June 22nd, 2005 12:58 AM
Just so people know, I'm a 15 year old high school student who just finished grade 10. I noticed that you're advertising Deep Freeze under security products. Admins at my school are in love with Deep Freeze and think it's the answer to all their prayers. According to testimonials on their site, it is uncrackable and I've even heard tell that there have been competitions where computer experts try to crack the program. Now I know that what I'm about to say probably won't go over well with some of you, and I hope I don't get banned or anything as a result. I just want you to know that it was never done with malicious intent and has never been used to do anything wrong. That said: a friend and I decided we wanted to try to crack Deep Freeze. We took the program winhex and found the password hash located inside the Deep Freeze program. Next, we found the version of Deep Freeze that was being used on the school system and downloaded that same version at my friend's house. We then set the password on his computer to "a" and examined the password hash that resulted. We continued until the password hash on his computer matched that of the school's. Upon trying it at school the next day, we realized that we had indeed successfully obtained the password. Incidentally, it was also the password for the school's admin account. I was just wondering, does anyone know if this is still possible on newer versions of Deep Freeze, or did we only manage it because the school hasn't updated? The entire process took only a few hours and it seems to be a pretty big security flaw to me.
What meaning has my life that the inevitability of death cannot destroy it?
June 22nd, 2005 01:08 AM
What version of deep freeze was your school running?
If I'm not mistaken, the hash that Deep Freeze creates is based on the password as a whole, not per letter. So the word apple would be completely different than if you string together the hash for a-p-p-l-e. So it is still doable, but it should have taken days, if not years, for any decent password, especially if you went at it manually.
June 22nd, 2005 01:12 AM
That's what my thoughts on it were as well. With that being the case you would need some sort of brute force prog that would keep trying combinations until it got a matching hash, and even then, without some sort of cluster running, you would be lucky to crack it in days, never mind hours.
June 22nd, 2005 02:47 AM
I can't remember the version of Deep Freeze because this took place earlier in the school year, but I could find out if you're really interested. It really did take only one day for us to do it manually. This seemed really short to me too, which is why I brought it up. Deep Freeze was using a different encryption method for each letter, so even though the password is CMSCMS all 6 hex values were different. When you think about it though, the method we used wouldn't take very long because we didn't have to get all 6 characters in one guess. The most tries it would have taken would have been around 270 if the number of characters usable in the password is 45. We got the Cs almost right away because we were going alphabetically. I didn't really understand what you were saying in your post valhallen. I wasn't talking hypothetically about the process because we actually did it.
I'll try to clarify what we did to avoid confusion: using the program winhex, we removed the password hash from Deep Freeze. For example, let's say it was F-5, I-2, U-6, R-1, E-5, Y-9. We then took another copy of Deep Freeze and set the password to "a". We compared the password hash to the one from the school and let's say it came out to T-7. Since that doesn't match up, we knew it wasn't an a. We continued through the alphabet to "c". When we tried the password "c" the resulting hex was F-5, so we knew the first character is c. Just repeat for each hex value in the hash to get the entire password. It's not a long process at all.
I think that's a little bit clearer...
On a related note, I'd like to get people's thoughts on what to do about what I believe is a terrible network system faulted by an incompetent admin. It's pretty bad when their default password for almost everything is the name of the school. I personally haven't done anything wrong with the admin account or anything, but my friend found copies of exams on the system that are going to be written in the next few days. There's potential to wreak all sorts of havoc and pretty much anyone with a moderate knowledge of computers could do what we've done. I don't think it would be a good idea to just tell the admin that we know all the important passwords and have compromised the entire network, but on the other hand, I think something should be done to make it more secure. Any thoughts are appreciated.
What meaning has my life that the inevitability of death cannot destroy it?
June 22nd, 2005 05:06 AM
Yes, I would like to know which version of Deep Freeze it is. To think a program like Deep Freeze would have such weak password protection amazes me. In fact it's to the point that I don't believe it and would like proof.
About the admin, send him an anonymous email just saying "your admin password is XXXXXX". Simple. He'll get the hint and change it.
June 22nd, 2005 06:27 AM
I understand what you're saying dialupdaemon, but I am with XTC on this one. Would a prog like Deep Freeze not store the password encrypted as a whole, rather than just a hash of each individual letter? Meaning you simply could not go through the alphabet a letter at a time.
For example, if the password was encrypted as a whole and we had the word cat as our password, its first letter hash would be different to, say, cut, even though both are C's.
So rather than having to simply go through each character individually, you would have to try whole words at a time. Which would pretty much be brute forcing it (dictionary attack?), or if you knew the length of the password (say 6 characters) you would have to try the likes of:
and so on, which increases the amount of possibilities exponentially.
This is the way I would expect a system like deep-freeze to store the passwords and would be quite interested as well to see a working demo of this flaw.
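An added toy model (my own constructed code, not Deep Freeze's real format and not from any poster in this thread) contrasting the two designs argued about above: the per-character storage described in the clarification post, and the whole-password hashing valhallen expects. The 45-symbol alphabet and the 270 figure come from the thread; the encodings themselves are assumptions.

```python
"""Constructed comparison of per-character vs whole-password storage."""
import hashlib
import hmac
import os

# Constructed 45-symbol alphabet, matching the "45 usable characters" above.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_.!?,:;@"


def encode_per_char(password: str) -> list:
    """Flawed design (assumed): each character is transformed on its own,
    position-dependent, so the stored value is a list of independent tokens."""
    return [hashlib.sha256(f"{i}:{c}".encode()).hexdigest()[:4]
            for i, c in enumerate(password)]


def recover_per_char(stored: list) -> tuple:
    """Why the flawed design is weak: each position is confirmed in isolation,
    so the worst case is len(password) * len(ALPHABET) guesses, not a power.
    Returns (recovered_password, guesses_used)."""
    recovered, guesses = "", 0
    for i, token in enumerate(stored):
        for c in ALPHABET:
            guesses += 1
            if encode_per_char(recovered + c)[i] == token:
                recovered += c
                break
        else:
            raise ValueError(f"position {i}: no symbol in ALPHABET matches")
    return recovered, guesses


def store_whole(password: str, salt: bytes = None) -> tuple:
    """Sound design: one slow, salted hash over the whole password, so no
    single character can be confirmed without guessing the entire string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt, digest


def verify_whole(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def worst_case_guesses(length: int) -> dict:
    """Exhaustive-search cost of each design for a password of this length."""
    return {"per_char": length * len(ALPHABET), "whole": len(ALPHABET) ** length}


if __name__ == "__main__":
    pw = "cmscms"  # the thread's example password, lower-cased to fit ALPHABET
    print(recover_per_char(encode_per_char(pw)))  # ('cmscms', 70)
    print(worst_case_guesses(len(pw)))  # per_char 270 vs whole 45**6
```

With the whole-password design a guess of "cmscmz" is simply rejected, telling the guesser nothing about which five characters were right.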
June 22nd, 2005 06:39 AM
I'd like to see an example of this as well... Now I didn't spend much time playing, but I opened regmon and filemon in a virtual machine and couldn't see any actions that screamed "this is the password being accessed"...
I couldn't see anything in the transactions that pointed to where the password might be stored, and a quick look through the registry and the files didn't point out anything that was identified as a password portion.
Perhaps you could give us a little walk through of how you determined this and where you looked...
I'm with val and XTC that the password storage methods seems a little far-fetched... but I'm curious to see your findings.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
June 22nd, 2005 10:10 PM
Please see this thread. I posted a text file on how to hack Deep Freeze. If I am not mistaken, this is what was used in this case (correct me if I am wrong).
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
June 23rd, 2005 12:28 AM
I have not tested Deep Freeze, but even if it has that kind of flaw you will not be able to run apps that are not allowed by the admin. As I understand it, the point of Deep Freeze is to freeze access and restore changes on reboot.
So you will not be able to use a hex editor without permission.
Correct me if I am wrong.
// too far away outside of limit
June 23rd, 2005 01:17 AM
That would depend on the config of the computer. Deep Freeze does not allow PERMANENT changes. You can install whatever you want, but when it is rebooted it all goes away. So yes, you could use a hex editor unless the account was locked down well enough.