Jump to content

Gmail Password Recovery In Cain And Abel...


NegativeSpace

Recommended Posts

After downloading Cain & Abel and doing a little ignorant clicking, I've found that my gmail user name and password can be recovered by the software.

I don't want that information floating around the air, at least not in an unencrypted plain text form, but I don't know what to do about it. It's recovered by using the "Credential Manager" tool under the "Decoders" tab in C&A.

After I snooped the password, which I already knew of course, GMail notifier stopped working, and I uninstalled it. I would like to be able to use it, but not if there is no way to protect it from being sniffed.

I don't even know if this 'Credential Manager" is part of GMail notifier, or if it was installed from the factory, because I've seen some stuff about 'HP credential manager'....... Anyway, whats the solution?

Also, can someone point me to a place where I can learn about LM Hash and NTLM Hash? I remember watching an episode of Hak5 that dealt with LM Hash, but I don't remember which episode.

Edited by NegativeSpace
Link to comment
Share on other sites

The password was stored locally, which means you can recover it quite easily. Same way you can recover passwords from IE, FF, Chrome, Opera and Windows itself if you have the relevant permissions and access to the machine.

Link to comment
Share on other sites

The password was stored locally, which means you can recover it quite easily. Same way you can recover passwords from IE, FF, Chrome, Opera and Windows itself if you have the relevant permissions and access to the machine.

I didn't think of it that way. I guess it would be a lot harder for anyone to recover that same information from another machine on the network because it would all be encrypted. Is that correct?

Link to comment
Share on other sites

Well yeah, once someone is on your network then your pretty much SOL.

Yeah I'm not so worried of anyone having network access. I guess I will reinstall the GMail notifier now that I know why it was so easy to recover the password. I also remembered how easy it is to recover a windows login password, so I changed that to be longer so it's not LM Hashed, which I should have done the day I learned that XP stores this password with LM Hash, but I have my security slack like everyone else I guess.

Link to comment
Share on other sites

Yeah I'm not so worried of anyone having network access. I guess I will reinstall the GMail notifier now that I know why it was so easy to recover the password. I also remembered how easy it is to recover a windows login password, so I changed that to be longer so it's not LM Hashed, which I should have done the day I learned that XP stores this password with LM Hash, but I have my security slack like everyone else I guess.

You could try and hack my Gmail password, it would almost be impossible to crack it. I use upper and lower case, as well as combination of letters, numbers and symbols and its a total of 20 characters. That's how strong my passwords are.

Link to comment
Share on other sites

You could try and hack my Gmail password, it would almost be impossible to crack it. I use upper and lower case, as well as combination of letters, numbers and symbols and its a total of 20 characters. That's how strong my passwords are.

Cracking it? Whats to crack? Its not like there is some hash people can download of your password to crack.

Instead, if I were wanting to get someones gmail password I would try several things first. I would either phish it in some manner via faked page or social site you visit reguarly(hoping you use the same password multiple places), or if I was already on your network, just use your cookies via ssl strip with mitm or something similar to a session hijack ala hamster and ferret.

Then there is also the password reset questions. To do that, you need their gmail sign on name and you can start the password reset process. It then sends an email to the user to click a linnk to reset it, but if they dont reply within 24 hours (aka no longer have that email address) google then lets you try again, but the next time (after the 24 hour period) google then asks you your password reset questions. If a user picked something simple, then it may be trivial to get at the password, but if their reply is more than a one word answer, then it becomes much more difficult.

Link to comment
Share on other sites

Cracking it? Whats to crack? Its not like there is some hash people can download of your password to crack.

Instead, if I were wanting to get someones gmail password I would try several things first. I would either phish it in some manner via faked page or social site you visit reguarly(hoping you use the same password multiple places), or if I was already on your network, just use your cookies via ssl strip with mitm or something similar to a session hijack ala hamster and ferret.

Then there is also the password reset questions. To do that, you need their gmail sign on name and you can start the password reset process. It then sends an email to the user to click a linnk to reset it, but if they dont reply within 24 hours (aka no longer have that email address) google then lets you try again, but the next time (after the 24 hour period) google then asks you your password reset questions. If a user picked something simple, then it may be trivial to get at the password, but if their reply is more than a one word answer, then it becomes much more difficult.

I am a very conscious user when it comes down to phishing or stealing personal information. I am always careful, when clicking on links that I don't know, or where they come from. So you can try and phish me, but it won't work, I delete most of my emails that I receive. I don't use social website much, everytime I subscribe to a different website I always use a different password and very difficult to guess. I don't use https much, I use other methods for securing myself online. My reset questions are never personal, like what is my mother maiden name or how many dogs have I had in the past.

I don't know try me.

Edited by Infiltrator
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...