Two coworkers and I were set up in a computer room within one of the cable company's remote offices. Our attack targets consisted of two televisions, two cable modems, and two new set-top cable boxes (the intended testing target). We were connected to a cable TV broadband connection in such a way that no one else would know the difference between our setup and any normal customer. We then played porn on one TV and Disney movies on the other.
Three guys sitting in a room, hacking away, watching porn, and getting paid to do it -- life was good. The only thing missing was the beer. In short order, using a port scanner, I had found a Web server running on a high TCP port, in the neighborhood of 5390. I ran Nikto, a Web vulnerability finder, and it came up with a few false positives. But it also identified the Web server as something I had never heard of. A little research told me it was an open source Web server that had stopped being supported nearly a decade before.
I wondered how likely it was that an old Web server was patched against vulnerabilities that were common 10 years ago. My hunch was correct. I was able to access the set-top box using a simple directory traversal attack (such as http://..//..//..//). I was in as root and had complete control of the device. It was running an old flavor of BSD, which was full of vulnerabilities by itself. In short order, we were able to steal porn, steal credit card numbers, and switch the Disney channel out with porn. We had accomplished all our goals, only a few hours in.
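The weakness the story turns on is a Web server that maps URL paths to files without confining them to the document root. The following is an added example, not code from the article or from the cable company's set-top box: it shows how a server should resolve a requested path against its document root (rejecting anything that escapes it, including the `..//..//..//` form quoted above and percent-encoded variants), and it reuses that same check to flag traversal attempts in access-log lines. The document root `/var/www/htdocs` and the log lines are assumed and constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example; the article does not give the real one.
WEB_ROOT = "/var/www/htdocs"


def _decode_repeatedly(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoded '..' is not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_request_path(web_root: str, request_path: str):
    """Map a URL path onto the filesystem, confined to web_root.

    Returns the absolute filesystem path, or None when the request would
    escape the document root (a directory traversal attempt).
    """
    decoded = _decode_repeatedly(request_path)
    # NUL bytes and backslashes are never legitimate in a URL path here;
    # both are classic ways to confuse path handling.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Join onto the root first, then normalize: this collapses '//' runs and
    # resolves '..' segments the way the filesystem would.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:12:00:00 +0000] "GET /..//..//..//etc/passwd HTTP/1.0" 200 512',
    '10.0.0.6 - - [01/Jan/2010:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.7 - - [01/Jan/2010:12:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 404 0',
]

_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal_requests(lines):
    """Return the log lines whose request path would escape WEB_ROOT."""
    flagged = []
    for line in lines:
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        if resolve_request_path(WEB_ROOT, match.group(1)) is None:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", line)
```

The prefix check is done on the normalized absolute path rather than by searching the request for `..`, so odd spellings (`..//`, `%2e%2e`, `a/../../..`) are all caught by the same rule: the resolved file must lie under the document root. The same function doubles as a cheap log-review filter for a server that cannot be patched quickly.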
Later that week I learned that my success with a directory traversal attack would find its way up to the cable company's CSO and beyond. I was invited to talk about my finding ahead of the official written report. Many of the company's bigwigs flew in for the meeting. When I asked why all the hullabaloo for something they could fix in the new set-top box, I learned that the same Web server and setup was being used in millions of existing cable boxes around the world. I did a scan of the Internet looking for the high TCP port and found tens of thousands of them awaiting anyone's connection and hacking attempt.
That's to say nothing of the hardware mods and component fires we caused during the ensuing days of boredom, because we had nothing else to do but wait for our scheduled plane rides back home.
It was pure joy -- and one of the most fun hacking days in my life.
True tale of (mostly) white-hat hacking No. 2: Spamming the persistent porn spammer
Some white-hat hacking walks a thin line. Here's a great example of "white-hat hacking" of a vigilante nature gone somewhat awry.