Brendan Gillatt
Breaking RM Filtering

Notice

This article is aimed at those who wish to gain an understanding of how Research Machines' Smart Cache filtering system works. It requires an understanding of basic networking principles and of the C programming language.

If you are simply desperate to see how many virtual friends you have on Myspace, this is not for you. Furthermore, you must be responsible for your actions at all times and understand that applying the concepts outlined to a live network may void your right to use the resource. Please do not be stupid, and respect that, although not perfect, the filters are there for a good reason.

What is RM's Smart Tracker?

To filter the pages that students access at a school which has deployed Research Machines' Smart Tracker 2 software, all browser requests are sent through a filtering proxy, in most cases a version of Squid. Pages which fail the filtering rules are replaced with an image of a daft-looking cartoon hedgehog. While not perfect, it does work relatively well.

To ensure pages are only accessible through the filtering proxy, all direct connections from the local network through port 80 to the internet must be blocked. All web browsers on the network are then forced to connect through the proxy server.

Problems With The System

Firstly, identifying which user is requesting a page, so that the correct set of rules (guest, student, teacher, administrator, etc.) can be applied, is difficult. Research Machines decided to implement the commonly known Ident protocol. While this is a very easy protocol to use, it requires absolute trust in the machine making the request, and it can reveal the location of users inside a network to anyone sniffing the traffic.

Secondly, filtering rules are not always entirely accurate. This is a problem for content filtering in general. For example, while researching flat-packable chair designs for a design technology lesson, I discovered that the retailer Ikea had its website filtered. Furthermore, CSS Play, a wealth of useful knowledge, was also blocked; not something I would expect to be considered offensive.

How the System Works

  1. The user instructs the browser to open a page.
  2. The browser is configured to direct the request to a proxy server on the local network with RM Smart Cache set up.
  3. The proxy server sends an Ident request to the user's machine, where RMSmartcache.exe is listening on port 113.
  4. RMSmartcache.exe discovers the logged-in domain username and computer name, which it uses to construct a reply. A typical one from my username would be:

       1605, 8080 : USERID : WindowsNT5.1 : domain.internal\brendan-gillatt#WindowsNT5.1#RM108ST04

     This information indicates that the browser connected:
    • From local port 1605
    • To the server's port 8080
    • From a Windows XP machine
    • In the domain.internal domain
    • From user account brendan-gillatt
    • From room 108, station 4
  5. If the filter's rules allow the requested page for the identity given in the reply, the page is fetched; otherwise the SafetyNet page is displayed.

Introducing the Workaround

RMSmartcache.exe is in fact based on an open-source piece of software! Mathew Mastracci's Identd server is the base of the code. Upon analysis it seems that the RM version follows a pretty vanilla version of the Ident protocol, with a few bits strapped on.

By spoofing the user account to one with high privileges, say a teacher or admin, the proxy will probably have little or no filtering. Changing the user account, room number and station number regularly will reduce the risk of being noticed.

The task of spoofing the Ident response is trivial - the pair of port numbers must be echoed with the other information simply appended. No data has to be dynamically created so simply reading the spoofed information from a text file is a sound idea.

Note that RMSmartcache.exe must be killed so that the spoofing server may receive control of port 113.
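From the proxy's side, the reply format shown in "How the System Works" and the identity-rotation tactic described just above can both be checked in software. The following is an added example, not RM's code and not the author's spoofing server: it parses RM-style Ident replies, sanity-checks the echoed port pair against the connection the proxy actually saw, and flags any client IP that presents more than one user/station identity. The log format, IP addresses and identities in SAMPLE_EVENTS are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Reply shape as seen on this page: <client-port> , <proxy-port> : USERID : <opsys> : <user-id>
IDENT_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(.+?)\s*$")

@dataclass(frozen=True)
class IdentReply:
    client_port: int   # port the browser connected from (first number)
    proxy_port: int    # proxy port the browser connected to (second number)
    opsys: str
    domain: str
    user: str
    station: str       # RM room/station tag, e.g. RM108ST04

def parse_rm_ident_reply(line: str):
    """Parse an RM-style Ident reply; None for ERROR replies or malformed input."""
    m = IDENT_RE.match(line)
    if not m:
        return None
    cport, pport, opsys, info = m.groups()
    # RM appends "#<opsys>#<station>" to the user-id; domain and user are backslash-separated.
    parts = info.split("#")
    if len(parts) != 3:
        return None
    domain, _, user = parts[0].rpartition("\\")
    return IdentReply(int(cport), int(pport), opsys.strip(), domain, user, parts[2])

def reply_matches_connection(reply, observed_client_port, observed_proxy_port):
    """Check the echoed port pair against the TCP connection the proxy actually saw.
    A spoofing server that echoes the query's ports passes this, so it only catches
    careless replies: a necessary check, not a sufficient one."""
    return (reply.client_port, reply.proxy_port) == (observed_client_port, observed_proxy_port)

def find_identity_churn(events):
    """events: iterable of (client_ip, raw_reply). Returns {ip: sorted identities} for
    every IP that presented more than one (user, station) pair. A genuine log-off and
    log-on on the same PC also triggers this, so correlate hits with domain logon records."""
    seen = defaultdict(set)
    for ip, raw in events:
        reply = parse_rm_ident_reply(raw)
        if reply is not None:
            seen[ip].add((reply.user, reply.station))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > 1}

# Constructed sample proxy log: (client IP, Ident reply received for that connection).
SAMPLE_EVENTS = [
    ("10.0.0.4", r"1605, 8080 : USERID : WindowsNT5.1 : domain.internal\brendan-gillatt#WindowsNT5.1#RM108ST04"),
    ("10.0.0.4", r"1622, 8080 : USERID : WindowsNT5.1 : domain.internal\staff-user#WindowsNT5.1#RM201ST01"),
    ("10.0.0.9", r"1044, 8080 : USERID : WindowsNT5.1 : domain.internal\pupil-one#WindowsNT5.1#RM108ST07"),
    ("10.0.0.9", r"1045, 8080 : ERROR : NO-USER"),
]

if __name__ == "__main__":
    for ip, ids in find_identity_churn(SAMPLE_EVENTS).items():
        print(f"{ip} presented {len(ids)} identities: {ids}")
```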

The Finished Code

I chose not to use the original code from Mathew Mastracci because it was simply too complex for what was needed. I also borrowed some of the sockets code from MSDN, so I do not claim original authorship of that portion.

Note that I will not distribute binaries of the code. Firstly, and most importantly, to stop the script kiddies from looking at stuff they should not; and secondly, I have no idea what license the little bit of sockets code I used has.

The source to my spoofing server is available in the code section.

A Note Before Usage

The executable will probably not run from a standard user account, depending on how the network is set up. Using a boot disk such as UBCD for Windows can provide the required local admin account.