Basically, if you got into cybersecurity after the year 2003 your perception of hacking is far different from that of those who were there in the beginning. Let's call the beginning the initial revolution of hackers staking their claim, which began around 1995. Yes, there were many hackers before then, but they were few and far between. From 1995 to around 2003 virtually every public-facing unix/linux server was compromised. Cyber security was a joke, and the cyber professionals at the time really just did not stand a chance. When I say unix/linux, I mean it all: for instance, one of the groups I was "associated with", we'll say, had by the year 2001 rooted 430 SCO servers, 900+ HP-UX, 100+ AIX, 550 DG-UX, 87 Ultrix, 7,000+ IRIX, 8,500+ FreeBSD, BSDi, NetBSD and OpenBSD, 47,000 Solaris/Sun servers and over 65,000 Linux machines including all flavors (Red Hat, Slackware, Debian, Caldera OpenLinux, Trinux, Mandrake, TurboLinux, SUSE, PuppyLinux and a myriad of other stragglers). Basically, on 100,000+ rooted machines, sniffers were running on about a third, which resulted in every major Cisco core infrastructure router subsequently being compromised.
Literally, the internet was in the hands of this team of hackers. I once witnessed the entire country of Romania get dropped from the internet with an attack from only about 100 enterprise servers, over a Romanian hacker taking over one of the group's IRC channels that was not heavily protected. Yeah, IRC was a big deal and it was the battleground for most of these groups. Channels like #shells/#shellz on IRC EFnet were among the main battleground sites. Whichever group could maintain control over those channels controlled the shell trade. During the late 90's there were four main groups that were constantly at war: TNT, Core, Phorce and NoName. TNT would later join Phorce, becoming tnt/phorce, as they were not strong enough independently to maintain power and control. These groups also controlled the flow of 0day exploits, scanners, backdoors and REAL, ACTUAL rootkits (not this Microsoft brand of "rootkits"). Rootkits were always deployed on *nix machines, as there is not even a root user built into a Windows account, so how the term ever became synonymous with Windows malware is beyond me. It goes to show that the white hat script kiddie ./hax0rs and pen testers have been and will continue to be a joke.
The motivations of these early hackers and packet kiddies were power, respect and knowledge. People often say that it takes a genius to break into NASA or the NSA; my team would hack hundreds of their servers by mistake just owning everything on a /8, not even trying to mess with Government/Military assets. They were never rolled into botnets or rootkitted; instead their fate was that of the ever so famous rm /fr*. Occasionally someone trying to make a name for themselves would slap a psyBNC on one of them and show off on IRC. Many of these kiddies would be the ones who would end up in jail or raided because they couldn't keep their mouths shut and their egos always got the best of them. There were a few small groups that loaded up on *.gov, *.mil and *.nato infrastructure; from 1995 to 2003 they had infiltrated every accessible node within those organizations undetected. The aggregated data they collected over the years will most likely never be known, but NATO was for certain completely compromised during this time period, as well as *nas.nasa.gov and the hundreds of *.navy.mil servers running SCO for God knows what reason. I made sure never to be a part of any group that harvested Government servers and traffic.
Hacking Windows computers would get you laughed at in the hacker community. In the 90's Back Orifice, NetBus and Sub7 were very popular and would allow you to have some fun with the victim who had it installed on their PC. Besides the fact that you could open somebody's CD-ROM drive 5,000 miles away, redirect them to inappropriate websites, steal all their passwords and keylog their actions, there was one thing of value on these infected hosts to a hacker: ISP information.
So, how do you root over 100,000 servers around the world without getting caught? Using a scanning tool called synscan that was never released to the public, even to this day, and which puts nmap to shame (there are knock-offs online; the genuine product lies with only a few individuals). AOL, Erols/RCN, Bell Atlantic and Juno IP space was scanned on ports 31337, 12345 and 27374, and 30 minutes later you had 200 different ISP accounts to hack from. The next step was always locating a target to borrow their phone line, tapping into it with an RJ-14 and a tap when they weren't home to accidentally pick up the phone, hear that ever so glorious dial-up communication and kill the login. Towards the end of my illustrious hacking career WiFi was on the market, and a simple drive down the road with Net Stumbler would reveal all the access points I could ever dream of, all without any type of encryption. We would then usually set up a wireless antenna to extend the signal down the street to a rogue access point we configured. To be even more ridiculously careful we'd change our MAC addresses to a NIC made in China. The risk was always still there: not a digital footprint, but physically being seen and the cops sneaking up on us.
Once online from a safe distance it was time to play; we needed to access our SPARC super computers to kick off scans and review completed ones. Having an IP touch one of the most powerful super computers in the world that was local to me wasn't gonna float, even though it couldn't be directly traced to me at this point. We would use SOCKS proxies that we gathered to initiate a telnet connection to a primary Wingate server that was hosted on the fastest link in the world at the time, hut.fi and tut.fi, and we would bounce from one gate to another, making our source so convoluted that no book-educated white hat would ever be able to sort through it. Basically it would look like this:
telnet gateserver.nottellinghostname.com 1080
lightning@server [~]# id
uid=0(root) gid=0(root) groups=0(root)
From this server all of our tools, scanners and scripts were available. Notice that I landed a rootshell upon connecting; that is because for any server that ran telnet or ftp I made a specially crafted backdoor that would Trojan /bin/login and /bin/ftp to spawn a rootshell if the right TERM field was passed to it. With an actual rootkit installed on the super computer I was virtually invisible, even if the admin was logged in looking around. A rootkit, a real one that is, will Trojan ps, finger, who, netstat, top, lsof, etc. and keep my IP out of the logs such as /var/log/messages, wtmp, etc. At this point, if I want to run synscan undetected I simply type ps hide synscan and I am free to run it as I please, as it will not show up in top, lsof, etc.
We had three 0day wu-ftpd exploits, a proFTPD 0day exploit, wow.c (cmsd – Solaris), bunked.c (rpc.sadmind exploit), 0day telnetd exploits for Linux, Irix and BSD, and 0day SSHD exploits for almost every version at the time. From this cluster of super computers every single IP address in the world could be scanned in 24 hours with a banner grabber writing to a log file. The world was ours for the taking, with no mitigation procedures in place for any victims as they were not even aware of the vulnerabilities yet. We had root on the three hops on the way to the super computer, so there was no issue with being logged. We developed an autorooter that would bind to synscan and automatically exploit vulnerable servers and save them in a text file. Within two days that text file held over 100,000 compromised, backdoored and rootkited servers that only we knew how to access. Since DDoS was a big thing back then amongst peers, and who had internet power, we would push out mstream and milk.c (0day UDP flooder), and there was not a server in the world that could withstand the bandwidth that could be produced. A system admin who operated infrastructure at a core uplink for one of the main hubs of the internet was so arrogant he offered a $10,000 reward if someone could knock the server offline for even 5 minutes; a few clicks of the mouse and a line of typing, and a fraction of the internet went dark until we turned the lights back on. If you were to adjust for inflation of bandwidth, the DDoS was equivalent to a 13 terabyte/second attack. Google can load balance and traffic shape all day; it would have been toast.
So, one of the key changes between now and the past is that everything is firewalled, and typically with several firewalls. The remote exploits would still work, but they were crafted with shellcode that would bind a shell to a port. Short of hacking every firewall in line and making ACL changes, bindshells have become obsolete. They have been replaced with reverse shells, which are the opposite principle: instead of me telneting into your server on port 9999, which is firewalled, the server inside the perimeter initiates a connection to a hostile server that is waiting to catch the shell, typically with netcat using -v -l 9999 etc.
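The distinguishing trait of the reverse shell described above is a shell process whose stdin/stdout/stderr are a network socket, and of a bindshell a listener owned by a shell or netcat. This added example (not from the original post) checks socket listings in the shape of `ss -tnp` for both; the sample lines are constructed.

```python
"""Detect reverse shells and bind listeners from `ss -tnp`-style output.
Added example, not from the original post; SAMPLE_SS is constructed."""
import re

# Constructed sample in the column layout of `ss -tnp` (not a real capture).
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51820 users:(("sshd",pid=811,fd=4))
ESTAB 0 0 10.0.0.5:49152 203.0.113.9:9999 users:(("bash",pid=4242,fd=0),("bash",pid=4242,fd=1),("bash",pid=4242,fd=2))
ESTAB 0 0 10.0.0.5:38844 198.51.100.7:443 users:(("curl",pid=5150,fd=5))
LISTEN 0 128 0.0.0.0:9999 0.0.0.0:* users:(("nc",pid=6001,fd=3))
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
SOCKET_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+users:\((?P<users>.*)\)\s*$")
USER_RE = re.compile(r'\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')


def parse_ss(text):
    """Yield (state, local, peer, comm, pid, fd) for each process entry on each socket line."""
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue
        for u in USER_RE.finditer(m.group("users")):
            yield (m.group("state"), m.group("local"), m.group("peer"),
                   u.group("comm"), int(u.group("pid")), int(u.group("fd")))


def find_reverse_shells(text):
    """Return {pid: (comm, peer, sorted fds)} for shells holding an established
    socket on fd 0, 1 or 2, i.e. a shell whose terminal is the network."""
    hits = {}
    for state, _local, peer, comm, pid, fd in parse_ss(text):
        if state == "ESTAB" and comm in SHELLS and fd <= 2:
            _c, _p, fds = hits.setdefault(pid, (comm, peer, set()))
            fds.add(fd)
    return {pid: (c, p, sorted(fds)) for pid, (c, p, fds) in hits.items()}


def find_bind_listeners(text):
    """Return (comm, pid, local) for listening sockets owned by netcat or a shell,
    the classic bindshell shape the post says firewalls made obsolete."""
    return [(comm, pid, local) for state, local, _peer, comm, pid, _fd in parse_ss(text)
            if state == "LISTEN" and comm in SHELLS | {"nc", "ncat", "netcat"}]


if __name__ == "__main__":
    print(find_reverse_shells(SAMPLE_SS))
    print(find_bind_listeners(SAMPLE_SS))
```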
In the 90's everything was clear text for the most part; telnet and ftp were considered the norm. One huge issue with running telnet with default settings is that the file issue.net will display the operating system, version and kernel version from a simple banner grab. Rootshells were handed out on a platter and everyone had them. 0days are only 0day for a matter of hours or days now in most cases, as vendors are being notified before PoC is released. In the old days rootshell.com, hack.co.za or packetstorm would have the PoC without consideration for the vendor to patch it. There was no awareness made like there is today; we had 0day exploits for several years before anyone caught on, hence the uncountable number of rootshells a group I knew possessed :) I will not be self-incriminating here!
Some of the most common exploit vectors were ftpd (especially wu-ftpd and proftpd), telnet (every *nix operating system had a vuln at some time), imap, pop3, bind/named (dns), and one of the most dangerous ever written was one for rpc.portmapper (one of the leetest ever written – it was never released – an upgrade fixed the vulnerability by accident after two years of owning any linux system in the world).
One more thing, if you think you're safe: if you run sshd and it is not ACL'd you still may be owned right now and never know it. My TERM backdoor was ported to SSH, which allows a special login/password combination to drop a rootshell, and it won't be logged on the system.
So why and when did I stop being a blackhat and join the legit side of security?
At 17 I hacked the largest ISP in Canada and gave away more than 50,000 free internet accounts, and was ratted out by someone I thought was a friend but who was just trying to save himself from jail time. I was sued for an observed amount of money; eventually all charges were dropped as they could not produce any evidence I was the hacker who broke in. Around the same time, a friend of mine you may have heard of named mafiaboy decided to DDoS Amazon, CNN, Dell, E*Trade, eBay, and Yahoo! back into the stone age, costing $1.2 billion dollars of damage and landing him in jail for a rather short time; if he had done it in today's world we may never have heard from him again. He wrote a few books once he got out which include a few references to me, or at least my aliases. They are good reads into denial of service and a peek into the old days of hacking. Here are his two books for virtually nothing:
In conclusion, some big takeaways from the time period were the lack of firewalls, or at least of multiple ones; PC users had virtually no firewalls or host-based protections; and all services and daemons ran as root!
IRC Botnets : Kaiten, SDBOT
DoS (all have remained private and never released – you will only find facsimiles online): stream.c (devastating TCP attack – my favorite), milk.c (best UDP packet flooder ever), slice.c (mixture of IGMP/ICMP flooding)
DoS that was released but very effective: winnuke.exe, teardrop.c, newtear.c, pingflood of death
DDoS: Stacheldraht, Trinoo, Tribal Flood Network (TFN), Mstream (stream.c but not the original powerful source code)
DrDoS: Smurf (ICMP) and Fraggle (UDP)
Web Vulnerabilities : phf (you could return the contents of /etc/passwd – this was when it actually contained hashes which John the Ripper could crack), CGI vulnerabilities
Server Vulnerabilities: FTP (wu-ftpd, proftpd – the two biggest problem makers), Telnet (every *nix OS affected), SSH (every version), CMSD & Sadmind (Solaris), imap/pop3 (Linux mostly), rpc.mountd, rpc.portmapper
Backdoors used: bj.c (my favorite, TERM backdoor for /bin/login), SSH backdoors with a hidden embedded root user account, hiding a username within /etc/passwd & /etc/shadow, adding a bindshell on a port by editing /etc/inetd.conf and /etc/services, and hiding a suid rootshell in a directory such as /tmp that a normal user account could run to escalate privileges to root.
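Three of the persistence tricks in that list leave checkable traces in plain files: a second UID 0 entry in /etc/passwd, an inetd.conf service whose server program is a shell, and a setuid root binary sitting in /tmp. This added example (not from the original post) audits constructed copies of those inputs for exactly those patterns; the file contents and directory listing are made up.

```python
"""Audit for the backdoor patterns listed above. Added example, not from the
original post; PASSWD, INETD_CONF and TMP_LISTING are constructed inputs."""
import re
import stat

# Constructed /etc/passwd: "toor" is a second UID 0 account tucked mid-file.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
toor:x:0:0:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/:/sbin/nologin
"""

# Constructed /etc/inetd.conf: a normal ftp entry and a service spawning a shell.
INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
netlog stream  tcp  nowait  root  /bin/sh         sh -i
"""

# Constructed directory listing of /tmp as (path, st_mode, st_uid) tuples.
TMP_LISTING = [
    ("/tmp/.X11-unix", stat.S_IFDIR | 0o1777, 0),
    ("/tmp/.cache/sh", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/tmp/build.log", stat.S_IFREG | 0o644, 1000),
]

# Server programs that give the connecting client a shell or interpreter.
SHELL_RE = re.compile(r"(^|/)(sh|bash|csh|tcsh|ksh|zsh|nc|netcat|perl|python\d*)$")


def extra_uid0_accounts(passwd_text):
    """Return login names other than root whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def inetd_shell_services(conf_text):
    """Return (service, server_path) for inetd entries whose server is a shell."""
    hits = []
    for line in conf_text.splitlines():
        fields = line.strip().split()
        if len(fields) >= 6 and not fields[0].startswith("#") and SHELL_RE.search(fields[5]):
            hits.append((fields[0], fields[5]))
    return hits


def setuid_root_in_tmp(listing):
    """Return paths of regular files that are setuid and owned by UID 0."""
    return [p for p, mode, uid in listing
            if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0]
```

On a live host the same three functions take `open("/etc/passwd").read()`, `open("/etc/inetd.conf").read()` and `os.lstat` results for each entry under /tmp.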
Simple x86 Intel buffer overflows were as common as a sunset, and you could find one in just about any program, as code was created and pushed without any rigorous quality checks beyond "Does this work as designed?".
Windows: lol, no respectable hacker would ever hack a windows machine back then.
The last time I hacked anything was the day before my 18th birthday