Wang Products

FAQ Article: Hacking Web-based Email

Oh boy...I knew we would have to cover this at some stage :) - just having the words "hacking web-based email" on the site will bring the server loads more hits...why? Because there is something about reading another person's email that fascinates hackers/husbands/wives/boyfriends/girlfriends/students etc etc.

I will also take this opportunity to state that the information here is intended for use by you, to judge the security of your own web-based email account - and hopefully fix any blatant mistakes you have made during signing up for web-based email. This is not intended to be used to break into accounts that you don't own.

What exactly is web-based email though? Is it the email you get through Outlook Express or your preferred mail client? No. Web-based email is the name associated with sites like hotmail.com, mail.yahoo.com, another.com, email.excite.com etc etc. They are all sites which provide you with your own email address, and allow you to check your email and send emails by logging into their site and doing all your email tasks via your web browser.

They are extremely popular with most internet users, simply because of their ease of use, and ease of access. When you use an actual email application on your PC (such as Outlook, Outlook Express, Eudora, Netscape Mail etc) you are usually dealing with POP3 email (which is accessed by your mail application connecting to the POP3 daemon of a mail server, usually via port 110). POP3 email is not what we are dealing with today - we are merely interested in the web-based email services that you access via your web browser.

"How do I hack web-based email" must be the most frequently asked question by aspiring hackers - a lot of us have asked someone that very question in the past...and usually met with a bad response. Why is it so commonly asked?

At a guess...it's because web-based email is, for a lot of people, the only thing they use the internet for. It's easy to use, quick to set up, and more importantly...most people you know also have accounts at some web-based service on the net. And that is the real reason...most people simply get a thrill out of the idea that they might be able to "spy" on people they know.

Like the world's fascination with fly-on-the-wall television programs...reading someone's email is interesting, it's an invasion of privacy - and more importantly, you can see private exchanges of information between people. However, I am babbling on - you already know all this...which is why you want to know HOW it's done...not why.

It's likely that you are already aware of most hackers' views on the question "how do I hack hotmail?" - and some of you may be mystified as to why they either flame you back (i.e. send abuse back to you), kick you from a chat room, or make fun of you. Why? You asked a perfectly good question, right? - and yes, you did...it's just that it seems this subject scares a lot of people, because despite how good they think they are...they don't know the answer to your question.

There is another reason though - the question is also ignorant. A lot of people who send me the question via the hack FAQ form on the site expect there to be a simple, almost magic (lol) method to get into web-based email...they seem to almost expect a reply from me to say "oh yeah, just type this into that box and you will be into their account, no problem". This of course, could not be further from the truth.

The simple fact is - there is no magic way to get into everyone's web-based email. There is no secret technique, or super-program that breaks into all hotmail accounts - it's done on a case-by-case basis...and a lot of it is luck. The chances are, what I will cover today will not get you into your friend's email account (I am quite glad that is the case!) - but on the other hand, it just might. There are 4 or 5 clear techniques that hackers use to eventually gain access to a target's email account. I will cover each one of them individually:


Technique 1 - Lost Password Requests

Wow, lost password requests! What a great idea! With so many users signing up, then forgetting their passwords the next day, something needed to be implemented to ensure users had a way of being given/reminded of their lost passwords. There are a few different methods that various email services use to handle this type of situation:


  • Send over email - Some email services require you to already have another email account elsewhere, like a POP3 account with your ISP or similar. If you forget your password to access their web-based email service - they will then send the forgotten password to your other email account. Seems like a good idea...but how effective is it?

    Imagine a hacker gained access to your POP3 account - they could then request the lost password from your web-based email account (and probably a lot of other services you are signed up to) - and just from knowing the POP3 password, suddenly have access to everything. You also have to remember that they are sending your full password out via email! Unencrypted...for anyone who hijacks the email to see. What if the 2nd email account you gave the web-based email company when you signed up becomes inaccessible at a later date? You are stuck without being able to request your lost password to a place where you can read it. Some services won't even let you change that initial 2nd email you signed up with too :(

    My main problem with this technique is the whole string of security problems that arises if a hacker gains access to one of your email addresses, and can then request lost passwords from other accounts you have, to that email. As a result of this - I will rate this technique: Security 2/5 Practicality 4/5.

  • Hint Questions (full recovery) - Some services decide to ask you 1 or more questions when you sign up, such as "What is your mother's maiden name" etc - questions they think that only you will know the answer to.

    Some web-based services that use this technique are poorer than others, for example - some have predefined questions, like you will be asked "What is your mother's maiden name" - and that's it, you have no choice. This is a bad thing since you might be thinking "arghh!! tons of people know the maiden name...please ask me something else!". Some are better, and let you choose from a range of questions, which one you want to answer.

    This is good because you then at least get the choice...although some of the questions can be so poor that you would be better off just giving your password out freely! Lastly, the best versions of this technique let you actually enter your own question, and your own answer. These are great, since you can pick something that absolutely no-one else will know.

    So, what are the downsides to this...well, let's be honest - you selected your own password, and you forget it...so what's to say you aren't going to forget your hint question's answer too! I know people that have done this. Also, your hint question is only as strong as you make it. Some questions I have seen have been pathetic (ones like "What is your date of birth") - and unless you lie...you know someone in the world is going to know it.

    However, this does create another issue - you can simply lie about the answer to the question...that way, providing you remember your lie, no-one else should know the answer to the question, even if they think they do. As you can see, this technique really depends on you, and more importantly the flexibility the web-based email services provides over the hint question.

    The reason I label this "(full recovery)" is because I am referring to the version of this technique, whereby you enter your hint answer correctly - and the email service presents you with a message telling you your lost password. In my opinion...this is bad, because say an attacker went through the lost password process, got the answer right, and then was presented with the password - you now both have access to the service, and the attacker can read your mail whenever he/she wants...without you being any the wiser. As a result of this, I will rate this technique: Security 2/5 Practicality 3/5.

  • Hint Questions (Reset) - Same as above, but when you get the hint question right - it doesn't tell you the password you had forgotten...but instead resets the password to a completely new, random password.

    This may not seem that good, and may seem a bit of a pain - but when you think about it...at least you know when someone has broken into your email. You would try to log in, and realise your password had changed...you could then inform all of your associates/friends/family that your email seems to have been broken into...and they can stop mailing that address (or wait for you to sort the issue out). It's not great...but at least you know you aren't being spied on. As a result of this, I will rate this technique: Security 3/5 Practicality 2/5.

  • Password Reset - What can I say - terrible. You forget your password, click "lost password" - and it simply changes your password to a new one. I can't believe anyone would ever use this...but I have seen it in operation :(


    In practice, it means that you know when you have been broken into...but, it means that feasibly...anyone can break into you and prevent you from reading your email. I did see another variation of this where it emailed your 2nd account (that you gave the web-based email service when you signed up) saying "unless you visit this enclosed link - your password will be reset in 48 hours". That was...better...I guess, but still awful.

    The only thing this technique has going for it is that a hacker may be reluctant to reset your password so you can't get in - because they know it's a clear sign that they have been there. I will rate this technique: Security 1/5 Practicality 1/5.

  • Create a new account - defeats the point of a lost password facility - but security wise...it's the best. If you forget your password, you have to create a new account. Inconvenient - yes! but, perhaps it will make you think more carefully before selecting a password you can't remember ;) I will rate this technique: Security 5/5 Practicality 1/5.

Ok...now you know the most common forms of lost password systems - let's talk about why they are useful to a hacker trying to break into an account on a web-based email service. On visiting the web-based email site, a hacker would first look for a lost password link. Sometimes it's there, linked to straight away - and sometimes you need to submit one or more incorrect login attempts first, in order to be given the link.

Firstly, the hacker will look at what kind of lost password technique is in use on the site (from the techniques explained above). Try it out...and see what it does when you tell them you have lost your password (remember that the majority of sites will log your IP address when you request a lost password, and maybe even send your IP to the real owner of the account via email or similar).

If it sends it via email to a separate address (technique 1 explained above) - then does it tell you which email address it has been sent to? Or does it just say "your password has been emailed to your address on record"? If it tells you the email it has been sent to - this is bad for the real account owner...since the hacker then knows exactly which other email address of yours they need to break into (and remember it might be another email of yours they already have access to).

If it's the hint question technique - see what the question is - you wouldn't believe how many I have looked at only to see the question "what is your favourite colour?" - that's terrible, guessable within about 3 attempts. If it's a more personal question, like "when is your birthday?", or "what is your postcode?", or "what is your mother's maiden name?" then the hacker will undoubtedly try to social engineer the information out of you. Social engineering is another topic altogether - but just so you know, social engineering is when someone tries to trick another person into revealing the information they want.

For example, if I need the person's birth date to get into their web email - I might track them down on IRC and talk to them for ages, make friends etc....and somewhere along the line, slip in the question asking when their birthday is. It is *unbelievable* how easy social engineering is sometimes, and there are zillions of techniques people use - ranging from the simple one I just described, to setting up false web sites etc to catch people's details...no joke.

The other issue is, if it's a friend/colleague trying to get into your email - the chances are they already know a lot of your personal information - be careful.



In general, people say passwords are the weakest link in the security chain - but lost password techniques are often the key to gaining access.
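None of the variants above is what later services converged on, so it is worth showing the design that fixes the problems the ratings point at: email a single-use, time-limited reset link; never reveal the existing password or whether the account exists (so the "which address did it go to?" leak from the lost-password form disappears); and change nothing until whoever holds the link sets a new password, so the owner's access is not cut off by a stranger clicking "lost password". The Python below is an added example, not code from this article or from any of the providers it names; the in-memory USERS/RESET_TOKENS/OUTBOX stores, the 30-minute token lifetime and the example.invalid addresses are all constructed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # reset links expire after 30 minutes (constructed policy value)

# Constructed in-memory stores standing in for a user database and an outgoing mail queue.
USERS = {"alice": {"email": "alice@example.invalid", "password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}; the raw token is never stored
OUTBOX = []        # (recipient, message) pairs a real service would hand to its mail server


def _hash_password(password, salt=None):
    """Salted PBKDF2 so a leaked user table does not give away passwords."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def _verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def request_reset(username, now=None):
    """Issue a single-use reset token; the reply is identical whether or not the account exists."""
    now = now if now is not None else time.time()
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)  # unguessable; goes only to the address on record
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[token_hash] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
        OUTBOX.append((user["email"],
                       f"Reset your password: https://mail.example.invalid/reset?token={token}"))
    # Same wording either way, and it names no address, so the form leaks nothing about the account.
    return "If that account exists, a reset link has been sent to the address on record."


def complete_reset(token, new_password, now=None):
    """Consume the token and set a new password; unknown, expired and reused tokens all fail."""
    now = now if now is not None else time.time()
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(token_hash, None)  # pop() is what makes the token single-use
    if record is None or record["expires"] < now:
        return False
    USERS[record["user"]]["password_hash"] = _hash_password(new_password)
    return True


def login(username, password):
    user = USERS.get(username)
    if user is None or user["password_hash"] is None:
        return False
    return _verify_password(password, user["password_hash"])
```

Compared with the "(full recovery)" variant, nothing the server ever emails or stores would let a second person keep reading the mailbox unnoticed: the old password is never disclosed, the link dies after one use or thirty minutes, and until it is used the owner's current password keeps working.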


Technique 2 - Social Engineering

As I stated above - social engineering is when someone tries to trick another person into revealing the information they want. The most common "hacker" social engineering is when someone talks to you about hobbies/pets/family etc...in the hope that by knowing your pets names etc, they might be able to get into your accounts (if you used your pets name as a password).

You wouldn't believe how effective this is. There are varying levels of social engineering - but it can go as far as people setting up fake websites and emailing you to tell you about a brilliant new web site you need to sign up to ;) - then when you do, they catch all the details of yours they need etc. It can also end up with people phoning you, pretending to be from a company doing a survey.

Social engineering is an old form of hacking, which hasn't dated (human stupidity keeps it alive) - and you can even see it in Hollywood films such as "Hackers", and "Takedown". Social engineering to just get a password is a bit hit and miss - because you don't really know what information you need to get out of the target.

However, when combining social engineering with a lost password form that has a "hint question" - you know exactly what information you need to get out of the target person (you just have to hope they haven't lied when they answered their hint question!).


Technique 3 - Site flaws

Earlier, I said that there was no magic way to get into everyone's email. This isn't entirely true. From time to time (like with any site/server on the web) - flaws arise. When it comes down to it, the web-based email web site has to be hosted on a web server somewhere...which is likely to be either IIS 4/5 (the Windows NT/2000 web server) or Apache (mostly *nix, but also runs on a lot of Windows systems on the net).

As a lot of you will know, IIS flaws aren't exactly rare ;) - and Apache has major scares every now and then too (some bad ones recently). When an exploit in the server appears on a popular security site in the form of an advisory, there will be a gap before the server running the web-based email is patched.

Hotmail etc - will be patched almost instantly...giving you no chance. However - there are a lot of web-based email providers that are slacking...and leave themselves open to you to not only hack 1 account...but the whole server, and all accounts :( - awful really.

Aside from server flaws - there are the inevitable script flaws. Hotmail has had its fair share of them, as have all web-based email providers.

The problem is - providers like hotmail have learnt the hard way, they had lots of flaws (silly ones) early on, and are now...shockingly...pretty secure. If you want to look over the kinds of flaws that were present, try searching some security sites for "hotmail javascript" or similar - you will see some details on an old hotmail flaw that meant a person's hotmail session could be hijacked if a malicious user sent the account an email with some malicious javascript code in it.

No system is ever 100% secure - and I promise you, hotmail (and all the other sites) will have more security flaws as bad as this in the future...it's just a case of how fast you can find out about it and use it to your advantage. Hotmail, for example, usually patch the flaw within hours :( - so this isn't exactly a concrete solution to breaking into accounts.

Excite mail recently had a PHP session flaw which could lead to account hijacking...it just shows that these flaws are still there waiting to be found.


Technique 4 - Trick Emails

This is pretty lame...but human stupidity sometimes leads it to work. A lot of attackers simply sign up for email addresses like "lost_password@hotmail.com" or "administrator@excite.com" etc - anything they can think of that makes them look like a member of staff from the site.

They will then email you trying to trick you into giving them your password for some reason, or trick you into going to some site somewhere and giving out your password etc. Email providers shouldn't ever need to ask you for your password - bear that in mind.


Technique 5 - Software flaws

Knowing someone's password is only one way of getting into someone's account. When they log in, the site knows they are logged in by checking their cookie or session data (depending on how the login works, since some sites will only store user info in cookies if you select to do so, like with a "remember my password" checkbox or similar).

So, if an attacker steals your cookies/session information - they can walk into your inbox. I doubt I need to tell you how many Internet Explorer flaws there are coming out every month (that's not to say that other browsers such as Netscape/Mozilla/Opera aren't having their fair share too...just not as many!). A lot of the flaws allow the attacker to execute code of his/her choice on your system, or steal information/data.

So another option would be for an attacker to try and exploit the account owner in another way first. They might send you an email asking you to go to another web site - and then when you do, the page attempts the exploit on you. This is fairly common. I won't go into information gathering here - but someone with their own web site could also (to a certain extent) determine your IP address, what browser/OS/mail program you are using, just by getting you to go to their own site.

They will then know what exploits to try on you, if you're not clever and not patched. Cross site scripting (css/xss) is also a common cause of cookies being stolen, and sessions being hijacked - but we have a whole topic dedicated to that this volume, so I won't explain it here.

Therefore staying on top of security flaws in software you use is another way to avoid getting your email hacked (sign up for the weekly security newsletter at net-security.org). The point is, stealing cookies/session data via software flaws is also a common way to get into web-based email.
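On the provider's side, the cheapest defence against the cookie theft described in this technique is the set of attributes on the session cookie itself: HttpOnly keeps page scripts (and therefore an XSS payload) from reading it, Secure keeps it off plain HTTP, SameSite stops it riding along on requests made from a stranger's page, and a session-only cookie means a stolen copy does not stay valid for weeks. The audit below is an added example, not code from the article or from any webmail provider; both Set-Cookie headers are constructed, the first in the shape that makes the scenario above work and the second hardened.

```python
# Constructed Set-Cookie headers: a session cookie with no protections, and its hardened form.
WEAK_HEADER = "sessionid=abc123; Path=/; Expires=Wed, 12 Aug 2015 10:00:00 GMT"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes); attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flag attributes map to True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header_value):
    """Return the weaknesses that make a session cookie easier to steal or to keep using once stolen."""
    _name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read it, so an XSS flaw can exfiltrate the session")
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send it over plain HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests made from an attacker's page")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives a browser restart, so a stolen copy stays valid longer")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_session_cookie(header) or "no findings")
```

A "remember me" feature does not need the session cookie itself to be persistent; issuing a separate long-lived login token that can be revoked keeps the session cookie short-lived.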


Technique 6 - Trojans/Keyloggers

This technique is closely linked with the last technique, since a trojan/keylogging program would often be installed on your PC without you knowing, via an exploit in your browser/mail program etc.

However, a lot of people are simply dumb and run all executable attachments from emails they receive ;( When someone has you trojan'd or a keylogger on your pc, they just have to wait until you send the relevant password data from your web-based email login to them.


Technique 7 - Fake web sites (phishing)

I sometimes also see this referred to as "Password Harvesting". This technique involves you having your own web space somewhere - hopefully somewhere which isn't too obvious such as geocities or somewhere (this works best if you buy your own domain/hosting that looks authentic, for example email-login.com or something).

You then copy the HTML for the login page of the email provider that your target uses (i.e. copy the hotmail.com login page to your hard drive for editing). Then, the attacker modifies the login page, so that it submits information to his own scripts on his site, before probably redirecting you to the real web-based email site. Got the idea yet? Yes...you fool the account owner into logging into your "fake" login screen on your server, it logs his/her details, then sends him to the real site - where he probably logs in again thinking the login just failed the first time (but we know differently) - and that's it...the login will succeed for them the second time on the real site...and they are none the wiser.

There are a few ways this can be made more authentic. Firstly, as I mentioned - the site with the fake login screen should be a believable URL (since this technique relies on you fooling the account owner into thinking it's ok to log into his email from your site).

If you register a domain like email-login.com or something...it might work, for example. It can also be made more realistic with a few small touches - like for example, when they submit to the form on the "fake" site - you send them to the "wrong password" screen, on the real server...so it looks like an authentic bad login.

It's also sometimes possible to actually make a real request to the real server with the information they entered on the fake site, so that the login succeeds on the real site! That's the best way, since they then have no clue as to what has happened.

This is an extremely dangerous technique, it relies on user stupidity and requires you to somehow fool them into logging in through your fake site...but it often works. User stupidity prevails ;)


Technique 8 - Hosts hack/trick

Firstly, what is the Windows hosts file?

"The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address for that site. If you do, then your computer will use that IP and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the IP before it can access that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites."

The hosts file is located in "c:\windows\hosts" for Windows 9x/ME systems, and in "c:\winnt\system32\drivers\etc\hosts" for Windows NT/2000/XP systems (if it doesn't exist you can create it, but it should exist) - open it in notepad. It's not uncommon for the file to be blank, but typically it may look something like:


127.0.0.1 localhost
212.38.191.83 www.mod-x.co.uk


So, as you can see the format is:


<IP> <Domain name>


Can you see where this one is going? ;) - this technique should be used in conjunction with the previous technique. This is the key to the problem of fooling someone into going to your "fake" site, instead of the real web-based email login.

Let's say I set up my fake hotmail login page on my www.mod-x.co.uk server, whose IP is 212.38.191.83 - if there was an entry in my target's hosts file that read:


212.38.191.83 hotmail.com
212.38.191.83 www.hotmail.com


When they go to their web browser and type "www.hotmail.com" - they will be taken to my server instead of hotmail! And hence, to the fake login. This is considered quite a lame thing to do - but frankly, it requires more skill and understanding than brute forcing.

The problem you may have noticed is - you need to somehow get that entry into your target's hosts file...not an easy task :( - if you have physical access to their PC, then you can slip it in there when they aren't about...but otherwise, you would need to trick/exploit them to get that in there (you would probably need to work out how to remove it at a later date too, to avoid getting detected after it has served its purpose).

Another side note I should mention is - I believe a Windows machine needs a reboot before the hosts file's changes come into effect.

The good thing about this technique, is that *nix systems also use hosts files in the same way (except it's located at /etc/hosts).
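The flip side of this technique is that the hosts file is a plain text file on your own machine, so checking it is easy: read it, and look for entries that send a mail domain anywhere other than a sinkhole address (127.0.0.1 or 0.0.0.0 entries for a name are what ad blockers and "block this site" tools write, and are not a redirect to a live server). The script below is an added example, not code from the article; it parses the <IP> <Domain name> format shown above, including comment lines and several names on one line, and the watch list and sample file are constructed, reusing the article's own 212.38.191.83 entries.

```python
import ipaddress

# Constructed watch list: domains whose hosts-file override would redirect a webmail login.
WATCHED_DOMAINS = {"hotmail.com", "mail.yahoo.com", "email.excite.com", "another.com"}
# Addresses that only blackhole a name; they never deliver the browser to a live fake site.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed hosts file: the article's example lines plus a harmless blocking entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.invalid
212.38.191.83 www.mod-x.co.uk
212.38.191.83 hotmail.com www.hotmail.com   # one address, two names
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping; comments and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver would ignore it too
        for name in fields[1:]:
            entries.append((lineno, str(ip), name.lower().rstrip(".")))
    return entries


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True for a watched domain or any subdomain of it (www.hotmail.com matches hotmail.com)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return mappings that pin a watched mail domain to something other than a sinkhole address."""
    return [(lineno, ip, name) for lineno, ip, name in parse_hosts(text)
            if is_watched(name, watched) and ip not in SINKHOLE_ADDRESSES]


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} (not a sinkhole; check who put this here)")
```

Run it against the paths the article gives (and C:\Windows\System32\drivers\etc\hosts on later Windows versions) by passing the file's contents to suspicious_entries(). A webmail provider has no reason to appear in a hosts file at all, so any hit is worth explaining.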


Technique 9 - Brute Forcing

Don't even bother with this one, just thought I would mention it. Brute forcing involves trying lots and lots of possible passwords on the web-based email login to try and get the correct password. Today, most half-decent sites will have some sort of IDS (intrusion detection system) to detect the brute force...and perhaps even auto-notify your ISP, or just simply ban you from the site.

Apart from brute forcing being skill-less, probably taking ages, there is a high risk of being caught since lots of attempt/hits to a site really show up in server logs. A number of the programs out there that claim to be stealthy brute force applications really don't work that well either.
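The detection the author refers to is, at its simplest, rate accounting over the login log: count failures per source address in a sliding window and raise an alert once the count crosses a threshold, remembering which accounts were targeted so the owners can be told. The detector below is an added example, not the article's code or any site's IDS; the log line format and the sample lines are constructed, and the five-failures-in-sixty-seconds threshold is an assumed policy value.

```python
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5        # failures within the window that trigger an alert (constructed policy)
WINDOW_SECONDS = 60

# Constructed login log: one address hammering two accounts, one user fumbling a password slowly.
SAMPLE_LOG = """\
2005-08-12T10:00:01 LOGIN_FAIL ip=203.0.113.7 user=alice
2005-08-12T10:00:04 LOGIN_FAIL ip=203.0.113.7 user=alice
2005-08-12T10:00:05 LOGIN_OK ip=198.51.100.9 user=bob
2005-08-12T10:00:09 LOGIN_FAIL ip=203.0.113.7 user=alice
2005-08-12T10:00:12 LOGIN_FAIL ip=203.0.113.7 user=alice
2005-08-12T10:00:15 LOGIN_FAIL ip=203.0.113.7 user=alice
2005-08-12T10:00:18 LOGIN_FAIL ip=203.0.113.7 user=carol
2005-08-12T10:02:00 LOGIN_FAIL ip=198.51.100.9 user=bob
2005-08-12T10:04:00 LOGIN_FAIL ip=198.51.100.9 user=bob
2005-08-12T10:06:00 LOGIN_FAIL ip=198.51.100.9 user=bob
2005-08-12T10:08:00 LOGIN_FAIL ip=198.51.100.9 user=bob
2005-08-12T10:10:00 LOGIN_FAIL ip=198.51.100.9 user=bob
"""


def parse_line(line):
    """Split '<iso timestamp> <event> key=value ...' into (timestamp, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), event, fields


def find_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: alert} for every source with `threshold` failures inside any `window` seconds."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures still inside the window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, event, fields = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        queue = recent[fields["ip"]]
        queue.append((ts, fields["user"]))
        while (ts - queue[0][0]).total_seconds() > window:
            queue.popleft()  # slide the window forward; slow failures age out
        if len(queue) >= threshold:
            alert = alerts.setdefault(fields["ip"],
                                      {"first_seen": queue[0][0], "last_seen": ts, "accounts": set()})
            alert["last_seen"] = ts
            alert["accounts"].update(user for _, user in queue)
    for alert in alerts.values():
        alert["accounts"] = sorted(alert["accounts"])
    return alerts


if __name__ == "__main__":
    for ip, alert in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(alert['accounts'])} account(s) {alert['accounts']} "
              f"from {alert['first_seen']} to {alert['last_seen']}")
```

Bob's five failures over eight minutes never produce an alert because they age out of the window, while 203.0.113.7 trips it within fourteen seconds; a real deployment would also key the same counter on the account name so that attempts spread across many addresses are still noticed.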

There really isn't a great deal more you can say on hacking web-based email - without going into detail specifically on one web-based email site, and its authentication methods etc - or describing one exploit in detail.

Hopefully, this has given you a general overview of how web-based email is hacked, and how to defend your own accounts (and made it clear that there isn't exactly a 100% guaranteed method of gaining access). Comments welcome ;)
Comments
Comment by Rocky A.K.A kaush - 29-07-2005

hey dude da stuff was kewl i mean atleast it gave v newbies or mayb wanna bs sumthin in2 de hackin stuf ... unlike oder sites dis site reall yxplained me a lot bout dis hackin stuf so if i culdnt bcum an aspirin hacker atleast i cud get an info bout securin mah account newayz cyaz )



Comment by Nazarah - 12-08-2005

>> Another side note I should mention is - I believe a Windows machine needs a reboot before the hosts files changes come into effect.

Windows machines (at least NT based OSs) do not require a reboot for the hosts file entries to take effect. I use them at work all the time with no reboot =)



Comment by Wang - 13-08-2005

Quite true - XP/2000 etc do not need a reboot in order for hosts file changes to become active. This article was written before that time :) Thanks for the update.



Comment by Wang - 16-08-2005

Interesting article about how to gain access to a hotmail account if you have 2 cookies from the victims web system:

http://www.totse.com/en/hack/understanding_the_internet/164789.html




Comment by Vinod - 03-11-2005

Well I am doing some research on hacking email. I was just looking through the web when I found this page.. Well this page has explained a lot about email hacking



Comment by Clash - 06-11-2005

Thanks dude, I really love this site, and all the great info it gives. I thought this article was really interesting.



Comment by abhay gupta - 21-11-2005

Very Preliminary knowledge. The article started off with a great show, however the contents werent really matching the expectations.



Comment by Wang - 22-11-2005

Thank you for your comments. Perhaps you could expand a little on what you felt was missing from this article, or what you would like to see added in further revisions? At this point I am not sure exactly what else could be added without going into detail on one particular webmail provider (which is not really the purpose of this article, as it is intended as more of a general overview).



Comment by falcon - 08-08-2006

my ex-boyfriend hacked me using Technique 7 - Fake web sites (phishing).... I was stupid to trust him. He gave my account back though... I changed the password. Do I need to do anything else to prevent him from getting back in?
How can I make sure he's not using Technique 8 - Hosts hack/trick right now... I get a message every time I go to hotmail.com saying that the site is not properly certified or something... should I be worried?
Any help would be greatly appreciated...




Comment by falcon - 19-08-2006

thx for your help......... :(



Comment by Wang - 20-08-2006

Sorry falcon - I honestly forgot to reply to this thread.

If you are seeing a security warning every time you visit hotmail.com this could be a problem. First make sure you are using www.hotmail.com (with some sites the www. makes a difference when matching the SSL cert). If you still have a problem....open a dos window and do the following command:

nslookup www.hotmail.com

Paste the results here and we can take a look and make sure you have the right IPs.



Comment by Pankaj - 04-09-2006

Thanks a lot Dude, by visiting I came to know a lot about web-based e-mail accounts.
But I didn't find what I was actually seeking.... :(



Comment by orchid - 08-11-2006

Great article...I would like to know how to catch and have proof of someone I suspect is accessing my webmail. Would my ISP be able to trace logins back to the computer being used? Thanks


