When I broke a bank (as a teen)

Okay, this will be a story with no tags and no connection to anything else. I just wanted to have fun with this one. This short story is about how I discovered a huge, incredible… standard tool and had fun with it as a teen and how I got a bottle of wine.

Background

I got a part-time job for the summer at a bank. Big building, multiple floors owned by just this bank. It was directly at the country HQ in the office-part-of-town. My job was “digitalization assistant” or something similar. What does that mean, you may ask. Well, I was the printer boy. Someone gives me paper and I make a copy. I filed stuff, but most of the time I had nothing to do. I did what I always do, befriended the people closest to me, just the usual stuff, since the web services were almost always blocked and I didn’t wanna be caught on my phone.

I actually got this job through my dad who worked on another floor in another department (keep this under your hat, stash it away, it’s gonna come in handy). My dad was working in banks for a while at that point, and my first “hack” was actually when I was about 5, going through his work PC when he was in meetings. I actually didn’t know how to read at that point, and somehow (I don’t remember this) managed to find and print confidential documents. Dad told me later that it was some financial reports that he had no access to and had no idea were accessible from his machine. That was my first bank hack. This one, however, went further than that.

Setup

After a few weeks, my colleagues found out that I know English well enough to help them translate stuff. So I translated some stuff for them, helped them formulate sentences and in the meantime, I was looking around Windows (7 at that time) to see what I could do that was actually fun. First thing I found was cmd. Cmd was open to all users, no matter who you were, you could run basic commands.

At this point in my life, I was nowhere near a skilled attacker, I was a kid who read like one or two books about pentesting and hacking, usually going through really advanced attacks which were just fun reading for me. I knew that stuff was vulnerable and exploitable, I just hadn’t had the training to do it myself. I was just poking around cmd, ping, ipconfig, shit like that… and then I found “net”.

The tool

Nowadays, I would probably know what to do with this stuff, at least to do recon. At that point, I just had the command help and some online resources. The interesting thing I used at that point was “net send”. To those who can’t read, it is basically a send-to-another-PC. This command (net send) was available, and that was all I needed to have fun. I sent myself some messages which popped up on the screen in a standard alert window. I sent “test” to myself. Worked. I asked my colleague, a super-nice lady who gave me much of my work while I was there, for her IP address (which was labelled clearly on the top of the case) and sent her a simple “Hello, hiya!”. This was amazing to her, and we had fun sending her colleague across the desk random warnings and messages. I explained how it’s done, they thanked me and that was supposed to be that.

The fuckup

After a while of sending messages back and forth using this VERY confusing and complicated way, I mistyped the command (typed “net sned” instead of “net send”) and arrived at the help command again. I read through again, net user, net group, all the stuff. However, one thing I believe I noticed at that point was an asterisk in the net send command. I know what an asterisk does, it sends it to everyone!

That is where I fucked up, or more precisely where the organization missed a hole. My thinking at that point was that I would send a funny message to everyone in the office. Folks I could see, maybe everyone around me, but not more. Turns out that what the asterisk did is it propagated my message to everyone in the network. And I mean everyone who was in this building, if not to all the computers in all side-offices (I cannot confirm this, but it did go to everyone in the building).

So I thought what to send, just being bored one afternoon. One message I thought of was “ALARM”, but then I thought against it. I chose the following message:

“OMG WTF BBQ”

I typed the command and sent. Colleagues perked up, asked me about it, I told them what I did and then I thought it was over. Fun joke, for about 3 seconds, to make my afternoon less boring.

The first suspicions

My father came to my office about 3 minutes later. This is open-space, so he called me, told me to go into the corridor. He was waiting for me, uneasy. He asked me “Did you just send out some bullshit message?” I asked him if he meant the message that popped up on my PC. He confirmed this. I told him I had nothing to do with it (sorry, dad), and after a while of drilling into me, he stopped asking and told me to not do some bullshit like that. For the rest of the day, I was looking over my shoulder, looking towards the door for police officers to come in and break every bone in my body. Dunno why, I just got really paranoid.

Getting made

The next day, I came to work and tried sending a message to my colleague. Didn’t work. Error message read that this command is disallowed by company policy. I guess someone in IT got my message. But they weren’t there, not in the office. The day went well, but when I came home that day (I went home by myself), dad ripped into me in the doorway, saying that it was me who sent that message! How did he know? My colleague from across the desk (another super-cool guy) was in an elevator with my dad. My dad got into a conversation with this guy and told him I work at his part of the office. His reply? “Oh, he’s that cool kid that sends out messages from some command line, right?”

The impact

The jig was up. I told my dad I didn’t do anything malicious, I just sent a message and didn’t know it would go out to everyone. It was only then that I learned how far my message went. Not only did it go to every single computer on every single floor, the CEO of the country’s branch was on a different floor! The gravity of it hit me. Every single meeting was hijacked by my message, every single computer in the company got this message. The CEO was so bewildered by this that he immediately phoned IT, they went to work (probably finding my IP and declaring that I sent it) and blocked the command entirely.

The fucking CEO got my message of “OMG WTF BBQ”, and went into some kind of incident response mode. I am the reason this bank blocked net send for all employees.

The colleague found out about it and gave me a bottle of wine to say sorry, but I laughed and told him it’s fine. We had a laugh over it, and if I told my dad today, he’d probably understand and laugh about it, too.

If anyone from the BBQ company is reading this, please get in touch. I would love to hear the other side of this story, since it seems way too hilarious to ignore.

This is a short story, but I just remembered it going home from work and wanted to share the giggle with you.

Have a lovely day, everyone! (Yes, I’m still pretending someone is reading this)