Archived

This topic is now archived and is closed to further replies.

shonen

Lanschool v7.2

Anyways, it got me thinking: seeing as with LAN teacher you can upload files to the remote computer and execute programs from a path name, I was wondering if anyone could suggest a decent keylogger that has no install process (I was planning on googling it myself but I decided to do this posting first).

Thus the "hackerz muh skell" thread starts.

---
> Thus the "hackerz muh skell" thread starts.

No more... I was really interested in this, but I don't want it to turn into a "hackerz muh skewll" thread. Please don't turn it into one, guys...

---
> Thus the "hackerz muh skell" thread starts.

Believe it or not, I suspect most will choose the latter. I personally have no interest in myspaz, msn and other such accounts. The reason I asked is for two reasons:

1: I have 6 computers in my lab/4 in the main house and I was thinking about using the software on my own LAN (especially seeing as I have a couple of younger brothers).

2: This week in class we are building a client-server network; once it's done our teacher is allowing us to break it and mess with each other. Once done we have to try and secure it.

But yeah, Dingle is right and that comment does fall in the Haxor me skoolzn type. Not my smartest post in here and sorry to debunk it into shittiness.

---

My school uses this too. We have a Novell setup with ZENworks for app sharing. We do have admin rights to Windows though, so I could just uninstall it. I do remember seeing a program called lanschooled that was specifically designed to emulate a teacher console.

http://wiki.compsci.ca/index.php?title=LanSchool

Unfortunately it says it doesn't work with the newer versions.

---

Password to launch the teacher console on the other, more expensive version? Still a security risk if you got a copy and are running it on your own machine...

Sounds like the developers need to come up with some more secure means, such as a dedicated server to serve the clients and teachers so you couldn't just get a copy of the teacher console and do as you please.

---
> Password to launch the teacher console on the other, more expensive version? Still a security risk if you got a copy and are running it on your own machine...
>
> Sounds like the developers need to come up with some more secure means, such as a dedicated server to serve the clients and teachers so you couldn't just get a copy of the teacher console and do as you please.

A dedicated server would make bandwidth worse than it already is with something like this.

---
> One thing I will give to our TAFE's IT department is they at least had the foresight to set up a BIOS password, however nothing was stopping me from cracking the case open while a teacher went out for a lengthy coffee break and removing the battery.
>
> . . .

Uhhhh, the BIOS isn't the boot menu?!?!

You can set boot priority in the BIOS but it's not the same as the boot menu. The usual hotkeys for boot menus are F11 or F12. It boots you into a selection of all the things that the computer could potentially boot into, i.e. USB, hard drive, CD-ROM etc.

My school is the same as yours: they put a password on the BIOS when you try to get into it, but not the boot menu.

---

TAFE was great for me in 2000. I had unlimited ISDN internet access, and my own personal network across the campus giving me heaps of room to store things and do research.

I will note I only went to this level because I found some loopholes and the instructor, who took a great dislike to me for whatever reason, tried to pretty much rubbish me in front of the class. I didn't go around trashing anything but I did leave a backdoor I haven't checked for years. I wonder...

---

At my old high school they used two: LanDesk and ABcontrol. Once you had the server software for AB you could just run it and everything worked, that easy, with no password... Pretty dodgy.

EDIT: really useful was Sysinternals TCPView. Try that to see connections to and from your PC and what is making them. One time I had it open and I saw AB connect and then the sysadmin sent a net send-like message that said "stop using it". That was funny. hahaha.

---

Just a quick update

I ended up having a crack at using Winsock Packet Editor Pro (inspired by H@l0_f00's great idea previously). The idea was to see if I could capture packets that executed commands from the teacher viewer and inject them into the student without using the teacher viewing software console. The result: no good. I ended up doing a search on Google and I stumbled across a thread stating that they corrected this sort of thing since the previous versions. Apparently some smarty pants had the same idea and had some Java app that did the same thing (but actually worked). Well..... That is unless I cocked something up, but I am going to take another look some time later.

Also I found a nice reg edit that allows you to scan all the channels (1-255) from your teacher viewer without the need to constantly install and uninstall. I have it floating around on USB somewhere but CBF going to get it. I shall post it a little later.

Lastly I tried a program (forget the name of it, processor something or other) but it's basically a better version of Task Manager that kills running processes; tried on LanSchool with no luck.

> Uhhhh, the BIOS isn't the boot menu?!?!

Thank you so much for pointing that out and making me look like a complete tool, much appreciated *note to self: read postings more thoroughly* XD

> I will note I only went to this level because I found some loopholes and the instructor, who took a great dislike to me for whatever reason, tried to pretty much rubbish me in front of the class.

I got that same treatment last year; thankfully teaching this time around is much better.

I bloody laughed at the conveniently placed backdoor. Tsk tsk! Say, what were you studying at TAFE, if you don't mind me asking?

> At my old high school they used two: LanDesk and ABcontrol. Once you had the server software for AB you could just run it and everything worked, that easy, with no password... Pretty dodgy.
>
> EDIT: really useful was Sysinternals TCPView. Try that to see connections to and from your PC and what is making them. One time I had it open and I saw AB connect and then the sysadmin sent a net send-like message that said "stop using it". That was funny. hahaha

LanDesk and ABcontrol sound a lot like LanSchool. Geez, you would think these developers would have better security measures.

Bwahahhaha Netsend like messages, that's gold.

---

Sounds just like NetSupport at my old school. Was shit until I hacked it and became an admin from my pendrive whenever I wanted and controlled every computer in school, rickrolled one screen at a time until the class was rickrolling ;)

Used Altap Salamander to gain access to all the folders on the servers etc.... :)

---
> I ended up having a crack at using Winsock Packet Editor Pro (inspired by H@l0_f00's great idea previously). The idea was to see if I could capture packets that executed commands from the teacher viewer and inject them into the student without using the teacher viewing software console. The result: no good. I ended up doing a search on Google and I stumbled across a thread stating that they corrected this sort of thing since the previous versions. Apparently some smarty pants had the same idea and had some Java app that did the same thing (but actually worked). Well..... That is unless I cocked something up, but I am going to take another look some time later.

Sorry, I must not have explained my idea well enough lol, here we go...

Say I take a look at the packets Vision6 uses to transfer the "current screen", "open programs", etc. If I can figure out how the Viewer and Client communicate then I might be able to forward either forged (or previously captured) packets to the Viewer. I'll fire up Paint and see if I can give you a visual ;)

[image: 33311_vision6pwn_122_477lo.JPG]

With this I could send the Viewer whatever I want, so if I wanted to go on the Hak5 Forums but didn't want them to see (it's not blocked yet! :D) I could send them the packets that make it look, on the Viewer, like I'm not doing anything.

---

To disable LanSchool functions / mess with it is simple.

PULL OUT the Ethernet cable... or

1) get a Linux/UNIX based Windows password wiper livecd

2) boot into it, run the PW wiper

3) reboot without the CD

4) log in as administrator

5) delete lanschool

6) and if you have the time, get onto a teacher's PC while they aren't looking and copy the reg entries and files from their machine onto yours.

:)

---

Well actually... I lied... I am an admin for a school... and I gotta say thank you shonen for being very honest about this and thank you for trying to educate others about the security hole. What I might suggest is to email support and explain your findings to them before publicizing it next time though.... So rather than helping other kids get around it, help the developers code a better-built product.

To those who want to pwn their school... I'm sorry that your IT people aren't as good as they should be. But the same goes to you as well... rather than trying to pwn the network just because you can't live without the greatest thrill online for 8 hours, help the admins by letting them know where the problems exist. Just don't act like you know everything, because you'd be more likely to get ignored.

Shonen, again thank you for taking the path of not really wanting to pwn everything, rather you took this as an opportunity to learn and teach others. Good idea, just take one more step into the mode of thinking "I wonder if I can talk to the developer to help them make this product better."

-Manuel

---

Well I am just glad that some good is to come of this and that there's a system admin in a school who is proactive in ensuring privacy for the end user.

As much as I respect and appreciate the hard work our school's ISS department does, I was a little pissed at the way they brushed us off when we first mentioned it (we were diplomatic and polite from the get go).

Thankfully my network security teacher was a former ISS department employee, so I decided to speak to him the following day. I also mentioned that I released it hoping he would relay the information again and the matter would be taken a little more seriously.

Subsequently Azza and I had a good chat with our teacher and a different guy from ISS; they were talking about locking VMware somehow (lol they wouldn't say too much in front of us, not that I blame them). I also pointed out that a kind person by the name of Dingle suggested a USB key, so you will have to do something about that one as well.

It's been a couple of days since then and I am not sure how they are tackling the problem, but at least they are finally looking into it.

To be honest with you I was considering emailing the developer about the issue but figured they would most likely be aware of it, and I only study the basics of networking security (more firewalls, topologies and the bare basics to MCSE), hence I am not exactly qualified.

Feel free to take what Azza and I have found on here and follow it up with the developer; if anybody will be taken seriously and have the knowledge/experience to make suggestions to improve the software, surely it's a systems admin from a school using it.

Thank you kindly for the praise and the suggestions, I will most certainly take it all on board and if there is a next time I shall follow your recommendations.

A message to fellow students

If you are thinking about pwning the school I have a better suggestion: how about you take the information provided here, claim it as your own work (I personally do not care) and do as Manuel suggested; surely that will give you a bigger ego boost than shutting down a classroom or messing with people for no apparent reason.

P.S: special thanks to Dingle and H@l00 for the suggestions and Vako for being an understanding moderator.

---

The first thing that came to mind was running Wireshark and having a look at what's flying across the network.

---
> Sorry, I must not have explained my idea well enough lol, here we go.

H@l00, you explained it perfectly fine the first time around (I should have been clearer in what I was trying to do with your idea). I was just seeing if it was at all possible to inject a packet for a certain command from the teacher viewer before I took a look at doing what you suggested.

I did this because I figured it would be easier spotting the packet for that command before I sorted through all the shit trying to work out which one is displaying the student's desktop. The other reason was I read that someone tried the same sort of tactic (injecting commands without teacher viewer) in the older versions and since then they claim to have corrected it.

So yeah, just messing about learning WPE Pro via trial and error (to be honest I only have a rough idea what I am doing).

> get a Linux/UNIX based Windows password wiper livecd

Interesting, now you have caught my attention.... Mmmm, maybe I can have a word with my teacher and see if he will permit me to do so. Thanks for that mate.

Registry Channel mod

Firstly, neither Azza nor myself created the below; we stumbled across it while browsing the interwebs (I don't wanna be stealing someone else's thunder).

Anyways, just copy and paste the quoted text into Notepad and save as whatever file name with the .reg file extension. Then double-click it to add it to your VMware registry to be able to view all channels without having to install/uninstall to change.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\LanSchool]
"UseGroupChannels"=dword:00000001
"GroupChannels"=hex(7):31,00,00,00,32,00,00,00,33,00,00,00,34,00,00,00,35,00,\
  00,00,36,00,00,00,37,00,00,00,38,00,00,00,39,00,00,00,31,00,30,00,00,00,31,\
  00,31,00,00,00,31,00,32,00,00,00,31,00,33,00,00,00,31,00,34,00,00,00,31,00,\
  35,00,00,00,31,00,36,00,00,00,31,00,37,00,00,00,31,00,38,00,00,00,31,00,39,\
  00,00,00,32,00,30,00,00,00,32,00,31,00,00,00,32,00,32,00,00,00,32,00,33,00,\
  00,00,32,00,34,00,00,00,32,00,35,00,00,00,32,00,36,00,00,00,32,00,37,00,00,\
  00,32,00,38,00,00,00,32,00,39,00,00,00,33,00,30,00,00,00,33,00,31,00,00,00,\
  33,00,32,00,00,00,33,00,33,00,00,00,33,00,34,00,00,00,33,00,35,00,00,00,33,\
  00,36,00,00,00,33,00,37,00,00,00,33,00,38,00,00,00,33,00,39,00,00,00,34,00,\
  30,00,00,00,34,00,31,00,00,00,34,00,32,00,00,00,34,00,33,00,00,00,34,00,34,\
  00,00,00,34,00,35,00,00,00,34,00,36,00,00,00,34,00,37,00,00,00,34,00,38,00,\
  00,00,34,00,39,00,00,00,35,00,30,00,00,00,35,00,31,00,00,00,35,00,32,00,00,\
  00,35,00,33,00,00,00,35,00,34,00,00,00,35,00,35,00,00,00,35,00,36,00,00,00,\
  35,00,37,00,00,00,35,00,38,00,00,00,35,00,39,00,00,00,36,00,30,00,00,00,36,\
  00,31,00,00,00,36,00,32,00,00,00,36,00,33,00,00,00,36,00,34,00,00,00,36,00,\
  35,00,00,00,36,00,36,00,00,00,36,00,37,00,00,00,36,00,38,00,00,00,36,00,39,\
  00,00,00,37,00,30,00,00,00,37,00,31,00,00,00,37,00,32,00,00,00,37,00,33,00,\
  00,00,37,00,34,00,00,00,37,00,35,00,00,00,37,00,36,00,00,00,37,00,37,00,00,\
  00,37,00,38,00,00,00,37,00,39,00,00,00,38,00,30,00,00,00,38,00,31,00,00,00,\
  38,00,32,00,00,00,38,00,33,00,00,00,38,00,34,00,00,00,38,00,35,00,00,00,38,\
  00,36,00,00,00,38,00,37,00,00,00,38,00,38,00,00,00,38,00,39,00,00,00,39,00,\
  30,00,00,00,39,00,31,00,00,00,39,00,32,00,00,00,39,00,33,00,00,00,39,00,34,\
  00,00,00,39,00,35,00,00,00,39,00,36,00,00,00,39,00,37,00,00,00,39,00,38,00,\
  00,00,39,00,39,00,00,00,31,00,30,00,30,00,00,00,31,00,30,00,31,00,00,00,31,\
  00,30,00,32,00,00,00,31,00,30,00,33,00,00,00,31,00,30,00,34,00,00,00,31,00,\
  30,00,35,00,00,00,31,00,30,00,36,00,00,00,31,00,30,00,37,00,00,00,31,00,30,\
  00,38,00,00,00,31,00,30,00,39,00,00,00,31,00,31,00,30,00,00,00,31,00,31,00,\
  31,00,00,00,31,00,31,00,32,00,00,00,31,00,31,00,33,00,00,00,31,00,31,00,34,\
  00,00,00,31,00,31,00,35,00,00,00,31,00,31,00,36,00,00,00,31,00,31,00,37,00,\
  00,00,31,00,31,00,38,00,00,00,31,00,31,00,39,00,00,00,31,00,32,00,30,00,00,\
  00,31,00,32,00,31,00,00,00,31,00,32,00,32,00,00,00,31,00,32,00,33,00,00,00,\
  31,00,32,00,34,00,00,00,31,00,32,00,35,00,00,00,31,00,32,00,36,00,00,00,31,\
  00,32,00,37,00,00,00,31,00,32,00,38,00,00,00,31,00,32,00,39,00,00,00,31,00,\
  33,00,30,00,00,00,31,00,33,00,31,00,00,00,31,00,33,00,32,00,00,00,31,00,33,\
  00,33,00,00,00,31,00,33,00,34,00,00,00,31,00,33,00,35,00,00,00,31,00,33,00,\
  36,00,00,00,31,00,33,00,37,00,00,00,31,00,33,00,38,00,00,00,31,00,33,00,39,\
  00,00,00,31,00,34,00,30,00,00,00,31,00,34,00,31,00,00,00,31,00,34,00,32,00,\
  00,00,31,00,34,00,33,00,00,00,31,00,34,00,34,00,00,00,31,00,34,00,35,00,00,\
  00,31,00,34,00,36,00,00,00,31,00,34,00,37,00,00,00,31,00,34,00,38,00,00,00,\
  31,00,34,00,39,00,00,00,31,00,35,00,30,00,00,00,31,00,35,00,31,00,00,00,31,\
  00,35,00,32,00,00,00,31,00,35,00,33,00,00,00,31,00,35,00,34,00,00,00,31,00,\
  35,00,35,00,00,00,31,00,35,00,36,00,00,00,31,00,35,00,37,00,00,00,31,00,35,\
  00,38,00,00,00,31,00,35,00,39,00,00,00,31,00,36,00,30,00,00,00,31,00,36,00,\
  31,00,00,00,31,00,36,00,32,00,00,00,31,00,36,00,33,00,00,00,31,00,36,00,34,\
  00,00,00,31,00,36,00,35,00,00,00,31,00,36,00,36,00,00,00,31,00,36,00,37,00,\
  00,00,31,00,36,00,38,00,00,00,31,00,36,00,39,00,00,00,31,00,37,00,30,00,00,\
  00,31,00,37,00,31,00,00,00,31,00,37,00,32,00,00,00,31,00,37,00,33,00,00,00,\
  31,00,37,00,34,00,00,00,31,00,37,00,35,00,00,00,31,00,37,00,36,00,00,00,31,\
  00,37,00,37,00,00,00,31,00,37,00,38,00,00,00,31,00,37,00,39,00,00,00,31,00,\
  38,00,30,00,00,00,31,00,38,00,31,00,00,00,31,00,38,00,32,00,00,00,31,00,38,\
  00,33,00,00,00,31,00,38,00,34,00,00,00,31,00,38,00,35,00,00,00,31,00,38,00,\
  36,00,00,00,31,00,38,00,37,00,00,00,31,00,38,00,38,00,00,00,31,00,38,00,39,\
  00,00,00,31,00,39,00,30,00,00,00,31,00,39,00,31,00,00,00,31,00,39,00,32,00,\
  00,00,31,00,39,00,33,00,00,00,31,00,39,00,34,00,00,00,31,00,39,00,35,00,00,\
  00,31,00,39,00,36,00,00,00,31,00,39,00,37,00,00,00,31,00,39,00,38,00,00,00,\
  31,00,39,00,39,00,00,00,32,00,30,00,30,00,00,00,32,00,30,00,31,00,00,00,32,\
  00,30,00,32,00,00,00,32,00,30,00,33,00,00,00,32,00,30,00,34,00,00,00,32,00,\
  30,00,35,00,00,00,32,00,30,00,36,00,00,00,32,00,30,00,37,00,00,00,32,00,30,\
  00,38,00,00,00,32,00,30,00,39,00,00,00,32,00,31,00,30,00,00,00,32,00,31,00,\
  31,00,00,00,32,00,31,00,32,00,00,00,32,00,31,00,33,00,00,00,32,00,31,00,34,\
  00,00,00,32,00,31,00,35,00,00,00,32,00,31,00,36,00,00,00,32,00,31,00,37,00,\
  00,00,32,00,31,00,38,00,00,00,32,00,31,00,39,00,00,00,32,00,32,00,30,00,00,\
  00,32,00,32,00,31,00,00,00,32,00,32,00,32,00,00,00,32,00,32,00,33,00,00,00,\
  32,00,32,00,34,00,00,00,32,00,32,00,35,00,00,00,32,00,32,00,36,00,00,00,32,\
  00,32,00,37,00,00,00,32,00,32,00,38,00,00,00,32,00,32,00,39,00,00,00,32,00,\
  33,00,30,00,00,00,32,00,33,00,31,00,00,00,32,00,33,00,32,00,00,00,32,00,33,\
  00,33,00,00,00,32,00,33,00,34,00,00,00,32,00,33,00,35,00,00,00,32,00,33,00,\
  36,00,00,00,32,00,33,00,37,00,00,00,32,00,33,00,38,00,00,00,32,00,33,00,39,\
  00,00,00,32,00,34,00,30,00,00,00,32,00,34,00,31,00,00,00,32,00,34,00,32,00,\
  00,00,32,00,34,00,33,00,00,00,32,00,34,00,34,00,00,00,32,00,34,00,35,00,00,\
  00,32,00,34,00,36,00,00,00,32,00,34,00,37,00,00,00,32,00,34,00,38,00,00,00,\
  32,00,34,00,39,00,00,00,32,00,35,00,30,00,00,00,32,00,35,00,31,00,00,00,32,\
  00,35,00,32,00,00,00,32,00,35,00,33,00,00,00,32,00,35,00,34,00,00,00,32,00,\
  35,00,35,00,00,00,00,00

---
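As an added example (not code from the thread or from LanSchool), here is a small Python parser for the hex(7) REG_MULTI_SZ encoding that the .reg file above uses, so an admin reviewing an exported LanSchool key can decode GroupChannels and flag a machine whose console is configured to view every channel 1-255. Only the key and value names come from the thread; the sample .reg text is constructed inside the block, and the wrapping, decoding and flagging helpers are this example's own.

```python
"""Parse a LanSchool .reg export and flag a "see every channel" console config.
Added example, not code from the thread or from LanSchool: it decodes the REG_MULTI_SZ
hex(7) encoding used by Windows .reg files, applied to the HKLM\\SOFTWARE\\LanSchool
values posted in the thread. The sample .reg text at the bottom is constructed."""

LANSCHOOL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\LanSchool"  # key name from the thread


def multi_sz_hex(strings: list) -> str:
    """Encode strings as .reg hex(7): UTF-16LE, NUL-separated, double-NUL terminated."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in raw)


def wrap_reg_line(line: str, width: int = 78) -> str:
    """Wrap a long value line as regedit does: break after a comma, trailing backslash."""
    out = []
    while len(line) > width:
        cut = line.rfind(",", 0, width) + 1
        if cut == 0:  # no comma to break at; emit the rest as one line
            break
        out.append(line[:cut] + "\\")
        line = "  " + line[cut:]
    out.append(line)
    return "\r\n".join(out)


def join_continuations(text: str) -> list:
    """Undo that wrapping: glue each backslash-terminated line onto the next one."""
    lines, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines


def parse_reg(text: str) -> dict:
    """Parse the 'Registry Editor 5.00' subset in the thread: [key], dword and hex(7)."""
    result, key = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
            continue
        if key is None or not line.startswith('"') or '"=' not in line:
            continue  # file header, blank line, or a value outside any key
        name, value = line[1:].split('"=', 1)
        if value.startswith("dword:"):
            result[key][name] = int(value[len("dword:"):], 16)
        elif value.startswith("hex(7):"):
            raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b)
            result[key][name] = [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return result


def lanschool_channels(parsed: dict) -> list:
    """Numeric channels the console is set to show; empty when group channels are off."""
    values = parsed.get(LANSCHOOL_KEY, {})
    if values.get("UseGroupChannels") != 1:
        return []
    return [int(s) for s in values.get("GroupChannels", []) if s.isdigit()]


def monitors_all_channels(channels: list, lo: int = 1, hi: int = 255) -> bool:
    """True when the list spans the whole 1..255 range the thread describes, i.e. a
    console that can view every classroom; found on a student machine, that is a flag."""
    return set(range(lo, hi + 1)).issubset(channels)


# Constructed sample: the thread's key and value names, wrapped like a regedit export.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{LANSCHOOL_KEY}]",
    '"UseGroupChannels"=dword:00000001',
    wrap_reg_line('"GroupChannels"=hex(7):' + multi_sz_hex([str(n) for n in range(1, 256)])),
])
```

Running `parse_reg` over a real export of the key (regedit's "Export" on HKLM\SOFTWARE\LanSchool) and passing the result through `lanschool_channels` and `monitors_all_channels` gives an admin a quick yes/no on whether a machine carries the all-channels configuration.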
> The first thing that came to mind was running Wireshark and having a look at what's flying across the network.

That was exactly the first thing I did and it provides a shitload of TCP packets very quickly (yes, I know you can stop it so you can view it). The hard part is making heads or tails out of the collected data. I will have to do some more reading and have a fiddle. The main problem is time (god damn assignments).

---
> That was exactly the first thing I did and it provides a shitload of TCP packets very quickly (yes, I know you can stop it so you can view it). The hard part is making heads or tails out of the collected data. I will have to do some more reading and have a fiddle. The main problem is time (god damn assignments).

I discovered that I can easily end the process... :( Very sad. I also found that it uses both TCP and UDP protocols, which might be why they say that even if you end/block the TCP connection they can still see your computer.

---
> I discovered that I can easily end the process... I also found that it uses both TCP and UDP protocols, which might be why they say that even if you end/block the TCP connection they can still see your computer.

Ah cool, do you mind sharing a lil as to how you killed the processes with Vision?

When I initially tested LanSchool against sparda's port listener/blocker I captured a session in Wireshark and I don't recall seeing any UDP traffic in there.

Hopefully I will knock over my assignment before the weekend so I can have another fiddle.

---
> Ah cool, do you mind sharing a lil as to how you killed the processes with Vision?
>
> When I initially tested LanSchool against sparda's port listener/blocker I captured a session in Wireshark and I don't recall seeing any UDP traffic in there.
>
> Hopefully I will knock over my assignment before the weekend so I can have another fiddle.

To end the process I used TCPView which also allows you to easily see the programs running, the port they're using, what it's connected to (if it is), and to view the status of the connection i.e. "Listening" or "Established".

---
> To end the process I used TCPView which also allows you to easily see the programs running, the port they're using, what it's connected to (if it is), and to view the status of the connection i.e. "Listening" or "Established".

Ah awesome, I think someone else mentioned TCPView earlier in here, I shall have to give it a whirl. Thanks for sharing XD

---

Doesn't LanSchool restart itself? I read something about somebody who made a Python script to kill LanSchool every five seconds.

If it were me, I would try and block traffic from the teacher computers.

---
> Doesn't LanSchool restart itself? I read something about somebody who made a Python script to kill LanSchool every five seconds.
>
> If it were me, I would try and block traffic from the teacher computers.

You may be right on LanSchool trying to restart itself. So far I have found the best way to kill it is to get your hands on the initial setup .exe and use the uninstall option (works 100%). The only drawback is once you log out of the school's domain it obviously will be back on your task bar.

Well, thus far I have only tried one port listener and blocker; by the reports in here TCPView may be able to get the job done. I will eventually get around to seeing if this works and post my findings on here (that's if someone isn't kind enough to do it before me).

---

Just one quick update for now: on Friday a classmate decided to BYO laptop with LanSchool teacher viewer installed. I can confirm 100% that you can utilize it without joining the domain (incognito much).
