Where would be the best place to test out an unhackable netbook? The NSW department of education in Australia thinks that college is perfect . They plan on distributing netbooks, preloaded with Windows 7,and iTunes. They also have bios level tracking and security, allowing them to be remotely shut down on command. With 20,000 of these in circulation, we would think that we’ll see someone proving the “unhackable” statement wrong. We can only hope.
[via slashdot]
I’ve looked up the “SCCM” that anonymous mentioned, and it is of course a rebranding of Microsoft SMS. (System Management Server, NOT Simple Messaging Service – just to avoid confusion).
Anyone have any ideas on tips, tricks, hacks for SCCM/SMS?
@Bahorlas: I didn’t say I would have it hacked in one night, just that I would try. Some seemed to be decrying the need to try. I have built kiosks like these locked down for business before so I know how some of them do it, I also know ways around the way some do it. Did I mention I am old, I have been in IT for 15 years, that doesn’t mean I know everything just that I have been around the block many times. Did you actually look into any of the suggestions I made or are you talking out your arse? There have already been a fair few suggestions in this thread that I would say will work.
@mx44: There are a few things you can do for sccm, disable the sccm services, they may use plugins for sccm like nomad or others (nomad is popular), you will need to disable these services too, if they did their job right though they will check these services are running via group policy or login/startup scripts so you can disable those from running with a custom path based software restriction policy, this will at least stop the scripts from running, and stop sccm installs from working.
But a machine not reporting (so don’t leave the services disabled) in sccm will set off alarm bells. Check which account is running sccm and nomad (usually “NT AUTHORITY/SYSTEM”)and then deny this account access to the files you want to hide (portable executeables, pr0n etc)
If they’re monitoring for videos or something they mustn’t be doing a good job because just about everyone at the school I used to go to has stuff on theirs. Heck, the only reason my mates still there don’t have their hard drives completely full of the stuff is the disk quota.
From my understanding, SCCM isn’t primarily used for monitoring illegal copies of multimedia, but rather to monitor changes in installed software. I don’t know the details but if there is any piracy-prevention involved, I’d say it’s almost undoubtedly for software rather than music/video.
WTF do u mean “i was just COMPLIANING bout reaper and xerxox cuz they keep winnghing”
get a life oldhacker ur days r ova oldtimer!!!
Its all a lie, i ready know many people who have hacked…they get busted though :S but atleast they proved there point !
Has anybody tried a bridge USB cable? Coz if you can edit the proxysettings XML file from there….
@Bahorias, it’s a nice idea, but the bridge USB cable requires a driver (which you can’t install… i may be wrong), and my understanding of the software that comes with these cables is that it runs on your laptop account, modifying the hard drive as instructed to by another computer. If the other computer tells it to edit the Proxy Settings file, it will try to do this as the user that’s logged in and fail as it does not have permissions to modify. Also, the proxy settings xml file is overwritten through an automatic update system built into the filtering software. So whatever changes you make will be overwritten. See the wiki (http://breakout.ath.cx/wiki/) for full details.
Det just updated the laptops so now you can’t run as administrator anymore :(
Does C:\WINDOWS\Debug\wia still work?
A certain cracked release of Windows 7 Enterprise floating around now uses the key from these machines.
Also, re: Computrace, how does the persistence module actually install the application agent after a reformat? Does Windows see it as a device and install the application layer as its driver? Does it work at all under Linux?
Why would you need to put a fixed ProxyClientConfig.xml on a local webserver pointed to by the hosts file to stop it from redownloading the bad one? Just plain redirecting update.bluecoat.det.nsw.edu.au to 127.0.0.1 without running a server should make it fail to connect.
WIA doesn’t work anymore, nor does “Run As Administrator”.
Doesn’t surprise me, XP keys from previous computer rollouts (non-DER) are frequently used for home XP installs.
Computrace will install itself (not sure what method) on any system (some have said not a GPT partition table).
Good point about the xml file, really should’ve thought of that.
yeww
fully just unblocked all exe’s
so easy guys.
just use your head (:
Yea as the laptops still need to run programs, if you run as Admin in a System Folder, it will still work.
Ok now, let me make this clear to you. The current winning (strongest) group policy object (GPO) on the netbooks is the DET’s near unhackable group policy. 80% of blockable content is being blocked. If you wish to find out whats being blocked, you need to hold down windows + R (run command)… run cmd, and type GPRESULT /H %homepath%\GPRESULTS.html
This will give you the current Group policies info. You need to gain access to an account where you can create a GPO that will be stronger than DETNSW_DER_Lockdown. This is currently the Winning GPO. To make a stronger GPO, create something that will allow it all and is CLOSER to what it is allowing that what DETNSW_DER_Lockdown is. If someone makes a GPO that does this, email it to me nathan.davies-lee1@education.nsw.gov.au
Wow, epic fail posting your DET email here.
So run-as-admin works if the EXE is in a system folder… Does running cmd.exe as admin then using it to start apps not in a system folder work?
Try creating a shortcut to the program you want to run, right click and hit properties, change “start in” (might be “start directory” or “target directory”) to “C:\debug\WIA”. Post results here or on the wiki (http://breakout.ath.cx/wiki/) please :)
Nothing is unhackable.
This is the stupidest thing I’ve ever heard. By saying this, the government is just encouraging hackers, we live to meet the challenges we set ourselves regarding hacking.
Where’d the wiki go?
@Anonymous FYI my hotmail has 4710 unread messages. LAWL. I musnt subscribe to topics on forums, set my updates to whenever they occur, and start flamewars… ANYWAYS, Run as admin has been fixed. Serves me right for blabbing online to a journalist even. Here is what we shall do now…
Pull out the battery. Make sure the thing is discharged, so that way the CMOS battery is all thats left, no capacitors. Now pull the back off, remove teh cmos battery, flash the bios, ghost the HD to a backup location… and install something else to boot from, to rip apart group policies! or if you have a usb disk drive, and another computer at home, internet, and a blank disk and disk burner or a 2 gig thumb drive. Download Hirens Boot CD, load that on ur disk/usb, plug it in to your netbook/put your disk in ur portable disk drive and plug that into your netbook, and restart your netbook. If all works well, you can load mini-windows *boots from r: for ram* and delete your policies and other un-necisary crap. If you get caught, blame it on a virus! How else will they know? there is no antivirus on this piece of crap anyway other than windows forefront insecurity (no infringment meant Chasers)!
The new netbooks for year 9 2010 are even more locked down.
Apparently they disabled the “run as admin” function and if you tamper with it, the computer will lock itself.
I will be receiving one this week.
If anyone finds out a way to bypass and find any exploits with this piece of shit netbook, please e-mail me at doomcanon@hotmail.com.
Regards.
Doesn’t seem like i can take a jerk using these netbooks…
Its as easy as taking the hard drive out buying a new one or flash it and replace it in the laptops
guys i found out how to hack them in 3 easy steps that don’t include taking it apart
but why would i tell you?
haha unhackable thats y i hacked mine just take the hard drive out plug it in to another pc and run active password changer. haha i have full admin rights easy as pie then uninstall bluecoat no more blocked sites that was easy as thanks to the det for a easy hackable laptop for free yay :)
So how long did it take them to detect you’d removed Bluecoat and take it off you?
Everybody who keeps telling people to take out the hard drive to do any work on these: Google “boot from USB”.
haha nar im still on it now freak they havent taken it ive still got it haha by the way booting from usb is blocked XD
Ahh, they must’ve fixed that with the machines this year, it definitely let me last time.
i have one of these laptops and if you want to run a program on it you just install it on another computer then drag the install files to tasks,
and if you want uncensored internet you create your own proxy server (which is easier than it sounds, there are countless free webhoasting sites)
Hey to those hackers out there…
If you guys are up for it and so good at hacking. I reckon you hack the “unhackable” laptop with the actual school edition S10e lenovo ideapad and show proofing that you could do it by providing the whole proof and instructions that could be done…
just chuck it at a bloody iceberg. then we’ll see if it so “unhackable”..
hey i hacked the administrator, it wasn’t hard at all
Hey Guys just thought i’d let you know that it is easily hacked by setting up a vulnerable service (Not Going to mention which one) to run a portable file manager and then start the program in the system folder which allows you to change yourself from interactive logon to Admin giving you complete access LOL PWNED by a year 9
Open My documents.
type in C:\ then press enter.
go to Windows > System32 > catroot2 > then in one of those 2 folders you can put anything in it and it will run it as administrator because it is in the C drive.
dont say it doesnt work because it does.
SG2211
The wiki (http://breakout.ath.cx/wiki) seems to be removed. I’d like to offer my thoughts, this is for the IBM Thinkpad lenovo mini 10 offered to students this year.
This is made difficult to use regular hacks because of the following reasons:
1.The BIOS is locked down and doesn’t allow booting from other sources.
2.There is a “Tamper evident sticker” that will show if someone has opened the back panel in order to access the hard drive or CMOS battery.
3.Changing system policies will result in a bricked laptop.
An idea I had was to get a portable virtual machine program (eg Portable VirtualBox) as this does not need to be installed. In a virtual machine, install the operating system of your choice, you have 2 options from here:
1. install an anonymous webproxy in the virtual machine and use it to browse the web through your locked down Windows 7 environment…
2. use the virtual machine to browse the internet and install software.
I’ve tried as others have suggested to place these inside:
\program files
\WINDOWS\Debug\wia
But group policies stop me from running the .exe files
I’ve had more luck with:
\Windows\System32\catroot2\{heaps of characters}
The .exe file was allowed to run but Portable VirtualBox v3.2.8 failed to start – I’ll need to try different programs…I hope this helps others.
I’d also like to warn people that there is a so called “hack” on youtube from user: xvidet. There is a link given in the description to download it, I’ve just finished reading the .bat file and it is nothing more than a prank…at the very least, it will produce 3 messages ment to annoy the user on login and may or may not brick the computer.
I’ve subscribed to this topic and will be as helpful as I can with this, however, from tomorrow I will no longer have the laptop as I am returning it to my little sister.
Cheers,
Griffo
I gave the laptop back to my sister today, but I managed to try several different portable virtual machine packages with mixed results:
1. Portable VirtualBox – No luck getting the program to start properly, the process starts but nothing happens. I don’t have another Windows 7 computer to try this software on (it could be a Win7 issue?) I didn’t try using compatibility mode for this, I forgot…I believe this could still a possibility.
2. Portable Virtual PC 2007 – (http://fliiby.com/file/3820/21wrvq90ui.html) It worked great on an XP machine, but when I put it on the DET laptop it gave error messages, I tried compatibility mode with no joy…I’m unsure if these problems are caused by the locked down state of the OS or if it is due to non compatibility issues with Win7
3. Qemu for Windows – I successfully installed a virtual machine (WinXP SP3) and ran it…but without being able to install KQemu it runs too slow to be useful for an OS with a GUI. All is not lost though, I believe it is fast enough to install a small distro of Linux (without X Windows of course) and use it as an anonymous proxy for the host operating system, this would get around Bluecoat as it doesn’t block addresses in the same network as the local machine…I’ve never built a anonymous proxy, does anyone know of a good howto or package for this?
Another contender would have been Bochs (pronounced box), it is another open source portable virtual machine package but I ran out of time. It has a few features that may make it faster than Qemu (without KQemu installed).
It is unlikely that I will have another opportunity to play with this laptop within the next few weeks, but I hope I’ve given people a few ideas that will help get around the limitations set in place by DET NSW.
Cheers,
Griffo
GAINED ADMIN WITH IN A WEEK OF HAVING IT, UNINSTALLED PROXY, PARTISOIONED HDD TO RUN LINUX. HAVN’T BEEN CAUGHT YET.
Do you care to let anyone know how you got admin access without tripping any alarms? What was required to perform this?
Did you manage to gain access to the BIOS to change the boot order so that you could boot from CD, USB or NIC allowing you to install Linux?
@TRICKY
I call bullshit
I’d forgotten about this (sorry), but I did manage to make a web/URL proxy on my local server using glype-1.1. If you want to do this, you’ll need to add the following packages if you’re in a linux environment:
php5, php5-curl, curl
also, you’ll need to give your webserver write access to /var/www:
chown -R www-data:www-data /var/www/
The problem is, if you do this as a virtual machine on the DET laptop, QEmu will get stopped at the firewall…that was a little short sighted.
The only way I can think of to get the DET laptop to surf the web unrestricted is to create a URL/web proxy on a local computer inside the local network at home. I’m pretty confident this will work as Bluecoat doesn’t seem to block websites on a local network. What happens is the laptop submits a URL on the webproxy and the server fetches the page and serves it to the laptop…imagine going to http://google.com.au, on your local webproxy it would be something like:
http://192.168.0.2/browse.php?u=Oi8vd3d3Lmdvb2dsZS5jb20uYXU%3D&b=2&f=norefer
If don’t have a spare computer to dedicate for this purpose you could VMWare Server (it’s free to download and use) on another computer then install a virtual machine to do the job, I prefer this to QEmu (as I suggested in an earlier post). It is also easier to set up the virtual network card (or you can just bridge a physical NIC).
Cheers,
Griffo
@TRICKY
I (like a few before me) am here to help…not to make a name for myself or bullshit. Either be helpful or bugger off, no one likes wannabe’s.
As far as running proxies is concerned.. you could always run a proxy on your PC at home and tunnel to it.
Just for the record… Port 143 is allowed full outbound communication in DET Networks (I’m assuming some legacy compatibility with Mail). You don’t have to go through a proxy server. All you’d need to do is get PuTTY running and maybe PortableFirefox.
Not sure how bluecoat plays with weird ports though…
Port 143 is used for IMAP (a type of email service)…I wouldn’t call it legacy, but interesting to know.
I didn’t realise that PuTTY was capable of port forwarding…that’s a pretty good idea! For all those people reading this, you can redirect port 143 to port 80 using PuTTY.
Google: putty port forwarding
for instructions, source port is 143, destination is 80…
Use portable applications and run from the directory suggested a few posts ago.
Firefox will need to be directed to port 143 though…you can try surfing manually by adding :143 to each url, eg. http://www.google.com.au:143
Although you should be able to change the “proxy settings” inside firefox to point all http traffic to 143…
Can someone let us know how you go?
or u could just take the hard drive out and use active password changer the change the password then login as admin and uninstall bluecoat :)
They are very hackable,
My friends and I are constantly getting new proxies that are blocked in like a month so plenty of time for doing whatever,
Teachers logins for the Internet are very easily hacked by working out there secret question which is usually simple.
I had been running and installing anything I wanted from the cat root folder buried deep in the system, but somehow the school IT guy found out, i got the laptop back in a week, with a new hard drive and a tampered sticker but it was registered on his system so I can open it up and not get in shit.
And I changed my bubble screensaver in system 32 which was cool.
I’ve heard of ppl running os from USB but I’m not going there caz I want my laptop for yr 11 and 12, but yea they are hackable :)
Using proxies is not hacking.
Cracking teachers is not hacking.
@ The Master
You can’t remove the hard drive as there is a tamper proof sticker over the cover…however if you could that would work.
@Auskid
Finding a new proxy isn’t a hack…besides, if you run a proxy from your own computer it will never be blocked (see my previous replies).
There are lots of stories of people running operating systems from USB’s (none of which are confirmed)…but no one will say how they changed the boot order to allow booting a USB device, they sound like dreamers to me.
The ones issued in 2009 could boot from USB (I did it myself and was able to run Hiren’s off a USB stick). They locked the BIOS down in the 2010 ones and I’ve got no idea how you’d change boot order in those without knowing the CMOS password.
Lol, just fucked the laptop up, need to reset CMOS n ow :(
why did u post the boot password, now its gonna get patched
The cat root folder is blocked by group policy and you now need permision to paste things in systems 32
Anyone got anything?
Yea ive got admin now. No need for folders now.