Karachi   ->   Sweden   ->   Karachi, again   ->   Dubai   ->   Bahrain   ->   Karachi, once more   ->   London and Leeds

Monday, November 08, 2004

Exploiting Systems: Part I

Are you a hacker?
Come on. I won't tell anyone.
No, I don't know anything about hacking.
OK. But can you tell me how to get someone's MSN password?
If it were that easy, MS would have closed down their service.
Oh, no, it's not that difficult. My friend has done it!
Then go and ask him!

I have had this kind of discussion many times in the last few years. I confess that I have broken into a Netscape mail address, a Rocketmail address (later acquired by Yahoo!) and a few accounts on Kalpoint (the mail system is now closed). Now, I feel sorry for all of these except the last one. I also hacked into some Nettlink accounts. But all of this has more to do with the stupidity of the systems and their users than with my ingenuity.

I'll narrate some basics for everyone's benefit. And no, I am not going to bore you with the "hacker" vs. "cracker" debate. How much useless stuff people can talk about...

Hackers have a deep knowledge of a system and can use that knowledge in ways the developer(s) perhaps couldn't even imagine! It's this exploitation of weak areas, combined with determination, that makes a hack successful. For example, I'd start by telling you about SQL injection. A typical login system reads in a user id and password and then looks up the matching record in a database using something like this:

"select * from users where user_id = '" + uid + "' and password = '" + pwd + "'"

If 0 records are found, an invalid user id or password was entered. Otherwise, the user is in!

Now, if you look at this with a hacker's eye and know that a SQL statement can contain comments, you can immediately craft statements of the form

"select * from users where user_id = 'ali' -- blah blah blah"

This means that you can comment out the password-checking part when the query is executed on the server! Just use "ali' --" as the user id and anything for the password. Try playing with Kal Community. It's vulnerable to this attack; however, there are no interesting accounts. You might try this userid (amongst several others): shahbazsiyal.
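Here is an added example, not part of the original post, that puts the concatenated query above next to its fixed form so you can see exactly why the "--" trick works and how parameterized queries shut it down. It uses an in-memory SQLite database with a constructed users table (the user ids and passwords are made-up sample data); nothing here comes from Kal Community or any real system.

```python
import sqlite3

# Constructed sample rows for the users table (made-up data, not from the post).
USERS = [("ali", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with the users table populated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user_id text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def login_vulnerable(conn, uid, pwd):
    """The pattern from the post: the SQL text is built by string concatenation,
    so whatever the user types becomes part of the statement itself.
    A user id of "ali' --" closes the quoted literal and comments out the
    rest of the WHERE clause, including the password comparison."""
    sql = ("select * from users where user_id = '" + uid
           + "' and password = '" + pwd + "'")
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0


def login_parameterized(conn, uid, pwd):
    """Hardened form: the statement's structure is fixed at write time and the
    inputs travel as bound parameters. A quote or '--' inside the user id is
    just characters compared against the column, never SQL."""
    sql = "select * from users where user_id = ? and password = ?"
    rows = conn.execute(sql, (uid, pwd)).fetchall()
    return len(rows) > 0


def compare(uid, pwd):
    """Run the same credentials through both logins; returns (vulnerable, fixed)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, uid, pwd),
                login_parameterized(conn, uid, pwd))
    finally:
        conn.close()


if __name__ == "__main__":
    for uid, pwd in [("ali", "s3cret"), ("ali", "wrong"), ("ali' --", "anything")]:
        vulnerable, fixed = compare(uid, pwd)
        print(f"uid={uid!r:12} pwd={pwd!r:10} concatenated={vulnerable} parameterized={fixed}")
```

The third row of the output is the whole lesson: with the correct password both versions admit the user, with a wrong password both refuse, but with the commented-out user id the concatenated query says yes while the parameterized one says no. Escaping quotes by hand is a weaker fix than binding parameters, because every database has its own quoting rules and one missed code path is enough.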

To be continued...

Best years of our lives
When we first met
I could hardly believe
The things that would happen
That we could achieve
So let's be together
For all of our time
We'll go out so thankful
That you are still mine
("Best Years of Our Lives" from Shrek I)