.

Got in over my head trying to help my school, anyone want to give me guidance?

<<

javap22

Newbie
Newbie

Posts: 2

Joined: Sat May 01, 2010 6:51 pm

Post Sat May 01, 2010 7:05 pm

Got in over my head trying to help my school, anyone want to give me guidance?

This is my first post on ethical hacker network and I hope to become an active member of the communtiy, but please don't flame me if my question is "n00bish" I am still in the process of learning offensive security and could really use help here.

Basically I am trying to convince the administrators at my school to switch the wifi security protocol from WEP to WPA, however they are reluctant to do so and claim it does not need to be done. Even after demonstrating how the password can be stolen they seem to think it doesn't matter if some random person hacks into our network. I wan't to prove them wrong.

I noticed when running a basic IP scan that we have networked security camera's...hehehe *evil look* and I was thinking that a good way to give them a lasting impression would to be to demonstrate how a hacker could gain access to the school's security system on acount of a weak password to the Wifi. Here are the details:

I found the config page for the Dibos cameras at the local ip:
10.1.1.22
Navigating there in a browser gives me something that looks like this (note this is not the page but one I found on someone else's site)
http://209.3.146.51/
*It requires IE to view*

I also found that there was a DIBOS-[lotsofnumbersandletters] workgroup on the network but when trying to "explore" that workgroup it asked for a username and password, it did not work.

I have local admin access on *some* machines with the help of ophcrack, but they seem to not be able to find the workgroup and the 10.1.1.22 page is no different from an admin account

Also, our school keeps a "remote access" citrix client running from which I can run remote-desktop and get onto one of the few local machines that have RDP enabled, from there I can see the Dibos workgroup but cannot access it, however I am a weak user on these remote computers and can't even run Cain and Abel or extract the SAM files with pwdump.

Additionally, I suspect that the Network admin account password is the same as that for the Dibos, the issue is that I don't know how to get the Network admin account although like i previously mentioned I have local admin on a few machines.

Also, I have been using an anonymous e-mail address to communicate with the administration and would like to remain unknown for a while longer so that they don't just put all kinds of security on my user account or pay particular attention to me in the future, thus if it is possible to remain invisible that would also be ideal.

Finally, I understand that the information that you post here may be used for less noble purposes and if you would prefer to PM me your advice rather than post it here than please do so.

Thanks and I look forward to being part of The Ethical Hacker Network,
Javap22
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Sat May 01, 2010 7:58 pm

Re: Got in over my head trying to help my school, anyone want to give me guidance?

Well, first off, this is the Ethical Hacker Network. Accessing systems or networks for which you have no authorization is breaking the law, period. At this point, the best thing that you can do is to completely stop accessing these systems. You will not find help here in furthering such an attack.

While I would agree with you on wanting to warn them anonymously about their security issues, this is by no means a risk-free thing to attempt. As clever as you think that you might be in sending an anonymous communication, there always exists the possibility that it will be traced back to you in some fashion.

Yes, information security is an awesome field to work in, landing yourself in jail is not a good way to start down that path.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat May 01, 2010 8:15 pm

Re: Got in over my head trying to help my school, anyone want to give me guidance?

Like Jason already said, this is definitely not the way to go.  You will only get yourself in trouble and your warnings will be ignored by the powers that be.  There are plenty of other ways to make your case.  There have numerous studies done on the insecurity of WEP.  A study done by a reputable security expert should be convincing enough.

If you want to practice ETHICAL hacking, I would recommend that you set up your own lab.
~~~~~~~~~~~~~~
Ketchup
<<

javap22

Newbie
Newbie

Posts: 2

Joined: Sat May 01, 2010 6:51 pm

Post Sat May 01, 2010 8:20 pm

Re: Got in over my head trying to help my school, anyone want to give me guidance?

Personally to me ethics is ends before the means, however if the "ethical" hacker network is really just a bunch of people who look at studies the back to hackforums.net I go, where at least I can get help.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sat May 01, 2010 8:22 pm

Re: Got in over my head trying to help my school, anyone want to give me guidance?

Everyone has given you the same excellent advice therefore I offer you an analogy to think about outside of security...

The door to your home is locked/protected by an ACME lock. Someone sends you an anonymous letter warning you about the lock. You as the owner have your reason for keeping an insecure lock on your door. Unbeknownst to anyone outside of your house, you rigged explosives (honeypot) to be triggered by the first fool who wants to get inside your home. Someone comes in: Game over.

There could be plenty of reasons why they have WEP over WPA running on the network. Perhaps they have legacy machines running that can't run WPA. Perhaps they have a NAC server the moment you get by the wireless router. For whatever reason they're choosing to run WEP, the concern is not yours it is theirs and any activities taken by you - you will learn to regret. No matter how logical or moral you think you are or will be, you are as stated breaking the law.
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Sat May 01, 2010 8:23 pm

Re: Got in over my head trying to help my school, anyone want to give me guidance?

Apparently you have the idea of ethics exactly backwards. If what you're really after is advice on illegal activities, then we'll be happy to see the back of you.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sun May 02, 2010 1:51 am

Re: Got in over my head trying to help my school, anyone want to give me guidance?

however if the "ethical" hacker network is really just a bunch of people who look at studies the back to hackforums.net I go, where at least I can get help.


Ethical Hacker Network consists of professional security professionals and beginners wishing to get into the security field. If you want to learn "ethical" hacking then we would be more than happy to help you and give you directions. This is what Ketchup and Jason were trying to do. Getting yourself in jail while trying to break into your school to prove them wrong is not the wisest thing to do. If you want to hack into your school to demonstrate the lack of security then Jason and Ketchup have given nice suggestions and sil has raised some excellent points to talk to them.

Here at EH.Net you'll be given suggestions that are best for you and keep you out of prion. However, if you don't like someone helping you out then you can always go to the 13 yrs. old h4x0rs
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun May 02, 2010 12:15 pm

Re: Got in over my head trying to help my school, anyone want to give me guidance?

There is a definition to the phrase ethical hacker. It boils down to a person who hacks a network with the owner's permission.

You don't have to take our word for it, go research it yourself. Any book on ethical hacking, or site for that matter, will have the definition. Including Google if you search.

While you have a valid point, it doesn't mean the actions you are taking are Ethical.

Since the school won't listen to you. Take you're concerns (with your parents or through your parents) to the school board. Sadly schools tend to ignore what students think, but start paying more attention when parents start complaining.

Failing that, you have the court of public opinion. Send a letter, or an anonymous email to the local paper with the topic of "Such and Such school putting children at risk". Don't include your hacking "findings" that you posted here, but include that they're using WEP, why wep sucks, that you're worried that the wireless network has access to all other parts of the network including student records, and how you feel you're privacy may have been violated.

After what happened with the laptops with the cameras in the school district out east, spying on the kids while at home, people will raise a fuss and things will get changed.

*Edit:
Also, I have been using an anonymous e-mail address to communicate with the administration and would like to remain unknown for a while longer so that they don't just put all kinds of security on my user account or pay particular attention to me in the future, thus if it is possible to remain invisible that would also be ideal.


I'm assuming that you did the WEP to WPA conversation some other way than via "anonymous" email. So most likely they're already watching you. If you've been using your account to play on their network, then they're probably already watching you.

:edit*
Last edited by rattis on Sun May 02, 2010 12:23 pm, edited 1 time in total.
OSWP, Sec+
<<

Bane

Post Sun May 02, 2010 3:18 pm

Re: Got in over my head trying to help my school, anyone want to give me guidance?

javap22 wrote:Personally to me ethics is ends before the means, however if the "ethical" hacker network is really just a bunch of people who look at studies the back to hackforums.net I go, where at least I can get help.


If you keep on this path you won't need ethicalhacker.net or hackforums.bet, you will need legalhelp.net or publicdefender.net breaking into a computer network without permission is a felony in the unitedstates and illegal in nearly all others.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 3 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software