Comments on: Attacking Password Recovery Facilities

By: vijay

vijay — Tue, 22 Apr 2008 20:01:11 +0000

want 2 break mail id password

By: frantic

frantic — Fri, 04 Jan 2008 21:07:16 +0000

I need to recover my gmail password. im in college and have forgotten my password. , im scared as hell of the whole hacking/cracking business and i dnt wana be phished (however that verb is supposed to be phrased).My security question has an answer my friend(hu filled the form n made d account for me) cant remember and he put a wrong secondary email id. u c my email id shud have beenâ€¦.@yahoo.co.in and he wroteâ€¦@yahoo.com. Now i cant get those reset links. Please help me! my internship correspondence is at stake! i cudnt understand the post by emmanuel hleah. Please tell me if the password can be recovered from my comp or if i can by any means access the incorrect secondary mail id.

By: dAVY

dAVY — Sun, 04 Nov 2007 07:47:21 +0000

mailinator is blocked by aol naw ,it reverts to other aol sugestion

By: Adrian Pastor

Adrian Pastor — Mon, 24 Sep 2007 22:55:00 +0000

Loser,

I just described a technique that could (for instance) allow you to a sample a large number of passwords that you would get emailed when clicking on a “I forgot my password” link.

If a site emails you a newly “randomly” generated password each time you reset it, you might be able to find a pattern by sampling a large number over a continued period of time. i.e.: 10 passwords requested per second for a total of 10 minutes.

Feel free to contact me through http://www.gnucitizen.org/contact and I’ll give yo u my messenger contact.

By: Loser

Loser — Mon, 24 Sep 2007 21:20:13 +0000

Hi, Interesting post. However, due to lack of technical knowledge, difficult to fathom. Mind elucidating online?

By: hany

hany — Mon, 24 Sep 2007 04:26:33 +0000

Dear
I will be very thankfull of urs if ur retrive my password of my e mail iceman4love@hotmail.com plz its very urgent..i will make dua for u if u get back my password.

plz e mail me that password on ice.man4love@hotmail.com

thanks
hany

By: Emmanuel Hleah

Emmanuel Hleah — Sun, 09 Sep 2007 04:54:25 +0000

#!/bin/bash
#
# resetRootPass script
#
# Recover lost root password of mysql database.
#
# By Willem Bermon
#

echo
echo "Mysql password recovery utility"
echo

# Stop the mysql server
/etc/init.d/mysql stop
/etc/init.d/mysql zap > /dev/null
/bin/killall mysqld > /dev/null

# Run mysqld in permissionless mode
/sbin/start-stop-daemon --start --quiet --exec /usr/bin/mysqld_safe \
        --background -- --skip-grant-tables >/dev/null 2>&1

sleep 1

# Execute queries
mysql -u root mysql -e "UPDATE user SET Password=PASSWORD('$1') WHERE \
                        user='root'; \
                        FLUSH PRIVILEGES;"
if [[ $? -eq 0 ]]
then
        echo " ** SQL root password updated"
else
        echo " ** SQL root password update unsuccesful"
fi

# Restart the mysql server
/bin/killall mysqld > /dev/null
/etc/init.d/mysql start

echo "Succesfully updated password!!"
echo
echo
exit 0

By: juby

juby — Fri, 27 Jul 2007 07:02:50 +0000

can i retrive the password of gmai account

By: Adrian Pastor

Adrian Pastor — Wed, 11 Jul 2007 09:16:45 +0000

Hi Esteban!

I believe the behaviour you described would occur only if the application is implemented properly.

Regarding mailinator, the following URL

http://www.mailinator.com/faq.jsp

mentions:

“after a few hours, all email is auto-deleted.”

So you’re right, received emails are not kept that long.

By: esteban

esteban — Wed, 11 Jul 2007 08:44:54 +0000

when the provider sends and email with a link + hash, it normally wont allow you to send you another link (lets say password recovery email) unless the timeout for the first one expires…the timeout is normally a time/cost function that limits how long or how much money it would cost you to get the hash predicted the following attempt (usually hours)

anyway, nice website mailinator.com, can be handy!!! anyone knows for how long it keeps your emails? probably not much!

is anyone aware of cool sampling tools that tries usual tricks (like b8/64/etc encoding, etc) and non-usual ones?

By: Adrian Pastor

Adrian Pastor — Tue, 10 Jul 2007 09:52:10 +0000

MadCyril:

I agree, this can be done with scripting languages like Perl, Ruby or Python. However, wouldn’t you rather reduce the number of lines of code to 5 by using a public site (mailinator in this case) that simplifies your work.

Tominator:

Sometimes the password might be more valuable. Imagine a forum site. The database simply holds public info. Now imagine the admin can see my password in the clear. Since most people reuse passwords he could now try the same password on the email I used to register (which he can see in the clear).

Furthermore, some people use site-based patterns for their passwords. i.e.:

MYPASS_4_www.forumsite.org

In this case the admin who can see my pw in the clear could try using my username on amazon and the following password:

MYPASS_4_www.amazon.com

The point is, whenever it’s feasible for information to be protected it should be. I personally don’t want dodgy admins looking up my password :) but yes you’re right, other sensitive data is usually in the clear anyways.

By: Tominator

Tominator — Mon, 09 Jul 2007 14:11:39 +0000

Hi,

I have a question: why must a password be stored in a hash with salt? Isn’t the rest of the data in your database more valuable than the pw, and totally not encrypted whatsoever? What difference does hashing the pw make?

Otherwise great read.

By: MadCyril

MadCyril — Mon, 09 Jul 2007 12:13:06 +0000

“Imagine writing a script that authenticates to your gmail account and parses the content of emails? This is crazy!”

– not at all, have you met Perl? I bet this could be done in 20 lines or less.

By: ol

ol — Sun, 08 Jul 2007 08:04:14 +0000

A paper that shows how to attack password request functionality using buffer truncation attacks..

http://www.sec-1labs.co.uk/pap.....elease.pdf

By: pagvac

pagvac — Fri, 06 Jul 2007 21:19:08 +0000

pdp:

didn’t know mailinator supports rss feeds. this makes the parsing even easier. well spotted!

mario:

password reminder and header injection is definitely an interesting topic to discuss. Although I haven’t played with this topic, who knows, you might find something on the topic in the future GNUCITIZEN :)

ntp:

life wouldn’t really be the same without GNU tools :-). Especially curl, I’m a huge fan of the project. It even supports proprietary authentication mechanisms like Windows authentication (NTLM auth), proxies, etc … it really is a must-have tool for server-side attacks.

By: ntp

ntp — Fri, 06 Jul 2007 16:27:15 +0000

huh. mailinator.com is a staple of mine. i always use it (or dodgeit.com) in the mail (required) fields in blog comments. i don’t want my real email address sitting in a database or plaintext email where it can be stolen and used for nefarious purposes.

bash, curl, grep, and cut are also staples of mine. if you do

for i in `seq 0 99` ; do stuff ; done

i think the results might come out quite faster, although i didn’t check this with time(1).

By: pdp

pdp — Fri, 06 Jul 2007 10:19:28 +0000

yep, ap is our password hacking guru, :) I am sure he will take on the challenge. sometimes, I get the feeling that he can make a password cracker out of chair or something.

By: .mario

.mario — Fri, 06 Jul 2007 10:11:47 +0000

Hi!

Nice article. Maybe it would be interesting too to write sth about password reminder and header injection - this problem is no news but still very often to find and quite related to the topic of this article.

Greetings,
.mario

By: pdp

pdp — Fri, 06 Jul 2007 09:12:24 +0000

I think that your approach is very interesting. I’ve never heard of mailinator but it seamed to be a quite interesting service. Good stuff!

One thing that I would like to point out is that mailinator supports RSS feeds as well:

http://mailinator.com/rss.jsp?.....omusername

so, it might be easier to extract all email entries with wget/curl in combination with the XMLStarlet toolkit or just grep/awk. Also, GMail supports RSS through the GData services. However, we need cookies for that. So yes, your approach is definitely cleaner. I love it.

Here is probably the place to mention that client-side security issues can expand across the traditional boundaries that they currently reside at. I can foresee a worm that can send XSS payloads over email and as such propagate. This is possible due to the existence of services such as mailinator and others that can transform RSS to email, email to RSS, etc. I am planning to release a paper on that soon, so stay tuned.