My school fails at computer security...

BobTheElder
Posts: 86
Joined: Wed Feb 17, 2010 11:30 pm UTC
Location: England, near Bournemouth

Re: My school fails at computer security...

Postby BobTheElder » Sun May 23, 2010 4:29 pm UTC

hintss wrote:
Cynical Idealist wrote:
gear-guy wrote:
Cynical Idealist wrote:
hintss wrote:can someone help me to get back on the school's computers?

see my previous post

I've devised a five-step plan that should work for you.
Spoiler:
1: stop being an idiot and dicking around with the school's computers.
2: Convince the admins that you will use the computers normally
3: Wait for them to allow you back on the school's computers.
4: Remember to not fuck with the computers anymore
5: While you're at it, remember not to play games on the school computers either.

That is the stupidest thing i've heard ever, because if you actually READ his post, it says that he didn't do anything.

Right, I'll go through this point by point then.
1: This is based on past experience with hintss, not any specific post in this thread
2: Common fucking sense, here. They're the ones who can unban him, they're the ones he needs to convince.
3: See point 2.
4: See point 1.
5: See the post in this thread where he was going to websites blocked for games and passing the filter.

Also, if that's the stupidest thing you've ever heard, welcome to the internet. Let me show you what real stupidity looks like.

But then, I'm also the one who reported that the password was password and that you could get to Facebook. If it weren't for me, they wouldn't have known. Also, it is all on a Netware based network, so logging in to a workstation is logged.

You know what, now, I'm just working with my friend who I mentioned in the original post to create a complicated, dramatic looking revenge plan. He knows lockpicking, VBScript, C++, and all that, and I know where all the equipment is located in the school, in addition to how the management works, and general computer knowledge. In particular, I know that the ethernet lines, roof access, and fiber lines all lead to an unused classroom on the lower floor. Which has no security besides locks. And has double doors to the outside. And is filled with working, unused equipment. While the school is complaining about budget cuts. So anyways, by picking 2 locks, I could get access to the ethernet, and by picking another, I get roof access.

also, how much will this keep me from getting into my high school's robotics team in maybe 3 years (if I don't follow through with abovementioned plan)?


lol.... you're going to get arrested.
Rawr

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Mon May 24, 2010 4:04 am UTC

it is:

Code:

@echo off
Z:\LOGOUT.exe


Z:\ is a network share of mostly utility programs required by the client software, and of installers when the sysadmins need to use them. Additionally, the volume name is vol1. I found Z:\LOGOUT.exe when my other batch file for logging out,

Code:

@echo off
shutdown -l


just stopped working all of a sudden. That's when I tried Z:\LOGOUT.exe. As I later found, it makes the server think that that particular user logged out, while still allowing the user to use the workstation. Apparently, since the server thinks the user is logged out, it removes access of the network shares from that computer.

The reason I think that it is harmless on the multi-user systems is that, since it is run whenever someone logs out, it can't affect the other users. Also, NComputing is supposed to isolate the individual users, however, all network data is through the same NIC. Specifically, it was a computer with a single NComputing X550 series card.

Eseell
Posts: 789
Joined: Sun Feb 21, 2010 6:58 am UTC
Location: WA

Re: My school fails at computer security...

Postby Eseell » Mon May 24, 2010 5:07 am UTC

I should point out that there are serious legal implications for organizations that cannot or do not keep accurate network usage logs. For at least this reason, your use of that logout script is not harmless at all, though it may seem so at first blush.
"Math is hard work and it occupies your mind -- and it doesn't hurt to learn all you can of it, no matter what rank you are; everything of any importance is founded on mathematics." - Robert A. Heinlein

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Mon May 24, 2010 5:13 am UTC

but then, one sysadmin misrepresented relevant information to the other, and we could sue NComputing for false advertising.

Dason
Posts: 1311
Joined: Wed Dec 02, 2009 7:06 am UTC
Location: ~/

Re: My school fails at computer security...

Postby Dason » Mon May 24, 2010 5:24 am UTC

So I guess I'm wondering... why are you using your custom script in the first place? Why don't you just log out like everybody else does? Am I missing something here?
double epsilon = -.0000001;

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Mon May 24, 2010 5:31 am UTC

I'm the person who was known for messing around with the computers, and I actually had one computer in the school where I was pretty much the only person who used it. But, I prefer logging out by using a batch file, and so, I had a logout one, which worked when the normal one didn't, and it stopped working for some reason. So, I tried having it run Z:\LOGOUT.exe, which only made the server think you logged out. Then, apparently, I ran it on one of the computers used by more students.

MysteryBall
Posts: 314
Joined: Wed Jul 29, 2009 2:47 pm UTC

Re: My school fails at computer security...

Postby MysteryBall » Mon May 24, 2010 3:44 pm UTC

The usual here, fairly secure, no defaults, wifi has MAC access list and WPA2 (only the school netbooks allowed, great one spending £30k on a Cisco wireless system, eh?), no bat, cmd, etc.

Of course, there is the slight thing that those Netbooks are running Ubuntu, so I just had to hop into recovery mode and enable root to retrieve the stored WPA2 key. Then I just ran ifconfig on a few of them to get a nice list of MAC addresses I can use to connect to the wifi.

They need never know, I'll be coming back to do some odd things helping out at a club and stuff, so I'd rather like to be able to sit there with my shiny new laptop on their expensive wireless solution.

The net admin knows me very well, I do a lot of work for them, he knows damn well deep down that I'm probably a major threat to his entire network. Fun times.

Oh, and the filter is set via IE proxy settings, so when Firefox was installed briefly we had unfiltered internet access, and plugging another device in via the wired sockets sitting around (or using the above hackery to hop on the wifi) will also give unfiltered access.

Good, eh?

Eseell
Posts: 789
Joined: Sun Feb 21, 2010 6:58 am UTC
Location: WA

Re: My school fails at computer security...

Postby Eseell » Mon May 24, 2010 4:57 pm UTC

They spent that much on a Cisco wireless solution and didn't implement any kind of certificate-based EAP? What a waste; MAC address filtering is incredibly easy to work around even without physical access to an authorized computer. MAC address filtering isn't even considered a best practice for wireless design anymore.
"Math is hard work and it occupies your mind -- and it doesn't hurt to learn all you can of it, no matter what rank you are; everything of any importance is founded on mathematics." - Robert A. Heinlein

MysteryBall
Posts: 314
Joined: Wed Jul 29, 2009 2:47 pm UTC

Re: My school fails at computer security...

Postby MysteryBall » Mon May 24, 2010 5:39 pm UTC

Eseell wrote:They spent that much on a Cisco wireless solution and didn't implement any kind of certificate-based EAP? What a waste; MAC address filtering is incredibly easy to work around even without physical access to an authorized computer. MAC address filtering isn't even considered a best practice for wireless design anymore.


Yes, well, in a secondary school where they don't think that the students would do anything extremely technical, and the only students that would (me, my technician team [yes we are that, or were till the new year 10 folk took over our duties]) are on their side (so they think...) they generally don't worry about complicated solutions like that. If we put our heads together and had a bit of time, we'd probably be sitting with Remote Desktop open to an admin console on the domain controller, oh that would be fun.

They should hire folk like us, the people who think like students because they are students, to hack into their networks. Best way to protect it, really.

BobTheElder
Posts: 86
Joined: Wed Feb 17, 2010 11:30 pm UTC
Location: England, near Bournemouth

Re: My school fails at computer security...

Postby BobTheElder » Mon May 24, 2010 11:56 pm UTC

hintss wrote:I'm the person who was known for messing around with the computers, and I actually had one computer in the school where I was pretty much the only person who used it. But, I prefer logging out by using a batch file, and so, I had a logout one, which worked when the normal one didn't, and it stopped working for some reason. So, I tried having it run Z:\LOGOUT.exe, which only made the server think you logged out. Then, apparently, I ran it on one of the computers used by more students.


Just seen a number of your posts in a couple of threads, and I'm trying to decide if you're trolling or being an arsehole :s
Rawr

hairbuns
Posts: 1
Joined: Wed Jun 02, 2010 10:50 am UTC

Re: My school fails at computer security...

Postby hairbuns » Wed Jun 02, 2010 10:54 am UTC

Well, at my school

-BIOS is unlocked
-students can install programs
-students can make shortcuts
-can't make/run .bat's, but can use CMD
-students can mess around with every PC and the server on the network, and run the CSS scripts.
-can send netsends to the admin. Which got me in trouble when I spoofed him with a fake error message by accident.

I got in trouble for reporting these faults after having some lulz installing CIV1 to play in secretary class and having a look at how the server worked, and making a shortcut to firefox, which had been installed by the PC builders. I most likely could've run some Linux boot disks for some serious lulz, but that would've gotten me suspended. Now I'm out of secretary class and doing computing for retards, so I can do some decent certificates by correspondence.

MysteryBall
Posts: 314
Joined: Wed Jul 29, 2009 2:47 pm UTC

Re: My school fails at computer security...

Postby MysteryBall » Wed Jun 02, 2010 8:56 pm UTC

hairbuns wrote:Well, at my school

-BIOS is unlocked
-students can install programs
-students can make shortcuts
-can't make/run .bat's, but can use CMD
-students can mess around with every PC and the server on the network, and run the CSS scripts.
-can send netsends to the admin. Which got me in trouble when I spoofed him with a fake error message by accident.

I got in trouble for reporting these faults after having some lulz installing CIV1 to play in secretary class and having a look at how the server worked, and making a shortcut to firefox, which had been installed by the PC builders. I most likely could've run some Linux boot disks for some serious lulz, but that would've gotten me suspended. Now I'm out of secretary class and doing computing for retards, so I can do some decent certificates by correspondence.


Your school has issues, are they looking for a new netadmin yet? I'm only just leaving school but I could sure as hell do a better job than your current lot, by the sounds of it. :<

Don't you just love it when the guys that know nothing get the jobs you'd kill for because they have 'more experience' and are 'older' than you? ;_;

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Wed Jun 02, 2010 11:00 pm UTC

yeah, it's so annoying when that happens...

JohnLeFou
Posts: 2
Joined: Fri Jun 04, 2010 1:36 pm UTC

Re: My school fails at computer security...

Postby JohnLeFou » Fri Jun 04, 2010 1:55 pm UTC

My school's security was pretty lax. I was by no means a great hacker. I loved crashing the typing class' server when I didn't feel like working though. My Jr. year I was poking around the network browsing other students' account files (pretty much nothing interesting ever), when I got a message from win chat. I thought I was in big trouble. It turns out it was the school's new Math teacher wanting to scare me a little bit. He didn't report me, he sort of admitted to me that he likes to poke around too. By my Senior year things were locked down. I think he decided to throw some tips to the IT department.

Woopate
Scrapple
Posts: 503
Joined: Fri Mar 12, 2010 10:34 am UTC

Re: My school fails at computer security...

Postby Woopate » Sat Jun 05, 2010 2:36 pm UTC

Ahh, insecure school networks. How I love thee. My circle of companions had run of the network for so long, and whatever teacher they put in charge of computer for any given year was ultimately ineffective at punting us off, that they pretty much got us to run it for extra credit. Then I moved schools.

But at the new school, somebody had managed to sneak a copy of Quake 2 onto a ghost disc or somesuch, so that every time a computer was reverted to the default, there was a version of quake 2 primed and ready to go. It was there for a whole year.

bobjoesmith
Posts: 43
Joined: Wed Feb 17, 2010 9:32 pm UTC

Re: My school fails at computer security...

Postby bobjoesmith » Thu Jun 10, 2010 10:14 pm UTC

almost same...

there's a copy of halo on the network drive...
at any given point there's like 8 ppl in the media center

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Thu Jun 10, 2010 11:19 pm UTC

my estimate toward the middle of the year: I spend 2 hours out of six at school in the media center. assuming no classes went there for research, etc...

and someone put powder toy in student share. I'm feeling angry enough that I won't report it.

ManyPopes
Posts: 10
Joined: Sat Jan 02, 2010 9:45 pm UTC

Re: My school fails at computer security...

Postby ManyPopes » Sat Jun 12, 2010 12:01 pm UTC

Our school uses RM Tutor 4, which practically blocks everything and doesn't let you do anything. I'd say the school computers can't really be counted as computers any more... Luckily it's never heard of java file manager which lets you copy over pre-installed programs from a pen-drive.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Sun Jun 13, 2010 7:50 am UTC

ManyPopes wrote:Our school uses RM Tutor 4, which practically blocks everything and doesn't let you do anything. I'd say the school computers can't really be counted as computers any more... Luckily it's never heard of java file manager which lets you copy over pre-installed programs from a pen-drive.


spreadsheet ninja?

http://www.spreadsheetninja.com/the-games/

MysteryBall
Posts: 314
Joined: Wed Jul 29, 2009 2:47 pm UTC

Re: My school fails at computer security...

Postby MysteryBall » Sun Jun 13, 2010 10:23 am UTC

ManyPopes wrote:Our school uses RM Tutor 4, which practically blocks everything and doesn't let you do anything. I'd say the school computers can't really be counted as computers any more... Luckily it's never heard of java file manager which lets you copy over pre-installed programs from a pen-drive.


RM Tutor 4 is a real-time management thing though, it's not a day to day thing?

Are you sure you're not mistaken for Community Connect 4? I have RMT3 sitting around somewhere and it's pretty much useless as a utility, I hear the CDs make good coasters though (I torrented mine, so beats me).

At least you can run programs, though. We can't run anything. :<

satinyou
Posts: 9
Joined: Sun Apr 25, 2010 9:07 am UTC

Re: My school fails at computer security...

Postby satinyou » Sun Jun 13, 2010 8:01 pm UTC

My school has fairly lax security as there are lots of proxy websites that are unblocked and everyone knows the wifi password as soon as they change it.
Last edited by satinyou on Sun Aug 15, 2010 12:50 pm UTC, edited 1 time in total.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Sun Jun 13, 2010 8:06 pm UTC

last year someone put up powder toy, and it's still spreading/being run.

also, armagetron was never deleted...

trumpet
Posts: 7
Joined: Fri Jul 09, 2010 3:13 am UTC

Re: My school fails at computer security...

Postby trumpet » Mon Jul 12, 2010 5:42 am UTC

This isn't exactly computer security related, but is a fun trick.

Me and my friends would print screen the desktop, and then set the image as the desktop background. Then we would delete every shortcut, and drag the taskbar down off the screen. Hilarity ensues when students and teachers alike try to find what's wrong with the computer.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Thu Jul 15, 2010 9:29 am UTC

next year, I'm checking the contracts for loopholes. last year, they were dumb enough to tell us to keep the signed contracts. then, we could "lose" them, and claim we weren't aware of the rules/restrictions...

Dason
Posts: 1311
Joined: Wed Dec 02, 2009 7:06 am UTC
Location: ~/

Re: My school fails at computer security...

Postby Dason » Fri Jul 16, 2010 4:04 pm UTC

hintss wrote:next year, I'm checking the contracts for loopholes. last year, they were dumb enough to tell us to keep the signed contracts. then, we could "lose" them, and claim we weren't aware of the rules/restrictions...

Huh. Doesn't sound like the best idea on their part but it also sounds like a dick move on your part.
double epsilon = -.0000001;

kc7cv9n3o30vov
Posts: 12
Joined: Fri Jul 09, 2010 4:09 am UTC

Re: My school fails at computer security...

Postby kc7cv9n3o30vov » Sat Jul 17, 2010 6:24 am UTC

At my school my friend plugged his iPod into a computer to charge it...
The NSA had a little problem with that.

Internetmeme
Posts: 1405
Joined: Fri Jul 25, 2008 3:16 pm UTC
Location: South Carolina, USA

Re: My school fails at computer security...

Postby Internetmeme » Sat Jul 17, 2010 9:34 pm UTC

Just remembered: In my Human Geography class, I was that kid that would be on the computer playing flash games (winning a game on the second try that nobody else could. That one game where you're a fish that grows and etc. It was rather easy, and I can't see how they lost after a dozen tries) when class started and ended. Bloons Tower Defense 3 was my favorite.

Then I got into I Wanna Be The Guy, and decided to try to run it at school. IWBTG.exe didn't work. So I did the age old trick of changing it to iexplore.exe. It worked in that class, but when I tried to do the same in my Flash CS3 class, it didn't work.

EDIT:
Oh and hintss? Enjoy the fun you've had in middle school. Trust me, they won't put up with any black-hatting in high school. White-hatting will be tolerated.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Sat Jul 17, 2010 11:46 pm UTC

oh, so I put up with trying to white-hat for a year for no reason?

they let me write the logout script when the old one they let me write stopped working. I told both of them 2 weeks ahead of time that I was going to change it, they both acknowledged, and said OK. oh, and I had the batch file on the computers since the beginning of the school year. the reason I even had a logout script is that when the normal logout methods don't work, the script usually does.

oh and more fails: booting a livecd is easy, you can get command line on the server, they somehow bodged the school homepage AND SAVED IT TO THE SERVER and guess what? they use dreamweaver. oh, and the site has a few hundred broken links, there are a bunch of mislabelled links, there's an HTML error on the home page, and they have old versions from the last 3 years. poor orphaned group of pages.

I think I want to be grey-hat from now on...
besides, that's how I got out of a permaban and suspension in the 7th grade, I was helpful enough, it was only a 1-month ban.

MysteryBall
Posts: 314
Joined: Wed Jul 29, 2009 2:47 pm UTC

Re: My school fails at computer security...

Postby MysteryBall » Mon Jul 19, 2010 7:01 pm UTC

hintss wrote:they use dreamweaver.


Kudos to them for knowing how to use Dreamweaver, and for also having the sense to do so.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Tue Jul 20, 2010 1:53 am UTC

yeah, but if I remember right, it's a WYSIWYG HTML editor. the fact that they didn't check the preview before sending it out to the server...

oh, and once, I took my netbook out. within 5 minutes, I counted 7 people asking "Is that a laptop?!" and 3 people smacking the keyboard as I'm logging in to ubuntu.

WillShowalter
Posts: 8
Joined: Mon Jul 19, 2010 3:48 am UTC
Location: Palmer, AK

Re: My school fails at computer security...

Postby WillShowalter » Wed Jul 21, 2010 6:07 am UTC

I'm still trying to put together how exactly my school's network security works.

The entire school district is running on Novell, and all the web traffic goes through a hardware proxy called an "iBoss" (made by phantom technologies) at the district site. All outbound traffic except the proxied web traffic is blocked.
Your computer has to be logged in and authenticated through Novell before your traffic is accepted by the proxy server. From what I could gather from the iBoss product documentation, the device lets you authenticate users through a LDAP tie in, so I think they are tying to the Novell eDirectory database with the iBoss device.

The network topology in my district is such that each school is on its own subnet (my school is on the 10.73.1.0/20 subnet) and each school has a router that connects to the district over a dedicated leased line WAN link. District networking appliances are on the 10.99.XX.XX subnet (I don't remember what the mask was). This includes the iBoss device, DHCP and DNS servers, as well as the main Novell servers that you authenticate to (I think).

The part that confuses me is that, once you're authenticated, it is your MAC address that differentiates your traffic as being authenticated for the web proxy. A couple of my close friends who are also very computer proficient discovered this while I was suspended last semester. They could effectively hijack an authenticated connection to the internet, through the proxy, by spoofing their MAC address to that of another computer that is already logged in. This technique was most reliable when used against a wireless client (as having two computers trying to use the same MAC address creates conflicts, and if done over a switched network you basically just kick both hosts off the network).

So we determined that it is whitelisting authenticated MAC addresses to allow traffic through the web proxy. This makes sense since one of the things the iBoss's LDAP tie in can do is import a list of authenticated computers (specifically, their MAC addresses, hostnames don't matter) from the LDAP database.

By talking with one of the district networking guys I was able to find out that it also uses MAC addresses for the rest of the firewall rules (allowing outbound connections to ports other than 80, NOT going through the web proxy service, possibly going through the same hardware though, I'm not sure)

This leaves me wondering how they're discerning the MAC address of the traffic once it hits the district level. MAC addresses are used to route on your local network, and the frame's destination and source MACs change every time you change networks. There must be some equipment on the network that is adding the MAC address information to the packet before sending the frame over the WAN link. (It's not done client side because I can spoof the mac address on a linux netbook and be able to get internet access through the proxy).

I'm going to look into it more this upcoming year, doing some packet capture and traffic analyzing. I hope to know their network better than their "Networking Specialists" by the end of this upcoming year (my senior year).

They also finally switched their wireless network from WEP to WPA this last semester. They still don't seem to grasp the concept that we can easily extract the key from the registry though. It might not be the actual passphrase and only the hex key that WPA turns your passphrase into, but it still works. They have all the equipment in place that they could be using EAP, I don't get why they insist on always doing everything just a little bit wrong. =/

Update: I think ICMP echo requests (pings) worked from unauthenticated clients, but all traffic that actually ran on ports was explicitly denied.
William Showalter
IT Field Technician and full time Student
CCENT
Comptia A+
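
Added example, not part of the post above: a defender-side check for the weakness it describes, where the MAC address alone carries the authenticated state. It flags a MAC that flaps between two ports within seconds (two machines answering for one address) or that requests DHCP under more than one hostname. The log format, field names, thresholds and sample lines are constructed for illustration and are not any vendor's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "MAC learned on port" events from switches/APs and
# DHCP requests carrying the client hostname. Format is an assumption.
SAMPLE_LOG = """\
2010-09-01T08:00:00 learn mac=00:16:3e:aa:00:01 port=sw1/12
2010-09-01T08:00:02 dhcp mac=00:16:3e:aa:00:01 host=LAB1-PC07
2010-09-01T08:05:00 learn mac=00:16:3e:aa:00:02 port=ap-lib
2010-09-01T08:05:01 dhcp mac=00:16:3e:aa:00:02 host=NB-0231
2010-09-01T08:20:00 learn mac=00:16:3e:aa:00:02 port=ap-gym
2010-09-01T09:10:00 learn mac=00:16:3e:aa:00:01 port=ap-lib
2010-09-01T09:10:03 dhcp mac=00:16:3e:aa:00:01 host=ubuntu
2010-09-01T09:10:20 learn mac=00:16:3e:aa:00:01 port=sw1/12
2010-09-01T09:10:45 learn mac=00:16:3e:aa:00:01 port=ap-lib
"""


def parse_line(line):
    """Split one log line into (timestamp, event kind, key=value fields)."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), kind, fields


def find_shared_macs(log_text, window=timedelta(seconds=120), min_flaps=2):
    """Return {mac: [reasons]} for MACs that look shared by two machines.

    port-flap:       the MAC changed port at least `min_flaps` times, each
                     change within `window` of the previous sighting. One
                     move (a roaming laptop) stays below the threshold.
    hostname-change: the same MAC asked for DHCP under different hostnames.
    """
    learns = defaultdict(list)   # mac -> [(timestamp, port)]
    hosts = defaultdict(set)     # mac -> {hostnames seen in DHCP}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, fields = parse_line(line)
        mac = fields["mac"].lower()
        if kind == "learn":
            learns[mac].append((ts, fields["port"]))
        elif kind == "dhcp":
            hosts[mac].add(fields["host"])

    findings = defaultdict(list)
    for mac, names in hosts.items():
        if len(names) > 1:
            findings[mac].append("hostname-change")
    for mac, events in learns.items():
        events.sort()
        flaps = sum(
            1
            for (t0, p0), (t1, p1) in zip(events, events[1:])
            if p0 != p1 and t1 - t0 <= window
        )
        if flaps >= min_flaps:
            findings[mac].append("port-flap")
    return {mac: sorted(reasons) for mac, reasons in findings.items()}


if __name__ == "__main__":
    for mac, reasons in find_shared_macs(SAMPLE_LOG).items():
        print(mac, ", ".join(reasons))
```

The second MAC in the sample moves from one access point to another once, fifteen minutes apart, and is not flagged.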

Eseell
Posts: 789
Joined: Sun Feb 21, 2010 6:58 am UTC
Location: WA

Re: My school fails at computer security...

Postby Eseell » Wed Jul 21, 2010 7:20 am UTC

WillShowalter wrote:There must be some equipment on the network that is adding the MAC address information to the packet before sending the frame over the WAN link.

Not necessarily. They could be using something similar to Cisco NAC to enforce compliance. Traffic gets classified at the access or distribution layer by the NAC Appliance according to its security restrictions, and then marked appropriately. That way the upstream gear only has to know generic markings, perhaps with 802.1q tagging, MPLS labeling, or DSCP marking.

For example, all packets from unknown MAC addresses get thrown into the walled garden and tagged with some label "1". All upstream devices know to treat any packets labeled "1" with the strictest of security. The firewall to the Internet blocks these packets completely. Packets from known administrator MACs get tagged "3" and are allowed to bypass some of the filtering. If their QC is poor you might be able to figure out how they're doing this and work around it, but any network admin with half a brain cell is going to set up a trust boundary between your PC and the network that remarks all your packets to a neutral marking, reclassifies them, and then marks them properly.
"Math is hard work and it occupies your mind -- and it doesn't hurt to learn all you can of it, no matter what rank you are; everything of any importance is founded on mathematics." - Robert A. Heinlein
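
Added example, not part of the post above: a small model of the trust boundary it describes, with an edge that keeps client-supplied markings beside one that resets, reclassifies and re-marks, plus an audit helper that tells the two apart. Labels 1 and 3 follow the post; labels 0 (neutral) and 2 (ordinary registered host), the MAC inventory and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

# 1 and 3 are the labels used in the post; 0 and 2 are assumed here.
NEUTRAL, WALLED_GARDEN, REGISTERED, ADMIN = 0, 1, 2, 3

# Constructed inventory of known MAC addresses and their class.
MAC_CLASS = {
    "00:16:3e:aa:00:10": REGISTERED,
    "00:16:3e:aa:00:99": ADMIN,
}


@dataclass(frozen=True)
class Packet:
    src_mac: str
    mark: int       # whatever marking arrived from the client side
    dst_port: int


def classify(mac):
    """Class from the edge's own table; unknown MACs go to the walled garden."""
    return MAC_CLASS.get(mac.lower(), WALLED_GARDEN)


def edge_trusting(pkt):
    """Misconfigured access port: a marking already on the packet is kept."""
    if pkt.mark != NEUTRAL:
        return pkt
    return replace(pkt, mark=classify(pkt.src_mac))


def edge_trust_boundary(pkt):
    """Reset to a neutral marking, reclassify, then mark from the edge's table."""
    neutral = replace(pkt, mark=NEUTRAL)
    return replace(neutral, mark=classify(neutral.src_mac))


def upstream_firewall(pkt):
    """Upstream gear only looks at the generic marking, as in the post."""
    if pkt.mark == ADMIN:
        return "allow-unfiltered"
    if pkt.mark == REGISTERED:
        return "allow-filtered"
    return "drop"


def honours_client_marks(edge):
    """Audit check: does the outgoing mark ever depend on the incoming one?"""
    probes = ["00:16:3e:aa:00:10", "00:16:3e:aa:00:55"]  # known, unknown
    for mac in probes:
        out = {
            edge(Packet(mac, m, 80)).mark
            for m in (NEUTRAL, WALLED_GARDEN, REGISTERED, ADMIN)
        }
        if len(out) > 1:
            return True
    return False


if __name__ == "__main__":
    for edge in (edge_trusting, edge_trust_boundary):
        print(edge.__name__, "honours client marks:", honours_client_marks(edge))
```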

WillShowalter
Posts: 8
Joined: Mon Jul 19, 2010 3:48 am UTC
Location: Palmer, AK

Re: My school fails at computer security...

Postby WillShowalter » Wed Jul 21, 2010 7:27 am UTC

Eseell wrote:
WillShowalter wrote:There must be some equipment on the network that is adding the MAC address information to the packet before sending the frame over the WAN link.

Not necessarily. They could be using something similar to Cisco NAC to enforce compliance. Traffic gets classified at the access or distribution layer by the NAC Appliance according to its security restrictions, and then marked appropriately. That way the upstream gear only has to know generic markings, perhaps with 802.1q tagging, MPLS labeling, or DSCP marking.

For example, all packets from unknown MAC addresses get thrown into the walled garden and tagged with some label "1". All upstream devices know to treat any packets labeled "1" with the strictest of security. The firewall to the Internet blocks these packets completely. Packets from known administrator MACs get tagged "3" and are allowed to bypass some of the filtering. If their QC is poor you might be able to figure out how they're doing this and work around it, but any network admin with half a brain cell is going to set up a trust boundary between your PC and the network that remarks all your packets to a neutral marking, reclassifies them, and then marks them properly.


I have actually been learning about VLANs recently and I was wondering if they might be using an 802.1q technique or something similar. I should also clarify that the unauthenticated hosts get prompted with a login page for the iBoss proxy device (but our school logins aren't accepted by it, which makes sense if they are only importing computers and not users from eDirectory).
William Showalter
IT Field Technician and full time Student
CCENT
Comptia A+

Eseell
Posts: 789
Joined: Sun Feb 21, 2010 6:58 am UTC
Location: WA

Re: My school fails at computer security...

Postby Eseell » Wed Jul 21, 2010 7:47 am UTC

Eh, looking at the product documentation, I don't think these iBoss things are as smart as I gave them credit for. They probably just have a master iBoss in their central office and slave iBosses at every site, like in figure 9 of their deployment guide. I've worked with devices like this before and they're really simple. In the case of an unregistered user they just intercept every DNS query or HTTP GET and reply with the address/data of their login page. Web or other application filtering works similarly except that they only intercept traffic destined for blocked addresses or protocols. It doesn't look like the iBoss works at all if there isn't one on the same broadcast domain as the end user.
"Math is hard work and it occupies your mind -- and it doesn't hurt to learn all you can of it, no matter what rank you are; everything of any importance is founded on mathematics." - Robert A. Heinlein

Chindi
Posts: 1
Joined: Wed Jul 21, 2010 7:09 am UTC

Re: My school fails at computer security...

Postby Chindi » Wed Jul 21, 2010 8:24 am UTC

iBoss is most likely being used for just content filtering. Like you stated, not that sophisticated of a design. "Registered" being MAC addresses, possibly being sent out by Novell? Figured it was just for logs and host control (at least that is the extent of Novell here). I'm not sure if an iBoss has actually been installed at each location node. I doubt they would have purchased that many (standing joke on the cheapness of the district).

I am intrigued on where this will lead us. Perhaps this will answer the remaining questions I have on this network.

hintss
Posts: 1294
Joined: Wed Nov 25, 2009 7:19 am UTC

Re: My school fails at computer security...

Postby hintss » Wed Jul 21, 2010 10:27 am UTC

our network topology is:

one fiber line to district

fiber goes to ethernet bridge+switch

server, IT guy's computer, and secondary switches connect to this switch

server is a many-year-old dell with 120GB HDD, running Novell, though it was scheduled to be replaced during last summer break, but they thought it was a printer in the box, so they're doing it this summer break

uses PXE+Linux+Novell imaging software for reimaging

secondary switches power individual wings, where they feed the teacher's computers, and ternary switches, which feed groups of computers in the labs.

--misc. unrelated stuff--

oh, and there's a mystery server rack in the PE building (3 computers). it's mounted on the wall, it's black, it has a glass door, and you can see blinkenlights inside

and they have a rackmount tape backup unit. on a desk. in the server room and they have like an extra 15U available in the rack.

the web filter is made by a local company (Irvine, CA). IIRC, the company's name was 3 characters, started with a number, followed by 2 letters. it can also block FTP

all the extra junk goes in this one student accessible room. also, the fiber lines and roof access go through there.

they complain of budget cuts, while at the same time, they took the good computers into storage and replaced them with NComputing.

connecting my netbook to ethernet, I could see the whole LAN, and access the ethernet, even though I was permabanned from the school's networks


not sure about the high school, but I'm sure the main servers are in the office, and there's a large rack in the library...

WillShowalter
Posts: 8
Joined: Mon Jul 19, 2010 3:48 am UTC
Location: Palmer, AK

Re: My school fails at computer security...

Postby WillShowalter » Wed Jul 21, 2010 4:51 pm UTC

Eseell wrote:Eh, looking at the product documentation, I don't think these iBoss things are as smart as I gave them credit for. They probably just have a master iBoss in their central office and slave iBosses at every site, like in figure 9 of their deployment guide. I've worked with devices like this before and they're really simple. In the case of an unregistered user they just intercept every DNS query or HTTP GET and reply with the address/data of their login page. Web or other application filtering works similarly except that they only intercept traffic destined for blocked addresses or protocols. It doesn't look like the iBoss works at all if there isn't one on the same broadcast domain as the end user.


I think you may be right about that. The possibility of them having a device at every site makes sense, not sure why that possibility had slipped my mind, even after I read all their supporting docs.

I'll also add that you can bypass the proxy filtering entirely on most sites just by doing an nslookup of the domain and navigating directly to the IP. I think you still had to be authenticated though, as the traffic still passes through the device.

Also, Chindi is one of the guys who originally figured out that MAC addresses were what authenticated someone to the proxy. Just thought I'd share that since he didn't. :)
William Showalter
IT Field Technician and full time Student
CCENT
Comptia A+

Eseell
Posts: 789
Joined: Sun Feb 21, 2010 6:58 am UTC
Location: WA

Re: My school fails at computer security...

Postby Eseell » Wed Jul 21, 2010 7:16 pm UTC

hintss wrote:the web filter is made by a local company (Irvine, CA). IIRC, the company's name was 3 characters, started with a number, followed by 2 letters. it can also block FTP

Could it be M86 Security? They're based in Orange, CA and their content filters are quite popular.

Chindi wrote:iBoss is most likely being used for just content filtering. Like you stated, not that sophisticated of a design. "Registered" being MAC addresses, possibly being sent out by Novell? Figured it was just for logs and host control (At least that is the extent of Novell here.) I'm not sure if an iBoss has actually been installed at each location node. I doubt they would have purchased that many (Standing joke on the cheapness of the district).

I am intrigued on where this will lead us. Perhaps this will answer the remaining questions I have on this network.

School districts probably get huge discounts for these things thanks to government grants and subsidies. They also don't seem like they'd be very expensive based on my experience with similar devices. The other possibility is that they have layer 2 extended all the way to their central office even over their WAN links with an iBoss sitting in front of the router or multilayer switch that has gateways for every subnet in the network, but frankly that's an idiotic way to build a network.

I expect that the iBoss gets a list of registered MACs from the Novell LDAP server. Machines with known MACs (e.g. teachers' desktops) are allowed to bypass the login and everyone else gets prompted for credentials (e.g. users with laptops). Users that pass the login are similarly registered with the iBoss and are filtered based on whatever restrictions are placed on the user account.

WillShowalter wrote:I'll also add that you can bypass the proxy filtering entirely on most sites just by doing an nslookup of the domain and navigating directly to the IP. I think you still had to be authenticated though, as the traffic still passes through the device.

Hee. That makes sense if the content filter intercepts every HTTP GET for non-authenticated users but only does filtering based on URL for regular users. Other content filters I've used store both the IP and domain of blocked sites, but it's conceivable that yours only filters on the domain.
"Math is hard work and it occupies your mind -- and it doesn't hurt to learn all you can of it, no matter what rank you are; everything of any importance is founded on mathematics." - Robert A. Heinlein
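Added example (not from the thread and not iBoss code): a toy model of the decision logic described in the post above, showing why a filter that matches only the requested domain lets an IP-literal request through, and how also checking the destination address closes that gap. All MACs, domains and addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
REGISTERED_MACS = {"00:11:22:33:44:55"}        # e.g. known staff desktops
BLOCKED_DOMAINS = {"games.example"}
# Addresses the blocked domains resolve to; a real filter would have to
# keep this set refreshed from DNS.
BLOCKED_IPS = {ipaddress.ip_address("203.0.113.10")}


def host_is_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def decide(src_mac, logged_in_macs, host_header, dst_ip, check_ip=True):
    """Return 'REDIRECT_TO_LOGIN', 'BLOCK' or 'ALLOW' for one HTTP GET."""
    mac = src_mac.lower()
    # Unregistered and not logged in: every GET is answered with the portal.
    if mac not in REGISTERED_MACS and mac not in logged_in_macs:
        return "REDIRECT_TO_LOGIN"
    # Strip a ":port" suffix from a hostname or IPv4 Host header.
    host = host_header
    if host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    if host_is_blocked(host):
        return "BLOCK"
    # Domain-only filters stop here; the hardened variant also compares
    # the packet's destination address against the blocked set.
    if check_ip and ipaddress.ip_address(dst_ip) in BLOCKED_IPS:
        return "BLOCK"
    return "ALLOW"
```

Blocking by address over-blocks when several unrelated sites share one IP, which is one reason a filter list may carry domains only.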

WillShowalter
Posts: 8
Joined: Mon Jul 19, 2010 3:48 am UTC
Location: Palmer, AK

Re: My school fails at computer security...

Postby WillShowalter » Wed Jul 21, 2010 7:29 pm UTC

Eseell wrote:
WillShowalter wrote:I'll also add that you can bypass the proxy filtering entirely on most sites just by doing an nslookup of the domain and navigating directly to the IP. I think you still had to be authenticated though, as the traffic still passes through the device.
Hee. That makes sense if the content filter intercepts every HTTP GET for non-authenticated users but only does filtering based on URL for regular users. Other content filters I've used store both the IP and domain of blocked sites, but it's conceivable that yours only filters on the domain.


That's exactly what I was thinking. They probably do have the ability to filter IPs, but whoever/whatever the source is for their filter list does a horrible job. Ever since they installed it they've been fighting a losing battle against students using proxies.
William Showalter
IT Field Technician and full time Student
CCENT
Comptia A+

squareroot
Posts: 548
Joined: Tue Jan 12, 2010 1:04 am UTC

Re: My school fails at computer security...

Postby squareroot » Thu Jul 22, 2010 1:25 am UTC

PHP Proxies are so fun; just put a file on your website, and boom. If they block it, then there are at least twenty places you can register another domain for that sole purpose, for free. :-)

(Note: I've been having some trouble getting mine to work. Advice would be appreciated.)

My school's security was decent, I'd say. Every student had his own account (software was Novell), and thus his own section of a drive. You had to have an administrator account to access them, I guess, and they were pretty protective there. Of course, the account credentials were your student ID number - which was super easy to get, if you were persistent for maybe a day or two of watching the person you wanted to hack - and the password was just their birthday, which you could probably just get off Facebook.

They didn't let you install anything, and you couldn't access "My Computer" in Windows Explorer. They did, however, let you access Command Prompt. ^.^ I never tried a .bat file. Once I was typing a document in Notepad (because I didn't want the bloat of MS Word, I just needed to record some text) and the librarian thought I was trying to crack the computer or something, and when I was showing my friend how to use Command Prompt (just harmless stuff), my PE teacher made me close it for fear I was trying to hack something there, too. Ah, well. Finding some good proxy sites was enough to turn me into a hero. :)
<signature content="" style="tag:html;" overused meta />
Good fucking job Will Yu, you found me - __ -

