LanSchool Keylogger Vulnerability

[pinkhathackers]

TITLE:

LanSchool v7.4 Keylogger Vulnerability

Authors: Thomas D, Aaron D, Henry Y

Email: thehat@pinkhathackers.net

Site: PinkHatHackers.net

DESCRIPTION:

The network monitoring program LanSchool is often used to keep an eye on students, similar to other programs like Vision6 and SynchronEyes. It has features such as remote control (local user loses all control), task manager disabling, port 80 blocking, and keylogging. The keylogger, which stores its information on the computer from which the data is captured, is especially vulnerable to exploitation, as it may contain passwords and other sensitive data that people may have typed on the computer.

This article details a proof of an exploit of the LanSchool program. Pink Hat Hackers does not support, condone or recommend the use of it in real life.

Similar work on LanSchool 7.2 can be found at http://hak5.org/forums/index.php?showtopic=11920.

SOLUTION:

Don't use LanSchool or wait for the encyrption scheme to get an upgrade.

------------------------------------------------------------------------

The LanSchool keylogger stores its data in a file called 'lskdata.bin' encrypted using a slightly modified substitution cipher. Every key can have one of four possible single byte values based on the byte's absolute position in the file, mod 4. For example, if the letter 'a' was encoded at position 739, its value would be 106, because this is the value for 'a' at position 3 (739 % 4 = 3). Clearly, by typing four consecutive characters of 'a' and reading the output, one would have enough information to consistently decode this letter. This technique was used to generate the table of character-value associations at the end of this text.

Reading in one of the files using these tables to automatically look up each character was very successful.

NOTES:

If one holds down the shift key and presses multiple letters, LanSchool seems to only record the first letter as capitalized. This may be a bug in their code, or it may suggest a lack of complete understanding of the system, but this means that capital letters typed in succession may not be read correctly (e.g., "ABCdEF" might be read as "AbcdEf").

Further, LanSchool only stores the last 50,000 keypresses. The information would have to be gathered and merged periodically to maintain a full record. However to quote the LanSchool website (lanschool.com) that is "Weeks of keystrokes."

[pinkhathackers]

APPENDIX:

The following is a fairly inclusive table of letters and their encrypted values based on a modulus of absolute position.

Table for versions prior to 7.4.1.4
-----------------------------------------------------------------------
      |                                POS % 4
LETTER|----------------------------------------------------------------
      |% = 0              % = 1              % = 2              % = 3
-----------------------------------------------------------------------
a              223              219              204              106
b              220              216              207              105
c              221              217              206              104
d              218              222              201              111
e              219              223              200              110
f              216              220              203              109
g              217              221              202              108
h              214              210              197              99
i              215              211              196              98
j              212              208              199              97
k              213              209              198              96
l              210              214              193              103
m              211              215              192              102
n              208              212              195              101
o              209              213              194              100
p              206              202              221              123
q              207              203              220              122
r              204              200              223              121
s              205              201              222              120
t              202              206              217              127
u              203              207              216              126
v              200              204              219              125
w              201              205              218              124
x              198              194              213              115
y              199              195              212              114
z              196              192              215              113
0              142              138              157              59
1              143              139              156              58
2              140              136              159              57
3              141              137              158              56
4              138              142              153              63
5              139              143              152              62
6              136              140              155              61
7              137              141              154              60
8              134              130              149              51
9              135              131              148              50
               158              154              141              43
[              225              246              80               229
]              231              240              86               227
\              230              241              87               226
;              129              150              48               133
'              157              138              44               153
,              150              129              39               146
.              148              131              37               144
/              149              130              36               145
A              251              236              74               255
B              248              239              73               252
C              249              238              72               253
D              254              233              79               250
E              255              232              78               251
F              252              235              77               248
G              253              234              76               249
H              242              229              67               246
I              243              228              66               247
J              240              231              65               244
K              241              230              64               245
L              246              225              71               242
M              247              224              70               243
N              244              227              69               240
O              245              226              68               241
P              234              253              91               238
Q              235              252              90               239
R              232              255              89               236
S              233              254              88               237
T              238              249              95               234
U              239              248              94               235
V              236              251              93               232
W              237              250              92               233
X              226              245              83               230
Y              227              244              82               231
Z              224              247              81               228
!              155              140              42               159
@              250              237              75               254
#              153              142              40               157
$              158              137              47               154
%              159              136              46               155
^              228              243              85               224
&              156              139              45               152
*              144              135              33               148
(              146              133              35               150
)              147              132              34               151
_              229              242              84               225
+              145              134              32               149
-              151              128              38               147
=              135              144              54               131
{              193              214              112              197
}              199              208              118              195
|              198              209              119              194
:              128              151              49               132
"              152              143              41               156
<              134              145              55               130
>              132              147              53               128
?              133              146              52               129

[shonen]

SOLUTION:

Don't use LanSchool or wait for the encyrption scheme to get an upgrade.

I lol'd hard.

Looks like you guys did way more research into lan school than I could in my current state. Interesting stuff and thanks for sharing it.

I must admit one can't help but to feel all warm in fuzzy inside when someone else runs with a previous related topic and come up with something completely different.

Keep up the good work.

P.S: Nice addition to your website, my only gripe is your banner doesn't do the page justice. XD I will be doing Multi media next year seeing as I finished my network security course so once I get some better photoshop and web deving skills I don't mind offering a hand if you need someone (just putting that out there). XD

[kickarse]

That's cool! Just write a program to insert 50,000 characters into a txt file and your good!

[pinkhathackers]

LanSchool released a patch in version 7.4.1.4 that changed the encryption slightly. So far, we have confirmed that they modified which values are mapped to which characters, but everything else seems to be the same. Thus, the table in our second post is now incorrect for version 7.4.1.4, but the information in our first post should still be fine.

[h2oh4x!]

Ive never been good at cryptography so I aint gotta clue how this works please would you give more clear instructions with the table? maybe im opening the file wrong I have tried notepad thats just useless and ive tried a hex editor... still useless lol? But by the way I am very impressed with this well done! ;)

[smd75jr]

Up next: DyKnow?

[h2oh4x!]

I have tried contacting PinkHatHackers about how to do this but I have not yet recieved a reply. As I am waiting would anybody who understands these instructions please tell me how to use it lol :) I know I sound like an idiot asking this but its getting me really frustrated :D

Thanks in advance! ;)

[pinkhathackers]

Ive never been good at cryptography so I aint gotta clue how this works please would you give more clear instructions with the table? maybe im opening the file wrong I have tried notepad thats just useless and ive tried a hex editor... still useless lol? But by the way I am very impressed with this well done! wink.gif

The files are encoded as binary data, so it would be expected that they'd look nonsensical in Notepad (each letter you see is how the computer tried to make sense of what was really numerical data). You might try XVI32 or any other hex editor. All programming languages also have the ability to read in files as binary data, which is useful for processing the lskdata.bin file.

One thing you should note, though, is that if you type a single character about 8 or more times (many more if you want it to be noticeable), you can see a distinct pattern using either Notepad or a hex editor. The binary values begin to repeat themselves after 4 repeated characters, as described on the website. Using this information, you may see how one could create a table of which 4 values correspond to which character by typing each letter at least 4 times and looking at the output. This table could be used to decode any lskdata.bin file.

Also we will soon be adding the additional table for the current version; more to follow both here and on PinkHatHackers.net.

[sablefoxx]

That's cool! Just write a program to insert 50,000 characters into a txt file and your good!

Hey, I wrote a quick program to do just that! (actually it will send any txt file size as keyboard input 50,000+)

You can download it here; http://d0tmayhem.com/code/keysp.html

[x-quisite]

The files are encoded as binary data, so it would be expected that they'd look nonsensical in Notepad (each letter you see is how the computer tried to make sense of what was really numerical data). You might try XVI32 or any other hex editor. All programming languages also have the ability to read in files as binary data, which is useful for processing the lskdata.bin file.

One thing you should note, though, is that if you type a single character about 8 or more times (many more if you want it to be noticeable), you can see a distinct pattern using either Notepad or a hex editor. The binary values begin to repeat themselves after 4 repeated characters, as described on the website. Using this information, you may see how one could create a table of which 4 values correspond to which character by typing each letter at least 4 times and looking at the output. This table could be used to decode any lskdata.bin file.

Also we will soon be adding the additional table for the current version; more to follow both here and on PinkHatHackers.net.

u know your instruction still too hard for someone moderate in comp to understand. I have take a look at your website. Just for suggestion, i think u should create program to decode lskdata.bin file. Although maybe it's hard, but it will be very useful. And u should write detail guide step by step (tutorial) on your website about decode the lskdata.bin manually. :-)

Hey, I wrote a quick program to do just that! (actually it will send any txt file size as keyboard input 50,000+)

You can download it here; http://d0tmayhem.com/code/keysp.html

i can't understand it. U mean if we just send any txt file size as keyboard input 50,000+, the program will 'clear' all the data before? actually i like to ask about the process of lanschool. From what i understand, it function like keylogger. But the PC is remotely connected right? So the log file is save only on the PC or it automatically send to technician (lecturer) PC?

[sablefoxx]

Apparently this LAN School keylogger can only store 50,000 chars at a time, so just get a .txt file with 50,000 (or more) chars in it and you can use my program to send the contents of that file as keyboard input and fill up that space, thus overwriting anything you may have done in a couple of seconds instead of weeks.

[h2oh4x!]

Good news guys. Ive successfully created a program which allows the contents of these files to be decrypted. I will upload asap im just making the final tweaks. ;)

Oh and a big thanks to PinkHatHackers for providing the decryption table and making all of this possible!

[pinkhathackers]

u know your instruction still too hard for someone moderate in comp to understand. I have take a look at your website. Just for suggestion, i think u should create program to decode lskdata.bin file. Although maybe it's hard, but it will be very useful. And u should write detail guide step by step (tutorial) on your website about decode the lskdata.bin manually. :-)

In fact we have, if you look on our site, pinkhathackers.net, under the Demo section you will find a decoder that you can upload your lskdata.bin file to.

However we must emphasize that the one on our website as of now only decrypts lskdata.bin files from versions older than 7.4.1.4. With that version they modified their cipher slightly. We have cracked it but haven't yet updated the decryption engine on our website.

[h2oh4x!]

Hey guys. I have decided to release my LanSchool Keylogger decryptor! :)

Screenshot:

Again thank you PinkHatHackers for providing a decryption table it was very informative :) I would be happy to integrate the new decryption table for newer versions if you wish to release that.

PS: As this is a very early version of the program it is possible that you might find a few bugs if you do please post them here as I want to get it as reliable as possible.

Oh yeah any feedback would be much appreciated whether its about the GUI or maybe just a new improvement post it here! ;)

DOWNLOAD LINK:
http://www.4shared.com/file/213148961/d2b5...ryptor_v01.html

PASSWORD:
hak5.h2oh4x

Have Fun!

h2oh4x!

[x-quisite]

Firstly, thanks h2oh4x!

however, i can't run the program. when i try to run it, alert appear and said

"Run-time error'76': Path not found"

i use windows 7. i don't know if the others have same problem as me.

[pinkhathackers]

We now have the new LanSchool version 7.4.1.4 table and the demo decrypter on our website.

@x-quisite: If you can't get h2oh4x's program to work, you can either try running it in XP Compatibility mode or simply use our website instead (http://pinkhathackers.net/decryptor.php). h2oh4x's program seems only to decrypt lskdata.bin files from LanSchool versions 7.4.1.3 and older, though this would only require a revised key map table to fix.

@smd75jr: Our major concern with LanSchool was its keylogger. The use of these programs for monitoring is, to us, less intrusive than stealing passwords. Further, most of these programs can be killed by using taskkill.exe, so you may look for a solution similar to the batch files that can be found on our site (http://pinkhathackers.net/downloads.php).

[h2oh4x!]

Hey x-quisite I am running on Win XP and I haven't tested on Windows 7 so yes it will probably be because you are using Windows 7. As PinkHatHackers suggested try using XP mode that should work.

As for the new table for 7.4.1.4 I will add it to my program asap. Thanks PinkHatHackers for releasing it! :D

h2oh4x!

[h2oh4x!]

Hey guys heres the new version 0.2. This has the new algorithm for 7.4.1.4.

Please leave feedback :D

@pinkhathackers

As I do not have 7.4.1.4 could you send me an example lskdata.bin file so that I can test it please? Thanks :D

Screenshot:

Download Link: 

http://www.4shared.com/file/213882398/ac24...ryptor_v02.html



PASS: 

hak5.h2oh4x

Have fun!

h2oh4x

[sablefoxx]

For those who'd like to do research, this link may help;

http://www.mediafire.com/?dn2332iz2mk

[Soliloquy]

Can someone explain the layout of the file for me? Like there obviously cannot be characters stored in any of the first 400 bytes. I got some logs that I collected but am having trouble understanding this concept.

As an example

608 % 4 = 152 , % = 0

152, %=0 is the char "

All chars with the value of 152, or 0x98 would be "

Is that right?

[h2oh4x!]

Can someone explain the layout of the file for me? Like there obviously cannot be characters stored in any of the first 400 bytes. I got some logs that I collected but am having trouble understanding this concept.

As an example

608 % 4 = 152 , % = 0

152, %=0 is the char "

All chars with the value of 152, or 0x98 would be "

Is that right?

Hi and welcome to hak5 forums. Im not quite sure what you mean by your question and I dont know what makes you think the first 400 bytes does not store any characters as this is incorrect, however I have created a tutorial explaining exactly how to use this key table, I hope that you find it helpful :)

h2oh4x!

Tutorial link:

http://www.4shared.com/file/216272639/56f4...kdatabin_t.html

[Soliloquy]

I see what I was misunderstanding, I thought the divided value had something to do with the char. I understand what I did wrong now.

[h2oh4x!]

I see what I was misunderstanding, I thought the divided value had something to do with the char. I understand what I did wrong now.

Glad I could help. By the way we are not dividing the absolute position we are using the Modulus calculation which is not the same.

% = Modulus or Mod

/ or ÷ = Divide

h2oh4x!

[Soliloquy]

I thought the char value was the divided value... I kinda feel stupid now. Anyways, I see that there are a lot more chars used for formatting, like in your program. Would be so kind as to share please?