The Hungry Hacker's Explanation of Everything


How do I “hack” Hotmail?

16 September 2005

Note: This is a historic article, kept around for archival purposes only. It’s probably still somewhat relevant, as it serves pretty well for a primer on social engineering – but don’t expect everything listed here to work without a little brain-work involved. Do not email us with questions about this article, unless you want to take the chance of being publicly ridiculed.

This is one of the most awful questions we ever get asked, and it generally happens about once a week. The reasons vary, but not as widely as you might think – they almost always fit a certain pattern, with certain keywords replaced at will to disguise the message in the hope that we won’t realize how formulaic it actually is.

Anyway, there generally isn’t at any given time a “magic fireball” that will get you into your friend’s Hotmail account. Every so often a hole will appear, but such holes are generally tricky to execute and almost always require a certain amount of target stupidity. And chances are you won’t get ahold of it before it’s fixed, so just give up on that right now.

So what’s a budding Hotmail “hacker” to do then?

Well, since almost every Hotmail vulnerability I’ve seen involves a level of stupidity on the part of the target, and since, despite nearly a decade of high-density media coverage of computer security issues, there are still a lot of stupid users out there ripe for the picking – let’s discuss that. It’s basically called “abusing the stupid factor”, but to most it’s generally known as social engineering.

Note firstly that this doesn’t make you a hacker. Note second that it’s probably illegal depending on where you live. Note third that we’ll not be held responsible for anything that you do; this article is merely for theoretical purposes, to answer what seems to be a burning question for a small portion of the internet community, and then we’ll be on our way.

A crash course in Social Engineering

The full wonders of social engineering are well outside the scope of this article, but we can quickly skate over this topic that some people consider tantamount to “hacking people’s minds”. Simply put, social engineering is saying things that people want to hear before they will provide you with something they shouldn’t. You can confuse them, be deceitful, be intimidating, whatever you need to do to get the information out of someone – and if you’re doing it over the phone it’s not as easy as it sounds. It generally takes a lot of bravado and some experience, and you need to think like a chess player.

In the case of Hotmail, we’ll generally be doing it over the internet unless you know your target personally. Let’s first analyze the angle of attack before we start worrying about trivial things such as how to get the information you need.

Hotmail and other web services

While the majority of our requests for webmail help are about Hotmail, this article theoretically applies to any web-based service that uses the same techniques for user verification. With a little modification you could apply it to all manner of things.

The first thing you need to do is enumerate what exactly it is that you need. At the time of writing, Hotmail has a two-step password reset process. For step #1, all you need to know is the person’s email address (surprise) and where they live down to the zip code. Getting this information out of someone is often tricky, but it’s not impossible.

For step #2, all you need is the answer to their “secret question” but before you can do this you need to know what the secret question is – meaning you need the other information first. The secret question is usually something like “what is your favorite pet’s name?” which if you craft the conversation just right, most people will think nothing of disclosing.
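The two-step reset described above, modelled next to a hardened alternative, as an added example that is not from the original article and is not Hotmail's code. The account data and the names `weak_step1`, `weak_step2` and `HardenedReset` are hypothetical; the hardened flow assumes the account has a recovery contact on file.

```python
import hashlib, hmac, secrets, time

# Constructed sample account; every name and value here is hypothetical.
ACCOUNTS = {"alice@example.test": {"zip": "90210", "question": "Favorite pet's name?",
                                   "answer": "rex", "recovery": "+1-555-0100"}}

def weak_step1(email, zip_code):
    """Flow as the article describes: email + zip code discloses the secret question."""
    acct = ACCOUNTS.get(email)
    return acct["question"] if acct and acct["zip"] == zip_code else None

def weak_step2(email, answer):
    """Answering the question is all that stands between a caller and a new password."""
    acct = ACCOUNTS.get(email)
    return bool(acct) and answer.strip().lower() == acct["answer"]

class HardenedReset:
    """Reset gated on a one-time token sent out of band, not on personal facts."""
    TTL, MAX_TRIES = 600, 5

    def __init__(self):
        self.pending = {}   # email -> [token_hash, expiry, tries_left]
        self.outbox = []    # stands in for SMS / alternate-mailbox delivery

    def request(self, email, now=None):
        now = time.time() if now is None else now
        acct = ACCOUNTS.get(email)
        if acct:
            token = secrets.token_urlsafe(16)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[email] = [digest, now + self.TTL, self.MAX_TRIES]
            self.outbox.append((acct["recovery"], token))
        # Same reply whether or not the account exists: nothing is disclosed.
        return "If the account exists, a reset code was sent to its recovery contact."

    def confirm(self, email, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if not entry or now > entry[1] or entry[2] <= 0:
            self.pending.pop(email, None)   # expired or exhausted: drop the request
            return False
        entry[2] -= 1                       # every attempt counts against the limit
        ok = hmac.compare_digest(entry[0], hashlib.sha256(token.encode()).hexdigest())
        if ok:
            del self.pending[email]         # single use
        return ok
```

Everything the weak flow checks is a fact about the person that other people can learn; the hardened flow checks possession of a short-lived random value and returns the same response for known and unknown addresses.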

Target Acquired

Now that you know what you need, it’s time to go about getting it. The only idiot-proof advice I can give is be patient. Now you must learn as much as you can about your target. Most of the information that you’ll need will be easy to get out of the person, until you get to the zip code. You could of course use the zip code as your first point of attack – you know the way some phreaks think they’re being cute by asking others what area code they’re in? And then they look on their little sheet and are like “Long Beach, nice”? Well, depending on your target’s demographics (fancy talk for where they live and what they do) you might be able to pass this off as being cute.

Never underestimate the power of impersonation. Get to know the target and figure out what they would be attracted to and emulate that (easiest if done online). If they’re an early teen boy, pretend to be a girl (don’t laugh, you’d be amazed at the information you can nail out of someone). If they’re a hacker wannabe, pretend you’ll mentor them (after all, you aren’t a wannabe, right? *chortle*). If they’re into NASCAR, pretend you have the largest collection of memorabilia in Kansas.

This may take some research, but it’s worth the time and effort especially if you go very slow. Step #1 is to acquire the zip code by any means necessary. If the person has a domain, try the one that’s listed in their whois information for a start. Tell them you have a cool device that tells you how far they are away from you (google for zipdy if they want you to pony up with an answer). Whatever works.

Hook, line and sinker

Hopefully now you are armed with a zip code, and possibly even some answers to what might be their secret question. Browse on over to Hotmail’s lost password page, and enter their email address, country, state and zip code. If you don’t have the state, you should be able to look it up either online or maybe in a phone book. Click submit and cross your fingers.

With any luck it should pop up with a secret question and a password/confirm password box. Now let’s work on that secret question, unless you already know it in which case you can skip to the next major subheading.

If the question is for example “favorite pet’s name” simply pretend to be an animal lover. Go on and on for hours about your favorite dog and how the neighbor ran over him in his Hummer and you were shattered for life. This will almost always (from a girl anyway) instigate a much longer rant about her favorite pet – which will almost always be named in the first paragraph but so as not to arouse suspicion you’ll need to listen to it all anyway.

Whatever the question is, think of a way to extract the answer out of the person. Maiden name? Pretend you know the person’s parents. With just a little thought it’s really not hard.

Here comes the money shot!

Go back to your lost password page, and fill in all the information and cross your fingers. With a sprinkling of luck you’ll be greeted with the other person’s Hotmail account for you to perform your evil deeds. Not that anyone would actually carry this out of course, what with the legal ramifications and whatnot.

There are of course some problems with this technique. Firstly, Hotmail are bound to change. That means that there may be other steps involved, and to be honest I can’t be bothered looking at Hotmail every day of the week to see. Your mileage may vary. Secondly, if you don’t want to do Hotmail and want to do say, Yahoo! it will need some changing too. Thirdly, you will often get someone whose information you just can’t get, or it’s wrong, i.e. someone who uses another answer for their secret question – you will have a hard time extracting that from them. Your mileage may vary.

I want to hack my wife/girlfriend/husband/boyfriend’s Hotmail!

The problem I have with this question is that after reading the above guide it should be painfully obvious that if you indeed have a relationship with this person, then you should be armed with all the information you need anyway. So if you do, knock your socks off. If you don’t, shut the hell up and come up with a better story.

Wait! I don’t want to change their password!

Well, at the moment that part is up to you. You could always pretend you’re a Hotmail employee (after all you do have access to their account now) and tell them you need to reset their password before they get in, and ask them what it is. Your mileage may vary, I’ve never actually put this into practice (other than testing it on a fake email account an associate set up) so I haven’t put too much thought into getting away with it. The rest is up to you, should you decide to do something silly.

One Comment »

  • raghu said:

    It’s so nice.
