I have setup a rogue email account on a web server that i own a lease to. What we are going to do is find the IP address to the server that sends the mail, scan for open ports to mail services (Pop3 & SMTP) input the data into Hydra and in return bruteforce for the password.
I have done this on many occasions as a security tester and what i have found is that MOST people use the same password for everything. That's why it's important to keep your email password exclusive. What i have found in 90% of the time is that people have everything linked to their main email address. Online banking, website registration and Facebook to name a few. All you have to do after gaining access to an important email account is a little detective work along with some "forgot password" forms and then you pretty must own the E-Identity. I'm going to show you how to prevent this from happening to yourself and your clients.
Please note these are real hacking methods that are going to be tested on real servers. One of the IP's i'm going to release correlates to a godaddy hosted server, and even though anyone can find this i want to say i do not condone black hat hacking, nor do i advise anyone to use these methods for malicious use. Lets Get Started
www.brotherspropertymanagement.com will be our target for example.
In backtrack 5, Fire up a Terminal, Zenmap and Hydra-GTK.
ping the desired web server:
we see a secureserver hostname along with the IP. Typically in this instance i would run a zenmap scan on it.
However no mail server is returned. This is a practical example of where we can be de-railed because the mail server is different from the one we scanned. but with a little research we can easily find the mail server AND SETTINGS on google using the hostname.
We have found the link for email setup. You will only need to do this if the web server is hosted by a product like godaddy. In some situations the web server will include all services to run the website and some back end things like FTP,HTTP,POP,SMTP & MYSQL.
click the link
Those are the settings. Now we see we have 2 options. pop.secureserver.net and smtpout.secureserver.net. Please keep this in mind, These 2 servers HOST ALL MAIL on godaddy websites. This is dangerous because if you really wanted to you could scan a range of godaddy ip's, visit the websites, copy the email addresses, make a list to bruteforce. This is why i strongly advise a secure password.
Lets choose SMTP. It's not encrypted, doesn't kick us off after a few attempts of password breaking AND ITS FAST, SUPER FAST.
ping smtpout.secureserver.net a few times and you will see the ip is different. it really doesn't matter so open Xhydra and configure like this:
single target: smtpout.secureserver.net (this is the mail server)
port: 25 (this is default unencrypted SMTP port)
protocol: smtp (simple mail transfer protocol)
as always check off show attempts.
on the passwords tab for username you always want the full user with the @domain.com in the end our user is
rogueaccount@brotherspropertymanagement.com
select your password list. refer to my Last Post on how to find a wordlist in backtrack.
Or Click Here for Wordlist
Goto the start tab and click start.
Then we have success. I will be remove the rogue account so you little bastards don't try any funny business.
RECAP:
1. Find Target
2. Find SMTP Mail Server
3. Input data to Hydra
4. Crack Away
code SMRRARMWCNXT
Here we are. Firstly i must advise you to only use these methods to test your own security. I will be hacking my own email address / router password as example.
here are your tools - all can be found in backtrack 5 and some earlier versions.
*Update 4/27/2013*
i have written a part two Using Xhydra to hack aol instant messenger passwords (AIM)
Given the popularity of this post.
Start X-Hydra
Also Start Zenmap
Everything should start by looking like this:
We will start by hacking a local network router password. This can be very useful to a hacker in the scenario where one has cracked a wifi password and gained local access to the network. After gaining access to the router possibilities are endless. all router security can be disabled and then we can perform MitM attacks (i will write an article on this later). if you're experienced enough in networking then you get the picture.
Typically a router's IP address will start with 192.168.x.x. (which it may be in your case) to check this type ipconfig in windows and ifconfig in linux. the routers IP will be the Default Gateway).
Now i'm sure you have seen this before:
What we are going to do is tell Xhydra to connect to the routers http server with a protected page, input the username and bruteforce the password. Note this method can be used against any similar password protected page not using forms (will make another post on how to use against forms later).
so your input should be like this:
Check off show attempts as it makes it easier. single target SHOULD BE YOUR DEFUALT GATEWAY. perhaps 192.168.0.1. do not use this against websites or hardware you do not own or have permission to test. Important - port should be 80 or in some cases 8080. EVEN MORE IMPORTANT under PROTOCOL find http-get and click it. to find open ports on a device just scan the target IP with zenmap.
Back to hydra
in most cases the username will be admin. also in most cases the password will be either "password" "admin" or BLANK.
however, in my situation the default password is far different from admin or blank. so what i have done was selected a wordlist. you can find many wordlists using google. typically the bigger the better especially on a local network. backtrack comes with a few. can be found in: /root/pentest/passwords/wordlists
i have compiled my own and named it password.lst.
Click Here for a basic wordlist
so:
click username enter admin
click Password list and select your list
also check off "try login as password" and "try empty password"
then move to the Specific tab.
change http / https url to just a slash /
this tells hydra what directory the protected page is on the server.
goto the start tab and click start. results will follow.
this quick tutorial is mainly for people beginning. i do not claim to be an expert in the field, however i am qualified to talk about these things. hydra is a powerful tool. it can be used for much more than just bruteforcing protected page passwords. there are a numerous amount of protocols, ftp, pop3, smtp and ssh being my favorite. next tutorial i will get a little more in depth on the scanning part and i will show you how to do this with virtually any email address.
questions please email. davidjgeraway@gmail.com
Hello World. The purpose of this blog will be to give back to the community in which i have learned so much about. I choose to write about this topic for three reasons:
a) i enjoy it
b) it's something i feel i'm qualified to write about.
c) it can help me to learn more
So lets start with what it means to "Hack". For me, it is to gain access (authorized or not) using computer software & programming knowledge of another system ran by an operating system. Hacking can be done to many things for good and bad reasons. A "Hack" can also be a modification of firmware or hardware for whatever justified reason.
However, i get the suspicion that most who stumble upon this blog are looking for point and click references or a step by step "how-to" guide. ( I will be doing that, with screenshots!)
BELIEVE me, i was there. I was a script kiddie. In todays world hacking comes a lot easier - as there are many tools and resources for you to use. Backtrack, the linux distribution, being a whole operating system full of hacking tools.
My first tutorial will be about using ping, nmap and Hydra GTK in a method called bruteforcing to test security on email passwords and local router access. See you soon!