Charles Hooper

Thoughts and projects from a hacker and engineer

How I Hacked My High School

When I was a freshman or sophomore in high school, I cracked my high school and got in “a lot of trouble” for it. I’ve only told the story maybe half a dozen times in my life, but after telling it a few times in the past month or so, I decided to write about.

I went to a high school in a fairly decent school district that apparently had enough money to build several computer labs in each school, network them all together as a single autonomous network, and provide reasonably fast Internet access. This was somewhere between the year 1999 and the year 2000, the exact year I can’t quite remember.

Another interesting thing to note about my high school was that it carried with it an 80-hour community service requirement for graduation. I’ve always been into computers and networking so it was natural for me volunteer to do my community service assisting the technical staff in the computer labs. Community service in this way typically involved installing printer drivers, updating software, and pushing boxes around on a cart.

My school’s computer network consisted of a mix of sevaral flavors of Windows including Windows 95, Windows 98, and Windows NT 4.0. Despite the large Microsoft-only network, we were using Novell for authentication and authorization. Each school in the district was networked together and part of this same Novell network.

My school had reasonable filtering and monitoring in place for web traffic and it wasn’t uncommon to hear of students getting into trouble for looking at, let’s say “questionable content.”

One weird thing my school did was restrict access to the local hard drive. If you went into Explorer, the C:\ volume simply wasn’t listed. This was supposedly because we were supposed to use our network-attached “S drive” which was unique to each user. The “Run” dialog from the Start menu was also disabled.

This had its flaws; however, and one day I hand-wrote (in English class) a 6 page paper detailing the variety of ways even an unskilled person could bypass this precaution. Most notably this included:

  • Create a shortcut on the desktop to C:\
  • Open internet explorer and browse to file:///...
  • Certain “Save As” and “Open” dialogs still listed the C-drive and was browsable
  • You could still get to a “Run” dialog by opening the task manager and finding it in there. This allowed you to a) Browse to the C-drive anyway, and b) Open up a command prompt

There were probably some other flaws I missed. I argued that restricting access to the local disk was rather pointless as people could simply drop to it during boot (which many students were already doing in order to get a kick out of doing deltree C:\Windows for some reason) and that the real issue was that local password caching was enabled. In other words, whenever a user logged in, a hashed version of their password was stored in the form of a windows “PWL file.”

The next time I did my community service, I handed my paper to the head technician which he responded “What? This could never happen” and threw my paper in the garbage.

What?! I couldn’t believe that someone would actually throw away what was, at the time, the longest paper I’ve ever written after barely having read it. And to do this with a 4-word response no less!

Due to my shock and what was apparent lack of maturity, I decided that I would show them. I mean, when you approach someone with what you think is an obvious, logical opinion and they don’t believe you, your next option is to show them, right? Right?

It didn’t take me too long to gather up a fairly large collection of these so-called “PWL files” on a floppy disk. Distinguishing between staff and students was trivial too due to the naming convention in place. Students’ usernames were always in the form of {ExpectedGraduationYear}{LastName}{FirstInitial}. Mine was 03hooperc. Faculty and staff, on the other hand, simply followed the convention {FirstInitial}{LastName}. I decided that I didn’t care for any of the student logins and just discarded them.

When I had a good collection of staff PWL files, I used a tool called Cain & Abel on my home computer and ran it overnight.

In the morning, I was surprised to see how many passwords were cracked. Among them, one staff login stuck out at me. It was the technician who threw my paper out. I knew that because, unlike the rest of the technical staff, he mostly worked on network issues, he must have alot more access than anyone else. His password was hilariously bad and insecure. It consisted of two three-letter words in all caps:


The man, huh? I giggled and went to school ready to launch my next attack. I went to the computer lab during lunch and waited for the opportunity to log into my new staff account. I had to be careful, though, as my school set the background of staff accounts to something very noticable and I didn’t want the computer lab attendant sitting in the back to notice that I was on an account that didn’t belong to me. At some point, she left briefly and I quickly logged onto The Man’s account.

Once I was logged in, I was more in excited and nervous than anything. Even still, I moved onto the next step of creating a backdoor account with admin privileges. I made up a name and created a new account following the faculty/staff naming convention and granted it every privilege I could. As soon as I was done, I logged off. The log-off couldn’t be slower. I felt like Peter in Office Space when he’s trying to duck out of work early and his computer keeps coming up with a bunch of last-minute tasks before it can log off.

I logged into my backdoor account exactly once to verify that it worked and never logged into it again. I fucked up and made the classic mistake of telling a friend. He was one of the few people I knew who also used Linux and we used to trade books, CDs, and manuals all the time. My favorite trade was giving him Debian GNU/Linux: Guide to Installation and Usage for a manual from Bell Canada about this crazy thing called SONET and T-carrier transmission systems (e.g., T-1 lines). Who knew that I would one day work for an ISP and later move on to manage thousands of Linux hosts based on a Debian derivative?

Some months later, I start hearing from other students that my buddy has told a bunch of people my secret and has even been logging into the account to prove it (OK, I definitely shouldn’t have shared the credentials!) I decided that the best thing to do in this case was to confess to the Director of Information Technology, who I used to bug from time to time and ask why we didn’t use Linux since it’s free (Yes, I was probably a very annoying fifteen year old) For those wondering, he said it was because of a “licensing issue” which I think was professional speak for “fuck off, kid”). So, I walked into his office one day and dropped the bomb.

I honestly don’t know what I was expecting to happen. He listened to my story, asked me how long I had this access for. When I told him, he remarked that their backups didn’t back that far and that, in any case, he’d have to report me to the administration. He walked me over to the dean of disclipline’s office and I went through a grueling session of more questions.

Something I should probably note is that this during a period where a bunch of schools, including mine, had decided to institute a so-called “zero tolerance policy.” What these zero-tolerance policies were was simply a matrix of “Violations” on one axis and “Number of prior offenses” on the other. In other words, getting caught smoking in the bathroom for the first time carried a pre-determined penalty which was slightly less bad than getting caught doing that for the second time. Students could never argue that they didn’t know they would get in so much trouble for anything because this matrix and every other school/district policy was distributed to us at the beginning of the year and we were required to have it on us at all times.

The obvious flaw with this policy, besides the fact that it ignores additional circumstances, is that in 1999 there wasn’t a row describing the penalties for any of the things I had done. In fact, I hadn’t technically violated any of the school or district policies at all! (Federal and local crimes may be another issue). I was sent home with the dean of discipline still deciding what to do with me, but I figured I was probably going to be suspended for a few days.

I went home and told my parents what happened and, very very very surprisingly, they said I did the right thing (albeit many months late). Something else amazing happened though. My parents called the school and, after talking to the dean, we learned that my school was actually considering expulsion! My parents made some phone calls and tried to pull some strings that we didn’t think we had but ultimately told me that we wouldn’t know my fate until the next day at school.

The next day I went into school and was immediately called into the dean’s office. He explained that they had decided that what I was guilty of stealing and kept using this “stole the key to the bank” metaphor. He actually told me that had I not brought the password files home on a floppy disk, I would probably be in less trouble. What the fuck?

And then I received my sentencing: Ten day suspension.

Ten days! That was huge. For comparison:

  • Ten days in the maximum amount of time you could be suspended for. Anything longer would be considered an expulsion and would require a hearing of some kind.
  • You could punch someone in the face (you know, assault) and the punishment for doing that would be 4-6 days… on the second offense.

I don’t remember how I got home but it was like my parents weren’t even mad. In fact, they seemed more proud than anything. I think they even thought that this incident would get me hired somewhere someday, too.

After my suspension, I returned to school to learn that, in addition to my now-served suspension, I was no longer allowed to use any of the computers at school. This lasted over a year and, after signing a paper agreeing to let my school sue me if I commit another offence, I was given my computer access back.

I’m terrible at concluding stories so… The End.