Ethical Hacking: Hacking GMail
Hands-On Ethical Hacking and Network Defense

Sniffing Plaintext Passwords

Insecure Login Pages
  • HTTP does not encrypt data
  • Always look for HTTPS on login pages

Tool: Cain
  • Click NIC icon to start sniffer
  • Click Sniffer tab, Password tab on bottom
  • From http://www.oxid.it/cain.html

Authentication Cookies

GMail Uses HTTPS
  • Sniffing for passwords won't work
  • Most Web mail services now use HTTPS too

Cookies
  • Thousands of people are using Gmail all the time
  • How can the server know who you are?
  • It puts a cookie on your machine that identifies you

Gmail's Cookies
  • Gmail identifies you with these cookies
  • In Firefox, Tools, Options, Privacy, Show Cookies

Cross-Site Request Forgery (XSRF)

[Diagram labels: To Internet; Web-based Email; Router; Target Using Email; Attacker Sniffing Traffic]

Cross-Site Request Forgery (XSRF)
  • Gmail sends the password through a secure HTTPS connection
    • That cannot be captured by the attacker
  • But the cookie identifying the user is sent in the clear, with HTTP
    • That can easily be captured by the attacker
  • The attacker gets into your account without learning your password

Demonstration

XSRF Countermeasure
  • Use https://mail.google.com instead of http://gmail.com
  • No other mail service has this option at all, as far as I know
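
A server-side check for the cookie exposure and countermeasure described in the slides above, as an added example that is not part of the original slides: it flags session cookies set without the Secure attribute, which a browser also attaches to plain http:// requests where a sniffer can read them. The header values, cookie names and helper functions are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for session cookies that can leak over HTTP.
# All header values and cookie names below are constructed sample data.

SAMPLE_HEADERS = [  # constructed (name, value) pairs from one login response
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Domain=.mail.example"),
    ("Set-Cookie", "AUTH=def456; Path=/; Secure"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Hypothetical names of the cookies that identify the logged-in user.
SESSION_COOKIES = {"SESSIONID", "AUTH"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, attributes with lowercase keys)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(headers, session_names):
    """Return (cookie, problem) findings for cookies a browser would send over http://."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        # Only cookies that identify the user matter here; "lang" is ignored.
        if name in session_names and "secure" not in attrs:
            findings.append((name, "no Secure attribute: sent in the clear on http:// requests"))
    # Without HSTS the browser may still contact the host over plain HTTP first.
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append(("*", "no Strict-Transport-Security header: http:// requests still possible"))
    return findings


if __name__ == "__main__":
    for cookie, problem in audit_cookies(SAMPLE_HEADERS, SESSION_COOKIES):
        print(f"{cookie}: {problem}")
```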

References
  • Cain
    • http://www.oxid.it/cain.html
  • Hamster
    • http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

Contact
  • Sam Bowne
  • Computer Networking and Information Technology
  • City College San Francisco
  • Email: sbowne@ccsf.edu
  • Web: samsclass.info
  • Last modified 6-26-08