hacker wang: a man's hacker history

Posted by punzalan at 2020-02-28

Thirty years later, in the humid weather of Guangzhou, I often recall the sky in the Northeast when I was a child.

At that time, I often needed to look up at the sky. Because my task is to hold a pine pole and lift the TV antenna high. A gust of wind blew, and a snowflake flashed on TV. The village is very open, I have enough time to adjust the antenna to a delicate position. At a certain moment, the snowflakes in the TV suddenly disappeared, and my mood suddenly became more and more comfortable.

The pine antenna is very beautiful, but it's a little prickly.

If you like, you can call me Lao Wang. I like all the most advanced technology since I was a child. In the 1980s, the most advanced technology was electricity. At that time, the TV often stretched or compressed the image due to the change of internal voltage. It's a long way. I can't go to town with my TV in my arms to find a professional teacher to repair it. I can only open the back cover, avoid the high-pressure bag carefully, and learn to adjust the knob behind myself.

This is not the biggest challenge that TV brings to me.

Due to the peak period of power consumption, the voltage drops sharply. In order for the TV to work, I even need to change the circuit at home, connect the zero line to the ground, sprinkle salt water, and use this "Earth" but effective method to increase the voltage.

At that time, TVs were equipped with voltage regulators. In the evening, the regulator needs to be adjusted to the highest level to barely light up the TV. In the middle of the night, you need to remember to adjust the voltage regulator back. One day the old neighbor was watching TV in our house. He didn't understand this. After watching it, he went home quietly. I woke up from my dream and saw TV shining like a searchlight. My TV was sacrificed in this way.

The first time I saw a computer, it was the last page of the labor textbook issued by the school. At that time, I said, I know this thing. It's just a TV with a loudspeaker.

Girl, I want to read your diary

In 1995, I graduated from high school. My father has been ill in bed for many years, and my family money can't continue to support my studies. I realized that I had to earn money to support my family.

At that time, the boss of a software company in Beijing came to my hometown and wanted to build a "software base". He is interested in cheap manpower and land in my hometown.

At the time of recruitment, the boss said that the job is to "program" with a computer. I think it should be both simple and interesting: isn't it just "TV Plus speakers"? I've been a kid.

The boss rented an abandoned "fertilizer factory" (actually a military factory that used to produce explosives), which looks like a small building at the foot of the mountain. Only after entering the small building can we find that the space extends far and wide into the mountain. This software base is really a "base".

A 486 computer acts as the host (SCO UNIX System), connecting 20 terminals. Our team members share the computing power of this computer. Even so, we have to compete. Although 20 terminals are connected, the system can only allow up to 16 terminals to be online at the same time. If you come late with diarrhea, or you simply don't have fast hand speed, I'm sorry that you can only wait for other people to log out. Of course, if you can't finish the work, you have to deduct the salary.

The first three months were technical training, in which I learned typing and programming for the first time. So I prefer to call this school.

If there are only boys in this school, or only boys and girls with average looks, maybe I will not be a hacker. There is a girl who stirs up my young hormone.

I don't want to hide my original motive of becoming a hacker, which is a strong desire for snooping.

The girls who have just learned to type choose to type their diaries into the computer. My mind is full of thinking about how to look through the girl's folder. I imagine the moment when I open the girl's diary, I see her writing full of secret love for me.

However, your own permissions can only access your own folders. I turned my eyes to the guy sitting in front of us. This administrator is also our classmate, and he is a bad programmer, so he can only do the work of administrator. But this guy, with root permission, can view all the files.

If I could get his code, my life would be complete.

In front of love, my IQ exploded. I bought a C language book, studied it for several days, and stumbled to write a fake login page. When the administrator went out to the toilet and didn't log off the account, I ran this fake interface on his system.

As he crackled on the password, the string was automatically stored in my directory. This is the first hacker attack in my life. My teacher is his own hormone. Although I got the password, I was not so happy because I found that there was no word about me in the diary full of girl's emotional disputes.

In order to continuously monitor the "mental state" of students in the class, I need to maintain my login authority. But the administrator is free. The only job is to change the password. I have to improve my technology. I found a way to use another high-level account to enter and replace the administrator's password with my password. In this way, I can enter no matter how the password is changed. Just once I neglected to change the root password and forgot to back up the original password. In an instant, I realized that there was no way to change the password back.

After the story is: poor administrator in front of the machine tried hundreds of passwords, alerted the whole base. At this time, I just walk up to the podium and type in my password gently, then I can solve everything. But there was only one result: I was swept out. I allowed this student to call Beijing headquarters in a sweat. He was severely criticized and spent the night refitting the system.

At that time, when installing a SCO UNIX system, you need to plug 50 5-inch floppy disks back and forth.

Although no one knows until now that I am the "behind the scenes", the lesson will come to my mind in every subsequent attack. Not all competitors are as weak as the administrator, and the world often has no chance for you to recover your mistakes.


I started my career as a programmer.

I remember clearly that a group of us took the train from Harbin to Beijing and then went south along the newly built Beijing Kowloon Railway. Every stop in the middle of the way, our only task is to get off and buy beer. In three days and three nights, we almost tasted most of China's beer and came to Shenzhen through numerous mountains, rivers and villages.

In the days of Huawei's on-site development, I learned about Liang Zhaoxin, the author of Jinshan's solution to hegemony. The soft sound card that he wrote can let the horn that can only "tick - tick" ring out songs.

I fell in love with the earliest online game in China: mud. In order to set up a game server in the company, I even learned its programming language LPC. (in 1998, the old guys who Huawei's research department never met, remember the guy who was originally named "Xiao Li Feidao" in "Oriental story II" and was forced to change his name to "Du Xiao" after joining Shaolin?)

More importantly, for the first time, I saw an article written by coolfire, the godfather of Taiwanese hackers who inspired countless first generation Chinese hackers. I just know that there is a concept of system overflow. A simple overflow can obtain permissions, which is much better than stealing the administrator's password.

I began to download the attack code crazily and carry out the attack experiment. Later I learned that it was impossible for the code to compile in the past. (because the UNIX system at that time neither SCO nor the commercial version CC on tru64 supported "ASM"). As expected, my attacks at that time ended in failure. But it doesn't matter. This God like hacking technology has been printed in my mind and will never disappear.

Later, I went around Harbin, Zhuhai, Beijing and Shanghai. Although my body has no fixed place, I have a very fixed organization in the Internet world.

This is how the adventure happened:

I came across a piece of news that the famous hacker organization "Green Corps" was divided into two groups, North and south. With a heart of gossip, I sneaked into the camp of sunnet IRC Green Corps. Unexpectedly, I fell into the core hacker circle of that year. This room called "Chen isbase" has about forty or fifty people online every day. These are the first hackers in China.

When I asked them about the division of the Green Corps, I was despised. They laughed at me one after another. It's been a year. Why are they still asking. I don't mind being despised. The key problem is that these hackers actually talk to me!

Although the people I contact are a little out of sync with my hacker level, I have my ability to be a brother with them in just a month or two. At that time, Cai Jingjing, whose net name was cbird, registered a permanent room "Chen Superman" in IRC, but usually no one else. So I had the cheek to ask for the room, and pulled a few chatty brothers.

Lin langzi (later the DM of Pangu team), Oliver, se1ang, weiyangsheng, Kaka, RCCH, white, etc. were the first members. Later, with the addition of ICBM (Zhao Wei), Keji, kkqq, swan, etc., the members of Chen Superman were fixed.

There is someone in the room. We have to find something to do. So we decided that the task of this room is to engage in XXX. If you know the meaning of XXX, you are an old driver

We have a focus on a warez organization in China. They have a huge crack software and "XXX" movie channel. If we can control their FTP, doesn't it mean that we also have this important resource?

In retrospect, it was a perfect match for our group. We directly "black eat black" into their servers, and use various means to keep the permissions, so that we have enough time to drag down all the latest high-definition Maopian.

In the Internet world, we are almost invisible people. It makes me proud.

After this perfect campaign, our team has the honor to upgrade to "Superman sex team" or "SST". The team members thought the name was a bit earthy, so they wrote "SST" as "557". That's not enough. As a top hacker organization, our "557" should be hexadecimal. So the name of our group changed to "0x557".

At that time, I never thought that this loose organization would eventually become a legend of the hacker community.

Become invisible

I've found something that really fascinates me - to be invisible in the online world.

My "557" brothers and I are free to access almost any web server. There will be no obstruction.

When Lin langzi (DM) closed the door to study bugs and make use of programming, I became a "script kid" with honor. To be honest, people were lazy in those days. For example, the "IIS Unicode vulnerability" discovered by Yuan Ge can kill almost all IIS servers. However, there are many common vulnerabilities like this. As long as a scanner is used to scan in batches, most websites are sure to be in the middle. In a way, I don't have to worry about digging holes at all.

I'm concerned about how much storage space there is for the servers that have been blacked out. My principle is very simple: if you encounter a small hard disk, you can directly skim over it. If you encounter a hard disk of more than 100g, you can leave it to put "XXX". During that time, I stood in the dark until I vomited.

However, I enjoyed the process. To be exact, I enjoy hiding myself. I'm like a knight in a royal night, shuttling through the dark Internet. This is probably similar to the classic "hacker" image in your mind.

Now in retrospect, it was the best of times. Many of the core hosts that are now embedded in the internal network are exposed on the public network. As long as you want, you can access any operating system. At that time, I even logged into a machine running OS / 390. Compared with now, if you look at windows or Linux, the world is a lot monotonous.

Every black station, I have learned to hide myself better.

Even if I succeed in the attack and retreat completely, the computer's log will not deceive people. The administrator of the other party can completely rely on the log to trace to my identity. In every attack, I need to be aware of how my every move is recorded in the huge maze of servers. The most important thing is that you should know where there will be your traces. Before you leave, I will erase these traces gently instead of violently deleting all the logs.

It's not easy. When attacking IIS server, you need to know where IIS logs are stored; when attacking Apache, you need to know where Apache logs are. Of course, these are not enough. I guess the password, I try to raise the right, all the small actions will generate logs in different trivial places or even unexpected places. All these actions, once neglected, will leave traces for traceability.

For invisible people, clues mean failure.

The gate of the new world

In the Internet world, all the doors are open for me; in the real world, the walls are high.

I'm tired of doing development and want to be a professional security person. At that time, I even thought: even a system administrator. I just enjoy being in complete control of the computer. However, all the pleasant interviews ended when I took out my high school diploma.

In the first half of 2002, I was running around the streets of Shanghai, trying to find a company to take me in. Until one day in June, an old friend of IRC who often discussed technology together suddenly contacted me. He was shotgun, Ouyang Meiwen. At that time, he just came from Qiming star in Beijing to Qiming star in Shanghai to serve as CTO.

At the dinner table, I told him that I had been out of work for half a year. I can't forget his words: "you go to so many places for interviews, but you don't come to me, don't you look down on me?" Yes, my hacker community saved me. The next day I sat in Qiming star's office: the sixth floor of a magnificent five story building in Zhangjiang - the part on the roof.

At Qiming star, I can log in to the large-scale system legally for configuration check and launch penetration test on the target system. It was from that time that I came into contact with the large-scale special systems used by banks, telecommunications and other enterprises. These systems are divided into blocks and layers, just like a huge digital maze. Even administrators can only be familiar with the architecture and configuration files of their own responsible blocks.

Successful penetration does not mean that I need to be familiar with his system as the other administrator, but that I must be more familiar with his system than all the other administrator.

It's like a building, each floor has its own security, and I need to punch through all the guards and get into the core area. It is my destiny to use one enemy for ten or even one enemy for hundred.

Walking through these huge mazes like a ghost, I got the enjoyment of nothing more. From this time on, I realized that I was irreplaceable in the world.

However, the reality is always cruel. I gradually found out some truth: it sounds funny, and the purpose of penetration test is to find out the weak link for the enterprise. But in the real penetration test, in order to prevent the production system from crashing, or even just for personal reasons, enterprise technicians often hide some vulnerable environments. Only a limited interface is open to testers.

It's like the so-called "barrel principle" of information security. Theoretically, it can really require solving the "short board" problem to improve the security level, but how to ensure that the "short board" is the shortest? We can't even guarantee that they gave us all the boards. In fact, a real attack doesn't care whether you test the system or produce it. It only needs the path to the target and the attack channel. Too many examples show that the conclusion of limited penetration test is often specious.

In those years, I often doubted, could such penetration test really defend against invasion?

The night trip of royal guards: a story that can't be told

Unlike penetration testing, there are no routines or rules for a real cyber attack. As an old hacker, I experienced the most ferocious side of the Internet world: fighting in the dark server, a small mistake may make you be stabbed in the throat by the other party. This is not flower boxing, leg embroidery and self deception.

I want to find a way for me to participate in real cyber attacks.

Once, our team carried out an unannounced penetration test task. The customer was a multinational group company. They suspected that competitors stole confidential information through network attacks. However, the security vendors believed that the core network was logically isolated and the core data could not be accessed by external intrusion. This project is only known to the CTO of the customer and the core leader of the security department. The purpose is to verify whether the core data can be accessed through external attacks and test the emergency response ability of the administrator. We are authorized to use all means except DOS to initiate penetration from the external network.

It's a huge goal, but it's heavily defended. Almost all types of security systems exist in the world. Although it was difficult to break through these automatic defense systems, I succeeded.

Confrontation with machines is never the most difficult; confrontation with people is what I stand here for.

After the initial penetration, we opened the attack channel to the intranet, and mastered the right to view the email of all the other party. By checking the administrator's email, I know that they have found signs of intrusion and fixed the vulnerability, but they obviously do not know that they have been monitored. It's good news for me to monitor each other's email. It's so-called knowing one's own and knowing the other's. At least for now I have a big advantage - I can see the opponent's cards.

For penetration testing, the initial attacks are the easiest to be found, because some regular scanning and utilization attempts must be made, and the security devices deployed on the border have the ability to detect such attacks, but from another perspective, administrators are also the most likely to ignore these information, and the scanning data of various attacks on the network every day is enough to make the real traces of attacks Drowned in the vast alarm.

Many administrators will think that since a vulnerability is found, it is safe to apply a patch or even go offline directly. In fact, an experienced intruder will make timely use of the entrance to open other attack channels and migrate to the past, and it is likely to make some minor adjustments to make vulnerability utilization difficult and prevent other intruders from using it.

The administrator of the other side is obviously more professional, accurately locate the location of the vulnerability, and repair it in time. However, from his email, he did not find any other traces, and he is not clear that the portal server is in fact ineffective.

For a large-scale target, it's not that you can get a website permission, a domain controller's account and a database. Most of the time, you don't even know where the real data is stored. I have to constantly detect, search, analyze the network structure of the other party, analyze the scope of the administrator authority of the other party, and analyze the data of various applications.

In this process, it is inevitable to have a confrontation with the administrator - Technical and psychological. This kind of confrontation is the last thing for attackers. In my opinion, a perfect attack should be done without the administrator's knowledge. The so-called "come quietly, go quietly". However, the idealized results are very difficult to exist, and more importantly, the confrontation has been produced in the process of attack.

In the process of attack and defense, the administrator has the control advantage of resources. He can go offline at any time and feel that there is a problem machine. So for the attacker, this is not only a technical confrontation, but also a psychological confrontation. He should try his best to disguise his purpose. If he can't completely hide his traces, it's better for the administrator to feel that the attacker is an idiot, Let him produce a sense of technical superiority, so as not to take the extreme protective measures such as unplugging the network cable, analyzing the disk image, etc.

I chose to start at two o'clock in the middle of the night. However, I never thought that even in the middle of the night, I just entered the other side's server system and triggered the alarm of the other side. In a very short time, the other side's administrator entered the computer room, logged in the system and kicked me out.

We feel very surprised, because this attack did not use any third-party tools, did not attempt to crack the password, did not mention the right operation, and fully followed the norms of the administrator's daily management to log in the system through legal identity and path, and prohibited logging. From a technical point of view, it has reached the acme.

Fortunately, the administrator of the other side didn't find out all my attack ways. We placed a very rough webshell in a very obvious position and forged several aimless attack records. From the content of the email, the other side obviously thought that this was an automatic attack without targets, and this kind of attack was full of the network. The administrator was confused by us and didn't Realize that this is a targeted attack. The attack springboard machine still exists. I redesigned the attack path, chose the opportunity and launched the attack. At the moment when I was about to break through the defense line successfully, I was unprepared, and I was killed by the administrator again.

I finally realized that the administrator of the other side had made special monitoring means in a special place. This kind of special protection can only be built according to the actual situation of the network. It's not a general script at all. This seemingly small trick has tripped up my "old driver" several times. Since then, I have clearly realized that customized means of protection at key locations play an extraordinary role in protection.

We have acquired some sensitive data, including access card data, but the final goal has not been achieved. We are ready to test another possibility. After communicating with the CTO of the other party and being authorized, we made a crazy plan: by copying the access card of the other party, we sent people to infiltrate their work area and directly connect to the Wi Fi of the internal network, so as to disguise the internal personnel to bypass their protection script. We have selected the executor and made a careful plan of attack and cooperation.

But the night before the plan was implemented, things turned around: we found the defense settings of the other party, extracted the monitoring script on a test server that is said to have been abandoned, and found that it can be bypassed after analysis.

We enter the centralized console of the other party. Although this machine can not directly enter the core system as a springboard, the memory of this console stores the system level password of the target machine that we long for. We successfully mirrored the memory of this machine. As we all know, there are several bytes in the 2G memory, which are exactly the "golden key" we dream of.

However, in order to analyze the location of the password, we must download all the 2G memory to the local. It's impossible to transfer a 2G file to the administrator. It's like moving a safe out of a heavily guarded building.

What we need to do is to cut this huge memory image into dozens of small pieces and transmit them through numerous different channels. Even so, in order not to attract the other administrator's attention, we have made self speed limit for all download channels, and the transmission speed cannot exceed 1m. Finally, the last bit of this memory arrived at my local storage safely. I know it's done.

By using the system password, I successfully obtained the highest authority of the other party's server, and finally got the "confidential" information - the pre prepared test file. Although it has been a tough three in and three out, the final result is satisfactory. We have found many defects of the other network, and we have gained a lot, because the real experience of attack and defense confrontation cannot be simulated in the laboratory environment.

This experience makes me unforgettable.

The maze of hackers

Twenty years of hacking career makes me believe more and more that the really excellent hacking is more like an art, a kind of confrontation between people and programs, people and people. 0day and rootkit are just a kind of assistant. What they really test is hacker's technical ability and thinking ability. The more sophisticated the technology, the more unstable it is. And my opponents, often do not give me any chance to miss. I have to use the existing rules in the system to do things beyond the rules.

Time has passed quickly since I left my hometown. Many of the first generation hackers in China who were active in IRC at that time have reached their fortitude. Some people don't write code for a long time and become public officials; some people go far away from home and are hard to meet on the other side of the earth; some people are still here, starting their own businesses and building their own cyber security empire; some people are "skilled and courageous" and take risks but end up in jail.

Today, there are more than ten famous people. I watched my hacker community grow old year by year.

Accustomed to fighting in bit position, I finally decided to make an ideal "art" with my experience. I decided to set up a company of my own with CP, an old hacker who has worked with us for many years, and jannock, a brother of "black cloud vulnerability". The foundation of the company is: we have rich experience in network confrontation.

We know what kind of protection means are just as useless for experienced hackers;

We know how to check for anomalies in a seemingly normal system;

We also know how to use small cost protection, can cause huge trouble to hackers.

We decided to use our technology and experience to make more people feel the attack we are suffering. Although I always use "no culture" to come from ridicule, I like my company name very much: Jinhang. This reminds me of the days when I used to go on a night trip in the royal guards. I want to find a way to "see" the hacker's attack path in real time, sense his source and predict his attack purpose. Just like my opponent wanted to see me.

We decided to prepare a "real" virtual world for hackers.

Let me talk about how a hacker thinks:

After breaking through the border defense, the hacker's first need is to find out the internal structure of the target. He would infiltrate all possible places to gather information. What we have to do is to install a virtual door in such a large cyberspace.

You can imagine a thief. After entering a villa, he found five locked doors, which did not seem to make any difference. He could not judge which door was hiding what you wanted. All doors are locked, but the type of lock is not the same. It turns out that if I was the thief, I would attack from the lock that I most easily opened, and then find out whether there are hidden doors, windows and other channels to enter other rooms. If not, I can open a channel to enter the villa, so that I don't have to go in and out from the big door every time, stand firm and judge the surrounding environment.

I believe you will make the same choice.

Do you remember that I have the most say in what kind of locks hackers are familiar with. Behind this door, it's the maze we set up - the real virtual system.

I will create this "virtual system" according to the user's original business model. However, the similarity between this scenario and the user's real production environment is not as important as you think. Because for the attacker, he doesn't know what is "real" until he opens other doors. On the contrary, the more the virtual field system conforms to his imagination, the more confident the hacker will be.

There is a very simple way to judge: in order to explore the environment, hackers will do a series of input in the virtual system. If the output data fed back by the virtual system meets his expectation, the hacker will believe it.

All we have to do is hide all kinds of detection scripts in this virtual system - remember the scripts that made me lose my way? This is more subtle and flexible than the scripts I encountered back then. It's like under the floor of a room, full of sensors. (if a few cameras are placed in an obvious position, the hacker can turn it off with one hand.) As long as someone steps into the room, his detailed movements will be recorded and sent out. According to this, all the attempts of a hacker will be exposed to us, even if we fall into it.

In my opinion, the key to this matter is not how to build a virtual environment to capture the actions of hackers, but how to analyze every action of hackers.

Why does he use this command combination?

Why does he want to look up this information?

Each of his movements points to a clear intention in the eyes of our peers. Is he a competitor? Or hostile forces? Or just a lost script kid? Can be exposed through behavior.

Furthermore, the way he typed instructions, the location of downloaded files, and the habit of searching data all clearly defined him as an exact person. With these fingerprints, the next time he attacks any virtual system under the control of Jinxing, the system will be able to identify him in the first time. In this way, all his "criminal records" can be linked. This is very important for accurately predicting his next move.

This "real virtual maze", I named it magic cloud.

What makes me proud is that all these judgments can be automatically completed by magic cloud. Only when users need to analyze the relationship between different intelligence, they need experts to intervene.

I'm very looking forward to "Jinxing", because my nearly 20 years of hacking career are all devoted to it.

Entrepreneurship has made me so busy that I was forced to change from a "free hacker" to a hands-on start-up company, CSO. But this kind of transformation didn't make me uncomfortable. I'm the kind of person who "doesn't knock code for two hours every day". This gives me enough passion to polish the initial products.


In those days, I was forced to make a living in China, but now, I choose to settle down in the southern country because of "Jinxing". It took me 20 years to walk from the northernmost end of the country to the southernmost end, but never far away from this "cyberwar".

Over the years, I've witnessed the rise of high-rise buildings in all cities, but I'm not lucky enough to be a wealthy tenant;

I've seen hackers expand from the secretive circles of a few of us to a myriad of people, but I haven't become a black industry practitioner who trades data for sports cars.

I have witnessed the transformation of cybersecurity from a no one to a huge industry. It's hard to create a business. But inside, I've always been a hacker.

It makes me proud.

[Laowang, Wang Junqing]

"Pay attention to us as soon as you like"


The official account of Lei Feng's industry is reported.

Focus on cutting-edge technology and tell the story behind hackers.

Long press the QR code below and identify the concern