Follow us on Twitter!
Ideas are far more powerful than guns.
Sunday, April 20, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 37
Guests Online: 35
Members Online: 2

Registered Members: 82847
Newest Member: Zanjux
Latest Articles

Mozilla Engineering

Arrow Image How to use and abuse mozilla to get some passwords.



Firstly, I would like to say this is for learning purposes only, the story(ies) may or may not be true and no illegal activities are the fault of hellboundhackers, the users of hbh, or I.

Ok. So, I found a new way of social engineering. It's fun, easy, and might just get you a password or two. Alright, for this, you will need to be with the friend or victim when doing this. Oh, and be sure to have the new mozilla firefox installed.

Well, they are over at your house and you say you sent an email with something important for them, but you forgot it. Say you deleted it off of your computer because you really didn't need it, or something. Just have an excuse for them to check their e-mail. Once they accept, tell them your computer is having some problems with hotmail and you need to save the password. To prove it, try to get into your account, but keep typing incorrect passwords. Then, just let them type it in, and go on. It helps if you really did send something. So they read through, say ok, and leave. Now, if they leave for even a second without erasing your cookies, your in. (this way you don't have to download un-friendly looking extensions) Now follow this.

Goto tools>options>security>show passwords
Click show passwords in the little box that pops up, and click ok. Read his/her password, and scram. Now, that worked for me, but I don't know about you. Occasionally it doesn't give you the pass for hotmail, but usually it will. I also used this to get a friends pass for a forum, AND his account on another website. This is my full story, and how I did it.

First, I found out about this by playing with mozillas options, and I had more in plan then just hotmail. He was supposed to come over to my house, so just before he did (on his way here) I sent an email with a small flash movie I made. He got to my house and I asked him to go onto his email and check it out, because I deleted it and we were bored. He knows already how messed up my computer is, so the next part was easy. I said that logins aren't working right, and they keep saying incorrect password. I said I found one way to get passed, by saving your password. So he didn't say anything, he just continued. He watched the movie, laughed, and one pass was done. I saved my pass on top of it (it collects more than one pass for different usernames) and checked out my email. I asked him about that forum he was talking about. He told me about it, and I asked if he could show me. Again, he saved the password, and another password done. I checked it out, said cool, and saved another pass on top so he didn't think I was saving them and could log on when ever. Next he wanted to check out another website just for fun, and he instinctively saved the pass. I went on the site too :). Another password done. That is how I made 3 passwords, in less than thirty minutes. To view them before he left, I simply said I was heading on to see if someone messaged me when we were playing video games. Success.

Using nearly this same technique, you can get passwords for nearly anything. If you gain access to their computer, always see if you can view their passes like this. Just another way we can get ahead.

**NOTE**
***Ok, FYI, I have recieved some flaming for this, so I think it is deserved that I give my say right here and now. Here are a few frequently asked questions.

Q. Dude, why the HELL would you do this to a friend?!?
A. I did this to my friend and it turned out he used the same password for EVERYTHING. And the password? The town we live in. How secure is that? I thought it was a bit more of an impactive way to show him about his passwords. I have told him for 3 years to make his passwords secure and he just says "Ya ya, what ever" and this opened his eyes. I let him think for a while someone else was really reading through his emails, sending emails under his name etc. and told him it was me, gave him the new password and immediatley he changed his passwor to one including numbers and not just a guessable word. NOW he no longer uses the same password twice. I think it really taught him a lesson about password security.

Q. Why would you write an article about this anyways?

A. How many people have stopped hitting the "Remember Password" button firefox pops up with? I know I did when I found it (not that I really ever did before anyways...)

Q. Why not just use a keylogger?

A. Well, I'm not trying to "pwnzerrz any1's uph tehm n00b3r5" I am trying to help out friends with security. I don't think I need to make/download a keylogger.... and, FFS: if I can do this, why the second F's sake would I take time out to program a keylogger? I'm lazy when I can be!

Q. Why do you use hotmail? (yes folk theory, I was getting to you :P)

A. I unno... It is more universal for my friends, I have been trying to get them onto gmail and yahoo (even though AIM is WAY easier for social engineering)

Comments

Folk Theoryon December 03 2006 - 03:47:10
two questions: why would you want your FRIEND'S password? youre supposed to be his friend not someone who steals his passwords... and the most important qustion: WHY THE HELL DO U USE HOTMAIL???
err0r33on December 03 2006 - 15:18:25
The easyest thing would be to get a keylogger on, and tell him to access his Hotmail.
DarkShadow1990on December 03 2006 - 16:34:00
ok... so you are saying that i need to get the victim into my house, on my computer, get him to log on and save his passwords... The only reason this work for you is because your friend trusts you. You thanked him by abusing this trust for what purpose...to screw your friend?
Flaming_figureson December 03 2006 - 19:00:37
Ok, I guess I should explain my friend has asked me a thousand times to hack him. I didn't actually mess anything up, I just told him that he should always make sure he clears his passwords. Also, you can do this by going to someones house, or even logging this password. I wanred him of security, he changed his password, and now doubts slightly the god hood of mozilla. He knows everything wont magically go away if he wants it to. Now he changes his passes frequently and is a lot more secure about the internet. Every hack can have a purpose. Try to find the right one.
Hapticon January 30 2007 - 16:50:47
This is a great trick, set these options on abandoned PCs at school or work and you'll build up quite a collection. Also, some people make a habit of using the same password for everything. So if you get really lucky, you could get your hands on an admin password.
Flaming_figureson March 15 2007 - 22:09:02
Actually, that was my original reason of this. This was basically just saying, "Hey, you can do this and this is how you do it" I left the why to you and you instantly think of my example as evil and the only reason. You can do it at school, work, or if you S.E. someone into letting you fix their comp (enemy) you can take a quick glance at it and they will know nothing about it. And like Haptic said, you may only need one. (I did it a school once, and avoided everyones pass but one... that was payback though Smile )
Flaming_figureson March 15 2007 - 22:10:22
Oops, and it was also an announcement about safety of yourself. I never save any usernames or passwords especially in mozilla anymore and always do a quick check before anyone goes on my comp.
Flaming_figureson July 03 2007 - 20:13:55
Lol.... I am actually pretty suse (but cannot confirm) that firefox save the passes in a text file... I will explore because then we know where the passes are saved and we can figure out how to access them remotely...(without keyloggers which if found can be deleted)
cis_slayeron July 23 2007 - 05:28:11
but if they have their security set right.....you cant view ANYTHING...which is how mines set...lol....very nice article tho....i liked it.....im am gonna have to try this on some computers school....church.....work.....the likes hahah
cis_slayeron July 23 2007 - 05:34:45
and Firefox stores all the "Options" configuration as a javascript file...so i know all of you are smart....just insert some code to have it send all passwrds to yourself....dont know if that will work or not....but it gives you somthing to think about
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.