The Making of a Hacker: I Can Hack You, Part 1

«Ï» çÅñ H@Çk ¥°Ü·
What the hackers do, and how to keep them from doing it

The Making of a Hacker

Picture, if you will, a parasite that calls itself an “immunity tester.” Our immunity tester travels from host to host, “testing” to see if it can feed off that particular host. When the feeding is good, our parasite tosses a few chunks of meat in front of the sharks. The feeding frenzy begins.

You’ll know the feeding frenzy when it happens. You’ve been hit by the password traders. Unless you have frenzy protection, your bandwidth use will go through the roof. Someone needs to pay that bandwidth bill – but it won’t be the sharks or the parasites.

In spite of the feeding frenzy, our parasite is a responsible parasite. He’s careful to not destroy or otherwise damage the host. Sure, he starts the feeding frenzy, but the frenzy itself is not his concern. He’ll add one or two passwords to your members area rather than two hundred. Two hundred might get noticed.

If he’s cracked hundreds of your passwords, he’ll only post a few at a time for the sharks. You’ll focus on the few without realizing that hundreds are known. As our parasite trickles out the “fresh” passes, he remains a hero for continually doing such great work.

Almost every hacker board calls itself the top resource for “security testing.” They are “educational” in nature, and not for profit. If you’re a webmaster, you can ask the board owner to remove all references to your site from their board – and they will.

Hackers divide their work into two basic categories, cracking and exploiting. Cracking is the process of recovering plaintext passwords from a stolen password file (the hashed passwords), so as to gain access to the members area of a paysite. Exploiting is the process of doing stuff you weren’t supposed to be able to do, so as to gain a copy of the password file for cracking purposes, or to gain access to other interesting information on the paysite’s server.

The sharks, by the way, must move quickly. That’s the reason for the feeding frenzy. There are so many sharks looking for fresh passes, that the passes last mere hours or even minutes. Shark traffic hits with a sudden heavy surge.

As a freeloader, how do you get away from the other sharks killing your passes? Your two choices are time, or money. For ten dollars a month, or twenty five, you can become a “special” member with access to longer-lasting passes. Yes, the not-for-profit board owners are selling stolen access to your bandwidth. It’s a tough sell, though. The freeloaders are freeloaders.

Your other option is to become a hacker yourself. Create your own passes! You can keep them to yourself, in which case they may last forever, or you can post them. Posting them makes you a valued contributor to that board. Since you’re now a valued contributor, you’ll also have access to that “special” area. You can now steal porn to your heart’s content.

The best part is… it’s easy, with no prior experience required. Exploiting requires you to use your brain, but beginning cracking does not. If you’re a clueless freeloader who wants to get all that porn for free, cracking is the place to start. Let’s begin.

John the Ripper

As I re-publish this in 2012, I again stopped by the Openwall Project, home of Solar Designer’s legendary John the Ripper password cracker. The site is still there, with the password cracker and word lists for Mac, Windows, and Linux.

Step One.

I stopped by the Openwall Project (www.openwall.com), home of Solar Designer’s legendary John the Ripper password cracker. I installed it and grabbed a password file (with permission) from one of my customers’ paysites. I ran John the Ripper with its default settings like this:

./john passwordfile

How simple is that! I had dozens of passwords cracked within about 20 minutes. I did that my first time. I had no special word list, no specialized “cracking” rules, no benefit of other crackers’ experience. I grabbed the rest of this customer’s password files, and played with John the Ripper’s various “modes” as I read through Solar Designer’s help files.

By the time I had read through the help files and several beginners’ tutorials available online, John the Ripper had spewed out several hundred cracked passwords. I knew it was good, but I was quite astounded by how quickly John the Ripper can “kill” that many passwords.

Step Two.

I took those results, and several other lists I had lying around, and added everything to John the Ripper’s wordlist. If “apple” is in the wordlist, for example, John the Ripper’s rules might try such things as apple, Apple, and apple1 through apple99. By feeding your list of usernames and your list of known passwords into the wordlist, you create a snowball effect. John the Ripper can make more educated guesses based on what’s been found already. As you go through cycle after cycle of cracking and feedback, John the Ripper becomes that much more powerful.

I cheated a bit… I seeded the list. I grabbed a bunch of cracked password listings off the hackers’ boards. I added each of those usernames and passwords to my wordlist. Since I already had the listings saved on my hard drive, I only needed about ten minutes to add a hundred thousand words to my list. (I then realized I’d inserted a lot of still-encrypted passwords, and took another ten minutes to clean the list.)

Step Three.

I grabbed another password file, without permission. Once you’re allowed into the “elite” areas of the hacker boards, you’ll find the secret keywords for hundreds, probably thousands, of paysites. Depending on the “exploit” listed, you’ll be able to add your own password to the site, harvest the live password file, or even look around the entire server. I pulled the password file.

John the Ripper cracked over a thousand passwords from that file within two hours! My total time spent, counting from when I first visited the Openwall Project to download John the Ripper, was less than four hours.

Imagine, if you will, someone who gets really good at this. John the Ripper can run on anyone’s desktop PC 24 hours a day 7 days a week. Just feed it new password files occasionally, and post your results so the freeloaders can have “fresh” passes daily. It’s so simple that kids can do it – and I strongly suspect that they do. Since it really is that simple, you can see why the “hacked password” problem is as large as it is.

A Side Note

I personally feel that the current ease of paysite hacking presents a serious legal issue. We are not exercising real diligence in keeping the material inaccessible to minors. Perhaps calling it a legal issue is putting it too strongly – for now. Yet the fact remains that fourteen year olds can crack passwords as easily as eighteen year olds.

Regardless of how they got there, minors can get in all too easily. In my opinion, that is a problem. The problem is easily solved – but we must choose to bother to do so. All we need for a short-term solution is (1) an appropriate password-choosing policy, and (2) properly written billing scripts. For the moment, that really is all we need. (The better solution is to improve our authentication procedures. Human nature – and the Law of Software Inertia – guarantees that won’t happen until we’re forced to do so.)

As we continue “the making of a hacker,” please bear in mind how easily minors can do this. Remember that legally speaking, it’s our obligation to keep them out, rather than to expect minors to refrain from coming in. Remember that we actually can choose to keep them out.