About 3 months ago, I was sitting in yearbook class bored out of my mind. My work was done, and coolmathgames.com just wasn't doing it for me anymore. So, I decided to have some fun. I started with a question: "How could I take control of other students' computers?" I ran through what I knew about the workstations:
- Windows 7, 64-bit. No MS08-067 for me.
- The student workstations all ran a specific piece of monitoring software called LanSchool. Upon further reading, I found that the teacher software was commonly downloaded by students in the past in order to accomplish the same goal I was trying to achieve. While trying this, I discovered that the school was running a new version of the software that had the student computers connect to a server where they got their teacher assignment from. No dice here.
- Next piece of information: all of the students had a remote drive that mounted to the computer when they logged in. Each student has their own unique drive, so some sort of authentication had to be used in order to gain access to the drive specifically for that student. Since the drive was visible directly in the file explorer instead of some third party software, I was pretty darn sure this was all through SMB. This I could use.
I began to read about SMB exploitation. Most of what I found was related to compromising an SMB server, but I was far more interested in the client. Lucky for me, there's a wonderful little system admin tool called PsExec. Basically, PsExec will let you log in to a remote workstation with a set of valid credentials. I found that the remote login options that allow PsExec to work are disabled by default on Windows, but in the vast majority of business networks the service was enabled. I banked on the same being true for my school.

If I was going to exploit PsExec, I needed some valid credentials. The only problem was, the student accounts aren't actually stored on the workstations; they're stored on some sort of server powered by Novell software. That meant that my personal set of credentials was worthless. If only there was a default account in Windows that every computer would have... oh wait. If I could get the Administrator password for a workstation, I was golden.

This is where some sneaky ninja stuff came into play. When I was done with my work for yearbook class, I powered down the computer and plugged in an Ubuntu Live USB. I headed to the BIOS to change the boot order, but to my pleasant surprise, the boot order was already set up to boot from a USB first. Interesting, since that is definitely not the default configuration for store-bought PCs. I decided to put that to the side, however, and just be thankful there wasn't a BIOS password. Ubuntu booted like a dream, and before I knew it I was walking out of the System32/config folder with the SAM and SYSTEM files in my possession.

Now that I had the encrypted password, I needed to crack it. I fired up ophcrack and ran two free rainbow tables for Vista/7 passwords against the files. It turned out I got way more than I had bargained for. When I said that the computers don't locally store student credentials, I wasn't entirely correct. When the Novell software successfully authenticated a user, it seemed to create a Windows account specifically for them in order to keep multiple Novell domain accounts from using the same Windows account. There were 10 student accounts and five teacher accounts in addition to the Administrator. Because I knew my own account had a 6-character alphanumeric password, I knew the other students' passwords would be as well. In a matter of minutes, I had ten new accounts I could log in with. Apparently, the teachers' password policy is much less specific. I was able to crack 4 of the 5 teacher passwords, which ranged from a 6-character alphanumeric password similar to the students' to an 8-character numbers-only password. To top it all off, I had the glorious Administrator password as well: three letters followed by three numbers, the initials of the school district followed by the numerical part of the elementary school's address.

It was at this point that I started to contemplate what I was doing. I never wanted to steal student or teacher credentials. I had no desire to see grades or change grades; I just wanted to mess with my friends. I decided that after I tested the hack against school computers I would tell the principal what I had found out so that it could be fixed. But first, it was time for some fun.

As you might have already guessed, the Administrator credentials worked. Not only did they work on the workstation I used in yearbook class, but they worked for every single student workstation in the school. I had system-level privileges on every workstation instantaneously. This got me wondering: if the tech department was lazy enough to use the same set of credentials for every student workstation, is the same true for teacher workstations? I had to know.
So, I took a slight detour off of morality lane and decided to map the entire network of the school. Lucky for me, the hostname of each computer was the room number followed by the computer number that was conveniently taped to the top of each monitor. I spent a week logging into random IP addresses, noting the hostname of that IP address, and creating a sort of Marauder's Map I could use to take control of the computers around me quickly. After a few days of doing this, I found a computer whose hostname no longer ended in a computer number but was instead comprised of a room name followed by the term TCHR. Bingo! One after another I found teacher workstations for every single teacher computer in the school, and I had complete control. From here, I could've run keyloggers, taken teacher passwords, changed grades, or anything else you can normally do on a computer. That was not the road I wanted to go down, however.

The next day I went to the assistant principal and told him everything. I knew I'd be taking a risk, as he could justifiably be furious and punish me severely, but that's not what happened. When I told him I had complete control, he burst out laughing. "That's incredible!" he exclaimed. "A high school senior beat our entire tech department. I love it!" Before I knew it, I had an appointment with the technology director of my school district, where I explained my entire adventure so he could make sure it never happened again. It may sound corny, but telling the truth and being a white-hat was the best decision I could've made. I protected the privacy of several hundred students and dozens of teachers, the integrity of our grading system, and the security of every single workstation in the school. While I am sure that many students dream of hacking the school to cause chaos, and believe me I thought very hard about doing so, making the choice to help and protect is so much more fulfilling.
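For the tech department's side of this story, here is a detection example, added here and not part of the original post. Both halves of the attack leave a trace on the target: PsExec copies a service binary to the target's ADMIN$ share and registers it, so the target logs a Service Control Manager event 7045 ("A service was installed") with the service name PSEXESVC (or, for a renamed copy, an image path under ADMIN$); and the reuse of one local Administrator password shows up as a single source address performing network logons (event 4624, logon type 3) as Administrator on many workstations. The script below runs both checks over event records normalised the way a SIEM would store them. Field names follow the Windows event schema; the hostnames, IPs and service names in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records: (host, event_id, fields), as a SIEM might normalise them.
# Hostnames follow the room-number convention from the post; IPs and names are made up.
SAMPLE_EVENTS = [
    ("ROOM214-PC07", 4624, {"TargetUserName": "Administrator", "LogonType": "3", "IpAddress": "10.20.30.40"}),
    ("ROOM214-PC07", 7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    ("ROOM118-TCHR", 4624, {"TargetUserName": "Administrator", "LogonType": "3", "IpAddress": "10.20.30.40"}),
    ("ROOM118-TCHR", 7045, {"ServiceName": "winupd9", "ImagePath": "\\\\ROOM118-TCHR\\ADMIN$\\winupd9.exe"}),
    ("ROOM301-PC02", 4624, {"TargetUserName": "jdoe", "LogonType": "2", "IpAddress": "-"}),
    ("ROOM301-PC02", 7045, {"ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"}),
    ("LIB-PC01", 4624, {"TargetUserName": "Administrator", "LogonType": "3", "IpAddress": "10.20.30.40"}),
]

# A service binary that lives under the administrative share was dropped remotely.
ADMIN_SHARE = re.compile(r"\\ADMIN\$\\", re.IGNORECASE)


def is_psexec_style_install(event_id, fields):
    """True for a 7045 whose service is the stock PSEXESVC or whose binary sits under ADMIN$."""
    if event_id != 7045:
        return False
    name = fields.get("ServiceName", "").upper()
    path = fields.get("ImagePath", "")
    return name.startswith("PSEXESVC") or bool(ADMIN_SHARE.search(path))


def find_remote_service_installs(events):
    """Correlate each suspicious 7045 with the most recent network logon (type 3) on that host.

    Returns one finding per suspicious install, naming the host, the service, and the
    account and source IP of the logon that preceded it (None if no logon was seen).
    """
    last_network_logon = {}
    findings = []
    for host, event_id, fields in events:
        if event_id == 4624 and fields.get("LogonType") == "3":
            last_network_logon[host] = (fields.get("TargetUserName"), fields.get("IpAddress"))
        elif is_psexec_style_install(event_id, fields):
            account, ip = last_network_logon.get(host, (None, None))
            findings.append({"host": host, "service": fields.get("ServiceName"),
                             "account": account, "source_ip": ip})
    return findings


def shared_local_admin_sources(events, min_hosts=2):
    """Group hosts reached over the network as the built-in local Administrator by source IP.

    One source logging in as Administrator on many workstations is the signature of a
    password shared across the fleet. Returns {source_ip: sorted hosts} for sources that
    hit at least min_hosts distinct machines.
    """
    hosts_by_source = defaultdict(set)
    for host, event_id, fields in events:
        if (event_id == 4624 and fields.get("LogonType") == "3"
                and fields.get("TargetUserName", "").lower() == "administrator"):
            hosts_by_source[fields.get("IpAddress")].add(host)
    return {ip: sorted(hosts) for ip, hosts in hosts_by_source.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for f in find_remote_service_installs(SAMPLE_EVENTS):
        print(f"[remote service install] {f['host']}: {f['service']} "
              f"after network logon by {f['account']} from {f['source_ip']}")
    for ip, hosts in shared_local_admin_sources(SAMPLE_EVENTS).items():
        print(f"[shared local admin] {ip} logged in as Administrator on "
              f"{len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample, the first check reports both the stock PSEXESVC install and the renamed copy dropped through ADMIN$ (the Spooler install is ignored), and the second reports the one source address that reached three different machines as Administrator. The second finding is the one that matters most to the district: the fix is a unique local Administrator password per workstation, which turns a single cracked hash back into a single compromised machine.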
Most students will be forgotten after they leave high school, and their legacy will be at best a record on the school's wall. Mine, however, is one that will protect the school for years.