TUCoPS :: Password Security :: pwhackin.txt

Intro to Password Hacking

Subject: Intro to password cracking
Date: 11 Feb 2004

Rev 1.0

Once you have mastered the use of proxies you may want to try something else:
cracking website passwords, such as those on xxx sites and news providers.

The programs discussed here are:
wwwhack
Access Diver 4.92

There are newer versions of Access Diver, but they install other apps along with
them, such as SpyBan and an anonymous-surfing tool. There are other cracking
programs as well; Golden Eye and Sentry are two of the many that are out there.
If you search for these programs you will find further help and information.

wwwhack has news server support in addition to POP3, FTP, and HTTP
capabilities.

So what is an HTML form?

It's basically a webpage which has an input box on the page. The user enters
something in the box and clicks a button to send the data to the server. I'm
sure most of you have seen this kind of page out there, on sites like Hotmail.

They generally allow you to log in to an account. These are the kind of forms you
would be interested in.

OK, so how is it done? Well, you won't believe it, but it's absolutely
easy!!!... *normally*.

What do we need?

- A program: wwwhack. It sucks in general, and is very basic, but it rules when
  it comes to form-based sites.

- A good wordlist.

- Proxies are a must. *Be sure they work.* Check them several times with Access
  Diver or ProxyChecker. Normally just one proxy is needed, but if you need proxy
  rotation, like for suze-video, you obviously need MANY good proxies.

- Some spare time, because form-based sites are very slow to brute-force crack.

So with that, let's get started.

In your browser, open the site with a form based login.  

As an example I have selected
http://www.mrskin.com/login.html?url=/member/index.html 

Enter something like:
Login = Dean
Password = Dean 

and press enter. 

You will be taken to the error page.

Look for a keyword given on this page. It is CaSe SeNsiTiVE.

Examples of keywords are: not correct, incorrect, try again, login failed,
denied, invalid, sorry, follow, expired, renew, username, password and so on.

Now that we have found our keyword, let's open wwwhack.

From the toolbar choose  Options
Choose      Proxy setup
Select      Always use this Proxy -> enter a good working HTTP elite (HIGH
anonymity) proxy

wwwhack will also work from SocksCap and SocksChain. If you are using those
programs you can skip using this option.

Input your very best proxy (note that the port is entered in a separate box).
Remember this proxy should be a fast level 1 or 2 proxy (HIGH anonymity or
anonymous).

From the toolbar choose Access

Choose Web Page (HTML form)

A popup window titled HTML form-based hack should display.

Now in the top box in the window enter the Login page url.    
http://www.mrskin.com/login.html?url=/member/index.html 

Click on Automatically get info. All the boxes should fill in.
There are times when wwwhack cannot automatically get the required
information. In these cases it may be necessary to open the login page source
code and get the information manually.

Other times wwwhack may not know where to place the information and puts it
in the last box in the window (the additional form data to pass).
In most cases the information is as follows:

The Form Action box should read : login page
Method :   Post
Username Field : Username  or  UN
Password Field : Password  or  PW

In most cases the additional form data box should be left blank. If there is
something in that box at this time, delete it.

If all of the boxes are filled in with the information as described above, hit
the OK button.

On this next window leave the Use content-length tolerance box unchecked

Now we come to the most interesting point. This is the point where many people
don't know what to do: choosing the correct key phrases.

Well, you looked up the keyword on the login page already. Can anyone
remember what it was??? Or are you saying to yourself, shit, how can I remember
all these keywords? Well, the one good thing about wwwhack is that you can enter
several keywords into it.

Please cut and paste the following into the key phrases box:

u s e r l o g i n;lihr passwort;ogin;incorrect login.;sorry that user name &
password combination is not associated with an active
account;not;login;sorry;bad;authorization;failed; incorrect; forget your
password; failure;invalid member ;username;ooops...;access
denied;denied;sorry;please try again;lease try again;not found;login failed;your
membership cannot be found;could not be validated!;login;username/password
error;invalid;bad;ihre id 

As you can see we have gathered a large number of keywords and placed them in
the key phrases box. wwwhack does not care whether they are case sensitive; it
just looks at the string.

Under the word Username, the box should read:
Read from this file 

Now press the Browse button and load the wordlist provided to you in the
attached text file.

Under the word Password, the box should read: 
Assume it is the same as the username 

Note: This does not mean that the username and the password are the same, it
does mean use the same combo list for both the username and the password. 

If you really wanted the password and had the time, you could select username =
all possible combinations and password = all possible combinations; wwwhack will
start with the letter a for both and work through every combination of letters
and numbers until it gets a hit.

Doing so will only take about 211 days and some hours, depending on the speed of
your proxies, LOL.

Moving on: 

If you are looking for only one pass, check the box Stop after finding one
password. However, I recommend you leave this box unchecked, since you have the
option to stop and save passes later.
Check the box Skip to next username after finding the password. Everyone
checked those boxes???

Press the OK Button 

At this time a new window will appear with three tabs.  

Status - Found: - Warning: 

If all is good, you should be seeing your program running and with time hits
being displayed in the found tab.  

Once you have found the number of passwords you want, go to the found tab and
select save passes. 

To exit the program just click on the X, and wwwhack will ask you if you want to
save the position in the wordlist for continuing in the future. Select either
yes or no.

If you selected yes, the next time you want to run the URL just choose
File -> Resume saved attempt from the toolbar.

Well, now it is time to say three things.

- wwwhack will give you fakes. If you find a password, check that it is
alive before you hand it out to someone.

- wwwhack will not work with all form sites. It is very effective for CCBill
and iBill form sites. It will not work for Globill sites; there are other
form-based programs used for those sites.

- And finally, have fun. Enjoy, and don't ask me how to solve your site.
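The wordlist run described above, seen from the server side. This is an added detection example, not part of the original text and not code from wwwhack: it reads login-audit lines in a constructed format and flags the three patterns that run produces, namely many failures from one address, one address walking through a list of usernames (the "skip to next username" setting), and one account hit from many rotating proxy addresses. The log format, addresses, usernames and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log format (hypothetical):
#   "<ISO timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def max_events_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, window=timedelta(minutes=10), ip_fail_limit=10,
           spray_user_limit=10, account_ip_limit=5):
    """Return sorted (rule, subject, count) alerts for failed-login patterns."""
    fails_by_ip = defaultdict(list)     # source address -> failure timestamps
    fails_by_user = defaultdict(list)   # target account -> failure timestamps
    users_by_ip = defaultdict(set)      # source address -> distinct accounts tried
    ips_by_user = defaultdict(set)      # target account -> distinct source addresses
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        fails_by_ip[ev["ip"]].append(ev["ts"])
        fails_by_user[ev["user"]].append(ev["ts"])
        users_by_ip[ev["ip"]].add(ev["user"])
        ips_by_user[ev["user"]].add(ev["ip"])

    alerts = []
    # Rule 1: one address failing repeatedly inside the window (classic brute force).
    for ip, times in fails_by_ip.items():
        n = max_events_in_window(times, window)
        if n >= ip_fail_limit:
            alerts.append(("ip_bruteforce", ip, n))
    # Rule 2: one address walking through many different usernames.
    for ip, users in users_by_ip.items():
        if len(users) >= spray_user_limit:
            alerts.append(("ip_spray", ip, len(users)))
    # Rule 3: one account failing from many addresses inside the window. Per-IP
    # thresholds miss this when the guesses come through rotating proxies, so
    # key on the account instead.
    for user, ips in ips_by_user.items():
        if (len(ips) >= account_ip_limit
                and max_events_in_window(fails_by_user[user], window) >= account_ip_limit):
            alerts.append(("distributed_on_account", user, len(ips)))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample traffic (not real data): a user==password wordlist run from
    one address, one account hit from rotating addresses, and one legitimate login."""
    base = datetime(2004, 2, 11, 10, 0, 0)
    stamp = lambda secs: (base + timedelta(seconds=secs)).strftime(TS_FMT)
    names = ["dean", "john", "mike", "paul", "anna", "lisa",
             "mark", "jane", "tom", "sue", "bob", "amy"]
    lines = [f"{stamp(3 * i)} ip=203.0.113.10 user={name} result=fail"
             for i, name in enumerate(names)]
    lines += [f"{stamp(60 + 5 * i)} ip=198.51.100.{i + 1} user=admin result=fail"
              for i in range(6)]
    lines += [f"{stamp(120)} ip=192.0.2.5 user=carol result=fail",
              f"{stamp(130)} ip=192.0.2.5 user=carol result=ok",
              "garbage line that the parser must skip"]
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Rule 3 is the one worth keeping even when the first two are tuned down: a site that only counts failures per client address sees nothing unusual when each guess arrives from a different proxy, while a count per target account catches the run regardless of where it comes from.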



Access Diver is a very good and versatile program.

Settings for Access Diver:

Open Access Diver; it will give you an options error at first start-up. This will
not appear once it has been set up.

Set it to expert mode (My Skill drop-down menu).
Open the Settings tab.
Only the following boxes must be checked:
* Let a bot retry once again on abnormal replies
* Always force a security test to begin
* Never stop, continue until the end (depends on how many passes you want)
* Search in your history also
All the others must be unchecked.
The box that asks "what do redirections mean?" must be set to "They mean nothing
special".


Go to the Search tab.
Check Word size control - use this feature during a search.
Set your size for usernames and passwords.
I prefer 3 to 9 for both, but you can set it as you wish
(CCBill = 6 to 8 and iBill = 2 to 12, etc. Just find out which billing company
uses which combination).

* On the fly "Only word case conversion": user and pass both "don't convert"
What to do with logins found: put them on top of your wordlist (FAST)
Test all possible combinations = off


Manipulation tab: set it to "don't use this feature".

Go to the Proxy tab -> My list
Use WEB proxies: on
Rotate proxies: on, and set to 1
Proxy skipping: first 3 boxes checked, the last one off
Retry user/pass after skipping: off
Proxy error handling: Don't use a proxy after it's skipped: on
Continue to use timed-out proxies: off
Reactivation: don't reactivate proxies

Go to the Proxy Analyser tab:

Set the speed for the speed accuracy tester to 80 and for the confidentiality
tester to 50.

Find the Parameters tab at the bottom right of this page; check the first 4 boxes
and leave the last one open.

It will ask for your proxy judge settings now, so check the level 4 and 5 boxes;
this way it will delete level 4 and 5 proxies after a test.

These are the most important settings.
Leave the rest of the settings just as they are, and find a good wordlist and
about 2000 level 1, 2 and 3 proxies (use Google and search for "anonymous
proxylist"). Be careful with your proxies, because if they are not level 1, 2, or
3 you can be traced and kicked off by your ISP. (HTTP elite HIGH anonymity, HTTP
anonymous, HTTP)

Access Diver will also work through SocksCap and SocksChain.
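The Access Diver settings above rotate through a list of a couple of thousand proxies, which is exactly what defeats a login throttle that counts failures only per client address. The following is an added example, not from the original text and not code from either tool, of a server-side login handler that budgets failures per target account as well as per address, and that hashes the candidate password even for unknown usernames so that response time does not reveal which accounts exist. The user store, names, addresses, limits and the controlled clock in the demo are all hypothetical.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


# Hypothetical user store: passwords kept as salted PBKDF2-HMAC-SHA256 digests.
def make_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def check_password(record, candidate):
    """Recompute the digest and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class LoginGuard:
    """Budgets failures per source address AND per target account. The per-account
    budget is what survives proxy rotation: however many addresses the guesses
    arrive from, the account locks after `user_limit` failures in `window` seconds."""

    def __init__(self, dummy_record, window=300, ip_limit=20, user_limit=5, lockout=900):
        self.dummy = dummy_record        # hashed for unknown users to equalise timing
        self.window = window             # seconds over which failures are counted
        self.ip_limit = ip_limit
        self.user_limit = user_limit
        self.lockout = lockout           # seconds an account stays locked
        self.fail_ip = defaultdict(deque)
        self.fail_user = defaultdict(deque)
        self.locked_until = {}

    def _recent(self, dq, now):
        """Drop timestamps older than the window and return how many remain."""
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def attempt(self, users, ip, username, password, now=None):
        """Return 'ok', 'fail', 'throttled' (address over budget) or 'locked' (account)."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if self._recent(self.fail_ip[ip], now) >= self.ip_limit:
            return "throttled"
        # Always run the hash, even for unknown users, so the reply time does not
        # say whether the username exists.
        record = users.get(username, self.dummy)
        valid = check_password(record, password) and username in users
        if valid:
            self.fail_user.pop(username, None)
            return "ok"
        self.fail_ip[ip].append(now)
        self.fail_user[username].append(now)
        if self._recent(self.fail_user[username], now) >= self.user_limit:
            self.locked_until[username] = now + self.lockout
        return "fail"


def run_demo(iterations=20_000):
    """Constructed scenario with a controlled clock: five wrong guesses for one
    account from five different addresses, then the right password while locked,
    the right password after the lockout expires, and a guess at a user that does
    not exist. Returns the list of results in that order."""
    users = {"dean": make_record("correct-horse-battery", iterations)}
    guard = LoginGuard(make_record(os.urandom(8).hex(), iterations))
    results = []
    for t in range(5):  # rotating addresses, wrong password each time
        results.append(guard.attempt(users, f"198.51.100.{t + 1}", "dean", "dean", now=t))
    results.append(guard.attempt(users, "198.51.100.6", "dean", "correct-horse-battery", now=5))
    results.append(guard.attempt(users, "198.51.100.6", "dean", "correct-horse-battery", now=905))
    results.append(guard.attempt(users, "198.51.100.7", "nobody", "nobody", now=905))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Each guess in the demo comes from a different address, so the per-address budget of 20 is never reached; the account budget of 5 is what locks "dean", and the lock holds even for the correct password until the lockout period has passed.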


Exploiting:

OK, first of all, exploiting is nothing like the brute forcing described above! You
must be VERY comfortable with brute forcing before you even go near exploiting a
website! This can be very dangerous (but fun), so be careful... I'm sure that a
webmaster will be a lot more concerned if he sees http://his-site.com/.htpasswd
in his log file rather than a brute-forcing attempt. Now with that said, I'll go
on to the procedure.

First of all, load up Access Diver and set "My Skill" to expert. Next click on
the Exploiter tab. Then click on the folder icon to load your exploits list into
it. A very good exploits list may be found at my site at
http://securitysite.host.sk. Now that the list is loaded, you must set the
exploit, whether you want it to be a root exploit or a local exploit
(root = http://thesite.com/ZONE, local = http://thesite.com/dir/subdir/ZONE). You
can do this by highlighting all the exploits, clicking the circle next to
either root or local, and clicking on the button with the dots next to the +
button. Now with these set we can begin exploiting.

Type in the URL of the site you want to exploit in the address box where it says
"server", then click on Start and wait. If you find an exploit, you will hear
the default Access Diver sound for finding a pass for a site. If you hear
that sound, don't think that you can immediately exploit that site; you must
first check them. So click on the exploit which has "possible failure" written
next to it, and then click on the button with the eye. That will connect you to
that specific zone of the site; then explore the contents and see if there is
anything that you can do to exploit the site...

That is all. It may look easy, but the hard part is finding out what to do with
the exploits when you have got them. Now that is where you need to have a bit of
knowledge.

This information came from the group and website below. THEY DO NOT GIVE HELP OR
SUPPORT FOR ON-TOPIC SITES. So you may want to be careful about what you say or
ask. They will give advice and help in general, though.

        alt.sex.passwords

        http://www.alt.sex.passwords.net.ms/


Site design & layout copyright © 1986-2024 AOH