Thursday, February 10, 2011

Thinking like a Hacker

The semester is firing on all cylinders and we've moved beyond use of basic security tools to password security. In this popular lab assignment students have a three-part task. They're to use a popular hacking tool to compromise a server system in our quarantined and firewall-protected information security lab. Once they've blown a hole in the web/FTP server's authentication mechanism, they use another masterpiece of software to snatch the password file and move it to their personal system. The final step in the process is cracking as many user passwords as possible.

Last night I had the opportunity to watch a group of students, loosely formed as a cyber "gang", take their first footsteps into the dark side. The group had the trappings of the goons I see from China, Korea, and other areas of the globe hammering at our academic servers. There's just one problem: my students haven't learned to think like a hacker. Yet.

At the outset, they're unorganized. No one is in charge and it's total anarchy. After a few minutes they realize organization is the key. Wordlists are divided, tasks assigned. One student is on his cell phone, talking over strategy with a friend. Others are thinking in terms of buffer overflows and denial of service, trying to crash the server in an effort to find a weakness on reboot.

I let them wander, occasionally offering up observations on ways thugs on the Pacific Rim might tackle the problem, but never give the secret away. Students mull over the ideas. Puzzled looks soon turn to a flurry of keystrokes.

A few minutes later I hear "I've got it..." and a student rattles off a username and all-too-weak (by design) password. Seconds later the team is prowling the system working part two of the assignment. Ideas are thrown about, some more complex than others. One student stumbles on the solution by accident. It isn't elegant, but it's effective just the same. But there's a problem: he's lost the password file. A few seconds pass before another student leverages a server tool against itself. He deftly locates then moves the username and hash-laden file to his workstation. In hacker speak, the box is pwn3d.

The team is riding the wave, smiles abound, spirits are high. The file is emailed to each member of the crew, where they'll resume part three on machines at work and home.

As they're packing up I ask the team what they've learned. Each student offers up a nugget of wisdom. Heads nod in agreement. It's clear they understand the objectives of the exercise. Inside, I smile to myself because they're now thinking like hackers.
