nintendo1889

Hacking Yahoo Webmail Login

25 posts in this topic

I can hear the murmurs already, it's not research, you aren't learning anything, yada yada yada.

I just need some tips using thc hydra for hacking yahoo webmail. Through TOR naturally.

When logging in, the password is sent in the POST URL:

POST /config/login_verify2? .src=ym&.tries=1&.done=http%3A%2F%2Fmail.yahoo.com&.md5=&.hash=&.js=&.partner=&.slogin=YAHOOLOGIN&.intl=us&.fUpdate=&.prelog=&.bid=&.aucid=&.challenge=RandomStuff&.yplus=&.chldID=&pkg=&hasMsgr=0&.pd=ym_ver%3D0%26c%3D%26ivt%3D%26sg%3D&.u=RandomStuff&.persistent=y&passwd=ThePassword&.save=Sign+In

Edited by nintendo1889

You do realize that after more than 2 or 3 failed login attempts, Yahoo! adds a CAPTCHA to the mix, don't you?


Cracking a Yahoo login via Tor is a really bad idea! Here are some reasons not to do it:

1. It's incredibly illegal and could land you in jail if you don't configure Tor properly.

2. This thread will probably be locked because you're asking for help with something illegal.

3. Because Tor is so unreliable, even if THC guesses the right password, it might get a 404 error and think it's the wrong one.

4. You're going to make it hard for the Tor server operator, who might get a visit from the cops and a nasty letter at a minimum. In the long run, this hurts Tor and makes it less appealing to run exit servers.

5. If you have motivation to hack into the account, chances are the victim could identify you or bring it down to a pool of like five.

Don't do it.

Edited by blackbloc

The only reason this is not locked is the CAPTCHA. It just wouldn't work. Though, for good measure, see Guideline #3 of the rules and the post about intent.


The CAPTCHA kind of throws a monkey wrench into the idea of bruteforcing it, and Yahoo! uses SSL for logins, so that rules out MitM attacks. The only way I can think of to obtain a specific account's login pair would be to install a keylogger on the mark's machine that would "phone home" or otherwise convey the password to you, or else social-engineer the mark to log into their Yahoo! Mail account on a machine you own, while you surreptitiously log the POST request containing the username and password.

Edited by Colonel Panic

SSL doesn't necessarily rule out MITM. Most users would probably just ignore certificate warnings. (I've been wanting to conduct an experiment to verify this for a while)

Regarding CAPTCHAs, it's quite possible to create an ANN to decipher these images. I have an 8-layer GPU-powered handwriting recognition ANN coded in C# that I could almost certainly adapt to read CAPTCHAs of a specific style (given a sufficiently sized database of such CAPTCHAs, for training the ANN). People seem to overestimate the security of the CAPTCHA.

There's also the methods that basically involve malware that socially engineers people to decipher CAPTCHAs -- which are becoming more common.

There's also the methods that basically involve malware that socially engineers people to decipher CAPTCHAs -- which are becoming more common.

Sounds like kind of a wonky solution. How does that work?

Is it a botnet with malware installed on its zombie army that somehow injects an interstitial page (containing the CAPTCHA) into the users' Web browsers in real time, then phones that information home to the attacker?

SSL doesn't necessarily rule out MITM. Most users would probably just ignore certificate warnings. (I've been wanting to conduct an experiment to verify this for a while)

As far as I am aware from experience, I know at least a lot of users ignore certificates and agree to them; I am not sure of the amount that refuse, however, to verify this. I know for a fact that many call centers just simply tell users to agree to certificate warnings as well. I've successfully done SSL MiTM attacks many times and succeeded many times.

CAPTCHAs are a pain and make it not easy; they are possible to get around, however, of course.

I also agree TOR is the most horrible idea to do this; normally I would suggest better methods, but I don't believe it is a good idea in this case.


I wonder if the Tor software contains any mechanism for detecting and thwarting such abuses. I haven't looked at its source code, but if it doesn't contain such a countermeasure, it would be a good idea for the developers to implement one.

I wonder if the Tor software contains any mechanism for detecting and thwarting such abuses.

How would you determine such traffic is an abuse? Maybe 5 people tried to log in at once? The exit node has no idea where traffic is coming from, or if two connections come from the same person.


Well if 5,000 people tried to log in within the same second, that would be a pretty good indication that something untoward is afoot. What Tor could effectively do to stop it is another matter I guess.

Yeah, the way Tor is set up, I suppose there's really no way to stop this kind of thing.

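An added example, not from any poster in this thread, showing the service-side view of two points raised above: the CAPTCHA that appears after a few failed attempts on one account, and the burst of attempts within a second that a Tor exit cannot see but the login service can. The LoginGuard class and its thresholds are constructed for illustration.

```python
from collections import deque

# Constructed thresholds for illustration; the real service's values are not on the page.
CAPTCHA_AFTER_FAILURES = 3   # failed attempts per account before a challenge is demanded
FAILURE_WINDOW_S = 900       # failures older than this no longer count against the account
BURST_WINDOW_S = 1.0         # "attempts within the same second"
BURST_THRESHOLD = 5000       # attempts per window that indicate a distributed campaign


class LoginGuard:
    """Per-account CAPTCHA escalation plus global burst detection, as a login service sees it."""

    def __init__(self):
        self.failures = {}        # account -> deque of failure timestamps
        self.attempts = deque()   # timestamps of every attempt, any account, any source
        self.alerts = []          # (timestamp, attempts_in_window) whenever a burst is seen

    @staticmethod
    def _prune(dq, now, window):
        # Drop timestamps that have fallen outside the sliding window
        while dq and now - dq[0] > window:
            dq.popleft()

    def challenge_required(self, account, now):
        dq = self.failures.get(account)
        if not dq:
            return False
        self._prune(dq, now, FAILURE_WINDOW_S)
        return len(dq) >= CAPTCHA_AFTER_FAILURES

    def handle(self, account, password_ok, captcha_ok, now):
        """Process one login attempt; returns 'ok', 'denied' or 'captcha'."""
        # The service sees all attempts, so a flood spread over many accounts and
        # many source addresses is still visible here (an exit node cannot correlate it)
        self.attempts.append(now)
        self._prune(self.attempts, now, BURST_WINDOW_S)
        if len(self.attempts) >= BURST_THRESHOLD:
            self.alerts.append((now, len(self.attempts)))
        # Once the account is over the failure threshold, refuse to evaluate the password
        # at all until the challenge is solved, so guessing cannot continue past it
        if self.challenge_required(account, now) and not captcha_ok:
            return "captcha"
        dq = self.failures.setdefault(account, deque())
        if password_ok:
            dq.clear()           # a genuine login resets the counter
            return "ok"
        dq.append(now)
        return "denied"
```
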
There's also the methods that basically involve malware that socially engineers people to decipher CAPTCHAs -- which are becoming more common.

Sounds like kind of a wonky solution. How does that work?

Is it a botnet with malware installed on its zombie army that somehow injects an interstitial page (containing the CAPTCHA) into the users' Web browsers in real time, then phones that information home to the attacker?

One way I heard was to set up an online flash game where users can undress a girl by entering the correct CAPTCHAs. The bad guys get a load of CAPTCHAs done while people think they're just playing a game.

As far as I am aware from experience, I know at least a lot of users ignore certificates and agree to them; I am not sure of the amount that refuse, however, to verify this. I know for a fact that many call centers just simply tell users to agree to certificate warnings as well. I've successfully done SSL MiTM attacks many times and succeeded many times.

I've been playing around with this myself recently. Thanks to Firefox 3 I've found users are less likely to accept certificates, either because

1) They don't know how (it's a lot harder than pressing "OK")

2) The "bad cert" page looks like a page not found, and most users won't read it and will just keep pressing refresh.

Can't say for IE, as the networks I've been on have been Firefox 3 only.

One way I heard was to set up an online flash game where users can undress a girl by entering the correct CAPTCHAs. The bad guys get a load of CAPTCHAs done while people think they're just playing a game.

Like this gimmick. Makes you think you are helping to digitize books. <_<

Gimmick Here

Sounds like what you were talking about.


You can buy CAPTCHAs as well.

beatcaptchas.com/prices.html

Edited by Swerve
There's also the methods that basically involve malware that socially engineers people to decipher CAPTCHAs -- which are becoming more common.

Sounds like kind of a wonky solution. How does that work?

Is it a botnet with malware installed on its zombie army that somehow injects an interstitial page (containing the CAPTCHA) into the users' Web browsers in real time, then phones that information home to the attacker?

This was in the news a while back: Striptease Used to Recruit Help in Cracking Sites

Edited by chown
You can buy CAPTCHAs as well.

beatcaptchas.com/prices.html

Instead of buying them, it sounds like a fun project a few people I know started back in the day! Why buy what you can harvest!

SSL doesn't necessarily rule out MITM. Most users would probably just ignore certificate warnings. (I've been wanting to conduct an experiment to verify this for a while)

As far as I am aware from experience, I know at least a lot of users ignore certificates and agree to them; I am not sure of the amount that refuse, however, to verify this. I know for a fact that many call centers just simply tell users to agree to certificate warnings as well. I've successfully done SSL MiTM attacks many times and succeeded many times.

Well, it's not just because of user error; there's also the underlying technical issue that most HTTPS web servers don't perform full certificate-chain verification, even fewer implement client-side certificates, and fewer still properly validate those, so neither the client nor the server really has any idea who they're talking to. :pirate: MITM'ing SSLv2 is a given and TLSv1 is still fairly trivial. For more info, refer to CVE-2005-2969. :rules:

@Colonel Panic: BTW, it's really irrelevant if SSL rules out MITM or not (even though it doesn't) because Yahoo only uses SSL for logins, once you're logged in everything is in the clear, including the cookie that acts as the session identifier. Hell, you can even try to force it to use HTTPS post-authentication and you'll either get redirected back to plain HTTP or won't connect/negotiate at all.

:yoink:

EDIT: Added direct response to Colonel Panic.

Edited by duper
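An added example, not from any poster in this thread, of the check a defender would run against the point above that the post-login session cookie travels in the clear: parse a response's Set-Cookie headers and flag session cookies that lack the Secure and HttpOnly attributes, and note whether the response pins the browser to HTTPS with Strict-Transport-Security. The sample headers and cookie names are constructed, not captured from any real site.

```python
import re

# Constructed sample of headers a login response might carry; not a capture from any real site.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=8f3a2c91; Path=/; Domain=.example.com",
    "Set-Cookie: login_token=tok-1; Path=/; Domain=.example.com; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "Set-Cookie: csrf=abc; Path=/; Secure; HttpOnly",
    "Content-Type: text/html",
]
# Cookie names that carry the session in this constructed example
SESSION_NAMES = {"sessionid", "login_token", "csrf"}


def parse_set_cookie(line):
    """Split one Set-Cookie header into (name, value, {attribute: value}); attribute names lower-cased."""
    body = re.sub(r"^Set-Cookie:\s*", "", line, flags=re.I)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")      # flag attributes such as Secure have no value
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers, session_names):
    """List session cookies missing Secure (else sent over plain HTTP) or HttpOnly (else readable by script)."""
    findings = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if name.lower() not in session_names:
            continue                        # preference cookies are not worth a finding
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def hsts_present(headers):
    """True if the response tells browsers to stay on HTTPS for future requests."""
    return any(h.lower().startswith("strict-transport-security:") for h in headers)
```

A cookie without Secure is exactly what the post describes: the browser will attach it to any plain-HTTP request to the domain, regardless of how the login itself was protected.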

I agree with two things said here: SSL doesn't usually stop MITM, and the CAPTCHA could easily be broken, although it can slow down crackers.

For SSL, recognizing the MITM attack means the users have to check the certificates. Most don't. Experience has long proven it. As a matter of fact, many lay users are lulled into a false sense of security with SSL. If they see the lock icon or https in the address bar, they've been conditioned to trust the site. Many won't worry from that point on, thinking the connection is "secure." Unless something obviously out of the norm happens, most users will ignore warnings. Criminals currently bank on that, and many are using SSL connections in pharming scams as a psychological ploy.

As for CAPTCHA, there are automated and human methods for beating them. For a tool that has been adapted to crack many different CAPTCHAs, see PWNtcha (at bottom). These tools are usually visual computing algorithms or AI-type algorithms that can extract the word from the picture. You often need to try a specific tool for a specific type of CAPTCHA, but I don't see why we couldn't create a taxonomy of CAPTCHAs and just one tool for recognizing general properties and picking another tool for cracking. Example: this one has lines, so narrow the list of possible crackers to those whose CAPTCHAs use lines. See what I'm saying?

For the human approach, it involves trying to log on and redirecting the CAPTCHA to a person, who solves it. The solution is then redirected back to the cracker to try to log in. The most common way to get people to solve CAPTCHAs is porn. While money greases the gears of the corporate world, porn can be equally motivating for people on the internet. It can be games, supposedly charitable acts, or just seeing more porn links. Example: "Solve this CAPTCHA to prove you're not a robot downloading all our porn, and we'll show you the next 20 pics in our lovely midget porn series!"

PWNtcha

http://caca.zoy.org/wiki/PWNtcha


@army of one, what do you think about EV certs?


I have mixed feelings about EV Certs. Positive feelings towards increased validation of the bearer's identity. Negative towards how it's done, what it means, and why it doesn't matter. The problem is the validation process. It's just too easy to cheat for smart, organized criminals. EV Certs might deal a blow to low-tech or casual phishers, but the validation process won't stop the others. Question: how are Internet-only businesses verified? Look at VeriSign's FAQ on EV. Read the section "Who is eligible to receive an EV SSL Certificate?" to see the top cert company's investigation process.

http://www.verisign.com/ssl/ssl-informatio...l-certificates/

It starts out nice, with personal and physical presence verification. Then, we get legal opinion letters that can substitute for physical checks. Furthermore, they don't say how they will handle virtual or online businesses who don't really have buildings and such. I bet verification for them will be pretty lax. Call a few people up, verify their names are on the web site, they own the domain, and they are incorporated. A DIY Nevada or Delaware corporation is cheap, scammers will gladly lie on the phone, web sites are cheaper than ever, and they are already good at making trustworthy-looking web presences. I don't see EV's weak checks being able to catch the phishers that are causing real problems. Mike Fratto's Information Week article agrees, although watch out for the FUD and ratings-improving hype: http://www.informationweek.com/blog/main/a...rtificates.html

The real issue is user psychology. Users have already been conditioned to trust SSL connections. Fratto's article gives an example showing how local watchdog media told people to make sure there was a lock icon before giving out credit card info. Lock icon? It doesn't mean anything about trust: it just says SSL is enabled. Bad guys use SSL, for this very reason. Now, we are conditioning users to trust a web site if it's green (EV), and if it's non-EV, it's white (usually). The mere fact that it's optional, that green not showing up is OK, is going to let phishers continue to use the SSL ploy. More sophisticated crime rings that spend a few grand to get an EV site going will be more successful than before, since users will trust the green seal. I see scammers creating one EV site, probably out of US jurisdiction, where the sales take place. They will then use the normal methods, like botnets and spam, to con users into going there. They might try to host a bunch of different web pages with different "products" all on the same EV-certified web site.

So, while EV does improve the bottom line of businesses, it does little to increase our trust in web sites. The reason EV will do nothing to stop phishers is because the certs were never really the problem. The problem is poor awareness and judgment on behalf of users. Since that hasn't changed, phishers/pharmers won't even have to worry about EV. After all, those many successful Nigerian scams weren't done on an authenticated SSL line, were they?


@army of one: Agreed. Someone should do a case study on extended-validation certificate forgery. B)


And apparently someone is studying up on Extended-Validation certificate forgery. I just saw this on CanSecWest's speaker announcements:

Alexander Sotirov & Mike Zusman - SSL, The Sequel: MD5 collisions and EV certificates

I believe these are the same folks who created the Rogue MD5 Certificate at RapidSSL with the PS3 crackfarm. :borg:
