Ghost in the Wires: My Adventures as the World's Most Wanted Hacker - Kevin Mitnick [125]
Next I installed a hacked version of “telnetd” that would capture and store the password of anyone who logged in to the Novell gateway machine. As I was getting myself established on Novell’s network, I saw that two other users were logged in and active. If they happened to notice that somebody else was logged in from a remote location, they would immediately know that the company was being hacked. So I took steps that made me invisible: if any system administrator called up a list of everyone who was on the system at that time, I wouldn’t show up.
I continued watching until one of the administrators logged in to the gateway; I was then able to capture his password for the root account. The password was “4kids=$$.” Cute.
It didn’t take me long to get into another system called “ithaca,” which was one of the Engineering Group’s systems in Sandy, Utah. Once I compromised that system, I was able to retrieve the encrypted password file for the entire Engineering Group and recover the passwords of a large number of users.
I searched the system administrators’ email for the keywords “modem,” “dial-up,” and “dial-in” in various forms—singular, plural, with and without a hyphen following “dial,” and so on—which led me to messages answering employee questions such as “What number do I use to dial in?” Very handy.
Once I found a dial-up, I started using that as my access point rather than going in through Novell’s Internet gateway.
For starters, I wanted to find the system that contained the source code for the NetWare operating system. I started searching through the email archives of the developers, looking for certain words that might lead me to the process used to commit updates to the source code repository. I eventually found the hostname of the source code repository: “ATM.” It wasn’t a cash machine, but to me it was worth much more than money. I then went searching back through emails looking for “ATM” and found the names of a few employees who supported the system.
I spent hours trying to log in to ATM using the Unix-based credentials I had intercepted, but without success. Finally I was able to find a valid account, but it didn’t have rights to access the source code repositories. Time for my standard fallback: social engineering. I called the number for a lady who worked in support on ATM. Using the name of an engineer whose password I had cracked, I told her I was working on a project and needed access to the NetWare 3.12 client source code. My gut told me something just wasn’t right, but the lady didn’t sound at all hesitant.
When she came back on the line and told me she had given me the rights I’d requested, I felt a familiar surge of adrenaline. But after only fifteen minutes, my session was disconnected, and I couldn’t reconnect—I was locked out. Moments later the engineer changed his password. Uh-oh. That didn’t take long to figure out. Later I learned that the lady had had previous conversations with the engineer whose name I used, and realized my voice didn’t sound like his. She knew I was an imposter. Damn! Well, win some, lose some.
I called another administrator who also supported ATM and convinced him to add access rights to one of the other accounts I had compromised, only to be locked out again. I also placed backdoors in numerous systems to capture credentials as users logged in.
By now I had been working on this project for several days. Searching emails was a quick means