I hacked my high school, and you should too.

- I have worked for Northrup Grumman and Uber as a security engineer and I built security tools that have been used around the world. The coolest thing that I have done in my life is that I got to help develop code that ran on every device that had Uber installed on it. The purpose of this code was to help the 20% Uber was losing to fraudulent trips. The talent needed to work on a project like this was so rare that I was hired on as the first team member, as an intern and later hired on as a college dropout. This is not to toot my own horn, but it is to make a point: being a “hacker” is rare and it might be one of the most powerful skills in the age of computers.

- I am going to show you, verbatim, of what I wrote when I graduated high school. No one else knew about this besides who might have, allegedly, worked with me. An important note on this, this all happened before I knew that cyber security competitions existed.

- ## How I hacked my school

- ### Fucking Cool Stuff

So with these stories, I am entrusting you with our wrong doings at PHS and if you choose to tell others about these shenanigans I would appreciate you use anonymity as a member of our team is still in PHS and I would rather the word not have a chance of spreading and the person getting in trouble haha thanks.

- #### **Part 1 - Getting Administrative Access on All the Computers In the School**

So in Windows, to be able to change everything about the operating system, your user account must have the privileges of an Administrator user. Our student accounts are pretty limited, only allowing us access to certain programs and saving and opening files in a pretty restricted area on the computer. Naturally, we wanted to get complete control of the computers because we were bored haha. Before they upgraded the computers to Windows 7, this process was pretty easy. So we knew about a way to get the next best thing to the computer’s password and that is the password hashes using a tool called Ophcrack (Appendix A 7). A password hash is better explained here: http://stackoverflow.com/questions/1602776/what-is-password-hashing but it is basically a way to store a password on a computer so that if someone were to find the password hash on the computer (like we did) they would not just be able to read the password like they would read plain text (so instead of a computer storing “password” as the user’s password on the computer, they would be storing “5f4dcc3b5aa765d61d8327deb882cf99” (if they were using the MD5 hashing algorithm (there are a lot of different hashing algorithms that generate different combinations of numbers and letters, MD5 is just one of them))). So in order to use Ophcrack, we changed the computer’s BIOS (You know when you turn on your computer and you see like “Press f2” or something like that? If you press f2 when the computer is booting up you can change your own comuter’s bios settings :D) ([http://computer.howstuffworks.com/bios.htm](http://computer.howstuffworks.com/bios.htm)) so that when the computer was looking for an Operating system to boot into, it would first look at the flash drive that we had attached to the computer and checked if they flash drive had an Operating system on it (Ophcrack is considered a linux operating system based off of the Debian distrobution). Once the computer recognized our attached USB as having Ophcrack, Ophcrack would then be able to scan for the place on the hard drive where Windows stores its password hashes (Ophcrack is able to do this without worrying about not have the right permissions to access the passwords because it is using Linux and Linux has a different way it handles permissions and thus it completely ignores any permissions that the Windows operating system has on its files :D pretty cool huh?). So once Ophcrack gave us the password hashes we needed, we did this thing called a Rainbow Table lookup (no we are not checking to see if the passwords are gay or not haha). You can read more about rainbow tables here: http://kestas.kuliukas.com/RainbowTables/ but basically since the password hashing algorithm will give vary different output in a small difference in the password (try it for yourself: http://www.miraclesalad.com/webtools/md5.php) it is impossible to simply deduce what the password is when you are only given the hash. Rainbow tables effectively break password hashing for fairly simple passwords (ie if there are only letters and numbers and it is smaller than 14 characters) because they are made in order to associate a specific password it a correlating hash (so these rainbow tables have the hash for password, password1, password2, password3, … and the person with the password hash only needs to find where their hash is in the table and get the password that it is associated with). Because this is MCPS, they do not have good password security and thus we found the password as a 6 digit alphanumeric string (alphabet and number characters only). And because the admin password is the same on all the computers, we had admin access on every single computer and had full control over all of them :D

- #### **Part 2 - Dealing with the Windows 7 upgrade**

So MCPS got a little smarter when they upgraded their OS from XP to 7 because they password protected the BIOS so that we were not able to change it (They also changed the admin password so our old one did not work). This did not stop us however :D So we did some research and discovered that the BIOS is really just a part on the computer’s motherboard that has to always be kept on (if you knew electrical engineering this would make sense due to the actual hardware logical gates having to store electrical charges but CS people don’t really care about that stuff haha). So this part on the motherboard is powered by a small battery called the CMOS battery ([http://www.allabouthappylife.com/acer_ferrari_5000/acer_ferrari_5000_detach-rtc-battery.jpg](http://www.allabouthappylife.com/acer_ferrari_5000/acer_ferrari_5000_detach-rtc-battery.jpg)). If this battery were to lose power or be unplugged, any settings that were changed by the user in the BIOS would be reset (:D). So you could only guess how happy we  were to find this out. The next day we found an isolated computer lab, opened up a computer, pulled the battery out and put it back in then used Ophcrack to find that they still had a 6 character alpha numeric password (they never learn). And that was that :D

- #### **Part 3 - The School’s Wifi Password**

Our motive for this was pretty obvious, we saw there was a wifi access point and we wanted to use it :D So going about solving this problem, we had to think about the ways we could gain access to it. It was secured with WPA2 encryption and unlike previous versions of wifi encryption like WPA and WEP, WPA2 is able to be cracked. So we could not remotely get the wifi password, we would need physical access to a device. Our first thought was since every router that was broadcasting the wifi signal was connected to a central router that had the password we could attempt to go into the ceiling, attach a lan cable into the router in the ceiling (those white things with green blinking lights) and then locate the main router on the network and rest the password. There were two problems with this approach as first getting access to something in the ceiling was pretty conspicuous and if someone turned the corner and saw us, we would have a hard time explaining and then secondly we did not know if we could actually find out the pre existing password or if we would have to reset the password which would then cause Mrs.Hackey to be all like WTF someone changed the wifi password and then we could also be caught. So we needed a physical device that was not conspicuous to obtain that is using the wifi network. Our answer was in the Mac laptops as they were 1) connected to the wifi network and 2) able to be obtained in a classroom setting. So getting our hands on a macbook we discovered that you had to be admin on the macbook to view the wifi password so you know what we did? Made ourselves admin :D So with almost any OS you can reset the admin password if the security settings are not changed to prevent that (this is MCPS of course they did not set the right settings :D) so we did this https://discussions.apple.com/thread/4913069?tstart=0 **boom **logged in and got the password **snap** :D

- #### **Part 4 - Getting access to all of the security cameras**

So you can see our collection of images in Appendix A 8 (it is not complete because there are different models of cameras and the program we made did not account for the authentication method for the other model of camera so we were not able to get all the cameras but this is still a pretty good list :D). So this little project was a little more advanced in the sense that we had to use our knowledge about computer networking to do what we wanted to do. So we figured that there was no way that the cameras were directly connected to like a central computer with wires because that would take up way too much wire so they were more likely connected to the routers scattered around the ceilings. And since the routers are all on the wifi network, that meant that the cameras were on it too. Now the tricky part in this is determining what subnet (or sub-network: http://blog.codepath.com/2011/11/15/what-are-subnets/) all of the cameras were on. So when we connected our computers to the network, the network has to issue out IP addresses to our computers so it could identify our computers on the network and keep track of who was who. And since we were given IP addresses in the form 192.168.1.[0-255] we thought that maybe the cameras were in somewhere buried in another subnet like 192.168.2.0/16 or 192.168.3.0/16 (this will make more sense if you read the SANS thing on networking or do some Googling on subnets and i can answer any questions you have about them). So how we would check to see if the cameras were on a subnet is do this thing called a Ping Sweep. In a ping sweep we are essentially trying any possible combination of IP address in a particular subnet and issuing a Ping command on it. What ping is is a small message that is sent from one computer to another destination across a network in order to tell if something exists at that IP address. But in our attempts we did hear back from any of our ping requests and thus we concluded that there were no cameras on that subnet. After some time of experimentation we realized something important. So since the schools network is self contained, it is considered to be private. Private IPv4 addressing is explained here: http://compnetworking.about.com/od/workingwithipaddresses/f/privateipaddr.htm but what you need to know for this is that private IPv4 has 3 different subnets that it uses, 10.0.0.0, 172.16.0.0. and 192.168.0.0. When we connected our computers, we were on 192.168.0.0 but had not tested the other two subnets. So doing our Ping Sweep again, we found them. When our computer lit up with Ping responses from the 172.16.0.0 subnet, we were so siced. Now that we knew where they were, we needed access to them. We knew they were IQeye so we did some research as to how they worked. We found a document that would later, after we got access to the cameras, be pretty funny ([http://www.iqeye.com/sites/default/files/mcps_case_study.pdf](http://www.iqeye.com/sites/default/files/mcps_case_study.pdf)) as well as there being a login web page that could be accessed for each camera that authorized a user that had the correct username and password. After trying the default username and password, we were not successful and concluded that MCPS wasn’t entirely insecure. Doing some more research we hit the jackpot. We found a document ([https://media.blackhat.com/us-13/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-WP.pdf)](https://media.blackhat.com/us-13/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-WP.pdf_)which had found an exploit in the IQeye cameras that returned the username and password hash of the account which you used to log in. Performing this exploit gave us what we needed and we then proceeded to break the password hash which, whatdoyahknow, was an extremely basic password, “mcps_152.” 152, that was a familiar number, where had I seen that before? Talking with my team we realized that it was Poolesville’s school code. I had forgotten to metion earlier that in our Ping sweep, we did a sweep of the entire 172.16.0.0 subnet and got hits in every subnet (so we found cameras in 172.16.1.0, 172.16.2.0, 172.16.3.0, etc…) so it would only make sense that each of those subnets had another school’s security cameras in them and their password was in the form “mcps_” plus the school code. Instead of trying to find every school’s school code, we just tried every password combination (that is we tried mcps_1, mcps_2, mcps_3, …, mcps_999). We automated this of course so we got it done in a matter of seconds so it was no big deal. So at this point we had access to every single camera in the entire county :D

- ## No internet for you!

- I had so much fun doing that.

- Once competitions started, they were really fun competitions, but none of them really hit like the adrenaline that you got when you figured out how to hack the next thing in real life. With competitions, breaking out of the box is fun, but the stakes just aren’t that high.

- High school “content filtering”, is more like “child surveillance” now that more powerful internet filters are available, the ethics of which are questionable. There is so much of the Internet that you can’t access and tools that you can use, it is insane. I recently spent a lot of time running into problems with this.

- ### It is like NCIS, but for kids

- I have run a cyber security competition recently where 200 students tried to forensically investigate a fictional murder mystery, whose evidence was on the internet. If you are interested in more details, here is a video about it:

- {{video https://youtu.be/2AOxuHuHS1U?t=27}}

- It is so much fun to run this. We just had our 7th year running this, and each year it has become easier because I have been writing a better service to host it. Over the years, I have had high schoolers who competed end up helping me so the competition grew better and better every year. By hosting it at the local community college, we bring 200 students every year into a building that they could end up going to, and cemented in their minds as a place where they care about cyber security.

- We ended up spending a ton of time trying to set the competition up in a way where the _very_ locked down systems that the students had were capable of accessing the competition site, and be able to solve the challenges. Given that this is a very real world competition, there are tools that the students need to use, but the computers are simply Chromebooks with very restrictive networks. When the competition started, our wiki page was not able to be accessed, the firewall was blocking it. Without access to this page, most students would not be able to progress. Anticipating that there would be problems like this, we built an entire virtual system that the students could use to access everything that they needed. It was really, really annoying to deal with.

- ## Show some respect, the kids are hacking

- If I was going to school right now, I would hack the living _shit_ out of these computers. We used to install Halo on every computer in a classroom so that we could have a LAN party and play with everyone.

- Rodney Mullen, a world renown skateboarder, gave a TED talk on how skateboarding was similar to hacking. Skateboarding and hacking require a great deal of flow. An insane amount of focus is needed to “do what you were not supposed to”. Have you ever considered how the fuck the physics works on the shit people do when riding a _rail_? Oh yeah, and kids are doing this. Every day, skateboarders invest their time, and literally their body, to honing in an intricate physics equations they can come up with in their head. If you don’t believe me that skateboarding is important, it is literally in the olympics.

- Hacking is not just getting into unauthorized places like the movies will have you think, it is about doing something to show that you can do something crazy! You want to give someone that “holy shit, you just did that?” moment. I used to bring my own computer every day just so I didn’t have have to deal with any restrictions from the school’s computers. It was the only way that I could stay in my flow of hacking. If I had to deal with the insane restrictions on the school computers, I would actually just spend every second of my day thinking about how to bypass the ludicrous restrictions, and you aren’t going to stop me.

- ## Be realistic

- If you impose crazy restrictions, you are going to make some insane hackers that you can’t control. It is really that simple. What if I, as a professional security researcher, happen to end up doing some research about the very same security system you are using. I might post an anonymous post somewhere on the internet and a student ends up finding it. Very much in the same way that I learned how to hack the cameras.

- It really isn’t that hard, give students the tools that they need to play and they will be happy. My high school teacher literally manages his own server racks so that he can let his cyber class hack something. He wheels a massive server rack around his classroom because that is the best that he can do. Incredible! Help this man out! He is trying to teach cyber security! You need resources for that, damn.

- If anyone who is a teacher, student, someone in charge of a school system reads this and wants to talk more about how to actually teach cyber security, I can help you. Don’t make the same mistake NYU did: [[NYU Dropped the Ball]]. Hit me up on twitter.