A Lesson on Trust

by Sairys

While I can't say I'm very proud of what happened, it does show a certain truth of the computer world.  Hackers (using the term lightly) do not stick up for each other when things take a turn for the worse.

During my junior year in high school, the school network security was a joke.  The school admin's goal was to block student access to the C: drive, prevent us from obtaining DOS access, restrict us to our username folders, and block us from inappropriate web sites.  I'm sure that the school faced security issues before but they did nothing to make it more difficult for us.

Being a typical student, I wanted access beyond what the web proxy would offer me.

When class got dull, I took refuge in a quick game of Slime Soccer or Jet Slalom.  As these sites became more popular and the proxy started picking them off one by one, alternate ways had to be found.

It soon became very apparent that the proxy would only check the initial ASCII URL.  If a student came up with an IP address, the proxy did nothing.

Over the span of a month, the school switched proxies about three or four times.  They finally stumped us with Bess.

So far the only method around it is to use Babel Fish to translate websites back to English (although now they block AltaVista as well).  Also, sometimes it misses websites that have a www2 clone of themselves.  The most outrageous thing was when www.google.com was blocked, but after enough complaints it was once again cleared as an appropriate site.

At the time I was also enrolled in a computer science class, a Cisco networking class, and an A+ tech class.  Each of those classes had use of the command prompt.  Doing labs where one needs to ping a machine or run tracert across a network is impossible when Altiris is blocking you.

After a few days of watching the teacher do the labs for us on the overhead, a few of us realized that Altiris only blocked the command prompt from the Start menu.

A quick glance at a Windows 2000 install showed that the COMMAND.COM file is in the C:\WINNT\SYSTEM32 folder.

The best thing was that Altiris did not prevent us from making shortcuts.  So a quick link to the COMMAND.COM file gave us the prompt we dreamed of.

At this point the wanna-be hacker inside a couple of us woke up.

We began to have a bit of a game going.  See what you can learn about the network.  I must admit that it was fun and even exhilarating.

A week later we already had access to the C: drive and the command prompt.  We learned that while Altiris would prevent us from entering local URLs by hand, it had no issue with links.

So a simple hyperlink to file:///C:/ would give us the drive.  From there we could run COMMAND.COM, Telnet, or anything else that we wanted.
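The two filter weaknesses described above (a proxy that matches only the typed hostname, so an IP literal or a www2 clone slips through, and a URL check that never looks at the scheme, so a file:///C:/ link is accepted) are illustrated here in an added example that is not code from the article; the blocklist, the stand-in DNS table and the addresses are constructed so it runs offline:

```python
"""Added example: a hostname-only blocklist check beside a hardened one."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample data (not from the article): a hostname blocklist and a
# stand-in DNS table so the example needs no network.  Names are made up.
BLOCKED_HOSTS = {"games.example.com", "www.altavista.example"}
FAKE_DNS = {
    "games.example.com": "203.0.113.10",
    "www2.games.example.com": "203.0.113.10",   # the "www2 clone" case
    "www.altavista.example": "203.0.113.20",
    "www.example.org": "198.51.100.5",          # an allowed site
}
BLOCKED_IPS = {FAKE_DNS[h] for h in BLOCKED_HOSTS}


def naive_is_blocked(url: str) -> bool:
    """The weak check the article describes: compare the literal hostname only.
    An IP literal, a www2 alias or a file:// link never matches."""
    return urlsplit(url).hostname in BLOCKED_HOSTS


def hardened_is_blocked(url: str) -> bool:
    """Deny non-http(s) schemes outright, then compare the destination address
    rather than the spelling of the hostname, failing closed on lookup errors."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True                          # file:///C:/ and friends
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return True
    try:
        addr = str(ip_address(host))         # IP literal: no lookup needed
    except ValueError:
        addr = FAKE_DNS.get(host)            # stand-in for a real DNS lookup
        if addr is None:
            return True                      # unresolvable: fail closed
    return addr in BLOCKED_IPS
```
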

Until this point it was nothing special.

A little bit of clicking and some short HTML.  Eventually an accomplice of ours learned a teacher's password.  None of us worried about using it because we still didn't have gradebook passwords, nor did any of us desire them.

Teachers have it a little bit easier than students.  At the time, teachers had full access to student folders.  Also, they had no restrictions on the command prompt and could even execute REGEDIT.

Nevertheless, the key was when we saw a small login script executing in the background.  We took a screenshot and found the location where the file was being run from.

It was this file that made me aware of the array of NET commands.

NET USE, for example, will map a network shared directory to a drive letter.  That's how the servers automatically displayed the O: drive for students and the T: drive for teachers.

Also, I learned about the NET VIEW command, which displayed all the computers on the local workgroup.

When I ran this command, the results were astonishing.  Every machine in the entire school district was visible from any node.  Using the teacher account, I could NET USE to the folder of any student that belonged to the school district.  Be it a middle school kid or the prom queen of the rival high school.

While this was "cool" at the time, it was of no use to us.  The thing which to this point amuses me is that the admin of this network created a master login script for himself.  This script would automatically NET USE to every directory on the district server.  This still did not do much.  At this point we had access to every student folder, but were still restricted to the single teacher's files.

It was by pure accident that I struck gold.

A class of mine went to one of the computer labs to type up some essays.  I picked a computer and powered it on, but was welcomed by a blue screen that claimed the boot volume to be corrupt.  Needless to say the computer wouldn't work.

Being too lazy to move over to another computer, I tried to see if I could get to the command prompt and run anything to fix the problem.  I was unsuccessful, but once the class left the room for lunch I found myself alone with the machine.

Actually, I was desperate for results so I began looking closely at the boot prompts.  Press F2 for Diagnostic was one of them and it seemed appropriate at the time.  I hit F2 and was greeted by a Bootworks logo.  The available options were all grayed out so I couldn't do anything, but when I quit I found myself face to face with the command line.  It was time to explore.

DIR showed a file called STARTNET.BAT.

They couldn't have made this simpler.  This file called all the necessary programs to connect me to the local network.  Better yet, no login needed.

Once I realized that I could see other computers, I checked to see if I could access my personal folder.  I could.  Using NET USE, I mapped the teacher directory and found I could access any folder I wanted to, anywhere in the entire school district server.

I also quickly learned that every machine was, by default, sharing C$.  This meant that remotely I could access the C: drive of every computer.

At this point I should have reported this hole to the admins and saved myself the trouble, but curiosity got the best of me.  This was too good to be true.  There was almost no way to trace who was at the computer.  There was no username, no password.  The only evidence would be IP information and MAC address, but since hundreds of students sit in that lab during the day, it would be hard to trace it back to me.

Another check at the network computer made me laugh a little more.  TROY_PROXY was the name of the machine which housed the friendly Bess guard dog.  A simple DEL statement would get rid of it all.

Fortunately, none of us had malicious intent.  At this point, the network was at our disposal, and even though there was nothing we wanted from all those folders, it was sure nice to know that they were available to us.  It was like being released from a prison.  Also, up to this point no one had any idea what was going on.  None of the admins even bothered to check up on the red flags that were probably showing up on their systems.  Nevertheless, the fun had to end at some point.

A certain student who went by the alias eCKO decided to play some more games.

He learned how to remotely shut down machines, as well as eject CD-ROMs.  Personally, I was a little intrigued but he decided not to share this information.  Anyway, his fun backfired on him.

During one of his classes he began to eject his teacher's CD-ROM from his computer.  The sad thing is that he admitted to it personally.  He claims to have thought the teacher to be "cool" and that he would not rat him out.  Wrong!

Within a day his username was blocked.  This posed problems for him since he needed to get to his student folder to get some files.  He got the bright idea that since he knew a teacher's password he would simply use that to get his files.  Needless to say, his computer was being watched.

The moment he logged in with the teacher username, his computer froze as the Altiris "eye" watched his screen.  He knew he was busted.

It took about two days for him to turn himself in.  He admitted to using the teacher password and claimed that I had given it to him.  I quickly got a pass to get down to the office and was interviewed, prison style.

As I sat there I heard a few other familiar names getting called down, and saw a few familiar faces pass into a nearby "conference office."  It was clear that everyone who was in on this was ratted out.

I did the only thing I could and tried to save my ass.  There was no denying the fact that I used the teacher's account and accessed data that was not mine to access, but no harm was done.  I figured that as long as I told the technicians how to fix their problems that things would be all right.

Into the second hour of the meeting, two computer techs walked into the room and decided that they wanted to talk.  I told them about all their security issues as well as the major Bootworks flaw.  I can honestly say that they were decent people, one of them at least.

We cracked some jokes and, in the end, they decided that since I personally did not cause any damage that they would talk to the principal and get me off the hook.  "According to us, you're not in any trouble."  Great words to hear at such a moment, but unfortunately they were empty.

They did speak to the principal, but she claimed that some action still had to be taken.  All four of us were suspended indefinitely and we had to schedule a hearing.  We all got our sentences on Friday, but I was fortunate to get a hearing the upcoming Monday.

The meeting was pointless, though, since my statement meant nothing to the principal, who seemed only concerned about us gaining access to teacher e-mails, which we did not do.  Either way, two of us got a week's vacation, the kid who originally got the password was out for an extra day, while eCKO was out for two weeks and lost all of his computer classes.  Also, he didn't receive a very warm welcome when he returned.

Someone once said "If you tell anyone about your acts, you've already made your first mistake."

Probably the best advice one could offer.  Trust no one.  While you think your friends will not rat you out, just wait until they sit in the hot seat.  Also, as far as school "exploration" is concerned, keep away from it.

While most admins will not concern themselves too much, the repercussions could be serious.  While suspension is not very bad, especially since the absence is exempt, worse things could happen.

In eCKO's case, he lost his computer classes.  But if anyone suspects tampering with the gradebooks, your own grade could quickly become void.  Imagine trying to send a transcript with a note that says your grades are invalid.  We don't like the message "invalid" on our compilers, let alone our high school transcripts.

I was fortunate this time, but it took me a few weeks before I got back on track with all the schoolwork I missed.  Also, as expected, my grades dropped a little in all my classes.  I have decided since to leave the school computers to be used for their intended purpose.

As for the admins, they ghetto patched some of the loopholes and completely ignored others.

"Sources" claim that the DOS access no longer works and simply displays an empty directory.

Bess is still at large, but we still have our shortcuts.
