SecurityHunk

Many people open there inbox in-order to check their email or send a email and then sign-out but what we do not know that there are indeed lot of things are carried out when we simply send or receive a email.

There is a detail report/history of all those things  that are carried out and are attached with the email.

Yes, I am talking about email headers.They are kept hidden from normal user but we can certainly view it.

These headers comes very handy when tracing email, filtering spams, recording the Ip address of the sender etc. So, let's see what email header is all about and later in the post we will see how to get email header.


What is Email Header?

It is a record/report/history of  the email which covers the path from the sender to the receiver and also contains the vital information about the email servers that it has encountered in its path.

Few emails also contain digital signature to detect the tampering of the email in the path.

What information we can get from Email headers?

As i mentioned above we can get the history of the email and the information on the path the email has traveled to reach us.Lets see what information we can get from it.....
                               
            1.When the sender has composed the message(Date,Time)
            2.When the email was sent from the sender's PC to the email server.(Date,Time)
            3.When the email was sent from the email server to the intended receiver.(Date,Time)
            4.The type of protocol used in the entire path.
            5.The PC of the sender can be identified from the Header.
            6.The IP address of the sender but not always.
            7.The type and the number of digital signatures on the email I mean the type of algorithm.
            8.What type of email-client the sender has used to send the email
            9.The ISP of the sender. 
           10.If any third party is using any tracking means.

How to view Header of an Email?

Here I have listed out not all but few of the web mail providers and email client using which you can get email header.

1.Gmail: Login in a standard version >Open email of your choice >Click the down arrow next to reply >Then select show original.

2.Yahoo: Login >Select the desired email >Click on action drop down menu >Select view full header.

3.Hotmail: Login >Select Inbox >Right click on the desired email >Select view message source.


1.Outlook Express: In order to view email header in outlook Open it >Select  the desired email from Inbox >Right click on it and select Properties >Details.

2.Mozilla:Open it >Open the desired email > Click view menu >Message source.

How to read an Email Header.

Here I have taken the example of my Gmail account to explain, we will see how to view email header in gmail.

As mentioned above we first need to open up the header of  any desired email as shown below.

(Click on the image to zoom it.)

 This is what you will get in a new window as shown below.

(Click on the image to zoom it.)

As you can see i have divided the whole header into 3 sections.It is worth mentioning that a header is always analyzed in bottom to top approach.This is because most of the vital informations about the sender is there at the bottom.You can say in the above image section1 is for destination mostly and section3 is for source mostly.

Section 3:

(Click on the image to zoom it.)

MIME-Version:1.0:MIME stands for Multipurpose Internet Mail Extension. It tells about the types of attachments in the email.It allows to send sound,graphics etc.Here the Mime-Version field shows that it is currently in 1.0.

Received:by :It show the time and date the email reached the Gmail server.

In-Reply-to: and References : Both are same,as the name shows it means whether the sender has sent an reply to the past message or is a direct new message.If it is a reply message then it contains the reference of the past message.This is an unique number.

Message-ID:This show the system from which the email has originated,I mean the senders's PC.It can be changed or forged easily.This is also a unique number.

To: and From: It gives the sender's and receivers email-id.

Content type:What type of content is there in the email ie. text or image or anything else.
Section 2:

(Click on the image to zoom it.)

What is DKIM-Signature?

DKIM(DomainKeys Identified Mail) is a digital signature put on every email we send or receive through email servers.It is used because the emails cannot be tampered or altered in its path.This mechanism is also used in spam filters as spam do not have any digital signature.

In the above image there are certain values let me explain.
                  v=Version
                  a=The algorithm used by Sender or Originating Web mail provider.
                  c=canonicalization algorithm of header and body.
                  d=Sender or Originating Web mail provider.
                  s=Selector
                  h=Contains the list of all the digital signature done on this email.
                  bh=Body hash
                  b=Digital signature of header and body.

Section 1:

Delivered-To:It contains the email-id of the receiver.

Received:by : You can see there is a  2 second difference in time between the "received by:" in section 3 and section 2.It shows the time and date the email reaches the gmail server.

Return-Path: The sender's email-id.

Received :from :Specifies the Ip address of the sender generally in "[ ]" but in gmail it is masked by the gmail server address.

This video explain in detail the insights into what is Email Header using Mozilla Thunderbird client.



If you find this post worth reading then do drop a comment,it will be appreciated.

Computers talk or communicate over the network using Mac address(Media Access Control Address ) which is unique for each and every machine.Here in this post we will see how we can spoof or change the Mac Address manually and using tools.

Procedure:


Step 1.
Type "Regedit" in run and press enter.In the regedit winodow follow the path
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318] as shown in the image below.
Step 2.
Check all the values under the above path to find the correct driver description(DriverDesc) as shown in the above image.For me it was "0009",Now search for "NetworkAddress" in the right side of the editor,if you find it then change the value to your desired 12 digit number(MacAddress).If you cannot find "NetworkAddress" then create a new "string value".
Step 3.
 Now rename the new string value to "NetworkAddress" and set the value to a random 12-digit number as shown below.
Step 4.
Now disable the connection and enable then open up command prompt and type the command ipconfig /all to find the change in Mac Address.

1.SMAC :
It is not a freeware tool to use but it is a very useful tool and widely used for spoofing MacAddress(Download)

2.Macshift:
It is an opensource tool and has a command line usage.(Download)

3.MadMACs:
If it a very user friendly tool you just need to double click on the executable thats it.(Download)

If you find this post useful and interesting then do drop your comment,it will be appreciated... :)

In Microsoft Windows user account password and information are stored in a file called SAM. The windows SAM file location is “%systemroot%\system32\config” and also a backup copy of the file is also stored in ”%systemroot%\repair”.Here in this post we will see how to use John the Ripper for windows to extract the information.

As part of Windows 10 Password hack, we will be using brute force password cracker that is John the Ripper and Pwdump7.In this John the Ripper tutorial we will keep things simple for understanding and keeping in mind if any beginner is following it.

In Windows 10 and earlier versions till Windows SP3 the SAM file is by default locked with syskey enabled so we cannot open it as such and view its content so here in this post, I will show you how we can crack it and retrieve the hash.

You may be wondering what does SAM stand for?

It is can be expanded as Security Accounts Manager, it stores the user credentials information.

Requirements:

1. Pwdump7: (Download)

2.John the ripper Download

Procedure:

Step 1. You need to have the administrative privilege then open up command prompt window, using the command prompt go to the directory where pwdump7 is present and follow the on-screen information as shown below.

Step 2. After all the hashes are being displayed on the command prompt screen right click on the title bar copy it then pastes and saves it in a text file.First right click and mark the screen before copying. Here I have saved it as pw-hash.txt

Step 3.Having downloaded John the ripper for windows browse into John’s root directory and use the command as shown in the image below.

Step 4.The command we have used above is “C:\JOHN\RUN>john-386 C:/pw-hash.txt –users=Administrator”, the format of the command is “john-386 [Hash file path] –users=[Username]”.Here the hash file path is “C:/pw-hash.txt” and the username is “Administrator”, by using the above command then the John will search for the password of Administrator.

You can also use “C:\JOHN\RUN>john-386 C:/pw-hash.txt” so that John will search for the password of all the usernames available.

If you have a John the ripper wordlist then you can use the wordlist mode as well.

john --wordlist=password.txt pw-hash.txt

I think from this post we were able to understand how to use John the Ripper for windows Tutorial and Pwdump7 .

If you find this post useful then do drop a comment it will be appreciated.