Source: Hacker News
Gather around, children. Put down your Rust-compiled eBPF probes, your Sigma rules, your billion-dollar EDR consoles. Sit on this pile of old floppy disks and let me tell you a story. A story of a time when a 56k modem was a weapon of mass destruction, when your entire operational infrastructure was a Windows 98 machine with a sticky residue on the keyboard, and when the most sophisticated command-and-control channel available to you was a chat room full of teenagers arguing about Linkin Park.
In my day, ai miei tempi, we hacked with character.

The golden age of the RAT
It all started, more or less, in August 1998, when a group called Cult of the Dead Cow released something called Back Orifice at DEF CON 6. The name was a deliberate pun on Microsoft BackOffice: juvenile, precise, and entirely on brand for a group that understood that naming things well was half the battle. It was a Remote Administration Tool that let you control a Windows 95/98 machine remotely: browse files, capture screens, log keystrokes, redirect ports. It ran silently, it required no particular expertise to deploy, and its server component was little more than 100KB.
The security establishment predictably lost its mind. Microsoft called it malware. Cult of the Dead Cow called it a demonstration of Windows security failures. Both were right.
Then came Back Orifice 2000, or BO2K, presented at DEF CON 7 in July 1999: released as open source, extensible through plugins, and capable of encrypted communications through those same plugins. At the time, it was more feature-rich than most legitimate remote administration tools on the market.
NetBus had actually been circulating since early 1998, before Back Orifice was released. Created by a Swedish programmer named Carl-Fredrik Neikter, it shared Back Orifice’s basic premise, silent remote control of Windows machines, but came with a GUI clean enough to feel almost respectable. NetBus became notorious partly because it was used to plant child pornography on a law professor’s computer in Sweden, a case that dragged the tool into actual criminal courts and forced everyone involved to get considerably more serious about what “remote administration” implied. The professor was eventually acquitted. The episode was a preview of legal and ethical discussions that would take another decade to mature into anything resembling policy.
But neither Back Orifice nor NetBus was the most widely deployed RAT of that era. That distinction belongs to Sub7, or SubSeven, written in Delphi by a Romanian teenager who went by the name mobman and first released in February 1999. By 2000 it was everywhere. It had a polished GUI. It had an address book to track which victims were currently online. It had a server editor to customise the payload before deployment, borrowing the idea directly from BO2K. It even supported notification via ICQ when a victim came online, which was unusually polished for malware. The exact origin of the name “Sub7” has never been definitively confirmed by mobman; the most-repeated explanation, that it is “NetBus” spelled backwards with “ten” swapped for “seven”, circulated on forums alongside several others that were mostly folk etymology. What mattered was that it worked, it was free, and it was trivial to configure.
The Swiss Army knives of the basement operator
RATs were the glamorous end of the toolkit. Below them sat a layer of tools that were genuinely useful, sometimes elegant, and in many cases still in active use today, a testament to how slowly the protocols underneath the internet have changed.
Nmap, Gordon Lyon’s port scanner, first released in 1997, was already present in this era and was quickly becoming the first thing anyone ran against a target. If you had a subnet and five minutes, you knew exactly what was listening. Netcat was the tool that could not die: read from the network, write to the network, listen on a port, transfer files, create a rudimentary shell. It was called the “TCP/IP Swiss Army knife” so often that the phrase became a cliché, but the cliché was accurate. Both tools are still on every pentester’s machine in 2026.
John the Ripper handled password cracking. Cain & Abel did everything else on Windows: ARP poisoning, password recovery, network sniffing, VoIP interception. dsniff and ettercap covered the sniffing side on Unix. hping gave you raw TCP/IP packet crafting. AirSnort, and then Aircrack a few years later, were beginning to make the case that WEP was not so much an encryption protocol as a polite suggestion.
For web-facing targets, there were scanners and exploit packs of varying quality. Most of them worked by cycling through a list of known CGI vulnerabilities that should have been patched months earlier but were not, because patch management in 2001 was “someone’s nephew will look at it eventually.” Whisker, Nikto, and other vulnerability scanners circulated through the same channels as everything else.
The whole ecosystem ran on the implicit assumption that the target had not updated anything since installation, which, to be fair, was usually correct.
IRC: the command center, the social club, and the crime scene
To understand how everything worked, you need to understand IRC, Internet Relay Chat, and specifically what it meant to spend time on EFnet, DALnet, Undernet, and the various smaller networks that clustered around specific interests. IRC was where the scene lived: in channels like #hack, #warez, #sub7, #bo2k, and several others with names too creative to print here.
Sub7’s IRC integration was not accidental. Starting with version 2.1, the trojan’s server component could connect to a specified IRC server, join a channel and listen for commands from the operator, responding like a bot. This was elegant, in a slightly horrifying way: your compromised machines were just IRC clients. Your command-and-control infrastructure was a free chat server that you did not own, did not pay for, and that could not easily be traced back to you. Law enforcement had to figure out how to subpoena an IRC network before they could even begin to understand what they were looking at.
It was the conceptual predecessor of every modern C2 framework that hides inside legitimate cloud services. The innovation was not technical; it was architectural: use infrastructure that already exists, that already generates traffic, and that defenders are not watching because they are focused on more obvious attack surfaces. Today’s threat actors do the same thing with Slack, Telegram, and Google Drive. In my day, we did it with a chat room called #r00t on EFnet. The flip side is just as instructive: once defenders knew to look, a workstation holding an outbound connection to an IRC network on port 6667 was one of the easiest network signatures to write, which is a large part of why later bot families migrated to HTTP and then to the cloud services above.
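What that architecture looks like from the defender’s side, as an added example that is not part of the original post: the script below parses raw IRC protocol lines and flags a channel in which several nicks answer the same nick within seconds and never speak otherwise, which is the behavioural fingerprint of a trojan’s bot mode. The log lines, nicks, hosts, channel name and the `!ping`/`!sysinfo` strings are all constructed for the example and do not reproduce Sub7’s real command set; the `window` and `min_responders` thresholds are assumptions to tune.

```python
import re
from collections import defaultdict

# Raw IRC lines as a server or a network tap would see them, paired with a
# timestamp in seconds. CONSTRUCTED for this example: nicks, hosts, channel
# and the "!ping"/"!sysinfo" strings are invented, not Sub7's real commands.
SAMPLE_LOG = [
    (100, ":op!x@10.0.0.9 JOIN #chatter"),
    (101, ":alice!a@198.51.100.7 JOIN #chatter"),
    (102, ":bob!b@198.51.100.8 JOIN #chatter"),
    (103, ":h4x0r!z@203.0.113.5 JOIN #chatter"),
    (104, ":sv-4f3a!s@192.0.2.10 JOIN #chatter"),
    (105, ":sv-9b21!s@192.0.2.11 JOIN #chatter"),
    (106, ":sv-c017!s@192.0.2.12 JOIN #chatter"),
    (110, ":alice!a@198.51.100.7 PRIVMSG #chatter :anyone heard the new linkin park single"),
    (115, ":bob!b@198.51.100.8 PRIVMSG #chatter :it is awful"),
    (118, "PING :irc.example.net"),
    (120, ":h4x0r!z@203.0.113.5 PRIVMSG #chatter :!ping"),
    (121, ":sv-4f3a!s@192.0.2.10 PRIVMSG #chatter :pong 192.0.2.10 win98"),
    (121, ":sv-9b21!s@192.0.2.11 PRIVMSG #chatter :pong 192.0.2.11 win98"),
    (122, ":sv-c017!s@192.0.2.12 PRIVMSG #chatter :pong 192.0.2.12 win95"),
    (130, ":alice!a@198.51.100.7 PRIVMSG #chatter :lol"),
    (200, ":h4x0r!z@203.0.113.5 PRIVMSG #chatter :!sysinfo"),
    (201, ":sv-4f3a!s@192.0.2.10 PRIVMSG #chatter :p200 64mb"),
    (202, ":sv-9b21!s@192.0.2.11 PRIVMSG #chatter :p166 32mb"),
    (202, ":sv-c017!s@192.0.2.12 PRIVMSG #chatter :k6 48mb"),
    (210, ":bob!b@198.51.100.8 PRIVMSG #chatter :what are those"),
]

# RFC 1459 framing: optional ":prefix", a command, then parameters, the last
# of which may be a ":trailing" parameter containing spaces.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>\S+)(?:\s+(?P<params>.*))?$")


def parse_irc(line):
    """Split one raw IRC line into (nick, COMMAND, middle_params, trailing).

    nick is None for lines without a prefix, such as a server PING."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix") or ""
    nick = prefix.split("!", 1)[0] if prefix else None
    params = m.group("params") or ""
    if params.startswith(":"):                 # only a trailing parameter
        middle, trailing = [], params[1:]
    elif " :" in params:                       # middle params, then trailing
        head, trailing = params.split(" :", 1)
        middle = head.split()
    else:
        middle, trailing = params.split(), None
    return nick, m.group("cmd").upper(), middle, trailing


def find_bot_patterns(log, window=5, min_responders=3):
    """Flag channels where at least min_responders distinct nicks answer the
    same nick within `window` seconds, every time that nick speaks, and those
    responders never talk outside such a window.
    Returns {channel: {"operator": nick, "bots": set, "triggers": int}}."""
    by_chan = defaultdict(list)                # channel -> [(ts, nick, text)]
    for ts, raw in log:
        parsed = parse_irc(raw)
        if parsed is None:
            continue
        nick, cmd, middle, trailing = parsed
        if cmd == "PRIVMSG" and nick and middle and middle[0].startswith("#"):
            by_chan[middle[0]].append((ts, nick, trailing or ""))

    findings = {}
    for chan, msgs in by_chan.items():
        msgs.sort(key=lambda m: m[0])
        # Every message is a candidate trigger; record who answered it quickly.
        answered = defaultdict(list)           # trigger nick -> [responder sets]
        for i, (ts, nick, _) in enumerate(msgs):
            responders = {n for t, n, _ in msgs[i + 1:]
                          if t - ts <= window and n != nick}
            if len(responders) >= min_responders:
                answered[nick].append(responders)
        for op, sets in answered.items():
            bots = set.intersection(*sets)     # nicks that answered every round
            op_times = [t for t, n, _ in msgs if n == op]
            # A real user talks on their own; a bot only speaks after the operator.
            organic = {n for t, n, _ in msgs if n in bots
                       and not any(0 <= t - ot <= window for ot in op_times)}
            bots -= organic
            if len(bots) >= min_responders:
                findings[chan] = {"operator": op, "bots": bots, "triggers": len(sets)}
    return findings


if __name__ == "__main__":
    for chan, f in find_bot_patterns(SAMPLE_LOG).items():
        print(f"{chan}: operator {f['operator']} drove {sorted(f['bots'])} "
              f"in {f['triggers']} command rounds")
```

Run it against a channel transcript or a tapped TCP stream on 6667 after stripping the CRLF framing. The two parameters trade false positives from a genuinely chatty channel (raise `min_responders`, shrink `window`) against missing a small botnet; the “never speaks unprompted” filter is what keeps alice and bob out of the result even though they sometimes reply quickly to each other.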
Beyond pure operations, IRC was also a social space with its own culture, rituals, and hierarchy. You proved yourself by sharing information, by having access to tools before others did, by being present when something interesting happened. The channels were chaotic, frequently toxic, and also a brutal apprenticeship in network security for anyone who could not afford a conference ticket. Many people who are now respected professionals in DFIR, threat intelligence, and red teaming learned the fundamentals there.
The Italian scene: creative chaos, interrupted
Italy had its own dimension in all of this. Before IRC displaced everything else, the Italian hacker and tinkerer (smanettone) community had built itself around BBSs (Bulletin Board Systems) linked through FidoNet, with a culture that blended technical curiosity, political activism, and a distinctly Mediterranean attitude toward rules.
Then came May 11, 1994.
On that morning, officers from the Guardia di Finanza knocked simultaneously on the doors of system operators across the country, executing warrants as part of what became known as Operation Hardware 1. Acting on a warrant issued by a prosecutor from Pesaro, they raided 119 Fidonet nodes on the suspicion that two individuals were using the network to distribute pirated software. The strategy was simple and brutal: take the entire directory of Fidonet nodes and raid all of them. Two were suspected; the rest would be a collateral problem. The equipment confiscated included modems, floppy disks, CD-ROMs, audio tapes, and in at least one documented case a power strip, apparently seized as “suitable for reproduction of illicit material.”
The effect on the Italian BBS community was devastating. Many sysops simply stopped. Years of informal knowledge-sharing, file archives, and community-building evaporated overnight. It was a technical community dismantled by a prosecution that barely held up to scrutiny. The two people originally suspected were eventually prosecuted. The hundred-and-some collateral casualties received apologies that landed with roughly the force of a handshake.
The Italian Crackdown did not kill the scene. Within months of the raids, networks like CyberNet saw their user numbers grow, partly from people who had discovered that the internet was harder to raid than a BBS at a fixed phone number. By the time IRC became the dominant medium in the late 1990s, Italian hackers and security researchers were back, distributed across international channels, slightly more cautious about where they stored their files, and considerably more articulate about digital rights.
What we learned
The tools of that era look primitive now. Sub7’s GUI resembles a Visual Basic learning exercise. Back Orifice 2000’s plugin architecture was clever for 1999 and would be immediately detected by any modern endpoint protection product. Cain & Abel stopped being maintained in 2014 and runs only on operating systems you should not be running anyway.
But the mental models were not primitive. The idea that you could use a compromised machine as a relay node, that C2 traffic should blend into legitimate traffic, that operators should avoid reusing infrastructure: these were present in the late 1990s toolkit and they are present in every serious threat actor’s playbook today. The people who built Sub7’s IRC bot integration understood operational security better than many enterprise defenders understood it a decade later.
The Italian Crackdown, for all its legal ham-fistedness, produced a generation of practitioners who thought seriously about the relationship between technical communities, legal systems, and civil liberties. Some became journalists. Some became lawyers. Some became incident responders. A few became all three at once.
In my day, you learned by doing things you probably should not have done, in channels you definitely should not have been in, with tools you downloaded from sites that are now digital archaeology. And somehow, out of all that chaos, a profession emerged.
You’re welcome.
🕒 **Posted on**: 1778701649
