------------------------------------
Hacking ICLASS LAN.
by Xenocide [806] 3/2/95
------------------------------------

If you are in high school and in some sort of computer class, you might be
working on the ICLASS LAN.  I will explain different, working techniques on
how to do things with malacious intent.  I saw a lot of people on alt.2600 and
friends wondering how to break the security, so here you go.

The file is broken into these divisions:

I    What is the ICLASS
II   Using the ICLASS
III  Getting in
IV   Hacking
V    Drives and Directories
VI   While in DOS
VII  Causing Havoc
VIII Optional Utils/Updates
-------------------------------------------------------------------------------

Ed. Note: The ICLASS LAN can be thought of as a UNIX machine or variation.
It uses the same login procedures (username/password) and, like, a UNIX
machine, has variations from other machines.  I am using examples from my
machine, and yours could be the same, or different.

% What is the ICLASS

The ICLASS LAN is really known as the IBM Classroom LAN used in high schools
and some junior high schools.  Being released by IBM, we can all guess that
the security will be lax and mundane.

% Using the ICLASS

Any student probably knows how to use this since you are in the class.  Even
though, it's very simple.  The LAN is just a series of menus with a lightbar
to scroll up and down to select the options.  Basically, it was made for any
idiot.

% Getting in

Of course, this is probably the most important part.  First, you have to see
how the accounts are setup.  The account names are setup in these 3 ways:

   Account:   Explaination:

 - bjohnson   Combination of first letter of first name and full last name.
              Similar to a unix account. (ie: Bill Johnson)
              Accounts maybe setup using some sort of a combo of your name.

 - Student1   The # of the student.  Obviously, Student1 will be the teacher.

 - 1          Same as above, just a number.  This is the most likely setup.
              1 will be the teacher.

* You get 10 characters for a username.

 When you login you will probably see this screen or something similar with
 the description of the LAN at the top:
-------------------------------------------------------------------------------
  Enter your user ID:                   Server: ???

                                        [F2]=Passthru
-------------------------------------------------------------------------------

* [Server: ???] is the server you are working on.

 After seeing how you can login you, you must actually get it.  Naturally, the
 teachers account will be the best to get it.  But sometimes there is just a
 simple password on the account and you don't have enough time to crack it.
 The other methods to get in are to use your account.  This could be dangerous
 because the logs will pick up who did it.  So, try and use some others.
 As you see above, there is an option that says [F2]: Passthru.
 Is does what it says.  Enter the account # and hit F2 (It would be
 best to use the teachers account and hit F2.) The most
 easiest way to get in.  The only snag is, is that it can be disabled.  As
 the teacher did at my school.  If you can't do the passthru, and don't
 want to use your account, then you must do a brute force approach.
 This is just done by entering account # after # and seeing if the account has
 a password. There are 10 accounts at my school that are unpassworded.  Enter the account
 # and it will automatically log you in.  If you go through everyone, and there
 is not an unpassworded account, there is usually a guest account.  The guest
 accounts are usually labeled guest1, guest2, etc.  Even though they might have
 a lower access than a regular account, it can be done.  They are also usually
 unpassworded.  So, if you can get in with the pass through, your account, an
 unpassworded account, or brute force, the only other way is to ASK someone
 what their password is (but not smart people).  80% of the time you can get
 the password from them.

% Hacking

Hacking the ICLASS is so simple.  There are a million things to do and every
technique I will show you works.  If you aren't interesting in hacking, skip
down to the Havoc part.  First off, you get this menu when are in the LAN:

  ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄClass and Group SelectionsÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿

                          Micro. Applications 7th

  C ù Change Password
  N ù Network Printer Control
  R ù Remove Files
  P ù Print Now
  L ù Logout

   To run a program from drive A
      hold Ctrl and press [A]

Selection? ( ÄÙ)
-------------------------------------------------------------------------------
As I said, some options may not be there, but the last 5 will almost definatly.
Here is a quick run down of what they do:

Change Password:  Changes your password.  Nothing special.

Network Printer Control: Changes your printer output.  Nothing big.  If you try
to print, nothing will happen if you change the output.

Remove Files: Remove files from your personal directory.  This is not big
because this is your own directory.

Print Now: Prints.  Nothing big.  Sometimes can be disabled.

Logout: Logs you out.  Nothing great.

    You usually have to go to the Class Selection to go to the programs that
you can run.  You will see the same options as above except for the programs
that you can run and, instead of Change Password, it will have:
<- ù Esc - Return to Main Menu

Now, you have to you use the options the teacher gave you.  I think the best
program to hack the LAN is to use Microsoft Works.  If you have it, you are home
free. If not, there aren't a lot of ways to get it.  Skip to What To Do In DOS
if you don't have Microsoft Works.

In Microsoft Works:  First off, you need to use the <O>pen command in <F>ile.
This gives you access to the most of the computer.  You can snoop around all
you want, but the main drive (or partition) is H.  This is all of the student and
admin directories.  The directories are setup like the student ids are.  The
only bad thing is that you cannot go into other student directories except your
own.  On a very weak system you can, but usually you cannot.  This also goes
for the admin directories.  But you can go through any other directories and
open them up. If you have the time, you can open a file up and view it to look
for certain things.  If you get an error that it can't open, then click on
[X] Read Only in the Open menu.  A map of all the drives is in the next
section titles "Drives and Directories."  The other two useful commands are:

þ File Management
þ Run Other Programs

They say what they mean.  File Management will let you copy/move/delete/format
a directory/disk.  Any moron can figure out what to do.

Run Other Programs explains itself.  You can run any program you wish.  By
default, a "DOS Shell" is made.  If you have this option, this is the easiest
way to get into DOS.  If it is not there, just select Add and type
COMMAND.COM as the file to run.  Naturally type exit to return to Microsoft
Works.  You can add any other programs you want, but it is useless if the
"DOS Shell" option is present.

Now, if you don't have Microsoft Works, there are still ways to hack it.
If you look at the screen capture above of the menu options at login, you
see "[Ctrl]-A to run program from A: drive."  Well, bring your own disk up
there with a trojan or whatever and you can run it from there.  But sometimes
the option can be disabled, like mine is.  You can also put COMMAND.COM on
the disk and run that.  Type 'Exit' to return to the LAN, but remember to run
the same version of COMMAND.COM as the one is running on the LAN.  If it is
an old version such as 5.0, then you might have a problem.  If there is a
program that will copy a file, but not run it, then copy C:\COMMAND.COM to
A:.

Lastly, the ICLASS contains a major security weakness.  It uses a 3-letter
combination while holding the alt key to do certain things.  The most
important is <alt>E S C.  (Look at your escape key).  When the combo is
pressed the LAN is ended all together and the easiest way to go back is
to reboot.  But this also gets you -direct- access to DOS.  Now you can
do whatever want.  This can be disabled, but usually it won't.  Other combos
probably exist, but I haven't figured them out.  Look for updates.

% Drives and Directories

Naturally, the drives can be setup very differently.  Most of the drives
that are on mine are substituted.  This is the map of mine, yours can be
very different, but you can see what directory does what.

A: Floppy Drive
B: (Optional) Floppy Drive
C: Main Root: Usually only contains DOS root files.
F: Mirror of H: and the heart of the LAN.
   \ADMIN - Teachers Directory (Restricted..cannot view files)
   \CLASSES\(admins)\CLS? (Classes - by period)\MENUS (menus when you login)
   \COURSES - The programs you run at the selection menu
   \GENERICS - ????
   \LOGIN - Login files
     \AUTOLOG  - nothing
     \AUTOLOG2 - Login files (Can be fun to change them up)
   \LANFAN - nothing
   \LANSPOOL - MS Works reports it can't find the file.
   \LOGS - Goes to your personal directory
     \(admins)\CLASSES\(user number)
   \LOTSSHARE - Nothing of importance
   \OFFAPPS   - "                   "
   \OFFCLASS  - "                   "
   \OFFICE    - "                   "
   \OFFLOGS   - "                   "
   \PS2TAPE   - "                   "
   \PUBLIC -  Contains most vital files (ICLASS/DOS/etc)
     \DOS  - MS DOS directory
   \STUNDENT\(student usernames)
     \MENUS\  - Follows student username is this format: ??______.__#
                ie: user # 10 would be 10______.__# as the directory.
   \SYSTEM - nothing
   \TEACHERS\(admin name) - Restricted

H: Same as drive F:
L: Substituted drive for the \AUTOLOG(2) directory in F: or H:
T: "                       " \TEACHERS directory in F: or H:
W: Substituted drive.  Usually contains nothing.
X: Drive created by teacher that is used for the files we work on.
   Substitituted and worthless.
Y: Substituted drive for the \PUBLIC directory in F: or H:
Z: "               ".  Nothing of importance.

% While In DOS

While in DOS, you can do whatever searching you want.  Remember H is the
important drive, but other nifties can be elseware.  Also, the LAN adds
certain new commands.  One of the most powerful is SESSION.  Play around
with things.  For example, go to USERS (in SESSION).  It will then ask if you want to
view a users info or send a message.  Choose an option and then it will give
you a directory of the users.  The View Info option is will be useless.  It does not
show the password as you would hope.  To send a message, choose "Send a
message" and choose the username.  Type your message and it will automatically
send it, whether they be in Works or another program.  It will then display the
message and they have to hit Cntrl-Enter to clear it.  The bad thing is, is
that is broadcasts your user id in this format: From: 100[12]

100 is the user name, and [12] is the computer they are working on.
So even if you logon as guest, they can still see what computer it was sent on.
Of course, more than 1/3 of the people won't know that.

% Causing Havoc

Just being a plain *asshole* is just SO easy.  Here are some things to
try and do:

þ Hog memory.  Load as many TSR's as possible in upper memory and then
  start with the conventional.  This will cause it to be slow as hell for
  the other computers or whoever uses it next.

þ Go to Microsoft Works and create a chart.  Then select the printer control
  from the <P>rint menu to a graphics device.  Then print the chart.  It will
  take about 5 minutes to print the thing and slow everything down.  Very
  good if you print it over, and over, and over....

þ Make a spreadsheet in Works and make it print the WHOLE thing.  There are
  over 2,000 columns and 200 rows.  GUARANTEED to piss the teacher off.

þ After you login and you get your menu with all the options, hold down the
  Print Screen button.  This will majorly fuck up the printer and the lining
  will go off.  If this over and over, the paper will start riping and the
  teacher will be very pissed off.  It's even better if you speed up the
  keyboard cps rate to 30.  Hold it till it starts beeping, let go and do it
  again.

þ Login under another user and delete all the files in their directory.  I
  do not condone this at all, but if you want to be an asshole, go for it.

þ Get the Dir Trojan that creates thousands of directories in about 2 seconds.
  Login under a guest, drop to dos, leave it running, and turn the
  screen off.  By the time someone finds out what it's doing, I am sure the
  root will be filled up with directories and there might be a possiblity
  that over 1 million directories made.  But the command DELTREE kinda takes the
  fun out of it.  But there still will be over 600 new directories in the root
  drive.

þ Change the autoexec.bat for the file.  Have it do something fun for the
  next user.

% Optional Utils/Updates

The only utility I have found on hacking the ICLASS LAN is to collect
passwords.  It is available on my board.

As for updates, I plan to release an update file on some more precise
information (such as the new commands it adds in DOS).  If you have any
thing at all to contribute, you can contact me a the address below.

-------------------------------------------------------------------------------
Xenocide