THE FINE ART OF HACKING
v1.02 r21Aug2001 fr04Aug2000
by Elf Qrin


"It is simple enough as you explain it," I said, smiling.
(Dr. Watson to Sherlock Holmes in "A Study in Scarlet", Sir Arthur Conan Doyle)



You've read it all. You may have started from some "How To Become A Hacker" article, then you've read every tutorial you could find on the Internet. You even learned programming.

Still you can't "hack" (whatever that means). How many times have you found people complaining about this on a hacking web board? ...Maybe you are one of them.

Good. You have the knowledge. There's only one thing you must learn, now: hacking is creativity. Knowledge is useless if you don't experiment, if you don't try something new, if you don't use your brain to handle such knowledge, forging it to your needs.

Enough talking. I'll show you some practical examples. They are quite simple, and closer to cracking rather than to actual hacking. But I think they are useful to let you get the idea, and make you understand how to combine your knowledge with your intelligence.


Hacking is creativity

OK, for a start, let's say you've learned HTML. You created your first homepage with a text editor. Here it is:


<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
</HEAD>
<BODY>
Hello World!
</BODY>
</HTML>
You decided to put it online (because not many people will be able to see your work on your hard disk...), but you don't have enough money to pay for web hosting, so you chose a free webspace provider, let's call it GeoFortune.

Fine, but you soon discover that nobody works for free, and GeoFortune places banners in your webpage. You don't like it and decide to find a way to bypass it. The first step is to examine how GeoFortune modifies your source code so that browsers will load their banners while opening your page. You go online, open your page, save it to disk, and view it from a text editor (yes, the same you used to create your page).

This is how your code looks now:


<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
</HEAD>
<BODY><!-- BANNER CODE -->
<SCRIPT>
<!--
document.writeln("<BIG>!AD BANNER!</BIG><P>");
// -->
</SCRIPT>
Hello World!
</BODY>
</HTML>
The code is placed right after the <BODY>, where the visible part of the document begins, so that the banner appears at the top of your page.

You start thinking that if you can tell the browser not to execute the code added by GeoFortune, everything will be fine. Sure, but how can you do that?

A good idea could be to create fake </HEAD> and <BODY> tags inside a pair of comment tags (<!-- -->), so that GeoFortune will append its code after your fake tags, and supposedly it will never be executed because of the comment.

This is how it looks:


<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
<!--
</HEAD>
<BODY>
-->
</HEAD>
<BODY>
Hello World!
</BODY>
</HTML>
Sadly it doesn't work as you expected: comments don't need to be balanced, so the <!-- BANNER CODE --> comment added by GeoFortune also closes your comment. Everything from its --> onwards, including the banner script, is back in the visible document.
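To see exactly where the comment ends up closing, here is a small scanner (an added example, not code from the original text) that applies the rule the browser follows: a comment starts at the first "<!--" and ends at the very next "-->", with no nesting. The banner text is a constructed copy of the GeoFortune code shown above.

```javascript
// Added example: why the fake </HEAD><BODY> inside a comment stops working
// once "<!-- BANNER CODE -->" is injected. Script bodies are scanned like
// ordinary text here, which is enough for this check.

// Return [start, end) offsets of every comment in html, in document order.
function commentSpans(html) {
  const spans = [];
  let pos = 0;
  for (;;) {
    const open = html.indexOf("<!--", pos);
    if (open < 0) break;
    const close = html.indexOf("-->", open + 4);
    // An unterminated comment swallows the rest of the document.
    const end = close < 0 ? html.length : close + 3;
    spans.push([open, end]);
    pos = end;
  }
  return spans;
}

// True when the first occurrence of needle lies inside some comment.
function isCommented(html, needle) {
  const at = html.indexOf(needle);
  if (at < 0) throw new Error(needle + " not found");
  return commentSpans(html).some(([s, e]) => at >= s && at < e);
}

// The author's page with the fake tags hidden in a comment (from the text).
const authorPage = [
  "<HTML>", "<HEAD>", "<TITLE>Hello World</TITLE>",
  "<!--", "</HEAD>", "<BODY>", "-->",
  "</HEAD>", "<BODY>", "Hello World!", "</BODY>", "</HTML>",
].join("\n");

// Constructed model of GeoFortune's edit: banner code goes after the first <BODY>,
// which in authorPage is the fake one inside the comment.
const BANNER = [
  "<!-- BANNER CODE -->", "<SCRIPT>", "<!--",
  'document.writeln("<BIG>!AD BANNER!</BIG><P>");', "// -->", "</SCRIPT>",
].join("\n");
function injectBanner(html) {
  return html.replace("<BODY>", "<BODY>" + BANNER); // replaces first match only
}

const served = injectBanner(authorPage);
console.log(isCommented(authorPage, "</HEAD>")); // true: the fake tags are hidden
console.log(isCommented(served, "<SCRIPT>"));    // false: the banner's "-->" closed the comment
```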

OK, you have to think of something else... wait a minute... what about using the <APPLET> tag? You know HTML and the properties of all its tags, so you remember that everything inside an <APPLET> </APPLET> pair is reserved for browsers that don't support Java and will never be executed by all the other browsers; moreover, <APPLET> tags must be balanced, so a nested <APPLET> pair would be useless.

You give it a try. Now the code of your page is:


<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
<APPLET WIDTH=1 HEIGHT=1>
</HEAD>
<BODY>
</APPLET>
</HEAD>
<BODY>
Hello World!
</BODY>
</HTML>
After the modification applied by GeoFortune, your code appears as follows:

<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
<APPLET WIDTH=1 HEIGHT=1>
</HEAD>
<BODY><!-- BANNER CODE -->
<SCRIPT>
<!--
document.writeln("<BIG>!AD BANNER!</BIG><P>");
// -->
</SCRIPT>
</APPLET>
</HEAD>
<BODY>
Hello World!
</BODY>
</HTML>
You try it and... wow! It works! The code inside the <APPLET> tags is not executed by your browser!

Great. But you've learned HTML very well, haven't you? So two considerations soon come to mind: first, every time someone accesses a page of your website for the first time, his browser loads the Java machine because of the <APPLET> tag, but well, it's a small price to pay. The second thought is a little bit worse: your visitor may have disabled Java but kept JavaScript active... so the code inside the <APPLET> tags will actually be executed! Mmmm... come on... I'm sure you can do better.

You remember there's another such tag... <NOSCRIPT>. The code inside a <NOSCRIPT> </NOSCRIPT> tag pair is processed only if JavaScript is disabled, and even in that case it would be harmless because the banner is created with JavaScript!

Thus, this is the final version of your homepage:


<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
<NOSCRIPT>
</HEAD>
<BODY>
</NOSCRIPT>
</HEAD>
<BODY>
Hello World!
</BODY>
</HTML>
A month later you discover that GeoFortune has changed its code and also adds some JavaScript at the end of your page, so you decide to leave a <NOSCRIPT> tag open just after the </HTML> closing tag, so as to prevent any code added after yours from being executed.

I hope this example has shown you how to turn every feature of a given system (in this case, the HTML language) to your advantage. This is what I meant when I said that knowledge is not enough. You may know HTML very well, but if you are unable to think of how to exploit its inner features you are also unable to "hack", because hacking is the ability to do uncommon things with the common tools you have. Be creative.


Think like a hacker: the Zebulun challenge

   (To CyberArmy officers: this text is compliant with the Omega directive.)

This text is a rearrangement of some notes I took while I was breaking CyberArmy's game Zebulun. I'm releasing it since they've changed their game, so I suppose I'm not spoiling things for anybody.

Zebulun is a hacking/cracking game in which you have to pass many tests to complete it. After every trial you get a higher rank in the CyberArmy. It's not the real thing, but it's a good simulation, and it can entertain you for some days.

Again, it can be used as a good example to see how to face cracking problems. I'll try to make you follow the flow of my thoughts.

1. Zebulun 0 - Civilian

The game starts from the CyberArmy Discussion Forum (http://www.cyberarmy.com/wwwboard/index.shtml). At the top of the board there's a note: Posts with insignia indicate a Zebulun officer's post. The word "Zebulun" is clickable and contains a hyperlink to the starting page of the first test of the game.

The test itself consists of a numeric pad on which you have to enter a three-digit code to pass to the next stage. If you fail five times the test ends and you are redirected to a page that uses known browser holes to try to crash your system (it doesn't work on the most recent versions of Netscape and Internet Explorer, though).

Since the numeric pad includes 9 digits (1 to 9) there are 9^3=729 possible combinations. Mmmm... too many to try by hand. Let's have a look at the HTML source code instead.

The first thing you notice is that you can't right-click on the Zebulun link to save the page to disk, because the hyperlink invokes a JavaScript routine (fullwin()). You have to look at the source code of the CyberArmy forum first. This is the relevant part:

<script>
<!--
function fullwin(){
  window.open("http://www.cyberarmy.com/zebulun","_zeb","fullscreen, scrollbars")
}
//-->
</script>
Good, now we know that the game is located at the URL http://www.cyberarmy.com/zebulun

We can open it directly, save it to disk, then open it with a text editor. Actually, we'd better make a backup copy first, so that we can modify it freely.

Reading the code carefully, we find the subroutine Enter_code(number) (line 186) that analyzes the code entered from the numeric pad to see if it's correct. It multiplies the digits and compares the result with the value 140 (line 196). Thus, the correct code can be found by solving this equation: x*y*z=140.

However, since there are only 729 possible combinations, we can let the computer run a brute-force attack, testing all of them.

First, we have to change lines 204 and 211, which increment the number of failed attempts, so that we get infinite tries. We only have to put a comment marker (//) before the statement that increments the fails variable:

// fails++;
Alternatively, we can modify line 215, where the variable fails is checked. Normally the if statement tests whether the value is lower than 6: if (fails<6); we can change this value to one greater than the number of possible tries, such as if (fails<741).

As you can see there's often more than one way to accomplish the same task... by the way, using more than one way doesn't make your hack "stronger", it is rather useless, like taking two medicines to cure the same disease.

Once we have infinite tries, we can add the brute-forcing routine at line 247. This code will override the user data input routine:

for (i1=1; i1<=9; i1++) {
  for (i2=1; i2<=9; i2++) {
    for (i3=1; i3<=9; i3++) {
      document.codepad.thecode.value = "" + i1 + i2 + i3;
      Enter_code(i1);
      Enter_code(i2);
      Enter_code(i3);
    }
  }
}
To be notified when a code has been found, change line 204 this way:
alert("Found code:\n"+code);
Now we can run it in our browser.

This is the list of the matching codes (codes whose digits, multiplied together, give 140):

457
475
547
574 (correct code)
745
754
In line 203 ( window.open(code+".shtml",'_hidden','width=600,height=400,toolbar,scrollbars') ) we've seen that you can open the correct page directly using one of the numeric codes we've found, in this format: http://www.cyberarmy.com/zebulun/CODE.shtml (e.g. http://www.cyberarmy.com/zebulun/457.shtml )

Note that brute force is never a clever solution when you can solve a problem otherwise. SALYM from Alpha Solution Project emailed me a neater way to get to the right code, suggesting a quick way to solve the equation above (x*y*z=140). He says that since x*y*z=140 and the digits range from 1 to 9, you just have to factor 140 into primes: 140=2*2*5*7
The only solution can be 4, 5 and 7, since 2*5, 2*7 and 5*7 are all higher than 9. You then try the permutations 457, 475, 547, 574, 754, 745 and voila.
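SALYM's factoring argument written out as code (an added example, not from the original text or from CyberArmy): it works for any target product and any code length, distributing the prime factors over the digits while keeping each digit on the pad (1 to 9), and keeps the 9^3 brute force only as a cross-check.

```javascript
// Added example: solve x*y*z = target over digits 1..9 by prime factoring
// instead of trying all 729 pad combinations.

// Prime factors of n, smallest first (e.g. 140 -> [2, 2, 5, 7]).
function primeFactors(n) {
  const out = [];
  for (let p = 2; p * p <= n; p++) {
    while (n % p === 0) { out.push(p); n /= p; }
  }
  if (n > 1) out.push(n);
  return out;
}

// Distribute the prime factors over `len` digits, each kept within 1..9.
// Returns the distinct digit multisets (as sorted strings) whose product is target.
function digitMultisets(target, len) {
  const primes = primeFactors(target);
  const found = new Set();
  const assign = (i, digits) => {
    if (i === primes.length) { found.add([...digits].sort().join("")); return; }
    for (let d = 0; d < len; d++) {
      const v = digits[d] * primes[i];
      if (v > 9) continue;            // a pad digit cannot exceed 9
      digits[d] = v;
      assign(i + 1, digits);
      digits[d] /= primes[i];         // undo before trying the next position
    }
  };
  assign(0, new Array(len).fill(1));  // every digit starts as 1
  return [...found];
}

// All distinct orderings of the characters in s.
function permutations(s) {
  if (s.length <= 1) return [s];
  const out = new Set();
  for (let i = 0; i < s.length; i++) {
    for (const rest of permutations(s.slice(0, i) + s.slice(i + 1))) out.add(s[i] + rest);
  }
  return [...out];
}

// Every `len`-digit code (digits 1-9) whose digits multiply to target, sorted.
function codesWithProduct(target, len = 3) {
  return digitMultisets(target, len).flatMap(permutations).sort();
}

// Plain brute force over all 9^len combinations, used only to cross-check.
function bruteForceCodes(target, len = 3) {
  const out = [];
  for (let n = 0; n < 9 ** len; n++) {
    let m = n, code = "", prod = 1;
    for (let k = 0; k < len; k++) { const d = (m % 9) + 1; m = Math.floor(m / 9); code = d + code; prod *= d; }
    if (prod === target) out.push(code);
  }
  return out.sort();
}

console.log(codesWithProduct(140)); // [ '457', '475', '547', '574', '745', '754' ]
```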

However, the correct page is http://www.cyberarmy.com/zebulun/574.shtml

The other ones will show a page that says:

You're almost there...

Try a different combination of the factors.

With the correct URL we get:

Welcome to Zebulun 1

You have been awarded the rank
Second Lieutenant of the CyberArmy.

Click on the badge to get the rank.

2. Zebulun 1 - Second Lieutenant

The second trial starts from http://www.cyberarmy.com/zebulun/finger.html

This page contains a Java applet that simulates a fingerprint scan (it asks you to put your finger on the screen, then acts as if it were actually analyzing it... of course it's a hoax, but I'm pretty sure everybody has put his finger on the screen at least once :) ). However, after "scanning" your fingerprint for the second time it asks for a username and password.

The first thing we can do is open the HTML source code of the page to see where the Java applet is located. We find it's stored at http://www.cyberarmy.com/zebulun/finger.class

Now we can download it and study it. We can use a hex editor such as Hex Workshop or a text editor able to open binary files, such as JGsoft EditPad (since v3.5.2).

Inside we find a URL, http://www.cs.upe.ac.za/staff/csalen/java/, that leads to the home page of the original program (http://www.cs.upe.ac.za/staff/csalen/java/finger.class).

We can download the original finger.class from http://www.cs.upe.ac.za/staff/csalen/java/finger.class and compare it with the one from Zebulun (FC /B finger.class finger_original.class from MS-DOS). We then find that they are identical, so the Java class hasn't been modified by CyberArmy. Otherwise a Java decompiler would have been useful to study the source code.

If the Java applet is "clean", we should focus our attention elsewhere.

Let's go back to the HTML code of the page finger.html (the one containing the Java applet). At a certain point we can read:

try this- zebulun2:3qd/XMvglMQSY (crypted)
It appears to be the required username (zebulun2) and password (3qd/XMvglMQSY), but it doesn't work: the password is obviously encrypted, as stated.

To crack this password, the "tough" way would be to study how Unix hashes passwords and write a program to crack such passwords.
However, since someone else did this job before, we can take advantage of this, and use his tool.
In this case we can use John The Ripper (JTR).

We then create a text file named pw.txt (or anything else) containing the username:password pair (zebulun2:3qd/XMvglMQSY , in this case), and then we can start cracking it with JTR, running it from an MS-DOS window: john pw.txt . The program correctly recognizes the content of our text file, then starts attempting to crack it:

Loaded 1 password (Standard DES [24/32 4K])

We should actually use a wordlist, but in this case I liked to see how much it would take to crack it with plain brute force ("brute force and ignorance").

On a Celeron 400 MHz PC I got the following results:

plain mode:
guesses: 0  time: 0:08:01:09 (3)  c/s: 14121  trying: phpdhi - CH1uya
zion2            (zebulun2)
guesses: 1  time: 0:10:43:11 (3)  c/s: 18591  trying: z800s - zAVI5
-incremental mode:
guesses: 0  time: 0:07:10:50  c/s: 25307  trying: judkflat - jpakeric
zion2            (zebulun2)
guesses: 1  time: 0:09:47:38  c/s: 20346  trying: z800s - zAVI5
Incremental mode is slightly quicker, at least in this case (it found the correct password about one hour earlier than plain mode); however, both returned the password we were looking for: zion2 .

Now we can access the password-protected page. We don't need to wait for the double finger scan anymore, because from the source of finger.html we can read that the page it opens is http://www.cyberarmy.com/zebulun/zebulun2/

So, we can open it directly and enter the correct username and password: zebulun2 : zion2

3. Zebulun 2 - Lieutenant

This trial features social hacking. You must get the password chatting with the Zebulun daemon Eliza.

If you try to access directly or download Eliza's perl script (located at http://www.cyberarmy.com/zebulun/zebulun2/eliza.pl) to study it, you get the following message:

Cyberarmy Security Lockout


This script can only be called from www.cyberarmy.com, to help prevent people exploiting it. 
For some reason, the script has determined that it was not called from www.cyberarmy.com.
Occasionally, it is mistaken. If you are not trying to hack us, you should retype
www.cyberarmy.com in your browser, reload the page, and try again.
If that still doesnt work, contact the webmaster.
This error and your details have been logged.

[Return to Cyberarmy Main]
So, we actually have to try to social engineer Eliza. Questions like "give me the password" don't work. Swear words make her unhappy. We'd better try with "sweet" words instead.

Talking about love, at a certain point we get

the only thing I really love is my pet carbon rod
So we can insist on this:
i love pet carbon rod!
At this point we should get the following reply:
my pet carbon rod is called Mesha...
Bingo! Many people use their pet's name as a password, and in fact after a while she says
"man, ive got to stop using 'Mesha' as my password for everything"
(the guys at CyberArmy surely made this test too easy...). Note that you can also get the password by solving a game called Falcon (which lamely runs only under Internet Explorer). Some levels have more than one way to get the password... if you got the password from Eliza, there's no need to play the Falcon game. So we can proceed to the next stage: http://www.cyberarmy.com/zebulun/zebulun2/zebulun3/ , using as username and password zebulun3 : Mesha

4. Zebulun 3 - Captain of the CyberArmy

This trial is a bit harder than the previous ones, because there's more than one puzzle to solve.

On the webboard dedicated to this stage, someone claimed to have put BO (Back Orifice) on Nick's machine (Nick, or Overlord, is the owner of CyberArmy) and to have downloaded the following file: http://www.cyberarmy.com/zebulun/zebulun2/zebulun3/bomb.zip , which contains two password-protected files: "red wire.doc" and "blue wire.doc".

It is obvious we have to get that file and break its password protection. As before, we don't necessarily have to study ZIP encryption and write our own tool, since someone else already did. We can in fact use Fast Zip Cracker (FZC). This time we'd better use a wordlist. We can start with a list containing the most common English words.
We run it from an MS-DOS window: fzc -mw3 -nzbomb.zip -wordlist.txt , obtaining the following output:

Fast Zip Cracker 1.06 (C)1999 Fernando Papa Budzyn.

BETA-A (990326) ***PLEASE DO NOT DISTRIBUTE***

CrackSet=? in FZC.CFG.  Calculating best CrackSet.  Please wait...
Using CrackSet=1

Cracking... demon4                              (logging to FZC.LOG)

The last word tried was "daemon" (line number 1816)
Suspended after 173.1 seconds (2m 53.1s).
Found password!
So, the password is demon4. We think we have almost passed this stage, but we soon realize that the two Word documents inside the .zip file are password-protected too.

We'd better search the Internet for an Office document password breaker.

The first one we find is WFWCD (Word for Windows Password Cracker) R8 by Fauzan Mirza, 1995, but the two documents were created with a more recent version of Word, and this tool is not able to process the files: it quits with "Corrupt document file".

We find another tool called Advanced Office 97 Password Recovery. We decide to try a dictionary attack (rather than the slow brute force and ignorance), and since this tool comes with a built-in English dictionary, we give that a try first, before using a personal wordlist.

The attack is successful and we find out that the password for "blue wire.doc" is past.

Now we can finally open the document in Word, and see the following text:

Blue Wire contain the following text:
The beginning of eternity
The end of time and space
The beginning of every end,
And the end of every place.
It is followed by three dollars.
We try to solve the riddle: the beginning of the word "eternity" is "e", "e" is also the end of "time" and "space", the beginning of "end", and the end of "place". At the end of it we must add three dollars ("$$$").

So, if the character "e" has to be repeated for every word, we get eeeee$$$.

We try to go to the page that leads to next stage -- http://www.cyberarmy.com/zebulun/zebulun2/zebulun3/zebulun4/ -- using zebulun4 : eeeee$$$ as username and password, but it doesn't let us in.

Maybe "time" and "space", which are on the same line, must be counted only once. We try eeee$$$, but that's wrong as well.

Eventually we realize that all the "e"'s must be counted only once, and that the password to the next stage is simply e$$$

"red wire.doc" can't be broken with the English dictionary provided with the cracking tool we used, but as said before, there might be more than one way to pass a level, and you just need to find one. Maybe curiosity will make us look for the password to break that file too, later.

5. Zebulun 4 - Major of the CyberArmy

A funny thing about this level is that you can read the log file of the chatter bot of Zebulun 2: http://www.cyberarmy.com/zebulun/zebulun2/zebulun3/zebulun4/log.shtml

Anyway, this level's challenge starts when you click on the Zebulun 5 button (which opens the page http://www.cyberarmy.com/zebulun/zebulun2/zebulun3/zebulun4/bj.pl). If you're not browsing from a Unix/Linux system, the following message appears:

Hey buddy, this is a Unix challenge. I wont even let you try the test from a
Winblows computer...
So this test requires a Unix/Linux system. Now, accessing that page from Linux would have been the canonical way. I was instead looking for a way to spoof the information provided by my system and my browser to make Windows look like a *nix system... but then they changed the game, and I dropped it.

However, I hope that what you have seen so far is enough to show you how to put your knowledge into practice. Your brain is much more than a place to store information.