As I guess you may know me personally — I love programming and computers in general, and this passion dates back to when I was around 12 years old.
Some years ago, I was seriously trying to get into computer security. I loved every aspect of it, the process of information gathering, learning stuff about your target and finally exploiting it.
Exploitation was for sure one of the most complex tasks as it usually took a lot of knowledge. Contrary to popular belief, it's not as easy as just searching for one of the services running on the target device on exploit-db or milw0rm.
In the beginning I used Backtrack, a Linux distribution specially built for security audits. Later I switched to Debian and exported the tools from Backtrack that I used. Backtrack was too bloated for my taste.
Well, sadly, I didn't have too many friends that were into computer security, and I had only one friend who seriously knew Linux; we'll call him Bob, whatever.
Bob had a dedicated server he used for hosting his portfolio and the web apps he developed. Since I was 15 I considered Bob to be one of the coolest programmers I knew; he was clever and always building awesome projects. I needed to stand out, and what better way than hacking into his network?
Well, after seriously scanning his servers using Nmap and using tools such as DirBuster to brute-force the directories served by Apache, I figured out he was as good as I expected him to be: he didn't have any blatantly open security holes. I had to do something more creative.
I started brute-forcing his subdomains; maybe his DNS pointed some subdomains to some other server which wasn't that secure! Well, I was almost right: he had a subdomain (home.domain.com) which dynamically pointed to his home computer, which hosted an Apache server. But now what? I fired up my trustworthy DirBuster in order to enumerate what he did host there.
Back then, my friend had developed an amazingly beautiful web application that was basically a file manager. He had recently had some security issues with it: some file disclosures and some other stuff. He patched them immediately for his customers, but forgot to upgrade his local copy. Yay.
I knew exactly what to do: I downloaded the files which stored the hashed passwords for the administrator login, which allowed me to upload files to his computer. Thanks to Google, I didn't even need to crack that hash; I just searched for the hash string and found the password already cracked. I had administrative login, and I could run almost everything I wanted.
I briefly uploaded a PHP shell script, which allowed me to run everything I wanted. He was running Windows; I was so happy.
I uploaded a Metasploit reverse shell script which allowed me to get a nice CMD shell right on my computer. He was behind a firewall, so running a bind shell would have been useless. Once I had the Metasploit payload up and running I could do anything on his computer; I had administrative permissions. But I didn't want that, did I? I wanted to get into his dedicated server!
I quickly realized that he did not type passwords to connect to his server. So what did I do? I left a keylogger to run there, for 3 days non-stop. I encoded the keylogger with 仕方が無い (shikata-ga-nai — polymorphic XOR additive feedback encoder) by running it around 10 times; the anti-virus he had did not detect it, yay!
After 3 days I had a lot of information about him, including his PayPal accounts and everything he wrote in that time. In order to protect his privacy from prying eyes, I piped all his keystroke logs through a script that would only show me the strings that contained the '@' sign. Nobody would enjoy having all his keystrokes read by someone, even if we were friends.
At that time I had read a book about Social Engineering called 'Social Engineering: The Art of Human Hacking' and decided I should apply what I had learned.
Sadly, I still didn't have access to his servers. Well, I decided to get nasty. I told him I had hacked his server (at that time I hadn't), and told him to check the banner displayed by his FTP motd, because I had altered it (it was all a lie; I just wanted him to connect to his FTP server). I told him he could see that by connecting through FTP using cmd.exe and the 'ftp' command. I had my keylogger, nicely waiting for him.
He logged in, I had his password, I understood his password scheme, and soon after that I had root access to his dedicated server. It was fun, and I understood why people say that all systems are vulnerable. His dedicated server was not, but his network architecture was.
He briefly removed his subdomain and rethought his security systems. It was a really fun week.