8/3/2019 Ethical Hacking GMail
Ethical Hacking: Hacking GMail
Teaching Hacking
What do Hackers Do?
- Get into computer systems without valid accounts and passwords
- Open encrypted files without the key
- Take over Web servers
- Collect passwords from Internet traffic
- Take over computers with remote access trojans
- And much, much more
Ethical Hackers
- Ethical Hackers do the same thing criminal hackers do, with one difference
- Ethical Hackers have permission from the owner of the machines to hack in
- These "Penetration Tests" reveal security problems so they can be fixed
Two Hacking Classes
- CNIT 123: Ethical Hacking and Network Defense
  - Has been taught since Spring 2007 (four times)
  - Face-to-face and Online sections available Fall 2008
- CNIT 124: Advanced Ethical Hacking
  - Taught for the first time in Spring 2008
Certificate in Network Security
Associate of Science Degree
Student Agreement
- Required for every student in CNIT 123: Ethical Hacking and Network Defense or CNIT 124: Advanced Ethical Hacking
Sniffing Plaintext Passwords
Insecure Login Pages
- HTTP does not encrypt data
- Always look for HTTPS on login pages
Tool: Cain
- Click NIC icon to start sniffer
- Click Sniffer tab, Password tab on bottom
- From http://www.oxid.it/cain.html
Authentication Cookies
GMail Uses HTTPS
- Sniffing for passwords won't work
- Most Web mail services now use HTTPS too
Cookies
- Thousands of people are using Gmail all the time
- How can the server know who you are?
- It puts a cookie on your machine that identifies you
Gmail's Cookies
- Gmail identifies you with these cookies
- In Firefox, Tools, Options, Privacy, Show Cookies
Cross-Site Request Forgery (XSRF)
Web-based Email
(Diagram: Target using Web-based email, through a Router, to the Internet; Attacker sniffing traffic)
Cross-Site Request Forgery (XSRF)
- Gmail sends the password through a secure HTTPS connection
  - That cannot be captured by the attacker
- But the cookie identifying the user is sent in the clear with HTTP
  - That can easily be captured by the attacker
- The attacker gets into your account without learning your password
Demonstration
XSRF Countermeasure
- Use https://mail.google.com instead of http://gmail.com
- No other mail service has this option at all, as far as I know
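The mechanism behind the cookie-capture slide and its countermeasure, as an added example that is not part of the original deck: a small Python model of the browser rule (RFC 6265 Secure attribute) that decides whether an authentication cookie is attached to a plain http:// request, run over a constructed weak Set-Cookie header and its hardened form. The example.test hostnames and the cookie values are constructed.

```python
"""Browser cookie rule behind the capture on the slides (added example, not
from the original deck).  RFC 6265: a cookie set without the Secure attribute
is attached to every matching request, plain http:// ones included, so a
sniffer sees it even though the password itself went over HTTPS.
Cookie names, values and the example.test hosts are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into a small attribute dict."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {"name": name,
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
            "domain": morsel["domain"].lstrip(".") or None}


def would_be_sent(cookie: dict, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    parts = urlparse(url)
    host = parts.hostname or ""
    domain = cookie["domain"]
    if domain and host != domain and not host.endswith("." + domain):
        return False  # domain-match rule
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies travel only over HTTPS
    return True


def cookies_sent_to(set_cookie_headers: list, url: str) -> list:
    """Names of the cookies a browser would send to url; for a plaintext
    http:// url these are exactly the ones a sniffer on the path could read."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if would_be_sent(c, url)]


# Constructed sample: the first header reproduces the weakness on the slide
# (session cookie without Secure); the second is the hardened form.
WEAK = "SID=c0n5truct3d; Domain=.mail.example.test; Path=/; HttpOnly"
HARDENED = WEAK + "; Secure"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "-> sent over plain http:",
              cookies_sent_to([hdr], "http://mail.example.test/inbox"))
```

The hardened header is the server-side counterpart of the slide's advice: with Secure set, the cookie only ever travels over HTTPS, so a user who lands on an http:// page no longer leaks it.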
References
- Cain: http://www.oxid.it/cain.html
- Hamster: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
Contact
Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: [email protected]
Web: samsclass.info
Last modified 6-26-08