Clarence Posted October 17, 2017
Hello, I am new to this forum and I work for a school district as a pen tester. We use a firewall called IBoss and we had a student crack it to gain access to otherwise restricted sites, and I am not able to recreate how the student worked around the firewall. I need some help on creating a breach within the IBoss system.
Thank you
Clarence

digininja Posted October 17, 2017
Forgive the scepticism but this is a variant of the "how do I hack my wife's Facebook account?". We have no idea who you are, whether you have permission to do what you are doing or anything else.
My generic suggestions would be to check the logs, check the config for anything that appears to be more open than it's supposed to be and try asking the student, he may be happy to boast about how he did it in return for a less harsh penalty.

Clarence (Author) Posted October 17, 2017
We have asked the student and we have tried to screen cap a Chromebook during the process, but he uses a USB Rubber Ducky to make the process much, much quicker, so fast in fact the screen cap was not able to pick it up. I have tried my own attempt at what this kid can do but he is one step ahead of me.

Clarence (Author) Posted October 17, 2017
We can't. We would need a warrant to be able to take the ducky and read the script. By state law we as a school are not able to do such actions without defeat cause and a statement from our D.A.

digininja Posted October 17, 2017
If you are allowed to screen capture then use a key logger.

Rkiver Posted October 17, 2017
1 minute ago, Clarence said:
"We can't. We would need a warrant to be able to take the ducky and read the script. By state law we as a school are not able to do such actions without defeat cause and a statement from our D.A."
Really? So if a student breaches your school's security, and in such breaks the Acceptable Use Policy that you would have gotten them and their parent to sign, you cannot confiscate the equipment they used to do so, even if by their actions they could be breaking data protection laws?
While I am not based in the US, and am not a lawyer, I do work with schools, and we have had similar attempts. I am EXTREMELY sceptical of your statements here...

Clarence (Author) Posted October 17, 2017
Yes, the students did have a contract, but the school district left out the part of trying to breach the firewall or other systems to try and make it easier on me. Having the students create the breach, then we patch it out by watching their screen on how to do it, or asking them. But the student that uses the ducky is able to walk up to any Chromebook and run the script, and all we see is a HID keyboard was attached, and our systems don't log keystrokes but it does log usage over the network.

digininja Posted October 17, 2017
They deliberately left out a part that said the students couldn't attack your network to make the job of a pen tester easier.
Your first message sounded suspicious, this is now incompetent and suspicious.

Rkiver Posted October 17, 2017
21 minutes ago, Clarence said:
"Yes, the students did have a contract, but the school district left out the part of trying to breach the firewall or other systems to try and make it easier on me. Having the students create the breach, then we patch it out by watching their screen on how to do it, or asking them. But the student that uses the ducky is able to walk up to any Chromebook and run the script, and all we see is a HID keyboard was attached, and our systems don't log keystrokes but it does log usage over the network."
Bull. Absolute bull. They can have an AUP that covers everything, and then give you a letter of marque to let you do your job, like they do with EVERY OTHER PENTESTING JOB EVER.

Clarence (Author) Posted October 17, 2017
I know it's stupid. I tried to warn them if something were to happen like this. Their reasoning behind it was so we don't have to pay you as much.

Just_a_User Posted October 17, 2017
I do enjoy reading posts like this while having a coffee :) never fail to entertain. Makes me wonder if it's one of you lot doing a windup :P

Rkiver Posted October 17, 2017 (edited)
3 hours ago, Clarence said:
"I know it's stupid. I tried to warn them if something were to happen like this. Their reasoning behind it was so we don't have to pay you as much."
... Stop. Just stop. You are paid to do a job, they don't have to pay you less due to leaving out part of an AUP. At this point I am convinced you are lying, and are a student trying to get around a firewall in your school by having us write a script for a USB Rubber Ducky for you.
Edited October 17, 2017 by Rkiver

digip Posted October 17, 2017
Quote
"I work for a school district as a pen tester."
Ok.
Quote
"We use a firewall called IBoss"
Who is "we"? Because "you" the pentester, aren't the one who secures the network (generally), you're the one who breaks and tests the network, then make recommendations on what to fix to the IT and Security team for the organization. If you are running iboss, and not "they" are running iboss, these are 2 different things. Who's in charge of the network? Are you the IT person who is implementing the network setup, part of the NOC/SOC, etc?
Quote
"I am not able to recreate how the student worked around the firewall"
What difference does it matter how it happened? Will recreating it change anything? Sure, helps when patching, but if there is a hole, find the hole, patch the hole. You're the "pentester", hired to find weaknesses in the system. If "we" set this up, then "we" should double check and test our setup. I'd bet money, there are probably multiple ways around this firewall restriction, so knowing how the student did it, is only one of them.
If you are in fact the person in charge of the network, vs some outside contractor hired to break into and test the network, then you should have intimate knowledge of the firewall, the network topology, client and server machines, their setup configurations, permissions on the network, shares, etc, and where to start filtering and checking things, applying DNS and proxy filtering, VLANs, etc. While it should be trivial in most cases with tunneling or VPNs to bypass most of this stuff on the firewall, if the kid is abusing the network, you DO NOT LET THE KID BACK ON THE NETWORK, and revoke their privileges. If any abuse of a network, even if not explicitly listed in student agreement/policy for "bypassing the firewall" as a rule, should surely have something that states privilege access granted, but not a right, and abuse of, can be taken away.
As school staff for the IT team, even if just one person, you should have intimate knowledge of your perimeter and the network setup, and if you don't, there are probably way more pressing issues to fix, vs one kid bypassing the firewall. What is the network sign-in policy, how do they get access to the network, are they proxied natively so they can't access DNS and outside sites, what prevents anyone from plugging into the network with BYOD, rogue APs, etc.
Either this network is wide open, or you're not telling us the whole story, or as others said, total BS. This doesn't pass the smell test, and most pentesters, won't discuss client info on an open forum, as they probably have an NDA in most cases.
Not saying it's 100% fabricated lie, sure, many schools have clueless network admins who are often at the mercy of the students, or just school staff/teachers/office personnel left to set this up, but if they can hire a "pen tester", they can surely hire a network admin and some IT people who know what is up with their network. You are either in over your head or should just come out and state you're trying to bypass the IBoss firewall.

0phoi5 Posted October 17, 2017
5 hours ago, digininja said:
"Confiscate the ducky and read the script."
This. Sorry, I don't believe for a moment that you aren't allowed to confiscate it. Schools are well within their rights to confiscate mobile phones, knives, and anything else they deem unsafe, inappropriate or a breach of their rules. The Rubber Ducky falls within this.

barry99705 Posted October 17, 2017
The needle on the bullshit meter just flew off. Having worked and occasionally still work for school districts in the US, I can say that yes, the school can confiscate anything that a student uses on school property that damages the property. The network is school property.

digip Posted October 17, 2017
7 minutes ago, haze1434 said:
"This. Sorry, I don't believe for a moment that you aren't allowed to confiscate it. Schools are well within their rights to confiscate mobile phones, knives, and anything else they deem unsafe, inappropriate or a breach of their rules. The Rubber Ducky falls within this."
I can't tell you how many things teachers used to confiscate from us growing up, from radios and Walkmans, to pen knives and such (today you'd probably be arrested for a small pen knife, but we all had them as kids when I was growing up), teachers never thought twice about confiscating stuff and tossing it in their drawer. They kept them locked up, you got it back at the end of the year. I don't think they have a right to search your cell or other devices, and even legally, you would probably need a warrant, but they can certainly take it and hold it till parents come get it or better yet, turn it over to police depending on what was done.

digip Posted October 17, 2017 (edited)
By the way, does this look like a pentester, or some kids? https://twitter.com/jonbush1234
Where the profile pic for "Clarence" comes from. https://twitter.com/jonbush1234/status/914948133163061249 looks like maybe Mr "Clarence" needs help learning how to use his new rubber ducky.
@Clarence will the real slim shady please stand up - https://www.twitch.tv/videos/173897157
After some digging, looks like he is 15yrs old, born in 2002.
How long before a thread lock? I think he's suffered enough...
Edited October 17, 2017 by digip

Just_a_User Posted October 17, 2017 (edited)
1 hour ago, digip said:
"How long before a thread lock? I think he's suffered enough..."
Yes, that's enough. Don't want to discourage him from life :) just from pretending to be things he's not and from doing things he shouldn't! lol
Edited October 17, 2017 by Just_a_User

Michael Weinstein Posted October 17, 2017
Kid, don't run any ducky scripts anybody gives you here. At this point, they're all going to be rm -rf / and fork bombs. Also, there's very little interesting stuff you can run on a Chromebook that's not rooted and running... uh... not ChromeOS.

UnLo Posted October 17, 2017
*smashes desk
Of course I would finish my popcorn
Before getting to this.
*wishes I had another buttery bag

digip Posted October 17, 2017
Just now, UnLo said:
"*smashes desk Of course I would finish my popcorn Before getting to this. *wishes I had another buttery bag"
It was a good SE attempt I guess. Albeit, failed attempt. I think had he known what admins do and things in place, the ruse would have been a bit more elaborate, but that could also have made it even more fishy, given a penetration test would more than likely be confidential. I had fun just sleuthing out his info though, which was pretty easy given his digital footprint.

Joe S Posted October 17, 2017
Sorry about the guys I am head of the I.T. department from the School District clarence was claiming to be A admin and I have revoked his USB rubber ducky land turtle and bash bunny from his person and thank you for linking me his twitch that we have been have been trying to find and he's going to be getting a pension for some of the stuff that he's titled it streams thank you very much
Joe S

Michael Weinstein Posted October 17, 2017 (edited)
1 hour ago, Joe S said:
"Sorry about the guys I am head of the I.T. department from the School District clarence was claiming to be A admin and I have revoked his USB rubber ducky land turtle and bash bunny from his person and thank you for linking me his twitch that we have been have been trying to find and he's going to be getting a pension for some of the stuff that he's titled it streams thank you very much Joe S"
So we've had Eminem, Slim Shady... and this would be Marshall Mathers?
https://getyarn.io/yarn-clip/ba393c1f-4166-443c-9f8c-5cb380b26ecf#SyInJJbNa-.copy
Edited October 17, 2017 by Michael Weinstein
Gratuitous Hackers movie reference.