64 ways to steal someone’s password

Prabal Jaat
14 min read · Apr 11, 2023



A question I get asked all the time is: can you help me get into something? And probably the easiest way to hack into anything is just to get the password and log into it. So I thought I'd give you 64 ways to get someone's password in 17 minutes, and as a disclaimer, don't do any of this unless you have permission. Probably the most effective way of getting someone's password is just to steal their computer, or steal their phone or tablet. This is sometimes called the evil maid attack, because once you have physical access to their computer, the chances of you being able to get into their accounts are much higher. Sometimes there's no password on their device and you can just get in, and who knows, maybe they're already logged into the account you want to access, or their credentials are cached. You're in. You could just ask for their password. Jimmy Kimmel demonstrated how to do this on TV, and people gave answers like "it's my dog's name and the year I graduated from high school" or "my cat's name and then just a random number". Maybe the place you want into has already been breached before. You can go onto breach forums and just buy the passwords you want. If you can't find the database you're trying to get into, well, a lot of people reuse passwords, so maybe get the contents of a different database, see if their password is in that, and then use it to try to get into the one you want. You can try to brute force your way in: tools like Burp Suite or Hydra can try to log into a website over and over, each time trying a different password, starting with maybe "aaa", then "aab", then "aac", and going down the line until it finds a match.

If you can somehow get the password hash, like by grabbing the contents of Windows\System32\config\SAM where hashes are stored, then you can try to crack the hash using something like John the Ripper or hashcat. Sometimes it's easier to get into a higher-level account. Like, if you can get root access to a Linux computer, then you can reset the password for any user on that machine or see their private keys. Or if you can get AD admin access or help desk access, you can then go in and reset any user's password in the whole AD database. Or if you can get in as the website admin, you can reset any user's password that way. Or if you can get into the database directly, you can reset someone's password using SQL commands. Or heck, if you can get into the database, you might just be able to see the password itself there; sometimes it's stored in plain text. And you might wonder, how the hell am I gonna get into a company's database in the first place? Well, you just need network access to it, then find a vulnerability on it or find a password for it, and then exploit it or get into it. Many times I've seen people go onto the website Shodan and find open MongoDB databases just sitting on the internet for anyone to read the entire contents of. Or you could go onto a website and try to do an SQL injection. This is where the website and database servers just aren't secure and they allow too much user input from the website. And yes, entire databases have been dumped through SQL injections. Another way to get into a database is to comb through any code that you might find on the website or app. A lot of times credentials are hard-coded in programs or within the app somewhere. You can also look to see if there are any open AWS instances that expose the code base and then dive in there looking for any sort of database credentials, or you can look through GitHub repos searching for usernames and passwords in there.
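The post's point that a database sometimes holds the password itself in plain text is the easiest one to fix on the defending side. The following is an added example, not code from the post or the video it transcribes: it puts the weak pattern (the literal password stored in the table) next to the hardened one (a per-user random salt plus a slow scrypt hash, compared in constant time), and includes a small check that simulates what an attacker who dumps the table actually gets. The scrypt parameters are an assumption for the example and would be tuned to the server.

```python
import hashlib
import hmac
import os

# Weak pattern from the post: the password itself goes into the table.
# Anyone who can read the table (SQL injection, an exposed database, a stolen disk)
# gets the password directly.
def store_plaintext(users: dict, username: str, password: str) -> None:
    users[username] = {"password": password}

# Hardened form: only a per-user salt and a slow, memory-hard hash are stored.
# Parameters are an assumption for this example; tune them to the server.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)

def store_hashed(users: dict, username: str, password: str) -> None:
    salt = os.urandom(16)  # unique per user: equal passwords give different hashes
    users[username] = {"salt": salt.hex(), "hash": _derive(password, salt).hex()}

def verify(users: dict, username: str, password: str) -> bool:
    record = users.get(username)
    if record is None:
        # Burn the same cost for unknown users so response time does not reveal
        # whether an account exists.
        _derive(password, b"\x00" * 16)
        return False
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def dump_reveals_password(users: dict, password: str) -> bool:
    """Simulates an attacker reading a dumped table: is the literal password in it?"""
    return any(password in str(record) for record in users.values())

if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "correct horse battery")
    store_hashed(hashed, "alice", "correct horse battery")
    print("plaintext table leaks password:", dump_reveals_password(plain, "correct horse battery"))
    print("hashed table leaks password:", dump_reveals_password(hashed, "correct horse battery"))
    print("login with right password:", verify(hashed, "alice", "correct horse battery"))
```

A dumped table of salted scrypt hashes still has to be cracked one guess at a time, which is exactly the John the Ripper / hashcat step the post describes; the plaintext table skips that step entirely.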
Unfortunately, a lot of private API keys and passwords are discovered on GitHub, just posted right there in public for anyone to see, and an API key, if you can get that, is often just as good as a password. Sometimes even an inspection of the app itself, using the strings command or looking through the plist files, may turn up a password sitting right there in plain text for you to use. Actually, you might just be able to right-click, view the source, look through the code right on the website, and find something like a vulnerability or password or API key. An API key can get you data from a website such as passwords or other user data. Getting a private key is sometimes all you need, but you could also try exploiting an API directly. Sometimes you can trick APIs into sending you more data than what you should be allowed to see, and we've seen some major breaches that were supposedly just data from insecure APIs. Oh yeah, and if you can get into a data center physically, steal a database server, and bring it home, you could probably get into it eventually. It might be as simple as just pulling out the hard drive, putting it in your own computer, and trying to read it that way.
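The two paragraphs above keep coming back to credentials and API keys sitting in code, on GitHub, or inside an app bundle. The defensive counterpart is to scan source for such secrets before it is committed. Here is an added example of that kind of scanner (it is not code from the post, and it is not any particular secret-scanning product): a few detection rules run over a constructed sample file, with an allowlist so that values read from the environment or obvious placeholders are not reported. The AWS access key ID shape (`AKIA` plus 16 upper-case alphanumerics) and the PEM private-key header are real formats; the generic "credential assignment" rule is a deliberately broad heuristic, and the sample values are made up.

```python
import re
from typing import List, Tuple

# Detection rules. The AWS access key ID shape and the PEM private-key header are real
# formats; the credential-assignment rule is a broad heuristic that will need tuning.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_credential", re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']""")),
]

# Lines that read the value at runtime or hold an obvious placeholder are not findings.
ALLOWLIST = re.compile(r"os\.environ|getenv|\$\{|<[A-Z_]+>|CHANGE_ME|EXAMPLE")

def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, matched_text) for each line that looks like a committed secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST.search(line):
            continue
        for rule, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, rule, match.group(0)))
                break  # one finding per line is enough
    return findings

# Constructed sample "source file". None of these values are real credentials.
SAMPLE_SOURCE = "\n".join([
    "import os",
    'DB_PASSWORD = os.environ["DB_PASSWORD"]  # read at runtime: fine',
    'aws_access_key_id = "AKIAZZZZTESTKEY12345"  # constructed, but in the real key-ID shape',
    'api_key = "<YOUR_API_KEY>"  # placeholder: fine',
    "smtp_password = 'hunter2hunter2'  # literal credential",
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for lineno, rule, text in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {text}")
```

Run as a pre-commit hook, a scanner like this catches the "just posted right there in public" case before the push; it does nothing for a key that is already in the repository's history, which has to be rotated.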

Okay, so what else? Oh yeah, if you're on the same Windows computer as the person whose password you want to steal, you can try to run Mimikatz. This is a tool that can extract other users' passwords out of memory. And if you're on the same local subnet as another user, you could run a tool called Responder, which will act like a shared drive on the network. Other computers will see it and try to connect, but Responder will first ask them to authenticate, and this is where the other computer will show you their password hash, and you can just grab that and try to crack it. Sometimes just passing the hash is good enough to log into something, and you don't actually need the password. Or maybe you run Responder and get the password of another user, not the one you're trying to get. Well, if you have that, you might want to try to log in as them and see if they have some sort of extra privileges, like maybe they're an admin, and if they are, then that would give you the ability to take over whoever's account you want. And hey, maybe the domain admin password wasn't what you wanted, but if you have that, it can get you access to other accounts that might get you into what you do want. Or maybe this password is reused in other places, or maybe it shows you a clue of what their passwords might look like. If you want someone's Wi-Fi password and you're near their device, you can get something called a Wi-Fi Pineapple, which will act like their Wi-Fi network and ask their devices for the Wi-Fi password, and their devices might give it up. Speaking of Wi-Fi passwords, if you're in range, you can get tools like aircrack-ng to watch Wi-Fi traffic and try to crack the password on some networks. Let's talk about insiders. An insider is someone on the inside. Imagine if you knew someone who worked at Facebook who could reset any user's password for you, and they might charge you a fee. That's one way to get a password, right? Take a look at this picture.
Someone sent it to me: an insider who works at Taco Bell, showing that for 30 bucks they'll reset any Taco Bell user's account, and the picture is of their terminal showing that they have access to do these things. There are a lot of different kinds of insiders; you just got to know people. Nation-state actors do something similar with what's called a seeding operation, where they recruit someone who's about to go work for a company, help them get hired there, and then use their inside access to carry out tasks that will help the government. Like, the CIA might seed someone into a company and then ask them for passwords or internal data or something. Another thing I've heard nation-state actors do is set up surveillance systems on certain targets and spy on them, such as planting microphones and listening to conversations, or using long-range photography to see what they're doing on a computer. Take a look through the NSA's ANT catalog for an example, to see some wild and crazy tools that could absolutely be used to steal passwords. And I saw this article the other day: supposedly you could just turn on the mic on your phone and record when somebody types in their password, and that might be enough information to decode what buttons were pressed. There's another crazy article about someone using thermal cameras to watch which keys got warmer when someone was typing on their keyboard. Let's talk about tricking your target. This is sometimes called phishing or social engineering or just scamming them. There are hundreds of ways to trick the user into giving you their password. Like, one method is to install a keylogger on your computer and then get them to use your computer to log into something of theirs. With a keylogger on your computer, you can then go back and see what keys they typed when they typed in their password to a website. You can try shoulder surfing: watching their fingers hit the keys as they type their password.
You should probably practice this before doing it, as it takes a bit to learn. I mean, watch this video and try to guess what Kanye's password is.

You could set up a fake look-alike website using a tool like the Social-Engineer Toolkit. With this you can set up a totally fake website and then give them the link, making it look like they're logging into their account, but it's a fake website, and when they try to log in, it captures the password they typed in and sends it to you. You can try to call the person up and just try to trick them into telling you their password, like:

"Calling from Microsoft customer support. We see some suspicious activity on your account. I can fix it, but first I need you to verify your password." This kind of trickery can work very well; it might be the easiest way to get someone's password. You could also call up the place that you're trying to access, act like you're the target, and ask the company to reset your password. You're acting like you're them, and if you can get them to do that, you can access their account. You can also try looking on the desk, under the keyboard, or in their wallet; the password just might be written down somewhere. Like if you are the CEO of a company and you're dumb enough to leave your login info on a Post-It note on your desk. So it's not a hack, it's barely social engineering. If they don't physically write it down, you could try looking through their files: Dropbox, Google Drive, local storage, network storage. People sometimes think it's a safe place to store their passwords in some file up there.

You could also try to get a victim to install a keylogger: say, a chat program or game that they want to play, but really it's a keylogger which captures all their keystrokes and then sends them to you, and you can eventually see what passwords they type when they finally do. Speaking of keyloggers, there are USB keyloggers too. If you could just walk by someone's computer and plug it in, it'll capture all the keystrokes that person types and store them on the USB drive, and then you just need to walk by later and pull it out. There are also other tools such as the Rubber Ducky and the O.MG cable, which look like ordinary cables or USB drives. When you plug one in, it injects keystrokes into the computer, so you could plug it in and it might do something like grab a dump of the memory or hash table, and then you can unplug it and try to look through that data for a password. Or maybe you could just attack the device over the network because it's insecure somehow. So if you can identify a vulnerability and use that exploit to get yourself access to their device, once you get on their device you can do things like install your own keylogger or sift through their files looking for the password. A lot of people use password managers now, which I recommend; I think it's a good idea. But what this is is a secure database where all your passwords are in one place, and it's protected by a single password. So if you can get their password manager's master password, then you have access to everything. Another thing that will give you tons of data is their email. If you can't get into where you need to get, but you can get into their email inbox, then you can just reset their password, which will typically send a link to their email, and then you can just click the link and reset it to whatever you want. And this is so effective that what some people do is go right for attacking the email when they need to get into someone else's account.
Like, they'll call up Google or Microsoft and pretend to be the person they want access to, and trick Google into resetting the Gmail password. A lot of times the password is just something you can guess. A lot of people use their dog's name or grandma's name or something close to them. Here's Gilfoyle doing it on the show Silicon Valley: "I was social engineering them, then that information is entered into a word list generator, pop it with their hash into John the Ripper, and within minutes you have their passwords." And you don't have to social engineer them. You can sometimes just look at what they publish online and build a word list that way. They might talk a lot on social media about the things they love or their private life, which can all be gathered for someone to try to guess what their password might be. To give you a clearer idea: when pentesters are tasked with seeing if a company's users have weak passwords, they'll try to crack the hashes of all the users in the whole company. But what they've learned that helps them find weak passwords is to throw a whole bunch of culturally relevant words into the word list they'll be guessing from, such as local school names, local sports teams, local street names, local restaurants, city names, or things that are related to the company, like the name of the company or its mascot or address. It's sick how many employees use their own company name as their password. Also take a look at the most common passwords seen today; there's a high chance it might be just one of those. People often use the simplest password they can. Sometimes websites have weak reset or password policies. I've seen a website once reset the password to a new four-character password that the website chose for me, and if you can reset a user's password to be four characters, it'll be pretty easy to brute force that afterwards.
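The paragraph above is, read from the other side, a specification for a password-acceptance check: reject the most common passwords, reject defaults, and reject anything built from the "culturally relevant" words (company name, mascot, city, local team, street) or from facts the user has published about themselves, even with the usual digit-for-letter substitutions. The following is an added example of such a check, not code from the post; the organization context list, the user-attribute list and the small common-password set are constructed for the example (a real deployment would use a full breached-password corpus).

```python
import re
from typing import List, Sequence

# Constructed lists. In production these would be the full breached-password corpus
# and a per-organization context list, not these few entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "admin", "letmein", "welcome",
                    "admin123", "password1", "iloveyou"}
DEFAULT_CREDENTIALS = {"admin", "root", "password", "changeme"}
# company name, mascot, city, local team, street: the words the post says pentesters add to wordlists
ORG_CONTEXT = ["Acme", "Rocket", "Springfield", "Isotopes", "Main Street"]
MIN_LENGTH = 12  # assumed policy minimum for this example

# Common "leet" substitutions, undone before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(s: str) -> str:
    """Lower-case, undo leet substitutions and drop non-letters, so
    'Spr1ngf!eld2023' collapses to something containing 'springfield'."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))

def check_password(pw: str, user_attrs: Sequence[str] = ()) -> List[str]:
    """Return the list of policy problems for pw; an empty list means accepted.
    user_attrs are facts about the user (pet names, employer, birth year) that
    the post notes people publish online and then reuse as passwords."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    low = pw.lower()
    if low in COMMON_PASSWORDS or low in DEFAULT_CREDENTIALS:
        problems.append("common or default password")
    collapsed = normalize(pw)
    for word in list(ORG_CONTEXT) + list(user_attrs):
        w = normalize(word)
        if len(w) >= 4 and w in collapsed:  # very short words would match everything
            problems.append(f"contains guessable term '{word}'")
    return problems

if __name__ == "__main__":
    for candidate, attrs in [("Acme2023!", []), ("Spr1ngf!eld-Is0topes-2023", []),
                             ("Fluffy-the-cat-2019-xyz", ["Fluffy"]),
                             ("correct-horse-battery-staple", ["Rex"])]:
        print(f"{candidate!r}: {check_password(candidate, attrs) or 'ok'}")
```

The normalization step is what makes the context list useful: the post's pentesters do not bother with exact matches because nobody types "Springfield" verbatim, they type "Spr1ngf!eld2023", and a check that only compares the raw string misses exactly the passwords the wordlist would catch.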
If you know where the person you're trying to hack into works, you could call up their help desk, pretend to be that person, and ask for a password reset, and you might be able to trick them into changing it for you to whatever you choose. Sometimes you don't need their password. Sometimes you can just steal a session cookie, which will make it seem like you're already logged in without even providing a password. Recently I had someone try to trick me into sending them my Discord logs, which contained my session data. If I would have sent this to them, they would have been able to log in as me on Discord, even though I have two-factor authentication turned on. And you know what? I talked to this person and they told me about another trick that they use, which is to send people fake links on Discord which look like they're taking you into a legitimate Discord page, but in reality you just gave them access to your account, which works even if you have 2FA turned on. Or I've seen people get into someone else's account simply by telling the website that they are a different user, and since the website saw that they had already authenticated, it just lets them switch users to someone else. This obviously relies on the website being poorly coded and insecure for it to work. Private keys are a whole other thing. If you can get a private key, it's often just as good as a password, and private keys are typically too hard to memorize, so they've got to be stored somewhere, and wherever they're stored, you can look around for them and try to find them. When someone types their password in, it's usually shown as all asterisks on the screen, right? But in some situations you can right-click and do Inspect Element to see what the password looks like in clear text. You can also try looking through cached data to see if a password is saved somewhere on their device. A lot of times the password is left as the default too, so always try default passwords, like maybe admin/admin or root or admin/password. Being on the same network as them, you might be able to act as a proxy, intercepting all the traffic on the network and inspecting everything they're sending or receiving, or intercept their traffic with something like a LAN tap. Somewhere in the traffic is their password or session cookie, and it's just a matter of finding it.
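Two of the weaknesses above are reset flows: a site that resets an account to a four-character password of its own choosing, and a help desk that resets a password for whoever asks. On the server side the fix is a reset token that cannot be guessed, expires, is single-use, and is only ever delivered to the account's verified contact channel. This is an added example of such a service, not code from the post; the 15-minute lifetime and the injectable clock are assumptions for the example, and the weak four-character variant is included only to make the size of the search space concrete.

```python
import hashlib
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for this example

@dataclass
class ResetRecord:
    username: str
    expires_at: float
    used: bool = False

class ResetService:
    """Issues and redeems password-reset tokens.

    The raw token is sent only to the account's verified contact channel; the
    store keeps a SHA-256 of it, so a leaked table cannot be replayed."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._store: Dict[str, ResetRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG: not guessable
        self._store[self._fingerprint(token)] = ResetRecord(
            username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the username whose password may now be changed, or None if the token is bad."""
        record = self._store.get(self._fingerprint(token))
        if record is None or record.used or self._clock() > record.expires_at:
            return None
        record.used = True  # single use: the same link cannot be redeemed twice
        return record.username

# The weak pattern from the post, for comparison: a site-chosen four-character temporary password.
WEAK_ALPHABET = string.ascii_lowercase + string.digits

def weak_temp_password() -> str:
    return "".join(secrets.choice(WEAK_ALPHABET) for _ in range(4))

def weak_search_space() -> int:
    # 36 ** 4 = 1,679,616 candidates, which is why the post calls it "pretty easy to brute force".
    return len(WEAK_ALPHABET) ** 4

def strong_search_space() -> int:
    # token_urlsafe(32) encodes 32 random bytes: 2 ** 256 candidates.
    return 2 ** 256

if __name__ == "__main__":
    svc = ResetService()
    link_token = svc.issue("alice")
    print("first redemption:", svc.redeem(link_token))
    print("second redemption:", svc.redeem(link_token))
    print("weak temp password search space:", weak_search_space())
```

The help-desk case is not solved by the token alone: the token is only as good as the identity check that decides who it gets sent to, which is the part the post's "pretend to be that person" attack targets. Delivering it to a contact address that was verified before the request, rather than one supplied during the call, is what closes that gap.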

Instead of going straight for the password of the target that you want, it might be possible to attack a third party. Like, maybe if you can get into their Apple account, that might get you into their phone, and then once you're in their phone, you can get into the other account you want. Or you could just extort them, threaten them, attack them. There's something called a wrench attack, where it doesn't matter how much security you have: if somebody is banging you on the head with a wrench over and over, that might be enough for you to give up your password. I've got it all right here with a bow on it. Now I want to emphasize: don't go stealing people's passwords, logging into their accounts, or accessing their data. You could get in a lot of trouble for doing that. The point I'm trying to make here is that there are a lot of ways that someone can get into your accounts, and it should be clear at this point that your password is a weak link when it comes to securing your stuff. I just mentioned 64 ways of getting into your accounts, but with enough creativity, time, and resources this list can grow really long. It's important to take your own security seriously. So use long, complex passwords; use a different password on every website you have an account on (I recommend using a password manager); use two-factor authentication where available; and always be extremely careful of where you're logging in or who you're giving your password to, so that you don't accidentally hand your password to the wrong person or site. Good luck, and stay safe.
