EH-Net

Hi All

How can i hack Gmail.

i have a squid server and now on this 25 user are connected.now i want to sniff
gmail password .

 ::) simple. use a packet sniffer. Next

Hi and welcome to ethicalhacker.net.

This site is called ethicalhacker.net because it is devoted to ETHICAL hacking. You request doesn't sound all that ethical, it sounds illegal more than anything else. Perhaps you can elaborate in your request if you think it's within the realm of ethical hacking.

Jimbob

First of all I have to agree with Jimbob. This is an "Ethical Hacking" site. I would think twice before posting stuff like this. It really sound malicious when someone comes out and says "I want to hack gmail". Second It's gmail... Google is very secure so good luck! Intercepting the passwords will do you no good because they are encrypted. You might be able to catch any chatting, but that's if the user wasn't smart and forced the site to connect via SSL. i.e. change the http to https.

Also, you do need a packet sniffer like RoleReversal said, but I would research public key and private key encryption and in order to crack the passwords you do get from sniffing the traffic would require you to get goggles private key.. I don't see that happening.. but hey, anythings possible.

hi all

i know very well that this is not ethical hacking activity.
but i am working as network administrator.and we have a information that some
user send confidentational data to out side of our organozation.

Sayonara.yoga,

if this is the case then you may be able to contact Google direct to determine if your confidential information is there, but I suspect you may need smoking gun evidence and possibly a police warrant.

Alternatively if you have information related to a specific individual you may be able to contact them directly and request that they show your their account. They may subscribe to 'nothing to hide....', of course if they are smart then any evidence will be deleted so access to their gmail account will not be of any use.

Finally even though it is a corporate network and corporate information I would advise reviewing your policies and/or contracts as it may still be illegal to sniff the passwords from the network. This could potentially get both your self and your employer into a whole heap of trouble.

As others have said, gmail should be encrypted therefore merely sniffing the traffic on your proxy may not be sufficient. I do not believe this is the most logical, legal or practical approach, but without knowing your environment better it is difficult to suggest a better course of action.

If it is causing problems and data leakage then you could/should review corporate policy and block access to gmail et.al. just be aware that in this day and age a sufficiently privileged insider will usually be able to find some way of removing data from safe storage. Often improving the audit-trail capabilities of your environment is enough to stop insiders doing unwanted activities as it increases the prospect of getting caught.

Hope this helps.

RR

If you strongly suspect an employee is sending confidential information out from the company to a third party then you need so seek legal council. If your company has a legal department speak to them and see what action you can take. You need to determine if it is legal for you to monitor their activities at all before you begin.

If the situation is serious enough consider bringing in an outside expert in computer forensics to assist with the investigation.

Jimbob

I agree that if an employee is doing this, there are some technical as well as non-technical steps to now take. Talk to management to see how they want to proceed.

In the future, I would consider putting in a Data Loss Prevention product like Vontu (http://www.vontu.com/) or Vericept (https://www.vericept.com/) to look at the data before allowing it to go outside of your organization.

Hope this helps,
Don

PS - A couple pieces of advice. All caps in text communications means you are yelling. I'm sure that's not what you meant. Secondly, asking how to hack gmail will get the wrong reaction (as you saw) from our community. Stating it as a professional issue clearly got you more info.

As stated earlier... what you're describing isn't really going to garner a great response, unless you articulated a bit better on what you were after. 

#1)  What country are you in?  Your English appeared rather... strained.  That can affect the legal ramifications.  If you are in Russia... or Cuba... the policies may well be different than the USA or UK.  IE.. what policies.

#2)  IF you are in a country that has laws on such things, it is quite possible you will have to have a written permission signed by employees that their internet usage can and will be monitored.  If you do not have that, you are heading for a world of hurt in court.  If you are in the US, it can amount to fines, and quite possibly "burrito in the bum" lovin time with a prison life partner.  Or at least couple month partner.

#3)  Also, if it is your server... and these are your laptops/computers... on your LAN.. in your company... why don't you just install a keylogger?  Either hardware or software?  It is not only easier than learning to sniff Gmail passwords... it is also looks better in a court case than digging around inside peoples personal email accounts.  Catch the drift? 

There are so many levels of problems here.  If this is the case, it is still not legal to break someones personal email account.  You cant take thier password and rummage through thier account. 

but you can examine the computer.  This is done every day.  Just get a forensic examiner to check it out.  With encase you can peice together a bunch of interesting things like webmail pages.  Plus, if it turns into litigation, you stealing a password isnot going to help matters.

From a technical standpoint (I think the legal/ethical has already been covered) Good_4sh's advice is your best option.  Once you have the "smoking gun" evidence from the keylogger you can collect the employees hard drive for forensic analysis. 

If you aren't interested in punitive action (fire/arrest employee) then I wouldn't even bother.  Just block access to all web mail accounts and that should discourage this from happening in the future.  A lot of companies don't allow access to Web Mail as a standard practice.  Good Luck!

Digging around peoples personal email accounts.. even if they are checking them from YOUR offices... is a bad bad idea from a legal stand point.  Recording what they type ironically is much much less difficult to explain, and fairly easy if you have pre-existing policies signed by the said employees.  So, if you are indeed an admin of an office... careful where you dig.  If you're using that as an excuse to try and dig into peoples private email boxes, and arn't being told to do this for a business... get ready for Bubba's lovin.

Keylog the suspected user's terminal.  This will eliminate any legal issues (I am assuming the terminal and IT equipment is owned by the company)... Keylogging will also eliminate encryption as an obstacle.

Plus, if you AREN'T who you say you are, it will be a little more difficult to install a keylogger and have logs sent to you remotely. Problem Solved.

~Efferri

You sure? Personally I'd check with my legal department. This may not be universally true.

Mmmmm, that is not completely correct, and no offense intended Efferri but just hear me out a sec. I have been dealing with legal issues like this for a major Fortune 100 Financial institution for years now and have a lot of experience in this area (preventing data leakage and prosecuting those who would sell your trade secrets).

 I have seen employees successfully sue their employers for tactics like that EVEN when their is a signed agreement acknowledging no expectation of privacy on company owned equipment. This type of tactic CAN fall into the realm of violating your employees rights even if you own the equipment and is very tricky to handle in court, because you have selected THAT employee for a level of monitoring beyond the rest of your employees it can also fall into the realm of discrimination.

Personally I would avoid this type of situation altogether and deploy a tool like Vontu as Don suggested. It is forensically sound, generally accepted as a standard in legal communities for IP (Intellectual Property) loss cases and keeps your company protected from discrimination responses from your employees.

-Jordan

It's been my impression, though I am a bit newer to this field than many of you, that for an organization to employ the use of keyloggers, it must be done across the entire operation.  Otherwise, not only will the evidence be inadmissible in court, but the company opens itself up to litigation.

I could be wrong, but that's the way I've always understood it.

No offense taken what-so-ever.  That's what these forums are for.  I don't claim to be an expert on the laws of the land (or even savvy).  I merely speak from personal experience.  I have had to resort to this two times in the past 11 years, and it has served me well.  Granted, we had a blanket disclaimer on all login screens notifying the user of monitoring, and also have them all sign a pretty lengthy Appropriate Use Agreement (which includes a CYA page of monitoring jargon.)

So, when I offered the KL suggestion, I was assuming the individual would be bright enough to check with his/her superiors before implementing anything.

 ;)

That is very true, any action like a keylogger or privacy violation to an employee needs to be first OKed by HR and/or Legal council really.  I actually had an issue earlier this year where I had to go through so much friggin paperwork it made my head hurt... because a user was going places with their federal laptop they should not have been.  I had to prove that I had not singled out this employee for investigation, but rather they had come to me... when their laptop stopped working.  (Anyone say... Viruses?)  I quickly discovered their computer full of... well lets not go there.  None the less, it was a friggin headache, and the user had brought the infected/filled computer to me.  Setting up an appliance that blanket covers the office is probably the best.  Blanket keylogging for a smaller organization is semi-doable I suppose though.

yes, that is exactly my point, you have to be able to prove that you had not singled out the employee, hence blanket coverage is the best way to go IMO.