Skip to main content

Featured Post

Kali Linux Terminal Customization Tutorial

Today I'll show you guys how to change kali linux terminal header text.
5 comments

How to Crack Accounts Using Bruteforce

How to Crack Accounts Using Bruteforce

Brute force attacks are one of the most
commonly used attacks to compromise online accounts, they have been known for
decades but still they are actively being used to compromise online accounts,
in this tutorial I would be demonstrating how you can utilize a brute force
attacks on Web forms using a popular and powerful tool called Sentry MBA




This tutorial is divided into 6 parts:

1) Cracking Terms and some theory
2) Tools Needed
3) Gathering Combos
4) Gathering Proxies
5) Testing Proxies
6) Making Config and Cracking




1) Cracking terms and some theory:

Dictionary Attack: A dictionary attack is a method of
hacking into a password-protected computer or server or account by
systematically entering every word in a dictionary (wordlist or combolist) as a
password and or username.


 Wordlist or Passwordlist: Wordlist or passwordlist is a list
of words that is used for cracking hashes (encrypted text) or those logins that
require only a password for example cracking the password of a protected shell
like c99


 Combo List: A list of username and passwords joined
together. It is in this format: username:password or email:password


 Proxy List: A list of proxies. And why do we need proxies? Because
some sites ban an IP if it exceeds the total number of failed login attempts.


 Proxies are of 3 types: Transparent, Anonymous and
High-Anonymous. I recommend using Anonymous or High-Anonymous proxies.


 Failure Key: A keyword(s) that a website shows upon a failed
login attempt. For example, "Incorrect Username or Password" or
"Login Failed"


 Success Key: A keyword(s) that a website shows upon a
successful login. For example, "Welcome [username]" or
"Logout"


 Ban key: A keyword(s) that a website shows when an IP has
reached the maximum number of logins allowed. For example, "You have
reached the maximum number of login attempts allowed, please try again after
[x] number of mins or hours" where X can be any number depending upon the
site.



 2) Tools you will need:


EZLeecher V3.0.3a beta #2 (LV) - For gathering combos
Note: Combos leeched by EZLeecher are suited for cracking
porn sites.
Download: Click here

Proxy Grabber - For gathering proxies
Download: Click here

Proxy Tester - For testing proxies if they are valid or not
Download: Click here

Sentry MBA - For making config and the actual cracking
Download: Click here



3) Gathering Combos:

 Open up EZLeecher and Click on 'Start leeching'. Combos will
start to leech and it’s up to you that how many combos you want to gather. The
number of combos leeched is shown in "Items in DB". Just click on
'Stop leeching' when you feel that you have gathered enough combos.






Now you may either
export the whole database or you can filter out combos for the site you are
going to crack. This can be done by clicking on ‘search database (by
URL,keyword)’ and then type in your website name. For example I searched for
‘wantedgfs’. This was the result :





This resulted in all the combos for wantedgfs to be listed.
Now in order to remove the @site.com just tick on ‘Combo output’ and search
again and then copy and paste them into a text file. If you didn’t get any
combos for your specific site, then just export all the combos.



4) Gathering Proxies:

  Note: Some sites allow unlimited login attempts and don’t
ban IP’s. Therefore, those sites don’t require any proxies.


Open up Proxy Grabber and click on ‘Start’. It will start
grabbing proxies. Stop when you think you have enough proxies. Now click on
‘Remove Duplicates’ and then ‘Save to File’.




 5) Testing Proxies:

Open up ProxyTester.exe and then paste the login or members
page URL where it says ‘Member URL’. Now click on ‘Title’ and the tool will extract
the title of the login page. Tick
‘Judge’ and ‘Use GeoTagIp’. Next load the proxies that you gathered into
ProxyTester and finally click on ‘Start Test’ and it will start checking
proxies.






6) Making Config and Cracking:

Open up Sentry MBA and paste the login URL where it says
‘Site’ on the top. Now under ‘settings’ open ‘HTTP Header’ and then change the
request method to ‘GET’ if your site is using basic authorization (also called
pop-up logins). If the site is using HTML form based logins like most modern
websites then tick on ‘MW’ and then click on the little wand icon above. Now Master
Wizard should have opened. Click on ‘Analyze Login Page’ and then ‘Use Data’ as
demonstrated below:




Next, head over to ‘Fake Settings’ tab and uncheck ‘Enable
AfterFingerPrint’. And check ‘Follow Redirects’.
Now head over to ‘Keywords’ tab and then check ‘Define
Failure Keys’ under source key phrases and then add failure key by
right-clicking and selecting ‘Add (Basic)’ as shown below :




Under ‘Lists’ head over to ‘wordlist’ tab and load your
combo list. Now head over to ‘Proxylist’
and load your tested proxy list.
Finally, Under ‘Progression’ click on ‘Start’ and let the
software do its job. Some combos will be listed in the ‘To Check’ tab. Right-click on those combos and ‘View bot

debug in default text editor’. This will show the source code received after
attempting the login with that combo. Examine the source and look for success
keys and ban keys. After finding success and ban key, copy and add those keywords
to their respective areas and check ‘Enable AfterFingerPrint’. When done, save
settings and start the cracking process again. This time successful logins will
be stored in the ‘Hits’ tab and proxies will be banned if there is a ban
keyword match.





Note: Not all sites can be cracked by this method, some
require OCR stage to be configured in the Master Wizard and some require MD5
encrypt. Basic sites can be cracked though.

FAQ:

 
1) Can I crack Facebook accounts with this method?
No you can’t. Facebook has
brute force protection.


2) Can I crack Steam accounts with this method?
Yes. But it is very difficult
to make a config for it. Few people know how to make a config for steam and
they keep it private.


3) How to protect against this attack?
Block an account temporarily
if there are lots of failed login attempts on it and add a captcha after X
number of wrong login attempts, where X can be any number you prefer.


Happy Hacking :)
Labels:

Comments

Post a Comment

Popular posts from this blog

[Bank Transfer Tutorial] Prepaid Card Cashout

1. You will goto card.com and get a prepaid card with checking acc using the bank logs info to sign up with, only change the billing address to your drop address. It will take 3-5 days for you to receive and activate the card but you can deposit after registration is successfull. And as far as you havent caused any changes on the account, the owner will not be notified. 2. Go to venmo and register an account with the prepaid account details. Verify the venmo acc with the ssn and dob. 3. After a day, add the prepaid account to your venmo acc and verify it. Add the bank log details to the venmo acc and verify it. Two days gone. 4. On the third day, load less than $11,000 in your venmo balance. 5. On the next day, cashout less than $10000 into your prepaid account. the money is yours. 6. The mail containing the card would have reached your drop. Activate it online and cashout immediately. Warning. 1. Prepaid cards take only $10,000 and less. If more than $1000
48 comments
Keep Reading

Get Any Premium Templates Free @ ThemeForest! ( Full Method )

Hi all! Today I'm going to share to you how to get any premium templates  in ThemeForest without downloading any shitty files or viruses. I think you guys enjoy this tutorial ;) . This also includes some screenshots to guide you :D Go to Google Put this query at the search box. intitle:"index.of" themeforest-4260361-journal-advanced-opencart-theme-framework.zip  Replace "4260361" with the number of your desired template. Replace "journal-advanced-opencart-theme-framework" with the name of your desired template. Then hit enter! And you will be seeing direct links of the template you want For example: I want this template. http://themeforest.net/item/ avada-responsive-multipurpose-theme / 2833226 So this would be my query: intitle:"index.of" themeforest- 2833226 - avada-responsive-multipurpose-theme .zip Screenshot A simple thanks or rep is much appreciated Enjoy
2 comments
Keep Reading

Some most important google dorks

Salam all , today i can give you some most important google dorks . whos help you for hacking . lets see blew - Dork for finding shell inurl:.php “cURL: ON MySQL: ON MSSQL: OFF” “Shell” filetype:php intext:”uname -a:” “EDT 2010? intitle:”intitle:r57shell” [ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ] inurl:”c99.php” & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout inurl:”c100.php” & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout intitle:”Shell” inurl:”.php” & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Updat Dork html injection inurl:"id=" & intext:"warning: mysql_fetch-assoc() inurl:"id=" & intext:"warning: mysql_fetch-array() inurl:"id=" & intext:"warning: mysql_num_rows() inurl:"id=" & intext:"warning: session_satrt() inurl:"id=&qu
Post a Comment
Keep Reading