pinkhathackers (author), posted December 9, 2009

TITLE: LanSchool v7.4 Keylogger Vulnerability
Authors: Thomas D, Aaron D, Henry Y
Email: thehat@pinkhathackers.net
Site: PinkHatHackers.net

DESCRIPTION: The network monitoring program LanSchool is often used to keep an eye on students, similar to other programs like Vision6 and SynchronEyes. It has features such as remote control (local user loses all control), task manager disabling, port 80 blocking, and keylogging. The keylogger, which stores its information on the computer from which the data is captured, is especially vulnerable to exploitation, as it may contain passwords and other sensitive data that people may have typed on the computer. This article details a proof of an exploit of the LanSchool program. Pink Hat Hackers does not support, condone or recommend the use of it in real life. Similar work on LanSchool 7.2 can be found at http://hak5.org/forums/index.php?showtopic=11920.

SOLUTION: Don't use LanSchool or wait for the encryption scheme to get an upgrade.

------------------------------------------------------------------------

The LanSchool keylogger stores its data in a file called 'lskdata.bin', encrypted using a slightly modified substitution cipher. Every key can have one of four possible single-byte values based on the byte's absolute position in the file, mod 4. For example, if the letter 'a' was encoded at position 739, its value would be 106, because this is the value for 'a' at position 3 (739 % 4 = 3). Clearly, by typing four consecutive characters of 'a' and reading the output, one would have enough information to consistently decode this letter. This technique was used to generate the table of character-value associations at the end of this text. Reading in one of the files using these tables to automatically look up each character was very successful.
NOTES: If one holds down the shift key and presses multiple letters, LanSchool seems to only record the first letter as capitalized. This may be a bug in their code, or it may suggest a lack of complete understanding of the system, but this means that capital letters typed in succession may not be read correctly (e.g., "ABCdEF" might be read as "AbcdEf"). Further, LanSchool only stores the last 50,000 keypresses. The information would have to be gathered and merged periodically to maintain a full record. However, to quote the LanSchool website (lanschool.com), that is "Weeks of keystrokes."
pinkhathackers (author), posted December 9, 2009

APPENDIX: The following is a fairly inclusive table of letters and their encrypted values based on a modulus of absolute position.

Table for versions prior to 7.4.1.4

LETTER     POS % 4 = 0   % = 1   % = 2   % = 3
-----------------------------------------------
a              223        219     204     106
b              220        216     207     105
c              221        217     206     104
d              218        222     201     111
e              219        223     200     110
f              216        220     203     109
g              217        221     202     108
h              214        210     197      99
i              215        211     196      98
j              212        208     199      97
k              213        209     198      96
l              210        214     193     103
m              211        215     192     102
n              208        212     195     101
o              209        213     194     100
p              206        202     221     123
q              207        203     220     122
r              204        200     223     121
s              205        201     222     120
t              202        206     217     127
u              203        207     216     126
v              200        204     219     125
w              201        205     218     124
x              198        194     213     115
y              199        195     212     114
z              196        192     215     113
0              142        138     157      59
1              143        139     156      58
2              140        136     159      57
3              141        137     158      56
4              138        142     153      63
5              139        143     152      62
6              136        140     155      61
7              137        141     154      60
8              134        130     149      51
9              135        131     148      50
(space)        158        154     141      43
[              225        246      80     229
]              231        240      86     227
\              230        241      87     226
;              129        150      48     133
'              157        138      44     153
,              150        129      39     146
.              148        131      37     144
/              149        130      36     145
A              251        236      74     255
B              248        239      73     252
C              249        238      72     253
D              254        233      79     250
E              255        232      78     251
F              252        235      77     248
G              253        234      76     249
H              242        229      67     246
I              243        228      66     247
J              240        231      65     244
K              241        230      64     245
L              246        225      71     242
M              247        224      70     243
N              244        227      69     240
O              245        226      68     241
P              234        253      91     238
Q              235        252      90     239
R              232        255      89     236
S              233        254      88     237
T              238        249      95     234
U              239        248      94     235
V              236        251      93     232
W              237        250      92     233
X              226        245      83     230
Y              227        244      82     231
Z              224        247      81     228
!              155        140      42     159
@              250        237      75     254
#              153        142      40     157
$              158        137      47     154
%              159        136      46     155
^              228        243      85     224
&              156        139      45     152
*              144        135      33     148
(              146        133      35     150
)              147        132      34     151
_              229        242      84     225
+              145        134      32     149
-              151        128      38     147
=              135        144      54     131
{              193        214     112     197
}              199        208     118     195
|              198        209     119     194
:              128        151      49     132
"              152        143      41     156
<              134        145      55     130
>              132        147      53     128
?              133        146      52     129
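An added example, not code from the thread or from Pink Hat Hackers: a Python decoder built from the first post's description and the appendix table above, for the pre-7.4.1.4 encoding. The 4-byte key it uses is derived here from the appendix rows (the code checks that derivation against rows copied from the table), and the sample keylog bytes are constructed for the demonstration.

```python
# Added example (not code from the thread): decoder for the pre-7.4.1.4
# lskdata.bin encoding, derived from the appendix table above.
#
# Every appendix row for lowercase letters, digits and space satisfies
# stored_byte ^ ascii_code == one of four constants selected by the byte's
# absolute position mod 4. From the 'a' row (223, 219, 204, 106):
#   223 ^ 0x61 = 0xBE, 219 ^ 0x61 = 0xBA, 204 ^ 0x61 = 0xAD, 106 ^ 0x61 = 0x0B
# Every other row in that group yields the same four constants, so the
# "slightly modified substitution cipher" is a 4-byte repeating-key XOR,
# which is why four typed copies of one character recover its whole cycle.
KEY = bytes([0xBE, 0xBA, 0xAD, 0x0B])

# Rows copied from the appendix, used to check the derivation above.
# Caveat: the capital and punctuation rows fit the same key only with the
# cycle rotated by one position (e.g. 'A': 251 ^ 0x41 = 0xBA), so confirm
# the position alignment against a known sample before relying on them.
APPENDIX_ROWS = {
    "a": (223, 219, 204, 106),
    "e": (219, 223, 200, 110),
    "z": (196, 192, 215, 113),
    "0": (142, 138, 157, 59),
    " ": (158, 154, 141, 43),
}


def key_reproduces_appendix():
    """True when KEY regenerates every row copied from the appendix."""
    return all(tuple(ord(ch) ^ k for k in KEY) == row
               for ch, row in APPENDIX_ROWS.items())


def encode(text, offset=0):
    """Bytes LanSchool would store for `text` beginning at absolute file
    position `offset`; used here only to construct sample input."""
    return bytes(ord(ch) ^ KEY[(offset + i) % 4] for i, ch in enumerate(text))


def decode(data, offset=0):
    """Decode a slice of lskdata.bin. `offset` is the absolute file position
    of data[0]: the key index follows the position in the file, not in the
    slice. Bytes that do not map to printable ASCII are rendered as '?'."""
    out = []
    for i, b in enumerate(data):
        c = b ^ KEY[(offset + i) % 4]
        out.append(chr(c) if 0x20 <= c < 0x7F else "?")
    return "".join(out)


if __name__ == "__main__":
    assert key_reproduces_appendix()
    assert encode("a", offset=739) == bytes([106])   # the first post's example
    sample = encode("lab login 2009", offset=738)    # constructed fragment
    print(decode(sample, offset=738))
```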
shonen, posted December 14, 2009

> SOLUTION: Don't use LanSchool or wait for the encryption scheme to get an upgrade.

I lol'd hard. Looks like you guys did way more research into LanSchool than I could in my current state. Interesting stuff, and thanks for sharing it. I must admit one can't help but feel all warm and fuzzy inside when someone else runs with a previous related topic and comes up with something completely different. Keep up the good work.

P.S.: Nice addition to your website; my only gripe is your banner doesn't do the page justice. XD I will be doing Multimedia next year, seeing as I finished my network security course, so once I get some better Photoshop and web deving skills I don't mind offering a hand if you need someone (just putting that out there). XD
kickarse, posted December 23, 2009

That's cool! Just write a program to insert 50,000 characters into a txt file and you're good!
pinkhathackers (author), posted January 19, 2010

LanSchool released a patch in version 7.4.1.4 that changed the encryption slightly. So far, we have confirmed that they modified which values are mapped to which characters, but everything else seems to be the same. Thus, the table in our second post is now incorrect for version 7.4.1.4, but the information in our first post should still be fine.
h2oh4x!, posted January 25, 2010

I've never been good at cryptography, so I ain't got a clue how this works. Please would you give clearer instructions with the table? Maybe I'm opening the file wrong. I have tried Notepad, that's just useless, and I've tried a hex editor... still useless, lol? But by the way, I am very impressed with this, well done! ;)
h2oh4x!, posted January 27, 2010

I have tried contacting PinkHatHackers about how to do this, but I have not yet received a reply. While I am waiting, would anybody who understands these instructions please tell me how to use it, lol :) I know I sound like an idiot asking this, but it's getting me really frustrated :D Thanks in advance! ;)
pinkhathackers (author), posted January 29, 2010

> I've never been good at cryptography, so I ain't got a clue how this works. Please would you give clearer instructions with the table? Maybe I'm opening the file wrong. I have tried Notepad, that's just useless, and I've tried a hex editor... still useless, lol? But by the way, I am very impressed with this, well done! ;)

The files are encoded as binary data, so it would be expected that they'd look nonsensical in Notepad (each letter you see is how the computer tried to make sense of what was really numerical data). You might try XVI32 or any other hex editor. All programming languages also have the ability to read in files as binary data, which is useful for processing the lskdata.bin file.

One thing you should note, though, is that if you type a single character about 8 or more times (many more if you want it to be noticeable), you can see a distinct pattern using either Notepad or a hex editor. The binary values begin to repeat themselves after 4 repeated characters, as described on the website. Using this information, you may see how one could create a table of which 4 values correspond to which character by typing each letter at least 4 times and looking at the output. This table could be used to decode any lskdata.bin file.

Also, we will soon be adding the additional table for the current version; more to follow both here and on PinkHatHackers.net.
sablefoxx, posted January 30, 2010

> That's cool! Just write a program to insert 50,000 characters into a txt file and you're good!

Hey, I wrote a quick program to do just that! (Actually it will send any txt file of size 50,000+ as keyboard input.) You can download it here: http://d0tmayhem.com/code/keysp.html
x-quisite, posted January 30, 2010

> The files are encoded as binary data, so it would be expected that they'd look nonsensical in Notepad (each letter you see is how the computer tried to make sense of what was really numerical data). You might try XVI32 or any other hex editor. All programming languages also have the ability to read in files as binary data, which is useful for processing the lskdata.bin file. One thing you should note, though, is that if you type a single character about 8 or more times (many more if you want it to be noticeable), you can see a distinct pattern using either Notepad or a hex editor. The binary values begin to repeat themselves after 4 repeated characters, as described on the website. Using this information, you may see how one could create a table of which 4 values correspond to which character by typing each letter at least 4 times and looking at the output. This table could be used to decode any lskdata.bin file. Also, we will soon be adding the additional table for the current version; more to follow both here and on PinkHatHackers.net.

You know, your instructions are still too hard for someone moderate in computing to understand. I have taken a look at your website. Just as a suggestion, I think you should create a program to decode the lskdata.bin file. Although it may be hard, it would be very useful. And you should write a detailed step-by-step guide (tutorial) on your website about decoding lskdata.bin manually. :-)

> Hey, I wrote a quick program to do just that! (Actually it will send any txt file of size 50,000+ as keyboard input.) You can download it here: http://d0tmayhem.com/code/keysp.html

I can't understand it. You mean if we just send any txt file of size 50,000+ as keyboard input, the program will 'clear' all the data from before?

Actually, I'd like to ask about the process of LanSchool. From what I understand, it functions like a keylogger. But the PC is remotely connected, right? So is the log file saved only on the PC, or is it automatically sent to the technician's (lecturer's) PC?
sablefoxx, posted January 30, 2010

Apparently this LanSchool keylogger can only store 50,000 chars at a time, so just get a .txt file with 50,000 (or more) chars in it and you can use my program to send the contents of that file as keyboard input and fill up that space, thus overwriting anything you may have done in a couple of seconds instead of weeks.
h2oh4x!, posted January 31, 2010

Good news, guys. I've successfully created a program which allows the contents of these files to be decrypted. I will upload asap, I'm just making the final tweaks. ;) Oh, and a big thanks to PinkHatHackers for providing the decryption table and making all of this possible!
pinkhathackers (author), posted January 31, 2010

> You know, your instructions are still too hard for someone moderate in computing to understand. I have taken a look at your website. Just as a suggestion, I think you should create a program to decode the lskdata.bin file. Although it may be hard, it would be very useful. And you should write a detailed step-by-step guide (tutorial) on your website about decoding lskdata.bin manually. :-)

In fact we have: if you look on our site, pinkhathackers.net, under the Demo section you will find a decoder that you can upload your lskdata.bin file to. However, we must emphasize that the one on our website as of now only decrypts lskdata.bin files from versions older than 7.4.1.4. With that version they modified their cipher slightly. We have cracked it but haven't yet updated the decryption engine on our website.
h2oh4x!, posted February 1, 2010

Hey guys. I have decided to release my LanSchool Keylogger decryptor! :)

Screenshot:

Again, thank you PinkHatHackers for providing a decryption table; it was very informative :) I would be happy to integrate the new decryption table for newer versions if you wish to release that.

PS: As this is a very early version of the program, it is possible that you might find a few bugs. If you do, please post them here, as I want to get it as reliable as possible. Oh yeah, any feedback would be much appreciated, whether it's about the GUI or maybe just a new improvement; post it here! ;)

DOWNLOAD LINK: http://www.4shared.com/file/213148961/d2b5...ryptor_v01.html
PASSWORD: hak5.h2oh4x

Have Fun!
h2oh4x!
x-quisite, posted February 2, 2010

Firstly, thanks h2oh4x! However, I can't run the program. When I try to run it, an alert appears and says "Run-time error'76': Path not found". I use Windows 7. I don't know if others have the same problem as me.
pinkhathackers (author), posted February 2, 2010

We now have the new LanSchool version 7.4.1.4 table and the demo decrypter on our website.

@x-quisite: If you can't get h2oh4x's program to work, you can either try running it in XP Compatibility mode or simply use our website instead (http://pinkhathackers.net/decryptor.php). h2oh4x's program seems only to decrypt lskdata.bin files from LanSchool versions 7.4.1.3 and older, though this would only require a revised key map table to fix.

@smd75jr: Our major concern with LanSchool was its keylogger. The use of these programs for monitoring is, to us, less intrusive than stealing passwords. Further, most of these programs can be killed by using taskkill.exe, so you may look for a solution similar to the batch files that can be found on our site (http://pinkhathackers.net/downloads.php).
h2oh4x!, posted February 2, 2010

Hey x-quisite, I am running on Win XP and I haven't tested on Windows 7, so yes, it will probably be because you are using Windows 7. As PinkHatHackers suggested, try using XP mode; that should work.

As for the new table for 7.4.1.4, I will add it to my program asap. Thanks PinkHatHackers for releasing it! :D

h2oh4x!
h2oh4x!, posted February 2, 2010

Hey guys, here's the new version 0.2. This has the new algorithm for 7.4.1.4. Please leave feedback :D

@pinkhathackers: As I do not have 7.4.1.4, could you send me an example lskdata.bin file so that I can test it, please? Thanks :D

Screenshot:

Download Link: http://www.4shared.com/file/213882398/ac24...ryptor_v02.html
PASS: hak5.h2oh4x

Have fun!
h2oh4x
sablefoxx, posted February 4, 2010

For those who'd like to do research, this link may help: http://www.mediafire.com/?dn2332iz2mk
Soliloquy, posted February 6, 2010

Can someone explain the layout of the file for me? Like, there obviously cannot be characters stored in any of the first 400 bytes. I got some logs that I collected but am having trouble understanding this concept.

As an example: 608 % 4 = 152, % = 0
152, % = 0 is the char "
All chars with the value of 152, or 0x98, would be "
Is that right?
h2oh4x!, posted February 6, 2010

> Can someone explain the layout of the file for me? Like, there obviously cannot be characters stored in any of the first 400 bytes. I got some logs that I collected but am having trouble understanding this concept. As an example: 608 % 4 = 152, % = 0. 152, % = 0 is the char ". All chars with the value of 152, or 0x98, would be ". Is that right?

Hi and welcome to the hak5 forums. I'm not quite sure what you mean by your question, and I don't know what makes you think the first 400 bytes do not store any characters, as this is incorrect. However, I have created a tutorial explaining exactly how to use this key table; I hope that you find it helpful :)

h2oh4x!

Tutorial link: http://www.4shared.com/file/216272639/56f4...kdatabin_t.html
Soliloquy, posted February 6, 2010

I see what I was misunderstanding; I thought the divided value had something to do with the char. I understand what I did wrong now.
h2oh4x!, posted February 6, 2010

> I see what I was misunderstanding; I thought the divided value had something to do with the char. I understand what I did wrong now.

Glad I could help. By the way, we are not dividing the absolute position; we are using the modulus calculation, which is not the same.

% = Modulus or Mod
/ or ÷ = Divide

h2oh4x!
Soliloquy, posted February 8, 2010

I thought the char value was the divided value... I kinda feel stupid now. Anyway, I see that there are a lot more chars used for formatting, like in your program. Would you be so kind as to share, please?