I remember cracking the password from a Windows system in high school. There was a centralized login mechanism using Novell but everything was cached locally. So you could boot a Linux CD and copy the password file to a memory stick, and crack at home. I think I used lophtcrack? The head admin account for the entire school district (basically root) had the password “north”. It took like a fraction of a second to crack. It was so simple that for weeks I didn’t even believe it to be true, and didn’t realize the name of the account was an admin.
I was expelled a few months later for all the fun I had after discovering this. Good times.
I was expelled from university for pulling off the exact same exploit with the "workstation only" feature in Novell. In my case, they put a computer in every dorm room, and every single one of them had a domain-wide administrator account cached in its SAM file. It was inevitable that a student would find it. It's been almost 15 years now but I believe the password was rac3c4r or something trivial like that. I ran Ophcrack overnight and in the morning I had admin access to every machine on campus.
I also had the bright idea to try this on library computers and email kiosks around campus used by thousands of students. Rather than booting into Ophcrack I'd just log in with the admin account and run pwdump from a USB stick to collect password hashes. I figured out how to enumerate Windows machines over the network using NetBIOS and ran the pwdump utility remotely using psexec, so that I could hit every computer in the library at once, or every computer in a computer lab, etc.
I ended up cracking credentials for most students and faculty on the entire campus. I was really young at the time and thought this was some real cool James Bond shit. I never once used it for evil: never read anyone's email, never viewed anyone's private files, never poked around the academic file shares for test solutions, never tried to steal credit card numbers or social security numbers from the finance office's file share. It was purely a hack for the thrill of breaking down barriers and outsmarting the security. But MONTHS later, after I had long since grown tired of tinkering with this stuff, a couple of uniformed police officers pulled me out of Calculus class and took me downtown. They tossed my dorm room and confiscated my computer and my phone and every piece of digital storage I owned. The school threw the book at me, I guess because they were so embarrassed by their incompetence on display from being beaten by a 16-year-old.
>I never once used it for evil: never read anyone's email, never viewed anyone's private files, never poked around the academic file shares for test solutions, never tried to steal credit card numbers or social security numbers from the finance office's file share.
I don't understand this justification. The system owners can't know that to be true and have to proceed as if the systems are compromised. Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?
It's not a justification. What I did was wrong. I'm just telling you what I did and why I did it. I wasn't interested in hurting anyone or in gaining any advantage for myself, only in breaking the system.
Also, I didn't actually go in anyone's house. If passwords are really so inherently private even apart from their access implications, maybe we shouldn't be sharing Ken Thompson's old password.
Yes, a good defense against a charge of burglary would be not having stolen anything. In an imaginary perfect criminal justice system, charges/penalties are based on damage done. Less damage done is a lesser crime.
> In an imaginary perfect criminal justice system, charges/penalties are based on damage done.
Hell no. Otherwise you could just set up one gigantic crime by committing a bunch of small "no damage done" crimes along the way, say, stealing a string of credentials one at a time, but not actually using them until you have all of them together, and then you commit your major heist/crime.
Mens rea is an important consideration so it's not just about damage done (though the fear a key could be used in pursuit of a worse crime is also a harm) but the intent/recklessness of an act.
Well, the imaginary perfect criminal justice system would probably arrest you right as you had completely committed to causing the damage, instead of afterwards. But it should still be justifying the arrest based on the act that caused damage, not the harmless acts that set you up to be ready to do it.
Trespass is not a crime per se. It's a tortious act. Criminal trespassing is when you commit trespassing when specifically told to leave and you don't or do it again.
Just to be clear, in case this matters, it wasn't an account belonging to an administrator, it was a default superuser account called (if I remember right) "TECH" in all caps, and didn't have any files or anything in it. It's not like it was a person and I was poking around their private stuff.
What possible reason would I have to lie about it? You think I'm worried about investigators raiding my VPN service so they can track down and charge a grown-ass man in juvenile court for something that happened 15 years ago? You think I'm worried about my reputation on this throwaway account with a grand total of five previous comments? What's the point in believing that this whole escapade happened at all if you're going to randomly doubt a particular element of it?
I was a kid, I was stupid, but I wasn't an asshole. I didn't go peeking and violating people's privacy because that would have been a dick move. Just like tons of people on Hacker News today have access to personal data on SaaS systems we maintain and don't go peeking. Just like tons of people are perfectly capable of picking their neighbor's locks but don't walk into their house for no reason. It's not even tempting. I don't care what's in my neighbor's house, and I don't care what's in random other students' homework documents or email or whatever. The only interesting part was breaking the security.
No, it's generally not illegal to copy someones key. It's illegal to STEAL the key, of course, but copy? Not a crime. Some states have laws that prohibit "providing access" to a government facility which can be applied to copying government keys, but your house key? Nope.
No. The serious crime is breaking in. Usually when someone's house is broken into they don't care about the stuff at all. They care that their personal space and sense of security has been violated. Also the criminal doesn't know what they'll find when they get in, but they are setting up a situation that can escalate quickly. Kids home alone? Someone with a shotgun? The very act of breaking in means they are ready to commit violence. If someone breaks into our house and sleeps there all weekend while we are on vacation, but doesn't take anything, does that deserve a lesser sentence than if they took a $100 TV? Not in my opinion.
It's always that kid. I did something similar in high school with luckily no serious repercussions but yup it was another kid who ratted me out. I could have changed my grades and stuff but luckily I was pretty content. The network admin who I really looked up to and asked lots of technical questions vouched for me. I think the fact that I only played around with the admin account for fun and never touched anything else helped my case.
The concerned kind. Refusing to keep their mouth shut when others exploit the system.
This is a problem, here GP is a hero, a hacker, a free spirit. But there is no point in romanticizing such behavior.
If you find a vulnerability in a system, you disclose it to the people that should know about it.
You can do that anonymously, or you can alert people in a subtle way.
What you don't do is sit on it and brag to people what a clever person you are.
What the OP did is (in this case) irrelevant to what the asshole did. There were multiple ways he could have gone about dealing with the situation that did not involve fucking someone over, but he chose to do that instead.
I just cannot attribute something like that to altruism.
I was wondering when this one would come up.
"Snitches end up in ditches" mentality is at fault here.
You pretend that someone cracking everyone's password is not a problem that the organization should address or even know about.
We should not turn our gaze away. "This is not my problem" is simply not a correct response. Snowden knew that, and yet, some people call him a snitch and a traitor.
Perhaps the discretionary thing to do in the case where the perpetrator is relatively whitehat is to mention to IT that "it appears common knowledge that all admin passwords are compromised" without exposing their identity.
Sigh, I grow tired of pointing this out, but if they were able to figure out someone was doing this, and even who it was, then you weren't a l33t hacker. You used common tools and used a known exploit that people were watching.
You broke rules for personal enjoyment and weren't even good enough to not get caught. You didn't beat them, they beat you. It doesn't matter if you went unnoticed for several months; the fact is standard monitoring and logs were your downfall. Nobody ever thinks of the log files and network monitoring tools as being part of security. Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.
> You broke rules for personal enjoyment and weren't even good enough to not get caught.
Otherwise known as being young and in their formative years. Plenty of HN had similar experiences and luckily even 15 years ago this harsh view on teenage stupidity was in the minority.
He also doesn't seem to claim to be a l33t whatever.
> Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.
> You didn't beat them, they beat you.
They beat themselves, which was understandable back in the day but that's a popular narrative to this day. If a school kid with random scripts or untargeted ransomware gets into a system I put far more blame on the process that prevented them from being patched than said kid.
He points out below that he was caught because another student overheard him discussing it and ratted on him. I feel like a real hacker wouldn't make a bunch of untested assumptions about situations they have no context for.
Our high school network ran on Novell NetWare, but I wasn't anywhere near smart enough to crack anything so I just wrote a little program in QBASIC that looked like the NetWare login prompt which rejected all login attempts but dumped what was entered into a text file, and left it running on one of the PCs in the computer room. It wasn't even a compiled program, it was just running inside QBASIC's IDE.
Yet it was running for three days before the admin got around to checking the machine, and all he did was try to log in, failed, and rebooted the machine — bringing it back to the real NetWare login screen. I got his password and pretty much everybody else's too, and to this day, more than 20 years later, I still use bits of his admin password from time to time when I'm creating temporary accounts.
This is exactly why some versions of Windows required you to press ctrl-alt-delete to open the login form. Programs aren't allowed to block Windows from receiving ctrl-alt-delete, so a fake login program would not be able to stay on the screen after the user pressed ctrl-alt-delete. (Of course this only works if the user knows to always hit ctrl-alt-delete when they go to login. If the user sees an already-open (fake) login screen and does not hit ctrl-alt-delete, then they're vulnerable.)
The new Windows 10 login screen doesn't seem to support anything running on it, all I've seen is a duo security prompt that A. Only showed up after a login and B. Doesn't work on Windows 10 in a non-rdp session on a Microsoft account[0]. Sadly this also means you can't run something like Wallpaper Engine on the lock screen[1].
The specific threat that ctrl-alt-delete's supposed to mitigate is where a user's already logged in, but a program's running that mimics the login prompt. Since applications can't handle ctrl-alt-del in Windows, if you pressed it at a fake login prompt, you'd get the Windows Security dialog/screen rather than a login prompt and it would be obvious that something's wrong.
Its utility's limited these days since consumer configurations of Windows have users trained not to expect to have to press ctrl-alt-del to log in. I'm not sure that it's even enabled by default on domain-joined machines any more as of Windows 10 (still available via Group Policy, though).
I've noticed sometimes the lock screen won't show the login dialog via the regular "press any keyboard key" action or via mouse dragging it up, I had to press ctrl-alt-delete. Maybe there are some heuristics that decide this that I don't know about.
It is not a hardware interrupt in the sense that there's nothing special about this key combination to generate a specific interrupt. The only related interrupts are the keyboard interrupts that happen for every keyboard activity, which the BIOS interprets and takes actions like turning on a key LED and storing the actions in a memory buffer (this is all in "real mode" on x86 processors) before that goes further up to the application. Capturing the keyboard interrupt could allow one to intercept specific keystrokes (like Ctrl+Alt+Del) before the OS gets it, but that's not possible in the OSes that most people use today (which all run in "protected mode").
Hah, I and a friend did a very similar thing with our school's NetWare. We managed to get ours to silently log the user in after collecting the credentials so it was mostly invisible. We created it to get the password from a particular guy, but in true dragnet style we installed it on as many machines as we could.
I have no idea how network drives were managed with NetWare, but some students always managed to find world writable dirs (that shouldn't be). Then it was a matter of finding some obscure subdirectory, create a new one (typically containing alt+255 characters) and stick games there. Fun times.
We did get his password (and many others), but never actually did anything with it.
I did the exact same thing, wrote the login faker in pascal.
Mine would print the "typo" error message, save credentials, and then log me out and show you the real login screen.
I managed to get the passwords of every student and teacher, but alas, I stored them in a file called hacked_passwords.txt, in my home directory. Got busted, and got a dozen Saturday detentions.
My highschool (well, homeschool resource center) IT admin couldn't log into one of the macs in the A/V lab one day; I heard him talking about it, and being on good terms with him, I offered to try and hack in. I literally googled "how to hack macos password", chanced upon an `nidump` vulnerability recent enough that it hadn't been patched, used that to dump the password hash file, fed that to JTR (compiled on that same machine, to add insult to injury), and almost instantly ended up with the admin password for the entire domain: 1337
It turned out that someone hadn't changed the password, he had just mistyped it over and over again. At the time, I didn't know what "1337" meant, I just thought it was a weird number, and it wasn't until many years later that I suddenly burst into laughter, realizing the "elite" level of security in that lab.
Thanks for the good times, Ron! I'm really glad he just laughed and trusted me as I explored technology instead of freaking out when my portscanners started making the printer spew out a bunch of garbage.
I wish my story was as cool and involved some technical expertise.
In year 10, a friend of mine saw our school network admin type the admin password in (he used his index fingers and typed in each character one at a time like someone with very little typing experience - this was 1998)
Anyway, I used this info to log in as the admin and I promptly deleted all of the student accounts in the school. Students around me immediately started complaining they couldn’t log in or access their assignments.
It was a stupid and immature thing to do.
Guess it’s a good reminder and lesson that you should always be careful who is watching you over your shoulder.
Oh, did something similar to change a friend's grades in college. Pretended to be on my smartphone while the professor signed in, and filmed their fingers on the keyboard. Took some trial and error watching the low-res video (this was before phones had nice cameras) frame by frame to figure out which keys he was hitting.
My high school's administrator password was “math”. I think the statute of limitations has expired by now.
I got it by writing a simple login spoofer in Turbo Pascal. The funny thing is I never bothered to remove it and after I graduated, I heard from the actual administrator that they were having a strange problem where the first login of the day spit out a disk full error.
> I got it by writing a simple login spoofer in Turbo Pascal.
Ha, I did the exact same thing, in turbo pascal as well!
Man, I miss those simple computer systems. I used to go to other peoples' desks and type the word "end" in column 100 of the first line of their program. They'd go mad with frustration trying to figure out why their program always ran instantly, with zero errors and zero output. Or I'd let them watch me type in my 6-digit numeric password, but they still couldn't log in as me because I was slyly holding down the alt key as I typed, so the password was really a single extended ASCII character...
Getting up to all those hijinks gave me a love of computers that really set the direction my life would take.
Our high school's local admin password on every machine was the name of the school district. Used it to install P2P software and emulators on lots of the machines throughout my time there. On grad day I was setting up a slideshow with my CS teacher and the domain login wasn't working. I said "just log in with local admin". He said "I don't know the password". I did it in front of him. His words: "I don't want to know what you've done with this"
I spent three solid semesters wasting my "Computer Science" electives on breaking into the Novell system... I found tons of these encrypted passwords, and it never occurred to me to just crack one. I did find plenty of other ways to get in, though :)
Yea historically the SAM file on windows has always been a weak spot because of its NTLM hashing scheme. By breaking passwords larger than 7 letters into multiple sub-password hashes it virtually guaranteed rainbow tables would destroy its security.
I used this weakness whilst working at British Telecom to legally break into some NT boxes on behalf of a FTSE 100 company whose system my team got asked to take over.
They had had a bad break up with another supplier and had lost access.
I used our art director's Mac to break in. I did consider setting up a DIY cracking farm using all our Suns and running it overnight, but I suspect that the security department might not have approved.
The "split into 7s" thing is from LM, which goes back to the OS/2 days... and it uses DES, which operates with 56-bit keys: 7 8-bit characters. Old DES-based crypt() has a similar limit: 8 7-bit characters.
NT hashes use MD4, which wasn't invented until 1990.
I believe LM also stored the passwords in uppercase. The NTLM password was used, but LM was also saved for compatibility (by default) with older Windows machines.
L0phtCrack utilized this when cracking: it first found the uppercase password, then it only had to brute force the case when cracking NTLM.
I did the same thing at my school, but it was a brand new SMT magnet school, so we showed the net admins and helped to prevent it... Zipslack (first 100 MB Linux distro) with L0phtCrack was part of my EDC. I believe the first time it was shown to the adults was after someone locked the school network admin out of everything, so we helped him recover. We even set up a security lab for the admin team. The next year anything that looked like hacking was grounds for expulsion, which led to a lot more problems with it if you ask me. The school with a wing full of hackers wasn't gonna quit looking at new tools. The school just decided it was like teen sex or smoking. Banned! Lol.
My school district was the Madison Metropolitan School District. I discovered quite by accident that the admin password for the school computers was just ‘mmsd’. It was literally my first guess.
My school hacking story: 7th grade, springtime, ~1998. The district used software that ran on login and populated your desktop/start menu and permissions. This was a mixed network of windows 98 and XP for all the newer computers. I found a bug where if you corrupted your own user profile folder, windows would load a temporary one after reboot and not apply all the restrictions, giving access to explorer. You could also get access to explorer by going through the f1 help menu in a couple of different programs.
Promptly used explorer to navigate to my english teachers computer via the hidden c$ share, and delete the executable from the program files folder. Next time she logged in, BOOM nothing. no start menu, no desktop, no permissions. The admins had an incredibly consistent and predictable naming scheme, and my idiot "friends" I shared the vulnerability with promptly used this to nuke like 3 labs and a bunch of teachers computers.
Fast forward 1 month, we all got pulled out of PE by a cop and sentenced to 1-3 weeks of community service.
* I abused that profile bug to work exclusively out of portable firefox on a usb drive instead of being tied to internet explorer 6 and 7, which allowed me to bypass proxy settings and get access to gmail and read slashdot/ign/halo.bungie.org during school hours! Those were the days.
There is something very wrong with the school (system) if you actually got expelled for that. If that is the whole story, they should have explained why it was wrong and tried to encourage you to learn more, responsibly, by actually asking you to help them with securing their system. That is roughly what my headmaster in Russia did in similar circumstances. The thought of expelling a kid over something silly like this wouldn't even cross anyone's mind.
In our engineering school the password hash used to be publicly accessible. Someone had devised a johntheripper binary to look like seti@home and made it run on several machines with the admins' benediction.
We had a meagre limited amount of quota on these shared systems (between 1 and 10 MB) but teachers had 1 GB. We stored the Quake binary on one teacher's account, Starcraft 1 on another and start kicking.
One day I was bored in comp sci and decided to CD into drives A–Z. Found a bunch of Novell NetWare utils sitting on a hidden drive. One of them listed all the users on the system, while another sent back generic user info. Thing is, this was a very large high school and a bunch of accounts never signed in. All you had to do was log in with a blank password and it would prompt you to select one on login. Any funny business on the network was done on a burner account. It was all just fun and games, but never did get caught. Although, one of my teachers did say the network admin sent out an email to all my teachers, telling them not to let me touch their computer. No matter. It would be foolish to log in from a location that has a record of you physically being there.
Used to do it on Windows 95/98 at my school with Cain and Abel.
You could save the *.pwl files to a floppy, take them home, and crack them in a few minutes. All you needed was a PC that a teacher had logged into recently.
In high school a teacher in the computer lab tossed a piece of note paper in the garbage, a fellow student saw it, fished it out and brought it to me because I would be interested in having an admin password I guess. It was indeed the admin password for the QNX machines we used.
This exact thing happened to me, except I accessed a network drive linking to some juicy information. The school expelled me and the state went after me. I ended up getting a misdemeanor expunged!
I was also expelled for basically doing the exact same thing. Exploiting cached domain admin passwords for Novell via a local SAM file. NTLM hashing does something incredibly dumb for legacy purposes by splitting passwords longer than 7 letters into multiple hashes for the first 7 letters and the second 7 letters. We got caught because a kid left a flash drive with teachers' passwords in a computer lab, and when the teacher tried to find out who the drive belonged to, he found that kid's homework and his own password. There are some news stories that came from it:
I got kicked out of school when I was fifteen for doing this. My class was the first year to have a mandatory laptop program. Each laptop was running Windows XP on the school's AD domain. I booted up Ophcrack at home, and didn't get a result. So then I torrented a larger rainbow table and ran it again for three days. Boom, there I had it.
My motivation for this was wanting to install my own software on the laptop that my (underprivileged) family was forced to pay for (much more than what it was worth). This was not an optional item, it was a requirement of the state-run school. The student user account was not given local administrator rights on the computer.
After using the administrator account for six months to install my own software (this is when I first taught myself how to program), the school did a random "computer" check, where they confiscated everyone's computer - unannounced, at random, and simultaneously. My computer was asleep, signed onto the administrator account.
During the inspection, the school's IT administrators and an external contractor not only went through all of the files on the local computer, but they also went through my Gmail account, which had credentials saved in Firefox.
When my father was called into the office to discuss what they found, the school had the state police there to discuss charges. After listening to them rant on for about thirty minutes, my father turned to the female police officer and calmly said "I would like to press charges against [ ...... ] school, and Mr [ ...... ] personally for accessing my child's email account in an unauthorized manner". The head master agreed to not proceed with charges but I was no longer welcome at the school.
Unrelated, but five years later, Mr [ ...... ] was charged with possession of child pornography and jailed for fifteen years.
Wow - this is awful. For simply getting admin rights on your own laptop? How do school admins get away with treating the kids like inmates? Good on your dad, he handled it well.
You don't get to be headmaster of a school without wanting to feel power over the kids.
And if that's the only power you have in your life, you'll protect it viciously.
Teachers are usually in it for the warm fuzzy feeling of doing something good, but I've never met a headmaster who didn't behave like I described above.
At my small highschool it was well known that the teachers essentially rotated being principal. They all hated it but it had to be done. While I was there it was the history teacher. Before that it was the science teacher. After I left the english teacher took over the role. Yes it was <100 people so there really was only one teacher for each subject with some overlap.
I wouldn't call it unrelated. He clearly had past behavior violating the privacy of his students with the cover of politics and police. It's how predators like this operate, finding an authority position and exploiting it. And he clearly got away with it that time.