The hacker in all of us
October 12, 1999
Web posted at: 11:13 a.m. EDT (1513 GMT)
by Deborah Radcliff (IDG)

"How do you spell pillage?" asks Fred Norwood, manager of information infrastructure technology at El Paso Energy Corp. in Houston. Twelve of us had just hacked Microsoft Corp.'s crown jewel -- a Windows NT box -- and were copying passwords to our hard drives. From across the room, a quick-witted Sam Gerard, data security manager at Motorola Inc., spells out the answer for us: "F-U-N!"

Thus goes Day 2 of Extreme Hacking, a course taught by security whiz kids at Ernst & Young LLP's towering Houston offices. For four days, network managers, auditors and security specialists from companies such as Motorola, Electronic Data Systems Corp. and State Farm Insurance switched to the dark side. In so doing, they learned just what they're up against in their fight to keep crackers out of their networks.

The truth is, hacking is easy. And, well, fun. We pushed open server doors and helped ourselves to whatever data we wanted -- all without any feeling of culpability.

"This course gives me a lot more insight into the mentality and capability of attackers," says John McGraw, a security technology planner at a large computing services company. "We know all these vulnerabilities, but there are probably so many more that no one knows about."

So fun was it that I was sorry to leave the capture-the-flag game at the end of Day 3. But my cab to the airport was waiting 20 floors below. By then, I had leapfrogged to the fourth and final victim Unix server and was closing in on that flag. But I had a plane to catch.

Day 1: Finding the goods

On Day 1, we case out our victim. Our instructor, Stuart McClure, prefers the more sanitized term "discovery." We begin discovery by finding publicly available information on the Internet.
McClure talks about searching the Securities and Exchange Commission (SEC) Web site to get a thumbnail sketch of a company and its affiliates, laboratories and acquisitions. We could use this information to break in to a company by hacking its acquisitions or subsidiaries, because those subnetworks usually aren't as well monitored or secured as the networks at the home office. But for expediency's sake we bypass the SEC and go straight to the InterNIC registrar, the service that assigns domain names. By querying InterNIC with a simple "whois" command, we get the IP addresses of our victim's Web servers -- along with company nicknames -- and the auxiliary domain name servers (DNS) in affiliates and laboratories. We even find out what type of machines they are (the main DNS server is a Sun-3/180 running Unix), along with the names and phone numbers of the server administrators. I flash to the infamous cracker Kevin Mitnick, who loved this little InterNIC feature. He'd call those network administrators and try to "social engineer" (sweet-talk) them out of network information.

"It's amazing the amount of information you can get from the Internet. You don't realize you're hanging out there as exposed as you are," says El Paso Energy's Norwood.

We turn a few common network troubleshooting tools against the IP addresses we've just gleaned: zone transfers, normally used to replicate a zone from the primary name server to its secondaries but, when a server answers them for anyone who asks, a complete dump of every host it knows about; and nslookup, the utility used to look up the IP address of a name like www.microsoft.com. We soon have a list of domain names and IP addresses for every machine connected to our victim network. Next, we use traceroute (another administrative tool, which traces the route between a source and a destination) to view the network topology and identify potential access control devices like routers and firewalls, which we'll steer clear of. Time to rattle some doors and look in some windows.
McClure calls this "port scanning" -- using administration tools and downloadable hacking tools to find out which ports are open and what services are listening on them. I'm particularly taken with the stealthy Nmap, a network-mapping utility available for free off the Web. We point Nmap at our primary target to get a road map of open ports, along with the protocols and application services behind them. At the top of our list, for example, we see: "Port 23: Open; protocol TCP; service Telnet." And so it goes for 10 other open ports on that machine alone.

The classroom buzzes with excitement. I realize how removed I feel from the victim. It's chilling to think that there are hundreds, nay thousands, of other crackers from underground groups such as Global Hell who probably feel the same way.

Day 2: The NT root dance

We're introduced to Eric Schultze, affectionately called a "Hoover" by his cronies. A Hoover can really suck the guts out of a victim machine, and Schultze, 31, proves he's worthy of the name. We start by picking our target. Test servers are notorious for lax password controls and monitoring. Or we could sniff the mail server for user names and passwords. We decide to go for the backup domain controller -- a separate physical server that holds a copy of every user account and whose security is often forgotten because it's a backup.

We establish a null session with the victim server: an anonymous connection to its IPC$ share, which NT accepts without a user name or password so that services can talk to one another. I feel like a ghost inside someone else's house. I can see everything -- network services, shares (one of them payroll), user accounts, the password policy -- but I can't touch anything, because the null session is designed only for interprocess communication. For the victim, "the sad thing about Microsoft is it doesn't log any of this," Schultze explains. We're itching to gain root access, as the Unix crowd calls the most privileged level; on NT that means Administrator.
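A word on what Day 1's port scan actually does under the hood. The Go program below is an added example, not code from the course, the article or Nmap: it performs the simplest kind of scan, a TCP connect scan, against a listener it starts itself on the loopback address (a constructed target) and labels the open ports with a small built-in service table. The port numbers, timeouts and service names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"sync"
	"time"
)

// A few well-known TCP service names, enough to label a scan the way the
// article does. Illustrative subset; Nmap carries a full table in nmap-services.
var serviceNames = map[int]string{
	7: "echo", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
	80: "http", 110: "pop3", 139: "netbios-ssn", 143: "imap", 443: "https",
}

// ServiceName labels a port, or returns "unknown" for one not in the table.
func ServiceName(port int) string {
	if name, ok := serviceNames[port]; ok {
		return name
	}
	return "unknown"
}

// PortRange expands an inclusive lo-hi range into a slice of ports.
func PortRange(lo, hi int) []int {
	ports := make([]int, 0, hi-lo+1)
	for p := lo; p <= hi; p++ {
		ports = append(ports, p)
	}
	return ports
}

// ScanPorts is a TCP connect scan: it completes the full three-way handshake
// on every port and reports the ones that accepted, in ascending order.
// Refused and timed-out connections are treated alike here (Nmap separates
// "closed" from "filtered", and its half-open SYN scan never completes the
// handshake, which is why it is quieter in the target's logs than this is).
func ScanPorts(host string, ports []int, timeout time.Duration, workers int) []int {
	var (
		mu   sync.Mutex
		wg   sync.WaitGroup
		open []int
		sem  = make(chan struct{}, workers) // bounds concurrent connections
	)
	for _, p := range ports {
		wg.Add(1)
		sem <- struct{}{}
		go func(port int) {
			defer wg.Done()
			defer func() { <-sem }()
			addr := net.JoinHostPort(host, strconv.Itoa(port))
			conn, err := net.DialTimeout("tcp", addr, timeout)
			if err != nil {
				return // nobody listening, or a firewall ate the SYN
			}
			conn.Close()
			mu.Lock()
			open = append(open, port)
			mu.Unlock()
		}(p)
	}
	wg.Wait()
	sort.Ints(open)
	return open
}

func main() {
	// Constructed target: a listener on a loopback port, so the example has
	// something to find without touching any real host.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			conn.Close()
		}
	}()
	target := ln.Addr().(*net.TCPAddr).Port
	// The neighbouring ports are almost certainly closed; 23 stands in for Telnet.
	ports := append(PortRange(target-5, target+5), 23)
	for _, p := range ScanPorts("127.0.0.1", ports, 300*time.Millisecond, 32) {
		fmt.Printf("Port %d: open; protocol TCP; service %s\n", p, ServiceName(p))
	}
}
```

Run as root, Nmap defaults to the half-open SYN scan (nmap -sS); it reads the SYN-ACK and drops the connection before the handshake finishes, so the target's application never sees a session. The scanner above finishes every handshake, which is exactly what a connect-logging daemon or an intrusion detection system keys on.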
But first, we must log off and then back on as a legitimate user in order to grab the password hashes (passwords run through a one-way function, not the passwords themselves) and feed them to our password-cracking tools. We get back in under the user name "backup" by guessing its password (also "backup"). "Command completed successfully," the machine responds. I ask Schultze whether raised awareness has pushed administrators to better monitor passwords. No, he says. Most networks are still chock-full of such easy-to-guess passwords.

Once in, we copy user files and the password hashes onto our hard drives. We log off and hit the hashes with L0phtCrack and the even faster John the Ripper. Available on the Web, both tools hash each word in a dictionary of common passwords and look for a match. Tougher passwords may take a day, though, because the tools then have to brute-force them, trying every combination of characters. Within minutes, we've got more than 70% of the passwords in plain text in our greasy little paws.

Microsoft's LAN Manager hashes are the worst from a victim standpoint, says Schultze: LAN Manager converts the password to upper case, pads it to 14 characters, splits it into two seven-character halves and uses each half as a key to encrypt a known constant. There's no salt, so identical passwords produce identical hashes, and each half can be attacked on its own. Our cracking tools are built for this, so they kick out passwords much faster than they would for Unix. And if the administrator disables LAN Manager authentication, the NT box won't talk to Windows 95 or 98 boxes, so it's a tough problem to solve.

Armed with our newfound passwords, we finally reach our goal for the day: we hack back into the machine as Administrator and have full control of it. "What's the first thing you do when you gain root? You do the root dance," explains Ron Nguyen, another instructor. Push one arm up, jiggle your hips, put the other arm up, jiggle your hips and repeat until you get it out of your system. For our reward, Nguyen hands out a red wallet card titled "20 Things to Do After You've Hacked Admin."
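To make the LAN Manager weakness concrete, here is an added example in Go; it is not code from L0phtCrack, John the Ripper or the course. It rebuilds the LM hash from its published construction (upper-case the password, NUL-pad it to 14 bytes, split it into two 7-byte halves, and DES-encrypt the constant "KGS!@#$%" under each half as the key) and then runs a dictionary attack that treats the two halves as independent problems. The wordlist and the sample passwords are constructed for illustration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext every LM hash encrypts: the "known constant".
const lmMagic = "KGS!@#$%"

// desKey7to8 spreads 7 key bytes over 8 by inserting a (zero) parity bit at
// the bottom of each byte. DES ignores the parity bit, so this is simply the
// 56-bit half laid out the way crypto/des expects a key.
func desKey7to8(k []byte) []byte {
	key := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0f)<<3 | k[4]>>5,
		(k[4]&0x1f)<<2 | k[5]>>6,
		(k[5]&0x3f)<<1 | k[6]>>7,
		k[6] & 0x7f,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf hashes one 7-byte half: DES-encrypt the magic constant under it.
func lmHalf(half [7]byte) [8]byte {
	c, err := des.NewCipher(desKey7to8(half[:]))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot happen
	}
	var out [8]byte
	c.Encrypt(out[:], []byte(lmMagic))
	return out
}

// LMHash reproduces Windows' LAN Manager hash. Every weakness the article
// describes is visible: case is folded away, there is no salt, and the
// result is two separate 7-character problems rather than one 14-character one.
func LMHash(password string) [16]byte {
	var padded [14]byte
	copy(padded[:], strings.ToUpper(password)) // truncates past 14 bytes
	var lo, hi [7]byte
	copy(lo[:], padded[:7])
	copy(hi[:], padded[7:])
	a, b := lmHalf(lo), lmHalf(hi)
	var h [16]byte
	copy(h[:8], a[:])
	copy(h[8:], b[:])
	return h
}

// LMResult holds what a dictionary attack recovered for each half. Because
// the halves are independent, one can be recovered while the other is not,
// and whatever is recovered is upper case.
type LMResult struct {
	First, Second     string
	FirstOK, SecondOK bool
}

// CrackLM attacks a 16-byte LM hash with a wordlist. Each word contributes
// its first seven characters as a candidate half and characters 8-14 as a
// candidate second half; the empty string covers passwords of seven
// characters or fewer. Each candidate costs one DES operation, however many
// hashes are then looked up against the table.
func CrackLM(hash [16]byte, words []string) LMResult {
	table := map[[8]byte]string{}
	add := func(chunk string) {
		var k [7]byte
		copy(k[:], chunk)
		table[lmHalf(k)] = chunk
	}
	add("")
	for _, w := range words {
		u := strings.ToUpper(w)
		if len(u) > 14 {
			u = u[:14]
		}
		if len(u) <= 7 {
			add(u)
		} else {
			add(u[:7])
			add(u[7:])
		}
	}
	var lo, hi [8]byte
	copy(lo[:], hash[:8])
	copy(hi[:], hash[8:])
	var r LMResult
	r.First, r.FirstOK = table[lo]
	r.Second, r.SecondOK = table[hi]
	return r
}

func main() {
	words := []string{"admin", "backup", "password", "secret", "summer99"} // constructed wordlist
	for _, pw := range []string{"password", "backup", "PasswordXYZ!"} {
		h := LMHash(pw)
		r := CrackLM(h, words)
		fmt.Printf("%-13s %s first=%q(%v) second=%q(%v)\n",
			pw, hex.EncodeToString(h[:]), r.First, r.FirstOK, r.Second, r.SecondOK)
	}
}
```

Two consequences the article only hints at show up in the output. A hash of "PasswordXYZ!" gives up "PASSWOR" even though the rest stays uncracked, so a partial dictionary hit still tells the attacker most of the password. And any password of seven characters or fewer betrays its length at once, because its second half is the hash of nothing, the constant AAD3B435B51404EE that every NT administrator learns to recognise.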
But for the final slap in our victims' faces, we hide our hacking tools in an alternate data stream attached to a readme.txt file on the victim server. You could easily hide 10M bytes of hacker tools behind such a file without changing the size a directory listing reports, according to Schultze. An administrator who relies on Explorer or "dir" will never see them. The streams do consume disk space, so an audit that alerts on unexplained changes in free space can catch the trick, as can a tool that enumerates NTFS alternate streams, such as Sysinternals' Streams.

Day 3: Capturing the Unix flag

"Hacking root is a state of mind." Thus begins our syllabus for Day 3. And we really are getting into this "state." We arrive at class rubbing our hands in anticipation of breaking into the venerable Unix. Our instructor, former Air Force geek Chris Prosise, doesn't let us down.

We begin by repeating discovery and gaining entry in much the same way we did on NT. But Prosise wants to have a little fun. He shows us how to poison the DNS server so that it resolves the victim's names to a phony IP address on an "evil.com" server, where he can a) grab the information that arrives or b) route it into oblivion. He also shows us common HTTP attacks: the test-cgi script that shipped with early Web servers, which will list the victim's files and directories in response to a crafted GET request, and how to execute remote commands that would disable access controls. We install Trojan horses (executable code that does our bidding remotely) and punch open back doors so we can get back in over a Telnet session without a user name or password. Then we play capture the flag by leapfrogging among four Unix boxes.

And this, I'm afraid, is where I was so rudely interrupted by my waiting taxi.

Suffice it to say, we learned our lessons. Network and security managers have a tough row to hoe. Bullet-proof security is a myth, and managing security risk is the best anyone can hope for. We also learned that there's a little bit of hacker in all of us. And by cultivating the hacker within, information security professionals can better fight the cracker without.