Friday 18 June 2010

Tutorial 1 - Hacking The Email Password of a Pop Account


I'm going to get straight into the first, and simplest, attack you can carry out with Cain: acquiring someone's POP email account password.

1. You need to be on the wireless network of the computer you are targeting.

2. You need to have Cain's configuration set up as in Tutorial 1.

3. The target must not be using POP over SSL (this is very unusual, so you should be fine).

The following is a step-by-step guide to capturing the POP password (many of the early steps will be reused in later tutorials):

1. Open Cain and go to the 'Sniffer' tab along the top row. Make sure you also turn on the sniffer, using the icon in the top left which looks like a little network card.

2. Right-click in the empty grid below and select 'Scan MAC Addresses'. Choose 'All hosts in my subnet'.

3. A list of IPs, MAC addresses, computer names and (empty) user names will appear. If you know the computer name you want to target, great. If you need the user name, however, simply right-click on the computer you are interested in and select 'Resolve Host Name'.

4. Now you are ready to begin ARP poisoning your target. There are many explanations of poisoning, but I will not go into it in detail here as it would detract from the tutorial. Essentially, you are telling the server that you are the target's computer, while telling the target that you are the server. In this way all traffic from the target passes through you before reaching the server, and vice versa.

5. Click on the APR tab along the bottom-left row of icons.

6. Make sure you click in the top one of the two empty grids. Then click on the blue plus arrow on the top row of icons.

7. You will be presented with a list of IPs, MACs and names in the left grid. Select the one which corresponds to your server, usually called 'Home' or the name of your internet provider's router. It should stand out.

8. Then, in the right-hand grid, select the computer you want to target. Click OK.

9. To begin ARP poisoning your target, click on the radiation-type symbol in the top left, next to the sniffer symbol, which you will have turned on a while back.

10. You should now see traffic begin to accumulate in the grid underneath. If there isn't any, then either your target is on a sneaky break and has turned off their computer, or perhaps you have not selected the correct device as in Tutorial 1.

11. All that now remains is to wait until your target either checks their email through Outlook (or something similar, like Thunderbird) or sends an email.

12. Now click on the tab called 'Passwords' on the bottom row. You will probably see lots of HTTP entries popping up; don't worry about these for now.

13. Watch the 'POP3' and 'SMTP' entries (you don't have to sit and watch constantly, you might get a bit bored!).

14. Sooner or later an entry will appear in one or both of those fields. It will contain the username and password of the POP email account.

This method has been tried and tested on many occasions as part of our network security probes. It's worked every time, and usually very fast, as people like to check their emails often.
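The attack above works only because the target's ARP cache ends up mapping the router's IP address to the attacker's MAC. That is also its most visible symptom, and it is what a host or a monitoring box can watch for. The following is an added example, not code from the original post or from Cain: it parses two constructed `arp -a` style snapshots (a clean baseline and the same network after a poisoning run) and raises an alert when a known IP's MAC changes or when one MAC claims the gateway's IP as well as its own. The addresses and the gateway IP are constructed sample values.

```python
"""Detect ARP cache poisoning from periodic ARP-table snapshots.

Added example (not part of the original post or of Cain). A host that
records its ARP table periodically can flag the classic poisoning
signature: the MAC for a known IP (especially the gateway) changes, or
one MAC suddenly answers for several IPs including the gateway.
"""
import re
from collections import defaultdict

# Matches the "? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0" layout
# of Linux `arp -a` output. All snapshots below are constructed sample data.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in an `arp -a` dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_alerts(previous, current, gateway_ip):
    """Compare two {ip: mac} snapshots and return a list of alert strings.

    Two symptoms are checked:
      * an IP seen before now resolves to a different MAC
        (the poisoned-cache signature, flagged loudly for the gateway);
      * one MAC is bound to more than one IP and one of them is the gateway
        (the spoofing host is answering for the router as well as itself).
    """
    alerts = []
    for ip, mac in current.items():
        old = previous.get(ip)
        if old is not None and old != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}MAC change for {ip}: {old} -> {mac}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            others = sorted(i for i in ips if i != gateway_ip)
            alerts.append(f"{mac} claims gateway {gateway_ip} and also {others}")
    return alerts


# Constructed snapshots: a clean baseline, then the same network after the
# host 192.168.1.23 starts answering ARP requests for the gateway 192.168.1.1.
BASELINE = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.23) at de:ad:be:ef:00:23 [ether] on eth0
? (192.168.1.40) at 00:aa:bb:cc:dd:40 [ether] on eth0
"""
POISONED = """\
? (192.168.1.1) at de:ad:be:ef:00:23 [ether] on eth0
? (192.168.1.23) at de:ad:be:ef:00:23 [ether] on eth0
? (192.168.1.40) at 00:aa:bb:cc:dd:40 [ether] on eth0
"""

if __name__ == "__main__":
    before = parse_arp_table(BASELINE)
    after = parse_arp_table(POISONED)
    for alert in arp_alerts(before, after, gateway_ip="192.168.1.1"):
        print("ALERT:", alert)
```

On a real host the snapshots would come from running `arp -a` (or reading `/proc/net/arp`) on a timer; the comparison logic is the same. Note that a clean baseline must be captured before any poisoning starts, otherwise the first snapshot is itself the poisoned state. The mitigation the tutorial's prerequisite hints at, POP over SSL/TLS, is independent of this check: with TLS the sniffer still sees the session but not the credentials.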

As with any of these posts, if you are having trouble, leave a comment here and I will reply to you as soon as possible.

Jason Hart - his live 'hack me' challenge!


Jason Hart - his live 'hack me' challenge! from e-Crime Wales on Vimeo.

Thursday 17 June 2010

An insight into the work of the hacker.

With recent news that hackers have attacked the German e-crime site Carders.cc, resulting in members' details being posted online, now seems a good time to look at just how hackers go about their business...

In a desire to reduce risk and meet compliance and audit requirements, companies invest in security technologies including firewalls, anti-virus and anti-spyware/anti-spam. The smart ones also implement security policies and controls in an effort to protect their network, assets, and business. Unfortunately all this can be defeated instantly, because hackers too are harnessing new methodologies, technologies and resources. Hackers will try the easy route first, looking for the weakest links in your network, such as an out-of-date OS, an unpatched web server, or default configurations. But the easiest by far is getting your password.

While usernames are used in conjunction with passwords, they cannot realistically protect your data or business. Companies assign usernames systematically, often using standard first name/last name formats, making it a breeze for a hacker to find or guess a username. All that is left to protect your system is a vulnerable password, and since such an entry is 'authorised' there will be no sign of forced entry and little chance of an alarm being raised; this is the biggest and most invisible threat facing us all. So, how exactly do hackers go about getting passwords?

The methods range from the ridiculously simple to the highly technical. Guessing the password is ridiculously simple. A recent study of 32 million passwords showed just how 'guessable' passwords can be. '123456' was in first position, with 'Password' at fourth, and nearly 50% of users used names, slang words, dictionary words, or trivial passwords made of consecutive digits, adjacent keyboard keys, etc. A quick web search will present a hacker with a handy list.

Hackers rely on the continued use of the password because it is so weak. Phishing and pharming attacks use "dummy" web sites to trick users into providing passwords and personal details. Social networks are now firmly established as a great resource for hackers, who see them as the best social engineering tool.

A more technical approach may involve the use of traditional keyloggers and sniffing programs, all of which are available free on the internet. Typing 'Password Hacking' into YouTube will return over six thousand videos demonstrating the password hack, and so even the novice is off to work. With passwords so discredited, there are three key things to consider in response.

1. Password best practices state:

• They should contain at least eight characters.
• They should contain a mix of four different types of characters: upper-case letters, lower-case letters, numbers, and special characters. If there is only one letter or special character, it should not be either the first or last character in the password.
• They should not be a name, a slang word, or a dictionary word. Neither should they include part of your name or e-mail address.
• Passwords should be changed every 30 to 90 days.
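The four rules above are easy to state but are only useful if they are actually enforced at the point where a password is chosen. The following is an added example, not code from the original post: a checker that returns every rule the candidate password breaks, covering length, the four character classes, the "lone letter or special character at either end" clause, a dictionary/common-password list, fragments of the user's name or e-mail address, and the 90-day rotation limit. The wordlist, the user details and the dates are constructed sample data; a real deployment would substitute a full dictionary and a breached-password list.

```python
"""Check a candidate password against the password rules listed above.

Added example, not from the original post. WORDLIST is a constructed
stand-in for a real dictionary / slang / common-password list.
"""
from datetime import date

WORDLIST = {"password", "123456", "qwerty", "letmein", "monkey", "dragon"}
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
ALL_CLASSES = {"upper", "lower", "digit", "special"}


def character_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(pw, full_name="", email="", last_changed=None, today=None):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    # Rule 1: minimum length.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rule 2: all four character classes must be present.
    classes = character_classes(pw)
    if len(classes) < 4:
        missing = ", ".join(sorted(ALL_CLASSES - classes))
        problems.append(f"missing character classes: {missing}")
    # Rule 2, second sentence: a lone letter or lone special character must
    # not sit at either end of the password.
    letters = [i for i, ch in enumerate(pw) if ch.isalpha()]
    specials = [i for i, ch in enumerate(pw) if not ch.isalnum()]
    for kind, positions in (("letter", letters), ("special character", specials)):
        if len(positions) == 1 and positions[0] in (0, len(pw) - 1):
            problems.append(f"the only {kind} is the first or last character")
    # Rule 3: not a dictionary/slang/common word, and no part of the name or e-mail.
    lowered = pw.lower()
    if lowered in WORDLIST:
        problems.append("is a dictionary, slang or common password")
    fragments = [p.lower() for p in full_name.split() if len(p) >= 3]
    fragments += [p.lower() for p in email.replace("@", ".").split(".") if len(p) >= 3]
    for frag in fragments:
        if frag in lowered:
            problems.append(f"contains part of the user's name or e-mail ({frag!r})")
    # Rule 4: rotate every 30 to 90 days; the 90-day upper bound is enforced here.
    if last_changed is not None:
        today = today or date.today()
        age = (today - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append(f"password is {age} days old (limit {MAX_AGE_DAYS})")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidates.
    for candidate in ("Password", "!jsmith2010", "T4k3-th3_Tr4in!"):
        result = check_password(candidate, "John Smith", "jsmith@example.com")
        print(f"{candidate!r}: {result or 'OK'}")
```

The name and e-mail check is deliberately substring-based: "!jsmith2010" is rejected even though it never contains the full name, because the login name is the easiest fragment for an attacker to try first. The rotation check takes an explicit `today` so it can be tested without depending on the clock.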

2. Check your infrastructure for unnecessary or out-of-date, bug-riddled network devices, services, or applications. Conduct a regular network audit.

3. Educate users on password security, social engineering threats and some of the latest trends. They are users, not security specialists. Do they know all of the above? Do they know not to use the same password across their social and business applications? You have a duty of care.

Good password practice will help, but two-factor authentication takes it to a new, much more secure level. Providing users with a PIN and a token which generates a one-time password, valid for a single use, will deprive hackers of their quiet and invisible entry into your network. Through a combination of implementing best practice, keeping your network infrastructure robust, and employees educated, the hacker risk can be mitigated and your confidentiality and integrity maintained.
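The reason a one-time password defeats the sniffing attack described in the tutorial above is that the code a token shows is derived from a secret that never crosses the network, and is invalidated as soon as it is used. The following is an added example, not code from the original post or from any token vendor: it implements the event-based HOTP algorithm (RFC 4226, HMAC-SHA1 over an 8-byte counter with dynamic truncation), which is the scheme behind counter-based hardware tokens, together with the server-side checks that make it work in practice: a PIN compared in constant time, a small look-ahead window for tokens whose button was pressed without logging in, and a counter that only moves forward so a captured code cannot be replayed. The shared secret used in the demo is the RFC 4226 test-vector secret; the PIN is a constructed sample value.

```python
"""HOTP one-time passwords with PIN and replay protection (RFC 4226).

Added example, not from the original post. The secret below is the
RFC 4226 Appendix D test-vector secret; the PIN is a constructed value.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """Return the RFC 4226 HOTP code for a shared secret (bytes) and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


class TokenVerifier:
    """Server-side state for one user's token: secret, PIN hash and counter."""

    def __init__(self, secret, pin, look_ahead=5):
        self.secret = secret
        self.pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        self.counter = 0              # next counter value we expect
        self.look_ahead = look_ahead  # tolerate a few unused button presses

    def verify(self, pin, code):
        """Return True and advance the counter only for a valid PIN + code pair.

        Both comparisons are constant-time, and the code check always runs
        so that a wrong PIN is not distinguishable by timing alone.
        """
        pin_ok = hmac.compare_digest(
            self.pin_hash, hashlib.sha256(pin.encode()).hexdigest())
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
                break
        if not (pin_ok and matched is not None):
            return False
        # Move past the used counter: the same code can never be accepted again.
        self.counter = matched + 1
        return True


# RFC 4226 test-vector secret ("12345678901234567890" as ASCII bytes).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(3):
        print(f"counter {n}: {hotp(RFC_SECRET, n)}")
    server = TokenVerifier(RFC_SECRET, pin="4711")
    first = hotp(RFC_SECRET, 0)
    print("login:", server.verify("4711", first))     # True
    print("replay of the same code:", server.verify("4711", first))  # False
```

The demo's first three codes are 755224, 287082 and 359152, the values published in RFC 4226, which is a quick way to confirm an implementation. A sniffer in the position of the tutorial's attacker would capture one code and the PIN, but by the time it could be reused the server's counter has already moved past it.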
 
Copyright 2009 Jason Hart.