Password Hack

  I’m illustrating different techniques for hacking somebody's passwords. I will try to get the Gmail, Yahoo or other website passwords of my friend John Smith.

I have the following techniques to use against him.

  1. Phishing websites.
  2. Trojan Horse.
  3. Key logger.
  4. Packet sniffer.
  5. Retrieve saved passwords.
  6. Security question answer tricks.

1. Phishing.

    To hack his Gmail account, I have to develop a fake Gmail login page and host it on my server.
Let’s say the fake login website is www.my-fake-gmail-web-site.com, whose IP address is 60.10.40.12.
Now I have to update the hosts file on John's machine. That way, when John types www.gmail.com into his browser, he will be redirected to my fake Gmail website, and as soon as he enters his real credentials, my fake web application will email them to me.

What is the hosts file?

    On a Windows machine it can be found in the folder $\Windows\system32\drivers\etc\ with the name
Hosts. Note that it has no extension. It looks like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
 
 
 
   Here, by editing the hosts file with Notepad, I will resolve the domains www.gmail.com
and mail.google.com to my fake website's IP address, 60.10.40.12.
The updated hosts file will look like this.

 

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost

60.10.40.12  mail.google.com

60.10.40.12 www.gmail.com 


    Some malware updates the hosts file on your machine and redirects popular sites like google.com or facebook.com to other, malicious sites.
    You can install a free utility called WatchDog, which keeps watch on the Windows registry and on updates to sensitive files. It will alert you before sensitive files or the Windows registry are modified by third-party software.

When John Smith enters his Gmail credentials, the fake Gmail website will store his credentials and he will not be redirected to the original site. This way I can get his credentials.

Note: Make sure that you are submitting your credentials to a secure website whose address starts with https:// instead of http://
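
A defensive check for the hosts-file tampering described above, as an added example that is not part of the original post: it parses hosts-file text and reports every active entry that pins a watched public domain to a fixed IP address. The watched-domain list and the function names are assumptions, and the sample input is constructed from the entries shown above.

```python
import ipaddress

# Assumption: public domains that should never be overridden locally.
WATCHED = {"gmail.com", "google.com", "facebook.com", "yahoo.com"}

# Constructed sample: the tampered hosts file shown above, abbreviated,
# plus two extra lines to exercise the parser.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
#    127.0.0.1       localhost
60.10.40.12  mail.google.com

60.10.40.12 www.gmail.com
127.0.0.1   ads.example.test   # local sinkhole entry, not a watched domain
not-an-ip   broken.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active (uncommented) mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first column is not an IP; skip
        for name in fields[1:]:                  # one IP may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname):
    """True for a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return [(line_no, ip, hostname)] for overrides of watched domains."""
    return [(n, str(ip), name)
            for n, ip, name in parse_hosts(text) if is_watched(name)]

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
```

To audit a real machine, pass the contents of its hosts file to `audit_hosts` instead of the sample text.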
 

2. Trojan Horse.

  There is plenty of software available on the market that can generate a Trojan for you. After getting a preconfigured Trojan, I need to somehow install it on John’s machine.
It works something like this.
It generates logs of the keys pressed in each application. It automatically submits the key log files to my email address, where I can read all the keys pressed by John on his machine.
You can try such software on your own:
1. “Win Spy”
2. “007 Spy”
or Google around for “Key logger software”.

3. Key Logger

There are several types of keystroke loggers.

  1. Key logger Software.
  2. USB Key Logger.
  3. PS/2

Hardware key logger and Software Key loggers.

There are a number of free key loggers available on the internet. What is a key logger?
It is software that records the keys you press on the keyboard. It frequently submits the recorded keystrokes
to hackers.
   As I’m a programmer, I would prefer to develop my own key logger tool, which will log each and every key pressed. Once my key logger finds an internet connection, it will submit those logs to my email address. I can even
capture the screen and submit the recorded snapshots to my email account.

Hardware Key logger

The USB and PS/2 series hardware key loggers are available on the market. One can easily order them on the internet
or eBay.

You should take precautions when entering sensitive information, such as submitting your credit card details or
browsing bank accounts, from a cyber cafe.

* How to fool keyboard loggers?

Suppose that my password is 007ABCD. See how I will type it.

1. First I will type CD, then using the mouse I will move the cursor to the beginning, before ‘C’.

2. Then I will type ‘007AB’.

This way the key logger will record my wrong password CD007 instead of 007CD.

3. The best way is to open the On-Screen Keyboard found at

    Start >> Program Files >> Accessories>> Accessibility.

    and start using it. The key logger will not log any entries, as you are not using the keyboard to type
    the password.

Many online banks provide a virtual keyboard on their websites.

Advice to make banking more secure.

Banks should provide a feature such as profile picture upload. When a user logs in with a username and password,
the bank's system will ask the user to identify the images. If s/he is able to identify the pictures s/he uploaded, allow the
user to browse further.

  4. Packet sniffer.

   If you are submitting credentials or any sensitive data via HTTP, software such as a packet sniffer installed on intermediate nodes (or the server) can read your outgoing packets to the destination as plain
text. Make sure that you are submitting the credentials via a URL starting with HTTPS://.

5. Retrieve saved passwords.

    Don’t save passwords on the client side.
    One can retrieve passwords saved in browsers' history using tools like Spot Auditor.



6. Security question answer tricks.
      Don’t tell people your birth date, birthplace, mother’s maiden name, father's name,
    first pet's name, school name, best friend's name and so on.
    They can be used in the forgot-password process.

 

Note: 

1. Passwords should be strong. Use a combination of special and alphanumeric characters.

2. Don’t use your favorite number, mobile/telephone/vehicle number or birth date as a password.

3. Don’t use your girlfriend's/boyfriend's name as a password.

Use the latest versions of antivirus and anti-spyware software, etc. A mature programmer can hack someone easily.

Author

My name is Satalaj, but people call me Sat. Here is my homepage: . I live in Pune, PN and work as a Software Engineer. I'm former MVP in ASP.net year 2010.
Disclaimer: Views or opinion expressed here are my personal research and it has nothing to do with my employer. You are free to use the code, ideas/hints in your projects. However, you should not copy and paste my original content to other web sites. Feel free to copy or extend the code.
If you want to fight with me, this website is not for you.
 

I'm Satalaj.