Ethical Hacking: Hacking GMail
Hands-On Ethical Hacking and Network Defense
- Slides: 15
Sniffing Plaintext Passwords

Insecure Login Pages
- HTTP does not encrypt data
- Always look for HTTPS on login pages

Tool: Cain
- Click the NIC icon to start the sniffer
- Click the Sniffer tab, then the Password tab at the bottom
- From http://www.oxid.it/cain.html
Authentication Cookies

GMail Uses HTTPS
- Sniffing for passwords won't work
- Most Web mail services now use HTTPS too

Cookies
- Thousands of people are using Gmail all the time
- How can the server know who you are?
- It puts a cookie on your machine that identifies you

Gmail's Cookies
- Gmail identifies you with these cookies
- In Firefox: Tools, Options, Privacy, Show Cookies
Cross-Site Request Forgery (XSRF)

[Diagram: a target using Web-based email, connected through a router to the Internet, with an attacker sniffing the traffic]

Cross-Site Request Forgery (XSRF)
- Gmail sends the password through a secure HTTPS connection
  - That cannot be captured by the attacker
- But the cookie identifying the user is sent in the clear, with HTTP
  - That can easily be captured by the attacker
- The attacker gets into your account without learning your password

Demonstration

XSRF Countermeasure
- Use https://mail.google.com instead of http://gmail.com
- No other mail service has this option at all, as far as I know
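The leak the slides describe exists whenever an identifying cookie lacks the Secure attribute, because the browser then attaches it to plain-HTTP requests as well. The following audit helper is an added example, not part of the original slides or any Google code; it parses Set-Cookie headers and flags session-looking cookies that would travel in the clear. The header values and cookie names are constructed placeholders, and the name hints used to guess which cookies are session identifiers are an assumption.

```python
from dataclasses import dataclass

# Constructed sample Set-Cookie headers (hypothetical names, not Gmail's real cookies).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Domain=.example-mail.test",                  # leaks over HTTP
    "SESSIONID=abc123; Path=/; Domain=.example-mail.test; Secure; HttpOnly",  # HTTPS only
    "lang=en; Path=/",                                                      # not a credential
]

# Assumed heuristic: substrings that suggest a cookie identifies the logged-in user.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    @property
    def leaks_over_http(self) -> bool:
        # The slide's condition: an identifying cookie the browser will also
        # send on http:// requests, i.e. one without the Secure attribute.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header into the attributes relevant to the leak."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )


def audit(headers):
    """Return the cookies that a passive sniffer on an HTTP path could capture."""
    return [a for a in map(parse_set_cookie, headers) if a.leaks_over_http]


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(f"{finding.name}: sent in the clear on HTTP requests; add the Secure attribute")
```

The same check applied to a site's real responses tells you whether the "always use https://" advice is enforced by the server or left to the user's habits.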
References
- Cain: http://www.oxid.it/cain.html
- Hamster: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

Contact
- Sam Bowne
- Computer Networking and Information Technology
- City College San Francisco
- Email: sbowne@ccsf.edu
- Web: samsclass.info
- Last modified 6-26-08