Hacking into the School Server
School: Desert Academy
Area of Science: Cybersecurity
New types of hacks surface everyday, and in response the firewalls, and security protocols found on Internet accessing devices are upgraded, making it harder for the hackers. As the security gets better, the vicious hackers need more power. They get more power by using another device with more RAM. They could buy a more powerful computer, but they could also use another computer that they do not own. Servers are one such type of computer. They have connectivity to the Internet, and they have a lot of power. This makes especially school servers very ideal. School servers aren’t used all the time, have a lot of power, and often have very weak security, because there is no confidential information stored on them. This is the key for hackers. They can compromise a school server and then launch a bigger widespread attack from this machine, and at the same time go relatively undetected from the school, and the outer world.
We, as a supercomputing team, do not want our school’s server to be compromised because we all store information on the server. We don’t store anything personal, confidential, or incriminating, but we all have work stored on the server. This work would be great not to lose. We want to make sure that the server is well protected from such attacks for this reason.
The problem in our project is more of a question. Is our school’s server protected well enough to keep black-hat hackers out? To find the answer, we must compromise the system. As white-hat hackers, we have all signed an agreement to hack the server in an ethical manner. We have a series of steps to complete this project. Our first step is finding the public IP address, and then we then need to crack into the main server. From there, we need to navigate to find a folder on the desktop, and the secondary server. After cracking the secondary server, and the test-student account, we have proven that our school server is vulnerable. If we can break into the server, we will report it to the technology director, and the school’s administration. We will then help patch the vulnerability.
Progress to Date:
So far, we have tried to gather information about the servers. We have concluded so far that the 2 ports we can attack the server with is port 5900 and port 3283 is open. We were originally hoping that port 22 was open, because that would have given us results sooner, but the port 22 is blocked. We are currently searching for more targeted information about the OS of the server. Os stands for operating system, and dictates what, and how to computer works. For the purposes of actually breaking into the server, we are hoping that the server’s OS is older then the current version of the macintosh OS. Since we all have student accounts, we will try to use an attack to heighten student account privileges, to gain access to a superuser account called root, and from there try to break deeper into the server.
In the steps described in the “Problem Solution” section, we have found the public IP address, which is also the main servers IP address, and we are well on our way to hacking into the server. We have tested to see if the recent vulnerability named “Shellshock” has been patched, and it has not been. However, there are no programs to mount the shellshock bug. This is only one of the things that we have tried so far to gain access.
When our project is completed, we hope to find at least one hole in our school’s server. This is very probable, as the server appears to be running an older operating system. There are also security issues that students can access directly. For instance, any student can access another student account, as we all of read write and execute privileges on all the student accounts. This is one, very well known, vulnerability, that isn’t relevant to our project, but shows us that the security at our school is in fact lacking.
Mentor: Dr. Jed Crandall
"N/A." E-mail interview.
NVD. "Vulnerability Summary for CVE-2006-2369." Http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2369. NVD, 15 May 2006. Web. 20 Nov. 2014.
Wikipedia. "IP Address." Wikipedia. Wikimedia Foundation, 19 Nov. 2014. Web. 20 Nov. 2014.
Wikipedia. "Port Scanner." Wikipedia. Wikimedia Foundation, 14 Nov. 2014. Web. 20 Nov. 2014.
Wikipedia. "Shellshock (software Bug)." Wikipedia. Wikimedia Foundation, 16 Nov. 2014. Web. 20 Nov. 2014.
Sponsoring Teacher: Jeff Mathis
Mail the entire Team