The Big Rick - How I Rickrolled My High School District, Got Away With It
Formal metadata
Title | The Big Rick - How I Rickrolled My High School District, Got Away With It
Number of parts | 85
License | CC Attribution 3.0 Unported: You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/62232 (DOI)
Series | DEF CON 30 (part 79 / 85)
Transcript: English (automatically generated)
00:00
Well, we have a fun talk this afternoon. I don't know about you all, but I love a good rickroll. And our next speaker rickrolled an entire high school, which is pretty awesome. So please welcome Minh-Dung for his first time up here at DEF CON speaking, telling us about how he rickrolled his whole high school. Thank you. Thank you. Woo! Woo!
00:22
Hi, everyone. Thanks for coming to my talk. My name is Minh. I'm 19 years old, and I'm starting my second year as an undergraduate at the University of Illinois at Urbana-Champaign next week. This is my first time at DEF CON, and my second time ever attending a security conference. So it's extremely humbling to be up here on stage as a noob.
00:44
Before we proceed, first some disclaimers. If you came to this talk expecting anything uttered in a script to these stories, then you didn't read the abstract here for you. This presentation is for educational purposes only. I do not condone hijacking and rickrolling other high schools.
01:01
Also, please don't hack my own high school district. They are very cool people, and they don't deserve that. So let's start from the beginning. Here's a picture of my high school, which has about 2,000 students and is part of a larger school district in suburban Chicago, which has six high schools in total.
01:21
My school offers some IT classes. They essentially had a career pathway that you can follow from freshman to senior year. Obviously, I was into computers, so of course I signed up in my freshman year. Those classes were held in this room. It's pretty amazing. It's where I developed my cybersecurity skills thanks to my awesome teacher, Mr. Drenth.
01:43
He's got a computer lab and has shelves full of computer parts, cables, monitors, switches, everything a high school hacker could ever dream of. Now, one of the coolest things about this room was this closet. Inside this closet were two desktop PCs that were each running Windows 7.
02:02
I inherited this space from the upperclassmen, and it was here that I really started developing my script kiddie phase. I had never owned my own computer before, so this was the next best thing, since I basically had both these computers to myself. And like any hacker wannabe, I started running scans against my school network.
02:20
I was quite ambitious and decided to scan the entire 10 dot subnet. I had some help from my upperclassmen friends, and we took turns running Angry IP Scanner, and we had to split the scans into parts because if we tried to open one big scan, it would crash Notepad. We learned quite a bit from the scans,
02:40
the first being that our school district has its own metropolitan area network. So, all the high schools are connected to the same network and they each have their own subnets. We also found a ton of different things. Printers, voice over IP phones, switches. One of the coolest things we found was the security cameras.
03:02
The top left is me when I first found them, and the bottom right is my friend giving me the middle finger after I showed him. Now, one of the most important things we found in the network that forms the basis for this entire talk is the IPTV system. The system is manufactured by Exterity
03:20
and consists of three main products. The first is the AvediaPlayer, which are receivers attached to projectors. They send serial commands to the projector to control its current state and also what content is displayed. Here's the web interface for the AvediaPlayer. You can change the input source and volume,
03:40
and you can also change the current channel to a specific RTP or UDP stream. Next up is the AvediaStream, which is attached to the device that displays video output. The encoder then takes that video output and broadcasts it as a network stream, which receivers can connect to and display.
04:00
Here is an example of the carousel live stream for my high school, which is displayed on all the hallway TVs. The stream is broadcast by the encoder to the AvediaPlayers. It's just a slideshow showing special events, the time, weather, et cetera, but it was also used to show morning announcements. And finally, we have the AvediaServer,
04:22
which provides an easy-to-use interface to manage all the devices at once. Here is the projector control from the AvediaServer, where we can drag and drop receivers onto the control buttons at the top, like power on and HDMI. Now, each of the six schools has its own AvediaServer, which controls the Exterity devices
04:41
in its respective subnet. And in this case, I'm viewing the projectors for my specific high school. So, that was pretty much the bulk of my freshman year. I was just scanning the district network, finding random devices to screw around with, and figuring out how things worked. All right, we're going to skip a few years to my senior year, and the time skip is because
05:01
nothing notable happened in my sophomore year. And my junior year is when the COVID-19 pandemic hit. And the first semester of my senior year was hybrid learning, so not much happened then either. Then the district decided in March of my senior year that everyone would be required to come back in person in April.
05:20
It's at this point that I remember, oh hey, I still have access to all those devices from freshman year, and I should probably tell the district about it. And then I think, oh hey, I need to do a senior prank. And finally, I conclude, oh hey, I should rickroll my high school district.
05:41
So I asked a few friends for help, and we officially began working on Operation Big Rick. One of the first things we needed to do was establish access to the district network from home.
06:01
Now, I already had a working solution for this because I installed Chrome RDP on every PC in the classroom that I mentioned earlier. On the screen right now is a list of all those PCs. They're grayed out because they reformat the machines every year, so I can't access them anymore. Now, while we did have network access through those PCs,
06:22
it's not going to be very hard for district tech to pinpoint me if any scan or exploitation traffic is coming from those machines. So we need a way to pivot to different machines that are not associated with us so we don't get found out. So now, I will introduce LanSchool. Who here knows what LanSchool is?
06:43
Okay, not a lot. For those who don't know, LanSchool is a program that gives teachers control over devices in their classroom. There are two applications. One is LanSchool Student, which is installed as a background process on all the student devices, and the other application is LanSchool Teacher, which a teacher uses on their computer
07:01
to control all the student devices. So what can you do with Land School Teacher? You can freeze a student computer to make it unusable. This is the one every student hates. You can remotely view and control a student. You can upload arbitrary files.
07:22
You can execute arbitrary files. And you can view keystroke history, which I think is absolutely insane because it opens up a massive door for abuse. Imagine what would happen if a threat actor got access to all this control. It turns out it's pretty easy to obtain
07:42
a copy of LanSchool Teacher if you know where to look. And if you're an IT guy provisioning hundreds of student computers, well, you're not exactly going to prioritize adding passwords to the classrooms. And here, I'm viewing a student's keystroke history. It looks like they're doing some 3D modeling based on their search history.
08:02
Now, it also turns out LanSchool Student was not only installed on the student computers, but also on some staff computers as well. Here's the desktop of one of the security guards. So, using our district network access and LanSchool Teacher, we were able to pivot
08:22
to a different high school. So that way, when we run our scans from there, the district wouldn't be able to track us. I now had a better knowledge of what to scan for, so we found a few new things. It turns out all Exterity devices run SSH.
08:41
And they let you open a shell, like direct user access to the system. This makes things way easier, though, because instead of sending a bunch of web requests to control each of the receivers, we can create a payload that runs the serial commands locally on the device. Now, this payload is really just a batch script
09:02
I made that makes requests to the web interface locally. But it's pretty simple, and it boils down to this logic. The first thing we do is set the receiver to play the regular stream. So, it's at address 20, 25, 25, 25, 25, 5,000. The next thing we do is set the input to HDMI,
09:20
since this is the input where the DVD stream is playing. Then, we disable infrared capabilities. This way, the teacher cannot use the remote to turn off the receiver. Although, they still can technically power off
09:41
the projector manually by pressing the power button, but we'll get on to how to fix that later. And the final step in our initial process is to actually turn it on. Then, we enter the first loop for three minutes. It's during this loop that the countdown is displayed, not the actual rickroll yet.
10:01
The loop basically sets the volume to the max, and then it sends a power on command every 10 seconds. And this fixes the issue I mentioned earlier, where the teacher could just manually turn off the projector, but that doesn't work, because it just turns on again. Close to the end of the countdown, we switch the input back to HDMI to make sure
10:21
that the projector is still showing the rickroll. Then, we run the main loop a second time, but this time for nine minutes, and this covers the entire rickroll stream, and also allows people to read the final message that's displayed after the rickroll. Finally, we restore the channel that the receiver was broadcasting previously using a backup we made,
10:41
and then re-enable the infrared remote, so everything goes back to normal. At all times, we maintain a pivot of at least three AvediaPlayers before connecting to the AvediaServer. This way, the district would not be able to trace this back, even to the LanSchool computers, without significant effort.
11:01
And then, our plan was to slowly distribute the script from the AvediaServer to all of the AvediaPlayers that we identified. In my research, I also found a privilege escalation in the AvediaPlayer and the AvediaStream. Here's a shell where I'm logging in as root.
11:22
The way that the exploit works is that you can export a backup of the device configuration to an FTP server, which will be the attacker machine. The backup also includes a shadow file, so you can just change the root hash to something you know, import that backup back onto the device, and then log in as root via SSH. The AvediaServer had an even easier privilege escalation.
11:42
Sudo access was just given to the systemctl binary, which is a classic GTFOBins binary. So, you can just create a service file that executes a command as root, and call systemctl on it. Here are the root hashes, by the way, in case anyone's interested in cracking them. I haven't tried anything beyond rockyou.txt at all,
12:01
so don't shame me if you do manage to get it. All right, it's go time now. We picked a date, April 30th, because that was the Friday before AP exams started. We'd had plenty of time to test and get things working. We're ready. But at the last minute, we found something new.
12:21
First, let me introduce the Epic system. Epic stands for education, paging, and intercom communications. It's exactly what it sounds like. It consists of speakers, which can be installed on the ceilings of hallways and classrooms.
12:42
Similar to the IPTV system, these speakers also have a central server called the Epic server. Here's an example of one of the projectors I mentioned earlier. You use the Epic server to control various alarms, and you can create and manage bell schedules for when class starts and when class is dismissed.
13:02
And more importantly, you can upload custom audio for bells. So, April 27th, it's exactly three days before the Big Rick when we discovered the IP ranges for the network speakers.
13:23
The reason we didn't find them in my freshman year is because the Epic system was installed in my junior year. This looks exciting for us. If we can get access, then we can change the bells to use a rickroll. Unfortunately, the default passwords don't work. Two days pass; it's one past midnight on April 29th.
13:43
One of my partners, Shapes, is sad because he was the one trying to push us into getting the Epic system. Five minutes later, he finds a password. So, it turns out the district did change the default password, but they used the example password from the manual.
14:04
Wow. When we checked the settings, we found the IP address of the server that it was bound to, which brought us to this login page when we connected. We found out that this was a login page for the Epic server,
14:22
so we quickly found the default credentials in the manual, which weren't changed, and boom, we now have control of the bell system for one of the schools. However, there's a slight problem. The Epic systems at the other schools had their default password changed. We can't log in.
14:42
But, all hope is not lost. In the settings, I found an SMB server was configured for backups with the same default credentials. And then I thought, what if the backup servers for the other school still have default credentials? I was right. He already extracted contents of one of the backup archives
15:01
for another Epic server, which we did not have any initial access to. And, in each archive is a SQL dump of the entire configuration, including user entries. Now, most of these entries were just teacher accounts connected to LDAP, so no password hashes there. But, there are a few local manufacturer-created accounts,
15:22
which you can see in the top left corner. So, it makes sense that I would try to crack the password for one of these accounts, right? The problem is that the hashes for these accounts were different across each school. And, unfortunately, RockYou didn't work for any of them. However, I discovered something strange.
15:41
It was a local account with the username District. And, what stood out was that this account is at the bottom of the table. It was also created in 2017, which matches the date of the other local accounts, which means that this is an account created by the manufacturer, not one installed by the district. I couldn't find any information online about this account,
16:01
and it doesn't show up in the user's list on the actual web interface. So, I concluded, it's a backdoor account. And, even better, the password was password. Yeah! Yeah! Yeah! Yeah! Woo! So, now, using the backdoor control account,
16:22
we control the bell systems for all the schools in the district. And, that's how we epically pwned all the Epic servers. All done in less than a day, and a day before the Big Rick. And, now, we upload the rickroll audio file as a bell. Can you guess which one is a rickroll?
16:43
I'll give you a hint. One of the lowercase L's in "musical scale" is a capital I. Also, it's the one that's three minutes long. Then, the final step is to modify the schedule to replace the bell with our newly added bell, and we're done.
17:00
The final task is to set up our stream with the countdown timer here, and when it hits zero, the rickroll begins. It was a massive success, and both the IPTV system and bell system rickrolls worked. Here are some GIFs across the district showing the result. This is one of my favorite ones.
17:36
It's a student experiencing the rickroll from their Zoom meeting, and the teacher is showing it to them.
17:47
And, this is the final message that's displayed when the rickroll's finished. I was very tame and careful about the wording, because I did not want to provoke teachers more than I already did.
18:00
So, you might be wondering what happened afterwards. Well, we compiled all the things we did into a 26 penetration test report, 26 page, sorry, and then we sent that to all the technical supervisors in the district after the rickrolls were done, and, of course, we did this anonymously. A few days later, we got a response. It was from the director of technology for the district,
18:22
and because of our documentation and ethics, he said that the administration would not be pursuing discipline, and actually asked us to hold a debrief. So, you can imagine our reaction. It was a pretty big relief for all of us. I'm sure many of you have heard stories
18:40
where students report vulnerabilities to their school, and it does not end well for them. So, we were extremely fortunate that the district was siding with us, and, in fact, listening to our advice. Here's a screenshot from the debrief we had over Zoom. I was the only one who revealed my full identity, since my other peers thought it was a sting operation.
19:00
It clearly wasn't, or I wouldn't be here. In our debrief presentation, we referenced each other as a color, so we thought it would be funny to identify as crewmates from the hit game Among Us. Overall, the meeting went extremely well, and we managed to resolve the issues in the district.
19:22
So, lessons I learned from the Big Rick. Always maintain a pivot, since doing that threw off district tech, and they could not figure out who did the Big Rick until I came forward. Check your scans carefully, or you might miss a server that controls all the speakers, and waste two out of three days before the deadline for an attack. Try to keep things as tame as possible,
19:41
so you don't end up in too much trouble. I could have been a horrible person, and displayed anything else that would have not been school appropriate. Document everything to protect yourself, at least if what you're doing is ethical. It really helped me, in this case at least. I'd like to thank my accomplices, Shapes, Jimmy, and Green, because I wouldn't have been able
20:01
to do this without you guys. I also want to give a shout out to Mr. Drenth for being the best IT teacher ever. I'd also like to thank SIGPwny and friends for encouraging and helping me prepare for this talk. And finally, I want to thank my school district for letting me graduate and not pressing charges.
20:27
Here's my website. Follow me on Twitter, and thank you for coming to my talk.