschool, but take the time at the end of the period

to remake it boot automatic. so now you can make

anything when the teacher have control of the other computer ;)

cia

[shonen]

Nice Find MAC, its interesting to see the other work arounds you guys are slapping together.

I will have to check out your method when I am back at school on Tuesday.

Cheers for the post.

[webjockey]

I don't get it, you guys are thinking too hard about this. You guys have acess to running executables, full access to the control panel, and you decide the *easiest* solution is to run a vm? Just thinking about this, couldn't you get 'pskill' from Microsoft Labs, find the process name, and just shut it down with that?

[shonen]

No offense duder and please donm't take this as me being a stuck up cunt but if you read the first page you would have noticed that I said we don't have Administrative rights, so we can't install .exe files (they can be ran but not installed), control pannel is off limits and all the other negatives that are associated with having an average "user" account. Hence the VM bridging solution as a work around for installing the setup for LANschool teacher viewer software package and editing the .reg keys to be able to listen on all channels.

As for killing the process some of the process killers that just run via .exe and don't install work. I still stand by my previos statement that removing it with the LANschool installer is by far the easiest option. next tick check box next and BA BYE LANschool. XD