trustme Posted April 24, 2007

Hello all (yes I'm new, followed Hak 5 for a while when the USB switchblade project began). Anyway, I'm a student in high school and as you can probably guess, I'm a tech kid. I'm currently taking Java and Computer Integrated Manufacturing. Since I'm more interested/skilled in manipulating software than some people who sleep through class, my teachers like me. So my Java teacher told me he would be interested in seeing if the USB switchblade would work on the school computers. I had tried versions of the switchblade against student accounts in the past, predictably finding them restricted by my lack of admin access. When I was talking with my teacher, he suggested that I try it against a teacher workstation (they have admin rights) and got permission to do so.

So I was wondering if anyone has a recommended payload/whatever most likely to work. Any other suggestions (U3 vs. non-U3 with script, I have both types of flash drive) are appreciated as well. I'm guessing that passwords aren't stored locally, but he figures we'll check and I thought about trying the script someone posted to try to get it from the server. So again, if anyone has any suggestions I'd appreciate it.

Disclaimer: I totally understand if you don't believe that my teacher is doing it w/ me and as a result my account gets banned/thread deleted/etc. I've seen people post similar questions before and get metaphorically shot for it. Not sure if you've become more understanding about talking about such things recently.

Finally, my school's computer policies are lacking in certain areas (which is why my school loves me) and I was wondering if you had any suggestions on fixing these problems (some fixes are obvious, don't bother with those).

1st off, the school intelligently left the Windows keys on the side of the computer, and I know several students who installed Windows off the school's VLK (how is this not obvious to the tech department??)

2nd, the school maps the network drive to F:, so sticking in the U3 drives breaks when it tries to create 2 disk drives at once. To get around this, sticking them in at login has been effective, but removes the student shared drive. I assume they could simply remap the drive?

3rd, as a user without admin rights, I can install programs. This is obviously a major flaw (some benefits like Firefox installed have cropped up, but they're adding Firefox to the image for next year). I assume the fix lies in group policy restrictions???

4th, is it possible to create an image with certain settings already ticked (every time Internet Explorer opens, you have to go through prompts for secure sites and not to remember your password)?

Thanks in advance for any help.

Ryan
ZeR0BuG Posted April 24, 2007

The VLK keys... those may not be the ones they use... My school district bought thousands of HP desktops... with XP Pro... the VLK keys are on the sides of the computer... but when they go through the district technology center... they get re-imaged with the district image... thus replacing the already installed version of XP with that key...

And if your school district, like mine, uses Active Directory, some programs like Firefox do not require admin privileges to be installed... so they did not screw up there.

If you are talking about a Windows image to already have that checked... of course... just use Acronis True Image... configure your installation how you want and then tell it to make an image of your computer...
GonZor Posted April 25, 2007

> he suggested that I try it against a teacher workstation (they have admin rights)

WORST MISTAKE, teachers should never get admin rights. Half the time they have no idea what they are doing, actually it's more like all the time... Any user should only have the bare minimum privileges so that they can still do their work; why give someone admin rights when they only need access to Word and IE??

> 1st off, the school intelligently left the Windows keys on the side of the computer, and I know several students who installed Windows off the school's VLK (how is this not obvious to the tech department??)

In Australia it is a legal requirement to have these keys on the side of the computers, or at least somewhere on the computer. If this is really an issue, when the IT department orders the computers they can specify to have these put on the back of the machine; it just takes some organization.

> 3rd, as a user without admin rights, I can install programs. This is obviously a major flaw (some benefits like Firefox installed have cropped up, but they're adding Firefox to the image for next year). I assume the fix lies in group policy restrictions???

Yes, this is set in group policy, although it seems a bit worrying that a student would have local admin. Or do you have elevated privileges?? Same as above...

> 4th, is it possible to create an image with certain settings already ticked (every time Internet Explorer opens, you have to go through prompts for secure sites and not to remember your password)?

Is that for Internet Explorer not to cache your password?? I had to do this a while back; there was a registry key. I can't remember exactly what it was but it was easy to find, just search Google.
killzone Posted April 25, 2007

If you can truly do this on a teacher's workstation with admin privileges then I say change the target drive of whatever payload you choose to be the actual C: drive of the computer you have physical access to. More likely than not your sysadmins'/IT/techs' password hashes are there to dump. And those are far more worthwhile.
GonZor Posted April 25, 2007

> More likely than not your sysadmins'/IT/techs' password hashes are there to dump. And those are far more worthwhile.

Any smart admin will not cache passwords locally; chances are (presuming your admins are not idiots) you will only be able to dump the local admin password. As for the sysadmin password, that would be stored on the server like every other password, though after you gain local admin you should be able to do a man in the middle attack between your sysadmin's computer and the authentication server or proxy; this should get you the hash.
jool Posted April 25, 2007

The question about what payload to use got me thinking. I never really bothered to follow the switchblade development that much and the wiki is down, so I can't look up if it already is done or not. I was thinking about a demo/auditing payload that just goes through and logs what it could have done if it was malicious without actually doing anything to the system. I would not want to have to potentially hose a system just to prove a point. Since I don't break into systems anymore, proving the point would be the only capability I need, and from the description rpk5000 gave the need seems to be similar.
trustme (Author) Posted April 25, 2007

Just to respond to some of the posts and clarify…

> The VLK keys... those may not be the ones they use... My school district bought thousands of HP desktops... with XP Pro... the VLK keys are on the sides of the computer... but when they go through the district technology center... they get re-imaged with the district image... thus replacing the already installed version of XP with that key...

> In Australia it is a legal requirement to have these keys on the side of the computers, or at least somewhere on the computer. If this is really an issue, when the IT department orders the computers they can specify to have these put on the back of the machine; it just takes some organization.

Yeah, you may be right on the VLK keys, but that means the keys are still good for home use by some students; like I said, this includes a couple of friends who tried it and said it works. (They're XP Pro keys too, not just Home or Media Center.) As to them being required, I don't know if the same is true in the US. I do think however that just putting them on the back or bottom won't fix anything; in the library we have pretty much free rein, as well as with the tech teachers.

> And if your school district, like mine, uses Active Directory, some programs like Firefox do not require admin privileges to be installed... so they did not screw up there.

> Yes, this is set in group policy, although it seems a bit worrying that a student would have local admin. Or do you have elevated privileges?? Same as above...

I forgot about the programs that can be run under limited users, but in my experience quite a bit of stuff needs admin rights and that doesn't cover all the crap I've seen installed. Even if this is the case, I still think nothing should be allowed to be installed (students are limited users). But maybe it is only limited users because, like I said, the IE settings revert every time you log off.

My complaint with Internet Explorer is that when I am forced to use it (Firefox on a U3 drive, yay), I have to go through a bunch of stupid dialogs that revert even when you check the save setting button. The settings seem obvious (we're a school so no password save, of course I don't care whether I'm on a secure page or not, etc.) and seem simple to fix.

> WORST MISTAKE, teachers should never get admin rights. Half the time they have no idea what they are doing, actually it's more like all the time... Any user should only have the bare minimum privileges so that they can still do their work; why give someone admin rights when they only need access to Word and IE??

Totally agree, obvious flaw when computers are left unattended and logged in. How long does it take for me to come and stick my flash drive in and leave?

> Any smart admin will not cache passwords locally; chances are (presuming your admins are not idiots) you will only be able to dump the local admin password. As for the sysadmin password, that would be stored on the server like every other password, though after you gain local admin you should be able to do a man in the middle attack between your sysadmin's computer and the authentication server or proxy; this should get you the hash.

You're right. The setup is a bunch of servers stored separately and we log in from computers where the monitor sits on top. Obviously this is easy pickings for a USB attack even on a teacher station. My teacher and I both agree that if such an attack is technically feasible, a student could walk in at the beginning of the day, stick it in a back USB port (easily accessible, yet no one would think to look there), and take it out at the end if whatever needs to run needs time. He has more faith in the computer system than I do, and thinks that the password is never stored locally (we'll find out soon enough...) but only on the server. I'm guessing he'll be impressed even if I can only get the local password.

I've never heard of a man in the middle attack, and am interested in trying this. So in summary, I'm looking for something that is automated, much like the batch scripts I saw when I first came, and is successful at grabbing a local password, or better yet, the server password. Being able to set up and run anything that is necessary to achieve this in under 2 minutes is a plus. I'm capable of cracking the SAM (IIRC) password w/ online crackers myself. So... any suggestions? Thanks for all the good responses by the way.
GonZor Posted April 25, 2007

> Yeah, you may be right on the VLK keys, but that means the keys are still good for home use by some students; like I said, this includes a couple of friends who tried it and said it works. (They're XP Pro keys too, not just Home or Media Center.) As to them being required, I don't know if the same is true in the US.

Only certain keys will work with certain batches, so this shouldn't work for everyone unless they are burning their own copy of the school's disc. There must be a valid reason why these are left on the side if it's not a legal requirement; ask your admins.

> But maybe it is only limited users because, like I said, the IE settings revert every time you log off.

If you delete a file, say "C:\Windows", does it get restored when you reboot?? If so then your school is using a program like HD Guard. Whatever it looks like you're doing to the C: drive is actually happening to a temp file on the server; then when the computer is reset the temp file is deleted and a new one is started. So you're never actually putting anything on the HDD. The IE settings need to be set BEFORE the image is created.

> I've never heard of a man in the middle attack, and am interested in trying this.

You have never heard of a man in the middle attack??? Do you watch Hak.5?? S01x03 in particular (from memory).

> So in summary, I'm looking for something that is automated, much like the batch scripts I saw when I first came, and is successful at grabbing a local password, or better yet, the server password.

Local password is easy, all you need is pwdump. Just strip down your payload to only pwdump; nothing else will be of any use to you and this will speed up the dump process. I can't think of any way to fully automate the process for getting the server password; watch episode S01x03, that should explain about man in the middle attacks.
trustme (Author) Posted April 25, 2007

I do believe that the C: drive gets restored, but I don't understand why Firefox is consistently installed, as I've logged on just after they've been turned on for the day. In experience we've moved stuff to the C: and just left it there, to find it gone the next day.

I watched Hak 5 around 2x02 IIRC; when I first showed up I didn't watch the episodes, and only went and saw a few I had missed when I realized they were there. I figured as much about pwdump/fgdump, but unfortunately the wiki is down, which for some reason I recall as the way to get to downloading the packages. Anyone bored and want to write something to automate the man in the middle attack for me? I'm watching 1x03 now.

EDIT: Oh, you were talking about Cain and Abel stuff, just never heard it called that before. Is it even possible to automate something like that... or have it run off a flash drive... Seems like it would require access to a teacher station for a while and would look pretty obvious.
GonZor Posted April 25, 2007

> I do believe that the C: drive gets restored, but I don't understand why Firefox is consistently installed, as I've logged on just after they've been turned on for the day. In experience we've moved stuff to the C: and just left it there, to find it gone the next day.

Then your school is definitely running a program like HD Guard that works like I described above; I can go into a detailed explanation if you like...

> EDIT: Oh, you were talking about Cain and Abel stuff, just never heard it called that before. Is it even possible to automate something like that... or have it run off a flash drive... Seems like it would require access to a teacher station for a while and would look pretty obvious.

Using Cain the process is pretty much already automated; all you have to do is select your target. To get Cain to run you will need local admin access to install, hence the getting the local admin password first part. If what you are telling us is true then using the payload on a teacher's computer should get you the local admin hash. After you log in as local admin, install Cain, then start sniffing. If your school has a proxy, which I presume it does, I'd start there because you should be able to capture passwords in clear text as people try to access the internet.
trustme (Author) Posted April 25, 2007

Wiki is down and thus so is the switchblade package page. Anyone have a link or want to send me their switchblade package... prefer the non-U3 one. If you want to email it: rpk5024[at]yahoo[dot]com. Just replace the at and dot, sorry... antispam.
GonZor Posted April 25, 2007

I can write up a quick version for you, I'll start now. I'll just throw pwdump in there; that's all you'll need to get the local admin hash.
killzone Posted April 26, 2007

gonzor>>> You're right, a SMART admin wouldn't cache their passwords locally and would configure Windows to behave thusly. However, given the ease at which I have done this exact same thing at several HS, colleges, and universities, I figured he may find success with it. If Windows is not configured to not cache the passwords of anyone who logs into the machine locally, not to the network, you may find there's something there after all.

** Just as a note, I just did this on my work computer, and what do you know, there's a tech's, 2 employees', and an intern's passwords all cached locally.
deleted Posted April 26, 2007

I really want to see if this package (if it comes out) will work. I doubt the one I am trying to build will work (because I don't want to spring for a U3 drive).

One way I just thought of (explains why the edit): two programs, one to install a service and one main app. The install program will create an administrator service for the main app to start before login (thus avoiding any monitoring programs). The main app will be the payload and run whatever you want. But make the program detect when a memory stick is plugged in, make it verify that it is your memory stick (probably via a file), and make it store all the data on your memory stick.
trustme (Author) Posted April 26, 2007

EDIT: The key worked. In order to prevent anyone else from my school from using it, I've removed the SAM dump.

Furthermore, what can one do to stop this from happening? My tech teacher asked how to fix it when he saw that they worked.
GonZor Posted April 29, 2007

> Furthermore, what can one do to stop this from happening? My tech teacher asked how to fix it when he saw that they worked.

If your school has no need for the local admin account, lower its privileges so they can do nothing and also set the password to generate randomly on boot. To stop ARP poisoning you could always set the ARP tables manually.... Several hundred computers, sounds like fun!
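A startup script that does the two things GonZor suggests above (a fresh random local Administrator password on every boot, and a static ARP entry for the gateway so a poisoned reply cannot redirect the machine's traffic). This is an added example, not code from the thread or from the switchblade project; it assumes it runs elevated at startup (GPO startup script or scheduled task), and the gateway IP and MAC are placeholders to replace.

```powershell
# Added example (not from the thread). Run elevated at boot via a GPO startup
# script or scheduled task. Gateway IP/MAC below are placeholders.
$GatewayIp  = '192.0.2.1'           # placeholder: the workstation's default gateway
$GatewayMac = '00-11-22-33-44-55'   # placeholder: that gateway's real MAC address
$LocalAdmin = 'Administrator'       # built-in local admin account to neutralise

function New-RandomPassword {
    # 14 characters keeps net.exe from prompting about long passwords on older
    # Windows; from a 70-symbol alphabet that is still roughly 86 bits of entropy.
    param([int]$Length = 14)
    $chars = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%+-='
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    # Reject bytes >= $limit so every symbol is equally likely (no modulo bias).
    $limit = 256 - (256 % $chars.Length)
    $out   = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($chars[$buf[0] % $chars.Length]) }
    }
    $out.ToString()
}

# 1. Nobody is meant to know this password: it is thrown away after being set,
#    so a hash dumped from the SAM today opens nothing after the next reboot.
$newPassword = New-RandomPassword
& net.exe user $LocalAdmin $newPassword | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "Could not reset the $LocalAdmin password" }
# If the account is never used at all, disable it outright as well:
# & net.exe user $LocalAdmin /active:no

# 2. Pin the gateway's MAC so ARP replies from another host on the LAN (what a
#    Cain-style poisoning attack sends) cannot overwrite the entry. arp.exe works
#    on XP; newer Windows also accepts "netsh interface ipv4 add neighbors".
& arp.exe -s $GatewayIp $GatewayMac | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "Could not add a static ARP entry for $GatewayIp" }
```

Static ARP entries only protect the gateway path and have to be maintained per subnet, which is the "several hundred computers" problem GonZor mentions; the password rotation needs no per-machine data and is the easier part to roll out.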
natural_orange Posted May 12, 2007

It makes sense to leave the keys on the computers. They are required to buy/have the licenses but they don't need to use them for that machine. If you have 321 computers then you need 321 licenses. I worked over last summer imaging all the machines in the entire school district (Mac and PC) with new images. We downloaded the same image over the network to all the computers. I bet that if you check a bunch of computers with that program that pulls the product keys off of machines, they will all be the same unless your school admin is a complete noob and individually installed software on each computer.