
Sunday, September 4, 2022

Hack email accounts or passwords using session cookies

Today I will be exploring how to hack email and passwords for many websites using session cookies. In my previous article, I described session hijacking. Today, I will show you the practical implementation of session hijacking, that is, how we can take over other users’ sessions and hack their email accounts and other website passwords. In this tutorial on hacking email accounts using session cookies, I will use a Yahoo account.

What is a Session Cookie, Magic Cookie or Session ID?

Let’s first discuss this in very simple terms. Whenever we log in to our account, the site generates a unique string that lets us stay logged in automatically for a limited time. After that limited time passes, it expires by itself.
Note: it lives only as long as your web browser is open. If you close your web browser, it is deleted (this is a recent upgrade to cookies that provides more security).
Now this unique string, or “Magic Cookie,” is stored in two places. The first copy is stored on the server (which we cannot do anything about) and the second is stored in our web browser in the form of a cookie.
This cookie is destroyed in three ways: first, when you close your web browser; second, when you sign out of your account; and third, if you leave your account idle for more than 20 minutes.

How to access the cookies on the local system?

As I said above, this tutorial is for hacking a Yahoo email account. In your web browser, open yahoo.com and log in to your account.
After that, type the code below exactly as is (without the quotes) and press Enter:

"javascript:alert(document.cookie);"

Now a popup box will appear showing the cookies, something like this:


Create one fake account on yahoo.com, log in to that account and retrieve the cookie in the same manner, and notice the changes in the session IDs.
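
Whether document.cookie shows a session ID at all depends on the attributes the server set on that cookie: one marked HttpOnly is not exposed to page script, and one without Expires or Max-Age is a session cookie. The following is an added example, not code from the original post, that audits Set-Cookie header values for those attributes; the cookie names and values in it are constructed samples.

```javascript
// Added example: audit Set-Cookie header values for the attributes that decide
// whether page script can read a cookie and how long the browser keeps it.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [pair = '', ...attrs] = parts;
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('readable via document.cookie (no HttpOnly)');
  if (!attrs.secure) findings.push('sent over plain HTTP (no Secure)');
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (!sameSite) findings.push('no SameSite attribute (browser default applies)');
  else if (sameSite === 'none') findings.push('SameSite=None: sent on cross-site requests');
  // No Expires/Max-Age means a session cookie, dropped when the browser closes.
  const persistent = 'expires' in attrs || 'max-age' in attrs;
  return { name, persistent, findings };
}

// Constructed sample headers (names and values are made up for this example).
const SAMPLE_HEADERS = [
  'SID=abc123; Path=/',
  'SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=dark; Max-Age=31536000; Secure; SameSite=None',
];

function auditAll(headers) {
  return headers.map(auditCookie);
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  const life = r.persistent ? 'persistent' : 'session cookie (no Expires/Max-Age)';
  console.log(`${r.name} [${life}]: ${r.findings.join('; ') || 'no findings'}`);
}
```

Only the first sample header would put its session ID in the popup described above; the second is the hardened form of the same cookie.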

To hack the session cookies, we first need the session cookies of the victim, which are quite simple to obtain. You just need to send him one link; as soon as he clicks on it, we will get his session cookie.

After hacking the session cookies, we can use the stolen session cookie to log in to the victim’s account even without providing the username and password. As I already explained, session hacking removes the authentication on the server, as we have the AUTO LOGIN cookie. In this type of attack, when the victim signs out, the hacker will also be signed out. But in the case of Yahoo, things are a little different. When the victim signs out, the attacker still has access to his account. Yahoo maintains the session for 24 hours and then destroys the session IDs from its server.

How to Steal the Session Cookies?

1. Go to any free web hosting website which supports PHP and register.

2. Download the Cookie stealer files:



3. Now upload the four files onto the website and create one empty directory named “Cookies” as shown below:


4. Now send the link of yahoo.php to your victim. When the user clicks on yahoo.php, the cookies get stored in the directory Cookies and simultaneously the victim is redirected to his account.

5. Open the link Hacked.PHP to access the cookies. In my files the password is “password.” You need to enter that to access the files.


6. You must have gotten the username of the victim’s account. Simply click on it, and it will take you to the inbox of the victim’s Yahoo account without asking for any password.


Now it doesn’t matter if the victim signs out from his account; you will remain logged into it.

Note: 

You can try this attack by using two browsers. Sign into a Yahoo account on one browser and run the code. Then sign in through another browser using the stolen session.

In my next article, I will explain how to decode cookies. In this tutorial, you will only get the cookies, which are encrypted. You will be able to log in but you will not know what information they contain. As we are professional hackers, we must know each and every thing, so wait till the next article.

Hope you all have liked it. If you have any queries, ask me.
Please comment.
