Subject: Intro to password cracking
Date: 11 Feb 2004
Rev 1.0

Once you have mastered the use of proxies you may want to try something else: cracking website passwords, like xxx sites and news providers.

The programs discussed here are:
- wwwhack
- Access Diver 4.92

There are newer versions of Access Diver, but they install apps with them, like SpyBan and anonymous surfing. There are other cracking programs as well. Two others are Golden Eye and Sentry cracking prog, to mention a few of the many that are out there. If you search for these programs you will find other help and information.

The program wwwhack.

This program has news server support in addition to POP3, FTP, and HTTP capabilities.

So what is an HTML form? It's basically a webpage which has an input box on the page. The user enters something in the box and clicks a button to send the data to the server. I'm sure most of you have seen these kinds of pages out there, on sites like hotmail. They generally allow you to log in to an account. These are the kind of forms you would be interested in.

Ok, let me see how. Well, you won't believe it, but it's absolutely easy!!! ...*normally*.

What do we need?
- A program: wwwhack. The program wwwhack, well, it sucks in general and is very basic, but it rules when it comes to form based sites.
- A good wordlist is also needed.
- Proxies are a must. *Be sure they work. Check them several times with Access Diver or ProxyChecker. Normally just one proxy is needed, but if you need proxy rotation, like for suze-video, you obviously need MANY good proxies.
- Some spare time, because form based sites are very slow to brute force crack.

So with that, let's get started. In your browser, open the site with a form based login. As an example I have selected http://www.mrskin.com/login.html?url=/member/index.html

Enter something like:
Login = Dean
Password = Dean
and press enter. You will be taken to the error page. Look for the keyword given on this page.
CaSe SeNsiTiVE

Examples of keywords are: not correct, incorrect, try again, login failed, CaSe SeNsiTiVE, denied, invalid, sorry, follow, expired, renew, username, password, and so on.

Now that we have found our keyword, let's open wwwhack.

From the tool bar choose Options
Choose Proxy setup
Select Always use this Proxy -> enter a good working HTTP elite HIGH anonymity proxy

wwwhack will also work from SocksCap and SocksChain. If you are using those programs you can skip this option. Input your very best proxy (note that the port is entered into a separate box). Remember this proxy should be a fast level 1 or 2 proxy (HIGH anonymity or anonymous).

From the tool bar choose Access
Choose Web Page (html form)

A popup window titled HTML form-based back should display. Now in the top box in the window enter the login page URL:
http://www.mrskin.com/login.html?url=/member/index.html

Click on Automatically get info. All the boxes should fill in. There are times when wwwhack cannot automatically get the required information. In these cases it may be necessary to open the login page source code and get the information manually. Other times wwwhack may not know where to place the information and puts it in the last box in the window (the additional form data to pass).

In most cases the information is as follows:
The Form Action box should read : login page
Method : Post
Username Field : Username or UN
Password Field : Password or PW

In most cases the additional form data box should be left blank. If there is something in that box at this time, delete it. If all of the boxes are filled in with the information as described above, hit the OK button.

On the next window leave the Use content-length tolerance box unchecked.

Now we come to the most interesting point. This is the point where many people don't know what to do: choosing the correct key phrases. Well, you looked up the keyword on the login page already. Can anyone remember what it was???
Or are you saying to yourself, shit, how can I remember all these key words? Well, the one good thing about wwwhack is that you can enter several keywords into it. Please cut and paste the following into the key phrases box:

u s e r l o g i n;lihr passwort;ogin;incorrect login.;sorry that user name & password combination is not associated with an active account;not;login;sorry;bad;authorization;failed; incorrect; forget your password; failure;invalid member ;username;ooops...;access denied;denied;sorry;please try again;lease try again;not found;login failed;your membership cannot be found;could not be validated!;login;username/password error;invalid;bad;ihre id

As you can see we have gathered a large number of keywords and placed them in the key phrases box. wwwhack does not care if they are case sensitive. It looks at the string.

Under the word Username, the box should read: Read from this file
Now press the browse button and load the word list provided to you in the attached text file.

Under the word Password, the box should read: Assume it is the same as the username
Note: This does not mean that the username and the password are the same; it means use the same combo list for both the username and the password.

If you really want the password and had the time, you could select username = all possible combinations and password = all combinations, and wwwhack will start with the letter a for both and use all combinations of letters and numbers to acquire a hit. Doing so will only take about 211 days and some hours depending on the speed of your proxies, LOL.

Moving on: If you are looking for only one pass, check the box Stop after finding one password. However, I recommend you leave this box unchecked since you have the option to stop and save passes later.

Check the box: Skip to next username after finding the password.

Everyone checked those boxes??? Press the OK button. At this time a new window will appear with three tabs:
- Status
- Found
- Warning

If all is good, you should see your program running and, with time, hits being displayed in the Found tab. Once you have found the number of passwords you want, go to the Found tab and select Save passes. To exit the program just click on the X, and wwwhack will ask you if you want to save the position in the word list for continuing in the future. Select either yes or no. If you selected yes, the next time you want to run the URL just choose, from the toolbar, File -> Resume saved attempt.

Well, at this time it is time to say 3 things.
- wwwhack will give you fakes. If you find a password, check to make sure it's alive before you hand it out to someone.
- wwwhack will not work with all form sites. It is very effective for ccbill and ibill form sites. It will NOT work for Globill sites. There are other form based programs used for those sites.
- And finally: have fun. Enjoy, and don't ask me how to solve your site.

Access Diver is a very good and versatile program.

Settings for Access Diver:
Open Access Diver. It will give you an options error at first start up. This will not appear after setting it up.
Set it on expert mode (My Skill menu drop down).
Open the Settings tab. Only the following boxes must be checked:
* Let a bot retry once again on abnormal replies
* Always force a security test to begin
* Never stop, continue until the end (depends on how many passes you want)
* Search in your history also
* All the others must be unchecked
* The box that says "What redirections mean?" must be set on "They mean nothing special"

Go to the Search tab. Check "Word size control - use this feature during a search". Set your size for usernames and passwords. I prefer 3 to 9 for both, but you can set it as you wish (CC-BILL = 6 to 8 and IBILL = 2 to 12 etc.
Just find out which billing company uses which combination).
* On fly "Only word case conversion": user and pass both don't convert
* What to do with logins found: put them on top of your wordlist (FAST)
* Test all possible combinations = off

Manipulation tab: set it on "Don't use this feature".

Go to the Proxy tab -> My list
Use WEB proxies: on
Rotate proxies: on, and set on 1
Proxy skipping: first 3 boxes checked, the last one off
Retry user/pass after skipping: off
Proxy error handling: Don't use a proxy after it's skipped: on
Continue to use timed out proxies: off
Reactivation: don't reactivate proxies

Go to the Proxy analyser tab: set the speed for the speed accuracy tester on 80 and for the confidentiality tester on 50. Find the Parameters tab at the bottom right of this page; check the first 4 boxes and leave the last open. It will ask for your proxy judge settings now, so check the level 4 and 5 boxes; this way it will delete level 4 and 5 proxies after a test.

These are the most important settings. Leave the rest of the settings just as they are and find a good wordlist and about 2000 level 1, 2 and 3 proxies (use Google and search for anonymous proxylist). Be careful with your proxies, because if they are not level 1, 2, or 3 you can be traced and kicked off by your ISP. (HTTP elite HIGH anonymity, HTTP anonymous, HTTP.) Access Diver will also work through SocksCap and SocksChain.

Exploiting:

Ok, first of all, exploiting is nothing like the brute forcing described above! You must be VERY comfortable with brute forcing before you even go near exploiting a website! This can be very dangerous (but fun), so be careful... I'm sure that a webmaster will be a lot more concerned if he sees http://his-site.com/.htpasswd in his log file rather than a brute forcing attempt.

Now with that said, I'll go on to the procedure. First of all, load up Access Diver and set "My Skill" to expert. Next click on the Exploiter tab. Then click on the folder icon to load your exploits list into it.
A very good exploits list may be found at my site: http://securitysite.host.sk

Now that the list is loaded, you must set the exploit type, whether you want it to be a root exploit or a local exploit (root = http://thesite.com/ZONE, local = http://thesite.com/dir/subdir/ZONE). You can do this by highlighting all the exploits, clicking the circle next to either root or local, and clicking on the button with the dots next to the + button.

Now with these set we can begin exploiting. Type in the URL of the site you want to exploit in the address box where it says "server", then click on start and wait. You will hear the default sound of finding a pass for a site on Access Diver if you find an exploit. If you hear that sound, don't think that you can immediately exploit that site; you must first check them. So click on the exploit which has "possible failure" written next to it, and then click on the button with the eye. That will connect you to that specific zone of the site; then explore the contents and see if there is anything that you can do to exploit the site...

That is all. It may look easy, but the hard part is finding out what to do with the exploits when you have got them. Now that is where you need to have a bit of knowledge.

This information came from the group and website below. THEY DO NOT GIVE HELP OR SUPPORT FOR ON-TOPIC SITES. So you may want to be careful about what you say or ask. They will give advice and help in general though.

alt.sex.passwords
http://www.alt.sex.passwords.net.ms/
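The brute forcing described above has two traits a site operator can look for in ordinary web server access logs: a stream of failed POSTs to the login form, and (with Access Diver's proxy rotation over ~2000 proxies) those failures spread across many source addresses so that no single address stands out. The following is an added example, not part of the original post and not code from wwwhack or Access Diver, that runs two checks over constructed log lines: a per-source rule for bursts of failed logins, and a rule that counts failures against the form regardless of origin, which is what catches the rotating-proxy case. The login path /login.html, the thresholds, and the convention that a failed attempt re-renders the form with HTTP 200 while a successful one redirects with 302 are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
# 10.0.0.1 - - [11/Feb/2004:10:00:00 +0000] "POST /login.html HTTP/1.1" 200 1240 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login.html"   # assumed login endpoint (hypothetical)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def failed_logins(lines):
    """Return sorted (timestamp, ip) pairs for failed POSTs to the login form.

    Assumption: a wrong username/password re-renders the form with HTTP 200,
    a correct one answers with a 302 redirect into the member area.
    """
    out = []
    for line in lines:
        r = parse_line(line)
        if r and r["method"] == "POST" and r["path"] == LOGIN_PATH and r["status"] == 200:
            out.append((r["ts"], r["ip"]))
    return sorted(out)


def max_in_window(events, window):
    """Densest time window over sorted (ts, ip) events: (count, distinct source ips)."""
    best = (0, 0)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        chunk = events[start:end + 1]
        stat = (len(chunk), len({ip for _, ip in chunk}))
        if stat > best:
            best = stat
    return best


def detect(lines, window=timedelta(minutes=10), per_ip_limit=5,
           spread_limit=20, min_sources=10):
    """Flag single-source bursts and distributed (proxy-rotated) login brute forcing."""
    events = failed_logins(lines)
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append((ts, ip))
    # rule 1: one source address producing per_ip_limit failures inside the window
    per_ip = sorted(ip for ip, evs in by_ip.items()
                    if max_in_window(evs, window)[0] >= per_ip_limit)
    # rule 2: failures against the form from many sources, whatever their origin
    count, sources = max_in_window(events, window)
    distributed = None
    if count >= spread_limit and sources >= min_sources:
        distributed = {"failures": count, "sources": sources}
    return {"per_ip": per_ip, "distributed": distributed}


def build_sample_log():
    """Constructed traffic for the example (not real logs); base time 11 Feb 2004 10:00 UTC."""
    base = datetime(2004, 2, 11, 10, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, status):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        size = 1240 if status == 200 else 0
        return (f'{ip} - - [{ts}] "POST {LOGIN_PATH}?url=/member/index.html HTTP/1.1" '
                f'{status} {size} "-" "Mozilla/4.0"')

    lines = []
    # 1) one proxy hammering the form: six failures in under a minute
    for i in range(6):
        lines.append(entry("192.0.2.10", i * 10, 200))
    # 2) rotating proxies: 25 failures, each from a different address, over ~5 minutes
    for i in range(25):
        lines.append(entry(f"10.0.0.{i + 1}", 120 + i * 12, 200))
    # 3) a legitimate user: one typo, then a successful login (302)
    lines.append(entry("198.51.100.7", 30, 200))
    lines.append(entry("198.51.100.7", 45, 302))
    return lines


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the constructed sample the per-source rule flags only 192.0.2.10, while each rotating proxy address fails once and would never trip a per-address threshold; the second rule reports 32 failures from 27 sources inside one window and flags the run. Thresholds are placeholders to tune per site. A per-account failure count would be a natural third rule, but it needs the submitted username, which access logs do not record, so it belongs in the application's own auth log.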