Hacking my school network in 1991
Back in 1991 I was a student at Franklin Sixth Form College in Grimsby, England. A sixth form college is roughly equivalent to the junior and senior years in an American high school--I was about 17.
The challenge
The college had a local area network (LAN). It wasn't connected to the Internet. However, it still had accounts and permissions--teachers could access files that students couldn't. And the admin could access anything.
There were two people in charge of "computer stuff" at the college. A system admin, Steve B, who I got along very well with, and another Steve (last name forgotten) who was the computer science teacher. I didn't get along so well with the second Steve. Probably because I was an annoyingly arrogant teenager who had no interest in taking his computer science classes. (I studied Maths, Physics, Chemistry, and Biology at A-Level. Yes, I was that kid.)
One day, I was hanging out and chatting with the system admin, Steve B. I expressed a hunch that the network security was probably pretty bad. Steve thought it probably wasn't as bad as I was suggesting.
"Why don't you hack it then?"
Yes, the admin had challenged me, a student, to hack the network!
Oh dear.
The network
The college LAN was 10BASE2 Ethernet. That's the kind that uses coax cables and no hubs. The machines were RM Nimbus PCs, mostly with 80186 processors.
Most of the machines did not have hard drives. Instead, they booted from the network and ran software fom network shares. These were located on two servers named "ADA" and "HAL". (I wasn't aware just how good these names were back then!)
Some of the machines had 3.5" floppy drives, as seen in the image. This turned out to be very useful!
Phishing
The first approach I came up with was essentially phishing, even if it wasn't called that back then. The idea was to create a fake login screen, get the admin to login, and thereby obtain the password.
But this seemed like a lot of effort. And it would probably only work a couple of times at best. So I gave up on this approach.
Login observations
Next, I observed something interesting about the login process:
- There was a noticeable delay after entering the username before the password prompt was shown
- There was no delay between entering the password and being logged on
So my hypothesis was that the computer did a network round-trip after the username was entered, but not after the password was entered.
Maybe the password was cached locally in-memory after being obtained from the network? Seemed worth pursuing.
Boot process
The boot order for these machines had the network first. You couldn't just stick in a floppy and boot off it. Unless you unplugged the network cable...
Also, the AUTOEXEC.BAT and other boot files required to connect to the network were easily copied onto a floppy. This meant that I could boot onto the network from a floppy by
- Unplugging the coax from the back of the machine
- Waiting until just after the floppy boot had started
- Plugging the network cable back in
TSR
So now I could inject my own code into the boot process. But, of course, it couldn't stop the boot--it needed sit quietly and then activate when I needed it. In MS-DOS, this was called a Terminate and stay resident program, or TSR.
I don't remember full details of the TSR code I wrote, but it was in x86 assembly and hooked into an interrupt such that it could be triggered by some key combination. It was very hacky, which seemed appropriate.
Success!
I ran the TSR and triggered it after I had entered my username. It scanned memory for my username, which it found, and then displayed any text in the surrounding memory. My password was sitting right next to my username in memory!
In plaintext!
(Even in 1991 I was surprised by this! I was expecting at least some form of trivial encryption.)
So I ran it again with Steve B's username. Sure enough, there was his password!
(Btw, for me, the thrill of even this small hack was pretty intense. I can easily see how people can be sucked into hacking just for this thrill!)
The reveal!
"Hey, Steve? Is this your password?"
He probably should have uttered some choice language at this point. But we were in school. Anyway, he changed his password.
"Hey, Steve? Is this your new password?"
The fact that Steve still didn't swear says a lot about his self control!
Fallout
Soon after, I was summoned into the other Steve's office. He was not happy. But what could he do? (I believe they contacted RM, but were told this kind of thing was pretty common.)
He tried to instill in me that I should behave responsibly and should under no circumstances give anyone else access. I thought this was all rather amusing since I had never intended to do anything with the hack anyway! The fact that I didn't seem to be taking this seriously probably annoyed him more.
No more hacking
After sixth form, I went off to Nottingham University to read Neuroscience. There was some pretty scary language in the document everyone had to sign to use the computers. They made it very clear that they would both expel and prosecute criminally anyone who hacked anything!
So I gave it up. But I still look back fondly to the days of easy hacking and limited consequences!