sheepbyte

Powerschool (easy question)

29 posts in this topic

To answer the questions straight out...it looks like a 64-bit cypher which right away jumps to my head saying "3DES". Then I think harder and "Blowfish" is another 64-bit cypher...After more thought CAST-128 comes to mind as well. My brain hurts but these are the ones I can think of off the top of it. Just as an FYI. I would guess Blowfish or 3DES is the answer though.


I'm a student in Fresno Unified. I have an account to PowerSchool and I know my password and stuff. I just wanna log in as another student. How can I figure out the password? I already have the username.


Preface: I know very little about hacking (although I know a good deal about cryptography). I got a ways farther than some other people here did, but I still need some help.

I looked at the page source, and it pretty clearly uses MD5. I looked around in the source code, and found something interesting. The below function is important:

    function doAdminLogin(form)
    {
        //deleteCookie("psaid");
        var pw = form.password.value;
        var i = pw.indexOf(";");
        if (i < 0) {
            form.username.value = pw;
            form.password.value = "";
        }
        else {
            form.username.value = pw.substring(0,i);
            var pw2 = pw.substring(i+1); // Get the password and preserve the case
            pw = pw.substring(i+1).toLowerCase();
            form.password.value = hex_hmac_md5(pskey, pw);
            if (form.ldappassword!=null) {
                // LDAP is enabled, so send the clear-text password
                // Customers should have SSL enabled if they are using LDAP
                form.ldappassword.value = pw2; // Send the pw, preserving the case for LDAP
            }
        }
        return true;
    }

It looks like the page only submits if this function returns true. But it looks to me like it never returns anything BUT true, so how is it possible for a password submission to fail?

How can I get my hands on the message digest? I would think that it wouldn't be too hard, since the secure part should be the hash function. But I can't find the MD anywhere, and I don't know how to access the Javascript code while it's running. Is there any way to? If so, I would much appreciate some help.

I hope this info was helpful, and I also hope that someone can get further than I did.

Edit: FYI, I have a 4.0. I'm not trying to change my grade. I just noticed the other day that I could see the password key on PowerSchool and decided to try and hack it. Please do not tell me to study.

Edited by MTGandP

My school also uses PowerSchool. From what I know it definitely uses the MD5 hashing algorithm, or on the login page at least. On the login page, after you fill in your username and password and hit the submit button, you'll notice that the password field is expanded (meaning that there are more characters than usual). This is because JavaScript changes the value of the password field to its MD5 equivalent and then sends the password in encrypted form instead of as clear text. And I think the reason for that is because the data's being sent over an unsecured connection (no HTTPS) so a sniffer could read what's being sent across the network.

Except I think that can be beaten. Maybe if you have a sniffer running on the network, then you could get those MD5 password hashes along with the login usernames, which are in clear text. You might be able to make a manual HTTP request to the authentication page with the login details (and no need to decrypt the password since it's supposed to be sent already encrypted) and be able to log in as an administrator / teacher.

Not sure about that though, and if the MD5 encryption for the passwords uses varying salts then it might not work. But just a thought.

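The "varying salts" point raised in the post above comes down to how the server treats `pskey`. The following is an added example, not part of any post in this thread and not PowerSchool's code: a server-side verifier that issues a fresh `pskey` per login page and honours it once. The names `hexHmacMd5`, `clientResponse` and `LoginVerifier`, the account data, and the idea that `pskey` is generated per page load are all assumptions made for illustration.

```javascript
// Added illustration, not PowerSchool code. Assumed: the server keeps the
// lowercased password (constructed data) so it can recompute the HMAC.
const crypto = require('crypto');

// Same computation as the page's hex_hmac_md5(pskey, pw), via Node's crypto.
function hexHmacMd5(key, data) {
  return crypto.createHmac('md5', key).update(data).digest('hex');
}

// What the login form sends: lowercase the typed password, then HMAC it.
function clientResponse(pskey, typedPassword) {
  return hexHmacMd5(pskey, typedPassword.toLowerCase());
}

class LoginVerifier {
  constructor(users) {
    this.users = users;        // username -> lowercased password
    this.pending = new Map();  // issued pskey -> expiry time (ms)
  }

  // Called when the login page is rendered; the result is embedded as pskey.
  issueKey(now = Date.now(), ttlMs = 120000) {
    const pskey = crypto.randomBytes(16).toString('hex');
    this.pending.set(pskey, now + ttlMs);
    return pskey;
  }

  // Called on form submission. Each pskey is honoured once, before expiry.
  verify(username, pskey, response, now = Date.now()) {
    const expiry = this.pending.get(pskey);
    this.pending.delete(pskey); // single use, whether the check passes or not
    if (expiry === undefined || now > expiry) return false;
    const stored = this.users.get(username);
    if (stored === undefined) return false;
    const expected = Buffer.from(hexHmacMd5(pskey, stored));
    const got = Buffer.from(String(response));
    // timingSafeEqual throws on unequal lengths, so check length first.
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Constructed account and password, for demonstration only.
const verifier = new LoginVerifier(new Map([['teacher1', 'correct horse']]));
const pskey = verifier.issueKey();
const response = clientResponse(pskey, 'Correct Horse');
console.log(verifier.verify('teacher1', pskey, response)); // first submission
console.log(verifier.verify('teacher1', pskey, response)); // same values resubmitted
```

A single-use key only stops a captured response from being accepted a second time; it does not protect the rest of the session on an unencrypted connection, which is what TLS is for. The server also has to hold a password-equivalent value to recompute the HMAC, which is a cost of this kind of scheme.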
