The hacking challenge

On every tour we watch a series, and this time it was Mr. Robot. It got me very inspired to try out some (white hat) hacking, so I made a Kali Linux thumbdrive and started learning about the tools. My friend and coworker asked me to hack him, and we decided that I should access his Yahoo account. Here’s what happened:

Day 0 – Physical access, stealing passwords, cracking encryption

I planned to start by just walking up to his computer when he wasn’t there to see if I could access his Firefox and Chrome saved passwords, which are saved in plain text and accessible from within the browser with no type of authorization needed. I rehearsed revealing the passwords as quickly as I could on my own computer until I felt confident I could do it in a few seconds or so once the time had come. About 2 hours later he left to go grocery shopping, and as soon as I heard the door close I excitedly half-jogged to his room where I knew he had left his computer. He had locked the door. Bastard. I then recalled that we had looked at the keys to our rooms a day or so earlier, and concluded that they looked so simple that they couldn’t have been very safe. I had a fairly clear memory of the shape his key had, so I tried to find something like it by looking at the keys to the other doors and found one that seemed similar enough. I put it in, turned it, and *click*. Wow, I was not expecting it to be that easy. It had only been about two minutes since he left, and I had already opened his computer, which turned out not to have any password protection. He was running Ubuntu 14.04. I opened Firefox and Chrome simultaneously and did what I had practiced. I found that he only had a few saved passwords, most of them for temporary things that were generated for him, but some of them included patterns from his personal life. I wrote all of them down together with their usernames and which sites they were saved for. While I was at it, I figured I’d also try to get hold of his passwd and shadow files, which would require root access. I tried to sudo using the passwords I had found, but to no avail. I put my Kali drive into his computer and rebooted into that, and from there I had no problems just copying the shadow file. As I rebooted the computer back into the state it was in when he left it, I thought I heard the door close again. There was a long stairway up to where I was, so I’d still have about 20 seconds before he’d get there, but it turned out it was nothing. I put the computer and the chair back exactly how it was when I entered the room, closed the door, locked it, and went back to where I was with his files.

At this time, I started thinking about the traces I had left. I didn’t clean his terminal command log, for example. In fact, I had no idea how to do that. After some googling I came to the conclusion that I should be careful to remove my traces in his ~/.bash_history file. Not that I thought he would check it, but still – we’re playing the hacker game, so I might as well go all in. I also got really stressed sitting in his locked room in front of his computer. I hadn’t anticipated that the emotions would be so strong, and it definitely affected my performance.

An hour later he came back, and by then I had already tried to log in to his e-mail account using the passwords I had found, but they didn’t work. I had also started looking at packet sniffing to see if there was a way for me to capture his password or session cookie or something. Then I talked with him a little bit, and I asked him if he usually logs out when he’s finished with his e-mail address. He replied that I obviously hadn’t been to his computer yet. Perfect. I mean, perfect that he thought I hadn’t been there yet, not that I didn’t even think about opening his e-mail in the browser when I had the chance. A few hours later we were away, and I borrowed a key that worked for the lock to his room, and I snuck up there to try going to his (probably already logged in) e-mail account in Firefox, which I had seen him using. It logged right in. This was too easy, so it couldn’t count. I sent an e-mail to his sister asking her to call him and tell him he should at least log out of his account if he wants to put up any kind of resistance. I decided that I hadn’t hacked him unless I accessed the e-mail from my own computer. So I booted his computer into Kali again, and this time I copied his ~/.mozilla cache. Awesome. I thought that then I could just hijack his session. Problem was that I didn’t know how. I put everything back the way it was, locked the door, and went back to the others. No one seemed to suspect anything yet. He told me that he would start an upgrade to Ubuntu 16.04 overnight.

Later that night I tried using John the Ripper to crack his shadow file, but I couldn’t get it working. I first tried it with no arguments, then I tried adding all the known passwords to a wordlist, then I tried running that wordlist with --rules, but it yielded no results. I had shoulder surfed a rough estimation of his password – 2 high digits, something in the q-area, and then a couple of unknown characters. His other passwords led me to believe this one could end with numbers. I was sure that John the Ripper could make some kind of more clever brute force attack using this knowledge, but I had no idea how. I also tried searching a little bit for information on how to hijack his session using what I had found, but I couldn’t find what I needed, and was already getting very tired. I had started thinking about setting up an ssh host as a backdoor to his computer so that I could access it more easily and possibly find an exploit through there. I went to his computer again, but this time I only had access to my own physical key which really didn’t fit. I had to wiggle it in and try to feel when it connected with the cylinder in the lock before I turned it with quite a bit of force to make it go all the way around, and to my surprise that opened the door too. I tried to install the ssh host, but I needed his sudo password. This was not the way to do it. I figured that since he had set his computer to update overnight, he was expecting to see some unusual dialogs when he arrived in the morning, so I thought I could use that to make him install the ssh host for me. I tried adding the installation and setup code in his ~/.profile with sudo, hoping that it would ask him for his password with the regular keychain prompt every time he’d log in after that, and that when he entered the right credentials the script would install and start the ssh host for me. It was a once-in-two-years chance to give him a new computer boot habit like that. The problem was that ~/.profile is run so early on in the boot process that it can’t ask for a password yet and only showed an error instead. With some more editing of his system setup, it might have been possible to do it, but I didn’t want to change his system too much – this was just a friendly little game, and the challenge was to access his Yahoo mail after all. I ended up putting john to work with --fork set up so that it could use all my processor threads. I put my laptop up against the cold window of the winter night in order for it not to overheat while I was sleeping.

Day 1 – Researching possibilities and setting up the attack

10 hours later I woke up, just in time for lunch, after which we would start working (it was meant to be a day off, but there was some stuff we had to do). I was hoping to have cracked his password already, so that I could go and set up the ssh host on his computer, but it hadn’t gotten past 6-character passwords yet, and I believed his password to have 8-12 characters, so we’d be talking months before I would have a result, and I needed to log out of Kali and do some real work on the computer. To get some inspiration, I wrote a post on Reddit asking for help and advice, and it ended up getting a lot of appreciation and great replies that taught me a lot. That post is actually the main reason I’m writing this now.

It was suggested that I add a keylogger to his computer, which I totally wanted to do. The problem was that I had no idea how. It was also suggested that I check out msf, which I did, and I started learning about it, but it would have taken me too long to learn to be able to use it here. I used nmap to scan his computer for open ports, but had no success. I’d need to open a port on his computer, which I didn’t know how to do without sudo access. If only I could crack his sudo password.

The next suggestion was to do a Man in the Middle attack or fake a website. I had tried scanning the network using subterfuge, but since I hadn’t managed to get working drivers for my WLAN yet, I used my phone to create a tethered USB connection to the network, and that made me unable to read anything else on the network, so MITM attacks were out of the question for the moment. Creating a fake website felt like the easy way out, since I’ve done a lot of web development in my career, but it also felt a lot like working. However, it turns out that the Social Engineering Toolkit that’s shipped with Kali has a website cloning feature that makes all of it super easy. I had some problems with the Yahoo login site using so much JavaScript to do the login though, so I had to rework it a little bit anyway. I also had some trouble getting the PHP set up properly in the apache2 installation. Eventually it seemed like the error was in the code – using only <? when the default settings required <?php for the PHP tags. I’m not sure if it was only that or if it actually mattered that I installed and reinstalled a ton of different PHP packages during the process. In the end I had ended up pretty much rewriting the entire thing anyway.

I went back to the post, and someone had replied hinting at exactly what I was looking for! Crunch. I tried to set up all the possible combinations of the details from his personal life that I recognized in the other passwords. I combined manual work with automatic generation – I was quite sure it started with at least 2 numbers, and there were only 3 or 4 possible combinations of those, then some pseudo-random letters, and then some other stuff with a high likelihood of being the same things. I ended up with a big wordlist that I ran through John the Ripper. Nothing. Back to the phishing tactics.

Instead of passing the fake website through to Yahoo and genuinely logging in, I wanted to exhaust his “possible password list”, because he had said earlier that he could log in with his password if he had a few tries. I went to the Yahoo login page, entered his e-mail address so that it was prefilled as if he had just logged out, and then I copied both the normal login page and the wrong password login page. I set up the fake website to send the form on the login page to my own post.php, which appended whatever was in the post variable to a harvester file on my computer and then redirected the user to the wrong password page. The form on the wrong password page redirected back to post.php again. This meant that I logged every single password attempt entered, and then showed the wrong password page that I had saved from Yahoo no matter what you wrote. It really looked perfect, and it made you try the password many times and then go through many password variations before you would give up.

The next step would be to redirect him to my fake login page. I decided that the best way to do this would be to reroute it locally through his /etc/hosts file, which would redirect his requests no matter which browser he was using, and since I had physical access to his computer, that should be a piece of cake. I also had to create an SSL certificate and make it look signed. I created a self-signed certificate and then added it as an exception on his computer. I was done with the part on my computer.

The first problem with my setup became obvious almost immediately after I arrived at his computer. Since I was connecting my Kali installation to the network through my tethered phone, his computer couldn’t access the server I had set up on the computer. I crossed my fingers that someone had been crazy enough to make a USB port forwarding app for USB tethering. I was lucky. Kind of. I installed the port forwarding app, but it wouldn’t redirect the protected ports (which port 80 just so happens to be) since it would require root access. I found another app with root access, but that didn’t work at all, and it turns out that the market for USB port forwarding apps for USB tethering with root access is quite small, so there weren’t really any other ones to choose from. So it seems like when it comes to port forwarding on Android, you can either choose to have an app that works, or one that has root access, but not both :) The solution was instead to bite the bullet and hassle my way through getting the wifi drivers working on the Kali installation, which I eventually managed to do.

So now his computer could access mine. When they were on the same network. The wifi in the building was set up so that there was a different independent wifi network on each floor, and the computers tended to switch between the two of them. I didn’t want to pull anyone else into this hack, so I left all the routers and access points in the building alone and went with the easy solution of disconnecting his computer from one of the networks and asking it to forget the password. Should be good enough.

Time to set up the redirecting. I didn’t know how he normally logged in to his e-mail, if he went through his browsing history, some Yahoo portal site, went to Yahoo in his native language or .com or anything, so I went through his entire browsing history looking for variations on the Yahoo URL. I wrote down all the different subdomains for login and mail that he had in his history and threw in a couple of extra ones just to be safe. Then I booted his computer into my Kali thumbdrive again, went to his /etc/hosts file and redirected all the subdomains to the local IP of my computer. I then booted Ubuntu back up, and I was happy to see that the regular Yahoo page loaded normally, but when I tried to go to the e-mail site it redirected everything to my computer no matter how I tried to access it. There was a problem though, and it turned out to be a big one. It turns out that Firefox really doesn’t like self-signed certificates. I tried to add my certificate as an exception, but that could only be done as a one-time exception, and I had to close Firefox to leave the computer like he did himself. I tried storing a permanent exception, tried installing addons that worked around it, added myself as a certificate authority, added all the subdomains and localhost and everything else I could come up with as trusted sources. It would sometimes “accept” the SSL and go to the page, and sometimes not. And I only got the option to add the temporary exception when I was running his browser in Private Browsing. This was a gamble. I decided to go through his entire browsing history and remove every Yahoo page that had an https URL and replace it with the http version of the same one. Now when he entered yahoo or mail in the address bar, he would find the http links that would redirect to my computer for guaranteed success.
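The redirect above works because every browser on the machine trusts /etc/hosts over DNS, so the defender’s check is to look for public hostnames pinned to loopback or LAN addresses. The following audit script is an added example written for this post, not part of the original story; the hosts content, the LAN address and the internal-suffix list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of an /etc/hosts file in which public mail and login
# hostnames have been pinned to a machine on the LAN (labelled as constructed).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   workstation
::1         ip6-localhost ip6-loopback
# the following lines are constructed for this example
192.168.1.23  mail.yahoo.com login.yahoo.com
192.168.1.23  edit.yahoo.com
10.0.0.5      intranet.example.local
"""

# Hostnames that legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "localhost.localdomain"}

# Suffixes treated as internal naming (an assumption; adjust for your network).
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".home")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def looks_public(hostname):
    """True if the name looks like a public domain rather than a local alias."""
    if hostname in LOCAL_NAMES or "." not in hostname:
        return False
    return not hostname.endswith(INTERNAL_SUFFIXES)


def find_pinned_public_hosts(text):
    """Return (hostname, ip) for public-looking hostnames mapped to non-global IPs.

    A public domain resolved to loopback, RFC 1918 or link-local space in the
    hosts file means every browser on the machine is being steered there,
    regardless of what DNS says.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if looks_public(name) and not addr.is_global:
            findings.append((name, ip))
    return findings


if __name__ == "__main__":
    # Swap SAMPLE_HOSTS for open("/etc/hosts").read() to audit a real machine.
    for name, ip in find_pinned_public_hosts(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```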

When I tried to start typing “yah” in his address bar the new history entries popped up as they should, but I had forgotten to add a favicon. This looked very suspicious, especially since he was expecting an attack, and by now he was really paying attention to every little detail that was going on on his computer. However, by this time five o’clock in the morning was approaching, and I just picked whatever mail-ish icon in a similar colour I could find, added it on my server computer, and then went home and went to bed. It really looked like shit, it wasn’t even in a square format, but I hoped it would be good enough. If he wouldn’t fall for it I had still removed his access to Yahoo mail by redirecting all his requests to my computer, so I could also use that to blackmail him for his password. I guess that gave me a fairly strong chance to win this, just in a more or less elegant way.

Day 2 – The big day

The next day I had to arrive earlier than him to boot up the web server. I failed. I arrived 30 minutes after he did, and he was booting up his computer just as I arrived. I set mine to boot up too and started distracting him with random questions to buy it some time, while I crossed my fingers that my computer was going to receive the same local IP address from the DHCP as it had a couple of hours earlier. As he went to his computer and opened Firefox, he found that the history sidebar was left open. I had forgotten to close it in my sleep deprived state when I finished so late that morning. That made him very suspicious. Sloppy me – you can’t afford to miss a single detail in the hacker games.

A few minutes passed. Then I heard him scream “I’ve been hacked!”. I went to see what was wrong. Together we looked at my fake login page, and I had to do everything in my power to hide my happiness as he tried to enter his password a few times. He still wasn’t sure he had really been hacked, because it just said that he had entered the wrong password, so I had to make it seem like I didn’t know anything about it. He asked me questions about it, and I tried to explain to him how something like that could happen while leaving out important details so that I wouldn’t lie (he is my friend after all), while at the same time trying to make him try as many other possible passwords as I could. After a while he tried closing the browser and going to the page again, and he received the semi-unpassable self-signed certificate warning that pretty much in plain text said I’m trying to hack him. He told me “This one! I got this before too, but then it seemed to work. Do you know anything about this?” Dodged one bullet, but what do I answer? “Uhh… I guess they forgot to renew their certificate? I remember when Microsoft forgot to renew their passport.com domain! What a mess that was. Give it to the end of the day and see if they can fix it”. He was not happy about it, but he accepted my argument for the time being, and I had bought myself some time to remove the redirects and get it working again.

I had my computer set to tail -f the harvest file | grep passwd, mostly because it looked cool as he was trying out stuff. Line after line popped up with his passwords and different variations of them. I was hoping one of these passwords would also be his root password. I rehearsed entering his presumed sudo password as quickly as I could, and as soon as he left his computer to go to the kitchen, I went to his computer to sudo nano (no favourite text editor installed) his /etc/hosts to change it back. Password didn’t work. exit. Close the lid. Leave. Total time: 45 seconds. Meet him in the corridor on my way from his room, and he suspiciously asks me what I have been up to, and I said I went to the bathroom, which conveniently was placed right next to his room.

The reveal

For the reveal, I wanted to make him really feel how much power you can get from hacking someone like that, but of course I didn’t want to do any actual harm to him. I opened a cascade of windows on my computer, including the terminal that had the tail command running and showing his password entries, the file where I had written down his Firefox passwords and where they led to, and I opened a browser window for each site where I could log into his account and then went to somewhere on the site where you could see his name and that he was logged in. I even tried some different passwords for his Facebook account, which then automatically sent him an e-mail that could be used to reset his password, so I opened that e-mail in a window as well, although I didn’t use it. As the backdrop behind all this I had the Yahoo mail open. My screen was a buffet of his passwords and logged in accounts. I then proceeded to change his Yahoo password and waited for him to notice. It didn’t take long.

The lesson

We sat down together, and I explained everything I had done and how, and I proposed ways for him to prevent it in the future. He changed his passwords, and I removed all the sensitive information I had gathered. The look on his face as I unlocked his door with my own key and booted his computer into Kali Linux was priceless, and really gave us both some perspective on how fucked you are if someone gets a hold of your computer physically. On a personal level, I learned that his password actually did refer to his personal life, but something that I had assumed I already knew but was wrong about. In other words, never assume that you know everything you need to know.

Epilogue

I then suddenly realized that I could just replace my entire Firefox cache folder with his. I tried it by renaming ~/.mozilla/firefox/[my profile folder] to something else, and then pasting his and renaming it to the name my profile folder had had. I opened Firefox and there it was. His entire browsing history, untouched from before I had fiddled with it, autologin to most of his websites and everything. Wow. I then made a script on my USB key that copies the mozilla and chrome cache to it, just to be able to do an instant hack like that :) I’ll only use it if someone asks me to try to hack them though.

The inherent problem of TwoDots and other puzzle games relying on random elements

Disclaimer: What I’m about to discuss is not specific to TwoDots – the same principles apply to games like Candy Crush Saga, although I haven’t played that as much, so I’ll use TwoDots as my example here.

Having played through the original 135 levels of TwoDots (for Android), I’ve had a growing feeling that whether I win or not is less about my skill and more about my luck. I’ve come to the conclusion that the reason I have this feeling is because it’s true. Let me explain why.

The principle of the game is that dots of different colors fall into the playing field from above, and your job is to connect dots of the same color to make them disappear. When you make dots disappear new ones fall in from the top, and you get points. If you manage to connect dots in a square, all dots of that color will disappear (and no dots of that color will fall in that time). Which colors the new dots have is random. The rest of the specifics are irrelevant for this post.

On a big playing field, the randomness of the dots adds to the experience, because it lets you stay creative and find new ways to connect them. The odds of there being no good moves available are small. Normally different parts of the playing field will stagnate as you exhaust the possible good moves there, so you move along to other parts where there are more good moves to be made. As you’re working on the other parts of the playing field that will slowly affect the old parts and eventually there will be good moves available there again as well. The game plays back and forth like this, and it’s fun and satisfying.

My issue with luck comes when the levels are meant to become harder. There are two main concepts being used that I will call focus points and smaller space. The latter is when, for example, you used to have a playing field of 5×5 dots and now have a playing field of 4×4 dots. To explain my idea of why this becomes a problem, let’s shrink it even further, to a 2×1 playing field. Whether or not there will be a possible move is completely up to the randomness of the colors of the dots that fall in, and there’s nothing you can do to affect the outcome of the game. If we instead imagine a 100×100 dots playing field, there will probably be multiple good moves to be made at any given time, and the challenge changes from “can you do it?” to “how well can you do it?”. The smaller the space gets, the more the outcome will be affected by chance.

The second concept, focus points, is where things like ice blocks and fire are added to the game. Ice blocks are placed in certain places of the playing field and they don’t affect the dots. Once you’ve connected dots inside an ice block three times, the ice block will break. The levels require you to break all ice blocks to complete the level. This is essentially a variation of smaller space, but it’s possible to reach the ice block from farther away by connecting dots of the correct color in a square somewhere else, so there can still be a significant difference between a skilled and an unskilled player.

On a big enough playing field, focus points add to the experience, but combined with smaller space it again just lowers the chances of you getting the color dots you need to work with. Fire makes it worse, because it consumes one dot that’s next to it every turn, turning that dot into a fireball that you cannot touch. To remove the fire you need to connect dots that are next to it. I understand the wish to add another level of challenge to the game, but the problem is that when the levels are already small, whether or not you will have two dots of the same color adjacent to both each other and the fire gets less and less controllable by the player. What happens is that, in a way, the strong focus point the fire creates confines the playable area to a much smaller space. If there is a lot of extra room to take dots from it might be manageable, but when there’s not you’ve pretty much shrunk the playable area to something along the lines of my earlier extreme example of a small playable area. If you can’t pull off your move in that area, you’ll have an even smaller space to work with the following turn. Whether or not you will complete the level eventually becomes so much affected by chance that you as a player can start to feel like the third wheel.
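To put a number on the 2×1 versus 100×100 argument above, here is an added simulation (mine, not from the original post) that measures how often a freshly filled field offers no move at all. It assumes the simplest rule, that a move needs only two orthogonally adjacent dots of the same color, and treats the number of colors as a parameter rather than the game’s real value.

```python
import itertools
import random


def adjacent_pairs(rows, cols):
    """All orthogonally adjacent cell pairs on a rows x cols field."""
    pairs = []
    for r in range(rows):
        for c in range(cols):
            if c + 1 < cols:
                pairs.append(((r, c), (r, c + 1)))
            if r + 1 < rows:
                pairs.append(((r, c), (r + 1, c)))
    return pairs


def has_move(board, pairs):
    """A move exists when two adjacent dots share a color (simplified rule)."""
    return any(board[a] == board[b] for a, b in pairs)


def exact_no_move_probability(rows, cols, colors):
    """Enumerate every coloring of the field; only feasible for tiny fields."""
    cells = [(r, c) for r in range(rows) for c in range(cols)]
    pairs = adjacent_pairs(rows, cols)
    stuck = total = 0
    for coloring in itertools.product(range(colors), repeat=len(cells)):
        board = dict(zip(cells, coloring))
        total += 1
        if not has_move(board, pairs):
            stuck += 1
    return stuck / total


def simulated_no_move_probability(rows, cols, colors, trials=20000, seed=1):
    """Monte Carlo estimate for fields too large to enumerate."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    cells = [(r, c) for r in range(rows) for c in range(cols)]
    pairs = adjacent_pairs(rows, cols)
    stuck = 0
    for _ in range(trials):
        board = {cell: rng.randrange(colors) for cell in cells}
        if not has_move(board, pairs):
            stuck += 1
    return stuck / trials


if __name__ == "__main__":
    colors = 5  # assumed palette size for the demonstration
    for rows, cols in [(1, 2), (2, 2), (3, 3)]:
        print(f"{rows}x{cols}: exact P(no move) = {exact_no_move_probability(rows, cols, colors):.4f}")
    for rows, cols in [(4, 4), (5, 5), (10, 10)]:
        print(f"{rows}x{cols}: simulated P(no move) = {simulated_no_move_probability(rows, cols, colors):.4f}")
```

With 5 colors the 2×1 field is stuck 80% of the time and 2×2 about 42%, while a 10×10 field is essentially never stuck, which is the shrinking-space effect the post describes.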

What I’m trying to say is that in a game where a main mechanic is random, the way to increase the difficulty is not to give the player fewer options. That will only make the player’s skill less relevant. Instead, what I’d like to propose is the opposite. Adding an element that can be used in many different ways and instead requiring the player to achieve more using it creates a much more interesting challenge. One thing TwoDots have done in their new level pack (which I’ve only gotten a few levels into) is add a blank dot that will turn into a dot with the color of whatever dot you connect it to. That creates a strategic element of choosing when to use blank dots and when to save them for later, which makes player strategy more important even when there are many good moves to be made. A change for the earlier levels could be to just give the player more space, but also more ice blocks to destroy.

To sum things up, when the player needs to rely on random elements to succeed, it’s best to add as many opportunities as possible to allow the player to circumvent bad luck. To increase the difficulty of the game, it’s better to add more opportunities and require more to be achieved than to try to force the player to make good moves in circumstances where the possibilities of doing so are randomized.

Something I haven’t touched upon is the reverse of this, where good luck just wins you the level, which I might discuss in a later post. Oh, and 8 paragraphs later I should add that TwoDots is a fun game and you should go play it! Thanks for taking your time to read this.

It’s about what she says

As I got sucked in by Quora again the other night, I came across a post about someone not knowing how to handle their new love’s improper English. I could relate to it, so I figured I’d write something about my experiences with language and my girlfriend. Here’s what I ended up replying:

I come from a very literate (in my native tongue) family, and I understand my language very well. Me and my family always joke and make fun of each other when someone says something wrong, because we think the involuntary picture that the words paint is funny. My girlfriend since six years back has a very different approach to language. Subtle differences in grammar aren’t something she picks up on in the same way – I’m sure she could if she practiced it, but for her language is all about getting a message across, and I as a listener am supposed to help out.

For the first few years of our relationship, she always used to tell me to “just listen to what she says, not how she says it”. It was hard for me to do it at first, because I think there is a lot of function in the nuances of language, so when she says something using incorrect grammar, she’s saying something other than what she intends to. As I’ve been trying hard to do it more and more though, it has helped me in many parts of my life. Not judging people by how they speak is helping me see beauty and intelligence in the minds of people I might otherwise not have. A lot of people lack either will or education to speak properly. That doesn’t mean they lack intelligence, insight or wisdom. They’re just not caught up by the same things that you are.

Early on I had to focus very hard on not reacting when things went wrong linguistically. The practice, however, is not about not noticing, it’s about not reacting, and that’s all a matter of habits. By retraining myself, I haven’t unlearned my language at all, I’ve only expanded it. I still notice every little grammatical error my girlfriend makes, but it doesn’t upset or trigger me anymore unless I want it to. I’ve learned to choose what to prioritize when listening, and I think my language has improved because of it. Being able to relax as someone rips my beloved grammar apart is empowering, because I get to see the person behind the words. There is so much wisdom in the least expected of places. My suggestion is to practice that skill. It will never cease to be useful – no one dislikes when you listen to what they say rather than how they say it.

Now I’d like to add to this that this last paragraph makes it sound like my girlfriend can’t speak properly whatsoever, but that’s absolutely not the case. The part about ripping my beloved grammar apart isn’t aimed at her specifically. Either way, I’m very happy to have acquired this skill. It really does add value to my life.

A little explanation

Despite not being the blogging type of person (or so I think), here I am starting a blog. I’m doing this because I’ve heard from programmers that I look up to that it’s a good way to gather your thoughts. As such, my plan for this is to write for myself only, and publish it here as an index of my recent thoughts, memories and ideas. I figured I’d be better off doing it in English, since so far I’ve been working enough internationally for me to justify it to myself. Also, if I actually do end up writing something that would be useful not only to myself, it’ll be accessible to more people.

What not to expect:

  • Frequent updates
  • Only important, thought-through things
  • No important, thought through things

I will not give myself a schedule of any kind, but rather will I write things when I have something to write. If I have something to write. I might force myself to try it out in the beginning – I suspect if I just give it a shot I will have more to say than I thought I did. In fact, now that I think about it, this might end up being a blog about starting a blog. I wonder how many blogs like that exist. Did I mention I side track a lot? Either way, here we go!

Oh, and comments are allowed in any language. I’ll ask if I don’t understand.