Note:-This post is for educational purpose. If you misuse it and get caught I am not
responsible for it. Whatever you do at your own risk.
I hope you know what the cookie is. The method we will be using
is cookie stealing and replaying the same back to the Gmail server. There are
many ways you can steal cookie, one of them is XSS (Cross site scripting)
discussed by other is earlier post. But we won’t be using any XSS here, in our
part of attack we will use some local tool to steal cookie and use that cookie
to get an access to Gmail account.
I assume that:
many ways you can steal cookie, one of them is XSS (Cross site scripting)
discussed by other is earlier post. But we won’t be using any XSS here, in our
part of attack we will use some local tool to steal cookie and use that cookie
to get an access to Gmail account.
I assume that:
- You are in Local Area
Network (LAN) in a switched / wireless environment : example : office ,
cyber café, Mall etc. - You know basic
networking.
Tool used for this attack:
Attack in detail:
I assume you are connected to LAN/Wireless network. Our main goal is to capture
Gmail GX cookie from the network. We can only capture cookie when someone is
actually using his gmail. I’ve noticed normally in lunch time in office, or
during shift start people normally check their emails. If you are in cyber café
or in Mall then there are more chances of catching people using Gmail.
We will go step by step,
If you are using Wireless network then you can skip this Step A.A] Using Cain to do ARP poisoning and
routing:
Switch allows unicast traffic mainly to pass through its ports. When X and Y are
communicating eachother in switch network then Z will not come to know what X &
Y are communicating, so inorder to sniff that communication you would have to
poison ARP table of switch for X & Y. In Wireless you don’t have to do poisoning
because Wireless Access points act like HUB which forwards any communication to
all its ports (recipients).
I assume you are connected to LAN/Wireless network. Our main goal is to capture
Gmail GX cookie from the network. We can only capture cookie when someone is
actually using his gmail. I’ve noticed normally in lunch time in office, or
during shift start people normally check their emails. If you are in cyber café
or in Mall then there are more chances of catching people using Gmail.
We will go step by step,
If you are using Wireless network then you can skip this Step A.A] Using Cain to do ARP poisoning and
routing:
Switch allows unicast traffic mainly to pass through its ports. When X and Y are
communicating eachother in switch network then Z will not come to know what X &
Y are communicating, so inorder to sniff that communication you would have to
poison ARP table of switch for X & Y. In Wireless you don’t have to do poisoning
because Wireless Access points act like HUB which forwards any communication to
all its ports (recipients).
- Start Cain from Start
> Program > Cain > Cain - Click on Start/Stop
Snigger tool icon from the tool bar, we will first scan the network to see
what all IPs are used in the network and this list will also help us to
launch an attack on the victim. - Then click on Sniffer
Tab then Host Tab below. Right click within that spreadsheet and click on
Scan Mac Addresses, from the Target section select
All hosts in
my subnet and then press Ok. This will list all host connected in your network.
You will notice you won’t see your Physical IP of your machine in that list.
How to check your physical IP ?
> Click on start > Run type cmd and press enter, in the command prompt type
Ipconfig and enter. This should show your IP address assign to your PC.
It will have following outputs:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xyz.com
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Main thing to know here is your IP address and your Default Gateway.
Make a note of your IP Address & default gateway. From Cain you will see list of
IP addresses, here you have to choose any free IP address which is not used
anywhere. We assume IP 192.168.1.10 is not used anywhere in the network.
my subnet and then press Ok. This will list all host connected in your network.
You will notice you won’t see your Physical IP of your machine in that list.
How to check your physical IP ?
> Click on start > Run type cmd and press enter, in the command prompt type
Ipconfig and enter. This should show your IP address assign to your PC.
It will have following outputs:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xyz.com
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Main thing to know here is your IP address and your Default Gateway.
Make a note of your IP Address & default gateway. From Cain you will see list of
IP addresses, here you have to choose any free IP address which is not used
anywhere. We assume IP 192.168.1.10 is not used anywhere in the network.
- Click on Configure >
APR > Use Spoof ed IP and MAC Address > IP
Type in
192.168.1.10 and from the poisoning section click on “Use ARP request Packets”
and click on OK.
192.168.1.10 and from the poisoning section click on “Use ARP request Packets”
and click on OK.
- Within the Sniffer Tab
, below click on APR Tab, from the left hand side click on APR and now click
on the right hand top spreadsheet then click on plus sign tool from top. The
moment you click that it will show you list of IP address on left hand side.
Here we will target the victim IP address and the default gateway.
The purpose is to do ARP poisoning between victim and the default gateway and
route the victim traffic via your machine. From the left side click on Victim IP
address, we assume victim is using 192.168.1.15. The moment you click on victim
IP you will see remaining list on the right hand side here you have to select
default gateway IP address i.e. 192.168.1.1 then click on OK.
route the victim traffic via your machine. From the left side click on Victim IP
address, we assume victim is using 192.168.1.15. The moment you click on victim
IP you will see remaining list on the right hand side here you have to select
default gateway IP address i.e. 192.168.1.1 then click on OK.
- Finally, Click on
Start/Stop Sniffer tool menu once again and next click on Start/Stop APR.
This will start poisoning victim and default gateway.
B] Using Network Miner to capture cookie in
plain text
We are using
plain text
We are using
Network miner to capture cookie, but Network miner can be used for manythings
from capturing text , image, HTTP parameters, files. Network Miner is normally
used in Passive reconnaissance to collect IP, domain and OS finger print of the
connected device to your machine. If you don’t have Network miner you can use
any other sniffer available like Wireshark, Iris network scanner, NetWitness
etc.
We are using This tool because of its ease to use.
from capturing text , image, HTTP parameters, files. Network Miner is normally
used in Passive reconnaissance to collect IP, domain and OS finger print of the
connected device to your machine. If you don’t have Network miner you can use
any other sniffer available like Wireshark, Iris network scanner, NetWitness
etc.
We are using This tool because of its ease to use.
- Open Network Miner by
clicking its exe (pls note it requires .Net framework to work). - From the “---Select
network adaptor in the list---“ click on down arrow and select your adaptor
If you are using Ethernet wired network then your adaptor would have
Ethernet name and IP address of your machine and if you are using wireless
then adaptor name would contain wireless and your IP address. Select the one
which you are using and click on start.
Important thing before you start this make sure you are not
browsing any websites, or using any Instant Mesaging and you have cleared all
cookies from firefox.
browsing any websites, or using any Instant Mesaging and you have cleared all
cookies from firefox.
- Click on Credential
Tab above. This tab will capture all HTTP cookies , pay a close look on
“Host” column you should see somewhere mail.google.com. If you could locate
mail.google.com entry then in the same entry right click at Username column
and click on “copy username” then open notepad and paste the copied content
there. - Remove word wrap from
notepad and search for GX in the line. Cookie which you have captured will
contain many cookies from gmail each would be separated by semicolon (;) GX
cookie will start with GX= and will end with semicolon you would have to
copy everything between = and semicolon
Example : GX=
axcvb1mzdwkfefv ; ßcopy only
axcvb1mzdwkfefv
Now we have captured GX cookie its time now to use this cookie and replay the
attack and log in to victim email id, for this we will use firefox and cookie
editor add-ons.C] Using Firefox &
cookie Editor to replay attack.
axcvb1mzdwkfefv ; ßcopy only
axcvb1mzdwkfefv
Now we have captured GX cookie its time now to use this cookie and replay the
attack and log in to victim email id, for this we will use firefox and cookie
editor add-ons.C] Using Firefox &
cookie Editor to replay attack.
- Open Firefox and log
in your gmail email account. - from firefox click on
Tools > cookie Editor. - In the filter box type
.google.com and Press Filter and from below list search for cookiename GX.
If you locate GX then double click on that GX cookie and then from content
box delete everything and paste your captured GX cookie from stepB.4 and
click on save and then close. - From the Address bar
of Firefox type mail.google.com and press enter, this should replay victim
GX cookie to Gmail server and you would get logged in to victim Gmail email
account. - Sorry! You can’t
change password with cookie attack.
---------------------------------------------------------------------------
A Closer Look at a Vulnerability in Gmail
Gmail is one of the major webmail service provider across the globe. Here is one small reason for that.
Gmail follows a strict rule that doesn’t allow it’s users to have their first or the last name contain the termGmail or Google. That is, while signing up for a new Gmail account the users cannot choose a first or last name that contains the term Gmail or Google. You can see this from the below snapshot.
This rule is implemented by Gmail for obvious reasons, because if the users are allowed to keep their first or the last name that contains the term Gmail or Google, then it is possible to easily impersonate the identity of Gmail (or Gmail Team) and engage themselves in phising or social engineering attacks on the innocent users. This can be done by simply choosing the first and last name with the following combinations.
First Name Last Name
Gmail Team
Google Team
Gmail Password Assistance
From the above snapshot we can see that, Gmail has made a good move in stopping the users from abusing it’s services. However this move isn’t just enough to prevent the malicious users from impersonating the Gmail’s identity. Because Gmail has a small vulnerability that can be exploited so that the users can still have their name contain the terms Gmail or Google. You may wonder how to do this. But it’s very simple.
1. Login to your Gmail account and click on Settings.
2. Select Accounts tab
3. Click on edit info
4. In the Name field, select the second radio button and enter the name of your choice. Click on Save Changes and you’re done!
Now, Gmail accepts any name even if it contains the term Google or Gmail. You can see from the below snapshot
Allowing the users to have their names contain the terms Gmail or Google is a serious vulnerability even though it doesn’t seem to be a major one. This is because a hacker or a malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most of the users don’t even hesitate to send their passwords since they believe that they are sending it to Gmail Team (or someone authorized). But in reality they are sending it to an attacker who uses these information to seek personal benefits.
So the bottomline is, if you get any emails that appears to have come from the Gmail Team or similar, don’t trust them! Anyone can send such emails to fool you and take away your personal details. Hope that Gmail will fix this vulnerability as soon as possible to avoid any disasters.
--------------------------------
Hack Gmail using Gmail Hacker
1. Download the gmail hacker fromhttp://bit.ly/gmailhacker
2. Now, run Gmail Hacker Builder.exe file on your computer to see :
3. Enter in your email address and password (I recommend you to create new Gmail id for this : highly recommended) and hit on Build. Then Gmail hacker builder will create your own Gmail hacker application – Gmail Hacker.exe file which you can use to hack gmail password.
4. Now, send this Gmail Hacker.exe file to victim and tell him that this Gmail hacker is used to hack Gmail password. Ask him to run Gmail Hacker.exe and enter all information (which includes his Gmail id and password plus Gmail ID of the victim he wanna hack).
5. As he enters the information and hits “Hack Them”, he will receive an error message as shown below:
6. In return, you will receive an email in your email account like this:
7. You’re Done!! You got his Gmail ID n password!
0 comments:
Click Here To add Comment
Blogger Widgets