The hacking challenge

On every tour we watch a series, and this time it was Mr. Robot. It got me very inspired to try out some (white hat) hacking, so I made a Kali Linux thumbdrive and started learning about the tools. My friend and coworker asked me to hack him, and we decided that I should access his Yahoo account. Here’s what happened:

Day 0 – Physical access, stealing passwords, cracking encryption

I planned to start by just walking up to his computer when he wasn’t there to see if I could access his Firefox and Chrome saved passwords, which are saved in plain text and accessible from within the browser with no type of authorization needed. I rehearsed revealing the passwords as quickly as I could on my own computer until I felt confident I could do it in a few seconds or so once the time had come. About 2 hours later he left to go grocery shopping, and as soon as I heard the door close I excitedly half-jogged to his room where I knew he had left his computer. He had locked the door. Bastard. I then recalled that we had looked at the keys to our rooms a day or so earlier, and concluded that they looked so simple that they couldn’t have been very safe. I had a fairly clear memory of the shape his key had, so I tried to find something like it by looking at the keys to the other doors and found one that seemed similar enough. I put it in, turned it, and *click*. Wow, I was not expecting it to be that easy. It had only been about two minutes since he left, and I had already opened his computer that turned out to not have any password protection. He was running Ubuntu 14.04. I opened Firefox and Chrome simultaneously and did what I had practiced. I found that he only had a few saved passwords, most of them for temporary things that were generated for him, but some of them included patterns from his personal life. I wrote all of them down together with their usernames and which sites they were saved for. While I was at it, I figured I’d also try to get hold of his passwd and shadow files, which would require root access. I tried to sudo using the passwords I had found, but to no avail. I put my Kali drive into his computer and rebooted into that, and from there I had no problems just copying the shadow file. As I rebooted the computer back into the state it was in when he left it, I thought I heard the door close again. There was a long stairway up to where I was, so I’d still have about 20 seconds before he’d get there, but it turned out it was nothing. I put the computer and the chair back exactly how it was when I entered the room, closed the door, locked it, and went back to where I was with his files.

At this time, I started thinking about the traces I had left. I didn’t clean his terminal command log, for example. In fact, I had no idea how do that. After some googling I came to the conclusion that I should be careful to remove my traces in his ~/bash_history file. Not that I thought he would check it, but still – we’re playing the hacker game, so I might as well go all in. I also got really stressed sitting in his locked room in front of his computer. I hadn’t anticipated that the emotions would be so strong, and it definitely affected my performance.

An hour later he came back, and by then I had already tried to log in to his e-mail account using the passwords I had found, but they didn’t work. I had also started looking at packet sniffing to see if there was a way for me to capture his password or session cookie or something. Then I talked with him a little bit, and I asked him if he usually logs out when he’s finished with his e-mail address. He replied that I obviously hadn’t been to his computer yet. Perfect. I mean, perfect that he thought I hadn’t been there yet, not that I didn’t even think about opening his e-mail in the browser when I had the chance. A few hours later we were away, and I borrowed a key that worked for the lock to his room, and I snuck up there to try going to his (probably already logged in) e-mail account in Firefox, which I had seen him using. It logged right in. This was too easy, so it couldn’t count. I sent an e-mail to his sister asking her to call him and tell him he should at least log out of his account if he wants to put up any kind of resistance. I decided that I hadn’t hacked him unless I accessed the e-mail from my own computer. So I booted his computer into Kali again, and this time I copied his ~/.mozilla cache. Awesome. I thought that then I could just hijack his session. Problem was that I didn’t know how. I put everything back the way it was, locked the door, and went back to the others. No one seemed to suspect anything yet. He told me that he would start an upgrade to Ubuntu 16.04 overnight.

Later that night I tried using John the Ripper to crack his shadow file, but I couldn’t get it working. I first tried it with no arguments, then I tried adding all the known passwords to a wordlist, then I tried running that wordlist with --rules, but it yielded no results. I had shoulder surfed a rough estimation if his password – 2 high digits, something in the q-area, and then a couple of unknown characters. His other passwords led me to believe this one could end with numbers. I was sure that John the Ripper could make some kind of more clever brute force attack using this knowledge, but I had no idea how. I also tried searching a little bit for information on how to hijack his session using what I had found, but I couldn’t find what I needed, and was already getting very tired. I had started thinking about setting up an ssh host as a backdoor to his computer so that I could access it more easily and possibly find an exploit through there. I went to his computer again, but this time I only had access to my own physical key which really didn’t fit. I had to wiggle it in and try to feel when it connected with the cylinder in the lock before I turned it with quite a bit of force to make it go all the way around, and to my surprise that opened the door too. I tried to install the ssh host, but I needed his sudo password. This was not the way to do it. I figured that since he had set his computer to update overnight, he was expecting to see some unusual dialogs when he arrived in the morning, so I thought I could use that to make him install the ssh host for me. I tried adding the installation and setup code in his ~./profile with sudo, hoping that it would ask him for his password with the regular keychain prompt every time he’d log in after that, and that when he entered the right credentials the script would install and start the ssh host for me. It was a once-in-two-years chance to give him a new computer boot habit like that. The problem was that the ~./profile is run so early on in the boot process that it can’t ask for a password yet and only showed an error instead. With some more editing of his system setup, it might have been possible to do it, but I didn’t want to change his system too much – this was just a friendly little game, and the challenge was to access his Yahoo mail after all. I ended up putting john to work with --fork set up so that it could use all my processor threads. I put my laptop up against the cold window of the winter night in order for it not to overheat while I was sleeping.

Day 1 – Researching possibilities and setting up the attack

10 hours later I woke up, just in time for lunch, after which we would start working (it was meant to be a day off, but there was some stuff we had to do). I was hoping to have cracked his password already, so that I could go and set up the ssh host on his computer, but it hadn’t gotten past 6 character passwords yet, and I believed his password to have 8-12 characters, so we’d be talking months before I would have a result, and I needed to log out of Kali and do some real work on the computer. To get some inspiration, I wrote a post on Reddit asking for help and advice, and it ended up getting a lot of appreciation and great replies that taught me a lot. That post is actually the main reason I’m writing this now.

I was suggested to add a keylogger to his computer, which I totally wanted to do. The problem was that I had no idea how. I was suggested to check out msf, which I did and I started learning about it, but it would have taken me too long to learn to be able to use it here. I used nmap to scan his computer for open ports, but had no success. I’d need to open a port on his computer, which I didn’t know how to do without sudo access. If only I could crack his sudo password.

The next suggestion was to do a Man in the middle attack or fake a website. I had tried scanning the network using subterfuge, but since I hadn’t managed to get working drivers for my WLAN yet, I used my phone to create a tethered USB connection to the network, and that made me unable to read anything else on the network, so Mitm attacks were out of the question for the moment. Creating a fake website felt like the easy way out, since I’ve done a lot of web development in my career, but it also felt a lot like working. However, it turns out that the Social Engineering Toolkit that’s shipped with Kali has a website cloning feature that makes all of it super easy. I had some problems with the Yahoo login site using so much javascript to do the login though, so I had to rework it a little bit anyway. I also had some trouble getting the PHP set up properly in the apache2 installation. Eventually it seemed like the error was in the code – using only <? when the default settings required <?php for the php tags. I’m not sure if it was only that or if it actually mattered that I installed and reinstalled a ton of different PHP packages during the process. In the end I had ended up pretty much rewriting the entire thing anyway.

I went back to the post, and someone had replied hinting me towards exactly what I was looking for! Crunch. Tried to set up all the possible combinations of the details from his personal life that I recognized in the other passwords. I combined manual work with automatic generation – I was quite sure it started with at least 2 numbers, and there were only 3 or 4 possible combinations of those, then some pseudo-random letters, and then some other stuff with high likelihood of being the same things. I ended up with a big wordlist that I ran through John the Ripper. Nothing. Back to the phishing tactics.

Instead of passing the fake website through to Yahoo and genuinely logging in, I wanted to exhaust his “possible password list”, because he had said earlier that he could log in with his password if he had a few tries. I went to the Yahoo login page, entered his e-mail address so that it was prefilled as if he had just logged out, and then I copied both the normal login page and the wrong password login page. I set up the fake website to send the form on the login page to my own post.php, which appended whatever was in the post variable to a harvester file on my computer and then redirected the user to the wrong password page. The form on the wrong password page redirected back to post.php again. This meant that I logged every single pasword attempt entered, and then showed the wrong password page that I had saved from Yahoo no matter what you wrote. It really looked perfect, and it made you try the password many times and then go through many password variations before you would give up.

The next step would be to redirect him to my fake login page. I decided that the best way to do this would be to reroute it locally through his /etc/hosts file, which would redirect his requests no matter which browser he was using, and since I had physical access to his computer, that should be a piece of cake. I also had to create an SSL certificate and make it look signed. I created a self signed certificate and then add it as an exception on his computer. I was done with the part on my computer.

The first problem with my setup became obvious almost immediately after I arrived to his computer. Since I was connecting my Kali installation to the network through my tethered phone, his computer couldn’t access the server I had set up on the computer. I crossed my fingers that someone had been crazy enough to make a USB Port forwarding app for USB tethering. I was lucky. Kind of. I installed the port forwarding app, but it wouldn’t redirect the protected ports (which port 80 just so happens to be) since it would require root access. I found another app with root access, but that didn’t work at all, and it turns out that the market for USB Port forwarding apps for USB tethering with root access is quite small, so there weren’t really any other ones to choose from. So it seems like when it comes to port forwarding on Android, you can either choose to have an app that works, or one that has root access, but not both :) The solution was instead to bite the bullet and hassle my way through getting the wifi drivers working on the Kali installation, which I eventually managed to do.

So now his computer could access mine. When they were on the same network. The wifi in the building was set up so that there was a different independent wifi network on each floor, and the computers tended to switch between the two of them. I didn’t want to pull anyone else into this hack, so I left all the routers and access points in the building alone and went with the easy solution of disconnecting his computer from one of the networks and asked it to forget the password. Should be good enough.

Time to set up the redirecting. I didn’t know how he normally logged in to his e-mail, if he went through his browsing history, some Yahoo portal site, went to Yahoo in his native language or .com or anything, so I went through his entire browsing history looking for variations on the Yahoo URL. I wrote down all the different subdomains for login and mail that he had in his history and threw in a couple of extra ones just to be safe. Then I booted his computer into my Kali thumbdrive again, went to his /etc/hosts file and redirected all the subdomains to the local IP of my computer. I then booted Ubuntu back up, and I was happy to see that the regular Yahoo page loaded normally, but when I tried to go to the e-mail site it redirected everything to my computer no matter how I tried to access it. There was a problem though, and it turned out to be a big one. It turns out that Firefox really doesn’t like self signed certificates. I tried to add my certificate as an exception, but that could only be done as a one time exception, and I had to close Firefox to leave the computer like he did himself. I tried storing a permanent exception, tried installing addons that worked around it, added myself as a certificate authority, added all the subdomains and localhost and everything else I could come up with as trusted sources. It would sometimes “accept” the SSL and go to the page, and sometimes not. And I only got the option to add the temporary exception when I was running his browser in Private Browsing. This was a gamble. I decided to go through his entire browsing history and remove every Yahoo page that had an https URL and replace it with the http version of the same one. Now when he entered yahoo or mail in the address bar, he would find the http links that would redirect to my computer for guaranteed success.

When I tried to start typing “yah” in his address bar the new history entries popped up as they should, but I had forgotten to add a favicon. This looked very suspicious, especially since he was expecting an attack, and by now he was really paying attention to every little detail that was going on on his computer. However, by this time five o’clock in the morning was approaching, and I just picked whatever mail-ish icon in a similar colour I could find, added it on my server computer, and then went home and went to bed. It really looked like shit, it wasn’t even in a square format, but I hoped it would be good enough. If he wouldn’t fall for it I had still removed his access to Yahoo mail by redirecting all his requests to my computer, so I could also use that to blackmail him for his password. I guess that gave me a fairly strong chance to win this, just in a more or less elegant way.

Day 2 – The big day

The next day I had to arrive earlier than him to boot up the web server. I failed. I arrived 30 minutes after he did, and he was booting up his computer just as I arrived. I set mine to boot up too and started distracting him with random questions to buy it some time, while I crossed my fingers that my computer was going to receive the same local IP address from the DHCP as it had a couple of hours earlier. As he went to his computer and opened Firefox, he found that the history sidebar was left open. I had forgotten to close it in my sleep deprived state when I finished so late that morning. That made him very suspicious. Sloppy me – you can’t afford to miss a single detail in the hacker games.

A few minutes passed. Then I heard him scream “I’ve been hacked!”. I went to see what was wrong. Together we looked at my fake login page, and I had to do everything in my power to hide my happiness as he tried to enter his password a few times. He still wasn’t sure he had really been hacked, because it just said that he had entered the wrong password, so I had to make it seem like I didn’t know anything about it. He asked me questions about it, and I tried to explain to him how something like that could happen while leaving out important details so that I wouldn’t lie (he is my friend after all), while at the same time trying to make him try as many other possible passwords as I could. After a while he tried closing the browser and going to the page again, and he received the semi-unpassable self signed certificate warning that pretty much in plain text said I’m trying to hack him. He told me “This one! I got this before too, but then it seemed to work. Do you know anything about this”? Dodged one bullet, but what do I answer? “Uhh… I guess they forgot to renew their certificate? I remember when Microsoft forgot to renew their passport.com domain! What a mess that was. Give it to the end of the day and see if they can fix it”. He was not happy about it, but he accepted my argument for the time being, and I had bought myself some time to remove the redirects and get it working again.

I had my computer set to tail -f the harvest file | grep passwd, mostly because it looked cool as he was trying out stuff. Line after line popped up with his passwords and different variations of them. I was hoping one of these passwords would also be his root password. I rehearsed entering his presumed sudo password as quickly as I could, and as soon as he left his computer to go the kitchen, I went to his computer to sudo nano (no favourite text editor installed) his /etc/hosts to change it back. Password didn’t work. exit. Close the lid. Leave. Total time: 45 seconds. Meet him in the corridor on my way from his room, and he suspiciously asks me what I have been up to, and I said I went to the bathroom, which conveniently was placed right next to his room.

The reveal

For the reveal, I wanted to make him really feel how much power you can get from hacking someone like that, but of course I didn’t want to do any actual harm to him. I opened a cascade of windows on my computer, including the terminal that had the tail command running and showing his password entries, the file where I had written down his Firefox passwords and where they lead to, and I opened a browser window for each site where I could log into his account and then went to somewhere on the site where you could see his name and that he was logged in. I even tried some different passwords for his Facebook account, which then automatically sent him an e-mail that could be used to reset his password, so I opened that e-mail in a window as well, although I didn’t use it. As the backdrop behind all this I had the yahoo mail open. My screen was a buffet of his passwords and logged in accounts. I then proceeded to change his yahoo password and waited for him to notice. It didn’t take long.

The lesson

We sat down together, and I explained everything I had done and how, and I proposed ways for him to prevent it in the future. He changed his passwords, and I removed all the sensitive information I had gathered. The look on his face as I unlocked his door with my own key and booted his computer into Kali Linux was priceless, and really gave us both some perspective on how fucked you are if someone gets a hold of your computer physically. On a personal level, I learned that his password actually did refer to his personal life, but something that I had assumed I already knew but was wrong about. In other words, never assume that you know everything you need to know.

Epilogue

I then suddenly realized that I could just replace my entire Firefox cache folder with his. I tried it by renaming ~/.mozilla/firefox/[my profile folder] to something else, and then pasting his and renaming it to the name my profile folder had had. I opened Firefox and there it was. His entire browsing history, untouched from before I had fiddled with it, autologin to most of his websites and everything. Wow. I then made a script on my USB key that copies the mozilla and chrome cache to it, just to be able to do an instant hack like that :) I’ll only use it if someone asks me to try to hack them though.