How students are compromising their school’s internal networks. Part 1

Alimuhammadsecured, published in The Deep Hub
Jun 17, 2024

This article explores the vulnerabilities in school networks, focusing on how students compromise them. We discuss Active Directory, bypassing content filters, and Chromebooks. We explain how students escalate their privileges, allowing them to access restricted resources and even leak school data using dual-booting. Moreover, security flaws such as default credentials that lead to data breaches are explained. This article is meant to raise awareness and help better protect our education system’s critical infrastructure. Read Part 2 here: https://medium.com/@alimuhammadsecured/how-students-are-compromising-their-schools-internal-networks-part-2-0a4bed4cbc93

Chapter 1: Active Directory

Before we get started, it’s important to understand what school servers are built on before we talk about how they are compromised and exactly what is being “compromised”. When you log in to your school PCs, have you ever noticed how you can use any PC or laptop and it somehow has all your files and documents? Or how every computer knows your account exists without you needing to create it on each one? This is done by Active Directory. It is a service that can get pretty complex, but typically it is made up of a RADIUS server (authentication), a ticketing server (Kerberos), and the client (your computer authenticating). Of course, these servers are within the school network (intranet) and cannot be accessed over the internet directly unless some sort of VPN or gateway is being used (Palo Alto being a common one).

If the domain controller (which has full access to Active Directory) is compromised, the whole network is PWNED and can be manipulated at will.

Chapter 2: Personal Laptops

When COVID-19 hit, students were given their own personal Windows laptops and Chromebooks to take home and complete their assignments. Due to the severity and urgency, these devices were issued without the proper security configuration and design. We’ll be focusing primarily on Windows laptops (the most common) and Google Chromebooks. Chromebooks were developed by Google and are designed for productivity and security, weeding out the bloatware and security faults inherent in Windows (we’ll talk about this more).

Chapter 3: Dual booting (Windows)

These laptops issued by the schools have software and policy restrictions that prevent you from accessing certain sites such as gaming, social media, or streaming. However, I noticed something particularly interesting when visiting these blocked sites: there would be a redirect to https://localhost:PORT_NUMBER/STUDENT_ID?blocked_URL=UID. Hmm… this means that the blocking is being done locally on the computer and not at the network level. This would make sense, since the same behavior can be observed when being blocked from a site on your home wifi (as they don’t have control over it, they still need a way of blocking). Fueled by curiosity, I decided to figure out a bypass or learn more about these security functionalities for my research paper.

Located on Google, the URL is not shown but the root domain is localhost.

I tried accessing files in “Program Files” on the C: drive (this folder holds data, caches, and configurations for software on your Windows laptop), AppData, and more. However, the computer had policy restrictions that denied even read access. I decided I’d still try to access these files on the drive using dual-booting. Dual booting allows multiple operating systems on one hard drive via partitioning. Therefore, you can have Windows 10, Windows 11, and Windows 7 (depending on your hard drive’s size) on one drive.

In theory, by dual booting Windows 10 and creating an Admin account, I should now have escalated privileges and be able to access the school’s files and contents through the other Windows operating system on the same drive with no issues. However, the laptop’s BIOS was locked with a password PIN, rate-limited (impressive), and with all developer options completely disabled. There are ways to find the default BIOS password used by manufacturers by looking up the model number on websites such as bios-pw.org, but this did not work, as the password set was custom to the school. However, there was one pitfall: Safe Mode.

Safe Mode is a feature in Windows that allows troubleshooting, loading drives, and much more without authentication. Safe Mode can be accessed on the login screen by holding the SHIFT key down and clicking on the restart button. A blue screen pops up with many options; the one that caught my eye was “Use a Device”. I popped in my bootable Windows 10 USB and booted off of it. After some research, I realized that by running Windows from the bootable USB I could create a partition using diskpart.exe, which I accessed from the system32-level CMD.

Luckily, the school’s hard drive was JUST big enough for another Windows OS to fit (if not, I’d have had to use Linux or something else). I installed Windows on the new partition, logged in, and went to the drive of the school contents on drive D:\. After a few hours, I finally found the software responsible for the content blocking: Lightspeed.

Lightspeed is a proprietary filtering agent meant for the public education sector. After looking at the files that the LightSpeed agent uses, I noticed the file “LSProxy.exe”. Hmm, this seems interesting, because proxies sit between you and the content you want, and proxies can also redirect you to a block page like the one we saw earlier being hosted on localhost. So out of curiosity I simply renamed the file to something else, then rebooted the laptop, chose the school OS this time, and logged in.

Moment of truth… I opened up Google Chrome, typed in Discord, and it worked! I could not believe how poor this security design really was. At the very least, a static hash could have been downloaded and checked to see whether the contents of the LightSpeed agent files had maintained their integrity (even malware developers do this), but for some reason this was not the case.
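The integrity check the paragraph above asks for, written out as an added example (this is not Lightspeed’s code, and the file names `agent.exe` and `proxy.exe` are made up). It hashes every file in an install directory with SHA-256, compares the result to a known-good manifest, and reports files that are missing, modified, or not in the manifest at all, so a renamed proxy binary shows up as one missing file plus one unexpected file:

```python
"""Verify a filtering agent's install directory against a known-good manifest.

Added illustration for the article; not the vendor's code. The install
directory, file names and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_install(install_dir, manifest):
    """manifest maps relative path -> expected hex SHA-256.

    Returns a dict with four lists: ok, modified, missing, unexpected.
    """
    findings = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = os.path.join(install_dir, rel)
        if not os.path.isfile(path):
            findings["missing"].append(rel)
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)
        else:
            findings["ok"].append(rel)
    # Anything on disk that the manifest does not describe is suspicious too:
    # a renamed or dropped-in binary lands here.
    for root, _, files in os.walk(install_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), install_dir)
            if rel not in manifest:
                findings["unexpected"].append(rel)
    return findings


def build_demo():
    """Create a throwaway install directory and its manifest, then simulate
    the tampering the article describes by renaming the proxy binary."""
    d = tempfile.mkdtemp()
    contents = {"agent.exe": b"constructed agent bytes",
                "proxy.exe": b"constructed proxy bytes"}
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = {name: sha256_file(os.path.join(d, name)) for name in contents}
    os.rename(os.path.join(d, "proxy.exe"), os.path.join(d, "proxy_old.exe"))
    return d, manifest


if __name__ == "__main__":
    demo_dir, demo_manifest = build_demo()
    for status, names in verify_install(demo_dir, demo_manifest).items():
        print(f"{status:10s} {names}")
```

Two caveats a practitioner would add: the manifest has to come from somewhere the student cannot edit (signed by the vendor or fetched from the management server at check time), and an in-OS check like this only detects tampering that happened from the other partition; it cannot prevent it, because the second OS can edit anything on an unencrypted disk, including the checker itself. Full-disk encryption tied to the firmware is what actually closes the offline-edit path; the hash check is the layer that tells the administrator when it was bypassed.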

After doing more research, I came to the realization that I could download and load my own EXEs and applications, bypassing the native block policy. You see, Windows has a policy that blocks applications from running, like this one:

After some Googling, it turns out that the default Windows policy block will turn a blind eye to applications being loaded from different drives or certain file paths. I realized this by mistake when I downloaded Firefox Portable on my “escalated” Windows partition, tried running it from the restricted school partition, and it opened!

Many apps have been modified to be portable (they run from one drive, such as a USB stick, without creating files in the root directories, hence “portable”).

Now this leads to a whole new world of security concerns. For example, Firefox allows you to download extensions, one of which is a Windscribe proxy extension. Through this, I was now able to completely mask my internet traffic by using a VPN proxy and could even keep the LightSpeed LSProxy agent enabled!

They also have one available for Chrome

Okay, so students can now access Discord and Netflix, so what? The security issue comes into play considering the dangerous amount of confidential data stored on the school OS itself, which can now be accessed freely, manipulated, and used. Moreover, un-indexed malware can now also be loaded freely; this includes keyloggers, ransomware, and so much more. I say un-indexed because if the hash of the executable is not stored in the database, it’s possible to bypass the anti-virus completely. In particular, many organizations use CarbonBlack AV, which can be bypassed this way.

CarbonBlack is a next-generation SaaS EDR.

Moreover, now that apps can be loaded, students can pull the network credentials off the device using Netsh. However, many network administrators now use an encryption key instead of the actual password. Therefore, students can pull this key, load it onto their unrestricted partition, download Nmap, and start compromising the internal network. This is because of the lack of zero-trust networks: once you’re inside the walls, the security posture significantly decreases.

Shows saved wifi passwords in cleartext saved on the device via “Netsh”.
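The two behaviours described in the last few sections (executables launched from a second drive or a user-writable folder, and `netsh` being asked to dump a Wi-Fi profile with `key=clear`) are both visible in process-creation telemetry. The script below is an added example, not from the article or any vendor: it runs simple detection rules over a handful of constructed Sysmon-style process-creation records (the `Image`, `CommandLine` and `User` fields are real Sysmon Event ID 1 field names; the values, the `SCHOOL` domain and the paths are made up) and returns the flagged images with the reason for each.

```python
"""Flag process-creation events that match the article's two findings.

Added detection example. SAMPLE_EVENTS is constructed data in a simplified
one-line-per-event form, not real Sysmon output.
"""
import re

# Constructed records: field=value pairs separated by "|".
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|CommandLine=chrome.exe|User=SCHOOL\\student1",
    "Image=D:\\FirefoxPortable\\FirefoxPortable.exe"
    "|CommandLine=FirefoxPortable.exe|User=SCHOOL\\student1",
    "Image=C:\\Windows\\System32\\netsh.exe"
    "|CommandLine=netsh wlan show profile name=SchoolWiFi key=clear"
    "|User=SCHOOL\\student1",
    "Image=C:\\Windows\\System32\\netsh.exe"
    "|CommandLine=netsh interface show interface|User=SCHOOL\\admin",
    "Image=C:\\Users\\student1\\AppData\\Local\\Temp\\tool.exe"
    "|CommandLine=tool.exe|User=SCHOOL\\student1",
]

SYSTEM_DRIVE = "c:\\"
# Path fragments that an unprivileged user can normally write to.
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\")
# netsh asked to reveal a stored Wi-Fi key (the "Netsh" trick in the article).
KEY_CLEAR = re.compile(r"\bnetsh\b.*\bwlan\b.*\bkey=clear\b", re.IGNORECASE)


def parse_event(line):
    """Split 'a=1|b=2' into a dict; only the first '=' per field is a separator,
    so '=' inside a command line (name=..., key=clear) survives intact."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return the list of rule names this event trips (empty if benign)."""
    image = event["Image"].lower()
    reasons = []
    if not image.startswith(SYSTEM_DRIVE):
        reasons.append("image on non-system drive")
    if any(hint in image for hint in WRITABLE_HINTS):
        reasons.append("image in user-writable path")
    if KEY_CLEAR.search(event.get("CommandLine", "")):
        reasons.append("wifi profile key export requested")
    return reasons


def scan(lines):
    """Map each flagged Image to its reasons; benign events are omitted."""
    flagged = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            flagged[event["Image"]] = reasons
    return flagged


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(reasons)}")
```

The drive and path rules here are detections, not the fix: the reason Firefox Portable ran at all is that a path-based allow rule only covers the paths it names. Application-control policies keyed on publisher signature or file hash, applied to every drive, do not have that gap, and the `key=clear` rule is worth keeping even after that change because an authorised user can still run it.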
