Friday, May 30, 2008

Hacking Mail Passwords

Here are the most common ways someone can hack mail passwords, and how to protect yourself against them. There are more ways, and even these techniques
could be documented in more detail, but this file is not intended to be a step-by-step lamer spoonfeeding device. You only get the idea, the rest is up to you.
If you don't, that means you're too irresponsible in the first place. Ouch!
Hope you enjoy reading this... So let's get started:

Guessing
--------
Duh! The easiest method of hacking mail passwords is password guessing. Find out all information about the victim.
For example, if the victim is interested in aquariums, then his password might be something like fish, whale, dolphin, aquarium, etc.
A lot of people use their girlfriend's or boyfriend's name as their password.
You can also try "forget password", available on all mail providers. Try to guess the answer to the secret question the victim gave.
For example, if the question is "my mother's maiden name", "my first school name", "my pet's name", etc., it's quite easy to get the answer.
Note that a clever user doesn't actually set the answer to have anything to do with the question, do you? :>

Dictionary Attack
-----------------
A dictionary attack means you use a program that tries to connect to the mailserver using a username (your victim's) and, as the password,
each word in turn from a long wordlist. If the password is a common word (e.g. cat, john, sex, password, etc.) and you have a big enough list, then you might get lucky.

Brute force
-----------
Brute force works much like the dictionary attack; the difference is that the program you use doesn't read the passwords from a list,
but generates them itself. Let's say you want to break a 5-character password.
The combinations would look like this: aaaaa, aaaab, aaaac, ... aaaba, aaabb, aaabc, ... , zzzzz, if you use only lowercase letters, no numbers.
The thing is that most mailservers allow you to use lowercase, uppercase, numbers and symbols, and some even require a minimum length for the password
(e.g. the Yahoo! minimum length is 6 characters). A password that looks like "gJe4Ty&8lk!3" is practically unbreakable considering the time needed to try all the possible combinations.
You do the math. Brute force is theoretically the method that CAN get the password of the victim, but it's almost IMPOSSIBLE to use in practice due to the time needed.
It all depends on the length of the password. Also, many servers may ignore you after you have too many failed logins.
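
"Doing the math" for the two passwords above, as an added example that is not part of the original post. The guess rates and the lockout policy (5 failed logins per 15 minutes) are assumed values, and COMMON_WORDS is a constructed stand-in for a real wordlist:

```python
import string

# The four character classes the text mentions.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALL_CHARS = "".join(CLASSES)
# Constructed stand-in for a real wordlist, seeded with the page's examples.
COMMON_WORDS = {"cat", "john", "sex", "password", "fish", "whale", "dolphin"}
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password):
    """Size of the smallest alphabet an exhaustive search has to cover."""
    if not password or any(c not in ALL_CHARS for c in password):
        raise ValueError("empty, or uses characters outside the four classes")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password):
    """Number of candidates of exactly this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def throttled_rate(max_failures, window_seconds):
    """Guesses per second a server permits when it locks the account after
    max_failures failed logins per window (assumed policy values)."""
    return max_failures / window_seconds


def worst_case_years(password, guesses_per_second):
    """Years to exhaust the keyspace. Length does not help a password that
    is a common word, so those are reported as 0."""
    if password.lower() in COMMON_WORDS:
        return 0.0
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rates = (("1000 guesses/s", 1000.0),
             ("5 failures per 15 min", throttled_rate(5, 900)))
    for pw in ("password", "zzzzz", "gJe4Ty&8lk!3"):
        for label, rate in rates:
            years = worst_case_years(pw, rate)
            print(f"{pw!r:16} {label:22} {years:.3g} years")
```

The lockout matters as much as the length: with the assumed policy even the five-letter keyspace takes decades to walk through the login form, while a dictionary word falls regardless.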

Using a Keylogger
-----------------
Just install a keylogger on your victim's computer. Send it by mail or IRC and tell the victim it's a cool mp3 player, whatever...
There are keyloggers that only need to be clicked once and they do all the installing by themselves without the victim even noticing.
What a keylogger does is log all the keystrokes the victim types on that machine.
It works in the background, so the victim will not realize that his keystrokes are being logged.
And if all keystrokes are recorded, his login and password are included too when he logs in to read his mail.
Then just connect to the keylogger or set it to automatically send you the logfile by email.

Social engineering
------------------
This is one of the best methods, and unless the one you want to get the password from is really smart, you have every chance of tricking him.
What you will do here is send mail to the victim from administrator@hismailserver.com so that the victim will think he received mail from his administrator!
Newbie note: For the people who are new to SMTP, it is the Simple Mail Transfer Protocol and it runs by default on port 25.
To get some SMTP servers, use Google to search for "free smtp" or download a free SMTP server to be able to telnet to your own computer on port 25.
Personally I use Linux, which comes by default with sendmail, and so far it has worked every time. I also played a prank on a friend, tricking him
into thinking he was wanted by the FBI. OK, just type the following commands, without the "" of course:

"telnet mail.mailserver.com 25" or "telnet mailserver.com 25"
"HELO victimsmailserver.com"
"MAIL FROM: administrator@victimsmailserver.com"
"RCPT TO: victim@victimsmailserver.com"
"DATA"

Here you can write the message you want to send to victim.
After the message is over, press [Enter], put a "." on the new line, and press [Enter] again to indicate to the server that your message is over.
The mail might look like this:

From: administrator@victimsmailserver.com

Hello user of victimsmailserver.com. We deeply apologise for the inconvenience, but our server will go down for technical problems.
We have to announce you that you have to change your password in order to keep your account.
victimsmailserver.com keeps this information private and we assure you your data will suffer no harm.

IMPORTANT NOTE: Change your password to "revalidate_account" as soon as possible or your account will be DEACTIVATED!
You will receive a confirmation e-mail from our server to notify you that your request has been taken care of, once you've made the necessary changes.

Once again we apologise for the inconvenience and thank you for your understanding.
victimsmailserver.com administrator.

Now this was just an example. Be creative. You can tell the victim to send his username and password by email to you
(get a fake mail like administartor@victimsmailserver.com, note "administartor" not "administrator").
Once again you will be amazed how many people will get tricked even if most mailservers specifically tell you something like:
"MAILSERVER staff will NEVER ask for your password"...
Now the way experts use is to include a link in the mail you've sent him to a webpage you've already made that looks like victimsmailserver.com's homepage.
Just write on that page something like "lost VICTIM'S NAME account data" so the victim thinks he has to send all his data again.
Once he fills in the form on that page and presses "Submit", the page will actually send you mail with all his data, including the password.
With a little knowledge of HTML and PHP you can trick even the smartest people.

More social engineering
-----------------------
Open your victim's mail website and log in there with a wrong password! You will be directed to a page with an "invalid login" message.
Just modify that page and add the line "Operation time out" by editing its source code.
Also you will have to find the line
and change it to .
Now put the webpage on your webhost and name it timeout.html.
Make a php page which uses the mail() command to send you the username and password of the victim and name it evilscript.php.
Send the victim a mail with the following link: Picture.jpg.
Or use some JavaScript relocation code, like "window.redirect", but this depends on the victim's mailserver and it might not work
(Yahoo! can't be tricked with relocation anymore as far as I know), so personally I would use the link technique...
If you have knowledge of HTML and PHP then you will understand this one.

Bugs and exploits
-----------------
The best of the best use bugs in software (eg. Internet Explorer) or in the actual daemons running on the victim's mailserver.
Techniques such as "cookie collecting", "cross site scripting", "SQL injection" etc. I'm trying to figure them out myself :>
Anyone willing to help? In the future I might write an article on these techniques, as soon as I'm able to learn them...

Conclusion
----------
Mail passwords can only be hacked if the victim is not very security-conscious.
Use the following security measures to protect your mail password from being hacked.

- Keep your passwords long enough, containing numbers and special characters. Avoid using simple words or names as your passwords.
- Don't access your mail from a public place (keylogging danger). If possible, always access your mail account from your home.
- Don't run suspicious software on your computer; it may be a keylogger, a trojan or something like that.
- Always look at attachments with a suspicious eye, even when they come from a trustworthy person.
- Use the "full header" option of your mailserver to see if the email actually comes from where it says it does.
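
What the "full header" check looks like when automated, as an added example that is not part of the original post. It goes beyond the 2008 advice by also reading the Authentication-Results header that current providers stamp on delivery; the sample message, every address in it and the server name mx.mailserver.example are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name and address in it is made up.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.mailserver.example with ESMTP; Fri, 30 May 2008 10:00:00 +0000
Authentication-Results: mx.mailserver.example;
\tspf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: Administrator <administartor@mailserver.example>
Reply-To: helpdesk@example.org
Subject: Change your password

Change your password as soon as possible.
"""


def domain(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()


def auth_results(msg, trusted_id):
    """spf/dkim verdicts, read only from headers stamped by our own server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server, *parts = value.split(";")
        if server.strip().lower() != trusted_id:
            continue  # a sender can insert this header too; ignore foreign ones
        for part in parts:
            m = re.match(r"\s*(spf|dkim)=(\w+)", part)
            if m:
                verdicts.setdefault(m.group(1), m.group(2).lower())
    return verdicts


def findings(raw, trusted_id):
    """List the reasons the visible From line should not be believed."""
    msg = message_from_string(raw)
    frm, env, reply = (domain(msg[h]) for h in ("From", "Return-Path", "Reply-To"))
    issues = []
    if env and env != frm:
        issues.append("return-path domain differs from From")
    if reply and reply != frm:
        issues.append("reply-to domain differs from From")
    verdicts = auth_results(msg, trusted_id)
    issues += [f"{m}={verdicts.get(m, 'absent')}" for m in ("spf", "dkim")
               if verdicts.get(m) != "pass"]
    return issues
```

For the sample, `findings(RAW, "mx.mailserver.example")` reports all four problems; a message whose envelope sender matches From and that passed both checks returns an empty list.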

XP password cracking

These methods may break a Windows XP password, but they will take time.

1. Take an XP bootable CD.
2. Start the recovery.
3. Follow the usual recovery process until you get "intilizing devices" and the progress bar starts to increase.
4. At that moment, press "Shift F10". This is the loophole in the OS: you will get a command window.
5. Type the command useradd2.
6. You will get a graphical window with options to add a new password, remove an old user, and so on.
7. Change your password, then go back and complete the recovery.
8. You will now be able to access your operating system with your password.