Before I begin, I would like to address that this is gray-hat hack at most, and that I do not want to do any malicious acts like a black-hat would.
This school year is coming up quite soon, and I wanted to exit high school with a little fun. My school, like many others, uses SchoolLoop. Each school has their own site which will look different, depending on the creator's design choices.
2 example sites (not my own school's):
Example 1
Example 2
What I would like to do is change this site's content. Nothing too extreme though, on the off chance that I get caught. I have already learned HTML, so that is not a problem. After doing a bit of research, I found that the staff member that has control of the site can edit it at anytime.
So what I need to do is either a) take control of SchoolLoop itself, or b) get that staff member's account.
Since the first is much harder to do, especially since I'm only a novice, the second option is the best choice. However, the problem is that I have no idea which staff member is the one in control of said account.
Currently, I have a few ideas. It would greatly help if you could build on them.
- Do some extra recon during the school year and find out who has the account. This might cause suspicion when I do get the account since I might be the only person who asked.
- Since SchoolLoop is not a secure site, not using https, I could use a man-in-the-middle attack to keylog usernames and passwords. This won't work so well if I don't have a specific target in mind, though.
- This one is a bit far-fetched. Somehow getting a key logger on every device on that connection. This is somewhat black-hat, in my opinion, and achieving this also seems quite difficult.
- Some sort of social engineering where the staff members click on a phishing link or download some file that has an embedded key logger.
If anyone could add on to this or give suggestions, I would greatly appreciate it.
5 Responses
If your school site has a login system or a student email system then you can try brute forcing with THC-Hydra.
Your best shot is that the teacher who'll have it will be either the principal,deputy head , one of the technicians or some sort of head of department which should narrow your targets. Try sending phishing emails to those few emails with a keylogger attached.
I recommend instead of trying to change the website you should try and d-dos the website. There are tools like LOIC which would do the job and would be much easier to use.
*all educational purposes
This is what the login page looks like. Users get to choose their login name, so I won't be able to brute force without that name first. However, the "Forgot password?" option lets you put in an email. Since I can get most staff emails easily, it's all a matter of getting that email password and going from there.
Also, what would I able to do after DDoSing the website? Would I be able to do anything else once that happens? If I can't, it doesn't feel like a prank because the site will just be down and no one would really bat an eye at that.
Find out who the staff member is, see if a kid is in that staff members class or close to their computer. Get a usb rubber ducky and export their chrome/ie passwords they may have the passwords for schoolloop there.
Some users, like me and many others on Null Byte, don't have our passwords autosaved on our web browser. In that scenario, what other options could I do with the rubber ducky? Have it inject a key logger or something similar?
Yea, you can do that with the rubber ducky and powershell. You could also have it create a rule where every couple days (or specific day ) it emails you the log file.. Then delete it. You would have to program that into the ducky obviously, and test it make sure you dont get caught.
Share Your Thoughts