    _________   SWAT MAGAZINE ISSUE SEVENTEEN: MAY 1999   _________
   /         \___________________________________________/         \
  /                        Classlink Hacking                        \
 /               by Sunburst (sunburst@ukonline.co.uk)               \
/                            ICQ: 34865702                            \
-----------------------------------------------------------------------

Classlink is the name given to a piece of security software (similar to
RM but cheaper) for use with Windows 95 networks. It is made by Viglen,
and it is quite new, but I predict that it will soon become quite
popular, well maybe ;)

As with RM, the default security restrictions are lax to say the least,
although as always it is the fault of the dumb admin. When the network
is set up by default, any folder on the network (bar the administrator
folder) can be accessed by accessing the Classlink server. On this
server there is quite a lot to play with. All user areas are also kept
on here, but they are hidden from normal view by adding a $ at the end.
To ignore this simply load up MS Word, Excel etc. and type
//classlink/username$ into the filename box. This will allow you
read/write access through the Word window; this is great if you are a
bit far behind on coursework.

Student and user accounts are usually pretty crippled in the amount of
the network that they are actually allowed to access, so it is
recommended that you get hold of a teacher, admin, or technician
account so you can start to have a bit more freedom.

Classlink has an option under which only programs that the admin has
specified as allowed can actually be run. You could try creating a
macro in MS Word, including something like "start a:\lopht.exe", but
this does not always work. Your bog-standard "get admin rights" exploit
should probably work, but you may have to rename the exe file to a
filename that is allowed to be run on the network, e.g. MSWORD.EXE. If
the exploit requires a DLL to be loaded into the system directory, use
a bootdisk or similar method to get the file in.

Another way would be to find out where commonly used applications are
stored, such as Word and Excel. When you have found the directory they
are stored in, substitute the real program for a batch file calling a
trojan and the actual program. The ideal trojan is the kind that says
something like "you have been disconnected please re enter your
password to continue"; most users will enter their password willingly.
You will need one that will write to a directory that you have access
to; either create your own or modify the source code for an existing
one. Vortex's neterror trojan (www.infowar.co.uk/vortex) has the source
code included with it, so you could modify that if you wish.

My favourite way is the social engineering technique, because it makes
me feel superior. You will need to find the name of a teacher and their
extension number on the school phone network. Ring them up claiming
that you have been called in to fix the computers and that you need
their username and password so you can verify their account. This will
work with most teachers, apart from the ones who have close connections
with the IT Department, i.e. not many ;)

When you have anything including or above teacher rights you will be
able to access the Classlink monitoring program. I forget its real
name. The way it's used is very similar to the NetBus trojan, except
that it allows you to see the screen in real time. As in the later
version of NetBus, it allows you to control the text cursor, and with
the Classlink proggie you can also control the mouse. Most of the
features are pretty self-explanatory if you've used NetBus before; a
good feature is the scanning feature, which allows you to scan every
computer to see what is going on. A very interesting bug (or feature)
is that it allows you to access the login boxes of unused computers ;)
This is brilliant for times when you think you know the admin password
and need a little time to guess it.
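
From the administrator's side, the rename-to-MSWORD.EXE trick and the
application substitution described above both succeed because the
restriction trusts a file's name. The following is an added example,
not part of the original article or of Classlink: it compares a
name-based check with a content-hash baseline. The function names and
the stand-in file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def allowed_by_name(path, allowed_names):
    """Weak check: trusts whatever the file happens to be called."""
    return os.path.basename(path).upper() in allowed_names

def allowed_by_hash(path, baseline):
    """Hardened check: content must match the digest recorded for that name."""
    return baseline.get(os.path.basename(path).upper()) == sha256_of(path)

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Run both checks on constructed files; returns {case: (by_name, by_hash)}."""
    with tempfile.TemporaryDirectory() as root:
        apps, user = os.path.join(root, "apps"), os.path.join(root, "user")
        os.makedirs(apps)
        os.makedirs(user)
        genuine = os.path.join(apps, "MSWORD.EXE")
        write(genuine, b"constructed stand-in for the approved program")
        # Baseline recorded by the administrator at install time.
        baseline = {"MSWORD.EXE": sha256_of(genuine)}

        def both(path):
            return (allowed_by_name(path, set(baseline)),
                    allowed_by_hash(path, baseline))

        results = {"genuine": both(genuine)}
        # Case 1: a different file that has only been given an approved name.
        renamed = os.path.join(user, "MSWORD.EXE")
        write(renamed, b"constructed stand-in for an unapproved program")
        results["renamed"] = both(renamed)
        # Case 2: the approved application overwritten in its own directory.
        write(genuine, b"constructed stand-in for a substituted launcher")
        results["replaced"] = both(genuine)
        return results

if __name__ == "__main__":
    for case, (by_name, by_hash) in demo().items():
        print(f"{case:9} name-check={by_name} hash-check={by_hash}")
```

The same baseline doubles as an integrity check when it is re-run on a
schedule over the shared application directory.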

Another security bug, which is the fault of Microsoft, is that Explorer
cannot be disabled, although it can be crippled. A quick way is to open
up Help in Word or Excel and then go to System Info. Explorer can be
opened from here.

Classlink shows different colour backgrounds for each level of user.
Bog-standard users are shown the bluey/green screen, teachers are shown
the green screen, and technicians and admins are shown a red screen.
This is a good idea, but can be easily bypassed by accessing the c:\
drive (either by c:\*.* in Word, or by a bootdisk) and swapping all the
grey and red screens for the blue/green screen. I have forgotten where
these files are stored, but they are on the c:\ drive somewhere. This
is also good because it only has an effect locally, and so the admin
won't wonder why he sees a blue/green screen when he logs on, unless of
course he logs on to the computer that you've been messing with.

If you want the official angle on any of this, check out the Viglen
website or consult the manuals, which are stored on the C:\ drive.

If your school provides Internet access, the chances are that they will
have some form of primitive blocking on certain sites, not done with
Classlink software. Entering the IP address will bypass this; I hope
you all know how to find out a site's IP address ;)

Another way to gain access to usually restricted folders is to enter
these folder names anywhere you can create a folder. Most of these I
have found out from messing with the registry. Just type them in as
they appear.

Network Neighborhood.{208D2C60-3AEA-1069-A2D7-08002B30309D}
Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
Task Scheduler.{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
Internet.{3DC7A020-0ACD-11CF-A9BB-OOAA004AE837}

I hope this is of use to anyone with access to a Classlink network; if
it isn't, just humour me OK ;)

Of course I am not responsible for what you do with this information,
as it is only supplied for educative purposes.....

later
Sunburst
sunburst@ukonline.co.uk
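
A defender-side check for the folder-name trick listed above, as an
added example that is not part of the original article: it walks a
directory tree (for instance the user areas on the server) and reports
folders whose names end in a brace-delimited class-identifier suffix.
The function names and the sample tree are constructed for
illustration; the five names are copied exactly as the article prints
them.

```python
import os
import re
import tempfile

# A folder name ending in ".{...}" is reported. A strict GUID body is
# 8-4-4-4-12 hexadecimal digits; anything else is only GUID-like, but is
# still worth an administrator's attention.
SUFFIX = re.compile(r"^(?P<label>.+)\.\{(?P<body>[^{}]+)\}$")
GUID = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# The five names exactly as printed in the article.
ARTICLE_NAMES = [
    "Network Neighborhood.{208D2C60-3AEA-1069-A2D7-08002B30309D}",
    "Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}",
    "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}",
    "Task Scheduler.{D6277990-4C6A-11CF-8D87-00AA0060F5BF}",
    "Internet.{3DC7A020-0ACD-11CF-A9BB-OOAA004AE837}",  # has letter O, not hex
]

def classify(name):
    """Return None, 'guid' or 'guid-like' for one folder name."""
    m = SUFFIX.match(name)
    if m is None:
        return None
    return "guid" if GUID.match(m.group("body")) else "guid-like"

def scan(root):
    """Walk root; return sorted (relative path, kind) for flagged folders."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            kind = classify(d)
            if kind:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel.replace(os.sep, "/"), kind))
    return sorted(findings)

def demo():
    """Scan a constructed user area containing two of the article's names."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "coursework", ARTICLE_NAMES[2]))
        os.makedirs(os.path.join(root, ARTICLE_NAMES[4]))
        os.makedirs(os.path.join(root, "notes.v2"))  # ordinary dotted name
        return scan(root)

if __name__ == "__main__":
    for path, kind in demo():
        print(kind, path)
```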