  #1 (permalink)  
Old 08-29-2005, 01:12 AM
qewjf
Guest
 
Posts: n/a
Default Password cracking and webmail.

According to a website I use: "XXX uses hi-tech software to prevent
password crackers from operating, but most web-email providers, such as
Hotmail, do not. Because anyone who has access to your email account can
request your XXX password, revealing your email address means that
anyone capable of hacking your email account can request your XXX
password. This happens around 300 times a day and in these instances,
there is nothing we can do to help you."

I do not understand this. When I access my webmail, I type in the
username/password and the page loads. If the combination is incorrect I
am rejected.

1. Are there crackers that work on web based e-mail? I thought you
had to download the password file and crack it locally.

2. How do they work?

3. Wouldn't the cracker be locked out after a few incorrect entries?

Thanks.

  #2 (permalink)  
Old 08-29-2005, 06:31 PM
Unruh
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

qewjf <kewfk2@ifrw.com> writes:

>According to a website I use: "XXX uses hi-tech software to prevent
>password crackers from operating, but most web-email providers, such as
>Hotmail, do not. Because anyone who has access to your email account can
>request your XXX password, revealing your email address means that
>anyone capable of hacking your email account can request your XXX
>password. This happens around 300 times a day and in these instances,
>there is nothing we can do to help you."


>I do not understand this. When I access my webmail, I type in the
>username/password and the page loads. If the combination is incorrect I
>am rejected.


>1. Are there crackers that work on web based e-mail? I thought you
>had to download the password file and crack it locally.


>2. How do they work?


>3. Wouldn't the cracker be locked out after a few incorrect entries?


Many places will send you your password if you lose it. They send it to
your email account on file. Thus if someone can get at your email account
they can request that the password be sent to you and then read what the
password is from your email.


  #3 (permalink)  
Old 08-29-2005, 08:28 PM
osfwofujro
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

Unruh wrote:

>qewjf <kewfk2@ifrw.com> writes:
>
>>According to a website I use: "XXX uses hi-tech software to prevent
>>password crackers from operating, but most web-email providers, such as
>>Hotmail, do not. Because anyone who has access to your email account can
>>request your XXX password, revealing your email address means that
>>anyone capable of hacking your email account can request your XXX
>>password. This happens around 300 times a day and in these instances,
>>there is nothing we can do to help you."
>
>>I do not understand this. When I access my webmail, I type in the
>>username/password and the page loads. If the combination is incorrect I
>>am rejected.
>
>>1. Are there crackers that work on web based e-mail? I thought you
>>had to download the password file and crack it locally.
>
>>2. How do they work?
>
>>3. Wouldn't the cracker be locked out after a few incorrect entries?
>
>Many places will send you your password if you lose it. They send it to
>your email account on file. Thus if someone can get at your email account
>they can request that the password be sent to you and then read what the
>password is from your email.

Yes, I understand that. What the website seemed to be saying was that
it is possible to crack Hotmail, Yahoo, etc, through password crackers
and this is what the questions above related to.

  #4 (permalink)  
Old 08-30-2005, 11:23 AM
Imhotep
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

Jim Watt wrote:

> On Mon, 29 Aug 2005 20:28:45 GMT, osfwofujro <jwo@9ewutr.com> wrote:
>
>>>Many places will send you your password if you lose it. They send it to
>>>your email account on file. Thus if someone can get at your email account
>>>they can request that the password be sent to you and then read what the
>>>password is from your email.
>
>>Yes, I understand that. What the website seemed to be saying was that
>>it is possible to crack Hotmail, Yahoo, etc, through password crackers
>>and this is what the questions above related to.
>
> Although most things are possible, if it were trivial to acquire
> passwords for those services they would not be viable.
>
> Providing you do not use obvious guessable passwords you have
> nothing to worry about.
> --
> Jim Watt
> http://www.gibnet.com


Ah, Jim I believe he asked for an explanation. So, do some googling and
describe to the OP the basics of password cracking. Try not to sound like
too much of a moron, OK?



  #5 (permalink)  
Old 08-30-2005, 06:14 PM
osfwofujro
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

Imhotep wrote:

>Jim Watt wrote:
>
>>On Mon, 29 Aug 2005 20:28:45 GMT, osfwofujro <jwo@9ewutr.com> wrote:
>>
>>>>Many places will send you your password if you lose it. They send it to
>>>>your email account on file. Thus if someone can get at your email account
>>>>they can request that the password be sent to you and then read what the
>>>>password is from your email.
>>>
>>>Yes, I understand that. What the website seemed to be saying was that
>>>it is possible to crack Hotmail, Yahoo, etc, through password crackers
>>>and this is what the questions above related to.
>>
>>Although most things are possible, if it were trivial to acquire
>>passwords for those services they would not be viable.
>>
>>Providing you do not use obvious guessable passwords you have
>>nothing to worry about.
>>--
>>Jim Watt
>>http://www.gibnet.com
>
>Ah, Jim I believe he asked for an explanation. So, do some googling and
>describe to the OP the basics of password cracking. Try not to sound like
>too much of a moron, OK?

According to a different newsgroup there are crackers that work on
webmail, but I don't know what they are and how they would work in practice.

Ideas?

  #6 (permalink)  
Old 08-30-2005, 09:40 PM
Imhotep
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

osfwofujro wrote:

> Imhotep wrote:
>
>>Jim Watt wrote:
>>
>>>On Mon, 29 Aug 2005 20:28:45 GMT, osfwofujro <jwo@9ewutr.com> wrote:
>>>
>>>>>Many places will send you your password if you lose it. They send it
>>>>>to your email account on file. Thus if someone can get at your email
>>>>>account they can request that the password be sent to you and then read
>>>>>what the password is from your email.
>>>>
>>>>Yes, I understand that. What the website seemed to be saying was that
>>>>it is possible to crack Hotmail, Yahoo, etc, through password crackers
>>>>and this is what the questions above related to.
>>>
>>>Although most things are possible, if it were trivial to acquire
>>>passwords for those services they would not be viable.
>>>
>>>Providing you do not use obvious guessable passwords you have
>>>nothing to worry about.
>>>--
>>>Jim Watt
>>>http://www.gibnet.com
>>
>>Ah, Jim I believe he asked for an explanation. So, do some googling and
>>describe to the OP the basics of password cracking. Try not to sound like
>>too much of a moron, OK?
>
> According to a different newsgroup there are crackers that work on
> webmail, but I don't know what they are and how they would work in
> practice.
>
> Ideas?


Well, since Jim Watt has bailed on any sort of technical description (it is
beyond his abilities), I will give it a shot.

Most webmail apps are written with PHP or ASP. Now, I write web apps in PHP
and I do not know or use ASP. Older PHP versions defaulted to using global
variables. This is not a good thing to do as I can inject values for
variables... Take a peek at this web site as it goes into greater detail.

http://us3.php.net/manual/en/security.globals.php

The other way to crack web mail sites is to use some sort of password
guessing. It can be quite useful if users are not restricted on the
passwords that they construct (i.e. enforce alphanumeric passwords which are
not based in dictionary words). It generally works as follows:

A password generator (usually based on some sort of dictionary engine) is
used to construct passwords and guess bad passwords. Password cracking this
way has the following problems:

1) Can generate a lot of log messages (again if the app was written
correctly and has logging enabled)

2) Is very slow

3) Good web mail apps will lock out an account or an IP address if too many
password failures happen. Again, if the app was written correctly.


The best way to password crack is to get hold of the password file/DB
dump/etc and upload it locally. This allows you to brute force/dictionary
crack very, very quickly. Etc, etc, etc...

Anyway, that is the very, very basics of it...

Have fun,
Imhotep
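
The logging and account/IP lockout from points 1 and 3 above, sketched from the defender's side as an added example; it is not part of the thread and not any webmail provider's code. The thresholds, the `LoginThrottle` and `replay` names and the login events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the thread); tune for the service.
MAX_FAILS_PER_ACCOUNT = 5   # failures for one account inside the window
MAX_FAILS_PER_IP = 8        # failures from one address, across any accounts
WINDOW_SECONDS = 300
LOCK_SECONDS = 900


class LoginThrottle:
    """Sliding-window failure counter keyed separately by account and by IP."""

    def __init__(self):
        self.fails = defaultdict(deque)  # ("acct"|"ip", value) -> timestamps
        self.locked_until = {}           # same keys -> unlock time
        self.alerts = []                 # (time, key) entries for the log

    def _record(self, key, now, limit):
        q = self.fails[key]
        q.append(now)
        while q and q[0] <= now - WINDOW_SECONDS:  # drop failures outside window
            q.popleft()
        if len(q) >= limit and self.locked_until.get(key, 0) <= now:
            self.locked_until[key] = now + LOCK_SECONDS
            self.alerts.append((now, key))

    def attempt(self, account, ip, now, password_ok):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        keys = (("acct", account), ("ip", ip))
        if any(self.locked_until.get(k, 0) > now for k in keys):
            return "locked"              # refused before the password is checked
        if password_ok:
            self.fails.pop(("acct", account), None)  # the IP counter is kept
            return "ok"
        self._record(keys[0], now, MAX_FAILS_PER_ACCOUNT)
        self._record(keys[1], now, MAX_FAILS_PER_IP)
        return "fail"


def replay(events):
    """Feed (account, ip, seconds, password_ok) events through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(*e) for e in events], throttle.alerts


# Constructed events. Addresses are documentation ranges, names are made up.
# 1) Repeated failures on one account; the last event is the real owner
#    logging in from elsewhere, who is locked out as well.
GUESSING = [("alice", "203.0.113.7", 2 * i, False) for i in range(5)]
GUESSING += [("alice", "203.0.113.7", 10, True), ("alice", "198.51.100.4", 20, True)]
# 2) One failure per account from one address: only the per-IP counter sees it.
SPRAY = [("user%d" % i, "203.0.113.9", i, False) for i in range(9)]

if __name__ == "__main__":
    for name, events in (("guessing", GUESSING), ("spray", SPRAY)):
        print(name, *replay(events))
```

The per-account lock also refuses the legitimate owner until it expires, which is the cost a site accepts when it enables lockout.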

  #7 (permalink)  
Old 08-30-2005, 11:39 PM
Winged
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

Unruh wrote:
> qewjf <kewfk2@ifrw.com> writes:
>
>>According to a website I use: "XXX uses hi-tech software to prevent
>>password crackers from operating, but most web-email providers, such as
>>Hotmail, do not. Because anyone who has access to your email account can
>>request your XXX password, revealing your email address means that
>>anyone capable of hacking your email account can request your XXX
>>password. This happens around 300 times a day and in these instances,
>>there is nothing we can do to help you."
>
>>I do not understand this. When I access my webmail, I type in the
>>username/password and the page loads. If the combination is incorrect I
>>am rejected.
>
>>1. Are there crackers that work on web based e-mail? I thought you
>>had to download the password file and crack it locally.
>
>>2. How do they work?
>
>>3. Wouldn't the cracker be locked out after a few incorrect entries?
>
> Many places will send you your password if you lose it. They send it to
> your email account on file. Thus if someone can get at your email account
> they can request that the password be sent to you and then read what the
> password is from your email.


Many users use the same password everywhere. Users use names, pets,
street addresses etc on multiple sites. Very few users use complex and
sufficiently long passwords.

Some sites have their password files exposed that can be accessed using
for example a telnet session embedded HTML Java page from their free
website host, file may be hidden from the Internet but accessible
directly through their user web server site (there are other methods,
this is just an example). This allows password files to be cracked at
leisure, without provider even seeing traffic, though this would imply
someone was watching.

Many of the free web mail hosts do not set a max tries setting...causes
too many user support issues.

The most common "cracker" I have seen used on Yahoo are simple name
dictionary crackers. It is remarkable how successful even this simple
method appears to be.

Another method commonly used with Yahoo would be simply to place a
trojan on the machine you wanted using one of several buffer overflow
methods in their older Yahoo versions. Some of the exploits were
related to JAVA and others with the YAHOO tool itself. I am not aware
of any exploits in their current 6.0 version of IM however there are
several methods to obtain the victim's IP and attack the remote user host
directly with other exploits.

Another method commonly used is posting links in rooms (probably some
sexy sounding girl with pics posted) where an exploit awaited users who
clicked links. Some of the profile pages had exploits embedded (varied
methods). Once trojaned getting passwords is easy.

For a while I found IM exploits in Yahoo an interesting study in methods,
they ran the gamut. Yahoo's password is good for their IM, mail,
portfolio, and other sensitive areas.

They have a difficult time fixing stupid users or compromised machines
which makes their options complex and difficult to manage, so they don't.

What do you expect for free, security?

Winged

  #8 (permalink)  
Old 08-31-2005, 07:25 AM
Imhotep
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

Jim Watt wrote:

> On Tue, 30 Aug 2005 21:40:29 GMT, Imhotep <Imhotep@nospam.com> wrote:
>
>>osfwofujro wrote:
>>
>>> Imhotep wrote:
>>>
>>>>Jim Watt wrote:
>>>>
>>>>>On Mon, 29 Aug 2005 20:28:45 GMT, osfwofujro <jwo@9ewutr.com> wrote:
>>>>>
>>>>>>>Many places will send you your password if you lose it. They send
>>>>>>>it to your email account on file. Thus if someone can get at your
>>>>>>>email account they can request that the password be sent to you and
>>>>>>>then read what the password is from your email.
>>>>>>
>>>>>>Yes, I understand that. What the website seemed to be saying was that
>>>>>>it is possible to crack Hotmail, Yahoo, etc, through password crackers
>>>>>>and this is what the questions above related to.
>>>>>
>>>>>Although most things are possible, if it were trivial to acquire
>>>>>passwords for those services they would not be viable.
>>>>>
>>>>>Providing you do not use obvious guessable passwords you have
>>>>>nothing to worry about.
>>>>>--
>>>>>Jim Watt
>>>>>http://www.gibnet.com
>>>>
>>>>Ah, Jim I believe he asked for an explanation. So, do some googling and
>>>>describe to the OP the basics of password cracking. Try not to sound
>>>>like too much of a moron, OK?
>>>
>>> According to a different newsgroup there are crackers that work on
>>> webmail, but I don't know what they are and how they would work in
>>> practice.
>>>
>>> Ideas?
>>
>>Well, since Jim Watt has bailed on any sort of technical description (it
>>is beyond his abilities), I will give it a shot.
>>
>>Most webmail apps are written with PHP or ASP. Now, I write web apps in
>>PHP and I do not know or use ASP. Older PHP versions defaulted to using
>>global variables. This is not a good thing to do as I can inject values for
>>variables... Take a peek at this web site as it goes into greater detail.
>>
>>http://us3.php.net/manual/en/security.globals.php
>>
>>The other way to crack web mail sites is to use some sort of password
>>guessing. It can be quite useful if users are not restricted on the
>>passwords that they construct (i.e. enforce alphanumeric passwords which are
>>not based in dictionary words). It generally works as follows:
>>
>>A password generator (usually based on some sort of dictionary engine) is
>>used to construct passwords and guess bad passwords. Password cracking
>>this way has the following problems:
>>
>>1) Can generate a lot of log messages (again if the app was written
>>correctly and has logging enabled)
>>
>>2) Is very slow
>>
>>3) Good web mail apps will lock out an account or an IP address if too many
>>password failures happen. Again, if the app was written correctly.
>>
>>The best way to password crack is to get hold of the password file/DB
>>dump/etc and upload it locally. This allows you to brute force/dictionary
>>crack very, very quickly. Etc, etc, etc...
>>
>>Anyway, that is the very, very basics of it...
>
> from someone with a very basic idea about computers
> and none of that applies to Hotmail, Yahoo and the other
> large webmail services


Try reading the part where I say "...that is the very, very basics of it".
Notice how I do not talk about any one specific web mail application.

I am still waiting for your description of webmail password hacking....we are
all still waiting...Oh but that is right, you are all about talking out
your *** and always falling short on actually delivering something
meaningful.

It seems the best technical description you can give is "don't worry about
it"...hummm seems a little lacking. Seems yet again you have been exposed
for the hypocrite fraud you are....

As for your lame, but predictable attempt to insult me, comment about
"...basic idea..." I would destroy you in a face to face competition
illustrating computer science knowledge and you know it.

Good luck on your anger management classes...

Im

> --
> Jim Watt
> http://www.gibnet.com



  #9 (permalink)  
Old 08-31-2005, 02:20 PM
Matt Silberstein
Guest
 
Posts: n/a
Default Re: Password cracking and webmail.

On Mon, 29 Aug 2005 01:12:57 GMT, in alt.computer.security , qewjf
<kewfk2@ifrw.com> in <titQe.2340$Ys5.1242@newsfe7-gui.ntli.net> wrote:

>According to a website I use: "XXX uses hi-tech software to prevent
>password crackers from operating, but most web-email providers, such as
>Hotmail, do not. Because anyone who has access to your email account can
>request your XXX password, revealing your email address means that
>anyone capable of hacking your email account can request your XXX
>password. This happens around 300 times a day and in these instances,
>there is nothing we can do to help you."
>
>I do not understand this. When I access my webmail, I type in the
>username/password and the page loads. If the combination is incorrect I
>am rejected.
>
>1. Are there crackers that work on web based e-mail? I thought you
>had to download the password file and crack it locally.
>
>2. How do they work?
>
>3. Wouldn't the cracker be locked out after a few incorrect entries?


I think that they are using a rather loose definition of "cracker",
but not an unreasonable one. Cracking did mean trying to break the
encryption, but as words change their meanings over time a meaning of
"illegitimately getting your password" is a good meaning as well. My
interest is in the "hi-tech software" claim. Was that their actual
wording? If so, what "hi-tech" solution do they have?

--
Matt Silberstein

Do something today about the Darfur Genocide

Genocide is news | Be A Witness
http://www.beawitness.org

"Darfur: A Genocide We can Stop"
www.darfurgenocide.org

Save Darfur.org :: Violence and Suffering in Sudan's Darfur Region
http://www.savedarfur.org/
