
Student Claims To Have Hacked Our Network


XaVi3r


Ok, so not exactly how I wanted to start my Tuesday, but alas, here I am. I work as a Network Admin in a K12 school district. A teacher came to me this morning and said that a student showed him that he could get to any file on our server, including teacher home directories, business office tax information, employee personal info. Everything. Now this shouldn't be possible without Domain Admin privileges, and I looked and only the IT staff has those privileges, and the student has the exact same privileges and group policies that every student has. Students do not have access to command prompt and have no way (that I know of) to get to the registry editor. They also cannot install programs. Any ideas, guys? Anything that I could be missing? Any help would be great; this is ruining my morning, as you can imagine.


Have you eliminated a misconfiguration of the shared folders' permissions? If so, have you asked the students how they did it?

Assuming they have hacked their way in, anything we can suggest would be pure guesswork on our part. It might be a server that is missing a patch, it could be a key logger that logged an admin's login, it could be an easily guessable password, etc. Those students who have gained access will know how they did it (even if it is just running an exploit).


Do the network PCs have BIOS passwords? He could boot from Linux and do anything he wants, or portable .exe's off a flash drive could allow him to escalate his privileges. Also, you can get access to cmd easily simply with Notepad and saving a specific file as .bat; you can also get access to cmd with Paint, as seen in a past Hak5 episode. It really all depends on how you have 'blocked' things. It's the simple stuff that lets you get to the big stuff. He could be sniffing, dumping hashes, running exploits. You should probably just ask him. I used to do this kind of stuff all the time in high school lol.

Edited by soka80

Escalating privileges is one thing, but if this is all joined to a domain, logging in or booting off Linux media won't give him access to the domain unless he can harvest cached domain hashes. If not booted off some other media (something the school should lock down via the BIOS), he would need to 1) already be joined to the domain and work his way up while logged on to the domain, or 2) know an admin password and just log on as the admin or a teacher with the same privileges.

CMD is not always disabled when joined to a domain. It has to be restricted based on group policy and user groups, but there are still ways to launch it, i.e. VB macros in Excel. Even if regedit is disabled, a bat script or even a VBS script can re-enable it by doing basically what group policy does, but directly against the registry. We used to do this at work; when it was disabled by group policy on the domain, we could merge our own reg files to turn it on and off at will (it's a simple 0 or 1 bit flip), something that still works today with Windows. From there, you could then enable gpedit.msc to remove restrictions and cmd.exe, etc. If the user then escalated his privileges while logged onto the domain, then he could have made his sign-on part of the admin user group, but shouldn't be able to push that onto the domain controller without admin access to Active Directory, so an admin checking Active Directory wouldn't see that he was part of the admin group in Active Directory, but would be able to see his elevated privileges if sitting at the machine where it was done from.

My guess is it could have been a misconfiguration, or the kid did something like a MITM on a teacher's connection, either via Cain or Metasploit or some other tools, and a pass-the-hash for credentials to see other shares on the network. Might have even found cached domain hashes from an admin account and just passed them up the food chain to gain access to the shares, but more than likely, someone enabled sharing on a drive or share that was wide open to the rest of the network and they overlooked it. You can restrict access to shares, but if the files themselves are flagged for "everyone" then they would show up on normal users' mapped drives if they are on the same path as their normal shares; it just shouldn't give them access to write to the share unless that flag was set as well.

Final thought: if the user was prompted for access to a share or just to log on to the domain in general, he could have guessed the login and password for access. It's not impossible to brute force domain logons. Especially if the password is easily figured out and he already knows someone else's sign-on name like a teacher or admin, i.e. a combination of school number, location, school name, etc.


In this circumstance I would review the following:

  1. Ensure all students' permissions don't allow them to perform any administrative tasks.
  2. Is the BIOS on all the PCs password protected?
  3. If not, then they could've booted a Live Linux Distro, reset the admin password and enabled CMD.
  4. Ensure the boot menu option is disabled in the BIOS. (This will prevent the booting of any USB/Media.)
  5. Even if the BIOS is password protected, anyone could have cleared the BIOS by removing the CMOS battery. Make sure the case is properly secured and tied down.
  6. Make sure no PC in the school has a keylogger installed.
  7. Does the school allow students to bring their own laptop? If so, the student in question could have used ARP poisoning to collect the passwords.
  8. Preventing ARP poisoning can be easily dwarfed at the switch level.
  9. Ensure all machines in the school are properly patched (updated).
  10. Review the current group policies and make changes as necessary.
  11. Definitely review the configurations on all the workstations and take note of anything out of the ordinary.
  12. Ensure all password and account policies are met. (Passwords should be changed once or twice a month, and they should be above 8 characters with mixed alphanumerics and special characters if possible.)
  13. Local administrator passwords should be hard to guess. At my work, for instance, it's over 15 characters long.
  14. If the school has wireless internet, it should be monitored; any devices should be whitelisted and periodically checked out for unwanted software. Also, it would be a good idea to activate AP isolation.

Edited by Infiltrator
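As an added example (not code from the thread or from any of its posters), the following PowerShell script checks the three things the posts above keep coming back to: whether a student account sits in a privileged domain group once nesting is expanded (Infiltrator's item 1), whether a workstation's local Administrators group holds an account it shouldn't (Brak710's point that a local elevation never shows up in Active Directory), and whether the domain password and lockout policy is weak enough to make guessed teacher logons practical (items 12 and 13, and the brute-force point in Brak710's post). It assumes the RSAT ActiveDirectory module, PowerShell 5.1 or later on the workstations, WinRM enabled, and a caller who is already a domain admin; the OU paths, the NetBIOS domain name and the local-admin baseline are placeholders.

```powershell
# Added example, not from the thread. Audits where a student account could
# actually hold administrative rights. Assumptions: RSAT ActiveDirectory
# module, WinRM to the workstations, caller is a domain admin. All OU paths
# and the domain name are placeholders.

Import-Module ActiveDirectory

$studentOu     = 'OU=Students,DC=school,DC=local'      # placeholder
$workstationOu = 'OU=Workstations,DC=school,DC=local'  # placeholder

# 1. Expanded membership of the privileged groups. A student placed in a
#    group that is itself nested inside Domain Admins is invisible in the
#    group's direct member list, so -Recursive is the important part.
function Get-PrivilegedMembers {
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($group in $groups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group         = $group
                    Member        = $_.SamAccountName
                    FromStudentOu = ($_.DistinguishedName -like "*,$studentOu")
                }
            }
    }
}

# 2. Local Administrators on every workstation, compared with the expected
#    baseline (the built-in local Administrator and Domain Admins). Anything
#    else was added on the box itself and will not appear in AD.
function Get-LocalAdminFindings {
    param([string[]]$Expected = @('*\Administrator', 'SCHOOL\Domain Admins'))  # placeholder baseline
    $computers = (Get-ADComputer -Filter * -SearchBase $workstationOu).Name
    $members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
    }
    foreach ($m in $members) {
        $isExpected = $false
        foreach ($pattern in $Expected) { if ($m.Name -like $pattern) { $isExpected = $true } }
        if (-not $isExpected) {
            [pscustomobject]@{ Computer = $m.PSComputerName; Member = $m.Name
                               Type = $m.ObjectClass; Source = $m.PrincipalSource }
        }
    }
}

# 3. Domain password and lockout policy. No lockout threshold is what turns
#    guessing a teacher's password from a student seat into a workable plan.
function Get-PasswordPolicyFindings {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt 8) { $findings += "MinPasswordLength is $($p.MinPasswordLength)" }
    if (-not $p.ComplexityEnabled)  { $findings += 'Password complexity requirement is off' }
    if ($p.LockoutThreshold -eq 0)  { $findings += 'No account lockout threshold (unlimited guesses)' }
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Passwords never expire' }
    else { $findings += "MaxPasswordAge is $($p.MaxPasswordAge.TotalDays) days" }
    $findings
}

Get-PrivilegedMembers      | Format-Table -AutoSize
Get-LocalAdminFindings     | Format-Table -AutoSize
Get-PasswordPolicyFindings
```

Run it from an admin workstation; offline machines are skipped silently by Invoke-Command, so a second pass for the ones that did not answer is worth scheduling. The local-admin check is the one that catches the case Brak710 describes, where a user elevated himself on a single machine and nothing in Active Directory changed.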

How about just asking the student how, and thanking him for bringing it to the school's attention?

Don't screw up some kid who clearly has a liking for IT Security. If he has done nothing nefarious, you better not allow him to get ANYTHING but praise.


Reading over things again, you clearly have no idea what happened. Therefore, you can't even be sure that something DID happen. Like I said, talk to the student, you're lucky you have the ability to contact your "hacker." Right now you're on a wild goose chase because even if you find a hole, you'll never know if it was the right one.


> Reading over things again, you clearly have no idea what happened. Therefore, you can't even be sure that something DID happen. Like I said, talk to the student, you're lucky you have the ability to contact your "hacker." Right now you're on a wild goose chase because even if you find a hole, you'll never know if it was the right one.

You make a good point. Instead of incriminating the student, he should be praised and recognized for his talents/skills. He did, in fact, find a security weakness that no one in the IT department was able to detect.

Now it comes down to the school to appraise him or discipline him.


I find your situation very interesting. As I read through all of the responses, I must admit that I too was already thinking of things that you should look into or check until I read Brak710's brilliant post. His answer was so simple yet so effective. Sometimes, in an attempt to be an analytical thinker, we tend to overthink things.

The reason I found your situation so interesting is that my wife is a vice principal (which means she does all of the discipline) of a K8 school. Now, just because she's not in IT doesn't mean she's not an analytical person. She received her Master's in Educational Psychology and her Doctorate in Educational Innovation and Leadership, so she's used to doing research and analyzing results. I really wanted to hear her take on your situation and what would actually happen if it happened to her. So I read XaVi3r's original post without all of the replies, and I asked her what she would do. I expected her to say something like get the IT guy on it and suspend the kid. To my amazement, she told me exactly what Brak710 posted. She said that she would thank the student for bringing this issue to her attention, and ask the student what he/she did to access the files. It's nice to know that there are at least some administrators that would respond with gratitude. I'm not so sure that was the case at my school.


If he's doing what I think, then I did the same thing in 7th grade and could access anyone's info.

Our school had permissions set up, but there were some flaws. For some reason I could go into the network, and what was called "\school\VirtualLocker\Student\", and use Active Directory to search for someone's ASB number, then find the folder with the ASB number, and that was their documents. Long story short, one of my friends saw me doing it and spread the knowledge around, so I ended up going to IT and helping them fix it.

Check your network permissions for profile folders; that's the most common, and every school I've gone to has had some error I could exploit. My suggestion would be locking access to every network share except their own profile and the classes they are in.

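The misconfigured share that several posters suspect (the "everyone" flag Brak710 mentions, the profile-folder permissions in the post just above) is the easiest theory to confirm or rule out, so here is an added PowerShell audit for it; it is not code from the thread or from any poster. It lists every ordinary share on a file server whose share-level or NTFS ACL grants access to a broad principal, then walks a home-directory root and reports any folder readable by someone other than its owner. It assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), that it runs on the file server as an administrator, and that home folders are named after the user's sAMAccountName; the home root path, the NetBIOS domain and the student group name are placeholders.

```powershell
# Added example, not from the thread. Finds shares and home folders that are
# open to more people than intended. Assumptions: SmbShare module, run on the
# file server as an administrator, home folder name == sAMAccountName.
# Paths, the domain name and the student group name are placeholders.

$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users',
    '*\Domain Users',
    '*\Domain Computers',
    '*\Students'                      # placeholder: the student security group
)

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($pattern in $broadPrincipals) {
        if ($Account -like $pattern) { return $true }
    }
    return $false
}

# Share-level ACL and NTFS ACL of the share root, for every non-special share.
# A share restricted at the share level can still be wide open underneath,
# and vice versa, so both layers are reported separately.
function Get-ShareFindings {
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.AccountName)) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                                   Principal = $ace.AccountName; Rights = $ace.AccessRight }
            }
        }
        $acl = Get-Acl -LiteralPath $share.Path
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $id)) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                                   Principal = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Home directories: each folder should be readable only by its owner, SYSTEM,
# Administrators and the CREATOR OWNER placeholder. Any other allow ACE,
# inherited or explicit, is reported.
function Get-HomeFolderFindings {
    param(
        [string]$HomeRoot = 'D:\Shares\Home',   # placeholder
        [string]$Domain   = 'SCHOOL',           # placeholder NetBIOS domain
        [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    )
    foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
        $owner = "$Domain\$($dir.Name)"   # assumption: folder name is the username
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $id -ne $owner -and $id -notin $Expected) {
                [pscustomobject]@{ Folder = $dir.FullName; Principal = $id
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

Get-ShareFindings      | Format-Table -AutoSize
Get-HomeFolderFindings | Format-Table -AutoSize
```

The Inherited column matters for the home-folder findings: an inherited ACE on every folder points at a permission set once on the parent (the "everyone" case), whereas an explicit ACE on one folder points at something done to that folder specifically.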

> How about just asking the student how, and thanking him for bringing it to the school's attention?
>
> Don't screw up some kid who clearly has a liking for IT Security. If he has done nothing nefarious, you better not allow him to get ANYTHING but praise.
>
> Reading over things again, you clearly have no idea what happened. Therefore, you can't even be sure that something DID happen. Like I said, talk to the student, you're lucky you have the ability to contact your "hacker." Right now you're on a wild goose chase because even if you find a hole, you'll never know if it was the right one.

I have one response, and it is a resounding NO. You do not praise a minor for bypassing protocols and taking matters into their own hands when it is clearly not their job nor their business. I would have praised him if he had gone to the IT department with his findings (instead of parading the feat around and showing his teacher). Plus, from what it looks like to me, no one has gotten the kid to reenact this exploit so the administrators can fix the issue.

I've been this kid, and I made the choice I described and was asked by the IT department to help them. Being the good kid isn't as fun when you first look at it, but it pays out much more.


> I would have praised him if he had gone to the IT department with his findings (instead of parading the feat around and showing his teacher). Plus, from what it looks like to me, no one has gotten the kid to reenact this exploit so the administrators can fix the issue.

While I understand your sentiment, I would say that going to the teacher was the right choice, as most K12 systems don't have the IT department in the building unless they are fixing an issue.

I'm not sure that I agree with the praise sentiment, but punishing him is definitely the wrong direction to go. If he is anything like me, it would not discourage him from "tinkering" with computers, but rather discourage him from reporting vulnerabilities.


> I have one response, and it is a resounding NO. You do not praise a minor for bypassing protocols and taking matters into their own hands when it is clearly not their job nor their business. I would have praised him if he had gone to the IT department with his findings (instead of parading the feat around and showing his teacher). Plus, from what it looks like to me, no one has gotten the kid to reenact this exploit so the administrators can fix the issue.
>
> I've been this kid, and I made the choice I described and was asked by the IT department to help them. Being the good kid isn't as fun when you first look at it, but it pays out much more.

You're completely out of it. Telling a teacher is the SAME thing as telling the IT department. Had he just shown this off to friends, I could see your point. But here? No, you're wrong.

I work for a HUGE company. We work on single servers and databases that cost more than the building the OP's school is in and everything in it is worth. I assure you, if someone in house - employee/visitor/janitorial-services/whatever - finds an issue, they are endlessly praised for bringing it up. One mistake could be a billion dollar nightmare. You know those stories about a big company losing a laptop and releasing some customer data? Hah, yeah right, we got hacked and we're saving face because people are less worried about jacked laptops than a hack/breach. Actually losing a laptop is immediate termination on the spot here. No one ever gets fired after these "stories"; that's awfully convenient. It would have been 10x nicer if someone caught this before anyone outside even knew about our issue.

Security is quite frankly THE most important thing for us, and it should be for everyone else. You're upset a student saw "confidential" information about a school? That's cute. The day I walk in and all our client/patient data has been taken, I might as well just turn around and go home - that's game over.

I'm not saying what the OP is doing is worthless and irrelevant, I'm just saying proper handling of breaches is a necessity at any level of IT. If you don't take it seriously and handle it properly, you're going to get burned. You don't want ANYONE fearing mentioning a possible hole for fear of punishment. If you feel the kid didn't handle the knowledge properly at first, simply add a professional sounding "Next time you find another hole, let me know as soon as you can, I really like being able to have you help us out on this as early as possible."

You have the opportunity to just ask the kid what he did, and move on knowing the solution. It might be an eye-opening discussion with this kid that makes you have a completely new view on a certain attack vector and how things like these could be more easily detected earlier.

Don't fall into "You do not praise a minor for bypassing protocols and taking matters into their own hands when it is clearly not their job nor their business" type thinking. You'll be replaced by someone more open minded and willing to do it for 10% less in the IT world. For all you know, your replacement is the kid you're trying to suppress.

Edited by Brak710

Brak710 has a point in there.


  • 2 weeks later...

> Don't fall into "You do not praise a minor for bypassing protocols and taking matters into their own hands when it is clearly not their job nor their business" type thinking. You'll be replaced by someone more open minded and willing to do it for 10% less in the IT world. For all you know, your replacement is the kid you're trying to suppress.

Protocol exists for a reason. Bypassing protocol is a sign of laziness. Playing by the rules and working the system to your advantage has a far greater reward than just doing whatever you want and hoping you get something beneficial out of it. The world doesn't work that way. Case in point.


> Protocol exists for a reason. Bypassing protocol is a sign of laziness. Playing by the rules and working the system to your advantage has a far greater reward than just doing whatever you want and hoping you get something beneficial out of it. The world doesn't work that way. Case in point.

I really have no idea what you're talking about. You're upset a minor found a gaping security flaw and reported it to what he felt was the authority in control. This has nothing to do with protocols and rewards. As far as I'm concerned, the student followed the "protocol" assumed in a school environment.

You're more than welcome to think how the world works, but I'll tell you someone is always going to think of a better and more efficient way to do something. You can either accept that or become irrelevant. This kid reported the problem. Talk with him, thank him, and fix the problem.

Edited by Brak710

Every school I have attended or heard of requires a student and their parents to sign a document specifying what and how the facility computers are to be used. (Some would call this an Acceptable Use Policy or AUP Agreement.) Typically this document graphically explains how school (or any establishment with an organized IT department) computers are to be used, as well as spelling out what sort of disciplinary action will be taken if an individual breaks the terms of the document. This goes for employees and students. Every situation is different, but usually a flaw is found by someone who is doing something they are not supposed to do. Try poking around any other business network and see how far it gets you when you report a flaw to someone you assume is in charge. The agreement you sign explains what to do; follow it, get rewarded.


@ The Sorrow, it sounds like you're essentially against the hacker spirit. I'd posit that a career in law enforcement living by the letter of the law is appropriate for you. Many times there are rules or laws that are in place, but it does not mean that they were created by knowledgeable IT personnel. Most of those "laws" and rules are in place to cover the collective legal behinds of the administration. Would you prefer to use a cryptography suite that wasn't poked and prodded at until it broke and was fixed? The cryptography that has been hacked to death and fixed is more trustworthy than something that lives behind a shroud of secrecy. It's by pushing boundaries that we find issues in the software or security procedures.

Should the kid have been poking around? No, not if he signed the acceptable use policy. He did bring it to the attention of the school rather than using it for his own personal gain. We exist in many gray areas when it comes to what is right or wrong. I see what you are saying about going against the policies. Do I fault him for poking around the network? Hell, no. It's human nature to explore.

I'm growing tired of a society that is being forced to think in black and white terms. OBEY, all else is wrong and shall be punished.

In regards to the actual question: communicate with the youth that brought it up, and if it is something that he did do successfully, find out what paths he took to get there. I often have other eyes check my work and verify I didn't miss something glaring in the details. Discuss the use policies and get his input on why they did not deter him. The administration might not agree, but I believe you may be able to guide that kid in ways and at levels that other teachers have not been able to reach him on yet.


If you ever wonder why school networks are pathetic and insecure, it's exactly this mentality of "the rules protect it, leave it alone." Your meaningless "acceptable use policy" will be worthless when someone finds a way past the firewall or through a public-facing service on the network. Once that's breached, well... Hopefully there aren't any Windows Domain permission issues on the confidential files... Hopefully.

My high school had this exact same issue with the administration. They had an AUP and acted like that was the network security, and 2 weeks into the year I handed them the Horde mail server on a DVD. Needless to say, I eventually helped them move to a new email system. There were so many poor practices and policies we ended up reformatting and reinstalling all the servers, since no one cared about security on the initial installs. This place handled student information, payment information, and occasionally credit-card data. Pathetic. I assume there never was a major breach from the outside, but we'd have no idea, since there was no logging or anything of the nature that was usable.

...That and they don't pay anything for anyone good to stick around, but that's another topic.

Edited by Brak710

I'd like to know what has happened or transpired since the OP first posted this topic, though. Any feedback?? It's become a debate over ethics or how to handle a disclosure, not that I have an issue with that, but what, if anything, has been done since the so-called "hack", if even that has happened. We really don't know if the kid actually hacked anything, or if he just found something unsecured.


I think it's an interesting situation. On the one hand if every kid went around trying to break into networks in the name of the greater security good, then we would have extremely insecure networks with constant threats.

On the flip side of that coin, if no one ever tried to engage networks to test security then we would have extremely insecure networks.

Networks are inherently insecure and everyone knows that, I don't think we need a kid to prove that. This is obviously a question of ethics with no right/wrong answer, I just think it depends on the situation. From what I understand the kid presented the security vulnerability in a somewhat professional fashion, as professional as a high school kid can be at least. I think it's good for people to do this, but in a manner where they don't undermine anyone's authority.

I think the kid should be warned, it was nice of him to find the vulnerability, but there are people who are paid to do that. He should be made to understand his job is to read books and be a student and not break into networks.


> Students do not have access to command prompt and have no way (that I know of) to get to the registry editor.

That's what the admins at my school thought. They blocked access to cmd.exe ... so I created a new shortcut to command.com ... done. Didn't do anything bad... unless you consider solitaire bad.

Edited by CanadianTaco
