How to Get Someone's Password

A question I get asked all the time is "can you help me hack into something?" And probably one of the most easy ways to hack into anything is to just get the password and login to it. So I thought I'd give you 64 ways to get someone's password in under 10 minutes. Oh and as a disclaimer, don't do any of this unless you have permission. Probably the most effective way of getting someone's password is to just steal their computer. Or steal their phone. Or tablet. It's sometimes called the "evil maid" attack. Once you have physical access to their computer, your chances of being able to get into their accounts are much higher. Sometimes there's no password on their device and you can get in and who knows, maybe they're already logged into the account you want to access or the credentials are cached. You could just ask them for their password. Jimmy Kimmel demonstrated how simple this is. Maybe the place you want in, has already been breached before. You can find breach forums and buy the password you want. If you can't find the database you're trying to get into, a lot of people reuse passwords. So maybe get the contents of a different database, see if their password is in that, then use it to try to get into the one you wanna get into. You can try to brute force your way in. Tools like "burp suite" or "hydra" can try to login to a website over and over with different passwords. Starting with aaa, then aab, then aac, and going down the line until it finds a match. If you can somehow get the password hash, like by grabbing the contents of C:\windows\system32\config\SAM where hashes are stored. You can then try to brute force the hash, using tools like john the ripper or hashcat. Sometimes it's easier to get into a higher level account. Like if you get root access to a linux computer, you can reset the password for any user on that machine or see their private keys. Or if you get AD admin access, or help desk access, you can then go in and reset any user's password in the AD database. Or if you can get in as the website admin, you can reset any user's password that way. Or if just get into the database directly, you could reset someone's password using SQL commands. Or heck if you're in the database, you might just be able to see the password itself there. It might be stored in plain text. And you might wonder, how the hell do I get into a database in the first place? Well you just (1) need "network access" to it, then (2) "find a vulnerability" on it or the password for it, and then (3) "exploit it" or get into it. Many times I've seen people go on shodan and find open mongodb databases. Just open, on the internet for anyone to read the entire contents of. Or you could go to a website and try to do an SQL injection. This is where the website and sql server aren't secure and allow too much user input from the website. And yeah entire databases have been dumped through SQL injections. Another way to get into a database is to comb through any code you can find on that site or app. A lot of times credentials are hard coded in programs or within the app somewhere. So, look if there are any open AWS instances that expose the codebase and then dive in. Or github repos that have usernames and passwords in them. Unfortunately a lot of private API keys are discovered this way too, which an API key can be just as good. Or sometimes even an inspection of the app itself, using the strings command, or looking at the plist file can show you a password listed right there in plain text. Actually you might just be able to right click view source and look through the code right on the website to find something. Like a vulnerability or password or api key. So an API key can get you data from a website such as passwords or other user data. Getting a private key is sometimes all you need. But you could also try exploiting an API directly. Sometimes you can trick these into sending you more data than what you should be allowed to see. We've seen some major breaches that were supposedly just data from insecure APIs. Oh yeah, and if you can get into the datacenter and steal the database server and bring it home, you can probably get into it. Maybe it's as simple as pulling the hard drive out and putting it in your own computer and then reading it that way. Ok so what else. Ah yeah. If you're on the same windows computer as the person you want their password, you could try to run mimikatz which can extract other users passwords out of memory. If you're on the same local subnet as another user, you could run a tool called responder which will act like a shared drive on the network. Other computers will see it and try to connect. But responder will first ask them to authenticate. That's where you can grab their hash and then you can use it to login to things or try to crack it. Sometimes just passing the hash is good enough to login, and you don't need the actual password. Or maybe if you run responder and get a password it's not the user you wanted, but maybe it's a user with extra privileges on the network. Like an admin. Which would have the ability to take over any account. And hey, maybe the domain admin password wasn't what you needed, but if you have that, this can get you access to other accounts that might help you get into what you want. Or maybe this password is reused in other places. Or maybe it shows you a clue what their passwords look like. If you want someone's wifi password, and you're near their device, you get something that's called a wifipineapple which will act like their wifi network and ask them for their wifi password, and their device might give it! Speaking of wifi passwords, if you're in range you can use tools like aircrackng to try to watch wifi traffic to find the password for some networks. Let's talk about innys. An inny is someone on the inside. Imagine you know someone who works at facebook, who can reset people passwords for you. Sometimes they'll charge a fee. That's one way to get it. Take a look at this. This is an inny who works at taco bell, showing that for $30 they'll reset any tacobell users account, and it's a picture of them at the terminal showing they have access to do such things. There are LOTs of different kinds of innys. Just gotta know people. Nation state actors do something similiar in what called a "seeding operation". Where they recruit someone who's about to go work for a company, and get them hired there, then use their inside access to carry out tasks for a government entity. Like the CIA. They might provide a password or internal data. Another thing I've heard nation state actors do is set up surveillance systems on certain targets. And spy on them. Such as planting microphones and listening to conversations or using long range photography to see what they are doing on the computer. Take a look through NSA's ANT catalog for example. There's a technique where you can listen to someone type their password in and the mic on your phone can record the sound of it and maybe decode what buttons were pressed. Here's an article about how someone used thermal cameras to watch what keys were warmer than others which allowed them to see what someone's password was. Let's talk about tricking the user. Sometimes called phishing, social engineering, or just scamming them. There are 100s of ways to trick the user to give you their password. Like one method is to install a keylogger on your computer, and then get them to use your computer to login to something. With a keylogger you can then go back and see what keys they typed in for their password. You can try shoulder surfing, watching their fingers hit the keys as they type their password. You should probably practice this before doing it, as it takes a bit to learn. I mean some are easier than other, watch this video and try to guess what kanye's password is. You could set up a fake look-alike website using a tool like the social engineer toolkit. And send the user a link to login to their account with a link to this fake site. And the thing is when they login, it sends you the password they typed in. You can try to call the person up, and try to trick them into telling you their password. "Hello I'm calling from Microsoft customer support. We see some suspicious activity on your account, I can fix it but you have to first give me your password." This kind of trickery works incredibly well. You could also call up the place you want to access, and act like you're them, and ask the company to reset your password. And now you have access to their account. Try looking on their desk, under their keyboard, or in their wallet for the password written down somewhere. If not there, try looking through their files. Dropbox, google drive, local storage, network storage. People sometimes think this is a safe place to put their passwords. You can also try to get the victim to install a keylogger on their machine. Maybe you trick them into installing something they think is a "chat" program or a game you want to play with them. But really it's a keylogger which captures all their keystrokes and then sends them to you. You can eventually see them type their password. Speaking of keyloggers. There are USB keyloggers too. If you can walk by someone's computer and plug it in, it'll capture all keystrokes, and stores it on the usb drive. Then you just need to walk by later and grab it. There are also other tools such as rubber ducky and omg cable that look like ordinary cables and usb drives but when you plug it in, it injects keystrokes into the computer. So you could plug it in, and it might do something like grab a dump of the memory or hash table and then you can unplug it and try to look through that data for password. Or maybe you could just attack their device over the network. Maybe it's insecure somehow. So you can identify the vulnerability, then use an exploit to get yourself access to the device. Once you get on their device you can do things like install your own keylogger, or sift through their files looking for the password. A lot of people use a password manager. This is a secure database with all their passwords in one place, and it's protected by a single password. So if you can their password manager's master password then you have access to everything. Another thing that would give you tons of data is their email. If you can't get into where you need to get, but you can get into their email, then you can just reset their password which will send them a reset link to their email and you can reset it to whatever you like. And this is so effective that what some people do is go right for attacking the email when they really need to get into another account. And they'll call up Google or Microsoft, pretend to be the person they want access to, and trick Google to resetting the gmail password. Perhaps their password is something you can guess. A lot of people use their dog's name or grandma's name or something close to them. And you don't have to social engineer them, you can sometimes just look at what they publish online a build a word list that way. They might talk a lot on social media about their private life which can all be gathered for someone to try to guess it. To give you a clearer idea, when pen testers are tasked with seeing if a company's users have weak passwords. They'll try to crack the hashes of all the users in the whole company. But what they've learned helps at finding weak passwords is to throw a whole bunch of cultural relevant words into the word list that they'll be guessing from. Such as local school names, local sports teams, local street names, city names, or things related to the company like the name of it, or it's mascott or address. It's sick how many employees use their own company name in their password! Also take a look at the most common passwords seen today. There's a high chance it's just one of those! People will often use the simplest password they can. Sometimes websites have weak reset or password policies. I've seen a website once reset the password to a new 4 character password that the website chooses. If you can reset a users password to be 4 characters, then it'll be pretty easy to brute force after that. You could call up their helpdesk, and pretend to be the person you want get access to, and ask for a password reset. You might be able to trick them into changing it for you, to whatever you choose! Sometimes you don't need their password. You can just steal their session cookie which will make it seem like you're already logged into the site without providing any password. Recently I had someone try to trick me into sending them my discord logs which contain my session data! They could use that to be me on discord. And you know what I talked with this person and they told me about another trick they use which is to send people fake dyno links. Which looks like you're authenticating to a discord dyno, but in reality you just gave them access to your account, which works even if you have 2fa turned on. Or I've seen people get into someone elses account simply by telling the website they are a different user and since the website saw they have already authenticated, they just let you switch users if you tell it you're someone else. This relies on the website being poorly coded for it to work. Private keys are another thing. If you can get a private key it's just as good as a password in some situations. Private keys are typically too hard to memorize and gotta be stored somewhere! Look around for them. When someone types their password in it's usually shown as all stars. In some situations you can right click and do inspect element to see what the password looks like in clear text. You can also try looking through cache data to see if a password is saved somewhere on their device. A lot of times the password is left as default. So, always try default passwords first, such as username admin, password admin, or whatever. If you're on the same network as them, you might be able to act as a proxy and inspect all traffic they are sending and receiving. Or intercept their traffic with something like a LAN tap. Somewhere in their traffic is their password, or session cookie. It's just a matter of finding it. Instead of getting the password for what your target is. It might be possible to attack a third party. Like maybe if you get in their apple account you can then get into their phone, then you can get into what you want. Or you could just extort them. Threaten them, do the wrench attack, until they give you their password. Now I want to emphasize, don't go stealing people's passwords and logging into their accounts accessing their data. You could get in a lot of trouble for doing that. The point I'm trying to make here is that there are a lot of ways someone can get into your accounts. And it should be clear at this poin that your password is a weak link when it comes to securing your stuff. I just mentioned 64 ways of getting into your accounts, and I didn't even mention malware or viruses at all. It's important to take your own security seriously. So use long complex passwords, and use a different one for every website you have an account on. I recommend using a password manager, use 2 factor authentication where available, and always be extremely careful where you are logging in so that you don't accidentally hand your password to the wrong person or site. Good luck. Stay safe.