A challenge for me, a challenge for you

[hoffman-log.livejournal.com]

Hey guys. Haven't posted here in a long time, but I have a good one for ya. Now, I know this isn't about bitching about crappy customers, but it's an interesting chance to test your skills, and possibly make some money too. My network teacher last year seems to enjoy doing these "challenges" where he sets up a system to be "unhackable" and offers a reward to anybody that can hack the system. Here's the specks.

The machine is protected by Hard-Guard. Read up on it. The basics are that any changes you make on the computer are lost once you reboot.

The system has a BIOS password. I have successfully passed this. The system setup password, however, is different. I have not yet cracked this.

The computer is a Dell Optiplex Gx1, BIOS version A07.

The computer will not boot into the OS. You must get past Hard-Guard first (so technically anything after this would be pretty much easy to do).

The CD-ROM is disabled (in the sense that the power cable is unplugged)

Same thing for the floppy drive, also the zip drive

Wake on LAN is disabled

I cannot make any hardware changes (like opening the case and removing the card)

Last year I was able to get around this simply by popping in a CD and re-installing the OS. Going by the above information, that's not possible this time around. So I've been trying a few other things, like hoping the "human" factor plays into it (i.e.: His windows password is the same as the hard-guard password). Thus far, however, I haven't been able to connect L0pht Crack successfully to the domain controller (from a different computer on the same network).

The ultimate goal is to boot into the OS, install Kazaa, place a folder on the desktop titled "HACKED", reboot, and have the installed changes remain (because hard-guard is supposed to wipe all changes clean).

I'm smacking my brain on the wall over this one and I gotta say, this one is really difficult... Any suggestions would be appreciated, and I will gladly split the reward money with anybody who provides any suggestions that help lead to a successful hack.

_MaH

Comments

[inahandbasket]

from the site faq: "When your computer is set up and operating exactly the way you want it, you save the hard drive image using HardGuard's BACKUP feature. BACKUP is on your startup menu, along with RESTORE and NORMAL. You may have guessed by now that you can select BACKUP, or RESTORE when you start your system. BACKUP saves everything about your computer the last time you used it. If you select RESTORE, your system is restored to the last BACKUP image you saved. If you just want to use your computer the way you did last time, select NORMAL and you get the same software you had last time."

so if you can get into the hard guard startup menu you can boot the system, install your stuff, reboot, and hit backup to save your changes.

i assume that your issue is getting a password to access that menu of hard guard?
You've got me all intrigued now.

Re:

[hoffman-log.livejournal.com]

Yeah that part is pretty much obvious. The thing here, is that something on the system is keeping it from booting into the OS. Everytime I get past the BIOS password, a Hard-Guard window comes up and says that a CMOS change was detected. I then have three options:

Restore

This will revert the system back to what it was before, reboot the computer, and incidentally, will lead right back to the above mentioned screen :-(

Analyze

This breaks down what changes it says it's noticed. The problem here is that before I can see that screen, it asks for a password.

Backup

Takes the detected changes, and makes it a part of the new backup. Again, a password is needed.

So the issue here is getting past Hard-Guard. I was wondering if anybody came up with anything I might've missed, or if there was anything I could possibly do (with my limited access) to the BIOS, hence why I provided computer and BIOS type.

I think I'll call the company and ask if they have a backdoor on the product... Of course, they'll probably just tell me to remove the card. :-(

But I'm glad I got someone interested... I personally love these kind of challenges!

_MaH

[inahandbasket]

I've been googling it hard, there's remarkably little out there about it.
I feel like there was a 2600 article on it (or a similar hunk of hardware) awhile back, but I could be wrong. They don't have articles posted on their site, it pisses me off.
"Yeah rah rah free software, free information, but not ours. :P "

Re:

[hoffman-log.livejournal.com]

This was interesting, I called the company that manufactures Hard-Guard, and SE'd some info out of them. Anyway, long story short, it sounds like there's a backdoor password of sorts to the card, but they can't give it to me. So yeah, I've been googling it hard too, and getting remarkably little as well. What was the 2600 link? Haven't come across that one yet...

_MaH

[inahandbasket]

hmm... random though.
Could you lock out that card from being loaded? maybe create an IRQ conflict in the BIOS by manually assigning them? disable slots?
I know some BIOS's I've seen you could do some pretty low leve stuff in, it'll depend what that one's set up like.
Worth a try though.

Hmmm....

[hoffman-log.livejournal.com]

Good thought... I can honestly say I didn't think about that, however, I don't remember coming across that option in the BIOS. Regardless, even if the option WAS there, I still need to get around the setup password :-(

_MaH

Re: Hmmm....

[wesmills.livejournal.com]

Is popping the case allowed at all? If so, you could pull the power jumper.. Even if it's not OK, you could still try to put a coat hanger through the air vents and short the battery. ;)

What info do they need to give you the master password?

Re: Hmmm....

[hoffman-log.livejournal.com]

Sorry. My friend came up with a clever question:

"Is it that we can't open the case, or just that we would have to get around the lock on the case?"

We're pretty good at picking locks... Anyway, no, you can't open the case. Boy wouldn't that make it easier? I'm not sure what info they need. I told them I was an assistant network administrator for a company, and that our head administrator installed the product last week. Anyway, we need to make a critical update, our head admin. is on vacation and we can't reach him, and he's the only one with the password and key to the server room and server case.

Either the guy saw through me, or something, because he didn't ask me for any additional information, and just said "I'm sorry, I'm not allowed to release that information." I read this as "There is one but I can't tell you", otherwise he probably would've just flat out said "Sorry, there's no backdoor on Hard-Guard." So now I'm scouring the net to see if anybody else has managed to crack hard-guard, but so far, nada.

_MaH

Re: Hmmm....

[inahandbasket]

ah, you just bypassed it. I see. thought you broke through it.
and no physical access to internals to short out the bios settings... ugh.
2600 is here, used to be the most respected hacker zine around, but it's gotten very lame of late with it's increased public profile. most of the stuff in there now is common sense or script kiddie-ish. used to be a great resource for geekly knowledge.

Re: Hmmm....

[hoffman-log.livejournal.com]

Hah. No I know 2600's website, I was just thinking you came across a specific document/page on the website with info on it. Ah well... No, I passed the boot password, and then hit the key to enter setup. It then wants a password before I can change anything. It will let me scroll through and see all the settings, but I can't change any without a proper password.

I still think the most frustrating things for me are the disabled CD-ROM and floppy...

_MaH

Re: Hmmm....

[inahandbasket]

ah, no. just always bugs me that you can't search for something you remember from an old mag.

good luck with your attacking it, it'll be bouncing around my head for awhile. ;o)

Re: Hmmm....

[hoffman-log.livejournal.com]

Thanks... Something I thought of but have my doubts on, is if it checks any kind of external devices for boot instructions. The CD-ROM and floppy don't work, but I have a portable USB device... I don't think I'll get anywhere with that though...

_MaH

Re: Hmmm....

[inahandbasket]

it is possible with newer computers/bioses and some USB drives. it's a pretty iffy prospect in the best of circumstances though.
Worth a try, but don't hold your breath.

Re: Hmmm....

[hoffman-log.livejournal.com]

thanks. It's an older BIOS version though, so I doubt it. Anyway, I'm going to try something that helped a little last year (when I successfully did it). I'm banking on the human element of password security. HOPEFULLY his windows login password is the same as the Hard-Guard one. I installed LC4 to a CD and I'm going to try to crack it. If anything, this should at least get me administrative privilages to the network and other resources.

_MaH

Re: Hmmm....

[inahandbasket]

keep us updated.
;o)

Re: Hmmm....

[oddball42.livejournal.com]

also something to think about you can have apps and such ready to run set up on your little usb device. then you could do something from there and have the apps there, but if you can actually log in to the internet, that would only mean you could save info, wich in and of itself could be useful.

AAAAAAAACCCCCKKKKKKK

[hoffman-log.livejournal.com]

Between this, and a problem my dad's been having with his laptop... well...

Did any of you ever work around so many complex computer things that after an hour or so of it you no longer feel computer-smart, but more like an absolute brain-dead drone?

I think my mind has shut itself down as some sort of defense maneauver...

_MaH

[akage.livejournal.com]

I'm still curious how this fraggin' thing works.

I'm slowly making my way through the technical FAQ now. Interesting...the supervisor password is stored in the boot sector. Might be a crack there, though I'm not sure what at the moment.

It's too bad it won't boot into the OS. One potential way to at least crash it, if not hack it, would seem to be attempting tons of minute file changes, perhaps eventually overloading the Hard-Guard's onboard buffer.

Side note: This thing must play hell with a defragger.

The two routes I see are:

1. Cracking the Hard-Guard supervisor password. Obviously, that gives you pretty much free reign.

2. Somehow getting in enough to either wipe or hex-edit the boot sector. Is this FAT, NTFS, Ext2 or what? Also, what OS?

Re:

[hoffman-log.livejournal.com]

UPDATE: I have access to the OS. Let's try that boot sector idea. Any suggestions on programs available for such a task?

_MaH

[akage.livejournal.com]

Norton DiskEdit, or a shareware clone called PTS Disk Editor (http://www.geocities.com/thestarman3/tool/de/PTS-DE.htm)

However, those are somewhat older apps that may not work with NTFS. My idea was that you could use hex edit to scan the first two sectors and see if the password shows up (I used to use this approach on Commodore programs back in the day). However, I'd be a little surprised if they didn't encrypt the password. Still, you never know.

You could also just wreak havoc in the boot sector, but then you end up with a machine which likely won't boot. If your goal was to crash, not hack, that would be fine.

Frhed is another option that might work with newer systems. (http://www.geocities.com/thestarman3/tool/frhed/FRHED.htm)

Re:

[hoffman-log.livejournal.com]

Oh one more thing on how it works. My bet is that hardguard stores the file accolation table (or whatever it's called in NTFS) in flashable ROM on it's chip. Then, it takes over all input/output functions on the harddrive, essentially leaving the table on the HD untouched. Then, when the system is rebooted, it reverts back to the table on the hardguard card, thus "erasing" the files.

So, yeah, defragging must be hell for the thing (see thought below) and I've wondered what you could come up with if you ran Norton Restore or some program like that on the HD.

I've been thinking about a defrag approach... Last year when this (virtually) same challenge was presented, I bypassed hardguard by reinstalling the OS. I guess hardguard is setup to check for something like that. Anyway, after that discovery, they disabled the CD-ROM. I'm curious if file read/write control exercised by hardguard is suspended during a defrag process...

The above, however, wouldn't work since I don't yet have administrative privilages. I've been trying to l0pht crack the thing, but it says i don't have the privilages to access it. Must be a LC4 "feature". Also he stepped in and said I couldn't use l0pht crack.

But when I was poking around the registry today he was making comments like I was really close... Anything I could access in the registry that might help?

_MaH

[daerlyn.livejournal.com]

Any updates? I have no advice, but I'm quite curious about how this is going.

Re:

[hoffman-log.livejournal.com]

I threw in the rag. Unfortunately these were the final days of my "I have nothing to do" state of affairs. Now I have a job. A job serving people at Ruby Tuesday. Great restaurant, mediocre job. But where the hell did my free time go?

_MaH