SecureMac, Inc.

StaticUsers.net – OnGuard

June 2, 2001

PowerOn Software, Inc. has many offices throughout the United States. The company was formed in 1993 and is still kicking, with new products. On April 15th, 1999 it purchased Norton’s Disk Lock, which shows it wants to make a secure product and keep on top of new programs.

Views

I have worked with PowerOn Software in the school environment. It can be made very secure. The software can disable holding Shift at startup (which would otherwise skip extensions), disable starting up from another disk, allow multiple users, groups, etc. OnGuard is made for PC and Mac computers, so you can control a mixed network with the same software!

Trial Version

PowerOn Software has released a trial version of OnGuard for download, so check it out. This product is a must for securing a network, and registered users get lifetime updates and tech support! Ask for Nick when you call =). As always, check their site for the newest version.

Features

  • Open settings across network.
  • Improved script ability.
  • Directs Netscape downloads to a user’s folder, or prevents downloads entirely.
  • Improved disk locking for increased protection.
  • Import large lists of users’ names and passwords.
  • Compatible with all applications, extensions, and control panels.
  • Users experience the real Macintosh interface.
  • Controls what a user can launch, open, save, copy, view, and eject.
  • Works with all local and networked disks.
  • Locks protected drives when computer is booted from a floppy.
  • Disables launching applications from user’s folder or floppy disk.
  • Directs saved files to a user’s folder or floppy disk.
  • Prevents users from changing the location of icons on the desktop or in folders.
  • Prevents deleting files, folders, applications, and system resources.
  • Limits access to system folder.
  • Stops users from renaming files, folders, and disks.
  • Prevents modifying forms, clip art, and other documents.
  • Prevents moving and copying files, folders, and applications.
  • Limits access to Control Panels and the Chooser.
  • Works with System 7 Drag and Drop Features.
  • Allows user to eject floppy by dragging it to the trash.
  • Removes ghost icons on the desktop when a floppy is ejected.
  • Prevents changing icons, comments, and sizes in dialogs displayed with the Finder’s Get Info command.
  • Tracks user activities, including: startup and shutdown; sign on and off; idle time; application launching; file saving, opening and copying; and attempted violations for all or specific users.

New Features

Version 3.4 adds the following security fixes: support for Apple’s Navigation Services (the newer Open/Save dialogs), and restricting users’ ability to store files in protected folders.

Insecurity

SecureMac.com earlier reported that the encryption used by On Guard was cracked (details below). We have not yet tested whether the scheme used to store the password information is unchanged and still affects version 3.4.

OnGuard can be made very secure. Really, the only ways to get past it are to use the permissions the instructor has given you. If you can run programs off a Zip disk or floppy, or anywhere else the admin lets you, you can make an AppleScript that moves the OnGuard extension and control panel to the Trash and restarts.

If you have access to the control panel, you can disable the extension or control panel.
If you can run a program from the Launcher that you normally don’t have access to, you can run it and then browse the directory from its Open dialog.

– Start with extensions off if you can (hold Shift at startup); there is usually another set of keys that does the same.
If you can open Netscape, you can open a local file and trace back up the directory tree; an example would be file:///macHardDisk/Documents/, so you can open documents from there.

The same goes for Microsoft Word or any other word processor: its Open dialog can browse the disk too.

OnGuard’s Password Encryption Scheme Cracked.

Dawid “adix” Adamski has examined the encryption schemes used by security products on the Mac OS and found them easy to break and unreliable as a means of security.

On Guard password weakness

Passwords and logins aren’t case sensitive, so revenge, REVENGE and ReVeNgE are the same to On Guard.

Passwords are stored in the “Users” file in “Preferences:On Guard Prefs”. Open that file using ResEdit. There is a Use2 resource. ID 1 = administrator preferences. Other IDs are for other accounts.
1. Login offset (administrator and other) starts from 09H
2. Administrator password offset starts from 1CH
3. Other passwords’ offsets (ID 2, 3, 4, 5, …) start from 22H
There are differences between these three encryptions. Examples:
1. administrator passwords:
18 84 52 24 91 08 E4 52 = BRIDGE
10 8E 41 2A 11 46 = GATE
1C A4 45 2B 11 49 C4 72 29 = REVENGE
24 8A 58 21 93 0A A5 32 49 58 8A = exclusive
2. other passwords:
0C 42 29 12 48 84 72 29 = BRIDGE
0C 4F 28 11 49 C4 52 91 = OPENER
3. login:
29 04 C8 6D 34 9B 8D = Admin
21 C8 DE 6F 3A 1B = root

The easiest way to decrypt passwords and logins (and understand how it works) is to change hex into binary system.

Let’s take the encrypted administrator password: 10 8E 41 2A 11 46 (GATE). In binary it is:
0001 0000 1000 1110 0100 0001 0010 1010 0001 0001 0100 0110
Now we have to add two zeros (00) at the beginning of this string:
00 0001 0000 1000 1110 0100 0001 0010 1010 0001 0001 0100 0110
Group it this way: 8 bits, 1 bit, 8 bits, 1 bit… and so on:
[00 0001 00]0[0 1000 111]0 [0100 0001] 0[010 1010 0]0[01 0001 01]00 0110
Write the same without the zeros between the 8-bit groups, only the bits in brackets:
0000 0100 0100 0111 0100 0001 0101 0100 0100 0101
This binary string in hex is: 04 47 41 54 45. The first byte is the length of the password, and 47 41 54 45 in ASCII codes is GATE.

Another way to write it down:
XX AA BB CC DD EE FF GG HH = xx aa bb cc dd ee ff gg hh
where:
XX – encrypted length of the password
xx – decrypted length of the password
AA BB CC DD EE FF GG HH – encrypted password (hex)
aa bb cc dd ee ff gg hh – decrypted password in ASCII codes (hex)
xx = 0XX ROR 2
aa = XAA ROR 1
bb = BB
cc = CCD ROL 1
dd = DDE ROL 2
ee = EEF ROL 3
ff = FFG ROL 4
gg = GGHH ROL 5
hh = HHII ROL 6
and so on.

Differences between logins, administrator passwords and other passwords:
1. login – we add three zeros at the beginning (000)
2. administrator password – two zeros (00)
3. other passwords – one zero (0)

Example for a login:
hex: 29 04 C8 6D 34 9B 8D
bin: 0010 1001 0000 0100 1100 1000 0110 1101 0011 0100 1001 1011 1000 1101
three zeros at the beginning:
000 0010 1001 0000 0100 1100 1000 0110 1101 0011 0100 1001 1011 1000 1101
brackets, 8 bits, 1 bit, 8 bits, 1 bit…:
[000 0010 1]0[01 0000 01]0[0 1100 100]0[ 0110 1101] 0[011 0100 1]0[01 1011 10]00 1101
only bits in brackets:
0000 0101 0100 0001 0110 0100 0110 1101 0110 1001 0110 1110
in hex it is: 05 41 64 6D 69 6E
login length = 5
login = Admin

Tested on: On Guard 3.2 by Power On Software, Inc. and Fluent
Dawid adix Adamski adixx@friko4.onet.pl
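The bit-packing rule above, worked into code as an added example that is not Adamski’s or PowerOn Software’s: a decoder that prepends the class-specific zero bits and keeps the top 8 bits of each 9-bit group, plus the inverse, which shows that the scheme is a keyless encoding rather than encryption (anyone who can write the Users file can plant a password). The class names login/admin/user and the function names are this example’s own; the test vectors are the bytes quoted above.

```python
# Added example: decoder/encoder for the On Guard "Users" field encoding
# described above. Not Adamski's or PowerOn Software's code; it implements
# the rule he gives (prepend k zero bits, then keep the top 8 bits of every
# 9-bit group). Class and function names are this example's own.

# Zero bits to prepend per field class, from the write-up above.
LEADING_ZEROS = {"login": 3, "admin": 2, "user": 1}


def onguard_decode(field: bytes, kind: str) -> str:
    """Decode one raw Use2 field (login or password bytes) to plaintext.

    After un-shifting, the stream is 9-bit groups: an 8-bit byte plus one
    pad bit. The first byte is the length; the rest are ASCII codes.
    """
    k = LEADING_ZEROS[kind]
    bits = "0" * k + "".join(f"{b:08b}" for b in field)
    # Every 9th bit is a pad bit; drop it by stepping 9 and slicing 8.
    groups = [bits[i:i + 8] for i in range(0, len(bits) - 7, 9)]
    decoded = bytes(int(g, 2) for g in groups)
    if not decoded:
        raise ValueError("field too short")
    length = decoded[0]
    if length > len(decoded) - 1:
        raise ValueError("length byte %d exceeds field size" % length)
    return decoded[1:1 + length].decode("ascii")


def onguard_encode(plaintext: str, kind: str) -> bytes:
    """Inverse of onguard_decode.

    No key is involved. The real files carry non-zero leftover bits after
    the last group (compare the last byte of the GATE vector); this encoder
    pads with zeros, which the decoder ignores either way.
    """
    k = LEADING_ZEROS[kind]
    if len(plaintext) >> (8 - k):
        raise ValueError("too long: the dropped leading bits would be non-zero")
    payload = bytes([len(plaintext)]) + plaintext.encode("ascii")
    bits = "".join(f"{b:08b}0" for b in payload)  # byte + one pad bit
    bits = bits[k:]                                # drop the k leading zeros
    bits += "0" * (-len(bits) % 8)                 # pad to a byte boundary
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


if __name__ == "__main__":
    # Vectors quoted in the write-up above.
    for hexstr, kind in [("108E412A1146", "admin"),
                         ("0C4F281149C45291", "user"),
                         ("2904C86D349B8D", "login")]:
        print(kind, hexstr, "->", onguard_decode(bytes.fromhex(hexstr), kind))
```

Running the decoder over the quoted bytes for “exclusive” yields EXCLUSIVE: the administrator password is stored upper-cased, which matches the case-insensitivity noted above, while the logins Admin and root keep their case.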

Fix: Because of what the program covers, this is going to be hard to fix without the developers making the encryption stronger (e.g. DES, RC5, IDEA or RC4). Note that any reversible scheme whose key ships with the program can still be recovered by anyone who can read the Users file; only a one-way hash of the password stops offline recovery. Many people will say that to keep the computer secure you should just keep the local security stronger. That is impossible in this case because of the Emergency password option and No Guard (a program that generates Emergency! passwords). Vinnie Moscaritolo, vinnie@apple.com: “A good fix is to not depend on passwords.”
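What a password store that cannot be recovered this way looks like, as an added example (not part of the original page and not PowerOn Software’s code): instead of a reversible encoding, or a cipher whose key ships with the program, only a random salt and an iterated one-way hash are kept, so reading the file yields nothing to decode. The record layout, iteration count and function names are choices made here for illustration.

```python
# Added example, not PowerOn Software's code and not from the original page:
# a password record that cannot be decoded back to the password, in contrast
# to the reversible On Guard encoding. Record layout, iteration count and
# names are choices made here for illustration.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # iterated hashing slows offline guessing
SALT_BYTES = 16


def make_record(password: str, salt: bytes = b"") -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only for reproducible tests). Only the salt and a one-way hash are
    stored: nothing here can be turned back into the password, so an
    attacker with the file is left guessing.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

The comparison here is case-sensitive, unlike On Guard’s; folding case before hashing shrinks the space an attacker has to guess. This also does nothing about an emergency-password generator such as the one described further down; that is a separate backdoor independent of how passwords are stored.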

Bypassing OnGuard using DropStuff

Get DropStuff onto the computer (download it if it isn’t there).
Open it, hit Command-S (Stuff), choose the On Guard extension or the preferences file or whatever (it will let you), check the “Delete files after encoding” checkbox, and stuff it onto the HD or a student’s folder or somewhere. Restart the computer. There is no On Guard if you stuffed the extension, or a fresh On Guard with default settings if you stuffed the prefs. Do whatever you want. Then, when you’re done, expand the stuffed file and put the preferences or extension back.
You just bypassed On Guard without being caught.

Bypassing OnGuard using Transmit

What you are going to do:
You are going to try to bypass OnGuard using Transmit, an FTP program.

What you need:
Knowledge of how to install things onto the protected HD (see “Installing Stuff onto OnGuard protected HD’s” below). A computer protected by OnGuard.

What to do:
Download Transmit (www.panic.com) and install it onto the protected HD. Now launch Transmit. Do not connect to any FTP server; instead just use the local window (the left side), open the protected HD, then open the System Folder, and delete the OnGuard prefs. It may say the file is locked, but it will delete it anyway. Now restart the computer and there is no protection. The login is admin with no password, or it could be login: administrator, password: [none]. Now create new accounts and enjoy!

How not to get caught:
Believe me, this is hard. If you have full access you can use the Assimilator (it is usually on the HD; if not, download it from downloads.com) and assimilate the hard drive back to normal, or you can just recreate all the accounts the way they were (assuming you know how they were), then make a new, hidden account, give yourself admin privileges, and use it all the time!

Installing Stuff onto OnGuard protected HD’s using Stuffit expander.

What you are going to do:
You are going to tell Stuffit Expander to unstuff files onto the protected hard drive.

What you need:
An OnGuard-protected computer that has StuffIt Expander on it and usable.

What to do:
Open StuffIt Expander, then under one of the menus select Preferences. Click the Destination icon and set the destination to “ask you” where to put files when you expand them. Now download a program you want to install, or stuff one on your home computer. Drag the stuffed archive onto the StuffIt Expander on the OnGuard-protected HD; it should ask you where to unstuff it. Select somewhere on the hard drive and voilà, your program is right there on the HD!

How not to get caught:
Make sure there is no teacher around when you do it, and install the program somewhere that is not obvious. The program you installed will be erased if the admins decide to assimilate all the computers, or that computer.

Fun with Stickies

What you are going to do:
You are going to have some fun by making a stickies message appear at startup!

What you need:
A computer that you want the stickies message to appear on when it starts up.

What to do:
Usually, even under At Ease or OnGuard, Stickies is still launchable from the Apple menu. Open Stickies, make a new note that you want to appear at startup (best to use big lettering and make it fill the screen), then go under one of the menus, select “Preferences”, and select “Launch at system startup”. Now quit, and the next time the computer starts up, that is what it will show.

How not to get caught:
Make sure no teacher is around. Don’t write your name on the note, and make sure nobody knows who did it 🙂

Bypassing old versions of OnGuard using OnGuard

What you are going to do:
You are going to get full admin privs by using an exploit in old versions of on-guard.

What you need:
A computer protected by on-guard.

What to do:
Open Find File and search for “guard” or “ard”. If you find an application called On Guard or OnGuard, open it. If not, this exploit will not work because the admin fixed it. Open the OnGuard app you found and in the login field type admin. Click on “Startup User” and then click OK, I think. Now you should have full admin privileges; if not, it is probably a newer version of OnGuard…
How not to get caught:
Make sure no teacher is around. Just log back into student mode or guest mode or whatever the default is when you’re done doing what you wanted to do…

Hacking On Guard – By Cybercuzco

A little background first. On-Guard is a security program for the Macintosh. It is used in some schools in place of FoolProof. I had looked around all the hackintosh sites for an On-Guard hack FAQ but I couldn’t find any, so I sat down and wrote my own. But enough of this shit, on to the good stuff.

The first thing you need to know when hacking On-Guard is that security is of utmost importance. I can’t stress this enough: IF YOU ARE SUCCESSFUL AT HACKING ON-GUARD, TELL NO ONE!!!! This includes all your hacking friends, teachers, parents, siblings, the media, etc. Also try to get at a computer that won’t be immediately associated with you, or better yet one that will be traced to someone completely different.

There are three basic ways you can get past On-Guard: the non-software approach, the software approach, and the last-ditch Zip drive approach.

I. The non software approach:
This method is the easiest and therefore the least likely to work. Find out what system you are running. If you have System 7.5 or better, great, keep going. Next go to Find File under the Apple menu. Search for “preferences” or “prefs”. If you find it, keep going; otherwise try the next method. Open the On Guard preferences folder from inside Find File and drag the Users file into the Trash. IMPORTANT: do not empty the Trash. Simply restart the computer. It will throw up the login screen; log in as Administrator, password Admin, and you’re in. Congratulations, you have successfully hacked On Guard.

I. Cleanup:
Once you are done doing whatever it was you were doing as administrator 😉, bring the original Users pref out of the Trash and replace the new Users file you’ll find in On Guard Prefs with the old one. Try to leave the computer as you found it. Get a program like Big Secret to hide any newly installed files and folders, and before you exit, trash the On Guard log. Use Burn, preferably. Tip: install Invisible Oasis so you can find out your real administrator’s password.

II. Software Approach:
Get Disk Tools, a shareware program, from any Info-Mac FTP site, or search for it at http://www.filez.com. Next find a computer that you can install Disk Tools on and run it. Search for folders, but don’t try to install it or any other file into the System Folder; it really fucks up the computer. Trust me, I know from experience ;-). Once you have Disk Tools installed, use it to move the Users file into the Trash just like in the non-software approach. Restart and enter Administrator as login and Admin as password. You now have an unprotected computer. Have fun!

III. Zip Drive Approach:
Step one: acquire a Zip drive and at least one disk. Put Disk Tools (see method two) and Zip Tools on it. Follow the standard directions for hooking up a Zip drive to the computer, insert the disk, and hope the system doesn’t have any extensions on it that could really screw up the computer. Did I mention this should only be done as a last-ditch effort? Well, it should. Once the disk is mounted on the screen you should be able to run programs off it like a second hard drive. Use approach #II the rest of the way in.

So that’s how you hack On Guard. If you have any tips, tricks or helpful hints I could add to this FAQ, e-mail me at Cybercuzco@hotmail.com

 

john@administrator.ndo.co.uk writes:

This document is for administrators, who want to know about security risks in their system. It is not for use by hackers or others seeking to gain ILLEGAL access to systems to steal or destroy information.

Here is how to beat OnGuard. This bug has been in OnGuard versions for years; PowerOn Software don’t seem to want to remove it. I informed them about it in 1997, but when I downloaded their latest version of OnGuard a few weeks ago, I bypassed the security within 5 minutes. The procedure is below.

You will need to boot the system from another disk and then run ResEdit. If the computer came with a CD containing your system software, then copy ResEdit to a floppy. If it came with floppies, copy ResEdit to one which is bootable (maybe Disk Tools). Make a copy of the boot disk before you copy ResEdit to it. Keep your original disk locked and use the copy with ResEdit on it for bypassing OnGuard. Boot the system with this disk. The protected hard disk should have only one item on it, called something like “Double Click on Unlock”. Ignore this. If you open it, it will expect you to enter the administrator password to make all contents of the hard disk visible again.

Open ResEdit, either from the boot disk or, if you booted from a CD, insert the floppy. Don’t worry if the administrator has not allowed you to access the floppy drive under normal use. Because you have booted from a different disk, the OnGuard extension is not loaded, so it won’t stop you. When you open the hard disk from within ResEdit, you will see all the files there, but they will be invisible. From the File menu, “Get Info” and make the particular files/folders visible that you want access to. When you finish what you want to do, make them invisible again and restart the computer from the normal HD. Everything will be back to normal. Note: In older versions of OnGuard, after you have booted from the boot disk, you may find the contents of the HD in an invisible folder called “On Guard Items” or something like that.

nOGuard 2.0

Several security programs use emergency passwords. These are passwords generated by the program in case the admin forgets his password. They usually give the user complete access to a computer.

In theory you’ll need all sorts of software registration information for the company to give out the emergency password. In reality you only need to find the algorithm used in order to generate the emergency password yourself.

nOGuard 2.0 is a program that generates emergency passwords for OnGuard 3.1 and 3.3.

There are many more ways than those listed here; if you know of one, please email us. We are more than happy to research and post it here!
