Messenger/hotmail MITM exploit

From: gregory duchemin (c3rb3rat_private)
Date: Sun Jul 15 2001 - 15:33:01 PDT


    hello,
    
    this is a little sploit i wrote for Linux to test a man in the middle attack
    against Messenger/Hotmail.
    A kind of swiss army knife that:
    
    */ use the messenger scrambler bug to get password hashes
    */ spoof hotmail site to retrieve plaintext passwords (since protocol is not
    enciphered) when users open their hotmail account directly from messenger.
    */ remotely crash the client (i did not yet identify where exactly the bug
    lives)
    */ upload a malicious program of your choice as an update. Since it was not
    signed by microsoft, messenger will complain about it but however will ask
    the user if he wishes to open it anyway. Guess what should be a typical user
    behavior ? ;)
    
    this script needs the useful arptool from Cristiano Lincoln Mattos and our
    favorite web server (for hotmail spoofing and fake messenger update)
    
    use it for educational purposes only.
    
    cheers,
    
    Gregory Duchemin
    
    



    This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 21:44:19 PDT