Hackers - Insurgency on the Internet


The hacker in all of us

October 12, 1999
Web posted at: 11:13 a.m. EDT (1513 GMT)

by Deborah Radcliff

(IDG) -- "How do you spell pillage?" asks Fred Norwood, manager of information infrastructure technology at El Paso Energy Corp. in Houston.

Twelve of us had just hacked Microsoft Corp.'s crown jewel -- a Windows NT box -- and were copying passwords to our hard drives.

From across the room, a quick-witted Sam Gerard, data security manager at Motorola Inc., spells out the answer for us: "F-U-N!"

Thus goes Day 2 of Extreme Hacking, a course taught by security whiz kids at Ernst and Young LLP's towering Houston offices.

For four days, network managers, auditors and security specialists from companies such as Motorola, Electronic Data Systems Corp. and State Farm Insurance switched to the dark side. In so doing, they learned just what they're up against in their fight to keep crackers out of their networks.

The truth is, hacking is easy. And, well, fun. We pushed open server doors and helped ourselves to whatever data we wanted -- all without any feeling of culpability.

"This course gives me a lot more insight into the mentality and capability of attackers," says John McGraw, a security technology planner at a large computing services company. "We know all these vulnerabilities, but there are probably so many more that no one knows about."

So fun was it that I was sorry to leave the capture-the-flag game at the end of Day 3. But my cab to the airport was waiting 20 floors below. By then, I had leapfrogged to the fourth and final victim Unix server and was closing in on that flag. But I had a plane to catch.

Day 1: Finding the goods

On Day 1, we case out our victim. Our instructor, Stuart McClure, prefers the more sanitized term "discovery."

We begin discovery by finding publicly available information on the Internet. McClure talks about searching the Securities and Exchange Commission (SEC) Web site to get a thumbnail sketch of a company and its affiliates, laboratories and acquisitions. We could use this information to break into a company by hacking its acquisitions or subsidiaries because those subnetworks aren't usually as well monitored or secure as networks at the home office.

But for expediency's sake we bypass the SEC and go straight to the InterNic Registrar, the service that assigns domain names. By querying InterNic with a simple "whois" command, we get all the IP addresses of our victim's Web servers -- along with company nicknames -- and auxiliary domain name servers (DNS) in affiliates and laboratories. We even find out what type of servers they are (the main DNS is a Sun-3/180 running Unix), along with the names and phone numbers of the server administrators.

I flash to the infamous cracker, Kevin Mitnick, who loved this little InterNic feature. He'd call those network administrators and try to "social engineer" (sweet-talk) them out of network information.

"It's amazing the amount of information you can get from the Internet. You don't realize you're hanging out there as exposed as you are," says El Paso Energy's Norwood.


We deploy a few common network troubleshooting tools (zone transfers, normally used to correlate data between the backup and primary servers, and name service lookup, a utility used to look up the IP address belonging to a host name) against some of the IP addresses we've just gleaned. We soon have a list of domain names and IP addresses of all the machines connected to our victim network.

Next, we use traceroute (another administrative tool, which traces the route between a source and destination) to view the network topology and identify potential access control devices like routers and firewalls, which we'll steer clear of.

Time to rattle some doors and look in some windows. McClure calls this "port-scanning" -- using administration and downloadable hacking tools to find out what ports are open and what services are running on those ports.

I'm particularly taken with the stealthy Nmap, a utility for network mapping available for free off the Web. We deploy Nmap against our primary target to get a road map of open ports, along with the network protocols and application services they support.

At the top of our list, for example, we see: "Port 7: Open; protocol TCP; service Telnet." And so it goes for 10 other open ports on that machine alone.
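Every step of the discovery phase just described leaves a trace on the victim's side, which is where the network managers in the class actually earn their keep. The following is an added example (my own code, not the course material or anything from the article) showing the two simplest detections: zone transfer requests from hosts that are not the listed secondary name servers, and a single source fanning out across many ports on one host. The log lines are constructed samples modelled on BIND 9 and iptables LOG output, the address `192.0.2.53` is an assumed secondary, and the threshold of eight ports is an arbitrary tuning value.

```python
"""Added example (not the course's or the article's code): defender-side
detection of the two reconnaissance steps described above, run over
constructed sample log lines.

- unauthorized_axfr(): zone transfers (AXFR) requested by hosts that are not
  the listed secondary name servers, parsed from BIND 9 style log lines.
- port_scan_sources(): sources that probe many distinct ports on one host,
  parsed from netfilter (iptables LOG target) style lines.
Both log formats are modelled on real ones; the lines themselves are made up.
"""
import re
from collections import defaultdict

# Assumption for this example: the only host allowed to pull our zone.
ALLOWED_SECONDARIES = {"192.0.2.53"}

# Constructed BIND 9 style lines: one legitimate transfer by the secondary,
# then an unknown host that succeeds once and is refused once.
DNS_LOG = """\
05-Oct-1999 09:12:01.100 xfer-out: info: client 192.0.2.53#42001 (example.test): transfer of 'example.test/IN': AXFR started
05-Oct-1999 09:15:44.220 xfer-out: info: client 198.51.100.7#51234 (example.test): transfer of 'example.test/IN': AXFR started
05-Oct-1999 09:15:44.300 security: error: client 198.51.100.7#51235 (example.test): zone transfer 'example.test/IN' denied
"""

AXFR_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:transfer of '[^']+': AXFR started|zone transfer '[^']+' denied)"
)


def unauthorized_axfr(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (client_ip, zone, outcome) for every AXFR attempt from a host
    that is not an allowed secondary.  A 'started' outcome means the whole
    zone left the server and allow-transfer needs tightening; 'denied' is
    still worth an alert because someone is enumerating the network."""
    findings = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if m is None or m.group("ip") in allowed:
            continue
        outcome = "denied" if line.rstrip().endswith("denied") else "started"
        findings.append((m.group("ip"), m.group("zone"), outcome))
    return findings


# Constructed netfilter style lines: 198.51.100.7 sweeps ten ports on one
# host in a few seconds; 203.0.113.9 touches only the two public services.
_PROBED = [21, 22, 23, 25, 53, 80, 110, 139, 443, 8080]
FW_LOG = "\n".join(
    f"Oct  5 09:20:{i:02d} gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 "
    f"PROTO=TCP SPT={40000 + i} DPT={p} SYN"
    for i, p in enumerate(_PROBED)
) + """
Oct  5 09:21:10 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Oct  5 09:21:12 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
"""

FW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def port_scan_sources(log_text, threshold=8):
    """Map source IP -> sorted distinct destination ports for every source
    that contacted at least `threshold` different ports on a single host.
    Distinct-port fan-out is the simplest port-scan signal; normal clients
    talk to one or two services."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            seen[(m["src"], m["dst"])].add(int(m["dpt"]))
    return {
        src: sorted(ports)
        for (src, _dst), ports in seen.items()
        if len(ports) >= threshold
    }


if __name__ == "__main__":
    for ip, zone, outcome in unauthorized_axfr(DNS_LOG):
        print(f"AXFR of {zone} by non-secondary {ip}: {outcome}")
    for src, ports in port_scan_sources(FW_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The zone transfer check is the more important of the two: a successful AXFR to an unknown host is the same host list the class assembled by hand, delivered in one query, and the fix is an `allow-transfer` list on the primary. The port-scan heuristic is deliberately crude; in production the count would be taken over a sliding time window rather than the whole file.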

The classroom buzzes with excitement.

I realize how removed I feel from the victim. It's chilling to think that there are hundreds, nay thousands, of other crackers from underground groups such as Global Hell who probably feel the same way.

Day 2: The NT root dance

We're introduced to Eric Schultze, affectionately called a "Hoover" by his cronies. A Hoover can really suck the guts out of a victim machine, and Schultze, 31, proves he's worthy of his name.

We start by picking our target. Test servers are notorious for lax password controls and monitoring. Or we could sniff the mail server for user names and passwords. We decide to go for the backup domain controller -- a separate physical server -- where user names are stored and security is often forgotten because it's a backup.

We establish a null session (a Microsoft utility that allows services to communicate with one another without a user identification) with the victim server.

I feel like a ghost inside someone else's house. I can see everything -- network services, password files, user accounts, even payroll. But I can't touch anything because null is only designed for interprocess communication.

For the victim, "the sad thing about Microsoft is it doesn't log any of this," Schultze explains.

We're itching to gain root access (the most privileged level of access). But first, we must log off and then back on as legitimate users in order to grab the password hashes (encoded passwords) and submit them to our ace password-cracking tools.

We get back in under the user name "backup" by guessing the password (which is also "backup"). "Command completed successfully," the machine responds.

I ask Schultze whether raised awareness has pushed administrators to better monitor passwords. No, he says. Most networks are still chock-full of such easy-to-guess passwords.

Once in, we copy user files and encrypted password hashes onto our hard drive. We log off and hit the hashes with L0phtcrack and the even faster John the Ripper. Available on the Web, both tools test passwords against a dictionary of common passwords until they break open.

The tougher passwords may take a day, though, as they must be cracked one character at a time.

Within minutes, we've got more than 70% of plain-text passwords in our greasy little paws.

Microsoft's LAN Manager hashes are the worst from a victim standpoint because LAN Manager splits passwords into seven-character halves and uses a known constant to encrypt each half, says Schultze. Our cracking tools are programmed for this, so they kick out passwords much faster than they would in Unix.

And if the administrator disables LAN Manager, the NT box won't talk to any Windows 95 or 98 boxes, so it's a tough problem to solve.
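Schultze's point about the seven-character halves can be shown without cracking anything, which is how an administrator would audit for it. Because each half is hashed on its own with a fixed key, an empty half always produces the same well-known value, so the hash itself reveals whether a password is seven characters or shorter, whether it is empty, or whether it is the same seven characters repeated. The following is an added example (my own code, not the course's tools or anything from the article). The dump lines are constructed; the two constants are the real empty-half LM value and the real empty-password NT value, and the 69-character alphabet is the standard count for uppercased printable ASCII. The "backup" account from the text, with its six-character password, is the kind of entry this flags.

```python
"""Added example (not the course's or the article's code): audit a dump of
LAN Manager hashes for the structural weakness described above.  LM hashes
each 7-character half of the uppercased password independently with a fixed
key, so the hash leaks structure before any cracking starts: an empty half
always hashes to the well-known constant below, and identical halves mean
the same 7 characters twice.  The dump lines are constructed; the two
constants are the real empty-half LM value and empty-password NT value."""

EMPTY_HALF = "aad3b435b51404ee"                 # LM hash of an empty 7-byte half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
ALPHABET = 69  # LM uppercases: 26 letters + 10 digits + 33 punctuation/space

# Constructed pwdump-style lines: user:rid:LMhash:NThash:::  The NT hashes
# other than the empty one are placeholders, not real hash values.
SAMPLE_DUMP = """\
backup:1001:5e7b4f2d9a1c3e6faad3b435b51404ee:0123456789abcdef0123456789abcdef:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_nolm:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
payroll:1003:8c2d1e3f4a5b6c7d8c2d1e3f4a5b6c7d:00112233445566778899aabbccddeeff:::
admin:500:8c2d1e3f4a5b6c7d0f1e2d3c4b5a6978:ffeeddccbbaa99887766554433221100:::
"""


def classify_lm(lm_hash, nt_hash):
    """Classify one account from its LM and NT hashes alone."""
    lm = lm_hash.lower()
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        raise ValueError(f"malformed LM hash: {lm_hash!r}")
    first, second = lm[:16], lm[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        # Both halves empty: either the password is empty, or LM storage is
        # disabled and the field is just the placeholder.  The NT hash decides.
        return "EMPTY_PASSWORD" if nt_hash.lower() == EMPTY_NT else "LM_NOT_STORED"
    if second == EMPTY_HALF:
        return "SHORT"        # 7 characters or fewer: only one half to search
    if first == second:
        return "REPEATED"     # the same 7 characters twice
    return "TWO_HALVES"       # 8-14 characters, still two independent 7-char jobs


def audit_dump(dump_text):
    """Return {user: classification} for every pwdump-style line."""
    result = {}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        user, _rid, lm, nt = line.split(":")[:4]
        result[user] = classify_lm(lm, nt)
    return result


def lm_work_factor(alphabet=ALPHABET):
    """Candidates an exhaustive search must try: two independent 7-character
    halves versus one 14-character string over the same alphabet.  The last
    value is how many times cheaper the split makes the search."""
    split = 2 * alphabet ** 7
    unsplit = alphabet ** 14
    return split, unsplit, unsplit // split


if __name__ == "__main__":
    for user, verdict in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:10s} {verdict}")
    split, unsplit, ratio = lm_work_factor()
    print(f"split search: {split:.3e} candidates, unsplit: {unsplit:.3e}, "
          f"ratio {ratio:.3e}")
```

The `LM_NOT_STORED` case matters for interpreting the audit: a dump taken from a system where LM storage has been switched off shows the empty-half constant twice for every account, and only the NT hash tells an empty password apart from a missing LM hash. The work-factor function is the arithmetic behind Schultze's remark: with the halves independent, the search cost grows as two problems of size 69^7 rather than one of size 69^14.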

Armed with our newfound passwords, we finally reach our goal for the day and hack back into the machine at administrator level and get root control of our machine.

"What's the first thing you do when you gain root? You do the root dance," explains Ron Nguyen, another instructor. Push one arm up, jiggle your hips, put the other arm up, jiggle your hips and repeat until you get it out of your system.

For our reward, Nguyen hands out a red wallet card titled "20 Things to Do After You've Hacked Admin." But for the final slap to our victims' faces, we hide our hacking tools in an alternate data stream behind a readme.txt file on the victim server. You could easily hide 10M bytes of hacker tools behind such a file without changing the file size, according to Schultze. The only way administrators can catch this is to set up audit logs that would alert them when disk space changes significantly.

Day 3: Capturing the Unix flag

"Hacking root is a state of mind." Thus begins our syllabus for Day 3. And we really are getting into this "state." We arrive at the class rubbing our hands in anticipation of breaking the venerable Unix.

Our instructor, former Air Force geek Chris Prosise, doesn't let us down.

We begin by repeating discovery and gaining entry in much the same way we did on NT. But Prosise wants to have a little fun. He's showing us how to corrupt the DNS server to reroute traffic to a phony IP address on an "" server where he can: a) grab information or b) reroute the message into oblivion.

He also shows us how to conduct common HTTP attacks like test-cgi (Common Gateway Interface), which forces the victim to give up files and directories with a simple "get" command, and how to execute remote commands that would disable access controls. We install Trojan horses (executable code to do our bidding remotely) and punch open back doors so we can get back in using a Telnet terminal session without needing identifications or passwords.

Then we play capture the flag by leapfrogging among four Unix boxes. And this, I'm afraid, is where I was so rudely interrupted by my awaiting taxi.

Suffice it to say, we learned our lessons.

Network and security managers have a tough row to hoe. Bullet-proof security is a misnomer. And managing security risk is the best anyone can hope for.

We also learned that there's a little bit of hacker in all of us. And by cultivating this hacker within, information security professionals can better fight the cracker without.

© 2000 Cable News Network. All Rights Reserved.